User Guide AC2600 Dual-Band Wireless Access Point LAPAC2600
Contents
Chapter 1 – Quick Start Guide
Package Contents
Physical Details
Mounting Guide
Appendix C - PC and Server Configuration
Overview
Using WEP
Using WPA2-PSK
Chapter 1 --- Quick Start Guide
Package Contents
- Linksys Wireless Access Point
- Quick Start Guide
- Ethernet Cable
- AC Power Adapter
- CD with Documentation
- Mounting Bracket
- Mounting Kit
- Ceiling Mount Back Plate
- Drilling Layout Template
Physical Details
LED behavior
LED Color: Green, Blue, Red
Activity: Blinking. Status: System is booting.
Activity: Solid. Status: System is normal; no wireless devices connected.
Activity: Blinking. Status: Software upgrade in process.
Note—System power consumption is over 15W. Make sure your PoE switch or injector is 802.3at-capable (PoE+) and provides sufficient power. If your PoE switch or injector is not 802.3at-capable, use the provided power adapter. If the PoE and AC power adapters are connected to the LAPAC2600 at the same time, the device will get power from PoE. Ethernet Port 2—This is a non-PoE Ethernet port. It can be used instead of Ethernet port 1 but requires an AC power adapter.
Ceiling Installation
1. Select ceiling tile for mounting and remove tile.
2. Position drilling layout template at the desired location.
3. Drill four screw holes and Ethernet cable hole on the surface of ceiling tile.
4. Place back plate on the opposite side of ceiling tile. Secure mounting bracket to the ceiling tile with flathead screw and nut. Route the Ethernet cable through the Ethernet cable hole.
5. Replace tile in ceiling.
6. Connect the Ethernet cable and/or AC power adapter to your device
7.
Chapter 2 --- Quick Start
Overview
This chapter describes the setup procedure to connect the wireless access point to your LAN, and configure it as an access point for your wireless stations. Wireless stations may also require configuration. For details, see Appendix C - Wireless Station Configuration (p. 119). The wireless access point can be configured using a web browser.
Note—Licenses and notices for third party software used in this product may be viewed on http://support.linksys.com/en-us/license.
4. Click Log in to launch the browser-based setup and follow the on-screen instructions. If you can't connect: It is likely that your PC’s IP address is incompatible with the wireless access point’s IP address. This can happen if your LAN does not have a DHCP Server. If there is no DHCP server in your network, the access point will fall back to its default IP address: 192.168.1.252, with a network mask of 255.255.255.0.
Setup Wizard
If you are setting up the access point as a standalone device, run the Setup Wizard. If the access point will be part of a cluster – master or slave - go to Configuration > Cluster > Settings & Status page instead.
1. Click the Quick Start tab on the main menu.
2. On the first screen, click Launch...
3. Set the password on the Device Password screen, if desired.
4. Configure the time zone, date and time for the device on System Settings screen.
5. On the IPv4 Address screen configure the IP address of the device (Static or Automatic) then click Next.
6. Set the SSID information on the Wireless Network screen. Click Next. If you want to configure more than four SSIDs, go to Configuration > Wireless > Basic Settings. The access point supports up to eight SSIDs per radio.
7. On the Wireless Security Screen, configure the wireless security settings for the device. Click Next. If you are looking for security options that are not available in the wizard, go to Configuration > Wireless Security page.
8. On the Summary screen, check the data to make sure they are correct and then click Submit to save the changes. 9. Click Finish to leave the wizard.
Chapter 3 --- Configuration Administration User Accounts Go to Configuration > Administration and select User Accounts to manage user accounts. The access point supports up to five users: one administrator and four normal users.
User Account Table
User Name: Enter the User Name to connect to the access point’s admin interface. User Name is effective once you save settings. User Name can include up to 63 characters. Special characters are allowed.
User Level: Only the administrator account has Read/Write permission to the access point’s admin interface. All other accounts have Read Only permission.
New Password: Enter the Password to connect to the access point’s admin interface. Password must be between 4 and 63 characters.
Time Current Time Display current date and time of the system. Manually Set date and time manually. Automatically When enabled (default setting) the access point will get the current time from a public time server. Time Zone Choose the time zone for your location from the drop-down list. If your location observes daylight saving time, enable Automatically adjust clock for daylight saving changes. Start Time Specify the start time of daylight saving.
Log Settings Go to Configuration > Administration and select Log Settings to configure logs. Logs record various types of activity on the access point. This data is useful for troubleshooting, but enabling all logs will generate a large amount of data and adversely affect performance.
Log Types
Log Types: Select events to log. Checking all options increases the size of the log, so enable only events you believe are required.
Email Alert
Email Alert: Enable email alert function.
SMTP Server: Enter the e-mail server that is used to send logs. It can be an IPv4 address or a domain name. Valid characters include alphanumeric characters, "_", "" and ".". Maximum length is 64 characters.
Data Encryption: Enable if you want to use data encryption.
Port: Enter the port for the SMTP server.
Management Access Go to Configuration > Administration and select Management Access page to configure the management methods of the access point.
Web Access
HTTP: HTTP (HyperText Transfer Protocol) is the standard for transferring files (text, graphic images and other multimedia files) on the World Wide Web. Enable to allow Web access by HTTP protocol.
HTTP Port: Specify the port for HTTP. It can be 80 (default) or from 1024 to 65535.
HTTP to HTTPS Redirect: Enable to redirect Web access of HTTP to HTTPS automatically. This field is available only when HTTP access is disabled.
Location Enter the area or location where the access point resides. The location includes 1 to 32 characters. Special characters are allowed. SNMP v1/v2 Settings Get Community Enter the name of Get Community. Get Community is used to read data from the access point and not for writing data into the access point. Get Community includes 1 to 32 characters. Special characters are allowed. Set Community Enter the name of Set Community. Set Community is used to write data into the access point.
SSL Certificate Go to Configuration > Administration and select SSL Certificate to manage the SSL certificate used by HTTPS.
Export/Restore to/from Local PC
Export SSL Certificate: Click to export the SSL certificate.
Install Certificate: Browse to choose the certificate file. Click Install Certificate.
Export to TFTP Server
Destination File: Enter the name of the destination file.
TFTP Server: Enter the IP address for the TFTP server. Only IPv4 addresses are supported here.
Export: Click to export the SSL certificate to the TFTP server.
Restore from TFTP Server
Source File: Enter the name of the source file.
LED
Go to Configuration > Administration and select LED to enable or disable the LED on the top cover of LAPAC2600.
LED
LED Display: If disabled, the LED will be off even when the access point is working. By default, LED is enabled (on).
LAN Network Setup Go to Configuration > LAN > Network Setup to configure basic device settings, VLAN settings and settings for the LAN interface, including static or dynamic IPv4/IPv6 address assignment.
TCP/IP
Host Name: Assign a host name to this access point. Host name consists of 1 to 15 characters. Valid characters include A-Z, a-z, 0-9 and -. The - character cannot be the first or last character of the host name, and the host name cannot be composed of all digits.
VLAN: Enables or disables VLAN function.
Untagged: Enables or disables VLAN tagging.
Advanced Go to Configuration > LAN > Advanced to configure advanced network settings of the access point.
Port Settings Auto Negotiation If enabled, Port Speed and Duplex Mode will become grey and cannot be configured. If disabled, Port Speed and Duplex Mode can be configured. Note—LAG (Link Aggregation) is enabled by default on Ethernet port 1 and 2. It is highly recommended you keep auto negotiation enabled on both sides of an aggregate link. Enable LACP (Link Aggregation Control Protocol) on this specific LAG interface when you create LAG interface on switch.
802.1x Supplicant
802.1x Supplicant: Enable if your network requires this access point to use 802.1X authentication in order to operate.
Authentication: This feature supports the following two kinds of authentication:
- Authentication via MAC Address: Select this if you want to use MAC Address for authentication. The access point uses lowercase MAC address for Name and Password, like xxxxxxxxxxxx.
- Authentication via Name and Password: Select this if you want to use name and password for authentication.
IGMP/MLD Snooping
IGMP Snooping: IGMP (Internet Group Management Protocol) is a communications protocol used by hosts and adjacent routers on IP networks to establish multicast group memberships. IGMP is an integral part of IP multicast. IGMP snooping streamlines multicast traffic handling by examining (snooping) IGMP membership report messages from interested hosts, so that multicast traffic is limited to the subset of ports on which the hosts reside.
Wireless Basic Settings Go to Configuration > Wireless > Basic Settings to configure your wireless radio and SSIDs. Advanced wireless settings such as Band Steering, Channel Bandwidth, are on the Advanced Settings screen.
Basic Wireless Settings
Wireless Radio: Select the wireless radio from the list. Radio 1 is for 2.4 GHz, and Radio 2 is for 5 GHz.
Enable Radio: Enable or disable the wireless radio.
Wireless Mode: Select the desired option for radio 1:
G only - allow connection by 802.11G wireless stations only.
N only - allow connection by 802.11N wireless stations only.
B/G-Mixed - allow connection by 802.11B and G wireless stations only.
B/G/N-Mixed (Default) - allow connections by 802.11N, 802.11B and 802.
SSID Settings SSID Name Enter the desired SSID Name. Each SSID must have a unique name. The name includes 1 to 32 characters. Broadcast Enable or disable the broadcast of the SSID. When the access point does not broadcast its SSID, the network name is not shown in the list of available networks on a client station. Instead, you must enter the exact network name manually into the wireless connection utility on the client so that it can connect.
Security
Go to Configuration > Wireless > Security to configure security settings of SSIDs to provide data protection over the wireless network.
Security
Select SSID: Select the desired SSID from the drop-down list.
Security Mode: Select the desired security method from the list.
Security Mode
- Disabled - No security. Anyone using the correct SSID can connect to your network.
- WEP - The 802.11b standard. Data is encrypted before transmission, but the encryption system is not very strong.
- WPA2-Enterprise - Requires a RADIUS Server on your LAN to provide the client authentication according to the 802.1x standard. Data transmissions are encrypted using the WPA2 standard. If this option is selected:
  - This access point must have a client login on the RADIUS Server.
  - Each user must authenticate on the RADIUS Server. This is usually done using digital certificates.
  - Each user's wireless client must support 802.1x and provide the RADIUS authentication data when required.
WEP
Authentication: Select Open System or Shared Key. All wireless stations must use the same method.
Default Transmit Key: Select a transmit key.
WEP Encryption: Select an encryption option, and ensure your wireless stations have the same setting:
64-Bit Encryption - Keys are 10 Hex characters.
128-Bit Encryption - Keys are 26 Hex characters.
Passphrase: Generate a key or keys, instead of entering them directly.
WPA2-Personal This is a further development of WPA-Personal, and offers even greater security.
WPA2-Personal
Fast Roaming (802.11r): Enable or disable Fast Roaming (802.11r). Fast Roaming (802.11r) minimizes the delay when a voice client transitions from one BSS to another within the same ESS. Fast BSS Transition establishes security and QoS states at the target AP before or during a re-association. This minimizes the time required to resume data connectivity when a BSS transition happens.
Important Points to Remember:
- Fast Roaming (802.
WPA/WPA2-Personal
This method, sometimes called Mixed Mode, allows clients to use either WPA-Personal or WPA2-Personal.
WPA/WPA2-Personal
WPA Algorithm: The encryption method is TKIP or AES.
Pre-shared Key: Enter the key value. It is 8 to 63 ASCII characters or 64 HEX characters. Other wireless stations must use the same key.
Key Renewal: Specify the value of Group Key Renewal. It’s a value from 600 to 36000, and default is 3600. WPA automatically changes secret keys after a certain period of time.
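The two Pre-shared Key forms described above (8 to 63 ASCII characters, or 64 hex characters) map to the same 256-bit key. The following is an added example, not part of the Linksys guide or firmware: it checks a value against the guide's length rules and, for a passphrase, derives the key with the PBKDF2-HMAC-SHA1 mapping defined by IEEE 802.11i (SSID as salt, 4096 iterations). The function names and the sample SSIDs are assumptions made for illustration.

```python
import hashlib
import re

# 64 hex digits are used directly as the 256-bit key (no derivation step).
_HEX64 = re.compile(r"[0-9A-Fa-f]{64}")


def classify_psk(value: str) -> str:
    """Return 'hex' or 'passphrase' per the guide's rule, else raise ValueError."""
    if _HEX64.fullmatch(value):
        return "hex"
    # Passphrase form: 8 to 63 printable ASCII characters.
    if 8 <= len(value) <= 63 and all(32 <= ord(c) <= 126 for c in value):
        return "passphrase"
    raise ValueError("PSK must be 8-63 ASCII characters or 64 hex characters")


def is_valid_psk(value: str) -> bool:
    """Boolean wrapper around classify_psk for use in config checks."""
    try:
        classify_psk(value)
        return True
    except ValueError:
        return False


def derive_pmk(value: str, ssid: str) -> bytes:
    """Return the 32-byte key the radio would use for this PSK and SSID.

    Passphrases go through PBKDF2-HMAC-SHA1 with the SSID as salt
    (IEEE 802.11i); a 64-hex value is already the key.
    """
    if classify_psk(value) == "hex":
        return bytes.fromhex(value)
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:  # the guide limits SSIDs to 1-32 characters
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", value.encode("ascii"), ssid_bytes, 4096, 32)


if __name__ == "__main__":
    # Constructed sample values: same passphrase, two different SSIDs.
    for ssid in ("IEEE", "Guest"):
        print(ssid, derive_pmk("password", ssid).hex())
```

Because the SSID is the salt, the same passphrase yields a different key on every SSID, and a 64-hex value entered directly is tied to no SSID at all.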
WPA2-Enterprise This version of WPA2-Enterprise requires a RADIUS Server on your LAN to provide the client authentication. Data transmissions are encrypted using the WPA2 AES standard.
WPA2-Enterprise
Fast Roaming (802.11r): Enable or disable Fast Roaming (802.11r). Fast Roaming (802.11r) minimizes the delay when a voice client transitions from one BSS to another within the same ESS. Fast BSS Transition establishes security and QoS states at the target AP before or during a re-association. This minimizes the time required to resume data connectivity when a BSS transition happens.
Important Points to Remember:
- Fast Roaming (802.
Key Renewal Timeout Specify the value of Group Key Renewal. It is a value from 600 to 36000, and default is 3600. WPA automatically changes secret keys after a certain period of time. The group key interval is the period of time in between automatic changes of the group key, which all devices on the network share. Constantly keying the group key protects your network against intrusion, as the would-be intruder must cope with an ever-changing secret key.
WPA/WPA2-Enterprise Primary Server Enter the IP address of the RADIUS Server on your network. Primary Server Port Enter the port number used for connections to the RADIUS Server. It is a value from 1 to 65534, and default is 1812. Primary Shared Secret Enter the key value to match the RADIUS Server. It consists of 1 to 64 characters. Backup Server The Backup Authentication Server will be used when the Primary Authentication Server is not available.
RADIUS
Use RADIUS server for authentication and dynamic WEP key generation for data encryption.
Authentication Server
Primary Server: Enter the IP address of the RADIUS Server on your network.
Primary Server Port: Enter the port number used for connections to the RADIUS Server. It is a value from 1 to 65534, and default is 1812.
Primary Shared Secret: Enter the key value to match the RADIUS Server. It consists of 1 to 64 characters.
Rogue AP Detection Go to Configuration > Wireless > Rogue AP Detection to detect the unexpected or unauthorized access point installed in a secure network environment.
Radio
Wireless Radio: Select the desired radio from the list. Radio 1 is for 2.4GHz, and Radio 2 is for 5GHz.
Rogue AP: Enable or disable Rogue AP Detection on the selected radio.
Note—Scanning happens when Rogue AP is enabled, or you can click Refresh to trigger scanning again.
Detected Rogue AP List
Action: Click Trust to move the AP to the Trusted AP List.
MAC Address: The MAC address of the Rogue AP.
SSID: The SSID of the Rogue AP.
Channel: The channel of the Rogue AP.
Scheduler Go to Configuration > Wireless > Scheduler to configure a rule with a specific time interval for SSIDs to be operational. Automate enabling or disabling SSIDs based on the profile definition. Support up to 16 profiles and each profile can include four time rules.
Scheduler
Wireless Scheduler: Enable or disable wireless scheduler on the radio. It is disabled by default. If disabled, even if some SSIDs are associated with profiles, they will be always active.
Scheduler Operational Status
Status: The operational status of the scheduler.
Reason: The detailed reason for the scheduler operational status. It includes the following situations.
- System time is outdated. Scheduler is inactive because system time is outdated.
- Administrative Mode is disabled.
Scheduler Association Go to Configuration > Wireless > Scheduler Association to associate defined scheduler profiles with SSIDs. Radio Wireless Radio Select the desired radio from the list. Radio 1 is for 2.4 GHz, and Radio 2 is for 5 GHz. Scheduler Association SSID The index of SSID. SSID Name The name of the SSID. Profile Name Choose the profile that is associated with the SSID. If the profile associated with the SSID is deleted, then the association will be removed.
Connection Control Go to Configuration > Wireless > Connection Control to define whether listed client stations may authenticate with the access point.
SSID: Select the desired SSID from the list.
Control Type: Select the option from the drop-down list as desired.
- Local: Choose either Allow only following MAC addresses to connect to wireless network or Prevent following MAC addresses from connection to wireless network. You can enter up to 20 MAC addresses of wireless stations or choose the MAC address from Wireless Client List.
- RADIUS
  Primary/Backup RADIUS Server - Enter the IP address of the RADIUS Server.
Rate Limit
Go to Configuration > Wireless > Rate Limit to limit downstream and upstream rate of SSIDs.
Radio
Wireless Radio: Select the desired radio from the list. Radio 1 is for 2.4GHz, and Radio 2 is for 5GHz.
Rate Limit
SSID: The index of SSID.
SSID Name: The name of the SSID.
Upstream Rate: Enter a maximum upstream rate for the SSID. The range is from 0 to 400 Mbps for Radio 1 and from 0 to 1000 Mbps for Radio 2; 0 means no limitation.
Downstream Rate: Enter a maximum downstream rate for the SSID.
QoS Go to Configuration > Wireless > QoS (Quality of Service) to specify priorities for different traffic coming from your wireless client. Lower priority traffic will be slowed down to allow greater throughput or less delay for high priority traffic.
QoS Setting Wireless Radio Select the desired radio from the list. Radio 1 is for 2.4GHz, and Radio 2 is for 5GHz. QoS Settings SSID The index of SSID. SSID Name The name of the SSID. VLAN ID The VLAN ID of the SSID. Priority Select the priority level from the list. VLAN must be enabled in order to set priority. The 802.1p will be included in the VLAN header of the packets which are received from the SSID and sent from Ethernet or WDS interface. WMM Enable or disable WMM.
WDS
Go to Configuration > Wireless > WDS (Wireless Distribution System) to expand a wireless network through multiple access points instead of linking them with a wired backbone. WDS only works and interacts with LAPN300, LAPN600, LAPAC1200, LAPAC1750 or LAPAC2600 devices. The access point can act as WDS Root or WDS Station:
- WDS Root - Receives WDS connections from remote WDS Stations.
- WDS Station - Connects to remote WDS Root.
Supports up to 4 WDS Stations on each wireless radio.
Spanning Tree (recommended if you configure WDS connections)
Spanning Tree: When enabled, STP helps prevent switching loops.
WDS Settings
Radio: Select the desired radio from the list. Radio 1 is for 2.4 GHz, and Radio 2 is for 5 GHz.
WDS Root Interface Status: Enable or Disable the WDS Root. Be sure the following settings on WDS Root device are determined and configured. The WDS Station must use the same settings as Root afterwards.
- Radio
- IEEE 802.
Allowed VLAN Enter the list of VLANs accepted by the WDS Root. List When VLAN is enabled, WDS Root receives from WDS Stations only packets in the VLAN list. Packets not in the list will be dropped. The VLAN list is only applicable when VLAN is enabled. The VLAN list includes 1 to 16 VLAN IDs separated by "," such as "100,200,300,400,500,600,700,800". Security Settings Setting can be Disabled, WPA-Personal, WPA2-Personal, WPA2-Enterprise or WPA/WPA2-Enterprise.
Remote MAC Address MAC address of the access point on the other end of the WDS link. Optional WDS Station connects to remote WDS Root by matching SSIDs. When there is more than one remote WDS Root with the same SSID, the WDS Station can differentiate them by MAC address. The format is xx:xx:xx:xx:xx:xx. VLAN List Enter the list of VLANs that are accepted by the WDS Station. When VLAN is enabled, the WDS Station forwards to the remote WDS Root only packets in the VLAN list.
Workgroup Bridge Go to Configuration > Wireless > Workgroup Bridge to extend the accessibility of a remote network. In Workgroup Bridge mode, the access point acts as a wireless station (STA) on the wireless LAN. It can bridge traffic between a remote wired network and a wireless LAN. When Workgroup Bridge is enabled, SSID configuration still works to provide wireless services to clients. All access points participating in Workgroup Bridge must have the identical settings for Radio interface, IEEE 802.
Workgroup Bridge
Radio: Select the desired radio from the list. Radio 1 is for 2.4 GHz, and Radio 2 is for 5 GHz.
Workgroup Bridge Status
Status: Enable or disable Workgroup Bridge function. Before configuring Workgroup Bridge, make sure all devices in Workgroup Bridge have the following identical settings.
- Radio
- IEEE 802.11 Mode
- Channel Bandwidth
- Channel
Note—It is highly recommended that static channel is configured on both APs.
Security Mode: Select the desired mode from the list.
- Disabled
- WPA-Personal
- WPA2-Personal
- WPA-Enterprise
- WPA2-Enterprise
Advanced Settings
Go to Configuration > Wireless > Workgroup Bridge to configure advanced parameters of wireless radios.
Band Steering
Band Steering: Enable or disable Band Steering function. Band Steering is a technology that detects whether the wireless client is dual-band capable. If it is, band steering pushes the client to connect to the less-congested 5GHz network. It does this by actively blocking the client’s attempts to connect with the 2.4GHz network.
Isolation
Isolation between SSIDs: Define whether to isolate traffic between SSIDs. If enabled, wireless clients in different SSIDs cannot communicate with each other.
CTS Protection Mode CTS (Clear-To-Send) Protection Mode boosts the access point's ability to catch all Wireless-G transmissions, but it severely decreases performance. By default, CTS Protection Mode is disabled, but the access point will automatically enable this feature when Wireless-G devices are not able to transmit to the access point in an environment with heavy 802.11b traffic.
RTS Threshold Enter the Request to Send (RTS) Threshold value, an integer from 1 to 2347. The default is 2347 octets. The RTS threshold indicates the number of octets in a Medium Access Control Protocol Data Unit (MPDU) below which an RTS/CTS handshake is not performed. Changing the RTS threshold can help control traffic flow through the access point, especially one with a lot of clients.
Captive Portal Captive Portal is a method of securing access to the Internet from within a wireless network. Users must enter authentication credentials before their wireless client devices can access the Internet. Global Configuration Go to Configuration > Captive Portal > Global Configuration to change settings and modify captive portal authentication access port number if needed.
Captive Portal Enable or Disable Captive Portal function globally. Captive Portal is disabled by default. Authentication Timeout The number of seconds the access point keeps an authentication session open with a wireless client. If the client fails to enter authentication credentials within the timeout period, the client may need to refresh the web authentication page. The range is from 60 to 600 seconds. Default is 300.
Portal Profiles Go to Configuration > Captive Portal > Portal Profiles to define detailed settings for Captive Portal profile. Create up to two profiles.
Portal Profiles
Captive Portal Profile: Select a profile to configure.
Protocol: Select the protocol used to access the Portal Authentication web server. It can be HTTP or HTTPS.
Authentication: Select an authentication method for clients.
Local - The access point uses a local database to authenticate wireless clients.
Radius - The access point uses a database on a remote RADIUS server to authenticate wireless clients. The RADIUS server must support EAP-MD5.
Radius Authentication
Primary Server: Enter the IP address of the RADIUS Server on your network.
Primary Server Port: Enter the port number used for connections to the RADIUS Server.
Primary Shared Secret: Enter the key value to match the RADIUS Server.
Backup Server: The Backup Authentication Server will be used when the Primary Authentication Server is not available.
Backup Server Port: Enter the port number used for connections to the Backup RADIUS Server.
Local User Go to Configuration > Captive Portal > Local User to configure user settings for Captive Portal. Up to 128 users are supported. User Name Enter the name of the user account. The user name includes 1 to 32 characters. Special characters except ':' and ';' are allowed. Password Enter the password of the user account. The password must be between 4 and 32 characters in length. Special characters except ':' and ';' are allowed. Confirm Password Re-enter the password to confirm it.
Local Group Go to Configuration > Captive Portal > Local Group to configure group settings. Groups include multiple local users and are mapped to Captive Portal profiles. Up to two groups are supported.
Group Name Enter the name of the new group. The group name includes 1 to 32 characters. Special characters except ':' and ';' are allowed. Click Add. Group Selection Select one group to delete or configure its user members. Members User members of the selected group. You can select one user and click ">>" button to remove it. Other Users Other users which don't belong to the selected group. You can select one user and click "<<" button to add it into the group.
Profile Select a profile to configure. New Logo Upload Logos display in the web page. Select an image file from your local PC and click Upload. Formats .gif, .png and .jpg are supported. File size cannot exceed 5KB. One profile can support one default and one new logo image. If a second new logo is uploaded, it will replace the first new logo. Logo Selection Select a logo image from the list. Background Color The HTML code for the background color in 6-digit hexadecimal format.
Terms of Use Customize the text to go with Terms of Use. Enter up to 1024 characters. The default is Terms of Use. Success Text Customize the text that shows when the client has been authenticated. The default is You have logged on successfully! Please keep this window open when using the wireless network. Failure Text Customize the text that shows when authentication fails. Enter up to 128 characters. The default is Bad username or password.
SSID A list of available SSIDs. SSID Name The name of the SSID. Profile Name Choose the profile that is associated with the SSID. If the profile associated with the SSID is deleted, then the association will be removed. If None is selected, it means no profile is associated. Client Information Go to Configuration > Captive Portal > Client Information to view the status of wireless clients that are authenticated by Captive Portal.
MAC Address MAC address of the client. IP Address IP address of the client. User Name User name used by the client to log in. SSID Name Name of the SSID to which the client is connected. Online Time How long the client has been online. Measured in seconds. Away Timeout An authenticated client that has been disconnected from the access point has a specific amount of time within which it may reconnect without reauthentication. The timer starts when the client disconnects from the SSID.
ACL
ACLs are a collection of permit and deny conditions that can block unwarranted attempts to reach network resources. Each ACL is a set of up to 10 rules. Each rule specifies whether the contents of a given field should be used to permit or deny access to the network. Rules can be based on various criteria and may apply to one or more fields within a packet. The priority of each rule will be determined by the rule index.
ACL Profiles Go to Configuration > ACL > ACL Profiles to configure ACL profiles and their rules.
ACL Profile ACL Name A name can include from 1 to 32 alphanumeric characters to identify an ACL. ACL Type Configuration type of ACL is IPv4 or IPv6. Click Add ACL to add one new ACL profile. Rule Configuration ACL Names Select a profile to configure. An ACL profile includes ACL name and type. Click Delete ACL to delete an ACL. Rule Index Select and configure a new rule for the selected ACL. Enable Rule Enable or disable the ACL rule. It's disabled by default.
Match Source IP: Permit or deny packet by source IP address.
- If the ACL type is IPv4, set an IPv4 address and its wildcard mask.
Note—In a wildcard mask, a 0 bit means to match that bit of the address, and a 1 bit means don’t match it. For example, a mask of 0000 0000 0000 0000 0000 0000 1111 1111 means that you match on the bits where there are 0s and don't match on the bits where there are 1s. You need to translate the 1s to a decimal integer and you write 0 for each four zeros.
Match Destination IP: Permit or deny packet by destination IP address.
- If the ACL type is IPv4, set an IPv4 address and its wildcard mask.
Note—In a wildcard mask, a 0 bit means to match that bit of the address, and a 1 bit means don’t match it. For example, a mask of 0000 0000 0000 0000 0000 0000 1111 1111 means that you match on the bits where there are 0s and don't match on the bits where there are 1s. You need to translate the 1s to a decimal integer and you write 0 for each four zeros.
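The wildcard-mask rule used by Match Source IP and Match Destination IP can be checked before a rule is saved. The following is an added example, not code from the Linksys guide or firmware: it converts the guide's binary notation to dotted decimal, evaluates a match, and flags a subnet mask entered where a wildcard mask is expected, which silently inverts the rule. All function names and sample addresses are constructed for illustration.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    """Parse a dotted-decimal IPv4 address or mask into a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def binary_to_dotted(bits: str) -> str:
    """Convert the guide's spaced binary notation to dotted decimal."""
    digits = bits.replace(" ", "")
    if len(digits) != 32 or set(digits) - {"0", "1"}:
        raise ValueError("expected 32 binary digits")
    return str(ipaddress.IPv4Address(int(digits, 2)))


def wildcard_match(rule_addr: str, wildcard: str, packet_addr: str) -> bool:
    """True if packet_addr equals rule_addr on every bit where the wildcard is 0."""
    care = ~_to_int(wildcard) & MASK32  # bits that must be equal
    return (_to_int(rule_addr) ^ _to_int(packet_addr)) & care == 0


def wildcard_to_prefix(wildcard: str):
    """Return the equivalent prefix length, or None if the 1 bits are not a low-order run."""
    w = _to_int(wildcard)
    if w & (w + 1) == 0:  # w has the form 2**k - 1
        return 32 - w.bit_length()
    return None


def review_wildcard(wildcard: str) -> str:
    """Classify a wildcard mask so a reviewer can spot likely data-entry mistakes."""
    prefix = wildcard_to_prefix(wildcard)
    if prefix is not None:
        return f"prefix /{prefix}"
    inverted = ~_to_int(wildcard) & MASK32
    if inverted & (inverted + 1) == 0:
        # Ones on the left, zeros on the right: this is a subnet mask, not a wildcard.
        return "subnet-mask-like"
    return "non-contiguous"


if __name__ == "__main__":
    # Constructed sample rule: match the 192.168.1.0/24 network.
    wc = binary_to_dotted("0000 0000 0000 0000 0000 0000 1111 1111")
    print(wc, review_wildcard(wc))
    print(wildcard_match("192.168.1.0", wc, "192.168.1.77"))
    # Same rule with a subnet mask typed by mistake: only the last octet is compared.
    print(review_wildcard("255.255.255.0"))
    print(wildcard_match("192.168.1.0", "255.255.255.0", "10.9.8.0"))
```

With the subnet mask entered by mistake, the rule compares only the last octet, so it matches unrelated hosts such as 10.9.8.0 and misses 192.168.1.77.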
Match IP DSCP: Matches packets based on IP DSCP value.
- Select From List: Choose a DSCP value from the list.
Match IP TOS Matches a type of service from the dropdown list. This is applicable only when the type of ACLs is IPv4. Normal Service – 0000 Minimize Monetary Cost – 0001 Maximize Reliability – 0010 Maximize Throughput – 0100 Minimize Delay - 1000 IPv6 Flow Label A number that is unique to an IPv6 packet is used by end stations to signify QoS handling in routers. The range is 0 to 1048575. ACL Association Go to Configuration > ACL > ACL Association to associate defined ACL profiles with SSIDs.
ACL Association SSID The index of SSID. ACL Name Down Choose the profile that is associated with the SSID for downstream (from access point to wireless client) traffic. If the profile associated with the SSID is deleted, the association will be removed. If None is selected, no profile is associated. After switching the packet or frame to the outbound interface, the ACL's rules are checked for a match. The packet or frame is transmitted if it is permitted and discarded if it is denied.
The access points within a cluster must have the same management VLAN configured. A cluster can support 16 LAPAC2600 access points as long as they are the same model number. In each cluster, one access point must be manually configured as the master access point. There can only be one master in a cluster. This master will propagate configuration information, such as wireless settings, time settings, etc., to the other team members within a cluster.
Settings & Status Go to Configuration > Cluster > Settings & Status to manage the AP cluster function. Choose a member type. Type Disabled—Disable the cluster function. Master—Enable the cluster function and assign the access point to be the master. Note—If the system detects that a Master already exists in the same cluster, a new access point that is set to become master will be assigned as slave automatically. Slave—Enable the cluster function and assign the access point to be the slave.
Master
Status Disabled—Cluster function is disabled. Active—Cluster function is enabled and master is active. Active (Backup Master)—Cluster function is enabled and backup master is active. Inactive (Cannot reach the master)—Cluster function is enabled but it's inactive because device cannot reach the master. Member Number Location (Optional) Number of the active members in the cluster. If an access point joins the cluster but is powered off or cannot reach the master, it is not counted.
Client Sessions Go to Configuration > Cluster > Client Sessions to see the status of wireless clients within the cluster. The session is the period of time in which a user on a client device (station) with a unique MAC address maintains a connection with the wireless network. The session begins when the WLAN client logs on to the network, and the session ends when the WLAN client either logs off intentionally or loses the connection for some other reason.
IP Address IP address of the access point to which the client connects. Location Location of the access point to which the client connects. SSID SSID name of the access point to which the client connects. User MAC MAC address of the client. Online Time Displays how long this client has been online since it was authenticated. Unit is seconds. Link Rate Indicates the link rate of the client. Unit is Mbps. Signal The signal strength of the client is displayed. Unit is dBm.
Channel Management Go to Configuration > Cluster > Channel Management to manage the channel assignments for access points within a cluster. When channel management is enabled, the access point automatically assigns radio channels within a cluster. Auto channel assignment reduces mutual interference (or interference with other access points outside of its cluster) and maximizes Wi-Fi bandwidth to help maintain efficient communication over the wireless network.
Auto Channel Auto Channel Access point scans available Wi-Fi channels and changes the channel if better network performance is possible. Disabled by default. Scan Day Choose the day of the week when Auto Channel scans Wi-Fi channels. You may choose specific days or have the access point scan and select the best channel daily. Scan Time Choose the time of day when Auto Channel performs scan.
Chapter 4 - System Status Status System Summary Go to System Status > Status > System Summary for status of the access point.
System Summary Device SKU The SKU is often used to identify device model number and region. Firmware Version The version of the firmware currently installed. Firmware Checksum The checksum of the firmware running in the access point. Hardware Version The version of the hardware. Local MAC Address The MAC (physical) address of the wireless access point. Serial Number The serial number of the device. Host Name The host name assigned to the access point.
Buttons Refresh Click to update the data on the screen.
LAN Status Go to System Status > Status > LAN Status to see settings and status of LAN interface.
VLAN VLAN Enabled or disabled (default). Untagged VLAN Enabled (default) or disabled. When enabled, and if its VLAN ID is equal to Untagged VLAN ID, all traffic is untagged when sent from LAN ports. Untagged traffic can be accepted by LAN ports. If disabled, traffic is always tagged when sent from LAN port and only tagged traffic can be accepted from LAN port. By default, all traffic on the access point uses VLAN 1, the default untagged VLAN.
IPv4/v6 IP Address The IP address of the wireless access point. Subnet Mask The Network Mask (Subnet Mask) for the IP address above. Default Gateway Enter the gateway for the LAN segment to which the wireless access point is attached (the same value as the PCs on that LAN segment). Primary DNS The primary DNS address provided by the DHCP server or configured manually. Secondary DNS The secondary DNS address provided by the DHCP server or configured manually.
Radio Status Wireless Radio Select the desired radio from the list. Radio 1 is for 2.4GHz, and Radio 2 is for 5GHz. Radio Status Indicates whether the radio is enabled. Mode Current 802.11 mode (a/b/g/n/ac) of the radio. Channel The channel currently in use. Channel Bandwidth Current channel bandwidth of the radio. When set to 20 MHz, only the 20 MHz channel is in use.
WDS Root Status Status of the WDS Root: Enabled or Disabled. Local SSID Name of the WDS Root. Local MAC MAC Address of the WDS Root. VLAN List VLAN List of the WDS Root. When VLAN function is enabled, WDS Root only receives packets in the VLAN list from WDS Stations and packets not in the list will be dropped. WDS Station Interface The index of WDS Station. Status Status of the WDS Station: Enabled or Disabled. Local MAC MAC Address of the WDS Root.
Wireless Clients Go to System Status > Status > Wireless Clients to see connected clients based on each wireless interface. Wireless Interface Select the desired interface from the list. The interfaces include eight SSIDs per radio. SSID Name Name of the SSID to which the client connects. Client MAC The MAC address of the client. SSID MAC MAC of the SSID to which the client connects. Link Rate The link rate of the client. Unit is Mbps. RSSI The signal strength of the client. Unit is dBm.
Statistics Go to System Status > Status > Statistics to see real-time statistics on data transmitted and received based on each SSID per Radio, and LAN interface. Wireless Radio Select the desired radio from the list. Radio 1 is for 2.4GHz, and Radio 2 is for 5GHz. Transmit/Receive • Total Packets—The total packets sent (in Transmit table) or received (in Received table) by the interface. • Total Bytes—The total bytes sent (in Transmit table) or received (in Received table) by the interface.
Log View Go to System Status > Status > Log View to see a list of system events such as login attempts and configuration changes. Log Messages Log Messages Show the log messages. Buttons Refresh Update the data on screen. Save Save the log to a file on your PC. Clear Delete the existing logs from device.
Chapter 5 --- Maintenance Maintenance Firmware Upgrade Go to Maintenance > Maintenance > Firmware Upgrade to upgrade the firmware in the wireless access point by using HTTP/HTTPS, or TFTP. Check the Linksys support website (http://www.linksys.com/support) and download the latest firmware release to a storage device or PC. Perform the firmware upgrade by following the steps below. If an access point works as master of an AP cluster, all slaves within the same cluster will be updated, as well.
To perform a firmware upgrade from the Internet: 1. Click Check for Upgrade to see if there is new firmware available. 2. Click the OK on the popup dialogue box to start the firmware download and upgrade if a new version of firmware is available. Configuration Copy/Save Go to Maintenance > Maintenance > Configuration Copy/Save to copy configurations within the access point and delete copied configurations.
Configuration files copy/save Configuration Files There are two kinds of configuration files in the access point. y Backup Configuration — An additional configuration file saved in the flash memory for use as a backup. y Current Configuration — The configuration which is running in the device currently. When device boots up, device will read the settings from this file. Configuration Files Copy configuration file from one to another.
Configuration Backup/Restore Go to Maintenance > Maintenance > Configuration Backup/Restore to download the configuration file from the device. You can save it to external storage, e.g., your PC, or network storage. You can also upload a previously saved configuration file from external storage to the device. It is highly recommended you save one extra copy of the configuration file to external storage after you are done with access point setup.
Backup/Restore to/from Local PC Backup Configuration Once you have the access point working properly, you should back up the settings to a file on your computer. You can later restore the access point's settings from this file, if necessary. To create a backup file of the current settings: Restore Configuration • Choose a source file. It can be Backup Configuration or Current Configuration. • Click Backup.
Restore Configuration To restore settings from a backup file: 1. Choose a destination file. It can be Backup Configuration or Current Configuration. 2. Enter the source file name stored on the TFTP server. 3. Enter the IP address for the TFTP server. Only IPv4 addresses are supported. 4. Click Restore. Factory Default It’s highly recommended you save your current configuration file before you restore to factory default settings.
Factory Default To restore your access point to its factory defaults, select an option and click Save. • Reset Parameters shared with Slaves ONLY When current AP is a master of a cluster, select this option to restore all sharable parameters of current AP and its slaves to factory defaults. Cluster settings and nonsharable parameters will not reset. • Reset All Parameters to Factory Default • No Don’t restore to factory defaults.
Diagnostics Ping Test Go to Maintenance > Diagnostics > Ping Test to determine the accessibility of a host on the network. General IP Type Enter the IP type of destination address. IP or URL Address Enter the IP address or domain name that you want to ping. Packet Size Enter the size of the packet. Times to Ping Select the desired number from the drop-list.
Packet Capture Go to Maintenance > Diagnostics > Packet Capture to capture and store 802.3 packets received and transmitted by the access point based on one specified network interface. The network interface can be radio, SSID or LAN. Network Interface Select the desired network interface from the dropdown list. The interface can be Radio, SSID or Ethernet. Start Capture Click to start the capture. You will be asked to specify a local file to store the packets. Stop Capture Click to stop the capture.
Diagnostic Log Go to Maintenance > Diagnostics > Diagnostic Log to get detailed system information, such as configuration file, system status and statistics data, hardware information, and operational status. The information is useful in troubleshooting and working with technical support. Click Download to download the device diagnostic log into a local file.
Appendix A - Troubleshooting Overview This chapter covers some common problems encountered while using the wireless access point, and some possible solutions to them. If you follow the suggested steps and the wireless access point still does not function properly, contact your dealer for further advice. General Problems I can't find new access point on my network. Check the following: • The wireless access point is properly installed, LAN connections are OK, and it is powered ON.
If there is no DHCP Server found, the wireless access point will roll back to an IP address and mask of 192.168.1.252 and 255.255.255.0. My PC can't connect to the LAN via the wireless access point. Check the following: • The SSID and security settings on the PC match the settings on the access point. • On the PC, the wireless mode is set to Infrastructure. • If using the Access Control feature, the PC's name and address is in the Trusted Stations list. • If using 802.1x mode, ensure the PC's 802.
Appendix B - About Wireless LANs Overview Wireless networks have their own terms and jargon. You must understand many of these terms in order to configure and operate a wireless LAN. Wireless LAN Terminology Modes Wireless LANs can work in either of two (2) modes: • Ad-hoc • Infrastructure Ad-hoc Mode Ad-hoc Mode does not require an access point or a wired (Ethernet) LAN. Wireless stations, e.g., notebook PCs with wireless cards, communicate directly with each other.
ESS/ESSID A group of wireless stations, and multiple access points all using the same ID (ESSID), form an Extended Service Set (ESS). Different access points within an ESS can use different channels. To reduce interference, it is recommended that adjacent access points use different channels. As wireless stations are physically moved through the area covered by an ESS, they will automatically change to the access point that has the least interference or best performance.
WPA-PSK In WPA-PSK, like WEP, data is encrypted before transmission. WPA is more secure than WEP. The PSK (pre-shared key) must be entered on each wireless station. The 256-bit encryption key is derived from the PSK, and changes frequently. WPA2-PSK This is a further development of WPA-PSK, and offers even greater security, using the AES (Advanced Encryption Standard) method of encryption. It should be used if possible.
802.1x This uses the 802.1X standard for client authentication, and WEP for data encryption. If possible, you should use WPA-Enterprise instead, because WPA encryption is much stronger than WEP encryption. If this option is used: • The access point must have a client login on the RADIUS server. • Each user must have a user login on the RADIUS server. • Each user's wireless client must support 802.1X and provide the login data when required. • All data transmission is encrypted using the WEP standard.
Appendix C - PC and Server Configuration Overview All wireless stations need to have settings that match the wireless access point. These settings depend on the mode in which the access point is being used. • If using WEP or WPA2-PSK, it is only necessary to ensure that each wireless station's settings match those of the wireless access point, as described below. • For 802.1x modes, configuration is much more complex.
Using WPA2-PSK For each of the following items, each wireless station must have the same settings as the wireless access point. Mode On each PC, the mode must be set to Infrastructure. SSID (ESSID) This must match the value used on the wireless access point. The default value is LinksysSMB24G for radio 1 and LinksysSMB5G for radio 2. Note—The SSID is case sensitive. Wireless Security On each client, wireless security must be set to WPA2-PSK.
Wireless Station Configuration For each of the following, wireless stations must have the same settings as the wireless access point. Mode On each PC, the mode must be set to Infrastructure. SSID (ESSID) This must match the value used on the wireless access point. The default value is LinksysSMB24G for radio 1 and LinksysSMB5G for radio 2. Note—The SSID is case sensitive. 802.1x Authentication 802.1x Encryption Each client must obtain a certificate for authentication for the RADIUS server.
802.1x Server Setup (Windows 2000 Server) This section describes using Microsoft Internet Authentication Server as the RADIUS server, since it is the most common RADIUS server available that supports the EAP-TLS authentication method. The following services on the Windows 2000 Domain Controller (PDC) are also required. • dhcpd • dns • rras • webserver (IIS) • RADIUS Server (Internet Authentication Service) • Certificate Authority Windows 2000 Domain Controller Setup 1. Run dcpromo.
4. Click Next. 5. Select Enterprise root CA, and click Next. 6. Enter the information for the Certificate Authority, and click Next.
7. Click Next if you don't want to change the CA's configuration data. 8. Installation will warn you that Internet Information Services are running, and must be stopped before continuing. Click OK, then Finish. DHCP server configuration 1. Click on Start > Programs > Administrative Tools > DHCP. 2. Right-click on the server entry, and select New Scope. 3. Click Next when the New Scope Wizard Begins. 4. Enter the name and description for the scope, click Next.
5. Define the IP address range. Change the subnet mask if necessary. Click Next. 6. Add exclusions in the address fields if required. If no exclusions are required, leave it blank. Click Next. 7. Change the Lease Duration time if preferred. Click Next. 8. Select Yes, I want to configure these options now, and click Next. 9. Enter the router address for the current subnet. The router address may be left blank if there is no router. Click Next. 10.
13. Right-click on the server, and select Authorize. It may take a few minutes to complete. Certificate Authority Setup 1. Select Start > Programs > Administrative Tools > Certification Authority. 2. Right-click Policy Settings, and select New > Certificate to Issue. 3. Select Authenticated Session and Smartcard Logon (select more than one by holding down the Ctrl key). Click OK. 4. Select Start > Programs > Administrative Tools > Active Directory Users and Computers. 5.
6. Select the Group Policy tab, choose Default Domain Policy, then click Edit. 7. Select Computer Configuration > Windows Settings > Security Settings > Public Key Policies, right-click Automatic Certificate Request Settings > New > Automatic Certificate Request.
8. When the Certificate Request Wizard appears, click Next. 9. Select Computer, click Next. 10. Ensure that your Certificate Authority is checked, click Next. 11. Review the policy change information and click Finish. 12. Click Start>Run, type “cmd” and press Enter. Enter “secedit /refreshpolicy machine_policy”. This command may take a few minutes to take effect.
Internet Authentication Service (RADIUS) Setup 1. Select Start > Programs > Administrative Tools > Internet Authentication Service. 2. Right-click on Clients, and select New Client. 3. Enter a name for the access point, click Next. 4. Enter the address or name of the wireless access point, and set the shared secret, as entered on the Security Settings of the wireless access point. 5. Click Finish. 6. Right-click on Remote Access Policies, select New Remote Access Policy. 7.
9. Click Permitted, then OK. Select Next. 10. Select Grant remote access permission. Click Next. 11. Click Edit Profile... and select the Authentication tab. Enable Extensible Authentication Protocol, and select Smart Card or other Certificate. Deselect other authentication methods listed. Click OK.
12. Select No if you don't want to view the help for EAP. Click Finish.
Remote Access Login for Users 1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers. 2. Double-click on the user who you want to enable. 3. Select the Dial-in tab, and enable Allow access. Click OK. 802.1x Client Setup on Windows XP Windows XP ships with a complete 802.1x client implementation. If using Windows 2000, you can install SP3 (Service Pack 3) to gain the same functionality. If you don't have either of these systems, you must use the 802.
Client Certificate Setup 1. Connect to a network that doesn't require port authentication. 2. Start your Web browser. In the address box, enter the IP address of the Windows 2000 Server, followed by “/certsrv”, e.g., “http://192.168.0.2/certsrv”. 3. You will be prompted for a user name and password. Enter the User name and Password assigned to you by your network administrator, and click OK.
4. On the first screen (below), select Request a certificate, click Next. 5. Select User certificate request and select User Certificate, click Next. 6. Click Submit.
7. A message will be displayed, and the certificate will be returned to you. Click Install this certificate. 8. You will receive a confirmation message. Click Yes.
Certificate setup is now complete. 802.1x Authentication Setup 1. Select Start > Control Panel > Network Connections. 2. Right-click on the Wireless Network Connection, and select Properties. 3. Select the Authentication tab, and ensure that Enable network access control using IEEE 802.1X is selected, and Smart Card or other Certificate is selected from the EAP type.
Encryption Settings The encryption settings must match the access point’s on the wireless network you wish to join. • Windows XP will detect any available wireless networks, and allow you to configure each network independently. • Your network administrator can advise you of the correct settings for each network. 802.1x networks typically use EAP-TLS. This is a dynamic key system, so there is no need to enter key values. Enabling Encryption To enable encryption for a wireless network: 1.
Setup for Windows XP and 802.1x client is now complete.
Using 802.1x Mode (without WPA) This is very similar to using WPA-Enterprise. The only difference is that on your client, you must NOT enable the setting The key is provided for me automatically. Instead, you must enter the WEP key manually, ensuring it matches the WEP key used on the access point. Note—On some systems, the 64-bit WEP key is shown as 40-bit and the 128-bit WEP key is shown as 104-bit.
LNKPG-00333 Rev.