WiNG 5.7.1
ACCESS POINT
SYSTEM REFERENCE GUIDE


Summary of Contents for Motorola WiNG 5.7.1

  • Page 1 WiNG 5.7.1 ACCESS POINT SYSTEM REFERENCE GUIDE...
  • Page 3 WING 5.7.1 ACCESS POINT SYSTEM REFERENCE GUIDE MN001977A01 Revision A April 2015...
  • Page 4 WiNG 5.7.1 Access Point System Reference Guide...
  • Page 5: Table Of Contents

    TABLE OF CONTENTS About this Guide Chapter 1, Overview 1.1 About the WiNG Software ............................1-2 Chapter 2, Web User Interface Features 2.1 Accessing the Web UI ..............................2-2 2.1.1 Browser and System Requirements ........................2-2 2.1.2 Connecting to the Web UI ..........................2-2 2.2 Glossary of Icons Used ..............................2-4 2.2.1 Global Icons ................................2-4 2.2.2 Dialog Box Icons ..............................2-5...
  • Page 6 WiNG 5.7.1 Access Point System Reference Guide 3.1.1.6 Wireless LAN Setup ..........................3-15 3.1.1.7 Summary And Commit Screen ........................3-19 3.1.1.8 Adopt to a controller ..........................3-20 3.1.2 Advanced Setup Wizard ...........................3-21 3.1.2.1 Network Topology Selection ........................3-24 3.1.2.2 LAN Configuration ...........................3-25 3.1.2.3 WAN Configuration ..........................3-27 3.1.2.4 Radio Configuration ..........................3-29...
  • Page 7 Table of Contents 5.2.6.3 L2TPv3 Profile Configuration ........................5-70 5.2.6.4 IGMP Snooping ............................5-80 5.2.6.5 MLD Snooping ............................5-82 5.2.6.6 Quality of Service (QoS) ..........................5-84 5.2.6.7 Spanning Tree Configuration ........................5-86 5.2.6.8 Routing ..............................5-89 5.2.6.9 Dynamic Routing (OSPF) ..........................5-92 5.2.6.10 Forwarding Database ..........................5-106 5.2.6.11 Bridge VLAN ............................5-108 5.2.6.12 Cisco Discovery Protocol Configuration ....................5-116 5.2.6.13 Link Layer Discovery Protocol Configuration ..................5-117 5.2.6.14 Miscellaneous Network Configuration ....................5-118...
  • Page 8 WiNG 5.7.1 Access Point System Reference Guide 5.4.5.4 Overriding the Network Configuration ....................5-267 5.4.5.5 Overriding a Security Configuration ......................5-326 5.4.5.6 Overriding the Virtual Router Redundancy Protocol (VRRP) Configuration ..........5-348 5.4.5.7 Profile Critical Resources ........................5-353 5.4.5.8 Overriding a Services Configuration .....................5-356 5.4.5.9 Overriding a Management Configuration .....................5-357...
  • Page 9 Table of Contents 6.6.1 Smart RF Configuration and Deployment Considerations ................6-92 6.7 MeshConnex Policy ..............................6-93 6.8 Mesh QoS Policy ...............................6-100 6.9 Passpoint Policy ................................6-107 Chapter 7, Network Configuration 7.1 Policy Based Routing (PBR) ............................7-2 7.2 L2TP V3 Configuration ..............................7-8 7.3 Crypto CMP Policy ..............................7-12 7.4 AAA Policy ..................................7-15 7.5 AAA TACACS Policy ..............................7-26 7.6 Alias ....................................7-34...
  • Page 10 WiNG 5.7.1 Access Point System Reference Guide 9.5.2 DHCPv6 Pool Configuration ..........................9-34 9.6 Setting the RADIUS Configuration ..........................9-38 9.6.1 Creating RADIUS Groups ..........................9-38 9.6.1.1 Creating RADIUS Groups ........................9-41 9.6.2 Defining User Pools ............................9-43 9.6.3 Configuring the RADIUS Server ........................9-48 9.7 Services Deployment Considerations .........................9-56 Chapter 10, Management Access 10.1 Creating Administrators and Roles .........................10-2...
  • Page 11 Table of Contents 12.1.11 Managing Crypto CMP Certificates ......................12-46 12.1.12 Re-elect Controller ............................12-47 12.2 Certificates ................................12-49 12.2.1 Certificate Management ..........................12-49 12.2.2 RSA Key Management ..........................12-54 12.2.3 Certificate Creation ............................12-59 12.2.4 Generating a Certificate Signing Request (CSR) ..................12-61 12.3 Smart RF .................................12-64 12.3.1 Managing Smart RF for a RF Domain ......................12-64 12.4 Operations Deployment Considerations .........................12-67 Chapter 13, Statistics...
  • Page 12 WiNG 5.7.1 Access Point System Reference Guide 13.3.5.1 Adopted APs ............................13-65 13.3.5.2 AP Adoption History ..........................13-66 13.3.5.3 AP Self Adoption History ........................13-67 13.3.5.4 Pending Adoptions ..........................13-67 13.3.6 AP Detection ..............................13-69 13.3.7 Wireless Clients ............................13-71 13.3.8 Wireless LANs ..............................13-73 13.3.9 Policy Based Routing ............................13-75 13.3.10 Radios .................................13-77...
  • Page 13 Table of Contents 13.3.24 DHCP Server ..............................13-141 13.3.24.1 DHCP Server General Information ....................13-141 13.3.24.2 DHCP Server Bindings ........................13-143 13.3.24.3 DHCP Server Networks ........................13-143 13.3.25 Firewall ..............................13-145 13.3.25.1 Packet Flows ...........................13-145 13.3.25.2 Denial of Service ..........................13-146 13.3.25.3 IP Firewall Rules ..........................13-147 13.3.25.4 IPv6 Firewall Rules .........................13-148 13.3.25.5 MAC Firewall Rules ........................13-149 13.3.25.6 NAT Translations ..........................13-150...
  • Page 14 WiNG 5.7.1 Access Point System Reference Guide Appendix A, Customer Support Appendix B, Publicly Available Software B.1 General Information ..............................B-1 B.2 Open Source Software Used ............................B-1 B.3 OSS Licenses ................................B-10 B.3.1 Apache License, Version 2.0 ........................... B-10 B.3.2 The BSD License ..............................
  • Page 15: About This Guide

    ABOUT THIS GUIDE This manual supports the following access points: • Access Points – AP621, AP622, AP650, AP6511, AP6521, AP6522, AP6522M, AP6532, AP6562, AP7131, AP7161, AP7181, AP7502, AP7522, AP7532, AP7562, AP8122, AP8132, AP8163, AP8222, AP8232 and ES6510. NOTE: In this guide: •...
  • Page 16: Notational Conventions

    WiNG 5.7.1 Access Point System Reference Guide Document Convention The following conventions are used in this document to draw your attention to important information: NOTE: Indicates tips or special requirements. CAUTION: Indicates conditions that can cause equipment damage or data loss.
  • Page 17 About this Guide Symbol Technologies End-User Software License Agreement THIS SYMBOL TECHNOLOGIES END-USER SOFTWARE LICENSE AGREEMENT (“END-USER LICENSE AGREEMENT”) IS BETWEEN SYMBOL TECHNOLOGIES INC. (HEREIN “SYMBOL TECHNOLOGIES”) AND END-USER CUSTOMER TO WHOM SYMBOL TECHNOLOGIES’ PROPRIETARY SOFTWARE OR SYMBOL TECHNOLOGIES PRODUCTS CONTAINING EMBEDDED, PRE-LOADED, OR INSTALLED SOFTWARE (“PRODUCTS”) IS MADE AVAILABLE.
  • Page 18 WiNG 5.7.1 Access Point System Reference Guide not make the Software available for use by third parties on a “time sharing,” “application service provider,” or “service bureau” basis or for any other similar commercial rental or sharing arrangement. 3.2 End-User Customer will not, and will not allow or enable any third party to: (i) reverse engineer, disassemble, peel components, decompile, reprogram or otherwise reduce the Software or any portion to a human perceptible form or otherwise attempt to recreate the source code;...
  • Page 19 About this Guide 8. LIMITED WARRANTY AND LIMITATION OF LIABILITY 8.1 Unless otherwise specified in the applicable warranty statement, the Documentation or in any other media at the time of shipment of the Software by Symbol Technologies, and for the warranty period specified therein, for the first 120 days after initial shipment of the Software to the End-User Customer, Symbol Technologies warrants that the Software, when installed and/or used properly, will be free from reproducible defects that materially vary from its published specifications.
  • Page 20 WiNG 5.7.1 Access Point System Reference Guide 11. GENERAL 11.1 Copyright Notices. The existence of a copyright notice on the Software will not be construed as an admission or presumption that public disclosure of the Software or any trade secrets associated with the Software has occurred.
  • Page 21: Chapter 1, Overview

    CHAPTER 1 OVERVIEW The family of WiNG supported access points enables high performance, secure and resilient wireless voice and data services to remote locations, with the scalability required to meet the needs of large distributed enterprises. AP6511, AP6521, AP6522, AP6532, AP6562, AP71XX, AP7502, AP7522, AP7532, AP7562, AP81XX and AP82XX access points and the ES6510 model ethernet switch can now use WiNG software as their onboard operating system.
  • Page 22: About The Wing Software

    1 - 2 WiNG 5.7.1 Access Point System Reference Guide optimized to prevent wired congestion and wireless congestion. Traffic flows dynamically, based on user and application, and finds alternate routes to work around network choke points. NOTE: This guide describes the installation and use of the WiNG software designed specifically for AP6511, AP6521, AP6522, AP6532, AP6562, AP71XX, AP7502, AP7522, AP7532, AP7562, AP81XX and AP82XX access points and ES6510 model ethernet switch.
  • Page 23 1 - 3 Additionally, integrated access point sensors, in conjunction with AirDefense Network Assurance, alert administrators to interference and network coverage problems, which shortens response times and boosts the overall reliability and availability of the access point managed network. Network traffic optimization protects the network from broadcast storms and minimizes congestion on the wired network. The access point managed network provides VLAN load balancing, WAN traffic shaping and optimizations in dynamic host configuration protocol (DHCP) responses and Internet group management protocol (IGMP) snooping for multicast traffic flows in wired and wireless networks.
  • Page 24 1 - 4 WiNG 5.7.1 Access Point System Reference Guide...
  • Page 25: Chapter 2, Web User Interface Features

    CHAPTER 2 WEB USER INTERFACE FEATURES The access point’s on board user interface contains a set of features specifically designed to enable either Virtual Controller AP, Standalone AP or Adopt to Controller functionality. In Virtual Controller AP mode, an access point can manage up to 24 other access points of the same model and share data amongst managed access points.
  • Page 26: Accessing The Web Ui

    2 - 2 WiNG 5.7.1 Access Point System Reference Guide 2.1 Accessing the Web UI Web User Interface Features The access point uses a Graphical User Interface (GUI) which can be accessed using any supported Web browser on a client connected to the subnet the Web UI is configured on.
  • Page 27 2 - 3 Figure 2-1 Access Point Web UI Login screen 9. Enter the default username admin in the Username field. 10. Enter the default password admin123 in the Password field. 11. Select the Login button to load the management interface. If this is the first time the management interface has been accessed, the first screen to display will prompt for a change of the default access point password.
  • Page 28: Glossary Of Icons Used

    2 - 4 WiNG 5.7.1 Access Point System Reference Guide 2.2 Glossary of Icons Used Web User Interface Features The access point interface utilizes a number of icons designed to interact with the system, gather information from managed devices and obtain status. This chapter is a compendium of the icons used, and is organized as follows: •...
  • Page 29: Dialog Box Icons

    2 - 5 Create new policy – Select this icon to create a new policy. Policies define different configuration parameters that can be applied to device configurations, and device profiles. Edit policy – Select this icon to edit an existing configuration item or policy. To edit a policy, select the policy and this icon.
  • Page 30: Status Icons

    2 - 6 WiNG 5.7.1 Access Point System Reference Guide 2.2.4 Status Icons Glossary of Icons Used These icons define device status, operations on the wireless controller, or any other action that requires a status being returned to the user.
  • Page 31 2 - 7 Radio QoS Policy – Indicates a QoS policy configuration has been impacted. AAA Policy – Indicates an Authentication, Authorization and Accounting (AAA) policy has been impacted. AAA policies define RADIUS authentication and accounting parameters. Association ACL – Indicates an Association Access Control List (ACL) configuration has been impacted.
  • Page 32 2 - 8 WiNG 5.7.1 Access Point System Reference Guide Device Categorization – Indicates a device categorization policy is being applied. This is used by the intrusion prevention system to categorize APs or wireless clients as either neighbors or sanctioned devices. This enables these devices to bypass the intrusion prevention system.
  • Page 33: Configuration Objects

    2 - 9 2.2.6 Configuration Objects Glossary of Icons Used Configuration icons are used to define the following: Configuration – Indicates an item capable of being configured by the access point’s interface. View Events / Event History – Defines a list of events. Select this icon to view events or view the event history.
  • Page 34: Access Type Icons

    2 - 10 WiNG 5.7.1 Access Point System Reference Guide 2.2.8 Access Type Icons Glossary of Icons Used The following icons display a user access type: Web UI – Defines a Web UI access permission. A user with this permission is permitted to access an associated device’s Web UI.
  • Page 35: Device Icons

    2 - 11 Help Desk – Indicates help desk privileges. A help desk user is allowed to use troubleshooting tools like sniffers, execute service commands, view or retrieve logs and reboot an access point. Web User – Indicates a Web user privilege. A Web user is allowed to access the access point’s Web user interface.
  • Page 36 2 - 12 WiNG 5.7.1 Access Point System Reference Guide...
  • Page 37: Chapter 3, Quick Start

    CHAPTER 3 QUICK START Access points can utilize an initial setup wizard to streamline the process of initially accessing the wireless network. The wizard defines the access point’s operational mode, deployment location, basic security, network and WLAN settings. For instructions on how to use the initial setup wizard, see Using the Initial Setup Wizard on page 3-2.
  • Page 38: Using The Initial Setup Wizard

    3 - 2 WiNG 5.7.1 Access Point System Reference Guide 3.1 Using the Initial Setup Wizard Quick Start Once the access point is installed and powered on, complete the following steps to get the access point up and running and access management functions: 1.
  • Page 39 3 - 3 Figure 3-2 Initial Setup Wizard NOTE: The Initial Setup Wizard displays the same pages and content for each supported access point model. The only difference is the number of radios configurable by model: an AP7131 model can support up to three radios; AP6522, AP6532, AP6562, AP81XX, AP82XX, AP7502, AP7522, AP7532 and AP71XX models support two radios; and AP6511 and AP6521 models support a single radio.
  • Page 40 3 - 4 WiNG 5.7.1 Access Point System Reference Guide Figure 3-3 Initial Setup Wizard - Navigation Panel - Typical Setup Wizard A green check mark to the left of an item in the Navigation Panel defines the listed task as having its minimum required configuration parameters set correctly.
  • Page 41: Typical Setup Wizard

    3 - 5 6. Select Save/Commit within each page to save the updates made to that page's configuration. Select Next to proceed to the next page listed in the Navigation Panel. Select Back to revert to the previous screen without saving your updates. NOTE: While you can navigate to any page in the navigation panel, you cannot complete the Initial Setup Wizard until each task in the Navigation Panel has a green check mark.
  • Page 42 3 - 6 WiNG 5.7.1 Access Point System Reference Guide Figure 3-5 Initial Setup Wizard - Access Point Settings screen for Typical Setup Wizard 3. Select an Access Point Type from the following options: • Virtual Controller AP - When more than one access point is deployed, a single access point can function as a Virtual Controller AP.
  • Page 43 3 - 7 • Adopted to Controller - Select this option when deploying the access point as a controller managed (Dependent mode) access point. Selecting this option closes the Initial AP Setup Wizard. An adopted access point obtains its configuration from a profile stored on its managing controller.
  • Page 44: Virtual Controller Ap Mode

    3 - 8 WiNG 5.7.1 Access Point System Reference Guide 3.1.1.1 Virtual Controller AP Mode Using the Initial Setup Wizard When more than one access point is deployed, a single access point can function as a Virtual Controller AP. Up to 24 access points can be connected to, and managed by a single Virtual Controller AP of the same access point model.
  • Page 45: Standalone Mode

    3 - 9 3.1.1.2 Standalone Mode Using the Initial Setup Wizard In the Standalone mode, the access point is not adopted to a wireless controller. Select this option to deploy this access point as an autonomous fat access point. CAUTION: If designating the access point as a Standalone AP, it is recommended that the access point’s UI be used exclusively to define its device configuration, and not the CLI.
  • Page 46: Network Topology Selection

    3 - 10 WiNG 5.7.1 Access Point System Reference Guide 3.1.1.3 Network Topology Selection Typical Setup Wizard Use the Network Topology screen to define how the access point manages network traffic. The available modes are: Figure 3-6 Initial Setup Wizard - Network Topology screen for Typical Setup Wizard •...
  • Page 47: Lan Configuration

    3 - 11 3.1.1.4 LAN Configuration Typical Setup Wizard Use the LAN Configuration screen to set the access point's DHCP and LAN network address configuration. Figure 3-7 Initial Setup Wizard - LAN Configuration screen for Typical Setup Wizard 1. Set the following DHCP and Static IP Address/Subnet information: •...
  • Page 48 3 - 12 WiNG 5.7.1 Access Point System Reference Guide option is not selected, a primary and secondary DNS resource must be specified. DNS forwarding is useful when a request for a domain name is made but the DNS server, responsible for converting the name into its corresponding IP address, cannot locate the matching IP address.
  • Page 49: Wan Configuration

    3 - 13 3.1.1.5 WAN Configuration Typical Setup Wizard NOTE: This option is only available when Router Mode is selected in the Network Topology screen. Use the WAN Setting screen to define network address settings for the WAN interface. The WAN interface connects the access point to a wired local area network or backhaul.
  • Page 50 3 - 14 WiNG 5.7.1 Access Point System Reference Guide • Enable NAT on the WAN Interface – Select this option to enable Network Address Translation on the selected GE interface. 2. Select Next. The Typical Setup Wizard displays the...
  • Page 51: Wireless Lan Setup

    3 - 15 3.1.1.6 Wireless LAN Setup Typical Setup Wizard A Wireless Local Area Network (WLAN) is a data-communications system and local area network that flexibly extends the functionality of a wired LAN. A WLAN links two or more computers or devices using spread-spectrum or OFDM modulation based technology.
  • Page 52 3 - 16 WiNG 5.7.1 Access Point System Reference Guide • Captive Portal Authentication and No Encryption – Configures a network that uses a RADIUS server to authenticate users before allowing them on to the network. Once on the network, no encryption is used for the data being transmitted through the network.
  • Page 53 3 - 17 3.1.1.6.1 RADIUS Server Configuration Wireless LAN Setup Use the RADIUS Server Configuration screen to configure the users for the onboard RADIUS server. Use the screen to add, modify and remove RADIUS users. Figure 3-10 Initial Setup Wizard - RADIUS Server Configuration screen for Typical Setup Wizard Use the Add User button to add a new RADIUS user.
  • Page 54 3 - 18 WiNG 5.7.1 Access Point System Reference Guide Figure 3-11 Initial Setup Wizard - RADIUS Server Configuration - Add User screen for Typical Setup Wizard 1. Use the Add User dialog to provide user information to add to the RADIUS server user database.
  • Page 55: Summary And Commit Screen

    3 - 19 3.1.1.7 Summary And Commit Screen Typical Setup Wizard The Summary And Commit screen displays a complete overview of the configurations made in the previous screens. There is no user intervention or additional settings required. The Summary and Commit screen is an additional means of validating the configuration before it is deployed.
  • Page 56: Adopt To A Controller

    3 - 20 WiNG 5.7.1 Access Point System Reference Guide 3.1.1.8 Adopt to a controller Using the Initial Setup Wizard Adopted to Controller is the default behavior of the access point. When the access point is switched on for the first time, it looks for a wireless controller on the default subnet that runs the same WiNG firmware version and automatically adopts to it.
  • Page 57: Advanced Setup Wizard

    3 - 21 3.1.2 Advanced Setup Wizard Using the Initial Setup Wizard Advanced Setup is the recommended wizard for users who want more control over how the access point is configured beyond the minimum default settings. This wizard provides additional radio and system information settings. The Advanced Setup wizard consists of the following: •...
  • Page 58 3 - 22 WiNG 5.7.1 Access Point System Reference Guide Figure 3-14 Initial Setup Wizard - Access Point Settings screen for Advanced Setup Wizard 3. Select an Access Point Type from the following options: • Virtual Controller AP - When more than one access point is deployed, a single access point can function as a Virtual Controller AP.
  • Page 59 3 - 23 • Adopted to Controller - Select this option when deploying the access point as a controller managed (Dependent mode) access point. Selecting this option closes the Initial AP Setup Wizard. An adopted access point obtains its configuration from a profile stored on its managing controller.
  • Page 60: Network Topology Selection

    3 - 24 WiNG 5.7.1 Access Point System Reference Guide 3.1.2.1 Network Topology Selection Advanced Setup Wizard Use the Network Topology screen to define how the access point manages network traffic. The available modes are: Figure 3-15 Initial Setup Wizard - Access Point Mode screen for Advanced Setup Wizard •...
  • Page 61: Lan Configuration

    3 - 25 3.1.2.2 LAN Configuration Advanced Setup Wizard Use the LAN Configuration screen to configure the parameters required for setting a Local Area Network (LAN) on the access point. Figure 3-16 Initial Setup Wizard - LAN Configuration screen for Advanced Setup Wizard 1.
  • Page 62 3 - 26 WiNG 5.7.1 Access Point System Reference Guide • Default Gateway - Define a default gateway address for use with the DHCP server configuration. This is a required parameter. • DNS Forwarding - Select this option to allow a DNS server to translate domain names into IP addresses. If this option is not selected, a primary and secondary DNS resource must be specified.
  • Page 63: Wan Configuration

    3 - 27 3.1.2.3 WAN Configuration Advanced Setup Wizard NOTE: This option is only available when Router Mode is selected in the Network Topology screen of the Advanced Setup Wizard. The Advanced Setup Wizard displays the WAN Setting screen to define DHCP and network address information for the WAN interface.
  • Page 64 3 - 28 WiNG 5.7.1 Access Point System Reference Guide • Select the port that’s connected to the WAN – Select the port that is connected to the WAN. • Enable NAT on the WAN Interface – Select this option to enable Network Address Translation on the selected GE interface.
  • Page 65: Radio Configuration

    3 - 29 3.1.2.4 Radio Configuration Advanced Setup Wizard Use the Radio Configuration screen to define radio support for the 2.4 GHz radio band, 5.0 GHz radio band or set the radio as a dedicated sensor. NOTE: The Radio Configuration screen displays separate configurable fields for each access point radio.
  • Page 66 3 - 30 WiNG 5.7.1 Access Point System Reference Guide • Power Level - Use the spinner control to select a 1 - 23 dBm minimum power level to assign to this radio in selected 2.4 GHz or 5.0 GHz band. 1 dBm is the default setting.
  • Page 67: Wireless Lan Setup

    3 - 31 3.1.2.5 Wireless LAN Setup Advanced Setup Wizard A Wireless Local Area Network (WLAN) is a data-communications system and wireless local area network that flexibly extends the functionality of a wired LAN. A WLAN links two or more computers or devices using spread-spectrum or OFDM modulation based technology.
  • Page 68 3 - 32 WiNG 5.7.1 Access Point System Reference Guide users before allowing them on to the network. Once on the network, no encryption is used for the data transmitted through the network. Select this option to use a Web page (either internally or externally hosted) to authenticate users before access is granted to the network.
  • Page 69: System Information

    3 - 33 3.1.2.6 System Information Advanced Setup Wizard Use the System Information screen to define the device’s location, contact information for an administrator, and the country where this access point is deployed. Figure 3-20 Initial Setup Wizard - System Information screen for the Advanced Setup Wizard •...
  • Page 70: Summary And Commit Screen

    3 - 34 WiNG 5.7.1 Access Point System Reference Guide 3.1.2.7 Summary And Commit Screen Advanced Setup Wizard The Summary And Commit screen displays an overview of the updates made using the Advanced Setup Wizard. There is no user intervention or additional settings required. This screen is an additional means of validating the configuration before it is deployed.
  • Page 71: Adopt To A Controller

    3 - 35 3.1.2.8 Adopt to a controller Advanced Setup Wizard When the access point is powered on for the first time, it looks for a wireless controller on the default subnet running the same firmware version and automatically adopts to it. When Adopted to Controller is selected, further configuration settings are displayed in the same screen.
  • Page 72 3 - 36 WiNG 5.7.1 Access Point System Reference Guide...
  • Page 73: Chapter 4, Dashboard

    CHAPTER 4 DASHBOARD The dashboard allows network administrators to review and troubleshoot the operation of the devices comprising the access point managed network. Use the dashboard to review the current network topology, assess the network’s component health and diagnose problematic device behavior. By default, the Dashboard screen displays the System Dashboard, which is the top level in the device hierarchy.
  • Page 74: Dashboard Conventions

    4 - 2 WiNG 5.7.1 Access Point System Reference Guide 4.1 Dashboard Dashboard The Dashboard screen displays device information organized by device association and inter-connectivity between an access point and connected wireless clients. To review dashboard information: 1. Select Dashboard. Expand the...
  • Page 75: Health

    4 - 3 4.1.1.1 Health Dashboard Conventions Health tab displays performance and utilization data for the access point managed network. Figure 4-2 Dashboard - Health tab For more information see: • Device Details • Radio RF Quality Index • Radio Utilization Index •...
  • Page 76 4 - 4 WiNG 5.7.1 Access Point System Reference Guide Figure 4-3 Dashboard - Health tab - Device Details field Device Details field displays the name assigned to the selected access point, factory encoded MAC address, primary IP address, model type, RF Domain, software version, uptime, CPU and RAM information and system clock. Use this data to determine whether a software upgrade is warranted, or if the system clock needs adjustment.
  • Page 77 4 - 5 Periodically select Refresh (at the bottom of the screen) to update the RF quality data. 4.1.1.1.3 Radio Utilization Index Dashboard Conventions Radio Utilization Index displays how efficiently the RF medium is used by the access point. Traffic utilization is defined as the percentage of throughput relative to the maximum possible throughput.
  • Page 78 4 - 6 WiNG 5.7.1 Access Point System Reference Guide 1. The Client RF Quality Index displays the following: Worst 5 Lists the worst 5 performing client radios connected to the access point. The RF Quality Index measures the overall effectiveness of the RF environment as a percentage. It is a function of the connect rate in both directions, as well as the retry rate and the error rate.
  • Page 79: Inventory

    4 - 7 4.1.1.2 Inventory Dashboard Conventions Inventory tab displays information relative to the devices managed by the selected access point. The Inventory screen affords a system administrator an overview of the number and state of managed devices. The screen contains links to display more granular data specific to a radio.
  • Page 80 4 - 8 WiNG 5.7.1 Access Point System Reference Guide 4.1.1.2.1 Radio Types Inventory Radio Types field displays the total number and types of radios managed by the selected access point. Figure 4-8 Dashboard - Inventory tab - Radio Types field...
  • Page 81 4 - 9 Figure 4-10 Dashboard - Inventory tab - Wireless Clients field Information within the Wireless Clients field is presented in two tables. The first table lists the total number of wireless clients managed by this access point. The second table lists an ordered ranking of radios based on their supported client count. Use this information to assess if an access point managed radio is optimally deployed in respect to its radio type and intended client support requirements.
  • Page 82: Network View

    4 - 10 WiNG 5.7.1 Access Point System Reference Guide 4.2 Network View Dashboard Network View displays device topology association between a selected access point, its RF Domain and its connected clients. Access points and clients can be selected and viewed using various color schemes in respect to neighboring access points, connected devices and performance criteria.
  • Page 83: Network View Display Options

    4 - 11 Figure 4-13 Network View - System Browser 4.2.1 Network View Display Options Network View 1. Select the blue Options link right under the Network View banner to display a menu for different device interaction display options. Figure 4-14 Network View - Display Options 2.
  • Page 84: Device Specific Information

    4 - 12 WiNG 5.7.1 Access Point System Reference Guide and error rates. Quality results include: Red (Bad Quality), Orange (Poor Quality), Yellow (Fair Quality) and Green (Good Quality). • Vendor – Displays the device manufacturer. • Band – Select this option to filter based on the 2.4 or 5.0 GHz radio band of connected clients. Results include: Yellow (2.4 GHz radio band) and Blue (5.0 GHz radio band).
  • Page 85: Chapter 5, Device Configuration

    CHAPTER 5 DEVICE CONFIGURATION Access points can either be assigned unique configurations to support a particular deployment objective or have an existing RF Domain or profile configuration modified (overridden) to support a requirement that deviates its configuration from the configuration shared by its peer access points. Refer to the following to set an access point’s sensor functionality, Virtual Controller AP designation, and license and certificate usage configuration: •...
  • Page 86: Rf Domain Configuration

    5 - 2 WiNG 5.7.1 Access Point System Reference Guide 5.1 RF Domain Configuration Device Configuration An access point’s configuration consists of numerous elements including an RF Domain, WLAN and device specific settings. RF Domains are used to assign regulatory, location and relevant policies to access points of the same model. For example, an AP6532 RF Domain can only be applied to another AP6532 model.
  • Page 87: Rf Domain Sensor Configuration

    5 - 3 4. Define the following Basic Configuration values for the access point RF Domain: Location Assign the physical location of the RF Domain. This name could be as specific as the floor of a building, or as generic as an entire site. The location defines the physical area where a common set of access point configurations are deployed and managed by the RF Domain policy.
  • Page 88: Rf Client Name Configuration

    5 - 4 WiNG 5.7.1 Access Point System Reference Guide WIPS is not supported on a WLAN basis, rather, sensor functionality is supported on the access point radio(s) available to each managed WLAN. When an access point radio is functioning as a WIPS sensor, it is able to scan in sensor mode across all legal channels within the 2.4 and 5.0 GHz band.
  • Page 89: Rf Domain Alias Configuration

    5 - 5 3. Select RF Domains from the options on the left-hand side of the UI. 4. Select the Client Name tab. Figure 5-3 RF Domain Client Configuration screen 5. Either select the + Add Row button to create a new client configuration or highlight an existing configuration and select the Delete icon to remove it.
  • Page 90 5 - 6 WiNG 5.7.1 Access Point System Reference Guide • RF Domain aliases are defined from Configuration > Devices > RF Domain > Alias screen. These aliases are available for use for a site as a RF Domain is site specific. RF Domain alias values override alias values defined in a global alias or a profile alias configuration.
  • Page 91: Network Basic Alias

    5 - 7 5.1.3.1 Network Basic Alias RF Domain Configuration A basic alias is a set of configurations that consist of VLAN, Host, Network and Address Range alias configurations. VLAN configuration is a configuration for optimal VLAN re-use and management for local and remote deployments. A host alias configuration is for a particular host device’s IP address.
  • Page 92 5 - 8 WiNG 5.7.1 Access Point System Reference Guide Use the VLAN Alias field to create unique aliases for VLANs that can be used at different deployments. For example, if a named VLAN is defined as 10 for the central network, and the VLAN is set at 26 at a remote location, the VLAN can be overridden at the deployment location with an alias.
  • Page 93 5 - 9 8. Select + Add Row to define Network Alias settings: Use the Network Alias field to create aliases for IP networks that can be utilized at different deployments. For example, if a central network ACL defines a network as 192.168.10.0/24, and a remote location’s network range is 172.16.10.0/24, the ACL can be overridden at the remote location to suit their local (but remote) requirement.
  • Page 94: Network Group Alias

    5 - 10 WiNG 5.7.1 Access Point System Reference Guide 5.1.3.2 Network Group Alias RF Domain Configuration A network group alias is a set of configurations that consist of host and network configurations. Network configurations are complete networks in the form 192.168.10.0/24 or IP address range in the form 192.168.10.10-192.168.10.20. Host configuration is in the form of single IP address, 192.168.10.23.
  • Page 95 5 - 11 5. Select Edit to modify the attributes of an existing policy or Delete to remove obsolete policies from the list of those available. Select to create a new Network Group Alias. Select Copy to copy an existing policy or Rename to rename an existing policy.
  • Page 96: Network Service Alias

    5 - 12 WiNG 5.7.1 Access Point System Reference Guide 9. Select when completed to update the network group alias rules. Select Reset to revert the screen back to its last saved configuration. 5.1.3.3 Network Service Alias RF Domain Configuration A network service alias is a set of configurations that consist of protocol and port mappings.
  • Page 97 5 - 13 Figure 5-8 RF Domain - Network Service Alias Add screen 6. If adding a new Network Service Alias, provide it a name up to 32 characters. NOTE: The Network Service Alias Name always starts with a dollar sign ($). 7.
  • Page 98: System Profile Configuration

    5 - 14 WiNG 5.7.1 Access Point System Reference Guide 5.2 System Profile Configuration Device Configuration An access point profile enables an administrator to assign a common set of configuration parameters and policies to access points of the same model. Profiles can be used to assign common or unique network, wireless and security parameters across a large, multi-segment site.
  • Page 99: General Profile Configuration

    5 - 15 5.2.1 General Profile Configuration System Profile Configuration An access point profile requires unique clock synchronization settings as part of its general configuration. Network time protocol (NTP) manages time and/or network clock synchronization within the access point managed network. NTP is a client/server implementation.
  • Page 100: Profile Radio Power

    5 - 16 WiNG 5.7.1 Access Point System Reference Guide Version Use the spinner control to specify the version number used by this NTP server resource. The default setting is 0. 5. Use the RF Domain Manager field to configure how this access point behaves in standalone mode. Set the following...
  • Page 101 5 - 17 Figure 5-10 Profile - Power screen 5. Use the Power Mode drop-down menu to set the Power Mode Configuration on this NOTE: Single radio model access points always operate using a full power configuration. The power management configurations described in this section do not apply to single radio access point models.
  • Page 102: Profile Adoption (Auto Provisioning) Configuration

    5 - 18 WiNG 5.7.1 Access Point System Reference Guide 5.2.3 Profile Adoption (Auto Provisioning) Configuration System Profile Configuration Adoption is the process an access point uses to discover Virtual Controller APs available in the network, pick the most desirable Virtual Controller, establish an association with the Virtual Controller, optionally obtain an image upgrade, obtain its configuration and consider itself provisioned.
  • Page 103 5 - 19 Figure 5-11 Profile Adoption screen 5. Define the Preferred Group used as the optimal group of Virtual Controllers for adoption. The name of the preferred group cannot exceed 64 characters. The preferred group is the controller group the access point would prefer to connect to upon adoption. 6.
  • Page 104: Profile Wired 802.1X Configuration

    5 - 20 WiNG 5.7.1 Access Point System Reference Guide 10. Enter Controller Hostnames as needed to define resources for adoption. Click +Add Row to add controllers. Set the following parameters to define Controller Hostnames: Host Use the drop-down menu to specify whether the controller adoption resource is defined as a (non DNS) IP address or a hostname.
  • Page 105: Profile Interface Configuration

    5 - 21 Figure 5-12 Profile Wired 802.1X screen 5. Set the following Wired 802.1x Settings: Dot1x Authentication Control - Select this option to globally enable 802.1x authentication for the selected device. This setting is disabled by default. Dot1x AAA Policy - Use the drop-down menu to select an AAA policy to associate with wired 802.1x traffic.
  • Page 106: Ethernet Port Configuration

    5 - 22 WiNG 5.7.1 Access Point System Reference Guide 5.2.5.1 Ethernet Port Configuration Profile Interface Configuration Displays the physical port reporting runtime data and statistics. The following ports are available depending on model: • AP6511 - fe1, fe2, fe3, fe4, up1/POE (LAN) •...
  • Page 107 5 - 23 5. Refer to the following to assess port status, mode and VLAN configuration: Name Displays the physical port name reporting runtime data and statistics. Supported ports vary depending on model. Type Displays the physical port type. Description Displays an administrator defined description for each listed port.
  • Page 108 5 - 24 WiNG 5.7.1 Access Point System Reference Guide Figure 5-14 Ethernet Ports - Basic Configuration screen 7. Set the following Ethernet port Properties: Description Enter a brief description for the port (64 characters maximum). The description should reflect the port’s intended function to differentiate it from others with similar configurations.
  • Page 109 5 - 25 8. Define the following Cisco Discovery Protocol (CDP) and LLDP parameters to apply to the Ethernet port configuration: Cisco Discovery Protocol Receive - Select this option to allow the Cisco discovery protocol for receiving data on this port. If enabled, the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors.
  • Page 110 5 - 26 WiNG 5.7.1 Access Point System Reference Guide A captive portal is an access policy for providing temporary and restrictive access using a standard Web browser. Captive portals provide authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the network.
  • Page 111 5 - 27 Use the IPv6 Inbound Firewall Rules drop-down menu to select the IPv6 specific firewall rules to apply to this profile’s Ethernet port configuration. IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet.
  • Page 112 5 - 28 WiNG 5.7.1 Access Point System Reference Guide Port Control Use the drop-down menu to set the port control state to apply to this port. Options include force-authorized, force-unauthorized and automatic. The default setting is port-authorized. Re Authenticate Select this setting to force clients to reauthenticate on this port.
  • Page 113 5 - 29 encodes additional region information after the standard RSTP BPDU as well as a number of MSTI messages. Each MSTI message conveys spanning tree information for each instance. Each instance can be assigned a number of configured VLANs. The frames assigned to these VLANs operate in this spanning tree instance whenever they are inside the MST region.
  • Page 114 5 - 30 WiNG 5.7.1 Access Point System Reference Guide 22. Refer to the MSTP Configuration field to define the following: Enable as Edge Port Select to enable the port as an Edge Port for MSTP. An Edge Port is a port known to connect to a LAN which has no other bridges attached to it or is directly connected to a user device.
  • Page 115: Virtual Interface Configuration

    5 - 31 5.2.5.2 Virtual Interface Configuration Profile Interface Configuration A Virtual Interface is required for layer 3 (IP) access to provide layer 3 service on a VLAN. The Virtual Interface defines which IP address is associated with each VLAN ID the access point is connected to. A Virtual Interface is created for the default VLAN (VLAN 1) to enable remote administration.
  • Page 116 5 - 32 WiNG 5.7.1 Access Point System Reference Guide VLAN Displays the numerical VLAN ID associated with each listed interface. IP Address Defines whether DHCP was used to obtain the primary IP address used by the Virtual Interface configuration.
  • Page 117 5 - 33 Select either the Inside, Outside or None radio buttons. • Inside - The inside network is transmitting data over the network to its intended destination. On the way out, the source IP address is changed in the header and replaced by the (public) IP address. •...
  • Page 118 5 - 34 WiNG 5.7.1 Access Point System Reference Guide 14. Set the following Router Advertisement Processing settings for the virtual interface. Router advertisements are periodically sent to hosts or sent in response to solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information.
  • Page 119 5 - 35 18. Set the following network information from within the IPv4 Addresses field: Enable Zero Configuration - Zero configuration can be a means of providing a primary or secondary IP address for the virtual interface. Zero configuration (or zero config) is a wireless connection utility included with Microsoft Windows XP and later as a service dynamically selecting a network to connect based on a user's preferences and various default settings.
  • Page 120 5 - 36 WiNG 5.7.1 Access Point System Reference Guide Figure 5-20 Virtual Interfaces - Basic Configuration screen - IPv6 tab 21. Refer to the IPv6 Addresses field to define how IPv6 addresses are created and utilized. IPv6 Mode Select this option to enable IPv6 support on this virtual interface. IPv6 is disabled by default.
  • Page 121 5 - 37 Figure 5-21 Virtual Interfaces - Basic Configuration screen - IPv6 tab - Add Address Prefix from Provider Delegated Prefix Name - Enter a 32 character maximum name for the IPv6 address prefix from provider. Host ID - Define the subnet ID, host ID and prefix length. Select to save the changes to the new IPv6 prefix from provider.
  • Page 122 5 - 38 WiNG 5.7.1 Access Point System Reference Guide Figure 5-23 Virtual Interfaces - Basic Configuration screen - IPv6 tab - Add DHCPv6 Relay Address Enter an address for the DHCPv6 relay. These DHCPv6 relays receive messages from DHCPv6 clients and forward them to DHCPv6 servers.
  • Page 123 5 - 39 Figure 5-25 Virtual Interfaces - Basic Configuration screen - Add IPv6 RA Prefix 29. Set the following IPv6 RA Prefix settings: Prefix Type Set the prefix delegation type used with this configuration. Options include Prefix and prefix-from-provider.
  • Page 124 5 - 40 WiNG 5.7.1 Access Point System Reference Guide Valid Lifetime Time If the lifetime type is set to decrementing, set the time for the prefix's validity. Use the spinner controls to set the time in hours and minutes. Use the...
  • Page 125: Port Channel Configuration

    5 - 41 33. Use the IPv4 Inbound Firewall Rules drop-down menu to select the IPv4 specific inbound firewall rules to apply to this profile’s virtual interface configuration. Select the Create icon to define a new IPv4 firewall rule configuration or select the Edit icon to modify an existing configuration.
  • Page 126 5 - 42 WiNG 5.7.1 Access Point System Reference Guide 2. Select Devices. 3. Select System Profile from the options on the left-hand side of the UI. 4. Expand the Interface menu and select Port Channels. 5. Refer to the following to review existing port channel configurations and their current status: Name Displays the port channel’s numerical identifier assigned to it when it was created.
  • Page 127 5 - 43 Admin Status Select the Enabled radio button to define this port channel as active to the controller profile it supports. Select the Disabled radio button to disable this port channel configuration within the profile. It can be activated at any future time when needed. The default setting is disabled.
  • Page 128 5 - 44 WiNG 5.7.1 Access Point System Reference Guide Tag the Native VLAN Select this option to tag the native VLAN. Access points support the IEEE 802.1Q specification for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame identifying, for upstream devices, the VLAN ID to which the frame belongs.
  • Page 129 5 - 45 Use the IPv6 Inbound Firewall Rules drop-down menu to select the IPv6 specific firewall rules to apply to this profile’s port channel configuration. IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet.
  • Page 130 5 - 46 WiNG 5.7.1 Access Point System Reference Guide Figure 5-30 Port Channels - Spanning Tree tab 17. Define the following PortFast parameters for the port channel’s MSTP configuration: Enable PortFast PortFast reduces the time required for a port to complete an MSTP state change from Blocked to Forward.
  • Page 131 5 - 47 Cisco MSTP Interoperability - Select either the Enable or Disable radio buttons. This enables interoperability with Cisco’s version of MSTP, which is incompatible with standard MSTP. This setting is disabled by default. Force Protocol Version - Sets the protocol version to either STP(0), Not Supported(1), RSTP(2) or MSTP(3). MSTP is the default setting.
  • Page 132: Access Point Radio Configuration

    5 - 48 WiNG 5.7.1 Access Point System Reference Guide 5.2.5.4 Access Point Radio Configuration Profile Interface Configuration An access point profile can have its radio configuration modified once its radios have successfully associated to the network. To define an access point radio configuration: 1.
  • Page 133 5 - 49 RF Mode Displays whether each listed radio is operating in the 802.11a/n or 802.11b/g/n radio band. If the radio is a dedicated sensor, it will be listed as a sensor to define the radio as not providing typical WLAN support. If the radio is a client-bridge, it will be listed as a client bridge and does not provide typical WLAN support.
  • Page 134 5 - 50 WiNG 5.7.1 Access Point System Reference Guide Radio QoS Policy Use the drop-down menu to specify an existing QoS policy to apply to the access point radio in respect to its intended radio traffic. If no Radio QoS Policy exists that suits the radio’s intended operation, select the Create icon to define a new QoS policy that can be...
  • Page 135 5 - 51 Antenna Gain Set the antenna gain from 0.00 - 30.00 dBm. The access point’s Power Management Antenna Configuration File (PMACF) automatically configures the access point’s radio transmit power based on the antenna type, its antenna gain (provided here) and the deployed country’s regulatory domain restrictions.
  • Page 136 5 - 52 WiNG 5.7.1 Access Point System Reference Guide NOTE: AP6522, AP6522M, AP6532, AP6562, AP71XX, AP75XX, AP81XX and AP82XX can support up to 256 client connections per access point. AP6511 and AP6521 model access points (both single radio models) can support up to 128 client connections per access point.
  • Page 137 5 - 53 Short Preamble If using an 802.11bg radio, select this option for the radio to transmit using a short preamble. Short preambles improve throughput. However, some devices (SpectraLink phones) require long preambles. The default value is disabled. Guard Interval Use the drop-down menu to specify a Long or Any guard interval.
  • Page 138 5 - 54 WiNG 5.7.1 Access Point System Reference Guide 15. Select Create New MeshPoint to open a dialog where new mesh points are created. 16. Select the button located at the bottom right of the screen to save the changes to the WLAN Mapping. Select Reset to revert to the last saved configuration.
  • Page 139 5 - 55 Figure 5-35 Access Point Radio - Advanced Settings tab 22. Refer to the Aggregate MAC Protocol Data Unit (A-MPDU) field to define how MAC service frames are aggregated by the access point radio. A-MPDU Modes Use the drop-down menu to define the A-MPDU mode supported. Options include Transmit Only, Receive Only, Transmit and Receive and None.
  • Page 140 5 - 56 WiNG 5.7.1 Access Point System Reference Guide 26. Set or override the following Miscellaneous advanced radio settings: RIFS Mode Define a RIFS mode to determine whether interframe spacing is applied to access point transmissions or received packets, both, or neither. The default mode is Transmit and Receive.
  • Page 141 5 - 57 Broadcast/Multicast Forwarding - Define whether client broadcast and multicast packets should always follow DTIM, or only follow DTIM when using Power Save Aware mode. The default setting is Follow DTIM. 30. Refer to the Sniffer Redirect (Packet Capture) field to define the radio’s captured packet configuration.
  • Page 142 5 - 58 WiNG 5.7.1 Access Point System Reference Guide [Table 5.1 MCS-1Stream: columns MCS Index, Number of Streams, 20 MHz No SGI, 20 MHz With SGI, 40 MHz No SGI, 40 MHz With SGI; the per-index rate values are not recoverable from this extract]...
  • Page 143 5 - 59 [Table 5.3 MCS-3Stream: columns MCS Index, Number of Streams, 20 MHz No SGI, 20 MHz With SGI, 40 MHz No SGI, 40 MHz With SGI; the per-index rate values are not recoverable from this extract] 802.11ac MCS rates are defined as follows both with and without short guard intervals (SGI): [Table 5.4 MCS-802.11ac (theoretical throughput for single spatial streams): 20 MHz columns]...
  • Page 144: Wan Backhaul Configuration

    5 - 60 WiNG 5.7.1 Access Point System Reference Guide 5.2.5.5 WAN Backhaul Configuration Profile Interface Configuration A Wireless Wide Area Network (WWAN) card is a specialized network interface card that allows a network device to connect, transmit and receive data over a Cellular Wide Area Network. The AP7131N model access point has a PCI Express card slot that supports 3G WWAN cards.
  • Page 145 5 - 61 Figure 5-36 Profile Interface - WAN Backhaul screen 5. Refer to the WAN (3G) Backhaul configuration to specify the access point’s WAN card interface settings: WAN Interface Name Displays the WAN Interface name for the WAN 3G Backhaul card. Enable WAN (3G) Select this option to enable 3G WAN card support on the access point.
  • Page 146 5 - 62 WiNG 5.7.1 Access Point System Reference Guide 8. Configure the IPv4 Inbound Firewall Rules. Use the drop-down menu to select a firewall (set of IP access connection rules) to apply to the PPPoE client connection. If a firewall rule does not exist suiting the data protection needs of the PPPoE client connection, select the Create icon to define a new rule configuration or the Edit icon to modify an existing rule.
  • Page 147: Pppoe Configuration

    5 - 63 5.2.5.6 PPPoE Configuration Profile Interface Configuration PPP over Ethernet (PPPoE) is a data-link protocol for dialup connections. PPPoE allows the access point to use a broadband modem (DSL, cable modem, etc.) for access to high-speed data and broadband networks. Most DSL providers are currently supporting (or deploying) the PPPoE protocol.
  • Page 148 5 - 64 WiNG 5.7.1 Access Point System Reference Guide Figure 5-37 Profile Interface - PPPoE screen 5. Use the Basic Settings field to enable PPPoE and define a PPPoE client. Admin Status Select Enable to support a high speed client mode point-to-point connection using the PPPoE protocol.
  • Page 149 5 - 65 6. Define the following Authentication parameters for PPPoE client interoperation: Username Provide the 64 character maximum username used for authentication support by the PPPoE client. Password Provide the 64 character maximum password used for authentication by the PPPoE client. Use the Show option to view the actual characters comprising the password.
  • Page 150: Profile Network Configuration

    5 - 66 WiNG 5.7.1 Access Point System Reference Guide 5.2.6 Profile Network Configuration System Profile Configuration Setting an access point profile’s network configuration is a large task comprised of numerous administration activities. An access point profile network configuration process consists of the following: •...
  • Page 151: Dns Configuration

    5 - 67 5.2.6.1 DNS Configuration Profile Network Configuration Domain Name System (DNS) is a hierarchical naming system for resources connected to the Internet or a private network. Primarily, DNS resources translate domain names into IP addresses. If one DNS server does not know how to translate a particular domain name, it asks another one until the correct IP address is returned.
  • Page 152: Arp

    5 - 68 WiNG 5.7.1 Access Point System Reference Guide 8. Set the following DNS Servers IPv6 configuration data when using IPv6: IPv6 DNS Name Provide the default domain name used to resolve IPv6 DNS names. When an IPv6 host is...
  • Page 153 5 - 69 6. Set the following parameters to define the ARP configuration: Switch VLAN Interface Use the spinner control to select a VLAN for an address requiring resolution. IP Address Define the IP address used to fetch a MAC Address. MAC Address Displays the target MAC address that’s subject to resolution.
  • Page 154: L2Tpv3 Profile Configuration

    5 - 70 WiNG 5.7.1 Access Point System Reference Guide 5.2.6.3 L2TPv3 Profile Configuration Profile Network Configuration L2TP V3 is an IETF standard used for transporting different types of layer 2 frames in an IP network (and access point profile).
  • Page 155 5 - 71 Figure 5-40 Network - L2TPv3 screen - General tab 5. Set the following General Settings for an L2TPv3 profile configuration: Host Name Define a 64 character maximum hostname to specify the name of the host that is sent tunnel messages.
  • Page 156 5 - 72 WiNG 5.7.1 Access Point System Reference Guide 7. Select the L2TPv3 Tunnel tab. Figure 5-41 Network - L2TPv3 screen - L2TPv3 tunnel tab 8. Review the following L2TPv3 tunnel configuration data: Name Displays the name of each listed L2TPv3 tunnel assigned upon creation.
  • Page 157 5 - 73 Figure 5-42 Network - L2TPv3 screen - Add L2TPv3 Tunnel Configuration 10. If creating a new tunnel configuration, assign it a 31 character maximum Name. 11. Refer to the Session table to review the configurations of the peers available for tunnel connection. 12.
  • Page 158 5 - 74 WiNG 5.7.1 Access Point System Reference Guide Figure 5-43 Network - L2TPv3 screen - Add L2TPv3 Tunnel Configuration - Settings screen 15. Define the following Settings required for the L2TP tunnel configuration: Local IP Address Enter the IP address assigned as the local tunnel end point address, not the interface IP address.
  • Page 159 5 - 75 Establishment Criteria Configure establishment criteria for creating a tunnel between the device and the NOC. This criteria ensures only one tunnel is created between two sites where the tunnel is established between the vrrp-master/cluster master/rf-domain manager at the remote site and the controller at the NOC.
  • Page 160 5 - 76 WiNG 5.7.1 Access Point System Reference Guide Video Set the random early detection threshold in % for video traffic. Set a value from 1 - 100%. The default is 25%. Voice Set the random early detection threshold in % for voice traffic. Set a value from 1 - 100%.
  • Page 161 5 - 77 21. Select the Manual Session tab. After successful tunnel connection and establishment, individual sessions can be created. Each session is a single data stream. After successful session establishment, data corresponding to that session (pseudowire) can be transferred. If a session is down, the pseudowire associated with it is shut down as well.
  • Page 162 5 - 78 WiNG 5.7.1 Access Point System Reference Guide Figure 5-46 Network - L2TPv3 screen, Add L2TPv3 Peer Configuration 24. Set the following session parameters: Name Define a 31 character maximum name for this tunnel session. Each session name represents a single data stream.
  • Page 163 5 - 79 UDP Port If UDP encapsulation is selected, use the spinner control to define the UDP encapsulation port. This is the port where the L2TP service is running. Source Type Select a VLAN as the virtual interface source type. Source Value Define the Source Value range (1 - 4,094) to include in the tunnel.
  • Page 164: Igmp Snooping

    5 - 80 WiNG 5.7.1 Access Point System Reference Guide 5.2.6.4 IGMP Snooping Profile Network Configuration Internet Group Management Protocol (IGMP) is a protocol to establish and maintain multicast group memberships to interested members. Multicasting allows a networked computer to send content to multiple computers that have registered to receive the content.
  • Page 165 5 - 81 6. Set the following for IGMP Querier configuration: Enable IGMP Querier Select this option to enable IGMP querier. IGMP snoop querier is used to keep host memberships alive. It is primarily used in a network where there is a multicast streaming server and hosts subscribed to the server and no IGMP querier present.
  • Page 166: Mld Snooping

    5 - 82 WiNG 5.7.1 Access Point System Reference Guide 5.2.6.5 MLD Snooping Profile Network Configuration Multicast Listener Discovery (MLD) snooping enables a controller, service platform or access point to examine MLD packets and make forwarding decisions based on content. MLD is used by IPv6 devices to discover devices wanting to receive multicast packets destined for specific multicast addresses.
  • Page 167 5 - 83 5. Define the following MLD Querier settings for the MLD snooping configuration: Enable MLD Querier Select this option to enable MLD querier on the controller, service platform or access point. When enabled, the device sends query messages to discover which network devices are members of a given multicast group.
  • Page 168: Quality Of Service (Qos)

    5 - 84 WiNG 5.7.1 Access Point System Reference Guide 5.2.6.6 Quality of Service (QoS) Profile Network Configuration The access point uses different Quality of Service (QoS) screens to define WLAN and device radio QoS configurations. The System Profiles > Network > QoS facility is separate from WLAN and radio QoS configurations, and is used to configure the priority of the different DSCP packet types.
  • Page 169 5 - 85 802.1p Priority Assign an 802.1p priority as a 3-bit IP precedence value in the Type of Service field of the IP header used to set the priority. The valid values for this field are 0-7. Up to 64 entries are permitted.
  • Page 170: Spanning Tree Configuration

    5 - 86 WiNG 5.7.1 Access Point System Reference Guide 5.2.6.7 Spanning Tree Configuration Profile Network Configuration The Multiple Spanning Tree Protocol (MSTP) provides an extension to RSTP to optimize the usefulness of VLANs. MSTP allows for a separate spanning tree for each VLAN group, and blocks all but one of the possible alternate paths within each spanning tree topology.
  • Page 171 5 - 87 Figure 5-50 Network - Spanning Tree screen 5. Set the following MSTP Configuration parameters: MSTP Enable Select this option to enable MSTP for this profile. MSTP is disabled by default, so enable this setting if different VLAN groups are required within the profile-supported network segment.
  • Page 172 5 - 88 WiNG 5.7.1 Access Point System Reference Guide Hello Time Set a BPDU hello interval from 1 - 10 seconds. BPDUs are exchanged regularly (every 2 seconds by default) and enable supported devices to keep track of network changes and start/stop port forwarding as required.
  • Page 173: Routing

    5 - 89 5.2.6.8 Routing Profile Network Configuration Routing is the process of selecting IP paths to send access point managed network traffic. Use the Routing screen to set destination IP and gateway addresses enabling assignment of static IP addresses for requesting clients without creating numerous host pools with manual bindings.
  • Page 174 5 - 90 WiNG 5.7.1 Access Point System Reference Guide 5. Select IP Routing to enable static routes using IPv4 addresses. This option is enabled by default. 6. Select the Policy Based Routing policy to apply to this profile. Select the...
  • Page 175 5 - 91 12. Select Unicast Routing to enable IPv6 unicast routing for this profile. Keeping unicast enabled allows the profile’s neighbor advertisements and solicitations in unicast (as well as multicast) to provide better neighbor discovery. This setting is enabled by default. 13.
  • Page 176: Dynamic Routing (Ospf)

    5 - 92 WiNG 5.7.1 Access Point System Reference Guide Default Gateway Use a network address of ::/0 to set the default gateway. 19. Select the button located at the bottom right of the screen to save the changes. Select...
  • Page 177 5 - 93 Figure 5-54 Network - OSPF Settings tab 5. Enable/disable OSPF and provide the following dynamic routing settings: Enable OSPF Select this option to enable OSPF for this access point. OSPF is disabled by default. Router ID Select this option to define a router ID (numeric IP address) for this access point. This ID must be established in every OSPF instance.
  • Page 178 5 - 94 VRRP State Check Select this option to enable checking VRRP state. If the interface’s VRRP state is not Backup, then the interface is published via OSPF. 6. Set the following...
  • Page 179 5 - 95 Figure 5-55 Network - Area Settings tab 12. Review existing Area Settings configurations using: Area ID Displays either the IP address or integer representing the OSPF area. Authentication Type Lists the authentication schemes used to validate the credentials of dynamic route connections.
  • Page 180 5 - 96 14. Set the OSPF Area configuration. Area ID Use the drop-down menu and specify either an IP address or integer for the OSPF area. Authentication Type Select either None, simple-password or message-digest as the credential validation scheme used with the OSPF dynamic route.
  • Page 181 5 - 97 18. Select the button to define a new set of virtual interface basic settings, or Edit to update the settings of an existing virtual interface configuration. Figure 5-58 Network - OSPF Virtual Interfaces - Basic Configuration tab The Basic Configuration screen displays by default regardless of whether a new Virtual Interface is being created or an existing one is being modified.
  • Page 182 5 - 98 • None - No NAT activity takes place. This is the default setting. 22. Set the following DHCPv6 Client Configuration. The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) provides a framework for passing configuration information.
  • Page 183 5 - 99 No MTU Select this option to not use the existing MTU setting for router advertisements on this virtual interface. If the value is set to zero no MTU options are sent. This setting is disabled by default. No Hop Count Select this option to not use the hop count advertisement setting for router advertisements on this virtual interface.
  • Page 184 5 - 100 Use DHCP to obtain Gateway/DNS Servers Select this option to allow DHCP to obtain a default gateway address and DNS resource for one virtual interface. This setting is disabled by default and only available when the Use DHCP to Obtain IP option is selected.
  • Page 185 5 - 101 IPv6 Address Static using EUI64 Optionally set up to 15 global IPv6 addresses (in the EUI-64 format) that can be created statically. The IPv6 EUI-64 format address is obtained from a 48-bit MAC address. The MAC is initially separated into two 24-bit halves, one being an OUI (Organizationally Unique Identifier) and the other being client specific.
  • Page 186 5 - 102 Figure 5-62 Network - OSPF Virtual Interfaces - Basic Configuration screen - IPv6 tab - Add Address Prefix from Provider EUI64 Delegated Prefix Enter a 32 character maximum name for the IPv6 prefix from provider in EUI format. Using...
  • Page 187 5 - 103 42. Select the IPv6 RA Prefixes tab. Figure 5-64 Network - OSPF Virtual Interfaces - Basic Configuration screen - IPv6 RA Prefixes tab 43. Use the Router Advertisement Policy drop-down menu to select and apply a policy to the virtual interface. Router advertisements are periodically sent to hosts or sent in response to solicitation requests.
  • Page 188 5 - 104 45. Set the following IPv6 RA Prefix settings: Prefix Type Set the prefix delegation type used with this configuration. Options include Prefix and prefix-from-provider. The default setting is Prefix. A prefix allows an administrator to associate a user defined name to an IPv6 prefix.
  • Page 189 5 - 105 46. Select to save the changes to the IPv6 RA prefix configuration. Select Exit to close the screen without saving the updates. 47. Select the button to save the changes and overrides to the basic configuration. Select Reset to revert to the last saved configuration.
  • Page 190: Forwarding Database

    5 - 106 5.2.6.10 Forwarding Database Profile Network Configuration A Forwarding Database is used by a bridge to forward or filter packets. The bridge reads the packet’s destination MAC address and decides to either forward the packet or drop (filter) it. If it is determined the destination MAC is on a different network segment, it forwards the packet to the segment.
  • Page 191 5 - 107 8. Define the target VLAN ID if the destination MAC is on a different network segment. 9. Provide an Interface Name used as the target destination interface for the target MAC address. 10. Select to save the changes. Select Reset to revert to the last saved configuration.
  • Page 192: Bridge Vlan

    5 - 108 5.2.6.11 Bridge VLAN Profile Network Configuration A Virtual LAN (VLAN) is a separately administered virtual network within the same physical managed network. VLANs are broadcast domains that allow control of broadcast, multicast, unicast and unknown unicast traffic within a Layer 2 device.
  • Page 193 5 - 109 Edge VLAN Mode Defines whether the VLAN is currently in edge VLAN mode. An edge VLAN is the VLAN where hosts are connected. For example, if VLAN 10 is defined with wireless clients and VLAN 20 is where the default gateway resides, VLAN 10 should be marked as an edge VLAN and VLAN 20 shouldn’t be marked as an edge VLAN.
  • Page 194 5 - 110 Figure 5-69 Network - Bridge VLAN Configuration screen 6. If adding a new Bridge VLAN configuration, use the spinner control to define a VLAN ID from 1 - 4095. This value must be...
  • Page 195 5 - 111 9. Set or override the following Web Filter parameters. Web filters are used to control the access to resources on the Internet. URL Filter Use the drop-down menu to select a URL filter to use with this Bridge VLAN. 10.
  • Page 196 5 - 112 Trust DHCP Responses Select this option to treat DHCP packets from a DHCP server as trusted and permissible within the network. DHCP packets update the DHCP Snoop Table to prevent IP spoof attacks.
  • Page 197 5 - 113 Figure 5-70 Network - Bridge VLAN - IGMP Snooping screen 17. Define the following IGMP General parameters. Enable IGMP Snooping Select this option to enable IGMP snooping. If disabled, snooping on this Bridge VLAN is disabled. This feature is enabled by default. If disabled, the settings under bridge configuration are overridden.
  • Page 198 5 - 114 19. Set the following IGMP Querier parameters for the Bridge VLAN configuration: Enable IGMP Querier IGMP snoop querier is used to keep host memberships alive. It’s primarily used in a network where there is a multicast streaming server, hosts subscribed to the server and no IGMP querier present.
  • Page 199 5 - 115 21. Define the following General MLD snooping parameters for the Bridge VLAN configuration: Multicast Listener Discovery (MLD) snooping enables a controller, service platform or access point to examine MLD packets and make forwarding decisions based on content. MLD is used by IPv6 devices to discover devices wanting to receive multicast packets destined for specific multicast addresses.
  • Page 200: Cisco Discovery Protocol Configuration

    5 - 116 5.2.6.12 Cisco Discovery Protocol Configuration Profile Network Configuration The Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer protocol implemented in Cisco networking equipment. It's primarily used to obtain IP addresses of neighboring devices and discover their platform information. CDP is also used to obtain information about the interfaces the access point uses.
  • Page 201: Link Layer Discovery Protocol Configuration

    5 - 117 5.2.6.13 Link Layer Discovery Protocol Configuration Profile Network Configuration The Link Layer Discovery Protocol (LLDP) provides a standard way for a controller or access point to advertise information about itself to networked neighbors and store information it discovers from its peers. LLDP is a neighbor discovery protocol that defines a method for network access devices using Ethernet connectivity to advertise information about themselves to peer devices on the same physical LAN and store information about the network.
  • Page 202: Miscellaneous Network Configuration

    5 - 118 Extended Power via MDI Select this option to include the LLDP-MED extended power via MDI discovery TLV in LLDP Discovery PDUs. This setting is disabled by default. 6. Select the button to save the changes to the LLDP configuration. Select Reset to revert to the last saved configuration.
  • Page 203: Alias

    5 - 119 5.2.6.15 Alias Profile Network Configuration With large deployments, the configuration of remote sites utilizes a set of shared attributes, of which a small set of attributes are unique for each location. For such deployments, maintaining separate configuration (WLANs, profiles, policies and ACLs) for each remote site is complex.
  • Page 204 5 - 120 2. Select System Profiles. 3. Select Network to expand it and display its sub menus. 4. Select the Alias item. The Basic Alias screen displays. Figure 5-75 Network - Basic Alias Screen 5.
  • Page 205 5 - 121 • Wireless LANs 6. Select + Add Row to define Address Range Alias settings: Use the Address Range Alias field to create aliases for IP address ranges that can be utilized at different deployments. For example, if an ACL defines a pool of network addresses as 192.168.10.10 through 192.168.10.100 for an entire network, and a remote location’s network range is 172.16.13.20 through 172.16.13.110, the remote location’s ACL can be overridden using an alias.
  • Page 206 5 - 122 loc2.domain.com, the alias can be overridden at the remote location to suit the local (but remote) requirement. At one remote location, the alias functions with the loc1.domain.com domain and at the other with the loc2.domain.com domain.
  • Page 207 5 - 123 Figure 5-76 Network - Alias - Network Group Alias screen Name Displays the administrator assigned name of the Network Group Alias. Host Displays all host aliases configured in this network group alias. Displays a blank column if no host alias is defined.
  • Page 208 5 - 124 Figure 5-77 Network - Alias - Network Group Alias Add screen 7. If adding a new Network Group Alias, provide it a name of up to 32 characters. NOTE: The Network Group Alias Name always starts with a dollar sign ($).
  • Page 209 5 - 125 5.2.6.15.3 Network Service Alias Alias A Network Service Alias is a set of configurations that consist of protocol and port mappings. Both source and destination ports are configurable. For each protocol, up to 2 source port ranges and up to 2 destination port ranges can be configured. A maximum of 4 protocol entries can be configured per Network Service Alias.
  • Page 210 5 - 126 Figure 5-79 Network - Alias - Network Service Alias Add screen 7. If adding a new Network Service Alias, provide it a name of up to 32 characters. NOTE: The Network Service Alias Name always starts with a dollar sign ($).
  • Page 211: Profile Network Configuration And Deployment Considerations

    5 - 127 5.2.6.16 Profile Network Configuration and Deployment Considerations Profile Network Configuration Before defining a profile’s network configuration, refer to the following deployment guidelines to ensure the profile configuration is optimally effective: • Administrators often need to route traffic to interoperate between different VLANs. Bridging VLANs are only for non-routable traffic, like tagged VLAN frames destined to some other device which will untag it.
  • Page 212: Profile Security Configuration

    5 - 128 5.2.7 Profile Security Configuration System Profile Configuration An access point profile can have its own firewall policy, wireless client role policy, WEP shared key authentication and NAT policy applied. For more information, refer to the following: •...
  • Page 213: Defining Profile Vpn Settings

    5 - 129 5.2.7.1 Defining Profile VPN Settings Profile Security Configuration IPSec VPN provides a secure tunnel between two networked peer access points or controllers. Administrators can define which packets are sent within the tunnel, and how they’re protected. When a tunnelled peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its remote peer destination.
  • Page 214 5 - 130 DPD Keep Alive Lists each policy’s IKE keep alive message interval defined for IKE VPN tunnel dead peer detection. IKE LifeTime Displays each policy’s lifetime for an IKE SA. The lifetime defines how long a connection (encryption/authentication keys) should last, from successful key negotiation to expiration.
  • Page 215 5 - 131 Mode If using IKEv1, use the drop-down menu to define the IKE mode as either Main or Aggressive. IPSec has two modes in IKEv1 for key exchanges. Aggressive mode requires 3 messages to be exchanged between the IPSec peers to set up the SA; Main mode requires 6 messages. The default setting is Main.
  • Page 216 5 - 132 12. Refer to the following to determine whether a VPN Peer Configuration requires creation, modification or removal: Name Lists the 32 character maximum name assigned to each listed peer configuration.
  • Page 217 5 - 133 IP Type Enter either the IP address or FQDN hostname of the IPSec VPN peer used in the tunnel setup. If IKEv1 is used, this value is titled IP Type, if IKEv2 is used, this parameter is titled Select IP/Hostname.
  • Page 218 5 - 134 Figure 5-84 Profile Security - VPN Transform Set tab 16. Review the following attributes of existing Transform Set configurations: Transform Set Lists the 32 character maximum name assigned to each listed transform set upon creation.
  • Page 219 5 - 135 18. Define the following settings for the new or modified Transform Set configuration: Transform Set If creating a new transform set, define a 32 character maximum name to differentiate this configuration from others with similar attributes. Authentication Algorithm Set the transform set’s authentication scheme used to validate identity credentials.
  • Page 220 5 - 136 IPSec Transform Set Displays the transform set (encryption and hash algorithms) applied to each listed crypto map configuration. Thus, each crypto map can be customized with its own data protection and peer authentication schemes.
  • Page 221 5 - 137 Figure 5-88 Profile Security - VPN Crypto Map Entry screen 26. Define the following parameters to set the crypto map configuration: Sequence Each crypto map configuration uses a list of entries based on a sequence number. Specifying multiple sequence numbers within the same crypto map extends connection flexibility to multiple peers on the same interface, based on this selected sequence number (from 1 - 1,000).
  • Page 222 5 - 138 IP Firewall Rules Use the drop-down menu to select the access list (ACL) used to protect IPSec VPN traffic. New access/deny rules can be defined for the crypto map by selecting the Create icon, or an existing set of firewall rules can be modified by selecting the Edit icon.
  • Page 223 5 - 139 Figure 5-89 Profile Security - Remote VPN Server tab (IKEv2 example) 29. Select either the IKEv1 or IKEv2 radio button to enforce peer key exchanges over the remote VPN server using either IKEv1 or IKEv2. IKEv2 provides improvements over the original IKEv1 design (improved cryptographic mechanisms, NAT and firewall traversal, attack resistance etc.) and is recommended in most deployments.
  • Page 224 5 - 140 AAA Policy Select the AAA policy used with the remote VPN client. AAA policies define RADIUS authentication and accounting parameters. The access point can optionally use AAA server resources (when using RADIUS as the authentication method) to provide user database information and user authentication data.
  • Page 225 5 - 141 Figure 5-90 Profile Security - Remote VPN Client tab 38. Refer to the following fields to define Remote VPN Client Configuration settings: Shutdown Select this option to disable the remote VPN client. The default is disabled. Transform Set Configure the transform set used to specify how traffic is protected within the crypto ACL defining the traffic that needs to be protected.
  • Page 226 5 - 142 value Set the DHCP peer local ID. The ID cannot exceed 128 characters. 42. Select to save the updates made to the Remote VPN Client screen. Selecting Reset reverts the screen to its last saved configuration.
  • Page 227 5 - 143 Plain Text Deny Select global or interface to set the scope of the ACL. The default setting is global, expanding the rules of the ACL beyond just the interface. Enable IKE UniqueIds Select this option to initiate a unique ID check. This is disabled by default. 45.
  • Page 228: Defining Profile Auto Ipsec Tunnel

    5 - 144 5.2.7.2 Defining Profile Auto IPSec Tunnel Profile Security Configuration IPSec tunnels are established to secure traffic (both data and management traffic) from access points to remote wireless controllers. Secure tunnels must be established between access points and the wireless controller with minimum configuration pushed through DHCP option settings.
  • Page 229: Defining Profile Security Settings

    5 - 145 Re-Authentication Select this option to re-authenticate the key on an IKE rekey. This setting is disabled by default. IKE Life Time Set a lifetime in either Seconds (600 - 86,400), Minutes (10 - 1,440), Hours (1 - 24) or Days (1) for the IKE security association duration.
  • Page 230 5 - 146 that identify devices and applies specific permissions and restrictions on these devices. From the drop-down menu select the client identity group to use with this device profile. For more information, see Device Fingerprinting on page 8-23.
  • Page 231: Setting The Certificate Revocation List (Crl) Configuration

    5 - 147 5.2.7.4 Setting the Certificate Revocation List (CRL) Configuration Profile Security Configuration A certificate revocation list (CRL) is a list of certificates that have been revoked or are no longer valid. A certificate can be revoked if the certificate authority (CA) had improperly issued a certificate, or if a private-key is compromised. The most common reason for revocation is the user no longer being in sole possession of the private key.
  • Page 232: Setting The Profile's Nat Configuration

    5 - 148 5.2.7.5 Setting the Profile’s NAT Configuration Profile Security Configuration Network Address Translation (NAT) is a technique to modify network address information within IP packet headers in transit across a traffic routing device. This enables mapping one IP address to another to protect network address credentials. With typical deployments, NAT is used as an IP masquerading technique to hide private IP addresses behind a single, public facing, IP address.
  • Page 233 5 - 149 NAT Pool tab displays by default. The NAT Pool tab lists those NAT policies created thus far. Any of these policies can be selected and applied to the access point profile. 5. Select to create a new NAT policy that can be applied to a profile. Select Edit to modify the attributes of an existing policy or select...
  • Page 234 5 - 150 Figure 5-97 Profile Security - Static NAT screen - Source tab 10. To map a source IP address from an internal network to a NAT IP address, click the button.
  • Page 235 5 - 151 Figure 5-98 Profile Security - Static NAT screen - Destination tab 13. Select to create a new NAT destination configuration or Delete to permanently remove a NAT destination. Existing NAT destination configurations are not editable. Figure 5-99 NAT Destination - Add screen...
  • Page 236 5 - 152 14. Set the following Destination configuration parameters: Static NAT creates a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network. To share a Web server on a perimeter interface with the Internet, use static address translation to map the actual address to a registered IP address.
  • Page 237 5 - 153 Figure 5-100 Profile Security - Dynamic NAT tab 17. Refer to the following to determine whether a new Dynamic NAT configuration requires creation, edit or deletion: Source List ACL Lists the ACL defining packet selection criteria for the NAT configuration. NAT is applied only on packets which match a rule defined in the access list.
  • Page 238 5 - 154 Figure 5-101 Profile Security - Source ACL List screen 19. Set the following to define the Dynamic NAT configuration: Source List ACL Use the drop-down menu to select an ACL name to define the packet selection criteria for NAT.
  • Page 239 5 - 155 21. Select to save the changes made to the dynamic NAT configuration. Select Reset to revert to the last saved configuration.
  • Page 240: Setting The Profile's Bridge Nat Configuration

    5 - 156 5.2.7.6 Setting the Profile’s Bridge NAT Configuration Profile Security Configuration Use Bridge NAT to manage Internet traffic originating at a remote site. In addition to traditional NAT functionality, Bridge NAT provides a means of configuring NAT for bridged traffic through an access point.
  • Page 241 5 - 157 5. Review the following Bridge NAT configurations to determine whether a new Bridge NAT configuration requires creation, or whether an existing configuration requires modification or removal: Access List Lists the ACL applying IP address access/deny permission rules to the Bridge NAT configuration. Interface Lists the communication medium (outgoing layer 3 interface) between source and destination points.
  • Page 242: Profile Security Configuration And Deployment Considerations

    5 - 158 9. Select + Add Row to set the IP address range settings for the Bridge NAT configuration. Figure 5-104 Profile Security - Source Dynamic NAT screen - Add Row field 10.
  • Page 243: Virtual Router Redundancy Protocol (Vrrp) Configuration

    5 - 159 5.2.8 Virtual Router Redundancy Protocol (VRRP) Configuration System Profile Configuration A default gateway is a critical resource for connectivity. However, it’s prone to a single point of failure. Thus, redundancy for the default gateway is required by the access point. If WAN backhaul is available on an AP7131, and a router failure occurs, then the access point should act as a router and forward traffic on to its WAN link.
  • Page 244 5 - 160 5. Review the following VRRP configuration data to assess if a new VRRP configuration is required or if an existing VRRP configuration requires modification or removal: Virtual Router ID Lists a numerical index (from 1 - 254) used to differentiate VRRP configurations. The index is assigned when a VRRP configuration is initially defined.
  • Page 245 5 - 161 Figure 5-107 Profiles - VRRP screen 8. If creating a new VRRP configuration, assign a Virtual Router ID from 1 - 255. In addition to functioning as a numerical identifier, the ID identifies the access point’s virtual router a packet is reporting status for. 9.
  • Page 246: Profile Critical Resources

    5 - 162 Advertisement Interval Once the Advertisement Interval Unit has been selected, use the spinner control to set the interval at which the VRRP master sends out advertisements on each of its configured VLANs.
  • Page 247 5 - 163 Critical resources can be configured for access points and wireless controllers using their respective profiles. To define critical resources: 1. Select the Configuration tab from the Web UI. 2. Select Devices. 3. Select System Profile from the options on the left-hand side of the UI. 4.
  • Page 248 5 - 164 Figure 5-109 Critical Resources screen - Adding a Critical Resource 6. Use the Offline Resource Detection drop-down menu to define how critical resource event messages are generated. Options include Any and All. If selecting Any, an event is generated when the state of any single critical resource changes.
  • Page 249 5 - 165 Mode Set the ping mode used when the availability of a critical resource is validated. Select from: • arp-only – Use the Address Resolution Protocol (ARP) for only pinging the critical resource. ARP is used to resolve hardware addresses when only the network layer address is known. •...
  • Page 250: Profile Services Configuration

    5 - 166 5.2.10 Profile Services Configuration System Profile Configuration A profile can contain specific guest access (captive portal) server configurations. These guest network access permissions can be defined uniquely as profile requirements dictate.
  • Page 251: Profile Services Configuration And Deployment Considerations

    5 - 167 7. Select to save the changes made to the profile’s services configuration. Select Reset to revert to the last saved configuration. 5.2.10.1 Profile Services Configuration and Deployment Considerations Profile Services Configuration Before defining a profile’s captive portal and DHCP configuration, refer to the following deployment guidelines to ensure the profile configuration is optimally effective: •...
  • Page 252: Profile Management Configuration

    5 - 168 5.2.11 Profile Management Configuration System Profile Configuration The access point has mechanisms to allow/deny management access to the network for separate interfaces and protocols (HTTP, HTTPS, Telnet, SSH or SNMP). These management access configurations can be applied strategically to profiles as resource permissions dictate.
  • Page 253 5 - 169 Remote Logging Host Use this table to define numerical (non DNS) IP addresses for up to three external resources where logged system events can be sent on behalf of the profile. Select Clear to remove an IP address. Facility to Send Log Messages Use the drop-down menu to specify the server facility (if used) for the profile event log...
  • Page 254 5 - 170 Username for SMTP Server Specify the sender’s username on the outgoing SMTP server. Many SMTP servers require users to authenticate with a username and password before sending E-mail through the server.
  • Page 255: Upgrading Ap6532 Firmware From 5.1

    5 - 171 15. Use the parameters within the Automatic Adopted AP Firmware Upgrade field to define an automatic firmware configuration. Enable Controller Upgrade of AP Firmware Select the access point model to upgrade to a newer firmware version using its associated Virtual Controller AP’s most recent firmware file for that model.
  • Page 256: Profile Management Configuration And Deployment Considerations

    5 - 172 6. Within the CLI, type enable. 7. Enter commit write memory to save the new password. 8. To upgrade firmware using an FTP server, use the upgrade command with the firmware file location: ftp://<username>:<password>@169.254.0.1/AP6532-5.4.0.0-047R.img Alternatively, a user can upgrade the AP6532 firmware using a TFTP server with the upgrade command.
  • Page 257 5 - 173 Figure 5-115 Mesh Point Configuration - Mesh Point screen The Mesh Point screen displays a list of configured MeshConnex policies on this device. 5. Refer to the following for more information on the Mesh Point screen: Mesh Connex Policy Displays the name of the selected Mesh Connex™...
  • Page 258 5 - 174 Figure 5-116 Mesh Point Configuration - Add Mesh Point Mesh Connex Policy screen 7. Refer to the following for more information on the Mesh Point Mesh Connex Policy screen: MeshConnex Policy Provide a name for the Mesh Connex Policy.
  • Page 259 5 - 175 Path Method From the drop-down menu, select the method to use for path selection in a mesh network. The available options are: • None – Select this to indicate no criteria used in root path selection. • uniform – Indicates that the path selection method is uniform. When selected, two paths will be considered equivalent if the average value is the same for these paths.
  • Page 260 5 - 176 Figure 5-117 Mesh Connex Auto Channel Selection screen 9. By default, the Dynamic Root Selection screen displays. This screen provides configuration for the 2.4 GHz and 5.0/4.9 GHz frequencies. Refer to the following for more information on the Auto Channel Selection Dynamic Root Selection screen.
  • Page 261 5 - 177 Priority Meshpoint Configure the mesh point monitored for automatic channel scan. This is the mesh point given priority over other available mesh points. When configured, a mesh is created with this mesh point. When not configured, a mesh point is automatically selected. Off-channel Duration Configure the duration in the range of 20 - 250 milliseconds for the Off Channel Duration field.
  • Page 262 5 - 178 11. Refer to the following for more information on the Path Method SNR screen. These descriptions apply to both the 2.4 GHz and 5.0/4.9 GHz frequencies. Channel Width Configure the channel width that the mesh point automatic channel scan should assign to the selected radio.
  • Page 263 5 - 179 Figure 5-119 Mesh Point Auto Channel Selection Path Method Root Path Metric screen 13. Refer to the following for more information on the Path Method Root Path Metric screen. These descriptions apply to both the 2.4 GHz and 5.0/4.9 GHz frequencies. Channel Width Configure the channel width that mesh point automatic channel scan should assign to the selected radio.
  • Page 264: Vehicle Mounted Modem (Vmm) Deployment Consideration

    5 - 180 Meshpoint: Path Metric Threshold Configure a minimum threshold value for triggering an automatic channel selection for mesh point selection. Set a value between 800 - 65535. Meshpoint: Tolerance Period Configure the time duration in seconds to wait before triggering an automatic channel selection for the next hop.
  • Page 265: Advanced Profile Configuration

    5 - 181 5.2.13 Advanced Profile Configuration System Profile Configuration An access point profile’s advanced configuration is comprised of defining connected client load balance settings, a MINT protocol configuration and miscellaneous settings (NAS ID, access point LEDs and RF Domain Manager). To set an access point profile’s advanced configuration: 1.
  • Page 266 5 - 182 WiNG 5.7.1 Access Point System Reference Guide Figure 5-120 Advanced Profile Configuration - Client Load Balancing screen 2. Use the Group ID field to define a group ID of up to 32 characters. 3. Use the drop-down menu to define a strategy.
  • Page 267 5 - 183 6. Set the following Channel Load Balancing settings: Balance 2.4GHz Channel Select this option to balance loads across channels in the 2.4 GHz radio band. This can Loads prevent congestion on the 2.4 GHz radio if a channel is over utilized. This setting is enabled by default.
  • Page 268 5 - 184 WiNG 5.7.1 Access Point System Reference Guide Minimum number of clients seen When Using probes from common clients is selected as a neighbor selection strategy, use the spinner control to set the number of clients (from 0 - 256) that must be shared by at least 2 access points to be regarded as neighbors in the neighbor selection process.
  • Page 269 5 - 185 Weightage given to Throughput Use the spinner control to assign a weight (from 0 - 100%) the access point radio uses to prioritize 5GHz radio throughput in the load calculation. Assign this value higher if throughput and radio performance are considered mission critical and more important than a high client connection count.
  • Page 270: Configuring Mint Protocol

    5 - 186 WiNG 5.7.1 Access Point System Reference Guide 5.2.13.2 Configuring MINT Protocol Advanced Profile Configuration MINT provides the means to secure access point profile communications at the transport layer. Using MINT, an access point can be configured to only communicate with other authorized (MINT enabled) access points of the same model.
  • Page 271 5 - 187 3. Define the following Device Heartbeat Settings in respect to devices supported by the profile: Designated IS Priority Adjustment Use the spinner control to set a Designated IS Priority Adjustment setting from -255 to 255. This is the value added to the base level DIS priority to influence the Designated IS (DIS) election.
  • Page 272 5 - 188 WiNG 5.7.1 Access Point System Reference Guide Figure 5-123 Advanced Profile Configuration- MINT Protocol screen - Add IP MiNT Link field 11. Set the following Link IP parameters to complete the MINT network address configuration: Define the IP address used by peer access points for interoperation when supporting the MINT protocol.
  • Page 273 5 - 189 The VLAN tab displays the VLAN, Routing Level, Link Cost, Hello Packet Interval and Adjacency Hold Time managed devices use to securely communicate amongst one another. Figure 5-124 Advanced Profile Configuration - MINT Protocol screen - VLAN tab 13.
  • Page 274 5 - 190 WiNG 5.7.1 Access Point System Reference Guide Adjacency Hold Time Set a hold time interval in either Seconds (2 - 600) or Minutes (1 - 10) for the transmission of hello packets. The default interval is 13 seconds.
  • Page 275: Advanced Profile Miscellaneous Configuration

    5 - 191 5.2.13.3 Advanced Profile Miscellaneous Configuration Advanced Profile Configuration Refer to the advanced profile’s Miscellaneous menu item to set the profile’s NAS configuration. The profile database on the RADIUS server consists of user profiles for each connected network access server (NAS) port. Each profile is matched to a username representing a physical port.
  • Page 276: Environmental Sensor Configuration

    5 - 192 WiNG 5.7.1 Access Point System Reference Guide When a client requests access to the network, the CISCO ISE RADIUS server presents the client with a URL where the device’s compliance with the network’s security requirements, such as the validity of anti-virus or anti-spyware software and their definition files, is checked (this checking is called posture).
  • Page 277 5 - 193 5. Set the following Light Sensor settings for the AP8132’s sensor module: Enable Light Sensor Select this option to enable the light sensor on the module. This setting is enabled by default. The light sensor reports whether the access point has its light sensor powered on or off.
  • Page 278: Managing Virtual Controllers

    5 - 194 WiNG 5.7.1 Access Point System Reference Guide 5.3 Managing Virtual Controllers Device Configuration Access points set to function as Standalone APs can be re-defined as Virtual Controllers as required, and Virtual Controllers can be reverted back to Standalone APs. Consider setting the access point to a Virtual Controller when more than one access point (of the same model) is deployed and requires management from a centralized access point.
  • Page 279 5 - 195 Figure 5-129 Managing Virtual Controller - AP Designation screen 6. Select the Set as Virtual Controller AP radio button to change the selected access point’s designation from Standalone to Virtual Controller AP. Remember, only one Virtual Controller can manage (up to) 24 access points of the same model. Thus, an administrator should take care to change the designation of a Virtual Controller AP to Standalone AP to compensate for a new Virtual Controller AP designation.
  • Page 280: Overriding A Device Configuration

    5 - 196 WiNG 5.7.1 Access Point System Reference Guide 5.4 Overriding a Device Configuration Device Configuration Devices within the access point managed network can have an override configuration defined and applied. New devices can also have an override configuration defined and applied once NOTE: The best way to administer a network populated by numerous access points is to configure them directly from the designated Virtual Controller AP.
  • Page 281 5 - 197 Figure 5-130 Device Overrides - Basic Configuration screen 5. Set the following Configuration settings for the target device: System Name Provide the selected device a system name up to 64 characters in length. This is the device name that appears within the RF Domain or Profile the access point supports and is identified by.
  • Page 282: Certificate Management

    5 - 198 WiNG 5.7.1 Access Point System Reference Guide Refer to the Device Time parameter to assess the device’s current time. If the device’s time has not been set, the device time is displayed as unavailable. Select Refresh to update the device’s system time.
  • Page 283 5 - 199 Figure 5-131 Device Overrides - Certificates screen 6. Set the following Management Security certificate configurations: HTTPS Trustpoint Either use the default-trustpoint or select the Stored radio button to enable a drop-down menu where an existing certificate/trustpoint can be leveraged. To leverage an existing device certificate for use with this target device, select the Launch Manager button.
  • Page 284: Manage Certificates

    5 - 200 WiNG 5.7.1 Access Point System Reference Guide For more information on the certification activities, refer to the following: • Manage Certificates • RSA Key Management • Certificate Creation • Generating a Certificate Signing Request 5.4.2.1 Manage Certificates...
  • Page 285 5 - 201 2. Select a device from amongst those displayed to review its certificate information. Refer to Certificate Details to review the certificate’s properties, self-signed credentials, validity period and CA information. 3. To optionally import a certificate, select the Import button from the Certificate Management...
  • Page 286 5 - 202 WiNG 5.7.1 Access Point System Reference Guide Signed certificates (or root certificates) avoid the use of public or private CAs. A self-signed certificate is an identity certificate signed by its own creator, thus the certificate creator also signs off on its legitimacy. The lack of mistakes or corruption in the issuance of self-signed certificates is central.
  • Page 287 5 - 203 Figure 5-134 Certificate Management - Export Trustpoint screen 9. Define the following configuration parameters to export a trustpoint: Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual. Provide the complete URL to the location of the trustpoint.
  • Page 288 5 - 204 WiNG 5.7.1 Access Point System Reference Guide Username/Password These fields are enabled if using the ftp or sftp protocols. Specify the username and the password for that username to access the remote servers using these protocols. Path/File If using Advanced settings, specify the path to the trustpoint. Enter the complete relative path to the file on the server.
  • Page 289 5 - 205 Figure 5-135 Certificate Management - RSA Keys screen 3. Select a listed device to review its current RSA key configuration. Each key can have its size and character syntax displayed. Once reviewed, optionally generate a new RSA key, import a key from a selected device, export a key to a remote location or delete a key from a selected device.
  • Page 290 5 - 206 WiNG 5.7.1 Access Point System Reference Guide Figure 5-136 Certificate Management - Generate RSA Key screen 5. Define the following configuration parameters required to generate a key: Key Name Enter the 32 character maximum name assigned to the RSA key.
  • Page 291 5 - 207 Key Passphrase Define the key used by both the access point and the server (or repository) of the target RSA key. Select the Show option to expose the actual characters used in the passphrase. Leaving the Show option unselected displays the passphrase as a series of asterisks “*”. Provide the complete URL to the location of the RSA key.
  • Page 292 5 - 208 WiNG 5.7.1 Access Point System Reference Guide Figure 5-138 Certificate Management - Export RSA Key screen 12. Define the following configuration parameters required to export an RSA key: Key Name Enter the 32 character maximum name assigned to the RSA key.
  • Page 293 5 - 209 Host If selecting Advanced, provide the hostname of the server used to export the RSA key. Select IPv4 Address or IPv6 Address to provide the IP address of a host device appropriately. This option is not valid for cf, usb1, usb2, usb3 and usb4. A valid hostname cannot contain an underscore.
  • Page 294 5 - 210 WiNG 5.7.1 Access Point System Reference Guide Figure 5-139 Certificate Management - Create Certificate screen 3. Set the following Create New Self-Signed Certificate configuration parameters: Certificate Name Enter the 32 character maximum name assigned to identify the name of the trustpoint associated with the certificate.
  • Page 295 5 - 211 State (ST) Enter a State for the state or province name used in the certificate. This is a required field. City (L) Enter a City to represent the city name used in the certificate. This is a required field. Organization (O) Define an Organization for the organization used in the certificate.
  • Page 296 5 - 212 WiNG 5.7.1 Access Point System Reference Guide Figure 5-140 Certificate Management - Create CSR screen 3. Set the following Create New Certificate Signing Request (CSR) configuration parameters: Create New Select this option to create a new RSA Key. Provide a 32 character name to identify the RSA key.
  • Page 297: Rf Domain Overrides

    5 - 213 Organizational Unit (OU) Enter an Organizational Unit for the name of the organization unit used in the CSR. This is a required field. Common Name (CN) If there is a Common Name (IP address) for the organizational unit issuing the certificate, enter it here.
  • Page 298 5 - 214 WiNG 5.7.1 Access Point System Reference Guide Figure 5-141 Device Overrides - RF Domain Overrides screen NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove a device’s override, go to the Basic Configuration screen’s Device Overrides field, and then select the Clear Overrides button.
  • Page 299: Wired 802.1X Overrides

    5 - 215 7. Refer to the SMART Scan field to review the settings defined for SMART RF. Optionally assign/remove overrides to and from specific parameters. Enable Dynamic Channel Select this option to enable dynamic channel scan. 2.4 GHz Channels Use the Select drop-down menu to select channels to scan in the 2.4 GHz band.
  • Page 300: Device Overrides

    5 - 216 WiNG 5.7.1 Access Point System Reference Guide 6. Set the following Wired 802.1x Settings: Dot1x Authentication Control Select this option to globally enable 802.1x authentication for the access point. This setting is disabled by default. Dot1x AAA Policy Use the drop-down menu to select an AAA policy to associate with the wired 802.1x...
  • Page 301 5 - 217 Figure 5-143 Device Overrides - General screen NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides.
  • Page 302 5 - 218 WiNG 5.7.1 Access Point System Reference Guide Refer to the following to complete the override of the access point’s entire profile configuration: • Radio Power Overrides • Adoption Overrides • Profile Interface Override Configuration • Overriding the Network Configuration •...
  • Page 303: Radio Power Overrides

    5 - 219 5.4.5.1 Radio Power Overrides Device Overrides Use the Power screen to set or override one of two power modes (3af or Auto) for an access point. When Automatic is selected, the access point safely operates within available power. Once the power configuration is determined, the access point configures its operating power characteristics based on its model and power configuration.
  • Page 304 5 - 220 WiNG 5.7.1 Access Point System Reference Guide 7. Use the Power Mode drop-down menu to set or override the Power Mode Configuration on this AP. NOTE: Single radio model access points always operate using a full power configuration.
  • Page 305: Adoption Overrides

    5 - 221 5.4.5.2 Adoption Overrides Device Overrides Use the Adoption screen to define the configuration of a preferred Virtual Controller, wireless controller, or service platform resource used for access point adoption. A Virtual Controller can adopt up to 24 access points of the same model. The Virtual Controller must also share its VLAN to peer access points wishing to adopt to it.
  • Page 306 5 - 222 WiNG 5.7.1 Access Point System Reference Guide Figure 5-145 Device Overrides - Adoption screen 7. Define a 64 character maximum Preferred Group. The preferred group is the controller group the access point would prefer to connect to upon adoption.
  • Page 307 5 - 223 11. Define the Offline Duration for this device. This is the time duration in minutes after which an unadopted device generates an offline event. 12. Use the spinner control to set the Controller VLAN. This is the VLAN the Virtual Controller is reachable on. Select from 1 - 4094. There is no default value for this setting. 13.
  • Page 308: Profile Interface Override Configuration

    5 - 224 WiNG 5.7.1 Access Point System Reference Guide 5.4.5.3 Profile Interface Override Configuration Device Overrides An access point requires its Virtual Interface be configured for layer 3 (IP) access or layer 3 service on a VLAN. A virtual interface defines which IP address is associated with each connected VLAN ID.
  • Page 309 5 - 225 6. Select Ethernet Ports. NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides.
  • Page 310 5 - 226 WiNG 5.7.1 Access Point System Reference Guide Tag Native VLAN A green check mark defines the native VLAN as tagged. A red “X” defines the native VLAN as untagged. When a frame is tagged, the 12 bit frame VLAN ID is added to the 802.1Q header so upstream Ethernet devices know which VLAN ID the frame belongs to.
  • Page 311 5 - 227 Speed Set the speed at which the port can receive and transmit the data. Select either 10 Mbps, 100 Mbps or 1000 Mbps. Select either of these options to establish a 10, 100 or 1000 Mbps data transfer rate for the selected half duplex or full duplex transmission over the port. These options are not available if Auto is selected.
  • Page 312 5 - 228 WiNG 5.7.1 Access Point System Reference Guide Tag Native VLAN Select this option to tag the native VLAN. The IEEE 802.1Q specification is supported for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame identifying, for upstream devices, the VLAN ID the frame belongs to.
  • Page 313 5 - 229 Figure 5-148 Ethernet Ports - Security screen 15. Refer to the Access Control field. As part of the port’s security configuration, Inbound IP and MAC address firewall rules are required. The configuration can be optionally overridden if needed. Use the Inbound MAC Firewall Rules drop-down menus to select the firewall rules to apply to this profile’s Ethernet port...
  • Page 314 5 - 230 WiNG 5.7.1 Access Point System Reference Guide 17. Refer to the Trust field to define the following: Trust ARP Responses Select this option to enable ARP trust on this port. ARP packets received on this port are considered trusted and information from these packets is used to identify rogue devices within the network.
  • Page 315 5 - 231 Re Authenticate Select to enable or disable reauthentication. Reauthentication is primarily used to refresh the current state of the selected port. When enabled the device is forced to reauthenticate. When this happens, the port is still considered authenticated. If reauthentication fails, the port is considered unauthorized and devices using the port are denied access.
  • Page 316 5 - 232 WiNG 5.7.1 Access Point System Reference Guide Figure 5-149 Ethernet Ports – Spanning Tree Configuration Spanning Tree Protocol (STP) (IEEE 802.1D standard) configures a meshed network for robustness by eliminating loops within the network and calculating and storing alternate paths to provide fault tolerance.
  • Page 317 5 - 233 VLANs. The frames assigned to these VLANs operate in this spanning tree instance whenever they are inside the MST region. To avoid conveying their entire VLAN-to-spanning-tree mapping in each BPDU, the access point encodes an MD5 digest of their VLAN-to-instance table in the MSTP BPDU.
  • Page 318 5 - 234 WiNG 5.7.1 Access Point System Reference Guide 5.4.5.3.2 Virtual Interface Override Configuration Profile Interface Override Configuration A Virtual Interface is required for layer 3 (IP) access or to provide layer 3 service on a VLAN. The Virtual Interface defines which IP address is associated with each VLAN ID.
  • Page 319 5 - 235 7. Review the following parameters unique to each Virtual Interface configuration to determine whether a parameter override is warranted: Name Displays the name of each listed Virtual Interface assigned when it was created. The name is from 1 - 4094, and cannot be modified as part of a Virtual Interface edit. Type Displays the type of Virtual Interface for each listed interface.
  • Page 320 5 - 236 WiNG 5.7.1 Access Point System Reference Guide The Basic Configuration screen displays by default regardless of whether a new Virtual Interface is being created or an existing one is being modified. 9. If creating a new Virtual Interface, use the spinner control to define a numeric ID from 1 - 4094.
  • Page 321 5 - 237 14. Set the following MTU settings for the virtual interface: Maximum Transmission Unit (MTU) Set the PPPoE client maximum transmission unit (MTU) from 500 - 1,492. The MTU is the largest physical packet size in bytes a network can transmit. Any messages larger than the MTU are divided into smaller packets before being sent.
  • Page 322 5 - 238 WiNG 5.7.1 Access Point System Reference Guide Figure 5-152 Device Overrides - Virtual Interfaces - Basic Configuration screen - IPv4 tab 21. Set the following network information from within the IPv4 Addresses field: Enable Zero Configuration Zero configuration can be a means of providing a primary or secondary IP address for the virtual interface.
  • Page 323 5 - 239 Figure 5-153 Device Overrides - Virtual Interfaces - Basic Configuration screen - IPv6 tab 24. Refer to the IPv6 Addresses field to define how IPv6 addresses are created and utilized. IPv6 Mode Select this option to enable IPv6 support on this virtual interface. IPv6 is disabled by default. IPv6 Address Static Define up to 15 global IPv6 IP addresses that can be created statically.
  • Page 324 5 - 240 WiNG 5.7.1 Access Point System Reference Guide Figure 5-154 Device Overrides - Virtual Interfaces - Basic Configuration screen - IPv6 tab - Add Address Prefix from Provider Delegated Prefix Enter a 32 character maximum name for the IPv6 address prefix from provider.
  • Page 325 5 - 241 Figure 5-156 Virtual Interfaces - Basic Configuration screen - IPv6 tab - Add DHCPv6 Relay Address Enter an address for the DHCPv6 relay. These DHCPv6 relays receive messages from DHCPv6 clients and forward them to DHCPv6 servers. The DHCPv6 server sends responses back to the relay, and the relay then sends these responses to the client on the local network.
  • Page 326 5 - 242 WiNG 5.7.1 Access Point System Reference Guide Router advertisements are periodically sent to hosts or sent in response to solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information. 32. Review the configurations of existing IPv6 advertisement policies. If needed select...
  • Page 327 5 - 243 Valid Lifetime Date If the lifetime type is set to decrementing, set the date in MM/DD/YYYY format for the expiration of the prefix. Valid Lifetime Time If the lifetime type is set to decrementing, set the time for the prefix's validity. Use the spinner controls to set the time in hours and minutes.
  • Page 328 5 - 244 WiNG 5.7.1 Access Point System Reference Guide Figure 5-159 Device Overrides - Virtual Interfaces Security screen 37. Use the IPv4 Inbound Firewall Rules drop-down menu to select the IPv4 specific inbound firewall rules to apply to this profile’s virtual interface configuration.
  • Page 329 5 - 245 Figure 5-160 Device Overrides – Virtual Interfaces Dynamic Routing screen 40. Refer to the following to configure OSPF Settings. Priority Select this option to enable or disable OSPF priority settings. Use the spinner to configure a value from 0 - 255. This option sets the priority of this interface becoming the Designated Router (DR) for the network.
  • Page 330 5 - 246 WiNG 5.7.1 Access Point System Reference Guide 42. Refer to the following to configure MD5 Authentication keys. Select the + Add Row button to add a row to the table. Key ID Set the unique MD5 Authentication key ID. The available key ID range is 1 - 255.
  • Page 331 5 - 247 Admin Status A green check mark defines the listed port channel as active and currently enabled with the access point’s profile. A red “X” defines the port channel as currently disabled and not available for use. The interface status can be modified with the port channel configuration as required. 7.
  • Page 332 5 - 248 WiNG 5.7.1 Access Point System Reference Guide Duplex Select either Half, Full or Automatic as the duplex option. Select Half duplex to send data over the port channel, then immediately receive data from the same direction in which the data was transmitted.
  • Page 333 5 - 249 Figure 5-163 Device Overrides - Port Channels - Security tab 13. Refer to the Access Control section. As part of the port channel’s security configuration, Inbound IPv4 IP, IPv6 IP and MAC address firewall rules are required. Use the IPv4 Inbound Firewall Rules, IPv6 Inbound Firewall Rules Inbound MAC Firewall Rules...
  • Page 334 5 - 250 WiNG 5.7.1 Access Point System Reference Guide Trust 802.1p COS values Select this option to enable 802.1p COS values on this port channel. The default value is enabled. Trust IP DSCP Select this option to enable IP DSCP values on this port channel. The default value is enabled.
  • Page 335 5 - 251 18. Define the following PortFast parameters for the port channel’s MSTP configuration: Enable PortFast PortFast reduces the time required for a port to complete an MSTP state change from Blocked to Forward. PortFast must only be enabled on ports on the wireless controller directly connected to a server/workstation and not another hub or controller.
  • Page 336 5 - 252 WiNG 5.7.1 Access Point System Reference Guide 20. Refer to the Spanning Tree Port Cost table. Define an Instance Index using the spinner control and then set the cost. The default path cost depends on the user defined port speed.
  • Page 337 5 - 253 Figure 5-165 Device Overrides - Access Point Radios screen NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear...
  • Page 338 5 - 254 WiNG 5.7.1 Access Point System Reference Guide 8. If required, select a radio configuration and select the Edit button to modify or override portions of its configuration. Figure 5-166 Device Overrides - Access Point Radio Settings tab Radio Settings tab displays by default.
  • Page 339 5 - 255 10. Set or override the following profile Radio Settings for the selected radio: RF Mode Set the mode to either 2.4 GHz WLAN or 5.0 GHz WLAN support depending on the radio’s intended client support. Set the mode to sensor if using the radio for rogue device detection.
  • Page 340 5 - 256 WiNG 5.7.1 Access Point System Reference Guide Enable Antenna Diversity Select this option for the radio to dynamically change the number of transmit chains. This option is enabled by default. Wireless Client Power Select this option to enable a spinner control for client radio power transmissions in dBm.
  • Page 341 5 - 257 DTIM Interval Set a DTIM Interval to specify a period for Delivery Traffic Indication Messages (DTIM). A DTIM is periodically included in a beacon frame transmitted from adopted radios. The DTIM indicates broadcast and multicast frames (buffered at the access point) are soon to arrive.
  • Page 342 5 - 258 WiNG 5.7.1 Access Point System Reference Guide 13. Select the WLAN Mapping/Mesh Mapping tab. Figure 5-167 Device Overrides - WLAN Mapping tab Refer to the WLAN/BSS Mappings field to set or override WLAN BSSID assignments for an existing access point deployment.
  • Page 343 5 - 259 Figure 5-168 Device Overrides - Access Point Radio - Mesh tab 16. Use the Mesh Legacy screen to define or override how mesh connections are established and the number of links available amongst access points within the Mesh network. 17.
  • Page 344 5 - 260 WiNG 5.7.1 Access Point System Reference Guide Figure 5-169 Device Overrides - Access Point Radio Advanced Settings tab 21. Refer to the Aggregate MAC Protocol Data Unit (A-MPDU) field to define or override how MAC service frames are aggregated by the access point radio.
  • Page 345 5 - 261 Select Enable Fair Access to enable this feature. Select Prefer High Throughput Clients to prefer clients with higher throughput (802.11n clients) over clients with slower throughput (802.11a/b/g clients). Use the spinner control to set a weight for the higher throughput clients. 25.
  • Page 346 5 - 262 WiNG 5.7.1 Access Point System Reference Guide 5.4.5.3.5 WAN Backhaul Overrides Profile Interface Override Configuration A Wireless Wide Area Network (WWAN) card is a specialized network interface card that allows a network device to connect, transmit and receive data over a Cellular Wide Area Network. Certain AP7131N model access points have a PCI Express card slot that supports 3G WWAN cards.
  • Page 347 5 - 263 6. Refer to the WAN (3G) Backhaul configuration to specify WAN card settings: WAN Interface Name Displays the WAN Interface name for the WAN 3G Backhaul card. Reset WAN Card If the WAN card becomes unresponsive or is experiencing other errors click the Reset WAN Card button to power cycle and reboot the WAN card.
  • Page 348 5 - 264 WiNG 5.7.1 Access Point System Reference Guide connection. By using such a connection, a Wireless WAN failover is available to maintain seamless network access if the access point’s Wired WAN were to fail. NOTE: Access points with PPPoE enabled continue to support VPN, NAT, PBR and 3G failover over the PPPoE interface.
  • Page 349 5 - 265 Figure 5-171 Device Overrides - PPPoE screen 6. Use the Basic Settings field to enable PPPoE and define a PPPoE client: Enable PPPoE Select Enable PPPoE to support a high speed client mode point-to-point connection using the PPPoE protocol. The default setting is disabled. Service Enter the 128 character maximum PPPoE client service name provided by the service provider.
  • Page 350 5 - 266 WiNG 5.7.1 Access Point System Reference Guide Password Provide the 64 character maximum password used for authentication by the PPPoE client. Select Show to display the actual characters comprising the password. Authentication Type Use the drop-down menu to specify the authentication type used by the PPPoE client, and whose credentials must be shared by its peer access point.
  • Page 351: Overriding The Network Configuration

    5 - 267 5.4.5.4 Overriding the Network Configuration Device Overrides Setting a network configuration is a large task comprised of numerous administration activities. Each of the configuration activities described can have an override applied to the original configuration. Applying an override differentiates the device from the profile’s configuration and requires careful administration to ensure this one device still supports the deployment requirements within the network.
  • Page 352 5 - 268 WiNG 5.7.1 Access Point System Reference Guide Figure 5-172 Device Overrides - Network DNS screen NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device...
  • Page 353 5 - 269 10. Select to save the changes and overrides made to the DNS configuration. Select Reset to revert to the last saved configuration. 5.4.5.4.2 Overriding an ARP Configuration Overriding the Network Configuration Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a hardware MAC address. ARP provides protocol rules for making this correlation and providing address conversion in both directions.
  • Page 354 5 - 270 WiNG 5.7.1 Access Point System Reference Guide 6. Set or override the following parameters to define the ARP configuration: Switch VLAN Interface Use the spinner control to select a VLAN (1 - 4094) for an address requiring resolution.
  • Page 355 5 - 271 4. Select Network to expand its sub menu options. 5. Select L2TP NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides.
  • Page 356 5 - 272 WiNG 5.7.1 Access Point System Reference Guide 7. Set the following Logging Settings for a L2TPv3 profile configuration: Enable Logging Select this option to enable the logging of Ethernet frame events to and from bridge VLANs and physical ports on a defined IP address, host or router ID. This setting is disabled by default.
  • Page 357 5 - 273 Critical Resource Specifies the critical resource that should exist for a tunnel between two peers to be created and maintained. Critical resources are device IP addresses or interface destinations interpreted as critical to the health of the network. Critical resources allow for the continuous monitoring of these defined addresses.
  • Page 358 5 - 274 WiNG 5.7.1 Access Point System Reference Guide Traffic Source Value Define a VLAN range to include in the tunnel session. Available VLAN ranges are from 1 - 4,094. Native VLAN Select this option to provide a VLAN ID that will not be tagged in tunnel establishment and packet transfer.
  • Page 359 5 - 275 Establishment Criteria Specify the establishment criteria for creating a tunnel. The tunnel is only created if this device is one of the following: • vrrp-master • cluster-master • rf-domain-manager The tunnel is always created if Always is selected. This indicates that the device need not be any one of the above three (3) to establish a tunnel.
  • Page 360 5 - 276 WiNG 5.7.1 Access Point System Reference Guide Figure 5-178 Device Overrides - Network - L2TPv3 screen, Add L2TP Peer Configuration 20. Define the following Peer parameters: Peer ID Define the primary peer ID used to set the primary and secondary peer for tunnel failover.
  • Page 361 5 - 277 Figure 5-179 Device Overrides - Network - L2TPv3 screen, Manual Session tab 24. Refer to the following manual session configurations to determine whether one should be created or modified: IP Address Lists the IP address assigned as the local tunnel end point address, not the interface IP address.
  • Page 362 5 - 278 Figure 5-180 Device Overrides - Network - L2TPv3 screen, Add L2TPv3 Peer Configuration 26. Set the following Manual Session parameters: Name Define a 31 character maximum name for this tunnel session. After a successful tunnel connection and establishment, the session is created.
  • Page 363 5 - 279 Encapsulation Select either IP or UDP as the peer encapsulation protocol. The default setting is IP. UDP uses a simple transmission model without implicit handshakes. UDP Port If UDP encapsulation is selected, use the spinner control to define the UDP encapsulation port.
  • Page 364 5 - 280 Figure 5-181 Device Overrides - Network - IGMP Snooping Screen 6. Set the following parameters to configure General IGMP Snooping values: Enable IGMP Snooping Select the box to enable IGMP Snooping on the access point. This feature is enabled by default.
  • Page 365 5 - 281 Maximum Response Time Specify the maximum time (from 1 - 25 seconds) before sending a responding report. When no reports are received from a radio, radio information is removed from the IGMP snooping table. The access point only forwards multicast packets to radios present in the snooping table.
  • Page 366 5 - 282 7. Define the following General MLD snooping settings: Enable MLD Snooping Enable MLD snooping to examine MLD packets and make forwarding decisions based on their content for this profile. Packets delivered to group members are identified by a single multicast group address.
  • Page 367 5 - 283 5. Select Quality of Service. NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides.
  • Page 368 5 - 284 7. Set or override the following parameters for IPv6 Traffic Class Mapping for untagged frames: Traffic Class Devices that originate a packet must identify different classes or priorities for IPv6 packets.
  • Page 369 5 - 285 Figure 5-184 Device Overrides - Network - Spanning Tree screen 6. Set the following MSTP Configuration parameters: MSTP Enable Select this option to enable MSTP for this profile. MSTP is disabled by default; enable it if different groups of VLANs must be supported on the profile's network segment. Max Hop Count Define the maximum number of hops the BPDU will consider valid in the spanning tree topology.
  • Page 370 5 - 286 Forward Delay Set the forward delay time from 4 - 30 seconds. When a device is first attached to a port, it does not immediately start to forward data. It first processes BPDUs and determines the network topology.
  • Page 371 5 - 287 3. Select a target device from the device browser in the lower left-hand side of the UI. 4. Select Network to expand its sub menu options. 5. Select Routing. The IPv4 Routing screen displays by default. Figure 5-185 Device Overrides - Network - Network Routing screen 6.
  • Page 372 5 - 288 11. Refer to the Default Route Priority field and set the following parameters: Static Default Route Use the spinner control to set the priority value (1 - 8,000) for the default static route.
  • Page 373 5 - 289 15. Set a System NS Retransmit Interval (from 1,000 to 3,600,000 milliseconds) as the interval between neighbor solicitation (NS) messages. NS messages are sent by a node to determine the link layer address of a neighbor, or verify a neighbor is still reachable via a cached link-layer address.
  • Page 374 5 - 290 5.4.5.4.9 Overriding a Dynamic Routing (OSPF) Configuration Overriding the Network Configuration Open Shortest Path First (OSPF) is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN.
  • Page 375 5 - 291 Figure 5-188 Device Overrides - Network - OSPF Settings screen 6. Enable/disable OSPF and provide the following dynamic routing settings: Enable OSPF Select this option to enable OSPF for this access point. OSPF is disabled by default. Router ID Select this option to define a router ID (numeric IP address) for this access point.
  • Page 376 5 - 292 VRRP Mode Check Select this option to enable checking VRRP state. If the interface’s VRRP state is not Backup, then the interface is published via OSPF. 7. Set the following...
  • Page 377 5 - 293 Figure 5-189 Device Overrides - Network - OSPF Area Settings screen 16. Review existing Area Settings configurations using: Area ID Displays either the IP address or integer representing the OSPF area. Authentication Type Lists the authentication schemes used to validate the credentials of dynamic route connections.
  • Page 378 5 - 294 Figure 5-190 Device Overrides - Network - OSPF Area Configuration screen 18. Set the OSPF Area configuration. Area ID Use the drop-down menu and specify either an IP address or Integer for the OSPF area.
  • Page 379 5 - 295 Figure 5-191 Device Overrides - Network - OSPF Interface Settings screen 21. Review existing Interface Settings using: Name Displays the name defined for the interface configuration. Type Displays the type of interface. Description Lists each interface’s 32 character maximum description. Admin Status Displays whether Admin Status privileges have been enabled or disabled for the OSPF route’s virtual interface connection.
  • Page 380 5 - 296 Figure 5-192 Device Overrides - Network - OSPF Virtual Interface - Basic Configuration screen The Basic Configuration screen displays by default regardless of whether a new Virtual Interface is being created or an existing one is being modified.
  • Page 381 5 - 297 26. Set the following DHCPv6 Client Configuration. The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) provides a framework for passing configuration information. Stateless DHCPv6 Client Select this option to request information from the DHCPv6 server using stateless DHCPv6. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network.
  • Page 382 5 - 298 31. Set the following Router Advertisement Processing settings for the virtual interface. Router advertisements are periodically sent to hosts or sent in response to solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information.
  • Page 383 5 - 299 34. Set the following network information from within the IPv4 Addresses field: Enable Zero Configuration Zero configuration can be a means of providing a primary or secondary IP address for the virtual interface. Zero configuration (or zero config) is a wireless connection utility included with Microsoft Windows XP and later as a service that dynamically selects a network to connect to based on a user's preferences and various default settings.
  • Page 384 5 - 300 Figure 5-194 Device Overrides - Network - OSPF Virtual Interfaces - Basic Configuration screen - IPv6 tab 37. Refer to the IPv6 Addresses field to define how IPv6 addresses are created and utilized.
  • Page 385 5 - 301 Figure 5-195 Device Overrides - Network - OSPF Virtual Interfaces - Basic Configuration screen - IPv6 tab - Add Address Prefix from Provider Delegated Prefix Name Enter a 32 character maximum name for the IPv6 address prefix from provider. Host ID Define the subnet ID, host ID and prefix length.
  • Page 386 5 - 302 Select + Add Row to launch a sub screen wherein a new DHCPv6 relay address and interface VLAN ID can be set. Figure 5-197 Device Overrides - Network - OSPF Virtual Interfaces - Basic Configuration screen -...
  • Page 387 5 - 303 Figure 5-199 Device Overrides - Network - OSPF Virtual Interfaces - Basic Configuration screen - Add IPv6 RA Prefix 45. Set the following IPv6 RA Prefix settings: Prefix Type Set the prefix delegation type used with this configuration. Options include Prefix and prefix-from-provider.
  • Page 388 5 - 304 Valid Lifetime Time If the lifetime type is set to decrementing, set the time for the prefix's end of validity. Use the spinner controls to set the time in hours and minutes. Use the...
  • Page 389 5 - 305 49. Use the IPv4 Inbound Firewall Rules drop-down menu to select the IPv4 specific inbound firewall rules to apply to this profile’s virtual interface configuration. Select the Create icon to define a new IPv4 firewall rule configuration or select the Edit icon to modify an existing configuration.
  • Page 390 5 - 306 53. Refer to the following to configure OSPF Settings: Priority Select to enable or disable OSPF priority settings. Use the spinner to configure a value in the range 0-255. This option sets the priority of this interface becoming the Designated Router (DR) for the network.
  • Page 391 5 - 307 5. Select Forwarding Database. NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides.
  • Page 392 5 - 308 For example, say several computers are used in conference room X and some in conference room Y. The systems in conference room X can communicate with one another, but not with the systems in conference room Y. The creation of a VLAN enables the systems in conference rooms X and Y to communicate with one another even though they are on separate physical subnets.
  • Page 393 5 - 309 Edge VLAN Mode Defines whether the VLAN is currently in edge VLAN mode. An edge VLAN is the VLAN where hosts are connected. For example, if VLAN 10 is defined with wireless clients and VLAN 20 is where the default gateway resides, VLAN 10 should be marked as an edge VLAN and VLAN 20 shouldn’t be marked as an edge VLAN.
  • Page 394 5 - 310 Figure 5-204 Device Overrides - Add Network Bridge VLAN screen 8. If adding a new Bridge VLAN configuration, use the spinner control to define or override a VLAN ID from 1 - 4094. This value...
  • Page 395 5 - 311 11. Set or override the following Web Filter parameters. Web filters are used to control access to resources on the Internet. URL Filter Use the drop-down menu to select a URL filter to use with this Bridge VLAN. L2 Tunnel Broadcast Select this option to enhance (optimize) layer 2 traffic broadcast packet transmissions.
  • Page 396 5 - 312 Video Set the random early detection threshold in % for video traffic. Set a value from 1 - 100%. The default is 25%. Voice Set the random early detection threshold in % for voice traffic. Set a value from 1 - 100%.
  • Page 397 5 - 313 Figure 5-205 Device Overrides - Network Bridge VLAN - IGMP Snooping screen 19. Set the following parameters to configure IGMP Snooping values: Enable IGMP Snooping Select this option to enable IGMP snooping. If disabled, snooping on this Bridge VLAN is disabled.
  • Page 398 5 - 314 21. Set the following parameters for IGMP Querier configuration: Enable IGMP Querier Select this option to enable IGMP querier. IGMP snoop querier is used to keep host memberships alive. It is primarily used in a network where there is a multicast streaming server and hosts subscribed to the server and no IGMP querier present.
  • Page 399 5 - 315 23. Define the following General MLD snooping parameters for the Bridge VLAN configuration: Multicast Listener Discovery (MLD) snooping enables a controller, service platform or access point to examine MLD packets and make forwarding decisions based on content. MLD is used by IPv6 devices to discover devices wanting to receive multicast packets destined for specific multicast addresses.
  • Page 400 5 - 316 information about the interfaces the access point uses. CDP runs only over the data link layer, enabling two systems that support different network-layer protocols to learn about each other. To override a profile’s CDP configuration: 1.
  • Page 401 5 - 317 2. Select Device Overrides from the Device menu to expand it into sub menu options. 3. Select a target device from the device browser in the lower left-hand side of the UI. 4. Select Network to expand its sub menu options. 5.
  • Page 402 5 - 318 4. Select Network to expand its sub menu options. 5. Select Miscellaneous. NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device...
  • Page 403 5 - 319 • Device aliases are defined from the Configuration > Devices > Device Overrides > Network > Alias screen. Device aliases are utilized by a single device only. Device alias values override alias values defined in a global alias, profile alias or RF Domain alias configuration.
  • Page 404 5 - 320 Figure 5-210 Device Overrides - Network - Basic Alias screen 6. Select + Add Row to define VLAN Alias settings. Use the VLAN Alias field to create unique aliases for VLANs that can be used at different deployments. For example, if a named VLAN is defined as 10 for the central network, and the VLAN is set at 26 at a remote location, the VLAN can be overridden at the deployment location with an alias.
  • Page 405 5 - 321 Use the Host Alias field to create aliases for hosts that can be utilized at different deployments. For example, if a central network DNS server is set to a static IP address, and a remote location’s local DNS server is defined, this host can be overridden at the remote location.
  • Page 406 5 - 322 loc2.domain.com, the alias can be overridden at the remote location to suit the local (but remote) requirement. At one remote location, the alias functions with the loc1.domain.com domain and at the other with the loc2.domain.com domain.
  • Page 407 5 - 323 Figure 5-211 Device Overrides - Network - Alias - Network Group Alias screen Name Displays the administrator assigned name of the Network Group Alias. Host Displays all host aliases configured in this network group alias. Displays a blank column if no host alias is defined.
  • Page 408 5 - 324 Figure 5-212 Device Overrides - Network - Alias - Network Group Alias Add screen 8. If adding a new Network Group Alias, provide it a name of up to 32 characters.
  • Page 409 5 - 325 5.4.5.4.18 Network Service Alias Overriding Alias Configuration Network Service Alias is a set of configurations that consist of protocol and port mappings. Both source and destination ports are configurable. For each protocol, up to 2 source port ranges and up to 2 destination port ranges can be configured. A maximum of 4 protocol entries can be configured per Network Service Alias.
  • Page 410: Overriding A Security Configuration

    5 - 326 Figure 5-214 Device Overrides - Network - Alias - Network Service Alias Add screen 8. If adding a new Network Service Alias, provide it a name of up to 32 characters.
  • Page 411 5 - 327 device’s deployed environment. However, in doing so this device must now be managed separately from the profile configuration shared by other identical models within the network. For more information on applying an override to an existing device profile, refer to the following sections: •...
  • Page 412 5 - 328 5.4.5.5.2 Quick Setup Wizard Overriding General Security Settings The Quick Setup Wizard creates a VPN connection with minimum manual configuration. Default values are retained for most of the parameters. Figure 5-216 VPN Quick Setup Wizard 1.
  • Page 413 5 - 329 Select Interface Configure the interface for creating the tunnel. The following options are available: • VLAN – Configures the tunnel over a Virtual LAN interface. Use the spinner to configure the VLAN number. • WWAN – Configures the tunnel over the WWAN interface. •...
  • Page 414 5 - 330 Figure 5-217 VPN Step-By-Step Wizard - Step 1 3. Define the following: Tunnel Name Provide a name for the tunnel in the Tunnel Name field. Tunnel Type Select the tunnel type being created. Two types of tunnels can be created. Site to Site is used to create a tunnel between two remote sites as indicated in the image.
  • Page 415 5 - 331 Figure 5-218 VPN Step-By-Step Wizard - Step 2 5. In the Step 2 screen, configure the following parameters: Peer Select the type of peer for this device when forming a tunnel. Peer information can be either IP Address or Host Name. Provide the IP address or the hostname of the peer device. Authentication Configure how the devices authenticate with each other.
  • Page 416 5 - 332 6. Click the Add Peer button to add the Tunnel peer information into the Peer(s) table. This table lists all the peers configured for the VPN Tunnel. 7. Click the Next button to go to the next configuration screen.
  • Page 417 5 - 333 Mode This field is enabled when Create New Policy is selected in the Transform Set field. The mode indicates how packets are transported through the tunnel. • Tunnel – Use this mode when the tunnel is between two routers or servers. •...
  • Page 418 5 - 334 3. Select a target device from the device browser in the lower left-hand side of the UI. 4. Select Security to expand its sub menu options. 5. Select Auto IPSec Tunnel to configure its parameters.
  • Page 419 5 - 335 5.4.5.5.5 Overriding General Security Settings Overriding a Security Configuration A profile can leverage existing firewall, wireless client role and WIPS policies and configurations and apply them to the configuration. This affords a profile a truly unique combination of data protection policies. However, as deployment requirements arise, an individual access point may need some or all of its general security configuration overridden from that applied in the profile.
  • Page 420 5 - 336 7. Use the Web Filter drop-down menu to select or override the URL Filter configuration applied to this virtual interface. Web filtering is used to restrict access to resources on the Internet.
  • Page 421 5 - 337 Additionally, a certificate can be placed on hold for a user defined period. If, for instance, a private key was found and nobody had access to it, its status could be reinstated. 7. Provide the name of the trustpoint in question within the Trustpoint Name field.
  • Page 422 5 - 338 Figure 5-224 Device Overrides - NAT Pool screen 6. The Pool tab displays by default. The NAT Pool screen lists those NAT policies created thus far. Any of these policies can be selected and applied to a profile.
  • Page 423 5 - 339 10. Select to save the changes or overrides made to the profile’s NAT Pool configuration. Select Reset to revert to the last saved configuration. 11. Select the Static NAT tab. The Source tab displays by default and lists existing static NAT configurations.
  • Page 424 5 - 340 Network Select Inside or Outside NAT as the network direction. The default setting is Inside. Select Inside to create a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network. To share a Web server on a perimeter interface with the Internet, use static address translation to map the actual address to a registered IP address.
  • Page 425 5 - 341 Figure 5-228 Device Overrides - Add Destination NAT screen 15. Static NAT creates a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network. To share a Web server on a perimeter interface with the Internet, use static address translation to map the actual address to a registered IP address.
  • Page 426 5 - 342 Network Select Inside or Outside NAT as the network direction. Inside is the default setting. Select Inside to create a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network. To share a Web server on a perimeter interface with the Internet, use static address translation to map the actual address to a registered IP address.
  • Page 427 5 - 343 Network Displays Inside or Outside NAT as the network direction for the dynamic NAT configuration. Interface Lists the VLAN (from 1 - 4094) used as the communication medium between the source and destination points within the NAT configuration. Overload Type Options include NAT Pool, One Global Address and Interface IP Address.
  • Page 428 5 - 344 Interface Select the VLAN (from 1 - 4094) or WWAN used as the communication medium between the source and destination points within the NAT configuration. Ensure the VLAN selected adequately supports the intended network traffic within the NAT supported configuration.
  • Page 429 5 - 345 Figure 5-231 Profile Override - Security - Bridge NAT screen 5. Review the following Bridge NAT configurations to determine whether a new Bridge NAT configuration requires creation or an existing configuration overridden or removed: Access List Lists the ACL applying IP address access/deny permission rules to the Bridge NAT configuration. Interface Lists the communication medium (outgoing layer 3 interface) between source and destination points.
  • Page 430 5 - 346 Figure 5-232 Profile Security - Dynamic NAT screen 7. Select the whose IP rules are applied to this policy based forwarding rule. A new ACL can be defined by selecting the...
  • Page 431 5 - 347 Figure 5-233 Profile Security - Source Dynamic NAT screen - Add Row field 11. Select to save the changes made within the Add Row Dynamic NAT screens. Select Reset to revert to the last saved configuration.
  • Page 432: Overriding The Virtual Router Redundancy Protocol (Vrrp) Configuration

    5 - 348 5.4.5.6 Overriding the Virtual Router Redundancy Protocol (VRRP) Configuration Overriding a Device Configuration A default gateway is a critical resource for connectivity. However, it is a potential single point of failure. Thus, redundancy for the default gateway is required by the access point.
  • Page 433 5 - 349 Figure 5-234 Device Overrides - VRRP screen - VRRP tab 5. Review the following VRRP configuration data to assess if a new VRRP configuration is required or if an existing VRRP configuration requires modification or removal: Virtual Router ID Lists a numerical index (from 1 - 254) used to differentiate VRRP configurations.
  • Page 434 5 - 350 Figure 5-235 Device Overrides - VRRP screen - Version tab VRRP version 3 (RFC 5798) and 2 (RFC 3768) are selectable to set the router redundancy. Version 3 supports sub-second (centisecond) VRRP failover and supports services over virtual IP.
  • Page 435 5 - 351 9. Define the following VRRP General parameters: Description In addition to an ID assignment, a virtual router configuration can be assigned a textual description (up to 64 characters) to further distinguish it from others with a similar configuration.
  • Page 436 5 - 352 Delta Priority Network Monitoring: Use this setting to decrement the configured priority (by the set value) when the monitored interface is down. When critical resource monitoring is used, the configured value is incremented by the value defined.
  • Page 437: Profile Critical Resources

    5 - 353 5.4.5.7 Profile Critical Resources System Profile Configuration Critical resources are device IP addresses or interface destinations on the network interpreted as critical to the health of the network. The critical resource feature allows for the continuous monitoring of these addresses. A critical resource, if not available, can result in the network suffering performance degradation.
  • Page 438 5 - 354 Figure 5-238 Device Overrides - Critical Resources screen - Adding a Critical Resource 6. Select Use Flows to configure the critical resource to monitor using firewall flows for DHCP or DNS instead of ICMP or ARP packets and reduce the amount of traffic on the network.
  • Page 439 5 - 355 Mode Set the ping mode used when the availability of a critical resource is validated. Select from: • arp-only – Use only the Address Resolution Protocol (ARP) to ping the critical resource. ARP is used to resolve hardware addresses when only the network layer address is known. •...
  • Page 440: Overriding A Services Configuration

    5 - 356 5.4.5.8 Overriding a Services Configuration Device Overrides A profile can contain specific guest access (captive portal), DHCP server and RADIUS server configurations. These access, IP assignment and user authorization resources can be defined uniquely as profile requirements dictate.
  • Page 441: Overriding A Management Configuration

    5 - 357 Either select an existing captive portal policy, use the default captive portal policy or select the Create link to create a new captive portal configuration that can be applied to a profile. For more information, see Configuring Captive Portal Policies on page 9-2.
  • Page 442 5 - 358 Figure 5-241 Device Overrides - Management Settings screen 5. Refer to the Message Logging field to define how the profile logs system events. It’s important to log individual events to discern an overall pattern that may be negatively impacting performance.
  • Page 443 5 - 359 Console Logging Level Event severity coincides with the console logging level defined for the profile. Assign a numeric identifier to log events based on criticality. Severity levels include 0 - Emergency, 1 - Alert, 2 - Critical, 3 - Errors, 4 - Warning, 5 - Notice, 6 - Info and 7 - Debug.
  • Page 444 5 - 360 10. Select to save the changes and overrides made to the profile’s Management Settings. Select Reset to revert to the last saved configuration. 11. Select the Firmware tab from the Management menu.
  • Page 445: Overriding Mesh Point Configuration

    5 - 361 17. Select to save the changes and overrides made to the profile maintenance Heartbeat tab. Select Reset to revert to the last saved configuration. 5.4.5.10 Overriding Mesh Point Configuration Device Overrides The access point can be configured to be a part of a meshed network. A mesh network is one where each node in the network is able to communicate with other nodes in the network and where the node can maintain more than one path to its peers.
  • Page 446 5 - 362 Figure 5-245 Device Overrides - Add Mesh Point screen 6. Refer to the following to configure Mesh Point General parameters: Mesh Connex Policy Provide a name for the Mesh Connex Policy. Use the Create icon to create a new Mesh Connex Policy.
  • Page 447 5 - 363 Monitor Critical Resources Select this option to enable critical resource monitoring for this mesh point. Monitor Primary Port Link Select to enable monitoring of the primary port link for this mesh connex policy. If the primary port link is not present and the device is a mesh root, it is automatically changed to a non-root device.
  • Page 448 5 - 364 NOTE: With this release of the WiNG software, an AP7161 model access point can be deployed as a Vehicle Mounted Modem (VMM) to provide wireless network access to a mobile vehicle (car, train, etc.). A VMM provides layer 2 mobility for connected devices.
  • Page 449 5 - 365 This screen provides configuration for the 2.4 GHz and 5.0/4.9 GHz frequencies. Refer to the following for more information on the Auto Channel Selection Dynamic Root Selection screen. These descriptions are common for configuring the 2.4 GHz and 5.0/4.9 GHz frequencies. Channel Width Configure the channel width that mesh point automatic channel scan should assign to the...
  • Page 450 5 - 366 Figure 5-247 Mesh Point Auto Channel Selection Path Method SNR screen Refer to the following for more information on the Path Method SNR screen. These descriptions apply to both the 2.4 GHz and 5.0/4.9 GHz frequencies.
  • Page 451 5 - 367 SNR Threshold Configure the signal to noise threshold value for path selection. When the signal strength of the next hop in the mesh network goes below this value, a scan is triggered to select a better next hop. The default is -65 dB. Off-channel Duration Configure the duration in the range of 20 - 250 milliseconds for the Off Channel Duration field.
  • Page 452 5 - 368 11. Refer to the following for more information on the Path Method Root Path Metric screen. These descriptions apply to both the 2.4 GHz and 5.0/4.9 GHz frequencies. Channel Width Configure the channel width that mesh point automatic channel scan should assign to the selected radio.
  • Page 453 5 - 369 • Set the RTS threshold value to 1 on all mesh devices. The default value is 65,536. For more information on defining radio settings, see Access Point Radio Configuration. • Use Opportunistic as the rate selection setting for the AP7161 radio. The default is Standard. For more information on defining this setting, see Radio Override Configuration.
  • Page 454: Overriding An Advanced Configuration

    5 - 370 5.4.5.11 Overriding an Advanced Configuration Device Overrides Advanced device settings set or override a profile’s MINT and/or NAS configurations. MINT secures controller profile communications at the transport layer. Using MINT, a device can be configured to only communicate with other authorized (MINT enabled) devices.
  • Page 455 5 - 371 Figure 5-249 Device Overrides - Client Load Balancing 6. Use the Group ID field to define a group ID of up to 32 characters. 7. Use the drop-down to set a value for strategy. Options include Prefer 5GHz, Prefer 2.4 GHz, and distribute-by-ratio. The default value is Prefer 5GHz.
  • Page 456 5 - 372 Balance 5 GHz Channel Loads Select this option to balance the access point’s 5 GHz radio load across the channels supported within the country of deployment. This can prevent congestion on the 5 GHz radio if a channel is over utilized.
  • Page 457 5 - 373 13. Refer to the following AP Load Balancing fields to configure or override them: Min Value to Trigger Load Balancing Use the spinner control to set the access point radio threshold value (from 0 - 100%) used to initiate load balancing across other access point radios.
  • Page 458 5 - 374 Max confirmed Neighbors: Use the spinner to set the maximum number of learned neighbors stored at this device. Minimum signal strength for smart-rf: Use the spinner to set the minimum signal strength of neighbor devices that are learned through Smart RF before being recognized as neighbors.
  • Page 459 5 - 375 20. Define or override the following MINT Link Settings: MLCP IP: Select this option to enable MINT Link Creation Protocol (MLCP) by IP Address. MINT Link Creation Protocol is used to create one UDP/IP link from the device to a neighbor. That neighboring device can be another AP.
  • Page 460 5 - 376 Figure 5-251 Device Overrides - Advanced Profile MINT screen - IP tab The IP tab displays the IP address, Routing Level, Listening Link, Port, Forced Link, Link Cost, Hello Packet Interval, Adjacency Hold Time, IPSec Secure and IPSec GW information that managed devices use to securely communicate amongst one another.
  • Page 461 5 - 377 Figure 5-252 Device Overrides - Advanced Profile MINT screen - IP (Add) 27. Set the following Link IP parameters to complete the MINT network address configuration: Define or override the IP address used by peer access points for interoperation when supporting the MINT protocol.
  • Page 462 5 - 378 28. Select to save the changes and overrides made to the MINT protocol’s network address configuration. Select Reset to revert to the last saved configuration. 29. Select the VLAN tab to display the link IP VLAN information shared by the access points managed by the MINT configuration.
  • Page 463 5 - 379 Routing Level: Use the spinner control to define or override a routing level of either 1 or 2. Link Cost: Use the spinner control to define or override a link cost from 1 - 10,000. The default value is 10.
  • Page 464 5 - 380 (downstream). Existing rate limit configurations display along with their virtual connection protocols and data traffic QoS customizations. 36. Select to create a new rate limit configuration or Edit to update an existing configuration.
  • Page 465 5 - 381 VLAN: When the Protocol is set to link and the Link Type is set to VLAN, use the spinner control to select a virtual LAN from 1 - 4094 to refine the rate limiting configuration to a specific VLAN. When the Protocol is set to link and the Link Type is set to VLAN, enter the IP address as the network target for rate limiting.
  • Page 466 5 - 382 Figure 5-257 Device Overrides - Miscellaneous screen 40. Set a NAS-Identifier Attribute up to 253 characters in length. This is the RADIUS NAS-Identifier attribute that typically identifies where a RADIUS message originates. 41.
  • Page 467: Overriding Environmental Sensor Configuration

    5 - 383 5.4.5.12 Overriding Environmental Sensor Configuration NOTE: This feature is available on the AP8132 model only. An AP8132 sensor module is a USB environmental sensor extension to an AP8132 model access point. It provides a variety of sensing mechanisms, allowing the monitoring and reporting of the AP8132's radio coverage area.
  • Page 468 5 - 384 Low Limit of Light Threshold: Set the low threshold limit (from 0 - 1,000 lux) to determine whether the lighting is off in the AP8132’s deployment location. The default is 100.
  • Page 469: Managing An Event Policy

    5 - 385 5.5 Managing an Event Policy Event Policies enable an administrator to create specific notification mechanisms using one, some or all of the SNMP, syslog, controller forwarding or E-mail notification options available to the controller. Each listed event can have customized notification settings defined and saved as part of an event policy.
  • Page 471: Chapter 6, Wireless Configuration

    CHAPTER 6 WIRELESS CONFIGURATION A Wireless Local Area Network (WLAN) is a data-communications system and wireless local area network that flexibly extends the functionality of a wired LAN. A WLAN links two or more computers or devices using spread-spectrum or OFDM modulation based technology.
  • Page 472 6 - 2 Figure 6-1 Configuration > Wireless menu...
  • Page 473: Wireless Lans

    6 - 3 6.1 Wireless LANs To review the attributes of existing WLANs and, if necessary, modify their configurations: 1. Select the Configuration tab from the Web UI. 2. Select Wireless. 3. Select Wireless LANs to display a high-level view of existing WLANs. Figure 6-2 Wireless LANs screen 4.
  • Page 474 6 - 4 DHCP Option 82: Displays whether DHCP Option 82 is enabled. DHCP option 82 provides additional information on the physical attachment of a client. DHCPv6 LDRA: Lightweight DHCPv6 Relay Agent (LDRA) is used to insert relay-agent options in DHCPv6 message exchanges that identify client-facing interfaces.
  • Page 475: Configuring Wlan Basic Configuration

    6 - 5 6.1.1 Configuring WLAN Basic Configuration When creating or modifying a WLAN, the Basic Configuration screen is the first screen that displays as part of the WLAN configuration screen flow. Use this screen to enable a WLAN, and define its SSID, client behavior and VLAN assignments. 1.
  • Page 476 6 - 6 5. Refer to the WLAN Configuration field to define the following: WLAN: If adding a new WLAN, enter its name in the space provided. Spaces between words are not permitted. The name could be a logical representation of the WLAN coverage area (engineering, marketing etc.).
  • Page 477: Wlan Basic Configuration Deployment Considerations

    6 - 7 7. Refer to the VLAN Assignment field to add or remove VLANs for the selected WLAN, and define the number of clients permitted. Remember, users belonging to separate VLANs can share the same WLAN. It’s not necessary to create a new WLAN for every VLAN in the network.
  • Page 478: Configuring Wlan Security Settings

    6 - 8 6.1.2 Configuring WLAN Security Settings Assign WLANs unique security configurations supporting authentication, captive portal (hotspot), self registration or encryption schemes as data protection requirements dictate. Figure 6-4 WLAN Security screen Authentication ensures only known and trusted users or devices access an access point managed WLAN.
  • Page 479: Eap, Eap-Psk And Eap Mac

    6 - 9 Refer to the following to configure a WLAN’s authentication scheme: • 802.1x EAP, EAP-PSK and EAP MAC • MAC Authentication • PSK / None Secure guest access to the network is referred to as captive portal. A captive portal is a guest access policy for providing temporary and restrictive access to the access point managed wireless network.
  • Page 480 6 - 10 encryption. 802.1X EAP can be deployed with WEP, WPA or WPA2 encryption schemes to further protect user information forwarded over wireless controller managed WLANs. The EAP process begins when an unauthenticated supplicant (client device) tries to connect with an authenticator (in this case, the authentication server).
  • Page 481: Mac Authentication

    6 - 11 • It is recommended that a valid certificate be issued and installed on devices providing 802.1X EAP. The certificate should be issued from an Enterprise or public certificate authority to allow 802.1X clients to validate the identity of the authentication server prior to forwarding credentials.
  • Page 482: Psk / None

    6 - 12 MAC Authentication Deployment Considerations Before defining a MAC authentication configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective: • MAC authentication can only be used to identify end-user devices, not the users themselves.
  • Page 483: Passpoint Policy

    6 - 13 6.1.2.5 Passpoint Policy A Passpoint policy provides an interoperable platform for streamlining Wi-Fi access to access points deployed as public hotspots. Passpoint is supported across a wide range of wireless network deployment scenarios and client devices. 1.
  • Page 484: External Controller

    6 - 14 10. Select when completed to update the MAC Registration configuration. Select Reset to revert the screen back to the last saved configuration. 6.1.2.7 External Controller External controller configuration enables this WLAN to be managed by a remote wireless controller. This feature is disabled by default.
  • Page 485 6 - 15 Figure 6-5 WLAN Security - TKIP-CCMP screen 7. Define the Settings. Pre-Shared Key: Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share. The alphanumeric string allows character spaces.
  • Page 486 6 - 16 Frequent rotating of these keys is recommended so that a potential hacker would not have enough data using a single key to attack the deployed encryption scheme. Unicast Rotation Interval: Define a unicast key transmission interval from 30 - 86,400 seconds.
  • Page 487 6 - 17 Exclude WPA2-TKIP: Select this option to advertise and enable support for only WPA-TKIP. This option can be used if certain older clients are not compatible with newer WPA2-TKIP information elements. Enabling this option allows backwards compatibility for clients that support WPA-TKIP and WPA2-TKIP, but do not support WPA2-CCMP.
  • Page 488: Tkip-Ccmp Deployment Considerations

    6 - 18 6.2 TKIP-CCMP Deployment Considerations Before defining a WPA-TKIP supported configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective: • It is recommended that TKIP only be enabled for legacy device support when WPA2-CCMP support is not available.
  • Page 489 6 - 19 Figure 6-6 WLAN Security - WPA2-CCMP screen 7. Define Settings. Pre-Shared Key: Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share. The alphanumeric string allows character spaces.
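  The Pre-Shared Key rule given for both the TKIP-CCMP screen (page 6-15) and the WPA2-CCMP screen (page 6-19), 8 to 63 ASCII characters or exactly 64 hex characters, is the standard WPA/WPA2 distinction between a passphrase and a raw 256-bit Pairwise Master Key (PMK): a passphrase is expanded into the PMK with PBKDF2-HMAC-SHA1 keyed over the SSID (4096 iterations, 32-byte output), whereas a 64-hex-digit key is used as the PMK directly. The Python below is an added example, not code from the guide or from the WiNG product; it validates a key against the screen's rule (spaces count as valid characters, as the guide states) and derives the PMK the way an 802.11i supplicant does. The function names are the example's own, and the passphrase "password" with SSID "IEEE" is the published IEEE 802.11i test vector used as an inline check.

```python
import hashlib
import re

# A 64-hex-digit key is taken as the raw 256-bit PMK (the "64 HEX characters" form).
HEX_PSK = re.compile(r"^[0-9a-fA-F]{64}$")


def classify_psk(psk: str) -> str:
    """Classify a pre-shared key per the WLAN Security screen rule.

    Returns "hex" for a 64-hex-digit raw PMK, "passphrase" for an 8-63
    character printable-ASCII passphrase (space, code 32, is allowed),
    and raises ValueError for anything the screen would reject.
    """
    if HEX_PSK.match(psk):
        return "hex"
    if 8 <= len(psk) <= 63 and all(32 <= ord(ch) <= 126 for ch in psk):
        return "passphrase"
    raise ValueError(
        "PSK must be 8-63 printable ASCII characters or exactly 64 hex digits"
    )


def derive_pmk(psk: str, ssid: str) -> bytes:
    """Return the 32-byte PMK that both authenticators end up sharing.

    Passphrases go through the 802.11i mapping
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes);
    a hex key is already the PMK and is only decoded.
    """
    if classify_psk(psk) == "hex":
        return bytes.fromhex(psk)
    return hashlib.pbkdf2_hmac(
        "sha1", psk.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def psk_check_report(psk: str, ssid: str) -> dict:
    """Summarise whether the key form is acceptable and the resulting PMK (hex)."""
    try:
        kind = classify_psk(psk)
    except ValueError as exc:
        return {"accepted": False, "reason": str(exc)}
    return {"accepted": True, "kind": kind, "pmk": derive_pmk(psk, ssid).hex()}


if __name__ == "__main__":
    # Constructed inputs; "password"/"IEEE" is the well-known 802.11i vector.
    print(psk_check_report("password", "IEEE"))
    print(psk_check_report("short", "IEEE"))          # rejected: fewer than 8 characters
    print(psk_check_report("ab" * 32, "IEEE"))        # accepted as a raw hex PMK
```

  Because a 64-character string falls outside the 8-63 passphrase range, the two forms never overlap: a string is either a hex PMK or a passphrase, never both, which is why the screen can accept either in the same field.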
  • Page 490 6 - 20 Frequent rotating of these keys is recommended so that a potential hacker would not have enough data using a single key to attack the deployed encryption scheme. Unicast Rotation Interval: Define a unicast key transmission interval from 30 - 86,400 seconds.
  • Page 491: Wep 64

    6 - 21 Exclude WPA2-TKIP: Select this option to advertise and enable support for only WPA-TKIP. This option can be used if certain older clients are not compatible with newer WPA2-TKIP information elements. Enabling this option allows backwards compatibility for clients that support WPA-TKIP and WPA2-TKIP, but do not support WPA2-CCMP.
  • Page 492 6 - 22 Figure 6-7 WLAN Security - WEP 64 screen 7. Configure the following WEP 64 settings: Generate Keys: Specify a 4 to 32 character pass key and select the Generate button. The pass key can be any alphanumeric string.
  • Page 493 6 - 23 Before defining a WEP 64 supported configuration on a WLAN, refer to the following deployment guideline to ensure the configuration is optimally effective: • It is recommended that additional layers of security (beyond WEP 64) be enabled to minimize the likelihood of data loss and security breaches.
  • Page 494 6 - 24 Figure 6-8 WLAN Security - WEP 128 screen 7. Configure the following WEP 128 settings: Generate Keys: Specify a 4 to 32 character pass key and select the Generate button. The pass key can be any alphanumeric string.
  • Page 495: Wep 128

    6 - 25 WEP 128 Deployment Considerations Before defining a WEP 128 supported configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective: • It is recommended that additional layers of security (beyond WEP) be enabled to minimize the likelihood of data loss and security breaches.
  • Page 496: Configuring Wlan Firewall Settings

    6 - 26 5. Configure the following Keyguard settings: Generate Keys: Specify a 4 to 32 character Pass Key and click the Generate button. The pass key can be any alphanumeric string. WiNG clients use the algorithm to convert an ASCII string to the same hexadecimal number.
  • Page 497 6 - 27 A MAC Firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation to WLAN packet traffic. Keep in mind, IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface.
  • Page 498 6 - 28 6. Select an existing Inbound IP Firewall Rules, Outbound IP Firewall Rules, Inbound IPv6 Firewall Rules or Outbound IPv6 Firewall Rules policy using the drop-down menu. If no rules exist, select the...
  • Page 499 6 - 29 Figure 6-13 WLAN Security - IP Firewall Rules - IP Firewall Rules Add Criteria screen NOTE: Only those selected IP ACL filter attributes display. Each value can have its current settings adjusted by selecting that IP ACL’s column to display a pop-up to adjust that one value.
  • Page 500 6 - 30 Destination: Select the destination IP address or network group configuration used as the basis for matching criteria for this IP ACL rule. Destination options include: • Any – Indicates any host device in any network.
  • Page 501 6 - 31 Mark: Select this option to mark certain fields inside a packet before allowing them. Mark is only applicable for Allow rules. Mark sets the rule’s 802.1p or dscp level (from 0 - 7). Select this option to create a log entry that a firewall rule has allowed a packet to be either denied or allowed.
  • Page 502 6 - 32 Figure 6-15 WLAN Security - IPv6 Firewall Rules - Edit Rule screen 14. Click the icon within the Description column (top right-hand side of the screen) and select IPv6 filter values as needed to add criteria into the configuration of the IPv6 ACL.
  • Page 503 6 - 33 Destination: Select the destination IPv6 address or network group configuration used as the basis for matching criteria for this IPv6 ACL rule. Destination options include: • Any – Indicates any host device in any IPv6 network. • Network – Indicates all hosts in a particular IPv6 network. Subnet mask information has to be provided for filtering based on network.
  • Page 504 6 - 34 Figure 6-17 WLAN Security - MAC Firewall Rules screen 20. Define the following parameters for either the inbound or outbound MAC Firewall Rules: Allow: Every MAC firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria.
  • Page 505 6 - 35 Match 802.1P: Configures IP DSCP to 802.1p priority mapping for untagged frames. Use the spinner control to define a setting from 0 - 7. Ethertype: Use the drop-down menu to specify an Ethertype of either ipv6, arp, wisp or monitor 8021q.
  • Page 506 6 - 36 DHCPv6 Trust: Select this option to trust all DHCPv6 responses on this WLAN’s firewall. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network.
  • Page 507: Configuring Wlan Client Settings

    6 - 37 6.2.2 Configuring WLAN Client Settings Each WLAN can maintain its own client setting configuration. These settings include wireless client inactivity timeouts and broadcast configurations. Dual-radio model access points can support up to 256 clients per access point. AP6511 and AP6521 models can support up to 128 clients per access point.
  • Page 508 6 - 38 6. Define the following Client Settings for the WLAN: Enable Client-to-Client: Select this option to allow client to client communication within this WLAN. The default is enabled, meaning clients are allowed to exchange packets with other clients. Disabling...
  • Page 509: Configuring Wlan Accounting Settings

    6 - 39 Proxy ND Mode: Use the drop-down menu to define the proxy neighbor discovery (ND) mode for WLAN member clients as either Strict or Dynamic. ND Proxy is used in IPv6 to provide reachability by allowing a client to act as proxy. Proxy certificate signing can be done either dynamically (requiring exchanges of identity and authorization information) or statically when the network topology is defined.
  • Page 510 6 - 40 To configure WLAN accounting settings: 1. Select the Configuration tab from the Web UI. 2. Select Wireless. 3. Select Wireless LANs to display a high-level view of existing WLANs.
  • Page 511: Configuring Wlan Service Monitoring Settings

    6 - 41 Case: Use the drop-down menu to specify whether the MAC address format supplied is specified in upper or lower case. The default setting is upper case. 7. Select Enable RADIUS Accounting to use an external RADIUS resource for AAA accounting. When the radio button is selected, an AAA Policy field displays.
  • Page 512 6 - 42 Figure 6-20 WLAN – Service Monitoring screen 6. Refer to the following for more information on Service Monitoring fields: AAA Server Monitoring: Select to enable monitoring of a dedicated external RADIUS server and ensure its adoption resource availability.
  • Page 513: Configuring Wlan Client Load Balancing Settings

    6 - 43 DHCP Server Monitoring - CRM Name: Configure the DHCP server to monitor. When this DHCP server becomes unavailable, the device falls back to the VLAN configured in the DHCP Server Monitoring:VLAN field. This VLAN has a DHCP server that provides a pool of IP addresses with a shorter lease time than the main DHCP server.
  • Page 514 6 - 44 Figure 6-21 WLAN - Client Load Balancing screen 6. Set the following Load Balance Settings generic to both the 2.4 GHz and 5.0 GHz bands: Enforce Client Load Balancing: Select this radio button to enforce a client load balance distribution on this WLAN. This setting is disabled by default.
  • Page 515 6 - 45 8. Set the following Load Balancing Settings (5 GHz): Single Band Clients: Select this option to enable single band client associations on the 5.0 GHz frequency, even if load balancing is available. This option is enabled by default. Max Probe Requests: Enter a value (from 0 - 10,000) for the maximum number of probe requests for client associations on the 5.0 GHz frequency.
  • Page 516: Configuring Wlan Advanced Settings

    6 - 46 6.2.6 Configuring WLAN Advanced Settings To configure advanced RADIUS configuration and radio rate settings for a WLAN: 1. Select the Configuration tab from the Web UI. 2. Select Wireless.
  • Page 517 6 - 47 6. Refer to the Advanced RADIUS Configuration field to set the WLAN’s NAS configuration and RADIUS Dynamic Authorization. NAS Identifier: Specify what is included in the RADIUS NAS-Identifier field for authentication and accounting packets. This is an optional setting, and defaults are used if no values are provided.
  • Page 518 6 - 48 Figure 6-24 Advanced WLAN - Rate Settings 5 GHz-WLAN screen 9. For 5.0 GHz WLAN radio transmission rate settings, define the minimum Basic and Supported rates in the 802.11a Rates, 802.11n Rates...
  • Page 519 6 - 49 Table 6.2 MCS-2Stream (columns: MCS Index, Number of Streams, 20 MHz No SGI, 20 MHz With SGI, 40 MHz No SGI, 40 MHz With SGI; the rate values are not recoverable from the extracted text). Table 6.3 MCS-3Stream (columns: MCS Index, Number of Streams, 20 MHz No SGI, 20 MHz With SGI, 40 MHz No SGI, 40 MHz With SGI)...
  • Page 520 6 - 50 Table 6.4 MCS-802.11ac (theoretical throughput for single spatial streams) (columns: MCS Index, 20 MHz No SGI, 20 MHz With SGI, 40 MHz No SGI, 40 MHz With SGI, 80 MHz No SGI, 80 MHz With SGI; the rate values are not recoverable from the extracted text)...
  • Page 521: Configuring Auto Shutdown Settings

    6 - 51 6.2.7 Configuring Auto Shutdown Settings Auto shutdown provides a mechanism to regulate the availability of a WLAN based on time. WLANs can be enabled or disabled depending on the day of the week and time of day. A WLAN can be made available during a particular time of the day to prevent misuse and reduce the vulnerability of the wireless network.
  • Page 522 6 - 52 Figure 6-25 WLAN - Auto Shutdown screen 6. Refer to the following to configure Auto Shutdown parameters: Shutdown on Mesh Point Loss: Select to enable the WLAN to shut down if the access point’s connection to the mesh network is lost.
  • Page 523 6 - 53 End Time: Configures the ending time of day(s) that the WLAN will be disabled. Use the spinner controls to select the hour and minute, in 12h time format. Then use the radio button to choose AM or PM. 9.
  • Page 524: Wlan Qos Policy

    6 - 54 6.3 WLAN QoS Policy QoS provides a data traffic prioritization scheme that reduces congestion from excessive traffic. If there is enough bandwidth for all users and applications (unlikely because excessive bandwidth comes at a very high cost), then applying QoS has very little value.
  • Page 525 6 - 55 4. Refer to the following read-only information to determine whether an existing policy can be used as is, an existing policy requires editing or a new policy requires creation: WLAN QoS Policy: Displays the name assigned to each listed WLAN QoS policy. The policy name cannot be edited. Wireless Client Classification: Lists each policy’s Wireless Client Classification as defined for this WLAN's intended...
  • Page 526: Configuring Qos Wmm Settings

    6 - 56 5. Either select the button to define a new WLAN QoS policy, or select an existing WLAN QoS policy and Edit its configuration. Existing QoS policies can also be selected and deleted as needed.
  • Page 527 6 - 57 Figure 6-27 WLAN - WLAN QoS Policy screen - WMM tab 5. Configure the following Settings in respect to the WLAN’s intended WMM radio traffic and user requirements: Wireless Client Classification: Use the drop-down menu to select the Wireless Client Classification for this WLAN's intended traffic.
  • Page 528 6 - 58 Non-Unicast Classification: Use this drop-down menu to define how traffic matching multicast masks is classified relative to prioritization on the radio. Options include Video, Voice, Normal, Low and Default. The default setting is Default.
  • Page 529 6 - 59 ECW Min: ECW Min is combined with ECW Max to create the contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic. The available range is from 0-15.
  • Page 530: Configuring A Wlan's Qos Rate Limit Settings

    6 - 60 Trust 802.11 WMM QoS: Select this option to trust 802.11 WMM QoS values for WLANs. This feature is enabled by default. 11. Select when completed to update this WLAN’s QoS settings. Select...
  • Page 531 6 - 61 Figure 6-28 WLAN - WLAN QoS Policy screen - Rate Limit tab 6. Configure the following intended Upstream Rate Limit parameters for the selected WLAN: Enable: Select this radio button to enable rate limiting for data transmitted from access point radios to associated clients on this WLAN.
  • Page 532 6 - 62 Maximum Burst Size: Set a maximum burst size from 2 - 1024 kbytes. The smaller the burst, the less likely the upstream packet transmission will result in congestion for the WLAN’s wireless client destinations.
  • Page 533 6 - 63 Maximum Burst Size: Set a maximum burst size from 2 - 1024 kbytes. The smaller the burst, the less likely the downstream packet transmission will result in congestion for the WLAN’s wireless client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained.
  • Page 534 6 - 64 Maximum Burst Size: Set a maximum burst size from 2 - 1024 kbytes. The smaller the burst, the less likely the upstream packet transmission will result in congestion for wireless client traffic. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained.
  • Page 535: Configuring Multimedia Optimizations

    6 - 65 Maximum Burst Size: Set a maximum burst size from 2 - 1024 kbytes. The smaller the burst, the less likely the downstream packet transmission will result in congestion for wireless client traffic. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained.
  • Page 536 6 - 66 Figure 6-29 WLAN - WLAN QoS Policy Screen - Multimedia Optimizations 6. Configure the following parameters in respect to the intended Multicast Mask: Multicast Mask Primary: Configure the primary multicast mask for each listed QoS policy. Normally all multicast and broadcast packets are buffered until the periodic DTIM interval (indicated in the 802.11 beacon frame), when clients in power save mode wake to check for frames.
  • Page 537: Wlan Qos Deployment Considerations

    6 - 67 Automatically Detect Multicast Streams: Select this option to convert multicast packets to unicast to provide better overall airtime utilization and performance. The administrator can either have the system automatically detect multicast streams and convert all detected multicast streams to unicast, or specify which multicast streams are converted to unicast.
  • Page 538: Radio Qos Policy

    6 - 68 6.4 Radio QoS Policy Without a dedicated QoS policy, a network operates on a best-effort delivery basis, meaning all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being...
  • Page 539: Configuring A Radio's Qos Policy

    6 - 69 Wireless network administrators can also assign weights to each WLAN in relation to user priority levels. The lower the weight, the lower the priority. Use a weighted round robin technique to achieve different QoS levels across WLANs. Optionally rate-limit bandwidth for WLAN sessions.
  • Page 540 6 - 70 Implicit TSPEC: A green check mark defines the policy as requiring wireless clients to send their traffic specifications to an access point before they can transmit or receive data. If enabled, this setting applies to just this radio’s QoS policy.
  • Page 541 6 - 71 6. Set the following Voice Access settings for the radio QoS policy: Transmit Ops: Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity. When resources are shared between a Voice over IP (VoIP) call and a low priority file transfer, bandwidth is normally exploited by the file transfer, thus reducing call quality or even causing the call to disconnect.
  • Page 542 6 - 72 ECW Min: ECW Min is combined with ECW Max to create a contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism.
  • Page 543 6 - 73 Figure 6-32 Radio QoS Policy screen - Admission Control tab 12. Select the Firewall detection traffic Enable (e.g., SIP) check box to force admission control on traffic whose access category is detected by the firewall. This option is enabled by default. 13.
  • Page 544 6 - 74 Maximum Wireless Clients: Set the number of voice supported wireless clients allowed to exist (and consume bandwidth) within the radio’s QoS policy. Select from an available range of 0 - 256 clients.
  • Page 545 6 - 75 Maximum Airtime: Set the maximum airtime (in the form of a percentage of the radio’s bandwidth) allotted to admission control for video supported client traffic. The available percentage range is from 0 - 150%, with 150% being available to account for over-subscription. This value helps ensure the radio’s bandwidth is available for high bandwidth video traffic (if anticipated on the wireless medium) or other access category traffic if video support is not prioritized.
  • Page 546 6 - 76 Figure 6-33 Radio QoS Policy screen - Multimedia Optimizations tab 19. Set the following Accelerated Multicast settings: Maximum multicast streams allowed: Specify the maximum number of multicast streams (from 0 - 256) allowed accelerated multicast.
  • Page 547 6 - 77 Smart Aggregation enhances the existing implementation of frame aggregation by dynamically selecting the time when the aggregated frame is transmitted. In the normal implementation of frame aggregation, an aggregated frame is sent when it meets one of these conditions: •...
  • Page 548 6 - 78 WiNG 5.7.1 Access Point System Reference Guide Radio QoS Configuration and Deployment Considerations Radio QoS Policy Before defining a radio QoS policy, refer to the following deployment guidelines to ensure the configuration is optimally effective: • To support QoS, each multimedia application, wireless client and WLAN is required to support WMM.
  • Page 549: Association Acl

    6 - 79 6.5 Association ACL An Association ACL is a policy-based Access Control List (ACL) that either prevents or allows wireless clients from connecting to a WLAN. An Association ACL allows an administrator to grant or restrict client access by specifying a wireless client MAC address or range of MAC addresses to either include or exclude from connectivity.
  • Page 550 6 - 80 Figure 6-35 Association ACL screen 5. Select the + Add Row button to add an association ACL template. 6. If creating a new Association ACL, provide a name specific to its function. Avoid naming it after a WLAN it may support.
  • Page 551: Association Acl Deployment Considerations

    6 - 81 6.5.1 Association ACL Deployment Considerations Before defining an Association ACL configuration and applying it to a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective: • Use the Association ACL screen strategically to name and configure ACL policies meeting the requirements of the particular WLANs they may map to.
  • Page 552: Smart Rf

    6 - 82 6.6 SMART RF Self Monitoring At Run Time RF Management (SMART RF) is an innovation designed to simplify RF configurations for new deployments, while (over time) providing on-going deployment optimization and radio performance improvements.
  • Page 553 6 - 83 3. Select Smart RF. The Basic Configuration screen displays by default. 4. Select the Activate SMART RF Policy check box to enable the parameters on the screen for configuration. The configuration cannot be applied to the access point profile unless this setting is selected and remains enabled. Figure 6-36 SMART RF - Basic Configuration screen 5.
  • Page 554 6 - 84 WiNG 5.7.1 Access Point System Reference Guide 6. Refer to the Calibration Assignment field to define whether Smart RF Calibration and radio grouping is conducted by the floor the access point is deployed on or by the building in its entirety. Both options are disabled by default.
  • Page 555 6 - 85 9. Refer to the Power Settings field to define Smart RF recovery settings for the access point’s 5.0 GHz (802.11a) and 2.4 GHz (802.11bg) radio. 5 GHz Minimum Power Use the spinner control to select a 1 - 20 dBm minimum power level for Smart RF to assign to a radio in the 5.0 GHz band.
  • Page 556 6 - 86 WiNG 5.7.1 Access Point System Reference Guide Channel List Use the Select drop-down menu to select the channels used in Smart RF area based channel settings. 13. Select to update the Smart RF Channel and Power settings for this policy. Select...
  • Page 557 6 - 87 Use the drop-down menu to select a day of the week to apply the override. Selecting All will apply the policy every day. Selecting weekends will apply the policy on Saturdays and Sundays only. Selecting weekdays will apply the policy on Monday, Tuesday, Wednesday, Thursday and Friday.
  • Page 558 6 - 88 WiNG 5.7.1 Access Point System Reference Guide Figure 6-39 SMART RF Recovery Configuration screen - Neighbor Recovery tab Power Hold Time Defines the minimum time between two radio power changes during neighbor recovery. Set the time in either Seconds (0 - 3,600), Minutes (0 - 60) or Hours (0 - 1). The default setting is 0 seconds.
  • Page 559 6 - 89 22. Set the following Dynamic Sample Recovery parameters: Dynamic Sample Enabled Select this option to enable dynamic sampling. Dynamic sampling enables an administrator to define how Smart RF adjustments are triggered by locking retry and threshold values. This option is disabled by default. Dynamic Sample Retries Use the spinner control to set the number of retries (1 - 10) before a power change is allowed to compensate for a potential coverage hole.
  • Page 560 6 - 90 WiNG 5.7.1 Access Point System Reference Guide Noise Factor Use this field to set the noise factor to take into consideration by Smart RF during interference recovery calculations. Set a value from 1.0 - 3.0. Channel Hold Time Defines the minimum time between channel changes during neighbor recovery.
  • Page 561 6 - 91 28. Set the following Coverage Hole Recovery for 5.0 GHz and 2.4 GHz parameters: Client Threshold Use the spinner to set a client threshold from 1 - 255. This is the minimum number of clients a radio should have associated for coverage hole recovery to trigger. AP6522, AP6522M, AP6532, AP6562, AP8132, AP8232 and AP71XX model access points can support up to 256 clients per access point or radio.
  • Page 562: Smart Rf Configuration And Deployment Considerations

    6 - 92 WiNG 5.7.1 Access Point System Reference Guide 6.6.1 Smart RF Configuration and Deployment Considerations SMART RF Before defining a Smart RF supported configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective: • Smart RF is not able to detect a voice call in progress, and will switch to a different channel resulting in voice call reconnections •...
  • Page 563: Meshconnex Policy

    6 - 93 6.7 MeshConnex Policy Wireless Configuration MeshConnex is a mesh networking technology comparable to the 802.11s mesh networking specification. MeshConnex meshing uses a hybrid proactive/on-demand path selection protocol, similar to Ad hoc On Demand Distance Vector (AODV) routing protocols. This allows it to form efficient paths using multiple attachment points to a distribution WAN, or form purely ad-hoc peer-to-peer mesh networks in the absence of a WAN.
  • Page 564 6 - 94 WiNG 5.7.1 Access Point System Reference Guide Mesh ID Displays the IDs of all mesh identifiers for the configured mesh points. Mesh Point Status Specifies the status of each configured mesh point, either Enabled or Disabled. Description Displays any descriptive text entered for each of the configured mesh points.
  • Page 565 6 - 95 Mesh Point Status To enable this mesh point, select the Enabled radio button. To disable the mesh point, select the Disabled radio button. The default value is Enabled. Mesh QoS Policy Use the drop-down menu to specify the mesh QoS policy to use on this mesh point. This value is mandatory.
  • Page 566 6 - 96 WiNG 5.7.1 Access Point System Reference Guide Figure 6-44 MeshConnex - Security screen 9. Refer to the Select Authentication field to define an authentication method for the mesh policy. Security Mode Select a security authentication mode for the mesh point. Select None to have no authentication for the mesh point.
  • Page 567 6 - 97 Password Configure the password associated with the specified username. Trust Point Configure the name of the Trust Point used for installing the CA certificate and validating the server certificate. EAP TLS Configure the name of the Trust Point used for installing the client certificate, client private key, and CA certificate.
  • Page 568 6 - 98 WiNG 5.7.1 Access Point System Reference Guide Figure 6-45 Advanced Rate Settings 2.4 GHz screen Figure 6-46 Advanced Rate Settings 5 GHz screen...
  • Page 569 6 - 99 16. Define both minimum Basic and optimal Supported rates as required for the 802.11b rates, 802.11g rates and 802.11n rates supported by the 2.4 GHz band and the 802.11a and 802.11n rates supported by the 5.0 GHz radio band. These are the rates at which wireless client traffic is supported within this mesh point.
  • Page 570: Mesh Qos Policy

    6 - 100 WiNG 5.7.1 Access Point System Reference Guide 6.8 Mesh QoS Policy Wireless Configuration Mesh QoS provides a data traffic prioritization scheme that reduces congestion from excessive traffic. If there is enough bandwidth for all users and applications (unlikely because excessive bandwidth comes at a very high cost), then applying QoS has very little value.
  • Page 571 6 - 101 Mesh Rx Rate Limit Displays whether or not a Mesh Rx Rate Limit is enabled for each Mesh QoS policy. This indicates rate limiting is enabled or disabled for all data transmitted by the device to any mesh point in the mesh.
  • Page 572 6 - 102 WiNG 5.7.1 Access Point System Reference Guide Figure 6-48 Mesh QoS Policy - Rate Limit screen 6. Configure the following parameters with respect to the intended From Air Upstream Rate Limit, or traffic from the controller to associated access point radios and their associated neighbor:...
  • Page 573 6 - 103 Maximum Burst Size Set a maximum burst size from 2 - 1024 kbytes. The smaller the burst, the less likely packet transmission will result in congestion for the mesh point’s client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained.
  • Page 574 6 - 104 WiNG 5.7.1 Access Point System Reference Guide Maximum Burst Size Set a maximum burst size from 2 - 1024 kbytes. The smaller the burst, the less likely packet reception will result in congestion for the mesh point’s wireless client destinations.
  • Page 575 6 - 105 11. Set the following From Air Upstream Random Early Detection Threshold settings for each access category: Background Traffic Set a percentage value for background traffic in the transmit direction. This is a percentage of the maximum burst size for low priority traffic. Background traffic exceeding the defined threshold is dropped by the client and a log message is generated.
  • Page 576 6 - 106 WiNG 5.7.1 Access Point System Reference Guide 14. Select when completed to update these mesh QoS rate limit settings. Select Reset to revert the screen back to its last saved configuration. 15. Select the Multimedia Optimizations tab.
  • Page 577: Passpoint Policy

    6 - 107 6.9 Passpoint Policy Wireless Configuration A Passpoint Policy provides a mechanism by which devices can select the correct network by querying for information from the available networks and then deciding which network to associate with. A Passpoint policy is associated to a WLAN to enable the WLAN to provide hotspot services.
  • Page 578 6 - 108 WiNG 5.7.1 Access Point System Reference Guide 5. Select the button to define a new Passpoint policy, or select an existing Passpoint policy and select Edit to modify its existing configuration. Existing Passpoint policies can be selected and deleted as needed.
  • Page 579: Chapter 7, Network Configuration

    CHAPTER 7 NETWORK CONFIGURATION The access point allows packet routing customizations and additional route resources. For more information on the network configuration options available to the access point, refer to the following: • Policy Based Routing (PBR) • L2TP V3 Configuration •...
  • Page 580: Policy Based Routing (Pbr)

    7 - 2 WiNG 5.7.1 Access Point System Reference Guide 7.1 Policy Based Routing (PBR) Network Configuration Define a policy based routing (PBR) configuration to direct packets to selective paths. PBR can optionally mark traffic for preferential services or Quality of Service (QoS). PBR minimally provides the following: •...
  • Page 581 7 - 3 • Default next hop - If a packet subjected to PBR does not have an explicit route to the destination, the configured default next hop is used. This can be either the IP address of the next hop or the outgoing interface. Only one default next hop can be defined.
  • Page 582 7 - 4 WiNG 5.7.1 Access Point System Reference Guide 5. If creating a new PBR policy, assign it a Policy Name up to 32 characters to distinguish this route map configuration from others with similar attributes. Select Continue to proceed to the Policy Name screen where route map configurations can be added, modified or removed.
  • Page 583 7 - 5 Figure 7-3 Policy Based Routing screen - Add a Route Map 8. Use the spinner control to set a numeric precedence (priority) for this route-map. An incoming packet is matched against the route-map with the highest precedence (lowest numerical value). 9.
  • Page 584 7 - 6 WiNG 5.7.1 Access Point System Reference Guide Incoming Interface Select this option to enable radio buttons used to define the interfaces required to receive route-map packets. Use the drop-down menu to define either the access point’s wwan1 or pppoe1 interface.
  • Page 585 7 - 7 Figure 7-4 Policy Based Routing screen - General tab 13. Set the following General PBR configuration settings: Logging Select this option to log events generated by route-map configuration rule enforcement. This setting is disabled by default. Local PBR Select this option to implement policy based routing for this access point’s packet traffic.
  • Page 586: L2Tp V3 Configuration

    7 - 8 WiNG 5.7.1 Access Point System Reference Guide 7.2 L2TP V3 Configuration Network Configuration L2TP V3 is an IETF standard used for transporting different types of layer 2 frames in an IP network. L2TP V3 defines control and encapsulation protocols for tunneling layer 2 frames between two IP nodes.
  • Page 587 7 - 9 Figure 7-5 L2TP V3 Policy screen The L2TP V3 screen lists the policy configurations defined thus far. 2. Refer to the following to determine whether a new L2TP V3 policy requires creation or modification: Name Lists the 31-character maximum name assigned to each listed L2TP V3 policy upon creation.
  • Page 588 7 - 10 WiNG 5.7.1 Access Point System Reference Guide Force L2 Path Recovery Indicates if L2 Path Recovery is enabled to learn servers, gateways and other network devices behind an L2TPV3 tunnel. 3. Select to create a new L2TP V3 policy,...
  • Page 589 7 - 11 Reconnect Attempts Use the spinner control to set a value (from 0 - 250) representing the maximum number of reconnection attempts initiated to reestablish the tunnel. The default is 0. Reconnect Interval Define an interval in either Seconds (1 - 3,600), Minutes (1 - 60) or Hours (1) between two successive reconnection attempts.
  • Page 590: Crypto Cmp Policy

    7 - 12 WiNG 5.7.1 Access Point System Reference Guide 7.3 Crypto CMP Policy Network Configuration Certificate Management Protocol (CMP) is an Internet protocol to obtain and manage digital certificates in a Public Key Infrastructure (PKI) network. A Certificate Authority (CA) issues the certificates using the defined CMP.
  • Page 591 7 - 13 Figure 7-8 Crypto CMP Policy Creation screen 5. If creating a new Crypto CMP policy, assign it a Name up to 31 characters to help distinguish it. 6. Set the Certificate Renewal Timeout period to trigger a new certificate renewal request with the dedicated CMP server resource.
  • Page 592 7 - 14 WiNG 5.7.1 Access Point System Reference Guide Reference ID Set the user reference value for the CMP CA trust point message. The range is 0-256. This field is mandatory. Secret Specify the secret used for trustpoint authentication over the designated CMP server resource.
  • Page 593: Aaa Policy

    7 - 15 7.4 AAA Policy Network Configuration Authentication, Authorization, and Accounting (AAA) is the mechanism network administrators use to define access control within the access point managed network. The access point can optionally use external RADIUS and LDAP servers (AAA servers) to provide user database information and user authentication data.
  • Page 594 7 - 16 WiNG 5.7.1 Access Point System Reference Guide Figure 7-9 Authentication, Authorization, and Accounting (AAA) screen 4. Refer to the following information listed for each existing AAA policy: AAA Policy Displays the name assigned to the AAA policy when it was initially created. The name cannot be edited within a listed profile.
  • Page 595 7 - 17 Figure 7-10 AAA Policy - RADIUS Authentication tab 6. Refer to the following configured RADIUS Authentication details: Server Id Displays the numerical server index (1-6) for the accounting server when added to the list available to the access point. Host Displays the IP address or hostname of the RADIUS authentication server.
  • Page 596 7 - 18 WiNG 5.7.1 Access Point System Reference Guide NAI Routing Enable Displays NAI routing status. AAA servers identify clients using the NAI. The NAI is a character string in the format of an E-mail address as either user or user@ but it need not be a valid E-mail address or a fully qualified domain name.
  • Page 597 7 - 19 8. Define the following settings to add or modify AAA RADIUS authentication server configuration: Server Id Define the numerical server index (1-6) for the authentication server to differentiate it from others available to the access point’s AAA policy. Host Specify the IP address or hostname of the RADIUS authentication server.
  • Page 598 7 - 20 WiNG 5.7.1 Access Point System Reference Guide Realm Type Specify the type of realm that is being used, either Prefix or Suffix. Strip Realm Select this option to remove information from the packet when NAI routing is enabled.
  • Page 599 7 - 21 NAI Routing Enable Displays the NAI routing status. AAA servers identify clients using the NAI. The NAI is a character string in the format of an E-mail address as either user or user@ but it need not be a valid E-mail address or a fully qualified domain name.
  • Page 600 7 - 22 WiNG 5.7.1 Access Point System Reference Guide Host Specify the IP address or hostname of the RADIUS authentication server. A valid hostname cannot contain an underscore. Port Define or edit the port on which the RADIUS server listens to traffic within the access point managed network.
  • Page 601 7 - 23 Figure 7-14 AAA-Policy - Settings screen 15. Set the following RADIUS server configuration parameters: Protocol for MAC, Captive-Portal Authentication Set the authentication protocol when the server is used for any non-EAP authentication. Options include Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), MSPAP and MSCHAP-V2.
  • Page 602 7 - 24 WiNG 5.7.1 Access Point System Reference Guide Attributes Lists whether the format specified applies only to the user name/password in mac-auth or for all attributes that include a MAC address, such as calling-station-id or called-station-id. Server Pooling Mode Controls how requests are transmitted across RADIUS servers.
  • Page 603 7 - 25 Proxy NAS IPv4 Address Sets the RADIUS attribute NAS IP address and NAS IPv4 address behavior when proxying through the controller or RF Domain manager. Options include None and proxier (default setting). Proxy NAS IPv6 Address Sets the RADIUS attribute NAS IP address and NAS IPv4 address behavior when proxying through the controller or RF Domain manager.
  • Page 604: Aaa Tacacs Policy

    7 - 26 WiNG 5.7.1 Access Point System Reference Guide 7.5 AAA TACACS Policy Network Configuration Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol created by Cisco Systems which provides access control to network devices such as routers, network access servers and other networked computing devices through one or more centralized servers.
  • Page 605 7 - 27 Figure 7-15 Authentication, Authorization, and Accounting (AAA) TACACS screen 4. Refer to the following information for each existing AAA TACACS policy: AAA TACACS Policy Displays the name assigned to the AAA TACACS policy when it was initially created. The name cannot be edited within a listed profile.
  • Page 606 7 - 28 WiNG 5.7.1 Access Point System Reference Guide Figure 7-16 AAA TACACS Policy - Server Info tab 7. Under the Authentication table, select + Add Row.
  • Page 607 7 - 29 Figure 7-17 AAA TACACS Policy - Authentication - Add screen 8. Set the following Authentication settings: Server Id Set numerical server index (1-2) for the authentication server when added to the list of available TACACS authentication server resources. Host Specify the IP address or hostname of the AAA TACACS server.
  • Page 608 7 - 30 WiNG 5.7.1 Access Point System Reference Guide 10. Set the Authorization Server Preference to select the server to receive authorization requests. The default is authenticated-server-host. If selecting None, authenticated-server-number, authorized-server-host, or authorized-server-number, select + Add Row to populate the table with required parameters.
  • Page 609 7 - 31 Request Timeout Specify the time for the re-transmission of request packets after an unsuccessful attempt. The default is 3 seconds. If the set time is exceeded, the authentication session is terminated. Retry Timeout Factor Set the scaling of retransmission attempts from 50 - 200 seconds. The timeout at each attempt is a function of the retry timeout factor and the attempt number.
  • Page 610 7 - 32 WiNG 5.7.1 Access Point System Reference Guide 16. Set the following AAA TACACS Authentication server configuration parameters: Authentication Access Method Specify the connection method(s) for authentication requests. • All – Authentication is performed for all types of access without prioritization.
  • Page 611 7 - 33 NOTE: A maximum of 5 entries can be made in the Service Protocol Settings table. 20. Select to save the updates to the AAA TACACS policy. Select Reset to revert to the last saved configuration.
  • Page 612: Alias

    7 - 34 WiNG 5.7.1 Access Point System Reference Guide 7.6 Alias Network Configuration With large deployments, the configuration of remote sites utilizes a set of shared attributes, of which a small set of attributes are unique for each location. For such deployments, maintaining separate configuration (WLANs, profiles, policies and ACLs) for each remote site is complex.
  • Page 613 7 - 35 To edit or delete a basic alias configuration: 1. Select the Configuration tab from the Web user interface. 2. Select Network. 3. Select the Alias item; the Basic Alias screen displays. Figure 7-19 Network - Basic Alias Screen 4.
  • Page 614 7 - 36 WiNG 5.7.1 Access Point System Reference Guide • Switchport • Wireless LANs 5. Select + Add Row to define Address Range Alias settings: Use the Address Range Alias field to create aliases for IP address ranges that can be utilized at different deployments.
  • Page 615: Network Group Alias

    7 - 37 8. Select + Add Row to define String Alias settings: Use the String Alias field to create aliases for strings that can be utilized at different deployments. For example, if the main domain at a remote location is called loc1.domain.com and at another deployment location it is called loc2.domain.com, the alias can be overridden at the remote location to suit the local (but remote) requirement.
  • Page 616 7 - 38 WiNG 5.7.1 Access Point System Reference Guide Figure 7-20 Network - Alias - Network Group Alias screen Name Displays the administrator assigned name of the Network Group Alias. Host Displays all host aliases configured in this network group alias. Displays a blank column if no host alias is defined.
  • Page 617 7 - 39 Figure 7-21 Network - Alias - Network Group Alias Add screen 6. If adding a new Network Group Alias, provide it a name of up to 32 characters. NOTE: The Network Group Alias Name always starts with a dollar sign ($). 7.
  • Page 618: Network Service Alias

    7 - 40 WiNG 5.7.1 Access Point System Reference Guide 7.6.3 Network Service Alias Alias A network service alias is a set of configurations that consist of protocol and port mappings. Both source and destination ports are configurable. For each protocol, up to 2 source port ranges and up to 2 destination port ranges can be configured. A maximum of 4 protocol entries can be configured per network service alias.
  • Page 619 7 - 41 Figure 7-23 Network - Alias - Network Service Alias Add screen 6. If adding a new Network Service Alias, provide it a name up to 32 characters. NOTE: The Network Service Alias Name always starts with a dollar sign ($). 7.
  • Page 620: Ipv6 Router Advertisement Policy

    7 - 42 WiNG 5.7.1 Access Point System Reference Guide 7.7 IPv6 Router Advertisement Policy Network Configuration An IPv6 router policy allows routers to advertise their presence in response to solicitation messages. After receiving a neighbor solicitation message, the destination node sends an advertisement message, which includes the link layer address of the source node.
  • Page 621 7 - 43 IPv6 RA Policy Name screen displays. Figure 7-25 Network IPv6 RA Policy Name screen 3. Set the following Router Advertisement Policy Basic Settings: Advertise MTU Select this option to include the Maximum Transmission Unit (MTU) in the router advertisements.
  • Page 622 7 - 44 WiNG 5.7.1 Access Point System Reference Guide RA Consistency Flag Select this option to check if parameters advertised by other routers on the local link are in conflict with those advertised by this controller, service platform or access point.
  • Page 623: Network Deployment Considerations

    7 - 45 Domain Name Lifetime Type Set the DNS Server Lifetime Type. Options include expired, External (fixed), and infinite. The Lifetime Type default is External (fixed). Domain Name Lifetime Set the maximum time the DNS domain name is available as a name resolution resource. The Lifetime default is 10 minutes.
  • Page 624 7 - 46 WiNG 5.7.1 Access Point System Reference Guide...
  • Page 625: Chapter 8, Security Configuration

    CHAPTER 8 SECURITY CONFIGURATION When taking precautions to secure wireless traffic from a client to an access point, the network administrator should not lose sight of the security solution in its entirety, since the network’s chain is only as strong as its weakest link. An access point managed wireless network provides seamless data protection and user validation to protect and secure data at each vulnerable point in the network.
  • Page 626: Wireless Firewall

    8 - 2 WiNG 5.7.1 Access Point System Reference Guide 8.1 Wireless Firewall Security Configuration A firewall enforces access control, and is considered a first line of defense in protecting proprietary information within the access point managed network. The means by which this is accomplished varies, but in principle firewalls are mechanisms that block and permit data traffic within the network.
  • Page 627 8 - 3 Figure 8-1 Wireless Firewall screen - Denial of Service tab A denial of service (DoS) attack is an attempt to make a computer or network resource unavailable to its intended users. Although the means to carry out a DoS attack will vary, it generally consists of a concerted effort of one or more persons attempting to prevent a device, site or service from functioning temporarily or indefinitely.
  • Page 628 8 - 4 WiNG 5.7.1 Access Point System Reference Guide Action If a DoS filter is enabled, choose an action from the drop-down menu to determine how the firewall treats the associated DoS attack. Options include: • Log and Drop - An entry for the associated DoS attack is added to the log and then the packets are dropped.
  • Page 629 8 - 5 Router Advertisement In this attack, the attacker uses ICMP to redirect the network router function to some other host. If that host cannot provide router services, a DoS of network communications occurs as routing stops. This can also be modified to single out a specific system, so that only that system is subject to attack (because only that system sees the 'false' router).
  • Page 630 8 - 6 WiNG 5.7.1 Access Point System Reference Guide TCP Intercept A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable return addresses, the connections cannot be established.
  • Page 631 8 - 7 TCP XMAS Scan The TCP XMAS Scan floods the target system with TCP packets including the FIN, URG, and PUSH flags. This is used to determine details about the target system and can crash a system. TCP Header Fragment Enables the TCP Header Fragment denial of service check in the firewall.
  • Page 632 8 - 8 WiNG 5.7.1 Access Point System Reference Guide Figure 8-2 Wireless Firewall screen - Storm Control tab The firewall maintains a facility to control packet storms. Storms are packet bombardments that exceed the high threshold configured for an interface. During a storm, packets are throttled until the rate falls below the configured rate, severely impacting performance for the interface.
  • Page 633 8 - 9 9. Select + Add Row as needed to add additional Storm Control configurations for other traffic types or interfaces. Select the Delete icon as required to remove selected rows. 10. Refer to the Storm Control Logging field to define how storm events are logged. Traffic Type Use the drop-down menu to define the traffic type for which the Storm Control logging configuration applies.
  • Page 634 8 - 10 WiNG 5.7.1 Access Point System Reference Guide 15. Refer to the General field to enable or disable the following firewall parameters: Enable Proxy ARP Select the radio button to allow the Firewall Policy to use Proxy ARP responses for this policy on behalf of another device.
  • Page 635 8 - 11 Virtual Defragmentation Timeout Set the virtual defragmentation timeout to prevent IP fragment based attacks. Set a value from 1 - 60 seconds. The default value is 1 second. 16. The firewall policy allows traffic filtering at the application layer using the Application Layer Gateway feature.
  • Page 636 8 - 12 WiNG 5.7.1 Access Point System Reference Guide TCP Reset Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 10 seconds. TCP Setup Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9).
  • Page 637 8 - 13 Figure 8-4 Wireless Firewall screen - Advanced Settings tab - IPv6 Settings tab 22. Refer to the IPv6 Firewall Enable option to provide firewall support to IPv6 packet streams. This setting is enabled by default. Disabling IPv6 firewall support also disables proxy neighbor discovery. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery (ND) protocol via ICMPv6 router discovery messages.
  • Page 638 8 - 14 WiNG 5.7.1 Access Point System Reference Guide 25. Use the Event table to enable individual IPv6 unique events. IPv6 events can be individually enabled or collectively enabled/disabled using the Enable All Events and Disable All Events buttons.
  • Page 639 8 - 15 27. Select to update the Firewall Policy Advanced Settings. Select Reset to revert to the last saved configuration. The firewall policy can be invoked at any point in the configuration process by selecting Activate Firewall Policy from the upper left-hand side of the access point user interface.
  • Page 640: Configuring Ip Firewall Rules

    8 - 16 WiNG 5.7.1 Access Point System Reference Guide 8.2 Configuring IP Firewall Rules Security Configuration Access points use IP based firewalls like Access Control Lists (ACLs) to filter/mark packets based on the IP address from which they arrive, as opposed to filtering packets on Layer 2 ports.
  • Page 641 8 - 17 Figure 8-5 IP Firewall Policy screen 4. Select to create a new IPv4 or IPv6 Firewall Rule. Select an existing policy and select Edit to modify the attributes of the rule’s configuration. 5. Select the added row to expand it into configurable parameters for defining a new rule. Figure 8-6 IP Firewall Rules screen - Adding a new rule If adding a new rule, enter a name up to 32 characters.
  • Page 642 8 - 18 WiNG 5.7.1 Access Point System Reference Guide 7. IP firewall rule configurations can either be modified as a collective group of variables or selected and updated individually as their filtering attributes require a more refined update. a. Select the Edit Rule icon to the left of a particular IP firewall rule configuration to update its parameters collectively.
  • Page 643 8 - 19 Action Every IP firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria. The following actions are supported: • Deny - Instructs the firewall to prohibit a packet from proceeding to its destination. •...
  • Page 644: Setting An Ip Snmp Acl Policy

    8 - 20 WiNG 5.7.1 Access Point System Reference Guide ICMP Type Selecting ICMP as the protocol for the IP rule displays an additional set of ICMP specific options for ICMP type and code. The Internet Control Message Protocol (ICMP) uses messages identified by numeric type.
  • Page 645 8 - 21 Figure 8-9 IP SNMP ACL screen 3. Select to create a new SNMP firewall rule. Select an existing policy and click Edit to modify the attributes of that policy’s configuration. Existing policies can be removed by highlighting them and selecting Delete. Figure 8-10 IP SNMP ACL Add screen 4.
  • Page 646 8 - 22 WiNG 5.7.1 Access Point System Reference Guide Type Define whether the permit or deny ACL rule applied to the ACL is specific to a Host IP address, a Network address and subnet mask or is applied to Any. The default setting is Network.
  • Page 647: Device Fingerprinting

    8 - 23 8.3 Device Fingerprinting Security Configuration With the increase in popularity of Bring Your Own Device (BYOD) for use in the corporate environment, there is an increase in the number of possible attack vectors on the network. BYOD devices are inherently unsafe as the organization does not have control over the level of security on these devices.
  • Page 648 8 - 24 WiNG 5.7.1 Access Point System Reference Guide 4. Select to create a new client identity policy. Client identity policies configure the signatures used to identify clients and then use these signatures to classify and assign permissions to them. A set of pre-defined client identities are included.
  • Page 649 8 - 25 Figure 8-13 Security - Device Fingerprinting - New Client Identity - Pre-defined Identity screen 6. To create a custom client identity, select Custom and provide a name in the adjacent field and click the button at the bottom of the screen.
  • Page 650 8 - 26 WiNG 5.7.1 Access Point System Reference Guide Figure 8-14 Security - Device Fingerprinting - Client Signature screen 9. Provide the following information for each device signature: Index: Use the spinner control to assign an index for this signature. A maximum of 16 signatures can be created in each Client Identity.
  • Page 651 8 - 27 Match Type: Use the drop-down menu to select how the signatures are matched. The available options are: • Exact – The signature matches only if the complete signature string equals the string specified in the Option Value field. • starts-with – The signature matches if it begins with the string specified in the Option Value field.
  • Page 652 8 - 28 WiNG 5.7.1 Access Point System Reference Guide a different signature from Android devices. This unique signature can then be used to classify the devices and assign permissions and restrictions on each device class. 12. Select to create a new Client Identity Group policy. Client Identity Group policies configure the signatures used to identify clients and then use these signatures to classify and assign permissions to them.
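    The signature matching described on the preceding pages, carried through in code: a DHCP options field is parsed, the relevant option values are rendered as strings, and each client identity's signatures (index, DHCP option, match type, option value) are compared with them. This is an added example written for this page, not WiNG code. The sample option fields and signatures are constructed for illustration and are not authoritative vendor fingerprints; the "contains" match type, the rule that every signature in an identity must match, and the first-identity-wins ordering are assumptions made here.

```python
from dataclasses import dataclass

# Added example (not WiNG code): parses the options field of a DHCP message and
# matches the extracted option values against client-identity signatures of the
# kind the Client Signature screen describes (index, DHCP option, match type,
# option value).  The "contains" match type, the all-signatures-must-match rule
# and the sample packets and signatures are assumptions constructed for this
# example, not authoritative vendor fingerprints.

MAX_SIGNATURES_PER_IDENTITY = 16   # limit stated for one client identity


def parse_dhcp_options(blob: bytes) -> dict:
    """Return {option_code: raw_value} from a DHCP options field (RFC 2132 TLVs)."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 0:                  # pad octet, carries no length
            i += 1
            continue
        if code == 255:                # end option
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        i += 2 + length
    return opts


def option_as_text(code: int, raw: bytes) -> str:
    """Render an option value the way a signature string would be written."""
    if code == 55:                     # parameter request list -> "1,3,6,..."
        return ",".join(str(b) for b in raw)
    return raw.decode("ascii", errors="replace")


@dataclass(frozen=True)
class Signature:
    index: int
    option: int
    match_type: str                    # "exact", "starts-with" or "contains"
    value: str

    def matches(self, opts: dict) -> bool:
        if self.option not in opts:
            return False
        text = option_as_text(self.option, opts[self.option])
        if self.match_type == "exact":
            return text == self.value
        if self.match_type == "starts-with":
            return text.startswith(self.value)
        if self.match_type == "contains":
            return self.value in text
        raise ValueError(f"unknown match type {self.match_type!r}")


@dataclass(frozen=True)
class ClientIdentity:
    name: str
    signatures: tuple

    def __post_init__(self):
        if len(self.signatures) > MAX_SIGNATURES_PER_IDENTITY:
            raise ValueError("a client identity holds at most 16 signatures")

    def matches(self, opts: dict) -> bool:
        return all(sig.matches(opts) for sig in self.signatures)


def classify(identities, options_blob: bytes) -> str:
    """Name of the first identity whose signatures all match, else 'unknown'."""
    opts = parse_dhcp_options(options_blob)
    for ident in identities:
        if ident.matches(opts):
            return ident.name
    return "unknown"


def build_options(*items) -> bytes:
    """Construct a sample options field from (code, value) pairs, end-terminated."""
    return b"".join(bytes([c, len(v)]) + v for c, v in items) + b"\xff"


IDENTITIES = [
    ClientIdentity("android-phone", (Signature(1, 60, "starts-with", "android-dhcp"),)),
    ClientIdentity("ios-device", (Signature(1, 55, "exact", "1,121,3,6,15,119,252"),)),
]

# Constructed DHCP Discover option fields (option 53 = message type 1).
ANDROID_OPTS = build_options((53, b"\x01"), (55, bytes([1, 3, 6, 15, 26, 28, 51, 58, 59, 43])),
                             (60, b"android-dhcp-11"))
IOS_OPTS = build_options((53, b"\x01"), (55, bytes([1, 121, 3, 6, 15, 119, 252])))
PRINTER_OPTS = build_options((53, b"\x01"), (55, bytes([1, 3, 6])), (60, b"Printer-XYZ"))

if __name__ == "__main__":
    for label, blob in (("android", ANDROID_OPTS), ("ios", IOS_OPTS), ("printer", PRINTER_OPTS)):
        print(label, "->", classify(IDENTITIES, blob))
```

    Because DHCP option values are supplied by the client, a fingerprint is a hint rather than proof of device type; a client that copies another platform's option 55 list or vendor class will be classified as that platform, so the permissions granted to a class should not exceed what an impostor in that class could safely be given.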
  • Page 653 8 - 29 Figure 8-17 Security - Device Fingerprinting - Client Identity Group - New Client Identity Group 15. From the drop-down, select the Client Identity Policy to include in this group. Use the buttons next to the drop-down to manage and create new Client Identity policies.
  • Page 654: Configuring Mac Firewall Rules

    8 - 30 WiNG 5.7.1 Access Point System Reference Guide 8.4 Configuring MAC Firewall Rules Security Configuration Access points can use MAC based firewall rules, a form of Access Control List (ACL), to filter or mark frames based on the Layer 2 (MAC) address from which they arrive, rather than on the IP addresses that IP firewall rules evaluate.
  • Page 655 8 - 31 Figure 8-19 MAC Firewall Rules screen - Adding a new rule 6. If adding a new MAC Firewall Rule, provide a name up to 32 characters in length. 7. Define the following parameters for the MAC Firewall Rule: Allow: Every MAC firewall rule is made up of matching criteria rules.
  • Page 656 8 - 32 WiNG 5.7.1 Access Point System Reference Guide Traffic Class: Select this option to enable filtering using Traffic Class. Use the spinner control to specify a traffic class from 1 - 10. Match 802.1P: Configures IP DSCP to 802.1p priority mapping for untagged frames.
  • Page 657: Wireless Ips (Wips)

    8 - 33 8.5 Wireless IPS (WIPS) Security Configuration The access point supports Wireless Intrusion Protection Systems (WIPS) to provide continuous protection against wireless threats and act as an additional layer of security complementing wireless VPNs and encryption and authentication policies. An access point supports WIPS through the use of dedicated sensor devices designed to actively detect and locate unauthorized AP devices.
  • Page 658 8 - 34 WiNG 5.7.1 Access Point System Reference Guide Figure 8-20 Wireless IPS screen - Settings tab 4. Select the Activate Wireless IPS Policy option on the upper left-hand side of the screen to enable the screen’s parameters for configuration. Ensure this option stays selected to apply the configuration to the access point profile.
  • Page 659 8 - 35 Air Termination: Select this option to enable the termination of detected rogue AP devices. Air termination lets you terminate the connection between your wireless LAN and any access point or client associated with it. If the device is an access point, all clients are disassociated from that access point.
  • Page 660 8 - 36 WiNG 5.7.1 Access Point System Reference Guide An Excessive Action Event is an event where an action is performed repetitively and continuously. DoS attacks come under this category. Use the Excessive Actions Events table to select and configure the action taken when events are triggered.
  • Page 661 8 - 37 Figure 8-22 Wireless IPS screen - WIPS Events - MU Anomaly tab MU Anomaly events are suspicious events by wireless clients that can compromise the security and stability of the network. Use the MU Anomaly screen to set the interval for which a client is filtered after it generates each event. 14.
  • Page 662 8 - 38 WiNG 5.7.1 Access Point System Reference Guide 15. Select to save the updates to the MU Anomaly configuration used by the WIPS policy. Select Reset to revert to the last saved configuration. The WIPS policy can be invoked at any point in the configuration process by selecting...
  • Page 663 8 - 39 19. Select the WIPS Signatures tab. Ensure the Activate Wireless IPS Policy option remains selected to enable the screen’s configuration parameters. A WIPS signature is the set of parameters, or pattern, used by WIPS to identify and categorize particular sets of attack behaviors in order to classify them.
  • Page 664 8 - 40 WiNG 5.7.1 Access Point System Reference Guide Figure 8-25 WIPS Signature Configuration screen 22. If adding a new WIPS signature, define a Name to distinguish it from others with similar configurations. The name cannot exceed 64 characters.
  • Page 665 8 - 41 24. Refer to the Thresholds field to set the thresholds used as filtering criteria. Wireless Client Threshold: Specify the threshold limit per client that, when exceeded, signals the event. The configurable range is from 1 - 65,535. Radio Threshold: Specify the threshold limit per radio that, when exceeded, signals the event.
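    The two thresholds above, applied to a stream of signature observations: each observation is counted once against its client and once against its radio, and the event is signalled as soon as either count exceeds its limit. This is an added example written for this page, not WiNG code; the page does not say over what interval the counts are taken or whether an event repeats, so the sliding window, the fire-once behaviour and the sample frame log are assumptions constructed here.

```python
from collections import defaultdict

# Added example (not WiNG code): a sliding-window counter of the kind a WIPS
# signature threshold implies, with one limit per wireless client and one per
# radio; crossing either limit signals the event once for that client or radio.
# The window length and the sample frame log are constructed assumptions.


def evaluate_signature(events, window_s: int, client_threshold: int, radio_threshold: int):
    """events: iterable of (time_s, radio_id, client_mac) observations of one signature.

    Returns [(time_s, "client"|"radio", id), ...] in the order the limits were exceeded.
    """
    for limit in (client_threshold, radio_threshold):
        if not 1 <= limit <= 65535:
            raise ValueError("thresholds must lie in 1 - 65,535")
    history = {"client": defaultdict(list), "radio": defaultdict(list)}
    fired, triggers = set(), []
    for t, radio, client in sorted(events):
        for scope, key, limit in (("client", client, client_threshold),
                                  ("radio", radio, radio_threshold)):
            hist = history[scope][key]
            hist.append(t)
            while hist and hist[0] <= t - window_s:      # forget observations outside the window
                hist.pop(0)
            if len(hist) > limit and (scope, key) not in fired:
                fired.add((scope, key))
                triggers.append((t, scope, key))
    return triggers


# Constructed log: one client floods radio r1, then two others add a few frames.
SAMPLE_EVENTS = [
    (1, "r1", "aa:aa"), (2, "r1", "aa:aa"), (3, "r1", "aa:aa"),
    (4, "r1", "aa:aa"), (5, "r1", "aa:aa"), (6, "r1", "aa:aa"),
    (7, "r1", "bb:bb"), (8, "r1", "cc:cc"), (9, "r1", "bb:bb"),
    (40, "r1", "dd:dd"),
]

if __name__ == "__main__":
    for trig in evaluate_signature(SAMPLE_EVENTS, window_s=10, client_threshold=5, radio_threshold=8):
        print(trig)
```

    The radio threshold is what catches a flood spread across spoofed client addresses: no single client in the sample exceeds the client limit after the first one is caught, yet the radio as a whole still does.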
  • Page 666: Device Categorization

    8 - 42 WiNG 5.7.1 Access Point System Reference Guide 8.6 Device Categorization Security Configuration A proper classification and categorization of access points and clients can help suppress unnecessary unauthorized access point alarms, and allow an administrator to focus on alarms on devices actually behaving in a suspicious manner. An intruder with a device erroneously authorized could potentially perform activities that harm your organization.
  • Page 667 8 - 43 Figure 8-27 Device Categorization screen - Marked Devices 5. If creating a new Device Categorization filter, provide it a Name (up to 32 characters). Select to save the name and enable the remaining device categorization parameters. 6. Select + Add Row to populate the Marked Devices...
  • Page 668: Security Deployment Considerations

    8 - 44 WiNG 5.7.1 Access Point System Reference Guide 8.7 Security Deployment Considerations Security Configuration Before defining a firewall supported configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective: • Firewalls implement access control policies, so if you don't have an idea of what kind of access to allow or deny, a firewall is of little value.
  • Page 669: Chapter 9, Services Configuration

    CHAPTER 9 SERVICES CONFIGURATION The WING software supports services providing captive portal access, leased DHCP IP address assignments to requesting clients and local RADIUS client authentication. For more information, refer to the following: • Configuring Captive Portal Policies • Setting the DNS Whitelist Configuration •...
  • Page 670: Configuring Captive Portal Policies

    9 - 2 WiNG 5.7.1 Access Point System Reference Guide 9.1 Configuring Captive Portal Policies Services Configuration A captive portal is an access policy that provides temporary and restrictive access to the access point managed wireless network. A captive portal policy provides secure authenticated access using a standard Web browser. Captive portals provide authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the wireless network.
  • Page 671 9 - 3 Captive Portal Server Host: Lists the IP address (or DNS hostname) of the external (centralized) server validating guest user permissions for the listed captive portal policy. Captive Portal IPv6 Server: Lists the IPv6 formatted IP address (not a DNS hostname) of the external (fixed) IPv6 server validating user permissions for the listed captive portal policy.
  • Page 672 9 - 4 WiNG 5.7.1 Access Point System Reference Guide Figure 9-2 Captive Portal Policy screen - Basic Configuration tab 6. Define the following Settings for the captive portal policy: Captive Portal Policy If creating a new policy, assign a name representative of its access permissions, location or intended wireless client user base.
  • Page 673 9 - 5 Captive Portal Server Host: When Internal (Self) is selected as the Captive Portal Server Mode, use this field to provide the host name of the internal captive portal server. When Centralized is selected as the Captive Portal Server Mode, use the drop-down to select either Hostname or IP Address and provide the appropriate hostname/address of the controller or access point hosting the captive portal server.
  • Page 674 9 - 6 WiNG 5.7.1 Access Point System Reference Guide 9. Set the following Client Settings to define the duration clients are allowed captive portal access and when they’re timed out due to inactivity: RADIUS VLAN Select this option to enable the RADIUS server to assign a VLAN post authentication.
  • Page 675 9 - 7 d. If necessary, select the radio button of an existing whitelist entry and select the - Delete icon to remove the entry from the whitelist. 11. Set the following Accounting parameters to define how accounting is conducted for clients entering and exiting the captive portal.
  • Page 676 9 - 8 WiNG 5.7.1 Access Point System Reference Guide Figure 9-4 Captive Portal Policy screen - Web Page tab The Login screen prompts for a username and password to access the captive portal and proceed to either the Terms and Conditions page (if used) or the Welcome page.
  • Page 677 9 - 9 Title Text Set the title text displayed on the Login, Terms and Conditions, Welcome and Fail pages when wireless clients access each page. The text should be in the form of a page title describing the respective function of each page and should be unique to each login, terms, welcome and fail function.
  • Page 678 9 - 10 WiNG 5.7.1 Access Point System Reference Guide Figure 9-6 Captive Portal Policy screen - Web Page tab - Externally Hosted Web Page screen 22. Set the following URL destinations for externally hosted captive portal pages: Login URL Define the complete URL for the location of the Login page.
  • Page 679 9 - 11 24. Select Advanced to use a custom directory of Web pages copied to and from the access point for captive portal support. Figure 9-7 Captive Portal Policy screen - Web Page tab - Advanced Web Page screen 25.
  • Page 680: Setting The Dns Whitelist Configuration

    9 - 12 WiNG 5.7.1 Access Point System Reference Guide 9.2 Setting the DNS Whitelist Configuration Services Configuration A DNS whitelist is used in conjunction with a captive portal to provide captive portal services to wireless clients. Use the DNS whitelist parameter to create a set of allowed destination IP addresses within the captive portal.
  • Page 681: Setting The Dhcp Server Configuration

    9 - 13 9.3 Setting the DHCP Server Configuration Services Configuration Dynamic Host Configuration Protocol (DHCP) allows hosts on an IP network to request and be assigned IP addresses as well as discover information about the network where they reside. Each subnet can be configured with its own address pool. Whenever a DHCP client requests an IP address, the DHCP server assigns an IP address from that subnet’s address pool.
  • Page 682 9 - 14 WiNG 5.7.1 Access Point System Reference Guide Figure 9-9 DHCP Server Policy screen - DHCP Pool tab 4. Select the Activate DHCP Server Policy option to optimally display the screen and enable the ability Add or Edit a new policy.
  • Page 683 9 - 15 6. Select to create a new DHCP pool, Edit to modify an existing pool or Delete to remove a pool. Figure 9-10 DHCP Pools screen - Basic Settings tab If adding or editing a DHCP pool, the DHCP Pool screen displays the Basic Settings tab by default.
  • Page 684 9 - 16 WiNG 5.7.1 Access Point System Reference Guide Lease Time DHCP leases provide addresses for defined times to various clients. If a client does not use the leased address for the defined time, that IP address can be re-assigned to another DHCP supported client.
  • Page 685 9 - 17 Figure 9-11 DHCP Pools screen - Static Bindings tab 12. Review existing DHCP pool static bindings to determine if a static binding can be used as is, a new one requires creation or edit, or if one requires deletion: Client Identifier Type Lists whether the reporting client is using a Hardware Address or Client Identifier as its identifier type.
  • Page 686 9 - 18 WiNG 5.7.1 Access Point System Reference Guide Figure 9-12 Static Bindings Add screen 14. Define the following General parameters required to complete the creation of the static binding configuration: Client Identifier Type: Use the drop-down menu to specify whether the DHCP client identifies itself to the DHCP server with a Hardware Address or a Client Identifier.
  • Page 687 9 - 19 Client Name Provide the name of the client requesting DHCP Server support. Enable Unicast Unicast packets are sent from one location to another location (there is just one sender, and one receiver). Select this option to forward unicast messages to just a single device within this network pool.
  • Page 688 9 - 20 WiNG 5.7.1 Access Point System Reference Guide Figure 9-13 DHCP Pools screen - Advanced tab 23. The addition or edit of the DHCP pool’s advanced settings requires the following General parameters be set: Boot File Enter the name of the boot file used with this pool. Boot files (Boot Protocol) can be used to boot remote systems over the network.
  • Page 689: Defining Dhcp Server Global Settings

    9 - 21 NetBIOS Servers Specify a numerical IP address of a single or group of NetBIOS WINS servers available to DHCP supported wireless clients. Select Alias to use a network alias with the NetBIOS server configuration. For more information see Alias on page 7-34.
  • Page 690 9 - 22 WiNG 5.7.1 Access Point System Reference Guide Figure 9-14 DHCP Server Policy screen - Global Settings tab 2. Set the following parameters within the Configuration field: Ignore BOOTP Requests Select the check box to ignore BOOTP requests. BOOTP requests boot remote systems within the network.
  • Page 691: Dhcp Class Policy Configuration

    9 - 23 4. Refer to the Global DHCP Server Options field. Use the + Add Row button at the bottom of the field to add a new global DHCP server option. At any time you can select the radio button of an existing global DHCP server option and select the Delete icon to remove it from the list of those available.
  • Page 692 9 - 24 WiNG 5.7.1 Access Point System Reference Guide Figure 9-15 DHCP Server Policy screen - Class Policy tab 2. Select to create a new DHCP class policy, Edit to update an existing policy or Delete to remove an existing policy.
  • Page 693: Dhcp Deployment Considerations

    9 - 25 Figure 9-16 DHCP Class - Name Add screen 3. If adding a new DHCP Class Name, assign a name representative of the device class supported. The DHCP user class name should not exceed 32 characters. 4. Select a row within the Value column to enter a 32 character maximum value string.
  • Page 694: Setting The Bonjour Gateway Configuration

    9 - 26 WiNG 5.7.1 Access Point System Reference Guide 9.4 Setting the Bonjour Gateway Configuration Services Configuration Bonjour is Apple’s implementation of zero-configuration networking (Zeroconf). Zeroconf is a group of technologies that include service discovery, address assignment and hostname resolution. Bonjour locates devices such as printers, other computers and services that these computers offer over a local network.
  • Page 695 9 - 27 Figure 9-17 Bonjour - Discovery Policy screen This screen displays the name of the configured Bonjour discovery policies. 5. Select an existing policy and click Edit to edit it. To add a new policy, select Add. Select an existing policy and click Delete to delete the policy or use Copy...
  • Page 696: Configuring The Bonjour Forwarding Policy

    9 - 28 WiNG 5.7.1 Access Point System Reference Guide Refer to the following for more information on the discovery rules. Service Name Configures the service that can be discovered by the Bonjour Gateway. • Predefined – Use the drop-down menu to select from a list of predefined Apple services.
  • Page 697 9 - 29 Figure 9-19 Bonjour Gateway - Forwarding Policy screen This screen displays the name of the configured Bonjour forwarding policies. 5. Select an existing policy and click Edit to edit it. To add a new policy, select Add. Figure 9-20 Bonjour Gateway - Forwarding Policy - Add screen...
  • Page 698 9 - 30 WiNG 5.7.1 Access Point System Reference Guide 6. Select the + Add Row button to add a forwarding rule to the Bonjour Forwarding Policy. Advertisements from VLANs that contain services are forwarded to VLANs containing clients. From VLANs From VLANs are VLANs where the Apple services are available.
  • Page 699: Setting The Dhcpv6 Server Policy

    9 - 31 9.5 Setting the DHCPv6 Server Policy Services Configuration DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. DHCPv6 servers pass IPv6 network addresses to IPv6 clients. The DHCPv6 address assignment feature manages non-duplicate addresses in the correct prefix based on the network where the host is connected.
  • Page 700: Defining Dhcpv6 Options

    9 - 32 WiNG 5.7.1 Access Point System Reference Guide 4. Review the following DHCPv6 server configurations (at a high level) to determine whether a new server policy requires creation, an existing policy requires modification or an existing policy requires deletion: DHCPv6 Server Lists the name assigned to each DHCPv6 server policy when it was initially created.
  • Page 701: Dhcpv6 Pool Configuration

    9 - 33 Figure 9-22 DHCPv6 Server Policy - DHCPv6 Options tab 4. Select Restrict Vendor Options to restrict the use of vendor specific DHCPv6 options. This limits the use of vendor specific DHCP options in this specific DHCPv6 policy. 5.
  • Page 702 9 - 34 WiNG 5.7.1 Access Point System Reference Guide 3. Select DHCPv6 Server Policy. 4. Select to create a new policy or Edit to modify the policy’s properties of a selected DHCPv6 server policy. Select + Add to populate the screen with editable rows for DHCPv6 option configuration. The...
  • Page 703 9 - 35 Figure 9-24 DHCP Server Policy - DHCPv6 Pool - Add/Edit screen 8. Set the following General DHCPv6 pool parameters: Name: Provide an administrator-assigned name for the IPv6 pool resource from which IPv6 formatted addresses are issued in response to DHCPv6 client requests. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
  • Page 704 9 - 36 WiNG 5.7.1 Access Point System Reference Guide 9. If using DHCPv6 options in the pool, set the following within the DHCPv6 option Value table Name Use the drop-down menu to select an existing DHCP option name from the existing options configured in DHCPv6 Options.
  • Page 705: Setting The Radius Configuration

    9 - 37 9.6 Setting the RADIUS Configuration Services Configuration Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software enabling remote access servers to authenticate users and authorize their access to the access point managed network. RADIUS is a distributed client/server system that secures networks against unauthorized access.
  • Page 706 9 - 38 WiNG 5.7.1 Access Point System Reference Guide To review existing RADIUS groups and add, modify or delete group configurations: 1. Select Configuration tab from the Web user interface. 2. Select Services. 3. Select RADIUS. A list of existing groups displays by default.
  • Page 707 9 - 39 VLAN: Displays the VLAN ID used by the group. The VLAN ID is representative of the shared SSID each group member (user) employs to interoperate within the access point managed network (once authenticated by the local RADIUS server). Time Start: Specifies the time users within each listed group can access local RADIUS resources.
  • Page 708: Creating Radius Groups

    9 - 40 WiNG 5.7.1 Access Point System Reference Guide 9.6.1.1 Creating RADIUS Groups Creating RADIUS Groups To create a RADIUS group: 1. Select Configuration tab from the Web user interface. 2. Select Services. 3. Select and expand the RADIUS menu.
  • Page 709 9 - 41 VLAN Select this option (and use the slider) to assign a specific VLAN to this RADIUS user group. Ensure Dynamic VLAN assignment (Single VLAN) is enabled for the WLAN for the VLAN to work properly. For more information, see Configuring WLAN Basic Configuration on page 6-5.
  • Page 710: Defining User Pools

    9 - 42 WiNG 5.7.1 Access Point System Reference Guide 7. Select Restrict Access By Day Of Week control to enable access based on the day of the week. Days Optionally select the Restrict Access by Day Of Week option, and select the days RADIUS group members can access RADIUS resources.
  • Page 711 9 - 43 Figure 9-28 RADIUS User Pool Add screen 6. Refer to the following User Pool configurations to discern when specific user IDs have access to the access point’s RADIUS resources: User Id: Displays the unique alphanumeric string identifying this user. This is the ID assigned to the user when created and cannot be modified with the rest of the configuration.
  • Page 712 9 - 44 WiNG 5.7.1 Access Point System Reference Guide Access Duration: Lists the total duration of allowed access for guest users. Up to 356 days can be configured. Data Limit (KB): Lists the total amount of data (in KiloBytes) each guest user may consume. Committed Downlink: Displays the download speed (in KiloBytes) allocated to the guest user.
  • Page 713 9 - 45 Figure 9-29 RADIUS - Add User screen 8. Set the following to create a new RADIUS user with unique access privileges: User Id Assign a unique alphanumeric string identifying this user. The ID cannot exceed 64 characters. Password Provide a password unique to this user.
  • Page 714 9 - 46 WiNG 5.7.1 Access Point System Reference Guide Start Time Enter a start time, or use the spinner controls to select a starting time for the user's credentials to start working. Use the AM and PM buttons to apply a morning or...
  • Page 715: Configuring The Radius Server

    9 - 47 9.6.3 Configuring the RADIUS Server Setting the RADIUS Configuration A RADIUS server policy is a unique authentication and authorization configuration for receiving user connection requests, authenticating users and returning the configuration information necessary for the RADIUS client to deliver service to the user. An access point’s requesting client is the entity with authentication information requiring validation.
  • Page 716 9 - 48 WiNG 5.7.1 Access Point System Reference Guide LDAP Groups Use the drop-down menu to select LDAP groups to apply the server policy configuration. Select the Create or Edit icons as needed to either create a new group or modify an existing group.
  • Page 717 9 - 49 Do Not Verify Username: Only enabled when TLS is selected as the Authentication Type. When selected, the user name is not matched against the certificate, but the certificate’s expiry is still checked. Enable CRL Validation: Select this option to enable a Certificate Revocation List (CRL) check. Certificates can be checked and revoked for a number of reasons, including the failure or compromise of a device using a certificate, a compromise of a certificate key pair or errors within an issued certificate.
  • Page 718 9 - 50 WiNG 5.7.1 Access Point System Reference Guide server receives a RADIUS access request packet and verifies the server possesses a shared secret for the client. If the server does not possess a shared secret for the client, the request is dropped. If the client received a verified access accept packet, the username and password are considered correct, and the user is authenticated.
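    The exchange described above, with both sides in code: the access point (the RADIUS client, or NAS) builds an Access-Request whose User-Password is hidden with the shared secret, the server drops the request if it holds no secret for that client, and the client accepts the reply only after checking the Response Authenticator with the same secret. This is an added example written for this page, not WiNG code; it follows RFC 2865, and the secrets, user database and addresses are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# Added example (not WiNG code): the Access-Request / Access-Accept exchange
# described above, carried out with a per-client shared secret as RFC 2865
# specifies.  Secrets, users and addresses are constructed for illustration.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_attrs(body: bytes) -> dict:
    out, i = {}, 0
    while i + 2 <= len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        out[atype] = body[i + 2:i + alen]
        i += alen
    return out


def nas_access_request(username: bytes, password: bytes, secret: bytes, ident: int):
    """Client (NAS) side: build an Access-Request and keep its Request Authenticator."""
    request_auth = os.urandom(16)
    attrs = attr(USER_NAME, username)
    attrs += attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    attrs += attr(NAS_IP_ADDRESS, bytes([10, 0, 0, 1]))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def server_handle(packet: bytes, client_ip: str, secrets_by_client: dict, users: dict):
    """Server side: a client with no configured shared secret is silently dropped."""
    secret = secrets_by_client.get(client_ip)
    if secret is None:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    reply_code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)        # no reply attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def nas_verify_reply(reply: bytes, request_auth: bytes, secret: bytes):
    """Client side: return the reply code only if its Response Authenticator checks out."""
    code, _, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return code if hmac.compare_digest(expected, reply[4:20]) else None


SECRETS_BY_CLIENT = {"10.0.0.1": b"ap1-secret", "10.0.0.2": b"ap2-secret"}   # one secret per NAS
USERS = {b"alice": b"correct horse battery staple"}


def authenticate(username: bytes, password: bytes, client_ip: str, client_secret: bytes) -> str:
    """Run both sides of the exchange and report the outcome as the NAS sees it."""
    request, request_auth = nas_access_request(username, password, client_secret, ident=7)
    reply = server_handle(request, client_ip, SECRETS_BY_CLIENT, USERS)
    if reply is None:
        return "dropped"
    code = nas_verify_reply(reply, request_auth, client_secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unverified")
```

    The last case worth trying is a client configured with the wrong secret: the server decodes the password with its own secret, gets garbage and rejects, and the client then fails to verify that reply because the Response Authenticator was computed with a different secret. A mismatched secret therefore never turns into an accept, but it is indistinguishable from a bad password on the client side, which is why secret mismatches are easiest to spot in the server's logs.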
  • Page 719 9 - 51 proxying server is configuration-dependent on most servers. In addition, the proxying server can be configured to add, remove or rewrite requests when they are proxied. Figure 9-32 RADIUS Server Policy screen - Proxy tab 17. Enter the Proxy Retry Delay as a value in seconds (from 5 - 10 seconds).
  • Page 720 9 - 52 WiNG 5.7.1 Access Point System Reference Guide 26. Select the LDAP and ensure the Activate RADIUS Server Policy button remains selected. Administrators have the option of using the access point’s RADIUS server to authenticate users against an external LDAP server resource.
  • Page 721 9 - 53 28. Select to add a new LDAP server configuration, Edit to modify an existing LDAP server configuration or Delete to remove an LDAP server from the list of those available. Figure 9-34 LDAP Server Add screen 29. Set the following Network address information required for the connection to the external LDAP server resource: Redundancy...
  • Page 722 9 - 54 WiNG 5.7.1 Access Point System Reference Guide Bind DN Specify the distinguished name to bind with the LDAP server. The DN is the name that uniquely identifies an entry in the LDAP directory. A DN is made up of attribute value pairs, separated by commas.
  • Page 723: Services Deployment Considerations

    9 - 55 9.7 Services Deployment Considerations Services Configuration Before defining the access point’s configuration using the Services menu, refer to the following deployment guidelines to ensure the configuration is optimally effective: • It is recommended that each RADIUS client use a different shared secret. If a shared secret is compromised, only that one client is exposed, as opposed to every client that would otherwise share the same secret.
  • Page 725: Chapter 10 Management Access

    CHAPTER 10 MANAGEMENT ACCESS The access point uses mechanisms to allow/deny access to the network for separate interfaces and protocols (HTTP, HTTPS, Telnet, SSH or SNMP). Management access can be enabled/disabled as required for unique policies. Management Access is not meant to function as an ACL (in routers or other firewalls), where administrators specify and customize specific IPs to access specific interfaces.
  • Page 726: Creating Administrators And Roles

    10 - 2 WiNG 5.7.1 Access Point System Reference Guide 10.1 Creating Administrators and Roles Management Access Use the Administrators screen to review existing administrators, their access medium and their administrative role within the access point managed network. New administrators can be added and existing administrative configurations modified or deleted as required.
  • Page 727 10 - 3 Figure 10-2 Administrators screen 6. If adding a new administrator, enter the name in the User Name field. This is a mandatory field, and cannot exceed 32 characters. Optimally assign a name representative of the user’s intended access type and role. 7.
  • Page 728 10 - 4 WiNG 5.7.1 Access Point System Reference Guide Security Select this option to set the administrative rights for a security administrator allowing the configuration of all security parameters. Monitor Select this option to assign permissions without administrative rights. The Monitor option provides read-only permissions.
  • Page 729: Setting The Access Control Configuration

    10 - 5 10.2 Setting the Access Control Configuration Management Access Refer to the Access Control screen to allow/deny management access to the network using selected protocols (HTTP, HTTPS, Telnet, SSH or SNMP). Access options can be either enabled or disabled as required. Disable unused interfaces to reduce security holes.
  • Page 730 10 - 6 WiNG 5.7.1 Access Point System Reference Guide 4. Set the following parameters required for Telnet access: Enable Telnet: Select the check box to enable Telnet device access. Telnet provides a command line interface to a remote host over TCP. Telnet authenticates the user but provides no encryption, so the login credentials and the entire session cross the network in cleartext; leave Telnet disabled unless it is genuinely needed and use SSH instead.
  • Page 731 10 - 7 8. Set the following General parameters: Idle Session Timeout: Specify an inactivity timeout for management connections (in seconds) between 1 - 4,320. The default setting is 12.0 Message of the Day: Enter message of the day text (no longer than 255 characters) displayed at login for clients connecting via Telnet or SSH.
  • Page 732: Setting The Authentication Configuration

    10 - 8 WiNG 5.7.1 Access Point System Reference Guide 10.3 Setting the Authentication Configuration Management Access As part of the access point’s Management Policy, define how client authentication requests are validated using either an external or internal authentication resource: To configure an authentication resource: 1.
  • Page 733 10 - 9 6. Set the following AAA TACACS configuration parameters: Authentication: Select to enable TACACS authentication on login. This option is not available when the Local field is set to enabled. Also, this option cannot be selected when Fallback is selected.
  • Page 734: Setting The Snmp Configuration

    10 - 10 WiNG 5.7.1 Access Point System Reference Guide 10.4 Setting the SNMP Configuration Management Access The access point can use Simple Network Management Protocol (SNMP) to interact with wireless devices. SNMP is an application layer protocol that facilitates the exchange of management information. SNMP agents listen on UDP port 161 (by default) for requests from their management station, and send traps to the management station on UDP port 162.
  • Page 735 10 - 11 3. Enable or disable SNMPv1, SNMPv2 and SNMPv3. Enable SNMPv1 Select the check box to enable SNMPv1 support. SNMPv1 provides device management using a hierarchical set of variables. SNMPv1 uses Get, GetNext, and Set operations for data management. SNMPv1 is enabled by default. Enable SNMPv2 Select the check box to enable SNMPv2 support.
  • Page 736: Snmp Trap Configuration

    10 - 12 WiNG 5.7.1 Access Point System Reference Guide 10.5 SNMP Trap Configuration Management Access An access point can use SNMP trap receivers for fault notifications. SNMP traps are unsolicited notifications triggered by thresholds (or actions) on devices, and are therefore an important fault management tool.
  • Page 737 10 - 13 Trap Community: Provide a 32 character maximum trap community string. The community string functions like a user id or password allowing access to access point resources. If the community string is correct, the access point responds with the requested information.
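    Why a community string is a weaker credential than the page's password comparison suggests: in SNMPv1 and SNMPv2c it is carried unencrypted in the message header, so anyone who can capture management traffic can read it. The decoder below pulls the version, community and PDU type out of a captured message; it is an added example written for this page, not WiNG code, and the SNMPv2c GetRequest and the truncated SNMPv3 header it decodes are constructed byte strings.

```python
# Added example (not WiNG code): decodes the message header of a captured
# SNMPv1/v2c packet to show that the community string, which the page likens
# to a password, crosses the network in cleartext.  An SNMPv3 message carries
# no community at all.  The packets below are constructed for this example.

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap-v1", 0xA7: "Trap-v2"}


def read_tlv(buf: bytes, i: int):
    """Minimal BER reader: (tag, value, index after element); short and long lengths."""
    if i + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length = buf[i], buf[i + 1]
    i += 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    value = buf[i:i + length]
    if len(value) != length:
        raise ValueError("truncated element body")
    return tag, value, i + length


def parse_snmp_header(msg: bytes) -> dict:
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing: not an SNMP message")
    tag, ver, i = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    if version == 3:                                    # v3: msgGlobalData follows, no community
        return {"version": "v3", "community": None, "pdu": None}
    tag, community, i = read_tlv(body, i)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag, _, _ = read_tlv(body, i)
    return {"version": {0: "v1", 1: "v2c"}.get(version, f"v?{version}"),
            "community": community.decode("ascii", errors="replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}


# Constructed SNMPv2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public".
SAMPLE_V2C_GET = bytes.fromhex(
    "3029"                                  # SEQUENCE, 41 bytes
    "020101"                                # INTEGER version 1 (SNMPv2c)
    "04067075626c6963"                      # OCTET STRING "public"
    "a01c"                                  # GetRequest PDU, 28 bytes
    "02040000002a"                          # request-id 42
    "020100"                                # error-status 0
    "020100"                                # error-index 0
    "300e300c06082b060102010101000500"      # VarBindList: sysDescr.0 = NULL
)
# Constructed SNMPv3 message, cut after the version field (enough for the header check).
SAMPLE_V3_PREFIX = bytes.fromhex("3003020103")

if __name__ == "__main__":
    print(parse_snmp_header(SAMPLE_V2C_GET))
    print(parse_snmp_header(SAMPLE_V3_PREFIX))
```

    Run over a packet capture, the same decoder is a quick way to find devices still polled or sending traps with v1/v2c and to confirm that an SNMP ACL, rather than the community string alone, is what limits who can query the access point.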
  • Page 738: Management Access Deployment Considerations

    10 - 14 WiNG 5.7.1 Access Point System Reference Guide 10.6 Management Access Deployment Considerations Before defining an access control configuration as part of a Management Access policy, refer to the following deployment guidelines to ensure the configuration is optimally effective: •...
  • Page 739: Chapter 11 Diagnostics

    CHAPTER 11 DIAGNOSTICS An access point’s resident diagnostic capabilities enable administrators to understand how devices are performing and troubleshoot issues impacting network performance. Performance and diagnostic information is collected and measured for anomalies that could cause key processes to fail. Numerous tools are available within the Diagnostics menu.
  • Page 740: Fault Management

    11 - 2 WiNG 5.7.1 Access Point System Reference Guide 11.1 Fault Management Diagnostics Fault management enables users administering multiple sites to assess device performance and issues affecting the network. Use the Fault Management screens to view and administer errors generated by an access point or a connected wireless client.
  • Page 741 11 - 3 Module Select the module from which events are tracked. When a single module is selected, events from other modules are not tracked. Remember this when interested in events generated by a particular module. Individual modules can be selected (such as TEST, LOG, FSM etc.) or all modules can be tracked by selecting All Modules.
  • Page 742 Module Displays the module used to track the event. Events detected by other modules are not tracked. Message Displays error or status messages for each event listed. Severity Displays the severity of the event as defined for tracking from the Configuration screen.
  • Page 743 12. Select Fetch Historical Events from the lower right-hand side of the UI to populate the table with either device or RF Domain events. The following event data is fetched and displayed: Timestamp Displays the timestamp (time zone specific) each listed event occurred. Module Displays the module tracking the listed event.
  • Page 744: Crash Files

    11.2 Crash Files Diagnostics Use Crash Files to assess critical access point failures and malfunctions. Use crash files to troubleshoot issues specific to the device on which a crash event was generated. These are issues impacting the core (distribution layer).
  • Page 745: Advanced

    11.3 Advanced Diagnostics Use Advanced diagnostics to review and troubleshoot potential issues with the access point’s User Interface (UI). The UI Diagnostics screen contains tools to effectively identify and correct access point UI issues. Diagnostics can also be performed at the device level for connected clients.
  • Page 746: View UI Logs

    The Real Time NETCONF Messages area lists an XML representation of any message generated by the system. The main display area of the screen is updated in real time. Refer to the...
  • Page 747: View Sessions

    Figure 11-7 View UI Logs - Error Logs tab The Sequence (order of occurrence), Date/Time, Type, Category and Message items display for each log option selected. 11.3.3 View Sessions Advanced The View Sessions screen displays a list of all sessions associated with this device. A session is created when a user name/password combination is used to access the device to interact with it for any purpose.
  • Page 748 Figure 11-8 Advanced - View Sessions screen 4. Refer to the following table for more information on the fields displayed in this screen: Cookie Displays the number of cookies created by this session.
  • Page 749: Chapter 12 Operations

    CHAPTER 12 OPERATIONS The functions supported within the Operations menu allow the administration of firmware, configuration files and certificates for managed devices. A certificate links identity information with a public key enclosed in the certificate. Device certificates can be imported and exported to a secure remote location for archive and retrieval as they are required for application to other managed devices.
  • Page 750: Devices

    12.1 Devices Operations Periodically, releases of updated device firmware and configuration files are uploaded to the Support Web site. If an access point’s (or its associated device’s) firmware is older than the version on the Web site, it is recommended to update to the latest firmware version for full functionality and utilization.
  • Page 751: Managing Running Configuration

    Figure 12-2 Device Browser - Options for an AP7131 Refer to the drop-down menu on the lower left-hand side of the UI. The following tasks and displays are available in respect to device firmware for the selected device: Show Running Config Select this option to display the running configuration of the selected device.
  • Page 752 Figure 12-3 Device Browser 2. Select the down arrow next to the device to view a set of operations that can be performed on the selected device. Figure 12-4 Device Browser - Options for a device 3.
  • Page 753 Figure 12-5 Operations - Manage Running Configuration 4. Use the Export Config field to configure the parameters required to export the running configuration to an external server. Refer to the following to configure the export parameters: Protocol Select the protocol used for exporting the running configuration.
  • Page 754: Managing Startup Configuration

    Path/File Specify the path to the folder to export the running configuration to. Enter the complete relative path to the file on the server. User Name Define the user name used to access either an FTP or SFTP server.
  • Page 755 3. Select Show Startup Config to display the Startup Configuration window. Figure 12-8 Operations - Manage Startup Configuration 4. Use the Import/Export Config field to configure the parameters required to export or import the startup configuration to or from an external server.
  • Page 756: Rebooting The Device

    Port Use the spinner control or manually enter the value to define the port used by the protocol for exporting or importing the startup configuration. This option is not valid for cf, usb1, usb2, usb3 and usb4.
  • Page 757 Figure 12-10 Device Browser - Options for a device 3. To reboot the device, select the Reload item. Figure 12-11 Device - Reload screen 4. Refer to the following for more information on this screen: Force Reload Select this option to force this device to reload. Use this option for devices that are unresponsive and do not reload normally.
  • Page 758: Managing Crypto CMP Certificates

    Fallback Displays the status of Fallback. Displays Enabled or Disabled. 12.1.3 Managing Crypto CMP Certificates Managing Firmware and Configuration Files Certificate Management Protocol (CMP) is an Internet protocol to obtain and manage digital certificates in a Public Key Infrastructure (PKI) network.
  • Page 759: Upgrading Device Firmware

    Trust Point Valid Until The expiration of the CMP certificate is checked once a day. When a certificate is about to expire, a certificate renewal can be initiated with the server via an existing IPsec tunnel. If the tunnel is not established, the CMP renewal request is not sent.
  • Page 760 4. Provide the following information to accurately define the location of the target device’s firmware file: Protocol Select the protocol used for updating the firmware. Available options include: • tftp •...
  • Page 761: Troubleshooting The Device

    12.1.5 Troubleshooting the Device Managing Firmware and Configuration Files The Troubleshooting menu is a list of the functions that can be performed on the device to resolve any issues with the device. The following options are available: •...
  • Page 762 Figure 12-18 Device Browser - Options for a device - Troubleshooting sub-menu 4. Select Clear Crash Info to display the Clear Crash Info window. Figure 12-19 Clear Crash Info screen 5.
  • Page 763: Copy Crash Info

    12.1.5.2 Copy Crash Info Troubleshooting the Device Crash files are generated when the device encounters a critical error that impairs the performance of the device. When a critical error arises, information about the state of the device at that moment is written to a text file. This file is used by the Support Center to debug the issue and provide a solution to correct the error condition.
  • Page 764 Figure 12-23 Copy Crash Info screen 5. The crash dump files on this device can be copied to another device for further analysis. Files can be transferred using either the ftp or tftp protocols.
  • Page 765: Copy Tech Support Dump

    12.1.5.3 Copy Tech Support Dump Troubleshooting the Device To troubleshoot some issues, the Support Center might require that some files be supplied to it. These files are compressed as a .tar.gz file. This file must be sent to the Support Center on request. To retrieve the Tech Support Dump files, do the following: 1.
  • Page 766 Figure 12-27 Copy Tech Support Dump screen 5. The Tech Support Dump file can be sent using ftp or tftp. Provide the following information when transferring files using the ftp protocol.
  • Page 767: Locating A Device

    12.1.5.4 Locating a Device Troubleshooting the Device In large deployments with many devices, it can be hard to identify a specific device. Use the device’s locator feature to find the device. Once configured, the device blinks its LEDs in a color that enables it to be identified amongst all other deployed devices.
  • Page 768: Debugging Wireless Clients

    Figure 12-31 Device Pane - Locator screen 5. Use the spinner to set a value for Flash LED Duration. This is the duration, in minutes, the device will flash its LEDs. Once this duration expires, the LEDs resume normal operation.
  • Page 769 Figure 12-34 Device Browser - Options for a device - Troubleshooting sub-menu 4. Select Debug Wireless Clients. Figure 12-35 Device Browser - Options for Devices - Troubleshooting menu - Debug Wireless Clients screen 5. Use the Send Data To drop-down to select the destination for the debug events.
  • Page 770: Packet Capture

    Selected Debug Messages Select this to display only selected debug messages. The list of debug messages that can be selected are: • 802.11 Management – Displays all 802.11 management debug messages.
  • Page 771 Figure 12-37 Device Browser - Options for a device 3. Select Troubleshooting to expand its sub-menu. Figure 12-38 Device Browser - Options for a device - Troubleshooting sub-menu 4. Select Packet Capture. NOTE: The maximum packet capture data limit is 15 MB.
  • Page 772 Figure 12-39 Device Browser - Options for Devices - Troubleshooting menu - Packet Capture screen 5. Use the Send Data To drop-down to select the destination for the captured packets. Select from Screen or File.
  • Page 773: Viewing Device Summary Information

    Filter by IP Select this to enable filtering the captured packets based on the IP address of a device. IP Protocol Select this to enable filtering the captured packets on specific protocols. The protocols can be selected from the drop-down list.
  • Page 774 Figure 12-40 Device Details screen 4. Refer to the following to determine whether a firmware image requires an update: Firmware Version Displays the Primary and Secondary firmware image version currently utilized by the selected access point.
  • Page 775: Adopted Device Upgrades

    12.1.7 Adopted Device Upgrades Devices To configure an access point upgrade: NOTE: AP upgrades can only be performed by access points in Virtual Controller AP mode, and cannot be initiated by Standalone APs. Additionally, upgrades can only be performed on access points of the same model as the Virtual Controller AP.
  • Page 776 Figure 12-42 Devices - Adopted AP Upgrade screen NOTE: If selecting the Device Upgrade screen from the RF Domain level of the UI, there is an additional Upgrade from Controller...
  • Page 777 Schedule Reboot Time To reboot a target access point immediately, select Now. To schedule the reboot to take place at a specified time in the future, enter a date and time. This feature is helpful when upgrading an access point’s firmware while keeping it in operation until a reboot no longer impacts its current client support and operation.
  • Page 778 Figure 12-43 AP Upgrade screen - AP Image File 9. Select the Device Image File tab and refer to the following configuration parameters: Device Image Type Select the access point model to specify which model should be available to upgrade.
  • Page 779 Protocol Select the protocol to retrieve the image files. Available options include: • tftp - Select this option to specify a file location using Trivial File Transfer Protocol. A port and IP address or hostname are required. A path is optional. A valid hostname cannot contain an underscore.
  • Page 780 Figure 12-44 AP Upgrade screen - Upgrade Status screen 12. Refer to the following fields to understand the status of the number of devices being updated: Number of devices currently...
  • Page 781 Result Lists the state of an upgrade operation (downloading, waiting for a reboot etc.). Upgrade Time Displays whether the upgrade is immediate or set by an administrator for a specific time. This is helpful to ensure a sufficient number of devices remain in service at any given time.
  • Page 782: File Management

    Result Displays the current upgrade status for each listed access point. Possible states include: • Waiting • Downloading • Updating Scheduled • Reboot • Rebooting Done • Cancelled • Done •...
  • Page 783 Figure 12-46 Device Summary screen 4. Click File Management.
  • Page 784 Figure 12-47 Devices - File Management screen 5. The pane on the left of the screen displays the directory tree for the selected device. Use this tree to navigate around the...
  • Page 785 Figure 12-48 Devices - File Management screen 6. Refer to the following for more information: File Name Displays the name of the file. Size (Kb) Displays the size of the file in kilobytes. Last Modified Displays the timestamp for the last modification made to the file. File Type Displays the type of file.
  • Page 786 Click Proceed to delete the directory. All files in the selected directory also get deleted. Click Abort to exit without deleting the directory. 9. Click Transfer File to transfer files between the device and a remote server. The following window displays: Figure 12-50 File Management - File Transfer Dialog Use this dialog to transfer files between the device and a remote location.
  • Page 787 Protocol If Advanced is selected, choose the protocol for file management. Available options include: • tftp • ftp • sftp • http • cf • usb1 • usb2 • usb3 • usb4 This parameter is required only when Server is selected as the Source and Advanced is selected.
  • Page 788: Adopted Device Restart

    11. Select to begin the file transfer. Selecting Cancel reverts the screen to its last saved configuration. 12. To delete a file, select the file to be deleted and click the Delete File button.
  • Page 789: Captive Portal

    Figure 12-52 Devices - Adopted Device Restart screen 5. From the list of adopted devices, select the access point and select Reload. 6. Select Refresh to refresh the list of adopted access points on the screen. 12.1.10 Captive Portal Pages Devices A captive portal is an access policy that provides temporary and restrictive access to the access point managed wireless...
  • Page 790 2. Select Devices. 3. Use the navigation pane on the left to navigate to the device whose files are to be managed and select it. Figure 12-53 Device Summary screen 4. Select Captive Portal Pages.
  • Page 791 Figure 12-54 Devices Captive Portal Pages - AP Upload List screen 5. Use the Captive Portal List drop-down list to select the captive portal configuration to upload to the adopted access points. 6. Use the Scheduled Upload Time field to configure the time of the captive portal pages update.
  • Page 792 Figure 12-55 Devices Captive Portal Pages - CP Page Image File screen 10. Use the Captive Portal List drop-down list to select the captive portal configuration to upload to the adopted access points.
  • Page 793 IP Address If Advanced is selected, specify the IP address of the server used to transfer files. This option is not valid for cf, usb1, usb2, usb3 and usb4. If the IP address of the server is provided, a Hostname is not required. Hostname If needed, specify a Hostname of the server transferring the file.
  • Page 794: Managing Crypto CMP Certificates

    15. Refer to the Status tab to view the history of captive portal pages upload. Hostname Displays the hostname of the target device. Displays the factory assigned MAC address of the target device.
  • Page 795: Re-Elect Controller

    Use the Crypto Certificate Renewal screen to view and, if required, trigger certificate renewal for CMP certificates. 1. Refer to the following for more information on Crypto CMP Certificates: Hostname Lists the administrator assigned hostname of the CMP resource requesting a certificate renewal from the CMP CA server.
  • Page 796 Figure 12-58 Re-elect Controller screen 4. Refer to the Available APs column, and use the > button to move the selected access point into the list of Selected APs available for RF Domain Manager candidacy. Use the >>...
  • Page 797: Certificates

    12.2 Certificates Operations A certificate links identity information with a public key enclosed in the certificate. A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate.
  • Page 798 Figure 12-59 Certificate Management - Trustpoints screen The Trustpoints screen displays for the selected MAC address. 3. Refer to the Certificate Details to review certificate properties, self-signed credentials, validity period and CA information.
  • Page 799 Figure 12-60 Certificate Management - Import New Trustpoint screen 5. Define the following configuration parameters required for the Import of the Trustpoint: Import Select the type of Trustpoint to import. The following Trustpoints can be imported: • Import – Select to import any trustpoint. •...
  • Page 800 6. Define the following configuration to import the Trustpoint from a location on the network. To do so, select From Network and provide the following information. Provide the complete URL to the location of the trustpoint. This option is available by default.
  • Page 801 Figure 12-61 Certificate Management - Export Trustpoint screen 9. Define the following configuration parameters required for the Export of the trustpoint: Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual. Provide the complete URL to the location of the trustpoint.
  • Page 802: RSA Key Management

    Hostname Provide the hostname or numeric IPv4 or IPv6 formatted IP address of the server used to export the trustpoint. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
  • Page 803 Figure 12-62 Certificate Management - RSA Keys screen Each key can have its size and character syntax displayed. Once reviewed, optionally generate a new RSA key, import a key from a selected device, export a key to a remote location or delete a key from a selected device. 4.
  • Page 804 5. Select to generate the RSA key. Select Cancel to revert the screen to its last saved configuration. Key Name Enter the 32 character maximum name assigned to the RSA key.
  • Page 805 Protocol Select the protocol used for importing the target key. Available options include: • tftp • ftp • sftp • http • cf • usb1 • usb2 • usb3 • usb4 Port Use the spinner control to set the port. This option is not valid for cf and usb1 - 4. IP Address Enter the IP address of the server used to import the RSA key.
  • Page 806 Figure 12-65 Certificate Management - Export RSA Key screen 11. Define the following configuration parameters required for the Export of the RSA key: Key Name Enter the 32 character maximum name assigned to the RSA key.
  • Page 807: Certificate Creation

    IP Address If using Advanced settings, enter the IP address of the server used to export the RSA key. This option is not valid for cf and usb1 - 4. Hostname Provide the hostname or numeric IPv4 or IPv6 formatted address of the server used to export the RSA key.
  • Page 808 Figure 12-66 Certificate Management - Create Certificate screen 4. Define the following configuration parameters required to Create New Self-Signed Certificate: Certificate Name Enter the 32 character maximum name assigned to identify the name of the trustpoint associated with the certificate.
  • Page 809: Generating A Certificate Signing Request (CSR)

    State (ST) Enter a State/Prov. for the state or province name used in the certificate. This is a required field. City (L) Enter a City to represent the city name used in the certificate. This is a required field. Organization (O) Define an Organization for the organization used in the certificate.
  • Page 810 Figure 12-67 Certificate Management - Create CSR screen 4. Define the following configuration parameters required to Create New Certificate Signing Request (CSR): RSA Key: Use Existing Select the radio button and use the drop-down menu to select the existing key used by both the access point and the server (or repository) of the target RSA key.
  • Page 811 Organizational Unit (OU) Enter an Organizational Unit for the name of the organization unit used in the CSR. This is a required field. Common Name (CN) If there is a common name (IP address) for the organizational unit issuing the certificate, enter it here.
  • Page 812: Smart RF

    12.3 Smart RF Operations Self Monitoring At Run Time RF Management (Smart RF) is an innovation designed to simplify RF configurations for new deployments, while (over time) providing on-going deployment optimization and radio performance improvements.
  • Page 813 3. Refer to the following to determine whether Smart RF calibrations or interactive calibration is required: Hostname Displays the user friendly hostname assigned to each access point within the RF Domain. This value cannot be modified as a part of calibration activity. AP MAC Address Displays the hardware encoded MAC address assigned to each access point within the RF Domain.
  • Page 814 4. Select the Refresh button (as required) to update the contents of the Smart RF screen and the attributes of the devices within the RF Domain. CAUTION: Smart RF is not able to detect a voice call in progress, and will switch to a different channel resulting in voice call reconnections.
  • Page 815: Operations Deployment Considerations

    12.4 Operations Deployment Considerations Before defining the access point’s configuration using the Operations menu, refer to the following deployment guidelines to ensure the configuration is optimally effective: • If an access point’s (or its associated device’s) firmware is older than the version on the support site, update to the latest firmware version for full functionality and utilization.
  • Page 817: Chapter 13 Statistics

    CHAPTER 13 STATISTICS This chapter describes statistics displayed by the graphical user interface (GUI). Statistics are available for access points and their managed devices. A Smart RF statistical history is available to assess adjustments made to device configurations to compensate for detected coverage holes or device failures.
  • Page 818: System Statistics

    13.1 System Statistics Statistics The System screen displays information supporting managed devices. Use this information to assess the overall state of the devices comprising the system. System data is organized as follows: •...
  • Page 819 Figure 13-1 System - Health screen 4. The Devices field displays the total number of devices in the network. The pie chart is a proportional view of how many devices are functional and currently online. Green indicates online devices and red offline devices detected within the network.
  • Page 820: Inventory

    • 75 – 100 (Good). The RF Quality field displays the following: Worst 5 Displays five RF Domains with the lowest quality indices in the wireless controller managed network. The value can be interpreted as: •...
  • Page 821: Adopted Devices

    Figure 13-2 System - Inventory screen 4. The Devices field displays an exploded pie chart depicting controller, service platform and access point device type distribution by model. Use this information to assess whether these are the correct models for the original deployment objective.
  • Page 822 To view adopted AP statistics: 1. Select the Statistics menu from the Web UI. 2. Select the System node from the left navigation pane. 3. Select Adopted Devices from the left-hand side of the UI.
  • Page 823: Pending Adoptions

    13.1.4 Pending Adoptions System Statistics The Pending Adoptions screen displays those devices detected within the network coverage area that have yet to be adopted. Review these devices to assess whether they could provide radio coverage to wireless clients needing support. To view pending AP adoptions to the controller or service platform: 1.
  • Page 824: Offline Devices

    Add to Devices Select a listed AP and select the Add to Devices button to begin the adoption process for this detected AP. Refresh Click the Refresh button to update the list of pending adoptions.
  • Page 825: Device Upgrade

    Area Lists the administrator assigned deployment area where the offline device has been detected. Floor Lists the administrator assigned deployment floor where the offline device has been detected. Connected To Lists the offline device’s connected controller, service platform or peer model access point. Last Update Displays the date and time stamp of the last time the device was detected within the network.
  • Page 826: Licenses

    Device Hostname Lists the administrator assigned hostname of the device receiving an update. History ID Displays a unique timestamp for the upgrade event. Last Update Status Displays the initiation, completion or error status of each listed upgrade operation.
  • Page 827 Figure 13-7 System - Licenses screen 4. The Local Licenses table provides the following information: Cluster/Hostname Lists the administrator assigned cluster hostname whose license count and utilization is tallied in this Local Licenses table. AP Licenses Installed Lists the number of access point connections available to this device under the terms of the current license.
  • Page 828 Lent AAP Licenses Displays the number of Adaptive Access Point licenses lent (from this device) to a cluster member to compensate for an access point license deficiency. Total AAP Licenses Displays the total number of Adaptive Access Point connection licenses currently available to this device.
  • Page 829 Refer to the following license utilization data: Cluster/Hostname Lists the administrator assigned cluster hostname whose license count and utilization is listed and tallied for access points. AP Licenses Installed Lists the number of access point connections available to this peer access point under the terms of the current license.
  • Page 830: WIPS Summary

    13.1.8 WIPS Summary System Statistics The Wireless Intrusion Protection System (WIPS) provides continuous protection against wireless threats and acts as an additional layer of security complementing wireless VPNs and existing encryption and authentication policies. Controllers and service platforms support WIPS through the use of dedicated sensor devices, designed to actively detect and locate unauthorized AP devices.
  • Page 831 Number of Interfering APs Displays the number of devices exceeding the interference threshold in each listed RF Domain. Each RF Domain utilizes a WIPS policy with a set interference threshold (from -100 to -10 dBm). When a device exceeds this noise value, it is defined as an interfering access point capable of disrupting the signal quality of other sanctioned devices operating below an approved RSSI maximum value.
  • Page 832: RF Domain Statistics

    13.2 RF Domain Statistics Statistics The RF Domain screens display status for a selected RF domain. This includes the RF Domain health and device inventory, wireless clients and Smart RF functionality. RF Domains allow administrators to assign regional, regulatory and RF configuration to devices deployed in a common coverage area such as on a building floor, or site.
  • Page 833 Figure 13-10 RF Domain - Health screen 4. The Domain field displays the name of the RF Domain manager. The RF Domain manager is the focal point for the radio system and acts as a central registry of applications, hardware and capabilities. It also serves as a mount point for all the different pieces of the hardware system file.
  • Page 834 Radio ID Lists each radio’s administrator defined hostname and its radio designation (radio 1, radio 2 or radio 3). Radio Type Displays the radio type as either 5 GHz or 2.4 GHz.
  • Page 835: Inventory

    Total Packets Lists the total number of data packets transmitted and received within the access point RF Domain. User Data Rate Lists the average user data rate within the access point RF Domain. Bcast/Mcast Packets Displays the total number of broadcast/multicast packets transmitted and received within the access point RF Domain.
  • Page 836 Figure 13-11 RF Domain - Inventory screen The Device Types table displays the total members in the RF Domain. The exploded pie chart depicts the distribution of RF Domain members by controller and access point model type.
  • Page 837: Devices

    4. Refer to the WLANs table to review RF Domain WLAN, radio and client utilization. Use this information to help determine whether the WLANs within this RF Domain have an optimal radio and client utilization. 5. The Clients by Band bar graph displays the total number of RF Domain member clients by their IEEE 802.11 radio type.
  • Page 838: AP Detection

    Radio Count Displays the number of radios on each listed device. AP7131N models can support from 1-3 radios depending on the hardware SKU. AP6532, AP6522, AP6562, AP7131, AP7161, AP7181, AP7502, AP7522, AP7532, AP8122, AP8132, AP8222, AP8232 models have two radios.
  • Page 839: Wireless Clients

    13 - 23 SSID Displays the Service Set ID (SSID) of the network to which the detected access point belongs. First Seen Provides a timestamp of when the detected access point was first detected by an RF Domain member device. Top Reporter Hostname Lists the administrator assigned hostname of the top performing RF Domain member detecting the listed access point MAC address.
  • Page 840 13 - 24 WiNG 5.7.1 Access Point System Reference Guide 2. Select an RF Domain from under the System node on the top left-hand side of the screen. 3. Select Wireless Clients from the RF Domain menu. Figure 13-14 RF Domain - Wireless Clients screen...
  • Page 841: Device Upgrade

    13 - 25 WLAN Displays the name of the WLAN the wireless client is currently using for its interoperation within the RF Domain. VLAN Displays the VLAN ID the client’s connected access point has defined for use as a virtual interface.
  • Page 842: Wireless Lans

    13 - 26 WiNG 5.7.1 Access Point System Reference Guide The Device Upgrade screen displays the following for RF Domain member devices: Upgraded By Device Lists the name of the device performing an update on behalf of a peer device. Type Displays the model of the device receiving an update.
  • Page 843 13 - 27 Figure 13-16 RF Domain - Wireless LANs screen The Wireless LANs screen displays the following: WLAN Name Displays the name assigned to each WLAN upon its creation within the network. SSID Displays the Service Set ID (SSID) assigned to the WLAN upon its creation within the network. Traffic Index Displays the traffic utilization index of each listed WLAN, which measures how efficiently the traffic medium is used.
  • Page 844: Radios

    13 - 28 WiNG 5.7.1 Access Point System Reference Guide 13.2.8 Radios RF Domain Statistics The Radio screens display information on RF Domain member access point radios. Use these screens to troubleshoot radio issues negatively impacting RF Domain performance. For more information, refer to the following: •...
  • Page 845: Rf Statistics

    13 - 29 Access Point Displays the user assigned name of the RF Domain member access point on which the radio resides. AP7131N models can have from 1-3 radios depending on the SKU. AP6532, AP6522, AP6562, AP71XX, AP81XX and AP82XX models have two radios, while AP6511 and AP6521 models have 1 radio.
  • Page 846: Traffic Statistics

    13 - 30 WiNG 5.7.1 Access Point System Reference Guide Signal Displays the power of listed RF Domain member radio signals in dBm. Noise Lists the level of noise (in -X dBm format) reported by each listed RF Domain member access point.
  • Page 847 13 - 31 Figure 13-19 RF Domain - Radio Traffic Statistics screen The Radio Traffic screen displays the following: Radio Displays the name assigned to each listed RF Domain member access point radio. Each name displays as a link that can be selected to display radio information in greater detail. Tx Bytes Displays the total number of bytes transmitted by each RF Domain member access point radio.
  • Page 848: Mesh

    13 - 32 WiNG 5.7.1 Access Point System Reference Guide 13.2.9 Mesh RF Domain Statistics Mesh networking enables users to wirelessly access broadband applications anywhere (even in a moving vehicle). Initially developed for secure and reliable military battlefield communications, mesh technology supports public safety, public access and public works.
  • Page 849 13 - 33 1. Select the Statistics menu from the Web UI. 2. Select an RF Domain from under the System node on the top left-hand side of the screen. 3. Select Mesh Point. The MCX Geographical View displays by default. Figure 13-21 RF Domain - Mesh Point MCX Geographical View screen The MCX Geographical View screen displays a map on which icons for each device in the RF Domain are overlaid.
  • Page 850 13 - 34 WiNG 5.7.1 Access Point System Reference Guide Figure 13-22 RF Domain - Mesh Point MCX Logical View screen The Concentric and Hierarchical buttons define how the mesh point is displayed in the MCX Logical View screen. In the Concentric mode, the mesh is displayed as a concentric arrangement of devices with the root mesh at the centre and the other mesh devices arranged around it.
  • Page 851 13 - 35 Figure 13-23 RF Domain - Mesh Point Device Type screen The Root field displays the Mesh ID and MAC Address of the configured root mesh points in the RF Domain. 8. The Non Root field displays the Mesh ID and MAC Address of all configured non-root mesh points in the RF Domain.
  • Page 852 13 - 36 WiNG 5.7.1 Access Point System Reference Guide Meshpoint Identifier The MP identifier is used to distinguish between other mesh points both on the same device and on other devices. This is used by a user to set up the preferred root configuration.
  • Page 853 13 - 37 Sequence The sequence number, also known as the destination sequence number. It is updated whenever a mesh point receives new information about the sequence number from RREQ, RREP or RERR messages received for that destination. The Root tab displays the following: Mesh Point Name...
  • Page 854 13 - 38 WiNG 5.7.1 Access Point System Reference Guide Neighbor IFID The MAC Address used by the interface on the neighbor device to communicate with this device. This may define a particular radio or Ethernet port that communicates with this device over the mesh.
  • Page 855 13 - 39 Displays the number of milliseconds since the mesh point last heard from this neighbor. The Security tab displays the following: Mesh Point Name Displays the name of each configured mesh point in the RF Domain. Destination Addr The destination is the endpoint of the mesh path.
  • Page 856 13 - 40 WiNG 5.7.1 Access Point System Reference Guide Figure 13-24 RF Domain - Mesh Point Device Brief Info screen All Roots and Mesh Points field displays the following: Displays the MAC Address of each configured mesh point in the RF Domain.
  • Page 857 13 - 41 General tab displays the following: Mesh Point Name Displays the name of each configured mesh point in the RF Domain. Displays the MAC Address of each configured mesh point in the RF Domain. Hostname Displays the hostname for each configured mesh point in the RF Domain. Configured as Root A root mesh point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network.
  • Page 858 13 - 42 WiNG 5.7.1 Access Point System Reference Guide Mobility Displays whether the mesh point is a mobile or static node. Displays True when the device is mobile and False when the device is not mobile. Metric A measure of the quality of the path. A lower value indicates a better path.
  • Page 859 13 - 43 Timeout The timeout interval in seconds. The interpretation of this value varies depending on the value of the state. If the state is Init or In Progress, the timeout duration has no significance. If the state is Enabled, the timeout duration indicates the amount of time left before the security validity check is initiated.
  • Page 860 13 - 44 WiNG 5.7.1 Access Point System Reference Guide Rank The rank is the level of importance and is used for automatic resource management. 8 – The current next hop to the recommended root. 7 – Any secondary next hop to the recommended root that has a good potential route metric.
  • Page 861 13 - 45 Displays the age of the proxy connection for each of the mesh points in the RF Domain. Proxy Owner The owner (MPID) is used to distinguish the device that is the neighbor. Persistence Displays the persistence (duration) of the proxy connection for each of the mesh points in the RF Domain.
  • Page 862 13 - 46 WiNG 5.7.1 Access Point System Reference Guide Data Bytes (Bytes): Total Bytes Displays the total amount of data, in bytes, that has been transmitted and received by mesh points in the RF Domain. Data Packets Throughput (Kbps): Transmitted Displays the total amount of data, in packets, transmitted by mesh points in the RF Domain.
  • Page 863: Smart Rf

    13 - 47 Data Indicators: Max User Rate Displays the maximum user throughput rate for mesh points in the RF Domain. Data Distribution: Neighbor Count Displays the total number of neighbors known to the mesh points in the RF Domain. Data Distribution: Radio Displays the total number of neighbor radios known to the mesh points in the RF Domain.
  • Page 864 13 - 48 WiNG 5.7.1 Access Point System Reference Guide Figure 13-26 RF Domain - Smart RF Summary screen 5. The Channel Distribution field lists how RF Domain member devices are utilizing different channels to optimally support connected devices and avoid congestion and interference with neighboring devices. Assess whether the channel spectrum is being effectively utilized and whether channel changes are warranted to improve RF Domain member device performance.
  • Page 865 13 - 49 Power Changes Displays the number of Smart RF initiated power level changes reported for this top performing RF Domain member radio. Channel Changes Displays the number of Smart RF initiated channel changes reported for this top performing RF Domain member radio. Coverage Changes Displays the number of Smart RF initiated coverage changes reported for this top performing RF Domain member radio.
  • Page 866 13 - 50 WiNG 5.7.1 Access Point System Reference Guide Figure 13-27 RF Domain - Smart RF Details screen Refer to the Neighbors table to review the attributes of neighbor radio resources available for Smart RF radio compensations for other RF Domain member device radios. Individual access point hostnames can be selected and the RF Domain member radio can be reviewed in greater detail.
  • Page 867 13 - 51 Figure 13-28 RF Domain - Smart RF Energy Graph 12. Select Smart RF History to review the descriptions and types of Smart RF events impacting RF Domain member devices. Figure 13-29 RF Domain - Smart RF History screen The Smart RF History screen displays the following RF Domain member historical data: Time...
  • Page 868: Wips

    13 - 52 WiNG 5.7.1 Access Point System Reference Guide Type Lists a high-level description of the Smart RF activity initiated for an RF Domain member device. Description Provides a more detailed description of the Smart RF event in respect to the actual Smart RF calibration or adjustment made to compensate for detected coverage holes and interference.
  • Page 869: Wips Events

    13 - 53 The WIPS Client Blacklist screen displays the following: Event Name Displays the name of the blacklisting wireless intrusion event detected by an RF Domain member access point. Blacklisted Client Displays the MAC address of the unauthorized (blacklisted) client intruding on the RF Domain. Time Blacklisted Displays the time when the wireless client was blacklisted by an RF Domain member access point.
  • Page 870: Captive Portal

    13 - 54 WiNG 5.7.1 Access Point System Reference Guide Detector Radio Displays the access point radio number detecting the event. AP7131N models can have from 1-3 radios depending on the SKU. AP6532, AP6522, AP6562, AP7161, AP7181, AP7502, AP7522, AP7532, AP7562, AP8122, AP8132, AP8222 and AP8232 models have 2 radios, while AP6511 and AP6521 models have 1 radio.
  • Page 871 13 - 55 Hostname Lists the administrator assigned hostname of the device requesting captive portal access to the network’s RF Domain resources. Client IP Displays the IP address of each listed client using its connected RF Domain member access point for captive portal access. Client IPv6 Displays any IPv6 formatted address of any listed client using its connected RF Domain member access point for captive portal access.
  • Page 872: Access Point Statistics

    13 - 56 WiNG 5.7.1 Access Point System Reference Guide 13.3 Access Point Statistics Statistics The access point statistics screens display controller or service platform connected access point performance, health, version, client support, radio, mesh, interface, DHCP, firewall, WIPS, sensor, captive portal, NTP and load information. Access point statistics consist of the following: •...
  • Page 873: Health

    13 - 57 • Environmental Sensors (AP8132 Models Only) 13.3.1 Health Access Point Statistics The Health screen displays a selected access point’s hardware version and software version. Use this information to fine tune the performance of an access point. This screen should also be the starting point for troubleshooting an access point since it is designed to present a high level display of access point performance efficiency.
  • Page 874 13 - 58 WiNG 5.7.1 Access Point System Reference Guide Device Details field displays the following information: Hostname Displays the AP’s unique name as assigned within the network. A hostname is assigned to a device connected to a computer network.
  • Page 875: Device

    13 - 59 Client MAC Displays the MAC addresses of the clients with the lowest RF indices. Retry Rate Displays the average number of retries per packet. A high number indicates possible network or hardware problems. 4. Select the Refresh button as needed to update the screen’s statistics counters to their latest values.
  • Page 876 13 - 60 WiNG 5.7.1 Access Point System Reference Guide Fallback Enabled Displays whether this option is enabled. This method enables a user to store a known legacy version and a new version in device memory. The user can test the new software, and use an automatic fallback, which loads the old version on the access point if the new version fails.
  • Page 877 13 - 61 The IP Domain field displays the following: IP Domain Name Displays the name of the IP Domain service used with the selected access point. IP Domain Lookup state Lists the current state of an IP lookup operation. The IP Name Servers field displays the following: Name Server Displays the names of the servers designated to provide DNS resources to this access point.
  • Page 878: Web-Filtering

    13 - 62 WiNG 5.7.1 Access Point System Reference Guide 13.3.3 Web-Filtering Access Point Statistics The Web-Filtering screen displays information on Web requests for content and whether the requests were blocked or approved based on URL filter settings defined for the selected access point. A URL filter is comprised of several filter rules (whitelist and/or blacklist rules).
  • Page 879 13 - 63 The Top Categories field helps administrators assess the content most requested, blocked and approved based on the defined whitelist and blacklist permissions: Top Categories - Requested Lists those Web content categories most requested by clients managed by this access point. Use this information to assess whether the permissions defined in the blacklist and whitelist optimally support these client requests for cached Web content.
  • Page 880: Device Upgrade

    13 - 64 WiNG 5.7.1 Access Point System Reference Guide 13.3.4 Device Upgrade Access Point Statistics The Device Upgrade screen displays information about devices receiving updates and the devices used to provision them. Use this screen to gather version data, install firmware images, boot an image and upgrade status.
  • Page 881: Adoption

    13 - 65 13.3.5 Adoption Access Point Statistics Access point adoption stats are available for both currently adopted access points and access points pending adoption. Historical data can also be fetched for adopted access points. For more information, refer to the following: •...
  • Page 882: Ap Adoption History

    13 - 66 WiNG 5.7.1 Access Point System Reference Guide RF Domain Name Displays each access point’s RF Domain membership. An access point can only share RF Domain membership with other access points of the same model. Model Number Displays each listed access point’s numeric model (AP6532, AP6511 etc.).
  • Page 883: Ap Self Adoption History

    13 - 67 Event Time Displays the day, date and time for each access point adoption attempt. Refresh Select the Refresh button to update the screen’s statistics counters to their latest values. 13.3.5.3 AP Self Adoption History Adoption The AP Self Adoption History screen displays an event history of peer access points that have adopted to the selected access point. 1.
  • Page 884 13 - 68 WiNG 5.7.1 Access Point System Reference Guide 2. Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain and select one of its connected access points. 3. Expand the Adoption menu item.
  • Page 885: Ap Detection

    13 - 69 13.3.6 AP Detection Access Point Statistics The AP Detection screen displays potentially hostile access points, their SSIDs, reporting AP, and so on. Continuously revalidating the credentials of detected devices reduces the possibility of an access point hacking into the network. To view the AP detection statistics: 1.
  • Page 886 13 - 70 WiNG 5.7.1 Access Point System Reference Guide RSSI Lists a relative signal strength indication (RSSI) for a detected (and perhaps unsanctioned) access point. Last Seen Displays the time (in seconds) the unsanctioned access point was last seen on the network.
  • Page 887: Wireless Clients

    13 - 71 13.3.7 Wireless Clients Access Point Statistics The Wireless Clients screen displays credential information for wireless clients associated with an access point. Use this information to assess if configuration changes are required to improve network performance. To view wireless client statistics: 1.
  • Page 888 13 - 72 WiNG 5.7.1 Access Point System Reference Guide AP Hostname Displays the administrator assigned hostname of the access point to which this access point is adopted. Radio MAC Displays the MAC address of the radio which the wireless client is using.
  • Page 889: Wireless Lans

    13 - 73 13.3.8 Wireless LANs Access Point Statistics The Wireless LANs screen displays an overview of access point WLAN utilization. This screen displays access point WLAN assignment, SSIDs, traffic utilization, number of radios the access point is utilizing on the WLAN and transmit and receive statistics.
  • Page 890 13 - 74 WiNG 5.7.1 Access Point System Reference Guide Rx Bytes Displays the average number of packets in bytes received on each listed WLAN. Rx User Data Rate Displays the received user data rate on each listed WLAN. Disconnect All...
  • Page 891: Policy Based Routing

    13 - 75 13.3.9 Policy Based Routing Access Point Statistics The Policy Based Routing statistics screen displays statistics for selective path packet redirection. PBR can optionally mark traffic for preferential services (QoS). PBR is applied to incoming routed packets, and a route-map is created containing a set of filters and associated actions.
  • Page 892 13 - 76 WiNG 5.7.1 Access Point System Reference Guide Secondary Next Hop State Displays whether the secondary hop is applied to incoming routed packets (UP/UNREACHABLE). Default Next Hop If a packet subjected to PBR does not have an explicit route to the destination, the configured default next hop is used.
  • Page 893: Radios

    13 - 77 13.3.10 Radios Access Point Statistics The Radio statistics screens display information on access point radios. The actual number of radios depends on the access point model and type. This screen displays information on a per radio basis. Use this information to refine and optimize the performance of each radio and therefore improve network performance.
  • Page 894: Rf Statistics

    13 - 78 WiNG 5.7.1 Access Point System Reference Guide Figure 13-45 Access Point - Radio Status screen The radio Status screen provides the following information: Radio Displays the name assigned to the radio as its unique identifier. The name displays in the form of a link that can be selected to launch a detailed screen containing radio throughput data.
  • Page 895 13 - 79 Figure 13-46 Access Point - Radio RF Statistics screen The RF Statistics screen lists the following: Radio Displays the name assigned to the radio as its unique identifier. The name displays in the form of a link that can be selected to launch a detailed screen containing radio throughput data. Signal Displays the radio’s current power level in -dBm.
  • Page 896: Traffic Statistics

    13 - 80 WiNG 5.7.1 Access Point System Reference Guide 13.3.10.3 Traffic Statistics Radios Refer to the Traffic Statistics screen to review access point radio transmit and receive statistics, data rate, and packets dropped during both transmit and receive operations.
  • Page 897 13 - 81 Tx Dropped Displays the total number of transmitted packets dropped by each listed radio. This includes all user data as well as management overhead packets that were dropped. Traffic Index Displays the traffic utilization index of each listed radio, which measures how efficiently the traffic medium is used.
  • Page 898: Mesh

    13 - 82 WiNG 5.7.1 Access Point System Reference Guide 13.3.11 Mesh Access Point Statistics The Mesh screen provides detailed statistics on each Mesh capable client available within the selected access point’s radio coverage area. To view the Mesh statistics: 1.
  • Page 899: Interfaces

    13 - 83 13.3.12 Interfaces Access Point Statistics The Interface screen provides detailed statistics on each of the interfaces available on the selected access point. Use this screen to review the statistics for each interface. Interfaces vary amongst supported access point models. To review access point interface statistics: 1.
  • Page 900: General Interface Details

    13 - 84 WiNG 5.7.1 Access Point System Reference Guide • IPv6 Address • Multicast Groups Joined • Network Graph 13.3.12.1 General Interface Details Interfaces The General tab provides information on a selected access point interface such as its MAC address, type and TX/RX statistics.
  • Page 901 13 - 85 Admin Speed Displays the speed the port can transmit or receive. This value can be either 10, 100, 1000 or Auto. This value is the maximum port speed in Mbps. Auto indicates the speed is negotiated between connected devices. Operator Speed Displays the current speed of data transmitted and received over the interface.
  • Page 902 13 - 86 WiNG 5.7.1 Access Point System Reference Guide MAC Receive Error Displays the number of received packets that failed due to an internal MAC sublayer (that’s not a late collision), an excessive number of collisions or a carrier sense error.
  • Page 903: Ipv6 Address

    13 - 87 13.3.12.2 IPv6 Address Interfaces IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
  • Page 904 13 - 88 WiNG 5.7.1 Access Point System Reference Guide Preferred Lifetime (seconds) Lists the time in seconds (relative to when the packet is sent) the IPv6 formatted addresses remain in a preferred state on the selected interface. The preferred lifetime must always be less than or equal to the valid lifetime.
  • Page 905 13 - 89 Preferred Lifetime (seconds) Lists the time in seconds (relative to when the packet is sent) the local link addresses remain in the preferred state on the selected interface. The preferred lifetime must always be less than or equal to the valid lifetime. Valid Lifetime (seconds) Displays the time in seconds (relative to when the packet is sent) the local link addresses remain in the valid state on the selected interface.
  • Page 906: Multicast Groups Joined

    13 - 90 WiNG 5.7.1 Access Point System Reference Guide 9. Verify the following IPv6 Transmit Errors data: Transmit Errors Displays the number of transmit errors in the packets sent on the selected interface since the screen was last refreshed.
  • Page 907 13 - 91 Figure 13-52 Access Point- Interface Multicast Groups Joined screen 5. The screen displays the following information: Group Lists the name of existing multicast groups whose current members share multicast packets with one another on this selected interface as a means of collective interoperation.
  • Page 908: Network Graph

    13 - 92 WiNG 5.7.1 Access Point System Reference Guide 13.3.12.4 Network Graph Interfaces The Network Graph displays statistics the access point continuously collects for its interfaces. Even when the interface statistics graph is closed, data is still collected. Display the interface statistics graph periodically for assessing the latest interface information.
  • Page 909: Rtls

    13 - 93 13.3.13 RTLS Access Point Statistics The real time locationing system (RTLS) enables accurate location determination and presence detection capabilities for Wi-Fi-based devices, Wi-Fi-based active RFID tags and passive RFID tags. While the operating system does not support locationing locally, it does report the locationing statistics of both Aeroscout and Ekahau tags.
  • Page 910 13 - 94 WiNG 5.7.1 Access Point System Reference Guide Displays the number of location based service (LBS) frames received from RTLS supported radio devices providing locationing services. AP Status Provides the status of peer access points providing locationing assistance.
  • Page 911: Pppoe

    13 - 95 13.3.14 PPPoE Access Point Statistics The PPPoE statistics screen displays stats derived from the AP’s access to high-speed data and broadband networks. PPPoE uses standard encryption, authentication, and compression methods as specified by the PPPoE protocol. PPPoE enables access points to establish a point-to-point connection to an ISP over an existing Ethernet interface.
  • Page 912 13 - 96 WiNG 5.7.1 Access Point System Reference Guide Client Idle Timeout The access point uses the listed timeout so it does not sit idle waiting for input from the PPPoE client and the server, that may never come.
  • Page 913: Ospf

    13 - 97 13.3.15 OSPF Access Point Statistics Open Shortest Path First (OSPF) is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology.
  • Page 914: Ospf Summary

    13 - 98 WiNG 5.7.1 Access Point System Reference Guide 13.3.15.1 OSPF Summary OSPF To view OSPF summary statistics: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation.
  • Page 915 13 - 99 ABR/ASBR Lists Autonomous System Boundary Router (ASBR) data relevant to OSPF routing, including the ASBR, ABR and ABR type. An Area Border Router (ABR) is a router that connects one or more areas to the main backbone network. It is considered a member of all areas it is connected to. An ABR keeps multiple copies of the link-state database in memory, one for each area to which that router is connected. An ASBR is a router connected to more than one routing protocol and exchanges routing information with routers in other protocols.
  • Page 916: Ospf Neighbors

    13 - 100 WiNG 5.7.1 Access Point System Reference Guide 13.3.15.2 OSPF Neighbors OSPF OSPF establishes neighbor relationships to exchange routing updates with other routers. An access point supporting OSPF sends hello packets to discover neighbors and elect a designated router. The hello packet includes link state information and a list of neighbors.
  • Page 917: Ospf Area Details

    13 - 101 Request Count Lists the connection request count (hello packets) to connect to the router interface, discover neighbors and elect a designated router. Retransmit Count Lists the connection retransmission count attempted in order to connect to the router interface, discover neighbors and elect a designated router.
  • Page 918 13 - 102 WiNG 5.7.1 Access Point System Reference Guide Figure 13-58 Access Point - OSPF Area Details tab The Area Details tab describes the following: OSPF Area ID Displays either the integer (numeric ID) or IP address assigned to the OSPF area as a unique identifier.
  • Page 919: Ospf Route Statistics

    13 - 103 NSSA LSA Routers in a Not-so-stubby-area (NSSA) do not receive external LSAs from Area Border Routers, but are allowed to send external routing information for redistribution. They use type 7 LSAs to tell the ABRs about these external routes, which the Area Border Router then translates to type 5 external LSAs and floods as normal to the rest of the OSPF network.
  • Page 920 13 - 104 WiNG 5.7.1 Access Point System Reference Guide Figure 13-59 Access Point - OSPF External Routes tab External routes are external to the area, originate from other routing protocols (or different OSPF processes) and are inserted into OSPF using redistribution. A stub area is configured not to carry external routes. Each external route can be tagged by the advertising router, enabling the passing of additional information between routers.
  • Page 921 13 - 105 Figure 13-60 Access Point - OSPF Network Routes tab Network routes support more than two routers, with the capability of addressing a single physical message to all attached routers (broadcast). Neighboring routers are discovered dynamically using OSPF hello messages. This use of the hello protocol takes advantage of broadcast capability.
  • Page 922: Ospf Interface

    13 - 106 WiNG 5.7.1 Access Point System Reference Guide 8. Select the Refresh button (within any of the four OSPF Routes tabs) to update the statistics counters to their latest values. 13.3.15.5 OSPF Interface OSPF An OSPF interface is the connection between a router and one of its attached networks. An interface has state information associated with it, which is obtained from the underlying lower level protocols and the routing protocol itself.
  • Page 923: Ospf State

    13 - 107 OSPF Enabled Lists whether OSPF has been enabled for each listed interface. OSPF is disabled by default. UP/DOWN Displays whether the OSPF interface (the dynamic route) is currently up or down for each listed interface. An OSPF interface is the connection between a router and one of its attached networks. 5.
  • Page 924 13 - 108 WiNG 5.7.1 Access Point System Reference Guide OSPF ignore state monitor timeout Displays the timeout that, when exceeded, prohibits the access point from detecting changes to the OSPF link state. OSPF ignore Displays the timeout value that the access point remains in the ignore state.
  • Page 925: L2Tpv3 Tunnels

    13 - 109 13.3.16 L2TPv3 Tunnels Access Point Statistics Access points use L2TP V3 to create tunnels for transporting layer 2 frames. L2TP V3 enables an access point to create tunnels for transporting Ethernet frames to and from bridge VLANs and physical ports. L2TP V3 tunnels can be defined between WiNG devices and other devices supporting the L2TP V3 protocol.
  • Page 926 13 - 110 WiNG 5.7.1 Access Point System Reference Guide Peer Host Name Lists the assigned peer hostname used as matching criteria in the tunnel establishment process. Peer Control Connection ID Displays the numeric identifier for the tunnel session. This is the peer pseudowire ID for the session.
  • Page 927: Vrrp

    13 - 111 13.3.17 VRRP Access Point Statistics The VRRP statistics screen displays Virtual Router Redundancy Protocol (VRRP) configuration statistics supporting router redundancy in a wireless network requiring high availability. To review a selected access point’s VRRP statistics: 1. Select the Statistics menu from the Web UI.
  • Page 928 13 - 112 WiNG 5.7.1 Access Point System Reference Guide Interface Name Displays the interfaces selected on the access point to supply VRRP redundancy failover support. Version Displays VRRP version 3 (RFC 5798) or 2 (RFC 3768) as selected to set the router redundancy.
  • Page 929: Critical Resources

    13 - 113 13.3.18 Critical Resources Access Point Statistics The Critical Resources statistics screen displays a list of device IP addresses on the network (gateways, routers etc.). These IP addresses are critical to the health of the network. These device addresses are pinged regularly by managed access points. If there is a connectivity issue, an event is generated stating a critical resource is unavailable.
  • Page 930 13 - 114 Error Reason Provides an error status as to why the critical resource is not available over its designated VLAN. Mode Displays the operational mode of each listed critical resource. Refresh...
  • Page 931: LDAP Agent Status

    13 - 115 13.3.19 LDAP Agent Status Access Point Statistics When LDAP has been specified as an external resource (as opposed to local access point RADIUS resources) to validate PEAP-MS-CHAP v2 authentication requests, user credentials and password information needs to be made available locally to successfully connect to the external LDAP server.
  • Page 932 13 - 116 Status Displays whether the access point has successfully joined the remote LDAP server domain designated to externally validate PEAP-MS-CHAP v2 authentication requests. Refresh Select Refresh to update the statistics counters to their latest values.
  • Page 933: Guest Users

    13 - 117 13.3.20 Guest Users Access Point Statistics A captive portal is an access policy for providing guests temporary and restrictive access to the wireless network. A captive portal configuration provides secure authenticated access using a standard Web browser. Captive portals provide authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the network.
  • Page 934 13 - 118 Configured Uplink Rate (kbps) If the user does not have a bandwidth based voucher, the time configured and remaining are labeled as unlimited. Current Downlink Rate (kbps) Displays the current download rate for the guest user in Kilobytes per second. This value should not exceed the configured downlink rate.
  • Page 935: GRE Tunnels

    13 - 119 13.3.21 GRE Tunnels Access Point Statistics Generic Routing Encapsulation (GRE) is one of the available tunneling mechanisms which uses IP as the transport protocol and can be used for carrying many different passenger protocols. The tunnels behave as virtual point-to-point links that have two endpoints identified by the tunnel source and tunnel destination addresses at each endpoint.
  • Page 936 13 - 120 Refresh Select the Refresh button to update the screen’s statistics counters to their latest value.
  • Page 937: Dot1x

    13 - 121 13.3.22 Dot1x Access Point Statistics Dot1x (or 802.1x) is an IEEE standard for network authentication. Devices supporting Dot1x allow the automatic provision and connection to the wireless network without launching a Web browser at login. When within range of a Dot1x network, a device automatically connects and authenticates without needing to manually log in.
  • Page 938 13 - 122 5. Review the following Dot1x Auth Ports utilization information: Name Lists the access point ge ports subject to automatic connection and authentication using Dot1x. Auth SM Lists the current authentication state of the listed port.
  • Page 939: Network

    13 - 123 13.3.23 Network Access Point Statistics Use the Network screen to view information for performance statistics for ARP, DHCP, Routing and Bridging. For more information, refer to the following: • ARP Entries • Route Entries • Default Routes • Bridge •...
  • Page 940: Route Entries

    13 - 124 Figure 13-71 Access Point - Network ARP screen ARP Entries screen describes the following: IP Address Displays the IP address of the client resolved on behalf of the access point.
  • Page 941: Default Routes

    13 - 125 Figure 13-72 Access Point - Network Route Entries screen Route Entries screen supports the following: Destination Displays the IP address of the destination route address. FLAGS The flag signifies the condition of the direct or indirect route. A direct route is where the destination is directly connected to the forwarding host.
  • Page 942 13 - 126 4. Select Default Routes. The IPv4 Default Routes tab displays by default. Figure 13-73 Access Point - Network IPv4 Default Routes screen IPv4 Default Routes screen provides the following information:...
  • Page 943: Bridge

    13 - 127 Figure 13-74 Access Point - Network IPv6 Default Routes screen IPv6 Default Routes screen provides the following information: Gateway Address Lists the IP address of the gateway resource used with the listed route. Installed A green checkmark defines the listed IPv6 default route as currently installed on the controller or service platform.
  • Page 944 13 - 128 • Issues IP addresses • Throttles bandwidth • Permits access to other networks • Times out old logins The Bridging screen also provides information about the Multicast Router (MRouter), which is a router program that distinguishes between multicast and unicast packets and how they should be distributed along the Multicast Internet.
  • Page 945: IGMP

    13 - 129 13.3.23.5 IGMP Network Internet Group Management Protocol (IGMP) is a protocol used for managing members of IP multicast groups. The access point listens to IGMP network traffic and forwards the IGMP multicast packets to radios on which the interested hosts are connected. On the wired side of the network, the access point floods all the wired interfaces.
  • Page 946: MLD

    13 - 130 Port Members Displays the ports on which multicast clients have been discovered by the multicast router. For example, ge1, radio1, etc. MiNT IDs Lists MiNT IDs for each listed VLAN. MiNT provides the means to secure access point profile communications at the transport layer.
  • Page 947 13 - 131 Figure 13-77 Access Point - Network MLD screen Multicast Listener Discovery (MLD) Group field describes the following: VLAN Displays the group VLAN where the MLD groups multicast transmission is conducted. Group Address Displays the Multicast Group ID supporting the statistics displayed. This group ID is the multicast address hosts are listening to.
  • Page 948: Dhcp Options

    13 - 132 IPv6 Multicast Router (MRouter) field describes the following: VLAN Displays the group VLAN where the multicast transmission is conducted. MiNT IDs Lists MiNT IDs for each listed VLAN. MiNT provides the means to secure communications at the transport layer.
  • Page 949: Cisco Discovery Protocol

    13 - 133 Figure 13-78 Access Point - Network DHCP Options screen DHCP Options screen displays the following: Server Information Displays the DHCP server hostname used on behalf of the access point. Image File Displays the image file name. BOOTP or the bootstrap protocol can be used to boot diskless clients.
  • Page 950 13 - 134 Figure 13-79 Access Point - Network CDP screen Cisco Discovery Protocol screen displays the following: Capabilities Displays the capabilities code for the device. Device ID Displays the configured device ID or name for each listed device.
  • Page 951: Link Layer Discovery Protocol

    13 - 135 Figure 13-80 Access Point - Network LLDP screen Link Layer Discovery Protocol screen displays the following: Capabilities Displays the capabilities code for the device as either Router, Trans Bridge, Source Route Bridge, Host, IGMP or Repeater. Device ID Displays the configured device ID or name for each device in the table.
  • Page 952: IPv6 Neighbor

    13 - 136 Neighbor solicitation messages also verify the availability of a neighbor once its link layer address is identified. When a node wants to verify the reachability of a neighbor, the destination address in a neighbor solicitation message is the unicast address of the neighbor.
  • Page 953 13 - 137 Type Displays the device type for the neighbor solicitation. Neighbor solicitations request the link layer address of a target node while providing the sender’s own link layer address to the target. Neighbor solicitations are multicast when the node needs to resolve an address and unicast when the node seeks to verify the reachability of a neighbor.
  • Page 954: MSTP

    13 - 138 13.3.23.11 MSTP Network The Multiple Spanning Tree Protocol (MSTP) provides an extension to RSTP to optimize the usefulness of VLANs. MSTP allows for a separate spanning tree for each VLAN group, and blocks all but one of the possible alternate paths within each spanning tree topology.
  • Page 955 13 - 139 Figure 13-82 Access Point - Network MSTP screen MST Config field displays the name assigned to the MSTP configuration, its digest, format ID, name and revision. MST Bridge field lists the filters and guards that have been enabled and whether CISCO interoperability is enabled. MST Bridge Port Detail field lists specific access point port status and their current state.
  • Page 956: DHCPv6 Relay & Client

    13 - 140 13.3.23.12 DHCPv6 Relay & Client Network DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. DHCPv6 relay agents receive messages from clients and forward them to a DHCPv6 server. The server sends responses back to the relay agent and the relay agent sends the responses to the client on the local link.
  • Page 957: Dhcp Server

    13 - 141 5. The DHCPv6 Client Received Options table defines the following: Client Identifier Lists whether the reporting client is using a hardware address or client identifier as its identifier type within requests to the DHCPv6 server. Server Identifier Displays the server identifier supporting client DHCPv6 relay message reception.
  • Page 958 13 - 142 4. Select General. Figure 13-84 Access Point - DHCP Server General screen 5. The DHCPv4 Status and DHCPv6 Status tables define the following: Interfaces Displays the controller or service platform interface used with the DHCPv4 or DHCPv6 resource for IP address provisioning.
  • Page 959: Dhcp Server Bindings

    13 - 143 13.3.24.2 DHCP Server Bindings DHCP Server The DHCP Binding screen displays DHCP binding expiry time, client IP addresses and their MAC address. To view a network’s DHCP Bindings: 1. Select the Statistics menu from the Web UI. 2.
  • Page 960 13 - 144 The Networks screen provides network pool information such as the subnet for the addresses you want to use from the pool, the pool name, the used addresses and the total number of addresses.
  • Page 961: Firewall

    13 - 145 13.3.25 Firewall Access Point Statistics A firewall is a part of a computer system or network designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit or deny access to the controller or service platform managed network based on a defined set of rules.
  • Page 962: Denial Of Service

    13 - 146 Figure 13-87 Access Point - Firewall Packet Flows screen 13.3.25.2 Denial of Service Firewall A denial-of-service attack (DoS attack) or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users.
  • Page 963: IP Firewall Rules

    13 - 147 Figure 13-88 Access Point - Firewall Denial of Service screen Denial of Service screen displays the following: Attack Type Displays the Denial of Service (DoS) attack type. Count Displays the number of times the access point’s firewall has detected each listed DoS attack. Last Occurrence Displays when the attack event was last detected by the access point firewall.
  • Page 964: IPv6 Firewall Rules

    13 - 148 Figure 13-89 Access Point - Firewall IP Firewall Rules screen IP Firewall Rules screen displays the following: Precedence Displays the precedence value applied to packets. The rules within an Access Control Entries (ACL) list are based on precedence values.
  • Page 965: MAC Firewall Rules

    13 - 149 Figure 13-90 Access Point - Firewall IPv6 Firewall Rules screen IPv6 Firewall Rules screen displays the following: Precedence Displays the precedence (priority) applied to IPv6 formatted packets. Unlike IPv4, IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet.
  • Page 966: NAT Translations

    13 - 150 Figure 13-91 Access Point - Firewall MAC Firewall Rules screen MAC Firewall Rules screen displays the following information: Precedence Displays a precedence value, which is applied to packets. The rules within an Access Control Entries (ACL) list are based on their precedence.
  • Page 967: DHCP Snooping

    13 - 151 2. Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain and select one of its connected access points. 3. Select Firewall and expand the menu to reveal its sub menu items.
  • Page 968 13 - 152 2. Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain and select one of its connected access points. 3. Select Firewall and expand the menu to reveal its sub menu items.
  • Page 969: IPv6 Neighbor Snooping

    13 - 153 13.3.25.8 IPv6 Neighbor Snooping Firewall IPv6 snooping bundles layer 2 IPv6 hop security features, such as IPv6 neighbor discovery (ND) inspection, IPv6 address gleaning and IPv6 device tracking. When IPv6 ND is configured on a device, packet capture instructions redirect the ND protocol and DHCP for IPv6 traffic up to the controller for inspection.
  • Page 970 13 - 154 Snoop Id Lists a numeric snooping ID associated with each packet inspection snooping session conducted by the controller or service platform. Time Elapsed Since Displays the amount of time elapsed since the DHCPv6 server was last updated.
  • Page 971: VPN

    13 - 155 13.3.26 VPN Access Point Statistics IPSec VPN provides a secure tunnel between two networked peer controllers or service platforms. Administrators can define which packets are sent within the tunnel, and how they are protected. When a tunnelled peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its remote peer destination.
  • Page 972: IPsec

    13 - 156 5. Review the following VPN peer security association statistics: Peer Lists peer IDs for peers sharing security associations (SA) for tunnel interoperability. When a peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its destination.
  • Page 973 13 - 157 5. Review the following VPN peer security association statistics: Peer Lists IP addresses for peers sharing security associations (SAs) for tunnel interoperability. When a peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its destination.
  • Page 974: Certificates

    13 - 158 13.3.27 Certificates Access Point Statistics The Secure Socket Layer (SSL) protocol ensures secure transactions between Web servers and browsers. SSL uses a third-party certificate authority to identify one (or both) ends of a transaction. A browser checks the certificate issued by the server before establishing a connection.
  • Page 975 13 - 159 Figure 13-97 Access Point - Certificate Trustpoint screen Certificate Details field displays the following: Subject Name Lists details about the entity to which the certificate is issued. Alternate Subject Name Displays alternative details to the information specified under the Subject Name field. Issuer Name Displays the name of the organization issuing the certificate.
  • Page 976: RSA Keys

    13 - 160 Server Certificate Present Displays whether a server certificate is present or not (Yes/No). CRL Present Displays whether a Certificate Revocation List (CRL) is present (Yes/No). A CRL contains a list of subscribers paired with digital certificate status.
  • Page 977 13 - 161 Figure 13-98 Access Point - Certificate RSA Keys screen RSA Key Details field displays the size (in bits) of the desired key. If not specified, a default key size of 1024 is used. RSA Public Key field lists the public key used for encrypting messages. 5.
  • Page 978: WIPS

    13 - 162 13.3.28 WIPS Access Point Statistics A Wireless Intrusion Prevention System (WIPS) monitors the radio spectrum for the presence of unauthorized access points and takes measures to prevent an intrusion. Unauthorized attempts to access a controller or service platform managed WLAN are generally accompanied by anomalous behavior as intruding clients try to find network vulnerabilities.
  • Page 979: WIPS Events

    13 - 163 Blacklisted Client Displays the MAC address of the unauthorized and blacklisted device intruding this access point’s radio coverage area. Time Blacklisted Displays the time when the client was blacklisted by this access point. Total Time Displays the time the unauthorized (now blacklisted) device remained in this access point’s WLAN.
  • Page 980 13 - 164 Clear All Select the Clear All button to clear the screen of its current status and begin a new data collection. Refresh Select the Refresh button to update the screen’s statistics counters to their latest values.
  • Page 981: Sensor Servers

    13 - 165 13.3.29 Sensor Servers Access Point Statistics Sensor servers allow the monitoring and download of data from multiple sensors and remote locations using Ethernet TCP/IP or serial communication. Repeaters are available to extend the transmission range and combine sensors with various frequencies on the same receiver.
  • Page 982: Bonjour Services

    13 - 166 13.3.30 Bonjour Services Access Point Statistics Bonjour is Apple’s implementation of zero-configuration networking (Zeroconf). Zeroconf is a group of technologies that include service discovery, address assignment and hostname resolution. Bonjour locates devices such as printers, other computers and services that these computers offer over a local network.
  • Page 983 13 - 167 VLAN Type Displays local if the VLAN on which a service is advertised is local to this network. Displays tunneled otherwise. Expiry Displays the time at which the advertised service expires. 4. Select Refresh to refresh the displayed statistics.
  • Page 984: Captive Portal

    13 - 168 13.3.31 Captive Portal Access Point Statistics A captive portal forces an HTTP client to use a special Web page for authentication before using the Internet. A captive portal turns a Web browser into a client authenticator. This is done by intercepting packets regardless of the address or port, until the user opens a browser and tries to access the Internet.
  • Page 985 13 - 169 VLAN Displays the name of the access point VLAN the requesting client uses as a virtual interface for captive portal sessions. Remaining Time Displays the time after which the client is disconnected from the captive portal hosted Internet, and access point connectivity. Refresh Select the Refresh button to update the screen’s statistics counters to their latest values.
  • Page 986: Network Time

    13 - 170 13.3.32 Network Time Access Point Statistics Network Time Protocol (NTP) is central to networks that rely on their access point(s) to supply system time. Without NTP, access point supplied network time is unpredictable, which can result in data loss, failed processes, and compromised security. With network speed, memory, and capability increasing at an exponential rate, the accuracy, precision, and synchronization of network time is essential in an access point managed enterprise network.
  • Page 987: NTP Association

    13 - 171 Precision Displays the precision of the time clock (in Hz). The values that normally appear in this field range from -6, for mains-frequency clocks, to -20 for microsecond clocks. Reference Time Displays the time stamp the access point’s clock was last synchronized or corrected. Reference Displays the address of the time source the access point is synchronized to.
  • Page 988: Load Balancing

    13 - 172 NTP Association screen displays the following: Delay Time Displays the round-trip delay (in seconds) for broadcasts between the NTP server and the access point. Display Displays the time difference between the peer NTP server and the access point’s clock.
  • Page 989 13 - 173 Figure 13-106 Access Point - Load Balancing screen Load Balancing screen displays the following: Load Balancing Select any of the options to display any or all of the following information in the graph below: AP Load, 2.4GHz Load, 5GHz Load, and Channel. The graph section displays the load percentages for each of the selected variables over a period of time, which can be altered using the slider below the upper graph.
  • Page 990: Environmental Sensors (AP8132 Models Only)

    13 - 174 13.3.34 Environmental Sensors (AP8132 Models Only) Access Point Statistics An AP8132 sensor module is a USB environmental sensor extension to an AP8132 model access point. It provides a variety of sensing mechanisms, allowing the monitoring and reporting of the AP8132's radio coverage area.
  • Page 991 13 - 175 remains consistently lit, as an administrator can power off the access point’s radios when no activity is detected in the immediate deployment area. For more information, see Environmental Sensor Configuration on page 5-192. 5. Refer to the Light Intensity Trend Over Last Hour graph to assess the fluctuation in lighting over the last hour.
  • Page 992 13 - 176 10. Refer to the Temperature Trend Over Last Day graph to assess whether deployment area temperature is consistent across specific hours of the day. Use this information to help determine whether the AP8132 can be upgraded or powered off during specific hours of the day.
  • Page 993 13 - 177 Figure 13-110 Access Point - Environmental Sensor screen (Humidity tab) 4. Refer to the Humidity table to assess the sensor's detected humidity fluctuations within the AP8132’s immediate deployment area. Humidity is measured in percentage. The table displays the Current Humidity (percent) and a 20 Minute Average...
  • Page 994: Wireless Client Statistics

    13 - 178 13.4 Wireless Client Statistics Statistics The wireless client statistics display read-only statistics for a client selected from within its connected access point directory. It provides an overview of the health of wireless clients in the network. Use this information to assess if configuration changes are required to improve client performance.
  • Page 995 13 - 179 Figure 13-111 Wireless Client - Health screen Wireless Client field displays the following: Client MAC Displays the factory encoded MAC address of the selected wireless client. Hostname Lists the hostname assigned to the client when initially managed by the access point. Vendor Displays the vendor name (manufacturer) of the wireless client.
  • Page 996 13 - 180 Encryption Lists the encryption scheme applied to the client for interoperation with the access point. Captive Portal Authentication Displays whether captive portal authentication is enabled for the client as a guest access medium to the controller or service platform managed network.
  • Page 997: Details

    13 - 181 Traffic Utilization table displays the following: Total Bytes Displays the total bytes processed by the access point’s connected wireless client. Total Packets Displays the total number of packets processed by the wireless client. User Data Rate Displays the average user data rate in both directions. Physical Layer Rate Displays the average packet rate at the physical layer in both directions.
  • Page 998 13 - 182 Figure 13-112 Wireless Client - Details screen Wireless Client field displays the following: SSID Displays the client’s Service Set ID (SSID). Hostname Lists the hostname assigned to the client when initially managed by the access point managed network.
  • Page 999 13 - 183 Client Identity Precedence Lists the numeric precedence this client uses in establishing its identity amongst its peers. User Details field displays the following: Username Displays the unique name of the administrator or operator managing the client’s connected access point.
  • Page 1000: Traffic

    13 - 184 Radio Number Displays the access point radio the wireless client is connected to. Radio Type Displays the radio type. The radio can be 802.11b, 802.11bg, 802.11bgn, 802.11a or 802.11an. Rate Displays the permitted data rate for access point and client interoperation.
  • Page 1001 13 - 185 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, an access point, then a connected client. 3. Select Traffic. Figure 13-113 Wireless Client - Traffic screen Traffic Utilization statistics employ an index, which measures how efficiently the traffic medium is used.