Accton User Guide WLAN 11a+b/g Access Point 2.
User Guide Guide 2.4GHz/5GHz Wireless Access Point IEEE 802.11g and 802.
COMPLIANCES Federal Communication Commission Interference Statement This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
COMPLIANCES High power radars are allocated as primary users (meaning they have priority) of the 5250-5350 MHz and 5650-5850 MHz bands. These radars could cause interference and /or damage to the access point when used in Canada. The term “IC:” before the radio certification number only signifies that Industry Canada technical specifications were met.
COMPLIANCES Important! Before making connections, make sure you have the correct cord set. Check it (read the label on the cable) against the following: Power Cord Set U.S.A. and Canada The cord set must be UL-approved and CSA certified. The minimum specifications for the flexible cord are: - No. 18 AWG - not longer than 2 meters, or 16 AWG.
COMPLIANCES Veuillez lire à fond l'information de la sécurité suivante avant d'installer l’appareil: AVERTISSEMENT: L’installation et la dépose de ce groupe doivent être confiés à un personnel qualifié. • Ne branchez pas votre appareil sur une prise secteur (alimentation électrique) lorsqu'il n'y a pas de connexion de mise à la terre (mise à la masse). • Vous devez raccorder ce groupe à une sortie mise à la terre (mise à la masse) afin de respecter les normes internationales de sécurité.
COMPLIANCES Cordon électrique - Il doit être agréé dans le pays d’utilisation Etats-Unis et Canada: Le cordon doit avoir reçu l’homologation des UL et un certificat de la CSA. Les spe'cifications minimales pour un cable flexible sont AWG No. 18, ouAWG No. 16 pour un cable de longueur infe'rieure a` 2 me'tres. - type SV ou SJ - 3 conducteurs Le cordon doit être en mesure d’acheminer un courant nominal d’au moins 10 A.
COMPLIANCES Stromkabel. Dies muss von dem Land, in dem es benutzt wird geprüft werden: U.S.A und Canada Der Cord muß das UL gepruft und war das CSA beglaubigt. Das Minimum spezifikation fur der Cord sind: - Nu. 18 AWG - nicht mehr als 2 meter, oder 16 AWG. - Der typ SV oder SJ - 3-Leiter Der Cord muß haben eine strombelastbarkeit aus wenigstens 10 A Dieser Stromstecker muß hat einer erdschluss mit der typ NEMA 5-15P (15A, 125V) oder NEMA 6-15P (15A, 250V) konfiguration.
TABLE OF CONTENTS 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 Package Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Hardware Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3 Component Description . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4 Features and Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Chapter 1 Introduction The 2.4GHz/5GHz Wireless Access Point is an IEEE 802.11a/g access point that provides transparent, wireless high-speed data communications between a wired LAN and fixed, portable or mobile devices equipped with an 802.11a, 802.11b or 802.11g wireless adapter. This solution offers fast, reliable wireless connectivity with considerable cost savings over wired LANs (which include long-term maintenance overhead for cabling). Using 802.11a and 802.
Introduction The access point supports a 54 Mbps half-duplex connection to Ethernet networks for each active channel . Package Checklist The 2.4GHz/5GHz Wireless Access Point package includes: • One 2.4GHz/5GHz Wireless Access Point • One Category 5 network cable • One RS-232 console cable • One AC power adapter and power cord • Four rubber feet • Three wall-mounting screws • This User Guide Inform your dealer if there are any incorrect, missing or damaged parts.
Hardware Description Hardware Description Antennas Top Panel LED Indicators WLAN A WLAN G Rear Panel Security Slot 5 VDC Power Socket RJ-45 Port, PoE Connector Reset Button Console Port 1-3
Introduction Component Description Antennas The access point includes integrated diversity antennas for wireless communications. A diversity antenna system uses two identical antennas to receive and transmit signals, helping to avoid multipath fading effects. When receiving, the access point checks both antennas and selects the one with the strongest signal. When transmitting, it will continue to use the antenna previously selected for receiving.
Hardware Description LED Status Description Ethernet Link On Indicates a valid 10/100 Mbps Ethernet cable link. Flashing Indicates that the access point is transmitting or receiving data on a 10/100 Mbps Ethernet LAN. Flashing rate is proportional to network activity. On Indicates a valid 802.11a wireless link. Very Slow Flashing Searching for network association. Slow Flashing Associated with network but no activity.
Introduction Console Port This port is used to connect a console device to the access point through a serial cable. This connection is described under “Console Port Pin Assignments” on page B-4. The console device can be a PC or workstation running a VT-100 terminal emulator, or a VT-100 terminal. Ethernet Port The access point has one 10BASE-T/100BASE-TX RJ-45 port that can be attached directly to 10BASE-T/100BASE-TX LAN segments. These segments must conform to the IEEE 802.3 or 802.3u specifications.
