Operational Mode TX Power Control

Interfaces
Operational Mode
You can configure and view the operational mode for Wireless Interface B
(802.11b/g radio):
• Operational Mode: the mode of communication between the
wireless clients and the Access Point:
— 802.11b only
— 802.11g only
— 802.11bg
TX Power Control
The TX Power Control feature lets you configure the transmit power level
of the interface in the AP at one of four levels:
• 100% of the maximum transmit power level of the interface
• 50%
• 25%
• 12.5%
4-22
Avaya Wireless AP-8 User’s Guide
Configuring TX Power Control
1. Click Configure > Interfaces > Operational Mode.
2. Select Enable Transmit Power Control.
3. Select the transmit power level for interface A from the Wireless-A:
Transmit Power Level drop-down menu.
4. Select the transmit power level for interface B from the Wireless-B:
Transmit Power Level drop-down menu.
5. Click OK.
6. Select the transmit power control settings on the clients
appropriately.
Figure 4-5. Operational Mode Screen - TX Power Control (AP-8)
Wireless Interface A (802.11a Radio)
You can configure and view the following parameters within the Wireless
Interface Configuration screen for the Wireless Interface A:
NOTE:
You must reboot the Access Point before any changes to these
parameters take effect.
Parameter: Physical Interface Type
Description: For an 802.11a AP, this field reports “802.11a (OFDM 5 GHz).” OFDM stands for Orthogonal Frequency Division Multiplexing; this is the name for the radio technology used by 802.11a devices.

Parameter: MAC Address
Description: This is a read-only field that displays the unique MAC (Media Access Control) address for the Access Point’s wireless interface. The MAC address is assigned at the factory.
Parameter: Regulatory Domain
Description: Reports the regulatory domain for which the AP is certified. Not all features or channels are available in all countries. The available regulatory domains include:
• FCC - U.S./Canada, Mexico, and Australia
• ETSI - Europe and the United Kingdom
• MKK - Japan
• SG - Singapore
• ASIA - China, Hong Kong, and South Korea
• TW - Taiwan and Hong Kong

Parameter: Primary Network Name (SSID)
Description: Enter a Network Name (between 2 and 31 characters long) for the primary wireless network. You must configure each wireless client to use this name as well. To configure additional SSIDs and VLANs, go to Configure and select SSID/VLAN/Security.
Parameter: Auto Channel Select
Description: The AP scans the area for other Access Points and selects a free or relatively unused communication channel. This helps prevent interference problems and increases network performance. By default this feature is enabled. See 802.11a Channel Frequencies for a list of Channels.
NOTE:
You cannot disable Auto Channel Select for 802.11a products in Europe (see Dynamic Frequency Selection (DFS) for details).

Parameter: Frequency Channel
Description: When Auto Channel Select is enabled, this field is read-only and displays the Access Point’s current operating Channel. When Auto Channel Select is disabled, you can specify the Access Point’s channel. If you decide to manually set the unit’s Channel, ensure that nearby devices do not use the same frequency. Available Channels vary based on regulatory domain. See 802.11a Channel Frequencies.
NOTE:
You cannot manually set the channel for 802.11a products in Europe (see Dynamic Frequency Selection (DFS)).
Parameter: Transmit Rate
Description: Use the drop-down menu to select a specific transmit rate for the AP. Choose between 6, 9, 12, 18, 24, 36, 48, 54 Mbits/s, and Auto Fallback. Auto Fallback is the default setting; it allows the AP unit to select the best transmit rate based on the cell size.
NOTE:
Turbo mode is supported in 802.11a mode. You cannot enable Turbo mode using the Web interface. Use the CLI or SNMP to enable it. If Turbo mode is enabled, it is displayed in the Web interface and the transmit speed and channels pull-down menus are updated with all the valid values.

Parameter: DTIM Period
Description: The Deferred Traffic Indicator Map (DTIM) is used with clients that have power management enabled. DTIM should be left at 1, the default value, if any clients have power management enabled. This parameter supports a range between 1 and 255.
Parameter: RTS/CTS Medium Reservation
Description: This parameter affects message flow control and should not be changed under normal circumstances. Range is 0 to 2347. When set to a value between 0 and 2347, the Access Point uses the RTS/CTS mechanism for packets that are the specified size or greater. When set to 2347 (the default setting), RTS/CTS is disabled. See RTS/CTS Medium Reservation for more information.

Parameter: Closed System
Description: Check this box to allow only clients configured with the Access Point’s specific Network Name to associate with the Access Point. When enabled, a client configured with the Network Name “ANY” cannot connect to the AP. This option is disabled by default.
Dynamic Frequency Selection (DFS)
AP-8s sold in Europe use a technique called Dynamic Frequency
Selection (DFS) to automatically select an operating channel. During
boot-up, the AP scans the available frequency and selects a channel that
is free of interference. If the AP subsequently detects interference on its
channel, it automatically reboots and selects another channel that is free
of interference.
DFS only applies to 802.11a APs used in Europe (i.e., units whose regulatory domain is set to ETSI). The European Telecommunications Standards Institute (ETSI) requires that 802.11a devices use DFS to prevent interference with radar systems and other devices that already occupy the 5 GHz band.
If you are using the AP-8 in Europe, keep in mind the following:
• DFS is not a configurable parameter. It is always enabled and
cannot be disabled.
• You cannot manually select the device’s operating channel; you
must let DFS select the channel.
• You cannot configure the Auto Channel Select option. Within the
HTTP interface, this option always appears enabled.
RTS/CTS Medium Reservation
The 802.11 standard supports optional RTS/CTS communication based
on packet size. Without RTS/CTS, a sending radio listens to see if
another radio is already using the medium before transmitting a data
packet. If the medium is free, the sending radio transmits its packet.
However, there is no guarantee that another radio is not transmitting a
packet at the same time, causing a collision. This typically occurs when
there are hidden nodes (clients that can communicate with the
Access Point but are out of range of each other) in very large cells.
When RTS/CTS is used, the following sequence occurs.
1. The sending radio first transmits a Request to Send (RTS) packet
to confirm that the medium is clear.
2. When the receiving radio successfully receives the RTS packet, it
transmits back a Clear to Send (CTS) packet to the sending radio.
3. When the sending radio receives the CTS packet, it sends the data
packet to the receiving radio. The RTS and CTS packets contain a
reservation time to notify other radios (including hidden nodes) that
the medium is in use for a specified period. This helps to minimize
collisions.
While RTS/CTS adds overhead to the radio network, it is particularly
useful for large packets that take longer to resend after a collision occurs.
RTS/CTS Medium Reservation is an advanced parameter and supports a
range between 0 and 2347 bytes. When set to 2347 (the default setting),
the RTS/CTS mechanism is disabled. When set to 0, the RTS/CTS
mechanism is used for all packets. When set to a value between 0 and
2347, the Access Point uses the RTS/CTS mechanism for packets that
are the specified size or greater. You should not need to enable this
parameter for most networks unless you suspect that the wireless cell
contains hidden nodes.
Multicast Rate
The multicast rate determines the rate at which broadcast and multicast
packets are transmitted by the Access Point to the wireless network.
Stations that are closer to the Access Point can receive multicast packets
at a faster data rate than stations that are farther away from the AP.
Therefore, you should set the Multicast Rate based on the size of the
Access Point’s cell.
NOTE:
Multicast Rate cannot be set by the HTTP interface, but must be set
via CLI.
Cells of different sizes have different capacities and, therefore, suit
different applications. For instance, a typical office has many stations that
require high bandwidth for complex, high-speed data processing. In
contrast, a typical warehouse has a few forklifts requiring low bandwidth
for simple transactions.
Cell capacities are compared in the following table, which shows that
small cells suit most offices and large cells suit most warehouses:
Small Cell:
• Physically accommodates few stations
• High cell bandwidth per station
• High transmit rate

Large Cell:
• Physically accommodates many stations
• Lower cell bandwidth per station
• Lower transmit rate
Coverage
The number of Access Points in a set area determines the network
coverage for that area.
• A large number of Access Points covering a small area is a
high-density cell.
• A few Access Points, or even a single unit, covering the same small
area would result in a low-density cell.
In both cases the actual area did not change — only the number of
Access Points covering the area changed.
In a typical office, a high density area consists of a number of
Access Points installed every 20 feet and each Access Point generates a
small radio cell with a diameter of about 10 feet. In contrast, a typical
warehouse might have a low density area consisting of large cells (with a
diameter of about 90 feet) and Access Points installed every 200 feet.
Figure 4-6. 1 Mbits/s and 11 Mbits/s Multicast Rates
Wireless Interface B (802.11b/g Radio)
You can configure the following radio parameters for the Wireless B
interface:
NOTE:
You must reboot the Access Point before any changes to these
parameters take effect.
Parameter: Operational Mode
Description: An 802.11b/g wireless interface can be configured to operate in the following modes:
• 802.11b mode only: The radio uses the 802.11b standard only.
• 802.11g mode only: The radio is optimized to communicate with 802.11g devices. This setting will provide the best results if this radio interface will only communicate with 802.11g devices.
• 802.11b/g mode: This is the default mode. Use this mode if you want to support a mix of 802.11b and 802.11g devices.
In general, you should use either 802.11g only mode (if you want to support 802.11g devices only) or 802.11b/g mode to support a mix of 802.11b and 802.11g devices.
Parameter: Physical Interface Type
Description: Depending on the Operational Mode, this field reports:
• For 802.11b mode only: “802.11b (CCK/DSSS 2.4 GHz)”
• For 802.11g and 802.11g-wifi modes: “802.11g (OFDM/DSSS 2.4 GHz)”
• For 802.11b/g mode: “802.11b/g (ERP-CCK/DSSS/OFDM 2.4 GHz)”
OFDM stands for Orthogonal Frequency Division Multiplexing; this is the name for the radio technology used by 802.11a devices. DSSS stands for Direct Sequence Spread Spectrum; this is the name for the radio technology used by 802.11b devices.

Parameter: MAC Address
Description: This is a read-only field that displays the unique MAC (Media Access Control) address for the Access Point’s wireless interface. The MAC address is assigned at the factory.
Parameter: Regulatory Domain
Description: Reports the regulatory domain for which the AP is certified. Not all features or channels are available in all countries. The available regulatory domains include:
• FCC - U.S./Canada, Mexico, and Australia
• ETSI - Europe, including the United Kingdom, China and South Korea
• MKK - Japan
• IL - Israel

Parameter: Primary Network Name (SSID)
Description: Enter a Network Name (between 2 and 31 characters long) for the wireless network. You must configure each wireless client to use this name as well. Configure additional SSIDs and VLANs by selecting the Configure tab and then SSID/VLAN Security. You can configure up to 16 SSID/VLAN pairs per wireless interface.

Parameter: Auto Channel Select
Description: The AP scans the area for other Access Points and selects a free or relatively unused communication channel. This helps prevent interference problems and increases network performance. By default this feature is enabled; see 802.11g Channel Frequencies for a list of Channels.
Parameter: Frequency Channel
Description: When Auto Channel Select is enabled, this field is read-only and displays the Access Point’s current operating channel. When Auto Channel Select is disabled, you can specify the Access Point’s operating channel. If you decide to manually set the unit’s channel, ensure that nearby devices do not use the same frequency (unless you are setting up a WDS). Available Channels vary based on regulatory domain. See 802.11g Channel Frequencies.

Parameter: Transmit Rate
Description: Select a specific transmit rate for the AP. The values available depend on the Operational Mode. Auto Fallback is the default setting; it allows the AP to select the best transmit rate based on the cell size.
• For 802.11b only -- Auto Fallback, 1, 2, 5.5, 11 Mbits/sec
• For 802.11g only -- Auto Fallback, 6, 9, 12, 18, 24, 36, 48, 54 Mbits/sec
• For 802.11b/g -- Auto Fallback, 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbits/sec
Parameter: DTIM Period
Description: The Deferred Traffic Indicator Map (DTIM) is used with clients that have power management enabled. DTIM should be left at 1, the default value, if any clients have power management enabled. This parameter supports a range between 1 and 255.

Parameter: RTS/CTS Medium Reservation
Description: This parameter affects message flow control and should not be changed under normal circumstances. Range is 0 to 2347. When set to a value between 0 and 2347, the Access Point uses the RTS/CTS mechanism for packets that are the specified size or greater. When set to 2347 (the default setting), RTS/CTS is disabled. See RTS/CTS Medium Reservation for more information.

Parameter: Closed System
Description: Check this box to allow only clients configured with the Access Point’s specific Network Name to associate with the Access Point. When enabled, a client configured with the Network Name “ANY” cannot connect to the AP. This option is disabled by default.
Ethernet
Select the desired speed and transmission mode from the drop-down
menu. Half-duplex means that only one side can transmit at a time and
full-duplex allows both sides to transmit. When set to auto-duplex, the AP
negotiates with its switch or hub to automatically select the highest
throughput option supported by both sides.
For best results, Avaya recommends that you configure the Ethernet
setting to match the speed and transmission mode of the device the
Access Point is connected to (such as a hub or switch). If in doubt, leave
this setting at its default, auto-speed-auto-duplex. Choose between:
• 10 Mbit/s - half duplex, full duplex, or auto duplex
• 100 Mbit/s - half duplex or full duplex
• auto speed - half duplex or auto duplex
Wireless Distribution System (WDS)
A Wireless Distribution System (WDS) creates a link between two
802.11a, 802.11b, or 802.11b/g APs over their radio interfaces. This link
relays traffic from one AP that does not have Ethernet connectivity to a
second AP that has Ethernet connectivity. WDS allows you to configure
up to six (6) point-to-point links between Access Points.
In the WDS Example below, AP 1 and AP 2 communicate over a WDS
link (represented by the blue line). This link provides Client 1 with access
to network resources even though AP 1 is not directly connected to the
Ethernet network. Packets destined for or sent by the client are relayed
between the Access Points over the WDS link.
Figure 4-7. WDS Example (diagram labels: Client 1, Client 2)
Bridging WDS
Each WDS link is mapped to a logical WDS port on the AP. WDS ports
behave like Ethernet ports rather than like standard wireless interfaces:
on a BSS port, an Access Point learns by association and from frames;
on a WDS or Ethernet port, an Access Point learns from frames only.
When setting up a WDS, keep in mind the following:
• There are separate security settings for clients and WDS links.
The same WDS link security mode must be configured (currently
only None or WEP are supported) on each Access Point in the WDS
and the same WEP key must be configured.
• The WDS link shares the communication bandwidth with the clients. Therefore, while the maximum data rate for the Access Point's cell is 54 Mbits/second (802.11a, 802.11g only, or 802.11b/g modes) or 11 Mbits/second (802.11b only mode), client throughput will decrease when the WDS link is active.
• If there is no partner MAC address configured in the WDS table, the
WDS port remains disabled.
• Each WDS port on a single AP should have a unique partner MAC
address. Do not enter the same MAC address twice in an AP’s WDS
port list.
• Each Access Point that is a member of the WDS must have the
same Channel setting to communicate with each other.
• If your network does not support spanning tree, be careful to avoid
creating network loops between APs. For example, creating a WDS
link between two Access Points connected to the same Ethernet
network will create a network loop (if spanning tree is disabled). For
more information, refer to the Spanning Tree section.
WDS Setup Procedure
NOTE:
You must disable Auto Channel Select to create a WDS. Each
Access Point that is a member of the WDS must have the same
Channel setting to communicate with each other.
To setup a wireless backbone follow the steps below for each AP that you
wish to include in the Wireless Distribution System.
1. Confirm that Auto Channel Select is disabled.
2. Write down the MAC Address of the radio that you wish to include
in the Wireless Distribution System.
3. Open the Wireless Interface Configuration screen.
4. Scroll down to the Wireless Distribution System heading.
5. Click the Edit button to update the Wireless Distribution System
(WDS) Table.
6. Enter the MAC Address that you wrote down in Step 2 in one of the Partner MAC Address fields of the Wireless Distribution Setup window.
7. Set the Status of the device to Enable.
8. Click OK.
9. Reboot the AP.
Figure 4-8. WDS Configuration
NOTE:
To set up a Wireless Distribution System (WDS) with 802.1x, set
each Access Point’s 802.1x Security Mode to Mixed and assign
each unit in the WDS the same Encryption Key 1. See RADIUS.
Management
The Management category contains three sub-categories.
• Passwords
• IP Access Table
• Services
Passwords
You can configure the following passwords:
Type: SNMP Read Password
Description: For read access to the AP using SNMP. Enter a password in both the Password field and the Confirm field. The default password is “public”.

Type: SNMP Read/Write Password
Description: For read and write access to the AP using SNMP. Enter a password in both the Password field and the Confirm field. The default password is “public”.
Type: SNMPv3 Authentication Password
Description: For sending authenticated SNMPv3 messages. Enter a password in both the Password field and the Confirm field. The default password is “public”. Password length is recommended to be at least 8 characters. Secure Management (Services tab) must be enabled to configure SNMPv3.

Type: SNMPv3 Privacy Password
Description: For sending encrypted SNMPv3 data. Enter a password in both the Password field and the Confirm field. The default password is “public”. Password length is recommended to be at least 8 characters. Secure Management (Services tab) must be enabled to configure SNMPv3.

Type: Telnet (CLI) Password
Description: For the CLI interface (via serial or Telnet). Enter a password in both the Password field and the Confirm field. The default password is “public”.
Type: HTTP (Web) Password
Description: For the Web browser HTTP interface. Enter a password in both the Password field and the Confirm field. The default password is “public”.
NOTE:
For security purposes Avaya recommends changing ALL
PASSWORDS from the default “public” immediately, to restrict
access to your network devices to authorized personnel. If you
lose or forget your password settings, you can always perform
the Reset to Factory Default Procedure.
IP Access Table
The Management IP Access table limits in-band management access to
the IP addresses or range of IP addresses specified in the table. This
feature applies to all management options (SNMP, HTTP, and CLI)
except for CLI management over the serial port. To configure this table,
click Add and set the following parameters:
• IP Address: Enter the IP Address for the management station.
• IP Mask: Enter a mask that will act as a filter to limit access to a
range of IP Addresses based on the IP Address you already
entered.
— The IP mask 255.255.255.255 would authorize the single
station defined by the IP Address to configure the
Access Point. The AP would ignore commands from any other
IP address. In contrast, the IP mask 255.255.255.0 would
allow any device that shares the first three octets of the IP
address to configure the AP. For example, if you enter an IP
address of 10.20.30.1 with a 255.255.255.0 subnet mask, any
IP address between 10.20.30.1 and 10.20.30.254 will have
access to the AP’s management interfaces.
• Comment: Enter an optional comment, such as the station name.
To edit or delete an entry, click Edit. Edit the information, or select
Enable, Disable, or Delete from the Status pull-down menu.
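As an added illustration of the mask semantics described above (example code, not Avaya's), the following Python models the access check an entry performs and adds an audit helper that flags entries admitting more than a single station. It assumes that a table with no enabled entries imposes no restriction, which the guide does not state; the table entries at the bottom are constructed for the example.

```python
"""Model of the Management IP Access Table semantics described above.
Added example, not Avaya code; the entries at the bottom are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class AccessEntry:
    ip: str               # IP Address column
    mask: str             # IP Mask column
    comment: str = ""     # Comment column (optional)
    enabled: bool = True  # Status pull-down: Enable / Disable


def _addr(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def entry_matches(entry: AccessEntry, station_ip: str) -> bool:
    """The mask selects which address bits must agree with the entry's IP.
    255.255.255.255 admits one station; 255.255.255.0 admits every address
    sharing the first three octets."""
    if not entry.enabled:
        return False
    mask = _addr(entry.mask)
    return (_addr(entry.ip) & mask) == (_addr(station_ip) & mask)


def management_allowed(table: List[AccessEntry], station_ip: str,
                       via_serial: bool = False) -> bool:
    """In-band management (SNMP, HTTP, Telnet CLI) is allowed only from a
    station matched by an enabled entry; the serial port is never filtered."""
    if via_serial:
        return True
    enabled = [e for e in table if e.enabled]
    if not enabled:
        # Assumption: with no enabled entries the table imposes no restriction.
        return True
    return any(entry_matches(e, station_ip) for e in enabled)


def hosts_admitted(entry: AccessEntry) -> int:
    """Number of addresses an entry admits (contiguous masks assumed)."""
    mask = _addr(entry.mask)
    network = ipaddress.IPv4Network((_addr(entry.ip) & mask, entry.mask))
    return network.num_addresses


def broad_entries(table: List[AccessEntry],
                  max_hosts: int = 1) -> List[AccessEntry]:
    """Audit helper: enabled entries that admit more stations than max_hosts.
    A review of the table usually expects host-only (255.255.255.255) entries."""
    return [e for e in table if e.enabled and hosts_admitted(e) > max_hosts]


# Constructed table: the first entry is the 10.20.30.1 / 255.255.255.0
# example from the text; the second is a single administrator station;
# the third is a disabled leftover that must not grant access.
EXAMPLE_TABLE = [
    AccessEntry("10.20.30.1", "255.255.255.0", "NOC subnet"),
    AccessEntry("192.168.1.5", "255.255.255.255", "admin workstation"),
    AccessEntry("172.16.0.0", "255.255.0.0", "old entry", enabled=False),
]

if __name__ == "__main__":
    for station in ("10.20.30.77", "10.20.31.1", "192.168.1.5", "172.16.5.5"):
        print(station, management_allowed(EXAMPLE_TABLE, station))
    print("broad:", [e.comment for e in broad_entries(EXAMPLE_TABLE)])
```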
Services
You can configure the following management services:
• Secure Management
• SNMP Settings
• HTTP Access
• HTTPS Access (Secure Socket Layer)
• Telnet Configuration Settings
• Serial Configuration Settings
• Automatic Configuration
NOTE:
You must reboot the Access Point if you change the HTTP Port or
Telnet Port.
Secure Management
Secure Management allows the use of encrypted and authenticated communication protocols, such as SNMPv3 and Secure Socket Layer (SSL), to manage the Access Point.
Setting: Enable Secure Management
Description: Enables the further configuration of HTTPS Access and SNMPv3. After enabling Secure Management, you can choose to configure HTTPS (SSL) access on the Services tab, and configure SNMPv3 passwords on the Passwords tab.
SNMP Settings
Setting: SNMP Interface Bitmask
Description: Configure the interface or interfaces (Ethernet, Wireless, All Interfaces) from which you will manage the AP via SNMP. You can also select Disabled to prevent a user from accessing the AP via SNMP.
HTTP Access
Setting: HTTP Interface Bitmap
Description: Configure the interface or interfaces (Ethernet, Wireless, All Interfaces) from which you will manage the AP via the Web interface. For example, to allow Web configuration via the Ethernet network only, set HTTP Interface Bitmask to Ethernet. You can also select Disabled to prevent a user from accessing the AP from the Web interface.

Setting: HTTP Port
Description: Configure the HTTP port from which you will manage the AP via the Web interface. By default, the HTTP port is 80.

Setting: Enable HTTP Setup Wizard
Description: The Setup Wizard appears automatically the first time you access the HTTP interface. If you exited out of the Setup Wizard and want to relaunch it, enable this option, click OK, and then close your browser or reboot the AP. The Setup Wizard will appear the next time you access the HTTP interface.
Figure 4-9. Management Services Configuration Screen
HTTPS Access (Secure Socket Layer)
You can access the AP in a secure fashion using Secure Socket Layer
(SSL) over port 443. The AP supports SSLv3 with a 128-bit encryption
certificate maintained by the AP for secure communications between the
AP and the HTTP client. All communications are encrypted using the
server and the client-side certificate.
NOTE:
SSL requires Internet Explorer version 6, 128 bit encryption, Service
Pack 1, and patch Q323308.
The AP comes pre-installed with all required SSL files: default certificate
and private key installed.
Configuring Secure Socket Layer (SSL)
After enabling SSL, the only configurable parameter is the SSL
passphrase.
If you decide to upload a new certificate and private key (using TFTP or
HTTP File Transfer), you need to change the SSL Certificate Passphrase
for the new SSL files.
Setting: Enable HTTPS (Secure Web)
Description: Check this box to enable SSL on the AP.
NOTE:
You need to reboot the AP after enabling or disabling SSL for the changes to take effect.

Setting: SSL Certificate Passphrase
Description: Specifies the SSL Passphrase to use if Enable HTTPS has been checked. You must change the SSL passphrase when uploading a new certificate/private key pair, which will have a corresponding passphrase.
Accessing the AP through the HTTPS interface
Use an SSL-capable browser to access the AP through the HTTPS interface. After configuring SSL, access the AP using https:// followed by the AP’s management IP address.
Telnet Configuration Settings
Setting: Telnet Interface Bitmask
Description: Select the interface (Ethernet, Wireless, All Interfaces) from which you can manage the AP via telnet. This parameter can also be used to Disable telnet management.

Setting: Telnet Port
Description: The default port number for Telnet applications is 23. However, you can use this field if you want to change the Telnet port for security reasons (but your Telnet application also must support the new port number you select).
Setting: Login Idle Timeout (seconds)
Description: Enter the number of seconds the system will wait for a login attempt. The AP terminates the session when it times out. The range is 1 to 300 seconds; the default is 30 seconds.

Setting: Session Idle Timeout (seconds)
Description: Enter the number of seconds the system will wait during a session while there is no activity. The AP will terminate the session on timeout. The range is 1 to 36000 seconds; the default is 900 seconds.
Serial Configuration Settings
The serial port interface on the AP is enabled at all times. See Setting IP
Address using Serial Port for information on how to access the CLI
interface via the serial port. You can configure and view following
parameters:
Setting: Baud Rate
Description: Select the serial port speed (bits per second). Choose between 2400, 4800, 9600, 19200, 38400, or 57600; the default Baud Rate is 9600.

Setting: Flow Control
Description: Select either None (default) or Xon/Xoff (software controlled) data flow control.
NOTE:
To avoid potential problems when communicating with the AP through the serial port, Avaya recommends that you leave the Flow Control setting at None (the default value).

Setting: Serial Data Bits
Description: This is a read-only field and displays the number of data bits used in serial communication (8 data bits by default).
Setting: Serial Parity
Description: This is a read-only field and displays the number of parity bits used in serial communication (no parity bits by default).

Setting: Serial Stop Bits
Description: This is a read-only field that displays the number of stop bits used in serial communication (1 stop bit by default).
NOTE:
The serial port bit configuration is commonly referred to as 8N1.
Automatic Configuration
The Automatic Configuration feature allows an AP to be automatically configured by downloading a specific configuration file from a TFTP server during the boot-up process.
Automatic Configuration is disabled by default. The configuration process
for Automatic Configuration varies depending on whether the AP is
configured for dynamic or static IP.
When an AP is configured for dynamic IP, the Configuration filename and
the TFTP server IP address are contained in the DHCP response when
the AP gets its IP address dynamically from the DHCP server. When
configured for static IP, these parameters are instead configured in the
AP interface.
After setting up automatic configuration you must reboot the AP. When
the AP reboots it receives the new configuration information and must
reboot one additional time. If Syslog is configured, a Syslog message will
appear indicating the success or failure of the Automatic Configuration.
Set up Automatic Configuration for Static IP
Perform the following procedure to enable and set up Automatic
Configuration when you have a static IP address for the TFTP server.
1. Click Configure > Management > AutoConfig. The Automatic
Configuration Screen appears.
2. Check Enable Auto Configuration.
3. Enter the Configuration Filename.
4. Enter the IP address of the TFTP server in the TFTP Server
Address field.
NOTE:
The default filename is “config”. The default TFTP IP address is “169.254.128.133” for AP-8.
5. Click OK to save the changes.
6. Reboot the AP. When the AP reboots it receives the new
configuration information and must reboot one additional time. If a
Syslog server was configured, the following messages can be
observed on the Syslog server:
— AutoConfig for Static IP
— TFTP server address and configuration filename
— AutoConfg Successful
Figure 4-10. Automatic Configuration Screen
Set up Automatic Configuration for Dynamic IP
Perform the following procedure to enable and set up Automatic
Configuration when you have a dynamic IP address for the TFTP server
via DHCP.
The Configuration filename and the TFTP server IP address are
contained in the DHCP response when the AP gets its IP address
dynamically from the DHCP server. A Syslog server address is also
contained in the DHCP response, allowing the AP to send Auto
Configuration success and failure messages to a Syslog server.
NOTE:
The configuration filename and TFTP server IP address are configured in the AP only when the AP is configured for Static IP. If the AP is configured for Dynamic IP, these parameters are not used; they are obtained from DHCP instead.
1. Click Configure > Management > AutoConfig. The Automatic
Configuration Screen appears.
2. Check Enable Auto Configuration.
When the AP is Configured with Dynamic IP, the DHCP server
should be configured with the TFTP Server IP address (“Boot
Server Host Name”, option 66) and Configuration file (“Bootfile
name”, option 67) as follows:
3. Select DHCP Server > DHCP Option > Scope. The DHCP
Options: Scope Screen appears.
Figure 4-11. DHCP Options: Setting the Boot Server Host Name
4. Add the Boot Server host name and Boot Filename parameters to
the Active Options list.
5. Set the value of the Boot Server host name parameter to the host
name or IP Address of the TFTP server. For example: 11.0.0.7.
Figure 4-12. DHCP Options: Setting the Boot Server Host Name
6. Set the value of the Bootfile Name parameter to the Configuration
filename. For example: AP-Config
7. If using Syslog, set the Log server IP address (option 7, Log
Servers).
8. Reboot the AP. When the AP reboots it receives the new
configuration information and must reboot one additional time. If a
Syslog server was configured, the following messages can be
observed on the Syslog server:
— AutoConfig for Dynamic IP
— TFTP server address and configuration filename
— AutoConfig Successful
Filtering
The Access Point’s Packet Filtering features help control the amount of
traffic exchanged between the wired and wireless networks. There are
four sub-categories under the Filtering heading.
• Ethernet Protocol
• Static MAC
• Advanced
• TCP/UDP Port
Ethernet Protocol
The Ethernet Protocol Filter blocks or forwards packets based on the
Ethernet protocols they support.
Follow these steps to configure the Ethernet Protocol Filter:
1. Select the interface or interfaces that will implement the filter from
the Ethernet Protocol Filtering drop-down menu.
— Ethernet: Packets are examined at the Ethernet interface
— Wireless: Packets are examined at the Wireless interface
— All Interfaces: Packets are examined at both interfaces
— Disabled: The filter is not used
2. Select the Filter Operation Type.
— If set to Passthru, only the enabled Ethernet Protocols listed
in the Filter Table will pass through the bridge.
— If set to Block, the bridge will block enabled Ethernet
Protocols listed in the Filter Table.
3. Configure the Ethernet Protocol Filter Table. This table is
pre-populated with existing Ethernet Protocol Filters, however, you
may enter additional filters by specifying the appropriate
parameters.
— To add an entry, click Add, and then specify the Protocol
Number and a Protocol Name.
• Protocol Number: Enter the protocol number. See
http://www.iana.org/assignments/ethernet-numbers for a
list of protocol numbers.
• Protocol Name: Enter related information, typically the
protocol name.
— To edit or delete an entry, click Edit and change the
information, or select Enable, Disable, or Delete from the
Status drop-down menu.
— An entry’s status must be enabled in order for the protocol to
be subject to the filter.
Static MAC
The Static MAC Address filter optimizes the performance of a wireless
(and wired) network. When this feature is properly configured, the AP can
block traffic between wired devices and wireless devices based on MAC
address.
For example, you can set up a Static MAC filter to prevent wireless clients
from communicating with a specific server on the Ethernet network. You
can also use this filter to block unnecessary multicast packets from being
forwarded to the wireless network.
NOTE:
The Static MAC Filter is an advanced feature. You may find it easier
to control wireless traffic via other filtering options, such as Ethernet
Protocol Filtering.
Each static MAC entry contains the following fields:
• Wired MAC Address
• Wired Mask
• Wireless MAC Address
• Wireless Mask
• Comment: This field is optional.
Each MAC Address or Mask consists of 12 hexadecimal digits (0-9, A-F)
that together form a 48-bit identifier; each hexadecimal digit
represents 4 bits.
Taken together, a MAC Address/Mask pair specifies an address or a
range of MAC addresses that the AP will look for when examining
packets. The AP performs a bitwise Boolean “AND” between the MAC
Address and the Mask. Most users, however, do not need to think in
terms of bits: it is sufficient to create a filter using only the
hexadecimal digits 0 and F in the Mask (where 0 means any value is
accepted and F means the corresponding digit of the MAC Address must
match). A Mask of 00:00:00:00:00:00 corresponds to all MAC addresses,
and a Mask of FF:FF:FF:FF:FF:FF applies only to the specified MAC
Address.
Example
For example, if the MAC Address is 00:20:A6:12:54:C3 and the Mask is
FF:FF:FF:00:00:00, the AP will examine the source and destination
addresses of each packet looking for any MAC address starting with
00:20:A6. If the Mask is FF:FF:FF:FF:FF:FF, the AP will only look for the
specific MAC address (in this case, 00:20:A6:12:54:C3).
When creating a filter, you can configure the Wired parameters only, the
Wireless parameters only, or both sets of parameters. Which parameters
to configure depends upon the traffic that you want to block:
• To block all traffic from a specific wired MAC address from being
forwarded to the wireless network, configure only the Wired MAC
Address and Wired Mask (leave the Wireless MAC Address and Wireless
Mask set to all zeros).
• To block all traffic from a specific wireless MAC address from being
forwarded to the wired network, configure only the Wireless MAC
Address and Wireless Mask (leave the Wired MAC Address and Wired Mask
set to all zeros).
• To block all traffic between a specific wired MAC address and a
specific wireless MAC address, configure all four parameters.
Creating an Entry
To create an entry, click Add and enter the appropriate MAC addresses
and Masks to set up a filter. The entry is enabled automatically when
saved. To edit an entry, click Edit. To disable or remove an entry, click
Edit and change the Status field from Enable to Disable or Delete.
Figure 4-13. Static MAC Configuration Screen
Static MAC Filter Examples
Consider a network that contains a wired server and three wireless
clients. The MAC address for each unit is as follows:
• Wired Server: 00:40:F4:1C:DB:6A
• Wireless Client 1: 00:02:2D:51:94:E4
• Wireless Client 2: 00:02:2D:51:32:12
• Wireless Client 3: 00:20:A6:12:4E:38
Prevent Two Specific Devices from Communicating
Configure the following settings to prevent the Wired Server and Wireless
Client 1 from communicating:
• Wired MAC Address: 00:40:F4:1C:DB:6A
• Wired Mask: FF:FF:FF:FF:FF:FF
• Wireless MAC Address: 00:02:2D:51:94:E4
• Wireless Mask: FF:FF:FF:FF:FF:FF
Result: Traffic between the Wired Server and Wireless Client 1 is
blocked. Wireless Clients 2 and 3 can still communicate with the Wired
Server.
Prevent Multiple Wireless Devices From Communicating With a Single Wired Device
Configure the following settings to prevent Wireless Clients 1 and 2 from
communicating with the Wired Server.
• Wired MAC Address: 00:40:F4:1C:DB:6A
• Wired Mask: FF:FF:FF:FF:FF:FF
• Wireless MAC Address: 00:02:2D:51:94:E4
• Wireless Mask: FF:FF:FF:00:00:00
Result: When a logical “AND” is performed on the Wireless MAC
Address and Wireless Mask, the result corresponds to any MAC address
beginning with the 00:02:2D prefix. Since Wireless Client 1 and Wireless
Client 2 share the same prefix (00:02:2D), traffic between the Wired
Server and Wireless Clients 1 and 2 is blocked. Wireless Client 3 can still
communicate with the Wired Server since it has a different prefix
(00:20:A6).
Prevent All Wireless Devices From Communicating With a Single Wired Device
Configure the following settings to prevent all three Wireless Clients from
communicating with Wired Server 1.
• Wired MAC Address: 00:40:F4:1C:DB:6A
• Wired Mask: FF:FF:FF:FF:FF:FF
• Wireless MAC Address: 00:00:00:00:00:00
• Wireless Mask: 00:00:00:00:00:00
Result: The Access Point blocks all traffic between Wired Server 1 and
all wireless clients.
Prevent A Wireless Device From Communicating With the Wired Network
Configure the following settings to prevent Wireless Client 3 from
communicating with any device on the Ethernet.
• Wired MAC Address: 00:00:00:00:00:00
• Wired Mask: 00:00:00:00:00:00
• Wireless MAC Address: 00:20:A6:12:4E:38
• Wireless Mask: FF:FF:FF:FF:FF:FF
Result: The Access Point blocks all traffic between Wireless Client 3 and
the Ethernet network.
Prevent Messages Destined for a Specific Multicast Group from Being Forwarded to the Wireless LAN
If there are devices on your Ethernet network that use multicast packets
to communicate and these packets are not required by your wireless
clients, you can set up a Static MAC filter to preserve wireless bandwidth.
For example, if routers on your network use a specific multicast address
(such as 01:00:5E:00:32:4B) to exchange information, you can set up a
filter to prevent these multicast packets from being forwarded to the
wireless network:
• Wired MAC Address: 01:00:5E:00:32:4B
• Wired Mask: FF:FF:FF:FF:FF:FF
• Wireless MAC Address: 00:00:00:00:00:00
• Wireless Mask: 00:00:00:00:00:00
Result: The Access Point does not forward any packets that have a
destination address of 01:00:5E:00:32:4B to the wireless network.
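The following Python is an added example, not code from the Avaya guide or the AP-8 firmware. It models the MAC Address/Mask “AND” matching described under Static MAC and replays the five Static MAC Filter Examples above; the rule that a bridged frame is dropped when one of its addresses matches the Wired pattern and one matches the Wireless pattern is an assumption drawn from those examples.

```python
# Added example: Static MAC filter matching (MAC Address + Mask, bitwise AND,
# 0 = any value, F = must match). Illustrative code, not the AP-8 firmware.
from dataclasses import dataclass
from typing import Dict, List


def parse_mac(text: str) -> int:
    """Turn a 12-hex-digit MAC (colon, dash or undelimited) into a 48-bit int."""
    digits = text.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"MAC/mask must have 12 hexadecimal digits: {text!r}")
    return int(digits, 16)  # raises ValueError on non-hex characters


def format_mac(value: int) -> str:
    """Inverse of parse_mac: 48-bit int -> 'AA:BB:CC:DD:EE:FF'."""
    return ":".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def matches(pattern_mac: str, pattern_mask: str, candidate: str) -> bool:
    """AND the Mask with both addresses; equal results mean the candidate matches.

    A mask of all zeros therefore matches every address, a mask of all Fs
    only the exact address, and FF:FF:FF:00:00:00 any address that shares
    the first three bytes (the OUI prefix).
    """
    mask = parse_mac(pattern_mask)
    return (parse_mac(candidate) & mask) == (parse_mac(pattern_mac) & mask)


@dataclass(frozen=True)
class StaticMacEntry:
    wired_mac: str
    wired_mask: str
    wireless_mac: str
    wireless_mask: str
    comment: str = ""
    enabled: bool = True  # entries are enabled automatically when saved

    def blocks(self, src: str, dst: str) -> bool:
        """Assumed rule: drop the frame when one address matches the Wired
        pattern and one address matches the Wireless pattern."""
        if not self.enabled:
            return False
        addrs = (src, dst)
        wired_hit = any(matches(self.wired_mac, self.wired_mask, a) for a in addrs)
        wireless_hit = any(matches(self.wireless_mac, self.wireless_mask, a) for a in addrs)
        return wired_hit and wireless_hit


def bridge_forwards(table: List[StaticMacEntry], src: str, dst: str) -> bool:
    """Forwarding decision for one frame crossing the bridge: any hit drops it."""
    return not any(entry.blocks(src, dst) for entry in table)


# Addresses from the 'Static MAC Filter Examples' above.
WIRED_SERVER = "00:40:F4:1C:DB:6A"
CLIENT_1 = "00:02:2D:51:94:E4"
CLIENT_2 = "00:02:2D:51:32:12"
CLIENT_3 = "00:20:A6:12:4E:38"
ROUTER_GROUP = "01:00:5E:00:32:4B"
ANY = "00:00:00:00:00:00"
EXACT = "FF:FF:FF:FF:FF:FF"
OUI_ONLY = "FF:FF:FF:00:00:00"

# One entry per example in the text, in the order the examples appear.
EXAMPLE_ENTRIES: Dict[str, StaticMacEntry] = {
    "two_devices": StaticMacEntry(WIRED_SERVER, EXACT, CLIENT_1, EXACT),
    "oui_prefix": StaticMacEntry(WIRED_SERVER, EXACT, CLIENT_1, OUI_ONLY),
    "all_wireless": StaticMacEntry(WIRED_SERVER, EXACT, ANY, ANY),
    "one_wireless": StaticMacEntry(ANY, ANY, CLIENT_3, EXACT),
    "multicast": StaticMacEntry(ROUTER_GROUP, EXACT, ANY, ANY),
}


def example_results() -> Dict[str, List[str]]:
    """For each example entry, list the wireless clients that can still
    exchange frames with the wired server in both directions."""
    clients = {"client1": CLIENT_1, "client2": CLIENT_2, "client3": CLIENT_3}
    results = {}
    for name, entry in EXAMPLE_ENTRIES.items():
        results[name] = sorted(
            c for c, mac in clients.items()
            if bridge_forwards([entry], WIRED_SERVER, mac)
            and bridge_forwards([entry], mac, WIRED_SERVER)
        )
    return results


if __name__ == "__main__":
    for name, reachable in example_results().items():
        print(f"{name:13s} clients still reaching the server: {reachable}")
    # Multicast example: a frame from the Ethernet to the router group is dropped.
    print(bridge_forwards([EXAMPLE_ENTRIES["multicast"]], WIRED_SERVER, ROUTER_GROUP))
```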
Advanced
You can configure the following advanced filtering options:
• Enable Proxy ARP: Place a check mark in the box provided to allow
the Access Point to respond to Address Resolution Protocol (ARP)
requests for wireless clients. When enabled, the AP answers ARP
requests for wireless stations without actually forwarding them to
the wireless network. If disabled, the Access Point will bridge ARP
requests for wireless clients to the wireless LAN.
• Enable IP/ARP Filtering: Place a check mark in the box provided
to allow IP/ARP filtering based on the IP/ARP Filtering Address and
IP Mask. Leave the box unchecked to prevent filtering. If enabled,
you should also configure the IP/ARP Filtering Address and IP/ARP
IP Mask.
— IP/ARP Filtering Address: Enter the Network filtering IP
Address.
— IP/ARP IP Mask: Enter the Network Mask IP Address.
The following protocols are listed in the Advanced Filter Table:
• Deny IPX RIP
• Deny IPX SAP
• Deny IPX LSP
• Deny IP Broadcasts
• Deny IP Multicasts
The AP can filter these protocols in the wireless-to-Ethernet direction, the
Ethernet-to-wireless direction, or in both directions. Click Edit and use the
Status field to Enable or Disable the filter.
TCP/UDP Port
Port-based filtering enables you to control wireless user access to
network services by selectively blocking TCP/UDP protocols through the
AP. A user specifies a Protocol Name, Port Number, Port Type (TCP,
UDP, or TCP/UDP), and filtering interfaces (Wireless only, Ethernet only,
all interfaces, or no interfaces) in order to block access to services, such
as Telnet and FTP, and traffic, such as NETBIOS and HTTP.
For example, an AP with the following configuration would discard frames
received on its Ethernet interface with a UDP destination port number of
137, effectively blocking NETBIOS Name Service packets.
• Protocol Type (TCP/UDP): UDP
• Destination Port Number: 137
• Protocol Name: NETBIOS Name Service
• Interface: Ethernet
• Status (Enable/Disable): Enable
Adding TCP/UDP Port Filters
1. Place a check mark in the box labeled Enable TCP/UDP Port
Filtering.
2. Click Add under the TCP/UDP Port Filter Table heading.
3. In the TCP/UDP Port Filter Table, enter the Protocol Names to
filter.
4. Set the destination Port Number (a value between 0 and 65535) to
filter. See the IANA Web site at
http://www.iana.org/assignments/port-numbers for a list of
assigned port numbers and their descriptions.
5. Set the Port Type for the protocol: TCP, UDP, or both (TCP/UDP).
6. Set the Interface to filter:
— Wireless
— Ethernet
— All interfaces
— No interfaces
7. Click OK.
Editing TCP/UDP Port Filters
1. Click Edit under the TCP/UDP Port Filter Table heading.
2. Make any changes to the Protocol Name or Port Number for a
specific entry, if necessary.
3. In the row that defines the port, set the Status to Enable, Disable,
or Delete, as appropriate.
4. Select OK.
Alarms
This category has three sub-categories.
• Groups
• Alarm Host Table
• Syslog
Groups
There are seven alarm groups that can be enabled or disabled via the
Web interface. Place a check mark in the box provided to enable a
specific group. Remove the check mark from the box to disable the
alarms. Alarm Severity Levels vary.
• Configuration Alarm
— oriTrapDNSIPNotConfigured: This trap is generated when the DNS IP
Address has not been configured. Severity Level: Major
• Security Alarms
— oriTrapAuthenticationFailure: This trap is generated when a client
authentication failure occurs. The authentication failures can range
from:
- MAC Access Control Table
- RADIUS MAC Authentication
- 802.1x Authentication specifying the EAP-Type
Severity Level: Major
— oriTrapUnauthorizedManagerDetected: This trap is generated when an
unauthorized manager has attempted to view and/or modify parameters.
Severity Level: Major
• Wireless Alarms
— oriTrapWLCFailure: This trap is generated when a general failure
occurs with the wireless interface/radio. Severity Level: Critical
— oriTrapWLCFirmwareDownloadFailure: This trap is generated when a
failure occurs during the firmware download process of the wireless
interface/radio. Severity Level: Critical
• Operational Alarms
— oriTrapWatchDogTimerExpired: This trap is generated when the
software watch dog timer expires. This indicates that a problem has
occurred with one or more software modules and the AP will reboot
automatically. Trap Severity Level: Critical
— oriTrapRADIUSServerNotResponding: This trap is generated when no
response is received from the RADIUS server(s) for authentication
requests sent from the RADIUS client in the AP. Trap Severity Level:
Major
— oriTrapModuleNotInitialized: This trap is generated when a certain
software or hardware module is not initialized or fails to initialize.
Trap Severity Level: Major
— oriTrapDeviceRebooting: This trap is generated when the AP is
rebooting. Trap Severity Level: Informational
— oriTrapTaskSuspended: This trap is generated when a software task in
the AP is suspended. Trap Severity Level: Critical
— oriTrapBootPFailed: In bootloader mode, this trap is generated when
the AP does not receive a response from the BootP server. The result
is that the Access Point reverts to its static IP configuration and
you will need to reset configuration options. Trap Severity Level:
Major
— oriTrapDHCPFailed: In operational mode, this trap is generated when
the AP does not receive a response from the DHCP server. The result
is that the Access Point reverts to its static IP configuration and
you will need to reset configuration options. Trap Severity Level:
Major
• FLASH Memory Alarms
— oriTrapFlashMemoryEmpty: This trap is generated when an error
occurs while downloading a file to the AP and no data is present in
the flash memory. Severity Level: Informational
— oriTrapFlashMemoryCorrupted: This trap is generated when an error
occurs while downloading a file to the AP and the data in the flash
memory is invalid or corrupted. Severity Level: Critical
• TFTP Alarms
— oriTrapTFTPFailedOperation: This trap is generated when a failure
occurs during a TFTP upload or download operation. Severity Level:
Major
— oriTrapTFTPOperationInitiated: This trap is generated when a TFTP
upload or download operation is started. Severity Level: Informational
— oriTrapTFTPOperationCompleted: This trap is generated when a TFTP
operation is complete (upload or download). Severity Level:
Informational
• Image Alarms
— oriTrapZeroSizeImage: This trap is generated when a zero size image
is loaded on the AP. Trap Severity Level: Major
— oriTrapInvalidImage: This trap is generated when an invalid image is
loaded in the Access Point. Trap Severity Level: Major
— oriTrapImageTooLarge: This trap is generated when the image loaded
in the AP exceeds the size limitation of the flash memory. Trap
Severity Level: Major
— oriTrapIncompatibleImage: This trap is generated when an
incompatible image is loaded in the AP. Trap Severity Level: Major
In addition, the AP supports these standard traps, which are always
enabled:
• RFC 1215 Traps
— coldStart: The AP has been turned on or rebooted. Trap Severity
Level: Informational
— linkUp: The AP's Ethernet interface link is up (working). Trap
Severity Level: Informational
— linkDown: The AP's Ethernet interface link is down (not working).
Trap Severity Level: Informational
• Bridge MIB (RFC 1493) Alarms
— newRoot: This trap indicates that the AP has become the new root in
the Spanning Tree network. Trap Severity Level: Informational
— topologyChange: This trap is sent by the AP when any of its
configured ports transitions from the Learning state to the Forwarding
state, or from the Forwarding state to the Blocking state. This trap
is not sent if a newRoot trap is sent for the same transition. Trap
Severity Level: Informational
All these alarm groups correspond to System Alarms that are displayed in
the System Status screen, including the traps that are sent by the AP to
the SNMP managers specified in the Alarm Host Table.
Severity Levels
There are three severity levels for system alarms:
• Critical
• Major
• Informational
Critical alarms will often result in severe disruption in network activity or
an automatic reboot of the AP.
Major alarms are usually activated due to a breach in the security of the
system: clients cannot be authenticated, or an attempt at unauthorized
access into the AP has been detected.
Informational alarms are there to provide the network administrator with
some general information about the activities the AP is performing.
Alarm Host Table
Add an Entry or Enable the AP
To add an entry and enable the AP to send SNMP trap messages to a
Trap Host, click Add, and then specify the IP Address and Password.
• IP Address: Enter the Trap Host IP Address.
• Password: Enter the password in the Password field and the
Confirm field.
• Comment: Enter an optional comment, such as the alarm (trap)
host station name.
Edit or Delete an Entry
To edit or delete an entry, click Edit. Edit the information, or select
Enable, Disable, or Delete from the Status drop-down menu.
Syslog
The Syslog messaging system enables the AP to transmit event
messages to a central server for monitoring and troubleshooting. The AP
can send messages to one Syslog server (it cannot send messages to
more than one Syslog server). The access point logs “Session Start
(Log-in)” and “Session Stop (Log-out)” events for each wireless client as
an alternative to RADIUS accounting.
See RFC 3164 at http://www.rfc-editor.org for more information on the
Syslog standard.
Figure 4-14. Syslog Configuration Screen
Setting Syslog Event Notifications
Syslog Events are logged according to the level of detail specified by the
administrator. Logging only urgent system messages will create a far
smaller, more easily read log than a log of every event the system
encounters. Determine which events to log by selecting a priority defined
by the following scale:
• LOG_EMERG (priority 0): system is unusable
• LOG_ALERT (priority 1): action must be taken immediately
• LOG_CRIT (priority 2): critical conditions
• LOG_ERR (priority 3): error conditions
• LOG_WARNING (priority 4): warning conditions
• LOG_NOTICE (priority 5): normal but significant condition
• LOG_INFO (priority 6): informational
• LOG_DEBUG (priority 7): debug-level messages
Configuring Syslog Event Notifications
You can configure the following Syslog settings from the HTTP interface:
• Enable Syslog: Place a check mark in the box provided to enable
system logging.
• Syslog Port Number: This field is read-only and displays the port
number (514) assigned for system logging.
• Syslog Lowest Priority Logged: The AP will send event messages
to the Syslog server that correspond to the selected priority and
above. For example, if set to 6, the AP will transmit event messages
labeled priority 0 to 6 to the Syslog server(s). This parameter
supports a range between 0 and 7; 6 is the default.
• Syslog Heartbeat Status: When Heartbeat is enabled, the AP
periodically sends a message to the Syslog server to indicate that it
is active.
• Syslog Heartbeat Interval: If Syslog Heartbeat Status is enabled,
this field provides the interval for the heartbeat in seconds. The
default is 900 seconds.
• Syslog Host Table: This table specifies the IP addresses of the
network servers that the AP will send Syslog messages to. Click
Add to create a new entry. Click Edit to change an existing entry.
Each entry contains the following fields:
— IP Address: Enter the IP Address for the management host.
— Comment: Enter an optional comment such as the host
name.
— Status: The entry is enabled automatically when saved (so
the Status field is only visible when editing an entry). You can
also disable or delete entries by changing this field’s value.
Bridge
The AP is a bridge between your wired and wireless networking devices.
As a bridge, the functions performed by the AP include:
• MAC address learning
• Forwarding and filtering decision making
• Spanning Tree protocol used for loop avoidance
Once the AP is connected to your network, it learns which devices are
connected to it and records their MAC addresses in the Learn Table. The
table can hold up to 10,000 entries. To view the Learn Table, click on the
Monitor button in the web interface and select the Learn Table tab.
The Bridge tab has four sub-categories.
• Spanning Tree
• Storm Threshold
• Intra BSS
• Packet Forwarding
Spanning Tree
A Spanning Tree is used to avoid redundant communication loops in
networks with multiple bridging devices. Bridges do not have any inherent
mechanism to avoid loops, because having redundant systems is a
necessity in certain networks. However, redundant systems can cause
Broadcast Storms, multiple frame copies, and MAC address table
instability problems.
Complex network structures can create multiple loops within a network.
The Spanning Tree configuration blocks certain ports on AP devices to
control the path of communication within the network, avoiding loops and
following a spanning tree structure.
For more information on Spanning Tree protocol, please see Section 8.0
of the IEEE 802.1d standard. The Spanning Tree configuration options
are advanced settings. Avaya recommends that you leave these
parameters at their default values unless you are familiar with the
Spanning Tree protocol.
Storm Threshold
Storm Threshold is an advanced Bridge setup option that you can use to
protect the network against data overload by:
• Specifying a maximum number of frames per second as received
from a single network device (identified by its MAC address).
• Specifying an absolute maximum number of messages per port.
The Storm Threshold parameters allow you to specify a set of thresholds
for each port of the AP, identifying separate values for the number of
broadcast messages/second and Multicast messages/second.
When the number of frames for a port or identified station exceeds the
maximum value per second, the AP will ignore all subsequent messages
issued by the particular network device, or ignore all messages of that
type.
• Address Threshold: Enter the maximum allowed number of
packets per second.
• Ethernet Threshold: Enter the maximum allowed number of
packets per second.
• Wireless Threshold: Enter the maximum allowed number of
packets per second.
Intra BSS
The wireless clients (or subscribers) that associate with a certain AP form
the Basic Service Set (BSS) of a network infrastructure. By default,
wireless subscribers in the same BSS can communicate with each other.
However, some administrators (such as wireless public spaces) may wish
to block traffic between wireless subscribers that are associated with the
same AP to prevent unauthorized communication and to conserve
bandwidth. This feature enables you to prevent wireless subscribers
within a BSS from exchanging traffic.
Although this feature is generally enabled in public access environments,
Enterprise LAN administrators use it to conserve wireless bandwidth by
limiting communication between wireless clients. For example, this
feature prevents peer-to-peer file sharing or gaming over the wireless
network.
• To block Intra BSS traffic, set Intra BSS Traffic Operation to Block.
• To allow Intra BSS traffic, set Intra BSS Traffic Operation to
Passthru.
Packet Forwarding
The Packet Forwarding feature enables you to redirect traffic generated
by wireless clients that are all associated to the same AP to a single MAC
address. This filters wireless traffic without burdening the AP and
provides additional security by limiting potential destinations or by routing
the traffic directly to a firewall. You can redirect to a specific port (Ethernet
or WDS) or allow the bridge’s learning process (and the forwarding table
entry for the selected MAC address) to determine the optimal port.
NOTE:
The gateway to which traffic will be redirected should be a node on
the Ethernet network. It should not be a wireless client.
Configuring Interfaces for Packet Forwarding
Configure your AP to forward packets by specifying interface port(s) to
which packets are redirected and a destination MAC address.
1. Within the Packet Forwarding Configuration screen, check the
box labeled Enable Packet Forwarding.
2. Specify a destination Packet Forwarding MAC Address. The AP
will redirect all unicast, multicast, and broadcast packets received
from wireless clients to the address you specify.
3. Select a Packet Forwarding Interface Port from the drop-down
menu. You can redirect traffic to:
— Ethernet
— A WDS connection (see Management for details)
— Any (traffic is redirected to a port based on the bridge learning
process)
4. Click OK to save your changes.
RADIUS
The AP communicates with a network’s RADIUS server to provide the
following features:
• MAC Access Control by Means of RADIUS Authentication
• RADIUS Authentication with 802.1x
• RADIUS Accounting
The network administrator can configure multiple RADIUS Authentication
Servers for different Authentication types. The currently available
authentication types are EAP/802.1x authentication and MAC-based
authentication. You can configure two separate sets of Primary and
Secondary RADIUS Servers for each of the two supported Authentication
types, 802.1x EAP based authentication and MAC based authentication.
You can configure the AP to communicate with up to six different RADIUS
servers:
• Primary Authentication Server (MAC-based authentication)
• Back-up Authentication Server (MAC-based authentication)
• Primary Authentication Server (EAP/802.1x authentication)
• Back-up Authentication Server (EAP/802.1x authentication)
• Primary Accounting Server
• Back-up Accounting Server
NOTE:
You must have configured the settings for at least one
Authentication server before configuring the settings for an
Accounting server.
The back-up servers are optional, but when configured, the AP will
communicate with the back-up server if the primary server is off-line. After
the AP has switched to the backup server, it will periodically check the
status of the primary RADIUS server every five (5) minutes. Once the
primary RADIUS server is again online, the AP automatically reverts from
the backup RADIUS server back to the primary RADIUS server. All
subsequent requests are then sent to the primary RADIUS server.
You can view monitoring statistics for each of the configured RADIUS
servers.
MAC Access Control by Means of RADIUS Authentication
If you want to control wireless access to the network and if your network
includes a RADIUS Server, you can store the list of MAC addresses on
the RADIUS server rather than configure each AP individually. From the
RADIUS Authentication tab, you can define the IP Address of the server
that contains a central list of MAC Address values that identify the
authorized stations that may access the wireless network. You must
specify information for at least the primary RADIUS server. The back-up
RADIUS server is optional.
NOTE:
Contact your RADIUS server manufacturer if you have problems
configuring the server or have problems using RADIUS
authentication.
Follow these steps to enable RADIUS MAC Access Control:
1. Within the RADIUS Auth screen, place a check mark in the box
labeled Enable RADIUS MAC Access Control.
2. Place a check mark in the box labeled Enable Primary RADIUS
Authentication Server.
3. If you want to configure a back-up RADIUS server, place a check
mark in the box labeled Enable Back-up RADIUS Authentication
Server.
4. Enter the time, in seconds, each client session may be active
before being automatically re-authenticated in the Authorization
Lifetime field. This parameter supports a value between 7200 and
43200 sec; the default is 0 sec.
5. Select a MAC Address Format Type. This should correspond to
the format in which the clients’ 12-digit MAC addresses are listed
within the RADIUS server. Available options include:
— Dash delimited: dash between each pair of digits:
xx-yy-zz-aa-bb-cc
— Colon delimited: colon between each pair of digits:
xx:yy:zz:aa:bb:cc
— Single dash delimited: dash between the sixth and seventh
digits: xxyyzz-aabbcc
— No delimiters: No characters or spaces between pairs of
hexadecimal digits: xxyyzzaabbcc
6. Select a Server Addressing Format type (IP Address or Name).
— If you want to identify RADIUS servers by name, you must
configure the AP as a DNS Client. See DNS Client for details.
7. Enter the server’s IP address or name in the field provided.
8. Enter the port number which the AP and the server will use to
communicate. By default, RADIUS servers communicate on port
1812.
9. Enter the Shared Secret in the Shared Secret and Confirm
Shared Secret field. This is a password shared by the RADIUS
server and the AP. The same password must also be configured
on the RADIUS server.
10. Enter the maximum time, in seconds, that the AP should wait for
the RADIUS server to respond to a request in the Response Time
field. Range is 1-10 seconds; default is 3 seconds.
11. Enter the maximum number of times an authentication request
may be retransmitted in the Maximum Retransmissions field.
Range is 1-4; default is 3.
12. If you are configuring a back-up server, repeat Steps 6 through 11
for the back-up server.
13. Click OK to save your changes.
14. Reboot the AP for these changes to take effect.
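As an added example (not Avaya's code), the following Python converts a client's MAC address into each of the four MAC Address Format Types described in Step 5 and identifies which type an existing RADIUS server entry uses, so the AP can be set to match; the sample addresses are constructed.

```python
import re

# The four MAC Address Format Types on the RADIUS MAC Access Control screen.
# The key is the `fmt` argument used below; the value is the pattern the
# guide shows for that type.
MAC_FORMATS = {
    "dash": "xx-yy-zz-aa-bb-cc",
    "colon": "xx:yy:zz:aa:bb:cc",
    "single_dash": "xxyyzz-aabbcc",
    "none": "xxyyzzaabbcc",
}

_PAIRS = range(0, 12, 2)


def parse_mac(text: str) -> str:
    """Accept a MAC address written in any of the four formats (either case)
    and return its 12 hexadecimal digits in lower case.  Anything that does
    not reduce to exactly 12 hex digits is rejected."""
    digits = re.sub(r"[-:]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 12-hex-digit MAC address: {text!r}")
    return digits


def is_mac(text: str) -> bool:
    """True if `text` parses as a MAC address in one of the four formats."""
    try:
        parse_mac(text)
        return True
    except ValueError:
        return False


def format_mac(text: str, fmt: str, upper: bool = False) -> str:
    """Render a MAC address in the given format type, i.e. the string the AP
    presents to the RADIUS server when that type is selected."""
    d = parse_mac(text)
    if fmt == "dash":
        out = "-".join(d[i:i + 2] for i in _PAIRS)
    elif fmt == "colon":
        out = ":".join(d[i:i + 2] for i in _PAIRS)
    elif fmt == "single_dash":
        out = d[:6] + "-" + d[6:]
    elif fmt == "none":
        out = d
    else:
        raise ValueError(f"unknown MAC Address Format Type: {fmt!r}")
    return out.upper() if upper else out


def detect_format(server_entry: str) -> str:
    """Given a MAC address exactly as it is listed on the RADIUS server,
    return the format type to select on the AP so its lookups match.  The
    comparison ignores case, since case is not part of the format types."""
    for fmt in MAC_FORMATS:
        if format_mac(server_entry, fmt).lower() == server_entry.strip().lower():
            return fmt
    raise ValueError(f"{server_entry!r} is not in any supported format")


def mismatched_entries(server_entries: list, fmt: str) -> list:
    """Return the server entries the AP will never match while `fmt` is
    selected (including entries that are not MAC addresses at all): the usual
    reason a client is rejected although its address is on the server."""
    out = []
    for entry in server_entries:
        try:
            ok = detect_format(entry) == fmt
        except ValueError:
            ok = False
        if not ok:
            out.append(entry)
    return out
```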
Figure 4-15. RADIUS MAC-Based Access Control Screen
RADIUS Authentication with 802.1x
You must configure a primary EAP/802.1x Authentication server to use
802.1x security. A back-up server is optional.
NOTE:
Problems with RADIUS Server configuration or RADIUS
Authentication should be referred to the RADIUS Server developer.
Follow these steps to enable a RADIUS Authentication server for 802.1x
security:
1. Click the RADIUS tab.
2. Click the EAP/802.1x sub-tab.
3. Place a check mark in the box labeled Enable Primary
EAP/802.1x Authentication Server.
4. If you want to configure a back-up RADIUS server, place a check
mark in the box labeled Enable Back-up EAP/802.1x
Authentication Server.
5. Select a Server Addressing Format type (IP Address or Name).
— If you want to identify RADIUS servers by name, you must
configure the AP as a DNS Client. See DNS Client for details.
6. Enter the server’s IP address or name in the field provided.
7. Enter the port number that the AP and the server will use to
communicate. By default, RADIUS servers communicate on port
1812.
8. Enter the Shared Secret in the Shared Secret and Confirm
Shared Secret field. This is a password shared by the RADIUS
server and the AP. The same password must also be configured
on the RADIUS server.
9. Enter the maximum time, in seconds, that the AP should wait for
the RADIUS server to respond to a request in the Response Time
field. Range is 1-10 seconds; default is 3 seconds.
10. Enter the maximum number of times an authentication request
may be retransmitted in the Maximum Retransmissions field.
Range is 1-4; default is 3.
11. If you are configuring a back-up server, repeat Steps 7 through 12
for the back-up server.
12. Click OK to save your changes.
13. Reboot the AP device for these changes to take effect.
Figure 4-16. EAP/802.1x Authentication Screen
RADIUS Accounting
Using an external RADIUS server, the AP can track and record the length
of client sessions on the access point by sending RADIUS accounting
messages per RFC2866. When a wireless client is successfully
authenticated, RADIUS accounting is initiated by sending an “Accounting
Start” request to the RADIUS server. When the wireless client session
ends, an “Accounting Stop” request is sent to the RADIUS server.
Session Length
Accounting sessions continue when a client reauthenticates to the same
AP. Sessions are terminated when:
• A client disassociates.
• A client does not transmit any data to the AP for a fixed amount of
time.
• A client is detected on a different interface.
If the client roams from one AP to another, one session is terminated and
a new session is begun.
NOTE:
This feature requires RADIUS authentication using MAC Access
Control or 802.1x. Wireless clients configured in the Access Point’s
static MAC Access Control list are not tracked.
Configuring RADIUS Accounting
Follow these steps to enable RADIUS accounting on the AP:
1. Within the RADIUS Accounting Configuration screen, place a
check mark in the Enable RADIUS Accounting box to turn on this
feature.
2. Place a check mark in the box labeled Enable Primary RADIUS
Accounting Server.
3. If you want to configure a back-up RADIUS server, place a check
mark in the box labeled Enable Back-up RADIUS Accounting
Server.
4. Enter the session timeout interval in minutes within the
Accounting Inactivity Timer field. An accounting session
automatically ends for a client that is idle for the period of time
specified. Range is 1-60 minutes; default is 5 minutes.
5. Select a Server Addressing Format type (IP Address or Name).
— If you want to identify RADIUS servers by name, you must
configure the Access Point as a DNS Client. See DNS Client
for details.
6. Enter the server’s IP address or name in the field provided.
7. Enter the port number that the AP and the server will use to
communicate. By default, RADIUS accounting uses port 1813.
8. Enter the Shared Secret in the Shared Secret and Confirm
Shared Secret field. This is a password shared by the RADIUS
server and the AP. The same password must also be configured
on the RADIUS server.
9. Enter the maximum time, in seconds, that the AP should wait for
the RADIUS server to respond to a request in the Response Time
field. Range is 1-10 seconds; default is 3 seconds.
10. Enter the maximum number of times an authentication request
may be retransmitted in the Maximum Retransmissions field.
Range is 1-4; default is 3.
11. If you are configuring a back-up server, repeat Steps 5 through 10
for the back-up server.
12. Click OK to save your changes.
13. Reboot the AP device for these changes to take effect.
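As an added example (not Avaya's code) of the Accounting Start and Stop messages described under RADIUS Accounting, and of why the Shared Secret in Step 8 must match on both sides, the following Python builds and verifies RFC 2866 Accounting-Request and Accounting-Response packets. The shared secret, client MAC, session ID and NAS address are constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 2866 codes and the IANA-assigned attributes this example uses.
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ATTR_ACCT_SESSION_TIME = 46
ACCT_START, ACCT_STOP = 1, 2
RADIUS_ACCOUNTING_PORT = 1813   # the AP's default accounting port


def _attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1), Length (1, header included), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_accounting_request(identifier, secret, user_name, session_id,
                             nas_ip, status, session_time=None) -> bytes:
    """Accounting-Request for one client session.  `status` is ACCT_START
    once the client has authenticated and ACCT_STOP when its session ends;
    a Stop also carries Acct-Session-Time, the session length the AP tracked."""
    attrs = _attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
    attrs += _attr(ATTR_USER_NAME, user_name.encode())
    attrs += _attr(ATTR_ACCT_SESSION_ID, session_id.encode())
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    if status == ACCT_STOP:
        attrs += _attr(ATTR_ACCT_SESSION_TIME, struct.pack("!I", session_time))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 Request Authenticator: MD5 over the packet with a zeroed
    # authenticator field, followed by the shared secret.  It lets the server
    # check that the request came from a holder of the secret.
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """The server-side check.  A request built with a different shared secret
    fails here and, per RFC 2866, is silently discarded: the AP then sees no
    reply at all, which looks like an unreachable server."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_accounting_response(request: bytes, secret: bytes) -> bytes:
    """Accounting-Response: same Identifier, no attributes, Response
    Authenticator computed over the request's authenticator."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_accounting_response(response: bytes, request: bytes,
                               secret: bytes) -> bool:
    """The AP-side check.  An unverifiable reply counts as no reply, and the
    Response Time and Maximum Retransmissions settings govern the retry."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCOUNTING_RESPONSE or ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:]
                           + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet: bytes) -> dict:
    """Map attribute type -> raw value for the attributes after the header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs
```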
Figure 4-17. RADIUS Accounting Server Configuration
Security Overview
The AP provides several security features to protect your network from
unauthorized access.
• Authentication and Encryption Modes
• Typical VLAN Management Configurations
Authentication and Encryption Modes
The AP supports the following Security features:
• WEP Encryption: The original encryption technique specified by the
IEEE 802.11 standard.
• 802.1x Authentication: An IEEE standard for client authentication.
• Wi-Fi Protected Access (WPA): A new standard that provides improved
encryption security over WEP.
WEP Encryption
The IEEE 802.11 standards specify an optional encryption feature, known
as Wired Equivalent Privacy or WEP, that is designed to provide a
wireless LAN with a security level equal to what is found on a wired
Ethernet network. WEP encrypts the data portion of each packet
exchanged on an 802.11 network using an Encryption Key (also known
as a WEP Key).
When Encryption is enabled, two 802.11 devices must have the same
Encryption Keys and both devices must be configured to use Encryption
in order to communicate. If one device is configured to use Encryption but
a second device is not, then the two devices will not communicate, even if
both devices have the same Encryption Keys.
• An 802.11b only radio supports 64-bit and 128-bit encryption:
— For 64-bit encryption, an encryption key is 10 hexadecimal
characters (0-9 and A-F) or 5 ASCII characters (see ASCII
Character Chart).
— For 128-bit encryption, an encryption key is 26 hexadecimal
characters or 13 ASCII characters.
• An 802.11a or 802.11b/g AP supports 64-bit, 128-bit, and 152-bit
encryption:
— For 64-bit encryption, an encryption key is 10 hexadecimal
characters (0-9 and A-F) or 5 ASCII characters (see ASCII
Character Chart).
— For 128-bit encryption, an encryption key is 26 hexadecimal
characters or 13 ASCII characters.
— For 152-bit encryption, an encryption key is 32 hexadecimal
characters or 16 ASCII characters.
NOTE:
64-bit encryption is sometimes referred to as 40-bit encryption;
128-bit encryption is sometimes referred to as 104-bit encryption.
802.1x Authentication
IEEE 802.1x is a standard that provides a means to authenticate and
authorize network devices attached to a LAN port. A port in the context of
IEEE 802.1x is a point of attachment to the LAN, either a physical
Ethernet connection or a wireless link to an Access Point. 802.1x requires
a RADIUS server and uses the Extensible Authentication Protocol (EAP)
as a standards-based authentication framework, and supports automatic
key distribution for enhanced security. The EAP-based authentication
framework can easily be upgraded to keep pace with future EAP types.
Popular EAP types include:
• EAP-Message Digest 5 (MD5): Username/Password-based authentication;
does not support automatic key distribution.
• EAP-Transport Layer Security (TLS): Certificate-based authentication
(a certificate is required on the server and each client); supports
automatic key distribution.
• EAP-Tunneled Transport Layer Security (TTLS): Certificate-based
authentication (a certificate is required on the server; a client’s
username/password is tunneled to the server over a secure
connection); supports automatic key distribution.
• PEAP - Protected EAP with MS-CHAP v2: Secure username/password-based
authentication; supports automatic key distribution.
Different servers support different EAP types and each EAP type provides
different features. Refer to the documentation that came with your
RADIUS server to determine which EAP types it supports.
NOTE:
The AP supports the following EAP types when Authentication
Mode is set to 802.1x or WPA: EAP-TLS, PEAP, and EAP-TTLS.
When Authentication Mode is set to Mixed, the AP supports the
following EAP types: EAP-TLS, PEAP, EAP-TTLS, and EAP-MD5
(MD5 does not support automatic key distribution; therefore, if you
choose this method you need to manually configure each client with
the network's encryption key).
Authentication Process
There are three main components in the authentication process. The
standard refers to them as:
1. supplicant (client PC)
2. authenticator (Access Point)
3. authentication server (RADIUS server)
When Authentication Mode is set to 802.1x, WPA, or Mixed mode
(802.1x and WEP), you need to configure your RADIUS server for
authentication purposes.
Prior to successful authentication, an unauthenticated client PC cannot
send any data traffic through the AP device to other systems on the LAN.
The AP inhibits all data traffic from a particular client PC until the client PC
is authenticated. Regardless of its authentication status, a client PC can
always exchange 802.1x messages in the clear with the AP (the client
begins encrypting data after it has been authenticated).
Figure 4-18. RADIUS Authentication Illustrated
The AP acts as a pass-through device to facilitate communications
between the client PC and the RADIUS server. The AP (2) and the client
(1) exchange 802.1x messages using an EAPOL (EAP Over LAN)
protocol (A). Messages sent from the client station are encapsulated by
the AP and transmitted to the RADIUS (3) server using EAP extensions
(B).
When the AP receives a reply EAP packet from the RADIUS server, it
typically translates the message back to the EAPOL format and
forwards it to the client. Negotiations take place between the client
and the RADIUS server. After the client has been successfully
authenticated, the client receives an Encryption Key from the AP (if
the EAP type supports automatic key distribution). The client uses
this key to encrypt data after it has been authenticated.
For 802.11a and 802.11b/g clients that communicate with an AP, each
client receives its own unique encryption key; this is known as Per User
Per Session Encryption Keys.
Wi-Fi Protected Access (WPA)
Wi-Fi Protected Access (WPA) is a security standard designed by the
Wi-Fi Alliance in conjunction with the Institute of Electrical and Electronics
Engineers (IEEE). WPA is a sub-set of the forthcoming IEEE 802.11i
security standard, currently in draft form. (IEEE 802.11i is also referred to
as “WPA2” and will be available in 2004.)
WPA is a replacement for Wired Equivalent Privacy (WEP), the
encryption technique specified by the original 802.11 standard. WEP has
several vulnerabilities that have been widely publicized. WPA addresses
these weaknesses and provides a stronger security system to protect
wireless networks.
WPA provides the following new security measures not available with
WEP:
• Improved packet encryption using the Temporal Key Integrity
Protocol (TKIP) and the Michael Message Integrity Check (MIC).
• Per-user, per-session dynamic encryption keys:
— Each client uses a different key to encrypt and decrypt unicast
packets exchanged with the AP
— A client's key is different for every session; it changes each
time the client associates with an AP
— The AP uses a single global key to encrypt broadcast packets
that are sent to all clients simultaneously
— Encryption keys change periodically based on the Re-keying
Interval parameter
— WPA uses 128-bit encryption keys
• Dynamic Key distribution
— The AP generates and maintains the keys for its clients
— The AP securely delivers the appropriate keys to its clients
• Client/server mutual authentication
— 802.1x
— Pre-shared key (for networks that do not have an 802.1x
solution implemented)
NOTE:
For more information on WPA, see the Wi-Fi Alliance Web site at
http://www.wi-fi.org.
The AP supports two WPA authentication modes:
• WPA: The AP uses 802.1x to authenticate clients. You should only
use an EAP that supports mutual authentication and session key
generation, such as EAP-TLS, EAP-TTLS, and PEAP. See 802.1x
Authentication for details.
• WPA-PSK (Pre-Shared Key): For networks that do not have 802.1x
implemented, you can configure the AP to authenticate clients
based on a Pre-Shared Key. This is a shared secret that is manually
configured on the AP and each of its clients. The Pre-Shared Key
must be 256 bits long, which is 64 hexadecimal digits. The AP
also supports a PSK Pass Phrase option to facilitate the creation of
the Pre-Shared Key (so a user can enter an easy-to-remember
phrase rather than a string of characters).
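As an added example (not Avaya's code), the following Python shows the two ways of supplying the 256-bit Pre-Shared Key described above: the 64-hexadecimal-digit form, and the PSK Pass Phrase form mapped to a key. It assumes the AP's Pass Phrase option uses the standard WPA/802.11i mapping (PBKDF2-HMAC-SHA1 with the SSID as salt), which any WPA-PSK device must use for its clients to derive the same key; the pass phrases and SSIDs are constructed, except for the "password"/"IEEE" pair, which is the published 802.11i test vector.

```python
import hashlib
import re


def validate_psk_hex(psk_hex: str) -> bytes:
    """The Pre-Shared Key field: exactly 64 hexadecimal digits (256 bits)."""
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", psk_hex):
        raise ValueError("Pre-Shared Key must be exactly 64 hexadecimal digits")
    return bytes.fromhex(psk_hex)


def validate_pass_phrase(pass_phrase: str) -> str:
    """The PSK Pass Phrase field: 8 to 63 characters.  WPA also restricts a
    pass phrase to printable ASCII (assumed here to apply to the AP as well,
    since the standard mapping below is defined only for such phrases)."""
    if not 8 <= len(pass_phrase) <= 63:
        raise ValueError("PSK Pass Phrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in pass_phrase):
        raise ValueError("PSK Pass Phrase must be printable ASCII")
    return pass_phrase


def psk_from_pass_phrase(pass_phrase: str, ssid: str) -> bytes:
    """WPA/802.11i pass-phrase-to-PSK mapping (assumed to be what the AP's
    PSK Pass Phrase option computes): PBKDF2-HMAC-SHA1, SSID as salt, 4096
    iterations, 256-bit output.  The key depends on the SSID, so the same
    phrase gives a different key on a differently named network."""
    validate_pass_phrase(pass_phrase)
    return hashlib.pbkdf2_hmac("sha1", pass_phrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def meets_avaya_recommendation(pass_phrase: str) -> bool:
    """Avaya's guidance in this guide: at least 13 characters, including
    numbers and both upper- and lower-case letters."""
    return (len(pass_phrase) >= 13
            and any(c.isdigit() for c in pass_phrase)
            and any(c.isupper() for c in pass_phrase)
            and any(c.islower() for c in pass_phrase))


def configured_psk(ssid: str, psk_hex=None, pass_phrase=None) -> bytes:
    """Resolve the key an SSID ends up with: the hex key if one is entered,
    otherwise the key derived from the pass phrase.  Clients must be given
    the same phrase (or the same 64 hex digits) to associate."""
    if psk_hex is not None:
        return validate_psk_hex(psk_hex)
    if pass_phrase is not None:
        return psk_from_pass_phrase(pass_phrase, ssid)
    raise ValueError("WPA-PSK needs a Pre-Shared Key or a PSK Pass Phrase")
```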
Configuring Security Settings
You can configure each wireless interface to operate in one of the
following Security modes:
• No Security: This is the default setting for an AP.
• Enable WEP Encryption: The AP and clients use the same static WEP
keys to encrypt data.
• Enable 802.1x Security: The AP uses the 802.1x standard to
communicate with a RADIUS server and authenticate clients. The AP
generates and distributes dynamic, per user WEP Keys to each client
following successful authentication.
• Enable Mixed Mode (802.1x and WEP Encryption): The AP uses 802.1x
Mode for clients that support 802.1x (and have an 802.1x supplicant
application installed). The AP uses static WEP Encryption for clients
that do not use 802.1x.
• Enable WPA Mode: The AP uses 802.1x to communicate with a RADIUS
server and authenticate clients. The AP generates and distributes
dynamic, per user encryption keys (based on the Temporal Key
Integrity Protocol (TKIP)) to each client following successful
authentication. WPA mode provides message integrity checking to
guard against replay type attacks. This mode is not available for all
radio types.
• Enable WPA-PSK Mode: The AP uses a Pre-shared Key (manually
configured on both the AP and the clients) to authenticate clients.
The AP generates and distributes dynamic, per user encryption keys
(based on TKIP) to each client following successful authentication.
This mode is for customers who want to use WPA but do not have a
RADIUS server installed on their network. This mode is not available
for all radio types.
You configure the AP to use a particular Security mode by setting the
Authentication Mode parameter. The following table summarizes the
Authentication Mode options available in the HTTP Interface's Configure
> Security > Authentication screen and describes how each of these
options corresponds to the six Security Modes listed above (for each
Authentication Mode setting: the authentication method employed; the
encryption method employed):
• None: authentication None; encryption None or manually configured
Static WEP settings (from the Configure > Security > Encryption
screen).
• 802.1x: authentication 802.1x; encryption Dynamic WEP Keying.
• Mixed: authentication 802.1x or None (depends on a client's
configuration); encryption Dynamic WEP Keying or Static WEP
(depends on the client's configuration).
• WPA: authentication 802.1x; encryption Dynamic TKIP Keying.
• WPA-PSK: authentication by manually configured Pre-shared Key;
encryption Dynamic TKIP Keying.
NOTE:
Before enabling the 802.1x, Mixed, or WPA mode, the 802.1x server
should be configured.
SSID, VLAN, and Security Modes
The AP-8 allows you to:
• segment wireless networks into multiple sub-networks based on
Network Name (SSID) and VLAN membership, and
• apply security modes per SSID.
A Network Name (SSID) identifies a wireless network. Clients associate
with Access Points that share an SSID. During installation, the Setup
Wizard prompts you to configure a Primary Network Name for each
wireless interface.
After initial setup and once VLAN is enabled, the AP can be configured to
support up to 16 SSIDs per wireless interface to segment wireless
networks based on VLAN membership.
Refer to Configure Multiple SSID/VLAN/Security Mode Entries for
configuration details.
VLAN Overview
Virtual Local Area Networks (VLANs) are logical groupings of network
hosts. Defined by software settings, other VLAN members or resources
appear (to clients) to be on the same physical segment, no matter where
they are attached on the logical LAN or WAN segment. They simplify
traffic flow between clients and their frequently-used or restricted
resources.
VLANs now extend as far as the reach of the access point signal. Clients
can be segmented into wireless sub-networks via SSID and VLAN
assignment. A Client can access the network by connecting to an AP
configured to support its assigned SSID/VLAN.
AP devices are fully VLAN-ready; however, by default VLAN support is
disabled. Before enabling VLAN support, certain network settings should
be configured, and network resources such as a VLAN-aware switch, a
RADIUS server, and possibly a DHCP server should be available.
Once enabled, VLANs are used to conveniently, efficiently, and easily
manage your network in the following ways:
• Manage adds, moves, and changes from a single point of contact
• Define and monitor groups
• Reduce broadcast and multicast traffic to unnecessary destinations
— Improve network performance and reduce latency
• Increase security
— Secure network restricts members to resources on their own
VLAN
— Clients roam without compromising security
VLAN tagged data is collected and distributed through an AP's wireless
interface(s) based on Network Name (SSID). An Ethernet port on the
access point connects a wireless cell or network to a wired backbone.
The access points communicate across a VLAN-capable switch that
analyzes VLAN-tagged packet headers and directs traffic to the
appropriate ports. On the wired network, a RADIUS server authenticates
traffic and a DHCP server manages IP addresses for the VLAN(s).
Resources like servers and printers may be present, and a hub may
include multiple APs, extending the network over a larger area.
In this figure, the numbered items correspond to the following
components:
1. VLAN-enabled access point
2. VLAN-aware switch (IEEE 802.1Q uplink)
3. AP management via wired host (SNMP, Web interface or CLI)
4. DHCP Server
5. RADIUS Server
6. VLAN 1
7. VLAN 2
Figure 4-19. Components of a Typical VLAN
VLAN Workgroups and Traffic Management
Access Points that are not VLAN-capable typically transmit broadcast and
multicast traffic to all wireless Network Interface Cards (NICs). This
process wastes wireless bandwidth and degrades throughput
performance. In comparison, a VLAN-capable AP is designed to efficiently
manage delivery of broadcast, multicast, and unicast traffic to wireless
clients.
The AP assigns clients to a VLAN based on a Network Name (SSID). The
AP can support up to 16 SSID/VLAN pairs per radio.
The AP matches packets transmitted or received to a network name with
the associated VLAN. Traffic received by a VLAN is only sent on the
wireless interface associated with that same VLAN. This eliminates
unnecessary traffic on the wireless LAN, conserving bandwidth and
maximizing throughput.
Traffic Management
In addition to enhancing wireless traffic management, the VLAN-capable
AP supports easy assignment of wireless users to workgroups. In a
typical scenario, each user VLAN represents a workgroup; for example,
one VLAN could be used for an EMPLOYEE workgroup and the other, for
a GUEST workgroup.
In this scenario, the AP would assign every packet it accepted to a VLAN.
Each packet would then be identified as EMPLOYEE or GUEST,
depending on which wireless NIC received it. The AP would insert VLAN
headers or “tags” with identifiers into the packets transmitted on the wired
backbone to a network switch.
Finally, the switch would be configured to route packets from the
EMPLOYEE workgroup to the appropriate corporate resources such as
printers and servers. Packets from the GUEST workgroup could be
restricted to a gateway that allowed access to only the Internet. A
member of the GUEST workgroup could send and receive e-mail and
access the Internet, but would be prevented from accessing servers or
hosts on the local corporate network.
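As an added example (not Avaya's code) of the EMPLOYEE/GUEST scenario above, the following Python models how an AP tags frames from each SSID with its VLAN ID on the way to the wired backbone and, in the other direction, delivers a tagged frame only to the SSID that carries its VLAN. The SSID-to-VLAN mapping and the sample frame are constructed; the 802.1Q tag layout (TPID 0x8100 followed by the tag control field) is the IEEE 802.1Q format.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
UNTAGGED = -1         # the AP's "untagged" VLAN ID


class WorkgroupBridge:
    """Bridges one radio's SSID/VLAN workgroups to the wired backbone.
    `ssid_to_vlan` maps each Network Name to its VLAN ID (or UNTAGGED);
    VLAN IDs must be unique per interface, as the AP requires."""

    def __init__(self, ssid_to_vlan: dict):
        vids = list(ssid_to_vlan.values())
        if len(vids) != len(set(vids)):
            raise ValueError("each SSID needs a unique VLAN ID (one untagged entry at most)")
        for vid in vids:
            if vid != UNTAGGED and not 1 <= vid <= 4094:
                raise ValueError(f"VLAN ID {vid} outside 1..4094")
        self.ssid_to_vlan = dict(ssid_to_vlan)
        self.vlan_to_ssid = {v: s for s, v in ssid_to_vlan.items()}

    def to_backbone(self, ssid: str, frame: bytes, priority: int = 0) -> bytes:
        """Frame received from a client on `ssid`: insert the 802.1Q tag
        (TPID + TCI) between the source MAC and the original EtherType so
        the VLAN-aware switch can steer it.  An untagged workgroup's frames
        pass unchanged."""
        if ssid not in self.ssid_to_vlan:
            raise KeyError(f"no workgroup for SSID {ssid!r}")
        if len(frame) < 14:
            raise ValueError("not an Ethernet frame")
        vid = self.ssid_to_vlan[ssid]
        if vid == UNTAGGED:
            return frame
        tci = ((priority & 0x7) << 13) | vid        # PCP=priority, DEI=0, VID
        return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

    def from_backbone(self, frame: bytes):
        """Frame arriving from the switch: return (ssid, untagged_frame) for
        the one workgroup carrying its VLAN, or None if no SSID on this radio
        does, in which case the AP drops it instead of sending it on every
        SSID (the broadcast/multicast saving the text describes)."""
        if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
            vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
            frame = frame[:12] + frame[16:]
        else:
            vid = UNTAGGED
        ssid = self.vlan_to_ssid.get(vid)
        return None if ssid is None else (ssid, frame)
```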
Typical User VLAN Configurations
VLANs segment network traffic into workgroups, which enable you to limit
broadcast and multicast traffic. Workgroups enable clients from different
VLANs to access different resources using the same network
infrastructure. Clients using the same physical network are limited to
those resources available to their workgroup.
The AP can segment users into a maximum of 16 different workgroups
(32 for the AP-8 which has two radios) based on an SSID/VLAN pair (also
referred as a VLAN Workgroup or a Sub-network).
The four primary scenarios for using VLAN workgroups are as follows:
1. VLAN disabled: Your network does not use VLANs, but you can
configure the AP to use multiple SSIDs.
2. VLAN enabled, all VLAN Workgroups use the same VLAN ID Tag
3. VLAN enabled, each VLAN workgroup uses a different VLAN ID
Tag
4. VLAN enabled, a mixture of Tagged and Untagged workgroups
Configure Multiple SSID/VLAN/Security Mode Entries
Each SSID/VLAN can have its own security mode, so that customers can
have multiple types of clients (non-WEP, WEP, 802.1x, WPA) on the
same system, but separated per VLAN.
NOTE:
You must reboot the AP before any changes to these parameters
take effect.
1. Click Configure > SSID/VLAN/Security > Mgmt VLAN.
2. Place a check mark in the Enable VLAN Protocol box to enable
VLAN support. If VLAN is disabled, all table entries on the
SSID/VLAN/Security page will be disabled.
3. Click the tab for Wireless A or Wireless B.
Figure 4-20. SSID, VLAN, and Security Table - Wireless A
4. Add one or more new SSID/VLAN/security mode entries. Each
wireless interface supports up to 16 entries.
Follow these steps:
a. Click Add to create a new SSID/VLAN/security mode entry.
Figure 4-21. SSID, VLAN, and Security Table - Wireless A - Add Entries
b. Enter a Network Name (SSID), between 2 and 31 characters,
in the field provided. This parameter is mandatory.
c. Enter a VLAN ID in the field provided. This parameter is
mandatory.
— You must specify a unique VLAN ID for each SSID on the
interface. As defined by the 802.1Q standard, a VLAN ID is
a number between 1 and 4094. A value of -1 means that an
entry is "untagged".
— You can set the VLAN ID to "-1" or "untagged" if you do not
want clients that are using a specific SSID to be members of
a VLAN workgroup. Only one “untagged” VLAN ID is
allowed per interface.
— The VLAN ID must match an ID used by your network;
contact your network administrator if you need assistance
defining the VLAN IDs.
d. Select the security mode for the SSID/VLAN entry and
configure the security mode parameters according to one of
the following procedures:
NOTE:
If you have two or more SSIDs per interface with a security mode of
None, be aware that security being applied in the VLAN is not being
applied in the wireless network.
Enable WEP Encryption
Follow these steps to set up WEP encryption on an SSID/VLAN pair:
1. Set Security Mode to WEP (if necessary).
2. Enter Encryption Key 0 only; the transmit key (the key used to
encrypt outgoing data) will automatically be set to zero. Keep in
mind the following:
— For 64-bit encryption, an encryption key is 10 hexadecimal
characters (0-9 and A-F) or 5 ASCII characters (see ASCII
Character Chart).
— For 128-bit encryption, an encryption key is 26 hexadecimal
characters or 13 ASCII characters.
— For 152-bit encryption, an encryption key is 32 hexadecimal
characters or 16 ASCII characters.
Enable 802.1x Security
Follow these steps to enable 802.1x on an SSID/VLAN pair:
1. Set Security Mode to 802.1x.
2. Select an Encryption Key Length. The AP-8 supports 64-bit or
128-bit encryption for 802.1x security mode.
3. Enter a Re-keying Interval.
— The Re-keying Interval determines how often a client’s
encryption key is changed and can be set to any value
between 60 and 65535 seconds. Rekeying frustrates hacking
attempts without taxing system resources. Setting a fairly
frequent rekey value (900 seconds = 15 minutes) effectively
protects against intrusion without disrupting network activities.
Enable Mixed Mode (802.1x and WEP Encryption)
Follow these steps to use both 802.1x and WEP Encryption
simultaneously (clients that do not support 802.1x use WEP Encryption
for security purposes):
1. Set Security Mode to Mixed.
2. Enter a Re-keying Interval.
— The Re-keying Interval determines how often a client’s
encryption key is changed and can be set to any value
between 60 and 65535 seconds. Rekeying frustrates hacking
attempts without taxing system resources. Setting a fairly
frequent rekey value (900 seconds = 15 minutes) effectively
protects against intrusion without disrupting network activities.
3. Click the Encryption tab.
4. Place a check mark in the box labeled Enable Encryption (WEP).
5. Configure Encryption Key 1 only (for example, do not configure
Keys 2 through 4). Keep in mind the following:
— For 64-bit encryption, an encryption key is 10 hexadecimal
characters (0-9 and A-F) or 5 ASCII characters (see ASCII
Character Chart).
— For 128-bit encryption, an encryption key is 26 hexadecimal
characters or 13 ASCII characters.
— For 152-bit encryption, an encryption key is 32 hexadecimal
characters or 16 ASCII characters.
Enable WPA Mode
Follow this step to enable WPA on an SSID/VLAN pair:
• Set Security Mode to WPA.
Enable WPA-PSK Mode
Follow these steps to enable WPA-PSK on an SSID/VLAN pair:
1. Set the Security Mode to WPA-PSK.
2. Configure the Pre-Shared Key. You must also configure your
clients to use this same key.
Do one of the following:
— Enter 64 hexadecimal digits in the Pre-Shared Key field.
— Enter a phrase in the PSK Pass Phrase field. The AP will
automatically generate a Pre-Shared Key based on the phrase
you enter. Enter between 8 and 63 characters; Avaya
recommends using a pass phrase of at least 13 characters,
including both numbers and upper and lower case letters, to
ensure that the generated key cannot be easily deciphered by
network infiltrators.
3. When finished configuring all parameters, click OK.
4. If you selected a Security Mode of 802.1x, Mixed Mode, or WPA
you must configure a RADIUS 802.1x/EAP server (see RADIUS
Authentication with 802.1x for details).
5. Click Edit if you want to modify an existing entry. You can also
disable or delete an entry from the Edit screen.
NOTE:
When editing the primary Network Name (SSID) entry, disabling or
deleting that entry is not allowed.
6. Click the tab for the second wireless interface (if applicable) and
create or modify SSID/VLAN entries as necessary.
7. Reboot the AP.
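As an added example (not Avaya's code), the following Python checks a proposed SSID/VLAN/Security Mode table for one wireless interface against the limits given in the procedure above: SSID length, VLAN ID range and uniqueness (one untagged entry), the 16-entry limit, WEP key lengths, 802.1x key length and Re-keying Interval, and the WPA-PSK key or pass phrase; it also raises the two cautions the text gives (several SSIDs with mode None, and modes that need a RADIUS server). The entries used in the test are constructed.

```python
import re

# Key lengths the guide gives for each WEP key size: hex digits / ASCII chars.
WEP_HEX_LENGTHS = {10: 64, 26: 128, 32: 152}
WEP_ASCII_LENGTHS = {5: 64, 13: 128, 16: 152}
MODES = ("None", "WEP", "802.1x", "Mixed", "WPA", "WPA-PSK")
NEEDS_RADIUS = ("802.1x", "Mixed", "WPA")
MAX_ENTRIES_PER_INTERFACE = 16


def wep_key_bits(key: str) -> int:
    """Return 64, 128 or 152 for a key of a valid length, else raise.  A key
    of 10/26/32 hex digits counts as hex; otherwise it must be 5/13/16
    printable ASCII characters."""
    if len(key) in WEP_HEX_LENGTHS and re.fullmatch(r"[0-9A-Fa-f]+", key):
        return WEP_HEX_LENGTHS[len(key)]
    if len(key) in WEP_ASCII_LENGTHS and key.isascii() and key.isprintable():
        return WEP_ASCII_LENGTHS[len(key)]
    raise ValueError("WEP key must be 10/26/32 hex digits or 5/13/16 ASCII characters")


def validate_entry(entry: dict) -> list:
    """Errors for one SSID/VLAN/security mode entry (empty list = valid)."""
    errors = []
    if not 2 <= len(entry.get("ssid", "")) <= 31:
        errors.append("Network Name (SSID) must be 2 to 31 characters")
    vid = entry.get("vlan_id")
    if not isinstance(vid, int) or not (vid == -1 or 1 <= vid <= 4094):
        errors.append("VLAN ID must be 1 to 4094, or -1 for untagged")
    mode = entry.get("mode")
    if mode not in MODES:
        errors.append(f"unknown security mode {mode!r}")
    if mode in ("WEP", "Mixed"):          # static key: Key 0 (WEP) / Key 1 (Mixed)
        try:
            wep_key_bits(entry.get("wep_key", ""))
        except ValueError as exc:
            errors.append(str(exc))
    if mode in ("802.1x", "Mixed"):
        interval = entry.get("rekey_interval")
        if not isinstance(interval, int) or not 60 <= interval <= 65535:
            errors.append("Re-keying Interval must be 60 to 65535 seconds")
    if mode == "802.1x" and entry.get("key_length") not in (64, 128):
        errors.append("802.1x Encryption Key Length must be 64 or 128 bits")
    if mode == "WPA-PSK":
        psk, phrase = entry.get("psk"), entry.get("pass_phrase")
        if psk is not None:
            if not re.fullmatch(r"[0-9A-Fa-f]{64}", psk):
                errors.append("Pre-Shared Key must be 64 hexadecimal digits")
        elif phrase is not None:
            if not 8 <= len(phrase) <= 63:
                errors.append("PSK Pass Phrase must be 8 to 63 characters")
        else:
            errors.append("WPA-PSK needs a Pre-Shared Key or a PSK Pass Phrase")
    return errors


def validate_interface(entries: list) -> tuple:
    """Check a whole Wireless A or Wireless B table.  Returns (errors,
    warnings): errors are settings the AP does not accept, warnings are the
    guide's cautions about configurations it does accept."""
    errors, warnings = [], []
    if len(entries) > MAX_ENTRIES_PER_INTERFACE:
        errors.append(f"at most {MAX_ENTRIES_PER_INTERFACE} entries per interface")
    first_use = {}
    for i, entry in enumerate(entries):
        errors += [f"entry {i}: {msg}" for msg in validate_entry(entry)]
        vid = entry.get("vlan_id")
        if vid in first_use:
            what = ("untagged VLAN ID (only one allowed per interface)"
                    if vid == -1 else f"VLAN ID {vid}")
            errors.append(f"entry {i}: {what} already used by entry {first_use[vid]}")
        else:
            first_use[vid] = i
    if sum(e.get("mode") == "None" for e in entries) >= 2:
        warnings.append("two or more SSIDs with security mode None: the VLAN's "
                        "security is not applied on the wireless side")
    if any(e.get("mode") in NEEDS_RADIUS for e in entries):
        warnings.append("802.1x, Mixed or WPA in use: configure the RADIUS "
                        "EAP/802.1x server before enabling these entries")
    return errors, warnings
```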
Typical VLAN Management Configurations
Control Access to the AP
Management access to the AP can easily be secured by making
management stations or hosts and the AP itself members of a common
VLAN. Simply configure a non-zero management VLAN ID and enable
VLAN to restrict management of the AP to members of the same VLAN.
! CAUTION:
If a non-zero management VLAN ID is configured then management
access to the AP is restricted to wired or wireless hosts that are members
of the same VLAN. Ensure your management platform or host is a member of the same VLAN before attempting to manage the AP.
1. Click Configure > VLAN.
2. Set the VLAN Management ID to a value between 0 and 4094 (a
value of 0 disables VLAN management).
3. Place a check mark in the Enable VLAN Protocol box.
Provide Access to a Wireless Host in the Same Workgroup
The VLAN feature can allow wireless clients to manage the AP. If the
VLAN Management ID matches a VLAN User ID, then those wireless
clients who are members of that VLAN will have AP management access.
! CAUTION:
Once a VLAN Management ID is configured and is equivalent to one of
the VLAN User IDs on the AP, all members of that User VLAN will have
management access to the AP. Be careful to restrict VLAN membership
to those with legitimate access to the AP.
1. Click Configure > VLAN.
2. Set the VLAN Management ID to use the same VLAN ID as one
of the configured SSID/VLAN pairs. See Typical VLAN
Management Configurations for details.
3. Place a check mark in the Enable VLAN Protocol box.
Disable VLAN Management
1. Click Configure > VLAN.
2. Remove the check mark from the Enable VLAN Protocol box (to
disable all VLAN functionality) or set the VLAN Management ID to
0 (to disable VLAN Management only).
MAC Access
The MAC Access tab allows you to build a list of stations, identified by
their MAC addresses, authorized to access the network through the AP.
The list is stored inside each AP within your network. Note that you must
reboot the AP for any changes to the MAC Access Control Table to take
effect.
• Enable MAC Access Control: Check this box to enable the Control Table.
• Operation Type: Choose between Passthru and Block. This determines how the stations identified in the MAC Access Control Table are filtered.
— If set to Passthru, only the addresses listed in the Control Table will pass through the bridge.
— If set to Block, the bridge will block traffic to or from the addresses listed in the Control Table.
• MAC Access Control Table: Click Add to create a new entry. Click Edit to change an existing entry. Each entry contains the following fields:
— MAC Address: Enter the wireless client’s MAC address.
— Comment: Enter an optional comment such as the client’s name.
— Status: The entry is enabled automatically when saved (so the Status field is only visible when editing an entry). You can also disable or delete entries by changing this field’s value.
NOTE:
For larger networks that include multiple Access Points, you may prefer to maintain this list in a centralized location using MAC Access Control by Means of RADIUS Authentication.
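The Passthru and Block semantics described above, modelled as an added example (this is not Avaya code; the `Entry` and `MacAccessControl` names are this example's own and the table rows are constructed). It shows that a row whose Status is disabled takes no part in filtering, and that the same table is an allow-list under Passthru but a deny-list under Block:

```python
import re
from dataclasses import dataclass

def normalize_mac(mac: str) -> str:
    """Canonicalise common MAC spellings (aa:bb:..., AA-BB-..., aabb.ccdd.eeff)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass(frozen=True)
class Entry:
    mac: str
    comment: str = ""
    enabled: bool = True  # the Status field; a row is enabled when saved

class MacAccessControl:
    """Operation Type semantics: Passthru is an allow-list, Block a deny-list."""
    def __init__(self, operation: str, entries, enabled: bool = True):
        if operation not in ("Passthru", "Block"):
            raise ValueError("Operation Type must be Passthru or Block")
        self.operation = operation
        self.enabled = enabled  # the "Enable MAC Access Control" check box
        # Disabled rows stay in the table but take no part in filtering.
        self._active = {normalize_mac(e.mac) for e in entries if e.enabled}

    def permits(self, station_mac: str) -> bool:
        """True if traffic to or from station_mac may pass through the bridge."""
        if not self.enabled:
            return True  # control table switched off: nothing is filtered
        listed = normalize_mac(station_mac) in self._active
        return listed if self.operation == "Passthru" else not listed

# Constructed sample table; the addresses belong to no real device.
TABLE = [
    Entry("00:11:22:33:44:55", "badge printer"),
    Entry("00-11-22-AA-BB-CC", "lab laptop"),
    Entry("0011.22dd.eeff", "retired scanner", enabled=False),
]

def demo() -> dict:
    passthru = MacAccessControl("Passthru", TABLE)
    block = MacAccessControl("Block", TABLE)
    return {
        "passthru_listed": passthru.permits("00:11:22:aa:bb:cc"),
        "passthru_disabled_row": passthru.permits("00:11:22:dd:ee:ff"),
        "passthru_unlisted": passthru.permits("66:77:88:99:aa:bb"),
        "block_listed": block.permits("00:11:22:33:44:55"),
        "block_unlisted": block.permits("66:77:88:99:aa:bb"),
    }
```

Because the list is stored per AP and only applied after a reboot, a disabled or deleted row keeps filtering on that AP until the reboot, which the RADIUS-based variant avoids.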
Figure 4-22. MAC Access Configuration Screen
Rogue Access Point Detection (RAD)
The Rogue AP Detection (RAD) feature provides an additional security level for wireless LAN deployments. It detects rogue Access Points by using the coverage area of the trusted Access Point deployment.

The Rogue AP Scan employs background scanning using low-level 802.11 scanning functions to detect Access Points in its coverage area with minimal impact on the normal operation of the Access Point.

The RAD feature can be enabled on an Access Point via its HTTP, CLI, or SNMP interfaces. The scan repetition duration is configurable. The Access Point periodically scans the wireless network and reports all Access Points detected within its coverage area using SNMP traps. For additional reliability the results are also stored in a table in the Access Point, which can be queried via SNMP. The BSSID and channel number of each detected Access Point are provided in the scan results.

The RAD scan is performed on a channel list initialized from the regulatory domain of the device. The RAD scan performs background scanning on all the channels in this list using 802.11 MAC scanning functions. It either actively scans the network by sending probe requests or passively scans by only listening for beacons. The Access Point information is then gathered from the probe responses and beacons.
To minimize traffic disruption and maximize scanning efficiency, the RAD feature employs an enhanced background-scanning algorithm and uses the CTS-to-Self mechanism to keep the clients silent. The scanning algorithm allows traffic to be serviced between each channel scan. Before the start of every scan (except the scan on the working channel), the CTS-to-Self mechanism is used to set the NAV values of the clients so that they stay silent during the scanning period. In addition, the scan repetition duration can be configured to reduce the frequency of RAD scan cycles and so maximize Access Point performance.
RAD Configuration Requirements
The RAD feature can be configured and monitored via the HTTP, CLI, or SNMP management interfaces. The following management options are provided:
• The RAD feature can be enabled or disabled.
• The repetition interval of RAD can be configured.
• The interface on which RAD operates can be configured.
• SNMP traps are sent after completion of a RAD scan cycle and also whenever a new Access Point is detected.
• Additionally, the RAD scan results are maintained in a table that can be queried via SNMP.
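The consuming side of the RAD results table, as an added example (not Avaya code): a monitor that receives one scan cycle at a time as (BSSID, channel) rows, compares them against the operator's inventory of trusted BSSIDs, and reports a rogue only the first time it appears, mirroring the AP's own "new Access Point detected" trap rather than re-alerting every cycle. The `ScanEntry` and `RadMonitor` names and all BSSIDs are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ScanEntry:
    """One row of the AP's RAD results table: detected BSSID and channel."""
    bssid: str
    channel: int

@dataclass
class RadMonitor:
    """Classifies RAD scan results against the operator's trusted AP inventory.

    `trusted` holds the BSSIDs of the deployment's own APs; `seen` remembers
    rogues already reported so a persistent rogue raises one alert, not one per cycle.
    """
    trusted: frozenset
    seen: set = field(default_factory=set)

    def process_cycle(self, results):
        """Return (new_rogues, all_rogues) for one completed scan cycle."""
        by_bssid = {}
        for entry in results:  # the same AP may be heard more than once in a cycle
            by_bssid.setdefault(entry.bssid.lower(), entry)
        rogues = [e for b, e in by_bssid.items() if b not in self.trusted]
        new = [e for e in rogues if e.bssid.lower() not in self.seen]
        self.seen.update(e.bssid.lower() for e in rogues)
        return new, rogues

# Constructed data: two of "our" APs and what two successive scan cycles heard.
TRUSTED = frozenset({"02:00:00:00:00:01", "02:00:00:00:00:02"})
CYCLE_1 = [ScanEntry("02:00:00:00:00:01", 6), ScanEntry("02:ab:cd:00:00:11", 11),
           ScanEntry("02:AB:CD:00:00:11", 11)]          # duplicate hearing, same AP
CYCLE_2 = [ScanEntry("02:00:00:00:00:02", 1), ScanEntry("02:ab:cd:00:00:11", 11),
           ScanEntry("02:ab:cd:00:00:22", 3)]

def demo() -> dict:
    """Feed both cycles; returns what would be alerted on after each one."""
    mon = RadMonitor(TRUSTED)
    new1, all1 = mon.process_cycle(CYCLE_1)
    new2, all2 = mon.process_cycle(CYCLE_2)
    return {
        "cycle1_new": [e.bssid for e in new1], "cycle1_rogues": len(all1),
        "cycle2_new": [e.bssid for e in new2], "cycle2_rogues": len(all2),
    }
```

In practice the rows would come from the SNMP table the guide describes, polled after the end-of-cycle trap; the trusted set should be kept in the management system, not derived from what the scan itself reports.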