Wi-Fi Array

Configuring the Wi-Fi Array

The following topics include procedures for configuring the Array using the product’s embedded Web Management Interface (WMI). Procedures have been organized into functional areas that reflect the flow and content of the WMI.
“Viewing Status on the Wi-Fi Array” on page 123
“Using Tools on the Wi-Fi Array” on page 323
Express Setup

The Express Setup procedure allows you to establish global configuration settings that will enable basic Array functionality. Any changes you make in this window will affect all radios. When finished, click on the Apply button to apply the new settings to this session, or click Save to apply your changes and make them permanent.

Figure 84.
Procedure for Performing an Express Setup

1. Host Name: Specify a unique host name for this Array. The host name is used to identify the Array on the network. Use a name that will be meaningful within your network environment, up to 64 alphanumeric characters. The default is Xirrus-WiFi-Array.
2. Location Information: Enter a brief but meaningful description that accurately defines the physical location of the Array.
on this port. Choose Yes to allow management of the Array via this Gigabit interface, or choose No to deny all management privileges for this interface.

c. 8. Configuration Server Protocol: Choose DHCP to instruct the Array to use DHCP to assign IP addresses to the Array’s Ethernet interfaces, or choose Static if you intend to enter IP addresses manually. If you choose the Static IP option, you must enter the following information:

• IP Address: Enter a valid IP address for this Array.
required to use a VPN connection through a secure SSH utility, like PuTTY.

• WEP (Wired Equivalent Privacy) — An optional IEEE 802.11 function that offers frame transmission privacy similar to a wired network. WEP generates secret shared encryption keys that both source and destination stations can use to alter frame bits to avoid disclosure to eavesdroppers.
• WPA (Wi-Fi Protected Access) — A Wi-Fi Alliance standard that contains a subset of the IEEE 802.
write privileges on the Array (i.e., the new user will be able to change the configuration of the Array). The default admin user is deleted. Note that the Array also offers the option of authenticating administrators using a RADIUS server (see “Admin Management” on page 215).

b. xxxxxxx priority: If you entered a new administration password, confirm the new password here.
c. New Admin Password: If desired, enter a new administration password for managing this Array.
d. NTP Primary Server: If you are using NTP, enter the IP address or domain name of the NTP server.
e. NTP Secondary Server: Enter the IP address or domain name of an optional secondary NTP server to be used in case the Array is unable to contact the primary server.
f. Set Time (hrs:min:sec): If you are not using NTP, check this box if you want to adjust the current system time. When the box is checked, the time fields become active.
12. Click on the Apply button to apply the new settings to this session, or click Save to apply your changes and make them permanent.

Network

This is a status-only window that provides a snapshot of the configuration settings currently established for the 10/100 Ethernet 0 interface and the Gigabit 1 and Gigabit 2 interfaces. DNS Settings and CDP Settings (Cisco Discovery Protocol) are summarized as well.
Spanning Tree Status
Network Statistics

Network Interfaces

This window allows you to establish configuration settings for the 10/100 Fast Ethernet interface and the Gigabit 1 and Gigabit 2 interfaces.

Figure 87.
Gigabit 2 settings will “mirror” Gigabit 1 settings (except for MAC addresses) and cannot be configured separately. When finished making changes, click on the Apply button to apply the new settings to this session, or click Save to apply your changes and make them permanent.

When the status of an Ethernet or Gigabit port changes, a Syslog entry is created describing the change.
2. LED Indicator: Choose Enabled to allow the LED for this interface to blink with traffic on the port, or choose Disabled to turn the LED off. The LED will still light during the boot sequence, then turn off. This option is only available for the Gigabit interfaces.
3. Allow Management on Interface: Choose Yes to allow management of this Array via the selected network interface, or choose No to deny all management privileges for this interface.
primary link. Gigabit2 is the backup link and is passive. Gigabit2 assumes the IP properties of Gigabit1. If Gigabit1 fails, the Array automatically fails over to Gigabit2. When a failover occurs in this mode, Gigabit2 issues gratuitous ARPs to allow it to substitute for Gigabit1 at Layer 3 as well as Layer 2. See Figure 89 (a).

b. Aggregate Traffic from gig1 & gig2 using 802.3ad — The Array sends network traffic across both gigabit ports to increase link speed to the network.
c. Bridge traffic between gig1 & gig2 — Traffic received on Gigabit1 is transmitted by Gigabit2; similarly, traffic received on Gigabit2 is transmitted by Gigabit1. This allows the Array to act as a wired bridge and allows Arrays to be daisy-chained and still maintain wired connectivity. See Figure 90 (c).
d. Transmit Traffic on both gig1 & gig2 — Transmits incoming traffic on both Gigabit1 and Gigabit2. Any traffic received on Gigabit1 or Gigabit2 is sent to the onboard processor.
[Figure 91. Panel (e), Load balance traffic: the Array load balances outgoing traffic based on source and destination address. Panel (f), Mirror traffic: received wireless traffic is sent to both links; traffic from Gig 1 is processed for wireless transmission and copied to Gig 2; traffic from Gig 2 is processed for wireless transmission and copied to Gig 1.]
processor as well as out Gigabit1. This allows a network analyzer to be plugged into one port to capture traffic for troubleshooting, while the other port provides network connectivity for data traffic. See Figure 91 (f).

6. Configuration Server Protocol: Choose DHCP to instruct the Array to use DHCP when assigning IP addresses to the Array, or choose Static IP if you intend to enter IP addresses manually.
DNS Settings

This window allows you to establish your DNS (Domain Name System) settings. The Array uses these DNS servers to resolve host names into IP addresses. The Array also registers its own Host Name with these DNS servers, so that others may address the Array using its name rather than its IP address. An option allows you to specify that the Array’s DNS servers will be assigned via a DHCP server on the wired network.
4. DNS Server 2 and DNS Server 3: Enter the IP address of the secondary and tertiary DNS servers (if required).
5. Use DNS settings assigned by DHCP: If you are using DHCP to assign the Array’s IP address, you may turn this option On. The Array will then obtain its DNS domain and server settings from the network DHCP server that assigns an IP address to the Array, rather than using the DNS Server fields above. You may also configure that DHCP server to assign a host name to the Array.
6.
CDP Settings

CDP (Cisco Discovery Protocol) is a layer 2 network protocol used to share information (such as the device manufacturer and model, network capabilities, and IP address) with other directly connected network devices. Wi-Fi Arrays can both advertise their presence by sending CDP announcements, and gather and display information sent by neighbors (see “CDP Neighbors” on page 137). This window allows you to establish your CDP settings.
See Also
CDP Neighbors
Network
Network Interfaces
Network Statistics
Services

This is a status-only window that allows you to review the current settings and status for services on the Array, including DHCP, SNMP, Syslog, and Network Time Protocol (NTP) services. For example, for the DHCP server, it shows each DHCP pool name, whether the pool is enabled, the IP address range, the gateway address, lease times, and the DNS domain being used.
“SNMP” on page 199
“DHCP Server” on page 202

Time Settings (NTP)

This window allows you to manage the Array’s time settings, including synchronizing the Array’s clock with a universal clock from an NTP (Network Time Protocol) server. Synchronizing the Array’s clock with an NTP server ensures that Syslog time-stamping is maintained across all units.

Figure 95. Time Settings (Manual Time)

Procedure for Managing the Time Settings

1.
a. Adjust Time (hrs:min:sec): If you are not using NTP, check this box if you want to adjust the current system time. When the box is checked, you may enter a revised time (hours, minutes, seconds, am/pm) in the corresponding fields. If you don’t want to adjust the current time, this box should be left unchecked (default).
b. Adjust Date (month/day/year): If you are not using NTP, check this box if you want to adjust the current system date.
See Also
Services
SNMP
System Log

NetFlow

This window allows you to enable or disable the sending of NetFlow information to a designated collector. NetFlow is a proprietary but open network protocol developed by Cisco Systems for collecting IP traffic information. When NetFlow is enabled, the Array will send IP flow information (traffic statistics) to the designated collector. NetFlow sends per-flow network traffic information from the Array.
Some features, such as NetFlow, are only available if the Array’s license includes the Xirrus Advanced RF Analysis Manager (RAM). If a setting is unavailable (grayed out), then your license does not support the feature. See “About Licensing and Upgrades” on page 325.

Procedure for Configuring NetFlow

1. Enable NetFlow: Choose Yes to enable NetFlow functionality, or choose No to disable this feature.
2.
2. Wi-Fi Tag UDP Port: If you enabled Wi-Fi tagging, enter the port on the Array which the Wi-Fi tagging server will use to query the Array for tagging data. When queried, the Array will send back information on the tags it has observed. For each, the Array sends information such as the MAC address of the tag transmitting device, and the RSSI and noise floor observed.
3. Wi-Fi Tag Channel: If you enabled Wi-Fi tagging, enter the 802.11 channel on which the Array will listen for tags.
Procedure for Configuring Syslog

1. Enable Syslog Server: Choose Yes to enable Syslog functionality, or choose No to disable this feature.
2. Console Logging: If you enabled Syslog, select whether or not to echo Syslog messages to the console as they occur. If you enable console logging, be sure to set the Console Logging level (see Step 7 below).
3.
7. Syslog Levels: For each of the Syslog destinations, choose your preferred level of Syslog reporting from the pull-down list. Messages with criticality at the selected level and above will be shown. The default level varies depending on the destination.
a. Console Logging: For messages to be echoed to the console, the default level is Critical and more serious. This prevents large numbers of non-critical messages from being displayed on the console.
SNMP

This window allows you to enable or disable SNMP v2 and SNMP v3 and define the SNMP parameters. SNMP allows remote management of the Array by the Xirrus Management System (XMS) and other SNMP management tools. SNMP v3 was designed to offer much stronger security. You may enable either SNMP version, neither, or both.

Complete SNMP details for the Array, including trap descriptions, are found in the Xirrus MIB, available at support.xirrus.
Procedure for Configuring SNMP

SNMPv2 Settings

1. Enable SNMPv2: Choose Yes to enable SNMP v2 functionality, or choose No to disable this feature. When used in conjunction with the Xirrus Management System, SNMP v2 (not SNMP v3) must be enabled on each Array to be managed with XMS. The default for this feature is Yes (enabled).
2. SNMP Read-Write Community String: Enter the read-write community string. The default is xirrus.
3.
10. SNMP Read-Write Privacy Password: Enter the read-write password for privacy (i.e., a key for encryption). The default is xirrus-rw.
11. SNMP Read-Only Username: Enter the read-only user name. This username and password do not allow configuration changes to be made on the Array. The default is xirrus-ro.
12. SNMP Read-Only Authentication Password: Enter the read-only password for authentication (i.e., logging in). The default is xirrus-ro.
13.
System Log
Time Settings (NTP)

DHCP Server

This window allows you to create, enable, modify and delete DHCP (Dynamic Host Configuration Protocol) address pools. DHCP allows the Array to provide wireless clients with IP addresses and other networking information. The DHCP server will not provide DHCP services to the wired side of the network.
Procedure for Configuring the DHCP Server

1. New Internal DHCP Pool: Enter a name for the new DHCP pool, then click on the Create button. The new pool ID is added to the list of available DHCP pools.
2. On: Click this checkbox to make this pool of addresses available, or clear it to disable the pool.
3. Lease Time — Default: This field defines the default DHCP lease time (in seconds). The factory default is 300 seconds, but you can change the default at any time.
4.
12. Click Apply to apply the new settings to this session, or click Save to apply your changes and make them permanent.
VLANs

This is a status-only window that allows you to review the current status of assigned VLANs. A VLAN (Virtual LAN) is comprised of a group of devices that communicate as a single network, even though they are physically located on different LAN segments. Because VLANs are based on logical rather than physical connections, they are extremely flexible. A device that is moved to another location can remain on the same VLAN without any hardware reconfiguration.
Virtual Tunnel Server (VTS)

Tunneling capability is provided by a Virtual Tunnel Server. You supply the server and deploy it in your network using open-source VTun software, available from vtun.sourceforge.net. To enable the Array to use tunneling for a VLAN, simply enter the IP address, port and secret for the tunnel server as described in Step 10 on page 208.

VTun may be configured for a number of different tunnel types, protocols, and encryption types.
VLAN Management

This window allows you to assign and configure VLANs. After creating a new VLAN (added to the list of VLANs), you can modify the configuration parameters of an existing VLAN or delete a selected VLAN.

Figure 103. VLAN Management

The Wi-Fi Array supports dynamic VLAN assignments specified by RADIUS policy settings. When RADIUS sends these assignments, the Array dynamically assigns wireless stations to VLANs as requested. VLAN tags on traffic are passed through the Array (i.
3. New VLAN Name/Number: Enter a name and number for the new VLAN in this field, then click on the Create button. The new VLAN is added to the list.
4. VLAN Number: Enter a number for this VLAN (1-4094).
5. Management: Check this box to allow management over this VLAN.
6. DHCP: Check this box if you want the DHCP server to assign the IP address, subnet mask and gateway address to the VLAN automatically, otherwise you must go to the next step and assign these parameters manually.
7.
Security

This status-only window allows you to review the Array’s security parameters. It includes the assigned network administration accounts, Access Control List (ACL) values, management settings, encryption and authentication protocol settings, and RADIUS configuration settings. There are no configuration options available in this window, but if you are experiencing issues with security, you may want to print this window for your records.

Figure 104.
“Using the Array’s Default Certificate” on page 214
“Using an External Certificate Authority” on page 215
“About Creating Admin Accounts on the RADIUS Server” on page 219
“About Creating User Accounts on the RADIUS Server” on page 235

Security settings are configured with the following windows:

“Admin Management” on page 215
“Admin Privileges” on page 216
“Admin RADIUS” on page 218
“Management Control” on page 222
“Access Control List” on page 229
“Global S
deployments, and can audit your configuration settings automatically. In addition, using the XMS eliminates the need for an FTP server.

Choosing an encryption method: Wireless data encryption prevents eavesdropping on data being transmitted or received over the airwaves.
WPA and WPA2 to be used at the same time on the same SSID). Otherwise, if multiple security methods are needed, you must define multiple SSIDs.

The encryption mode (WEP, WPA, etc.) is selected in the SSIDs > SSID Management window (see “SSID Management” on page 248). The encryption standard used with WPA or WPA2 (AES or TKIP) is selected in the Security > Global Settings window under WPA Settings (see “Global Settings” on page 231).
this case, enter the MAC address of each user in the Allow list. In the event of a lost or stolen MAC adapter, enter the affected MAC address in the Deny list. The Wi-Fi Array will accept up to 1,000 ACL entries.

PCI DSS or FIPS 140-2 Security — to implement the requirements of these security standards on the Wi-Fi Array, please see Appendix D: Implementing PCI DSS or Appendix E: Implementing FIPS Security.
Using the Array’s Default Certificate

Figure 105. Import Xirrus Certificate Authority

The Array’s certificate is signed by a Xirrus CA that is customized for your Array and its current host name. By default, browsers will not trust the Array’s certificate. You may import the Xirrus certificate to instruct the browser to trust the Xirrus CA on all future connections to Arrays.
Using an External Certificate Authority

If you prefer, you may install a certificate on your Array signed by an outside CA.

Why use a certificate from an external CA? The Array’s certificate is used for security when stations attempt to associate to an SSID that has Web Page Redirect enabled. In this case, it is preferable for the Array to present a certificate from an external CA that is likely to be trusted by most browsers.
Procedure for Creating or Modifying Network Administrator Accounts

1. Admin ID: Enter the login name for a new network administrator ID. The length of the ID must be between 5 and 50 characters, inclusive.
2. Read/Write: Choose Read/Write if you want to give this administrator ID full read/write privileges, or choose Read to restrict this user to read only status. In the read only mode, administrators cannot save changes to configurations.
3. User Password: Enter a password for this ID.
may perform any operation except those whose level was set to 4. An error message will be displayed if an operation is attempted without a sufficient privilege level.

Figure 107. Admin Privileges

Privilege level 0 is read-only. As a minimum, all administrators have permission for read access to all areas of Array configuration. Higher privilege levels may be used to define additional privileges for specific configuration sections.
Procedure for Configuring Admin Privileges

1. Privilege Level Names (optional): You may assign a Name to each Privilege Level. The name may be used to describe the access granted by this level. By default, levels 0 and 1 are named read-only and read-write, respectively, and levels 2 through 7 have the same name as their level number.
2. Privilege Levels: Use this section to assign a Minimum Privilege Level to selected Configuration Sections as desired.
Enforced policies — you may set password rules (e.g., passwords must contain at least one number and be at least 12 characters in length), and you may set expiration times for passwords.

Admin RADIUS settings override any local administrator accounts configured on the Admin Management window. If you have Admin RADIUS enabled, all administrator authentication is done via the configured RADIUS servers. The only exception to this is when you are connected via the Console port (using CLI).
Figure 108. Admin RADIUS

Procedure for Configuring Admin RADIUS

Use this window to enable/disable administrator authentication via RADIUS, and to set up primary and secondary servers to use for authentication of administrators attempting to log in to the Array. When finished, click on the Save button to save your changes.

1. Admin RADIUS Settings:
a. Enable Admin RADIUS: Click Yes to enable the use of RADIUS to authenticate administrators logging in to the Array.
c. Timeout (seconds): Define the maximum idle time (in seconds) before the RADIUS server’s session times out. The default is 600 seconds.
2. Admin RADIUS Primary Server: This is the RADIUS server that you intend to use as your primary server.
a. Host Name / IP Address: Enter the IP address or domain name of this external RADIUS server.
b. Port Number: Enter the port number of this RADIUS server. The default is 1812.
c.
Management Control

This window allows you to enable or disable the Array management interfaces and set their inactivity time-outs. The supported range is 300 (default) to 100,000 seconds.

Figure 109.
Procedure for Configuring Management Control

1. Management Settings:
a. Failed login retry period (0-65535 seconds): After three consecutive failing administrator login attempts via ssh or telnet, the administrator’s IP address is denied access to the array for the specified period of time (in seconds). The default is 0.
b. Pre-login Banner: Text that you enter here will be displayed above the WMI login prompt. (Figure 110) You may enter up to ??xxx characters??.

Figure 110.
c. Port: Enter a value in this field to define the port used by SSH. The default port is 22.
3. Telnet:
a. On/Off: Choose On to enable Array management over a Telnet connection, or Off to disable this feature. SSH offers a more secure connection than Telnet, and is recommended over Telnet.
b. Connection Timeout 30-100000 (Seconds): Enter a value in this field to define the timeout (in seconds) before your Telnet connection is disconnected.
6. Management Modes
a. Network Assurance: Click the On button to enable this mode. Network assurance checks network connectivity to each server that you configure, such as the NTP server, RADIUS servers, SNMP trap hosts, etc. By proactively identifying network resources that are unavailable, the network manager can be alerted of problems potentially before end-users notice an issue.
the Array in accordance with the PCI DSS requirements. For more information, see “Appendix D: Implementing PCI DSS” on page 455. The pci-audit command checks items such as:

c.

• Telnet is disabled.
• Admin RADIUS is enabled (admin login authentication is via RADIUS server).
• An external Syslog server is in use.
• All SSIDs must set encryption to WPA or better (which also enforces 802.
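The four pci-audit items listed above, together with the SNMP factory defaults documented in the SNMP procedure, can be checked offline against a settings snapshot. This is an added example, not Xirrus code and not the pci-audit command itself; the dictionary layout, key names and sample values are constructed assumptions, since the page shows no export format.

```python
# Added example: audit a constructed settings snapshot against the checks this
# page describes. The snapshot layout is hypothetical; missing keys fail closed.

# Encryption modes named on this page, ranked; "none" (open SSID) ranking
# lowest is an assumption.
ENCRYPTION_RANK = {"none": 0, "wep": 1, "wpa": 2, "wpa-both": 2, "wpa2": 3}

# SNMP factory defaults as documented in the SNMP procedure on this page.
SNMP_DEFAULTS = {
    "v2_rw_community": "xirrus",
    "v3_rw_privacy_password": "xirrus-rw",
    "v3_ro_username": "xirrus-ro",
    "v3_ro_auth_password": "xirrus-ro",
}


def audit_pci_items(cfg):
    """Return findings for the four pci-audit items the page lists."""
    findings = []
    if cfg.get("telnet_enabled", True):
        findings.append("telnet: Telnet management is not disabled")
    if not cfg.get("admin_radius_enabled", False):
        findings.append("admin-radius: admin logins are not authenticated via RADIUS")
    if not cfg.get("external_syslog_host"):
        findings.append("syslog: no external Syslog server is configured")
    for ssid in cfg.get("ssids", []):
        name = ssid.get("name", "?")
        mode = str(ssid.get("encryption", "none")).lower()
        rank = ENCRYPTION_RANK.get(mode)
        if rank is None:
            findings.append(f"ssid {name}: unknown encryption mode {mode!r}")
        elif rank < ENCRYPTION_RANK["wpa"]:
            findings.append(f"ssid {name}: encryption {mode} is weaker than WPA")
    return findings


def audit_snmp_defaults(cfg):
    """Flag documented SNMP defaults that are still set on an enabled version."""
    snmp = cfg.get("snmp", {})
    # A version whose state is not recorded is treated as enabled (fail closed).
    enabled = {"v2": snmp.get("v2_enabled", True), "v3": snmp.get("v3_enabled", True)}
    findings = []
    for key, default in SNMP_DEFAULTS.items():
        if enabled[key[:2]] and snmp.get(key, default) == default:
            findings.append(f"snmp: {key} is still the factory default")
    return findings


# Constructed sample snapshots (SSID names follow the page's own examples).
SAMPLE = {
    "telnet_enabled": True,
    "admin_radius_enabled": False,
    "external_syslog_host": "",
    "ssids": [
        {"name": "accounting", "encryption": "WPA2"},
        {"name": "guests", "encryption": "WEP"},
        {"name": "voice", "encryption": "WPA-Both"},
    ],
    "snmp": {
        "v2_enabled": True, "v2_rw_community": "xirrus",
        "v3_enabled": True, "v3_rw_privacy_password": "changed-example-1",
        "v3_ro_username": "xirrus-ro", "v3_ro_auth_password": "changed-example-2",
    },
}

HARDENED = {
    "telnet_enabled": False,
    "admin_radius_enabled": True,
    "external_syslog_host": "192.0.2.10",  # documentation address
    "ssids": [{"name": "accounting", "encryption": "WPA2"}],
    "snmp": {
        "v2_enabled": False,
        "v3_enabled": True, "v3_rw_privacy_password": "changed-example-1",
        "v3_ro_username": "ops-ro", "v3_ro_auth_password": "changed-example-2",
    },
}

if __name__ == "__main__":
    for label, cfg in (("SAMPLE", SAMPLE), ("HARDENED", HARDENED)):
        results = audit_pci_items(cfg) + audit_snmp_defaults(cfg)
        print(label, "->", results or "no findings")
```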
start your browser’s Certificate Install Wizard. We recommend that you use this process to install Xirrus as a root authority in your browser.

When you assign a Host Name to your Array using the Express Setup window, then the next time you reboot the Array it automatically creates a security certificate for that host name. That certificate uses Xirrus as the signing authority.
a. Download Certificate Signing Request: After creating a certificate signing request (.csr file — Step 9), click the View button to review it. If it is satisfactory, click the name of the .csr file to display the text of the request. You can then copy this text and use it as required by the CA. You may also click on the filename of the .csr file to download it to your local computer.
b.
Access Control List

This window allows you to enable or disable the use of the global Access Control List (ACL), which controls whether a station with a particular MAC address may associate to the Array. You may create station access control list entries and delete existing entries, and control the type of list. When finished, click on the Save button to save your changes.
Procedure for Configuring Access Control Lists

1. Access Control List Type: Select Disabled to disable use of the Access Control List, or select the ACL type — either Allow List or Deny List. Then click Apply to apply your changes.
• Allow List: Only allows the listed MAC addresses to associate to the Array. All others are denied.
• Deny List: Denies the listed MAC addresses permission to associate to the Array. All others are allowed.
Global Settings

This window allows you to establish the security parameters for your wireless network, including WEP, WPA, WPA2 and RADIUS authentication. When finished, click on the Apply button to apply the new settings to this session, or click Save to apply your changes and make them permanent.

For additional information about wireless network security, refer to “Security Planning” on page 83 and “Understanding Security” on page 210.

Figure 112.
Procedure for Configuring Network Security

1. RADIUS Server Mode: Choose the RADIUS server mode you want to use, either Internal or External. Parameters for these modes are configured in “External Radius” on page 234 and “Internal Radius” on page 238.

WPA Settings

These settings are used if the WPA or WPA2 encryption type is selected on the SSIDs > SSID Management window or the Express Setup window (on this window, encryption type is set in the SSID Settings: Wireless Security field).

2.
WEP Settings

These settings are used if the WEP encryption type is selected on the SSIDs > SSID Management window or the Express Setup window (on this window, encryption type is set in the SSID Settings: Wireless Security field).

WEP encryption does not support high throughput rates or features like frame aggregation or block acknowledgements (see Improved MAC Throughput), per the IEEE 802.11n specification. WEP should never be used for WDS links on XR and XN arrays.

8.
See Also
Admin Management
External Radius
Internal Radius
Access Control List
Management Control
Security
Security Planning
SSID Management

External Radius

This window allows you to define the parameters of an external RADIUS server for user authentication. To set up an external RADIUS server, you must choose External as the RADIUS server mode in Global Settings. Refer to “Global Settings” on page 231.

Figure 113.
If you want to include user group membership in the RADIUS account information for users, see “Understanding Groups” on page 262. User groups allow you to easily apply a uniform configuration to a user on the Array.

About Creating User Accounts on the RADIUS Server

A number of attributes of user (Wi-Fi client) accounts are controlled by RADIUS Vendor Specific Attributes (VSAs) defined by Xirrus.
c. Shared Secret / Verify Secret: Enter the shared secret that this external RADIUS server will be using, then re-enter the shared secret to verify that you typed it correctly.
3. Settings: Define the session timeout, the NAS Identifier, and whether accounting will be used.
a. Timeout (seconds): Define the maximum idle time (in seconds) before the external RADIUS server’s session times out. The default is 600 seconds.
b.
5.
e. Secondary Server Host Name / IP Address (optional): If desired, enter an IP address or domain name for an alternative RADIUS accounting server. If the primary server becomes unreachable, the Array will “failover” to this secondary server (defined here).
f. Secondary Port Number: If using a secondary accounting server, enter its port number. The default is 1813.
g.
Internal Radius

This window allows you to define the parameters for the Array’s internal RADIUS server for user authentication. However, the internal RADIUS server will only authenticate wireless clients that want to associate to the Array. This can be useful if an external RADIUS server is not available. To set up the internal RADIUS server, you must choose Internal as the RADIUS server mode in Global Settings. Refer to “Global Settings” on page 231.

Figure 114.
Procedure for Creating a New User

1. User Name: Enter the name of the user that you want to authenticate to the internal RADIUS server.
2. SSID Restriction: (Optional) If you want to restrict this user to associating to a particular SSID, choose an SSID from the pull-down list.
3. User Group: (Optional) If you want to make this user a member of a previously defined user group, choose a group from the pull-down list. This will apply all of the user group’s settings to the user.
Global Settings (IAP)
Access Control List
Management Control
Security
Understanding Groups
Rogue Control List

This window allows you to set up a control list for rogue APs, based on a type that you define. You may classify rogue APs as blocked, so that the Array will take steps to prevent stations from associating with the blocked AP. See “About Blocking Rogue APs” on page 295. The Array can keep up to 5000 entries in this list. When finished, click on the Save button to save your changes.
Procedure for Establishing Rogue AP Control

1. Rogue BSSID/SSID: Enter the BSSID, SSID, or manufacturer string to match for the new rogue control entry. The Match Only radio buttons specify what to match (e.g., the MAC address, SSID, or manufacturer). You may use the “*” character as a wildcard to match any string at this position. For example, 00:0f:7d:* matches any string that starts with 00:0f:7d:.
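Because a blocked entry affects every AP it matches, it helps to preview a wildcard entry against observed APs before saving it. The following is an added example, not the Array's matcher: the entry and AP dictionaries, the vendor names and the observed list are constructed, and treating BSSIDs as case-insensitive while SSID and manufacturer strings stay case-sensitive is an assumption.

```python
import re

# The three "Match Only" choices described in the procedure above.
MATCH_FIELDS = ("bssid", "ssid", "manufacturer")


def entry_matches(entry, ap):
    """True if a control-list entry matches an observed AP.

    "*" matches any string at its position; every other character is literal,
    so a "." or "+" inside an SSID is never treated as a regex operator.
    """
    field = entry["match"]
    if field not in MATCH_FIELDS:
        raise ValueError(f"unsupported match type: {field!r}")
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in entry["pattern"])
    # Assumption: hex case in a BSSID is not significant; other fields are exact.
    flags = re.DOTALL | (re.IGNORECASE if field == "bssid" else 0)
    return re.fullmatch(regex, ap.get(field, ""), flags) is not None


def preview(entries, observed):
    """Map each entry pattern to the BSSIDs of the observed APs it would match."""
    return {
        e["pattern"]: [ap["bssid"] for ap in observed if entry_matches(e, ap)]
        for e in entries
    }


def overbroad(entries, observed):
    """Patterns that match every observed AP; review these before blocking."""
    hits = preview(entries, observed)
    return [p for p, bssids in hits.items() if observed and len(bssids) == len(observed)]


# Constructed observations (vendor names are placeholders).
OBSERVED = [
    {"bssid": "00:0F:7D:12:34:56", "ssid": "guests", "manufacturer": "ExampleVendor-A"},
    {"bssid": "00:0f:7d:aa:bb:cc", "ssid": "Free.WiFi", "manufacturer": "ExampleVendor-A"},
    {"bssid": "02:00:00:00:00:01", "ssid": "FreeXWiFi", "manufacturer": "ExampleVendor-B"},
    {"bssid": "02:00:00:00:00:02", "ssid": "free.wifi", "manufacturer": "ExampleVendor-B"},
]

# Constructed control-list entries; the first pattern is the page's own example.
ENTRIES = [
    {"pattern": "00:0f:7d:*", "match": "bssid"},
    {"pattern": "Free.WiFi", "match": "ssid"},
    {"pattern": "*WiFi", "match": "ssid"},
    {"pattern": "ExampleVendor-*", "match": "manufacturer"},
]

if __name__ == "__main__":
    for pattern, bssids in preview(ENTRIES, OBSERVED).items():
        print(f"{pattern!r} matches {len(bssids)} AP(s): {bssids}")
    print("matches everything observed:", overbroad(ENTRIES, OBSERVED))
```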
SSIDs

This status-only window allows you to review SSID (Service Set IDentifier) assignments. It includes the SSID name, whether or not an SSID is visible on the network, any security and QoS parameters defined for each SSID, associated VLAN IDs, radio availability, and DHCP pools defined per SSID. Click on an SSID’s name to jump to the edit page for the SSID.
SSIDs are managed with the following windows:

“SSID Management” on page 248
“Active IAPs” on page 259

Understanding SSIDs

The SSID (Service Set Identifier) is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity. Multiple access points on a network or sub-network can use the same SSIDs. SSIDs are case-sensitive and can contain up to 32 alphanumeric characters (do not include spaces when defining SSIDs).
As an example, one SSID named accounting might require the highest level of security, while another named guests might have low security requirements. Another example may define an SSID named voice that supports voice over Wireless LAN phones with the highest Quality of Service (QoS) definition. This SSID might also forward traffic to specific VLANs on the wired network.
IEEE 802.1p defines eight priority levels for wired networks. Each data packet may be tagged with a priority level, i.e., a user priority tag. Since there are eight possible user priority levels and the Array implements four wireless QoS levels, user priorities are mapped to QoS as described below.

End-to-End QoS Handling

Wired QoS - Ethernet Port:

Ingress: Incoming wired packets are assigned QoS priority based on their SSID and 802.1p tag (if any), as shown in the table below.
Egress: Outgoing wired packets are IEEE 802.1p tagged at the Ethernet port for upstream traffic, thus enabling QoS at the edge of the network.

FROM Array QoS (Wireless)    TO Priority Tag 802.1p (Wired)
0 (Lowest priority)          0
1                            1
2 (Default)                  5
3 (Highest priority)         6

Wireless QoS - Radios:

Each SSID can be assigned a separate QoS priority (i.e., traffic class) from 0 to 3, where 3 is highest priority and 2 is the default. See “SSID Management” on page 248.
Voice Support
The QoS priority implementation on the Array supports voice applications.

SSID Management
This window allows you to manage SSIDs (create, edit and delete), assign security parameters and VLANs on a per SSID basis, and configure the Web Page Redirect functionality. When finished, click on the Save button to save your changes.
[Figure callouts: Create new SSID; Configure parameters; Set traffic limits / usage schedule; Configure WPR; Configure RADIUS server]
Figure 118.

Procedure for Managing SSIDs
1. New SSID Name: To create a new SSID, enter a new SSID name to the left of the Create button (Figure 118), then click Create. The SSID name may only consist of the characters A-Z, a-z, 0-9, dash, and underscore. You may create up to 16 SSIDs.
SSID List (top of page)
2. SSID: Shows all currently assigned SSIDs. When you create a new SSID, the SSID name appears in this table. Click any SSID in this list to select it.
3.
• 3 — The highest QoS priority setting, normally used to give priority to voice traffic.
The QoS setting you define here will prioritize wireless traffic for this SSID over other SSID traffic, as described in “Understanding QoS Priority on the Wi-Fi Array” on page 245. The default value for this field is 2.
8. DHCP Pool: If you want to associate an internal DHCP pool to this SSID, choose the pool from the pull-down list. An internal DHCP pool must be created before it can be assigned.
Each SSID supports only one encryption type at a time (except that WPA and WPA2 are both supported on an SSID if you select WPA-Both). If you need to support other encryption types, you must define additional SSIDs. The encryption standard used with WPA or WPA2 is selected in the Security>Global Settings window (page 231). For an overview of the security options, see “Security Planning” on page 83 and “Understanding Security” on page 210.
[Figure callouts: Set Encryption; Configure Radius, Accounting]
Figure 119. SSID Management
13. L3: For this SSID, check the checkbox to enable fast roaming between IAPs or Arrays at Layer 2 and Layer 3, or clear the checkbox to allow roaming at Layer 2 only. You may only select fast roaming at Layers 2 and 3 if this has been selected in Global Settings (IAP). See “Understanding Fast Roaming” on page 270.
14.
based login, users may be authenticated without using an 802.1x supplicant. See “Web Page Redirect Configuration Settings” on page 254 for details of WPR usage and configuration. When using WPR, it is particularly important to adhere to the SSID naming restrictions detailed in Step 1.
The lower part of the window contains a few sections of additional settings to configure for the currently selected SSID, depending on the values chosen for the settings described above.
18. Days Active: Choose Everyday if you want this SSID to be active every day of the week, or select only the specific days that you want this SSID to be active. Days that are not checked are considered to be the inactive days.
19. Time Active: Choose Always if you want this SSID active without interruption, or enter values in the Time On and Time Off fields to limit the time that this SSID is active.
20. To delete SSIDs, click their Delete checkboxes, then click Apply or Save.
21.
You may select among five different modes for use of the Web Page Redirect feature, each displaying a different set of parameters that must be entered:

Internal Login page
This option displays a login page (residing on the Array) instead of the first user-requested URL. There is an upload function that allows you to replace the default login page, if you wish. Please see “Web Page Redirect” on page 332 for more information. To set up internal login, set Server to Internal Login.
is displayed before timing out, or select Never to prevent the page from timing out automatically. After the splash page, the user is redirected to the captured URL. If you want the user redirected to a specific landing page instead, enter its address in Landing Page URL.

External Login page
This option redirects the user to a login page on an external web server for authentication, instead of the first user-requested URL.
To set up external splash page usage, set Server to External Splash. Enter the URL of the external web server in Redirect URL, and enter that server’s shared secret in Redirect Secret. After the splash page, the user is redirected to the captured URL. If you want the user redirected to a specific landing page instead, enter its address in Landing Page URL.

Landing Page Only
This option redirects the user to a specific landing page.
Background Image — specify an optional jpg, gif, or png file to display in the background of the page. Other customizations (logo, header, footer) will overlay the background, so that it will not be visible in those areas.
Logo Image — specify an optional jpg, gif, or png file to display at the top of the page.
Header Text File — specify an optional .txt file to display at the top of the page (beneath the logo, if any).
Footer Text File — specify an optional .
SSIDs
Understanding QoS Priority on the Wi-Fi Array

Active IAPs
By default, when a new SSID is created, that SSID is active on all IAPs. This window allows you to specify which IAPs will offer that SSID. Put differently, you can specify which SSIDs are active on each IAP. This feature is useful in conjunction with WDS. You may use this window to configure the WDS link IAPs so that only the WDS link SSIDs are active on them.
Figure 122.

Per-SSID Access Control List
This window allows you to enable or disable the use of the per-SSID Access Control List (ACL), which controls whether a station with a particular MAC address may associate to this SSID. You may create access control list entries and delete existing entries, and control the type of list. When finished, click on the Save button to save your changes.
3. MAC Address: If you want to add a MAC address to the ACL, enter the new MAC address here, then click on the Add button. The MAC address is added to the ACL.
4. Delete: You may delete selected MAC addresses from this list by checking their Delete buttons, then clicking Apply or Save.
5. Delete All: This button, on the lower left, may be used to delete all the MAC entries in an ACL.
6.
Groups
This is a status-only window that allows you to review user (i.e., wireless client) Group assignments. It includes the group name, Radius ID, VLAN IDs and QoS parameters and roaming layer defined for each group, and DHCP pools and web page redirect information defined for the group. You may click on a group’s name to jump to the edit page for the group.
A group allows you to define a set of parameter values to be applied to selected users. For example, you might define the user group Students, and set its VLAN, security parameters, web page redirect (WPR), and traffic limits. When a new user is created, you can apply all of these settings just by making the user a member of the group. The group allows you to apply a uniform configuration to a set of users in one step.
Understanding QoS Priority on the Wi-Fi Array
Web Page Redirect Configuration Settings
Understanding Fast Roaming

Group Management
This window allows you to manage groups (create, edit and delete), assign usage limits and other parameters on a per group basis, and configure the Web Page Redirect functionality. When finished, click the Save button to save your changes.
Figure 125. Group Management

Procedure for Managing Groups
1.
4. Radius ID: Enter a unique Radius ID for the group, to be used on an external Radius server. When adding a user account to the external server, this Radius ID value should be entered for the user. When the user is authenticated, Radius sends this value to the Array. This tells the Array that the user is a member of the group having this Radius ID.
5. VLAN ID: (Optional) From the pull-down list, select a VLAN for this user’s traffic to use.
9. L3: (Optional) For this group, check this box to enable fast roaming between IAPs or Arrays at Layer 2 and Layer 3. If the box is not checked, then roaming uses Layer 2 only. You may only select fast roaming at Layers 2 and 3 if this has been selected in Global Settings (IAP). See “Understanding Fast Roaming” on page 270.
10. WPR (Web Page Redirect): (Optional) Check this box if you wish to enable the Web Page Redirect functionality.
To eliminate confusion, we recommend that you configure one set of limits or the other, but not both.
11. Stations: Enter the maximum number of stations allowed on this group. The default is 1536.
12. Overall Traffic: Check the Unlimited checkbox if you do not want to place a restriction on the traffic for this group, or enter a value in the Packets/Sec field and make sure that the Unlimited box is unchecked to force a traffic restriction.
13.
IAPs
This status-only window summarizes the status of the Integrated Access Points (radios). For each IAP, it shows whether it is up or down, the channel and Wi-Fi mode, the antenna that it is currently using, its cell size and transmit and receive power, how many users (stations) are currently associated to it, whether it is part of a WDS link, and its MAC address.
Figure 126.
Figure 127. Source of Channel Setting
There are no configuration options in this window, but if you are experiencing problems or simply reviewing the IAP assignments, you may print this window for your records. Click any IAP name to open the associated configuration page.
Arrays have a fast roaming feature, allowing them to maintain sessions for applications such as voice, even while users cross boundaries between Arrays.

Understanding Fast Roaming
To maintain sessions for real-time data traffic, such as voice and video, users must be able to maintain the same IP address through the entire session. With traditional networks, if a user crosses VLAN or subnet boundaries (i.e., roaming between domains), a new IP address must be obtained. Mobile Wi-Fi users are likely to cross multiple roaming domains during a single session (especially wireless users of VoIP phones).

IAP Settings
This window allows you to enable/disable IAPs, define the wireless mode for each IAP, specify the channel to be used and the cell size for each IAP, lock the channel selection, establish transmit/receive parameters, select antennas, and reset channels. Buttons at the bottom of the list allow you to Reset Channels, Enable All IAPs, or Disable All IAPs.
For all 802.11bg settings, go to “Global Settings .11bg” on page 287. For all 802.11n settings, go to “Global Settings .11n” on page 291.

Procedure for Manually Configuring IAPs
1. In the Enabled column, check the box for a corresponding IAP to enable the IAP, or uncheck the box if you want to disable the IAP.
2. In the Band column for 802.11abg(n) radios, select the wireless band for this IAP from the choices available in the pull-down menu, either 2.4GHz or 5 GHz.
• RED — Usage is not recommended, for example, because of overlap with neighboring radios.
• YELLOW — The channel has less than optimum separation (some degree of overlap with neighboring radios).
• GRAY — The channel is already in use.
Select Auto to have the Array dynamically select a channel automatically, based on changes in the Wi-Fi environment. See “Allocating Channels” on page 67.
• Channel number — If a channel number appears, then this channel is already bonded to the listed channel.
• Off — Do not bond this channel to another channel.
• On — Bond this channel to an adjacent channel. The bonded channel is selected automatically by the Array based on the Channel (Step 3). The choice of bonded channel is static — fixed once the selection is made.
• +1 — Bond this channel to the next higher channel number. Auto Channel bonding does not apply.
The number of users and their applications are major drivers of bandwidth requirements. The network architect must account for the number of users within the Array’s cell diameter. In a large office, or if multiple Arrays are in use, you may choose Small cells to achieve a higher data rate, since walls and other objects will not define the cells naturally. For additional information about cell sizes, go to “Coverage and Capacity Planning” on page 62.
7.
Global Settings (IAP)
This window allows you to establish global IAP settings. Global IAP settings include enabling or disabling all IAPs (regardless of their operating mode), and changing settings for beacons, station management, and advanced traffic optimization — including multicast processing, load balancing, and roaming. Changes you make on this page are applied to all IAPs, without exception.
Figure 129.

Procedure for Configuring Global IAP Settings
Some of the features below, such as Load Balancing, are only available if the Array’s license includes the Xirrus Advanced RF Performance Manager (RPM). If a setting is unavailable (grayed out), then your license does not support the feature. See “About Licensing and Upgrades” on page 325.
2. IAP Status: Click on the Enable All IAPs button to enable all IAPs for this Array, or click on the Disable All IAPs button to disable all IAPs.

Beacon Configuration
5. Beacon Interval: When the Array sends a beacon, it includes with it a beacon interval, which specifies the period of time before it will send the beacon again. Enter the desired value in the Beacon Interval field, between 20 and 1000 Kusecs. A Kusec is 1000 microseconds = 1 millisecond. The value you enter here is applied to all IAPs.
6.
SSIDs — SSID Management window also has a station limit option — Station Limit (page 253). If both station limits are set, both will be enforced. As soon as either limit is reached, no new stations can associate until some other station has terminated its association.
12. Max Phones per IAP: This option allows you to control the maximum number of phones that are allowed per IAP. The default is set to a maximum of 16 but you can reduce this number, as desired.
16. Broadcast Rates: This changes the rates of broadcast traffic sent by the Array (including beacons). When set to Optimized, each broadcast or multicast packet that is transmitted on each radio is sent at the lowest transmit rate used by any client associated to that radio at that time. This results in each IAP broadcasting at the highest Array TX data rate that can be heard by all associated stations, improving system performance.
18. ARP Filtering: Address Resolution Protocol finds the MAC address of a device with a given IP address by sending out a broadcast message requesting this information. ARP filtering allows you to reduce the proliferation of ARP messages by restricting how they are forwarded across the network. You may select from the following options for handling ARP requests:
• Off: ARP filtering is disabled. ARP requests are broadcast to radios that have stations associated to them.
To enable fast roaming, choose Broadcast or Tunneled, and set additional fast roaming attributes (Step 21). To disable fast roaming, choose Off. If you enable Fast Roaming, the following ports cannot be blocked:
• Port 22610 — reserved for Layer 2 roaming using UDP to share PMK information between Arrays.
• Ports 15000 to 17999 — reserved for Layer 3 roaming (tunneling between subnets).
20.
IAP Statistics Summary
LED Settings
IAP Settings

Global Settings .11a
This window allows you to establish global 802.11a IAP settings. These settings include defining which 802.11a data rates are supported, enabling or disabling all 802.11a IAPs, auto-configuration of channel allocations for all 802.11a IAPs, and specifying the fragmentation and RTS thresholds for all 802.11a IAPs.
Figure 130. Global Settings .

Procedure for Configuring Global 802.11a IAP Settings
Some of the features below, such as Auto Configure for Cell Size and Channel Configuration, are only available if the Array’s license includes the Xirrus Advanced RF Performance Manager (RPM). If a setting is unavailable (grayed out), then your license does not support the feature. Please see “About Licensing and Upgrades” on page 325.
1. 802.11a Data Rates: The Array allows you to define which data rates are supported for all 802.
6. Set Cell Size: The Cell Size may be set globally for all 802.11a IAPs to auto, large, medium, small, or max using the drop down menu.
7. Fragmentation Threshold: This is the maximum size for directed data packets transmitted over the 802.11a radio. Larger frames fragment into several packets, their maximum size defined by the value you enter here. Smaller fragmentation numbers can help to “squeeze” packets through in noisy environments.
Global Settings .11bg
This window allows you to establish global 802.11b/g IAP settings. These settings include defining which 802.11b and 802.11g data rates are supported, enabling or disabling all 802.11b/g IAPs, auto-configuring 802.11b/g IAP channel allocations, and specifying the fragmentation and RTS thresholds for all 802.11b/g IAPs.
Figure 131. Global Settings .

Procedure for Configuring Global 802.11b/g IAP Settings
1. 802.11g Data Rates: The Array allows you to define which data rates are supported for all 802.11g radios. Select (or deselect) 11g data rates by clicking in the corresponding Supported and Basic data rate check boxes.
• Basic Rate — a wireless station (client) must support this rate in order to associate.
• Supported Rate — data rates that can be used to transmit to clients.
2. 802.
8. 802.11g Only: Choose On to restrict use to 802.11g mode only. In this mode, no 802.11b rates are transmitted. Stations that only support 802.11b will not be able to associate.
9. 802.11g Protection: You should select Auto CTS or Auto RTS to provide automatic protection for all 802.11g radios in mixed networks (802.11 b and g). You may select Off to disable this feature, but this is not recommended. Protection allows 802.11g stations to share an IAP with older, slower 802.11b stations.
special data, such as voice, VoIP (Voice-over IP) and streaming video. Select Auto to instruct the Array to manage the preamble (long and short) automatically, or choose Long Only.
12. Fragmentation Threshold: This is the maximum size for directed data packets transmitted over the 802.11b/g IAP. Larger frames fragment into several packets, their maximum size defined by the value you enter here. Enter the desired Fragmentation Threshold value, between 256 and 2346.
13.
Global Settings .11n
This window is displayed only for XR and XN Array models. It allows you to establish global 802.11n IAP settings. These settings include enabling or disabling 802.11n mode for the entire Array, specifying the number of transmit and receive chains (data stream) used for spatial multiplexing, setting a short or standard guard interval, auto-configuring channel bonding, and specifying whether autoconfigured channel bonding will be static or dynamic.

Procedure for Configuring Global 802.11n IAP Settings
1. 2. 802.11n operation is allowed only if the Array’s license includes this feature. Please see “About Licensing and Upgrades” on page 325.
802.11n Data Rates: The Array allows you to define which data rates are supported for all 802.11n radios. Select (or deselect) 11n data rates by clicking in the corresponding Supported and Basic data rate check boxes.
6. Auto bond 5 GHz channels: Select Enabled to use Channel Bonding on 5 GHz channels and automatically select the best channels for bonding. The default is Enabled. See “Channel Bonding” on page 76.
7. 5 GHz channel bonding: Select Dynamic to have auto-configuration for bonded 5 GHz channels be automatically updated as conditions change. For example, if there are too many clients to be supported by a bonded channel, dynamic mode will automatically break the bonded channel into two channels.
Advanced RF Settings
This window allows you to establish RF settings, including automatically configuring channel allocation and cell size, specifying intrusion detection and blocking of rogue APs, and configuring radio assurance and standby modes. Changes you make on this page are applied to all IAPs, without exception.
Figure 133. Advanced RF Settings

About Standby Mode
Standby Mode supports the Array-to-Array fail-over capability.
When the target has not been heard from for 40 seconds, the standby Array enables its radios until it detects that the target Array has come back online. Standby Mode is off by default. Note that you must ensure that the configuration of the standby Array is correct. This window allows you to enable or disable Standby Mode and specify the primary Array that is the target of the backup unit. See also, “Failover Planning” on page 80.

Procedure for Configuring Advanced RF Settings
Some of the features below, such as Auto Configure for Cell Size and Channel Configuration, are only available if the Array’s license includes the Xirrus Advanced RF Performance Manager (RPM). If a setting is unavailable (grayed out), then your license does not support the feature. Please see “About Licensing and Upgrades” on page 325.
• Automatically block unknown rogue APs with WEP or no encryption.
5. Auto Block Network Types: Select rogues to automatically block by applying the criteria above only to networks of the type specified below. The choices are:
• All — the unknown rogues may be part of any wireless network.
• Disabled — Disable IAP radio assurance tests (no self-monitoring occurs). Loopback tests are disabled by default.
7. Enable Standby Mode: Choose Yes to enable this Array to function as a backup unit for the target Array, or choose No to disable this feature. See “About Standby Mode” on page 294.
8. Standby Target Address: If you enabled the Standby Mode, enter the MAC address of the target Array (i.e., the address of the primary Array that is being monitored and backed up by this Array).
11. Auto Cell Size Overlap (%): Enter the percentage of cell overlap that will be allowed when the Array is determining automatic cell sizes. For 100% overlap, the power is adjusted such that neighboring Arrays that hear each other best will hear each other at -70dB. For 0% overlap, that number is -90dB.
12. Auto Cell Min Tx Power (dBm): Enter the minimum transmit power that the Array can assign to a radio when adjusting automatic cell sizes.
13.
Arrays that have been detected, to determine whether to stagger the start time for the procedure slightly. Thus, nearby Arrays will not run auto channel at the same time. This prevents Arrays from interfering with each other’s channel assignments. Click Factory Defaults to instruct the Array to return all IAPs to their factory preset channels, as shown in the table below. Click Auto Configure to perform auto channel configuration immediately, without first negotiating with any nearby Arrays.
Factory Preset Channels (US) for all models

IAP       16-Radio Models   12-Radio Models   8-Radio Models   4-Radio Models
a(n)2     52                52                56               -
a(n)3     149               40                48               -
a(n)4     40                56                64               -
a(n)5     56                44                -                -
a(n)6     157               60                -                -
a(n)7     44                48                -                -
a(n)8     60                64                -                -
a(n)9     153               -                 -                -
a(n)10    48                -                 -                -
a(n)11    64                -                 -                -
a(n)12    161               -                 -                -

17.
19. Channel List Selection: This list selects which channels are available to the auto channel algorithm. Channels that are not checked are left out of the auto channel selection process. Note that channels that have been locked by the user are also not available to the auto channel algorithm.
20. Auto Channel List: Use All Channels selects all available channels (this does not include locked channels). Use Defaults sets the auto channel list back to the defaults.

LED Settings
This window assigns behavior preferences for the Array’s IAP LEDs.
Figure 134. LED Settings

Procedure for Configuring the IAP LEDs
1. LED State: This option determines which event triggers the LEDs, either when an IAP is enabled or when an IAP first associates with the network. Choose On Radio Enabled or On First Association, as desired. You may also choose Disabled to keep the LEDs from being lit. The LEDs will still light during the boot sequence, then turn off.
2.
See Also
Global Settings (IAP)
Global Settings .11a
Global Settings .
WDS
This is a status-only window that provides an overview of all WDS links that have been defined. WDS (Wireless Distribution System) is a system that enables the interconnection of access points wirelessly, allowing your wireless network to be expanded using multiple access points without the need for a wired backbone to link them. The Summary of WDS Client Links shows the WDS links that you have defined on this Array and identifies the target Array for each by its base MAC address.
The configuration for WDS is performed on the client Array only, as described in “WDS Client Links” on page 307. No WDS configuration is performed on the host Array. First you will set up a client link, defining the target (host) Array and SSID, and the maximum number of IAPs in the link. Then you will select the IAPs to be used in the link. When the client link is created, each member IAP will associate to an IAP on the host Array.
See Also
SSID Management
Active IAPs
WDS Client Link IAP Assignments:
WDS Client Links
WDS Statistics

WDS Client Links
This window allows you to set up a maximum of four WDS client links.
Figure 137. WDS Client Links

Procedure for Setting Up WDS Client Links
WDS Client Link Settings:
1. Client Link: Shows the ID (1 to 4) of each of the four possible WDS links.
2. Enabled: Check this box if you want to enable this WDS link, or uncheck the box to disable the link.
3.
4. Target Array Base MAC Address: Enter the base MAC address of the target Array (the host Array at the other side of this link). To find this MAC address, open the WDS window on the target Array, and use This Array Address located on the right under the Summary of WDS Host Links.
5. Target SSID: Enter the SSID that the target Array is using.
6. Username: Enter a username for this WDS link.
13. Reset All Links: This command tears down all links configured on the Array and sets them back to their factory defaults, effective immediately.
Filters
This feature is only available if the Array’s license includes the Xirrus Advanced RF Security Manager (RSM). If a setting is unavailable (grayed out), then your license does not support the feature. Please see “About Licensing and Upgrades” on page 325.
The Wi-Fi Array’s integrated firewall uses stateful inspection to speed the decision of whether to allow or deny traffic. Filters are used to define the rules used for blocking or passing traffic.
The read-only Filters window provides you with an overview of all filter lists that have been defined for this Array, and the filters that have been created in each list. Filters are listed in the left side column by name under the filter list to which they belong. Each filter entry includes information about the type of filter, the protocol it is filtering, which port it applies to, source and destination addresses, and QoS and VLAN assignments.
2. New Filter List Name: Enter a name for the new filter list in this field, then click on the Create button to create the list. All new filters are disabled when they are created. The new filter list is added to the Filter List table in the window. Click on the filter list name, and you will be taken to the Filter Management window for that filter list.
3. On: Check this box to enable this filter list, or leave it blank to disable the list.
Filter Management
This window allows you to create and manage filters that belong to a selected filter list, based on the filter criteria you specify. Filters are applied in order, from top to bottom.
[Figure callout: Click here to change the order.]
Figure 140. Filter Management
Note that filtering is secondary to the stateful inspection performed by the integrated firewall. Traffic for established connections is passed through without the application of these filtering rules.
filter in a different filter list. Two filters with the same name in different filter lists will be completely unrelated to each other — they may be defined with different parameter values.
3. Filter: Choose a filter entry to modify from the list at the top of the window.
4. On: Use this field to enable or disable this filter.
5. Deny: Choose whether this filter will be an Allow filter or a Deny filter.
11. Source Address: Define a source address to match as a filter criterion. Click the radio button for the desired type of address (or other attribute) to match. Then specify the value to match in the field to the right of the button. Choose Any to use any source address. Check Not to match any address except for the specified address.
12. Destination Address: Define a destination address to match as a filter criterion.
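The following Python sketch is an added example, not Xirrus code or part of the original manual. It audits an ordered filter list for Deny filters that would block the Fast Roaming ports named under Global Settings (IAP): UDP port 22610 and ports 15000 to 17999. The Filter model, first-match evaluation, and checking both TCP and UDP for the Layer 3 range are assumptions; the manual states only that filters are applied in order, from top to bottom.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports the manual says cannot be blocked when Fast Roaming is enabled.
L2_ROAMING = ("udp", 22610, 22610)   # Layer 2: PMK sharing between Arrays over UDP
L3_ROAMING_PORTS = (15000, 17999)    # Layer 3: tunneling between subnets


@dataclass
class Filter:
    """Hypothetical, simplified model of one filter entry (not the Array's own format)."""
    name: str
    deny: bool                                 # True = Deny filter, False = Allow filter
    protocol: str = "any"                      # "any", "tcp" or "udp"
    ports: Optional[Tuple[int, int]] = None    # inclusive port range; None = any port
    on: bool = True                            # filters that are not On are skipped


@dataclass
class Finding:
    filter_name: str
    protocol: str
    first_port: int
    last_port: int


def _subtract(intervals, lo, hi):
    """Remove the inclusive range [lo, hi] from a list of inclusive intervals."""
    out = []
    for a, b in intervals:
        if hi < a or lo > b:          # no overlap: keep the interval unchanged
            out.append((a, b))
            continue
        if a < lo:                    # part below the removed range survives
            out.append((a, lo - 1))
        if b > hi:                    # part above the removed range survives
            out.append((hi + 1, b))
    return out


def blocked_roaming_ports(filters: List[Filter], layer3: bool = True) -> List[Finding]:
    """Return the reserved roaming ports whose first matching enabled filter is a Deny.

    Assumes first-match semantics: once an earlier filter matches a port, later
    filters no longer apply to it. Only new connections are in scope, since the
    manual says established connections bypass these filters.
    """
    reserved = [L2_ROAMING]
    if layer3:
        # The manual does not name the transport for 15000-17999, so check both.
        reserved += [(proto, *L3_ROAMING_PORTS) for proto in ("udp", "tcp")]

    findings = []
    for proto, lo, hi in reserved:
        undecided = [(lo, hi)]        # ports no earlier filter has matched yet
        for f in filters:
            if not f.on or f.protocol not in ("any", proto):
                continue
            f_lo, f_hi = f.ports if f.ports else (0, 65535)
            if f.deny:
                for a, b in undecided:
                    o_lo, o_hi = max(a, f_lo), min(b, f_hi)
                    if o_lo <= o_hi:
                        findings.append(Finding(f.name, proto, o_lo, o_hi))
            undecided = _subtract(undecided, f_lo, f_hi)
            if not undecided:
                break
    return findings


# Constructed sample filter list (names and ranges are illustrative only).
SAMPLE_FILTERS = [
    Filter("allow-roam-l2", deny=False, protocol="udp", ports=(22610, 22610)),
    Filter("deny-high-udp", deny=True, protocol="udp", ports=(16000, 30000)),
    Filter("old-rule", deny=True, protocol="tcp", ports=(15000, 15010), on=False),
    Filter("deny-tcp-17k", deny=True, protocol="tcp", ports=(17000, 17050)),
]

if __name__ == "__main__":
    for item in blocked_roaming_ports(SAMPLE_FILTERS):
        print(f"{item.filter_name}: blocks {item.protocol} "
              f"{item.first_port}-{item.last_port}")
```

In the sample, the earlier Allow filter shields UDP 22610 from the broader Deny that follows it, while the Layer 3 range is partly blocked by two Deny filters; reordering the first two entries would expose port 22610 as well.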
Clusters
Clusters allow you to configure multiple Arrays at the same time. Using WMI (or CLI), you may define a set of Arrays that are members of the cluster. Then you may enter Cluster mode for a selected cluster, which sends all successive configuration commands issued via CLI or WMI to all of the member Arrays. When you exit cluster mode, configuration commands revert to applying only to the Array to which you are connected.

Cluster Definition
This window allows you to create clusters. All existing clusters are shown, along with the number of Arrays currently in each. Up to 16 clusters may be created, with up to 50 Arrays in each.
Figure 142. Cluster Definition

Procedure for Managing Cluster Definition
1. New Cluster Name: Enter a name for the new cluster in the field to the left of the Create button, then click Create to add this entry. The new cluster is added to the list in the window.

Cluster Management
This window allows you to add Arrays to or delete them from a selected cluster. A cluster may include a maximum of 50 Arrays. Note that the Array on which you are currently running WMI is not automatically a member of the cluster. If you would like it to be a member, you must add it explicitly.
Figure 143. Cluster Management

Procedure for Managing Clusters
1. Edit Cluster: Select the cluster to display and manage on this window.

Cluster Operation
This window puts WMI into Cluster Mode. In this mode, all configuration operations that you execute in WMI or CLI are performed on the members of the cluster. They are not performed on the Array where you are running WMI, unless it is a member of the cluster. You must use the Apply and Save buttons at the bottom of configuration windows to apply your changes in Cluster Mode, just as you would in normal operation.
2. Select a WMI window for settings that you wish to configure for the cluster, and proceed to make the desired changes. Click the Apply or Save button when done with that window to apply the changes to all Arrays in the cluster.
3. Proceed to any additional pages where you wish to make changes.
4. Some Status and Statistics windows will present information for all Arrays in the cluster.
5. Click the Save button when done if you wish to save changes on the cluster member Arrays.
6.
You have the option to show aggregate information for the cluster members, or click the Group by Array check box to separate it out for each Array.
Figure 147. Status Display in Cluster Mode
You may terminate cluster mode operation by clicking the Exit button to the right of the Group by Array check box.
Using Tools on the Wi-Fi Array

These WMI windows allow you to perform administrative tasks on your Array, such as upgrading software, rebooting, uploading and downloading configuration files, and other utility tasks. Tools are described in the following sections:

“System Tools” on page 324
“CLI” on page 336
“Options” on page 337
“Logout” on page 340

This section does not discuss using status or configuration windows.
System Tools

This window allows you to manage files for software images, configuration, and Web Page Redirect (WPR), manage the system’s configuration parameters, reboot the system, and use diagnostic tools.

Figure 148. (callouts: “Status is shown here”; “Progress is shown here”)
Some tools, such as Network Tools and Diagnostics, are only available if the Array’s license includes the Xirrus Advanced RF Analysis Manager (RAM). If a tool is unavailable (grayed out), then your license does not support the feature. See “About Licensing and Upgrades” on page 325.

About Licensing and Upgrades

The Array’s license determines many of the features that are available on the Array.
Network Tools
Progress and Status Frames

System

1. Save & Reboot or Reboot: Use Save & Reboot to save the current configuration and then reboot the Array. The LEDs on the Array indicate the progress of the reboot, as described in “Powering Up the Wi-Fi Array” on page 100. Alternatively, use the Reboot button to discard any configuration changes which have not been saved since the last reboot.
2. Software Upgrade: This feature upgrades the ArrayOS to a newer version provided by Xirrus.
3. License Key: If Xirrus provides you with a new license key for your Array, use this field to enter it, then click the Upgrade button to the right. A valid license is required for Array operation, and it controls the features available on the Array. If you upgrade your Array for additional features, you will be provided with a license key to activate those capabilities. If you attempt to enter an invalid key, you will receive an error message and the current key will not be replaced.
6. The Remote Boot Image or Configuration update happens every time that the Array reboots. If you only want to fetch the remote image or configuration file one time, be sure to turn off the remote option (blank out the field on the System Tools page) after the initial download. When a remote boot image is used, the image is transferred directly into memory and is never written to the compact flash.
• history/saved-yyyymmdd-pre-update.conf, history/saved-yyyymmdd-post-update.conf: Two files are saved for an upgrade: the setting values from just before an upgrade was performed, and the initial values afterward. The filename includes the upgrade date.
• history/saved-yyyymmdd-auto.conf: Each time you use the Save button, an “auto” file is saved with the settings current at that time.
• history/saved-yyyymmdd-pre-reset.conf: history/saved-yyyymmdd-post-reset.
Note that the configuration is automatically saved to a file in a few situations, as described in Step 8 above.

Important! When you have initially configured your Array, or have made significant changes to its configuration, we strongly recommend that you save the configuration to a file in order to have a safe backup of your working configuration.

10. Download Current Configuration: Click on the link titled xs_current.
is complete, the filename xs_diagnostic.log will be displayed in blue and provides a link to the newly created log file. Click the link to download this file to the C:\ folder on your local computer. (Figure 149)

Figure 149. Saving the Diagnostic Log (callouts: “Click Update to create log”; “Then click this link to save log file to local computer”)

This feature is only used at the request of Customer Support.
Web Page Redirect

The Array uses a Perl script and a cascading style sheet to define the default splash/login Web page that the Array delivers for WPR. You may replace these files with files for one or more custom pages of your own. See Step 15 below to view the default files. See Step 14 on page 252 for more information about WPR and how the splash/login page is used. Each SSID that has WPR enabled may have its own page. Custom files for a specific SSID must be named based on the SSID name.
14. Remove File: Enter the name of the WPR file you want to remove, then click on the Delete button. You can use the List Files button to show you a list of files that have been saved on the Array for WPR. The list is displayed in the Status section at the bottom of the WMI window. You must reboot to make your changes take effect.
15. Download Sample Files: Click on a link to access the corresponding sample WPR files:
• wpr.pl — a sample Perl script.
• hs.css — a sample cascading style sheet.
The RADIUS Ping command is a simple utility that tests connectivity to a RADIUS server by attempting to log in with the specified Username and Password. When using a RADIUS server, this command allows you to verify that the server configuration is correct and whether a particular Username and Password are set up properly. If a client is having trouble accessing the network, you can quickly determine if there is a basic RADIUS problem by using the RADIUS Ping tool.
17. IP Address: For Ping or Trace Route, enter the IP address of the target device.
18. Timeout: For Ping or Trace Route, enter a value (in seconds) before the action times out.
19. Execute System Command: Click Execute to start the specified command. Progress of command execution is displayed in the Progress frame. Results are displayed in the Status frame.

Progress and Status Frames

The Progress frame displays a progress bar for commands such as Software Upgrade and Ping.
CLI

The WMI provides this window to allow you to use the Array’s Command Line Interface (CLI). You can enter commands to configure the Array, or display information using show commands. You will not need to log in - you already logged in to the Array when you started the WMI.

Figure 154. CLI Window

To enter a command, simply type it in. The command is echoed and output is shown in the normal way — that is, the same way it would be if you were using the CLI directly.
config-iap. The prompt will indicate the current command mode, for example:

My-Array(config-iap) #

You can abbreviate a command and it will be executed if you have typed enough of the command to be unambiguous. The command will not auto-complete, however. Only the abbreviated command that you actually typed will be shown. You can type a partial command and press Tab to have the command auto-complete. If the partial command is ambiguous, a list of legal endings is displayed.
Procedure for Configuring Options

1. Style: This option allows you to change the appearance and operation of the user interface. Select one of the available styles from the drop-down list. Click the Apply button to view the WMI with the selected style. Note that some styles just change the display appearance (the skin) of WMI, in much the same way as changing the display theme used in Windows 7. Other styles include more extensive changes to the interface.

Figure 156.
2. Refresh Interval in Seconds: Many of the windows in the Status section of the WMI have an Auto Refresh option. You may use this setting to change how often a status or statistics window is refreshed, if its auto refresh option is enabled. Enter the desired number of seconds between refreshes, then click the Apply button. The default refresh interval is 30 seconds.
3.
Logout

Click on the Logout button to terminate your session. When the session is terminated, you are presented with the Array’s login window.

Figure 157.
The Command Line Interface

This section covers the commands and the command structure used by the Wi-Fi Array’s Command Line Interface (CLI), and provides a procedure for establishing a Telnet connection to the Array. Topics discussed include:

“Establishing a Secure Shell (SSH) Connection” on page 341.
“Getting Started with the CLI” on page 343.
“Top Level Commands” on page 346.
“Configuration Commands” on page 355.
“Sample Configuration Tasks” on page 389.
Wi-Fi Array network administrator assign a reserved address to the Array for ease of access in the future. 2. • If the network does not use DHCP, use the factory default address 10.0.2.1 to access either the Gigabit 1 or Gigabit 2 Ethernet port. You may need to change the IP address of the port on your computer that is connected to the Array — change that port’s IP address so that it is on the same 10.0.2.xx subnet as the Array port.
Getting Started with the CLI

The root command prompt (Root Command Prompt) is the first prompt you see after logging in to the CLI. If you are at a level other than the root command prompt you can return to this prompt at any time by using the exit command to step back through each command prompt level. The root command prompt you see in the CLI window is determined by the host name you assigned to your Array.
The help command is only available at the root command prompt. Initiating this command generates a window that provides information about the types of help that are available with the CLI.

Figure 159.
? Command

This command is available at any prompt and provides either FULL or PARTIAL help. Using the ? (question mark) command when you are ready to enter an argument will display all the possible arguments (full help). Partial help is provided when you enter an abbreviated argument and you want to know what arguments will match your input.

Figure 160.
Top Level Commands

This section offers an at-a-glance view of all top level commands — organized alphabetically. Top level commands are defined here as commands that are directly accessible from the root command prompt (Xirrus_Wi-Fi_Array#). The root command prompt is based on the host name assigned to your Array. When inputting commands, be aware that all commands are case-sensitive.
Command      Description
show         Display information about the selected item. See “show Commands” on page 350.
statistics   Display statistical data about the Array. See “statistics Commands” on page 353.
uptime       Display the elapsed time since the last boot.

configure Commands

The following table shows the second level commands that are available with the top level configure command [Xirrus_Wi-Fi_Array(config)#].
Command         Description
filter          Define protocol filter parameters.
group           Define user groups with parameter settings.
help            Description of the interactive Help system.
history         List history of commands that have been executed.
hostname        Host name for this Array.
interface       Select the interface to configure.
load            Load running configuration from flash.
location        Location name for this Array.
management
more
netflow
no
quit
radius-server
reboot
Command      Description
show         Display current information about the selected item.
snmp         Enable, disable or configure SNMP.
ssid         Configure the SSID parameters.
statistics   Display statistics.
syslog       Enable, disable or configure the Syslog Server.
uptime       Display time since the last boot.
vlan         Configure VLAN parameters.
wifi-tag     Configure VLAN parameters.
show Commands

The following table shows the second level commands that are available with the top level show command [Xirrus_Wi-Fi_Array# show].

Command              Description
acl                  Display the Access Control List.
admin                Display the administrator list or login information.
array-info           Display system information.
associatedstations   Display stations that have associated to the Array.
boot-env             Display Boot loader environment variables.
capabilities         Display detailed station capabilities.
Command           Description
diff              Display the difference between configurations.
dns               Display DNS summary information.
env-ctrl          Display the environmental controller status for the outdoor enclosure.
error-numbers     Display the detailed error number in error messages.
ethernet          Display Ethernet interface summary information.
external-radius   Display summary information for the external RADIUS server settings.
factory-config    Display the Array factory configuration information.
Command            Description
saved-config       Display the last saved Array configuration.
security           Display security settings summary information.
self-test          Display self test results.
snmp               Display SNMP summary information.
spanning-tree      Display spanning tree information.
spectrumanalyzer   Display spectrum analyzer measurements.
ssid               Display SSID summary information.
stations           Display station information.
statistics         Display statistics.
syslog             Display the system log.
statistics Commands

The following table shows the second level commands that are available with the top level statistics command [Xirrus_Wi-Fi_Array# statistics].

Command                            Description
ethernet                           Display statistical data for all Ethernet interfaces.
Ethernet Name (eth0, gig1, gig2)   Display statistical data for the defined Ethernet interface (either eth0, gig1 or gig2). FORMAT: statistics gig1
filter                             Display statistics for defined filters (if any).
filter-list
iap
Command   Description
wds       Display statistical data for the defined active WDS (Wireless Distribution System) links. FORMAT: statistics wds 1

Display configuration or status information.
Configuration Commands

All configuration commands are accessed by using the configure command at the root command prompt (Xirrus_Wi-Fi_Array#). This section provides a brief description of each command and presents sample formats where deemed necessary. The commands are organized alphabetically. When inputting commands, be aware that all commands are case-sensitive.
admin

The admin command [Xirrus_Wi-Fi_Array(config-admin)#] is used to configure the Administrator List.

Command   Description
add       Add a user to the Administrator List. FORMAT: admin add [userID]
del       Delete a user from the Administrator List. FORMAT: admin del [userID]
edit      Modify a user in the Administrator List. FORMAT: admin edit [userID]
radius    Define a RADIUS server to be used for authenticating administrators.
reset
cdp

The cdp command [Xirrus_Wi-Fi_Array(config)# cdp] is used to configure the Cisco Discovery Protocol.

Command     Description
disable     Disable the Cisco Discovery Protocol. FORMAT: cdp disable
enable      Enable the Cisco Discovery Protocol. FORMAT: cdp enable
hold-time   Select CDP message hold time before messages received from neighbors expire. FORMAT: cdp hold-time [# seconds]
interval    The Array sends out CDP announcements at this interval.
clear

The clear command [Xirrus_Wi-Fi_Array(config)# clear] is used to clear requested elements.

Command          Description
authentication   Deauthenticate a station. FORMAT: clear station [authenticated station]
history          Clear the history of CLI commands executed. FORMAT: clear history
screen           Clear the screen where you’re viewing CLI output. FORMAT: clear syslog
statistics       Clear the statistics for a requested interface.
cluster

The cluster command [Xirrus_Wi-Fi_Array(config)# cluster] is used to create and operate clusters. Clusters allow you to configure multiple Arrays at the same time. Using CLI (or WMI), you may define a set of Arrays that are members of the cluster. Then you may switch the Array to Cluster operating mode for a selected cluster, which sends all successive configuration commands issued via CLI or WMI to all of the member Arrays.
Command   Description
operate   Enter Cluster operation mode. All configuration commands are applied to all of the selected cluster’s member Arrays until you give the end command (see above). FORMAT: cluster operate [cluster-name]
reset     Delete all clusters. FORMAT: cluster reset

contact-info

The contact-info command [Xirrus_Wi-Fi_Array(config)# contact-info] is used for managing administrator contact information.
date-time

The date-time command [Xirrus_Wi-Fi_Array(config-date-time)#] is used to configure the date and time parameters. Your Array supports the Network Time Protocol (NTP) in order to ensure that the Array’s internal time is accurate. NTP is set to UTC time by default; however, you can set the time zone so that your Array will display local time. This is done by defining an offset from the UTC value.
dhcp-server

The dhcp-server command [Xirrus_Wi-Fi_Array(config-dhcp-server)#] is used to add, delete and modify DHCP pools.

Command   Description
add       Add a DHCP pool. FORMAT: dhcp-server add [dhcp pool]
del       Delete a DHCP pool. FORMAT: dhcp-server del [dhcp pool]
edit      Edit a DHCP pool. FORMAT: dhcp-server edit [dhcp pool]
reset     Delete all DHCP pools.
dns

The dns command [Xirrus_Wi-Fi_Array(config-dns)#] is used to configure your DNS parameters.

Command   Description
domain    Enter your domain name. FORMAT: dns domain [www.mydomain.com]
server1   Enter the IP address of the primary DNS server. FORMAT: dns server1 [1.2.3.4]
server2   Enter the IP address of the secondary DNS server. FORMAT: dns server2 [2.3.4.5]
server3   Enter the IP address of the tertiary DNS server. FORMAT: dns server3 [3.4.5.
file

The file command [Xirrus_Wi-Fi_Array(config-file)#] is used to manage files.

Command        Description
active-image   Validate and commit a new array software image.
backup-image   Validate and commit a new backup software image.
check-image    Validate a new array software image.
chkdsk         Check flash file system.
copy           Copy a file to another file. FORMAT: file copy [sourcefile destinationfile]
cp
dir            List the contents of a directory.
erase
format
Command         Description
remote-config   When the Array boots up, it fetches the specified configuration file from the TFTP server defined in the file remote-server command, and uses this configuration. This must be an Array configuration file with a .conf extension. A partial configuration file may be used. For instance, if you wish to use a single configuration file for all of your Arrays but don't want to have the same IP address for each Array, you may remove the ipaddr line from the file.
Command   Description
scp       Copy a file to or from a remote system. You may specify the port to use.
tftp      Open a TFTP connection with a remote server. FORMAT: file tftp host { |} [port ] [user {anonymous | password } ] { put [] | get [] }

Note: Any time you transfer any kind of software image file for the Array, it must be transferred in binary mode, or the file may be corrupted.
filter

The filter command [Xirrus_Wi-Fi_Array(config-filter)#] is used to manage protocol filters and filter lists.

Command    Description
add        Add a filter. FORMAT: filter add [name]
add-list   Add a filter list. FORMAT: filter add-list [name]
del        Delete a filter. FORMAT: filter del [name]
del-list   Delete a filter list. FORMAT: filter del-list [name]
edit       Edit a filter.
Command    Description
off        Disable a filter list. FORMAT: filter off
on         Enable a filter list. FORMAT: filter on
reset      Delete all protocol filters and filter lists. FORMAT: filter reset
stateful   Enable or disable stateful filtering (firewall).
group

The group command [Xirrus_Wi-Fi_Array(config)# group] is used to create and configure user groups. User groups allow administrators to assign specific network parameters to users through RADIUS privileges rather than having to map users to a specific SSID. Groups provide flexible control over user privileges without the need to create large numbers of SSIDs. For more information, see “Groups” on page 262.

Command   Description
add       Create a new user group.
interface

The interface command [Xirrus_Wi-Fi_Array(config)# interface] is used to select the interface that you want to configure. To see a listing of the commands that are available for each interface, use the ? command at the selected interface prompt. For example, using the ? command at the Xirrus_Wi-Fi_Array(config-gig1)# prompt displays a listing of all commands for the gig1 interface.

Command   Description
console   Select the console interface.
load

The load command [Xirrus_Wi-Fi_Array(config)# load] loads a configuration file.

Command         Description
factory.conf    Load the factory settings configuration file. FORMAT: load [factory.conf]
lastboot.conf   Load the configuration file from the last boot-up. FORMAT: load [lastboot.conf]
[myfile].conf   If you have saved a configuration, enter its name to load it. FORMAT: load [myfile.conf]
saved.conf      Load the configuration file with the last saved settings. FORMAT: load [saved.
management

The management command [Xirrus_Wi-Fi_Array(config)# management] enters management mode, where you may configure management parameters.

Command   Description
          Enter management mode. FORMAT: management

The following types of settings may be configured in management mode:

console   Configure console management parameters.
fips      Enable/disable FIPS 140-2, Level 2 Security.
more

The more command [Xirrus_Wi-Fi_Array(config)# more] is used to turn terminal pagination ON or OFF.

Command   Description
off       Turn OFF terminal pagination. FORMAT: more off
on        Turn ON terminal pagination.
netflow

The netflow command [Xirrus_Wi-Fi_Array(config-netflow)#] is used to enable or disable, or configure sending IP flow information (traffic statistics) to the collector you specify.

Command     Description
disable     Disable netflow. FORMAT: netflow disable
enable      Enable netflow. FORMAT: netflow enable
off         Disable netflow. FORMAT: netflow off
on          Enable netflow. FORMAT: netflow on
collector   Set the netflow collector IP address or fully qualified domain name (host.domain).
no

The no command [Xirrus_Wi-Fi_Array(config)# no] is used to disable a selected element or set the element to its default value.

Command          Description
acl              Disable the Access Control List. FORMAT: no acl
dot11a           Disable all 802.11a(n) IAPs (radios). FORMAT: no dot11a
dot11bg          Disable all 802.11bg(n) IAPs (radios). FORMAT: no dot11bg
https            Disable https access. FORMAT: no https
intrude-detect   Disable intrusion detection.
Command    Description
snmp       Disable SNMP features. FORMAT: no snmp
ssh        Disable ssh access. FORMAT: no ssh
syslog     Disable the Syslog services. FORMAT: no syslog
telnet     Disable Telnet access. FORMAT: no telnet
ETH-NAME   Disable the selected Ethernet interface (eth0, gig1 or gig2). You cannot disable the console interface with this command.
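Because the CLI executes any unambiguous abbreviation and shows only what was typed, a reviewer searching typed command lines for changes such as no syslog has to expand abbreviations first. The following added example (not code from this manual or from Xirrus) does that for the no command and flags the lines that disable a protection. The keyword lists are taken from this section's tables, which are incomplete on this page; the exact-match rule, the WEAKENS policy set and the sample history are assumptions constructed for illustration.

```python
# Added example: expand abbreviated Array CLI commands for change review.
# Keyword lists are copied from this section's tables, which are incomplete
# on this page; ETH-NAME is expanded to the three names the text gives.
CONFIG_KEYWORDS = [
    "admin", "cdp", "clear", "cluster", "contact-info", "date-time",
    "dhcp-server", "dns", "file", "filter", "group", "help", "history",
    "hostname", "interface", "load", "location", "management", "more",
    "netflow", "no", "quit", "radius-server", "reboot", "reset", "restore",
    "run-tests", "security", "show", "snmp", "ssid", "statistics", "syslog",
    "uptime", "vlan", "wifi-tag",
]
NO_KEYWORDS = [
    "acl", "dot11a", "dot11bg", "https", "intrude-detect", "snmp", "ssh",
    "syslog", "telnet", "eth0", "gig1", "gig2",
]
# Assumption (reviewer policy, not from the manual): `no` targets whose
# removal reduces access control, detection, logging or encrypted management.
WEAKENS = {"acl", "intrude-detect", "syslog", "ssh", "https"}


def resolve(token, keywords):
    """Return (keyword or None, candidates) for a possibly abbreviated token.

    Matching is case-sensitive, as the manual states for all commands.
    Assumption: an exact match wins over longer keywords sharing the prefix.
    """
    if token in keywords:
        return token, [token]
    hits = sorted(k for k in keywords if k.startswith(token))
    return (hits[0] if len(hits) == 1 else None), hits


def _pick(token, keywords):
    """Resolve one token; return (keyword, "") or (None, reason)."""
    match, hits = resolve(token, keywords)
    if match is None:
        reason = "ambiguous: " + ", ".join(hits) if hits else "no match"
        return None, reason
    return match, ""


def expand(line):
    """Expand the command word and, for `no`, its argument.

    Returns (expanded command, "") or (None, reason it could not be expanded).
    """
    words = line.split()
    if not words:
        return None, "empty line"
    cmd, reason = _pick(words[0], CONFIG_KEYWORDS)
    if cmd is None:
        return None, reason
    rest = words[1:]
    if cmd == "no" and rest:
        arg, reason = _pick(rest[0], NO_KEYWORDS)
        if arg is None:
            return None, reason
        rest = [arg] + rest[1:]
    return " ".join([cmd] + rest), ""


def audit(history):
    """Classify each typed line as 'review', 'ok' or 'unresolved'."""
    findings = []
    for typed in history:
        expanded, _reason = expand(typed)
        if expanded is None:
            verdict = "unresolved"  # ambiguous or unknown: inspect by hand
        else:
            parts = expanded.split()
            weakens = parts[0] == "no" and len(parts) > 1 and parts[1] in WEAKENS
            verdict = "review" if weakens else "ok"
        findings.append((typed, expanded, verdict))
    return findings


# Constructed sample of command lines typed at the (config)# prompt.
SAMPLE_HISTORY = [
    "no tel", "no sy", "n intrude", "no s", "no i",
    "host lab-array", "No ssh", "no ss",
]

if __name__ == "__main__":
    for typed, expanded, verdict in audit(SAMPLE_HISTORY):
        print(f"{verdict:10} {typed!r:18} -> {expanded}")
```

Lines reported as unresolved are not assumed to be harmless; they are the ones to read manually.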
quit

The quit command [Xirrus_Wi-Fi_Array(config)# quit] is used to exit the Command Line Interface.

Command   Description
          Exit the Command Line Interface. FORMAT: quit

If you have made any configuration changes and your changes have not been saved, you are prompted to save your changes to Flash. At the prompt, answer Yes to save your changes, or answer No to discard your changes.
reboot

The reboot command [Xirrus_Wi-Fi_Array(config)# reboot] is used to reboot the Array. If you have unsaved changes, the command will notify you and give you a chance to cancel the reboot.

Command   Description
          Reboot the Array. FORMAT: reboot
delay     Reboot the Array after a delay of 1 to 60 seconds. FORMAT: reboot delay [n]

reset

The reset command [Xirrus_Wi-Fi_Array(config)# reset] is used to reset all settings to their default values then reboot the Array.
restore

The restore command [Xirrus_Wi-Fi_Array(config)# restore] is used to restore configuration to a version that was previously saved locally.

Command   Description
?         Use this to display the list of available config files. FORMAT: restore ?
          Enter the name of the locally saved configuration to restore.
run-tests

The run-tests command [Xirrus_Wi-Fi_Array(run-tests)#] is used to enter run-tests mode, which allows you to perform a range of tests on the Array.

Command               Description
                      Enter run-tests mode. FORMAT: run-tests
iperf                 Execute iperf utility. FORMAT: run-tests iperf
kill-beacons          Turn off beacons for selected single IAP. FORMAT: run-tests kill-beacons [off | iap-name]
kill-proberesponses   Turn off probe responses for selected single IAP.
led
Command       Description
radius-ping   Special ping utility to test the connection to a RADIUS server.
Command      Description
telnet       Execute telnet utility. FORMAT: run-tests telnet [hostname | ip-addr] [command-line-switches (optional)]
traceroute   Execute traceroute utility. FORMAT: run-tests traceroute [host-name | ip-addr]

security

The security command [Xirrus_Wi-Fi_Array(config-security)#] is used to establish the security parameters for the Array.

Command   Description
wep       Set the WEP encryption parameters. FORMAT: security wep
wpa       Set the WEP encryption parameters.
snmp

The snmp command [Xirrus_Wi-Fi_Array(config-snmp)#] is used to enable, disable, or configure SNMP.

Command   Description
v2        Enable SNMP v2. FORMAT: snmp v2
v3        Enable SNMP v3. FORMAT: snmp v3
trap      Configure traps for SNMP. Up to four trap destinations may be configured, and you may specify whether to send traps for authentication failure.
ssid

The ssid command [Xirrus_Wi-Fi_Array(config-ssid)#] is used to establish your SSID parameters.

Command   Description
add       Add an SSID. FORMAT: ssid add [newssid]
del       Delete an SSID. FORMAT: ssid del [oldssid]
edit      Edit an existing SSID. FORMAT: ssid edit [existingssid]
reset     Delete all SSIDs and restore the default SSID.
syslog

The syslog command [Xirrus_Wi-Fi_Array(config-syslog)#] is used to enable, disable, or configure the Syslog server.

Command   Description
console   Enable or disable the display of Syslog messages on the console, and set the level to be displayed. All messages at this level and lower (i.e., more severe) will be displayed. FORMAT: syslog console [on/off] level [0-7]
disable   Disable the Syslog server. FORMAT: syslog disable
email     Disable the Syslog server.
Command     Description
off         Disable the Syslog server. FORMAT: syslog off
on          Enable the Syslog server. FORMAT: syslog on
primary     Set the IP address of the primary Syslog server and/or the severity level of messages to be logged. FORMAT: syslog primary [1.2.3.4] level [0-7]
secondary   Set the IP address of the secondary (backup) Syslog server and/or the severity level of messages to be logged. FORMAT: syslog primary [1.2.3.
vlan

The vlan command [Xirrus_Wi-Fi_Array(config-vlan)#] is used to establish your VLAN parameters.

Command         Description
add             Add a VLAN. FORMAT: vlan add [newvlan]
default-route   Assign a VLAN for the default route (for outbound management traffic). FORMAT: vlan default-route [defaultroute]
delete          Delete a VLAN. FORMAT: vlan delete [oldvlan]
edit            Modify an existing VLAN. FORMAT: vlan edit [existingvlan]
native-vlan     Assign a native VLAN (traffic is untagged).
wifi-tag

The wifi-tag command [Xirrus_Wi-Fi_Array(config-wifi-tag)#] is used to enable or disable Wi-Fi tag capabilities. When enabled, the Array listens for and collects information about Wi-Fi RFID tags sent on the designated channels. See also “WiFi Tag” on page 195.

Command   Description
disable   Disable wifi-tag. FORMAT: wifi-tag disable
enable    Enable wifi-tag. FORMAT: wifi-tag enable
off       Disable wifi-tag. FORMAT: wifi-tag off
on        Enable wifi-tag.
Sample Configuration Tasks

This section provides examples of some of the common configuration tasks used with the Wi-Fi Array, including:

“Configuring a Simple Open Global SSID” on page 390.
“Configuring a Global SSID using WPA-PEAP” on page 391.
“Configuring an SSID-Specific SSID using WPA-PEAP” on page 392.
“Enabling Global IAPs” on page 393.
“Disabling Global IAPs” on page 394.
“Enabling a Specific IAP” on page 395.
“Disabling a Specific IAP” on page 396.
Configuring a Simple Open Global SSID

This example shows you how to configure a simple open global SSID.

Figure 162.

Configuring a Global SSID using WPA-PEAP

This example shows you how to configure a global SSID using WPA-PEAP encryption in conjunction with the Array’s Internal RADIUS server.

Figure 163.

Configuring an SSID-Specific SSID using WPA-PEAP

This example shows you how to configure an SSID-specific SSID using WPA-PEAP encryption in conjunction with the Array’s Internal RADIUS server.

Figure 164.

Enabling Global IAPs

This example shows you how to enable all IAPs (radios), regardless of the wireless technology they use.

Figure 165.

Disabling Global IAPs

This example shows you how to disable all IAPs (radios), regardless of the wireless technology they use.

Figure 166.

Enabling a Specific IAP

This example shows you how to enable a specific IAP (radio). In this example, the IAP that is being enabled is a1 (the first IAP in the summary list).

Figure 167.

Disabling a Specific IAP

This example shows you how to disable a specific IAP (radio). In this example, the IAP that is being disabled is a2 (the second IAP in the summary list).

Figure 168.
Setting Cell Size Auto-Configuration for All IAPs

This example shows how to set the cell size for all enabled IAPs to be autoconfigured (auto). (See “Fine Tuning Cell Sizes” on page 66.) The auto_cell option may be used with global_settings, global_a_settings, or global_bg_settings. It sets the cell size of the specified IAPs to auto, and it launches an autoconfiguration to adjust the sizes.

Setting the Cell Size for All IAPs

This example shows you how to establish the cell size for all IAPs (radios), regardless of the wireless technology they use. Be aware that if the intrude-detect feature is enabled on abg(n)2 the cell size cannot be set globally — you must first disable the intrude-detect feature on abg(n)2. In this example, the cell size is being set to small for all IAPs. You have the option of setting IAP cell sizes to small, medium, large, or max.

Setting the Cell Size for a Specific IAP

This example shows you how to establish the cell size for a specific IAP (radio). In this example, the cell size for a2 is being set to medium. You have the option of setting IAP cell sizes to small, medium, large, or max (the default is max). See also “Fine Tuning Cell Sizes” on page 66.

Figure 171.

Configuring VLANs on an Open SSID

This example shows you how to configure VLANs on an Open SSID. Setting the default route enables the Array to send management traffic, such as Syslog messages and SNMP information, to a destination behind a router.

Figure 172.
Configuring Radio Assurance Mode (Loopback Tests)

The Array uses the built-in monitor radio, IAP abg(n)2, to monitor other radios in the Array. Tests include sending probes on all channels and checking for a response, and checking whether beacons are received from the other radio. If a problem is detected, corrective actions are taken to recover. Loopback mode operation is described in detail in “Array Monitor and Radio Assurance Capabilities” on page 440.

Figure 173.
Appendices
Appendix A: Servicing the Wi-Fi Array

This appendix contains procedures for servicing the Xirrus Wi-Fi Array, including the removal and reinstallation of major hardware components. Topics include:

“Removing the Access Panel” on page 407.
“Reinstalling the Access Panel” on page 410.
“Replacing the FLASH Memory Module” on page 412.
“Replacing the Main System Memory” on page 414.
“Replacing the Integrated Access Point Radio Module” on page 416.
See Also
Reinstalling the Access Panel
Removing the Access Panel
Replacing the FLASH Memory Module
Replacing the Integrated Access Point Radio Module
Replacing the Main System Memory
Replacing the Power Supply Module
Removing the Access Panel

Use this procedure when you want to remove the system’s access panel. You must remove this panel whenever you need to service the internal components of the Array.

1. Disconnect the AC power cord or Ethernet cable supplying power from the Array.
2. Place the Array face-down on a flat surface. Avoid moving the unit to reduce the risk of damage (scratching) to the finished enclosure.
3.
4. Lift up the access panel to reveal the main system board.
Figure 176. Removing the Access Panel
5. Disconnect the connectors to the power supply and the fan.
Figure 177. Disconnecting the Power Supply and Fan
6. The access panel can now be safely removed.
See Also
Reinstalling the Access Panel
Replacing the FLASH Memory Module
Replacing the Integrated Access Point Radio Module
Replacing the Main System Memory
Replacing the Power Supply Module
Reinstalling the Access Panel

Use this procedure when you need to reinstall the access panel after servicing the Array’s internal components.

1. Reconnect the fan and power supply.
Figure 178. Reconnecting the Fan and Power Supply
2. Reinstall the access panel and secure the panel with the three screws.
! Do not overtighten
Figure 179.
Wi-Fi Array 3. Reconnect the power source and turn ON the main power switch (if applicable).
Replacing the FLASH Memory Module

Use this procedure when you want to replace the system’s FLASH memory module.

1. Remove the system’s access panel. Refer to “Removing the Access Panel” on page 407.
2. Remove the FLASH memory module, taking care not to “wiggle” the module and risk damaging the connection points.
Figure 180. Removing the FLASH Memory Module
3. The removal procedure is complete.
Wi-Fi Array 4. Reinstall the access panel (refer to “Reinstalling the Access Panel” on page 410).
Replacing the Main System Memory

Use this procedure when you want to replace the main system memory.

1. Remove the access panel (refer to “Removing the Access Panel” on page 407).
2. Remove the DIMM memory module, taking care not to “wiggle” the module and risk damaging the connection points.
Push down on the two locking tabs to release the DIMM memory module.
Figure 181. Removing the DIMM Memory Module
3. The removal procedure is complete.
Replacing the Integrated Access Point Radio Module
Replacing the Power Supply Module
Replacing the Integrated Access Point Radio Module

Use this procedure when you want to replace the integrated access point radio module.

1. Remove the access panel (refer to “Removing the Access Panel” on page 407).
2. Remove the locking screws (8 places) that secure the chassis cover to the main body of the Wi-Fi Array.
Figure 182. Removing the Chassis Cover Screws
3. Lift and remove the chassis cover.
Figure 183.
4. Lift the edge of the integrated access point module.
Lift here (do not force)
Figure 184. Lifting the Integrated Access Point Module
5. Slide the integrated access point module away from the unit to disconnect it from the main system board.
Figure 185. Disconnect the Integrated Access Point Module
6. The removal procedure is complete. You can now reinstall the integrated access point module (or install a new module).
7. Reinstall the chassis cover (see warnings).
! When reinstalling the chassis cover, take care to align the cover correctly to avoid damaging the antenna modules. Do not force the chassis cover onto the body of the unit.
! Do not overtighten the locking screws.
8. Reinstall the locking screws (8 places) to secure the chassis cover in place — do not overtighten.
9. Reinstall the access panel (refer to “Reinstalling the Access Panel” on page 410).
Replacing the Power Supply Module

Use this procedure when you want to replace the power supply module.

1. Remove the access panel (refer to “Removing the Access Panel” on page 407).
2. Because the power supply unit is molded into the access panel, you must install a new access panel assembly (with the power supply attached). Refer to “Reinstalling the Access Panel” on page 410.
Access panel (with power supply and fan)
Figure 186.
Appendix B: Quick Reference Guide

This section contains product reference information. Use this section to locate the information you need quickly and efficiently. Topics include:
“Factory Default Settings” on page 421.
“Keyboard Shortcuts” on page 428.

Factory Default Settings

The following tables show the Wi-Fi Array’s factory default settings.
Gigabit 1 and Gigabit 2

Setting: Default Value
Enabled: Yes
DHCP Bind: Yes
Default IP Address: 10.0.2.1
Default IP Mask: 255.255.255.0
Default Gateway: None
Auto Negotiate: On
Duplex: Full
Speed: 1000 Mbps
MTU Size: 1504
Management Enabled: Yes

Fast Ethernet

Setting: Default Value
Enabled: Yes
DHCP Bind: Yes
Default IP Address: 10.0.1.1
Default IP Mask: 255.255.255.
Setting: Default Value
MTU Size: 1500
Management Enabled: Yes

Integrated Access Points (IAPs)

Setting: Default Value
IAP abg2 Defaults: Enabled; Mode = Monitor; Channel = Monitor; Cell Size = Manual; Antenna = Internal-Omni
Enabled (Radio State): No
Mode: XS16: 802.11a for a1 to a12, 802.11bg for abg1 to abg4; XS8: 802.11a for a1 to a4, 802.11bg for abg1 to abg4; XS4 802.
Server Settings

NTP

Setting: Default Value
Enabled: No
Primary: time.nist.gov
Secondary: pool.ntp.
Setting: Default Value
Trap Port: 162
Authorization Fail Port: On

DHCP

Setting: Default Value
Enabled: No
Maximum Lease Time: 300 minutes
Default Lease Time: 300 minutes
IP Start Range: 192.168.1.2
IP End Range: 192.168.1.
Setting: Default Value
Broadcast: On

Security

Global Settings - Encryption

Setting: Default Value
Enabled: Yes
WEP Keys: null (all 4 keys)
WEP Key Length: null (all 4 keys)
Default Key ID: 1
WPA Enabled: No
TKIP Enabled: Yes
AES Enabled: Yes
EAP Enabled: Yes
PSK Enabled: No
Pass Phrase: null
Group Rekey: Disabled

External RADIUS (Global)

Setting: Default Value
Enabled: Yes
Primary Server: None
Primary Port: 1812
Setting: Default Value
Primary Secret: xirrus
Secondary Server: null (no IP address)
Secondary Port: 1812
Secondary Secret: null (no secret)
Time Out (before primary server is retired): 600 seconds
Accounting: Disabled
Interval: 300 seconds
Primary Server: None
Primary Port: 1813
Primary Secret: xirrus
Secondary Server: None
Secondary Port: 1813
Secondary Secret: null (no secret)

Internal RADIUS

Setting: Default Value
Enabled: No

The user database is cleared upon reset to the factory def
Administrator Account and Password

Setting: Default Value
ID: admin
Password: admin

Management

Setting: Default Value
SSH: On
SSH timeout: 300 seconds
Telnet: Off
Telnet timeout: 300 seconds
Serial: On
Serial timeout: 300 seconds
Management over IAPs: Off
http timeout: 300 seconds

Keyboard Shortcuts

The following table shows the most common keyboard shortcuts used by the Command Line Interface.

Action: Shortcut
Cut selected data and place it on the clipboard.
Action: Shortcut
Paste data from the clipboard into a document (at the insertion point): Ctrl + V
Go to top of screen: Ctrl + Z
Copy the active window to the clipboard: Alt + Print Screen
Copy the entire desktop image to the clipboard: Print Screen
Abort an action at any time: Esc
Go back to the previous screen: b
Access the Help screen.
Wi-Fi Array Appendix C: Technical Support This appendix provides valuable support information that can help you resolve technical difficulties. Before contacting Xirrus, review all topics below and try to determine if your problem resides with the Wi-Fi Array or your network infrastructure.
Wi-Fi Array If you are deploying multiple units, the Array should be oriented so that the abg(n)2 radio is oriented in the direction of the least required coverage, because when in monitor mode the abg(n)2 radio does not function as an AP servicing stations. The Wi-Fi Array should only be used with Wi-Fi certified client devices.
Wi-Fi Array Q. What would I use SSIDs for? A. The creation of different wireless network names allows system administrators to separate types of users with different requirements. The following policies can be tied to an SSID: Minimum security required to join this SSID. The wireless Quality of Service (QoS) desired for this SSID. The wired VLAN associated with this SSID.
6. If desired (optional), you can select which radios this SSID will not be available on — the default is to make this SSID available on all radios.
7. Click on the Apply button to apply your changes to this session.
8. Click on the Save button to save your changes.
9. If you need to edit any of the SSID settings, you can do so from the SSID Management page.

See Also
Contact Information
General Hints and Tips
Security
SSIDs
SSID Management
VLAN Support

Security

Q.
SSH versus Telnet

Be aware that Telnet is not secure over network connections and should be used only with a direct serial port connection. When connecting to the unit’s Command Line Interface over a network connection, you must use a Secure SHell (SSH) utility. The most commonly used freeware providing SSH tools is PuTTY. The Array only allows SSH-2 connections, so your SSH utility must be set up to use SSH-2.

Configuration auditing

Do not change approved configuration settings.
TKIP solves security issues with WEP. It also allows you to establish encryption keys on a per-user basis, with key rotation for added security. In addition, TKIP provides Message Integrity Check (MIC) functionality and prevents active attacks on the wireless network. AES is the strongest encryption standard and is used by government agencies; however, old legacy hardware may not be capable of supporting the AES mode (it probably won’t work on older wireless clients).
Wi-Fi Array (provided by the Wi-Fi Array) or external. An external RADIUS server offers more functionality and is recommended for large Enterprise deployments. When using this method, user names and passwords must be entered into the RADIUS server for user authentication. MAC Address ACLs (Access Control Lists) MAC address ACLs provide a list of client adapter MAC addresses that are allowed or denied access to the wireless network.
Wi-Fi Array VLAN Support Q. What Are VLANs? A. VLANs (Virtual Local Area Networks) are a logical grouping of network devices that share a common network broadcast domain. Members of a particular VLAN can be on any segment of the physical network but logically only members of a particular VLAN can see each other. VLANs are defined and implemented using the wired network switches that are VLAN capable. Packets are tagged for transmission on a particular VLAN according to the IEEE 802.
Wi-Fi Array As an example, to provide guest user access an SSID of guest might be created. This SSID could be mapped to a wired VLAN that segregates unknown users from the rest of the wired network and restricts them to Internet access only. Wireless users could then associate to the wireless network via the guest SSID and obtain access to the Internet through the selected VLAN, but would be unable to access other privileged network resources.
Array Monitor and Radio Assurance Capabilities

All models of the Wi-Fi Array have a monitor radio, abg(n)2, that checks that the Array’s radios are functioning correctly, and acts as a dedicated threat sensor to detect and prevent intrusion from rogue access points.

Enabling Monitoring on the Array

IAP abg(n)2 may be set to monitor the Array or to be a normal IAP radio.
Wi-Fi Array Radio Assurance The Array is capable of performing continuous, comprehensive tests on its radios to assure that they are operating properly. Testing is enabled using the Radio Assurance Mode setting on the Advanced RF Settings window (Step 6 in “Advanced RF Settings” on page 294). When this mode is enabled, IAP abg(n)2 performs loopback tests on the Array. Radio Assurance Mode requires Intrusion Detection to be set to Standard (See Step 1 in “Advanced RF Settings” on page 294).
Radio Assurance Options

If the monitor detects a problem with an Array radio as described above, it will take action according to the preference that you have specified in the Radio Assurance Mode setting on the Advanced RF Settings window (see Step 6 on page 297):

Failure alerts only — The Array will issue alerts in the Syslog, but will not initiate repairs or reboots.
RADIUS Vendor Specific Attributes (VSAs) for Xirrus

A number of RADIUS VSAs are defined for Xirrus Arrays. These control administrator privileges and a number of settings for user accounts, such as QoS, roaming, VLAN, etc. The RADIUS VSAs are used by Arrays to define selected attributes for the following account types:

Array administrators — the Xirrus-Admin-Role attribute sets the privilege level for this account.
ATTRIBUTE Xirrus-User-Roaming-Layer 7 integer
ATTRIBUTE Xirrus-User-Traffic-Limit 8 integer
ATTRIBUTE Xirrus-User-DHCP-Pool 9 string
ATTRIBUTE Xirrus-User-Filter-List 10 string
ATTRIBUTE Xirrus-User-Group 11 string
ATTRIBUTE Xirrus-User-Interface 12 string
ATTRIBUTE Xirrus-User-Location 13 string
VALUE Xirrus-User-Qos-Wifi Best-Effort 0
VALUE Xirrus-User-Qos-Wifi Background 1
VALUE Xirrus-User-Qos-Wifi Video 2
VALUE Xirrus-User-Qos-Wifi Voice 3
VALUE VALUE VALUE VALUE VALUE VALUE V
VALUE Xirrus-User-Roaming-Layer None 3
END-VENDOR Xirrus
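How an entry from this dictionary travels inside a RADIUS packet, as an added example (not Xirrus code and not part of the original guide): it parses the ATTRIBUTE and VALUE lines shown above and encodes or strictly decodes one RFC 2865 Vendor-Specific attribute (type 26). The function names are hypothetical, the vendor id is a constructed placeholder because the VENDOR line is not in this excerpt, and one sub-attribute per VSA is assumed.

```python
import struct

# Dictionary lines taken from the listing above (FreeRADIUS-style syntax).
XIRRUS_DICT = """
ATTRIBUTE Xirrus-User-Roaming-Layer 7 integer
ATTRIBUTE Xirrus-User-Traffic-Limit 8 integer
ATTRIBUTE Xirrus-User-DHCP-Pool 9 string
ATTRIBUTE Xirrus-User-Filter-List 10 string
ATTRIBUTE Xirrus-User-Group 11 string
ATTRIBUTE Xirrus-User-Interface 12 string
ATTRIBUTE Xirrus-User-Location 13 string
VALUE Xirrus-User-Roaming-Layer None 3
"""

VENDOR_SPECIFIC = 26            # RFC 2865 attribute type for VSAs
PLACEHOLDER_VENDOR_ID = 99999   # constructed; use the id from the VENDOR line
MAX_DATA = 255 - 8              # outer header (6) + sub-attribute header (2)


def parse_dictionary(text):
    """Return ({name: (number, type)}, {name: {label: int}})."""
    attrs, values = {}, {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        if fields[0] == "ATTRIBUTE":
            attrs[fields[1]] = (int(fields[2]), fields[3])
        elif fields[0] == "VALUE":
            values.setdefault(fields[1], {})[fields[2]] = int(fields[3])
    return attrs, values


def encode_vsa(vendor_id, attrs, values, name, value):
    """Build Type | Length | Vendor-Id | Vendor-Type | Vendor-Length | Data."""
    number, kind = attrs[name]
    if kind == "integer":
        if isinstance(value, str):          # symbolic VALUE label, e.g. "None"
            value = values[name][value]
        data = struct.pack("!I", value)
    elif kind == "string":
        data = value.encode("utf-8")
    else:
        raise ValueError("unsupported attribute type: " + kind)
    if len(data) > MAX_DATA:
        raise ValueError("value does not fit in one attribute")
    sub = struct.pack("!BB", number, 2 + len(data)) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub


def decode_vsa(blob, vendor_id, attrs, values):
    """Decode one VSA, rejecting any length or vendor inconsistency."""
    if len(blob) < 8:
        raise ValueError("too short for a vendor-specific attribute")
    a_type, a_len, vid = struct.unpack("!BBI", blob[:6])
    if a_type != VENDOR_SPECIFIC or a_len != len(blob):
        raise ValueError("not a well-formed type 26 attribute")
    if vid != vendor_id:
        raise ValueError("vendor id mismatch")
    v_type, v_len = blob[6], blob[7]
    if v_len != a_len - 6:
        raise ValueError("sub-attribute length disagrees with outer length")
    by_number = {num: (n, kind) for n, (num, kind) in attrs.items()}
    if v_type not in by_number:
        raise ValueError("vendor type not in dictionary")
    name, kind = by_number[v_type]
    data = blob[8:]
    if kind == "integer":
        if len(data) != 4:
            raise ValueError("integer attribute must carry 4 bytes")
        number = struct.unpack("!I", data)[0]
        labels = {v: k for k, v in values.get(name, {}).items()}
        return name, labels.get(number, number)
    return name, data.decode("utf-8")
```
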
Upgrading the Array via CLI

If you are experiencing difficulties communicating with the Array using the Web Management Interface, the Array provides lower-level facilities that may be used to accomplish an upgrade via the CLI and the Xirrus Boot Loader (XBL).

1. Download the latest software update from the Xirrus FTP site using your Enhanced Care FTP username and password. If you do not have an FTP username and password, contact Xirrus Customer Service for assistance (support@xirrus.com).
Boot your Array and watch the progress messages. When Press space bar to exit to bootloader: is displayed, press the space bar. The rest of this procedure is performed using the bootloader. The following steps assume that you are running DHCP on your local network.
5. Type dhcp and hit return. This instructs the Array to obtain a DHCP address and use it during this boot in the bootloader environment.
6. Type dir and hit return to see what's currently in the compact flash.
7.
L1 cache | Data: 32 KB Inst: 32 KB Status : Enabled
Watchdog | Enabled (5 secs)
I2C Bus | 400 KHz
DTT | CPU:34C RF0:34C RF1:34C RF2:27C RF3:29C
RTC | Wed 2007-Nov-05 6:43:14 GMT
System DDR | 256 MB, Unbuffered Non-ECC (2T)
L2 cache | 256 KB, Enabled
FLASH | 4 MB, CRC: OK
FPGA | 2 Devices programmed
Packet DDR | 256 MB, Unbuffered Non-ECC, Enabled
Network | Mot FEC Mot TSEC1 [Primary] Mot TSEC2
IDE Bus 0 | OK
CFCard | 122 MB, Model: Hitachi XXM2.3.
XBL>del *
[CFCard] Delete : 2 file(s) deleted
XBL>update server 192.168.39.102 xs-3.0-0425.bin
[TFTP ] Device : Mot TSEC1 1000BT Full Duplex
[TFTP ] Client : 192.168.39.195
[TFTP ] Server : 192.168.39.102
[TFTP ] File : xs-3.0-0425.bin
[TFTP ] Address : 0x1000000
[TFTP ] Loading : ##################################################
[TFTP ] Loading : ##################################################
[TFTP ] Loading : ###### done
[TFTP ] Complete: 12.9 sec, 2.
L2 cache | 256 KB, Enabled
FLASH | 4 MB, CRC: OK
FPGA | 2 Devices programmed
Packet DDR | 256 MB, Unbuffered Non-ECC, Enabled
Network | Mot FEC Mot TSEC1 [Primary] Mot TSEC2
IDE Bus 0 | OK
CFCard | 122 MB, Model: Hitachi XXM2.3.0
Environment| 4 KB, Initialized
In: serial
Out: serial
Err: serial
Press space bar to exit to bootloader:
[CFCard] File : xs*.bin
[CFCard] Address : 0x1000000
[CFCard] Loading : ############################################### done
[CFCard] Complete: 26.9 sec, 1.
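TFTP does not authenticate the server, so a saved console capture of the upgrade is worth checking against the change record. The following added example (not part of the original guide and not Xirrus code) parses the XBL transcript format shown above and confirms that the image came from the expected server under the expected file name. The function names are hypothetical, and the `update server <address> <file>` form is assumed from the one transcript on this page.

```python
import re

# Console lines copied from the XBL transcript on this page; the last line is
# cut off in the source and is kept exactly as it appears there.
CAPTURE = """\
XBL>del *
[CFCard] Delete : 2 file(s) deleted
XBL>update server 192.168.39.102 xs-3.0-0425.bin
[TFTP ] Device : Mot TSEC1 1000BT Full Duplex
[TFTP ] Client : 192.168.39.195
[TFTP ] Server : 192.168.39.102
[TFTP ] File : xs-3.0-0425.bin
[TFTP ] Address : 0x1000000
[TFTP ] Complete: 12.9 sec, 2.
"""

COMMAND = re.compile(r"^XBL>\s*(.+)$")                      # operator input
TAGGED = re.compile(r"^\[(\w+)\s*\]\s*(\w+)\s*:\s*(.*)$")   # "[TAG ] Key : value"


def parse_console(text):
    """Split a capture into typed commands and tagged status lines."""
    commands, tagged = [], {}
    for line in text.splitlines():
        line = line.strip()
        match = COMMAND.match(line)
        if match:
            commands.append(match.group(1).split())
            continue
        match = TAGGED.match(line)
        if match:
            tag, key, value = match.groups()
            tagged.setdefault((tag, key), []).append(value.strip())
    return {"commands": commands, "tagged": tagged}


def check_update(parsed, expected_server, expected_image):
    """Return a list of discrepancies; an empty list means the capture matches."""
    updates = [cmd for cmd in parsed["commands"] if cmd[0] == "update"]
    if not updates:
        return ["no update command in the capture"]
    problems = []
    # What the operator typed.
    if updates[-1][1:] != ["server", expected_server, expected_image]:
        problems.append("update command names a different server or image")
    # What the bootloader reported it actually used.
    for key, expected in (("Server", expected_server), ("File", expected_image)):
        reported = parsed["tagged"].get(("TFTP", key), [])
        if not reported or reported[-1] != expected:
            seen = reported[-1] if reported else "nothing"
            problems.append("TFTP " + key + " reported as " + seen)
    if ("TFTP", "Complete") not in parsed["tagged"]:
        problems.append("no TFTP Complete line, transfer may not have finished")
    return problems


if __name__ == "__main__":
    print(check_update(parse_console(CAPTURE), "192.168.39.102", "xs-3.0-0425.bin"))
```
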
Power over Gigabit Ethernet Compatibility Matrix

The Xirrus Power over Gigabit Ethernet (PoGE) solution includes different modules to be used with particular Array models. The following two tables indicate the proper PoGE injectors to use with each Array. X indicates that products are INCOMPATIBLE.
Wi-Fi Array Table 2: Legacy PoGE Injectors/Splitters XP8-MSI Injector XP1-MSI Injector XP1-MSI-X Injector XS4 Works with any PoGE injector XS8, XN4 Works with any PoGE injector, no splitter required 1 X Array Model Compatible Xirrus Injector XN16/XN12/ Works with two injector XN8/XN4, XS16 options, no splitter required 1. The 8-port XP8-MSI-H and XP8-MSI injectors each power up to eight 4-port or 8-port Arrays; or four 16-port Arrays.
Wi-Fi Array Contact Information Xirrus, Inc. is located in Thousand Oaks, California, just 55 minutes northwest of downtown Los Angeles and 40 minutes southeast of Santa Barbara. Xirrus, Inc. 2101 Corporate Center Drive Thousand Oaks, CA 91320 USA Tel: Fax: 1.805.262.1600 1.800.947.7871 Toll Free in the US 1.866.462.3980 www.xirrus.com support.xirrus.
Wi-Fi Array Appendix D: Implementing PCI DSS The Payment Card Industry (PCI) Data Security Standard (DSS) was developed by major credit card companies to help those that process credit card transactions (or cardholder information) in order to secure cardholder information and protect it from unauthorized access, fraud and other security issues. The major contributors to the standard are VISA, MasterCard, American Express, JCB, and Discover.
PCI DSS Control Objectives and Associated Requirements

Objective: Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.

Objective: Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
The Xirrus Array PCI Compliance Configuration

The check list below is designed to help ensure that Xirrus Wi-Fi Arrays are configured in a manner that is supportive of PCI Data Security Standards. Detailed configuration steps for each item are found in the referenced section of the User’s Guide.

Xirrus Wi-Fi Array Configuration for PCI DSS
( ) Register at the Xirrus Support Site to ensure notification and access to software updates.
Xirrus Wi-Fi Array Configuration for PCI DSS
( ) Check that external RADIUS servers have been configured for use with 802.1x and WPA/WPA2 wireless security. See: SSIDs, p. 243 and Global Settings, p. 231
( ) Ensure that Array Administration Accounts are being validated by External RADIUS servers. See: Admin RADIUS, p. 218
( ) Dismounting the Array, p.
with The Xirrus Array PCI Compliance Configuration above to ensure that you are using the Array in accordance with the PCI DSS requirements.

The pci-audit command checks items such as:
• Telnet is disabled.
• Admin RADIUS is enabled (admin login authentication is via RADIUS server).
• An external Syslog server is in use.
• All SSIDs must set encryption to WPA or better (which also enforces 802.1x authentication).

Sample output from this command is shown below.
Wi-Fi Array Appendix E: Implementing FIPS Security Wi-Fi Arrays may be configured to satisfy the requirements for Level 2 of Federal Information Processing Standard (FIPS) Publication 140-2. The procedure in this section lists simple steps that must be followed exactly to implement FIPS 140-2, Level 2. The procedure includes physical actions, and parameters that must be set in Web Management Interface (WMI) windows in the Security section and in other sections.
• Arrays with 8 or more radios — Apply two seals, one on either side of the Array about 180° apart from each other, as shown. Apply a third seal to the access panel opening, as shown. IMPORTANT: Make sure that each seal straddles a seam.
Figure 188.
• 4-radio Arrays — Apply two seals, one on either side of the Array about 180° apart from each other, as shown. IMPORTANT: Make sure that each seal straddles a seam.
Figure 189. Applying Two Tamper-evident seals to the XS4 or XN4

2. Enable HTTPS using the CLI if it is not already enabled, using the following command:
Xirrus_Wi-Fi_Array(config)# https on
This allows the Web Management Interface to be used for the rest of this procedure. HTTPS is enabled on Arrays by default.
3. The following steps must be performed in the order shown — you must enable FIPS 140-2 before you create SSIDs. Otherwise, FIPS mode will change the PSK keys of SSIDs, and you will not know what the keys are.
Select the Security > Management Control window. Set FIPS 140-2, Level 2 Security to On (Figure 190). Click Apply, then Save.
Figure 190. Security - Management Control Window
4. You may now proceed to define SSIDs, as described in “SSIDs” on page 243.
To implement FIPS 140-2, Level 2 using CLI:

1. The following CLI commands will perform all of the settings required to put the Array in FIPS mode:
Xirrus_Wi-Fi_Array(config)# management
Xirrus_Wi-Fi_Array(config-mgmt)# fips on
Use the save command to save these changes to flash memory.
2. Use the fips off command if you wish to stop enforcing FIPS security requirements on the Array.
Xirrus_Wi-Fi_Array(config-mgmt)# fips off
Use the save command to save these changes to flash memory.
Wi-Fi Array Appendix F: Notices This appendix contains the following information: “Notices” on page 467 “EU Directive 1999/5/EC Compliance Information” on page 470 “Compliance Information (Non-EU)” on page 477 “Safety Warnings” on page 478 “Translated Safety Warnings” on page 479 “Software License and Product Warranty Agreement” on page 480 “Hardware Warranty Agreement” on page 486 Notices Wi-Fi Alliance Certification www.wi-fi.
Wi-Fi Array determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following safety measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and the receiver. Consult the dealer or an experienced wireless technician for help. Use of a shielded twisted pair (STP) cable must be used for all Ethernet connections in order to comply with EMC requirements.
Wi-Fi Array Battery Warning Caution! The Array contains a battery which is not to be replaced by the customer. Danger of Explosion exists if the battery is incorrectly replaced. Replace only with the same or equivalent type recommended by the manufacturer. Dispose of used batteries according to the manufacturer's instructions. Power Cord If you will be using the Array with a power cord, you must use a UL-Approved cord (supplied with the unit).
Wi-Fi Array EU Directive 1999/5/EC Compliance Information This section contains compliance information for the Xirrus Wi-Fi Array family of products, which includes the XN16, XN12, XN8, XN4, XS16, XS8 and XS4. The compliance information contained in this section is relevant to the European Union and other countries that have implemented the EU Directive 1999/5/EC.
Wi-Fi Array ĺslenska [Icelandic] Þetta tæki er samkvæmt grunnkröfum og öðrum viðeigandi ákvæðum Tilskipunar 1999/5/EC. Italiano [Italian] Questo apparato é conforme ai requisiti essenziali ed agli altri principi sanciti dalla Direttiva 1999/5/CE. Latviski [Latvian] Šī iekārta atbilst Direktīvas 1999/5/EK būtiskajā prasībām un citiem ar to saistītajiem noteikumiem. Lietuvių [Lithuanian] Šis įrenginys tenkina 1995/5/EB Direktyvos esminius reikalavimus ir kitas šios direktyvos nuostatas.
Wi-Fi Array Slovensky [Slovak] Toto zariadenie je v zhode so základnými požadavkami a inými prislušnými nariadeniami direktiv: 1999/5/EC. Suomi [Finnish] Tämä laite täyttää direktiivin 1999/5//EY olennaiset vaatimukset ja on siinä asetettujen muiden laitetta koskevien määräysten mukainen. Svenska [Swedish] Denna utrustning är i överensstämmelse med de väsentliga kraven och andra relevanta bestämmelser i Direktiv 1999/5/EC.
Wi-Fi Array WEEE Compliance Natural resources were used in the production of this equipment. This equipment may contain hazardous substances that could impact the health of the environment. In order to avoid harm to the environment and consumption of natural resources, we encourage you to use appropriate take-back systems when disposing of this equipment.
Wi-Fi Array National Restrictions In the majority of the EU and other European countries, the 2.4 GHz and 5 GHz bands have been made available for the use of Wireless LANs. The following table provides an overview of the regulatory requirements in general that are applicable for the 2.4 GHz and 5 GHz bands. Frequency Band (MHz) Max Power Level (EIRP) (mW) Indoor Outdoor 2400–2483.
Wi-Fi Array Les liasons sans fil pour une utilisation en extérieur d’une distance supérieure à 300 mèters doivent être notifiées à l’Institut Belge des services Postaux et des Télécommunications (IBPT). Visitez www.bipt.be pour de plus amples détails. Greece A license from EETT is required for the outdoor operation in the 5470 MHz to 5725 MHz band. Xirrus recommends checking www.eett.gr for more details.
Wi-Fi Array Antennas The Xirrus Wi-Fi Array employs integrated antennas that cannot be removed and which are not user accessible. Nevertheless, as regulatory limits are not the same throughout the EU, users may need to adjust the conducted power setting for the radio to meet the EIRP limits applicable in their country or region. Adjustments can be made from the product’s management interface — either Web Management Interface (WMI) or Command Line Interface (CLI).
Wi-Fi Array Compliance Information (Non-EU) This section contains compliance information for the Xirrus Wi-Fi Array family of products, which includes the XN16, XN12, XN8, and XN4. The compliance information contained in this section is relevant to the listed countries (outside of the European Union and other countries that have implemented the EU Directive 1999/5/EC).
Wi-Fi Array Safety Warnings ! Safety Warnings ! Explosive Device Proximity Warning ! Lightning Activity Warning ! Circuit Breaker Warning Read all user documentation before powering this device. All Xirrus interconnected equipment should be contained indoors. This product is not suitable for outdoor operation. Please verify the integrity of the system ground prior to installing Xirrus equipment. Additionally, verify that the ambient operating temperature does not exceed 50°C.
Wi-Fi Array Translated Safety Warnings Avertissements de Sécurité ! Sécurité ! Proximité d'appareils explosifs ! Foudre ! Disjoncteur Lisez l'ensemble de la documentation utilisateur avant de mettre cet appareil sous tension. Tous les équipements Xirrus interconnectés doivent être installés en intérieur. Ce produit n'est pas conçu pour être utilisé en extérieur. Veuillez vérifier l'intégrité de la terre du système avant d'installer des équipements Xirrus.
Wi-Fi Array Software License and Product Warranty Agreement THIS SOFTWARE LICENSE AGREEMENT (THE “AGREEMENT”) IS A LEGAL AGREEMENT BETWEEN YOU (“CUSTOMER”) AND LICENSOR (AS DEFINED BELOW) AND GOVERNS THE USE OF THE SOFTWARE INSTALLED ON THE PRODUCT (AS DEFINED BELOW).
Wi-Fi Array the Product in accordance with the accompanying Documentation and for no other purpose. 2.2 Ownership. The license granted under Sections 2.1 above with respect to the Software does not constitute a transfer or sale of Licensor's or its suppliers' ownership interest in or to the Software, which is solely licensed to Customer. The Software is protected by both national and international intellectual property laws and treaties.
Wi-Fi Array 3.0 LIMITED WARRANTY AND LIMITATION OF LIABILITY 3.1 Limited Warranty & Exclusions. Licensor warrants that the Software will perform in substantial accordance with the specifications therefore set forth in the Documentation for a period of ninety [90] days after Customer's acceptance of the terms of this Agreement with respect to the Software (“Warranty Period”).
Wi-Fi Array 3.4 Limitation of Liability. (a) TOTAL LIABILITY. NOTWITHSTANDING ANYTHING ELSE HEREIN, ALL LIABILITY OF LICENSOR AND ITS SUPPLIERS UNDER THIS AGREEMENT SHALL BE LIMITED TO THE AMOUNT PAID BY CUSTOMER FOR THE RELEVANT SOFTWARE, OR PORTION THEREOF, THAT GAVE RISE TO SUCH LIABILITY OR ONE HUNDRED UNITED STATES DOLLARS (US$100), WHICHEVER IS GREATER. THE LIABILITY OF LICENSOR AND ITS SUPPLIERS UNDER THIS SECTION SHALL BE CUMULATIVE AND NOT PER INCIDENT. (b) DAMAGES.
Wi-Fi Array protective of a party's right in such Confidential Information as those set forth herein. 4.2 Return of Materials. Customer agrees to (i) destroy all Confidential Information (including deleting any and all copies contained on any of Customer's Designated Hardware or the Product) within fifteen (15) days of the date of termination of this Agreement or (ii) if requested by Licensor, return, any Confidential Information to Licensor within thirty (30) days of Licensor's written request. 5.
Wi-Fi Array 6. MISCELLANEOUS If Customer is a corporation, partnership or similar entity, then the license to the Software and Documentation that is granted under this Agreement is expressly conditioned upon and Customer represents and warrants to Licensor that the person accepting the terms of this Agreement is authorized to bind such entity to the terms and conditions herein.
Wi-Fi Array Hardware Warranty Agreement PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THIS PRODUCT BY USING THIS PRODUCT, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD ALL THE TERMS AND CONDITIONS OF THIS AGREEMENT AND THAT YOU ARE CONSENTING TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, RETURN THE UNUSED PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND. LIMITED WARRANTY.
Wi-Fi Array whether in contract, tort (including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose. SOME STATES DO NOT ALLOW LIMITATION OR EXCLUSION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES. The above warranty DOES NOT apply to any evaluation Equipment made available for testing or demonstration purposes. All such Equipment is provided AS IS without any warranty whatsoever.
Wi-Fi Array Glossary of Terms 802.11a A supplement to the IEEE 802.11 WLAN specification that describes radio transmissions at a frequency of 5 GHz and data rates of up to 54 Mbps. 802.11b A supplement to the IEEE 802.11 WLAN specification that describes radio transmissions at a frequency of 2.4 GHz and data rates of up to 11 Mbps. 802.11d A supplement to the Media Access Control (MAC) layer in 802.11 to promote worldwide use of 802.11 WLANs.
authentication
The process that a station, device, or user employs to announce its identity to the network, which validates it. IEEE 802.11 specifies two forms of authentication, open system and shared key.

bandwidth
Specifies the amount of the frequency spectrum that is usable for data transfer. In other words, it identifies the maximum data rate a signal can attain on the medium without encountering significant attenuation (loss of power).
Wi-Fi Array cell The basic geographical unit of a cellular communications system. Service coverage of a given area is based on an interlocking network of cells, each with a radio base station (transmitter/receiver) at its center. The size of each cell is determined by the terrain and forecasted number of users. channel A specific portion of the radio spectrum — the channels allotted to one of the wireless networking protocols. For example, 802.11b and 802.11g use 14 channels in the 2.
Wi-Fi Array DNS (Domain Name System) A system that maps meaningful domain names with complex numeric IP addresses. DNS is actually a separate network — if one DNS server cannot translate a domain name, it will ask a second or third until a server is found with the correct IP address. domain The main name/Internet address of a user's Internet site as registered with the InterNIC organization, which handles domain registration on the Internet. For example, the “domain” address for Xirrus is: http://www.

EDCF (Enhanced Distributed Coordinator Function)
A QoS extension which uses the same contention-based access mechanism as current devices but adds “offset contention windows” that separate high priority packets from low priority packets (by assigning a larger random backoff window to lower priorities than to higher priorities). The result is “statistical priority,” where high-priority packets usually are transmitted before low-priority packets.

Gigabit 2
The secondary Gigabit Ethernet interface. See also, Gigabit Ethernet.

Gigabit Ethernet
The newest version of Ethernet, with data transfer rates of 1 Gigabit (1,000 Mbps).

Group
A user group, created to define a set of attributes (such as VLAN, traffic limits, and Web Page Redirect) and privileges (such as fast roaming) that apply to all users that are members of the group. This allows a uniform configuration to be easily applied to multiple user accounts.

MTU (Maximum Transmission Unit)
The largest physical packet size — measured in bytes — that a network can transmit. Any messages larger than the MTU are divided into smaller packets before being sent. Every network has a different MTU, which is set by the network administrator. Ideally, you want the MTU to be the same as the smallest MTU of all the networks between your machine and a message's final destination.

preamble
Preamble (sometimes called a header) is a section of data at the head of a packet that contains information that the access point and client devices need when sending and receiving packets. PLCP has two structures, a long and a short preamble. All compliant 802.11b systems have to support the long preamble.

SDMA (Spatial Division Multiple Access)
A wireless communications mode that optimizes the use of the radio spectrum and minimizes cost by taking advantage of the directional properties of antennas. The antennas are highly directional, allowing duplicate frequencies to be used for multiple zones.

SNMP (Simple Network Management Protocol)
A standard protocol that regulates network management over the Internet.

SNTP (Simple Network Time Protocol)
A simplified version of NTP.

subnet mask
A mask used to determine what subnet an IP address belongs to. An IP address has two components: (1) the network address and (2) the host address. For example, consider the IP address 150.215.017.009. Assuming this is part of a Class B network, the first two numbers (150.215) represent the Class B network address, and the second two numbers (017.009) identify a particular host on this network.

multiple switches from different vendors. This interoperability and traffic containment across different switches is the result of a switch's ability to use and recognize 802.1Q tag headers — called VLAN tagging. Switches that implement 802.1Q tagging add this tag header to the frame directly after the destination and source MAC addresses. The tag header indicates:
1. That the packet has a tag.
2. Whether the packet should have priority over other packets.
3.

WPA2 (Wi-Fi Protected Access 2)
WPA2 is the follow-on security method to WPA for wireless networks and provides stronger data protection and network access control. It offers Enterprise and consumer Wi-Fi users a high level of assurance that only authorized users can access their wireless networks. Like WPA, WPA2 is designed to secure all versions of 802.11 devices, including 802.11a, 802.11b, 802.11g, and 802.11n, multi-band and multi-mode.