Features and Benefits Reset Button This button is used to reset the access point or restore the factory default configuration. If you hold down the button for less than 5 seconds, the access point will perform a hardware reset. If you hold down the button for 5 seconds or more, any configuration changes you may have made are removed, and the factory default configuration is restored to the access point. Power Connector The access point does not have a power switch.
Introduction • Advanced security through 64/128/152-bit Wired Equivalent Protection (WEP) encryption, IEEE 802.1x port authentication, Wi-Fi Protected Access (WPA), remote authentication via RADIUS server, and MAC address filtering features to protect your sensitive data and authenticate only authorized users to your network • Provides seamless roaming within the IEEE 802.11a, 802.11b and 802.
Applications • Temporary LANs for special projects or peak times Trade shows, exhibitions and construction sites which need temporary setup for a short time period. Retailers, airline and shipping companies that need additional workstations for a peak period. Auditors who require workgroups at customer sites. • Access to databases for mobile workers Doctors, nurses, retailers, or white-collar workers who need access to databases while being mobile in a hospital, retail store, or an office campus.
Introduction System Defaults The following table lists some of the access point’s basic system defaults. To reset the access point defaults, use the CLI command “reset configuration” from the Exec level prompt. Feature Parameter Default Identification System Name MEAP Administration User Name admin Password null HTTP Server Enabled HTTP Server Port 80 DHCP Enabled IP Address 192.168.1.1 Subnet Mask 255.255.255.0 Default Gateway 0.0.0.0 Primary DNS IP 0.0.0.0 Secondary DNS IP 0.0.
System Defaults Feature Parameter Default MAC Authentication MAC Local MAC Authentication Session Timeout 0 seconds (Disabled) Local MAC System Default Allowed Local MAC Permission Allowed Status Disabled Broadcast Key Refresh 0 minutes (Disabled) Session Key Refresh 0 minutes (Disabled) Reauthentication Refresh Rate 0 seconds (Disabled) Native VLAN ID 1 VLAN Tag Support Disabled Local Bridge Disabled Local Management Disabled Ethernet Type Disabled Status Enabled Location n
Introduction 1-12 Feature Parameter Default System Logging Syslog Disabled Logging Host Disabled Logging Console Disabled IP Address / Host Name 0.0.0.0 Logging Level Informational Logging Facility Type 16 Ethernet Interface Speed and Duplex Auto Wireless Interface 802.
System Defaults Feature Parameter Default Wireless Security 802.11a Authentication Type Open System WEP Encryption Disabled WEP Key Length 128 bits WEP Key Type Hexadecimal WEP Transmit Key Number 1 WEP Keys null WPA Configuration Mode All clients WPA Key Management WPA authentication over 802.
Introduction 1-14 Feature Parameter Default Wireless Security 802.11b/g Authentication Type Open System WEP Encryption Disabled WEP Key Length 128 bits WEP Key Type Hexadecimal WEP Transmit Key Number 1 WEP Keys null WPA Configuration Mode All clients WPA Key Management WPA authentication over 802.
Chapter 2 Hardware Installation 1. Select a Site – Choose a proper place for the access point. In general, the best location is at the center of your wireless coverage area, within line of sight of all wireless devices. Try to place the access point in a position that can best cover its Basic Service Set (refer to “Infrastructure Wireless LAN” on page 3-3).
Hardware Installation 3. Lock the Access Point in Place – To prevent unauthorized removal of the access point, you can use a Kensington Slim MicroSaver security cable (not included) to attach the access point to a fixed object. 4. Connect the Power Cord – Connect the power adapter to the access point, and the power cord to an AC power outlet. Otherwise, the access point can derive its operating power directly from the RJ-45 port when connected to a device that provides IEEE 802.
Hardware Installation 6. Connect the Ethernet Cable – The access point can be wired to a 10/100 Mbps Ethernet through a network device such as a hub or a switch. Connect your network to the RJ-45 port on the back panel with category 3, 4, or 5 UTP Ethernet cable. When the access point and the connected device are powered on, the Ethernet Link LED should light indicating a valid network connection.
Hardware Installation 2-4
Chapter 3 Network Configuration The wireless solution supports a stand-alone wireless network configuration as well as an integrated configuration with 10/100 Mbps Ethernet LANs. Wireless network cards, adapters, and access points can be configured as: • Ad hoc for departmental, SOHO or enterprise LANs • Infrastructure for wireless LANs • Infrastructure wireless LAN for roaming wireless PCs The 802.11b and 802.11g frequency band which operates at 2.4 GHz can easily encounter interference from other 2.
