Configuring Access Point Security Backup KDC Optionally, specify a numerical (non-DNS) IP address and port for a backup KDC. Backup KDCs are referred to as slave servers. The slave server periodically synchronizes its database with the primary (or master) KDC. Remote KDC Optionally, specify a numerical (non-DNS) IP address and port for a remote KDC. Kerberos implementations can use an administration server allowing remote manipulation of the Kerberos database.
6-12 AP-51xx Access Point Product Reference Guide 3. Select the 802.1x EAP radio button. The 802.1x EAP Settings field displays within the New Security Policy screen. 4. Ensure the Name of the security policy entered suits the intended configuration or function of the policy. 5. If using the access point’s Internal Radius server, leave the Radius Server drop-down menu in the default setting of Internal. If an external Radius server is used, select External from the drop-down menu. 6.
Configuring Access Point Security Radius Server Address If using an External Radius Server, specify the numerical (non-DNS) IP address of a primary Remote Dial-In User Service (Radius) server. Optionally, specify the IP address of a secondary server. The secondary server acts as a failover server if the primary server cannot be contacted. An ISP or a network administrator provides these addresses.
6-14 AP-51xx Access Point Product Reference Guide 7. Select the Accounting tab as required to define a timeout period and retry interval Syslog for MUs interoperating with the access point and EAP authentication server. The items within this tab could be enabled or disabled depending on whether internal or External has been selected from the Radius Server drop-down menu.
Configuring Access Point Security Period (30-9999) secs Set the EAP reauthentication period to a shorter time interval (at least 30 seconds) for tighter security on the WLAN's connections. Set the EAP reauthentication period to a longer time interval (at most, 9999 seconds) to relax security on wireless connections. The reauthentication period setting does not affect wireless connection throughput. The default is 3600 seconds. Max.
-16 AP-51xx Access Point Product Reference Guide 11. Click the Cancel button to undo any changes made within the 802.1x EAP Settings field and return to the WLAN screen. This reverts all settings for the 802.1x EAP Settings field to the last saved configuration. 6.6 Configuring WEP Encryption Wired Equivalent Privacy (WEP) is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard.
Configuring Access Point Security 5. Configure the WEP 64 Settings or WEP 128 Settings field as required to define the Pass Key used to generate the WEP keys. These keys must be the same between the access point and its MU to encrypt packets between the two devices. Pass Key Specify a 4 to 32 character pass key and click the Generate button. The pass key can be any alphanumeric string.
6-18 AP-51xx Access Point Product Reference Guide Key 1 1011121314 Key 2 2021222324 Key 3 3031323334 Key 4 4041424344 Default (hexadecimal) keys for WEP 128 include: Key 1 101112131415161718191A1B1C Key 2 202122232425262728292A2B2C Key 3 303132333435363738393A3B3C Key 4 404142434445464748494A4B4C 6. Click the Apply button to save any changes made within the WEP 64 Setting or WEP 128 Setting field of the New Security Policy screen. 7.
Configuring Access Point Security 3. Select the KeyGuard radio button. The KeyGuard Settings field displays within the New Security Policy screen. 4. Ensure the Name of the security policy entered suits the intended configuration or function of the policy. 5. Configure the KeyGuard Settings field as required to define the Pass Key used to generate the WEP keys used with the KeyGuard algorithm.
6-20 AP-51xx Access Point Product Reference Guide Default (hexadecimal) keys for KeyGuard include: Key 1 101112131415161718191A1B1C Key 2 202122232425262728292A2B2C Key 3 303132333435363738393A3B3C Key 4 404142434445464748494A4B4C 6. Select the Allow WEP128 Clients checkbox (from within the KeyGuard Mixed Mode field) to enable WEP128 clients to associate with an access point’s KeyGuard supported WLAN.
Configuring Access Point Security 3. Select the WPA/TKIP radio button. The WPA/TKIP Settings field displays within the New Security Policy screen. 4. Ensure the Name of the security policy entered suits the intended configuration or function of the policy. 5. Configure the Key Rotation Settings area as needed to broadcast encryption key changes to MUs and define the broadcast interval.
6-22 AP-51xx Access Point Product Reference Guide ASCII Passphrase To use an ASCII passphrase (and not a hexadecimal value), select the checkbox and enter an alphanumeric string of 8 to 63 characters. The alphanumeric string allows character spaces. The access point converts the string to a numeric value. This passphrase saves the administrator from entering the 256-bit key each time keys are generated.
