User Guide

Manuals Brands NETGEAR Manuals Other WFS709TP-100NAS

Table Of Contents

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
Contents
About This Manual
- Conventions, Formats, and Scope
- How to Use This Manual
- How to Print this Manual
- Revision History
Chapter 1 Overview of the WFS709TP
- WFS709TP System Components
- Basic WLAN Configuration
- Wireless Client Access to the WLAN
- Configuring and Managing the WFS709TP
  - Tools
Chapter 2 Deploying a Basic WFS709TP System
- Configuration Overview
- Configuring the WFS709TP
- Deploying APs
- Additional Configuration
Chapter 3 Configuring Network Parameters
- Configuring VLANs
  - Assigning a Static Address to a VLAN
  - Configuring a VLAN to Receive a Dynamic Address
- Configuring Static Routes
- Configuring the Loopback IP Address
Chapter 4 RF Plan
- RF Plan Overview
- Before You Begin
  - Task Overview
  - Planning Requirements
- Using RF Plan
- RF Plan Example
Chapter 5 Configuring WLANS
- Before You Begin
  - Determine the Authentication Method
  - Determine the Default VLAN
- Basic WLAN Configuration in the Browser Interface
  - Example Configuration
- Advanced WLAN Configuration in the Browser Interface
- IntelliFi RF Management
Chapter 6 Configuring AAA Servers
- Configuring an External RADIUS Server
- Adding Users to the Internal Database
- Configuring Authentication Timers
Chapter 7 Configuring 802.1x Authentication
- 802.1x Authentication
  - Authentication with a RADIUS Server
  - Authentication Terminated on WFS709TP
- Configuring 802.1x Authentication
  - 802.1x Authentication Page
- Advanced Configuration Options for 802.1x
Chapter 8 Configuring the Captive Portal
- Overview of Captive Portal Functions
- Configuring Captive Portal
- Configuring Advanced Captive Portal Options
- Configuring the AAA Server for Captive Portal
  - Changing the Protocol to HTTP
- Personalizing the Captive Portal Page
Chapter 9 Configuring MAC-Based Authentication
- Configuring the WFS709TP
- Configuring Users
Chapter 10 Adding Local WFS709TPs
- Moving to a Multi-Switch Environment
- Configuring Local WFS709TPs
Chapter 11 Configuring Redundancy
- Virtual Router Redundancy Protocol
- Redundancy Configuration
Chapter 12 Configuring Wireless Intrusion Protection
- Rogue/Interfering AP Detection
- Misconfigured AP Detection
  - Configuring Misconfigured AP Protection
Chapter 13 Configuring Management Utilities
- Configuring Management Users
- Configuring SNMP
- Creating Guest Accounts
- Managing Files on the WFS709TP
- Installing a Server Certificate
Chapter 14 Configuring WFS709TP for Voice
- Voice over IP Proxy ARP
- Battery Boost
- Limiting the Number of Active Voice Calls
- WPA Fast Handover
Appendix A Configuring DHCP with Vendor-Specific Options
- Overview
- Windows-Based DHCP Servers
  - Configuring Option 60
  - Configuring Option 43
- Linux DHCP Servers
Appendix B Windows Client Example Configuration for 802.1x
- Window XP Wireless Client Example Configuration
Appendix C Internal Captive Portal
- Creating a New Internal Web Page
  - Basic HTML Example
- Installing a New Captive Portal Page
- Displaying Authentication Error Message
- Language Customization
- Customizing the Welcome Page
- Customizing the Pop-Up Box
- Customizing the Logged Out Box
Appendix D Related Documents
Index

202-10265-01

June 2007

NETGEAR, Inc.

4500 Great America Parkway

Santa Clara, CA 95054 USA

WFS709TP ProSafe

Smart Wireless Switch

Software Administration

Manual

Summary of content (222 pages)

PAGE 1

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual NETGEAR, Inc.
PAGE 2

© 2007 by NETGEAR, Inc. All rights reserved. Technical Support Please refer to the support information card that shipped with your product. By registering your product at http://www.netgear.com/register, we can provide you with faster expert technical support and timely notices of product and software upgrades. NETGEAR, INC. Support Information Phone: 1-888-NETGEAR, for US & Canada only. For other countries, see your Support information card. E-mail: support@netgear.com North American NETGEAR http://www.
PAGE 3

NOTE: This product's firmware limits operation to only the channels allowed in a particular Region or Country. Therefore, all options described in this user's guide may not be available in your version of the product. United States FCC Class A This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules.
PAGE 4

VCCI - Class A Korea Class A Australia/New Zealand This product complies with AS/NZS CISPR 22 Class A standards. Rest of World This product complies with CISPR 22 Class A standards Lithium Battery Safety Notice This product contains a lithium battery which is replaceable only by a trained technician Caution: The lithium battery may explode if it is incorrectly replaced. A trained technician should replace the battery with the same or equivalent type battery recommended by the manufacturer.
PAGE 5

European Union RoHS Netgear products comply with the EU Restriction of Hazardous Substances Directive 2002/95/EC (RoHS). EU RoHS restricts the use of specific hazardous materials in the manufacture of electrical and electronic equipment. Specifically, restricted materials under the RoHS Directive are Lead (including Solder used in printed circuit assemblies), Cadmium, Mercury, Hexavalent Chromium, and Bromine compounds of PBB and PBDE.
PAGE 6

Product and Publication Details Model Number: WFS709TP Publication Date: June 2007 Product Family: Wireless Product Name: WFS709TP ProSafe Smart Wireless Switch Home or Business Product: Business Language: English Publication Part Number: 202-10265-01 Publication Version Number: 1.0 vi v1.
PAGE 7

Contents About This Manual Conventions, Formats, and Scope .................................................................................. xiii How to Use This Manual ................................................................................................. xiv How to Print this Manual.................................................................................................. xiv Revision History................................................................................................
PAGE 8

WFS709TP ProSafe Smart Wireless Switch Hardware Installation Guide Configure the Switch for the Access Points .............................................................2-8 Configure a VLAN for Network Connection ............................................................2-10 Connect the WFS709TP to the Network ................................................................2-12 Configure the Loopback for the WFS709TP ..........................................................2-13 Deploying APs ..........
PAGE 9

WFS709TP ProSafe Smart Wireless Switch Hardware Installation Guide Create a Building ....................................................................................................4-23 Model the Access Points ........................................................................................4-24 Model the Air Monitors ...........................................................................................4-25 Add and Edit a Floor .................................................................
PAGE 10

WFS709TP ProSafe Smart Wireless Switch Hardware Installation Guide Authentication Terminated on WFS709TP ...............................................................7-3 Configuring 802.1x Authentication ..................................................................................7-4 802.1x Authentication Page .....................................................................................7-5 Advanced Configuration Options for 802.1x ..............................................................
PAGE 11

WFS709TP ProSafe Smart Wireless Switch Hardware Installation Guide Classifying APs ......................................................................................................12-2 Configuring Rogue AP Detection ...........................................................................12-4 Misconfigured AP Detection .........................................................................................12-5 Configuring Misconfigured AP Protection ..................................................
PAGE 12

WFS709TP ProSafe Smart Wireless Switch Hardware Installation Guide Appendix C. Internal Captive Portal Creating a New Internal Web Page ............................................................................... C-1 Basic HTML Example .............................................................................................. C-3 Installing a New Captive Portal Page ............................................................................ C-4 Displaying Authentication Error Message ................
PAGE 13

About This Manual The WFS709TP ProSafe™ Smart Wireless Switch Software Administration Manual describes how to deploy and configure the WFS709TP ProSafe Smart Wireless Switch. It also includes instructions for and examples of commonly used wireless LAN (WLAN) switch configurations such as Virtual Private Networks (VPNs) and redundancy. Conventions, Formats, and Scope The conventions, formats, and scope of this manual are described in the following paragraphs: • • Typographical Conventions.
PAGE 14

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Danger: This is a safety warning. Failure to take heed of this notice may result in personal injury or death. • Scope. This manual is written for the WFS709TP according to these specifications: Product Version WFS709TP ProSafe Smart Wireless Switch Manual Publication Date June 2007 For more information about network amd wireless technologies, see the links to the NETGEAR website in Appendix D, “Related Documents”.
PAGE 15

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Printing from PDF. Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe website at http://www.adobe.com. – Printing a PDF Chapter. Use the PDF of This Chapter link at the top left of any page. – • Click the PDF of This Chapter link at the top left of any page in the chapter you want to print.
PAGE 16

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual xvi About This Manual v1.
PAGE 17

Chapter 1 Overview of the WFS709TP The WFS709TP ProSafe Smart Wireless Switch is a full-featured wireless switch that centrally manages NETGEAR Light access points, delivering integrated wireless mobility, security, and converged services for both wired and wireless users.
PAGE 18

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual You can connect an AP to a WFS709TP either directly with an Ethernet cable or remotely through an IP network. Figure 1-1 shows two APs connected to an WFS709TP. One AP is connected to a switch in the wiring closet that is connected to a router in the data center where the WFS709TP is located. The Ethernet port on the other AP is cabled directly to a port on the WFS709TP.
PAGE 19

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Protocol (DHCP). Once an AP locates its host switch, it automatically builds a secure Generic Routing Encapsulation (GRE) tunnel to it (Figure 1-2). The AP then downloads its firmware and configuration from the switch through the tunnel.
PAGE 20

