LWN602A LWN600VMA LWN602AE LWN600CM-1 LWN602HA LWN600CM-3 LWN602HAE BLACK BOX® SmartPath Enterprise Wireless System User Guide Provides the speed, range, security, adaptability, and manageability to replace wired networks at an enterprise level. Intelligent 802.11n wireless access points work together to increase network efficiency. Customer Support Information Order toll-free in the U.S.: Call 877-877-BBOX (outside U.S.
Trademarks Used in this Manual Black Box and the Double Diamond logo are registered trademarks of BB Technologies, Inc. Kensington is a registered trademark of Acco Brands Corporation. AirMagnet is a registered trademark of AirMagnet, Inc. Apple, iPad, iPhone, Mac, and Macintosh are registered trademarks of Apple Computer, Inc. Bluetooth is a registered trademark of Bluetooth Sig, Inc. Cisco and Catalyst are registered trademarks of Cisco Technologies, Inc.
FCC and IC RFI Statements Federal Communications Commission and Industry Canada Radio Frequency Interference Statements This equipment generates, uses, and can radiate radio-frequency energy, and if not installed and used properly, that is, in strict accordance with the manufacturer’s instructions, may cause interference to radio communication.
NOM Statement/Radiation Exposure Statement Safety Instructions (Normas Oficiales Mexicanas Electrical Safety Statement) 1. All safety and operating instructions must be read before the electrical appliance is operated. 2. The safety and operating instructions must be kept for future reference. 3. All warnings on the electrical appliance and in its operating instructions must be observed. 4.
Wi-Fi Certification/EC Conformance/European Community Wi-Fi Certification The Wi-Fi CERTIFIED™ Logo is a certification mark of the Wi-Fi Alliance®. The SmartPath APs have been certified for WPA™, WPA2™, WMM® (Wi-Fi Multimedia™), WMM Power Save, IEEE 802.11d, IEEE 802.
Countries of Operation and Conditions of Use in the European Community • SmartPath APs automatically limit the allowable channels determined by the current country of operation. Incorrectly entering the country of operation might result in illegal operation and cause harmful interference to other systems.
SmartPath AP Safety Compliance Danish: The undersigned, Black Box, hereby declares that the following equipment, Radio LAN device, complies with the essential requirements and other relevant provisions of Directive 1999/5/EC. German: Black Box hereby declares that this Radio LAN device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.
• The attachment plug must be an earth-grounding type with NEMA 5-15P (15 A, 125 V) or NEMA 6-15 (15 A, 250 V) configuration. Denmark only: • The supply plug must comply with Section 107-2-D1, Standard DK2-1a or DK2-5a. Switzerland: • The supply plug must comply with SEV/ASE 1011. U.K. only: • The supply plug must comply with BS1363 (3-pin 13 A) and be fitted with a 5-A fuse that complies with BS1362.
Table of Contents
1. Specifications
1.1 SmartPath AP (LWN602HA)
1.2 SmartPath AP (LWN602A)
5. The Smart Path EMS VMA (LWN602VMA)
5.1 Server Requirements
6. SmartPath EMS Online
10.2.1 Device-Level Configurations
10.2.2 Policy-Level Configurations
10.3 SmartPathOS Configuration File Types
Chapter 1: Specifications 1. Specifications 1.1 Smart Path AP (LWN602HA) Antennas: (3) omnidirectional 802.11b/g/n antennas, and (3) omnidirectional 802.11a/n antennas NOTE: Antennas are not included. Interface: Serial Port: 9600 bps, 8 data bits, no parity, 1 stop bit, no flow control; Ethernet: Autosensing 10/100/1000 BASE-T/TX Mbps; both ports comply with the IEEE 802.3af and the 802.
1.3 Smart Path EMS Virtual Management Appliance (VMA) Software (LWN600VMA) Maximum Supported APs — 1500 Minimum System Requirements — Processor: Dual-core 2 GHz; Memory: 2 GB VM, 1 GB host; Storage: 10 GB available disk space Tested Virtualization Platforms — ESXi 4.0 or better; Player on CentOS; Player on Windows Vista® 724-746-5500 | blackbox.
Chapter 2: Preparing for a WAN Deployment 2. Preparing for a WAN Deployment To ensure a smooth WLAN deployment, you need to begin with a bit of planning. A straightforward review of your deployment plan before you begin will provide the best results in the least amount of time. The goals of this chapter are to assist you in assessing your readiness for WLAN implementation and to provide tips and tricks to resolve any issues that might arise in your environment.
Upgrading from a thin AP solution is also easy. However, because a thin AP makes use of an overlay tunneled network, you sometimes have to add a local VLAN for access or use tunnels to replicate the overlay network. However, because using VLANs rather than tunnels provides significant performance and scalability advantages, this is clearly the recommended path. 2.2.
• Deploy and Check In this scenario, an initial site survey is not performed. Instead, wireless administrators make educated guesses on the best locations for the access points, or they use a planning tool to determine the locations more reliably. After deploying the access points, the administrators do a quick site survey. If they need to provide greater coverage, they deploy additional access points.
• Distance Between Access Points In a standard office environment, it is a good idea to ensure that access points are between 30 and 100 feet from one another. A distance of 30 feet is needed in high-density environments and those with many walls separating access points. A distance of 100 feet is sufficient in low-density areas with plenty of open space. These three tips can help determine how many access points to deploy in a given area.
• Client Software - Depending on the deployment, users can use built-in Microsoft® Windows®, Linux® and/or Macintosh® client software (supplicants). - For better services and troubleshooting, consider a third-party supplicant such as Juniper Networks® Odyssey Client. 2.2.
• Configuring Antennas As anyone who has administered a WLAN system in the past knows, proper configuration of the access point antennas at the outset can save you lots of trouble. The SmartPath AP (LWN602A) has internal antennas that cannot be adjusted. However, the antennas for the SmartPath (LWN602HA) are adjustable.
The following are some quick hints for deploying access points: • Standard sheetrock walls and dropped ceilings are the best locations for mounting access points. • When deploying WLANs in retail stores, doing a site survey at each store is likely to be impractical. It is more common to run detailed site surveys at a few locations and use the results to set up User Guidelines for the remaining sites.
2.2.8 Online Planner Enhancements Several enhancements were made to improve the usability and accuracy of the on-line planner. Perimeter Wall Type: You can now specify a wall type for building perimeter walls. The perimeter is the blue line that defines the area of a building in which SmartPath EMS VMA can automatically place SmartPath AP icons.
Figure 2-5. AP details. Setting the Navigation Tree Width: By default, the width of the navigation tree is 180 pixels. If you want to make the tree wider or narrower, based on the length of map names and the depth of the nested structure, you can reset the width by clicking Operation > Update Tree Width (see Figure 2-6). Then enter a different value in pixels and click “Update.
Figure 2-7. Auto placement. 2.3 Operational Considerations To make your WLAN deployment process as smooth as possible, you should consider more than just the distribution and installation of access points. You should also consider how you will manage, optimize, and troubleshoot your WLAN after deployment. 2.3.1 Tuning Approach building an enterprise WLAN with the same life-cycle approach you would apply to a wired network.
The number of SmartPath APs that can perform a spectral scan concurrently varies depending on the SmartPath EMS VMA platform you use. SmartPath EMS VMA Virtual Appliance limits the number of concurrent scans to two (that is, only two SmartPath APs can perform spectrum analysis functions at the same time); the physical SmartPath EMS VMA permits up to 20 concurrent scans. To start the spectrum analyzer feature: 1.
Run Time: The run time determines how long the scanning process lasts. The default run time is five minutes, which is generally long enough to get a rough idea of the RF (radio frequency) environment. For more intense scrutiny of the RF environment, longer run times are called for. The maximum run time is eight hours. Return: The Return button returns you to the Monitor > Access Points > SmartPath APs page without stopping the analysis.
Each of the representations can be enlarged to fill the entire analysis pane to provide more detail or to increase its visibility, or be deleted from the array to simplify the display. To change the display in this manner, use the buttons in the upper right corner of each of the representations. Pause/Resume: You can suspend a trace by clicking the Pause button. When you click “Pause,” the button becomes a Resume button (right-pointing triangle).
On maximizing this display, you gain access to the following additional display parameters: Band: You can choose which band you want to monitor in this display: 2.400-2.500 GHz, 5.150-5.350 GHz, 5.470-5.725 GHz, or 5.725-5.850 GHz. Channels: Choose one of the channel combinations in the drop-down list to display channel boundaries within the graph. Center: Use this control to scroll the graph right or left.
AP Name: The name of the SmartPath AP that is reporting the interference. If an interference source is reported by a few SmartPath APs, but not others, you can use this to approximate the physical location of the interference. Device Type: SmartPath EMS VMA maps the signature of the interference to a specific device type such as a cordless phone, microwave oven, or Bluetooth, which it then reports in the Device Type column.
After creating a WIPS policy on the Configuration > Advanced Configuration > Security Policies > WIPS Policies > New page, define how you want to perform rogue AP and client mitigation: manually, automatically, or semi-automatically. Each approach is described below. Manual Mitigation To mitigate rogue APs and their clients manually, expand the Optional Settings section and select Manual.
All the parameters in the Mitigation Parameters for Rogue APs and Their Clients section apply to SmartPath APs that perform automatic mitigation. In addition to the parameters explained above, there is one other: Max number of mitigator APs per rogue AP: For automatic and semi-automatic mitigation, cluster members choose one SmartPath AP to be the arbitrator AP, which is the one to which all the detector APs send reports.
In RF, there is also a relative measurement that you can use to compare two numbers. This measurement is simply dB (without the “m”). To see how this concept is applied, consider how radio signal propagation changes over a distance and how it can be affected. Figure 2-3 shows signal strength over distance as a curve that has the best signal strength closer to the access point. It also shows noise.
Figure 2-11. Path loss through a wall. (Figure labels: Received Signal, Wall, Signal-to-Noise Ratio, Noise; horizontal axis: Distance.) Microwave ovens, wireless video cameras, Bluetooth headsets, and cordless phones can all interfere with Wi-Fi signals (see Figure 2-5). Excess noise in an environment is often difficult to diagnose and can have a major negative impact on network performance. To discover noise sources, a spectrum analysis system is needed.
In the 2.4 GHz spectrum, there are 11 channels in the United States. However, a Wi-Fi signal consumes more than one channel. Consequently, there are only 3 non-overlapping channels: 1, 6, and 11. To achieve optimal performance, you need to design a channel layout pattern such as the one on the left in Figure 2-6.
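The channel arithmetic behind the 1, 6, 11 rule, as an added example that is not part of the original guide: it derives the non-overlapping set and checks a channel plan for neighboring APs that collide. The 22 MHz signal width is an assumption (the classic 802.11b/g mask), and the AP names, channel plan, and neighbor list are constructed sample data.

```python
"""2.4 GHz channel-overlap check (added example, not from the SmartPath guide)."""

CHANNEL_WIDTH_MHZ = 22       # assumption: classic 802.11b/g signal width
US_CHANNELS = range(1, 12)   # the guide: 11 channels in the United States


def center_mhz(channel):
    """Center frequency of a 2.4 GHz channel: 2412 MHz for channel 1, 5 MHz steps."""
    if not 1 <= channel <= 13:
        raise ValueError(f"not a 5 MHz-spaced 2.4 GHz channel: {channel}")
    return 2407 + 5 * channel


def overlaps(a, b):
    """True when two channels' signals share spectrum (centers closer than one width)."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_set(channels=US_CHANNELS):
    """Largest set of mutually non-overlapping channels, picked lowest-first.

    Lowest-first greedy selection is optimal here because the channels are
    evenly spaced and all signals have the same width.
    """
    chosen = []
    for ch in sorted(channels):
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def plan_conflicts(plan, neighbors):
    """List neighboring AP pairs whose channels collide.

    plan:      {ap_name: channel}
    neighbors: iterable of (ap_a, ap_b) pairs that can hear each other
    Returns sorted (ap_a, ap_b, kind) tuples, where kind is 'co-channel'
    (same channel) or 'adjacent-channel' (different but overlapping).
    """
    conflicts = []
    for a, b in sorted({tuple(sorted(pair)) for pair in neighbors}):
        ch_a, ch_b = plan[a], plan[b]
        if ch_a == ch_b:
            conflicts.append((a, b, "co-channel"))
        elif overlaps(ch_a, ch_b):
            conflicts.append((a, b, "adjacent-channel"))
    return conflicts


# Constructed sample data: five APs on one floor and which ones hear each other.
SAMPLE_PLAN = {"AP-1": 1, "AP-2": 6, "AP-3": 11, "AP-4": 6, "AP-5": 3}
SAMPLE_NEIGHBORS = [
    ("AP-1", "AP-2"), ("AP-2", "AP-3"), ("AP-2", "AP-4"),
    ("AP-1", "AP-5"), ("AP-3", "AP-5"),
]

if __name__ == "__main__":
    print("non-overlapping channels:", non_overlapping_set())
    for a, b, kind in plan_conflicts(SAMPLE_PLAN, SAMPLE_NEIGHBORS):
        print(f"{a} (ch {SAMPLE_PLAN[a]}) vs {b} (ch {SAMPLE_PLAN[b]}): {kind}")
```

Adjacent-channel overlap (AP-1 on 1 next to AP-5 on 3) is typically worse than sharing a channel, because the two cells cannot coordinate airtime and simply raise each other's noise floor.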
2.5 New and Enhanced SmartPath OS Features for Release 4.0r1 Spectrum Analysis: You can use up to ten SmartPath APs to function as spectrum analyzers for fixed lengths of time. You can use the spectrum analyzer feature to monitor both the 2.4-GHz and 5-GHz bands.
CAPWAP Latency Reports: SmartPath EMS VMA tracks the average latency in its CAPWAP connections to each managed SmartPath AP and displays an icon indicating the average amount of current latency in the Connection column on the Monitor > Access Points > SmartPath APs page when viewed in Monitor mode. A green hexagon indicates normal latency, based on an average that SmartPath EMS VMA has calculated from periodic SmartPath AP reports.
Chapter 3: The SmartPath AP (LWN602HA) Overview 3. The SmartPath AP (LWN602HA) Overview The SmartPath AP is a high-performance and highly reliable 802.11n wireless access point. The SmartPath AP provides dual concurrent 802.11b/g/n and 802.11a/n radios for 3x3 MIMO (Multiple In, Multiple Out) and dual 10/100/1000 Ethernet ports for link aggregation or link redundancy.
Table 3-1. SmartPath (LWN602HA) component descriptions.
Component: Status LEDs
Description: The status LEDs convey operational states for system power, firmware, Ethernet interfaces, and radios. For details, see Section 3.3, Status LEDs.
NOTE: The rear surface of the SmartPath AP is used for heat dissipation to reduce the internal temperature. Consequently, it can become hot, so use caution when handling it. 3.2 Ethernet and Console Ports There are three ports on the SmartPath AP: two RJ-45 10/100/1000BASE-T/TX Ethernet ports and an RJ-45 console port. The pin assignments in the PoE (Power over Ethernet) Ethernet ports follow the TIA/EIA-568-B standard (see Figure 3-3 and Table 3-2).
Table 3-3. T568A Wire Color.
Pin   T568A Wire Color
1     White/Green
2     Green
3     White/Orange
4     Blue
5     White/Blue
6     Orange
7     White/Brown
8     Brown
Figure 3-4. T568A Terminated Ethernet Cable with an RJ-45 connector. (Figure labels: pins 1 and 8.)
Table 3-4. T568B Wire Color.
Pin   T568B Wire Color
1     White/Orange
2     Orange
3     White/Green
4     Blue
5     White/Blue
6     Green
7     White/Brown
8     Brown
Figure 3-5. T568B Terminated Ethernet Cable with an RJ-45 connector. (Figure labels: pins 1 and 8.)
• No adjustments are needed when the power level is 20 W (watts) or higher. If the available power drops to a range between 18 and 20 W, the SmartPath AP disables its ETH1 interface, assuming that it is drawing power through its ETH0 interface. If it is drawing power solely through its ETH1 interface, then it disables its ETH0 interface instead.
Switch(config-if)#exi
Switch(config)#int fastEthernet 0/2
Switch(config-if)#switchport mode access
Switch(config-if)#channel-group 1 mode on
Switch(config-if)#spanning-tree portfast
Switch(config-if)#exit
Switch(config)#exit
Switch#wr mem
Finally, you must cable the Cisco switch and the SmartPath AP together: Cisco 0/1 to SmartPath AP eth0, and Cisco 0/2 to SmartPath AP eth1.
Table 3-5. Console port pin assignments. Figure 3-6. View of the console port on the SmartPath AP (LWN602HA). (Figure labels: 8, 1, CONSOLE.)
Table 3-6. Wiring details for making a serial cable with an RJ-45-to-female DB9 adapter.
3.4 Antennas Antennas are an integral part of the SmartPath AP. The SmartPath AP can accept up to six detachable dipole antennas. The three shorter antennas are designed for the 5-GHz band and have a 2-dBi gain. The three longer antennas are designed for the 2.4-GHz band and have a 4.9-dBi gain. These antennas are omnidirectional, providing fairly equal coverage in all directions in a toroidal (donut-shaped) pattern around each antenna (see Figure 2-1).
Generally, orient the antennas vertically for improved radio coverage, as shown here: When mounting the SmartPath AP (LWN602HA) on a ceiling, orient its antennas downward. When mounting the SmartPath AP on a wall or post, fully extend its antennas upward and downward. When mounting the SmartPath AP above a ceiling or on a horizontal beam, orient its antennas upward. Figure 3-9. SmartPath AP antennas, installed. 3.4.
In previous 802.11 standards, access points and clients each used a single set of components, or RF chain, for transmitting or receiving. Although two antennas are often used for diversity, only the one with the best signal-to-noise ratio is used at any given moment, and that antenna makes use of the single RF chain while the other antenna remains inactive.
3.4.2 Using MIMO with Legacy Clients In addition to supporting up to 300-Mbps throughput per radio for 802.11n clients, MIMO can improve the reliability and speed of legacy 802.11a/b/g client traffic. When an 802.11a/b/g access point does not receive acknowledgement that a frame it sent was received, it resends that frame, possibly at a somewhat lower transmission rate.
(Worm’s eye view with ceiling tiles removed for clarity. Figure label: Ceiling Track.) 1. Press the track clips against the ceiling track and swivel them until they snap into place, gripping the edges of the track. 2. If necessary, slide one or both of the clips along the track to position them at the proper distance (2 1/4" or 7 cm) to fit through the holes in the mounting plate.
(Side view; SmartPath AP shown as transparent for clarity. Figure labels: Mounting Plate, SmartPath AP, Tab, Slot, Tab inside slot.) 4. With the SmartPath AP upside down, align its port side with the bottom end of the plate. 5. Push the SmartPath AP upward, inserting the four tabs on the plate into the four slots on the SmartPath AP. 6. Slide the SmartPath AP toward the bottom end of the plate, locking the tabs inside the slots.
3.5.2 Plenum Mount To mount the SmartPath AP in the plenum space above a dropped ceiling grid, you need the mounting plate, hanger clip, and a standard 24"-wide hanger frame, which can be ordered separately (call Black Box Technical Support at 724-746-5500 for details). 1. With the recessed side of the mounting plate facing downward, insert the hanger clip through the large hole in the center of the plate. 2.
4. Remove the ceiling tile next to the area where you want to mount the device. 5. Press the hanger frame downward into place on the ceiling track until the claws on each leg grip the track below the top ridge (see Figure 3-17). (Figure labels: Remove the ceiling tile and enter the plenum. Press the hanger frame onto the ceiling track.) Figure 3-17. Clipping the hanger frame onto the track. 6.
(Bird’s eye view with the ceiling tiles and ceiling tracks removed for clarity. Figure labels: SmartPath AP attached to the mounting plate; Hanger frame.) Insert the hanger clip upward through the center slot in the hanger frame. Rotate the SmartPath AP and the attached mounting accessories counterclockwise until the clip locks in place against the sides of the crossbar. Figure 3-18. Securing the SmartPath AP to the hanger frame. 7.
2. Push the tabs into the slots and slide the SmartPath AP toward its port panel. This repositions the tabs in the narrower, rectangular section of the slots and holds the device firmly in place below the mounting plate. (Figure label: Mounting Plate. The recommended holes for the four strands are shaded in.) 1 To secure each of the four strands to the mounting plate: 1.
3. Wrap the wire rope around a beam, clip the hook to the rope, and then pull the rope downward until it is taut against the beam. 4. Push the wire rope through the side hole in the locking device and then through the loop in the quad-toggle. 5. Pass the wire rope upward through the center hole in the locking device, and continue pulling the rope to raise the SmartPath AP to the height you want.
3.5.4 Surface Mount You can use the mounting plate to attach the SmartPath AP to any surface that supports its weight, and to which you can screw or nail the plate. First, mount the plate to the surface. Then, through one of the two large openings in the plate, make a hole in the wall so that you can pass the cables through to the SmartPath AP.
3.6 Device, Power, and Environmental Specifications Understanding the range of specifications for the SmartPath AP is necessary for optimal deployment and device operation. The following specifications describe the physical features and hardware components, the power adapter and PoE electrical requirements, and the temperature and humidity ranges in which the device can operate. Device Specifications • Chassis dimensions: 8.5" W x 1.25" H x 8" D (21.5 x 3.
Chapter 4: The SmartPath AP (LWN602A) Overview 4. SmartPath AP (LWN602A) Overview The SmartPath AP LWN602A is a high-performance wireless access point suitable for small offices, mobile employees, and telecommuters. The SmartPath AP has two radios—one for 802.11a/n and one for 802.11b/g/n, both of which can operate concurrently. Both platforms provide 2x2 MIMO and a single 10/100/1000 Ethernet port through which they can be powered using PoE that follows the IEEE 802.3af standard or the 802.
Table 4-1. SmartPath AP component descriptions.
Component: Status Indicator
Description: The status indicator conveys operational states for system power, firmware updates, Ethernet and wireless interface activity, and major alarms. For details, see Section 4.3, Status Indicator.
Component: Device Lock Slot
Description: You can physically secure the SmartPath AP by attaching a Kensington lock and cable to the device lock slot.
• Yellow: The default route is through a backhaul Wi-Fi interface, but not all conditions for normal operations (white) have been met. • White: The device is powered on and the firmware is operating normally; that is, a wireless interface in access mode is up, a wired or wireless backhaul link is up, and the SmartPath AP has a CAPWAP connection to either SmartPath EMS VMA or a management AP.
4.5 Mounting a SmartPath AP (LWN602A) Using one of the track clips included in the box with the SmartPath AP, you can mount it to a track in a dropped ceiling grid. To mount the SmartPath AP to any flat surface that can support its weight (1.75 lb., 0.8 kg), use two #6 or #8 screws to mount it on a wall and three screws to mount it on a ceiling.
4. With the SmartPath AP upside down, lift it until the threaded stud on the track clip enters the hole in the SmartPath AP. Rotate the SmartPath AP until it is securely attached to the clip. (Figure label: SmartPath AP.) Figure 4-6. Attaching the SmartPath AP to the track clip. 5.
1. Position two #6 or #8 screws 2" (5 cm) apart and fasten them to a secure object such as a wall, post, or beam. (Figure label: Wall.) 2. Cut or drill a hole in the wall 1–2" (2.5–5 cm) above the screws to pass the cables through to the SmartPath AP. 3. Position the SmartPath AP so that the screws enter the two upper keyhole-shaped slots on the underside of the SmartPath AP. Then push the SmartPath AP downward to lock it in place. 4.
Chapter 5: The SmartPath EMS 5. The SmartPath EMS The SmartPath Enterprise Management System (EMS), available as a cloud-based service (LWN600CM-1 or LWN600CM-3) or as a virtual management appliance (VMA) (LWN600VMA), is a GUI for centrally configuring and monitoring the APs as well as setting security and guest log-in parameters.
Chapter 6: SmartPath EMS VMA Online (Cloud-Based Service) 6. SmartPath EMS VMA Online (Cloud-Based Service) In addition to a SmartPath EMS VMA, the SmartPath EMS VMA network management system is available in one other form. SmartPath EMS Online is a cloud-based service running on hardware hosted and maintained by Black Box (see Figure 6-1). This management system provides cost-effective alternatives for managing WLAN networks that might not require the investment of a physical appliance.
(Figure labels: SmartPath.blackbox.com Online Server, VSPM-1, Home Page; callouts 1 and 2.) (1) The SmartPath AP initially forms a CAPWAP connection with SmartPath.blackbox.com. (2) When the online server discovers an entry for the SmartPath AP assigning it to VSPM-1, it redirects the SmartPath AP to that VSPM. (3) When you log in to SmartPath.blackbox.com VSPM-1, you can see the SmartPath AP listed on the Monitor > Access Points > SmartPath APs page.
Chapter 7: Using SmartPath EMS VMA 7. Using SmartPath EMS VMA Think of the cooperative control architecture as consisting of three broad planes of communication. On the data plane, wireless clients gain network access by forming associations with SmartPath APs. On the control plane, SmartPath APs communicate with each other to coordinate functions such as best-path forwarding, fast roaming, and automatic RF management.
NOTE: SmartPath EMS VMA has two Ethernet interfaces—MGT and LAN. You can put just the MGT interface on the network and use it for all types of traffic, or you can use both interfaces—which must be in different subnets—and separate SmartPath EMS VMA management traffic (MGT) from SmartPath AP management traffic (LAN). Besides SmartPath EMS VMA and your management system, you need two or three Ethernet cables and a serial cable (or “null modem”).
When you enable both interfaces, SmartPath EMS VMA management traffic uses the MGT interface while SmartPath AP management traffic uses the LAN interface, as shown in Figure 7-2. (Figure 7-2 labels, in the order extracted: LAN 10.1.1.8/24; SmartPath EMS VMA; MGT 10.1.2.8/24; Switch; 10.1.2.1; Admin 10.1.7.34; 10.1.1.1; Router; Clusters in different subnets: 10.1.3.0/24, 10.1.4.0/24; Router; 10.1.5.0/24; SCP Server 10.1.6.12.) Each cluster contains multiple SmartPath APs.
3. Open a Web browser and enter the IP address of the MGT interface in the address field. For example, if you changed the IP address to 10.1.1.8, enter this in the address field: https://10.1.1.8. NOTE: If you ever forget the IP address of the MGT interface and cannot make an HTTPS connection to SmartPath EMS VMA, make a serial connection to its console port and enter 1 for "Network Settings and Tools" and then 1 again for "View/Set IP/Netmask/Gateway/DNS Settings.
Change the cluster name for your SmartPath APs (default: blackbox), change your SmartPath EMS VMA login password, and set the time zone where you are located, which might be the same time zone as that for SmartPath EMS VMA or a different one. If you have an entitlement key, click Enter Key. The following dialog box appears. Figure 7-6. Entitlement key screen. For a physical appliance with Internet access, select “Enter Entitlement Key.
Figure 7-8. Start here screen. 9. To save your settings and enter the SmartPath EMS VMA GUI in Enterprise mode, click “Update.” 10. A message appears prompting you to confirm your selection of Enterprise mode. After reading the confirmation message, click “Yes.” NOTE: You can change the SmartPath AP root admin name in the Credentials section of the SmartPath AP configuration dialog box (Monitor > Access Points > SmartPath AP > smartpathap_name > Modify).
Figure 7-9. Important sections of the SmartPath EMS VMA GUI. Menu Bar: The items in the menu bar open the major sections of the GUI. You can then use the navigation tree to navigate to specific topics within the selected section. Search: This is a tool for finding a text string anywhere in the GUI (except in Reports). You can do a global search or confine a search to a specific part of the GUI. Log Out: Click to log out of your administrative session.
Clients > client_mac_addr) or a report defined as a "New Report Version", moving your mouse over a color box in the legend hides all other lines except the one matching that color (see Figures 7-10 and 7-11). Figure 7-10. Working with graphs in reports. Moving the mouse over a measurement point in a graph displays data about that measurement. If measurement points on multiple lines happen to converge at the same point, SmartPath EMS VMA displays data for all of them.
7.2.3 Searching The SmartPath EMS VMA GUI provides a search feature that you can use to find text strings throughout the SmartPath EMS VMA database and the entire GUI (except in Reports and Topology) or within one or more specified sections of the GUI. By default, SmartPath EMS VMA searches through the following sections of the GUI: Configuration, Access Points, Clients, Administration, and Tools. You can also include Events and Alarms in your search, but not Topology.
Chapter 7: Using SmartPath EMS VMA Figure 7-13. Search results. NOTE: Do not use quotation marks to enclose a phrase of two or more words. Simply enter the phrase that you want to find with spaces. See the SmartPath EMS VMA on-line Help for more information on the Search tool. 7.2.4 Multiselecting You can select multiple objects to make the same modifications or perform the same operation to all of them at once.
Chapter 7: Using SmartPath EMS VMA Figure 7-14. Selecting multiple new SmartPath APs. Here, you use the shift-click multiselection method to select a set of the topmost eight SmartPath APs in the list; that is, you select the checkbox for the top SmartPath AP and hold down the SHIFT key while selecting the checkbox for the eighth SmartPath AP from the top. 7.2.
Chapter 7: Using SmartPath EMS VMA Figure 7-15. Cloning a cluster. 7.2.6 Sorting Displayed Data You can control how the GUI displays data in the main panel by clicking a column header. This causes the displayed content to reorder itself alphanumerically or chronologically in either ascending or descending order. Clicking the header a second time reverses the order in which the data is displayed. By default, displayed objects are sorted alphanumerically from the top by name.
Chapter 7: Using SmartPath EMS VMA By clicking the heading of a column, you can reorder the display of objects either alphanumerically or chronologically, depending on the content of the selected column. Here you reorder the data chronologically. Figure 7-17. Click to reorder the display of objects. Indicates that the list appears in descending order from the top Indicates that the list appears in ascending order from the bottom 7.
Chapter 7: Using SmartPath EMS VMA Table 7-1. Typical Workflow.
Chapter 7: Using SmartPath EMS VMA File Path: Enter the directory path and SmartPath EMS VMA software file name. If the file is in the root directory of the SCP server, you can simply enter the file name. User Name: Type a user name with which SmartPath EMS VMA can access the SCP server. Password: Type a password that SmartPath EMS VMA can use to log in securely to the SCP server.
Chapter 7: Using SmartPath EMS VMA File Path: Enter the path to the SmartPathOS image file and the file name. If the file is in the root directory of the SCP server, you can simply enter the file name. User Name: Type a user name with which SmartPath EMS VMA can access the SCP server. Password: Type a password that SmartPath EMS VMA can use to log in securely to the SCP server. NOTE: To delete an old SmartPathOS file, select the file in the "Available Images" list, and then click Remove. 7. Click Upload.
Chapter 7: Using SmartPath EMS VMA When updating SmartPath APs in a mesh environment, the SmartPath EMS VMA communicates with mesh points through their portal and, if there are any intervening mesh points, through them as well. While updating SmartPath APs in such an environment, it is important to keep the path from the SmartPath EMS VMA to all SmartPath APs clear so that the data transfer along that path is not disrupted.
Chapter 8: Basic Configuration Examples 8. Basic Configuration Examples This chapter introduces the SmartPath EMS VMA GUI in Enterprise mode through a series of examples showing how to create a basic configuration of an SSID, cluster, and WLAN policy. It then explains how to connect several SmartPath APs to SmartPath EMS VMA, accept them for management, and push the configuration to them over the network.
Chapter 8: Basic Configuration Examples A PSK is the simplest way to provide client authentication and data encryption: simply configure an SSID with the same PSK on the SmartPath AP and its clients. A PSK authenticates clients by the simple fact that the clients and SmartPath AP have the same key. For data encryption, both the SmartPath AP and clients use the PSK as a pairwise master key (PMK) from which they generate a pairwise transient key (PTK), which they use to encrypt unicast traffic.
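The PSK-to-PMK-to-PTK chain described above, as an added Python example that is not part of the original guide or the product's code. The PBKDF2 parameters and the PRF follow IEEE 802.11i rather than anything stated in this guide; the SSID "test1-psk" is the one used in this chapter, while the passphrase, MAC addresses and nonces are constructed sample values, and the 48-byte PTK length assumes AES-CCMP.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK passphrase -> 256-bit PMK, as IEEE 802.11i defines for WPA/WPA2-Personal."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 ASCII characters")
    # The SSID is the salt, so the same passphrase on another SSID gives another PMK.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < n_bytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
        counter += 1
    return out[:n_bytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes, n_bytes: int = 48) -> bytes:
    """PMK + both MAC addresses + both handshake nonces -> PTK (48 bytes for AES-CCMP)."""
    # min/max ordering lets the AP and the client build the same input independently.
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, n_bytes)


def handshake_demo() -> dict:
    """Derive keys on both sides of one association, then for a second session."""
    ssid = "test1-psk"                          # SSID from this chapter's example
    passphrase = "constructed-example-key"      # constructed sample passphrase
    ap_mac = bytes.fromhex("020000000001")      # constructed, locally administered
    client_mac = bytes.fromhex("020000000002")  # constructed, locally administered
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    snonce_next = hashlib.sha256(b"constructed SNonce, next session").digest()

    # Each side computes the PMK on its own from the configured PSK and SSID.
    pmk_ap = derive_pmk(passphrase, ssid)
    pmk_client = derive_pmk(passphrase, ssid)

    ptk_ap = derive_ptk(pmk_ap, ap_mac, client_mac, anonce, snonce)
    ptk_client = derive_ptk(pmk_client, ap_mac, client_mac, anonce, snonce)
    ptk_next = derive_ptk(pmk_ap, ap_mac, client_mac, anonce, snonce_next)

    return {
        "pmk": pmk_ap,
        "ptk_ap": ptk_ap,
        "ptk_client": ptk_client,
        "ptk_next_session": ptk_next,
        "kck": ptk_ap[:16],    # key confirmation key (handshake integrity)
        "kek": ptk_ap[16:32],  # key encryption key (protects the group key)
        "tk": ptk_ap[32:48],   # temporal key that encrypts unicast traffic
    }


if __name__ == "__main__":
    for name, value in handshake_demo().items():
        print(f"{name:17s} {value.hex()}")
```

Every client configured with the same PSK and SSID derives the identical PMK; only the MAC addresses and nonces make each PTK session-specific, which is the property that the per-user private PSKs in Section 9.4 change.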
Chapter 8: Basic Configuration Examples Enable MAC Authentication: (clear) User profile assigned to users that associate with this SSID: default-profile The predefined user profile "default-profile" applies the standard SmartPath Quality of Service level through the predefined QoS policy "def-user-qos" and assigns user traffic to VLAN 1. SSID Broadcast Band: 2.4 GHz (11n/b/g) SmartPath APs have two radios: a 2.4-GHz radio, which supports 802.11n/b/g, and a 5-GHz radio, which supports 802.11n/a.
Chapter 8: Basic Configuration Examples 8.2 Example 2: Creating a Cluster A cluster is a group of SmartPath APs that exchanges information with each other to form a collaborative whole.
Chapter 8: Basic Configuration Examples • Device-level features—These features control how cluster members communicate with the network and how radios operate in different modes, frequencies, and signal strengths. A WLAN policy is an assembly of policy-level feature configurations that SmartPath EMS VMA pushes to all SmartPath APs that you assign to the policy. Because these configurations are policy-based, they can apply across multiple physical devices.
Chapter 8: Basic Configuration Examples 8.4 Access and Backhaul on the Same Radio Black Box SmartPath APs have the ability to provide both wireless client access and backhaul services on the same interface. When you configure a SmartPath AP mesh point to operate in this way, you create a redundant pathway if one of the interfaces fails. This capability allows single radio SmartPath APs to operate as a mesh point with client access abilities, which was not possible previously.
Chapter 8: Basic Configuration Examples Wired Ethernet Backhaul All SmartPath APs: wifi0 = access wifi1 = dual (default settings) SmartPath AP loses its Ethernet connectivity. SmartPathOS 4.0 detects the failure and begins scanning on wifi1 for the best neighbor. SmartPath AP judges signal conditions and determines that SmartPath AP 3 has the best signal quality. SmartPath AP 2 changes its channel to match that of SmartPath AP 3, and establishes a mesh link on Channel 161. Figure 8-4.
Chapter 8: Basic Configuration Examples Figure 8-5. Select radio. By selecting the Enable the bridging of Ethernet connection devices over the wireless mesh network checkbox, you enable advanced bridging features, such as bridge-access and bridge-802.1Q modes. To configure these modes, click Optional Settings > Interface and Network Settings. 8.5 Example 4: Connecting SmartPath APs to SmartPath EMS VMA In this example, you set up three SmartPath APs for management through SmartPath EMS VMA.
Chapter 8: Basic Configuration Examples NOTE: To illustrate all possible CAPWAP states, Figure 8-5 begins by showing a SmartPath AP and SmartPath EMS VMA already in the Run state. When a SmartPath AP first attempts to discover a SmartPath EMS VMA—after the SmartPath AP has an IP address for its mgt0 interface and has discovered or has been configured with the SmartPath EMS VMA IP address—it begins in the Discovery state.
Chapter 8: Basic Configuration Examples CAPWAP Client (SmartPath AP) Run State CAPWAP Server (SmartPath EMS VMA) The CAPWAP client (SmartPath AP) pings the CAPWAP server (SmartPath EMS VMA) but receives no responses within the neighbor-dead-interval. ... Idle State Discovery State When the client determines its neighbor is dead, it transitions from the Run state to the Idle state. The client transitions to the Discovery state and begins sending Discovery Request messages (broadcast or unicast). ...
Chapter 8: Basic Configuration Examples The page displays the three SmartPath APs that you put on the network. If you see the three SmartPath APs, refer to Figure 8-6. If you do not see them, check the following: • Do the SmartPath APs have power? Check the PWR (Power) status LED on the top of the devices. If it is glowing steady green, it has power and has finished booting up. If the PWR status LED on a SmartPath AP (LWN602HA) is pulsing green, it is still loading the SmartPathOS firmware.
Chapter 8: Basic Configuration Examples If the SmartPath AP does not have any network settings, check that it can reach the DHCP server. To check if a DHCP server is accessible, enter interface mgt0 dhcp-probe vlan-range , in which and indicate the range of VLAN IDs on which you want the SmartPath AP to probe for DHCP servers. The results of this probe indicate if a DHCP server is present and has responded.
Chapter 8: Basic Configuration Examples NOTE: If you see a different group of SmartPath AP settings, make sure that Monitor is selected as the view mode at the top of the SmartPath APs page. The GUI provides two view modes for SmartPath APs, one that focuses on monitoring SmartPath APs (Monitor) and another that focuses on configuring them (Config).
Chapter 8: Basic Configuration Examples 1. If the DNS server cannot resolve the domain name to an IP address, the SmartPath AP broadcasts CAPWAP Discovery messages on its local subnet for a CAPWAP server (SmartPath EMS VMA). If SmartPath EMS VMA is on the local network and responds, they form a secure CAPWAP connection. The SmartPath AP tries to connect to SmartPath EMS VMA using the following default domain name: smartpathEMS.
Chapter 8: Basic Configuration Examples WLAN Policy: DHCP client: enabled wlan-policy-test1 Credentials: SSID: test1-psk Name: testadmin1 Cluster: cluster1-test Password: testpass1 SSID: test1-psk DHCP client: enabled Cluster: cluster1-test Credentials: Name: testadmin1 Password: testpass1 SmartPath AP1 (Portal) SmartPath AP2 (Portal) SmartPath EMS VMA SmartPath AP3 (Mesh Point) CAPWAP traffic secured with DTLS Note: The CAPWAP path to SmartPath AP3 really passes through one of the portals (SmartPath
Chapter 8: Basic Configuration Examples Figure 8-11. Monitor > Access Points > SmartPath APs (view mode: Config). Updating the Country Code For SmartPath APs intended for use in the United States, the region code is preset as "FCC"—for "Federal Communications Commission"—and the country code is preset as "United States". If this is the case, you can skip this section.
Chapter 8: Basic Configuration Examples Because SmartPath AP3 is a mesh point and the update involves changing its cluster—from cluster0 to cluster1-test—you must make sure to update its configuration before updating the configurations on SmartPath AP1 and SmartPath AP2.
Chapter 8: Basic Configuration Examples SmartPath EMS VMA begins transferring the configuration to SmartPath AP3 and displays the Monitor > Access Points > SmartPath AP Update Results page where you can observe the progress and the result of the operation. After SmartPath AP3 reboots to activate its new configuration, it tries to reconnect with SmartPath EMS VMA.
Chapter 9: Common Configuration Examples 9. Common Configuration Examples Through the use of examples, this chapter shows how to use SmartPath EMS VMA in Enterprise mode to configure several features that are somewhat more advanced than those covered in the previous chapter. The examples cover topics such as topological maps, IEEE 802.
Chapter 9: Common Configuration Examples x8 Floors 4 SmartPath APs per Floor x8 Floors 2 SmartPath APs per Floor 64 SmartPath APs Total 8 SmartPath APs Total Corporate Headquarters Branch Office VPN Tunnel HQ-B1 x4 Floors Branch1 HQ-B2 SmartPath EMS (in “HQ-B1”) Figure 9-1. Deployment overview. 9.1.1 Setting Up Topology Maps In this example, you upload maps to SmartPath EMS VMA showing floor plans for three office buildings and organize them in a hierarchical structure. You need to make .
Chapter 9: Common Configuration Examples Level 1 CorpOffices (Level-1 Map) This map shows 3 buildings and 20 icons that link to level-2 maps. 8 icons linking to level-2 maps 8 icons linking to level-2 maps 4 icons linking to level-2 maps Double-clicking a floor icon on the CorpOffices map (level 1) opens the corresponding level-2 map. You can also navigate to any map within the Topology Maps section of the navigation tree in the SmartPath EMS VMA GUI.
Chapter 9: Common Configuration Examples Map showing one of the floor plans SmartPath EMS VMA Uploading map to Management SmartPath EMS VMA system Figure 9-3. Uploading a map of a building floor plan. 4. Repeat this for all the image files that you need to load, and then close the dialog box when done.
Chapter 9: Common Configuration Examples A floor icon labeled "HQ-B1-F2" appears on the CorpOffices image, and a new entry named "HQ-B1-F2" appears nested under "CorpOffices" in the navigation tree. 6. Select the icon and drag it to the location you want.
Chapter 9: Common Configuration Examples NOTE: For a summary of how SmartPath APs use CAPWAP to discover and connect to SmartPath EMS VMA, see “How SmartPath APs Connect to SmartPath EMS VMA” in Section 8.4, Connecting SmartPath APs to SmartPath EMS VMA. Using MAC Addresses With this approach, you write down the MAC address labelled on the underside of each SmartPath AP and its location while installing the SmartPath APs throughout the buildings. The MAC address on the label is for the mgt0 interface.
Chapter 9: Common Configuration Examples When a SmartPath AP connects to SmartPath EMS VMA, SmartPath EMS VMA checks its SNMP location and automatically associates it with the map specified in its SNMP location description. You can then click the icon to see its location and drag it to the specified location on the map. Also, on the Monitor > Access Points > SmartPath APs page (view mode: Config), you can sort detected SmartPath APs by map name to assign them more easily to WLAN policies.
Chapter 9: Common Configuration Examples Configuring a SmartPath AP through the NetConfig UI When you log in to the NetConfig UI, there are three pages that provide settings for an initial configuration: Local Network Settings: Configure the SmartPath AP to be a DHCP client or use static network settings for the IP address and netmask of its mgt0 interface, its default gateway, and DNS server.
Chapter 9: Common Configuration Examples Port: Type the port number that the SmartPath AP uses to connect to the HTTP proxy server. Authenticate the SmartPath AP on the HTTP proxy server: Select this checkbox if the HTTP proxy server requires connections to be authenticated. Selecting this checkbox activates the user name and password fields. User Name: Enter the user name that the SmartPath AP submits to authenticate itself to the HTTP proxy server.
Chapter 9: Common Configuration Examples The RADIUS authentication server checks authentication requests against user accounts stored in its database. RADIUS Authentication Server IP Address: 10.1.1.10 Authentication Port: 1812 Shared Secret: radius123 Authentication Replies Authentication Requests SmartPath AP RADIUS Authenticators (NAS Devices) 10.1.1.0/24 subnet SSID: corp-wifi Auto-(WPA or WPA2)-EAP (802.
Chapter 9: Common Configuration Examples 3. To create a VLAN object for IT staff traffic, select the check box for the newly created VLAN object “VLAN-10” in the list on the Configuration > Advanced Configuration > Network Objects > VLANs page, and then click Clone. The VLANs dialog box appears with the settings for VLAN-10. 4. For VLAN Name, enter VLAN-20; in the VLAN ID field, change 10 to 20; modify the Description field to VLAN for IT staff; and then click “Save.
Chapter 9: Common Configuration Examples Object Name: AuthServer-10.1.1.10 Enter the following, and then click Apply to add the IP address to the address configuration: IP Entry: 10.1.1.10 Type: Global Setting the type as "Global" means that SmartPath EMS VMA applies the IP entry to all SmartPath APs that include the IP address/host name object in their configuration. Description: RADIUS auth server at 10.1.1.10 Click “Save” to save the address configuration and return to the AAA Client Settings page.
Chapter 9: Common Configuration Examples This field is only relevant when both primary and backup RADIUS authentication servers are configured. The retry interval defines how long a SmartPath AP RADIUS authenticator waits before retrying a previously unresponsive primary RADIUS server, even if the current backup server is responding. When there is only a single RADIUS authentication server, as in this example, the retry interval does not matter.
Chapter 9: Common Configuration Examples When cleared, this setting allows access to authenticated users even when the Tunnel-Private-Group-ID attribute that the RADIUS authentication server returns matches another user profile configured on the SmartPath AP but not specified for this SSID. If you do not mind granting access to all valid user accounts on the RADIUS authentication server, disable this option by clearing the checkbox. This is the default setting.
Chapter 9: Common Configuration Examples Data encryption: AES Enable IEEE 802.1X authentication for this network: (select) EAP type: Protected EAP (PEAP) Authenticate as computer when computer information is available: (clear) Authenticate as guest when user or computer information is unavailable: (clear) Validate server certificate: (clear) Select Authentication Method: Secured password (EAP-MSCHAP v2) Automatically use my Windows logon name and password (and domain if any): (clear) 2.
Chapter 9: Common Configuration Examples Both (Auth/Self-reg): Authentication at the top and self-registration at the bottom (the user submits one of them). Self-Registration: The user self-registers by entering data that can then be saved to a syslog server for tracking and auditing. User Authentication: The user submits a name and password, which are sent to a RADIUS server for authentication. Use Policy Acceptance: The user must accept a network use policy to gain network access. Figure 9-7.
Chapter 9: Common Configuration Examples 1 Forming an association Wireless Client Wireless Access Point 2 Address and TCP/IP assignments DHCP Client DHCP Server DHCP Discover Association Request Association Response DHCP Offer DHCP Request DHCP ACK The client forms an association with the SmartPath AP but the visitor has not yet registered. The SmartPath AP allows DHCP, DNS, and ICMP* services through. It redirects all HTTP and HTTPS traffic to its own web server and drops all other traffic.
Chapter 9: Common Configuration Examples 3 4 DNS address resolution DNS Querient DNS Server HTTP connection to the captive web portal HTTP Client HTTP GET DNS Query Reply DNS Reply The SmartPath AP allows DNS queries and replies between the client of an unregistered user and a DNS server.
Chapter 9: Common Configuration Examples 1 Association Using SSID “guest” Wireless Client Wireless Access Point 2 Address and TCP/IP Assignments DHCP Client DHCP Server DHCP Discover Association Request DHCP Offer DHCP Request Association Response DHCP ACK SSID “guest” The client forms an association with the SmartPath AP but the visitor has not yet registered.
Chapter 9: Common Configuration Examples 5 6 Registration HTTP Client HTTP Server DHCP, DNS, and HTTP forwarding Wireless Client Wireless Access Point Servers Registration DHCP DNS Quarantine MAC: 0016:cf8c:57bc Registered MAC: 0016:cf8c:57bc After a guest agrees to the acceptable use policy, fills in the form, and submits the registration, the SmartPath AP moves the client’s MAC address from a quarantined list to a registered list.
Chapter 9: Common Configuration Examples blackbox_spacer.png (transparent image to offset the registration section from the top; size 200 x 103 px; 72 dpi) blackbox_3d_bg.png (solid background; color #031e2f; size 5 x 5 px.; 96 dpi) blackbox_3d.jpg (background image: 842 x 595 px; 72 dpi) blackbox_logo_reverse.png (111 x 48 px; 72 dpi) Figure 9-14. Components of the captive Web portal self-registration page.
Chapter 9: Common Configuration Examples Foreground Color: The foreground color controls the color of the text that appears on the page. By default, it is white (RGB 255, 255, 255), which shows up clearly against the dark blue of the default background image smartpath_3d.jpg. If you change the background image to something with lighter colors, such as blackbox_hex_light.jpg, you can make the foreground color darker to provide greater contrast.
Chapter 9: Common Configuration Examples • Files and Configuration Upload—Push the captive web portal files and the WLAN policy to the managed SmartPath APs. Guests use a preshared key to secure wireless traffic between their wireless clients and SmartPath APs. After forming a secure association with a SmartPath AP, the SmartPath AP intercepts all outbound traffic—except DHCP, DNS, and ICMP traffic—and presents them with a self-registration page.
Chapter 9: Common Configuration Examples The rate limit for network control and voice is 0 kbps because guests are not permitted to run any applications that would generate network control traffic or use VoIP applications. In this example, guests are expected to use cell phones or other phones provided for them. (If you want to provide VoIP for guests, then you must enable the SIP ALG, add another rule to the firewall policy permitting SIP traffic, and set the rate limit for voice at 128 kbps.
Chapter 9: Common Configuration Examples Table 9-2. CTRL-click to select multiple services.
(Action) | Source | Destination | Service‡ | Action | Logging* | (Action)
 | [-any] | [-any-]* | DHCP-Server, DNS† | Permit | Off | Click “Apply.”
Click “New.” | [-any-] | 10.0.0.0/8 | [-any-] | Deny | Dropped Packets | Click “Apply.”
Click “New.” | [-any-] | 172.16.0.0/12 | [-any-] | Deny | Dropped Packets | Click “Apply.”
Click “New.” | [-any-] | 192.168.0.0/16 | [-any-] | Deny | Dropped Packets | Click “Apply.”
Click “New.
Chapter 9: Common Configuration Examples To save the firewall policy and close the dialog box, click “Save.” NOTE: You do not have to create a policy to control incoming traffic because you will set the default action to deny all incoming and outgoing traffic not specified in any of the policy rules. User Profile A user profile contains the rate control and queuing QoS settings, VLAN, firewall policies, tunnel policy, and schedules that you want the SmartPath AP to apply to traffic from certain users.
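How the rule order in Table 9-2 and the default deny action interact, as an added Python sketch that is not the product's code. It assumes first-match evaluation, the conventional ports for the "DHCP-Server" and "DNS" service objects, and a final permit-any rule that stands in for the part of the table not shown on this page; the flows are constructed samples.

```python
import ipaddress

# ASSUMPTION: conventional ports for the service objects named in Table 9-2.
SERVICES = {
    "DHCP-Server": {("udp", 67)},
    "DNS": {("udp", 53), ("tcp", 53)},
}


def rule(dst, services, action, log):
    """One policy row; the source is [-any-] in every row, so it is not modelled."""
    return {"dst": ipaddress.ip_network(dst), "services": services,
            "action": action, "log": log}


# Rows visible in Table 9-2, in the order they are entered.
PAGE_RULES = [
    rule("0.0.0.0/0", ("DHCP-Server", "DNS"), "permit", False),
    rule("10.0.0.0/8", None, "deny", True),       # log dropped packets
    rule("172.16.0.0/12", None, "deny", True),
    rule("192.168.0.0/16", None, "deny", True),
]
# ASSUMPTION: the table is cut off on this page; a trailing permit-any rule is
# assumed here so that traffic to public addresses is allowed.
ASSUMED_TAIL = [rule("0.0.0.0/0", None, "permit", False)]
DEFAULT_ACTION = "deny"  # the default action the guide sets for unmatched traffic


def evaluate(rules, dst_ip, proto, port):
    """Return (action, matching rule number or None, logged) using first match."""
    dst = ipaddress.ip_address(dst_ip)
    for number, r in enumerate(rules, start=1):
        if dst not in r["dst"]:
            continue
        if r["services"] is not None and not any(
                (proto, port) in SERVICES[name] for name in r["services"]):
            continue
        return r["action"], number, r["log"]
    return DEFAULT_ACTION, None, False


# Constructed sample flows from a guest client: (destination, protocol, port).
SAMPLE_FLOWS = [
    ("255.255.255.255", "udp", 67),  # DHCP discover
    ("10.1.1.5", "udp", 53),         # DNS query to an internal resolver
    ("10.1.1.10", "tcp", 80),        # web server on the internal 10/8 network
    ("172.31.255.254", "tcp", 22),   # last address inside 172.16.0.0/12
    ("172.32.0.1", "tcp", 443),      # just outside 172.16.0.0/12
    ("192.168.1.20", "tcp", 445),    # file server on an internal subnet
    ("203.0.113.10", "tcp", 443),    # public address (documentation range)
]


def run(rules):
    """Evaluate every sample flow against a rule list."""
    return [(flow, evaluate(rules, *flow)) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, verdict in run(PAGE_RULES + ASSUMED_TAIL):
        print(flow, "->", verdict)
```

Moving the three deny rows above the DHCP/DNS permit row makes the DNS query to 10.1.1.5 match the 10.0.0.0/8 deny first, so the permit row has to stay at the top for guests to resolve names through an internal server.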
Chapter 9: Common Configuration Examples To-Access: (nothing) Default Action: Deny Expand QoS Settings, and enter the following: Rate Control & Queuing Policy: QoS-Guests This is the policy that you created in "QoS Rate Limiting.” The SmartPath AP applies these rates and scheduling to users that belong to this user profile on an individual basis.
Chapter 9: Common Configuration Examples Receptionist Visitor Visitor’s Laptop SmartPath AP Internet The visitor enters the preshared key “guest123” when forming an association with the SmartPath AP using the SSID “guest”. Figure 9-16. Guest access using a preshared key. The guest SSID provides secure network access for visitors.
Chapter 9: Common Configuration Examples Upload and activate configuration: (select) Upload and activate CWP pages and Server key: (select) Upload and activate certificate for RADIUS and VPN services: (clear) Upload and activate employee, guests, and contractor credentials: (clear) List of all SmartPath APs selected on the Monitor > Access Points > SmartPath APs page: (select) Because the WLAN policy for the selected SmartPath APs contains an SSID using captive Web portal files, upload and activate the f
Chapter 9: Common Configuration Examples 9.4 Example 4: Private PSKs Private PSKs are unique preshared keys created for individual users on the same SSID. They offer unique keys per user and user profile flexibility (similar to 802.1X) with the simplicity of preshared keys. For this example, the steps for generating, applying, and distributing private PSK user data are as follows: 1. Define two user profiles. 2. Create two private PSK user groups.
Chapter 9: Common Configuration Examples 9.4.1 Private PSK Enhancements You can set up a captive Web portal that allows users to self-register and receive their own, individual private PSKs (preshared keys). In addition, you can configure a SmartPath AP to generate sets of private PSK users with admin-defined validity periods, which is convenient for users such as contractors that require temporary network access for lengths of time longer than a day.
Chapter 9: Common Configuration Examples Number of New Users: Enter the number of private PSK users that you want to generate. Description: Type a note about the private PSK. If you send the keys to users through e-mail, this description appears in the e-mail message, so you might want to enter the SSID that users access when connecting to the network.
Chapter 9: Common Configuration Examples Registration Type: Private PSK Server Description: Add a note about the captive Web portal for future reference. Captive Web Portal Login Page Settings Private PSK Server Registration Type: Self-registration There are two options: Authentication and Self-registration. When you select Self-registration, users must complete and submit a registration form to obtain their private PSKs.
Chapter 9: Common Configuration Examples The diagram below shows the flow of traffic between client, authenticator, and private PSK server. Wireless Client Private PSK Authenticator captive Web portal on wifi0.1: 1.1.1.1/24 Private PSK Server mgt0: 10.1.1.1/24 A wireless client forms an association with the SmartPath AP acting as a private PSK authenticator at 1.1.1.1 using SSID-1 (open authentication). The client sends an HTTP GET message, which the SmartPath AP intercepts and . . . . . .
Chapter 9: Common Configuration Examples Recurring Automatic Generation of Private PSKs For private PSK generation, the recurring option refreshes keys every day. This option satisfies the needs of guest access for daily visitors, but is less suitable for temporary users for longer stays, such as contractors who might need to access the wireless network for several days or several weeks.
Chapter 9: Common Configuration Examples Private PSK Users to Create per Rotation: Set the number of private PSK users to generate in each set. You can generate from 1 to 9999 users in each set. The default is 10, which means that each set will contain 10 private PSK users. (1–9999) Example: To create a user group that generates 10 private PSK users at 8:00 A.M. every day for a year starting on 06/14/2011 and make each user valid for two days, enter the following: Figure 9-19. PSK validity period.
Chapter 9: Common Configuration Examples SmartPath AP Private PSK Server: Choose the SmartPath AP that you want to use as the private PSK server from the dropdown list. This is the SmartPath AP that will store all the private PSK users and act as a server that the other SmartPath APs will contact when checking and requesting a binding of a user-submitted private PSK to the MAC address of the user's client.
Chapter 9: Common Configuration Examples * The three addresses "10.0.0.0/8", "172.16.0.0/12", and "192.168.0.0/16" that define private network address space were created in a previous example. See “Address Objects” in Figure 9-15. Click “Save” to save the IP firewall policy and return to the User Profile dialog box. From-Access: contractors-outgoing-IP-policy (This is the firewall policy that you just created.) To-Access: (nothing) Default Action: Deny User Profile Reassignment 9.4.
Chapter 9: Common Configuration Examples • Mac® OS X • iPad • iPhone® • Android™ If one or more of these predefined OS objects satisfies your needs, you can skip this step. Click Configuration > Advanced Configuration > Network Objects > OS Objects > New, enter the following, and then click Save: Object Name: Type the name of the OS object. This is the name that appears in the OS Object drop-down list when you configure a client classification policy in the User Profile dialog box.
Chapter 9: Common Configuration Examples To add another domain name, click New, click the empty space at the top of the drop-down list and type a new domain name, add an optional description, and then click “Apply.” You can create up to 32 entries for a single device domain object, and there can be up to 64 device domain objects per SmartPath AP.
Chapter 9: Common Configuration Examples VLAN ID: 1 If you leave this field empty, the SmartPath AP applies the VLAN ID set in the Employees(30) user profile, which is already set as 1. If you set a different VLAN ID here than the one in the user profile, this setting takes precedence over the one in the user profile.
Chapter 9: Common Configuration Examples Bill Li, 3, Contractors(35), Cm$7)3bO1!, hm-admin@apis.com;mgr@apis.com, Use SSID star, home Notice that the private PSK user definitions for employees are sent directly to the people who will use them, but those for contractors are sent to a department manager for dissemination. All definitions are also sent to the SmartPath EMS VMA administrator as a backup. 2.
Chapter 9: Common Configuration Examples 9.4.8 E-mail Notification To distribute the private PSK user definitions to the employees and the manager in charge of the contractors, click Configuration > Advanced Configuration > Authentication > Local Users, select the users, and then click Email PSK.
Chapter 9: Common Configuration Examples SmartPath EMS Branch Office #3 VLAN: 30 VLAN definition: 30; type: branch3 SmartPath AP classifier: branch3 Main Office Branch Office #2 VLAN: 20 Branch Office #1 VLAN: 10 VLAN definition: 10; type: global SmartPath AP classifier: (nothing) VLAN definition: 20; type: branch2 SmartPath AP classifier: branch2 Figure 9-20. SmartPath AP classifiers and VLANs.
Chapter 9: Common Configuration Examples 9.5.
Chapter 9: Common Configuration Examples The SmartPath AP Update Results page appears so that you can monitor the progress of the upload procedure. When complete, “100%” appears in the Upload Rate column and “Successful” appears in the Update Result column. Check that the VLANs are being applied properly: In the Upload and Activate Configuration dialog box, click the host name of a SmartPath AP at Branch Office 1, and then select View Configuration.
Chapter 10: SmartPath Operating System (OS) 10. SmartPath Operating System (OS) You can deploy a single SmartPath AP and it will provide wireless access as an autonomous AP. However, if you deploy two or more SmartPath APs in a cluster, you can provide superior wireless access with many benefits. A cluster is a set of SmartPath APs that exchanges information with each other to form a collaborative whole (see Figure 10-1).
Chapter 10: SmartPath Operating System (OS) Table 10-1. Common default settings and commands.
Chapter 10: SmartPath Operating System (OS) 10.2 Configuration Overview The amount of configuration depends on the complexity of your deployment. As you can see in "Deployment Examples (CLI)" in Chapter 11, you can enter a minimum of three commands to deploy a single SmartPath AP, and just a few more to deploy a cluster. However, for cases when you need to fine tune access control for more complex environments, SmartPathOS offers a rich set of CLI commands.
Chapter 10: SmartPath Operating System (OS) qos { classifier-map | classifier-profile | marker-map | marker-profile | policy } … • User profiles user-profile string … • SSIDs ssid string … • AAA (authentication, authorization, and accounting) settings for IEEE 802.
Chapter 10: SmartPath Operating System (OS) • backup: a flash file that the SmartPath AP attempts to load during the reboot process if there is a newly uploaded current config file or if it cannot load the current config file. See Figures 10-4 and 10-5. • bootstrap: a flash file containing a second config composed of a combination of default and admin-defined settings.
Chapter 10: SmartPath Operating System (OS) SmartPath EMS VMA or TFTP Server or SCP Server SmartPath AP Current Config Config File New Backup Config (in flash memory) When you upload a config file from SmartPath EMS VMA or a TFTP or SCP server, the SmartPath AP saves the uploaded file as a backup config. This file replaces any previous backup config file that might have been there. Previous Backup Config (overwritten) Figure 10-4.
When a SmartPath AP ships from the factory, it is loaded with a default config file, which acts initially as the running and current configs. If you enter and save any commands, the SmartPath AP then stores a separate config file as the current config, combining the default settings with the commands you entered and saved. If you want to return to the default settings, you can press the reset button or enter the reset config command.
To create and load a bootstrap config, make a text file containing a set of commands that you want the SmartPath AP to load as its bootstrap configuration (for an example, see Section 11.5).
Chapter 11: Deployment Examples CLI 11. Deployment Examples CLI This chapter presents several deployment examples to introduce the primary tasks involved in configuring SmartPath APs through the SmartPathOS CLI. In Deploying a Single SmartPath AP in Section 11.1, you deploy one SmartPath AP as an autonomous access point. This is the simplest configuration: You only need to enter and save three commands. In Deploying a Cluster in Section 11.
11.1 Example 1: Deploying a Single SmartPath AP
In this example, you deploy one SmartPath AP (SmartPath AP-1) to provide network access to a small office with 15–20 wireless clients.
4. On your management system, run a VT100 terminal emulation program, such as Tera Term Pro (a free terminal emulator) or Hilgraeve Hyperterminal (provided with Windows operating systems). Use the following settings:
• Bits per second (baud rate): 9600
• Data bits: 8
• Parity: none
• Stop bits: 1
• Flow control: none
For SmartPath APs set with "FCC" as the region code, the Initial CLI Configuration Wizard appears.
Step 3: Configure the wireless clients.
Define the “employee” SSID on all the wireless clients. Specify WPA-PSK for network authentication, AES or TKIP for data encryption, and the preshared key N38bu7Adr0n3.
Step 4: Position and power on the SmartPath AP.
1. Place the SmartPath AP within range of the wireless clients and, optionally, mount it as explained in the mounting section in the chapter about the SmartPath AP model that you are using.
2.
11.2 Example 2: Deploying a Cluster
Building on "Deploying a Single SmartPath AP" in Section 11.1, the office network has expanded and requires more SmartPath APs to provide greater coverage. In addition to the basic configuration covered in the previous example, you configure all three SmartPath APs to form a cluster within the same Layer 2 switched network.
You create a cluster, which is a set of SmartPath APs that collectively distribute data and coordinate activities among themselves, such as client association data for fast roaming, route data for making optimal data-path forwarding decisions, and policy enforcement for QoS and security.
cluster cluster1 password s1r70ckH07m3s
You define the password that cluster members use to derive the preshared key for securing backhaul communications with each other.
interface wifi0 ssid employee
cluster cluster1
cluster cluster1 password s1r70ckH07m3s
interface mgt0 cluster cluster1
3. (Optional) Change the name and password of the superuser.
admin superuser mwebster password 3fF8ha
4. Check that the channel ID for wifi1 and wifi1.1 is now 149.
show interface
If the channel ID for wifi1 and wifi1.1 is not 149, set it to 149 so that SmartPath AP-2 uses the same channel as SmartPath AP-1 for backhaul communications.
Log in to SmartPath AP-3 and enter this command to see its neighbors in SmartPath AP-1:
show cluster cluster1 neighbor
SmartPath AP-3
Chan=channel number; Pow=Power in dBm; A-Mode=Authentication mode; Cipher=Encryption mode; Conn-Time=Connected time; Cstate=Cluster State;
Mac Addr       Chan Tx Rate Rx Rate Pow A-Mode Cipher  Conn-Time Cstate Phymode Cluster
-------------- ---- ------- ------- --- ------ ------- --------- ------ ------- --------
0019:7700:
After associating a wireless client with SmartPath AP-1, log in to SmartPath AP-1 and enter this command:
show ssid employee station
SmartPath AP-1
Chan=channel number; Pow=Power in dBm; A-Mode=Authentication mode; Cipher=Encryption mode; A-Time=Associated time; Auth=Authenticated; UPID=User profile Identifier; Phymode=Physical mode;
Mac Addr       IP Addr    Chan Tx Rate
-------------- ---------- ---- -------
0016:cf8c:57bc 10.1.1.
The setup of cluster1 is complete. Wireless clients can now associate with the SmartPath APs using SSID “employee” and access the network. The SmartPath APs communicate with each other to share client associations (to support fast roaming) and routing data (to select optimal data paths).
11.3 Example 3: Using IEEE 802.1x Authentication
In this example, you use a Microsoft AD (Active Directory) server and a RADIUS server to authenticate wireless network users.
The IP address of the RADIUS server is 10.1.1.10, and the shared secret that SmartPath AP-1 and the RADIUS server use to authenticate each other is "s3cr3741n4b10X". You must also enter the same shared secret on the RADIUS server when you define the SmartPath APs as access devices (see Step 4).
Step 2: Change the SSID on SmartPath AP-1.
1. Change the authentication method in the SSID.
If the supplicant is Windows-based and you are not on a domain:
1. Configure the SSID on your client as follows:
Network name (SSID): employee
Network authentication: WPA2
Data encryption: AES
Enable IEEE 802.
show ssid employee station
Chan=channel number; Pow=Power in dbm; A-Mode=Authentication mode; Cipher=Encryption mode; A-Time=Associated time; Auth=Authenticated; UPID=User profile Identifier; Phymode=Physical mode;
Mac Addr IP Addr
-------------- ---------
Chan Rate Pow A-Mode Cipher A-Time VLAN Auth UPID Phymode
---- ---- ---- -------- ------- -------- ---- ---- ---- -------
54M -38 wpa2-psk aes ccm 00:00:56 1 Yes 0 11g
0016:cf8c:57bc 10
Default Domain
Domain: Type the DNS domain name to which the SmartPath AP RADIUS server and Active Directory server belong; for example, blackbox.com.
Active Directory Server: Choose a previously defined IP object/host name for the Active Directory server from the drop-down list. If you do not see the one that you need, click the New icon ( + ) and define it, or select the blank space at the top of the drop-down list and type the IP address or host name of the server.
Password: Enter the password that the SmartPath AP RADIUS server supplies when requesting a user account lookup on the Active Directory server. The password must exactly match the password entered for the user account defined on the Active Directory server for the SmartPath AP RADIUS server. It can be up to 64 characters long. To ensure accuracy, enter the password again in the Confirm Password field.
LDAP User Group Attribute: Enter the attribute name defined on the Active Directory server that you want to use to link users to user profiles on SmartPath AP authenticators. The default LDAP user group attribute name on Active Directory is "memberOf". (The attribute type set on the Active Directory server must be "string".) The LDAP user group attribute string can be up to 32 characters long.
To configure SmartPath EMS VMA to authenticate administrators whose login accounts are stored on an external RADIUS server:
1. Log in to the home system as an admin with super-user privileges. Either note the name and attribute number of one of the predefined admin groups or create a new one. To create a new admin group, click “Home > Administration > Administrators > Admin Groups > New,” enter the following, and then click “Save”:
Name: Type a name for the group.
Voice traffic is very sensitive to delay and cannot tolerate packet loss without loss of voice quality. When other traffic is competing with voice traffic for bandwidth, it becomes essential to prevent that traffic from interfering with voice traffic.
QoS Policy: “voice”
Voice
qos policy voice qos 6 strict 512 0
The policy assigns the highest priority to voice traffic (class 6). For each voice session up to 512 Kbps, cluster members provide “strict” forwarding; that is, they forward traffic immediately without queuing it.
Streaming Media
qos policy voice qos 5 wrr 20000 90
Because streaming media (class 5) needs more bandwidth than voice does, the policy defines a higher forwarding rate for it: 20,000 Kbps.
2. Define the custom services that you need.
service mms tcp 1755
service smtp tcp 25
service pop3 tcp 110
The Microsoft Media Server (MMS) protocol can use several transports (UDP, TCP, and HTTP). However, for a SmartPath AP to be able to map a service to a SmartPath QoS class, it must be able to identify that service by a unique characteristic such as a static destination port number or a nonstandard protocol number.
Step 3: Apply QoS on SmartPath AP-1.
1. Create a QoS policy.
For SmartPath APs supporting IEEE 802.11a/b/g:
qos policy voice qos 5 wrr 20000 90
qos policy voice qos 3 wrr 54000 60
For SmartPath APs supporting IEEE 802.11a/b/g/n:
qos policy voice qos 6 strict 512 0
qos policy voice qos 5 wrr 20000 90
qos policy voice qos 3 wrr 1000000 60
By default, a newly created QoS policy attempts to forward traffic mapped to Classes 6 and 7 immediately upon receipt.
The user profile rate defines the total amount of bandwidth for all users to which this policy applies. The user rate defines the maximum amount for any single user. The user rate can be equal to but not greater than the user profile rate. (Note: The maximums shown here are for SmartPath APs that support 802.11n data rates. For other SmartPath APs, the maximum rates are 54,000 Kbps.
qos classifier-map oui 00:12:3b qos 6
service mms tcp 1755
service smtp tcp 25
service pop3 tcp 110
qos classifier-map service mms qos 5
qos classifier-map service smtp qos 3
qos classifier-map service pop3 qos 3
qos classifier-profile employee-voice mac
qos classifier-profile employee-voice service
qos classifier-profile eth0-voice mac
qos classifier-profile eth0-voice service
ssid employee qos-classifier employee-voice
interface eth0 qos-classifier eth0-voice
For Smart
11.7 Loading a Bootstrap Configuration
As explained in Section 10.3, SmartPathOS Configuration File Types, a bootstrap config file is typically a small set of commands to which a SmartPath AP can revert when the configuration is reset or if the SmartPath AP cannot load its current and backup configs.
By default, the wifi0 and wifi0.1 interfaces are down, but the mgt0, eth0, wifi1, and wifi1.1 subinterfaces are up. The cluster members need to use wifi1.1, which is in backhaul mode, so that SmartPath AP-3 can rejoin cluster1 and, through cluster1, access DHCP and DNS servers to regain network connectivity. (By default, mgt0 is a DHCP client.) You leave the eth0 interface up so that Cluster-1 and Cluster-2 can retain an open path to the wired network.
Step 3: Load the bootstrap config file on SmartPath AP-2 and SmartPath AP-3.
1. Make a serial connection to the console port on SmartPath AP-2 and log in.
2. Upload the bootstrap-cluster1.txt config file from the TFTP server to SmartPath AP-2 as a bootstrap config.
save config tftp://10.1.1.31:bootstrap-cluster1.txt bootstrap
3. Check that the uploaded config file is now the bootstrap config.
show config bootstrap
4.
SmartPath AP-3:
ssid employee
ssid employee security protocol-suite wpa-auto-psk ascii-key N38bu7Adr0n3
interface wifi0.1 ssid employee
cluster cluster1
cluster cluster1 password s1r70ckH07m3s
interface mgt0 cluster cluster1
save config
11.8.3 Commands for Example 3
Enter the following commands to configure the cluster members to support IEEE 802.1X authentication in Example 3 in Section 11.3:
SmartPath AP-1:
aaa radius-server first 10.1.1.
qos classifier-profile employee-voice mac
qos classifier-profile employee-voice service
qos classifier-profile eth0-voice mac
qos classifier-profile eth0-voice service
ssid employee qos-classifier employee-voice
interface eth0 qos-classifier eth0-voice
For SmartPath APs supporting IEEE 802.11a/b/g:
qos policy voice qos 5 wrr 20000 90
qos policy voice qos 3 wrr 54000 60
For SmartPath APs supporting IEEE 802.
qos policy voice qos 3 wrr 1000000 60
user-profile employee-net qos-policy voice attribute 2
save config
SmartPath AP-3:
qos classifier-map oui 00:12:3b qos 6
service mms tcp 1755
service smtp tcp 25
service pop3 tcp 110
qos classifier-map service mms qos 5
qos classifier-map service smtp qos 3
qos classifier-map service pop3 qos 3
qos classifier-profile employee-voice mac
qos classifier-profile employee-voice service
qos classifier-profile eth0-voice mac
qos classifier-
show config bootstrap
SmartPath AP-2
save config tftp://10.1.1.31:bootstrap-security.txt bootstrap
show config bootstrap
SmartPath AP-3
save config tftp://10.1.1.31:bootstrap-meshpoint.txt bootstrap
show config bootstrap
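Added example (not from the Black Box guide): a pre-deployment check that reads a SmartPathOS command file or session transcript, reports the commands that carry a cleartext secret and any bootstrap load over TFTP, and returns a redacted copy that is safe to attach to a ticket. The function name, the 12-character threshold, and the assembled sample are assumptions of this example; the command shapes are the ones shown in this chapter.

```python
import re

# Constructed sample: command lines copied from this chapter's examples and
# assembled into one file for illustration (not a file shipped by the vendor).
SAMPLE_CONFIG = """\
ssid employee
ssid employee security protocol-suite wpa-auto-psk ascii-key N38bu7Adr0n3
interface wifi0.1 ssid employee
cluster cluster1
cluster cluster1 password s1r70ckH07m3s
interface mgt0 cluster cluster1
admin superuser mwebster password 3fF8ha
save config tftp://10.1.1.31:bootstrap-cluster1.txt bootstrap
"""

# Assumption of this example, not a SmartPathOS rule.
MIN_SECRET_LEN = 12

# Command shapes as they appear on the page; group 1 is kept, group 2 is the secret.
SECRET_PATTERNS = [
    ("ssid-psk", re.compile(r"^(ssid \S+ security protocol-suite \S+ ascii-key )(\S+)$")),
    ("cluster-password", re.compile(r"^(cluster \S+ password )(\S+)$")),
    ("admin-password", re.compile(r"^(admin superuser \S+ password )(\S+)$")),
]
TFTP_BOOTSTRAP = re.compile(r"^save config tftp://(\S+?):(\S+) bootstrap$")


def audit_config(text):
    """Return (findings, redacted_text); findings are (line_no, kind, message)."""
    findings, redacted = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        kept = line
        for kind, pattern in SECRET_PATTERNS:
            match = pattern.match(line)
            if not match:
                continue
            findings.append((line_no, kind, "secret stored in cleartext"))
            if len(match.group(2)) < MIN_SECRET_LEN:
                findings.append((line_no, kind, "secret shorter than %d characters" % MIN_SECRET_LEN))
            kept = match.group(1) + "<redacted>"
            break
        match = TFTP_BOOTSTRAP.match(line)
        if match:
            # TFTP has no authentication or encryption, so the file crosses the wire as-is.
            findings.append((line_no, "tftp-transfer",
                             "%s pulled from %s over TFTP" % (match.group(2), match.group(1))))
        redacted.append(kept)
    return findings, "\n".join(redacted)


if __name__ == "__main__":
    results, safe_copy = audit_config(SAMPLE_CONFIG)
    for line_no, kind, message in results:
        print("line %d [%s] %s" % (line_no, kind, message))
    print(safe_copy)
```

Run it against each bootstrap text file before placing the file on the TFTP server, and keep only the redacted copy outside the management network.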
Chapter 12: Traffic Types 12. Traffic Types This is a list of all the types of traffic that might be involved with a SmartPath AP and SmartPath EMS VMA deployment. If a firewall lies between any of the sources and destinations listed below, make sure that it allows these traffic types. Table 12-1. Traffic supporting network access for wireless clients.
Table 12-2. Traffic supporting management of SmartPath APs.
Table 12-2 (continued). Traffic supporting management of SmartPath APs.
Appendix: Country Codes Appendix. Country Codes When the region code on a SmartPath AP is preset as “world,” you must set a country code for the location where you intend to deploy the SmartPath AP. This code determines the radio channels and power settings that the SmartPath AP can use when deployed in that country. For SmartPath APs intended for use in the United States, the region code is preset as “FCC”—for “Federal Communications Commission”—and the country code is preset for the United States.
Table A-1 (continued). Countries and country codes.
Black Box Tech Support: FREE! Live. 24/7. Tech support the way it should be. Great tech support is just 30 seconds away at 724-746-5500 or blackbox.com. About Black Box Black Box Network Services is your source for an extensive range of networking and infrastructure products. You’ll find everything from cabinets and racks and power and surge protection products to media converters and Ethernet switches all supported by free, live 24/7 Tech support available in 30 seconds or less. © Copyright 2011.