MIL-W2332G
ShAir™ AccessG Pro Wireless
Access Point/Bridge with PoE
USER GUIDE
ii
Regulatory Approval
- FCC Class A
- UL 1950
- CSA C22.2 No. 950
- EN60950
- CE
- EN55022 Class A
- EN55024
Canadian EMI Notice
This Class A digital apparatus meets all the requirements of the Canadian Interference-Causing Equipment Regulations.
Cet appareil numerique de la classe A respecte toutes les exigences du Reglement sur le materiel brouilleur du Canada.
European Notice
Products with the CE Marking comply with both the EMC Directive (89/336/EEC) and the Low Voltage Directive (73/23/EEC)
issued by the Commission of the European Community Compliance with these directives imply conformity to the following
European Norms:
EN55022 (CISPR 22) - Radio Frequency Interference
EN61000-X - Electromagnetic Immunity
EN60950 (IEC950) - Product Safety
Three-Year Limited Warranty
MiLAN Technology warrants to the original consumer or purchaser that each of it's products, and all components
thereof, will be free from defects in material and/or workmanship for a period of three years from the original factory
shipment date. Any warranty hereunder is extended to the original consumer or purchaser and is not assignable.
MiLAN Technology makes no express or implied warranties including, but not limited to, any implied warranty of merchantability or fitness for a particular purpose, except as expressly set forth in this warranty. In no event shall MiLAN
Technology be liable for incidental or consequential damages, costs, or expenses arising out of or in connection with
the performance of the product delivered hereunder. MiLAN Technology will in no case cover damages arising out of
the product being used in a negligent fashion or manner.
Trademarks
The MiLAN logo and MiLAN Technology trademarks are registered trademarks of MiLAN Technology in the
United States and/or other countries.
To Contact MiLAN Technology
For prompt response when calling for service information, have the following information ready:
- Product serial number and revision
- Date of purchase
- Vendor or place of purchase
You can reach MiLAN Technology technical support at:
E-mail: support@milan.com
Telephone: +1.408.744.2751
Fax: +1.408.744.2771
MiLAN Technology
1329 Moffett Park Drive
Sunnyvale, CA 94089
United States of America
Telephone: +1.408.744.2775
Fax: +1.408.744.2793
http://www.milan.com
info@milan.com
© Copyright 2005
MiLAN Technology
P/N: 90000435 Rev.A
i
Federal Communication Commission Interference Statement
This equipment has been tested and found to comply with the limits for a Class B digital device,
pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses
and can radiated radio frequency energy and, if not installed and used in accordance with the
instructions, may cause harmful interference to radio communications. However, there is no
guarantee that interference will not occur in a particular installation. If this equipment does
cause harmful interference to radio or television reception, which can be determined by turning
the equipment off and on, the user is encouraged to try to correct the interference by one of the
following measures:
ƒ
Reorient or relocate the receiving antenna.
ƒ
Increase the separation between the equipment and receiver.
ƒ
Connect the equipment into an outlet on a circuit different from that to which the receiver is
connected.
ƒ
Consult the dealer or an experienced radio/TV technician for help.
FCC Caution: To assure continued compliance, (example – use only shielded interface cables
when connecting to computer or peripheral devices). Any changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate this equipment.
This transmitter must not be co-located or operating in conjunction with any other antenna or
transmitter.
FCC Radiation Exposure Statement
This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20 cm between the radiator & your body.
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two
conditions: (1) This device may not cause harmful interference, and (2) this device must accept
any interference received, including interference that may cause undesired operation.
ii
R&TTE Compliance Statement
This equipment complies with all the requirements of DIRECTIVE 1999/5/CE OF THE EUROPEAN PARLIAMENT AND THE COUNCIL OF 9 March 1999 on radio equipment and telecommunication terminal equipment and the mutual recognition of their conformity (R&TTE).
The R&TTE Directive repeals and replaces in the directive 98/13/EEC (Telecommunications
Terminal Equipment and Satellite Earth Station Equipment) as of April 8,2000.
Safety
This equipment is designed with the utmost care for the safety of those who install and use it.
However, special attention must be paid to the dangers of electric shock and static electricity
when working with electrical equipment. All guidelines of this and of the computer manufacture
must therefore be allowed at all times to ensure the safe use of the equipment.
EU Countries Intended for Use
The ETSI version of this device is intended for home and office use in Austria, Belgium, Denmark, Finland, France (with Frequency channel restrictions), Germany, Greece, Ireland, Italy,
Luxembourg, Portugal, Spain, Sweden, The Netherlands, and United Kingdom.
The ETSI version of this device is also authorized for use in EFTA member states Norway and
Switzerland.
EU Countries Not Intended for Use
None.
Potential Restrictive Use
France: only channels 10, 11, 12, and 13.
iii
Table of Contents
1. Introduction
1.1. Overview
1.2. Features
1.3. LED Definitions
2. First-Time Installation and Configuration
2.1. Selecting a Power Supply Method
2.2. Mounting the AP on a Wall
2.3. Preparing for Configuration
2.3.1. Connecting the Managing Computer and the AP
2.3.2. Changing the TCP/IP Settings of the Managing Computer
2.4. Configuring the AP
2.4.1. Entering the User Name and Password
2.4.2. Step 1: Selecting an Operational Mode
2.4.3. Step 2: Configuring TCP/IP Settings
2.4.4. Step 3: Configuring IEEE 802.11 Settings
2.4.5. Step 4: Reviewing and Applying Settings
2.5. Deploying the AP
2.6. Setting up Client Computers
2.6.1. Configuring IEEE 802.11g-Related Settings
2.6.2. Configuring TCP/IP-Related Settings
2.7. Confirming the Settings of the AP and Client Computers
2.7.1. Checking if the IEEE 802.11g-Related Settings Work
2.7.2. Checking if the TCP/IP-Related Settings Work
3. Using Web-Based Network Manager
3.1. Overview
iv
3.1.1. Menu Structure
3.1.2. Save, Save & Restart, and Cancel Commands
3.1.3. Home and Refresh Commands
3.2. Viewing Status
3.2.1. Associated Wireless Clients
3.2.2. Current DHCP Mappings
3.2.3. System Log
3.2.4. Link Monitor
3.3. General Operations
3.3.1. Specifying Operational Mode
3.3.2. Changing Password
3.3.3. Managing Firmware
3.3.3.1. Upgrading Firmware by HTTP
3.3.3.2. Backing up and Restoring Configuration Settings by HTTP
3.3.3.3. Upgrading Firmware by TFTP
3.3.3.4. Backing up and Restoring Configuration Settings by TFTP
3.3.3.5. Resetting Configuration to Factory Defaults
3.4. Configuring TCP/IP Related Settings
3.4.1. Addressing
3.4.2. DHCP Server
3.4.2.1. Basic
3.4.2.2. Static DHCP Mappings
3.5. Configuring IEEE 802.11g-Related Settings
3.5.1. Communication
3.5.1.1. Basic
3.5.1.2. Link Integrity
v
3.5.1.3. Association Control
3.5.1.4. AP Load Balancing
3.5.1.5. Wireless Distribution System
3.5.2. Security
3.5.2.1. Basic
3.5.2.2. MAC-Address-Based Access Control
3.5.3. IEEE 802.1x/RADIUS
3.6. Configuring Advanced Settings
3.6.1. Packet Filters
3.6.1.1. Ethernet Type Filters
3.6.1.2. IP Protocol Filters
3.6.1.3. TCP/UDP Port Filters
3.6.2. Management
3.6.2.1. UPnP
3.6.2.2. System Log
3.6.2.3. SNMP
Appendix A: Default Settings
Appendix B: Troubleshooting
B-1: Wireless Settings Problems
B-2: TCP/IP Settings Problems
B-3: Unknown Problems
Appendix C: Additional Information
C-1: Firmware Upgrade Using Xmodem Upgrade
vi
1.
Introduction
1.1 Overview
The MIL-W2332G ShAir AccessG Pro Wireless Access Point/Bridge enables IEEE
802.11g or IEEE 802.11b client computers to access the resources on the Ethernet
network. With the sleek Web-based user interface and the included ShAir Wireless
Management Utility, a network administrator can easily and clearly manage the AP.
1.2 Features
•
IEEE 802.11g
ƒ
Operational modes
AP/Bridge. This mode provides both Access Point and Static LAN-to-LAN
Bridging functionality. The static LAN-to-LAN bridging function is supported
through Wireless Distribution System (WDS).
AP Client. This mode is for Dynamic LAN-to-LAN Bridging. The AP Client
automatically establishes bridge links with APs from any vendors.
ƒ
RF type selection. The RF type of the WLAN interface can be configured to
work in IEEE 802.11b only, IEEE 802.11g only, or mixed mode (802.11g and
802.11b simultaneously).