Network Configuration Network Topologies Ad Hoc Wireless LAN (no AP or Bridge) An ad hoc wireless LAN consists of a group of computers, each equipped with a wireless adapter, connected via radio signals as an independent wireless LAN. Computers in a specific ad hoc wireless LAN must therefore be configured to the same radio channel. An ad hoc wireless LAN can be used for a branch office or SOHO operation.
Network Topologies Infrastructure Wireless LAN The access point also provides access to a wired LAN for wireless workstations. An integrated wired/wireless LAN is called an Infrastructure configuration. A Basic Service Set (BSS) consists of a group of wireless PC users, and an access point that is directly connected to the wired LAN.
Network Configuration Infrastructure Wireless LAN for Roaming Wireless PCs The Basic Service Set (BSS) defines the communications domain for each access point and its associated wireless clients. The BSS ID is a 48-bit binary number based on the access point’s wireless MAC address, and is set automatically and transparently as clients associate with the access point. The BSS ID is used in frames sent between the access point and its clients to identify traffic in the service area.
Network Topologies A wireless infrastructure can also support roaming for mobile workers. More than one access point can be configured to create an Extended Service Set (ESS). By placing the access points so that a continuous coverage area is created, wireless users within this ESS can roam freely. All wireless network cards and adapters and wireless access points within a specific ESS must be configured with the same SSID.
Chapter 4 Specifications General Specifications Maximum Channels 802.11a: US & Canada: 13 (normal mode), 5 (turbo mode) Japan: 4 (normal mode), 1 (turbo mode) ETSI: 11 channels (normal mode), 4 (turbo mode) Taiwan: 8 (normal mode), 3 (turbo mode) 802.11b/g: FCC/IC: 1-11,1 (turbo mode) , ETSI: 1-13, France: 10-13, MKK: 1-14 Taiwan: 1-11, 1 (turbo mode) Maximum Clients 64 per radio Operating Range See “Maximum Distance Table” on page A-4 Data Rate 802.
Specifications Network Configuration Infrastructure Operating Frequency 802.11a: 5.15 ~ 5.25 GHz (lower band) US/Canada, Japan 5.25 ~ 5.35 GHz (middle band) US/Canada 5.725 ~ 5.825 GHz (upper band) US/Canada 5.50 ~ 5.70 GHz Europe 5.25 ~ 5.35 GHz (middle band) Taiwan 5.725 ~ 5.825 GHz (high band) Taiwan 802.11b: 2.4 ~ 2.4835 GHz (US, Canada, ETSI) 2.4 ~ 2.497 GHz (Japan) 2.400 ~ 2.4835 GHz ,(Taiwan) AC Power Adapter Input: 100-240 AC, 50-60 Hz Output: 5 VDC, 3 A Maximum Power: 13.
General Specifications LED Indicators PWR (Power), Ethernet Link (Ethernet Link/Activity), .11a and .11g (Wireless Link/Activity) Network Management Web-browser, RS232 console, Telnet, SNMP Temperature Operating: 0 to 50 °C (32 to 122 °F) Storage: 0 to 70 °C (32 to 158 °F) Humidity 15% to 95% (non-condensing) Compliances FCC Class B (US) ICES-003 (Canada) RTTED 1999/5/EC VCCI (Japan) DGT (Taiwan) Radio Signal Certification FCC Part 15.247 (2.4GHz) FCC part 15 15.407(b), CISPR 22-96 RSS-210 (Canada) EN 300.
Chapter 5 System Configuration Before continuing with advanced configuration, first complete the initial configuration steps described in Chapter 4 to set up an IP address for the access point. The access point can be managed by any computer using a web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above). Enter the configured IP address of the access point, or use the default address: http://192.168.1.
System Configuration The information in this chapter is organized to reflect the structure of the web screens for easy reference. However, we recommend that you configure a user name and password as the first step under advanced configuration to control management access to this device (page 5-30). Advanced Configuration The Advanced Configuration pages include the following options.
Advanced Configuration Menu Description Page Controls logging of error messages; sets the system clock via SNTP server or manual configuration 5-36 Configures the IEEE 802.11a interface 5-42 Radio Settings Configures radio signal parameters, such as radio channel, transmission rate, and beacon settings 5-43 Security Configures data encryption with Wired Equivalent Protection (WEP) or Wi-Fi Protected Access (WPA) 5-52 System Log Radio Interface 1 Radio Interface 2 Configures the IEEE 802.
