ProSAFE Wireless Controller WC9500 Reference Manual May, 2013 202-11224-02 350 East Plumeria Drive San Jose, CA 95134 USA
ProSAFE Wireless Controller WC9500 Support Thank you for selecting NETGEAR products. After installing your device, locate the serial number on the label of your product and use it to register your product at https://my.netgear.com. You must register your product before you can use NETGEAR telephone support. NETGEAR recommends registering your product through the NETGEAR website. For product updates and web support, visit http://support.netgear.com. Phone (US & Canada only): 1-888-NETGEAR.
Contents Chapter 1 Introduction Key Features and Capabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Package Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Hardware Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Front Panel Ports, Slots, and LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Back Panel Features . . . . . . . . . . . . . . . . . . . . . . . . . .
ProSAFE Wireless Controller WC9500 Chapter 4 Configure the System and Network Settings and Register the Licenses Configure General Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Manage the Time Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 IP and VLAN Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Management VLAN Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ProSAFE Wireless Controller WC9500 Discover Access Points with the Discovery Wizard . . . . . . . . . . . . . . . . . .92 Access Points in Factory Default State and Access Points in a Layer 2 Subnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92 Access Points Installed and Working in Standalone Mode in Different Layer 3 Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96 Manage the Managed AP List . . . . . . . . . . . . . . . . . . . . .
ProSAFE Wireless Controller WC9500 Rate Limiting for the Basic Profile Group . . . . . . . . . . . . . . . . . . . . . . . 149 Rate Limiting for an Advanced Profile Group . . . . . . . . . . . . . . . . . . . . 150 Chapter 9 Maintain the Wireless Controller and Access Points Manage the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Back Up the Configuration File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Restore the Configuration File . . .
ProSAFE Wireless Controller WC9500 Troubleshoot a TCP/IP Network Using the Ping Utility. . . . . . . . . . . . . . .200 Use the Reset Button to Restore Default Settings . . . . . . . . . . . . . . . . . .201 Problems with Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202 Problems with Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202 Discovery Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1. 1 Introduction This chapter includes the following sections: • Key Features and Capabilities • Package Contents • Hardware Features • WC9500 Wireless Controller System Components • NETGEAR ProSAFE Access Points • What Can You Do with the WC9500 Wireless Controller? • Licenses • Maintenance and Support Note: For more information about the topics covered in this manual, visit the support website at http://support.netgear.com.
ProSAFE Wireless Controller WC9500 Key Features and Capabilities The NETGEAR ProSAFE Wireless Controller WC9500 is a high-capacity, secured wireless controller intended for medium- to large-sized businesses, higher education institutions, hospitals, and hotels. One wireless controller with the appropriate licenses can support up to 600 access points (APs) with up to 6,000 users. In a stacked configuration (supported in a future release), a stack of three wireless controllers can support up to 18,000 users.
ProSAFE Wireless Controller WC9500 • • • - Up to eight profiles per access point profile group and eight profiles per radio (therefore, dual-band access points can support up to 16 profiles in one access point profile group). - Support for up to 144 profiles1 on one wireless controller (eight profiles per access point group and eight groups per radio). Each profile supports settings for SSID, network authentication, data encryption, client separation, VLAN, MAC ACL, and wireless QoS.
ProSAFE Wireless Controller WC9500 Package Contents The ProSAFE Wireless Controller WC9500 product package contains the following items: • ProSAFE Wireless Controller WC9500 appliance • One AC power cable • Rubber feet (four) with adhesive backing • One rack-mount kit • Straight-through Category 5 Ethernet cable • ProSAFE Wireless Controller WC9500 Installation Guide If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer.
ProSAFE Wireless Controller WC9500 From left to right, the wireless controller’s front panel shows the following counter, LEDs, button, ports, and slots: • Digital counter. Displays the number of connected access points that are in a healthy state. • From top to bottom: - Power LED - Status LED - Fan LED - Stack Master LED These LEDs are described in Table 1 on page 12. • Reset button.
ProSAFE Wireless Controller WC9500 Table 1. LED functions (continued) LED Status Description Status LED (continued) Off The wireless controller does not have power. Blinking yellow Firmware is being upgraded. Fan LED Green The fans are functioning correctly. Yellow One or more fans are not functioning correctly. Green The wireless controller functions as the primary controller (master) in a stack. (Stacking will be supported in a future release.
ProSAFE Wireless Controller WC9500 From left to right, the wireless controller’s back panel components are: • • Power supply. 100–240V, 5A, 47–63 Hz power supply, which includes the following external components: - AC power socket. Attach the power cord to this socket. (There is no separate on/off power switch.) - Handle. The handle allows for easy removal and insertion. - LED. The LED is lit green when the power supply functions correctly.
ProSAFE Wireless Controller WC9500 The WC9500 wireless controller system supports the following access point models: • NETGEAR WNAP210v2 ProSAFE Wireless-N Access Point • NETGEAR WNAP320 ProSAFE Wireless-N Access Point • NETGEAR WNDAP350 ProSAFE Dual Band Wireless-N Access Point • NETGEAR WNDAP360 ProSAFE Dual Band Wireless-N Access Point • NETGEAR WNDAP380R ProSAFE Dual Band Wireless-N Access Point with RFID support Future releases might support additional access point models.
ProSAFE Wireless Controller WC9500 - Concurrent operation in 2.4 GHz and 5 GHz radio band while in 802.11n mode. - Accepts optional antennas. - Requires minimum firmware version 2.1.7 or a newer version. For product documentation and firmware, see http://support.netgear.com/product/WNDAP350. • WNDAP360 ProSAFE Dual Band Wireless-N Access Point - Supports 802.11a, 802.11b, 802.11g, and 802.11n network devices. - Supports PoE with a power consumption of up to 10.51W. - Concurrent operation in 2.
ProSAFE Wireless Controller WC9500 • Discover Access Points in the Network and Provision IP Addresses and Firmware - Discover access points in the network. The access points can be in factory default state or functioning in standalone mode, but after discovery by the wireless controller and addition to the managed access point list, the access points become dependent (managed) access points. - Provision IP addresses to the access points.
ProSAFE Wireless Controller WC9500 For more information, see Chapter 10, Monitor the Wireless Network and Its Components. Licenses By default, the wireless controller comes with a trial license for five access points. You need to purchase and register licenses for the access points in your network. You can purchase a single 200–access point license or licenses in 10–, 50–, or 100–access point increments for support of up to 200 access points on a single wireless controller: • 10–AP license.
2.
ProSAFE Wireless Controller WC9500 Basic and Advanced Setting Concepts You can deploy the wireless controller in a small wireless network with 10 or 20 access points or in a large wireless network with up to 600 access points. Small networks require a basic configuration, but large networks can become very complex and require you to configure the advanced features of the wireless controller.
ProSAFE Wireless Controller WC9500 Before you start the configuration of your wireless controller, decide whether you can use a basic configuration (that is, follow the Basic submenus) or need to use an advanced configuration (that is, follow the Advanced submenus). Once you have made your choice, configuring the wireless controller should be fairly easy if you consistently follow either the Basic submenus or the Advanced submenus.
ProSAFE Wireless Controller WC9500 Group-2 Group-3 Group-1 Group-4 2 3 4 5 6 7 Group-7 Group-8 5 GHz radio 2.4 GHz radio 1 Group-6 Group-5 8 1 Security profiles 2 3 4 5 6 7 8 Security profiles Figure 6. Advanced profile group architecture The following figure shows an example of three access point profile groups, in which the first profile group (Group-1) has five security profiles.
ProSAFE Wireless Controller WC9500 System Planning This section includes the following subsections: • Preinstallation Planning • Before You Configure a Wireless Controller Preinstallation Planning Before you install any wireless controllers, determine the following: • Number of access points required to provide seamless coverage • Number of licenses required to cover all access points that need to be managed • Number of wireless controllers required • 802.
ProSAFE Wireless Controller WC9500 packets that are sent from the wireless controller do not carry the 802.1Q header, and all untagged packets that are sent to the wireless controller are treated as management VLAN traffic. Note: Use a tagged VLAN or change the tagged VLAN ID only if the hubs and switches on your LAN support 802.1Q. If they do not, and you have not configured a tagged VLAN with the same VLAN ID on the hubs and switches in your network, IP connectivity might be lost.
ProSAFE Wireless Controller WC9500 The encryption option that you can select depends upon the authentication method that you have selected. The following table lists the authentication methods available, with their corresponding encryption options: Table 2.
ProSAFE Wireless Controller WC9500 High-Level Configuration Examples This section includes the following subsections: • Single Controller Configuration with Basic Profile Group • Single Controller Configuration with Advanced Profile Groups Single Controller Configuration with Basic Profile Group A basic configuration consists of a single wireless controller that controls a collection of access points that are organized into the basic default group.
ProSAFE Wireless Controller WC9500 Single Controller Configuration with Advanced Profile Groups A more complex configuration consists of a single wireless controller that controls a collection of access points that are organized in access point profile groups and might use several profiles in each access point profile group. To set up a single wireless controller system with advanced profile groups: Step Configuration Web Management Interface Path 1.