ƒ
64-bit and 128-bit WEP (Wired Equivalent Privacy). For authentication and
data encryption.
ƒ
Enabling/disabling SSID broadcasts. When the AP is in AP/Bridge mode, the
administrator can enable or disable the SSID broadcasts functionality for security reasons. When the SSID broadcasts functionality is disabled, a client computer cannot connect to the AP with an “any” network name (SSID, Service Set
ID); the correct SSID has to be specified on client computers.
ƒ
MAC-address-based access control. When the AP is in AP/Bridge mode, it
can be configured to block unauthorized wireless client computers based on
MAC (Media Access Control) addresses. The ACL (Access Control List) can be
downloaded from a TFTP server.
1
ƒ
IEEE 802.1x/RADIUS. When the AP is in AP/Bridge mode, it can be configured
to authenticate wireless users and distribute encryption keys dynamically by
IEEE 802.1x Port-Based Network Access Control and RADIUS (Remote Authentication Dial-In User Service).
ƒ
WPA (Wi-Fi Protected Access). The AP supports the WPA standard proposed
by the Wi-Fi Alliance (http://www.wi-fi.org). Both WPA-PSK (Pre-Shared Key)
mode and full WPA mode are supported. WPA is composed of TKIP (Temporal
Key Integrity Protocol) and IEEE 802.1x and serves as a successor to WEP for
better WLAN security.
ƒ
Repeater. When the AP is in AP/Bridge mode, it can communicate with other
APs or wireless bridges via WDS (Wireless Distribution System). Therefore, an
AP can wirelessly forward packets from wireless clients to another AP, and then
the later AP forwards the packets to the Ethernet network.
Antenna alignment assistance. The AP provides a WDS link quality indicator via Wireless Network Manager to facilitate alignment of directional
antennas when deploying pairs of wireless bridges.
Link health monitoring. This feature enables the administrator to see if
the WDS links of the AP to other peer wireless bridges are working fine.
ƒ
Wireless client isolation. When the AP is in AP/Bridge mode, wireless-to-wireless traffic can be blocked so that the wireless clients cannot see
each other. This capability can be used in hotspot applications to prevent wireless hackers from attacking other wireless users’ computers.
ƒ
AP load balancing. Several APs can form a load-balancing group. Within a
group, wireless client associations and traffic load can be shared among the
APs. This function is available when the AP is in AP/Bridge mode.
ƒ
Transmit power control. Transmit power of the AP’s RF module can be adjusted to change RF coverage of the AP.
ƒ
Link integrity. When the AP is in AP/Bridge mode and its Ethernet LAN interface is detected to be disconnected from the wired network, all currently associated wireless clients are disassociated by the AP and no wireless client can associate with it.
ƒ
Association control. When the AP is in AP/Bridge mode, it can be configured
to deny association requests when it has served too many wireless clients or
traffic load is too heavy.
ƒ
Associated wireless clients status. When the AP is in AP/Bridge mode, it can
show the status of all wireless clients that are associated with the AP.
ƒ
Detachable antennas. The factory-mounted antennas can be replaced with
2
high-gain antennas for different purposes.
•
•
•
•
DHCP client. The AP can automatically obtain an IP address from a DHCP server.
DHCP server. The AP can automatically assign IP addresses to computers or other
devices by DHCP (Dynamic Host Configuration Protocol).
ƒ
Static DHCP mappings. The administrator can specify static IP address to
MAC address mappings so that the specified IP addresses are always assigned
to the hosts with the specified MAC addresses.
ƒ
Showing current DHCP mappings. Showing which IP address is assigned to
which host identified by an MAC address.
Packet Filtering. The AP provides Layer 2, Layer 3, and Layer 4 filtering capabilities.
Firmware Tools
ƒ
Firmware upgrade. The firmware of the AP can be upgraded in the following
methods:
Xmodem-based. Upgrading firmware over RS232.
TFTP-based. Upgrading firmware by TFTP (Trivial File Transfer Protocol).
HTTP-based. Upgrading firmware by HTTP (HyperText Transfer Protocol).
•
ƒ
Configuration backup. The configuration settings of the AP can be backed up
to a file via TFTP or HTTP for later restoring.
ƒ
Configuration reset. Resetting the configuration settings to factory-default
values.
Management
ƒ
Windows-based Wireless Network Manager for configuring, monitoring, and
diagnosing the local computer and neighboring APs. The management protocol
is MAC-based.
ƒ
Web-based Network Manager for configuring and monitoring the AP via a Web
browser. The management protocol is HTTP (HyperText Transfer Protocol)-based.
3
ƒ
SNMP. SNMP (Simple Network Management Protocol) MIB I, MIB II, IEEE
802.1d, IEEE 802.1x, and Private Enterprise MIB are supported.
ƒ
UpnP. The AP responds to UpnP discovery messages so that a Windows XP
user can locate the AP in My Network Places and use a Web browser to configure it.
ƒ
Telnet. The user is enabled to manage the AP by Telnet.
ƒ
System log. For system operational status monitoring.
Local log. System events are logged to the on-board RAM of the AP and
can be viewed using a Web browser.
Remote log by SNMP trap. Systems events are sent in the form of
SNMP traps to a remote SNMP management server.
•
•
Power over Ethernet. Power-over-Ethernet is supported, power has to be sent via
data pairs 1:2/3:6
Hardware Watchdog Timer. If the firmware gets stuck in an invalid state, the hardware watchdog timer will detect this situation and restart the AP. This way, the AP
can provide continuous services.
1.3 LED Definitions
There are several LED indicators on the housing of the AP. They are defined as follows:
•
•
•
•
Alive: Blinks when the AP is working normally.
RF: IEEE 802.11g interfaces activity
LAN: Ethernet LAN interface activity
Power: Power
4
2.
First-Time Installation and Configuration
2.1 Selecting a Power Supply Method
Optionally, the AP can be powered by the supplied power adapter or PoE (Power over
Ethernet). The AP automatically selects the suitable one depending on your decision.
To power the AP by the supplied power adapter:
1.
Plug the power adapter to an AC socket.
2.
Plug the connector of the power adapter to the power jack of the AP.
NOTE: This product is intended to be power-supplied by a Listed Power Unit, marked
“Class 2” or “LPS” and output rated “5V DC, 1 A minimum” or equivalent statement.
To power the AP by PoE:
1.
Plug one connector of an Ethernet cable to an available port of a PoE hub.
2.
Plug the other connector of the Ethernet cable to the LAN/CONFIG port of the AP.
2.2 Mounting the AP on a Wall
The AP is wall-mountable.
1.
Stick the supplied sticker for wall-mounting.
2.
Use a 6.5mm driller to drill a 25mm-deep hole at each of the cross marks.
3.
Plug in a supplied plastic conical anchor in each hole.
4.
Screw a supplied screw in each plastic conical anchor for a proper depth so that
the wireless AP can be hung on the screws.
5.
Hang the wireless AP on the screws.
5
Fig. 1. Mounting the AP on a wall.
2.3 Preparing for Configuration
For you to configure an AP, a managing computer with a Web browser is needed. For
first-time configuration of an AP, an Ethernet network interface card (NIC) should have
been installed in the managing computer. For maintenance-configuration of a deployed
AP, either a wireless computer or a wired computer can be employed as the managing
computer.
NOTE: If you are using the browser, Opera, to configure an AP, click the menu item
File, click Preferences…, click File types, and edit the MIME type, text/html, to add a
file extension “.sht” so that Opera can work properly with the Web management pages
of the AP.
Since the configuration/management protocol is HTTP-based, you have to make sure
that the IP address of the managing computer and the IP address of the managed
AP are in the same IP subnet (the default IP address of an AP is Error! Reference
source not found. and the default subnet mask is 255.255.255.0.)
6
2.3.1 Connecting the Managing Computer and the AP
To connect the Ethernet managing computer and the managed AP for first-time configuration, you have two choices as illustrated in Fig. 2.
Cross-over
Ethernet
cable
ShAir AccessG
Pro AP
Normal
Ethernet
cable
Managing
Computer
Normal
Ethernet
cable
Ethernet
Hub/Switch
Fig. 2. Connecting a managing computer and an AP via Ethernet.
You can use either a cross-over Ethernet cable (included in the package) or a
switch/hub with 2 normal Ethernet cables.
NOTE: One connector of the Ethernet cable must be plugged into the LAN/CONFIG
Ethernet jack of the AP for configuration.