System Configuration System Identification The system information parameters for the access point can be left at their default settings. However, modifying these parameters can help you to more easily distinguish different devices in your network. You should set a Service Set Identification (SSID) to identify the wireless network service provided by the access point. Only clients with the same SSID can associate with the access point.
Advanced Configuration CLI Commands for System Identification – Enter the global configuration mode, and use the system name command to specify a new system name. Enter the wireless configuration mode (either 11a or 11g), and use the ssid command to set the service set identifier. Then return to the Exec mode, and use the show system command to display the changes to the system identification settings.
System Configuration TCP / IP Settings Configuring the access point with an IP address expands your ability to manage the access point. A number of access point features depend on IP addressing to operate. Note: You can use the web browser interface to access IP addressing only if the access point already has an IP address that is reachable through your network. By default, the access point will be automatically configured with IP settings from a Dynamic Host Configuration Protocol (DHCP) server.
Advanced Configuration DHCP Client (Enable) – Select this option to obtain the IP settings for the access point from a DHCP (Dynamic Host Configuration Protocol) server. The IP address, subnet mask, default gateway, and Domain Name Server (DNS) address are dynamically assigned to the access point by the network DHCP server. (Default: Enabled) DHCP Client (Disable) – Select this option to manually configure a static address for the access point. • IP Address: The IP address of the access point.
System Configuration CLI Commands for TCP/IP Settings – From the global configuration mode, enter the interface configuration mode with the interface ethernet command. Use the ip dhcp command to enable the DHCP client, or no ip dhcp to disable it. To manually configure an address, specify the new IP address, subnet mask, and default gateway using the ip address command. To specify DNS server addresses use the dns server command.
Advanced Configuration Radius Remote Authentication Dial-in User Service (RADIUS) is an authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of user credentials for each user that requires access to the network. A primary RADIUS server must be specified for the access point to implement IEEE 802.1x network access control and Wi-Fi Protected Access (WPA) wireless security.
System Configuration Primary Radius Server Setup – Configure the following settings to use RADIUS authentication on the access point. • IP Address: Specifies the IP address or host name of the RADIUS server. • Port: The UDP port number used by the RADIUS server for authentication messages. (Range: 1024-65535; Default: 1812) • Key: A shared text string used to encrypt messages between the access point and the RADIUS server. Be sure that the same text string is specified on the RADIUS server.
Advanced Configuration CLI Commands for RADIUS – From the global configuration mode, use the radius-server address command to specify the address of the primary or secondary RADIUS servers. (The following example configures the settings for the primary RADIUS server.) Configure the other parameters for the RADIUS server. Then use the show show radius command from the Exec mode to display the current settings for the primary and secondary RADIUS servers.
System Configuration PPPoE Settings The access point can use a Point-to-Point Protocol over Ethernet (PPPoE) connection, or tunnel, for management traffic between the access point and a remote PPPoE server (typically at an ISP). Examples of management traffic that may be initiated by the access point and carried over a PPPoE tunnel are RADIUS, Syslog, or DHCP traffic.
Advanced Configuration Confirm Password – Use this field to confirm the PPPoE password. PPPoE Service Name – The service name assigned for the PPPoE tunnel. The service name is normally optional, but may be required by some service providers. (Range: 1-63 alphanumeric characters) IP Allocation Mode – This field specifies how IP addresses for the PPPoE tunnel are configured on the RJ-45 interface. The allocation mode depends on the type of service provided by the PPPoE server.
System Configuration Authentication Wireless clients can be authenticated for network access by checking their MAC address against the local database configured on the access point, or by using a database configured on a central RADIUS server. Alternatively, authentication can be implemented using the IEEE 802.1x network access control protocol. MAC Authentication – You can configure a list of the MAC addresses for wireless clients that are authorized to access the network.
Advanced Configuration • Local MAC: The MAC address of the associating station is compared against the local database stored on the access point. The Local MAC Authentication section enables the local database to be set up. • Radius MAC: The MAC address of the associating station is sent to a configured RADIUS server for authentication. When using a RADIUS authentication server for MAC address authentication, the server must first be configured in the Radius window (page 5-9).
System Configuration • Update: Enters the specified MAC address and permission setting into the local database. MAC Authentication Table: Displays current entries in the local MAC database. Note: Client station MAC authentication occurs prior to the IEEE 802.1x authentication procedure configured for the access point. However, a client’s MAC address provides relatively weak user authentication, since MAC addresses can be easily captured and used by another station to break into the network. Using 802.