ProSAFE Wireless Controller WC9500 The following illustration shows a simplified view of how you can use VLANs to segregate traffic by user category: Internet Management VLAN 100 Ethernet traffic Finance VLAN 10 Ethernet traffic Employee VLAN 20 Ethernet traffic Network printer Deploy the wireless controller on a trunk port if you use the internal DHCP server Backend L3 switch or router PoE switch Wireless controller WC9500 Finance computer Access point WNDAP360 Finance computer Employee Employee co
ProSAFE Wireless Controller WC9500 High-Level Deployment Scenarios This section provides three deployment scenarios to illustrate how the wireless controller can function in various network configurations: • Scenario Example 1: Network with Single VLAN • Scenario Example 2: Advanced Network with VLANs and SSIDs • Scenario Example 3: Advanced Network Scenario Example 1: Network with Single VLAN The following sample scenario consists of a simple network with a wireless controller, PoE switch, Layer 3 s
ProSAFE Wireless Controller WC9500 The access points and wireless controller are connected in the same subnet and use the same IP address range that is assigned for that subnet. There are no routers between the access points and the wireless controller. The access points are connected to a PoE switch, which, in turn, is connected to the wireless controller. The uplink of the PoE switch connects to a Layer 3 switch or router that provides Internet access.
ProSAFE Wireless Controller WC9500 Step Configuration Web Management Interface Path 5. When the access points are operating, open the Discovery Wizard to do the following: Access Point > Discovery Wizard 1. Specify the state of the access points by selecting the Out of Factory and L2 Subnet APs radio button or the Installed and working in Standalone Mode radio button. 2. Run the Discovery Wizard. 3.
ProSAFE Wireless Controller WC9500 Management VLAN 100 Ethernet traffic Client VLAN 10 Ethernet traffic Client VLAN 20 Ethernet traffic WC9500 SSID 1 Client VLAN 10 PoE switch WNDAP360 Backend L3 switch or router Internet WNDAP360 SSID 2 Client VLAN 20 Figure 10. Example: Advanced network with VLANs and SSIDs The access points and wireless controller are connected in the same subnet and same VLAN and use the same IP address range that is assigned for that subnet.
ProSAFE Wireless Controller WC9500 To provision the wireless controller: Step Configuration Web management interface path 1. Configure the basic system settings: 1. Configure the country code of operation. Configuration > System > General 2. Configure the time settings. Configuration > System > Time 3. Configure the IP address of wireless controller. Configuration > System > IP/VLAN 4.
ProSAFE Wireless Controller WC9500 Step Configuration Web management interface path 8. When the access points are operating, open the Discovery Wizard to do the following: Access Point > Discovery Wizard 1. Specify the state of the access points by selecting the Out of Factory and L2 Subnet APs radio button. 2. Run the Discovery Wizard. 3. Select and add the access points that you want to be managed by the wireless controller to the managed list.
ProSAFE Wireless Controller WC9500 • Building 2: - SSID 1 in VLAN 10 for staff traffic - SSID 2 in VLAN 40 for high school students - SSID 3 in VLAN 30 for guests Building 1 Internet SSID 1 Staff VLAN 10 SSID 2 Middle school VLAN 20 SSID 3 Guest VLAN 30 PoE switch Backend L3 switch or router WNDAP360 WC9500 Core switch Building 2 SSID 1 Staff VLAN 10 SSID 2 High school VLAN 40 SSID 3 Guest VLAN 30 Staff VLAN 10 Ethernet traffic Middle school VLAN 20 Ethernet traffic High school VLAN 40 Ethern
ProSAFE Wireless Controller WC9500 To provision the wireless controller: Step Configuration Web management interface path 1. Configure the basic system settings: 1. Configure the country code of operation. Configuration > System > General 2. Configure the time settings. Configuration > System > Time 3. Configure the IP address of wireless controller. Configuration > System > IP/VLAN 4. Verify that VLAN 1 is set as the management VLAN and is marked as untagged.
ProSAFE Wireless Controller WC9500 Step Configuration Web management interface path 5. When the access points are operating, open the Discovery Wizard to do the following: Access Point > Discovery Wizard 1. Specify the state of the access points by selecting the Out of Factory and L2 Subnet APs radio button. 2. Run the Discovery Wizard. 3. Select and add the access points that you want to be managed by the wireless controller to the managed list.
3.
ProSAFE Wireless Controller WC9500 Initial Set up and Log in To set up and log in to the wireless controller, follow the steps in this section. You can also access the ProSAFE Wireless Controller WC9500 Installation Guide that you can download from http://support.netgear.com/product/WC9500.
ProSAFE Wireless Controller WC9500 The wireless controller’s login screen displays: b. When prompted, enter admin for the user name and password for the password, both in lowercase letters. c. Click Login.
ProSAFE Wireless Controller WC9500 Web Management Interface Layout The following figure shows the menus at the top and the left of the wireless controller’s web management interface (the screen’s content has been removed for more clarity). 1st level: Main menu tab 2nd level: Configuration menu tab Action buttons 3rd level: Submenu link Figure 12. Web management interface components A web management interface screen can include the following components: • 1st level: Main menu tab.
ProSAFE Wireless Controller WC9500 - Delete or Remove. Removes the selected item from the table or screen configuration. - Back. Return to the previous screen. - Next. Advance to the next screen. Roadmap for Initial Configuration After you have connected and logged in to the wireless controller, you need to perform the initial configuration.
ProSAFE Wireless Controller WC9500 9. Click Apply. 10. (Optional) If no DHCP server is available in your network, configure the wireless controller’s DHCP server. For more information, see Manage the DHCP Server on page 51. 11. Click Apply. The connection to the wireless controller is terminated because you have changed its IP address. 12. Reconfigure your computer with an IP address and subnet mask that is in the same IP subnet as the new IP address of the wireless controller. 13.
ProSAFE Wireless Controller WC9500 For more information, see Manage Authentication Servers and Authentication Server Groups on page 85. c. (Optional) Configure MAC authentication. For more information, see Manage MAC Authentication and MAC Authentication Groups on page 81. d. (Optional) Assign the authentication servers and MAC ACLs to the security profiles.
ProSAFE Wireless Controller WC9500 Choose a Location for the Wireless Controller The wireless controller is suitable for use in an office environment where it can be freestanding on its runner feet or mounted into a standard 19-inch equipment rack. Alternatively, you can rack-mount the wireless controller in a wiring closet or equipment room. A mounting kit, containing two mounting brackets and screws, is provided in the wireless controller package.
4.
ProSAFE Wireless Controller WC9500 Configure General Settings Note: You need to select the correct country or region of operation. It might not be legal to operate the access points in a country or region not shown here. If your location is not listed, check with your local government agency or check the NETGEAR website for more information about which channels to use. The General Settings screen lets you configure the basic settings of your wireless controller. To configure general settings: 1.
ProSAFE Wireless Controller WC9500 Manage the Time Settings This screen lets you configure the time-related settings of your wireless controller and managed access points. To configure time settings: 1. Select Configuration > System > Time. The Time Settings screen displays: 2. Configure the settings as described in the following table: Setting Description Time Zone From the menu, select the local time zone for your country or region.
ProSAFE Wireless Controller WC9500 IP and VLAN Settings The IP Settings screen lets you configure the management IP address and VLAN settings of the wireless controller. Management VLAN Concepts Management VLANs are used for all SNMP and HTTP traffic to and from the wireless controller and managed access points.
ProSAFE Wireless Controller WC9500 The IP Settings screen displays: 2. Configure the settings as described in the following table: Setting Description IP Settings section IP Address Enter the IP address of the wireless controller. The default IP address is 192.168.0.250. To change it, enter an available IP address from the address range used on your LAN. IP Subnet Mask Enter the subnet mask value used on your LAN. The default value is 255.255.255.0.
ProSAFE Wireless Controller WC9500 Manage the DHCP Server Note: Make sure that a DHCP server is available; otherwise, the Discovery Wizard does not function correctly. If you already have a DHCP server on your network, do not enable the DHCP server on the wireless controller. The wireless controller can function as a DHCP server. You can add multiple DHCP server pools for different VLANs. By default, there is no DHCP server pool. The DHCP Server List screen lets you add a DHCP server pool.
ProSAFE Wireless Controller WC9500 2. Click Add. The Add DHCP Server pop-up screen displays: 3. Configure the settings as described in the following table: Setting Description Enabled Select this check box to enable the DHCP server. When the check box is cleared, the DHCP server is disabled. Use VLAN Interface Select this check box to allow the DHCP server to function with multiple VLANs. VLAN Enter the DHCP server VLAN ID. The range is between 1 and 4094. The DHCP server services this VLAN.
ProSAFE Wireless Controller WC9500 Setting Description Secondary DNS Server Enter the IP address of the secondary DNS server for the network. Use Default WINS Server Select this check box to allow the DHCP server to use the wireless controller’s default WINS server. The WINS Server field is masked out. WINS Server Enter the IP address of the WINS server for the network. 4. Click Add. The new DHCP server is added to the DHCP Server List. To edit a DHCP server: 1.
ProSAFE Wireless Controller WC9500 Register Your Licenses Make sure that your licenses cover the number of access points in your network. Before you can register your licenses, you need to configure the license server settings. Note: When you install your licenses, they replace the default trial license for five access points. For more information about licenses, see Licenses on page 18 and Manage Licenses on page 165.