2.3.2 Changing the TCP/IP Settings of the Managing Computer
Use the Windows Network Control Panel Applet to change the TCP/IP settings of the
managing computer, so that the IP address of the computer and the IP address of the
AP are in the same IP subnet. Set the IP address of the computer to 192.168.1.xxx (the
default IP address of an AP is Error! Reference source not found.) and the subnet mask
to 255.255.255.0.
NOTE: For some versions of Windows, the computer needs to be restarted for the
changes of TCP/IP settings to take effect.
TIP: After you have connected the managing computer and the AP via Ethernet, you
can install Wireless Network Manager on the managing computer and use it to configure the AP without being concerned about the TCP/IP settings of the managing computer. Refer to the on-line help of Wireless Network Manager for more information.
7
2.4 Configuring the AP
After the IP addressing issue is resolved, launch a Web browser on the managing
computer. Then, go to “http://Error! Reference source not found.” to access the
Web-based Network Manager Start page.
TIP: For maintenance configuration of an AP, the AP can be reached by its host name
using a Web browser. For example, if the AP is named “AP”, you can use the URL
“http://AP” to access the Web-based Network Manager of the AP.
2.4.1 Entering the User Name and Password
Before the start page is shown, you will be prompted to enter the user name and password to gain the right to access the Web-based Network Manager. For first-time configuration, use the default user name “root” and default password “root”, respectively.
Fig. 3. Entering the user name and password.
NOTE: It is strongly recommended that the password be changed to other value for security reasons. On the start page, click the General, Password link to change the value
of the password.
TIP: Since the start page shows the current settings and status of the AP, it can be
saved or printed within the Web browser for future reference.
8
Fig. 4. The Start page.
2.4.2 Step 1: Selecting an Operational Mode
Fig. 5. Operational modes settings.
Go to the General, Operational Mode section, select an operational mode and click
Save at the bottom of this page, and then you are brought back to the start page.
The AP supports 2 operational modes:
•
AP/Bridge. This mode provides both Access Point and Static LAN-to-LAN Bridging
functionality. The static LAN-to-LAN bridging function is supported through Wireless
Distribution System (WDS).
9
•
AP Client. This mode is for Dynamic LAN-to-LAN Bridging. The AP Client automatically establishes bridge links with APs from any vendors.
In either mode, the AP forwards packets between its Ethernet interface and wireless interface for wired hosts on the Ethernet side and wireless host(s) on the wireless side.
There are 2 types of wireless links as specified by the IEEE 802.11 standard.
•
•
STA-AP. This type of wireless link is established between an IEEE 802.11 Station
(STA) and an IEEE 802.11 Access Point (AP). A STA is usually a client computer
(PC or PDA) with a WLAN network interface card (NIC). The AP Client mode is actually an STA.
WDS. This type of wireless link is established between two IEEE 802.11 APs. Wireless packets transmitted along the WDS link comply with the IEEE 802.11 WDS
(Wireless Distribution System) format at the link layer.
The relationships among the operational modes and the wireless link types are shown
in the following table:
Table 1. Operational modes vs. wireless link types.
AP/Bridge
AP Client
AP/Bridge
WDS
STA-AP
AP Client
STA-AP
To establish a static bridge link based on WDS, the AP/bridges at both end of the WDS
link must be manually configured with each other’s MAC addresses (see Section 0 for
more information). To establish a dynamic bridge link between an AP and an AP Client,
both devices have to be configured with the same SSID and WEP settings. The AP Client automatically scans for any AP that is using the matched SSID and establishes a
bridge link with the scanned AP.
NOTE: Although it’s more convenient to use dynamic bridging, it has a limitation—the
AP Client only can forward TCP/IP packets between its wireless interface and Ethernet
interface; other type of traffic (such as IPX and AppleTalk) is not forwarded.
TIP: When the AP is configured to be in AP Client, it can be used as an
Ethernet-to-wireless network adapter. For example, a notebook computer equipped with
an Ethernet adapter can be connected to this device with a crossover Ethernet cable for
wireless connectivity to another access point.
10
2.4.3 Step 2: Configuring TCP/IP Settings
Fig. 6. TCP/IP settings.
Go to the TCP/IP, Addressing section to configure IP address settings. The IP address
can be manually set or automatically assigned by a DHCP server on the LAN. If you are
manually setting the IP address, Subnet mask, and Default gateway settings, set
them appropriately, so that they comply with your LAN environment. In addition, you can
specify the Host name and Domain (DNS suffix) of the AP.
When you are finished, click Save at the bottom of this page, and then you are brought
back to the start page.
2.4.4 Step 3: Configuring IEEE 802.11 Settings
Fig. 7. IEEE 802.11g communication settings.
Go to the IEEE 802.11, Communication section to configure IEEE 802.11g-related
communication settings, including Regulatory domain, Channel number, and Network name (SSID).
The number of available RF channels depends on local regulations; therefore you have
to choose an appropriate regulatory domain to comply with local regulations. The SSID
of a wireless client computer and the SSID of the AP must be identical for them to
communicate with each other.
When you are finished, click Save at the bottom of this page, and then you are brought
back to the start page.
11
2.4.5 Step 4: Reviewing and Applying Settings
Fig. 8. Settings changes are highlighted in red.
On the start page, you can review all the settings you have made. Changes are highlighted in red. If they are OK, click Restart to restart the AP for the new settings to take
effect.
NOTE: About 7 seconds are needed for the AP to complete its restart process.
12
2.5 Deploying the AP
After the settings have been configured, deploy the AP to the field application environment. Connect the AP to an Ethernet LAN through an Ethernet switch/hub.
If you are configuring a pair of the APs for a dynamic or static bridging application and
external high-gain directional antennas are used, it’s difficult to adjust alignments of the
antennas when the pair of devices is distance away.
To adjust the alignments of a pair of bridges’ directional antennas:
1.
Connect each bridge to a computer via Ethernet.
2.
Configure the date rate of each bridge to the lowest value, 1Mbps.
3.
Fix the alignment of the antenna on one side.
4.
Adjust the alignment of the antenna on other side by using response time information obtained from PINGing (run PING.exe) the “fixed-side” computer.
5.
Fine-tune the alignment of the antenna until you get a best response time.
6.
Increase the data rate of each bridge simultaneously until a maximal workable
data rate is reached. You may not be able to use the highest data rate, 54Mbps,
because of the distance and the gain of the antennas.
Adjust antenna alignment
WDS Link
Bridge 2
Bridge 1
PING (ICMP Echo Request)
Computer 1
ICMP Echo Reply
Computer 2
Fig. 9. Adjusting alignments of external directional antennas.
TIP: When doing dynamic bridging, configure Bridge 1 to be in AP Client mode and configure Bridge 2 to be in AP/Bridge mode.
TIP: If you are doing static bridging, you can make use of the Antenna Alignment Assistance feature to help you align the directional antennas.
13
Fig. 10. Antenna alignment assistance.
Instead of using PING.exe, you can run Wireless Network Manager on Computer 1, and
go to the Antenna Alignment tab. Click Start to begin monitoring the WDS link quality.
Adjust the alignment of the antenna of Bridge 1 until the Link quality indicator shows a
relatively maximal value. Finally, click Stop to stop monitoring WDS link quality.
TIP: If you are doing dynamic bridging, you can use the Link Monitor feature on the AP
Client side to help you align the directional antennas. Refer to Section 0 for more information.
Fig. 11. Link monitor.
14
2.6 Setting up Client Computers
The TCP/IP and IEEE 802.11g-related settings of wireless client computers must match
those of the AP.
2.6.1 Configuring IEEE 802.11g-Related Settings
Before the TCP/IP networking system of a wireless client computer can communicate
with other hosts, the underlying wireless link must be established between this wireless
computer and an AP.
To establish a wireless link to an AP:
1.
Launch the configuration/monitoring utility provided by the vendor of the installed
WLAN NIC.
2.
Use the utility to make appropriate Operating Mode, SSID and WEP settings.
NOTE: A wireless client computer must be in infrastructure mode, so that it can associate with an AP.
NOTE: The SSID of the wireless client computer and the SSID of the AP must be identical. Or, in case the SSID broadcasts capability of the AP is enabled (by default), the
SSID of the wireless client computer could be set to “any”.
NOTE: Both the wireless client computer and the AP must have the same WEP settings
for them to communicate with each other.
NOTE: For better wireless security, IEEE 802.1x capability of the AP must be enabled
so that only authenticated wireless users can access the wireless network. Refer to the
IEEE 802.1x-related white papers on the companion CD-ROM for more information
about deploying secure WLANs with IEEE 802.1x support.
2.6.2
Configuring TCP/IP-Related Settings
Use Windows Network Control Panel Applet to change the TCP/IP settings of the
client computers, so that the IP addresses of the client computers and the IP address of
the AP are in the same IP subnet.