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual . Wireless clients Floor Netgear AP Wiring closet Internet WFS709TP Data center Figure 1-3 Automatic RF Channel and Power Settings IntelliFi RF Management (IRM) is a radio frequency (RF) resource allocation algorithm that you can enable and configure in the WFS709TP system.
PAGE 21

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual You can also enable WFS709TPs to detect coverage holes, or areas where a good RF signal is not adequately reaching wireless clients. RF Monitoring An AP can function as either a dedicated or shared Air Monitor (AM) to monitor the RF spectrum to detect intrusions, denial of service (DoS) attacks, and other vulnerabilities. A dedicated AM performs monitoring functions exclusively and does not service wireless clients or advertise SSIDs.
PAGE 22

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual WFS709TP switches provide 10/100 Mbps Fast Ethernet, IEEE 802.3af-compliant ports that can provide Power over Ethernet (PoE) to directly connected APs. When you connect a PoE-capable port on the WFS709TP to a PoE-compatible device such as an AP, the port automatically detects the device and provides operating power through the connected Ethernet cable.
PAGE 23

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual . NETGEAR Wireless APs Local WFS709TP Master WFS709TP Local WFS709TP Figure 1-4 Your network can include one master WFS709TP, one or more backup master WFS709TPs, and any number of local WFS709TPs. Master WFS709TPs do not share information with each other, so APs that share roaming tables, security policies, and other configurations should be managed by the same master WFS709TP.
PAGE 24

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual The base configuration software includes the following functions: • Centralized configuration and management of APs • Wireless client authentication to an external authentication server or to the WFS709TP’s local database • Encryption • Mobility with fast roaming • RF management and analysis tools Basic WLAN Configuration You have a wide variety of options for authentication, encryption, access management, and user rights when
PAGE 25

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • IEEE 802.1x. The IEEE 802.1x authentication standard allows for the use of keys that are dynamically generated on a per-user basic (as opposed to a static key that is the same on all devices in the network). Note: The 802.1x standard requires the use of a RADIUS authentication server. Most Lightweight Directory Access Protocol (LDAP) servers do not support 802.1x. With 802.
PAGE 26

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Encryption The Layer 2 encryption option you can select depends upon the authentication method chosen. Table 1-1 lists the authentication methods available, with their corresponding encryption options. Table 1-1. Encryption Options by Authentication Method Authentication Method Encryption Option None Null or Static WEP 802.
PAGE 27

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual VLAN Each authenticated user is placed into a VLAN, which determines the user’s DHCP server, IP address, and Layer 2 connection. While you could place all authenticated wireless users into a single VLAN, the system allows you to group wireless users into separate VLANs. This enables you to differentiate groups of wireless users and their access to network resources.
PAGE 28

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual . VLAN 20 Floor Netgear AP Wiring closet Internet VLAN 20 Data center WFS709TP Figure 1-5 A user is assigned to a VLAN by one of several methods, and there is an order of precedence to these methods.The methods for assignment of VLANs are (from lowest to highest precedence): 1. The VLAN is configured for the AP location. 2.
PAGE 29

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 4. The VLAN is derived from attributes returned by the authentication server (server-derived rule). Within a set of server-derived rules, a rule that derives a specific VLAN takes precedence over a rule that derives a user role that may have a VLAN configured for it. 5. The VLAN is derived from Microsoft Tunnel attributes (Tunnel-Type, Tunnel Medium Type, and Tunnel Private Group ID). All three attributes must be present.
PAGE 30

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual The client determines which AP is best for connecting to the WLAN and attempts to associate with it. During the association exchange, the client and WFS709TP negotiate the data rate, authentication method, and other options. Note: Because an AP connected to a WFS709TP is a Thin AP, all wireless traffic it receives is immediately sent through a GRE tunnel to the WFS709TP.
PAGE 31

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual beyond the authentication process; to ensure privacy of user data, some form of link-layer encryption (such as WEP or WPA-PSK) should be used when sensitive data will be sent over the wireless network.
PAGE 32

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Configuring and Managing the WFS709TP The browser interface allows you to configure and manage WFS709TPs. The browser interface is accessible through a standard web browser from a remote management console or workstation. Before you can use the management interface from a remote console or workstation, you must configure the WFS709TP with an IP address and default gateway and connect it to your network.
PAGE 33

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual When you connect to the WFS709TP using the browser interface, the system displays the login page (Figure 1-6). Log in using the administrator user account. The password does not display. Figure 1-6 When you are logged in, the browser window shows the default Monitor Summary page (Figure 1-7).
PAGE 34

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • When you select a tab, the tool and its available pages appear in the navigation pane. You can navigate to any of the listed pages by clicking on the page name. Note: Some of the items in the listed pages are merely headings for their subpages and cannot be selected. Selectable pages become highlighted when you place the cursor over them. Non-selectable items do not react.
PAGE 35

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 1-3 describes the Basic Configuration pages in the browser interface. Table 1-3. Configuration Pages (Basic) Page Description WLAN These pages allow you to configure an SSID and related WLAN options. Security These pages allow you to configure the security Profile for Rogue AP detection. Network These pages allow you to configure ports, VLANs, IP interfaces, and DHCPrelated information.
PAGE 36

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 1-20 Overview of the WFS709TP v1.
PAGE 37

Chapter 2 Deploying a Basic WFS709TP System This chapter describes how to connect a WFS709TP ProSafe Smart Wireless Switch and access points (APs) to your wired network.
PAGE 38

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Set the IP address of VLAN 1. • Set the default gateway to the IP address of the interface of the upstream router to which you will connect the WFS709TP. 2. Connect the uplink port on the WFS709TP to the switch or router interface. By default, all ports on the WFS709TP are access ports and will carry traffic for a single VLAN. 3. Deploy the APs. The APs will use the ADP protocol to locate the WFS709TP.
PAGE 39

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 2-2 shows a deployment scenario where the APs and the WFS709TP are on different subnetworks and the APs are on multiple subnetworks. The WFS709TP acts as a router for the wireless user subnetworks. (It is the default gateway for the wireless clients.) The uplink port on the WFS709TP is connected to a Layer 2 switch or router; this port is an access port in VLAN 1. You need to perform the following tasks: 1.
PAGE 40

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Deployment Scenario #3 Floor 3 subnet Floor 2 subnet Floor 1 subnet Data center Trunk port carries client traffic Router is default gateway for WFS709TP and clients Figure 2-3 In this deployment scenario (Figure 2-3), the APs and the WFS709TP are on different subnetworks and the APs are on multiple subnetworks, with routers between the APs and the WFS709TP.
PAGE 41

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual You need to perform the following tasks: 1. Run the initial setup (see“Run the Initial Setup” on page 2-6). • Use the default IP address for VLAN 1. Since VLAN 1 is not used to connect to the Layer 2 switch or router through the trunk port, you need to configure the appropriate VLAN in a later step. • Do not specify a default gateway (use the default “none”). In a later step, you configure the default gateway. 2.
PAGE 42

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 2. (“Deployment Scenario #3” only) Configure a VLAN to connect the WFS709TP to your network. Note: You do not need to perform this step if you are using VLAN 1 to connect the WFS709TP to the wired network. 3. Connect the ports on the WFS709TP to your network. 4. (Optional) Configure a loopback address for the WFS709TP. Note: You do not need to perform this step if you are using the VLAN 1 IP address as the WFS709TP’s IP address.
PAGE 43

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual To run the initial setup: 1. Connect the WFS709TP Smart Wireless Switch to your computer. a. Unpack the box and verify the contents. b. Prepare a PC with an Ethernet adapter. If this PC is already part of your network, record its TCP/IP configuration settings. Configure the PC with a static IP address of 192.168.0.200. c. Connect an Ethernet cable to the PC. d.
PAGE 44

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • • Master (if this will be the only switch on the network) • Local (if this will be managed by a master switch) Country code. The two-letter code for the country in which the switch will operate from the drop-down menu. This determines the 802.11 wireless transmission spectrum. You are responsible for assigning the correct country code and for changing it if the switch is moved to another country.
PAGE 45

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 2-5 c. In the Configuration UI, click the Configuration tab>Advanced option>DHCP Server, then enter the information to configure the DHCP server. (Figure 2-6) Figure 2-6 Connect the access points directly to the switch using an Ethernet cable to one of the Fast Ethernet Ports on the switch (this does not need to be the final installation location for the access points).
PAGE 46

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Configure a VLAN for Network Connection Follow the instructions in this section only if you need to configure a trunk port between the WFS709TP and another Layer 2 switch (as in “Deployment Scenario #3” on page 2-4). This section shows how to use the browser interface for the following configurations: • Create a VLAN on the WFS709TP and assign it an IP address.
PAGE 47

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 4. Navigate to the Configuration > Basic > Network > IP Interfaces page (Figure 2-8). Click Edit for the VLAN you just added. Enter the IP address and network mask of the VLAN interface. If required, you can also configure the address of the DHCP server for the VLAN by clicking Add. Figure 2-8 5. Click Apply to apply and save this configuration.
PAGE 48