Advanced Configuration The 802.1x EAP packets are also used to pass dynamic unicast session keys and static broadcast keys to wireless clients. Session keys are unique to each client and are used to encrypt and correlate traffic passing between a specific client and the access point. You can also enable broadcast key rotation, so the access point provides a dynamic broadcast key and changes it at a specified interval. You can enable 802.
System Configuration 5-18 • Session Key Refresh Rate: The interval at which the access point refreshes unicast session keys for associated clients. (Range: 0-1440 minutes; Default: 0 means disabled) • 802.1x Re-authentication Refresh Rate: The time period after which a connected client must be re-authenticated. During the re-authentication process of verifying the client’s credentials on the RADIUS server, the client remains connected the network.
Advanced Configuration CLI Commands for Local MAC Authentication – Use the mac-authentication server command from the global configuration mode to enable local MAC authentication. Set the default for MAC addresses not in the local table using the address filter default command, then enter MAC addresses in the local table using the address filter entry command. To remove an entry from the table, use the address filter delete command.
System Configuration CLI Commands for RADIUS MAC Authentication – Use the mac-authentication server command from the global configuration mode to enable remote MAC authentication. Set the timeout value for re-authentication using the mac-authentication session-timeout command. Be sure to also configure connection settings for the RADIUS server (not shown in the following example). To display the current settings, use the show authentication command from the Exec mode.
Advanced Configuration CLI Commands for 802.1x Authentication – Use the 802.1x supported command from the global configuration mode to enable 802.1x authentication. Set the session and broadcast key refresh rate, and the re-authentication timeout. To display the current settings, use the show authentication command from the Exec mode. AP(config)#802.1x supported AP(config)#802.1x broadcast-key-refresh-rate 5 AP(config)#802.1x session-key-refresh-rate 5 AP(config)#802.
System Configuration Filter Control The access point can employ VLAN ID and network traffic frame filtering to control access to network resources and increase security. Native VLAN ID – The VLAN ID assigned to wireless clients that are not assigned to a specific VLAN by RADIUS server configuration. VLAN – Enables or disables VLAN tagging support on the access point.
Advanced Configuration A VLAN ID (1-4095) is assigned to a client after successful authentication using IEEE 802.1x and a central RADIUS server. The user VLAN IDs must be configured on the RADIUS server for each user authorized to access the network. If a user does not have a configured VLAN ID, the access point assigns the user to its own configured native VLAN ID.
System Configuration • Enable: Blocks wireless-to-wireless communications between clients through the access point. AP Management Filter – Controls management access to the access point from wireless clients. Management interfaces include the web, Telnet, or SNMP. • Disabled: Allows management access from wireless clients. • Enable: Blocks management access from wireless clients.
Advanced Configuration To view the current VLAN settings, use the show system command. AP#show system System Information =========================================================== Serial Number : A252014354 System Up time : 0 days, 1 hours, 28 minutes, 9 seconds System Name : MEAP System Location : System Contact : Contact System Country Code : 99 - NO_COUNTRY_SET MAC Address : 00-30-F1-71-D6-40 IP Address : 192.168.1.1 Subnet Mask : 255.255.255.0 Default Gateway : 0.0.0.
System Configuration CLI Commands for Bridge Filtering – Use the filter local-bridge command from the global configuration mode to prevent wireless-to-wireless communications through the access point. Use the filter ap-manage command to restrict management access from wireless clients. To configure Ethernet protocol filtering, use the filter ethernet-type enable command to enable filtering and the filter ethernet-type protocol command to define the protocols that you want to filter.
Advanced Configuration SNMP You can use a network management application such as HP’s OpenView to manage the access point via the Simple Network Management Protocol (SNMP) from a network management station. To implement SNMP management, the access point must have an IP address and subnet mask, configured either manually or dynamically. Once an IP address has been configured, appropriate SNMP communities and trap receivers should be configured.
System Configuration Location – A text string that describes the system location. (Maximum length: 20 characters) Contact – A text string that describes the system contact. (Maximum length: 255 characters) Community Name (Read Only) – Defines the SNMP community access string that has read-only access. Authorized management stations are only able to retrieve MIB objects.
Advanced Configuration CLI Commands for SNMP – Use the snmp-server enable server command from the global configuration mode. To set read/write and read-only community names, use the snmp-server community command. Use the snmp-server location and snmp-server contact commands to indicate the physical location of the access point and define a system contact. The snmp-server host command defines a trap receiver host. To view the current SNMP settings, use the show snmp command.
System Configuration Administration Changing the Password Management access to the web and CLI interface on the access point is controlled through a single user name and password. You can also gain additional access security by using control filters (see “Filter Control” on page 5-22). To protect access to the management interface, you need to configure an Administrator’s user name and password as soon as possible.