If a client computer is originally set a static IP address, you can either change its IP address to match the IP address of the AP, or select an automatically-obtain-an-IP-address option if there is a DHCP server on the network.
NOTE: For some versions of Windows, the computer needs to be restarted for the
changes of TCP/IP settings to take effect.
15
2.7 Confirming the Settings of the AP and Client
Computers
After you have completed deploying the AP and setting up client computers, you have
to make sure the settings you have made are correct.
2.7.1Checking if the IEEE 802.11g-Related Settings Work
To check if a wireless client computer can associate with the AP:
1.
Launch the configuration/monitoring utility provided by the vendor of the installed
WLAN NIC.
2.
Check if the client computer is associated to an access point, and the access point
is the AP.
If the check fails, see Appendix B-1, “Wireless Settings Problems” for troubleshooting.
2.7.2 Checking if the TCP/IP-Related Settings Work
To check if a client computer can access the Internet:
1.
Open a Windows Command Prompt window on the client computer.
2.
Type “ping advap”, where advap is a placeholder for the IP address of the AP. Replace it with your real IP address—for example, 192.168.1.254. Then press Enter.
If the AP responds, go to the next step; else, see Appendix B-2, “TCP/IP Settings
Problems” for troubleshooting.
3.
Type “ping default_gateway”, where default_gateway is a placeholder for the IP
address of the default gateway of the wireless client computer. Then press Enter.
If the gateway responds, go to the next step; else, see Appendix B-2, “TCP/IP Settings Problems” for troubleshooting.
4.
Type “ping 1st_dns_server”, where 1st_dns_server is a placeholder for the IP address of the primary DNS server of the wireless client computer. Then press Enter.
If this DNS server responds, go to the next step; else, see Appendix B-2, “TCP/IP
Settings Problems” for troubleshooting.
16
5.
Type “ping 2nd_dns_server”, where 2nd_dns_server is a placeholder for the IP
address of the secondary DNS server of the wireless client computer. Then press
Enter.
If this DNS server responds the client should have no problem with TCP/IP networking; else, see Appendix B-2, “TCP/IP Settings Problems” for troubleshooting.
17
3.
Using Web-Based Network Manager
In this chapter, we’ll explain each Web management page of the Web-based Network
Manager.
3.1 Overview
Fig. 12. The Start page.
18
3.1.1 Menu Structure
The left side of the start page contains a menu for you to carry out commands. Here is a
brief description of the hyperlinks on the menu:
•
Home. For going back to the start page.
•
Status. Status information.
•
•
•
ƒ
Wireless Clients. The status of the wireless clients currently associated with
the AP.
ƒ
DHCP Mappings. Current IP-MAC address mappings of the built-in DHCP
server.
ƒ
System Log. System events log.
ƒ
Link Monitor. When the AP is in AP Client mode, this page shows the signal
strength and link quality of the wireless link to its associated access point.
General. Global operations.
ƒ
Operational Mode. Operational mode of the AP—AP/Bridge or AP Client.
ƒ
Password. For gaining rights to change the settings of the AP.
ƒ
Firmware Tools. For upgrading the firmware of the AP, backing up and restoring configuration, and configuration reset settings of the AP.
TCP/IP. TCP/IP-related settings.
ƒ
Addressing. IP address settings for the AP to work with TCP/IP.
ƒ
DHCP Server. Settings for the DHCP (Dynamic Host Configuration Protocol)
server on the AP.
IEEE 802.11. IEEE 802.11g-related settings.
ƒ
Communication. Basic settings for the IEEE 802.11g interface of the AP to
work properly with wireless clients.
ƒ
Security. Security settings for authenticating wireless users and encrypting
wireless data.
ƒ
IEEE 802.1x/RADIUS. IEEE 802.1x Port-Based Network Access Control and
19
RADIUS (Remote Authentication Dial-In User Service) settings for better wireless security.
•
Advanced. Advanced settings of the AP.
ƒ
Packet Filters. Ethernet Type Filters, IP Protocol Filters, and TCP/UDP Port
Filters settings.
ƒ
Management. UPnP, System Log, and SNMP settings.
20
3.1.2 Save, Save & Restart, and Cancel Commands
Fig. 13. Save, Save & Restart, and Cancel.
At the bottom of each page that contains settings you can configure, there are up to
three buttons—Save, Save & Restart, and Cancel. Clicking Save stores the settings
changes to the memory of the AP and brings you back to the start page. Clicking Save
& Restart stores the settings changes to the memory of the AP and restarts the AP
immediately for the settings changes to take effect. Clicking Cancel discards any settings changes and brings you back to the start page.
If you click Save, the start page will reflect the fact that the configuration settings have
been changed by showing two buttons—Restart and Cancel. In addition, changes are
highlighted in red. Clicking Cancel discards all the changes. Clicking Restart restarts
the AP for the settings changes to take effect.
Fig. 14. Settings have been changed.
21
3.1.3 Home and Refresh Commands
Fig. 15. Home and Refresh.
At the bottom of each status page that shows read-only information, there are two buttons—Home and Refresh. Clicking Home brings you back to the start page. Clicking
Refresh updates the shown status information.
3.2 Viewing Status
3.2.1 Associated Wireless Clients
Fig. 16. Status of associated wireless clients.
On this page, the status information of each associated client, including its MAC address, IP address, user name (if the client has been IEEE 802.1x authenticated), number of bytes it has send, number of bytes it has received, and the time of its last activity,
is shown.
22
3.2.2 Current DHCP Mappings
Fig. 17. Current DHCP mappings.
On this page, all the current static or dynamic DHCP mappings are shown. A DHCP
mapping is a correspondence relationship between an IP address assigned by the
DHCP server and a computer or device that obtains the IP address. A computer or device that acts as a DHCP client is identified by its MAC address.
A static mapping indicates that the DHCP client always obtains the specified IP address
from the DHCP server. You can set static DHCP mappings in the Static DHCP Mappings section of the DHCP Server configuration page. A dynamic mapping indicates
that the DHCP server chooses an IP address from the IP address pool specified by the
First allocateable IP address and Allocateable IP address count settings on the
DHCP Server configuration page.
23
3.2.3 System Log
Fig. 18. System log.
System events are recorded in the memory of the AP. The logged information is useful
for troubleshooting purposes. The system events are divided into several categories,
and you can select which categories of events to log.
3.2.4 Link Monitor
Fig. 19. Link monitor.
When the AP is in AP Client mode, you can use the Link Monitor status page to monitor
the link quality and signal strength sensed by its RF module. Larger values means better wireless connectivity to its associated Access Point. This feature is especially useful
when you are aligning a pair of directional antennas for bridging applications. Refer to
Section 2.5 for more information about antenna alignment.
NOTE: The values are updated every 20 seconds.
24
3.3 General Operations
3.3.1 Specifying Operational Mode
Fig. 20. Operational modes settings.
The AP supports 2 operational modes:
•
•
AP/Bridge. This mode provides both Access Point and Static LAN-to-LAN
Bridging functionality. The static LAN-to-LAN bridging function is supported
through Wireless Distribution System (WDS).
AP Client. This mode is for Dynamic LAN-to-LAN Bridging. The AP Client automatically establishes bridge links with APs from any vendors.
In either mode, the AP forwards packets between its Ethernet interface and wireless interface for wired hosts on the Ethernet side and wireless host(s) on the wireless side.
There are 2 types of wireless links as specified by the IEEE 802.11 standard.
•
•
STA-AP. This type of wireless link is established between an IEEE 802.11 Station (STA) and an IEEE 802.11 Access Point (AP). An STA is usually a client
computer (PC or PDA) with a WLAN network interface card (NIC). The AP Client
mode is actually an STA.
WDS. This type of wireless link is established between two IEEE 802.11 APs.
Wireless packets transmitted along the WDS link comply with the IEEE 802.11
WDS (Wireless Distribution System) format at the link layer.
The relationships among the operational modes and the wireless link types are shown
in the following table:
Table 2. Operational modes vs. wireless link types.
AP/Bridge
25
AP Client
AP/Bridge
WDS
AP Client
STA-AP
STA-AP
To establish a static bridge link based on WDS, the AP/bridges at both end of the WDS
link must be manually configured with each other’s MAC addresses (see Section 0 for
more information). To establish a dynamic bridge link between an AP and an AP Client,
both devices have to be configured with the same SSID and WEP settings. The AP Client automatically scans for any AP that is using the matched SSID and establishes a
bridge link with the scanned AP.
NOTE: Although it’s more convenient to use dynamic bridging, it has a limitation—the
AP Client only can forward TCP/IP packets between its wireless interface and Ethernet
interface; other type of traffic (such as IPX and AppleTalk) is not forwarded.