Configuring Access Point Security If security policies supporting WPA2-CCMP exist, they appear within the Security Configuration screen. These existing policies can be used as is, or their properties edited by clicking the Edit button. To configure a new security policy supporting WPA2-CCMP, continue to step 2. 2. Click the Create button to configure a new policy supporting WPA2-CCMP. The New Security Policy screen displays with no authentication or encryption options selected. 3.
6-24 AP-51xx Access Point Product Reference Guide Broadcast Key Rotation Select the Broadcast Key Rotation checkbox to enable or disable the broadcasting of encryption key changes to MUs. Only broadcast key changes when required by associated MUs to reduce the transmissions of sensitive key information. This option is disabled by default. Update broadcast keys every (300604800 seconds) Specify a time period in seconds for broadcasting encryption key changes to MUs.
Configuring Access Point Security 8. Configure the Fast Roaming (802.1x only) field as required to enable additional access point roaming and key caching options. This feature is applicable only when using 802.1x EAP authentication with WPA2/CCMP. Pre-Authentication Selecting this option enables an associated MU to carry out an 802.1x authentication with another access point before it roams to it. The access point caches the keying information of the client until it roams to the other access point.
6-26 AP-51xx Access Point Product Reference Guide 2. Refer to the Global Firewall Disable field to enable or disable the access point firewall. Disable Firewall Select the Disable Firewall checkbox to disable all firewall functions on the access point. This includes firewall filters, NAT, VPN, content filtering, and subnet access. Disabling the access point firewall makes the access point vulnerable to data attacks and is not recommended during normal operation if using the WAN port. 3.
Configuring Access Point Security Source Routing Check A source routing attack specifies an exact route for a packet's travel through a network, while exploiting the use of an intermediate host to gain access to a private host. Winnuke Attack Check A "Win-nuking" attack uses the IP address of a destination host to send junk packets to its receiving port.
6-28 AP-51xx Access Point Product Reference Guide 1. Select Network Configuration -> Firewall -> Subnet Access from the access point menu tree. 2. Refer to the Overview table to view rectangles representing subnet associations. The three possible colors indicate the current access level, as defined, for each subnet association. Color Access Type Description Green Full Access No protocol exceptions (rules) are specified. All traffic may pass between these two areas.
Configuring Access Point Security Allow or Deny all protocols, except Use the drop-down menu to select either Allow or Deny. The selected setting applies to all protocols except those with enabled checkboxes and any traffic that is added to the table. For example, if the adoption rule is to Deny access to all protocols except those listed, access is allowed only to those selected protocols. Pre configured Rules The following protocols are preconfigured with the access point.
6-30 AP-51xx Access Point Product Reference Guide Transport Select a protocol from the drop-down menu. For a detailed description of the protocols available, see Available Protocols on page 6-30. Start Port Enter the starting port number for a range of ports. If the protocol uses a single port, enter that port in this field. End Port Enter the ending port number for a port range. If the protocol uses a single port, leave the field blank.
Configuring Access Point Security end points. Also, AH can be used in tunnel mode, providing security like that of a Virtual Private Network (VPN). • • ESP - Encapsulating Security Protocol is one of two key components of IP Security Protocol (IPsec). The other key component is Authentication Header (AH). ESP encrypts the packets and provides authentication services. ESP can be used in transport mode, providing security between two end points.
6-32 AP-51xx Access Point Product Reference Guide 2. Configure the Settings field as needed to override the settings in the Subnet Access screen and import firewall rules into the Advanced Subnet Access screen. Override Subnet Access settings Select this checkbox to enable advanced subnet access rules and disable existing subnet access rules, port forwarding, and 1 to many mappings from the system.
Configuring Access Point Security Source IP The Source IP range defines the origin address or address range for the firewall rule. To configure the Source IP range, click on the field. A new window displays for entering the IP address and range. Destination IP The Destination IP range determines the target address or address range for the firewall rule. To configure the Destination IP range, click on the field. A new window displays for entering the IP address and range.
6-34 AP-51xx Access Point Product Reference Guide Use the VPN screen to add and remove VPN tunnels. To configure an existing VPN tunnel, select it from the list in the VPN Tunnels field. The selected tunnel’s configuration displays in a VPN Tunnel Config field. To configure a VPN tunnel on the access point: 1. Select Network Configuration -> WAN -> VPN from the access point menu tree. 2.
Configuring Access Point Security Remote Gateway The Remote Gateway column lists a remote gateway IP address for each tunnel. The numeric remote gateway is the gateway IP address on the remote network the VPN tunnel connects to. Ensure the address is the same as the WAN port address of the target gateway AP or switch. Key Exchange Type The Key Exchange Type column lists the key exchange type for passing keys between both ends of a VPN tunnel.