ProSAFE Wireless Controller WC9500 3. Configure the settings as described in the following table: Setting Description Update From Select one of the following radio buttons to specify the license update server: • Default Update Server. The default license update server is used. • Specify Update Server. You need to specify the license update server. Fill in the Server Address field.
ProSAFE Wireless Controller WC9500 The Registration screen displays. The following figure shows some licenses already registered and installed. If you register licenses for the first time, the screen does not yet show any licenses. 4. Complete the Customer Information fields with the customer information that is associated with the key that you want to add and register. These fields are self-explanatory. 5.
ProSAFE Wireless Controller WC9500 6. In the Registration Key field at the top of the screen, enter the registration key for the license that you want to add and register. 7. Click Add. The license is added to the table. The key details have the same meaning as those shown on the Inventory screen (see the Key Details section in the table in View Your Licenses on page 165). 8. Click Apply. Your license is registered. 9. (Optional) Repeat these steps to register another license.
ProSAFE Wireless Controller WC9500 The Add Certificates screen displays: 2. Configure the settings as described in the following table: Setting Description Password Enter the password for wireless controller certificates. Controller Key Click Browse, and select the controller key. Controller Certificate Click Browse, and select the controller certificate. CA Certificate Click Browse, and select the CA certificate. 3. Click Apply.
ProSAFE Wireless Controller WC9500 The Logs Settings screen displays: 2. In the Logs Settings section of the screen, configure either event tracing or a log level (these selections are mutually exclusive): • Event tracing. To configure event tracing: a. Select the Event Tracing check box. • b. Next to Time Duration, use the menus to specify the period during which event tracing should occur. Log level. From the Log Level menu, select one of the following levels: - LOG_LEVEL_CRIT.
ProSAFE Wireless Controller WC9500 Configure Syslog Settings This screen lets you configure the settings to connect to a syslog server, if you have one configured in your network. To configure syslog settings: 1. Select Configuration > System > Alerts/Logs > Logs/Syslog. The Logs Settings screen displays: 2.
ProSAFE Wireless Controller WC9500 Configure Alarm Notification Settings You can classify certain events as critical, major, normal, or minor. Some events you can classify only as critical or major. For example, on the RF Management screen, you can specify whether a coverage hole should be classified as critical or major (see RF Management for the Basic Profile Group on page 141). To configure alarm actions: 1. Select Configuration > System > Alerts/Logs > Alarms. The Alarm Actions screen displays: 2.
ProSAFE Wireless Controller WC9500 Configure the Email Notification Server The email notification server is the location from which the email alerts originate. To configure email settings: 1. Select Configuration > System > Alerts/Logs > Email Setup. The Email Configuration screen displays: 2. Configure the settings as described in the following table: Setting Description Server Address Enter the IP address of the server from which email notifications are sent.
5.
ProSAFE Wireless Controller WC9500 Wireless Security Profile Concepts Profiles are sets of configurations that you can apply to an access point. The configuration includes radio parameters, load-balancing parameters, and rate-limit parameters. Each wireless radio on an access point can support eight profiles. This means that the dual-band WNDAP350 access point can support a total of 16 profiles.
ProSAFE Wireless Controller WC9500 Larger WLAN Networks For larger network deployments that consist of different sets of WLAN networks, consider using the advanced configuration to create multiple profile groups. The access points that belong to the same profile group use the same wireless, security, and QoS configurations. The wireless controller supports up to eight profile groups. Each profile group can have its own wireless, security, and QoS configurations.
ProSAFE Wireless Controller WC9500 Note: You can configure profiles to function with different authentication servers. For example, you could set up a guest profile with no authentication, an engineering profile that uses external RADIUS authentication, and a marketing profile that uses external LDAP authentication. You can also use additional external RADIUS servers in other profiles. • MAC authentication.
ProSAFE Wireless Controller WC9500 Configure Security Profiles for the Basic Profile Group The basic profile group works well for small-scale WLAN networks. NETGEAR recommends that you read the information in the previous section, Wireless Security Profile Concepts, before you configure any profiles.
ProSAFE Wireless Controller WC9500 3. Click the + button to add the profile to the basic profile group. The Add Profiles pop-up screen displays. 4. (Optional) Clone an existing profile: a. Select the Clone an existing Profile check box. The previous figure shows that you can clone an existing profile with the name VLAN10. b. Select a profile from the Profiles menu. 5. Click Add.
ProSAFE Wireless Controller WC9500 Setting Description Broadcast Wireless Network Name Select the Yes radio button to enable broadcast of the SSID. This is the default setting. Select the No radio button to disable broadcast of the SSID, in which case only devices that have the correct SSID can connect to the access point. Client Authentication section Note: The options that display onscreen depend on your selection from Network Authentication menu.
ProSAFE Wireless Controller WC9500 Setting Description Note: Captive Portal displays only when you select Open System, Shared Key, WPA-PSK, WPA2-PSK, or WPA-PSK & WPA2-PSK from the Network Authentication menu. Captive Portal Select this check box if you want to enable the captive portal. For more information, see Manage Guest Network Access on page 111.
ProSAFE Wireless Controller WC9500 5. Click Apply. To remove an existing profile: 1. Select Configuration > Profile > Basic > Radio. The Edit Profile (Basic) screen displays. 2. Click the tab for the radio for which you want to remove a profile. 3. Click the tab for the profile that you want to remove. 4. Click Delete. 5. Confirm that you want to delete the profile. Configure Security Profiles for Advanced Profile Groups Advanced profile groups are useful for larger deployments.
ProSAFE Wireless Controller WC9500 The Profile Groups screen displays: Click + to add another profile group. 2. To add a profile group, click the + button. The new profile group displays on the Profile Groups screen. By default, an NG_11g-0 profile and an NG_11a-0 profile are present in a profile group. Note: By default, profile groups are named Group-1, Group-2, Group-3, and so on. You cannot change these profile group names.
ProSAFE Wireless Controller WC9500 Configure Profiles in an Advanced Profile Group For each profile group, the Edit Profile (Group-X) screen lets you create and configure up to eight security profiles per wireless radio (eight profiles for a single-band access point; 16 profiles for a dual-band access point). Separate profiles are applied to 802.11b/bg/ng-mode and 802.11a/na-mode radios. To add a security profile to an advanced profile group and configure the security profile: 1.
ProSAFE Wireless Controller WC9500 Click + to add another profile. Your selection from the Network Authentication menu determines the information that is displayed onscreen. Select the Local radio button to display the Local MAC ACL Group menu. Select the External radio button to display the External Radius Server menu. 7. Configure the settings as described in the following table: Setting Description Profile Definition section Name Enter a unique name to identify the profile.
ProSAFE Wireless Controller WC9500 Setting Description Client Authentication section Note: The options that display onscreen depend on your selection from Network Authentication menu. Network Authentication From the menu, select the authentication type to be used. Table 3 on page 78 lists all the authentication type options. Data Encryption From the menu, select the data encryption type to be used.
ProSAFE Wireless Controller WC9500 Setting Description Note: Captive Portal displays only when you select Open System, Shared Key, WPA-PSK, WPA2-PSK, or WPA-PSK & WPA2-PSK from the Network Authentication menu. Captive Portal Select this check box if you want to enable the captive portal. For more information, see Manage Guest Network Access on page 111.
ProSAFE Wireless Controller WC9500 5. Click the tab for the profile that you want to edit. 6. Change the settings. For information about how to change the settings, see Configure Profiles in an Advanced Profile Group on page 73. 7. Click Apply. To remove an existing profile from an advanced profile group: 1. Select Configuration > Profile > Advanced > Radio. The Profile Groups screen displays. 2. Click the tab for the profile group for which you want to remove a profile. 3. Click Edit.
ProSAFE Wireless Controller WC9500 Table 3. Network authentication and data encryption settings Network Authentication Selection Data Encryption Configuration Steps Options Open None WEP You can use an open system without any encryption or with WEP encryption: • No encryption. An open system without encryption is the default setting. No further authentication and encryption configuration is required. • WEP encryption.
ProSAFE Wireless Controller WC9500 Table 3. Network authentication and data encryption settings (continued) Network Authentication Selection Data Encryption Configuration Steps Options WPA with Radius TKIP TKIP + AES To configure WPA authentication with a RADIUS server: 1. Set up and enable an internal or external (RADIUS or LDAP) authentication server. For information, see Manage Authentication Servers and Authentication Server Groups on page 85. 2.
ProSAFE Wireless Controller WC9500 Table 3. Network authentication and data encryption settings (continued) Network Authentication Selection Data Encryption Configuration Steps Options WPA-PSK TKIP TKIP + AES To configure WPA-PSK authentication: 1. From the Data Encryption menu, select the type of encryption: - TKIP. Supports TKIP only. TKIP + AES. Supports both TKIP and AES. 2. (Optional) Select the Show Passphrase check box to display the characters in the WPA Passphrase (Network Key) field. 3.
ProSAFE Wireless Controller WC9500 Manage MAC Authentication and MAC Authentication Groups MAC authentication lets you set up an external or a local access control list (ACL) with MAC addresses of clients to either allow or deny the network access privilege of the specified clients with the wireless controller–managed access point. The settings are applied only to managed access points. Note: The wireless controller can support an aggregate number of 4096 MAC addresses for all its local ACLs.