Advanced Configuration CLI Commands for the User Name and Password – Use the username and password commands from the CLI configuration mode.
System Configuration Upgrading Firmware You can upgrade new access point software from a local file on the management workstation, or from an FTP or TFTP server. New software may be provided periodically from your distributor. After upgrading new software, you must reboot the access point to implement the new code. Until a reboot occurs, the access point will continue to run the software it was using before the upgrade started.
Advanced Configuration If you need to download from an FTP or TFTP server, take the following additional steps: • Obtain the IP address of the FTP or TFTP server where the access point software is stored. • If upgrading from an FTP server, be sure that you have an account configured on the server with a user name and password.
System Configuration Firmware Upgrade Remote – Downloads an operation code image file from a specified remote FTP or TFTP server. After filling in the following fields, click Start Upgrade to proceed. • New firmware file: Specifies the name of the code file on the server. The new firmware file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.
Advanced Configuration CLI Commands for Downloading Software from a TFTP Server – Use the copy tftp file command from the Exec mode and then specify the file type, name, and IP address of the TFTP server. When the download is complete, the dir command can be used to check that the new file is present in the access point file system. To run the new software, use the reset board command to reboot the access point. AP#copy config tftp TFTP Source file name:syscfg TFTP Server IP:192.168.1.
System Configuration System Log The access point can be configured to send event and error messages to a System Log Server. The system clock can also be synchronized with a time server, so that all the messages sent to the Syslog server are stamped with the correct time and date. Enabling System Logging The access point supports a logging process that can control error messages saved to memory or sent to a Syslog server.
Advanced Configuration Logging Console – Enables the logging of error messages to the console. Logging Level – Sets the minimum severity level for event logging. The system allows you to limit the messages that are logged by specifying a minimum severity level. The following table lists the error message levels from the most severe (Emergency) to least severe (Debug). The message levels that are logged include the specified minimum level up to the Emergency level.
System Configuration CLI Commands for System Logging – To enable logging on the access point, use the logging on command from the global configuration mode. The logging level command sets the minimum level of message to log. Use the logging console command to enable logging to the console. Use the logging host command to specify up to four Syslog servers. The CLI also allows the logging facility-type command to set the facility-type number to use on the Syslog server.
Advanced Configuration Configuring SNTP Simple Network Time Protocol (SNTP) allows the access point to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the access point enables the system log to record meaningful dates and times for event entries. If the clock is not set, the access point will only record the time from the factory default set at the last bootup.
System Configuration Enable Daylight Saving – The access point provides a way to automatically adjust the system clock for Daylight Savings Time changes. To use this feature you must define the month and date to begin and to end the change from standard time. During this period the system clock is set back by one hour.
Advanced Configuration CLI Commands for the System Clock – The following example shows how to manually set the system time when SNTP server support is disabled on the access point.
System Configuration Radio Interface The IEEE 802.11a and 802.11g interfaces include configuration options for radio signal characteristics and wireless security features. The configuration options are nearly identical, and are therefore both covered in this section of the manual. The access point can operate in four modes, IEEE 802.11a only, 802.11b & g, 802.11g only and 802.11b only. Also note that 802.11g is backward compatible with 802.11b.
Radio Settings (802.11a) The IEEE 802.11a interface operates within the 5 GHz band, at Radio Interface up to 54 Mbps in normal mode or up to 108 Mbps in Turbo mode. 108 Enable – Enables radio communications on the access point. (Default: Enabled) Turbo Mode – The normal 802.11a wireless operation mode provides connections up to 54 Mbps. Turbo Mode is an enhanced mode (not regulated in IEEE 802.11a) that provides a higher data rate of up to 108 Mbps.
System Configuration Radio Channel – The radio channel that the Normal Mode access point uses to communicate with wireless clients. When multiple access points are deployed in the same area, set the channel on neighboring access points at least four channels apart to avoid interference with each other. For example, in the United States you can deploy up to four access points in the same area .
Radio Interface Beacon Interval – The rate at which beacon signals are transmitted from the access point. The beacon signals allow wireless clients to maintain contact with the access point. They may also carry power-management information. (Range: 20-1000 TUs; Default: 100 TUs) Data Beacon Rate – The rate at which stations in sleep mode must wake up to receive broadcast/multicast transmissions.
System Configuration The access points contending for the medium may not be aware of each other. The RTS/CTS mechanism can solve this “Hidden Node Problem.” (Range: 0-2347 bytes: Default: 2347 bytes) CLI Commands for the 802.11a Wireless Interface – From the global configuration mode, enter the interface wireless a command to access the 802.11a radio interface. Set the interface SSID using the ssid command and, if required, configure a name for the interface using the description command.