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 2-9 5. Click Apply. Configure the Default Gateway The following configuration assigns a default gateway for the WFS709TP. 1. Navigate to the Configuration > Advanced > Switch > General > IP Routing page. 2. In the Default Gateway field, enter 10.3.22.1. 3. Click Apply. Connect the WFS709TP to the Network Connect the ports on the WFS709TP to the appropriately configured ports on an L2 switch or router.
PAGE 49

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • If you are using VLAN 1 to connect the WFS709TP to the network (see “Deployment Scenario #1” on page 2-1 and “Deployment Scenario #2” on page 2-2), ping the VLAN 1 IP address from a workstation on the network. • If you created and configured a new VLAN (see “Deployment Scenario #3” on page 2-4), ping the IP address of the new VLAN from a workstation on the network.
PAGE 50

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 2-10 3. Click Apply at the bottom of the page (you may need to scroll down the page). 4. At the top of the page, click Save Configuration. You need to reboot the WFS709TP for the new IP address to take effect. 5. Navigate to the Maintenance > Switch > Reboot Switch page (Figure 2-11). Figure 2-11 6. Click Continue.
PAGE 51

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 3. On the WFS709TP, configure the APs. (See “Configure the Switch for the Access Points” on page 2-8) The following sections describe the steps for these tasks. Enable APs to Connect to the WFS709TP Before you install APs in a network environment, you must ensure that the APs will be able to connect to the WFS709TP when powered on.
PAGE 52

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 2-12 2. Select the Enable DHCP Server checkbox. 3. In the Pool Configuration section, click Add. Figure 2-13 4. On the Add DHCP Pool page, enter information about the subnetwork for which IP addresses are to be assigned (Figure 2-13). Click Done. 5. If there are addresses that should not be assigned in the subnetwork: a. Click Add in the Excluded Address Range section. b.
PAGE 53

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • • From a DHCP server Using the ADPprotocol From a DNS Server. NETGEAR APs are factory-configured to use the host name netgearmaster for the WFS709TP. For the DNS server to resolve this host name to the IP address of the WFS709TP you must configure an entry on the DNS server for the name netgear-master.
PAGE 54

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • If the APs are not in the same broadcast domain as the WFS709TP, you need to enable multicast on the network for the WFS709TP to respond to the AP queries. ADP multicast queries are sent to the IP multicast group address 224.0.82.11. You also need to make sure that all routers are configured to listen for IGMP join requests from the WFS709TP and that they can route these multicast packets.
PAGE 55

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 2-14 2. Select the AP that is to be configured from the list by selecting the checkbox to the left of the AP and then clicking the Provision button. Figure 2-15 3. On the Provision page (Figure 2-15), enter the location code in the format explained at the beginning of this section. 4. Enter the antenna gain in dBi (for example, enter 5.0).
PAGE 56

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Additional Configuration After you have installed a basic WFS709TP system, the APs advertise the default netgear-ap SSID. Wireless users can connect to this SSID, but because you have not yet configured authentication, policies, or user roles, they will not have access to the network.
PAGE 57

Chapter 3 Configuring Network Parameters This chapter describes basic network configuration on the WFS709TP ProSafe Smart Wireless Switch. It includes the following topics: • “Configuring VLANs” on page 3-1 • “Configuring Static Routes” on page 3-5 • “Configuring the Loopback IP Address” on page 3-6 Configuring VLANs The WFS709TP ProSafe Smart Wireless Switch operates as a Layer 2 switch that uses a VLAN as a broadcast domain.
PAGE 58

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 3. On the Add New VLAN screen (Figure 3-1), enter the VLAN ID. Figure 3-1 4. To add physical ports to the VLAN, click Add in the VLAN Members section, then select the port to add to the VLAN. • You can specify whether the port uses 802.1q tagging. • For ports that use 802.1q tagging, you can also specify whether the VLAN is the native VLAN for the port (frames on the native VLAN are not tagged). 5. Click Add. 6. Click Apply.
PAGE 59

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 3. Enter the IP address and network mask of the VLAN interface. If required, you can also configure the address of the DHCP server for the VLAN by clicking Add. Figure 3-2 4. Click Apply. Configuring a VLAN to Receive a Dynamic Address A VLAN on the WFS709TP obtains its IP address in one of the following ways: • Manually configured by the network administrator.
PAGE 60

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual To allow the WFS709TP to obtain a dynamic IP address for a VLAN, you enable the DHCP client on the WFS709TP for the VLAN. The following restrictions apply when enabling DHCP on the WFS709TP: • You can enable the DHCP client on only one VLAN on the WFS709TP; this VLAN cannot be VLAN 1. • Only one port in the VLAN can be connected to the modem or uplink switch.
PAGE 61

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual For example, the following steps configure the DHCP server on the WFS709TP to assign addresses to authenticated employees; the IP address of the DNS server obtained by the WFS709TP via DHCP is provided to clients along with their IP address. 1. Navigate to the Configuration > Advanced > Switch > General > DHCP Server page. 2. Select Enable DCHP Server. 3. Under Pool Configuration, select Add. 4. For Pool Name, enter employee-pool. 5.
PAGE 62

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 3. Click Done to add the entry. Note: The route has not yet been added to the routing table. 4. Click Apply to add this route to the routing table. The message Configuration Updated Successfully confirms that the route has been added. Configuring the Loopback IP Address The loopback IP address is a logical IP interface that is used by the WFS709TP to communicate with APs.
PAGE 63

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 1. Navigate to the Configuration > Advanced > Switch > General page on the browser interface (Figure 3-5). Figure 3-5 2. Modify the loopback IP address in the Loopback Interface section on this page as required. Click Apply to apply this configuration. Warning: If you are using the loopback IP address to access the browser interface, changing the loopback IP address will result in loss of connectivity.
PAGE 64

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 3-8 Configuring Network Parameters v1.
PAGE 65

Chapter 4 RF Plan RF Plan is a built-in wireless deployment modeling tool that enables you to design an efficient wireless local area network (WLAN) for your corporate environment, optimizing coverage and performance, and eliminating complicated WLAN network setup.
PAGE 66

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Before You Begin Before you use RF Plan, review the following steps to create a building model and plan the WLAN for the model. Task Overview 1. Gather information about your building’s dimensions and floor plan. 2. Determine the level of coverage you want for your APs and AMs. 3. Create a new building and add its dimensions. 4. Enter the parameters of your AP coverage. 5. Enter the parameters of your AM coverage. 6.
PAGE 67

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Use a worksheet similar to the following to collect your information: Table 4-1. Building Dimensions Height: Width: Number of Floors: User Information Number of Users: Users per AP: Radio Types: Overlap Factor: AP Desired Rates 802.11b|g: 802.11a: AM Desired Rates 802.11b|g: 802.11a: Don’t Care/Don’t Deploy Areas: Using RF Plan This section describes how to use RF Plan and how to enter information in RF Plan pages.
PAGE 68

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Building List Page Building List is the first page you see when you start RF Plan. This list contains all the buildings you have defined using the RF Plan tool. The first time you run the application, there are no buildings in the list. You can add, edit, and delete buildings using this page. You can also import and export building information. This page includes the following buttons: • New Building.
PAGE 69

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 4-2 The Overview page includes the following: • Building Dimensions. Your building’s name and dimensions • Access Point Modeling Parameters. • Air Monitor Modeling Parameters. • Building Dimensions button (in the upper right of the page). Click this button to edit the building dimensions settings. There are several ways you can navigate through RF Plan pages when you create or edit information for a building.
PAGE 70

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 4-3 Enter the following information: • Building ID. The valid range for this field is any integer from 1 to 255. • Building Name. The Building Name is an alphanumeric string up to 64 characters in length. • Width and Length. Enter the rectangular exterior dimensions of the building. The valid range for this field is any integer from 1 to a value corresponding to 1x1012.
PAGE 71

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual When width and length are specified, RF Plan creates a rectangular area in the Planning feature pages that represent the overall area covered by the building. You need to import an appropriate background image (“Floor Editor Dialog Box” on page 4-12) to aid you in defining areas that don’t require coverage or areas in which you do not wish to deploy APs and AMs (“Area Editor Dialog Box” on page 4-13). • Inter-Floor Height.
PAGE 72

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Design Model. Use these radio buttons to specify which design model to use in the placement of APs. • Users. Use this field to specify the number of users on your WLAN. • Rates. Use this pull-down to specify the data rates desired on APs. Radio Type Specify the radio type or types of your APs using the pull-down Radio Type menu. Available Radio Type choices are: • 801.11a.
PAGE 73

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Users Note: The Users text boxes are active only when the Capacity model is selected. • Enter the number of users you expect to have on your WLAN in the Users text box. • Enter the number of users per AP you expect in the Users/AP text box. The numbers entered in the these two text boxes must be non-zero integers between 1 and 255, inclusive.
PAGE 74

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Design Model. Use these radio buttons to specify a design model to use in the placement of AMs. • Monitor Rate. Use this pull-down menu to specify the desired monitor rate for the AMs. • AMs. Use this field to manually specify the number of AMs to deploy (Custom Model only). Design Model Two radio buttons on the page allow you to specify the model used to determine the number and type of AMs. • Coverage.
PAGE 75

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 4-7 You can select or adjust the following features, which are described in more detail in this section: • Zoom. Use this pull-down menu or type a zoom factor in the text field to increase or decrease the size of the displayed floor area. • Approximate Coverage Map. Use this pull-down to select a particular radio type for which to show estimated coverage. • Coverage Rate.
PAGE 76