ProSAFE Wireless Controller WC9500 Configure Basic Local MAC Authentication Settings You would typically use the basic MAC authentication group in the profiles of a basic profile group of a small-scale network. However, you can assign the basic MAC authentication group to any profile, whether in the basic profile group or in an advanced profile group. The wireless controller supports a maximum of 256 MAC addresses per SSID.
ProSAFE Wireless Controller WC9500 3. Add wireless clients to the Selected Wireless Clients list through one of the following methods: • The MAC address that you want to add is in Available Wireless Clients list, which contains wireless stations that are present in the vicinity of the access point: a. Select the MAC address from the Available Wireless Clients list. • b. Click Move. The MAC address that you want to add is not in Available Wireless Clients list: a.
ProSAFE Wireless Controller WC9500 5. Click Import. 6. Click Apply. Configure Local MAC Authentication Groups For greater security flexibility, you can create up to eight MAC authentication groups (MAC ACLs) to block or allow network access privilege of different clients. You can assign any MAC authentication group, including the basic MAC authentication group, to any profile, whether in the basic profile group or in an advanced profile group.
ProSAFE Wireless Controller WC9500 5. Compile the Selected Wireless Clients list. For information about how to compile a wireless clients list, see Configure Basic Local MAC Authentication Settings on page 82. 6. Click Apply. For information about how to add a MAC authentication group to a security profile in the basic profile group, see Configure Profiles in the Basic Profile Group on page 67.
ProSAFE Wireless Controller WC9500 See the following configuration guidelines for external RADIUS servers: • - You need to add only the IP address of the wireless controller as a RADIUS client to the RADIUS server. All managed access points are then automatically known to the RADIUS server. - For configuration guidelines for external MAC authentication, see Guidelines for External MAC Authentication on page 81.
ProSAFE Wireless Controller WC9500 The basic Authentication Server screen displays. The following figure shows the fields for an external LDAP server: 2. Select the radio button that corresponds to the authentication server that you want to set up: • External RADIUS Server • Internal Authentication Server • External LDAP Server 3.
ProSAFE Wireless Controller WC9500 Setting Description Internal Reauthentication Time Authentication (seconds) Server Update Global Key Every (seconds) Specify the time (in seconds) after which reauthentication occurs for all wireless clients. To enable update of the global key: 1. Select this check box. 2. Specify the interval (in seconds) after which the global key is updated for all wireless clients.
ProSAFE Wireless Controller WC9500 The advanced Authentication Server screen displays: Click + to add another authentication group. 2. Click the + button to create an additional authentication group. The new authentication group displays on the advanced Authentication Server screen, and the tab for the new authentication is automatically selected to let you configure the new group. 3. (Optional) In the Group Name field, enter a unique name for the authentication group.
6. Discover and Manage Access Points This chapter includes the following sections: • Access Point Discovery Guidelines • Discover Access Points with the Discovery Wizard • Manage the Managed AP List • Assign Access Points to Advanced Profile Groups IMPORTANT: Before you use the wireless controller to discover your access points and push the configurations to the access points: 1. Make sure that you have registered sufficient licenses. 2. Determine which profiles and security you require. 3.
ProSAFE Wireless Controller WC9500 Access Point Discovery Guidelines You need to run the Discovery Wizard for the wireless controller to discover supported NETGEAR access points on the LAN or WAN. The wireless controller can discover access points that are still in their factory default state and access points that are deployed and running. After the access points are discovered, you can add them to the Managed AP List.
ProSAFE Wireless Controller WC9500 To compose the address, start with 02:04: and then add each of the four address octets in hexadecimal format, separated by colons. For example: 192.168.33.27 in decimal format equals c0:a8:21:1b in hexadecimal format. After you have added the vendor-specific octets, the complete address is 02:04:c0:a8:21:1b. - Linux- or Windows-based DHCP server.
ProSAFE Wireless Controller WC9500 The Discovery Wizard Step 1 of 2 : Choose state of Access Points screen displays: 2. Select the Out of Factory and L2 Subnet APs radio button. Note: The I am not sure radio button directs you to the product documentation. 3. Click Next. The Discovery Wizard Step 2 of 2 : Select Access Points to manage screen displays. The wireless controller searches for NETGEAR products on the LAN based on MAC address and identifies which products are supported access point models.
ProSAFE Wireless Controller WC9500 The effectiveness of the discovery process depends in part on how the access points on your LAN are set up. If each access point is configured with a unique IP address and is running current firmware, discovery is usually simple. If the discovery results are not what you expect, check the following: • Access points that are already managed by the wireless controller are not in the discovery list. To view the Managed AP List, select Access Point > Managed AP List.
ProSAFE Wireless Controller WC9500 10. If necessary, enter the login name and password. The Managed AP List screen displays. Because this is a wide screen, it is shown in the following two figures: After the access points are added to the Managed AP List, the wireless controller upgrades the firmware of the access points to the latest firmware that is loaded on the wireless controller, and the access points become managed access points.
ProSAFE Wireless Controller WC9500 Access Points Installed and Working in Standalone Mode in Different Layer 3 Networks Access points that are installed and working in standalone mode in different Layer 3 networks are access points that do not function in the same subnet as the wireless controller but in different IP ranges and that are connected to the wireless controller through a router. If you have a very large wireless network, you might have to run the Discovery Wizard several times.
ProSAFE Wireless Controller WC9500 4. In the Range 1 section, fill in the Start IP and End IP fields. These IP addresses specify the range in which the wireless controller should discover access points. 5. (Optional) Add additional IP address ranges for the wireless controller to search in: a. Click Add. The screen adjusts to display a second set of Start IP and End IP fields. b. In the Range 2 section, fill in the Start IP and End IP fields. c. Click Add.
ProSAFE Wireless Controller WC9500 If the discovery results are not what you expect, check the following: • Access points managed already by the wireless controller are not in the discovery list. To view the Managed AP List, select Access Point > Managed AP List. • Make sure that a DHCP server is available in the network or on the wireless controller. For information about the wireless controller’s DHCP server, see Manage the DHCP Server on page 51.
ProSAFE Wireless Controller WC9500 The Managed AP List screen displays. Because this is a wide screen, it is shown in the following two figures: After the access points are added to the Managed AP List, the wireless controller upgrades the firmware of the access points to the latest firmware that is loaded on the wireless controller, and the access points become managed access points. Depending on the number of access points that you add to the Managed AP List, this process might take several minutes.
ProSAFE Wireless Controller WC9500 Manage the Managed AP List After you have added discovered access points to the Managed AP List, you can view the status of the access points on the list, edit information for selected access point on the list, and remove access points from the list. View the Managed AP List The managed AP List displays the status, IP addresses, MAC addresses, model numbers, names, and other information for the managed access points.
ProSAFE Wireless Controller WC9500 The Managed AP List screen shows the following entries for each access point that you added to the list: Item Description IP The IP address of the access point. MAC The MAC address of the access point. Model The model of the access point. Name The name of the access point. Status Shows one of the following status options: • Authentication in progress. This status can last several minutes. • Applying configurations. • Firmware upgrade. • AP is rebooting.
ProSAFE Wireless Controller WC9500 2. Select the access point that you want to edit by selecting its radio button in the Edit column of the Managed AP List. 3. Click Edit. The Edit Access Point screen displays: 4. Configure the settings as described in the following table. Setting Description Access Point Info section Name Enter a unique value that indicates the access point name.
ProSAFE Wireless Controller WC9500 Setting Description Group The group to which the access point is assigned. After the access point discovery process, the access point is automatically assigned to the basic group. If you have set up profile groups, you can assign the access point to another profile group by selecting one from the menu. You can also change the group assignment later on the WLAN Group Assignment screen.
ProSAFE Wireless Controller WC9500 Setting Description Building The building designation is always Building-1, which is a fixed selection from the menu. Floor The floor designation is always Floor-1, which is a fixed selection from the menu. Location Enter a name that is meaningful to you. 5. Click Apply. 6. Click Back. The Managed AP List screen displays. Changes that you made on the Edit Access Point screen are displayed in the table. 7.
ProSAFE Wireless Controller WC9500 To view the WLAN Group Assignment screen: Select Configuration > WLAN Network. The settings are explained in the following table: Setting Description IP The IP address of the access point. MAC The MAC address of the access point. Model The model of the access point. Name The name that you specified for the access point. Building The building designation is always Building-1. Floor The floor designation is always Floor-1.
ProSAFE Wireless Controller WC9500 Tip: To view all members of a profile group, sort the access points by profile group. You do this by clicking the icon next to the Group Name header in the table. To assign one or more access points to another profile group: 1. Select Configuration > WLAN Network. The WLAN Group Assignment screen displays. 2. Take one of the following actions: • Assign a single access point to another group by selecting the check box to the right of the access point.
7.
ProSAFE Wireless Controller WC9500 Manage Rogue Access Points Rogue access point detection is disabled by default on the wireless controller. If you want to detect rogue access points, you need to enable rogue access point detection. Scanning might affect the service availability of the access point temporarily. An access point is defined as rogue if: • The access point’s radio basic service set identifier (BSSID) is detected by any of the managed access points.
ProSAFE Wireless Controller WC9500 The basic Rogue AP screen displays: The wireless controller can support a total of up to 512 access points from the known and unknown lists combined. 2. Next to Rogue AP Detection, select the enable radio button. 3. Next to Alert Severity, select the severity of the alarm when a rogue access point is detected: • Major. A major alarm is triggered. • Minor. A minor alarm is triggered. 4. Click Apply.