6-36 AP-51xx Access Point Product Reference Guide Local WAN IP Enter the WAN’s numerical (non-DNS) IP address in order for the tunnel to pass traffic to a remote network. Remote Subnet Specify the numerical (non-DNS) IP address for the Remote Subnet. Remote Subnet Mask Enter the subnet mask for the tunnel’s remote network for the tunnel. The remote subnet mask is the subnet setting for the remote network the tunnel connects to.
Configuring Access Point Security 5. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the VPN, Auto Key Settings, IKE Settings and Manual Key Settings screens to the last saved configuration. 6. Click Logout to securely exit the access point Symbol Access Point applet. A prompt displays confirming the logout before the applet is closed. 6.11.
6-38 AP-51xx Access Point Product Reference Guide 3. Configure the Manual Key Settings screen to modify the following: NOTE When entering Inbound or Outbound encryption or authentication keys, an error message could display stating the keys provided are “weak”. Some WEP attack tools invoke a dictionary to hack WEP keys based on commonly used words.
Configuring Access Point Security Inbound AH Authentication Key Configure a key for computing the integrity check on inbound traffic with the selected authentication algorithm. The key must be 32/40 (for MD5/SHA1) hexadecimal (0-9, A-F) characters in length. The key value must match the corresponding outbound key on the remote security gateway. Outbound AH Authentication Key Configure a key for computing the integrity check on outbound traffic with the selected authentication algorithm.
6-40 AP-51xx Access Point Product Reference Guide Inbound ESP Encryption Key Enter a key for inbound traffic. The length of the key is determined by the selected encryption algorithm. The key must match the outbound key at the remote gateway. Outbound ESP Encryption Key Define a key for outbound traffic. The length of the key is determined by the selected encryption algorithm. The key must match the inbound key at the remote gateway.
Configuring Access Point Security AP2 Inbound SPI = 801 AP2 Outbound SPI = 800 4. Click Ok to return to the VPN screen. Click Apply to retain the settings made on the Manual Key Settings screen. 5. Click Cancel to return to the VPN screen without retaining the changes made to the Manual Key Settings screen. 6.11.2 Configuring Auto Key Settings The access point’s Network Management System can automatically set encryption and authentication keys for VPN access.
6-42 AP-51xx Access Point Product Reference Guide 3. Configure the Auto Key Settings screen to modify the following: Use Perfect Forward Secrecy Forward secrecy is a key-establishment protocol guaranteeing the discovery of a session key or long-term private key does not compromise the keys of other sessions. Select Yes to enable Perfect Forward Secrecy. Select No to disable Perfect Forward Secrecy.
Configuring Access Point Security ESP Encryption Algorithm Use this menu to select the encryption and authentication algorithms for this VPN tunnel. • DES - Selects the DES algorithm.No keys are required to be manually provided. • 3DES - Selects the 3DES algorithm. No keys are required to be manually provided. • AES 128-bit: - Selects the Advanced Encryption Standard algorithm with 128-bit. No keys are required to be manually provided.
6-44 AP-51xx Access Point Product Reference Guide 3. Configure the IKE Key Settings screen to modify the following: Operation Mode The Phase I protocols of IKE are based on the ISAKMP identityprotection and aggressive exchanges. IKE main mode refers to the identity-protection exchange, and IKE aggressive mode refers to the aggressive exchange. • Main - Standard IKE mode for communication and key exchange. • Aggressive - Aggressive mode is faster, but less secure than Main mode.
Configuring Access Point Security Local ID Type Select the type of ID to be used for the access point end of the SA. • IP - Select IP if the local ID type is the IP address specified as part of the tunnel. • FQDN - Use FQDN if the local ID is a fully qualified domain name (such as sj.symbol.com). • UFQDN - Select UFQDN if the local ID is a user fully-qualified email (such as johndoe@symbol.com). Local ID Data Specify the FQDN or UFQDN based on the Local ID type assigned.
6-46 AP-51xx Access Point Product Reference Guide IKE Authentication Algorithm IKE provides data authentication and anti-replay services for the VPN tunnel. Select an authentication methods from the drop-down menu. • MD5 - Enables the Message Digest 5 algorithm. No keys are required to be manually provided. • SHA1 - Enables Secure Hash Algorithm. No keys are required to be manually provided.
Configuring Access Point Security Diffie Hellman Group Select a Diffie-Hellman Group to use. The Diffie-Hellman key agreement protocol allows two users to exchange a secret key over an insecure medium without any prior secrets. Two algorithms exist, 768-bit and 1024-bit. Select one of the following options: • Group 1 - 768 bit - Somewhat faster than the 1024-bit algorithm, but secure enough in most situations.
