Management Software AT-WA7400/EU User’s Guide 613-000485 Rev.
Copyright © 2007 Allied Telesyn, Inc. All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesyn, Inc. Microsoft and Internet Explorer are registered trademarks of Microsoft Corporation. Netscape Navigator is a registered trademark of Netscape Communications Corporation. All other product names, company names, logos or other designations mentioned herein are trademarks or registered trademarks of their respective owners. Allied Telesyn, Inc.
Contents

Preface
Where to Find Web-based Guides
Contacting Allied Telesyn
Removing an Access Point from the Cluster
Adding an Access Point to a Cluster
Navigating to Configuration Information for a Specific Access Point and Managing Standalone Access Points
When to Use WPA/WPA2 Personal (PSK)
When to Use WPA/WPA2 Enterprise (RADIUS)
Does Prohibiting the Broadcast SSID Enhance Security?
WDS Guidelines
Configuring WDS Settings
Example of Configuring a WDS Link
Quick View of Commands and How to Get Help
Commands and Syntax
Getting Help on Commands at the CLI
Get the Current Security Mode
Get Detailed Description of Current Security Settings
Set the Broadcast SSID (Allow or Prohibit)
Enable/Disable Station Isolation
Add MAC Addresses of Client Stations to the Filtering List
Remove a Client Station’s MAC Address from the Filtering List
Getting Current MAC Filtering Settings
Figures

Figure 1. AT-WA7400 CD Main Page
Figure 2. KickStart Page
Figure 3. KickStart Welcome Dialog Box
Figure 51. WDS Bridge
Figure 52. Wireless Distribution System Page
Figure 53. Interfaces Page

Tables

Table 1. Static WEP Configuration
Table 2. IEEE 802.1x Configuration
Table 3. WPA/WPA2 Configuration
Preface

This guide contains instructions on how to configure and maintain an AT-WA7400 Wireless Access Point using its management software and contains the following sections:

“Where to Find Web-based Guides”
“Contacting Allied Telesyn”
Where to Find Web-based Guides

The installation and user guides for all Allied Telesyn products are available in portable document format (PDF) on our web site at www.alliedtelesyn.com. You can view the documents online or download them onto a local workstation or server.
Contacting Allied Telesyn

This section provides Allied Telesyn contact information for technical support as well as sales and corporate information.

Online Support

You can request technical support online by accessing the Allied Telesyn Knowledge Base: http://kb.alliedtelesyn.com. You can use the Knowledge Base to submit questions to our technical support staff and review answers to previously asked questions.
Chapter 1
Preparing to Set Up the AT-WA7400 Wireless Access Point

Before you plug in and boot a new AT-WA7400 Wireless Access Point, review the following sections for a quick check of required hardware components, software, client configurations, and compatibility issues. Make sure you have everything you need ready to go for a successful launch and test of your new (or extended) wireless network.
Setting Up the Administrator’s Computer

You configure and administer the AT-WA7400 Wireless Access Point with the KickStart utility (which you run from the CD), through a web-based user interface (UI), or through the command line interface.
that is connected to the access point (via wired or wireless connection). It detects AT-WA7400 Wireless Access Points on the network. The wizard steps you through initial configuration of new access points, and provides a link to the AT-WA7400 management software where you finish the basic setup process in a step-by-step mode and launch the network. You can also download KickStart onto the administrator’s computer, which makes it unnecessary to have the CD.
Setting Up the Wireless Client Computers

The AT-WA7400 Wireless Access Point provides wireless access to any client with a properly configured Wi-Fi client adapter for the 802.11 mode in which the access point is running. Multiple client operating systems are supported.
Understanding Dynamic and Static IP Addressing on the AT-WA7400 Management Software

Very little setup is required for the first access point, and no configuration is required for additional access points subsequently joining a pre-configured cluster. When you run KickStart, it discovers the AT-WA7400 Wireless Access Points on the network and lists their IP addresses and MAC addresses.
Recovering an IP Address

If you experience trouble communicating with the access point, you can recover a static IP address by resetting the access point configuration to the factory defaults (see “Resetting the Configuration to Factory Defaults” on page 206), or you can get a dynamically assigned address by connecting the access point to a network that has DHCP.
Chapter 2
Setting up the AT-WA7400 Management Software

Setting up and deploying one or more AT-WA7400 Wireless Access Points is in effect creating and launching a wireless network. The KickStart utility and corresponding AT-WA7400 Management Software Basic Settings web page simplify this process. This chapter contains procedures for setting up your AT-WA7400 Wireless Access Points and the resulting wireless network.
Running KickStart to Find Access Points on the Network

KickStart is an easy-to-use utility for discovering and identifying new AT-WA7400 Wireless Access Points. KickStart scans the network looking for access points, displays ID details on those it finds, and provides access to the AT-WA7400 Management Software.

Note
KickStart (and the other AT-WA7400 tools) recognizes and configures only AT-WA7400 Wireless Access Points.
2. Insert the AT-WA7400 Wireless Access Point CD into the CD-ROM drive on your computer. The CD’s main page is shown in Figure 1.

Figure 1. AT-WA7400 CD Main Page

3. Click KickStart Utility. The KickStart page, as shown in Figure 2, provides two options: Open KickStart and Install KickStart.

Figure 2.
For information about installing KickStart, refer to “Installing KickStart on the Administrator’s PC” on page 30. Otherwise, continue with this procedure.

4. Click Open KickStart. The KickStart Welcome dialog box is displayed, as shown in Figure 3.

Figure 3. KickStart Welcome Dialog Box

5. Click Next to search for access points. Wait for the search to complete, or until KickStart has found your new access points, as shown in Figure 4.

Figure 4.
Note
The KickStart utility only finds other AT-WA7400 Wireless Access Points. If KickStart does not find the AT-WA7400 Wireless Access Point you just installed, an informational window is displayed with troubleshooting information about your LAN and power connections.

6. Review the list of access points that KickStart found, as shown in the example in Figure 4 on page 28.
The AT-WA7400 management software is a centralized management tool that you can access through the IP address for any access point in a cluster. After your other access points are configured, you can also link to the AT-WA7400 management software web pages using the IP address for any of the other AT-WA7400 Wireless Access Points, for example http://IPAddressOfAccessPoint.
The Select Installation Folder dialog box is shown in Figure 7.

Figure 7. Select Installation Folder Dialog Box

4. Do one of the following:

To see how much disk space the files require, click Disk Cost. The KickStart Setup Disk Space window is shown in Figure 8.

Figure 8. KickStart Setup Disk Space Dialog Box

Select the drive where you want to install KickStart, and then click OK.

Click Browse to select a specific location for the KickStart utility.
The KickStart Setup confirmation dialog box is shown in Figure 9.

Figure 9. KickStart Installation Confirmation Dialog Box

6. Click Next to start the installation. The Installing KickStart dialog box is shown in Figure 10.

Figure 10.
When the installation is complete, the Installation Complete dialog box is displayed, as shown in Figure 11.

Figure 11. KickStart Installation Complete Dialog Box

7. Click Close. You can now run KickStart from the Programs folder under Allied Telesyn.
Logging in to the AT-WA7400 Management Software

To access the AT-WA7400 management software, perform the following procedure:

1. In the KickStart Administration dialog box, click Administration. You are prompted for a user name and password, as shown in Figure 12.

Figure 12. Login Dialog Box

The defaults for user name and password are:

Username: manager
Password: friend

Note
You cannot modify the user name.

2.
Figure 13.
Navigating the Web Pages

The web pages provide several ways that you can navigate through the software, as shown in Figure 14.

Figure 14. Navigational Aids (callouts: Links, Menu, Help)

Links

The three links at the top of all the pages allow you to navigate to the following locations:

Home - The home page for the access point showing the Basic Settings page.
Help - The entire help system for the access point.
Configuring the Basic Settings and Starting the Wireless Network

Provide a minimal set of configuration information by defining the basic settings for your wireless network. These settings are all available on the Basic Settings page in the AT-WA7400 management software, and are categorized into steps 1-4 on the web page.

Configuring the Basic Settings

To configure initial settings, perform the following procedure:

1.
Telesyn recommends that you change the administrator password from the default, which is “friend.”

Enter the current administrator password.

New Password
Enter a new administrator password. The characters you enter are displayed as “*” characters to prevent others from seeing your password as you type. The Administrator password must be an alphanumeric string of up to 8 characters. Do not use special characters or spaces.
If you choose “are ignored,” new access points will not join the cluster; they will be considered standalone. You need to configure standalone access points manually using KickStart and the AT-WA7400 management software residing on the standalone access points. (To get to the web page for a standalone access point, use its IP address in a URL as follows: http://IPAddressOfAccessPoint.
A summary of the settings is shown in Figure 15.

Figure 15. Summary of Settings Page

At initial startup, no security is in place on the access point. An important next step is to configure security, as described in Chapter 10, “Configuring Security” on page 105.

At this point, if you click Basic Settings again, the summary of settings page is replaced by the standard Basic Settings configuration options.
Next Steps

To make sure the access point is connected to the LAN, bring up some wireless clients and connect the clients to the network. After you have tested the basics of your wireless network, you can enable more security and fine-tune the setup by modifying advanced configuration features on the access point.
Logging in After the Initial Setup

When you log in again after you complete the initial setup, the default web page is the Interfaces page, as shown in Figure 16.

Figure 16.
Chapter 3
Managing Access Points and Clusters

The AT-WA7400 Management Software shows current basic configuration settings for clustered access points (location, IP address, MAC address, status, and availability) and provides a way of navigating to the full configuration for specific access points if they are cluster members. Standalone access points or those which are not members of this cluster do not show up in this listing.
Understanding Clustering

A key feature of the AT-WA7400 Management Software is the ability to form a dynamic, configuration-aware group (called a cluster) with other AT-WA7400 Wireless Access Points in a network in the same subnet. Access points can participate in a self-organizing cluster, which makes it easier for you to deploy, administer, and secure your wireless network.
Which Settings are Shared as Part of the Cluster Configuration and Which Are Not?

Most configuration settings that you define using the AT-WA7400 Management Software are propagated to cluster members as a part of the cluster configuration.
Settings that are not shared must be configured individually on the AT-WA7400 Management Software web pages for each access point. To access the AT-WA7400 Management Software web pages for an access point that is a member of the current cluster, click on its IP Address link on the Cluster > Access Points page of the current access point.

Cluster Mode

When an access point is a cluster member, it is considered to be in cluster mode.
Cluster Formation

A cluster is formed when the first AT-WA7400 Wireless Access Point is configured. (See “Configuring the Basic Settings and Starting the Wireless Network” on page 37.) If a cluster configuration policy is in place when a new access point is deployed, it attempts to rendezvous with an existing cluster. If it is unable to locate a cluster, then it establishes a new cluster on its own.
Understanding and Changing Access Point Settings

The Access Points page provides information about all access points in the cluster. From this page, you can view location descriptions and IP addresses, enable (activate) or disable (deactivate) clustered access points, and remove access points from the cluster. You can also modify the location description for an access point.
A MAC address is a permanent, unique hardware address for any device that represents an interface to the network. The MAC address is assigned by the manufacturer. You cannot change the MAC address. It is provided here for informational purposes as a unique identifier for the access point. The address shown here is the MAC address for the bridge (br0). This is the address by which the access point is known externally to other networks.
Note
In some situations it is possible for the cluster to become out of sync. If, after removing an access point from the cluster, the access point list still reflects the deleted access point or shows an incomplete display, refer to the information on cluster recovery in “Cluster Recovery” on page 261.

Adding an Access Point to a Cluster

To add an access point that is currently in standalone mode back into a cluster, do the following.

1.
The access point is now a cluster member. Its Status (Mode) on the Cluster > Access Points page now indicates “Clustered.”

Note
In some situations it is possible for the cluster to become out of sync. If, after removing an access point from the cluster, the access point list still reflects the deleted access point or shows an incomplete display, refer to the information on cluster recovery in “Cluster Recovery” on page 261.
Navigating to Configuration Information for a Specific Access Point and Managing Standalone Access Points

In general, the AT-WA7400 Management Software is designed for central management of clustered access points. For access points in a cluster, all access points in the cluster reflect the same configuration. In this case, it does not matter which access point you actually connect to for administration.
Configuring MAC Address Filtering

A media access control (MAC) address is a hardware address that uniquely identifies each node of a network. All IEEE 802 network devices share a common 48-bit MAC address format, usually displayed as a string of 12 hexadecimal digits separated by colons, for example FE:DC:BA:09:87:65. Each wireless network interface card (NIC) used by a wireless client has a unique MAC address.
2. Configure the following settings:

Filter
Click one of the following radio buttons:
Allow only stations in the list
Allow any station unless in list

Stations List
To add a MAC Address to Stations List, enter its 48-bit MAC address into the lower text boxes, then click Add. The MAC Address is added to the Stations List.
To remove a MAC Address from the Stations List, select its 48-bit MAC address, then click Remove.
MAC Filtering of Rogue Access Points

When an access point is not listed in the access points list, the MAC filtering of rogue access points feature sends an SNMP trap to alert you to the unregistered (rogue) access point.

To enable MAC filtering of rogue access points, perform the following procedure:

1. From the main menu, select Advanced > Pre-Config Rogue AP. The Configure MAC Filtering of Rogue Access Points page is shown in Figure 20.

Figure 20.
b. Click Add.
c. Click Update.
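The two Filter choices for client stations and the rogue access point check described in this chapter both reduce to matching normalized 48-bit MAC addresses against a list. The following is an added example, not code from the AT-WA7400 software: the function names and the sample lists are assumptions, and it models only the list comparison, not the SNMP trap itself.

```python
import re

# Filter choices exactly as labelled on the MAC Filtering page.
ALLOW_ONLY_LISTED = "Allow only stations in the list"
ALLOW_UNLESS_LISTED = "Allow any station unless in list"


def normalize_mac(text):
    """Return a 48-bit MAC as 'FE:DC:BA:09:87:65'; raise ValueError otherwise.

    Accepts ':', '-' or '.' as separators so that the same address typed in
    different notations compares equal.
    """
    digits = re.sub(r"[:.\-]", "", text.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_list(entries):
    """Split raw list entries into (set of valid MACs, rejected entries).

    A mistyped entry is reported instead of being dropped silently: under
    ALLOW_ONLY_LISTED it would lock a station out, and under
    ALLOW_UNLESS_LISTED it would fail to block one.
    """
    valid, rejected = set(), []
    for entry in entries:
        try:
            valid.add(normalize_mac(entry))
        except ValueError:
            rejected.append(entry)
    return valid, rejected


def station_allowed(mac, mode, stations):
    """Decide association for one client under the selected Filter mode.

    MAC addresses are asserted by the client, so this is an access-hygiene
    control to run alongside WPA/WPA2, not a substitute for authentication.
    """
    listed = normalize_mac(mac) in stations
    if mode == ALLOW_ONLY_LISTED:
        return listed
    if mode == ALLOW_UNLESS_LISTED:
        return not listed
    raise ValueError(f"unknown filter mode: {mode!r}")


def unregistered_aps(neighbors, registered):
    """Return neighbor records whose MAC is not in the registered AP list.

    These are the access points the rogue-AP feature would report. Records
    with an unparsable MAC are returned too, since they cannot be matched.
    """
    flagged = []
    for record in neighbors:
        try:
            known = normalize_mac(record["mac"]) in registered
        except ValueError:
            known = False
        if not known:
            flagged.append(record)
    return flagged


# Constructed sample data (not taken from the guide, apart from the address
# FE:DC:BA:09:87:65 that the guide uses to show the MAC format).
STATIONS_RAW = ["FE:DC:BA:09:87:65", "00-11-22-33-44-55", "00:11:22:33:44"]
REGISTERED_APS_RAW = ["02:00:00:00:0A:01", "02:00:00:00:0A:02"]
NEIGHBORS = [
    {"mac": "02:00:00:00:0a:01", "ssid": "corp", "channel": 1},
    {"mac": "02:00:00:00:0B:99", "ssid": "corp", "channel": 6},
    {"mac": "02:00:00:00:0A:02", "ssid": "corp", "channel": 11},
]

if __name__ == "__main__":
    stations, bad = load_list(STATIONS_RAW)
    print("rejected list entries:", bad)
    for mode in (ALLOW_ONLY_LISTED, ALLOW_UNLESS_LISTED):
        print(mode, "->", station_allowed("fe:dc:ba:09:87:65", mode, stations))
    aps, _ = load_list(REGISTERED_APS_RAW)
    for ap in unregistered_aps(NEIGHBORS, aps):
        print("unregistered AP:", ap["mac"], ap["ssid"], "channel", ap["channel"])
```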
Chapter 4
Managing User Accounts

The AT-WA7400 Management Software includes user management capabilities for controlling client access to access points. User management and authentication must always be used in conjunction with the following two security modes, which require use of a RADIUS server for user authentication and management.

IEEE 802.
Adding a User

To add a new user, perform the following procedure:

1. From the main menu, select Cluster > User Management. The User Management page is shown in Figure 21.

Figure 21. User Management Page

User accounts are shown at the top of the page under User Accounts. The user name, real name and status (enabled or disabled) are shown.

2. In the Add a User section, provide the following information:

User Name
User names are alphanumeric strings of up to 237 characters.
Password
Specify a password for this user. Passwords are alphanumeric strings of up to 256 characters. Do not use special characters or spaces. You must retype the password.

3. Click Add Account to add the account. The new user is then displayed in the User Accounts list. The user account is enabled by default when you first create it.

Note
A limit of 100 user accounts per access point is imposed by the web user interface.
Editing a User Account

After you create a user account, it is displayed in the User Accounts section at the top of the Cluster > User Management page. To edit an existing user account, perform the following procedure:

1. From the main menu, select Cluster > User Management. The User Management page is shown in Figure 21 on page 58.

2. In the User Accounts section, click the checkbox next to the user name so that the box is checked, as shown in Figure 22.

Figure 22.
2. In the User Accounts section, click the checkbox next to the user name you want to enable.

3. Click Enable. A user with an account that is enabled can log on to the wireless access points in your network as a client.

Disabling a User Account

To disable a user account, perform the following procedure:

1. From the main menu, select Cluster > User Management. The User Management page is shown in Figure 21 on page 58.

2.
Backing Up and Restoring a User Database

You can save a copy of the current set of user accounts to a backup configuration file. You can use the backup file at a later date to restore the user accounts on the access point to the previously saved configuration.

Backing Up the User Database

To create a backup copy of the user accounts for this access point, perform the following procedure:

1. From the main menu, select Cluster > User Management.
Restoring a User Database from a Backup File

To restore a user database from a backup file, perform the following procedure:

1. From the main menu, select Cluster > User Management. The User Management page is shown in Figure 21 on page 58.

2. In the User Accounts section, click the backup or restore the user database link. The Backup or restore the user database for this access point page is displayed, as shown in Figure 23 on page 62.

3.
Chapter 5
Session Monitoring

The AT-WA7400 Management Software provides real-time session monitoring information including which clients are associated with a particular access point, data rates, transmit/receive statistics, signal strength, and idle time. A session in this context is the period of time in which a user on a client device (station) with a unique MAC address maintains a connection with the wireless network.
Viewing Sessions Information

To view session monitoring information, perform the following procedure:

1. From the main menu, select Cluster > Sessions. The Sessions page is shown in Figure 24.

Figure 24. Sessions Page

The Sessions page displays the following information about client stations associated with access points in the cluster:

User Name
Indicates the client user name of IEEE 802.1x clients.
A station is considered to be idle when it is not receiving or transmitting data.

Data Rate
The speed at which this access point is transferring data to the specified client. The data transmission rate is measured in megabits per second (Mbps). This value should fall within the range of the advertised rate set for the IEEE 802.1x mode in use on the access point. For example, 6 to 54 Mbps for 802.
Sorting Session Information

To sort the information in the session list, perform the following procedure:

1. On the Sessions page, click the column label by which you want to sort the sessions. The display is refreshed to show the sessions in the order you chose.
Chapter 6
Channel Management

This chapter contains the following sections:

“Understanding Channel Management”
“Displaying the Channel Management Settings”
“Configuring the Channel Management Settings”
Understanding Channel Management

When channel management is enabled, the AT-WA7400 Management Software automatically assigns radio channels used by clustered access points to reduce mutual interference (or interference with other access points outside of its cluster). This maximizes WiFi bandwidth and helps maintain the efficiency of communication over your wireless network.
Example: A Network Before and After Channel Management

Without automated channel management, channel assignments to clustered access points might be made on consecutive channels, which would overlap and cause interference. For example, access point1 could be assigned to channel 6, access point2 to channel 6, and access point3 to channel 5 as shown in Figure 25.

[Figure: access points labelled with their 802.11b channels]
Displaying the Channel Management Settings

To view channel management information, perform the following procedure:

1. From the main menu, select Cluster > Channel Management. The Channel Management page is displayed, as shown in Figure 27.

Figure 27. Channel Management Page

The Channel Management page shows previous, current, and planned channel assignments for clustered access points. By default, automatic channel assignment is disabled.
Configuring the Channel Management Settings

This section contains the following procedures:

“Stopping or Starting Automatic Channel Assignment,” next
“Viewing Current Channel Assignments and Setting Locks”
“Updating the Current Channel Settings Manually”
“Viewing the Last Proposed Set of Changes”
“Configuring Advanced Settings (Customizing and Scheduling Channel
Band
Indicates the band (b/g or a) on which the access point is broadcasting.

Current
Indicates the radio channel on which this access point is currently broadcasting.

Locked
Click Locked if you want this access point to remain on the current channel. When the Locked checkbox is checked (enabled) for an access point, automated channel management plans will not re-assign the access point to a different channel as a part of the optimization strategy.
Configuring Advanced Settings (Customizing and Scheduling Channel Plans)

If you use channel management as provided (without updating the Advanced settings), channels are automatically fine-tuned once every hour if interference can be reduced by 25 percent or more. Channels are reassigned even if the network is busy. The appropriate channel sets are used (b/g for access points using IEEE 802.11b/g and a for access points using IEEE 802.11a).
Change channels if interference is reduced by at least
Specify the minimum percentage of interference reduction a proposed plan must achieve in order to be applied. The default is 25 percent. Choose percentages ranging from 25 percent to 75 percent from the list. This setting lets you set a gating factor for channel reassignment so that the network is not continually disrupted for minimal gains in efficiency.
4. Click Update to apply these settings.

Advanced settings take effect when they are applied, and influence how automatic channel management is performed. (The new interference reduction minimum, scheduled tuning interval, channel set, and network busy settings are taken into account for automated and manual updates.
Chapter 7
Wireless Neighborhoods

The wireless neighborhood view shows those access points within range of any access point in the cluster. This page provides a detailed view of neighboring access points including identifying information (SSIDs and MAC addresses) for each, cluster status (which are members and nonmembers), and statistical information such as the channel each access point is broadcasting on, signal strength, and so forth.
Understanding Wireless Neighborhood Information

The wireless neighborhood shows all access points within range of every member of the cluster, shows which access points are within range of which cluster members, and distinguishes between cluster members and nonmembers.
Displaying the Wireless Neighborhood Information

To view the Wireless Neighborhood page, perform the following procedure:

1. From the main menu, select Cluster > Wireless Neighborhood. The Wireless Neighborhood page is shown in Figure 28.

Figure 28.
Both - Shows all neighbor access points (cluster members and nonmembers)

Cluster
The Cluster list at the top of the table shows IP addresses for all access points in the cluster. (This is the same list of cluster members shown in the Cluster > Access Points page described in “Understanding and Changing Access Point Settings” on page 48.
Neighbor seen by the access point whose IP address is listed above that column.
Viewing Details of a Cluster Member

To view details on a cluster member access point, perform the following procedure:

1. From the main menu, select Cluster > Wireless Neighborhood.

The Wireless Neighborhood page is displayed, as shown in Figure 28 on page 81.

2. Click the IP address of a cluster member at the top of the page.

The Neighbor Details section is displayed at the bottom of the page, as shown in Figure 29.

Figure 29.
Channel
Shows the channel on which the access point is currently broadcasting. The channel defines the portion of the radio spectrum that the radio uses for transmitting and receiving. The channel is set on the Advanced > Radio Settings page. (See Chapter 13, “Configuring Radio Settings” on page 145.)

Rate
Shows the rate (in megabits per second) at which this access point is currently transmitting.
Chapter 8 Configuring Ethernet (Wired) Settings

Ethernet (wired) settings describe the configuration of your Ethernet local area network (LAN).

Note
The Ethernet settings, including guest access, are not shared across the cluster. You must configure these settings on the web pages for each access point. To get to the web pages for an access point that is a member of the current cluster, click on its IP Address link on the Cluster > Access Points page of the current access point.
Setting the DNS Name

To set the DNS name, perform the following procedure:

1. From the main menu, select Advanced > Ethernet (Wired) Settings.

The Ethernet (Wired) Settings page is shown in Figure 30.

Figure 30.
2. In the Ethernet (Wired) Settings page, enter the DNS name.

The DNS name is the host name. It may be provided by your ISP or network administrator, or you can provide your own. The rules for DNS names are:
The name can be up to 20 characters long.
Only letters, numbers and dashes are allowed.
The name must start with a letter and end with either a letter or a number.
Enabling or Disabling Guest Access

You can provide controlled guest access over a secure internal LAN on the AT-WA7400 Wireless Access Point.

Configuring an Internal LAN and a Guest Network

A local area network (LAN) is a communications network covering a limited area, for example, one floor of a building. A LAN connects multiple computers and other network devices like storage and printers. Ethernet is the most common technology implementing a LAN.
2. For the Virtual Wireless Networks setting, select one of the following:

Select Enabled to enable VLANs for the internal network and for additional networks. If you choose this option, you can run the internal network on a VLAN whether or not you have guest access configured and you can set up additional networks on VLANs using the Advanced > Virtual Wireless Networks page as described in Chapter 12, “VLANs” on page 139.
Enabling or Disabling Spanning Tree

The AT-WA7400 Management Software allows you to enable or disable spanning tree through both the wired and wireless interfaces. To enable or disable spanning tree, perform the following procedure:

1. From the main menu, select Advanced > Ethernet (Wired) Settings.

The Ethernet (Wired) Settings page is shown in Figure 30 on page 88.

2.
Configuring the Internal Interface Ethernet Settings

To configure Ethernet (wired) settings for the internal LAN, perform the following procedure:

1. From the main menu, select Advanced > Ethernet (Wired) Settings.

The Ethernet (Wired) Settings page is shown in Figure 30 on page 88.

2.
wireless client associated with the AP, even if its IP address is defined in the Management IP Address field.

Connection Type
Select one of the following:
DHCP - The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows a centralized server to provide network configuration information to devices on the network. This information includes the IP address and netmask plus the address of its DNS servers and gateway.
www.alliedtelesyn.com) to its numeric IP address (for example, 66.93.138.219). A DNS server is called a Nameserver. There are usually two Nameservers: a Primary Nameserver and a Secondary Nameserver.

3. Choose Dynamic or Manual mode.

If you choose Manual, you should assign static IP addresses manually. If you choose Dynamic, the IP addresses for the DNS servers are assigned automatically through DHCP.
Configuring the Guest Interface Settings

The guest interface settings allow a wireless client limited access to the network, for instance, to the Internet. To configure the guest interface settings, perform the following procedure:

1. From the main menu, select Advanced > Ethernet (Wired) Settings.

The Ethernet (Wired) Settings page is shown in Figure 30 on page 88.

2.
Chapter 9 Configuring the Wireless Settings

Wireless settings describe aspects of the local area network (LAN) related specifically to the radio device in the access point (802.11 mode and channel) and to the network interface to the access point (MAC address for access point and wireless network name, also known as SSID). The following sections describe how to configure the wireless address and related settings on the AT-WA7400 Wireless Access Point:
“Configuring 802.
Configuring 802.11d Regulatory Domain Support

You can enable or disable IEEE 802.11d regulatory domain support to broadcast the access point country code information. To configure the IEEE 802.11d regulatory domain support, perform the following procedure:

1. From the main menu, select Advanced > Wireless Settings.

The Wireless Settings page is shown in Figure 31.

Figure 31. Wireless Settings Page

2.
3. Choose the regulatory domain from the Regulatory Domain (Country Code) list.

4.
Configuring the Radio Interface

The radio interface allows you to set the radio channel and 802.11 mode for each radio. To configure the radio interface, perform the following procedure:

1. From the main menu, select Advanced > Wireless Settings.

The Wireless Settings page is shown in Figure 31 on page 98.

2.
The channel defines the portion of the radio spectrum the radio uses for transmitting and receiving. Each mode offers a number of channels, dependent on how the spectrum is licensed by national and transnational authorities such as the Federal Communications Commission (FCC) or the International Telecommunication Union (ITU-R). The default is Auto, which picks the least busy channel at startup time.
Configuring Internal Wireless LAN Settings

The Internal Settings describe the MAC address (read-only) and Network Name (also known as the SSID) for the internal wireless LAN (WLAN). To configure the internal settings, perform the following procedure:

1. From the main menu, select Advanced > Wireless Settings.

The Wireless Settings page opens, as shown in Figure 31 on page 98.

2.
Configuring the Guest Network Wireless Settings

The guest settings describe the MAC address (read-only) and wireless network name (SSID) for the guest network. Configuring an access point with two different network names (SSIDs) allows you to leverage the guest interface feature on the AT-WA7400 Wireless Access Point. To configure the guest network wireless settings, perform the following procedure:

1. From the main menu, select Advanced > Wireless Settings.
Chapter 10 Configuring Security

The AT-WA7400 Management Software provides a number of authentication and encryption schemes to ensure that your wireless infrastructure is accessed only by the intended users.
Understanding Security Issues on Wireless Networks

Wireless mediums are inherently less secure than wired mediums. For example, an Ethernet NIC transmits its packets over a physical medium such as coaxial cable or twisted pair. A wireless NIC broadcasts radio signals allowing a wireless LAN to be easily tapped without physical access or sophisticated equipment.
Comparison of Security Modes for Key Management, Authentication and Encryption Algorithms

Three major factors that determine the effectiveness of a security protocol are:
How the protocol manages keys
Presence or absence of integrated user authentication in the protocol
Encryption algorithm or formula the protocol uses to encode/decode the data

Following are the security modes available in the AT-WA7400 Wireless Access Point along with a description o
Key for data encryption, as described in Table 1.

Table 1. Static WEP Configuration

Key Management
Static WEP uses a fixed key that is provided by the administrator. WEP keys are indexed in different slots (up to four on the AT-WA7400 Wireless Access Point). The client stations must have the same key indexed in the same slot to access data on the access point.
Table 2. IEEE 802.1x Configuration

Key Management
IEEE 802.1x provides dynamically-generated keys that are periodically refreshed. There are different Unicast keys for each station.

Encryption Algorithm
An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each 802.11 frame.

User Authentication
IEEE 802.
When to Use WPA/WPA2 Personal (PSK)

Wi-Fi Protected Access 2 (WPA2) Personal Pre-Shared Key (PSK) is an implementation of the Wi-Fi Alliance IEEE 802.11 standard, which includes Advanced Encryption Standard (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) mechanisms. This mode offers the same encryption algorithms as WPA2 with RADIUS but without the ability to integrate a RADIUS server for user authentication.
When to Use WPA/WPA2 Enterprise (RADIUS)

Wi-Fi Protected Access 2 (WPA2) with Remote Authentication Dial-In User Service (RADIUS) is an implementation of the Wi-Fi Alliance IEEE 802.11i standard, which includes Advanced Encryption Standard (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) mechanisms. This mode requires the use of a RADIUS server to authenticate users.
The best security you can have on a wireless network is WPA/WPA2 Enterprise (RADIUS) mode using the CCMP (AES) encryption algorithm. AES is a symmetric 128-bit block data encryption technique that works on multiple layers of the network. It is the most effective encryption system currently available for wireless networks. If all clients or other access points on the network are WPA/CCMP compatible, use this encryption algorithm.
For information on how to configure this security mode, see “WPA/WPA2 Enterprise (RADIUS)” on page 125.

Does Prohibiting the Broadcast SSID Enhance Security?

You can suppress (prohibit) this broadcast to discourage stations from automatically discovering your access point. When the access point’s broadcast SSID is suppressed, the network name is not displayed in the List of Available Networks on a client station.
Configuring Security Settings

The following section explains how to configure security modes on the access point. Keep in mind that each wireless client that wants to exchange data with the access point must be configured with the same security mode and with encryption key settings consistent with those on the access point. On a two-radio access point, these Security Settings apply to both radios.
2. Configure the following settings.

Note
You can also allow or prohibit the Broadcast SSID and enable/disable Station Isolation as extra precautions, as mentioned below.

Broadcast SSID
Select the Broadcast SSID setting by clicking Allow or Prohibit. By default, the access point broadcasts (allows) the Service Set Identifier (SSID) in its beacon frames.
Wireless Access Point is not encrypted. There are no further options for plain text mode. Plain text mode can be useful during initial network configuration or for problem solving, but it is not recommended for regular use on the internal network because it is not secure.
Client stations can use different keys to transmit data to the access point. (Or they can all use the same key, but this is less secure because it means one station can decrypt the data being sent by another.)

If you selected Static WEP Security Mode, the settings in Figure 33 are displayed at the bottom of the page.

Figure 33. Static WEP Security Mode Settings

1. Configure the following settings:

Transfer Key Index
Select a key index from the list.
If you selected ASCII, enter any combination of integers and letters 0-9, a-z, and A-Z. If you selected HEX, enter hexadecimal digits (any combination of 0-9 and a-f or A-F). Use the same number of characters for each key as specified in the Characters Required field. These are the RC4 WEP keys shared with the stations using the access point. Each client station must be configured to use one of these same WEP keys in the same slot as specified here on the access point.
Rules to Remember for Static WEP

All client stations must have the wireless LAN (WLAN) security set to WEP and all clients must have one of the WEP keys specified on the access point in order to decode access point-to-station data transmissions.
The access point must have all keys used by clients for station-to-access point transmit so that it can decode the station transmissions.
Figure 35 illustrates setting the WEP key 1 on a Windows client.

Figure 35. Providing a Wireless Client with a WEP Key

If you have a second client station, that station also needs to have one of the WEP keys defined on the access point. You could give it the same WEP key you gave to the first station. Or for a more secure solution, you could give the second station a different WEP key (key 2, for example) so that the two stations cannot decrypt each other’s transmissions.
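The slot rules for static WEP and the two-station arrangement of Figure 36 can be checked mechanically before keys are handed out. The following is an added example, not code from this guide or from Allied Telesyn: the `Endpoint` model, the function names, and the sample keys are hypothetical, and `characters_required` stands for whatever value the Characters Required field shows (13 here is only a sample).

```python
from dataclasses import dataclass, field
from itertools import permutations

MAX_SLOTS = 4  # the guide: WEP keys are indexed in up to four slots
ALLOWED = {
    "ASCII": set("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"),
    "HEX": set("0123456789abcdefABCDEF"),
}


@dataclass
class Endpoint:
    """Hypothetical model of one WEP endpoint: the access point or a station."""
    name: str
    transfer_key_index: int                    # slot this endpoint encrypts with
    keys: dict = field(default_factory=dict)   # slot number -> key string


def format_problems(ep, key_type, characters_required):
    """Check slot numbers, character set and length of every key on one endpoint."""
    problems = []
    for slot, key in sorted(ep.keys.items()):
        if not 1 <= slot <= MAX_SLOTS:
            problems.append(f"{ep.name}: slot {slot} is outside 1-{MAX_SLOTS}")
        if len(key) != characters_required:
            problems.append(f"{ep.name}: key {slot} has {len(key)} characters, "
                            f"{characters_required} required")
        if set(key) - ALLOWED[key_type]:
            problems.append(f"{ep.name}: key {slot} has characters not valid for {key_type}")
    if ep.transfer_key_index not in ep.keys:
        problems.append(f"{ep.name}: transfer key index {ep.transfer_key_index} "
                        "points at an empty slot")
    return problems


def can_decode(receiver, sender):
    """True when the receiver holds the sender's transfer key in the same slot."""
    slot = sender.transfer_key_index
    key = sender.keys.get(slot)
    return key is not None and receiver.keys.get(slot) == key


def check_wep_plan(ap, stations, key_type="ASCII", characters_required=13):
    """Return (errors, shared) for an access point and its client stations."""
    errors = format_problems(ap, key_type, characters_required)
    for sta in stations:
        errors += format_problems(sta, key_type, characters_required)
        if not can_decode(sta, ap):
            errors.append(f"{sta.name}: cannot decode access point-to-station data "
                          f"(needs AP key {ap.transfer_key_index} in the same slot)")
        if not can_decode(ap, sta):
            errors.append(f"{ap.name}: cannot decode {sta.name} "
                          f"(AP lacks that station's key {sta.transfer_key_index})")
    # (a, b) is listed when station a holds the key station b transmits with,
    # the "less secure" case in which one station can decrypt another's data.
    shared = [(a.name, b.name) for a, b in permutations(stations, 2) if can_decode(a, b)]
    return errors, shared


# Constructed sample keys (13 ASCII characters each); not real secrets.
K1, K2, K3 = "Alpha1Alpha1A", "Bravo2Bravo2B", "Delta3Delta3D"


def figure_36_plan():
    """The arrangement of Figure 36: AP sends with key 3, stations with keys 1 and 2."""
    ap = Endpoint("AP", 3, {1: K1, 2: K2, 3: K3})
    sta1 = Endpoint("Station 1", 1, {1: K1, 3: K3})
    sta2 = Endpoint("Station 2", 2, {2: K2, 3: K3})
    return ap, [sta1, sta2]


def misconfigured_plan():
    """Figure 36 plus a station that typed the AP's key 3 into slot 2."""
    ap, stations = figure_36_plan()
    stations.append(Endpoint("Station 3", 2, {2: K3}))
    return ap, stations


if __name__ == "__main__":
    for label, plan in (("Figure 36", figure_36_plan()),
                        ("misconfigured", misconfigured_plan())):
        errors, shared = check_wep_plan(*plan)
        print(label, "errors:", errors or "none", "shared keys:", shared or "none")
```

An empty `shared` list means no station holds the key another station transmits with; every station can still decode what the access point sends, because the access point uses one transfer key for all of them.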
[Figure 36 labels: Client Station 1 transmits in WEP key 1 and can decrypt WEP key 3; Client Station 2 transmits in WEP key 2 and can decrypt WEP key 3; the access point transmits to both stations with the same WEP key (e.g., WEP key 3).]

Figure 36. Example of Using Multiple WEP Keys and Transfer Key Index on Client Stations

IEEE 802.1x

IEEE 802.1x is the standard defining port-based authentication and infrastructure for doing key management.
Figure 37. IEEE 802.1x Security Mode Settings

1. Configure the following settings:

Authentication Server
Select one of the following from the list:
Built-in - To use the authentication server provided with the AT-WA7400 Wireless Access Point. If you choose this option, you do not need to provide the Radius IP and Radius Key; they are automatically provided.
External - To use an external authentication server.
For information on setting up user accounts, see Chapter 4, “Managing User Accounts” on page 57.

RADIUS Port
The default port number is 1812. You can change this if your application requires it.

RADIUS Key
The Radius Key is the shared secret key for the RADIUS server. The text you enter is displayed as “*” characters to prevent others from seeing the RADIUS key as you type. (The AT-WA7400 Management Software internal authentication server key is secret.
Figure 38. WPA/WPA2 Personal (PSK) Security Mode Settings

1. Configure the following settings:

WPA Versions
Select the types of client stations you want to support:
WPA - If all client stations on the network support the original WPA but none support the newer WPA2, then select WPA.
WPA2 - If all client stations on the network support WPA2, we suggest using WPA2 which provides the best security per the IEEE 802.11i standard.
mode (CBC-CTR) and Cipher Block Chaining Message Authentication Code (CBC-MAC) for encryption and message integrity.
Both - When the authentication algorithm is set to Both, both TKIP and AES clients can associate with the access point.

WPA clients must have one of the following to be able to associate with the access point:
A valid TKIP key
A valid CCMP (AES) key

Clients not configured to use a WPA-PSK cannot associate with the access point.
Figure 39. WPA/WPA2 Enterprise (RADIUS) Security Mode Settings

1. Configure the following settings:

WPA Versions
Select the types of client stations you want to support:
WPA - If all client stations on the network support the original WPA but none support the newer WPA2, then select WPA.
WPA2 - If all client stations on the network support WPA2, we suggest using WPA2 which provides the best security per the IEEE 802.11i standard.
Cipher Suites
Select the cipher you want to use:
Temporal Key Integrity Protocol (TKIP) - This is the default. TKIP provides a more secure encryption solution than WEP keys. The TKIP process more frequently changes the encryption key used and better ensures that the same key will not be re-used to encrypt data (a weakness of WEP). TKIP uses a 128-bit temporal key shared by clients and access points.
Note
The RADIUS server is identified by its IP address and UDP port numbers for the different services it provides. With firmware version 1.0 and greater, the RADIUS server User Datagram Protocol (UDP) ports used by the access point are configurable. (The AT-WA7400 Wireless Access Point defaults to use RADIUS server UDP port 1812 for authentication and port 1813 for accounting.)

RADIUS IP
The IP address of the RADIUS server.
Configuring the IAPP Mapping Table

The Inter-Access-Point Protocol (IAPP) enforces a unique association through an extended service set (ESS) for the secure exchange of the station’s security information between access points. To configure the IAPP map table, perform the following procedure:

1. From the main menu, select Advanced > IAPP Table.

The Configure IAPP map table page is shown in Figure 40.

Figure 40. IAPP Map Table

2.
4. To remove a station from the map table:
a. In the map table, select the station you want to remove.
b. Click Remove.
c. Click Update.
Configuring SNMP

Simple Network Management Protocol (SNMP) is another way for you to manage the access point. This type of management involves viewing and changing the management information base (MIB) objects on the device using an SNMP application program. To configure SNMP, perform the following procedure:

1. From the main menu, select Advanced > SNMP Configuration.

The SNMP Configuration page is shown in Figure 41.

Figure 41. SNMP Configuration Page

2.
Location
The physical location of the access point.

Contact
The contact person for the access point.

System Name
A unique name given to this access point.

Trap Enabled/Disabled
A trap is a signal sent to one or more management workstations by the access point to indicate the occurrence of a particular operating event on the access point. Choose Enabled or Disabled.

Trap Host
The IP address of the workstation where trap messages are sent.

3. Click Update.
Chapter 11 Setting Up Guest Access

The guest interface features allow you to configure the AT-WA7400 Wireless Access Point for controlled guest access to an isolated network. You can configure the same access point to broadcast and function as two different wireless networks: a secure internal LAN and a public guest network. Guest clients can access the guest network without a username or password. When guests log in, they see a guest Welcome screen (also known as a captive portal).
Understanding the Guest Interface

You can define unique parameters for guest connectivity and isolate guest clients from other more sensitive areas of the network. No security is provided on the guest network; only plain text security mode is allowed.
Configuring the Guest Interface

To configure the guest interface on the AT-WA7400 Wireless Access Point, perform these configuration steps:

1. Configure the access point to represent two virtually separate networks as described in “Configuring a Guest Network on a Virtual LAN” on page 135.

2. Set up the guest Welcome screen for the guest captive portal as described in “Configuring the Welcome Screen (Captive Portal)” on page 136.
5. Configure the guest splash screen as described in “Configuring the Welcome Screen (Captive Portal),” next.

Configuring the Welcome Screen (Captive Portal)

You can set up or modify the Welcome screen (captive portal) guest clients see when they open a web browser or try to browse the web. To set up the captive portal, perform the following procedure:

1. From the main menu, select Advanced > Guest Login.

The Guest Login configuration page is shown in Figure 42.
Using the Guest Network as a Client

After the guest network is configured, a client can access the guest network as follows:

A guest client enters an area of coverage and scans for wireless networks.
The guest network advertises itself via a guest AT-WA7400 Wireless Access Point SSID or some similar name, depending on how the guest SSID is specified in the web pages for the guest interface.
Chapter 12 VLANs

This chapter describes how to configure Virtual LANs (VLANs) for multiple wireless networks and management and includes the following sections:
“Configuring VLANs” on page 140
“Configuring the Management VLAN” on page 143
Configuring VLANs

Note
To configure additional networks on VLANs, you must first enable virtual wireless networks on the Ethernet (wired) interface. See “Enabling or Disabling Virtual Wireless Networks on the Access Point” on page 90.

Caution
If you configure VLANs, you may lose connectivity to the access point. First, be sure to verify that the switch and DHCP server you are using can support VLANs per the IEEE 802.1Q standard.
Virtual Wireless Network
Choose one of the following from the list to identify an additional network to configure:
One
Two

Status
To enable the specified network, click On. To disable the specified network, click Off.

Wireless Network Name (SSID)
Enter a name for the wireless network as a character string. This name applies to all access points on this network. As you add more access points, they will use this SSID.
Note
The Broadcast SSID you set here is specifically for this Virtual Network (One or Two). Other networks continue to use the security modes already configured:
Your original internal network (configured on the Advanced > Ethernet [Wired] page) uses the Broadcast SSID set on the Advanced > Security page.
If a Guest network is configured, the Broadcast SSID is always allowed.
Configuring the Management VLAN

When you configure a management VLAN, only those users who have the required IP address and subnet mask of the management AP can make any management changes. To configure the management VLAN, perform the following procedure:

1. From the main menu, select Advanced > VLAN Management.

The VLAN Management page is shown in Figure 44.

Figure 44. VLAN Management Page

To set up the management VLAN, you must first enable it.

2.
Chapter 13 Configuring Radio Settings

This chapter describes how to configure radio settings on the AT-WA7400 Wireless Access Point, and includes the following sections:
“Understanding Radio Settings” on page 146
“Configuring Radio Settings” on page 147

Note
If you are using the two-radio version of the AT-WA7400 Access Point, keep in mind that both radio one and radio two are configured on this page.
Understanding Radio Settings

Radio settings directly control the behavior of the radio device in the access point and its interaction with the physical medium; that is, how and what type of electromagnetic waves the access point emits. You can specify whether the radio is on or off, radio frequency (RF), broadcast channel, beacon interval (amount of time between access point beacon transmissions), transmit power, IEEE 802.11 mode in which the radio operates, and so on.
Configuring Radio Settings

To configure the radio settings, perform the following procedure:

1. From the main menu, select Advanced > Radio.

The Radio page for radio one is shown in Figure 45.

Figure 45. Radio One Page

2. Configure the following settings as necessary:

Radio
Choose radio one or radio two. Be sure to configure settings for both radios.

Status (On/Off)
Specify whether you want the radio on or off by clicking On or Off.
Mode
The Mode defines the Physical Layer (PHY) standard being used by the radio.

Note
With a two-radio access point, different modes may be available depending on whether radio one or radio two is selected in the Radio field above.

Atheros Turbo 5 GHz is IEEE 802.11a Turbo mode. Atheros Turbo 2.4 GHz is IEEE 802.11g Turbo mode.

Super AG
Enabling Super AG provides better performance by increasing radio throughput for a radio mode (IEEE 802.11b, g, a, and so on).
Table 5. Worldwide Frequencies for 802.11g and 802.11b Radios
Channel FCC ETSI France Japan 9 2452 2452 10 2457 2457 2457 2457 11 2462 2462 2462 (default) 2462 12 2467 2467 2467 13 2472 2472 2472 14 Israel 2452 2484

The 802.11g and 802.11b channels that are allowed in a given country may change without notice. Be sure you use only those frequencies that are permissible in the given country.
you set this to 2, clients check on every other beacon. If you set this to 10, clients check on every 10th beacon.

Fragmentation Threshold
Specify a number between 256 and 2,346 to set the frame size threshold in bytes. The fragmentation threshold is a way of limiting the size of packets (frames) transmitted over the network. If a packet exceeds the fragmentation threshold set here, the fragmentation function is activated and the packet is sent as multiple 802.
Transmit Power
Provide a percentage value to set the transmit power for this access point. The default is to have the access point transmit using 100 percent of its power. In most situations, Allied Telesyn recommends keeping the default and having the transmit power set to 100 percent. This is more cost-efficient because it gives the access point a maximum broadcast range and reduces the number of access points needed.
Configuring the Rate Sets

Rate sets specify the transmission rate sets you want the access point to support and the basic rate sets you want the access point to advertise. Rates are expressed in megabits per second. Supported Rate Sets indicate rates that the access point supports. You can check multiple rates (click a checkbox to select or de-select a rate).
To configure the rate sets, perform the following procedure:

1. From the main menu, select Advanced > Radio.

The Radio page for radio one is shown in Figure 45 on page 147. Figure 46 on page 152 shows the rate sets for radio one, and Figure 47 on page 152 shows the rate sets for radio two.

2. Make your radio rate set choices.

3. Click Update to save your settings.
Chapter 14 Load Balancing

The AT-WA7400 Management Software allows you to balance the distribution of wireless client connections across multiple access points. Using load balancing, you can prevent scenarios where a single access point in your network shows performance degradation because it is handling a disproportionate share of the wireless traffic.
Understanding Load Balancing

Like most configuration settings on the AT-WA7400 Wireless Access Point, load balancing settings are shared among clustered access points.

Note
In some cases you might want to set limits for only one access point that is consistently over-utilized. You can apply unique settings to a particular access point if it is operating in standalone mode.
Configuring Load Balancing

To configure load balancing, you enable load balancing and set limits and behavior to be triggered by a specified utilization rate of the access point.

Note
To view the current Utilization Rates for access points, click Cluster > Sessions on the web pages. (See Chapter 5, “Session Monitoring” on page 65.
The Load Balancing page is shown in Figure 48.

Figure 48. Load Balancing Page

2. Configure the following settings as required:

Load Balancing
To enable load balancing on this access point, click Enable. To disable load balancing on this access point, click Disable.

Utilization for No New Associations
Utilization rate limits relate to wireless bandwidth utilization.
for disassociation. If the number of client stations associated with the access point at any one time is equal to or less than the number you specify here, no stations will be disassociated regardless of the “Utilization for Disassociation” value. Theoretically, the maximum number of client stations allowed is 2007. Allied Telesyn recommends setting the maximum to between 30 and 50 client stations.
Chapter 15 Configuring Quality of Service (QoS)

Quality of Service (QoS) provides you with the ability to specify parameters on multiple queues for increased throughput and better performance of differentiated wireless traffic like Voice-over-IP (VoIP), other types of audio, video, and streaming media as well as traditional IP data over the AT-WA7400 Wireless Access Point.
Understanding QoS

A primary factor that affects QoS is network congestion due to an increased number of clients attempting to access the air waves and higher traffic volume competing for bandwidth during a busy time of day. The most noticeable degradation in service on a busy, overloaded network will be evident in time-sensitive applications such as video, Voice-over-IP (VoIP), and streaming media.
critical applications, and rely on best-effort parameters for traditional IP data. For example, time-sensitive voice, video, and multimedia are given effectively higher priority for transmission (lower wait times for channel access), while other applications and traditional IP data which are less time-sensitive but often more data-intensive are expected to tolerate longer wait times.
Chapter 15: Configuring Quality of Service (QoS) Data 2 (Best Effort). Medium priority queue, medium throughput and delay. Most traditional IP data is sent to this queue. Data 3 (Background). Lowest priority queue, high throughput. Bulk data that requires maximum throughput and is not time-sensitive is sent to this queue (FTP data, for example). Packets in a higher priority queue will be transmitted before packets in a lower priority queue.
AT-WA7400 Management Software User’s Guide Note A frame is similar in concept to a packet. The difference is that a packet operates on the network layer (layer 3 in the OSI model) whereas a frame operates on the data-link layer (layer 2 in the OSI model). Each frame includes a source and destination MAC address, a control field with protocol version, frame type, frame sequence number, frame body (with the actual information to be transmitted) and frame check sequence for error detection. The 802.
Chapter 15: Configuring Quality of Service (QoS) would occur if multiple access points got access to the medium at the same time and tried to transmit data simultaneously. The more active users you have on a network, the more significant the performance gains of the backoff timer will be in reducing the number of collisions and retransmissions.
AT-WA7400 Management Software User’s Guide Configuring QoS Queues Configuring Quality of Service (QoS) on the AT-WA7400 Wireless Access Point consists of setting parameters on existing queues for different types of wireless traffic, and effectively specifying minimum and maximum wait times (via Contention Windows) for transmission. The settings described here apply to data transmission behavior on the access point only, not to that of the client stations.
The Quality of Service page is shown in Figure 49.
Figure 49. Quality of Service Page
The Quality of Service page has three sections:
AP EDCA parameters
Wi-Fi Multimedia (WMM)
Station EDCA Parameters
The following procedures describe how to configure the parameters in these sections.
Configuring AP EDCA Parameters
AP Enhanced Distributed Channel Access (EDCA) Parameters affect traffic flowing from the access point to the client station.
AT-WA7400 Management Software User’s Guide Data 2 (best effort) - Medium priority queue, medium throughput and delay. Most traditional IP data is sent to this queue. Data 3 (Background) - Lowest priority queue, high throughput. Bulk data that requires maximum throughput and is not time-sensitive is sent to this queue (FTP data, for example). For more information, see “QoS Queues and Parameters to Coordinate Traffic Flow” on page 162.
Chapter 15: Configuring Quality of Service (QoS) When the Maximum Contention Window size is reached, retries will continue until a maximum number of retries allowed is reached. Valid values for the cwmax are 1, 3, 7, 15, 31, 63, 127, 255, 511, or 1024. The value for cwmax must be higher than the value for cwmin. For more information, see “Random Backoff and Minimum / Maximum Contention Windows” on page 165. Max. Burst Length AP EDCA Parameter Only (The Max.
AT-WA7400 Management Software User’s Guide Configuring Station EDCA Parameters Station Enhanced Distributed Channel Access (EDCA) parameters affect traffic flowing from the client station to the access point. To configure the EDCA parameters, perform the following procedure: 1.
Chapter 15: Configuring Quality of Service (QoS) backoff value reaches the number defined in the Maximum Contention Window. For more information, see “Random Backoff and Minimum / Maximum Contention Windows” on page 165. cwMax (Maximum Contention Window) The value specified here in the Maximum Contention Window is the upper limit (in milliseconds) for the doubling of the random backoff value. This doubling continues until either the data frame is sent or the Maximum Contention Window size is reached.
Chapter 16 Configuring the Wireless Distribution System (WDS) The AT-WA7400 Management Software lets you connect multiple access points using a wireless distribution system (WDS). WDS allows access points to communicate with one another wirelessly in a standardized way. This capability is critical in providing a seamless experience for roaming clients and for managing multiple wireless networks. It can also simplify the network infrastructure by reducing the amount of cabling required.
Chapter 16: Configuring the Wireless Distribution System (WDS) Understanding the Wireless Distribution System A wireless distribution system (WDS) is an 802.11f technology that wirelessly connects access points, known as Basic Service Sets (BSS), to form what is known as an Extended Service Set (ESS).
Ethernet cabling. You can solve this problem by placing a second access point closer to the second group of stations (Poolside in the example) and bridging the two access points with a WDS link. This extends your network wirelessly by providing an extra hop to get to distant stations, as shown in Figure 51.
[Figure 51 labels: Client Station (four), WDS Bridge, "East Wing" AP, "Poolside" AP, Wired (Ethernet) LAN Connection]
Figure 51.
Chapter 16: Configuring the Wireless Distribution System (WDS) You can enable Static WEP on the WDS link (bridge). When WEP is enabled, all data exchanged between the two access points in a WDS link is encrypted using a fixed WEP key that you provide. Static WEP is the only security mode available for the WDS link, and it does not provide effective data protection to the level of other security modes available for service to client stations.
AT-WA7400 Management Software User’s Guide If you can trace more than one path between any pair of access points going through any combination of Ethernet or WDS links, you have a loop. You can only extend or bridge either the internal or guest network but not both.
Chapter 16: Configuring the Wireless Distribution System (WDS) Configuring WDS Settings You must configure the WDS settings for each access point intended to receive hands-off and send information from the sending access point. To configure WDS on an AT-WA7400 Access Point, perform the following procedure: 1. From the main menu, select Advanced > Wireless Distribution System. The Wireless Distribution System page is shown in Figure 52 on page 179.
AT-WA7400 Management Software User’s Guide Figure 52. Wireless Distribution System Page 2.
Radio
For each WDS link, select Radio One or Radio Two. The rest of the settings for the link apply to the radio selected in this field. The read-only “Local Address” changes depending on which radio you select here.
Local Address
Indicates the media access control (MAC) addresses for this access point. A MAC address is a permanent, unique hardware address for any device that represents an interface to the network.
AT-WA7400 Management Software User’s Guide 64-bit (40-bit secret key + 24-bit initialization vector (IV)) or 128-bit (104-bit secret key + 24-bit IV) Shared Key for data encryption. Specify whether you want Wired Equivalent Privacy (WEP) encryption enabled for the WDS link.
The MAC address for MyAP1 (the access point you are currently viewing) is displayed as the Local Address at the top of the page.
3. Configure a WDS interface for data exchange with MyAP2. Start by entering the MAC address for MyAP2 as the Remote Address and fill in the rest of the fields to specify the network (guest or internal), security, and so on. Save the settings (click Update).
4.
Chapter 17 Maintenance and Monitoring The maintenance and monitoring tasks described here all pertain to viewing and modifying settings on specific access points; not on a cluster configuration that is automatically shared by multiple access points. Therefore, it is important to ensure that you are accessing the management software web pages for the particular access point you want to configure. For information on this, see Chapter 3, “Managing Access Points and Clusters” on page 43.
Chapter 17: Maintenance and Monitoring Monitoring Wired and Wireless LAN Settings To monitor wired LAN and wireless LAN (WLAN) settings, perform the following procedure: 1. From the main menu, select Status > Interfaces. The Interfaces page is shown in Figure 53. Note On a two-radio access point, current wireless settings for both radio one and radio two are shown. On a one-radio access point, settings are shown for one radio. The Interfaces page for a two-radio access point is shown in Figure 53.
AT-WA7400 Management Software User’s Guide The guest Interface includes the MAC address, VLAN ID, and Associated Network Wireless Name (SSID). 2. To change these settings, click Configure, and the Advanced > Ethernet (Wired) Settings page is displayed. The wireless settings for the Radio Interface settings include the radio mode and channel. Also shown here are MAC addresses (read-only) for internal and guest interfaces.
Chapter 17: Maintenance and Monitoring Viewing the Event Logs To view system events and the kernel log for a particular access point, perform the following procedure: 1. From the main menu, select Status > Events. The Events page is shown in Figure 54. Figure 54. Events Page This page lists the most recent events generated by this access point (see “Events Log” on page 188). This page also gives you the option of enabling a remote log relay host to capture all system events and errors in a Kernel Log.
AT-WA7400 Management Software User’s Guide For information on setting the network time protocol, see Chapter 18, “Enabling the Network Time Protocol (NTP) Server” on page 202. Log Relay Host for Kernel Messages The kernel log is a comprehensive list of system events (shown in the system log) and kernel messages such as error conditions like dropping frames. You cannot view kernel Log messages directly from the web pages for an access point.
Chapter 17: Maintenance and Monitoring Consult the man pages to get more information on syslog.conf command options. (Type man syslog.conf at the command line.) 4. Restart the syslog server by typing the following at the command line prompt: /etc/init.d/sysklogd restart Note The syslog process will default to use port 514. Allied Telesyn recommends keeping this default port.
AT-WA7400 Management Software User’s Guide events log is always shown on the Status > Events page for the access point you are monitoring.
Viewing the Transmit/Receive Statistics
To view transmit/receive statistics for a particular access point, perform the following procedure:
1. From the main menu of the access point you want to monitor, select Status > Transmit/Receive Statistics.
Note
The following figure shows the Transmit/Receive page for a two-radio access point. The page for the one-radio access point will look slightly different.
The Transmit/Receive Statistics page is shown in Figure 55.
AT-WA7400 Management Software User’s Guide MAC Address Media access control (MAC) address for the specified interface. A MAC address is a permanent, unique hardware address for any device that represents an interface to the network. The MAC address is assigned by the manufacturer. The AT-WA7400 Wireless Access Point has a unique MAC address for each interface. A two-radio access point has a different MAC address for each interface on each of its two radios. VLAN ID Virtual LAN (VLAN) ID.
Chapter 17: Maintenance and Monitoring Viewing the Associated Wireless Clients To view the client stations associated with a particular access point, perform the following procedure: 1. From the main menu, select Status > Client Associations. The Client Associations page is shown in Figure 56. Figure 56. Client Associations Page The associated stations are displayed along with information about packet traffic transmitted and received for each station.
AT-WA7400 Management Software User’s Guide Viewing the Status of Neighboring Access Points The status page for neighboring access points provides real-time statistics for all access points within range of the access point on which you are viewing the web pages. To view information about other access points on the wireless network, perform the following procedure: 1. From the main menu, select Status > Neighboring Access Points. The Neighboring Access Points page is shown in Figure 57. Figure 57.
Chapter 17: Maintenance and Monitoring wlan0 (radio one) wlan1 (radio two) One-Radio Access Points - This field is not included on the Neighboring Access Points pages of one-radio access points. Beacon Interval Shows the beacon interval being used by this access point. Beacon frames are transmitted by an access point at regular intervals to announce the existence of the wireless network. The default behavior is to send a beacon frame once every 100 milliseconds (or 10 per second).
For more information on security settings, see Appendix B, “Configuring Security on Wireless Clients” on page 217.
WPA
Indicates whether WPA security is “on” or “off” for this access point.
Band
This indicates the IEEE 802.11 mode being used on this access point. (For example, IEEE 802.11a, IEEE 802.11b, IEEE 802.11g.) The number shown indicates the mode according to the following list: 2.4 indicates IEEE 802.11b mode or IEEE 802.
Chapter 17: Maintenance and Monitoring access point will always be the rates currently specified for that access point in its Radio Settings.
AT-WA7400 Management Software User’s Guide Viewing System Information You can view information about a particular access point, such as its hardware version and current firmware version, by viewing the System Information page. To view system information, perform the following procedure: 1. From the main menu, select Status > Information. The System Information page is shown in Figure 58. Figure 58.
Chapter 17: Maintenance and Monitoring System Up Time The length of time that the access point has been running since it was installed or last booted. This is shown in days, hours, minutes, and seconds. Telnet Timeout Displays the length of time that a Telnet session is available before it times out. You cannot change this parameter. HTTP Timeout The length of time that an HTTP session is available before it times out from inactivity.
AT-WA7400 Management Software User’s Guide Setting the Administrator Password The administrator password controls access to the AT-WA7400 Management Software web pages for the AT-WA7400 Wireless Access Point. This setting is also available on the Basic Settings administration page. When you set the administration password in either place and apply the change, the new password is updated and shared by all access points in the cluster. To set the administrator password, perform the following procedure: 1.
Chapter 17: Maintenance and Monitoring The Basic Settings page is shown in Figure 59. Figure 59. Basic Settings Page 2. In the Provide Network Settings section, enter the current administrator password. (The default is “manager.”) The text you enter is displayed as “*” characters to prevent others from seeing your password as you type.
AT-WA7400 Management Software User’s Guide 3. In the New Password field, enter the new password. (The default is “friend.”) The Administrator password must be an alphanumeric string of up to 8 characters. Do not use special characters or spaces. 4. Re-enter the new administrator password to confirm that you typed it as intended. 5. Click Update to save the changes.
Chapter 17: Maintenance and Monitoring Enabling the Network Time Protocol (NTP) Server The Network Time Protocol (NTP) is an Internet standard protocol that synchronizes computer clock times on your network. NTP servers transmit Coordinated Universal Time (UTC, also known as Greenwich Mean Time) to their client systems. NTP sends periodic time requests to servers, using the returned time stamp to adjust its clock. The timestamp is used to indicate the date and time of each event in log messages.
Enabled
Daylight saving time is automatically adjusted.
Disabled
No adjustment is made for daylight saving time.
Note
If the time zone you select in the next setting is not one that participates in daylight saving time, then this selection is unavailable.
4. For the NTP Server setting, specify the NTP server by host name or IP address.
5. For the Time Zone, select your time zone from the list.
6.
Setting the HTTP Timeout
You can set the length of time that an HTTP session is available before it times out from inactivity. The default is 5 minutes. To set the HTTP timeout, perform the following procedure:
1. From the main menu, select Advanced > HTTP timeout. The HTTP timeout page is shown in Figure 61.
Figure 61. HTTP Timeout
2. Change the timeout time and click Update.
AT-WA7400 Management Software User’s Guide Rebooting the Access Point For maintenance purposes or as a troubleshooting measure, you can reboot the AT-WA7400 Wireless Access Point. To reboot the access point, perform the following procedure: 1. From the main menu, select Advanced > Reboot. The Reboot page is shown in Figure 62. Figure 62. Reboot Page 2. Click Reboot. The access point reboots. Note Another option is to press and release the Reset button on the back of the AT-WA7400 Wireless Access Point.
Resetting the Configuration to Factory Defaults
If the AT-WA7400 Wireless Access Point is not functioning correctly and if you have tried all other troubleshooting measures, use the Reset Configuration function. This feature restores the factory defaults and clears all settings, including settings such as a new password or wireless settings. To reset the configuration to factory defaults, perform the following procedure:
1. From the main menu, select Advanced > Reset Configuration.
Upgrading the Firmware
As new versions of the AT-WA7400 Wireless Access Point firmware become available, you can upgrade the firmware on your devices to take advantage of new features and enhancements.
Caution
Do not upgrade the firmware from a wireless client that is associated with the access point you are upgrading. Doing so causes the upgrade to fail. Furthermore, all wireless clients are disassociated and no new associations are allowed.
Chapter 17: Maintenance and Monitoring The Upgrade Firmware page is shown in Figure 64. Figure 64. Upgrade Firmware Page Information about the current firmware version is displayed and an option to upgrade to a new firmware image is provided. 2. If you know the path to the New Firmware Image file, enter it in the text box. Otherwise, click Browse and locate the firmware image file. 3. Click Update to apply the new firmware image. A confirmation window is displayed that describes the upgrade process. 4.
AT-WA7400 Management Software User’s Guide SNMP Firmware Upgrade To upgrade the firmware using SNMP, perform the following procedure: 1. From the main menu, select Advanced > SNMP Firmware Upgrade. The Configure SNMP Firmware Upgrade page is shown in Figure 65. Figure 65. Configure SNMP Firmware Upgrade Page 2. For the SNMP Firmware option, click Enabled. 3. In the TFTP Server IP Address field, enter the IP address of the server where the software is located. 4.
Chapter 18 Backing Up and Restoring a Configuration You can save a copy of the current settings on the AT-WA7400 Wireless Access Point to a backup configuration file. You can use the backup file at a later date to restore the access point to the previously saved configuration.
Chapter 18: Backing Up and Restoring a Configuration Backing up the Configuration Settings for an Access Point To save a copy of the current settings on an access point to a backup configuration file (.cbk format), perform the following procedure: 1. From the main menu, select Advanced > Backup/Restore. The Backup/Restore page is shown in Figure 66. Figure 66. Backup/Restore Page 2. In the top section of the page, click download configuration. A File Download or Open dialog box is displayed 3.
AT-WA7400 Management Software User’s Guide Restoring Access Point Settings to a Previous Configuration To restore the configuration on an access point to previously saved settings, perform the following procedure: 1. From the main menu, select Advanced > Backup/Restore. The Backup/Restore page opens, as shown in Figure 66 on page 212. 2. Select the backup configuration file you want to use, either by typing the full path and file name in the Restore field or clicking Browse and selecting the file.
Appendix A Management Software Default Settings
Table 1 lists the management software default settings.
Table 1. Management Software Default Settings
Setting | Default
System Name | WA7400
User Name | manager
Password | friend
Network Name (SSID) | Allied
Network Time Protocol (NTP) | None
IP Address | 192.168.1.230
Connection Type | DHCP
Subnet Mask | None
Radio | On
IEEE 802.11 Mode | 802.11g
802.
Table 1. Management Software Default Settings (Continued)
Setting | Default
Rate Sets Supported (Mbps) |
  IEEE 802.11a: 54, 48, 36, 24, 18, 12, 9, 6 (Upgrade required)
  IEEE 802.11g: 54, 48, 36, 24, 18, 12, 11, 9, 5.5, 2, 1
  IEEE 802.11b: 11, 5.5, 2, 1
  Atheros Turbo 5 GHz: 108, 96, 72, 48, 36, 24, 18, 12 (Upgrade required)
Rate Sets (Mbps) (Basic/Advertised) |
  IEEE 802.11a: 24, 12, 6 (Upgrade required)
  IEEE 802.11g: 11, 5.5, 2, 1
  IEEE 802.
Appendix B Configuring Security on Wireless Clients Users will typically configure security on their wireless clients for access to many different networks (access points). The list of Available Networks changes depending on the location of the client and which access points are online and detectable in that location. The exception to this setup is if the access point is set to prohibit the broadcast of its network name.
Appendix B: Configuring Security on Wireless Clients security modes on wireless clients of a network served by the AT-WA7400 Wireless Access Point.
AT-WA7400 Management Software User’s Guide Network Infrastructure and Choosing Between the Built-in or External Authentication Server Network security configurations including Public Key Infrastructures (PKI), Remote Authentication Dial-in User Server (RADIUS) servers, and Certificate Authority (CA) can vary a great deal from one organization to the next in terms of how they provide Authentication, Authorization, and Accounting (AAA).
Appendix B: Configuring Security on Wireless Clients Make Sure the Wireless Client Software is Up to Date Before starting out, please keep in mind that service packs, patches, and new releases of drivers and other supporting technologies for wireless clients are being generated at a fast pace. A common problem encountered in client security setup is not having the right driver or updates to it on the client.
AT-WA7400 Management Software User’s Guide Accessing the Microsoft Windows Wireless Client Security Settings To access the Microsoft Windows wireless client settings, perform the following procedure: 1. Use one of the following two ways to access the security properties for a wireless client: a. From the wireless connection icon on the Windows task bar: – Right-click on the wireless connection icon in your Windows task bar and select View available wireless networks.
List of available networks changes depending on client location. Each network (or access point) that is detected by the client shows up in this list. (“Refresh” updates the list with current information.) For each network you want to connect to, configure security settings on the client to match the security mode being used by that network.
AT-WA7400 Management Software User’s Guide The Wireless Network Connection Properties dialog box (Figure 2) opens with the Association and Authentication tabs for the selected network. Figure 2. Wireless Network Properties Dialog Box Use this dialog box to configure the types of client security described in the following sections.
a. For Network Authentication, choose Open.
b. For Data encryption, choose Disabled.
[Figure 3 callouts: Set Network Authentication to Open. Set Data Encryption to Disabled.]
Figure 3. Wireless Network Properties Dialog Box
Configuring Static WEP Security on a Client
Static Wired Equivalent Privacy (WEP) encrypts data moving across a wireless network based on a static (non-changing) key. The encryption algorithm is a stream cipher called RC4.
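The static WEP construction described here, which is also the 64-bit or 128-bit shared key (secret key plus 24-bit IV) offered for a WDS link, can be written out to show why a fixed key with a short IV repeats its RC4 keystream. This is an added example, not code from the guide or from Allied Telesyn; the key, IVs and payloads are constructed sample values, and the birthday estimate assumes IVs are picked uniformly at random.

```python
"""Static WEP frame sealing: RC4 keyed with (24-bit IV || fixed secret key)."""
import math
import struct
import zlib

IV_BITS = 24             # 64-bit WEP = 40-bit key + 24-bit IV; 128-bit = 104 + 24
KEY_LENGTHS = (5, 13)    # secret key length in bytes (40-bit or 104-bit)


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling, then `length` bytes of output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Return IV || key-ID byte || RC4(plaintext || CRC-32 integrity value)."""
    if len(key) not in KEY_LENGTHS:
        raise ValueError("WEP secret key must be 5 or 13 bytes")
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be 3 bytes")
    icv = struct.pack("<I", zlib.crc32(plaintext))
    keystream = rc4_keystream(iv + key, len(plaintext) + len(icv))
    return iv + bytes([key_id << 6]) + xor_bytes(plaintext + icv, keystream)


def wep_decapsulate(key: bytes, frame_body: bytes) -> bytes:
    """Decrypt a frame body and verify its CRC-32 integrity value."""
    iv, sealed = frame_body[:3], frame_body[4:]
    if len(sealed) < 4:
        raise ValueError("frame body too short")
    clear = xor_bytes(sealed, rc4_keystream(iv + key, len(sealed)))
    plaintext, icv = clear[:-4], clear[-4:]
    if struct.pack("<I", zlib.crc32(plaintext)) != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def same_keystream(frame_a: bytes, frame_b: bytes) -> bool:
    """With one static key, equal IV and key ID mean an identical keystream."""
    return frame_a[:4] == frame_b[:4]


def frames_until_iv_repeat(probability: float = 0.5) -> int:
    """Birthday estimate of frames sent before some IV repeats.

    Assumption: IVs are drawn uniformly at random from the 2**24 values.
    """
    space = 2 ** IV_BITS
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")      # constructed 40-bit sample key
    iv = bytes.fromhex("00002a")           # constructed sample IV
    first = wep_encapsulate(key, iv, b"bridge frame one")
    second = wep_encapsulate(key, iv, b"bridge frame two")
    print("round trip:", wep_decapsulate(key, first))
    print("keystream reused:", same_keystream(first, second))
    print("frames for a 50% chance of an IV repeat:", frames_until_iv_repeat())
```

Because the secret key never changes, the IV is the only per-frame variation, and the estimate shows how few frames that allows before a keystream is repeated.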
AT-WA7400 Management Software User’s Guide shown in Figure 4. Figure 4. Security Settings Page 2. Configure WEP security on each client as shown in Figure 5.
Appendix B: Configuring Security on Wireless Clients Figure 5. Wireless Network Properties Dialog Box Network Authentication Choose Open or Shared, depending on how you configured this option on the access point. Note When the Authentication Algorithm on the access point is set to Both, clients set to either Shared or Open can associate with the access point. Clients configured to use WEP in Shared mode must have a valid WEP key in order to associate with the access point.
AT-WA7400 Management Software User’s Guide Static WEP clients should now be able to associate and authenticate with the access point. As a client, you will not be prompted for a WEP key. The WEP key configured on the client security settings is automatically used when you connect. Configuring IEEE 802.1x Security on a Client IEEE 802.1x is the standard defining port-based authentication and infrastructure for doing key management. Extensible Authentication Protocol (EAP) messages sent over an IEEE 802.
802.1x security mode as shown in Figure 6.
Figure 6. Security Settings Page
Then configure IEEE 802.1x security with PEAP authentication on each client as follows.
[Figure 7 callouts: Choose Open. Choose WEP Data Encryption mode. Enable the auto key option. Enable (click to check) IEEE 802.1x authentication. Choose Protected EAP (PEAP), then click Properties.]
Figure 7.
AT-WA7400 Management Software User’s Guide 2. Configure the following settings on the Association tab in the Network Properties dialog box: Network Authentication Open Data Encryption WEP Note An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each IEEE 802.11 frame. This is the same encryption algorithm as is used for Static WEP; therefore, the data encryption method configured on the client for this mode is WEP.
[Figure 8 callouts: Disable (click to uncheck) “Validate server certificate”. Choose “secured password (EAP-MSCHAP v2)”, then click Configure. Disable (click to uncheck) the option to automatically use Windows logon name and password.]
Figure 8. Protected EAP Properties Dialog Box and EAP Properties Dialog Box
4.
AT-WA7400 Management Software User’s Guide 7. Click OK on all dialog boxes (starting with the EAP MSCHAP v2 Properties dialog box) to close and save your changes. IEEE 802.1x PEAP clients should now be able to associate with the access point. Client users will be prompted for a user name and password to authenticate with the network. IEEE 802.
Appendix B: Configuring Security on Wireless Clients 5. Verify that you configured the AT-WA7400 Wireless Access Point to use IEEE 802.1x security mode with an external RADIUS server, as shown in Figure 9. Figure 9. Security Settings Page 6. Then configure IEEE 802.1x security with certificate authentication on each client as follows (Figure 10).
[Figure 10 callouts: Choose Open. Choose WEP Data Encryption mode. Enable the auto key option. Enable (click to check) IEEE 802.1x authentication. Choose Smart Card/Certificate, then click Properties.]
Figure 10. Association and Authentication Tabs
7. Configure the following settings on the Association tab in the Network Properties dialog box.
Enable IEEE 802.1x authentication for this network
Enable (click to check) this option.
EAP Type
Choose Smart Card or other Certificate.
[Figure 11 callouts: Enable (click to check) "Validate server certificate". Select (check) the name of the certificate on this client (downloaded from the RADIUS server in a prerequisite procedure).]
Figure 11. Smart Card or other Certificate Properties Dialog Box
9.
AT-WA7400 Management Software User’s Guide certificate is automatically sent to the RADIUS server for authentication and authorization.
Appendix B: Configuring Security on Wireless Clients Configuring WPA/WPA2 Enterprise (RADIUS) Security on a Client Wi-Fi Protected Access 2 (WPA2) with Remote Authentication Dial-In User Service (RADIUS) is an implementation of the Wi-Fi Alliance IEEE 802.11 standard, which includes Advanced Encryption Standard (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) mechanisms. This mode requires the use of a RADIUS server to authenticate users.
AT-WA7400 Management Software User’s Guide Note The following example assumes that you are using the built-in authentication server that is shipped with the AT-WA7400 Wireless Access Point. If you are setting up EAP/PEAP on a client of an access point that is using an external RADIUS server, the client configuration process will differ somewhat from this example especially with regard to certificate validation.
Appendix B: Configuring Security on Wireless Clients 2. Set up user accounts on the access point (Cluster > User Management) as shown in Figure 13. Figure 13. User Management Accounts Page 3. Then configure WPA security with PEAP authentication on each client as shown in Figure 14.
[Figure 14 callouts: Choose WPA. Choose either TKIP or AES for the Data Encryption mode. Choose Protected EAP (PEAP), then click Properties.]
Figure 14. Wireless Network Properties Dialog Box
4. Configure the following settings on the Association and Authentication tabs in the Network Properties dialog box.
Network Authentication
WPA
Data Encryption
TKIP or AES depending on how this option is configured on the access point.
Click Properties to open the Protected EAP Properties dialog box as shown in Figure 15.
[Figure 15 callouts: Disable (click to uncheck) Validate server certificate. Choose secured password (EAP-MSCHAP v2), then click Configure. Disable (click to uncheck) this option.]
Figure 15. Protected EAP Properties Dialog Box
6. Configure the following settings.
Validate Server Certificate
Disable this option (click to uncheck the box).
AT-WA7400 Management Software User’s Guide 9. Click OK in all dialog boxes (starting with the EAP MSCHAP v2 Properties dialog) to close and save your changes. WPA/WPA2 Enterprise (RADIUS) PEAP clients should now be able to associate with the access point. Client users will be prompted for a user name and password to authenticate with the network.
Appendix B: Configuring Security on Wireless Clients 5. Verify that you configured the AT-WA7400 Wireless Access Point to use WPA/WPA2 Enterprise (RADIUS) security mode with an external RADIUS server, as shown in Figure 16. Figure 16. Security Settings Page 6. Configure WPA security with certificate authentication on each client as shown in Figure 17.
[Figure 17 callouts: Choose WPA. Choose either TKIP or AES for the Data Encryption mode. Choose Smart Card or other certificate and enable Authenticate as computer when info is available, then click Properties.]
Figure 17. Association and Authentication Tabs
7. Configure the following settings on the Association tab on the Network Properties dialog.
Network Authentication
WPA
Data Encryption
TKIP or AES depending on how this option is configured on the access point.
9. Click Properties to open the Smart Card or other Certificate Properties dialog and enable the “Validate server certificate” option, as shown in Figure 18.

Validate Server Certificate: Enable this option (click to check the box).
Certificates: In the certificate list shown, select the certificate for this client.
Configuring WPA/WPA2 Personal (PSK) Security on a Client

Wi-Fi Protected Access (WPA) with Pre-Shared Key (PSK) is a Wi-Fi Alliance subset of IEEE 802.11i, which includes Temporal Key Integrity Protocol (TKIP), Advanced Encryption Algorithm (AES), and Counter mode/CBC-MAC Protocol (CCMP) mechanisms. PSK employs a preshared key for an initial check of client credentials.

To configure WPA/WPA2 security on a client, perform the following procedure:

1.
2. Configure WPA/WPA2 Personal (PSK) security on each client as shown in Figure 20.

[Figure 20. Association Tab. Callouts: choose WPA-PSK; choose either TKIP or AES for the Data Encryption mode; enter a network key that matches the one specified on the access point (and confirm by re-typing).]

3.
The key is provided for me automatically: This box should be disabled automatically based on other settings.

4. Configure the following settings on the Authentication tab:

Enable IEEE 802.1x authentication for this network: Make sure that IEEE 802.1x authentication is disabled (unchecked). (Setting the encryption mode to WEP should automatically disable authentication.)

5. Click OK in the Wireless Network Properties dialog box to close it and save your changes.
Configuring an External RADIUS Server to Recognize the AT-WA7400 Wireless Access Point

An external Remote Authentication Dial-in User Server (RADIUS) server running on the network can support EAP-TLS smart card/certificate distribution to clients in a Public Key Infrastructure (PKI) as well as EAP-PEAP user account setup and authentication. By external RADIUS server, we mean an authentication server external to the access point itself.
To configure an external RADIUS server, perform the following procedure:

1. On the Security Settings page, verify that the Authentication Server field is set to “External,” as shown in Figure 21.

Figure 21. Security Settings Page

Note
The RADIUS server is identified by its IP address and UDP port numbers for the different services it provides. With firmware version 1.
2. Log on to the system hosting your RADIUS server and open the Internet Authentication Service window (Figure 22).

Figure 22. Internet Authentication Service Window

3. In the left panel, right click on the RADIUS Clients node and choose New > Radius Client from the menu.

4.
Figure 23. New RADIUS Client Dialog Box, Name and Address Dialog Box

5. Click Next.

6. For the Shared secret, enter the RADIUS Key you provided to the access point (on the Advanced > Security page) as shown in Figure 24.

Figure 24. New RADIUS Client Wizard Additional Information Dialog Box

7. Re-type the key to confirm.

8. Click Finish.
The access point is now displayed as a client of the Authentication Server (Figure 25).

Figure 25.
Obtaining a TLS-EAP Certificate for a Client

Note
If you want to use IEEE 802.1x mode with EAP-TLS certificates for authentication and authorization of clients, you must have an external RADIUS server and a Public Key Authority Infrastructure (PKI), including a Certificate Authority (CA), server configured on your network. It is beyond the scope of this document to describe the configuration of the RADIUS server, PKI, and CA server.
Where IPAddressOfServer is the IP address of your external RADIUS server, or of the Certificate Authority (CA), depending on the configuration of your infrastructure, as shown in Figure 26.

Figure 26. Security Alert Window

2. Click Yes to open the secure web page for the server.

The Welcome page for the Certificate Server is displayed in the browser, as shown in Figure 27.

Figure 27. Certificate Server Welcome Page

3. Click Request a certificate.
The login window for the RADIUS server opens, as shown in Figure 28.

Figure 28. RADIUS Server Login Window

4. Provide a valid user name and password to access the RADIUS server.

Note
The user name and password you need to provide here are for access to the RADIUS server, for which you will already have user accounts configured at this point. This document does not describe how to set up Administrative user accounts on the RADIUS server.
The Security Warning dialog box opens, as shown in Figure 30.

Figure 30. Security Warning Dialog Box

6. Click Yes.

The User Certificate dialog box opens, as shown in Figure 31.

Figure 31. User Certificate Dialog Box

7. Click Submit to complete.

The Potential Scripting Violation dialog box opens, as shown in Figure 32.

Figure 32. Potential Scripting Violation Dialog Box

8. Click Yes.
The Certificate Issued dialog box opens, as shown in Figure 33.

Figure 33. Certificate Issued Dialog Box

9. Click Install this certificate to install the newly issued certificate on your client station.

The Potential Scripting Violation dialog box opens, as shown in Figure 34.

Figure 34. Potential Scripting Error Dialog Box

10. Click Yes.

The Root Certificate Store dialog box is displayed, as shown in Figure 35.

Figure 35. Root Certificate Store Dialog Box

11.
A success message (Figure 36) is displayed indicating the certificate is now installed on the client.

Figure 36.
Appendix C
Troubleshooting

This appendix provides information about how to solve common problems you might encounter in the course of updating network configurations on networks served by multiple, clustered access points.
Wireless Distribution System (WDS) Problems and Solutions

If you are having trouble configuring a WDS link, read the following list of guidelines for configuring WDS. The most common problem Administrators encounter with WDS setups is forgetting to set both access points in the link to the same radio channel and IEEE 802.11 mode.
Cluster Recovery

In cases where the access points in a cluster become out of sync or an access point cannot join or be removed from a cluster, the following methods for cluster recovery are recommended.

- Reboot or Reset the Access Point
- Stop Clustering and Reset Each Access Point in the Cluster

These recovery methods are given in the order you should try them.
The Stop Clustering page for this access point is displayed, as shown in Figure 37.

Figure 37. Stop Clustering Page

2. Click Stop Clustering.

Repeat this stop clustering step for every access point in the cluster.

Caution
Do not proceed to the next step of resetting any access points until you have stopped clustering on all of them.
The Reset Configuration page is shown in Figure 38.

Figure 38. Reset Configuration Page

5. Click Reset to restore the factory defaults on the access point. (This will clear all of your previous settings, including updated passwords.)

6. Repeat this reset step for every access point in the cluster.

Caution
Do not proceed to the next step until you have stopped clustering on all of the access points in the pre-existing cluster.

7.
All previous cluster members are displayed in the list. Before proceeding to the last step, verify that the cluster has reformed by making sure all access points are listed.

9. Review all configuration settings and make modifications as needed. Pay special attention to the security settings because after a reset, access points run without any security in place.
Appendix D
Command Line Interface (CLI) for Access Point Configuration

In addition to the web-based user interface, the AT-WA7400 Wireless Access Point includes a command line interface (CLI) for administering the access point. The CLI lets you view and modify status and configuration information.

From the client station perspective, even a single deployed AT-WA7400 Wireless Access Point broadcasting its network name to clients constitutes a wireless network.
Comparison of Settings Configurable with the CLI and Web UI

The command line interface (CLI) and the web user interface (UI) to the AT-WA7400 Wireless Access Point are designed to suit the preferences and requirements of different types of users and scenarios. Most administrators will probably use both UIs in different contexts.
Table 2. Comparison of CLI to Web Browser Interface Settings (Continued)

Feature or Setting: Wireless Neighborhood
Configurable from CLI: No
Configurable from Web: Yes, as described in Chapter 7, “Wireless Neighborhoods” on page 79.

Feature or Setting: Displaying Status
Configurable from CLI: Yes
Configurable from Web: Yes

Feature or Setting: Ethernet (Wired) Interface
Configurable from CLI: Yes. You can configure all Ethernet (Wired) settings from the CLI except the Connection Type.
Table 2. Comparison of CLI to Web Browser Interface Settings (Continued)

Feature or Setting: Back Up and Restore
Configurable from CLI: No
Configurable from Web: Yes, as described in Chapter 18, “Backing Up and Restoring a Configuration” on page 211.
Accessing the CLI for an Access Point

You can use any of these methods to access the CLI for the access point or wireless network:

- “Telnet Connection to the Access Point,” next
- “SSH Connection to the Access Point” on page 270

Telnet Connection to the Access Point

If you already have your network deployed and know the IP address of your access point, you can use a remote Telnet connection to the access point to view the system console over the networ
Enter after each. (The password is masked, so it will not be displayed on the screen.)

When the user name and password are accepted, the screen displays the AT-WA7400 Wireless Access Point help command prompt.

    AT-WA7400 login: manager
    Password: friend
    Enter 'help' for help.

You are now ready to enter CLI commands at the command line prompt.
Figure 40. PuTTY Configuration Dialog Box

2. Enter the IP address of the access point and click Open. (If your Domain Name Server is configured to map domain names to IP addresses via DHCP, you can enter the domain name of the access point instead of an IP address.)

This brings up the SSH command window and establishes a connection to the access point. The login prompt is displayed.

    login as:

3.
Quick View of Commands and How to Get Help

Caution
Settings you update from the CLI (with the get, set, add, and remove commands) are not saved to the startup configuration unless you explicitly save them using the save-running command. For a description of configurations maintained on the access point and details on how to save your updates, see “Saving Configuration Changes” on page 281.
Table 3. Commands and Syntax

Command: get
Description: The get command allows you to get the field values of existing instances of a class. Classes can be named or unnamed. The command syntax is:

    get unnamed-class [ field ... | detail ]
    get named-class [ instance | all [ field ... | name | detail ] ]

The rest of the command line is optional. If provided, it is either a list of one or more fields, or the keyword detail.
Table 3. Commands and Syntax (Continued)

Command: set
Description: The set command allows you to set the field values of existing instances of a class, for example:

    set unnamed-class [ with qualifier-field qualifier-value ... to ] field value . . .

The first argument is an unnamed class in the configuration. After this is an optional qualifier that restricts the set to only some instances.
Table 3. Commands and Syntax (Continued)

Command: remove
Description: The remove command allows you to remove an existing instance of a class.

    remove unnamed-class [ field value . . . ]
    remove named-class instance | all [ field value . . .]

For example:

    remove radius-user wally

Command: save-running
Description: The save-running command saves the running configuration as the startup configuration. For more information, see “Saving Configuration Changes” on page 281.
Example 2: Type get TAB TAB (including a space after get) to see a list of all field options for the get command.
For detailed examples on getting help, see “Keyboard Shortcuts and Tab Completion Help” on page 349.
Command Usage and Configuration Examples

The following sections provide examples of using the CLI to perform functions similar to those documented in the web browser interface chapters in this book:

- “Understanding Interfaces as Presented in the CLI,” next
- “Saving Configuration Changes” on page 281
- “Basic Settings” on page 282
- “Access Point and Cluster Settings” on p

Understanding Interfaces as Presented in the CLI
Table 4. Interfaces in the CLI

Interface: lo
Description: Local loopback for data meant for the access point itself.

Interface: eth0
Description: The wired (Ethernet) interface for the internal network.

Interface: br0
Description: The internal bridge represents the internal interface for the access point. To telnet or ssh into the access point, use the IP address for this interface.
Table 4. Interfaces in the CLI

Interface: brvwn2
Description: This is for the second virtual wireless network (VWN) 2. On a one-radio access point, the bridge interface for VWN2 consists of:

- wlan0vwn1
- vlanVLANID

where VLANID is a four-digit VLAN ID that you provided. (For example, if you provided a VLAN ID of 1234, the VLAN interface would be vlan1234.
Saving Configuration Changes

The AT-WA7400 Wireless Access Point maintains three different configurations.

- Factory Default Configuration - This configuration consists of the default settings shipped with the access point (as specified in Appendix A, “Management Software Default Settings” on page 215).
Basic Settings

Note
Before configuring this feature, make sure you are familiar with the names of the interfaces as described in “Understanding Interfaces as Presented in the CLI” on page 278. The interface name you reference in a command determines whether a setting applies to a wired or wireless interface, the internal or guest network, or (on a two-radio access point) to radio one or radio two.
Table 5.
    Field Value
    --------------------
    ip 10.10.55.
    AT-WA7400# get cluster location
    not set

Set the Location for an Access Point

To set the location for an access point, use the set command as follows:

    AT-WA7400# set system location hallway
    AT-WA7400# set system location "Vicky's Office"

To check to make sure that the location was set properly, use the get command again to find out the location:

    AT-WA7400# get system location
    Vicky’s Office

Get the Current Password

    AT-WA7400# get system encrypted-password
    2yn.
links to detailed examples.

Table 6.
Configure the Access Point as a Standalone Device

    set cluster clusterable 0

User Accounts

The following command examples show configuration tasks related to user accounts. These tasks correspond to the Cluster > User Management page in the web UI. Table 7 provides a quick view of User Management commands and provides links to detailed examples.

Table 7.
To view all user accounts:

    AT-WA7400# get radius-user all
    name username disabled password realname
    ------------------------------------------------------------
    larry David White

Add Users

In this example, four new users are added: (1) samantha, (2) endora, (3) darren, and (4) wally, and their user names, real names, and passwords are set up.

1. Add username "samantha":

    AT-WA7400# add radius-user samantha

2.
    name username disabled password realname
    ------------------------------------------------------------
    larry David White
    samantha Elizabeth Montgomery
    endora Agnes Moorhead
    darren Dick York
    wally Tony Dow

Remove a User Account

To remove a user account, type the following:

    AT-WA7400# remove radius-user wally

Use the get command to view all user names. (You can see that “wally” has been removed.
examples.

Table 8. Status Commands

Function: Understanding Interfaces as Presented in the CLI
Command: Reference of interface names and purposes as described in “Understanding Interfaces as Presented in the CLI” on page 278.

Function: Global command to get all detail on a Basic Service Set (BSS). This is a useful command to use to get a comprehensive picture of how the access point is currently configured.
Table 8. Status Commands (Continued)

Function: Enable Remote Logging and Specify the Log Relay Host for the Kernel Log
Command: As a prerequisite to remote logging, the Log Relay Host must be configured first as described in “Setting Up the Log Relay Host” on page 187. See a complete explanation of CLI commands at “Enable Remote Logging and Specify the Log Relay Host for the Kernel Log” on page 295.
Get All Wired Settings for the Wired Internal Interface

    AT-WA7400# get interface br0
    Field Value
    --------------------
    mac 00:a0:c9:8c:c4:7e
    ip 192.168.1.1
    mask 255.255.255.
Note
You can get specifics on the guest interface by using the same types of commands as for the internal interface but substituting brguest for wlan0. For example, to get the MAC address for the guest interface:

    get interface wlan0 ssid

Get Current Wireless (Radio) Settings

The following examples show how to use the CLI to get wireless radio settings on an access point, such as mode, channel, and so on.
    rts-threshold 2347
    ap-detection on
    beacon-interval 100

Get All Radio Settings on the Internal Interface

    AT-WA7400# get radio wlan0 detail
    Field Value
    ---------------------------------------------------
    status up
    description IEEE 802.
Get Status on Events

    AT-WA7400# get log-entry all
    Number Time Priority Daemon Message
    ------------------------------------------------------
    1 Apr 20 21:39:55 debug udhcpc Sending renew...
    2 Apr 20 21:39:55 info udhcpc Lease of 10.10.55.216 obtained, lease time 300
    3 Apr 20 21:37:25 debug udhcpc Sending renew...
    4 Apr 20 21:37:25 info udhcpc Lease of 10.10.55.
To view the current log settings:

    AT-WA7400# get log
    Field Value
    --------------------------
    depth 15
    relay-enabled 0
    relay-host
    relay-port 514

When you start a new access point, the Log Relay Host is disabled.
    set log relay-host Host_Name_Of_LogRelayHost

Where Host_Name_Of_LogRelayHost is the DNS name for the Log Relay Host. For example:

    AT-WA7400# set log relay-host myserver

Specify the Relay Port

To specify the Relay Port for the syslog server:

    set log relay-port Number_Of_LogRelayPort

Where Number_Of_LogRelayPort is the port number for the Log Relay Host.
    AT-WA7400# get interface all ip mac ssid tx-packets tx-bytes tx-errors rx-packets rx-bytes rx-errors
    Name Ip Mac Ssid Tx-packets Tx-bytes Tx-errors Rx-packets Rx-bytes Rx-errors
    ---------------------------------------------------------------------------
    lo 127.0.0.
Get Client Associations

    AT-WA7400# get association
    Interf Station           Authen Associ Rx-pac Tx-pac Rx-byt Tx-byt Tx-rat
    wlan0  00:0c:41:8f:a7:72 Yes    Yes    126    29     9222   3055   540
    wlan0  00:09:5b:2f:a5:2f Yes    Yes    382    97     16620  10065  110

    AT-WA7400# get association detail
    Inter Station           Authe Assoc Rx-pa Tx-pa Rx-byt Tx-byt Tx-ra Liste
    wlan0 00:0c:41:8f:a7:72 Yes   Yes   126   29    9222   3055   540   1
    wlan0 00:09:5b:2f:a5:2f Yes   Yes   382   97    16620  10065
    rate             Rate
    signal           Signal strength
    ssid             Service Set IDentifier (a.k.a., Network Name)
    supported-rates  Supported rates list
    type             Type (AP, Ad hoc, or Other)
    wpa              WPA security enabled

To get the neighboring access points, type get detected-ap.
    type AP
    privacy Off
    ssid domani
    channel 6
    signal 3

    Field Value
    -----------------------------------------
    mac 00:e0:b8:76:28:c0
    type AP
    privacy Off
    ssid domani
    channel 6
    signal 4

Ethernet (Wired) Interface

Note
Before configuring this feature, make sure you are familiar with the names of the interfaces as described in “Understanding Interfaces as Presented in the CLI” on page 278.
Table 9. Wired Interface Commands (Continued)

Function: Get Current Settings for the Ethernet (Wired) Internal Interface
Command: get interface br0

Function: Find out if guest access is enabled and configured.
Command: get interface brguest status

Function: Set DNS Nameservers to Use Static IP Addresses (Dynamic to Manual Mode)
Command: See example below.

Function: Set DNS Nameservers to Use DHCP IP Addressing (Manual to Dynamic Mode)
Command: See example below.
Set DNS Nameservers to Use Static IP Addresses (Dynamic to Manual Mode)

This example shows how to reconfigure DNS Nameservers from Dynamic mode (where name server IP addresses are assigned through DHCP) to Manual mode, and specify static IP addresses for them.

1. Check to see which mode the DNS Name Service is running in. (In our example, DNS naming is running in DHCP mode when we start because the following command returns up for the mode.
    AT-WA7400# get host dns-via-dhcp
    up

Setting Up the Wireless Interface

To set up a wireless (radio) interface, configure the following on each interface (Internal or guest) as described in other sections of this CLI document.

- Configure the Radio Mode and Radio Channel as described in “Configuring Radio Settings” on page 147.
- Configure the Network Name as described in “Configuring Internal Wireless LAN Settings” on page 102.
Table 10. Security Commands (Continued)

Function: Enable/Disable Station Isolation
Command:
    get interface br0 port-isolation off
    set radio wlan0 station-isolation off

Function: Set Security to Plain Text
Command: set interface wlan0 security plain-text

Function: Set Security to Static WEP
Command: See detailed example in “Set Security to Static WEP” on page 307.

Function: Set Security to IEEE 802.1x
Command: See detailed example in “Set Security to IEEE 802.1x” on page 312.
    radius-ip 127.0.0.
    channel 6
    tx-power 100
    tx-rx-status up
    beacon-interval 100
    rts-threshold 2347
    fragmentation-threshold 2346
    load-balance-disassociation-utilization 0
    load-balance-disassociation-stations 0
    load-balance-no-association-utilization 0
    ap-detection off
    station-isolation off
    frequency 2437
    wme on

Set Security to Plain Text

    AT-WA7400# set interface wlan0 security plain-text

Set Security to Static WEP

Set the Security Mode

    AT-WA7400# set interfac
Note
The Key Length values used by the CLI do not include the initialization vector in the length. On the web UI, longer Key Length values may be shown which include the 24-bit initialization vector. A Key Length of 40 bits (not including initialization vector) is equivalent to a Key Length of 64 bits (with initialization vector).
- If Key Length is 40 bits and Key Type is “Hex,” then each WEP key must be 10 characters long.
- If Key Length is 104 bits and Key Type is “ASCII,” then each WEP Key must be 13 characters long.
- If Key Length is 104 bits and Key Type is “Hex,” then each WEP Key must be 26 characters long.

Although the CLI will allow you to enter WEP keys of any number of characters, you must use the correct number of characters for each key to ensure a valid security configuration.
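Because the CLI accepts WEP keys of any length, a saved listing can be checked against the rules above. The following Python script is an added example, not part of the original guide: it parses a "Field Value" listing of the kind printed by get interface wlan0 detail and reports keys whose length does not match the configured Key Length and Key Type. The sample listings are constructed; treating any wep-key-ascii value other than "yes" as Hex is an assumption.

```python
import re

# Characters required per key for each (key length in bits, key type).
# Lengths exclude the 24-bit initialization vector, as the CLI reports them.
REQUIRED_CHARS = {
    (40, "ascii"): 5,
    (40, "hex"): 10,
    (104, "ascii"): 13,
    (104, "hex"): 26,
}


def parse_fields(cli_output):
    """Turn the 'Field Value' lines of a get ... detail listing into a dict."""
    fields = {}
    for raw in cli_output.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("AT-WA7400#"):
            continue  # blank line, dashed rule, or the echoed command
        if line.split()[:2] == ["Field", "Value"]:
            continue  # column header
        name, _, value = line.partition(" ")
        fields[name] = value.strip()  # fields with no value become ""
    return fields


def check_wep(fields):
    """Return a list of findings for a static-wep configuration."""
    if fields.get("security") != "static-wep":
        return []
    try:
        bits = int(fields.get("wep-key-length", ""))
    except ValueError:
        return ["wep-key-length is missing or not a number"]
    # Assumption: 'yes' means ASCII keys; any other value means Hex keys.
    is_ascii = fields.get("wep-key-ascii", "").lower() == "yes"
    key_type = "ascii" if is_ascii else "hex"
    need = REQUIRED_CHARS.get((bits, key_type))
    if need is None:
        return [f"unsupported wep-key-length {bits}"]

    findings = []
    for n in range(1, 5):
        key = fields.get(f"wep-key-{n}", "")
        if not key:
            continue  # unused key slot
        if len(key) != need:
            findings.append(
                f"wep-key-{n}: {len(key)} characters, "
                f"{need} required for {bits}-bit {key_type}"
            )
        elif key_type == "hex" and not re.fullmatch(r"[0-9A-Fa-f]+", key):
            findings.append(f"wep-key-{n}: contains non-hexadecimal characters")

    default = fields.get("wep-default-key", "")
    if default and not fields.get(f"wep-key-{default}"):
        findings.append(f"wep-default-key {default} points at an empty key slot")
    return findings


# Constructed sample: 104-bit ASCII keys that are only 5 characters long,
# with the default (transfer) key index pointing at an empty slot.
SAMPLE_ASCII = """\
AT-WA7400# get interface wlan0 detail
Field              Value
------------------------------------------
security           static-wep
wep-key-ascii      yes
wep-key-length     104
wep-default-key    4
wep-key-1          abcde
wep-key-2          fghij
wep-key-3          klmno
wep-key-4
"""

# Constructed sample: 40-bit Hex keys, one of them containing non-hex characters.
SAMPLE_HEX = """\
Field              Value
------------------------------------------
security           static-wep
wep-key-ascii      no
wep-key-length     40
wep-default-key    1
wep-key-1          0123456789
wep-key-2          01234567zz
"""

if __name__ == "__main__":
    for label, text in (("ascii sample", SAMPLE_ASCII), ("hex sample", SAMPLE_HEX)):
        for finding in check_wep(parse_fields(text)):
            print(f"{label}: {finding}")
```
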
command gets the security mode in use on the internal network:

    AT-WA7400# get interface wlan0 security
    static-wep

The following command gets details on how the internal network is configured, including details on Security.
Key settings, specifically.

    AT-WA7400# get interface wlan0 detail
    Field Value
    ------------------------------------------
    type service-set
    status up
    description Wireless - Internal
    mac 00:0C:41:16:DF:A6
    ip 0.0.0.0
    static-ip 0.0.0.
    bss wlan0bssInternal
    security static-wep
    wpa-personal-key
    wep-key-ascii yes
    wep-key-length 104
    wep-default-key 4
    wep-key-1 abcde
    wep-key-2 fghij
    wep-key-3 klmno
    wep-key-4
    vlan-interface
    vlan-id
    radio
    remote-mac
    wep-key

Set Security to IEEE 802.
Table 14. Authentication Server Commands (Continued)

Function: Set the access point to use an external RADIUS server
Command: set bss wlan0bssInternal radius-ip radius_ip_address
where radius_ip_address is the IP address of an external RADIUS server.

The following example sets the access point to use the built-in server:

    AT-WA7400# set bss wlan0bssInternal radius-ip 127.0.0.
Get Current Security Settings After Re-Configuring to IEEE 802.1x Security Mode

Now use the get command again to view the updated security configuration and see the results of our new settings.

The following command gets the security mode in use on the internal network:

    AT-WA7400# get interface wlan0 security
    dot1x

The following command gets details on how the internal BSS is configured, including details on Security.
    wpa-allowed off
    wpa2-allowed off
    rsn-preauthentication off

Set Security to WPA/WPA2 Personal (PSK)

1. Set the Security Mode

    AT-WA7400# set interface wlan0 security wpa-personal

2. Set the WPA Versions

Select the WPA version based on what types of client stations you want to support, as shown in Table 16.

Table 16. WPA Version

Function: WPA: If all client stations on the network support the original WPA but none support the newer WPA2, then use WPA.
Set the cipher suite you want to use. The options are shown in Table 17.

Table 17. Cipher Commands

Function: TKIP: Temporal Key Integrity Protocol (TKIP), which is the default.
Commands: set bss wlan0bssInternal wpa-cipher-tkip on

Function: CCMP (AES): Counter mode/CBC-MAC protocol (CCMP) is an encryption method for IEEE 802.11i that uses the Advanced Encryption Algorithm (AES).
5. Get Current Security Settings After Reconfiguring to WPA/WPA2 Personal (PSK)

Now use the get command again to view the updated security configuration and see the results of the new settings.

The following command gets the security mode in use on the internal network:

    AT-WA7400# get interface wlan0 security
    wpa-personal

The following command gets details on how the internal network is configured, including details on Security.
    wpa-allowed on
    wpa2-allowed on
    rsn-preauthentication

Set Security to WPA/WPA2 Enterprise (RADIUS)

Set the Security Mode

    AT-WA7400# set interface wlan0 security wpa-enterprise

Set the WPA Versions

Select the WPA version based on what types of client stations you want to support, as shown in Table 18.

Table 18.
authentication for WPA2 clients, as shown in Table 19.

Table 19. Preauthentication Commands

Function: Enable pre-authentication if you want WPA2 wireless clients to send pre-authentication packets. The pre-authentication information will be relayed from the access point the client is currently using to the target access point. Enabling this feature can help speed up authentication for roaming clients who connect to multiple access points.
Table 20. Cipher Commands (Continued)

Function: Both: When the authentication algorithm is set to Both, both TKIP and AES clients can associate with the access point. WPA clients must have either a valid TKIP key or a valid CCMP (AES) key to be able to associate with the access point.
This command sets the RADIUS key to KeepSecret for an external RADIUS server.

    AT-WA7400# set bss wlan0bssInternal radius-key KeepSecret

Enable RADIUS Accounting (External RADIUS Server Only)

You can enable RADIUS Accounting if you want to track and measure the resources a particular user has consumed, such as system time, amount of data transmitted and received, and so on. The commands to enable or disable RADIUS accounting are shown in Table 22.
and see the results of our new settings.

The following command gets the security mode in use on the internal network:

    AT-WA7400# get interface wlan0 security
    wpa-enterprise

The following command gets details on how the internal network is configured, including details on Security.
    rsn-preauthentication off

Enabling and Configuring the Guest Login Welcome Page

The guest login and welcome page commands are shown in Table 24.

Table 24.
    welcome-screen-text Thank you for using wireless Guest Access as provided by this Allied Telesyn AT-WA7400 wireless access point. When you click "Accept", you will gain access to our wireless guest network. This network allows complete access to the Internet but is external to the corporate network. Please note that this network is not configured to provide any level of wireless security.
Configuring Multiple BSSIDs on Virtual Wireless Networks

Note
Before you configure this feature, make sure you are familiar with the names of the interfaces as described in “Understanding Interfaces as Presented in the CLI” on page 278. The interface name you reference in a command determines whether a setting applies to a wired or wireless interface, the internal or guest network, or (on a two-radio access point) to radio one or radio two.
Use the CLI to set the Network Name (SSID) for the New Virtual Wireless Network

AT-WA7400# set interface wlan0vwn1 ssid my-vwn-one

Creating VWN “Two” on Radio One with WPA security

To configure the second virtual wireless network, repeat the previous procedures with the following differences:

- Create a second VLAN ID from the web UI with a new SSID.
- In the CLI commands, replace wlan0bssvwn1 with wlan0bssvwn2.
(The radio in the example is using IEEE 802.11g mode.)

Get Radio Channel

To get the current setting for radio Channel:

AT-WA7400# get radio wlan0 channel
6

(The radio in this example is on Channel 6.
mode                                       g
static-channel                             6
channel                                    6
tx-power                                   100
tx-rx-status                               up
beacon-interval                            100
rts-threshold                              2347
fragmentation-threshold                    2346
load-balance-disassociation-utilization    0
load-balance-disassociation-stations       0
load-balance-no-association-utilization    0
ap-detection                               off
station-isolation                          off
frequency                                  2437
wme                                        on

Get Supported Rate Set

The Supported Rate Set is what the access point supports.
wlan0  6
wlan0  5.5
wlan0  2
wlan0  1

Get Basic Rate Set

The Basic Rate Set is what the access point will advertise to the network for the purposes of setting up communication with other access points and client stations on the network. It is generally more efficient to have an access point broadcast a subset of its supported rate sets.

AT-WA7400# get basic-rate
name   rate
-----------
wlan0  11
wlan0  5.
how you would use the CLI to set each one are shown in Table 27.

Table 27. Radio Mode Commands

Function                        Command
IEEE 802.11b                    set radio wlan0 mode b
IEEE 802.11g                    set radio wlan0 mode g
IEEE 802.11a                    set radio wlan0 mode a
Atheros Turbo 5 GHz             set radio wlan0 mode turbo-a
Atheros Dynamic Turbo 5 GHz     set radio wlan0 mode dynamicturbo-a
Atheros Turbo 2.4 GHz           set radio wlan0 mode turbo-g
Atheros Dynamic Turbo 2.
AT-WA7400# set bss wlan0bssInternal dtim-period 3

To get the updated value for DTIM interval after you have changed it:

AT-WA7400# get bss wlan0bssInternal dtim-period
3

Set the Fragmentation Threshold

You can specify a fragmentation threshold as a number between 256 and 2,346 to set the frame size threshold in bytes. The fragmentation threshold is a way of limiting the size of packets (frames) transmitted over the network.
Table 28.
1 2 5.5 6 11 12 18 24 36 48 54 9

Note
You can use the get command to view current rate sets from the CLI as described in “Get Supported Rate Set” on page 328 and “Get Basic Rate Set” on page 329. However, you cannot reconfigure Supported Rate Sets or Basic Rate Sets from the CLI. You must use the Advanced > Radio page on the web UI to configure this feature.
to configure. The commands are shown in Table 29.

Table 29. Accept and Deny List Commands

Function: Set up an Accept list: (With this type of list, client stations whose MAC addresses are listed will be allowed access to the access point.)
Command:  set bss wlan0bssInternal mac-acl-mode accept-list

Function: Set up a Deny list: (With this type of list, the access point will prevent access to client stations whose MAC addresses are listed.
Getting Current MAC Filtering Settings

Get the Type of MAC Filtering List Currently Set (Accept or Deny)

The following command shows which type of MAC filtering list is currently configured:

AT-WA7400# get bss wlan0bssInternal mac-acl-mode
accept-list

Get MAC Filtering List

The following command shows the clients on the MAC filtering list:

AT-WA7400# get mac-acl
name              mac
-----------------------------------
wlan0bssInternal  00:01:02:03:04:05
wlan0bssInternal  0
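The accept-list and deny-list behaviour described above can be checked offline against an inventory of approved devices. The following Python script is an added example, not part of the Allied Telesyn guide: it parses captured `get mac-acl` output and reports where the configured list and the inventory disagree. The sample output and inventory are constructed, and the `deny-list` mode string is an assumption, since only `accept-list` appears in this section.

```python
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")

# Constructed sample of `get mac-acl` output (not captured from a real device).
SAMPLE_OUTPUT = """\
AT-WA7400# get mac-acl
name              mac
-----------------------------------
wlan0bssInternal  00:01:02:03:04:05
wlan0bssInternal  00:01:02:03:04:06
"""

def parse_mac_acl(output):
    """Return {bss_name: set of lower-case MACs} from `get mac-acl` output."""
    acl = {}
    for line in output.splitlines():
        parts = line.split()
        # Skip the prompt, column header and separator; keep "<bss> <mac>" rows.
        if len(parts) == 2 and MAC_RE.match(parts[1]):
            acl.setdefault(parts[0], set()).add(parts[1].lower())
    return acl

def is_admitted(mode, listed, mac):
    """accept-list admits only listed MACs; deny-list (mode string assumed)
    admits every station except the listed MACs."""
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    if mode == "accept-list":
        return mac.lower() in listed
    if mode == "deny-list":
        return mac.lower() not in listed
    raise ValueError("unknown mac-acl-mode: %r" % mode)

def audit(mode, listed, approved):
    """Compare the configured list with an approved-device inventory."""
    approved = {m.lower() for m in approved}
    if mode == "accept-list":
        return {"admitted_not_approved": sorted(listed - approved),
                "approved_not_admitted": sorted(approved - listed)}
    # deny-list: every unlisted station is admitted, so unapproved stations
    # cannot be enumerated; only blocked approved devices can be reported.
    return {"admitted_not_approved": None,
            "approved_not_admitted": sorted(approved & listed)}

if __name__ == "__main__":
    acl = parse_mac_acl(SAMPLE_OUTPUT)["wlan0bssInternal"]
    print(audit("accept-list", acl, ["00:01:02:03:04:05", "00:0A:0B:0C:0D:0E"]))
```

MAC addresses are compared case-insensitively because inventories and CLI output often differ in letter case.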
AT-WA7400# get radio wlan0 load-balance-disassociation-stations
2
AT-WA7400# set radio wlan0 load-balance-disassociation-utilization 25
AT-WA7400#
AT-WA7400# get radio wlan0 load-balance-disassociation-utilization
25
AT-WA7400# set radio wlan0 load-balance-no-association-utilization 50
AT-WA7400#
AT-WA7400# get radio wlan0 load-balance-no-association-utilization
50

Quality of Service

Note
Before configuring this feature from the CLI, make
Table 30 provides a quick view of QoS commands.

Table 30. QoS Commands

Function: Enable/Disable Wi-Fi Multimedia
Command:  set radio wlan0 wme off
          set radio wlan0 wme on
          get radio wlan0 wme

Function: About Access Point and Station EDCA Parameters
Command:  See “About Access Point and Station EDCA Parameters” on page 338.

Function: Understanding the Queues for Access Point and Station
Command:  See “Understanding the Queues for Access Point and Station” on page 339.
Table 30. QoS Commands (Continued)

Function: Set Transmission Opportunity Limit (txop-limit) for WMM client stations
Command:  set wme-queue wlan0 with queue Queue_Name to txop-limit txop-limit_Value
          See examples in “Set Transmission Opportunity Limit (txop-limit) for WMM client stations” on page 344.

Enable/Disable Wi-Fi Multimedia

By default, Wi-Fi MultiMedia (WMM) is enabled on the access point.
Understanding the Queues for Access Point and Station

The same types of queues are defined for different kinds of data transmitted from access point-to-station and station-to-access point, but they are referenced differently depending on whether you are configuring access point or station parameters. The commands are shown in Table 31.

Table 31. Queue Commands

Access Point Data Station
Voice - High priority queue, minimum delay.
wlan0  data3  7     15     1023   0

Get QoS Settings on the Client Station

To view the current QoS settings queue names for station-to-access point parameters:

AT-WA7400# get wme-queue
name   queue  aifs  cwmin  cwmax  txop-limit
--------------------------------------------
wlan0  vo     2     3      7      47
wlan0  vi     2     7      15     94
wlan0  be     3     15     1023   0
wlan0  bk     7     15     1023   0

Set Arbitration Interframe Spaces (aifs)

Arbitration Inter-Frame Spac
wlan0  data1  1     7      15     3.0
wlan0  data2  3     15     63     0
wlan0  data3  7     15     1023   0

Set AIFs on the Client Station

To set the AIFs on station-to-access point traffic:

set wme-queue wlan0 with queue Queue_Name to aifs AIFs_Value

Where Queue_Name is the queue on the station to which you want the setting to apply and AIFs_Value is the wait time value you want to specify for AIFs.
detailed field description for this value in that topic.) Valid values for the cwmax are 1, 3, 7, 15, 31, 63, 127, 255, 511, or 1024. The value for cwmax must be higher than the value for cwmin.
AT-WA7400# set wme-queue wlan0 with queue vi cwmin 7 cwmax 15

View the results of this configuration update (bold in the command output highlights the modified values):

AT-WA7400# get wme-queue
name   queue  aifs  cwmin  cwmax  txop-limit
--------------------------------------------
wlan0  vo     14    3      7      47
wlan0  vi     2     7      15     94
wlan0  be     3     15     1023   0
wlan0  bk     7     15     1023   0

Set the Maximum Burst Length (burst) on the Access Point

The Maximum Burst Length
wlan0  data2  3     15     63     0.5
wlan0  data3  7     15     1023   0

Set Transmission Opportunity Limit (txop-limit) for WMM client stations

The Transmission Opportunity Limit (txop-limit) specifies an interval of time (in milliseconds) when a WMM client station has the right to initiate transmissions on the wireless network. The txop-limit applies only to the client stations (station-to-access point traffic).
Table 32 provides a list of the WDS commands.

Table 32. WDS Commands

Function: Configure a WDS Link
Command:  See detailed command example below.
static-ip
static-mask
nat
rx-bytes           0
rx-packets         0
rx-errors          0
rx-drop            0
rx-fifo            0
rx-frame           0
rx-compressed      0
rx-multicast       0
tx-bytes           0
tx-packets         0
tx-errors          0
tx-drop            0
tx-fifo            0
tx-colls           0
tx-carrier         0
tx-compressed      0
port-isolation
ssid
bss
security
wpa-personal-key
wep-key-ascii      no
wep-key-length     104
wep-default-key
wep-key-1
wep-key-2
wep-key-3
wep-key-4
vlan-interface
vlan-id
radio              wlan0
remote-mac         00:E0:B8:76:1B:14

Time Protocol

The Network Time Protocol (NTP) is an Internet standard protocol that synchronizes computer clock times on your network. NTP servers transmit Coordinated Universal Time (UTC, also known as Greenwich Mean Time) to their client systems. NTP sends periodic time requests to servers, using the returned time stamp to adjust its clock.
Rebooting the Access Point

To reboot the access point, type reboot at the command line:

AT-WA7400# reboot

Resetting the Access Point to the Factory Defaults

If you are experiencing extreme problems with the AT-WA7400 Wireless Access Point and have tried all other troubleshooting measures, you can reset the access point.
Keyboard Shortcuts and Tab Completion Help

The CLI provides keyboard shortcuts to help you navigate the command line and build valid commands, along with “tab completion” hints on available commands that match what you have typed so far. Using the CLI will be easier if you use the tab completion help and learn the keyboard shortcuts.

Keyboard Shortcuts

Table 33 lists the keyboard shortcuts that are available when you use the CLI.

Table 33.
Table 33. Keyboard Shortcuts (Continued)

Keyboard Shortcut: Ctrl-n, Down Arrow key
CLI Action: Display next command in history. (Ctrl-p and Ctrl-n let you cycle through a history of all executed commands like Up and Down arrow keys typically do. Up/Down arrow keys also work for this.)

CLI Action: Exit the CLI. (At a blank command prompt, typing Ctrl-d closes the CLI.
bridge-port      Bridge ports of bridge interfaces
bss              Basic Service Set of radios
cluster          Clustering-based configuration settings
cluster-member   Member of a cluster of like-configured access points
config           Configuration settings
detected-ap      Detected access point
dhcp-client      DHCP client settings
dot11            IEEE 802.
AT-WA7400# get system version

Example 4: Type set TAB TAB (including a space after set) to get a list of all field options for the set command.

AT-WA7400# set
bss              Basic Service Set of radios
cluster          Clustering-based configuration settings
cluster-member   Member of a cluster of like-configured access points
config           Configuration settings
dhcp-client      DHCP client settings
dot11            IEEE 802.
AT-WA7400# set cluster
cluster          Clustering-based configuration settings
cluster-member   Member of a cluster of like-configured access points

Example 7: Type add TAB TAB (including a space after add) to get a list of all field options for the add command.
CLI Classes and Fields Reference

The following is an introduction to the CLI classes and fields.

Configuration information for the AT-WA7400 Wireless Access Point is represented as a set of classes and objects. Different kinds of information use different classes. For example, information about a network interface is represented by the interface class, while information about an NTP client is represented by the ntp class.
field with a value of 255.0.0.0.

Figure 41.
Appendix E
Radio Bands

Allied Telesyn’s AT-WA7400 Wireless Access Point is capable of operating in the 2.4 GHz band (IEEE 802.11g/b) and in the 5 GHz band (IEEE 802.11a) simultaneously. The access point is shipped with the 802.11g/b radio enabled and is software upgradeable to operate in 802.11g/b and 802.11a. For further information about this upgrade, please contact your Allied Telesyn sales representative.

Some of the advantages of the 802.11a option are:

Higher performance. 802.