ProSAFE Wireless Controller WC9500 The advanced Rogue AP screen displays: The screen displays the Rogue List, which shows all detected rogue access points with essential information, including information about their last beacon. If there are many entries that are spread out over several pages, click Next or Previous to scroll through the Rogue List. Note: As an option, you can import a list of access points from a file. For more information, see the next section. 2.
ProSAFE Wireless Controller WC9500 To import a list of known access points from a file: 1. Create a text file that includes a list of MAC addresses for the access points. Each MAC address should be on a separate line with hard returns between lines as shown in the following example: 00:00:11:11:22:29 00:00:11:11:22:28 00:00:11:11:22:27 00:00:11:11:22:26 00:00:11:11:22:25 2. Select Configuration > Security > Advanced > Rogue AP. The advanced Rogue AP screen displays. 3.
ProSAFE Wireless Controller WC9500 There are two types of portal settings: • Guest portal. Use this portal if all wireless users are allowed to access the network by supplying only their email address. You do not need to define user names and passwords for these users. • Captive portal. Use this portal type if wireless users need to supply their login name and password before being allowing access the network.
ProSAFE Wireless Controller WC9500 Configure a Portal You can configure a guest portal or captive portal with a local or external authentication server. To configure a guest portal or a captive portal: 1. Select Configuration > Captive Portal. The Portal Settings screen displays. The following figure shows the settings for a captive portal. The settings for a guest portal are identical, except for the RADIUS server settings, which you cannot configure for a guest portal.
ProSAFE Wireless Controller WC9500 2. Configure the settings as described in the following table. Setting Description Portal Settings section Portal Type Select one of the following radio buttons: • Guest. A guest portal with a field for entering an email address. Guests do not need to provide a password and can have unlimited access to the network. You do not need to configure guest accounts. • Captive. A captive portal with a field for entering a login user name and a field for entering a password.
ProSAFE Wireless Controller WC9500 5. Assign the captive portal or guest portal to a security profile in the basic profile group, in an advanced profile group, or in both: • Basic profile group. Assign the captive portal or guest portal to a security profile in the basic profile group: a. Select Configuration > Profile > Basic > Radio. The Edit Profile (Basic) screen displays. b. Click the tab for the radio for which you want to assign the portal. c.
ProSAFE Wireless Controller WC9500 Manage Users, Accounts, and Passwords The wireless controller supports three types of users: management users, WiFi clients, and captive portal users. All of these users need to provide their login name and password to be authenticated by the wireless controller’s internal authentication server and to access the wireless controller’s web management interface or wireless network. • Management users.
ProSAFE Wireless Controller WC9500 The User Management screen displays with the Management tab and associated screen in view. The following figure contains some account examples. 2. Click Add. The Add User pop-up screen displays. 3. Configure the user settings as described in the following table. Setting Description User Name Enter a unique user name. Only alphanumerical characters and underscore characters (_) are supported.
ProSAFE Wireless Controller WC9500 The user is added to the table on the User Management screen. Add a WiFi Client You can add a user who is allowed to access the wireless network but who does not need to go through the captive portal or the guest portal. To add a WiFi client: 1. Select Maintenance > User Management. The User Management screen displays with the Management tab and associated screen in view. 2. Click the WiFi Clients tab. The WiFi Client screen displays.
ProSAFE Wireless Controller WC9500 4. Configure the client settings as described in the following table. Setting Description User Name Enter a unique user name. Only alphanumerical characters and underscore characters (_) are supported. Password Enter a password in the Password field. Confirm the password in the Confirm Password field. Authentication Type From the menu, select one of the following protocols: • EAP. Extensible Authentication Protocol. • PEAP. Protected EAP. 5. Click Apply.
ProSAFE Wireless Controller WC9500 The Add Account pop-up screen displays. 4. Configure the account settings as described in the following table. Setting Description Account Name Enter a unique account name. Only alphanumerical characters and underscore characters (_) are supported. Amount Enter the total amount that is charged for the period during which access is available. Enter whole numbers only. Currency Sign Enter the currency that is associated with the amount.
ProSAFE Wireless Controller WC9500 The Captive Portal Users screen displays. The following figure contains some account examples. 3. Click Add. The Add User pop-up screen displays. 4. Configure the user settings as described in the following table. Setting Description User Name Enter a unique user name. Only alphanumerical characters and underscore characters (_) are supported. Password There are two methods to populate the password fields. Use either one method. Method one: 1.
ProSAFE Wireless Controller WC9500 Setting Description Expiry Select one of the following radio buttons, all of which are mutually exclusive: • Account. Select a captive portal account from the menu. Wireless access expires according to the expiration period that is specified for the selected account (see Add a Captive Portal Account on page 119). • No Expiry. Wireless access does not expire. • Expires in. Wireless access expires within one hour.
ProSAFE Wireless Controller WC9500 Export a List of Users or Accounts You can export a list of users or account as a comma-separated values (CSV) file. To export a list of users or accounts: 1. Select Maintenance > User Management. The User Management screen displays with the Management tab and associated screen in view. 2. Click one of the following tabs: • Management • WiFi Clients • Captive Portal Account • Captive Portal Users 3. Click Export.
8.
ProSAFE Wireless Controller WC9500 Basic and Advanced Wireless and QoS Configuration Concepts It is important to know how to configure your network and decide which configuration model better fits your needs, basic or advanced. Once you follow one, it is easy to use the same configuration model for the wireless and Quality of Service (QoS) settings. Before you configure the wireless settings, read Basic and Advanced Setting Concepts on page 20. • • • Basic wireless settings.
ProSAFE Wireless Controller WC9500 Configure the Radio Radio On/Off is a green feature that can be used during scheduled vacations or plant shutdowns, on evenings, or on weekends. Configure the Radio for the Basic Profile Group To schedule the radio for the basic profile group: 1. Select Configuration > Wireless > Basic > Radio On/Off. The basic Schedule screen displays: 2.
ProSAFE Wireless Controller WC9500 Configure the Radio for an Advanced Profile Group You can schedule the radio for specific groups to match their network usage. For example, during registration, a school could leave the radios on for the main office or administration building, and turn off radios in buildings that contain only classrooms that are not in use. To schedule the radio for an advanced profile group: 1. Select Configuration > Wireless > Advanced > Radio On/Off.
ProSAFE Wireless Controller WC9500 Configure Wireless Settings During initial setup, you entered your country and region in the General Settings screen (see Configure General Settings on page 47). Based on your location and environment, the wireless controller determined the best wireless settings for the discovered access points and pushed these settings to your managed access points.
ProSAFE Wireless Controller WC9500 The Basic Wireless Settings screen displays: 2. Click the tab for the radio for which you want to configure the wireless settings. 3. Select the Turn Radio On check box. The wireless settings become accessible and you can configure them. If you cannot select the Turn Radio On check box, see the requirements are the beginning of this section.
ProSAFE Wireless Controller WC9500 4. Configure the settings as described in the following table: Setting Description Wireless Mode The selections that are available depend on the selected radio mode. From the menu select the wireless mode: • 802.11b/bg/ng mode: - 11ng. This is the default setting. - 11bg. - 11b. • 802.11a/na mode: - 11na. This is the default setting. - 11a. Note: If you select 802.11bg or 802.11b mode, both 802.11n- and 802.11g-compliant devices can connect to the access points.
ProSAFE Wireless Controller WC9500 Setting Description AMPDU (802.11n only) Select the On radio button to allow the aggregation of several MAC frames into a single large frame to achieve higher throughput. Enabling AMPDU can lead to better network performance. Select the Off radio button to disable this option. RIFS Transmission (802.11n only) Select the On radio button to enable the reduced interframe space (RIFS) option to allow transmission of successive frames at different transmit powers.
ProSAFE Wireless Controller WC9500 The Basic Wireless Settings screen displays. 2. Click the tab for the radio for which you want to configure the wireless settings. 3. Configure the settings in the table at the bottom of the screen as described in the following table: Setting Description AP Name The name of the access point. Access Point Channel Override these settings only if there is a specific need. From the menu, select a channel and frequency for the access point to operate in.
ProSAFE Wireless Controller WC9500 Setting Description Tx Power From the menu, select the transmission power of the access point. Note: By default, the access point’s transmission power is set to the configuration that is selected on the basic RF Management screen. For more information, see RF Management for the Basic Profile Group on page 141. 4. Click Apply.
ProSAFE Wireless Controller WC9500 2. Click the tab for the profile group for which you want to configure the wireless settings. 3. Click the tab for the radio for which you want to configure the wireless settings. 4. Select the Turn Radio On check box. The wireless settings become accessible and you can configure them. If you cannot select the Turn Radio On check box, see the requirements are the beginning of this section. 5.
ProSAFE Wireless Controller WC9500 Setting Description Fragmentation Length (256-2346) Enter the size that specifies the maximum fragmentation length for data packets. Packets larger than the specified fragmentation length are broken up into smaller packets before being transmitted. The fragmentation length needs to be an even number. Beacon Interval (100-1000) Enter the time interval for each beacon transmission that allows the access point to synchronize the wireless network.