6-48 AP-51xx Access Point Product Reference Guide 2. Reference the Security Associations field to view the following: Tunnel Name The Tunnel Name column lists the names of all the tunnels configured on the access point. For information on configuring a tunnel, see Configuring VPN Tunnels on page 6-33. Status The Status column lists the status of each configured tunnel. When the tunnel is not in use, the status reads NOT_ACTIVE. When the tunnel is connected, the status reads ACTIVE.
Configuring Access Point Security Tx Bytes The Tx Bytes column lists the amount of data (in bytes) transmitted through each configured tunnel. Rx Bytes The Rx Bytes column lists the amount of data (in bytes) received through each configured tunnel. 3. Click the Reset VPNs button to reset active VPNs. Selecting Reset VPNs forces renegotiation of all the Security Associations and keys. Users could notice a slight pause in network performance. 4.
6-50 AP-51xx Access Point Product Reference Guide 2. Configure the HTTP field to configure block Web proxies and URL extensions. Block Outbound HTTP HyperText Transport Protocol (HTTP) is the protocol used to transfer information to and from Web sites. HTTP Blocking allows for blocking of specific HTTP commands going outbound on the access point WAN port. HTTP blocks commands on port 80 only.
Configuring Access Point Security Block Outbound SMTP Simple Mail Transport Protocol (SMTP) is the Internet standard for Commands host-to-host mail transport. SMTP generally operates over TCP on port 25. SMTP filtering allows the blocking of any or all outgoing SMTP commands. Check the box next to the command to disable that command when using SMTP across the access point’s WAN port. • HELO - (Hello) Identifies the SMTP sender to the SMTP receiver.
6-52 AP-51xx Access Point Product Reference Guide Block Outbound FTP Actions File Transfer Protocol (FTP) is the Internet standard for host-to-host mail transport. FTP generally operates over TCP port 20 and 21. FTP filtering allows the blocking of any or all outgoing FTP functions. Check the box next to the command to disable the command when using FTP across the access point’s WAN port.
Configuring Access Point Security The rogue detection interval is used in conjunction with Symbol MUs that identify themselves as rogue detection capable to the access point. The detection interval defines how often the access point requests these MUs to scan for a rogue AP. A shorter interval can effect the performance of the MU, but it will also decrease the time it takes for the access point to scan for a rogue AP.
6-54 AP-51xx Access Point Product Reference Guide RF Scan by MU Select the RF Scan by MU checkbox to enable MUs to scan for potential rogue APs within the network. Define an interval in the Scan Interval field for associated MUs to beacon in an attempt to locate a rogue AP. Set the interval to a value sooner than the default if a large volume of device network traffic is anticipated within the coverage area of the target access point access point.
Configuring Access Point Security MAC Address Click Add, and enter the device MAC address to be excluded from classification as a rogue device. Any ESSID Select the Any ESSid checkbox to prevent a device’s ESSID (whether it is a known device ESSID or not) from being considered a rogue device ESSID Click Add, and enter the name of a device ESSid to be excluded from classification as a rogue device. 4. Click Apply to save any changes to the Rogue AP Detection screen.
6-56 AP-51xx Access Point Product Reference Guide The Active APs screen displays with detected rogue devices displayed within the Rogue APs table. 2. Enter a value (in minutes) in the Allowed APs Age Out Time field to indicate the number of elapsed minutes before an AP will be removed from the approved list and reevaluated. A zero (0) for this value (default value) indicates an AP can remain on the approved AP list permanently. 3.
Configuring Access Point Security 7. To remove the Rogue AP entries displayed within the e Rogue APs field, click the Clear Rogue AP List button. Symbol only recommends clearing the list of Rogue APs when the devices displaying within the list do not represent a threat to the access point managed network. 8. Click Apply to save any changes to the Active APs screen. Navigating away from the screen without clicking Apply results in all changes to the screen being lost. 9.
6-58 AP-51xx Access Point Product Reference Guide 3. Refer to the Rogue AP Detail field for the following information: BSSID/MAC Displays the MAC address of the rogue AP. This information could be useful if the MAC address is determined to be a Symbol MAC address and the device is interpreted as non-hostile and the device should be defined as an allowed AP. ESSID Displays the ESSID of the rogue AP.
Configuring Access Point Security Detection Method Displays the RF Scan by MU, RF On-Channel Detection or RF Scan by Detector Radio method selected from the Rogue AP screen to detect rogue devices. For information on detection methods, see Configuring Rogue AP Detection on page 6-52. First Heard (days:hrs:min) Defines the time in (days:hrs:min) that the rogue AP was initially heard by the detecting AP.
