Wireless LAN Services


Wireless LAN Services Configuration Guide for RingMaster Software, Release 9.0. June 2013 (Release Date). Copyright 2013, Juniper Networks, Inc.

Juniper Networks, Inc., N. Mathilda Avenue, Sunnyvale, CA, USA. Copyright 2013, Juniper Networks, Inc.

RingMaster User Interface

RingMaster software presents a Graphical User Interface (GUI) consisting of a series of screens, windows, and dialog boxes. The RingMaster GUI allows you to resize these elements, and this has been done to minimize the size of the element illustrations in this publication while retaining all of the information visible in them. Because of this resizing, illustrations may differ in appearance from what you see on your workstation display.

Informational Note: Because the same features are in Mobility System Software (MSS) and RingMaster, feature descriptions in RingMaster may not be as complete as those in the MSS Configuration Guide. Check the MSS Configuration Guide if you do not find enough explanation in this guide.

RingMaster Client Main Window

The RingMaster Client presents a Main Window like the one shown below. Its elements are the Menu Bar, Navigation Bar, Organizer Panel, Tasks Panel, Content Panel, Alerts and Alarms Panel, and Server Icon.

The Menu bar provides pull-down menus containing selectable items for accessing administrative tools such as plan management and online Help. For example, to examine RingMaster logging preferences, select Tools > Preferences and click the Logging tab.

The Navigation bar provides buttons by which you access features and summary views. For example, use the Back and Forward buttons to cycle through display selections.

Copyright 2012, Juniper Networks, Inc. RingMaster Client Main Window 1

The Organizer panel displays a network tree representing WLAN devices and the configurations on those devices. Use it to navigate to policy configurations, equipment within your network, and network sites. When you select a device or configuration in the tree, context-sensitive information about it is displayed in the Content panel.

The Content panel displays context-sensitive information about the device or configuration selected in the Organizer panel. This information may take the form of a table, a floor view, details panels, a four-segment dashboard layout, or an Outdoor Area view. From the Content panel, you can view Juniper devices and their status, verify Juniper device configurations in the network plan and in the network, and display event logs and rogue detection results.

The Alerts and Alarms panel displays configuration errors and warnings, network alarms, and local and network changes. Click a button or summary to display details.

The Tasks panel displays context-sensitive actions for the current Tool button or Organizer selection.

The Server icon shows the status of the RingMaster Client connection and the host for RingMaster Services. Clicking it shows the connection status and the name you used to log in to the server.

Window Resizing and Navigation Bar Buttons

When the RingMaster main window is not wide enough to display all Navigation Bar buttons, the missing buttons are available from a pull-down that opens when you click the icon that appears in their place. The illustration below shows two hidden buttons revealed this way.

Display Panel Descriptions

The main RingMaster window contains the following display panels: Organizer Panel, Content Panel, and Tasks Panel. It also contains a Navigation Bar for selecting major features, a menu bar for accessing management options, and status counters that provide more information.

Organizer Panel

The Organizer panel provides a series of icons for Policies, RF Planning, Configuration, and Monitor. It is a tree; some tree nodes have icons. Clicking +/- expands or collapses items, and clicking the text of some nodes expands them automatically. Clicking toolbar buttons in the Organizer panel places information in the Content panel.

The Organizer panel can contain the following object trees, depending on the button selected on the Navigation Bar:

Policies: Device configuration policies in a network plan.
RF Planning: Network plan sites and their subsidiary buildings and outside areas.

Configuration: Devices in a network plan. Includes Mobility Domains, WLAN Controllers, and WLAs, plus third-party WLAs that RingMaster must be aware of while planning a network.
Monitor: Devices in a network plan. Includes Mobility Domains, WLAN Controllers, and third-party WLAs that RingMaster must be aware of while monitoring a network.

The tree displayed depends on the Navigation Bar button selected. (See Navigation Bar Buttons.) To expand an object in the tree, click the plus sign next to it. For example, to display the buildings in a site, click the plus sign next to the site name; to display the floors in a building, click the plus sign next to the building name, and so on.

Content Panel

The Content panel displays information on the item selected in the Organizer panel and, depending on the Navigation Bar button selected, lets you change its configuration settings. The Policies, RF Planning, and Configuration Navigation Bar buttons display configuration fields. After selecting one of these buttons, click a policy, WLAN Controller, or site object in the Organizer panel to display and configure settings for that object. (For more information about Navigation Bar buttons, see Navigation Bar Buttons.)

Tasks Panel

The Tasks panel lists tasks related to the object selected in the Organizer panel. Click a task to open a dialog or configuration wizard that performs it. Tasks are grouped into context-sensitive tool sets. In the example shown at left there are four groups, Create, Setup, AirDefense, and Other, each with individually selectable tools. Click a group header to expand or collapse the group; in short windows some groups auto-collapse. Many tasks are disabled (greyed out) when your account lacks permission for them, for example a monitor-only user. These groups and their contents reflect the selected main window button and the selection made in the Organizer panel, as described in detail in this and the other guides for RingMaster 8.0. The Tasks panel can also contain tasks that pertain to a selection made in a table within the Content panel, if one exists.

Saving or Discarding Configuration Changes

Informational Note: While one administrative user is modifying an object, that object is locked and other administrators cannot change it. A locked object dialog is displayed when this occurs. Locks can be managed from the server management pages.

When you select the Policies, RF Planning, Reports, or Configuration Navigation Bar button, the Content panel contains a Save button and a Discard button.

Save: Click Save to send unsaved configuration changes to RingMaster Services, which saves them in the network plan. The RingMaster Client buffers the configuration changes you make to a policy, WLAN Controller, or site until you click Save or save the network plan. When you click Save, the client sends all buffered changes.
Discard: Click Discard to undo all buffered changes.

Save and Discard are greyed out unless there are unsaved changes.

Configuration wizards have a Finish or OK button, which saves the configuration items you type or select in the wizard. After you save changes in a wizard by clicking Finish or OK, Save and Discard in the Content panel may remain greyed out because there are no unsaved changes to save or discard. If you click a button to open a configuration wizard while there are unsaved changes, RingMaster prompts you to apply or cancel them. Click Apply to save the buffered changes.

Save, Apply, Finish, and OK do not send configuration changes to the WLAN Controllers in a network until you deploy the changes. (See Reviewing and Deploying WLAN Controller Configuration Changes.)

Reviewing and Deploying WLAN Controller Configuration Changes

RingMaster does not automatically deploy WLAN Controller configuration changes from a network plan to the WLAN Controllers in a network. Tasks panel icons allow you to review and deploy changes as follows:

Review: Displays a categorized list of un-deployed changes.
Deploy: Sends changes to the network. When you click Deploy, RingMaster verifies the configuration changes and displays warnings or errors if applicable. If errors are listed, RingMaster does not deploy the changes. To resolve errors and deploy, use the Verification button to get detailed information on the errors and warnings. Errors are serious configuration problems and are not meant to be ignored. Warnings can be ignored, but should be cleared.

Display Panel Viewing Options

In the header/title areas of the Organizer, Content, and Tasks panels are icons that let you alter the look of the main window in order to focus on specific areas of it.

Organizer Panel Icons

There are two icons to the right of the title of this panel: the Tree Filter icon and the Minimize icon.

The Tree Filter icon opens a filter that limits the items shown in this panel to those whose names match the text you type into the Filter area that appears. The example below shows an Organizer panel with all items shown, and the same panel filtered with the term po so that only Ports and Port Groups are shown. Clicking the icon at the right side of the filter field clears the filter term, and clicking the Tree Filter icon a second time hides the filter.

The Toggle Auto Hide icon closes the Organizer panel down to a name at the left of the Content panel, allowing more space for the other panels. To restore the full Organizer panel, hold your mouse cursor over the word Organizer and, when the panel re-appears, click the icon. The example below shows the Organizer panel maximized and minimized.

The Minimizer icon collapses details in the Organizer panel.

Content Panel Icons

At the right side of the title/header of the Content panel are Maximize and Minimize icons used to re-size the Content panel so that it is shown alone or together with the other two panels. These icons act as a toggle between the maximized and minimized Content panel, as shown below.

This feature can be used along with the Minimizer icons in the Organizer and Tasks panels. The example below shows the Content panel maximized and minimized.

Tasks Panel Icons

The Minimize icon closes the Tasks panel down to a name at the right of the Content panel, allowing more space for the other panels. To restore the full Tasks panel, hold your mouse cursor over the word Tasks and, when the panel re-appears, click the icon. The example below shows the Tasks panel maximized and minimized.

Any panel showing these min/max icons can be dragged and dropped within the RingMaster window below the Navigation Bar. The panels are dockable, although these layout preferences are not saved when the client is closed.

Resizing a Display Panel

Click and drag the panel border, or click the resize icons (where applicable), to resize a panel. The resize icons listed in the table below are supported for panels displayed by the RF Planning, Configuration, and Monitor Navigation Bar buttons.

Table 1: Resize Icons

Minimize panel: When a panel is minimized, it is displayed as a tab. Place your cursor over the tab to temporarily maximize the panel; it stays maximized only until you move the cursor away from it. To make a panel remain maximized, click the maximize icon. Supported on the Organizer and Tasks panels.
Show filter bar: Filters the items seen in the panel. Supported on the Organizer and Tasks panels.
Maximize Content panel: The Content panel fills the entire window and the Organizer and Tasks panels are minimized. Applies only to the Content panel.
Restore Content panel: The Organizer and Tasks panels are maximized and the Content panel is restored to its former size between them. Applies only to the Content panel.

Configuration Wizards

When you click a task in the Tasks panel, RingMaster opens a dialog box or a configuration wizard (a series of dialog boxes). For example, after selecting the Configuration button on the main window toolbar, click Create WLAN Controller to open a dialog box for configuring basic WLAN Controller parameters. Some dialog boxes contain tabs or multiple pages. Click the tabs, or use the Next and Previous buttons at the bottom of a wizard, to navigate between pages. Finish saves the changes and closes the dialog. Newly configured objects then appear in the Content panel.

The following example shows the series of dialogs in the 802.1X Service Profile wizard.

The series of dialog boxes above is filled in to produce a Wireless Service Profile, shown in the Content panel as in the example below. Wizards opened from the Tasks panel allow configuration of the settings that are essential or commonly customized.

Properties Dialogs

To open a dialog containing the configurable settings for an object, select the object in the table and click Properties... The example below shows the Wireless Service Profile from the Content panel above after it was highlighted and the Properties button clicked, resulting in the multi-tabbed Service Profile Properties dialog. The icon to the right of the table shows or hides table columns.

Some items in a properties dialog are not editable because they are key values required for data processing; a Service Profile name is one example. To change such a value, you must delete and re-create the object, or copy and paste it and edit the copy.

The dialog below allows you to change service profile properties under each of the tabs shown at the top of the dialog.

Menu Bar Items

The table below lists the items available from the menu at the top of the main RingMaster window. Click a menu category to display the items for that category. The File, Services, and Tools menus contain the following items:

Connect: Log on to RingMaster Services.
Close: Disconnect the client from the RingMaster server.
Exit: Close RingMaster.
Licensing: Open the License Information page of RingMaster Services.
Setup: Open the page for configuring RingMaster Services preferences.
Plan Management: Open the Plan Management page of RingMaster Services.
Backup & Restore: Open the page for backing up the database used by RingMaster Services, and for restoring a previously backed-up version of the database.
Lock Management: Open the page that displays information about a lock and lets you delete the lock.
Preferences: Change RingMaster user preferences.
Certificates: Manage certificates.
Auditing: Select the criteria used to search the local database for audit records.
Import: Import a WLAN Controller XML, WLAN Controller CSV, or WLA CSV file into the currently open network plan. RingMaster 7.1 supports import of WLA CSV.
Export: Export a WLAN Controller XML, WLAN Controller CSV, or WLA CSV file from the currently open network plan. RingMaster 7.1 supports export of WLA CSV.
Upgrade: Open the Auto Update wizard.
RF Obstacles Types Library: Show RF obstacle types and their attenuation values.

The Help menu contains the following items:

Help: Open the online help. You can also open the help by pressing the F1 key.
Juniper Support Online: Online support resources.
Report Problem: Report a problem to the Juniper Technical Assistance Center (TAC).
About RingMaster: RingMaster version information, memory usage, and Java garbage collection (Force GC).

Navigation Bar Buttons

Table 1-3 lists the buttons available from the Navigation Bar of the main RingMaster window. The buttons are placed so that you naturally progress from left to right during your initial planning with RingMaster. Click a button to open the data or tabs for that button. Some Navigation Bar buttons fill the Content panel; others fill the entire window area under the Navigation Bar. The larger buttons provide access to RingMaster features; the smaller icons underneath the Back and Forward buttons apply to the RingMaster application itself.

Table 1-3: Navigation Bar Buttons

Back: Page back through the previously selected Navigation Bar buttons or Organizer panel tree selections.
Forward: Page forward through previously selected Navigation Bar buttons.
Policies: Display the tree of configured policies in the Organizer panel. To display the configuration settings in a policy, click the policy; the settings appear in the Content panel. To create a new policy, click Policy in the Tasks panel.
RF Planning: Display the tree of configured sites in the Organizer panel. To display information about a site or an object in that site, click it; the information appears in the Content panel. To perform site-related tasks, click the task links in the Tasks panel.
Configuration: Display the tree of configured devices in the Organizer panel. To display information about a device or a configuration area within that device, click it; the information appears in the Content panel. To perform device-related tasks, click the task links in the Tasks panel.
Verification: Display the Config Verification tab. The Verification tab enables you to troubleshoot configuration issues on WLAN Controllers in the network plan or in the live network. To display more information about an error or warning message, click the row containing the message. To resolve the situation causing the message, or to ignore the message, select icons in the Resolutions area of the tab.
Devices: Display a list of the WLAN Controllers in the network plan. To upload, restart, or change the management status of WLAN Controllers, view scheduled tasks, or distribute certificates, use the Device tab. To review and either allow or disallow local and network changes, or to schedule configuration deployment, use the Changes tab. To manage and distribute MSS software images, use the Image tab.

Monitor: Display status information and statistics for the equipment or site objects selected in the Organizer panel.
Security: Show a list of unauthorized networks, IDS alarms, and DoS alarms.
Alarms: Display graphs of alarm activity. RingMaster also has an Events item under Tools on the menu bar; it shows the polled data and SNMP traps that created or updated an alarm.
Reports: Display links for configuring and generating reports.

Content Panel Icons

Table 1-4 lists the toolbar icons at the top of the Content panel.

Table 1-4: Content Panel Icons

Launch Help.
Ungroup selected objects.
Adjust the paper space (crop the drawing).
Define the drawing scale.
Select all visible objects.
Assign layers to selected objects.
Change the grid size.
Copy selected objects.
Edit properties.
Remove RF obstacle information.
Delete selected components.
View or change dimensions.

Table 1-4: Content Panel Icons (continued)

Zoom in.
Paste selected objects.
Place an RF measurement point.
Zoom out.
Undo last change.
Show 802.11a RF coverage in the floor display area.
Fit view in window.
Redo last change.
Show 802.11b RF coverage in the floor display area.
Print view in floor display area.
Group selected objects.
Show 802.11g RF coverage in the floor display area.
Toggle WLA label.
Create RF obstacle.
Hide display of RF coverage in the floor display area.

Status Counters

Table 1-5 lists the counters displayed at the bottom of the main RingMaster window. To obtain more information, place your cursor over a counter and click.

Table 1-5: Status Counters

Config: Lists the number of outstanding configuration errors and warnings. RingMaster compares the configuration of a WLAN Controller to a set of configuration rules and flags errors or warnings to be corrected before a WLAN Controller configuration is deployed from the network plan to the live network. Click this counter (or select the Verification toolbar button) to open the Verification tab in the Content panel. Use this tab to correct configuration errors or disable rules.
Local Changes: Lists the number of WLAN Controller configuration changes that have occurred in the network plan since the last time the WLAN Controllers in the network were synchronized with their counterparts in RingMaster. Click this counter (or click the Devices toolbar button) to open the Change Management tab in the Content panel. Use this tab to review the local changes and deploy them to the network.
Network Changes: Lists the number of devices with local or network changes that have occurred in the live network since the last time the WLAN Controllers in the network were synchronized with their counterparts in RingMaster. Click this counter (or click the Devices toolbar button) to open the Change Management tab in the Content panel. Use this tab to review the network changes and upload them to RingMaster.
Alarms: Lists the alarms of each severity that have been generated by RingMaster Services or by a WLAN Controller currently managed by RingMaster. Severities are indicated by the following colors: Red, Critical; Orange, Major; Yellow, Minor; Blue, Informational; White, total count for all severities. To display log entries of a particular severity, click the color for that severity. For entries of all severities, click the white counter.

Copying, Pasting, and Deleting Objects

You can copy, paste, and delete objects in the Organizer panel or in the Content panel. In the Organizer panel, right-click (Macintosh: Control+click) an object icon to display a menu with the following options:

Copy: Copy the selected object and its child objects to the clipboard.
Paste: Add the object(s) in the clipboard to the selected object.
Paste Replace: Replace the like-named object(s) in the selected object with the object(s) in the clipboard.
Delete: Remove the selected object from the network plan.

Use Copy and Paste to create a new object. Use Copy and Paste Replace to replace an object with another instance of the same type of object. You can copy and paste objects listed in tables in the Content panel using the copy and paste icons. (See Copy and Paste in the Content Panel.) To delete an object in a table, select the object and click Delete.

Copy and Paste in the Organizer Panel

To create a new object in the Organizer panel:
1. Select the object you want to copy in the Organizer panel.
2. Right-click (Macintosh: Control+click) the object and select Copy.
3. Select the parent object under which to add the copied object.
4. Right-click (Macintosh: Control+click) the parent object and select Paste. RingMaster displays a configuration wizard. Use it to modify the name and other parameters as applicable. When finished, a new copy of the object appears under the parent object.

Copy and Paste Replace in the Organizer Panel

To replace an object with the Copy and Paste Replace options:
1. Select the object you want to copy in the Organizer panel.
2. Right-click (Macintosh: Control+click) the object and select Copy.
3. Select the object you want to replace.
4. Right-click (Macintosh: Control+click) the parent object and select Paste Replace. RingMaster displays a configuration wizard. Use it to modify the name and other parameters as applicable. When finished, the pasted copy replaces the like-named object under the parent object.

Copy and Paste in the Content Panel

1. Select the objects (rows). To select a single object, click its row. To select multiple contiguous objects, hold Shift while selecting them. To select non-contiguous objects, hold Control (Macintosh: Command) while selecting them.
2. Click the Copy icon.
3. Click the Paste icon. A properties dialog appears.

4. Edit the settings to make the new object unique from the copied object, then click OK or Finish to save the changes and close the configuration wizard.

Configuration Using Dialog Boxes

RingMaster dialog boxes allow you to specify options and perform actions. You can right-click (Macintosh: Control+click) many objects to display optional actions.

Configuration Using Wizards

Clicking an option in the Tasks panel opens a configuration wizard. Configuration wizards enable configuration of the basic settings for an object. A wizard presents the next dialog you should use, in the recommended sequence, to complete an overall configuration task. Although there are other ways to view or alter configuration settings later, wizards are helpful for completing initial setups using best practices. After you configure settings and close a wizard, a new object is added to a table in the Content panel for most types of WLAN Controller objects.

Some objects have advanced, infrequently modified settings that cannot be configured using a wizard. To configure advanced settings for an object listed in the Content panel, select the object and click Properties. This opens a configuration dialog containing all configurable settings for the object, including advanced settings. For simple changes, you can select multiple objects and click Properties to make the change on all selected objects. For example, to disable or re-enable multiple ports, select the affected ports, click Properties, change the port state in the dialog, and then close it. The change takes effect on all of the selected ports.

Network Plan Overview

RingMaster allows you to add, configure, and modify WLCs in the RingMaster plan. These tasks are located in the Organizer panel under the network plan you created using the RF Planning feature in RingMaster, and they assume that you have selected that network plan in the Organizer panel.

You can perform these tasks even if you have not created a complete network plan. However, the default network plan in RingMaster uses the country code US, and only the radio channels available for the US are displayed. If you are in another location, you need to change the network plan country code to your location.

The following tasks can be performed as part of the Network Plan interface:

Adding a WLC Using the Create WLAN Controller Wizard
Creating a New WLC from an Existing WLC
Uploading a WLC into a Network Plan
Adding a WLC by Uploading the Configuration from a Network
Adding a WLC by Importing a Configuration File
Modifying WLC Properties
Creating a Mobility Domain
Creating an Equipment Group in a Network Plan
Adding a Third Party AP to a Network Plan
Changing the Country Code for a Network Plan
Changing the Channel Set for a Network Plan

Disabling Auto-tune on a Network Plan
Configuring the Authentication Mode for a WLC
Local Packet Switching on WLAs
Configuring Web Portal Profiles
Converting an Auto AP into a Static AP
Removing Auto APs
Setting Up a Network Domain
Setting Up WLC to WLC Security

Adding a WLC Using the Create WLAN Controller Wizard

You can use any of the following methods to add a WLC to a network plan:

Allow RingMaster to create a WLC as part of RF planning.
Use the Create WLAN Controller wizard.
Copy and paste an existing WLC in a network plan.
Upload a WLC from the network.
Import an XML configuration file for a WLC.

This section explains the Create WLAN Controller wizard.

1. Select the Configuration Navigation Bar button.
2. In the Tasks panel, select Create WLAN Controller.
3. Enter a WLC Name and select a WLC Model from the list.
4. Select a Software Version for the WLC and enter an Enable Password. Click Next.
5. In the WLC IP Address dialog, enter an IP Address and Gateway IP for the new WLC. Click Next.
6. Select the Ports and Port Groups to add to the VLAN, and tag those you want tagged. Click Next.
7. Select a Mobility Domain and Wiring Closet, and select Enable Cluster if you want the WLC to become a member of a cluster configuration. Click Next.
8. Select the areas to configure by checking the boxes for Static Route, SNMP, VLANs, and RADIUS Servers as desired. Click Next.
9. If a gateway is being used, select or create a static route. Either select an existing route and click Next, or select Create and click Next.
10. If you selected Create, you see the static route dialog.
11. Select the Default Route check box, or specify a Destination IP Address and Gateway IP address and select a Metric for the route. Click OK.
12. Use the check boxes to configure the security level and allowed protocols for the SNMP interface. Click Next.
13. The next dialog allows you to set Notification Target Properties.
14. The next dialog allows you to set a Security Model and Security Type.
15. If you selected USM, click Next and go to step 17. If you selected V1, you see the RingMaster Notification Target: SNMP Community dialog.
16. Enter a Community String, select an Access or Group, an Access Type, and a Group if that was selected, then click Next.

Informational Note: An SNMP V1 notification target sends its community string across the network in cleartext, and the community string is its only credential. USM (SNMPv3) can authenticate and encrypt notifications, so prefer it where the receiving management station supports it.

17. You see the RingMaster Notification Target: USM User dialog.
18. Enter the information and make your selections, then click Next.
19. You see the RingMaster Notification Target: USM User dialog, where you enter a Username, Access or Group, Access Type, and Group if selectable.

20. Click Next. You see the Configure VLANs dialog, where you create a new VLAN or select an existing one.
21. When you finish your selections on this dialog and click Next, you see the Optional: RADIUS Servers dialog.
22. Select an existing RADIUS Server and click Finish, or click Create to create a new one.
23. If you click Create, you see the RADIUS Server dialog.
24. Enter a server Name, IP Address, and a Key if desired, or select Use MAC as Password or enter an Authorization Password and select a MAC Address Format, then click Next. The Key is the RADIUS shared secret; the WLC uses it to authenticate the messages it exchanges with the server.
25. You see the RADIUS Server Group dialog. Click Finish.

Uploading a WLC into a Network Plan

The following steps upload a WLC into an existing network plan:

1. Select the Configuration Navigation Bar button.
2. In the Tasks panel, select Upload WLC.
3. In the IP Address field, enter the IP address of the WLC.
4. In the Enable Password field, type the enable password for the WLC. This password must match the enable password created with the set enablepass command in the CLI.
5. Click Next.
6. A dialog box displays the upload progress.
7. After the Successfully uploaded device message is displayed, click Finish.
8. If error or warning messages are displayed, navigate to the Verification panel by clicking the Verification button on the Navigation Bar.

Creating a New WLC from an Existing WLC

You can copy and modify a WLC already in a network plan by copying and pasting the WLC in the Organizer panel.

1. Select the Configuration Navigation Bar button.
2. In the Organizer panel, select the WLC to copy, then right-click (Macintosh: Control+click) the WLC and select Copy.
3. Right-click (Macintosh: Control+click) and select Paste. The WLAN Controller Properties wizard appears.

4. In the WLC Name field, type a name for the WLC (1 to 256 alphanumeric characters, with no spaces or tabs).
Informational Note: In each network plan or Mobility Domain, every WLC on the network must have a unique name.
5. Type the serial number for the WLC in the Serial Number field.
6. To modify the system IP address and VLAN, select them from the System VLAN/IP list. The system IP address determines the interface or source IP address that MSS uses for system tasks, including the following:
 - Mobility Domain operations
 - Topology reporting for redundant MP access points
 - Default source IP address used in unsolicited communications such as AAA accounting reports and SNMP notifications
7. Click Management Interface.
Warning: After selecting Managed to enable management of a WLC by RingMaster, do not change this option unless advised to do so by Juniper Networks TAC. If you change a WLC to an unmanaged state in a network plan, all network operations (polling) stop for that WLC. If you change it back to a managed state, the entire configuration of the WLC is replaced with the settings from the network plan, which can result in loss of connectivity to the WLC.
8. To enable a WLC to be managed by RingMaster, select Managed. Until this option is selected, you cannot deploy the WLC configuration you create in RingMaster to an actual WLC in the network. This option also enables the Telnet to WLC and Launch Browser options in the Tasks panel. Selecting a WLC in the Organizer panel and clicking Telnet to WLC in the Tasks panel opens a Telnet session to the WLC; enter a username to begin the session. Telnet carries the login exchange and every subsequent command in cleartext, so use it only over a management network you trust.
9. To modify the management interface, select the IP interface and VLAN from the VLAN/IP list.
10. To modify the enable password, edit the string in the Enable Password field.
11. Click WLC Associations.
12. To change the Mobility Domain membership for a WLC, select the Mobility Domain from the Mobility Domain list.
To leave the WLC out of all Mobility Domains, select Not Assigned.
13. To change the wiring closet membership for a WLC, select a closet from the Wiring Closet list. To leave the WLC out of all wiring closets, select Not Assigned.
14. Click OK to save changes.
15. Edit other parameters as required.

Adding a WLC by Uploading the Configuration from a Network

If you have already deployed a WLC in a network and want to add it to a network plan, upload the configuration for the WLC into RingMaster, edit the WLC, then re-deploy the WLC with the new parameters.

Adding a WLC by Importing a Configuration File

You can add a WLC to a network plan by importing a configuration file. Configurations are imported in XML format. Use the procedure in Importing and Exporting Switch Configuration Files in the RingMaster 7.1 Management Guide to import configuration files for WLCs.

Modifying WLC Properties

1. Select the Configuration Navigation Bar button.
2. Select a WLC from the Organizer panel. The WLC information is displayed in the Configuration panel.
3. To modify the WLC Name, edit the string in the WLC Name field.
4. To modify the serial number, edit the string in the Serial Number field.
5. To modify the system IP address and VLAN, select them from the System VLAN/IP list. The system IP address determines the interface or source IP address that MSS uses for system tasks, including the following:
 - Mobility Domain operations
 - Topology reporting for redundant access points
 - Default source IP address used in unsolicited communications such as AAA accounting reports and SNMP notifications
6. To allow RingMaster management of the WLC, select Managed. You cannot deploy a WLC configuration using RingMaster until you enable this option.
Informational Note: This option also enables the Launch Telnet and Launch Browser options in the Tasks panel.
Warning: After selecting Managed to enable management of the WLC by RingMaster, do not change this option unless advised to do so by Juniper Networks TAC. If you change a WLC to an unmanaged state in a network plan, all network operations (polling) stop for that WLC. If you change it back to a managed state, the entire configuration of the WLC is replaced with the settings from the network plan, which can result in loss of connectivity to the WLC.
7. To modify the management IP address and VLAN, select them from the System VLAN/IP list.
8. To modify the enable password, edit the string in the Enable Password field.
9. To change the Mobility Domain membership for a WLC, select one from the Mobility Domain list.
10. To change the wiring closet membership for a WLC, select the closet from the Wiring Closet list. To remove a WLC from a wiring closet, select Not Assigned.
11. Click Save.

Creating a Mobility Domain

Informational Note: The Create Mobility Domain wizard requires you to select the WLCs to place in the Mobility Domain and to select a seed WLC. Add WLCs to the network plan before you configure a Mobility Domain.

Before you can perform this task, you must have more than one WLC in your network plan. To add WLCs to the network plan, see Adding a WLC Using the Create WLAN Controller Wizard.
1. Select the Configuration Navigation Bar button.
2. Select the network plan in the Organizer panel.
3. Select the Create Mobility Domain task in the Tasks panel. The Setup Mobility Domain wizard is displayed.
4. In the Name field, type the name for the Mobility Domain (1 to 16 characters, with no spaces or tabs). Click Next.
5. From the Available Devices list, select the WLCs you want to add to the Mobility Domain.
6. Click Next.
7. Select the WLC to act as the primary seed WLC for the Mobility Domain.
8. To provide Mobility Domain redundancy, select a WLC to act as the secondary seed. Click Finish.
For detailed information about this feature, refer to the Mobility System Software (MSS) Configuration Guide.

Creating an Equipment Group in a Network Plan

An equipment group can contain the following types of objects:
 - Mobility Domain: all member devices are implicitly included as equipment group members.
 - Standalone WLC: a device not associated with a Mobility Domain.
 - Mobility Domain member WLC: a device associated with a Mobility Domain where the Mobility Domain as a whole is not a member of the equipment group.
Equipment groups can be created under the top-level plan object or under a Mobility Domain. The equipment organizer tree supports equipment groups: equipment group nodes appear in the tree and contain the associated device and/or Mobility Domain members. Device nodes hang directly under an equipment group node unless the device's Mobility Domain is a member of the group. Selecting a device node reveals any Mobility Domain membership information in the configuration view's detail panel.

Cluster Configuration

Whenever a Mobility Domain is cluster-enabled, an associated Cluster node appears in the organizer. This node contains the cluster seeds, the members, and the DomainConfiguration node. A Mobility Domain cluster node may appear multiple times in the tree. There is no method to assign a cluster as a whole to an equipment group; only devices and Mobility Domains can be assigned to a group. One restriction is enforced on the assignment of devices to equipment groups: if a device is a cluster seed, the other cluster seed must be assigned to the same equipment group. This ensures that a deploy target switchover is not rejected because of access control restrictions.

Before you can perform this task, you must have added WLCs and WLAs to the network plan.
1. Select the Configuration Navigation Bar button.
2. Select the network plan in the Organizer panel.
3. Click Create Equipment Group to open the wizard.
4. Enter a unique name to identify the Equipment Group.
5. Click Next.
6. From the list of Available Devices, select one or more WLCs and click Add.
7. The WLCs are now added to the list of Current Members.
8. Click Finish to complete the task.
Equipment Groups appear in the Organizer panel under the Equipment Group name, with brackets around the WLC icon.

Setting Up a Network Domain

A Network Domain is a system of centralized network administration that allows you to group WLCs together in a network group.
Informational Note: You can configure only one Network Domain per Network Plan.
1. In the Organizer panel, select Default, or your network plan name, as the network plan.
2. In the Tasks panel, select Network Domain.
3. In the Setup Network Domain wizard, enter a name for the network domain.
4. Set up the network domain seeds by selecting a WLC from the Available Devices list and clicking Add to move it to the Current Devices list.
5. Click Next.
6. Add any additional WLCs to the network domain, or click Finish to complete the wizard.

Changing the Country Code for a Network Plan

Select a country code to apply to all WLCs in the network plan. To use different country codes within the network plan, configure the country code for the site with which the WLCs are associated. After the country code has changed, you must recalculate the existing RF plans.
1. Select Configuration from the Navigation Bar.
2. In the Organizer panel, select Default or your network plan.
3. In the Tasks panel under Setup, select Country Code.
4. The Change Country Code window is displayed.
5. Select the country from the Country Code list.
6. Modify the channel sets for 2.4 GHz and 5 GHz, if desired.
7. Click Next.
8. The Updating Country Code progress is displayed. All messages related to updating the country code are displayed in this window.
9. Click Finish to complete the configuration.

Changing the Channel Set for a Network Plan

The channel set determines which 2.4 GHz and 5 GHz channels the radios in the network plan can use; the channels available depend on the country code selected for the plan. After changing the channel set, recalculate the existing RF plans.
1. Select Configuration from the Navigation Bar.
2. In the Organizer panel, select Default or your network plan.
3. In the Tasks panel under Setup, select Channel Set.
4. The Channel Set Properties window is displayed.
5. Modify the channel sets for 2.4 GHz and 5 GHz.
6. Click OK.

Disabling Auto-Tune on a Network Plan

RingMaster can apply Auto-Tune settings to the WLAs in a network. This is useful when you want Auto-Tune to determine the optimal channel and power settings and then apply those settings to individual radios. If you disable Auto-Tune, you can manually set power and channels on radios. To facilitate this, RingMaster provides the Disable Auto-Tune task, which is available in the Tasks panel when a network plan object is selected in the Configuration panel. To use this feature:
1. Select Configuration from the Navigation Bar.
2. In the Organizer panel, select Default or your network plan.
3. In the Tasks panel under Setup, select Disable Auto-Tune.
4. The Select Scope window is displayed.
5. If desired, save the Auto-Tune values, including the tuned channel and tuned power, so that the radios keep the settings Auto-Tune arrived at.
6. Select the scope in which to disable Auto-Tune.
7. Click Next.
8. The Applying Auto-Tune Settings progress is displayed. Information about the Auto-Tune settings is displayed in this window.
9. Click Finish.

Removing Auto WLAs

RingMaster automatically updates the information for an Auto WLA in a network plan when the WLA is converted into a configured WLA, or when it reboots and connects to a different WLC. If an Auto WLA leaves the network without being converted into a statically configured WLA or connecting to a different WLC, RingMaster continues to list the WLA as a device managed by the WLC. In this case, you can manually remove the WLA from the Auto WLA list.
Informational Note: This procedure does not remove an active Auto WLA. To remove an Auto WLA that is still attached to the network, first remove it from the network (unplug it or power it down), then use this procedure to remove it from the Auto WLA list.
To remove an Auto WLA:
1. Select the Configuration Navigation Bar button.
2. In the Organizer panel, select a WLC.
3. In the Tasks panel, select Remove Auto WLAs. The Remove Auto WLA wizard appears. WLAs that were configured using a Distributed WLA template are listed.
4. Select the Auto WLA that is no longer on the network.
5. Click Next.
6. Click Finish.

Converting an Auto WLA into a Static WLA

Distributed WLAs that are not configured on any WLC in a Mobility Domain can be booted and managed by a WLC if the WLC has a profile for distributed WLAs and has the capacity to manage the WLA. A WLA that is booted and managed using a distributed WLA profile is called an Auto WLA. You can convert the temporary connection of an Auto WLA to a WLC into a permanent, statically configured connection on the WLC.
To convert an Auto WLA:
1. Select the Configuration Navigation Bar button.
2. In the Organizer panel, select a WLC.
3. In the Tasks panel, select Convert Auto WLAs. WLAs that were configured using a Distributed WLA template are listed in the Convert Auto WLA wizard.
4. Select the WLAs you want to convert into statically configured WLAs.
5. Click Next.
6. Click Finish.

Local Packet Switching on WLAs

WLAs can be configured to perform local packet switching. Local packet switching allows packets to switch directly from a WLA to the wired network without passing through an intermediate WLC. When a WLA is configured to perform local switching, the WLC is removed from the forwarding path for client data traffic. When local switching is enabled, a client VLAN is directly accessible through the wired interface on a WLA, and packets can be switched directly to and from this interface.

Using the wizard forces all devices in a network plan that have identically named VLAN profiles to have the same settings. This can also be used to correct problems when uploading WLCs with different local switching values.

Normally, when local switching is disabled on a WLA, packets are tunneled through the network back to a WLC and the traffic is placed on the client VLAN there. This process is called overlay mode. Overlay mode requires packets to be encapsulated, de-encapsulated and possibly fragmented, which introduces latency in the path. Omitting the WLC from the forwarding path for client traffic eliminates tunnel encapsulation and improves network performance. It also means that WLC features which act on client traffic in the forwarding path are not available for locally switched VLANs; see the notes below.

Local packet switching is disabled by default. A WLA can be configured to switch packets for some VLANs locally and tunnel packets for other VLANs through the WLC.

Notes:
 - Restricting Layer 2 forwarding for a VLAN is not supported if the VLAN is configured for local switching.
 - The DHCP restrict feature is not supported for locally switched clients.
 - When the set ap <apnum> port <portnum> type command is used to specify a port for a directly attached WLA, the WLA cannot be configured to perform local switching. However, a directly connected WLA with an unspecified port can perform local switching.
 - IGMP snooping is not supported with local switching.

Informational Note: You must have a VLAN and WLAs configured before you can configure local packet switching.
1. Select Configuration from the Navigation Bar.
2. In the Organizer panel, select Default or your network plan.
3. In the Tasks panel under Setup, select WLA Local Switching.
4. The Setup WLA Local Switching window is displayed and lists the following information: WLA Name, WLA Model, WLA Connections, Local Switching, Profile, and Tunnel Affinity.
5. You can enable local switching on all WLAs or on individual WLAs by selecting them in the list and clicking OK.
6. You can also create a new VLAN profile, or modify or delete existing VLAN profiles, for local switching.
7. To assign a VLAN profile to local switching, click Assign VLAN Profile.
8. The Assign VLAN Profile dialog is displayed. Select a VLAN profile from the list, select WLAs from the list of Available WLAs, and move them to the list of Current WLAs.
9. Click Finish to return to the Setup WLA Local Switching window.
10. Click OK to complete the configuration.
For detailed information on local switching, see the Mobility System Software (MSS) Configuration Guide.

Configuring Web Portal Profiles

WebAAA provides a simple and universal way to authenticate any user or device using a Web browser. A common application of WebAAA is to control access for guests on your network. When a user requests access to an SSID or attempts to access a Web page before logging on to the network, MSS displays a login page in the user's browser. After the user enters a username and password, MSS validates the user information against the local database or RADIUS servers and grants or denies access based on whether the user information is found. You can customize your Web Portal login pages as Web Portal Profiles and then assign the profiles to users.
1. Select Configuration from the Navigation Bar.
2. In the Organizer panel, select Default or your network plan.
3. In the Tasks panel under Setup, select Web Portal Profile to display the configuration wizard.
4. The Web Portal Profile window is displayed and contains one default profile for use by education campuses. You can navigate to the default pages by clicking Upload. The default pages and images are located under \Program Files\Juniper Networks\RingMaster\webapps\admin\. The profile fields are:
 - Profile Name: name of the Web Portal Profile.
 - Login Page: location of the HTML page displayed for the login screen.
 - Logout Page: location of the HTML page displayed to users when they log off the network.
 - Image Logo: location of any image displayed as a logo on the HTML pages.
 - Service Profile: name of the service profile to which the Web login applies.
5. Click Next.
6. Select a service profile from the list and move it to the Current Members list.
7. Click Finish to complete the configuration.
You can create your own HTML pages and place them in the same location as the default pages, \Program Files\Juniper Networks\RingMaster\webapps\admin\. Because the login page is served to users who have not yet authenticated, keep it free of anything you would not publish, such as internal host names or embedded credentials.

Setting Up WLC to WLC Security

You can enhance security on your network by enabling WLC-WLC security. WLC-WLC security encrypts management traffic exchanged by WLC switches in a Mobility Domain. When WLC-WLC security is enabled, management traffic among the WLC switches in the Mobility Domain is encrypted using AES. The keying material is dynamically generated for each session and passed among the switches using their configured public keys. MSS supports 2048-bit keys in addition to 128-bit keys.
1. From the Organizer panel, select a Mobility Domain.
2. From the Tasks panel, under Setup, click WLC-WLC Security to display the wizard.
3. From the Security Mode list, select Required. None is selected by default.
4. Click Next.
5. If you are using public keys from a WLC, select Retrieve Keys. If you are not using this feature, click Next.
6. If you select Retrieve Keys, the public keys are obtained from the WLCs in the Mobility Domain.
7. Verify the public keys and click Finish. Verification means comparing each retrieved key with the key displayed on that WLC itself: a substituted public key would let whoever holds the matching private key recover the session keying material passed under it.

WLC Overview

You can configure a WLC in your network plan as part of RingMaster. You can perform the following tasks:
 - Using the System Setup Wizard
 - Configuring Data Path Encryption on the WLC
 - Changing the Software Version on a WLC
 - Changing the WLC Model
 - Configuring the Authentication Mode for a WLC
 - Modifying Time Settings
 - Adding System Information to a WLC
 - Configuring Command Auditing
 - Configuring AP Affinity Groups on the WLC
 - Configuring LLDP on the WLC

Using the System Setup Wizard

You can configure and display information for the following features on a WLC:
 - WLC
 - Static Route
 - SNMP
 - VLANs
 - AAA
 - Wireless Services
 - Access Points
1. From the Organizer panel, select a WLC and then System Setup.
2. The System Setup Wizard is displayed. To continue, click Next.
3. Enter a unique name for the WLC, and enter the serial number. Click Next.
4. From the System Configuration Areas, select the areas that you want to configure on the WLC. You can select from the following areas (see the corresponding sections): Configuring Static Routes, Configuring SNMP Using SNMP V1 or V2c, Configuring VLANs, Creating a RADIUS Server, Configuring Wireless Services, Converting Auto APs.
5. Click Finish to complete the configuration.

Configuring Data Path Encryption on the WLC

Overview

The communication link between a WLA and a WLC carries two kinds of packets: Juniper Access Point Architecture (TAPA) packets, which carry control traffic, and Control And Provisioning of Wireless Access Points (CAPWAP) packets, which carry client data. Data Path Encryption (DPE) is a security feature that encrypts the client data carried across WLA-WLC tunnels.

In the current security model, the WLC and WLA perform a security handshake that generates a key for encryption of the TAPA control channel. When global WLA security is enabled, the same key is used to encrypt the CAPWAP data channel. Therefore, global WLA security must be enabled before Data Path Encryption can be enabled on the WLA. The Advanced Encryption Standard Counter Mode with CBC-MAC Protocol (AES-CCMP) is used to encrypt the data packets, similar to the encryption used for TAPA packets. The practical consequence: without DPE, only the control channel is protected by the handshake key, and the client data in the tunnel is not encrypted by the tunnel itself. Data Path Encryption is not available on all WLCs and WLAs. The table below lists the supported models.

Supported WLA models: WLA432, WLA432F, WLA522, WLA522E, WLA532, WLA321, WLA322
Supported WLC models: WLC880R

For more information on Data Path Encryption, refer to the Mobility System Software (MSS) Configuration Guide.
1. On the Navigation bar, click Configuration.
2. Select a WLC from the Organizer panel.
3. In the Configuration properties, under Tunnel Security, select Required. If you have WLAs on your network that are not configured for Data Path Encryption, select Optional; with Optional, tunnels to those WLAs remain unencrypted.
4. Click Save to save the WLC configuration.
5. To deploy the changes on the network, click Deploy in the Tasks panel.
Once you have configured the WLC, you must configure the WLAs for Data Path Encryption. See Managing Access Points Using RingMaster.

Changing the Software Version on a WLC

1. To change the software version on a WLC, select the WLC in the Organizer panel.
2. In the Tasks list, under Setup, select Software Version.
3. Select the software version from the list, and click OK.

Changing the WLC Model

1. To change the model of a WLC, select the WLC in the Organizer panel.
2. In the Tasks list, under Setup, select Model.
3. Select the model from the list, and click OK.
4. RingMaster updates the model on the WLC. You can see the changes in the Change Model Progress window.
5. Click Finish to complete the change.

Configuring the Authentication Mode for a WLC

Select the authentication mode used for logging in to a WLC.
1. In the Organizer panel, select a WLC from the list.
2. From the Tasks list, under Setup, select Authentication Mode to display the Change Authentication Mode window.
3. From the WLC Authentication Mode list, select Enable Password or AAA.
4. If you select Enable Password, enter the password in the Enable Password field and click Finish.
5. If you select AAA, enter the Username and Password, then click Next.
Informational Note: Be sure to enable Access Control before changing the Authentication Mode to AAA.
6. The Changing Authentication Settings Progress window displays the status and any errors encountered during the process.
7. Click Finish to close the wizard.

Modifying Time Settings

You can specify the number of hours (and optionally minutes) by which the real-time clock of a WLC is offset from Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT). The Network Time Protocol (NTP) uses the time zone information if it is enabled. You can also specify whether a WLC adjusts this clock during daylight saving time or a similar summertime period. Consistent clocks matter for more than convenience: log and RADIUS accounting timestamps from different WLCs can only be correlated if every WLC applies the same offset rules.
To set the time zone properties:
1. From the Organizer panel, select the WLC.
2. From the Tasks panel, under Setup, click Time. In the Name field, type a name for the time zone (1 to 16 alphanumeric characters, with no spaces or tabs).
3. From the Offset Hours list, select the number of hours (between -23 and 23) to subtract from or add to UTC.
4. Optionally, in the Offset Minutes field, select a number of minutes (between -59 and 59) to subtract from or add to UTC.
5. In the DST Name field, type a name for the summertime offset (1 to 16 alphanumeric characters, with no spaces or tabs).
6. From the Start Month list, select the month of the year when the time change starts.
7. From the Start Week list, select the week of the month when the time change starts (First, Second, Third, Fourth, or Last).
8. From the Start Day list, select the day of the week when the time change starts.
9. In the Start Hour field, specify the hour (between 0 and 23) when the time change starts.
10. In the Start Minute field, specify the minute (between 0 and 59) when the time change starts.
11. From the End Month list, select the month of the year when the time change ends.
12. From the End Week list, select the week of the month when the time change ends (First, Second, Third, Fourth, or Last).
13. From the End Day list, select the day of the week when the time change ends.
14. In the End Hour field, specify the hour (between 0 and 23) when the time change ends.
15. In the End Minute field, specify the minute (between 0 and 59) when the time change ends.
16. Click OK.
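The following Python example, added for this guide and not part of RingMaster or MSS, resolves a time zone configuration of the kind entered in this dialog (Offset Hours and Minutes plus Start and End month, week, day, hour and minute) to concrete UTC instants, enforces the field ranges listed in the steps above, and converts a UTC log timestamp to the WLC's local clock. The sample configuration, the one-hour summertime shift, and the reading of the Start rule in standard time and the End rule in summertime are assumptions made here, not rules stated by the guide.

```python
"""Resolve RingMaster-style time zone and summertime (DST) settings to UTC instants.
Added example for this guide; not RingMaster or MSS code."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

WEEK_INDEX = {"First": 0, "Second": 1, "Third": 2, "Fourth": 3, "Last": -1}
# calendar.weekday() numbers Monday as 0 and Sunday as 6.
DAY_INDEX = {"Monday": 0, "Tuesday": 1, "Wednesday": 2, "Thursday": 3,
             "Friday": 4, "Saturday": 5, "Sunday": 6}


@dataclass(frozen=True)
class Rule:
    """One edge of the summertime period: the Start* or End* fields of the dialog."""
    month: int
    week: str
    day: str
    hour: int
    minute: int


@dataclass(frozen=True)
class TimeZoneConfig:
    name: str
    offset_hours: int
    offset_minutes: int = 0
    dst_name: str = ""
    start: Optional[Rule] = None
    end: Optional[Rule] = None
    dst_shift: timedelta = timedelta(hours=1)   # assumption: summertime adds one hour


def _name_ok(name: str) -> bool:
    return 1 <= len(name) <= 16 and " " not in name and "\t" not in name


def validate(cfg: TimeZoneConfig) -> None:
    """Enforce the limits the dialog states; raise ValueError on a bad value."""
    if not _name_ok(cfg.name):
        raise ValueError("Name must be 1 to 16 characters with no spaces or tabs")
    if not -23 <= cfg.offset_hours <= 23:
        raise ValueError("Offset Hours must be between -23 and 23")
    if not -59 <= cfg.offset_minutes <= 59:
        raise ValueError("Offset Minutes must be between -59 and 59")
    if (cfg.start is None) != (cfg.end is None):
        raise ValueError("Start and End rules must both be set or both left empty")
    if cfg.start is not None:
        if not _name_ok(cfg.dst_name):
            raise ValueError("DST Name must be 1 to 16 characters with no spaces or tabs")
        for rule in (cfg.start, cfg.end):
            if not (1 <= rule.month <= 12 and rule.week in WEEK_INDEX and rule.day in DAY_INDEX):
                raise ValueError("Month, Week or Day is out of range")
            if not (0 <= rule.hour <= 23 and 0 <= rule.minute <= 59):
                raise ValueError("Hour must be 0 to 23 and Minute 0 to 59")


def is_valid(cfg: TimeZoneConfig) -> bool:
    try:
        validate(cfg)
        return True
    except ValueError:
        return False


def standard_offset(cfg: TimeZoneConfig) -> timedelta:
    return timedelta(hours=cfg.offset_hours, minutes=cfg.offset_minutes)


def rule_local_datetime(rule: Rule, year: int) -> datetime:
    """Resolve e.g. 'Second Sunday of March at 02:00' to a naive local datetime in `year`."""
    wanted = DAY_INDEX[rule.day]
    days = calendar.monthrange(year, rule.month)[1]
    matches = [d for d in range(1, days + 1) if calendar.weekday(year, rule.month, d) == wanted]
    return datetime(year, rule.month, matches[WEEK_INDEX[rule.week]], rule.hour, rule.minute)


def dst_window_utc(cfg: TimeZoneConfig, year: int) -> Tuple[datetime, datetime]:
    """UTC instants at which summertime starts and ends in `year`. Assumption: the Start rule is
    read in standard local time, the End rule in summertime local time (clock already shifted)."""
    std = standard_offset(cfg)
    start = rule_local_datetime(cfg.start, year) - std
    end = rule_local_datetime(cfg.end, year) - (std + cfg.dst_shift)
    return start.replace(tzinfo=timezone.utc), end.replace(tzinfo=timezone.utc)


def utc_offset_at(cfg: TimeZoneConfig, when: datetime) -> timedelta:
    """Offset the WLC clock applies at the aware instant `when`."""
    when = when.astimezone(timezone.utc)
    if cfg.start is None:
        return standard_offset(cfg)
    start, end = dst_window_utc(cfg, when.year)
    if start < end:
        in_dst = start <= when < end
    else:                                   # southern hemisphere: period spans New Year
        in_dst = when >= start or when < end
    return standard_offset(cfg) + (cfg.dst_shift if in_dst else timedelta(0))


def local_time_string(cfg: TimeZoneConfig, utc_iso: str) -> str:
    """Render a UTC timestamp (e.g. from a syslog or RADIUS accounting record) on the WLC's clock."""
    when = datetime.fromisoformat(utc_iso)
    off = utc_offset_at(cfg, when)
    label = cfg.name if off == standard_offset(cfg) else cfg.dst_name
    return when.astimezone(timezone(off, label)).strftime("%Y-%m-%d %H:%M %Z")


# Constructed sample, not from any real deployment: UTC-8 with a US-style summertime period
# (second Sunday of March to first Sunday of November, 02:00 local).
US_PACIFIC = TimeZoneConfig(name="PST", offset_hours=-8, dst_name="PDT",
                            start=Rule(3, "Second", "Sunday", 2, 0),
                            end=Rule(11, "First", "Sunday", 2, 0))

if __name__ == "__main__":
    validate(US_PACIFIC)
    for stamp in ("2013-01-15T12:00:00+00:00", "2013-07-01T12:00:00+00:00"):
        print(stamp, "->", local_time_string(US_PACIFIC, stamp))
```

Feed `local_time_string` the UTC timestamps from two WLCs' logs and the same configuration, and you have the local-time view the administrators saw; feed it two different configurations and the discrepancies show where clocks were zoned inconsistently.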

Adding System Information to a WLC

1. To modify system information on a WLC, select the WLC in the Organizer panel.
2. In the Tasks list, under Setup, select System Information.
3. You can configure the following information on the WLC:
 - Contact: contact information for a network administrator.
 - Location: the location of the WLC.
 - Prompt: the prompt displayed by the CLI.
 - Message of the Day: a message of the day to display on the WLC.
 - Acknowledge Mode: enable Acknowledge Mode and create an Acknowledge Message.
4. Click Finish to complete the change.

Configuring Command Auditing

MSS can log commands entered at the CLI and send them to a RADIUS server. All commands, including show commands, that complete successfully or fail are logged on the RADIUS server. The command accounting message includes the following elements:
 - Timestamp
 - TTY port
 - Username
 - Source IP address
 - Command issued
 - Command status (success or failure)
You can configure primary and secondary RADIUS servers to log CLI commands. When command auditing is enabled, all valid CLI commands are captured and logged to the RADIUS server. Because the audit trail leaves the WLC, it survives a wrap of the local log file or a reset of the device, which is what makes it usable for reconstructing an administrator's actions after an incident. For details on the RADIUS commands, see the Mobility System Software (MSS) Configuration Guide.
1. To configure command auditing on a WLC, select the WLC in the Organizer panel.
2. In the Tasks list, under Setup, select Command Audit.
3. Select the log level of Command Auditing:
 - Default: tracks all operations that affect the state of the WLC.
 - None: no operations are tracked.
 - All: tracks all operations on the WLC.
4. Configure the size of the log file that saves the command audit trail on the WLC. The default value is 500 KB.
5. Select an AAA server group from the list of configured Server Groups. You must select a RADIUS server group.
6. Add it to the list of Current AAA Server Groups.
7. Click Finish to complete the configuration.

Configuring the WLA Affinity Groups for a WLC

WLA affinity groups are configured on each cluster member. This information is shared in the cluster database, so the seeds know the WLA affinity group memberships of all cluster members. Based on the IP address of the WLA, the seed selects the primary access manager (PAM) and secondary access manager (SAM) from the group of WLCs with a configured affinity for that subnet. In the event of a WLC failure, the WLA fails over to a controller outside the preferred group; when the WLC is restored, the WLA reverts to the preferred WLC. WLA load balancing takes into account the subnet in which the WLA is located and places the WLA in the appropriate affinity group. The affinity is set on the Mobility Domain configuration, and each cluster member can belong to one or more affinity subnets.
1. Select Configuration from the Navigation Bar.
2. In the Organizer panel, select a WLC.
3. In the Tasks panel, select WLA Affinity Groups.
4. The Setup WLA Affinity Groups wizard is displayed.
5. Click Create.
6. In the WLA Affinity Group IP Address field, enter the IP address including the subnet.
7. Click Finish to complete the configuration.
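The selection logic described above, as an added Python example for this guide (not MSS code): a table of affinity subnets per cluster member, preferred-group selection of the PAM and SAM by WLA address, failover to members outside the group when the preferred WLCs are down, and reversion when they return. The WLC names, subnets and WLA addresses are constructed. The tie-breaking rules (least-loaded WLC first, then name order; a WLA whose address falls in several affinity subnets treats every matching WLC as preferred) are assumptions of this example, since the guide does not specify them.

```python
"""WLA affinity-group placement modelled in code. Added example for this guide; not MSS code."""
import ipaddress
from typing import Dict, Iterable, Optional, Sequence, Set, Tuple

Managers = Tuple[Optional[str], Optional[str]]   # (PAM, SAM)


class AffinityTable:
    """Affinity subnets configured on each cluster member, as the seeds see them in the cluster database."""

    def __init__(self) -> None:
        self._subnets: Dict[str, Set[ipaddress.IPv4Network]] = {}

    def add(self, wlc: str, ip_with_prefix: str) -> None:
        """Equivalent of the 'WLA Affinity Group IP Address' field: an address with its subnet."""
        net = ipaddress.ip_network(ip_with_prefix, strict=False)
        self._subnets.setdefault(wlc, set()).add(net)

    def preferred_for(self, wla_ip: str) -> Set[str]:
        """WLCs with a configured affinity for the subnet the WLA's address falls in.
        Assumption: if several subnets match, every WLC with any matching affinity is preferred."""
        ip = ipaddress.ip_address(wla_ip)
        return {wlc for wlc, nets in self._subnets.items() if any(ip in n for n in nets)}


def _by_load(load: Dict[str, int]):
    # Assumption: least-loaded WLC first, name order breaks ties.
    return lambda wlc: (load.get(wlc, 0), wlc)


def select_managers(table: AffinityTable, cluster: Sequence[str], wla_ip: str,
                    load: Dict[str, int], failed: Iterable[str] = ()) -> Managers:
    """Pick (PAM, SAM) for one WLA. Healthy members of the preferred group come first; if none is
    healthy the WLA fails over to the other healthy cluster members. Re-running with the restored
    WLC no longer in `failed` reproduces the revert to the preferred WLC described above."""
    down = set(failed)
    healthy = [w for w in cluster if w not in down]
    preferred = table.preferred_for(wla_ip)
    key = _by_load(load)
    ordered = (sorted((w for w in healthy if w in preferred), key=key)
               + sorted((w for w in healthy if w not in preferred), key=key))
    pam = ordered[0] if ordered else None
    sam = ordered[1] if len(ordered) > 1 else None
    return pam, sam


def place_wlas(table: AffinityTable, cluster: Sequence[str], wla_ips: Sequence[str],
               failed: Iterable[str] = ()) -> Dict[str, Managers]:
    """Place a batch of WLAs, counting each PAM assignment as load so that WLAs from the same
    affinity subnet spread across the WLCs of that group rather than piling onto one."""
    load = {w: 0 for w in cluster}
    placement: Dict[str, Managers] = {}
    for ip in wla_ips:
        pam, sam = select_managers(table, cluster, ip, load, failed)
        if pam is not None:
            load[pam] += 1
        placement[ip] = (pam, sam)
    return placement


def sample_table() -> AffinityTable:
    """Constructed example: two WLCs share affinity for 10.1.0.0/16, a third owns 10.2.0.0/16."""
    table = AffinityTable()
    table.add("wlc-a", "10.1.0.0/16")
    table.add("wlc-b", "10.1.0.0/16")
    table.add("wlc-c", "10.2.0.0/16")
    return table


CLUSTER = ("wlc-a", "wlc-b", "wlc-c")

if __name__ == "__main__":
    wlas = ["10.1.5.20", "10.1.5.21", "10.2.7.1", "192.168.9.9"]
    for ip, (pam, sam) in place_wlas(sample_table(), CLUSTER, wlas).items():
        print(f"{ip:>14} -> PAM {pam}, SAM {sam}")
    print("wlc-a and wlc-b down:",
          place_wlas(sample_table(), CLUSTER, ["10.1.5.20"], failed={"wlc-a", "wlc-b"}))
```

A WLA whose address is in no configured affinity subnet (192.168.9.9 in the sample) is placed purely by load, which is the case to look for when an AP lands on an unexpected controller: the fix is a missing affinity entry, not a cluster fault.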


Configuring LLDP on the WLC

Link Layer Discovery Protocol (LLDP) is a vendor-neutral link layer protocol used by network devices to advertise their identity, capabilities, and neighbors. Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) is an extension to LLDP that operates between endpoint devices such as IP phones and network devices such as switches. Specifically, it provides support for voice over IP (VoIP) applications and adds TLVs for capabilities discovery, network policy, Power over Ethernet (PoE), and inventory management.
LLDP-MED supports the following TLVs:
 - LLDP-MED Capabilities TLV: allows LLDP-MED endpoints to determine the capabilities of a connected device and whether those capabilities are enabled.
 - Network Policy TLV: allows both network connectivity devices and endpoints to advertise VLAN configurations and the associated Layer 2 and Layer 3 attributes for the specific appliance on that port. For example, a WLC can tell a VoIP phone to use a specific VLAN.
 - Power Management TLV: enables advanced power management between LLDP-MED endpoints and network connectivity devices. It allows WLCs and VoIP phones to convey power information, such as the type of power, power priority, and the amount of power required by the device.
 - Inventory Management TLVs: allow an endpoint to transmit detailed inventory information to a WLC, including hardware revision, firmware version, software version, serial number, manufacturer name, model name, and asset ID.
LLDP and LLDP-MED cannot operate simultaneously on the same link. By default, network devices send only LLDP packets until LLDP-MED packets are received from an endpoint device. The network device then sends LLDP-MED packets until it receives LLDP packets.
LLDP advertisements are unauthenticated and are received by whatever is attached to the port, so the System Description and inventory TLVs disclose model, firmware and serial numbers to any neighbor. Advertise only the TLVs you need on ports that face devices you do not control.
To configure LLDP using RingMaster:
1. In the Organizer panel, select a WLC from the Network Plan.
2. Under Setup, click LLDP Configuration.
3. Under Global Protocol Configuration, Enable LLDP is selected by default. To disable the feature, clear the checkbox.
4. You can change the following values or leave them at their defaults:
 a. Transmission Interval [seconds]: the default is 30 seconds, with a range of 5 to … seconds.
 b. Hold Time [seconds]: the default is 120 seconds, with a range of 0 to … seconds.
 c. Re-initialization Delay [seconds]: the default is 2 seconds, with a range of 2 to 5 seconds.
 d. Transmit Delay [seconds]: the default is 2 seconds, with a range of 1 to 8192 seconds.

52 5. Under Advertised TLVs, you can select the type of TLVs to advertise on the network. Available TLVs are System Capabilities, System Name, and System Description. 6. Click OK to save the configuration. 7. Click Deploy to send the changes to the WLC. 8. To configure LLDP on a WLA, select Access Point in the Organizer panel to display a list of WLAs on the network. 9. Select a WLA, and click Properties. 10. On the LLDP tab, under LLDP Configuration, select a parameter from the LLDP Mode list.the WLA does not collect data about neighbors so the parameters RX and RXTX modes are not available. therefore, the WLA only advertises its presence, but cannot process incoming LLDP frames. 11. LLDP-MED is enabled by default. 12. To send information about power management, select Power via MDI. Media Dependent Interface (MDI) information is collected on the Ethernet interface. 13. To send information about inventory management, select Inventory. 14. Click OK to save the configuration. 15. To configure LLDP on a port, select Ports from the System list. 16. Select a port from the list of available ports, and click Properties. 17. For 10/100/1000 Ethernet Ports, under LLDP Configuration, select Tx, Rx, TxRx, or None. TxRx is selected by default. 18. For Gigabit Ethernet Ports, under LLDP Configuration, select Tx, Rx, TxRx, or None. TxRx is selected by default. 19. Click OK to save the configuration. 2 Configuring LLDP on the WLC Copyright 2012, Juniper Networks, Inc.

System Overview

If you have a WLC in your network plan, you can configure WLC System features using RingMaster. The following features can be configured:

- Configuring Ports on a WLC
- Overview of Wired Authentication on a WLC
- Configuring Wired Authentication on a WLC
- Creating Port Groups on a WLC
- Creating a Syslog Server
- Configuring Static Routes
- Creating an IP Alias
- Creating a DNS Server
- Creating an NTP Server
- Creating an ARP Entry
- Creating a VLAN Profile
- Configuring Spanning Tree Properties
- Creating an Access Control List (ACL)
- Creating a Quality of Service (QoS) Profile

Configuring Ports on a WLC

A WLC port can be one of the following types:

- Network port: A network port is a Layer 2 switch port connecting the WLC to other networking devices such as switches and routers.
- WLA port: A WLA port connects the WLC to a WLA. The port also can provide power to the WLA. Wireless users are authenticated on the network through a WLA port.
- Wired authentication port: A wired authentication port connects the WLC to user devices, such as workstations, that must authenticate in order to access the network.

All WLC ports are network ports by default. You must set the port type for ports directly connected to WLAs and for ports on wired user stations that must authenticate in order to access the network. When you change the port type, MSS applies default settings appropriate for the port type. Table 2 lists the default settings applied for each port type.

You can configure and display information for the following port parameters:

- Name
- State
- Type (network, WLA, or wired authentication)
- Speed and autonegotiation
- Power over Ethernet (PoE) state
- Media type (gigabit Ethernet ports only)
- Load sharing (see Port Groups)

1. From the Organizer panel, select a WLC and then, under System, select Ports.
2. To view the 10/100 Ethernet Port Properties, select a Port and then click Properties.
3. The 10/100 Ethernet Port Properties window is displayed.
4. In the Name field, type a port name (1 to 16 alphanumeric characters, no spaces or tabs).
5. The port is enabled by default. To disable the port, clear the Enabled checkbox.
6. Select SNMP Link Traps if desired. By default, notifications for link state changes are disabled. If you enable them, SNMP link traps are sent when the port state changes, and RingMaster also polls and monitors the status of the port. To generate the LinkDown and LinkUp SNMP traps, you must enable this option. NOTE: You must globally enable SNMP traps in order to receive notifications.
7. To specify the speed of a 10/100 Ethernet port, select one of the following:
   - Auto: Sets the port to automatically detect the traffic speed and set the speed accordingly. This is the default value.
   - 10: Sets the speed to 10 Mbps.
   - 100: Sets the speed to 100 Mbps.
   The port speed for gigabit Ethernet ports is 1000 Mbps and cannot be configured.
8. To specify the operating mode of a 10/100 Ethernet port, select Half for half-duplex or Full for full-duplex mode.
9. To enable PoE on a 10/100 Ethernet port, select PoE Enabled. By default, PoE is disabled. To disable PoE, clear PoE Enabled.
10. For a gigabit Ethernet port (if supported by the WLC), select the interface you want to enable:
   - GBIC: Enables the fiber interface and disables the copper interface.
   - RJ45: Enables the copper interface and disables the fiber interface.
   A port supports only the physical interface you select. The other interface is disabled. The port cannot dynamically move between one interface and the other.
11. To configure Link Layer Discovery Protocol (LLDP) for the selected port, select one of the following Operation Modes:
   - TxRx: Transmit and receive LLDP packets.
   - Tx: Transmit LLDP packets.
   - Rx: Receive LLDP packets.
   - None: Disable LLDP on the port.
12. Click Save.

Changing Port Settings on a WLC

Gigabit Ethernet Port Properties

1. In the Organizer panel, select a WLC from the list.
2. Expand the System options, and select Ports.
3. Select a port from the Gigabit Ethernet Port list and click Properties.
4. In the Name field, type a port name (1 to 16 alphanumeric characters, no spaces or tabs).
5. Clear the Enabled checkbox if you want to disable the port. Click OK to complete the configuration. If you want to make additional changes to the settings, go to the next step.
6. Select SNMP Link Traps if desired. By default, notifications for link state changes are disabled. If you enable them, SNMP link traps are sent when the port state changes, and RingMaster also polls and monitors the status of the port. To generate the LinkDown and LinkUp SNMP traps, you must enable this option.
7. The port speed for gigabit Ethernet ports is 1000 Mbps and cannot be configured.
8. The operating mode for a gigabit port is Full duplex by default.
9. Auto-negotiation is enabled by default.
10. PHY Media Type is SMF by default.
11. From the PHY Media Preference list, select RJ45 or SFP.
12. Click OK to save the configuration.

10 Gigabit Ethernet Port

1. In the Organizer panel, select a WLC from the list.
2. Expand the System options, and select Ports.
3. Select a port from the 10 Gigabit Ethernet Port list and click Properties.
4. In the Name field, type a port name (1 to 16 alphanumeric characters, no spaces or tabs).
5. Clear the Enabled checkbox if you want to disable the port. Click OK to complete the configuration. If you want to make additional changes to the settings, go to the next step.
6. Select SNMP Link Traps if desired. By default, notifications for link state changes are disabled. If you enable them, SNMP link traps are sent when the port state changes, and RingMaster also polls and monitors the status of the port. To generate the LinkDown and LinkUp SNMP traps, you must enable this option.
7. The port speed for 10 Gigabit Ethernet ports is 10 Gbps and cannot be configured.
8. The operating mode for a 10 gigabit port is Full duplex by default.
9. Auto-negotiation is enabled by default.
10. PHY Media Type is XFP by default.
11. The PHY Media Preference is None by default.
12. Click OK to save the configuration.

Overview of Wired Authentication on a WLC

A wired authentication port is an Ethernet port that has 802.1X authentication enabled for access control. Like wireless users, users that are connected to the WLC over Ethernet can be authenticated before they are authorized to use the network. However, data for wired users is not encrypted after they are authenticated.

Informational Note: For 802.1X clients, wired authentication works only if clients are directly attached to a wired authentication port, or attached through a hub that does not block forwarding of packets from a client to the PAE group address (01:80:c2:00:00:03). Wired authentication works in accordance with the 802.1X specification, which prohibits a client from sending traffic directly to the MAC address of an authenticator until the client is authenticated. Instead of sending traffic to the MAC address of an authenticator, a client sends packets to the PAE group address. The 802.1X specification prohibits networking devices from forwarding PAE group address packets, because this would make it possible for multiple authenticators to acquire the same client. For non-802.1X clients that use MAC authentication, WebAAA, or last-resort authentication, wired authentication works whether clients are directly attached or indirectly attached.

Informational Note: If you plan to specify a RADIUS server group, configure the group first, before using the wizard. The wizard does not provide a way to configure RADIUS servers or groups. (See RADIUS.)

To configure Wired Auth, see Configuring Wired Authentication on a WLC.

Configuring Wired Authentication on a WLC

1. In the Tasks panel under Setup, click Wired Auth.
2. The Configure Wired Auth wizard is displayed.

Selecting Open Access for Wired Authentication

3. Select Open Access from the Fall Through Authentication list to automatically authenticate the client and allow access to the SSID requested by the client, without requiring a username and password from the client.

Selecting Web Portal for Wired Authentication

4. From the Fall Through Authentication list, select Web Portal to serve the client a web page from the nonvolatile storage of the WLC for login to the SSID.

Selecting None for Wired Authentication

5. From the Fall Through Authentication list, select None to deny authentication and prohibit the client from accessing the SSID. This is the default.
6. To configure the maximum number of sessions, enter the number or use the up and down arrows. By default, only 1 session is allowed.
7. Enable Idle Timeout is selected by default. To disable this option, clear the checkbox.
8. Configure the maximum number of seconds that a client can be idle before the session is timed out. The default value is 300 seconds (five minutes).
9. Click Next.
10. From the VLAN Name list, select the VLAN used by wireless clients. Click Next.

Create AAA Access

11. To allow 802.1X access, you must configure access rules that specify the AAA servers to use for authentication. If you have not previously configured a rule, click Create.
12. Enter a userglob to match specific usernames, or ** as a wildcard to match all users. ** is the default value.
13. From the EAP Type list, select one of the following options:
   - External Authentication Server: use an external AAA server for authentication.
   - EAP-MD5 Offload (Extensible Authentication Protocol - Message Digest 5): offload to an external server.
   - PEAP Offload (Protected Extensible Authentication Protocol): if you select PEAP Offload, MS-CHAPv2 is selected as the EAP Sub-protocol by default.
   - Local EAP-TLS
14. Click Next.
15. Add Authentication Servers from the Available AAA Server Groups to the Current AAA Server Groups. Select LOCAL to use the database on the WLC.
16. Optionally, you can add Accounting Servers. See Creating AAA Profiles.

Create 802.1X Rules: See Configuring 802.1X Global Parameters.

MAC Access Rules: See Creating a MAC Access Rule.

Local User Database: See Creating Users in the Local User Database.

17. Click Finish to complete the configuration.

Creating Port Groups on a WLC

A port group is a set of physical ports that function together as a single link and provide load sharing and link redundancy. Only network ports can participate in a port group.

The WLC assigns traffic flows to ports based on the source and destination MAC addresses of the traffic, which balances port group traffic among the physical ports of the group. The WLC assigns a traffic flow to an individual port in the group and uses the same port for all subsequent traffic for that flow.

A port group ensures link stability by providing redundant connections for the same link. If an individual port in a group fails, the WLC reassigns traffic to the remaining ports. When the failed port starts operating again, the WLC begins using it for new traffic flows. Traffic that belonged to the port before it failed continues to be assigned to other ports.

Layer 2 configuration changes apply collectively to a port group as a whole but not to individual ports within the group. For example, Spanning Tree Protocol (STP) changes affect the entire port group rather than individual ports. When you make Layer 2 configuration changes, you can use a port group name in place of the port list. Ethernet port statistics continue to apply to individual ports and not to port groups.

Configuring Port Groups

1. In the Tasks panel, select Create Port Group. The Create Port Group wizard is displayed.
2. In the Port Group Name field, type the name of the port group (1 to 16 alphanumeric characters, with no spaces or tabs). Click Next.
3. The Port Group Members list is displayed.
4. To add a port to a port group, select it from the Member list. To remove a Member, clear the Member checkbox.
5. To change the membership of a port in another port group, select Member for the port. The Port Group Member Remove dialog appears. Click Yes to change membership. Click No to leave the membership unchanged.
6. Click Finish.

Configuring Management Services on a WLC

Informational Note: By default, HTTPS is enabled on the WLC, allowing you to use Web View on port 443 for a secure session. If you disable HTTPS, you cannot use Web View. RingMaster communications also use HTTPS, but RingMaster is not affected by the HTTPS configuration on the WLC. For RingMaster, HTTPS is always enabled and listens on port

1. From the Organizer panel, select a WLC.
2. Select System, and then Management Services.
3. You can manually select a service from the list of Management Services. You can select any of the following options: HTTPS, Telnet, SSH, Web Portal, SNMP, TFTPD.
4. To change the idle timeout for CLI sessions, edit the value in the Idle Timeout field. You can specify from 0 to seconds (one day). The default is 3600 (one hour). If you specify 0, the idle timeout is disabled. The timeout interval is in 30-second increments. For example, the interval can be 0, 30, 60, or 90 seconds, and so on. If you enter an interval that is not divisible by 30, the WLC rounds up to the next 30-second increment.
5. Select the port number for the Management Port. The default value is
6. Select the port number for the HTTP Port. The default value is
7. Select the port number for the HTTPS Port. The default value is
8. Select the port number for Telnet. The default value is
9. Select the port number for SSH. The default value is
10. Select the SSL Mode from the list. You can configure Partial, All, or None.
11. Specify the port number for TFTPD Services.

Configuring SNMP Using SNMP V1 or V2c

On each WLC in the network plan, you must enable notifications and configure RingMaster Services as a notification target (trap receiver). RingMaster Services software does not start listening for SNMP notifications from a WLC until you add RingMaster Services as an SNMP notification target on the WLC. (For simple configuration of RingMaster Services as an SNMP notification target, see System Setup Wizard.)

To configure SNMP v1 using RingMaster, use the following steps:

1. From the Organizer panel, select a WLC from the list.
2. Expand System and select Management Services.
3. From the list of Management Services, select SNMP.
4. In the SNMP interface, select V1 or V2c.
5. From the Tasks panel under Create, select Create Community.
6. The Create Community wizard is displayed.
7. In the Community String field, type the name of the community. The name can be 1 to 32 alphanumeric characters, with no spaces or tabs. NOTE: Community string names are transmitted in clear text. NOTE: If you enable SNMP service on the WLC, Juniper Networks recommends that you do not use the well-known strings public (for READ) or private (for WRITE). These strings are commonly used and can easily be guessed.
8. Select the access type:
   - Read-Only: An SNMP management application using the string can get (read) object values on the WLC but cannot set (write) them. This is the default.
   - Read-Notify: An SNMP management application using the string can get object values on the WLC but cannot set them. The WLC can use the string to send notifications.
   - Read-Write-Notify: An SNMP management application using the string can get and set object values on the WLC. The WLC can use the string to send notifications.
   - Read-Write: An SNMP management application using the string can get and set object values on the WLC.
   - Notify-Only: The WLC can use the string to send notifications.
9. Click OK.

Setting Up Trap Logging

1. From the Organizer panel, select a WLC.
2. From System, select Management Services.
3. Under SNMP in the Configuration panel, select Trap Log.
4. From the Tasks panel, under Setup, click Trap Logging.
5. You can log all or some of the following SNMP traps:
   - Authentication
   - LinkDown
   - LinkUp
   - DeviceFail
   - DeviceOkay
   - PoEFail
   - MobilityDomainJoin
   - MobilityDomainTimeout
   - RFDetectAdhocUser
   - ClientAuthenticationFailure
   - ClientAuthorizationFailure
   - ClientAuthorizationSuccess
   - ClientAssociationFailure
   - ClientRoaming
   - ClientDeAssociation
   - AutoTuneRadioChannelChange
   - AutoTuneRadioPowerChange
   - CounterMeasureStop
   - CounterMeasureStart
   - ClientCleared
   - ClientDot1xFailure
   - RFDetectClientViaRogueWiredWLA
   - RFDetectDoS
   - ClientAssociationSuccess
   - RFDetectDoSPort
   - RFDetectAdhocUserDisappear
   - ClientIpAddrChange
   - ClientAuthenticationSuccess
   - ClientDeAuthentication
   - ClientDeviceProfileChangeTraps
   - ClientDeviceTypeChangeTraps
   - MobilityDomainFailOver
   - MobilityDomainFailBack
   - ApRejectLicenseExceeded
   - RFDetectBlacklisted
   - RFDetectClassificationChange
   - ClientDisconnect
   - ClientDynAuthorChangeFailure
   - ClientDynAuthorChangeSuccess
   - RFDetectRogueDevice
   - WLAOperRAdioStatus2
   - WLANonOperStatus2
   - ConfigurationSaved
   - MichaelMICFailure
   - RFDetectSuspectDeviceDisappear
   - RFDetectSuspectDevice
   - RFDetectRogueDeviceDisappear
   - ClusterFail
   - MobilityDomainResiliencyStatus
   - ApManagerChange
   - MultimediaCallFailure
   - WLCTunnelLimitExceeded
   - RFNoiseSource
6. Click OK.

Configuring SNMP Views

1. From the Organizer panel, select a WLC.
2. From System, select Management Services.
3. From the Tasks panel, under Create, click Create View.
4. In the View Name field, type the name of the view. The name can be 1 to 15 alphanumeric characters, with no spaces or tabs.
5. Enter a description of the view.
6. From the Root OID list, select None, Included, or Excluded.
7. Define the SNMP tree by adding a subtree. This can be a name or an object ID.
8. Select Included or Excluded from the Type list.
9. Click Finish.
10. Click OK to accept the configuration.

Configuring SNMP Groups

1. From the Organizer panel, select a WLC.
2. From System, select Management Services.
3. From the Tasks panel, under Create, click Create Group.
4. In the Group Name field, type the name of the group. The name can be 1 to 15 alphanumeric characters, with no spaces or tabs.
5. Enter a description of the group.
6. Click Next.
7. Define the access permissions for this group by specifying the read, write, or notify view.
8. To add an Access Entry, click Add Access Entry. You can select one set of values for each security pair:
   a. From the Security Model list, select V1, USM, or V2C.
   b. From the Security Level list, select No Authen, No Priv. If you selected USM, you can select Auth & Priv; Authen, No Priv; or No Authen, No Priv.
   c. Configure the Read View, Write View, or Notify View.
   d. Click OK.
9. Click Finish.

Configuring SNMP Using USM

1. Access the Create USM User wizard:
2. Select the Configuration Navigation Bar button.
3. In the Organizer panel, click the plus sign next to a WLC.
4. Click the plus sign next to System.
5. Select Management Services.
6. In the Tasks panel, select Create USM User.
7. In the Username field, type the name of the SNMPv3 user. The name can be 1 to 32 alphanumeric characters, with no spaces or tabs.
8. Select the access type:
   - Read-Only: An SNMP management application using the string can get (read) object values on the WLC but cannot set (write) them. This is the default.
   - Read-Notify: An SNMP management application using the string can get object values on the WLC but cannot set them. The WLC can use the string to send notifications.
   - Read-Write-Notify: An SNMP management application using the string can get and set object values on the WLC. The WLC can use the string to send notifications.
   - Read-Write: An SNMP management application using the string can get and set object values on the WLC.
   - Notify-Only: The WLC can use the string to send notifications.
9. Specify the Engine ID, which is the unique identifier for this instance of the SNMP engine:
10. Select the format:
   - Hex: The ID is a hexadecimal string.
   - IP: The ID is based on the IP address of the station running the management application. Enter the IP address of the station. RingMaster calculates the engine ID based on the address.
   - LocalID: Uses the value computed from the system IP address of the WLC.
   NOTE: To send informs, you must specify the engine ID of the inform receiver. To send traps and to allow get and set operations and so on, specify local as the engine ID.
11. If you selected Hex or IP, type the hexadecimal string or IP address in the Value field, click Next, and go to Step 12. Otherwise, click Finish.
12. Select the authentication type used to authenticate communications with the remote SNMP engine:
   - None: No authentication is used. This is the default.
   - MD5: Message-Digest Algorithm 5 is used.
   - SHA: Secure Hash Algorithm (SHA) is used.
13. If you selected MD5 or SHA, you can specify a passphrase or hexadecimal key: select the format from the Format list, then type the value in the Password field. If you selected Key as the format, type a 16-byte hexadecimal string for MD5 or a 20-byte hexadecimal string for SHA. If you selected Pass Phrase as the format, type a string at least 8 characters long.
14. Select the encryption type used for SNMP traffic:
   - None: No encryption is used. This is the default.
   - DES: Data Encryption Standard (DES) encryption is used.
   - 3DES: Triple DES encryption is used.
   - AES: Advanced Encryption Standard (AES) encryption is used.
15. If you selected DES, 3DES, or AES, you can specify a passphrase or a hexadecimal key: select the format from the Format pull-down list, then type the value in the Password field. If you selected Key as the format, type a 16-byte hexadecimal string. If you selected PassPhrase as the format, type a string at least 8 characters long for DES or 3DES, or at least 12 characters long for AES. Click Finish.
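The following is an added example, not RingMaster or Juniper code, showing what the USM key material entered in steps 9 through 15 becomes on the wire: RFC 3414 expands the Pass Phrase to 1 MiB, hashes it, and then localizes it with the engine ID, so the same passphrase yields a different key on every engine (which is why the inform receiver's engine ID must be specified). The "maplesyrup" vectors are the published RFC 3414 Appendix A.3 test values; the length checks mirror the wizard text above.

```python
"""Passphrase-to-key derivation for SNMPv3 USM users (RFC 3414, Appendix A).

Added example; this is not RingMaster or Juniper code. It models the Pass Phrase
and Key formats of the Create USM User wizard and the Engine ID localization
step that makes the derived key specific to one SNMP engine.
"""
import hashlib

EXPANSION_LEN = 1024 * 1024          # passphrase is repeated to 1 MiB before hashing
KEY_LEN = {"MD5": 16, "SHA": 20}     # digest sizes; match the wizard's Key lengths
HASH_NAME = {"MD5": "md5", "SHA": "sha1"}

# Minimum Pass Phrase lengths exactly as the wizard text states them
MIN_PASSPHRASE = {"MD5": 8, "SHA": 8, "DES": 8, "3DES": 8, "AES": 12}


def password_to_ku(passphrase: str, algo: str) -> bytes:
    """RFC 3414 A.2: hash the passphrase repeated cyclically to 1 MiB -> Ku."""
    pw = passphrase.encode()
    if not pw:
        raise ValueError("empty passphrase")
    repeats, rem = divmod(EXPANSION_LEN, len(pw))
    return hashlib.new(HASH_NAME[algo], pw * repeats + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    if not 5 <= len(engine_id) <= 32:          # RFC 3411 SnmpEngineID size bounds
        raise ValueError("snmpEngineID must be 5..32 octets")
    return hashlib.new(HASH_NAME[algo], ku + engine_id + ku).digest()


def usm_localized_key(passphrase: str, engine_id_hex: str, algo: str) -> str:
    """Derive the per-engine key (hex) from a wizard passphrase and a Hex engine ID."""
    engine_id = bytes.fromhex(engine_id_hex)
    return localize_key(password_to_ku(passphrase, algo), engine_id, algo).hex()


def validate_wizard_input(fmt: str, value: str, algo: str) -> bool:
    """Apply the length rules the wizard text gives for the Password field.

    fmt is "Key" (hex) or "PassPhrase"; algo is MD5/SHA for authentication or
    DES/3DES/AES for privacy. Privacy keys are 16 bytes for all three ciphers.
    """
    if fmt == "Key":
        expected = KEY_LEN.get(algo, 16)
        try:
            return len(bytes.fromhex(value)) == expected
        except ValueError:                     # not valid hex at all
            return False
    if fmt == "PassPhrase":
        return len(value) >= MIN_PASSPHRASE[algo]
    raise ValueError("format must be Key or PassPhrase")


if __name__ == "__main__":
    eid = "000000000000000000000002"          # RFC 3414 test engine ID (12 octets)
    for algo in ("MD5", "SHA"):
        print(algo, "Ku ", password_to_ku("maplesyrup", algo).hex())
        print(algo, "Kul", usm_localized_key("maplesyrup", eid, algo))
    print(validate_wizard_input("PassPhrase", "short", "AES"))   # AES needs 12 chars
```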

Configuring a Notification Profile for SNMP

A notification profile is a named list of all of the notification types that can be generated by a WLC, and for each notification type, the action to take (drop or send) when an event occurs.

1. Access the Create Notification Profile wizard.
2. Select the Configuration Navigation Bar button.
3. In the Organizer panel, click the plus sign next to a WLC.
4. Click the plus sign next to System.
5. Select Management Services.
6. In the Tasks panel, select Create Notification Profile.
7. In the Profile Name field, type the notification profile name. It can be 1 to 32 alphanumeric characters, with no spaces or tabs. The Notification Profile Traps dialog appears.
8. Click the checkbox next to each notification type you want to enable. To enable all notification types, select Enable at the top of the list.
9. Click Finish.

Setting Up a Notification Target for SNMP

You can configure a different IP address to use as the source IP address for SNMP traps. To do this, configure notification targets for SNMP using these steps:

1. Select the Configuration Navigation Bar button.
2. In the Organizer panel, click the plus sign next to a WLC.
3. Click the plus sign next to System.
4. Select Management Services.
5. Click Setup Notification Target to display the wizard.
6. The ID, IP Address, and Port are set by default. The IP address is the IP address of the RingMaster server.
7. To use a different IP address as the source IP address, enter the desired IP address in the Source IP field.
8. Click Next.
9. Select the desired traps to send as SNMP traps.
10. Enter a name in the Community String field.
11. Select Access or Group.
12. Select from Notify-Only, Read-Notify, or Read-Write-Notify.
13. Click Finish to save the configuration.

To modify a Notification Target, select it from the list, and click Properties.

Configuring SNMP Communities

1. From the Organizer panel, select a WLC.
2. From System, select Management Services.
3. From the Tasks panel, under Create, click Create Community.
4. In the Community String field, type the name of the community. The name can be 1 to 32 alphanumeric characters, with no spaces or tabs. These strings are transmitted in clear text, and it is recommended that you do not use the string public (for READ) or private (for WRITE). These strings are commonly used and can be easily guessed.
5. Select Access or Group.
6. Configure access by selecting from the Access type list:
   - Read-Only: An SNMP management application using the string can get (read) object values on the WLC but cannot set (write) them. This is the default.
   - Read-Notify: An SNMP management application using the string can get object values on the WLC but cannot set them. The WLC can use the string to send notifications.
   - Read-Write-Notify: An SNMP management application using the string can get and set object values on the WLC. The WLC can use the string to send notifications.
   - Read-Write: An SNMP management application using the string can get and set object values on the WLC.
   - Notify-Only: The WLC can use the string to send notifications.
7. Click OK.

Enabling Syslog Features

Log and Trace Settings

System logs provide information about system events that you can use to monitor and troubleshoot MSS. Event messages for the WLC and the associated WLAs can be stored or sent to the following destinations:

- Stored in a local buffer on the WLC
- Displayed on the WLC console port
- Displayed in an active Telnet session
- Sent to one or more syslog servers, as specified in RFC 3164

The system log is a file in which the newest record replaces the oldest. These entries are preserved in nonvolatile memory through system reboots.

Traces enable you to perform diagnostic routines. You can set a trace with a keyword, such as authentication or sm, to trace activity for a particular feature, such as authentication or the session manager.

Enabling Syslog Features

1. From the Organizer panel, select a WLC.
2. Under System, select Log.
3. Under Log, select Enabled.
4. To enable console logging, select Console Enabled.
5. To enable session logging, select Session Enabled.
6. To enable trace logging, select Trace Enabled.
7. From the Severity Filter list, select one of: Emergency, Alert, Critical, Error (default), Warning, Notice, Info, Debug (all).
8. From the Console Severity Filter list, select one of: Emergency, Alert, Critical, Error (default), Warning, Notice, Info, Debug (all).
9. From the Session Filter Severity list, select one of: Emergency, Alert, Critical, Error, Warning, Notice, Info (default), Debug (all).
10. From the Trace Severity Filter list, select one of: Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug (all).
11. Click Save to save the configuration.
12. To deploy the changes on the network, click Deploy.

Creating an External Syslog Server

1. From the Organizer panel, select a WLC.
2. Under System, select Log.
3. From the Tasks panel, select Create Syslog Server.
4. Under Syslog Server, enter the IP Address of the Syslog Server.
5. You can change the port or leave it at the default value of
6. You can select from the following Severity Filters:
   - Emergency: The WLC is down.
   - Alert: Action must be taken immediately.
   - Critical: You must resolve the critical situation. If left unresolved, the WLC can reboot or shut down.
   - Error: The WLC is missing data or unable to form a connection.
   - Warning: A possible problem exists.
   - Notice: Events that can cause system problems have occurred. These are logged for diagnostic purposes.
   - Info: Informational messages only. No problems exist.
   - Debug (All): Output from debugging.
   The default severity level is Error.
7. To map all of the facilities to a standard local facility and override the default MSS facility settings, select Facility Mapping. Some syslog servers require the facility to be set to a standard local facility name.
8. From the Map to Local Facility list, select from Local 0 to Local 7 to map the MSS event messages to one of the standard local log facilities specified by RFC

   Facility Number   Facility Description
   0                 kernel messages
   1                 user-level messages
   2                 mail system
   3                 system daemons
   4                 security/authorization messages
   5                 messages generated internally by syslogd
   6                 line printer subsystem
   7                 network news subsystem

9. Click Finish to save the configuration.

Informational Note: If you are unfamiliar with configuring a Syslog Server, review the Troubleshooting section, Configuring and Managing the System Log, in the MSS Configuration Guide.
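The following added example (not RingMaster or Juniper code) ties the Severity Filter lists above and the Map to Local Facility step together: every RFC 3164 message starts with a <PRI> field equal to facility * 8 + severity, so Local 0 through Local 7 appear on the wire as facility codes 16 through 23, and a filter set to Error admits Error and the three more severe levels. The sample lines are constructed for the example, not captured from a WLC.

```python
"""Decoding and filtering RFC 3164 syslog priorities.

Added example, not RingMaster or Juniper code. It shows how the facility chosen
under Map to Local Facility and a message's severity are packed into the <PRI>
prefix of each syslog line, and how a Severity Filter such as the default Error
decides which lines a collector keeps. Sample lines are constructed.
"""
import re

# Severity codes 0..7 in the order the Severity Filter lists present them
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Info", "Debug"]

# Facility codes from RFC 3164; 0..7 match the guide's table, 16..23 are Local 0..7
FACILITIES = {
    0: "kernel messages", 1: "user-level messages", 2: "mail system",
    3: "system daemons", 4: "security/authorization messages",
    5: "messages generated internally by syslogd", 6: "line printer subsystem",
    7: "network news subsystem",
}
FACILITIES.update({16 + n: f"Local {n}" for n in range(8)})

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    if facility not in FACILITIES or not 0 <= severity <= 7:
        raise ValueError("unknown facility or severity")
    return facility * 8 + severity


def decode_pri(line: str):
    """Split a raw syslog line into (facility code, severity code, remainder)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:                        # 23 * 8 + 7 is the highest legal PRI
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    return facility, severity, m.group(2)


def passes_filter(severity: int, threshold: str) -> bool:
    """A filter set to Error keeps Error and anything more severe (lower code)."""
    return severity <= SEVERITIES.index(threshold)


def filter_messages(lines, threshold: str = "Error"):
    """Return (facility name, severity name, text) for lines that pass the filter."""
    kept = []
    for line in lines:
        facility, severity, text = decode_pri(line)
        if passes_filter(severity, threshold):
            kept.append((FACILITIES.get(facility, f"facility {facility}"),
                         SEVERITIES[severity], text))
    return kept


# Constructed sample: a WLC mapped to Local 0, plus two lines from other senders
SAMPLE_LINES = [
    "<131>Jun  3 10:15:02 wlc-1 SYS: port 3 link down",      # Local 0, Error
    "<134>Jun  3 10:15:05 wlc-1 SYS: client roamed",         # Local 0, Info
    "<26>Jun  3 10:15:09 host-a daemon: service restarted",  # system daemons, Critical
    "<184>Jun  3 10:15:11 host-b emerg: power lost",         # Local 7, Emergency
]

if __name__ == "__main__":
    for entry in filter_messages(SAMPLE_LINES):   # default threshold: Error
        print(entry)
```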

Creating a Trace Area
1. From the Organizer panel, select a WLC.
2. Under System, select Log.
3. From the Tasks panel, select Create Trace Area.
4. Under Trace Area, select the area to trace for logging purposes.
5. Select the trace level from the Level list. The default value is 5, and the range is 0 to 10. 0 provides the minimum amount of information and 10 provides the maximum amount of information.
Optional Parameters
6. In the User Name field, enter the user name to trace on the network. Specify a username no longer than 60 alphanumeric characters with no spaces or tab characters.
7. In the MAC Address field, type the MAC address to trace on the network. Specify a MAC address using colons to separate the octets (for example, 00:11:22:aa:bb:cc).
8. In the Port Name field, type the name of the port to trace on the network.
9. Click Finish to complete the configuration.

Configuring Static Routes
The IP routing table contains routes that RingMaster uses for determining the external communication interfaces for a WLC. When you add an IP interface to an active VLAN, MSS automatically adds corresponding entries to the IP routing table. For destination routes that are not directly attached, you can add static routes. A static route specifies the destination and the default router through which to forward traffic. You can add the following types of static routes:
- Explicit route: Forwarding path for traffic to a specific destination.
- Default route: Forwarding path for traffic to a destination without an explicit route.
If the IP routing table contains an explicit route for a given destination, RingMaster uses that route. Otherwise, RingMaster uses a default route. (For more information about static routes, see the Configuring and Managing IP Routes section in the Configuring and Managing IP Interfaces and Services chapter of the Juniper Networks Mobility System Software Configuration Guide.)
Configure a static route if a gateway is configured on the network.
1. Select an existing route or click Create.
2. If you select an existing route, you can highlight it in the list and click Properties to display information about the route. If you click Create, you can configure a new route on the network.
a. When you click Create, the Create Route interface is displayed. You can select Default Route to configure network traffic to use this IP address for routing traffic.
b. Enter a destination IP address, the Gateway IP address, and the metric for the route.
3. Click OK to save the route configuration.

Creating an IP Alias
You can map an IP address to a name by creating an IP alias. For example, if you create an IP alias carmel for an IP address, you could type telnet carmel rather than telnet followed by the IP address. You can use IP aliases in conjunction with DNS. If you use IP aliases and DNS is enabled, the WLC looks up IP aliases before checking for entries on a DNS server.
1. From the Organizer panel, select a WLC.
2. From the Task panel, under Create, click Create IP Alias.
3. Enter a Host Name and a Host IP Address.
Informational Note: You cannot use the word all in the host name.
4. Click OK to save the configuration.

Creating a DNS Server
You can configure a WLC to resolve hostnames to IP addresses by querying a Domain Name Service (DNS) server. By enabling DNS, you can specify a hostname rather than an IP address. For example, rather than typing telnet followed by an IP address, you could type telnet monterey.example.com. By default, DNS is not enabled. You can specify one primary DNS server and up to five secondary DNS servers. You configure DNS by performing the following tasks:
- Enable the DNS client and configure a default domain name for DNS queries.
- Specify the IP addresses of the DNS servers.
1. From the Organizer panel, select a WLC.
2. From the Task panel, under Create, click Create DNS Server.
3. Enter the server IP Address and select Primary or Secondary from the Preference list. You can designate only one DNS server as the primary DNS server. All other DNS servers are secondary servers.
4. Select Enabled under DNS Service.
5. Enter the Default DNS Domain.
6. Click OK to save the configuration.

Creating an NTP Server
You can configure a WLC to use the Network Time Protocol (NTP) to automatically set the system date and time. NTP polls network time servers at regular intervals and synchronizes the system date and time with the servers. By default, NTP is not enabled. You can specify up to three NTP servers.
Informational Note: If NTP is configured on a system where the current time differs from the NTP server time by more than 10 minutes, convergence of the WLC time can take many NTP update intervals. Juniper Networks recommends that you set the time manually to the NTP server time before enabling NTP to avoid a significant delay in convergence.
1. From the Organizer panel, select a WLC.
2. From the Task panel, under Create, click Create NTP Server.
3. Enter the server IP Address and click OK to save the configuration.
4. To enable the NTP Service, select Enabled under NTP Client.
5. You can customize the Update Interval [seconds] or leave it at the default value of 64. The range is 16 to 1024 seconds.

Creating an ARP Entry
The Address Resolution Protocol (ARP) table maps IP addresses to MAC addresses. ARP is enabled by default on the WLC and cannot be disabled. An ARP entry is added to the table in one of the following ways:
- Automatically by a WLC: The WLC adds a local entry for its own MAC address and adds dynamic entries for addresses learned from traffic received by the WLC. When a WLC receives an IP packet, it adds the source MAC address and source IP address of the packet to the ARP table.
- By the system administrator: Using RingMaster, you can add permanent entries to the ARP table. Permanent entries do not age out and remain in the table even after the WLC is rebooted.
1. From the Organizer panel, select a WLC.
2. From the Task panel, under Create, click Create ARP Entry.
3. Enter the IP Address and MAC Address.
4. Click OK to save the configuration.
In the optional Aging Time field, specify the amount of time a dynamic entry can remain unused before the entry is removed from the ARP table. The value range for the aging timeout is 0 to 1,000,000 seconds. The default value is 1200 seconds. To disable aging, specify 0 as the aging timeout. The local entry for a WLC, static entries, and permanent entries in the ARP table are not affected by the aging timeout.

Overview of VLANs
A virtual LAN (VLAN) is a Layer 2 broadcast domain that can span multiple wired or wireless LAN segments. Each VLAN is a separate logical network, and, if you configure IP interfaces on the VLANs, MSS treats each VLAN as a separate IP subnet.
Configure VLANs on the network ports of a WLC by configuring them on the WLC. Configure a VLAN by assigning a name and network ports to the VLAN. Optionally, you can assign VLAN tag values on individual network ports. You can configure multiple VLANs on the network port of a WLC. Optionally, each VLAN can have an IP address.
You do not need to configure VLANs on WLA access ports or wired authentication ports, because the VLAN membership of these types of ports is determined dynamically through the authentication and authorization process. Users who require authentication connect through WLC ports that are configured for WLA access points or wired authentication access. Users are assigned to VLANs automatically through authentication and authorization mechanisms such as 802.1X.
By default, none of the ports of a WLC are in VLANs. A WLC cannot forward traffic on the network until you configure VLANs and add network ports to those VLANs.
Users and VLANs
When a user successfully authenticates to the network, the user is assigned to a specific VLAN. A user remains associated with the same VLAN throughout the user's session on the network, even when roaming from one WLC to another within a Mobility Domain. You assign a user to a VLAN by setting one of the following attributes on the RADIUS servers or in the local WLC user database:
- Tunnel-Private-Group-ID: This attribute is described in RFC 2868, RADIUS Attributes for Tunnel Protocol Support.
- VLAN-Name: This attribute is a Juniper vendor-specific attribute (VSA).
Informational Note: You cannot configure the Tunnel-Private-Group-ID attribute in the local user database. Specify a VLAN name, not the number.
If both attributes are used, the WLC uses the VLAN name in the VLAN-Name attribute.

Roaming and VLANs
WLCs in a Mobility Domain contain a user's traffic within the VLAN assigned to the user. For example, if you assign a user to VLAN red, the WLCs in the Mobility Domain contain the user's traffic within VLAN red configured on the WLCs. The WLC that authenticates a user must be a member of the Mobility Domain assigned to that user. You are not required to configure a VLAN on all WLCs in a Mobility Domain. When a user roams to a WLC that is not a member of the VLAN the user is assigned to, the WLC can tunnel traffic for that user through another WLC that is a member of the VLAN.
Informational Note: Because the default VLAN might not be in the same subnet on each WLC, you should not rename the default VLAN or use it for user traffic. Instead, configure other VLANs for user traffic.

Configuring VLANs
1. Configure VLAN information. You can select a VLAN from the list or create a new one. Click Create to create a new VLAN.
2. Enter a unique name for the VLAN and the VLAN ID. In the VLAN Name field, type a name for the VLAN (1 to 16 alphabetic characters long, with no spaces or tabs). You cannot use a number as the first character in a VLAN name. VLAN names must be globally unique across a Mobility Domain to ensure intended user connectivity as determined through authentication and authorization. Every VLAN on a WLC has a VLAN name for authorization and a VLAN number. VLAN numbers vary for each WLC and are not related to 802.1Q tag values, if used.
3. Optionally, you can select ports or port groups to be members of the VLAN. Do one of the following:
- To add a port or port group to the VLAN and remove previous VLAN membership, click Move. Moving a port or port group could potentially affect multiple VLANs.
- To add a port or group to a VLAN and retain previous VLAN membership, click Add.
4. Click Next.
5. Optional VLAN Interface: Select an existing route or click Create.
a. Statically configure an address by editing the IP address and subnet mask (for example, /16).
b. Select DHCP Client to use a DHCP server to dynamically obtain an IP address for the VLAN.
Generally, VLANs are equivalent to IP subnets. If a WLC is connected to the network by only one IP subnet, the WLC must have at least one VLAN configured. Optionally, each VLAN can have its own IP address. However, no two IP addresses on the WLC can belong to the same IP subnet.
Informational Note: MSS does not support assigning the system IP address of a WLC to an address received through the DHCP client. You should use the DHCP client only on WLC2s you plan to configure using the drop-ship method.
6. Click OK to save the route configuration.
7. Click Next, and click Finish to complete the configuration.
Changing VLAN Membership
A port or port group can be in one or more VLANs. To be in multiple VLANs, the port or group must have an 802.1Q VLAN tag. A tag is a numeric value that identifies a virtual port within a VLAN. The same VLAN can have different tag values on different ports. However, a port can have only one tag value in a given VLAN. A VLAN can also have untagged ports. An untagged port can be a member of only one VLAN. MSS supports the IEEE 802.1Q tag type, described in the IEEE 802.1Q specification.

The tagging capabilities of the WLC are flexible. You can assign 802.1Q tag values on a per-VLAN, per-port basis. The same VLAN can have different tag values on different ports. In addition, the same tag value can be used by different VLANs but on different network ports. If you use a tag value, Juniper Networks recommends that you use the same value as the VLAN number. MSS does not require the VLAN number and tag value to be the same, but other vendors may require it.
Informational Note: Do not assign the same VLAN multiple times using different tag values to the same network port. Although MSS does not prohibit you from doing so, this configuration is not supported.

Configuring VLAN Pooling
Overview
VLAN Pooling is a feature that allows you to associate equivalent VLANs with a service, which improves scalability and reduces broadcast domains across VLANs. Multiple VLANs can be grouped to form a VLAN Pool, and all VLANs in the VLAN Pool are available at any time in a location. VLAN assignment is performed dynamically when a wireless client accesses the network and a VLAN is assigned to the wireless client. For example, if an enterprise network has 1000 wireless clients that can connect to the network from any location in the enterprise, five VLANs may be required to support the client load. The five VLANs are then placed into a VLAN pool, which is available at any time on the enterprise network. When a wireless client accesses the network, the client is assigned a VLAN, typically the one with the fewest clients based on the current client counts on the VLANs in the VLAN Pool, by using a round robin algorithm. The VLAN pool can also be configured on an AAA server.
VLAN Pools can be applied to the following attributes:
- Users
- User Groups
- MAC Users
- MAC User Groups
- Service Profiles
Configuring VLAN Pools
To configure VLAN Pools, select VLAN Pools located in the Organizer. Note that VLAN Pools can be created using two mechanisms:
- Client MAC Hash: This option assigns VLANs based on a hash value computed from the MAC address of the client. This can be beneficial in that it guarantees that a client will always be assigned to the same VLAN every time it attempts to connect. This mechanism is the default method.

- Load Balancing: With this option selected, the deployment keeps track of the total number of sessions supported by each VLAN in the domain. When a session gets assigned to the VLAN pool, the controller directs the session to the VLAN that is under the least load at that time.
Once you select VLAN Pools, click Create VLAN Pools from the Task list. A configuration wizard allows you to add VLANs to VLAN Pools.
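The two assignment mechanisms side by side, as an added Python example that is not part of RingMaster or MSS: CRC-32 of the MAC octets is an assumed stand-in for the undocumented MSS client MAC hash, the least-loaded choice breaks ties in pool order, and the VlanPool class and its method names are this example's own.

```python
import zlib

# Constructed model of the two VLAN Pool assignment mechanisms described above.
# The hash MSS actually uses is not documented on this page; CRC-32 of the six MAC
# octets is an assumed stand-in that keeps the property that matters: the same client
# always lands on the same VLAN as long as the pool membership is unchanged.


def mac_to_bytes(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' (any case) into six octets, rejecting malformed input."""
    parts = mac.strip().lower().split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


class VlanPool:
    def __init__(self, name, vlans):
        if not vlans:
            raise ValueError("a VLAN pool needs at least one VLAN")
        self.name = name
        self.vlans = list(vlans)                          # order decides tie-breaking
        self.sessions = {v: set() for v in self.vlans}    # VLAN -> client MACs on it

    def assign_by_mac_hash(self, mac):
        """Client MAC Hash: deterministic, independent of current load."""
        vlan = self.vlans[zlib.crc32(mac_to_bytes(mac)) % len(self.vlans)]
        self._record(vlan, mac)
        return vlan

    def assign_least_loaded(self, mac):
        """Load Balancing: the VLAN carrying the fewest sessions right now."""
        mac_to_bytes(mac)                                 # validate before assigning
        vlan = min(self.vlans, key=lambda v: len(self.sessions[v]))
        self._record(vlan, mac)
        return vlan

    def _record(self, vlan, mac):
        key = mac.lower()
        for members in self.sessions.values():
            members.discard(key)                          # one session per client
        self.sessions[vlan].add(key)

    def release(self, mac):
        """Client session ended: free its slot so load counts stay accurate."""
        key = mac.lower()
        for members in self.sessions.values():
            members.discard(key)

    def load(self):
        return {v: len(m) for v, m in self.sessions.items()}
```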

Configuring Spanning Tree Properties
The standard STP timers delay traffic forwarding briefly after a topology change. The time a port takes to change from the listening state to the learning state or from the learning state to the forwarding state is called the forwarding delay. In some configurations, this delay is unnecessary. The WLC provides the following fast convergence features to bypass the forwarding delay:
- Backbone fast convergence: Backbone fast convergence accelerates the recovery of a port following the failure of an indirect link. Normally, when a forwarding link fails, a bridge that is not directly connected to the link does not detect the link change until the maximum age timer expires. Backbone fast convergence enables the WLC to listen for bridge protocol data units (BPDUs) sent by a designated bridge when the designated link of a bridge to the root bridge fails, and immediately verifies whether BPDU information stored on a port is still valid. If the BPDU information on the port is no longer valid, the bridge immediately starts the listening stage on the port.
Informational Note: If you plan to use the backbone fast convergence feature, enable it on all of the bridges in a spanning tree.
- Uplink fast convergence: Uplink fast convergence enables a WLC that has redundant links to the network core to immediately change the state of a backup link to forwarding if the primary link to the root fails. Uplink fast convergence bypasses the listening and learning states to immediately enter the forwarding state.
Informational Note: The uplink fast convergence feature is applicable to bridges that are acting as access WLCs to the network core (distribution layer) but are not in the core themselves. Do not enable the feature on WLCs that are in the network core.
1. From the Organizer panel, select a WLC.
2. Under System, select VLANs.
3. Under Spanning Tree Properties, you can select Enable Uplink Fast and Enable Backbone Fast.
Changing VLAN Spanning Tree Settings
The purpose of the Spanning Tree Protocol (STP) is to maintain a loop-free network. A loop-free path is accomplished when a device recognizes a loop in the topology and blocks one or more redundant paths. Mobility System Software (MSS) supports 802.1D and the Per-VLAN Spanning Tree (PVST+) protocol. MSS uses 802.1D bridge protocol data units (BPDUs) on VLAN ports that are untagged. However, each VLAN still runs its own instance of STP, even if two or more VLANs contain untagged ports. To run a single instance of STP in 802.1D mode on the entire WLC, configure all network ports as untagged members of the same VLAN.

MSS uses PVST+ BPDUs on VLAN ports that are tagged. PVST+ BPDUs include tag information in the 802.1Q field of the BPDUs. MSS runs a separate instance of PVST+ on each tagged VLAN.
Informational Note: When you create a VLAN, STP is disabled on the new VLAN by default, regardless of the STP state of other VLANs on the WLCs.
Informational Note: IEEE 802.1D spanning tree specifications refer to networking devices that forward Layer 2 traffic as bridges. In this context, a WLC is a bridge. Where this manual or the product interface uses the term bridge, you can assume the term is applicable to the WLC.
To change the STP settings of a VLAN:
1. Access the VLAN Properties multi-tabbed dialog box, then click on the Spanning Tree tab.
Informational Note: This configures STP features for an individual VLAN but does not configure fast convergence features, which are global.
2. To enable STP, click Enabled.
3. Fill in the Instance Number field. In the Bridge Priority field, specify the priority of the STP bridge (0 to 65,535). The default is 32,768. The bridge with the lowest priority value becomes the root bridge for the spanning tree.
4. In the Protocol field, specify the maximum age value (6 to 40 seconds), which controls how long information from other bridges is kept. The default is 20 seconds.
5. In the Max Age field, specify the maximum age value (6 to 40 seconds), which controls how long information from other bridges is kept. The default is 20 seconds.
6. In the Hello Time field, specify the interval (1 to 10 seconds) between each configuration message from the root bridge. The default is 2 seconds.
7. In the Forward Delay field, specify the amount of time (4 to 30 seconds) a bridge waits after a topology change to begin forwarding data packets. The default is 15 seconds.
8. Click OK.
Changing STP Port Settings in a VLAN
To change the STP Port settings of a VLAN:
1. Access the VLAN Properties multi-tabbed dialog box, then click on the Spanning Tree Ports tab.

2. To enable spanning tree packet processing (Tx/Rx) on that port, make sure Enabled is selected. This is the default. To disable this feature, clear Enabled. If you disable spanning tree packet processing on the port, the following might happen:
- If STP is enabled on the VLAN, spanning tree packets are dropped at the port.
- If STP is disabled on the VLAN, spanning tree packets are forwarded transparently through the VLAN to and from that port.
3. In the Port Priority field, specify a priority value (0 to 255). The default is .
4. In the Path Cost field, specify a value (0 to 65,535) for the cost. The default depends on the port speed and link type:
Port speed and link type                              Default cost
1000 Mbps, full duplex aggregate link (port group)
Mbps, full duplex
Mbps, full duplex aggregate link (port group)
Mbps, full duplex
Mbps, half duplex
Mbps, full duplex aggregate link (port group)
Mbps, full duplex
Mbps, half duplex                                     100
Specify 0 to use the default cost for the port based on link speed.
5. To enable port fast convergence, select the Port Fast checkbox. Port fast convergence bypasses both the listening and learning stages and immediately places a port in the forwarding state. Use port fast convergence on network ports that are directly connected to servers, hosts, or other MAC stations.
Informational Note: Do not use port fast convergence on ports connected to other bridges.

Configuring IGMP for VLANs
Internet Group Management Protocol (IGMP) snooping controls multicast traffic on a WLC by forwarding packets for a multicast group only on the ports that are connected to members of the group. IGMP is especially useful for WLANs because bandwidth is relatively constrained. The WLC listens for multicast packets and maintains a table of multicast groups, as well as their sources and receivers, based on the traffic. IGMP snooping is enabled by default. You can configure IGMP snooping parameters and enable or disable the feature on an individual VLAN basis. The current software version supports IGMP versions 1 and 2.
To configure IGMP snooping:
1. Access the VLAN table:
a. Select the Configuration Navigation Bar button.
b. In the Organizer panel, click the plus sign next to a WLC.
c. Click the plus sign next to System.
d. Select VLANs.
2. Access the VLAN Properties multi-tabbed dialog box, then click on the IGMP tab.
3. To enable IGMP snooping, select Enable. To disable IGMP snooping, clear Enable. By default, IGMP snooping is enabled.
4. From the Version list, select Version 1 or Version 2 of IGMP.
5. If no IGMP queriers (for example, multicast routers) are on the subnet, select Querier Enabled. You should use the pseudo-querier only when a VLAN contains local multicast traffic that is not routed.
6. In the Query Interval field, specify the interval (1 to 65,535 seconds) at which the WLC sends general IGMP queries on behalf of multicast routers to advertise multicast groups. The default interval is 125 seconds.
7. In the Other Querier Present Interval field, specify how long (1 to 65,535 seconds) the WLC waits for a general query to arrive before making itself the querier. The default interval is 255 seconds.
8. In the Query Response Interval field, specify how long (1 to 65,535 tenths of a second) a device can take to respond to an IGMP query. The default interval is 100 tenths of a second (10 seconds).
9. In the Last Member Query Interval field, specify how long (1 to 65,535 tenths of a second) the WLC waits for a response to a group query, after receiving a leave message for that group, before removing the group. The default value is 10 tenths of a second (1 second).
10. In the Robustness Value field, specify the robustness value (2 to 255), which sets IGMP timers to adjust to the amount of traffic loss on the network. Set the robustness value higher to adjust for more traffic loss. The default is .
11. To enable proxy reporting, which summarizes collected station IGMP reports, select Proxy Report.

12. To enable multicast router solicitation, which allows a WLAN Controller to discover multicast routers on the subnet, select Multicast Router Solicitation.
13. In the Solicitation Interval field, specify the interval (1 to 65,535 seconds) between multicast router solicitations by a WLC. The default interval is 30 seconds.
14. Click OK.

Configuring Static Multicast Ports
A WLC learns about multicast routers and receivers from multicast traffic received from those devices. When the WLC receives traffic from a multicast router or receiver, the WLC adds the port that received the traffic as a multicast router or receiver port. The WLC forwards traffic to multicast routers only on the multicast router ports and forwards traffic to multicast receivers only on the multicast receiver ports. The router and receiver ports that the WLC learns based on multicast traffic age out if they are unused.
If necessary, you can statically configure multicast router ports or multicast receiver ports on the WLC. You can only add network ports as static multicast router ports or multicast receiver ports. Ports you add are immediately added to the list and do not age out.
Informational Note: You cannot add MP ports or wired authentication ports as static multicast ports. However, MSS can dynamically add these port types to the list of multicast ports based on multicast traffic.
To add or remove static multicast router and receiver ports:
1. Access the VLAN table:
a. Select the Configuration Navigation Bar button.
b. In the Organizer panel, click the plus sign next to a WLC.
c. Click the plus sign next to System.
d. Select VLANs.
2. In the Content panel, select a VLAN.
3. Click Properties.
4. Access the VLAN Properties multi-tabbed dialog box, then click on the VLAN Member Details tab.
5. To add a static multicast receiver port, select the Forward Multicast IP Out checkbox for each port you want to add. By default, ports are not selected. To remove a static multicast receiver port, clear the checkbox.
6. To add a multicast router port, click in the Multicast Router Present checkbox for each port you want added. By default, ports are not selected. To remove a static multicast receiver port, clear the checkbox.
7. Click OK.

Restricting Layer 2 Traffic Among Clients in a VLAN
By default, clients within a VLAN are able to communicate with one another directly at Layer 2. You can enhance network security by restricting Layer 2 forwarding among clients in the same VLAN. When you restrict Layer 2 forwarding in a VLAN, MSS allows Layer 2 forwarding only between a client and a set of MAC addresses, generally the default routers (gateways) of the VLAN. Clients within the VLAN are not permitted to communicate among themselves directly. To communicate with another client, the client must use one of the specified default routers. You can specify up to four default router MAC addresses. The addresses must be unicast (not multicast or broadcast).
Informational Note: For networks with IP-only clients, you can restrict client-to-client forwarding using Access Control Lists (ACLs). Use the Restrict L3 Traffic option.
1. Access the VLAN table:
a. Select the Configuration Navigation Bar button.
b. In the Organizer panel, click the plus sign next to a WLC.
c. Click the plus sign next to System.
d. Select VLANs.
2. In the Content panel, select a VLAN.
3. Access the VLAN Properties multi-tabbed dialog box, then click on the VLAN L2Restriction tab.
4. Select Restrict L2 Traffic to enable the feature for a VLAN.
5. Click Create.
6. In the MAC Address field, edit the address to be the MAC address of the default router (gateway) of the VLAN.
7. Click Finish.
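An added Python model (not MSS code) of the forwarding rule described above: with the restriction enabled, a frame is forwarded only when its source or destination is a configured gateway MAC, gateway addresses must be unicast, and at most four may be configured. The frames, addresses and class name are constructed for this example.

```python
# Constructed model of the Restrict L2 Traffic behaviour described above. It covers
# only the unicast client-to-client case the page describes; how MSS treats broadcast
# and multicast frames in a restricted VLAN is not stated on the page and is not modelled.


def mac_to_bytes(mac):
    parts = mac.strip().lower().split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def is_unicast(mac):
    """The I/G bit (least significant bit of the first octet) is 0 for unicast addresses."""
    return (mac_to_bytes(mac)[0] & 0x01) == 0


class L2Restriction:
    MAX_GATEWAYS = 4   # the page allows up to four default router MAC addresses

    def __init__(self, enabled=False, gateways=()):
        self.enabled = enabled
        self.gateways = set()
        for g in gateways:
            self.add_gateway(g)

    def add_gateway(self, mac):
        if not is_unicast(mac):
            raise ValueError(f"default router MAC must be unicast: {mac}")
        key = mac.strip().lower()
        if key not in self.gateways and len(self.gateways) >= self.MAX_GATEWAYS:
            raise ValueError("at most four default router MAC addresses may be configured")
        self.gateways.add(key)

    def forwards(self, src_mac, dst_mac):
        """Forwarding decision for one frame between two stations in the VLAN."""
        if not self.enabled:
            return True                              # default: clients talk directly
        return src_mac.strip().lower() in self.gateways or dst_mac.strip().lower() in self.gateways

    def filter_frames(self, frames):
        """Split (src, dst) pairs into forwarded and dropped lists for review."""
        forwarded, dropped = [], []
        for src, dst in frames:
            (forwarded if self.forwards(src, dst) else dropped).append((src, dst))
        return forwarded, dropped


# Constructed sample: two wireless clients and the VLAN's default router.
GATEWAY = "00:11:22:33:44:01"
CLIENT_A = "aa:bb:cc:00:00:01"
CLIENT_B = "aa:bb:cc:00:00:02"
SAMPLE_FRAMES = [
    (CLIENT_A, GATEWAY),    # client to gateway: allowed
    (GATEWAY, CLIENT_B),    # gateway to client: allowed
    (CLIENT_A, CLIENT_B),   # direct client-to-client: dropped when restricted
    (CLIENT_B, CLIENT_A),
]


def demo():
    restricted = L2Restriction(enabled=True, gateways=[GATEWAY])
    return restricted.filter_frames(SAMPLE_FRAMES)
```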

Configuring IP Security Destinations
IPSec is a general purpose Internet security protocol, and can be used for protecting Layer 4 network protocols including both TCP and UDP. IPSec has an advantage over SSL and other methods because the application does not have to be designed to use IPSec, unlike other higher-layer protocols that must be incorporated into the design of an application.
To configure IP Security Destinations, follow these steps:
1. In the Task List, under Setup, click IP Security Destinations. This displays the IP Security Destination wizard.
2. To enable IP Security Destinations, select Enable.
3. In the Destination field, enter the IP address of the interface.
4. Enter a value for the SPI.
5. Select the type of Encryption Algorithm, either 3DES-CBC (triple Data Encryption Standard - Cipher Block Chaining) (less secure) or AES-CBC (Advanced Encryption Standard - Cipher Block Chaining) (more secure).
6. Enter the Encryption Key value. The default value is none, and you can use up to 24 hexadecimal characters.
7. Select HMAC-SHA1 (Hash-based Message Authentication Code - Secure Hash Algorithm 1) as the Authentication Algorithm.
8. Enter the Authentication Key. The default is none, but you can use up to 20 hexadecimal characters.
9. Click OK to save the configuration.

Restricting Layer 3 Traffic Among Clients in a VLAN
To restrict Layer 3 traffic among clients in the same VLAN, use an ACL. You can configure the ACL yourself or use the Restrict L3 Traffic option in RingMaster.
1. Access the VLAN table:
a. Select the Configuration Navigation Bar button.
b. In the Organizer panel, click the plus sign next to a WLC.
c. Click the plus sign next to System.
d. Select VLANs.
2. In the Content panel, select a VLAN.
3. In the Tasks panel, select Restrict L3 Traffic.
4. Type the IP address of the default router (gateway) of the VLAN. Click Next.
5. The configured ACL that blocks L3 traffic is displayed. Click Finish.

Configuring the DHCP Server
MSS has a Dynamic Host Configuration Protocol (DHCP) server that the WLC uses to allocate IP addresses to the following components. DHCP service for these items is enabled by default.
- Directly connected WLAs
- A host connected to a new (unconfigured) WLC2, WLC8, WLC200, or WLC216, to configure the WLC using the Web Quick Start
Optionally, you can configure the DHCP server to also provide IP addresses to Distributed WLAs and to clients.
Caution: Use of the MSS DHCP server to allocate client addresses is intended for temporary, demonstration deployments and not for production networks. We recommend that you do not use the MSS DHCP server to allocate client addresses in a production network.
To enable the MSS DHCP server on a VLAN:
1. Access the VLAN table:
a. Select the Configuration Navigation Bar button.
b. In the Organizer panel, click the plus sign next to a WLC.
c. Click the plus sign next to System.
d. Select VLANs.
2. In the Content panel, select a VLAN.
3. Click Properties.
4. Access the VLAN Properties multi-tabbed dialog box, then click on the DHCP Server tab.
5. Select DHCP Server to enable it on a VLAN.
6. To change the range of addresses available to a DHCP server, edit addresses in the Start IP Addresses and Stop IP Addresses fields. By default, all addresses except the host address of the VLAN, the network broadcast address, and the subnet broadcast address are included in the range. If you specify the range, the start address must be lower than the stop address, and all addresses must be in the same subnet. The IP interface of the VLAN must be within the same subnet but is not required to be within the range.
7. In the Primary DNS IP Address field, enter the IP address of the primary DNS server for clients that receive addresses from this VLAN.
8. To provide a backup DNS server, type the server IP address in the Secondary DNS IP Address field.
9. To specify the DNS domain name for hosts that receive IP addresses from this VLAN, enter the domain name in the DNS Name field.

10. To specify the default router (gateway) for hosts that receive IP addresses from this VLAN, enter the address in the Default Gateway IP Address field. Click OK.
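The address-range rules behind the Start IP Addresses and Stop IP Addresses fields, as an added Python example that is not RingMaster or MSS code: the default pool, the checks a typed range must pass, and the pool an accepted range yields. The VLAN interface and range values are constructed sample inputs, and the treatment of reserved addresses inside a typed range is an assumption noted in the code.

```python
import ipaddress


def default_pool(vlan_interface):
    """Addresses the MSS DHCP server allocates on a VLAN by default.

    Per the guide: every address in the subnet except the VLAN's own host
    address, the network address and the subnet broadcast address.
    vlan_interface is the VLAN's IP interface in CIDR form, e.g. "10.1.1.1/24".
    """
    iface = ipaddress.ip_interface(vlan_interface)
    # hosts() already omits the network and broadcast addresses
    return [str(h) for h in iface.network.hosts() if h != iface.ip]


def range_error(vlan_interface, start, stop):
    """Return why a Start/Stop pair is invalid, or None if it is acceptable.

    Rules from the guide: the start address must be lower than the stop
    address, and all addresses must be in the same subnet as the VLAN's IP
    interface (the interface itself need not be inside the range).
    """
    iface = ipaddress.ip_interface(vlan_interface)
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(stop)
    if lo >= hi:
        return "start address must be lower than stop address"
    if lo not in iface.network or hi not in iface.network:
        return "range must lie within the VLAN subnet %s" % iface.network
    return None


def pool_from_range(vlan_interface, start, stop):
    """Addresses handed out from an explicit range.

    Assumption (not stated in the guide): the VLAN's own host address, the
    network address and the broadcast address are still never allocated even
    when the typed range covers them.
    """
    err = range_error(vlan_interface, start, stop)
    if err:
        raise ValueError(err)
    iface = ipaddress.ip_interface(vlan_interface)
    net = iface.network
    reserved = {iface.ip, net.network_address, net.broadcast_address}
    lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(stop))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)
            if ipaddress.ip_address(i) not in reserved]
```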

Changing the Aging Time for FDB Entries

The aging timeout period specifies how long a dynamic entry can remain inactive before MSS removes the entry from the forwarding database.

1. Access the VLAN table:
   a. Select the Configuration Navigation Bar button.
   b. In the Organizer panel, click the plus sign next to a WLC.
   c. Click the plus sign next to System.
   d. Select VLANs.
2. In the Content panel, select a VLAN.
3. Click Properties.
4. In the Aging Time field, specify the aging timeout period (0 to 1,000,000 seconds) for dynamic entries in the forwarding database. The default is 300 seconds (5 minutes). If you specify 0, aging is disabled.
5. Click OK.

Overview of Access Control Lists (ACLs)

Access Control Lists (ACLs) filter packets to restrict or permit network usage by certain users, network devices, or traffic types. You can also assign a Class of Service (CoS) level, which allows priority handling, to packets. For example, you can use ACLs to enable users to send and receive packets within an intranet, but restrict incoming packets to the server that stores confidential salary information.

An ACL is an ordered list of Access Control Entries (ACEs), rules that specify how to handle packets. A rule includes a filter and an action. When a packet matches a filter, the specified action is applied to the packet. If no ACE in an ACL matches, an implicit rule denies all access. If an ACL does not contain at least one ACE that permits access, no traffic is allowed. The implicit deny-all rule is always the last ACE of an ACL.

You can choose to count the number of times an ACE is matched. This hit count is useful for troubleshooting complex ACL configurations and for monitoring traffic load for specific network applications or protocols. The hit count can only be seen from the CLI. To start updating hit counter statistics in the CLI, you must first set the hits sampling rate to a nonzero value, such as 15 seconds.

You cannot perform ACL functions that include permitting, denying, or marking with a Class of Service (CoS) level on packets with a multicast or broadcast destination address.

MAC-based ACLs

Access Control Lists (ACLs) filter packets based on certain fields in the packet such as ICMP, IP address, TCP, CoS, or UDP. You can also configure ACLs using MAC addresses. The MAC address mask is similar to an IP address mask, but is specified in hexadecimal format.

IPv6 ACLs

IPv6 addresses can also be used for creating ACLs based on IP addresses. Configuring IPv6 addresses is not supported, but IPv6 clients are supported. The WLC can view IPv6 session information and control IPv6 ACLs.
The session information now includes:

   IPv6 information of both dual-stack and IPv6-only clients
   The 16 most recent IPv6 addresses plus one link-local address of a client
   For dual-stack clients, the IPv4 session is kept for storing IPv6 addresses

IPv6 and ACLs

Previously, MSS only supported Layer 2 ACLs for IPv6. This has expanded with the release of MSS 8.0 to support:

   Source IPv6 addresses
   Destination IPv6 addresses
   Port types including ICMP, TCP, and UDP

IPv6 ACLs are differentiated from IPv4 ACLs by using the keyword ipv6.

Creating an Access Control List (ACL)

The Create ACL wizard enables you to configure ACEs with the following parameters:

   Source IP address
   Destination IP address
   Protocol
   Source protocol port
   Destination protocol port
   Differentiated Services Code Point (DSCP) value, or Type Of Service (TOS) and IP Precedence values
   Action: deny or permit
   Marking: Class of Service (CoS) value

These parameters are sufficient for most ACEs. To configure additional parameters, use the wizard to configure the basic parameters, then select the ACE and click Properties. (See Configuring Advanced ACL Settings.)

1. From the Organizer panel, select a WLC.
2. Under System, select ACLs.
3. Under Create, click Create ACL.
4. Enter a unique name for the ACL. In the ACL Name field, type the name for the ACL (1 to 32 alphanumeric characters, with no spaces or tabs). The name can include hyphens (-), underscores (_), or periods (.). ACL names are case-sensitive and must begin with a letter. Do not include any of the following terms in the name: all, default-action, map, help, editbuffer.

Informational Note: Any ACL that refers to a DWLA can be configured on the seed only, as it references domain configuration. ACLs with mappings to ports, vports, and VLANs can be defined at member WLCs as well. If an ACL with the same name is defined in both the domain configuration and in a member WLC local configuration, the ACL from the WLC configuration is applied.

Adding a MAC Based Rule

To add a MAC based rule, follow these steps:

5. Click Add MAC Based Rule. The MAC Based Rules list is populated with default values.
6. To change the Source MAC from the default value of Any, click the arrow to display Source MAC Details. From the Source MAC Name list, select Any or Other. If you select Other, enter the MAC address in the Source MAC Address field. Click OK.
7. Repeat Step 6 for the Destination MAC field.
8. To change the Ethertype, click the arrow to display Ethertype Details. From the Ethertype Name list, select Any, ARP, IPv4, IPv6, or Other. Click OK to close the window.

9. Select Permit or Deny from the Action list.
10. Adjust the CoS value if necessary.
11. If you have multiple rules configured, you can adjust the rule placement in the list by using the arrows at the end of each row to move the rule up or down.
12. To delete a rule, select it from the list and click Delete.

Adding an IP Based Rule

To add an IP based rule, follow these steps:

13. Click Add IP Based Rule.

Informational Note: Each ACL has a rule at the end that denies all source and destination IP addresses. This rule provides security by ensuring that the only traffic permitted by an ACL is the traffic you want to permit. This rule is automatically added to the end of each ACL and cannot be edited or removed. After you add an ACE to the table, each subsequent ACE appears above the implicit deny-all ACE at the bottom of the list, but beneath all of the other configured ACEs. A WLC uses ACEs in the order in which they appear in the list, beginning at the top. Because the action in the first ACE that matches a packet is used, the order in which ACEs are listed is important.

14. The list is automatically populated with default values.
15. To add a Source IP or Destination IP, select the field and enter the IP address with its subnet mask.
16. To change the Protocol, click the arrow to display the Protocol Details information. From the Protocol Name list, select any, tcp, udp, icmp, svp, or other. If you select other, adjust the Protocol Number accordingly.
IP Protocol Number   Protocol
1                    Internet Control Message Protocol (ICMP)
2                    Internet Group Management Protocol (IGMP)
6                    Transmission Control Protocol (TCP)
9                    Any private interior gateway (used by Cisco Internet Gateway Protocol)
17                   User Datagram Protocol (UDP)
41                   IPv6
46                   Reservation Protocol (RSVP)
47                   Generic Routing Encapsulation (GRE)
50                   Encapsulation Security Payload for IPSec (IPSec-ESP)
51                   Authentication Header for IPSec (IPSec-AH)
55                   IP Mobility (Mobile IP)

88                   Enhanced Interior Gateway Routing Protocol (EIGRP)
89                   Open Shortest Path First (OSPF) protocol
103                  Protocol Independent Multicast (PIM)
112                  Virtual Router Redundancy Protocol (VRRP)
115                  Layer 2 Tunneling Protocol (L2TP)

17. To specify the TCP or UDP source port, click the down arrow in the Source Port column.
18. Select the comparison operator from the Operator pull-down list:
   Less Than
   Greater Than
   Equal
   Not Equal
   Range
   None (no comparison is required)
19. Select the well-known port name from the Port Name list. If the name is not in the list, select Other and type or select a port number in the Port Number field.
20. If you selected Range as the comparison operator, type or select the ending port number of the range in the Range End field. The number must be higher than the port number in the Port Number field.
21. Specify the TCP or UDP destination port. The options are the same as those for the source port.
22. To match based on the DSCP value, or on the IP TOS and IP precedence values:
   a. Click the down arrow in the DSCP column.
   b. Select Type Of Service or Diff-Serv Code Point.
23. If you selected Type Of Service, select the IP precedence value from the Precedence list:
   Any (-1). All packets are subject to the ACL regardless of whether precedence is set.
   Routine (0). Packets with routine precedence are filtered.
   Priority (1). Packets with priority precedence are filtered.
   Immediate (2). Packets with immediate precedence are filtered.
   Flash (3). Packets with flash precedence are filtered.
   Flash Override (4). Packets with flash override precedence are filtered.
   CRITIC/ECP (5). Packets with critical precedence are filtered.
   Internetwork Control (6). Packets with internetwork control precedence are filtered.
   Network Control (7). Packets with network control precedence are filtered.
24. Select the ToS value in the TOS field:

   -1 (any). All packets are subject to the ACE regardless of whether TOS is set.
   0 (normal). Packets with normal TOS defined are filtered.
   1 (minimum monetary cost). Packets with minimum monetary cost TOS defined are filtered.
   2 (maximum reliability). Packets with maximum reliability TOS defined are filtered.
   4 (maximum throughput). Packets with maximum throughput TOS defined are filtered.
   8 (minimum delay). Packets with minimum delay TOS defined are filtered.
   By default, the TOS value is -1 (any).
28. In addition to these specific values, you can specify a number from 1 to 15 that is the sum of TOS option values. For example, to select minimum delay and maximum throughput as the TOS options, type 12, which is the sum of the two values.
29. Select the action from the Action list:
   Permit: Allows access if the conditions in the ACE are matched
   Deny: Refuses access if the conditions in the ACE are matched
30. To mark the packet with a CoS value, select a value in the CoS field.

Table 1: CoS Values

Packet Priority   Desired CoS Value   WLA Forwarding Queue Assignment
Background        1 or 2              4
Best Effort       0 or 3              3
Video             4 or 5              2
Voice             6 or 7              1

By default, the CoS Value is -1 (any).

31. If you have multiple rules configured, you can adjust the rule placement in the list by using the arrows at the end of each row to move the rule up or down.
32. Click OK to save the configuration.
33. To delete a rule, select it from the list and click Delete.
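How a WLC walks an ACL built with the steps above, as an added Python example that is not RingMaster or MSS code: ACEs are tried in list order, the first match decides, a packet that matches nothing hits the implicit deny-all, a matching ACE with hits enabled is counted, and a CoS mark is translated with Table 1 into the WLA forwarding queue; tos_value shows the TOS sum from step 28. The ACL in build_example_acl is a constructed sample for the salary-server scenario from the ACL overview, and the port operator names (lt, gt, eq, neq, range, none) are this example's spelling of the dialog's Operator list.

```python
import ipaddress
from dataclasses import dataclass

# Table 1 on this page: CoS value -> WLA forwarding queue
COS_TO_WLA_QUEUE = {1: 4, 2: 4, 0: 3, 3: 3, 4: 2, 5: 2, 6: 1, 7: 1}

# TOS option values (RFC 1349); the guide's example 12 = minimum delay (8) + maximum throughput (4)
TOS_OPTIONS = {"minimum-monetary-cost": 1, "maximum-reliability": 2,
               "maximum-throughput": 4, "minimum-delay": 8}


def tos_value(*options):
    """Sum of TOS option values, i.e. the number typed into the TOS field."""
    return sum(TOS_OPTIONS[name] for name in options)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0
    tos: int = 0


@dataclass
class ACE:
    """One rule: a filter plus an action, using the fields of the IP Based Rule dialog."""
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # source IP with mask; /0 is "any"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    sport: tuple = ("none",)      # (operator, port) or ("range", first, last)
    dport: tuple = ("none",)
    tos: int = -1                 # -1 = any
    cos: int = -1                 # -1 = do not mark
    hits_enabled: bool = False    # "Enable Hits for this rule"
    hits: int = 0

    @staticmethod
    def port_ok(spec, port):
        op = spec[0]
        if op == "none":
            return True
        if op == "range":
            return spec[1] <= port <= spec[2]
        return {"lt": port < spec[1], "gt": port > spec[1],
                "eq": port == spec[1], "neq": port != spec[1]}[op]

    def matches(self, pkt):
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.proto in ("tcp", "udp") and not (
                self.port_ok(self.sport, pkt.sport) and self.port_ok(self.dport, pkt.dport)):
            return False
        return self.tos == -1 or self.tos == pkt.tos


class ACL:
    def __init__(self, name, aces):
        self.name, self.aces = name, list(aces)

    def evaluate(self, pkt):
        """First matching ACE decides; no match falls through to the implicit deny-all.

        Returns (action, cos, wla_queue); cos -1 and queue None mean the packet is not marked.
        """
        for ace in self.aces:
            if ace.matches(pkt):
                if ace.hits_enabled:
                    ace.hits += 1
                return ace.action, ace.cos, COS_TO_WLA_QUEUE.get(ace.cos)
        return "deny", -1, None


def build_example_acl():
    """Constructed sample ACL (not from the guide): the intranet may talk to itself,
    the salary server is shielded first, and SIP signalling is marked as voice."""
    return ACL("intranet", [
        ACE("deny", dst="10.1.99.5/32"),                              # must precede the permit
        ACE("permit", src="10.1.0.0/16", dst="10.1.0.0/16",
            proto="udp", dport=("eq", 5060), cos=6),                   # CoS 6 -> voice queue 1
        ACE("permit", src="10.1.0.0/16", dst="10.1.0.0/16", hits_enabled=True),
    ])
```

Swapping the first two ACEs would let SIP traffic reach the salary server, which is the ordering point the Informational Note makes.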

Editing Access Control List (ACL) Rules for an Existing Rule

1. From the Organizer panel, select a WLC.
2. Under System, select ACLs.
3. Select an ACL from the ACL Rules list.
4. Under Setup, click ACL Rules for rulename, where rulename is a previously configured ACL.
5. Follow the steps in Create ACL to change the configuration.

Editing an Access Control List (ACL) Hit Sample Rate

1. From the Organizer panel, select a WLC.
2. Under System, select ACLs.
3. Under Other, click Edit ACL Hit Sample Rate.
4. Adjust the Hit Sample Rate in seconds for access rule hits. Leaving the value at 0 disables sampling. You can select from a range of 0 (disabled) to 100 seconds.
5. Click OK to save the configuration.

Mapping an ACL

An ACL does not take effect until you map it to a user or an interface. You can map ACLs to ports (or port groups), VLANs, or virtual ports. You cannot map an ACL to a WLA port or a wired authentication port.

You can map ACLs to users by configuring the filter.in and filter.out user attributes. User-based ACLs are more specific than ACLs applied to interfaces and are therefore processed first.

1. From the Organizer panel, select a WLC.
2. Under System, select ACLs.
3. Select an ACL from the ACL Rules list.
4. Under Setup, click ACL Rules for rulename, where rulename is a previously configured ACL.
5. Click ACL Mappings for rulename.
6. Select the mapping type:
   To map to a physical port, select port and go to step 5.
   To map to a virtual port, select vport and go to step 6.
   To map to a VLAN, select vlan and go to step 7.
   To map to a Distributed WLA, select distributed ap and go to step 8.

Mapping an ACL to a Port

7. To map an ACL to a port:
   a. In the Port list, select a port or port group to which you want to map the ACL. You cannot map an ACL to a WLA port or a wired authentication port.
   b. In the Direction list, select In to filter incoming packets or Out to filter outgoing packets.
8. Click Finish.

Mapping an ACL to a Virtual Port

9. To map an ACL to a virtual port:
   a. In the Tag Value field, specify the 802.1Q tag value that identifies a virtual port in a VLAN. The tag value can be a number from 1 to the highest tag value the WLC accepts; the default value is 1. Make sure that you do not specify duplicate mappings that specify the same port and tag value.
   b. In the Port list, select the port to which you want to map the ACL. You cannot map an ACL to a WLA port or a wired authentication port.
   c. In the Direction list, select In to filter incoming packets or Out to filter outgoing packets.

Mapping an ACL to a VLAN

10. To map an ACL to a VLAN:
   a. In the Type list, select ID to identify the VLAN by number or Name to identify it by name.
   b. If you selected Name, select or type the VLAN name in the Name list.
   c. If you selected ID, select or type the VLAN number in the ID field.

Mapping an ACL to a Distributed WLA

11. To map an ACL to a Distributed WLA:
   a. In the WLA ID list, select a Distributed WLA.
   b. In the Direction list, select In to filter incoming packets or Out to filter outgoing packets.

Configuring Advanced ACL Settings

After configuring an ACL, you can configure the following advanced settings:

   Hit counter (enable or disable)
   Hit sample rate (applies if the hit counter is enabled)
   Established option, to apply a new TCP ACE only to established (existing) TCP sessions. By default, TCP ACEs apply to new sessions as well as existing ones.
   ICMP properties, to specify the type and code values for ICMP ports (applies only to ACEs that have ICMP as the protocol)
   Capture option, to redirect matching packets to the CPU (applies to ACEs used for Web Portal access)

Hit Sample Rate

The hit sample rate specifies the time interval, in seconds, at which the packet counter is sampled for each security ACE on which the hit counter is enabled. By default, the hit sample rate is 0, even when the hit counter is enabled. To use the hit counter, you must enable it and set the hit sample rate. The hit sample rate applies globally to all ACEs on which the hit counter is enabled.

To change the hit sample rate:

1. From the Organizer panel, select a WLC.
2. Under System, select ACLs.
3. Under Other, click Edit ACL Hit Sample Rate.
4. Adjust the Hit Sample Rate in seconds for access rule hits. Leaving the value at 0 disables sampling. You can select from a range of 0 (disabled) to 100 seconds.
5. You can enable the hit counter on an individual ACE basis. To enable the hit counter for an ACE:
   a. Select the ACE in the ACL table.
   b. In the Tasks panel, select Enable Hits for this rule.

By default, a new TCP ACE applies to new sessions as well as established (existing) sessions. To apply the ACE only to established sessions, enable the established option. To enable the established option for TCP ACEs:

1. Select a TCP ACE in the ACL table.
2. In the Tasks panel, select Enable Established Connections.

To specify the type and code for ICMP ACEs:

Select an ICMP ACE in the ACL table.
1. In the Tasks panel, select ICMP Properties.
2. Select or type the ICMP message type in the Type field. Select or type the ICMP message code in the Code field.

3. Click OK.

Table 1: ICMP Messages

ICMP Message (Type Number)     Code (Number)
Echo Reply (0)                 None
Destination Unreachable (3)    Network Unreachable (0), Host Unreachable (1), Protocol Unreachable (2), Port Unreachable (3), Fragmentation Needed (4), Source Route Failed (5)
Source Quench (4)              None
Redirect (5)                   Network Redirect (0), Host Redirect (1), TOS and Network Redirect (2), TOS and Host Redirect (3)
Echo (8)                       None
Time Exceeded (11)             TTL Exceeded (0), Fragment Reassembly Time Exceeded (1)
Parameter Problem (12)         None
Timestamp (13)                 None
Timestamp Reply (14)           None
Information Request (15)       None
Information Reply (16)         None

4. Click OK to save the configuration.

If an ACE has the capture option, you can disable the option by selecting the ACE, then selecting Disable Capture for this rule in the Tasks panel.

Deleting an ACL

1. From the Organizer panel, select a WLC.
2. Under System, select ACLs.
3. Select an ACE in an ACL that you want to delete.
4. In the Tasks panel, click Delete.
5. Verify the selection and click Finish.

Deleting an Individual ACE from an ACL

1. From the Organizer panel, select a WLC.
2. Under System, select ACLs.
3. Select an ACE in an ACL that you want to delete.
4. In the Tasks panel, click Delete.
5. Verify the selection and click Finish.

Creating a Quality of Service (QoS) Profile

1. From the Organizer panel, select a WLC.
2. Under System, select QoS.
3. In the Tasks panel, click Create QoS Profile.
4. Enter a QoS Profile Name and click Next.

Sessions QoS Profile Settings

5. You can use the checkbox to enforce and select a bandwidth limit, and to enable and assign a CoS value. To enable static CoS, select Enable Static CoS. To enable DSCP for upstream packet classification, select Trust Client DSCP.
6. Click Next.

Flow-based QoS Profile Settings

7. Enable SIP Awareness by selecting voip-data from the Traffic Class list. Integrated SIP awareness in a wireless network adds a level of intelligence that allows granular and dynamic control of voice applications between the wireless and wired infrastructure, wireless handsets, and wireless clients, in the areas of security and system resource management.
8. You can use the checkbox to enforce and select a bandwidth limit, and to enable and assign a CoS value. To enable static CoS, select Enable Static CoS.
9. Click Next.

QoS Profile Mapping

You can add authorization attributes such as users, user groups, MAC user groups, or SSIDs.

10. Select a Named User from the list.
11. Select a User MAC Address.
12. Select a Named User Group.
13. Select a MAC User Group.
14. Select an SSID.
15. You can also map this profile to a Location Policy by selecting Map to a Location Policy.
16. Click Next.

Location Policy Rules

17. From the list of available Location Policies, select one and click Finish. If you want to check the properties of the policy, click Properties.

Setting Up DSCP to CoS Mapping

MSS supports Layer 2 and Layer 3 classification and marking of traffic, to help provide end-to-end Quality of Service (QoS) throughout a network. QoS support includes support of Wi-Fi Multimedia (WMM), which provides wireless QoS for time-sensitive applications such as voice and video. QoS support is automatically enabled.

WLCs and WLA access points each provide QoS:

   WLCs classify and mark traffic based on the 802.1p tag value (for tagged traffic) or the Differentiated Services Code Point (DSCP) value.
   WLA access points classify ingress traffic from wireless clients based on the service type value in the header, and mark the DSCP value in the IP tunnel on which the WLA forwards the user traffic to the WLC.
   WLAs place traffic from a WLC to a wireless client in a forwarding queue based on the DSCP value in the tunnel carrying the traffic, then forward the traffic based on the priority.

MSS performs classification on ingress to determine the CoS value. This CoS value is used to mark the packet at the egress interface. Classification and marking performed by a WLC depend on whether the ingress interface has an 802.1p or DSCP value other than 0, and whether the egress interface is tagged or is an IP tunnel. The mappings between DSCP and CoS values are configurable.

1. From the Organizer panel, select a WLC.
2. Under System, select QoS.
3. In the Tasks panel, under Setup, click DSCP to CoS Mapping.
4. The QoS window displays the DSCP to CoS and CoS to DSCP mapping tables.
5. In the DSCP to CoS table, change the CoS value using the up and down arrows at the end of the row.
6. In the CoS to DSCP table, change the DSCP value using the up and down arrows at the end of the row.
7. Under Setup, you can reset the values to the default values or set the DSCP to CoS range. To configure the DSCP range, click Set DSCP to CoS Range.
8. Set the first and last DSCP value as well as the CoS value. Click Finish to save the configuration.
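The two mapping tables and the Set DSCP to CoS Range task, together with the ingress classification and egress marking the text describes, as an added Python example that is not RingMaster or MSS code. The starting table contents and the precedence between a non-zero 802.1p tag and a non-zero DSCP are assumptions, labelled in the code; the real defaults are the values the QoS window shows.

```python
class DscpCosMapping:
    """Editable DSCP-to-CoS and CoS-to-DSCP tables, as in the QoS window.

    Assumption: the starting tables use the common convention CoS = DSCP >> 3
    and DSCP = CoS << 3; the actual MSS defaults are the ones the dialog shows.
    """

    def __init__(self):
        self.reset_to_defaults()

    def reset_to_defaults(self):
        """Reset to default values, as offered under Setup."""
        self.dscp_to_cos = [d >> 3 for d in range(64)]
        self.cos_to_dscp = [c << 3 for c in range(8)]

    def set_dscp_to_cos_range(self, first, last, cos):
        """Set DSCP to CoS Range: map every DSCP from first to last to one CoS."""
        if not (0 <= first <= last <= 63) or not (0 <= cos <= 7):
            raise ValueError("DSCP values must be 0-63 and CoS 0-7")
        for d in range(first, last + 1):
            self.dscp_to_cos[d] = cos

    def classify(self, dscp, dot1p=None):
        """Ingress classification on a WLC, returning the CoS value.

        Assumed precedence (the guide only says the result depends on which of
        the 802.1p and DSCP values is non-zero): a non-zero 802.1p tag wins,
        otherwise a non-zero DSCP is looked up, otherwise the packet is CoS 0.
        """
        if dot1p:
            return dot1p
        if dscp:
            return self.dscp_to_cos[dscp]
        return 0

    def mark(self, cos, egress):
        """Egress marking: 802.1p on a tagged interface, DSCP in an IP tunnel."""
        if egress == "tagged":
            return {"dot1p": cos}
        if egress == "tunnel":
            return {"dscp": self.cos_to_dscp[cos]}
        raise ValueError("egress must be 'tagged' or 'tunnel'")
```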

Wireless Services Overview

If you have a WLC in your network plan, you can configure WLC wireless features using RingMaster. The following features are available:

   Configuring Wireless Services
   Using Interworking Services
   Understanding Radio Profiles
   Local Switching
   Creating APs using RingMaster
   Configuring Radio Properties
   Configuring RF Detection
   Creating RF Snoop Filters

Configuring Wireless Services

RingMaster provides wizards for configuring the following types of wireless services:

   802.1X Service Profile: Provides wireless access to 802.1X clients.
   Voice Service Profile: Provides wireless access to Voice over IP (VoIP) devices.
   Web Portal Service Profile: Provides wireless access to clients using a Web page.
   Open Access Service: Provides wireless access to clients without requiring login.
   Mesh Service Profile: Provides wireless services to clients without a wired WLA interface.
   Custom Service Profile: Provides wireless access based on the options you choose. (Use this option only if none of the other options applies to the type of service you want to offer.)

Service Profile Parameters

A service profile configures an SSID. The table below lists the service profile parameters. For parameters that are assigned default values, the table also lists these.

Service Profile Parameter: Service Profile Name
   Description: Name of the Service Profile. Note: Service Profiles must have unique names.
   Default Value: Based on the Service Profile, the default names are 802.1X, Voice, Web-Portal, Open Access, Mesh Service, Custom

Service Profile Parameter: 11n
   Description: Configure 11n parameters: a-mpdu-max-length, a-msdu-max-length, frame-aggregation, mode-na, mode-ng, short-guard-interval, txbf

Service Profile Parameter: active-call-idle-timeout
   Description: Set the length of time for an active call to time out on the network after becoming idle.
   Default Value: A range of seconds from

Service Profile Parameter: SSID Name
   Description: SSID name associating with clients
   Default Value: Blank (no default value)

Service Profile Parameter: SSID Type
   Description: Encryption setting for data: Encrypted, or Clear (unencrypted)
   Default Value: Based on Service Profile: 802.1X Encrypted; Voice Encrypted; Web-Portal Clear; Open Clear; Custom Clear; Mesh Encrypted

Service Profile Parameter: Beaconing State
   Description: Advertisement of the SSID using beacons
   Default Value: Enabled

Service Profile Parameter: Bridging
   Description: Enable or disable bridging mode
   Default Value: Disabled

Service Profile Parameter: Fallthru Access Type
   Description: Access type attempted if neither 802.1X nor MAC access is applicable to the client.
   Default Value: Based on Service Profile type: 802.1X None; Voice None; Web-Portal Web Portal; Open Access Last Resort; Mesh Enabled; Custom Depends on the type of custom profile

Service Profile Parameter: Keep Initial VLAN
   Description: Keeps roaming users on the VLAN assigned by the WLC when the user logged onto the network.
   Default Value: Disabled

Service Profile Parameter: Mesh
   Description: Configures the radio as part of a mesh configuration.
   Default Value: Disabled

Service Profile Parameter: Load Balance Exempt
   Description: The radio on the WLA does not participate in load balancing on the network.
   Default Value: Disabled

Service Profile Parameter: Bandwidth Limit
   Description: Configures the amount of bandwidth for the service profile.
   Default Value: Disabled

Service Profile Parameter: Backup SSID Mode
   Description: The service profile is used in backup mode on a remote WLA. You can configure it as disabled, outage-only, or dual mode.
   Default Value: Disabled

Service Profile Parameter: Enable Backup SSID Timeout
   Description: Specify the length of time that the backup SSID is enabled.
   Default Value: Disabled

Service Profile Parameter: Keep Clients
   Description: Specifies whether clients (sessions) are dropped or not during an outage period.
   Default Value: Enabled

Service Profile Parameter: Device Fingerprint
   Description: Configure device fingerprinting parameters: device-detect, device-detect-acl, device-detect-timeout

Service Profile Parameter: Enable Multicast Conversion
   Description: Enables multicast to unicast conversion on packets.
   Default Value: Disabled

Service Profile Parameter: Custom Web Portal Login Page
   Description: Subdirectory path and file name of an HTML page customized for login to the SSID
   Default Value: Blank (default page with Juniper Networks logo)

Service Profile Parameter: Security Modes
   Description: For encrypted SSIDs only, the supported encryption types include the following: Robust Security Network (RSN), also known as WPA2; WiFi Protected Access (WPA); Dynamic Wired Equivalent Privacy (WEP); Static WEP
   Default Value: Based on the service profile type: 802.1X Dynamic WEP; Voice Static WEP; Web-Portal No default; Open Access No default; Mesh RSN (WPA2); Custom Dynamic WEP for 802.1X access, no default for other access types

Service Profile Parameter: Encryption Algorithms
   Description: For encrypted SSIDs only, the algorithms used to encrypt data when the WPA or RSN security mode is used: Advanced Encryption Standard (AES) with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP); Temporal Key Integrity Protocol (TKIP); WEP with 104-bit keys; WEP with 40-bit keys. Multiple ciphers are now allowed in a service profile.

Service Profile Parameter: Authentication Method
   Description: Location of the user information the switch checks when authenticating and authorizing users. Can be one or more RADIUS server groups, the local database of the switch, or both.
   Default Value: Voice LOCAL (a RADIUS server group cannot be selected); All others Blank (you must select the method)

Service Profile Parameter: Authorization Attributes
   Description: Attributes assigned to the service profile. An attribute value is used only if the attribute is not otherwise set, for example on a user group or individual user.
   Default Value: Blank (not set)

Service Profile Parameter: Radio Profile
   Description: Radios and the settings for them
   Default Value: Radio profile named default

Service Profile Parameter: VLAN
   Description: Assigned VLAN
   Default Value: Blank (not set)

Service Profile Parameter: VoIP
   Description: Assign VoIP parameters: cac-mode, cac-session, cac-voip-call

You do not need to select values for all these parameters when you configure a service. Service Profile wizards help you configure the essential parameters and assign appropriate values to the rest. Some parameters automatically set by RingMaster are not configurable using Service Profile wizards. To view all settings (except access rules) or change settings, select a service profile and click Properties.

Encryption Types

The following table describes the encryption types available for each authentication type.

Table 1: Encryption Types for Each Authentication Type

Encryption type columns: None; Static WEP (shared secret): WEP104, WEP40; Dynamic WEP (rotating key): WEP104, WEP40; WPA ciphers: CCMP (AES), TKIP; RSN (WPA2) ciphers: CCMP (AES), TKIP, WEP104, WEP40.

Authentication Type            Marks (as printed)   Notes
None                           ? X X X              Free public access
MAC (client address)           ? X X X              Authentication usually performed against a database (RADIUS?); often used for older VoIP/WiFi phones
Web Portal                     ? X X X              Authentication through a Web page
802.1X with subprotocols:                           Enterprise authentication
   PEAP-MSCHAP-V2              X X                  Offload option
   EAP-TLS                     X X
   EAP-MD5                     X X

Legend: = Supported; X = Not Supported; ? = Possibly, but not generally useful in an enterprise deployment

Configuring a 802.1X Service Profile for Wireless Access

NOTE: The 802.1X Service Profile wizard requires you to select one or more RADIUS server groups and does not allow you to complete the configuration without selecting one. Before you configure a 802.1X profile, a RADIUS server group must already be configured.

1. Access the 802.1X Service Profile wizard:
   a. In the Organizer panel, click the plus sign next to the WLC on which to configure the service profile.
   b. Click the plus sign next to Wireless.
   c. Select Wireless Services.
   d. In the Tasks panel, select 802.1X Service Profile.
2. Read the description of the wizard on the first page, then click Next.
3. Type a service name in the Name field. Type an SSID name in the SSID field. Click Next.
4. Select the security standards supported by the SSID. Click Next.
5. The Wireless Encryption Cipher Suites dialog appears. Select from the following:
   AES (CCMP): Usually used with RSN (WPA2)
   TKIP: Usually used with WPA
   WEP-104: Used with dynamic WEP
   WEP-40: Used with dynamic WEP
6. Click Next.
7. Select one of the following from the Authentication Server(s) dialog.
8. Select an EAP Type:
   EAP-MD5 Offload
   PEAP Offload
   Local EAP-TLS
   External RADIUS Server
   If you select PEAP, the EAP Sub-Protocol is MS-CHAPv2.
9. The Available RADIUS Server Groups in the left column of the dialog can be added to the right column list of Current RADIUS Server Groups, or they can be moved up, down, or removed. Click Next.
10. To assign a default VLAN to the SSID, select a VLAN from the VLAN Name list.
11. VLAN and other authorization attributes can be assigned to users in the local database, on remote servers, or in the service profile of the SSID a user logs into. The VLAN selected here is used only if a VLAN attribute is not configured for a user on the RADIUS server or in the local database of a switch.
12. Click Next.

13. The Optional: Local User Database dialog is displayed. Select an existing user or click Create to configure a new user.
14. If you select an existing user, go to step 11. If you clicked Create, you next see the User Information dialog.
15. After selecting in the Local User Database, the optional Device Detection dialog is displayed.
16. Select Disable to disable the feature (it is enabled by default); Just Detect, which allows device detection but does not enforce any rules; or Enforce, which enforces the device detection authorization rules. If you select Enforce, you can configure the device detection timeout with a range of 1 to 60 seconds and a default value of 5 seconds. When you select Enforce, the default ACL deviceacl is enabled. This ACL prevents access to the network until the device is recognized. Click Next.
17. The Radio Profile Selection dialog is displayed.
18. By default, the default radio profile is selected. Click Create new Radio Profile if you want to configure another radio profile. Select a Radio Profile and click Next.
19. You now see the 11n Attributes dialog. Select the desired modes and settings and click Finish.
20. The service profile appears in the Service Profile table in the Content panel.

Creating a New 802.1X User

1. Enter a user Name and Password, and select a Password Expiration Time [Hours] and User Group. Click Next.
2. You now see the Optional: Authorization Attributes dialog.
3. Enter or select a VLAN Name and use the pop-up menus to set encryption-type and end-date.
4. Click Finish.

Creating a Web Portal Service Profile

A Web Portal Service Profile creates a wireless service that allows users to authenticate using a Web browser. When the user attempts to connect to an SSID with this type of service profile, the user is redirected to a login page in a Web browser. After the user enters a username and password, the information is checked against a RADIUS server or a local database, and access is granted or denied based on the result. You can configure this type of profile for an encrypted or unencrypted SSID.

1. From the Organizer panel, select a WLC.
2. Under Wireless, select Wireless Services.
3. In the Task panel, under Create, click Web Portal Service Profile.
4. A brief description of the wizard is displayed.
5. Click Next.
6. Create a unique name to identify the profile.
7. Enter an SSID for the profile.
8. From the SSID Type list, select Encrypted (most secure) or Clear (least secure).
9. Click Next.
10. If you selected Encrypted, select the encryption type:
   - RSN (WPA2): most secure
   - WPA: moderately secure
   - Static WEP: least secure
11. Click Next.
12. If you selected RSN or WPA, enter the preshared key or click Generate to create a new one. Click Next.
13. Select one or more of the following Wireless Encryption Cipher Suites:
   - AES (CCMP): most secure
   - TKIP: moderately secure
   - WEP-104: least secure
   - WEP-40: least secure
   Click Next.
14. From the VLAN Name list, select the VLAN for Web Portal users. Click Next.
15. A Web Portal ACL (portalacl) is created by default. This ACL prevents users from accessing the network before completing the authentication process. At this point, you can add additional IP-based rules if you require them.
16. Click Next.
17. Select an AAA Server from the list of Available Server Groups. Click Add to move it to the Current AAA Server Groups. If no group is configured, click Create Server Group. Click Next to continue the configuration.

18. Select a radio profile from the Radio Profiles list, or create a new one.
19. Optionally, you can select radios as members of the Service Profile. Select radio profile members and move them from Available Members to Current Members with the Move button; the Reset to Default button moves them back.
20. Click Finish to complete the configuration.

Creating an Avaya Voice Service Profile

Creating an Avaya VoWIP Service Profile:

1. Select Configuration on the toolbar.
2. In the Organizer panel, expand the WLC.
3. Expand Wireless, then select Wireless Services.
4. In the Tasks panel, select Voice Service Profile.
5. Click Next.
6. Change the service profile name to Voice-Avaya, and use the name Voice-Avaya for the SSID. Select Avaya from the Vendor list.
7. Click Next.
8. Select Open Access and clear the MAC Access checkbox.
9. Click Next.
10. Select WPA and clear Static WEP.
11. Click Next.
12. Leave TKIP enabled and click Next.
13. Type a passphrase from 8 to 63 characters long in the Pre-shared Key field and click Generate.
14. Click Next.
15. Type or select the name of the VLAN you want to place voice users in. For this example, use Voice-VLAN.
16. Click Next.
17. An ACL is automatically created for this type of Voice Profile. The first rule in the ACL provides high-priority treatment of SVP traffic by marking IP protocol 119 (SVP) packets with CoS 7. The second rule permits all other traffic in the VLAN.
18. Enter the Source and Destination MAC Addresses.
19. Click Next.
20. Select a Radio Profile from the Radio Profiles list and click Finish. A wireless profile named Voice-Avaya is created and displayed in the Content panel.

Creating a Spectralink Voice Service Profile

Creating a Spectralink VoWIP Service Profile:

1. Select Configuration on the toolbar.
2. In the Organizer panel, expand the WLC.
3. Expand Wireless, then select Wireless Services.
4. In the Tasks panel, select Voice Service Profile.
5. Click Next.
6. Change the service profile name to Voice-SVP, and use the name Voice-SVP for the SSID. Select Spectralink from the Vendor list.
7. Click Next.
8. Select Open Access and clear the MAC Access checkbox.
9. Click Next.
10. Select WPA and clear Static WEP.
11. Click Next.
12. Leave TKIP enabled and click Next.
13. Type a passphrase from 8 to 63 characters long in the Pre-shared Key field and click Generate.
14. Click Next.
15. Type or select the name of the VLAN you want to place voice users in. For this example, use VLAN.
16. Click Next.
17. An ACL is automatically created for this type of Voice Profile. The first rule in the ACL provides high-priority treatment of SVP traffic by marking IP protocol 119 (SVP) packets with CoS 7. The second rule permits all other traffic in the VLAN.
18. Click Next.
19. Select a Radio Profile from the Radio Profiles list and click Finish. A wireless profile named Voice-SVP is created and displayed in the Content panel.

Creating a Vocera Voice Service Profile

Creating a Vocera VoWIP Service Profile:

1. Select Configuration on the toolbar.
2. In the Organizer panel, expand the WLC.
3. Expand Wireless, then select Wireless Services.
4. In the Tasks panel, select Voice Service Profile.
5. Click Next.
6. Change the service profile name to Voice-Vocera, and use the name VoceraBadges for the SSID. Select Vocera from the Vendor list.
7. Click Next.
8. Leave MAC Access enabled.
9. Click Next.
10. Leave Static WEP enabled.
11. Click Next. Specify the WEP keys:
   - For each key (up to four), type the key value in the corresponding key field.
   - By default, data in unicast and multicast packets is encrypted using WEP key 1. To use another key for either type of packet, select the key number in the WEP Unicast Key Index or WEP Multicast Key Index field.
12. Click Next.
13. Type or select the name of the VLAN you want to place voice users in. For this example, use Voice-VLAN.
14. Click Next.
15. Click Create to add MAC users to the local database of the WLC.
   a. In the User MAC Address field, type the MAC address for the user device, using colons (:) as delimiters. You must specify all 6 bytes of the MAC address.
   b. In the MAC User Group list, select the MAC user group for the user device, if the group is already configured.
   c. In the VLAN Name field, select or type the name of the VLAN of the user device (1 to 16 alphanumeric characters, with no spaces or tabs). The WLC authorizes the user for that VLAN.
   d. Click Next.
   e. In the attribute row you want to configure, click the Attribute Value column.
   f. Click Finish.
16. Click Next.
17. Select RadioProfileVoice in the Radio Profiles list.
18. Click Finish.

Creating a Wi-Fi Multimedia (WMM) Voice Service Profile

Voice over Wireless IP (VoWIP) is a new technology that merges VoIP (Voice over IP) with wireless LANs to create a wireless telephone system. Organizations that add VoWIP to their wireless LANs can deploy and manage voice and data over a single wireless backbone, reserving some portion of network bandwidth to support real-time voice communications. For a VoWIP service (sometimes also referred to simply as VoIP, or Voice over IP), you can configure either local or RADIUS server authentication, and add Access Control Lists (ACLs) to restrict user access.

The Voice Service Profile dialog tailors options based on the selected vendor. The dialog has the following vendor options:
   - SpectraLink
   - Avaya
   - Vocera
   - Other
The SpectraLink, Avaya, and Vocera options configure service for proprietary VoWIP solutions from these vendors. If you are configuring VoWIP for devices that use the Wi-Fi Multimedia (WMM) standard, or a proprietary solution other than one of the listed vendors, use the Other option.

Creating a WMM VoWIP Service Profile:

1. Select Configuration on the toolbar.
2. In the Organizer panel, expand the WLC.
3. Expand Wireless, then select Wireless Services.
4. In the Tasks panel, select Voice Service Profile.
5. Click Next.
6. Change the service profile name to Voice1, and use the name Voice1 for the SSID. Select Other from the Vendor list.
7. Click Next.
8. Select Open Access and clear the MAC Access checkbox.
9. Click Next.
10. Select WPA and clear Static WEP.
11. Click Next.
12. Leave TKIP enabled and click Next.
13. Type a passphrase from 8 to 63 characters long in the Pre-shared Key field and click Generate.
14. Click Next.
15. Type or select the name of the VLAN you want to place voice users in. For this example, use VLAN2.

16. Click Next.
17. Select Enable WMM.
18. Click Next.
19. Select a Radio Profile from the Radio Profiles list and click Finish. A wireless profile named Voice1 is created and shown in the Content panel.

Creating an Open Access Service Profile

1. From the Organizer panel, select a WLC.
2. Under Wireless, select Wireless Services.
3. In the Task panel, under Create, click Open Access Service Profile.
4. A brief description of the wizard is displayed.
5. Click Next.
6. Create a unique name to identify the profile.
7. Enter an SSID for the profile.
8. From the SSID Type list, select Encrypted (most secure) or Clear (least secure).
9. If you selected Encrypted, select the encryption type:
   - RSN (WPA2) (Robust Security Network): most secure
   - WPA (Wi-Fi Protected Access): moderately secure
   - Static WEP (Wired Equivalent Privacy): least secure
10. Click Next.
11. If you selected RSN or WPA, enter the preshared key or click Generate to create a new one. Click Next.
12. Select one or more of the following Wireless Encryption Cipher Suites:
   - AES (CCMP) (AES Counter Mode CBC-MAC Protocol): most secure
   - TKIP (Temporal Key Integrity Protocol): moderately secure
   - WEP-104: least secure
   - WEP-40: least secure
   Click Next.
13. If you selected Static WEP, specify the WEP keys:
   - For each key (up to four), type the key value in the corresponding key field.
   - By default, data in unicast and multicast packets is encrypted using WEP key 1. To use another key for either type of packet, select the key number in the WEP Unicast Key Index or WEP Multicast Key Index field.
14. From the VLAN Name list, select the VLAN for Open Access users. Click Next.
15. Select a radio profile from the Radio Profiles list, or create a new one.
16. Click Finish to complete the configuration.

Creating a Mesh Service Profile

WLAN mesh services allow a WLA to provide wireless services to clients without a wired interface on the WLA. Instead of a wired interface, there is a radio link to another WLA that has a wired interface. WLAN mesh services can be used at sites where running Ethernet cable to a location is inconvenient, expensive, or impossible. Note that power must be available at the location where the Mesh WLA is installed.

1. From the Organizer panel, select a WLC.
2. Under Wireless, select Wireless Services.
3. In the Task panel, under Create, click Mesh Service Profile.
4. Create a unique name to identify the profile.
5. Enter an SSID for the profile.
6. If desired, select Bridging to allow a WLA to bridge wireless traffic destined for a wired network.
7. Select the type of access for this profile:
   - Authenticate WLAs by MAC Address (default)
   - Allow Access to any WLA with a valid pre-shared key
8. If you select authentication using a MAC address, select a MAC Address User from the list or click Create to add a new user.
9. If you select authentication using a pre-shared key, enter a preshared key in raw hexadecimal format, or enter a passphrase into the Preshared Key field and click Generate to obtain the hexadecimal form. You should set this key in the boot configuration of the WLA.
10. Select a radio profile from the Radio Profiles list, or create a new one. You must have a unique radio profile for mesh services.
11. Click Finish to complete the configuration.
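The Generate button in the voice and Web Portal wizards (passphrase of 8 to 63 characters) and the raw hexadecimal key the mesh wizard accepts are two views of the same 256-bit WPA/WPA2 pre-shared key. The following added example, which is not RingMaster or MSS code, shows the standard derivation every WPA/WPA2 client performs: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 32 bytes of output. Whether RingMaster's Generate button computes exactly this is not stated on this page and is assumed here; the 8-to-63-character limit is the one the wizard enforces.

```python
import hashlib

# Limits the wizards state for a passphrase: 8 to 63 characters (printable ASCII per WPA).
MIN_PASSPHRASE_LEN = 8
MAX_PASSPHRASE_LEN = 63


def passphrase_is_valid(passphrase: str) -> bool:
    """True when the passphrase would be accepted by the Pre-shared Key field."""
    if not MIN_PASSPHRASE_LEN <= len(passphrase) <= MAX_PASSPHRASE_LEN:
        return False
    return all(32 <= ord(c) <= 126 for c in passphrase)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase + SSID -> 256-bit PSK (the WPA/WPA2 PBKDF2-HMAC-SHA1 mapping).

    The SSID is the salt, so the same passphrase yields a different key on every
    SSID: renaming the SSID after the fact silently invalidates a stored hex PSK.
    """
    if not passphrase_is_valid(passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def psk_hex(passphrase: str, ssid: str) -> str:
    """Hexadecimal form of the key, as shown after clicking Generate."""
    return derive_psk(passphrase, ssid).hex()


def is_raw_psk(value: str) -> bool:
    """True when the field already holds a 64-hex-digit key rather than a passphrase."""
    return len(value) == 64 and all(c in "0123456789abcdefABCDEF" for c in value)


def resolve_psk(field_value: str, ssid: str) -> bytes:
    """Accept either form the mesh wizard allows and return the 32-byte key."""
    if is_raw_psk(field_value):
        return bytes.fromhex(field_value)
    return derive_psk(field_value, ssid)


if __name__ == "__main__":
    # Constructed demo input (the IEEE 802.11 reference vector: passphrase "password", SSID "IEEE").
    print(psk_hex("password", "IEEE"))
```

Because the hex key is what ends up in the WLA boot configuration, treat it with the same care as the passphrase: anyone who reads it can join the mesh SSID without knowing the passphrase at all.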

Creating a Custom Service Profile

If none of the other service types is appropriate, you can use the Custom Service Profile wizard to configure a service. The screens and options displayed depend on the access types and selections you make as you use the wizard. All pages and options occur in at least one of the other service profile wizards.

1. From the Organizer panel, select a WLC.
2. Under Wireless, select Wireless Services.
3. In the Task panel, under Create, click Custom Service Profile.
4. Create a unique name to identify the profile.
5. Enter an SSID for the profile.
6. From the SSID Type list, select Encrypted (most secure) or Clear (least secure).
7. Select the type of access for this profile:
   - 802.1X Access
   - MAC Access
   - Web Access
   - Open Access
8. Click Next.
9. Select one or more wireless security standards. Click Next.
10. If you have a preshared key for authenticating clients, enter it into the Preshared Key field and click Encrypt to encrypt the key. Click Next.
11. Select one or more wireless encryption suites. Click Next.
12. Select a VLAN for Open Access users.
13. Select a radio profile and click Finish to complete the configuration.

Setting Up Client Types

You can configure, on a per-service-profile basis, the client types allowed on a specific service profile. To configure this feature, use the following steps:

1. Select a WLC from the network plan.
2. Under Wireless, select RF Detection.
3. Under Setup, click Client Types.
4. From the list of Service Profiles, select or clear the following client types for the profile:
   - 802.11a
   - 802.11b
   - 802.11g
   - 802.11n@2.5 GHz
   - 802.11n@5 GHz
5. Click OK to save the changes.

Understanding Interworking Services

Interworking Services allow users to configure hotspot profiles that are intended to help offload network traffic from cellular carriers to a Wi-Fi network, reducing traffic on expensive 3G/4G networks. Current hotspot solutions require client devices to manually identify and select the local network as well as authenticate to it. However, such a service may offer only varying levels of security, bandwidth capability, and quality. The Juniper wireless LAN (WLAN) solution supports Hot Spot requirements and can seamlessly onboard Wi-Fi client devices at Hot Spot deployments, which enables both mobile operators and Multiple System Operators (MSOs) to offload mobile data traffic onto Wi-Fi Hot Spots. This feature is not supported in Local Switching or WAN outage mode.

The following is a typical process for wireless devices when a hotspot is present:

1. A device with cellular and realm capability detects the Hot Spot capabilities in the access point beacon frame.
2. The device then queries the ANQP server on the controller for Third Generation Partnership Project (3GPP) cellular network information and roaming consortium organization identifiers (OIs).
3. The device matches the information and OIs received against a list of credentials and preferred networks.
4. The device automatically associates with the Hot Spot access point.
5. Authentication is performed using 802.1X to the home authentication, authorization, and accounting (AAA) server using Extensible Authentication Protocol-Subscriber Identity Module (EAP-SIM), EAP-Authentication and Key Agreement (EAP-AKA), EAP-Transport Layer Security (EAP-TLS), or EAP-Tunneled Transport Layer Security (EAP-TTLS).

Note that interworking profiles must be assigned to an existing SSID in order to be active. This is done via the Service Profile Wizard, on the 802.11u tab.

Configuring an Interworking Service Profile for Wireless Access

1. Access the Interworking Service Profile wizard:
   a. In the Organizer panel, click the plus sign next to a WLC to configure the service profile.
   b. Click the plus sign next to Wireless.
   c. Select Interworking Services.
   d. In the Tasks panel, select Interworking Profile.
2. Type a profile name in the Name field and click Next. The name can be up to 16 characters.
3. Enter the desired HESSID. The Homogenous Extended Service Set Identifier (HESSID) should be identical to one of the BSSIDs in the HESS and is used to set the HESSID in the Interworking ID.
4. Use the Access Network Type options to specify whether the hotspot is public and allows Internet access, and click Next.
5. Specify the IP Address Type and Network Authentication Type using the drop-down menus provided. If needed, provide the Network Authentication Redirect URL as well.
6. Specify the Domain Name of the Hotspot provider and click Next.
7. To add Roaming Consortiums, click Create and follow the steps indicated. The Roaming Consortium IE contains information identifying the roaming consortium and/or the subscription service provider (SSP) whose security credentials can be used to authenticate with the access point transmitting this element. Click Next when finished.
8. To add Network Access Identifier (NAI) Realms, click Create and follow the steps indicated. Click Next to proceed.
9. Enter any Operator Names needed and click Next.
10. Check Enable Hotspot to enable the feature and click Next.
11. Click Create to configure 3rd Generation Partnership Project (3GPP) codes. A public land mobile network (PLMN) is identified by the Mobile Country Code (MCC) and Mobile Network Code (MNC). This option configures a list of cellular networks that assist a non-AP station with access to a 3GPP cellular network. Click Next when finished.
12. Click Finish to complete the profile creation.
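The fields this wizard populates (access network type, roaming consortium OIs, NAI realms and their EAP methods, 3GPP PLMN codes) are exactly what a client evaluates in steps 2 to 4 of the process described under Understanding Interworking Services. The following added example, which is not RingMaster, MSS or any supplicant's code, models that client-side matching so you can see which profile field unlocks which credential. The PLMN 001-01, the OI 001122, the realm example.com and the HESSID are constructed values; the order of preference among credential types and among EAP methods is an assumption of this example, not something the page specifies.

```python
from dataclasses import dataclass, field

# Device-side preference among the EAP methods the page lists for hotspot
# authentication. Assumed ordering; a real supplicant's policy may differ.
EAP_PREFERENCE = ("EAP-SIM", "EAP-AKA", "EAP-TLS", "EAP-TTLS")


@dataclass(frozen=True)
class Plmn:
    """Public land mobile network: Mobile Country Code + Mobile Network Code."""
    mcc: str
    mnc: str


@dataclass
class HotspotAnqp:
    """What the client learns from the beacon and the ANQP server.

    Mirrors the wizard fields: HESSID, Access Network Type (internet_access),
    3GPP codes (plmns), Roaming Consortium OIs, NAI Realms with their EAP methods.
    """
    hessid: str
    internet_access: bool
    plmns: frozenset = frozenset()
    roaming_ois: frozenset = frozenset()
    nai_realms: dict = field(default_factory=dict)   # realm -> set of EAP method names


@dataclass
class DeviceCredentials:
    """Credentials provisioned on the client."""
    sim_plmns: frozenset = frozenset()                       # home networks on the SIM
    consortium_ois: dict = field(default_factory=dict)       # OI -> EAP methods usable with it
    realm_methods: dict = field(default_factory=dict)        # realm -> EAP methods the device can run


def preferred_method(methods):
    """Pick the most preferred EAP method out of a set, or None if the set is empty."""
    for method in EAP_PREFERENCE:
        if method in methods:
            return method
    return None


def select_credential(anqp: HotspotAnqp, creds: DeviceCredentials, require_internet: bool = True):
    """Steps 2-4 of the page's process: compare ANQP data against provisioned credentials.

    Returns (match_type, identifier, eap_method) for the first usable credential, or
    None when the device should not auto-associate. Precedence (3GPP, then roaming
    consortium, then NAI realm) is assumed for this illustration.
    """
    if require_internet and not anqp.internet_access:
        return None
    # 3GPP: the SIM's home network appears in the hotspot's cellular network list.
    for plmn in sorted(creds.sim_plmns, key=lambda p: (p.mcc, p.mnc)):
        if plmn in anqp.plmns:
            return ("3gpp", f"{plmn.mcc}-{plmn.mnc}", "EAP-SIM")
    # Roaming consortium: an OI for which the subscriber holds credentials.
    for oi in sorted(creds.consortium_ois):
        if oi in anqp.roaming_ois:
            method = preferred_method(creds.consortium_ois[oi])
            if method:
                return ("roaming-consortium", oi, method)
    # NAI realm: the realm is advertised and both sides support a common EAP method.
    for realm in sorted(creds.realm_methods):
        common = set(creds.realm_methods[realm]) & set(anqp.nai_realms.get(realm, ()))
        method = preferred_method(common)
        if method:
            return ("nai-realm", realm, method)
    return None


# Constructed hotspot advertisement (no real operator data).
SAMPLE_ANQP = HotspotAnqp(
    hessid="02:00:00:aa:bb:cc",
    internet_access=True,
    plmns=frozenset({Plmn("001", "01")}),
    roaming_ois=frozenset({"001122"}),
    nai_realms={"example.com": {"EAP-TTLS", "EAP-TLS"}},
)

if __name__ == "__main__":
    sim_device = DeviceCredentials(sim_plmns=frozenset({Plmn("001", "01")}))
    print(select_credential(SAMPLE_ANQP, sim_device))
```

The useful defender's observation is in the last branch: a client only auto-joins when the realm and EAP method it was provisioned with are both advertised, so a profile that lists a realm with EAP-TTLS only will never be joined by a device holding an EAP-TLS certificate for that realm, and an unchecked Internet access option keeps every credential from matching in this model.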

Understanding Radio Profiles

A radio profile is a set of attributes that you can apply to multiple radios. A default radio profile named default is provided and cannot be deleted. Rather than configuring each radio individually, you can create a new radio profile and apply it to multiple radios that you select. You can also create a radio profile as part of a domain policy and apply the policy to WLAs on different WLCs.

The default radio profile is associated with the WLAs of a WLC, unless you created a new radio profile while configuring the coverage area and configured the WLCs with the information in the floor plan. If you create a new radio profile while configuring a coverage area for a floor, RingMaster automatically copies the new profile to the domain policy of the Mobility Domain selected for the coverage area. Later, when you configure WLCs in the Mobility Domain using the information in the floor plan, RingMaster also copies the radio profile to the Radio Profiles policy of each of the switches.

Creating Radio Profiles

To create a Radio Profile, use the following steps:

1. In the Organizer panel, select a WLC.
2. Under Wireless, select Radio Profiles.
3. In the Tasks panel, under Create, click Create Radio Profile.
4. Enter a unique radio profile name in the Name field.
5. Click Next.
6. Select a radio or radios from the Available Members, and click Move to add them to the Current Members.
7. Click Next to continue configuring additional options, or click Finish to save the profile.
8. Click Next.
9. Select a Service Profile to apply to the Radio Profile and click Add to move it to the Current Service Profiles.
10. Click Finish to save the configuration.

Configuring Advanced Radio Settings

After configuring a radio profile, select the radio profile and click Properties to display a series of tabs that contain all of the configurable parameters for the radio profile. You can configure the following settings:

Radio Profile Name: Radio profile name.

Countermeasures Mode:
   - None: Radios do not use countermeasures. This is the default.
   - Rogue and Suspect: Sends probe-any requests (probe requests with a null SSID name) to solicit probe responses from other access points. Radios also passively scan by listening for beacons and probe responses. When active scan is disabled, radios perform passive scanning only.
   - Rogue: A rogue is a device that is in the Juniper network but does not belong there. An interfering device is not part of the Juniper network but also is not a rogue. MSS classifies a device as an interfering device if no client connected to the device has been detected communicating with any network entity listed in the forwarding database (FDB) of any WLC in the Mobility Domain. Although the interfering device is not connected to your network, the device might be causing RF interference with WLA radios. Radios use countermeasures against devices classified by MSS as rogues, but do not use countermeasures against devices classified by MSS as interfering devices.

Enable RFID: Enables support for RFID tags.

Enable U-APSD: Enables Unscheduled Automatic Power Save Delivery (U-APSD) on WLA radios managed by the radio profile. U-APSD enables WMM clients that use power-save mode to request buffered unicast packets from WLA radios more efficiently.

Restrict DFS Channels
Client Tx Power Constraint
Change Auto Power
Change Auto Channel
RF Scanning Mode
Channel Scope
Send CTS-to-Self
Enable/Disable Spectral Scan: Enables Spectrum Analysis on the profile.

Attributes

Beacon Interval: Interval at which the MP advertises the SSIDs. You can specify from 25 to 8191 milliseconds (ms). The default is 100 ms.

DTIM Period (Delivery Traffic Information Message): Number of beacons (1 to 31) the WLA transmits before transmitting the multicast and broadcast frames stored in its buffers. The default is 1.

Fragment Threshold (bytes): Frame length (256 to 2346 bytes) at which the long-retry-count applies instead of the short-retry-count. The default is 2,346 bytes.

Max Tx MSDU Lifetime (ms) (MAC Service Data Unit): Maximum amount of time, from 500 ms to 250,000 ms (250 seconds), the MP can hold an outbound frame in buffer storage. The default value is 2,000 ms (2 seconds).

Max Rx MSDU Lifetime (ms): Maximum amount of time, from 500 ms to 250,000 ms (250 seconds), the MP can hold an inbound frame in buffer storage. The default is 2000 ms (2 seconds).

RTS Threshold (bytes): Minimum length (256 to 3000 bytes) a frame must have for the MP to use the Request-To-Send/Clear-To-Send (RTS/CTS) method to send the frame. Frames smaller than the RTS threshold are not sent using the RTS/CTS method. The default is 2346 bytes.

Enable Long Preambles: Enables advertisement of long preambles for 802.11b/g radios. This option is enabled by default and applies only to 802.11b/g radios.

Enable Rate Enforcement: When data rate enforcement is enabled, clients transmitting at the disabled rates are not allowed to associate with the WLA. Data rate enforcement is disabled by default.

802.11n Attributes
   Channel Width

Auto Tune
   Tx Power Tuning Interval (seconds): Interval at which RF Auto-Tuning decides whether to change the power level on radios. You can specify from 1 to seconds. The default is 300 seconds.

Power Policy: This drop-down allows the user to select which method of tuning will be used:
   - Maximum Coverage: Sets all radios to maximum transmit power based on the regulatory domain restrictions and access point model limitations. This is the default selection. When selected, none of the other options listed below the Power Policy field need to be modified.
   - Cell Parity: Sets the same power on all radios, based on the radio capability and regulation. You can configure per-band power levels, and the system accommodates these levels as allowed by regulatory constraints. For an equally spaced access point deployment, this power policy is better suited because it does not compute transmit power at run time. However, for very dense deployments, this policy may cause co-channel interference. When selected, users may specify the Cell Parity Power for both the 2 GHz and 5 GHz bands.
   - Maximum Channel Capacity: This power policy automatically determines the best power levels for channel capacity and avoids contention from other access points using the same channel. The administrator can change parameters such as the interval, the minimum and maximum power levels for the range, and the rate and degree to which power levels differ between access points in the vicinity. When selected, users can specify the minimum and maximum power ranges as well as the power density to be used.

Service Profile Selection

The Profile Selection tab lists the service profiles mapped to a radio profile. Radios managed by a radio profile provide wireless service for service profile SSIDs. To map a radio profile to a service profile, select a service profile from the Available Service Profiles list and click Add to move the profile name to the Current Service Profiles list. To remove the mapping between a radio profile and a service profile, select the service profile from the Current Service Profiles list and click Remove to move the profile name to the Available Service Profiles list.

Radio Selection

The Radio Selection tab lists the radios managed by the radio profile. A radio can be managed by only one radio profile. To add a radio to the radio profile, select the radio in the Available Members list and click Add to move it to the Current Members list. To remove a radio from the radio profile, select the radio in the Current Members list and click Reset to Default to return the radio to the default radio profile.

Voice Configuration

QoS Mode: Classification and marking of high-priority traffic on the WLC and WLA.
   - WMM: Classifies, marks, and forwards traffic for Wi-Fi Multimedia (WMM) devices based on 802.1p and DSCP values.
   - SVP: Optimizes forwarding of SpectraLink Voice Priority (SVP) traffic by setting the random wait time a WLA radio waits before transmitting the traffic to 0 microseconds.

WMM CAC Configuration
   Background 0 ACM Mode (Adaptive Coding and Modulation protocol)

   Background 0 ACM Limit (%)
   Background 0 ACM Policing
   Best-effort 1 ACM Mode
   Best-effort 1 ACM Limit (%)
   Best-effort 1 ACM Policing
   Video 2 ACM Mode
   Video 2 ACM Limit (%)
   Video 2 ACM Policing
   Voice 3 ACM Mode
   Voice 3 ACM Limit (%)
   Voice 3 ACM Policing

Bandwidth Management
   Enable Weighted Queuing

Snoop Map
   Available Snoop Filters
   Current Snoop Filters

Adaptive Channel Planner (Auto-Tune Enhancements)

Overview

A successful wireless LAN depends on efficient channel assignment by the WLAs. Channel assignment defines a strategy of channel allocation that targets minimizing interference. Wireless interference, which causes low throughput due to collisions on the network, severely limits network capacity and can be minimized by using non-overlapping channels for neighboring WLAs. The Adaptive Channel Planner improves radio channel assignment in the following situations:
   - New deployment: no existing channel configuration, whether using RingMaster or manually configuring the channels on the WLCs.
   - Existing configuration: improvement desired for any reason.
   - Moving or adding WLAs.
   - Interference sources with channel-specific effects.

ACP provides better wireless connectivity to clients by dynamically assigning operating channels on WLAs. The benefits include:
   - Optimizing the use of available spectrum across the entire wireless network.
   - Reducing interference by avoiding medium access contention.
   - Maximizing channel reuse.
   - Avoiding performance degradation generated by spectrum overlap.
   - Restoring wireless connectivity in the presence of severe interference.

   - Minimizing the impact of channel changes on wireless services.
   - Avoiding channel changes that make the network plan less optimal than the previous plan.
   - Minimizing the impact of non-interference on the overall quality of service experience.

Functionality

Adaptive Channel Planner (ACP) dynamically assigns the WLA operating channel so that the wireless network can efficiently adapt to the RF environment conditions. The dynamic assignment can change when significant changes are measured in the interference level or in the network topology. As a result, Wi-Fi bandwidth is maximized and the efficiency of communication over the wireless network is maintained. ACP is enabled by default, but you can disable it. It is also overridden if a static channel set is configured. If ACP is not configured, channels on the WLAs are static and require manual intervention to change.

Here's how it works:
   - Measure: MSS monitors the RF environment and collects interference information.
   - Calculate: MSS uses the measured data to calculate the best channel to assign on the WLA. This is a background function that does not impact other functions on the WLA.
   - Deploy: MSS changes the operational channels when it is determined to have minimal impact on connected clients.

You can configure ACP to run at periodic intervals in order to calculate the next auto channel based on a measured interference level, or when network changes are detected. MSS continuously searches for better channel assignment configurations, and separately monitors and controls 802.11a and 802.11b/g networks, preventing unnecessary changes to one network if the other network is impacted. You can select from channel sets; the default channel list includes only non-overlapping channels that meet regulatory requirements. This means that different channel sets are available based on the country code used in the configuration. Because of limited availability, channels are reused. The same channel is assigned to two WLAs, located far enough apart, if the overlapping channel interference signal detected by each WLA is less than a defined threshold. However, if radar is detected on the network, the channel is not available in the channel list for 30 minutes.

To improve the scaling characteristics of ACP, a new concept called the Interference Domain (InDo) is introduced. An InDo is defined as a set of radios in a Mobility Domain (MoDo) that can interfere with each other. It exists only for the duration of an ACP cycle. If a cluster configuration is enabled on the MoDo, ACP is applicable across the entire MoDo. Otherwise, the settings are restricted to the local configuration.

To configure Adaptive Channel Planner, select a radio profile and click Properties.

1. Click the Adaptive Channel Planner tab.
2. To add specific channels on the 802.11b/g radio, select the tab and add channels by moving them from Available Channels to Current Channels.

3. To add specific channels on the 802.11a radio, select the tab and add channels by moving them from Available Channels to Current Channels.
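The Functionality section above describes the rules ACP applies (reuse a channel between two WLAs only when their mutual interference is below a threshold, prefer not to change a channel that is still acceptable, and take a radar-hit channel out of the list for 30 minutes) but not the planner itself. The following added example is an illustrative greedy planner over one interference domain written for this guide; it is not MSS's algorithm and makes no claim about how MSS weighs these rules. The radio names, interference levels, the channel set 1/6/11 and the threshold are constructed sample data; the real channel set depends on the country code.

```python
RADAR_HOLD_SECONDS = 30 * 60   # page: a channel with detected radar is unavailable for 30 minutes
NON_OVERLAPPING_2G = (1, 6, 11)  # constructed channel set; the real list depends on the country code


def pair_level(interference, a, b):
    """Measured co-channel interference between two radios (symmetric, 0 if never measured)."""
    return interference.get((a, b), interference.get((b, a), 0.0))


def usable_channels(channel_set, radar_events, now):
    """Drop channels on which radar was detected less than RADAR_HOLD_SECONDS ago."""
    return [ch for ch in channel_set
            if ch not in radar_events or now - radar_events[ch] >= RADAR_HOLD_SECONDS]


def plan_channels(radios, current, interference, channel_set, threshold,
                  radar_events=None, now=0.0):
    """Greedy channel assignment for one interference domain (illustration only).

    radios       -- radio names in the interference domain
    current      -- {radio: channel} as deployed now; kept whenever still acceptable
    interference -- {(a, b): level} measured between radio pairs
    threshold    -- two radios may share a channel only if their level is below it
    radar_events -- {channel: detection_time} driving the 30-minute exclusion
    """
    radar_events = radar_events or {}
    channels = usable_channels(channel_set, radar_events, now)
    if not channels:
        raise ValueError("no channel is usable")

    def worst_same_channel(radio, ch, plan):
        # Highest interference this radio would see from radios already placed on ch.
        return max((pair_level(interference, radio, o)
                    for o, och in plan.items() if och == ch), default=0.0)

    # Most constrained radios first: those with the most neighbours above the threshold.
    order = sorted(radios, key=lambda r: (
        -sum(pair_level(interference, r, o) >= threshold for o in radios if o != r), r))
    plan = {}
    for r in order:
        keep = current.get(r)
        if keep in channels and worst_same_channel(r, keep, plan) < threshold:
            plan[r] = keep   # unchanged: avoids disrupting clients for no gain
            continue
        # Otherwise take the channel with the least co-channel interference;
        # ties favour the current channel, then the lowest channel number.
        plan[r] = min(channels, key=lambda ch: (worst_same_channel(r, ch, plan), ch != keep, ch))
    return plan


def conflicts(plan, interference, threshold):
    """Radio pairs still sharing a channel at or above the threshold (empty for a clean plan)."""
    names = sorted(plan)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if plan[a] == plan[b] and pair_level(interference, a, b) >= threshold]


# Constructed sample: a row of four WLAs where only adjacent ones interfere strongly.
SAMPLE_RADIOS = ["A", "B", "C", "D"]
SAMPLE_INTERFERENCE = {("A", "B"): 80.0, ("B", "C"): 70.0, ("C", "D"): 60.0}
SAMPLE_CURRENT = {r: 1 for r in SAMPLE_RADIOS}   # everything on channel 1 before ACP runs
SAMPLE_THRESHOLD = 50.0

if __name__ == "__main__":
    plan = plan_channels(SAMPLE_RADIOS, SAMPLE_CURRENT, SAMPLE_INTERFERENCE,
                         NON_OVERLAPPING_2G, SAMPLE_THRESHOLD)
    print(plan, conflicts(plan, SAMPLE_INTERFERENCE, SAMPLE_THRESHOLD))
```

The radar exclusion is worth checking on its own: with channel 6 blacklisted the planner is left with two channels for a chain of four radios, which still works here only because A and C (and B and D) never interfere; with a denser set of measurements, conflicts() would report the pairs ACP could not separate.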

Setting Up Bandwidth Management

Select one or more options to manage bandwidth. You can enforce per-SSID bandwidth limits, control how a radio's bandwidth is shared across SSIDs, and configure QoS profiles to limit bandwidth and prioritize traffic for individual users or SSIDs.

1. From the Organizer panel, select a WLC and then Wireless Services.
2. In the Tasks panel, under Setup, click Bandwidth Management.
3. All Bandwidth Management options are selected by default. To disable an option, clear the corresponding checkbox.
4. Click Finish if you have disabled an option. To continue the configuration, click Next.
5. To configure limits for an SSID, select a Service Profile from the list.
6. Click Next.
7. To configure SSID Access Time for a radio profile, select the name from the Radio Profile Name list. To enable weighted queuing, select Enable Weighted Queuing.
8. Click Next.
9. Manage any configured QoS profiles, or create one.
10. Click Finish.

Creating a VLAN Profile
To create a VLAN Profile for Local Switching, use the following steps:
1. From the Organizer panel, select a WLC.
2. Under Wireless, select Local Switching.
3. In the Tasks panel, click Create VLAN Profile.
4. In the Name field, enter a unique name to identify the profile.
5. Click Next.
6. Select a VLAN from the Network Plan VLANs, and click Add to move it to the Current VLANs list.
7. If you do not have any VLANs configured, click Add VLAN to create a new one.
8. Click Next.
9. From the Available WLAs list, select the WLAs to which the profile applies. Click Move to add them to the Current WLAs list.
10. Click Finish to complete the configuration.

Setting Up L2 Restrictions for Local Switching
To set up L2 Restrictions for Local Switching, use the following steps:
1. From the Organizer panel, select a WLC.
2. Under Wireless, select Local Switching.
3. In the Tasks panel, under Setup, select L2 Restrictions.
4. From the VLANs list, select an available VLAN.
5. Click Next.
6. To enable L2 Traffic Restrictions on the VLAN, select Enable.
7. If there are no restrictions configured, click Create.
8. Enter a MAC address to use for the configuration, and click Finish.
9. Select the MAC address from the list, and click Finish.

Creating WLAs using RingMaster
To add WLAs, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under Wireless, click Access Points.
3. In the Tasks panel, under Create, click WLA.
4. Create a unique identity for the WLA. Enter a number, unique name, connection type, and description. Click Next.
5. Enter the WLA serial number in the Serial Number field. If you plan to configure security between the WLA and a WLC, enter the unique fingerprint for the WLA.
6. Click Next.
7. Select the WLA type from the WLA Model list. The Radio 1 Type and Radio 2 Type are automatically populated when you select the WLA Model.
8. Click Next.
9. Configure the Radio 1 parameters: Number, Radio Mode, Radio Profile, Channel Number, Transmit Power [dBm], Antenna Location, Antenna Type.
10. Click Next.
11. Configure the Radio 2 parameters: Number, Radio Mode, Radio Profile, Channel Number, Transmit Power [dBm], Antenna Location, Antenna Type.
12. Click Finish to save the configuration.

Managing Access Points Using RingMaster
If you currently have access points in a RingMaster plan, use these steps to change the configuration.
1. From the Organizer panel, select a WLC.
2. Under Wireless, select Access Points.
3. In the Configuration panel, you can change the following settings:
   Security Mode - select from Optional, None, or Required.
   Enable Auto WLA Load Balancing - enabled by default.
4. For existing WLAs in RingMaster, you can highlight them in the list and click Properties.
5. You can change or add the following properties to a WLA:
   Access Point: WLA Number, Name, WLA Mode, Description, Radio Type, Serial Number, Connection, Fingerprint, Location, Contact, WLA Communication Timeout, Enable Data Security, Bias, Enable Firmware Update, Force Image Download, Enable Blink LED, Mode, Local Switching
   Remote WLA: Enable Remote WLA, Outage Duration [hours], Connection Evaluation Period [seconds], Remote Site, Path MTU, Persistent Config
   LLDP: LLDP Mode, LLDP-MED Mode, Power via MDI, Inventory
   802.11ng Radio: Number, Radio Mode, Radio Profile, Channel Number, Transmit Power [dBm], Antenna Location, Antenna Type, Antenna Span [degrees], Antenna Direction [degrees], Cable Loss [dBm], Auto Tune > Max Transmit Power, Load Balancing > Enable Load Balancing, Load Balancing > Load Balance Group, Load Balancing > Rebalance Clients
   802.11na Radio: Number, Radio Mode, Radio Profile, Channel Number, Transmit Power [dBm], Antenna Location, Antenna Type, Antenna Span [degrees], Antenna Direction [degrees], Cable Loss [dBm], Auto Tune > Max Transmit Power, Load Balancing > Enable Load Balancing, Load Balancing > Load Balance Group, Load Balancing > Rebalance Clients
   WLA Redundancy: Select or Create a Connection
6. Click OK to save the changes.
Deleting an Existing WLA
To delete a WLA from the current configuration, select the WLA from the list and click Delete. The WLA is removed from the configuration.

Creating a WLA Number
To set up a WLA Number, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under Wireless, click Access Points.
3. In the Tasks panel, under Setup, click WLA Number.
4. Create a new and unique WLA number.
5. Click OK to change the WLA Number.

Setting Up WLA Model
To set up the WLA Model, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under Wireless, click Access Points.
3. In the Tasks panel, under Setup, click WLA Model.
4. From the WLA list, select a WLA model.
5. Click OK to change the WLA Model.

Setting Up WLA Boot Configuration
To set up the WLA Boot Configuration, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under Wireless, click Access Points.
3. In the Tasks panel, under Setup, click WLA Boot Configuration.
4. From the WLA list, select a WLA to which the configuration applies.
5. Click Change Boot Parameters.
6. To clear the boot configuration, select Clear Configuration.
7. Under Mesh, to enable the feature, select Mesh Enabled. You can also generate a Mesh PSK and add the SSID.
8. Under IP, if the WLA boots from a static IP address, select Static IP Enabled. Enter the Gateway, Static IP Address, and Netmask.
9. Under Switch, if the WLA boots from a specific WLC, select Static WLC Enabled. Enter the Static IP WLC Address, Static WLC Name, and Static IP DNS Address.
10. Under VLAN, if the WLA is assigned to a VLAN, select Static VLAN Enabled, and enter the Static VLAN Tag.
11. Click OK to add the configuration.
12. Click Next to deploy the changes.
13. Click Finish to close the wizard.

Setting Up Load Balancing
RF load balancing is the ability to reduce network congestion over an area by distributing client sessions across the WLAs with overlapping coverage in the area. When the total demand of nearby wireless clients exceeds the capacity of a single WLA, there is no interruption of wireless services on the network.
For example, in an auditorium or lecture hall, there may be a substantial number of clients in a relatively small space. While a single WLA may be sufficient for providing an RF signal to the entire area, more WLAs are required to deliver enough aggregate bandwidth for all of the clients. When additional WLAs are installed in the room, RF load balancing spreads the client sessions evenly across the WLAs, so the available aggregate bandwidth grows with the number of WLAs.
RF load balancing is enabled by default. It is done on a per-radio basis, rather than a per-WLA basis. For radios managed by a given radio profile, RingMaster automatically assesses radios with overlapping coverage in an area and balances the client load across them.
RingMaster balances the client load by adjusting how WLAs are perceived by clients. As a WLA's capacity for new clients falls relative to other WLAs in the area, RingMaster makes that WLA more difficult for potential new clients to detect, so that clients associate with a WLA that has more capacity for client sessions. By default, RingMaster only prevents clients from associating with a WLA if there are other WLAs with available capacity. Clients are not prevented from associating with a WLA if it is the only one available.
You can optionally place WLA radios into load balancing groups. When two or more WLA radios are placed in the same load balancing group, RingMaster assumes that they have exactly the same coverage area, and attempts to distribute the client load across them equally. The WLA radios do not have to be on the same WLC. A balanced set of WLA radios can span multiple WLC switches in a Mobility Domain.
To set up Load Balancing, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under Wireless, click Access Points.
3. In the Tasks panel, under Setup, click Load Balancing.
4. To enable Load Balancing between WLAs, select Load Balancing.
5. Configure the Load Balancing Strictness by selecting one of the following options:
   Low - No clients are denied service.
   Medium - Clients attempting to connect to overloaded WLAs are redirected to other WLAs, causing a delay of a few seconds before connecting to the network.
   High - Clients may be delayed up to a minute before connecting to the network.
   Max -
6. Select the preferred bandwidth, and click Next.

7. Configure Load Balancing for each radio. You can enable the Rebalance Clients option, and click Next.
8. Select the Service Profiles to which Load Balancing applies, and also select which Service Profiles are exempt from this feature.
9. Click Finish to add the configuration.

Setting Up WLA Redundancy
To set up WLA Redundancy, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under Wireless, click Access Points.
3. In the Tasks panel, under Setup, click WLA Redundancy.
4. To add a WLA, click Create.
5. If you have a directly connected WLA, configure the WLA Connection settings:
   a. WLC - select a WLC from the list.
   b. Port
   c. Bias
   d. PoE - if you want the WLA to receive power from the WLC, select this option.
6. Click Finish to add the connection.
7. If you have a WLA previously configured for redundancy, you can edit the connection properties by selecting the WLA and then clicking Properties.

Setting Up WLA Radio Type
To set up the WLA Radio Type, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under Wireless, click Access Points.
3. In the Tasks panel, under Setup, click WLA Radio Type.
4. Select a Radio Type from the list.
5. Click OK to change the WLA Radio Type.

Configuring Remote WLA using RingMaster
Overview
In some network deployments, it is common to have a central network site with WLCs and remote sites with WLAs. The central and remote sites are connected by a WAN link. If the WAN link becomes unavailable, the remote sites with WLAs remain active and continue to provide connectivity to wireless clients. Once an outage has occurred, a periodic timer sends discovery messages to the primary access manager (PAM) to detect when the WLC is available on the network again. This timer, called an evaluation timer, is configurable and can be used as a hold-down timer to confirm detection of the WAN outage and as a mechanism to detect when the connection is restored.
A remote office can be any one of the following types of environments:
- Small retail store using the corporate database for inventory control and the Internet for financial transactions.
- Remote investment office with local servers, IP/PBX, and access to the corporate network for financial information.
- Remote sales office with access to the corporate network only.
- A temporary office at an event or exhibition with local printers and access to the corporate database across the WAN.
- A hot spot deployed at a retail facility, such as a coffee shop, providing Internet access only.
- A healthcare clinic that requires access to centralized hospital data in addition to local networking services such as printers and servers.
Once you have installed RingMaster Version 7.5 or later, you can configure WLAs for Remote WLA using the following steps:
1. In the Organizer panel, select a WLC from the list and then Access Points.
2. On the Navigation bar, click Configuration.
3. Select an Access Point from the list of Access Points, and click Properties.
4. Click the Remote WLA tab to display the options for configuring a Remote WLA.
5. Select Enable Remote WLA.
6. In the Outage Duration [hours] field, configure the length of time for the WLA to stay in outage mode. The default setting is 0 (stay in outage mode indefinitely) and the range is from 0 to 120 hours (5 days). This period is the maximum length of time that a WLA remains in outage mode.
7. In the Connection Evaluation Period [seconds] field, configure the keepalive interval of the pings sent to detect when the WAN link is active on the network. The default value is 300 seconds, with a range of 5 to seconds.
8. Click OK to save the changes in RingMaster.

Using Persistent Configuration
The persistent configuration feature is an enhancement to the existing remote access point feature. It gives access points the ability to remember their configuration once it has been configured on the controller. With this feature, the access point continues to work indefinitely without being connected to the controller. The remote sites remain connected even when an access point in outage mode becomes unreachable to the centrally located controller and the access point reboots after the outage expiration timer expires. New clients can also join the detached access point. With the extended authorization support, the access point can authenticate new 802.1X, MAC, dot1x pass-through, and last-resort sessions.
To enable persistent configuration:
1. Check the Enable Persistent Config box.
2. Use the Remote Site drop-down field to specify the WLA's location and the Path MTU drop-down to set the MTU value.
You can also configure WAN Outage on Auto WLAs when you use the Auto WLA wizard. Select Enable Auto WLA on the Access Points Configuration panel, then click Auto WLA under Setup on the Tasks panel.
To receive alarms about Remote WLAs, configure SNMPv2 and add the WLANonOperStatus2 trap to the Notification Profile.
The following events occur when the WLA is in Remote WLA mode:
- When a WLA changes to an outage state, a WLA Status Alarm is sent with the reason Connection Lost.
- If the WLA recovers and exits outage mode before the Extended Timeout expires, a WLA Status Alarm is sent with the reason Connection Restored.
- If the Extended Timeout expires, a WLA Status Alarm is sent with the reason Connection Outage Extended Timeout.
In the first two instances, the WLA stays active, but in the last instance, the WLA is down.
Configuring a Remote Site with RingMaster
To configure a Remote Site with RingMaster, select Remote Site located in the Organizer.
(Illustration: Remote Sites)
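The Outage Duration and Connection Evaluation Period timers from the Remote WLA steps, together with the three WLA Status Alarm reasons listed above, as an added simulation that is not RingMaster or MSS code; the WLA name, the timestamps, and the assumption that the first discovery probe runs one evaluation period after the WLC is lost are constructed here.

```python
"""Remote WLA outage handling: the Outage Duration and Connection Evaluation
Period timers and the three WLA Status Alarm reasons described above.

Added example, not RingMaster or MSS code. The WLA name, timestamps and the
assumption that the first discovery probe runs one evaluation period after
the WLC is lost are constructed here.
"""
from __future__ import annotations

from dataclasses import dataclass, field

CONNECTED, OUTAGE, DOWN = "connected", "outage", "down"
INDEFINITE = 0  # Outage Duration [hours] of 0 keeps the WLA in outage mode indefinitely


@dataclass
class RemoteWlaTimers:
    """The two Remote WLA tab settings, with the ranges given on the page."""
    outage_duration_hours: int = 0   # 0 to 120 hours; 0 = indefinite
    evaluation_period_s: int = 300   # discovery/keepalive interval; default 300 s

    def __post_init__(self) -> None:
        if not 0 <= self.outage_duration_hours <= 120:
            raise ValueError("Outage Duration must be 0 to 120 hours")
        if self.evaluation_period_s < 5:
            raise ValueError("Connection Evaluation Period must be at least 5 seconds")


@dataclass
class RemoteWla:
    name: str
    timers: RemoteWlaTimers
    state: str = CONNECTED
    outage_started_at: float | None = None
    alarms: list[tuple[float, str]] = field(default_factory=list)  # (time, reason)

    def serving_clients(self) -> bool:
        """The WLA stays active in the first two alarm cases; it is down only
        after the extended timeout."""
        return self.state in (CONNECTED, OUTAGE)

    def wlc_lost(self, now: float) -> None:
        """WAN link or WLC becomes unreachable: enter outage mode."""
        if self.state != CONNECTED:
            return
        self.state, self.outage_started_at = OUTAGE, now
        self.alarms.append((now, "Connection Lost"))

    def evaluate(self, now: float, wlc_reachable: bool) -> None:
        """One discovery probe to the PAM, run every evaluation period."""
        if self.state != OUTAGE:
            return
        if wlc_reachable:
            self.state = CONNECTED
            self.alarms.append((now, "Connection Restored"))
            return
        limit_s = self.timers.outage_duration_hours * 3600
        if limit_s != INDEFINITE and now - self.outage_started_at >= limit_s:
            self.state = DOWN
            self.alarms.append((now, "Connection Outage Extended Timeout"))


def simulate(timers: RemoteWlaTimers, lost_at: float, restore_at: float | None,
             max_probes: int = 10_000) -> RemoteWla:
    """Lose the WLC at lost_at, probe every evaluation period, and return the
    WLA once it leaves outage mode (or after max_probes for an indefinite outage)."""
    wla = RemoteWla("remote-wla-1", timers)  # constructed name
    wla.wlc_lost(lost_at)
    now = lost_at
    for _ in range(max_probes):
        now += timers.evaluation_period_s
        reachable = restore_at is not None and now >= restore_at
        wla.evaluate(now, wlc_reachable=reachable)
        if wla.state != OUTAGE:
            break
    return wla


if __name__ == "__main__":
    for label, restore in (("restored", 900), ("never restored", None)):
        w = simulate(RemoteWlaTimers(outage_duration_hours=1), lost_at=0, restore_at=restore)
        print(label, w.state, w.alarms)
```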

Once you select Remote Sites in the Organizer, click Create Remote Site to launch the configuration wizard. The wizard allows you to configure the following parameters:
- Unique Name
- Country Code
- Enable Security
- VLAN Profile
- Path MTU
- Enable Backup SSIDs Mode
- Add WLAs
- Customize Extended Authorization Attributes
- Set up 802.11u
- Enable Intrusion Detection Logging - See WLA Intrusion Detection System (IDS) Logging on page 9.

Converting Auto WLAs
To convert an Auto WLA to a configured WLA, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under Wireless, click Access Points.
3. In the Tasks panel, under Other, click Convert Auto WLA.
4. From the list of Auto WLAs, select one to convert to a configured WLA, and click Next.
5. Change the WLA Number to a unique number, and click Next.
6. The selected WLA is converted to a configured WLA.
7. Click Finish.

Removing Auto WLAs
To remove an Auto WLA, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under Wireless, click Access Points.
3. In the Tasks panel, under Other, click Remove Auto WLA.
4. From the list of Auto WLAs, select one to remove, and click Next.
5. The selected WLA is removed from the network plan.
6. Click Finish.

Configuring a Remote Site
In some network deployments, it is common to have a central network site with WLCs and remote sites with WLAs. The central and remote sites are connected by a WAN link. If the WAN link becomes unavailable, the remote sites with WLAs should remain active and continue to provide connectivity to wireless clients. Once an outage has occurred, a periodic timer sends discovery messages to the primary access manager (PAM) to detect when the WLC is available on the network again. This timer, called an evaluation timer, is configurable and can be used as a hold-down timer to confirm detection of the WAN outage and as a mechanism to detect when the connection is restored. For detailed information on this feature, refer to the MSS Configuration Guide.
To configure a WLA for a remote site, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under Wireless, click Remote Sites.
3. In the Tasks panel, under Create, click Create Remote Site.
4. The Create Remote Site wizard is displayed.
5. Enter a name for the remote site.
6. Select a Country Code. WLAs can reside in a country other than the one configured for the network plan.
7. Select a VLAN Profile.
8. Configure the Path MTU, if desired.
9. Backup SSIDs Mode is enabled by default.
10. Click Next.
11. Select a WLA from the list and click Add.
12. Click Next.
13. Intrusion Detection Logging is enabled by default. You need to enter the IP address and port of the server that logs the events. You can also select the Severity Filter level.
14. Specify Extended Authorization Attributes as needed and click Next.
15. If desired, use the 802.11u page to create a hotspot profile.
16. Click Finish to complete the configuration.

Configuring Radio Properties
To configure or modify radio properties, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under Wireless, click Radios.
3. In the 2.4 GHz or 5 GHz section, you can select a radio and change the following properties:
   Radio Mode - select Enabled, Disabled, or Sentry.
   Channel - select a channel from 1 to 11.
   Tx Power - select a transmit power from 5 to 18.
   Antenna - select the antenna type, either Internal or a specific model.
   Radio Profile - select from a list of configured Radio Profiles to apply to the radio.
4. To display all of the Radio Properties, highlight the radio in the list, and click Properties.
5. Additional properties that can be configured are now displayed:
   Additional Antenna options include Antenna Span, Antenna Direction, Antenna Tilt, and Cable Loss.
   Auto Tune - select the default setting or 1 to 20 for the maximum transmit power.
   Load Balancing - see WLA Load Balancing.
6. Auto Channel is selected by default. To manually configure a channel, clear the checkbox, and then select a channel from the Channel Number list.
7. To add a Snoop Map to the radio, click the Snoop Map tab.
8. Snoop Filters are displayed in the Available Snoop Filters list. To add a Snoop Filter, select it from the list and click Add. The Snoop Filter is now displayed in the Current Snoop Filters list.
9. Click OK to save the configuration.

Changing Radio Modes
To change the radio mode, use the following steps:
1. Select a radio from the list of available radios. You can select all radios by checking Select.
2. From the Radio Mode options, select Enabled to allow radio operations. To configure the radio in Sentry mode, select Sentry.
3. Click OK to complete the configuration.

Configuring RF Detection
To configure RF Detection, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under Wireless, click RF Detection.
3. In the Configuration - RF section, you can select Enable WLA Signature, and add a WLA Signature to detect on the network.
4. If you enable Dynamic Blacklist, client MAC addresses are automatically prevented from joining the wireless network. You can specify a length of time from 0 to 300 seconds. The default value is 300 seconds.
5. Click Save to save the configuration.

Setting Up RF Classification
The RF Classification Rules determine whether a detected device is classified as a Rogue, Suspect, or Neighbor. The rules are applied in the order in which they appear in the list. The following RF Classification Rules can be modified to change the classification of devices:

| RF Classification Rule | Value |
|---|---|
| In Rogue List | Classify as Rogue |
| WLA is part of the Mobility Domain | Classify as Member |
| In Neighbor List | Classify as Neighbor |
| SSID Masquerade | Classify as Rogue (default); Skip test classification |
| Client or Client DST MAC seen in the network | Classify as Rogue (default); Skip test classification |
| Ad Hoc Device | Classify as Rogue; Skip test classification (default) |
| In SSID List | Classify as Neighbor |
| Default | Classify as Rogue; Classify as Suspect (default); Classify as Neighbor |

Click OK to save the configuration.
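The rule table above applied as a first-match classifier, as an added example that is not RingMaster or MSS code: the Rogue, Neighbor and Known SSID list contents, the rule values and the detected devices are all constructed here, and treating a non-member BSS that advertises one of the Mobility Domain's own SSIDs as an SSID masquerade is an assumption.

```python
"""First-match RF classification, following the order of the rule table.

Added example, not RingMaster or MSS code: the list contents, rule values
and detected devices below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ROGUE, SUSPECT, NEIGHBOR, MEMBER = "Rogue", "Suspect", "Neighbor", "Member"
SKIP = "Skip"  # the table's "Skip test classification" choice


def oui(mac: str) -> str:
    """Vendor prefix (first three octets) of a MAC, which is what a
    Neighbor List Vendor ID entry matches."""
    return ":".join(mac.lower().split(":")[:3])


@dataclass
class DetectedDevice:
    """One BSS reported by a scanning radio (constructed fields)."""
    bssid: str
    ssid: str
    in_mobility_domain: bool = False      # a WLA this MoDo manages
    client_seen_in_network: bool = False  # its client/DST MAC also seen on the wire
    ad_hoc: bool = False


@dataclass
class ClassificationRules:
    """Configurable values from the rule table; defaults as marked there."""
    rogue_list: set[str] = field(default_factory=set)
    neighbor_macs: set[str] = field(default_factory=set)
    neighbor_ouis: set[str] = field(default_factory=set)
    known_ssids: set[str] = field(default_factory=set)  # the Known SSID List
    own_ssids: set[str] = field(default_factory=set)    # SSIDs the MoDo serves
    ssid_masquerade: str = ROGUE  # ROGUE (default) or SKIP
    client_seen: str = ROGUE      # ROGUE (default) or SKIP
    ad_hoc: str = SKIP            # ROGUE or SKIP (default)
    default: str = SUSPECT        # ROGUE, SUSPECT (default) or NEIGHBOR


def classify(dev: DetectedDevice, rules: ClassificationRules) -> tuple[str, str]:
    """Apply the rules in table order; the first rule that matches decides.
    Returns (verdict, name of the rule that fired)."""
    mac = dev.bssid.lower()
    if mac in {m.lower() for m in rules.rogue_list}:
        return ROGUE, "In Rogue List"
    if dev.in_mobility_domain:
        return MEMBER, "WLA is part of the Mobility Domain"
    if mac in {m.lower() for m in rules.neighbor_macs} or oui(mac) in rules.neighbor_ouis:
        return NEIGHBOR, "In Neighbor List"
    # Assumption: a non-member BSS advertising one of the MoDo's own SSIDs
    # is an SSID masquerade.
    if dev.ssid in rules.own_ssids and rules.ssid_masquerade != SKIP:
        return rules.ssid_masquerade, "SSID Masquerade"
    if dev.client_seen_in_network and rules.client_seen != SKIP:
        return rules.client_seen, "Client or Client DST MAC seen in the network"
    if dev.ad_hoc and rules.ad_hoc != SKIP:
        return rules.ad_hoc, "Ad Hoc Device"
    if dev.ssid in rules.known_ssids:
        return NEIGHBOR, "In SSID List"
    return rules.default, "Default"


def classify_all(devices, rules) -> dict[str, tuple[str, str]]:
    """Classify every detected device, keyed by BSSID."""
    return {d.bssid: classify(d, rules) for d in devices}


# Constructed sample configuration and scan results.
SAMPLE_RULES = ClassificationRules(
    rogue_list={"00:11:22:33:44:55"},
    neighbor_macs={"aa:bb:cc:00:00:01"},
    neighbor_ouis={"00:0b:0e"},  # a constructed vendor prefix
    known_ssids={"cafe-guest"},
    own_ssids={"corp-wifi"},
)
SAMPLE_DEVICES = [
    DetectedDevice("00:11:22:33:44:55", "corp-wifi"),                          # listed rogue
    DetectedDevice("00:0b:0e:10:20:30", "corp-wifi", in_mobility_domain=True),  # our WLA; Member wins over OUI
    DetectedDevice("00:0b:0e:aa:bb:cc", "corp-wifi"),                          # neighbour by OUI
    DetectedDevice("de:ad:be:ef:00:01", "corp-wifi"),                          # masquerades our SSID
    DetectedDevice("de:ad:be:ef:00:02", "visitor", client_seen_in_network=True),
    DetectedDevice("de:ad:be:ef:00:03", "cafe-guest", ad_hoc=True),             # ad hoc test skipped by default
    DetectedDevice("de:ad:be:ef:00:04", "visitor"),                            # nothing matches
]

if __name__ == "__main__":
    for bssid, (verdict, rule) in classify_all(SAMPLE_DEVICES, SAMPLE_RULES).items():
        print(f"{bssid}  {verdict:<9} ({rule})")
```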

Setting Up Countermeasures Mode
You can configure, per radio profile, how the network responds to intrusive traffic on the network. To configure this feature, use the following steps:
1. Select a WLC from the network plan.
2. Under Wireless, select RF Detection.
3. On the Configuration - RF Detection page, under Device Containment, select a Radio Profile from the list.
4. Select the type of Countermeasures Mode from the list. You can select from the following options: None, Rogue and Suspect, Rogue.
5. If you select Properties, you can change the Radio Profile options. See Configuring a Radio Profile.

Creating a Rogue List Entry
To add an entry to the Rogue list, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under Wireless, click RF Detection.
3. In the Task list, under Create, click Rogue List Entry.
4. Enter the MAC address of the Rogue Device.
5. Click OK.
6. The MAC address is now displayed in the Rogue List.
7. To delete the MAC address from the Rogue List, select the MAC address and click Delete.

Creating a Neighbor List Entry
To add an entry to the Neighbor list, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under Wireless, click RF Detection.
3. In the Task list, under Create, click Neighbor List Entry.
4. Select MAC or Vendor IDs as the Device Identifier.
5. Click Next.
6. If you selected MAC, enter the MAC address.
7. Click Finish to add the MAC address.
8. If you selected Vendor IDs, select the vendor from the Vendor list.
9. Then select the Vendor IDs from the list, and click Add to add them to the Selected Vendor ID list. You can also add a Vendor that is not listed, and add its OUI to the list.
10. Click Finish.
11. The Neighbor Entry is now displayed in the Neighbor List.
12. To delete an entry from the Neighbor List, select it and click Delete.

Creating a Known SSID List Entry
To add an entry to the Known SSID list, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under Wireless, click RF Detection.
3. In the Task list, under Create, click Known SSID List Entry.
4. Enter the SSID name in the SSID field.
5. Click OK.
6. The SSID Entry is now displayed in the Known SSID List.
7. To delete the SSID from the Known SSID List, select the SSID and click Delete.

Creating a Client Blacklist Entry
To add an entry to the Client Blacklist, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under Wireless, click RF Detection.
3. In the Task list, under Create, click Client Blacklist Entry.
4. Enter the MAC address in the Client MAC Address field.
5. Click OK.
6. The Client Blacklist Entry is now displayed in the Client Blacklist.
7. To delete the entry from the Client Blacklist, select the MAC address and click Delete.

Creating RF Snoop Filters
To configure this feature, use the following steps:
1. Select a WLC from the network plan.
2. Under Wireless, select RF Snoop.
3. Under Create, click Create Snoop Filter.
4. Enter a name for the Snoop Filter. To enable the filter, select Enabled.
5. Click Next.
6. Select an Observer IP from the list of configured Snoop Observers. If one is not configured, click Create Snoop Filter Observer.
   a. Enter the Target IP Address.
   b. Select the Snap Length Limit.
   c. Select the Frame Gap Limit.
   d. Select the Transmission Mode from the list: tzsp or batched-tzsp.
7. Click Finish to add it to the Observer IP list.
8. Optionally, you can create Snoop Filter Conditions. Click Create, and then select from the list of filters: Direction, Frame type, Channel, BSSID, Transmitter Type, Source MAC, Destination MAC, Host MAC, MAC Pair.
9. Optionally, you can map radios to the snoop filter. Select a radio from the list of Available WLA Radios, and click Add. The radio is now added to the list of Current WLA Radios.
10. Optionally, you can map a radio profile to the snoop filter. Select a Radio Profile from the list of Available Radio Profiles, and click Add. The radio profile is now added to the list of Current Radio Profiles.
11. Click Finish to close the wizard.
You can change any of the configured Snoop Filter parameters by selecting a Snoop Filter from the Snoop Filter Table and then clicking Properties.

You can change any of the Snoop Observer parameters by selecting an Observer from the Snoop Observers table and clicking Properties.

Configuring RF Autotune
Overview
A successful wireless LAN depends on efficient channel assignment by the WLAs. Channel assignment is the strategy for allocating channels so as to minimize interference. Wireless interference, which causes low throughput due to collisions on the network, severely limits network capacity and can be minimized by using non-overlapping channels for neighboring WLAs.
The Adaptive Channel Planner improves radio channel assignment in the following situations:
- New deployment - no existing channel configuration, whether created with RingMaster or by manually configuring the channels on the WLCs.
- Existing configuration - improvement desired for any reason.
- Moving or adding WLAs.
- Interference sources with channel-specific effects.
ACP provides better wireless connectivity to clients by dynamically assigning operating channels on WLAs. The benefits include:
- Optimizing the use of available spectrum across the entire wireless network.
- Reducing interference by avoiding medium access contention.
- Maximizing channel reuse.
- Avoiding performance degradation generated by spectrum overlap.
- Restoring wireless connectivity in the presence of severe interference.
- Minimizing the impact of channel changes on wireless services.
- Avoiding channel changes that make the network plan less optimal than the previous plan.
- Minimizing the impact of non-802.11 interference on the overall quality of service experience.
Functionality
Adaptive Channel Planner (ACP) dynamically assigns the WLA operating channel so that the wireless network can efficiently adapt to RF environment conditions. The assignment changes when significant changes are measured in the interference level or in the network topology. As a result, Wi-Fi bandwidth is maximized and communication over the wireless network stays efficient. ACP is enabled by default, but you can disable it. It is also overridden if a static channel set is configured.
If ACP is not configured, channels on the WLAs are static and require manual intervention to change. Here's how it works:
- Measure - MSS monitors the RF environment and collects interference information.
- Calculate - MSS uses the measured data to calculate the best channel to assign on the WLA. This is a background function that does not impact other functions on the WLA.
- Deploy - MSS changes the operational channels when it determines that doing so has minimal impact on connected clients.

You can configure ACP to run at periodic intervals in order to calculate the next auto channel based on a measured interference level or when network changes are detected. MSS continuously searches for better channel assignment configurations, and separately monitors and controls the 802.11a and 802.11b/g networks, preventing unnecessary changes to one network if the other network is impacted.
You can select from channel sets; the default channel list includes only non-overlapping channels that meet regulatory requirements. This means that different channel sets are available based on the country code used in the configuration. Because of limited availability, channels are reused. The same channel is assigned to two WLAs, located far enough apart, if the overlapping channel interference signal detected by each WLA is less than a defined threshold. However, if radar is detected on the network, the channel is not available in the channel list for 30 minutes.
To improve the scaling characteristics of ACP, a new concept called "Interference Domain" (InDo) is introduced. An InDo is defined as a set of radios in a Mobility Domain (MoDo) that can interfere with each other. It exists only for the duration of an ACP cycle. If a cluster configuration is enabled on the MoDo, ACP applies across the entire MoDo. Otherwise, the settings are restricted to the local configuration.
To configure RF Autotune, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under Wireless, click RF Autotune.
3. RF Autotune is enabled by default for 802.11b/g and 802.11a radios. To disable RF Autotune, clear the Enable checkbox.
4. You can configure the Week Day on which the radios perform autotuning. You can select a specific day of the week, Work Days (M-F), or Everyday.
5. You can also configure the hour, minute, and Interference Domain Threshold. The default value for Interference Domain Threshold is 85, with a range of 0 to
6. Click Save to save the configuration, and then click Deploy to send the changes to the WLC.

AAA Overview
If you have a WLC in your network plan, you can configure WLC AAA features using RingMaster. The following features can be configured:
- Creating Users in the Local Database
- Creating a RADIUS Server
- Creating an LDAP Server
- Creating AAA Profiles
- Creating an 802.1X Authentication Rule
- Creating a MAC Access Rule
- Creating a Web Authentication Rule
- Creating an Open Access Rule
- Creating an Admin Access Rule
- Creating a Console Access Rule
- Creating a RADIUS Proxy Client
- Creating a Location Policy Rule
- Creating a Mobility Profile
- Configuring Device Fingerprinting


Creating Users in the Local User Database

To add users to the WLC local user database, use the following steps:

1. From the Organizer pane, select a WLC.
2. Under AAA, select Local User Database.
3. In the Configuration panel, you can view entries in the following categories: Users, User Groups, MAC Users, and MAC User Groups.
4. For existing entries in RingMaster, you can highlight them in the list and click Properties.
5. To add a user to the Local User Database, click Create User.
6. Enter a unique name and password for the user. If you have users with common attributes, you can add them to a User Group.
7. Configure the Password Expiration Time (Hours). The range is from 0 to 3600 hours.
8. Click Next.
9. From the VLAN Name list, select a VLAN for user access.

Optional Authorization Attributes

10. You can also configure the following optional authorization attributes. Each entry lists the attribute, its description, and the permitted value.

end-date
  Description: Date and time after which the user is no longer allowed to be on the network.
  Value: Date and time, in the format YY/MM/DD-HH:MM. You can use end-date alone or with start-date, and you can use start-date, end-date, or both in conjunction with time-of-day.

ssid
  Description: SSID the user is allowed to access after authentication.
  Value: Name of the SSID for the user. The SSID must be configured in a service profile, and the service profile must be used by a radio profile assigned to Juniper radios in the Mobility Domain.

termination-action
  Description: The type of action taken to terminate a client on the network.
  Value: 0 (Disconnect) or 1 (Re-authentication).

idle-timeout
  Description: The length of time that a client can be idle on the network before it is automatically disconnected.
  Value: Number between 180 and 86400 seconds, with a default value of 3600, or 0 to disable the idle timeout.

session-timeout
  Description: Maximum number of seconds for the user's session.
  Value: Number between 0 and 1,728,000 seconds (20 days).

filter-id
  Description: Security access control list (ACL), to permit or deny traffic received (input) or sent (output) by the WLC. (For more information about security ACLs, see ACLs.)
  Value: Name of an existing security ACL, up to 32 alphanumeric characters, with no tabs or spaces. Use acl-name.in to filter traffic that enters the WLC from users via a WLA access port or wired authentication port, or from the network via a network port. Use acl-name.out to filter traffic sent from the WLC to users via a WLA access port or wired authentication port, or to the network via a network port.
  Note: If the Filter-Id value returned through the authentication and authorization process does not match the name of a committed security ACL on the WLC, the user fails authorization and is unable to authenticate.

time-of-day
  Description: Day(s) and time(s) during which the user is permitted to log into the network. After authorization, the user's session can last until either the Time-Of-Day range or the Session-Timeout duration (if set) expires, whichever is shorter.
  Note: Time-Of-Day is a Juniper vendor-specific attribute (VSA). The vendor ID is 14525, and the vendor type is 4.
  Value: One of the following:
    never: Access is always denied.
    any time: Access is always allowed.
    Enter Days: Access is allowed on specific days and hours. Specify one or more ranges, each consisting of a day designation (required) and a time range in hhmm-hhmm 4-digit 24-hour format (optional). The day designations are mo Monday, tu Tuesday, we Wednesday, th Thursday, fr Friday, sa Saturday, su Sunday, and wk any day between Monday and Friday. Separate values or a series of ranges (except time ranges) with commas (,) or a vertical bar (|). Do not use spaces. The maximum number of characters is 253.
    For example, to allow access only on Tuesdays and Thursdays between 10 a.m. and 4 p.m., specify the following:
    time-of-day tu1000-1600,th1000-1600
    To allow access only on weekdays between 9 a.m. and 5 p.m., and on Saturdays from 10 p.m. until 2 a.m., specify the following:
    time-of-day wk0900-1700,sa2200-0200
  Note: You can use time-of-day in conjunction with start-date, end-date, or both.

simultaneous-logins
  Description: The number of times that a user can log into the network from different locations.
  Value: The range is from 1 to 1000 with a default value of 1.

start-date
  Description: Date and time at which the user becomes eligible to access the network. MSS does not authenticate the user unless the attempt to access the network occurs at or after the specified date and time, but before the end-date (if specified).
  Value: Date and time, in the format YY/MM/DD-HH:MM. You can use start-date alone or with end-date, and you can use start-date, end-date, or both in conjunction with time-of-day.

mobility-profile
  Description: Mobility Profile attribute for the user. (For more information, see Viewing Mobility Profiles.)
  Note: Mobility-Profile is a Juniper vendor-specific attribute (VSA). The vendor ID is 14525, and the vendor type is 2.
  Value: Name of an existing Mobility Profile.
  Note: If the Mobility Profile feature is enabled, and a user is assigned the name of a nonexistent Mobility Profile on the WLC, the user is denied access.

acct-interim-interval
  Description: Interval in seconds between accounting updates, if accounting is enabled and the Start-Stop record type is specified.
  Value: Select Enable Updates and then a number between 180 and 3,600 seconds, or 0 to disable periodic accounting updates. The WLC ignores the acct-interim-interval value and issues a log message if the value is below 60 seconds.
  Note: If both a RADIUS server and the WLC supply a value for the acct-interim-interval attribute, the value from the WLC takes precedence.

qos-profile
  Description: You can assign a user to a specific QoS profile.
  Value: Select the profile from the list of configured QoS Profiles.

url
  Description: URL to which the user is redirected after successful WebAAA.
  Value: Web URL, in standard format.
  Note: You must include the scheme (http://) portion of the URL.

service-type
  Description: Type of access the user is requesting.
  Value: Access type, which can be one of the following:
    2 Framed; for network user access.
    6 Administrative; for administrative access, with authorization to access the enabled (configuration) mode. The user must enter the enable command and the correct enable password to access the enabled mode.
    7 NAS-Prompt; for administrative access to the nonenabled mode only. In this mode, the user can still enter the enable command and the correct enable password to access the enabled mode.
  For administrative sessions, the WLC always sends 6. A RADIUS server can reply with one of the listed values. If the service-type is not set on the RADIUS server, administrative users receive NAS-Prompt access, and network users receive Framed access.
  Note: MSS quietly accepts Callback Framed, but you cannot select this access type in MSS.

user-name
  Description: User name to be displayed.
  Value: User name of up to 80 characters; it can contain numbers and special characters.

encryption-type
  Description: Type of encryption required for access by the client. Clients who attempt to use an unauthorized encryption method are rejected.
  Note: Encryption-Type is a Juniper vendor-specific attribute (VSA). The vendor ID is 14525, and the vendor type is 3.
  Value: One of the following numbers, which identifies an encryption algorithm:
    1 AES_CCM (Advanced Encryption Standard using Counter with CBC-MAC)
    4 TKIP (Temporal Key Integrity Protocol)
    8 WEP_104 (the default) (Wired-Equivalent Privacy protocol using 104 bits of key strength)
    16 WEP_40 (Wired-Equivalent Privacy protocol using 40 bits of key strength)
    32 NONE (no encryption)
    64 Static WEP
  In addition to these values, you can specify a sum of them to allow a combination of encryption types. For example, to specify WEP_104 and WEP_40, use 24. Note that WEP and TKIP are broken ciphers; unless legacy clients require otherwise, restrict the attribute to 1 (AES_CCM) so that a client cannot negotiate down to a weaker method.

11. Click Finish to complete the configuration.

Deleting an Existing User, User Group, MAC User, or MAC User Group

To delete existing users or user groups from the current configuration, select the name from the list and click Delete. The information is removed from the configuration.
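The time-of-day attribute format described above (day codes, optional hhmm-hhmm ranges, comma or vertical-bar separators, no spaces, 253-character limit) is easy to get wrong when entered by hand, and the overnight case (sa2200-0200) is where most mistakes happen. The following is an added example, not RingMaster or MSS code: a parser that rejects strings the WLC would reject, and an evaluator that decides whether a login at a given time falls inside the specification. The wrap-around handling (an end time earlier than the start time continues into the next day) is an assumption about how MSS interprets such ranges; the page only gives the sa2200-0200 example.

```python
"""Parse and evaluate a Juniper Time-Of-Day VSA string (vendor 14525, type 4).

Added example; not code from RingMaster or MSS. The overnight wrap-around rule
is an assumption drawn from the documented "sa2200-0200" example.
"""
import re
from datetime import datetime

# Day codes from the attribute table; Python weekday(): Monday = 0 ... Sunday = 6.
DAY_CODES = {"mo": 0, "tu": 1, "we": 2, "th": 3, "fr": 4, "sa": 5, "su": 6}
RANGE_RE = re.compile(r"^(mo|tu|we|th|fr|sa|su|wk)(?:(\d{4})-(\d{4}))?$")
MAX_LEN = 253  # documented maximum length of the attribute value


def _hhmm(text):
    """Convert a 4-digit 24-hour field to minutes after midnight."""
    hh, mm = int(text[:2]), int(text[2:])
    if hh > 23 or mm > 59:
        raise ValueError("invalid hhmm value: %s" % text)
    return hh * 60 + mm


def parse_time_of_day(value):
    """Return "never", "any time", or a list of (weekday, start_min, end_min).

    Raises ValueError for input the WLC would reject: spaces, unknown day
    codes, malformed hhmm fields, or a value longer than 253 characters.
    """
    if value in ("never", "any time"):
        return value
    if len(value) > MAX_LEN:
        raise ValueError("time-of-day exceeds %d characters" % MAX_LEN)
    if " " in value:
        raise ValueError("spaces are not permitted in time-of-day")
    spans = []
    for item in re.split(r"[,|]", value):      # comma or vertical bar separators
        match = RANGE_RE.match(item)
        if not match:
            raise ValueError("bad time-of-day range: %r" % item)
        day, start, end = match.groups()
        days = range(0, 5) if day == "wk" else [DAY_CODES[day]]
        if start is None:                     # day only: the whole day is allowed
            lo, hi = 0, 24 * 60
        else:
            lo, hi = _hhmm(start), _hhmm(end)
        for weekday in days:
            spans.append((weekday, lo, hi))
    return spans


def access_allowed(value, when):
    """True if a login at datetime `when` is permitted by the time-of-day value."""
    spans = parse_time_of_day(value)
    if spans == "never":
        return False
    if spans == "any time":
        return True
    weekday = when.weekday()
    minute = when.hour * 60 + when.minute
    for day, lo, hi in spans:
        if lo <= hi:
            if day == weekday and lo <= minute < hi:
                return True
        else:
            # Range crosses midnight: late part on `day`, early part on the next day.
            if day == weekday and minute >= lo:
                return True
            if (day + 1) % 7 == weekday and minute < hi:
                return True
    return False


if __name__ == "__main__":
    spec = "wk0900-1700,sa2200-0200"          # second example from the attribute table
    for when in (datetime(2013, 6, 4, 10, 30),   # Tuesday morning
                 datetime(2013, 6, 9, 1, 30),    # Sunday 01:30, inside the Saturday overnight range
                 datetime(2013, 6, 9, 3, 0)):    # Sunday 03:00, outside it
        print(when.strftime("%a %H:%M"), access_allowed(spec, when))
```

Run the parser over a proposed value before deploying it; a ValueError here means the WLC would not accept the attribute either, and a misparsed overnight range silently locks users out rather than failing loudly.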

Creating User Groups in the Local User Database

To create User Groups in the WLC local user database, use the following steps:

1. From the Organizer pane, select a WLC.
2. Under AAA, select Local User Database.
3. In the Configuration panel, you can view entries in the following categories: Users, User Groups, MAC Users, and MAC User Groups.
4. For existing entries in RingMaster, you can highlight them in the list and click Properties. You can modify any configured options and then save the changes.
5. To add a User Group to the Local User Database, click Create User Group.
6. Enter a unique name for the User Group.
7. Set the expiration time for the password in the Password Expiration Time box.
8. Click Next.
9. From the VLAN Name list, select a VLAN for user access.

Optional Authorization Attributes

10. You can also configure optional authorization attributes for the group. They are the same attributes, with the same descriptions and permitted values, as those listed under Creating Users in the Local User Database: end-date, ssid, termination-action, idle-timeout, session-timeout, filter-id, time-of-day, simultaneous-logins, start-date, mobility-profile, acct-interim-interval, qos-profile, url, service-type, user-name, and encryption-type. Attributes set on the group apply to every user placed in it.
11. Click Next.
12. From the list of Available Users, select the desired users and click Add to move them into the Current Users group.
13. Click Finish to complete the configuration.

To delete an existing User Group, see Deleting an Existing User, User Group, MAC User, or MAC User Group under Creating Users in the Local User Database.
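Several of the authorization attributes in the table under Creating Users in the Local User Database have rules that RingMaster does not check for you until deployment, or that the WLC enforces only at authentication time: a filter-id that names no committed ACL makes the user fail authorization, an acct-interim-interval below 60 is silently ignored, and an encryption-type sum can quietly permit WEP. The following is an added example, not RingMaster or MSS code, that lints a user or group definition against those documented limits before it is deployed. The attribute names and numeric limits are taken from the table; the list of committed ACL names is an input the caller must supply, and the weak-cipher warning reflects the editor's recommendation rather than anything the WLC enforces.

```python
"""Pre-deploy sanity checks for local-user authorization attributes.

Added example; not RingMaster or MSS code. Limits come from the attribute
table in this section; the committed-ACL set must be supplied by the caller.
"""

# Bit values of the Juniper Encryption-Type VSA (vendor 14525, type 3).
ENCRYPTION_BITS = {
    1: "AES_CCM", 4: "TKIP", 8: "WEP_104", 16: "WEP_40", 32: "NONE", 64: "Static WEP",
}
ALL_BITS = sum(ENCRYPTION_BITS)
# Editor's classification: everything other than AES_CCM is broken or absent encryption.
LEGACY_CIPHERS = {"TKIP", "WEP_104", "WEP_40", "NONE", "Static WEP"}

# Numeric limits from the table: (minimum, maximum, whether 0 is a valid "disable").
LIMITS = {
    "idle-timeout": (180, 86400, True),
    "session-timeout": (0, 1728000, False),
    "simultaneous-logins": (1, 1000, False),
    "acct-interim-interval": (180, 3600, True),
}


def decode_encryption_type(value):
    """Split a summed Encryption-Type value into the cipher names it allows."""
    if value <= 0 or value & ~ALL_BITS:
        raise ValueError("encryption-type %d uses undefined bits" % value)
    return [name for bit, name in sorted(ENCRYPTION_BITS.items()) if value & bit]


def lint_user_attributes(attrs, committed_acls):
    """Return a list of problems; an empty list means the definition is deployable.

    attrs: dict of attribute name -> value as entered in RingMaster.
    committed_acls: names (without .in/.out) of security ACLs committed on the WLC.
    """
    problems = []

    for name, (lo, hi, zero_ok) in LIMITS.items():
        if name in attrs:
            value = int(attrs[name])
            if not (lo <= value <= hi) and not (zero_ok and value == 0):
                problems.append("%s=%d is outside %d-%d" % (name, value, lo, hi))

    filter_id = attrs.get("filter-id")
    if filter_id is not None:
        base, _, direction = filter_id.rpartition(".")
        if not base or direction not in ("in", "out"):
            problems.append("filter-id must be of the form acl-name.in or acl-name.out")
        elif len(base) > 32 or any(ch.isspace() for ch in base):
            problems.append("filter-id ACL name must be 1-32 characters with no tabs or spaces")
        elif base not in committed_acls:
            # The WLC rejects the user outright in this case, so treat it as fatal.
            problems.append("filter-id names uncommitted ACL %r: user will fail authorization" % base)

    if "encryption-type" in attrs:
        try:
            ciphers = decode_encryption_type(int(attrs["encryption-type"]))
        except ValueError as exc:
            problems.append(str(exc))
        else:
            weak = sorted(set(ciphers) & LEGACY_CIPHERS)
            if weak:
                problems.append("encryption-type permits weak or no encryption: %s" % ", ".join(weak))

    return problems


if __name__ == "__main__":
    # Constructed sample definition: a guest user with the documented default encryption-type.
    guest = {"idle-timeout": 600, "session-timeout": 28800,
             "filter-id": "guest-acl.in", "encryption-type": 8}
    for problem in lint_user_attributes(guest, committed_acls={"guest-acl"}):
        print("WARNING:", problem)
```

The default encryption-type of 8 (WEP_104) is exactly the kind of setting this catches: it is accepted everywhere and appears harmless in the wizard, but it means the user may associate with a cipher that can be recovered passively.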

Managing User Passwords

Password Format Restrictions

If password restrictions are enabled, the following rules apply to the enable password and to all user passwords:

The password must contain characters from at least two of the following classes: uppercase letter, lowercase letter, number, special character.
The new password must differ from the old password by at least four characters.
The new password cannot match any of the previous 10 passwords. This rule does not apply to network users or to the enable password.

To manage user passwords, use the following steps:

1. From the Organizer pane, select a WLC.
2. Under AAA, select Local User Database.
3. Under Setup, select Password Management.
4. After reading the password format restrictions, click Next.
5. Configure the maximum number of times that a user can log in incorrectly before being locked out of the network.
6. Configure the minimum password length. The range is from 0 to 32.
7. Click Finish to complete the configuration.
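The rules above are enforced by the WLC, but an administrator generating or reviewing passwords offline (for example before bulk-loading local users) benefits from checking them the same way first. The following is an added example, not RingMaster or MSS code, that applies the three documented rules plus the minimum length from step 6, and keeps a per-user failed-login counter to model the lockout threshold from step 5. MSS does not document how it measures "differ by four characters"; the positional comparison used here is an assumption and is labelled as such in the code.

```python
"""Offline check of the MSS password-restriction rules and lockout threshold.

Added example; not RingMaster or MSS code. The "differs by four characters"
rule is implemented as a positional comparison, which is an assumption.
"""

PASSWORD_HISTORY_DEPTH = 10   # "cannot match any of the previous 10 passwords"
MIN_CHARACTER_CLASSES = 2     # "at least two of" upper, lower, number, special
MIN_DIFFERING_CHARS = 4       # "differ from the old password by four characters"


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def differing_characters(old, new):
    """Count positions where old and new differ; extra length counts as differences.

    Assumption: MSS does not document its comparison method.
    """
    return sum(1 for a, b in zip(old, new) if a != b) + abs(len(old) - len(new))


def check_password(new, old=None, history=(), min_length=0, history_exempt=False):
    """Return the list of violated rules; an empty list means the password is acceptable.

    history_exempt: True for network users and for the enable password, which
    the page exempts from the previous-10-passwords rule.
    """
    violations = []
    if len(new) < min_length:
        violations.append("shorter than the minimum length of %d" % min_length)
    if len(character_classes(new)) < MIN_CHARACTER_CLASSES:
        violations.append("fewer than %d character classes" % MIN_CHARACTER_CLASSES)
    if old is not None and differing_characters(old, new) < MIN_DIFFERING_CHARS:
        violations.append("differs from the old password by fewer than %d characters"
                          % MIN_DIFFERING_CHARS)
    if not history_exempt and new in list(history)[-PASSWORD_HISTORY_DEPTH:]:
        violations.append("matches one of the previous %d passwords" % PASSWORD_HISTORY_DEPTH)
    return violations


class LockoutTracker:
    """Count consecutive failed logins per user; lock after max_failures (step 5)."""

    def __init__(self, max_failures):
        self.max_failures = max_failures
        self.failures = {}

    def record_failure(self, user):
        """Register a failed login; return True if the user is now locked out."""
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.is_locked(user)

    def record_success(self, user):
        """A successful login resets the counter (assumed behaviour)."""
        self.failures.pop(user, None)

    def is_locked(self, user):
        return self.failures.get(user, 0) >= self.max_failures


if __name__ == "__main__":
    # Constructed sample: an admin rotating a password with an 8-character minimum.
    print(check_password("Summer2013!", old="Winter2012!", history=["Spring2012!"], min_length=8))
    print(check_password("abcdefgh", old="abcdefgi", min_length=8))
```

Note that the lockout counter applies to the WLC's own local database; when authentication is proxied to RADIUS, the lockout policy of the RADIUS server governs instead.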

Creating MAC User Groups in the Local User Database

To create MAC User Groups in the WLC local user database, use the following steps:

1. From the Organizer pane, select a WLC.
2. Under AAA, select Local User Database.
3. In the Configuration panel, you can view entries in the following categories: Users, User Groups, MAC Users, and MAC User Groups.
4. For existing entries in RingMaster, you can highlight them in the list and click Properties. You can modify any configured options and then save the changes.
5. To add a MAC User Group to the Local User Database, click Create MAC User Group.
6. Enter a unique name for the MAC User Group.
7. Click Next.
8. Select a VLAN for the MAC User Group.

Optional Authorization Attributes

9. You can also configure optional authorization attributes for the group. They are the same attributes, with the same descriptions and permitted values, as those listed under Creating Users in the Local User Database: end-date, ssid, termination-action, idle-timeout, session-timeout, filter-id, time-of-day, simultaneous-logins, start-date, mobility-profile, acct-interim-interval, qos-profile, url, service-type, user-name, and encryption-type. Attributes set on the group apply to every MAC user placed in it.
10. Click Next.
11. From the list of Available Users, select the desired MAC users and click Add to move them into the Current Users group.
12. Click Finish to complete the configuration.

To delete an existing MAC User Group, see Deleting an Existing User, User Group, MAC User, or MAC User Group under Creating Users in the Local User Database.

196 Creating MAC Users in the Local User Database To add users to the WLC local user database, use the following steps: 1. From the Organizer pane, select a WLC. 2. Under AAA, select Local User Database. 3. In the Configuration panel, you can view entries in the following categories: Users User Groups MAC Users MAC User Groups 4. For existing entries in RingMaster, you can highlight them in the list and click Properties. 5. To add a MAC user to the Local User Database, click Create MAC User. 6. Enter a User MAC Address or a range of MAC addresses. 7. From the Vendors list, select the vendor. 8. To add an OUI, select it from the OUI list. 9. If you want to add the MAC User to a MAC User Group, select the group from the list of configured groups. 10. Select a VLAN for the user. Optional Authorization Attributes 11. You can also configure optional Authorization Attributes. This includes the following attributes: Attribute Description Value end-date Date and time after which the user is no longer allowed to be on the network. Date and time, in the following format: YY/MM/DD-HH:MM You can use end-date alone or with start-date. You also can use start-date, end-date, or both in conjunction with time-of-day ssid SSID the user is allowed to access after authentication. Name of the SSID for the user. The SSID must be configured in a service profile, and the service profile must be used by a radio profile assigned to Juniper radios in the Mobility Domain. termination-action idle-timeout The type of action taken to terminate a client on the network. The length of time that a client can be idle on the network before automatically disconnecting from the network. The attribute has these options: 0 (Disconnect) 1 (Re-authentication) Number between 180 and 86400seconds with a default value of 3600, or 0 to disableperiodic accounting updates. The WLC ignores the acct-interim-interval value and issues a log message if the value is below 60 seconds. 
Note: If both a RADIUS server and the WLC supply a value for the acct-interim-interval attribute, then the value from the WLC takes precedence. session-timeout Maximum number of seconds for the user s session. Number between 0 and 1,728,000 seconds (20 days). Copyright 2012, Juniper Networks, Inc. Creating MAC Users in the Local User Database 1

Attribute: filter-id
  Description: Security access control list (ACL), to permit or deny traffic received (input) or sent (output) by the WLC.
  Value: Name of an existing security ACL, up to 32 alphanumeric characters, with no tabs or spaces. Use acl-name.in to filter traffic that enters the WLC from users via an MP access port or wired authentication port, or from the network via a network port. Use acl-name.out to filter traffic sent from the WLC to users via an MP access port or wired authentication port, or from the network via a network port.
  Note: If the Filter-Id value returned through the authentication and authorization process does not match the name of a committed security ACL in the WLC, the user fails authorization and is unable to authenticate.

Attribute: time-of-day
  Description: Day(s) and time(s) during which the user is permitted to log into the network. After authorization, the user's session can last until either the Time-Of-Day range or the Session-Timeout duration (if set) expires, whichever is shorter.
  Note: Time-Of-Day is a Juniper vendor-specific attribute (VSA). The vendor ID is 14525, and the vendor type is 4.
  Value: One of the following:
    never: Access is always denied.
    any: Access is always allowed, at any time.
    enter days: Access is allowed on specific days at specific times. Enter one or more ranges, each consisting of one of the following day designations (required) and a time range in hhmm-hhmm 4-digit 24-hour format (optional):
      mo Monday, tu Tuesday, we Wednesday, th Thursday, fr Friday, sa Saturday, su Sunday, wk any day between Monday and Friday.
    Separate values or a series of ranges (except time ranges) with commas (,) or a vertical bar (|). Do not use spaces. The maximum number of characters is 253.
    For example, to allow access only on Tuesdays and Thursdays between 10 a.m. and 4 p.m., specify the following: time-of-day tu ,th
    To allow access only on weekdays between 9 a.m. and 5 p.m., and on Saturdays from 10 p.m. until 2 a.m., specify the following: time-of-day wk ,sa
  Note: You can use time-of-day in conjunction with start-date, end-date, or both.

Attribute: simultaneous-logins
  Description: The number of times that a user can log into the network from different locations.
  Value: The range is from 1 to 1000 with a default value of 1.

Attribute: start-date
  Description: Date and time that the user becomes eligible to access the network. MSS does not authenticate the user unless the attempt to access the network occurs at or after the specified date and time, but before the end-date (if specified).
  Value: Date and time, in the following format: YY/MM/DD-HH:MM. You can use start-date alone or with end-date. You also can use start-date, end-date, or both in conjunction with time-of-day.

Attribute: mobility-profile
  Description: Mobility Profile attribute for the user. (For more information, see Viewing Mobility Profiles.)
  Note: Mobility-Profile is a Juniper vendor-specific attribute (VSA). The vendor ID is 14525, and the vendor type is 2.
  Value: Name of an existing Mobility Profile.
  Note: If the Mobility Profile feature is enabled, and a user is assigned the name of a nonexistent Mobility Profile on the WLC, the user is denied access.

Attribute: acct-interim-interval
  Description: Interval in seconds between accounting updates, if accounting is enabled and the Start-Stop record type is specified.
  Value: Select Enable Updates and then a number between 180 and 3,600 seconds, or 0 to disable periodic accounting updates. The WLC ignores the acct-interim-interval value and issues a log message if the value is below 60 seconds.
  Note: If both a RADIUS server and the WLC supply a value for the acct-interim-interval attribute, then the value from the WLC takes precedence.

Attribute: qos-profile
  Description: You can assign a user to a specific QoS profile.
  Value: Select the profile from the list of configured QoS Profiles.

Attribute: url
  Description: URL to which the user is redirected after successful WebAAA.
  Value: Web URL, in standard format. For example: Note: You must include the portion.

Attribute: service-type
  Description: Type of access the user is requesting.
  Value: Access type, which can be one of the following:
    2 Framed; for network user access.
    6 Administrative; for administrative access, with authorization to access the enabled (configuration) mode. The user must enter the enable command and the correct enable password to access the enabled mode.
    7 NAS-Prompt; for administrative access to the nonenabled mode only. In this mode, the user can still enter the enable command and the correct enable password to access the enabled mode.
  For administrative sessions, the WLC always sends 6. A RADIUS server can reply with one of the listed values. If the service-type is not set on the RADIUS server, administrative users receive NAS-Prompt access, and network users receive Framed access.
  Note: MSS quietly accepts Callback Framed, but you cannot select this access type in MSS.

Attribute: user-name
  Description: User name to be displayed.
  Value: User name of up to 80 characters; it can contain numbers and special characters.

Attribute: encryption-type
  Description: Type of encryption required for access by the client. Clients who attempt to use an unauthorized encryption method are rejected.
  Note: Encryption-Type is a Juniper vendor-specific attribute (VSA). The vendor ID is 14525, and the vendor type is 3.
  Value: One of the following numbers that identifies an encryption algorithm:
    1 AES_CCM (Advanced Encryption Standard using Counter with CBC-MAC)
    4 TKIP (Temporal Key Integrity Protocol)
    8 WEP_104 (the default) (Wired-Equivalent Privacy protocol using 104 bits of key strength)
    16 WEP_40 (Wired-Equivalent Privacy protocol using 40 bits of key strength)
    32 NONE (no encryption)
    64 Static WEP
  In addition to these values, you can specify a sum of them for a combination of allowed encryption types. For example, to specify WEP_104 and WEP_40, use 24.

Attribute: filter-id
  Description: Security access control list (ACL), to permit or deny traffic received (input) or sent (output) by the WLC. (For more information about security ACLs, see ACLs.)
  Value: Name of an existing security ACL, up to 32 alphanumeric characters, with no tabs or spaces. Use acl-name.in to filter traffic that enters the WLC from users via an MP access port or wired authentication port, or from the network via a network port. Use acl-name.out to filter traffic sent from the WLC to users via an MP access port or wired authentication port, or from the network via a network port.
  Note: If the Filter-Id value returned through the authentication and authorization process does not match the name of a committed security ACL in the WLC, the user fails authorization and is unable to authenticate.

12. Click Finish to complete the configuration.

Deleting an Existing User, User Group, MAC User, or MAC User Group
To delete existing users or user groups from the current configuration, select the name from the list and click Delete. The information is removed from the configuration.
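The time-of-day, start-date, session-timeout and encryption-type rows above describe the checks a WLC has to make when it authorizes a user. The following Python is an added illustration of those checks, not code from MSS or RingMaster: it parses a time-of-day string (the keywords never and any, or day designations with optional hhmm-hhmm ranges separated by commas or vertical bars), applies start-date and end-date in the table's YY/MM/DD-HH:MM format, shortens the session to the lesser of the remaining time-of-day window and session-timeout, and expands an encryption-type sum into the methods it permits. The attribute strings and dates used in the tests are constructed from the table's prose; the treatment of a range that runs past midnight (the Saturday 10 p.m. to 2 a.m. case) as continuing into the next day is this example's reading of the format.

```python
import re
from datetime import datetime, timedelta

# Day designations from the attribute table; "wk" stands for Monday through Friday.
_DAYS = {"mo": 0, "tu": 1, "we": 2, "th": 3, "fr": 4, "sa": 5, "su": 6}
_ENTRY_RE = re.compile(r"^(mo|tu|we|th|fr|sa|su|wk)(?:(\d{4})-(\d{4}))?$")


def parse_mss_date(text):
    """Parse the start-date / end-date format YY/MM/DD-HH:MM from the table."""
    return datetime.strptime(text, "%y/%m/%d-%H:%M")


def _hhmm(text, default):
    """4-digit 24-hour time -> minutes after midnight; `default` when the range is absent."""
    if text is None:
        return default
    hours, minutes = int(text[:2]), int(text[2:])
    if hours > 23 or minutes > 59:
        raise ValueError("bad hhmm time: %s" % text)
    return hours * 60 + minutes


def parse_time_of_day(value):
    """Return "never", "any", or a list of (weekday, start_minute, end_minute) windows.

    Entries are separated by "," or "|", contain no spaces, and the whole string is
    at most 253 characters. An entry without a time range covers the whole day; an
    end time earlier than the start (sa2200-0200) runs past midnight (example's reading).
    """
    if value in ("never", "any"):
        return value
    if len(value) > 253 or " " in value:
        raise ValueError("time-of-day: at most 253 characters and no spaces")
    windows = []
    for entry in re.split(r"[,|]", value):
        match = _ENTRY_RE.match(entry)
        if not match:
            raise ValueError("bad time-of-day entry: %r" % entry)
        day, start, end = match.groups()
        for weekday in (range(5) if day == "wk" else [_DAYS[day]]):
            windows.append((weekday, _hhmm(start, 0), _hhmm(end, 24 * 60)))
    return windows


def _window_end(when, weekday, start_min, end_min):
    """Datetime at which the window containing `when` closes, or None if `when` is outside it."""
    midnight = when.replace(hour=0, minute=0, second=0, microsecond=0)
    minute = when.hour * 60 + when.minute
    if start_min < end_min:  # window lies within a single day
        if when.weekday() == weekday and start_min <= minute < end_min:
            return midnight + timedelta(minutes=end_min)
        return None
    # window wraps past midnight: [start, 24:00) on `weekday`, then [00:00, end) the day after
    if when.weekday() == weekday and minute >= start_min:
        return midnight + timedelta(days=1, minutes=end_min)
    if when.weekday() == (weekday + 1) % 7 and minute < end_min:
        return midnight + timedelta(minutes=end_min)
    return None


def session_limit(time_of_day, session_timeout, when, start_date=None, end_date=None):
    """Seconds a session authorized at `when` (YY/MM/DD-HH:MM string) may last.

    start-date / end-date are checked first; then the shorter of the remaining
    time-of-day window and session-timeout (None = not set) wins, as the table says.
    Returns 0 when access is denied at `when` and None when no limit applies.
    """
    when = parse_mss_date(when)
    if start_date is not None and when < parse_mss_date(start_date):
        return 0
    if end_date is not None and when >= parse_mss_date(end_date):
        return 0
    windows = parse_time_of_day(time_of_day)
    if windows == "never":
        return 0
    limits = [] if session_timeout is None else [session_timeout]
    if windows != "any":
        ends = [e for e in (_window_end(when, *w) for w in windows) if e is not None]
        if not ends:
            return 0
        limits.append(int((max(ends) - when).total_seconds()))
    return min(limits) if limits else None


# encryption-type values from the table; a sum allows several methods (24 = WEP_104 + WEP_40).
ENCRYPTION_TYPES = {1: "AES_CCM", 4: "TKIP", 8: "WEP_104", 16: "WEP_40", 32: "NONE", 64: "Static WEP"}
_ALL_BITS = sum(ENCRYPTION_TYPES)


def decode_encryption_type(value):
    """Expand an encryption-type value into the names of the methods it allows."""
    if value <= 0 or value & ~_ALL_BITS:
        raise ValueError("encryption-type %r is not a sum of defined values" % value)
    return [name for bit, name in sorted(ENCRYPTION_TYPES.items()) if value & bit]


def encryption_allowed(value, client_method):
    """True if a client proposing `client_method` (one single table value) is accepted."""
    decode_encryption_type(value)  # reject malformed policy values before comparing
    return client_method in ENCRYPTION_TYPES and bool(value & client_method)
```

Calling session_limit("wk0900-1700|sa2200-0200", 3600, "13/06/16-01:30") returns 1800, because the Saturday window closes at 2 a.m. on Sunday and that is sooner than the one-hour session-timeout. decode_encryption_type(8), the table's default, yields only WEP_104; a value of 1 restricts access to AES_CCM clients, which is the reading a reviewer of a user policy should check for.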

Creating a RADIUS Server
To add a RADIUS Server to RingMaster, use the following steps:
1. From the Organizer pane, select a WLC.
2. Under AAA, select RADIUS.
3. In the Task Panel, under Create, click Create RADIUS Server.
4. Enter a name to identify the RADIUS Server.
5. Enter the IP address in the IP Address field.
6. Enter the authentication key in the Key field.
7. To use the MAC address as the password, select Use MAC as Password.
8. Enter the Authorization password.
9. If you are using the MAC address as the password, select the format from the MAC Address Format list.
10. Create a RADIUS Server Group for the RADIUS server. A RADIUS Server Group can contain multiple RADIUS servers and allows you to create redundancy and load balancing for AAA.
11. Click Next.
12. Because the RADIUS Server Group was created in the previous step, the server group appears in the list of Current RADIUS Server Groups.
13. Click Finish to complete the configuration.

Creating a RADIUS Server Group
To create a RADIUS Server Group, use the following steps:
1. From the Organizer pane, select a WLC.
2. Under AAA, select RADIUS.
3. In the Tasks panel, under Create, click Create RADIUS Server Group.
4. Enter a name to identify the RADIUS Server Group.
5. Select one or more RADIUS Servers to be members of the RADIUS Server Group. Click Add to move them to the list of Current RADIUS Servers.
6. To allow load balancing between servers, select Load Balance.
7. Click Finish to complete the configuration.

Configuring RADIUS Accounting Properties
To enable RADIUS Accounting, use the following steps:
1. From the Organizer pane, select a WLC.
2. Under AAA, select RADIUS.
3. In the Task Panel, under Setup, click System Accounting.
4. Select a RADIUS Server Group (or multiple RADIUS server groups) from the Available AAA Server Groups, and click Add. The server is moved to the Current AAA Server Groups. As you add servers, you can also change the order in which they appear in the list. Use the Up and Down arrows to change the server order in the list.
5. Click OK to complete the configuration.

Creating a RADIUS Dynamic Authorization Client (DAC)
To create a RADIUS DAC, use the following steps:
1. From the Organizer pane, select a WLC.
2. Under AAA, select RADIUS.
3. In the Tasks panel, under Create, click Create RADIUS DAC.
4. Enter a name to identify the RADIUS DAC.
5. Enter the IP Address of the RADIUS DAC.
6. Enter the authentication key.
7. Click Next.
8. To apply a Wired Access Rule, enable it by selecting Wired Access Rule.
9. Select the SSIDs for which the RADIUS DAC can modify connection properties and authorization attributes. Select Any to allow the RADIUS DAC to modify any SSID.
10. Click Add to add the SSID to the list of Associated SSIDs.
11. Click Finish.

Setting Up RADIUS Defaults
You can specify default settings that apply to all RADIUS servers configured on a WLC. You can also specify RADIUS DAC settings that apply to all DACs connecting to the RADIUS DAC server.
To configure default RADIUS settings, use the following steps:
1. From the Organizer pane, select a WLC.
2. Under AAA, select RADIUS.
3. In the Task Panel, under Setup, click RADIUS Defaults.
4. The following default settings can be configured:
   Timeout [seconds]: The range is from 1 to seconds with a default value of 5 seconds.
   Retry Count: Specify how many times a RADIUS request is retried on the RADIUS server. The range is 1 to 100 with a default value of 3.
   Dead Time [minutes]: Specify how long to wait after a RADIUS server times out. The range is 0 to 1440 minutes with a default value of 5 minutes.
   Key: Enter the authentication key used to communicate with the RADIUS server.
   Use MAC as Password: Use the MAC address of the server as the password.
   Authorization Password: Enter the default authorization password for the server.
   MAC Address Format: Select the MAC address format for the server. You can select one of the following options: None, Hyphens, Colons, One Hyphen, Raw.
   Authentication Protocol: Select the Authentication Protocol for the server. You can select one of the following options: PAP, CHAP, MSCHAP-V2.
   RADIUS DAS Port: Configure the port for the Dynamic Authentication Server. The default value is
5. Click OK to complete the configuration.

Configuring CDR Accounting Properties
To enable CDR Accounting, use the following steps:
1. From the Organizer pane, select a WLC.
2. Under AAA, select RADIUS.
3. In the Task Panel, under Setup, click CDR Accounting.
4. Select a RADIUS Server Group from the list of Available AAA Server Groups. Click Add to move it to the list of Current AAA Server Groups. You can reorder the servers in the list by using the Up and Down arrows. Once you add the server to the Current AAA Server Group list, CDR Accounting is automatically enabled.
5. Click OK to complete the configuration.

Configuring RADIUS Ping
RingMaster provides a RADIUS ping utility to enhance troubleshooting capabilities if there are problems communicating with a RADIUS server. The radping command allows a WLC to send an authentication request to a RADIUS server to determine whether that server is active or offline. You must authenticate on the RADIUS server using MSCHAPv2 authentication.
To configure RADIUS Ping, use the following steps:
1. From the Organizer panel, select a WLC.
2. Under AAA, select RADIUS.
3. In the Task Panel, under Other, click RADIUS Ping.
4. You can configure the following RADIUS Ping command parameters:
   Target: Select a RADIUS Server from the list of servers.
   Request Type: Select one of the following Request Types:
     Authentication: Requires a username and password.
     Start Accounting: Begin collecting statistics for user accounts on the server.
     Stop Accounting: Stop collecting statistics for user accounts on the server.
     Update Accounting: Update the accounting statistics.
     Accounting On: Enable accounting statistics collection on the server.
     Accounting Off: Enable accounting statistics collection on the server.
5. Enter the Username and Password to authenticate on the RADIUS Server.
6. Click Start.
7. The ping information is displayed in the Status panel.
8. Click Stop to end the session.

Configuring Split Authentication and Authorization
With the implementation of RADIUS Ping, a RADIUS server authenticates a user, but authorization attributes are received from the WLC local user database. This is accomplished by including a Vendor-Specific Attribute (VSA) in the RADIUS Accept response. When the WLC receives the RADIUS Accept response, the WLC uses the group name and attempts to match it to the authorization attributes of a corresponding user group in the local user database.
To configure this feature, additional attributes must be configured on the RADIUS server. For the user-group name, specify a string consisting of 1-32 characters. Additional values consist of Type 26, Vendor ID , Vendor Type 9 (Juniper VSA).
Informational Note: The VSA value remains Juniper until it is converted to Juniper in the next release of MSS and RingMaster.

Attributes that appear in the RADIUS Accept response are added to the session attributes. If the Access-Accept has a Juniper group-name VSA, the attributes from the corresponding user group in the local database are applied.
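As an added illustration of the split authentication and authorization exchange described above (example code, not code from MSS, RingMaster, or any RADIUS server product), the following Python lays out the Juniper group-name VSA the way it travels in the Access-Accept and then performs the WLC-side lookup against a local user-group table. The Vendor-Specific attribute type 26, the Juniper vendor ID 14525 and the vendor types 2, 3, 4 and 9 are the values the attribute tables on this page give; the Service-Type attribute number 6 and the attribute layout (Type, Length, Vendor-Id, Vendor-Type, Vendor-Length, data) come from the RADIUS standard (RFC 2865). The local group table and the group names are constructed sample data, and the rule that a value supplied directly in the Access-Accept is kept over the local group's value for the same attribute is this example's assumption, since the page does not state a precedence.

```python
import struct

RADIUS_VSA = 26            # Vendor-Specific attribute type (RFC 2865)
RADIUS_SERVICE_TYPE = 6    # Service-Type attribute type (RFC 2865); values 2, 6, 7 as in the table
VENDOR_ID_JUNIPER = 14525  # vendor ID given in the attribute tables on this page
# Juniper vendor types named on this page
VENDOR_TYPES = {2: "Mobility-Profile", 3: "Encryption-Type", 4: "Time-Of-Day", 9: "group-name"}


def encode_attr(attr_type, data):
    """Encode a standard attribute: Type(1) Length(1) Value; Length counts the whole attribute."""
    if not 0 <= len(data) <= 253:
        raise ValueError("attribute value must be 0-253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def encode_vsa(vendor_type, data, vendor_id=VENDOR_ID_JUNIPER):
    """Encode one VSA: Type 26, Length, Vendor-Id(4), Vendor-Type(1), Vendor-Length(1), data."""
    if isinstance(data, str):
        data = data.encode("ascii")
    if vendor_type == 9 and not 1 <= len(data) <= 32:  # user-group name limit stated on this page
        raise ValueError("group-name must be 1-32 characters")
    vendor_payload = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    return encode_attr(RADIUS_VSA, struct.pack("!I", vendor_id) + vendor_payload)


def decode_attributes(blob):
    """Walk an attribute list. Juniper VSAs (one sub-attribute each) come back as
    ("Juniper:<name>", value); everything else as (type, value). Malformed lengths raise."""
    found, offset = [], 0
    while offset < len(blob):
        if offset + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[offset], blob[offset + 1]
        if length < 2 or offset + length > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (length, offset))
        value = blob[offset + 2:offset + length]
        offset += length
        if attr_type == RADIUS_VSA and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            if vendor_id == VENDOR_ID_JUNIPER and vendor_len == len(value) - 4:
                name = VENDOR_TYPES.get(vendor_type, "vendor-type-%d" % vendor_type)
                found.append(("Juniper:" + name, value[6:]))
                continue
        found.append((attr_type, value))
    return found


def build_split_auth_accept(group_name, service_type=2):
    """Attributes a RADIUS server places in the Access-Accept: Service-Type plus the group-name VSA."""
    return encode_attr(RADIUS_SERVICE_TYPE, struct.pack("!I", service_type)) + encode_vsa(9, group_name)


def apply_local_group(accept_blob, local_groups):
    """WLC side: take the Access-Accept attributes as session attributes, then add the
    attributes of the local user group named by the Juniper group-name VSA.
    Returns (session_attrs, group_found); group_found is False when no group matches."""
    session, group_name = {}, None
    for key, value in decode_attributes(accept_blob):
        if key == "Juniper:group-name":
            group_name = value.decode("ascii")
        elif key == RADIUS_SERVICE_TYPE:
            session["service-type"] = struct.unpack("!I", value)[0]
        else:
            session[key] = value
    if group_name is None or group_name not in local_groups:
        return session, False
    for attr, value in local_groups[group_name].items():
        session.setdefault(attr, value)  # assumption: an Accept-supplied value wins over the group's
    return session, True
```

decode_attributes rejects an attribute whose Length runs past the end of the buffer before any vendor field is read, which is the check a receiver needs before trusting the Vendor-Length byte inside a VSA.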

Configuring SmartPass Servers for AAA
This wizard assists you with configuring SmartPass servers for Authentication, Accounting, Dynamic Authorization, and CDR Accounting. You can also configure a SmartPass server as an External Captive Portal.
To configure a SmartPass Server for AAA, use the following steps:
1. From the Organizer pane, select a WLC.
2. Under AAA, select RADIUS.
3. In the Task Panel, under Setup, click SmartPass.
4. After reading the description of the feature, click Next.
5. From the list of Available SmartPass Servers, select one and click Add to move it to the list of Current SmartPass Servers.
6. Click Next.
7. Configure the SmartPass RADIUS Server Group by selecting an available AAA Server from the list. Click Add to move it to the list of Current RADIUS Servers. If you want to load balance network traffic between the servers, select Load Balance.
8. Select the options from the SmartPass Options list to add to the configuration. You can select from the following options: Authentication, Accounting, Dynamic Authorization, CDR Accounting.
9. Click Next.
10. Select an existing Service Profile, either 802.1X or Web Portal. You can also create a new one by selecting Create New Service Profile.
11. To edit the properties of an existing profile, select it from the list of Service Profiles and click Properties.
12. Click Next.
13. To configure Accounting options, select the SSIDs; the corresponding Access Rules are created automatically.
14. If you select RADIUS DAC, you can configure the RADIUS Server as Self or as the SmartPass server.
15. Select Configure as DAC if you want the server to act as a Dynamic Authorization Client.
16. Select an SSID from the list of Available SSIDs and click Add to move it to the Associated SSIDs.
17. Click Next.
18. To configure the CDR Accounting options, select the SmartPass server group from the list of Available AAA Server Groups and click Add to move it to the list of Current AAA Server Groups.
19. Click Finish to complete the configuration.

Creating an LDAP Server
To create an LDAP Server, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under AAA, click LDAP Server.
3. From the Tasks panel, click Create LDAP Server.
4. Enter a unique name for the LDAP Server.
5. Enter the IP Address of the server.
6. Enter the Fully Qualified Domain Name (FQDN) of the LDAP server.
7. Optional: If desired, check the Author Password User MAC box. If enabled, this sets the user's MAC address as the password. If this option is left unchecked, the user may specify a password instead.
8. Click Next.
9. An LDAP Server Group is automatically created with the name of the LDAP Server.
10. Click Next.
11. The LDAP Server Group appears in the list of Current LDAP Server Groups. If you want to remove it from the server group, select it and click Remove.
12. Click Finish to complete the configuration.

Changing LDAP Server Properties
To change any of the LDAP Server properties, select the server from the list of servers and click Properties. Change the desired options, and click OK to complete the configuration. You can change the following options:
   IP Address
   Timeout [seconds] - Sets the timeout for communication with the LDAP server. You can set the time in seconds with a range of 1 to seconds. The default value is 5 seconds.
   Authentication Port - The default port is 389.
   Dead Time [minutes] - The length of time to wait before recontacting an LDAP server. The range is 0 to 1440 minutes with a default value of 5 minutes.
   Bind Mode - Select from NONE, SIMPLE-AUTH, SASL-MD5.
   MAC Address Format - Select from None, Hyphens, Colons, One Hyphen, or Raw.
   Base DN
   Prefix DN
   Author Password User MAC - If checked, sets the user's MAC address as the password.

Deleting an LDAP Server
To delete any of the LDAP Servers, select the server from the list of servers and click Delete. Click Finish to confirm that you want to delete the server.

Creating an LDAP Server Group
To create an LDAP Server Group, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under AAA, click Create LDAP Server Group.
3. Enter a unique name for the LDAP Server Group.
4. Select one or more LDAP Servers to add to the group.
5. Click Add to move the servers to the Current LDAP Servers list. You can change the order of the servers by using the Up and Down arrows.
6. Click Finish to complete the configuration.

Changing LDAP Server Group Properties
To change the LDAP Server Group properties, select the group from the list of LDAP Server Groups, and click Properties. You can change the following properties:
   Load Balancing
   Adding or removing LDAP Servers from the LDAP Server Group

Deleting an LDAP Server Group
To delete any of the LDAP Server Groups, select the group from the list and click Delete. Click Finish to confirm that you want to delete the server group.

Configuring LDAP Default Settings
To configure LDAP default settings, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under AAA, select LDAP.
3. In the Tasks panel, under Setup, click LDAP Defaults.
4. You can change the following default settings:
   Timeout [seconds] - Sets the timeout for communication with the LDAP server. You can set the time in seconds with a range of 1 to seconds. The default value is 5 seconds.
   Authentication Port - The default port is 389.
   Dead Time [minutes] - The length of time to wait before recontacting an LDAP server. The range is 0 to 1440 minutes with a default value of 5 minutes.
   Bind Mode - Select from NONE, SIMPLE-AUTH, SASL-MD5.
   MAC Address Format - Select from Hyphens, Colons, One Hyphen, or Raw.
   Fully Qualified Domain Name (FQDN) - The domain name for the LDAP Server.
   Base DN
   Prefix DN
5. Click OK to complete the configuration.

Configuring 802.1X Global Parameters
802.1X Access Rules include information about the Extensible Authentication Protocol (EAP) type to use for AAA communication between the client and the AAA server. The EAP type can be one of the following:
   EAP-MD5 Offload: EAP with Message-Digest algorithm 5 (MD5). Select this protocol for wired clients. Uses challenge-response to compare hashes.
   Dynamic Authorization Server Port: The UDP port on which the DAS listens for Disconnect and CoA requests sent by the DAC.
To configure 802.1X global parameters, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under AAA, click 802.1X.
3. In the 802.1X section, you can configure the following parameters:
   802.1X System Authentication Control: To enable 802.1X authentication for all wired authentication ports on the WLC, select System Authentication Control. To disable 802.1X authentication for all wired authentication ports, clear System Authentication Control. By default, 802.1X authentication is enabled.
   Retransmit Timeout [seconds]: To specify the number of seconds before retransmitting an Extensible Authentication Protocol over LAN (EAPoL) packet, specify the timeout value (1 to 65,535 seconds) in the Retransmit Timeout field. The default is 5 seconds.
   Authentication Server Timeout [seconds]: To specify the number of seconds before timing out a request to an authentication server, specify the timeout value (1 to 65,535 seconds) in the Authentication Server Timeout field. The default is 30 seconds.
   Key Transmit: To enable encryption key information to be sent to the client after authentication in EAPoL-Key PDUs, select Key Transmit. The WLC sends EAPoL key messages after successfully authenticating the client and receiving authorization attributes for the client. If the client is using dynamic WEP, the EAPoL key messages are sent immediately after authorization. To disable this option, clear Key Transmit. By default, this option is enabled.
   Reauthentication Attempts: To specify the number of reauthentication requests before a client becomes unauthorized, specify the value (1 to 10) in the Reauthentication Attempts field. The default is 2 attempts.
   Bonded Period [seconds]: To specify the number of seconds MSS retains session information for Bonded Auth (bonded authentication), specify the value, from 1 to 300 seconds, in the Bonded Period field. The default is 0 seconds.
   Quiet Period Timeout [seconds]: To specify the number of seconds before attempting reauthentication, specify the timeout value (0 to 65,535 seconds) in the Quiet Period Timeout field. The default is 60 seconds.

   Supplicant Timeout [seconds]: To specify the number of seconds before timing out an authentication session with an 802.1X client (supplicant), specify the timeout value (1 to 65,535 seconds) in the Supplicant Timeout field. The default is 30 seconds.
   Maximum Requests: To set the maximum number of times an EAP request is transmitted to the client before timing out the authentication session, specify the value (0 to 10) in the Maximum Requests field. The default is 2 attempts.
   Informational Note: To support SSIDs that have both 802.1X and static WEP clients, MSS sends a maximum of two ID requests, even if this parameter is set to a higher value. Setting the parameter to a higher value does affect all other types of EAP messages.
   Reauthentication: To enable reauthentication of 802.1X clients, select Reauthentication. To disable reauthentication, clear Reauthentication. By default, reauthentication is enabled.
   Informational Note: If the number of reauthentications for a wired authentication client is greater than the maximum number of reauthentications allowed, MSS sends an EAP failure packet to the client and removes the client from the network. However, MSS does not remove a wireless client from the network under these circumstances.
   Reauthentication Period [seconds]: To specify the number of seconds before reauthentication is attempted, specify the timeout value, from 60 to 1,641,600 seconds (19 days), in the Reauthentication Period field. The default is 3600 seconds (one hour). MSS re-authenticates dynamic WEP clients based on a re-authentication timer. MSS also re-authenticates WPA clients if they use the WEP-40 or WEP-104 cipher. For each dynamic WEP client or WPA client using a WEP cipher, the reauthentication timer is set to the lesser of the global setting or the value returned by the AAA server with the rest of the authorization attributes for that client.
   Handshake Timeout [msecs]: Set the handshake timeout period. You can enter a value in milliseconds from 20 to The default value is 2000 milliseconds.
   WEP Key Rolling: To enable WEP key rolling (rotation) of the broadcast and multicast WEP keys, select WEP Key Rolling.
   WEP Key Rolling Period [seconds]: To specify the time to wait before rotating the WEP key, specify the value, from 30 to 1,641,600 seconds (19 days), in the WEP Key Rolling Period field. The default is 1800 seconds (30 minutes).
   TKIP/CCMP Key Rolling: To maintain secure wireless access to the network, keys used to encrypt packets should be difficult for a third party to guess or hack.

   This option enables or disables unicast periodic rekeying with a configurable interval value. When the timer expires, the client unicast key (PTK) is changed by initiating a 4-way handshake. It also enables multicast periodic rekeying with a configurable interval value. When that timer expires, all VLAN keys (GTK) are changed by initiating a 4-way or 2-way handshake.
   Unicast Key Rolling: Select to enable Unicast Key Rolling.
   Unicast Key Rolling Period [seconds]: Configure a value from 30 to seconds. The default value is 300 seconds.
   Multicast Key Rolling: Select to enable Multicast Key Rolling.
   Multicast Key Rolling [seconds]: Configure a value from 30 to seconds. The default value is 300 seconds.

Creating AAA Profiles
To configure AAA Profiles, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under AAA, click AAA Profiles.
3. In the Tasks panel, under Create, click Create AAA Profile.
4. Enter a unique name to identify the profile.
5. Click Next.
6. You can add, modify, or create Access Rules associated with this profile.
Creating an Access Rule
7. Click Create. You can create one of the following types of Access Rules: 802.1X Authentication Rule, MAC Authentication Rule, Web Authentication Rule.
8. Click Finish to complete the configuration.
If you want to modify the Access Rule, select the Rule and then click Properties. Edit any of the available parameters and click OK. You can reorder the rules in the list using the Up and Down arrows.

Creating AAA Profile Access
To configure AAA Profile Access, use the following steps:
1. In the Organizer panel, select a WLC.
2. Under AAA, click AAA Profiles.
3. In the Tasks panel, under Create, click Create AAA Profile Access.
4. From the SSID list, select an SSID to which to apply the access rule. If the rule applies to Wired Auth users, select Wired Auth.
5. Select an AAA Profile from the list.
6. Click Next.
Optional: Accounting Servers
7. To enable accounting for the profile, select Enabled.
8. From the Record Type list, select from the following options: Start-Stop, Start-Only.
9. From the list of Available AAA Server Groups, select one and click Add to move it to the list of Current AAA Server Groups. You can reorder the server groups in the list by using the Up and Down arrows.
10. Click Finish to complete the configuration.

Overview of Access Rules
Service Profile wizards create network access rules to control access to the SSIDs configured by each wizard. Access rules match on all usernames or MAC addresses for voice service profiles. Table 1 lists the access rules automatically created by the service profile wizards.

Table 1: Access Rules Created Automatically by Service Profile Type

   Service Profile Type   Access Rule Type   Default Access Glob
   802.1X                 802.1X             **
   Voice                  MAC                *
   Mesh                   MAC                *
   Web-Portal (WebAAA)    Web                **
   Custom                 Can be one or more of the above, depending on the type of Service Profile.   None. No access rules are configured automatically. You must configure them as part of the wizard steps.

The ** and * values are wildcards. The ** wildcard matches on all usernames. To match on all MAC addresses, use only a single *. You can restrict access by specifying part of the username or MAC address along with a wildcard *. In this case, only the usernames or MAC addresses that match the partial username or address are allowed access to the network.

User Globs and MAC Address Globs
A user glob is a string containing wildcards that matches on one or more usernames. The format of a user glob depends on the client type and Extensible Authentication Protocol (EAP) method.
For Windows domain clients using Protected EAP (PEAP), the user glob is in the format Windows_domain_name\username. The Windows domain name is the NetBIOS domain name and must be specified in capital letters. For example, EXAMPLE\sydney, or EXAMPLE\*.*, which specifies that all users with usernames containing a period are allowed access.
For EAP with Transport Layer Security (EAP-TLS) clients, the format is username@domain.name. For example, sydney@example.com specifies the user sydney in the domain example.com. The user glob *@marketing.example.com specifies all users in the marketing department in example.com. The user glob sydney@engineering.example.com specifies the user sydney in the engineering department at example.com.
For a MAC address glob, type a full or partial username to be matched during authentication. MAC addresses must be specified with colons as the delimiters, for example, 00:12:34:56:78. You can use wildcards by specifying an asterisk (*) in MAC addresses.

The following are examples of using wildcards in MAC addresses:
   * (all MAC addresses)
   00:*
   00:01:*
   00:01:02*
   00:01:02:03:*
   00:01:02:03:04:*
   00:01:02:03:04:0*
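As an added example of how the user globs and MAC address globs described above select usernames and addresses (illustration code, not code from MSS or RingMaster), the following Python implements both matchers and walks an ordered rule list with them. It takes from this page that ** matches every username, that a single * matches every MAC address, that a partial colon-delimited address ending in * matches by prefix, and that Windows domain names are written in capital letters; it assumes, since the page does not spell out the wildcard's reach, that a * inside a user glob matches any run of characters and that usernames compare case-sensitively. The rule list and the identities in the tests are constructed, and the function returns every rule that matches, in configured order, because the page does not say which of several matching rules MSS applies.

```python
import re

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
# a MAC glob prefix: up to five complete bytes, optionally followed by a partial byte (e.g. 00:01:02:03:04:0)
_MAC_PREFIX_RE = re.compile(r"^([0-9a-f]{2}:){0,5}[0-9a-f]{0,2}$")


def _glob_regex(glob):
    """Turn a user glob into a regex; literal text is escaped and each * becomes '.*' (assumption)."""
    return re.compile(".*".join(re.escape(part) for part in glob.split("*")))


def user_glob_matches(glob, username):
    """** matches every username; otherwise the glob must match the whole username, case-sensitively."""
    if glob == "**":
        return True
    return _glob_regex(glob).fullmatch(username) is not None


def normalize_mac(mac):
    """Accept a colon-delimited MAC address in either letter case and return it lower-cased."""
    mac = mac.lower()
    if not _MAC_RE.match(mac):
        raise ValueError("MAC address must be six colon-delimited bytes: %r" % mac)
    return mac


def mac_glob_matches(glob, mac):
    """* matches all addresses; a partial address ending in * matches by prefix; otherwise exact match."""
    glob = glob.lower()
    mac = normalize_mac(mac)
    if glob == "*":
        return True
    if glob.endswith("*"):
        prefix = glob[:-1]
        if not _MAC_PREFIX_RE.match(prefix):
            raise ValueError("bad MAC address glob: %r" % glob)
        return mac.startswith(prefix)
    return mac == normalize_mac(glob)


def matching_rules(rules, ssid, username=None, mac=None):
    """Names, in configured order, of the rules whose SSID and glob match the identity.

    `rules` is a constructed list of dicts with keys name, ssid, kind ("user" or "mac") and glob.
    A rule of kind "user" is tried only when a username is given, kind "mac" only when a MAC is.
    """
    names = []
    for rule in rules:
        if rule["ssid"] != ssid:
            continue
        if rule["kind"] == "user" and username is not None and user_glob_matches(rule["glob"], username):
            names.append(rule["name"])
        elif rule["kind"] == "mac" and mac is not None and mac_glob_matches(rule["glob"], mac):
            names.append(rule["name"])
    return names
```

normalize_mac rejects hyphenated or raw addresses rather than guessing at them, because the page specifies colons as the delimiter for globs; a caller that accepts other formats from a RADIUS server should convert them before matching.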

Creating an 802.1X Authentication Rule
To configure an 802.1X Access Rule, use the following steps.
1. From the Organizer panel, select a WLC.
2. Select AAA, and then 802.1X Access Rules.
3. From the Tasks panel, under Create, select 802.1X Access Rule.
4. Select an SSID from the SSID list.
5. If the rule applies to a Wired Auth user, select Wired.
6. In the Matching User Glob field, enter specific usernames or ** to match all usernames.
7. Click Next.
EAP Type
8. Select the EAP Type from the list. You can select from the following options:
   External Authentication Server: No protocol is used by the WLC. Mobility System Software (MSS) sends the EAP processing to a RADIUS server. If you select PEAP, the EAP Sub-Protocol is MS-CHAPV2. For other protocols, there is no EAP Sub-Protocol to select.
   EAP-MD5 Offload: Extensible Authentication Protocol (EAP) with message-digest algorithm 5. Select this protocol for wired authentication clients. Uses challenge-response to compare hashes. Provides no encryption or integrity checking for the connection.
   PEAP Offload: Protected EAP with Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP-V2). Select this protocol for wireless clients. Uses TLS for encryption and data integrity checking. Provides MS-CHAP-V2 mutual authentication. Only the server side of the connection needs a certificate.
   Local EAP-TLS: EAP with TLS. Provides mutual authentication, integrity-protected negotiation, and key exchange. Requires X.509 public key certificates on both sides of the connection. Provides encryption and integrity checking for the connection. Cannot be used with RADIUS server authentication (requires user information to be in the local database of the WLC).
9. If you selected PEAP as the EAP type, MS-CHAPV2 is selected by default as the EAP Sub-Protocol.
10. Click Next.
Authentication Servers
11. To enable authentication, select Enabled.

12. Select a server group from the list of Available AAA Server Groups, and click Add to move it to the list of Current AAA Server Groups. You can reorder the list by using the Up and Down arrows. If you select Local, you are adding the local database on the WLC.
13. Click Next.
Optional: Accounting Servers
14. To enable accounting for the profile, select Enabled.
15. From the Record Type list, select from the following options: Start-Stop, Stop-Only.
16. From the list of Available AAA Server Groups, select one and click Add to move it to the list of Current AAA Server Groups. You can reorder the server groups in the list by using the Up and Down arrows.
17. Click OK to complete the configuration.

Creating a MAC Access Rule

To create a MAC Access Rule, use the following steps:

1. From the Organizer panel, select a WLC.
2. Under AAA, select MAC Access Rules.
3. In the Tasks panel, under Create, click MAC Network Access.
4. Select an SSID from the SSID list.
5. If the rule applies to a Wired Auth user, select Wired.
6. In the Matching MAC Address Glob field, you can either specify a user MAC address, or a MAC Address Glob up to 5 bytes long ending with *: to match specific MAC addresses, or * to match all MAC addresses.
7. Click Next.

Authentication Servers

8. To enable authentication, select Enabled.
9. To use the MAC Address Prefix, select MAC Prefix.
10. Select a server group from the list of Available AAA Server Groups, and click Add to move it to the list of Current AAA Server Groups. You can reorder the list by using the Up and Down arrows. If you select Local, you are adding the local database on the WLC. MAC Authentication allows you to select from RADIUS or LDAP servers.

Optional: Accounting Servers

11. To enable accounting for the profile, select Enabled.
12. From the Record Type list, select from the following options:
- Start-Stop
- Stop-Only
13. From the list of Available AAA Server Groups, select one and click Add to move it to the list of Current AAA Server Groups. You can reorder the server groups in the list by using the Up and Down arrows.
14. Click Finish to complete the configuration.

Creating a Web Authentication Rule

To configure a Web Access Rule, use the following steps.

1. From the Organizer panel, select a WLC.
2. Select AAA, and then Web Access Rules.
3. From the Tasks panel, under Create, select Web Access Rule.
4. Select an SSID from the SSID list.
5. If the rule applies to a Wired Auth user, select Wired.
6. In the Matching User Glob field, enter specific usernames or ** to match all usernames.
7. Click Next.
8. Select a server group from the list of Available AAA Server Groups, and click Add to move it to the list of Current AAA Server Groups. You can reorder the list by using the Up and Down arrows. If you select Local, you are adding the local database on the WLC. MAC Authentication allows you to select from RADIUS or LDAP servers.

Optional: Accounting Servers

9. To enable accounting for the profile, select Enabled.
10. From the Record Type list, select from the following options:
- Start-Stop
- Stop-Only
11. From the list of Available AAA Server Groups, select one and click Add to move it to the list of Current AAA Server Groups. You can reorder the server groups in the list by using the Up and Down arrows.
12. Click Finish to complete the configuration.

Creating an Open Access Rule

To configure an Open Access Rule, use the following steps.

1. From the Organizer panel, select a WLC.
2. Select AAA, and then Open Access Rules.
3. From the Tasks panel, under Create, select Open Access Rule.
4. Select an SSID from the SSID list.
5. If the rule applies to a Wired Auth user, select Wired.
6. Click Next.

Optional: Accounting Servers

7. To enable accounting for the profile, select Enabled.
8. From the Record Type list, select from the following options:
- Start-Stop
- Stop-Only
9. From the list of Available AAA Server Groups, select one and click Add to move it to the list of Current AAA Server Groups. You can reorder the server groups in the list by using the Up and Down arrows. Click OK to complete the configuration.
10. Click Finish to complete the configuration.

Creating an Admin Access Rule

To configure an Admin Access Rule, use the following steps.

1. From the Organizer panel, select a WLC.
2. Select AAA, and then Admin Access Rules.
3. From the Tasks panel, under Create, select Create Admin Access.
4. Create and enter a User Glob for the Admin User Name.
5. Click Next.
6. Select an Authentication Server from the list of Available AAA Server Groups and click Add to add it to the list of Current AAA Server Groups.
7. Click Next.

Optional: Accounting Servers

8. To enable accounting for the profile, select Enabled.
9. From the Record Type list, select from the following options:
- Start-Stop
- Stop-Only
10. From the list of Available AAA Server Groups, select one and click Add to move it to the list of Current AAA Server Groups. You can reorder the server groups in the list by using the Up and Down arrows.
11. Click Finish to complete the configuration.


Creating a Console Access Rule

To configure a Console Access Rule, use the following steps.

1. From the Organizer panel, select a WLC.
2. Select AAA, and then Admin Access Rules.
3. From the Tasks panel, under Create, select Console Access.
4. In the Matching User Glob field, enter specific usernames or ** to match all usernames.
5. To enable authentication, select Enabled.
6. Select a server group from the list of Available AAA Server Groups, and click Add to move it to the list of Current AAA Server Groups. You can reorder the list by using the Up and Down arrows. If you select Local, you are adding the local database on the WLC.
7. Click Next.

Optional: Accounting Servers

8. To enable accounting for the profile, select Enabled.
9. From the Record Type list, select from the following options:
- Start-Stop
- Stop-Only
10. From the list of Available AAA Server Groups, select one and click Add to move it to the list of Current AAA Server Groups. You can reorder the server groups in the list by using the Up and Down arrows.
11. Click OK to complete the configuration.


Creating a RADIUS Proxy Client

To create a RADIUS Proxy Client, use the following steps.

1. From the Organizer panel, select a WLC.
2. Select AAA, and then RADIUS Proxy.
3. From the Tasks panel, under Create, select RADIUS Proxy Client.
4. Enter the IP address of the RADIUS client (third party WLA).

Optional: RADIUS Messaging Ports

You can enter the UDP ports on which the WLC listens for RADIUS access-requests and stop-accounting records. You can leave Authentication Port and Accounting Port at the default values.

5. Click Next.
6. Enter the Client Key for authenticating and encrypting RADIUS communication.
7. Click Finish.


Creating Proxy Access

To configure Proxy Access, use the following steps.

1. From the Organizer panel, select a WLC.
2. Select AAA, and then RADIUS Proxy.
3. From the Tasks panel, under Create, select Proxy Access.
4. In the Matching User Glob field, enter specific usernames or ** to match all usernames.
5. Choose or select the desired SSID.
6. Select a server group from the list of Available AAA Server Groups, and click Add to move it to the list of Current AAA Server Groups. You can reorder the list by using the Up and Down arrows. If you select Local, you are adding the local database on the WLC.
7. Click Next.

Optional: RADIUS Server Group

8. From the list of Available AAA Server Groups, select one and click Add to move it to the list of Current AAA Server Groups. You can reorder the server groups in the list by using the Up and Down arrows. If you select Local, you are adding the local database on the WLC.
9. Click Finish to complete the configuration.


Creating 802.1Q Mappings

To create 802.1Q Mappings, use the following steps.

1. From the Organizer panel, select a WLC.
2. Select AAA, and then RADIUS Proxy.
3. From the Tasks panel, under Create, select 802.1Q Mappings.
4. Select a Port.
5. Enter the SSID.
6. Create a unique tag for the mapping.
7. Click OK.


Creating a Location Policy Rule

To configure a Location Policy Rule, use the following steps.

1. From the Organizer panel, select a WLC.
2. Select AAA, and then Location Policy.
3. From the Tasks panel, under Create, select Create Location Policy Rule.
4. Configure the Location Rule Match Option. You can select from the following options:
- SSID
- User Glob
- VLAN
- Time of Day
- Port List
- DWLA List
5. For each of the listed options, select the values to use for the Location Policy. Click Next.

Optional: Port Criteria

6. Select a physical port to apply the location policy to. Click Next.

Optional: Distributed WLAs Criteria

7. Select a distributed WLA from the list of Available Distributed WLAs, and click Add to put it in the Current Distributed WLAs list.
8. Click Next.

Location Rule Action

9. Configure the Location Rule to allow or deny access to the network. If access is allowed, you can override authorization attributes by specifying new values. You can configure the following parameters:
- Action
- In ACL
- Out ACL
- VLAN Name
- Time of Day
- Action URL
- QoS Profile
- Termination Action
10. Click Finish to complete the configuration.

Creating a Mobility Profile

To configure a Mobility Profile, use the following steps.

1. From the Organizer panel, select a WLC.
2. Select AAA, and then Mobility Profiles.
3. From the Tasks panel, under Create, select Create Mobility Profile.
4. Create a unique name for the Mobility Profile.

Optional: Mobility Profile Port Selection

5. Select a physical port from the list of Available Physical Ports, and click Add to put it in the Current Physical Ports list.
6. Click Next.

Optional: Distributed WLAs Criteria

7. Select a distributed WLA from the list of Available Distributed WLAs, and click Add to put it in the Current Distributed WLAs list.
8. Click Finish.


Configuring Device Fingerprinting

DHCP Fingerprinting Overview

This feature supports the ability of MSS to detect the type of device used by a client when authenticating on the wireless LAN. Devices include iPads, iPhones, Windows PCs, tablets, etc. This feature implements the DHCP fingerprinting method.

What is a DHCP Fingerprint?

A DHCP fingerprint is almost a unique identifier for a specific operating system or device type. Due to the broadcast and pervasive nature of DHCP, DHCP fingerprinting provides a low-cost, minimal-effort method of passive system identification and inventory. MSS examines the DHCP messages from various devices and identifies unique characteristics for each device. This information is used to compile a fingerprint database, which is then used to identify the device type for clients as they join the network.

When a mobile device attempts to connect to the wireless network, it sends a DHCP Discover packet in an attempt to locate a DHCP server on the network. This is the conversation starter between the device and the DHCP server. The second phase of the conversation is the return of a DHCP Offer packet from the DHCP server to the mobile device. After reserving an IP address for the client, the DHCP server sends a DHCP Offer packet with the client MAC address, the IP address, the lease duration, and the IP address of the DHCP server sending the Offer packet. In the third phase, the mobile client returns a DHCP Request packet to the DHCP server accepting the IP address. In the fourth and final phase, the DHCP server sends a DHCP Acknowledgement packet with the lease duration and any other information requested by the mobile device client.

The Role of DHCP in Device Fingerprinting

When a DHCP client of an operating system sends a DHCP request (Discover or Request), the request contains DHCP options such as DNS server, WINS server, or default gateway, and the WLA looks for these DHCP options. The option order is relatively unique and identifies the specific operating system version. Option 55, Parameter Request List, contains the options requested by the client. The DHCP Discover or Request packet is inspected for Option 55, and the option list is matched against the database to determine the client type. DHCP Option 55 is not unique, and the same parameters may be sent by different clients. In this case, other DHCP options are inspected by MSS.

Figure 1: An example of a DHCP Packet Exchange

In the diagram, you can see the different DHCP Options that are communicated during the process. Once the DHCP Discover information is exchanged, a DHCP Request packet is sent from the mobile device.

In addition, there are differences between an initial DHCP Request packet and a DHCP Request packet sent after a mobile device wakes up.

Figure 2: An Example of a DHCP Request Packet

If a mobile device receives the information it needs to connect to the network, and successfully connects, it retains the information for the active session. If the device goes to sleep and then wakes up, it sends a DHCP Request packet asking if the initial information is still available. If it is, the mobile device reconnects using that information.

Table 1: Common DHCP Options

Code  Name                         Length
12    Host Name                    minimum of 1 octet
50    Requested IP address         4 octets
51    IP Address Lease Time        4 octets
53    DHCP Message Type            1 octet
54    Server Identifier            4 octets
55    Parameter Request List       minimum of 1 octet
57    Maximum DHCP Message Size    2 octets
58    Renewal (T1) Time Value      4 octets
60    Vendor class identifier      minimum of 1 octet
61    Client-identifier            minimum of 2 octets
81    FQDN Option                  1 octet

Option 55 Parameter Request List

It is possible to configure device fingerprint rules based on the Parameter Request List in DHCP Option 55. You can put the parameters in order of priority, but the DHCP server may not process them in the requested order. The following table lists the DHCP Option 55 parameters:

Table 2: DHCP Option 55 Parameters

Parameter Number  Definition
1                 Subnet Mask
2                 Time Offset
3                 Router
6                 Domain Name Server
31                Perform Router Discover
33                Static Route
43                Vendor-specific information
44                NetBIOS over TCP/IP Server
47                NetBIOS over TCP/IP Node Type
78                Directory Agent Information
79                Service Location Agent Scope
95                Lightweight Directory Access Protocol
112               NetInfo Parent Server Address
113               NetInfo Parent Server Tag
249               Classless Static Route
252               Proxy autodiscovery

When a device attempts to join the wireless LAN, information is gathered from the device and matched against the fingerprint database to identify the device type. Once the device type is detected, that information is used to apply policies or to report information useful to the network administrator.

Informational Note: The WLA captures the device fingerprint information and sends it to the WLC to determine policy enforcement. Also, when the WLA sends DHCP Discover and Request packets, DHCP Option 12 now contains the WLA serial number, and DHCP Option 77 contains "WLA" (without the quotes).

By default, MSS has a database with 19 fingerprints that identify the following devices:

- iPhone
- iPad
- PC with Windows XP

- Android-based phones including Samsung, Motorola, HTC, LG, etc.
- OSX devices (Apple)
- WiFi-enabled game consoles such as PS3, Xbox, Wii for detection in school dorms.
- WinMobile and Nokia phones
- Kindle Fire
- Nook
- Printers

Figure 3: An Example of Wireless Access based on Device Fingerprinting

Device fingerprints are processed in the configured order by MSS, and the MSS fingerprint database has the following characteristics:

- Maximum of 50 fingerprints supported
- Fingerprints must be uniquely named
- You can add, modify, or delete entries.

The following information is required by the device fingerprinting feature:

- Device type - used to identify the device.
- Rules - each rule defines these parameters:
  - Number - used to identify the rule
  - Type - the type of rule, such as MAC address.
  - Data - contains the data from the packet.

  - Value - the value to match against the data.
  - Method - matching method used for the data and value.

The following rule types are supported:

- MAC Address
  - Data - the device MAC address
  - Value - MAC glob using the existing MAC rules in MSS
  - Method - MAC glob comparison
- DHCP Flags
  - Data - DHCP flags field
  - Value - 2 byte mask
  - Method - Bitwise AND
- DHCP Option
  - Data - Byte data from the specified DHCP option. The option number is an integer. The option content is a string consisting of either a string, hex, or an order-sensitive list of DHCP option numbers.
  - Method - eq or neq based on the current MSS implementation. It matches if both are eq. Contains and Not Contains are also supported.
- DHCP Options List
  - Data - List of DHCP Options from the DHCP packet
  - Value - list of desired DHCP options in a format consistent with the Options content list.
  - Method - one of eq, neq, contains, or not contains
- Combination of rules - rules are not used directly in the detection process but are combined together to create a rule expression. This consists of a logical expression specified as a string and can contain the following tokens:
  - rule number - one of the defined rules for this fingerprint
  - and, or - used for logical tests
  - ( and ) - used for grouping
  - white space - used for separation of the tokens.

Interactions between the User Policy and the Device Policy

Who wins? All attributes from a device policy and user policy are applied to a session except when there are conflicts. When there is a conflict, device policies take precedence over user policies by default. You can change the precedence in the CLI.

Other Functionalities Supported by Device Fingerprinting

Device detection works in parallel with AAA, so all AAA methods are compatible. It is also supported in a cluster (high availability) environment.

Use Cases

Controlling Network Access on a Corporate WLAN for a Personal iPad

A user joins the network through an 802.1X authentication process while using his personal iPad. Authentication is performed through a RADIUS server, the credentials are accepted, and an attribute is returned to the user allowing him to join VLAN1. The WLC detects that the user's device is an iPad and applies a new ACL that only allows the user access to an server, and public internet access.

Controlling User Bandwidth by Applying Different QoS Levels per Device Type

You want to apply a different CoS level when an authorized user authenticates onto the WLAN with an iPhone instead of a corporate device. A device profile, iPhone, is configured with an attribute that caps the bandwidth at 2 Mbps. When an iPhone user authenticates successfully using 802.1X and a RADIUS server, an attribute is sent that allows the user to access VLAN RED. The WLC detects that the user has an iPhone and applies the QoS profile restricting bandwidth to 2 Mbps.

Creating Device Fingerprints Using RingMaster

Informational Note: RingMaster contains a number of preconfigured device fingerprints, but you must install MSS 8.0 on a WLC and upload the configuration into RingMaster. Otherwise, you must configure the device fingerprints individually. See the MSS Configuration Guide Version 8.0 for more information.

Device Fingerprinting is located under AAA in the WLC Configuration tree.

Figure 4: Device Fingerprinting in RingMaster

If you are going to use Device Profiles to apply QoS profiles or other attributes such as time-of-day, you should configure them before configuring your Device Fingerprint rules.

Configuring Device Profiles

Using RingMaster 8.0, select Device Detection, and then click Create Device Profile.

1. Enter a name for the Device Profile. In this example, you'll create a Device Profile for mobile devices using iOS from Apple. Click Next.
2. If you select Deny All Matching Sessions, any device with this profile cannot connect to the WLAN. If you select additional attributes, such as time-of-day, then the mobile device cannot connect during the specified time period. In this example, you allow devices with iOS to access the network.
3. Select a VLAN for the mobile devices. You may want to put all of your mobile devices on one VLAN to segregate them from the rest of the wireless network.
4. You can apply the following attributes to the Device Profile:
- QoS Profile - applies QoS policies to the devices.
- Filter id - adds the portalacl.out to the profile. This will direct users to a Web portal for logging out of the network.
- Time of day - configure specific times during the day that devices can access the network.
- Filter id - applies the portalacl.in to direct users to a Web portal for logging onto the network.
5. Click Next to display the configured Device Fingerprints.
6. Select the fingerprint from the list of Available Device Fingerprints to apply the device profile to, and move it to the Current Device Fingerprint list.
7. Click Finish to complete the configuration. You now have a Device Profile for mobile devices using iOS.

Configuring Device Fingerprints Using RingMaster

Informational Note: Default Device Fingerprints are available in RingMaster. This section provides instructions on creating an iPhone Device Fingerprint as an example of creating rules and using Boolean expressions to create logical expressions.

You can now add device fingerprints to the RingMaster configuration. You may want to use the rule examples in the previous section to guide you through the rule configuration. Let's add a Device Fingerprint for iPhones on your wireless network:

1. Click Configure Device Fingerprint to display the configuration wizard.
2. In the Device Type field, type iphone.
3. In the Device Group field, type ios.
4. From the Device Profile list, select ios, and click Next. You need to create four rules that are used for DHCP device fingerprints, as well as a logical rule expression for the device fingerprint.
5. Select DHCP Option to display the properties. Enter 12 as the DHCP Option, and then select contains as the operator. In the Option value field, enter iphone.
6. Click Ok.

7. Select DHCP Option List and click Next.
8. Select the Option Number and the operand (is), and then enter the content for the selected option. For this rule, the DHCP Options are 53,55,57,61,61,51,12.
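The rule types, the and/or/parentheses rule expression and the iPhone walk-through above, as an added Python example that is not RingMaster or MSS code: it parses a constructed DHCPDISCOVER laid out with the options from Table 1, evaluates MAC-glob, DHCP Option and DHCP Options List rules, and combines them with the expression grammar; the MAC glob form is the same one a MAC Access Rule matches on. The rule dictionary layout, the 02:aa:bb:* prefix, the hostname and the option values are assumptions constructed for the example.

```python
import re
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # starts the DHCP options field at offset 236

def parse_dhcp(packet: bytes):
    """Return (chaddr, flags, options); options keeps the order they appear in."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    flags = int.from_bytes(packet[10:12], "big")
    chaddr = packet[28:28 + packet[2]]            # hlen is 6 for Ethernet clients
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:   # 255 = End option
        if packet[i] == 0:                        # 0 = Pad option, no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return chaddr, flags, options

def mac_glob_match(glob: str, mac: bytes) -> bool:
    """MSS-style MAC glob: a full address, a 1-5 byte prefix ending in '*', or '*' alone."""
    mac_str, g = ":".join(f"{b:02x}" for b in mac), glob.lower()
    return mac_str.startswith(g[:-1]) if g.endswith("*") else mac_str == g

def compare(method: str, actual, wanted) -> bool:
    if isinstance(actual, list):                  # on a list, 'contains' means a contiguous run
        n = len(wanted)
        found = any(actual[k:k + n] == wanted for k in range(len(actual) - n + 1))
    else:
        found = wanted in actual
    return {"eq": actual == wanted, "neq": actual != wanted,
            "contains": found, "not contains": not found}[method]

def eval_rule(rule: dict, chaddr: bytes, flags: int, options: dict) -> bool:
    kind, value = rule["type"], rule["value"]
    if kind == "mac":                             # Value: MAC glob, Method: glob comparison
        return mac_glob_match(value, chaddr)
    if kind == "option":                          # content of one option: text or option numbers
        data = options.get(rule["option"], b"")
        actual = list(data) if isinstance(value, list) else data.decode("latin-1").lower()
        return compare(rule["method"], actual, value if isinstance(value, list) else value.lower())
    if kind == "option_list":                     # order of the options present in the packet
        return compare(rule["method"], list(options), value)
    raise ValueError(f"unknown rule type {kind}")

def eval_expression(expr: str, results: dict) -> bool:
    """Rule expression: rule numbers, 'and', 'or', parentheses, whitespace ('and' binds tighter)."""
    tokens = re.findall(r"[()]|\w+", expr) + ["$"]     # "$" cannot occur in expr: end marker
    pos = 0
    def parse(level: int) -> bool:                    # 0: or-list, 1: and-list, 2: atom; no eval()
        nonlocal pos
        if level < 2:
            v = parse(level + 1)
            while tokens[pos] == ("or", "and")[level]:
                pos += 1
                w = parse(level + 1)
                v = (v or w) if level == 0 else (v and w)
            return v
        t, pos = tokens[pos], pos + 1
        if t == "(":
            v = parse(0)
            if tokens[pos] != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            return v
        if not t.isdigit() or int(t) not in results:
            raise ValueError(f"bad token {t!r}")
        return results[int(t)]
    v = parse(0)
    if tokens[pos] != "$":
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return v

def match_fingerprint(fingerprint: dict, packet: bytes) -> bool:
    chaddr, flags, options = parse_dhcp(packet)
    results = {n: eval_rule(r, chaddr, flags, options) for n, r in fingerprint["rules"].items()}
    return eval_expression(fingerprint["expression"], results)

def build_discover(mac: bytes, hostname: bytes, param_list: bytes, broadcast: bool) -> bytes:
    hdr = bytearray(236)                              # constructed minimal DHCPDISCOVER, not a capture
    hdr[0:3] = b"\x01\x01\x06"                        # BOOTREQUEST, Ethernet, hlen 6
    hdr[10:12] = (0x8000 if broadcast else 0).to_bytes(2, "big")
    hdr[28:34] = mac
    opts = [(53, b"\x01"), (55, param_list), (57, b"\x05\xdc"), (61, b"\x01" + mac),
            (51, b"\x00\x76\xa7\x00"), (12, hostname)]   # same option order as the iPhone rule
    return bytes(hdr) + MAGIC_COOKIE + b"".join(bytes([c, len(v)]) + v for c, v in opts) + b"\xff"

# Modelled on the iPhone walk-through above; rule 3 uses a constructed, not an Apple, MAC prefix.
IPHONE_FINGERPRINT = {
    "rules": {
        1: {"type": "option", "option": 12, "method": "contains", "value": "iphone"},
        2: {"type": "option_list", "method": "eq", "value": [53, 55, 57, 61, 51, 12]},
        3: {"type": "mac", "value": "02:aa:bb:*"},
    },
    "expression": "1 and (2 or 3)",
}

IPHONE_DISCOVER = build_discover(bytes.fromhex("02aabb112233"), b"Janes-iPhone",
                                 bytes([1, 3, 6, 15, 119, 252]), broadcast=False)
```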


Integrating a WLM1200-SP into RingMaster

With the release of RingMaster 7.5 and later, you can integrate your WLM1200-SP (SmartPass) server into RingMaster and use RingMaster to manage your WLM1200-SP server.

Informational Note: You must have an active SmartPass server before you can integrate it into RingMaster. RingMaster communicates with the SmartPass server to synchronize the information in SmartPass with RingMaster. If the SmartPass server is inactive, then synchronization with RingMaster fails.

Caution: To take advantage of the full functionality of SmartPass, install SmartPass Version on your server. Earlier versions have less functionality than the latest version of SmartPass.

To integrate SmartPass into RingMaster, follow these steps:

1. In RingMaster, select your Network Plan.
2. From the Organizer panel, select Application Servers.
3. From the Tasks panel, select Create SmartPass Server.
4. To configure the SmartPass Server Connection Settings, you need the following information:
- Server Name
- IP Address
- Port Number
- Username
- Password
5. Once you have entered the appropriate information, RingMaster sends a synchronization request to the SmartPass server.
6. The SmartPass server is now managed by RingMaster and displayed in the list of SmartPass Servers.
7. To configure the server settings, select it from the list and click Properties.
8. Adjust the necessary settings and click Ok to save the configuration.
9. After you add the SmartPass Server and synchronize it with RingMaster successfully, additional tasks are available in RingMaster. These are the same tasks available in a standalone installation of SmartPass. You can refer to the SmartPass documentation for more information on configuring these features. The following tasks are now available:

Setup

- Synchronize
- Edit SmartPass Server
- Shared Key

Other
- Server Settings
- RADIUS Client Settings
- Web Portal Management
- User Management

Clicking on any of the tasks under Other opens the current installation of SmartPass.

Integrating a WMS1200-LA to RingMaster

To add a WMS1200-LA to RingMaster, you must install a WMS1200-LA in your wiring closet or somewhere else in your network. After installation, you need the following information to add the WMS1200-LA to RingMaster:
- IP Address
- User Name
- Password

You also need a Location Appliance license in order to activate the feature in RingMaster. After installing the license, the Create Location Server task is available in the RingMaster interface.

To add a WMS1200-LA to RingMaster, follow these steps. Open RingMaster and click Configuration from the menu bar.

1. From the Organizer panel, select Application Servers.
2. From the Task list, select Create Location Server; the associated wizard opens.
3. Select Managed to allow RingMaster to manage the location appliance.
4. In the Name field, enter the name of the WMS1200-LA.
5. Enter the IP address.
6. Enter the User Name.
7. Enter the Password.
8. If there is a management password, enter it in the Management Password field.
9. Click Next. RingMaster connects to the WMS1200-LA and establ
ishes a connection.
10. Click Finish to complete the configuration.
11. The WMS1200-LA now appears in the Organizer panel under Application Servers.
12. To review WMS1200-LA settings, highlight the Location Appliance in the list and click Properties. You can then change any of the original settings for the server.

Available Tasks for All Managed WMS1200-LA Location Appliances

There is a list of available tasks for all location appliances managed by RingMaster. You can select any of the following tasks:
- Create Location Server
- Setup Synchronization Parameters
- Edit a Location Server
- Configure a Snoop Filter
- Configure SNMP Settings

From the Other list, you can select from the following tasks:
- Platform Management
- Appliance Logs
- Backup and Restore

- Configuration
- Factory Reset
- Schedule Reboot
- System Update
- User Management

Selecting any of the Other tasks opens the corresponding software feature on the location appliance. For more information on using these features, refer to the Juniper Networks WMS1200-LA User's Guide.

Available Location Appliance Tasks

If the location appliance already has a configuration, the details are displayed when you select the WMS1200-LA in the Organizer panel. After it is selected, the following information is displayed:

Location Server
- Managed
- Name
- Port
- Version
- IP Address

Locales
- Name
- Description
- Associated Fingerprints
- Associated Floor

RF Fingerprints
- Name
- Description
- Associated Locale

In the Tasks panel, you can select from a list of available tasks.

Under Create, you can select:
- Create Locale
- Create RF Fingerprint

Under Setup, you can select:
- Synchronize
- Edit Location Server
- Snoop Filter
- SNMP

Under Other, you can select:

- Platform Management
- Appliance Logs
- Backup and Restore
- Configuration
- Factory Reset
- Schedule Reboot
- System Update
- User Management

Selecting any task under Other opens the operating system of the location appliance, and you can perform any of these tasks directly on the location appliance.

Creating Locales Using RingMaster

Select a WMS1200-LA from the Application Servers list in the Organizer panel. The Task list is now populated with available tasks to perform on the location appliance. To create a locale, use the following steps:

1. Under Create, click Create Locale. The Create Locale Wizard is displayed.
2. Enter the name and description of the locale in the appropriate fields. Create RF Fingerprint is selected by default. If you do not want to create an RF Fingerprint, clear the checkbox. If you are also using Active Asset on the location appliance, you must follow a specific format for the description. The format is Campus:Building:Floor. Click Next.
3. Enter the RF Fingerprint information, including Name and Description. Click Next.
4. If there are other RF Fingerprints configured on the location appliance, they are displayed in the Available RF Fingerprints list. You can select one and add it to the Current RF Fingerprints list. You can also remove RF Fingerprints by selecting one from the Current RF Fingerprints list and clicking Remove.
5. Click Finish to complete the configuration.

The new locale and RF Fingerprints appear in the Location Server and RF Fingerprints section. You can view the properties of an RF Fingerprint by selecting it and then clicking Properties.

Creating Locales Using RF Planning

You can also create Locales using the RF Planning feature of RingMaster. Click RF Planning and select a plan from the Organizer. You can also import locales from CAD drawings.

1. Under Location Services, click Create Locale. The Create Locale wizard is displayed.
2. When you use the Drawing tools to draw the Locale, the Create a Locale wizard is displayed.
3. Select a Location Server from the list and click Next.
4. You can now select an existing locale or create a new locale. If you select an existing locale, click Finish to complete the configuration. If you select Create a Locale, click Next.
5. Type a name and description of the Locale in the Name and Description fields. Click Finish to complete the configuration.

Adding RF Fingerprints Using RF Planning

You can add RF Fingerprints to the Locale you just created by clicking RF Fingerprint in the Task list. When you move your cursor over the locale, it changes to a crosshair. Click and drag to display the RF Fingerprint wizard. Enter a name and description for the RF Fingerprint and click OK. The RF Fingerprint now appears on the Locale.

Calibrating RF Fingerprints Using RF Planning

1. To calibrate an RF Fingerprint, click on the fingerprint icon in the locale to select it. Then click Calibrate RF Fingerprint.
2. Enter the MAC address of the device and click Start. You can see the status in the Progress bar. Once the process is complete, you can click Next to add it to the locale.

Creating RF Fingerprints

Select a WMS1200-LA from the Application Servers list in the Organizer panel. The Task list is now populated with available tasks to perform on the location appliance. To create an RF Fingerprint, use the following steps:

1. Under Create, click Create RF Fingerprint. The wizard is displayed.
2. Enter a name and description for the RF Fingerprint.
3. Click Next.
4. Select a locale from the Associated Locale list to associate with the RF Fingerprint.
5. Click Finish to complete the configuration.
6. The RF Fingerprint now appears in the Locales list and the RF Fingerprints list.

Setting Up a Location Appliance Using RingMaster

Select a WMS1200-LA from the Application Servers list in the Organizer panel. The Task list is now populated with available tasks to perform on the location appliance.

Synchronizing Changes on a Location Appliance Using RingMaster

To synchronize configurations on a location appliance, use the following steps:

1. In the Task list, click Synchronize.
2. The Review Changes panel is displayed.
3. You can select from two types of action:
- Deploy Changes to the location appliance - changes made using RingMaster are applied to the location appliance.
- Accept Changes from the location appliance - changes made on the location appliance are uploaded to RingMaster. You cannot undo this operation. Once you click Next, the changes are synchronized between RingMaster and the LA.

256 23. Click Next. The changes are synchronized between RingMaster and the location appliance. 24. Click Finish to complete the operation. The WMS1200-LA image created using RingMaster is transferred to the WMS1200-LA where it is used by other applications such as Active Asset. It is recommended that you create a backup of your current image before transferring the new on to the WMS1200-LA. Editing Location Appliance Attributes Using RingMaster To edit a location appliance, select it from the list of Application Servers. Then follow these steps: 1. Click Edit Location Server to display the attributes for the server. 2. You can modify any of the listed attributes, and click Next. 3. RingMaster establishes a connection with the location appliance.click Finish to send the changes to the location appliance. 4. Configuring a Snoop Filter for a Location Appliance 5. You can configure a snoop filter on an WLC using RingMaster and apply it to a location appliance. To configure a snoop filter, follow these steps: 6. In the Task list, under Setup, click Snoop Filter. 7. Select an WLC to target from the Select a WLC list. 8. Click Next. 9. If there is an existing Snoop Filter on the WLC, you can select it from the Filters list. If a Snoop Filter is not configured, you can select Create a Filter. Click Next.e Snoop Filter Name field, enter a name for the filter. Select Enabled to begin using the filter. Click Next. 10. Configure the Snoop Filter Observer. You must specify the following information: Target IP Address Snap Length Limit (optional) Frame Gap Limit (optional) 11. Click Next. 12. Optionally, you can create Snoop Filter Conditions by specifying a list of conditions that match the criteria for packets. The following conditions can be added to the Snoop Filter: Direction Frame Type Channel BSSID Source MAC Destination MAC Host MAC MAC Pair Copyright 2012, Juniper Networks, Inc. Integrating a WMS1200-LA to RingMaster 5

257 13. When you select a condition, a list of attributes is displayed that can be applied to it. Click Next. 14. You can also configure optional Snoop Mapping by selecting radios on an MP to map the Snoop Filter. Click Next. 15. Additionally, you can map a Snoop Filter to a specific radio profile. Select one from the Available Radio Profiles list and click Add to move it into the Current Radio Profiles list. 16. Click Finish to complete the Snoop Filter configuration. Configuring SNMP for a Location Appliance You can configure SNMP settings for the Location Appliance using the RingMaster interface. Select a Location Appliance from the list in the Organizer panel and then click SNMP. You need the following information to configure SNMP targets on the Location Appliance: Destination Host Destination Port SNMP Version If you select SNMP Version v2c, then you configure the SNMPv2c Settings. If you select SNMPv3, then you configure the SNMPV3 settings. Click Next to continue with the configuration. If you a secondary SNMP target, you can configure it by entering the appropriate information. Click Finish to complete the configuration. All tasks listed under Other are performed on the WMS1200-LA using the WMS1200-LA user interface. Consult the documentation for the WMS1200-LA to perform any of these tasks. Coverage of these tasks is beyond the scope of this document. Monitoring the WMS1200-LA You can see the following status information on the WMS1200-LA when you click Monitoring and then select the WMS1200-LA from the Organizer panel. The Monitor feature displays the following information: Status Summary click Details for more information. Appliance Name Status Admin Status IP Address Server Type Management Port Version Up Time Alarm Summary click Details for more information. 6 Integrating a WMS1200-LA to RingMaster Copyright 2012, Juniper Networks, Inc.

- Clients by Locale: you can also click Find Clients to search for clients on the network.
- Tracked Devices by Type

Additional WMS1200-LA Areas Monitored by RingMaster

There are additional features on the WMS1200-LA that can be monitored by RingMaster. When you select a floor with a WMS1200-LA, a new Show Devices task is available. This task displays all the devices tracked by the WMS1200-LA, including:

- Clients
- Tags
- WLAs
- Rogue WLAs

You can filter the devices displayed using the following strings:

- SSID
- User Name
- MAC Address
- IP Address
- End Address for SIP
- Radio Technology

When you use the filtering capabilities, only the devices matching the filter are displayed. Once you clear the criteria, all devices are displayed again. You can also hide or display the following items on the Monitoring interface:

- Locales
- Fingerprints
- WLAs
- Clients (Voice and Data)
- Tags
- Rogue WLAs
- Client and WLA Connections

When you select Show Devices and then select an asset tag, you can see the temperature of the tag as well as the battery life for the tag.

Configuring NAS-ID for an MP Using the CLI

To set the NAS-ID of an MP, use the following command:

WLC# set ap apnum ap-nas-id string

The maximum length of the string value is 24 hexadecimal characters.

To set the URL format, use the following command:

WLC# set service-profile profilename web-redirect-url-format [standard | cmcc]

To set the NAS-ID for the WLC as a RADIUS attribute, use the following command:

WLC# set radius nas-id string

The maximum length of the string value is 24 hexadecimal characters.

To display the status of external sessions, use the following command:

WLC# show sessions external-web-auth [client-ip ipaddr] verbose

Client        Portal        SessionID     User Name     State
                                          user-1        Exchange

If verbose is specified, the output is displayed as follows:

Client IP:
Username: user-1
Portal:
Portal Port:
Portal Serial: 0xabcd
Session ID: 10
State: Accounting
Last Error code: 0

For RingMaster, the configuration is located under Access Points.

WMS1200-LA Alarms Displayed by RingMaster

The following WMS1200-LA alarms are displayed in the Alarms panel of RingMaster:

- WLA Snoop Status
- Agent Status
- Asset Tag Button Pressed
- Asset Tag Battery Low
- Asset Tag Detached
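The Snoop Filter Observer settings and Snoop Filter Conditions from the wizard earlier in this chapter (Target IP Address, Snap Length Limit, and the Direction, Frame Type, Channel, BSSID, Source MAC, Destination MAC, Host MAC and MAC Pair conditions), modelled as an added example that is not Juniper's or RingMaster's code. It assumes conditions are ANDed with exact-value attributes, that Host MAC matches either address and MAC Pair both addresses in either order, and does not model the Frame Gap Limit; the observer address, MAC addresses and frames are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Added example, not Juniper's code: a model of the Snoop Filter built in the
# wizard above, to check which frames reach the observer and how much of each.
_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
DIRECTIONS = {"receive", "transmit"}  # assumed Direction attribute values
CONDITION_KINDS = {"direction", "frame-type", "channel", "bssid",
                   "src-mac", "dst-mac", "host-mac", "mac-pair"}

def norm_mac(mac: str) -> str:
    """Canonicalise a MAC address and reject anything that is not one."""
    m = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(m):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return m

@dataclass
class Frame:
    """One 802.11 frame as seen by an access point radio (constructed input)."""
    direction: str   # "receive" or "transmit", relative to the radio
    frame_type: str  # e.g. "beacon", "data", "probe-request"
    channel: int
    bssid: str
    src_mac: str
    dst_mac: str
    payload: bytes

@dataclass
class SnoopFilter:
    """Observer settings and conditions entered in the Snoop Filter wizard."""
    name: str
    target_ip: str                     # Snoop Filter Observer: Target IP Address
    enabled: bool = True
    snap_length: Optional[int] = None  # Snap Length Limit (optional)
    conditions: dict = field(default_factory=dict)

    def __post_init__(self):
        ipaddress.ip_address(self.target_ip)  # ValueError on a bad observer address
        if self.snap_length is not None and self.snap_length <= 0:
            raise ValueError("snap length must be a positive byte count")

    def add_condition(self, kind: str, value) -> "SnoopFilter":
        """Add one condition; an unknown kind or malformed value is rejected."""
        if kind not in CONDITION_KINDS:
            raise ValueError(f"unknown condition: {kind}")
        if kind == "direction" and value not in DIRECTIONS:
            raise ValueError(f"direction must be one of {sorted(DIRECTIONS)}")
        if kind == "channel":
            value = int(value)
        elif kind in {"bssid", "src-mac", "dst-mac", "host-mac"}:
            value = norm_mac(value)
        elif kind == "mac-pair":
            value = frozenset(norm_mac(m) for m in value)
        self.conditions[kind] = value
        return self

    def matches(self, f: Frame) -> bool:
        """All conditions must hold (assumed AND); Host MAC matches either
        address, MAC Pair matches both addresses in either order."""
        if not self.enabled:
            return False
        src, dst = norm_mac(f.src_mac), norm_mac(f.dst_mac)
        checks = {
            "direction": lambda v: f.direction == v,
            "frame-type": lambda v: f.frame_type == v,
            "channel": lambda v: f.channel == v,
            "bssid": lambda v: norm_mac(f.bssid) == v,
            "src-mac": lambda v: src == v,
            "dst-mac": lambda v: dst == v,
            "host-mac": lambda v: v in (src, dst),
            "mac-pair": lambda v: frozenset((src, dst)) == v,
        }
        return all(checks[k](v) for k, v in self.conditions.items())

    def capture(self, f: Frame) -> Optional[bytes]:
        """Bytes the observer would receive (cut to the snap length), or None."""
        if not self.matches(f):
            return None
        return f.payload if self.snap_length is None else f.payload[:self.snap_length]

# Constructed sample frames: a station exchanging data with its AP, plus a
# beacon from an unrelated BSS on another channel.
STA, AP, OTHER = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
SAMPLE_FRAMES = [
    Frame("receive", "data", 6, AP, STA, AP, b"\x08\x01" + b"A" * 300),
    Frame("transmit", "data", 6, AP, AP, STA, b"\x08\x02" + b"B" * 40),
    Frame("receive", "beacon", 11, OTHER, OTHER, "ff:ff:ff:ff:ff:ff", b"\x80\x00"),
]

def forwarded(filt: SnoopFilter, frames=SAMPLE_FRAMES) -> list:
    """Sizes of the captures the observer would receive, one per matching frame."""
    return [len(c) for c in (filt.capture(f) for f in frames) if c is not None]

if __name__ == "__main__":
    sta_filter = SnoopFilter("sta-to-ap", "192.0.2.10", snap_length=64)
    sta_filter.add_condition("mac-pair", (STA, AP)).add_condition("channel", 6)
    print(forwarded(sta_filter))  # [64, 42]: the 302-byte frame is cut to 64 bytes
```

A filter with no conditions forwards every frame the mapped radios see, so the Snap Length Limit is what keeps the observer from receiving full frame bodies.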

Integrating an AirTight Server into RingMaster

Overview

SpectraGuard Enterprise is a complete, end-to-end wireless intrusion prevention solution (WIPS) used by some of the world's largest enterprise firms. You can now add AirTight servers to your RingMaster configuration. AirTight is a wireless security system that can track unwanted access or attempts to access your wireless network. For more information on AirTight, see the AirTight Web site.

Informational Note: Before you can integrate an AirTight Server, you must purchase and install the RingMaster license, RMTS-SECURITY-ADV.

Adding the AirTight Server to RingMaster

1. After you log into RingMaster, click Configuration. In the Organizer panel, select Application Servers.
2. The options for Application Server are displayed in the Tasks panel. Click Create AirTight SGD Server to launch the configuration wizard.
3. Enter the configuration information into the following fields:
   - Name: The name of the AirTight server.
   - IP Address: Enter the IP Address of the AirTight server.
   - Username: The username required to authenticate on the server.
   - Password: The password required to complete the authentication process on the server.
4. If you are not enabling SNMP for the AirTight server, clear Enable Traps. It is selected by default.
5. Click Next.
6. RingMaster now attempts to connect to the AirTight SGE server and synchronize with it.
7. After RingMaster synchronizes with the AirTight server, click Next to continue the integration.
8. You can now configure SNMP on RingMaster to process traps from the AirTight SGE Server. Select the SNMP version from the list and then configure the v2c settings.

   Informational Note: Because AirTight uses a proprietary configuration for SNMP, you cannot configure SNMP Version 3 as the SNMP setting.

9. Click Next to complete the configuration. The AirTight Server is now displayed in the Security Servers section of the Application Servers page.

To edit the AirTight Server properties, select the AirTight SGE Server and click Properties. You can edit the same information that you configured using the wizard.

For specific information about the AirTight SGE Server and its configuration, please consult the AirTight SGE Server documentation.

Adding Alarms for the AirTight Application Server

You can configure RingMaster to display alarms for the AirTight application server. To add or remove alarm categories, follow these steps:

1. Click Alarms, and then Setup.
2. Click the AirTight SGE Settings tab.
3. All AirTight alarms are enabled by default. Clear the checkboxes next to the alarms that you do not want monitored.
4. Click Close to save your alarm settings.
5. You can also query the Alarms database for AirTight-specific alarms. Click Query, and then select Security Server from the Type list.
6. From the Instance list, select Application Servers: AirTight.
7. Select the date and time range for the query.
8. Then select the Categories, Severities, and the States.
9. Click OK to execute the query against the Alarm database.

Creating AirTight Reports Using RingMaster

You can create AirTight reports by clicking Reports in the RingMaster interface, and then clicking Report under Generate in the Task list.

1. From the Organizer list, select Alarms and then Alarm Summary.
2. From the Task list, under Generate, click Report.
3. From the Report Scope Type list, select Security Server.
4. Click Next.
5. Select the type of format for the report from the Report Format list. Also, specify an e-mail address if you want the report sent via e-mail. Then specify if you want the report sent as a hyperlink in the e-mail or attached as a PDF. You can also copy the report to an FTP server. You must configure the FTP server as part of the overall Report Settings located under Setup in the Tasks list.
6. When you click Next, a link is generated to the report.
7. When you click on the link, the Alarm Summary Report is displayed in your Web browser.

Policies Overview

A policy is a set of WLC configuration parameters defined in RingMaster and then applied to multiple WLCs. When you apply a policy to a set of WLCs, all parameter settings in the policy are applied to the WLCs and update previous settings on these WLCs.

Managing Changes

When you create a new policy, none of the settings for the policy are applied to WLC switches (even the ones you associate with the policy when you create it) until you explicitly apply the policy to the switches. After associating a new policy with a switch, all new switches that match the WLA model and version number of the policy automatically receive the parameter settings in the policy. New switches are switches created using the WLC Switch wizard or any uploaded switches. However, policy changes are not automatically applied to switches. Reapply the changed policy to associated switches after making any changes to the policy.

Example of a Policy for a Large Network Deployment

In some cases, large network deployments consist of multiple instances of the same WLC models. A policy can be created in RingMaster and applied to the same models without configuring the individual controllers. For example, you may want to apply the same AAA parameters or wireless profile parameters to all WLC800s in your network. By creating a policy that is applied to all WLC800s, the policy is automatically applied by default when new WLC800s are added to the network.

Policy Example for Provisioning WLCs Based on Roles

As you expand your network, you may have some criteria for your network that includes smaller controllers in the branch and larger ones in the data center. These controllers may offer different services based on a role they have in the network. Applying these configurations on multiple controllers, based on model filtering, is easily performed at the policy application phase. For example, you could have remote WLAs connected to WLC2s which require remote WLA features based on a location or a policy such as guest access.


More information

Getting Started with the Web Client

Getting Started with the Web Client Getting Started with the Web Client Getting Started with the Web Client The OmniVista Web Client for OmniVista 3.3 provides users access to basic versions of the OmniVista Locator, Notifications, and Topology

More information

Configure Wireless Technologies

Configure Wireless Technologies Track Tagged Assets Using Optimized Monitor Mode on APs, page 2 Creating a Wireless Chokepoint, page 2 Removing a Wireless Chokepoint from the Network, page 3 Configure Autonomous APs, page 3 Configure

More information

Copyright 2015 Integrated Environmental Solutions Limited. All rights reserved.

Copyright 2015 Integrated Environmental Solutions Limited. All rights reserved. Tabular Room Data User Guide IES Virtual Environment Copyright 2015 Integrated Environmental Solutions Limited. All rights reserved. No part of the manual is to be copied or reproduced in any form without

More information

MerlinX Extension. For Adobe Creative Cloud Applications. MerlinOne Inc. 17 Whitney Road Quincy, MA T (617)

MerlinX Extension. For Adobe Creative Cloud Applications. MerlinOne Inc. 17 Whitney Road Quincy, MA T (617) MerlinX Extension For Adobe Creative Cloud Applications 17 Whitney Road Quincy, MA 02169 T (617) 328-6645 http://www.merlinone.com Table of Contents Table of Contents 1 Introduction 3 Installing the Extension

More information

MagicInfo VideoWall Author

MagicInfo VideoWall Author MagicInfo VideoWall Author MagicInfo VideoWall Author User Guide MagicInfo VideoWall Author is a program designed to construct a VideoWall layout and create VideoWall content by adding various elements

More information

IBM FlashSystem 720 & FlashSystem 820 Remote Support Overview

IBM FlashSystem 720 & FlashSystem 820 Remote Support Overview IBM FlashSystem 720 & FlashSystem 820 Remote Support Overview Copyright IBM Corporation 2014 i Applicable Products Product: IBM FlashSystem 720 Product Version(s): 6.3.1-p10, 6.3.0 Product: IBM FlashSystem

More information

What s New in Fireware v WatchGuard Training

What s New in Fireware v WatchGuard Training What s New in Fireware v12.2.1 What s New in Fireware v12.2.1 2 DNS enhancements for mobile VPN WAN interface monitors Loopback IP address support Certificate management enhancements DF bit setting for

More information

OpenForms360 Validation User Guide Notable Solutions Inc.

OpenForms360 Validation User Guide Notable Solutions Inc. OpenForms360 Validation User Guide 2011 Notable Solutions Inc. 1 T A B L E O F C O N T EN T S Introduction...5 What is OpenForms360 Validation?... 5 Using OpenForms360 Validation... 5 Features at a glance...

More information

Configuring FlexConnect Groups

Configuring FlexConnect Groups Information About FlexConnect Groups, page 1, page 5 Configuring VLAN-ACL Mapping on FlexConnect Groups, page 10 Configuring WLAN-VLAN Mappings on FlexConnect Groups, page 11 Information About FlexConnect

More information

BASIC USER TRAINING PROGRAM Module 5: Test Case Development

BASIC USER TRAINING PROGRAM Module 5: Test Case Development BASIC USER TRAINING PROGRAM Module 5: Test Case Development Objective Student will have an understanding of how to create, edit and execute a Test Case from Develop a Test Case Activity Page. Student will

More information

Firewall Policy. Edit Firewall Policy/ACL CHAPTER7. Configure a Firewall Before Using the Firewall Policy Feature

Firewall Policy. Edit Firewall Policy/ACL CHAPTER7. Configure a Firewall Before Using the Firewall Policy Feature CHAPTER7 The feature lets you view and modify firewall configurations access rules and CBAC inspection rules in the context of the interfaces whose traffic they filter. Using a graphical representation

More information

CTC Information and Shortcuts

CTC Information and Shortcuts APPENDIX A This appendix describes how to navigate in the Cisco Transport Controller (CTC), change CTC table data displays, and lists menu and tool options for the Cisco ONS 15454. This appendix also describes

More information

WhatsConfigured v3.1 User Guide

WhatsConfigured v3.1 User Guide WhatsConfigured v3.1 User Guide Contents Table of Contents Welcome to WhatsConfigured v3.1 Finding more information and updates... 1 Sending feedback... 2 Deploying WhatsConfigured STEP 1: Prepare the

More information

NetBrain Consultant Edition (CE)

NetBrain Consultant Edition (CE) NetBrain Consultant Edition (CE) Quick Start Guide NetBrain Technologies, Inc. 2004-2013. All rights reserved +1.800.605.7964 support@netbraintech.com www.netbraintech.com Contents 1. Introduction 1) Install

More information

CHAPTER. Introduction

CHAPTER. Introduction CHAPTER 1 Cisco Unified Communications Manager (formerly Cisco Unified CallManager) serves as the software-based call-processing component of the Cisco Unified Communications family of products. A wide

More information

Configuring Hybrid REAP

Configuring Hybrid REAP 13 CHAPTER This chapter describes hybrid REAP and explains how to configure this feature on controllers and access points. It contains the following sections: Information About Hybrid REAP, page 13-1,

More information

Managing GSS Devices from the GUI

Managing GSS Devices from the GUI CHAPTER 1 This chapter describes how to configure and manage your Global Site Selector Manager (GSSM) and Global Site Selector (GSS) devices from the primary GSSM graphical user interface. It includes

More information

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table

More information

GRS Enterprise Synchronization Tool

GRS Enterprise Synchronization Tool GRS Enterprise Synchronization Tool Last Revised: Thursday, April 05, 2018 Page i TABLE OF CONTENTS Anchor End User Guide... Error! Bookmark not defined. Last Revised: Monday, March 12, 2018... 1 Table

More information

Configuring Client Profiling

Configuring Client Profiling Prerequisites for, page 1 Restrictions for, page 2 Information About Client Profiling, page 2, page 3 Configuring Custom HTTP Port for Profiling, page 4 Prerequisites for By default, client profiling will

More information

This document contains information that will help you to create and send graphically-rich and compelling HTML s through the Create Wizard.

This document contains information that will help you to create and send graphically-rich and compelling HTML  s through the Create  Wizard. This document contains information that will help you to create and send graphically-rich and compelling HTML emails through the Create Email Wizard. or warranty by AT&T and is subject to change. 1 Contents

More information

Wholesale Lockbox User Guide

Wholesale Lockbox User Guide Wholesale Lockbox User Guide August 2017 Copyright 2017 City National Bank City National Bank Member FDIC For Client Use Only Table of Contents Introduction... 3 Getting Started... 4 System Requirements...

More information

HPE Intelligent Management Center

HPE Intelligent Management Center HPE Intelligent Management Center Service Health Manager Administrator Guide Abstract This guide provides introductory, configuration, and usage information for Service Health Manager (SHM). It is for

More information

Colligo Engage Outlook App 7.1. Offline Mode - User Guide

Colligo Engage Outlook App 7.1. Offline Mode - User Guide Colligo Engage Outlook App 7.1 Offline Mode - User Guide Contents Colligo Engage Outlook App 1 Benefits 1 Key Features 1 Platforms Supported 1 Installing and Activating Colligo Engage Outlook App 3 Checking

More information

vrealize Operations Manager Customization and Administration Guide vrealize Operations Manager 6.4

vrealize Operations Manager Customization and Administration Guide vrealize Operations Manager 6.4 vrealize Operations Manager Customization and Administration Guide vrealize Operations Manager 6.4 vrealize Operations Manager Customization and Administration Guide You can find the most up-to-date technical

More information

Tabular Building Template Manager (BTM)

Tabular Building Template Manager (BTM) Tabular Building Template Manager (BTM) User Guide IES Vi rtual Environment Copyright 2015 Integrated Environmental Solutions Limited. All rights reserved. No part of the manual is to be copied or reproduced

More information

The following topics explain how to get started configuring Firepower Threat Defense. Table 1: Firepower Device Manager Supported Models

The following topics explain how to get started configuring Firepower Threat Defense. Table 1: Firepower Device Manager Supported Models The following topics explain how to get started configuring Firepower Threat Defense. Is This Guide for You?, page 1 Logging Into the System, page 2 Setting Up the System, page 6 Configuration Basics,

More information

BROWSER-BASED SUPPORT CONSOLE USER S GUIDE. 31 January 2017

BROWSER-BASED SUPPORT CONSOLE USER S GUIDE. 31 January 2017 BROWSER-BASED SUPPORT CONSOLE USER S GUIDE 31 January 2017 Contents 1 Introduction... 2 2 Netop Host Configuration... 2 2.1 Connecting through HTTPS using Certificates... 3 2.1.1 Self-signed certificate...

More information

IPMI Configuration Guide

IPMI Configuration Guide IPMI Configuration Guide 1. Introduction of IPMI Server Manager... 2 2. IPMI Server Manager GUI Overview... 3 1 1. Introduction of IPMI Server Manager IPMI Server Manager allows remote access of computers

More information

DSS User Guide. End User Guide. - i -

DSS User Guide. End User Guide. - i - DSS User Guide End User Guide - i - DSS User Guide Table of Contents End User Guide... 1 Table of Contents... 2 Part 1: Getting Started... 1 How to Log in to the Web Portal... 1 How to Manage Account Settings...

More information

OPERATION MANUAL. MV-410HS Layout Editor. Version higher. Command

OPERATION MANUAL. MV-410HS Layout Editor. Version higher. Command OPERATION MANUAL MV-410HS Layout Editor Version 3.0 - higher Command Command Table of Contents 1. Setup... 1 1-1. Overview... 1 1-2. System Requirements... 1 1-3. Operation Flow... 1 1-4. Installing MV-410HS

More information

Using the Subscriber Manager GUI Tool

Using the Subscriber Manager GUI Tool CHAPTER 11 Using the Subscriber Manager GUI Tool Published: December 23, 2013, Introduction This chapter describes how to use the Subscriber Manager (SM) graphical user interface (GUI) tool to configure

More information