TIP: When the AP is configured to be in AP Client, it can be used as an
Ethernet-to-wireless network adapter. For example, a notebook computer equipped with
an Ethernet adapter can be connected to this device with a crossover Ethernet cable for
wireless connectivity to another access point.
3.3.2 Changing Password
Fig. 21. Password.
On this page, you can change the user name and password for the right to modify the
configuration of the bridge. The new password must be typed twice for confirmation.
26
3.3.3 Managing Firmware
Fig. 22. Firmware management protocol setting.
Firmware management operations for the AP include firmware upgrade, configuration
backup, configuration restore, and configuration reset. Firmware upgrade, configuration
backup, and configuration restore can be achieved via HTTP or TFTP. The
HTTP-based way is suggested because it’s more user friendly. However, due to different behavior of different Web browser types and versions, HTTP-based firmware management operations may not work properly with some Web browsers. If you cannot successfully perform HTTP-based firmware management operations with your Web
browser, try the TFTP-based way.
TIP: You can use Upgrade Wizard of Wireless Network Manager to upgrade firmware.
See the on-line help of Wireless Network Manager for more information.
3.3.3.1 Upgrading Firmware by HTTP
Fig. 23. Firmware upgrade by HTTP.
To upgrade firmware of the AP by HTTP:
1.
Click Browse and then select a correct firmware .bin file. The firmware file path will
be shown in the Firmware file name text box.
2.
Click Upgrade to begin the upgrade process.
27
3.3.3.2 Backing up and Restoring Configuration Settings by HTTP
Fig. 24. Firmware backup by HTTP.
To back up configuration of the AP by HTTP:
1.
Click Back Up.
2.
You’ll be prompted to open or save the configuration file. Click Save.
3.
The configuration file is named by the AP’s MAC address. For example, if the AP’s
MAC address is 00-01-02-33-44-55, the configuration backup file should be
“000102334455.hex”. Don’t change the configuration file name in the Save As dialog box. Select a folder in which the configuration file is to be stored. And then, click
Save.
NOTE: The procedure may be a little different with different Web browsers.
Fig. 25. Configuration restore by HTTP.
To restore configuration of the AP by HTTP:
1.
Click Browse and then select a correct configuration .hex file. You have to make
sure the file name is the AP’s MAC address. The firmware file path will be shown in
the Firmware file name text box.
2.
Click Restore to upload the configuration file to the AP.
28
3.3.3.3 Upgrading Firmware by TFTP
Fig. 26. TFTP server settings.
When use TFTP as the firmware management protocol, you can configure settings for
the AP’s TFTP client to communicate with a TFTP server. If the TFTP client does not
get a response from the TFTP server within a period specified by the Timeout setting, it
will resend the previous request. The Max number of retries setting specifies the
maximal number of resend before the TFTP client stops communicating with the TFTP
server.
Within the folder “Utilities” on the companion CD-ROM disk, we offered a TFTP server
program (TftpSrvr.exe) for firmware upgrade. Run this program on the computer that is
to serve as a TFTP server.
Fig. 27. Firmware upgrade by TFTP.
To upgrade firmware of the AP by TFTP:
1.
Get a computer that will be used as a TFTP server and as a managing computer to
trigger the upgrade process.
2.
Connect the computer and one of the LAN Ethernet switch port with a normal
Ethernet cable.
3.
Configure IP address of the computer so that the AP and the computer are in the
same IP subnet.
4.
On the computer, run the TFTP Server utility. And specify the folder in which the
firmware files reside.
5.
On the computer, run a Web browser and click the General, Firmware Tools hyperlink.
6.
Choose TFTP as the Firmware management protocol.
7.
Specify the IP address of the computer, which acts as a TFTP server. If you don’t
know the IP address of the computer, open a Command Prompt, and type IpConfig,
then press the Enter key.
29
8.
Trigger the firmware upgrade process by clicking Upgrade.
Fig. 28. TFTP Server.
NOTE: After the dialog box of the TFTP server program appears, be sure to specify the
working folder within which the downloaded firmware files reside.
NOTE: Make sure the Accept read requests check box of TFTP Server is selected.
NOTE: The LAN IP address of the AP and the IP address of the TFTP server must be in
the same IP subnet for TFTP to work.
NOTE: Due to the unreliable nature of wireless media, it’s highly recommended that the
TFTP server and the to-be-upgraded wireless AP be connected by Ethernet, and on the
same LAN, so that the upgrade process would be smooth.
NOTE: After the firmware is upgraded, be sure to delete the contents of the Web
browser cache, so that the Web management pages can be shown correctly.
NOTE: A failed upgrade may corrupt the firmware and make the AP unstartable. When
this occurs, call for technical support.
TIP: If you want to remotely upgrade the firmware of a deployed AP from the Internet,
adjust the Timeout and Max no. of retries settings of TFTP Server for remote TFTP
upgrade to succeed.
30
3.3.3.4 Backing up and Restoring Configuration Settings by TFTP
Fig. 29. Configuration backup/restore.
To back up configuration of the AP by TFTP:
Get a computer that will be used as a TFTP server and as a managing computer to
trigger the backup process.
1.
Connect the computer and one of the LAN Ethernet switch port with a normal
Ethernet cable.
2.
Configure the IP address of the computer so that the computer and the AP are in
the same IP subnet.
3.
On the computer, run the TFTP Server utility. Select the Accept write requests
check box, and specify the folder to which the configuration settings of the AP will
be saved.
4.
On the computer, run a Web browser and click the General, Firmware Tools hyperlink.
5.
Choose TFTP as the Firmware management protocol.
6.
Within the Configuration Backup/Restore section, specify the IP address of the
computer, which acts as a TFTP server. If you don’t know the IP address of the
computer, open a Command Prompt, and type IpConfig, then press the Enter key.
7.
Trigger the backup process by clicking Back Up. The AP’s configuration settings
will be saved as “AaBbCcDdEeFf.hex” by the TFTP server, where
“AaBbCcDdEeFf” is the AP’s MAC address. For example, if the AP’s MAC address
is 00-01-02-33-44-55, the configuration backup file will be “000102334455.hex”.
NOTE: Remember to select the Accept write requests check box of TFTP Server.
To restore configuration of the AP by TFTP:
1.
Get a computer that will be used as a TFTP server and as a managing computer to
trigger the restoring process.
2.
Connect the computer and one of the LAN Ethernet switch port with a normal
Ethernet cable.
3.
Configure the IP address of the computer so that the computer and the AP are in
the same IP subnet.
31
4.
On the computer, run the TFTP Server utility. And specify the folder in which the
configuration backup file resides. A configuration backup file is named by the AP’s
MAC address. For example, if the AP’s MAC address is 00-01-02-33-44-55, the
configuration backup file should be “000102334455.hex”.
5.
On the computer, run a Web browser and click the General, Firmware Tools hyperlink.
6.
Choose TFTP as the Firmware management protocol.
7.
Within the Configuration Backup/Restore section, specify the IP address of the
computer, which acts as a TFTP server. If you don’t know the IP address of the
computer, open a Command Prompt, and type IpConfig, then press the Enter key.
8.
Trigger the restoring process by clicking Restore. The AP will then download the
configuration backup file from the TFTP server.
NOTE: Make sure the file is a valid configuration backup file for the AP.
TIP: If you want to remotely back up or restore configuration from the Internet, adjust
the Timeout and Max no. of retries settings of TFTP Server for remote TFTP configuration backup/restore to succeed.
3.3.3.5 Resetting Configuration to Factory Defaults
Fig. 30. Configuration reset.
Clicking the Reset button resets the device configuration to factory defaults.
WARNING: Think twice before clicking the Reset button. You’ll lose all your current
configuration settings.
32
3.4
Configuring TCP/IP Related Settings
3.4.1 Addressing
Fig. 31. TCP/IP settings.
The IP address of the AP can be manually set (Set Manually) or automatically assigned
by a DHCP server on the LAN (Obtain from a DHCP Server). If you are manually setting the IP address, Subnet mask, and Default gateway settings, set them appropriately, so that they comply with your LAN environment. In addition, you can specify the
Host name and Domain (DNS suffix) of the AP.
33
3.4.2 DHCP Server
3.4.2.1 Basic
Fig. 32. Basic DHCP server settings.
The AP can automatically assign IP addresses to client computers by DHCP. In this
section of the management page, you can specify the Default gateway, Subnet mask,
Primary DNS server, and Secondary DNS server settings that will be sent to a client
at its request. Additionally, you can specify the first IP address that will be assigned to
the clients and the number of allocateable IP addresses.
NOTE: There should be only one DHCP server on the LAN; otherwise, DHCP would not
work properly. If there is already a DHCP server on the LAN, disable the DHCP server
functionality of the AP.