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Coverage Select a radio type from the Coverage pull-down menu to view the approximate coverage area for each of the APs that RF Plan has deployed in the AP Plan or AM Plan (Figure 4-8). Adjusting the Coverage values help you to understand how the AP coverage works in your building. Note: You will not see coverage areas displayed here until you have executed either an AP Plan or an AM Plan.
PAGE 77

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 4-9 Naming. You can name the floor anything you choose as long as the name is an alphanumeric string with a maximum length of 64 characters. The name you specify appears to the right of the Floor Number displayed above the background image in the Planning view. Background Images. You can import a background floor plan image into RF Plan for each floor.
PAGE 78

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 4-10 Naming. You can name an area using an alphanumeric string of characters with a maximum length of 64 characters. Give areas meaningful names so that they are easily identified. Locating and Sizing. Specify absolute coordinates for the lower left corner and upper right corner of the box that represents the area you are defining.
PAGE 79

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Access Point Editor Page The Access Point Editor (Figure 4-13) allows you to manually create or modify a suggested AP. Figure 4-13 Naming. RF Plan automatically names APs using the default convention ap number, where number starts at 1 and increments by one for each new AP. When you manually create an AP, the new AP is assigned the next number and is added to the bottom of the suggested AP list. You can name an AP anything you wish.
PAGE 80

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Fixed. Fixed APs do not move when RF Plan executes the positioning algorithm. Note: You would typically set a fixed AP when you have a specific room, such as a conference room, in which you want saturated coverage. Consider also using fixed APs for areas with unusually high user density. Choose Yes or No from the drop-down menu. Choosing Yes locks the position of the AP as it is shown in the coordinate boxes of the Access Editor.
PAGE 81

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual AP Planning Page The AP Planning page (Figure 4-15) uses the information entered in the modeling pages to locate access points in the buildings you described. Figure 4-15 Initialize Initialize the optimizing algorithm by clicking the Initialize button. This makes an initial placement of the APs and prepares RF Plan for the task of determining the optimum location for each AP.
PAGE 82

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 4-16 Start Click Start to launch the optimizing algorithm. The AP symbols move on the page as RF Plan finds the optimum location for each. The process may take several minutes. You can watch the progress on the status bar of your browser. The algorithm stops when the movement is less than a threshold value calculated based on the number of APs.
PAGE 83

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 4-17 The Suggested Access Points and Air Monitors table (Figure 4-18) lists the coordinates, power, location, power setting, and channel for each of the APs shown in the floor plan. Figure 4-18 AM Planning Page The AM Planning page calculates the optimum placement for the air monitors. Initialize Initialize the algorithm by clicking Initialize.
PAGE 84

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual AMs. To obtain information about a specific AM, place the cursor over its symbol. An information box appears (Figure 4-19), containing information about the AM’s exact location, PHY type, channel, power, and so on. Figure 4-19 The Suggested Access Points and Air Monitors table (Figure 4-20) lists the coordinates, power, location, power setting, and channel for each of the AMs that are shown in the floor plan.
PAGE 85

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 4-21 When exporting a building file, NETGEAR recommends that you select the Include Images checkbox. When you click the Save to a file... button, you are prompted for the location and name for the exported file. Be sure to give the file the.XML file extension, for example, My_Building.XML.
PAGE 86

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual The Deployed Access Points and Air Monitors table displays information on each of these devices. • To add a device, click Add Device. • To delete a device, click Remove Device. • To select a device, click Choose Devices. RF Plan Example This section guides you through the process of creating a building and using RF Plan to populate it with APs and AMs.
PAGE 87

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Create a Building In this section you create a building using the information supplied in the planning summary. 1. Click New Building. The Overview page appears. 2. Click Save. 3. Click Building Dimension. The Specification page appears. 4. Enter the information shown in Table 4-3 into the text boxes (Figure 4-23). Table 4-3.
PAGE 88

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Model the Access Points You now determine how many APs are required to cover your building with a specified data transfer rate and overlap. In this example, you use the Coverage Model. The following assumptions are made about the performance of the WLAN: • Radio Types: a/b/g • Overlap factor: Medium (150%) • 802.11a desired rate: 48 Mbps • 802.11b desired rate: 48 Mbps To model the access points: 1. Select 801.
PAGE 89

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Model the Air Monitors You now determine how many AMs are required to provide a specified monitoring rate. In this example you continue to use the Coverage Model and make the following assumptions: • 802.11 b|g monitor rate: 48 Mbps • 802.11 a monitor rate: 48 Mbps To model the air monitors: 1. Select 24 from the 802.11 b|g Monitor Rate drop-down menu. 2. Select 24 from the 802.11 a Monitor Rate drop-down menu.
PAGE 90

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 2. Type Entrance Level in the Name box of the Floor Editor Dialog. 3. Use the Browse button to locate the background image for the first floor. 4. Click Apply. To add the background image and name the second floor: 1. Click the Edit Floor link at the right of the Floor 2 indicator. 2. Type Second Level in the Name box of the Floor Editor Dialog. 3. Use the Browse button to locate the background image for the second floor. 4. Click Apply.
PAGE 91

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual This example assumes the following: • You do not care if you have coverage in the Shipping and Receiving areas. • You do not want to deploy APs or AMs in the Lobby Area. Create a Don’t Care Area To create a Don’t Care area: 1. Click AP Plan in the Feature Tree at the left side of the browser window.
PAGE 92

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 4-27 8. Click Save. Create a Don’t Deploy Area To create a Don’t Deploy area: 1. Click the New link in the Areas section under Floor 1 to open the Area Editor. 2. Type Lobby in the Name text box in the Area Editor. 3. Select Don’t Deploy from the Type pull-down menu box. 4. Click Apply. An yellow box appears near the center of the floor plan. The information you typed in the editor appears in the box.
PAGE 93

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 6. Drag one corner of the box to a corresponding corner of the lobby and using one of the corner handles of the box, stretch it to fit exactly over the lobby area. Your floor plan with the Don’t Deploy box added should look similar to Figure 4-28. Figure 4-28 7. Click Save. Running the AP Plan In this section you run the algorithm that searches for the best place to put the APs.
PAGE 94

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual The algorithm stops when the movement is less than a threshold value calculated based on the number of APs. The threshold value is displayed in the status bar at the bottom of the browser window. Note: To see the approximate coverage areas of each of the APs, select an AP type from the Approx. Coverage pull-down box and select a rate from the Coverage Rate pull-down box. The result should look similar to Figure 4-29. Figure 4-29 3.
PAGE 95

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 2. Click Save. RF Plan 4-31 v1.
PAGE 96

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 4-32 RF Plan v1.
PAGE 97

Chapter 5 Configuring WLANS This chapter explains how to configure a wireless LAN (WLAN) using the browser interface. It includes the following topics: • “Before You Begin” on page 5-1 • “Basic WLAN Configuration in the Browser Interface” on page 5-4 • “Advanced WLAN Configuration in the Browser Interface” on page 5-9 • “IntelliFi RF Management” on page 5-19 Before You Begin This section describes tasks that you need to do prior to configuring a WLAN.
PAGE 98

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Determine the Authentication Method A user must authenticate to the system in order to access WLAN resources. Table 5-1 describes the types of authentication that you can configure for a WLAN. Table 5-1. Authentication Methods Method Description None (also called open system authentication) This is the default authentication protocol.
PAGE 99

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual The Layer 2 encryption depends upon the authentication method chosen (Table 5-2). Table 5-2. Encryption Options by Authentication Method Authentication Method Encryption Option None Open (Null) or Static WEP 802.
PAGE 100

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual ** Only when the AAA FastConnect feature is enabled and EAP-Generic Token Card (EAP-GTC) is used within the Protected EAP tunnel. See “Configuring 802.1x Authentication” on page 7-4. Determine the Default VLAN Each SSID is linked to a VLAN on the WFS709TP. Successful wireless client association to an AP places the user into the default VLAN specified by the SSID configuration.
PAGE 101

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • You can assign only one VLAN to the SSID. If you need to have multiple VLANs configured for a WLAN, you must configure the SSID using the WLAN Advanced Configuration pages. • The authentication server must be a RADIUS server or the WFS709TP’s internal database. If you specify a RADIUS server, you can configure the server’s IP address, authentication and accounting ports, and shared key.
PAGE 102

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 5-4 describes the options available from the WLAN Basic Configuration page. Table 5-4. WLAN Basic Configuration Parameters Parameter Definition Network Section: Network Name (SSID) A name that uniquely identifies the WLAN. Radio Type The radio type on which this SSID is configured: 802.11a only, 802.11b/ g only, or 802.11a/b/g 802.
PAGE 103

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 5-4. WLAN Basic Configuration Parameters (continued) Parameter Definition Authentication Server Configures the RADIUS authentication server. (Activated only if the authentication requires an authentication server and the server type is RADIUS.) If you have previously configured a RADIUS authentication server, select the server from the drop-down list.
PAGE 104

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Shared Key: radius123 The administrator for the RADIUS server must configure the server to support authentication. The administrator must also configure the server to allow communication with the WFS709TP. To configure the WLAN in the WLAN Basic Configuration page: 1. Navigate to the Configuration > Basic > WLAN page. Enter corpnet for Network Name (SSID). 2. Select 802.11 b/g for Radio Type. 3.
PAGE 105