ProSAFE Wireless Controller WC9500 For you to be able to configure these settings in the table, there are two requirements: • Channel. To enable the Access Point Channel menu in the table, you need to disable automatic channel allocation on the Channel Allocation screen (see Configure Channels on page 137). • Transmission power.
ProSAFE Wireless Controller WC9500 4. Configure the settings in the table at the bottom of the screen as described in the following table. Setting Description AP Name The name of the access point. Access Point Channel Override these settings only if there is a specific need. From the menu, select a channel and frequency for the access point to operate in. Note: Changing a channel might temporarily affect the traffic on the access point.
ProSAFE Wireless Controller WC9500 The allocated channels apply to all access points, irrespective of whether they are managed in profiles of the basic profile group or profiles of an advanced profile group. However, you can override the general channel allocation settings for individual access points on the Basic Wireless Settings screen and on the Advanced Wireless Settings screen.
ProSAFE Wireless Controller WC9500 2. Configure the settings as described in the following table: Setting Description Automatic channel allocation Ensure that the enable radio button is selected during normal operation. Automatic channel allocation distributes channels across the managed access points to reduce interference. To disable automatic channel allocation, select the disable radio button. Valid corporate channels Specify the wireless band by selecting the 2.4 GHz or 5 GHz check box.
ProSAFE Wireless Controller WC9500 Specify RF Management RF management optimizes the channel allocation for access points based on clients, user data traffic, and the nearby RF environment of access points. The wireless controller periodically checks the radio neighborhood maps and detects changes in the radio neighborhood maps or loss of connectivity to the wireless controller by an access point. WLAN healing is a special feature of RF management.
ProSAFE Wireless Controller WC9500 RF Management for the Basic Profile Group The basic RF Management screen lets you configure the wireless transmission power, WLAN healing, and wireless coverage hole detection for the basic profile group. To configure RF management for access points in the basic profile group: 1. Select Configuration > Wireless > Basic > RF Management. The basic RF Management screen displays: 2.
ProSAFE Wireless Controller WC9500 Setting Description WLAN Healing Maximum Neighbors to Participate From the menu, select the maximum number of neighboring access in Self-healing points that increase or decrease power to cover for a failing access point. Selecting 0 (zero) disables this feature. Use close neighbors, not a distant access point, and do not use all access points.
ProSAFE Wireless Controller WC9500 The advanced RF Management screen displays: 2. Click the tab for the profile group for which you want to configure RF management. 3. Configure the settings as described in the following table. Setting Description TX Power Settings Default Tx Power Make a selection from the menu to specify how the transmission (Tx) power is configured on the access points: Full, Half, Quarter, Eighth, or Minimum.
ProSAFE Wireless Controller WC9500 Setting Description Self healing wait Time after AP Failure From the menu, select the number of minutes to validate (that is, wait) before confirming a failed access point and increasing transmit power to cover the area. Enter a value greater than the access point reboot time, which is usually one minute. This allows for fluctuations in the power of nearby access points when access points are rebooted.
ProSAFE Wireless Controller WC9500 The Advanced QoS Settings screen lets you modify the QoS settings per profile group and per radio for upstream traffic flowing from the station (that is, the wireless client) to managed access points and the downstream traffic flowing from managed access points to the station. These settings are applied only to managed access points that are capable of supporting these settings.
ProSAFE Wireless Controller WC9500 Setting Description AIFS Specify a wait time (in milliseconds) for data frames. Valid values for arbitration inter-frame space (AIFS) are 1 through 255. These are the default values for the AP EDCA parameters: • Data 0 (Best Effort) 3 • Data 1 (Background) 7 • Data 2 (Video) 1 • Data 3 (Voice) 1 CwMin Specify an upper limit (in milliseconds) of a range from which the initial random backoff wait time is determined.
ProSAFE Wireless Controller WC9500 Setting Description TXOP Limit Specify the transmission opportunity (TXOP) limit. Note: Station EDCA The TXOP limit applies only to station AP EDCA parameters and specifies the maximum period during which the client station client can initiate transmissions. parameters only These are the default values for the Station EDCA parameters: • Data 0 (Best Effort) 0 • Data 1 (Background) 0 • Data 2 (Video) 3008 • Data 3 (Voice) 1504 5. Click Apply.
ProSAFE Wireless Controller WC9500 To configure load balancing for all access points of one model: 1. Select Configuration > Profile > Basic > Load Balancing. The Load Balancing screen displays: 2. Click the tab for the access point model for which you want to configure load balancing. 3.
ProSAFE Wireless Controller WC9500 use the 802.11b/bg/ng mode cannot exceed 100 percent; similarly, the combined percentages of the two profiles that use the 802.11a/na mode cannot exceed 100 percent. On each managed access point (or on each radio in a managed dual-band access point), the available bandwidth is distributed in the specified percentages among the profiles in a profile group. The percentage that is configured for a single profile is shared among all the clients connected to it.
ProSAFE Wireless Controller WC9500 Rate Limiting for an Advanced Profile Group For each profile group, and for each radio mode (802.11b/bg/ng mode and 802.11a/na mode), rate limiting per profile adds up to a maximum of 100 percent. (It can be less than 100 percent.) There is a tab for each group and for each wireless radio mode. To configure rate limiting for an advanced profile group: 1. Select Configuration > Profile > Advanced > Rate Limit. The advanced Rate Limit screen displays: 2.
9.
ProSAFE Wireless Controller WC9500 Manage the Configuration File This section includes the following subsections: • Back Up the Configuration File • Restore the Configuration File • Upgrade the Firmware The configuration settings of the wireless controller are stored in a configuration file on the wireless controller. This file can be saved (backed up) to a computer, retrieved (restored) from the computer, cleared to factory default settings, and replaced by a newer version (upgraded).
ProSAFE Wireless Controller WC9500 Restore the Configuration File Restore only settings that were backed up from a WC9500 wireless controller. (You cannot restore settings on a WC9500 wireless controller that were backed up from a WC7520 wireless controller.) To restore the configuration file from a backed-up file: 1. Select Maintenance > Backup/Restore. The Backup/Restore screen displays. 2. Click the Browse button. 3. Navigate to the saved configuration file.
ProSAFE Wireless Controller WC9500 To upgrade the firmware: 1. (Optional) Download the firmware from NETGEAR: a. Visit the NETGEAR support page for the WC9500 wireless controller at http://support.netgear.com/product/WC9500. b. Download the firmware and save it to your computer. 2. Select Maintenance > Upgrade > Firmware Upgrade. The Firmware Upgrade screen displays. The following figure shows the fields that display when you have selected the FTP radio button.
ProSAFE Wireless Controller WC9500 Setting Description Server Parameters section (TFTP and FTP only) Server IP Enter the IP address of the TFTP or FTP server. File Name Enter the file name of the firmware. User Name (FTP only) Enter the user name to access the FTP server. Password (FTP only) Enter the password to access the FTP server. Boot Information section Active Partition This is an informational field that displays the active partition and the current firmware version.
ProSAFE Wireless Controller WC9500 Note: After you have upgraded the firmware, if the browser does not display the latest features of the web management interface, clear the browser’s cache, and refresh the screen. Reboot or Reset the Wireless Controller The Reboot/Reset Controllers screen lets you reboot or reset the wireless controller. There are two types of reset: • Hard reset. The settings of the wireless controller are restored to factory default settings.
ProSAFE Wireless Controller WC9500 To reset the wireless controller: 1. Select Maintenance > Reboot/Reset > Controllers. The Reboot/Reset Controllers screen displays. 2. Select the reset radio button. 3. Select one of the following radio buttons to specify a hard reset or soft reset: - hard. Restore the factory default settings to the wireless controller. The factory default settings are listed in Appendix A, Factory Default Settings and Technical Specifications. - soft.
ProSAFE Wireless Controller WC9500 To enable and configure SNMP: 1. Select Maintenance > Remote Management > SNMP. The SNMP screen displays: 2. Enable SNMP and configure the settings as described in the following table: Setting Description SNMP Select this check box to enable SNMP for the wireless controller. Read-Only Community Name Enter the community string that allows the SNMP manager to read the wireless controller’s MIB objects. The default setting is public.
ProSAFE Wireless Controller WC9500 Specify Session Time-Outs If an HTTP session times out, the user is redirected to the login screen for password verification. To specify the length of the HTTP session time-out for the wireless controller: 1. Select Maintenance > Remote Management > Session Timeout. The Session Timeout screen displays: 2. In the Timeout (minutes) field, specify number of minutes before an active HTTP login session expires. The default session time-out is five minutes. 3. Click Apply.
ProSAFE Wireless Controller WC9500 The Query System Logs screen displays: 2. (Optional) In the Search field, enter the status (for example, Connected or Disconnected), IP address, MAC address, model, or name of an access point for which you want to query the logs. The table displays only the access point or access points that match the information that you entered in the Search field. 3.
ProSAFE Wireless Controller WC9500 If any logs are available, they are displayed onscreen: 5. (Optional) Click Save. 6. Follow the directions of your browser to save the logs to your computer. The default name of the zipped log file is -WC9500-Query.txt, in which is the IP address of the wireless controller. 7. Click Back. The Query System Logs screen displays again. To save all system logs: 1. Select Maintenance > Logs & Alerts > Logs. The Query System Logs screen displays. 2.