NOTE: By default the DHCP server function is disabled.
34
3.4.2.2 Static DHCP Mappings
Fig. 33. Static DHCP mappings.
IP addresses of servers are often static so that clients could always locate the servers
by the static IP addresses. By Static DHCP Mappings, you can ensure that a host will
get the same IP address when it requests one from the DHCP server. Therefore, instead of configuring the IP address of an intranet server manually, you can configure
the server to obtain an IP address by DHCP and it is always assigned the same IP address.
To always assign a static IP address to a specific DHCP client:
1.
Specify the MAC address of the DHCP client and the IP address to be assigned to
it. Then, give a description for this mapping.
2.
Select the corresponding Enabled check box.
35
3.5
Configuring IEEE 802.11g-Related Settings
3.5.1 Communication
3.5.1.1 Basic
Basic IEEE 802.11g-related communication settings include AP functionality, RF type,
Regulatory domain, Channel number, Network name (SSID), Data rate, and
Transmit power.
Fig. 34. Basic IEEE 802.11g communication settings.
For specific needs such as configuring the AP as a wireless LAN-to-LAN bridge, the AP
functionality can be disabled, so that no wireless client can associate with the AP.
The RF type of the WLAN interface can be configured to work in IEEE 802.11b only (b
Only), IEEE 802.11g only (g Only), or mixed mode (Mixed—802.11g and 802.11b simultaneously).
The number of available RF channels depends on local regulations; therefore you have
to choose an appropriate regulatory domain to comply with local regulations. The SSID
of a wireless client computer and the SSID of the AP must be identical for them to
communicate with each other.
If there is RF interference, you may want to reduce the Data rate for more reliable wireless transmission. In most cases, leave the setting to Auto.
The transmit power of the RF module of the AP can be adjusted so that the RF coverage of the AP can be changed.
36
3.5.1.2 Link Integrity
Fig. 35. Link integrity settings.
When the Ethernet LAN interface is detected to be disconnected from the wired network,
all currently associated wireless clients are disassociated by the AP and no wireless
client can associate with the AP. The detection mechanism is based on pinging the IP
address specified in Reference host.
3.5.1.3 Association Control
Fig. 36. Association control settings.
If the number of currently associated wireless clients exceeds the value specified in the
Max number of clients setting, no more wireless client can associate with the AP. If
traffic load of the AP exceeds the load specified in the Block clients if traffic load exceeds setting, no more wireless client can associate with the AP.
3.5.1.4 AP Load Balancing
Fig. 37. AP load balancing settings.
Several Aps can form a load-balancing group if they are set with the same Group ID.
The load-balancing policy can be by Number of Users or by Traffic Load.
If the by-number-of-users policy is selected, a new wireless user can only associate with
an AP that has the smallest number of associated wireless users in the group. On the
other hand, if the by-traffic-load policy is selected, a new wireless user can only associate with an AP that has the less traffic load in the group.
37
3.5.1.5 Wireless Distribution System
Notebook
Computer
WDS
LAN
AP 2
AP 1
Fig. 38. Wireless Distribution System.
Traditionally, access points are connected by Ethernet. By Wireless Distribution System
(WDS), Aps can communicate with one another wirelessly. For example, in Fig. 38, AP
2 acts as an access point for the notebook computers and it forwards packets sent from
the notebook computers to AP 1 through WDS. Then, AP 1 forwards the packets to the
Ethernet LAN. Packets destined for the notebook computers follow a reverse path from
the Ethernet LAN through the Aps to the notebook computers. In this way, AP 2 plays a
role of “AP repeater”.
WDS Link
LAN
Segment 1
Bridge 1
LAN
Segment 2
Bridge 2
Fig. 39. LAN-to-LAN bridging.
By WDS, two or more LAN segments can be connected wirelessly. As illustrated in Fig.
39, a pair of wireless LAN-to-LAN bridges is used to connect two LAN segments. Since
the AP is WDS-enabled, it can be used as a wireless bridge.
NOTE: An AP can have up to 6 WDS links to other Aps or wireless bridges.
38
Fig. 40. Wireless Distribution System settings.
To enable a WDS link:
1.
Specify the MAC address of the AP at the other end of the WDS link.
2.
Select the corresponding Enabled check box.
For example, assume you want two APs with MAC addresses 00-02-65-01-62-C5 and
00-02-65-01-62-C6 to establish a WDS link between them. On AP 00-02-65-01-62-C5,
set the peer MAC address of port 1 to 00-02-65-01-62-C6 and on AP
00-02-65-01-62-C6, set the peer MAC address of port 1 to 00-02-65-01-C5.
TIP: Plan your wireless network and draw a diagram, so that you know how an AP is
connected to other peer Aps or wireless bridges by WDS.
TIP: Plan your wireless network and draw a diagram, so that you know how a bridge is
connected to other peer bridges by WDS. See the following figure for an example network-planning diagram.
39
Fig. 41. Sample wireless bridge network topology.
WARNING: Don’t let your network topology consisting of wireless bridges, Ethernet
switches, Ethernet links, and WDS links contain loops. If any loops exist, packets will
circle around the loops and network performance will be seriously degraded.
Fig. 42. Network topology containing a loop.
TIP: You can check whether the WDS links of the AP are functioning by using Wireless
Network Manager.
40
Fig. 43. Link health monitoring.
Run Wireless Network Manager on a computer and locate the AP you want to manage.
Go to the WDS tab, and then click Test. The test results (OK or Broken) will be shown
in the Link Status column of the WDS links table.
If external high-gain directional antennas are used, it’s difficult to align the antennas
when the distance between the bridges is long.
To adjust the alignments of a pair of bridges’ directional antennas:
7.
Connect each bridge to a computer via Ethernet.
8.
Configure the date rate of each bridge to the lowest value, 1Mbps.
9.
Fix the alignment of the antenna on one side.
10. Adjust the alignment of the antenna on other side by using response time information obtained from PINGing (run PING.exe) the “fixed-side” computer.
11. Fine-tune the alignment of the antenna until you get a best response time.
12. Increase the data rate of each bridge simultaneously until a maximal workable
data rate is reached. You may not be able to use the highest data rate, 11Mbps,
because of the distance and the gain of the antennas.
41
Adjust antenna alignment
WDS Link
Bridge 1
Bridge 2
PING (ICMP Echo Request)
Computer 1
ICMP Echo Reply
Computer 2
Fig. 44. Adjusting alignments of external directional antennas.
TIP: You can make use of the Antenna Alignment Assistance feature to help you align
the directional antennas.
Fig. 45. Antenna alignment assistance.
Instead of using PING.exe, you can run Wireless Network Manager on Computer 1, and
go to the Antenna Alignment tab. Click Start to begin monitoring the WDS link quality.
Adjust the alignment of the antenna of DRBAP as Bridge 1 until the Link quality indicator shows a relatively maximal value. Finally, click Stop to stop monitoring WDS link
quality.
42
3.5.2 Security
IEEE 802.11g security settings include SSID broadcasts, Wireless client isolation,
Security mode, IEEE 802.11 Authentication algorithm, WEP keys,
MAC-Address-Based Access Control.
3.5.2.1 Basic
Fig. 46. Basic IEEE 802.11g security settings.
For security reasons, it’s highly recommended that the security mode be set to options
other than Open System. When the security mode is set to Open System, no Authentication and data encryption will be performed. Additionally, you can disable the SSID
broadcasts functionality so that a wireless client computer with an “any” SSID cannot
associate with the AP.
When the Wireless client isolation setting is set to This AP Only, wireless clients of
this AP cannot see each other, and wireless-to-wireless traffic is blocked. When the setting is set to All Aps in This Subnet, traffic among wireless users of different APs in
the same IP subnet is blocked. This feature is useful for WLANs deployed in public
places. In this way, hackers have no chance to attack other wireless users in a hotspot.
When the Wireless client isolation setting is set to This AP Only, wireless clients
(STAs) of this AP cannot see each other, and wireless-to-wireless traffic between the
STAs is blocked. When the setting is set to All APs in This Subnet, traffic among
wireless users of different Aps in the same IP subnet is blocked. The behaviors are illustrated in the following figures.
43
STA 1
STA 3
STA 2
AP 1
AP 2
WCI:
This AP Only
WCI:
This AP Only
Switch
Wireless Link
Ethernet Link
Fig. 47. Behavior of the “This AP Only” wireless client isolation option.
STA 1
STA 3
STA 2
AP 1
AP 2
WCI:
All APs in This
Subnet
WCI:
All APs in This
Subnet
Switch
Wireless Link
Ethernet Link
Fig. 48. Behavior of the “All APs on This Subnet” wireless client isolation option.