6-60 AP-51xx Access Point Product Reference Guide 2. Highlight an MU from within the Rogue AP enabled MUs field and click the scan button. The target MU begins scanning for rogue devices using the detection parameters defined within the Rogue AP Detection screen. To modify the detection parameters, see Configuring Rogue AP Detection on page 6-52. Those devices detected as rogue APs display within the Scan Result table.
Configuring Access Point Security 6.14 Configuring User Authentication The access point can work with external Radius and LDAP Servers (AAA Servers) to provide user database information and user authentication. 6.14.1 Configuring the Radius Server The Radius Server screen enables an administrator to define data sources and specify authentication information for the RADIUS Server. To configure the Radius Server: 1. Select System Configuration -> User Authentication -> RADIUS Server from the menu tree. 2.
6-62 AP-51xx Access Point Product Reference Guide 3. Use the TTLS/PEAP Configuration field to specify the Radius Server default EAP type, EAP authentication type and a Server or CA certificate (if used). EAP Type Use the EAP Type checkboxes to enable the default EAP type(s) for the RADIUS server. Options include: • PEAP - Select the PEAP checkbox to enable both PEAP types (GTC and MSCHAP-V2) available to the access point. PEAP uses a TLS layer on top of EAP as a carrier for other EAP modules.
Configuring Access Point Security Default Authentication Type Specify a PEAP and/or TTLS Authentication Type for EAP to use from the drop-down menu to the right of each checkbox item. PEAP options include: • GTC - EAP Generic Token Card (GTC) is a challenge handshake authentication protocol using a hardware token card to provide the response string. • MSCHAP-V2 - Microsoft CHAP (MSCHAP-V2) is an encrypted authentication method based on Microsoft's challenge/ response authentication protocol.
6-64 AP-51xx Access Point Product Reference Guide 4. Use the Radius Client Authentication table to configure multiple shared secrets based on the subnet or host attempting to authenticate with the Radius server. Use the Add button to add entries to the list. Modify the following information as needed within the table. Subnet/Host Defines the IP address of the subnet or host that will be authenticating with the Radius server.
Configuring Access Point Security 2. Enter the appropriate information within the LDAP Configuration field to allow the access point to interoperate with the LDAP server. Consult with your LDAP server administrator for details on how to define the values in this screen. LDAP Server IP Enter the IP address of the external LDAP server acting as the data source for the Radius server. The LDAP server must be accessible from the WAN port or from the access point’s active subnet.
6-66 AP-51xx Access Point Product Reference Guide ! Base Distinguished Name Enter a name that establishes the base object for the search. The base object is the point in the LDAP tree at which to start searching. Group Attribute Define the group attribute used by the LDAP server. Group Filter Specify the group filters used by the LDAP server. Group Member Attribute Enter the Group Member Attribute sent to the LDAP server when authenticating users.
Configuring Access Point Security 2. Refer to the Proxy Configuration field to define the proxy server’s retry count and timeout values. Retry Count Enter a value between 3 and 6 to indicate the number of times the access point attempts to reach a proxy server before giving up. Timeout Enter a value between 5 and 10 to indicate the number of elapsed seconds causing the access point to time out on a request to a proxy server. 3. Use the Add button to add a new proxy server.
6-68 AP-51xx Access Point Product Reference Guide 4. To remove a row, select the row and click the Del (Delete) button. 5. Click Apply to save any changes to the Proxy screen. Navigating away from the screen without clicking Apply results in all changes to the screen being lost. 6. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Proxy screen to the last saved configuration. 7.
Configuring Access Point Security Refer to the Groups field for a list of all groups in the local Radius database. The groups are listed in the order added. Although groups can be added and deleted, there is no capability to edit a group name. 2. Click the Add button and enter the name of the group in the new blank field in the Groups table. 3. To remove a group, select the group from the table and click the Del (Delete) key. The Users table displays the entire list of users.
6-70 AP-51xx Access Point Product Reference Guide The Users Group Setting screen displays with the groups available for user inclusion displayed within the Available column. 3. To add the user to a group, select the group in the Available list (on the right) and click the <-Add button. Assigned users will display within the Assigned table. Map one or more groups as needed for group authentication access for this particular user. 4.
Configuring Access Point Security under the group column. Similarly, existing WLANs can be individually mapped to user groups by clicking the WLANs button to the right of each group name. For more information on creating groups and users, see Managing the Local User Database on page 6-68. For information on creating a new WLAN or editing the properties of an existing WLAN, see Creating/Editing Individual WLANs on page 5-24 1. Select User Authentication -> Radius Server -> Access Policy from the menu tree.