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 5-2 7. Click Apply. Advanced WLAN Configuration in the Browser Interface The Advanced WLAN configuration pages allow you to configure the following features: • Global SSID and radio parameters that affect all APs in the network • SSID and radio parameters for APs in specific locations in the network The parameters that you configure for global or location-specific SSID and radio configurations are identical.
PAGE 106

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Navigate to the Configuration > Advanced > WLAN > Network > SSID page to add or modify SSIDs. • Navigate to the Configuration > Advanced > WLAN > Network > General page to configure or modify AP parameters. • Navigate to the Configuration > Advanced > WLAN > Radio page to configure radio settings. Configuring Location-Specific Parameters To configure parameters that only affect APs in specific locations in the network: 1.
PAGE 107

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual The SSID configuration page appears. To add or modify an SSID for APs in a specific location in the network: 1. Navigate to the Configuration > Advanced > WLAN > Advanced page (Table 5-3). 2. Click Add to add a new location. 3. Enter a location ID in the format building.floor.plan, where each value is an integer. 4. Click Add. 5. Select the SSID tab to add or modify SSIDs. Figure 5-3 Default SSID The default SSID is netgear-ap.
PAGE 108

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Ignore Broadcast Probe Request. When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls whether or not the system responds for this SSID. When enabled, no response is sent and clients must know the SSID in order to associate to the SSID. When disabled, a probe response frame is sent for this SSID. This setting can also be configured on a per-radio basis in the radio settings pages.
PAGE 109

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 5-4 The General configuration in the Advanced WLAN pages allows you to configure the following settings: • LMS IP and Backup LMS IP. Specifies the local management switch (LMS) that the AP uses in multi-switch networks. The LMS is responsible for terminating user traffic from the APs, processing it, and forwarding it to the wired network.
PAGE 110

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Power Management. Enables power management. • Bootstrap Threshold. Number of heartbeat misses before an AP reboots. • VoIP CAC Disconnect Extra Call. Enables disconnecting of calls that exceed the high capacity threshold. • RF Band. RF band in which the AP should operate: g = 2.4 GHz, a=5GHz. Configuring Radio Settings You can fine-tune radio settings on a per-radio (802.11a or 802.11b/g) basis.
PAGE 111

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 5-5 The radio configuration in the Advanced WLAN pages allow you to configure the following settings: • RTS Threshold. Wireless clients transmitting frames larger than this threshold must issue Request to Send (RTS) and wait for the AP to respond with Clear to Send (CTS).
PAGE 112

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • DTIM Period. Specifies the interval between the sending of Delivery Traffic Indication Messages (DTIMs) in the beacon. This is the maximum number of beacon cycles before unacknowledged network broadcasts are flushed. When using wireless clients that employ power management features to sleep, the client must revive at least once during the DTIM period to receive broadcasts. The default is 2. • Max Clients.
PAGE 113

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual The radio configuration in the Advanced WLAN pages also allow you to configure IntelliFi RF Management (IRM) parameters, which are described in “IntelliFi RF Management” on page 5-19 and voice parameters, which are described in Chapter 14, “Configuring WFS709TP for Voice”. Example Configuration The following example includes: • An 802.11 a/b/g SSID called Corpnet with dynamic WEP. • An 802.11 b/g SSID called Voice with static WEP.
PAGE 114

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 5-7 3. Configure the Guest SSID for location 4.2.6 (Figure 5-8). Add the location 4.2.6. Once the location is added, the location page is opened up with the inherited SSID. Click Add to add a new SSID Guest. Configure the SSID with open system and native VLAN. Figure 5-8 5-18 Configuring WLANS v1.
PAGE 115

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual IntelliFi RF Management IntelliFi RF Management (IRM) is an RF management technology for a stable, self-healing RF design. IRM takes the distributed algorithm approach, allowing APs to determine their transmit power and channel settings based on what they detect. The APs make their channel and power setting decisions based on the RF environment as they hear it, independent of the WFS709TP.
PAGE 116

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • The AP response time to noise is quick and reliable, even to non-802.11 noise, especially when client traffic starts generating errors due to the noise. • Non-802.11 noise detection is disabled by default and must be explicitly enabled. • The IRM algorithm is based on what the AP hears, which means that the system can compensate for scenarios like broken antennas or blocked signal coverage on neighboring APs.
PAGE 117

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 2. Set IRM Assignment to Single Band from the pull-down menu. Note: The Multi Band option is currently unavailable. Selecting Multi Band automatically sets the selection to Single Band 3. Select IRM Scanning to enable scanning on the AP. 4. (Optional) Set the IRM Scan Interval and IRM Scan Time on a per-AP basis These values can be left to the default setting unless they need to be modified for a specific environment. 5.
PAGE 118

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 5-22 Configuring WLANS v1.
PAGE 119

Chapter 6 Configuring AAA Servers You can use an external authentication server or an internal user database to authenticate users who need to access the wireless network. This chapter describes how to configure theWFS709TP ProSafe Smart Wireless Switch to interface with an external Remote Authentication Dial-In User Service (RADIUS) server, and how to add entries into the internal database.
PAGE 120

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 6-1. RADIUS Server Configuration Information Parameter Description Num Retries Maximum number of retries sent to the server by the WFS709TP before the server is marked as down (default is 3) Timeout Maximum time, in seconds, that the WFS709TP waits before timing out the request and resending it (default is 5 seconds NAS Source IP Address Network Access Server (NAS) IP address to send in RADIUS packets.
PAGE 121

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 4. Set the Mode to Enable to activate the authentication server. Note: When you configure a server, you can set the VLAN for users based on attributes returned for the user during authentication. These values take precedence over the default VLAN configured for the user. See “Configuring Authentication Timers” on page 6-4 for more information. 5. Click Apply to apply the configuration.
PAGE 122

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 2. Navigate to the Configuration > Advanced > Security > AAA Servers > Internal Database page. 3. Click Add User in the Users section. The user configuration page displays. 4. Enter the information for the user. 5. Click Enabled to activate this entry on creation. 6. Click Apply to apply the configuration. To edit or delete an internal database entry, click Edit or Delete in the Action column of the entry.
PAGE 123

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 2. Configure the timers as described above. 3. Click Apply before moving on to another page or closing the browser window. Failure to do this results in loss of configuration, and you will have to reconfigure the settings. . Configuring AAA Servers 6-5 v1.
PAGE 124

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 6-6 Configuring AAA Servers v1.
PAGE 125

Chapter 7 Configuring 802.1x Authentication 802.1x is an Institute of Electrical and Electronics Engineers (IEEE) standard that provides an authentication framework for wireless LANs (WLANs). 802.1x uses the Extensible Authentication Protocol (EAP) to exchange messages during the authentication process. The authentication protocols that operate inside the 802.
PAGE 126

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual You can terminate the 802.1x authentication on the WFS709TP. The switch passes user authentication to its internal database or to a “backend” non-802.1x server. This feature, also called AAA FastConnect, is useful for deployments where an 802.1x EAP-compliant RADIUS server is not available or required for authentication.
PAGE 127

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual For the WFS709TP to communicate with the authentication server, you must configure the IP address, authentication port, and accounting port of the server on the WFS709TP. The authentication server must be configured with the IP address of the RADIUS client, which here is the WFS709TP. Both the WFS709TP and the authentication server must be configured to use the same shared secret.
PAGE 128

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual In this scenario, the supplicant must be configured for Protected EAP (PEAP), as the WFS709TP only supports PEAP. PEAP uses Transport Layer Security (TLS) to create an encrypted tunnel. Within the tunnel, one of the following EAP methods is used: • EAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and passwords from client to server.
PAGE 129

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 4. Configure the WLAN, specifying the authentication and encryption that matches the wireless client configuration. 802.1x Authentication Page In the browser interface, you configure 802.1x authentication in the Configuration > Advanced > Security > Authentication Methods > 802.1x Authentication page (Figure 7-3). Figure 7-3 Table 7-1 describes the options on the 802.1x Authentication page: Table 7-1. 802.
PAGE 130

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 7-1. 802.1x Authentication Browser Interface Page Options (continued) Parameter Description Default Enable Opportunistic Key Enables the same pairwise master key (PMK) derived with a Disabled Caching (WPA2) client and an associated AP to be used when the client roams to a new AP. This allows users faster roaming without having to reauthenticate. Make sure that the wireless client (the 802.
PAGE 131

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 7-4 Table 7-2 describes the Advanced Configuration page fields. Table 7-2. Advanced Authentication Fields Field Description Default Authentication Server Timeout Time in seconds after which the authentication server is timed 30 if it fails to respond. Client Response Timeout Time in seconds after which the client is timed out if it fails to respond.
PAGE 132

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 7-2. Advanced Authentication Fields (continued) Field Description Default Multicast Key Rotation Time Interval The time period between each multicast key rotation. 1800 seconds Enable Unicast Key Rotation Enables the rotation of unicast keys. (Many wireless clients do not support this function.) Disabled Unicast Key Rotation Time Interval The time period between each unicast key rotation. 900 seconds Reset 802.
PAGE 133

Chapter 8 Configuring the Captive Portal One of the methods of authentication supported by the WFS709TP ProSafe Smart Wireless Switch is Captive Portal. A Captive Portal presents a web page that requires action on the part of the wireless user before network access is granted. The required action can be simply viewing and agreeing to an acceptable use policy, or entering a user ID and password that must be validated against a database of authorized users.
PAGE 134

