Advanced Configuration
SYSTIMAX  AirSPEED  AP542 User Guide
Figure 4-13 Static MAC Configuration Screen
Static MAC Filter Examples
Consider a network that contains a wired server and three wireless clients. The MAC address for each unit is as follows:
– Wired Server: 00:40:F4:1C:DB:6A
– Wireless Client 1: 00:02:2D:51:94:E4
– Wireless Client 2: 00:02:2D:51:32:12
– Wireless Client 3: 00:20:A6:12:4E:38
Prevent Two Specific Devices from Communicating
Configure the following settings to prevent the Wired Server and Wireless Client 1 from communicating:
• Wired MAC Address: 00:40:F4:1C:DB:6A
• Wired Mask: FF:FF:FF:FF:FF:FF
• Wireless MAC Address: 00:02:2D:51:94:E4
• Wireless Mask: FF:FF:FF:FF:FF:FF
Result: Traffic between the Wired Server and Wireless Client 1 is blocked. Wireless Clients 2 and 3 can still communicate with the Wired Server.
Prevent Multiple Wireless Devices From Communicating With a Single Wired Device
Configure the following settings to prevent Wireless Clients 1 and 2 from communicating with the Wired Server:
• Wired MAC Address: 00:40:F4:1C:DB:6A
• Wired Mask: FF:FF:FF:FF:FF:FF
• Wireless MAC Address: 00:02:2D:51:94:E4
• Wireless Mask: FF:FF:FF:00:00:00
Result: When a logical “AND” is performed on the Wireless MAC Address and the Wireless Mask, the result matches any MAC address beginning with the 00:02:2D prefix (the first three octets, i.e. the OUI). Since Wireless Client 1 and Wireless Client 2 share that prefix, traffic between the Wired Server and Wireless Clients 1 and 2 is blocked. Wireless Client 3 can still communicate with the Wired Server since it has a different prefix (00:20:A6).
Prevent All Wireless Devices From Communicating With a Single Wired Device
Configure the following settings to prevent all three Wireless Clients from communicating with the Wired Server:
• Wired MAC Address: 00:40:F4:1C:DB:6A
• Wired Mask: FF:FF:FF:FF:FF:FF
• Wireless MAC Address: 00:00:00:00:00:00
• Wireless Mask: 00:00:00:00:00:00
Result: An all-zero Wireless Mask matches every wireless address, so the Access Point blocks all traffic between the Wired Server and all wireless clients.
Prevent A Wireless Device From Communicating With the Wired Network
Configure the following settings to prevent Wireless Client 3 from communicating with any device on the Ethernet:
• Wired MAC Address: 00:00:00:00:00:00
• Wired Mask: 00:00:00:00:00:00
• Wireless MAC Address: 00:20:A6:12:4E:38
• Wireless Mask: FF:FF:FF:FF:FF:FF
Result: The Access Point blocks all traffic between Wireless Client 3 and the Ethernet network.
Prevent Messages Destined for a Specific Multicast Group from Being Forwarded to the Wireless LAN
If there are devices on your Ethernet network that use multicast packets to communicate and these packets are not
required by your wireless clients, you can set up a Static MAC filter to preserve wireless bandwidth. For example, if
routers on your network use a specific multicast address (such as 01:00:5E:00:32:4B) to exchange information, you
can set up a filter to prevent these multicast packets from being forwarded to the wireless network:
• Wired MAC Address: 01:00:5E:00:32:4B
• Wired Mask: FF:FF:FF:FF:FF:FF
• Wireless MAC Address: 00:00:00:00:00:00
• Wireless Mask: 00:00:00:00:00:00
Result: The Access Point does not forward any packets that have a destination address of 01:00:5E:00:32:4B to the wireless network.
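The five examples above all follow one rule: each side of the frame is ANDed with its mask and compared with the masked filter address, and the frame is dropped only when both sides match. The following Python is an added illustration of that rule written for this page; it is not the guide's own material or the AP's firmware. The guide does not say whether the AP compares the wired-side and wireless-side addresses irrespective of which one is the source, so that is assumed here.

```python
"""Static MAC filter matching, as an added illustration of the examples above.

A Static MAC filter entry holds a wired MAC/mask pair and a wireless MAC/mask
pair.  A frame crossing the bridge is dropped when BOTH sides match:
    (wired_addr    AND wired_mask)    == (entry.wired_mac    AND wired_mask)
    (wireless_addr AND wireless_mask) == (entry.wireless_mac AND wireless_mask)
An all-FF mask pins one exact address, an all-00 mask matches anything, and
FF:FF:FF:00:00:00 matches a whole OUI prefix.
Assumption (not stated on the page): the AP compares the wired-side address
and the wireless-side address of a frame regardless of which is source or
destination.
"""
from dataclasses import dataclass
from typing import Iterable


def mac_to_int(mac: str) -> int:
    """'00:40:F4:1C:DB:6A' (colon, dash or no delimiter) -> 48-bit integer."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class StaticMacFilter:
    wired_mac: str
    wired_mask: str
    wireless_mac: str
    wireless_mask: str

    def blocks(self, wired_addr: str, wireless_addr: str) -> bool:
        """True if this entry drops traffic between the two addresses."""
        wired_mask = mac_to_int(self.wired_mask)
        wireless_mask = mac_to_int(self.wireless_mask)
        wired_hit = (mac_to_int(wired_addr) & wired_mask) == (mac_to_int(self.wired_mac) & wired_mask)
        wireless_hit = (mac_to_int(wireless_addr) & wireless_mask) == (mac_to_int(self.wireless_mac) & wireless_mask)
        return wired_hit and wireless_hit


def is_blocked(filters: Iterable[StaticMacFilter], wired_addr: str, wireless_addr: str) -> bool:
    """A frame is dropped if any configured entry matches it."""
    return any(f.blocks(wired_addr, wireless_addr) for f in filters)


# Addresses from the guide's examples.
WIRED_SERVER = "00:40:F4:1C:DB:6A"
CLIENT1 = "00:02:2D:51:94:E4"
CLIENT2 = "00:02:2D:51:32:12"
CLIENT3 = "00:20:A6:12:4E:38"
ANY, EXACT, OUI = "00:00:00:00:00:00", "FF:FF:FF:FF:FF:FF", "FF:FF:FF:00:00:00"

# The five filter entries configured in the examples above.
EXAMPLE_FILTERS = {
    "server_vs_client1":      StaticMacFilter(WIRED_SERVER, EXACT, CLIENT1, EXACT),
    "server_vs_oui_00022D":   StaticMacFilter(WIRED_SERVER, EXACT, CLIENT1, OUI),
    "server_vs_all_wireless": StaticMacFilter(WIRED_SERVER, EXACT, ANY, ANY),
    "client3_vs_all_wired":   StaticMacFilter(ANY, ANY, CLIENT3, EXACT),
    "multicast_to_wireless":  StaticMacFilter("01:00:5E:00:32:4B", EXACT, ANY, ANY),
}


def check_example(name: str, wired_addr: str, wireless_addr: str) -> bool:
    """Evaluate one of the guide's example entries against a wired/wireless address pair."""
    return EXAMPLE_FILTERS[name].blocks(wired_addr, wireless_addr)


if __name__ == "__main__":
    for name, entry in EXAMPLE_FILTERS.items():
        for client in (CLIENT1, CLIENT2, CLIENT3):
            verdict = "BLOCK" if entry.blocks(WIRED_SERVER, client) else "pass"
            print(f"{name:24s} server<->{client}: {verdict}")
```

Static MAC filters act only on Layer 2 addresses, which any station can set freely. They are useful for keeping unwanted traffic off the air and for coarse segmentation, but a client that spoofs the Wired Server's address or another client's address is not stopped by them; use 802.1x or WPA for access control and treat MAC filters as a bandwidth and tidiness tool.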
Advanced
You can configure the following advanced filtering options:
• Enable Proxy ARP: Place a check mark in the box provided to allow the Access Point to respond to Address Resolution Protocol (ARP) requests for wireless clients. When enabled, the AP answers ARP requests for wireless stations without actually forwarding them to the wireless network. If disabled, the Access Point will bridge ARP requests for wireless clients to the wireless LAN.
• Enable IP/ARP Filtering: Place a check mark in the box provided to allow IP/ARP filtering based on the IP/ARP Filtering Address and IP Mask. Leave the box unchecked to prevent filtering. If enabled, you should also configure the IP/ARP Filtering Address and IP/ARP IP Mask.
  – IP/ARP Filtering Address: Enter the Network filtering IP Address.
  – IP/ARP IP Mask: Enter the Network Mask IP Address.
The following protocols are listed in the Advanced Filter Table:
• Deny IPX RIP
• Deny IPX SAP
• Deny IPX LSP
• Deny IP Broadcasts
• Deny IP Multicasts
The AP can filter these protocols in the wireless-to-Ethernet direction, the Ethernet-to-wireless direction, or in both
directions. Click Edit and use the Status field to Enable or Disable the filter.
TCP/UDP Port
Port-based filtering enables you to control wireless user access to network services by selectively blocking TCP/UDP
protocols through the AP. A user specifies a Protocol Name, Port Number, Port Type (TCP, UDP, or TCP/UDP), and
filtering interfaces (Wireless only, Ethernet only, all interfaces, or no interfaces) in order to block access to services,
such as Telnet and FTP, and traffic, such as NETBIOS and HTTP.
For example, an AP with the following configuration would discard frames received on its Ethernet interface with a
UDP destination port number of 137, effectively blocking NETBIOS Name Service packets.
Protocol Type (TCP/UDP)   Destination Port Number   Protocol Name           Interface   Status (Enable/Disable)
UDP                       137                       NETBIOS Name Service    Ethernet    Enable
Adding TCP/UDP Port Filters
1. Place a check mark in the box labeled Enable TCP/UDP Port Filtering.
2. Click Add under the TCP/UDP Port Filter Table heading.
3. In the TCP/UDP Port Filter Table, enter the Protocol Names to filter.
4. Set the destination Port Number (a value between 0 and 65535) to filter. See the IANA Web site at http://www.iana.org/assignments/port-numbers for a list of assigned port numbers and their descriptions.
5. Set the Port Type for the protocol: TCP, UDP, or both (TCP/UDP).
6. Set the Interface to filter:
   • Wireless
   • Ethernet
   • All interfaces
   • No interfaces
7. Click OK.
Editing TCP/UDP Port Filters
1. Click Edit under the TCP/UDP Port Filter Table heading.
2. Make any changes to the Protocol Name or Port Number for a specific entry, if necessary.
3. In the row that defines the port, set the Status to Enable, Disable, or Delete, as appropriate.
4. Select OK.
Alarms
This category has three sub-categories:
– Groups
– Alarm Host Table
– Syslog
Groups
There are seven alarm groups that can be enabled or disabled via the Web interface. Place a check mark in the box provided to enable a specific group. Remove the check mark from the box to disable the alarms. Alarm Severity Levels vary.
• Configuration Alarm
  Trap Name: oriTrapDNSIPNotConfigured
  Description: This trap is generated when the DNS IP Address has not been configured.
  Severity Level: Major
• Security Alarms
  Trap Name: oriTrapAuthenticationFailure
  Description: This trap is generated when a client authentication failure occurs. The authentication failures can range from:
  - MAC Access Control Table
  - RADIUS MAC Authentication
  - 802.1x Authentication specifying the EAP-Type
  Severity Level: Major
  Trap Name: oriTrapUnauthorizedManagerDetected
  Description: This trap is generated when an unauthorized manager has attempted to view and/or modify parameters.
  Severity Level: Major
• Wireless Alarms
  Trap Name: oriTrapWLCFailure
  Description: This trap is generated when a general failure occurs with the wireless interface/radio.
  Severity Level: Critical
  Trap Name: oriTrapWLCFirmwareDownloadFailure
  Description: This trap is generated when a failure occurs during the firmware download process of the wireless interface/radio.
  Severity Level: Critical
• Operational Alarms
  Trap Name: oriTrapWatchDogTimerExpired
  Description: This trap is generated when the software watchdog timer expires. This indicates that a problem has occurred with one or more software modules and the AP will reboot automatically.
  Trap Severity Level: Critical
  Trap Name: oriTrapRADIUSServerNotResponding
  Description: This trap is generated when no response is received from the RADIUS server(s) for authentication requests sent from the RADIUS client in the AP.
  Trap Severity Level: Major
  Trap Name: oriTrapModuleNotInitialized
  Description: This trap is generated when a certain software or hardware module is not initialized or fails to initialize.
  Trap Severity Level: Major
  Trap Name: oriTrapDeviceRebooting
  Description: This trap is generated when the AP is rebooting.
  Trap Severity Level: Informational
  Trap Name: oriTrapTaskSuspended
  Description: This trap is generated when a software task in the AP is suspended.
  Trap Severity Level: Critical
  Trap Name: oriTrapBootPFailed
  Description: In bootloader mode, this trap is generated when the AP does not receive a response from the BootP server. The result is that the Access Point reverts to its static IP configuration and you will need to reset the configuration options.
  Trap Severity Level: Major
  Trap Name: oriTrapDHCPFailed
  Description: In operational mode, this trap is generated when the AP does not receive a response from the DHCP server. The result is that the Access Point reverts to its static IP configuration and you will need to reset the configuration options.
  Trap Severity Level: Major
• FLASH Memory Alarms
  Trap Name: oriTrapFlashMemoryEmpty
  Description: This trap is generated when an error occurs while downloading a file to the AP and no data is present in the flash memory.
  Severity Level: Informational
  Trap Name: oriTrapFlashMemoryCorrupted
  Description: This trap is generated when an error occurs while downloading a file to the AP and the data in the flash memory is invalid or corrupted.
  Severity Level: Critical
• TFTP Alarms
  Trap Name: oriTrapTFTPFailedOperation
  Description: This trap is generated when a failure occurs during a TFTP upload or download operation.
  Severity Level: Major
  Trap Name: oriTrapTFTPOperationInitiated
  Description: This trap is generated when a TFTP upload or download operation is started.
  Severity Level: Informational
  Trap Name: oriTrapTFTPOperationCompleted
  Description: This trap is generated when a TFTP operation is complete (upload or download).
  Severity Level: Informational
• Image Alarms
  Trap Name: oriTrapZeroSizeImage
  Description: This trap is generated when a zero size image is loaded on the AP.
  Trap Severity Level: Major
  Trap Name: oriTrapInvalidImage
  Description: This trap is generated when an invalid image is loaded in the Access Point.
  Trap Severity Level: Major
  Trap Name: oriTrapImageTooLarge
  Description: This trap is generated when the image loaded in the AP exceeds the size limitation of the flash memory.
  Trap Severity Level: Major
  Trap Name: oriTrapIncompatibleImage
  Description: This trap is generated when an incompatible image is loaded in the AP.
  Trap Severity Level: Major
In addition, the AP supports these standard traps, which are always enabled:
• RFC 1215 Traps
  Trap Name: coldStart
  Description: The AP has been turned on or rebooted.
  Trap Severity Level: Informational
  Trap Name: linkUp
  Description: The AP's Ethernet interface link is up (working).
  Trap Severity Level: Informational
  Trap Name: linkDown
  Description: The AP's Ethernet interface link is down (not working).
  Trap Severity Level: Informational
• Bridge MIB (RFC 1493) Alarms
  Trap Name: newRoot
  Description: This trap indicates that the AP has become the new root in the Spanning Tree network.
  Trap Severity Level: Informational
  Trap Name: topologyChange
  Description: This trap is sent by the AP when any of its configured ports transitions from the Learning state to the Forwarding state, or from the Forwarding state to the Blocking state. This trap is not sent if a newRoot trap is sent for the same transition.
  Trap Severity Level: Informational
All these alarm groups correspond to System Alarms that are displayed in the System Status screen, including the
traps that are sent by the AP to the SNMP managers specified in the Alarm Host Table.
Severity Levels
There are three severity levels for system alarms:
– Critical
– Major
– Informational
Critical alarms will often result in severe disruption in network activity or an automatic reboot of the AP.
Major alarms are usually activated due to a breach in the security of the system. Clients cannot be authenticated or an
attempt at unauthorized access into the AP has been detected.
Informational alarms are there to provide the network administrator with some general information about the activities
the AP is performing.
Alarm Host Table
To add an entry and enable the AP to send SNMP trap messages to a Trap Host, click Add, and then specify the IP Address and Password for the Trap Host.
• IP Address: Enter the Trap Host IP Address.
• Password: Enter the password in the Password field and the Confirm field.
• Comment: Enter an optional comment, such as the alarm (trap) host station name.
To edit or delete an entry, click Edit. Edit the information, or select Enable, Disable, or Delete from the Status
drop-down menu.
Syslog
The Syslog messaging system enables the AP to transmit event messages to a central server for monitoring and
troubleshooting. The AP can send messages to one Syslog server (it cannot send messages to more than one Syslog
server). The access point logs “Session Start (Log-in)” and “Session Stop (Log-out)” events for each wireless client as
an alternative to RADIUS accounting.
See RFC 3164 at http://www.rfc-editor.org for more information on the Syslog standard.
Figure 4-14 Syslog Configuration Screen
Setting Syslog Event Notifications
Syslog Events are logged according to the level of detail specified by the administrator. Logging only urgent system messages will create a far smaller, more easily read log than a log of every event the system encounters. Determine which events to log by selecting a priority defined by the following scale:
Event         Priority   Description
LOG_EMERG     0          system is unusable
LOG_ALERT     1          action must be taken immediately
LOG_CRIT      2          critical conditions
LOG_ERR       3          error conditions
LOG_WARNING   4          warning conditions
LOG_NOTICE    5          normal but significant condition
LOG_INFO      6          informational
LOG_DEBUG     7          debug-level messages
Configuring Syslog Event Notifications
You can configure the following Syslog settings from the HTTP interface:
• Enable Syslog: Place a check mark in the box provided to enable system logging.
• Syslog Port Number: This field is read-only and displays the port number (514) assigned for system logging.
• Syslog Lowest Priority Logged: The AP sends event messages to the Syslog server whose priority value is at or below the selected value (lower values are more severe). For example, if set to 6, the AP transmits event messages labeled priority 0 to 6 and suppresses priority 7 (LOG_DEBUG) messages. This parameter supports a range between 1 and 7; 6 is the default.
• Syslog Heartbeat Status: When Heartbeat is enabled, the AP periodically sends a message to the Syslog server to indicate that it is active.
• Syslog Heartbeat Interval: If Syslog Heartbeat Status is enabled, this field provides the interval for the heartbeat in seconds. The default is 900 seconds.
• Syslog Host Table: This table specifies the IP addresses of network servers that the AP will send Syslog messages to. Click Add to create a new entry. Click Edit to change an existing entry. Each entry contains the following fields:
  – IP Address: Enter the IP Address for the management host.
  – Comment: Enter an optional comment such as the host name.
  – Status: The entry is enabled automatically when saved (so the Status field is only visible when editing an entry). You can also disable or delete entries by changing this field’s value.
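On the collector side, the two settings that matter operationally are the priority threshold and the heartbeat. The following Python is an added example for this page (not the AP's code or the guide's own material): it parses the RFC 3164 PRI field of lines as a collector would receive them, applies the same severity cut-off as "Syslog Lowest Priority Logged", and flags heartbeats that arrive late against the 900-second default. The sample lines and the word "heartbeat" in them are constructed for the example; the page does not document the AP's actual message text.

```python
"""Syslog priority and heartbeat handling for messages from the AP, as an added
example (not the AP's own code).  The PRI field at the start of an RFC 3164
message is facility * 8 + severity; the severity values are the 0..7 scale in
the table above and are what "Syslog Lowest Priority Logged" filters on.
Message wording below is constructed for the example; the page does not
document the AP's actual message text or its heartbeat string.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SEVERITY_NAMES = ["LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
                  "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


@dataclass(frozen=True)
class SyslogMessage:
    facility: int
    severity: int
    body: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_syslog(raw: str) -> SyslogMessage:
    """Split the PRI field of an RFC 3164 line into facility and severity."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError(f"no PRI field: {raw!r}")
    pri = int(m.group(1))
    if pri > 191:                         # facility 23 * 8 + severity 7 is the maximum
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogMessage(facility=pri // 8, severity=pri % 8, body=m.group(2))


def would_be_sent(msg: SyslogMessage, lowest_priority_logged: int) -> bool:
    """Mirror the AP setting: severities 0..N are sent, N+1..7 are suppressed."""
    return msg.severity <= lowest_priority_logged


def heartbeat_gaps(events: Iterable[Tuple[float, str]],
                   interval_s: float = 900.0, slack: float = 1.5) -> List[float]:
    """Return the timestamps of heartbeats that arrived more than slack * interval
    after the previous one.  A collector watching for this gap is how a dead AP,
    a cut uplink or a blocked UDP/514 path gets noticed, since syslog itself
    never reports a sender that has gone quiet."""
    gaps, last = [], None
    for ts, raw in events:
        if "heartbeat" in parse_syslog(raw).body.lower():
            if last is not None and ts - last > slack * interval_s:
                gaps.append(ts)
            last = ts
    return gaps


# Constructed sample: (seconds since collector start, raw line).  <134> is
# facility local0 (16) with severity 6 (LOG_INFO); <132> is severity 4.
SAMPLE = [
    (0,    "<134>AP542: heartbeat"),
    (900,  "<134>AP542: heartbeat"),
    (950,  "<132>AP542: RADIUS server not responding"),
    (3600, "<134>AP542: heartbeat"),      # 2700 s after the previous one: overdue
    (4500, "<134>AP542: heartbeat"),
]


def run_sample(lowest_priority_logged: int = 6) -> Tuple[List[str], List[float]]:
    """Lines the AP would emit at the given threshold, and the heartbeat gaps seen."""
    sent = [raw for _, raw in SAMPLE
            if would_be_sent(parse_syslog(raw), lowest_priority_logged)]
    return sent, heartbeat_gaps(SAMPLE)
```

RFC 3164 syslog is plain UDP to port 514 with no authentication or integrity protection, so the path from the AP to the collector is part of the trust boundary: keep the collector on the management network rather than on a segment wireless clients can reach, and rely on the heartbeat gap rather than on the absence of error messages to tell a healthy AP from a silent one.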
Bridge
The AP is a bridge between your wired and wireless networking devices. As a bridge, the functions performed by the
AP include:
• MAC address learning
• Forward and filtering decision making
• Spanning Tree protocol used for loop avoidance
Once the AP is connected to your network, it learns which devices are connected to it and records their MAC
addresses in the Learn Table. The table can hold up to 10,000 entries. To view the Learn Table, click on the Monitor
button in the web interface and select the Learn Table tab.
The Bridge tab has four sub-categories.
– Spanning Tree
– Storm Threshold
– Intra BSS
– Packet Forwarding
Spanning Tree
A Spanning Tree is used to avoid redundant communication loops in networks with multiple bridging devices. Bridges
do not have any inherent mechanism to avoid loops, because having redundant systems is a necessity in certain
networks. However, redundant systems can cause Broadcast Storms, multiple frame copies, and MAC address table
instability problems.
Complex network structures can create multiple loops within a network. The Spanning Tree configuration blocks
certain ports on AP devices to control the path of communication within the network, avoiding loops and following a
spanning tree structure.
For more information on Spanning Tree protocol, please see Section 8.0 of the IEEE 802.1d standard. The Spanning
Tree configuration options are advanced settings. SYSTIMAX recommends that you leave these parameters at their
default values unless you are familiar with the Spanning Tree protocol.
Storm Threshold
Storm Threshold is an advanced Bridge setup option that you can use to protect the network against data overload by:
• Specifying a maximum number of frames per second as received from a single network device (identified by its MAC address).
• Specifying an absolute maximum number of messages per port.
The Storm Threshold parameters allow you to specify a set of thresholds for each port of the AP, identifying separate
values for the number of broadcast messages/second and Multicast messages/second.
When the number of frames for a port or identified station exceeds the maximum value per second, the AP will ignore
all subsequent messages issued by the particular network device, or ignore all messages of that type.
– Address Threshold: Enter the maximum allowed number of packets per second from a single source MAC address.
– Ethernet Threshold: Enter the maximum allowed number of packets per second on the Ethernet port.
– Wireless Threshold: Enter the maximum allowed number of packets per second on the wireless port.
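The interaction between the per-address and per-port thresholds is easier to see in code. The following Python is an added example written for this page, not AP firmware: it keeps the three counters the settings above describe and drops every further frame a counter covers once that counter passes its limit in the current second. The guide does not say whether the AP uses fixed one-second windows or whether the port thresholds count broadcast and multicast together; both are assumptions of this example, as are the threshold values in the scenario.

```python
"""Per-second storm thresholds as described above (added example, not AP firmware).

Three counters are kept: frames per source MAC address (Address Threshold) and
broadcast/multicast frames per port (Ethernet Threshold, Wireless Threshold).
Once a counter exceeds its limit inside the current one-second window, every
further frame that counter covers is dropped until the window rolls over.
Assumptions not stated on the page: windows are fixed one-second slots, and the
port thresholds count broadcast and multicast frames together.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Tuple

BROADCAST = "FF:FF:FF:FF:FF:FF"


def is_multicast(dst_mac: str) -> bool:
    """The I/G bit (least-significant bit of the first octet) marks group addresses."""
    return int(dst_mac.split(":")[0], 16) & 1 == 1


@dataclass
class StormThreshold:
    address_threshold: int       # frames/s accepted from one source MAC
    ethernet_threshold: int      # broadcast/multicast frames/s on the Ethernet port
    wireless_threshold: int      # broadcast/multicast frames/s on the wireless port
    _counts: Dict[Tuple[str, str, int], int] = field(default_factory=lambda: defaultdict(int))

    def accept(self, t: float, port: str, src_mac: str, dst_mac: str) -> bool:
        """Return True if the frame is forwarded, False if a threshold drops it."""
        window = int(t)
        checks = [(("addr", src_mac.upper(), window), self.address_threshold)]
        if dst_mac.upper() == BROADCAST or is_multicast(dst_mac):
            limit = self.ethernet_threshold if port == "ethernet" else self.wireless_threshold
            checks.append((("port", port, window), limit))
        forwarded = True
        for key, limit in checks:
            self._counts[key] += 1          # count even frames that are dropped
            if self._counts[key] > limit:
                forwarded = False
        return forwarded


def simulate_broadcast_storm() -> Tuple[int, bool, bool, bool]:
    """Constructed scenario: Wireless Client 1 sends 50 broadcasts within one second
    against Address Threshold 20 and Wireless Threshold 30."""
    st = StormThreshold(address_threshold=20, ethernet_threshold=30, wireless_threshold=30)
    client1, client2, server = "00:02:2D:51:94:E4", "00:02:2D:51:32:12", "00:40:F4:1C:DB:6A"
    forwarded = sum(st.accept(0.5 + i * 0.001, "wireless", client1, BROADCAST) for i in range(50))
    # Another station in the same second: its own address counter is fresh, but the
    # port-level broadcast counter is already exhausted, so its broadcast is dropped too.
    other_broadcast = st.accept(0.9, "wireless", client2, BROADCAST)
    # Unicast from that station is not subject to the port threshold.
    other_unicast = st.accept(0.95, "wireless", client2, server)
    # Next second: counters start over and the flooding station is forwarded again.
    next_window = st.accept(1.2, "wireless", client1, BROADCAST)
    return forwarded, other_broadcast, other_unicast, next_window
```

The scenario shows the trade-off: a single flooding station uses up the whole port's broadcast budget, so other stations' broadcasts (ARP requests, for instance) are dropped for the rest of that second. Storm thresholds bound the damage of a broadcast storm; they do not identify or isolate the offending station, which is what the Address Threshold and, for deliberate abuse, 802.1x-based access control are for.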
Intra BSS
The wireless clients (or subscribers) that associate with a certain AP form the Basic Service Set (BSS) of a network
infrastructure. By default, wireless subscribers in the same BSS can communicate with each other. However, some
administrators (such as wireless public spaces) may wish to block traffic between wireless subscribers that are
associated with the same AP to prevent unauthorized communication and to conserve bandwidth. This feature
enables you to prevent wireless subscribers within a BSS from exchanging traffic.
Although this feature is generally enabled in public access environments, Enterprise LAN administrators use it to
conserve wireless bandwidth by limiting communication between wireless clients. For example, this feature prevents
peer-to-peer file sharing or gaming over the wireless network.
To block Intra BSS traffic, set Intra BSS Traffic Operation to Block.
To allow Intra BSS traffic, set Intra BSS Traffic Operation to Passthru.
Packet Forwarding
The Packet Forwarding feature enables you to redirect traffic generated by wireless clients that are all associated to
the same AP to a single MAC address. This filters wireless traffic without burdening the AP and provides additional
security by limiting potential destinations or by routing the traffic directly to a firewall. You can redirect to a specific port
(Ethernet or WDS) or allow the bridge’s learning process (and the forwarding table entry for the selected MAC
address) to determine the optimal port.
NOTE
The gateway to which traffic will be redirected should be a node on the Ethernet network. It should not be a
wireless client.
Configuring Interfaces for Packet Forwarding
Configure your AP to forward packets by specifying interface port(s) to which packets are redirected and a destination
MAC address.
1. Within the Packet Forwarding Configuration screen, check the box labeled Enable Packet Forwarding.
2. Specify a destination Packet Forwarding MAC Address. The AP will redirect all unicast, multicast, and broadcast
packets received from wireless clients to the address you specify.
3. Select a Packet Forwarding Interface Port from the drop-down menu. You can redirect traffic to:
– Ethernet
– A WDS connection (see Wireless Distribution System (WDS) for details)
– Any (traffic is redirected to a port based on the bridge learning process)
4. Click OK to save your changes.
RADIUS
The AP communicates with a network’s RADIUS server to provide the following features:
– MAC Access Control Via RADIUS Authentication
– RADIUS Authentication with 802.1x
– RADIUS Accounting
The network administrator can configure multiple RADIUS Authentication Servers for different Authentication types.
The current available authentication types are EAP/802.1x authentication and MAC-based authentication.You can
configure two separate sets of Primary and Secondary RADIUS Servers for each of the two supported Authentication
types, 802.1x EAP Based authentication and MAC based authentication.
You can configure the AP to communicate with up to six different RADIUS servers:
• Primary Authentication Server (MAC-based authentication)
• Back-up Authentication Server (MAC-based authentication)
• Primary Authentication Server (EAP/802.1x authentication)
• Back-up Authentication Server (EAP/802.1x authentication)
• Primary Accounting Server
• Back-up Accounting Server
NOTE
You must have configured the settings for at least one Authentication server before configuring the settings for
an Accounting server.
The back-up servers are optional, but when configured, the AP will communicate with the back-up server if the primary
server is off-line. After the AP has switched to the backup server, it will periodically check the status of the primary
RADIUS server every five (5) minutes. Once the primary RADIUS server is again online, the AP automatically reverts
from the backup RADIUS server back to the primary RADIUS server. All subsequent requests are then sent to the
primary RADIUS server.
You can view monitoring statistics for each of the configured RADIUS servers.
MAC Access Control Via RADIUS Authentication
If you want to control wireless access to the network and if your network includes a RADIUS Server, you can store the
list of MAC addresses on the RADIUS server rather than configure each AP individually. From the RADIUS
Authentication tab, you can define the IP Address of the server that contains a central list of MAC Address values that
identify the authorized stations that may access the wireless network. You must specify information for at least the
primary RADIUS server. The back-up RADIUS server is optional.
NOTE
Contact your RADIUS server manufacturer if you have problems configuring the server or have problems
using RADIUS authentication.
Follow these steps to enable RADIUS MAC Access Control:
1. Within the RADIUS Auth screen, place a check mark in the box labeled Enable RADIUS MAC Access Control.
2. Place a check mark in the box labeled Enable Primary RADIUS Authentication Server.
3. If you want to configure a back-up RADIUS server, place a check mark in the box labeled Enable Back-up
RADIUS Authentication Server.
4. Enter the time, in seconds, each client session may be active before being automatically re-authenticated in the
Authorization Lifetime field. This parameter supports a value between 900 and 43200 sec; the default is 900 sec.
5. Select a MAC Address Format Type. This should correspond to the format in which the clients’ 12-digit MAC
addresses are listed within the RADIUS server. Available options include:
• Dash delimited: dash between each pair of digits: xx-yy-zz-aa-bb-cc
• Colon delimited: colon between each pair of digits: xx:yy:zz:aa:bb:cc
• Single dash delimited: dash between the sixth and seventh digits: xxyyzz-aabbcc
• No delimiters: No characters or spaces between pairs of hexadecimal digits: xxyyzzaabbcc
6. Select a Server Addressing Format type (IP Address or Name).
   • If you want to identify RADIUS servers by name, you must configure the AP as a DNS Client. See DNS Client for details.
7. Enter the server’s IP address or name in the field provided.
8. Enter the port number which the AP and the server will use to communicate. By default, RADIUS servers
communicate on port 1812.
9. Enter the Shared Secret in the Shared Secret and Confirm Shared Secret field. This is a password shared by the
RADIUS server and the AP. The same password must also be configured on the RADIUS server.
10. Enter the maximum time, in seconds, that the AP should wait for the RADIUS server to respond to a request in the
Response Time field. Range is 1-10 seconds; default is 3 seconds.
11. Enter the maximum number of times an authentication request may be retransmitted in the Maximum
Retransmissions field. Range is 1-4; default is 3.
12. If you are configuring a back-up server, repeat Steps 6 through 11 for the back-up server.
13. Click OK to save your changes.
14. Reboot the AP for these changes to take effect.
Figure 4-15 RADIUS MAC-Based Access Control Screen
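The failover behaviour described at the start of this section (back-up server used while the primary is off-line, primary re-checked every five minutes, automatic revert) combines with the Response Time and Maximum Retransmissions settings above to fix how long a client waits when the primary dies. The following Python is an added example for this page, not the AP's implementation: it models that selection logic with a stubbed transport and the AP's default values (3 s, 3 retransmissions). The guide does not say exactly when the AP declares the primary off-line or how the re-check is performed; this example assumes a request that exhausts its retransmissions triggers the switch and that the re-check is an ordinary request sent to the primary.

```python
"""Primary/back-up RADIUS server selection with timed fail-back, as an added
example of the behaviour described in this section (not the AP's code).

Requests go to the primary server.  When it stops answering the AP uses the
back-up; every five minutes it re-checks the primary and reverts as soon as the
primary answers.  Assumptions the page does not state: the AP declares the
primary off-line once a single request has used up its retransmissions, and the
five-minute re-check is an ordinary request sent to the primary.  The RADIUS
transport is stubbed as `transport(server, request) -> reply or None`.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

RECHECK_INTERVAL_S = 300.0        # "every five (5) minutes"


@dataclass
class RadiusServer:
    name: str
    port: int = 1812                  # authentication default
    response_time_s: float = 3.0      # AP default Response Time
    max_retransmissions: int = 3      # AP default Maximum Retransmissions

    @property
    def worst_case_wait_s(self) -> float:
        """Time a client waits on a dead server: first try plus each retransmission."""
        return (1 + self.max_retransmissions) * self.response_time_s


@dataclass
class RadiusClient:
    primary: RadiusServer
    backup: Optional[RadiusServer]
    transport: Callable[[RadiusServer, str], Optional[str]]
    clock: Callable[[], float]        # seconds; injected so the scenario is deterministic
    using_backup: bool = False
    switched_at: float = 0.0
    waited_s: float = 0.0             # total time spent waiting on unanswered tries

    def _try(self, server: RadiusServer, request: str) -> Optional[str]:
        for _attempt in range(1 + server.max_retransmissions):
            reply = self.transport(server, request)
            if reply is not None:
                return reply
            self.waited_s += server.response_time_s
        return None

    def send(self, request: str) -> Optional[str]:
        now = self.clock()
        if self.using_backup and now - self.switched_at >= RECHECK_INTERVAL_S:
            reply = self._try(self.primary, request)      # periodic re-check
            if reply is not None:
                self.using_backup = False                 # primary is back: revert
                return reply
            self.switched_at = now                        # still down: re-check later
        if not self.using_backup:
            reply = self._try(self.primary, request)
            if reply is not None:
                return reply
            if self.backup is None:
                return None
            self.using_backup, self.switched_at = True, now
        return self._try(self.backup, request)


def simulate() -> Tuple[List[Optional[str]], float]:
    """Constructed scenario: primary dies, AP fails over, primary returns, AP reverts."""
    clock_now = [0.0]
    primary_alive = [True]

    def transport(server: RadiusServer, request: str) -> Optional[str]:
        if server.name == "primary" and not primary_alive[0]:
            return None
        return f"Access-Accept from {server.name}"

    client = RadiusClient(RadiusServer("primary"), RadiusServer("backup"),
                          transport, lambda: clock_now[0])
    log = [client.send("auth 1")]          # primary answers
    primary_alive[0] = False
    log.append(client.send("auth 2"))      # 4 tries x 3 s on primary, then backup answers
    clock_now[0] = 100.0
    log.append(client.send("auth 3"))      # still on backup; re-check not due yet
    primary_alive[0] = True
    clock_now[0] = 301.0
    log.append(client.send("auth 4"))      # re-check succeeds, traffic back on primary
    return log, client.waited_s
```

With the defaults, the first client to hit a dead primary waits (1 + 3) x 3 s = 12 s before the back-up is even tried, which is longer than some 802.1x supplicants will wait; lowering Response Time or Maximum Retransmissions shortens that at the cost of spurious failovers on a slow link. The Shared Secret is the only thing authenticating AP and server to each other, so give the back-up server its own secret rather than reusing the primary's.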
RADIUS Authentication with 802.1x
You must configure a primary EAP/802.1x Authentication server to use 802.1x security. A back-up server is optional.
NOTE
Contact your RADIUS server manufacturer if you have problems configuring the server or using RADIUS
authentication.
Follow these steps to enable a RADIUS Authentication server for 802.1x security:
1. Click the RADIUS tab.
2. Click the EAP/802.1x Auth sub-tab.
3. Place a check mark in the box labeled Enable Primary EAP/802.1x Authentication Server.
4. If you want to configure a back-up RADIUS server, place a check mark in the box labeled Enable Backup EAP/802.1x Authentication Server.
5. Select a Server Addressing Format type (IP Address or Name).
•
If you want to identify RADIUS servers by name, you must configure the AP as a DNS Client. See DNS Client
for details.
6. Enter the server’s IP address or name in the field provided.
7. Enter the port number which the AP and the server will use to communicate. By default, RADIUS servers
communicate on port 1812.
8. Enter the Shared Secret in the Shared Secret and Confirm Shared Secret field. This is a password shared by the
RADIUS server and the AP. The same password must also be configured on the RADIUS server.
9. Enter the maximum time, in seconds, that the AP should wait for the RADIUS server to respond to a request in the
Response Time field. Range is 1-10 seconds; default is 3 seconds.
10. Enter the maximum number of times an authentication request may be retransmitted in the Maximum
Retransmissions field. Range is 1-4; default is 3.
11. If you are configuring a back-up server, repeat Steps 5 through 10 for the back-up server.
12. Click OK to save your changes.
13. Reboot the AP device for these changes to take effect.
Figure 4-16 RADIUS EAP/802.1x Authentication Screen
RADIUS Accounting
Using an external RADIUS server, the AP can track and record the length of client sessions on the access point by
sending RADIUS accounting messages per RFC2866. When a wireless client is successfully authenticated, RADIUS
accounting is initiated by sending an “Accounting Start” request to the RADIUS server. When the wireless client
session ends, an “Accounting Stop” request is sent to the RADIUS server.
Session Length
Accounting sessions continue when a client reauthenticates to the same AP. Sessions are terminated when:
• A client disassociates.
• A client does not transmit any data to the AP for a fixed amount of time.
• A client is detected on a different interface.
If the client roams from one AP to another, one session is terminated and a new session is begun.
NOTE
This feature requires RADIUS authentication using MAC Access Control or 802.1x. Wireless clients
configured in the Access Point’s static MAC Access Control list are not tracked.
Configuring RADIUS Accounting
Follow these steps to enable RADIUS accounting on the AP:
1. Within the RADIUS Accounting Configuration screen, place a check mark in the Enable RADIUS Accounting
box to turn on this feature.
2. Place a check mark in the box labeled Enable Primary RADIUS Accounting Server.
3. If you want to configure a back-up RADIUS server, place a check mark in the box labeled Enable Back-up
RADIUS Accounting Server.
4. Enter the session timeout interval in minutes within the Accounting Inactivity Timer field. An accounting session
automatically ends for a client that is idle for the period of time specified. Range is 1-60 minutes; default is
5 minutes.
5. Select a Server Addressing Format type (IP Address or Name).
   • If you want to identify RADIUS servers by name, you must configure the Access Point as a DNS Client. See DNS Client for details.
6. Enter the server’s IP address or name in the field provided.
7. Enter the port number which the AP and the server will use to communicate. By default, RADIUS accounting uses
port 1813.
8. Enter the Shared Secret in the Shared Secret and Confirm Shared Secret field. This is a password shared by the
RADIUS server and the AP. The same password must also be configured on the RADIUS server.
9. Enter the maximum time, in seconds, that the AP should wait for the RADIUS server to respond to a request in the
Response Time field. Range is 1-10 seconds; default is 3 seconds.
10. Enter the maximum number of times an authentication request may be retransmitted in the Maximum
Retransmissions field. Range is 1-4; default is 3.
11. If you are configuring a back-up server, repeat Steps 5 through 10 for the back-up server.
12. Click OK to save your changes.
13. Reboot the AP device for these changes to take effect.
Figure 4-17 RADIUS Accounting Server Configuration
Security Overview
The AP provides several security features to protect your network from unauthorized access.
• Authentication and Encryption Modes
• MAC Access
Authentication and Encryption Modes
The AP supports the following Security features:
• WEP Encryption: The original encryption technique specified by the IEEE 802.11 standard.
• 802.1x Authentication: An IEEE standard for client authentication.
• Wi-Fi Protected Access (WPA): A new standard that provides improved encryption security over WEP.
WEP Encryption
The IEEE 802.11 standards specify an optional encryption feature, known as Wired Equivalent Privacy or WEP, that was designed to give a wireless LAN a security level comparable to a wired Ethernet network. WEP encrypts the data portion of each packet exchanged on an 802.11 network using an Encryption Key (also known as a WEP Key). WEP has well-known cryptographic weaknesses and WEP keys can be recovered from captured traffic, so where the clients support it use WPA instead and treat WEP as compatibility-only.
When Encryption is enabled, two 802.11 devices must have the same Encryption Keys and both devices must be
configured to use Encryption in order to communicate. If one device is configured to use Encryption but a second
device is not, then the two devices will not communicate, even if both devices have the same Encryption Keys.
802.1x Authentication
IEEE 802.1x is a standard that provides a means to authenticate and authorize network devices attached to a LAN port. A port in the context of IEEE 802.1x is a point of attachment to the LAN, either a physical Ethernet connection or a wireless link to an Access Point. 802.1x requires a RADIUS server and uses the Extensible Authentication Protocol (EAP) as a standards-based authentication framework, and supports automatic key distribution for enhanced security. The EAP-based authentication framework can easily be upgraded to keep pace with future EAP types.
Popular EAP types include:
• EAP-Message Digest 5 (MD5): Username/Password-based authentication; does not support automatic key
distribution
• EAP-Transport Layer Security (TLS): Certificate-based authentication (a certificate is required on the server and
each client); supports automatic key distribution
• EAP-Tunneled Transport Layer Security (TTLS): Certificate-based authentication (a certificate is required on the
server; a client's username/password is tunneled to the server over a secure connection); supports automatic key
distribution
• PEAP - Protected EAP with MS-CHAP v2: Secure username/password-based authentication; supports automatic
key distribution
Different servers support different EAP types and each EAP type provides different features. Refer to the
documentation that came with your RADIUS server to determine which EAP types it supports.
NOTE
The AP supports the following EAP types when Authentication Mode is set to 802.1x or WPA: EAP-TLS,
PEAP, and EAP-TTLS. When Authentication Mode is set to Mixed, the AP supports the following EAP types:
EAP-TLS, PEAP, EAP-TTLS, and EAP-MD5 (MD5 does not support automatic key distribution; therefore, if
you choose this method you need to manually configure each client with the network's encryption key).
Authentication Process
There are three main components in the authentication process. The standard refers to them as:
1. supplicant (client PC)
2. authenticator (Access Point)
3. authentication server (RADIUS server)
When the Authentication Mode is set to 802.1x, WPA, or Mixed mode (802.1x and WEP), you need to configure your
RADIUS server for authentication purposes.
Prior to successful authentication, an unauthenticated client PC cannot send any data traffic through the AP device to
other systems on the LAN. The AP inhibits all data traffic from a particular client PC until the client PC is authenticated.
Regardless of its authentication status, a client PC can always exchange 802.1x messages in the clear with the AP
(the client begins encrypting data after it has been authenticated).
Figure 4-18 RADIUS Authentication Illustrated
The AP acts as a pass-through device to facilitate communications between the client PC and the RADIUS server. The
AP (2) and the client (1) exchange 802.1x messages using an EAPOL (EAP Over LAN) protocol (A). Messages sent
from the client station are encapsulated by the AP and transmitted to the RADIUS (3) server using EAP extensions (B).
Upon receiving a reply EAP packet from the RADIUS server, the message is typically forwarded to the client, after
translating it back to the EAPOL format. Negotiations take place between the client and the RADIUS server. After the
client has been successfully authenticated, the client receives an Encryption Key from the AP (if the EAP type supports
automatic key distribution). The client uses this key to encrypt data after it has been authenticated.
For 802.11a and 802.11b/g clients that communicate with an AP, each client receives its own unique encryption key;
this is known as Per User Per Session Encryption Keys.
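The pass-through behaviour described above can be modelled in a few dozen lines. The following is an added example, not code from the AP542 or from SYSTIMAX: it builds constructed EAPOL frames (EtherType 0x888E), wraps the EAP packet in RADIUS EAP-Message attributes (type 79) the way an authenticator relays it, uses a scripted stand-in for the RADIUS server that accepts the identity "alice", and shows that a client's data frames are dropped until an Access-Accept arrives, after which a per-session key is issued. The MAC addresses, the identity and the one-round acceptance are constructed assumptions; a real exchange involves further EAP challenges between client and server.

```python
import secrets
import struct

ETHERTYPE_EAPOL = 0x888E              # IEEE 802.1X EAPOL frames
EAPOL_TYPE_EAP_PACKET = 0             # EAPOL packet type carrying an EAP message
RADIUS_ATTR_EAP_MESSAGE = 79          # RFC 3579 EAP-Message attribute
RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_CHALLENGE = 2, 11
EAP_RESPONSE, EAP_SUCCESS, EAP_TYPE_IDENTITY = 2, 3, 1
PAE_GROUP_ADDRESS = bytes.fromhex("0180C2000003")   # 802.1X PAE group MAC


def build_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    return frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0], frame[14:]


def build_eapol_identity(identity: bytes, eap_id: int = 1) -> bytes:
    """EAPOL (version 1, EAP-Packet) carrying an EAP Response/Identity."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity
    return struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def eapol_to_radius_attrs(eapol: bytes) -> bytes:
    """Strip the EAPOL header and wrap the EAP packet in EAP-Message attributes.

    A RADIUS attribute carries at most 253 bytes, so larger EAP packets are
    split across several consecutive EAP-Message attributes (RFC 3579).
    """
    _version, ptype, length = struct.unpack("!BBH", eapol[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("only EAPOL EAP-Packet frames are relayed to RADIUS")
    eap = eapol[4:4 + length]
    attrs = b""
    for i in range(0, len(eap), 253):
        chunk = eap[i:i + 253]
        attrs += struct.pack("!BB", RADIUS_ATTR_EAP_MESSAGE, 2 + len(chunk)) + chunk
    return attrs


def scripted_radius(attrs: bytes):
    """Constructed stand-in for the RADIUS server: accepts the identity 'alice'."""
    eap = attrs[2:]                      # one EAP-Message attribute in this example
    code, eap_id, length, etype = struct.unpack("!BBHB", eap[:5])
    if code == EAP_RESPONSE and etype == EAP_TYPE_IDENTITY and eap[5:length] == b"alice":
        return RADIUS_ACCESS_ACCEPT, struct.pack("!BBH", EAP_SUCCESS, eap_id, 4)
    return RADIUS_ACCESS_CHALLENGE, b""


class Authenticator:
    """AP port-access control: one logical port per client MAC address."""

    def __init__(self, radius):
        self.radius = radius              # callable: EAP-Message attrs -> (code, EAP reply)
        self.authenticated = set()        # client MACs allowed to send data through the AP
        self.session_keys = {}            # Per User Per Session encryption keys

    def handle_frame(self, frame: bytes) -> str:
        _dst, src, ethertype, payload = parse_frame(frame)
        if ethertype == ETHERTYPE_EAPOL:
            # 802.1x messages are always accepted, whatever the client's status
            code, _eap_reply = self.radius(eapol_to_radius_attrs(payload))
            if code == RADIUS_ACCESS_ACCEPT:
                self.authenticated.add(src)
                self.session_keys[src] = secrets.token_bytes(16)   # key delivered after success
                return "accepted"
            return "eap-relayed"
        if src in self.authenticated:
            return "forwarded"
        return "dropped"        # data from an unauthenticated client never reaches the LAN


def demo(identity: bytes = b"alice"):
    """Constructed scenario: data frame, then EAPOL identity, then data frame again."""
    ap = Authenticator(scripted_radius)
    client, server = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    data = build_frame(server, client, 0x0800, b"ip payload")
    results = [ap.handle_frame(data)]
    results.append(ap.handle_frame(build_frame(PAE_GROUP_ADDRESS, client, ETHERTYPE_EAPOL,
                                               build_eapol_identity(identity))))
    results.append(ap.handle_frame(data))
    return results
```

`demo()` returns `["dropped", "accepted", "forwarded"]` for the accepted identity and `["dropped", "eap-relayed", "dropped"]` for any other, which is the behaviour the text describes: EAPOL passes in both cases, data only after authentication.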
Wi-Fi Protected Access (WPA)
Wi-Fi Protected Access (WPA) is a security standard designed by the Wi-Fi Alliance in conjunction with the Institute of
Electrical and Electronics Engineers (IEEE). WPA is a sub-set of the IEEE 802.11i security standard. (IEEE 802.11i is
also referred to as "WPA2").
WPA is a replacement for Wired Equivalent Privacy (WEP), the encryption technique specified by the original 802.11
standard. WEP has several vulnerabilities that have been widely publicized. WPA addresses these weaknesses and
provides a stronger security system to protect wireless networks.
WPA provides the following new security measures not available with WEP:
• Improved packet encryption using the Temporal Key Integrity Protocol (TKIP) and the Michael Message Integrity
Check (MIC).
• Per-user, per-session dynamic encryption keys:
– Each client uses a different key to encrypt and decrypt unicast packets exchanged with the AP
– A client's key is different for every session; it changes each time the client associates with an AP
– The AP uses a single global key to encrypt broadcast packets that are sent to all clients simultaneously
– Encryption keys change periodically based on the Re-keying Interval parameter
– WPA uses 128-bit encryption keys
• Dynamic Key distribution
– The AP generates and maintains the keys for its clients
– The AP securely delivers the appropriate keys to its clients
• Client/server mutual authentication
– 802.1x
– Pre-shared key (for networks that do not have an 802.1x solution implemented)
NOTE
For more information on WPA, see the Wi-Fi Alliance Web site at http://www.wi-fi.org.
The AP supports two WPA authentication modes:
• WPA: The AP uses 802.1x to authenticate clients. You should only use an EAP that supports mutual authentication
and session key generation, such as EAP-TLS, EAP-TTLS, and PEAP. See 802.1x Authentication for details.
• WPA-PSK (Pre-Shared Key): For networks that do not have 802.1x implemented, you can configure the AP to
authenticate clients based on a Pre-Shared Key. This is a shared secret that is manually configured on the AP and
each of its clients. The Pre-Shared Key must be 256 bits long, which is 64 hexadecimal digits. The AP also
supports a PSK Pass Phrase option to facilitate the creation of the Pre-Shared Key (so a user can enter an
easy-to-remember phrase rather than a string of characters).
Configuring Security Settings
You can configure each SSID/VLAN to operate in one of the following security modes:
1. No Security: This is the default setting for the Primary SSID (Network Name) for each wireless interface.
2. Enable WEP Encryption: The AP and clients use the same static WEP keys to encrypt data.
3. Enable 802.1x Security: The AP uses the 802.1x standard to communicate with a RADIUS server and authenticate
clients. The AP generates and distributes dynamic, per user WEP Keys to each client following successful
authentication.
4. Enable Mixed Mode (802.1x and WEP Encryption): The AP uses 802.1x Mode for clients that support 802.1x (and
have an 802.1x supplicant application installed). The AP uses static WEP Encryption for clients that do not use
802.1x.
5. Enable WPA Mode: The AP uses 802.1x to communicate with a RADIUS server and authenticate clients. The AP
generates and distributes dynamic, per user encryption keys (based on the Temporal Key Integrity Protocol (TKIP))
to each client following successful authentication. WPA mode provides message integrity checking to guard
against replay type attacks. This mode is not available for all radio types.
6. Enable WPA-PSK Mode: The AP uses a Pre-shared Key (manually configured on both the AP and the clients) to
authenticate clients. The AP generates and distributes dynamic, per user encryption keys (based on TKIP) to each
client following successful authentication. This mode is for customers who want to use WPA but do not have a
RADIUS server installed on their network. This mode is not available for all radio types.
You configure an SSID/VLAN to use a particular security mode by setting the Security Mode parameter in the SSID,
VLAN, and Security table (refer to Configure Multiple SSID/VLAN/Security Mode Entries). The following table
summarizes the Security Mode options available in the HTTP Interface's Configure > SSID/VLAN/Security Mode >
Wireless Interface screen and describes how each of these options corresponds to the six Security Modes listed
above:
Authentication Mode Setting | Authentication Method Employed | Encryption Method Employed
None | None | None or manually configured Static WEP settings (from Configure > Security > Encryption screen)
802.1x | 802.1x | Dynamic WEP Keying
Mixed | 802.1x or None (depends on a client's configuration) | Dynamic WEP Keying or Static WEP (depends on client's configuration)
WPA | 802.1x | Dynamic TKIP Keying
WPA-PSK | Manually configured Pre-shared Key | Dynamic TKIP Keying
NOTE
Before enabling the 802.1x, Mixed, or WPA mode, the 802.1x server should be configured.
SSID, VLAN, and Security Modes
The AirSPEED AP542 allows you to segment wireless networks into multiple sub-networks based on Network Name
(SSID) and VLAN membership, and to apply security modes per SSID.
A Network Name (SSID) identifies a wireless network. Clients associate with Access Points that share an SSID. During
installation, the Setup Wizard prompts you to configure a Primary Network Name for each wireless interface.
After initial setup and once VLAN is enabled, the AP can be configured to support up to 16 SSIDs per wireless
interface to segment wireless networks based on VLAN membership.
Refer to Configure Multiple SSID/VLAN/Security Mode Entries for configuration details.
VLAN Overview
Virtual Local Area Networks (VLANs) are logical groupings of network hosts. Defined by software settings, other VLAN
members or resources appear (to clients) to be on the same physical segment, no matter where they are attached on
the logical LAN or WAN segment. They simplify traffic flow between clients and their frequently-used or restricted
resources.
VLANs now extend as far as the reach of the access point signal. Clients can be segmented into wireless
sub-networks via SSID and VLAN assignment. A Client can access the network by connecting to an AP configured to
support its assigned SSID/VLAN.
AP devices are fully VLAN-ready; however, by default VLAN support is disabled. Before enabling VLAN support,
certain network settings should be configured, and network resources such as a VLAN-aware switch, a RADIUS
server, and possibly a DHCP server should be available.
Once enabled, VLANs are used to conveniently, efficiently, and easily manage your network in the following ways:
– Manage adds, moves, and changes from a single point of contact
– Define and monitor groups
– Reduce broadcast and multicast traffic to unnecessary destinations
• Improve network performance and reduce latency
– Increase security
• Secure network restricts members to resources on their own VLAN
• Clients roam without compromising security
VLAN tagged data is collected and distributed through an AP's wireless interface(s) based on Network Name (SSID).
An Ethernet port on the access point connects a wireless cell or network to a wired backbone. The access points
communicate across a VLAN-capable switch that analyzes VLAN-tagged packet headers and directs traffic to the
appropriate ports. On the wired network, a RADIUS server authenticates traffic and a DHCP server manages IP
addresses for the VLAN(s). Resources like servers and printers may be present, and a hub may include multiple APs,
extending the network over a larger area.
In this figure, the numbered items correspond to the following components:
1. VLAN-enabled access point
2. VLAN-aware switch (IEEE 802.1Q uplink)
3. AP management via wired host (SNMP, Web interface or CLI)
4. DHCP Server
5. RADIUS Server
6. VLAN 1
7. VLAN 2
Figure 4-19 Components of a typical VLAN
VLAN Workgroups and Traffic Management
Access Points that are not VLAN-capable typically transmit broadcast and multicast traffic to all wireless Network
Interface Cards (NICs). This process wastes wireless bandwidth and degrades throughput performance. In
comparison, a VLAN-capable AP is designed to efficiently manage delivery of broadcast, multicast, and unicast traffic
to wireless clients.
The AP assigns clients to a VLAN based on a Network Name (SSID). The AP can support up to 16 SSID/VLAN pairs
per radio.
The AP matches packets transmitted or received to a network name with the associated VLAN. Traffic received by a
VLAN is only sent on the wireless interface associated with that same VLAN. This eliminates unnecessary traffic on
the wireless LAN, conserving bandwidth and maximizing throughput.
Traffic Management
In addition to enhancing wireless traffic management, the VLAN-capable AP supports easy assignment of wireless
users to workgroups. In a typical scenario, each user VLAN represents a workgroup; for example, one VLAN could be
used for an EMPLOYEE workgroup and the other, for a GUEST workgroup.
In this scenario, the AP would assign every packet it accepted to a VLAN. Each packet would then be identified as
EMPLOYEE or GUEST, depending on which wireless NIC received it. The AP would insert VLAN headers or “tags”
with identifiers into the packets transmitted on the wired backbone to a network switch.
Finally, the switch would be configured to route packets from the EMPLOYEE workgroup to the appropriate corporate
resources such as printers and servers. Packets from the GUEST workgroup could be restricted to a gateway that
allowed access to only the Internet. A member of the GUEST workgroup could send and receive e-mail and access the
Internet, but would be prevented from accessing servers or hosts on the local corporate network.
Typical User VLAN Configurations
VLANs segment network traffic into workgroups, which enable you to limit broadcast and multicast traffic. Workgroups
enable clients from different VLANs to access different resources using the same network infrastructure. Clients using
the same physical network are limited to those resources available to their workgroup.
The AP can segment users into a maximum of 16 different workgroups (32 for the AirSPEED AP542 which has two
radios) based on an SSID/VLAN pair (also referred as a VLAN Workgroup or a Sub-network).
The four primary scenarios for using VLAN workgroups are as follows:
1. VLAN disabled: Your network does not use VLANs, but you can configure the AP to use multiple SSIDs.
2. VLAN enabled, all VLAN Workgroups use the same VLAN ID Tag
3. VLAN enabled, each VLAN workgroup uses a different VLAN ID Tag
4. VLAN enabled, a mixture of Tagged and Untagged workgroups
Configure Multiple SSID/VLAN/Security Mode Entries
Each SSID/VLAN can have its own security mode, so that customers can have multiple types of clients (non-WEP,
WEP, 802.1x, WPA) on the same system, but separated per VLAN.
NOTE
You must reboot the AP before any changes to these parameters take effect.
1. Click Configure > SSID/VLAN/Security > Mgmt VLAN.
2. Place a check mark in the Enable VLAN Protocol box to enable VLAN support. If VLAN is disabled, all table
entries on the SSID/VLAN/Security page will be disabled.
3. Click the tab for Wireless A or Wireless B.
Figure 4-20 SSID, VLAN, and Security Table - Wireless A
4. Add one or more new SSID/VLAN/security mode entries. Each wireless interface supports up to 16 entries.
Follow these steps:
1. Click Add to create a new SSID/VLAN/security mode entry.
Figure 4-21 SSID, VLAN, and Security Table - Wireless A - Add Entries
2. Enter a Network Name (SSID), between 2 and 31 characters, in the field provided. This parameter is
mandatory.
3. Enter a VLAN ID in the field provided. This parameter is mandatory.
— You must specify a unique VLAN ID for each SSID on the interface. As defined by the 802.1Q
standard, a VLAN ID is a number between 1 and 4094. A value of -1 means that an entry is
"untagged".
— You can set the VLAN ID to "-1" or "untagged" if you do not want clients that are using a specific SSID
to be members of a VLAN workgroup. Only one "untagged" VLAN ID is allowed per interface.
— The VLAN ID must match an ID used by your network; contact your network administrator if you need
assistance defining the VLAN IDs.
4. Select the security mode for the SSID/VLAN entry and configure the security mode parameters according
to one of the following procedures:
NOTE
If you have two or more SSIDs per interface with a security mode of None, be aware that security being
applied in the VLAN is not being applied in the wireless network.
Enable WEP Encryption
Follow these steps to set up WEP encryption on an SSID/VLAN pair:
1. Set Security Mode to WEP (if necessary).
2. Enter Encryption Key 0 only; the transmit key (the key used to encrypt outgoing data) will be automatically
set to zero. Keep in mind the following:
• For 64-bit encryption, an encryption key is 10 hexadecimal characters (0-9 and A-F) or 5 ASCII
characters (see ASCII Character Chart).
• For 128-bit encryption, an encryption key is 26 hexadecimal characters or 13 ASCII characters.
• For 152-bit encryption, an encryption key is 32 hexadecimal characters or 16 ASCII characters.
Enable 802.1x Security
Follow these steps to enable 802.1x on an SSID/VLAN pair:
1. Set Security Mode to 802.1x.
2. Select an Encryption Key Length.
• The AirSPEED AP542 supports 64-bit or 128-bit encryption for 802.1x security mode.
3. Enter a Re-keying Interval.
• The Re-keying Interval determines how often a client's encryption key is changed and can be set to any
value between 60 - 65535 seconds. Re-keying frustrates hacking attempts without taxing system
resources. Setting a fairly frequent re-key value (900 seconds=15 minutes) effectively protects against
intrusion without disrupting network activities.
Enable Mixed Mode (802.1x and WEP Encryption)
Follow these steps to use both 802.1x and WEP Encryption simultaneously (clients that do not support 802.1x use
WEP Encryption for security purposes) on an SSID/VLAN pair:
1. Set Security Mode to Mixed.
2. Enter a Re-keying Interval.
• The Re-keying Interval determines how often a client's encryption key is changed and can be set to any
value between 60 - 65535 seconds. Re-keying frustrates hacking attempts without taxing system
resources. Setting a fairly frequent re-key value (900 seconds=15 minutes) effectively protects against
intrusion without disrupting network activities.
3. Click the Encryption tab.
4. Place a check mark in the box labeled Enable Encryption (WEP).
5. Configure Encryption Key 1 only (i.e., do not configure Keys 2 through 4). Keep in mind the following:
• For 64-bit encryption, an encryption key is 10 hexadecimal characters (0-9 and A-F) or 5 ASCII
characters (see ASCII Character Chart).
• For 128-bit encryption, an encryption key is 26 hexadecimal characters or 13 ASCII characters.
• For 152-bit encryption, an encryption key is 32 hexadecimal characters or 16 ASCII characters.
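The key-format and re-keying rules repeated in the WEP, 802.1x and Mixed Mode procedures above can be checked before a value is typed into the AP. The following is an added example, not the AP542's own validation code: it classifies a static WEP key as 64-, 128- or 152-bit from its length and character set (10/26/32 hexadecimal or 5/13/16 ASCII characters, as the guide states), checks the Re-keying Interval against the 60 to 65535 second range, and limits the 802.1x key length to the 64- or 128-bit choices the guide lists. The mode names and the sample keys are constructed.

```python
import re

# (hexadecimal digits, ASCII characters) -> nominal WEP key size in bits, per the guide
WEP_KEY_SIZES = {(10, 5): 64, (26, 13): 128, (32, 16): 152}
REKEY_MIN, REKEY_MAX = 60, 65535            # Re-keying Interval range in seconds
DOT1X_KEY_LENGTHS = (64, 128)               # key lengths the AP542 offers in 802.1x mode
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def wep_key_bits(key: str):
    """Return the WEP key size in bits for a hex or ASCII key, or None if it fits no size.

    A key counts as hexadecimal only when every character is a hex digit and
    its length matches a hex key size; otherwise it is treated as ASCII text.
    """
    for (hex_len, _ascii_len), bits in WEP_KEY_SIZES.items():
        if len(key) == hex_len and HEX_RE.match(key):
            return bits
    for (_hex_len, ascii_len), bits in WEP_KEY_SIZES.items():
        if len(key) == ascii_len and key.isascii() and key.isprintable():
            return bits
    return None


def check_security_params(mode: str, key=None, key_length_bits=None, rekey_interval=None):
    """Return a list of problems for the WEP, 802.1x or Mixed procedures; empty means OK."""
    problems = []
    if mode in ("WEP", "Mixed"):
        # static key entered in Encryption Key 0 (WEP) or Key 1 (Mixed)
        if wep_key_bits(key or "") is None:
            problems.append("encryption key must be 10/26/32 hex or 5/13/16 ASCII characters")
    if mode == "802.1x" and key_length_bits not in DOT1X_KEY_LENGTHS:
        problems.append("802.1x mode supports 64-bit or 128-bit encryption only")
    if mode in ("802.1x", "Mixed"):
        if rekey_interval is None or not REKEY_MIN <= rekey_interval <= REKEY_MAX:
            problems.append("re-keying interval must be 60-65535 seconds")
    return problems


def demo():
    """Constructed sample parameters for each procedure."""
    return {
        "wep_hex_64": wep_key_bits("0123456789"),
        "wep_ascii_128": wep_key_bits("13charsASCII!"),
        "wep_bad_length": wep_key_bits("toolongkey"),
        "mixed_bad": check_security_params("Mixed", key="abc", rekey_interval=30),
        "dot1x_ok": check_security_params("802.1x", key_length_bits=128, rekey_interval=900),
    }
```

Note that the "64-bit" and "128-bit" names include the 24-bit IV, so the secret material is 40 and 104 bits respectively; the checker follows the guide's naming.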
Enable WPA Mode
Follow this step to enable WPA on an SSID/VLAN pair:
• Set Security Mode to WPA.
Enable WPA-PSK Mode
Follow these steps to enable WPA-PSK on an SSID/VLAN pair:
1. Set the Security Mode to WPA-PSK.
2. Configure the Pre-Shared Key. You must also configure your clients to use this same key.
• Do one of the following:
— Enter 64 hexadecimal digits in the Pre-Shared Key field.
— Enter a phrase in the PSK Pass Phrase field. The AP will automatically generate a Pre-Shared Key
based on the phrase you enter. Enter between 8 and 63 characters; SYSTIMAX recommends using
a pass phrase of at least 13 characters, including both numbers and upper and lower case letters, to
ensure that the generated key cannot be easily deciphered by network infiltrators.
5. When finished configuring all parameters, click OK.
6. If you selected a Security Mode of 802.1x, Mixed Mode, or WPA you must configure a
Radius 802.1x/EAP server (see RADIUS Authentication with 802.1x for details).
7. Click Edit if you want to modify an existing entry. You can also disable or delete an entry from the Edit screen.
NOTE
When editing the primary Network Name (SSID) entry, disabling or deleting that entry is not allowed.
8. Click the tab for the second wireless interface (if applicable) and create or modify SSID/VLAN entries as
necessary.
9. Reboot the AP.
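The Pre-Shared Key step of the WPA-PSK procedure above (and the WPA-PSK description under Wi-Fi Protected Access) can be reproduced so that the key configured on the clients is checked against what the AP derives. This is an added example, not the AP542's own code: WPA-PSK as specified in IEEE 802.11i derives the 256-bit key from the pass phrase with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations; the guide only says the AP "automatically generates" the key, so it is an assumption here that the AP542 follows the standard. The function also applies the guide's pass phrase rules (8 to 63 characters, and the recommended 13 characters with numbers and mixed-case letters). The SSID and phrase values are constructed; the "password"/"IEEE" pair is the published 802.11i test vector.

```python
import hashlib
import re

PSK_HEX_RE = re.compile(r"^[0-9A-Fa-f]{64}$")    # 256 bits = 64 hexadecimal digits
PBKDF2_ITERATIONS = 4096                          # IEEE 802.11i pass phrase mapping


def validate_passphrase(phrase: str):
    """Problems against the guide's rules. Entries starting with 'recommended' are advisory."""
    problems = []
    if not 8 <= len(phrase) <= 63 or not phrase.isascii() or not phrase.isprintable():
        problems.append("pass phrase must be 8-63 printable ASCII characters")
    if len(phrase) < 13:
        problems.append("recommended: use at least 13 characters")
    has_digit = any(c.isdigit() for c in phrase)
    has_lower = any(c.islower() for c in phrase)
    has_upper = any(c.isupper() for c in phrase)
    if not (has_digit and has_lower and has_upper):
        problems.append("recommended: include numbers and upper and lower case letters")
    return problems


def psk_from_passphrase(phrase: str, ssid: str) -> bytes:
    """802.11i PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", phrase.encode("ascii"), ssid.encode("utf-8"),
                               PBKDF2_ITERATIONS, 32)


def psk_from_config(ssid: str, psk_hex=None, passphrase=None) -> bytes:
    """Mirror step 2 above: either 64 hex digits, or a pass phrase the key is derived from."""
    if psk_hex is not None:
        if not PSK_HEX_RE.match(psk_hex):
            raise ValueError("Pre-Shared Key must be exactly 64 hexadecimal digits")
        return bytes.fromhex(psk_hex)
    if passphrase is None:
        raise ValueError("either a Pre-Shared Key or a PSK Pass Phrase is required")
    hard = [p for p in validate_passphrase(passphrase) if not p.startswith("recommended")]
    if hard:
        raise ValueError("; ".join(hard))
    return psk_from_passphrase(passphrase, ssid)


def demo():
    """Constructed sample: the 802.11i test vector plus a phrase meeting the guide's advice."""
    return {
        "vector": psk_from_config("IEEE", passphrase="password").hex(),
        "vector_advice": validate_passphrase("password"),
        "strong_advice": validate_passphrase("Corp2Wifi!Key9"),
        "same_phrase_other_ssid": psk_from_config("OTHER", passphrase="password").hex(),
    }
```

Because the SSID is the salt, the same pass phrase yields a different PSK on every SSID, which is why a client's stored key stops working when an SSID is renamed even though the phrase is unchanged.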
Typical VLAN Management Configurations
Control Access to the AP
Management access to the AP can easily be secured by making management stations or hosts and the AP itself
members of a common VLAN. Simply configure a non-zero management VLAN ID and enable VLAN to restrict
management of the AP to members of the same VLAN.
CAUTION
If a non-zero management VLAN ID is configured then management access to the AP is restricted to wired or
wireless hosts that are members of the same VLAN. Ensure your management platform or host is a member
of the same VLAN before attempting to manage the AP.
1. Click Configure > VLAN.
2. Set the VLAN Management ID to a value between 0 and 4094 (a value of 0 disables VLAN management).
3. Place a check mark in the Enable VLAN Protocol box.
Provide Access to a Wireless Host in the Same Workgroup
The VLAN feature can allow wireless clients to manage the AP. If the VLAN Management ID matches a VLAN User ID,
then those wireless clients who are members of that VLAN will have AP management access.
CAUTION
Once a VLAN Management ID is configured and is equivalent to one of the VLAN User IDs on the AP, all
members of that User VLAN will have management access to the AP. Be careful to restrict VLAN membership
to those with legitimate access to the AP.
1. Click Configure > VLAN.
2. Set the VLAN Management ID to use the same VLAN ID as one of the configured SSID/VLAN pairs. See Typical
User VLAN Configurations for details.
3. Place a check mark in the Enable VLAN Protocol box.
Disable VLAN Management
1. Click Configure > VLAN.
2. Remove the check mark from the Enable VLAN Protocol box (to disable all VLAN functionality) or set the VLAN
Management ID to 0 (to disable VLAN Management only).
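The three management-VLAN procedures above reduce to a small access rule that is worth checking before enabling VLAN on a production AP. The following is an added example, not the AP542's own logic: it models the guide's statements that a non-zero VLAN Management ID with VLAN enabled restricts management to hosts in that VLAN, that an ID of 0 (or VLAN disabled) leaves management unrestricted by VLAN, and that a Management ID equal to a user SSID/VLAN ID gives every member of that user VLAN management access. The SSID names and VLAN IDs are constructed.

```python
from dataclasses import dataclass, field

VLAN_ID_MAX = 4094


@dataclass
class ApVlanConfig:
    vlan_enabled: bool                                  # Enable VLAN Protocol check box
    management_vlan_id: int                             # VLAN Management ID; 0 disables VLAN management
    user_vlans: dict = field(default_factory=dict)      # SSID -> VLAN ID from the SSID/VLAN table


def management_restricted(cfg: ApVlanConfig) -> bool:
    """True when management of the AP is limited to members of the management VLAN."""
    return cfg.vlan_enabled and cfg.management_vlan_id != 0


def can_manage(cfg: ApVlanConfig, host_vlan_id) -> bool:
    """host_vlan_id: VLAN of the management station (None for an untagged host)."""
    if not 0 <= cfg.management_vlan_id <= VLAN_ID_MAX:
        raise ValueError("VLAN Management ID must be between 0 and 4094")
    if not management_restricted(cfg):
        return True
    return host_vlan_id == cfg.management_vlan_id


def audit(cfg: ApVlanConfig):
    """Warnings a practitioner would want before enabling VLAN management."""
    warnings = []
    if not management_restricted(cfg):
        warnings.append("management access to the AP is not restricted by VLAN")
    for ssid, vid in cfg.user_vlans.items():
        if vid != 0 and vid == cfg.management_vlan_id:
            warnings.append(f"all wireless clients on SSID {ssid!r} (VLAN {vid}) can manage the AP")
    return warnings


def demo():
    """Constructed configurations covering the three procedures above."""
    users = {"EMPLOYEE": 10, "GUEST": 20}
    dedicated = ApVlanConfig(True, 99, users)       # Control Access to the AP
    shared = ApVlanConfig(True, 10, users)          # Provide Access to a Wireless Host in the Same Workgroup
    disabled = ApVlanConfig(True, 0, users)         # Disable VLAN Management
    return {
        "dedicated_admin": can_manage(dedicated, 99),
        "dedicated_guest": can_manage(dedicated, 20),
        "dedicated_audit": audit(dedicated),
        "shared_employee": can_manage(shared, 10),
        "shared_audit": audit(shared),
        "disabled_guest": can_manage(disabled, 20),
        "disabled_audit": audit(disabled),
    }
```

The second caution in the text is exactly the `shared_audit` warning: choosing an existing user VLAN as the management VLAN is convenient, but it turns every client on that SSID into a potential administrator, so membership of that VLAN has to be restricted accordingly.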