Colubris Networks Configuration Guide



Release 5.1 (October 2006)

Copyright 2006 Colubris Networks, Inc. All rights reserved, including those to reproduce this document or parts thereof in any form without written permission from Colubris Networks, Inc. Colubris is a registered trademark, and the Colubris Networks logo, the tag line The Intelligent Wireless Networking Choice and TriPlane are trademarks of Colubris Networks, Inc., in the United States and other countries. All other product and brand names are the service marks, trademarks, registered trademarks, or registered service marks of their respective owners.

Changes are periodically made to the information herein; these changes will be incorporated into new editions of the document. You can download the most up-to-date product information from the Colubris Networks website. Go to and on the homepage at left select Support > Product Registration.

Colubris Networks, Inc. 200 West Street Ste 300 Waltham, Massachusetts UNITED STATES
Phone: Fax:
Sales Information sales@colubris.com
Customer Support support@colubris.com
Training training@colubris.com

Contents

Chapter 1 Introduction
- About this guide

Chapter 2 Management
- Remote management

Chapter 3 Public access deployment series
- Scenario 1a: Hotspot with Internet access (local config)
- Scenario 1b: Hotspot with custom interface (local config)
- Scenario 1c: Hotspot with satellites and roaming (local config)
- Scenario 1d: Hotspot with layer 2 security (local config)
- Scenario 2a: Hotspot with Internet access (AAA server)
- Scenario 2b: Hotspot with custom interface (AAA server)
- Scenario 2c: Hotspot with satellites and roaming (AAA server)
- Scenario 2d: Hotspot with layer 2 security (AAA server)
- Scenario 2e: Using dual radios to support A+B+G traffic
- Scenario 3: Shared hotspot for public and private traffic
- Scenario 4: Delivering custom HTML pages using VLANs
- Scenario 5: Custom HTML pages on each MAP
- Scenario 6: Multi-site installation (distributed architecture)
- Scenario 7: Multi-site installation (centralized architecture)

Chapter 4 Public access deployment series
- Scenario 1a: Hotspot with satellites and roaming (local config)
- Scenario 1b: Hotspot with custom interface (local config)
- Scenario 1c: Hotspot with layer 2 security (local config)
- Scenario 2a: Hotspot with satellites and roaming (AAA server)
- Scenario 2b: Hotspot with custom interface (AAA server)
- Scenario 2c: Hotspot with layer 2 security (AAA server)
- Scenario 2d: Using dual radios to support A+B+G traffic
- Scenario 3: Shared hotspot for public and private traffic
- Scenario 4: Delivering custom HTML pages using VLANs
- Scenario 5: Custom HTML pages on each MAP
- Scenario 6: Multi-site installation (centralized architecture)

Chapter 5 Enterprise deployment
- Scenario 1: Adding secure wireless networking
- Scenario 2a: Integrating wireless networking with authentication
- Scenario 2b: Using multiple wireless profiles and QoS
- Scenario 2c: Supporting wireless phones
- Scenario 3: Adding wireless networking to a segmented network
- Scenario 4: Roaming across different subnets (single MSC)
- Scenario 5: Roaming across different subnets (multiple MSCs)
- Scenario 6: Private and public access networks in the enterprise

WDS scenarios
- Wireless bridging considerations
- Scenario 1: RF extension to expand a wired network (static)
- Scenario 2: Deploying a point-to-point wireless link (static)
- Scenario 3: Setting up multi-hop wireless links (static)
- Scenario 4a: Basic dynamic WDS deployment (3000 series)
- Scenario 4b: Basic dynamic WDS deployment (5000 series)
- Scenario 4c: Dynamic WDS links with load balancing
- Scenario 5: Creating a self-healing network

Chapter 7 Configuring DHCP servers to use Colubris vendor classes
- Windows Server
- ISC DHCP server
- Troubleshooting

Chapter 8 Configuring a legal intercept
- Redirecting traffic into a GRE tunnel
- Limiting NAT port range and tracking activity in the syslog

Chapter 9 More from Colubris
- Colubris.com
- Information by telephone and


Chapter 1 Introduction

In this chapter you can find an explanation of the conventions used in this guide and an overview of its contents.

About this guide

This guide contains detailed scenarios for using Colubris Networks MultiService Access Points (MAPs) and MultiService Controllers (MSCs) in a wide range of applications.

Although detailed configuration steps are provided for each scenario, the guide does not cover the basic procedures for operating and configuring Colubris Networks devices. This information can be found in the administrator's guides. You should be familiar with this information before you attempt to use the scenarios in this guide.

The scenarios are grouped according to function.

Typographical conventions

The following table gives the typographical conventions used in Colubris Networks technical documentation.

Example: Network > Ports
Description: When referring to the Management Tool web interface, bold type identifies menu selections, input fields, or user supplied values. Submenus are indicated by the > sign. The example refers to the Ports submenu, which is found under the Network menu.

Example: use-access-list=username
Description: Monospaced text identifies command-line output, program listings, or commands that you enter into configuration files or profiles.

Example: ip_address
Description: Items in italics are parameters for which you must supply a value.

Example: ssl-certificate=url [%s]
Description: Items enclosed in square brackets are optional. You can either include them or not. Do not include the brackets.

Example: [ONE | TWO]
Description: Items separated by a vertical line indicate one or more choices. Specify only one of the items.

Warnings, cautions, and notes

The following table explains some of the special symbols used in this guide.

Lead: Warning!
Description: Warnings provide information that you must follow to avoid risk of physical injury.

Lead: Caution!
Description: Cautions provide information that you must follow to avoid damage to the hardware or software components of the system.

Acronyms

The following table defines acronyms used in this guide.

Acronym   Definition
CIMS      Colubris Intelligent Mobility System
CNMS      Colubris Networks Management System
COS       Colubris Operating System
DWDS      Dynamic wireless distribution system
MAP       MultiService Access Point
MSC       MultiService Controller
VSC       Virtual service community
WCB       Wireless client bridge
WDS       Wireless distribution system

Related documentation

For information on related documentation, see the Colubris Networks Technical Documentation Road Map, available on the Colubris Networks Documentation CD and for download on the Colubris Networks web site.

Software versions

For information on using Colubris Networks products with different software revisions, see the Software Compatibility Matrix available on the Colubris Networks Documentation CD and for download on the Colubris Networks web site.


Chapter 2 Management

This chapter presents strategies for managing one or more devices across various network topologies.

Remote management

Note: When using a series 5000 MSC in conjunction with MAPs operating in controlled mode, all MAP configuration is handled via the management tool on the MSC. Therefore, remote management does not need to be configured as described in this section.

When a MAP is installed behind an MSC, enabling remote access to its management tool requires configuration settings to be defined on the MSC and the RADIUS server. This section explains how to configure remote management for the following two topologies.

[Figure: Topology A and Topology B, showing the RADIUS server, management station, router (A), VPN server and VPN tunnel (B), MSC, and MAPs A and B on the public WLAN.]

In topology A, the management tool is located behind a router and on a different network segment.

In topology B, the management station is located at a remote site. Access occurs via the Internet using a VPN tunnel to safeguard the traffic.

Configure the management station

To reach the management tool on the MAPs, the management station must specify the following addresses in its web browser.

Specify the following IP addresses for Topology A:
- To reach MAP A:
- To reach MAP B:

Specify the following IP addresses for Topology B:
- To reach MAP A:
- To reach MAP B:

- Static NAT mappings are used on the MSC to direct traffic to the proper MAP.
- MAC address authentication enables the MAPs to log into the public access network.
- Access list definitions allow traffic to be sent from the MSCs to the management stations.

Configure the MSCs

To direct management traffic to the proper MAP, you must create the following static NAT mappings:
- Map traffic on port 5002 to IP address and port 443.
- Map traffic on port 5003 to IP address and port 443.

These mappings redirect HTTPS traffic to the new ports you defined on the MAPs.

Configure the RADIUS server

Create an MSC profile

Create a RADIUS profile for the MSC as follows:

For the MAP to communicate with the management station, it must log into the public access network provided by the MSC. To accomplish this, add a MAC address attribute to the MSC's RADIUS profile for each MAP. This attribute enables the access controller to authenticate devices (such as the MAPs) based on their MAC address. For example:

mac-address=address[,username[,password]]

Replace address and username with the MAC address of the MAP. Replace password with the same password that the MSC uses to communicate with the RADIUS server.

Create an access list to ensure security

In both topology A and B it makes sense to protect access to the RADIUS server and management station. This is required because once logged in, public access customers gain access to all resources connected to the MSC's Internet port. An access list definition can be used to block all traffic to , for topology A, and , for topology B.

However, to enable the MAPs and the management station to communicate, an additional access list definition must be created as follows:

Topology A: Create an access list that permits HTTPS traffic to address This is the IP address of the management station. For example:

access-list=320,accept,tcp, ,443

Topology B: The list should permit HTTPS traffic to address This is the IP address of the management station inside the VPN tunnel.

access-list=320,accept,tcp, ,

Create a MAP profile

Define a RADIUS profile for each MAP. The profile should activate the access list that was defined in the MSC's RADIUS profile. For example:

use-access-list=320

Create a user account for each MSC

Define a RADIUS user account for each MSC. Define a unique username and password for each device.
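
The mac-address, access-list and use-access-list attributes described in this section can be checked together before they are loaded into the RADIUS server. The following Python lint is an added example, not part of the Colubris guide: the field order is taken from the attribute examples in this section, and the MAC addresses, the management station address 192.0.2.10, the secret and the function names are constructed for illustration.

```python
"""Lint the RADIUS attributes used for remote MAP management (added example)."""
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$")


def parse_attrs(lines):
    """Turn 'name=v1,v2,...' lines into (name, [fields]) pairs."""
    attrs = []
    for line in lines:
        name, sep, value = line.strip().partition("=")
        if sep:
            attrs.append((name.strip(), [f.strip() for f in value.split(",")]))
    return attrs


def norm_mac(mac):
    return mac.lower().replace("-", ":")


def check_msc_profile(lines, map_macs, mgmt_ip, list_name="320"):
    """Return a list of problems found in the MSC's RADIUS profile."""
    problems = []
    attrs = parse_attrs(lines)

    # mac-address=address[,username[,password]]: one entry per MAP,
    # with the username equal to the MAC address, as the guide instructs.
    seen = {}
    for name, f in attrs:
        if name != "mac-address":
            continue
        if not MAC_RE.match(f[0].lower()):
            problems.append(f"mac-address: malformed MAC {f[0]!r}")
            continue
        seen[norm_mac(f[0])] = f
    for mac in map(norm_mac, map_macs):
        if mac not in seen:
            problems.append(f"mac-address: no entry for MAP {mac}")
        elif len(seen[mac]) > 1 and norm_mac(seen[mac][1]) != mac:
            problems.append(f"mac-address: username for {mac} is not the MAC")

    # access-list=name,action,protocol,address,port: the list must accept
    # HTTPS (tcp/443) to the management station and nothing wider.
    mgmt = ipaddress.ip_address(mgmt_ip)
    rules = [f for name, f in attrs if name == "access-list" and f[0] == list_name]
    if not rules:
        problems.append(f"access-list: list {list_name} is not defined")
    permitted = False
    for f in rules:
        if len(f) < 5 or not f[3] or not f[4]:
            problems.append("access-list: empty address or port in " + ",".join(f))
            continue
        action, proto, addr, port = f[1], f[2], f[3], f[4]
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            problems.append(f"access-list: {addr!r} is not an IP address")
            continue
        if action == "accept" and net.num_addresses > 1:
            problems.append(f"access-list: accept rule covers {net}, not one host")
        if (action, proto, port) == ("accept", "tcp", "443") \
                and net.num_addresses == 1 and mgmt in net:
            permitted = True
    if rules and not permitted:
        problems.append(f"access-list: no accept,tcp,{mgmt_ip},443 rule in {list_name}")
    return problems


def check_map_profile(lines, list_name="320"):
    """Each MAP profile must activate the list defined in the MSC profile."""
    used = [f[0] for name, f in parse_attrs(lines) if name == "use-access-list"]
    if list_name in used:
        return []
    return [f"use-access-list: profile does not activate list {list_name}"]


# Constructed sample data (documentation address range, made-up MACs).
MAP_MACS = ["02:00:00:00:00:0A", "02:00:00:00:00:0b"]
MGMT_IP = "192.0.2.10"
GOOD_MSC = [
    "mac-address=02:00:00:00:00:0a,02:00:00:00:00:0a,constructed-secret",
    "mac-address=02:00:00:00:00:0b,02:00:00:00:00:0b,constructed-secret",
    "access-list=320,accept,tcp,192.0.2.10,443",
]
BAD_MSC = [
    "mac-address=02:00:00:00:00:0a,mapA,constructed-secret",  # wrong username
    "access-list=320,accept,tcp, ,443",                       # address left blank
]

if __name__ == "__main__":
    for label, profile in (("good", GOOD_MSC), ("bad", BAD_MSC)):
        print(label, check_msc_profile(profile, MAP_MACS, MGMT_IP))
    print(check_map_profile(["use-access-list=320"]))
```

A blank address field, as in the second sample profile, is reported rather than silently accepted, so a rule copied without its address cannot pass as the management exception.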

Chapter 3 Public access deployment series

This chapter presents sample deployment strategies for common public access scenarios using an MSC-3000 series service controller and one or more MAPs operating in autonomous mode. These scenarios will give you a good idea about how to approach your installation.

Scenario 1a: Hotspot with Internet access (local config)

This scenario shows you how to quickly deploy and test the MSC without installing a RADIUS server. Instead, customer authentication is handled locally on the MSC.

How it works

In this scenario a single 3000 series MSC is installed to provide a wireless network and access to the Internet. The MSC is connected to the Internet by way of a broadband modem, and the Internet connection is protected by the MSC's firewall and NAT features (which are enabled by default).

[Figure: MSC with its Internet port and LAN port, serving a LAN and a public WLAN.]

A local area network is connected to the MSC's LAN port to support wired customers. The MSC acts as the DHCP server on both the wireless and wired networks which are bridged together on subnet

The MSC is operating in local mode, which means that:
- Customer authentication is handled locally by the MSC and accounts are created on the MSC for each customer. There is no support for accounting.
- A RADIUS server is not required to activate the public access interface. Instead, the default public access interface resident on the MSC is used by customers to login and manage their sessions.

Configuration road map

Install the MSC

1. Install the MSC as described in its Quickstart guide.
2. Connect the Internet port to a broadband modem and then restart the modem.
3. Connect the LAN port to the local area network.
4. Start the management tool.

Configure the wireless network

By default the MSC is configured to:
- automatically choose the best operating channel (frequency)
- support b/g clients
- create a wireless network named Colubris Networks

There is no need to change these settings for this scenario.

Note: By default, one radio on the MSC-3300 is used to provide the wireless network and the other is placed into Monitor mode.

Configure the Internet connection

1. Select Network > Ports > Internet port.
2. Select the addressing option supported by your ISP and click Configure.
3. Define all settings as required by your ISP.

Define the list of users

1. Select Public access > Users.
2. Add usernames and passwords for all users/customers.

Test the public access interface

To test your installation, use a wireless client station to log onto the public access interface. (For this to work, the MSC must be configured as the client's default gateway. This is done by default if the wireless client is using DHCP.)

1. Start the client station's web browser and enter the IP address (or domain name) of a web site on the Internet.
2. The MSC should intercept the URL and display the Login page. (Depending on the type of certificate that is installed on the MSC, you may see a security warning first.)
3. Specify a valid customer name and password to login.
4. The Session page will open.
5. Next, you are automatically redirected to the web site you originally requested.

Scenario 1b: Hotspot with custom interface (local config)

This scenario adds custom settings to the default public access interface used in Scenario 1a.

This scenario illustrates how to customize the operation of the public access interface by defining all configuration options on the MSC.

How it works

In this scenario, a web server is used to store custom pages for the public access interface. The MSC loads these pages each time it is restarted.

There are two ways to deploy this scenario.

Topology 1

In this version, the web server is located on the Internet.

[Figure: Topology 1, showing the web server on the Internet and the MSC serving a LAN and a public WLAN.]

Topology 2

In this version, the web server is located on local LAN B along with a router/firewall which handles the connection to the Internet. Instead of being directly connected to the Internet the MSC is also connected to local LAN B.

[Figure: Topology 2, showing the web server and router/firewall on LAN B, and the MSC serving LAN A and a public WLAN.]

In this scenario, the web server is also the DHCP server for LAN B, operating on subnet

The MSC's Internet port is set to operate as a DHCP client.

Configuration road map

Important: Start with the configuration defined in Scenario 1a.

Configure the Internet port (Topology 2 only)

1. Select Network > Ports > Internet port.
2. Select DHCP Client and click Save.

Customize the login page and logo

1. Create a folder called newpages on the web server.
2. Create a file called logo.gif that contains your logo and place it in the newpages folder (recommended size less than 20K). This same image file is shared by all pages.
3. Copy the following files from the \Doc\Samples\Internal_Pages folder on the Colubris Networks documentation CD and place them in the newpages folder.
   - login.html
   - transport.html
   - session.html
   - fail.html
4. Edit login.html to meet the requirements of your site, keeping the following restrictions in mind:
   - Do not alter the ID tags <!-- Colubris --> & <!-- Custom --> located at the top of the page.
   - Do not alter any JavaScript code.
5. Open the Public access > attributes page and add the following to the Configured attributes table:

   login-page=web_server_url/newpages/login.html
   transport-page=web_server_url/newpages/transport.html
   session-page=web_server_url/newpages/session.html
   fail-page=web_server_url/newpages/fail.html
   logo=web_server_url/newpages/logo.gif

Test the public access interface

To test your installation, use a wireless client station to log onto the public access interface. (For this to work, the MSC must be configured as the client's default gateway. This is done by default if the wireless client is using DHCP.)

1. Start the client station's web browser and enter the IP address (or domain name) of a web site on the Internet.
2. The MSC should intercept the URL and display the modified Login page. (Depending on the type of certificate that is installed on the MSC, you may see a security warning first.)
3. To login, specify a valid customer name and password. The Session page should open.
4. Next, you are automatically redirected to the web site you originally requested.

Scenario 1c: Hotspot with satellites and roaming (local config)

This scenario adds two MAPs to extend the wireless network in Scenario 1b.

This scenario uses two MAPs to extend the reach of the public access network created by an MSC.

How it works

In this scenario two MAPs (operating in autonomous mode) are connected to an MSC using a backbone LAN to provide multiple wireless cells for a large physical location. Customers can log into the public access network at any location and can roam between access points without losing their connection.

By default, each MAP is configured as a DHCP client and obtains its address from the MSC, which by default is configured as the DHCP server.

Customer authentication is handled locally by the MSC, and accounts are created on the MSC for each customer. There is no support for accounting.

The following diagrams illustrate how the two topologies described in Scenario 1b can be modified to support satellites and roaming. In both cases the configuration procedure is the same.

[Figure: Topology 1, showing the web server, the MSC, and two MAPs on the LAN, each providing a public WLAN.]

[Figure: Topology 2, showing the web server and router/firewall on LAN B, and the MSC and two MAPs on LAN A, each providing a public WLAN.]

Configuration road map

Important: Start with the configuration defined in Scenario 1b.

Install the MAPs

Install the MAPs as described in the appropriate quickstart guide.

Switch MAPs to autonomous mode

By default the MAPs are configured to operate in controlled mode. Switch them to autonomous mode as follows:

1. Start the Management Tool and login.
2. On the home page, click Switch to Autonomous Mode. The MAP will restart.
3. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

Configure the wireless network

By default the MAPs are configured to:
- support b/g clients
- automatically choose the best operating channel (frequency)
- create a wireless network named Colubris Networks

There is no need to change these settings for this scenario.

Important: All wireless networks must have the same network name (SSID) to support roaming.

Set the shared secret on the MSC

1. Select Public access > Access control.
2. In the Access controller shared secret box, set Shared secret and Confirm shared secret to a unique string. For example: xr2t56. This password will be used by the MAPs to connect to the MSC when they send authentication requests.
3. Click Save.

Configure the connection to the MSC on the MAPs

Each MAP will use the services of the MSC to authenticate customer logins. Do the following on each MAP.

1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
3. In the General box, select the Use Colubris access controller check box.
4. Click Save.
5. Select Security > Access controller.
6. Set the Access controller shared secret to match the secret set on the MSC.
7. Click Save.

Note: By default the MAP is set up to use the default gateway assigned by DHCP as the access controller. Do not change this setting.

Scenario 1d: Hotspot with layer 2 security (local config)

This scenario adds support for WEP and WPA clients to scenario 1c.

This scenario shows how to enable wireless protection to safeguard transmissions against eavesdropping.

How it works

This scenario creates three virtual service communities (VSCs) on each device. Each VSC provides support for a different security option: WEP, WPA (with preshared key), and none. To connect with the wireless network, customers must select the SSID of the VSC that matches the option that they want to use.

Roaming is supported, since the same VSCs are defined on all access points.

The following diagrams illustrate how the two topologies described in Scenario 1c can be modified to support layer 2 security. In both cases the configuration procedure is the same.

[Figure: Topology 1, showing the web server, the MSC, and two MAPs on the LAN, each offering the None, WEP, and WPA wireless networks.]

[Figure: Topology 2, showing the web server and router/firewall on LAN B, and the MSC and two MAPs on LAN A, each offering the None, WEP, and WPA wireless networks.]

Configuration road map

Important: Start with the configuration defined in Scenario 1c.

Create VSCs on the MAPs

Use the following steps to create three virtual service communities on all MAPs.

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as None.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as None.
4. On the Virtual Service Communities page, click Add New Profile.
5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WEP.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as WEP.
   - Under Wireless protection: Select the checkbox and choose WEP. For Key, specify 13 ASCII characters as the key.
6. On the Virtual Service Communities page, click Add New Profile.
7. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WPA.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as WPA.
   - Under Wireless protection: Select the checkbox and leave the default setting of WPA. For Mode, select WPA (TKIP) or WPA2 (AES/CCMP). For Key source, select Preshared key. For Key and Confirm key, set a unique key value.

Create VSCs on the MSC

Use the following steps to create virtual service communities on the MSC that match each VSC you configured on the MAPs:

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as None.
   - Under Virtual AP, enter the WLAN name (SSID) as None.
4. On the Virtual Service Communities page, click Add New Profile.
5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WEP.
   - Under Virtual AP, enter the WLAN name (SSID) as WEP.
   - Under Wireless protection: Select the checkbox and choose WEP. For Key, specify the same 13 ASCII characters you defined on the MAPs.
6. On the Virtual Service Communities page, click Add New Profile.
7. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WPA.
   - Under Virtual AP, enter the WLAN name (SSID) as WPA.
   - Under Wireless protection: Select the checkbox and leave the default setting of WPA. For Mode, select WPA (TKIP) or WPA2 (AES/CCMP). For Key source, select Preshared key. For Key and Confirm key, set the same unique key value you defined on the MAPs.

Scenario 2a: Hotspot with Internet access (AAA server)

This installation shows you how to create a public access network using an AAA (authentication, administration, accounting) RADIUS server to handle customer authentication.

How it works

In this scenario a single 3000 series MSC is installed to provide a wireless network and access to the Internet.

A local area network is connected to the MSC's LAN port to support wired customers. The MSC acts as the DHCP server on both the wireless and wired networks which are bridged together on subnet

A RADIUS server (either local or remote) provides services for customer authentication and accounting.

There are two ways to deploy this scenario as illustrated by topology 1 and topology 2 in the sections that follow.

Topology 1

In this version, a NOC (network operations center) is located at a remote site. A RADIUS server is installed at the NOC along with a VPN server. The MSC is connected to the Internet using a broadband modem. The Internet connection is protected by the MSC's firewall and NAT features.

The MSC connects to the VPN server at the NOC using its PPTP client. This provides a secure link through which authentication traffic can be exchanged with the RADIUS server.

[Figure: Topology 1, showing the RADIUS server and VPN server (myvpn.com) at the NOC, the VPN tunnel, and the MSC serving a LAN and a public WLAN.]

Topology 2

In this version, the RADIUS server is located on local LAN B along with a router/firewall which handles the connection to the Internet. Instead of being directly connected to the Internet the MSC is also connected to local LAN B.

[Figure: Topology 2, showing the RADIUS server and router/firewall on LAN B, and the MSC serving LAN A and a public WLAN.]

Configuration road map

On the RADIUS server

Define RADIUS accounts for all customers that will use the public access network.

Install the MSC

1. Install the MSC as described in its Quickstart guide.
2. If setting up Topology 1, connect the Internet port to a broadband modem and then restart the modem. If setting up Topology 2, connect the Internet port to LAN B.
3. Connect the LAN port to the local area network.
4. Start the management tool.

Configure the wireless network

By default the MSC is configured to:
- support b/g clients
- automatically choose the best operating channel (frequency)
- create a wireless network named Colubris Networks

There is no need to change these settings for this scenario.

Note: By default one radio on the MSC-3300 is used to provide the wireless network and the other is placed into Monitor mode.

Configure the Internet port

1. Select Network > Ports > Internet port.
2. Select the proper addressing option:
   - For topology 1, select the option supported by your ISP and click Configure. Define all settings as required.
   - For topology 2, select DHCP client and click Save.

Create a VPN connection (Topology 1 only)

1. Select Security > PPTP client.
2. Select the PPP client connection checkbox.
3. Under Connection, set the PPTP server address to the address of the VPN server (in this example, myvpn.com).
4. Under Account, set Username and Password as required by the VPN server.
5. Click Save.

Create a RADIUS profile

1. Select Security > RADIUS.
2. Click Add New Profile.
3. In the Profile name box, assign RADIUS Profile 1 to the new profile.
4. In the Settings box, use the defaults except for Authentication method which must match the method supported by the RADIUS server.
5. In the Primary RADIUS server box, specify the address of the RADIUS server and the secret the MSC will use to login.

Enable RADIUS authentication of customers

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page, under HTML-based user logins:
   - Clear the Local authentication checkbox.
   - Select the RADIUS authentication checkbox.
   - For RADIUS profile, select RADIUS Profile 1.
   - Select the RADIUS accounting checkbox.

Test the public access interface

To test your installation, use a wireless client station to log onto the public access interface. (For this to work, the MSC must be configured as the client's default gateway. This is done by default if the wireless client is using DHCP.)

1. Start the client station's web browser and enter the IP address (or domain name) of a web site on the Internet.
2. The MSC should intercept the URL and display the Login page. Specify a valid customer name and password.
3. The Session page will open.
4. Next, you are automatically redirected to the web site you originally requested.

Scenario 2b: Hotspot with custom interface (AAA server)

This scenario adds custom settings to the default public access interface used in Scenario 2a.

This scenario illustrates how to customize the operation of the public access interface when using a AAA RADIUS server.

How it works

In this scenario a web server is used to store custom pages for the public access interface. Attributes are defined on the MSC that enable the custom pages to be retrieved by the MSC and presented to customers in place of the default public access pages.

The following diagrams show how the two topologies described in Scenario 2a can be extended to support a web server. In both cases the configuration procedure is the same.

Topology 1

In this version the web server is located at the NOC and is accessed through the Internet. As in scenario 2a, traffic with the NOC is protected using a VPN tunnel.

[Figure: Topology 1, showing the web server, RADIUS server and VPN server (myvpn.com) at the NOC, the VPN tunnel, and the MSC serving a LAN and a public WLAN.]

Topology 2

In this version the web server is located on local LAN B.

[Figure: Topology 2, showing the RADIUS server, web server and router/firewall on LAN B, and the MSC serving LAN A and a public WLAN.]

Configuration road map

Important: Start with the configuration defined in Scenario 2a.

Customize the login page and logo

1. Create a folder called newpages on the web server.
2. Create a file called logo.gif that contains your logo and place it in the newpages folder (recommended size less than 20K). This same image file is shared by all pages.
3. Copy the following files from the \Doc\Samples\Internal_Pages folder on the Colubris Networks documentation CD and place them in the newpages folder.
   - login.html
   - transport.html
   - session.html
   - fail.html
4. Edit login.html to meet the requirements of your site, keeping the following restrictions in mind:
   - Do not alter the ID tags <!-- Colubris --> & <!-- Custom --> located at the top of the page.
   - Do not alter any JavaScript code.

Define attributes on the RADIUS server

On the RADIUS server, define an account for the MSC and add the following entries to it.

login-page=web_server_url/newpages/login.html
transport-page=web_server_url/newpages/transport.html
session-page=web_server_url/newpages/session.html
fail-page=web_server_url/newpages/fail.html
logo=web_server_url/newpages/logo.gif

For more information on these attributes, consult the Public Access Administrator Guide.

Configure the MSC to retrieve attributes from the RADIUS server

The MSC will retrieve the configuration attributes defined on the RADIUS server each time it authenticates with the server.

1. Select Public access > Attributes.
2. Select the Retrieve attributes using RADIUS option.
3. Select the RADIUS profile you defined (RADIUS Profile 1) in scenario 2a.
4. Specify the username and password the MSC will use to login to the RADIUS server.
5. Click Retrieve Now. The MSC will login and retrieve the attributes.
6. Click Save.

Test the public access interface

To test your installation, use a wireless client station to log onto the public access interface. (For this to work, the MSC must be configured as the client's default gateway. This is done by default if the wireless client is using DHCP.)

1. Start the client station's web browser and enter the IP address (or domain name) of a web site on the Internet.
2. The MSC should intercept the URL and display the modified Login page. (Depending on the type of certificate that is installed on the MSC, you may see a security warning first.)
3. To login, specify a valid customer name and password. The Session page should open.
4. Next, you are automatically redirected to the web site you originally requested.
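
The customization rules in Scenarios 1b and 2b (keep the ID tags at the top of login.html, leave the JavaScript alone, keep the logo under 20K, and define all five attributes under newpages) can be checked before the pages are published. The following Python check is an added example, not part of the Colubris guide: the sample page is constructed and is not the file from the documentation CD, and the base URL https://web.example and all function names are assumptions.

```python
"""Pre-publication check for customized public access pages (added example)."""
import re

# Attribute names and file names as listed in the guide.
EXPECTED = {
    "login-page": "login.html",
    "transport-page": "transport.html",
    "session-page": "session.html",
    "fail-page": "fail.html",
    "logo": "logo.gif",
}
ID_TAGS = ("<!-- Colubris -->", "<!-- Custom -->")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
MAX_LOGO_BYTES = 20 * 1024  # "recommended size less than 20K"


def check_attributes(lines, base_url):
    """Every attribute must exist and point at base_url/newpages/<file>."""
    found = {}
    for line in lines:
        name, sep, value = line.strip().partition("=")
        if sep:
            found[name.strip()] = value.strip()
    problems = []
    for name, fname in EXPECTED.items():
        want = f"{base_url}/newpages/{fname}"
        if name not in found:
            problems.append(f"{name}: attribute is missing")
        elif found[name] != want:
            problems.append(f"{name}: expected {want}, found {found[name]}")
    return problems


def id_tag_header(page):
    """Text from the start of the page through the last ID tag, or None."""
    end = -1
    for tag in ID_TAGS:
        pos = page.find(tag)
        if pos < 0:
            return None
        end = max(end, pos + len(tag))
    return " ".join(page[:end].split())  # ignore whitespace-only changes


def check_login_page(original, edited):
    """Compare an edited login.html with the unmodified sample page."""
    head = id_tag_header(original)
    if head is None:
        raise ValueError("reference page does not contain the ID tags")
    problems = []
    if id_tag_header(edited) != head:
        problems.append("ID tags at the top of the page were altered or moved")
    # Assumption: the page's JavaScript lives in <script> elements.
    if SCRIPT_RE.findall(original) != SCRIPT_RE.findall(edited):
        problems.append("JavaScript differs from the sample page")
    return problems


def check_logo(data):
    if len(data) < MAX_LOGO_BYTES:
        return []
    return [f"logo.gif is {len(data)} bytes, above the recommended 20K"]


# Constructed stand-in for the sample login.html and two edits of it.
SAMPLE_PAGE = """<!-- Colubris -->
<!-- Custom -->
<html><head><script>function go(){document.forms[0].submit();}</script></head>
<body><img src="logo.gif"><p>Welcome</p></body></html>"""
GOOD_EDIT = SAMPLE_PAGE.replace("<p>Welcome</p>", "<p>Welcome to our hotspot</p>")
BAD_EDIT = SAMPLE_PAGE.replace("<!-- Custom -->\n", "").replace("submit()", "reset()")

BASE = "https://web.example"
GOOD_ATTRS = [f"{n}={BASE}/newpages/{f}" for n, f in EXPECTED.items()]

if __name__ == "__main__":
    print(check_login_page(SAMPLE_PAGE, GOOD_EDIT))
    print(check_login_page(SAMPLE_PAGE, BAD_EDIT))
    print(check_attributes(GOOD_ATTRS[:-1], BASE))
    print(check_logo(b"\0" * 30000))
```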

Scenario 2c: Hotspot with satellites and roaming (AAA server)

This scenario adds multiple MAPs to extend the wireless network in Scenario 2b. MAP devices can be used to extend the reach of the public access network created by an InMotion MultiService Controller (MSC).

How it works

In this scenario several MAP devices are connected to a series 3000 MSC by way of a backbone LAN to provide multiple wireless cells for a large physical location. Customers can log into the public access network at any location and can roam between access points without losing their connection.

By default, each MAP is configured as a DHCP client and obtains its address from the MSC, which by default is configured as the DHCP server.

A RADIUS server (either local or remote) provides services for customer authentication and accounting.

The following diagrams illustrate how the two topologies described in Scenario 2b can be modified to support satellites and roaming. In both cases the configuration procedure is the same.

Topology 1

[Figure: Topology 1. Labels: Web server, RADIUS server, VPN server, VPN tunnel, myvpn.com, LAN, two MAPs and the MSC (LAN port, Internet port), each with a PUBLIC WLAN]

Topology 2

[Figure: Topology 2. Labels: RADIUS server, Web server, Router, Firewall, LAN, LAN A, LAN B, two MAPs and the MSC (LAN port, Internet port), each with a PUBLIC WLAN]

Configuration road map

Important: Start with the configuration defined in Scenario 2b.

Install the MAPs

Install the MAPs as described in the appropriate quickstart guide.

Switch MAPs to autonomous mode

By default the MAPs are configured to operate in controlled mode. Switch them to autonomous mode as follows:

1. Start the Management Tool and login.
2. On the home page click Switch to Autonomous Mode. The MAP will restart.
3. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

Configure the wireless network

By default the MAPs are configured to:
   - support b/g clients
   - automatically choose the best operating channel (frequency)
   - create a wireless network named Colubris Networks

There is no need to change these settings for this scenario.

Note: By default, one radio on the MAP-330 and the MSC-3300 is used to provide the wireless network, and the other is placed into Monitor mode.

Set the shared secret on the MSC

1. Select Public access > Access control.
2. In the Access controller shared secret box, set Shared secret and Confirm shared secret to a unique string. For example: xr2t56. This password will be used by the MAPs to send authentication requests to the MSC.
3. Click Save.

Configure the connection to the MSC on the MAPs

Configure the following on each MAP.

1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
3. In the General box, select the Use Colubris access controller check box.
4. Click Save.

1. Select Security > Access controller.
2. Set the Access controller shared secret to match the secret set on the MSC.
3. Click Save.

Note: By default the MAP is set up to use the default gateway assigned by DHCP as the access controller. Do not change this setting.

Scenario 2d: Hotspot with layer 2 security (AAA server)

This scenario adds support for 802.1x and WPA clients to scenario 2c. This scenario shows how to enable wireless protection to safeguard transmissions against eavesdropping.

How it works

This scenario creates three virtual service communities (VSCs) on each device. Each VSC provides support for a different security option: 802.1x (with WEP), WPA, and none. To connect with the wireless network, customers must select the SSID that matches the option that they want to use.

Roaming between MAPs is supported, since the same VSCs are defined on all access points.

Authentication of client stations occurs as follows:
   - On the SSIDs 8021x and WPA, authentication is handled by the MSC using accounts defined on the RADIUS server.
   - On the SSID None, client stations login to the public access interface and are authenticated by the MSC using accounts defined on the RADIUS server.

The following diagrams show how the two topologies described in Scenario 2c can be modified to support layer 2 security. In both cases the configuration procedure is the same.

Topology 1

[Figure: Topology 1. Labels: Web server, RADIUS server, VPN server, VPN tunnel, myvpn.com, LAN, two MAPs and the MSC (LAN port, Internet port), each offering None, 8021x and WPA]

Topology 2

[Figure: Topology 2. Labels: RADIUS server, Web server, Router, Firewall, LAN, LAN A, LAN B, two MAPs and the MSC (LAN port, Internet port), each offering None, 8021x and WPA]

Configuration road map

Important: Start with the configuration defined in Scenario 2c.

Create VSCs on the MAP

Use the following steps to create three virtual service communities on all MAPs.

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as None.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as None.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WPA.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as WPA.
   - Under Wireless protection:
     - Select the checkbox and leave the default setting of WPA.
     - For Mode, select WPA (TKIP) or WPA2 (AES/CCMP).
     - Leave Key source as RADIUS.
6. On the Virtual Service Communities page, click Add new profile.

7. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as 8021x.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as 8021x.
   - Under Wireless protection:
     - Select the checkbox and select 802.1x.
     - Select the Mandatory authentication checkbox.
     - Select the WEP encryption checkbox.

Create VSCs on the MSC

Use the following steps to create virtual service communities on the MSC that match each VSC you configured on the MAPs:

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as None.
   - Under Virtual AP, enter the WLAN name (SSID) as None.
   - Under HTML-based user logins:
     - Enable RADIUS authentication.
     - For RADIUS profile, select RADIUS Profile 1 (which was defined in Scenario 2a).
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WPA.
   - Under Virtual AP, enter the WLAN name (SSID) as WPA.
   - Under Wireless protection:
     - Select the checkbox and leave the default setting of WPA.
     - For Mode, select WPA (TKIP) or WPA2 (AES/CCMP).
     - Leave Key source as RADIUS.
     - For RADIUS profile, select RADIUS Profile 1 (which was defined in Scenario 2a).
   - Clear the HTML-based user logins checkbox.
   - Under Access controlled, clear the Redirect HTML users to login page checkbox.
6. On the Virtual Service Communities page, click Add new profile.

7. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as 8021x.
   - Under Virtual AP, enter the WLAN name (SSID) as 8021x.
   - Under Wireless protection:
     - Select the checkbox and select 802.1x.
     - For RADIUS profile, select RADIUS Profile 1 (which was defined in Scenario 2a).
     - Select the Mandatory authentication checkbox.
     - Select the WEP encryption checkbox.
   - Clear the HTML-based user logins checkbox.
   - Under Access controlled, clear the Redirect HTML users to login page checkbox.

Scenario 2e: Using dual radios to support A+B+G traffic

This scenario adds support for a wireless clients to Scenario 2d.

Important: This scenario is supported by dual-radio units only.

Colubris Networks dual radio products can be configured to support the same SSID on two different radios. This enables a single device to support wireless clients regardless of the type of radio they have: a, b, or g.

How it works

In this scenario an MSC-3300 is used in conjunction with two MAP-330s. Both products support dual radios. The radios on all these devices are configured to operate as follows:
   - Radio 1: b/g mode
   - Radio 2: a mode

The three wireless profiles created in Scenario 2d are changed to transmit and receive on both radio 1 and radio 2. Customers are now able to connect regardless of their radio type, and since a customers are on a separate radio they do not share bandwidth with customers using b/g.

Network topology

Note: See scenario 2d for a diagram of the network topology.

Configuration road map

Important: Start with the configuration defined in Scenario 2d.

Configure radio 2

1. Select Wireless > Radios.
2. Under Radio 2:
   - Change Operating mode to Access point only.
   - Change Wireless mode to a.
3. Click Save.

Configure VSC profiles

1. Select VSC > Profiles.
2. Edit each VSC created in Scenario 2d (8021x, WPA, and none) as follows:
   - Click the profile name.
   - Under Virtual AP, set Transmit/receive on to Radio 1 and

Scenario 3: Shared hotspot for public and private traffic

In this scenario VLANs and multiple SSIDs are used to enable public and private users to share the same infrastructure with complete security.

How it works

This scenario shows you how to deploy a wireless network so that it can be shared between company employees and paying customers. It enables you to leverage a single wireless infrastructure to build a hotspot and provide easy access for mobile employees.

Employees connect using the Private SSID and are routed to the corporate network on VLAN 50. The MSC authenticates employees using the Corporate RADIUS server. Once authenticated, employee traffic is forwarded on VLAN 50 so that it can reach the corporate intranet.

Customers connect using the Public SSID and login using the MSC's public access interface. The MSC authenticates customers using the ISP RADIUS server. Once authenticated, customer traffic is forwarded on VLAN 60 so that it can reach the Internet.

[Figure: Labels: Corporate RADIUS server, ISP RADIUS server, Corporate Intranet, Firewall, Switch, VLAN 50, VLAN 60, Employees, MSC, MAP, Employee SSID = Private, Guest SSID = Public]

Configuration road map

Define settings on the RADIUS servers

1. On the ISP RADIUS server create accounts for public users.
2. On the corporate RADIUS server create accounts for employees.

Install the MSC and MAP

1. Install the MSC and MAP as described in the appropriate quickstart guide.
2. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

Switch the MAP to autonomous mode

By default the MAP is configured to operate in controlled mode. Switch it to autonomous mode as follows:

1. Start the Management Tool and login.
2. On the home page click Switch to Autonomous Mode. The MAP will restart.

Configure the MSC

Configure the Internet port

1. Select Network > Ports > Internet port.
2. Select No address (Support VLAN traffic only).
3. Click Save.

Create two RADIUS profiles

1. Select Security > RADIUS.
2. Click Add New Profile.
   - In the Profile name box, assign CorporateRADIUS to the new profile.
   - In the Settings box, use the defaults except for Authentication method which must match the method supported by the RADIUS server.
   - In the Primary RADIUS server box, specify the address of the corporate RADIUS server and the secret the MSC will use.
3. Click Add New Profile.
   - In the Profile name box, assign ISPRADIUS to the new profile.
   - In the Settings box, use the defaults except for Authentication method which must match the method supported by the RADIUS server.
   - In the Primary RADIUS server box, specify the address of the ISP RADIUS server and the secret the MSC will use.

Create VLANs

1. Select Network > Ports.
2. Under VLAN configuration, click Add New VLAN.
   - Under General:
     - Leave the Port selection as Internet port.
     - Set VLAN ID to 50.
     - Set VLAN name to Private.
   - Under Assign IP address via, select Static.
     - Set IP address to
     - Set Mask to
     - Leave Gateway blank.
3. Under VLAN configuration, click Add New VLAN.
   - Under General:
     - Leave the Port selection as Internet port.
     - Set VLAN ID to 60.
     - Set VLAN name to Public.
   - Under Assign IP address via, select DHCP client.

Create VSCs

Use the following steps to create two virtual service communities on the MSC:

Note: This Private profile must be defined first to enable it to also support wired employees, since untagged incoming traffic on the LAN port is always sent to the first VSC profile.

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as Private.
   - Under General, select the Provide access control checkbox.
   - Under Virtual AP, enter the WLAN name (SSID) as Private.
   - Under VSC ingress mapping, select SSID.
   - Under VSC egress mapping, for Authenticated select Private.
   - Enable HTML-based user logins.
   - Select the RADIUS authentication checkbox.
   - For RADIUS Profile, select CorporateRADIUS.
4. On the Virtual Service Communities page, click Add new profile.

5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as Public.
   - Under Virtual AP, enter the WLAN name (SSID) as Public.
   - Under VSC ingress mapping, select SSID.
   - Under VSC egress mapping, for Authenticated select Public.
   - Enable HTML-based user logins.
   - Select the RADIUS authentication checkbox.
   - For RADIUS Profile, select ISPRADIUS.

Set the shared secret

1. Select Security > Authentication > Advanced Settings.
2. In the Access controller shared secret box, set Shared secret and Confirm shared secret to a unique string. For example: xr2t56. This password will be used by the MAP to send authentication requests to the MSC.
3. Click Save.

Configure the MAP

Create VSCs

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as Public.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as Public.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as Private.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as Private.

Configure the connection to the MSC

1. Select Security > Access controller.
2. Set the Access controller shared secret to match the secret set on the MSC.
3. Click Save.

Note: By default the MAP is set up to use the default gateway assigned by DHCP as the access controller. Do not change this setting.

Scenario 4: Delivering custom HTML pages using VLANs

This scenario shows you how to split customers onto different VLANs and use this to deliver a customized user experience.

How it works

In this scenario a hotel assigns customer traffic to a different VLAN based on an access point's location within the building.
   - The MAPs serving the hotel rooms on each floor are configured to return customer traffic on VLAN 40.
   - The MAPs serving the hotel lobby, terrace, and restaurant are configured to return customer traffic on VLAN 50.
   - VLAN 30 is defined for management purposes. It is used by the network administrator to reach the management tool on the MSC and MAPs.

One advantage to this strategy is that it enables all devices to have the same SSID (Hotspot, for example), making it easy for customers to connect. Custom content is triggered based on the VLAN ID that customer traffic is mapped to.

[Figure: Labels: RADIUS Server, MSC (VLAN 30, VLAN 40, VLAN 50); Hotel Rooms: MAPs on Floor 3, Floor 2 and Floor 1 (VLAN 30, VLAN 40); Public Spaces: MAPs on the Terrace and in the Restaurant (VLAN 30, VLAN 50); every MAP uses SSID = Hotspot]

Note: In this scenario the MSC is used to provide access control functions only and is not configured to support wireless clients.

Configuration road map

On the RADIUS server

Define accounts for all customers and the MSC on the RADIUS server. To deliver custom content based on the VLAN, add the following entry to the RADIUS profile for the MSC.

   welcome-url=web_server_url/premium/welcome.html?vlan=%v

Create a server-side script to retrieve the VLAN value and then display a custom Login page as follows:
   - If VLAN = 40, display the customer Login page.
   - If VLAN = 50, display the public access Login page.

Install the MSC and the MAPs

1. Install the devices as described in the appropriate quickstart guide.
2. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

Switch the MAPs to autonomous mode

By default the MAPs are configured to operate in controlled mode. Switch each one to autonomous mode as follows:

1. Start the Management Tool and login.
2. On the home page click Switch to Autonomous Mode. The MAP will restart.

Configure the wireless network

By default the MSC is configured to:
   - support b/g clients
   - automatically choose the best operating channel (frequency)

There is no need to change these settings for this scenario.

Note: By default, one radio on the MAP-330 and MSC-3300 is used to provide the wireless network and the other is placed into Monitor mode.

Configure the MSC

Configure the Internet port

1. Select Network > Ports > Internet port.
2. Select the addressing option as required by the LAN and click Configure.
3. Define all settings as required.

Create a RADIUS profile

1. Select Security > RADIUS.
2. Click Add New Profile.
   - In the Profile name box, assign RADIUS1 to the new profile.
   - In the Settings box, use the defaults except for Authentication method which must match the method supported by the RADIUS server.
   - In the Primary RADIUS server box, specify the address of the corporate RADIUS server and the secret the MSC will use.

Configure the MSC to retrieve attributes from the RADIUS server

1. Select Public access > Attributes.
2. Select the Retrieve attributes using RADIUS option.
3. Select the RADIUS profile you defined (RADIUS Profile 1).
4. Specify the username and password the MSC will use to login to the RADIUS server.
5. Click Retrieve Now. The MSC will login and retrieve the attributes.
6. Click Save.

Create VLANs

1. Select Network > Ports.
2. Under VLAN configuration, click Add New VLAN.
   - Under General:
     - Leave the Port selection as LAN port.
     - Set VLAN ID to 30.
     - Set VLAN name to Management.
   - Under Assign IP address via, select Static.
     - Set IP address to
     - Set Mask to
     - Leave Gateway blank.
3. Under VLAN configuration, click Add New VLAN.
   - Under General:
     - Leave the Port selection as LAN port.
     - Set VLAN ID to 40.
     - Set VLAN name to Guest.
   - Under Assign IP address via, select None.

4. Under VLAN configuration, click Add New VLAN.
   - Under General:
     - Leave the Port selection as LAN port.
     - Set VLAN ID to 50.
     - Set VLAN name to Public.
   - Under Assign IP address via, select None.

Create VSCs

The following two virtual service communities need to be created on the MSC:
   - Guest: Installed in public spaces. Forwards guest traffic on VLAN 40.
   - Public: Installed in hotel rooms. Forwards public traffic on VLAN 50.

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as Guest.
   - Under General, select the Provide access control checkbox.
   - Under VSC ingress mapping, clear the checkbox.
   - Under VSC egress mapping, select VLAN then select Guest.
   - Enable HTML-based user logins.
   - Select the RADIUS authentication checkbox.
   - For RADIUS Profile, select RADIUS1.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as Public.
   - Under VSC ingress mapping, clear the checkbox.
   - Under VSC egress mapping, select VLAN and then select Public.
   - Enable HTML-based user logins.
   - Select the RADIUS authentication checkbox.
   - For RADIUS Profile, select RADIUS1.

Set the shared secret

1. Select Public access > Access control.
2. In the Access controller shared secret box, set Shared secret and Confirm shared secret to a unique string. For example: xr2t56. This password will be used by the MAPs to send authentication requests to the MSC.
3. Click Save.

Configure the MAPs

Set static addressing and management VLAN

1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
   - Under Assign IP address via, select Static then click the Configure button. Define the following:
     - For each MAP, set IP address to a unique address on the x subnet.
     - Set Address mask to
     - Set Default gateway to

Configure management VLAN

1. Select Network > Ports.
2. Under Port configuration, click Port 1.
   - Under VLAN:
     - Select the VLAN ID checkbox.
     - Set VLAN ID to 30.
     - Select the Restrict default VLAN to management traffic only checkbox.

Configure a VSC

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as Hotspot.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as Hotspot.
   - Under Egress VLAN:
     - If the MAP is serving a hotel room, set VLAN ID to 40 (which corresponds to the Guest VLAN).
     - If the MAP is serving a public area, set VLAN ID to 50 (which corresponds to the Public VLAN).

Configure the connection to the MSC

1. Select Security > Access controller.
2. Set the Access controller shared secret to match the secret set on the MSC.
3. Click Save.
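The server-side script that Scenario 4 calls for can be sketched as follows. This is an added example, not code from the Colubris guide: only the VLAN IDs 40 and 50 and the vlan query parameter come from the scenario, while the page file names, the page bodies and the WSGI wrapper are assumptions. The received value is parsed and matched against a fixed table, so it is never used to build a file path.

```python
"""Added example: choose the Scenario 4 login page from the vlan parameter."""
from urllib.parse import parse_qs

# VLAN IDs are taken from the scenario; the file names are hypothetical.
PAGES_BY_VLAN = {
    40: "guest_login.html",    # MAPs serving hotel rooms
    50: "public_login.html",   # MAPs serving lobby, terrace, restaurant
}

# Constructed page bodies so the example runs without a document root.
PAGE_BODIES = {
    "guest_login.html": b"<html><body>Guest login</body></html>",
    "public_login.html": b"<html><body>Public access login</body></html>",
}


def parse_vlan(query_string):
    """Return the VLAN ID as an int, or None when the parameter is unusable."""
    values = parse_qs(query_string, keep_blank_values=True).get("vlan", [])
    if len(values) != 1:                      # missing or repeated parameter
        return None
    raw = values[0]
    # Accept plain ASCII digits only: no sign, spaces, path characters.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 4):
        return None
    vlan = int(raw)
    if raw != str(vlan):                      # reject forms such as "040"
        return None
    return vlan if 1 <= vlan <= 4094 else None   # valid 802.1Q VLAN ID range


def select_login_page(query_string):
    """Return (HTTP status, page name); the page name is None on rejection."""
    vlan = parse_vlan(query_string)
    if vlan is None:
        return "400 Bad Request", None
    page = PAGES_BY_VLAN.get(vlan)
    if page is None:                          # well-formed but not a served VLAN
        return "404 Not Found", None
    return "200 OK", page


def application(environ, start_response):
    """WSGI entry point that serves the page chosen by select_login_page()."""
    status, page = select_login_page(environ.get("QUERY_STRING", ""))
    body = PAGE_BODIES[page] if page else status.encode("ascii")
    content_type = "text/html" if page else "text/plain"
    start_response(status, [("Content-Type", content_type),
                            ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    for qs in ("vlan=40", "vlan=50", "vlan=30", "vlan=../x", "vlan=40&vlan=50"):
        print(qs, "->", select_login_page(qs))
```

The management VLAN (30) is well-formed but deliberately absent from the table, so a request carrying it gets no login page.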

Scenario 5: Custom HTML pages on each MAP

This scenario shows you how to create a customized user experience based on the MAP with which a customer is associated. This scenario uses locally configured attributes and does not require a RADIUS server.

How it works

In this scenario wireless networking for a condo complex is deployed using multiple MAPs and a single series 3000 MSC. The complex features three buildings, each with several condos serviced by a single MAP.

Since tenant turnover is low, and network access is included in the monthly condo fee, accounting support is not needed. Therefore this scenario does not use a RADIUS server. Instead, all logins are validated by the MSC using a locally defined user list.

To offer personalized service for each building, a set of custom web pages are created for each building and stored in a separate folder on a web server. (A third-party server on the Internet is used to keep costs down.) Customers are redirected to the appropriate set of pages based on the location-aware group name assigned to each MAP.

[Figure: Labels: Web server, MSC (Internet port, LAN port), MAP 1, MAP 2, MAP 3, Condo complex 1, Condo complex 2, Condo complex 3]

About the location-aware feature

This feature, which is enabled by default, permits the MSC to determine the physical location where customers are logging into the network (as well as other information which can be used for customer tracking). See the Public Access Administrator's Guide for more information on this feature.

This scenario uses the location-aware group name feature to assign a unique name to each MAP. When a customer logs in, the MAP reports this name to the MSC. The name is then used to create a URL to a custom set of pages on the web server.

Configuration road map

Install the MSC and the MAPs

1. Install the devices as described in the appropriate quickstart guide.
2. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

Switch the MAPs to autonomous mode

By default the MAPs are configured to operate in controlled mode. Switch each one to autonomous mode as follows:

1. Start the Management Tool and login.
2. On the home page click Switch to Autonomous Mode. The MAP will restart.

Create the custom web pages

1. Create the following folder on the web server: \newpages
2. Create a file called logo.gif that contains a custom logo for the service being offered and place it in \newpages.
3. Copy the following files from the \Doc\Samples\External_Pages folder on the Colubris Networks documentation CD and place them in the newpages folder.
   - welcome.html
   - goodbye.html
   - fail.html
4. Create the following three folders on the web server:
   - \newpages\complex_1
   - \newpages\complex_2
   - \newpages\complex_3
5. Create the following three html files in each of the three new folders. Customize each file so that it provides content specific to each condo complex:
   - login.html: This is the page tenants will use to log in. The following sample code illustrates how to retrieve login credentials and send them to the MSC for validation.

        <form action="[URL missing from this transcription]">
          <input type="text" name="username" id="username" />
          <input type="text" name="password" id="password" />
          <input type="submit" />
        </form>

   - welcome.html: This is the page tenants will see after their login is approved. It is a standard HTML page and can be customized as required.
   - goodbye.html: This is the page tenants will see after they logout. It is a standard HTML page and can be customized as required.

Configure the MAPs

By default each MAP is configured to:
   - Automatically select the best operating frequency.
   - Create a wireless network named Colubris Networks.
   - Act as a DHCP client on its LAN ports.
   - Use the MSC as the access controller.

There is no need to change these settings for this scenario.

Configure the location-aware group name

Set a unique group name on each MAP as follows:

1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
3. Under General, make sure that the Use Colubris access controller checkbox is selected.
4. Under Location aware:
   - For MAP 1, set Group name to Complex_1.
   - For MAP 2, set Group name to Complex_2.
   - For MAP 3, set Group name to Complex_3.
5. Click Save.

Configure the connection to the MSC on the MAPs

Each MAP will use the services of the MSC to authenticate customer logins. Do the following on each MAP.

1. Select Security > Access controller.
2. Set the Access controller shared secret to the same unique value on all MAPs. For example: xr2t56. This password will be used by the MAPs to connect to the MSC when they send authentication requests.
3. Click Save.

Note: By default the MAP is set up to use the default gateway assigned by DHCP as the access controller. Do not change this setting.

Configure the MSC

Configure the Internet port

1. Select Network > Ports > Internet port.
2. Select the addressing option required by your ISP.
3. Click Configure and define all settings as required.

Configure attributes to activate the customized pages

4. Open the Public access > attributes page and add the following attributes to the Configured attributes table:

   The first four attributes provide support for the common pages that are generic for all tenants, and the shared logo file.

      transport-page=web_server_url/newpages/transport.html
      session-page=web_server_url/newpages/session.html
      fail-page=web_server_url/newpages/fail.html
      logo=web_server_url/newpages/logo.gif

   The next three attributes provide support for the custom pages. Each time a tenant logs in the MSC calls these pages, replacing the %G with the group name assigned to the MAP that the tenant is associated with.

      login-url=web_server_url/newpages/%g/login.html
      welcome-url=web_server_url/newpages/%g/welcome.html
      goodbye-url=web_server_url/newpages/%g/goodbye.html

   By default the MSC blocks access to any resources that are connected to its Internet port until a client station successfully logs in. However, to log in, a client station must be able to load the custom login page hosted on the web server. To solve this problem, an access list definition is added that permits access to the web server for all unauthenticated stations.

      Access-list=loginpage,ACCEPT,tcp,web_server_URL,80
      Use-access-list=loginpage

Define the list of condo tenants

1. Select Public access > Users.
2. Add usernames and passwords for all condo tenants.

Set the shared secret on the MSC

1. Select Public access > Access control.
2. In the Access controller shared secret box, set Shared secret and Confirm shared secret to the same value you set on the MAPs.
3. Click Save.

Setup location aware

1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
3. Under Location aware, set Called-Station-Id content to group.
4. Click Save.

Using the public access interface

To use the condo internet service, tenants do the following:
   - Connect to the Colubris Networks using b or g.
   - Start their web browser and enter the URL wireless.colubris.com which is the URL assigned to the MSC. The MSC will redirect the browser to the login page on the web server.
   - After the tenant logs in and is validated, the Welcome page is displayed. The tenant can now surf the Internet.
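A consistency check for the Scenario 5 settings, as an added example that is not part of the Colubris guide. It expands the three URL attributes for each MAP group name, compares the result with the folders created on the web server, and confirms that the access list in use lets unauthenticated stations reach the login page. Assumptions: www.example.com is a constructed stand-in for web_server_url, the five access-list fields are read as name, action, protocol, address, port (inferred from the single entry shown), the placeholder is accepted as either %G or %g because both spellings appear here, and the web server is case-sensitive.

```python
"""Added example: lint the Scenario 5 attributes against the MAP group names."""
import re
from urllib.parse import urlsplit

WEB_SERVER_URL = "http://www.example.com"   # constructed stand-in (assumption)
WEB_SERVER_HOST = "www.example.com"         # constructed stand-in (assumption)

ATTRIBUTES = [  # attribute lines from the scenario, placeholders substituted
    f"login-url={WEB_SERVER_URL}/newpages/%g/login.html",
    f"welcome-url={WEB_SERVER_URL}/newpages/%g/welcome.html",
    f"goodbye-url={WEB_SERVER_URL}/newpages/%g/goodbye.html",
    f"Access-list=loginpage,ACCEPT,tcp,{WEB_SERVER_HOST},80",
    "Use-access-list=loginpage",
]
GROUP_NAMES = ["Complex_1", "Complex_2", "Complex_3"]      # as set on the MAPs
FOLDERS = ["/newpages/complex_1", "/newpages/complex_2", "/newpages/complex_3"]

# A group name becomes a URL path segment, so restrict it to a safe alphabet.
SAFE_GROUP = re.compile(r"[A-Za-z0-9_-]{1,32}")


def parse_attributes(lines):
    """Split lines into URL templates, access-list rules, lists in use, bad lines."""
    urls, rules, in_use, malformed = {}, {}, [], []
    for line in lines:
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "access-list":
            fields = [f.strip() for f in value.split(",")]
            if len(fields) != 5 or not fields[4].isdigit():
                malformed.append(line)
                continue
            name, action, proto, addr, port = fields
            rules.setdefault(name, []).append(
                (action.upper(), proto.lower(), addr.lower(), int(port)))
        elif key == "use-access-list":
            in_use.append(value)
        elif key.endswith("-url"):
            urls[key] = value
    return urls, rules, in_use, malformed


def expand(template, group):
    """Substitute the group-name placeholder (either spelling) in a URL."""
    return template.replace("%G", group).replace("%g", group)


def lint(lines, groups, folders):
    """Return a list of (kind, detail) findings; an empty list means consistent."""
    urls, rules, in_use, malformed = parse_attributes(lines)
    findings = [("bad-access-list", line) for line in malformed]
    exact = set(folders)
    folded = {f.lower() for f in folders}
    for group in groups:
        if not SAFE_GROUP.fullmatch(group):
            findings.append(("unsafe-group-name", group))
            continue
        for key in sorted(urls):
            path = urlsplit(expand(urls[key], group)).path
            folder = path.rsplit("/", 1)[0]
            if folder in exact:
                continue
            kind = "case-mismatch" if folder.lower() in folded else "missing-folder"
            finding = (kind, f"{group} -> {folder}")
            if finding not in findings:       # one finding per group and folder
                findings.append(finding)
    login = urls.get("login-url")
    if login:
        parts = urlsplit(login)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        host = (parts.hostname or "").lower()
        active = [r for name in in_use for r in rules.get(name, [])]
        if ("ACCEPT", "tcp", host, port) not in active:
            findings.append(("login-page-blocked", f"{host}:{port}"))
    return findings


if __name__ == "__main__":
    for kind, detail in lint(ATTRIBUTES, GROUP_NAMES, FOLDERS):
        print(f"{kind}: {detail}")
```

Run against the values as transcribed here, it reports a case mismatch for each group: the MAPs are given Complex_1 to Complex_3 while the folders are complex_1 to complex_3.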

Scenario 6: Multi-site installation (distributed architecture)

This scenario shows you how to create a multi-site installation using multiple MSCs.

How it works

In this scenario, multiple series 3000 MSCs are installed to offer public access networking at a number of different physical locations. Each MSC is connected to the Internet using a broadband modem. The Internet connection is protected by the MSC's firewall and NAT features.

A NOC (network operations center) is located at a remote site and provides a RADIUS server for authentication, and a web server to store custom public access interface pages.

[Figure: Labels: Network Operating Center (Web/FTP server, RADIUS server, Management station, Router / Firewall); Site #1 MSC, Site #2 MSC, Site #3 MSC, each with a PUBLIC WLAN]

Configuration road map

On the RADIUS server

Define RADIUS accounts for all customers that will use the public access network.

Install the MSCs

1. Install the MSCs at each site as described in the appropriate quickstart guide.
2. Connect the Internet port on each unit to a broadband modem that is connected to the Internet.
3. Start the Management Tool and configure each unit as described in the sections that follow.

Configure the Internet port

1. Select Network > Ports > Internet port.
2. Select the addressing option as required by your ISP and click Configure.
3. Define all settings as required.

Configure the wireless network

By default the MSC is configured to:
   - support b/g clients
   - automatically choose the best operating channel (frequency)
   - create a wireless network named Colubris Networks

There is no need to change these settings for this scenario.

Create a RADIUS profile

1. Select Security > RADIUS.
2. Click Add New Profile.
   - In the Profile name box, assign RADIUS1 to the new profile.
   - In the Settings box, use the defaults except for Authentication method which must match the method supported by the RADIUS server.
   - In the Primary RADIUS server box, specify the address of the RADIUS server at the NOC and the secret the MSC will use.

Configure the VSC

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile.
3. On the Add/Edit Virtual Service Community page:
   - Under HTML-based user logins:
     - Clear the Local authentication checkbox.
     - Select the RADIUS authentication checkbox.
     - For RADIUS profile, select RADIUS1.
     - Select the RADIUS accounting checkbox.

Customize the login page and logo

1. Create a folder called newpages on the web server.
2. Create a file called logo.gif that contains your logo and place it in the newpages folder (recommended size less than 20K). This same image file is shared by all pages.
3. Copy the following files from the \Doc\Samples\Internal_Pages folder on the Colubris Networks documentation CD and place them in the newpages folder.
   - login.html
   - transport.html
   - session.html
   - fail.html
4. Edit login.html to meet the requirements of your site, keeping the following restrictions in mind:
   - Do not alter the ID tags <!-- Colubris --> & <!-- Custom --> located at the top of the page.
   - Do not alter any JavaScript code.

Define attributes on the RADIUS server

On the RADIUS server, define an account for the MSC and add the following entries to it.

   login-page=web_server_url/newpages/login.html
   transport-page=web_server_url/newpages/transport.html
   session-page=web_server_url/newpages/session.html
   fail-page=web_server_url/newpages/fail.html
   logo=web_server_url/newpages/logo.gif

For more information on these attributes, consult the Public Access Administrator Guide.

Configure the MSC to retrieve attributes from the RADIUS server

The MSC will retrieve the configuration attributes defined on the RADIUS server each time it authenticates with the server.

1. Select Public access > Attributes.
2. Select the Retrieve attributes using RADIUS option.
3. Select the RADIUS profile you defined earlier (RADIUS1).
4. Specify the username and password the MSC will use to log in to the RADIUS server.
5. Click Retrieve Now. The MSC will log in and retrieve the attributes.
6. Click Save.

Using the public access interface

To use the Internet service, customers do the following:
- Connect to the Colubris Networks using b or g.
- Start their web browser and enter the URL wireless.colubris.com which is the URL assigned to the MSC.
- The MSC will redirect the browser to the custom login page on the web server.
- After the customer logs in and is validated, the Welcome page is displayed. The customer can now surf the Internet.

Scenario 7: Multi-site installation (centralized architecture)

This scenario shows you how to create a multi-site installation using multiple MSCs to tunnel traffic back to a central location.

How it works

In this scenario, multiple series 3000 MSCs are installed to offer public access networking at a number of different physical locations. The MSCs provide wireless network services at each site, but do not authenticate customers. Instead all customer traffic is forwarded to the third-party access controller at the NOC via secure GRE tunnels.

[Figure: Network Operating Center (Web/FTP server, RADIUS server, third-party access controller with GRE terminator, management station, router/firewall) linked by GRE tunnels to the MSCs at Site #1, Site #2 and Site #3, each serving a public WLAN.]

Configuration road map

Install the MSCs

1. Install the MSCs at each site as described in the appropriate quickstart guide.
2. Connect the Internet port on each unit to a broadband modem that is connected to the Internet.
3. Start the Management Tool and configure each unit as described in the sections that follow.

Configure the Internet port

1. Select Network > Ports > Internet port.
2. Select the addressing option as required by your ISP and click Configure.
3. Define all settings as required.

Configure the wireless network

By default the MSC is configured to:
- support b/g clients
- automatically choose the best operating channel (frequency)
- create a wireless network named Colubris Networks

There is no need to change these settings for this scenario.

Configure the GRE tunnels

1. Select Network > Ports.
2. Under GRE tunnel configuration, click Add new GRE tunnel.
3. Under Tunnel settings:
   - For Name, enter a name for this profile. For example: GRE_Tunnel.
   - For Local tunnel IP address, enter the IP address of the MSC inside the tunnel.
   - For Remote tunnel IP address, enter the IP address (inside the tunnel) of the GRE terminator in the NOC.
   - For Tunnel IP mask, enter the mask associated with the IP addresses inside the tunnel.
   - For GRE peer IP address, enter the IP address of the GRE terminator in the NOC.
4. Click Save.

Configure the VSC

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile.
3. On the Add/Edit Virtual Service Community page:
   - Under General, select the Provide access control checkbox.
   - Under VSC egress mapping, select GRE_Tunnel for Unauthenticated, Authenticated, and Intercepted.
   - Under HTML-based user logins, clear the Local authentication checkbox.
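The GRE tunnel settings above are entered once per site, so addressing mistakes are easy to make. The following check of a per-site addressing plan is an added example, not Colubris code; the function names, the rule that each MSC needs its own local tunnel address, and all addresses in PLAN are assumptions constructed for illustration.

```python
import ipaddress


def check_tunnel(local_ip, remote_ip, mask, peer_ip):
    """Validate one set of Tunnel settings; return a list of problems."""
    problems = []
    local = ipaddress.ip_address(local_ip)
    remote = ipaddress.ip_address(remote_ip)
    peer = ipaddress.ip_address(peer_ip)
    # The tunnel subnet is defined by the local tunnel IP and the tunnel IP mask.
    net = ipaddress.ip_network(f"{local_ip}/{mask}", strict=False)

    if local == remote:
        problems.append("local and remote tunnel IP addresses are identical")
    elif remote not in net:
        problems.append(f"remote tunnel IP {remote} is outside tunnel subnet {net}")

    # On anything wider than a /31, network and broadcast addresses are unusable.
    if net.prefixlen < 31:
        for label, addr in (("local", local), ("remote", remote)):
            if addr in (net.network_address, net.broadcast_address):
                problems.append(f"{label} tunnel IP {addr} is the network or "
                                f"broadcast address of {net}")

    # The GRE peer is the terminator's address outside the tunnel. If it falls
    # inside the tunnel subnet, tunnel packets get routed into the tunnel itself.
    if peer in net:
        problems.append(f"GRE peer IP {peer} lies inside tunnel subnet {net}")
    return problems


def check_plan(sites):
    """Check every site and flag local tunnel addresses used more than once."""
    report = {}
    owners = {}
    for site in sites:
        problems = check_tunnel(site["local"], site["remote"],
                                site["mask"], site["peer"])
        previous = owners.setdefault(site["local"], site["name"])
        if previous != site["name"]:
            problems.append(f"local tunnel IP {site['local']} already used "
                            f"by {previous}")
        report[site["name"]] = problems
    return report


# Constructed sample plan: 203.0.113.10 stands in for the GRE terminator at the NOC.
PLAN = [
    {"name": "Site #1", "local": "10.255.1.1", "remote": "10.255.1.2",
     "mask": "255.255.255.252", "peer": "203.0.113.10"},
    {"name": "Site #2", "local": "10.255.2.1", "remote": "10.255.2.2",
     "mask": "255.255.255.252", "peer": "203.0.113.10"},
    # Deliberately wrong: copied from Site #2, remote in another subnet,
    # and the inner terminator address typed into the GRE peer field.
    {"name": "Site #3", "local": "10.255.2.1", "remote": "10.255.3.2",
     "mask": "255.255.255.252", "peer": "10.255.2.2"},
]

if __name__ == "__main__":
    for name, problems in check_plan(PLAN).items():
        print(name, "OK" if not problems else problems)
```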


Chapter 4: Public access deployment series

In this chapter you can find sample deployment strategies for common public access scenarios using a 5000 series MSC and one or more MAPs operating in controlled mode. When in controlled mode, all MAP configuration is handled by the MSC, greatly simplifying the task of deploying and managing a public access network.

Scenario 1a: Hotspot with satellites and roaming (local config)

This scenario uses an MSC and two MAPs to create a simple public access network.

How it works

In this scenario two MAPs (operating in controlled mode) are connected to an MSC using a backbone LAN to provide multiple wireless cells for a large physical location. Customers can log into the public access network at any location and can roam between access points without losing their connection. The MAPs are set to operate in controlled mode, which means that their configuration is managed using the MSC. Customer authentication is handled locally by the MSC, and accounts are created on the MSC for each customer. There is no support for accounting.

There are two ways to deploy this scenario. The configuration procedure for both scenarios is almost identical.

Topology 1

In this version, the web server is located on the Internet.

[Figure: topology 1. Web server; MSC (Internet port, LAN port) connected over the LAN to two MAPs, each serving a public WLAN.]

Topology 2

In this version, the web server is located on local LAN B along with a router/firewall which handles the connection to the Internet. Instead of being directly connected to the Internet the MSC is also connected to local LAN B.

[Figure: topology 2. Web server and router/firewall on LAN B; MSC (Internet port on LAN B, LAN port on LAN A) connected over LAN A to two MAPs, each serving a public WLAN.]

Configuration road map

Install the MSC

Install the MSC as described in the appropriate quickstart guide.

To support topology 1
1. Connect the Internet port to a broadband modem and then restart the modem.
2. Connect the LAN port to the local area network.

To support topology 2
1. Connect the Internet port to LAN B.
2. Connect the LAN port to the local area network.

Install the MAPs

Install the MAPs as described in the appropriate quickstart guide.

Enable the DHCP server

By default, the DHCP server is disabled on the MSC. Enable it as follows:
1. Start the management tool.
2. On the Main Menu, click Service Controller.
3. In the right pane, select Network > Address allocation > DHCP server and click Configure.
4. The MSC will automatically define DHCP settings for subnet There is no need to change these settings. Click Save.

MAP discovery

By default the MAPs are configured to operate in controlled mode. This means that once connected to the network they will automatically establish a control channel with the MSC so that their configuration can be managed via the MSC's management tool.

To verify that the MAPs have been discovered, do the following on the MSC:
1. On the Main Menu, click the + symbol next to Controlled APs.

2. Click the + symbol next to Default Group. The two MAPs (identified by their serial numbers) should be shown, each with a green status light.

Enable AP authentication

Now that the APs have been discovered, authentication should be enabled so that APs cannot be added to the network without your knowledge.
1. On the Main Menu, click Service Controller.
2. In the right pane, select Security > Controlled APs.
3. Select the Controlled APs authentication checkbox.
4. Select the Use local authentication list checkbox.
5. Click Save.

Configure the wireless network

By default the MSC configures the wireless settings on the MAPs to:
- support b/g clients
- automatically choose the best operating channel (frequency)
- create a wireless network named Colubris Networks

There is no need to change these settings for this scenario.

Important: All wireless networks must have the same network name (SSID) to support roaming.

Configure the Internet port

Select Network > Ports > Internet port.
- For topology 1: Select the addressing option supported by your ISP and click Configure. Define all settings as required by your ISP.
- For topology 2: Select DHCP Client and click Save.

Define the list of users

1. On the Main Menu, select Service Controller.
2. In the right pane, select Public access > Users.
3. Add usernames and passwords for all users/customers.

Test the public access interface

To test your installation, use a wireless client station to log onto the public access interface. (For this to work, the MSC must be configured as the client's default gateway. This is done by default if the wireless client is using DHCP.)
1. Start the client station's web browser and enter the IP address (or domain name) of a web site on the Internet.
2. The MSC should intercept the URL and display the Login page. (Depending on the type of certificate that is installed on the MSC, you may see a security warning first.)

Scenario 1b: Hotspot with custom interface (local config)

This scenario adds custom settings to the default public access interface used in Scenario 1a. This scenario illustrates how to customize the operation of the public access interface by defining all configuration options on the MSC.

How it works

In this scenario, a web server is used to store custom pages for the public access interface. The MSC loads these pages each time it is restarted.

Network topology

Note: See scenario 1a for a diagram of the network topology.

Configuration road map

Important: Start with the configuration defined in Scenario 1a.

Customize the login page and logo

1. Create a folder called newpages on the web server.
2. Create a file called logo.gif that contains your logo and place it in the newpages folder (recommended size less than 20K). This same image file is shared by all pages.
3. Copy the following files from the \Doc\Samples\Internal_Pages folder on the Colubris Networks documentation CD and place them in the newpages folder.
   - login.html
   - transport.html
   - session.html
   - fail.html
4. Edit login.html to meet the requirements of your site, keeping the following restrictions in mind:
   - Do not alter the ID tags <!-- Colubris --> & <!-- Custom --> located at the top of the page.
   - Do not alter any JavaScript code.
5. On the Main Menu, select Service Controller.
6. In the right pane, select Public access > Attributes and add the following to the Configured attributes table:

   login-page=web_server_url/newpages/login.html
   transport-page=web_server_url/newpages/transport.html
   session-page=web_server_url/newpages/session.html
   fail-page=web_server_url/newpages/fail.html
   logo=web_server_url/newpages/logo.gif

Test the public access interface

To test your installation, use a wireless client station to log onto the public access interface. (For this to work, the MSC must be configured as the client's default gateway. This is done by default if the wireless client is using DHCP.)
1. Start the client station's web browser and enter the IP address (or domain name) of a web site on the Internet.
2. The MSC should intercept the URL and display the modified Login page. (Depending on the type of certificate that is installed on the MSC, you may see a security warning first.)
3. To log in, specify a valid customer name and password. The Session page should open.
4. Next, you are automatically redirected to the web site you originally requested.

Scenario 1c: Hotspot with layer 2 security (local config)

This scenario adds support for WEP and WPA clients to scenario 1a. This scenario shows how to enable wireless protection to safeguard transmissions against eavesdropping.

How it works

This scenario creates three virtual service communities (VSCs) on each device. Each VSC provides support for a different security option: WEP, WPA (with preshared key), and none. To connect with the wireless network, customers must select the SSID of the VSC that matches the option that they want to use. Roaming is supported, since the same VSCs are defined on all access points.

The following diagrams illustrate how the two topologies described in Scenario 1a can be modified to support layer 2 security. In both cases the configuration procedure is the same.

[Figure: first topology with layer 2 security. Web server; MSC (Internet port, LAN port) connected over the LAN to two MAPs, each offering the None, WPA and WEP VSCs.]

[Figure: second topology with layer 2 security. Web server and router/firewall on LAN B; MSC (Internet port, LAN port) connected over LAN A to two MAPs, each offering the None, WPA and WEP VSCs.]

Configuration road map

Important: Start with the configuration defined in Scenario 1a.

Create VSCs

Use the following steps to create three virtual service communities on all MAPs.
1. On the Main Menu, select VSCs.
2. In the VSC profiles table in the right pane, click the Colubris Networks profile to edit it.
3. On the VSC profile page:
   - Under General, enter the Name as None.
   - Under General, select the Access control check box.
   - Under Virtual AP, enter the WLAN name (SSID) as None.
4. Under the VSC profiles table in the right pane, click Add New Profile.
5. On the VSC profile page:
   - Under General, enter the Name as WEP.
   - Under General, select the Access control check box.
   - Under Virtual AP, enter the WLAN name (SSID) as WEP.
   - Under Wireless protection: Select the checkbox and choose WEP. For Key, specify 13 ASCII characters as the key.
6. Under the VSC profiles table in the right pane, click Add New Profile.
7. On the VSC profile page:
   - Under General, enter the Name as WPA.
   - Under General, select the Access control check box.
   - Under Virtual AP, enter the WLAN name (SSID) as WPA.

   - Under Wireless protection: Select the checkbox and leave the default setting of WPA. For Mode, select WPA (TKIP) or WPA2 (AES/CCMP). For Key source, select Preshared key. For Key and Confirm key, set a unique key value.

Bind VSCs to the MAPs

The new VSC definitions now need to be bound to the MAPs as follows:
1. On the Main Menu, select Default Group.
2. In the right pane, click VSC bindings.
3. Click Add New Binding.
4. Under VSC profile, select None and then click Save.
5. Click Add New Binding.
6. Under VSC profile, select WEP and then click Save.
7. Click Add New Binding.
8. Under VSC profile, select WPA and then click Save.

Synchronize the MAPs

To update the MAPs with the new VSC definitions, do the following:
1. On the Main Menu, select Default Group.
2. In the right pane, in the Select the action to apply to all listed APs list, choose Synchronize Configuration.
3. Click Apply.
4. Wait for the status light for each MAP to turn green. This indicates that the MAP is fully operational with the new configuration settings.
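The key values chosen for the WEP and WPA VSCs in this scenario can be checked before they are typed into the management tool. This is an added example, not Colubris code: it assumes the devices follow the standard IEEE 802.11i passphrase mapping (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), and the function names, the 20-character threshold and the sample keys are illustrative assumptions.

```python
import hashlib


def wep104_key_hex(ascii_key):
    """Convert the 13-character ASCII WEP key into its 26 hex digits (104 bits)."""
    raw = ascii_key.encode("ascii")  # raises UnicodeEncodeError on non-ASCII input
    if len(raw) != 13:
        raise ValueError(f"WEP key must be exactly 13 ASCII characters, got {len(raw)}")
    return raw.hex()


def wpa_pmk(passphrase, ssid):
    """Derive the 256-bit pairwise master key from a preshared passphrase.

    The SSID is the salt, so the same passphrase yields a different key on
    every differently named network, and the same key on every network that
    shares a name.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid_bytes, 4096, 32)


def review_preshared_key(passphrase, ssid, keys_in_use=()):
    """Return findings for a candidate 'unique key value' on one VSC."""
    findings = []
    wpa_pmk(passphrase, ssid)  # rejects values the standard does not allow
    if len(passphrase) < 20:   # assumed threshold, following 802.11i guidance
        findings.append("shorter than 20 characters")
    if passphrase in keys_in_use:
        findings.append("not unique: already used as another key")
    if ssid.lower() in passphrase.lower():
        findings.append("contains the SSID")
    return findings


# Constructed sample values; none of them come from the guide.
SAMPLE_WEP_KEY = "ABCDEFGHIJKLM"
WEAK_PSK = "WPAguest2006"
STRONG_PSK = "tidal-Orchard-93-lantern-mosaic"

if __name__ == "__main__":
    print("WEP key as hex:", wep104_key_hex(SAMPLE_WEP_KEY))
    print("weak PSK findings:", review_preshared_key(WEAK_PSK, "WPA", [SAMPLE_WEP_KEY]))
    print("strong PSK findings:", review_preshared_key(STRONG_PSK, "WPA", [SAMPLE_WEP_KEY]))
    print("PMK for SSID WPA:", wpa_pmk(STRONG_PSK, "WPA").hex())
```

Because the VSC is named WPA on every MAP, the derived key is identical across access points, which is what lets clients roam without re-entering the key.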

Scenario 2a: Hotspot with satellites and roaming (AAA server)

This scenario uses an MSC and two MAPs to create a simple public access network.

How it works

In this scenario two MAPs (operating in controlled mode) are connected to an MSC using a backbone LAN to provide multiple wireless cells for a large physical location. Customers can log into the public access network at any location and can roam between access points without losing their connection. The MAPs are set to operate in controlled mode, which means that their configuration is managed using the MSC. A RADIUS server (either local or remote) provides services for customer authentication and accounting.

The following diagrams illustrate how the two topologies described in Scenario 2b can be modified to support satellites and roaming. In both cases the configuration procedure is the same.

Topology 1

In this version, a NOC (network operations center) is located at a remote site. A RADIUS server is installed at the NOC along with a VPN server. The MSC is connected to the Internet using a broadband modem. The Internet connection is protected by the MSC's firewall and NAT features. The MSC connects to the VPN server at the NOC using its PPTP client. This provides a secure link through which authentication traffic can be exchanged with the RADIUS server.

[Figure: topology 1. Web server, RADIUS server and VPN server (myvpn.com) reached through a VPN tunnel; MSC (Internet port, LAN port) connected over the LAN to two MAPs, each serving a public WLAN.]

Topology 2

In this version, the RADIUS server is located on local LAN B along with a router/firewall which handles the connection to the Internet. Instead of being directly connected to the Internet the MSC is also connected to local LAN B.

[Figure: topology 2. RADIUS server, web server and router/firewall on LAN B; MSC (Internet port, LAN port) connected over LAN A to two MAPs, each serving a public WLAN.]

Configuration road map

Install the MSC

Install the MSC as described in the appropriate quickstart guide.

To support topology 1
1. Connect the Internet port to a broadband modem and then restart the modem.
2. Connect the LAN port to the local area network.

To support topology 2
1. Connect the Internet port to LAN B.
2. Connect the LAN port to the local area network.

Install the MAPs

Install the MAPs as described in the appropriate quickstart guide.

Enable the DHCP server

By default, the DHCP server is disabled on the MSC. Enable it as follows:
1. Start the management tool.
2. On the Main Menu, click Service Controller.
3. In the right pane, select Network > Address allocation > DHCP server and click Configure.
4. The MSC will automatically define DHCP settings for subnet There is no need to change these settings. Click Save.

MAP discovery

By default the MAPs are configured to operate in controlled mode. This means that once connected to the network they will automatically establish a control channel with the MSC so that their configuration can be managed via the MSC's management tool.

To verify that the MAPs have been discovered, do the following on the MSC:
1. On the Main Menu, click the + symbol next to Controlled APs.

2. Click the + symbol next to Default Group. The two MAPs (identified by their serial numbers) should be shown, each with a green status light.

Enable AP authentication

Now that the APs have been discovered, authentication should be enabled so that APs cannot be added to the network without your knowledge.
1. On the Main Menu, click Service Controller.
2. In the right pane, select Security > Controlled APs.
3. Select the Controlled APs authentication checkbox.
4. Select the Use local authentication list checkbox.
5. Click Save.

Configure the wireless network

By default the MAPs are configured to:
- support b/g clients
- automatically choose the best operating channel (frequency)
- create a wireless network named Colubris Networks

There is no need to change these settings for this scenario.

Note: By default, one radio on the MAP-330 and the MSC-3300 is used to provide the wireless network, and the other is placed into Monitor mode.

Configure the Internet port

1. On the Main Menu, select Service controller.
2. In the right pane, select Network > Ports > Internet port.
3. Select the proper addressing option:
   - For topology 1, select the option supported by your ISP (Topology 1) and click Configure. Define all settings as required.
   - For topology 2, select DHCP client and click Save.

Create a VPN connection (Topology 1 only)

1. On the Main Menu, select Service controller.
2. In the right pane, select Security > PPTP client.
3. Select the PPP client connection checkbox.
4. Under Connection, set the PPTP server address to the address of the VPN server (in this example, myvpn.com).
5. Under Account, set Username and Password as required by the VPN server.
6. Click Save.

Create a RADIUS profile

1. On the Main Menu, select Service controller.
2. In the right pane, select Security > RADIUS.
3. Click Add New Profile.
4. In the Profile name box, assign RADIUS Profile 1 to the new profile.
5. In the Settings box, use the defaults except for Authentication method which must match the method supported by the RADIUS server.
6. In the Primary RADIUS server box, specify the address of the RADIUS server and the secret the MSC will use to log in.

Enable RADIUS authentication of customers

1. On the Main Menu, select VSCs.
2. In the VSC profiles table in the right pane, click the Colubris Networks profile to edit it.
3. On the VSC profile page, under HTML-based user logins:
   - Clear the Local authentication checkbox.
   - Select the RADIUS authentication checkbox.
   - For RADIUS profile, select RADIUS Profile 1.
   - Select the RADIUS accounting checkbox.

Synchronize the MAPs

To update the MAPs with the new settings, do the following:
1. On the Main Menu, select Default Group.
2. In the right pane, in the Select the action to apply to all listed APs list, choose Synchronize Configuration.
3. Click Apply.
4. Wait for the status light for each MAP to turn green. This indicates that the MAP is fully operational with the new configuration settings.

Scenario 2b: Hotspot with custom interface (AAA server)

This scenario adds custom settings to the default public access interface used in Scenario 2a. This scenario illustrates how to customize the operation of the public access interface by defining all configuration options on the MSC.

How it works

In this scenario, a web server is used to store custom pages for the public access interface. The MSC loads these pages each time it is restarted.

Network topology

Note: See scenario 2a for a diagram of the network topology.

Configuration road map

Important: Start with the configuration defined in Scenario 2a.

Customize the login page and logo

1. Create a folder called newpages on the web server.
2. Create a file called logo.gif that contains your logo and place it in the newpages folder (recommended size less than 20K). This same image file is shared by all pages.
3. Copy the following files from the \Doc\Samples\Internal_Pages folder on the Colubris Networks documentation CD and place them in the newpages folder.
   - login.html
   - transport.html
   - session.html
   - fail.html
4. Edit login.html to meet the requirements of your site, keeping the following restrictions in mind:
   - Do not alter the ID tags <!-- Colubris --> & <!-- Custom --> located at the top of the page.
   - Do not alter any JavaScript code.
5. On the Main Menu, select Service Controller.
6. In the right pane, select Public access > Attributes and add the following to the Configured attributes table:

   login-page=web_server_url/newpages/login.html
   transport-page=web_server_url/newpages/transport.html
   session-page=web_server_url/newpages/session.html
   fail-page=web_server_url/newpages/fail.html
   logo=web_server_url/newpages/logo.gif

Define attributes on the RADIUS server

On the RADIUS server, define an account for the MSC and add the following entries to it.

   login-page=web_server_url/newpages/login.html
   transport-page=web_server_url/newpages/transport.html
   session-page=web_server_url/newpages/session.html
   fail-page=web_server_url/newpages/fail.html
   logo=web_server_url/newpages/logo.gif

For more information on these attributes, consult the Public Access Administrator Guide.

Configure the MSC to retrieve attributes from the RADIUS server

The MSC will retrieve the configuration attributes defined on the RADIUS server each time it authenticates with the server.
1. On the Main Menu, select Service controller.
2. In the right pane, select Public access > Attributes.
3. Select the Retrieve attributes using RADIUS option.
4. Select the RADIUS profile you defined (RADIUS Profile 1) in scenario 2a.
5. Specify the username and password the MSC will use to log in to the RADIUS server.
6. Click Retrieve Now. The MSC will log in and retrieve the attributes.
7. Click Save.

Test the public access interface

To test your installation, use a wireless client station to log onto the public access interface. (For this to work, the MSC must be configured as the client's default gateway. This is done by default if the wireless client is using DHCP.)
1. Start the client station's web browser and enter the IP address (or domain name) of a web site on the Internet.
2. The MSC should intercept the URL and display the modified Login page. (Depending on the type of certificate that is installed on the MSC, you may see a security warning first.)
3. To log in, specify a valid customer name and password. The Session page should open.
4. Next, you are automatically redirected to the web site you originally requested.
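The custom-page steps in Scenario 6 of Chapter 3 and in Scenarios 1b and 2b carry two restrictions (keep the ID tags, keep the JavaScript) and five attribute entries that must all point at the same folder. The following pre-publication check is an added example, not Colubris code; the function names are hypothetical and the SAMPLE page is a constructed stand-in for the login.html shipped on the documentation CD.

```python
import re
from urllib.parse import urlsplit

# Attribute names and file names exactly as they appear in the guide.
PAGE_ATTRIBUTES = {
    "login-page": "login.html",
    "transport-page": "transport.html",
    "session-page": "session.html",
    "fail-page": "fail.html",
    "logo": "logo.gif",
}
ID_TAGS = ("<!-- Colubris -->", "<!-- Custom -->")
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def build_attributes(web_server_url, folder="newpages"):
    """Return the five attribute entries for one web server base URL."""
    parts = urlsplit(web_server_url)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"not an absolute URL: {web_server_url!r}")
    base = web_server_url.rstrip("/")
    return [f"{name}={base}/{folder}/{filename}"
            for name, filename in PAGE_ATTRIBUTES.items()]


def script_blocks(html):
    """Extract every <script> element, normalising only the line endings."""
    return SCRIPT_RE.findall(html.replace("\r\n", "\n"))


def check_login_page(sample_html, edited_html):
    """Compare an edited login.html with the unmodified sample.

    Returns a list of problems; an empty list means both restrictions hold.
    """
    problems = []
    for tag in ID_TAGS:
        if edited_html.count(tag) != sample_html.count(tag):
            problems.append(f"ID tag {tag} was altered or removed")
    if script_blocks(edited_html) != script_blocks(sample_html):
        problems.append("JavaScript differs from the sample page")
    return problems


# Constructed stand-in for the sample page; the real file comes from the CD.
SAMPLE = """<!-- Colubris -->
<!-- Custom -->
<html><head><title>Login</title>
<script type="text/javascript">
function submitForm() { document.forms[0].submit(); }
</script>
</head><body><h1>Welcome</h1>
<form method="post"><input name="username">
<input name="password" type="password"></form>
</body></html>
"""
# An edit that only changes visible content.
GOOD_EDIT = SAMPLE.replace("<h1>Welcome</h1>",
                           '<img src="logo.gif"><h1>Site #1 guest access</h1>')
# An edit that drops one ID tag and changes the script.
BAD_EDIT = (SAMPLE.replace("<!-- Custom -->\n", "")
                  .replace("submit();", "submit(); track();"))

if __name__ == "__main__":
    for entry in build_attributes("http://www.example.com/"):
        print(entry)
    print("good edit:", check_login_page(SAMPLE, GOOD_EDIT))
    print("bad edit: ", check_login_page(SAMPLE, BAD_EDIT))
```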

Scenario 2c: Hotspot with layer 2 security (AAA server)

This scenario adds support for 802.1x and WPA clients to scenario 2a. This scenario shows how to enable wireless protection to safeguard transmissions against eavesdropping.

How it works

This scenario creates three virtual service communities (VSCs) on each MAP. Each VSC provides support for a different security option: 802.1x (with WEP), WPA, and none. To connect with the wireless network, customers must select the SSID of the VSC that matches the option that they want to use. Roaming is supported, since the same VSCs are defined on all access points.

Authentication of client stations occurs as follows:
- For the SSIDs 8021x and WPA, authentication is handled by the MSC using accounts defined on a RADIUS server.
- For the SSID None, client stations log in to the public access interface and are authenticated by the MSC using accounts defined on the RADIUS server.

The following diagrams illustrate how the two topologies described in Scenario 2a can be modified to support layer 2 security. In both cases the configuration procedure is the same.

Topology 1

[Figure: topology 1 with layer 2 security. Web server, RADIUS server and VPN server (myvpn.com) reached through a VPN tunnel; MSC (Internet port, LAN port) connected over the LAN to two MAPs, each offering the None, WPA and 8021x VSCs.]

[Figure: second topology with layer 2 security. RADIUS server, web server and router/firewall on LAN B; MSC (Internet port, LAN port) connected over LAN A to two MAPs, each offering the None, WPA and 8021x VSCs.]

Configuration road map

Important: Start with the configuration defined in Scenario 2a.

Create VSCs

Use the following steps to create three virtual service communities on all MAPs.
1. On the Main Menu, select VSCs.
2. In the VSC profiles table in the right pane, click the Colubris Networks profile to edit it.
3. On the VSC profile page:
   - Under General, enter the Name as None.
   - Under General, select the Access control checkbox.
   - Under Virtual AP, enter the WLAN name (SSID) as None.
   - Under HTML-based user logins: Enable RADIUS authentication. For RADIUS profile, select RADIUS Profile 1 (which was defined in Scenario 2a).
4. Under the VSC profiles table in the right pane, click Add New Profile.
5. On the VSC profile page:
   - Under General, enter the Name as WPA.
   - Under Virtual AP, enter the WLAN name (SSID) as WPA.
   - Under Wireless protection: Select the checkbox and leave the default setting of WPA. For Mode, select WPA (TKIP) or WPA2 (AES/CCMP). Leave Key source as RADIUS. For RADIUS profile, select RADIUS Profile 1 (which was defined in Scenario 2a).

   - Clear the HTML-based user logins checkbox.
   - Under Access controlled, clear the Redirect HTML users to login page checkbox.
6. Under the VSC profiles table in the right pane, click Add New Profile.
7. On the VSC profile page:
   - Under General, enter the Name as 8021x.
   - Under Virtual AP, enter the WLAN name (SSID) as 8021x.
   - Under Wireless protection: Select the checkbox and select 802.1x. For RADIUS profile, select RADIUS Profile 1 (which was defined in Scenario 2a). Select the Mandatory authentication checkbox. Select the WEP encryption checkbox.
   - Clear the HTML-based user logins checkbox.
   - Under Access controlled, clear the Redirect HTML users to login page checkbox.

Bind VSCs to the MAPs

The new VSC definitions now need to be bound to the MAPs as follows:
1. On the Main Menu, select Default Group.
2. In the right pane, click VSC bindings.
3. Click Add New Binding.
4. Under VSC profile, select None and then click Save.
5. Click Add New Binding.
6. Under VSC profile, select WPA and then click Save.
7. Click Add New Binding.
8. Under VSC profile, select 8021x and then click Save.

Synchronize the MAPs

To update the MAPs with the new VSC definitions, do the following:
1. On the Main Menu, select Default Group.
2. In the right pane, in the Select the action to apply to all listed APs list, choose Synchronize Configuration.
3. Click Apply.
4. Wait for the status light for each MAP to turn green. This indicates that the MAP is fully operational with the new configuration settings.

Scenario 2d: Using dual radios to support A+B+G traffic

This scenario adds support for 802.11a wireless clients to Scenario 2c.

Important: This scenario is supported by dual-radio units only.

Colubris Networks dual radio products can be configured to support the same SSID on two different radios. This enables a single device to support wireless clients regardless of the type of radio they have: a, b, or g.

How it works

In this scenario an MSC-5000 series is used in conjunction with two MAP-330s. Both products support dual radios. The radios on all these devices are configured to operate as follows:
- Radio 1: b/g mode
- Radio 2: a mode

The three wireless profiles created in Scenario 2c are changed to transmit and receive on both radio 1 and radio 2. Customers are now able to connect regardless of their radio type, and since 802.11a customers are on a separate radio they do not share bandwidth with customers using b/g.

Network topology

Note: See scenario 2c for a diagram of the network topology.

Configuration road map

Important: Start with the configuration defined in Scenario 2c.

Configure radio 2

1. On the Main Menu, select Controlled APs.
2. In the right pane, select Configuration > Dual radios.
3. Under Radio 2:
   - Change Operating mode to Access point only.
   - Change Wireless mode to a.
4. Click Save.

Configure VSC profiles

1. On the Main Menu, select VSCs.
2. In the right pane, edit each VSC created in Scenario 2c (8021x, WPA, and none) as follows:
   - Click the profile name.
   - Under Virtual AP, set Transmit/receive on to Radio 1 and 2.

Synchronize the MAPs

To update the MAPs with the new VSC settings, do the following:

1. On the Main Menu, select Default Group.
2. In the right pane, in the Select the action to apply to all listed APs list, choose Synchronize Configuration.
3. Click Apply.
4. Wait for the status light for each MAP to turn green. This indicates that the MAP is fully operational with the new configuration settings.

Scenario 3: Shared hotspot for public and private traffic

In this scenario VLANs and multiple SSIDs are used to enable public and private users to share the same infrastructure with complete security.

How it works

This scenario shows you how to deploy a wireless network so that it can be shared between company employees and paying customers. It enables you to leverage a single wireless infrastructure to build a hotspot and provide easy access for mobile employees.

Employees connect using the Private SSID and are routed to the corporate network on VLAN 50. The MSC authenticates employees using the Corporate RADIUS server. Once authenticated, employee traffic is forwarded on VLAN 50 so that it can reach the corporate intranet.

Customers connect using the Public SSID and log in using the MSC's public access interface. The MSC authenticates customers using the ISP RADIUS server. Once authenticated, customer traffic is forwarded on VLAN 60 so that it can reach the Internet.

Topology

[Figure: Corporate RADIUS server, ISP RADIUS server, corporate intranet and firewall; a switch carrying VLAN 50 and VLAN 60; employees; MSC and MAP. Employee SSID = Private, guest SSID = Public.]

Configuration road map

Define settings on the RADIUS servers
1. On the ISP RADIUS server create accounts for public users.
2. On the corporate RADIUS server create accounts for employees.

Install the MSC
Install the MSC as described in the appropriate quickstart guide.
1. Connect the Internet port to LAN B.
2. Before you connect the MSC to the LAN, start the Management Tool and configure it as described in the sections that follow.

Install the MAPs
Install the MSC as described in the appropriate quickstart guide.

Enable the DHCP server
By default, the DHCP server is disabled on the MSC. Enable it as follows:
1. Start the management tool.
2. On the Main Menu, click Service Controller.
3. In the right pane, select Network > Address allocation > DHCP server and click Configure.
4. The MSC will automatically define DHCP settings for subnet There is no need to change these settings. Click Save.

MAP discovery
By default the MAPs are configured to operate in controlled mode. This means that once connected to the network they will automatically establish a control channel with the MSC so that their configuration can be managed via the MSC's management tool. To verify that the MAPs have been discovered, do the following on the MSC:
1. Start the management tool.
2. On the Main Menu, click the + symbol next to Controlled APs.
3. Click the + symbol next to Default Group. The two MAPs (identified by their serial numbers) should be shown, each with a green status light.

Enable AP authentication
Now that the APs have been discovered, authentication should be enabled so that APs cannot be added to the network without your knowledge.
1. On the Main Menu, click Service Controller.
2. In the right pane, select Security > Controlled APs.
3. Select the Controlled APs authentication checkbox.
4. Select the Use local authentication list checkbox.
5. Click Save.

Configure the Internet port
1. On the Main Menu, select Service controller.
2. In the right pane, select Network > Ports > Internet port.

3. Select No address (Support VLAN traffic only).
4. Click Save.

Create two RADIUS profiles
1. On the Main Menu, select VSCs.
2. In the right pane, select Security > RADIUS.
3. Click Add New Profile.
   - In the Profile name box, assign CorporateRADIUS to the new profile.
   - In the Settings box, use the defaults except for Authentication method, which must match the method supported by the RADIUS server.
   - In the Primary RADIUS server box, specify the address of the corporate RADIUS server and the secret the MSC will use.
4. Click Add New Profile.
   - In the Profile name box, assign ISPRADIUS to the new profile.
   - In the Settings box, use the defaults except for Authentication method, which must match the method supported by the RADIUS server.
   - In the Primary RADIUS server box, specify the address of the ISP RADIUS server and the secret the MSC will use.

Create VLANs
1. On the Main Menu, select Service controller.
2. In the right pane, select Network > Ports.
3. Under VLAN configuration, click Add New VLAN. Under General
   - Leave the Port selection as Internet port.
   - Set VLAN ID to 50.
   - Set VLAN name to Private.
   - Under Assign IP address via, select Static.
   - Set IP address to
   - Set Mask to
   - Leave Gateway blank.
4. Under VLAN configuration, click Add New VLAN. Under General
   - Leave the Port selection as Internet port.
   - Set VLAN ID to 60.
   - Set VLAN name to Public.
   - Under Assign IP address via, select DHCP client.

Create VSCs
Use the following steps to create two virtual service communities:

Note: This Private profile must be defined first to enable it to also support wired employees, since untagged incoming traffic on the LAN port is always sent to the first VSC profile.

1. On the Main Menu, select VSCs.
2. In the VSC profiles table in the right pane, click the Colubris Networks profile to edit it.
3. On the VSC profile page:
   - Under General, enter the Name as Private.
   - Under General, select the Provide access control checkbox.
   - Under Virtual AP, enter the WLAN name (SSID) as Private.
   - Under VSC ingress mapping, select.
   - Under VSC egress mapping, for Authenticated select Private.
   - Enable HTML-based user logins.
   - Select the RADIUS authentication checkbox.
   - For RADIUS Profile, select CorporateRADIUS.
4. Under the VSC profiles table in the right pane, click Add New Profile.
5. On the VSC profile page:
   - Under General, enter the Name as Public.
   - Under Virtual AP, enter the WLAN name (SSID) as Public.
   - Under VSC ingress mapping, select.
   - Under VSC egress mapping, for Authenticated select Public.
   - Enable HTML-based user logins.
   - Select the RADIUS authentication checkbox.
   - For RADIUS Profile, select ISPRADIUS.

Bind VSCs to the MAPs
The new VSC definitions now need to be bound to the MAPs as follows:
1. On the Main Menu, select Default Group.
2. In the right pane, click VSC bindings.
3. Click Add New Binding.
4. Under VSC profile, select Private and then click Save.
5. Click Add New Binding.
6. Under VSC profile, select Public and then click Save.

Synchronize the MAPs
To update the MAPs with the new VSC definitions, do the following:
1. On the Main Menu, select Default Group.

2. In the right pane, in the Select the action to apply to all listed APs list, choose Synchronize Configuration.
3. Click Apply.
4. Wait for the status light for each MAP to turn green. This indicates that the MAP is fully operational with the new configuration settings.

Scenario 4: Delivering custom HTML pages using VLANs

This scenario shows you how to split customers onto different VLANs and use this to deliver a customized user experience.

How it works
In this scenario a hotel assigns customer traffic to a different VLAN based on an access point's location within the building.
   - The MAPs serving the hotel rooms on each floor are configured to return customer traffic on VLAN 40.
   - The MAPs serving the hotel lobby, terrace, and restaurant are configured to return customer traffic on VLAN 50.
One advantage of this strategy is that it enables all devices to have the same SSID (Hotspot, for example), making it easy for customers to connect. Custom content is triggered based on the VLAN ID that customer traffic is mapped to.

Topology
[Topology diagram: RADIUS server and MSC; the MAPs on Floor 1, Floor 2 and Floor 3 (hotel rooms) use VLAN 40; the MAPs on the terrace and in the restaurant (public spaces) use VLAN 50; every MAP uses SSID = Hotspot.]

Configuration road map

On the RADIUS server
Define accounts for all customers and the MSC on the RADIUS server.

To deliver custom content based on the VLAN, add the following entry to the RADIUS profile for the MSC.

   welcome-url=web_server_url/premium/welcome.html?vlan=%v

Create a server-side script to retrieve the VLAN value and then display a custom Login page as follows:
   - If VLAN = 40, display the customer Login page.
   - If VLAN = 50, display the public access Login page.

Install the MSC
Install the MSC as described in the appropriate quickstart guide.
1. Connect the Internet port to LAN B.
2. Before you connect the MSC to the LAN, start the Management Tool and configure it as described in the sections that follow.

Install the MAPs
Install the MSC as described in the appropriate quickstart guide.

Enable the DHCP server
By default, the DHCP server is disabled on the MSC. Enable it as follows:
1. Start the management tool.
2. On the Main Menu, click Service Controller.
3. In the right pane, select Network > Address allocation > DHCP server and click Configure.
4. The MSC will automatically define DHCP settings for subnet There is no need to change these settings. Click Save.

MAP discovery
By default the MAPs are configured to operate in controlled mode. This means that once connected to the network they will automatically establish a control channel with the MSC so that their configuration can be managed via the MSC's management tool. To verify that the MAPs have been discovered, do the following on the MSC:
1. Start the management tool.
2. On the Main Menu, click the + symbol next to Controlled APs.
3. Click the + symbol next to Default Group. The MAPs (identified by their serial numbers) should be shown, each with a green status light.

Enable AP authentication
Now that the APs have been discovered, authentication should be enabled so that APs cannot be added to the network without your knowledge.
1. On the Main Menu, click Service Controller.
2. In the right pane, select Security > Controlled APs.
3. Select the Controlled APs authentication checkbox.

4. Select the Use local authentication list checkbox.
5. Click Save.

Configure the wireless network
By default the MAPs are configured to:
   - support 802.11b/g clients
   - automatically choose the best operating channel (frequency)
There is no need to change these settings for this scenario.

Configure the Internet port
1. On the Main Menu, select Service controller.
2. In the right pane, select Network > Ports > Internet port.
3. Select the addressing option required by the LAN and configure all settings.

Create a RADIUS profile
1. On the Main Menu, select Service controller.
2. In the right pane, select Security > RADIUS.
3. Click Add New Profile.
   - In the Profile name box, assign RADIUS1 to the new profile.
   - In the Settings box, use the defaults except for Authentication method, which must match the method supported by the RADIUS server.
   - In the Primary RADIUS server box, specify the address of the corporate RADIUS server and the secret the MSC will use.

Configure the MSC to retrieve attributes from the RADIUS server
1. On the Main Menu, select Service controller.
2. In the right pane, select Public access > Attributes.
3. Select the Retrieve attributes using RADIUS option.
4. Select the RADIUS profile you defined (RADIUS1).
5. Specify the username and password the MSC will use to log in to the RADIUS server.
6. Click Retrieve Now. The MSC will log in and retrieve the attributes.
7. Click Save.

Create VLAN
A single VLAN definition is required supporting the range
1. On the Main Menu, select Service controller.
2. In the right pane, select Network > Ports.
3. Under VLAN configuration, click Add New VLAN. Under General
   - Leave the Port selection as LAN port.
   - Set VLAN ID to

   - Set VLAN name to Hotspot.
   - Under Assign IP address via, select None.

Create VSCs
A single VSC, called Hotspot, must be created to manage all traffic.
1. On the Main Menu, select VSCs.
2. In the VSC profiles table in the right pane, click the Colubris Networks profile to edit it.
3. On the VSC profile page:
   - Under General, enter the Name as Guest.
   - Under General, select the Provide access control checkbox.
   - Under VSC ingress mapping, select VLAN then select Hotspot.
   - Enable HTML-based user logins.
   - Select the RADIUS authentication checkbox.
   - For RADIUS Profile, select RADIUS1.

Create AP groups
Two AP groups need to be created:
   - Guest: Used for MAPs installed in public spaces. Forwards guest traffic on VLAN 40.
   - Public: Used for MAPs installed in hotel rooms. Forwards public traffic on VLAN
1. On the Main Menu, select Controlled APs.
2. In the right pane, click Group management.
3. Click Add New Group.
4. Under Group settings, set Name to Public.
5. Click Save.
6. Click Add New Group.
7. Under Group settings, set Name to Guest.
8. Click Save.

Configure AP groups
The two AP groups now need to be configured and populated with the correct MAPs.

Configure the Public group
1. On the Main Menu, select the Public group.
2. In the right pane, click VSC binding.
3. Click Add New Binding.
4. Under VSC profile, select Hotspot.
5. Under VLAN:
   - Select the Use egress VLAN checkbox.
   - Set VLAN ID to
6. Click Save.

7. Click the + symbol next to Default Group. The MAPs (identified by their serial numbers) should be shown, each with a green status light.
8. Drag each MAP that is installed in a public area from the Default Group and drop it in the Public group.

Configure the Guest group
1. On the Main Menu, select the Guest group.
2. In the right pane, click VSC binding.
3. Click Add New Binding.
4. Under VSC profile, select Hotspot.
5. Under VLAN:
   - Select the Use egress VLAN checkbox.
   - Set VLAN ID to
6. Click Save.
7. Click the + symbol next to Default Group. The MAPs (identified by their serial numbers) should be shown, each with a green status light.
8. Drag each MAP that is installed in a hotel room from the Default Group and drop it in the Guest group.

Synchronize the MAPs
To update the MAPs with the new definitions, do the following:
1. On the Main Menu, select Default Group.
2. In the right pane, in the Select the action to apply to all listed APs list, choose Synchronize Configuration.
3. Click Apply.
4. Wait for the status light for each MAP to turn green. This indicates that the MAP is fully operational with the new configuration settings.
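The server-side script that Scenario 4 calls for under "On the RADIUS server", written out as an added example (it is not code from Colubris or from this guide). The page file names, the listening port and the function names are assumptions; because the VLAN value arrives in a URL query string (vlan=%v), the script accepts only the two VLAN IDs the scenario defines and never builds a file path from the value.

```python
"""Added example: choose a login page from the vlan= query parameter."""
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

# VLAN IDs come from the scenario; the page file names are assumptions.
PAGES_BY_VLAN = {
    40: "customer_login.html",
    50: "public_login.html",
}

# Constructed page bodies so the example runs without files on disk.
PAGE_BODIES = {
    "customer_login.html": b"<html><body><h1>Customer login</h1></body></html>",
    "public_login.html": b"<html><body><h1>Public access login</h1></body></html>",
}


def parse_vlan(query_string):
    """Return the VLAN ID as an int, or None if the parameter is unusable."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("vlan", [])
    if len(values) != 1:
        return None  # missing or repeated parameter
    raw = values[0]
    # ASCII digits only, at most 4 characters: rejects "../x", " 40",
    # signs, blanks and non-ASCII digit characters.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 4):
        return None
    vlan = int(raw)
    return vlan if 1 <= vlan <= 4094 else None


def select_login_page(query_string):
    """Map the query string to a page name from the fixed table, or None."""
    vlan = parse_vlan(query_string)
    return PAGES_BY_VLAN.get(vlan)


def app(environ, start_response):
    """WSGI entry point: serve the page for the VLAN or refuse the request."""
    page = select_login_page(environ.get("QUERY_STRING", ""))
    if page is None:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"Unknown location\n"]
    body = PAGE_BODIES[page]
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body))),
    ])
    return [body]


if __name__ == "__main__":
    # Assumed bind address and port, for local testing only.
    with make_server("127.0.0.1", 8080, app) as httpd:
        httpd.serve_forever()
```

The table lookup is the only way a page is chosen, so adding a location means adding one entry to PAGES_BY_VLAN rather than loosening the parser.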

Scenario 5: Custom HTML pages on each MAP

This scenario shows you how to create a customized user experience based on the MAP with which a customer is associated. This scenario uses locally configured attributes and does not require a RADIUS server.

How it works
In this scenario wireless networking for a condo complex is deployed using multiple MAPs and a single series 5000 MSC. The complex features three buildings, each with several condos serviced by a single MAP.

Since tenant turnover is low, and network access is included in the monthly condo fee, accounting support is not needed. Therefore this scenario does not use a RADIUS server. Instead, all logins are validated by the MSC using a locally defined user list.

To offer personalized service for each building, a set of custom web pages is created for each building and stored in a separate folder on a web server. (A third-party server on the Internet is used to keep costs down.) Customers are redirected to the appropriate set of pages based on the location-aware group name assigned to each MAP.

[Topology diagram: the web server is reached through the MSC's Internet port; MAP 1, MAP 2 and MAP 3 connect to the MSC's LAN port and serve Condo complex 1, Condo complex 2 and Condo complex 3.]

About the location-aware feature
This feature, which is enabled by default, permits the MSC to determine the physical location where customers are logging into the network (as well as other information which can be used for customer tracking). See the Public Access Administrator's Guide for more information on this feature.

This scenario uses the location-aware group name feature to assign a unique name to each MAP. When a customer logs in, the MAP reports this name to the MSC. The name is then used to create a URL to a custom set of pages on the web server.

Configuration road map

Install the MSC
Install the MSC as described in the appropriate quickstart guide.
1. Connect the Internet port to the Internet connection.
2. Connect the MSC to the LAN, and start the Management Tool to configure it as described in the sections that follow.

Install the MAPs
Install the MSC as described in the appropriate quickstart guide.

Enable the DHCP server
By default, the DHCP server is disabled on the MSC. Enable it as follows:
1. Start the management tool.
2. On the Main Menu, click Service Controller.
3. In the right pane, select Network > Address allocation > DHCP server and click Configure.
4. The MSC will automatically define DHCP settings for subnet There is no need to change these settings. Click Save.

MAP discovery
By default the MAPs are configured to operate in controlled mode. This means that once connected to the network they will automatically establish a control channel with the MSC so that their configuration can be managed via the MSC's management tool. To verify that the MAPs have been discovered, do the following on the MSC:
1. Start the management tool.
2. On the Main Menu, click the + symbol next to Controlled APs.
3. Click the + symbol next to Default Group. The MAPs (identified by their serial numbers) should be shown, each with a green status light.

Enable AP authentication
Now that the APs have been discovered, authentication should be enabled so that APs cannot be added to the network without your knowledge.
1. On the Main Menu, click Service Controller.
2. In the right pane, select Security > Controlled APs.
3. Select the Controlled APs authentication checkbox.
4. Select the Use local authentication list checkbox.
5. Click Save.

Configure the location-aware group name
By default, the location-aware group name is taken from the controlled AP group that a MAP is assigned to. Therefore, to set a unique group name for each MAP, create three groups called Complex1, Complex2, and Complex3 as follows:
1. On the Main Menu, click Controlled APs.
2. In the right pane, click Group Management.
3. Click Add New Group.

4. Under Group settings, set Name to Complex1, Complex2, or Complex3.
5. Click Save.
6. Drag the MAP installed at each complex from the Default Group and drop it into the appropriate new group.

Create the custom web pages
1. Create the following folder on the web server: \newpages
2. Create a file called logo.gif that contains a custom logo for the service being offered and place it in \newpages.
3. Copy the following files from the \Doc\Samples\Internal_Pages and \Doc\Samples\External_Pages folders on the Colubris Networks documentation CD and place them in the newpages folder.
   - login.html
   - welcome.html
   - goodbye.html
4. Create the following three folders on the web server:
   - \newpages\complex_1
   - \newpages\complex_2
   - \newpages\complex_3
5. Create the following three HTML files in each of the three new folders. Customize each file so that it provides content specific to each condo complex:
   - login.html: This is the page tenants will use to log in. You need to modify this page to accept logins from tenants and send them to the MSC for validation. The following sample code illustrates how to do this.

        <!-- MSC_LOGIN_URL is a placeholder: the URL on the MSC that receives the login -->
        <form action="MSC_LOGIN_URL">
          <input type="text" name="username" id="username" />
          <!-- type="password" keeps the value masked on screen -->
          <input type="password" name="password" id="password" />
          <input type="submit" />
        </form>

   - welcome.html: This is the page tenants will see after their login is approved. It is a standard HTML page and can be customized as required.
   - goodbye.html: This is the page tenants will see after they log out. It is a standard HTML page and can be customized as required.

Configure attributes to activate the customized pages
Open the Public access > attributes page and add the following attributes to the Configured attributes table:

The first four attributes provide support for the common pages that are generic for all tenants, and the shared logo file.

   transport-page=web_server_url/newpages/transport.html
   session-page=web_server_url/newpages/session.html
   fail-page=web_server_url/newpages/fail.html
   logo=web_server_url/newpages/logo.gif

The next three attributes provide support for the custom pages. Each time a tenant logs in the MSC calls these pages, replacing the %G with the group name assigned to the MAP that the tenant is associated with.

   login-url=web_server_url/newpages/%g/login.html
   welcome-url=web_server_url/newpages/%g/welcome.html
   goodbye-url=web_server_url/newpages/%g/goodbye.html

By default the MSC blocks access to any resources that are connected to its Internet port until a client station successfully logs in. However, to log in, a client station must be able to load the custom login page hosted on the web server. To solve this problem, an access list definition is added that permits access to the web server for all unauthenticated stations.

   Access-list=loginpage,ACCEPT,tcp,web_server_URL,80
   Use-access-list=loginpage

Define the list of condo tenants
1. On the Main Menu, select Service Controller.
2. Select Public access > Users.
3. Add usernames and passwords for all condo tenants.

Configure the MSC's Internet port
1. Select Network > Ports > Internet port.
2. Select the addressing option required by the ISP.
3. Click Configure and define all settings as required.

Using the public access interface
To use the condo Internet service, tenants do the following:
   - Connect to the Colubris Networks SSID using 802.11b or g.
   - Start their web browser and enter the URL wireless.colubris.com, which is the URL assigned to the MSC.
   - The MSC will redirect the browser to the login page on the web server.
   - After the tenant logs in and is validated, the Welcome page is displayed. The tenant can now surf the Internet.

Synchronize the MAPs
To update the MAPs with the new VSC definitions, do the following:
1. On the Main Menu, select Default Group.
2. In the right pane, in the Select the action to apply to all listed APs list, choose Synchronize Configuration.
3. Click Apply.
4. Wait for the status light for each MAP to turn green. This indicates that the MAP is fully operational with the new configuration settings.
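A pre-deployment check for the Scenario 5 attribute set, as an added example (it is not code from Colubris or from this guide). It expands the group placeholder for every AP group, confirms that a folder exists for each expanded URL, and confirms that the login page host and port are covered by an access list that is actually in use. The host portal.example.net stands in for web_server_url, and literal, case-sensitive substitution of the group name is an assumption.

```python
"""Added example: sanity-check the Scenario 5 attributes before loading them."""
from urllib.parse import urlsplit

# Constructed input: the guide writes "web_server_url"; portal.example.net is
# an assumed host standing in for it.
ATTRIBUTES = """\
login-url=http://portal.example.net/newpages/%g/login.html
welcome-url=http://portal.example.net/newpages/%g/welcome.html
goodbye-url=http://portal.example.net/newpages/%g/goodbye.html
access-list=loginpage,ACCEPT,tcp,portal.example.net,80
use-access-list=loginpage
"""
GROUPS = ["Complex1", "Complex2", "Complex3"]      # AP group names in the scenario
FOLDERS = {"complex_1", "complex_2", "complex_3"}  # folders created under newpages
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_attributes(text):
    """Split name=value lines; attribute names are lowercased for comparison."""
    attrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a name=value line: {line!r}")
        attrs.append((name.strip().lower(), value.strip()))
    return attrs


def expand(template, group):
    """Assumption: the placeholder is replaced literally by the group name."""
    return template.replace("%g", group).replace("%G", group)


def accepted_endpoints(attrs):
    """Return the (host, port) pairs opened by ACCEPT rules of lists in use."""
    in_use = {value.lower() for name, value in attrs if name == "use-access-list"}
    endpoints = set()
    for name, value in attrs:
        if name != "access-list":
            continue
        fields = [field.strip() for field in value.split(",")]
        if len(fields) < 5:
            raise ValueError(f"access-list needs 5 fields: {value!r}")
        list_name, action, proto, host, port = fields[:5]
        if (list_name.lower() in in_use and action.upper() == "ACCEPT"
                and proto.lower() == "tcp"):
            endpoints.add((host.lower(), int(port)))
    return endpoints


def check(attrs, groups, folders, pages_root="newpages"):
    """Return findings as tuples; an empty list means the set is consistent."""
    findings = []
    reachable = accepted_endpoints(attrs)
    for name, template in attrs:
        if not name.endswith("-url"):
            continue
        for group in groups:
            url = urlsplit(expand(template, group))
            parts = [part for part in url.path.split("/") if part]
            # Folder check: the path component right after the pages root.
            if "%g" in template.lower() and pages_root in parts[:-1]:
                folder = parts[parts.index(pages_root) + 1]
                if folder not in folders:
                    findings.append(("folder", name, group, folder))
            # Pre-login check: only the login page must load before login.
            if name == "login-url":
                port = url.port or DEFAULT_PORTS.get(url.scheme, 0)
                endpoint = (url.hostname or "", port)
                finding = ("preauth", name, endpoint[0], endpoint[1])
                if endpoint not in reachable and finding not in findings:
                    findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in check(parse_attributes(ATTRIBUTES), GROUPS, FOLDERS):
        print(finding)
```

Under the literal-substitution assumption, the names as written in this scenario (groups Complex1 to Complex3, folders complex_1 to complex_3) produce folder findings, so the group names and folder names need to be made identical before tenants are redirected.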

Scenario 6: Multi-site installation (centralized architecture)

This scenario shows you how to create a multi-site installation using multiple MAPs in combination with a series 5000 MSC.

How it works
In this scenario, multiple MAPs are installed to offer public access networking at a number of different physical locations. The MAPs operate in controlled mode, which means that management and configuration of the MAPs is handled centrally on the MSC. The MAPs automatically discover the MSC and establish a secure GRE tunnel with it, through which they can exchange management and control information.

Note: By default, the GRE tunnel between a MAP and MSC is automatically created whenever the connection between a MAP and MSC must traverse a router. In cases where no router is used, the tunnel must be manually enabled on the MSC using the Configuration > Access control page for each MAP group.

Wireless security is provided by enabling 802.1x on the MAPs, using the services of the RADIUS server to validate logins.

Address allocation for all devices on the network, including wireless client stations, is provided by the DHCP server. The DHCP server is configured to support the Colubris vendor-specific class. This enables it to return Colubris-specific information to DHCP clients. The MAPs use this information to locate and connect with the MSC. (Note: The routers on the network must be configured to support DHCP relay.)

[Topology diagram: the Network Operating Center (Web/FTP server, RADIUS server, DHCP server, MSC, management station) connects through a router and GRE tunnels to a MAP at each of Site #1, Site #2 and Site #3; each MAP serves a public WLAN.]

Configuration road map

Configure the DHCP server
When operating in controlled mode, MAPs are configured as DHCP clients by default. This enables them to obtain the list of available MSCs from any DHCP server that is properly configured to support the Colubris Networks Vendor Class. The Vendor Class enables an administrator to define a list of available MSCs on the network that the MAPs can connect to. In this scenario, the DHCP server is configured to return the address of the MSC at For details on how to configure the DHCP server, see Chapter 7.

Install the MSC
1. Install the MSC as described in the appropriate quickstart guide.
2. Connect the MSC's LAN port to the network, start the Management Tool and configure it as described in the sections that follow.

Configure MSC addressing
By default, the MSC's LAN port is set to the static IP address For this scenario, the address needs to be changed to
1. On the Main Menu, select Service controller.
2. In the right pane, select Maintenance > Licenses.
3. Under Port configuration, click LAN port.
4. Under Addressing, set LAN IP port address to
5. Under Addressing, set LAN port mask to
6. Click Save.
Note: After clicking Save you will have to reconnect to the management tool using the new address.

Install the MAPs
Install the MSC as described in the appropriate quickstart guide.

MAP discovery
By default the MAPs are configured to operate in controlled mode. This means that once connected to the network they will automatically establish a control channel with the MSC so that their configuration can be managed via the MSC's management tool. To verify that the MAPs have been discovered, do the following on the MSC:
1. Start the management tool.
2. On the Main Menu, click the + symbol next to Controlled APs.
3. Click the + symbol next to Default Group. The three MAPs (identified by their serial numbers) should be shown, each with a green status light.

Enable AP authentication
Now that the APs have been discovered, authentication should be enabled so that APs cannot be added to the network without your knowledge.
1. On the Main Menu, click Service Controller.
2. In the right pane, select Security > Controlled APs.
3. Select the Controlled APs authentication checkbox.
4. Select the Use local authentication list checkbox.

5. Click Save.

Configure the wireless network
By default the MSC configures the wireless settings on the MAPs to:
   - support 802.11b/g clients
   - automatically choose the best operating channel (frequency)
   - create a wireless network named Colubris Networks
There is no need to change these settings for this scenario.

Create a RADIUS profile
1. On the Main Menu, select Service controller.
2. In the right pane, select Security > RADIUS.
3. Click Add New Profile.
   - In the Profile name box, assign RADIUS1 to the new profile.
   - In the Settings box, use the defaults except for Authentication method, which must match the method supported by the RADIUS server.
   - In the Primary RADIUS server box, specify the address of the RADIUS server in the NOC and the secret the MSC will use.

Enable DHCP relay
1. On the Main Menu, select Service controller.
2. In the right pane, select Network > Address allocation.
3. Select DHCP relay agent and click Configure.
4. Under Server, set Primary server address to the address of the DHCP server in the NOC.
5. Under Addressing, set LAN IP port address to
6. Under Addressing, set LAN port mask to
7. Click Save.


Chapter 5 Enterprise deployment

In this chapter you can find sample deployment strategies for common enterprise scenarios using series 3000 and series 5000 MSCs and one or more MAPs. These scenarios will give you a good idea about how to approach your installation.

Scenario 1: Adding secure wireless networking

The MAP makes it easy to add secure wireless connectivity to an existing local area network.

How it works
In this scenario a MAP is installed on an existing corporate network to provide wireless networking services for employees. Since the MAP functions as a DHCP client and all its ports are bridged, it simply creates a wireless extension to the existing network.

Wireless transmissions are protected using WPA with preshared keys, ensuring that network traffic cannot be compromised by eavesdroppers.

[Topology diagram: a DHCP server on the corporate network and a MAP serving a WPA-protected WLAN.]

Configuration road map

Install the MAP
Install the MAP as described in the quickstart guide.

Switch MAPs to autonomous mode
By default the MAP is configured to operate in controlled mode. Switch it to autonomous mode as follows:
1. Start the Management Tool and log in.
2. On the home page, click Switch to Autonomous Mode. The MAP will restart.
3. Before you connect the MAP to the LAN, start the Management Tool and configure it as described in the sections that follow.

Configure the wireless network
By default the MAP is configured to:
   - Automatically select the best operating frequency
   - Create a wireless network named Colubris Networks
Note: By default one radio on the MAP-330 is used to provide the wireless network, and the other is placed into Monitor mode.

Configure addressing
By default, the MAP is set to operate as a DHCP client. In the sample topology it is automatically assigned the IP address 5.7 by the corporate DHCP server. To make the MAP easier to manage, it may be useful to assign a static IP address to it as follows:
1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters and click Save.

Configure a VSC
1. Select VSC > Profiles.
2. Click the Colubris Networks profile in order to edit it.
3. Clear the Wireless security filters checkbox.
4. Under Wireless protection:
   - Select the checkbox and leave the default setting of WPA.
   - For Mode, select WPA (TKIP) or WPA2 (AES/CCMP).
   - For Key source, select Preshared key.
   - For Key and Confirm key, set a unique key value.
5. Click Save.

Scenario 2a: Integrating wireless networking with authentication

The MAP can easily be integrated into an existing networking infrastructure to provide secure wireless networking by leveraging an existing RADIUS server.

How it works
In this scenario a MAP is installed on an existing corporate network to provide wireless networking services for employees. Since the MAP functions as a DHCP client and all its ports are bridged, it simply creates a wireless extension to the existing network.

Security for the wireless network is provided using 802.1x. The MAP uses the existing RADIUS server on the corporate network to validate employee logins.

[Topology diagram: a RADIUS server and a DHCP server on the corporate network, and a MAP serving an 802.1x-protected WLAN.]

Configuration road map

Install the MAP
Install the MAP as described in the quickstart guide.

Switch MAPs to autonomous mode
By default the MAP is configured to operate in controlled mode. Switch it to autonomous mode as follows:
1. Start the Management Tool and log in.
2. On the home page, click Switch to Autonomous Mode. The MAP will restart.
3. Before you connect the MAP to the LAN, start the Management Tool and configure it as described in the sections that follow.

Configure the wireless network
By default the MAP is configured to:
   - Automatically select the best operating frequency
   - Create a wireless network named Colubris Networks
Note: By default, one radio on the MAP-330 is used to provide the wireless network, and the other is placed into Monitor mode.

Configure addressing
By default, the MAP is set to operate as a DHCP client. In the sample topology it is automatically assigned the IP address 5.7 by the corporate DHCP server. To make the MAP easier to manage, it may be useful to assign a static IP address to it as follows:
1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters and click Save.

Configure the connection to the RADIUS server
1. Select Security > RADIUS.
2. Click Add New Profile.
3. Under Profile Name, enter Corporate.
4. Under Primary RADIUS server, enter the Server address and Secret for the corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.

Configure a VSC
1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
3. Clear the Wireless security filters checkbox.
4. Under Wireless protection:
   - Select the checkbox.
   - Select 802.1x.
   - For RADIUS profile, select Corporate.
   - Select RADIUS accounting.
   - Select Mandatory authentication.
5. Click Save.

Scenario 2b: Using multiple wireless profiles and QoS

This scenario expands Scenario 2a by using virtual service communities to add a variety of wireless services.

The MAP can create multiple virtual service communities (VSCs) to support different types of services, including wireless security options, authentication, and quality of service (QoS).

How it works
In this scenario the MAP provides three different wireless networks and uses QoS settings to prioritize traffic:
   - Employee: This network is for use by all employees. It features 802.1x security and a QoS setting that provides for normal traffic priority.
   - Guest: This network is for use by guests. It features WEP security and a QoS setting that provides for low traffic priority. Guest traffic is restricted using the MAP's security filter capability so that guest traffic can only reach the router for Internet access. For this to work, the DHCP server must be configured to return the router as the default gateway.
   - Video: This network is for video conferencing. It features 802.1x security and a QoS setting that provides for high traffic priority.

[Topology diagram: a RADIUS server, a DHCP server and a router/firewall on the corporate network, and a MAP offering three wireless networks: Guest (QoS = VSC Based Low), Video (QoS = VSC Based High) and Employee (QoS = VSC Based Normal).]

Configuration road map

Important: Start with the configuration defined in Scenario 2a.

Configure VSCs

Use the following steps to define the three virtual service communities required for this scenario.
1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
   - Under Name, enter Employee.
   - Under WLAN name (), enter Employee.
   - Under Virtual AP, QoS priority mechanism, select VSC Based Normal.
   - Clear the Wireless security filters checkbox.
   - Under Wireless protection:
     - Select the checkbox.
     - Select 802.1x.
     - For RADIUS profile, select Corporate.
     - Select RADIUS accounting.
     - Select Mandatory authentication.
3. Click Add New Profile.
   - Under Name, enter Guest.
   - Under WLAN name (), enter Guest.
   - Under Virtual AP, QoS priority mechanism, select VSC Based Low.
   - Under Wireless protection:
     - Select the checkbox.
     - Select WEP.
     - Define a set of unique WEP keys.
4. Click Add New Profile.
   - Under Name, enter Video.
   - Under WLAN name (), enter Video.
   - Under Virtual AP, QoS priority mechanism, select VSC Based High.
   - Clear the Wireless security filters checkbox.
   - Under Wireless protection:
     - Select the checkbox.
     - Select 802.1x.
     - For RADIUS profile, select Corporate.
     - Select RADIUS accounting.
     - Select Mandatory authentication.

Scenario 2c: Supporting wireless phones

This scenario adds support for wireless phones to Scenario 2b. The MAP provides two features to support SIP and Spectralink phones: SVP quality of service support and MAC-based authentication.

How it works

This scenario adds two virtual service communities to provide support for wireless phones. Authentication of phones is accomplished by adding the MAC address of each phone to an internal list maintained on the MAP. Only phones that appear in the list can connect. A separate VSC is added for each type of phone: Spectralink and SIP.

[Figure: network diagram showing the RADIUS server, DHCP server, SIP server, corporate network, router/firewall, and the MAP with five wireless networks: Guest (QoS = VSC Based Low), Video (QoS = VSC Based High), Employee (QoS = VSC Based Normal), Spectralink (QoS = Diffsrv), and SIP (QoS = VSC Based High).]

Configure the VSC

Important: Start with the configuration defined in Scenario 2b.

Add VSCs

Use the following steps to define the VSCs required for this scenario.
1. Select VSC > Profiles.
2. Click Add New Profile.
   - Under Name, enter Phone.
   - Under WLAN name (), enter Spectralink.
   - Under Virtual AP, QoS priority mechanism, leave the default selection Diffsrv, which maps phone traffic to traffic queue 1.
   - Clear the Wireless security filters checkbox.
   - Under MAC Filter:
     - Enable the MAC Filter checkbox.
     - Select Allow.
     - Under MAC address, enter the MAC address for each phone.
     - Click Add.
3. Click Add New Profile.
   - Under Name, enter Phone.
   - Under WLAN name (), enter SIP.
   - Clear the Wireless security filters checkbox.
   - Under Virtual AP, QoS priority mechanism, leave the default selection VSC Based Very High, which maps phone traffic to traffic queue 1.
   - Under MAC Filter:
     - Enable the MAC Filter checkbox.
     - Select Allow.
     - Under MAC address, enter the MAC address for each phone.
     - Click Add.
4. Click Save.

Scenario 3: Adding wireless networking to a segmented network

With support for VLANs and multiple s, the MAP provides for seamless integration into an existing segmented network architecture.

How it works

In this scenario, multiple VSCs are used to provide a wireless architecture that mirrors the segmented configuration of the backbone LAN. Wireless traffic is secured using either 802.1x or WPA and leverages the existing corporate RADIUS server for employee authentication. Since all MAPs are installed on the same network segment, and each features an identical wireless setup, employees are able to roam between wireless cells without losing their network connection. An unprotected guest network is provided, allowing company guests to access the Internet through a wireless connection.

[Figure: network topology showing the RADIUS and DHCP server, Server 1, Server 2, the router/firewall, a layer 3 switch with an 802.1Q trunk port, and the MAPs offering Guest (VLAN 40), Priv_802.1x (VLAN 60), and Priv_WPA.]

About the s and VLANs

This scenario uses the following s and VLANs:
- Guest: This has no encryption enabled and is mapped to VLAN 40. This permits guests to access the Internet only.
- Priv_802.1x: This is defined with 802.1x security and is mapped to VLAN 60. Employee authentication occurs by way of the corporate RADIUS server.
- Priv_WPA: This is defined with WPA security and is mapped to VLAN 60.
- Default VLAN: The default VLAN is set to 50. Since all user traffic on the MAP is mapped to either 40 or 60, only management traffic is sent on VLAN 50, which includes all communication with the corporate RADIUS server and configuration activities. For this to work, LAN port 1 must be used to connect the MAP to the corporate network.

Addressing details

Following are addressing details used in this scenario:
- The MAPs are connected to the layer 3 switch through LAN port 1.
- Each MAP has a unique static IP address on the 50.0 segment.
- Employees on the Guest, Priv_802.1x, and Priv_WPA s are bridged to the appropriate VLAN. This means that they receive an IP address from the DHCP server on the network.
- The Layer 3 switch provides routing between VLAN 60 and VLAN 40, enabling employees to access the Internet.

Configuration road map

Install the MAPs

Install the MAP as described in the quickstart guide.

Switch MAPs to autonomous mode

By default the MAPs are configured to operate in controlled mode. Switch them to autonomous mode as follows:
1. Start the Management Tool and log in.
2. On the home page, click Switch to Autonomous Mode. The MAP will restart.
3. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

Configure the wireless network

By default each MAP is configured to:
- Automatically select the best operating frequency
- Create a wireless network named Colubris Networks

There is no need to change these settings for this scenario.

Note: By default, one radio on the MAP-330 is used to provide the wireless network, and the other is placed into Monitor mode.

Define the VLANs and network addressing

Define VLANs 40 and 60 so that later they can be mapped to VSCs.
1. Select Network > VLAN.
2. Click Add New VLAN.
   - Under General:
     - Leave the Port selection as Port 1.
     - Set VLAN ID to 40.
     - Set VLAN name to Guest.
   - Under Assign IP address via, select DHCP client.
3. Click Add New VLAN.
   - Under General:
     - Leave the Port selection as Port 1.
     - Set VLAN ID to 60.
     - Set VLAN name to Employee.
   - Under Assign IP address via, select DHCP client.
4. Select Network > Ports.
5. Click Bridge port.
   - Under Assign IP address via, select Static, then click Configure.
   - Define static addressing as required by your corporate network.
6. Select Network > Ports.
7. Click Port 1.
   - Under VLAN, select VLAN ID and set it to 50.
   - Select the Restrict default VLAN to management traffic only checkbox.

Configure the connection to the RADIUS server

1. Select Security > RADIUS.
2. Click Add New Profile.
3. For Profile Name, enter Corporate.
4. Under Primary RADIUS server, specify the Server address and Secret for the corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.

Configure the VSCs

Use the following steps to define three virtual service communities on each MAP:
1. Select VSC > Profiles.
2. Click Add New Profile.
   - Under General, set Name to Guest.
   - Under, set WLAN name to Guest.
   - Under Egress VLAN, select the VLAN ID of 40, which corresponds to Guest.
   - Clear the Wireless Security Filters checkbox.
3. Click Add New Profile.
   - Under General, set Name to Priv_WPA.
   - Under, set WLAN name to Priv_WPA.
   - Under Egress VLAN, select the VLAN ID of 60, which corresponds to Employee.
   - Clear the Wireless Security Filters checkbox.
   - Under Wireless protection:
     - Enable the checkbox and select WPA.
     - For Mode, select WPA (TKIP) or WPA2 (AES/CCMP).
     - For RADIUS profile, select Corporate.
     - Select RADIUS accounting.
     - Select Mandatory authentication.
4. Click Add New Profile.
   - Under General, set Name to Priv_8021x.
   - Under, set WLAN name to Priv_8021x.
   - Under Egress VLAN, select the VLAN ID of 60, which corresponds to Employee.
   - Disable the Wireless Security Filters checkbox.
   - Under Wireless protection:
     - Enable the checkbox and select 802.1x.
     - For RADIUS profile, select Corporate.
     - Select RADIUS accounting.
     - Select Mandatory authentication.

Configure the RADIUS server

Configure the RADIUS server to return VLAN 60 for employee accounts. You can do this by setting the following standard RADIUS attributes on the server:
tunnel-type=vlan
tunnel-medium-type=802
tunnel-private-group-id=
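The three attributes named above have a fixed wire encoding (RFC 2868 and RFC 3580), and a server that sends a wrong tunnel type, medium or group ID will not place employees on VLAN 60. The following check is an added example, not taken from the Colubris guide: it encodes the attributes as they would appear in an Access-Accept and validates a received attribute block. The function names are assumptions, and the sample bytes are constructed.

```python
import struct

# Attribute numbers and values from RFC 2868 and RFC 3580.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TYPE_VLAN = 13        # tunnel-type=vlan
MEDIUM_IEEE_802 = 6   # tunnel-medium-type=802
NAMES = {TUNNEL_TYPE: "tunnel-type",
         TUNNEL_MEDIUM_TYPE: "tunnel-medium-type",
         TUNNEL_PRIVATE_GROUP_ID: "tunnel-private-group-id"}


def encode_vlan_attributes(vlan_id, tag=0):
    """Build the attribute bytes a server would place in an Access-Accept."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be in 0..31")

    def tagged_int(attr, value):
        # Layout: type (1), length (1) = 6, tag (1), value (3, big-endian).
        return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")

    group = str(vlan_id).encode("ascii")
    if tag:
        group = bytes([tag]) + group  # the tag octet is optional here
    return (tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group))
            + group)


def parse_attributes(data):
    """Split raw attribute bytes into (type, value) pairs; reject bad lengths."""
    attrs, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header")
        attr, length = data[offset], data[offset + 1]
        if length < 2 or offset + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr}")
        attrs.append((attr, data[offset + 2:offset + length]))
        offset += length
    return attrs


def check_vlan_assignment(data, expected_vlan=None):
    """Return (vlan_id or None, problems) for the tunnel attributes in data."""
    problems, found = [], {}
    for attr, value in parse_attributes(data):
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) == 4:
                found[attr] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # A first octet of 0x00..0x1F is a tag; anything higher is text.
            has_tag = bool(value) and value[0] <= 0x1F
            text = value[1:] if has_tag else value
            found[attr] = (value[0] if has_tag else 0,
                           text.decode("ascii", "replace"))
    for attr, name in NAMES.items():
        if attr not in found:
            problems.append(f"{name}: missing or malformed")
    if problems:
        return None, problems
    if found[TUNNEL_TYPE][1] != TYPE_VLAN:
        problems.append(f"tunnel-type: {found[TUNNEL_TYPE][1]} is not vlan (13)")
    if found[TUNNEL_MEDIUM_TYPE][1] != MEDIUM_IEEE_802:
        problems.append(
            f"tunnel-medium-type: {found[TUNNEL_MEDIUM_TYPE][1]} is not 802 (6)")
    if len({tag for tag, _ in found.values()}) != 1:
        problems.append("tags differ: attributes do not describe one tunnel")
    group = found[TUNNEL_PRIVATE_GROUP_ID][1]
    vlan = int(group) if group.isdigit() and 1 <= int(group) <= 4094 else None
    if vlan is None:
        problems.append(f"tunnel-private-group-id: {group!r} is not a VLAN ID")
    elif expected_vlan is not None and vlan != expected_vlan:
        problems.append(f"VLAN {vlan} returned, expected {expected_vlan}")
    return (vlan if not problems else None), problems


# Constructed sample: the attributes for an employee account on VLAN 60.
SAMPLE_ACCEPT_ATTRS = encode_vlan_attributes(60)

if __name__ == "__main__":
    print(SAMPLE_ACCEPT_ATTRS.hex())
    print(check_vlan_assignment(SAMPLE_ACCEPT_ATTRS, expected_vlan=60))
```
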

Scenario 4: Roaming across different subnets (single MSC)

Colubris supports roaming across different subnets by utilizing MAPs in combination with an MSC. This scenario shows how a single MSC can be used to service MAPs on different subnets.

How it works

In this scenario multiple MAPs are installed to provide wireless networking coverage on two different subnets. Client stations are able to roam between MAPs without losing their connection, even across different subnets.

The MAPs are operating in controlled mode, which means that management and configuration of the MAPs is handled centrally on the MSC. The MAPs automatically discover the MSC and establish a secure tunnel with it, through which they can exchange management and control information to support features such as fast authentication and layer 3 mobility.

The layer 3 mobility feature is used in this scenario to support client station roaming between subnets. The fast authentication feature enables quick handoff between MAPs on the same subnet.

Wireless security is provided by enabling 802.1x on the MAPs, using the services of the RADIUS server to validate logins.

Address allocation for all devices on the network, including wireless client stations, is provided by the DHCP server. The DHCP server is configured to support the Colubris vendor-specific class. This enables it to return Colubris-specific information to DHCP clients. The MAPs use this information to locate and connect with the MSC. (Note: The routers on the network must be configured to support DHCP relay.)

[Figure: network diagram showing the router/firewall, DHCP server, RADIUS server, the MSC (LAN port), two routers, and MAPs A, B, C, and D providing WLAN coverage in two areas.]

Configuration road map

Install the MAPs

1. Install the MAP and MSCs as described in the quickstart guide.
2. Before you connect the devices to the network, configure them as described in the sections that follow.

Configure the DHCP server

When operating in controlled mode, MAPs are configured as DHCP clients by default. This enables them to obtain the list of available MSCs from any DHCP server that is properly configured to support the Colubris Networks Vendor Class. The Vendor Class enables an administrator to define a list of available MSCs on the network that the MAPs can connect to. In this scenario, the DHCP server is configured to return the address of the MSC at For details on how to configure the DHCP server, see Chapter 7.

Install the COS Services Pack license

To support fast authentication and layer 3 mobility the MSC must have the COS Services Pack license installed.
1. On the Main Menu, select Service controller.
2. In the right pane, select Maintenance > Licenses.
3. Order a COS services pack license from Colubris Networks using the License ordering information.
4. Under Install license file, click Browse and select the license file sent to you by Colubris Networks.
5. Click Install license. The license will be added to the Installed Licenses table.

Configure addressing

By default, the MSC's LAN port is set to the static IP address For this scenario, the address needs to be changed to
1. On the Main Menu, select Service controller.
2. In the right pane, select Network > Ports.
3. Under Port configuration, click LAN port.
4. Under Addressing, set LAN IP port address to
5. Under Addressing, set LAN port mask to
6. Click Save.

Note: After clicking Save you will have to reconnect to the management tool using the new address.

Create a RADIUS profile

1. On the Main Menu, select Service controller.
2. In the right pane, select Security > RADIUS.
3. Click Add New Profile.
   - In the Profile name box, assign RADIUS1 to the new profile.
   - In the Settings box, use the defaults except for Authentication method, which must match the method supported by the RADIUS server.

   - In the Primary RADIUS server box, specify the address of the corporate RADIUS server and the secret the MSC will use.

Configure the VSC

Use the following steps to configure the default virtual service community to support layer 2 roaming on each MAP:
1. On the Main Menu, select VSCs.
2. In the right pane, click the Colubris Networks profile in the list.
   - Under General, disable Access control. This removes support for the public access interface and enables support for mobility features.
   - Under, set WLAN name to Priv_8021x.
   - Under Wireless mobility:
     - Select the Enable L2 Fast Authentication checkbox.
     - Select the Enable L3 Mobility checkbox.
   - Disable the Wireless Security Filters checkbox.
   - Under Wireless protection:
     - Enable the checkbox and select 802.1x.
     - For RADIUS profile, select RADIUS1.
     - Select RADIUS accounting.
     - Select Mandatory authentication.
3. Click Save.

Synchronize the MAPs

To update the MAPs with the new VSC definitions, do the following:
1. On the Main Menu, select Default Group.
2. In the right pane, in the Select the action to apply to all listed APs list, choose Synchronize Configuration.
3. Click Apply.
4. Wait for the status light for each MAP to turn green. This indicates that the MAP is fully operational with the new configuration settings.

Scenario 5: Roaming across different subnets (multiple MSCs)

Colubris supports roaming across different subnets by utilizing MAPs in combination with an MSC. This scenario shows how multiple MSCs can be used, by installing one on each subnet.

How it works

In this scenario multiple MAPs are installed to provide wireless networking coverage on two different subnets. Client stations are able to roam between MAPs without losing their connection, even across different subnets.

The MAPs are operating in controlled mode, which means that management and configuration of the MAPs is handled centrally on the MSC. The MAPs will automatically discover and connect to the MSC that is on the same subnet. This means MAPs A and B will connect to MSC A, and MAPs C and D will connect to MSC B. Once connected, the MAPs establish a secure tunnel with the MSC through which they can exchange management and control information to support features such as fast authentication and layer 3 mobility.

The layer 3 mobility feature is used in this scenario to support client station roaming between subnets. The fast authentication feature enables quick handoff between MAPs on the same subnet.

Wireless security is provided by enabling 802.1x on the MAPs, using the services of the RADIUS server to validate logins.

Address allocation for all devices on the network, including wireless client stations, is provided by the DHCP server. (Note: The router on the network must be configured to support DHCP relay.)

[Figure: network diagram showing the DHCP server, RADIUS server, router/firewall, MSC A, a router, MSC B, and MAPs A, B, C, and D providing WLAN coverage in two areas.]

Configuration road map

Install the MAPs and the MSC

1. Install the MAP and MSCs as described in the quickstart guide.
2. Before you connect the devices to the network, configure them as described in the sections that follow.

Install the COS Services Pack license

To support fast authentication and layer 3 mobility the MSC must have the COS Services Pack license installed.
1. On the Main Menu, select Service controller.
2. In the right pane, select Maintenance > Licenses.
3. Order a COS services pack license from Colubris Networks using the License ordering information.
4. Under Install license file, click Browse and select the license file sent to you by Colubris Networks.
5. Click Install license. The license will be added to the Installed Licenses table.

Configure addressing

By default, the LAN ports on the MSCs are set to the static IP address For this scenario, the addresses need to be changed.
1. On the Main Menu, select Service controller.
2. In the right pane, select Network > Ports.
3. Under Port configuration, click LAN port.
4. Under Addressing, set LAN IP port address to for MSC A and for MSC B.
5. Under Addressing, set LAN port mask to for both units.
6. Click Save.

Note: After clicking Save you will have to reconnect to the management tool using the new address.

Configure controller discovery on MSC A

1. On the Main Menu, select Service controller.
2. In the right pane, select Management > Device discovery.
3. Enable the Service controller checkbox. Select the This MSC is the primary controller checkbox.
4. Click Save.

Configure controller discovery on MSC B

1. On the Main Menu, select Service controller.
2. In the right pane, select Management > Device discovery.
3. Enable the Service controller checkbox. Clear the This MSC is the primary controller checkbox. For IP address of primary controller, specify
4. Click Save.

Scenario 6: Private and public access networks in the enterprise

This scenario shows you how to support both private traffic and public access using the same access points.

How it works

In this scenario two MAPs are installed to provide wireless networking for an office. An MSC (3000 series or 5000 series) is also installed to provide a public access interface for guests. VLANs are used to segregate employee, guest, and management traffic on the backbone LAN.

[Figure: network diagram showing the DHCP/DNS server, RADIUS server, router/firewall, a router with DHCP relay enabled on VLAN 10, the MSC (Internet port and LAN port), a VLAN switch, and MAP A and MAP B on LAN port 1, each offering Private and Guest networks. VLAN 10 (Private), VLAN 20 (Guest), and VLAN 30 (Management) are carried on the backbone.]

Each MAP is configured with two VSCs:
- Private: This VSC is used by employees to access the corporate network. It is not access controlled, which means that the MAP validates logins directly using the corporate RADIUS server. 802.1x is used to provide secure networking. Once authenticated, employee traffic is forwarded on VLAN 10. Employees are able to roam between MAPs without losing their connection, even across different subnets.

- Guest: This VSC is used by company guests. It is access controlled by the MSC, which means:
  - Guest authentication is handled by the MSC in conjunction with the RADIUS server, rather than on the MAP.
  - Guests log in through the public access interface that is provided by the MSC.
  - Guests cannot roam between subnets. (Roaming is only supported on the same subnet when a VSC is access controlled.)
  This VSC forwards guest traffic to the MSC on VLAN 20. Once authenticated, guest traffic is forwarded through the Internet port on the MSC. An access list definition is used to restrict guest traffic to the router/firewall. This way customers gain access to the Internet but not the corporate network.

Addressing details

- The MAPs are assigned addresses on by the DHCP server by way of the DHCP relay function on the router. The DHCP server must return the default gateway as the router ( ) for the MAPs.
- Client stations on the Private VSC are assigned addresses on by the DHCP server by way of the DHCP relay function on the router. The DHCP server must return the default gateway as the router ( ) for these stations.
- Client stations on the Guest VSC are assigned addresses on by the DHCP server by way of the DHCP relay function on the MSC. The DHCP server must return the default gateway as the MSC ( ) for these stations.
- The management VLAN on both MAPs must be configured as the default VLAN on LAN port 1.
- The corporate DHCP server must be configured to serve addresses on subnet for DHCP requests from the MSC's relay agent, and on subnets and for DHCP requests from the router relay agent.
- For the DHCP relay function to work on the MSC and on the router, Network Address Translation (NAT) must be disabled on both devices. As a result, routes for the , and subnets must exist on the corporate servers (DHCP, DNS, and RADIUS).

Configuration road map

Install the MAPs and the MSC

Install the MAP and MSCs as described in the quickstart guide.

Switch the MAPs to autonomous mode

By default the MAPs are configured to operate in controlled mode. Switch them to autonomous mode as follows:
1. Start the Management Tool and log in.
2. On the home page, click Switch to Autonomous Mode. The MAP will restart.
3. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

Configure the MAPs

Configure the wireless network

By default each MAP is configured to automatically select the best operating frequency. There is no need to change this setting for this scenario.

Configure the connection to the access controller

By default, the MAPs are configured to use the default gateway returned by the DHCP server as the access controller. In this scenario, the default gateway is not the access controller, therefore the address of the access controller must be statically configured on both MAPs as follows:
1. Select Security > Access controller.
2. Under Access controller address, select Specify access controller MAC address and specify the MAC address of the MSC's LAN port which is
3. Click Save.

Configure the connection to the RADIUS server

1. Select Security > RADIUS.
2. Click Add New Profile.
3. For Profile Name, enter Corporate.
4. Under Primary RADIUS server, specify the Server address ( ) and Secret for the corporate RADIUS server.
5. Click Save.

Create VLANs

Three VLANs need to be defined on each MAP: VLAN 10 for employee traffic, VLAN 20 for guest traffic, and VLAN 30 to permit management traffic to reach the MSC.
1. Select Network > Ports.
2. Under VLAN configuration, click Add New VLAN.
   - Under General:
     - Leave the Port selection as LAN port.
     - Set VLAN ID to 10.
     - Set VLAN name to Private.
   - Under Assign IP address via, select Static.
     - On MAP A, set IP address to
     - On MAP B, set IP address to
     - Set Mask to
     - Leave Gateway blank.
3. Under VLAN configuration, click Add New VLAN.
   - Under General:
     - Leave the Port selection as LAN port.
     - Set VLAN ID to 20.
     - Set VLAN name to Guest.
   - Under Assign IP address via, select None.

4. Under Port configuration, click Port 1.
   - Under VLAN:
     - Select the VLAN checkbox.
     - Set VLAN ID to 30.
     - Select the Restrict default VLAN to management traffic only checkbox.

Configure the VSCs

Use the following steps to define two VSCs (Private and Guest) on each MAP:
1. Select VSC > Profiles.
2. Click the Colubris Networks profile in the list to edit it.
   - Under General, set Name to Private.
   - Under General, disable Use Colubris access controller.
   - Under, set WLAN name to Private.
   - Disable the Wireless security filters checkbox.
   - Under Wireless protection:
     - Enable the checkbox and select 802.1x.
     - For RADIUS profile, select Corporate.
     - Select RADIUS accounting.
     - Select Mandatory authentication.
3. Click the Add New Profile button.
   - Under General, set Name to Guest.
   - Under General, enable Use Colubris access controller.
   - Under, set WLAN name to Guest.
   - Disable Wireless protection.

Configure the MSCs

Note: If using a 3000 series MSC, disable the radio(s) as follows: select Wireless > Radio(s) and clear the checkboxes for all radios.

Configure Internet port addressing

By default, the MSC is set to operate as a DHCP client on its Internet port. The DHCP server should be configured to assign the default gateway to be the router/firewall at

Enable DHCP relay

Enable the DHCP relay option. DHCP requests will be forwarded to the DHCP server assigned to the Internet port.
1. Select Network > Address allocation.
2. Select DHCP relay agent.
3. Click Save.

Disable NAT on the Internet port

For DHCP relay to work on the MSC, NAT must be disabled on the Internet port.
1. Select Network > Ports.
2. Select Internet port.
3. Clear the Network address translation (NAT) checkbox.
4. Click Save.

Configure LAN port addressing

By default, the MSC's LAN port is set to the static IP address For this scenario, the address needs to be changed as follows:
1. Select Network > Ports.
2. Under Port configuration, click LAN port.
3. Under Addressing, set LAN IP port address to
4. Under Addressing, set LAN port mask to
5. Click Save.

Configure the connection to the RADIUS server

1. Select Security > RADIUS.
2. Click Add New Profile.
3. For Profile Name, enter Corporate.
4. Under Primary RADIUS server, specify the Server address ( ) and Secret for the corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.

Configure VLANs

VLAN 20 needs to be defined to support guest traffic. It will be associated with the Guest VSC. VLAN 30 needs to be defined for management traffic. It is not associated with a VSC.
1. Select Network > Ports.
2. Under VLAN configuration, click Add New VLAN.
   - Under General:
     - Leave the Port selection as LAN port.
     - Set VLAN ID to 20.
     - Set VLAN name to Private.
   - Under Assign IP address via, select None.
3. Under VLAN configuration, click Add New VLAN.
   - Under General:
     - Leave the Port selection as LAN port.
     - Set VLAN ID to 30.
     - Set VLAN name to Management.

   - Under Assign IP address via, select Static.
     - Set IP address to
     - Set Mask to
     - Leave Gateway blank.

Configure the guest VSC

To handle guest traffic, a guest VSC that matches the one defined on the MAPs must be created on the MSC as follows:

Series 3000 MSCs
1. Select VSC > Profiles.
2. The Virtual service communities page opens. Click the Colubris Networks profile in the list to edit it.

Series 5000 MSCs
1. On the Main Menu, select VSCs.
2. In the VSC profiles table in the right pane, click the Colubris Networks profile to edit it.

3. Configure settings as follows:
   - Under General, enter the Name as Public.
   - Under Virtual AP, enter the WLAN name () as Guest.
   - Under VSC ingress mapping, disable the checkbox.
   - Under VSC ingress mapping, select the VLAN and then select Guest.
   - Enable HTML-based user logins.
   - Select the RADIUS authentication checkbox.
   - For RADIUS Profile, select Corporate.

Define access list

To maintain network security, customer traffic needs to be restricted to the router/firewall only. Do this on both MSCs by defining an access list as follows:
1. Select Public access > Attributes.
2. Under Configured attributes, click the Add New Attribute button.
3. Under Attribute:
   - Set Name to ACCESS-LIST.
   - Set Value to guest,accept,tcp, ,all
   - Click Add.
4. Click the Add New Attribute button.
5. Under Attribute:
   - Under Attribute, set Name to USE-ACCESS-LIST.
   - Under Attribute, set Value to guest
   - Click Add.

Bind VSCs to the MAPs

The new VSC definitions now need to be bound to the MAPs as follows:
1. On the Main Menu, select Default Group.

2. In the right pane, click VSC bindings.
3. Click Add New Binding.
4. Under VSC profile, select Private and then click Save.
5. Click Add New Binding.
6. Under VSC profile, select Guest and then click Save.

Synchronize the MAPs

To update the MAPs with the new VSC definitions, do the following:
1. On the Main Menu, select Default Group.
2. In the right pane, in the Select the action to apply to all listed APs list, choose Synchronize Configuration.
3. Click Apply.
4. Wait for the status light for each MAP to turn green. This indicates that the MAP is fully operational with the new configuration settings.


Chapter 6 WDS scenarios

In this chapter you can find sample deployment strategies for using WDS (wireless distribution system) to wirelessly extend and interconnect networks.

Wireless bridging considerations

Single or dual radios?

A single-radio access point can be configured to simultaneously support wireless clients and the creation of one or more wireless bridges. Although this is an economical solution, it offers reduced throughput since the total available bandwidth is shared between the bridge and the wireless clients.

A more effective solution is to use a dual-radio access point, with one radio dedicated to support wireless client stations and the other used for wireless bridging. Another solution would be to use two single-radio access points, with one servicing wireless clients and the other dedicated to bridging.

Dynamic or static links?

Dynamic WDS (DWDS) enables an access point to automatically find and connect with other access points (nodes) to dynamically create wireless links. While static WDS relies on the knowledge of the peer's MAC address to establish a link, DWDS works with group IDs. The group ID is a number that uniquely identifies nodes that are allowed to connect together. This enables automatic setup of many nodes without manual intervention for quick coverage of large areas with changing configurations.

Static links are best suited for deployments that rarely change, such as building-to-building links, or permanent wireless extensions.

Using 802.11a for WDS

Colubris Networks recommends using 802.11a for wireless bridging whenever possible. This optimizes throughput and reduces the potential for interference because:
- Most Wi-Fi clients support 802.11b or 802.11b/g, therefore most APs are set to operate in the 2.4 GHz band. This frees the 5 GHz (802.11a) band for use in other applications such as WDS.
- 802.11a provides more channels and more non-overlapping channels than 802.11b/g.
- Assuming an optimal implementation, 802.11a supports up to 54 Mbps for data throughput, providing a fat pipe for Point-Point or Point-Multipoint WDS communications.

Keep in mind that there are limitations inherent in using 802.11a, most notably shorter reach when compared to 2.4 GHz-based technology. Even so, 802.11a is a good choice in general for WDS.

Ack distance

This is a global setting that fine-tunes internal timeout settings to account for the distance that a link spans. For normal operation, the ack distance is optimized for links of less than 1 km.

Important: Ack distance is a global setting that applies to all wireless connections made with a radio, not just to wireless links. Therefore, if you are also using a radio to serve local wireless client stations, adjusting this setting may lower the performance for clients with marginal signal strength or when interference is present. (Essentially, it means that if a frame needs to be retransmitted it will take longer before the actual retransmit takes place.)

Scenario 1: RF extension to expand a wired network (static)

Extending a wired network using WDS technology is a quick and effective solution for increasing network coverage.

How it works

In this scenario a corporate network uses three MAP-330s to provide wireless access for employees. MAPs 1 and 2 are installed in locations that are currently served by the backbone network. MAP 3 is deployed in an area without cabling support and uses a static wireless bridge to link with MAP 2.

Each MAP is configured with two VSCs: one supporting 802.1x and one WPA. Both use the corporate RADIUS server to authenticate wireless clients. The corporate DHCP server assigns addresses to all stations, even those on the other side of the wireless bridge.

[Figure: network diagram showing employee workstations, the RADIUS server, DHCP server, corporate network, and three MAPs. One MAP uses a single radio operating in b/g mode; on the two bridged MAPs, Radio 1 operates in b/g mode and Radio 2 operates in a mode to form the wireless bridge to MAP 3.]

Note: For the bridge to be successful, the wireless cells of units 2 and 3 must overlap, and both units must be operating in the same wireless mode and on the same channel.

Configuration road map

Install the MAPs

Install the MAP as described in the quickstart guide.

Switch MAPs to autonomous mode

By default the MAPs are configured to operate in controlled mode. Switch them to autonomous mode as follows:
1. Start the Management Tool and log in.
2. On the home page, click Switch to Autonomous Mode. The MAP will restart.
3. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

Configure the wireless network

For optimum performance, the wireless channel used for the wireless bridge should be different from, and not overlap with, the channel used to support wireless client stations. One effective way to meet this challenge is to use 802.11b/g mode to support wireless clients and 802.11a mode to create the bridge. Radio 2 will be used to create the bridge on units 2 and 3.

Do the following on MAP 2 and MAP 3:

1. Select Wireless > Radios.
2. Under Radio 1:
   - Set Operating mode to Access point only.
   - Set Wireless mode to 802.11b/g.
   - Set Channel to Automatic.
3. Under Radio 2:
   - Set Operating mode to Wireless links only.
   - Set Wireless mode to 802.11a.
   - Set Channel to Channel 44.
   - Set Antenna selection to Main antenna.
4. Click Save.

Enable the wireless bridge

Do the following on MAP 2 and MAP 3:

1. Select Wireless > WDS groups.
2. Under Ack distance, set Radio 2 Ack distance to the distance between MAP 2 and MAP 3.
3. Click WDS Group #1 to edit it.
4. Under Settings, select Enabled.
5. Under Security:
   - Enable the checkbox.
   - Select AES/CCMP.
   - For Key, specify between 8 and 64 ASCII characters. It is recommended that the key be at least 20 characters long and be a mix of letters and numbers.
6. Under Addressing:
   - Select Static WDS.
   - Set Remote MAC address to the address of wireless port 2 on the other MAP.
7. Click Save.
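The key rules in step 5 above (8 to 64 ASCII characters, at least 20 recommended, a mix of letters and numbers) can be checked, and a compliant key generated, before anything is typed into the Management Tool. The following Python sketch is an added example, not part of the Colubris guide; the function names and the distinct-character heuristic are assumptions made here.

```python
import math
import secrets
import string

# Limits the guide gives for a WDS group key.
MIN_LEN, MAX_LEN, RECOMMENDED_LEN = 8, 64, 20
ALPHABET = string.ascii_letters + string.digits  # "mix of letters and numbers"


def check_wds_key(key):
    """Return (errors, warnings) for a candidate WDS key.

    errors   -> the key breaks the 8-64 ASCII character rule
    warnings -> the key is usable but misses a recommendation
    """
    errors, warnings = [], []
    if not (key.isascii() and key.isprintable()):
        errors.append("key must be printable ASCII")
    if not MIN_LEN <= len(key) <= MAX_LEN:
        errors.append(f"length {len(key)} is outside {MIN_LEN}-{MAX_LEN}")
    if len(key) < RECOMMENDED_LEN:
        warnings.append(f"shorter than the recommended {RECOMMENDED_LEN} characters")
    if not (any(c.isalpha() for c in key) and any(c.isdigit() for c in key)):
        warnings.append("not a mix of letters and numbers")
    # Added heuristic (an assumption, not from the guide): a long key built
    # from a handful of repeated symbols is still easy to guess.
    if key and len(set(key)) < min(len(key), 8):
        warnings.append("fewer than 8 distinct characters")
    return errors, warnings


def generate_wds_key(length=32):
    """Generate a random key that satisfies every rule in check_wds_key()."""
    if not RECOMMENDED_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {RECOMMENDED_LEN}-{MAX_LEN}")
    while True:
        # secrets uses the operating system's CSPRNG, unlike random.
        key = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if check_wds_key(key) == ([], []):
            return key


def random_key_entropy_bits(length):
    """Entropy of a key drawn uniformly from ALPHABET, in bits."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    key = generate_wds_key()
    print(f"{len(key)} characters, about {random_key_entropy_bits(len(key)):.0f} bits")
    # Constructed examples of keys an operator might be tempted to use.
    for candidate in ("bridge12", "aaaaaaaaaa1111111111", "warehouse-link-2006"):
        print(candidate, check_wds_key(candidate))
```

The same key has to be entered on both ends of the link, so generate it once and transfer it over a channel other than the wireless network it protects.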

Make performance adjustments

Make performance adjustments to MAP 2 and MAP 3 with the following steps:

1. Select Network > Discovery protocol.
2. Under Discovery protocol settings, select Disabled. (This suppresses the unnecessary generation of CDP packets to improve throughput on the bridge.)
3. Open the Tools > Ping page on one unit and ping the other one to ensure that the bridge is working.
4. Select Status > WDS groups and then click Static link under WDS Group #1.
5. Use the SNR value as a guide to adjust the antennas to obtain the best possible value. A value greater than 20 is good. After each change, allow a minimum of two minutes for Tx Rate to report its new value.

Configure addressing

By default, the MAPs are set to operate as a DHCP client. In the sample topology they are automatically assigned IP addresses by the DHCP server. To make the MAPs easier to manage, however, it may be useful to assign a static IP address to them as follows:

1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static, then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.

Configure the connection to the RADIUS server

1. Select Security > RADIUS.
2. Click Add New Profile.
3. Under Profile Name, enter Corporate.
4. Under Primary RADIUS server, enter the Server address and Secret for the corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.

Configure a VSC

1. Select VSC > Profiles.
2. Click the Colubris Networks profile in order to edit it.
   - Under General, set Name to 8021x.
   - Set WLAN name to 8021x.
   - Clear the Wireless security filters checkbox.
   - Under Wireless protection: Enable the checkbox and select 802.1x. For RADIUS profile, select Corporate. Select RADIUS accounting.

3. Click Add New Profile.
   - Under General, set Name to WPA.
   - Set WLAN name to WPA.
   - Clear the Wireless security filters checkbox.
   - Under Wireless protection: Enable the checkbox and select WPA. For Mode, select WPA (TKIP) or WPA2 (AES/CCMP). For RADIUS profile, select Corporate. Select RADIUS accounting. Select Mandatory authentication.

Scenario 2: Deploying a point-to-point wireless link (static)

This scenario shows you how to use a point-to-point wireless bridge to connect two networks located in different buildings. In many cases, it can be more practical and far less expensive to connect two networks wirelessly than by running cable between them. For example, when:

- the distance between two buildings exceeds Ethernet cabling limits
- an obstacle (body of water, street, public park) separates the two buildings
- the characteristics of one or both buildings preclude adding wires due to safety risks or building code restrictions
- the link is required for a temporary or short-term solution or needs to be deployed quickly

How it works

In this scenario two MAPs are used to wirelessly link the networks in two offices located in neighboring buildings, enabling workers in both offices to share data and resources as if they were on the same network. To maximize signal power, directional antennas are used to establish the connection, which must be line-of-sight.

Single-radio

When using single-radio units with a directional antenna, a local wireless network cannot be created at each office. Instead the MAPs are directly connected to the backbone LANs in each office.

[Figure: two MAPs, one in Building 1 and one in Building 2, each on a LAN with employee workstations, linked by a wireless bridge between their main antennas with the radio operating in 802.11a mode; a RADIUS server and a DHCP server are also shown.]

Dual-radio

With dual-radio units, radio 1 can be used to provide wireless networking, and radio 2 can be used to establish the wireless bridge. Each MAP on radio 1 features two VSCs, one supporting 802.1x and one WPA. Both use the corporate RADIUS server to authenticate wireless clients.

[Figure: MAP 1 in Building 1 and MAP 2 in Building 2, each with radio 1 operating in 802.11b/g mode for employee workstations, linked by a wireless bridge between their main antennas with radio 2 operating in 802.11a mode; a RADIUS server and a DHCP server are also shown.]

Configuration road map: single radio

Install the MAPs

1. Install the MAP as described in the quickstart guide.
2. Attach a directional antenna to the Main radio connector.

Switch MAPs to autonomous mode

By default the MAPs are configured to operate in controlled mode. Switch them to autonomous mode as follows:

1. Start the Management Tool and log in.
2. On the home page, click Switch to Autonomous Mode. The MAP will restart.
3. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

Configure the wireless network

1. Select Wireless > Radio.
2. Under Radio:
   - Set Operating mode to Wireless links only.
   - Set Wireless mode to 802.11a.
   - Set Channel to Channel 44.
   - Set Antenna selection to Main antenna.
3. Click Save.

Configure addressing

By default, the MAPs are set to operate as a DHCP client. In the sample topology they are automatically assigned IP addresses by the DHCP server. To make the MAPs easier to manage, however, it may be useful to assign a static IP address to them as follows:

1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static, then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.

Enable the wireless bridge

Do the following on both MAPs:

1. Select Wireless > WDS groups.
2. Click WDS Group #1 to edit it.
3. Under Ack distance, set Radio 1 Ack distance to the distance between MAP 1 and MAP 2.
4. Under Settings, select Enabled.
5. Under Security:
   - Enable the checkbox.
   - Select AES/CCMP.
   - For Key, specify between 8 and 64 ASCII characters. It is recommended that the key be at least 20 characters long and be a mix of letters and numbers.
6. Under Addressing:
   - Select Static WDS.
   - Set Remote MAC address to the address of wireless port 2 on the other MAP.
7. Click Save.

Make performance adjustments

Make performance adjustments to MAP 2 and MAP 3 with the following steps:

1. Open the Tools > Ping page on one unit and ping the other one to ensure that the bridge is working.
2. Select Status > WDS groups and then click Static link under WDS Group #1.
3. Use the SNR value as a guide to adjust the antennas to obtain the best possible value. A value greater than 20 is good. After each change, allow a minimum of two minutes for Tx Rate to report its new value.

Configuration road map: dual radios

Install the MAPs

1. Install the MAP as described in the quickstart guide.
2. Attach a directional antenna to the Main connector for radio 2.

Switch MAPs to autonomous mode

By default the MAPs are configured to operate in controlled mode. Switch them to autonomous mode as follows:

1. Start the Management Tool and log in.
2. On the home page, click Switch to Autonomous Mode. The MAP will restart.
3. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

Configure the wireless network

For optimum performance, the wireless channel used for the wireless bridge should be different from, and not overlap with, the channel used to support wireless client stations. One effective way to meet this challenge is to use 802.11b/g mode to support wireless clients and 802.11a mode to create the bridge. Radio 2 will be used to create the bridge.

Do the following on both MAPs:

1. Select Wireless > Radios.
2. Under Radio 1:
   - Set Operating mode to Access point only.
   - Set Wireless mode to 802.11b/g.
   - Set Channel to Automatic.
3. Under Radio 2:
   - Set Operating mode to Wireless links only.
   - Set Wireless mode to 802.11a.
   - Set Channel to Channel 44.
   - Set Antenna selection to Main antenna.
4. Click Save.

Configure addressing

By default, the MAPs are set to operate as a DHCP client. In the sample topology they are automatically assigned IP addresses by the DHCP server. To make the MAPs easier to manage, however, it may be useful to assign a static IP address to them as follows:

1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static, then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.

Enable the wireless bridge

Do the following on both MAPs:

1. Select Wireless > WDS groups.
2. Under Ack distance, set Radio 2 Ack distance to the distance between MAP 1 and MAP 2.
3. Click WDS Group #1 to edit it.
4. Under Settings:
   - Select Enabled.
   - For Transmit/receive on, select Radio
5. Under Security:
   - Enable the checkbox.
   - Select AES/CCMP.
   - For Key, specify between 8 and 64 ASCII characters. It is recommended that the key be at least 20 characters long and be a mix of letters and numbers.
6. Under Addressing:
   - Select Static WDS.
   - Set Remote MAC address to the address of wireless port 2 on the other MAP.
7. Click Save.

Make performance adjustments

Make performance adjustments to MAP 2 and MAP 3 with the following steps:

1. Open the Tools > Ping page on one unit and ping the other one to ensure that the bridge is working.
2. Select Status > WDS groups and then click Static link under WDS Group #1.
3. Use the SNR value as a guide to adjust the antennas to obtain the best possible value. A value greater than 20 is good. After each change, allow a minimum of two minutes for Tx Rate to report its new value.

Configure the connection to the RADIUS server

1. Select Security > RADIUS.
2. Click Add New Profile.
3. Under Profile Name, enter Corporate.
4. Under Primary RADIUS server, enter the Server address and Secret for the corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.

Configure a VSC

1. Select VSC > Profiles.
2. Click the Colubris Networks profile in order to edit it.
   - Under General, set Name to 8021x.
   - Set WLAN name to 8021x.
   - Clear the Wireless Security Filters checkbox.

   - Under Wireless protection: Enable the checkbox and select 802.1x. For RADIUS profile, select Corporate. Select RADIUS accounting.
3. Click Add New Profile.
   - Under General, set Name to WPA.
   - Set WLAN name to WPA.
   - Clear the Wireless Security Filters checkbox.
   - Under Wireless protection: Enable the checkbox and select WPA. For Mode, select WPA (TKIP) or WPA2 (AES/CCMP). For RADIUS profile, select Corporate. Select RADIUS accounting. Select Mandatory authentication.

Scenario 3: Setting up multi-hop wireless links (static)

The Colubris WDS implementation can be used to provide repeater-like functionality to extend the distance that a wireless bridging solution can span. When signal loss or excessive distance between the two stations precludes the use of a single hop/high gain directional antenna solution, a multi-hop strategy can be used to deploy the service.

How it works

In this scenario three MAPs are used to create a static wireless link between two buildings that are not within direct line of sight.

[Figure: MAP 1 (Building 1) and MAP 2 (Building 2) each serve employee workstations on radio 1 in 802.11b/g mode and use radio 2 for the bridge; MAP 3 sits between them with both radios operating in 802.11a mode, one link on Channel 44 and the other on Channel 36.]

MAP 3 is within line of sight of both MAP 1 and MAP 2. The two radios on MAP 3 are set to operate on different channels to avoid interference and increase throughput. (Every added WDS link on the same frequency cuts throughput roughly by a factor of two.) This concept can be extended to cover even longer ranges as follows:

[Figure: five MAPs (MAP 1 to MAP 5) chained between Building 1 and Building 2, with successive links alternating between Channel 44 and Channel 36.]

Note: After four hops latency becomes an issue.

Configuration road map

Install the MAPs

1. Install the MAP as described in the quickstart guide.
2. Attach directional antennas to the Main radio connectors as follows:
   - On MAPs 1 and 2, attach to radio 2.
   - On MAP 3, attach to both radio 1 and radio 2.

Switch MAPs to autonomous mode

By default the MAPs are configured to operate in controlled mode. Switch them to autonomous mode as follows:

1. Start the Management Tool and log in.
2. On the home page, click Switch to Autonomous Mode. The MAP will restart.
3. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

Configure the wireless network

For optimum performance, the wireless channel used for the wireless bridge should be different from, and not overlap with, the channel used to support wireless client stations. One effective way to meet this challenge is to use 802.11b/g mode to support wireless clients and 802.11a mode to create the bridge.

MAP 1 and MAP 2 configuration

1. Select Wireless > Radios.
2. Under Radio 1:
   - Set Operating mode to Access point only.
   - Set Wireless mode to 802.11b/g.
   - Set Channel to Automatic.
3. Under Radio 2:
   - Set Operating mode to Wireless links only.
   - Set Wireless mode to 802.11a.
   - On MAP 1, set Channel to Channel 44.
   - On MAP 2, set Channel to Channel 36.
   - Set Antenna selection to Main antenna.
4. Click Save.

MAP 3 configuration

1. Select Wireless > Radios.
2. Under Radio 1:
   - Set Operating mode to Wireless links only.
   - Set Operating mode to 802.11a.
   - Set Channel to Channel 44.
   - Set Antenna selection to Main antenna.

3. Under Radio 2:
   - Set Operating mode to Wireless links only.
   - Set Operating mode to 802.11a.
   - Set Channel to Channel 36.
   - Set Antenna selection to Main antenna.
4. Click Save.

Configure addressing

By default MAPs operate as a DHCP client. In the sample topology they are automatically assigned IP addresses by the DHCP server. To make the MAPs easier to manage, however, it may be useful to assign a static IP address to them as follows:

1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static, then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.

Enable the wireless bridge

MAP 1 and MAP 2 configuration

1. Select Wireless > WDS groups.
2. Click WDS Group #1 to edit it.
3. Under Settings:
   - Select Enabled.
   - For Transmit/receive on, select Radio
4. Under Security:
   - Enable the checkbox.
   - Select AES/CCMP.
   - For Key, specify between 8 and 64 ASCII characters. It is recommended that the key be at least 20 characters long and be a mix of letters and numbers.
5. Under Addressing:
   - Select Static WDS.
   - Set Remote MAC address as follows: On MAP 1, set the MAC address of wireless port 1 on MAP 3. On MAP 2, set the MAC address of wireless port 2 on MAP 3.
6. Click Save.

MAP 3 configuration

1. Select Wireless > WDS groups.
2. Click WDS Group #1 to edit it.
3. Under Settings, select Enabled.

4. Under Security:
   - Enable the checkbox.
   - Select AES/CCMP.
   - For Key, specify between 8 and 64 ASCII characters. It is recommended that the key be at least 20 characters long and be a mix of letters and numbers.
5. Under Addressing:
   - Select Static WDS.
   - Set Remote MAC address to the MAC address of wireless port 2 on MAP
6. Click Save.
7. Click Wireless link #2 to edit it.
8. Under Settings:
   - Select Enabled.
   - For Transmit/receive on, select Radio
9. Under Security:
   - Enable the checkbox.
   - Select AES/CCMP.
   - For Key, specify between 8 and 64 ASCII characters. It is recommended that the key be at least 20 characters long and be a mix of letters and numbers.
10. Under Addressing:
   - Select Static WDS.
   - Set Remote MAC address to the MAC address of wireless port 2 on MAP
11. Click Save.

Make performance adjustments

Use the following steps to make performance adjustments to MAP 1 and MAP 2, and then repeat for MAP 2 and MAP 3.

1. Open the Tools > Ping page on one unit and ping the other one to ensure that the bridge is working.
2. Select Status > WDS groups and then click Static link under WDS Group #1.
3. Use the SNR value as a guide to adjust the antennas to obtain the best possible value. A value greater than 20 is good. After each change, allow a minimum of two minutes for Tx Rate to report its new value.
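A static link in this scenario only comes up when both ends agree on wireless mode, channel, key and each other's MAC address, and the channel and hop-count notes above decide how much throughput and latency the chain delivers. The following Python audit is an added example, not part of the Colubris guide, that checks a planned chain before the values are entered on the units; the data model, function names, keys and MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, replace

MAX_HOPS = 4  # the guide notes that latency becomes an issue after four hops


@dataclass(frozen=True)
class WdsEnd:
    """One end of a static link (hypothetical model of the settings above)."""
    unit: str        # device name, e.g. "MAP 1"
    radio: int       # radio that carries the link
    mode: str        # wireless mode of that radio
    channel: int     # channel of that radio
    local_mac: str   # MAC address of the wireless port used for the link
    remote_mac: str  # value entered as "Remote MAC address"
    security: str    # cipher selected under Security
    key: str         # WDS key (never echoed in findings)


def _mac(value):
    """Normalise a MAC address so 02-AA-.. and 02:aa:.. compare equal."""
    return value.replace("-", ":").lower()


def audit_link(a, b):
    """Return a list of findings for one link between ends a and b."""
    name = f"{a.unit} <-> {b.unit}"
    findings = []
    if a.mode != b.mode:
        findings.append(f"{name}: wireless mode differs ({a.mode} vs {b.mode})")
    if a.channel != b.channel:
        findings.append(f"{name}: channel differs ({a.channel} vs {b.channel})")
    for near, far in ((a, b), (b, a)):
        if _mac(near.remote_mac) != _mac(far.local_mac):
            findings.append(f"{name}: {near.unit} remote MAC does not match "
                            f"{far.unit} radio {far.radio}")
        if near.security != "AES/CCMP":
            findings.append(f"{name}: {near.unit} uses {near.security}, not AES/CCMP")
    if a.key != b.key:
        findings.append(f"{name}: WDS keys differ")
    return findings


def audit_chain(links):
    """Audit an ordered list of (end_a, end_b) hops between two buildings."""
    findings = [f for a, b in links for f in audit_link(a, b)]
    for (_, prev_end), (next_end, _) in zip(links, links[1:]):
        if prev_end.unit != next_end.unit:
            findings.append(f"chain is broken between {prev_end.unit} and {next_end.unit}")
            continue
        if prev_end.radio == next_end.radio:
            findings.append(f"{prev_end.unit}: both hops use radio {prev_end.radio}")
        if prev_end.channel == next_end.channel:
            findings.append(f"{prev_end.unit}: consecutive hops share channel "
                            f"{prev_end.channel}, expect roughly half the throughput")
    if len(links) > MAX_HOPS:
        findings.append(f"{len(links)} hops exceeds {MAX_HOPS}, latency becomes an issue")
    return findings


# Constructed sample data modelled on the three-MAP topology above.
KEY_1 = "constructed-key-for-hop-1-4471"
KEY_2 = "constructed-key-for-hop-2-9035"
GOOD_PLAN = [
    (WdsEnd("MAP 1", 2, "802.11a", 44, "02:00:00:00:01:02", "02:00:00:00:03:01", "AES/CCMP", KEY_1),
     WdsEnd("MAP 3", 1, "802.11a", 44, "02:00:00:00:03:01", "02-00-00-00-01-02", "AES/CCMP", KEY_1)),
    (WdsEnd("MAP 3", 2, "802.11a", 36, "02:00:00:00:03:02", "02:00:00:00:02:02", "AES/CCMP", KEY_2),
     WdsEnd("MAP 2", 2, "802.11a", 36, "02:00:00:00:02:02", "02:00:00:00:03:02", "AES/CCMP", KEY_2)),
]
# Same plan with two mistakes: hop 2 reuses channel 44 and MAP 2 points at the
# wrong wireless port on MAP 3.
BAD_PLAN = [
    GOOD_PLAN[0],
    (replace(GOOD_PLAN[1][0], channel=44),
     replace(GOOD_PLAN[1][1], channel=44, remote_mac="02:00:00:00:03:01")),
]

if __name__ == "__main__":
    for finding in audit_chain(BAD_PLAN):
        print(finding)
```

An empty result from `audit_chain` means the plan is internally consistent; it says nothing about line of sight or SNR, which still have to be verified on site as described above.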

Scenario 4a: Basic dynamic WDS deployment (3000 series)

The Colubris WDS implementation features dynamic links which can be used to automatically configure wireless bridging setups.

How it works

In this scenario several MAP-330s are used to provide wireless networking to a large exhibition hall. To eliminate setup time, and to increase the flexibility of wireless coverage, dynamic wireless bridges are used to link the MAPs to a central MSC. The MAPs are configured as DWDS slave nodes, all with the same DWDS channel ID. This ensures that they all connect to the master, resulting in a single wireless hop for all network traffic.

Three virtual service communities (VSCs) are defined on each device. Each VSC provides support for a different security option: WEP, WPA (with preshared key), and none. To connect with the wireless network, customers must select the SSID of the VSC that matches the option that they want to use and then log in using the public access interface. Roaming is supported, since the same VSCs are defined on all access points.

For optimum performance, the MAPs and the MSC use 802.11b/g mode to support wireless clients and 802.11a mode to create the bridge.

[Figure: a router, firewall, RADIUS server and web server behind the MASTER MSC; SLAVE MAP A, SLAVE MAP B and SLAVE MAP C each connect to the master over a DWDS link and each offers the None, WPA and 8021x VSCs.]

Configuration road map

Install the MAPs and the MSC

Install the MAPs and the MSC as described in their quickstart guides.

Switch MAPs to autonomous mode

By default the MAPs are configured to operate in controlled mode. Switch them to autonomous mode as follows:

1. Start the Management Tool and log in.
2. On the home page, click Switch to Autonomous Mode. The MAP will restart.
3. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

MAP configuration

Configure addressing

By default MAPs operate as a DHCP client. In the sample topology they are automatically assigned IP addresses by the DHCP server on the MSC. To make the MAPs easier to manage, however, it may be useful to assign a static IP address to them as follows:

1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static, then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.
5. Set IP address to x. Replace x with a different number for each MAP.
6. Set Address mask to Set Default gateway to (which is the address of the MSC).

Configure the radios

For optimum performance, the wireless channel used for the wireless bridge should be different from, and not overlap with, the channel used to support wireless client stations. One effective way to meet this challenge is to use 802.11b/g mode to support wireless clients and 802.11a mode to create the bridge.

Configure all MAPs as follows:

1. Select Wireless > Radios.
2. Under Radio 1:
   - Set Operating mode to Access point only.
   - Set Wireless mode to 802.11b/g.
   - Set Channel to Automatic.
3. Under Radio 2:
   - Set Operating mode to Wireless links only.
   - Set Wireless mode to 802.11a.
   - Set Channel to Automatic.
4. Click Save.

Configure the wireless links

Configure all MAPs as follows:

1. Select Wireless > WDS groups.
2. Click WDS Group #1 to edit it.
3. Under Settings:
   - Select Enabled.
   - For Radio, select Radio
4. Under Security:
   - Enable the checkbox.
   - Select AES/CCMP.
   - For Key, specify between 8 and 64 ASCII characters. It is recommended that the key be at least 20 characters long and be a mix of letters and numbers.
5. Under Addressing:
   - Select Dynamic WDS.
   - For DWDS mode, select Slave.
   - Leave DWDS group ID set to the default value of
6. Click Save.

Configure the connection to the MSC on the MAPs

Configure the following on each MAP.

1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
3. In the General box, select the Use Colubris access controller check box.
4. Click Save.

1. Select Security > Access controller.
2. Set the Access controller shared secret to match the secret set on the MSC.
3. Click Save.

Note: By default the MAP is set up to use the default gateway assigned by DHCP as the access controller. Do not change this setting.

Create VSCs on the MAPs

Use the following steps to create three virtual service communities on all MAPs.

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as None.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as None.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WPA.

   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as WPA.
   - Under Wireless protection: Select the checkbox and leave the default setting of WPA. For Mode, select WPA (TKIP) or WPA2 (AES/CCMP). Leave Key source as RADIUS.
6. On the Virtual Service Communities page, click Add new profile.
7. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as 8021x.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as 8021x.
   - Under Wireless protection: Select the checkbox and select 802.1x. Select the Mandatory authentication checkbox. Select the WEP encryption checkbox.

MSC configuration

Configure the Internet port

1. Select Network > Ports > Internet port.
2. Select Static and click Configure.
3. Under Settings: Set IP address to Set Address mask to

Set the shared secret on the MSC

1. Select Public access > Access control.
2. In the Access controller shared secret box, set Shared secret and Confirm shared secret to a unique string. For example: xr2t56. This password will be used by the MAPs to send authentication requests to the MSC.
3. Click Save.

Create a RADIUS profile

1. Select Security > RADIUS.
2. Click Add New Profile.
3. In the Profile name box, assign RADIUS Profile 1 to the new profile.
4. In the Settings box, use the defaults except for Authentication method, which must match the method supported by the RADIUS server.
5. In the Primary RADIUS server box, specify the address of the RADIUS server and the secret the MSC will use to log in.

Create VSCs on the MSC

Use the following steps to create virtual service communities on the MSC that match each VSC you configured on the MAPs:

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as None.
   - Under Virtual AP, enter the WLAN name (SSID) as None.
   - Under HTML-based user logins: Enable RADIUS authentication. For RADIUS profile, select RADIUS Profile 1.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WPA.
   - Under Virtual AP, enter the WLAN name (SSID) as WPA.
   - Under Wireless protection: Select the checkbox and leave the default setting of WPA. For Mode, select WPA (TKIP) or WPA2 (AES/CCMP). Leave Key source as RADIUS. For RADIUS profile, select RADIUS Profile 1.
   - Clear the HTML-based user logins checkbox.
   - Under Access controlled, clear the Redirect HTML users to login page checkbox.
6. On the Virtual Service Communities page, click Add new profile.
7. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as 8021x.
   - Under Virtual AP, enter the WLAN name (SSID) as 8021x.
   - Under Wireless protection: Select the checkbox and select 802.1x. For RADIUS profile, select RADIUS Profile 1. Select the Mandatory authentication checkbox. Select the WEP encryption checkbox.
   - Clear the HTML-based user logins checkbox.
   - Under Access controlled, clear the Redirect HTML users to login page checkbox.

Configure the radios

1. Select Wireless > Radios.

2. Under Radio 1:
   - Set Operating mode to Wireless links only.
   - Set Wireless mode to 802.11a.
   - Set Channel to Automatic.
3. Clear the Radio 2 checkbox.
4. Click Save.

Configure the wireless link

1. Select Wireless > WDS groups.
2. Click WDS Group #1 to edit it.
3. Under Settings:
   - Select Enabled.
   - For Radio, select Radio
4. Under Security:
   - Enable the checkbox.
   - Select AES/CCMP.
   - For Key, specify between 8 and 64 ASCII characters. It is recommended that the key be at least 20 characters long and be a mix of letters and numbers.
5. Under Addressing:
   - Select Dynamic WDS.
   - For DWDS mode, select Master.
6. Click Save.

Scenario 4b: Basic dynamic WDS deployment (5000 series)

This example illustrates how to deploy scenario 4a using a series 5000 MSC.

How it works

In this scenario several MAP-330s are used to provide wireless networking to a large exhibition hall. To eliminate setup time, and to increase the flexibility of wireless coverage, dynamic wireless bridges are used to link the MAPs to a central series 5000 MSC. One MAP functions as the DWDS master and is physically connected to a series 5000 MSC, while the other MAPs are configured as DWDS slave nodes. This ensures that they all connect to the master, resulting in a single wireless hop for all network traffic.

Three virtual service communities (VSCs) are defined on each device. Each VSC provides support for a different security option: WEP, WPA (with preshared key), and none. To connect with the wireless network, customers must select the SSID of the VSC that matches the option that they want to use and then log in using the public access interface. Roaming is supported, since the same VSCs are defined on all access points.

For optimum performance, the MAPs use 802.11b/g mode to support wireless clients and 802.11a mode to create the bridge.

[Figure: a router, firewall, RADIUS server and web server behind the MASTER MAP; SLAVE MAP A, SLAVE MAP B and SLAVE MAP C each connect to the master over a DWDS link and each offers the None, WPA and 8021x VSCs.]

Configuration road map

Install the MAPs and the MSC

Install the MAPs and the MSC as described in their quickstart guides.

Switch MAPs to autonomous mode

By default the MAPs are configured to operate in controlled mode. Switch them to autonomous mode as follows:

1. Start the Management Tool and log in.
2. On the home page, click Switch to Autonomous Mode. The MAP will restart.
3. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

MAP configuration

Configure addressing

By default MAPs operate as a DHCP client. In the sample topology they are automatically assigned IP addresses by the DHCP server on the MSC. To make the MAPs easier to manage, however, it may be useful to assign a static IP address to them as follows:

1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static, then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.
5. Set IP address to x. Replace x with a different number for each MAP.
6. Set Address mask to Set Default gateway to (which is the address of the MSC).

Configure the radios

For optimum performance, the wireless channel used for the wireless bridge should be different from, and not overlap with, the channel used to support wireless client stations. One effective way to meet this challenge is to use 802.11b/g mode to support wireless clients and 802.11a mode to create the bridge.

Configure all MAPs as follows:

1. Select Wireless > Radios.
2. Under Radio 1:
   - Set Operating mode to Access point only.
   - Set Wireless mode to 802.11b/g.
   - Set Channel to Automatic.
3. Under Radio 2:
   - Set Operating mode to Wireless links only.
   - Set Wireless mode to 802.11a.
   - Set Channel to Automatic.
4. Click Save.

Configure the wireless links

Configure all SLAVE MAPs as follows:

1. Select Wireless > WDS groups.
2. Click WDS Group #1 to edit it.
3. Under Settings:
   - Select Enabled.
   - For Radio, select Radio
4. Under Security:
   - Enable the checkbox.
   - Select AES/CCMP.
   - For Key, specify between 8 and 64 ASCII characters. It is recommended that the key be at least 20 characters long and be a mix of letters and numbers.
5. Under Addressing:
   - Select Dynamic WDS.
   - For DWDS mode: On the SLAVE MAPs, select Slave. On the MASTER MAP, select Master.
   - Leave DWDS group ID set to the default value of
6. Click Save.

Configure the connection to the MSC on the MAPs

Configure the following on each MAP.

1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
3. In the General box, select the Use Colubris access controller check box.
4. Click Save.

1. Select Security > Access controller.
2. Set the Access controller shared secret to match the secret set on the MSC.
3. Click Save.

Note: By default the MAP is set up to use the default gateway assigned by DHCP as the access controller. Do not change this setting.

Create VSCs on the MAPs

Use the following steps to create three virtual service communities on all MAPs.

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as None.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as None.
4. On the Virtual Service Communities page, click Add new profile.

5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WPA.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as WPA.
   - Under Wireless protection: Select the checkbox and leave the default setting of WPA. For Mode, select WPA (TKIP) or WPA2 (AES/CCMP). Leave Key source as RADIUS.
6. On the Virtual Service Communities page, click Add new profile.
7. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as 8021x.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as 8021x.
   - Under Wireless protection: Select the checkbox and select 802.1x. Select the Mandatory authentication checkbox. Select the WEP encryption checkbox.

MSC configuration

Configure the Internet port

1. Select Network > Ports > Internet port.
2. Select Static and click Configure.
3. Under Settings: Set IP address to Set Address mask to

Enable the DHCP server

1. Select Network > Address allocation.
2. Select DHCP server and click Configure.
3. Select LAN port. Set the Start to Set End to Set Gateway to Click Save.

Set the shared secret on the MSC

1. Select Public access > Access control.

151

2. In the Access controller shared secret box, set Shared secret and Confirm shared secret to a unique string. For example: xr2t56. This password will be used by the MAPs to send authentication requests to the MSC.
3. Click Save.

Create a RADIUS profile

1. Select Security > RADIUS.
2. Click Add New Profile.
3. In the Profile name box, assign RADIUS Profile 1 to the new profile.
4. In the Settings box, use the defaults except for Authentication method, which must match the method supported by the RADIUS server.
5. In the Primary RADIUS server box, specify the address of the RADIUS server and the secret the MSC will use to log in.

Create VSCs on the MSC

Use the following steps to create virtual service communities on the MSC that match each VSC you configured on the MAPs:

1. On the Main Menu, select VSCs.
2. In the VSC profiles table in the right pane, click the Colubris Networks profile to edit it.
3. Configure settings as follows:
   - Under General, enter the Name as None.
   - Under Virtual AP, enter the WLAN name () as None.
   - Under HTML-based user logins:
     - Enable RADIUS authentication.
     - For RADIUS profile, select RADIUS Profile
4. On the VSC profiles page, click Add new profile.
5. Configure settings as follows:
   - Under General, enter the Name as WPA.
   - Under Virtual AP, enter the WLAN name () as WPA.
   - Under Wireless protection:
     - Select the checkbox and leave the default setting of WPA.
     - For Mode, select WPA (TKIP) or WPA2 (AES/CCMP).
     - Leave Key source as RADIUS.
     - For RADIUS profile, select RADIUS Profile 1.
   - Clear the HTML-based user logins checkbox.
   - Under Access controlled, clear the Redirect HTML users to login page checkbox.
6. On the VSC profiles page, click Add new profile.
7. Configure settings as follows:
   - Under General, enter the Name as 8021x.
   - Under Virtual AP, enter the WLAN name () as 8021x.

152

   - Under Wireless protection:
     - Select the checkbox and select 802.1x.
     - For RADIUS profile, select RADIUS Profile 1.
     - Select the Mandatory authentication checkbox.
     - Select the WEP encryption checkbox.
   - Clear the HTML-based user logins checkbox.
   - Under Access controlled, clear the Redirect HTML users to login page checkbox.

153

Scenario 4c: Dynamic WDS links with load balancing

This scenario adds a second DWDS group to scenario 4a. This scenario illustrates how to use DWDS groups to split traffic.

How it works

In this scenario, MSC 2 is added to support traffic from additional slaves. MSC 2 is also configured as a master node, but with a different DWDS group ID from MSC 1. As slaves are added to the network, traffic can be balanced by setting their DWDS group ID to either 1 or

[Figure: network diagram showing a router, firewall, RADIUS server and web server; MSC 1 and MSC 2 as MASTER nodes; SLAVE MAPs A to E attached over DWDS links in GROUP 1 and GROUP 2, each MAP labelled None, WPA and 8021x.]

Note: The s created on MSC 1 and MSC 2 are the same as in scenario 4a and are not shown in this diagram.

Configuration road map

Important: Start with the configuration defined in Scenario 4a.

Install and configure MAP D and MAP E

Install and configure MAP D and MAP E with the same settings used for the MAPs in scenario 4a with the following difference: when configuring the wireless links, change the DWDS group ID from its default setting of 1 to

154

Install and configure MSC 2

Install and configure MSC 2 with the same settings used for MSC 1 in scenario 4a, with the following difference: when configuring the wireless links, change the DWDS group ID from its default setting of 1 to

155

Scenario 5: Creating a self-healing network

This scenario illustrates how to use DWDS to deploy a wireless infrastructure that can automatically adjust to network changes.

How it works

In this scenario, an MSC is deployed with several MAP-330s to provide wireless coverage. The MSC is configured as the master node and the MAPs are all configured as alternate master nodes. The links between the nodes are automatically established, based on a balance between SNR (signal to noise ratio) and hops, to provide the most efficient network topology. If a node becomes unavailable, the DWDS links will automatically adjust to find the optimum path to the master.

[Figure, two panels: "Initial network configuration is automatically established" and "When MAP B is unavailable, the network dynamically reconfigures itself". Each panel shows a router, firewall, RADIUS server and web server, the MASTER MSC, and ALTERNATE MASTER MAPs A to E.]

156

For optimum performance, the MAPs use b/g mode on radio 1 to support wireless clients and a mode on radio 2 to create the bridge.

[Figure: a MAP labelled None, WPA and 8021x.]

Configuration road map

Install the MAPs

Install the MAP as described in the quickstart guide.

Switch MAPs to autonomous mode

By default the MAPs are configured to operate in controlled mode. Switch them to autonomous mode as follows:

1. Start the Management Tool and log in.
2. On the home click Switch to Autonomous Mode. The MAP will restart.
3. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

MAP configuration

Configure addressing

By default MAPs operate as a DHCP client. In the sample topology they are automatically assigned IP addresses by the DHCP server on the MSC. To make the MAPs easier to manage, however, it may be useful to assign a static IP address to them as follows:

1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.
5. Set IP address to x. Replace x with a different number for each MAP.
6. Set Address mask to
7. Set Default gateway to (which is the address of the MSC).

Configure the radios

Configure all MAPs as follows:

1. Select Wireless > Radios.
2. Under Radio 1:
   - Set Operating mode to Access point only.
   - Set Wireless mode to b g

157

   - Set Channel to Automatic.
3. Under Radio 2:
   - Set Operating mode to Wireless links only.
   - Set Wireless mode to a.
   - Set Channel to Automatic.
4. Click Save.

Configure the wireless links

Configure all MAPs as follows:

1. Select Wireless > WDS groups.
2. Click WDS Group #1 to edit it.
3. Under Settings:
   - Select Enabled.
   - For Radio, select Radio
4. Under Security:
   - Enable the checkbox.
   - Select AES/CCMP.
   - For Key, specify between 8 and 64 ASCII characters. It is recommended that the key be at least 20 characters long and be a mix of letters and numbers.
5. Under Addressing, select Dynamic WDS.
   - For DWDS mode, select Alternate Master.
   - For DWDS group ID, leave the default setting of
6. Click Save.

Configure the connection to the MSC on the MAPs

Configure the following on each MAP.

1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
3. In the General box, select the Use Colubris access controller check box.
4. Click Save.

1. Select Security > Access controller.
2. Set the Access controller shared secret to match the secret set on the MSC.
3. Click Save.

Note: By default the MAP is set up to use the default gateway assigned by DHCP as the access controller. Do not change this setting.

Create VSCs on the MAPs

Use the following steps to create three virtual service communities on all MAPs.

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.

158

3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as None.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name () as None.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WPA.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name () as WPA.
   - Under Wireless protection:
     - Select the checkbox and leave the default setting of WPA.
     - For Mode, select WPA (TKIP) or WPA2 (AES/CCMP).
     - Leave Key source as RADIUS.
6. On the Virtual Service Communities page, click Add new profile.
7. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as 8021x.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name () as 8021x.
   - Under Wireless protection:
     - Select the checkbox and select 802.1x.
     - Select the Mandatory authentication checkbox.
     - Select the WEP encryption checkbox.

MSC configuration

Configure the Internet port

1. Select Network > Ports > Internet port.
2. Select Static and click Configure.
3. Under Settings:
   - Set IP address to
   - Set Address mask to

Set the shared secret on the MSC

1. Select Public access > Access control.
2. In the Access controller shared secret box, set Shared secret and Confirm shared secret to a unique string. For example: xr2t56. This password will be used by the MAPs to send authentication requests to the MSC.
3. Click Save.

159

Create a RADIUS profile

1. Select Security > RADIUS.
2. Click Add New Profile.
3. In the Profile name box, assign RADIUS Profile 1 to the new profile.
4. In the Settings box, use the defaults except for Authentication method, which must match the method supported by the RADIUS server.
5. In the Primary RADIUS server box, specify the address of the RADIUS server and the secret the MSC will use to log in.

Create VSCs on the MSC

Use the following steps to create virtual service communities on the MSC that match each VSC you configured on the MAPs:

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as None.
   - Under Virtual AP, enter the WLAN name () as None.
   - Under HTML-based user logins:
     - Enable RADIUS authentication.
     - For RADIUS profile, select RADIUS Profile
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WPA.
   - Under Virtual AP, enter the WLAN name () as WPA.
   - Under Wireless protection:
     - Select the checkbox and leave the default setting of WPA.
     - For Mode, select WPA (TKIP) or WPA2 (AES/CCMP).
     - Leave Key source as RADIUS.
     - For RADIUS profile, select RADIUS Profile 1.
   - Clear the HTML-based user logins checkbox.
   - Under Access controlled, clear the Redirect HTML users to login page checkbox.
6. On the Virtual Service Communities page, click Add new profile.
7. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as 8021x.
   - Under Virtual AP, enter the WLAN name () as 8021x.

160

   - Under Wireless protection:
     - Select the checkbox and select 802.1x.
     - For RADIUS profile, select RADIUS Profile 1.
     - Select the Mandatory authentication checkbox.
     - Select the WEP encryption checkbox.
   - Clear the HTML-based user logins checkbox.
   - Under Access controlled, clear the Redirect HTML users to login page checkbox.

Configure the radios

1. Select Wireless > Radios.
2. Under Radio 1:
   - Set Operating mode to Access point only.
   - Set Wireless mode to a.
   - Set Channel to Automatic.
3. Clear the Radio 2 checkbox.
4. Click Save.

Configure the wireless link

1. Select Wireless > WDS groups.
2. Click WDS Group #1 to edit it.
3. Under Settings:
   - Select Enabled.
   - For Radio, select Radio
4. Under Security:
   - Enable the checkbox.
   - Select AES/CCMP.
   - For Key, specify between 8 and 64 ASCII characters. It is recommended that the key be at least 20 characters long and be a mix of letters and numbers.
5. Under Addressing, select Dynamic WDS.
   - For DWDS mode, select Master.
   - For DWDS group ID, leave the default setting of
6. Click Save.

161

Chapter 7 Configuring DHCP servers to use Colubris vendor classes

In this chapter you can find information about how to configure the following DHCP servers to use the Colubris vendor-specific class:

- Windows Server 2003 on page 162
- ISC DHCP server on page 166

A vendor class allows certain devices to request specific information from a Dynamic Host Configuration Protocol server. Specifically, the Colubris Networks vendor class enables you to define a list of available InMotion MultiService Controllers (MSCs) to which InReach MultiService Access Points (MAPs) can connect.

When DHCP clients send the Colubris vendor class identifier in a DHCP request, a properly configured DHCP server returns the Colubris-specific options defined on the server. These values are returned as DHCP option 43 vendor-specific information and can be interpreted only by a Colubris Networks device.

Note: You must configure the Colubris vendor class only on the DHCP server. You do not need to configure the Colubris vendor class on the MSCs or the MAPs.

162

Windows Server 2003

This section shows you how to configure a Windows 2003 DHCP server to use the Colubris Networks vendor class. The following procedure assumes that you have a Windows 2003 Server that has a DHCP server configured and running. For more information see Configuring Options and Classes on Windows Server at 42b21828dc mspx

Creating the vendor class

Use the following steps to create the Colubris vendor class on the DHCP server.

1. Select Start > Settings > Control Panel > Administrative Tools > DHCP. The DHCP administration page opens.
2. On the DHCP administration page in the navigation pane at left, select the name of the DHCP server to manage, and then select Action > Define Vendor Classes. The DHCP Vendor Classes page opens. Several default Microsoft vendor classes are preconfigured.

163

3. On the DHCP Vendor Classes page, click Add. The New Class page opens.
4. On the New Class page:
   - Under Display name, enter Colubris.
   - Under Description, enter any desired descriptive information for this vendor class.
   - Click under ASCII and enter Colubris-AP.
   - Click OK.
5. The New Class page closes, and you return to the DHCP Vendor Classes page. To close the DHCP Vendor Classes page and return to the DHCP administration page, click Close.

164

Defining vendor class options

Use the following steps to define Colubris vendor class options on the DHCP server.

1. On the DHCP administration page, select Action > Set Predefined Options. From the Option class drop-down menu, select Colubris, and then click Add. The Option Type page appears.
2. On the Option Type page:
   - Under Name, enter MSC.
   - Under Data type, select IP Address and enable the Array checkbox.
   - Under Code, enter 1.
   - Under Description, enter List of MSC IP addresses.
3. Click OK to close the Option Type page, and then click OK again to return to the DHCP administration page.

Applying the vendor class

After you define the Colubris vendor class and its options, you can apply the class to specific Scopes or to the entire DHCP server. You must define the Colubris vendor class for every Scope from which a MAP can get an address.

Use the following steps to add the Colubris vendor-specific option to one Scope on the DHCP server.

1. On the DHCP administration page, in the navigation pane, open the folder that corresponds to the desired Scope.
2. Right-click Scope Options, and from the resulting menu select Configure Options. The Scope Options page appears. Select the Advanced tab.

165

3. On the Advanced tab, configure the following:
   - From the Vendor class drop-down menu, select Colubris.
   - Under Available options, enable the 001 MSC checkbox.
   - Under IP address, enter the IP address of the primary MSC in your network and click Add.
   - Continue to build a list by entering the IP addresses of all MSCs in your network, in descending order of importance.
   - Click OK.
4. The MSC IP addresses now appear on the DHCP administration page under Scope Options. When a MAP requests an IP address, these addresses are returned in a DHCP Ack message as option 43.

Note: For information about solving problems, see Troubleshooting on page

166

ISC DHCP server

This section shows you how to configure a Linux machine running an Internet Systems Consortium (ISC) DHCP server to use the Colubris Networks vendor class. The procedure assumes that you have a Linux or Unix server that is running the ISC DHCP server. For more information see the Linux Documentation Project's DHCP mini-howto at

You configure the ISC DHCP server by editing its configuration file; specifically, the main configuration file, /etc/dhcpd.conf. Following is a simple example of the /etc/dhcpd.conf configuration file:

    # dhcpd.conf
    ddns-update-style ad-hoc;
    option domain-name "colubris.com";
    option domain-name-servers ;
    default-lease-time 3600;
    subnet netmask {
        range ;
        option routers ;
        option subnet-mask ;
        option broadcast-address ;
    }
    subnet netmask {
        range ;
        option routers ;
        option subnet-mask ;
        option broadcast-address ;
    }

This sample file defines some general options to apply to all clients, as well as two DHCP Scopes x and x.

You must add lines to the dhcpd.conf file to define the following for the ISC server:

- What the Colubris vendor class identifier looks like
- What to return to the client when it sees that identifier

The following explains the changes that you must make to this sample file and the function of each added line.

Create an option space called Colubris and define a variable called msc-address within the space by adding the following lines.

    option space Colubris;
    option Colubris.msc-address code 1 = array of ip-address;

Tell the server what to do when the client sends the vendor class identifier Colubris-AP by adding the following lines. In this case you want the server to return the options defined in the Colubris space that was created in the first step. Using the vendor-option-space command tells the server to return these values using DHCP option 43.

    if option vendor-class-identifier = "Colubris-AP" {
        vendor-option-space Colubris;
    }

167

Specify the MSC IP addresses to return to the client by adding the following lines, where and are the specific IP addresses that you want returned. You can define this option globally or in one or more Scopes. You must define this option on all subnets from which a MAP can potentially get an IP address. In this example only clients on the x subnet get this option.

    option Colubris.msc-address , ;

Following is a revised sample configuration file that contains these additions, which appear in bold:

    # dhcpd.conf
    ddns-update-style ad-hoc;
    option domain-name "colubris.com";
    option domain-name-servers ;
    default-lease-time 3600;
    option space Colubris;
    option Colubris.msc-address code 1 = array of ip-address;
    if option vendor-class-identifier = "Colubris-AP" {
        vendor-option-space Colubris;
    }
    subnet netmask {
        range ;
        option routers ;
        option subnet-mask ;
        option broadcast-address ;
        option Colubris.msc-address , ;
    }
    subnet netmask {
        range ;
        option routers ;
        option subnet-mask ;
        option broadcast-address ;
    }

168

Troubleshooting

This section shows an Ethereal trace of a DHCP transaction, with the frames edited for readability. Four frames must be exchanged between the client and the server:

1. Client sends a DHCP-Discover
2. Server sends a DHCP-Offer
3. Client sends a DHCP-Request
4. Server sends a DHCP-Ack

The client sends its vendor class identifier in the DHCP-Request frame. The DHCP field of Frame 3 is expanded below.

The server sends the MSC addresses encapsulated as option 43 in the DHCP-Ack frame. Unfortunately the only way to decode these values is to look at the hexadecimal data. In this case the server returned the following 10 bytes:

    2b 0a ac ac

which can be decoded as shown in the following table.

    Segment   Value   Description
    2b        43      DHCP option 43
    0a        10      Field is 10 bytes long
                      Colubris option code 1 as defined in the DHCP server
                      Option code 1 is 8 bytes long
    ac ac             MSC IP addresses to return to the client

Frame 1 - DHCP-Discover

    Frame 1 (346 bytes on wire, 346 bytes captured)
    Ethernet II, Src: Colubris_01:5f:05 (00:03:52:01:5f:05), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    802.1Q Virtual LAN
    Internet Protocol, Src: ( ), Dst: ( )
    User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
    Bootstrap Protocol

Frame 2 - DHCP-Offer

    Frame 2 (346 bytes on wire, 346 bytes captured)
    Ethernet II, Src: Cisco_23:0e:80 (00:0d:bc:23:0e:80), Dst: Colubris_01:5f:05 (00:03:52:01:5f:05)
    802.1Q Virtual LAN
    Internet Protocol, Src: ( ), Dst: ( )
    User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68)
    Bootstrap Protocol

169

Frame 3 - DHCP-Request

    Frame 3 (346 bytes on wire, 346 bytes captured)
    Ethernet II, Src: Colubris_01:5f:05 (00:03:52:01:5f:05), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    802.1Q Virtual LAN
    Internet Protocol, Src: ( ), Dst: ( )
    User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
    Bootstrap Protocol
        Message type: Boot Request (1)
        Hardware type: Ethernet
        Hardware address length: 6
        Hops: 0
        Transaction ID: 0x4262bc18
        Seconds elapsed: 0
        Bootp flags: 0x0000 (Unicast)
        Client IP address: ( )
        Your (client) IP address: ( )
        Next server IP address: ( )
        Relay agent IP address: ( )
        Client MAC address: Colubris_01:5f:05 (00:03:52:01:5f:05)
        Server host name not given
        Boot file name not given
        Magic cookie: (OK)
        Option 53: DHCP Message Type = DHCP Request
        Option 54: Server Identifier =
        Option 50: Requested IP Address =
        Option 60: Vendor class identifier = "Colubris-AP"
        Option 12: Host Name = "R "
        Option 55: Parameter Request List
        End Option
        Padding

Frame 4 - DHCP-Ack

    Frame 4 (358 bytes on wire, 358 bytes captured)
    Ethernet II, Src: Cisco_23:0e:80 (00:0d:bc:23:0e:80), Dst: Colubris_01:5f:05 (00:03:52:01:5f:05)
    802.1Q Virtual LAN
    Internet Protocol, Src: ( ), Dst: ( )
    User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68)
    Bootstrap Protocol
        Message type: Boot Reply (2)
        Hardware type: Ethernet
        Hardware address length: 6
        Hops: 0
        Transaction ID: 0x4262bc18
        Seconds elapsed: 0
        Bootp flags: 0x0000 (Unicast)
        Client IP address: ( )
        Your (client) IP address: ( )
        Next server IP address: ( )
        Relay agent IP address: ( )
        Client MAC address: Colubris_01:5f:05 (00:03:52:01:5f:05)
        Server host name not given
        Boot file name not given
        Magic cookie: (OK)
        Option 53: DHCP Message Type = DHCP ACK
        Option 58: Renewal Time Value = 12 hours
        Option 59: Rebinding Time Value = 21 hours
        Option 51: IP Address Lease Time = 1 day
        Option 54: Server Identifier =
        Option 1: Subnet Mask =
        Option 3: Router =
        Option 15: Domain Name = "mgorr.local"
        Option 6: Domain Name Server =
        Option 43: Vendor-Specific Information (10 bytes)
        End Option
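An added example, not part of the Colubris guide: a Python decoder for the option 43 layout described in the Troubleshooting table (option 43, length, Colubris code 1, list of IPv4 addresses), with the matching encoder so a captured DHCP-Ack can be compared against what the server was configured to send. The function names are hypothetical and the two MSC addresses are constructed sample values, since the addresses in the trace are not legible.

```python
import ipaddress

OPT_VENDOR_SPECIFIC = 43          # DHCP option 43, vendor-specific information
SUBOPT_MSC = 1                    # Colubris option code 1: array of MSC IP addresses
SUBOPT_PAD, SUBOPT_END = 0, 255   # keep their RFC 2132 meaning inside option 43


class Option43Error(ValueError):
    """The option bytes are truncated or internally inconsistent."""


def encode_msc_option(msc_addresses):
    """Return the option 43 bytes a server would send for this MSC list."""
    packed = b"".join(ipaddress.IPv4Address(a).packed for a in msc_addresses)
    if not packed or len(packed) > 252:
        raise Option43Error("need between 1 and 63 MSC addresses")
    sub = bytes([SUBOPT_MSC, len(packed)]) + packed
    return bytes([OPT_VENDOR_SPECIFIC, len(sub)]) + sub


def decode_msc_option(raw):
    """Return the MSC addresses, in server order, from raw option 43 bytes."""
    if len(raw) < 2 or raw[0] != OPT_VENDOR_SPECIFIC:
        raise Option43Error("not a DHCP option 43")
    body = raw[2:2 + raw[1]]
    if len(body) != raw[1]:
        raise Option43Error("option 43 is shorter than its length byte says")
    mscs, pos = [], 0
    while pos < len(body):
        code = body[pos]
        if code == SUBOPT_PAD:        # single pad byte, no length field
            pos += 1
            continue
        if code == SUBOPT_END:        # end of the encapsulated options
            break
        if pos + 2 > len(body):
            raise Option43Error("sub-option header truncated")
        length = body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise Option43Error("sub-option %d overruns option 43" % code)
        if code == SUBOPT_MSC:
            if length == 0 or length % 4:
                raise Option43Error("MSC list is not a whole number of IPv4 addresses")
            mscs += [str(ipaddress.IPv4Address(value[i:i + 4]))
                     for i in range(0, length, 4)]
        pos += 2 + length             # unknown sub-options are skipped, not rejected
    return mscs


# Constructed sample with the same shape as the trace on this page
# (2b 0a, code 1, 8 bytes, two addresses beginning with ac); the
# addresses themselves are made up for the example.
SAMPLE_ACK_OPTION = bytes.fromhex("2b0a0108ac10000aac10000b")

if __name__ == "__main__":
    print(decode_msc_option(SAMPLE_ACK_OPTION))
```

A decoded list that differs from the addresses configured on the DHCP server, or that arrives in a different order, is worth investigating, because the MAPs use this list to choose their controller.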


171

Chapter 8 Configuring a legal intercept

This chapter explains how to configure a legal intercept using a Colubris Networks MSC-3000 or MSC-5000 series MultiService Controller.

Wiretapping, of which legal intercept is a part, comprises three steps:

- Capture: Collecting a superset of information that contains the subset of what is desired.
- Filtering: Extracting the subset of desired information from the superset of information.
- Delivery: Transmitting the desired information to those who want it.

Legal intercept involves both capture and filtering activities. Colubris provides two methods of legal interception, which are described as follows:

- Redirecting traffic into a GRE tunnel on page 172
- Limiting NAT port range and tracking activity in the syslog on page 180

172

Redirecting traffic into a GRE tunnel

This section gives a sample configuration that shows you how to use the Colubris legal intercept feature on Colubris MultiService Controllers (MSCs) to route user traffic through a GRE tunnel. GRE standards are described in RFCs 1701 and

GRE tunnels on this MSC configuration interface are for IP tunneling and are compatible with third-party equipment. Their purpose is to provide a tunnel to another network; for example, to direct VSC traffic to a central site using the egress function of the VSC or for legal interception, by sending only the traffic of a particular user over the tunnel.

Overview of configuration steps

In addition to a Colubris Networks MSC, this scenario requires a RADIUS server to process user login requests. In summary, you can redirect traffic into a GRE tunnel for legal intercept by using the following high-level steps:

1. On the MSC
   - Define a RADIUS profile
   - Define a GRE tunnel
   - Reboot
   - Configure a virtual service community
2. On the RADIUS server
   - Add Colubris-Intercept attribute to the RADIUS dictionary
   - Create a RADIUS user account

The following sections walk you through detailed steps for a sample legal intercept configuration scenario.

173

Configuring the MSC

Use the following steps to configure the MSC as required for this scenario.

Note: The sample scenario shows screen shots from the MSC-5100; however, you can perform this procedure on any Colubris Networks MultiService Controller. In the left pane of 5000 series MSC, ensure that Service Controller remains selected, as shown in this scenario. This is not an issue for 3000 series MSCs.

Define a RADIUS profile

Use the following steps to define a RADIUS profile to use for the implementation of legal intercept. In this example the RADIUS profile is named Colubris RADIUS.

1. Select Security > RADIUS.
2. The RADIUS profiles page opens. Click Add new profile.
3. The RADIUS Profile page opens.
   - Under Profile name, enter a name for this RADIUS profile; for example, Colubris RADIUS.
   - Under Settings, you can retain the default values unless your network configuration requires otherwise.
   - Under Primary RADIUS server, for Server address, enter the IP address of the appropriate RADIUS server in standard notation; for example,
   - You can optionally enable the Alias address checkbox in order to enter a second IP address for the Primary RADIUS server. The MSC accepts responses from the server that originate at this address, as well as at the Server address. The MSC always communicates with the server using the address specified for Server address.
   - Under Secret, enter the password used for authentication with the selected RADIUS server; for example, colubris.
   - Under Confirm Secret, reenter the correct password.

174

   - Under Secondary RADIUS server and Authentication realms, you can retain the default values.
4. Click Save.

175

Define a GRE tunnel

Use the following steps to define a GRE profile to use for the implementation of legal intercept. In this example the GRE profile is named My_GRE_Tunnel.

1. Select Network > Ports.
2. Under GRE tunnels configuration, click Add new GRE tunnel. The GRE - Add/Edit tunnel page opens.
3. On the GRE - Add/Edit tunnel page under Tunnel settings:
   - For Name, enter a name for this profile; for example, My_GRE_Tunnel.
   - For Local tunnel IP address, enter the IP address of the MSC inside the tunnel in standard notation; for example,
   - For Remote tunnel IP address, enter the IP address of the remote device inside the tunnel in standard notation; for example,
   - For Tunnel IP mask, enter the mask associated with the IP addresses inside the tunnel in standard notation; for example,
   - For GRE peer IP address, use standard notation to enter the IP address of the remote device that terminates the tunnel; for example,
4. Click Save.

Reboot

You must reboot the MSC in order for the legal intercept to work properly with the newly defined GRE tunnel. You must reboot every time that you create a new GRE tunnel.

176

Configure a virtual service community

Use the following steps to configure a virtual service community (VSC) to use for legal intercept. In this example the VSC is named Legal_Intercept.

Series 3000 MSCs

1. Select VSC > Profiles.
2. The Virtual service communities page opens. Click Add new profile.
3. The Add/Edit Virtual Service Community page opens, similar to the figure shown on page 177.

Series 5000 MSCs

1. On the Main Menu, select VSCs.
2. In the VSC profiles table in the right pane, click Add new profile.
3. The VSC profile page opens, as shown on page
4. Configure settings as follows:
   - Under General, for Name, enter a name for this profile; for example, Legal_Intercept.
   - Under Virtual AP, for WLAN name (), enter a service set identifier for this profile; for example, Legal_Intercept.
   - Under VSC egress mapping, for the desired Traffic type, select a Map to value that corresponds to the GRE tunnel that you configured earlier. For example, for a Traffic type of Intercepted, select My_GRE_Tunnel.
   - Under HTML-based user logins, select the RADIUS authentication checkbox. The RADIUS profile parameter appears.
   - Under RADIUS profile, select the RADIUS profile that you configured earlier. In this example that value is Colubris RADIUS.
5. Click Save.


Configuring your RADIUS server

On your RADIUS server, define user accounts to include the Colubris-Intercept=1 attribute. This attribute is used in the RADIUS Access Accept message for user login to enforce legal interception of traffic.

Add Colubris-Intercept attribute to the RADIUS dictionary

In your RADIUS server's dictionary, you must define the Colubris attribute Colubris-Intercept. All Colubris attributes are identified by the vendor code. Your RADIUS dictionary may already support Colubris-AVPairs (Type 0), but Colubris-Intercept must be Type 1.

This section provides some guidelines for adding this attribute to your RADIUS server's dictionary; however, consult with your RADIUS vendor on the exact procedure and syntax needed.

For example, for Funk's Steel-Belted Radius, you can define Colubris attributes as follows:

    ATTRIBUTE Colubris-AVPAIR 26 [vid=8744 type1=0 len1=+2 data=string] RO
    ATTRIBUTE Colubris-Intercept 26 [vid=8744 type1=1 len1=+2 data=integer] RO

For FreeRADIUS, you can define Colubris attributes as follows:

    VENDOR Colubris 8744
    ATTRIBUTE Colubris-AVPair 0 string Colubris
    ATTRIBUTE Colubris-Intercept 1 integer Colubris

Create a RADIUS user account

Define a RADIUS user account on your RADIUS server that includes the following attribute:

    Colubris-Intercept=1

Testing your legal intercept configuration

When you log in to the user account where the Colubris-Intercept=1 attribute is set, all traffic for that user account is redirected into the GRE tunnel that you defined in this scenario. You can use one or both of the following methods to verify that this is the case:

- Check the syslog by issuing the CLI command logging filter with the debug option. Confirm that traffic is now destined for the GRE tunnel by examining the appropriate log messages.
- Run a network trace on the Internet port using the filter ip proto 47 in order to view GRE trace entries. Use Ethereal to view GRE source and destination IP details in order to determine if the traffic is going inside the GRE tunnel. You can run a network trace from the MSC's Management Tool interface by selecting Tools > Network trace. For complete information see the administrator's guide for your MSC
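The dictionary entries above determine how Colubris-Intercept appears on the wire: a RADIUS Vendor-Specific attribute (type 26) carrying vendor code 8744, vendor type 1 and a 4-byte integer. The Python sketch below is an added example, not part of the Colubris guide; it encodes that attribute and checks an Access-Accept for it, which helps when confirming in a packet trace what your RADIUS server actually returns. The sample packets, the zeroed authenticator and the AVPair string are constructed for illustration.

```python
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_REPLY_MESSAGE = 18
ATTR_VENDOR_SPECIFIC = 26      # RFC 2865, section 5.26
COLUBRIS_VENDOR_ID = 8744      # "vid=8744" / "VENDOR Colubris 8744" in the dictionaries
COLUBRIS_AVPAIR = 0            # string
COLUBRIS_INTERCEPT = 1         # integer


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute holding a single vendor sub-attribute."""
    # "len1=+2": the vendor length counts its own 2-byte type/length header.
    sub = bytes([vendor_type, len(value) + 2]) + value
    body = struct.pack("!I", vendor_id) + sub
    if len(body) + 2 > 255:
        raise ValueError("attribute does not fit in one RADIUS attribute")
    return bytes([ATTR_VENDOR_SPECIFIC, len(body) + 2]) + body


def build_access_accept(identifier, attributes):
    """Assemble an Access-Accept. The authenticator is zeroed (constructed sample)."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + bytes(16) + attrs


def iter_attributes(packet):
    """Yield (type, value) for every attribute; raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field does not match the captured bytes")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def iter_colubris(packet):
    """Yield (vendor_type, data) for each Colubris sub-attribute in the packet."""
    for atype, value in iter_attributes(packet):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != COLUBRIS_VENDOR_ID:
            continue  # another vendor's VSA
        sub, pos = value[4:], 0
        while pos < len(sub):  # one VSA may carry several sub-attributes
            if pos + 2 > len(sub):
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = sub[pos], sub[pos + 1]
            if vlen < 2 or pos + vlen > len(sub):
                raise ValueError("vendor sub-attribute length out of bounds")
            yield vtype, sub[pos + 2:pos + vlen]
            pos += vlen


def intercept_enabled(packet):
    """True if the packet carries Colubris-Intercept with the value 1."""
    for vtype, data in iter_colubris(packet):
        if vtype == COLUBRIS_INTERCEPT:
            if len(data) != 4:
                raise ValueError("Colubris-Intercept must be a 4-byte integer")
            return struct.unpack("!I", data)[0] == 1
    return False


# Constructed samples: one account with the attribute set, one without it.
INTERCEPT_VSA = encode_vsa(COLUBRIS_VENDOR_ID, COLUBRIS_INTERCEPT, struct.pack("!I", 1))
AVPAIR_VSA = encode_vsa(COLUBRIS_VENDOR_ID, COLUBRIS_AVPAIR, b"constructed-example=1")
REPLY = bytes([ATTR_REPLY_MESSAGE, 4]) + b"ok"
SAMPLE_WITH_INTERCEPT = build_access_accept(7, [REPLY, AVPAIR_VSA, INTERCEPT_VSA])
SAMPLE_WITHOUT_INTERCEPT = build_access_accept(8, [REPLY, AVPAIR_VSA])

if __name__ == "__main__":
    print("Colubris-Intercept on the wire:", INTERCEPT_VSA.hex())
    print("with attribute   :", intercept_enabled(SAMPLE_WITH_INTERCEPT))
    print("without attribute:", intercept_enabled(SAMPLE_WITHOUT_INTERCEPT))
```

If the type is defined as 0 instead of 1, or the data type as string instead of integer, the bytes after the vendor code differ from those shown here, which is the mismatch to look for in a trace.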


Limiting NAT port range and tracking activity in the syslog

This section shows you how to implement the Colubris legal intercept feature by limiting NAT port range on an MSC. This method enables you to restrict a logged-in user to an assigned source port range. You can then check the syslog to see which source ports are used for each user. The MSC does not track the information that the user sends or receives.

Use the following steps to limit NAT port range. When this option is enabled, the MSC reserves a range of 50 TCP and 50 UDP ports for each customer starting at port 5000 and maps all outgoing traffic for the customer within the range.

Note: Enabling this feature affects only outgoing TCP/UDP traffic. Applications that set an incoming port may select a port that is outside of the allocated port range, for example, Active FTP.

1. For series 5000 MSCs, in the left pane select Service Controller.
2. Select Network > Ports.
3. Under Port configuration, click the Internet port hyperlink. The Internet port configuration page opens.
4. Under Network address translation (NAT), enable the Limit NAT port range checkbox.
5. Click Save.

Note: If you enable this feature, do not assign static NAT mappings in the range 5000 to


More information

Wireless Access Point

Wireless Access Point 802.11g / 802.11b / WPA Wireless Access Point User's Guide TABLE OF CONTENTS CHAPTER 1 INTRODUCTION... 1 Features of your Wireless Access Point... 1 Package Contents... 4 Physical Details... 4 CHAPTER

More information

Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1

Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1 Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1 Last revised: February 1, 2008 Contents Overview section on page 1 Configuring Guest Access on the Cisco Wireless

More information

A Division of Cisco Systems, Inc. GHz g. Wireless-G. USB Network Adapter. User Guide WIRELESS WUSB54G. Model No.

A Division of Cisco Systems, Inc. GHz g. Wireless-G. USB Network Adapter. User Guide WIRELESS WUSB54G. Model No. A Division of Cisco Systems, Inc. GHz 2.4 802.11g WIRELESS Wireless-G USB Network Adapter User Guide Model No. WUSB54G Copyright and Trademarks Specifications are subject to change without notice. Linksys

More information

Management Software AT-S79. User s Guide. For use with the AT-GS950/16 and AT-GS950/24 Smart Switches. Version Rev.

Management Software AT-S79. User s Guide. For use with the AT-GS950/16 and AT-GS950/24 Smart Switches. Version Rev. Management Software AT-S79 User s Guide For use with the AT-GS950/16 and AT-GS950/24 Smart Switches Version 1.0.0 613-000207 Rev. A Copyright 2005 Allied Telesyn, Inc. All rights reserved. No part of this

More information

Wireless Broadband Router

Wireless Broadband Router LW6005A-R2 Wireless Broadband Router Manual 1 Introduction... 4 Features... 4 Minimum Requirements... 4 Package Content... 4 Note... 4 Get to know the Broadband Router... 5 Back Panel... 5 Front Panel...

More information

EnGenius Networks Singapore Pte Ltd M-Series Products Launch Oct., 2009

EnGenius Networks Singapore Pte Ltd M-Series Products Launch Oct., 2009 EnGenius Networks Singapore Pte Ltd M-Series Products Launch Oct., 2009 What is Wireless Mesh Network? A collection of wireless devices maintaining RF connectivity to create a seamless path for data packets

More information

Management Software AT-S101. User s Guide. For use with the AT-GS950/8POE Gigabit Ethernet WebSmart Switch. Version Rev.

Management Software AT-S101. User s Guide. For use with the AT-GS950/8POE Gigabit Ethernet WebSmart Switch. Version Rev. Management Software AT-S101 User s Guide For use with the AT-GS950/8POE Gigabit Ethernet WebSmart Switch Version 1.0.0 613-000985 Rev. A Copyright 2008 Allied Telesis, Inc. All rights reserved. No part

More information

PRODUCT DESCRIPTION. Learn more about EnGenius Solutions at

PRODUCT DESCRIPTION. Learn more about EnGenius Solutions at Wireless Long Range Multi-function Client Bridge 2.4 GHz EIRP up to 400mW Access point Client Bridge Repeater Client Router PRODUCT DESCRIPTION is a powerful client bridge. It supports several networking

More information

Release Notes for Avaya WLAN 9100 AOS-Lite Operating System WAP9112 Release WAP9114 Release 8.1.0

Release Notes for Avaya WLAN 9100 AOS-Lite Operating System WAP9112 Release WAP9114 Release 8.1.0 WLAN 9100 Release Notes Release Notes for Avaya WLAN 9100 AOS-Lite Operating System WAP9112 Release 8.1.0 WAP9114 Release 8.1.0 Avaya Inc - External Distribution 1. Introduction This document provides

More information

Release Notes for Avaya WLAN 9100 Access Point Operating System (AOS) Release

Release Notes for Avaya WLAN 9100 Access Point Operating System (AOS) Release WLAN 9100 Release Notes Release Notes for Avaya WLAN 9100 Access Point Operating System (AOS) Release 8.4.3-7312 Avaya Inc - External Distribution PRODUCT: Avaya WLAN 9100 Access Point Operating System

More information