HP MSM7xx Controllers Configuration Guide

Abstract

This document describes how to configure and manage the MSM7xx Controllers. This document applies to the MSM720, MSM760, MSM765 zl, and MSM775 zl Controllers. These products are hereafter referred to generically as controller.
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Acknowledgments

Microsoft®, Windows®, and Windows XP® are U.S.
Contents

1 Introduction  15
New in release 6.4.0.0  15
2 Using the management tool  16
Starting the management tool  16
Using automated workflows
NAT security and static mappings  63
VPN One-to-one NAT  65
IP QoS  65
Configuring IP QoS profiles
Wireless IP filter  134
DHCP server  134
DHCP relay agent  135
VSC data flow
AeroScout RTLS  179
To enable AeroScout support  179
Viewing status information  180
Software retrieval/update
User-assigned VLANs  221
VLAN assignment via RADIUS  221
VLAN assignment via the local user accounts  221
Traffic flow for wireless users
Single controller team operating with non-teamed controllers  275
Multiple teamed and non-teamed controllers  276
Guest access and teaming  276
Guest access with teamed controllers using the same subnet  280
15 Mobility traffic manager
Configuring global 802.1X settings for wired users  338
Configuring global 802.1X settings for wireless users  338
Configuring 802.1X support on an HP 517 or MSM317 switch port  339
MAC-based authentication  339
MAC-based filtering
Simultaneous AP and local mesh support  384
Using 802.11a/n for local mesh  385
Local mesh terminology  385
Local mesh operational modes
Persistence  428
External billing records server profiles  429
Billing records log  431
Table
Access list  484
Advertising  485
Bandwidth level  485
Data rate
LLDP agent  522
Media endpoint discovery (MED) features  523
LLDP settings  524
Application type profiles
Securing the remote login page  551
Authenticating with the login application  552
Authenticating the controller  552
NOC authentication list
1 Introduction

This guide describes how to configure and manage HP MSM7xx Controllers. This document applies to the MSM720, MSM760, MSM765 zl, and MSM775 zl Controllers. These products are hereafter referred to generically as controller. See also the MSM7xx Controller Installation Guide specific to your controller model for details on how to install and initially configure your controller.

New in release 6.4.0.0

Information on what is new and changed in release 6.4.0.
2 Using the management tool

Starting the management tool

Using Microsoft Internet Explorer 8+ or Mozilla Firefox 3+ (with SSL v3 support enabled), open the page https://192.168.1.1 and then log in. This assumes you are connected to the LAN port on the controller (ports 1, 2, 3, or 4 on the MSM720).

About passwords: The default username and password is admin. New passwords must be 6 to 16 printable ASCII characters in length with at least 4 different characters. Passwords are case sensitive.
Three workflows are available:
• Configure initial controller settings: This workflow helps you to initially configure the controller by defining network connections, security settings, and system time. HP recommends that you run this workflow on factory-default controllers.
• Create a wireless network for employees: This workflow helps you create a new wireless network to provide wireless access for employees.
At this point you can:
• Select a page link to make further configuration changes. When done, select Automated workflows to return to the confirmation page.
• Select Done to return to the Automated workflows home page.

TIP: See also the MSM7xx Controller Installation Guide specific to your controller model for more workflow information.

Setting up manager and operator accounts

Two types of administrative user accounts are defined on the controller: manager and operator.
Only one administrator (manager or operator) can be logged in at any given time. Options are provided to control what happens when an administrator attempts to log in while another administrator (or the same administrator in a different session) is already logged in. In every case, the manager's rights supersede those of an operator.
The following options can be used to prevent the management tool from being locked by an idle manager or operator:
• Terminates the current manager session: When enabled, an active manager or operator session will be terminated by the login of another manager. This prevents the management tool from being locked by an idle session until the Account inactivity logout timeout expires.
Passwords

Passwords must be 6 to 16 printable ASCII characters in length with at least 4 different characters. Passwords are case sensitive. Space characters and double quotes ( " ) cannot be used. Passwords must also conform to the selected security policy as follows.
• Follow FIPS 140-2 guidelines: When selected, implements the following requirements from the FIPS 140-2 guidelines:
  ◦ All administrator passwords must be at least six characters long.
Allowed addresses

Enables you to define a list of IP addresses from which to permit access to the management tool. To add an entry, specify the IP address and appropriate mask and select Add. When the list is empty, access is permitted from any IP address.

For example:
To allow access for a single computer with IP address 192.168.1.209, specify:
IP address = 192.168.1.209
Mask = 255.255.255.255
To allow access for several computers in the IP address range 192.168.10.16 to 192.168.10.
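How an "IP address + mask" entry list of this kind decides whether a source address is permitted, including the empty-list case. Added example, not HP's code; the list below is constructed, and the 255.255.255.240 mask for the 192.168.10.16 range is an assumption because the range end is cut off in this copy of the guide.

```python
"""Model of the management tool "Allowed addresses" list (added example, not HP code).

Each entry is an (IP address, mask) pair as entered in the management tool. The
source address of a login attempt is permitted when it falls inside any entry;
an empty list permits every address, as the guide states.
"""
import ipaddress

# Constructed sample list. The /28-style mask on the second entry is an assumption:
# 255.255.255.240 covers 192.168.10.16 through 192.168.10.31.
ALLOWED_ADDRESSES = [
    ("192.168.1.209", "255.255.255.255"),   # a single computer, as in the guide
    ("192.168.10.16", "255.255.255.240"),   # a block of 16 management stations
]


def entry_to_network(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Combine an IP and dotted mask into a network; host bits under the mask are ignored."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def management_access_permitted(source_ip: str, entries) -> bool:
    """True when source_ip may reach the management tool under the given entry list."""
    if not entries:
        return True  # empty list: access is permitted from any IP address
    src = ipaddress.ip_address(source_ip)
    return any(src in entry_to_network(ip, mask) for ip, mask in entries)


def entry_host_count(ip: str, mask: str) -> int:
    """Number of addresses an entry admits; useful for spotting an overly broad mask."""
    return entry_to_network(ip, mask).num_addresses


if __name__ == "__main__":
    for probe in ["192.168.1.209", "192.168.1.210", "192.168.10.31", "192.168.10.32"]:
        print(probe, management_access_permitted(probe, ALLOWED_ADDRESSES))
    for ip, mask in ALLOWED_ADDRESSES:
        print(f"{ip}/{mask} admits {entry_host_count(ip, mask)} address(es)")
```

A mask of 0.0.0.0 on any entry admits every address, so entry_host_count is a quick sanity check before saving the list.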
Configuring Auto-refresh

Select Controller >> Management > Management tool and configure the settings under Auto-Refresh. This option controls how often the controller updates the information in group boxes that show the auto-refresh icon in their title bar. Under Interval, specify the number of seconds between refreshes.

Setting the system time

Select Controller >> Management > System time to open the System time page. This page enables you to configure the time server and time zone information.
LEDs

On an MSM720 you can select Controller >> Tools > LEDs to control operation of the status lights. Until fully operational, status lights follow their normal behavior. This allows potential error conditions to be diagnosed.

Power saving: Select the behavior of all LEDs on the chassis.
• On: All LEDs are off.
• Off: All LEDs are on.

Identify chassis: Use this feature to help you physically identify a particular controller in your installation.
3 Dashboard

The dashboard provides you with a quick way to view key information about the operation of the wireless network. It uses charts and graphs to display status and statistics, and shows 24-hour history for a number of items. To view the dashboard, select Controller >> Dashboard. For example:

NOTE:
• Unless otherwise specified, data is sampled every minute, and then an average is calculated to be displayed as the hourly value.
• Data is updated at the top of the hour.
Admin Down: Indicates the number of APs that are Offline and have been manually set to Admin Down (Administratively Down) by an administrator. This state is used to flag an AP that is known to be offline, for example for maintenance or relocation.

Access Points Utilization: Indicates the number of APs that are able to exchange management information with the controller. Displays the number of APs currently operating in each bandwidth utilization range: <50%, 50% - 80%, >80%.
The tab title displays the following information:
• Current: Indicates the total number of wireless clients that are currently connected.
• Peak: Indicates the maximum number of wireless clients that were connected during the last 24 hours.
• Avg: Indicates the average number of wireless clients that were connected during the last 24 hours.

The information shown in the first box depends on the option you select in the drop-down menu on the right side of the title bar.
• Low: 16 to 25 dB
• Very Low: 15 dB and lower

Wireless Clients per Signal Quality - Last 24 Hours: Displays the average number of connected wireless clients according to their signal quality per hour over the last 24 hours.

Access Points per Number of Wireless Clients - Current: Displays the number of access points that have currently connected wireless clients in one of three ranges: <10, 10 – 50, and >50.
The tab title displays the following information:
• Online: Indicates the number of APs that are able to exchange management information with the controller.
• Offline: Indicates the number of APs that have stopped sending management information to the controller. Rediscovery may re-establish the connection. If not, the APs may have lost power or a network failure has occurred. The APs will have a diagnostic value of Not responding on the Controller >> Controlled APs > Discovered APs page.
The tab title displays the number of APs currently operating in each bandwidth utilization range: <50%, 50% - 80%, >80%. Only online access points with radios that are enabled and operating in access point and/or local mesh mode are shown on this chart. The percent utilization is calculated by comparing the total throughput (transmitted/received) of all radios on an AP for the last minute against the maximum throughput that the radios could theoretically achieve.
The tab title displays the following information:
• Total: Total number of active alarms for all severities.
• Critical (Red): Alarms of this severity indicate a failure and signal the need for immediate attention.
• Major (Orange): Alarms of this severity indicate an impending failure.
• Minor (Yellow): Alarms of this severity indicate a warning condition that can escalate into a more serious problem.

Most Recent Alarms: Displays the ten most recent active alarms.
4 Network configuration

Working with network profiles

The controller uses logical entities called network profiles to manage the configuration of network settings. Network profiles let you define the characteristics of a network and assign a friendly name and VLAN to it. Once defined, network profiles can then be assigned to a port or a trunk (MSM720 only) as required. Network profiles make it easy to use the same settings in multiple places on the controller.
To define a new network profile
1. Select Controller >> Network > Network profiles.
2. Select Add New Profile.
3. Configure profile settings as follows:
• Under Settings, specify a Name for the profile.
• To assign a VLAN, select VLAN ID and then specify a number. If needed, you can also define a range of VLANs. This enables a single VLAN definition to span a large number of contiguously assigned VLANs.
The following interfaces are created by default. They can be edited, but not deleted.

On the MSM720
• Access network is assigned to VLAN 1 and is mapped to ports 1, 2, 3, and 4, untagged. (On an untagged port, the VLAN is only used internally to route/switch traffic.)
• Internet network is assigned to VLAN 10 and is mapped to ports 5 and 6, untagged. (On an untagged port, the VLAN is only used internally to route/switch traffic.)

On all other controllers
• LAN port is assigned to the LAN port untagged.
5. Select the new profile in the table to open the Add/Edit VLAN mapping page.
6. Select the port to which you want to map the profile (in this case port 4). Next, select Untagged for Mode, then select Apply.
7. Select Save. The profile is mapped to port 4 untagged.
8. Select Controller >> Network > IP interfaces to open the IPv4 interfaces page.
9. Select Add New Interface to open the Add/Edit interface page.
10. Under Interface, select the network profile that you defined earlier.
11. Under Assign IP address via, select the addressing method to use.
• DHCP client: Dynamic host configuration protocol. The DHCP server will automatically assign an address to the network profile, which functions as a DHCP client.
• Static: Specify an IP address, Mask, and Gateway.
12. Enable/disable NAT support if required.
13. Select Save.
3. Specify a name for the profile and assign a VLAN ID to it. This example uses the profile name Network A and a VLAN ID of 25. Select Save.
4. Select Controller >> Network > VLANs to open the VLANs page.
5. Select the new profile in the table to open the Add/Edit VLAN mapping page.
6. Select the port to which you want to map the profile (in this case the LAN port).
7. Select Save. The profile is mapped to the LAN port tagged.
9. Select Add New Interface to open the Add/Edit interface page.
10. Under Interface, select the network profile that you defined earlier.
11. Under Assign IP address via, select the addressing method to use.
• DHCP client: Dynamic host configuration protocol. The DHCP server will automatically assign an address to the network profile, which functions as a DHCP client.
• Static: Specify an IP address, Mask, and Gateway.
12. Enable/disable NAT support if required.
13. Select Save.
Addressing

The Access network/LAN port interface must be configured with a static IP address. By default, it is set to the address 192.168.1.1.

Management address: Use this option to assign a second IP address to the Access network/LAN port interface. This address provides a simple way to separate management traffic from user traffic without using VLANs. For example, by default the Access network/LAN port interface is set to 192.168.1.
By default, the Internet port operates as a DHCP client (except on the MSM765 zl and MSM775 zl, where it must be manually configured). Select the option you want to use and select Configure. See the following sections for additional configuration information.
1. Under Settings, define the following:
• Username: Specify the username assigned to you by your ISP. The controller will use this username to log on to your ISP when establishing a PPPoE connection.
• Password/Confirm password: Specify the password assigned to you by your ISP. The controller will use this password to log on to your ISP when establishing a PPPoE connection.
• Maximum Receive Unit (MRU): Maximum size (in bytes) of a PPPoE packet when receiving.
Static addressing

Under Port settings, define the following:
• IP address: Specify the static IP address you want to assign to the port.
• Address mask: Specify the appropriate mask for the IP address you specified.
• Default gateway: Specify the address of the default gateway on the network.

Additional IP addresses

You need to configure these settings if you are making use of the VPN one-to-one NAT feature or the public IP address feature.
Jack: Supported on the MSM765 zl and MSM775 zl only. Indicates the jack (physical interface) to which a port is assigned.
Name: Identifies the port.
Duplex: Not supported on the MSM765 zl and MSM775 zl. Indicates if the port is Full or Half duplex.
Speed: Not supported on the MSM765 zl and MSM775 zl. Indicates the speed at which the port is operating.
Trunk type: Only supported on the MSM720. Indicates the type of trunk to which the port is assigned:
• None: The port is not assigned to a trunk.
Trunk settings

Use these settings to map the port to a trunk group. For more information on trunking, see “Port trunking” (page 70).

Type
• None: The port is not assigned to a trunk group.
• LACP: The port is assigned to a dynamic trunk that uses LACP.
• Trunk: The port is assigned to a static trunk group.

Group
If Type is set to Trunk, select the trunk group to which the port will be assigned.
For information on VPN address pool, see “Configure an IPSec profile for wireless client VPN” (page 509).

Configuring the global DHCP server

The global DHCP server can be used to automatically assign IP addresses to devices that are connected to the controller via the LAN port or through the client data tunnel. If you do not have a DHCP server operating on your network, you can use the global DHCP server to assign addresses to your wired clients, wireless clients, and controlled APs.
4. Under Addresses, define the following:
• Start / End: Specify the starting and ending IP addresses that define the range of addresses the DHCP server can assign to client stations. The address assigned to the controller is automatically excluded from the range.
• Gateway: Specify the IP address of the default gateway the controller will assign to DHCP users. In most cases you will specify the IP address of the controller LAN port as the Gateway.
• Logout HTML user on discovery request: When enabled, the controller will log out a client station if a DHCP discovery request is received from the client station while a DHCP address lease is currently assigned. This feature is useful when multiple users share the same client station. If a user forgets to log out before turning off the client station, the next user will have to wait until the lease expires before being able to log in.
NOTE: If a user’s account is configured for public IP address support and there is no free public IP address in the pool when the user tries to log in, the login is refused.

Assigning public IP addresses to users

To obtain a public IP address, a user’s account must have its Public IP address option enabled.
3. Under Settings, define the following:
• Under Listen for requests on, select the interface on which the DHCP relay agent will listen for requests. Enable the Client data tunnel option when the client data tunnel feature is active on one or more VSCs, and you want tunneled users to be able to receive an IP address via the DHCP relay agent. See Client data tunnel under “WLAN” (page 118).
4. Under Server, define the following:
• Primary DHCP server address: Specify the IP address of the first DHCP server to which the controller should forward DHCP requests.
• Secondary DHCP server address: Specify the IP address of the backup DHCP server to which the controller should forward DHCP requests.
Local tunnel IP address: Specify the IP address of the controller inside the tunnel.
Remote tunnel IP address: Specify the IP address of the remote device inside the tunnel.
Tunnel IP mask: Specify the mask associated with the IP addresses inside the tunnel.
GRE peer IP address: Specify the IP address of the remote device that terminates the tunnel.

Bandwidth control

The controller incorporates a bandwidth management feature that enables control of all user traffic flowing through the controller.
Data rate limits

These settings enable you to limit the total incoming or outgoing data rate on the Internet network profile (MSM720) or Internet port (all other controllers). If traffic exceeds the rate you set for short bursts, it is buffered. Long overages will result in data being dropped. To utilize the full available bandwidth, the Maximum transmit rate and Maximum receive rate should be set to match the incoming and outgoing data rates supported by the connection established on the Internet port.
Bandwidth rates for each level are defined by taking a percentage of the maximum transmit and receive rates defined for the Internet port. Each bandwidth level has four rate settings:
• Transmit rate - guaranteed minimum: Minimum amount of bandwidth that will be assigned to a level as soon as outgoing traffic is present on the level.
• Transmit rate - maximum: Maximum amount of outgoing bandwidth that can be consumed by the level.
CDP configuration

The controller can be configured to transmit CDP (Cisco Discovery Protocol) information on the LAN and Internet ports. This information is used to advertise controller information to third-party devices, such as CDP-aware switches. Network managers can retrieve this information, allowing them to determine the switch ports to which different controllers are connected.
LLDP configuration

The IEEE 802.1AB Link Layer Discovery Protocol (LLDP) provides a standards-based method for network devices to discover each other and exchange information about their capabilities. An LLDP device advertises itself to adjacent (neighbor) devices by transmitting LLDP data packets on all ports on which outbound LLDP is enabled, and reading LLDP advertisements from neighbor devices on ports that are inbound LLDP-enabled.
Port Description TLV content: Select the content to be included in and advertised as part of the port description TLV.
• Interface friendly name: Use the friendly name for the interface (the name you see in the management tool). For example: LAN port, Internet port.
• Interface internal name: Use the internal name for the interface. For example: eth0, eth1.

Generate dynamic system names: When enabled, this feature replaces the system name with a dynamically generated value which you can define.
NOTE:
• Once AP names are dynamically changed by this feature, there is no way to return to the original AP names.
• When the LLDP agent is active on both the LAN port (Access Network on the MSM720) and the Internet port (Internet Network on the MSM720), the name generated on the LAN port is used for both interfaces.
• The dynamic name on the controller is only updated when a change is detected in the neighbor to which a port is connected.
controller can only have one system name. If both the LAN and Internet ports have active agents, then the name generated by the LAN port is used.

System description (Type 6): Description of the system, comprised of the following information: operational mode, hardware type, hardware revision, and firmware version.

System capabilities (Type 7): Indicates the primary function of the device. Set to:
• WLAN access point for APs
• Router for controllers.
When the Internet port (Internet network on the MSM720) is configured to use a static IP address:

NOTE: When using Active Directory for user authentication, set the DNS servers to be the Active Directory servers or the devices that provide SRV records. (Important: The controller cannot be used with an Active Directory domain that is configured to support multiple DNS servers balanced by the Round Robin feature.
DNS switch on server failure: Controls how the controller switches between servers:
• When enabled, the controller switches servers if the current server replies with a DNS server failure message.
• When disabled, the controller switches servers if the current server does not reply to a DNS request.

DNS switch over: Controls how the controller switches back to the primary server.
• When enabled, the controller switches back to the primary server once the primary server becomes available again.
Active routes

This table shows all active routes on the controller. You can add routes by specifying the appropriate parameters and then selecting Add. The routing table is dynamic and is updated as needed. This means that during normal operation the controller adds routes to the table as required. You cannot delete these system routes. The following information is shown for each active route:
• Interface: The port through which traffic is routed.
• Metric: Priority of a route. If two routes exist for a destination address, the controller chooses the one with the lower metric.
• Delete: Select the garbage can icon to delete a route. If the icon has a red line through it, then the route cannot be deleted.

Default routes

The Default routes table shows all default routes on the controller. Default routes are used when traffic does not match any route in the Active routes table.
Generally NAT is used to map all addresses on an internal network to a single address for use on an external network like the Internet. The main benefits are that NAT:
• Enables several devices to share a single connection
• Effectively hides the IP addresses of all devices on the internal network from the external network.

This is illustrated as follows:
[Figure: NAT example. A web page request from a client at 192.168.1.2 passes through the AP and the controller to the ISP; toward the Web server the request is addressed from 202.125.11.26, and the reply is addressed back to 192.168.1.2. Controller address shown as 192.168.1.]
Common applications are affected by NAT as follows:

Application          NAT
FTP (passive mode)   Requires a static mapping to function.
FTP (active mode)    Requires a static mapping to function.
NetMeeting           Requires a static mapping to function.
Telnet               Requires a static mapping to function.
Windows networking   No effect

The controller provides pre-configured static mappings for most common applications, which you can enable as needed. Most Web browsers use FTP in active mode.
6. Select Add to save your changes and return to the NAT mappings page. The new mapping is added to the table.

To support the FTP server, create two additional mappings with the following values:
• Set Standard Services to ftp-data (TCP 20) and set IP address to 192.168.1.3.
• Set Standard Services to ftp-control (TCP 21) and set IP address to 192.168.1.3.
To create an IP QoS profile, select Add New Profile.

Settings
• Profile name: Specify a unique name to identify the profile.
• Protocol: Specify an IP protocol to use to classify traffic by specifying its Internet Assigned Numbers Authority (IANA) protocol number. Protocol numbers are pre-defined for a number of common protocols. If the protocol you require does not appear in the list, select Other and specify the appropriate number manually. You can find IANA-assigned protocol numbers on the Internet.
3. Under Protocol, from the drop-down list select TCP.
4. Under Start port, from the drop-down list select SIP. Start port and End port are automatically populated with the correct value: 5060.
5. Under Priority, from the drop-down list select Very High.
6. Select Save.

NOTE: You could also create another profile using the same parameters but for UDP to cope with any kind of SIP traffic.

7. On the IP QoS Profile page select Add New Profile.
8. Under Profile name, specify Web.
3. In IP QoS profiles, Ctrl-click each profile.
4. Select Save.

Customizing DiffServ DSCP mappings

(These settings do not apply to IP QoS.) You can create custom DSCP mappings that let you override the standard DSCP mappings that are defined by default when you enable DiffServ as the QoS priority mechanism for a VSC or for local mesh links. This enables you to customize how traffic is assigned to the QoS priority queues. To view and configure DSCP mappings, select Controller >> Network > IP QoS.
5 Port trunking

Port trunking enables the MSM720 to combine multiple physical links into a single logical link (trunk) to provide redundancy in the case of link failure. The MSM720 supports static trunking, and dynamic trunking using the LACP (Link Aggregation Control Protocol).
• Creating multiple trunks for traffic aggregation and routing: This example shows two trunks being used to aggregate traffic from APs, while a third trunk is used to egress traffic onto the private network.

Deployment considerations
• All port trunk links must be point-to-point connections between the MSM720 and the other device configured for port trunking (switch, router, server, etc.). No intervening, non-trunking devices are allowed.
• A maximum of six trunks can be created.
• Static trunks and dynamic trunks are supported at the same time.

Static trunks
• Ports on both ends of a static trunk must have the same link speed and duplex settings, and be of the same media type (Ethernet or fiber).
• A static trunk can combine a maximum of two ports.
• A static trunk can support multiple tagged and untagged VLANs.

Dynamic trunks
• All ports in a dynamic trunk must have the same media type (Ethernet or fiber) and speed.
-
2. Select Add New Profile.
3. Configure profile settings as follows:
   • Set Name to Static Trunk.
   • Select VLAN ID and set a value of 11.
4. Select Save. The new profile appears on the Network profiles page.
5. Select Controller >> Network > Ports.
6. Select Port 3.
7. Under Trunk settings make the following settings:
   • Set Type to Trunk.
   • Set Group to Trunk 1.
-
8. Select Save.
9. Select Port 4. Repeat steps 7 and 8. When done, the ports page will look like this:
10. Select Controller >> Network > VLANs.
11. Select Static Trunk. The Add/Edit VLAN mapping page opens. (Note that under Map To, Port 3 and Port 4 do not appear because they are already mapped to Trunk 1.)
-
12. Under Map to, select Trunk 1 and set Mode to Tagged, then select Apply.
13. Select Save. The trunk is now configured and is ready for use. (Note that Trunk 1 remains mapped to the Access network as untagged. A trunk can be mapped to more than one network profile as tagged, but only one network profile as untagged. For example, if another network profile was created on VLAN 12, Trunk 1 could also be mapped to that profile as tagged.)
-
In this example, the trunk will connect to an HP switch using ports 3, 4 and 6 on the MSM720. Traffic on the trunk will use the default VLAN, which will be set to 22.
1. Select Controller >> Network > Network profiles.
2. Select Add New Profile.
3. Configure profile settings as follows:
   • Set Name to LACP Trunk.
   • Select VLAN ID and set a value of 22.
4. Select Save. The new profile appears on the Network profiles page.
-
5. Select Controller >> Network > Ports.
6. Select Port 3.
7. Under Trunk settings, set Type to LACP.
8. Select Save.
9. Select Port 4 and repeat steps 7 and 8; then do the same for Port 6.
10. Select Controller >> Network > VLANs. Currently, the Access network profile is set as the default VLAN, so ports 3, 4, 6 appear in the untagged column for this profile. Since LACP trunks always use the default VLAN, you must move it to the LACP Trunk profile.
-
11. Select LACP Trunk. 12. Under Selected network profiles, select Default. This assigns the LACP Trunk as the default VLAN (VLAN 22). 13. Select Save. The trunk is now configured and is ready for use. 14. Connect ports 3, 4, and 6 to the switch. 15. Select Controller >> Network > Ports. The status lights for ports 3, 4, and 6 should be green and all ports should be assigned to Trunk type LACP and Trunk group Dynamic 1. 16. Select Controller >> Network > VLANs.
-
17. Select Controller >> Status > LACP. The table indicates that: • Ports 3 and 4 are active members of the LACP trunk and are sending traffic according to the LACP load balancing algorithm. • Port 6 is in standby mode, waiting in case an active port fails. Traffic on the port is blocked.
-
6 Wireless configuration Wireless coverage IMPORTANT: This section describes factors that affect wireless coverage. The Radio Resource Management (RRM) feature will account for these factors and enable you to automatically manage the wireless network for optimum performance. See “Radio Resource Management” (page 182).
-
Physical characteristics of the location To maximize coverage of a wireless cell, wireless APs are best installed in an open area with as few obstructions as possible. Try to choose a location that is central to the area being served. Radio waves cannot penetrate metal; they are reflected instead.
-
Selecting channels in the 2.4 GHz band In the 2.4 GHz band, the center frequency of each channel is spaced 5 MHz apart (except for channel 14). Each 802.
-
Reducing transmission delays by using different operating frequencies in North America. Alternatively, you can stagger cells to reduce overlap and increase channel separation, as shown in the following figure. Using only three frequencies across multiple cells in North America. This strategy can be expanded to cover an even larger area using three channels, as shown in the following figure.
-
Using three frequencies to cover a large area in North America. Gray areas indicate overlap between two cells that use the same frequency. Distance between APs In environments where the number of wireless frequencies is limited, it can be beneficial to adjust the receiver sensitivity of the AP. To make the adjustment, select Controlled APs >> Radio management > Radio configuration > [radio] and set the Distance between access points option.
-
devices in the network, the collision rate will grow exponentially and prevent any useful throughput from the wireless network. 802.11n clients face the same problem as described above – legacy 802.11b clients cannot detect the High Throughput (HT) rates that 802.11n uses. So to avoid causing excessive collisions, 802.11n clients must use the same protection mechanisms when a legacy client is present.
-
-
Radio configuration parameters This section provides definitions for all configuration parameters that are present on all products. Regulatory domain Indicates the geographical region in which the AP is operating. To set the regulatory domain, see “Assigning country settings to a group” (page 170). Operating mode Select the operating mode for the radio. Available options are: • Access point and Local mesh: Standard operating mode provides support for all wireless functions.
-
Product             Access point and Local mesh   Access point only   Local mesh only   Monitor   Sensor
MSM466, MSM466-R    ✔                             ✔                   ✔                 ✔         ✕
HP 517              ✕                             ✔                   ✕                 ✔         ✕

The following table shows all radio parameters that are configurable for each operating mode.
-
Parameter                              Access point and Local mesh   Access point only   Local mesh only   Monitor   Sensor
“Transmit power control” (page 99)     ✔                             ✔                   ✔                 ✕         ✕
“Neighborhood scanning” (page 101)     ✕                             ✔                   ✕                 ✔         ✕

Certain parameters are not supported on all radios. Refer to the parameter descriptions that follow for details.

Wireless mode
Supported wireless modes are determined by the regulations of the country in which the AP is operating, and are controlled by the country setting on the AP.
-
Radio 1 on: HP 425, MSM430, MSM460 (not supported in Monitor mode)
Frequency band: 5 GHz
Data rates: Up to 54 Mbps. This is a legacy mode that can be used to support older wireless client stations.

802.11n/b/g (2.4 GHz)
Supported on: MSM410, MSM422, HP 517
Radio 2 on: HP 425, MSM430, MSM460, MSM466
Frequency band: 2.4 GHz
Data rates: For 802.11n clients: Up to 130 Mbps on the MSM410, MSM422, HP 425, MSM430, MSM460, MSM466, MSM466-R.
-
802.11b (2.4 GHz)
Supported on: MSM310, MSM317, MSM320, MSM335
Frequency band: 2.4 GHz
Data rates: Up to 11 Mbps. This is a legacy mode that can be used to support older wireless client stations.

802.11a Turbo
Supported on: MSM310, MSM320, MSM335
Frequency band: 5 GHz
Data rates: Up to 108 Mbps. Provides channel bonding in the 5 GHz frequency band for enhanced performance. Useful to provide increased throughput when creating local mesh links between two APs.
-
This setting only appears when Wireless mode is set to 802.11n/b/g and Channel width is set to Auto 20/40 MHz. This setting determines where the second 20 MHz channel is located. • Above the beacon (+1): The secondary channel is located on a channel above the currently selected channel. • Below the beacon (-1): The secondary channel is located on a channel below the currently selected channel. Channel Select channel (frequency) for wireless services.
-
MHz channel is formed from the indicated channel plus the next channel. A (-1) indicates that the 40 MHz channel is formed from the indicated channel plus the previous channel. With a 40 MHz Channel width in the 5 GHz band, channel selection and usage is as follows for the first four channels:

Channel selected   Channels used
36 (1)             36 + 40
40 (-1)            40 + 36
44 (1)             44 + 48
48 (-1)            48 + 44

NOTE: The channel selected is the primary channel and the channel above or below it becomes the secondary channel.
-
When the Automatic option is selected for Channel, this parameter determines how often the AP re-evaluates the channel setting.
• Select Time of day to have the channel setting re-evaluated at a specific time of day. Note that to prevent all APs from re-evaluating their channel at the same time, a random delay between 0 and 2 hours is added to the time of day for each AP.
-
MSM310, MSM310-R, and MSM320 Select Diversity, Main, or Auxiliary according to the following guidelines: • For a single antenna, connect one antenna to either Main or Aux and select the corresponding value. • For maximum wireless coverage, install an omnidirectional antenna on the Main and Aux antenna connectors and select Diversity. • When creating a point-to-point wireless bridge, HP recommends that a single directional antenna be used on either Main or Aux.
-
MIMO uses spatial multiplexing to transport two or more data streams simultaneously on the same channel to increase throughput. For example, under most conditions, multiplexing two streams can result in double the throughput of a single stream. MIMO mode 2x2 is automatically used, which means that both antennas (either internal or external) are used to transmit and receive the spatial streams. Antenna gain Supported on: MSM310.
-
HP APs support the following two explicit beamforming techniques: • Non-compressed beamforming, in which the client station calculates and sends the steering matrix to the AP. • Compressed beamforming, in which the client station sends a compressed steering matrix to the AP. Radio calibration is not required to use either of these two methods. NOTE: Beamforming only works with wireless clients that are configured to support it. RTS threshold Not available in Monitor or Sensor modes.
-
Tx protection Supported on: MSM410, HP 425, MSM430, MSM460, MSM466, MSM466-R Not available in Monitor or Sensor modes. When an AP is operating in an 802.11n mode, and legacy (a/b/g) traffic is present on the same channel as 802.11n traffic, this feature can be used to ensure maximum 802.11n throughput. The following options are available: • CTS-to-self: 802.11n transmissions are protected by sending a Clear To Send (CTS) frame that blocks other wireless clients from accessing the wireless network.
-
Distance between APs Not available in Monitor or Sensor modes. Use this parameter to adjust the receiver sensitivity of the AP only if you have a very dense deployment where many APs are close together. In all other cases, use the default setting of Large. If you have installed multiple APs, reducing the receiver sensitivity helps to keep clients with low signal quality from connecting, thereby increasing the probability that client stations connect with the nearest AP.
-
When using antennas not originally supplied with the AP, it is your responsibility to ensure that the Transmit power control settings are configured so that the radio will not exceed permissible power levels for the regulatory domain in which the AP is operating. Depending on the regulatory domain, the specific antenna chosen, the wireless mode, channel width, band or channel selected, you may need to configure the radio with a reduced transmit power setting.
-
• 15 - 29 dBm: HP 517 operating at 2.4 GHz. • 16 - 28 dBm: HP 517 operating at 5 GHz. Automatic power control Select this checkbox to have the AP automatically determine the optimal power setting within the defined power limits (i.e., up to the specified percentage/dBm value). Interval Specify the interval at which the Automatic power control feature adjusts the optimal power setting.
-
Recommended settings for dual radio APs: • With IDS disabled, configure both radios for Operating band only. • With IDS enabled, configure the 2.4 GHz radio for Operating band only (with a small scan ratio), and configure the 5 GHz radio for All bands (with a larger scan ratio). The 2.4 GHz band is probably much busier than the 5 GHz band, so IDS scanning using the 5 GHz radio has a reduced performance impact. Channels to scan • All channels: Scan all channels supported by the current operating mode.
-
Duration Indicates how long the client station has been authorized. Signal Indicates the strength of the radio signal received from client stations. Signal strength is expressed in decibel milliwatt (dBm). The higher the number the stronger the signal. Noise Indicates how much background noise exists in the signal path between client stations and the AP. Noise is expressed in decibel milliwatt (dBm). The lower (more negative) the value, the weaker the noise.
-
This page shows the volume of traffic sent and received at each data rate for each client station. Headings in bold indicate the data rates that are currently active for the wireless mode being used. Supported wireless rates depend on the AP model. Legacy rate traffic Displays information for users connected via any 802.11 a/b/g mode. The size of the bar indicates the amount of traffic sent or received at each rate. High throughput (HT) rate traffic Displays information for users connected via any 802.
-
Data rates in Mbps

MCS   20 MHz/800 ns   20 MHz/400 ns   40 MHz/800 ns   40 MHz/400 ns
9     26.00           28.90           54.00           60.00
10    39.00           43.30           81.00           90.00
11    52.00           57.80           108.00          120.00
12    78.00           86.70           162.00          180.00
13    104.00          115.60          216.00          240.00
14    117.00          130.00          243.00          270.00
15    130.00          144.40          270.00          300.00
16    19.50           21.70           40.50           45.00
17    39.00           43.30           81.00           90.00
18    58.50           65.00           121.50          135.00
19    78.00           86.70           162.00          180.00
20    117.00          144.
-
One spatial stream

Data rates in Mbps - Nss=1

MCS   20 MHz/800 ns   20 MHz/400 ns   40 MHz/800 ns   40 MHz/400 ns   80 MHz/800 ns   80 MHz/400 ns
0     6.50            7.20            13.50           15.00           29.3            32.5
1     13.00           14.40           27.00           30.00           58.5            65
2     19.50           21.70           40.50           45.00           87.8            97.5
3     26.00           28.90           54.00           60.00           117             130
4     39.00           43.30           81.00           90.00           175.5           195
5     52.00           57.80           108.00          120.00          234             260
6     58.50           65.00           121.50          135.00          263.3           292.5
7     65.00           72.20           135.00          150.00          292.
-
Data rates in Mbps - Nss=3

MCS   20 MHz/800 ns   20 MHz/400 ns   40 MHz/800 ns   40 MHz/400 ns   80 MHz/800 ns   80 MHz/400 ns
2     58.5            65              121.5           135             263.3           292.5
3     78              86.7            162             180             351             390
4     117             130             243             270             526.5           585
5     156             173.3           324             360             702             780
6     175.5           195             364.5           405             n/a             n/a
7     195             216.7           405             450             877.5           975
8     234             260             486             540             1053            1170
9     260             288.
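The rate tables above are not arbitrary: every cell is the number of data bits carried per OFDM symbol divided by the symbol time. The following is an added example, not code from the HP guide, that derives 802.11n (HT) and 802.11ac (VHT) PHY rates from the standard MCS modulation/coding table, the data-subcarrier count per channel width, and the guard interval, and that marks the combinations the 802.11ac standard leaves undefined (the "n/a" cells). The rounding is half-up to one decimal, which is what the tables use. The 802.11n index mapping (MCS 0-31, index modulo 8 selects the modulation, index // 8 + 1 the stream count) is the standard equal-modulation scheme.

```python
# Added example (not HP's code): derive 802.11n/ac PHY rates from first principles.
import math

# 802.11ac MCS 0-9: (coded bits per subcarrier per stream, coding rate)
AC_MCS = [(1, 1/2), (2, 1/2), (2, 3/4), (4, 1/2), (4, 3/4),
          (6, 2/3), (6, 3/4), (6, 5/6), (8, 3/4), (8, 5/6)]
DATA_SUBCARRIERS = {20: 52, 40: 108, 80: 234, 160: 468}   # N_SD per channel width
SYMBOL_US = {800: 4.0, 400: 3.6}                          # symbol time for 800/400 ns GI

# (width_mhz, mcs, nss) combinations the 802.11ac standard does not define
_EXCLUDED = {(20, 9, 1), (20, 9, 2), (20, 9, 4), (20, 9, 5), (20, 9, 7), (20, 9, 8),
             (80, 6, 3), (80, 6, 7), (160, 9, 3)}


def _round_half_up(x: float, places: int = 1) -> float:
    """Round half-up (29.25 -> 29.3), matching the convention in the tables."""
    f = 10 ** places
    return math.floor(x * f + 0.5) / f


def vht_rate_mbps(mcs: int, nss: int, width_mhz: int, gi_ns: int = 800):
    """802.11ac data rate in Mbps, or None for an undefined combination."""
    if not 0 <= mcs <= 9 or not 1 <= nss <= 8:
        raise ValueError("MCS must be 0-9 and Nss 1-8")
    if (width_mhz, mcs, nss) in _EXCLUDED:
        return None
    bits_per_subcarrier, coding_rate = AC_MCS[mcs]
    data_bits_per_symbol = nss * bits_per_subcarrier * coding_rate * DATA_SUBCARRIERS[width_mhz]
    return _round_half_up(data_bits_per_symbol / SYMBOL_US[gi_ns])


def ht_rate_mbps(ht_mcs: int, width_mhz: int, gi_ns: int = 800) -> float:
    """802.11n equal-modulation MCS 0-31 at 20 or 40 MHz (no undefined combinations)."""
    if not 0 <= ht_mcs <= 31:
        raise ValueError("HT MCS must be 0-31")
    if width_mhz not in (20, 40):
        raise ValueError("802.11n uses 20 or 40 MHz channels")
    return vht_rate_mbps(ht_mcs % 8, ht_mcs // 8 + 1, width_mhz, gi_ns)


if __name__ == "__main__":
    # Reproduce a few cells from the tables above.
    print("HT MCS 15, 40 MHz, SGI:", ht_rate_mbps(15, 40, 400))        # 300.0
    print("VHT MCS 1, Nss 1, 40 MHz:", vht_rate_mbps(1, 1, 40))        # 27.0
    print("VHT MCS 8, Nss 3, 40 MHz:", vht_rate_mbps(8, 3, 40))        # 486.0
    print("VHT MCS 6, Nss 3, 80 MHz:", vht_rate_mbps(6, 3, 80))        # None
```

Running the script against the tables shows where extraction or typesetting damaged a value: a cell that does not match the computed rate (for example a 40 MHz Nss=1 MCS 1 entry other than 27.0) is wrong, since the formula has no free parameters.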
-
Wireless status Wireless port • Up: Port is operating normally. • Down: Port is not operating. Frequency The current operating frequency. Wireless mode Current wireless mode. Operating mode Current operating mode. Tx power Current transmission power. Transmit protection status • Disabled: HT protection / G protection is disabled. • B clients: G protection is enabled because a B client is connected to the AP.
-
Tx unicast octets The number of octets transmitted successfully as part of successfully transmitted unicast MSDUs. These octets include MAC Header and Frame Body of all associated fragments. Tx fragments The number of MPDUs of type Data or Management delivered successfully; i.e., directed MPDUs transmitted and being ACKed, as well as non-directed MPDUs transmitted.
-
Tx dropped Not shown on the MSM410, HP 425, MSM430, MSM460, MSM466, and MSM466–R. The number of packets that could not be transmitted. This can occur when the wireless configuration is being changed. Tx errors Not shown on the MSM410, HP 425, MSM430, MSM460, MSM466, and MSM466–R. The total number of packets that could not be sent due to the following errors: Rx retry limit exceeded and TX discards wrong SA. Rx packets Not shown on the MSM410, HP 425, MSM430, MSM460, MSM466, and MSM466–R.
-
Rx WEP undecryptable The number of received MPDUs, with the WEP subfield in the Frame Control field set to one, that were discarded because it should not have been encrypted or due to the receiving station not implementing the privacy option. Rx FCS errors The number of MPDUs, considered to be destined for this station (Address matches), received with an FCS error. Note that this does not include data received with an incorrect CRC in the PLCP header. These are not considered to be MPDUs.
-
7 Working with VSCs Key concepts A VSC (virtual service community) is a collection of configuration settings that define key operating characteristics of the controller and controlled APs. In most cases, a VSC is used to define the characteristics of a wireless network and to control how wireless user traffic is distributed onto the wired network. Multiple VSCs can be active at the same time, allowing for great flexibility in the configuration of services.
-
The HP VSC profile is defined by default. • To add a VSC, select VSCs >> Overview > VSC profiles > Add New VSC Profile. • To edit a VSC, select its name in the VSC list, or in the Network Tree. In either case, the VSC profile page opens. In this page sample, only the top of the VSC profile page is shown. The default VSC The default VSC is used as a fallback for any traffic that goes through the controller and that cannot be identified as coming from an MSM AP.
-
About access control and authentication The availability of certain VSC features and their functionality is controlled by the settings of two important parameters in the Global box. These parameters determine how authentication and access control are handled by the VSC: Use Controller for: Authentication Determines if user authentication services (802.1X, WPA, WPA2, HTML-based, MAC-based) are provided by the controller. When enabled, APs forward user login requests to the controller.
-
When both authentication and access control are enabled In this configuration, the controlled AP forwards authentication requests from users on the VSC to the controller. The controller resolves these requests using the local user list, or the services of a third-party authentication server (Active Directory or RADIUS server). The controller then manages access to the protected network using its access control features (public access, interface, access lists, etc.).
-
Summary of VSC configuration options The following table lists the VSC configuration options that are available depending on how access control and authentication are configured.
-
NOTE: Display of the Session page (and other pages that are part of the public access interface) may not work for all users. These pages will fail if the initial traffic from the user's computer is sent by an application other than the user's browser. For example: messaging software, automatic software update services, e-mail applications. Identify stations based on IP address only This option only applies when the HTML-based user logins option is enabled.
-
WLAN Settings Name (SSID) Specify a name to uniquely identify the wireless network associated with this VSC. The wireless network is created by the controlled APs and managed by the controller. Each wireless user that wants to connect to this VSC must use the WLAN name. The name is case-sensitive. DTIM count Specify the DTIM period in the wireless beacon sent by the controlled APs. Client stations use the DTIM to wake up from low-power mode to receive multicast traffic. APs transmit a beacon every 100 ms.
-
An AP uses the following methods to encourage a wireless client to associate at 5 GHz instead of 2.4 GHz. • The AP waits 200 ms before responding to the first probe request sent by a client at 2.4 GHz. • If the AP has learned that a client is capable of transmitting at 5 GHz, the AP refuses the first association request sent by the client at 2.4 GHz. • Once a client is associated at 5 GHz, the AP will not respond to any 2.
-
Generally, most clients will be involved in the bidirectional exchange of unicast packets. In this case, the rules can be simplified by assuming that the most restrictive setting for this option takes precedence. For example: • If VSC1 is set to No and VSC2 is set to All, no communication is permitted between clients on the two VSCs, or between clients on VSC1. However, all clients on VSC2 can communicate with each other. • If VSC1 is set to 802.1X and VSC2 set to All, only 802.
-
Quality of service The quality of service (QoS) feature provides a number of different mechanisms to prioritize wireless traffic sent to wireless client stations. See “Quality of service” (page 139). Allowed wireless rates Select the wireless transmission speeds (in Mbps) that this VSC will support for each wireless mode. Clients will only be able to connect at the rates that you select. If a client does not support the selected rate and mode, it will not be able to connect to this VSC.
-
To ensure a high quality of service for voice applications, disable all rates below 5.5 Mbps. Also, ensure that the radio is configured as follows: • Operating mode is set to Access point only. • Channel is set to a fixed channel, or Automatic with interval set to Disabled. • Automatic power control is disabled under Transmit power control. Notes on 802.11ac/n • 802.11n supports legacy rates (1 to 54), as well as high-throughput (HT) rates MCS 0 to MCS 23.
-
When the SSID option is enabled, the VSC accepts incoming traffic that has its SSID set to the WLAN name (SSID) defined under Virtual AP. The Ethernet Switch option enables the VSC to be bound to the switch ports on an HP 517 or MSM317. See the HP 517 802.11ac Unified Walljack Configuration Guide and the MSM317 Access Device Installation and Configuration Guide. If a VSC is bound to an HP 517 or MSM317 switch port, it cannot handle traffic from wireless clients on the HP 517/MSM317 or any other APs.
-
Default user data rates These options enable you to set the default data rates for authenticated users that do not have a data rate set in their RADIUS accounts, and for unauthenticated users. For details on setting user data rates using RADIUS attributes, see “Public/guest network access” (page 396) and “Working with RADIUS attributes” (page 435). Settings Max transmit Specify the maximum rate (in kbps) at which users can send data.
-
• Bind the same VSC to all APs that will support roaming. • Configure the Wireless security filters so that they do not interfere with roaming functionality. In most cases, these filters should be disabled. If you need to use them, note that: ◦ The Restrict wireless traffic to: Access point default gateway option is not supported.
-
• All APs must have VSCs with the same name, SSID, and wireless protection settings. • Wireless protection must be WPA, or 802.1X authentication must be enabled. NOTE: RADIUS accounting is not supported when this option is enabled. Wireless security filters APs feature an intelligent bridge that can apply security filters to safeguard the flow of wireless traffic.
-
• IP broadcast packets, except NetBIOS • Certain address management protocols (ARP, DHCP) regardless of their source address. • Any traffic addressed to the AP, including 802.1X. Blocked • All traffic that is not accepted is blocked. This includes NetBIOS traffic regardless of its source/destination address. HTTPS traffic not addressed to the AP (or upstream device) is also blocked, which means wireless users cannot access the management tool on other HP APs.
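The filter rules above (accept ARP/DHCP and traffic addressed to the AP, accept IP broadcasts except NetBIOS, accept traffic to the AP's default gateway when the "Restrict wireless traffic to: Access point default gateway" option is used, block everything else) are easy to get wrong in order, because the NetBIOS exception must win over the broadcast rule. The following is an added example, not the AP firmware or any HP code: a small model of the decision applied to constructed frames. The MAC addresses, ports and frames are made up for the test, and the accept list is limited to the rules visible in this section.

```python
# Added example (not HP's code): a model of the wireless security filter rules above.
from dataclasses import dataclass
from typing import Optional, Tuple

ETH_IP, ETH_ARP, ETH_EAPOL = 0x0800, 0x0806, 0x888E
TCP, UDP = 6, 17
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
NETBIOS_PORTS = {137, 138, 139}   # NetBIOS name / datagram / session services
DHCP_PORTS = {67, 68}


@dataclass(frozen=True)
class Frame:
    """Only the fields the filter looks at; values in tests are constructed."""
    dst_mac: str
    ethertype: int
    ip_proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _is_netbios(f: Frame) -> bool:
    return f.ethertype == ETH_IP and f.ip_proto in (TCP, UDP) and bool(
        NETBIOS_PORTS & {f.src_port, f.dst_port})


def _is_dhcp(f: Frame) -> bool:
    return f.ethertype == ETH_IP and f.ip_proto == UDP and bool(
        DHCP_PORTS & {f.src_port, f.dst_port})


def wireless_filter(f: Frame, ap_mac: str, gateway_mac: str) -> Tuple[str, str]:
    """Decide ("accept" | "block", reason) for a frame received from a wireless client.

    ap_mac is the AP's own address; gateway_mac is the AP's default gateway
    (the upstream device the filter restricts traffic to). Rule order matters:
    NetBIOS is rejected first so that NetBIOS broadcasts do not slip through
    the IP-broadcast rule.
    """
    if _is_netbios(f):
        return "block", "NetBIOS is blocked regardless of source/destination"
    if f.ethertype == ETH_ARP or _is_dhcp(f):
        return "accept", "address management protocol (ARP/DHCP)"
    if f.dst_mac == ap_mac:
        return "accept", "addressed to the AP (includes 802.1X/EAPOL)"
    if f.ethertype == ETH_IP and f.dst_mac == BROADCAST_MAC:
        return "accept", "IP broadcast"
    if f.dst_mac == gateway_mac:
        return "accept", "addressed to the AP default gateway (upstream device)"
    return "block", "not addressed to the AP or its default gateway"


if __name__ == "__main__":
    AP, GW, OTHER_AP = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "66:77:88:99:aa:bb"
    # HTTPS to another AP's management interface: blocked, as the guide states.
    print(wireless_filter(Frame(OTHER_AP, ETH_IP, TCP, 50000, 443), AP, GW))
    # Same HTTPS flow via the default gateway: accepted.
    print(wireless_filter(Frame(GW, ETH_IP, TCP, 50000, 443), AP, GW))
```

The practical consequence is the one the section draws: a client on a filtered VSC can still reach the Internet through the gateway but cannot talk to another client, another AP, or any host on the local subnet other than the gateway, so peer-to-peer services (NetBIOS included) stop working by design.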
-
WPA This option enables support for users with WPA / WPA2 client software. Mode Support is provided for: • WPA (TKIP): (Not supported on the HP 517.) WPA with TKIP encryption. When you enable this option, the VSC can only support legacy a/b/g traffic. All 802.11n features on a radio are disabled for this VSC. • WPA2 (AES/CCMP): WPA2 (802.11i) with AES/CCMP encryption. • WPA or WPA2: Mixed mode supports both WPA (version 1) and WPA2 (version 2) at the same time.
-
Terminate WPA at the controller This feature is intended for low throughput applications, such as supporting point of sale (POS) terminals. Enabled When enabled, the controller acts as the termination point for all WPA/WPA2 sessions. This enables the network to meet PCI (Payment Card Industry) compliance supporting the connection of point of sale (POS) terminals. Disabled When disabled, WPA/WPA2 sessions are terminated at the AP.
-
The key is generated via the configured 802.1X authentication method. Therefore, when you enable this option, the 802.1X authentication feature is automatically enabled. • Static key: This is a static key that you must define. ◦ Key: The number of characters you specify for the key determines the level of encryption. For 40-bit encryption, specify 5 ASCII characters or 10 HEX digits. For 128-bit encryption, specify 13 ASCII characters or 26 HEX digits. Note that WEP at either key length is cryptographically broken and the key can be recovered from captured traffic; use it only for legacy devices that cannot support WPA2, and isolate them on their own VSC.
-
RADIUS authentication realms When realms are enabled for accounting or authentication, selection of the RADIUS server to use is based on the realm name. If no match is found, then the configured RADIUS profile name is used. This applies to any VSC authentication or accounting setting that uses a RADIUS server. Realm names are extracted from user names as follows: if the username is person1@mydomain.com then mydomain.com is the realm.
-
HTML-based user logins This option defines settings for users who log in to the public access interface using a Web browser. If you disable this option, the public access interface Login page is not shown to these users. However, login is still possible via other methods such as MAC authentication and 802.1X. For configuration details, see “Configuring HTML-based authentication on a VSC” (page 348).
-
Location-aware This option enables you to control logins to the public access network based on the AP, or group of APs, to which a user is connected. It is automatically enabled when a VSC is set to Access control. Location-aware is always enabled when using the controller for authentication or access-control with a remote RADIUS server. For each user login, location-aware sends the PHY Type, SSID, and VLAN to the remote RADIUS server. It also includes the specified Called-Station-Id content.
-
Client address is not in the MAC address list, filter action Allow:
  • When used alone: Access is denied.
  • When used with MAC-based authentication: Access is granted or denied based on the result of MAC-based authentication. (Not supported on access-controlled VSCs.)
  • When used with 802.1X authentication: Access is granted or denied based on the result of 802.1X authentication.
Client address is not in the MAC address list, filter action Block:
  • When used alone: Access is granted.
-
To receive traffic from users, the controller assigns the Gateway address you specify to its LAN port. NOTE: These configuration options do not appear for the default VSC. The default VSC uses the same settings as defined on the Controller >> Network > Address allocation page. DHCP relay agent This option is only available if the controller is currently configured as a DHCP relay agent on the Controller >> Network > Address allocation page. Refer to “Configuring the DHCP relay agent” (page 48).
-
Access control enabled This diagram shows traffic flow when an access-controlled VSC is bound to an AP.
-
VSC on controller Ingress • SSID (Client data tunnel): When a client data tunnel has been created between the AP and the controller, all user traffic comes in on it. See Client data tunnel. The tunnel is established using same interface on which the AP was discovered. (LAN or Internet port). • SSID: SSID is retrieved using the location-aware function. • VLAN (LAN or Internet port): Traffic with a VLAN ID is handled by the VSC with a matching VLAN definition. See “Using multiple VSCs” (page 138).
-
Features • Authentication: The AP supports 802.1X or MAC authentication. To validate user login credentials the AP makes use of a third-party authentication server (controller or third-party RADIUS server). See “User authentication, accounts, and addressing” (page 331). • Wireless security filters: Enables the AP to block traffic unless it is addressed to a specific destination (like the controller). See “Wireless security filters” (page 126).
-
Incoming traffic properties
Port: LAN, Untagged. If no VLAN exists, traffic is blocked. Otherwise, traffic is sent on the egress mapping defined on the default VSC.

About the default VSC
The default VSC is automatically created by the controller. It is identified with the label (Default) in the VSC list. Initially, this VSC is named HP and has the following properties: • Wireless network name: HP • Use Controller for Authentication is enabled.
-
The QoS feature defines four traffic queues based on the Wi-Fi Multimedia (WMM) access categories. In order of priority, these queues are:

Queue   WMM access category   Typically used for
1       AC_VO                 Voice traffic
2       AC_VI                 Video traffic
3       AC_BE                 Best effort data traffic
4       AC_BK                 Background data traffic

Outgoing wireless traffic on the VSC is assigned to a queue based on the selected priority mechanism. Traffic delivery is based on strict priority (per the WMM standard).
-
mechanism supported by associated client stations. For example, if you set VSC-based low priority, then all devices that connect to the VSC have their traffic set at this priority, including SVP clients.
-
Up to 10 profiles can be selected. To select more than one profile, hold down the CTRL key as you select profile names in the list. To define an IP QoS profile, see “Configuring IP QoS profiles” (page 65). Upstream DiffServ tagging Enable this option to have the AP apply differentiated services marking to upstream traffic. Layer 3 upstream marking ensures end-to-end quality of service in your network.
-
Downstream traffic marking
This table describes the marking applied to traffic received from the wired network by an AP and then sent to connected wireless client stations. The Incoming column is traffic received from the wired network; the Outgoing column is wireless traffic sent from the AP to client stations.

Mechanism    Incoming traffic
802.1p       802.1p
DiffServ     DiffServ
TOS          TOS
VSC-based    All traffic on the VSC.
IP QoS       All traffic that matches the ports/protocols specified in the selected IP QoS profiles.
-
Creating a new VSC To add a VSC, select Controller > VSCs >>VSC Profiles > Add New VSC Profile. Define VSC parameters and select Save. Familiarize yourself with sections of interest in “VSC configuration options” (page 113). See the online help for parameter descriptions. Assigning a VSC to a group When working with controlled APs, VSC definitions must be bound to a group so that they will automatically be activated on the APs in the group.
-
8 Working with controlled APs Key concepts The controller provides centralized management of APs operating in controlled mode. Controlled mode greatly simplifies the set up and maintenance of a Wi-Fi infrastructure by centralizing the configuration and management of distributed APs. NOTE: Starting with software version 5.x, APs operate in controlled mode by default. If you update an AP from an earlier release, the AP boots in autonomous mode.
-
AP licensing For every controlled AP that will be managed by the controller, you must install a valid AP license. The exception to this rule is the MSM317. Any number of MSM317s can be managed by a controller up to the maximum number of APs that it supports. See “License management” (page 542). To view the current status of AP licensing limits, select Controller >> Status > AP limits. The AP limits page opens.
-
Controller:
  Configure AP authentication. For security purposes, the controller can require that APs be authenticated before they can be managed. See “Authentication of controlled APs” (page 159).
  Set up groups. Groups allow you to apply the same configuration settings to many APs at the same time. You can create multiple groups, allowing you to maintain distinct settings for different types of APs.
AP:
  Deploy an AP with its default configuration OR manually provision initial AP configuration.
-
Controller: Controller accepts the secure management tunnel. The controller updates the AP configuration.
AP: AP establishes secure management tunnel with the controller. AP receives new software and configuration.
Discovery complete. Wireless services become available. On the HP 517 and MSM317, the switch ports also become active.

Discovery of controllers by controlled APs
This section describes how the discovery process works and how it can be customized.
-
4. The AP is now managed by the controller, and it can be configured and monitored using the controller management tool. NOTE: • APs must be connected to the network via Port 1 (or the Uplink port on an HP 517 or MSM317) for discovery to work. • Unprovisioned APs must obtain an IP address from a DHCP server before discovery can be initiated. When discovery occurs on a VLAN, the DHCP server must be active on the VLAN.
-
Add the IP address for each controller that is active on the network. When working with a controller team, you should add the IP address of each team member. This list is sent to all devices that request an IP address, encoded as DHCP option 43 (Vendor-specific information). However, this information is only interpreted by HP APs that are operating in controlled mode. Controlled mode APs use these addresses to connect with the controllers in the order that they appear in the list.
-
Unprovisioned APs Once an unprovisioned AP has received its IP address from a DHCP server, it attempts to discover a controller using the following methods, in order: • UDP broadcast • DHCP • DNS These discovery methods are applied on the following interfaces, in order: • Last interface on which a controller was discovered.
-
provision discovery settings on the AP. For more information on using custom names, see “Provisioning discovery” (page 175). ◦ Specific IP discovery: Use this method when you do not have control over the DHCP and DNS servers and no domain is registered to the controller, for example, when the connection to the controller is routed over the public Internet. 102.27.3.42 35.12.33.57 AP Provisioned to discover the controller at the address 102.27.3.
-
On the MSM720 On all other controllers Active interfaces Select the physical interfaces on which the controller or team manager will listen for discovery requests from controlled APs. The control channel to an AP is always established on the interface on which it is discovered.
-
Discovery authentication Authentication can be enabled during the discovery process to allow a controller and AP to validate each other prior to establishing a control channel. Authentication can be mutual, or can be performed by either the controller or AP, depending on how you define the configuration. • Shared secret/Confirm shared secret: Specify the shared secret that the controller will use when authenticating an AP, or when responding to an authentication request from an AP.
-
Viewing all discovered APs To display information about APs discovered by the controller, select Controlled APs >> Overview > Discovered APs. The Discovered APs page provides the following information: • Number of access points: Indicates the number of APs that were discovered. • Select the action to apply to all listed APs: Lets you apply the selected action to all APs in the list. Select an action and then Apply. ◦ Authorize Locally: Use this option to manually authorize an AP.
-
• Serial number: Unique serial number assigned to the AP at the factory. Cannot be changed. • Wireless services: Indicates the status of wireless services on the AP. A separate icon appears for each radio on the AP. See the legend under the table for the meaning of each icon. • Wireless clients: Indicates the number of wireless clients currently associated with the AP. Select the number to see more information.
-
Diagnostic: Suspicious device. Description: The AP unexpectedly requested new authentication certificates from the controller. Possible causes are as follows: ◦ A previously synchronized AP was reset to factory defaults. ◦ An unauthorized AP may be using the same MAC address. This is a possible security breach that should be investigated before authorizing the AP again.
-
Viewing all configured APs To display information about APs configured by the controller, select Controlled APs >> Overview > Configured APs. The Configured APs page provides the following information: • Number of displayed access points: Number of configured APs that were discovered. • Filter APs by: To narrow down the list of APs in the table, select a category and enter text on which to filter the AP list. Select Apply to activate the filter.
-
Table Select the title of a column to sort the entries according to the values in the column. • Check boxes: Use the check box to select an AP to move it to another group. Select the check box in the title bar to select all APs on this page. • Detected: ◦ Yes: The AP has been discovered and is listed on the AP overview page, where more information is provided on the AP. ◦ No: The AP has not been discovered. • AP name: Name assigned to the AP. Select the name to open its AP management page.
-
The controller authenticates APs using their MAC addresses. When an AP sends a discovery request to the controller, it includes its Ethernet Base MAC address. The controller validates this address against its AP address authentication list. If the address appears in the list, the AP is authenticated and gains access to the service control features on the controller.
-
Authenticate Now: Causes the controller to retrieve authentication list entries from all selected sources. Use file authentication list: When this option is selected, the controller retrieves authentication list entries from a file. This must be an ASCII file containing one or more MAC addresses, each entered on a separate line. For example: 00:03:52:00:00:01 00:03:52:00:00:02 00:03:52:00:00:03 A label affixed to each AP indicates its Ethernet Base MAC address.
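As an added illustration of the file format above (example code written for this page, not part of the HP guide or the controller's software), the following validator parses an authentication list, flags malformed, duplicate and multicast entries, and performs the same lookup the controller does against the Ethernet Base MAC carried in a discovery request. Because a MAC address is easy to copy, a clean list is only one layer; the Suspicious device diagnostic and shared-secret discovery authentication described elsewhere in this chapter are the other layers. Treatment of blank lines and the multicast check are this example's own assumptions.

```python
"""Validate an AP MAC authentication list file and check a discovery request against it.

Added example, not HP code. The file format follows the guide: an ASCII file with
one MAC address per line, written as six colon-separated hex octets. Blank-line
handling and the rejection reasons are this example's own choices.
"""
import re
from typing import Dict, List, Set, Tuple

# Six colon-separated hex octets, the only form the guide documents.
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def normalize_mac(raw: str) -> str:
    """Canonicalise a MAC to lower-case colon form; raise ValueError if invalid.

    Besides the syntax check, a multicast address (least significant bit of the
    first octet set) is rejected: a device's Ethernet Base MAC is always unicast.
    (Assumption of this example, not a rule stated in the guide.)
    """
    mac = raw.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError("not six colon-separated hex octets")
    if int(mac[0:2], 16) & 0x01:
        raise ValueError("multicast address cannot be an AP base MAC")
    return mac


def parse_auth_list(text: str) -> Dict[str, list]:
    """Parse the contents of an authentication list file.

    Returns a dict with:
      accepted   - normalised MACs in file order, first occurrence only
      duplicates - (line_no, mac) for entries that repeat an earlier line
      rejected   - (line_no, raw_line, reason) for lines that are not valid MACs
    """
    accepted: List[str] = []
    seen: Set[str] = set()
    duplicates: List[Tuple[int, str]] = []
    rejected: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines are skipped (example's choice)
        try:
            mac = normalize_mac(line)
        except ValueError as exc:
            rejected.append((line_no, line, str(exc)))
            continue
        if mac in seen:
            duplicates.append((line_no, mac))
            continue
        seen.add(mac)
        accepted.append(mac)
    return {"accepted": accepted, "duplicates": duplicates, "rejected": rejected}


def is_authenticated(discovery_mac: str, accepted: List[str]) -> bool:
    """Mirror the controller's check: the base MAC in a discovery request is
    accepted only if it appears in the authentication list."""
    try:
        return normalize_mac(discovery_mac) in set(accepted)
    except ValueError:
        return False  # a malformed MAC in a discovery request never matches


# Constructed sample file: the three addresses from the guide plus the kinds of
# lines an administrator's editor tends to leave behind.
SAMPLE_AUTH_FILE = """\
00:03:52:00:00:01
00:03:52:00:00:02
00:03:52:00:00:03

  00:03:52:00:00:02
00-03-52-00-00-04
zz:03:52:00:00:05
01:03:52:00:00:06
"""

if __name__ == "__main__":
    result = parse_auth_list(SAMPLE_AUTH_FILE)
    for mac in result["accepted"]:
        print("accepted ", mac)
    for line_no, mac in result["duplicates"]:
        print(f"duplicate line {line_no}: {mac}")
    for line_no, raw, reason in result["rejected"]:
        print(f"rejected  line {line_no}: {raw!r} ({reason})")
    print(is_authenticated("00:03:52:00:00:02", result["accepted"]))  # True
    print(is_authenticated("00:03:52:00:00:04", result["accepted"]))  # False
```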
-
Use the local authentication list: When this option is selected, the controller creates authentication list entries based on the set of APs that are currently defined on the controller. For reference purposes, the table shows the AP name, serial number, and MAC address of all APs that are defined and will be included in the authentication list.
-
Inheritance Configuration settings are inherited as follows: • Settings made at the Controlled APs level are inherited by all groups. • Settings made at the Group level are inherited by all the APs in a group. To change inherited configuration settings you must first clear the Inherited checkbox. For example, the following image shows the 802.1X page with the Inherited checkbox cleared, allowing all settings on this page to be customized.
-
NOTE: On an HP 517 or MSM317, VSCs can also be bound to a switch port. See the HP 517 802.11ac Unified Walljack Configuration Guide and the MSM317 Access Device Installation and Configuration Guide. Synchronizing APs After making configuration changes to an AP or a group, you must update all affected controlled APs with the new settings by synchronizing them. See “Synchronizing APs” (page 169).
-
To delete a group, do the following: 1. Select Controlled APs >> Group management. 2. Select the name of the group you want to delete. 3. Select Delete. Binding a VSC to a group This procedure applies to wireless users only. On the HP 517 or MSM317, VSC binding for wired users (connected to the switch ports) is done individually for each port. To bind a VSC to a group, do the following: 1. Select the target group under Controlled APs. 2. In the right pane, select VSC bindings, then select Add New Binding.
-
3. In the Device box, identify the new AP, specifying, at a minimum, the Device Name, Ethernet BASE MAC (printed on the label affixed to each AP), and Group. Select Save. The AP is added to the selected group in the Network Tree and will also be shown in the Configured APs list. NOTE: • When the AP is physically connected to the network, it will discover the controller and automatically be accepted into the selected group.
-
1. Select Controlled APs > [group] > [ap]. The AP management page opens. 2. Configure settings as follows: • Device name: Specify the name to assign to the AP. The name must not contain spaces. • Use AP name as DHCP client hostname: Use this option to control how the DHCP hostname is assigned to the AP. ◦ Enabled: The AP will use the Access point name as the hostname for all DHCP requests (using DHCP option 12). This is the name that will identify the AP in the DHCP server's host table.
-
To delete an AP: 1. Select Controlled APs >> Overview > Configured APs. 2. Select the AP name in the Overview table. This opens the AP management page. Select Delete. The AP is then deleted. Moving an AP to a different group NOTE: Moving an AP to a different group causes it to be restarted. Using drag-and-drop The easiest way to move an AP to a different group is to drag-and-drop it from the old group to the new group. Both groups must be visible in the Network Tree for this to work.
-
1. Use the check boxes in the table to select one or more APs. Select the check box in the table header to select all the APs in the table. 2. Select the group into which to move the APs from the list next to Move selected APs to group. 3. Select Apply. Synchronizing APs Depending on the type of configuration changes that are being synchronized, wireless users may be forced to reassociate or log in again.
-
4. As each synchronization completes, the Status light icon and background color of the synchronized AP change to green. The status light icon next to the AP name under the pertinent group name in the Network Tree also changes to green. This indicates that the AP is fully operational and using its new configuration. Assigning egress VLANs to a group When you bind an AP to a VSC, you are able to assign an egress network to the binding.
-
After changing the country setting, APs must be synchronized. CAUTION: Incorrectly setting the country may result in illegal operation and may cause harmful interference to other systems. Please consult with a professional installer who is trained in RF installation and knowledgeable about local regulations to ensure that the AP is operating in accordance with channel, power, indoor/outdoor restrictions and license requirements for the intended country.
-
Define provisioning settings as described in “Displaying the provisioning pages” (page 172). NOTE: • Until this option is enabled, provisioned settings defined on the controller are not sent to any controlled APs. • After an AP has been updated with provisioned settings, these settings do not become active until the AP is restarted, or a Remove and rediscover action is executed on the Controlled APs >> Configured APs page.
-
NOTE: The Provision button is only available if the AP is in its factory-default state, meaning it has not yet been provisioned and that the AP has never discovered a controller (since last factory default). To force an AP into its factory-default state, press and hold its reset button until the status lights blink three times. 3. Configure provisioning settings as described in the sections that follow.
-
The following page appears on the HP 517 and MSM317; provisioning is enabled at the top of this page. Settings Interface: Select the interface you want to configure and then define its settings using the other options on this page. Set VLAN ID if applicable. Assign IP address via: • DHCP client: Address is assigned using a DHCP server. Enable this option to have the interface act as a DHCP client. The AP sends DHCP requests on the specified VLAN. If no VLAN is specified, the request is sent untagged.
-
802.1X Enable this option when the AP is connected to a secured switch port that requires 802.1X authentication. Once the AP is authenticated, controller discovery proceeds as usual. NOTE: • If this option is enabled and the AP is connected to an unsecured switch port, 802.1X is ignored and discovery proceeds as usual.
-
Discover using DNS The AP attempts to connect with a controller using the names in the order that they appear in this list. To discover the controller on the network, the AP appends the specified Domain name to each name. In the above example, the AP will search for controllers with the names: • service-controller-1.mydomain.com • service-controller-2.mydomain.com If you define a name that contains a dot, the domain name is not appended. For example, if the name is controller.yourdomain.
-
for the controller under Controller >> Management > Device discovery > Discovery authentication. • Authenticate controllers before connecting: Enable this option to have the AP authenticate a controller before establishing a control channel with it. If you do not enable this option, the controller may still authenticate the AP depending on the settings you make under Controller >> Management > Device discovery > Discovery authentication.
-
AP survivability APs that are configured with non-access-controlled VSCs using distributed deployment can continue providing services even when communication with the controller has been interrupted. This minimizes service interruptions caused by the AP needing to rediscover or resynchronize with the controller. Distributed deployment means that the AP directly handles the service. It does not use the controller. For example: • 802.
-
Disable switch ports if controller is unreachable • If this option is enabled, the HP 517 or MSM317 disables services on all switch ports after it loses contact with its controller. This means AP survivability is disabled. • If this option is disabled, the HP 517 or MSM317 continues to offer services on all switch ports even after it loses contact with its controller. • This option is disabled by default.
-
Viewing status information Basic AP and AeroScout tag status information is available by selecting Controller > Controlled APs >> Overview > RTLS. For example: All AeroScout management and monitoring is performed in the AeroScout software itself. AeroScout documentation and AeroScout software must be used to operate and monitor the tags. Values • AP name: Name of the AP on which HP RTLS is enabled. • AP MAC address: MAC address of the AP. • Radio: Radio on the AP to which the AeroScout tag is connected.
-
Monitoring The controller provides a series of pages that present monitoring and status information for controlled APs. You can view these pages for all controlled APs, for all APs in a group, or for just a specific AP. All options appear on the Overview menu, which can be reached by selecting: • Controlled APs >> Overview. • Controlled APs > [group ] >> Overview. • Controlled APs > [group ] > [AP ] >> Overview. See the online help for details about the information provided on these status pages.
-
9 Radio Resource Management The radio resource management (RRM) feature provides effective auto-channel and auto-power mechanisms that enable administrators to optimize their wireless RF environment. RRM can create a system-wide channel/power plan that maximizes capacity, coverage, and usage across all the AP radios in a network. Once this RF plan is in place, RRM can continuously monitor the RF environment to detect issues that impact performance and automatically make adjustments to mitigate any problems.
-
Mitigation of poor RF performance RRM provides several features that help to mitigate wireless performance issues. AP/radio down detection and mitigation Each AP in the network maintains a list of neighboring APs, with information gathered from the beacons it receives. These beacons may be received on the current operating channel and also by scanning non-operating channels in both frequency bands (2.4 GHz and 5 GHz). Each AP monitors the state of its neighbors to detect radio-down transitions.
-
Spectrum analysis (Only supported on the HP 425, MSM430, MSM460, and MSM466/466-R.) RRM gathers spectrum analysis samples to derive a measure of the non-802.11 RF noise for each scanned channel. This is used for channel-planning purposes and as one indicator of severe RF interference. RRM also uses an intensive-sampling mode of operation to classify an RF interference source when a channel-switch is needed due to significant RF interference.
-
The scanning mode that an AP uses is determined by the setting of the Operating mode parameter. Choices are as follows: • Access point only: In these modes, scanning operates in the background.
-
non-operating channels. The amount of time dedicated to scanning is defined by the settings you define for Neighborhood scanning. • Monitor: In this mode, the radio only performs scanning; wireless services are not available. • Local mesh only and Access point and Local mesh: Scanning is not supported in these modes. To support the system-wide auto-channel feature, set Channel to Automatic. To support the system-wide auto-power feature, enable Automatic power control under Transmit power control.
-
band is probably much busier than the 5 GHz band, so IDS scanning using the 5 GHz radio has a reduced performance impact. Channels to scan • All channels: Scan all channels supported by the current operating mode. • Regulatory channels only: Scan only channels supported by the current regulatory domain (country). • Non-excluded channels only: When enabled, the AP will not scan any channels in the Automatic channel exclusion list. Neighbor detection time Estimated time in seconds to detect a neighbor.
-
◦ L: Legacy radio. Any radio that does not support RRM. (For example, the MSM3xx series.) ◦ M: Monitor mode. Radio is operating in monitor mode. ◦ S: Sensor mode. Radio is operating in sensor mode. ◦ U: Uncontrolled. A radio that is not controlled by this controller. In IDS it is known as an External or Rogue radio. • Last detected: Date and time when the radio was last known to be active in the RF environment. (The date and time that a beacon from the radio was received by a controlled AP.
-
IMPORTANT: RRM analysis cannot be run until the network is complete and stable. This means that all of the following conditions must be true: • All controlled APs are synchronized with the configuration settings on the controller. • The number of controlled radios in the network has not changed during the last 30 minutes. • No controlled radio in the network has had its configuration changed and synchronized during the last 30 minutes.
-
How it works In the 5 GHz band, auto-channel attempts to choose the best operating channel based on achieving the following goals: • Minimize co-channel operation by avoiding the use of the same channel as on neighboring radios. • Minimize adjacent channel interference on neighboring radios. For example, channels 36 and 40 are adjacent channels. There will be interference if radios using these channels are near each other. • Operate at the highest transmit power.
-
can be reduced. Otherwise, it is better to accept the fact that the radios must share the channel, and to operate the radios at full power. Radio-down mitigation (system-wide) When this option is enabled, the controller will attempt to mitigate wireless coverage issues created by inoperable radios. Each AP in the network maintains a list of neighboring AP radios, with information gathered from the beacons it receives.
-
The load balancing algorithm runs individually on each AP. It is activated only when more than fifteen clients are associated with an AP. For each radio, the AP determines which load balancing action to take: • Operate normally: The radio client load is comparable to its neighbors. • Discourage new clients: The radio is overloaded compared to its neighbors. (Only done if the number of clients on a radio differs from the average on all radios by more than five.
-
field. If changes are found, and the numbers are large (compared to the Total radios field) then it may be time to run a new analysis to optimize your network. • Total radios: The total number of controlled radios managed by the controller (including legacy radios). • Enabled: The total number of controlled radios that were enabled since the last baseline was applied. (In other words, radios that were disabled in the last baseline but are now enabled.
-
The third baseline was created by clicking the Save Current State As Baseline button. This saves the settings that are currently active on all APs in a new baseline, and lets you name the baseline and add a description to it. For example: To see the contents of a baseline, click its name. For example: (The Radio analysis details box is only displayed for an RRM_AFTER baseline to allow for comparison of the configuration changes suggested by the RRM analysis.
-
1. A baseline is manually created by clicking the Save Current State As Baseline button. It is named User-defined baseline and then applied by clicking the Apply button in the RRM available baselines box. A copy is automatically added to the RRM applied baseline box. 2. Next, an analysis is run by selecting Analyze and Apply, and then clicking Start. The BEFORE and AFTER baselines are automatically created. 3.
-
10 Intrusion detection system (IDS) The intrusion detection system offers administrators the ability to proactively detect potential threats to the wireless network. When enabled, IDS will detect and classify all wireless APs and client stations operating within range, providing a complete picture of all wireless activity in the area. Supported products IDS is available in controlled mode only. It is supported on the following products: • HP MSM720 (Requires the Premium Mobility Controller license.
-
• DoS EAPOL logoff flood • DoS EAPOL start flood • DoS Premature EAP success • DoS Premature EAP failure • DoS Beacon CFP • DoS PS-Poll • Bridging STP • Misbehaving clients • Ad-hoc networks • Bridging Wireless client classification Automatic classification policies also divide clients into distinct groups. (Manual classification by the administrator is not supported.
-
• Deauthentication broadcast attack in progress • Authentication flood attack in progress • EAPOL Logoff flood attack in progress • EAPOL Start flood attack in progress • Premature EAP Success attack in progress • Premature EAP Failure attack in progress • Beacon packet with large Contention Free Period (CFP) duration detected • PS-Poll attack in progress IDS modes Three modes of operation are available: • AP mode: In this mode, besides offering client services, background scanning is pe
-
Deployment strategy The mode(s) of operation you choose will depend on the deployment strategy for your wireless network: overlay, time-slicing, or hybrid (a combination of overlay and time-slicing). Each method has its strengths and weaknesses as follows: • Overlay: When using this strategy, some of the 802.11 radios in the wireless network are configured to operate as dedicated IDS sensors. These radios do not offer access point services, and spend 100% of the time scanning for IDS threats.
-
Configuration considerations for VoIP traffic If your wireless network supports VoIP traffic, consider the following: • If voice traffic is detected on a radio (i.e., the traffic is marked with a QoS setting of AC_VO), background scanning is disabled on the radio. Not all VoIP traffic is properly QoS-tagged; scanning will not be disabled for such traffic. • Setting a high dwell time (under Neighborhood scanning on the Radio page) may cause packet loss in VoIP traffic.
-
4. by other devices on your network), you need to create special network detector VLAN assignments as follows: To detect rogue APs, IDS needs connectivity to all VLANs in use by the network. By default, APs monitor the network on which the management tunnel with the controller is established. If your network has other VLANs, it requires that you define one or more APs with network detector capabilities as follows: a. Select Controlled APs >> Security > Network detector. b.
-
Customizing scanning settings To customize scanning settings for an AP, select Controlled APs >> Radio management and then select the AP in the list. Scanning is controlled by the option selected for Operating mode and the settings under Neighborhood scanning. Scanning services are used by both RRM (radio resource management) and IDS (intrusion detection system). Available options are different depending on the Operating mode.
-
The scanning mode that an AP uses is determined by the setting of Operating mode. • Access point only: In these modes, scanning operates in the background. The radio periodically switches away from the operating channel for a short period of time to listen for activity on non-operating channels. The amount of time dedicated for scanning is defined by the settings you make for Neighborhood scanning. • Monitor: In this mode, the radio only performs scanning. Wireless services are not available.
-
• Average time to detect a rogue AP: Estimated time to detect a rogue AP, averaged across all radios that are scanning. • Max Time to detect a rogue AP: Longest amount of time to detect a rogue AP for all radios that are scanning. • Group: Group name. • Scanning radios: Number of radios that are performing IDS scanning in the group. • Total radios: Total number of radios on all APs in the group.
-
Ad-hoc cells page Shows all devices that are providing wireless services but are not access points. For example, if a user sets up their laptop to create a wireless network to share files with co-workers. The ad-hoc cell remains active until the last user connected to it shuts it down. Click the MAC address for a device to see detailed information.
-
Neighborhood page This page shows the results of IDS scanning. Refer to the Classification column to find rogue AP radios. By default, rogues are shown at the top of the list.
-
Table • MAC address: MAC address of the radio. Click the address to see detailed information about the AP. • SSID: SSID on which the radio is broadcasting. • Mode: Wireless mode in which the radio is operating. • Channel: Channel on which the radio is operating. • SNR: Signal to noise ratio detected. • Info: Encryption being used.
-
AP information • BSSIDs: MAC addresses of the AP. Click the address to see detailed information about the AP. • SSIDs: SSIDs on which the AP is broadcasting. • Channels: Channels on which the AP is operating. • Classification: Rogue. • Manual override: Indicates if the AP was classified manually by the administrator or automatically by the controller. • Info: Encryption being used. • Last seen: Date and time the AP was last detected. • Security: Type of security active on the AP.
-
Manually changing AP radio classification By default, IDS will classify all detected radios. It may be necessary to adjust these classifications based on your knowledge of the network. For example, to change a rogue radio to authorized, do the following: 1. Select the radio that you want to classify as authorized. 2. Select the Classify radio as authorized action. 3. Click Apply. The rogue radio is changed to Authorized and the indicator Manual appears next to the classification.
-
Importing/exporting IDS classifications The information that appears on the Neighborhood page can be exported as a CSV file for use in other applications. You can also import information, in the same CSV format. This is useful when you need to classify a large number of APs. For example, if you have manually classified the APs detected on one controller, you can export and then import these definitions on a second controller.
-
11 Events and alarms The events and alarms feature provides a logging and notification system that can be used by administrators and support personnel to easily monitor and troubleshoot system issues. NOTE: For backward compatibility, the system log feature that was available in previous releases is still available on the Controller >> Tools menu.
-
The Severity, Device, Alarm, and Timestamp columns display detailed information if you hover the mouse pointer over an entry in the table, as shown. You can also sort events by any column (except Description) by clicking the column title. Filter events by: To see only a subset of all events, select a filter condition and click Apply. Filters are saved across sessions and can be cleared by selecting Clear filters.
-
Type: Classifies the event within a category. Alarm: If an event triggers an alarm, the appropriate alarm indicator appears in this column. Hover the mouse pointer over the alarm to see its severity and ID. The association between an event and an alarm is predefined and is not configurable. Description: Detailed information about the event. Timestamp: Date and time that the event occurred.
-
Select the action to apply to the selected alarm: Lets you apply an action to all selected alarms in the list. Select an action and then click Apply. • Acknowledge: Marks the selected alarms as acknowledged. An acknowledged alarm is not cleared. The acknowledgment serves as an indicator that an administrator is aware of the alarm. • Unacknowledge: Returns the selected alarms to the unacknowledged state.
-
Timestamp: Date and time that the alarm occurred. Ack: Indicates if the alarm has been acknowledged. An acknowledged alarm is not cleared. The acknowledgment serves as an indicator that an administrator is aware of the alarm. Note: A yellow note icon indicates the presence of an annotation. Hover over the icon to see the contents of the annotation. To edit an annotation, open the Alarm details page. State: Alarm state (active or cleared).
-
1. Select Controller >> Management > SNMP. The SNMP agent configuration page opens. 2. Select the SNMP agent configuration checkbox and then select Save. 3. Under Attributes, select the Notifications checkbox. 4. Select Configure Notifications. The SNMP notification configuration page opens.
-
5. Enable Event notifications and/or Alarm notifications, and select the notifications that you want to send for each. 6. Select Save. You are returned to the SNMP agent configuration page. 7. In the Notifications receivers box, select Add New Receiver. The Add/Edit SNMP notifications receiver page opens. 8. Define the settings for the receiver as follows: • Host: Specify the domain name or IP address of the SNMP notifications receiver to which the controller will send notifications.
-
12 Working with VLANs Key concepts The controller provides a robust and flexible virtual local area network (VLAN) implementation that supports a wide variety of scenarios. Up to 80 VLAN definitions can be created on the controller. VLAN ranges are supported, enabling a single definition to span a range of VLAN IDs. The following controller features are supported on a VLAN: • Network address translation (However, static NAT mappings are not supported.
-
Defining a VLAN Defining a VLAN on a controller port Define a VLAN on a controller port as follows: 1. Define a network profile with the required VLAN as described under “To define a new network profile” (page 33). This example uses a new network profile called Guest, assigned to VLAN 100. 2. Select Controller >> Network > VLANs. On the MSM720 On all other controllers 3. Select the network profile you defined in step 1 (Guest). This opens the Add/Edit VLAN mapping page.
-
On all other controllers 4. Under Map to, select the port to which the VLAN will be bound. On the MSM720, you can select multiple ports or a trunk (only static trunks appear in the list; dynamic trunks are automatically mapped to the default VLAN). 5. On the MSM720, select one of the following for Mode and then select Apply: • None: No VLAN is assigned to the port. • Tagged: Traffic on the port is sent/received using the VLAN tag defined for the selected network profile(s).
-
The Add/Edit VLAN mapping page shows both ports and enables you to map them both to a port on the AP. User-assigned VLANs VLANs can be assigned on a per-user basis using attributes defined in a user's RADIUS account, or via VLAN definitions in a local user account profile. These user-assigned VLANs are also called dynamic VLANs because they are applied dynamically after a user is authenticated and override the static definitions on VSCs or VSC bindings.
-
Binding to a VSC that has Wireless mobility disabled VSC type Egress network Client data in VSC binding tunnel Access-controlled Defined Active Disabled User-assigned VLAN is not assigned via RADIUS or local user accounts User-assigned VLAN is assigned via RADIUS or local user accounts The Egress network setting in the VSC binding is ignored. The Egress network setting in the VSC binding is ignored. Traffic is sent to the controller in the client data tunnel.
-
Table columns: VSC type; Egress network in VSC binding; Client data tunnel; User-assigned VLAN is not assigned via RADIUS or local user accounts; User-assigned VLAN is assigned via RADIUS or local user accounts.
Row (Non access controlled; Egress network Not defined; Active; user-assigned VLAN not assigned): Traffic is sent to the controller in the client data tunnel and is mapped to a VSC on the controller by SSID. It exits the controller on the egress mapping defined on the appropriate VSC.
-
Binding to a VSC that has Wireless mobility and Mobility traffic manager enabled
Table columns: Egress network in VSC binding; User-assigned VLAN is not assigned via RADIUS or local user accounts; User-assigned VLAN is assigned via RADIUS or local user account.
Row (Defined): Not assigned: Assign the Egress network defined in the VSC binding as the user's home network. Assigned: The Egress network setting in the VSC binding is ignored.
-
Binding to a VSC that has Wireless mobility and Subnet-based mobility enabled
Table columns: Egress network in VSC binding; User-assigned VLAN is not assigned via RADIUS or local user accounts; User-assigned VLAN exists in the mobility domain.
Row (Defined): The IP address of the user is compared against the list of home subnets defined for the AP to determine if the user is at home or roaming.
-
Terms used in the tables • Egress network in VSC binding: This column refers to the Egress network option that can be configured when an AP group is bound to a VSC. The egress network can be used to assign a specific VLAN. How this VLAN is applied to the routing of traffic is illustrated by the tables. • Client data tunnel: The client data tunnel can be used by an AP to transport wireless user traffic to the controller.
-
Example 1 Overriding the VSC egress on a controller with a user-assigned VLAN This example illustrates how a user-assigned VLAN can override a VSC egress setting on the controller.
-
Example 2 Overriding the egress network in a VSC binding with a user-assigned VLAN In this scenario, a non-access-controlled VSC is used to illustrate how a user-assigned VLAN can override the egress network defined for a VSC binding.
-
• User B has a VLAN of 20 assigned via their RADIUS account, which overrides the egress network defined in the VSC binding. As a result, traffic from User B is sent on the AP's Ethernet port tagged with VLAN 30, allowing it to reach Network 2.
-
13 Managing Bonjour traffic Overview Bonjour is a zero configuration networking protocol that enables devices to automatically publish and discover IP-based services on a local area network. However, because Bonjour was designed for small, unmanaged networks, it creates several challenges for the enterprise network administrator: • Bonjour is based on Multicast DNS (mDNS). Heavy use of multicast greatly affects throughput on 802.
-
Limitations Bonjour features are not supported in the following cases: • Roaming users that are making use of mobility traffic manager (MTM) • On APs that are connected via local mesh links • When WPA security is enabled on a VSC and it is terminated at the controller • Over any PPP tunnel created by the following features: PPTP client, PPPoE, PPTP server • Over any GRE, L2TP, or IPSec tunnel • Over a static NAT mapping • For access-controlled wired clients • For client stations connected to
-
Diagram: Access controlled VSC with VLANs
232 Managing Bonjour traffic
-
NOTE: • Bonjour announcements originating from wireless clients on access-controlled VSCs are discarded. This means that it is not possible to have an access-controlled wireless client advertise services via Bonjour. • If you assign a VLAN to a VSC egress mapping, access-controlled clients can only reach Bonjour services that are on the same VLAN (as long as it is not the same VLAN used for the control channel between the AP and controller).
-
NOTE: • Since the controller is not in the data path of non-access-controlled wireless clients, an external router must provide the data path to any Bonjour services on another network. Otherwise, wireless clients will see service announcements from devices that they are not able to reach. (The Bonjour gateway on the controller will relay Bonjour traffic between subnets, but it will not relay data traffic from client stations.
-
it must have an IP address assigned to it. The Selected interfaces list shows all interfaces on which the Bonjour gateway is enabled. When working with access-controlled VSCs: ◦ Assign at least one interface to the Selected interfaces list. This is required so that access-controlled clients can reach Bonjour services on another network. Typically, you would assign the VSC egress mapping you defined on the VSC page to the Selected interfaces list.
-
1. User 1 sends a multicast query for a printer.
2. AP 1 receives the query and stores it.
3. AP 1 checks its records for printer announcements. There is one from Printer 1, so AP 1 unicasts the query to Printer 1. It also multicasts the query onto Network 1.
4. • Printer 1 receives the query and sends a multicast response.
• Printer 2 receives the query and sends a multicast response onto Network 1.
• The controller receives the query.
-
When using an access-controlled VSC In this example, all wireless stations are connected to an access-controlled VSC. Bonjour gateway is enabled on the controller and configured to relay Bonjour traffic between Network 1 and Network 2. Traffic management is also enabled. 1. User 1 sends a multicast query for a printer. 2. AP 1 forwards the query through the control channel to the controller. It does not multicast the query onto Network 1. 3. The controller receives the query.
-
1. Select Controller >> Network > Bonjour. The Bonjour configuration page opens.
2. Enable and configure the gateway described in the section “Configuring Bonjour gateway” (page 234).
3. In the Traffic management box, enable Bonjour traffic management as follows:
• All access-controlled VSCs: Select this option to enable traffic management on all access-controlled VSCs that are defined on the controller and are bound to any APs.
-
For example: • If you define a Bonjour inbound filter to block all Bonjour announcements on a particular VSC, then no wireless clients using that VSC will be able to send Bonjour announcements. (Inbound traffic is traffic received by an AP from a wireless client.) • If you define a Bonjour outbound filter to block all Bonjour announcements except printing services on a particular VSC, then all wireless clients using that VSC will only receive Bonjour announcements advertising printing services.
-
1. Select Controller >> Network > Bonjour. The Bonjour configuration page opens.
2. Enable and configure the gateway described in the section “Configuring Bonjour gateway” (page 234). Traffic filtering cannot be enabled without first activating Bonjour gateway.
3. Enable and configure traffic management described in the section “Configuring traffic management” (page 237). Traffic filtering cannot be enabled without first activating traffic management.
-
6. In the Traffic filtering box, select Manage Bonjour Filter Profiles. The Bonjour filter profiles page opens.
7. In the Default filter box, specify the action associated with the default filter. The default filter is applied to all inbound and outbound announcements after all other active filter profiles have been applied and no match has been found.
• Inbound Bonjour announcements: Select the action to apply to inbound Bonjour announcements.
-
9. In the Bonjour filter profiles box, select Add New Profile. The Add/Edit Bonjour profile page opens. 10. For Profile name, specify a unique name to identify the profile. Names can be up to 64 characters long, but cannot start with a number or contain spaces. Valid characters are: 0-9, a-z, A-Z, and the special characters: ! $ % ’ ( ) * + - . : ; = ? @ [ ] ^ _ ` { | } The following characters are not supported: " / \ # & < > ~ 11.
-
◦ Protocol: Select the protocol used by the service: TCP, UDP, or ANY.
◦ Domain: The domain is not configurable, but is always appended to each filter. It is always set to .local and cannot be changed.
• Custom: Two types of custom names are supported: standard format and custom. Each can be up to 255 characters long.
◦ Defining a custom rule using the standard naming format: Use the following format to define a custom name: ...
-
◦ Defining a custom rule using a custom naming format: Use this option to match names that do not follow the standard format. Up to three wildcard symbols * can be used to match any number of characters. For example:
– *music*: Matches any string with the string music in it. For example: rock_music, music_2, my_music_rock.
– my*computer*: Matches any string starting with the string my and then containing the string computer.
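The following Python model, an added example that is not code from the HP guide, ties together the filter behaviour described above: the profile naming rules, the custom naming format with up to three * wildcards, per-protocol matching, and a default filter that only applies when no active profile matched. The rule/action layout (an allow-or-block action per rule) and the sample printing-only profile are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed example, not code from the HP guide: a model of the Bonjour filter
# profile behaviour described in the guide. The naming rules, the custom naming
# format (up to three '*' wildcards, max 255 chars) and the default filter (used
# only when no profile matched) follow the text; the per-rule allow/block action
# and the sample profile below are assumptions for illustration.

# Characters the guide lists as valid (besides 0-9, a-z, A-Z) and as unsupported.
ALLOWED_SPECIAL = set("!$%'()*+-.:;=?@[]^_`{|}")
FORBIDDEN = set('"/\\#&<>~')


def validate_profile_name(name: str) -> bool:
    """Profile naming rules: 1-64 chars, no leading digit, no spaces,
    only the characters the guide allows."""
    if not name or len(name) > 64:
        return False
    if name[0].isdigit() or " " in name:
        return False
    for ch in name:
        if ch in FORBIDDEN:
            return False
        if not (ch.isascii() and ch.isalnum()) and ch not in ALLOWED_SPECIAL:
            return False
    return True


def compile_custom_name(pattern: str) -> "re.Pattern":
    """Translate a custom naming-format pattern into an anchored regex.
    Each '*' matches any number of characters; everything else is literal."""
    if not pattern or len(pattern) > 255 or pattern.count("*") > 3:
        raise ValueError("invalid custom name: empty, too long, or more than 3 wildcards")
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


@dataclass(frozen=True)
class FilterRule:
    name_pattern: str      # custom naming format, e.g. "*music*"
    protocol: str = "ANY"  # TCP, UDP or ANY, as on the Add/Edit Bonjour profile page
    action: str = "block"  # assumed per-rule action: "allow" or "block"


@dataclass(frozen=True)
class FilterProfile:
    name: str
    rules: tuple


def evaluate(profiles, default_action: str, service_name: str, protocol: str) -> str:
    """Return the action for one announcement.

    Active profiles are walked in order and the first matching rule decides;
    the default filter applies only when no rule in any profile matched.
    The domain is always .local and is not part of the configurable name,
    so it is stripped before matching.
    """
    name = service_name[:-len(".local")] if service_name.endswith(".local") else service_name
    for profile in profiles:
        for rule in profile.rules:
            if rule.protocol != "ANY" and rule.protocol != protocol:
                continue
            if compile_custom_name(rule.name_pattern).match(name):
                return rule.action
    return default_action


# Constructed outbound profile for the "printing services only" scenario above:
# clients on the VSC receive only printing announcements; everything else falls
# through to a default filter that blocks.
PRINTING_ONLY = FilterProfile(
    name="printing_only",
    rules=(
        FilterRule("_ipp._tcp", "TCP", "allow"),
        FilterRule("_printer._tcp", "TCP", "allow"),
        FilterRule("_pdl-datastream._tcp", "TCP", "allow"),
    ),
)


def outbound_decision(service_name: str, protocol: str = "TCP") -> str:
    """Outbound decision for the printing-only scenario with a blocking default."""
    return evaluate([PRINTING_ONLY], "block", service_name, protocol)


if __name__ == "__main__":
    for svc in ("_ipp._tcp.local", "_airplay._tcp.local", "_printer._tcp.local"):
        print(svc, "->", outbound_decision(svc))
```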
-
Assigning a filter profile to a user profile
1. Select Controller >> Users > Account profiles.
2. For a new user profile, select Add New Profile. For an existing VSC, select its name in the list.
3. Under Bonjour traffic filtering, select an inbound and/or outbound profile.
4. Select Save.
-
14 Controller teaming This chapter describes how to combine multiple controllers into a team. Controller teaming provides the following key benefits: centralized management and monitoring, service scalability, and redundancy in case of controller failure. Teaming overview Teaming operates slightly differently depending on the controller model you use to create a team.
-
Team control channel The team control channel is a connection that is established between each team member and the team manager. The control channel is used to exchange team management information. On the MSM720, HP recommends that you use a dedicated port for the control channel. Firmware updates The team manager is responsible for enforcing and updating the firmware of team members.
-
Licensing • MSM720 and MSM760 controllers must have the Premium Mobility License installed to support teaming. (Licenses must be installed individually on each controller that is part of the team.) MSM765 zl and MSM775 zl controllers are shipped with this license pre-installed. • You must install enough AP licenses to support all the APs you intend to manage with the team. When teaming is enabled, AP licenses are pooled across all controllers.
-
Users • Wired users are only supported if connected to a switch port on the HP 517 or MSM317. Wired users cannot connect directly to the Ethernet ports on any controller that is part of a team. • The local user accounts do not support subscription plans when teaming is enabled. • Accounting persistence is not supported. Firmware • When a controller becomes a member of a team, its firmware and configuration will be updated by the team manager.
-
disabled when the teaming is enabled.) In addition, you may need to enable DHCP relay on the team, depending on your network topology, to forward DHCP requests to the third-party DHCP server. • Configure the team: Enable teaming on each controller by selecting Controller >> Management > Teaming. On the controller that will act as the team manager, set the Team name and Team IP address.
-
Diagram: Controller 1 (Team Manager), Controller 2 and Controller 3 (Team Members), a DHCP server on subnet 192.168.1.0 (Team IP = 1.99; other addresses shown: 1.10, 1.11, 1.12, 1.13, 1.1), a management station, and controlled APs AP 1 (1.21), AP 2 (1.22), AP 3 (1.23), and AP 4 (1.24), each serving a WLAN.
The controllers are connected to the network (192.168.1.0) via their LAN ports. Static addressing is used on each port.
-
6. The Network Tree will no longer be visible. The Summary box will show Teaming with a blinking gray status light. This indicates that the controller is searching for a team.
On controller 1, do the following:
1. Select Controller >> Management > Teaming.
2. Select the Controller teaming checkbox.
3. Under Connectivity, set Establish control channel on to LAN port.
4. Select No VLAN.
-
8. Under Network Tree, select Controllers to view more detailed information about the discovery process. The two new controllers should be listed in red. Select Authorize in the Action column for each controller. 9. The manager will now attempt to authorize and synchronize controllers 2 and 3. Once synchronized, their status will change to green. For more information on summary states and the Network Tree, see “Monitoring the discovery process” (page 262).
-
Diagram: Controller 1 (Team Manager) and Controller 2 (Team Member). Port 6 IP addresses are 192.168.2.1 and 192.168.2.2; port 1 on each controller carries VLAN ID 5 with IP addresses 192.168.5.1 and 192.168.5.2, connected through a VLAN switch.
The controllers are connected to each other using port 1 and the teaming control channel will be established on this port. (Note that the port used for the teaming control channel cannot be part of a trunk.) A VLAN (5) and an IP address (192.168.5.1 or 192.168.5.
-
3. Under Control channel:
• Set Establish control channel on to Port 1.
• Select the Dedicate this port for teaming checkbox.
• Set VLAN ID to 5. This creates the teaming control channel on VLAN 5, tagged, on port 1 on the controller. (Important: This VLAN is not shown on the Controller > Network > VLANs page, and is not created using a network profile. It is explicitly defined here only.) Make sure that the network switch to which this port is connected is also configured with VLAN 5, tagged.
-
4. Select the Team manager checkbox, and configure the following settings under it:
• Set Team name to a name that identifies the team. This example uses Team 1. The team name provides a convenient way to identify a team.
• Set Team management IP address to the virtual IP address that will be used to provide access to the management tool on the team manager. This example uses the address 192.168.2.200. This address must be on a different subnet than the IP address assigned under Control channel.
-
8. The manager will now attempt to authorize and synchronize controller 2. Once synchronized, its status will change to green. For more information on summary states and the Network Tree, see “Monitoring the discovery process” (page 262). Once all members are synchronized, the team is ready for further configuration. See “Team configuration” (page 267) for details.
-
VLAN 5. If you want to use another port on the controller, read the following information regarding network loops. To avoid creating a network loop it is important that you configure each MSM720 first before interconnecting them. The reason a loop can occur is due to the default configuration setting of the MSM720, which is: • Ports 1, 2, 3, 4 are untagged on the Access network (VLAN 1). • Ports 5, 6 are untagged on the Internet network (VLAN 10).
-
3. Under Connectivity:
• Set Communicate using to Port 1.
• Set VLAN ID to 5. This creates the teaming control channel on VLAN 5, tagged, on port 1 on the controller. (Important: This VLAN is not shown on the Controller > Network > VLANs page, and is not created using a network profile. It is explicitly defined here only.) Make sure that the network switch to which this port is connected is also configured with VLAN 5, tagged.
• Set IP address to 192.168.5.
-
This address must be on a different subnet than the IP address assigned under Connectivity. However, it can be on the same subnet as the selected interface.
• Set Mask to 255.255.255.0.
• Set Interface to Access network. This makes the Team IP address available on port 1.
5. Select Save.
6. Controller 2 will now attempt to discover the manager. Monitor the Summary box until you see an Unauthorized controller in the list. (In the Summary box, a green Teaming light indicates that the team manager is synchronized.)
-
8. The manager will now attempt to authorize and synchronize controller 2. Once synchronized, its status will change to green. For more information on summary states and the Network Tree, see “Monitoring the discovery process” (page 262). Once all members are synchronized, the team is ready for further configuration. See “Team configuration” (page 267) for details.
-
Discovery sequence (manager and controller actions):
• If the controller has software that is out of date, the manager tells the controller to update its software. The controller retrieves new software from the manager, installs it, and then restarts. Discovery is performed again.
• Once the manager has been discovered, the controller establishes a secure management tunnel with the manager. The manager accepts the secure management tunnel.
• The manager updates the controller's configuration. The controller receives new configuration settings.
-
Settings Teaming light This light indicates how the team is being managed. • Green: This controller is the primary team manager. • Yellow: The primary team manager has become inoperative and an interim team manager has taken over. For details, see “Failover” (page 271). Controllers This section shows the number of controllers that are active in each management state. A controller may be active in more than one state at the same time. For example, a controller may be both Detected and Synchronized.
-
Settings Team: team name Select Team: [name ] to access configuration items that apply to all members of the team and their controlled APs. Configure these options using the main menu in the right pane. VSC Select the VSCs node to manage the virtual service communities that are defined on the team. Once you define a VSC it is automatically synchronized on all member controllers, and can be assigned (bound) to one or more controlled APs. Status lights A status light is displayed for each VSC.
-
Viewing discovered controllers To display information about controllers discovered by the manager, select Controllers >> Overview > Discovered controllers. The Discovered controllers page provides the following: • Select the action to apply to all listed controllers: Lets you apply the selected action to all controllers in the list. Select an action and then Apply.
-
• Diagnostic: Description of the controller's current state. Possible values:
◦ Resetting configuration: The controller configuration is being reset to factory defaults. This is normal and will occur when the software version on the manager is changed or if the controller is not synchronized.
◦ Restoring configuration: The controller is currently restoring its previous configuration settings.
◦ Synchronized: The controller had its software and configuration settings successfully updated by the team manager and is fully operational.
-
The Team members page provides the following information: • Number of controllers: Number of controllers that are configured as members of the team. • Detected: Status light icon indicating if the controller has been discovered on the network. ◦ Green: The controller has been discovered on the network and is listed on the Overview > Discovered controllers page, where more information is provided about the controller.
-
The following table lists the configuration options that are affected when teaming is active.
• Network > IP interfaces: IP addresses cannot be assigned at the team level.
• Network > Address allocation: The DHCP server option is not supported when teaming is enabled. The VPN address pool option is not supported when teaming is enabled.
• Security > Certificate stores: Not available at the team level.
• Security > Certificate usage: Not available at the team level.
-
3. Select Delete.
Disable teaming on the controller
1. Open the management tool directly on the controller.
2. Select Management > Teaming.
3. Disable the Controller teaming option.
4. Select Save.
Editing team member settings To change settings for a team member:
1. Under Controllers, select a team member.
2. In the right pane, select Device management.
-
3. Change settings as required. Note that the Ethernet base MAC address cannot be changed. To change the MAC address you must delete the controller and then add it again.
4. Select Save.
Manually adding a controller to a team Instead of using the automatic discovery to find controllers and add controllers to the team, you can manually preconfigure one or more controllers as team members.
-
3. Define settings as follows:
• Controller name: Specify a name to identify the controller.
• Ethernet base MAC: Specify the MAC address of the controller. This value cannot be changed once the controller information is saved.
• Product: Displays the product type of the controller.
• Contact: Specify contact information for the controller.
• Location: Specify the location where the controller is installed.
4. Select Save.
-
For example (number of team members required to support redundancy):

Number of APs you want to deploy   APs / 200   N+1   N+2   N+3
120                                .6          2     3     4
200                                1           2     3     4
400                                2           3     4     5
440                                2.2         4     5     -
520                                2.
-
Replacing the team manager If the primary team manager has failed and will not be returning, you can promote the interim manager (or any other team member) to primary so that configuration options will be available. IMPORTANT: Once you promote the interim manager to primary manager, you cannot return the old team manager to the team without changing its configuration so that it becomes a team member. Only one manager is supported per team. 1.
-
Diagram: a controller team (controllers 1 and 2, with controller 1 as the primary mobility controller) behind L3 switch 1 serving two WLANs, and independent controllers 1 and 2 behind L3 switch 2, each serving a WLAN.
In the controller team, the primary mobility controller is also the team manager. If the team manager becomes inoperable, then controller 2 is automatically promoted to become the interim manager and assumes the role of primary mobility controller as well.
-
5. Select Save. You can now configure mobility options, such as home networks, as explained in “Mobility traffic manager” (page 285). Single controller team operating with non-teamed controllers In this type of setup, the team is configured as the primary mobility controller and the non-teamed controllers set the IP address of primary controller parameter to the team IP address. (In this scenario, the team IP address is defined on the LAN port of the team manager.
-
5. Select Save.
Configure controller #3 and #4
1. Start the management tool on each independent controller by pointing your browser to the appropriate IP address.
2. Select Management > Device discovery.
3. Select Mobility controller discovery.
4. Set IP address of the primary mobility controller to 192.168.1.99.
5. Select Save.
You can now configure wireless mobility options, as explained in “Mobility traffic manager” (page 285).
-
unauthenticated wireless users once they successfully connect to the wireless network. Access to the protected network is restricted by the controller and typically requires that users be authenticated by the controller before they gain access.
-
To successfully configure support for guest access on a controller team, the following limitations must be respected:
• DHCP relay agent: Must be used instead of the internal DHCP server, but only the following options are supported (blue lines mark options that are not supported and should be left blank):
◦ Listen for requests on LAN port: This setting needs to be disabled, as support for relaying DHCP requests for wired clients is not supported. This option is disabled by default.
-
• Creating a VSC for guest access: You must create a new VSC to support guest access. Respect the following limitations:
◦ VSC egress mapping: If VLANs are not being used to egress traffic, only the Internet port (Internet network on the MSM720) can be used to provide access to the protected network for authenticated clients. This occurs because the DHCP relay agent option Forward to egress interface always sends traffic to the Internet port for DHCP requests.
-
Guest access with teamed controllers using the same subnet In this scenario, a pair of controlled APs tunnel user traffic to the LAN ports on a controller team composed of two MSM760s. Once authenticated, users are able to access the Internet via the Internet ports. Both ports (LAN and Internet) are untagged (no VLANs are assigned).
-
The following steps illustrate how to configure this scenario. (These steps assume that the controller team has already been created, and that the APs have been discovered, are properly synchronized and are ready to accept additional configuration settings.) Disable NAT on the egress interface Since the Internet port will be used to egress traffic, NAT needs to be disabled on it. 1. Select Team >> Network > IP interfaces. 2. Select Internet port. The Internet interface configuration page opens.
-
3. Disable Network address translation (NAT).
4. Select Save.
Enable DHCP relay globally In order for wireless client stations to obtain an IP address, the controller must act as a DHCP relay agent to forward requests to the external DHCP server at 10.0.0.1.
1. Select Team >> Network > Address allocation. The Address allocation configuration page opens.
2. Select DHCP relay agent and then select the Configure button next to it.
3. The DHCP relay agent configuration page opens.
-
Create a new VSC for guest access The default VSC cannot be used for guest access when teaming is enabled, so a new VSC must be created.
1. Select VSC >> Add new VSC profile.
2. The VSC profile page opens.
3. Configure the following settings:
• Define a name for the VSC and enable Authentication and Access control.
• Define the SSID name for the wireless network.
• Enable the HTML-based user logins option. (This allows users to log in to the protected network using their web browsers.
-
4. Make sure that the VSC is bound to the APs, and that the APs are synchronized. Now, when a wireless client station connects to the Guest SSID, it will obtain an IP address on the subnet assigned to the Internet port via the external DHCP server. Once the wireless client is authenticated, it will gain access to the subnet connected to the Internet port (and by extension, the Internet).
-
15 Mobility traffic manager Key concepts NOTE: This chapter discusses how to use and configure Mobility traffic manager (MTM) with non-teamed controllers. If you are working with a controller team, most of the same information applies. Essentially, a controller team is treated the same way as a single non-teamed controller. For more information, see “Mobility support” (page 273).
-
Diagram: a controller with LAN port 192.168.1.1 and Internet port 192.168.40.1; Network 1 to Network 4 (192.168.10.0, 192.168.20.0, 192.168.30.0, 192.168.40.0); AP 1 and AP 2, each serving a WLAN; User A and User B (home networks Network 4 and Network 3).
If a user roams between APs, MTM adjusts the tunnel to maintain the user's connection to their home network. (On an MSM720, replace LAN port with Access network and Internet port with Internet network in the following diagram.)
-
IMPORTANT: • MTM is only available on non-access-controlled VSCs. • The same VSCs must be defined on all controllers in the mobility domain, even on controllers that are not managing any APs. The mobility domain The mobility domain is an interconnection between controllers allowing for the exchange of information about wireless users and the home/local networks managed by controllers.
-
Network requirements The network that interconnects the controllers and APs that make up a mobility domain must not block any of the following ports/protocols: • UDP port 1194 • UDP port 12141 • UDP port 3000 • UDP port 3001 • UDP port 3518 • TCP port 5432 • Internet protocol number 47 (GRE) • NAT must not be used. The IP address of each AP must be visible to the controller. Home networks A home network is the root network for a user within a mobility domain.
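As an added example (not code from the HP guide), the following Python script checks a firewall policy against the port and protocol requirements listed above. The policy syntax it parses ("permit <proto> any any [eq N | range A B]") and the sample policy are assumptions made for illustration; the required flows are the ones the guide lists.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed example, not from the HP guide: checks a simplified firewall
# policy (permit lines in an assumed "permit <proto> any any [eq N|range A B]"
# syntax) against the ports and protocols the guide says must not be blocked
# between the controllers and APs of a mobility domain.

# (protocol, port) pairs required by the guide; GRE (IP protocol 47) has no port.
REQUIRED_FLOWS = (
    ("udp", 1194), ("udp", 12141), ("udp", 3000), ("udp", 3001), ("udp", 3518),
    ("tcp", 5432), ("gre", None),
)


@dataclass(frozen=True)
class PermitRule:
    proto: str                 # "udp", "tcp", "gre" or "ip" (any protocol)
    port_lo: Optional[int]     # None for protocols without ports
    port_hi: Optional[int]


def parse_policy(text: str) -> List[PermitRule]:
    """Parse permit lines; deny lines, blank lines and '#' comments are ignored."""
    rules = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#") or tokens[0] != "permit":
            continue
        proto = tokens[1].lower()
        if "eq" in tokens:
            port = int(tokens[tokens.index("eq") + 1])
            rules.append(PermitRule(proto, port, port))
        elif "range" in tokens:
            i = tokens.index("range")
            rules.append(PermitRule(proto, int(tokens[i + 1]), int(tokens[i + 2])))
        elif proto in ("tcp", "udp"):
            rules.append(PermitRule(proto, 0, 65535))   # no port qualifier: all ports
        else:
            rules.append(PermitRule(proto, None, None))
    return rules


def rule_covers(rule: PermitRule, proto: str, port: Optional[int]) -> bool:
    """True when the permit rule allows the given protocol/port."""
    if rule.proto not in (proto, "ip"):
        return False
    if port is None or rule.port_lo is None:
        return True
    return rule.port_lo <= port <= rule.port_hi


def check_mobility_domain_policy(rules: List[PermitRule], nat_in_path: bool) -> List[str]:
    """Return findings; an empty list means the policy satisfies the guide's requirements."""
    findings = []
    for proto, port in REQUIRED_FLOWS:
        if not any(rule_covers(r, proto, port) for r in rules):
            label = f"{proto.upper()} port {port}" if port is not None else "IP protocol 47 (GRE)"
            findings.append(f"blocked: {label}")
    if nat_in_path:
        findings.append("NAT in path: AP addresses must be visible to the controller")
    return findings


# Constructed policy that forgets the UDP 3518 flow.
SAMPLE_POLICY = """\
# mobility domain, controllers <-> APs
permit udp any any eq 1194
permit udp any any eq 12141
permit udp any any range 3000 3001
permit tcp any any eq 5432
permit gre any any
deny ip any any
"""

if __name__ == "__main__":
    for finding in check_mobility_domain_policy(parse_policy(SAMPLE_POLICY), nat_in_path=False):
        print(finding)
```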
-
Diagram: Primary mobility controller (controller 1, LAN port 192.168.10.1/24, Network 1 192.168.10.0) and mobility controller 2 (LAN port 192.168.20.1/24, Network 2 192.168.20.0), joined by an L3 switch (10.2, 20.2); AP 1 and AP 2 each serve a WLAN, and User A roams from AP 1 to AP 2.
Local networks In order for a wireless user's traffic to be sent to the appropriate destination within the mobility network, local networks must be defined on controllers, and optionally APs.
-
NOTE: • All controllers in the mobility domain must be running the same software version. This means that the first two numbers in the software revision must be the same. For example: All controllers running 5.4.x, or all controllers running 5.5.x. • Discovery automatically takes place on both the LAN port and Internet port (Access network and Internet network on the MSM720). VLANs are not supported. (Meaning the ports on the MSM720 must be untagged.
-
• Configure mobility settings for each VSC. (The same VSCs must be defined on all controllers in the mobility domain, even on controllers that are not managing any APs.) • Bind VSCs to the APs. Each task is described in more detail in the sections that follow. Defining the mobility domain When MTM will be used on more than one controller, or with a controller team, you must define a mobility domain. The following instructions apply to non-teamed controllers.
-
On other controllers 4. Select Save. Defining network profiles Global definitions for all home networks and local networks are created using the network profiles feature which is found on the Controller >> Network > Network profiles page (“About the default network profiles” (page 32)).
-
A number of configuration settings on the controller can affect how user traffic is routed. Some of these settings may override the choices you make to assign user traffic to a home network. See “Traffic flow for wireless users” (page 221). NOTE: At least one controller must be assigned to each home network defined in the mobility domain. See “Local networks” (page 289).
-
Local networks Select the local networks that are connected to the Ethernet port(s) on the AP. • Available networks: This box lists all network profiles defined on the controller. Select a network profile and then select the right arrow to assign it as a local network on the AP. • Local networks: This box lists all the networks that are local to the AP. These networks are used to determine if a user is roaming or at home when they connect to the AP.
-
If you are using MTM to tunnel the traffic from wireless users to their home networks, set the following parameter to determine how MTM routes traffic if no home network is assigned to a user (via their RADIUS account or local user account), or if the user's home network is not found in the mobility domain.
4. If no matching network is assigned:
• Block user: User access is blocked.
-
To view this page: • On a non-teamed controller, select Controller >> Status > Mobility. • On a controller team, select Team:[Team-name] > Controllers [Team-manager] >> Status > Mobility. Controllers This table lists all controllers that are part of the mobility domain. • Name: Name assigned to the controller. • IP address: IP address of the controller. • MAC address: Medium access control address of the associated controller.
-
Handler A handler is the AP or controller that provides the data path to a network. • If the network is handled by an AP managed by this controller, then this column shows the names of controlled APs supporting the network. Up to five APs can be displayed (the first five APs registered by the controller for the specific network). • If the network is local to this controller, then this column shows This controller.
-
Mobility client event log This page lists all events for a roaming client. Date and time Date and time that the event occurred. Category Always set to Mobility. Operation Possible values are: • Client tunneling: Client tunneling events indicate activities related to establishing the data tunnel to a remote controller or AP for the purposes of transporting client data to its home network.
-
• Mobility Initiated at Home Interface: A request to set up a client connection at its home network has been received. • Mobile Terminated at Home Interface: A client connection at its home network has been terminated. This normally happens only when the client has disconnected or the network path to its connection point has been disrupted. • Mobility Initiated at Client Interface: A request to set up a client connection at its connection point (the AP where the client is associated) has been received.
-
[Diagram: controller LAN port 192.168.30.1; Network 1 (192.168.10.0), Network 2 (192.168.20.0) and Network 3 (192.168.30.0); two WLAN APs; User A and User B]

Configuration overview
The following sections provide a summary of the settings needed to configure MTM support for this scenario.

VSC configuration
Enable MTM support on the VSC.
1. Select Controller >> VSCs > HP.
• Under Global, clear Access control. (For a complete screenshot of this page, see “VSC configuration options” (page 113).)
-
Network profiles
This scenario uses the default network profiles, so no configuration is necessary.

VSC binding
This scenario assumes that all APs are part of the Default Group. Set the egress for the group to the Internet port on the controller.
1. Select Controller > Controlled APs > Default Group >> VSC bindings and then select HP. The VSC binding page appears.
2. Do the following:
  • Under VSC Profile, set VSC profile to HP.
  • Select Egress network, and under it, set Network profile to LAN port network.
-
[Diagram: controller LAN port 192.168.1.1 and Internet port 192.168.40.1 (VLAN 40); Network 1 (192.168.10.0), Network 2 (192.168.20.0), Network 3 (192.168.30.0) and Network 4 (VLAN 40); three WLAN APs; User A, User B and User C]

Configuration overview
The following sections provide a summary of the settings needed to configure MTM support for this scenario.

VSC configuration
Enable MTM support on the VSC.
1. Select Controller > VSCs > HP.
• Under Global, clear Access control.
-
Network profiles
Define a network profile with a VLAN ID of 40.
1. Select Controller >> Network > Network profiles.
2. Select Add New Profile.
3. Under Settings, set Name to All-Traffic.
4. Select the VLAN ID checkbox, and specify a value of 40.
5. Select Save.

Map the profile to a port
Map the profile to the Internet port.
1. Select Controller >> Network > VLANs.
2. Select All-Traffic in the table. The Add/Edit VLAN mapping page opens.
-
3. Under Map To, select Internet port.
4. Select Save.

VSC binding
This scenario assumes that all APs are part of the Default Group.
1. Select Controlled APs > Default Group >> VSC bindings and then select HP. The VSC binding page appears.
2. Do the following:
  • Under VSC Profile, set VSC profile to HP.
  • Select Egress network, and under it set Network profile to All-Traffic.
3. Select Save.
-
WPA is enabled on the VSC to control user authentication. When the user logs in, the VLAN is retrieved from the account profile and is used by MTM to route the user's traffic to the appropriate network via the Internet port.

[Diagram: controller LAN port 192.168.1.1 and Internet port 192.168.40.1; User A and User B; Network 1 (192.168.10.0), Network 2 (192.168.20.0), Network 3 (192.168.30.0) and Network 4 (192.168.40.)]
-
1. Select Controller >> VSCs > HP.
• Under Global, clear Access control. (For a complete screenshot of this page, see “VSC configuration options” (page 113).)
• Select Wireless mobility, then under it:
  • Select Mobility traffic manager.
  • Select Block user.
• Select Wireless protection, and then select WPA. Under it, do the following:
  • Set Mode to WPA (TKIP).
  • Set Key source to Dynamic. This will automatically enable the 802.
-
1. Select Controller >> Network > Network profiles.
2. Select Add New Profile.
3. Under Settings, set Name to Network 3.
4. Select VLAN ID, and specify a value of 30.
5. Select Save.
6. Select Add New Profile.
7. Under Settings, set Name to Network 4.
8. Select VLAN ID, and specify a value of 40.
9. Select Save.

Map the profiles to a port
Map the network profiles to port 1 on the MSM720 or the Internet port on other controllers.
1. Select Controller >> Network > VLANs.
-
2. Select Network 3 and Network 4 in the list.
3. For Select the action to apply to the selected network profiles, select Add New Mapping, then select Apply. The Add/Edit VLAN mapping page opens.
4. Under Map To, select Internet port.
5. Select Save. The VLANs page opens showing the profiles mapped to the Internet port.

User accounts
Next you need to define user accounts and account profiles.
1. Select Controller >> Users > Account profiles.
2. Select Add New Profile.
-
5. Select Save.
6. Select Add New Profile.
7. Under General, set Profile name to Network 4 and disable Access-controlled profile.
8. Select Egress interface, and under it select Egress VLAN ID and set it to 40.
9. Select Save. The profiles list should now look like this:
10. Select Controller >> Users > User accounts. Initially, no accounts are defined.
-
11. Select Add New Account.
12. Under General:
  • Set User name to User A.
  • Set Password to a secure password.
  • Clear Access-controlled account.
13. Select Account profiles, and under it move Network 3 to the box titled Set account attributes using these profiles.
14. Select Save.
15. Select Add New Account.
-
16. Under General:
  • Set User name to User B.
  • Set Password to a secure password.
  • Clear Access-controlled account.
17. Select Account profiles, and under it move Network 4 to the box titled Set account attributes using these profiles.
18. Select Save.

VSC binding
This scenario assumes that all APs are part of the Default Group.
1. Select Controlled APs > Default Group >> VSC bindings and then select HP. The VSC binding page appears.
2. Under VSC Profile, set VSC profile to HP.
3. Select Save.
-
Scenario 4: Assigning home networks on a per-user basis
This scenario illustrates how to assign home networks on a per-user basis using RADIUS attributes. (On an MSM720, replace LAN port with Access network in the following descriptions.)

How it works
In this scenario, wireless services have been added to two wired networks. A single controller and multiple APs are installed on each network. The two networks are connected with an L3 switch. The following diagram provides an overview of the setup.
-
Each profile must be assigned to an AP as well as a controller. This is done to ensure that when a user logs in on an AP installed on the same subnet as the home network, traffic is not routed through the controller, but is sent directly onto the network via the Ethernet port on the AP. For example:
• When User A logs onto AP 1, RADIUS returns the VLAN ID Net1. Since Net1 is defined as a home network on AP 1, traffic is sent directly onto network 1 via the Ethernet port on the AP.
-
VSC
1. Select Controller >> VSCs > HP.
• Under Global, clear Access control. (For a complete screenshot of this page, see “VSC configuration options” (page 113).)
• Select Wireless mobility, then under it:
  • Select Mobility traffic manager.
  • Select Block user.
2. Select Save.

Network profiles
1. Select Controller >> Network > Network profiles.
2. Select LAN port network.
-
Controller 2 configuration
Mobility domain
1. Select Controller >> Management > Device discovery. (For a complete screenshot of this page, see “Defining the mobility domain” (page 291).)
2. Do the following:
  • Select Mobility controller discovery.
  • Clear This is the primary mobility controller.
  • Specify the IP address of the primary mobility controller. In this example: 192.168.10.1.
3. Select Save.

VSC
VSC configuration is the same as for controller 1.

Network profiles
1.
-
AP configuration
VSC binding
1. Select Controller > Controlled APs > Default Group >> VSC bindings and then select HP. The VSC binding page appears. (For a complete screenshot, see “VSC configuration options” (page 113).)
2. Set VSC profile to HP.
3. Select Save.

Local network assignment
1. Select Controlled APs > Default group >> Configuration > Home networks.
2. For each AP on network 1, double-click Net1 to add it to the Local networks list.
-
The following diagram provides a logical overview of the setup. (Only two APs are shown for clarity.)

[Diagram: primary mobility controller 1 (LAN port 192.168.5.2/24) and controller 2 (LAN port 192.168.5.3/24); DHCP server and RADIUS server at 192.168.5.1/24 on the NOC network (VLAN 1); APs on VLAN 2; Network 1 (VLAN 10), Network 2 (VLAN 20) and Network 3 (VLAN 30) behind a VLAN switch; two WLAN APs; User A (home network via RADIUS = Net1) and User B (home network via RADIUS = Net2)]

Wireless clients receive their DHCP address from the DHCP server on the network.
-
By assigning different VLANs to different controller ports, traffic can be split between controllers. To reduce the amount of traffic that needs to be tunneled between controllers, APs are assigned to controllers based on their expected use:
• AP 1 is physically located in an area where most of the users are assigned to network 1; therefore it is managed by controller 1.
• AP 2 is physically located in an area where most of the users are assigned to network 2; therefore it is managed by controller 2.
-
VSC
1. Select Controller >> VSCs > HP.
• Under Global, disable Access control. (For a complete screenshot of this page, see “VSC configuration options” (page 113).)
• Select Wireless mobility, then under it:
  • Select Mobility traffic manager.
  • Select Block user.
2. Select Save.

Network profiles
1. Select Controller >> Network > Network profiles.
2. Select Add New Profile.
3. • Under Settings, set Name to Net1.
-
5. Repeat steps 2 and 3 to define the following profiles:
• Profile name = NOC, VLAN ID = 1
• Profile name = APs, VLAN ID = 2
When done, the list of network profiles should look like this:

VLANs
1. Select Controller >> Network > VLANs.
2. Select APs, Net1, and NOC. For Select the action to apply to the selected network profiles, select Add New Mapping, then select Apply. The Add/Edit VLAN mapping page opens.
3. Under Map to, set Port to LAN port.
-
4. Select Save. The list of VLANs should look like this:

Controller 2 configuration
Mobility domain
1. Select Controller >> Management > Device discovery. (For a complete screenshot, see “Defining the mobility domain” (page 291).)
2. Do the following:
  • Select Mobility controller discovery.
  • Clear This is the primary mobility controller.
  • Set the IP address of the primary mobility controller to 192.168.5.2.
3. Select Save.

VSC
Configuration is the same as for controller 1.

Network profiles
1.
-
3. Do the following:
  • Under Settings, set Name to Net2.
  • Select VLAN ID and set a value of 20.
4. Select Save.
5. Repeat steps 2 and 3 to define the following profiles:
• Profile name = Net3, VLAN ID = 30
• Profile name = APs, VLAN ID = 2
When done, the list of network profiles should look like this:

VLANs
1. Select Controller >> Network > VLANs.
2. Select APs, Net1, and NOC. For Select the action to apply to the selected network profiles, select Add New Mapping, then select Apply.
-
3. Under Map to, set Port to LAN port.
4. Select Save. The list of VLANs should look like this:

AP configuration
VSC binding
1. Select Controller > Controlled APs > Default Group >> VSC bindings and then select HP. The VSC binding page appears. (For a complete screenshot, see “Binding a VSC to a group” (page 165).)
2. Set VSC profile to HP.
3. Select Save.
-
in the same manner. Rather than manually assigning APs and/or groups of users to specific VLANs, MTM can be configured to automatically disperse traffic across a VLAN range. In fact, by defining multiple network profiles, traffic can be mapped to several different ranges, allowing groups of users or APs to be mapped to specific VLAN ranges. The following diagram provides a logical overview of the setup. (Only two APs are shown for clarity.)

[Diagram: primary mobility controller 1 and controller 2, LAN port 192.168.5. (remainder of the diagram not captured)]
-
By assigning a different profile name to AP groups, traffic can be split between controllers. In this example, the APs are split into two groups:
• Group 1: The VSC binding is configured with Egress network set to Net1, putting traffic from this group onto VLAN range 10-30.
• Group 2: The VSC binding is configured with Egress network set to Net2, putting traffic from this group onto VLAN range 31-50.
MTM uses a round-robin mechanism to distribute traffic across the VLAN range.
-
VSC
1. Select Controller >> VSCs > HP.
• Under Global, clear Access control. (For a complete screenshot of this page, see “VSC configuration options” (page 113).)
• Select Wireless mobility, then under it:
  • Select Mobility traffic manager.
  • Select Block user.
2. Select Save.

Network profiles
1. Select Controller >> Network > Network profiles.
2. Select Add New Profile.
• Under Settings, set Name to Net1.
-
3. Select Save.

VLANs
1. Select Controller >> Network > VLANs.
2. Select Net1. The Add/Edit VLAN mapping page opens.
3. Under Map to, set Port to LAN port.
4. Select Save.

Controller 2 configuration
Mobility domain
1. Select Controller >> Management > Device discovery. (For a complete screenshot, see “Defining the mobility domain” (page 291).)
2. Do the following:
  • Select Mobility controller discovery.
  • Clear This is the primary mobility controller.
-
VSC
Configuration is the same as for controller 1.

Network profiles
1. Select Controller >> Network > Network profiles.
2. Select Add New Profile.
3. Do the following:
  • Under Settings, set Name to Net2.
  • Select VLAN ID and set a value of 31–50.
4. Select Save.

VLANs
1. Select Controller >> Network > VLANs.
2. Select Net2. The Add/Edit VLAN mapping page opens.
-
3. Under Map to, set Port to LAN port.
4. Select Save.

AP configuration
Split the APs into two groups as explained in “Working with groups” (page 164). Call them Group 1 and Group 2.

VSC binding for Group 1
1. Select Controller > Controlled APs > Group 1 >> VSC bindings and then select HP. The VSC binding page appears.
2. Do the following:
  • Set VSC profile to HP.
  • Select Egress network, then for Network profile, select Net1 (10–30).
3. Select Save.
-
VSC binding for Group 2
1. Select Controller > Controlled APs > Group 2 >> VSC bindings and then select HP. The VSC binding page appears.
2. Do the following:
  • Set VSC profile to HP.
  • Select Egress network, then for Network profile, select Net2 (31–50).
3. Select Save.

Subnet-based mobility
This feature has been deprecated. If you are creating a new installation, use Mobility Traffic Manager. If you are upgrading from a previous release, your subnet-based configuration will still work.
-
16 User authentication, accounts, and addressing

Introduction
NOTE: This chapter discusses user authentication as it applies to the controller and controlled APs only. For information on authentication when working with autonomous APs, see “Working with autonomous APs” (page 533).

User authentication tasks can be handled either by the AP or by the controller. This is controlled by the settings of the access control and authentication options on the VSC to which a user is connected.
-
The Use controller for option in a VSC is set to:

Auth type: HTML-based
• Authentication: Not supported
• Authentication and Access control: Wireless users authenticated via:
• Neither: Not supported
• For more information, see “Configuring HTML-based authentication on a VSC” (page 348).
-
option in the VSC. The following table lists all possible combinations of authentication types (and other features) that can be activated, and shows the order in which they are applied.

The Use controller for option in a VSC is set to:
• Authentication: MAC lockout + Wireless MAC filter + MAC-based (VSC) + 802.1X (VSC)
• Authentication and Access control: MAC lockout + Wireless MAC filter + MAC-based (Global) + HTML-based
• Neither: MAC lockout + Wireless MAC filter + MAC-based (VSC) + 802.
-
Switch port not bound to a VSC
When a switch port is not bound to a VSC, the following authentication options are supported:
• 802.1X (Switch port)
• MAC-based (Switch port)
If both options are enabled at the same time, then:
• 802.1X takes priority for client stations that are 802.1X enabled. If 802.1X authentication fails, MAC authentication is not checked and the client station fails to authenticate.
• MAC authentication takes priority for client stations that are not 802.1X enabled.
-
VSC
User credentials can be validated using:
• Local user accounts on the controller
• External RADIUS server
• Active Directory
(Depends on how the VSC is configured.)
See:
• “Configuring 802.1X support on a VSC” (page 336).
• “Configuring global 802.1X settings for wired users” (page 338).
• “Configuring global 802.

Switch port
User credentials can be validated using:
• External RADIUS server
See “Configuring 802.1X support on an HP 517 or MSM317 switch port” (page 339).
-
NOTE: LEAP is not supported on access-controlled VSCs.
• PEAPv0: Protected Extensible Authentication Protocol. One of the most supported implementations across all client platforms. Uses MSCHAPv2 as the inner protocol.
• PEAPv1: Protected Extensible Authentication Protocol. Alternative to PEAPv0 that permits other inner protocols to be used.
• EAP-FAST: Extensible Authentication Protocol Flexible Authentication via Secure Tunneling. Can use a pre-shared key instead of a server-side certificate.
-
Authentication
Local
User logins are authenticated with the list defined on the Controller >> Users > User accounts page. Local user accounts use the authentication services of the internal RADIUS server, which supports the following 802.1X protocols: EAP-TLS, EAP-TTLS, and PEAPv0. Other protocols may work but have not been tested.

Remote
• Active Directory: User logins are authenticated via Active Directory. To set up Active Directory support, go to the Controller >> Security > Active Directory page.
-
• BSSID: Basic service set ID of the wireless network defined for this VSC.
• macaddress:ssid: The MAC address of the AP radio, followed by a colon, followed by the SSID configured on this VSC.

Configuring global 802.1X settings for wired users
Configure global 802.1X settings by selecting Controller >> Authentication > 802.1X. These settings only apply to:
• Wired clients connected to the controller via the LAN port.
-
Supplicant timeout
Specify the maximum length of time for the controller to wait for a client station to respond to an EAPOL packet before resending it. EAPOL (Extensible Authentication Protocol over LAN) is used for 802.1X port access control. 802.1X can be used to authenticate at "network connect time" when using either wired or wireless LAN adapters. If client stations are configured to manually enter the 802.1X username or password or both, increase the value of the timeout to 15 to 20 seconds.
-
authenticating devices that do not have a Web browser and are permanently installed on a network (a printer or point-of-sale terminal, for example), but can also be used for regular users. MAC authentication can be configured at several different levels as described in the following table.

Global
Authentication is handled by the controller.

VSC
Authentication is handled by either the controller or the AP. (Depends on how the VSC is configured.)

Switch port
Authentication is handled by the HP 517 or MSM317.
-
VSC
MAC addresses are validated against a custom list for each VSC. See “Configuring MAC-based filters on a VSC” (page 344).

Switch port
MAC addresses are validated against a global list that is defined on the controller and applies across all devices. See “Configuring MAC-based filters on an HP 517 or MSM317 switch port” (page 345).

NOTE: MAC-based filters are always applied before MAC-based authentication.
-
Configuring MAC-based authentication on a VSC Each VSC can have unique settings for MAC authentication of wireless client stations. These settings are defined on the VSC profile page. (To open this page, see “Viewing and editing VSC profiles” (page 112)). • When the Use Controller for Authentication option is enabled under Global, MAC-based authentication tasks are managed by the controller.
-
The MAC address sent by the controller or controlled AP in the RADIUS REQUEST packet for both username and password is 12 hexadecimal numbers in the format defined on the Controller >> Authentication > MAC format page. See “Configuring MAC address format” (page 347). The RADIUS server will reply to the REQUEST with either an ACCEPT or REJECT RADIUS RESPONSE packet. In the case of an ACCEPT, the RADIUS server can return the session-timeout RADIUS attribute (if configured for the account).
-
Configuring global MAC lockout
This feature lets you block traffic from client stations based on their MAC address. MAC lockout applies globally to all client stations connected to:
• Wireless ports on controlled APs
• Wired ports (including switch ports) on controlled APs
• Local mesh ports on controlled APs
• The LAN port (Access network on the MSM720) on the controller
NOTE: MAC lockout does not apply to the Internet port (Internet network on the MSM720).
-
Filter action
The following table describes how the wireless MAC filter functions when it is used alone and in combination with other authentication options:

Client address is in the MAC address list; filter action: Allow
• When used alone: Access is granted.
• When used with MAC-based authentication: Access is granted. MAC-based authentication is not performed.
• When used with 802.1X authentication: Access is granted or denied based on the result of 802.1X authentication.
-
Configuring MAC address lists
MAC lists are used by several options to allow/deny access to client stations. You can define up to 75 MAC address lists with up to 256 entries in each list. The lists can be used to define MAC addresses for the following features:
• The MAC filter option on a switch port (Controlled APs >> Configuration > Switch ports), permitting you to limit switch port access to specific devices based on their MAC address.
-
Matching MAC addresses
Matching a single MAC address
To match a single MAC address, specify the address using 12 hexadecimal numbers in the format nn:nn:nn:nn:nn:nn, and set the Mask to FF:FF:FF:FF:FF:FF. For example, this definition matches a single MAC address:
MAC address = 00:03:52:07:2B:43
Mask = FF:FF:FF:FF:FF:FF

Matching a range of MAC addresses
To match a range of MAC addresses, you need to use the wildcard feature.
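The address/mask matching used by MAC address lists, as an added example (not HP's code). It assumes the usual semantics of a mask: a client address matches an entry when every bit set in the mask is identical in the client and entry addresses, so an all-FF mask matches one station and a mask with zeroed octets matches a range; the sample list, first-match evaluation and Allow/Deny actions are constructed for illustration.

```python
"""Mask-based MAC address matching for controller-style MAC address lists.

Added example, not HP's code. Assumption: an entry (address, mask) matches a
client MAC when (client & mask) == (address & mask). FF:FF:FF:FF:FF:FF therefore
matches exactly one station; FF:FF:FF:00:00:00 matches every station sharing
the entry's first three octets (one vendor OUI). Remember that a MAC address is
client-supplied, so a list like this is a coarse filter, not authentication.
"""
import re

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def parse_mac(text: str) -> int:
    """Parse nn:nn:nn:nn:nn:nn (case-insensitive) into a 48-bit int; reject anything else."""
    if not _MAC_RE.match(text):
        raise ValueError(f"not a MAC address in nn:nn:nn:nn:nn:nn form: {text!r}")
    return int(text.replace(":", ""), 16)


def mac_matches(client: str, entry_mac: str, mask: str) -> bool:
    """True when the client agrees with entry_mac on every bit set in mask."""
    m = parse_mac(mask)
    return (parse_mac(client) & m) == (parse_mac(entry_mac) & m)


def filter_decision(client: str, entries, default: str = "Deny") -> str:
    """Walk a MAC address list in order; the first matching entry decides.

    entries: iterable of (mac, mask, action) with action "Allow" or "Deny".
    First-match ordering is an assumption of this example, not a documented rule.
    """
    for entry_mac, mask, action in entries:
        if mac_matches(client, entry_mac, mask):
            return action
    return default


# Constructed sample list; only the first entry is taken from the manual's example.
SAMPLE_LIST = [
    ("00:03:52:07:2B:43", "FF:FF:FF:FF:FF:FF", "Allow"),  # one station
    ("00:03:52:00:00:00", "FF:FF:FF:00:00:00", "Allow"),  # whole 00:03:52 OUI
    ("00:00:00:00:00:00", "00:00:00:00:00:00", "Deny"),   # catch-all: mask 0 matches anything
]

if __name__ == "__main__":
    for mac in ("00:03:52:07:2B:43", "00:03:52:aa:bb:cc", "00:1A:2B:3C:4D:5E"):
        print(mac, "->", filter_decision(mac, SAMPLE_LIST))
```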
-
HTML-based authentication has the following properties:
• Authentication is handled by the controller.
• Settings are defined on a per-VSC basis.
• Can only be used on access-controlled VSCs.
• Configured using the Add/Edit Virtual Service Community configuration page in the management tool.
-
Remote
• Active Directory: User logins are authenticated via Active Directory. To set up Active Directory support, go to the Controller >> Security > Active Directory page.
• RADIUS: User logins are authenticated via an external RADIUS server. To set up the connection to an external RADIUS server, go to the Controller >> Authentication > RADIUS profiles page.
  ◦ Request RADIUS CUI: Enable this option to support the Chargeable User Identity (CUI) attribute as defined in RFC-4372.
-
Configuring VPN-based authentication on a VSC
Each VSC can have unique settings for VPN-based user logins. These settings are defined on the VSC profile page. (To open this page, see “Viewing and editing VSC profiles” (page 112).) When the Use controller for Authentication and Access control options are enabled under General, VPN-based user login options can be defined.

Authentication
Local
User logins are authenticated with the list defined on the Controller >> Users > User accounts page.
-
accounts is done using the options on the Controller >> Users menu, which includes the following configuration pages: User accounts, Account profiles, Subscription plans, and Session persistence. Each user account:
• Obtains account properties from one or more account profiles.
• Obtains account durations from one or more subscription plans.
• Is restricted for use with one or more VSCs.
-
Attribute / For more info see
• default-user-goodbye-url: “Default user URLs” (page 475).
• default-user-one-to-one-nat: “Default user one-to-one NAT” (page 474).
• default-user-idle-timeout: “Default user idle timeout” (page 473).
• default-user-session-timeout: “Default user session timeout” (page 474).
• default-user-acct-interim-update: “Default user interim accounting update interval” (page 472).
• default-user-max-output-packets: “Default user quotas” (page 473).
-
These two attributes appear in the Default AC profile under Session time attributes:
-
And the attributes appear in access-controlled user accounts under Effective attributes:
-
Defining a user account
1. Select Controller >> Users > User accounts. The User accounts page opens. It presents a list of all defined user accounts. Initially this list is empty.
-
2. Select Add New Account. The Add/Edit user account page opens. If you disable the Access-controlled account option, the page will look like this:
3. Configure account options as described in the online help.
-
Defining account profiles
1. Select Controller >> Users > Account profiles. The Account profiles page opens. It presents a list of all defined profiles. Initially this list will contain the profile Default AC.
2. Select Add New Profile. The Add/Edit account profile page opens.
-
3. Configure profile options as described in the online help.

Defining subscription plans
1. Select Controller >> Users > Subscription plans. The Subscription plans page opens. It presents a list of all defined subscription plans.
-
2. Select Add New Plan. The Add/Edit subscription plan page opens.
3. Configure plan options as described in the online help.

Public IP address
This feature enables a public IP address to be assigned to any client station. This makes the client station address visible to devices on the external network, allowing external devices to create connections with the client station. For more information, see “Assigning public IP addresses” (page 47).
-
User addressing and related features
The controller provides a number of features related to user addressing, including:

Feature / Description / For more information, see ...
• DHCP server: Enables the controller to dynamically assign IP addresses to users. See “Configuring the global DHCP server” (page 45).
• Fixed leases: The controller assigns the same IP addresses to specific users each time they connect. See “Assigning fixed DHCP leases” (page 47).
-
17 Authentication services

Introduction
This chapter explains how to configure the different authentication services that the controller can use to authenticate user logins and administrator logins. The following table summarizes the services that are available and what they can be used for.

Service / Description / For details, see ...
• Integrated RADIUS server: User authentication via the local user lists.
-
• Allows RADIUS accounting data to be sent to an external RADIUS server. (The internal RADIUS server does not provide support for accounting.)
• Local user accounts and account profiles have been designed to match the same functionality and support as can be provided by an external RADIUS server. Most of the AVPairs supported on an external RADIUS server are also supported by the integrated RADIUS server.
-
Server authentication support
Select the authentication protocols that the internal RADIUS server will support:
• PAP: This protocol must be enabled if any VSCs are configured to use MAC-based authentication or HTML authentication.
• EAP-TTLS
• EAP-PEAP
• EAP-TLS

RADIUS authorization
NOTE: Applies to autonomous and third-party APs. Requests from controlled APs are always accepted because they use the management tunnel.
Enable this option to restrict access to the RADIUS server.
-
Using a third-party RADIUS server
A third-party RADIUS server can be used to perform a number of authentication and configuration tasks, as shown in the following table.

Task / For more information, see ...
• Validating administrative user credentials: “Setting up manager and operator accounts” (page 18).
• Validating user credentials for 802.1X, MAC, MAC-based, and HTML-based authentication types: “Wireless protection” (page 127); “HTML-based user logins” (page 132); “MAC-based authentication” (page 132).
-
Configuration procedure
1. Select Controller >> Authentication > RADIUS profiles. The RADIUS profiles page opens.
2. Select Add New Profile. The Add/Edit RADIUS Profile page opens.
3. Configure the profile settings as described in the following section.
4. Select Save.

Configuration parameters
Profile name
Specify a name to identify the profile.

Settings
Authentication port: Specify a port on the RADIUS server to use for authentication. By default RADIUS servers use port 1812.
-
Retry interval Specify the number of seconds that the controller waits before access and accounting requests time out. If the controller does not receive a reply within this interval, the controller switches between the primary and secondary RADIUS servers, if a secondary server is defined. A reply that is received after the retry interval expires is ignored.
-
Force NAS-Port to ingress VLAN ID: When enabled, sets the RADIUS NAS-Port attribute content to the ingress VLAN ID for the VSC profile the user is connected to. If no ingress VLAN is defined, NAS-Port is set to 0. The value of the NAS-Port in other locations, such as in placeholders or the system log, is not changed by enabling this option. Override NAS ID when acting as a RADIUS proxy This option applies only when this profile is used with VSCs that do not provide access control.
-
Support for regular expressions in realm names
Standard regular expressions can be used in realm names. For example:

Expression: mycompany[1-3].com
Matches: mycompany1.com, mycompany2.com, mycompany3.com

Expression: .*mycompany.com
Matches: mycompany.com with any number of characters in front of it. For example: headoffice.mycompany.com or server-mycompany.com.

Expression: .*\.mycompany.com
Matches: .mycompany.com with any number of characters in front of it. For example: headoffice.mycompany.com or server.mycompany.
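The three realm expressions above, evaluated against a constructed set of realms, as an added example (not HP's code). It assumes the controller applies an expression to the whole realm name (anchored match); the manual does not say so, and the candidate realms are constructed to show what the unescaped dots and the leading `.*` actually admit.

```python
"""Realm-name matching with the regular expressions from the manual.

Added example, not HP's code. Assumption: a realm expression must match the
entire realm (re.fullmatch). The candidate list is constructed to show two
things a reviewer of realm rules should notice: an unescaped '.' matches any
character, and '.*mycompany.com' accepts any prefix, including names with no
dot before "mycompany", which '.*\\.mycompany.com' rejects.
"""
import re

# The three expressions shown in the manual.
REALM_EXPRESSIONS = [
    r"mycompany[1-3].com",
    r".*mycompany.com",
    r".*\.mycompany.com",
]


def match_realm(realm: str, expressions=REALM_EXPRESSIONS):
    """Return the first expression that matches the whole realm, or None.

    Case-insensitive, since realm names are DNS-style; an assumption of this example.
    """
    for expr in expressions:
        if re.fullmatch(expr, realm, flags=re.IGNORECASE):
            return expr
    return None


def realms_matching(expr: str, candidates):
    """All candidate realms the expression accepts; useful when reviewing a rule."""
    return [r for r in candidates if re.fullmatch(expr, r, flags=re.IGNORECASE)]


# Constructed candidate realms (not from the manual).
CANDIDATES = [
    "mycompany1.com",
    "mycompany2.com",
    "mycompany4.com",            # outside [1-3]
    "mycompany1Xcom",            # the unescaped '.' accepts 'X' in place of the dot
    "headoffice.mycompany.com",
    "server-mycompany.com",      # accepted by .*mycompany.com, rejected by .*\.mycompany.com
    "othermycompany.com",        # likewise: no literal dot before "mycompany"
    "mycompany.com.other.example",  # rejected by fullmatch; a search() would accept it
]

if __name__ == "__main__":
    for expr in REALM_EXPRESSIONS:
        print(expr, "->", realms_matching(expr, CANDIDATES))
```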
-
Using an Active Directory server
Active Directory is the Windows service that is used by many organizations for user authentication. The controller can communicate with an Active Directory server to authenticate user login credentials and retrieve configuration settings (attributes) that are applied to a user's session. An Active Directory server can be used to support the following authentication types:

Service / For details, see ...
• 802.1X (VSC): “802.
-
Active directory settings
General
Device name
Specify a name that identifies the controller to Active Directory. The controller uses this name to connect to the Active Directory server, just like any standard Active Directory client does.

Domain NetBIOS name
Specify the NetBIOS domain to which the controller belongs. Generally, the NetBIOS domain name is the first segment of the Windows domain name. For example: if the Windows domain is rd.mycompany.com, then the NetBIOS domain name would be rd.
-
Active Directory groups attributes Displays all Active Directory groups that are defined on the controller. These groups are used to assign attributes to a user once they have been authenticated by Active Directory. NOTE: Group names on the controller must be identical to existing Active Directory security group names configured on the Active Directory Server.
-
Configuration parameters
General
Group name
Specify a name to identify the group. This name must match an existing Active Directory Security Group configured on the Active Directory Server.

Active
Enable this option to activate the group. The group cannot be used until it is active.

Access-controlled group
Determines whether the group is access-controlled or not.
• Access-controlled groups can only be used to log in on VSCs that are access-controlled.
-
Attribute / For information, see
• default-user-idle-timeout: “Default user idle timeout” (page 473).
• default-user-session-timeout: “Default user session timeout” (page 474).
• default-user-acct-interim-update: “Default user interim accounting update interval” (page 472).
• default-user-max-output-packets: “Default user quotas” (page 473).
• default-user-max-input-packets: “Default user quotas” (page 473).
• default-user-max-total-packets: “Default user quotas” (page 473).
-
18 Security

Firewall
To safeguard your network from intruders, the controller features a customizable stateful firewall. The firewall operates on the traffic streaming through the Internet port. It can be used to control both incoming and outgoing data. A number of predefined firewall rules let you achieve the security level you need without going to the trouble of designing your own rules.
-
Outgoing traffic

Application          Firewall setting (Low / High)
IPSec pass-through   Passed
NetBIOS              Blocked

Incoming traffic

Application                                                Low      High
FTP (passive mode)                                         Passed   Blocked
FTP (active mode)                                          Passed   Blocked
Web (HTTPS)                                                Passed   Blocked
Web (HTTP)                                                 Passed   Blocked
Telnet                                                     Passed   Blocked
Windows networking                                         Passed   Blocked
PPTP from remote client to a server on the local network   Passed   Blocked
ping client on local network                               Passed   Blocked
IPSec pass-through                                         Passed   Blocked
-
Customizing the firewall To customize the firewall, you define one or more rules. A rule lets you target a specific type of data traffic. If the controller finds data traffic that matches the rule, the rule is triggered, and the traffic is rejected or accepted by the firewall. To add a rule, select Custom Firewall on page Controller >> Security > Firewall, select Edit, and then select Add New Rule. Rules operate on IP datagrams (sometimes called packets).
-
Trusted CA certificate store This list displays all root CA (certificate authority) certificates installed on the controller. The controller uses these CA certificates to validate the certificates supplied by peers during authentication. Multiple CA certificates can be installed to support validation of clients with certificates issued by different CAs. The controller uses these certificates to validate certificates supplied by: • Managers or operators accessing the controller's management tool.
-
CA certificate import formats

The import mechanism accepts an ASN.1 DER encoded X.509 certificate directly, or wrapped in one of two other formats:
• PKCS #7 (widely used by Microsoft products)
• PEM, defined by OpenSSL (popular in the Unix world)

A CRL can be imported as an ASN.1 DER encoded X.509 certificate revocation list directly, or as part of a PEM file.

Content and file format | Items carried in the file | Description
ASN.1 DER encoded X.509 certificate | One X.
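The following helper is an added example for this guide, not HP's importer: it splits a PEM bundle into the single DER objects the table above describes and checks that a DER file is one complete ASN.1 SEQUENCE with nothing trailing before it is uploaded. SAMPLE_BUNDLE and SAMPLE_PKCS7 are constructed inputs (their bodies are a placeholder SEQUENCE, not real certificates), and the PKCS #7 detection only looks for the leading SignedData OID.

```python
"""Prepare CA-certificate and CRL files for import: split a PEM bundle into
single DER objects and confirm a DER file is one complete ASN.1 SEQUENCE.
Added example for this guide, not HP's importer. SAMPLE_BUNDLE is
constructed: its bodies are a 5-byte placeholder SEQUENCE, not real
certificates. PKCS #7 detection only checks the leading SignedData OID
(1.2.840.113549.1.7.2)."""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----", re.DOTALL)
PKCS7_SIGNED_DATA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"


def der_outer_length(blob):
    """Bytes covered by the outermost DER SEQUENCE (tag + length + content)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (tag 0x30 expected)")
    first = blob[1]
    if first < 0x80:                                  # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                                  # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_der(blob):
    """True when blob is exactly one top-level SEQUENCE with nothing trailing."""
    try:
        return der_outer_length(blob) == len(blob)
    except ValueError:
        return False


def split_pem(text):
    """Return (label, der_bytes) for every PEM block, in file order; raises on a bad body."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
        if not check_der(der):
            raise ValueError(f"{m.group('label')} block does not decode to one DER object")
        out.append((m.group("label"), der))
    return out


def classify(data):
    """Import format the controller would have to recognise: PEM, PKCS7, DER or unknown."""
    if b"-----BEGIN " in data:
        return "PEM"
    if not check_der(data):
        return "unknown"
    hdr = 2 if data[1] < 0x80 else 2 + (data[1] & 0x7F)
    return "PKCS7" if data[hdr:hdr + 11] == PKCS7_SIGNED_DATA_OID else "DER"


_PLACEHOLDER_DER = b"\x30\x03\x02\x01\x05"           # SEQUENCE { INTEGER 5 }: stand-in, not a certificate


def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


# Constructed sample: two certificate blocks and one CRL block, as a PEM bundle may carry.
SAMPLE_BUNDLE = _pem("CERTIFICATE", _PLACEHOLDER_DER) * 2 + _pem("X509 CRL", _PLACEHOLDER_DER)
# Constructed PKCS #7 ContentInfo header (signedData OID, empty content), not a real file.
SAMPLE_PKCS7 = b"\x30\x0d" + PKCS7_SIGNED_DATA_OID + b"\xa0\x00"
```

Feed the bytes of a file to classify() to learn which import path it will take; split_pem() returns each DER object so a bundle can be imported one certificate at a time, and check_der() catches truncated or concatenated DER files before they reach the controller.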
-
Status indicator Indicates the certificate state. • Green: Certificate is valid. • Yellow: Certificate will expire soon. • Red: Certificate has expired. ID A sequentially assigned number to help identify certificates with the same common name. Issued to Name of the certificate holder. Select the name to view the contents of the certificate. Issued by Name of the CA that issued the certificate. Current usage Lists the services that are currently using this certificate.
-
NOTE: When a Web browser connects to the controller using SSL/TLS, the controller sends only its own X.509 certificate to the browser; it does not send any intermediate CA certificates. If the controller certificate was signed by an intermediate certificate authority, and the browser only knows the root certificate authority that signed the intermediate CA's certificate, the browser does not receive the chain it needs to validate the identity of the controller and reports the certificate as untrusted, even though the certificate itself is valid.
-
Under Authentication to the peer, select a new Local certificate and then select Save.

About certificate warnings

Access to the management tool and the public access interface Login page occurs through a secure connection (SSL/TLS). An X.509 certificate is used to validate this connection. The default X.509 certificate installed on the controller for SSL/TLS access to the management tool and the public access interface is not registered with a certificate authority, so browsers warn about it until you install a certificate issued by a CA they trust.
-
IPSec Trusted CA certificates The controller uses the CA certificates to validate the certificates supplied by peers during the authentication process. Multiple CA certificates can be installed to support validation of peers with certificates issued by different CAs. • Certificate file: Specify the name of the certificate file or select Browse to choose from a list. CA certificates must be in X.509 or PKCS #7 format. • Install: Select to install the specified certificate.
-
IPSec Manage certificate revocation list Use this box to manage the CRL. • CRLs: Shows a list of installed certificate revocation lists. • Remove: Deletes the item shown under CRLs. • View: Opens the item shown under CRLs for viewing. Certificate expiration alerts The following warnings are generated when a certificate is about to expire: • The status light for the certificate turns yellow. See “Trusted CA certificate store” (page 377). • A message appears on the management tool home page.
-
19 Local mesh Key concepts The local mesh feature enables you to create wireless links between two or more APs. These links provide a wireless bridge that interconnects the networks connected to the Ethernet port on each AP. The local mesh feature replaces the need for Ethernet cabling between APs, making it easy to extend your network in hard-to-wire locations or in outdoor areas.
-
Using 802.11a/n for local mesh HP recommends that 802.11a/n in the 5 GHz band be used for local mesh links whenever possible. This optimizes throughput and reduces the potential for interference because: • Most Wi-Fi clients support 802.11b or b/g, therefore most APs are set to operate in the 2.4 GHz band. This frees the 5 GHz (802.11a/n) band for other applications such as local mesh. • 802.11a/n channels in the 5 GHz band are non-overlapping. • 802.
-
Term Definition Link The wireless connection between two nodes. Downstream link A link that transports data away from the root network. Upstream link A link that transports data towards the root network. Peer Any two connected nodes are peers. In the diagram, AP 1 is the peer of both AP 2 and AP 3. Local mesh operational modes Three different roles can be assigned to a local mesh node: Master, Alternate Master, or Slave.
-
Local mesh profiles Each node supports up to six profiles plus one provisioning profile. When a profile is active, a node constantly scans and tries to establish links as defined by the profile. The local mesh provisioning profile is used by the wireless link created on a provisioned AP to support discovery of the controller. Initially, this link operates in slave mode.
-
General

Enabled/Disabled: Specify if the profile is enabled or disabled. The profile is only active when enabled.
Name: Name of the profile.
On dual-radio products use / On triple-radio products use: Select the radio to use for this link.

Settings

Mode: Three different roles can be assigned to a node: master, alternate master, or slave. The role assigned to a node governs how the node establishes upstream or downstream links with its peers.
-
• Alternate Master: An alternate master node must first establish an upstream link with a master or alternate master node before it can establish downstream connections with an alternate master or slave node. Security Enable this option to secure data transmitted on the wireless link. The APs on both sides of the wireless link must be configured with the same security options. WEP This feature has been deprecated. If you are creating a new installation, use AES/CCMP.
-
AES/CCMP Enables AES with CCMP encryption to secure traffic on the wireless link. This is the most secure method. The node uses the key you specify in the PSK field to generate the keys that encrypt the wireless data stream. Specify a key that is between 8 and 63 ASCII characters in length. HP recommends that the key be at least 20 characters long and be a mix of letters and numbers. Settings Three different roles can be assigned to a node: master, alternate master, or slave.
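As an added example (not HP code), the script below checks a local mesh PSK against the 8 to 63 ASCII-character rule and the "at least 20, letters and digits" recommendation above, generates a key that satisfies them from the OS random source, and expands a passphrase to 256-bit key material. The guide does not say how the node turns the PSK into link keys; derive_pmk uses the IEEE 802.11i PBKDF2-HMAC-SHA1 mapping, with the mesh network name in place of the SSID, and that mapping is an assumption about this product. It is included to show why a short PSK is weak: a guess costs only 4096 HMAC rounds, so the key length, not the iteration count, is what keeps an offline dictionary attack expensive.

```python
"""Local mesh AES/CCMP pre-shared key: check the length rule and the
recommendation above, generate a compliant key, and show what a passphrase
expands to. Added example for this guide, not HP code. The manual only
says the node uses the PSK to generate the link keys; the expansion in
derive_pmk is the IEEE 802.11i passphrase-to-PMK mapping and is an
ASSUMPTION about this product (the mesh network name stands in for the
SSID). The 802.11i Annex H vector ("password"/"IEEE") is used as the
known-answer test."""
import hashlib
import secrets
import string

MIN_LEN, MAX_LEN, RECOMMENDED_LEN = 8, 63, 20


def check_psk(psk):
    """Return the list of rule violations; an empty list means the PSK is acceptable."""
    problems = []
    if not all(32 <= ord(c) < 127 for c in psk):
        problems.append("non-ASCII or control characters")
    if not MIN_LEN <= len(psk) <= MAX_LEN:
        problems.append(f"length {len(psk)} not in {MIN_LEN}..{MAX_LEN}")
    if len(psk) < RECOMMENDED_LEN:
        problems.append(f"shorter than the recommended {RECOMMENDED_LEN}")
    if not (any(c.isalpha() for c in psk) and any(c.isdigit() for c in psk)):
        problems.append("does not mix letters and digits")
    return problems


def generate_psk(length=MAX_LEN):
    """Letters+digits key from the OS CSPRNG; configure it on both ends of the link."""
    if not RECOMMENDED_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {RECOMMENDED_LEN}..{MAX_LEN}")
    alphabet = string.ascii_letters + string.digits
    while True:
        psk = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_psk(psk):           # reject the rare all-letter or all-digit draw
            return psk


def derive_pmk(psk, network_name):
    """Assumed 802.11i expansion: 4096 rounds of PBKDF2-HMAC-SHA1 salted with the network name, 32-byte output."""
    if "non-ASCII or control characters" in check_psk(psk):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", psk.encode("ascii"), network_name.encode("utf-8"), 4096, 32)
```

generate_psk() defaults to the maximum 63 characters; there is no reason to pick a shorter value for a key that is pasted into two configurations once and never typed again.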
-
Mesh ID A unique number that identifies a series of nodes that can connect together to form a local mesh network. Minimum SNR (Alternate master or slave nodes) This node will only connect with other nodes whose SNR is above this setting (in dB). SNR cost per hop (Alternate master or slave nodes) This value is an estimate of the cost of a hop in terms of SNR.
-
In this example, AP 1, AP 2, and AP 4 are all provisioned with the same settings as follows: Use the Local mesh radio configuration table to define local mesh settings for each product type. • Product: Indicates the product type. • Radio: Select the radio that will be used for the local mesh.
-
• Wireless mode: Select the wireless mode that will be used for the local mesh. • Antenna selection: Select the antenna(s) on which the radio transmits and receives. ◦ Internal: The internal antenna is used to transmit and receive. ◦ External: The external antenna is used to transmit and receive. NOTE: All APs must be configured for the same country so that the local mesh established respects local RF regulations.
-
[Diagram: controller, AP 1 and AP 2 joined by a wireless link, each AP serving a WLAN.]

Building-to-building connection

You can also use local mesh to create point-to-point links over longer distances. In this scenario, two dual-radio APs create a wireless link between networks in two adjacent buildings. Each AP is equipped with a directional external antenna attached to radio 1 to provide the wireless link. Omnidirectional antennas are installed on radio 2 to provide AP capabilities. The two APs are placed within line of sight.
-
[Diagram: two local mesh topologies, each with a controller, MASTER AP 1 and ALTERNATE MASTER AP 2 through AP 6. Left: "Initial network configuration is automatically established." Right, with AP 4 missing: "When AP 4 is unavailable, the network dynamically reconfigures itself."]
-
20 Public/guest network access Introduction The Public/Guest Network Access feature enables you to provide controlled network access for a variety of deployments. Some common applications of this feature are: • Providing Internet access to wireless customers in airports, restaurants, train stations, conference halls, etc. • Providing wireless and wired access to staff and guests in hospitals, corporations, and government buildings.
-
For more information on access control, see “Configuring global access control options” (page 399). NOTE: If authentication is not enabled on a VSC, all users connected to the VSC can access the protected network. Access lists An access list is a set of rules that governs how the controller manages access to the public and private network resources.
-
After the user successfully logs in, the session and welcome pages appear.
-
The session page provides details on the user's session and a Logout button. The welcome page is the starting point for the user once logged in. You can customize this page to present important information about your network. If the user selects Continue browsing, they are redirected to the original Web site that they were attempting to reach after they associated with the wireless network. When done browsing, the user selects Logout on the session page to terminate their session.
-
The access control mechanism is used by the controller to manage user access to network resources. Access control is applied on a per-VSC basis. When the Use Controller for Access control option is enabled on a VSC, the configuration options on this page take effect with regards to client station configuration, authentication, and authorization.
-
Add idle-timeout to RADIUS accounting session-time When enabled, the controller includes the idle time-out in the total session time for a user when the session is terminated due to idle time-out. To remove the idle time-out from the total session time, disable this option. Automatically reauthenticate HTML-based users for nn min When this option is enabled, you can specify the amount of time that the controller will remember the login credentials for an HTML-based user after they log out.
-
The initial query is always done after the client station has been idle for 60 seconds. If there is no answer to this query, the settings for Interval and Retries are used to control additional retries. Polling interval Specify how long to wait between polls. Consecutive retries Specify how many consecutive polls to which a client station can fail to reply before it is disconnected.
-
Display advertisements When this option is enabled, it causes users to be redirected to an ad content page while they are browsing. The ads page can be either ads.asp or ads-frameset.asp, depending on the setting of Use frames when presenting ads under Site options on the Public access > Web content page. Redirection occurs on TCP port 80. Display advertisements every nnn sec Specify the interval at which users are redirected to the ads page.
-
[Flow diagram: public access page flow. The controller waits for the user to attempt to browse. If the user is remembered, the Welcome Back page (welcome-back.asp) is shown; otherwise the Login page (index.asp), where the login type is Subscribe (continues on the Subscribe flow), Free Access, or Existing User with name/password, which is either authenticated or not. After login the flow passes through the Transport page (transport.asp), Session page (session.asp), Public IP page (public-ip.asp), Welcome page (welcome.asp) and Subscription Details page (subscription_details.asp).]
-
[Flow diagram, continued: Subscribe page (subscribe.asp), then payment method: Credit Card (WorldPay *1) or Credit Card (Authorize.net *1). Account page (account.asp) for name/password, then Payment page (payment.asp): Go to WorldPay (WorldPay server payment pages) or credit card info. Review page (review.asp) to confirm payment; Authorize.net contacted for purchase approval with outcomes Approved, Failed, or User Cancel; WorldPay Cancel page (worldpaycancel.]
-
advanced HTML skills and knowledge of ASP and JavaScript will be able to fully customize all site operations. See “Customizing the public access Web pages” (page 412). • Setting public access attributes: Configuration of a number of public access features can be accomplished by setting various RADIUS attributes. Three categories of attributes are available: ◦ Site attributes: These attributes are used to configure site-related options and global settings that apply to all user sessions.
-
are using access lists to restrict each group to a different section of the public network as described in “Access list example” (page 464)). 1. Retrieve the Public Access Examples zip file at www.hp.com/networking/ public-access-examples. 2. Create the following two folders on your Web server: basic and premium. 3. Copy the files welcome.html and goodbye.html from the Examples zip file into both the basic and premium folders on the web server. 4.
-
Adds a warning to this page that tells smartphone users to bookmark the Welcome page so that they can log out. 4. Add the following entry to the RADIUS profile for all smartphone users: welcome-url=web_server_URL/PDAusers/welcome.html

Customizing error messages

To customize the error messages, edit the appropriate messages in the files listed in the following table, using the Controller >> Public access > Web content page.

If an error occurs on | Messages are taken from
Login page (index.
-
How it works

1. When a user enters http://network.logout in their browser, the controller resolves it to 10.10.1.1.
2. The controller then intercepts any TCP traffic destined for 10.10.1.1 on port 80 and redirects it to 192.168.1.1 on port 8081.
3. The logout service running on controller port 8081 then logs the user out.

Because only TCP port 80 is intercepted, the name must be requested over plain HTTP, not HTTPS.

Setting site configuration options

To view, edit, and manage site options, select Controller >> Public access > Web content and configure the settings under Site options.
-
This option provides a link to the default Subscription page (subscribe.asp), where users can choose one of the subscription plans defined on the Controller >> Users > Subscription plans page. Existing users must enter their username and password to update their current account. New users enter a username and password to create a new account.
-
Support a local Welcome page: Use this feature to host the Welcome page on the controller Web server. • When enabled, users are redirected to welcome.asp on the controller Web server. • When disabled, you can use the welcome-url attribute (see “Default user URLs” (page 475)) to define a remotely hosted welcome page. Use frames when presenting ads: This option controls how advertising is displayed: • When this option is enabled, the logo and advertisement are displayed in a frame at the top of the page.
-
Allow SSLv2 authentication: Enable this option to support client stations that use SSL v2 for their HTTPS connections. When disabled, the controller only supports client stations that are using SSL v3 for HTTPS connections; SSL v2 clients are refused. Leave this option disabled: SSL v2 has been prohibited since RFC 6176 (2011) and has no secure mode of operation, and RFC 7568 (2015) deprecates SSL v3 as well. Redirect users to the Login page via: Select the protocol that will be used when redirecting users to the default Login page (index.asp). • HTTP: This option does not provide any encryption for protecting user login credentials.
-
FTP server

The FTP server provides an easy way to manage the public access interface files on the Web server, allowing you to use third-party Web site editing tools to customize content. Select Configure to define its operational settings.

NOTE: For security reasons you should disable the FTP server once the controller is deployed. At a minimum, define security filters to restrict FTP access.
-
NOTE: When using FTP, the username and password are not encrypted. They are sent as clear text, so anyone able to capture traffic between the editing workstation and the controller can read them.

Security

Allowed addresses: Enables you to define a list of IP addresses from which to permit access to the FTP server. To add an entry, specify the IP address and appropriate mask and select Add. When the list is empty, access is permitted from any IP address.

Active interfaces: Select the interfaces through which client stations can access the FTP server.
-
ads.asp text/html Page that is used to display advertisements without frames. Users are redirected to this page while browsing and must select the Continue Browsing button to return to their original Web page. ads.jpg image/jpeg This is the default advertisement that is displayed. fail.asp text/html This is a generic error reporting page that is called by various other pages to present an error message. goodbye.asp text/html When a user logs out (by selecting the Logout button on the session.
-
For the Authorize.Net payment service • Credit card information is requested. • Selecting Review launches review.asp. • Errors in payment information cause this page to be redisplayed. • Selecting Cancel returns the user to the Login page (index.asp). For the WorldPay payment service • Selecting Go to WorldPay launches the payment processing page on the WorldPay site. • Selecting Cancel returns the user to the Login page (index.asp). See WorldPay-cancel.asp/WorldPay-error.asp/WorldPay-success.
-
This page is displayed if payment fails. redirect.asp text/html This is the page that is sent when the controller intercepts a connection from a non-authenticated user. Its function is to redirect the browser to the Login page. review.asp text/html This page is called by payment.asp and applies to Authorize.Net payments only. It displays a summary of the user's subscription selections and presents a Pay button. Selecting Pay completes the Authorize.Net transaction.
-
subscription_details.js application/javascript Included by subscription_details.asp. Provides smart updates for JavaScript-capable browsers. subscription_details_ajax.asp text/html Included by subscription_details.asp. Provides smart updates for JavaScript-capable browsers. This page is specially designed for AJAX, and provides a JSON page format for use by subscription_details.js to provide the same content as subscription_details.asp for JavaScript-enabled browsers.
-
Configuring the public access Web server

The controller features an integrated Web server that, by default, is used to host the Web pages that make up the public access interface. Public access Web pages can also be hosted on third-party Web servers. Web server configuration settings are defined on the Controller >> Public access > Web server page.

Options

NOC-based authentication: Enable this option to support NOC-based authentication.
-
NOC-based authentication must be used in conjunction with the remote login page feature. The remote login page feature enables users to be redirected to a remote Web server to log in instead of using the internal login page on the controller. To validate user logins, a login application on the remote server must collect user login information and send it to the controller for authentication. See “NOC authentication” (page 480) and “NOC authentication” (page 549).
-
MIME type Specify the content-type string that identifies this MIME-type. This is the value that must appear in an HTTP Content-type header for the controller to recognize this MIME type. Types should be specified in the following format: type/subtype For example: text/xml MIME type is text-based Enable this option if the MIME type identifies files that are text-based. Security Use this option to control access to the Web server.
-
Service settings

Payment method: Credit card. Enable this option to allow users to pay for services via credit card. The controller makes use of a third-party credit card processing service (either Authorize.NET or WorldPay) to handle credit card transactions. Communications with the credit card service occur over an SSL connection. In the case of WorldPay, you must purchase the appropriate certificate as required and install it on the Controller >> Security > Certificates stores page.
-
If different, replace *worldpay.com with whatever is configured. • You must configure the payment response URL in your Worldpay customer account to point to the public access web server on the controller. This tells Worldpay where to post information about transactions. The format for the URL is: https://host_name:port/goform/HtmlWorldpayPaymentResponse Where: ◦ host_name is the name of the public access web server as defined in the X.509 (SSL) certificate installed on the controller.
-
For more information on using the test server, see the PayPal developer network at https://www.x.com/community/ppx/testing • Production: Requests are sent to the PayPal server at: https://api-3t.paypal.com/nvp When users select the Checkout with PayPal button, they are redirected to: https://www.paypal.com/ Override default PayPal URLs: Enable this option to override the default PayPal URLs for both Test and Production modes with a custom value.
-
(page: account.asp)
4. The user selects the Checkout with PayPal button to pay. (page: payment.asp)
5. The user is redirected to the PayPal site. A banner placed at the top of the page shows the merchant's name. The user enters their PayPal username and password and selects Log In to sign into PayPal.
6. PayPal presents billing information for the user to review. If satisfied, the user selects Continue to proceed.
-
7. The user is redirected back to the controller public access interface, which presents a summary of the transaction. To continue, the user selects Confirm. The controller queries the PayPal server to approve the transaction. (page: paypal-return.asp)
8. If the transaction is approved, the user can log in to the network by selecting Login. (page: purchase_approved.
-
9. The user's session starts. (page: welcome.asp)

Billing record logging

The billing records logging system provides a simple audit trail of all billing transactions. The log supports the buffering and retransmission of up to 2000 billing records to one or more external billing records servers. Log transmission occurs using the HTTP/1.1 POST method with a completely customizable data format.
-
Settings

Suspend payment system when log is full of queued records: Use this option to halt the payment system if external billing servers are unable to receive records and the log is full of untransmitted records (records with a status of "Queued"). For more information on how the log entries are managed, see “Billing records log” (page 431). When this option is disabled, the oldest untransmitted record is removed from the log to make room for the new record.
-
External billing records server profiles This list displays all configured billing records server profiles. Billing records are sent to the servers defined in this list as follows: • A copy of the current billing record is sent to each primary server. By adding multiple primary servers you create data mirroring and reduce the risk of a record being lost. • If a primary server fails to acknowledge the record, the controller retries.
-
URL URL to which the HTTP post will be sent. Transmission timeout Amount of time that the controller waits for an HTTP response for a transmitted record. If the response is not received within this period, this is considered as a failed transmission. Failover Use this box to define one or more backup server profiles for the current primary server profile. Use these backup servers Lists all backup server profiles for this primary server profile.
-
Stop after failed nnn retransmissions Select this option to have the controller stop retransmitting a record when the total number of retransmissions on all servers (primary and backup) exceeds the specified number. When this occurs the record is flagged as Transmission Failed in the log. Record transmission overview Transmission of a billing record occurs as follows: • Billing record is transmitted to the primary server.
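The delivery policy described in this section (a copy to every primary server, failover from a primary to its backup profiles, the retransmission limit that flags a record as Transmission Failed, and the two full-log behaviours) is modelled in the following added example, which is not HP code. The POST body format, the server URLs and the post() transport are constructed for the demonstration, and one detail the guide leaves open is assumed: when the log is full but holds already-transmitted records, those are evicted before any Queued record.

```python
"""Billing-record delivery as described above: each primary server gets its
own copy, a primary falls back to its backup profiles, a record becomes
Transmission Failed once its retransmissions exceed the limit, and a full
log either suspends payments or evicts the oldest untransmitted record.
Added example for this guide, not HP code. Constructed for the demo: the
POST body format, the server URLs and the fake transport. ASSUMPTION: when
the log is full but holds already-transmitted records, those are evicted
before any Queued record."""
from dataclasses import dataclass, field

QUEUED, TRANSMITTING, TRANSMITTED, FAILED = "Queued", "Transmitting", "Transmitted", "Transmission Failed"
# The customizable POST data; placeholders are filled from the record's fields.
DEFAULT_FORMAT = "txid={transaction_id}&time={transaction_time}&charge={charge}&method={billing_method}"


@dataclass
class ServerProfile:
    name: str
    url: str                                      # URL the HTTP POST is sent to
    backups: list = field(default_factory=list)   # backup profiles, tried in order


@dataclass
class BillingRecord:
    transaction_id: str
    transaction_time: str
    charge: str
    billing_method: str                           # CC_WORLDPAY, CC_AUTHORIZE_NET or CC_PAYPAL
    state: str = QUEUED
    sends: int = 0                                # retransmissions = sends - 1
    acked_by: set = field(default_factory=set)    # primaries that acknowledged their copy


class BillingLog:
    def __init__(self, post, capacity=2000, max_retransmissions=5,
                 suspend_when_full=True, fmt=DEFAULT_FORMAT):
        self.post = post                          # post(url, body) -> True when the server acknowledged
        self.capacity, self.max_retransmissions = capacity, max_retransmissions
        self.suspend_when_full, self.fmt = suspend_when_full, fmt
        self.records, self.payments_suspended = [], False

    def add(self, rec):
        """Queue a record; returns False when the payment system had to be suspended."""
        if len(self.records) >= self.capacity:
            queued = [r for r in self.records if r.state == QUEUED]
            if len(queued) == len(self.records) and self.suspend_when_full:
                self.payments_suspended = True
                return False
            done = [r for r in self.records if r.state != QUEUED]
            self.records.remove(done[0] if done else queued[0])   # oldest first
        self.records.append(rec)
        return True

    def body(self, rec):
        return self.fmt.format(**vars(rec))

    def transmit(self, rec, primaries):
        """One delivery cycle for one record; returns its new transmission state."""
        rec.state = TRANSMITTING
        for primary in primaries:
            if primary.name in rec.acked_by:
                continue                          # this mirror copy was acknowledged earlier
            for server in [primary] + primary.backups:
                rec.sends += 1
                if self.post(server.url, self.body(rec)):
                    rec.acked_by.add(primary.name)
                    break
                if rec.sends - 1 > self.max_retransmissions:
                    rec.state = FAILED            # limit counts primary and backup servers together
                    return rec.state
        rec.state = TRANSMITTED if all(p.name in rec.acked_by for p in primaries) else QUEUED
        return rec.state
```

A record that comes back Queued is simply offered to transmit() again on the next cycle; because acked_by is kept per record, a primary that already acknowledged its copy is not sent the record a second time, which is what keeps mirroring from producing duplicate billing entries on a healthy server while a sibling is down.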
-
Transaction ID Credit card transaction ID generated by the credit card service. Transaction time Date and time of the transaction. Charge Amount charged on the transaction. Billing method Identifies the billing method: • CC_WORLDPAY • CC_AUTHORIZE_NET • CC_PAYPAL Transmission state • Transmitting: The record is being transmitted. • Queued: The record is queued for transmission. • Transmission Disabled: Transmission of the record was disabled.
-
NOTE: When re-authenticating users, the returned RADIUS attribute Service-Type is set to 8744 (decimal). Called-Station-ID value By default, this is the MAC address of the wireless port (radio) to which the user is associated. This is the MAC address of the wvlan0 or wvlan1 interface in IEEE format as displayed by Tools > System Tools > Interface info. If required, the controller can return other values for this attribute by setting the Called-Station-Id content on a per-VSC basis.
-
[Network diagram: a broadband modem and a data center containing the controller, a Web/FTP server, a management station, a RADIUS server and an SMTP server on 192.168.10.0 (hosts .20.1, .20.2, .20.4 and .20.5); APs A (.10.1), B (.10.2) and C (.10.…) serving public WLANs, one in a conference room.]
-
21 Working with RADIUS attributes Introduction RADIUS attributes can be used to customize a wide range of configuration settings on the controller. This includes defining configuration settings for the public access interface, customizing the settings of access-controlled user accounts, or configuring credentials for the administrative accounts that are used to manage/operate the controller. Attributes can be defined both locally on the controller or retrieved from a third-party RADIUS server.
-
IMPORTANT: The documentation for this product frequently uses the terms site attributes and user attributes to refer to the Colubris AV-Pair attribute values depending on whether the AV-Pair attribute values are set with a value that applies to the public access site or to an individual user. Defining and retrieving site attributes Site attributes can be retrieved from a third-party RADIUS server or specified directly on the controller.
-
NOTE: A maximum of 256 attributes can be active at any one time (including both the RADIUS and the Configured attributes list). The maximum attribute size that the controller can receive in a single RADIUS request is 4096 bytes. However, some networks may limit RADIUS request size to around 1500 bytes because they discard UDP fragments. Configure the Retrieve attributes using RADIUS options as follows: • RADIUS profile: Select a RADIUS profile.
-
3. Once you select a Name, information appears regarding the correct syntax to specify under Value. Use the correct syntax to specify the desired Value. For a complete list of all supported site attributes and their syntax, see “Colubris AV-Pair - Site attribute values” (page 458), or consult the online help. 4. Select Add. Controller attribute definitions The following table lists all RADIUS attributes supported by the controller. A brief description of each attribute follows the table.
-
• Calling-Station-Id
• Class
• Framed-IP-Address
• NAS-Identifier
• NAS-Ip-Address
• NAS-Port
• NAS-Port-Type
• User-Name
• Vendor-specific (Microsoft)
  ◦ MSCHAP-Challenge
  ◦ MSCHAP-Response
  ◦ MSCHAPv2-Response
• Vendor-specific (WISPr)
  ◦ Location-Name
  ◦ Location-ID
  ◦ Logoff-url

Accounting Response: No attributes are supported.

In the attribute descriptions, a string is defined as 1 to 253 characters.
-
Framed-MTU (32-bit unsigned integer): Hard-coded value of 1496 (802.1X). The value is always four bytes lower than the 1500-byte wireless MTU maximum, leaving room for the 4-byte EAPOL (IEEE 802.1X) header. NAS-Identifier (string): The NAS ID set on the Controller >> Authentication > RADIUS profiles > Add New Profile page for the RADIUS profile being used. NAS-Ip-Address (32-bit unsigned integer): The IP address of the port the controller is using to communicate with the RADIUS server.
-
MSCHAPv2-Response (string) As defined in RFC 2759. Only present when the authentication method for the RADIUS profile is set to MSCHAPv2. Length = 49 bytes. Vendor-specific (WISPr) HP ProCurve supports the following Wi-Fi Alliance vendor-specific attributes. Location-Name The WISPr location name assigned to the controller.
-
Multiple instances of the Colubris AV-pair can be defined in a RADIUS account to configure a variety of settings. For a complete list of all supported attributes, see “Colubris AV-Pair - Site attribute values” (page 458). Access reject: No attributes are sup-ported. Access challenge: No attributes are supported. Accounting request: Acct-Authentic (32-bit unsigned integer) Always set to 1, which means RADIUS. Acct-Delay-Time (32-bit unsigned integer) As defined in RFC 2866.
-
Always 0. NAS-Port-Type (32-bit unsigned integer) Always set to 19, which represents WIRELESS_802_11. User-Name (string) The RADIUS username assigned to the controller on the Public access > Attributes page. Accounting response No attributes are supported. User attributes The controller provides support for a number of standard RADIUS user attributes, including those for authentication and accounting. See “User attribute definitions” (page 448) for a list of these attributes and a brief definition.
-
Example In this example, two user profiles (called Employee and Guest) are defined on the Controller >> Users > Account profiles page. The settings for each profile are shown below. Employee profile Sets the attributes that will be used to define employee accounts. Guest profile Sets the attributes that will be used to define guest accounts.
-
Once account profiles have been defined, user accounts can be created. The following sample page shows the initial configuration of a user account for an employee named Bill. Notice that before any account profile is assigned, the Effective attributes box shows a couple of active attributes: Idle timeout, and Session timeout.
-
These attributes come from the Default AC profile. Attributes from this profile are automatically assigned to all access-controlled user accounts. To customize the attributes for the Default AC profile you need to select Controller >> Public access > Attributes. (The default AC profile cannot be edited via the Controller >> Users > Account profiles page.) See “About the Default AC profile” (page 351).
-
Retrieving attributes from a RADIUS server When you are using a RADIUS server to authenticate users, attributes can be set in individual user accounts to define the same settings that are available via the local user profiles. These settings are accomplished by adding both standard RADIUS attributes (“User attribute definitions” (page 448)) and one or more instances of the Colubris AV-Pair (user) attribute (“Colubris AV-Pair - User attribute values” (page 484)) to the appropriate RADIUS user accounts.
-
PCM setting | Description | Supported on VSCs that are ...
... (setting name cut off) | ... mapped to the user account as follows: 6, 7 = VERY-HIGH; 4, 5 = HIGH; 0, 2 = NORMAL; 1, 3 = LOW. Requires that the Bandwidth control feature is enabled on the controller (Controller >> Network > Bandwidth control) when access-controlled VSCs are used. |
Ingress/Egress rate limit | Sets the user's ingress and egress data rates in bytes. | Access controlled
Network resources access rule | Sets a custom access control list for the user. |
-
• NAS-Ip-Address
• NAS-Port
• NAS-Port-Type
• Message-Authenticator
• Service-Type
• State
• User-Name
• User-Password
• Vendor-specific (Microsoft)
  ◦ MSCHAP-Challenge
  ◦ MSCHAP-Response
  ◦ MSCHAPv2-Response
• Vendor-specific (WISPr)
  ◦ Location-Name
  ◦ Location-ID
  ◦ Logoff-url
• Vendor-specific (Microsoft)
  ◦ MS-MPPE-Recv-Key
  ◦ MS-MPPE-Send-Key
• Vendor-specific (Colubris)

• NAS-Ip-Address
• NAS-Port
• NAS-Port-Type
• User-Name
• Vendor-specific (WISPr)
  ◦ Colubris AV-Pair
  ◦ Location-Name
-
Connect-Info (string) The string "HTTPS" or "IEEE802.1X". EAP-Message (string) As defined in RFC 2869. Only present when the authentication method for the RADIUS profile is set to EAP-MD5. Framed-IP-Address (32-bit unsigned integer) IP Address as configured on the client station (if known by the controller). Framed-MTU (32-bit unsigned integer) Hard-coded value of 1496. The value is always four bytes lower than the wireless MTU maximum which is 1500 bytes in order to support IEEE802dot1x authentication.
-
Vendor-specific (Microsoft) HP ProCurve supports the following Microsoft vendor-specific attributes. MSCHAP-Challenge (string) As defined in RFC 2433. Only present when the authentication method for the RADIUS profile is set to MSCHAPv1 or MSCHAPv2. Length = 8 bytes. MSCHAP-Response (string) As defined in RFC 2433. Only present when the authentication method for the RADIUS profile is set to MSCHAPv1. Length = 49 bytes. MSCHAPv2-Response (string) As defined in RFC 2759.
-
As defined in RFC 2865. Multiple instances are supported. EAP-Message (string) Only supported when authentication is EAP-MD5. Note that the content will not be read as the RADIUS Access Accept overrides whatever indication is contained inside this packet. Idle-Timeout (32-bit unsigned integer) Maximum idle time in seconds allowed for the user. Once reached, the user session is terminated with termination-cause IDLE-TIMEOUT. Omitting the attribute or specifying 0 disables the feature.
-
Vendor-specific (Colubris) (string) Colubris AV-Pair The Colubris AV-Pair is a vendor-specific attribute defined by HP ProCurve to support configuration of user session settings. This attribute conforms to RADIUS RFC 2865.
-
One or more occurrences of this attribute are supported inside the same packet. All occurrences are concatenated and transmitted to the IEEE802dot1x client as is. As defined in RFC 2869. State (string) As defined in RFC 2865. Accounting request Accounting start, stop, and interim-update Acct-Authentic (32-bit unsigned integer) Always set to 1, which means RADIUS. Acct-Delay-Time (32-bit unsigned integer) As defined in RFC 2866. Acct-Event-Timestamp (32-bit unsigned integer) As defined in RFC 2869.
-
The IP address of the port the controller is using to communicate with the RADIUS server. NAS-Port (32-bit unsigned integer) A virtual port number starting at 1. Assigned by the controller. NAS-Port-Type (32-bit unsigned integer) Always set to 19, which represents WIRELESS_802_11. User-Name (string) The username assigned to the user or to a device when using MAC authentication. Vendor-specific (WISPr) HP ProCurve supports the following Wi-Fi Alliance vendor-specific attributes.
-
Acct-Output-Gigawords (32-bit unsigned integer) High 32-bit value of the number of octets/bytes sent by the user. Only present when Acct-Status-Type is Interim-Update or Stop. As defined in RFC 2869. Acct-Output-Octets (32-bit unsigned integer) Low 32-bit value of the number of octets/bytes sent by the user. Only present when Acct-Status-Type is Interim-Update or Stop. Acct-Output-Packets (32-bit unsigned integer) Low 32-bit value of the number of packets sent by the user.
-
ID | Cause | Notes
18 | Host Request | Not supported (not applicable).
0x8744 (34628 decimal) | Termination | HP-specific termination cause (used when a session is terminated because a quota was exceeded).
Accounting response No attributes are supported. Administrator attributes If you want to support multiple administrator names and passwords, you must use a RADIUS server to manage them. The controller only supports a single admin name and password internally (defined on the Controller >> Management > Management tool page).
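The Gigawords/Octets split described under the accounting attributes above, and the HP-specific termination cause in this table, are easy to get wrong when post-processing accounting data. The following Python is an added example, not code from the HP guide: it builds a constructed Accounting Stop record from the attributes listed on this page, parses the Type/Length/Value encoding, reassembles the 64-bit octet counters from each Octets/Gigawords pair, and recognises termination cause 0x8744. Attribute numbers are from RFC 2866 and RFC 2869; the session ID and counter values are made up.

```python
import struct

# RADIUS accounting attribute types (RFC 2866 / RFC 2869)
ACCT_STATUS_TYPE = 40
ACCT_INPUT_OCTETS = 42
ACCT_OUTPUT_OCTETS = 43
ACCT_SESSION_ID = 44
ACCT_TERMINATE_CAUSE = 49
ACCT_INPUT_GIGAWORDS = 52
ACCT_OUTPUT_GIGAWORDS = 53

STATUS_STOP = 2
HP_QUOTA_EXCEEDED = 0x8744  # HP-specific termination cause (34628 decimal) from this page


def encode_attr(atype, value):
    """Encode one RADIUS attribute as Type|Length|Value (RFC 2865 section 5)."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(data):
    """Parse a concatenated attribute list into {type: [raw value, ...]}.
    A malformed length raises ValueError instead of being silently skipped."""
    attrs = {}
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length %d for type %d" % (alen, atype))
        attrs.setdefault(atype, []).append(data[i + 2:i + alen])
        i += alen
    return attrs


def u32(attrs, atype, default=0):
    """First instance of a 32-bit unsigned integer attribute, or default if absent."""
    vals = attrs.get(atype)
    return struct.unpack("!I", vals[0])[0] if vals else default


def session_totals(attrs):
    """Combine the low 32-bit octet counters with the Gigawords high words into 64-bit totals."""
    sent = (u32(attrs, ACCT_OUTPUT_GIGAWORDS) << 32) | u32(attrs, ACCT_OUTPUT_OCTETS)
    recv = (u32(attrs, ACCT_INPUT_GIGAWORDS) << 32) | u32(attrs, ACCT_INPUT_OCTETS)
    return sent, recv


def summarize_stop(data):
    """Summarise an Accounting Stop record, flagging the HP quota termination cause."""
    attrs = parse_attrs(data)
    if u32(attrs, ACCT_STATUS_TYPE) != STATUS_STOP:
        raise ValueError("not an Accounting Stop record")
    sent, recv = session_totals(attrs)
    cause = u32(attrs, ACCT_TERMINATE_CAUSE)
    return {
        "session_id": attrs[ACCT_SESSION_ID][0].decode(),
        "output_octets": sent,
        "input_octets": recv,
        "terminate_cause": cause,
        "quota_exceeded": cause == HP_QUOTA_EXCEEDED,
    }


# Constructed sample: a Stop record for a session that sent 5 GiB + 1000 bytes
# (one gigaword plus 2^30 + 1000 octets) and was ended by the HP quota cause.
SAMPLE_STOP = b"".join([
    encode_attr(ACCT_STATUS_TYPE, STATUS_STOP),
    encode_attr(ACCT_SESSION_ID, b"0000A1B2"),
    encode_attr(ACCT_OUTPUT_GIGAWORDS, 1),
    encode_attr(ACCT_OUTPUT_OCTETS, (1 << 30) + 1000),
    encode_attr(ACCT_INPUT_OCTETS, 123456),
    encode_attr(ACCT_TERMINATE_CAUSE, HP_QUOTA_EXCEEDED),
])

if __name__ == "__main__":
    print(summarize_stop(SAMPLE_STOP))
```

Reading only Acct-Output-Octets would report this session as about 1 GiB; combining it with Acct-Output-Gigawords gives the true 5 GiB. The parser also rejects an attribute whose declared length runs past the packet, which is the check a collector needs before trusting values from the network.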
-
The username assigned to the administrator. Service-Type (32-bit unsigned integer) As defined in RFC 2865. Set to a value of 6, which indicates SERVICE_TYPE_ADMINISTRATIVE. Vendor-specific (Microsoft) HP ProCurve supports the following Microsoft vendor-specific attributes. MSCHAP-Challenge (string) As defined in RFC 2433. Only present when the authentication method for the RADIUS profile is set to MSCHAPv1 or MSCHAPv2. Length = 8 bytes. MSCHAP-Response (string) As defined in RFC 2433.
-
Colubris AV-Pair keyword For more information see transport-page These keywords have been deprecated. If you are creating a new installation, use the custom-pages keyword or the site file archive feature on the Controller >> Public access > Web content page. If you are upgrading from a previous release, your existing configuration will still work.
-
Colubris AV-Pair keyword For more information see primary-dnat-server-status-url secondary-dnat-server-status-url Access list Access lists enable you to create public areas on your network that all users can browse, and protected areas that are restricted to specific user accounts or groups. Each access list is a set of rules that governs how the controller controls access to network resources.
-
[Figure: access list processing. Incoming user traffic is first checked against the controller (service) access list. ACCEPT forwards the traffic to the protected network via the Internet port; DENY drops it. On NO MATCH the outcome depends on the user: unauthenticated traffic is dropped; traffic from an authenticated user who has a user access list is checked against that list (ACCEPT forwards, DENY or NO MATCH drops); traffic from an authenticated user with no user access list is accepted.] Within each access list, traffic cascades through the list rules in a similar manner.
-
Tips on using the access list With certificates • If you replaced the default SSL certificate on the controller with one signed by a well-known CA, you should define the access list to permit access to the CA certificate for all non-authenticated users. This enables the user's browser to verify that the certificate is valid without displaying any warning messages.
-
A default access list can be defined by adding the following Colubris AV-Pair value string to the RADIUS profile for a controller or to the local list (Public access > Attributes page). This defines the access list to use for all users whose profiles do not contain an access list value.
-
Parameter Description example, one use for this feature could be to block access to a popular protocol, then prompt the user for additional fees to activate support. • WARN: Reject traffic matching this rule and return an HTTP error message (which is not customizable) indicating that access to the site is not allowed by the network.
-
[Figure: example campus network. A backbone on 192.168.10.0 connects Building #1, Building #2 and Building #3, each with its own controller (10.1, 10.2 and a third whose address is cut off in the figure). Data center on 192.168.20.0: router/firewall, SMTP server, DNS/DHCP server, Web/FTP server, management station, RADIUS server and VPN server (addresses 20.1 to 20.7). Faculty subnet 192.168.30.0: file server 30.2, printer server 30.1. Student subnet 192.168.40.0: file server 40.2, printer server 40.1. Admin subnet 192.168.50.0: public Web server 50.2, registration Web server 50.1.]
-
access-list=everyone,ACCEPT,tcp,192.168.50.2,80 access-list=students,ACCEPT,tcp,192.168.50.1,80,students_reg,500 access-list=students,ACCEPT,all,192.168.40.0/24,all access-list=students,DENY,all,192.168.20.0/24,all access-list=students,DENY,all,192.168.30.0/24,all access-list=students,ACCEPT,all,all.all,student_internet_use,5000 access-list=faculty,ACCEPT,tcp,192.168.50.1,80,faculty_reg,500 access-list=faculty,ACCEPT,all,192.168.30.0/24,all access-list=faculty,DENY,all,192.168.20.
-
access-list=faculty,ACCEPT,all,all,all,faculty_internet_use,5000 Enables all other traffic to reach the Internet (via routers on the backbone LAN and the router in the NOC). If this last rule did not exist, this traffic would be dropped. Configuration file The controller can retrieve and load a new configuration file automatically, based on the URL you specify. Syntax configuration-file=URL [placeholder ] Where: Parameter Description URL Specify the URL that points to the new configuration file.
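The student and faculty access lists above are evaluated top-down, first match wins, and traffic that matches no rule in a user list is dropped. The following Python is an added example, not code from the HP guide: it parses access-list AV-pair strings of the form name,action,protocol,address,port[,account,interval] into ordered rule lists, evaluates a packet against a user's list, and falls back to a default list when the user has none (the page describes such a default, the example models it as a function parameter rather than naming a keyword). The rule set is constructed to follow the campus example; the faculty DENY for 192.168.20.0/24 is assumed to mirror the student rule because it is truncated on the page.

```python
import ipaddress


def parse_access_list_rules(lines):
    """Parse 'access-list=' value strings into {listname: [rule, ...]}, preserving order."""
    lists = {}
    for line in lines:
        line = line.strip()
        if not line.startswith("access-list="):
            continue
        fields = line[len("access-list="):].split(",")
        if len(fields) < 5:
            raise ValueError("rule needs name,action,protocol,address,port: " + line)
        name, action, proto, addr, port = fields[:5]
        rule = {
            "action": action.upper(),
            "proto": proto.lower(),
            # 'all' matches any address; a host or CIDR becomes an ip_network
            "net": None if addr == "all" else ipaddress.ip_network(addr, strict=False),
            "port": None if port == "all" else int(port),
            "account": fields[5] if len(fields) > 5 else None,
        }
        lists.setdefault(name, []).append(rule)
    return lists


def evaluate(rules, proto, dst_ip, dst_port):
    """First matching rule wins. No match is treated as DENY (the traffic is dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule["proto"] not in ("all", proto):
            continue
        if rule["net"] is not None and ip not in rule["net"]:
            continue
        if rule["port"] is not None and rule["port"] != dst_port:
            continue
        return rule["action"], rule["account"]
    return "DENY", None  # NO MATCH


def check(lists, listname, proto, dst_ip, dst_port, default_list=None):
    """Evaluate against the user's own list, or the default list when the user has none."""
    rules = lists.get(listname)
    if rules is None:
        if default_list is None or default_list not in lists:
            return "DENY", None
        rules = lists[default_list]
    return evaluate(rules, proto, dst_ip, dst_port)


# Constructed rule set modelled on the campus example (faculty DENY of 192.168.20.0/24 assumed).
RULES = parse_access_list_rules("""
access-list=everyone,ACCEPT,tcp,192.168.50.2,80
access-list=students,ACCEPT,tcp,192.168.50.1,80,students_reg,500
access-list=students,ACCEPT,all,192.168.40.0/24,all
access-list=students,DENY,all,192.168.20.0/24,all
access-list=students,DENY,all,192.168.30.0/24,all
access-list=students,ACCEPT,all,all,all,student_internet_use,5000
access-list=faculty,ACCEPT,tcp,192.168.50.1,80,faculty_reg,500
access-list=faculty,ACCEPT,all,192.168.30.0/24,all
access-list=faculty,DENY,all,192.168.20.0/24,all
access-list=faculty,ACCEPT,all,all,all,faculty_internet_use,5000
""".splitlines())

if __name__ == "__main__":
    print(check(RULES, "students", "tcp", "192.168.20.3", 25))       # ('DENY', None)
    print(check(RULES, "students", "udp", "8.8.8.8", 53))            # ('ACCEPT', 'student_internet_use')
    print(check(RULES, "guest", "tcp", "192.168.50.2", 443, "everyone"))  # ('DENY', None): no match
```

The last call shows why the ordering matters: a user on the default list can reach the public Web server on port 80, but the same host on port 443 matches nothing and is dropped, and the student catch-all ACCEPT only works because the DENY rules for the data center and faculty subnets sit above it.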
-
Placeholder Description %i Returns the domain name assigned to the controller Internet port. %a Returns the IP address of the controller Internet port. The certificate is encoded using PKCS#12 format, and contains: • the private key of the Web server • the certificate of the Web server The file is locked using a password. NOTE: The password with which the certificate was locked must be the same as the password specified on the Public access > Attributes page.
-
Can be omitted if a remote login page is being used. See Remote login page. Transport page transport-page=URL_of_page [placeholder ] Session page session-page=URL_of_page [placeholder ] Fail page fail-page=URL_of_page [placeholder ] Logo logo=URL_of_gif_file [placeholder ] Placeholder The following placeholder is only available when using a RADIUS server. If these values are specified under Controller >> Public access > Attributes > Configured attributes, the placeholder cannot be used.
-
login (as described in this section), or by using the NOC-based authentication feature (described in “NOC authentication” (page 549)). The following diagram shows the sequence of events for a typical user session when using a remote login page and a RADIUS server for authentication. [Figure: sequence between the user, the controller, the RADIUS server and the Web server hosting the remote login page: 1. A non-authenticated user attempts to browse a web site on the protected network. 2. The controller intercepts the request. 3. The user's web browser is redirected to the remote login page. 4. The Web server sends the login page.]
-
Placeholder Description %s Returns the RADIUS login name assigned to the controller. By default, this is the unit serial number. %u Returns the login name of the user. %o Returns the original URL requested by the user. By default, this value is URL encoded. (To enable/disable URL encoding, set the value of url-encode in the section in the configuration file.) %i Returns the domain name assigned to the controller Internet port.
-
3. Add the following entries to the Configured attributes table on the Public access > Attributes page. (You can also define these attributes in the RADIUS profile for the controller if you are using a RADIUS server.) login-url=web_server_URL/newlogin/login.html?loginurl=%l transport-page=web_server_URL/newlogin/transport.html session-page=web_server_URL/newlogin/session.html fail-page=web_server_URL/newlogin/fail.html logo=web server URL/newlogin/logo.
-
Default user bandwidth level This keyword lets you define the bandwidth level for all users that do not have a specific level set in their profile. Syntax bandwidth-level=level Where: Parameter Description level Specify one of the following bandwidth levels for the user's session. The actual data rate associated with a bandwidth level is defined on the Network > Bandwidth control page.
-
When a user session is terminated based on a quota, a new non-standard termination cause is used. The value for this termination cause is 0x8744. You can customize this by modifying the value of "radius-quota-exceeded-cause" in the "ACCESS-CONTROLLER" section of the configuration file. The text value for the termination cause is defined in the message.txt file under the token "stat-quota-exceeded". The default value for this token is "Logged out. (Quota Exceeded.)".
-
Default user public IP address Use this to set the default value for public IP address assignment for users whose RADIUS profile does not contain a value for use-public-ip-subnet (“Public IP address” (page 486)). For more information using public IP addresses, see “Assigning public IP addresses” (page 47). Syntax default-user-use-public-ip-subnet=value Where: Parameter Description value Set this to 1 to activate assignment of a public IP address. Set to 0 to disable.
-
proxy requests. HTTP requests such as GET / HTTP/1.0 are transformed into GET http://www.website.com/ HTTP/1.0 before being forwarded to the third-party server. NOTE: The HTTP proxy upstream feature targets the HTTP protocol and not HTTPS. Because of this, HTTPS only works if users have configured their browsers for HTTP proxy usage. In the case of transparent proxy, the connection will not be detected as HTTP-compatible and will not be redirected to the upstream proxy server.
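The transformation above (origin-form request plus Host header into the absolute-form request an upstream proxy expects) and the reason it cannot apply to HTTPS are shown by the following Python, an added example that is not code from the HP guide. The request bytes are constructed for the demonstration; the function returns None for anything it cannot rewrite, which is exactly the case a transparent proxy hits with a TLS connection or with an HTTP/1.0 request that carries no Host header.

```python
from typing import Optional

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")


def rewrite_for_upstream_proxy(raw: bytes) -> Optional[bytes]:
    """Turn 'GET / HTTP/1.0' + 'Host: h' into 'GET http://h/ HTTP/1.0' for an
    upstream HTTP proxy. Returns None when the request cannot be rewritten:
    CONNECT (browser-configured HTTPS proxying), an already absolute-form
    target, or a request with no Host header to build the URL from."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].split(b" ", 2)
    except ValueError:
        return None
    if method == b"CONNECT" or b"://" in target:
        return None
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip()
            break
    if not host or not target.startswith(b"/"):
        return None
    request_line = method + b" http://" + host + target + b" " + version
    # headers are passed through unchanged; only the request line is rewritten
    return b"\r\n".join([request_line] + lines[1:]) + sep + body


def looks_like_http(first_bytes: bytes) -> bool:
    """What a transparent proxy can recognise: an ASCII method token. A TLS
    ClientHello begins with record type 0x16, so HTTPS is never redirected."""
    return first_bytes.split(b" ", 1)[0] in HTTP_METHODS


# Constructed sample traffic
PLAIN = b"GET / HTTP/1.0\r\nHost: www.website.com\r\nUser-Agent: demo\r\n\r\n"
CONNECT = b"CONNECT www.website.com:443 HTTP/1.1\r\nHost: www.website.com:443\r\n\r\n"
NO_HOST = b"GET / HTTP/1.0\r\n\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\x05hello"

if __name__ == "__main__":
    print(rewrite_for_upstream_proxy(PLAIN))
    print(rewrite_for_upstream_proxy(CONNECT), rewrite_for_upstream_proxy(NO_HOST))
    print(looks_like_http(PLAIN), looks_like_http(TLS_HELLO))
```

A browser configured to use the controller as an explicit proxy sends CONNECT for HTTPS, which an upstream proxy handles as a tunnel, but there is no origin-form request to rewrite; in transparent mode the TLS bytes never pass the looks_like_http test at all.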
-
To make use of this feature you need to define a local user account or a RADIUS user account for each device as follows: • username: Set this to the username you specified in the mac-address value string. If no username is specified, set the account name to the MAC address of the device. Use dashes to separate characters in the address. For example: 00-20-E0-6B-4B-44. • password: Set this to the password you specified in the mac-address value string.
-
Parameter Description Change the line to indicate the status of the server as follows: Server is UP UP Server is DOWN DOWN Do not change any other lines in the file. Polling The controller attempts to retrieve the server status file from the primary server first.
-
login-url=https://srv2.abc.com/loginpage.html welcome-url=http://srv2.abc.com/mywelcome.html • If both servers are down, then the URLs are not changed. Redirect URL The redirect-url value is used to specify the target URL for redirection when using an access list with the REDIRECT action. Only one redirect-url value can be specified in each controller or user RADIUS account.
-
Placeholder Description %G When the location-aware feature is enabled, returns the group name of the wireless access point the user is associated with. %C When the location-aware feature is enabled, returns the Called-station-id content for the wireless access point the user is associated with. %r Returns the string sent by the RADIUS server when an authentication request fails. The RADIUS server must be configured to support this feature.
-
HP WISPr support WISPr login URL This keyword lets you define the location of the WISPr login page. The controller automatically redirects users with WISPr-compatible wireless client software to this page. To customize the redirection use the WISPr redirect page keyword. Syntax wispr-login-url=URL_of_page Where: Parameter Description URL_of_page URL of the WISPr login page. WISPr abort login URL This keyword lets you define the destination where the WISPr abort login will be POSTed.
-
Traffic forwarding (dnat-server) This keyword defines the external server to which the controller will forward traffic when an access list rule with the DNAT-SERVER action matches incoming traffic. NOTE: SSL traffic cannot be forwarded as this breaks SSL security during connection negotiation resulting in the connection not being established. Two external servers can be defined with this keyword.
-
The following entry is added to the local profile for the controller: access-list=redirect,DNAT-SERVER,tcp,all,80 access-list=redirect,ACCEPT,all,all,all The following entry is added to the RADIUS profile for each user: dnat-server=redirect,srv1.mycompany.com,8080,srv2.mycompany.com,8080 Colubris AV-Pair - User attribute values User values let you define settings for individual user accounts.
-
Where: Parameter Description listname Specify the name of an existing access list. This list is activated for the current user. Advertising Add this keyword to enable the presentation of advertising at preconfigured intervals while the user is browsing. Syntax ads-presentation=value Where: Parameter Description value Set this to 1 to activate the display of advertising. Set to 0 to disable. Bandwidth level This keyword sets the bandwidth level for a user's session.
-
Syntax max-output-rate=rate max-input-rate=rate Where: Parameter Description rate Maximum transmit or receive speed in Kbps. One-to-one NAT NOTE: This feature only applies to client traffic using IPSec or PPTP on the Internet port. Add this keyword if the user requires a unique IP address when NAT is enabled on the controller. For more information, see “VPN one-to-one NAT” (page 515) and “Default user one-to-one NAT” (page 474).
-
Where: Parameter Description value For packets: 32-bit unsigned integer value. For octets: 64-bit unsigned integer value. When a user session is terminated based on a quota, a new non-standard termination cause is used. The value for this termination cause is 0x8744. The text value for the termination cause is defined in the message.txt file under the token "stat-quota-exceeded". The default value for this token is "Logged out. (Quota Exceeded.)".
-
Parameter Description Access control page. Works with SMTP servers that support PLAIN, CRAM-MD5, and no authentication. Example 3 Proxy support on smtp-redirect=smtp.mycompany.com,jimmy,letMEin smtp-redirect=smtp.mycompany.com:8025,jimmy,letMEin Example 4 Proxy support off smtp-redirect=smtp.mycompany.com smtp-redirect=smtp.mycompany.com:8025 Station polling The controller continually polls authenticated client stations to ensure they are active.
-
Where: Parameter Description URL_of_page Specify the URL of a Web page on an external Web server. placeholder Placeholder as defined in the following table. Placeholders By appending the following optional placeholders, you can pass important information to the Web server about the user. Server-side code can process this information to generate custom pages on-the-fly. Placeholder Description %l Returns the URL on the controller where user login information should be posted for authentication.
-
Administrative role Use this AV-Pair value to identify the role of administrative accounts. Syntax web-administrative-role=role Where: Parameter Description role Use one of the following values to identify the role of the account: • Manager: A manager is able to access all configuration pages and can change and save all configuration settings. • Operator: An operator is able to view all configuration pages, but is limited in the types of changes that can be made.
-
Control flow
Syntax | Description
( ) | Priority of evaluation.
if (logical condition) { } else { } | If-then-else statement.
for (start; until; steps) { } | Looping.
Forms The following forms can be used to gather information from a user and submit it to the public access interface for processing. HtmlSubscriptionRequest This form can be used to create a user account and to execute a payment. To complete certain form actions, you may be required to submit several parameters.
-
• username: Username of the user account. • valid_fields: Specify the names of the fields that should be validated. Separate field names with a space. For example: valid_fields "username password confirm_password".
-
• password: Password to use for authentication. Applies to access_type = login. • subscription_url: The URL to which the user is sent when access_type = subscribe. • success_url: The URL to which the user is sent if the login is successful. Applies to access_type = login or free_access. • username: Username to use for authentication. Applies to access_type = login. • valid_fields: Name of the form fields to do validation upon. HtmlLogout This form performs a logout operation.
-
RADIUS GetMsChapV2Failed() Displays the MS CHAP V2 error string received in the last RADIUS Reject or RADIUS Accept packet for the user. This function is only supported if you select MSCHAP V2 as the authentication scheme on the controller (Controller >> Authentication > RADIUS profiles page). The RADIUS server must also support this feature. For a list of possible return values see RFC 2759. This is not a normal return value.
-
    $NASid,   // identifies the controller the user is connected to
    $NASip
);

// set URL to redirect browser to
$targetURL = "location: https://" . $NASip . ":8090/goform/HtmlLoginRequest?username=" . $username . "&password=" . $password;

// When done
header($targetURL);

The target URL is built using the NAS IP and username and password. The form name is hard-coded. Note that because the credentials travel in the query string of a redirect, they will appear in the browser history and in the logs of any server that records request URLs. Page URLs GetFailRetryUrl() This feature has been deprecated.
-
TruncateSessionTime(unit) Returns session duration for the current user truncated to the specified unit. See TruncateMaxSessionTime(unit). GetSessionTimeHMS() Returns session duration for the current user in hours, minutes and seconds in the format: hh:mm:ss. GetSessionRemainingTime() Returns the amount of connection time remaining for the current user session in minutes and seconds in the format: mm:ss.
-
m Minutes s Seconds For example if the user account is configured for 5000 seconds, then: • TruncateSessionTime("y") returns 0. • TruncateSessionTime("d") returns 0. • TruncateSessionTime("h") returns 1. • TruncateSessionTime("m") returns 23. • TruncateSessionTime("s") returns 20. Session input/output/totals If you specify a value for the optional parameter div, then the return value is divided by div.
-
GetSessionMaxOutputPackets()
GetSessionMaxOutputOctets(div) Returns the maximum number of packets/octets that can be sent by the current user session. Session quotas These functions let you retrieve the quota limits that are set for the current user session. If any of these limits are reached, the user is logged out. See “Quotas” (page 486). If you specify a value for the optional parameter div, then the return value is the number of octets divided by div.
-
iPassGetRedirectResponseCode() Checks if the iPass authentication server is reachable and enabled. Returns one of the following values: 0 Authentication server is reachable and enabled. 105 The authentication server could not be reached or is unavailable. 255 The authentication server could not be reached due to an error on the controller (Internet port not up, for example). iPassGetAccessProcedure() Returns the access procedure supported by the controller. The controller supports procedure version 1.
-
GetHTTPProtocol() Returns the protocol used when requesting the current Web page as a string. Possible values are: • http • https Example var protocol = GetHTTPProtocol(); write(protocol); /* will write either "http" or "https" depending on the URL you typed to view the page. */ Client information LoadClientInformation() This function initializes a set of variables that provide information on the user that is requesting the current page.
-
• client_subscription_plan_state: User's subscription plan state: 0 - Plan is invalid, expired or no plan exists for that client. 1 - Plan is valid. • client_ads_presentation: User's advertisement presentation state. 0 - Advertisements are not displayed for the user. 1 - Advertisements are displayed for the user. • client_public_ip: Indicates if the user's IP address is public or private. 0 - IP address is private. 1 - IP address is public. For more information, see “Assigning public IP addresses” (page 47).
-
• client_account_status_remaining_input_octets: Amount of traffic the user can still download. • client_account_status_remaining_output_octets: Amount of traffic the user can still upload. • client_account_status_remaining_total_octets: Total amount of traffic the user can still upload or download. • client_account_status_active_sessions: Number of sessions active on this account.
-
ConditionalDisplay(condition, state ) This function is used to dynamically control execution of a block of code based on the value of a logical expression. An effective use for this function is to control blocks of display code, for certain features for example, that need to be turned on/off depending on user selections. Parameters • Condition: A logical embedded Javascript expression. If the expression is true, all content between the Begin and End function calls is executed.
-
ASP variables • payment_currency: Contains the 3-letter code identifying the currency that will be used for all transactions. • payment_cc_gateway: Returns a string that identifies the payment service that is configured. Either authorize.net or worldpay. Example LoadPaymentInformation(); if (payment_currency == "USD") { write(subscription_plan_fee + " $"); } LoadWorldPayInformation() This function initializes a set of variables that contain WorldPay-specific information.
-
Session variables The following session variables are provided: • last_login_error: Contains the error number generated by the last login attempt. This is converted into the appropriate visual representation by the file login_error_messages.asp. Value Description 0 or "" No error occurred. 1 A problem occurred that caused the current login process to stop before it completed. This is normally an issue related to an administrator changing the configuration which may cause a temporary failure.
-
Value | Description
3 | The wrong password was supplied for the specified username.
4 | An error occurred when creating the user account.
5 | The subscription plan name is invalid.
6 | The credit card payment failed.
7 | The credit card payment succeeded, however an error occurred when activating the user account.
8 | Reserved.
9 | Reserved.
10 | Same as #3, but indicates that user account creation is currently not allowed.
• last_form_error: Contains specific errors for each field in a form.
-
22 Working with VPNs Overview Virtual private networks (VPNs) create secure tunnels across non-secure infrastructure such as the Internet or publicly-accessible networks. The controller features virtual private network (VPN) capabilities that enable it to do the following: • Secure wireless client sessions with a VPN tunnel between wireless clients such as wireless point-of-sale (POS) terminals and the controller. IPSec, L2TP, and PPTP are all supported. Note that PPTP's MS-CHAPv2 authentication and MPPE encryption are considered weak by current standards; where the client supports it, prefer IPSec or L2TP over IPSec. (VPN tunnel represented in green in the figure.)
-
[Figure: example VPN topology. Wireless POS terminals and APs on 5.1.1.0 (5.1.1.2, 5.1.1.3); controller LAN port on the 7.1.1.0 network (7.1.1.1, with hosts 7.1.1.2 and 7.1.1.3); controller Internet port 24.1.1.4; router 3.1.1.2; the Internet; VPN server/gateway (peer) in front of the secure resource on 10.0.0.0 (10.0.0.2).] To use VPNs to secure wireless client sessions, configure an IPSec policy for this purpose, or configure the L2TP server or PPTP server. NOTE: Wireless clients are typically assigned IP addresses from the VPN address pool.
-
Configure an IPSec profile for wireless client VPN • On the page Controller >> VPN > IPSec select Add New Policy, and define a policy similar to this: Note the selections made in the sample Add/Edit security policy page above. See the online help for option descriptions. Option Value to set Notes General Enabled Name User-defined Phase 1 mode Aggressive mode Aggressive mode requires that a group be configured. Because aggressive mode sends the identity and the pre-shared-key-based hash before the exchange is encrypted, a captured exchange can be used for an offline dictionary attack on the key: use a long random pre-shared key, or certificate authentication.
-
Configure L2TP server for wireless client VPN 1. On the page Controller >> VPN > L2TP server enable L2TP over IPSec configuration - LAN port. (On the MSM720, replace LAN port with Access network.) 2. Either select X.509 certificates and install an X.509 security certificate (see “IPSec certificates” (page 381)), or specify a Preshared key. NOTE: The VPN client running on the wireless device must also be configured with a matching X.509 certificate, or the Preshared key specified here. 3.
-
• 3. For Use external DHCP server, specify settings that correspond to your external DHCP server configuration. Set Use port to the controller port that will send out DHCP requests. Select Save. See the online help for option descriptions. Securing controller communications to remote VPN servers To secure the communications between the controller and remote VPN servers, create a VPN tunnel from the controller to the remote VPN server.
-
Configure an IPSec policy for a remote VPN server On the page Controller >> VPN > IPSec select Add New Policy and define a policy similar to this, substituting your own IP addresses: Note the selections made in the sample Add/Edit security policy page above.
-
Option Value to set Notes 7.1.1.0. This must match the value defined in the policy on the peer (VPN server). Only permit outgoing... Identify the remote subnet Identify the remote subnet for which you wish to filter traffic, for example, 10.0.0.0. This must match the value defined in the policy on the peer (VPN server). See the online help for option descriptions. See “Keeping user traffic out of the VPN tunnel” (page 514).
-
Auto-route discovery Enable this option if you want the controller to automatically discover and add routes to IP addresses on the other side of the PPTP tunnel. The addresses must be part of the specified domain. Routes are added only when an attempt is made to access the addresses. LCP echo requests Certain VPN servers may terminate your connection if it is idle. If you enable this option, the controller will send a packet from time to time to keep the connection alive.
-
available, you must assign an IP address to it on the Controller >> Network > IP interfaces page. For example, if you create a VLAN on the Internet port, you must assign an IP address to it or it will not appear as a choice in the list. On the MSM720, Interface 2 can only be set to Access Network. Local group list When using IPSec aggressive mode, groups can be used to authenticate IPSec connections from clients (peers).
-
The address pool contains all the IP addresses that can be assigned to users. You can define up to 30 addresses. Addresses must be valid for the network to which the Internet port is connected. Specify a single address or an address range as follows: address1 - address2. For example, the following defines a range of 20 addresses: 192.168.1.1-192.168.1.20 This feature can only be used with authenticated, access-controlled users.
-
23 LLDP Overview The IEEE 802.1AB Link Layer Discovery Protocol (LLDP) provides a standards-based method for network devices to discover each other and exchange information about their capabilities. An LLDP device advertises itself to adjacent (neighbor) devices by transmitting LLDP data packets on all ports on which outbound LLDP is enabled, and reading LLDP advertisements from neighbor devices on ports that are inbound LLDP-enabled.
-
and PoE management. This class includes such devices as IP call controllers and communication-related servers. • Class 2 (Media Endpoint Devices): These devices offer all Class 1 features plus media streaming capability, and include such devices as voice/media gateways, conference bridges, and media servers.
-
LLDP agents Select this option to globally activate LLDP support on the controller. LAN port / Internet port / Port 1-6 For each port, select whether the agent will transmit and/or receive LLDP information. Select Configure TLVs to customize TLV support for each interface. Transmit Enable this option to have the agent transmit LLDP information to its neighbors. Receive Enable this option to have the agent accept LLDP information from its neighbors.
-
Generate dynamic system names When enabled, this feature replaces the system name with a dynamically generated value which you can define. Controller name Specify how the dynamically generated name will be created. You can use regular text in combination with placeholders to create the name. Placeholders are automatically expanded each time the name is regenerated. If the placeholders cause the generated name to exceed 32 characters, it is truncated.
-
Basic TLVs The controller supports all mandatory and optional TLVs (type, length, value) information elements that are part of the basic management set. Mandatory TLVs The controller always sends these TLVs with the values as shown. • Chassis ID (Type 1): The MAC address of the controller. • Port ID (Type 2): The MAC address of the port on which the TLV will be transmitted. • Time to live (Type 3): Defines the length of time that neighbors will consider LLDP information sent by this agent to be valid.
-
• Bit-rate and duplex capability
• Current duplex and bit-rate
• Whether these settings were the result of auto-negotiation during link initiation or manual override.
Configuring LLDP on an AP
AP settings are defined by selecting Controlled APs >> Configuration > LLDP.
LLDP agent
Enable this option to activate LLDP support on the AP. When active, the agent will transmit and receive LLDP information. When operating in controlled mode:
• The LLDP agent on an AP will not respond to SNMP requests.
-
Optional TLVs
• Port description (Type 4): A description of the port.
• System name (Type 5): Administrative name assigned to the device from which the TLV was transmitted. By default this is the SNMP system name. If the Dynamic name option is enabled, the system name is replaced by the dynamically generated name.
• System description (Type 6): Description of the system, composed of the following information: operational mode, hardware type, hardware revision, and firmware version.
-
TLV name                      Description
                              • Power priority
                              • Power value
MAC/PHY Configuration/Status  Indicates the following:
                              • Bit-rate and duplex capability
                              • Current duplex and bit-rate
                              • Whether these settings were the result of auto-negotiation during link initiation or manual override
ELIN location                 Emergency Call Services ELIN as described, for example, by NENA TID 07-501.
Fast Start timer
After an MED LLDPDU is received, this timer is started and the agent sends one MED LLDPDU to the MED device each second.
-
Placeholders
• %RN: System name of the neighboring device to which the port is connected, obtained via the System Name TLV. Since this is an optional TLV, if it is not available, the Chassis ID TLV is used instead.
• %RP: Port description of the port on the neighboring device to which the local port is connected, obtained via the Port Description TLV. Since this is an optional TLV, if it is not available, the Port ID TLV is used instead.
• %SN: The AP serial number.
• %IP: The AP IP address.
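The fallback and truncation rules for dynamic names, worked through as an added example (not code from the HP guide): %RN and %RP fall back to the mandatory Chassis ID and Port ID TLVs when the optional TLVs are absent, and the result is cut to 32 characters. The Neighbor and Local classes are assumptions standing in for the TLVs the agent has learned and the AP's own identity.

```python
# Added example, not from the HP guide: expands the dynamic-system-name
# placeholders with the documented fallbacks and the 32-character limit.
# The Neighbor/Local data classes are assumptions standing in for the TLVs
# the agent has learned and the AP's own identity.
import re
from dataclasses import dataclass
from typing import Optional

MAX_NAME_LEN = 32  # names longer than this are truncated by the controller


@dataclass
class Neighbor:
    """TLVs received from the LLDP peer on one port (None = TLV absent)."""
    chassis_id: str                          # Type 1, mandatory
    port_id: str                             # Type 2, mandatory
    system_name: Optional[str] = None        # Type 5, optional
    port_description: Optional[str] = None   # Type 4, optional


@dataclass
class Local:
    """Identity of the AP whose name is being generated."""
    serial_number: str
    ip_address: str


_PLACEHOLDER = re.compile(r"%(RN|RP|SN|IP)")


def expand_dynamic_name(template: str, local: Local,
                        neighbor: Optional[Neighbor]) -> str:
    """Expand %RN, %RP, %SN and %IP in one pass and truncate to 32 characters.

    %RN falls back to the Chassis ID and %RP to the Port ID when the optional
    System Name / Port Description TLVs were not received. With no neighbor at
    all, the neighbor placeholders expand to empty strings (an assumption; the
    guide does not state this case).
    """
    if neighbor is None:
        rn = rp = ""
    else:
        rn = neighbor.system_name or neighbor.chassis_id
        rp = neighbor.port_description or neighbor.port_id
    values = {"RN": rn, "RP": rp, "SN": local.serial_number, "IP": local.ip_address}
    # A single regex pass means expanded values are never re-scanned for
    # placeholders, so a neighbor name containing "%SN" is inserted literally.
    name = _PLACEHOLDER.sub(lambda m: values[m.group(1)], template)
    return name[:MAX_NAME_LEN]


if __name__ == "__main__":
    ap = Local("SG12345678", "192.168.1.50")          # constructed sample AP
    peer = Neighbor("00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:60",
                    system_name="core-sw1", port_description="Gi1/0/12")
    print(expand_dynamic_name("AP-%SN@%RN/%RP", ap, peer))
```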
-
Specify a value for the Differentiated Services codepoint (DSCP) field in IPv4 and IPv6 packet headers (as defined in RFC2474). The codepoint is composed of the six most significant bits of the DS field.
-
24 sFlow
Overview
sFlow is a technology for monitoring traffic in high-speed switched or routed networks. The standard sFlow monitoring system comprises the following:
• An sFlow Agent that runs on a network device such as an AP, switch, or router. The agent uses sampling techniques to capture information about the data traffic flowing through the device and forwards this information to an sFlow collector.
• An sFlow Collector that receives monitoring information from sFlow agents.
-
MIB support
The following MIBs are supported:
• sFlow-MIB base OID: 1.3.6.1.4.1.14706
• SNMP MIB2 System base OID: 1.3.6.1.2.1.1
• SNMP MIB2 Interfaces base OID: 1.3.6.1.2.1.2
  Note: The ifType OID of the SNMP MIB2 Interfaces will have the value 71 (ieee802.11) for the wireless interfaces.
• SNMP MIB2 IPAddrTable base OID: 1.3.6.1.2.1.4.20
• SNMP MIB2 ifXTable base OID: 1.3.6.1.2.1.31.1.1.1
• SNMP MIB: HP-WLAN-SFLOW-EXTENSIONS-MIB base OID: 1.3.6.1.4.1.11.2.14.11.6.4.
-
Disabled Turns sFlow support off. Advanced configuration Select this button to define advanced sFlow configuration settings. Advanced configuration settings are not persistent. They are lost after a restart and are not saved when doing a configuration backup. MIB version Version number of the supported sFlow-MIB. Management address This is the IP address that a collector will use to configure sFlow.
-
• Max datagram size: The maximum number of data bytes that will be sent to the collector in a single sFlow datagram.
• HP PMM compatibility: When enabled, information not supported by HP PMM network management software is dropped from the sFlow data to conserve network bandwidth.
Collector configuration settings
A collector profile defines the settings that will be used to communicate with a collector. Name Friendly name used to identify the collector. IP address IP address of the collector.
-
• Product: Product name of the AP. • Group name: Name of the group to which the AP is assigned. sFlow agent settings This page displays all data sources that are available for sampling on an AP. Each data source can support up to three configurable sampling instances. Data source Name of a port on which the sFlow agent is active. Global ifIndex Each port on an AP is automatically assigned a unique number starting at 32001. This uniquely identifies the port across all ports on all controlled APs.
-
Collector Select the collector to which data will be sent. Sampling rate Specify the approximate number of packets between samples. For example, if set to 5, approximately every fifth packet will be sampled (some jitter is purposely introduced into sample collection). A value of 0 disables sampling. Max header size Specify the maximum number of bytes to copy and forward from the header of the sampled packet.
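A model of the per-instance sampling settings described above (approximate rate with deliberate jitter, 0 = disabled, header copy limited to Max header size), added here as an example and not code from the HP guide or the MSM firmware. The uniform skip distribution is an assumption; the guide only says the interval is approximate.

```python
# Added example, not from the HP guide: models one sFlow sampling instance
# (sampling rate with deliberate jitter, 0 = disabled, header truncated to
# max header size). The uniform skip distribution is an assumption.
import random
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class FlowSample:
    sequence: int       # running sample number for this sampling instance
    sampling_rate: int  # configured rate, so the collector can scale counts
    sample_pool: int    # packets seen by the data source when the sample was taken
    frame_length: int   # original frame length before truncation
    header: bytes       # at most max_header_size bytes copied from the frame


class SflowSampler:
    """One sampling instance on one data source (port)."""

    def __init__(self, sampling_rate: int, max_header_size: int,
                 seed: Optional[int] = None) -> None:
        if sampling_rate < 0 or max_header_size <= 0:
            raise ValueError("sampling_rate must be >= 0, max_header_size > 0")
        self.rate = sampling_rate
        self.max_header = max_header_size
        self._rng = random.Random(seed)   # seeded only to make tests repeatable
        self.sample_pool = 0
        self.sequence = 0
        self._skip = self._next_skip()

    def _next_skip(self) -> int:
        # Packets to let pass before the next sample. Uniform on [1, 2*rate-1]
        # has mean == rate, so "approximately every rate-th packet" is sampled
        # while the jitter keeps periodic traffic from hiding between samples.
        if self.rate <= 1:
            return 1
        return self._rng.randint(1, 2 * self.rate - 1)

    def observe(self, frame: bytes) -> Optional[FlowSample]:
        """Count the frame; return a FlowSample when this frame is selected."""
        self.sample_pool += 1
        if self.rate == 0:          # sampling disabled for this instance
            return None
        self._skip -= 1
        if self._skip > 0:
            return None
        self._skip = self._next_skip()
        self.sequence += 1
        return FlowSample(self.sequence, self.rate, self.sample_pool,
                          len(frame), frame[:self.max_header])


def sample_stream(frames: Iterable[bytes], sampling_rate: int,
                  max_header_size: int, seed: Optional[int] = None) -> List[FlowSample]:
    """Run every frame through one sampler and collect the samples it emits."""
    sampler = SflowSampler(sampling_rate, max_header_size, seed)
    return [s for s in map(sampler.observe, frames) if s is not None]


if __name__ == "__main__":
    frames = [bytes([i % 256]) * 200 for i in range(10000)]   # constructed traffic
    out = sample_stream(frames, sampling_rate=5, max_header_size=128, seed=1)
    print(len(out), "samples;", len(out[0].header), "header bytes each")
```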
-
25 Working with autonomous APs
Key concepts
This chapter describes how to use the controller in conjunction with autonomous APs.
TIP: Most of this chapter applies to working with autonomous MSM APs. For third-party autonomous APs, see “Working with third-party autonomous APs” (page 536).
APs can operate in either controlled mode or autonomous mode. In controlled mode, the controller provides centralized management of APs. This is the preferred operation mode. See “Working with controlled APs” (page 145).
-
As shown in the above image, the Summary list includes a Detected link and count, and the Network Tree includes an Autonomous APs branch under Controller. These elements only appear when at least one autonomous AP has been detected. As shown, when Autonomous APs is selected, the Detected Autonomous APs list appears in the right pane.
-
NOTE: The AP will restart and lose all configuration settings received from the controller, returning to its default configuration. You can then configure it via its management tool.
Configuring autonomous APs
Autonomous APs must be configured via their own management tool. For convenience, you can launch an autonomous AP management tool from within the controller management tool by selecting the link in the IP address column of the Detected Autonomous APs page, provided that network access is possible.
-
In this example, the traffic for each wireless network is carried on its own VLAN. This leaves only management traffic from the autonomous AP on VLAN 10. A static IP is assigned on both ends to permit the two devices to communicate. Working with third-party autonomous APs Third-party APs can be used with a controller with both access controlled and non-access-controlled VSCs. VSC selection User traffic from third-party APs is mapped to a VSC on the controller in the same way as for MSM APs.
-
26 Maintenance
Config file management
The configuration file contains all the settings that customize the operation of the controller. You can save and restore the configuration file manually or automatically. Select Controller >> Maintenance > Config file management.
Manual configuration file management
The following options are available for manual configuration file management.
-
Reset configuration See “Resetting to factory defaults” (page 547). Restore configuration The Restore configuration option enables you to load a previously saved configuration file. This option enables you to maintain several configuration files with different settings, which can be useful if you must frequently alter the configuration of the controller or if you are managing several controllers from a central site. Use the following steps to restore a saved configuration file. 1.
-
CAUTION:
• Before updating, be sure to check for update issues in the Release Notes.
• Even though configuration settings are preserved during software updates, HP recommends that you back up your configuration settings before updating.
• After updating the controller software, controlled APs are automatically updated to the same version that is installed on the controller. At the end of the update process, the controller and all controlled APs automatically restart, causing all users to be disconnected.
-
4. Select Validate URL to test that the specified URL points to a firmware file.
5. Select Save, or to commit the schedule and also update the software immediately, select Save and Install Now.
NOTE: Before a scheduled software update is performed, only the first few bytes of the software file are downloaded to determine if the software is newer than the currently installed version. If it is not, the download stops and the software is not updated.
-
License management Use these options to order, install, and backup license files. License ordering information When ordering a license file from HP you will need to supply the information displayed in this box. Once you receive your License Registration card for your purchased license, you will need to generate and install the license as described in “Generating and installing a feature license” (page 542).
-
6. Optionally type a reminder for yourself in the Customer Notes field. Select Next.
7. Review and accept the License Agreement. Select Next. The license key is generated and made available to you for saving or sending by E-mail. For example:
8. Use the Save As button to save the license key file on your system, or use Send Email to send the license key file and information to an E-mail address. The E-mail will contain both the license file and the license key information displayed on this page.
-
9. When done, select Generate license(s) to return to the main licenses page.
Installing a license
If you are ready to install your new license, go back to the controller management tool and do the following:
1. Select Controller >> Maintenance > Licenses.
2. Under Install license file, select Browse and browse to your license file. Select the file and then select Open.
3. Select Install license to complete the license installation.
-
27 Support and other resources
Online documentation
You can download documentation from the HP Support Center website at: www.hp.com/support/manuals. Search by product number or name.
Contacting HP
For worldwide technical support information, see the HP Support Center website: www.hp.
-
A Console ports
Overview
Console port and cable information for the MSM7xx controllers is provided in their Installation Guide.
Using the console port
The console port can be used to do the following:
• Reset the controller to factory default settings. For complete instructions, see “Using the Console (serial) port” (page 547).
• Reset the manager username and password to factory default settings. For complete instructions, see “To reset manager credentials on a controller” (page 546).
-
B Resetting to factory defaults
How it works
Depending on the controller model, there may be more than one way to reset the controller to its factory default settings. This appendix describes the methods available for each model type. To reset only the manager username and password, see “To reset manager credentials on a controller” (page 546).
-
1. Power off the controller.
2. Connect a serial cable to the controller console port as follows:
   • For the MSM760, see the MSM760 Controllers Installation Guide.
3. Configure a communications terminal program (such as Microsoft Hyperterminal for Windows, or Minicom for Linux) as follows:
   • Terminal: VT-100 (ANSI)
   • Speed: Set speed according to the controller model:
     ◦ For the MSM760, set speed to 9600 bps.
-
C NOC authentication
Main benefits
Using a remote login page with NOC (network operations center) authentication provides you with the following benefits:
• The login page is completely customizable. You are not bound by the limits imposed by loading a login page onto the controller.
• Users can log in to the public access interface without exposing their Web browsers to the SSL certificate on the controller.
-
Activating a remote login page with NOC authentication To activate a remote login page, you must define several controller attributes. These attributes can be defined in the RADIUS account for the controller (if you are using a RADIUS server) or they can be locally configured. The following table summarizes the Colubris-AVPair value strings for the remote login page with NOC authentication.
-
The following placeholders can be added to the login-url string.
Placeholder  Description
%c           Returns the IP address of the user's computer.
%d           Returns the WISPr location-ID. Supported for login-url only.
%e           Returns the WISPr location-Name. Supported for login-url only.
%l           Returns the URL on the controller where user login information should be posted for authentication. By default, this value is URL encoded.
-
Authenticating with the login application
The connection between the login application and the controller is secured using SSL. When establishing the SSL connection with the controller, the login application must supply its SSL certificate. In a standard SSL setup, the controller would use the CA for this certificate to validate the certificate's identity and authenticate the login application. However, the controller does not want to accept SSL connections from just any remote entity with a valid certificate.
-
Certificate of the certificate authority (CA) that issued the NOC certificate. ssl-certificate = URL_of_the_certificate Custom certificate installed on the controller. Install a certificate on controller NOTE: This step is optional, but recommended. Install an SSL certificate on the controller to replace its default SSL certificate. This certificate is used to secure communications between the controller and the login application on the Web server.
-
Example 5 Example 1
Assume that the controller is not behind a NATing device, and that its IP address is 192.168.4.2. The subject DN in its SSL certificate is www.noc-cn3.com. The Host HTTP header should be set to one of:
• Host: www.noc-cn3.com:8090
• Host: 192.168.4.2:8090
Example 6 Example 2
Assume that the controller is behind a NATing device. The device has the address 192.168.30.173, and the controller has the address 192.168.4.2.
-
Certificate not valid yet
The login application sent an SSL certificate that matches the one defined by ssl-noc-certificate in the RADIUS profile for the controller. However, the certificate that was sent is not yet valid.
NOC_INFO_STATUS=NOC_STATUS_FAILURE
NOC_INFO_INT_ERR_MESSAGE=NOC_CERT_NOT_YET_VALID
Certificate not valid anymore
The login application sent an SSL certificate that matches the one defined by ssl-noc-certificate in the RADIUS profile for the controller.
-
Examples of returned HTML code
The following examples show the actual HTML code returned for various authentication conditions.
User was successfully authenticated by the RADIUS server
status=success
welcome-url=https://206.162.167.226:8888/cebit-php/welcome.php?site=www.noc-controller.com&user=user00&wantedurl=&nasipaddress=&nasid=L003-00069
session-url=http://192.168.1.1:8080/session.
-
11. Add the following entries to the Configured attributes table on the Public access > Attributes page. (You can also define these attributes in the RADIUS profile for the controller if you are using a RADIUS server.)
login-url=URL_of_page_on_remote_server
access-list=loginserver,ACCEPT,tcp,web_server_IP_address,443
ssl-noc-certificate=URL_of_the_certificate
ssl-noc-ca-certificate=URL_of_the_certificate
transport-page=web_server_URL/newlogin/transport.html
session-page=web_server_URL/newlogin/session.
-
D DHCP servers and Colubris vendor classes
Overview
This section shows you how to configure the following DHCP servers to use the vendor-specific class:
• “Windows Server 2003 configuration” (page 558).
• “ISC DHCP server configuration” (page 562).
A vendor class allows certain devices to request specific information from a Dynamic Host Configuration Protocol server.
-
3. On the DHCP Vendor Classes page, select Add. The New Class page opens.
4. On the New Class page:
   • Under Display name, specify Colubris.
   • Under Description, specify any desired descriptive information for this vendor class.
   • Select ASCII and specify Colubris-AP.
   • Select OK. The New Class page closes, and you return to the DHCP Vendor Classes page.
5. To close the DHCP Vendor Classes page and return to the DHCP administration page, select Close.
-
1. On the DHCP administration page, select Action > Set Predefined Options. From the Option class drop-down menu, select Colubris, and then select Add. The Option Type page opens.
2. On the Option Type page:
   • Under Name, specify MSC (for MSM controllers).
   • Under Data type, select IP Address and enable the Array checkbox.
   • Under Code, specify 1.
   • Under Description, specify List of MSC IP addresses (for MSM controller IP addresses).
-
3. On the Advanced tab, configure the following:
   • From the Vendor class drop-down menu, select Colubris.
   • Under Available options, enable the 001 MSC checkbox.
   • Under IP address, specify the IP address of the primary controller in your network and select Add. Continue to build a list by specifying the IP addresses of all controllers in your network, in descending order of importance.
   • Select OK. The controller IP addresses now appear on the DHCP administration page under Scope Options.
-
ISC DHCP server configuration
This section shows you how to configure a Linux machine running an Internet Systems Consortium (ISC) DHCP server to use the Colubris Networks vendor class. The procedure assumes that you have a Linux or Unix server that is running the ISC DHCP server. You configure the ISC DHCP server by editing its configuration file; specifically, the main configuration file, /etc/dhcpd.conf. Following is a simple example of the /etc/dhcpd.conf configuration file:
# dhcpd.
-
Following is a revised sample configuration file that contains these additions (the Colubris option space, the msc-address option definition, and the vendor-class-identifier test):
# dhcpd.conf
ddns-update-style ad-hoc;
option domain-name "colubris.com";
option domain-name-servers 172.25.1.3;
default-lease-time 3600;
option space Colubris;
option Colubris.msc-address code 1 = array of ip-address;
if option vendor-class-identifier = "Colubris-AP" {
    vendor-option-space Colubris;
}
subnet 172.25.1.0 netmask 255.255.255.0 {
    range 172.25.1.100 172.25.1.150;
    option routers 172.25.1.
-
Segment      Value        Meaning
08 08                     Option code 1 is 8 bytes long
ac 19 02 02  172.25.2.2   Controller IP addresses to return to the client
ac 19 03 02  172.25.3.2
Frame 1 - DHCP-Discover
Frame 1 (346 bytes on wire, 346 bytes captured)
Ethernet II, Src: Colubris_01:5f:05 (00:03:52:01:5f:05), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
802.1Q Virtual LAN
Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.
-
Client MAC address: Colubris_01:5f:05 (00:03:52:01:5f:05)
Server host name not given
Boot file name not given
Magic cookie: (OK)
Option 53: DHCP Message Type = DHCP ACK
Option 58: Renewal Time Value = 12 hours
Option 59: Rebinding Time Value = 21 hours
Option 51: IP Address Lease Time = 1 day
Option 54: Server Identifier = 172.24.50.4
Option 1: Subnet Mask = 255.255.255.0
Option 3: Router = 172.25.1.1
Option 15: Domain Name = "mgorr.local"
Option 6: Domain Name Server = 172.24.50.