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual If an appropriate server certificate is not installed in the WFS709TP, wireless clients that use Captive Portal may see a Security Alert message when logging in (Figure 8-1). Figure 8-1 To prevent this message from appearing on clients, install a valid server certificate as described in “Installing a Server Certificate” on page 13-19. You enable Captive Portal on a per-ESSID basis.
PAGE 135

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual The easiest way to complete these tasks is by using the browser interface Basic WLAN configuration page. Navigating to the Configuration > Basic > WLAN page allows you to configure an ESSID for either Registration Web Page or Captive Portal users. To configure either Registration Web Page or Captive Portal for a single ESSID: 1. Navigate to the Configuration > Basic > WLAN page. 2. Enter the SSID name, for example WLAN-01. 3. Under 802.
PAGE 136

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 8-2 Table 8-1 describes the configuration options on this page. Table 8-1. Captive Portal Authentication Browser Interface Page Options Parameter Description Default Authentication Enabled Enables Captive Portal authentication. Enable Guest Logon Enables Captive Portal logon without authentication. Enable User Logon Enables Captive Portal with authentication of user credentials.
PAGE 137

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 8-1. Captive Portal Authentication Browser Interface Page Options (continued) Parameter Description Default Login Page Location The page that appears for the user logon. This can be set to any URL. /auth /index.html Logon Wait Interval Time range, in seconds, the user will have to wait for the logon 5–10 seconds page to pop up if the CPU load is high. Works in conjunction with the CPU Utilization Threshold.
PAGE 138

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 1. Navigate to the Configuration > Advanced > Security > Authentication Methods > Captive Portal page. 2. For Protocol Type, select http and click Apply. Personalizing the Captive Portal Page You can personalize the following elements on the Captive Portal page: • Captive Portal background • Page text • Acceptance Use Policy To personalize the Captive Portal page: 1.
PAGE 139

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 3. (Optional) Customize the captive portal background text. a. Set the background color in the Custom page background color field. The color code must a hexadecimal value in the format #hhhhhh. b. Click Submit on the bottom on the page. c. To view the background setting, click the View Captive Portal link. This displays the Captive Portal page as it will be seen by users (Figure 8-4). Figure 8-4 4.
PAGE 140

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 8-5 The text you entered appears in a text box when the user clicks the Acceptable Use Policy on the Captive Portal web page. 8-8 Configuring the Captive Portal v1.
PAGE 141

Chapter 9 Configuring MAC-Based Authentication This chapter describes how to configure media access control (MAC) based authentication on the WFS709TP ProSafe Smart Wireless Switch using the browser interface. Use MAC-based authentication to authenticate devices based on their physical MAC address. While not the most secure and scalable method, MAC-based authentication implicitly provides an additional layer of security to authentication devices.
PAGE 142

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 9-1 2. Check the Authentication Enabled checkbox to enable authentication. 3. Configure the authentication servers. This is the authentication server to which the WFS709TP will send authentication requests. a. To add an authentication server, click Add under Choose an Authentication Server. Note: Select the internal database option to use the local database on the WFS709TP for MAC-based authentication. b.
PAGE 143

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 9-2 3. Enter the user information. a. In the User Name field, enter the MAC address of the device to be used, (this is the MACaddress of the physical interface that will be used to access the network). By default, the entry should be in the format xxxxxx. b. Enter the same address in the same format in the Password and Verify Password fields. c. Select the Enabled checkbox to activate the user. 4.
PAGE 144

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 9-4 Configuring MAC-Based Authentication v1.
PAGE 145

Chapter 10 Adding Local WFS709TPs This chapter explains how to expand your network by adding a local WFS709TP ProSafe Smart Wireless Switch to a master WFS709TP configuration. Typically, this is the first expansion of a network with just one WFS709TP (which is a by definition a master switch). This chapter is a basic discussion of creating master-local WFS709TP configurations. More complicated multiswitch configurations are discussed Chapter 11, “Configuring Redundancy”.
PAGE 146

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Configuring Local WFS709TPs A single master WFS709TP configuration can be one WFS709TP or a master redundant configuration with one master WFS709TP and the VRRP redundant backup WFS709TP. This chapter covers migration to both of those scenarios. The steps involved in migrating from a single-switch to a multi-switch WFS709TPenvironment are: 1. Configure the role of the local WFS709TP to local and specify the IP address of the master. 2.
PAGE 147

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Verify connectivity to the master WFS709TP by pinging it from the local WFS709TP. • Ensure that the master WFS709TP recognizes the new WFS709TP as its local WFS709TP. Figure 10-2 The local WFS709TP should be listed with type local in the Monitoring > Network > All WLAN Switches page on the master (see Figure 10-2). It takes about 4–5 minutes for the master and local WFS709TPs to synchronize configurations.
PAGE 148

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 10-3 3. Apply the configuration on the master. Note: To verify that the local WFS709TP has obtained a copy of the global settings, check the local WFS709TP for the global configuration changes made on the master, such as authentication changes and WMS settings. Rebooting APs The configuration changes take effect only after rebooting the affected APs; this allows them to reassociate with the local WFS709TP.
PAGE 149

Chapter 11 Configuring Redundancy This chapter describes the following topics: • • “Virtual Router Redundancy Protocol” on page 11-1 “Redundancy Configuration” on page 11-1 Virtual Router Redundancy Protocol The underlying mechanism for NETGEAR’s redundancy solutions is the Virtual Router Redundancy Protocol (VRRP).
PAGE 150

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Local WFS709TP redundancy refers to providing redundancy for a WFS709TP such that the APs under its control failover to a backup WFS709TP if their master WFS709TPr becomes unavailable. Local WFS709TP redundancy is provided by running VRRP between a pair of WFS709TPs. Note: The two WFS709TPs need to be connected on the same broadcast domain (or Layer 2 connected) for VRRP operation, and both should be running the same firmware version.
PAGE 151

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 11-1. VRRP Parameters for Local WFS709TP Redundancy Expected or Recommended Values Parameter Explanation Virtual Router ID The Virtual Router ID that uniquely Configure this with the same value identifies this VRRP instance. as the VLAN ID for easy administration. Recommended to Advertisement Interval The interval between successive VRRP advertisements sent by the current master.
PAGE 152

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 11-1. VRRP Parameters for Local WFS709TP Redundancy (continued) Parameter Explanation Expected or Recommended Values Admin State Administrative state of the VRRP instance. To start the VRRP instance, change the admin state to UP. VLAN VLAN on which the VRRP protocol Configure this to be the VLAN ID. will run. 4. Configure the values in the respective fields and click Done to enter the values. 5.
PAGE 153

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 3. Enter the parameters shown in Table 11-1. For this topology, the following values are recommended: • Priority: Set the “initially preferred” master to 110 and set the backup master to 100. • Enable pre-emption. • Configure master up time or master state tracking with an add value of 20. 4. Configure the values in the respective fields, then click Done to enter the values. 5.
PAGE 154

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual any one of the local WFS709TPs becomes unavailable, the master takes over the APs controlled by that local WFS709TP for the time that the local WFS709TP remains unavailable. When the local WFS709TP comes back again, it resumes control over the APs. This type of redundant solution is illustrated by Figure 11-2. Note: This solution requires that the master WFS709TP have Layer 2 connectivity to all the local WFS709TPs. Master VLAN 1, 2, ..
PAGE 155

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Virtual IP addresses that have been reserved to be used for the VRRP instances 3. Navigate to the Configuration > Advanced> Switch > General > VRRP page. 4. Enter the parameters shown in Table 11-1. For this topology, the following values are recommended: • Priority: Set the master to 100 and set the local to 110 • Enable pre-emption • Configure master up time or master state tracking on the master with an add value of 20 5.
PAGE 156

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 11-8 Configuring Redundancy v1.
PAGE 157

Chapter 12 Configuring Wireless Intrusion Protection This chapter outlines configuring various wireless intrusion protection features. The topics covered are: • “Rogue/Interfering AP Detection” on page 12-1 • “Misconfigured AP Detection” on page 12-5 Rogue/Interfering AP Detection The most important intrusion protection functionality offered in the WFS709TP ProSafe Smart Wireless Switch system is the ability to classify an access point as either a rogue AP or an interfering AP.
PAGE 158

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Enabling AP Learning AP learning allows the system to classify all newly discovered APs as valid APs. By default, AP learning is not enabled and all newly discovered APs are classified as interfering APs. You can enable or disable AP learning from the browser interface.
PAGE 159

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Valid AP. An AP that is part of the enterprise providing WLAN service. APs that successfully connect to the WFS709TP and load software and configuration should be classified as valid APs. Note: Any client that successfully authenticates with a valid AP and passes encrypted traffic is classified as a valid client. (Encrypted traffic includes encrypted 802.11 frames and unencrypted 802.11 frames that are VPN encrypted.
PAGE 160

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Configuring Rogue AP Detection Follow the steps below to configure the network to detect insecure APs and to classify them as rogue and interfering respectively as defined in the section above. Navigate to the Configuration > Advanced > Security > Rogue AP page on the browser interface of the master WFS709TP (Figure 12-3). Figure 12-3 Table 12-1 explains the fields for this configuration and what it means to select each of them.
PAGE 161

