DRAFT 9160 Wireless Gateway User Manual December 21, 2005 ISO 9001 Certified Quality Management System Part No. 8000009.
© Copyright 2005 by Psion Teklogix Inc., Mississauga, Ontario This document and the information it contains is the property of Psion Teklogix Inc., is issued in strict confidence, and is not to be reproduced or copied, in whole or in part, except for the sole purpose of promoting the sale of Psion Teklogix manufactured goods and services. Furthermore, this document is not to be used as a basis for design, manufacture, or sub-contract, or in any manner detrimental to the interests of Psion Teklogix Inc.
Return-To-Factory Warranty Psion Teklogix warrants a return-to-factory warranty for a period of one year. Please contact your local Psion Teklogix office for details. For a list of offices, please refer to Appendix A: “Support Services And Worldwide Offices”. The warranty on Psion Teklogix manufactured equipment does not extend to any product that has been tampered with, altered, or repaired by any person other than an employee of an authorized Psion Teklogix service organization.
TABLE OF CONTENTS

Approvals and Safety Summary

Chapter 1: Introduction
1.1 About This Manual
1.2 Online Help Features, Supported Browsers, And Limitations
1.3 Text Conventions
1.4 Overview Of The 9160 Wireless Gateway
1.5 Features and Benefits
1.5.
2.2.1 Ports
2.2.2 LAN Installation: Overview
2.2.3 LAN Installation: Ethernet
2.2.3.1 Ethernet Cabling
2.2.4 Status Indicators (LEDs)
2.2.5 Connecting A Video Display Terminal
2.3 Changing The Configuration With A Web Browser
4.7 What’s Next?
4.7.1 Make Sure The Access Point Is Connected To The LAN
4.7.2 Test LAN Connectivity With Wireless Clients
4.7.3 Secure And Fine-tune The Access Point Using Advanced Features

Chapter 5: Configuring Basic Settings
5.1 Navigating To Basic Settings
6.6 Removing An Access Point From The Cluster
6.7 Adding An Access Point To A Cluster
6.8 Navigating To Configuration Information For A Specific AP And Managing Standalone APs
6.8.1 Navigating To An AP By Using Its IP Address In A URL

Chapter 7: Managing User Accounts
7.1 Overview
7.
9.3.1 Stopping/Starting Automatic Channel Assignment
9.3.2 Viewing Current Channel Assignments And Setting Locks
9.3.2.1 Update Current Channel Settings (Manual)
9.3.3 Viewing Last Proposed Set Of Changes
9.3.4 Configuring Advanced Settings (Customizing And Scheduling Channel Plans)
9.3.4.1 Update Advanced Settings

Chapter 13: Configuring Security
13.1 Understanding Security Issues On Wireless Networks
13.1.1 How Do I Know Which Security Mode To Use?
13.1.2 Comparison Of Security Modes For Key Management, Authentication And Encryption Algorithms
13.1.2.1 When To Use Plain-text
13.1.2.2 When To Use Static WEP

Chapter 15: Configuring VLANs
15.1 Navigating To Virtual Wireless Network Settings
15.2 Configuring VLANs
15.3 Updating Settings

Chapter 16: Configuring Radio Settings
16.1 Understanding Radio Settings
16.2 Navigating To Radio Settings
16.3 Configuring Radio Settings
16.4 Updating Settings
19.1.3.4 Packet Bursting For Better Performance
19.1.3.5 Transmission Opportunity (TXOP) Interval For Client Stations
19.2 Configuring QoS Queues
19.2.1 Configuring AP EDCA Parameters
19.2.2 Enabling/Disabling Wi-Fi Multimedia
19.2.3 Configuring Station EDCA Parameters
19.3 Updating Settings
23.2.1.1 Understanding Remote Logging
23.2.1.2 Setting Up The Log Relay Host
23.2.1.3 Enabling Or Disabling The Log Relay Host On The Status, Events Page
23.2.2 Events Log
23.3 Transmit/Receive Statistics
23.4 Associated Wireless Clients

Appendices

Appendix A: Support Services And Worldwide Offices
A.1 Technical Support
A.2 Product Repairs
A.3 Worldwide Offices

Appendix B: Port Pinouts And Cable Diagrams
B.1 Console Port
B.2 Serial Cable Descriptions
C.10 Obtaining A TLS-EAP Certificate For A Client

Appendix D: Troubleshooting
D.1 Wireless Distribution System (WDS) Problems And Solutions
D.2 Cluster Recovery
D.2.1 Reboot Or Reset Access Point
D.2.2 Stop Clustering And Reset Each Access Point In The Cluster

Appendix E: Glossary

Index

APPROVALS AND SAFETY SUMMARY

DECLARATION OF CONFORMITY

Product: 9160 Wireless Gateway
Application of Council Directives: EMC Directive: 89/336/EEC; Low Voltage Directive: 73/23/EEC; R&TTE Directive: 1999/5/EEC
Conformity Declared to Standards: EN 55022: 2003 Class B; EN 61000-3-2; EN 61000-3-3; EN 55024:2003; ETSI EN 300 328:2003; ETSI EN 301 489-17:2002; EN 60950-1: 2001
Manufacturer: PSION TEKLOGIX INC. 2100 Meadowvale Blvd.

FCC Statement

FCC DECLARATION OF CONFORMITY (DOC)

Applicant’s Name & Address: PSION TEKLOGIX, 2100 Meadowvale Blvd., Mississauga, Ontario, Canada L5N 7J9
Telephone No.: (905) 813-9900
US Representative’s Name & Address: Psion Teklogix Corp., 1810 Airport Exchange Blvd., Suite 500, Erlanger, Kentucky, 41018, USA
Telephone No.: (859) 372-4329
Equipment Type/ Environment Use: Computing Devices
Trade Name / Model No.
These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used according to the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.

SAFETY APPROVALS

CSA, NRTL/C and CB.

CE MARKING

When used in a residential, commercial or light industrial environment, the product and its approved UK and European peripherals fulfill all requirements for CE marking.

R&TTE DIRECTIVE 1999/5/EC

This equipment complies with the essential requirements of EU Directive 1999/5/EC (Declaration available: www.psionteklogix.com).
This equipment is in compliance with the essential requirements of the EU R&TTE Directive (1999/5/EC). (Declaration available at: www.psionteklogix.com).
The equipment meets the requirements of EU Directive 1999/5/EC on connected telecommunications equipment and the mutual recognition of the equipment's conformity (R&TTE). (The declaration can be read at: www.psionteklogix.com).
This device meets the requirements of the EU Radio and Telecommunications Terminal Equipment Directive (EU R&TTE Directive 1999/5/EC).
• To reduce risk of electric shock, unplug the 9160 from the outlet before attempting any maintenance or cleaning.
• An extension cord should not be used unless absolutely necessary. Use of an improper extension cord could result in fire or electric shock. If an extension cord must be used, make sure:
  • The plug pins on the extension cord are the same number, size, and shape as those on the adaptor.

1 INTRODUCTION

1.1 About This Manual
1.2 Online Help Features, Supported Browsers, And Limitations
1.3 Text Conventions
1.4 Overview Of The 9160 Wireless Gateway
1.5 Features and Benefits
1.5.1 IEEE Standards Support And Wi-Fi Compliance
1.5.2 Wireless Features
1.5.3 Security Features

1.1 About This Manual

This manual describes the setup, configuration, administration, and maintenance of one or more 9160 Wireless Gateways on a wireless network.

Chapter 1: Introduction provides an overview of this manual and 9160 Wireless Gateway features.
Chapter 2: Installation Requirements explains the physical installation of the 9160 Wireless Gateway, and how to connect to the 9160 for diagnostics.
Chapter 11: The Ethernet (Wired) Interface describes how to configure the wired interface settings on the 9160 Wireless Gateway.
Chapter 12: Setting the Wireless Interface describes how to configure the wireless address and related settings on the 9160 Wireless Gateway.
Chapter 13: Configuring Security provides a number of authentication and encryption schemes to ensure that your wireless infrastructure is accessed only by the intended users.
Chapter 21: Network Time Protocol Server describes how to configure the 9160 Wireless Gateway to use a specified Network Time Protocol (NTP) server to synchronize computer clock times on your network.
Chapter 22: The Administrator Password controls access to the Administration Web pages for the 9160 Wireless Gateway. When the administration password is set and applied, the new password is updated and shared by all access points in the cluster.

1.2 Online Help Features, Supported Browsers, And Limitations

Online Help for the 9160 Wireless Gateway provides information about all fields and features available on the user interface. The information in the Online Help is a subset of the information available in the full User Manual. Online Help information corresponds to each tab on the 9160 Wireless Gateway Administration user interface.

1.3 Text Conventions

Note: Notes highlight additional helpful information.
Important: These statements provide particularly important instructions or additional information that is critical to the operation of the computer and other equipment.
Warning: These statements provide important information that may prevent injury, damage to the equipment, or loss of data.

The dual-band access point is capable of broadcasting in the following modes:
• IEEE 802.11b mode.
• IEEE 802.11g mode.
• IEEE 802.11a mode.
• Atheros Turbo 5 GHz.
• Atheros Dynamic Turbo 5 GHz.
• Atheros Turbo 2.4 GHz.
• Atheros Dynamic Turbo 2.4 GHz.

Important: Psion Teklogix terminals do not support Atheros Turbo modes and to prevent unnecessary radio overhead the use of Turbo mode is not recommended.

1.5.2 Wireless Features

• Auto channel selection at startup.
• Transmit power adjustment.
• Wireless Distribution System (WDS) for connecting multiple access points wirelessly. Extends your network with less cabling and provides a seamless experience for roaming clients.
• Quality of Service (QoS) for enhanced throughput and better performance of time-sensitive wireless traffic like Video, Audio, Voice over IP (VoIP) and streaming media.

1.5.4 Out-of-the-Box Guest Interface

• Unique network name (SSID) for the Guest interface.
• Captive portal to guide guests to customized, guest-only Web page.
• VLAN and Ethernet options.

1.5.5 Clustering And Auto-Management

• Automatic setup with KickStart.
• Provisioning and auto-configuration of APs through clustering and cluster rendezvous.

1.5.6 Networking

• Dynamic Host Configuration Protocol (DHCP) support for dynamically assigning network configuration information to systems on the LAN.
• Virtual Local Area Network (VLAN) support.

1.5.7 SNMP Support

Release 1.1 of the 9160 Wireless Gateway ships with the following standard Simple Network Management Protocol (SNMP) Management Information Bases (MIB):
• SNMP v1 and v2 MIBs.
• IEEE802.11 MIB.
• Two proprietary MIBs, based on the upcoming IEEE 802.

2 INSTALLATION REQUIREMENTS

2.1 Choosing The Right Location
2.1.1 Environment
2.1.1.1 9160 Wireless Gateway
2.1.2 Maintenance
2.1.3 Radios
2.1.4 Power And Antenna Cables
2.1.4.1 Power
2.1.4.2 Antennas
2.2 Connecting To External Devices
2.2.1 Ports

Warning: The 9160 must be installed by qualified Psion Teklogix personnel.

2.1 Choosing The Right Location

Typically, Psion Teklogix conducts a site survey in the plant and then recommends the preferred locations for the 9160s. These locations provide good radio coverage, minimize the distance to the host computer or network controller, and meet the environmental requirements.

2.1.1 Environment

2.1.1.
Figure 2.1 9160 Installation Position (figure labels: Mounting Slot, Cable Tie Mount, Mounting Hole)

2.1.2 Maintenance

The 9160 has no internal option switches and does not require physical access; all configuration settings are done remotely (see “Navigating To Basic Settings” on page 47). Environmental and radio communication considerations do still apply.

2.1.3 Radios

Mini-PCI 802.11g radio without integrated antenna (standard). Mini-PCI 802.

To eliminate the need for AC wiring, the 9160 Wireless Gateway is compliant with IEEE 802.3af and can be powered over its Ethernet connection. For detailed information, please see “Power Over Ethernet Requirements” on page 230.

Warning: To avoid electric shock, the power cord protective grounding conductor must always be connected to ground.

2.1.4.
connection to earth of the supplementary earthing conductor shall be in compliance with the appropriate rules for terminating bonding jumpers in the country of usage. Termination of the supplementary equipment earthing conductor is permitted to be made to building steel, to a metal electrical raceway system, or to any earthed item that is permanently and reliably connected to the electrical service equipment earthed.

4.
Figure 2.2 9160 Port And LED Locations (figure labels: Operating Status LED: 1 2 3 4 5 6, AC Power Socket, RS-232 Console Port, 10BaseT/100BaseT Ethernet Adaptor)

2.2.2 LAN Installation: Overview

Because the 9160 provides Ethernet connectivity, it can be added to an existing LAN. Generally, LAN installations are handled with the help of the network administrators, as they are familiar with their network and its configuration.

2.2.4 Status Indicators (LEDs)

The high-performance 9160 has six status indicators on the front of the enclosure, as shown in Figure 2.2 on page 19. The numbered and coloured LEDs on the front of the unit indicate the operating status for each port, as described in Table 2.1.

3 PRELAUNCH CHECKLIST

3.1 The 9160 Wireless Gateway
3.1.1 Default Settings For The 9160 Wireless Gateway
3.1.2 What The Access Point Does Not Provide
3.2 Administrator’s Computer
3.3 Wireless Client Computers
3.4 Understanding Dynamic And Static IP Addressing On The 9160 Wireless Gateway

Before you plug in and boot a new Access Point, review the following sections for a quick check of required hardware components, software, client configurations, and compatibility issues. Make sure you have everything you need ready to go for a successful launch and test of your new (or extended) wireless network.

3.1 The 9160 Wireless Gateway

The 9160 Wireless Gateway is a wireless communications hub for devices on your network.

Default Settings For The 9160 Wireless Gateway

Option: Network Name (SSID)
Default Settings: “TEKLOGIX” for the Internal interface; “TEKLOGIX Guest” for the Guest interface
Related Information: “Review / Describe The Access Point” on page 48 in “Configuring Basic Settings” on page 45; “Configuring “Internal” Wireless LAN Settings” on page 110 in “Setting the Wireless Interface” on page 105; “Configuring “Guest” Network Wireless Settings” on page 111 in “Setting the Wireless I

Option: IEEE 802.11 Mode
Default Settings: 802.11g or 802.11a+g
Related Information: “Configuring Radio Settings” on page 153

802.

3.1.2 What The Access Point Does Not Provide

The 9160 Wireless Gateway is not designed to function as a Gateway to the Internet. To connect your Wireless LAN (WLAN) to other LANs or the Internet, you need a gateway device.

3.2 Administrator’s Computer

Configuration and administration of the 9160 Wireless Gateway is accomplished with the KickStart utility (which you run from the CD) and through a Web-based user interface (UI).

Required Component: Web Browser / Operating System
Description: Configuration and administration of the 9160 Wireless Gateway is provided through a Web-based user interface hosted on the access point. We recommend using one of the following supported Web browsers to access the access point Administration Web pages:
• Microsoft Internet Explorer version 5.5 or 6.

Required Component: Wi-Fi Client Adaptor
Description: Portable or built-in Wi-Fi client adaptor that supports one or more of the IEEE 802.11 modes in which you plan to run the access point. (IEEE 802.11a, 802.11b, and 802.11g are supported.) Wi-Fi client adaptors vary considerably.

3.4.1 How Does The Access Point Obtain An IP Address At Startup?

When you deploy the access point, it looks for a network DHCP server and, if it finds one, obtains an IP Address from the DHCP server. If no DHCP server is found on the network, the AP will continue to use its default Static IP Address (192.168.1.

3.4.3 Static IP Addressing

The 9160 Wireless Gateway ships with a default Static IP Address of 192.168.1.10. (See “Default Settings For The 9160 Wireless Gateway” on page 23.) If no DHCP server is found on the network, the AP retains this static IP address at first-time startup.

4 QUICK STEPS FOR SETUP AND LAUNCH

4.1 Unpack The 9160 Wireless Gateway
4.1.1 9160 Wireless Gateway Hardware And Ports
4.1.2 What’s Inside The 9160 Wireless Gateway?
4.2 Connect The Access Point To Network And Power
4.2.1 A Note About Setting Up Connections For A Guest Network
4.2.1.1 Hardware Connections For A Guest VLAN
4.

Setting up and deploying one or more 9160 Wireless Gateways is in effect creating and launching a wireless network. The KickStart Wizard and corresponding Basic Settings Administration Web page simplify this process. Here is a step-by-step guide to setting up your 9160 Wireless Gateways and the resulting wireless network.

4.1.2 What’s Inside The 9160 Wireless Gateway?

The 9160 Wireless Gateway, as an Access Point (AP), is a single-purpose computer designed to function as a wireless hub. Inside the access point is a Wi-Fi radio system and a microprocessor. The access point boots from FlashROM using powered firmware with the configurable, runtime features summarized in “Overview Of The 9160 Wireless Gateway” on page 7.

For initial configuration with a direct Ethernet connection and no DHCP server, be sure to set your PC to a static IP address in the same subnet as the default IP address on the access point. (The default IP address for the access point is 192.168.1.10.
Figure 4.2 Ethernet Connections Using Static IP (figure title: ETHERNET CONNECTIONS WHEN USING STATIC IP FOR INITIAL CONFIGURATION; figure labels: Crossover Cable (or Ethernet cable if your AP supports auto MDI and MDI-X); Administrator Computer (This PC must have an IP address on the same subnet as Access Point.); Access Point)

2.

4.4 Run KickStart To Find Access Points On The Network

KickStart is an easy-to-use utility for discovering and identifying new 9160 Wireless Gateways. KickStart scans the network looking for access points, and displays ID details on those it finds.

Notes: Keep in mind that KickStart (and the other Administration tools) recognizes and configures only 9160 Wireless Gateways.
Click Next to search for access points.

2. Wait for the search to complete, or until KickStart has found your new access points.
Note: If no access points are found, KickStart indicates this and presents some troubleshooting information about your LAN and power connections. Once you have checked hardware power and Ethernet connections, you can click the KickStart Back button to search again for access points.

3. Review the list of access points found. KickStart will detect the IP addresses of 9160 Wireless Gateways.
Click Next.

4. Go to the Access Point Administration Web pages by taking the link provided on the KickStart page.
Note: KickStart provides a link to the Administration Web pages via the IP address of the first access point of each model. (For more information about model types and clustering see “What Kinds Of APs Can Cluster Together?” on page 56.) The Administration Web pages are a centralized management tool that you can access via the IP address for any access point in a cluster.

4.5.1 Viewing Basic Settings For Access Points

When you first log in, the Basic Settings page for 9160 Wireless Gateway administration is displayed. These are global settings for all access points that are members of the cluster and, if automatic configuration is specified, for any new access points that are added later.

4.
For a detailed description of these “Basic Settings” and how to properly configure them, please see Chapter 5: “Configuring Basic Settings”. Summarized briefly here, the steps are:

1. Review Description of this Access Point. Provide IP addressing information. For more information, see “Review / Describe The Access Point” on page 48.
2. Provide Network Settings.

4.6.1 Default Configuration

If you follow the steps above and accept all the defaults, the access point will have the default configuration described in “Default Settings For The 9160 Wireless Gateway” on page 23.

4.7 What’s Next?

Next, make sure the access point is connected to the LAN, bring up some wireless clients, and connect the clients to the network.

5 CONFIGURING BASIC SETTINGS

5.1 Navigating To Basic Settings
5.2 Review / Describe The Access Point
5.3 Provide Administrator Password And Wireless Network Name
5.4 Set Configuration Policy For New Access Points
5.5 Update Basic Settings
5.6 Summary Of Settings
5.7 Basic Settings For A Standalone Access Point

5.1 Navigating To Basic Settings

To configure initial settings, click Basic Settings. If you use KickStart to link to the Administration Web pages, the Basic Settings page is displayed by default. Fill in the fields on the Basic Settings screen as described in “Review / Describe The Access Point” on page 48.

5.2 Review / Describe The Access Point

Field: IP Address
Description: Shows IP address assigned to this access point. This field is not editable because the IP address is already assigned (either via DHCP, or statically through the Ethernet (wired) settings as described in “Configuring Guest Interface Ethernet (Wired) Settings” on page 104).

Field: MAC Address
Description: Shows the MAC address of the access point.

5.3 Provide Administrator Password And Wireless Network Name

Field: Administrator Password
Description: Enter a new administrator password. The characters you enter will be displayed as “*” characters to prevent others from seeing your password as you type. The Administrator password must be an alphanumeric string of up to 8 characters. Do not use special characters or spaces.

5.4 Set Configuration Policy For New Access Points

Field: New Access Points
Description: Choose the policy you want to put in effect for adding New Access Points to the network.
• If you choose “are configured automatically”, then when a new access point is added to the network it automatically joins the existing cluster.

5.5 Update Basic Settings

When you have reviewed the new configuration, click Update to apply the settings and deploy the access points as a wireless network.

5.6 Summary Of Settings

When you update the Basic Settings, a summary of the new settings is shown, along with information about next steps. At initial startup, no security is in place on the access point.

5.7 Basic Settings For A Standalone Access Point

The Basic Settings tab for a standalone access point indicates only that the current mode is standalone and provides a button for adding the access point to a cluster (group).

6 MANAGING ACCESS POINTS & CLUSTERS

6.1 Overview
6.2 Navigating To Access Points Management
6.3 Understanding Clustering
6.3.1 What Is A Cluster?
6.3.2 How Many APs Can A Cluster Support?
6.3.3 What Kinds Of APs Can Cluster Together?

6.1 Overview

The 9160 Wireless Gateway shows current basic configuration settings for clustered access points (location, IP address, MAC address, status, and availability) and provides a way of navigating to the full configuration for specific APs if they are cluster members. Standalone access points or those which are not members of this cluster do not show up in this listing.

6.3 Understanding Clustering

A key feature of the 9160 Wireless Gateway is the ability to form a dynamic, configuration-aware group (called a cluster) with other 9160 Wireless Gateways in a network in the same subnet. Access points can participate in a self-organizing cluster which makes it easier for you to deploy, administer, and secure your wireless network.
• Access points of the same model will form a cluster.
• Access points of other brands will not join the cluster. These APs should be administered with their own associated Administration tools.

6.3.

6.3.4.2 Settings Not Shared By The Cluster

The few exceptions (settings not shared among clustered access points) are the following, most of which, by nature, must be unique:
• IP addresses.
• MAC addresses.
• Location descriptions.
• Load Balancing settings.
• WDS bridges.
• Ethernet (Wired) Settings.
• Guest interface configuration.

Standalone access points are not listed on the Cluster, Access Points tab in the Administration UIs of APs that are cluster members. You need to know the IP addresses for standalone access points in order to configure and manage them directly. (See “Navigating To An AP By Using Its IP Address In A URL” on page 63.

6.3.9 Intra-Cluster Security

To ensure that the security of the cluster as a whole is equivalent to the security of a single access point, communication of certain data between access points in a cluster is done using Secure Sockets Layer (typically referred to as SSL) with private key encryption. Both the cluster configuration file and the user database are transmitted among access points using SSL.

6.3.
Table 6.1 describes the access point settings and information display in detail.
Field: Description
Location: Description of where the access point is physically located.
MAC Address: Media Access Control (MAC) address of the access point. A MAC address is a permanent, unique hardware address for any device that represents an interface to the network. The MAC address is assigned by the manufacturer.
2. Click Remove from Cluster. The change will be reflected under Status for that access point; the access point will now show as standalone (instead of cluster).
Note: In some situations it is possible for the cluster to become out of sync.
6.8 Navigating To Configuration Information For A Specific AP And Managing Standalone APs
In general, the 9160 Wireless Gateway is designed for central management of clustered access points. For access points in a cluster, all access points in the cluster reflect the same configuration.
7 MANAGING USER ACCOUNTS
7.1 Overview
7.2 Navigating To User Management For Clustered Access Points
7.3 Viewing User Accounts
7.4 Adding A User
7.5 Editing A User Account
7.6 Enabling And Disabling User Accounts
7.1 Overview
The 9160 Wireless Gateway includes user management capabilities for controlling client access to access points. User management and authentication must always be used in conjunction with the following two security modes, which require use of a RADIUS server for user authentication and management.
• IEEE 802.1x mode (see “IEEE 802.1x” on page 131 in Chapter 13: “Configuring Security”).
7.2 Navigating To User Management For Clustered Access Points
To set up or modify user accounts, click the Cluster, User Management tab.

7.3 Viewing User Accounts
User accounts are shown at the top of the screen under User Accounts... . User name, real name, and status (enabled or disabled) are shown.
7.4 Adding A User
To create a new user, do the following:
1. Under Add a User..., provide information in the following fields.
Field: Description
Username: Provide a user name. User names are alphanumeric strings of up to 237 characters. Do not use special characters or spaces.
Real Name: For information purposes, provide the user’s full name. There is a 256 character limit on real names.
Password: Specify a password for this user.
7.5 Editing A User Account
Once you have created a user account, it is displayed under User Accounts... at the top of the User Management Administration Web page. To make modifications to an existing user account, first click the checkbox next to the user name so that the box is checked. Then, choose an action such as Edit, Enable, Disable, or Remove.
7.
7.6.1 Enabling A User Account
To enable a user account, click the checkbox next to the user name and click Enable. A user with an account that is enabled can log on to the wireless access points in your network as a client.

7.6.2 Disabling A User Account
To disable a user account, click the checkbox next to the user name and click Disable.
Use the file browser to navigate to the directory where you want to save the file, and click OK to save the file. You can keep the default file name (wirelessUsers.ubk) or rename the backup file, but be sure to save the file with a .ubk extension.

7.8.2 Restoring A User Database From A Backup File
To restore a user database from a backup file:
1.
8 SESSION MONITORING
8.1 Navigating To Session Monitoring
8.2 Understanding Session Monitoring Information
8.3 Viewing Session Information For Access Points
8.4 Sorting Session Information
8.5 Refreshing Session Information
The 9160 Wireless Gateway provides real-time session monitoring information, including which clients are associated with a particular access point, data rates, transmit/receive statistics, signal strength, and idle time.

8.1 Navigating To Session Monitoring
To view session monitoring information, click the Cluster, Sessions tab.
8.2 Understanding Session Monitoring Information
The Sessions page shows information on client stations associated with access points in the cluster. Each client is identified by user name and user MAC address, along with the AP (location) to which it is currently connected. To view a particular statistic for client sessions, select an item from the Display drop-down list and click Go.
Field: Description
Idle Time: Indicates the amount of time this station has remained inactive. A station is considered to be “idle” when it is not receiving or transmitting data.
Data Rate: The speed at which this access point is transferring data to the specified client. The data transmission rate is measured in megabits per second (Mbps). This value should fall within the range of the advertised rate set for the IEEE 802.
8.4 Sorting Session Information
To order (sort) the information shown in the tables by a particular indicator, click on the column label by which you want to order things. For example, if you want to see the table rows ordered by Utilization rate, click on the Utilization column label. The entries will be sorted by Utilization rate.
8.
9 CHANNEL MANAGEMENT
9.1 Navigating To Channel Management
9.2 Understanding Channel Management
9.2.1 How It Works In A Nutshell
9.2.2 For The Curious: More About Overlapping Channels
9.2.3 Example: A Network Before And After Channel Management
9.3 Configuring And Viewing Channel Management Settings
9.3.
9.1 Navigating To Channel Management
To view channel management information, click the Cluster, Channel Management tab.

9.2 Understanding Channel Management
When Channel Management is enabled, the 9160 Wireless Gateway automatically assigns radio channels used by clustered access points to reduce mutual interference (or interference with other access points outside of its cluster).
9.2.1 How It Works In A Nutshell
At a specified interval (the default is 1 hour) or on demand (click Update), the Channel Manager maps APs to channel use and measures interference levels in the cluster. If significant channel interference is detected, the Channel Manager automatically re-assigns some or all of the APs to new channels per an efficiency algorithm (or automated channel plan).
9.2.
[Figure: network diagram of access points AP1 to AP5 and client stations on 802.11b channels 5, 6 and 7, labelled “Interference from APs on same channel (6)” and “Interference from APs on adjacent channels (5,6,7)”.]
Figure 9.
9.3 Configuring And Viewing Channel Management Settings
The Channel Management page shows previous, current, and planned channel assignments for clustered access points. By default, automatic channel assignment is disabled. You can start channel management to optimize channel usage across the cluster on a scheduled interval.
periodically maps radio channels used by clustered access points and, if necessary, re-assigns channels on clustered APs to reduce interference (with cluster members or other APs outside the cluster).
Note:
• Channel Management overrides the default cluster behaviour, which is to synchronize radio channels of all APs across a cluster.
9.3.2.1 Update Current Channel Settings (Manual)
You can run a manual channel management update at any time by clicking Update under the Current Channel Settings display.

9.3.3 Viewing Last Proposed Set Of Changes
The Last Proposed Set of Channel Changes shows the last channel plan. The plan lists all access points in the cluster by IP Address, and shows the current and proposed channels for each AP.
Field: Description
Advanced: Click the “Advanced” toggle to show / hide display settings that modify timing and details of the channel planning algorithm. By default, these settings are hidden.
Change channels if interference is reduced by at least __: Specify the minimum percentage of interference reduction a proposed plan must achieve in order to be applied. The default is 25 percent.
9.3.4.1 Update Advanced Settings
Click Update under Advanced Settings to apply these settings. Advanced Settings will take effect when they are applied, and influence how automatic channel management is performed. (The new interference reduction minimum, scheduled tuning interval, channel set, and network busy settings will be taken into account for automated and manual updates.
10 WIRELESS NEIGHBORHOOD
10.1 Navigating To Wireless Neighborhood
10.2 Understanding Wireless Neighborhood Information
10.3 Viewing Wireless Neighborhood
10.4 Viewing Details For A Cluster Member
The Wireless Neighborhood screen shows those access points within range of any access point in the cluster. This page provides a detailed view of neighboring access points, including identifying information (SSIDs and MAC addresses) for each, cluster status (which are members and non-members), and statistical information such as the channel each AP is broadcasting on, signal strength, and so forth.
10.
For each neighbor access point, the Wireless Neighborhood view shows identifying information (SSID or Network Name, IP Address, MAC address) along with radio statistics (signal strength, channel, beacon interval). You can click on an AP to get additional statistics about the APs in radio range of the currently selected AP.
Field: Description
Neighbors: Access points which are neighbors of one or more of the clustered APs are listed in the left column by SSID (Network Name). An access point which is detected as a neighbor of a cluster member can also be a cluster member itself. Neighbors who are also cluster members are always shown at the top of the list with a heavy bar above and include a location indicator.
10.4 Viewing Details For A Cluster Member
To view details on a cluster member AP, click on the IP address of a cluster member at the top of the page.
Figure 10.
The following table explains the details shown about the selected AP.
Field: Description
SSID: The Service Set Identifier (SSID) for the access point. The SSID is an alphanumeric string of up to 32 characters that uniquely identifies a wireless local area network. It is also referred to as the Network Name.
11 THE ETHERNET (WIRED) INTERFACE
11.1 Navigating To Ethernet (Wired) Settings
11.1.1 Setting The DNS Name
11.1.2 Enabling Or Disabling Guest Access
11.1.2.1 Configuring An Internal LAN And A Guest Network
11.1.2.2 Enabling Or Disabling Guest Access
11.1.2.3 Specifying A Virtual Guest Network
11.1.
Ethernet (Wired) Settings describe the configuration of your Ethernet local area network (LAN).
Note: The Ethernet Settings are not shared across the cluster. These settings must be configured individually on the Administration pages for each access point.
11.1.1 Setting The DNS Name
Field: Description
DNS Name: Enter the DNS name for the access point in the text box. This is the host name. It may be provided by your ISP or network administrator, or you can provide your own. The rules for system names are:
• This name can be up to 20 characters long.
• Only letters, numbers and dashes are allowed.
• The name must start with a letter and end with either a letter or a number.
Table 11.
11.1.2.2 Enabling Or Disabling Guest Access
The 9160 Wireless Gateway ships with the Guest Access feature disabled by default. If you want to provide guest access on your AP, enable Guest access on the Ethernet (Wired) Settings tab.
Field: Description
Guest Access: By default, the 9160 Wireless Gateway ships with Guest Access disabled.
• To enable Guest Access, click Enabled.
• To disable Guest Access, click Disabled.
Table 11.
11.1.3 Enabling / Disabling Virtual Wireless Networks On The AP
If you want to configure the Internal network as a VLAN (whether or not you have a Guest network configured), you can enable “Virtual Wireless Networks” on the access point.
Field: Description
Connection Type: You can select DHCP or Static IP. The Dynamic Host Configuration Protocol (DHCP) is a protocol specifying how a centralized server can provide network configuration information to devices on the network. A DHCP server “offers” a “lease” to the client system. The information supplied includes the IP addresses and netmask, plus the address of its DNS servers and gateway.
Field: Description
Default Gateway: Enter the Default Gateway in the text boxes.
DNS Nameservers: The Domain Name Service (DNS) is a system that resolves the descriptive name (domain name) of a network resource (for example, www.psionteklogix.com) to its numeric IP address (for example, 66.93.138.219). A DNS server is called a Nameserver.
12 SETTING THE WIRELESS INTERFACE
12.1 Navigating To Wireless Settings
12.2 Configuring 802.11d Regulatory Domain Support
12.3 Configuring The Radio Interface
12.4 Configuring “Internal” Wireless LAN Settings
12.5 Configuring “Guest” Network Wireless Settings
12.6 Updating Settings
Wireless Settings describes aspects of the local area network (LAN) related specifically to the radio device in the access point (802.11 Mode and Channel) and to the network interface to the access point (MAC address for access point and Wireless Network name, also known as SSID). The following sections describe how to configure the “Wireless” address and related settings on the 9160 Wireless Gateway.
12.
12.2 Configuring 802.11d Regulatory Domain Support
You can enable or disable IEEE 802.11d Regulatory Domain Support to broadcast the access point country code information as described below.
802.11d Regulatory Domain Support: Enabling support for IEEE 802.11d on the access point causes the AP to broadcast which country it is operating in as a part of its beacons:
• To enable 802.
Field: Description
Mode: The Mode defines the Physical Layer (PHY) standard being used by the radio. The 9160 Wireless Gateway is available as a single or dual-band access point with one or two radios. The configuration options for Mode differ depending on which product you have.
Single-Band AP: For the Single-Band AP, select one of these modes:
• IEEE 802.11b
• IEEE 802.
12.4 Configuring “Internal” Wireless LAN Settings
The Internal Settings describe the MAC Address (read-only) and Network Name (also known as the SSID) for the internal Wireless LAN (WLAN) as described in Table 12.3.
Field: Description
MAC Address: Shows the MAC address(es) for the Internal interface for this access point. This is a read-only field that you cannot change.
12.5 Configuring “Guest” Network Wireless Settings
The Guest Settings describe the MAC Address (read-only) and wireless network name (SSID) for the Guest Network as described in Table 12.4. Configuring an access point with two different network names (SSIDs) allows you to leverage the Guest interface feature on the 9160 Wireless Gateway. For more information, see Chapter 14: “Setting up Guest Access”.
13 CONFIGURING SECURITY
13.1 Understanding Security Issues On Wireless Networks
13.1.1 How Do I Know Which Security Mode To Use?
13.1.2 Comparison Of Security Modes For Key Management, Authentication And Encryption Algorithms
13.1.2.1 When To Use Plain-text
13.1.2.2 When To Use Static WEP
13.1.2.3 When To Use IEEE 802.1x
The following sections describe how to configure Security settings on the 9160 Wireless Gateway.

13.1 Understanding Security Issues On Wireless Networks
Wireless mediums are inherently less secure than wired mediums. For example, an Ethernet NIC transmits its packets over a physical medium such as coaxial cable or twisted pair.
That said, however, security may not be as much of a priority on some types of networks. If you are simply providing internet and printer access, as on a guest network, plain-text mode (no security) may be the appropriate choice.
13.1.2.1 When To Use Plain-text
Plain-text mode by definition provides no security. In this mode, the data is not encrypted but rather sent as “plain-text” across the network. No key management, data encryption or user authentication is used.
Recommendations
Plain-text mode is not recommended for regular use on the Internal network because it is not secure.
Recommendations
Static WEP was designed to provide security equivalent to sending unencrypted data through an Ethernet connection; however, it has major flaws and does not provide even this intended level of security. Therefore, Static WEP is not recommended as a secure mode.
Additionally, compatibility issues may be cumbersome because of the variety of authentication methods supported and the lack of a standard implementation method. Therefore, IEEE 802.1x mode is not as secure a solution as Wi-Fi Protected Access (WPA) or WPA2. If you cannot use WPA because some of your client stations do not have WPA, then a better solution than using IEEE 802.
Recommendations
WPA/WPA2 Personal (PSK) is not recommended for use with the 9160 Wireless Gateway when WPA/WPA2 Enterprise (RADIUS) is an option. We recommend that you use WPA/WPA2 Enterprise (RADIUS) mode instead, unless you have interoperability issues that prevent you from using this mode.
Recommendations
WPA/WPA2 Enterprise (RADIUS) mode is the recommended mode. The CCMP (AES) and TKIP encryption algorithms used with WPA modes are far superior to the RC4 algorithm used for Static WEP or IEEE 802.1x modes. Therefore, CCMP (AES) or TKIP should be used whenever possible.
standard WPA mode, and most interoperable mode with client Wireless software security features. TKIP is the only encryption algorithm that is being tested in Wi-Fi WPA certification.
Notes: If there are older client stations on your network that do not support WPA or WPA2, you can configure WPA/WPA2 Enterprise (RADIUS) with Both, CCMP, or TKIP and check the “Allow non-WPA IEEE 802.
This offers a very minimal level of protection on an otherwise exposed network (such as a guest network) where the priority is making it easy for clients to get a connection and where no sensitive information is available. (See also “Guest Network” on page 126.)

13.1.4 How Does Station Isolation Protect The Network?
When Station Isolation is enabled, the access point blocks communication between wireless clients.
13.2 Configuring Security Settings: Broadcast SSID, Station Isolation, and Security Mode
To set the security mode, navigate to the Advanced, Security tab, and update the fields as described below. The following configuration information explains how to configure security modes on the access point.
Note: You can also allow or prohibit the Broadcast SSID and enable/disable Station Isolation as extra precautions as mentioned below.
Field: Description
Broadcast SSID: Select the Broadcast SSID setting by clicking the Allow or Prohibit radio button. By default, the access point broadcasts (allows) the Service Set Identifier (SSID) in its beacon frames.
13.2.1 Plain-text
Plain-text means any data transferred to and from the 9160 Wireless Gateway is not encrypted. There are no further options for “Plain-text” mode. Plain-text mode can be useful during initial network configuration or for problem solving, but it is not recommended for regular use on the Internal network because it is not secure.
13.2.1.
WEP encrypts data moving across the wireless network based on a static key. (The encryption algorithm is a “stream” cipher called RC4.) The access point uses a key to transmit data to the client stations. Each client station must use that same key to decrypt data it receives from the access point. Client stations can use different keys to transmit data to the access point.
Field: Description
Characters Required: Indicates the number of characters required in the WEP key. The number of characters required updates automatically based on how you set Key Length and Key Type.
WEP Keys: You can specify up to four WEP keys. In each text box, enter a string of characters for each key. If you selected “ASCII”, enter any combination of integers and letters 0-9, a-z, and A-Z.
13.2.2.1 Rules To Remember For Static WEP
• All client stations must have the Wireless LAN (WLAN) security set to WEP and all clients must have one of the WEP keys specified on the AP in order to decode AP-to-station data transmissions.
• The AP must have all keys used by clients for station-to-AP transmit so that it can decode the station transmissions.
• The same key must occupy the same slot on all nodes (AP and clients).
You must then set all client stations to use WEP and provide each client with one of the slot/key combinations you defined on the AP. For this example, we’ll set WEP key 1 on a Windows client.
Figure 13.8 Providing A Wireless Client With A WEP Key
If you have a second client station, that station also needs to have one of the WEP keys defined on the AP. You could give it the same WEP key you gave to the first station.
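The static WEP rules above can be checked mechanically before keys are handed out to stations. The following Python sketch is an added example, not part of the manual or the 9160 firmware; the dictionary layout, the names `audit_static_wep` and `transmit_slot`, the hex alphabet, the sample keys and the 24-bit IV deduction used to derive "Characters Required" are assumptions.

```python
import string

IV_BITS = 24  # a "64-bit" or "128-bit" WEP key length includes a 24-bit IV
BITS_PER_CHAR = {"ascii": 8, "hex": 4}
ALPHABET = {
    "ascii": set(string.ascii_letters + string.digits),  # 0-9, a-z, A-Z
    "hex": set(string.hexdigits),                        # assumed: 0-9, a-f, A-F
}
SLOTS = range(1, 5)  # the AP accepts up to four WEP keys


def chars_required(key_length_bits, key_type):
    """Characters a key must contain for the given Key Length and Key Type."""
    return (key_length_bits - IV_BITS) // BITS_PER_CHAR[key_type]


def key_format_errors(key, key_length_bits, key_type):
    """Return the format problems of one key; an empty list means it is valid."""
    errors = []
    need = chars_required(key_length_bits, key_type)
    if len(key) != need:
        errors.append(f"expected {need} characters, got {len(key)}")
    bad = sorted(set(key) - ALPHABET[key_type])
    if bad:
        errors.append(f"characters not allowed in a {key_type} key: {bad}")
    return errors


def audit_static_wep(ap, clients, key_length_bits=128, key_type="hex"):
    """Check AP and client key tables against the static WEP rules.

    ap and every client are dicts {"keys": {slot: key}, "transmit_slot": slot}.
    Returns a sorted list of (node, rule, detail) findings; keys are never echoed.
    """
    def norm(key):  # hex digits compare case-insensitively, ASCII keys exactly
        return key.lower() if key_type == "hex" else key

    findings = []
    for name, node in {"AP": ap, **clients}.items():
        if node["transmit_slot"] not in node["keys"]:
            findings.append((name, "config", "transmit slot holds no key"))
        for slot, key in node["keys"].items():
            if slot not in SLOTS:
                findings.append((name, "config", f"slot {slot} is not 1-4"))
            for err in key_format_errors(key, key_length_bits, key_type):
                findings.append((name, "format", f"slot {slot}: {err}"))

    ap_keys = {slot: norm(key) for slot, key in ap["keys"].items()}
    ap_tx = ap["transmit_slot"]
    for name, client in clients.items():
        keys = {slot: norm(key) for slot, key in client["keys"].items()}
        tx = client["transmit_slot"]
        # Rule 1: the client needs the key the AP transmits with.
        if ap_tx in ap_keys and keys.get(ap_tx) != ap_keys[ap_tx]:
            findings.append((name, "rule1", f"lacks the AP transmit key (slot {ap_tx})"))
        # Rule 2: the AP needs the key this client transmits with.
        if tx in keys and ap_keys.get(tx) != keys[tx]:
            findings.append((name, "rule2", f"AP cannot decode traffic sent with slot {tx}"))
        # Rule 3: a key shared with the AP must sit in the same slot on both.
        for slot, key in keys.items():
            if ap_keys.get(slot) != key and key in ap_keys.values():
                findings.append((name, "rule3", f"slot {slot} key is in another slot on the AP"))
    return sorted(findings)


# Constructed sample: 128-bit hex keys (26 hex digits each), not real keys.
K1 = "0123456789abcdef0123456789"
K2 = "fedcba9876543210fedcba9876"
K3 = "00112233445566778899aabbcc"
SAMPLE_AP = {"keys": {1: K1, 2: K2, 3: K3}, "transmit_slot": 1}
SAMPLE_CLIENTS = {
    "laptop": {"keys": {1: K1.upper()}, "transmit_slot": 1},   # consistent
    "scanner": {"keys": {1: K1, 2: K2}, "transmit_slot": 2},   # own transmit key, consistent
    "printer": {"keys": {2: K2}, "transmit_slot": 2},          # cannot decode AP traffic
    "handheld": {"keys": {1: K1, 4: K3}, "transmit_slot": 4},  # K3 is in slot 3 on the AP
}

if __name__ == "__main__":
    for finding in audit_static_wep(SAMPLE_AP, SAMPLE_CLIENTS):
        print(*finding, sep=": ")
```

An empty result means every station can decode AP traffic and the AP can decode every station; it says nothing about the strength of static WEP itself.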
13.2.2.3 Static WEP With Transfer Key Indexes On Client Stations
Some Wireless client software (like Funk Odyssey) lets you configure multiple WEP keys and set a transfer index on the client station; you can then specify different keys to be used for station-to-AP transmissions. (The standard Windows wireless client software does not allow you to do this.
The access point requires a RADIUS server capable of EAP, such as the Microsoft Internet Authentication Server or the 9160 Wireless Gateway internal authentication server. To work with Windows clients, the authentication server must support Protected EAP (PEAP) and MSCHAP V2. When configuring IEEE 802.1x mode, you have a choice of whether to use the embedded RADIUS server or an external RADIUS server that you provide.
Field: Description
Radius IP: Enter the Radius IP in the text box. The Radius IP is the IP address of the RADIUS server. (The 9160 Wireless Gateway internal authentication server is 127.0.0.1.) For information on setting up user accounts, see Chapter 7: “Managing User Accounts”.
Radius Key: Enter the Radius Key in the text box. The Radius Key is the shared secret key for the RADIUS server.
If you selected “WPA/WPA2 Personal (PSK)” Security Mode, complete the settings as described in Table 13.11.
Field: Description
WPA Versions: Select the types of client stations you want to support:
• WPA
• WPA2
• Both
WPA. If all client stations on the network support the original WPA but none support the newer WPA2, then select WPA.
WPA2.
Field: Description
Cipher Suites: Select the cipher you want to use from the drop-down menu:
• TKIP
• CCMP (AES)
• Both
Temporal Key Integrity Protocol (TKIP) is the default. TKIP provides a more secure encryption solution than WEP keys. The TKIP process more frequently changes the encryption key used and better ensures that the same key will not be re-used to encrypt data (a weakness of WEP).
13.2.5 WPA/WPA2 Enterprise (RADIUS)
Wi-Fi Protected Access 2 (WPA2) with Remote Authentication Dial-In User Service (RADIUS) is an implementation of the Wi-Fi Alliance IEEE 802.11i standard, which includes Advanced Encryption Standard (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) mechanisms.
Field: Description
WPA Versions: Select the types of client stations you want to support:
• WPA
• WPA2
• Both
WPA. If all client stations on the network support the original WPA but none support the newer WPA2, then select WPA.
WPA2. If all client stations on the network support WPA2, we suggest using WPA2 which provides the best security per the IEEE 802.11i standard.
Both.
Field: Description
Cipher Suites: Select the cipher you want to use from the drop-down menu:
• TKIP
• CCMP (AES)
• Both
Temporal Key Integrity Protocol (TKIP) is the default. TKIP provides a more secure encryption solution than WEP keys. The TKIP process more frequently changes the encryption key used and better ensures that the same key will not be re-used to encrypt data (a weakness of WEP).
Field: Description
Authentication Server: Select one of the following from the drop-down menu:
• Built-in - To use the authentication server provided with the 9160 Wireless Gateway. If you choose this option, you do not have to provide the Radius IP and Radius Key; they are automatically provided.
• External - To use an external authentication server. If you choose this option you must supply a Radius IP and Radius Key of the server you want to use.
14 SETTING UP GUEST ACCESS
14.1 Understanding The Guest Interface
14.2 Configuring The Guest Interface
14.2.1 Configuring A Guest Network On A Virtual LAN
14.2.2 Configuring The Welcome Screen (Captive Portal)
14.3 Using The Guest Network As A Client
14.4 Deployment Example
Out-of-the-box Guest Interface features allow you to configure the 9160 Wireless Gateway for controlled guest access to an isolated network. You can configure the same access point to broadcast and function as two different wireless networks: a secure “Internal” LAN and a public “Guest” network. Guest clients can access the guest network without a username or password.
14.2 Configuring The Guest Interface
To configure the Guest interface on the 9160 Wireless Gateway, perform these steps:
1. Configure the access point to represent two virtually separate networks as described in the section below, “Configuring A Guest Network On A Virtual LAN”.
2. Set up the guest Welcome screen for the guest captive portal as described in the section, “Configuring The Welcome Screen (Captive Portal)” on page 145.
2. Configure Ethernet (wired) Settings for Internal and Guest networks on VLANs as described in the sections in Chapter 11: “The Ethernet (Wired) Interface”. (Start by enabling Guest Access and choosing “For Internal and Guest access, use two: VLANs” as described in “Specifying A Virtual Guest Network” on page 101.)
3.
3. In the Welcome Screen Text field, type the text message you would like guest clients to see on the captive portal.
4. Click Update to apply the changes.

14.3 Using The Guest Network As A Client
Once the guest network is configured, a client can access the guest network as follows:
1. A guest client enters an area of coverage and scans for wireless networks.
2.
15 CONFIGURING VLANS
15.1 Navigating To Virtual Wireless Network Settings
15.2 Configuring VLANs
15.3 Updating Settings
The following sections describe how to configure multiple wireless networks on Virtual LANs (VLANs).

15.1 Navigating To Virtual Wireless Network Settings
To set up multiple networks on VLANs, navigate to the Advanced, Virtual Wireless Networks tab, and update the fields as described below.
15.
re-connect via the Administration Web pages to the new IP address. (If necessary, check with the infrastructure support administrator regarding the VLAN and DHCP configurations.)
Field: Description
Virtual Wireless Network: Choose one of the following from the drop-down menu to identify an additional network to configure:
• One
• Two
Status: You can enable or disable a configured network.
• To enable the specified network, click On.
Field: Description
Broadcast SSID: Select the Broadcast SSID setting by clicking the Allow or Prohibit radio button. By default, the access point broadcasts (allows) the Service Set Identifier (SSID) in its beacon frames. You can suppress (prohibit) this broadcast to discourage stations from automatically discovering your access point.