Access Points AT-WA7500 AT-WA7501
Installation and User’s Guide
VERSION 2.
Copyright © 2005 Allied Telesyn, Inc. 3200 North First Street, San Jose, CA 95134 USA All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesyn, Inc. Microsoft is a registered trademark of Microsoft Corporation, Netscape Navigator is a registered trademark of Netscape Communications Corporation. All other product names, company names, logos or other designations mentioned herein are trademarks or registered trademarks of their respective owners.
Preface

This manual provides you with information about the features of the Allied Telesyn AT-WA7500 and AT-WA7501 access points with software release 2.0 (or later). This manual also describes how to install, configure, operate, maintain, and troubleshoot the access points.
Document Conventions

This document uses the following conventions:

Note: Notes provide additional information.
Caution: Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data.
Warning: Warnings inform you that performing or omitting a specific action may result in bodily injury.
Where to Find Web-based Guides

The installation and user guides for all Allied Telesyn products are available in Portable Document Format (PDF) from our web site at www.alliedtelesyn.com. You can view the documents online or download them onto a local workstation or server.
Contacting Allied Telesyn

This section provides Allied Telesyn contact information for technical support as well as sales or corporate information.

Online Support

You can request technical support online by accessing the Allied Telesyn Knowledge Base from the following web site: www.alliedtelesyn.com/kb. You can use the Knowledge Base to submit questions to our technical support staff and review answers to previously asked questions.
Chapter 1
Getting Started

This chapter introduces the Allied Telesyn AT-WA7500 and AT-WA7501 access points, explains their features, and describes how you can use them to expand your data collection network.
Which Allied Telesyn Access Products Does This Manual Support?

This system manual supports the AT-WA7500 and AT-WA7501 access points with software release 2.2.
Overview of the AT-WA7500 and AT-WA7501 Access Point Products

The Allied Telesyn AT-WA7500 and AT-WA7501 access points deliver reliable and seamless wireless performance to almost any operational environment. They are designed for standards-based connectivity and they support industry standard IEEE 802.11g, 802.11b, and 802.11a wireless technologies. The AT-WA7500 and AT-WA7501 access points with an IEEE 802.
[Figure 1. Diagram labels: Management and Configuration, Multiport Bridge, MIB, DHCP, Agent, Forwarding Database, Spanning Tree, TCP/IP, TFTP, File System, HTTP, Wireless ARP Server, Bridging, Telnet, Configuration Settings, Ethernet Port, Radio Port 1, Radio Port 2, IP Port, Configuration Port, RS-232 Connector, Ethernet Connection, Antenna Connection]
Features

This table lists the features of the access points.

Table 1. Access Point Feature Comparison

Feature                                   AT-WA7500                   AT-WA7501
Access Point                              Yes                         Yes
Point-to-Point Bridge (Wireless Bridge)   Yes                         Yes
Wireless Access Point (WAP) or Repeater   Yes                         Yes
Secure Wireless Hops (SWAP)               Yes                         Yes
Secure Wireless Hops (TLS or TTLS)        Yes                         Yes
Radios                                    802.11g* 802.11b 802.11a    802.11g* 802.11b 802.
Table 1. Access Point Feature Comparison (Continued)

Feature               AT-WA7500   AT-WA7501
Power Over Ethernet   Yes         Yes
Heater Option         No          Yes

* The 802.11g radio is sometimes referred to as the 802.11b/g radio because it can be configured to communicate with any 802.11b and 802.11g radios that have the same SSID and security settings. For details, see “About the Radios” on page 97.

Other features of all access points include:

What’s New for Software Releases 2.
reservation (including a fragmentation threshold and a reservation threshold).

AT-WA7500 Configuration Wizard: You can use the configuration wizard to help you configure and maintain your access point network.

Ability to configure different SSIDs to use different authentication servers.

Understanding the LEDs

The AT-WA7500 and AT-WA7501 access points have five LEDs. To understand the LEDs during normal use, see the next table.
This illustration shows the LEDs that are on the AT-WA7501 access point. For help understanding these LEDs, see the LED Descriptions table on page 17.

[Figure 2. AT-WA7501 LEDs. Labels: Power, Wireless #1, Wireless #2, Allied Telesyn Readiness Indicator, Wired LAN]

This illustration shows the LEDs that are on the AT-WA7500 access point. For help understanding these LEDs, see the LED Descriptions table on page 17.
Understanding the Ports

The access point may have up to four ports.

Table 3. Port Descriptions

Port: Power (Not AT-WA7500, optional AT-WA7501)
Description: Used with an appropriate power cable, this port connects the access point to an AC power source.

Port: Serial
Description: Used with an RS-232 null-modem cable, this port connects the access point to a terminal or PC to perform configuration.

Port: Ethernet
Description: 10BaseT/100BaseTx port.
[Figure 4. AT-WA7501 Ports. Labels: Cable access door, Power port (optional), Serial port, 10BaseT/100BaseTx Ethernet port, Fiber optic port (optional)]

The AT-WA7500 ports are located on the bottom of the access point. This illustration shows the ports that are on the AT-WA7500. For help understanding these ports, see the Port Descriptions table on page 19.

[Figure 5. Labels: 10BaseT/100BaseTx Ethernet port, Serial port]
How the Access Point Fits in Your Network

In general, the access point forwards data from wireless end devices to the wired Ethernet network. You can also use the access point as a point-to-point bridge, or if your access point has two radios, you can use it as a point-to-multipoint bridge or a WAP. Use the access point in the following locations and environments.

Table 4.
In a simple wireless network, the access point that is connected to the wired network serves as a transparent bridge between the wired network and wireless end devices.

To install a simple wireless network

1. Configure the initial IP address. For help, see “Configuring the Access Point (Setting the IP Address)” on page 38.
2. Install the access point. For help, see Chapter 2, “Getting Started” on page 11.
3. Configure the Ethernet network.
Allied Telesyn recommends that you always implement some type of security.

Using Multiple Access Points and Roaming Wireless End Devices

For larger or more complex environments, you can install multiple access points so wireless end devices can roam from one access point to another. Multiple access points establish coverage areas or cells similar to those of a cellular telephone network.
2. Configure the LAN ID. For help, see “Configuring the Spanning Tree Parameters” on page 136.
3. Configure one of the access points to be a root access point. For help, see “About the Primary LAN and the Root Access Point” on page 131.
4. If your network has a switch that is not IEEE 802.1d-compliant and is located between access points, configure data link tunneling. For help, see “About Ethernet Bridging/Data Link Tunneling” on page 134.

Example - Configuring an 802.
Table 6. 802.11g Access Points Parameter Settings

Screen                   Parameter                       AP1 802.11g Radio (Root)   AP2 802.11g Radio   AP3 802.11g Radio
802.11g Radio            Node Type                       Master                     Master              Master
802.11g Radio            SSID                            Op3rat!ons                 Op3rat!ons          Op3rat!ons
Spanning Tree Settings   LAN ID                          0                          0                   0
Spanning Tree Settings   Root Priority                   5                          4                   3
Spanning Tree Settings   Ethernet Bridging Enabled       Checked                    Checked             Checked
Spanning Tree Settings   Secondary LAN Bridge Priority   0                          0                   0

The access points communicate with each other through the spanning tree.
[Figure 10. Access Point as a WAP. Labels: Ethernet, Host, Access point, WAP]

WAPs send data from end devices to the access points via wireless hops. Wireless hops are formed when data from end devices move from one access point to another access point through the radio ports. The master radio in the access point transmits hello messages, which allow the WAPs to attach to the spanning tree in the same way as access points.
3. (802.11g and 802.11b) Configure the station radio in the WAP to communicate with one of the master radio service sets in the access point:
   a. From the main menu, click the link corresponding to the station radio. The radio screen appears.
   b. In the Primary service set Node Type field, choose Station.
   c. In the Primary service set SSID (Network Name) field, type the SSID. In this example, the SSID is Manufacturing.
   d.
   e. In the Primary service set SSID (Network Name) field, type the SSID that matches the SSID of the end device radio. In this example, the SSID is Manufacturing.
7. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.
8. Configure the access point to be a root access point.
Table 7. 802.11g Access Point and WAP Parameter Settings

WAP 802.11g Radio-1 WAP 802.11b Radio-2 Parameter Access Point 802.11g 802.
Table 8. 802.11a Access Point and WAP Parameter Settings

Parameter                       Access Point 802.11a   WAP 802.11a
Allow Wireless Access Points    On Primary             On Primary
Primary Node Type               Master                 Master
SSID                            Manufacturing          Manufacturing
LAN ID                          11                     11
Root Priority                   5                      0
Ethernet Bridging Enabled       Checked                Checked
Secondary LAN Bridge Priority   0                      0

Screen 802.
with access points that are acting as point-to-point bridges.

[Figure 13. Access Points as Point-to-Point Bridges. Labels: Secondary LAN, Primary LAN, Host, Root, Designated bridge]

Point-to-point bridges send data from end devices on the secondary LAN to the root access point via wireless hops. Wireless hops are formed when data from end devices move from one access point to another access point through the radio ports.
You may also need to adjust the flooding parameters. Here are some recommendations:

- If there are no end devices on the secondary LAN, the bridge on the secondary LAN can use the default flooding settings. The Secondary LAN Flooding parameter is disabled.
- If there are end devices on the secondary LAN, the bridge on the secondary LAN should have Secondary LAN Flooding parameter set to Multicast. If you also want unicast flooding, you can set this parameter to Enabled.
   c. In the Secondary LAN Bridge Priority field, enter a number other than zero.
   d. In the Secondary LAN Flooding field, choose Enabled.
6. Configure the spanning tree settings for the point-to-point bridge on the primary LAN.
   a. From the main menu, click Spanning Tree Settings. The Spanning Tree Settings screen appears.
   b. In the Root Priority field, enter a number other than 0.
   c. In the Secondary LAN Bridge Priority field, enter 0.
   d.
   c. In the Primary service set Node Type field, choose Master.
   d. In the Primary service set SSID (Network Name) field, type the SSID. In this example, the SSID is Manufacturing.
   e. Click Submit Changes.
10. Configure the spanning tree settings for the point-to-point bridge on the primary LAN:
   a. From the main menu, click Spanning Tree Settings. The Spanning Tree Settings screen appears.
   b. In the Root Priority field, enter a number other than 0.
   c.
Table 9. 802.11g Point-to-Point Bridges Parameter Settings

Screen Parameter Bridge Primary LAN (Root) Bridge Secondary LAN (Designated Bridge) 802.
Example - Configuring an 802.11a Point-to-Multipoint Bridge

In this example, each access point only has one 802.11a radio. Since the 802.11a radio can function as a master and a station, wireless end devices can communicate with either access point.

[Figure 15. 802.11a Point-to-Point Bridges. Labels: Secondary LAN, Primary LAN, Host, Root, Designated bridge]

Table 10. 802.
Using Dual Radio Access Points for Redundancy

You can configure AT-WA7500 units and AT-WA7501 units that have two 802.11g radios, two 802.11b radios, or two 802.11a radios to provide redundancy for your network. During normal operations, end devices send frames to the master radio in one of the access points, which bridges the frames to the wired network.
Configuring the Access Point (Setting the IP Address)

The access point will work out of the box if you are using a DHCP server to assign it an IP address. By default, the access point is configured to be a DHCP client and will respond to offers from any DHCP server. However, if you are not using a DHCP server to assign an IP address, you can use:

- the Allied Telesyn AT-WA7500 Configuration Wizard, but you need to know the access point IP addresses.
To use the Allied Telesyn AT-WA7500 Configuration Wizard

Note: To use the AT-WA7500 Configuration Wizard, you must have a PC that is running Windows 95-OSR2/98SE/ME or Windows NT4/2000/XP.

1. Install the AT-WA7500 Configuration Wizard on your PC. The wizard can be downloaded either from the documentation CD that is shipped with the access point, or from the ATI web site.
2. Extract the .zip file, double-click the .
5. Proceed with the IP Address configuration by following the on-screen menus.

Using a Communications Program

You can use a communications program (such as HyperTerminal) to set the initial IP address for the access point. After you configure the IP address, you can continue to use the communications program to set other parameters or you can use a web browser or a telnet session to complete the configuration.
4. Press Enter when the message “Starting system” appears on your PC screen. The Username field appears.
5. In the Username field type the default user name “atilan”, and then press Enter. The user name is case sensitive.
6. In the Password field type the default password “atilan”, and then press Enter. The password is case sensitive. The Access Point Configuration menu appears.
7. Press Enter to access the TCP/IP Settings menu.
8.
IP Address - A unique IP address.
IP Subnet Mask - The subnet mask that matches the other devices in your network.
IP Router (Gateway) - If the access point will communicate with devices on another subnet, enter the address of the router that will forward frames.

Or, if you are using a DHCP server to automatically assign an IP address to your access point, configure these parameters in the TCP/IP Settings menu:

DHCP Mode - Set to
To use a web browser interface

1. Determine the IP address of the access point. If a DHCP server assigned the IP address, you must get the IP address from the DHCP server.
2. Start the web browser application.
3. Access the access point using one of these methods:
   - In the Address field (Internet Explorer) or in the Location field (Netscape Communicator), enter the IP address, and press Enter.
5. Click Login. The TCP/IP Settings screen appears. Your web browser session is established.

Note: Although you can use several different methods to manage the access point remotely, this manual assumes you are using a web browser.

Using a Telnet Session

After you have configured the IP address, you can configure, manage, and troubleshoot the access point from a remote location using a telnet session. Only one session can be active with the access point at a time.
2. From a command prompt, type:
   telnet IPaddress
   where IPaddress is the IP address of the access point.
3. Press Enter.
4. If necessary, enter the user name and press Enter. Then, enter the password and press Enter. The default user name is “atilan” and the default password is “atilan”. You can define a user name and password. For help, see “Setting Up Logins” on page 176. The Access Point Configuration menu appears.
Saving Configuration Changes

When you are done configuring the access point, you may want to activate your changes immediately or you may want to save the changes now and activate them later. If you choose to activate the changes later, they will become active the next time the access point is booted.

Table 11. Access Point Configuration Files

Configuration File: Default
Description: This configuration file is the factory default configuration.
Using a Web Browser Interface

1. On the menu bar, click Save/Discard Changes. This screen appears.

[Screenshot callouts: Select to use new configuration settings immediately; Lists possible configuration changes that still need to be made; Select to use new configuration settings the next time you reboot the access point; Lists configuration changes that have been made]

2. Resolve any error messages listed under the heading Possible Configurations Errors.
Using a Telnet Session

1. From the Access Point Configuration menu, choose Save Configuration.
2. Choose Reboot to reboot the access point and immediately use your new active configuration.
Chapter 2
Installing the Access Points

This chapter explains how to install the Allied Telesyn AT-WA7500 and AT-WA7501 access points in your data collection network, provides some tips on how to position access points to improve your network performance, and provides some external antenna guidelines.
Installation Guidelines

Allied Telesyn recommends that you have an Allied Telesyn-certified RF specialist conduct a site survey to determine the ideal locations for all your Allied Telesyn wireless network devices. To conduct a proper site survey, you need to have special equipment and training.

The following general practices should be followed in any installation:

- Locate access points centrally within areas requiring coverage.
Other Access Points

Access points that are configured for the same frequency and that are in the same radio coverage area may interfere with each other and decrease throughput. You can reduce the chance of interference by configuring access points at least five channels apart, such as channels 1, 6, and 11.
Installing the AT-WA7501

You can place the AT-WA7501 horizontally or vertically on a desk or counter. If you want to mount the AT-WA7501 to a wall or beam using an Allied Telesyn mounting bracket kit, you need one of these mounting kits:

- Mounting bracket kit (to be purchased separately)
- Rotating mounting bracket kit (to be purchased separately)

To order one of these kits, contact your Allied Telesyn representative.
option. For help, see “Connecting to Your Fiber Optic Network” on page 55.

To connect the AT-WA7501 to the Ethernet network

Attach one end of the Ethernet cable to the 10BaseT/100BaseTx port on the AT-WA7501 and attach the other end to your Ethernet network or a power bridge (if you are using power over Ethernet), a Cisco power bridge or another 802.3af-compliant power bridge.

Connecting the AT-WA7501 to Power
Installing the AT-WA7500

You can place the AT-WA7500 horizontally on a desk or counter. The AT-WA7500 also ships with a mounting bracket that lets you mount it vertically to a wall. Additional mounting options that you can use with the mounting bracket include a cubicle bracket that lets you mount the AT-WA7500 on a cubicle wall or in a locking bracket.
Connecting to Your Fiber Optic Network

You can order your AT-WA7501 access point with a fiber optic option. Using an appropriate patch cord and adapter (as described in the next section), you can connect your access point to:

- an MT-RJ network.
- a square connector (SC) network.
- a straight tip (ST) network.

Using and Purchasing the Required Patch Cord and Adapter
Note: All cables must be multimode, 62.5/125 µm.

Connecting to an MT-RJ Network

To connect to an MT-RJ network, you need:

- a patch cord with a female MT-RJ connector to insert into the access point’s male MT-RJ fiber optic port, and another female MT-RJ connector to insert into the MT-RJ adapter.
- an adapter for connecting the patch cord to the MT-RJ network.

To connect to an MT-RJ network

1. Remove any cable protectors attached to the patch cord and adapter.
2. Connect the access point to your network as shown in the next two illustrations.

[Illustration labels: Female MT-RJ connector, To access point, SC connector, SC adapter, SC connector, Patch cord, To SC network]

Note: The patch cord shown above must connect to the access point with a female MT-RJ connector. For details, see “Using and Purchasing the Required Patch Cord and Adapter” on page 55.
- a patch cord with a female MT-RJ connector to insert into the access point’s male MT-RJ fiber optic port, and an ST connector to insert into the ST adapter.
- an adapter for connecting the patch cord to the ST network.

To connect to an ST network

1. Remove any cable protectors attached to the patch cord and adapter.
2. Connect the access point to your network as shown in the next illustration.
Connecting Power Over Ethernet

The AT-WA7500 is powered by power over Ethernet. The AT-WA7501 can be powered by AC power or by power over Ethernet or both. For all access points, you need a power bridge. For a list of the power bridges that Allied Telesyn sells, contact your local Allied Telesyn representative.

This illustration shows how you connect the AT-WA7500 to a power bridge with a typical Ethernet cable to run power over Ethernet.
External Antenna Placement Guidelines

Antennas and their placement play a vital role when installing a wireless network. Every wireless network environment presents its own unique obstacles. Therefore, the exact range that you will achieve with each access point is difficult to determine. Allied Telesyn recommends that you allow an Allied Telesyn-certified RF specialist to perform a site survey before you install a wireless network.
Allied Telesyn recommends that you use two antennas for each radio to achieve optimal performance (antenna diversity) of the radios.

Positioning Antennas for Dual Radio Access Points

Positioning Antennas for Antenna Diversity

In addition to the earlier antenna guidelines, if you have a dual radio access point, you need to also follow these recommendations:

- Cable the antennas at least 3.05 m (10 ft) from the access point.
- Follow the recommended antenna separation precisely when using the closest distances. Movement of as little as 3.05 cm (1.2 in) may strongly affect performance. You should choose the greatest distance possible within the constraints of your environment.

Stacked Antenna Positioning for Dual Radio Access Points

As an alternative to the physical separation of omni antennas, you can mount them along a single axis to minimize the antenna-to-antenna coupling.
When antenna diversity is enabled, both ports can receive, but only the primary port transmits. To achieve optimum placement for the two antennas, you must place the transmit/receive antenna so that it is within range of all the radios that the receive-only antenna can hear.

About Antenna Diversity for 802.11b Radios

The 802.11b radios support antenna diversity and it is automatically enabled when you have two antennas connected to one radio.
Chapter 3
Configuring the Ethernet Network

This chapter explains how to configure the AT-WA7500 and AT-WA7501 access points so that they communicate with your Ethernet network.
Configuring the TCP/IP Settings

If you are using a DHCP server to automatically assign an IP address to the access point, go to “Configuring the Access Point as a DHCP Client” on page 67. If you are not using a DHCP server, you need to manually assign some TCP/IP parameters.

Note: You should have already configured an IP address for the access point. For help, see “Configuring the Access Point (Setting the IP Address)” on page 38.
4. If you want to configure the access point as a NAT server, see “About Network Address Translation (NAT)” on page 75.
5. If you want to configure the access point to send ARP requests, see “Configuring the Access Point to Send ARP Requests” on page 76.
6. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot.
Table 13. TCP/IP Settings Descriptions (Continued)

Parameter: DNS Suffix 1
Explanation: Enter a domain name suffix that will be appended to DNS names that cannot be resolved. If the access point is a DHCP server, this is the only DNS suffix that is delivered to DHCP clients. For example, enter a suffix of UVW.COM. When you try to resolve ABC, the DNS will look for ABC.UVW.COM.
To configure the access point as a DHCP client

1. From the menu, click TCP/IP Settings. The TCP/IP Settings screen appears.
2. Configure the DHCP parameters to make this access point a DHCP client. For help, see the next table.

Note: If you set DHCP Mode to Disable DHCP and the IP address for this access point is 0.0.0.0, all IP communications are disabled for this access point.
3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.

Table 14.
Table 14. DHCP Client Parameter Descriptions (Continued)

Parameter: DHCP for Access Point Network
Explanation: Determines which DHCP servers may be used by access points and wireless devices:
- Use Any Available DHCP Server: Access points and wireless devices may receive DHCP responses and addresses from any available DHCP server.
To configure the access point as a DHCP server

1. From the menu, click TCP/IP Settings. The TCP/IP Settings screen appears.
2. Verify that the IP Address field, IP Subnet Mask field, and IP Router field are configured. For help, see “Configuring the TCP/IP Settings” on page 65.
3. Configure the DHCP parameters to make this access point a DHCP server. For help, see the next table.

Table 15.
Table 15. DHCP Server Parameter Descriptions (Continued)

Parameter: DHCP User Class
Explanation: Leave the field blank if you want this access point to respond to requests from any client. Or enter the DHCP user class identifier as defined in RFC 3004. When this access point acts as a DHCP server, the access point offers addresses to client requests only when the client requests contain a matching user class identifier.
5. From the menu, click DHCP Server Setup. The DHCP Server Setup screen appears.
6. Configure the DHCP server. For help, see the next table.
7. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.

Table 16.
Table 16. DHCP Server Setup Parameter Descriptions (Continued)

Parameter: Lease Time
Explanation: Specifies the duration of the leases that are granted by the DHCP server. Enter the lease time in the format days:hours:minutes. If you set the lease time to 0, infinite leases are granted.

Parameter: Permanently Save IP Address Mappings
Explanation: If you check this check box, the DHCP server stores permanent mappings of IP addresses to DHCP client identifiers.
Unsupported DHCP Server Options

When the access point is acting as a DHCP server, it does not support any DHCP options other than those listed. The DHCP server disregards any DHCP options that are not explicitly required by the DHCP specification. The DHCP server ignores all frames with a non-zero giaddr (gateway IP address). The DHCP server only responds to requests from its own subnet.
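The DHCP server rules stated above (DHCP User Class matching, requests with a non-zero giaddr ignored, own subnet only) written as a check over a raw DHCP request. This is an added illustration in Python, not Allied Telesyn firmware code; the function names, the SERVER address, the constructed sample packet, and the reading of "own subnet" as a test on a non-zero ciaddr are assumptions.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # start of the DHCP options field (RFC 2131)
OPT_PAD, OPT_USER_CLASS, OPT_END = 0, 77, 255
SERVER = ipaddress.IPv4Interface("192.168.1.1/24")   # constructed example address


def parse_request(packet: bytes) -> dict:
    """Extract the header fields and options that the rules depend on."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    fields = {
        "op": packet[0],
        "ciaddr": ipaddress.IPv4Address(packet[12:16]),
        "giaddr": ipaddress.IPv4Address(packet[24:28]),
        "options": {},
    }
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        fields["options"][code] = value
        i += 2 + length
    return fields


def user_classes(raw: bytes) -> list:
    """Decode option 77. RFC 3004 uses length-prefixed items; some clients
    send one bare string instead, so fall back to that reading when the
    length bytes do not add up."""
    items, i = [], 0
    while i < len(raw):
        n = raw[i]
        if n == 0 or i + 1 + n > len(raw):
            return [raw]
        items.append(raw[i + 1:i + 1 + n])
        i += 1 + n
    return items


def server_would_answer(packet, server=SERVER, required_class=""):
    """Apply the manual's stated rules; returns (decision, reason)."""
    req = parse_request(packet)
    if req["op"] != 1:
        return False, "not a client request"
    if int(req["giaddr"]) != 0:
        return False, "relayed (non-zero giaddr)"
    # Assumption: a renewing client outside the subnet is "not from its own subnet".
    if int(req["ciaddr"]) != 0 and req["ciaddr"] not in server.network:
        return False, "client address outside server subnet"
    if required_class:   # blank user class means any client is served
        offered = user_classes(req["options"].get(OPT_USER_CLASS, b""))
        if required_class.encode() not in offered:
            return False, "user class mismatch"
    return True, "eligible"


def build_request(giaddr="0.0.0.0", ciaddr="0.0.0.0", user_class=None):
    """Constructed sample: a minimal DHCPDISCOVER used to exercise the rules."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, 0x8000)
    header += ipaddress.IPv4Address(ciaddr).packed             # ciaddr
    header += bytes(8)                                         # yiaddr, siaddr
    header += ipaddress.IPv4Address(giaddr).packed             # giaddr
    header += bytes.fromhex("02000000aa01").ljust(16, b"\0")   # chaddr
    header += bytes(192)                                       # sname + file
    options = b"\x35\x01\x01"                                  # message type: DISCOVER
    if user_class is not None:
        options += bytes([OPT_USER_CLASS, len(user_class)]) + user_class
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


if __name__ == "__main__":
    samples = {
        "local broadcast": build_request(),
        "relayed": build_request(giaddr="10.0.5.1"),
        "RFC 3004 class": build_request(user_class=b"\x09WAREHOUSE"),
        "bare class string": build_request(user_class=b"WAREHOUSE"),
    }
    for name, pkt in samples.items():
        print(name, server_would_answer(pkt, SERVER, "WAREHOUSE"))
```

A non-blank user class narrows which clients are offered addresses, but any client can send option 77, so it is a filter and not an authentication control.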
To configure the access point as a NAT server

1. From the menu, click TCP/IP Settings. The TCP/IP Settings screen appears.
2. Verify that the IP Address field and IP Subnet Mask field are configured. For help, see “Configuring the TCP/IP Settings” on page 65.
3. In the DHCP Mode field, choose This AP is a DHCP Server.
4. Click Submit Changes to save your changes.
5.
Configuring Other Ethernet or Fiber Optic Settings

Many of the standard Ethernet or fiber optic settings are configured in the TCP/IP Settings screen. For help, see “Configuring the TCP/IP Settings” on page 65. In the Ethernet screen, you can set the port type, set the link speed, and enable or disable the link status check.

To configure the Ethernet or fiber optic settings

1. From the main menu, click Ethernet. The Ethernet screen appears.
2.
Table 17. Ethernet Parameter Descriptions

Parameter: Port Type
Explanation: Appears only if the access point has a fiber optic port. This field specifies the port that the access point uses to communicate with the Ethernet network:
10/100 Mb Twisted-Pair: The access point communicates with the Ethernet network through the Ethernet port.
100 Mb Fiber Optic: The access point communicates with the Ethernet network through the fiber optic port.
Configuring the Ethernet Address Table

If you have a secondary LAN, you should configure the Ethernet address table in the designated bridge or WAP on the secondary LAN. This table contains all the MAC addresses on the secondary LAN that are communicating with the primary LAN. You must enter the MAC addresses of all devices on the secondary LAN that do not always initiate communication.
Configuring Ethernet Filters

You can set both Ethernet and IP tunnel filters, and you can create protocol filters for both predefined and user-defined protocol types. In addition, you can define arbitrary frame filters based on frame content. Setting Ethernet filters prevents the Ethernet port from sending out unnecessary traffic to the wireless network.
To set frame type filters

1. From the main menu, click Ethernet > Frame Type Filters. The Frame Type Filters screen appears.
2. For each frame type field, check or clear the Allow/Pass check box to configure whether the frame type is allowed to pass or is dropped. If you check the check box, the frame type is allowed to pass. For help, see the next table.
3. For each frame type field, set the Scope field to Unlisted or All. For help, see the next table.
5. If you set the Scope field to Unlisted for any of the frame types, you must also configure predefined subtype filters or customizable subtype filters. For help, see the next section, “Using Predefined Subtype Filters” on page 83 or “Customizing Subtype Filters” on page 83.

Table 18.
Using Predefined Subtype Filters

You can configure the access point to pass or drop certain predefined frame subtypes.

To configure predefined subtype filters

1. From the main menu, click Ethernet > Predefined Subtype Filters. The Predefined Subtype Filters screen appears.
2. For each frame subtype field, check or clear the Allow/Pass check box to configure whether the frame subtype is allowed to pass or is dropped.
To customize subtype filters

1. From the main menu, click Ethernet > Customizable Subtype Filters. The Customizable Subtype Filters screen appears.
2. For each subtype field, check or clear the Allow/Pass check box to configure whether the subtype is allowed to pass or is dropped. If you check the check box, the subtype is allowed to pass.
3. In the SubType field, choose the customizable frame subtype. For help, see the next table.
4.
Table 19. Subtype Filter Descriptions (Continued)

SubType: Value
SNAP-IP-UDP-Port: Port value in hexadecimal.
SNAP-IP-Protocol: Port value in hexadecimal.
SNAP-IPX-Socket: Socket value in hexadecimal.
SNAP-EtherType: SNAP type in hexadecimal. To filter on both SNAP type and OUI, use advanced filters.
802.3-IPX-Socket: Socket value in hexadecimal.
802.2-IPX-Socket: Socket value in hexadecimal.
802.2-SAP: 802.2 SAP in hexadecimal.
Table 20. Example – Customizable Subtype Filter

Filter 1
Allow/Pass: Clear (drop)
Subtype: DIX-IP-UDP-Port
Value: 00 43
Explanation: This filter drops DHCP responses to wireless end devices communicating with this access point.

Filter 2
Allow/Pass: Clear (drop)
Subtype: DIX-IP-UDP-Port
Value: 00 44
Explanation: This filter drops DHCP requests from DHCP clients on the Ethernet network.
2. Enter up to 22 value IDs and values.
3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.

Setting Filter Expressions

You can set filter expressions by specifying parameters for frame filters.
2. Configure the filter expressions parameters. For help, see the next table.
3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.

Table 21. Filter Expressions Parameter Descriptions

Parameter: ExprSeq (Expression Sequence)
Explanation: Indicates the order in which the filters will be executed.
Table 21. Filter Expressions Parameter Descriptions (Continued)

Parameter: Mask
Explanation: Applies a data pattern to the frame. If the data pattern in the mask matches the frame, then the specific action is performed. The mask indicates the bits that are significant at the specified offset. A bit is significant if a bit in the mask is set to one.
Table 22. Example 1 - Filter Values

Value ID: 1
Value: ff ff ff ff ff ff
Description: Allows multicast traffic to enter the wireless network, which is necessary for IP end devices to communicate.

Value ID: 2
Value: 00 02 2d 04 b7 a4
Description: The MAC address of an end device you want to be able to communicate.

Value ID: 3
Value: 00 02 2d 0d 54 25
Description: The MAC address of an end device you want to be able to communicate.
For this example, set these filter expressions.

Table 23. Example 1 – Filter Expressions

Parameter: ExprSeq
Value: 10
Explanation: The order that you want the expressions executed. You must have an expression for each Value ID that is listed in the Filter Values menu.

Parameter: Offset
Value: 0
Explanation: Since the filter is applied to the destination address, which is the first value in the frame, the offset is 0.
Example 2

This example shows how to use Ethernet filters to discard all DIX IP multicast frames except those from selected devices. Three entries have a value ID of 3 to demonstrate how to enter a list. All entries with the same value ID belong to the same list. For this example, set these filter values.

Table 24. Example 2 - Filter Values

Value ID: 1
Value: 08 00
Description: Check for a DIX IP frame.

Value ID: 2
Value: 01
Description: Check for a multicast frame.
Set the first filter expression as shown below.

Table 25. Example 2 – First Filter Expression

Parameter: ExprSeq
Value: 1
Explanation: The first expression that is executed. You must have an expression for each Value ID that is listed in the Filter Values menu.

Parameter: Offset
Value: 0
Explanation: Since the filter is applied to the destination address, which is the first value in the frame, the offset is 0.

Parameter: Mask
Value: 01
Explanation: Checks only the Ethernet multicast bit.
Set the second filter expression as shown below.

Table 26. Example 2 – Second Filter Expression

Parameter: ExprSeq
Value: 2
Explanation: The second expression that is executed.

Parameter: Offset
Value: 12
Explanation: Checks for the DIX IP frame type, which starts 12 bytes from the destination address.

Parameter: Mask
Value: ff ff
Explanation: Checks the 2-byte DIX IP frame type for an exact match.
Set the third filter expression as shown below.

Table 27. Example 2 – Third Filter Expression

Parameter: ExprSeq
Value: 3
Explanation: The third expression that is executed.

Parameter: Offset
Value: 6
Explanation: Checks the source Ethernet address, which starts 6 bytes from the destination address.

Parameter: Mask
Value: ff ff ff ff ff ff
Explanation: Checks the 6-byte source Ethernet address for an exact match.
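Example 2 modelled in Python as an added illustration (not code from this guide or from the access point firmware): each expression compares the masked bytes at its offset against every entry in a value list. The pass/drop/next chaining, the field names on_match and on_miss, and the three Value ID 3 source addresses are assumptions, because the page does not show them.

```python
from dataclasses import dataclass

# Filter values: entries that share a value ID form one list.
# IDs 1 and 2 are the values from Table 24. The three ID 3 entries are not
# shown on the page, so these source MAC addresses are constructed.
FILTER_VALUES = {
    1: [bytes.fromhex("0800")],                  # DIX IP frame type
    2: [bytes.fromhex("01")],                    # Ethernet multicast bit
    3: [bytes.fromhex("020000000001"),
        bytes.fromhex("020000000002"),
        bytes.fromhex("020000000003")],
}


@dataclass(frozen=True)
class Expression:
    seq: int         # ExprSeq: evaluation order
    offset: int      # bytes from the start of the destination address
    mask: bytes      # a 1 bit marks a significant bit at that offset
    value_id: int    # which value list to compare against
    on_match: str    # assumed actions: "next", "pass" or "drop"
    on_miss: str


# Offsets, masks and value IDs follow Tables 25 to 27; the actions are assumed.
EXAMPLE_2 = [
    Expression(1, 0, bytes.fromhex("01"), 2, "next", "pass"),
    Expression(2, 12, bytes.fromhex("ffff"), 1, "next", "pass"),
    Expression(3, 6, bytes.fromhex("ffffffffffff"), 3, "pass", "drop"),
]


def validate(expressions, values):
    """Reject expressions whose value list is missing or has the wrong width."""
    for expr in expressions:
        if expr.value_id not in values:
            raise ValueError(f"ExprSeq {expr.seq}: no value with ID {expr.value_id}")
        for value in values[expr.value_id]:
            if len(value) != len(expr.mask):
                raise ValueError(f"ExprSeq {expr.seq}: value and mask lengths differ")


def matches(frame, expr, values):
    """True if the masked bytes at the offset equal any masked list entry."""
    window = frame[expr.offset:expr.offset + len(expr.mask)]
    if len(window) < len(expr.mask):
        return False                             # frame too short to compare
    masked = bytes(b & m for b, m in zip(window, expr.mask))
    return any(
        masked == bytes(v & m for v, m in zip(value, expr.mask))
        for value in values[expr.value_id]
    )


def evaluate(frame, expressions=EXAMPLE_2, values=FILTER_VALUES):
    """Run the expressions in ExprSeq order and return "pass" or "drop"."""
    validate(expressions, values)
    for expr in sorted(expressions, key=lambda e: e.seq):
        outcome = expr.on_match if matches(frame, expr, values) else expr.on_miss
        if outcome != "next":
            return outcome
    return "pass"                                # nothing decided: pass the frame


def dix_frame(dst, src, ethertype, payload=b"\x00" * 46):
    """Build a constructed DIX (Ethernet II) frame from hex strings."""
    return bytes.fromhex(dst) + bytes.fromhex(src) + bytes.fromhex(ethertype) + payload
```

Because the first mask is 01, only the low bit of the first destination byte is compared, so broadcast frames are treated the same way as multicast frames.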
Chapter 4 Configuring the Radios

This chapter explains how to configure the radios in the AT-WA7500 and AT-WA7501 access points so that they communicate with your wireless end devices. This chapter covers these topics:

“About the Radios” on page 97
“Configuring the 802.11g Radio” on page 98
“Configuring the 802.11b Radio” on page 110
“Configuring the 802.
About the Radios

The AT-WA7500 and AT-WA7501 access points may contain one or two radios. You can use access points that contain two different types of radios to support two different types of wireless networks, such as legacy networks. You can use access points with two of the same type of radios as WAPs, as point-to-multipoint bridges, to increase throughput in a busy network, or to provide redundancy.

Table 28.
Configuring the 802.11g Radio

You can configure the 802.11g radio to communicate with other 802.11g and 802.11b radios that have the same:

SSID (Network Name)
Security

For each radio, you can assign up to four service sets, creating one primary service set and up to three secondary service sets. Each service set shares the same Advanced Configuration and Inbound Filters settings, but you can customize the security settings.
2. Configure the parameters for the radio. For help, see the next table.
3. Configure the advanced parameters for the radio. For help, see “Configuring 802.11g Radio Advanced Parameters” on page 102.
4. (Master only) Configure inbound filters. For help, see “Configuring 802.11g Radio Inbound Filters” on page 107.
5. Click Submit Changes to save your changes.
Table 29. 802.11g Radio Parameter Descriptions (Continued)

Parameter: Node Type
Explanation: Configure the 802.11g radio to master, station, or disabled:
Master: The radio always operates in Master mode. The radio becomes active to accept connections for wireless devices when the access point joins the spanning tree. All service sets to be configured for a VLAN must be set to Master.
Station: The radio always operates in Station mode.
Table 30. Worldwide Frequencies for 802.11g and 802.
Configuring 802.11g Radio Advanced Parameters

You can configure advanced parameters for the 802.11g radio primary service set. These settings are shared by any secondary service sets defined for the radio.

To configure advanced parameters

1. From the main menu, click 802.11g Radio > Advanced Configuration. The Advanced Configuration screen appears.
2. Configure the advanced parameters. For help, see the next table.
3. Click Submit Changes to save your changes.
Table 31. 802.11g Radio Advanced Parameter Descriptions

Parameter: Client Type/Performance
Description: Specifies if this radio will communicate with 802.11b and/or 802.11g radios:
11b/11g with range reliability (Not Wi-Fi): Allows clients with 802.11b or 802.11g radios. Parameters are adjusted for longer range. Basic rates are 1 or 2 Mbps. Extended rates are 6, 12, or 24 Mbps. Data rates are 1, 2, 5.
Table 31. 802.11g Radio Advanced Parameter Descriptions (Continued)

Parameter: Power Output Level*
Description: Set the transmitted power level:
Maximum (63 mW): Sets the output power to the highest level supported by the radio.
Medium (32 mW): Sets the output power to 3 dB lower than the highest level supported by the radio.
Low (16 mW): Sets the output power to a level higher than the minimum level supported by the radio.
Table 31. 802.11g Radio Advanced Parameter Descriptions (Continued)

Parameter: Fragmentation Threshold
Description: Specifies the largest data frame that can be transmitted without fragmentation. Range is 256 to 1600. On certain radios, the fragmentation does not occur unless the radio detects interference. Larger frame sizes can improve throughput on a reliable connection. Smaller frame sizes can improve throughput on a poor connection.
Table 31. 802.11g Radio Advanced Parameter Descriptions (Continued)

Parameter: Disallow SSID (Network Name) of ‘ANY’ (Master radio only)
Description: Determines if end devices that have their SSID set to ANY or left blank (empty) can associate with this radio. Clear this check box to allow these end devices to associate with this radio. Although allowing these end devices to associate is 802.11 compliant, it is not very secure.
Configuring 802.11g Radio Inbound Filters

You can configure inbound filters for the 802.11g radio primary service set. These settings are shared by any secondary service sets defined for the radio. You can filter different types of wireless traffic that the radio may receive. You may want to use this feature by itself or with an access control list (ACL) to help secure your network.
2. For each frame type, check or clear each check box. For help, see the next table.
3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.

Table 32. 802.
3. From the main menu, click Apply Hot Settings to save your changes to the “active” configuration file (as defined in “Saving Configuration Changes” on page 46). The Apply Hot Settings screen appears. This screen is read-only.

Configuring the 802.
Configuring the 802.11b Radio

The 802.11b radio will communicate with other 802.11b radios that have the same:

SSID (Network Name)
Security

To configure the 802.11b radio

1. From the main menu, click 802.11b Radio. The 802.11b Radio screen appears.
2. Configure the parameters for the radio. For help, see the next table.
3. Configure the advanced parameters for the radio. For help, see “Configuring 802.11b Radio Advanced Parameters” on page 112.
4.
Table 33. 802.11b Radio Parameter Descriptions

Parameter: Node Type
Description: Configure the 802.11b radio as a master or station. You can also disable the radio.

Parameter: SSID (Network Name)
Description: Enter the SSID (network name) for this radio. The network name is case sensitive and can be no more than 32 alphanumeric characters. 802.11b radios communicate with other 802.11b radios with the same SSID.
Configuring 802.11b Radio Advanced Parameters

1. From the main menu, click 802.11b Radio > Advanced Configuration. The Advanced Configuration screen appears.
2. Configure the advanced parameters. For help, see the next table.
3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.

Table 34. 802.
Table 34. 802.11b Radio Advanced Parameter Descriptions (Continued)

Parameter: Basic Rate
Description: Choose the rate at which the access point transmits multicast and beacon frames. In general, higher speeds mean shorter range and lower speeds mean longer range. Do not set this rate higher than the maximum rate at which your end devices can receive multicast frames. You can set this rate to 11, 5.5, 2, or 1 Mbps.
Table 34. 802.11b Radio Advanced Parameter Descriptions (Continued)

Parameter: Enable Load Balancing
Description: Determines if end devices can distribute their connections across multiple access points.

Parameter: Enable Medium Density Distribution
Description: Determines if these access point parameters (Enable Medium Reservation, Distance Between APs, Enable Microwave Oven Robustness) are distributed to end devices that support this feature.
Configuring 802.11b Radio Inbound Filters

When configuring a master radio, you can filter different types of wireless traffic that the radio may receive. You may want to use this feature by itself or with an access control list (ACL) to help secure your network. If you clear all the check boxes, the radio cannot communicate with any other radios.
3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.

Table 35. 802.11b Radio Inbound Filter Descriptions

Parameter: Allow IAPP
Description: Determines if this radio accepts IAPP (Inter Access Point Protocol) frames from other access point station radios. The IAPP frames must match Ethernet protocol 875c.
Configuring a SpectraLink Network

SpectraLink wireless telephone systems simplify network infrastructure and network management by combining voice and data traffic over one wireless network, leveraging 802.11b wireless LAN technology. You use your SpectraLink telephone to make and receive calls, just like a regular telephone, subject to the restrictions of your PBX.
2. In the Data/Voice Settings field, choose either Data and SpectraLink Traffic or SpectraLink Traffic Only. For help, see “Configuring 802.11b Radio Advanced Parameters” on page 112.
3. Check the Allow Data Rate Fallback check box.
4. In the Basic Rate field:
If you are using a 2 Mbps SpectraLink telephone, set it to 2 Mbps.
If you are using a 1 Mbps SpectraLink telephone, set it to 1 Mbps.
5. Click Submit Changes to save your changes.
Configuring the 802.11a Radio

The 802.11a radio will communicate with other 802.11a radios that have the same:

SSID (Network Name)
Security

For each radio, you can assign up to four SSIDs, creating one primary service set and up to three secondary service sets. Each service set shares the same Advanced Configuration and Inbound Filters settings, but you can customize the security settings.
If your screen does not look like the previous one, your primary service set may be configured as station (instead of master), so that the secondary service sets are not available, as shown next.

2. Configure the parameters for the radio. For help, see the next table.
3. Configure the advanced parameters for the radio. For help, see “Configuring 802.11a Radio Advanced Parameters” on page 124.
4. (Master only) Configure inbound filters. For help, see “Configuring 802.
5. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.
6. (Optional) Configure security by clicking Configure security settings for this radio. For help, see Chapter 6, “Configuring Security” on page 169.

Table 37. 802.
Table 37. 802.11a Radio Parameter Descriptions (Continued)

Parameter: Node Type
Explanation: Configure the 802.11a radio to master, station, or disabled:
Master: The radio operates in Master mode when it sees the root access point on its Ethernet port. If it cannot see the root, it operates in Master/Station mode and tries to find the root through its radio port.
Station: The radio always operates in Station mode.
Disabled: The radio is disabled.
Table 38. Worldwide Frequencies for the 802.
Configuring 802.11a Radio Advanced Parameters

1. From the main menu, click 802.11a Radio > Advanced Configuration. The Advanced Configuration screen appears.
2. Configure the advanced parameters. For help, see the next table.
3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.

Table 39. 802.
Table 39. 802.11a Radio Advanced Parameter Descriptions (Continued)

Parameter: Data Rate
Description: Choose the rate at which the access point transmits data. In general, higher speeds mean shorter range and lower speeds mean longer range. If you choose the Speed Mode to be 802.11 compliant, you can set this rate to 54, 48, 36, 24, 12, or 6 Mbps.
Table 39. 802.11a Radio Advanced Parameter Descriptions (Continued)

Parameter: Disallow SSID (Network Name) of ‘ANY’ (Master radio only)
Description: Determines if end devices that have their SSID (Network Name) set to ANY or left blank can associate with this access point. Clear this check box to allow these end devices to associate with this access point. Although allowing these end devices to associate is 802.11 compliant, it is not very secure.
Note: If any of the devices are also DHCP clients, you need to check the Allow DHCP check box.

To configure 802.11a radio inbound filters

1. From the main menu, click 802.11a Radio > Inbound Filters. The Inbound Filters screen appears.
2. For each frame type, check or clear each check box. For help, see the next table.
3. Click Submit Changes to save your changes.
Table 40. 802.11a Radio Inbound Filter Descriptions (Continued)

Parameter: Allow DHCP
Description: Determines if this radio accepts DHCP frames. The DHCP frames must match UDP destination port 67 and ARP. Check this check box if the end devices are DHCP clients.

Parameter: Allow All Other Protocols
Description: Determines if this radio accepts all other protocols that are not filtered by one of the filters in this screen.
Chapter 5 Configuring the Spanning Tree

This chapter explains how to configure the AT-WA7500 and AT-WA7501 access points so that they create a spanning tree topology.
About the Access Point Spanning Tree

AT-WA7500 and AT-WA7501 access points with the same LAN ID arrange themselves into a self-organized network using a spanning tree topology. The spanning tree provides efficient, loop-free forwarding of frames through the network and allows efficient roaming of wireless end devices. It contains at least a primary LAN and a root access point, but it may also contain secondary LANs, designated bridges, and other access points.
About the Primary LAN and the Root Access Point

The primary LAN (also called the root IP subnet) contains the root access point, which initiates the spanning tree. When choosing the primary LAN, ideally you should choose the IP subnet that contains gateways or servers for the wireless end devices. However, these gateways and servers may also be on another subnet.
3. Configure the LAN ID. All access points that want to participate in the spanning tree must have the same LAN ID.
4. Set the Root Priority parameter to be the highest number of all access points on the primary LAN. Verify that the Enable Ethernet Bridging check box is checked. The range is 1 to 7. The value 1 is the highest priority.
5. Verify that the Secondary LAN Bridge Priority is zero.
6. Verify that the Secondary LAN Flooding parameter is Disabled.
7.
The designated bridge must be configured so that the Secondary LAN Bridge Priority value is a non-zero number. The designated bridge must have at least one radio set to Station mode, or the designated bridge must be the endpoint of an IP tunnel (as defined in “About IP Tunnels” on page 140). If more than one access point meets these requirements, the access point with the highest secondary LAN bridge priority is the designated bridge.
About Ethernet Bridging/Data Link Tunneling

Ethernet bridging means forwarding a frame received on the radio port to the Ethernet port, and vice versa. In this default mode, the access point acts as a bridge between the wireless and wired networks.

Note: Allied Telesyn recommends that you enable Ethernet bridging on all access points.
3. On all other access points on the primary LAN, clear the Enable Ethernet Bridging check box.
4. Make sure that the Root Priority parameter for all other access points is less than that of the root access point. The range is 1 to 7. The value 1 is the highest priority.

To enable data link tunneling on the secondary LAN

1. Make sure that all access points have the same LAN ID as the ones on the primary LAN.
2.
Configuring the Spanning Tree Parameters

When you configure the spanning tree parameters, you identify the access point as part of the spanning tree. That is, you specify if this access point is a root, or a candidate to become a root, or a designated bridge, or a candidate to become a designated bridge. You also specify if the access point uses Ethernet bridging to forward frames between the wired and wireless networks.
4. (Optional) Configure security by clicking Configure Spanning Tree Security. For help, see “Creating a Secure Spanning Tree” on page 181.

Table 42. Spanning Tree Parameter Descriptions

Parameter: AP Name
Explanation: Enter a unique name for this access point. The name can be from 1 to 16 characters. The default is the access point serial number.

Parameter: LAN ID (Domain)
Explanation: Enter the LAN ID.
Table 42. Spanning Tree Parameter Descriptions (Continued)

Parameter: Rightmost LED Behavior
Explanation: Choosing Spanning Tree Root Indicator causes the LED to blink if the access point is configured as the root and remain on if an error is detected.

Parameter: Enable Ethernet Bridging
Explanation: Determines how frames from end devices are moved between the wired and wireless networks. For more details, see “About Ethernet Bridging/Data Link Tunneling” on page 134.
Table 42. Spanning Tree Parameter Descriptions (Continued)

Parameter: Secondary LAN Flooding (Outbound)
Explanation: Appears for Designated Bridge only. Specifies the types of frames it forwards from the primary LAN to the secondary LAN:
Disabled: No flooding occurs unless the root access point (in the Global Flooding screen) enables the Multicast or Unicast Outbound to Secondary LANs parameter.
About IP Tunnels

The physical boundary of a network is usually defined by the existence of an IP router. Before IP tunnel technology was developed, wireless end devices could only operate within the limited coverage area of their own network and could not roam across IP subnet boundaries. Using IP tunnel technology, end devices can roam across IP subnet boundaries.
[Figure labels: Host, Root, AP2, Primary LAN (root IP subnet), IP router, IP network, IP router, Designated bridge, AP4, AP5, Secondary LAN (remote IP subnet)]

IP tunnels use encapsulation to establish a virtual LAN (VLAN) segment through IP routers. The VLAN segment includes the root IP subnet and logically extends to include end devices attached to access points on remote IP subnets. IP tunnels are branches in the spanning tree topology.
When an access point at the endpoint of the IP tunnel receives data from an end device, it uses a standard IP protocol called Generic Routing Encapsulation (GRE) to encapsulate the data into a frame. These encapsulated IP/GRE frames use normal IP routing to pass through IP routers to the root access point. The root access point unencapsulates the frame and forwards it to the host.
2. Make sure that the root access point and the access point at the endpoint of the IP tunnel have the same LAN ID.
3. On the root access point, set the Mode parameter to Originate if Root. For help configuring a root access point, see “About the Primary LAN and the Root Access Point” on page 131.
4. On the access point at the endpoint of the IP tunnel, set the Mode parameter to Listen.
5. On the root access point, click IP Tunnels > IP Addresses.
Using One IP Multicast Address for Multiple IP Tunnels

IP tunneling supports IP multicast and Internet Group Management Protocol (IGMP). IP multicast provides an ideal way to distribute IP hello messages. These hello messages are only forwarded to those IP subnets and IP hosts (such as access points) that participate in the multicast group. IP multicast has these advantages:

You do not have to know the unicast or directed broadcast IP addresses in advance.
3. Make sure that the root access point and the access point at the endpoint of the IP tunnel have the same LAN ID.
4. On the root access point, set the Mode parameter to Originate if Root. For help configuring a root access point, see “About the Primary LAN and the Root Access Point” on page 131.
5. On the access point at the endpoint of the IP tunnel, set the Mode parameter to Listen.
6. On the root access point, click IP Tunnels > IP Addresses.
away from their root IP subnet. Unicast frames are not flooded. Unicast frames are only forwarded outbound through an IP tunnel if the destination address identifies an end device that has roamed to a remote IP subnet. End devices attach to the root access point, which maintains entries for these devices in its forwarding database. The database entries indicate the correct subnet for outbound forwarding.
Frame Types That Are Never Forwarded

Certain frame types are never forwarded through IP tunnels. Frame types that are never forwarded include IP frames used for coordinating routers and MAC frames used for coordinating bridges. Other frame types that are never forwarded include: 802.
Configuring IP Tunnels

For guidelines, see “About IP Tunnels” on page 140.

To configure the IP Tunnels screen

1. From the main menu, click IP Tunnels. The IP Tunnels screen appears.
2. Configure the IP tunnels parameters. For help, see the next table.
3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.
Table 43. IP Tunnel Parameter Descriptions (Continued)

Parameter: Allow IP Multicast
Explanation: Appears only if Mode parameter is Originate if Root. Determines if the root access point should forward IP multicast frames through its IP tunnels. Check this check box if you have a DHCP server issuing TCP/IP information to end devices.

Parameter: Enable IGMP
Explanation: Appears only if Mode parameter is Listen. Determines if IGMP is enabled or disabled.
2. If you enabled IGMP, enter the Class D IP multicast address. The default is 224.0.1.65.
3. Enter the IP addresses or DNS names of all the access points that can be the endpoints of IP tunnels.
4. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.
through an IP tunnel by the root access point unless the destination IP address belongs to the root IP subnet. (Frames are only forwarded outbound to end devices that have roamed away from the root IP subnet.) For detailed information about other frame types that are never forwarded, see “Frame Types That Are Never Forwarded” on page 147.
3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.
4. If you set the Scope field to Unlisted for any of the frame types, you must also configure predefined subtype filters or customizable subtype filters.
Using Predefined Subtype Filters

You can configure the access point to pass or drop certain predefined frame subtypes.

To configure predefined subtype filters

1. From the main menu, click IP Tunnels > Predefined Subtype Filters. The Predefined Subtype Filters screen appears.
2. For each frame subtype field, check or clear the check box to configure if the frame subtypes are passed or are dropped.
Subtype: Selects the frame subtype you wish to configure.
Value: The next table describes frame subtypes and their values. The value must be two hex pairs.

When a match is found between frame subtype and value, the specified action is taken.

To customize subtype filters

1. From the main menu, click IP Tunnels > Customizable Subtype Filters. The Customizable Subtype Filters screen appears.
2.
Table 45. Subtype Filter Descriptions (Continued)

Subtype: Value
DIX-IPX-Socket: Socket value in hexadecimal.
DIX-EtherType: Specify the registered DIX type in hexadecimal.
SNAP-IP-TCP-Port: Port value in hexadecimal.
SNAP-IP-UDP-Port: Port value in hexadecimal.
SNAP-IP-Protocol: Port value in hexadecimal.
SNAP-IPX-Socket: Socket value in hexadecimal.
SNAP-EtherType: SNAP type in hexadecimal.
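The subtype and value matching described above can be modelled as follows. This is an added example, not code from the guide or the access point firmware: it classifies a frame into the Table 45 subtype names and looks up a two-hex-pair value. The DIX-IP-* names (formed by analogy with the SNAP names), matching on the destination port or socket, most-specific-first precedence and the default action are assumptions, and the sample frames are constructed.

```python
import string
import struct

def parse_value(text):
    """Parse a filter value written as two hex pairs ('00 43' or '0043')."""
    compact = text.replace(" ", "")
    if len(compact) != 4 or any(c not in string.hexdigits for c in compact):
        raise ValueError(f"filter value must be two hex pairs, got {text!r}")
    return int(compact, 16)

def classify(frame):
    """Return the (subtype, value) keys a frame can match, least specific first."""
    if len(frame) < 14:
        return []
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    if type_or_len >= 0x0600:                        # DIX (Ethernet II) framing
        prefix, ethertype, payload = "DIX", type_or_len, frame[14:]
    elif len(frame) >= 22 and frame[14:17] == b"\xaa\xaa\x03":  # 802.3 with LLC/SNAP
        prefix = "SNAP"
        (ethertype,) = struct.unpack("!H", frame[20:22])
        payload = frame[22:]
    else:
        return []
    keys = [(f"{prefix}-EtherType", ethertype)]
    if ethertype == 0x0800 and len(payload) >= 20:   # IPv4
        ihl = (payload[0] & 0x0F) * 4
        proto = payload[9]
        (frag,) = struct.unpack("!H", payload[6:8])
        keys.append((f"{prefix}-IP-Protocol", proto))
        # Only the first fragment carries the TCP/UDP header, so later
        # fragments can never match a port filter.
        first_fragment = (frag & 0x1FFF) == 0
        if proto in (6, 17) and first_fragment and ihl >= 20 and len(payload) >= ihl + 4:
            (dport,) = struct.unpack("!H", payload[ihl + 2:ihl + 4])
            keys.append((f"{prefix}-IP-{'TCP' if proto == 6 else 'UDP'}-Port", dport))
    elif ethertype == 0x8137 and len(payload) >= 18:  # IPX: destination socket at offset 16
        (sock,) = struct.unpack("!H", payload[16:18])
        keys.append((f"{prefix}-IPX-Socket", sock))
    return keys

def decide(frame, filters, default="pass"):
    """Return the action of the most specific matching filter (assumed precedence)."""
    for key in reversed(classify(frame)):
        if key in filters:
            return filters[key]
    return default

def ipv4_udp(sport, dport, frag=0):
    """Build a minimal constructed IPv4/UDP packet (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, frag, 64, 17, 0,
                     bytes(4), b"\xff" * 4)
    return ip + struct.pack("!HHHH", sport, dport, 8, 0)

# Constructed sample frames: a DHCP request in DIX and in SNAP framing,
# and a non-first IP fragment of the same flow.
MACS = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
DHCP_DIX = MACS + struct.pack("!H", 0x0800) + ipv4_udp(68, 67)
DHCP_SNAP = (MACS + struct.pack("!H", 8 + 28) + b"\xaa\xaa\x03\x00\x00\x00"
             + struct.pack("!H", 0x0800) + ipv4_udp(68, 67))
LATER_FRAGMENT = MACS + struct.pack("!H", 0x0800) + ipv4_udp(68, 67, frag=1)

# Hypothetical filter table: pass DHCP server port 0x0043, drop other DIX IP.
FILTERS = {
    ("DIX-IP-UDP-Port", parse_value("00 43")): "pass",
    ("DIX-EtherType", parse_value("08 00")): "drop",
}

if __name__ == "__main__":
    for name, frame in [("DIX DHCP", DHCP_DIX), ("SNAP DHCP", DHCP_SNAP),
                        ("later fragment", LATER_FRAGMENT)]:
        print(name, classify(frame), decide(frame, FILTERS))
```

The later-fragment case shows why a port-only pass rule does not cover fragmented datagrams: the fragment falls through to the broader EtherType rule.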
Filter Examples

These examples illustrate how to set both Ethernet and IP tunnel filters to optimize network performance. The next illustration includes:

- wireless end devices using TCP/IP to communicate with other devices.
- a secondary LAN containing IP and IPX hosts, linked by AP2 and AP4.
- an IPX router connecting to another Novell network.
- DIX and 802.3 SNAP frames.

This illustration shows a typical network that will be used in the next examples.
Example 1

The root (AP1), AP3, AP5, and AP6 service only wireless end devices. These access points need to pass IP traffic, but not pass IPX traffic that does not need to be forwarded to the primary or secondary LAN. For this example, set these options on the Ethernet Frame Type Filters screen. No subtype filters are needed.

Example 2

AP2 and AP4 (designated bridge) service end devices and the IP host and IPX host on the secondary LAN.
For this example, set these options on the Ethernet Frame Type Filters screen. In the Predefined Subtype Filters screen, set the 802.2-IPX-RIP field to drop 802.2, DIX, and 802.3 frames.
Example 3

If you have a DHCP server on a Windows NT server and you want to use this DHCP server to assign TCP/IP parameters to end devices on a remote IP subnet, you need to set these filters to allow for the necessary IP tunneling.

1. On the root access point, set these filters:
   - On the IP Tunnels screen, check the Allow IP Multicast check box.
   - In the IP Tunnel Frame Type Filter table, configure DIX-IP-UDP Ports to pass all frames.
2.
Comparing IP Tunnels to Mobile IP

The AT-WA7500 and AT-WA7501 access points support IP tunneling, which allows end devices to roam across different subnets (routers) without having to change IP addresses. IP tunneling supports IETF RFC 1701 using GRE and the same encapsulation technique as mobile IP.
Table 46. IP Tunnels and Mobile IP Comparison (Continued)

Issue: Special network software
IP Tunneling: Standard network feature. No additional network software is required.
Mobile IP: Requires home and foreign agents located on each network or subnetwork.
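Because the tunnels use GRE as defined in RFC 1701, tunnel traffic between access points appears on the wired network as IPv4 protocol 47. The following added example (not from the guide) parses the RFC 1701 header with its optional fields; the function names, addresses and sample packets are constructed, and the guide does not state which protocol type or optional fields the access points send.

```python
import socket
import struct

GRE_IP_PROTO = 47  # IPv4 protocol number assigned to GRE

def _need(buf, end):
    """Raise if the buffer is shorter than the header needs."""
    if len(buf) < end:
        raise ValueError("truncated GRE header")

def parse_gre(buf):
    """Parse an RFC 1701 GRE header; return its fields and the payload offset."""
    _need(buf, 4)
    flags, proto = struct.unpack("!HH", buf[:4])
    hdr = {
        "checksum_present": bool(flags & 0x8000),
        "routing_present": bool(flags & 0x4000),
        "key_present": bool(flags & 0x2000),
        "sequence_present": bool(flags & 0x1000),
        "strict_source_route": bool(flags & 0x0800),
        "recursion": (flags >> 8) & 0x07,
        "version": flags & 0x07,
        "protocol_type": proto,
    }
    if hdr["version"] != 0:
        raise ValueError("GRE version is not 0, so this is not an RFC 1701 header")
    off = 4
    # Checksum and Offset are both present if either the C or the R bit is set.
    if flags & 0xC000:
        _need(buf, off + 4)
        hdr["checksum"], hdr["offset"] = struct.unpack("!HH", buf[off:off + 4])
        off += 4
    if hdr["key_present"]:
        _need(buf, off + 4)
        (hdr["key"],) = struct.unpack("!I", buf[off:off + 4])
        off += 4
    if hdr["sequence_present"]:
        _need(buf, off + 4)
        (hdr["sequence"],) = struct.unpack("!I", buf[off:off + 4])
        off += 4
    if hdr["routing_present"]:
        # Walk Source Route Entries until the NULL entry (family 0, length 0).
        while True:
            _need(buf, off + 4)
            family, _sre_offset, sre_len = struct.unpack("!HBB", buf[off:off + 4])
            off += 4
            if family == 0 and sre_len == 0:
                break
            _need(buf, off + sre_len)
            off += sre_len
    hdr["payload_offset"] = off
    return hdr

def gre_from_ipv4(packet):
    """Return the parsed GRE header of an IPv4 packet, or None if it is not GRE."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    if packet[9] != GRE_IP_PROTO:
        return None
    hdr = parse_gre(packet[ihl:])
    hdr["outer_src"] = socket.inet_ntoa(packet[12:16])
    hdr["outer_dst"] = socket.inet_ntoa(packet[16:20])
    hdr["inner"] = packet[ihl + hdr["payload_offset"]:]
    return hdr

# Constructed sample: outer IPv4 header (documentation addresses) carrying a
# GRE header with Key and Sequence Number, then five bytes of inner payload.
_OUTER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 37, 0, 0, 64, GRE_IP_PROTO, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.20"))
SAMPLE = _OUTER + struct.pack("!HHII", 0x3000, 0x0800, 0x11223344, 7) + b"inner"

# Constructed GRE header with the Routing bit set: Checksum/Offset, one
# 4-byte Source Route Entry, the NULL entry, then one payload byte.
ROUTED = (struct.pack("!HHHH", 0x4000, 0x0800, 0, 0)
          + struct.pack("!HBB4s", 0x0800, 0, 4, bytes(4)) + bytes(4) + b"x")

if __name__ == "__main__":
    print(gre_from_ipv4(SAMPLE))
    print(parse_gre(ROUTED))
```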
Configuring Global Parameters

Global parameters are configured on the root access point and on any other access point that is a root candidate (does not have a root priority of 0). The root access point sends these settings to all other access points in the spanning tree. You should set the same global parameters for the root access point and its backup candidates.
2. Configure the Global Flooding parameters. For help, see the next table.
3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.

Table 47.
Table 47. Global Flooding Parameter Descriptions (Continued)

Parameter: Allow Multicast Outbound to Terminals
Explanation: Appears only if Multicast Flooding is enabled. Determines if outbound multicast frames with unknown destination addresses are flooded toward end devices.

Parameter: Unicast Flooding
Explanation: Determines the flooding structure when this access point receives inbound unicast frames on non-root ports with unknown destination addresses:
Table 47. Global Flooding Parameter Descriptions (Continued)

Parameter: Enable ARP Flooding
Explanation: Check this check box to enable ARP flooding. When an access point receives an ARP request, it checks its ARP cache to determine if the destination end device’s IP address is known.
The Global RF Parameters screen appears.

Click to set the global RF

2. Configure the global RF parameters. Click the links in the Global RF Parameters menu to set more parameters. For help, see the next table.
3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.

Table 48. Global RF Parameter Descriptions

Parameter: Perform RFC1042/DIX Conversion
Explanation: Determines how the access point will handle the conversion of RFC1042/DIX frames that are received on its radio ports.
Table 48. Global RF Parameter Descriptions (Continued)

Parameter: S-UHF/902 MHz Awake Time (S-UHF and 902 MHz radios only)
Explanation: Specifies the amount of time that a wireless end device stays awake when radios are inactive. A sleeping device is less responsive to radio activity; however, the longer a device is kept fully awake, the larger the drain on the battery.

Parameter: RFC1042 Types to Pass Through (802.11g, 802.11b, or 802.11a radios only)
Chapter 6 Configuring Security

This chapter explains how to use different security solutions to ensure that you have a secure wireless network.
Understanding Security

The AT-WA7500 and AT-WA7501 access points provide many different security features and solutions that you can use to create a secure wireless network. To create a secure wireless network, you need to be concerned about:

- securing your backbone. Only authorized users should be able to communicate with your network.
- keeping your data private. Make it difficult for an eavesdropper, such as a rogue access point, to monitor your data.
These security features and solutions are listed below in the order of amount of security and ease of use (most basic/least secure to most secure). Allied Telesyn recommends you configure your wireless network for the maximum possible security that you deem necessary for the integrity of your network.

1. Change the SSID from its default value of ATILAN and check the Disallow Network Name of ‘ANY’ check box.
Use an 802.1x security solution. 802.1x security provides a framework to authenticate user traffic to a protected wireless network. Using 802.1x security provides secure data transmission by creating a secure spanning tree and dynamically rotating the WEP keys. You configure the access point as an authenticator. For the authentication server, you can either use an external RADIUS server or you can use the access point’s embedded authentication server (EAS).
802.11b radio is configured with no security and you expect it to associate with the secondary 1 service set. However, when the end device receives the beacon from the access point that indicates that some type of security is being used, the end device does not communicate with the access point.
Controlling Access to Access Point Menus

There are several ways that you can manage who can configure and manage the access points in your network:

- Enable/disable access methods.
- Set up individual logins.
- Change the default logins and create a read-only login.

The next sections explain how to implement these strategies.
To enable or disable access methods

1. From the main menu, click Security. The Security screen appears.
2. Enable or disable the access methods that users can use to connect to the access point. For help, see the next table.
3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.

Table 50.
Table 50. Security Parameter Descriptions (Continued)

Parameter: Allow Telnet Access (Port 23)
Description: Determines if users can use a telnet session (or communications program) to configure or manage this access point. Do not clear this check box if you plan to configure the Telnet Gateway and allow wireless clients to upgrade the access point over the telnet port. For details, see page 210.
Note: Each time the service password login attempt fails, the process may take up to 8 seconds.

If you do not want to enable RADIUS authorization, you should change the default login user name and password. You may also want to change the read-only password. For help, see “Changing the Default Login” on page 178.
5. Configure the password server by clicking Select a RADIUS server for login authorization. The RADIUS Server List screen appears.
6. For each password server, enter the IP address or DNS name, enter the shared secret key, port number, and check the Login check box.

Note: If you enter more than one password server, see page 130 for a description of how the access point uses the servers.

7.
To set up logins

1. From the main menu, click Security > Passwords. The Passwords screen appears.
2. Verify that the Use RADIUS for Login Authorization check box is cleared.
3. Click Submit Changes to save your changes.
4. Configure the parameters. For help, see the next table.
5. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot.
Table 51. Password Parameter Descriptions

Parameter: Use RADIUS for Login Authorization
Description: Determines if you are using a password server to authenticate end devices that can communicate with this access point. Clear this check box.

Parameter: User Name
Description: Enter the user name you need to use to log in to this access point. This parameter can be from 0 to 16 characters long.
Creating a Secure Spanning Tree

When you configure a radio to use 802.1x security, you automatically enable spanning tree security, which can be used for both wired and wireless access points (WAPs). However, if you configure a radio to use another security solution, you may want to still create a secure spanning tree. A secure spanning tree has two functions:

1. To require authentication of any access point attempting to join the spanning tree.
2.
To create a secure spanning tree

Note: You do not need to perform this procedure if you are implementing an 802.1x security solution. 802.1x authentication automatically enables secure IAPP and secure wireless hops. See “Implementing an 802.1x Security Solution” on page 192.

1. From the main menu, click Security > Spanning Tree Security. The Spanning Tree Security screen appears.
2. Check the Secure IAPP check box.
3. Click Submit Changes to save your changes.
4.
6. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.
7. Repeat Steps 1 through 6 for each access point in your spanning tree. All access points must have the same IAPP secret key to communicate with each other.
Enabling Secure Communications Between Access Points and End Devices

There are several ways that you can ensure secure communications between access points and wireless end devices in your network:

- Use an access control list (ACL).
- Configure virtual LANs (VLANs).
- Configure WEP 64/128/152 security.
- Implement an 802.1x security solution.
- Configure Wi-Fi Protected Access (WPA) security.

The next sections explain how to configure these methods.
To use an ACL

1. From the main menu, click Security and then click the radio service set you are configuring. The appropriate radio screen appears.
2. Check the Enable ACL Client Authorization check box if you want to use an ACL to authorize end devices to communicate with the network.
3. Click Submit Changes to save your changes.
4.
7. Configure the RADIUS server by clicking Select a RADIUS server for ACL authorization. The RADIUS Server List screen appears.
8. For each RADIUS server, enter the IP address or DNS name, enter the shared secret key, port number, and check the ACL or Login check box.

Note: If you enter more than one server, see page 130 for a description of how the access point uses the servers.

9. Configure the database.
Configuring VLANs

Virtual LANs (VLANs) make it easy to create and manage logical groups of wireless end devices that communicate as if they were on the same LAN. You can group all wireless users on a particular VLAN in order to manage the IP address space differently. Or, you can use VLANs to separate secure and non-secure traffic.
To configure a VLAN

1. From the main menu, click Spanning Tree Settings. The Spanning Tree Settings screen appears.
2. Check or clear the Enable GVRP for VLAN check box:
   - Check the check box if the VLAN switch is configured to dynamically configure its ports based on the end devices’ needs.
   - Clear the check box if the VLAN switch is statically configured to always forward specific VLANs to specific ports.
3. Click Submit Changes to save your changes.
4.
5. Under the Security link, click the radio service set you want to configure for the VLAN. This screen appears.
6. In the VLAN field, enter the VLAN number that encapsulates all frames received on this radio port. This value must match the values that are set in the VLAN-capable Ethernet switches on the primary LAN.

Note: The value in the VLAN field is also called the VLAN tag.

7.
Since static WEP keys can be difficult to update, the AT-WA7500 and AT-WA7501 access products let you enter up to four WEP keys, and then pick a WEP transmit key (1-4). It is easier to rotate the WEP transmit key than to individually change all the WEP keys.

802.11g and 802.11b radios support WEP 64/128 security, and 802.11a radios support 64/128/152 security:

- WEP 64 has four 40-bit encryption keys and one 24-bit initialization vector (IV) key.
3. Click Submit Changes to save your changes. This screen appears.
4. Configure the parameters for WEP configuration. To ensure maximum security, configure each WEP key with a different WEP code. For help, see the next table.
5. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.

Table 52.
Implementing an 802.1x Security Solution

You can implement 802.1x security in your network. The IEEE 802.1x standard provides an authentication protocol for 802.11 LANs. 802.1x provides strong authentication, access control, and key management, and lets wireless networks scale by allowing centralized authentication of wireless end devices. The 802.
Any device with an EAP-TLS supplicant (end device or child access point) needs both the CA certificate and the server certificate. If the child access point is using SWAP and is an authenticator, it does not need any certificates loaded on it. Only the authentication server and supplicants need certificates. If the access point has two radios, or if the access point contains one 802.11g or 802.
2. In the Security Level field, select Dynamic WEP/802.1x.
3. Click Submit Changes to save your changes. This screen appears.
4. In the Key Rotation Period (Minutes) field, enter how often (in minutes) the access point generates a new WEP key to distribute to the end devices.
5. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.
6. Configure the RADIUS server by clicking Select a RADIUS server for 802.1x authentication. The RADIUS Server List screen appears.
7.
Enabling Secure Communications Between Access Points

When you configure a radio to use 802.1x security, you automatically enable spanning tree security, which can be used for both wired access points and WAPs. A secure spanning tree has two functions:

1. To require authentication of any access point attempting to join the spanning tree.
2. To provide encryption of critical Inter-Access Point Protocol (IAPP) frames.
SWAP. Note that SWAP authentication is susceptible to downgrade attacks from rogue supplicants as it is easier to break SWAP than TLS or TTLS.

Configuring Spanning Tree Security

Note: If you are implementing an 802.1x security solution, secure IAPP and secure wireless hops are automatically enabled.

1. From the main menu, click Security > Spanning Tree Security. The Spanning Tree Security screen appears.
2.
5. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.
6. Repeat Steps 1 through 5 for each access point in your spanning tree. All access points must have the same IAPP secret key to communicate with each other.

In the access point that contains the master radio, click Maintenance > AP Connections.
Configuring WiFi Protected Access (WPA) Security

Wi-Fi Protected Access (WPA) is a strongly enhanced, interoperable Wi-Fi security that addresses many of the vulnerabilities of Wired Equivalent Privacy (WEP). WPA bundles authentication, key management, data encryption, message integrity checks, and countermeasures in the event of a message attack into one implementation standard.
To configure WPA security

1. From the main menu, click Security and then click the radio service set you are configuring. The appropriate radio screen appears.
2. In the Security Level field, choose either WPA - PSK or WPA - 802.1x.
3. Click Submit Changes to save your changes. The screen changes, depending on the security level you choose. For help, see one of the next two screens.
4. Fill in the fields. For help, see one of the next two tables.
5.
To continue configuring WPA security for WPA – 802.1x mode

1. Configure the RADIUS server by clicking Select a RADIUS server for 802.1x authentication. The RADIUS Server List screen appears.
2. For each authentication server, enter the IP address or DNS name, enter the shared secret key, port number, and check the 802.1x check box.
Configuring WPA PSK Security

Table 54. WPA PSK Security Parameter Descriptions

Parameter: Multicast Encryption Type
Explanation: Indicates that TKIP is used as the data encryption method for broadcast and multicast for this radio port. A station connected to this port may not select a weaker encryption method to exchange unicast frames.

Parameter: Pre-shared Key
Explanation: Allows you to enter the pre-shared key for WPA.
Configuring WPA 802.1x Security

Table 55. WPA 802.1x Security Parameter Descriptions

Parameter: Multicast Encryption Type
Explanation: Allows you to select the data encryption method for broadcast and multicast for this radio port. A station connected to this port may not select a weaker encryption method to exchange unicast frames.

Parameter: Key Rotation Period (Minutes)
Explanation: Allows you to specify the key rotation policy for encryption keys when using WEP in 802.
Chapter 7 Configuring the Embedded Authentication Server (EAS)

This chapter explains how to configure the embedded authentication server (EAS) in your access point for different security solutions to ensure that you have a secure wireless network.
About the Embedded Authentication Server (EAS)

The AT-WA7500 and AT-WA7501 access points have an embedded authentication server (EAS), which is an internal RADIUS server. In your network, you can use the EAS on any access point. The EAS can act as:

- a password server that maintains a list of logins of users who can configure and manage the access point.
About Certificates

Certificates encrypt communication between the internal RADIUS server, RADIUS clients, and the supplicants and HTTPS clients. There are two types of certificates:

- The trusted certificate authority (CA) certificate (commonly referred to as the “root certificate” or “root cert”) is the public key. Trusted CA certificates can be in *.PEM format or *.CER format.

Understanding Which Access Points Need Certificates
representative. Or you can install certificates from a third-party certificate authority.

Note: Access points also come with a default server certificate (ValidforHTTPSOnly). This default certificate supports the secure web browser interface and provides basic security for clients running the TTLS authentication type.
Installing and Uninstalling Certificates

Once you have determined that you need to install a certificate, use this procedure.

To install certificates

1. From the main menu, click Security > Certificate Details. The Certificate Details screen appears.
2. Click Install certificates in the certificate store. The Import Certificate screen appears.

Note: If you are not using the secure web browser, you will be prompted to log in again.
To uninstall all certificates

Note: If you follow the procedure to uninstall all certificates, you will lose the unique server certificate and the trusted CA certificate. You will need to contact your local Allied Telesyn representative to purchase new certificates.

1. From the main menu, click Security > Certificate Details. The Certificate Details screen appears.
2. Click Uninstall All Certificates.
Configuring the EAS

Once you decide which access point will be configured to use its EAS, you need to enable the EAS on that access point and configure its database.

To configure the EAS

1. Install any certificates. For help, see “Installing and Uninstalling Certificates” on page 208.
2. On the access point that will contain the EAS, enable the EAS. For help, see “Enabling the EAS” in the next section.
3. Configure the EAS database.
To enable the EAS

1. Log in to the access point whose EAS you are enabling.
2. From the main menu, click Security > Embedded Authentication Server. The Embedded Authentication Server screen appears.
3. Check the Enable Server check box.
4. Click Submit Changes to save your changes.
5. Configure the parameters. For help, see the next table.
6. Click Submit Changes to save your changes.
Table 58. EAS Parameter Descriptions

Parameter: Enable Server
Explanation: Determines if you are using a password server to authenticate end devices that can communicate with this access point. Clear this check box.

Parameter: Default Secret Key
Explanation: Enter a default secret key that is used between the EAS and all access points. This secret key can be from 1 to 32 characters in ASCII or in hexadecimal.

Configuring the Database
Note: Allied Telesyn recommends that when you are done configuring the database, you export it and save the file in a safe place. If you restore the access point to its default configuration, the database is not saved. For help, see “Exporting and Importing Databases” on page 217.

To configure the database

1. Log in to the access point whose EAS you are using.
2. From the main menu, click Security > Embedded Authentication Server > Database.
8. Click Save/Discard changes, and then click Save Changes without Reboot.

Table 59. Embedded Authentication Server Entry Descriptions

Type Field: Login
Description: Enter user names and passwords for users who are authorized to configure and maintain access points using the password server.
Table 59. Embedded Authentication Server Entry Descriptions (Continued)

Type Field: 802.1x (TTLS/PEAP)
Description: Enter the login name and password of all end devices that are authorized to communicate with the 802.1x-enabled network. For more security, you should delete the user name “anonymous” and the password “anonymous.”
User Name Field: End device login name
Password Field: End device login password

Type Field: 802.
User Name Field: Client certificate common name
Password Field: None
4. Add users and devices to the database. For help see “Adding Entries to the Database” on page 216.

Table 60. Rejected List Values

Column: Type
Description: Lists the type of authentication that failed. The type can be: Login, ACL, TTLS/PAP, TTLS/CHAP, TTLS/EAP, TTLS/MSCHAP, TTLS/MSCHAP-V2, PEAP/MSCHAPV2, PEAP/GTC, or TLS.
Clearing the Rejected List

To clear the rejected list, you can either reboot the access point or perform these steps.

1. Click Select All Entries. A check box appears next to all entries.
2. Click Clear Selected Entries.

Exporting and Importing Databases

Note: Allied Telesyn recommends that you use the secure web browser interface (HTTPS) when you export and import databases. Otherwise, the information in the databases is sent in the clear.
3. If you are not using the secure web browser, click “A secure session is available.” Repeat Steps 1 and 2.
4. Click Export the EAS database from this access point. A File Download dialog box appears.
5. Make sure Save this file to disk is selected, and then click OK. The Save As dialog box appears.
6. Choose the location and filename of the database. If you use the *.CSV extension, you can import it into Microsoft Excel, which recognizes it as a comma separated text file.
7. Click Save.

To import a database

Note: As soon as you import the database, it is active.

1. Log in to the access point whose EAS you are using.
2. From the menu bar, click File Import/Export > Read or write the EAS RADIUS database. The EAS Database Import/Export screen appears.
Chapter 8 Managing, Troubleshooting, and Upgrading Access Points

This chapter explains how to manage, maintain, troubleshoot, and upgrade the access products.
Managing the Access Points

There are several methods that you can use to manage the access points:

- Wavelink Avalanche client management system: You can install the Wavelink Avalanche system to help you manage your wireless network. To use Avalanche, you need Avalanche Manager v3.0 or later. For help, see “Using the Wavelink Avalanche Client Management System” on page 221.
Table 61. Wavelink Avalanche Components (Continued)

Component: Console
Description: The administrative user interface that lets you configure and communicate with the Avalanche Agent. From the console, you can configure and monitor devices and build and install software packages and software collections.

The enabler is already installed on access points with software release 2.0 or later.
To configure your access points to use Avalanche

1. From the main menu, click Network Management. The Network Management page appears.
2. In the Avalanche Agent Name field, enter the IP address or DNS name of the console. Or, leave this field blank and the access point sends out a broadcast request looking for any available agent.
3. Click Submit Changes to save your changes.
4. From the main menu, click Security. The Security page appears.
5. Verify that the Allow Avalanche Access check box is checked.
6. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see “Saving Configuration Changes” on page 46.
7. Repeat Steps 1 through 6 for each access point.
3. Install the software package using the Avalanche Management Console.
4. Schedule access point updates or manually initiate an update using the console.

For more information on using the Wavelink Avalanche client management system, see the Wavelink Avalanche documentation and online help. Or, visit the Wavelink web site at www.wavelink.com.

Table 62. Avalanche Parameters

Parameter: Package Title
Explanation: A descriptive title of the application.
Using Simple Network Management Protocol (SNMP)

The access point can be managed using Simple Network Management Protocol (SNMP); that is, you access the access point from an SNMP management station. Contact your Allied Telesyn representative if you need to obtain a copy of the MIB. Before you can use an SNMP management station, you must define the access point’s SNMP community strings.

To configure the SNMP community strings

1.
AT-WA7500 and AT-WA7501 Installation and User’s Guide Table 63. SNMP Community Parameter Descriptions (Continued) Parameter SNMP Secret Community Description Specify a password that provides read and write access and lets the user change the community strings. This password can be from 1 to 15 characters and is case sensitive. The default is Secret.
Chapter 8: Managing, Troubleshooting, and Upgrading Access Points Maintaining the Access Points The Maintenance menu lets you view different parameters configured for the access point, including connections, port statistics, and a configuration summary. This information may be needed when you contact Allied Telesyn Technical Support. You can also view security events that are in the Security Events log, and then you can export them to a file.
AT-WA7500 and AT-WA7501 Installation and User’s Guide Table 64. AP Connections Screen Fields Display Field Spanning Tree Connection Status Description Indicates the current status of this access point in relation to the spanning tree: This access point is root: This access point has formed a spanning tree and is serving as root. Connected to root: This access point is participating in a spanning tree as a child directly connected to the root access point.
Chapter 8: Managing, Troubleshooting, and Upgrading Access Points Table 64. AP Connections Screen Fields (Continued) Display Field MAC Address Description Shows the address of the connected device. If another access point is connected to this access point, you see the Ethernet MAC address. If a WAP is connected to this access point, you see the radio MAC address. Click the hyperlink to perform a MAC ping or display a radio link statistics screen.
AT-WA7500 and AT-WA7501 Installation and User’s Guide Table 64. AP Connections Screen Fields (Continued) Display Field Port Description Displays the port through which the connection is established: E: Ethernet port 1, 1:1, 1:2, or 1:3: First radio slot (primary, secondary 1, secondary 2, or secondary 3). 2, 2:1, 2:2, or 2:3: Second radio slot (primary, secondary 1, secondary 2, or secondary 3). I: IP tunnel port.
To view AP neighbors

From the menu, click Maintenance > AP Neighbors. The AP Neighbors screen appears. For help interpreting the information on this read-only screen, see the next table.

Table 65. AP Neighbors Screen Fields
Display Field: Description
Address: Displays the MAC address of the originator of the contact.
Channel: Displays the channel advertised in the beacon.
AT-WA7500 and AT-WA7501 Installation and User’s Guide Table 65. AP Neighbors Screen Fields (Continued) Display Field Capabilities Description This information is derived from the capability information sent in the beacon. Capabilities may include: ESS: Set for an access point and cleared for an end device or ad-hoc device. IBSS: Cleared for an access point and set for an end device or ad-hoc device. Privacy: Indicates that encryption is required on this service set.
Viewing Port Statistics

The Port Statistics screen shows the total number of frames and bytes that the access point has received and transmitted since it was last booted. You can also view graphs of inbound and outbound packets for the port.

To view port statistics

From the menu, click Maintenance > Port Statistics. The Port Statistics screen appears. This screen is read-only.
AT-WA7500 and AT-WA7501 Installation and User’s Guide Viewing DHCP Status The DHCP Status screen shows a status report for the DHCP client or DHCP server. If the access point is a DHCP server and if the Permanently Save IP Address Mappings check box is checked, you can delete entries from the server’s permanent address map. To view DHCP status From the menu, click Maintenance > DHCP Status. The DHCP Status screen appears.
Viewing the Events Log

The Events Log screen shows the events that have been logged by this access point. These events are cleared when the access point loses power or is rebooted.

To view the Events Log

From the menu, click Maintenance > Events Log. The Events Log screen appears. For help understanding the events on this read-only screen, see the next table. Table 66.
AT-WA7500 and AT-WA7501 Installation and User’s Guide Viewing the About This Access Point Screen This screen shows information about the access point, such as the software version, radio versions, and MAC addresses. It also provides a configuration summary section, which can either show you the configuration settings that are different from the factory default settings or it can show you all the configuration settings. Also, you can view a processor utilization graph. To view About This Access Point 1.
4. Click the button under the Configuration Summary title to switch between displaying all configuration settings and displaying the configuration settings that are different from the factory default settings.

To view a processor utilization graph

1. From the main menu, click Maintenance > About This Access Point. The About This Access Point screen appears. This screen is read-only.
2. Click the Processor and Revision link.
AT-WA7500 and AT-WA7501 Installation and User’s Guide Restoring the Access Point to the Default Configuration You may need to restore the access point to the factory default configuration. For a list of the default settings, see Appendix B, “Default Settings.” To restore the access point to the default configuration, you can use the Web browser interface, as explained in the following procedure: 1. In the menu bar, click Save/Discard Changes. This screen appears. 2. Click Restore Factory Defaults.
Chapter 8: Managing, Troubleshooting, and Upgrading Access Points Troubleshooting the Access Points This section provides you with information on the installation, configuration, and operation of the access point. Using the Configuration Error Messages When you click Save/Discard Changes, the access point checks for potential problems with the network configuration and security settings. The access point displays error messages under the Possible Configuration Errors heading.
AT-WA7500 and AT-WA7501 Installation and User’s Guide 3. Click each error message to jump to the configuration screen where you can resolve the possible configuration error. The configuration error messages are listed in the next table. Most are self explanatory, but a few require additional information. Table 68. Alphabetized List of Configuration Error Messages Configuration Error Message Additional Information A RADIUS entry in the RADIUS database has a IP address but no secret key (password).
Chapter 8: Managing, Troubleshooting, and Upgrading Access Points Table 68. Alphabetized List of Configuration Error Messages (Continued) Configuration Error Message Additional Information All SSID values must be unique per physical radio. While configuring multiple service sets, you did not specify a unique SSID (network name) for each service set. For help, see “Configuring the 802.11g Radio” on page 98 or “Configuring the 802.11a Radio” on page 119.
AT-WA7500 and AT-WA7501 Installation and User’s Guide Table 68. Alphabetized List of Configuration Error Messages (Continued) Configuration Error Message Additional Information The access point is set to originate IP tunnels but no there are no tunnel IP addresses. On the IP Tunnels screen, Mode is set to Originate if Root, but no IP addresses have been added to the IP Addresses screen. Either change the mode or add some addresses.
Chapter 8: Managing, Troubleshooting, and Upgrading Access Points Table 68. Alphabetized List of Configuration Error Messages (Continued) Configuration Error Message Additional Information The IP Address and IP Router must share the same subnet. For help, see “Configuring the TCP/IP Settings” on page 65. The IP Subnet Mask is invalid. For help, see “Configuring the TCP/IP Settings” on page 65. The IP Subnet Mask should not be zero. For help, see “Configuring the TCP/IP Settings” on page 65.
Table 68. Alphabetized List of Configuration Error Messages (Continued)
Configuration Error Message: You have enabled the embedded authentication server but you have not installed a server certificate to identify this device.
Additional Information: You need to install a server certificate. For help, see “Installing and Uninstalling Certificates” on page 208.

Troubleshooting With the LEDs
Chapter 8: Managing, Troubleshooting, and Upgrading Access Points Table 69. MobileLAN access LED Boot Sequence for Release 2.2 (or later) (Continued) Only Boot ROM code is available on access point. Load new files. (Wireless #1 and #2 blink in unison.) LED On LED Off LED Flashing After the AT-WA7500 or AT-WA7501 successfully boots, the LEDs display one of these patterns: Table 70. AT-WA7500 and AT-WA7501 Normal LED Pattern After Booting (Blinks for wireless data traffic.
Table 71. General Troubleshooting (Continued)
Problem/Question: The Power LED is not on.
Possible Solution/Answer:
1. Make sure the power cable is firmly plugged into the AT-WA7501 access point and the power source. Or make sure the Ethernet cable is firmly plugged into the AT-WA7500 access point and the power over Ethernet bridge.
2. Verify that the power injector has power and will work with another access point at the port in question.
3.
Table 71. General Troubleshooting (Continued)
Problem/Question: You cannot connect to the access point using a web browser.
Possible Solution/Answer:
1. Verify that you are not using a crossover cable if connected to a hub or a switch. Verify that you are using a crossover cable if connected directly to the PC or server.
2. Verify that you did not disable the Browser Access field in the Security screen.
3.
AT-WA7500 and AT-WA7501 Installation and User’s Guide Table 71. General Troubleshooting (Continued) Problem/Question The end device cannot connect to the network. Possible Solution/Answer From the Maintenance menu, choose AP Connections and verify that the MAC address of your end device appears on your PC screen. If it does not appear, your end device is not communicating with the access point. Check your radio configuration settings.
Table 71. General Troubleshooting (Continued)
Problem/Question: You need to verify the static WEP keys.
Possible Solution/Answer: You cannot verify the WEP keys. The keys are encrypted after you enter them and are never displayed again. You may need to reconfigure your access points and end devices to reset the WEP keys.
Problem/Question: The filters are not filtering properly.
Possible Solution/Answer: Check all of your filter settings. Conflicts may exist between the various filters.
AT-WA7500 and AT-WA7501 Installation and User’s Guide Troubleshooting the Radios If you are having problems communicating with your wireless network, you can use the access point LEDs, error messages, Radio MAC Ping, or ICMP Echo to troubleshoot any radio problems. Using LEDs If the access point LEDs show the following pattern after it boots, the radio may be faulty or the configuration matrix string is incorrect. Contact your local Allied Telesyn representative to help you correct the problem. Table 72.
Chapter 8: Managing, Troubleshooting, and Upgrading Access Points In this table, “Radio A” refers to the radio in slot 1 and “Radio B” refers to the radio in slot 2. These error messages may appear for either radio. Table 73. Radio Error Messages Error Message Explanation Couldn’t read country code from radio A The radio may be faulty. Invalid country code in string for radio A The country code in the configuration matrix string does not match the country code in the radio in the access point.
AT-WA7500 and AT-WA7501 Installation and User’s Guide ping will have their MAC address listed with a hyperlink. 2. Click a MAC address hyperlink. The access point pings the device, and then this screen appears showing the results. By default, the Refresh Mode is Manual. To configure the software to refresh automatically at a set interval, click 10 Sec or 1 Min. By default, the Pings per refresh is None. To increase the number of pings that occur after each refresh, click 25 or 100. 3.
Chapter 8: Managing, Troubleshooting, and Upgrading Access Points Using ICMP Echo ICMP (Internet Control Message Protocol) echo lets you ping devices using their IP address. ICMP echo can only be used if the access point has determined the IP address of the end device or another access point. If the access point is acting as an ARP server, it will determine the IP addresses of the end devices that are attached to it and allow you to use ICMP echo on the wireless network.
AT-WA7500 and AT-WA7501 Installation and User’s Guide 2. Click an IP address hyperlink. The access point pings the device, and then the Ping Utility screen appears showing the results. Note The information on this screen varies with the type of request sent and the capabilities of the medium through which it is sent. Echo requests sent through different radios may report different results. 3. Click Return to connections to return to the AP Connections screen.
Chapter 8: Managing, Troubleshooting, and Upgrading Access Points To view the Security Events log From the menu, click Security > Security Events. The Security Events log appears. For help understanding the events, see the next table. Table 74. Security Events Log Description Column Description MAC Address Indicates the Ethernet MAC address of the device that caused the event. IP Address Indicates the IP address of the device that caused the event.
Note: If you use an SNMP management station or another network management tool, the age represents how much time had passed since the access point was booted when this event occurred.

Exporting the Security Events Log

You can export the Security Events log from the web browser interface to a comma-separated file. You can open this file using Microsoft Excel or Notepad.

To export the security events log

1. From the menu, click Security > Security Events.
Table 75. General Security Troubleshooting (Continued)
Problem/Question: You are implementing 802.1x security and you cannot get an end device to authenticate with a RADIUS server.
Possible Solution/Answer: Verify that the root access point is running software release 1.72 or later. Verify that the RADIUS server IP address is correct.

Recovering a Failed Access Point
AT-WA7500 and AT-WA7501 Installation and User’s Guide You can recover a failed access point using a Windows NT4/2000/XP PC. The procedure is explained in the next subsection. Using a Windows NT4/2000/XP PC You can use a Windows NT4/2000/XP PC and a command prompt to recover a failed access point. To access a command prompt, see your Windows documentation. For this procedure you will need to contact Allied Telesyn Technical Support to obtain the AP824X.DNL file. To recover a failed access point 1.
Once the TFTP transfer is complete, the access point will begin booting the image that was just passed to it. This image is only resident in RAM. If you reboot the access point or if the access point loses power, the AP824X.DNL image will be lost.

5. Type this command to remove the static ARP cache entry from your PC:

arp -d IPaddress

where IPaddress is the access point IP address you assigned in Step 1.
AT-WA7500 and AT-WA7501 Installation and User’s Guide Upgrading the Access Points For optimal performance, you should install the most current software version on all the access points in your network. To upgrade the software, you must copy the software release to your PC and then upload the release to your root access point and other access points. However, you can also configure the root access point to copy the release to all other access points in its spanning tree.
Chapter 8: Managing, Troubleshooting, and Upgrading Access Points Note If you have not already copied the upgrade file to your PC, follow the instructions in “Upgrading the Access Points” on page 261. 4. Click Upgrade to start the upgrade. The upgrade may take up to 3 minutes to complete. 5. When the upgrade is complete, click Save Changes and Reboot. When the access point is done rebooting, it is upgraded to the new software. Repeat this procedure for each access point you want to upgrade.
Chapter 9 Additional Access Point Features This chapter explains some of the more advanced ways that you can maintain the access points.
Chapter 9: Additional Access Point Features Understanding the Access Point Segments The AT-WA7500 and AT-WA7501 access points contain one flash memory segment, as well as temporary memory (RAM). Several of the commands described in this chapter require that you specify the segment where a file is located on the access point. To indicate the segment where the file is located, you precede the filename with either a segment number or name followed by a colon. For example, 1:ap824x.prg refers to the AP824X.
AT-WA7500 and AT-WA7501 Installation and User’s Guide Understanding Transparent Files The AT-WA7500 and AT-WA7501 access points with software release 2.2 support transparent files, which are files without file headers. Transparent files all have the date May 14, 2002 (5-14-2002) and have no version. The advantage of using file headers is that the date and file versions are correct when you use the FD command to view the directory. All provided .DNL files have file headers.
Chapter 9: Additional Access Point Features Using the AP Monitor The AP (access point ROM) monitor is system software that lets you manipulate the access point files and file segments. You can only access the AP monitor through the serial port using a communications program. Note Certain functions available through the AP monitor can erase the access point configuration. Allied Telesyn strongly recommends that you only use the AP monitor when absolutely necessary.
AT-WA7500 and AT-WA7501 Installation and User’s Guide To list AP monitor commands Press any key (except the letter B, which reboots the access point), and then press Enter. A list of AP monitor commands appears. B Purpose: Reboots the access point. Syntax: B FD Purpose: Displays the flash file system directory, including information about the boot file.
Chapter 9: Additional Access Point Features MR Purpose: Displays the manufacturing record for the access point. Use the MR command to display the MAC address, configuration string, and serial number for your access point. Syntax: MR SR Purpose: Sets the baud rate of the access point. Syntax: SR z where z is the baud rate. You must enter the baud rate as a whole number with no commas. For example, to enter a baud rate of 19,200, you must enter 19200.
To display CAM commands

Type any letter or number other than B and press Enter. The CAM commands appear on the screen.

Using Test Mode Commands

Within the AP monitor, Test mode lets you perform certain test functions. Because the commands can cause undesirable results if not properly executed, you should contact Technical Support for assistance if you are unsure about the proper procedure to use.

To enter Test mode

1. Type TEST and press Enter.
2.
To display test commands

Type any letter or number other than B and press Enter. The test commands appear on the screen.

Using Service Mode Commands

In Service mode, you can perform file functions and segment functions such as deleting a file, downloading a file using the Ymodem protocol, and erasing a segment.

To enter Service mode

1. At the ap prompt, type SRVC and press Enter.
2. Enter the service password.
AT-WA7500 and AT-WA7501 Installation and User’s Guide To list service commands Press any key (except the letter B, which reboots the access point), and then press Enter. The service commands appear on the screen. Many of the commands that are available in Service mode are also available in the AP monitor or Console Command mode. B Purpose: Reboots the access point. Syntax: B FB Purpose: Makes an inactive segment the active segment.
To make segment 2 the active boot segment and segment 4 the active data segment, enter:

FB 2 4

You can use an asterisk instead of a segment name if you want to leave that segment unchanged. For example, to leave the active boot segment unchanged and make segment 4 the active data segment, you could enter:

FB * 4

After loading software into the access point, a common task is to activate the new software.
AT-WA7500 and AT-WA7501 Installation and User’s Guide FDEL Purpose: Deletes a particular file. Note When you use the FDEL command, the file is marked as invalid and remains in the file system. To reclaim the file space, you must erase the entire segment. Use the FE command to erase a segment. Syntax: FDEL f (s) where: f is the name of the file to be deleted. s is the optional segment location of the file. Examples: To delete the file AP824X.PRG from the flash memory segment, enter: FDEL 1:AP824X.
To erase the contents of the memory card, enter:

FE APP:

FFR
Purpose: Runs a program f, from a location s.
Syntax: FFR f (s)
where:
f is the program name.
s is the optional segment location of the program.
Example: To run program UAPBOOT.PRG from the flash memory segment, enter:

FFR UAPBOOT.PRG 1

FI
Purpose: Reinitializes the access point file system. If the access point file system or a file segment becomes corrupt, use this command to reset it.
AT-WA7500 and AT-WA7501 Installation and User’s Guide where: f is the FPGA configuration filename. s is the optional segment where you want to load the configuration file.
Chapter 9: Additional Access Point Features Using Command Console Mode You can use the Command Console mode to manipulate some access point files and file segments. You can also use Command Console mode to upgrade access points using TFTP and script files. You access the Command Console mode through the serial port using a communications program or over the network using a telnet session. You cannot access Command Console mode using a web browser interface. Entering Command Console Mode 1.
Using the Commands

Several of these commands require that you enter filenames. To indicate the segment where the file is located, you precede the filename with either a segment number or name followed by a colon. For example, 1:ap824x.prg refers to the AP824X.PRG file located in segment 1.
Chapter 9: Additional Access Point Features FD Purpose: Displays the flash file system directory, which includes information about the boot file and file type: E (executable), D (data), and T (transparent). Use this command to ensure that the correct version of the file is in the active boot segment. For information about transparent files, see “Understanding Transparent Files” on page 265.
AT-WA7500 and AT-WA7501 Installation and User’s Guide FE Purpose: Erases all the files in a particular segment, including those that have been “deleted” with FDEL. To recover the files after they have been erased, you must reload them from another source. Note You must execute the FE command before you execute a TFTP transfer. Syntax: FE s where s is the segment to be erased. You can use any segment number or name (1, 2, 3, 4, id, ib, ad, or ab) to specify the one flash memory segment on the access point.
Chapter 9: Additional Access Point Features In general, TFTP client sessions should fail only if the server is not responding either because it is busy serving other clients or because it has not been started. In either case, the access point backoff algorithm should prevent excessive network traffic when many access points are trying to contact a TFTP server. TFTP GET Purpose: TFTP client requests a file from the TFTP server.
The following command gets file UAP.DNL from a directory on a PC server with IP address 1.2.3.4 and stores it in the flash memory segment on the access point.

TFTP GET 1.2.3.4 C:\STARTUP\UAP.DNL 1:

The access point may generate these error messages when it issues a TFTP GET command. Other error messages may be returned from the server and displayed by the access point. See your server documentation for additional information. Table 77.
Example: The following command takes file AP824X.PRG that is saved in the active boot drive on the access point client and stores it in the flash memory segment on the access point server that has IP address 1.2.3.4.

TFTP PUT 1.2.3.4 IB:AP824X.PRG 1:AP824X.PRG

The access point may generate these error messages when it issues a TFTP PUT command. Other error messages may be returned from the server and displayed by the access point.
AT-WA7500 and AT-WA7501 Installation and User’s Guide TFTP SERVER STOP Purpose: When you are done transferring files, you can stop the access point from being a TFTP server by using this command. Syntax: TFTP SERVER STOP After you issue this command, the access point no longer responds to TFTP client requests; however, current TFTP sessions with the server are allowed to complete. This table lists error messages that can be issued from the TFTP server.
Table 79. TFTP Server Stop
Error Message: Invalid opcode during write
Explanation: This error should not occur under normal operating conditions. This error indicates that the TFTP client does not conform to the protocol.

Using sdvars Commands

Use sdvars commands to manipulate certain software download variables. Sdvars commands support both GET and SET arguments.
AT-WA7500 and AT-WA7501 Installation and User’s Guide sdvars set starttime Purpose: Sets the internal variable starttime. Starttime is a countdown time; that is, when zero is reached, the software download process begins. Set this variable to reflect how far into the future the access point is to begin downloading and executing the script file from the TFTP server. When the timer reaches 0, the access point uses the values in serveripaddress and scriptfilename to get the script file that is to be executed.
sdvars set checkpoint 2
TFTP get * ap824x.prg 1
sdvars set checkpoint 3
reboot

When the software download is started, you can use SNMP to query its progress by reading the checkpoint variable. If the variable has a value of 2, you know that the access point is trying to execute the TFTP get statement. If the value is 3, you know the script has completed and the reboot was executed.
Example: To change the inactive boot and data segments to active at the next reboot, enter:

sdvars set setactivepointers both

sdvars set nextpoweruptime
Purpose: Sets the internal variable nextpoweruptime to a countdown time so that when 0 is reached, the access point will reboot.
Chapter 9: Additional Access Point Features Creating Script Files You can create a script file that executes a series of commands. For example, when you upgrade the access point, you typically need to erase the flash memory segment, download the new files, and reboot using the new software. You can create a script file to perform these commands. Script files are ASCII text files with a 32-byte file system header appended.
file tftp get * software\cert.dnl 1:
file tftp get * software\closed.dnl 1:
file tftp get * software\discinca.dnl 1:
file tftp get * software\easdb.dnl 1:
file tftp get * software\echo.dnl 1:
file tftp get * software\favicon.dnl 1:
file tftp get * software\file.dnl 1:
file tftp get * software\fileimp.dnl 1:
file tftp get * software\filemenu.dnl 1:
file tftp get * software\fpga8245.dnl 1:
file tftp get * software\fsys.
Chapter 9: Additional Access Point Features Legacy Sample Script for Upgrading Any Access Point This sample script file was created for older access points with multiple segments. Although this script specifies segments that do not exist on AT-WA7500 and AT-WA7501 access points, you can run this script on the access points without generating errors. For help understanding these commands, see the command descriptions in this chapter.
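The following linter is an added example, not one of the guide's sample scripts and not Allied Telesyn code. It checks an upgrade script against the rules stated in this chapter (FE must come before a TFTP transfer, and every segment name addresses the one flash segment) and maps each checkpoint value to the command the access point is attempting when SNMP reports that value. The function names, the sample scripts, the treatment of `file` as an optional prefix on any command, the rule that checkpoint values should increase, and the assumption that nothing after `reboot` runs are all choices made for this example.

```python
"""Lint an access point upgrade script before placing it on the TFTP server."""

# Every one of these names addresses the single flash segment (see the FE command).
FLASH_SEGMENTS = {"1", "2", "3", "4", "id", "ib", "ad", "ab"}

# Constructed samples, built only from commands shown in this chapter.
SAMPLE_OK = """\
sdvars set checkpoint 1
fe 1
sdvars set checkpoint 2
file tftp get * software\\cert.dnl 1:
file tftp get * software\\closed.dnl 1:
sdvars set checkpoint 3
reboot
"""

SAMPLE_BAD = """\
sdvars set checkpoint 2
TFTP get * ap824x.prg 1
sdvars set checkpoint 2
fe 1
reboot
sdvars set checkpoint 3
"""


def parse(script):
    """Return (line_number, tokens) for each non-blank line, without a 'file' prefix."""
    steps = []
    for line_no, raw in enumerate(script.splitlines(), 1):
        tokens = raw.split()
        if tokens and tokens[0].lower() == "file":  # assumption: prefix is optional
            tokens = tokens[1:]
        if tokens:
            steps.append((line_no, tokens))
    return steps


def segment_of(token):
    """'1:', '1:AP824X.PRG' and '1' all name segment '1'."""
    return token.split(":", 1)[0].lower()


def is_checkpoint(cmd):
    return cmd[:3] == ["sdvars", "set", "checkpoint"] and len(cmd) == 4


def lint(script):
    """Return a list of (line_number, message) findings; empty means clean."""
    findings = []
    erased = downloaded = False
    last_checkpoint = None
    reboot_line = None
    for line_no, tokens in parse(script):
        cmd = [t.lower() for t in tokens]
        if reboot_line is not None:
            findings.append((line_no, "unreachable: follows reboot on line %d" % reboot_line))
        elif cmd[0] == "fe" and len(cmd) == 2 and segment_of(cmd[1]) in FLASH_SEGMENTS:
            if downloaded:
                findings.append((line_no, "fe erases files downloaded earlier in this script"))
            erased, downloaded = True, False
        elif cmd[:2] == ["tftp", "get"] and len(cmd) >= 5:
            if segment_of(cmd[4]) in FLASH_SEGMENTS:
                if not erased:
                    findings.append((line_no, "tftp get into flash before fe"))
                downloaded = True
        elif is_checkpoint(cmd):
            if not cmd[3].isdigit():
                findings.append((line_no, "checkpoint value is not a number"))
            else:
                value = int(cmd[3])
                if last_checkpoint is not None and value <= last_checkpoint:
                    findings.append((line_no, "checkpoint %d does not increase (previous %d)"
                                     % (value, last_checkpoint)))
                last_checkpoint = value
        elif cmd == ["reboot"]:
            reboot_line = line_no
    return findings


def checkpoint_map(script):
    """Map each checkpoint value to the command that follows it in the script."""
    steps = parse(script)
    result = {}
    for index, (_, tokens) in enumerate(steps):
        cmd = [t.lower() for t in tokens]
        if is_checkpoint(cmd) and cmd[3].isdigit():
            following = " ".join(steps[index + 1][1]) if index + 1 < len(steps) else None
            result.setdefault(int(cmd[3]), following)  # first use of a value wins
    return result


if __name__ == "__main__":
    for name, text in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name)
        for line_no, message in lint(text):
            print("  line %d: %s" % (line_no, message))
        print("  checkpoints:", checkpoint_map(text))
```

A script that reuses a checkpoint value cannot be followed reliably from an SNMP management station, because the same reading then corresponds to two different steps.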
AT-WA7500 and AT-WA7501 Installation and User’s Guide Copying Files To and From the Access Point You can accomplish a variety of file import/export tasks from the File Import/Export screen. In the menu bar, click File Import/Export, and the File Import and Export screen appears.
Importing or Exporting an EAS RADIUS Database File

To import or export an EAS RADIUS database file

1. Click Read or write the EAS RADIUS database. The EAS Database Import/Export screen appears.
2. To import a file, enter or select the name of the database file to import and click Import Database.
Note: For details about the purpose and format of import files, scroll down this screen and read the help text.
3.
AT-WA7500 and AT-WA7501 Installation and User’s Guide Transferring Files Using Your Web Browser To transfer files to the access point using your web browser 1. Click Transfer files to this device using your browser. The File Import screen appears. 2. (Optional) You can type a filename in the first input field to specify the name that the file will have on the access point. To import a file to the memory card, use the app segment identifier alone (app) or with a file name (app:test.txt). 3.
Viewing and Copying Files Using Your Web Browser

To view and copy files from the access point using your web browser

1. Click View the file system directory from this device using your browser. The File System Directory screen appears.
Note: The segment column on this screen contains the identifier AB, which indicates the single flash memory segment on an access point. For help, see “Understanding the Access Point Segments” on page 264.
AT-WA7500 and AT-WA7501 Installation and User’s Guide Transferring Files to and from a TFTP Server To transfer files to and from a TFTP server 1. Click Transfer files to or from this device using the TFTP client. The TFTP Client screen appears. 2. In the Server IP Address field, enter the IP address or DNS name of the TFTP server. 3. In the Server File Name field, type the name in the format required by the operating system of the server. 4.
Chapter 9: Additional Access Point Features Starting or Stopping the TFTP Server To start or stop the TFTP server 1. Click Start or stop the TFTP server. The TFTP Server screen appears. 2. Click Stop Server to stop the TFTP server. Or click Start Server to start the TFTP server. You can also use the TFTP SERVER START and STOP commands, described on page 282, to start and stop the TFTP server.
AT-WA7500 and AT-WA7501 Installation and User’s Guide 2. In the Server IP Address field, type the IP address of an active TFTP server from which the software download script file will be retrieved. 3. In the Script File Name field, type the name of a file on the TFTP server that contains the commands that define the download process. 4. In the Start Time field, enter the time in the format dd:hh:mm:ss (days:hours:minutes:seconds).
Appendix A Specifications This appendix contains AT-WA7500 and AT-WA7501 specifications for reference purposes only. Actual product performance and compliance with local telecommunications regulations may vary from country to country. Allied Telesyn only ships products that are type approved in the destination country.
AT-7500 Access Point

Table 80. AT-7500 Technical Specifications

Dimensions HxLxW: 4.6 cm x 25.0 cm x 15.9 cm (1.8 in x 9.8 in x 6.3 in)
Weight: 526 g (1.
AT-7501 Access Point

Table 81. AT-7501 Technical Specifications

Dimensions HxLxW: 9.5 cm x 35.0 cm x 23.6 cm (3.8 in x 14.0 in x 5.8 in)
Weight: 2.63 kg (5.8 lb)
AC electrical rating:
  Standard: ~100 to 240V, 1.0 to 0.5A, 50 to 60 Hz
  Heater (optional): ~100 to 120V, 1.0A, 50 to 60 Hz or ~200 to 240V, 0.
Table 81. AT-7501 Technical Specifications

Serial port maximum data rate: 115,200 bps
Management interfaces: Web browser-based manager, text-based menu system, serial port, Telnet, SNMP
SNMP agent: RFC 1213 (MIB-2), RFC 1398 (dot3), RFC 1493 (Bridge), 802.11, 802.
Radio Specifications

IEEE 802.11g

Table 82. IEEE 802.11g Radio Technical Specifications

Frequency band: 2.4 to 2.5 GHz worldwide
Type: Direct sequence, spread spectrum
Modulation: Direct sequence, spread spectrum (CCK, DQPSK, DBPSK)
Power output: 63 mW (18 dBm)
Basic data rate: 11, 5.5, 2, and 1 Mbps
Extended data rate: 54, 48, 36, 24, 18, 12, 9, and 6 Mbps
Channels: 11 (North America), 13 (Europe), 4 (France), 14 (Japan).
Table 83. IEEE 802.11b Radio Technical Specifications

Channels: 11 (North America), 13 (Europe), 4 (France), 14 (Japan), 1 (Israel)
Range (11 Mbps):
  160 m (525 ft) open environment
  50 m (165 ft) semi-open environment
  24 m (80 ft) in closed environment
  Unlimited range with roaming
Receiver sensitivity (11 Mbps): -82 dBm
Security: IEEE 802.11 Wired Equivalent Privacy (WEP) standard, WEP 64, WEP 128, Wi-Fi Protected Access (WPA)

IEEE 802.11a

Table 84.
Table 84. IEEE 802.11a Radio Technical Specifications

Range (depending on environment):
  248 m (813.7 ft)
  240 m (787.4 ft)
  175 m (574.2 ft)
  132 m (433.1 ft)
  56 m (183.7 ft)
  37 m (121.4 ft)
  19 m (62.
Appendix B Default Settings

This appendix provides factory defaults for reference purposes only. The factory default settings for the access points are listed in this section. You can record the settings for your installation in each table for reference.
TCP/IP Settings Menu Defaults

Table 85. TCP/IP Settings Menu Defaults

Parameter Name | Range | Default
IP Address | 4 nodes, 0 to 255 or DNS name | 0.0.0.0
IP Subnet Mask | 4 nodes, 0 to 255 | 255.255.255.0
IP Router (Gateway) | 4 nodes, 0 to 255 | 0.0.0.0
DNS Address 1 | 4 nodes, 0 to 255 | 0.0.0.0
DNS Address 2 | 4 nodes, 0 to 255 | 0.0.0.
Table 85.
DHCP Server Setup Menu Defaults

Table 86. DHCP Server Setup Menu Defaults

Parameter Name | Range | Default
Low Address | 4 nodes, 0 to 255 | 10.10.10.100
High Address | 4 nodes, 0 to 255 | 10.10.10.199
Lease Time | days:hours:minutes | 0:00:20
Permanently Save IP Address Mappings | Check/Clear | Clear
IP Subnet Mask | 4 nodes, 0 to 255 | 255.255.255.
IEEE 802.11g Radio Menu Defaults

Table 87. 802.
Table 87. 802.11g Radio Menu Defaults

Parameter Name | Range | Default
Antenna Control | Two Antennas/One Antenna | One Antenna
Mixed Mode Performance | Optimize Mixed (802.11b and 802.11g), Optimize for 802.11g clients, Optimize for 802.11b clients | Optimize Mixed (802.11b and 802.
IEEE 802.11b Radio Menu Defaults

Table 88. 802.11b Radio Menu Defaults

Parameter Name | Range | Default | Your Site?
Node Type | Master, Station, Disabled | Master |
SSID (Network Name) | 0 to 32 characters | atilan |
Frequency | Channel 1 to 11, 2412 to 2462 MHz | Channel 03, 2422 MHz |
Advanced Configuration Parameters
Data Rate | 11, 5.5, 2, or 1 Mbps | 11 Mbps (High) |
Allow Data Rate Fallback | Check/Clear | Check |
Basic Rate | 11, 5.
Table 88. 802.
IEEE 802.11a Radio Menu Defaults

Table 89. 802.
Table 89. 802.
Spanning Tree Settings Menu Defaults

Table 90.
Global Flooding Menu Defaults

Table 91.
Global RF Parameters Menu Defaults

Table 92.
Table 92. Global RF Parameters Menu Defaults

Parameter Name | Range
3 through 20 | Two sets of hexadecimal pairs 00 through FF.
Telnet Gateway Configuration Menu Defaults

Table 93.
Ethernet Configuration Menu Defaults

Table 94. Ethernet Configuration Menu Defaults

Parameter Name | Range | Default
Port Type | 10/100 Mb Twisted-Pair, 100 Mb Fiber Optic | 10/100 Mb Twisted-Pair
Link Speed | Auto Select, 100 Mbps Full-Duplex, 100 Mbps Half-Duplex, 10 Mbps Full-Duplex, 10 Mbps Half-Duplex | Auto Select
Enable Link Status Check | Check/Clear | Clear

Six sets of hexadecimal pairs 00 through FF.
Ethernet Advanced Filters Menu Defaults

Table 95. Ethernet Advanced Filters Menu Defaults

Parameter Name | Range | Default | Your Site?
Customizable Subtype Filters
Allow/Pass | Check/Clear | Check |
SubType | DIX-IP-TCP-Port, DIX-IP-UDP-Port, DIX-IP-Protocol, DIX-IPX-Socket, DIX-EtherType, SNAP-IP-TCP-Port, SNAP-IP-UDP-Port, SNAP-IP-Protocol, SNAP-IPX-Socket, SNAP-EtherType, 802.3-IPX-Socket, 802.2-IPX-Socket, 802.
IP Tunnels Menu Defaults

Table 96. IP Tunnels Menu Defaults

Parameter Name | Range | Default
Mode | Listen, Originate If Root, Disabled | Listen
Enable IGMP (Appears if Mode is Listen) | Check/Clear | Clear
Multicast Address (Appears if Enable IGMP is checked) | 4 nodes, 0 to 255 | 224.0.1.
Table 97. Tunnel Filters Menu Defaults

Parameter Name | Range | Default
SubType | DIX-IP-TCP-Port, DIX-IP-UDP-Port, DIX-IP-Protocol, DIX-IPX-Socket, DIX-EtherType, SNAP-IP-TCP-Port, SNAP-IP-UDP-Port, SNAP-IP-Protocol, SNAP-IPX-Socket, SNAP-EtherType, 802.3-IPX-Socket, 802.2-IPX-Socket, 802.2-SAP | DIX-IP-TCP-Port
Value | Two sets of hexadecimal pairs 00 through FF.
Network Management Menu Defaults

Table 98. Network Management Menu Defaults

Parameter Name | Range | Default | Your Site?
SNMP Read Community | 1 to 15 characters | public |
SNMP Write Community | 1 to 15 characters | CR52401 |
SNMP Secret Community | 1 to 15 characters | Secret |
Avalanche Agent Name | IP address or DNS name | (blank) |

Instant On Menu Defaults

Table 99.
Security Menu Defaults

Table 100.
Table 101. Password Menu Defaults

Parameter Name | Range | Default | Your Site?
Password | 1 to 32 characters (Not case sensitive) | atilan |
Read Only Password | 1 to 32 characters (Not case sensitive) | (blank) |
Allow Service Password | Check/Clear | Check |

IEEE 802.11 (g, b or a) Radio Security Menu Defaults

Table 102. IEEE 802.
Table 102. IEEE 802.11g/b/a Radio Security Menu Defaults

Parameter Name | Range | Default | Your Site?
If Security Level is Static WEP
WEP Transmit Key | 1, 2, 3, or 4 | 1 |
WEP Key 1 to 4 | 5 ASCII characters (or hex pairs) to 16 ASCII characters (or hex pairs) | 80211 |
If Security Level is Dynamic WEP/802.
RADIUS Server List Menu Defaults

Table 103. RADIUS Server List Menu Defaults

Parameter Name | Range | Default
IP Address/DNS name | 4 nodes, 0 to 255 or DNS name | 0.0.0.0
Secret Key | 16 to 32 bytes | (factory default)
Port | 1-65535. Recommended range is 49152-65535 | 1812
802.1x | Check/Clear | Clear except Servers 5 and 6
ACL | Check/Clear | Clear except Servers 3 and 4
Login | Check/Clear | Clear except Servers 1 and 2

Spanning Tree Security Menu Defaults

Table 104.
Table 104. Spanning Tree Security Menu Defaults

Parameter Name | Range | Default | Your Site?
Password | 1 to 31 characters | anonymous |
Verify CA Certificate | Check/Clear | Clear |

Embedded Authentication Server Menu Defaults

Table 105.
Appendix C Glossary

ARP (Address Resolution Protocol) cache
A table that stores IP addresses and their corresponding MAC addresses. The access point maintains an ARP cache and can act as an ARP server.

BFSK (Binary Frequency Shift Key)
A broadcasting method that lengthens the range but halves the throughput as compared to the QFSK method.
To enable data link tunneling, disable Ethernet bridging.

designated bridge
Also called a secondary LAN bridge. An access point that is assigned the role of bridging frames destined for or received from a secondary LAN. A designated bridge connects a secondary LAN with the primary LAN. In the access point, the secondary LAN bridge priority parameter determines if the access point is a candidate to become the designated bridge.
Ethernet bridging
When an access point receives wireless traffic and the destination address is known, it forwards frames to the port with the shortest path to the destination address. When the access point has not learned the direction of the shortest path for the destination address, it forwards frames based on flooding settings to try to locate the destination address.

flooding
A frame is flooded when the destination location is unknown.
IGMP (Internet Group Management Protocol)
A standard protocol that lets you originate multiple IP tunnels using one IP multicast address. IGMP allows IP multicast frames to be routed to remote IP subnets that have hosts participating in the multicast group. By enabling IGMP, access points can act as IP hosts and participate in an IP multicast group.

inbound frames
Frames moving toward the primary LAN.
activity. The MIB for the access point is available from the Allied Telesyn web site at www.alliedtelesyn.com.

multicast address
A form of broadcast address through which copies of the frame are delivered to a subset of all possible destinations that have a common multicast address.

NAT (Network Address Translation)
A mechanism for reducing the need for different IP addresses.
point-to-point bridge
See also wireless bridge. A bridge that connects two wired networks with similar architectures. Two access points can be used to provide a point-to-point bridge between two buildings so that wired and wireless devices in each building can communicate with devices in the other building.
root port
The access point port that provides the inbound connection to the spanning tree. The root port provides a link to a parent access point. Note that a root access point does not have a root port.

root IP subnet
Also called the home IP subnet and primary LAN. The IP subnet that contains the root access point. If wireless end devices need to roam between IP subnets, each end device needs to have an IP address from the root IP subnet.
with the MIB to obtain information about network activity.

spanning tree
A form of network organization in which each device on the network has only one path to the root. The access points automatically configure into a self-organized network that provides efficient, loop-free forwarding of frames through the network.

splitter
A splitter converts 48V input power to 5V or 3.3V output power.
to the home subnet of the end device. If the end device has roamed to another subnet, the frame must be forwarded to the remote subnet where the end device currently resides.

unicast address
A unique Ethernet address assigned to a single device on the network.

VLAN (virtual LAN)
A network of wireless end devices that behave as if they are connected to the same wire even though they may actually be physically located on different segments of a local area network.
WPA (Wi-Fi Protected Access)
A feature that can be implemented in the 802.11g, 802.11b, and 802.11a radios for security in a wireless network. WPA is a strongly enhanced, interoperable Wi-Fi security protocol that addresses many of the vulnerabilities of WEP. With TKIP, it provides stronger RC4 encryption than standard WEP.