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Note: Use caution when enabling both “Mark Unknown APs as Rogue” and “Disable Users from Connecting to Rogue APs.” If the system is installed in an area where APs from neighboring locations can be detected, these two options will disable all APs in the area. Misconfigured AP Detection If desired, you can specify the valid channels for an AP.
PAGE 162

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 12-6 Configuring Wireless Intrusion Protection v1.
PAGE 163

Chapter 13 Configuring Management Utilities This chapter describes management utilities for a WFS709TP ProSafe Smart Wireless Switch wireless network.
PAGE 164

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Configuring SNMP WFS709TP switches and access points (APs) support versions 1, 2c, and 3 of SNMP for reporting purposes only. SNMP cannot be used for setting values in a WFS709TP system in the current version. SNMP for the WFS709TP Follow the steps below to configure a WFS709TP’s basic SNMP parameters: 1. Configure the host name by navigating to the Configuration > Basic > Management > SNMP page on the browser interface (Figure 13-1).
PAGE 165

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 13-1. Basic WFS709TP SNMP Parameters (continued) Field Description Expected/Recommended Value Read Community Strings Community strings used to authenticate requests for SNMP versions before version 3. These are the community strings that are allowed to access the SNMP data from the WFS709TP (only needed if using SNMP v2c). Enable Trap Generation Enables generation of SNMP traps to configured SNMP trap receivers.
PAGE 166

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 13-2. SNMPv3 User Details (continued) Field Description Expected/Recommended Value Privacy protocol An indication of whether messages This takes the value DES (CBC-DES sent on behalf of this user can be Symmetric Encryption Protocol). protected from disclosure, and if so, the type of privacy protocol being used. Privacy protocol password If messages sent on behalf of this user String password for DES.
PAGE 167

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 1. Navigate to the Configuration > Advanced > WLAN > Network > General page of the master WFS709TP (Figure 13-2). This page includes fields for configuring the SNMP parameters on all access points in the network. Figure 13-2 2. Configure the basic SNMP parameters in the SNMP System Information area. The fields are similar to those for the WFS709TP, and are explained in Table 13-3. Table 13-3.
PAGE 168

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 13-3. Basic Access Point SNMP Parameters (continued) Field Description Expected/Recommended Values Enable SNMP Traps Enables generation of SNMP traps from all Access Points. Refer to “SNMP Traps” on page 13-9 for a complete list of traps that may be generated by access points in the network. Select this option to enable generation of traps. Ensure that at least one trap receiver is configured to complete the traps configuration.
PAGE 169

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 13-4. SNMPv3 Access Point User Details (continued) Field Description Expected/Recommended Values Privacy protocol An indication of whether messages This takes the value DES (CBC-DES sent on behalf of this user can be Symmetric Encryption Protocol). protected from disclosure, and if so, the type of privacy protocol that is used. Privacy protocol password If messages sent on behalf of this user String password for DES.
PAGE 170

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 3. Navigate to Configuration > Advanced > WLAN > Network > SSID to configure the SSID for the added APs (Figure 13-4). Figure 13-4 4. Click the General tab to configure the SNMP parameters for the set of APs (Figure 13-5). Figure 13-5 5. Refer to Table 13-3 and Table 13-4 for the fields to be configured for the set of APs. 6. Click Apply to apply the configuration. 13-8 Configuring Management Utilities v1.
PAGE 171

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual SNMP Traps WFS709TP Traps Table 13-5 lists the key traps generated by the WFS709TP. Table 13-5. WFS709TP SNMP Traps Trap Description Priority Level WFS709TP IP changed The WFS709TP IP has been changed. The WFS709TP IP is Critical either the loopback IP address or the IP address of the VLAN 1 interface (if no loopback IP address is configured).
PAGE 172

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 13-5. WFS709TP SNMP Traps (continued) Trap Description Priority Level Authentication ACL table full The maximum number of ACL entries in the ACL table has been exceeded. The limit is 2048 entries on a WFS709TP. High Power supply failure One of the two possible power supplies in the WFS709TP has Critical failed. Fan failure The fan in the WFS709TP has failed.
PAGE 173

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 13-6. Access Point SNMP Traps (continued) Trap Description Priority Level OUI misconfiguration This trap indicates an error in the Organizationally Unique Identifier (OUI) configuration of an AP. The AP generates the trap and includes its BSSID, the configured SSID, and the location of the AP in the trap. High SSID misconfiguration This trap indicates an error in the SSID configuration of an AP.
PAGE 174

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 13-6. Access Point SNMP Traps (continued) Trap Description Priority Level Frame Bandwidth rate exceeded This trap refers to the event of the bandwidth rate for a station Medium exceeding a configured threshold (High Watermark). Frame low speed rate exceeded This trap refers to the event when the percentage of received and transmitted frames at low speed (less that 5.5Mbps for 802.11b and less that 24 Mbps for 802.
PAGE 175

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 1. Navigate to the Configuration > Advanced > Switch > Management > Logging page on the browser interface (Figure 13-6). Figure 13-6 2. To add a logging server, click Add in the Logging Server section. 3. Click Add to add the logging server to the list of logging servers. Ensure that the syslog server is enabled and configured on this host. 4. Determine if the logging levels are set as required.
PAGE 176

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual In the example shown in Figure 13-7, the logging level of the Authentication and VPN server module is being modified to debugging. Figure 13-7 5. Click Done to make the modification. 6. Click Apply to apply the configuration. Creating Guest Accounts You can create a special administrative login that allows a user, such as a front desk receptionist, to create guest accounts on a browser interface page. To create the user login: 1.
PAGE 177

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 5. For Role, select guest-provisioning from the drop-down list. Figure 13-8 6. Click Apply. When a user logs into the browser interface on the WFS709TP (in a multi-switch system, this must be the master WFS709TP) using the login and password you just created: 1. A special browser interface page is displayed that allows them to create guest accounts in the WFS709TP’s internal database (Figure 13-9). Figure 13-9 2.
PAGE 178

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 3. The user can then define a user name and password for the guest account and configure the expiration for the account. Clicking Apply adds the guest account to the database (Figure 13-11). The user can then disable, delete, or modify the guest account as needed.
PAGE 179

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Note: you cannot copy log files with SCP; the file must be an image, flash, or configuration file. For example, you can copy an OS image file from an SCP server to a system partition on a WFS709TP or copy the startup configuration on a WFS709TP to a file on a TFTP server. You can also store the contents of a WFS709TP’s flash file system to an archive file that you can then copy to an FTP server.
PAGE 180

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 3. Click Copy Backup to enter the Copy Files page where you can select the destination server for the file. 4. Click Apply. To restore the backup file to the flash file system: 1. Navigate to the Maintenance > File > Copy Files page. a. For Source Selection, specify the server to which the flashbackup.tar.gz file was previously copied. b. For Destination Selection, select Flash File System. c. Click Apply. 2.
PAGE 181

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 3. Select the destination to where the file or image is to be copied. 4. Click Apply. Installing a Server Certificate Captive Portal and IEEE 802.1x with AAA FastConnect require that you install a server certificate in the WFS709TP (see “802.1x Authentication” on page 7-1 and “Overview of Captive Portal Functions” on page 8-1).
PAGE 182

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 13-20 Configuring Management Utilities v1.
PAGE 183

Chapter 14 Configuring WFS709TP for Voice This chapter outlines the steps required to configure a WFS709TP ProSafe Smart Wireless Switch for voice devices, including SIP phones and SVP phones. Since voice applications are more vulnerable to delay and jitter, the network infrastructure should be able to prioritize the voice traffic over the data traffic. This chapter also describes voice-related features that you can configure in the WFS709TP operating system.
PAGE 184

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Battery Boost Battery boost converts all multicast traffic to unicast before delivery to the client. This feature is disabled by default. Enabling battery boost on an SSID allows you to set the DTIM interval from 10 to 100, equating to 1,000–10,000 milliseconds.
PAGE 185

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Limiting the Number of Active Voice Calls You can limit the number of active voice calls allowed on a radio. This feature is disabled by default. When the disconnect extra call feature is enabled, the system monitors the number of active voice calls, and if the defined threshold is reached, any new calls are disconnected. The AP denies association requests from a device that is on call. You enable this feature in the WLAN configuration.
PAGE 186

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual WPA Fast Handover In 802.1x authentication, the WPA fast handover feature allows certain WPA clients to use a preauthorized Pairwise Master Key (PMK), significantly reducing handover interruption. Check with the manufacturer of your handset to see if this feature is supported. This feature is disabled by default. Note: This feature supports WPA clients, while opportunistic key caching (also configured in 802.
PAGE 187

Appendix A Configuring DHCP with Vendor-Specific Options A standards-compliant DHCP server can be configured to return the host WFS709TP ProSafe Smart Wireless Switch’s IP address through the Vendor-Specific Option Code (option 43) in the DHCP reply. In the WFS709TP system, this information can allow a NETGEAR access point to automatically discover the IP address of a master WFS709TP for its configuration and management.
PAGE 188

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Windows-Based DHCP Servers Configuring a Microsoft Windows-based DHCP server to send option 43 to the DHCP client on an AP connected to a WFS709TP consists of two tasks: • Configuring Option 60 • Configuring Option 43 Configuring Option 60 The Vendor Class Identifier Code (option 60) identifies and associates a DHCP client with a particular vendor.
PAGE 189

