User Guide
Table Of Contents
- Front
- Introduction
- Bridge GUI and Administrative Access
- 2.1 Bridge GUI
- 2.2 Administrative Accounts and Access
- 2.2.1 Global Administrator Settings
- 2.2.2 Individual Administrator Accounts
- 2.2.2.1 Administrator User Names
- 2.2.2.2 Account Administrative State
- 2.2.2.3 Administrative Role
- 2.2.2.4 Administrator Audit Requirement
- 2.2.2.5 Administrator Full Name and Description
- 2.2.2.6 Administrator Interface Permissions
- 2.2.2.7 Administrator Passwords and Password Controls
- 2.2.2.8 Adding Administrative Accounts
- 2.2.2.9 Editing Administrative Accounts
- 2.2.2.10 Deleting Administrative Accounts
- 2.2.2.11 Changing Administrative Passwords
- 2.2.2.12 Unlocking Administrator Accounts
- 2.2.3 Administrator IP Address Access Control
- 2.2.4 SNMP Administration
- Network and Radio Configuration
- 3.1 Network Interfaces
- 3.2 Bridging Configuration
- 3.3 Radio Settings
- 3.3.1 Advanced Global Radio Settings
- 3.3.2 Individual Radio Settings
- 3.3.3 DFS Operation and Channel Exclusion
- 3.3.4 Radio BSS Settings
- 3.3.4.1 BSS Administrative State and Name
- 3.3.4.2 BSS SSID and Advertise SSID
- 3.3.4.3 Wireless Bridge and Minimum RSS
- 3.3.4.4 User Cost Offset and FastPath Mesh Mode
- 3.3.4.5 BSS Switching Mode and Default VLAN ID
- 3.3.4.6 BSS G Band Only Setting
- 3.3.4.7 BSS WMM Setting
- 3.3.4.8 BSS DTIM Period
- 3.3.4.9 BSS RTS and Fragmentation Thresholds
- 3.3.4.10 BSS Unicast Rate Mode and Maximum Rate
- 3.3.4.11 BSS Multicast Rate
- 3.3.4.12 BSS Description
- 3.3.4.13 BSS Fortress Security Setting
- 3.3.4.14 BSS Wi-Fi Security Settings
- 3.3.4.15 Configuring a Radio BSS
- 3.3.5 ES210 Bridge STA Settings and Operation
- 3.3.5.1 Station Administrative State
- 3.3.5.2 Station Name and Description
- 3.3.5.3 Station SSID
- 3.3.5.4 Station BSSID
- 3.3.5.5 Station WMM
- 3.3.5.6 Station Fragmentation and RTS Thresholds
- 3.3.5.7 Station Unicast Rate Mode and Maximum Rate
- 3.3.5.8 Station Multicast Rate
- 3.3.5.9 Station Fortress Security Status
- 3.3.5.10 Station Wi-Fi Security Settings
- 3.3.5.11 Establishing an ES210 Bridge STA Interface Connection
- 3.3.5.12 Editing or Deleting the ES210 Bridge STA Interface
- 3.3.5.13 Enabling and Disabling ES210 Bridge Station Mode
- 3.4 Basic Network Settings Configuration
- 3.5 Location or GPS Configuration
- 3.6 DHCP and DNS Services
- 3.7 Ethernet Interface Settings
- 3.7.1 Port Administrative State
- 3.7.2 Port Speed and Duplex Settings
- 3.7.3 Port FastPath Mesh Mode and User Cost Offset
- 3.7.4 Port Fortress Security
- 3.7.5 Port 802.1X Authentication
- 3.7.6 Port Default VLAN ID and Port Switching Mode
- 3.7.7 Port QoS Setting
- 3.7.8 Port Power over Ethernet
- 3.7.9 Configuring Ethernet Ports
- 3.8 QoS Implementation
- 3.9 VLANs Implementation
- 3.10 ES210 Bridge Serial Port Settings
- Security, Access, and Auditing Configuration
- 4.1 Fortress Security
- 4.1.1 Operating Mode
- 4.1.2 MSP Encryption Algorithm
- 4.1.3 MSP Key Establishment
- 4.1.4 MSP Re-Key Interval
- 4.1.5 Access to the Bridge GUI
- 4.1.6 Secure Shell Access to the Bridge CLI
- 4.1.7 Blackout Mode
- 4.1.8 FIPS Self-Test Settings
- 4.1.9 Encrypted Data Compression
- 4.1.10 Encrypted Interface Cleartext Traffic
- 4.1.11 Encrypted Interface Management Access
- 4.1.12 Guest Management
- 4.1.13 Cached Authentication Credentials
- 4.1.14 Fortress Beacon Interval
- 4.1.15 Global Client and Host Idle Timeouts
- 4.1.16 Changing Basic Security Settings:
- 4.1.17 Fortress Access ID
- 4.2 Internet Protocol Security
- 4.3 Authentication Services
- 4.3.1 Authentication Server Settings
- 4.3.2 The Local Authentication Server
- 4.3.2.1 Local Authentication Server State
- 4.3.2.2 Local Authentication Server Port and Shared Key
- 4.3.2.3 Local Authentication Server Priority
- 4.3.2.4 Local Authentication Server Max Retries and Retry Interval
- 4.3.2.5 Local Authentication Server Default Idle and Session Timeouts
- 4.3.2.6 Local Authentication Server Global Device, User and Administrator Settings
- 4.3.2.7 Local 802.1X Authentication Settings
- 4.3.2.8 Configuring the Local RADIUS Server
- 4.3.3 Local User and Device Authentication
- 4.4 Local Session and Idle Timeouts
- 4.5 ACLs and Cleartext Devices
- 4.6 Remote Audit Logging
- System and Network Monitoring
- System and Network Maintenance
- Index
- Glossary
Bridge GUI Guide: Security Configuration
4.1.3 MSP Key Establishment
You can configure the method that the Bridge and its Secure Clients (and other connecting controller devices) use to establish data encryption keys.
NOTE: On wireless networks, separate multicast packets are sent for each configured key group. To maximize throughput, limit the number selected.
In Normal operating mode (Section 4.1.1) the Bridge supports three Diffie-Hellman groups (DH groups) for key establishment, identified by the size in bits of the modulus used to generate the shared secret key:
- DH-512 (Normal [non-FIPS] operating mode only)
- DH-1024 (Normal [non-FIPS] operating mode only)
- DH-2048 (default selection)
When operating the Bridge in FIPS mode (Section 4.1.1), you cannot use DH-512 or DH-1024 key establishment, because the smaller Diffie-Hellman group moduli are no longer compliant with FIPS 140-2 Security Level 2.
When NSA (National Security Agency) Suite B [5] cryptography is licensed on the Bridge, an additional elliptic curve Diffie-Hellman key establishment method is available for selection: Suite B (specified by the NSA as compliant with the Suite B set of cryptographic algorithms). When Suite B is not licensed on the Bridge, the Bridge GUI displays a link to the features licensing page (refer to Section 6.3).
While a Secure Client can employ only one key establishment option at a time, the Bridge supports multiple key establishment selections, allowing connecting Clients to use any enabled key establishment option.
NOTE: Secure Client versions earlier than 3.1 support only DH-512 key establishment. If you need to support pre-3.1 Secure Client devices, you must include DH-512.
A Secure Client logging on to the Bridge must use a key establishment option enabled on the Bridge. For information on configuring key establishment on Fortress Secure Clients, refer to the Secure Client's user guide.
When two Fortress controller devices are connected, they will negotiate keys using the highest security option mutually supported by the devices. When Suite B key establishment has been licensed on the Bridge, this option represents the highest available security.
NOTE: DH-512 key establishment cannot be selected when a 32-digit Access ID (Section 4.1.17) is in effect.
Larger key moduli also equate to more security among the standard Diffie-Hellman group key establishment options. DH-512 is therefore the least secure DH group; if you do not need the Bridge to support Secure Client versions earlier than 3.1 (which require DH-512), Fortress recommends a more secure key establishment option. Larger key moduli result in somewhat longer initial connection times.
Refer to the Suite B requirements specific to your site and implementation for guidance on Suite B.
5. Refer to Footnote 1 on page 2.
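The rules in this section (FIPS mode excludes DH-512 and DH-1024, Suite B needs a license, DH-512 is incompatible with a 32-digit Access ID, pre-3.1 Secure Clients need DH-512, and peers negotiate the highest mutually supported option) modelled as a configuration check. This is an added example, not Fortress code: the option names, the Config shape and the functions are assumptions drawn from the text above.

```python
# Added example: a model of the MSP key-establishment rules in Section 4.1.3.
# Not Fortress code; Config, validate() and negotiate() are hypothetical.
from dataclasses import dataclass

# Ranked weakest to strongest: larger DH moduli are more secure, and
# Suite B (elliptic curve DH) is the highest option when it is licensed.
RANK = {"DH-512": 0, "DH-1024": 1, "DH-2048": 2, "Suite B": 3}


@dataclass
class Config:
    mode: str                          # "Normal" or "FIPS" (Section 4.1.1)
    enabled: set                       # key-establishment options enabled on the Bridge
    suite_b_licensed: bool = False     # Suite B license present (Section 6.3)
    access_id_digits: int = 16         # 16- or 32-digit Access ID (Section 4.1.17)
    support_pre_3_1_clients: bool = False


def validate(cfg: Config) -> list:
    """Return the list of rule violations; an empty list means the selection is acceptable."""
    problems = []
    for opt in cfg.enabled:
        if opt not in RANK:
            problems.append(f"unknown key-establishment option {opt!r}")
    if cfg.mode == "FIPS" and cfg.enabled & {"DH-512", "DH-1024"}:
        problems.append("DH-512/DH-1024 are not FIPS 140-2 Level 2 compliant and cannot be used in FIPS mode")
    if "Suite B" in cfg.enabled and not cfg.suite_b_licensed:
        problems.append("Suite B is selected but not licensed on the Bridge")
    if "DH-512" in cfg.enabled and cfg.access_id_digits == 32:
        problems.append("DH-512 cannot be selected while a 32-digit Access ID is in effect")
    if cfg.support_pre_3_1_clients and "DH-512" not in cfg.enabled:
        problems.append("pre-3.1 Secure Clients support only DH-512, which is not enabled")
    if not cfg.enabled:
        problems.append("no key-establishment option is enabled")
    return problems


def negotiate(bridge_enabled: set, peer_enabled: set):
    """Pick the highest-security option both sides support; None if they share none."""
    common = [o for o in bridge_enabled & peer_enabled if o in RANK]
    return max(common, key=RANK.get) if common else None


if __name__ == "__main__":
    # Constructed sample: a FIPS-mode Bridge that still has DH-512 selected.
    print(validate(Config("FIPS", {"DH-512", "DH-2048"})))
    # Two controllers sharing DH-2048 and Suite B agree on Suite B.
    print(negotiate({"DH-1024", "DH-2048", "Suite B"}, {"DH-2048", "Suite B"}))
```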