Management and Configuration Guide (Includes ACM xl) 2005-12

ProCurve Secure Access 700wl Series Management and Configuration Guide 2-23
Using the 700wl Series System
The inner tunnel address is assigned per the Access Policy NAT setting, as discussed above. However, if Real IP mode is used, the client’s IP address is assigned as specified through the Tunneling Configuration page—either via the external DHCP service or from a specified address range.
Layer 3 Roaming Support
One of the key features of the 700wl Series system is its support of layer 3 roaming—enabling clients to move physically between access points without having to reauthenticate or lose their existing sessions. Because the 700wl Series system identifies clients by MAC address, it is simple to detect when a device roams. A Linger Timeout determines the length of time a client has to complete a roam, that is, to appear at a new physical location after disappearing from the old physical location. The settings for timing out a roaming client are part of the client’s assigned Access Policy; different clients can have different settings, and a given client can have different settings depending on its location, time of day, and so on. Configuring the Linger Timeout is discussed in Chapter 4, under Access Policies: “The Timeout Tab” on page 4-58.

If the client completes the roam before the linger time has expired, no reconnect or authentication is needed—the client’s connection state is maintained intact. Only if the client fails to complete the roam before the linger timer expires does the system decide that the client has actually disconnected and log it off.
How the 700wl Series system handles roamed sessions depends on the protocol used by the client to connect to the 700wl Series system, and whether the client’s IP address has been mapped using NAT or not.

• When a NAT’ed client roams between Access Controllers (rather than simply between ports on a single Access Controller) the Access Control Server can move the entire connection state from the original Access Controller to the “roamed-to” Access Controller. In general, sessions that are currently running are tunneled back to the original Access Controller, but new sessions are established through the new connection point.

• If the client is using a “real” IP address (either via DHCP or a static IP address) then all connections are tunneled back to the original Access Controller.

• If the client is connected using PPTP or L2TP, the PPTP/L2TP session as a whole is tunneled back to the original Access Controller.
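The roaming rules above (MAC-based client identity, the Linger Timeout deciding whether a roam completed or the client is logged off, and which Access Controller carries a session after a roam) are modelled in the following added example. It is illustrative code written for this page, not the 700wl product's implementation; the Access Controller names AC1/AC2, the MAC addresses, the timestamps and the 30-second linger value are all constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Client:
    mac: str
    ip_mode: str              # "nat", "real" (DHCP or static), or "pptp_l2tp"
    linger_timeout: float     # seconds, taken from the client's Access Policy
    home_ac: str              # Access Controller that originally admitted the client
    current_ac: str           # Access Controller the client was last seen on
    last_seen: float          # timestamp of the last frame from this MAC
    sessions: dict = field(default_factory=dict)  # session id -> AC it was opened on
    logged_off: bool = False


class RoamingTracker:
    """Tracks clients by MAC address and applies the Linger Timeout rule."""

    def __init__(self):
        self.clients = {}

    def connect(self, mac, ip_mode, linger_timeout, ac, now):
        self.clients[mac] = Client(mac, ip_mode, linger_timeout, ac, ac, now)

    def open_session(self, mac, session_id):
        c = self.clients[mac]
        c.sessions[session_id] = c.current_ac

    def seen_at(self, mac, ac, now):
        """A frame from `mac` arrived at Access Controller `ac` at time `now`.
        Returns "kept", "roamed" or "reauth_required"."""
        c = self.clients.get(mac)
        if c is None or c.logged_off:
            return "reauth_required"
        if now - c.last_seen > c.linger_timeout:
            # The roam was not completed before the linger timer expired: the
            # system treats the client as disconnected and logs it off.
            c.logged_off = True
            c.sessions.clear()
            return "reauth_required"
        c.last_seen = now
        if ac == c.current_ac:
            return "kept"
        c.current_ac = ac
        return "roamed"

    def path_for(self, mac, session_id):
        """Access Controller that carries this session's traffic after a roam."""
        c = self.clients[mac]
        if c.ip_mode in ("real", "pptp_l2tp"):
            return c.home_ac  # everything is tunneled back to the original AC
        # NAT'ed client: a running session stays anchored where it was opened,
        # a new one is established through the current connection point.
        return c.sessions.get(session_id, c.current_ac)


def run_demo():
    """Constructed timeline; returns a dict of the observed outcomes."""
    t = RoamingTracker()
    # NAT'ed client opens a session on AC1, then roams to AC2 inside the linger window
    t.connect("00:11:22:33:44:55", "nat", 30.0, "AC1", now=0.0)
    t.open_session("00:11:22:33:44:55", "ssh-1")
    nat_roam = t.seen_at("00:11:22:33:44:55", "AC2", now=10.0)
    t.open_session("00:11:22:33:44:55", "http-2")
    # Real-IP client roams the same way
    t.connect("66:77:88:99:aa:bb", "real", 30.0, "AC1", now=0.0)
    t.open_session("66:77:88:99:aa:bb", "rdp-1")
    t.seen_at("66:77:88:99:aa:bb", "AC2", now=10.0)
    # Client that stays silent for longer than its linger timeout
    t.connect("cc:dd:ee:ff:00:11", "nat", 30.0, "AC1", now=0.0)
    late = t.seen_at("cc:dd:ee:ff:00:11", "AC2", now=100.0)
    return {
        "nat_roam": nat_roam,
        "nat_old_session": t.path_for("00:11:22:33:44:55", "ssh-1"),
        "nat_new_session": t.path_for("00:11:22:33:44:55", "http-2"),
        "real_old_session": t.path_for("66:77:88:99:aa:bb", "rdp-1"),
        "late_roam": late,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The linger check is the security-relevant step: a device that reappears after the timer has run out is not silently re-admitted on the strength of its MAC address but must go through authentication again, which is what limits how long an absent client's session stays claimable.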
Network Address Translation and Roaming
Based on the default Access Policy configuration, an Access Controller provides Network Address Translation (NAT) services for clients that request a DHCP IP address when they initiate a connection to the Access Controller. The 700wl Series system implements NAT as a form of “overloading,” where a range of private IP addresses is mapped to a single public IP address (the IP address of the Access Controller) by using TCP ports. When a client sends a packet through the Access Controller, the Access Controller rewrites the IP address field and the port number field to a value that is unique within the entire 700wl Series system and that can be used to identify any return packets.
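The port-overloading scheme just described, as an added example (written for this page, not the 700wl code): many private clients share one public address and are told apart by a rewritten source port that is unique across the translator, so return packets can be matched back to the originating client. The public address 192.0.2.1, the port pool, and the sample packets are constructed; the two clients deliberately use the same private source port to show why the port must be rewritten.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class OverloadNat:
    """Many private client addresses behind one public address, distinguished
    by a translated source port that is unique across the translator."""

    def __init__(self, public_ip, port_range=(10000, 19999)):
        self.public_ip = public_ip
        self._next_port, self._last_port = port_range
        self._out = {}   # (client_ip, client_port) -> public_port
        self._in = {}    # public_port -> (client_ip, client_port)

    def _allocate_port(self):
        # Every mapping gets a port no other mapping uses; a production
        # translator would also reclaim ports when flows finish.
        if self._next_port > self._last_port:
            raise RuntimeError("translator port pool exhausted")
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt):
        """Rewrite a client packet so it appears to come from the public address."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._out:
            port = self._allocate_port()
            self._out[key] = port
            self._in[port] = key
        return Packet(self.public_ip, self._out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Map a return packet back to the client, or return None when no
        mapping exists (unsolicited inbound traffic is dropped)."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self._in.get(pkt.dst_port)
        if key is None:
            return None
        client_ip, client_port = key
        return Packet(pkt.src_ip, pkt.src_port, client_ip, client_port)


def run_demo():
    """Constructed traffic; returns the translation results for inspection."""
    nat = OverloadNat("192.0.2.1")
    a = nat.outbound(Packet("10.0.0.5", 40000, "203.0.113.9", 80))
    b = nat.outbound(Packet("10.0.0.6", 40000, "203.0.113.9", 80))
    a_again = nat.outbound(Packet("10.0.0.5", 40000, "203.0.113.9", 80))
    reply = nat.inbound(Packet("203.0.113.9", 80, "192.0.2.1", a.src_port))
    unsolicited = nat.inbound(Packet("198.51.100.7", 4444, "192.0.2.1", 15000))
    return {
        "a": a,
        "b": b,
        "a_again": a_again,
        "reply": reply,
        "unsolicited": unsolicited,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two properties worth checking in any translator of this kind are visible here: an inbound packet with no matching mapping is discarded rather than forwarded to an arbitrary client, and the port pool is finite, so mappings must eventually be reclaimed or the translator stops admitting new flows.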