6-72 AP-51xx Access Point Product Reference Guide 7. Click Logout to securely exit the access point Symbol Access Point applet. A prompt displays confirming the logout before the applet is closed.
Monitoring Statistics The access point has functionality to display robust transmit and receive statistics for its WAN and LAN port. Wireless Local Area Network (WLAN) stats can also be displayed collectively for each enabled WLAN as well as individually for up to 16 specific WLANs. Transmit and receive statistics can also be displayed for the access point’s 802.11a and 802.11b/g radios.
7-2 AP-51xx Access Point Product Reference Guide See the following sections for more details on viewing statistics for the access point: • • • • • • • Viewing WAN Statistics Viewing LAN Statistics Viewing Wireless Statistics Viewing Radio Statistics Summary Viewing MU Statistics Summary Viewing the Mesh Statistics Summary Viewing Known Access Point Statistics 7.
Monitoring Statistics 2. Refer to the Information field to reference the following access point WAN data: Status The Status field displays Enabled if the WAN interface is enabled on the WAN screen. If the WAN interface is disabled on the WAN screen, the WAN Stats screen displays no connection information and statistics. To enable the WAN connection, see Configuring WAN Settings on page 5-14 HW Address The Media Access Control (MAC) address of the access point WAN port.
7-4 AP-51xx Access Point Product Reference Guide Speed The WAN connection speed is displayed in Megabits per second (Mbps), for example, 54Mbps. If the throughput speed is not achieved, examine the number of transmit and receive errors, or consider increasing the supported data rate. To change the data rate of the 802.11a or 802.11b/g radio, see Configuring the 802.11a or 802.11b/g Radio on page 5-47. 3. Refer to the Received field to reference data received over the access point WAN port.
Monitoring Statistics TX Packets TX packets are data packets sent over the WAN connection. The displayed number is a cumulative total since the WAN interface was last enabled or the access point was last restarted. To begin a new data collection, see Configuring System Settings on page 42. TX Bytes TX bytes are bytes of information sent over the WAN connection. The displayed number is a cumulative total since the WAN interface was last enabled or the access point was last restarted.
7-6 AP-51xx Access Point Product Reference Guide 7.2 Viewing LAN Statistics Use the LAN Stats screen to monitor the activity of the access point LAN1 or LAN2 connection. The Information field of the LAN Stats screen displays network traffic information as monitored over the access point LAN1 or LAN2 port.
Monitoring Statistics Network Mask The first two sets of numbers specify the network domain, the next set specifies the subset of hosts within a larger network. These values help divide a network into subnetworks and simplify routing and data transmission. Ethernet Address The Media Access Control (MAC) address of the access point. The MAC address is hard coded at the factory and cannot be changed.
7-8 AP-51xx Access Point Product Reference Guide TX Packets TX packets are data packets sent over the access point LAN port. The displayed number is a cumulative total since the LAN connection was last enabled or the access point was last restarted. To begin a new data collection, see Configuring System Settings on page 4-2. TX Bytes TX bytes are bytes of information sent over the LAN port.
Monitoring Statistics 7.2.1 Viewing a LAN’s STP Statistics Each access point LAN has the ability to track its own unique STP statistics. Refer to the LAN STP Stats page when assessing mesh networking functionality for each of the two access point LANs. Access points in bridge mode exchange configuration messages at regular intervals (typically 1 to 4 seconds).
7-10 AP-51xx Access Point Product Reference Guide Bridge ID The Bridge ID identifies the priority and ID of the bridge sending the message Root Port Number Identifies the root bridge by listing its 2-byte priority followed by its 6-byte ID. Root Path Cost Bridge message traffic contains information identifying the root bridge and the sending bridge. The root path cost represents the distance (cost) from the sending bridge to the root bridge. Bridge Max Msg.
Monitoring Statistics Designated Root Displays the MAC address of the access point defined with the lowest priority within the Mesh STP Configuration screen. Designated Bridge There is only one root bridge within each mesh network. All other bridges are designated bridges that look to the root bridge for several mesh network timeout values. For information on root and bridge designations, see Setting the LAN Configuration for Mesh Networking Support on page 9-5.
7-12 AP-51xx Access Point Product Reference Guide 2. Refer to the WLAN Summary field to reference high-level data for each enabled WLAN. Name Displays the names of all the enabled WLANs on the access point. For information on enabling a WLAN, see Enabling Wireless LANs (WLANs) on page 5-22. MUs Displays the total number of MUs currently associated with each enabled WLAN. Use this information to assess if the MUs are properly grouped by function within each enabled WLAN.