As illustrated in Fig. 47 when AP 1 and AP 2 are using the “This AP Only” option, wireless traffic between STA 1 and STA 2 is blocked by AP 1, while wireless traffic between
STA 2 and STA 3, which are associated with different APs, is still allowed. If the “All
APs in This Subnet” option is used as shown in Fig. 48, AP 1 and AP 2 communicates
with each other via an inter-AP protocol to share their STA association information to
block wireless traffic among all the STAs.
There are up to 7 security modes depending on AP model variations:
•
Open System. No authentication, no data encryption.
44
•
Static WEP. WEP (Wired Equivalent Privacy) keys must be manually configured.
•
Static TKIP (WPA-PSK). Only TKIP (Temporal Key Integrity Protocol) mechanism
of WPA (Wi-Fi Protected Access) is enabled. In this mode, you have to specify the
Pre-shared key, which will be used by the TKIP engine as a master key to generate keys that actually encrypt outgoing packets and decrypt incoming packets.
NOTE: The number of characters of the Pre-shared key setting must be at least 8
and can be up to 63.
•
IEEE 802.1x EAP without Encryption (EAP-MD5). The IEEE 802.1x functionality
is enabled and the user-name/password-based EAP-MD5 authentication is used.
No data encryption.
•
IEEE 802.1x EAP with Static WEP (EAP-MD5). The IEEE 802.1x functionality is
enabled and the user-name/password-based EAP-MD5 authentication is used.
Data encryption is achieved by static WEP.
•
IEEE 802.1x EAP with Dynamic WEP (EAP-TLS, EAP-TTLS, PEAP). The IEEE
802.1x functionality is enabled and dynamic WEP key distribution authentication
(EAP-TLS, EAP-TTLS, or PEAP) is used. Data encryption is achieved by dynamic
WEP.
•
IEEE 802.1x EAP with Dynamic TKIP (WPA). This is a full WPA mode, in which
both the TKIP and IEEE 802.1x dynamic key exchange mechanisms are enabled.
The AP is highly secured in this mode.
In the above security modes, a back-end RADIUS (Remote Authentication Dial-In User
Service) server is needed if IEEE 802.1x functionality is enabled. See Section 3.5.3 for
more information about IEEE 802.1x and RADIUS.
According to the IEEE 802.11 standard, WEP can be used for authentication and data
encryption. Normally, Shared Key authentication is used if WEP data encryption is enabled. In rare cases, Open System authentication may be used when WEP data encryption is enabled. The Authentication algorithm setting is provided for better compatibility with wireless clients with various WLAN network adapters. There are three options
available, including Open System, Shared Key, and Auto.
When WEP is enabled by a security mode, the Key length can be specified to be 64
Bits or 128 Bits. The Selected key setting specifies the key to be used as a send-key
for encrypting traffic from the AP side to the wireless client side. All 4 WEP keys are
used as receive-keys to decrypt traffic from the wireless client side to the AP side.
NOTE: Each field of a WEP key setting is a hex-decimal number from 00 to FF. For
example, when the security mode is Static WEP and the key length is 64 Bits, you
could set Key 1 to “00012E3ADF”.
45
3.5.2.2 MAC-Address-Based Access Control
Fig. 49. MAC-address-based access control settings.
With MAC-Address-Based Access Control, you can specify the wireless client computers that are permitted or not permitted to associate with the AP. When the table type
is set to inclusive, entries in the table are permitted to associate with the AP. When the
table type is set to exclusive, entries in the table are not permitted to associate with the
AP.
To deny wireless clients’ access to the wireless network:
1.
Select Enabled from the Functionality drop-down list.
2.
Set the Access control type to exclusive.
3.
Specify the MAC address of a wireless client to be denied access, and then click
Add.
4.
Repeat Steps 3 for other wireless clients.
To grant wireless clients’ access to the wireless network:
1.
Select Enabled from the Functionality drop-down list.
2.
Set the Access control type to inclusive.
3.
Specify the MAC address of a wireless client to be denied access, and then click
Add.
4.
Repeat Steps 3 for other wireless clients.
To delete an entry in the access control table:
•
Click Delete next to the entry.
NOTE: The size of the access control table is 64.
46
Fig. 50. MAC ACL download settings.
Instead of manually entering MAC addresses to the access control table one by one,
you can prepare a text file that contains all the MAC addresses and put it on a TFTP
server, and then command the AP to download the MAC ACL (Access Control List) file
from the TFTP server. Fig. 51 shows the contents of a sample ACL file.
Fig. 51. Sample MAC ACL file.
To download a MAC ACL file from a TFTP server:
1.
Specify the IP address of the TFTP server in the TFTP server IP address text box.
2.
Specify the name of the MAC ACL file on the TFTP server in the MAC ACL file
name text box.
3.
Click Download.
47
3.5.3
IEEE 802.1x/RADIUS
IEEE 802.1x Port-Based Network Access Control is a new standard for solving some
security issues associated with IEEE 802.11, such as lack of user-based authentication
and dynamic encryption key distribution. With IEEE 802.1x and the help of a RADIUS
(Remote Authentication Dial-In User Service) server and a user account database, an
enterprise or ISP (Internet Service Provider) can manage its mobile users’ access to its
wireless LANs. Before granted access to a wireless LAN supporting IEEE 802.1x, a
user has to issue his or her user name and password or digital certificate to the backend
RADIUS server by EAPOL (Extensible Authentication Protocol Over LAN). The RADIUS
server can record accounting information such as when a user logs on to the wireless
LAN and logs off from the wireless LAN for monitoring or billing purposes.
The IEEE 802.1x functionality of the access point is controlled by the security mode
(see Section 0). So far, the wireless access point supports two authentication mechanisms—EAP-MD5 (Message Digest version 5), EAP-TLS (Transport Layer Security). If
EAP-MD5 is used, the user has to give his or her user name and password for authentication. If EAP-TLS is used, the wireless client computer automatically gives the user’s
digital certificate that is stored in the computer hard disk or a smart card for authentication. And after a successful EAP-TLS authentication, a session key is automatically
generated for wireless packets encryption between the wireless client computer and its
associated wireless access point. To sum up, EAP-MD5 supports only user authentication, while EAP-TLS supports user authentication as well as dynamic encryption key
distribution.
IEEE 802.1x-Compliant
Wireless Client
Wireless AP
user authentication
Internet
Wireless AP
user authentication
RADIUS
Server
User
Database
Fig. 52. IEEE 802.1x and RADIUS.
An access point supporting IEEE 802.1x can be configured to communicate with two
48
RADIUS servers. When the primary RADIUS server fails to respond, the wireless access point will try to communicate with the secondary RADIUS server. You can specify
the length of timeout and the number of retries before communicating with the secondary RADIUS server after failing to communicate with the primary RADIUS server.
An IEEE 802.1x-capable wireless access point and its RADIUS server(s) share a secret
key so that they can authenticate each other. In addition to its IP address, a wireless
access point can identify itself by an NAS (Network Access Server) identifier. Each
IEEE 802.1x-capable wireless access point must have a unique NAS identifier.
Fig. 53. IEEE 802.1x/RADIUS settings.
TIP: Refer to the IEEE 802.1x-related white papers on the companion CD-ROM for
more information about deploying secure WLANs with IEEE 802.1x support.
49
3.6 Configuring Advanced Settings
3.6.1 Packet Filters
The AP provides layer 2 (Ethernet Type Filters), layer 3 (IP Protocol Filters), and layer 4
(TCP/UDP Port Filters) filtering capabilities. The configuration processes for the filters
are similar.
Functionality: whether this filtering capability is enabled or disabled.
Policy for matched packets: how a matched packet is processed—discard or pass.
To enable a filtering rule: select the check box to the left of the rule.
3.6.1.1 Ethernet Type Filters
Fig. 54. Ethernet type filters settings.
The Ethernet type filed of the MAC (Media Access Control) header of a packet incoming
from the WLAN or Ethernet interface is inspected for filtering. In a rule, specify the
hex-decimal Ethernet type number and give the rule a name.
50
3.6.1.2 IP Protocol Filters
Fig. 55. IP protocol filters settings.
The protocol, source address, and destination address fields of a packet incoming from
the WLAN or Ethernet interface is inspected for filtering. In a rule, specify the
hex-decimal protocol number, source IP address range (Source IP Address AND
Source Subnet Mask), and destination IP address range (Destination IP Address AND
Destination Subnet Mask).
A source (destination) IP address range is determined by performing an AND operation
on the source (destination) IP address field and the source (destination) subnet mask
field. For example, if the source IP address field is 192.168.1.254 and the source subnet
mask field is 255.255.255.0, the resultant source IP address range is 192.168.0.0 to
192.168.0.255.