Radio Interface AP#show interface wireless a 6-107 Wireless Interface 802.11a Information ========================================================== ----------------Identification---------------------------Description : Enterprise 802.11a Access Point SSID : r&d Turbo Mode : ON Channel : 42 (AUTO) Status : Enabled ----------------802.
Radio Settings (802.11g) The IEEE 802.11g standard operates within the 2.4 GHz band at up to 108 Mbps (include turbo mode) . Also note that because the IEEE 802.11g System Configuration standard is an extension of the IEEE 802.11b standard, it allows clients with 802.11b wireless network cards to associate to an 802.11g access point. 108 Enable – Enables radio communications on the access point.
Radio Interface set to the same as that used by the access point to which it is linked. (Range: 1-11; Default: 1) Auto Channel Select – Enables the access point to automatically select an unoccupied radio channel. (Default: Enabled) Maximum Supported Rate – The maximum data rate at which a client can connect to the access point. The maximum transmission distance is affected by the data rate. The lower the data rate, the longer the transmission distance.
System Configuration CLI Commands for the 802.11g Wireless Interface – From the global configuration mode, enter the interface wireless g command to access the 802.11g radio interface. Set the interface SSID using the ssid command and, if required, configure a name for the interface using the description command. You can also use the closed-system command to stop sending the SSID in beacon messages. Select a radio channel or set selection to Auto using the channel command.
Radio Interface AP#show interface wireless g 6-107 Wireless Interface Information =========================================================== ----------------Identification----------------------------Description : Enterprise 802.11g Access Point SSID : r&d Channel : 11 (AUTO) Status : Enabled ----------------802.
System Configuration Security The access point is configured by default as an “open system,” which broadcasts a beacon signal including the configured SSID. Wireless clients can read the SSID from the beacon, and automatically reset their SSID to allow immediate connection to the nearest access point. To improve wireless network security, you have to implement two main functions: • Authentication: It must be verified that clients attempting to connect to the network are authorized users.
Radio Interface The security mechanisms that may be employed depend on the level of security required, the network and management resources available, and the software support provided on wireless clients. A summary of wireless security considerations is listed in the following table. Security Mechanism Client Support Implementation Considerations WEP Built-in support on all 802.11a and 802.11g devices • Provides only weak security • Requires manual key management WEP over 802.1x Requires 802.
System Configuration Wired Equivalent Privacy (WEP) WEP provides a basic level of security, preventing unauthorized access to the network and encrypting data transmitted between wireless clients and the access point. WEP uses static shared keys (fixed-length hexadecimal or alphanumeric strings) that are manually distributed to all clients that want to use the network. WEP is the security protocol initially specified in the IEEE 802.11 standard for wireless communications.
Radio Interface If you choose to use WEP shared keys instead of an open system, be sure to define at least one static WEP key for user authentication and data encryption. Also, be sure that the WEP shared keys are the same for each client in the wireless network. Authentication Type Setup – Sets the access point to communicate as an open system that accepts network access attempts from any client, or with clients using pre-configured static shared keys.
System Configuration Shared Key Setup – Select 64 Bit, 128 Bit, or 152 Bit key length. Note that the same size of encryption key must be supported on all wireless clients. 152 Bit key length is only supported on 802.11a radio.
Radio Interface CLI Commands for WEP Shared Key Security – From the 802.11a or 802.11g interface configuration mode, use the authentication command to enable WEP shared-key authentication and the encryption command to enable WEP encryption. Use the multicast-cipher command to select WEP cipher type. To enter WEP keys, use the key command, and then set one key as the transmit key using the transmit-key command. Then disable 802.1x port authentication with the 802.1x command.
System Configuration ----------------Security---------------------------------Closed System : DISABLED Multicast cipher : WEP Unicast cipher : TKIP WPA clients : SUPPORTED WPA Key Mgmt Mode : PRE SHARED KEY WPA PSK Key Type : HEX Encryption : 128-BIT ENCRYPTION Default Transmit Key : 1 Static Keys : Key 1: ***** Key 2: EMPTY Key 3: EMPTY Key 4: EMPTY Authentication Type : SHARED ========================================================== AP# Note: The index and length values used in the key command must be
Radio Interface Wi-Fi Protected Access (WPA) WPA employs a combination of several technologies to provide an enhanced security solution for 802.11 wireless networks. The access point supports the following WPA components and features: IEEE 802.1x and the Extensible Authentication Protocol (EAP): WPA employs 802.1x as its basic framework for user authentication and dynamic key management. The 802.