ProSAFE Wireless Controller WC9500 View Alerts and Events The wireless controller lets you view the following alerts and events: • System alerts. System alerts such as an access point coming up or being shut down, the wireless controller coming up or being shut down, and a firmware upgrade. • RF events. Radio frequency events such as the detection of a coverage hole, a change of channel, or a managed access point going down. • Load balancing event.
ProSAFE Wireless Controller WC9500 Each screen lets you refresh the alerts or events, export the alerts or events, and clear the alerts or events from the screen and from the memory: • To display the latest alerts or events onscreen, click Refresh. • To clear all alerts or events from the screen and from memory, click Clear All. NETGEAR recommends that you save the logs or alerts before you clear them. • To save the alerts or events: a. Click Export. b.
ProSAFE Wireless Controller WC9500 To view RF events: Select Maintenance > Logs & Alerts > RF Events. The RF Events screen displays: To view load-balancing events: Select Maintenance > Logs & Alerts > Load Balancing.
ProSAFE Wireless Controller WC9500 To view rate-limit events: Select Maintenance > Logs & Alerts > Rate Limit. The Rate Limit screen displays: Manage Licenses The License screen allows you to import, register, and view the licenses that you require for your network. For more information about licenses, see Licenses on page 18. The License screen consists of four separate screens: • Inventory. Provides an overview of your licenses. For information, see View Your Licenses on page 165.
ProSAFE Wireless Controller WC9500 2. Click the Inventory tab. The Inventory screen displays: The following table describes the fields of the screen: Setting Description Summary section Total AP License The number of access points that your licenses support. Nmode License Status Availability of the 802.11n mode license. (This license is available by default, indicated by either Pre-installed or Available.
ProSAFE Wireless Controller WC9500 Your license information is refreshed onscreen. Retrieve Your Licenses If NETGEAR exchanged your wireless controller for another one, your licenses no longer display on the Inventory and Registration screens. You need to retrieve your licenses from the license update server. To retrieve licenses after you have received a replacement unit from NETGEAR: 1. Make sure that the wireless controller is connected to the Internet. 2.
ProSAFE Wireless Controller WC9500 The Reboot Access Points screen displays: 2. (Optional) In the Search field, enter the IP address, MAC address, model, or name of an access point that you want to reboot, or enter other information to narrow down the information that is displayed in the table. The table displays only the access point or access points that match the information that you entered in the Search field. 3.
ProSAFE Wireless Controller WC9500 Change the Multicast Firmware Upgrade Settings By default, the wireless controller uses IP range 239.255.0.0–239.255.0.255 for the multicast firmware upgrade process. If your network requires that the wireless controller uses a different multicast IP range, you can configure the IP range on the AP Upgrade Settings screen. To configure another multicast IP address range and port for the firmware upgrade process: 1. Select Maintenance > Upgrade > AP Upgrade Settings.
ProSAFE Wireless Controller WC9500 The AP Upgrade Settings screen displays. 2. Clear the Enable Multicast check box. This check box is selected by default. 3. Click Apply.
10. Monitor the Wireless Network and Its Components 10 This chapter includes the following sections: • Common Tasks on the Monitoring Screens • Monitor the Wireless Controller • Monitor the SSIDs • Monitor Local Clients Note: The information that is shown in the figures in this chapter is not always consistent. That is, the information in one figure might be for a different network configuration than the information in another figure.
ProSAFE Wireless Controller WC9500 Common Tasks on the Monitoring Screens The monitoring screens display read-only status information of the network that is managed by the wireless controller. The following sections describe common tasks that you can perform on many monitoring screens. Sort a Table You can sort a table on any column header that has a double triangle icon or single triangle icon placed to the right of it.
ProSAFE Wireless Controller WC9500 • To save the information that is shown onscreen: a. Click Export. b. Follow the directions of your browser to save the alerts or events to your computer. Note: The Location button that is shown on some screens is not functional in this release. The location functionality will be added in a later release. Monitor the Wireless Controller You can view a summary of the status of the wireless controller and its components and view individual components: • Summary.
ProSAFE Wireless Controller WC9500 The following table describes the fields of the Network Status, Wireless Clients, Most Active APs, Most Active Clients and Most Active SSIDs tables of the screen. The Controller Info section is self-explanatory. Item Description Network Status Total Alarms Up The total number of managed devices that are running correctly. Down The total number of managed devices that cannot be pinged.
ProSAFE Wireless Controller WC9500 Item Description Most Active SSIDs For the most active SSIDs, the following information displays: SSID The name of the wireless network SSID. Clients The number of clients that are using the SSID. View Wireless Controller Usage The screen displays graphics that show the access point usage, SSID usage, and number of clients on the wireless controller. Note: Adobe Flash player 10 or later is required to display the graphics.
ProSAFE Wireless Controller WC9500 Data for the 2.4 GHz network (for the combined 802.11b-, 802.11bg-, and 802.11ng-modes) is shown in purple; data for the 5 GHz network (for the combined 802.11a- and 802.11na-modes) is shown in green. The screen shows the following graphs: • AP Usage. Displays the 2.4 GHz and 5 GHz traffic usage in MB for access points. • SSID Usage. Displays the 2.4 GHz and 5 GHz traffic usage in MB for SSIDs. • Number of Clients.
ProSAFE Wireless Controller WC9500 The following table describes the fields of the Access Point table: Item Description Select The radio button that lets you select the access point. Status The status of the access point (healthy or down). Name The name of the access point (see Edit Access Point Information on the Managed AP List on page 101). Model The model of the access point (WNAP210, WNAP320, WNDAP350, WNDAP360, or WNDAP380R). MAC The MAC address of the access point.
ProSAFE Wireless Controller WC9500 Item Description 2.4/5 GHz Channel The active 2.4 GHz or 5 GHz channel on the access point. This information can change after initial configuration of the access point because of automatic channel allocation. The color coding specifies the channel utilization on each radio and has the following meaning: • Green. 0–40 percent utilization. • Light green. 41–60 percent utilization. • Orange. 61–80 percent utilization. • Red. 81–100 percent utilization. • NA.
ProSAFE Wireless Controller WC9500 The following table describes the fields of the AP Details screen: Item Description AP Info This information is self-explanatory. Profile Info For each security profile that is configured on the selected access point, the following information displays: Type The type of profile (802.11b/bg/ng or 802.11a/na). SSID The wireless network SSID for the security profile. Security The security mode (Open, WEP, WPA, WPA2, or WPA/WPA2) for the security profile.
ProSAFE Wireless Controller WC9500 Item Description SSID The wireless network SSID that the wireless client is using to connect to the access point. Security The security mode that the wireless client is using to connect to the access point (Open, WEP, WPA, WPA2, or WPA/WPA2).
ProSAFE Wireless Controller WC9500 Because this screen is a wide screen, it is shown in the following two figures: Monitor the Wireless Network and Its Components 181
ProSAFE Wireless Controller WC9500 The following table describes the fields of the Clients table: Item Description Select The radio button that lets you select the client. MAC The MAC address of the wireless client. IP The IP address of the wireless client. Note the following: • If clients and the access point to which they are connected are in the same VLAN, all receive an IP address from the same DHCP server.
ProSAFE Wireless Controller WC9500 The Client Details pop-up screen displays: The following table describes the fields of the Client Details screen: Item Description MAC The MAC address of the wireless client. Access Point The name of the access point to which the wireless client is connected. BSSID The MAC address of the access point’s radio to which the wireless client is connected. SSID The wireless network SSID that the wireless client is using to connect to the access point.
ProSAFE Wireless Controller WC9500 Item Description Tx Bytes The number of bytes that the wireless client transmitted. Rx Rate The receive rate in Mbps of the wireless client. Rx Bytes The number of bytes that the wireless client received. Tx Packets The number of packets that the wireless client transmitted. Rx Packets The number of packets that the wireless client received. 5. Click Cancel. The Client Details screen closes, and the Clients screen displays again.
ProSAFE Wireless Controller WC9500 Item Description RSSI The received signal strength indicator (RSSI) of the neighboring client. Rogue Shows whether or not (Yes or No) the neighboring client is connected to a rogue access point. View Neighboring Access Points Detected by the Wireless Controller The Rogue AP screen lets you monitor the access points that the wireless controller detected but that are not managed by the wireless controller.
ProSAFE Wireless Controller WC9500 View Security Profiles Managed by the Wireless Controller The Profiles screen lets you monitor all security profiles on the access points that are managed by the wireless controller. To view the Profiles screen: Select Monitor > Controller > Profiles. The following table describes the fields of the Profiles table: Item Description SSID The wireless network SSID for the security profile. Profile Name The name of the security profile.
ProSAFE Wireless Controller WC9500 View DHCP Leases Provided by the Wireless Controller The DHCP Leases screen displays the current DHCP clients that have been allocated IP addresses by the DHCP server on the wireless controller. To view the DHCP Leases screen: Select Monitor > Controller > DHCP Lease. The following table describes the fields of the DHCP Leases table: Item Description Host Name The host name of the DHCP client. IP The IP address that is allocated to the DHCP client.
ProSAFE Wireless Controller WC9500 View Captive Portal Users Managed by the Wireless Controller The Captive Portal Users screen displays the current guests and users that are logged in to a captive portal on the access points that are managed by the wireless controller. To view the Captive Portal Users screen: Select Monitor > Controller > Captive Portal Users. The following table describes the fields of the Captive Portal Users table: Item Description User Name The login name of the user.
