Wi-Fi Array

3. New VLAN Name/Number: Enter a name and number for the new VLAN in this field, then click on the Create button. The new VLAN is added to the list.
4. VLAN Number: Enter a number for this VLAN (1-4094).
5. Management: Check this box to allow management over this VLAN.
6. DHCP: Check this box if you want the DHCP server to assign the IP address, subnet mask and gateway address to the VLAN automatically, otherwise you must go to the next step and assign these parameters manually.
7.
Security

This status-only window allows you to review the Array’s security parameters. It includes the assigned network administration accounts, Access Control List (ACL) values, management settings, encryption and authentication protocol settings, and RADIUS configuration settings. There are no configuration options available in this window, but if you are experiencing issues with security, you may want to print this window for your records.

Figure 122.
• “Admin RADIUS” on page 214
• “Management Control” on page 217
• “Access Control List” on page 221
• “Global Settings” on page 223
• “External Radius” on page 226
• “Internal Radius” on page 229
• “Rogue Control List” on page 231

Understanding Security

The Xirrus Wi-Fi Array incorporates many configurable security features.
required to use a VPN connection through a secure SSH utility, like PuTTY.
• WEP (Wired Equivalent Privacy)—this option provides minimal protection (though much better than using an open network). An early standard for wireless data encryption and supported by all Wi-Fi certified equipment, WEP is vulnerable to hacking and is therefore not recommended for use by Enterprise networks.
• Choosing an authentication method: User authentication ensures that users are who they say they are. For this purpose, the Array allows you to choose between the following user authentication methods:
  • Pre-Shared Key—users must manually enter a key (passphrase) on the client side of the wireless network that matches the key stored by the administrator in the Array. This method should be used only for smaller networks when a RADIUS server is unavailable.
Certificates and Connecting Securely to the WMI

When you point your browser to the Array to connect to the WMI, the Array presents an X.509 security certificate to the browser to establish a secure channel. One significant piece of information in the certificate is the Array’s host name. This ties the certificate to a particular Array and assures the client that it is connecting to that host.
Figure 123. Import Xirrus Certificate Authority

By clicking and opening this file, you can follow your browser’s instructions and import the Xirrus CA into your CA cache (see page 219 for more information). This instructs your browser to trust any of the certificates signed by the Xirrus CA, so that when you connect to any of our Arrays you should no longer see the warning about an untrusted site. Note, however, that this only works if you use the host name when connecting to the Array.
is presented, the user will not see a security error if the Array’s certificate was obtained from an external CA that is already trusted by the user’s browser. WMI provides options for creating a Certificate Signing Request that you can send to an external CA, and for uploading the signed certificate to the Array after you obtain it from the CA. This certificate will be tied to the Array’s host name and private key. See “External Certification Authority” on page 220 for more details.
3. User Password: Enter a password for this ID. The length of the password must be between 5 and 50 characters, inclusive. For special characters that may be used, see “Character Restrictions” on page 126.
4. Verify Password: Re-enter the password in this field to verify that you typed the password correctly. If you do not re-enter the correct password, an error message is displayed.
5. Click on the Create button to add this administrator ID to the list.
6.
If you are using the Console port, the Array will authenticate administrators using accounts configured on the Admin Management window first, and then use the RADIUS servers. This provides a safety net to ensure that you are not completely locked out of an Array if the RADIUS server is down. Permissions for RADIUS administrator accounts are controlled by the RADIUS Service-Type attribute.
Procedure for Configuring Admin RADIUS

1. Admin RADIUS Settings:
   a. Enable Admin RADIUS: Click Yes to enable the use of RADIUS to authenticate administrators logging in to the Array. You will need to specify the RADIUS server(s) to be used.
   b. Timeout (seconds): Define the maximum idle time (in seconds) before the RADIUS server’s session times out. The default is 600 seconds.
2. Admin RADIUS Primary Server: This is the RADIUS server that you intend to use as your primary server.
   a.
   c. Shared Secret / Verify Secret: Enter the shared secret that this RADIUS server will be using, then re-enter the shared secret to verify that you typed it correctly.

Management Control

This window allows the Array management interfaces to be enabled and disabled and their inactivity time-outs set. The supported range is 300 (default) to 100,000 seconds.

Figure 126.
Procedure for Configuring Management Control

1. SSH:
   a. Enable Management: Choose Yes to enable management of the Array over a Secure Shell (SSH-2) connection, or No to disable this feature. Be aware that only SSH-2 connections are supported by the Array. SSH clients used for connecting to the Array must be configured to use SSH-2.
   b. Connection Timeout 30-100000 (Seconds): Enter a value in this field to define the timeout (in seconds) before your SSH connection is disconnected.
4. HTTPS
   a. Connection Timeout 30-100000 (Seconds): Enter a value in this field to define the timeout (in seconds) before your HTTPS connection is disconnected. The value you enter here must be between 30 seconds and 100,000 seconds. Management via HTTPS (i.e., the Web Management Interface) cannot be disabled on this window. To disable management over HTTPS, you must use the Command Line Interface.
   b. Port: Enter a value in this field to define the port used by HTTPS. The default port is 443.
5. External Certification Authority: This Step and Step 6 allow you to obtain a certificate from an external authority and install it on an Array. “Using an External Certificate Authority” on page 212 discusses reasons for using an external CA. For example, to obtain and install a certificate from VeriSign on the Array, follow these steps:
   • If you don’t already have the certificate from the external (non-Xirrus) Certificate Authority, see Step 6 to create a request for a certificate.
Address. Click the Create button to create the certificate signing request. See Step 5 above to use this request.
7. Click on the Apply button to apply the new settings to this session, or click Save to apply your changes and make them permanent.
Procedure for Configuring Access Control Lists

1. Access Control List Type: Select Disabled to disable the Access Control List, or select the Access Control List type—either Allow List or Deny List. Then click Apply to apply your changes.
   • Allow List: Only allows these MAC addresses to associate to the Array.
   • Deny List: Allows all MAC addresses except the addresses defined in this list.
Global Settings

This window allows you to establish the security parameters for your wireless network, including WEP, WPA, WPA2 and RADIUS authentication. When finished, click on the Apply button to apply the new settings to this session, or click Save to apply your changes and make them permanent. For additional information about wireless network security, refer to “Security Planning” on page 70 and “Understanding Security” on page 208.

Figure 128.
Procedure for Configuring Network Security

1. RADIUS Server Mode: Choose the RADIUS server mode you want to use, either Internal or External. Parameters for these modes are configured in “External Radius” on page 226 and “Internal Radius” on page 229.

WPA Settings

These settings are used if the WPA or WPA2 encryption type is selected on the SSIDs > SSID Management window or the Express Setup window (on this window, encryption type is set in the SSID Settings: Wireless Security field).

2.
WEP Settings

These settings are used if the WEP encryption type is selected on the SSIDs > SSID Management window or the Express Setup window (on this window, encryption type is set in the SSID Settings: Wireless Security field).

8. Key Mode / Length: If you enabled WEP, choose the mode (either ASCII or Hex) and the desired key length (either 40 or 128) from the pull-down lists.
Security Planning
SSID Management

External Radius

This window allows you to define the parameters of an external RADIUS server for user authentication. To set up an external RADIUS server, you must choose External as the RADIUS server mode in Global Settings. Refer to “Global Settings” on page 223.

Figure 129. External RADIUS Server

If you want to include user group membership in the RADIUS account information for users, see “Understanding Groups” on page 245.
Procedure for Configuring an External RADIUS Server

1. Primary Server: This is the external RADIUS server that you intend to use as your primary server.
   a. Address: Enter the IP address or domain name of this external RADIUS server.
   b. Port Number: Enter the port number of this external RADIUS server. The default is 1812.
   c.
NAS Identifier (IP address) that the RADIUS servers expect the Array to use—this is normally the IP address of the Array’s Gigabit1 port.
   c.
4. Accounting: If you would like the Array to send RADIUS Start, Stop, and Interim records to a RADIUS accounting server, click the On button and click Apply. The account settings appear, and must be configured.
   Accounting Settings:
   a. Accounting Interval (seconds): Specify how often Interim records are to be sent to the server.
Global Settings (IAP)
Internal Radius
Access Control List
Management Control
Security
Understanding Groups

Internal Radius

This window allows you to define the parameters for the Array’s internal RADIUS server for user authentication. However, the internal RADIUS server will only authenticate wireless clients that want to associate to the Array. This can be useful if an external RADIUS server is not available.
Procedure for Creating a New User

1. User Name: Enter the name of the user that you want to authenticate to the internal RADIUS server.
2. SSID Restriction: (Optional) If you want to restrict this user to associating to a particular SSID, choose an SSID from the pull-down list.
3. User Group: (Optional) If you want to make this user a member of a previously defined user group, choose a group from the pull-down list. This will apply all of the user group’s settings to the user.
Global Settings (IAP)
Access Control List
Management Control
Security
Understanding Groups

Rogue Control List

This window allows you to set up a control list for rogue APs, based on a type that you define. You may classify rogue APs as blocked, so that the Array will take steps to prevent stations from associating with the blocked AP. See “About Blocking Rogue APs” on page 276. The Array can keep up to 5000 entries in this list. When finished, click on the Save button to save your changes.
Procedure for Establishing Rogue AP Control

1. Rogue BSSID/SSID: Enter the BSSID or SSID for the new rogue AP.
2. Rogue Control Type: Define a type for the new rogue AP, either Blocked, Known or Approved.
3. Click Create to add this rogue AP to the Rogue Control List.
4. Rogue Control List: If you want to edit the control type for a rogue AP, just click the radio button for the new type for the entry: Blocked, Known or Approved, then click Apply or Save to apply your change.
5.
SSIDs

This is a status-only window that allows you to review SSID (Service Set IDentifier) assignments. It includes the SSID name, whether or not an SSID is visible on the network, any security and QoS parameters defined for each SSID, associated VLAN IDs, radio availability, and DHCP pools defined per SSID. You may click on an SSID’s name to jump to the edit page for the SSID.
allowed, time on and time off, days on and off, and whether each SSID is currently active or inactive.

Understanding SSIDs

The SSID (Service Set Identifier) is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity. Multiple access points on a network or sub-network can use the same SSIDs. SSIDs are case-sensitive and can contain up to 32 alphanumeric characters (do not include spaces when defining SSIDs).
Another example may define an SSID named voice that supports voice over Wireless LAN phones with the highest Quality of Service (QoS) definition. This SSID might also forward traffic to specific VLANs on the wired network.

See Also
SSID Management
SSIDs
Understanding SSIDs

Understanding QoS Priority on the Wi-Fi Array

Note: For a complete discussion of implementing Voice over Wi-Fi on the Array, see the Xirrus Voice over Wi-Fi Application Note in the Xirrus Library.
possible user priority levels and the Array implements four wireless QoS levels, user priorities are mapped to QoS as described below.

End-to-End QoS Handling

Wired QoS - Ethernet Port:
• Ingress: Incoming wired packets are assigned QoS priority based on their SSID and 802.1p tag (if any), as shown in the table below. This table follows the mapping recommended by IEEE 802.11e.

FROM Priority Tag 802.
• Egress: Outgoing wired packets are IEEE 802.1p tagged at the Ethernet port for upstream traffic, thus enabling QoS at the edge of the network.

FROM Array QoS (Wireless)    TO Priority Tag 802.1p (Wired)
0 (Lowest priority)          0 (Default)
1                            1
2                            5
3 (Highest priority)         6

Wireless QoS - Radios:
• Each SSID can be assigned a separate QoS priority (i.e., traffic class) from 0 to 3, where 3 is highest priority and 0 is the default. See “SSID Management” on page 238.
Voice Support
• The QoS priority implementation on the Array supports voice applications, as certified by Spectralink’s Voice Interoperability for Enterprise Wireless (VIEW) Certification Program. In particular, Spectralink voice packets are automatically classified and set to the highest priority level.

SSID Management

This window allows you to manage SSIDs (create, edit and delete), assign security parameters and VLANs on a per SSID basis, and configure the Web Page Redirect functionality.
Procedure for Managing SSIDs

1. New SSID Name: To create a new SSID, enter a new SSID name to the left of the Create button (Figure 134), then click Create. You may create up to 16 SSIDs.

SSID List (top of page)

2. SSID: Shows all currently assigned SSIDs. When you create a new SSID, the SSID name appears in this table. Click any SSID in this list to select it.
3. On: Check this box to activate this SSID or clear it to deactivate it.
4.
The QoS setting you define here will prioritize wireless traffic for this SSID over other SSID traffic, as described in “Understanding QoS Priority on the Wi-Fi Array” on page 235. The default value for this field is 2.
8. DHCP Pool: If you want to associate an internal DHCP pool to this SSID, choose the pool from the pull-down list. An internal DHCP pool must be created before it can be assigned. To create an internal DHCP pool, go to “DHCP Server” on page 201.
9.
12. Global: Check the checkbox if you want this SSID to use the security settings established at the global level (refer to “Global Settings” on page 223). Clear the checkbox if you want the settings established here to take precedence. Additional sections will be displayed to allow you to configure encryption settings, and RADIUS and RADIUS accounting settings. The encryption settings are described in “Procedure for Configuring Network Security” on page 224.
15. Stations: Enter the maximum number of stations allowed on this SSID. The default is 1024. This step is optional. Note that the IAPs - Global Settings window also has a station limit option—Max Station Association per IAP. If both station limits are set, both will be enforced. As soon as either limit is reached, no new stations can associate until some other station has terminated its association.
16.
Web Page Redirect Configuration Settings

If you enable WPR, the SSID Management window displays additional fields that must be configured. For an in-depth discussion, example configurations and complete examples, please see the Xirrus Web Page Redirect Application Note in the Xirrus Library.
• Internal Login page
  This option displays a login page (residing on the Array) instead of the first user-requested URL. Note that there is an upload function that allows you to replace the default login page, if you wish. Please see “Web Page Redirect” on page 300 for more information. To set up internal login, set Server to Internal Login.
Groups

This is a status-only window that allows you to review user Group assignments. It includes the group name, Radius ID, VLAN IDs and QoS parameters and roaming layer defined for each group, and DHCP pools and web page redirect information defined for the group. You may click on a group’s name to jump to the edit page for the group.
Groups provide flexible control over user privileges without the need to create large numbers of SSIDs. A group allows you to define a set of parameter values to be applied to selected users. For example, you might define the user group Students, and set its VLAN, security parameters, web page redirect (WPR), and traffic limits. When a new user is created, you can apply all of these settings just by making the user a member of the group.
Internal Radius
SSIDs
Understanding QoS Priority on the Wi-Fi Array
Web Page Redirect Configuration Settings
Understanding Fast Roaming

Group Management

This window allows you to manage groups (create, edit and delete), assign usage limits and other parameters on a per group basis, and configure the Web Page Redirect functionality. When finished, click the Save button to save your changes.

Figure 137. Group Management

Procedure for Managing Groups

1.
3. On: Check this box to enable this group or leave it blank to disable it. When a group is disabled, users that are members of the group will behave as if the group did not exist. In other words, the options configured for the SSID will apply to the users, rather than the options configured for the group.
4. Radius ID: Enter a unique Radius ID for the group, to be used on an external Radius server.
7. Internal DHCP Pool Assigned: (Optional) To associate an internal DHCP pool to this group, select it from the pull-down list. Only one pool may be assigned. An internal DHCP pool must be created before it can be assigned. To create a DHCP pool, go to “DHCP Server” on page 201.
8. Filter List: (Optional) If you wish to apply a set of filters to this user group’s traffic, select the desired Filter List. See “Filters” on page 289.
9.
• If any connection date/time restriction applies, it is enforced.

You can picture this as a logical AND of all restrictions. For example, suppose that a station’s SSID is available MTWTF between 8:00am and 5:00pm, and the User Group is available MWF between 6:00am and 8:00pm. The station will then be allowed on MWF between 8:00am and 5:00pm. To eliminate confusion, we recommend that you configure one set of limits or the other, but not both.
11.
DHCP Server
External Radius
Internal Radius
Security Planning
SSIDs
IAPs

This status-only window summarizes the status of the Integrated Access Points (radios). For each IAP, it shows whether it is up or down, the channel and antenna that it is currently using, its cell size and transmit and receive power, how many users (stations) are currently associated to it, whether it is part of a WDS link, and its MAC address.

Figure 138.
• “Global Settings .11a” on page 266
• “Global Settings .11bg” on page 269
• “Global Settings .11n” on page 273
• “Advanced RF Settings” on page 275
• “LED Settings” on page 283

See Also
IAP Statistics Summary

Understanding Fast Roaming

To maintain sessions for real-time data traffic, such as voice and video, users must be able to maintain the same IP address through the entire session. With traditional networks, if a user crosses VLAN or subnet boundaries (i.e.
IAP Settings

This window allows you to enable/disable IAPs, define the wireless mode for each IAP, specify the channel to be used and the cell size for each IAP, lock the channel selection, establish transmit/receive parameters, select antennas, and reset channels. Buttons at the bottom of the list allow you to Reset Channels, Enable All IAPs, or Disable All IAPs.
Procedure for Auto Configuring IAPs

You can auto-configure channel and cell size of radios by clicking on the Auto Configure buttons on the relevant WMI page (auto configuration only applies to enabled radios):
• For all radios, go to “Advanced RF Settings” on page 275.
• For all 802.11a settings, go to “Global Settings .11a” on page 266.
• For all 802.11bg settings, go to “Global Settings .11bg” on page 269.
• For all 802.11n settings, go to “Global Settings .11n” on page 273.
• YELLOW—The channel has less than optimum separation (some degree of overlap with neighboring radios).
• GRAY—The channel is already in use.

Select Auto to have the Array select a channel dynamically, based on changes in the Wi-Fi environment. See “Allocating Channels” on page 54. After you click Apply, this window and the IAPs window will show the channel that was assigned, rather than Auto.
• -1—This channel is bonded to the next lower channel number. Auto Channel bonding does not apply.
5. Click the Lock check box if you want to lock in your channel selection so that the autochannel operation (see Advanced RF Settings) cannot change it.
6. In the Cell Size column, select Auto to allow the optimal cell size to be automatically computed (see also, Step 8 on page 279).
8. If desired, enter a description for this IAP in the Description field.
9. You may reset all of the enabled IAPs by clicking the Reset Channels button at the bottom of the list. A message will inform you that all enabled radios have been taken down and brought back up.
10. Buttons at the bottom of the list allow you to Enable All IAPs or Disable All IAPs.
11. Click on the Apply button to apply the new settings to this session, or click Save to apply your changes and make them permanent.
Global Settings (IAP)

This window allows you to establish global IAP settings. Global IAP settings include enabling or disabling all IAPs (regardless of their operating mode), enabling or disabling the Beacon World Mode, specifying the short and long retry limits, and defining the beacon interval and DTIM period. Changes you make on this page are applied to all IAPs, without exception.

Figure 140.
Procedure for Configuring Global IAP Settings

1. Country: If no country is set, you may choose from the pull-down list. Once a country has been chosen, it may not be changed. You are responsible for choosing the correct country and conforming to the regulatory laws for wireless transmissions within your country. Please contact Xirrus Customer Support if you need to change the operating country after a country has already been set (see “Contact Information” on page 419).
Beacon Configuration

5. Beacon Interval: When the Array sends a beacon, it includes with it a beacon interval, which specifies the period of time before it will send the beacon again. Enter the desired value in the Beacon Interval field, between 20 and 1000. The value you enter here is applied to all IAPs.
6.
11. Max Phones per IAP: This option allows you to control the maximum number of phones that are allowed per IAP. The default is set to a maximum of 16 but you can reduce this number, as desired. Enter a value in this field between 0 (no phones allowed) and 16.
    Note: This admission control feature applies only to Spectralink phones. It does not apply to all VoIP phones in general.
12.
15. Load Balancing: The Xirrus Wi-Fi Array supports an automatic load balancing feature designed to distribute Wi-Fi stations across multiple radios rather than having stations associate to the closest radios with the strongest signal strength, as they normally would. In Wi-Fi networks, the station decides to which radio it will associate.
• Pass-thru: The Array forwards the ARP request. It passes along only ARP messages that target the stations that are associated to it.
• Proxy: The Array replies on behalf of the stations that are associated to it. The ARP request is not broadcast to the stations.

Note that the Array has a broadcast optimization feature that is always on (it is not configurable). Broadcast optimization restricts all broadcast packets (not just ARP broadcasts) to only those radios that need to forward them.
18. Fast Roaming Layer: Select whether to enable roaming capabilities between IAPs or Arrays at Layer 2 and 3, or at Layer 2 only. Depending on your wired network, you may wish to allow fast roaming at Layer 3. This may result in delayed traffic.
19. Share Roaming Info With: Three options allow your Array to share roaming information with all Arrays; just with those that are within range; or with specifically targeted Arrays. Choose either All, In Range or Target Only, respectively.
    a.
Global Settings .11a

This window allows you to establish global 802.11a IAP settings. These settings include defining which 802.11a data rates are supported, enabling or disabling all 802.11a IAPs, auto-configuration of channel allocations for all 802.11a IAPs, and specifying the fragmentation and RTS thresholds for all 802.11a IAPs.

Figure 141. Global Settings .11a

Procedure for Configuring Global 802.11a IAP Settings

1. 2. 802.
Optimize Throughput button to optimize data rates based on throughput. The Restore Defaults button will take you back to the factory default rate settings.
3. 802.11a IAP Status: Click Enable 802.11a IAPs to enable all 802.11a IAPs for this Array, or click Disable 802.11a IAPs to disable all 802.11a IAPs.
4. Channel Configuration: Click Auto Configure to instruct the Array to determine the best channel allocation settings for each 802.
See Also
Coverage and Capacity Planning
Global Settings (IAP)
Global Settings .
Global Settings .11bg

This window allows you to establish global 802.11b/g IAP settings. These settings include defining which 802.11b and 802.11g data rates are supported, enabling or disabling all 802.11b/g IAPs, auto-configuring 802.11b/g IAP channel allocations, and specifying the fragmentation and RTS thresholds for all 802.11b/g IAPs.

Figure 142. Global Settings .11bg

Procedure for Configuring Global 802.11b/g IAP Settings

1. 802.
• Supported Rate—data rate used to transmit to clients.
2. 802.11b Data Rates: This task is similar to Step 1, but these data rates apply only to 802.11b IAPs.
3. Data Rate Presets: The Wi-Fi Array can optimize your 802.11b/g data rates automatically, based on range or throughput. Click the Optimize Range button to optimize data rates based on range, or click the Optimize Throughput button to optimize data rates based on throughput.
older, slower 802.11b stations. Protection avoids collisions by preventing 802.11b and 802.11g stations from transmitting simultaneously. When Auto CTS or Auto RTS is enabled and any 802.11b station is associated to the IAP, additional frames are sent to gain access to the wireless network.
• Auto CTS requires 802.11g stations to send a slow Clear To Send frame that locks out other stations. Automatic protection reduces 802.11g throughput when 802.
13. RTS Threshold: The RTS (Request To Send) Threshold specifies the packet size. Packets larger than the RTS threshold will use CTS/RTS prior to transmitting the packet—useful for larger packets to help ensure the success of their transmission. Enter a value between 1 and 2347.
14. Click on the Apply button to apply the new settings to this session, or click Save to apply your changes and make them permanent.

See Also
Coverage and Capacity Planning
Global Settings (IAP)
Global Settings .
Global Settings .11n

This window is displayed only for XN Array models. It allows you to establish global 802.11n IAP settings. These settings include enabling or disabling 802.11n mode for the entire Array, specifying the number of transmit and receive chains (data stream) used for spatial multiplexing, setting a short or standard guard interval, auto-configuring channel bonding, and specifying whether auto-configured channel bonding will be static or dynamic.
2. TX Chains: Select the number of separate data streams transmitted by the antennas of each IAP. The data rate of the IAP is multiplied by the number of streams. The default is 3. See “Multiple Data Streams—Spatial Multiplexing” on page 61.
3. RX Chains: Select the number of separate data streams received by the antennas of each IAP. This number must be greater than or equal to TX Chains. The data rate of the IAP is multiplied by the number of streams. The default is 3.
Advanced RF Settings

This window allows you to establish RF settings, including automatically configuring channel allocation and cell size, specifying intrusion detection and blocking of rogue APs, and configuring radio assurance and standby modes. Changes you make on this page are applied to all IAPs, without exception.

Figure 144. Advanced RF Settings

About Standby Mode

Standby Mode supports the Array-to-Array fail-over capability.
enables its radios until it detects that the target Array has come back online. Standby Mode is off by default. Note that you must ensure that the configuration of the standby Array is correct. This window allows you to enable or disable Standby Mode and specify the primary Array that is the target of the backup unit. See also, “Failover Planning” on page 67.
Procedure for Configuring Advanced RF Settings

RF Intrusion Detection

1. Intrusion Detection: This option allows you to establish the intrusion detection method, either Standard or Advanced, or you can choose Off to disable this feature. See “Array Monitor and Radio Assurance Capabilities” on page 408 for more information.
   • Standard—enables the abg(n)2 radio as a monitor which collects Rogue AP information.
RF Resilience

5. Radio Assurance Mode: When this mode is enabled, IAP abg(n)2 performs loopback tests on the Array. This mode requires Intrusion Detection to be set to Standard (Step 1) to enable abg(n)2’s self-monitoring functions. It also requires abg(n)2 to be set to monitoring mode (see “Enabling Monitoring on the Array” on page 408). Operation of Radio Assurance mode is described in detail in “Array Monitor and Radio Assurance Capabilities” on page 408.
RF Power & Sensitivity

For an overview of RF power and cell size settings, please see “Capacity and Cell Sizes” on page 52 and “Fine Tuning Cell Sizes” on page 53.

Note: To use the Auto Cell feature, the following additional settings are required:
• The abg(n)2 radio must be in monitor mode, and all other IAPs that will use Auto Cell must have Cell Size set to auto. See “Procedure for Manually Configuring IAPs” on page 255.
• The Intrusion Detection Mode must not be set to Advanced.
12. Sharp Cell: This feature reduces interference between neighboring Arrays or other Access Points by limiting the trailing edge bleed of RF energy to a defined boundary (cell size). Choose On to enable the Sharp Cell functionality, or choose Off to disable this feature. See also, “Fine Tuning Cell Sizes” on page 53. The Sharp Cell feature only works when the cell size is Small, Medium, or Large (or Auto)—but not Max.
Factory Preset Channels (US) for both XN and XS models

IAP        16-Radio Models   12-Radio Models   8-Radio Models   4-Radio Models
abg(n)1    1                 1                 1                1
abg(n)2    mon               mon               mon              mon
abg(n)3    11                11                11               11
abg(n)4    6                 6                 6                6
a(n)1      36                36                40               -
a(n)2      52                52                56               -
a(n)3      149               40                48               -
a(n)4      40                56                64               -
a(n)5      56                44                -                -
a(n)6      157               60                -                -
a(n)7      44                48                -                -
a(n)8      60                64                -                -
a(n)9      153               -                 -                -
a(n)10     48                -                 -                -
a(n)11     64                -                 -                -
a(n)12     161               -                 -                -

14.
15. Auto Channel Configure on Time: This option allows you to instruct the Array to auto-configure channel selection for each enabled IAP at a time you specify here (in hours and minutes, using the format: hh:mm). Leave this field blank unless you want to specify a time at which the autoconfiguration utility is initiated.
16. Channel List Selection: This list selects which channels are available to the auto channel algorithm.
LED Settings

This window assigns behavior preferences for the Array’s IAP LEDs.

Figure 145. LED Settings

Procedure for Configuring the IAP LEDs

1. LED State: This option determines which event triggers the LEDs, either when an IAP is enabled or when an IAP first associates with the network. Choose On Radio Enabled or On First Association, as desired. You may also choose Disabled to keep the LEDs from being lit. The LEDs will still light during the boot sequence, then turn off.
2.
WDS

This is a status only window that provides an overview of all WDS links that have been defined. WDS (Wireless Distribution System) is a system that enables the interconnection of access points wirelessly, allowing your wireless network to be expanded using multiple access points without the need for a wired backbone to link them. The Summary of WDS Client Links shows the WDS links that you have defined on this Array and identifies the target Array for each by its base MAC address.
The configuration for WDS is performed on the client Array only, as described in “WDS Client Links” on page 287. No WDS configuration is performed on the host Array. First you will set up a client link, defining the target (host) Array and SSID, and the maximum number of IAPs in the link. Then you will select the IAPs to be used in the link. When the client link is created, each member IAP will associate to an IAP on the host Array.
WDS Client Links

This window allows you to set up a maximum of four WDS client links.

Figure 148. WDS Client Links

Procedure for Setting Up WDS Client Links

WDS Client Link Settings:

1. Client Link: Shows the ID (1 to 4) of each of the four possible WDS links.
2. Enabled: Check this box if you want to enable this WDS link, or uncheck the box to disable the link.
3. Max IAPs Allowed (1-3): Enter the maximum number of IAPs for this link, between 1 and 3.
4.
5. Target SSID: Enter the SSID that the target Array is using.
6. Username: Enter a username for this WDS link. A username and password are required if the SSID is using PEAP for WDS authentication from the internal RADIUS server.
7. Password: Enter a password for this WDS link.
8. Clear Settings: Click on the Clear button to reset all of the fields on this line.
9.
Filters

The Wi-Fi Array’s integrated firewall uses stateful inspection to speed the decision of whether to allow or deny traffic. Filters are also used to define the rules used for blocking or passing traffic. Filters can also set the VLAN and QoS level for selected traffic. User connections managed by the firewall are maintained statefully—once a user flow is established through the Array, it is recognized and passed through without application of all defined filtering rules.
Filter Lists

This window allows you to create filter lists. The Array comes with one predefined list, named Global, which cannot be deleted. Filter lists (including Global) may be applied to SSIDs or to Groups. Only one filter list at a time may be applied to a group or SSID (although the filter list may contain a number of filters). All filters are created within filter lists.

Figure 150. Filter Lists

Procedure for Managing Filter Lists

1.
4. SSIDs: This read-only field lists the SSIDs that use this filter list.
5. User Groups: This read-only field lists the Groups that use this filter list.
6. Delete: Click this checkbox and then click the Apply or Save button to delete this filter list.
7. Click on the Apply button to apply your changes to the selected filter, or click Save to apply your changes and make them permanent.
8.
Note that filtering is secondary to the stateful inspection performed by the integrated firewall. Traffic for established connections is passed through without the application of these filtering rules.

Procedure for Managing Filters

1. Filter List: Select the filter list to display and manage on this window. All of the filters already defined for this list are shown, and you may create additional filters for this list.
2.
8. QoS: (Optional) Set packets that match the filter criteria to this QoS level (0 to 3) from the pull-down list. Level 0 has the lowest priority; level 3 has the highest priority. By default, this field is blank and the filter does not modify QoS level. See “Understanding QoS Priority on the Wi-Fi Array” on page 235.
9. VLAN ID: (Optional) Set packets that match the filter criteria to this VLAN.
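Because filtering is secondary to stateful inspection, a deny filter created after a flow is established does not affect that flow. The following is an added example, not Xirrus code: a simplified Python model in which the class names, the default-allow policy and the flush_flows helper are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Filter:
    name: str
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None matches any value
    dport: Optional[int] = None
    src: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.src is None or self.src == p.src))


class StatefulFirewall:
    """Toy model: flow table is consulted first, filters only for new flows."""

    def __init__(self, default_action: str = "allow"):  # assumed default
        self.filters = []
        self.flows = set()
        self.default_action = default_action

    @staticmethod
    def _key(p: Packet):
        # Direction-independent key so replies match the same flow.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    def process(self, p: Packet):
        key = self._key(p)
        if key in self.flows:            # established: filters are skipped
            return ("allow", "established")
        for f in self.filters:           # new flow: first matching filter wins
            if f.matches(p):
                if f.action == "allow":
                    self.flows.add(key)
                return (f.action, f.name)
        if self.default_action == "allow":
            self.flows.add(key)
        return (self.default_action, "default")

    def flush_flows(self) -> int:
        """Hypothetical helper: drop all flow state so filters apply again."""
        n = len(self.flows)
        self.flows.clear()
        return n


def demo():
    fw = StatefulFirewall()
    # Constructed sample traffic: an SSH session from a wireless client.
    ssh = Packet("10.0.0.5", "10.0.0.9", "tcp", 50000, 22)
    results = [fw.process(ssh)]                       # new flow, allowed
    fw.filters.append(Filter("block-ssh", "deny", proto="tcp", dport=22))
    results.append(fw.process(ssh))                   # still passes
    other = Packet("10.0.0.6", "10.0.0.9", "tcp", 50001, 22)
    results.append(fw.process(other))                 # new flow, denied
    fw.flush_flows()
    results.append(fw.process(ssh))                   # denied once state is gone
    return results
```

When tightening filters during an incident, plan for sessions that predate the change: in this model they persist until their flow state is removed.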
Using Tools on the Wi-Fi Array

These WMI windows allow you to perform administrative tasks on your Array, such as upgrading software, rebooting, uploading and downloading configuration files, and other utility tasks. Tools are described in the following sections:

• “System Tools” on page 296
• “CLI” on page 303
• “Logout” on page 305

This section does not discuss using status or configuration windows.
System Tools

This window allows you to manage files for software images, configuration, and Web Page Redirect (WPR), manage the system’s configuration parameters, reboot the system, and use diagnostic tools.

Figure 152.
Procedure for Configuring System Tools

These tools are broken down into the following sections:

• System
• Configuration
• Diagnostics
• Web Page Redirect
• Tools
• Progress and Status Frames

System

1. Save & Reboot or Reboot: Use Save & Reboot to save the current configuration and then reboot the Array. The LEDs on the Array indicate the progress of the reboot, as described in “Powering Up the Wi-Fi Array” on page 107.
Configuration

3. Update from Remote File: This field allows you to define the path to a configuration file (one that you previously saved—see Step 5 below). Click on the Browse button if you need to browse for the location of the file, then click Update to update your configuration settings.
4. Update from Local File: This field updates Array settings from a local configuration file on the Array. Select one of the following files from the drop-down list:
   • factory.
Click Reset to reset all of the system’s current configuration settings to the factory default values, including the management IP address—all previous configuration settings will be lost. The Array’s Gigabit Ethernet ports default to using DHCP to obtain an IP address.

Note: If the IP settings change, the connection to the WMI may be lost.

Diagnostics

7. Diagnostic Log: Click the Create button to save a snapshot of Array information for use by Xirrus Customer Support personnel.
Note: All passwords are stored on the array in an encrypted form and will not be exposed in the diagnostic log.

Web Page Redirect

The Array uses a Perl script and a cascading style sheet to define the default splash/login Web page that the Array delivers for WPR. You may replace these files with files for one or more custom pages of your own. See Step 10 below to view the default files. See Step 14 on page 241 for more information about WPR and how the splash/login page is used.
9. Remove File: Enter the name of the WPR file you want to remove, then click on the Delete button. You can use the List Files button to show you a list of files that have been saved on the Array for WPR. The list is displayed in the Status section at the bottom of the WMI window. You must reboot to make your changes take effect.
10. Download Sample Files: Click on a link to access the corresponding sample WPR files:
   • wpr.pl—a sample Perl script.
   • hs.css—a sample cascading style sheet.
Username and Password are set up properly. If a client is having trouble accessing the network, you can quickly determine if there is a basic RADIUS problem by using the RADIUS Ping tool. For example, in Figure 156 (A), RADIUS Ping is unable to contact the server. In Figure 156 (B), RADIUS Ping verifies that the host information and secret for a RADIUS server are correct, but that the user account information is not.
Progress and Status Frames

The Progress frame displays a progress bar for commands such as Software Upgrade and Ping. The Status frame presents the output from system commands (Ping and Trace Route), as well as other information, such as the results of software upgrade.

15. If you want to save the parameters you established in this window for future sessions, click on the Save button.

CLI

The WMI provides this window to allow you to use the Array’s Command Line Interface (CLI).
the CLI directly. You may use the extra scroll bar inside the right edge of the window to scroll through your output. This window has some minor differences, compared to direct use of the CLI via the console or an SSH connection:

• The CLI starts in config mode. All configuration and show commands are available in this mode. You can “drill down” the mode further in the usual way. For example, you can type interface iap to change the mode to config-iap.
Logout

Click on the Logout button to terminate your session. When the session is terminated, you are presented with the Array’s login window.

Figure 158.
The Command Line Interface

This section covers the commands and the command structure used by the Wi-Fi Array’s Command Line Interface (CLI), and provides a procedure for establishing a Telnet connection to the Array. Topics discussed include:

• “Establishing a Secure Shell (SSH) Connection” on page 308.
• “Getting Started with the CLI” on page 309.
• “Top Level Commands” on page 311.
• “Configuration Commands” on page 320.
• “Sample Configuration Tasks” on page 356.
Establishing a Secure Shell (SSH) Connection

Use this procedure to initialize the system and log in to the Command Line Interface (CLI) via a Secure Shell (SSH) utility, such as PuTTY. When connecting to the unit’s Command Line Interface over a network connection, you must use a Secure Shell version 2 (SSH-2) utility. Make sure that your SSH utility is set up to use SSH-2.

1. Start your SSH session and communicate with the Array via its default IP address (10.0.2.
Getting Started with the CLI

The root command prompt (Root Command Prompt) is the first prompt you see after logging in to the CLI. If you are at a level other than the root command prompt you can return to this prompt at any time by using the exit command to step back through each command prompt level. The root command prompt you see in the CLI window is determined by the host name you assigned to your Array.
• ? Command
  This command is available at any prompt and provides either FULL or PARTIAL help. Using the ? (question mark) command when you are ready to enter an argument will display all the possible arguments (full help). Partial help is provided when you enter an abbreviated argument and you want to know what arguments will match your input.

Figure 161.
Top Level Commands

This section offers an at-a-glance view of all top level commands—organized alphabetically. Top level commands are defined here as commands that are directly accessible from the root command prompt (Xirrus_Wi-Fi_Array#). The root command prompt is based on the host name assigned to your Array. When inputting commands, be aware that all commands are case-sensitive.
Command       Description
show          Display information about the selected item. See “show Commands” on page 315.
statistics    Display statistical data about the Array. See “statistics Commands” on page 318.
uptime        Display the elapsed time since the last boot.

configure Commands

The following table shows the second level commands that are available with the top level configure command [Xirrus_Wi-Fi_Array(config)#].
Command          Description
group            Define user groups with parameter settings
help             Description of the interactive Help system.
history          List history of commands that have been executed.
hostname         Host name for this Array.
https            Enable/disable HTTPS.
interface        Select the interface to configure.
load             Load running configuration from flash
location         Location name for this Array.
management
more
netflow
no
quit
radius-server
reboot
reset
run-tests
save
search
security
show
Command       Description
snmp          Enable, disable or configure SNMP.
ssh           Enable/disable SSH.
ssid          Configure the SSID parameters.
standby       Configure the standby parameters.
statistics    Display statistics.
syslog        Enable, disable or configure the Syslog Server.
telnet        Enable/disable Telnet.
uptime        Display time since the last boot.
vlan          Configure VLAN parameters.
show Commands

The following table shows the second level commands that are available with the top level show command [Xirrus_Wi-Fi_Array# show].

Command               Description
acl                   Display the Access Control List.
admin                 Display the administrator list or login information.
array-info            Display system information.
associatedstations    Display stations that have associated to the Array.
boot-env              Display Boot loader environment variables.
capabilities          Display detailed station capabilities.
Command            Description
diff               Display the difference between configurations.
dns                Display DNS summary information.
env-ctrl           Display the environmental controller status for the outdoor enclosure.
error-numbers      Display the detailed error number in error messages.
ethernet           Display Ethernet interface summary information.
external-radius    Display summary information for the external RADIUS server settings.
factory-config     Display the Array factory configuration information.
Command             Description
saved-config        Display the last saved Array configuration.
security            Display security settings summary information.
self-test           Display self test results.
snmp                Display SNMP summary information.
spanning-tree       Display spanning tree information.
spectrumanalyzer    Display spectrum analyzer measurements.
ssid                Display SSID summary information.
stations            Display station information.
statistics          Display statistics.
syslog              Display the system log.
statistics Commands

The following table shows the second level commands that are available with the top level statistics command [Xirrus_Wi-Fi_Array# statistics].

Command                           Description
ethernet                          Display statistical data for all Ethernet interfaces.
Ethernet Name eth0, gig1, gig2    Display statistical data for the defined Ethernet interface (either eth0, gig1 or gig2). FORMAT: statistics gig1
filter                            Display statistics for defined filters (if any).
filter-list
iap
Command    Description
           Display configuration or status information.
Configuration Commands

All configuration commands are accessed by using the configure command at the root command prompt (Xirrus_Wi-Fi_Array#). This section provides a brief description of each command and presents sample formats where deemed necessary. The commands are organized alphabetically. When inputting commands, be aware that all commands are case-sensitive.
admin

The admin command [Xirrus_Wi-Fi_Array(config-admin)#] is used to configure the Administrator List.

Command    Description
add        Add a user to the Administrator List. FORMAT: admin add [userID]
del        Delete a user from the Administrator List. FORMAT: admin del [userID]
edit       Modify user in the Administrator List. FORMAT: admin edit [userID]
radius     Define a RADIUS server to be used for authenticating administrators.
reset
cdp

The cdp command [Xirrus_Wi-Fi_Array(config)# cdp] is used to configure the Cisco Discovery Protocol.

Command      Description
disable      Disable the Cisco Discovery Protocol FORMAT: cdp disable
enable       Enable the Cisco Discovery Protocol FORMAT: cdp enable
hold-time    Select CDP message hold time before messages received from neighbors expire. FORMAT: cdp hold-time [# seconds]
interval     The Array sends out CDP announcements at this interval.
clear

The clear command [Xirrus_Wi-Fi_Array(config)# clear] is used to clear requested elements.

Command           Description
authentication    Deauthenticate a station. FORMAT: clear station [authenticated station]
history           Clear the history of CLI commands executed. FORMAT: clear history
screen            Clear the screen where you’re viewing CLI output. FORMAT: clear syslog
statistics        Clear the statistics for a requested interface.
contact-info

The contact-info command [Xirrus_Wi-Fi_Array(config)# contact-info] is used for managing administrator contact information.

Command    Description
email      Add an email address for the contact (must be in quotation marks). FORMAT: contact-info email [“contact@mail.com”]
name       Add a contact name (must be in quotation marks). FORMAT: contact-info name [“Contact Name”]
phone      Add a telephone number for the contact (must be in quotation marks).
date-time

The date-time command [Xirrus_Wi-Fi_Array(config-date-time)#] is used to configure the date and time parameters. Your Array supports the Network Time Protocol (NTP) in order to ensure that the Array’s internal time is accurate. NTP is set to UTC time by default; however, you can set the time zone so that your Array will display local time. This is done by defining an offset from the UTC value.
dhcp-server

The dhcp-server command [Xirrus_Wi-Fi_Array(config-dhcp-server)#] is used to add, delete and modify DHCP pools.

Command    Description
add        Add a DHCP pool. FORMAT: dhcp-server add [dhcp pool]
del        Delete a DHCP pool. FORMAT: dhcp-server del [dhcp pool]
edit       Edit a DHCP pool FORMAT: dhcp-server edit [dhcp pool]
reset      Delete all DHCP pools.
dns

The dns command [Xirrus_Wi-Fi_Array(config-dns)#] is used to configure your DNS parameters.

Command    Description
domain     Enter your domain name. FORMAT: dns domain [www.mydomain.com]
server1    Enter the IP address of the primary DNS server. FORMAT: dns server1 [1.2.3.4]
server2    Enter the IP address of the secondary DNS server. FORMAT: dns server2 [2.3.4.5]
server3    Enter the IP address of the tertiary DNS server. FORMAT: dns server3 [3.4.5.
file

The file command [Xirrus_Wi-Fi_Array(config-file)#] is used to manage files.

Command         Description
active-image    Validate and commit a new array software image.
backup-image    Validate and commit a new backup software image.
check-image     Validate a new array software image.
chkdsk          Check flash file system.
copy            Copy a file to another file. FORMAT: file copy [sourcefile destinationfile]
dir             List the contents of a directory.
erase
format
Command          Description
remote-config    When the Array boots up, it fetches the specified configuration file from the TFTP server defined in the file remote-server command, and uses this configuration. This must be an Array configuration file with a .conf extension. A partial configuration file may be used. For instance, if you wish to use a single configuration file for all of your Arrays but don't want to have the same IP address for each Array, you may remove the ipaddr line from the file.
Command    Description
tftp       Open a TFTP connection with a remote server. FORMAT: file tftp host { |} [port ] [user {anonymous | password } ] { put [] | get [] }
           Note: Any time you transfer any kind of software image file for the Array, it must be transferred in binary mode, or the file may be corrupted.