Monitoring Statistics Clear All WLAN Stats Click this button to reset each of the data collection counters to zero in order to begin new data collections. Do not clear the WLAN stats if currently in an important data gathering activity or risk losing all data calculations to that point. 3. Refer to the Total AP RF Traffic field to view throughput information for the access point and WLAN.
7-14 AP-51xx Access Point Product Reference Guide traffic errors based on retries, dropped packets, and undecryptable packets. The WLAN Stats screen is view-only with no user configurable data fields. To view statistics for an individual WLAN: 1. Select Status and Statistics -> Wireless Stats -> WLANx Stats (x = target WLAN) from the access point menu tree. 2.
Monitoring Statistics Num. Associated MUs Displays the total number of MUs currently associated with the WLAN. If this number seems excessive, consider segregating MU’s to other WLANs if appropriate. 3. Refer to the Traffic field to view performance and throughput information for the WLAN selected from the access point menu tree. Pkts per second The Total column displays the average total packets per second crossing the selected WLAN.
7-16 AP-51xx Access Point Product Reference Guide Avg MU Signal Displays the average RF signal strength in dBm for all MUs associated with the selected WLAN. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour. If the signal is low, consider mapping the MU to a different WLAN if a better functional grouping of MUs can be determined.
Monitoring Statistics Do not clear the WLAN stats if currently in an important data gathering activity or risk losing all data calculations to that point. 7. Click the Logout button to securely exit the access point Symbol Access Point applet. A prompt displays confirming the logout before the applet is closed. 7.4 Viewing Radio Statistics Summary Select the Radio Stats Summary screen to view high-level information (radio name, type, number of associated MUs, etc.
7-18 AP-51xx Access Point Product Reference Guide T-put Displays the total throughput in Megabits per second (Mbps) for each access point radio listed. To adjust the data rate for a specific radio, see Configuring the 802.11a or 802.11b/g Radio on page 5-47. ABS Displays the Average Bit Speed (ABS) in Megabits per second (Mbps) for each access point radio.
Monitoring Statistics 2. Refer to the Information field to view the access point 802.11a or 802.11b/g radio’s MAC address, placement and transmission information. HW Address The Media Access Control (MAC) address of the access point housing the 802.11a radio. The MAC address is set at the factory and can be found on the bottom of the AP. Radio Type Displays the radio type (either 802.11a or 802.11b/g). Power The power level in milliwatts (mW) for RF signal strength.
7-20 AP-51xx Access Point Product Reference Guide 3. Refer to the Traffic field to view performance and throughput information for the target access point 802.11a or 802.11b/g radio. Pkts per second The Total column displays the average total packets per second crossing the radio. The Rx column displays the average total packets per second received. The Tx column displays the average total packets per second transmitted.
Monitoring Statistics Avg MU Noise Displays the average RF noise for all MUs associated with the access point radio. The number in black represents MU noise for the last 30 seconds and the number in blue represents MU noise for the last hour. If MU noise is excessive, consider moving the MU closer to the access point, or in area with less conflicting network traffic. Avg MU SNR Displays the average Signal to Noise Ratio (SNR) for all MUs associated with the access point radio.
7-22 AP-51xx Access Point Product Reference Guide 1. Select Status and Statistics -> Radio Stats -> Radio1(802.11b/g) Stats -> Retry Histogram from the access point menu tree. A Radio Histogram screen is available for each access point radio (regardless of single or dual-radio model). The table’s first column shows 0 under Retries.
Monitoring Statistics 7.5 Viewing MU Statistics Summary Use the MU Stats Summary screen to display overview statistics for mobile units (MUs) associated with the access point. The MU List field displays basic information such as IP Address and total throughput for each associated MU. The MU Stats screen is view-only with no user configurable data fields.
7-24 AP-51xx Access Point Product Reference Guide ABS Displays the Average Bit Speed (ABS) in Megabits per second (Mbps) for each associated MU. Retries Displays the average number of retries per packet. A high number retries could indicate possible network or hardware problems. 3. Click the Refresh button to update the data collections displayed without resetting the data collections to zero. 4. Click the Echo Test button to display a screen for verifying the link with an associated MU.
Monitoring Statistics field displays RF traffic errors based on retries, dropped packets and undecryptable packets. The MU Details screen is view-only with no user configurable data fields. To view details specific to an individual MU: 1. 2. 3. 4. Select Status and Statistics -> MU Stats from the access point menu tree. Highlight a specific MU. Select the MU Details button. Refer to the MU Properties field to view MU address information. IP Address Displays the IP address of the MU.