System Configuration Note: To implement WPA on wireless clients requires a WPA-enabled network card driver and 802.1x client software that supports the EAP authentication type that you want to use. Windows XP provides native WPA support, other systems require additional software. Temporal Key Integrity Protocol (TKIP): WPA specifies TKIP as the data encryption method to replace WEP. TKIP avoids the problems of WEP static keys by dynamically changing data encryption keys.
Radio Interface multicast and broadcast traffic must be the same for all clients, therefore it restricts encryption to a WEP key. When access is opened to both WPA and WEP clients, no authentication is provided for the WEP clients through shared keys. To support authentication for WEP clients in this mixed mode configuration, you can use either MAC authentication or 802.1x authentication. Advanced Encryption Standard (AES) Support: WPA specifies AES encryption as an optional alternative to TKIP and WEP.
System Configuration WPA Key Management – WPA can be configured to work in an enterprise environment using IEEE 802.1x and a RADIUS server for user authentication. For smaller networks, WPA can be enabled using a common pre-shared key for client authentication with the access point. • WPA authentication over 802.1x: The WPA enterprise mode that uses IEEE 802.1x to authenticate users and to dynamically distribute encryption keys to clients.
Radio Interface WPA Pre-Shared Key Type – If the WPA pre-shared-key mode is used, all wireless clients must be configured with the same key to communicate with the access point. • Hexadecimal: Enter a key as a string of 64 hexadecimal numbers. • Alphanumeric: Enter a key as an easy-to-remember form of letters and numbers. The string must be from 8 to 63 characters, which can include spaces. The configuration settings for WPA are summarized below: WPA pre-shared key only WPA over 802.
System Configuration CLI Commands for WPA Pre-shared Key Security – From the 802.11a or 802.11g interface configuration mode, use the authentication command to set the access point to “Open System.” Use the WEP encryption command to enable all types of encryption. To enable WPA to be required for all clients, use the wpa-clients command. Use the wpa-mode command to enable the Pre-shared Key mode.
Radio Interface CLI Commands for WPA over 802.1x Security – From the 802.11a or 802.11g interface configuration mode, use the authentication command to set the access point to “Open System.” Use the WEP encryption command to enable all types of encryption. Use the wpa-clients command to set WPA to be required or supported for clients. Use the wpa-mode command to enable WPA dynamic keys over 802.1x. Set the broadcast and multicast key encryption using the multicast-cipher command. Then set 802.
System Configuration Status Information The Status page includes information on the following items: Menu Description AP Status Displays configuration settings for the basic system and the wireless interface 5-66 Station Status Shows the wireless clients currently associated with the access point 5-69 Event Logs Shows log messages stored in memory 5-71 Access Point Status The AP Status window displays basic system configuration settings, as well as the settings for the wireless interface.
Status Information AP System Configuration – The AP System Configuration table displays the basic system configuration settings: • System Up Time: Length of time the management agent has been up. • MAC Address: The physical layer address for this device. • System Name: Name assigned to this system. • System Contact: Administrator responsible for the system. • IP Address: IP address of the management interface for this device.
System Configuration • 802.1x: Shows if IEEE 802.1x access control for wireless clients is enabled. CLI Commands for Displaying System Settings – To view the current access point system settings, use the show system command from the Exec mode. To view the current radio interface settings, use the show interface wireless a or show interface wireless g command (see page 6-107).
Status Information Station Status The Station Status window shows the wireless clients currently associated with the access point. The Station Configuration page displays basic connection information for all associated stations as described below. Note that this page is automatically refreshed every five seconds. • Station Address: The MAC address of the wireless client. • Authenticated: Shows if the station has been authenticated. The two basic methods of authentication supported for 802.
System Configuration • Associated: Shows if the station has been successfully associated with the access point. Once authentication is completed, stations can associate with the current access point, or reassociate with a new access point. The association procedure allows the wireless system to track the location of each mobile client, and ensure that frames destined for each client are forwarded to the appropriate access point. • Forwarding Allowed: Shows if the station has passed 802.
Status Information Event Logs The Event Logs window shows the log messages generated by the access point and stored in memory. The Event Logs table displays the following information: • Log Time: The time the log message was generated. • Event Level: The logging level associated with this message. For a description of the various levels, see “logging level” on page 5-36. • Event Message: The content of the log message.
System Configuration • Access point was set to “Shared Key Authentication,” but a client sent an authentication frame for “Open System.” • WEP keys do not match: When the access point uses “Shared Key Authentication,” but the key used by client and access point are not the same, the frame will be decrypted incorrectly, using the wrong algorithm and sequence number. CLI Commands for Displaying the Event Logs – From the global configuration mode, use the show logging command.