ProSAFE Wireless Controller WC9500 The SSID Mapping screen displays: 2. From the Active SSID present menu, select an SSID. The Active SSID table for the selected SSID displays.
ProSAFE Wireless Controller WC9500 The following table describes the fields of the Active SSID table with access points: Item Description Select The radio button that lets you select the access point. Location The location of the access point (see Edit Access Point Information on the Managed AP List on page 101). Name The name of the access point (see Edit Access Point Information on the Managed AP List on page 101). Status The status of the access point (healthy or down).
ProSAFE Wireless Controller WC9500 The AP Details pop-up screen displays. Because this is a tall screen that you need to scroll through, it is shown in the following two figures: The following table describes the fields of the AP Details screen: Item Description AP Info This information is self-explanatory.
ProSAFE Wireless Controller WC9500 Item Description Profile Info For each security profile that is configured on the selected access point, the following information displays: Type The type of profile (802.11b/bg/ng or 802.11a/na). SSID The wireless network SSID for the security profile. Security The security mode (Open, WEP, WPA, WPA2, or WPA/WPA2) for the security profile. VLAN The VLAN ID or VLAN name for the security profile.
ProSAFE Wireless Controller WC9500 Monitor Local Clients You can monitor the clients that have been accepted into the wireless network. Note: Although the web management interface provides a Blacklisted Clients submenu link, monitoring of blacklisted clients is not supported. Monitoring of blacklisted clients will be supported in a future release.
ProSAFE Wireless Controller WC9500 The following table describes the fields of the Clients table on the Local Client List screen: Item Description Select The radio button that lets you select the client. MAC The MAC address of the wireless client. IP The IP address of the wireless client. Location The location of the access point (see Edit Access Point Information on the Managed AP List on page 101) to which the wireless client is connected.
ProSAFE Wireless Controller WC9500 Item Description Building The building designation is always Building-1. Floor The floor designation is always Floor-1. SSID The wireless network SSID that the wireless client is using to connect to the access point. Security The security mode (Open, WEP, WPA, WPA2, or WPA/WPA2) that the wireless client is using to connect to the access point. 2. (Optional) To see details about a client: a.
ProSAFE Wireless Controller WC9500 Item Description Frequency The channel frequency that the wireless client is using to connect to the access point. Auth The security mode that the wireless client is using to connect to the access point (Open, WEP, WPA, WPA2, or WPA/WPA2). Client Type The wireless mode that the wireless client is using to connect to the access point (802.11ng, 802.11 bg, 802.11 b, 802.11na, or 802.11 a).
11.
ProSAFE Wireless Controller WC9500 Troubleshoot Basic Functioning After you turn on power to the wireless controller, the following sequence of events should occur: 1. When power is first applied, verify that the Power LED is lit green and that the Status LED is lit yellow. 2. After approximately two minutes, verify the following: a. The Status LED is lit green. b. The left Ethernet port LED is lit for any local port that is connected.
ProSAFE Wireless Controller WC9500 Ethernet Port LEDs Are Not Lit If the Ethernet LEDs do not light when the Ethernet connection is made, check the following: • Make sure that the Ethernet cable connections are secure at the wireless controller and at the hub, switch, or router. • Make sure that power is turned on to the connected hub, switch, or router. • Be sure that you are using the correct cables.
ProSAFE Wireless Controller WC9500 If you do not want to revert to the factory default settings and lose your configuration settings, you could use one of the following methods to discover the IP address of the wireless controller: - Reboot the wireless controller and use a sniffer to capture packets sent during the reboot. Look at the ARP packets to locate the wireless controller’s LAN interface address.
ProSAFE Wireless Controller WC9500 2. In the field provided, type ping followed by the IP address of the wireless controller, as in this example: ping 192.168.0.250 3. Click OK.
ProSAFE Wireless Controller WC9500 Problems with Date and Time The Time Settings screen displays the current date and time of day (see Manage the Time Settings on page 48). The wireless controller uses the Network Time Protocol (NTP) to obtain the current time from one of several network time servers on the Internet. Each entry in the log is stamped with the date and time of day. When the date shown is January 1, 2000, the wireless controller has not yet successfully reached a network time server.
ProSAFE Wireless Controller WC9500 Connection Problems When an access point is converted from standalone AP mode to managed AP mode, its static IP address is changed to an IP address that is issued by the DHCP server, either one in the network or one that is configured on the wireless controller. This occurs to ensure that each managed access point has a unique IP address.
ProSAFE Wireless Controller WC9500 2. In the Ping Count field, enter the number of ping packets to be sent. The default number is 10. 3. From the Access Point menu, select the access point to be pinged. After you have made your selection, the IP address of the access point displays in the IP Address field. 4. Click Start. The results are shown in the Ping Result field. To trace a route to an access point: 1. Select Diagnostics > Trace Route. The Trace Route screen displays (see the following figure). 2.
A.
ProSAFE Wireless Controller WC9500 Factory Default Settings You can restore the wireless controller to its factory default settings on the Reboot/Reset Controllers screen (see Reboot or Reset the Wireless Controller on page 156) or by using the Reset button on the front panel (see Use the Reset Button to Restore Default Settings on page 201). The wireless controller returns to the factory configuration settings that are shown in the following table: Table 4.
ProSAFE Wireless Controller WC9500 Table 5. Technical and physical specifications (continued) Feature Default Setting Storage temperatures –20° to 70°C (–4° to 158°F) Storage humidity 95% maximum relative humidity, noncondensing Major regulatory compliance CCC Note: For more information, see the ProSAFE Wireless Controller WC9500 data sheet at http://support.netgear.com/product/WC9500. Password Requirements The following table lists the password requirements. Table 6.
ProSAFE Wireless Controller WC9500 Table 6. Password requirements (continued) Web Management Interface Path Basic profile: User Type or Data Encryption 2. Select a profile. 3. Make a selection from the Network Authentication menu. WPA-PSK Section in This Manual Allowed Characters Length Hexadecimal 10 fixed 128-bit WEP Hexadecimal 26 fixed 152-bit WEP Hexadecimal 32 fixed TKIP Alphanumerics and Up to 63 special characters, excluding quotes Shared Key 64-bit WEP 1.
Index viewing on the managed access point 180, 192 viewing on the wireless controller 185 standalone mode autodiscovery 96 returning to 104 supported models 15 tracing a route 204 troubleshooting 202 Tx power automatically controlling 141, 143 manually controlling 133, 137 overriding 131, 135 viewing on the wireless controller 177 security profiles 179, 192 statistics 180, 192 VLAN settings 103 access, remote 157 accounts, captive portal 116 active SSIDs, viewing 190 active voice calls, preventing channel a
ProSAFE Wireless Controller WC9500 channel width 130, 134 classify rogue access points 109 client separation 69, 75 client VLANs 24, 27 clients, DHCP 103 clients, viewing in the network 194 neighboring in the network 184 on the access point 179, 192 on the wireless controller 174, 182 clients, wireless, maximum number 147 color coding, channels 178 community names, SNMP 158 compliance, regulatory 207 configuration roadmaps 42–44 configuration, backing up and restoring 152–153 connection problems, troublesh
ProSAFE Wireless Controller WC9500 discovering access points 91 discovery problems, troubleshooting 202 DNS servers 50 DTIM (delivery traffic indication message) interval 131, 135 dual-band access points 15, 21, 64, 149 healing, WLAN 140 high traffic load, preventing channel allocation 139 hotspot users 111 humidity, operating and storage 206 E interference sources 23 internal antenna 103 internal authentication server 88 internal RADIUS server 85 inventory, licenses 165 IP addresses access points 103 D
ProSAFE Wireless Controller WC9500 number and types required 18 registering 54–57 load balancing 147 load balancing logs, viewing and saving 164 local access points 91, 98, 101 location, placement wireless controller 45 logs configuring 58 viewing and saving 159 ports and slots 11 Power LED described 12 troubleshooting 198 power supplies 14 preamble type 131, 135 preventing channel allocation 139 product label 14 profile groups. See access point profile groups. advanced profile groups.
ProSAFE Wireless Controller WC9500 rogue access points detecting and managing 108 viewing on the managed access point 180, 192 on the wireless controller 174, 185 RSSI (received signal strength indication) 148 RTS threshold 130, 134 system logs, viewing and saving 159 system planning 23 T tagged VLANs 49 TCP/IP network, troubleshooting 200 technical specifications 206 technical support 2 temperatures, operating and storage 206 Temporal Key Integrity Protocol (TKIP) 79 TFTP server, firmware upgrade 154 ti
ProSAFE Wireless Controller WC9500 untagged VLANs 49, 103 upgrading firmware, wireless controller 153 USB port 12 users, managing 116 WLAN healing 140 WMM (Wi-Fi multimedia) 144 WNAP210, WNAP320, WNDAP350, WNDAP360, and WNDAP380R 15 WPA and WPA2 authentication 79–80 WPA passphrase requirements 207 V VAR information, licenses 56 video QoS queue 144 VLANs 49 clients 24, 27 DHCP server 52 management 23, 27 security profiles 69, 75 settings, access points 103 untagged 49, 103 voice calls, preventing channel