7-26 AP-51xx Access Point Product Reference Guide Packets per second The Total column displays average total packets per second crossing the MU. The Rx column displays the average total packets per second received on the MU. The Tx column displays the average total packets per second sent on the MU. The number in black represents Pkts per second for the last 30 seconds and the number in blue represents Pkts per second for the last hour.
Monitoring Statistics Avg MU SNR Displays the Signal to Noise Ratio (SNR) for the target MU. The Signal to Noise Ratio is an indication of overall RF performance on your wireless network. 7. Refer to the Errors field to view MU retry information and statistics on packets not transmitted. Avg Num of Retries Displays the average number of retries for the MU. The number in black represents average retries for the last 30 seconds and the number in blue represents average retries for the last hour.
7-28 AP-51xx Access Point Product Reference Guide Number of ping Specify the number of ping packets to transmit to the target MU. The default is 100. Packet Length Specify the length of each data packet transmitted to the target MU during the ping test. The default is 100 bytes. Packet Data Defines the data to be transmitted as part of the test. 4. Click the Ping button to begin transmitting ping packets to the station address specified.
Monitoring Statistics 7.6 Viewing the Mesh Statistics Summary The access point has the capability of detecting and displaying the properties of other access points in mesh network (either base bridges or client bridges) mode. This information is used to create a list of known wireless bridges. To view detected mesh network statistics: 1. Select Status and Statistics -> Mesh Stats from the access point menu tree.
7-30 AP-51xx Access Point Product Reference Guide T-put Displays the total throughput in Megabits per second (Mbps) for each associated bridge. ABS Displays the Average Bit Speed (ABS) in Megabits per second (Mbps) for each associated bridge. Retries Displays the average number of retries per packet. A high number retries could indicate possible network or hardware problems. 2. Click the Refresh button to update the display of the Mesh Statistics Summary screen to the latest values. 3.
Monitoring Statistics The Known AP Statistics screen displays the following information: IP Address The network-assigned Internet Protocol address of the located AP. MAC Address The unique 48-bit, hard-coded Media Access Control address, known as the devices station identifier. This value is hard coded at the factory by the manufacturer and cannot be changed. MUs The number MUs associated with the located access point.
7-32 AP-51xx Access Point Product Reference Guide The Known AP Details screen displays the target AP’s MAC address, IP address, radio channel, number of associated MUs, packet throughput per second, radio type(s), model, firmware version, ESS and client bridges currently connected to the AP radio. Use this informatiaccess point on to determine whether this AP provides better MU association support than the locating access point or warrants consideration as a member of a different mesh network. 4.
Monitoring Statistics 5. Click the Send Cfg to APs button to send the your access point’s configuration to other access point’s. The recipient access point must be the same single or dual-radio model as the access point sending the configuration. The sending and recipient access point’s must also be running the same major firmware version (i.e., 1.1 to 1.1).
7-34 AP-51xx Access Point Product Reference Guide
Command Line Interface Reference The access point Command Line Interface (CLI) is accessed through the serial port or a Telnet session. The access point CLI follows the same conventions as the Web-based user interface. The CLI does, however, provide an “escape sequence” to provide diagnostics for problem identification and resolution. The CLI treats the following as invalid characters: | " & , \ ' < > In order to avoid problems when using the CLI, these characters should be avoided. 8.
8-2 AP-51xx Access Point Product Reference Guide 8.1.2 Accessing the CLI via Telnet To connect to the access point CLI through a Telnet connection: 1. Telnet into the access point using an IP address of 192.168.0.1 2. Enter the default username of admin and the default password of symbol. If this is your first time logging into the access point, you are unable to access any of the access point’s commands until the country code is set. A new password will also need to be created.
Command Line Interface Reference 8-3 8.2 Admin and Common Commands AP51xx>admin> Description: Displays admin configuration options. The items available under this command are shown below. Syntax: help passwd summary network system stats .. / save quit Displays general user interface help. Changes the admin password. Shows a system summary. Goes to the network submenu Goes to the system submenu. Goes to the stats submenu. Goes to the parent menu. Goes to the root menu.
8-4 AP-51xx Access Point Product Reference Guide AP51xx>admin>help Description: Displays general CLI user interface help. Syntax: help Displays command line help using combinations of function keys for navigation. Example: admin>help ? * Restriction of “?”: : display command help - Eg. ?, show ?, s? : “?” after a function argument is treated : as an argument : Eg. admin