Documentation HiPath Wireless Controller, Access Points and Convergence Software V5 R1 C20/C2400 User Guide A31003-W1050-U100-2-7619 Communication for the open minded Siemens Enterprise Communications www.siemens.
Copyright © Siemens Enterprise Communications GmbH & Co. KG 2007 Hofmannstr. 51, D-81359 München Reference No.: A31003-W1050-U100-2-7619 Communication for the open minded Siemens Enterprise Communications www.siemens.com/open The information provided in this document contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products.
For internal use only

Contents
1 About this Guide
1.1 Who should use this guide
1.2 What is in this guide
4.1.4 Wireless AP international licensing
4.1.5 Wireless AP default IP address and first-time configuration
4.1.6 Assigning static IP address to Wireless AP
4.1.6.
6.1 VNS Types
6.2 Creating a new VNS name
6.3 Topology for a VNS
6.17.2 Wireless Repeater configuration
6.17.3 Wireless Bridge configuration
6.17.4 Examples of deployment
6.17.5 WDS VNS
10.2 Viewing reports
11 Performing system maintenance
11.1 Performing Wireless AP client management
11.1.
1 About this Guide

This guide describes how to install, configure, and manage the Controller, Access Points and Convergence Software software. This guide is also available as an online help system.

To access the online help system:
1. In the HiPath Wireless Assistant Main Menu bar, click Help. The About HiPath Wireless Assistant page is displayed.
2. In the left pane, click Controller Documentation. The online help system is launched.

1.
Formatting conventions

• Chapter 6, “Virtual Network configuration”, provides detailed instructions on how to configure a VNS, its topology, authentication, accounting, RADIUS policy, multicast, filtering and privacy. Both Captive Portal and AAA types of VNS are described.
Documentation feedback

For example: Type https://[:mgmt-port>]
• The following notes are used to draw your attention to additional information:
Note: Notes identify useful information, such as reminders, tips, or other ways to perform a task.
Caution: Cautionary notes identify essential information, which if ignored can adversely affect the operation of your equipment or software.
Safety Information

• Only authorized Siemens service personnel are permitted to service the system.

Warnings
• This device must not be connected to a LAN segment with outdoor wiring.
• Ensure that all cables are run correctly to avoid strain.
• Replace the power supply adapter immediately if it shows any sign of damage.
• Disconnect all power before working near power supplies unless otherwise instructed by a maintenance procedure.
1.6 Safety information

Danger notices
• If the power cord shows any sign of damage, replace it immediately.
• Replace damaged safety equipment (covers, type labels and protective cables) immediately.
• Use only original accessories or components approved specifically for the system.
Caution notices
• Check the nominal voltage specified for the equipment (operating instructions and type label). This equipment operates with high voltage, which carries the risk of electric shock. Proceed with great caution when measuring high voltages or servicing cards, panels and assemblies while the system is powered on.
• Use only tools and equipment in perfect condition.
Safety instructions

• Take all necessary precautions when servicing or repairing hot-swappable modules of the HiPath Wireless Controller: power supplies or fans. Rotating fans can cause serious injury.
• This unit may have more than one power cord. To avoid electric shock, disconnect all power cords before performing maintenance.
Overview of the Controller, Access Points and Convergence Software solution
Conventional wireless LANS

access point. The 802.11 standard defines access point communications as devices that allow wireless devices to communicate with a distribution system. This setup is defined as a basic service set (BSS) or infrastructure network.
Elements of the Controller, Access Points and Convergence Software solution

2.
Controller, Access Points and Convergence Software and your network

• Provides accounting services – Logs wireless user sessions, user group activity, and other activity reporting, enabling the generation of consolidated billing records.
• Offers troubleshooting capability – Logs system and session activity and provides reports to aid in troubleshooting analysis.
Controller during the initial registration process. For SLP, DHCP should have Option 78 enabled. Option 78 specifies the location of one or more SLP Directory Agents.
• Service Location Protocol (SLP) (SLP RFC2608) – Client applications are User Agents and services that are advertised by a Service Agent.
• Zone Integrity – The Zone integrity server enhances network security by ensuring clients accessing your network are compliant with your security policies before gaining access. Zone Integrity Release 5 is supported.
• HiPath HiGuard – Provides continuous active intrusion detection and prevention capabilities.
Each wireless device sends IP packets in the 802.11 standard to the Wireless AP. The Wireless AP uses a UDP (User Datagram Protocol) based tunnelling protocol to encapsulate the packets and forward them to the HiPath Wireless Controller.
2.3.2.2 Privacy

Privacy is a mechanism that protects data over wireless and wired networks, usually by encryption techniques. Controller, Access Points and Convergence Software supports the Wired Equivalent Privacy (WEP) standard common to conventional access points. It also provides Wi-Fi Protected Access version 1 (WPA v.
2.3.4 Static routing and routing protocols

Routing can be used on the HiPath Wireless Controller to support the VNS definitions.
specific filter is returned or indicated by the authentication mechanism. The characteristics and level of access for a filter are controlled and defined by the system administrator.

2.3.6 Mobility and roaming

In typical configurations that are not HiPath Wireless, APs are set up as bridges that bridge wireless traffic to the local subnet.
System Configuration Overview

Controller is restored if it is active. However, active APs will continue to be attached to the failover controller until the administrator releases them back to the original home controller.

2.3.8 Quality of Service (QoS)

Controller, Access Points and Convergence Software provides advanced Quality of Service (QoS) management to provide better network traffic flow.
3. Data Port Setup – Set up the HiPath Wireless Controller on the network by configuring the physical data ports and their function as “host port”, “router port”, or “3rd party AP port”.
4. Routing Setup – Configure static routes and OSPF parameters for any port defined as a router port, if appropriate to the network.
5.
Configuring the HiPath Wireless Controller
System configuration overview

HiPath Wireless Controller Model Number: C2400 (Enterprise license)
Specifications:
• Four GigE ports supporting up to 100 Wireless APs
• One management port (10/100 BaseT)
• One console port (DB9 serial)
• Redundant dual power supply unit
Table 1 HiPath Wireless Controller product families

3.
initial installation and configuration of the HiPath Wireless Controller to avoid network interruptions. For more information, see Section 7.4, “Configuring network time”, on page 266.
• To configure a physical port to attach to a VLAN, define the VLAN as part of the IP address assignment.

Applying the product license key
Apply a product license key file.
Step 5 – Configuring the VNS

Research and then configure the traffic topologies your network must support. Set up one or more virtual subnetworks on the HiPath Wireless Controller. For each VNS, configure the following:
• Topology – Configure the VNS.
• RF – Assign the Wireless APs’ radios to the VNS.
3.2 Performing the first time setup of the HiPath Wireless Controller

Before you can connect the HiPath Wireless Controller to the enterprise network, you must change the IP address of the HiPath Wireless Controller management port from its factory default to the IP address suitable for your enterprise network.
5. In the Password box, type your password. The default is abc123.

Note: To reinforce security protection, the login password length has now been increased to eight characters. Please note the following:
• The HiPath Wireless Controller continues to be shipped from the factory with a six character default password (abc123).
Note: All images of the HiPath Wireless Assistant in this User Guide represent the HiPath Wireless Controller C2400.

In the footer of the HiPath Wireless Assistant, the following is displayed:
• [host name | product name | up time]
For example, [HWC-206 | C2400 | 01 days, 06:29]. If your HiPath Wireless Assistant is running the C2400 license, the footer will display C2400.
10. Type the following information:
• Hostname – Specifies the name of the HiPath Wireless Controller
• Domain – Specifies the IP domain name of the enterprise network
• Management IP Address – Specifies the new IP address for the HiPath Wireless Controller’s management port. Change this as appropriate for the enterprise network.
3.2.1.1 Changing the administrator password

It is recommended to change your default administrator password once your system is installed.

To change the administrator password:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless Controller Configuration page is displayed.
2. In the left pane, click Management Users.
3.
4. In the Apply Product Key section, click Browse to navigate to the location of the product key file and click the file.
5. Click Apply Now. The product license key is applied, and the HiPath Wireless Controller reboots.

3.2.4 Setting up the data ports

The next step in the initial setup of the HiPath Wireless Controller is to configure the physical data ports.
VLAN ID parameter

You can define a specific VLAN tag to be applied to a particular interface. All packets associated with that port will be tagged with the corresponding VLAN. This allows the HiPath Wireless Controller to directly attach to a VLAN network without the need to remove VLAN tags at the connection port.
There is a fourth port type that is not configurable in the HiPath Wireless Assistant:
• Virtual Network Services (VNS) interface
A VNS port is a virtual port created automatically on the HiPath Wireless Controller when a new VNS is defined. The VNS port becomes the default gateway for wireless devices on this VNS.
The lower portion of the HiPath Wireless Controller Configuration page displays the number of Ethernet ports of the HiPath Wireless Controller:
• HiPath Wireless Controller C2400 – Four Ethernet ports
• HiPath Wireless Controller C20 – Two Ethernet ports

Note: All images of the HiPath Wireless Assistant in this User Guide represent the HiPath Wireless Controller C2400.

3.
• MTU – The Maximum Transmission Unit or maximum packet size for this port. The default setting is 1500. If you change this setting and are using OSPF, be sure that the MTU of each port in the OSPF link matches.
3.2.5 Setting up static routes

It is recommended that you define a default route to your enterprise network, either with a static route or by using OSPF protocol. A default route enables the HiPath Wireless Controller to forward packets to destinations that do not match a more specific route definition.

To set a static route on the HiPath Wireless Controller:
1.
6. Click Add. The new route is added to the list of routes.
7. Select the Override dynamic routes checkbox to give priority over the OSPF learned routes, including the default route, which the HiPath Wireless Controller uses for routing. This option is enabled by default.
3.2.
4. From the OSPF Status drop-down list, click On to enable OSPF.
5. In the Router ID box, type the IP address of the HiPath Wireless Controller. This ID must be unique across the OSPF area. If left blank, the OSPF daemon automatically picks a router ID from one of the HiPath Wireless Controller’s interface IP addresses.
6. In the Area ID box, type the area. 0.0.0.
To set OSPF Routing Port Settings on the HiPath Wireless Controller:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless Controller Configuration page is displayed.
2. In the left pane, click Routing Protocols.
3. Click the OSPF tab. The OSPF Settings page is displayed.
4. In the Port Status drop-down list, click Enabled to enable OSPF on the port.
To confirm that ports are set for OSPF:
1. To confirm that the ports are set up for OSPF, and that advertised routes from the upstream router are recognized, click View Forwarding Table. The Forwarding Table is displayed.
for users connected on a VNS, the VNS configuration itself must have allow management enabled and users will only be able to target the VNS interface specifically.

Note: You can also enable management traffic in the VNS definition.
3. On the IP Addresses page, click the appropriate interface.
4. Select the corresponding Management checkbox.
5. To save your changes, click Save.

3.2.9 User defined port-based exception filters

You can add specific filtering rules at the port level in addition to the built-in rules.
The rules defined for port exception filters are prepended to the normal set of restrictive exception filters and have precedence over the system's normal protection enforcement.

Warning: If defined improperly, user exception rules may seriously compromise the system's normal security enforcement rules.
Completing the system configuration

6. Click Add. The new filter is displayed on the Filter section of the page.
7. Click the new filter.
8. To allow traffic, select the Allow checkbox.
9. To adjust the order of the filtering rules, click Up or Down to position the rule. The filtering rules are executed in the order defined here.
10. To save your changes, click Save.

3.
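
The precedence of port exception filters (user rules prepended, rules executed in the order defined) can be modelled to show how one broad Allow rule makes built-in protection unreachable. This Python code is an added example, not code from this guide or from the HiPath product; the Rule fields, the built-in rule set, the default-drop behaviour and all addresses are constructed assumptions.

```python
# Added example: a first-match model of port exception filters.
# BUILT_IN and the user rule sets are constructed stand-ins, not the
# controller's real rules, and the Rule fields are hypothetical.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    network: str              # destination network, CIDR notation
    protocol: Optional[str]   # "tcp", "udp", or None for any protocol
    port: Optional[int]       # destination port, or None for any port
    allow: bool               # True when the Allow checkbox is selected
    origin: str = "user"      # "user" or "built-in"

    def matches(self, dst: str, protocol: str, port: int) -> bool:
        return (ip_address(dst) in ip_network(self.network)
                and self.protocol in (None, protocol)
                and self.port in (None, port))

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` matches is also matched by self."""
        return (ip_network(other.network).subnet_of(ip_network(self.network))
                and self.protocol in (None, other.protocol)
                and self.port in (None, other.port))


# Constructed built-in protection for a controller interface at 192.0.2.10.
BUILT_IN = [
    Rule("192.0.2.10/32", "udp", 67, True, "built-in"),    # allow DHCP
    Rule("192.0.2.10/32", "tcp", 22, False, "built-in"),   # deny SSH
    Rule("192.0.2.10/32", None, None, False, "built-in"),  # deny the rest
]

NARROW = [Rule("192.0.2.10/32", "udp", 161, True)]  # one specific exception
BROAD = [Rule("0.0.0.0/0", None, None, True)]       # "allow everything"


def effective_rules(user_rules, built_in=BUILT_IN):
    """User exception rules are prepended to the built-in set."""
    return list(user_rules) + list(built_in)


def decide(rules, dst: str, protocol: str, port: int) -> bool:
    """Rules run in the listed order; the first match decides."""
    for rule in rules:
        if rule.matches(dst, protocol, port):
            return rule.allow
    return False  # assumption: a packet that matches nothing is dropped


def overridden_denies(user_rules, built_in=BUILT_IN):
    """Built-in deny rules that a prepended user Allow rule makes unreachable."""
    findings = []
    for deny in (r for r in built_in if not r.allow):
        # The first user rule that covers the deny is the one that fires.
        first = next((u for u in user_rules if u.covers(deny)), None)
        if first is not None and first.allow:
            findings.append((first, deny))
    return findings


if __name__ == "__main__":
    for name, user in (("narrow", NARROW), ("broad", BROAD)):
        rules = effective_rules(user)
        print(name, "rule set, SSH to controller allowed:",
              decide(rules, "192.0.2.10", "tcp", 22))
        for allow, deny in overridden_denies(user):
            print("   ", allow, "overrides", deny)
```

Running an audit such as overridden_denies() against a planned rule list before saving it shows which protections the new exception would silently replace.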
Configuring the Wireless AP
Wireless AP overview

The Wireless AP comes in the following variants:
• HiPath Wireless AP
• HiPath Wireless Outdoor AP
• HiPath Wireless 802.11n AP

Note: The term, ‘Wireless AP’, is used in this document to encompass all three variants — HiPath Wireless AP, HiPath Wireless Outdoor AP, and HiPath Wireless 802.11n AP. The variants are only specifically identified in the documentation where it is necessary to do so.

4.1.
Figure 4 HiPath Wireless AP’s Baseband

Figure 4 illustrates the following:
• The HiPath Wireless AP has two radios — a radio and b/g radio.
• The a radio supports 5 GHz radio
• The b/g radio supports 2.4 GHz radio
• The a radio and the b/g radio are connected to both the external antennas — EA1 and EA2.
5 GHz radio supporting the 802.11a standard – The 802.11a standard is an extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in the 5-GHz band. The 802.11a standard uses an orthogonal frequency division multiplexing encoding scheme, rather than Frequency-Hopping Spread Spectrum (FHSS) or Direct-Sequence Spread Spectrum (DSSS).

2.4 GHz radio supporting the 802.11b/g standards – The 802.
• Model AP2660 – External antenna (dual external antennas), RP-SMA connectors

Note: Since the HiPath Wireless Outdoor AP is meant for outdoor environments, it is also referred to as the Outdoor AP. Although the HiPath Wireless Outdoor AP is meant for outdoor environments, it can also be deployed in indoor environments.
The 802.11n AP’s MIMO radio sends out one or two radio signals through its three antennas. Each of these signals is called a spatial stream. Because the location of the antennas on the 802.11n AP is spaced out, each spatial stream follows a slightly different path to the client device. Furthermore, the three spatial streams get multiplied into several streams as they bounce off the obstructions in the vicinity.
Note: MIMO should not be confused with the Diversity feature. While Diversity is the use of two antennas to increase the odds that a better radio stream is received on either of the antennas, MIMO antennas radiate and receive multistreams of the same packet to achieve the increased throughput.
• Model AP3620 – Three external antennas

Note: The 802.11n AP cannot be deployed in an outdoor environment.

4.1.3.1 HiPath Wireless 802.11n AP’s radios

The HiPath Wireless 802.11n AP is equipped with two radios — radio a/n and radio b/g/n. The following is a block diagram of the HiPath Wireless 802.11n AP equipped with external antennas.

Figure 6 HiPath Wireless 802.
• The a/n radio supports 5 GHz radio
• The b/g/n radio supports 2.4 GHz radio

5 GHz radio supporting the 802.11a/n standard — When in legacy 802.11a mode, the AP36xx supports data rates up to 54 Mbps identical to the AP26xx. The modulation used is OFDM. In 802.11n mode there are 2 supported channel bandwidths, 20 MHz and 40 MHz. The 802.11n AP supports up to 300 Mbps in 40 MHz channels and 130 Mbps in 20 MHz channels.
4.1.5 Wireless AP default IP address and first-time configuration

The HiPath Wireless AP and the HiPath Wireless Outdoor AP are shipped from the factory with a default IP address — 192.168.1.20. The default IP address simplifies the first-time IP address configuration process for Wireless APs.
4.1.6 Assigning static IP address to Wireless AP

In order to establish the telnet session, you have to ping the Wireless AP’s IP address. You must know the correct IP address to ping. The Wireless AP's IP address may have the default values or the DHCP-assigned values, depending upon the network condition.
Note: If the telnet session is not established within 30 seconds of successful pinging, the Wireless AP again initiates the process of getting the IP address via the DHCP assignment.

Note: The default user name and the password for telnet access are:
• User Name – admin
• Password – new2day
You can override the default password by setting up a new telnet access password on the Wireless Registration screen.
Note: After you run these commands, you must reboot the Wireless AP for the configuration to take effect.

CLI commands to configure static IP address in the HiPath Wireless 802.11n AP:

Syntax
cset cset cset cset capply csave

Parameters
Parameter Name | Description
dhcp disable | By default, the Wireless AP is configured to acquire its IP address via the DHCP assignment.
4.1.6.1 Enabling/Disabling telnet access and setting up new Telnet Access Password via the controller’s user interface

You can enable/disable the telnet access, and set up a new Telnet Access Password via the controller's user interface. The Wireless AP must successfully discover the controller to pick up this configuration.
Discovery and registration overview

Setting up a new Telnet Access Password via the controller’s user interface

To set up a new Telnet Access Password:
1. From the main menu, click Wireless AP Configuration. The Wireless AP Configuration screen appears.
2. From the left pane, click AP Registration. The Wireless AP Registration screen appears.
3. Under the Telnet Access section, type the new password in the Password box.
4.
4.2.1 Wireless AP discovery

Wireless APs discover the IP address of a HiPath Wireless Controller using a sequence of mechanisms that allow for the possible services available on the enterprise network. The discovery process is successful when the Wireless AP successfully locates a HiPath Wireless Controller to which it can register.
• SLP (Service Location Protocol) – A means of allowing client applications to discover network services without knowing their location beforehand. Devices advertise their services using a Service Agent (SA). In larger installations, a Directory Agent (DA) collects information from SAs and creates a central repository (SLP RFC2608).
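
This guide states that DHCP should have Option 78 enabled for SLP discovery and that the option carries the location of the SLP Directory Agents. The following Python code is an added example, not part of this guide or the HiPath software: it checks a DHCP options field for Option 78 and compares the advertised Directory Agents with an expected list. The option layout is taken from RFC 2610; the sample byte strings and addresses are constructed.

```python
# Added example: check a DHCP options field for Option 78 (SLP Directory Agent).
# Option layout per RFC 2610: one "mandatory" byte, then 4 bytes per agent.
# All sample bytes and addresses below are constructed for illustration.
from ipaddress import IPv4Address

PAD, END, SLP_DIRECTORY_AGENT = 0, 255, 78

# Message type 2 (offer) followed by Option 78 with two Directory Agents.
GOOD = bytes([53, 1, 2, 78, 9, 1, 192, 0, 2, 53, 192, 0, 2, 54, 255])
# An offer that carries no Option 78 at all.
MISSING = bytes([53, 1, 2, 255])
# An offer that points at an agent nobody configured.
UNEXPECTED = bytes([53, 1, 2, 78, 5, 0, 198, 51, 100, 7, 255])
EXPECTED_AGENTS = ["192.0.2.53", "192.0.2.54"]


def iter_options(blob: bytes):
    """Yield (code, value) pairs from a DHCP options field (after the magic cookie)."""
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == PAD:            # single-byte padding, no length field
            i += 1
            continue
        if code == END:            # end of the options field
            return
        if i + 1 >= len(blob):
            raise ValueError("option %d has no length byte" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        yield code, value
        i += 2 + length


def parse_slp_da(value: bytes):
    """Return (mandatory, [IPv4Address, ...]) from an Option 78 value."""
    if len(value) < 5 or (len(value) - 1) % 4:
        raise ValueError("Option 78 length must be 1 + 4*n with n >= 1")
    if value[0] not in (0, 1):
        raise ValueError("Option 78 mandatory byte must be 0 or 1")
    agents = [IPv4Address(value[i:i + 4]) for i in range(1, len(value), 4)]
    return bool(value[0]), agents


def check_offer(options: bytes, expected_agents=EXPECTED_AGENTS):
    """Return a list of findings; an empty list means the offer is as expected."""
    expected = {IPv4Address(a) for a in expected_agents}
    try:
        found = dict(iter_options(options))
        if SLP_DIRECTORY_AGENT not in found:
            return ["Option 78 absent: no Directory Agent is advertised by DHCP"]
        _, agents = parse_slp_da(found[SLP_DIRECTORY_AGENT])
    except ValueError as exc:
        return [str(exc)]
    return ["unexpected Directory Agent %s" % a for a in agents if a not in expected]


if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("missing", MISSING), ("unexpected", UNEXPECTED)):
        print(name, check_offer(blob) or "ok")
```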
Once the Wireless AP is registered with a HiPath Wireless Controller, the Wireless AP must be configured. After the Wireless AP is registered and configured, it can be assigned to a Virtual Network Segment (VNS) to handle wireless traffic.

4.2.2.1 Default Wireless AP configuration

Default Wireless AP configuration simplifies the registration after discovery process.
Figure 7 HiPath Wireless AP LEDs (labels: Left LED, 2.4 GHz radio activity; Status LED; Right LED, 5 GHz radio activity)

Warning: Never disconnect a Wireless AP from its power supply during a firmware upgrade. Disconnecting a Wireless AP from its power supply during a firmware upgrade may cause firmware corruption rendering the AP unusable.
Left LED Right LED Center LED HiPath Wireless AP’s Detailed state Off Blinking Green Initialization: Power-on self-test (POST) Blinking Green Blinking Green Initialization: Random delay Blinking Green Initialization: Vulnerable period Solid Green Off Blinking Red Reset to factory defaults Solid Green Off Blinking Orange WDS scanning Blinking Green / Orange Network discovery: 802.
Note: The Left and Right LEDs turn on after the center LED. This allows you to distinguish easily between the Center LED and the Left/Right LEDs.

Note: If the Center LED begins blinking RED, it indicates that the Wireless AP’s state has failed.

Note: Random delays do not occur during normal reboot. A random delay only occurs after vulnerable period power-down.

The Wireless AP can be reset to its factory default settings.
4.2.3.3 HiPath Wireless 802.11n AP LED status

Figure 9 depicts the location of the LEDs on the HiPath Wireless 802.11n AP.

Figure 9 HiPath Wireless 802.11n AP LEDs

The LEDs, L1, L3 and L4 work in conjunction to indicate the general, high-level, and detailed state respectively. After initialization and discovery is completed and the 802.
L1 | HiPath Wireless 802.11n AP’s general state
Blink Green | Initialization and discovery in progress
Blink Red | Error during initialization and discovery
Solid Green | Discovery finished; AP connected to the HiPath Wireless Controller
Table 10 LED L1 and Wireless AP’s status

LEDs L3 and L4

The LEDs L3 and L4 indicate the detailed state of the Wireless AP.
Configuring the Wireless APs for the first time

Note:
• If you are installing the HiPath Wireless AP, see the HiPath Wireless AP Installation Instructions.
• If you are installing the HiPath Wireless 802.11n AP, see the HiPath Wireless 802.11n AP Installation Instructions.
• If you are installing the HiPath Wireless Outdoor AP, see the HiPath Wireless Outdoor AP Installation Instructions and the HiPath Wireless Outdoor AP Installation Guide.
• If the HiPath Wireless Controller does not recognize the registering serial number, a new registration record is automatically created for the AP (if within MDL license limit). The AP receives a default configuration. The default configuration can be the default template assignment.
3. In the Security Mode section, select one of the following:
• Allow all Wireless APs to connect
• Allow only approved Wireless APs to connect
The Allow all Wireless APs to connect option is selected by default. For more information, see Section 4.3.1, “Security mode”, on page 83.
4.
Adding and registering a Wireless AP manually

4.3.2 Connecting the Wireless AP to a power source and initiating the discovery and registration process

When a Wireless AP is powered on, it automatically begins the discovery and registration process with the HiPath Wireless Controller.

HiPath Wireless AP
The HiPath Wireless AP can be connected and powered in the following ways:
• Power over Ethernet (802.
Configuring Wireless AP settings

To add and register a Wireless AP manually:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP page is displayed.
2. Click Add Wireless AP. The Add Wireless AP page is displayed.
3. In the Serial # box, type the unique identifier.
4. In the Hardware Type drop-down list, click the hardware type of the Wireless AP.
5. In the Name box, type a unique name for the Wireless AP.
6.
You can also locate and select Wireless APs in specific registration states to modify their settings. For example, this feature is useful when approving pending Wireless APs when there are a large number of other Wireless APs that are already registered. On the Access Approval page, click Pending to select all pending Wireless APs, then click Approve to approve all selected Wireless APs.
3. To select the Wireless APs for status change, do one of the following:
• For a specific Wireless AP, select the corresponding checkbox.
• For Wireless APs by category, click one of the Select Wireless APs options.
Note: You must consider all three AP variants — HiPath Wireless AP, HiPath Wireless Outdoor AP, and HiPath Wireless 802.11n AP — as Local.
To clear your Wireless AP selections, click Clear All.
4.
• Approved as Sensor – AP ceases performing RF services and begins performing scanning services. For more information, see Section 4.9, “Configuring an AP as a sensor”, on page 141.
Note: Only approve an AP as a sensor if HiPath HiGuard has been installed on your HiPath Wireless Manager. For more information, see the HiPath Wireless Manager User Guide.
Note: The HiPath Wireless Outdoor AP and the Wireless 802.
To modify a Wireless AP’s properties as an access point:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP page is displayed.
2. In the Wireless AP list, click the Wireless AP whose properties you want to modify. The AP Properties tab displays Wireless AP information.
3. Modify the Wireless AP’s information:
• Name – Type a unique name for the Wireless AP that identifies the AP.
• Role – Click the role for the Wireless AP, either Access Point or Sensor. Once the Wireless AP is configured as Sensor, it no longer performs RF services, and is no longer managed by the HiPath Wireless Controller.
Note: The Role drop-down is displayed on the AP Properties page only if the selected Wireless AP is the HiPath Wireless AP 2610/2620.
• Country – Click the country of operation. This option is only available with some licenses.
The following on the AP Properties tab are view only:
• Serial # – Displays a unique identifier that is assigned during the manufacturing process.
• Port – Displays the Ethernet port of the HiPath Wireless Controller the Wireless AP is connected to.
• Hardware Version – Displays the current version of the Wireless AP hardware.
3. Modify the Wireless AP’s information:
• Name – Type a unique name for the Wireless AP that identifies the AP. The default value is the Wireless AP’s serial number.
• Description – Type comments for the Wireless AP.
• Role – Click the role for the AP, either Access Point or Sensor. Once the AP is configured as a Sensor, the AP no longer performs RF services and is no longer managed by the HiPath Wireless Controller.
4.5.3 Modifying Wireless AP radio properties
Most properties of the Wireless AP radios can be modified without requiring a reboot of the Wireless AP. However, if the modification of a Wireless AP property does trigger a reboot, the Wireless AP property is identified with a red asterisk in the HiPath Wireless Assistant.
• A user selects the Auto channel from the Wireless AP’s radio configuration tabs.
• A user selects the Auto channel from the AP Multi-edit page.
• 802.11b/g/n – Any channel can bond up or down as long as the band edge is not exceeded.
• 802.11a/n – Bonding pairs are predefined.
Channel bonding is enabled by selecting the Channel Width on the 802.11b/g/n and 802.11a/n tabs. When selecting Channel Width, the following options are available:
• 20MHz – Channel bonding is not enabled:
  • 802.11n clients use the primary channel (20MHz)
  • Non-802.
select the guard interval to improve the channel efficiency. The guard interval is selected from the Guard Interval drop-down list. Longer guard periods reduce the channel efficiency.
Aggregate MSDU and MPDU
The Wireless 802.11n AP provides aggregate MAC Service Data Unit (MSDU) and aggregate MAC Protocol Data Unit (MPDU) functionality, which combines multiple frames together into one larger frame for a single delivery.
• C20 – Up to 8 VNSs
The Wireless 802.11n AP radios can be assigned to each of the configured VNSs in a system. Each radio can be the subject of 8 VNS assignments (corresponding to the number of SSIDs it can support). Once a radio has all 8 slots assigned, it is no longer eligible for further assignment.
The BSS Info section is view only.
• Beacon Period – Type the desired time, in milliseconds, between beacon transmissions. The default value is 100 milliseconds.
• RTS/CTS Threshold – Type the packet size threshold, in bytes, above which the packet will be preceded by an RTS/CTS (Request to Send/Clear to Send) handshake. The default value is 2346, which means all packets are sent without RTS/CTS. Reduce this value only if necessary.
• Frag.
• Last Requested Channel – This field is view only. This field displays the last wireless channel that you had selected for the Wireless AP to communicate with the wireless devices.
• Auto Tx Power Ctrl (ATPC) – The Wireless 802.11n AP does not support the DRM functionality of the HiPath Wireless Controller and its related ATPC feature.
• Current Tx Power Level – This field is view only.
• 40MHz Protection Mode – Click a protection type (CTS Only, RTSCTS, or None) when a 40MHz channel is used. This protects high throughput transmissions on extension channels from interference from non-11n APs and clients.
• 40MHz Prot.
10. In the Base Settings section, do the following:
• Radio Mode – Click one of the following radio options:
  • a – Click to enable only the 802.11a mode of the 802.11a/n radio. If disabled, the Wireless 802.11n AP will not accept associations from 11a clients.
  • a/n – Click to enable both the 802.11a mode and the 802.11n mode of the 802.11a/n radio.
  • off – Click to disable the 802.11a/n radio.
• 40MHz – Click to allow 802.11n clients that support the 40MHz frequency to use 40MHz, 20MHz, or the 802.11a radio protocols. 802.11n clients that do not support the 40MHz frequency can use 20MHz or the 802.11a radio protocols, and non-802.11n clients, beacons, and multicasts use the 802.11a radio protocols.
• Current Channel – This field is view only. It displays the actual channel the ACS has assigned to the Wireless 802.11n AP radio. The Current Channel value and the Request New Channel value may be different because the ACS automatically assigns the best available channel to the Wireless 802.11n AP, ensuring that a Wireless 802.11n AP’s radio is always operating on the best available channel.
• Aggregate MPDU Max Length – Type the maximum length of the aggregate MPDU. The value range is 1024-65535 bytes.
• Agg. MPDU Max # of Sub-frames – Type the maximum number of sub-frames of the aggregate MPDU. The value range is 2-64.
• ADDBA Support – Click an ADDBA support mode: Enabled or Disabled. ADDBA, or block acknowledgement, provides acknowledgement of a group of frames instead of a single frame.
5. In the Base Settings section, do the following:
• Radio Mode – Click one of the following radio options:
  • b – Click to select the 802.11b-only mode of the 802.11b/g radio. If selected, the AP will use only 11b (CCK) rates with all associated clients. The AP will not transmit or receive 11g rates.
  • g – Click to select the 802.11g-only mode of the 802.11b/g radio.
• Beacon Period – Type the desired time, in milliseconds, between beacon transmissions. The default value is 100 milliseconds.
• RTS/CTS Threshold – Type the packet size threshold, in bytes, above which the packet will be preceded by an RTS/CTS (Request to Send/Clear to Send) handshake. The default value is 2346, which means all packets are sent without RTS/CTS. Reduce this value only if necessary.
• Frag.
• Max Tx Power – Click the maximum Tx power level to which the range of transmit power can be adjusted: 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, and 18 dBm. It is recommended to use 18 dBm so as not to limit the potential Tx power level range that can be used.
• Min Tx Power – If ATPC is enabled, click the minimum Tx power level to which the range of transmit power can be adjusted: 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, and 18 dBm.
• Max Operational Rate – Click the maximum data rate that clients can operate at while associated with the AP: 1, 2, 5.5, or 11 Mbps for 11b-only mode. Click 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 28, or 54 Mbps for 11b+11g or 11g-only modes. If necessary, the Max Operational Rate choices adjust automatically to be higher than or equal to the Min Basic Rate.
• Protection Type – Click a protection type: CTS Only or RTS CTS. The default and recommended setting is CTS Only. Click RTS CTS only if an 11b AP that operates on the same channel is detected in the neighborhood, or if there are many 11b-only clients in the environment.
Note: The overall throughput is reduced when Protection Mode is enabled, due to the additional overhead caused by the RTS/CTS.
• DTIM Period – Type the desired DTIM (Delivery Traffic Indication Message) period — the number of beacon intervals between two DTIM beacons. To ensure the best client power savings, use a large number, for example, 5. Use a small number to minimize broadcast and multicast delay. The default value is 5.
• Beacon Period – Type the desired time, in milliseconds, between beacon transmissions.
• Auto Tx Power Ctrl (ATPC) – Click to enable ATPC. ATPC automatically adapts transmission power signals according to the coverage provided by the Wireless APs. After a period of time, the system will stabilize itself based on the RF coverage of your Wireless APs.
• Current Tx Power Level – This field is view only. It displays the actual Tx power level assigned to the Wireless AP radio.
• Max Operational Rate – Click the maximum data rate that clients can operate at while associated with the AP: 6, 9, 12, 18, 24, 36, 48, or 54 Mbps. If necessary, the Max Operational Rate choices adjust automatically to be higher than or equal to the Max Basic Rate.
Note: Radio a channels 100 to 140 occupy the 5470-5725 MHz band in the regulatory domains of the European Union and European Union free trade countries.
while the HiPath Wireless Controller is in the central office. The Wireless APs require the capability to interact in both the local site network and the central network. To achieve this model, a static configuration is used.
• Untagged – Select if you want this AP to be untagged. This option is selected by default.
Caution: Caution should be exercised when using this feature. If a VLAN tag is not configured properly, the connectivity with the AP will be lost.
To configure the AP VLAN, do the following:
• Connect the AP to the HiPath Wireless Controller or to the network point that does not require AP VLAN tagging.
assignment.) If the Wireless AP IP address is not configured properly, connecting to the Wireless AP may not be possible. To recover from this situation, you will need to reset the Wireless AP to its factory default settings. For more information, see Section 11.2, “Resetting the Wireless APs to their factory default settings”, on page 313.
6.
802.1x authentication credentials can be updated at any time, whether or not the Wireless AP is connected with an active session. If the Wireless AP is connected, the new credentials are sent immediately. If the Wireless AP is not connected, the new credentials are delivered the next time the Wireless AP connects to the HiPath Wireless Controller. There are two main aspects to the 802.
4.5.5.1 Configuring 802.1x PEAP authentication
PEAP authentication uses user IDs and passwords for authentication. To successfully configure 802.1x authentication of a Wireless AP, the Wireless AP must first be configured for 802.1x authentication before the Wireless AP is deployed on an 802.1x-enabled switch port.
Note: Usernames and passwords for PEAP authentication credentials each have a maximum length of 128 characters.
• Serial – The serial number of the Wireless AP. The Wireless AP serial number cannot be edited.
• MAC – The MAC address of the Wireless AP. The Wireless AP MAC address cannot be edited.
• Other – Click to specify a custom value. A text box is displayed. In the text box, type the value you want to assign as the username credential.
5.
successfully configure 802.1x authentication of a Wireless AP, the Wireless AP must first be configured for 802.1x authentication before the Wireless AP is deployed on an 802.1x-enabled switch port.
To configure 802.1x EAP-TLS authentication in proxy mode:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP page is displayed.
2.
• Name – The name of the Wireless AP, which is assigned on the AP Properties tab. The Wireless AP name can be edited.
• Serial – The serial number of the Wireless AP. The Wireless AP serial number cannot be edited.
• MAC – The MAC address of the Wireless AP. The Wireless AP MAC address cannot be edited.
• Other – Click to specify a custom value. A text box is displayed.
To configure 802.1x EAP-TLS authentication in pass through mode:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP page is displayed.
2. In the Wireless AP list, click the Wireless AP for which you want to configure 802.1x EAP-TLS authentication.
3. Click the 802.1x tab.
4. Click Browse. The Choose file window is displayed.
5. Navigate to the location of the certificate file (.pfx) and click Open.
To view current 802.1x credentials:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP page is displayed.
2. In the Wireless AP list, click the Wireless AP for which you want to view its current 802.1x credentials.
3. In the Current Credentials section, click Get additional Certificate info. The Wireless AP Credentials window is displayed.
4.5.5.4 Deleting 802.
The credentials are deleted and the Wireless AP settings are updated.
Note: If you attempt to delete the 802.1x credentials of a Wireless AP that currently does not have an active session with the HiPath Wireless Controller, the credentials are only deleted after the Wireless AP connects with the HiPath Wireless Controller.
4.5.6 Setting up 802.
4. In the PEAP Authentication section, do the following:
• In the Username drop-down list, click the value you want to assign as the username credential:
  • Name – The name of the Wireless AP, which is assigned on the AP Properties tab. The Wireless AP name can be edited.
  • Serial – The serial number of the Wireless AP. The Wireless AP serial number cannot be edited.
  • MAC – The MAC address of the Wireless AP.
• Organizational Unit name – The name of the unit within the organization
• Common name – Click the value you want to assign as the common name of the Wireless AP:
  • Name – The name of the Wireless AP, which is assigned on the AP Properties tab. The Wireless AP name can be edited.
  • Serial – The serial number of the Wireless AP. The Wireless AP serial number cannot be edited.
• All .pfx files created by the third-party Certificate Authentication application must be zipped into one file.
To configure 802.1x EAP-TLS authentication in pass through mode using Multi-edit:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP page is displayed.
2. In the left pane, click AP 802.1x Multi-edit.
3. In the Wireless APs list, click one or more Wireless APs to configure.
• Common Configuration – Configure common configuration, such as VNS assignments and static configuration options for all Wireless APs, including the Wireless AP 2610/2620, the Wireless 802.11n AP 3610/3620, and the HiPath Wireless Outdoor AP 2650/2660.
• Standard AP Defaults – Configure the default Wireless AP settings for only the Wireless AP 2610/2620 and HiPath Wireless Outdoor AP 2650/2660.
4. To configure common configuration applicable to all Wireless APs, click the Common Configuration tab.
5. In the Static Configuration section, do one of the following:
• To allow each Wireless AP to provide its own HWC Search List, select the Learn HWC Search List from AP checkbox.
8. In the AP Properties section, do the following:
• Role – Click the role for the Wireless AP, either Access Point or Sensor. Once the Wireless AP is configured as Sensor, it no longer performs RF services, and is no longer managed by the HiPath Wireless Controller.
• Poll Timeout – Type the timeout value, in seconds.
• Use broadcast for disassociation – Select if you want the Wireless AP to use broadcast disassociation when disconnecting all clients, instead of disassociating each client one by one. This will affect the behavior of the AP under the following conditions:
  • If the Wireless AP is preparing to reboot or to enter one of the special modes (DRM initial channel selection).
Depending on the regulatory domain (based on country), some channels may be restricted. The default value is based on North America. For more information, see Appendix B, “Regulatory information”.
• Auto Tx Power Ctrl – For each radio, click to either enable or disable ATPC from the Auto Tx Power Ctrl drop-down list. ATPC automatically adapts transmission power signals according to the coverage provided by the Wireless APs.
• Protection Mode – Click a protection mode: None, Auto, or Always. The default and recommended setting is Auto. Click None if 11b APs and clients are not expected. Click Always if you expect many 11b-only clients.
• Protection Rate – Click a protection rate: 1, 2, 5.5, or 11 Mbps. The default and recommended setting is 11.
• Video VI – For each radio, click the number of retries for the Video transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
• Voice VO – For each radio, click the number of retries for the Voice transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
• Country – Click the country of operation. This option is only available with some licenses.
12. In the Radio Settings section, do the following:
• Radio Mode – Click the radios you want to enable.
• Channel Width – Click the channel width for the radio:
  • 20MHz – Click to allow 802.11n clients to use the primary channel (20MHz) and non-802.11n clients, beacons, and multicasts to use the 802.11b/g radio protocols.
• Channel Bonding – Click the bonding method, Up or Down. The primary channel (20MHz) is bonded with an extension channel that is either 20MHz above (bonding up) or 20MHz below (bonding down) the primary channel. Depending on the channel that is selected in the Request New Channel drop-down list, you may be prevented from bonding Up or Down in the Channel Bonding drop-down list.
hwc_apstartup.fm Configuring the Wireless AP Modifying a Wireless AP’s properties based on a default AP configuration
• 40MHz Channel Busy Threshold – Type the extension channel threshold percentage, which if exceeded, will disable transmissions on the extension channel (40MHz).
• Aggregate MSDUs – Click an aggregate MSDU mode: Enabled or Disabled. Aggregate MSDU increases the maximum frame transmission size.
• Aggregate MSDU Max Length – Type the maximum length of the aggregate MSDU.
4.7 Modifying the Wireless AP’s default setting using the Copy to Defaults feature
You can modify the system’s default AP settings by using the Copy to Defaults feature on the AP Properties tab. This feature allows the properties of an already configured AP to become the system’s default AP settings.
To modify the system’s default AP settings based on an already configured AP:
1.
hwc_apstartup.fm Configuring the Wireless AP Configuring Wireless APs simultaneously
To configure Wireless APs simultaneously:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP page is displayed.
2. In the left pane, click AP Multi-edit.
3. Do the following:
• In the Hardware Types list, click one or more Wireless AP hardware types.
• In the Wireless APs list, click one or more Wireless APs to edit.
hwc_apstartup.fm Configuring the Wireless AP Configuring an AP as a sensor
• AP Properties – For more information, see Section 4.5.2, “Modifying a Wireless AP’s properties”, on page 90.
• Radio Settings – For more information, see Section 4.5.3, “Modifying Wireless AP radio properties”, on page 95.
• Static Configuration – For more information, see Section 4.5.4, “Setting up the Wireless AP using static configuration”, on page 114.
5.
hwc_apstartup.fm Configuring the Wireless AP Performing Wireless AP software maintenance
• TFTP server IP address
• Path to sensor image
To configure Sensor Management values for the HiPath Wireless Controller:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP page is displayed.
2. In the left pane, click Sensor Management. The Wireless AP Sensor Management page is displayed.
3.
The software for each Wireless AP can be uploaded either immediately, or the next time the Wireless AP connects. Part of the Wireless AP boot sequence is to seek and install its software from the HiPath Wireless Controller. Most of the properties of each radio on a Wireless AP can be modified without requiring a reboot of the AP. The Wireless AP keeps a backup copy of its software image.
4. To select an image to be the default image for a software upgrade, click it in the list, and then click Set as default.
5. In the Upgrade Behavior section, select one of the following:
• Upgrade when AP connects using settings from Controlled Upgrade – The Controlled Upgrade tab is displayed.
• Directory – The directory on the server in which the image file that is to be retrieved is stored.
• Filename – The name of the image file to retrieve.
• Platform – The AP hardware type to which the image applies. There are several types of AP and they require different images.
4. Click Download. The new software image is downloaded.
To define parameters for a Wireless AP controlled software upgrade:
1.
6. In the list of registered Wireless APs, select the checkbox for each Wireless AP to be upgraded with the selected software image.
7. Click Apply AP image version. The selected software image is displayed in the Upgrade To column of the list.
8. To save the software upgrade strategy to be run later, click Save for later.
9. To run the software upgrade immediately, click Upgrade Now.
hwc_vnsintro.fm Virtual Network Services VNS overview
5 Virtual Network Services
This chapter describes Virtual Network Services (VNS) concepts, including:
• VNS overview
• Setting up a VNS checklist
• Topology of a VNS
• RF assignment for a VNS
• Authentication for a VNS
• Filtering for a VNS
• Data protection on a VNS—WEP and WPA
• VNS global settings
• Setting up a new VNS
5.1 VNS overview
A VNS is an IP subnet designed to enable Wireless APs to interact with wireless devices.
hwc_vnsintro.fm Virtual Network Services Setting up a VNS checklist
These IP addresses are not virtual IP addresses. They are regular IP addresses and are unique over the network. These IP addresses are advertised to other hosts on the network to exchange traffic with the wireless devices in the VNS.
• A single overall filtering policy applies to all the wireless devices within the VNS.
hwc_vnsintro.fm Virtual Network Services Topology of a VNS
Configure Captive Portal page, select the No Captive Portal option. There will be no authentication of users, but the Controller, Access Points and Convergence Software is otherwise operational.
• Has 802.1x authentication
• Requires filtering rules for group filter IDs and default filter. A definition of group filter IDs is optional. If a filter is not specified or not returned by the Access-Accept response, the default filter group is applied.
• Has WEP and WPA privacy
• HiPath Wireless Controller is involved in authenticating users. 802.
5.4 RF assignment for a VNS
The second step in setting up a VNS is to configure the RF assignment for the VNS. From the RF tab you assign APs to a VNS and SSID definitions.
5.5 Authentication for a VNS
The third step in setting up a VNS is to configure the authentication mechanism for the VNS. The authentication mechanism depends on the network assignment.
• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol (CHAP)
• Windows-specific version of CHAP (MS CHAP)
• MS CHAP v2 (Windows-specific version of CHAP, version 2)
For Captive Portal authentication, the RADIUS server must support the selected authentication type: PAP, CHAP (RFC2484), MS-CHAP (RFC2433), or MS-CHAPv2 (RFC2759).
5.5.2 Authentication with AAA (802.
hwc_vnsintro.fm Virtual Network Services Filtering for a VNS
In addition, the definition of a specific filter ID is an optional configuration. If a specific filter ID is not defined or returned by the access-accept operation, the HiPath Wireless Controller assigns the VNS's default filter for authenticated users.
Note: The HiPath Wireless Controller only assigns the device's IP after the client requests one. Both Captive Portal and AAA (802.
5.6.1 Final filter rule
The final rule in any filter should act as a catch-all for any traffic that did not match a filter. This final rule should either allow all or deny all traffic, depending on the requirements for network access. For example, the final rule in a nonauthenticated filter for Captive Portal is typically deny all.
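The following Python example is added here and is not part of the guide or the controller's configuration format. It models the two behaviours described above: falling back to the default filter when the filter ID returned at authentication is missing or unknown, and auditing each rule list for a catch-all final rule. The rule fields, filter names, addresses and the first-match evaluation order are assumptions made for illustration.

```python
"""Audit ordered filter rule lists for a catch-all final rule.

Hypothetical model: rule fields, filter names and addresses are constructed
for illustration and are not the controller's configuration format.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY_NET = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    network: str          # destination CIDR; "0.0.0.0/0" means any address
    port: Optional[int]   # destination port; None means any port
    action: str           # "allow" or "deny"

    def is_catch_all(self) -> bool:
        return ip_network(self.network) == ANY_NET and self.port is None

    def matches(self, dst: str, port: int) -> bool:
        in_net = ip_address(dst) in ip_network(self.network)
        return in_net and (self.port is None or self.port == port)


def select_filter(filters: dict, filter_id: Optional[str],
                  default: str = "default") -> str:
    """Use the filter named by the returned filter ID, else the default filter."""
    if filter_id is not None and filter_id in filters:
        return filter_id
    return default


def evaluate(rules: list, dst: str, port: int) -> Optional[str]:
    """Return the action of the first matching rule (assumed first-match order).

    None means no rule matched, which is the gap a final catch-all closes.
    """
    for rule in rules:
        if rule.matches(dst, port):
            return rule.action
    return None


def audit(rules: list) -> list:
    """List structural problems in one ordered rule list."""
    findings = []
    if not rules or not rules[-1].is_catch_all():
        findings.append("final rule is not a catch-all")
    for index, rule in enumerate(rules[:-1]):
        if rule.is_catch_all():
            findings.append(f"rules after position {index + 1} are unreachable")
            break
    return findings


# Constructed sample filters (documentation address ranges, invented names).
FILTERS = {
    "non-authenticated": [
        Rule("192.0.2.10/32", 443, "allow"),   # captive portal login page
        Rule("192.0.2.53/32", 53, "allow"),    # DNS needed before login
        Rule("0.0.0.0/0", None, "deny"),       # final rule: deny all
    ],
    "default": [
        Rule("10.20.0.0/16", None, "deny"),    # keep users off a server subnet
        Rule("0.0.0.0/0", None, "allow"),      # final rule: allow all
    ],
    "contractors": [
        Rule("10.30.5.0/24", 443, "allow"),    # no final rule defined
    ],
    "misordered": [
        Rule("0.0.0.0/0", None, "allow"),      # catch-all placed first
        Rule("10.20.0.0/16", None, "deny"),
        Rule("0.0.0.0/0", None, "deny"),
    ],
}


if __name__ == "__main__":
    for name, rules in FILTERS.items():
        print(name, audit(rules) or "ok")
    applied = select_filter(FILTERS, "unknown-group")
    print("applied filter:", applied,
          "->", evaluate(FILTERS[applied], "198.51.100.7", 443))
```

Port matching here ignores the transport protocol, so a real audit would also compare TCP and UDP separately.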
hwc_vnsintro.fm Virtual Network Services Data protection on a VNS—WEP and WPA
different topology definition than the parent VNS, as well as having its own set of filter definitions. Filter IDs returned in association with a Login-LAT-Group definition are applied to the user, in relation to the sub-VNS indicated by the Login-LAT-Group specification. If no filter ID matches are found, then the default filter is applied.
5.8 VNS global settings
Before defining a specific VNS, define the global settings that will apply to all VNS definitions. These global settings include:
• Identify the location and password of RADIUS servers on the enterprise network. The defined servers appear as available choices when you set up the authentication mechanism for each VNS.
• Define the shared secret used to encrypt the Pairwise Master Key (PMK) for WPA2 v.
3. To define a RADIUS server available on the network, do the following:
• In the Server Name box, type a name.
• In the Server Address box, type the IP address.
• In the Shared Secret box, type the password that is required in both directions. This password is used to validate the connection between the controller and the RADIUS server.
4. In order to proofread your password before saving the configuration, click Unmask.
To define admission control thresholds for VNS global settings:
1. From the main menu, click Virtual Network Configuration. The Virtual Network list is displayed.
2. In the left pane, click Global Settings. The Authentication tab is displayed.
3. Click the Wireless QoS tab.
4.
These global QoS settings apply to all APs that serve QoS enabled VNSs with admission control.
Note: The Wireless 802.11n AP does not support admission control thresholds.
5. To save your changes, click Save.
To define inter-HiPath Wireless Controller shared secret for VNS global settings:
1. From the main menu, click Virtual Network Configuration. The Virtual Network list is displayed.
2. In the left pane, click Global Settings.
3.
This precautionary step is highly recommended in order to avoid an error, later, when the HiPath Wireless Controller attempts to communicate with the RADIUS server.
6. To save your changes, click Save.
5.9 Setting up a new VNS
Now that you are familiar with the VNS concepts, you can set up a new VNS.
hwc_vnsconfiguration.fm Virtual Network configuration Creating a new VNS name
• Wireless Distribution System (WDS) – User traffic plies over a wireless network that uses multiple access points interconnected via wireless links. For more information, see Section 6.17.7, “Deploying the WDS system”, on page 238.
Note: The bridged at the controller, routed and bridged at the AP VNSs are the network VNSs and they are used to service the client devices.
hwc_vnsconfiguration.fm Virtual Network configuration Topology for a VNS
• SSID – The SSID determines the VNS to which a user profile will be assigned (user topology/IP, filters):
  • Has Captive Portal authentication, or no authentication (as well as MAC-based authentication).
  • Requires restricted filtering rules before authentication and, after authentication, filtering rules for group filter IDs.
  • Is used for a VNS supporting wireless voice traffic (QoS).
To create an SSID for Captive Portal VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network Configuration page is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to create an SSID for. The Topology tab is displayed.
3. From the Assignment by drop-down list, click SSID.
6.3.1.
The post timeout is the maximum amount of time that is allowed to elapse from the last time any traffic was received for an authenticated user. For example, a user may have disconnected from the system and no longer be connected. A post timeout expires and cleans up the session. A client that exceeds either the pre or post timeout value will be forced to disassociate.
To enable management traffic on a VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network Configuration page is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to enable management traffic for. The Topology tab is displayed.
3. Select the Allow mgmt traffic checkbox.
6.3.1.
4. To save your changes, click Save.
6.3.1.4 Defining a next hop route and OSPF advertisement for a VNS
The next hop definition allows the administrator to define a specific host as the target for all non-VNS targeted traffic for users in a VNS. The next hop IP identifies the target device to which all VNS (user traffic) will be forwarded. Next-hop definition supersedes any other possible definition in the routing table.
6.3.1.5 Defining the IP address for the VNS (for the DHCP server on the controller)
Bridged at the AP VNSs do not require a corresponding IP address definition for the VNS since all traffic for users in that VNS will be directly bridged by the AP at the local network point of attachment (VLAN at AP port). The IP address definition is only required for a routed VNS or VLAN bridged VNS.
• To modify the address in the Address Range to box, type the last available address.
• If there are specific IP addresses to be excluded from this range, click Exclusion(s). The DHCP Address Exclusion window is displayed.
• In the DHCP Address Exclusion window, do one of the following:
  • To specify an IP range, type the first available address in the From box and type the last available address in the to box.
To modify time limits for IP assignments:
1. From the main menu, click Virtual Network Configuration. The Virtual Network Configuration page is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to set time limits for. The Topology tab is displayed.
3. In the Lease default box, type the default time limit. The default time limit dictates how long a wireless device can keep the DHCP server assigned IP address.
Using a DHCP relay forces the HiPath Wireless Controller to forward DHCP requests to an external DHCP server on the enterprise network. This function bypasses the local DHCP server for the HiPath Wireless Controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure.
hwc_vnsconfiguration.fm Virtual Network configuration Assigning Wireless AP radios to a VNS
4. Configure the topology for your VNS accordingly. For more information, see Section 6.3, “Topology for a VNS”, on page 164.
5. To save your changes, click Save.
6.3.3 Saving your topology properties
Once your topology is defined, you can then save your topology properties to continue configuring your VNS. To save your topology properties, click Save.
6.
• C20 – Up to 8 VNSs
Note: You can assign the radios of all three Wireless AP variants — HiPath Wireless AP, HiPath Wireless Outdoor AP, and Wireless 802.11n AP — to any VNS.
To assign Wireless APs to a VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network Configuration page is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to assign Wireless APs to.
hwc_vnsconfiguration.fm Virtual Network configuration Deleting a VNS
6. From the Wireless APs list, click the APs and their radios that you want to assign to the VNS. You can also use the Select APs list to select APs and their radios by grouping:
  • All radios – Click to assign all of the APs’ radios.
  • a radios – Click to assign only the APs’ a radios.
  • b/g radios – Click to assign only the APs’ b/g radios.
  • local APs - all radios – Click to assign only the local APs.
hwc_vnsconfiguration.fm Virtual Network configuration Authentication for a VNS
• If network assignment is by SSID, authentication can be:
  • none
  • by Captive Portal using internal Captive Portal
  • by Captive Portal using external Captive Portal
  • by MAC-based authentication
• If network assignment is by AAA (802.1x), authentication can be:
  • by 802.
Attribute Name | ID | Type | Messages | Description
Siemens-VNSName | 4 | string | Sent to RADIUS server | The name of the Virtual Network the client has been assigned to. It is used in assigning policy and billing options, based on service selection.
Siemens-SSID | 5 | string | Sent to RADIUS server | The name of the SSID the client is associating to. It is used in assigning policy and billing options, based on service selection.
• External Captive Portal – After an external server displays the Captive Portal Web page and carries out the authentication, the HiPath Wireless Controller implements policy.
• External Captive Portal with internal authentication – After an external server displays the Captive Portal Web page, the HiPath Wireless Controller carries out the authentication and implements policy.
To define authentication by Captive Portal:
1.
The RADIUS servers are defined on the Global Settings page. For more information, see Section 5.8, “VNS global settings”, on page 157. The selected server is no longer available in the RADIUS drop-down list. The server name is now displayed in the list of configured servers, next to the Up and Down buttons, where it can be prioritized for RADIUS redundancy.
10. In the Auth. Type drop-down list, click the authentication protocol to be used by the RADIUS server to authenticate the wireless device users.
In the event of a failover of the main RADIUS server—if there is no response after the set number of retries—then the other servers in the list will be polled on a round-robin basis until a server responds. If one of the other servers becomes the active server during a failover, when the new active server properties are displayed the Set as primary server checkbox is selected.
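The shared secret entered under Global Settings (Section 5.8) is what lets a RADIUS client tell a genuine reply from a forged or mis-keyed one. The sketch below is an added example, not HiPath code: it computes the RFC 2865 Response Authenticator and shows that a reply keyed with a different secret fails verification, which to the client looks the same as the no-response case that starts the failover described above. Server names, secrets, the identifier and the Filter-Id value are constructed sample values, and the single pass over the server list is a simplification.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2                      # RADIUS code for Access-Accept
REQUEST_AUTH = bytes(range(16))        # constructed 16-byte Request Authenticator
# Constructed Filter-Id attribute (RADIUS type 11) carrying the value "Staff".
FILTER_ID_ATTR = bytes([11, 2 + len(b"Staff")]) + b"Staff"

# Constructed sample: what each server holds vs. what was typed on the controller.
SERVERS = [("radius-primary", b"s3cret-A"), ("radius-backup", b"s3cret-B")]
CONTROLLER_SECRETS = {"radius-primary": b"s3cret-a",   # wrong case: a typo
                      "radius-backup": b"s3cret-B"}


def response_authenticator(code, ident, request_auth, attributes, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_reply(code, ident, request_auth, attributes, secret):
    """The packet a RADIUS server holding `secret` would send back."""
    auth = response_authenticator(code, ident, request_auth, attributes, secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return header + auth + attributes


def reply_is_valid(packet, ident, request_auth, secret):
    """Client-side check: matching identifier, length and authenticator."""
    if len(packet) < 20:
        return False
    code, reply_id, length = struct.unpack("!BBH", packet[:4])
    if reply_id != ident or length != len(packet):
        return False
    expected = response_authenticator(code, reply_id, request_auth,
                                      packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def first_responding_server(servers, client_secrets, ident, request_auth, retries=3):
    """Walk the prioritized list; a reply only counts if it verifies."""
    for name, server_secret in servers:
        for _ in range(retries):
            reply = build_reply(ACCESS_ACCEPT, ident, request_auth,
                                FILTER_ID_ATTR, server_secret)
            if reply_is_valid(reply, ident, request_auth, client_secrets[name]):
                return name
            # An invalid reply is discarded, so the attempt counts as a timeout.
    return None


if __name__ == "__main__":
    print(first_responding_server(SERVERS, CONTROLLER_SECRETS, 7, REQUEST_AUTH))
```

A one-character difference in the secret is enough to push every request to the backup server, which is why proofreading the secret with Unmask before saving is worth the extra click.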
10. To view a summary of the RADIUS configuration, click View Summary. The RADIUS summary page is displayed.
11. To save your changes, click Save.
6.6.2.
To configure the Captive Portal settings for internal Captive Portal:
1. From the main menu, click Virtual Network Configuration. The Virtual Network Configuration page is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to configure the Captive Portal settings for. The Topology tab is displayed.
3. Click the Auth & Acct tab.
4. Click Configure Captive Portal Settings.
  • VNS Name
  • SSID
  • MAC Address
15. In the right pane, select whether these VSA attributes apply to the header or footer of the Captive Portal page. The selections influence what URL is returned in either section. For example, wireless users can be identified by which Wireless AP or which VNS they are associated with, and can be presented with a Captive Portal Web page that is customized for those identifiers.
16.
If there is an authentication server configured for this VNS, the external Captive Portal page on the external authentication server will send the request back to the HiPath Wireless Controller to allow the HiPath Wireless Controller to continue with the RADIUS authentication and filtering.
4. Click Auth. The Authentication fields are displayed.
5. From the RADIUS drop-down list, click the server you want to use for Captive Portal authentication, and then click Use. The server’s default information is displayed.
The RADIUS servers are defined on the Global Settings page. For more information, see Section 5.8, “VNS global settings”, on page 157.
The selected server is no longer available in the RADIUS drop-down list. The server name is now displayed in the list of configured servers, next to the Up and Down buttons, where it can be prioritized for RADIUS redundancy. The server can also be assigned again for MAC-based authentication or accounting purposes. A red asterisk is displayed next to Auth, indicating that a server has been assigned.
6.
  • VNS’s
  • SSID
The Vendor Specific Attributes must be defined on the RADIUS server.
11. If applicable, select the Set as primary server checkbox.
12. To save your changes, click Save.
  • MAC – Use to define servers for MAC-based authentication.
  • Acct – Use to define accounting servers.
4. Click MAC. The MAC fields are displayed.
5. From the RADIUS drop-down list, click the server you want to use for MAC authentication, and then click Use. The server’s default information is displayed and a red asterisk is displayed next to MAC, indicating that a server has been assigned.
hwc_vnsconfiguration.fm Virtual Network configuration Defining accounting methods for a VNS
10. In the NAS IP Address box, type the Network Access Server (NAS) IP address.
11. In the NAS Identifier box, type the Network Access Server (NAS) identifier. The NAS identifier is a RADIUS attribute that identifies the server responsible for passing information to designated RADIUS servers and then acting on the response returned. This is an optional step.
12. In the Auth.
HiPath Wireless Controller accounting creates Call Data Records (CDRs) in a standard format of authenticated user sessions, such as start time and duration of session. The CDRs are stored in flat files that can be downloaded via the Command Line Interface (CLI). If RADIUS accounting is enabled, a RADIUS accounting server needs to be specified.
To define accounting methods for a VNS:
1.
6.8 Defining RADIUS filter policy for VNSs and VNS groups
The next step in configuring a VNS is to define the filter ID values for a VNS. These filter ID values must match those set up on the RADIUS servers.
Note: This configuration step is optional. If filter ID values are not defined, the system uses the default filter as the applicable filter group for authenticated users within a VNS.
hwc_vnsconfiguration.fm Virtual Network configuration Configuring filtering rules for a VNS
4. In the Filter ID Values box, type the name of a group that you want to define specific filtering rules for to control network access.
5. Click the corresponding Add button. The filter ID value is displayed in the list. These filter ID values will appear in the Filter ID list on the Filtering tab. These filter ID values must match those set up for the filter ID attribute in the RADIUS server.
6.
ID that has its own filtering rules. If no filter ID matches are found, then the default filter is applied. VNS Policy is also applicable for Captive Portal and MAC-based authorization.
6.9.1 Filtering rules for an exception filter
The exception filter provides a set of rules aimed at restricting the type of traffic that is delivered to the controller.
relax the built-in filtering that automatically drops packets not specifically allowed by filtering rule definitions. The exception filtering rules can deny access in the event of a DoS attack, or can allow certain types of management traffic that would otherwise be denied. Typically, Allow Management is enabled.
To define filtering rules for an exception filter:
1.
  • Type the default gateway IP address (VNS' IP address) that you defined on the Topology tab for this VNS.
7. Click Add. The information is displayed in the Filter Rules section of the tab.
8. Click the new filter, then select the Allow checkbox applicable to the rule you defined.
9. To edit the order of filters, click the filter, and then click the Up and Down buttons.
Redirection and Captive Portal credentials apply to HTTP traffic only. A wireless device user attempting to reach Websites other than those specifically allowed in the non-authenticated filter will be redirected to the allowed destinations. Most HTTP traffic outside of those defined in the non-authenticated filter will be redirected.
The Filtering tab automatically provides a Deny All rule already in place. Use this rule as the final rule in the non-authenticated filter for Captive Portal.
5. For each filtering rule you are defining, do the following:
  • In the IP/subnet:port box, type the destination IP address. You can also specify an IP range, a port designation, or a port range on that IP address.
  • Select the Allow checkbox applicable to the rule you defined.
9. To edit the order of filters, click the filter, and then click the Up and Down buttons. The filtering rules are executed in the order you define here.
10. To save your changes, click Save.
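Because the rules are executed in the order defined, a misplaced Deny All silently disables every rule below it. The following model is an added example, not HiPath code: it selects a filter group from the RADIUS Filter-ID (falling back to the default filter when no filter ID value matches), evaluates rules top to bottom, and flags rules that an earlier rule makes unreachable. First-match evaluation, the rule fields, the group name and all addresses are assumptions constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"   # stands in for the guide's *.*.*.* catch-all


@dataclass(frozen=True)
class Rule:
    net: str                        # network-side address or subnet, CIDR form
    ports: Optional[range] = None   # None means any port
    allow: bool = False             # state of the Allow checkbox
    inbound: bool = True            # "In": traffic from the wireless device
    outbound: bool = True           # "Out": traffic from a network host

    def matches(self, host: str, port: int, direction: str) -> bool:
        if not (self.inbound if direction == "in" else self.outbound):
            return False
        if ipaddress.ip_address(host) not in ipaddress.ip_network(self.net):
            return False
        return self.ports is None or port in self.ports


def select_filter(filter_id, groups, default_rules):
    """Rule list for the Filter-ID returned by RADIUS, else the default filter."""
    if filter_id in groups:
        return filter_id, groups[filter_id]
    return "default", default_rules


def evaluate(rules, host, port, direction="in"):
    """Return (allowed, index of the deciding rule); unmatched traffic is dropped."""
    for index, rule in enumerate(rules):
        if rule.matches(host, port, direction):
            return rule.allow, index
    return False, None


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet the later rule matches is caught by the earlier one."""
    if (later.inbound and not earlier.inbound) or \
       (later.outbound and not earlier.outbound):
        return False
    later_net = ipaddress.ip_network(later.net)
    if not later_net.subnet_of(ipaddress.ip_network(earlier.net)):
        return False
    if earlier.ports is None:
        return True
    if later.ports is None:
        return False
    return (earlier.ports.start <= later.ports.start
            and later.ports.stop <= earlier.ports.stop)


def shadowed(rules):
    """Indexes of rules that can never decide a packet."""
    return [j for j, later in enumerate(rules)
            if any(covers(rules[i], later) for i in range(j))]


# Constructed sample: non-authenticated filter (gateway, DNS, then Deny All).
NON_AUTH = [
    Rule("10.0.0.1/32", allow=True),
    Rule("10.0.0.53/32", range(53, 54), allow=True),
    Rule(ANY, allow=False),
]
# The same rules with Deny All moved to the top by mistake.
MISORDERED = [NON_AUTH[2], NON_AUTH[0], NON_AUTH[1]]

if __name__ == "__main__":
    print(evaluate(NON_AUTH, "10.0.0.53", 53))     # DNS reaches its allow rule
    print(evaluate(MISORDERED, "10.0.0.53", 53))   # Deny All decides first
    print(shadowed(MISORDERED))                    # the rules that became dead
```

Running `shadowed` over a rule list before saving it is a quick way to catch an ordering mistake made with the Up and Down buttons.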
In | Out | Allow | IP / Port | Description
x | x | x | IP address of the default gateway | Allow all incoming wireless devices access to the default gateway of the VNS.
x | x | x | IP address of the DNS Server | Allow all incoming wireless devices access to the DNS server of the VNS.
x | x | x | |
x | x | x | |
Table 16
To define filtering rules for a filter ID group:
1. From the main menu, click Virtual Network Configuration. The Virtual Network Configuration page is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to define filtering rules for a filter ID group. The Topology tab is displayed.
3. Click the Filtering tab.
4.
  • If applicable, select In to refer to traffic from the wireless device that is trying to get on the network.
  • If applicable, select Out to refer to traffic from the network host that is trying to get to a wireless device.
  • Select the Allow checkbox applicable to the rule you defined.
8. To edit the order of filters, click the filter, and then click the Up and Down buttons.
The final rule in the default filter should be a catch-all rule for any traffic that did not match a filter. A final Allow All rule in a default filter will ensure that a packet is not dropped entirely if no other match can be found. VNS Policy is also applicable for Captive Portal and MAC-based authorization.
To define the filtering rules for a default filter:
1.
In | Out | Allow | IP / Port | Description
x | x | | Intranet IP, range | Deny all access to an IP range
x | x | | Port 80 (HTTP) | Deny all access to Web browsing
x | x | | Intranet IP | Deny all access to a specific IP
x | x | | *.*.*.*. |
In | Out | Allow | IP / Port | Description
x | x | x | [Intranet IP] | Allow access to the Gateway IP address of the VNS only
x | x | | [Intranet IP, range] | Deny all access to the VNS subnet range (such as 0/24)
x | x | x | *.*.*.*. | Allow everything else
Table 21 Rules between two wireless devices
6.10 Enabling multicast for a VNS
A mechanism that supports multicast traffic can be enabled as part of a VNS definition.
4. To enable the multicast function, select Enable Multicast Support.
5. Define the multicast groups by selecting one of the radio buttons:
  • IP Group – Type the IP address range.
  • Defined groups – Click from the drop-down list.
6. Click Add. The group is added to the list above.
7. To enable the wireless multicast replication for this group, select the corresponding Wireless Replication checkbox.
8.
6.11 Configuring privacy for a VNS
Privacy is a mechanism that protects data over wireless and wired networks, usually by encryption techniques. The following section describes how the Privacy mechanism is handled for a Captive Portal VNS and an AAA VNS.
6.11.
5. From the WEP Key Length drop-down list, click the WEP encryption key length:
  • 64-bit
  • 128-bit
  • 152-bit
6. Select one of the following input methods:
  • Input Hex – If you select Input Hex, type the WEP key input in the WEP Key box. The key is generated automatically, based on the input.
4. Select WPA-PSK.
5. To enable WPA v1 encryption, select WPA v.1.
6. If WPA v.1 is enabled, click one of the following encryption types from the Encryption drop-down list:
  • Auto – The AP will advertise both TKIP and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) for WPAv1. CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard).
8. To enable re-keying after a time interval, select Broadcast re-key interval. If this checkbox is not selected, the Broadcast encryption key is never changed and the Wireless AP will always use the same broadcast key for Broadcast/Multicast transmissions. This will reduce the level of security for wireless communications.
9.
  • If WPA v.1 is disabled, the Wireless 802.11n AP will advertise the encryption cipher AES (Advanced Encryption Standard).
To set up static WEP privacy for an AAA VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network Configuration page is displayed.
2. In the left pane Virtual Networks list, click the AAA VNS you want to configure privacy by WPA-PSK for a Captive Portal.
  • Input String – If you select Input String, type the secret WEP key string used for encrypting and decrypting in the WEP Key String box. The WEP Key box is automatically filled by the corresponding Hex code.
7. To save your changes, click Save.
6.11.2.1 Dynamic WEP privacy for an AAA VNS
The dynamic key WEP mechanism changes the key for each user and each session.
To set up dynamic WEP privacy for a selected AAA VNS:
1.
• An enhanced Initialization Vector (IV) of 48 bits, instead of 24 bits, making it more difficult to compromise
• A Message Integrity Check or Code (MIC), an additional 8-byte code that is inserted before the standard WEP 4-byte Integrity Check Value (ICV).
6.11.2.3 Key Management Options
Wi-Fi Protected Access (WPA v1 and WPA v2) Privacy offers you the following key management options:
• None
• Opportunistic Keying
• Pre-authentication
• Opportunistic Keying & Pre-auth
The following sections explain the key management options.
None
The wireless client device performs a complete 802.1X authentication each time it associates or tries to connect to a Wireless AP.
Opportunistic Keying & Pre-auth
The Opportunistic Keying & Pre-auth option is meant for device clients that support both authentication processes. For example, the Microsoft-operated device clients support opportunistic keying by default, but they can be configured to support pre-authentication too.
To set up Wi-Fi Protected Access privacy (WPA) for an AAA VNS:
1.
  • Auto – The AP will advertise both TKIP and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) for WPAv1. CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). Auto is the default.
  • TKIP only – The AP will advertise TKIP as an available encryption protocol for WPAv1. It will not advertise CCMP.
6.
6.12 Defining a VNS with no authentication
You can set up a VNS that will bypass all authentication mechanisms and run Controller, Access Points and Convergence Software with no authentication of a wireless device user. A VNS with no authentication can still control network access using filtering rules.
6.13 Defining priority level and service class for VNS traffic
Voice over Internet Protocol (VoIP) using 802.11 wireless local area networks is enabling the integration of internet telephony technology on wireless networks. Various issues including Quality-of-Service (QoS), call control, network capacity, and network architecture are factors in VoIP over 802.11 WLANs.
hwc_vnsconfiguration.fm Virtual Network configuration Working with Quality of Service (QoS)
Service class name (number) | Priority level
Silver (3) | 3
Bronze (2) | 2
Best Effort (1) | 1
Background (0) | 0 (lowest priority)
Table 22 Service classes
The service class is equivalent to the 802.1D UP (user priority) with the exception that its scale is linear:
SC name SC Value 802.
Each VNS has a configurable policy for the QoS characteristics of the VNS. For every user associated with the VNS there will be a different behavior on the wireless traffic.
Note: Active QoS is only applied on the wireless/802.11 domain, not on the wired domain.
6.14.
Table 24 QoS mode combinations
The APs are capable of supporting 5 queues. The queues are implemented per radio. For example, 5 queues per radio. The queues are:
Queue Name | Purpose
AC_VO | Voice
AC_VI | Video
AC_BK | Background
AC_BE | Best Effort
AC_TVO | Turbo Voice
Table 25 Queues
The HiPath Wireless Controller supports the definition of 8 levels of user priority (UP).
VNS type | Packet Source | Packet type | L2 | L3
Branch or Tunneled | Wireless | non-WMM | No | Yes
Table 26 Traffic prioritization
6.15 Configuring the QoS policy on a VNS
The following is an overview of the steps involved in configuring the QoS on a VNS.
Step 3 – Defining the DSCP and service class classifications: All 64 DSCP code-points are supported. The IETF defined codes are listed by name and code. Un-defined codes are listed by code.
4. From the Wireless QoS list, do the following:
  • Legacy – Select if your VNS will support legacy devices that use SpectraLink Voice Protocol (SVP) for prioritizing voice traffic. If selected, the Turbo Voice option is displayed.
  • WMM – Select to enable the AP to accept WMM client associations, and classify and prioritize the downlink traffic for all WMM clients.
and/or 802.11e clients in that VNS are instructed by the AP to transmit all traffic classified to VO AC with special contention parameters tailored to maximize voice performance and capacity.
Note: The HiPath Wireless 802.11n supports only the WMM QoS mode.
5. To define the service class and DSCP marking for the VNS, select the Priority Override checkbox. For each DSCP you can click one of the eight service classes.
hwc_vnsconfiguration.fm Virtual Network configuration Bridging traffic locally
• Enable U-APSD – Select to enable the Unscheduled Automatic Power Save Delivery (U-APSD) feature. This feature can be used by mobile devices to efficiently sustain one or more real-time streams while being in power-save mode. This feature works in conjunction with WMM and/or 802.11e, and it is automatically disabled if both WMM and 802.11e are disabled.
If you select Tagged, type the VLAN ID in the VLAN ID box.
Note: The VLAN IDs are assigned by the branch office network administrator. The AP will operate correctly if you set the VLAN ID corresponding to the VLAN ID that was set up in the LAN. Configuring two untagged branch VNSs to the same AP on different radios is permitted.
hwc_vnsconfiguration.fm Virtual Network configuration Wireless Distribution System
untagged per AP per radio. The other branch mode VNSs need to have a unique VLAN ID. You must have VLAN aware L2 switches to support this feature.
Note: When a VNS is set up for bridged mode, it cannot be switched to tunneled mode. The administrator must delete and re-add the VNS.
6.
[Figure 10: Simple WDS configuration. Labels: Root Wireless AP, Satellite Wireless AP, HiPath Wireless Controller, Client Devices]
6.17.2 Wireless Repeater configuration
In Wireless Repeater configuration, a Repeater Wireless AP is installed between the Root Wireless AP and the Satellite Wireless AP. The Repeater Wireless AP relays the user traffic between the Root Wireless AP and the Satellite Wireless AP.
6.17.3 Wireless Bridge configuration
In Wireless Bridge configuration, the traffic between two Wireless APs that are connected to two separate wired LAN segments is bridged via WDS link. You may also install a Repeater Wireless AP between the two Wireless APs connected to two separate LAN segments.
In WDS deployment, one of the radios of every WDS Wireless AP establishes a WDS link on an exclusive VNS. The WDS Wireless AP is therefore limited to seven network VNSs on the WDS radio. The other radio can interact with the client-devices on a maximum of eight VNSs.
Note: The Root Wireless AP and the Repeater Wireless APs can also be configured to interact with the client-devices. For more information, see Section 6.17.7.
[Figure 15: WDS setup with a single WDS VNS. Labels: HiPath Wireless Controller, Lancaster, Ion, Minoru, Urso, Dove, Theodore, Client Devices]
The tree will operate as a single WDS entity. It will have a single WDS SSID and a single pre-shared key for WDS links. This tree will have multiple roots. For more information, see Section 6.17.6.3, “Multi-root WDS topology”, on page 236.
[Figure 16: WDS setup with multiple WDS VNSs. Labels: HiPath Wireless Controller, Minoru, Lancaster, Ion, Urso, Theodore, Dove, Client Devices]
6.17.6 Key features of WDS
Some key features of WDS are:
• Tree-like topology
• Radio Channels
• Multi-root WDS topology
• Automatic discovery of parent and backup parent Wireless APs
• Link security
6.17.6.
The nodes in the tree-structure have a parent-child relationship. The Wireless AP that provides the WDS service to the other Wireless APs in the downstream direction is a parent. The Wireless APs that establish a link with the Wireless AP in the upstream direction for WDS service are children.
The WDS system enables you to configure the Wireless AP’s role — parent, child or both — from the HiPath Wireless Controller’s interface. If the WDS Wireless AP will be serving as a parent and a child in a given topology, its role is configured as both.
Note: It is recommended to limit the number of APs participating in a WDS tree to 8. This limit guarantees decent performance in most typical situations.
Figure 18 Multiple-root WDS topology (figure labels: HiPath Wireless Controller; Root Wireless AP 1, 2 and 3; Repeater AP 1, 2 and 3; Satellite AP 1, 2 and 3; Wireless Devices)

6.17.6.
6.17.7 Deploying the WDS system

Before you start configuring the WDS Wireless APs, you must ensure the following:
• The Wireless APs that are part of the wired HiPath WLAN are connected to the wired network.
• The wired Wireless APs that will serve as the Root AP/Root APs of the proposed WDS topology are operating normally.
• The HiPath WLAN is operating normally.
5. Assigning the Satellite Wireless APs’ radios to the network VNSs.
6. Connecting the WDS Wireless APs to the enterprise network via the Ethernet link for provisioning. For more information, see Section 6.17.7, “Provisioning the WDS Wireless APs”, on page 238.
7. Disconnecting the WDS Wireless APs from the enterprise network and moving them to the target location.
1. Creating a WDS VNS.
2. Defining the SSID name and the pre-shared key.
3. Assigning roles, parents and backup parents to the WDS Wireless APs.

For ease of understanding, the WDS configuration process is explained with the help of an example. The following illustration depicts a site with the following features:
• An office building, denoted by a rectangular enclosure.
To configure the WDS Wireless APs through the HiPath Wireless Controller:

Note: You must identify and mark the Preferred Parents, Backup Parents and the Child Wireless APs in the proposed WDS topology before starting the configuration process.

1. From the main menu, click Virtual Network Configuration. The Virtual Network Configuration page is displayed.
2. In the left pane, type the WDS VNS name in the Add subnet box.
3.
5. To save your changes, click Save. The Topology tab is displayed.
6. Click the RF tab.
7. In the SSID box, type a name that will identify the new WDS SSID.
8. In the Pre-shared Key box, type the key.

Note: The pre-shared key must be 8 to 63 characters long. The WDS Wireless APs use this pre-shared key to establish a WDS link between them.

Note: Changing the pre-shared key after the WDS is deployed can be a lengthy process. For more information, see Section 6.17.
the parent Wireless AP. If the Wireless AP will be serving both as parent and child, you must select both as its role.

To configure the WDS as illustrated in Figure 19 with a single WDS VNS, you must assign the roles, preferred parents and backup parents to the Wireless APs according to the following table:

Wireless AP | Radio b/g | Radio a | Preferred Parent | Backup Parent
Ardal | Parent | Parent | See the note below.
Note: You must first assign the ‘parent’ role to the Wireless APs that will serve as the parents. Unless this is done, the Parent Wireless APs will not be displayed in the Preferred Parent and Backup Parent drop-down lists of other Wireless APs.

Note: The WDS Bridge feature on the user interface relates to WDS Bridge configuration.
10. To save your changes, click Save.

6.17.7.3 Assigning the Satellite Wireless APs’ radios to the network VNSs

You must assign the Satellite Wireless APs’ radios to the network VNSs.

Note: The network VNSs are the usual VNSs on which the Wireless APs service the client devices. Routed, Bridge Traffic Locally at HWC and Bridge Traffic Locally at AP VNSs are the network VNSs. For more information, see Section 6.
4. In the Wireless APs list, select the radios of the Satellite APs — Osborn, Oscar, Orson and Oswald.

Note: If you want the Root Wireless AP and the Repeater Wireless APs to service the client devices, you must select their radios in addition to the radios of the Satellite Wireless APs.

5. To save your changes, click Save.
6. Log out from the HiPath Wireless Controller.
6.17.7.4 Connecting the WDS Wireless APs to the enterprise network for provisioning

You must connect the WDS Wireless APs to the enterprise network once more in order to enable them to obtain their configuration from the HiPath Wireless Controller. The configuration includes the pre-shared key, the Wireless AP’s role, preferred parent and backup parent. For more information, see Provisioning the WDS Wireless APs on page 238.
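The rules this section gives for a WDS plan (pre-shared key of 8 to 63 characters, the parent role on any AP named as a preferred or backup parent, role both for an AP that is parent and child, a recommended limit of 8 APs per tree) can be checked on paper before the APs are provisioned. The following is an added example, not part of this guide or of the controller software; the AP names, the plan layout and the simplification of one role per AP rather than per radio are assumptions.

```python
# Added example: consistency check for a planned WDS tree before provisioning.
# AP names, the plan layout and per-AP (not per-radio) roles are assumptions.
from dataclasses import dataclass

MAX_RECOMMENDED_APS = 8  # recommended limit of APs in one WDS tree


@dataclass
class AP:
    name: str
    role: str             # "parent", "child" or "both"
    preferred: str = ""   # preferred parent AP name, "" if none
    backup: str = ""      # backup parent AP name, "" if none


def validate_plan(psk, aps):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if not 8 <= len(psk) <= 63:
        problems.append("pre-shared key must be 8 to 63 characters long")
    if len(aps) > MAX_RECOMMENDED_APS:
        problems.append(f"{len(aps)} APs exceed the recommended limit of {MAX_RECOMMENDED_APS}")
    by_name = {ap.name: ap for ap in aps}
    for ap in aps:
        uplinks = [p for p in (ap.preferred, ap.backup) if p]
        if uplinks and ap.role == "parent":
            problems.append(f"{ap.name}: has a parent itself, so its role must be both")
        for p in uplinks:
            target = by_name.get(p)
            if target is None:
                problems.append(f"{ap.name}: parent {p} is not in the plan")
            elif target.role not in ("parent", "both"):
                problems.append(f"{ap.name}: {p} lacks the parent role")
        # Walk preferred-parent links upward; revisiting a name means a loop.
        seen, cur = set(), ap
        while cur is not None and cur.preferred:
            if cur.name in seen:
                problems.append(f"{ap.name}: preferred-parent loop")
                break
            seen.add(cur.name)
            cur = by_name.get(cur.preferred)
    return problems


# Constructed plan: one root, one repeater, two satellites.
SAMPLE_PLAN = [
    AP("root-1", "parent"),
    AP("repeater-1", "both", preferred="root-1"),
    AP("sat-1", "child", preferred="repeater-1", backup="root-1"),
    AP("sat-2", "child", preferred="sat-1"),  # error: sat-1 is only a child
]
```

Calling `validate_plan("short", SAMPLE_PLAN)` reports the short key and the satellite that names a child-only AP as its parent.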
6.17.8 Changing the pre-shared key in WDS VNS

To change the pre-shared key in WDS VNS:
1. Create a new WDS VNS with a new pre-shared key.
2. Assign the RF of the Wireless APs from the old WDS to the new WDS VNS.
3. Check the WDS Wireless AP Statistics report page to ensure that all the WDS Wireless APs have connected to the HiPath Wireless Controller via the new WDS VNS. For more information, see Section 10.1.