3.6.1.3 TCP/UDP Port Filters
Fig. 56. TCP/UDP port filters settings.
The destination port field the TCP or UDP header of a packet incoming from the WLAN
or Ethernet interface is inspected for filtering. In a rule, specify the decimal Destination
Port, Protocol type (TCP/UDP), and the name of the higher-level protocol (Application
Name).
51
3.6.2 Management
3.6.2.1 UPnP
Fig. 57. UpnP settings.
UpnP (Universal Plug and Play) enables a Windows XP user to automatically discover
peripheral devices by HTTP. When the UpnP functionality is enabled, you can see the
AP in My Network Places of Windows XP. The AP can be given a friend name that will
be shown in My Network Places. Double-clicking the icon in My Network Places that
stands for the AP will launch the default Web browser for you to configure the AP.
52
3.6.2.2 System Log
Fig. 58. System log settings.
System events can be logged to the on-board RAM of the AP (Local log) or sent to a
remote computer on which an SNMP trap monitor program runs (Remote log by SNMP
trap). See the next subsection for more information about SNMP trap settings.
The system events are divided into the following categories:
•
General: system and network connectivity status changes.
•
Built-in AP: wireless client association and WEP authentication status changes.
•
•
MIB II traps: Cold Start, Warm Start, Link Up, Link Down and SNMP Authentication Failure.
RADIUS user authentication: RADIUS user authentication status changes.
NOTE: The SNMP Authentication Failure trap is issued when using an incorrect community string to manage the AP via SNMP and the SNMP MIB II OID, snmpEnableAuthenTraps, is enabled (disabled by default).
53
3.6.2.3 SNMP
Fig. 59. SNMP settings.
The SNMP (Simple Network Management Protocol) functionality can be disabled, and
you can specify the name (used as a password) of the read-only and read-write community. In addition, up to 5 SNMP trap targets can be set in the SNMP Trap Table.
To specify a trap target:
1.
Type the IP address of the target host.
2.
Type the Community for the host.
3.
Select the corresponding check box next to the IP address text box.
54
Appendix A: Default Settings
TIP: Press the Default (SF-Reset, or Soft-Reset) switch on the housing of a powered-on AP to reset the configuration settings to factory-default values.
Setting Name
Global
User Name
Password
IEEE 802.11g
Regulatory Domain
Channel Number
SSID
SSID Broadcasts
Transmission Rate
Transmit Power
MAC Address
Security Mode
Selected WEP Key
WEP Key #1
WEP Key #2
WEP Key #3
WEP Key #4
MAC-Address-Based Access
Control
Access Control Table Type
Wireless Client Isolation
AP Load balancing
Link Integrity
Association Control
Max Number of Clients
Block Clients if Traffic
Load Exceeds
LAN Interface
Method of obtaining an IP Address
IP Address
Subnet Mask
Default Gateway
DHCP Server
Management
UPnP
Default Value
root
root
FCC (U.S.)
11
wireless
Enabled
Auto
High
See the label on the accompanying
PCMCIA card or the label on the
housing of the AP.
Open System
Key #1
00-00-00-00-00
00-00-00-00-00
00-00-00-00-00
00-00-00-00-00
Disabled
Inclusive
Disabled
Disabled
Disabled
64
Disabled
Set manually
192.168.1.254
255.255.255.0
0.0.0.0
Disabled
Enabled
55
System Log
SNMP
SNMP read community
SNMP write community
Telnet
Local Log
Enabled
public
private
Enabled
56
Appendix B: Troubleshooting
Check the following first:
•
Make sure that the power of the AP is on and the Ethernet cables are connected
firmly to the RJ-45 jacks of the AP.
•
Make sure that the LED ALV of the AP is blinking to indicate the AP is working.
•
Make sure the types of the Ethernet cables are correct. Recall that there are two
types—normal and crossover.
B-1: Wireless Settings Problems
•
The wireless client computer cannot associate with an AP.
ƒ
Is the wireless client set in infrastructure mode?
Check the operating mode of the WLAN NIC.
ƒ
Is the SSID of the WLAN NIC identical to that of the prospective AP?
Check the SSID setting of the WLAN NIC and of the AP.
ƒ
Is the WEP functionality of the prospective AP enabled?
Make appropriate WEP settings of the client computer to match those of the AP.
ƒ
Is the prospective AP within range of wireless communication?
Check the signal strength and link quality sensed by the WLAN NIC.
57
B-2: TCP/IP Settings Problems
Correspondent
Host
IEEE 802.11g
Internet
Ethernet LAN
Stage A
Client
Computer
State B
AP
Stage D
Default Gateway
of Client Computer
DNS Server
of Client Computer
Fig. 60. Communication stages for a client to reach its correspondent host.
For a wireless client computer to communicate with a correspondent host on the Internet by the host’s domain name (e.g. http://www.wi-fi.com), it first sends a DNS request
to a DNS server on the Internet. The DNS request travels first to the AP, then the AP
relays this request to the default gateway of the client computer. Finally, this request is
forwarded by the gateway to the DNS server on the Internet. The DNS reply issued by
the DNS server is transmitted back to the client computer following a reverse path.
When the client computer receives the DNS reply, it knows the IP address of the correspondent host and sends further packets to this IP address.
As illustrated in Fig. 60, the communication path could be broken at some of the stages.
The OS-provided network diagnostic tool, ping.exe, can be employed to find out
TCP/IP-related communication problems.
NOTE: If two or more NICs are installed and operating on a client computer, TCP/IP
may not work properly due to incorrect entries in the routing table. Use the OS-provided
command-line network tool, route.exe, to add or delete entries from the routing table.
Or, use Windows-provided Device Manager to disable unnecessary NICs.
Solve the following problems in order:
•
The AP does not respond to ping from the client computer.
ƒ
Are two or more NICs installed on the client computer?
58
Use the OS-provided command-line network tool, route.exe, to modify the
contents of the routing table.
Use Windows-provided Device Manager to disable unnecessary NICs.
ƒ
Is the underlying link (Ethernet or IEEE 802.11g) established?
Make sure the Ethernet link is OK.
Make sure the wireless settings of the wireless client computer and of the
AP match.
ƒ
Are the IP address of the client computer and the IP address of the AP in the
same IP subnet?
Use WinIPCfg.exe or IPConfig.exe to see the current IP address of the
client computer. Make sure the IP address of the client computer and the
IP address of the AP are in the same IP subnet.
TIP: If you forget the current IP address of the AP, use Wireless Router/AP
Browser to get the information (see Appendix B-3).
•
•
The default gateway of the client computer does not respond to ping from the
client computer.
ƒ
Solve the preceding problem first.
ƒ
Are the IP address of the AP and the IP address of the client computer in the
same IP subnet?
ƒ
If you cannot find any incorrect settings of the AP, the default gateway may be
really down or there are other communication problems on the network backbone.
The DNS server(s) of the client computer do not respond to ping from the client computer.
ƒ
Solve the preceding problems first.
ƒ
If you cannot find any incorrect settings of the AP, the default gateway of the AP
may be really down or there are other communication problems on the network
backbone.
59
B-3: Unknown Problems
•
The AP has been set to obtain an IP address automatically by DHCP. How can I know
its acquired IP address so that I can manage it using a Web browser?
ƒ
Use the utility, Wireless Router/AP Browser (WLBrwsr.exe), in the “Utilities” folder on
the companion CD-ROM disc. This utility can discover nearby APs and show their MAC
addresses and IP addresses. In addition, it can launch the default Web browser on
your computer.
Fig. 61. Wireless Router/AP Browser.
•
The AP stops working and does not respond to Web management requests.
ƒ
The firmware of the AP may be stuck in an incorrect state.
Unplug the power connector from the power jack, and then re-plug the connector
to restart the AP.
Contact our technical support representatives to report this problem, so that the
bugs can be static in future firmware versions.
ƒ
If the AP still does not work after restarting, there may be hardware component failures
in the AP.
Contact our technical support representatives for repair.
60
Appendix C: Additional Information
C-1: Firmware Upgrade Using Xmodem Upgrade
Fig. 62. Xmodem Upgrade.
To upgrade the firmware of AP using Xmodem Upgrade over RS232:
1.
Power off the AP whose firmware will be upgraded.
2.
Connect the managing PC and the AP with an RS232 Null Modem cable.
3.
Select the serial port (COM1 or COM2) you use for connecting the device from the
Serial port drop-down list and click Connect.
4.
Chose the folder in which the firmware files reside by clicking Browse.
5.
Power on the AP and you'll see bootup information.
6.
Click Start to begin the firmware upgrade of the AP.
7.
You will be prompted when the upgrade process is complete.
Click Erase Config to reset the configuration settings of the AP to default values.
61
90000435 Rev A
62