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Configuring Option 43 Option 43 returns the IP address of the master WFS709TP to a DHCP client. This information allows the APs to auto-discover the master WFS709TP and obtain their configuration. To configure option 43 on the Windows DHCP server: 1. On the DHCP server, open the DHCP server administration tool by clicking Start > Administration Tools > DHCP. 2.
PAGE 190

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Option 43 is configured for this DHCP scope. Note that even though you entered the IP address in ASCII text, it displays in binary form (Figure A-2). Figure A-2 Linux DHCP Servers The following code is an example configuration for the Linux dhcpd.conf file. Note: After you enter the configuration, you must restart the DHCP service. option serverip code 43 = ip-address; class "vendor-class" { match option vendor-class-identifier; } .
PAGE 191

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual subnet 10.200.10.0 netmask 255.255.255.0 { default-lease-time 200; max-lease-time 200; option subnet-mask 255.255.255.0; option routers 10.200.10.1; option domain-name-servers 10.4.0.12; option domain-name "vlan10.aa.netgear.com"; subclass "vendor-class" "NetgearAP" { option vendor-class-identifier "NetgearAP"; option serverip 10.200.10.10; } range 10.200.10.200 10.200.10.252; } Configuring DHCP with Vendor-Specific Options v1.
PAGE 192

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual A-6 Configuring DHCP with Vendor-Specific Options v1.
PAGE 193

Appendix B Windows Client Example Configuration for 802.1x This appendix provides an example configuration for a wireless client (the 802.1x supplicant) in a Windows environment. Note: For detailed information about configuring computers in a Windows environment for PEAP-MS-CHAPv2 and EAP-TLS authentication, see the Microsoft document “Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab,” available from Microsoft’s Download Center at http://www.microsoft.com/ downloads.
PAGE 194

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual This screen displays the available wireless networks and the list of preferred networks (Figure B-1). Windows connects to the preferred networks in the order in which they appear. Figure B-1 4. Click the Advanced button to display the Networks to access window (Figure B-2). Figure B-2 This window determines what types of wireless networks the client can access. By default, Windows connects to any type of wireless network.
PAGE 195

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 5. Make sure that the option Computer-to-computer (ad hoc) networks only is not selected, then click Close. 6. In the Wireless Networks tab, click Add to add a wireless network. 7. Click the Association tab to enter the network properties for the ESSID. This tab configures the authentication and encryption used between the wireless client and the WFS709TP system.
PAGE 196

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure B-3 shows the configuration for the ESSID WLAN-01 that uses dynamic WEP. Figure B-3 8. Click the Authentication tab to enter the 802.1x authentication parameters for the ESSID. This tab configures the EAP type used between the wireless client and the authentication server. 9. Configure the following, as shown in Figure B-4: • Select Enable IEEE 802.1x authentication for this network.
PAGE 197

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual . Figure B-4 10. Under EAP type, select Properties to display the Protected EAP Properties window. Configure the client PEAP properties, as shown in Figure B-5: • Select Validate server certificate. This instructs the client to check the validity of the server certificate from an expiration, identity, and trust perspective. • Select the trusted Certification Authority (CA) that can issue server certificates for the network.
PAGE 198

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Select Enable Fast Reconnect to speed up authentication in some cases. Figure B-5 11. Under Select Authentication Method, click Configure to display the EAP-MSCHAPv2 Properties window. Select the option Automatically use my Windows logon name and password, and domain if any (Figure B-6). This option specifies that the user’s Windows logon information is used for authentication to the wireless network.
PAGE 199

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure B-6 Windows Client Example Configuration for 802.1x v1.
PAGE 200

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual B-8 Windows Client Example Configuration for 802.1x v1.
PAGE 201

Appendix C Internal Captive Portal You can customize the default captive portal page through the browser interface, as described in Chapter 8, “Configuring the Captive Portal”.You can also create your own web page to display rather than the default page. This appendix discusses creating and installing a new internal captive portal page and other customizations.
PAGE 202

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
...
A recommended option for the
element is: autocomplete="off" This tells Internet Explorer not to cache form inputs. The form variables can be input using any form control method available such as INPUT, SELECT, TEXTAREA and BUTTON. Example HTML code follows.
PAGE 203

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Recommended Options: None. You must also include an input button: Basic HTML Example PAGE 204
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Installing a New Captive Portal Page You install the captive portal page by using the Maintenance function of the browser interface. Log into the browser interface and navigate to Maintenance > Captive Portal > Upload Custom Login Pages. This page lets you upload your own files to the WFS709TP ProSafe Smart Wireless Switch.
PAGE 205

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual { function createCookie(name,value,days) { if (days) { var date = new Date(); date.setTime(date.getTime()+(days*24*60*60*1000)); var expires = "; expires="+date.toGMTString(); } else var expires = ""; document.cookie = name+"="+value+expires+"; path=/"; } var q = window.location.search; var errmsg = null; if (q && q.length > 1) { q = q.substring(1).split(/[=&]/); for (var i = 0; i < q.
PAGE 206

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual } } if (errmsg && errmsg.length > 0) { errmsg = "
\n" + errmsg + "\n
\n"; document.write(errmsg); } } Language Customization The ability to customize the internal captive portal provides you with a very flexible interface to the captive portal system.
PAGE 207

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 4. Once you have a page you find acceptable, click on View Captive Portal one more time to display your login page. From your browser, choose View->Source or its equivalent. Your system will display the HTML source for the captive portal page. Save this source as a file on your local system. 5. Open the file that you saved using a standard text editor.and make the following changes: a. Fix the character set. The default ...
PAGE 208

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual b. Fix the references: If you have used the built-in preferences, you will need to update the reference for the logo image and the CSS style sheet.
PAGE 209

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual To localize the authentication failure message, replace the following text (it is just a few lines below the tag):

with the script below. You will need to translate the Authentication Failed error message into your local language and add it into the script below where it states localized_msg="...". d. Translate the web page text. Once you have made the changes as above, you only need to translate the rest of the text that appears on the page. The exact text that appears will depend on the WFS709TP settings when you originally viewed the captive portal.
PAGE 211

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual If you require this to be a page on the WFS709TP, you must create you own web page using the charset meta attribute, and upload this page as “content” to the designated WFS709TP. Any required CSS, Client-side Script files, and media files can also be uploaded, however file space is limited. Check the available space using “show memory” under “flash free” and remember to leave ample room for system files.
PAGE 212

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Customizing the Welcome Page Once a user has authenticated to the WFS709TP, they are presented with the welcome page. The default welcome page will depend slightly on your configuration, but will look similar to Figure C-2. Figure C-2 You can customize this welcome page by building your own HTML page and uploading it to the WFS709TP.
PAGE 213

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual { var nameEQ = name + "="; var ca = document.cookie.split(';'); for(var i=0;i < ca.length;i++) { var c = ca[i]; while (c.charAt(0)==' ') c = c.substring(1,c.length); if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length); } return null; } var cookieval = readCookie('url'); if (cookieval.length>0) document.
PAGE 214

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual If you customize the welcome page, then you must also customize the pop-up, box if you want to have one. Customizing the Pop-Up Box Before you can customize the pop-up box, you must customize your welcome page.
PAGE 215

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual These are some common elements to change: • URL: Set the URL to be the name of the pop-up HTML file that you created and uploaded.
PAGE 216

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual <img src=/auth/logout.html width=0 height=0>
You have now logged out.

PAGE 217
Appendix D Related Documents This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product. Document Link Internet Networking and TCP/IP Addressing http://documentation.netgear.com/reference/enu/tcpip/index.htm Wireless Communications http://documentation.netgear.com/reference/enu/wireless/index.htm Preparing a Computer for Network Access http://documentation.netgear.com/reference/enu/wsdhcp/index.
PAGE 218

WFS709TP ProSafe Smart Wireless Switch Hardware Installation Guide D-2 Related Documents v1.
PAGE 219

Index server certificate, 7-4, 8-2, 13-19 servers for, 5-3 types of, 1-8, 5-3 Numbers 802.
PAGE 220

NETGEAR FrameMaker Templates for the Reference Print Manual DTIM (Delivery Traffic Indication Message), 5-12, 5-16, 14-1, 14-2 E EAP (Extensible Authentication Protocol), 1-9, 7-1 encryption and authentication, 1-10 types of, 1-10 G management utilities configuring logging, 13-12 configuring SNMP, 13-2 configuring user roles, 13-1 creating guest accounts, 13-14 manmageing files, 13-16 multi-switch environment, reasons for, 10-1 guest accounts, 13-14 O open system authentication, 1-8 I IGMP (Internet
PAGE 221

NETGEAR FrameMaker Templates for the Reference Print Manual S wireless intrusion protection classifying access points, 12-2 configuring risconfigured AP detection, 12-5 configuring rogue AP detection, 12-4 enabling AP learning, 12-2 server certificate, 8-2, 13-19 server certificates, 7-4 SNMP (Simple Network Management Protocol) access point/air monitor traps, 13-10 configuring for access points, 13-4 configuring for WFS709TP, 13-2 WFS709TP traps, 13-9 WLAN (wireless local area network) advanced configu
PAGE 222

NETGEAR FrameMaker Templates for the Reference Print Manual Index-4 Index v1.