7.41 User Guide
User Guide
Version 7.41
P/N 9034530-07
Notice
Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEBSITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

© 2011 Enterasys Networks, Inc. All rights reserved.

Part Number: 9034530-07 June 2011

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS SECURE NETWORKS, DRAGON, ENTERASYS DRAGON, NETSIGHT, ENTERASYS NETSIGHT, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and/or other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.

Documentation URL: https://extranet.enterasys.com/downloads/
5. PROTECTION AND SECURITY. In the performance of this Agreement or in contemplation thereof, You and your employees and agents may have access to private or confidential information owned or controlled by Enterasys relating to the Licensed Materials supplied hereunder including, but not limited to, product specifications and schematics, and such information may contain proprietary details and disclosures. All information and data so acquired by You or your employees or agents under this Agreement or in contemplation hereof shall be and shall remain Enterasys' exclusive property, and You shall use your best efforts (which in any event shall not be less than the efforts You take to ensure the confidentiality of your own proprietary and other confidential information) to keep, and have your employees and agents keep, any and all such information and data confidential, and shall not copy, publish, or disclose it to others, without Enterasys' prior written approval, and shall return such information and data to Enterasys at its request. Nothing herein shall limit your use or dissemination of information not actually derived from Enterasys or of information which has been or subsequently is made public by Enterasys, or a third party having authority to do so.

You agree not to deliver or otherwise make available the Licensed Materials or any part thereof, including without limitation the object or source code (if provided) of the Licensed Software, to any party other than Enterasys or its employees, except for purposes specifically related to your use of the Licensed Software on a single computer as expressly provided in this Agreement, without the prior written consent of Enterasys. You agree to use your best efforts and take all reasonable steps to safeguard the Licensed Materials to ensure that no unauthorized personnel shall have access thereto and that no unauthorized copy, publication, disclosure, or distribution, in whole or in part, in any form shall be made, and You agree to notify Enterasys of any unauthorized use thereof. You acknowledge that the Licensed Materials contain valuable confidential information and trade secrets, and that unauthorized use, copying and/or disclosure thereof are harmful to Enterasys or its Affiliates and/or its/their software suppliers.

6. MAINTENANCE AND UPDATES. Updates and certain maintenance and support services, if any, shall be provided to You pursuant to the terms of an Enterasys Service and Maintenance Agreement, if Enterasys and You enter into such an agreement. Except as specifically set forth in such agreement, Enterasys shall not be under any obligation to provide Software Updates, modifications, or enhancements, or Software maintenance and support services to You.

7. DEFAULT AND TERMINATION. In the event that You shall fail to keep, observe, or perform any obligation under this Agreement, including a failure to pay any sums due to Enterasys, or in the event that You become insolvent or seek protection, voluntarily or involuntarily, under any bankruptcy law, Enterasys may, in addition to any other remedies it may have under law, terminate the License and any other agreements between Enterasys and You.

(a) Immediately after any termination of the Agreement or if You have for any reason discontinued use of Software, You shall return to Enterasys the original and any copies of the Licensed Materials and remove the Licensed Software from any modular works made pursuant to Section 3, and certify in writing that through your best efforts and to the best of your knowledge the original and all copies of the terminated or discontinued Licensed Materials have been returned to Enterasys.

(b) Sections 4, 5, 7, 8, 9, 10, 11, and 12 shall survive termination of this Agreement for any reason.

8. EXPORT REQUIREMENTS. You understand that Enterasys and its Affiliates are subject to regulation by agencies of the U.S. Government, including the U.S. Department of Commerce, which prohibit export or diversion of certain technical products to certain countries, unless a license to export the product is obtained from the U.S. Government or an exception from obtaining such license may be relied upon by the exporting party.

If the Licensed Materials are exported from the United States pursuant to the License Exception CIV under the U.S. Export Administration Regulations, You agree that You are a civil end user of the Licensed Materials and agree that You will use the Licensed Materials for civil end uses only and not for military purposes.

If the Licensed Materials are exported from the United States pursuant to the License Exception TSR under the U.S. Export Administration Regulations, in addition to the restriction on transfer set forth in Section 4 of this Agreement, You agree not to (i) reexport or release the Licensed Software, the source code for the Licensed Software or technology to a national of a country in Country Groups D:1 or E:2 (Albania, Armenia, Azerbaijan, Belarus, Cambodia, Cuba, Georgia, Iraq, Kazakhstan, Kyrgyzstan, Laos, Libya, Macau, Moldova, Mongolia, North Korea, the People's Republic of China, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, Vietnam, or such other countries as may be designated by the United States Government), (ii) export to Country Groups D:1 or E:2 (as defined herein) the direct product of the Licensed Software or the technology, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List, or (iii) if the direct product of the technology is a complete plant or any major component of a plant, export to Country Groups D:1 or E:2 the direct product of the plant or a major component thereof, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List or is subject to State Department controls under the U.S. Munitions List.
9. UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The Licensed Materials (i) were developed solely at private expense; (ii) contains restricted computer software submitted with restricted rights in accordance with section 52.227-19 (a) through (d) of the Commercial Computer Software Restricted Rights Clause and its successors, and (iii) in all respects is proprietary data belonging to Enterasys and/or its suppliers. For Department of Defense units, the Licensed Materials are considered commercial computer software in accordance with DFARS section 227.7202-3 and its successors, and use, duplication, or disclosure by the U.S. Government is subject to restrictions set forth herein.

10. LIMITED WARRANTY AND LIMITATION OF LIABILITY. The only warranty Enterasys makes to You in connection with this license of the Licensed Materials is that if the media on which the Licensed Software is recorded is defective, it will be replaced without charge, if Enterasys in good faith determines that the media and proof of payment of the license fee are returned to Enterasys or the dealer from whom it was obtained within ninety (90) days of the date of payment of the license fee.

NEITHER ENTERASYS NOR ITS AFFILIATES MAKE ANY OTHER WARRANTY OR REPRESENTATION, EXPRESS OR IMPLIED, WITH RESPECT TO THE LICENSED MATERIALS, WHICH ARE LICENSED AS IS. THE LIMITED WARRANTY AND REMEDY PROVIDED ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, WHICH ARE EXPRESSLY DISCLAIMED, AND STATEMENTS OR REPRESENTATIONS MADE BY ANY OTHER PERSON OR FIRM ARE VOID. ONLY TO THE EXTENT SUCH EXCLUSION OF ANY IMPLIED WARRANTY IS NOT PERMITTED BY LAW, THE DURATION OF SUCH IMPLIED WARRANTY IS LIMITED TO THE DURATION OF THE LIMITED WARRANTY SET FORTH ABOVE. YOU ASSUME ALL RISK AS TO THE QUALITY, FUNCTION AND PERFORMANCE OF THE LICENSED MATERIALS. IN NO EVENT WILL ENTERASYS OR ANY OTHER PARTY WHO HAS BEEN INVOLVED IN THE CREATION, PRODUCTION OR DELIVERY OF THE LICENSED MATERIALS BE LIABLE FOR SPECIAL, DIRECT, INDIRECT, RELIANCE, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING LOSS OF DATA OR PROFITS OR FOR INABILITY TO USE THE LICENSED MATERIALS, TO ANY PARTY EVEN IF ENTERASYS OR SUCH OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL ENTERASYS OR SUCH OTHER PARTY'S LIABILITY FOR ANY DAMAGES OR LOSS TO YOU OR ANY OTHER PARTY EXCEED THE LICENSE FEE YOU PAID FOR THE LICENSED MATERIALS.

Some states do not allow limitations on how long an implied warranty lasts and some states do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation and exclusion may not apply to You. This limited warranty gives You specific legal rights, and You may also have other rights which vary from state to state.

11. JURISDICTION. The rights and obligations of the parties to this Agreement shall be governed and construed in accordance with the laws and in the State and Federal courts of the Commonwealth of Massachusetts, without regard to its rules with respect to choice of law. You waive any objections to the personal jurisdiction and venue of such courts. None of the 1980 United Nations Convention on the Limitation Period in the International Sale of Goods, and the Uniform Computer Information Transactions Act shall apply to this Agreement.

12. GENERAL.

(a) This Agreement is the entire agreement between Enterasys and You regarding the Licensed Materials, and all prior agreements, representations, statements, and undertakings, oral or written, are hereby expressly superseded and canceled.

(b) This Agreement may not be changed or amended except in writing signed by both parties hereto.

(c) You represent that You have full right and/or authorization to enter into this Agreement.

(d) This Agreement shall not be assignable by You without the express written consent of Enterasys. The rights of Enterasys and Your obligations under this Agreement shall inure to the benefit of Enterasys' assignees, licensors, and licensees.

(e) Section headings are for convenience only and shall not be considered in the interpretation of this Agreement.

(f) The provisions of the Agreement are severable and if any one or more of the provisions hereof are judicially determined to be illegal or otherwise unenforceable, in whole or in part, the remaining provisions of this Agreement shall nevertheless be binding on and enforceable by and between the parties hereto.

(g) Enterasys' waiver of any right shall not constitute waiver of that right in future. This Agreement constitutes the entire understanding between the parties with respect to the subject matter hereof, and all prior agreements, representations, statements and undertakings, oral or written, are hereby expressly superseded and canceled. No purchase order shall supersede this Agreement.

(h) Should You have any questions regarding this Agreement, You may contact Enterasys at the address set forth below. Any notice or other communication to be sent to Enterasys must be mailed by certified mail to the following address: ENTERASYS NETWORKS, INC., 50 Minuteman Road, Andover, MA 01810 Attn: Manager Legal Department.
Contents
About This Guide
Intended Audience
Formatting Conventions
Additional Documentation
Getting Help
Safety Information
Sicherheitshinweise
Consignes De Sécurité
Chapter 1: Overview of the Enterasys Wireless Controller, Access Points and Convergence Software Solution
Introduction
The Enterasys Wireless System
Conventional Wireless LANs
Elements of the Enterasys Wireless Controller, Access Points and Convergence Software Solution
Enterasys NetSight Suite Integration
Enterasys Wireless Controller, Access Points and Convergence Software and Your Network
Network Traffic Flow
Network Security
Authentication
Privacy
Virtual Network Services
NAC integration with Enterasys Wireless WLAN
VNS Components
Topology
Policy
WLAN Services
Routing
Mobility and Roaming
Network Availability
Quality of Service (QoS)
Enterasys Wireless Controller Product Family
Enterasys Wireless AP LED Status
Enterasys Wireless Outdoor AP3660 LED Indicators
Enterasys Wireless Outdoor AP2660 LED Status
Enterasys Wireless 802.11n AP LED Status
AP4102 and AP2605 LED Status
Configuring Wireless AP LED Behavior
Configuring the Wireless APs for the First Time
Defining Properties for the Discovery Process
Connecting and Initiating the Wireless AP Discovery and Registration Process
Adding and Registering a Wireless AP Manually
Configuring Wireless AP Settings
Modifying a Wireless AP's Status
Configuring a Wireless AP's Properties
AP Properties Tab Configuration
Assigning Wireless AP Radios to a VNS
Configuring Wireless AP Radio Properties
Modifying Wireless 802.11n AP 3610/3620 Radio Properties
Achieving High Throughput with the Wireless 802.11n AP
Modifying Wireless AP 2610/2620 Radio Properties
Setting Up the Wireless AP Using Static Configuration
Configuring Telnet/SSH Access
Configuring VLAN Tags for Wireless APs
Setting Up 802.1x Authentication for a Wireless AP
Configuring 802.1x PEAP Authentication
Configuring 802.1x EAP-TLS Authentication
Viewing 802.1x Credentials
Deleting 802.1x Credentials
Setting Up 802.1x Authentication for Wireless APs Using Multi-edit
Configuring the Default Wireless AP Settings
Configure Common Configuration Default AP Settings
Configure AP2610/20, AP2605, W788, BP200, and WB500 Default AP Settings
Configure AP3605/10/20/30/40/60 Default AP Settings
Configure AP2650/60 and W786 Default AP Settings
Configure AP4102 and AP4102C Default AP Settings
Modifying a Wireless AP's Properties Based on a Default AP Configuration
Modifying the Wireless AP's Default Setting Using the Copy to Defaults Feature
Configuring Multiple Wireless APs Simultaneously
Configuring Co-located APs in Load Balance Groups
How Availability Affects Load Balancing
Load Balance Group Statistics
Configuring an AP Cluster
Converting the Enterasys Wireless AP to Standalone Mode
Configuring an AP as a Sensor
Performing Wireless AP Software Maintenance
Viewing and Changing the L2 Ports Information
Viewing and Changing the Physical Topologies
Setting Up Internal VLAN ID and Multicast Support
Setting Up Static Routes
Viewing the Forwarding Table
Setting Up OSPF Routing
Configuring Filtering at the Interface Level
Built-in Interface-based Exception Filters
Working with Administrator-defined Interface-based Exception Filters
Protecting the Controller's Interfaces and Internal Captive Portal Page
Before Installing a Certificate
Installing a Certificate for an Enterasys Wireless Controller Interface
Configuring the Login Authentication Mode
Configuring the Local Login Authentication Mode and Adding New Users
Configuring the RADIUS Login Authentication Mode
Configuring the Local, RADIUS Login Authentication Mode
Configuring the RADIUS, Local Login Authentication Mode
Configuring SNMP
Configuring SNMPv1/v2c-specific Parameters
Configuring SNMPv3-specific Parameters
Editing an SNMPv3 User
Deleting an SNMPv3 User
Configuring Network Time
Configuring the Network Time Using the System's Time
Configuring the Network Time Using an NTP Server
Configuring DNS Servers for Resolving Host Names of NTP and RADIUS Servers
Using an AeroScout Location Based Solution
Additional Ongoing Operations of the System
Creating an Internal Captive Portal VNS
Creating an External Captive Portal VNS
Creating a GuestPortal VNS
Enabling and Disabling a VNS
Renaming a VNS
Deleting a VNS
Moving the WDS Wireless APs to the Target Location
Changing the Pre-shared Key in a WDS WLAN Service
Viewing Load Balance Group Statistics
About Radio Preference/Load Control Statistics
About Client Balancing Statistics Reports
Viewing the System Information and Manufacturing Information Displays
Viewing Displays for the Mobility Manager
Viewing Reports
Call Detail Records (CDRs)
CDR File Naming Convention
CDR File Types
CDR File Format
Viewing CDRs
Backing Up and Copying CDR Files to a Remote Server
Appendix A: Glossary
Networking Terms and Abbreviations
Controller, Access Points and Convergence Software Terms and Abbreviations
European Community
Declaration of Conformity in Languages of the European Community
European Conformance Standards
External Antennas
Conditions of Use in the European Community
European Spectrum Usage Rules
Certifications of Other Countries
AP2620 Approved External Antennas
AP3620 Approved External Antennas
Certified 3rd Party Antennas
Figures
1-1 Standard Wireless Network Solution Example
1-2 Enterasys Wireless Controller Solution
1-3 Traffic Flow Diagram
1-4 VNS as a Binding of Reusable Components
1-5 WLAN and NAC Integration with External Captive Portal Authentication
2-1 Enterasys Standard Wireless APs Baseband
2-2 MIMO in Enterasys Wireless 802.11n AP
2-3 Enterasys Wireless 802.11n APs Baseband
2-4 Enterasys Wireless AP LEDs
2-5 AP3660 Bottom View
2-6 Enterasys Wireless Outdoor AP LEDs
2-7 Enterasys Wireless 802.11n AP LEDs
3-1 Generate Certificate Signing Request Window
5-1 VLAN & Class of Service tab
5-2 Filter Rules Page - HWC Filters tab
5-3 Filter Rules Page - AP Filters tab
6-1 New WLAN Services Configuration Page
6-2 WLAN Services Configuration Page
6-3 Auth & Acct page
6-4 Captive Portal Page Configuration page for Internal and Guest Splash Modes
6-5 Captive Portal Page for External and 802.1x Modes
6-6 Captive Portal Page for Guest Portal Mode
6-7 Message Configuration Page
6-8 Captive Portal Editor
7-1 VNS Configuration Flow
8-1 Simple Mesh Configuration
8-2 Wireless Repeater Configuration
8-3 Wireless Bridge Configuration
8-4 Examples of Mesh Deployment
8-5 Deployment Example
8-6 Mesh Setup with a Single Mesh WLAN Service
8-7 Mesh Setup with Multiple Mesh WLAN Services
8-8 Parent-child Relationship Between Wireless APs in Mesh Configuration
8-9 Multiple-root Mesh Topology
8-10 Mesh Deployment
9-1 Simple WDS Configuration
9-2 Wireless Repeater Configuration
9-3 Wireless Bridge Configuration
9-4 Examples of WDS Deployment
9-5 Deployment Example
9-6 WDS Setup with a Single WDS WLAN Service
9-7 WDS Setup with Multiple WDS WLAN Services
9-8 Parent-child Relationship Between Wireless APs in WDS Configuration
9-9 Multiple-root WDS Topology
9-10 WDS Deployment
10-1 AP Fail Over to 2ndary Controller When Primary Goes Down
10-2 AP Fail Over to 2ndary Controller When Connectivity to Primary Fails
10-3 Session Availability Mode
11-1 Mobility Domain with Fast Failover and Session Availability Features
14-1 Sample .dat File
Tables
1-1 WLAN and NAC Integration Steps
1-2 Enterasys Wireless Controller Product Families
2-1 Enterasys Standard Wireless AP Models
2-2 Available Antennas for the AP4102/4102C
2-3 CLI Commands to Configure a Static IP Address for a Wireless AP
2-4 CLI Commands to Configure a Static IP Address for a Wireless 802.11n AP
2-5 Center LED and Wireless APs Status
2-6 Left LED and Wireless APs High-level State
2-7 Left and Right LEDs and Wireless APs Detailed State
2-8 Composite View of Three LED Lights
2-9 AP2610 and AP2620 LEDs Indicating Signal Strength
2-10 AP3660 LED Status Indicators
2-11 Enterasys Wireless Outdoor AP LED Status
2-12 AP2650 and AP2660 LEDs Indicating Signal Strength
2-13 LED Color Codes
2-14 LED L1 and Wireless APs Status
2-15 LEDs L3, L4 and L1, and Wireless 802.11n APs Detailed State
2-16 LEDs L3 and L4, and Corresponding Radio State
2-17 LED L2 and Ethernet Ports Status
2-18 AP3610 and AP3620 LEDs Indicating Signal Strength
2-19 AP4102 and AP2605 Status Indicators
2-20 AP4102 and AP2605 Initialization and Discovery Indicators
2-21 AP4102 and AP2605 Composite View of LEDs
2-22 AP4102 and AP2605 LEDs Indicating Signal Strength
2-23 LED Operational Modes
2-24 Connecting and Powering a Wireless AP
2-25 Add Wireless AP window
2-26 Static Configuration
2-27 Maximum Number of Load Balance Groups
3-1 Platform Type / Wireless APs Allowed by Permanent Activation Key
3-2 Supported Certificate and CA Formats
3-3 Topologies Page: Certificates Tab Fields and Buttons
3-4 Generate Certificate Signing Request Page - Fields and Buttons
4-1 Exception Filters page - Fields and Buttons
5-1 VLAN & Class of Service Tab - Fields and Buttons
5-2 Filter Types
5-3 Non-authenticated Filter Example A
5-4 Non-authenticated Filter Example B
5-5 Filtering Rules Example A
5-6 Filtering Rules Example B
5-7 Default Filter Example A
5-8 Default Filter Example B
5-9 Rules Between Two Wireless Devices
5-10 HWC and AP Filters tabs - Fields and Buttons
6-1 WLAN Services Configuration Page
6-2 Advanced WLAN Service Configuration Page
6-3 LAN Services Privacy Tab - Fields and Buttons
6-4 Vendor Specific Attributes
6-5 Configure Internal Captive Portal Page - Fields and Buttons
6-6 External Captive Portal Page - Fields and Buttons
6-7 Message Configuration page - Fields and Buttons
6-8 Captive Portal Editor Fields and Buttons
6-9 DSCP Code-Points
6-10 Service classes
6-11 Relationship between service class and 802.1D UP
6-12 QoS mode combinations
6-13 Queues
6-14 Traffic Prioritization
7-1 Enterasys Wireless Controller Active and Defined VNS Support
9-1 Wireless APs and Their Roles
14-1 AP Inventory Report Columns
14-2 CDR Records and Their Description
16-1 Guest Account Import and Export .csv File Values
B-1 Wireless AP Wi-Fi Certification ID
B-2 European Spectrum Usage Rules
B-3 List of FCC/IC/ETSI Approved Antennas AP2620
B-4 List of FCC/IC/ETSI Approved Antennas AP3620
B-5 Certified 3rd Party Antennas for Use with AP2620, AP260-1, AP3620 and AP3620-1 Models
C-1 Default GuestPortal Ticket Page Template Placeholders
Intended Audience
This guide is a reference for system administrators who install and manage the Enterasys Wireless system. Any administrator performing tasks described in this guide must have an account with administrative privileges.

This preface provides an overview of this guide and a brief summary of each chapter; defines the conventions used in this document; and instructs how to obtain technical support from Enterasys Networks. To locate information about various subjects in this guide, refer to the following table.

For... Provides an overview of the product, its features and functionality.
Refer to... Chapter 1, Overview of the Enterasys Wireless Controller, Access Points and Convergence Software Solution

For... Provides information about how to perform the installation, first time setup and configuration of the Enterasys Wireless Controller, as well as configuring the data ports and defining routing.

For... Describes how to install the Wireless AP, how it discovers and registers with the Enterasys Wireless Controller, and how to view and modify radio configuration.

For... Provides an overview of topologies and provides detailed information about how to configure them.
Refer to... Chapter 4, Configuring Topologies

For... Provides an overview of policies and provides detailed information about how to configure them.
Refer to... Chapter 5, Configuring Policies

For... Provides an overview of WLAN services and provides detailed information about how to configure them.
Refer to... Chapter 6, Configuring WLAN Services

For... Provides an overview of Virtual Network Services (VNS), provides detailed instructions in how to configure a VNS, either using the Wizards or by manually creating the component parts of a VNS.
Refer to... Chapter 7, Configuring a VNS
Enterasys Wireless Controller, Access Points, and Convergence Software User Guide
For... Provides an overview of Mesh networks and provides detailed information about how to create a Mesh network.
Refer to...
Chapter 13, Working with the Mitigator
Chapter 14, Working with Reports and Displays
Appendix A, Glossary
Formatting Conventions
The Enterasys Wireless Controller, Access Points and Convergence Software documentation uses the following formatting conventions to make it easier to find information and follow procedures:
- Bold text is used to identify components of the management interface, such as menu items and section of pages, as well as the names of buttons and text boxes. For example: Click Logout.
- Monospace font is used in code examples and to indicate text that you type. For example: Type https://<hwc-address>[:mgmt-port>]
The following notes are used to draw your attention to additional information:
Note: Notes identify useful information, such as reminders, tips, or other ways to perform a task.
Caution: Cautionary notes identify essential information, which if ignored can adversely affect the operation of your equipment or software.
Warning: Warning notes identify essential information, which if ignored can lead to personal injury or harm.
Additional Documentation
For additional Enterasys Wireless documentation, see the Enterasys Wireless documentation at:
https://extranet.enterasys.com/downloads/
Getting Help
For additional support related to the product or this document, contact Enterasys Networks using one of the following methods:

World Wide Web: www.enterasys.com/support
Phone: 1-800-872-8440 (toll-free in U.S. and Canada) or 1-978-684-1000. To find the Enterasys Networks Support toll-free number in your country: www.enterasys.com/support
Internet mail: [email protected] To expedite your message, type Enterasys Wireless in the subject line.
To send comments concerning this document to the Technical Publications Department: [email protected] Please include the document part number in your email message.

Before contacting Enterasys Networks for technical support, have the following information ready:
- Your Enterasys Networks service contract number
- A description of the failure
- A description of any action(s) already taken to resolve the problem (for example, changing mode switches or rebooting the unit)
- The serial and revision numbers of all involved Enterasys Networks products in the network
- A description of your network environment (such as layout, cable type, other relevant environmental information)
- Network load and frame size at the time of trouble (if known)
- The device history (for example, if you have returned the device before, or if this a recurring problem)
- Any previous Return Material Authorization (RMA) numbers
Safety Information
Dangers
- Replace the power cable immediately if it shows any sign of damage.
- Replace any damaged safety equipment (covers, labels and protective cables) immediately.
- Use only original accessories or components approved for the system. Failure to observe these instructions may damage the equipment or even violate safety and EMC regulations.
- Only authorized Enterasys service personnel are permitted to service the system.
Warnings
- This device must not be connected to a LAN segment with outdoor wiring.
- Ensure that all cables are run correctly to avoid strain.
- Replace the power supply adapter immediately if it shows any sign of damage.
- Disconnect all power before working near power supplies unless otherwise instructed by a maintenance procedure.
- Exercise caution when servicing hot swappable Enterasys Wireless Controller components: power supplies or fans. Rotating fans can cause serious personal injury.
- This unit may have more than one power supply cord. To avoid electrical shock, disconnect all power supply cords before servicing. In the case of unit failure of one of the power supply modules, the module can be replaced without interruption of power to the Enterasys Wireless Controller. However, this procedure must be carried out with caution. Wear gloves to avoid contact with the module, which will be extremely hot.
- There is a risk of explosion if a lithium battery is not correctly replaced. The lithium battery must be replaced only by an identical battery or one recommended by the manufacturer.
- Always dispose of lithium batteries properly.
- Do not attempt to lift objects that you think are too heavy for you.
Cautions
- Check the nominal voltage set for the equipment (operating instructions and type plate). High voltages capable of causing shock are used in this equipment. Exercise caution when measuring high voltages and when servicing cards, panels, and boards while the system is powered on.
- Only use tools and equipment that are in perfect condition. Do not use equipment with visible damage.
- To protect electrostatic sensitive devices (ESD), wear a wristband before carrying out any work on hardware.
- Lay cables so as to prevent any risk of them being damaged or causing accidents, such as tripping.
Safety Information (German section)
Dangers
- If the power cable shows signs of damage, replace it immediately.
- Replace damaged safety equipment (covers, type plates and protective cables) immediately.
Warnings
- This device must not be connected to a LAN segment via outdoor wiring.
- Ensure that all cables are routed correctly to avoid strain.
- If the power supply unit shows signs of damage, replace it immediately.
- Disconnect all power connections before working near the power supply, unless a maintenance procedure requires otherwise.
- Exercise caution when servicing hot-swappable Enterasys Wireless Controller components (power supplies or fans). Rotating fans can cause serious injury.
- This device may be connected by more than one power cable. To avoid the risk of electric shock, disconnect all power cables before servicing. If one of the power supply modules fails, it can be replaced without interrupting power to the Enterasys Wireless Controller. However, this procedure must be carried out with caution. The module can be extremely hot. Wear gloves to avoid burns.
- There is a risk of explosion if the lithium battery is replaced improperly. The lithium battery must be replaced only with identical types or types recommended by the dealer.
- Dispose of lithium batteries properly.
- Never attempt to lift heavy objects without help.
Cautions
- Check the nominal voltage specified for the equipment (operating instructions and type plate). This equipment operates at high voltage, which carries a risk of electric shock. Proceed with great caution when measuring high voltages or servicing cards, panels, and assemblies while the system is powered on.
- Use only tools and equipment in perfect condition. Do not use equipment with visible damage.
- When working on hardware components, wear a wristband to protect electrostatic sensitive devices (ESD) from damage.
- Lay cables so that they do not become a source of accidents (tripping hazard) and are not damaged.
Safety Information (French section)
Dangers
- If the power cord is damaged, replace it immediately.
- Replace damaged safety equipment (covers, labels and protective conductors) without delay.
Warnings
- This device must not be connected to a LAN segment using outdoor cabling.
- Check that all cables are run correctly to avoid excessive strain.
- If the power adapter shows signs of damage, replace it immediately.
- Always disconnect power before working on power supplies, unless the maintenance procedure states otherwise.
- Take all necessary precautions when servicing or repairing hot-swappable Enterasys Wireless Controller modules: power supplies or fans. Rotating fans can cause serious injury.
- This unit may have several power cords. To avoid electric shock, disconnect all power cords before performing maintenance. If one of the power supply modules fails, the faulty module can be replaced without powering off the Enterasys Wireless Controller. However, this replacement must be carried out with care. Wear gloves to avoid touching the module, which may be very hot.
- Improper replacement of the lithium battery can cause an explosion. Replace the lithium battery with an identical model or a model recommended by the dealer.
- It must be disposed of in accordance with the applicable regulations.
- Never try to lift objects that may be too heavy for you.
Cautions
- Check the nominal voltage set for the installation (see the operating instructions and the rating plate). High voltages capable of causing electric shock are used in this equipment. When the system is powered on, take all necessary precautions when measuring high voltages and when servicing or repairing cards, panels, and boards.
- Use only equipment and tools in perfect condition. Never put into service equipment that shows visible damage.
- To protect devices sensitive to static electricity, wear an antistatic wrist strap when working on the hardware.
- Route cables so that they cannot be damaged and do not become a source of danger (for example, by causing people to fall).
1
Overview of the Enterasys Wireless Controller, Access Points and Convergence Software Solution
This chapter describes Enterasys Wireless Controller, Access Points and Convergence Software concepts, including:
- Introduction
- Conventional Wireless LANs
- Elements of the Enterasys Wireless Controller, Access Points and Convergence Software Solution
- Enterasys Wireless Controller, Access Points and Convergence Software and Your Network
- Enterasys Wireless Controller Product Family
Introduction
The next generation of Enterasys wireless networking devices provides a truly scalable WLAN solution. Enterasys Wireless APs are fit access points controlled through a sophisticated network device, the Enterasys Wireless Controller. This solution provides the security and manageability required by enterprises and service providers.

The Enterasys Wireless Controller, Access Points and Convergence Software system is a highly scalable Wireless Local Area Network (WLAN) solution. Based on a third-generation WLAN topology, the Controller, Access Points and Convergence Software system makes wireless practical for service providers as well as medium and large-scale enterprises.

The Enterasys Wireless Controller, Access Points and Convergence Software system provides a secure, highly scalable, cost-effective solution based on the IEEE 802.11 standard. The system is intended for enterprise networks operating on multiple floors in more than one building, and is ideal for public environments, such as airports and convention centers that require multiple access points.

This chapter provides an overview of the fundamental principles of the Enterasys Wireless Controller, Access Points and Convergence Software system.
Figure 1-1 [diagram labels: DHCP Server, Ethernet, Router/Switch, Wireless AP, Wireless AP]
Elements of the Enterasys Wireless Controller, Access Points and Convergence Software Solution
The Enterasys Wireless Controller, Access Points and Convergence Software solution consists of two devices:
- Enterasys Wireless Controller
- Wireless APs
- DHCP Server (Dynamic Host Configuration Protocol). If you do not have a DHCP Server on your network, you can enable the local DHCP Server on the Enterasys Wireless Controller. The local DHCP Server is useful as a general purpose DHCP Server for small subnets. For more information, see Step 10 of Setting Up the Data Ports on page 3-13.
- SLP (Service Location Protocol)

Figure 1-2 Enterasys Wireless Controller Solution [diagram labels: DHCP Server, Wireless Controller, Router/Switch, Ethernet, Wireless AP, Wireless Devices]
As illustrated in Figure 1-2, the Enterasys Wireless Controller appears to the existing network as if it were an access point, but in fact one Enterasys Wireless Controller controls many Wireless APs. The Enterasys Wireless Controller has built-in capabilities to recognize and manage the Wireless APs. The Enterasys Wireless Controller:
- Activates the Wireless APs
- Enables Wireless APs to receive wireless traffic from wireless devices
- Processes the data traffic from the Wireless APs
- Forwards or routes the processed data traffic out to the network
- Authenticates requests and applies access policies
The Enterasys Wireless Controller, Access Points and Convergence Software system:
- Scales up to Enterprise capacity: Enterasys Wireless Controllers are scalable:
    C5110 - Up to 525 APs
    C4110 - Up to 250 APs
    C2400 - Up to 200 APs
    C20 - Up to 32 APs
    C20N - Up to 32 APs
    C25 - Up to 48 APs
    CRBT8210 - Up to 72 APs
    CRBT8110 - Up to 24 APs
  In turn, each Wireless AP can handle up to 254 wireless devices, with each radio supporting a maximum of 127. With additional Enterasys Wireless Controllers, the number of wireless devices the solution can support can reach into the thousands.
- Integrates with existing network: An Enterasys Wireless Controller can be added to an existing enterprise network as a new network device, greatly enhancing its capability without interfering with existing functionality. Integration of the Enterasys Wireless Controllers and Wireless APs does not require any reconfiguration of the existing infrastructure (for example, VLANs).
- Integrates with the Enterasys NetSight Suite of products. For more information, see Enterasys NetSight Suite Integration on page 1-6. Plug-in applications include:
    Automated Security Manager
    Inventory Manager
    NAC Manager
    Policy Control Console
    Policy Manager
- Provides security via filters and privileges: Uses virtual networking techniques to create separate virtual networks with defined authentication and billing services, access policies, and privileges.
- Supports seamless mobility and roaming: Supports seamless roaming of a wireless device from one Wireless AP to another on the same Enterasys Wireless Controller or on a different Enterasys Wireless Controller.
- Integrates third-party access points: Uses a combination of network routing and authentication techniques.
- Prevents rogue devices: Unauthorized access points are detected and identified as harmless or dangerous rogue APs.
- Provides accounting services: Logs wireless user sessions, user group activity, and other activity reporting, enabling the generation of consolidated billing records.
- Offers troubleshooting capability: Logs system and session activity and provides reports to aid in troubleshooting analysis.
- Offers dynamic RF management: Automatically selects channels and adjusts Radio Frequency (RF) signal propagation and power levels without user intervention.
Policy Manager
Policy Manager recognizes the Enterasys Wireless Controller suite as policy-capable devices that accept partial configuration from Policy Manager. Currently this integration is partial in the sense that NetSight is unable to create WLAN services directly; the WLAN services need to be directly provisioned on the controller and are represented to Policy Manager as logical ports. The Enterasys Wireless Controller allows Policy Manager to:
- Attach Topologies (assign VLAN to port) to the Enterasys Wireless Controller physical ports (Console).
- Attach policy to the logical ports (WLAN Service/SSID).
- Assign a Default Role/Policy to a WLAN Service, thus creating the VNS.
- Perform authentication operations which can then reference defined policies for station-specific policy enforcement.

c. Fine-tune controller settings. For example, configuring filtering at APs and Enterasys Wireless Controller for a bridged at controller or routed topologies and associated VNSs.
Note: Complete information about integration with Policy Manager is outside the scope of this document.
Enterasys Wireless Controller, Access Points and Convergence Software and Your Network
This section is a summary of the components of the Enterasys Wireless Controller, Access Points and Convergence Software solution on your enterprise network. The following are described in detail in this guide, unless otherwise stated:
- Enterasys Wireless Controller: A rack-mountable network device that provides centralized control over all access points and manages the network assignment of wireless device clients associating through access points.
- Wireless AP: A wireless LAN fit access point that communicates with an Enterasys Wireless Controller.
RADIUSServer(RemoteAccessDialInUserService)(RFC2865),orotherauthentication serverAnauthenticationserverthatassignsandmanagesIDandPasswordprotection throughoutthenetwork.Usedforauthenticationofthewirelessusersineither802.1xor CaptivePortalsecuritymodes.TheRADIUSServersystemcanbesetupforcertainstandard attributes,suchasfilterID,andfortheVendorSpecificAttributes(VSAs).Inaddition, RADIUSDisconnect(RFC3576)whichpermitsdynamicadjustmentofuserpolicy(user disconnect)issupported. DHCPServer(DynamicHostConfigurationProtocol)(RFC2131)Aserverthatassigns dynamicallyIPaddresses,gateways,andsubnetmasks.IPaddressassignmentforclientscan bedonebytheDHCPserverinternaltotheEnterasysWirelessController,orbyexisting serversusingDHCPrelay.ItisalsousedbytheWirelessAPstodiscoverthelocationofthe EnterasysWirelessControllerduringtheinitialregistrationprocessusingOptions43,60,and Option78.Options43and60specifythevendorclassidentifier(VCI)andvendorspecific information.Option78specifiesthelocationofoneormoreSLPDirectoryAgents.ForSLP, DHCPshouldhaveOption78enabled. ServiceLocationProtocol(SLP)(SLPRFC2608)ClientapplicationsareUserAgentsand servicesthatareadvertisedbyaServiceAgent.Inlargerinstallations,aDirectoryAgent collectsinformationfromServiceAgentsandcreatesacentralrepository.TheSiemens solutionreliesonregisteringsiemensasanSLPServiceAgent. DomainNameServer(DNS)Aserverusedasanalternatemechanism(ifpresentonthe enterprisenetwork)fortheautomaticdiscoveryprocess.EnterasysWirelessController, AccessPointsandConvergenceSoftwarereliesontheDNSforLayer3deploymentsandfor staticconfigurationofWirelessAPs.ThecontrollercanberegisteredinDNS,toprovideDNS assistedAPdiscovery.Inaddition,DNScanalsobeusedforresolvingRADIUSserver hostnames. WebAuthenticationServerAserverthatcanbeusedforexternalCaptivePortaland externalauthentication.TheEnterasysWirelessControllerhasaninternalCaptiveportal presentationpage,whichallowsWebauthentication(Webredirection)totakeplacewithout theneedforanexternalCaptivePortalserver. 
RADIUS Accounting Server (Remote Access Dial-In User Service) (RFC 2866) - A server that is required if RADIUS Accounting is enabled.
Simple Network Management Protocol (SNMP) - A Manager Server that is required if forwarding SNMP messages is enabled.
Network infrastructure - The Ethernet switches and routers must be configured to allow routing between the various services noted above. Routing must also be enabled between multiple Enterasys Wireless Controllers for the following features to operate successfully:
Availability
Mobility
Mitigator for detection of rogue access points
Overview of the Enterasys Wireless Controller, Access Points and Convergence Software Solution
[Figure: traffic flow between wireless devices, Wireless APs, the controller (HWC) and the wired network. Components shown: Wireless Devices, Wireless APs, DHCP Server, External CP Server. 802.11 packet transmission: 802.11 beacon and probe; the wireless device associates with a Wireless AP by its SSID. Tunnelling: the AP sends data traffic to the HWC through a UDP tunnel called WASSP; the HWC controls the Wireless AP through the WASSP tunnel; using WASSP tunnels, the HWC allows wireless clients to roam to Wireless APs on different HWCs. Control and Routing: the HWC authenticates the wireless user; the HWC forwards the IP packet to the wired network.]
Each wireless device sends IP packets in the 802.11 standard to the Wireless AP. The Wireless AP uses a UDP (User Datagram Protocol) based tunnelling protocol. In tunneled mode of operation, it encapsulates the packets and forwards them to the Enterasys Wireless Controller. The Enterasys Wireless Controller decapsulates the packets and routes these to destinations on the network. In a typical configuration, access points can be configured to locally bridge traffic (to a configured VLAN) directly at their network point of attachment.
The Enterasys Wireless Controller functions like a standard L3 router or L2 switch. It is configured to route the network traffic associated with wireless connected users. The Enterasys Wireless Controller can also be configured to simply forward traffic to a default or static route if dynamic routing is not preferred or available.
Enterasys Wireless Controller, Access Points, and Convergence Software User Guide
Network Security
The Enterasys Wireless Controller, Access Points and Convergence Software system provides features and functionality to control network access. These are based on standard wireless network security practices.
Current wireless network security methods provide protection. These methods include:
Shared Key authentication that relies on Wired Equivalent Privacy (WEP) keys
Open System that relies on Service Set Identifiers (SSIDs)
802.1x that is compliant with Wi-Fi Protected Access (WPA)
Captive Portal based on Secure Sockets Layer (SSL) protocol
Authentication
The Enterasys Wireless Controller relies on a RADIUS server, or authentication server, on the enterprise network to provide the authentication information (whether the user is to be allowed or denied access to the network). A RADIUS client is implemented to interact with infrastructure RADIUS servers.
The Enterasys Wireless Controller provides authentication using:
Captive Portal - a browser-based mechanism that forces users to a Web page
RADIUS (using IEEE 802.1x)
The 802.1x mechanism is a standard for authentication developed within the 802.11 standard. This mechanism is implemented at the wireless port, blocking all data traffic between the wireless device and the network until authentication is complete. Authentication by 802.1x standard uses Extensible Authentication Protocol (EAP) for the message exchange between the Enterasys Wireless Controller and the RADIUS server.
When 802.1x is used for authentication, the Enterasys Wireless Controller provides the capability to dynamically assign per-wireless-device WEP keys (called per-session WEP keys in 802.11). In the case of WPA, the Enterasys Wireless Controller is not involved in key assignment. Instead, the controller is involved in the information exchange between RADIUS server and the user's wireless device to negotiate the appropriate set of keys. With WPA2 the material exchange produces a Pairwise Master Key which is used by the AP and the user to derive their temporal keys. (The keys change over time.)
The Enterasys Wireless Controller, Access Points and Convergence Software solution provides a RADIUS redundancy feature that enables you to define a failover RADIUS server in the event that the active RADIUS server becomes unresponsive.
Privacy
Privacy is a mechanism that protects data over wireless and wired networks, usually by encryption techniques.
Enterasys Wireless Controller, Access Points and Convergence Software supports the Wired Equivalent Privacy (WEP) standard common to conventional access points.
It also provides Wi-Fi Protected Access version 1 (WPA v.1) encryption, based on Pairwise Master Key (PMK) and Temporal Key Integrity Protocol (TKIP). The most secure encryption mechanism is WPA version 2, using Advanced Encryption Standard (AES).
When VNS components are set up on the Enterasys Wireless Controller, among other things, a range of IP addresses is set aside for the Enterasys Wireless Controller's DHCP server to assign to wireless devices.
If the OSPF routing protocol is enabled, the Enterasys Wireless Controller advertises the routed topologies as reachable segments to the wired network infrastructure. The controller routes traffic between the wireless devices and the wired network.
The Enterasys Wireless Controller also supports VLAN-bridged assignment for VNSs. This allows the controller to directly bridge the set of wireless devices associated with a WLAN service directly to a specified core VLAN.
Each Enterasys Wireless Controller model can support a specified number of active VNSs, as listed below:
C5110 - Up to 128 VNSs
C4110 - Up to 64 VNSs
C2400 - Up to 64 VNSs
C20 - Up to 8 VNSs
C20N - Up to 8 VNSs
C25 - Up to 32 VNSs
CRBT8210 - Up to 16 VNSs
CRBT8110 - Up to 8 VNSs
Figure 1-5
Table 1-1
Step 1
The Enterasys Wireless Controller forwards to the NAC Gateway an access-request message for the client laptop, which is identified by its MAC address. The NAC Gateway forwards the access-request to the RADIUS server. The NAC Gateway acts like a RADIUS proxy server.
The RADIUS server evaluates the access-request and sends an Access-Accept message back to the NAC. The NAC receives the access-accept packet. Using its local database, the NAC determines the correct policy to apply to this client laptop and updates the access-accept packet with the policy assignment. The updated Access-Accept message is forwarded to the Enterasys Wireless Controller and Wireless AP.
The Enterasys Wireless Controller and Wireless AP apply policy against the client laptop accordingly. The Enterasys Wireless Controller assigns a set of filters to the client laptop's session and the Wireless AP allows the client laptop access to the network.
Table 1-1
Step 5 6
When the NAC determines that the client laptop is ready for a different policy assignment, it sends a disconnect message (RFC 3576) to the Enterasys Wireless Controller. When the Enterasys Wireless Controller receives the disconnect message sent by the NAC, the Enterasys Wireless Controller terminates the session for the client laptop. The Enterasys Wireless Controller forwards the command to terminate the client laptop's session to the Wireless AP, which disconnects the client laptop.
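The disconnect message in the last step is a RADIUS Disconnect-Request, and its only proof of origin is the Request Authenticator that RFC 3576 defines as an MD5 over the packet and the shared secret. The following is an added example, not code from the guide or from the controller, showing how a receiver can check that authenticator before acting on the request; the shared secret, user name and MAC address are constructed sample values.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40          # RFC 3576 packet code
ATTR_USER_NAME = 1               # RFC 2865 attribute types
ATTR_CALLING_STATION_ID = 31     # commonly carries the client MAC address
HEADER_LEN = 20                  # code(1) + id(1) + length(2) + authenticator(16)


def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS type-length-value attributes."""
    out = bytearray()
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += bytes([attr_type, len(value) + 2]) + value
    return bytes(out)


def decode_attrs(raw):
    """Decode RADIUS attributes, rejecting truncated or undersized ones."""
    attrs, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = raw[i], raw[i + 1]
        if attr_len < 3 or i + attr_len > len(raw):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, raw[i + 2:i + attr_len]))
        i += attr_len
    return attrs


def request_authenticator(code, ident, attrs_raw, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs_raw))
    return hashlib.md5(header + b"\x00" * 16 + attrs_raw + secret).digest()


def build_disconnect_request(ident, attrs, secret):
    """Build the packet as the sender (here, the NAC) would."""
    raw = encode_attrs(attrs)
    auth = request_authenticator(DISCONNECT_REQUEST, ident, raw, secret)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, HEADER_LEN + len(raw))
    return header + auth + raw


def verify_disconnect_request(packet, secret):
    """Return (accepted, reason, attrs) for a received Disconnect-Request."""
    if len(packet) < HEADER_LEN:
        return False, "packet shorter than RADIUS header", []
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST:
        return False, "not a Disconnect-Request", []
    if length < HEADER_LEN or length > len(packet):
        return False, "length field inconsistent with datagram", []
    packet = packet[:length]                 # octets beyond Length are padding
    expected = request_authenticator(code, ident, packet[HEADER_LEN:], secret)
    # Constant-time comparison of the received and recomputed authenticators.
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return False, "authenticator mismatch", []
    try:
        attrs = decode_attrs(packet[HEADER_LEN:])
    except ValueError as exc:
        return False, f"malformed attributes: {exc}", []
    return True, "ok", attrs


# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
SAMPLE = build_disconnect_request(
    ident=7,
    attrs=[(ATTR_USER_NAME, b"laptop-user"),
           (ATTR_CALLING_STATION_ID, b"00-00-5E-00-53-01")],
    secret=SECRET,
)

if __name__ == "__main__":
    print(verify_disconnect_request(SAMPLE, SECRET))
    print(verify_disconnect_request(SAMPLE, b"wrong-secret")[:2])
```

A request that fails this check should be dropped and logged with its source address, since a valid authenticator is the only evidence that the sender holds the shared secret.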
VNS Components
The distinct constituent high-level configurable umbrella elements of a VNS are:
Topology
Policy
WLAN Services
Topology
Topologies represent the networks with which the Enterasys Wireless Controller and its APs interact. The main configurable attributes of a topology are:
Name - a string of alphanumeric characters designated by the administrator.
VLAN ID - the VLAN identifier as specified in the IEEE 802.1Q definition.
VLAN tagging options.
Port of presence for the topology on the Enterasys Wireless Controller. (This attribute is not required for Routed and Bridged at AP topologies.)
Interface. This attribute is the IP (L3) address assigned to the Enterasys Wireless Controller on the network described by the topology. (Optional.)
Type. This attribute describes how traffic is forwarded on the topology. Options are:
Physical - the topology is the native topology of a data plane and it represents the actual Ethernet ports
Management - the native topology of the Enterasys Wireless Controller management port
Routed - the controller is the routing gateway for the routed topology.
Bridged at Controller - the user traffic is bridged (in the L2 sense) between wireless clients and the core network infrastructure.
Bridged at AP - the user traffic is bridged locally at the AP without being redirected to the Enterasys Wireless Controller.
Policy
A Policy is a collection of attributes and rules that determine actions taken when user traffic accesses the wired network through the WLAN service (associated to the WLAN Service's SSID). Depending upon its type, a VNS can have between 1 and 3 Authorization Policies associated with it:
1. Default non-authorized policy - This is a mandatory policy that covers all traffic from stations that have not authenticated. At the administrator's discretion the default non-authorized policy can be applied to the traffic of authenticated stations as well.
2. Default authorized policy - This is a mandatory policy that applies to the traffic of authenticated stations for which no other policy was explicitly specified. It can be the same as the default non-authorized policy.
3. Third-party AP policy - This policy applies to the list of MAC addresses corresponding to the wired interfaces of third-party APs specifically defined by the administrator to be providing the RF access as an AP WLAN Service. This policy is only relevant when applied to third-party AP WLAN Services.
WLAN Services
A WLAN Service represents all the RF, authentication and QoS attributes of a wireless access service offered by the Enterasys Wireless Controller and its APs. A WLAN Service can be one of three basic types:
Standard - A conventional service. Only APs running Enterasys Wireless software can be part of this WLAN Service. This type of service is usable as a Bridged at Controller, Bridged at AP, or Routed Topology. This type of service provides access for mobile stations. Policies can be associated with this type of WLAN service to create a VNS.
Third Party AP - A Wireless Service offered by third-party APs. This type of service provides access for mobile stations. Policies can be assigned to this type of WLAN service to create a VNS.
WDS - This represents a group of APs organized into a hierarchy for purposes of providing a Wireless Distribution Service. This type of service is in essence a wireless trunking service rather than a service that provides access for stations. As such, this type of service cannot have policies attached to it.
option conflicts with any of his other authentication or privacy choices, the WLAN Service cannot be enabled.
Routing
Routing can be used on the Enterasys Wireless Controller to support the VNS definitions. Through the user interface you can configure routing on the Enterasys Wireless Controller to use one of the following routing techniques:
Static routes - Use static routes to set the default route of an Enterasys Wireless Controller so that legitimate wireless device traffic can be forwarded to the default gateway.
Open Shortest Path First (OSPF, version 2) (RFC 2328) - Use OSPF to allow the Enterasys Wireless Controller to participate in dynamic route selection. OSPF is a protocol designed for medium and large IP networks with the ability to segment routes into different areas by routing information summarization and propagation. Static Route definition and OSPF dynamic learning can be combined, and the precedence of a static route definition over dynamic rules can be configured by selecting or clearing the Override dynamic routes option checkbox.
Next-hop routing - Use next-hop routing to specify a unique gateway to which traffic on a VNS is forwarded. Defining a next-hop for a VNS forces all the traffic in the VNS to be forwarded to the indicated network device, bypassing any routing definitions of the controller's route table.
Network Availability
The Enterasys Wireless Controller, Access Points and Convergence Software solution provides availability against Wireless AP outages, Enterasys Wireless Controller outages, and even network outages. The Enterasys Wireless Controller in a VLAN-bridged topology can potentially allow the user to retain the IP address in a failover scenario, if the VNS/VLAN is common to both controllers. For example, availability is provided by defining a paired controller configuration by
2
Configuring the Wireless AP
This chapter describes the Wireless access point (AP) and the Controller, Access Points and Convergence Software solution, including:
Wireless AP Overview
Discovery and Registration Overview
Adding and Registering a Wireless AP Manually
Configuring Wireless AP Settings
Configuring VLAN Tags for Wireless APs
Modifying a Wireless AP's Properties Based on a Default AP Configuration
Modifying the Wireless AP's Default Setting Using the Copy to Defaults Feature
Configuring Multiple Wireless APs Simultaneously
Configuring Co-located APs in Load Balance Groups
Configuring an AP Cluster
Converting the Enterasys Wireless AP to Standalone Mode
Configuring an AP as a Sensor
Performing Wireless AP Software Maintenance
Wireless AP Overview
The Wireless AP uses the 802.11 wireless standards (802.11a/b/g/n) for network communications and bridges network traffic to an Ethernet LAN. The Wireless AP runs proprietary software that allows it to communicate only with the Enterasys Wireless Controller.
The Wireless AP physically connects to a LAN infrastructure and establishes an IP connection to the Enterasys Wireless Controller, which manages the Wireless AP configuration through the Enterasys Wireless Assistant. The Enterasys Wireless Controller also provides centralized management (verification and upgrade) of the Wireless AP firmware image.
A UDP-based protocol enables communication between the Wireless AP and the Enterasys Wireless Controller. The UDP-based protocol encapsulates IP traffic from the Wireless AP and directs it to the Enterasys Wireless Controller. The Enterasys Wireless Controller decapsulates the packets and routes them to the appropriate destinations, while managing sessions and applying policies.
Each model, except for the AP4102/4102C APs, has two radios - Radio 1 and Radio 2. Figure 2-1 shows a block diagram of the Enterasys Standard Wireless AP equipped with external antennas.
Radio 1 and Radio 2 are connected to both external antennas EA1 and EA2.
The following is a block diagram of the Enterasys Standard Wireless AP equipped with external antennas.
Figure 2-1 Enterasys Standard Wireless APs Baseband
5GHz radio supporting the 802.11a standard - The 802.11a standard is an extension to 802.11 that applies to wireless LANs and provides up to 54Mbps in the 5GHz band. The 802.11a standard uses an orthogonal frequency division multiplexing encoding scheme, rather than Frequency Hopping Spread Spectrum (FHSS) or Direct Sequence Spread Spectrum (DSSS).
2.4GHz radio supporting the 802.11b/g standards - The 802.11g standard applies to wireless LANs and specifies a transmission rate of 54Mbps. The 802.11b (High Rate) standard is an extension to 802.11 that specifies a transmission rate of 11Mbps. Since 802.11g uses the same communication frequency range as 802.11b (2.4GHz), 802.11g devices can coexist with 802.11b devices on the same network.
The radios are enabled or disabled through the Enterasys Wireless Assistant. Both radios can be enabled to offer service simultaneously. For more information, see Modifying Wireless AP 2610/2620 Radio Properties on page 2-53.
The Unlicensed National Information Infrastructure (UNII) bands are three frequency bands of 100MHz each in the 5GHz band, designated for short-range, high-speed, wireless networking communication.
The Wireless AP supports the full range of 802.11a:
5.15 to 5.25GHz - UNII Low Band
5.25 to 5.35GHz - UNII Middle Band
5.47 to 5.725GHz - UNII 2+
5.725 to 5.825GHz - UNII High Band
The antenna selection automatically restricts channels and respective power settings according to certifications.
MIMO
The mainstay of 802.11 AP is MIMO (multiple input, multiple output), a technology that uses advanced signal processing with multiple antennas to improve the throughput. MIMO takes advantage of multipath propagation to decrease packet retries to improve the fidelity of the wireless network.
The 802.11n AP's MIMO radio sends out one or two radio signals through its three antennas. Each of these signals is called a spatial stream. Because the location of the antennas on the 802.11n AP is spaced out, each spatial stream follows a slightly different path to the client device. Furthermore, the two spatial streams get multiplied into several streams as they bounce off the obstructions in the vicinity. This phenomenon is called multipath. Since these streams are bounced from different surfaces, they follow different paths to the client device. The client device, which is also 802.11n compliant, also has multiple antennas. Each of the antennas independently decodes the arriving signal. Then each antenna's decoded signal is combined with the decoded signals from the other antennas. The software algorithm uses the redundancy to extract one or two spatial streams and enhances the streams' signal-to-noise ratio.
The client device too sends out one or two spatial streams through its multiple antennas. These spatial streams get multiplied into several streams as they bounce off the obstructions in the vicinity en route to the 802.11n AP. The 802.11n AP's MIMO receiver receives these multiple streams with three antennas. Each of the three antennas independently decodes the arriving signal. Then each antenna's decoded signal is combined with the decoded signals from the other antennas. The 802.11n AP's MIMO receiver again uses the redundancy to extract one or two spatial streams and enhances the streams' signal-to-noise ratio.
By using the multiple streams, MIMO doubles the throughput.
Figure 2-2 MIMO in Enterasys Wireless 802.11n AP
Note: MIMO should not be confused with the Diversity feature. While Diversity is the use of two antennas to increase the odds that a better radio stream is received on either of the antennas, MIMO antennas radiate and receive multi-streams of the same packet to achieve the increased throughput. The Diversity feature is meant to offset the liability of RF corruption, arising out of multipath, whereas MIMO converts the liability of multipath to its advantage.
Because the 802.11n AP operates with multiple antennas, it is capable of picking up even the weakest signals from the client devices.
Channel Bonding
In addition to MIMO technology, the 802.11n AP makes a number of additional changes to the radio to increase the effective throughput of the Wireless LAN. The radios of regular Enterasys
MAC Enhancements
The 802.11n AP also has an improved MAC layer protocol that reduces overhead (in the MAC layer protocol) and contention losses. This results in increased throughput.
Models
The Wireless 802.11n AP is available in the following models:
Model AP3605 - Six internal antennas
Model AP3610 - Six internal antennas
Model AP3620 - Three external antennas
Model AP3630 - Three internal antennas
Model AP3640 - Three external antennas
Note: Any Wireless 802.11n AP model number in the Hardware Version box on the Properties tab that ends with -1 is a Wireless 802.11n AP that has its DFS channels disabled. For more information, see Appendix B.
Environment
The Wireless 802.11n AP cannot be deployed in an outdoor environment.
Figure 2-3
2.4GHz radio supporting the 802.11b/g/n standard - When in legacy 802.11b/g mode, the AP36xx supports data rates up to 54Mbps, identical to the AP26xx. The modulation used is OFDM for 11g and CCK for 11b. In 802.11n mode there are 2 supported channel bandwidths, 20MHz and 40MHz. The AP36xx supports up to 300Mbps in 40MHz channels and 130Mbps in 20MHz channels. The modulation used is MIMO-OFDM with one or two spatial streams.
The radios are enabled or disabled through the Enterasys Wireless Assistant. For more information, see Modifying Wireless 802.11n AP 3610/3620 Radio Properties on page 2-39.
The Unlicensed National Information Infrastructure (UNII) bands are three frequency bands of 100MHz each in the 5GHz band, designated for short-range, high-speed, wireless networking communication.
The 802.11n AP supports the full range of frequencies available in the 5GHz band:
5150 to 5250MHz - UNII Low band
5250 to 5350MHz - UNII middle band
5470 to 5700MHz - UNII Worldwide
5725 to 5825MHz - UNII high band
Note: The Wireless 802.11n AP can achieve link rates of up to 300Mbps. To achieve this level of high link rates, specific items need to be configured through the Enterasys Wireless Assistant. For more information, see Achieving High Throughput with the Wireless 802.11n AP on page 2-51.
Static configuration - You can assign a static IP address to the Wireless AP, using the static configuration option. For more information, see the following section.
Note: You can establish a telnet or SSH session with the Wireless AP during the time window of 30 seconds when the Wireless AP returns to its default IP address mode. If a static IP address is assigned during this period, you must reboot the Wireless AP for the configuration to take effect. For more information, see Assigning a Static IP Address to the Wireless AP on page 2-10.
Table 2-4
Wireless AP Discovery
Wireless APs discover the IP address of an Enterasys Wireless Controller using a sequence of mechanisms that allow for the possible services available on the enterprise network. The discovery process is successful when the Wireless AP successfully locates an Enterasys Wireless Controller to which it can register.
Ensure that the appropriate services on your enterprise network are prepared to support the discovery process. The following steps summarize the discovery process:
1. Use the IP address of the last successful connection to an Enterasys Wireless Controller.
Once a Wireless AP has successfully registered with an Enterasys Wireless Controller, it recalls that controller's IP address, and uses that address on subsequent reboots. The Wireless AP bypasses discovery and goes straight to registration.
If this discovery method fails, it cycles through the remaining steps until successful.
2. Use the predefined static IP addresses for the Enterasys Wireless Controllers on the network (if configured).
You can specify a list of static IP addresses of the Enterasys Wireless Controllers on your network. On the Static Configuration tab, add the addresses to the Wireless Controller Search List.
Caution: Wireless APs configured with a static Wireless Controller Search List can only connect to Enterasys Wireless Controllers in the list. Improperly configured Wireless APs cannot connect to a non-existent Enterasys Wireless Controller address, and therefore cannot receive a corrected configuration.
3. Use DHCP Option 78 to locate a Service Location Protocol (SLP) Directory Agent (DA), followed by a unicast SLP request to the Directory Agent.
To use the DHCP and unicast SLP discovery method, you must ensure that the DHCP server on your network supports Option 78 (DHCP for SLP RFC 2610). The Wireless APs use this method to discover the Enterasys Wireless Controller.
This solution takes advantage of two services that are present on most networks:
DHCP (Dynamic Host Configuration Protocol) - The standard is a means of providing IP addresses dynamically to devices on a network.
SLP (Service Location Protocol) - A means of allowing client applications to discover network services without knowing their location beforehand. Devices advertise their services using a Service Agent (SA). In larger installations, a Directory Agent (DA) collects information from SAs and creates a central repository (SLP RFC 2608).
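Because this discovery step trusts whatever Directory Agent addresses the DHCP lease carries, it is worth checking what a given scope actually hands out. The following added example (not from the guide) parses a DHCP options field, decodes Option 78 as laid out in RFC 2610 (one "mandatory" byte followed by IPv4 addresses) and compares the Directory Agents against an expected list; the option bytes, the vendor class string and the addresses are constructed sample values.

```python
from __future__ import annotations

import ipaddress

OPT_PAD, OPT_END = 0, 255
OPT_VENDOR_SPECIFIC, OPT_VCI, OPT_SLP_DA = 43, 60, 78


class OptionError(ValueError):
    """The DHCP options field is malformed."""


def parse_options(data: bytes) -> dict[int, bytes]:
    """Walk the option TLVs that follow the DHCP magic cookie into {code: value}."""
    opts: dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise OptionError(f"option {code}: missing length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise OptionError(f"option {code}: truncated value")
        # A repeated option code is concatenated (long-option encoding, RFC 3396).
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def parse_slp_da(value: bytes) -> tuple[bool, list[str]]:
    """Decode Option 78: mandatory flag, then one or more 4-byte IPv4 addresses."""
    if len(value) < 5 or (len(value) - 1) % 4:
        raise OptionError("option 78: length must be 1 + 4*n with n >= 1")
    if value[0] not in (0, 1):
        raise OptionError("option 78: mandatory byte must be 0 or 1")
    addrs = [str(ipaddress.IPv4Address(value[j:j + 4]))
             for j in range(1, len(value), 4)]
    return value[0] == 1, addrs


def audit_offer(options: bytes, expected_das: set[str]) -> dict:
    """Summarise the discovery-related options and flag unexpected Directory Agents."""
    opts = parse_options(options)
    report = {
        "vci": opts[OPT_VCI].decode("ascii", "replace") if OPT_VCI in opts else None,
        "has_option_43": OPT_VENDOR_SPECIFIC in opts,
        "mandatory": None,
        "das": [],
        "unexpected_das": [],
        "findings": [],
    }
    if OPT_SLP_DA not in opts:
        report["findings"].append("Option 78 absent: DHCP/unicast SLP discovery cannot work")
        return report
    report["mandatory"], report["das"] = parse_slp_da(opts[OPT_SLP_DA])
    report["unexpected_das"] = [a for a in report["das"] if a not in expected_das]
    if report["unexpected_das"]:
        report["findings"].append(
            "Directory Agents not on the expected list: "
            + ", ".join(report["unexpected_das"]))
    missing = sorted(expected_das - set(report["das"]))
    if missing:
        report["findings"].append("Expected Directory Agents missing: " + ", ".join(missing))
    return report


# Constructed options field: Option 60 (VCI), Option 78 with two DAs, End.
SAMPLE_OPTIONS = (bytes([OPT_VCI, 10]) + b"EXAMPLE-AP"
                  + bytes([OPT_SLP_DA, 9, 0, 192, 0, 2, 10, 192, 0, 2, 11])
                  + bytes([OPT_END]))

if __name__ == "__main__":
    for line in audit_offer(SAMPLE_OPTIONS, {"192.0.2.10"})["findings"]:
        print(line)
```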
After you power on and boot the Wireless AP for the first time, you can configure LED behavior as described in Configuring Wireless AP LED Behavior.
Figure 2-4
Warning: Never disconnect a Wireless AP from its power supply during a firmware upgrade. Disconnecting a Wireless AP from its power supply during a firmware upgrade may cause firmware corruption rendering the AP unusable.
Center LED
The Center LED indicates the general status of the Wireless AP:
Table 2-5 Center LED and Wireless AP's Status
Center LED - Enterasys Wireless AP's status
Blinking Green - Initialization and discovery in progress via Ethernet link
Blinking Orange/Amber - Initialization and discovery in progress via WDS link
Blinking Red - Error during initialization/discovery process
Solid Red - Irrecoverable error
Solid Green - Discovery finished via Ethernet link
Solid Orange/Amber - Discovery finished via WDS link
Left LED
The Left LED indicates the high-level state of the Wireless AP during the initialization and discovery process:
Table 2-6
Left LED Off Blinking Green Solid Green
Blinking Green
Solid Green
Blinking Green
Off
Blinking Green
Solid Green
Solid Green
Off
Blinking Green
Solid Green
Note: The Left and Right LEDs turn on after the Center LED. This allows you to distinguish easily between the Center LED and the Left/Right LEDs.
Note: If the Center LED begins blinking RED, it indicates that the Wireless AP's state has failed.
Note: Random delays do not occur during normal reboot. A random delay only occurs after a vulnerable period power-down. The Wireless AP can be reset to its factory default settings. For more information, see the Enterasys Wireless Controller, Access Points and Convergence Software Maintenance Guide.
1 2 3 4
Radio 2 - Middle Antenna 12V DC Connector Status LEDs Radio 2 - Right Antenna
5 6 7
Note: The AP3660 provides six external antenna ports. The network administrator determines which antenna port will be used based on the external antenna selected. The AP3660 can also be configured to select the antenna that provides the best possible data transmission (diversity).
Table 2-10
LED 1 (Power)
Flashing Green
2 (Ethernet Link)
On Blue On Green
Indicates a valid 1Gbps Ethernet link. Indicates a valid 100Mbps Ethernet link.
On Red
3 (Wireless Link)
On Green
Flashing Green
Indicates the AP3660 is transmitting or receiving data. Indicates Radio 2 (2.4GHz) is enabled.
4 (Wireless Link)
On Green
Flashing Green
The R1, R2 and F LEDs work in conjunction to indicate the general, high-level and detailed state respectively. The remaining LEDs indicate link status.
Off
Solid Green
Off
Note: After discovery is finished, the Left and Right LEDs will be Green for Ethernet uplink, and Yellow for WDS uplink.
Note: If a fatal AP error occurs, the Status LED will be solid Red.
Table 2-12
RSS (dBm)
RSS < -84 -84 < RSS < -77 -77 < RSS < -70 -70 < RSS < -63 -63 < RSS < -56 -56 < RSS < -49 -49 < RSS < -42 RSS < -42
Off Off Off Off Off Off Blinking green Fast Blinking green
LED L1
LED L1 indicates the general state of the 802.11n AP:
Table 2-14
L1 Blink Green Blink Amber Blink Red Solid Green Solid Amber
LEDs L3 and L4
LEDs L3 and L4 indicate the detailed state of the Wireless AP. LEDs L1, L3, and L4 work in conjunction to indicate the general and detailed state of the 802.11n AP.
Table 2-15 provides a composite view of the three LEDs and the corresponding state of the 802.11n AP:
Table 2-15
L3 Off
LEDs L3, L4 and L1, and Wireless 802.11n APs Detailed State
L4 Off Blink Green L1 Blink Green Blink Green Blink Red Solid Green Blink Green Blink Red Blink Amber Enterasys Wireless 802.11n APs detailed state Initialization: Power-on self test (POST)
Table 2-15
L3 Blink Green
LEDs L3, L4 and L1, and Wireless 802.11n APs Detailed State (continued)
L4 Off L1 Blink Green / Orange Blink Red Blink Green Blink Green / Amber Blink Red Solid Green Blink Green / Amber Blink Red Enterasys Wireless 802.11n APs detailed state Network discovery: 802.1x authentication Failed 802.1x authentication Network discovery: DHCP Default IP address Network discovery: HWC discovery / connect Discovery failed Connecting to HWC: Registration Registration failed Connecting to HWC: Image upgrade AP operating normally: Forced image upgrade Image upgrade failed Connecting to HWC: Configuration Configuration failed
Solid Green
Off
Blink Green
Solid Green
LED L2
The LED L2 indicates the status of the Ethernet port:
Table 2-17
L2 Off Solid Blue Solid Green
Table 2-17
L2 Solid Amber
Note: A 10 Mb Ethernet connection is considered a warning state since it is not sufficient to sustain a single radio in the legacy 11g or 11a modes.
Note: The LEDs on the AP3605 do not indicate WDS signal strength.
Status LED
The Status LED indicates the general status of the access point.
Table 2-19
Status LED Blink green Blink amber Solid green
Blink green
Off
Table 2-21
Radio B/G LED Solid Green
RSS < -84 -84 < RSS < -77 -77 < RSS < -70 -70 < RSS < -63 RSS < -63
Table 2-23
LED Mode
To Configure the AP LED Operational Mode When Configuring an Individual Wireless AP:
1. From the main menu, click Wireless AP Configuration. The Enterasys Wireless AP screen displays.
2. In the left-hand pane, click All APs. The AP Configuration page displays with the AP Properties tab exposed.
3. In the second column from the left, select the appropriate
4. On the AP Properties tab, click the Advanced button. The Advanced window displays.
5. In the LED field, click the arrow and select an LED operational mode. See Table 2-23 for a description of each option.
To Set the AP LED Operational Mode When Using the AP Multi-edit Feature:
1. From the main menu, click Wireless AP Configuration. The Enterasys Wireless AP window displays.
2. In the left-hand pane, click AP Multi-edit. The AP Multi-edit window displays.
3. In the Wireless AP section, select one or more Wireless APs. The AP Configuration screen displays.
4. In the AP Configuration section, locate the LED field. Click the arrow and select an LED operational mode. See Table 2-23 for a description of each option.
The discovery process is the process by which the Wireless APs determine the IP address of the Enterasys Wireless Controller.
Security Mode
Security mode defines how the Enterasys Wireless Controller behaves when registering new, unknown devices. During the registration process, the Enterasys Wireless Controller's approval of the Wireless AP's serial number depends on the security mode that has been set:
Allow all Wireless APs to connect
Allow only approved Wireless APs to connect (this is also known as secure mode)
If Enterasys Wireless Controller does not recognize the AP, the AP's registration record is created in pending state (if within MDL limits). The administrator is required to manually approve a pending AP for it to provide active service. The pending AP receives minimum configuration, which only allows it to maintain an active link with the controller for future state change. The AP's radios are not configured or enabled. Pending APs are not eligible for configuration operations (VNS Assignment, default template, Radio parameters) until approved.
If the Enterasys Wireless Controller recognizes the serial number, the controller uses the existing registration record to authenticate the AP. Following successful authentication, the AP is configured according to its stored configuration record.
Note: During the initial setup of the network, Enterasys recommends that you select the Allow all Wireless APs to connect option. This option is the most efficient way to get a large number of Wireless APs registered with the Enterasys Wireless Controller. Once the initial setup is complete, Enterasys recommends that you reset the security mode to the Allow only approved Wireless APs to connect option. This option ensures that no unapproved Wireless APs are allowed to connect. For more information, see Configuring Wireless AP Settings on page 2-30.
Discovery Timers
The discovery timer parameters dictate the number of retry attempts and the time delay between each attempt.
3.
Once the discovery parameters are defined, you can connect the Wireless AP to a power source.
Table 2-24
Wireless AP
Power over Ethernet (802.3af) PoE enabled switch port PoE Injector Note: Use a 1 GB PoE injector to ensure optimum performance of the Enterasys Wireless 802.11n AP. Power by AC adaptor
Table 2-25
Field Serial #
Type the wireless AP's unique identifier.
Select the hardware model of this AP from the drop-down menu
Type a unique name for the Wireless AP that identifies the access point. The default value is the Wireless AP's serial number.
Select the role for this AP: access point or sensor. If the hardware type you select only supports the access point role, the items in the drop-down list may be view only. Not all wireless AP hardware types support the sensor role.
Role
Close
Clicktoclosethiswindow.
Modifying a Wireless AP's Status
3.
Pending - AP is removed from the Active list, and is forced into discovery.
Release - Release foreign Wireless APs after recovery from a failover. Releasing an AP corresponds to the Availability functionality. For more information, see Chapter 10, Availability and Session Availability.
Reboot - Reboot the AP without using Telnet or SSH to access it.
Delete - Releases the Wireless AP from the Enterasys Wireless Controller and deletes the Wireless AP's entry in the Enterasys Wireless Controller's management database.
Standalone Mode - The 802.11n AP running V7.31 or later converts from fit mode to standalone mode. For more information, see Converting the Enterasys Wireless AP to Standalone Mode on page 2-109.
Active Clients - Displays the number of wireless devices currently associated with the Wireless AP.
3.
Country - Click the country of operation. This option is only available with some licenses.
Note: The antenna you select determines the available channel list and the maximum transmitting power for the country in which the Wireless AP is deployed.
Default - This antenna setting is in place for existing installations upgraded to V7.21. As long as this setting is in place, you cannot change the Max Tx Power setting.
Telnet Access / SSH Access - Click to enable or disable telnet or SSH access to the Wireless AP.
Note: The name of this field depends on the type of Wireless AP that you have selected.
Location-based service - Enable or disable the AeroScout location-based service for the Wireless AP.
Maintain client session in event of poll failure - Select this option (if using a bridged at AP VNS) if the Wireless AP should remain active if a link loss with the controller occurs. This option is enabled by default.
Restart service in the absence of controller - Select this option (if using a bridged at AP VNS) to ensure the Wireless AP's radios continue providing service if the Wireless AP's connection to the Enterasys Wireless Controller is lost. If this option is enabled, it allows the Wireless AP to start a bridged at AP VNS even in the absence of an Enterasys Wireless Controller.
Use broadcast for disassociation - Select this option if you want the Wireless AP to use broadcast disassociation when disconnecting all clients, instead of disassociating each client one by one. This will affect the behavior of the Wireless AP under the following conditions:
  If the Wireless AP is preparing to reboot or to enter one of the special modes (DRM initial channel selection).
  If a BSSID is deactivated or removed on the Wireless AP.
5. Click Close. The Advanced dialog is closed.
6. To save your changes, click Save.
3. Modify the Wireless AP's information:
  Name - Type a unique name for the Wireless AP that identifies the AP. The default value is the Wireless AP's serial number.
  Host Name - This value, which is based on AP Name, cannot be directly edited. This value depicts the AP Host Name value. If the AP Name value begins with a number, for example when it is the AP's serial number, the AP's model is prepended to the value. This value is used for tracking purposes on the DHCP server.
  Location - The location of the Wireless AP.
  Description - Type comments for the Wireless AP.
  Role - Click the role for the AP, either Access Point or Sensor. Once the AP is configured as a Sensor, the AP no longer performs RF services and is no longer managed by the Enterasys Wireless Controller. For more information, see Configuring an AP as a Sensor on page 2-110.
4. To save your changes, click Save.
4. 5.
The DRM feature consists of three functions:
Auto Channel Selection (ACS) - ACS provides an easy way to optimize channel arrangement based on the current situation in the field. ACS provides an optimal solution only if it is triggered on all Wireless APs in a deployment. Triggering ACS on a single Wireless AP or on a subset of Wireless APs provides a useful but suboptimal solution. Also, ACS only relies on the information observed at the time it is triggered. Once a Wireless AP has selected a channel, it will remain operating on that channel until the user changes the channel or triggers ACS.
ACS can be triggered by one of the following events:
  A new Wireless AP registers with the Enterasys Wireless Controller and the AP Default Settings channel is Auto.
  A user selects Auto from the Request New Channel drop-down list on the Wireless AP's radio configuration tabs.
  A user selects Auto from the Channel drop-down list on the AP Multi-edit screen.
  If Dynamic Channel Selection (DCS) is enabled in active mode and a DCS threshold is exceeded.
  A Wireless AP detects radar on its current operating channel and it employs ACS to select a new channel.
Channel Plan - If ACS is enabled, you can define a channel plan for the Wireless AP. Defining a channel plan allows you to limit which channels are available for use during an ACS scan. For example, you may want to avoid using specific channels because of low power, regulatory domain, or radar interference. Select from the following options:
  Depending on the radio used, when defining a channel plan you can either create your customized channel plan by selecting individual channels or you can select a default 3 or 4 channel plan.
  You can use the channel plan to avoid transmission overlap on 40MHz channels of the Wireless 802.11n APs. To avoid channel overlap between Wireless 802.11n APs that operate on 40MHz channels, configure the channel plan for the 5GHz radio band to use every other channel available.
  If using half of the available channels is not an option for your environment, do not configure a channel plan. Instead, allow ACS to select from all available channels. This alternate solution may contribute to increased congestion on the extension channels.
Note: ACS in the 2.4GHz radio band with 40MHz channels is not recommended due to severe co-channel interference.
Dynamic Channel Selection (DCS) - DCS allows a Wireless AP to monitor traffic and noise levels on the channel on which the Wireless AP is currently operating. DCS can operate in two modes:
  Monitor - When DCS is enabled in monitor mode and traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated. The DCS monitor alarm is used for evaluating the RF environment of your deployed Wireless APs.
  Active - When DCS is enabled in active mode and traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated. In addition, the Wireless AP will cease operating on the current channel and ACS is employed to automatically select an alternate channel for the Wireless AP to operate on. DCS will not trigger channel changes on neighboring Wireless APs.
Note: If DCS is enabled, DCS statistics can be viewed in the Wireless Statistics by Wireless APs display. For more information, see Chapter 14, Working with Reports and Displays.
Channel Bonding
Channel bonding improves the effective throughput of the wireless LAN. In contrast to the Wireless AP 26xx which uses radio channel spacings that are only 20MHz wide, the Wireless 802.11n AP can use two channels at the same time to create a 40MHz wide channel. To achieve a 40MHz channel width, the Wireless 802.11n AP employs channel bonding: two 20MHz channels at the same time.
The 40MHz channel width is achieved by bonding the primary channel (20MHz) with an extension channel that is either 20MHz above (bonding up) or 20MHz below (bonding down) the primary channel.
Depending on the Radio, channel bonding can be predefined:
  Radio 1 - Bonding pairs are predefined.
  Radio 2 - Channels can bond up or down as long as the band edge is not exceeded, but some channels have predefined bonding directions.
If the primary channel allows for only one of the bonding types (up or down), that channel bond type is displayed in the Channel Bonding drop-down list.
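The bonding arithmetic above, worked through as an added example (not from the guide or from Enterasys software): it shows which directions the band edge leaves open on 2.4GHz, why a 40MHz channel crowds a 1/6/11 plan, and why every other 5GHz channel avoids overlap. Function names and channel lists are hypothetical, and the 5GHz pairing (36+40, 44+48, and so on) is the standard 802.11n pairing assumed as a stand-in for the predefined Radio 1 pairs, which the guide does not list.

```python
# Added example: 40 MHz bonding arithmetic. Names and channel lists are assumptions.

CH_2G4_NA = range(1, 12)                   # constructed: 2.4 GHz channels 1-11
CH_5G = [36, 40, 44, 48, 52, 56, 60, 64]   # constructed: 5 GHz 20 MHz channels


def centre_mhz(channel, band):
    """Centre frequency; channel numbers step in 5 MHz units in both bands."""
    return (2407 if band == "2.4" else 5000) + 5 * channel


def bonding_options(primary, allowed=CH_2G4_NA):
    """Band-edge rule for Radio 2: a direction is usable only if the extension
    channel (20 MHz = 4 channel numbers away) is still an allowed channel.
    Vendor-predefined directions for individual channels are not modelled."""
    options = []
    if primary + 4 in allowed:
        options.append("Up")
    if primary - 4 in allowed:
        options.append("Down")
    return options


def span(primary, direction, band):
    """(low, high) edges in MHz; direction None means a plain 20 MHz channel."""
    centres = [centre_mhz(primary, band)]
    if direction:
        ext = primary + 4 if direction == "Up" else primary - 4
        centres.append(centre_mhz(ext, band))
    return min(centres) - 10, max(centres) + 10


def overlaps(a, b):
    """True when two (low, high) spans share spectrum; touching edges do not."""
    return a[0] < b[1] and b[0] < a[1]


def blocked_2g4(primary, direction, plan=(1, 6, 11)):
    """Channels of a 20 MHz plan that a bonded 2.4 GHz channel overlaps."""
    wide = span(primary, direction, "2.4")
    return [ch for ch in plan if overlaps(wide, span(ch, None, "2.4"))]


def pair_direction(channel, channels=CH_5G):
    """Assumed predefined pairs: even list position bonds up, odd bonds down."""
    return "Up" if channels.index(channel) % 2 == 0 else "Down"


def conflicts_5g(plan):
    """Pairs of primaries in the plan whose bonded 40 MHz spans overlap."""
    spans = {ch: span(ch, pair_direction(ch), "5") for ch in plan}
    chans = sorted(spans)
    return [(a, b) for i, a in enumerate(chans) for b in chans[i + 1:]
            if overlaps(spans[a], spans[b])]


if __name__ == "__main__":
    for ch in CH_2G4_NA:
        print("2.4GHz channel", ch, "can bond", bonding_options(ch))
    print("primary 6 bonded up overlaps plan channels", blocked_2g4(6, "Up"))
    print("all 5GHz channels in plan:", conflicts_5g(CH_5G))
    print("every other 5GHz channel:", conflicts_5g(CH_5G[::2]))
```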
Guard Interval
The guard intervals ensure that individual transmissions do not interfere with one another. The Wireless 802.11n AP provides a shorter guard interval that increases the channel throughput. When a 40MHz channel is used, you can select the guard interval to improve the channel efficiency. The guard interval is selected from the Guard Interval drop-down list. Longer guard periods reduce the channel efficiency.
Antenna Selection
The Wireless 802.11n AP has three antennas: left, middle, and right. The illustration below identifies the left and right antennas.
Left antenna
Right antenna
4. If applicable, click the Radio 1 tab.
5.
6.
Channel Bonding - Click the bonding method, Up or Down. The primary channel (20MHz) is bonded with an extension channel that is either 20MHz above (bonding up) or 20MHz below (bonding down) the primary channel. Note that the available choices for Channel Bonding in the drop-down list may depend on the channel first selected in Request New Channel.
Guard Interval - Click a guard interval, Long or Short, when a 40MHz channel is used. Enterasys recommends that you use a short guard interval in small rooms (for example, a small office space) and a long guard interval in large rooms (for example, a conference hall).
Max Tx Power - Click the maximum Tx power level to which the range of transmit power can be adjusted: 0 to 24 dBm. Enterasys recommends that you select 24 dBm to use the entire range of potential Tx power.
Note: In reality, the lowest achievable power level is 5 dBm for the Wireless 802.11n AP 3610 and 2 dBm for the Wireless 802.11n AP 3620. If you assign a lower value, it will automatically default to the lowest achievable level.
Note: The following fields are view only.
Current Channel - The actual channel the ACS has assigned to the Wireless AP radio. The Current Channel value and the Last Requested Channel value may be different because the ACS automatically assigns the best available channel to the Wireless AP, ensuring that a Wireless AP's radio is always operating on the best available channel.
Last Requested Channel - The last wireless channel that you had selected to communicate with the wireless devices.
Current Tx Power Level - The actual Tx power level assigned to the Wireless AP radio.
Channel Plan - If ACS is enabled, you can define a channel plan for the Wireless AP. Defining a channel plan allows you to limit which channels are available for use during an ACS scan. For example, you may want to avoid using specific channels because of low power, regulatory domain, or radar interference. Click one of the following:
  All channels - ACS scans all channels for an operating channel and returns both DFS and non-DFS channels, if available.
  All Non-DFS Channels - ACS scans all non-DFS channels for an operating channel. This selection is available when there is at least one DFS channel supported for the selected country.
  Custom - To configure individual channels from which the ACS will select an operating channel, click Configure. The Custom Channel Plan dialog displays. By default, all channels participate in the channel plan. Click the individual channels you want to include in the channel plan. To select contiguous channels, use the Shift key. To select multiple, non-contiguous channels in the list, use the CTRL key. Click OK to save the configuration.
Antenna Selection - Click the antenna, or antenna combination, you want to configure on this radio.
Note: The antennas listed are the only antennas approved for use with the AP. The pull down list contains currently available WS-XXXXX antennas as well as legacy antenna part numbers that may have been in use prior to the v7.11 release.
Note: When you configure the Wireless 802.11n AP to use specific antennas, the transmission power is recalculated; the Current Tx Power Level value for the radio is automatically adjusted to reflect the recent antenna configuration. It takes approximately 30 seconds for the change to the Current Tx Power Level value to be reflected in the Enterasys Wireless Assistant. Also, the radio is reset which may cause client connections on this radio to be lost.
7. To modify Radio 1 advanced settings, click Advanced. The Advanced dialog is displayed.
8. In the Advanced dialog Base Settings section, do the following:
  DTIM Period - Type the desired DTIM (Delivery Traffic Indication Message) period, the number of beacon intervals between two DTIM beacons. To ensure the best client power savings, use a large number. Use a small number to minimize broadcast and multicast delay. The default value is 5.
  Beacon Period - Type the desired time, in milliseconds, between beacon transmissions. The default value is 100 milliseconds.
  RTS/CTS Threshold - Type the packet size threshold, in bytes, above which the packet will be preceded by an RTS/CTS (Request to Send/Clear to Send) handshake. The default value is 2346, which means all packets are sent without RTS/CTS. Reduce this value only if necessary.
  Frag. Threshold - Type the fragment size threshold, in bytes, above which the packets will be fragmented by the Wireless AP prior to transmission. The default value is 2346, which means all packets are sent unfragmented. Reduce this value only if necessary.
  Max % of non-unicast traffic per Beacon period - Enter the maximum percentage of time that the AP will transmit non-unicast packets (broadcast and multicast traffic) for each configured Beacon Period. For each non-unicast packet transmitted, the system calculates the airtime used by each packet and drops all packets that exceed the configured maximum percentage. By restricting non-unicast traffic, you limit the impact of broadcasts and multicasts on overall system performance.
  Maximum Distance - Enter a value from 100 to 15,000 meters that identifies the maximum link distance between APs that participate in a WDS. This value ensures that the acknowledgement of communication between APs does not exceed the timeout value predefined by the 802.11 standard. The default value is 100 meters. If the link distance between APs is greater than 100 meters, configure the maximum distance up to 15,000 meters so that the software increases the timeout value proportionally with the distance between APs. Do not change the default setting for the radio that provides service to 802.11 clients only.
9. In the Advanced dialog Basic Radio Settings section, do the following:
  Dynamic Channel Selection - To enable Dynamic Channel Selection, click one of the following:
    Monitor Mode - If traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated.
    Active Mode - If traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated. In addition, the Wireless AP will cease operating on the current channel and ACS is employed to automatically select an alternate channel for the Wireless AP to operate on.
  DCS Noise Threshold - Type the noise interference level, measured in dBm, after which ACS will scan for a new operating channel for the Wireless AP if the threshold is exceeded.
  DCS Channel Occupancy Threshold - Type the channel utilization level, measured as a percentage, after which ACS will scan for a new operating channel for the Wireless AP if the threshold is exceeded.
  DCS Update Period - Type the time, measured in minutes, that determines the period during which the Wireless AP averages the DCS Noise Threshold and DCS Channel Occupancy Threshold measurements. If either one of these thresholds is exceeded, then the Wireless AP will trigger ACS.
10. In the Advanced dialog 11n Settings section, do the following:
  Protection Mode - Click a protection mode: Enabled or Disabled. This protects high throughput transmissions on primary channels from non-11n APs and clients. Click Disabled if non-11n APs and clients are not expected. Click Enabled if you expect many non-11n APs and clients. The overall throughput is reduced when Protection Mode is enabled.
  40MHz Protection Mode - Click a protection type, CTS Only or RTS CTS, or None, when a 40MHz channel is used. This protects high throughput transmissions on extension channels from interference from non-11n APs and clients.
  40MHz Prot. Channel Offset - Select a 20MHz channel offset if the deployment is using channels that are 20MHz apart (for example, using channels 1, 5, 9, and 13) or a 25MHz channel offset if the deployment is using channels that are 25MHz apart (for example, using channels 1, 6, and 11).
  40MHz Channel Busy Threshold - Type the extension channel threshold percentage, which if exceeded, will disable transmissions on the extension channel (40MHz).
  Aggregate MSDUs - Click an aggregate MSDU mode: Enabled or Disabled. Aggregate MSDU increases the maximum frame transmission size.
  Aggregate MSDU Max Length - Type the maximum length of the aggregate MSDU. The value range is 2290-4096 bytes.
  Aggregate MPDUs - Click an aggregate MPDU mode: Enabled or Disabled. Aggregate MPDU provides a significant improvement in throughput.
  Aggregate MPDU Max Length - Type the maximum length of the aggregate MPDU. The value range is 1024-65535 bytes.
  Agg. MPDU Max # of Subframes - Type the maximum number of subframes of the aggregate MPDU. The value range is 2-64.
  ADDBA Support - Click an ADDBA support mode: Enabled or Disabled. ADDBA, or block acknowledgement, provides acknowledgement of a group of frames instead of a single frame. ADDBA Support must be enabled if Aggregate MPDU is enabled.
11. Click Close. The Advanced dialog is closed.
12. Click Save to save your changes.
13. If applicable, click the Radio 2 tab.
14. In the Base Settings section, do the following:
  Admin Mode - Select On to enable the radio; select Off to disable the radio.
  Radio Mode - Click one of the following radio options:
    off - Click to disable Radio 2.
    b - Click to enable the 802.11b-only mode of Radio 2. If selected, the AP will use only 11b (CCK) rates with all associated clients.
    g - Click to enable the 802.11g-only mode of Radio 2.
    b/g - Click to enable both the 802.11g mode and the 802.11b mode of Radio 2. If selected, the AP will use 11b (CCK) and 11g-specific (OFDM) rates with all of the associated clients. The AP will not transmit or receive 11n rates.
    g/n - Click to enable both the 802.11g mode and the 802.11n mode of Radio 2. If selected, the AP will use 11n and 11g-specific (OFDM) rates with all of the associated clients. The AP will not transmit or receive 11b rates.
15. In the Basic Radio Settings section, do the following:
  RF Domain - Type a string that uniquely identifies a group of APs that cooperate in managing RF channels and transmission power levels. The maximum length of the string is 16 characters. The RF Domain is used to identify a group of Wireless APs.
  Request New Channel - Click the wireless channel you want the Wireless 802.11n AP to use to communicate with wireless devices. Click Auto to request the ACS to search for a new channel for the Wireless 802.11n AP, using a channel selection algorithm. This forces the Wireless 802.11n AP to go through the auto-channel selection process again.
Note: ACS in the 2.4GHz radio band with 40MHz channels is not recommended due to severe co-channel interference.
Channel Plan - If ACS is enabled, you can define a channel plan for the Wireless AP. Defining a channel plan allows you to limit which channels are available for use during an ACS scan. For example, you may want to avoid using specific channels because of low power, regulatory domain, or radar interference. Click one of the following:
  3 Channel Plan - ACS will scan the following channels: 1, 6, and 11 in North America, and 1, 7, and 13 in most other parts of the world.
  4 Channel Plan - ACS will scan the following channels: 1, 4, 7, and 11 in North America, and 1, 5, 9, and 13 in most other parts of the world.
  Auto - ACS will scan the default channel plan channels: 1, 6, and 11 in North America, and 1, 5, 9, and 13 in most other parts of the world.
  Custom - If you want to configure individual channels from which the ACS will select an operating channel, click Configure. The Add Channels dialog is displayed. Click the individual channels you want to add to the channel plan while pressing the CTRL key, and then click OK.
Antenna Selection - Click the antenna, or antenna combination, you want to configure on this radio.
Note: The antennas listed are the only antennas approved for use with the AP. The pull down list contains currently available WS-XXXXX antennas as well as legacy antenna part numbers that may have been in use prior to the v7.11 release.
Note: When you configure the Wireless 802.11n AP to use specific antennas, the transmission power is recalculated; the Current Tx Power Level value for the radio is automatically adjusted to reflect the recent antenna configuration. It takes approximately 30 seconds for the change to the Current Tx Power Level value to be reflected in the Enterasys Wireless Assistant. Also, the radio is reset which may cause client connections on this radio to be lost.
16. To modify Radio 2 advanced settings, click Advanced. The Advanced dialog is displayed.
17. In the Advanced dialog Base Settings section, do the following:
  DTIM Period - Type the desired DTIM (Delivery Traffic Indication Message) period, the number of beacon intervals between two DTIM beacons. To ensure the best client power savings, use a large number. Use a small number to minimize broadcast and multicast delay. The default value is 5.
  Beacon Period - Type the desired time, in milliseconds, between beacon transmissions. The default value is 100 milliseconds.
  RTS/CTS Threshold - Type the packet size threshold, in bytes, above which the packet will be preceded by an RTS/CTS (Request to Send/Clear to Send) handshake. The default value is 2346, which means all packets are sent without RTS/CTS. Reduce this value only if necessary.
  Frag. Threshold - Type the fragment size threshold, in bytes, above which the packets will be fragmented by the Wireless AP prior to transmission. The default value is 2346, which means all packets are sent unfragmented. Reduce this value only if necessary.
  Max % of non-unicast traffic per Beacon period - Enter the maximum percentage of time that the AP will transmit non-unicast packets (broadcast and multicast traffic) for each configured Beacon Period. For each non-unicast packet transmitted, the system calculates the airtime used by each packet and drops all packets that exceed the configured maximum percentage. By restricting non-unicast traffic, you limit the impact of broadcasts and multicasts on overall system performance.
  Maximum Distance - Enter a value from 100 to 15,000 meters that identifies the maximum link distance between APs that participate in a WDS. This value ensures that the acknowledgement of communication between APs does not exceed the timeout value predefined by the 802.11 standard. The default value is 100 meters. If the link distance between APs is greater than 100 meters, configure the maximum distance up to 15,000 meters so that the software increases the timeout value proportionally with the distance between APs. Do not change the default setting for the radio that provides service to 802.11 clients only.
18. In the Advanced dialog Basic Radio Settings section, do the following:
  Dynamic Channel Selection - To enable Dynamic Channel Selection, click one of the following:
    Monitor Mode - If traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated.
    Active Mode - If traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated. In addition, the Wireless AP will cease operating on the current channel and ACS is employed to automatically select an alternate channel for the Wireless AP to operate on.
  DCS Noise Threshold - Type the noise interference level, measured in dBm, after which ACS will scan for a new operating channel for the Wireless AP if the threshold is exceeded.
  DCS Channel Occupancy Threshold - Type the channel utilization level, measured as a percentage, after which ACS will scan for a new operating channel for the Wireless AP if the threshold is exceeded.
  DCS Update Period - Type the time, measured in minutes, that determines the period during which the Wireless AP averages the DCS Noise Threshold and DCS Channel Occupancy Threshold measurements. If either one of these thresholds is exceeded, then the Wireless AP will trigger ACS.
20. In the Advanced dialog 11g Settings section, do the following:
  Protection Mode - Click a protection mode: None, Auto, or Always. The default and recommended setting is Auto. Click None if 11b APs and clients are not expected. Click Always if you expect many 11b-only clients.
  Protection Rate - Click a protection rate: 1, 2, 5.5, or 11 Mbps. The default and recommended setting is 11. Only reduce the rate if there are many 11b clients in the environment or if the deployment has areas with poor coverage. For example, rates lower than 11 Mbps are required to ensure coverage.
  Protection Type - Click a protection type: CTS Only or RTS CTS. The default and recommended setting is CTS Only. Click RTS CTS only if an 11b AP that operates on the same channel is detected in the neighborhood, or if there are many 11b-only clients in the environment.
Note: The overall throughput is reduced when Protection Mode is enabled, due to the additional overhead caused by the RTS/CTS. The overhead is minimized by setting Protection Type to CTS Only and Protection Rate to 11 Mbps. The overhead causes the overall throughput to be sometimes lower than if just 11b mode is used. If there are many 11b clients, Enterasys recommends that you disable 11g support (11g clients are backward compatible with 11b APs). An alternate approach, although potentially a more expensive method, is to dedicate all APs on a channel for 11b (for example, disable 11g on these APs) and disable 11b on all other APs. The difficulty with this method is that the number of APs must be increased to ensure coverage separately for 11b and 11g clients.
non-11n APs and clients. The overall throughput is reduced when Protection Mode is enabled.
  40MHz Protection Mode - Click a protection type, CTS Only or RTS CTS, or None, when a 40MHz channel is used. This protects high throughput transmissions on extension channels from interference from non-11n APs and clients.
  40MHz Prot. Channel Offset - Select a 20MHz channel offset if the deployment is using channels that are 20MHz apart (for example, using channels 1, 5, 9, and 13) or a 25MHz channel offset if the deployment is using channels that are 25MHz apart (for example, using channels 1, 6, and 11).
  40MHz Channel Busy Threshold - Type the extension channel threshold percentage, which if exceeded, will disable transmissions on the extension channel (40MHz).
  Aggregate MSDUs - Click an aggregate MSDU mode: Enabled or Disabled. Aggregate MSDU increases the maximum frame transmission size.
  Aggregate MSDU Max Length - Type the maximum length of the aggregate MSDU. The value range is 2290-4096 bytes.
  Aggregate MPDUs - Click an aggregate MPDU mode: Enabled or Disabled. Aggregate MPDU provides a significant improvement in throughput.
  Aggregate MPDU Max Length - Type the maximum length of the aggregate MPDU. The value range is 1024-65535 bytes.
  Agg. MPDU Max # of Subframes - Type the maximum number of subframes of the aggregate MPDU. The value range is 2-64.
  ADDBA Support - Click an ADDBA support mode: Enabled or Disabled. ADDBA, or block acknowledgement, provides acknowledgement of a group of frames instead of a single frame. ADDBA Support must be enabled if Aggregate MPDU is enabled.
Note: Some client devices do not support 40MHz in b/g/n mode. To accommodate these clients, you must enable a/n mode on the Radio 1 tab. Otherwise, the client device will connect at only 130Mbps.
In the Guard Interval drop-down list, click Short.
In the 11g Settings section, click None in the Protection Mode drop-down list.
Note: Do not disable 802.11g protection mode if you have 802.11b or 802.11g client devices using this Wireless AP; instead, configure only Radio 1 for high throughput unless it is acceptable to achieve less than maximum 802.11n throughput on Radio 2.
4.
5. 6.
7.
8. 9.
4. If applicable, click the Radio 1 tab.
5.
6.
In the Basic Radio Settings section, do the following:
  RF Domain - Type a string that uniquely identifies a group of APs that cooperate in managing RF channels and transmission power levels. The maximum length of the string is 16 characters. The RF Domain is used to identify a group of Wireless APs.
  Request New Channel - Click the wireless channel you want the Wireless AP to use to communicate with wireless devices. Click Auto to request the ACS to search for a new channel for the Wireless AP, using a channel selection algorithm. This forces the Wireless AP to go through the auto-channel selection process again. Depending on the regulatory domain (based on country), some channels may be restricted. The default value is based on North America. For more information, see Appendix B.
  Auto Tx Power Ctrl (ATPC) - Select to enable ATPC. ATPC automatically adapts transmission power signals according to the coverage provided by the Wireless APs. After a period of time, the system will stabilize itself based on the RF coverage of your Wireless APs.
Note: If you disable ATPC, you can elect to maintain using the current Tx power setting ATPC had established. If you elect to maintain using the ATPC power setting, the displayed Current Tx Power Level value becomes the new Max Tx Power value for the Wireless AP.
Channel Plan - If ACS is enabled, you can define a channel plan for the Wireless AP. Defining a channel plan allows you to limit which channels are available for use during an ACS scan. For example, you may want to avoid using specific channels because of low power, regulatory domain, or radar interference. Click one of the following:
  All channels - ACS scans all channels for an operating channel and returns both DFS and non-DFS channels, if available.
  All Non-DFS Channels - ACS scans all non-DFS channels for an operating channel. This selection is available when there is at least one DFS channel supported for the selected country.
  Custom - To configure individual channels from which the ACS will select an operating channel, click Configure. The Custom Channel Plan dialog displays. By default, all channels participate in the channel plan. Click the individual channels you want to include in the channel plan. To select contiguous channels, use the Shift key. To select multiple, non-contiguous channels in the list, use the CTRL key. Click OK to save the configuration.
7. To modify Radio 1 advanced settings, click Advanced. The Advanced dialog is displayed.
8. In the Advanced dialog Base Settings section, do the following:
  DTIM Period - Type the desired DTIM (Delivery Traffic Indication Message) period, the number of beacon intervals between two DTIM beacons. To ensure the best client power savings, use a large number. For example, 5. Use a small number to minimize broadcast and multicast delay. The default value is 5.
  Beacon Period - Type the desired time, in milliseconds, between beacon transmissions. The default value is 100 milliseconds.
  RTS/CTS Threshold - Type the packet size threshold, in bytes, above which the packet will be preceded by an RTS/CTS (Request to Send/Clear to Send) handshake. The default value is 2346, which means all packets are sent without RTS/CTS. Reduce this value only if necessary.
  Frag. Threshold - Type the fragment size threshold, in bytes, above which the packets will be fragmented by the Wireless AP prior to transmission. The default value is 2346, which means all packets are sent unfragmented. Reduce this value only if necessary.
  Max % of non-unicast traffic per Beacon period - Enter the maximum percentage of time that the AP will transmit non-unicast packets (broadcast and multicast traffic) for each configured Beacon Period. For each non-unicast packet transmitted, the system calculates the airtime used by each packet and drops all packets that exceed the configured maximum percentage. By restricting non-unicast traffic, you limit the impact of broadcasts and multicasts on overall system performance.
  Maximum Distance - Enter a value from 100 to 15,000 meters that identifies the maximum link distance between APs that participate in a WDS. This value ensures that the acknowledgement of communication between APs does not exceed the timeout value predefined by the 802.11 standard. The default value is 100 meters. If the link distance between APs is greater than 100 meters, configure the maximum distance up to 15,000 meters so that the software increases the timeout value proportionally with the distance between APs. Do not change the default setting for the radio that provides service to 802.11 clients only.
9. In the Advanced dialog Basic Radio Settings section, do the following:
  Dynamic Channel Selection - To enable Dynamic Channel Selection, click one of the following:
    Monitor Mode - If traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated.
    Active Mode - If traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated. In addition, the Wireless AP will cease operating on the current channel and ACS is employed to automatically select an alternate channel for the Wireless AP to operate on.
  DCS Noise Threshold - Type the noise interference level, measured in dBm, after which ACS will scan for a new operating channel for the Wireless AP if the threshold is exceeded.
  DCS Channel Occupancy Threshold - Type the channel utilization level, measured as a percentage, after which ACS will scan for a new operating channel for the Wireless AP if the threshold is exceeded.
  DCS Update Period - Type the time, measured in minutes, that determines the period during which the Wireless AP averages the DCS Noise Threshold and DCS Channel Occupancy Threshold measurements. If either one of these thresholds is exceeded, then the Wireless AP will trigger ACS.
  Rx Diversity - Click Best for the best signal from both antennas, or Left or Right to choose either of the two diversity antennas. The default and recommended selection is Best. If only one antenna is connected, use the corresponding Left or Right diversity setting. Do not use Best if two identical antennas are not used.
  Tx Diversity - Click Alternate for the best signal from both antennas, or Left or Right to choose either of the two diversity antennas. The default selection is Alternate that maximizes performance for most clients. However, some clients may behave oddly with Tx Diversity set to Alternate. Under those circumstances, Enterasys recommends that you use either Left or Right for Tx Diversity. If only one antenna is connected, use the corresponding Left or Right diversity setting. Do not use Alternate if two identical antennas are not used.
  Total # of Retries for Background BK - Click the number of retries for the Background transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
  Total # of Retries for Best Effort BE - Click the number of retries for the Best Effort transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
  Total # of Retries for Video VI - Click the number of retries for the Video transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
  Total # of Retries for Voice VO - Click the number of retries for the Voice transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
  Total # of Retries for Turbo Voice TVO - Click the number of retries for the Turbo Voice transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
10. Click Close. The Advanced dialog is closed.
Enterasys Wireless Controller, Access Points, and Convergence Software User Guide
11. If applicable, click the Radio 2 tab.
12. In the Base Settings section, do the following:
- Admin Mode: Select On to enable the radio; select Off to disable the radio.
- Radio Mode: Click one of the following radio options:
  - b: Click to enable the 802.11b-only mode of Radio 2. If selected, the AP will use only 11b (CCK) rates with all associated clients.
  - g: Click to select the 802.11g-only mode of Radio 2. If selected, the AP will not accept associations from 11b clients, but it will still use all CCK and OFDM 11g rates with its associated clients. To disable CCK rates, use the Min/Max Basic Rate and Max Operation Rate controls to select OFDM-only rates.
  - b/g: Click to enable both the 802.11g mode and the 802.11b mode of Radio 2. If selected, the AP will use 11b (CCK) and 11g-specific (OFDM) rates with all of the associated clients. The AP will not transmit or receive 11n rates.
Note: Depending on the radio modes you select, some of the radio settings may not be available for configuration.
13. In the Basic Radio Settings section, do the following:
- RF Domain: Type a string that uniquely identifies a group of APs that cooperate in managing RF channels and transmission power levels. The maximum length of the string is 16 characters. The RF Domain is used to identify a group of Wireless APs.
- Request New Channel: Click the wireless channel you want the Wireless AP to use to communicate with wireless devices. Click Auto to request the ACS to search for a new channel for the Wireless AP, using a channel selection algorithm. This forces the Wireless AP to go through the auto-channel selection process again. Depending on the regulatory domain (based on country), some channels may be restricted. The default value is based on North America. For more information, see Appendix B.
- Channel Plan: If ACS is enabled, you can define a channel plan for the Wireless AP. Defining a channel plan allows you to limit which channels are available for use during an ACS scan. For example, you may want to avoid using specific channels because of low power, regulatory domain, or radar interference. Click one of the following:
  - 3 Channel Plan: ACS will scan the following channels: 1, 6, and 11 in the US, and 1, 7, and 13 in Europe.
  - 4 Channel Plan: ACS will scan the following channels: 1, 4, 7, and 11 in the US, and 1, 5, 9, and 13 in Europe.
  - Auto: ACS will scan the default channel plan channels: 1, 6, and 11 in the US, and 1, 5, 9, and 13 in Europe.
  - Custom: If you want to configure individual channels from which the ACS will select an operating channel, click Configure. The Add Channels dialog is displayed. Click the individual channels you want to add to the channel plan while pressing the CTRL key, and then click OK.
- Min Basic Rate: Click the minimum data rate that must be supported by all stations in a BSS: 1, 2, 5.5, or 11 Mbps. If necessary, the Max Basic Rate choices adjust automatically to be higher or equal to the Min Basic Rate.
- Max Basic Rate: Click the maximum data rate that must be supported by all stations in a BSS: 1, 2, 5.5, or 11 Mbps. If necessary, the Max Basic Rate choices adjust automatically to be higher or equal to the Min Basic Rate.
- Max Operational Rate: Click the maximum data rate that clients can operate at while associated with the Wireless AP: 11, 12, 18, 24, 36, 48, or 54 Mbps. If necessary, the Max Operational Rate choices adjust automatically to be higher or equal to the Max Basic Rate.
14. To modify Radio 2 advanced settings, click Advanced. The Advanced dialog is displayed.
15. In the Advanced dialog Base Settings section, do the following:
- DTIM Period: Type the desired DTIM (Delivery Traffic Indication Message) period, the number of beacon intervals between two DTIM beacons. To ensure the best client power savings, use a large number. For example, 5. Use a small number to minimize broadcast and multicast delay. The default value is 5.
- Beacon Period: Type the desired time, in milliseconds, between beacon transmissions. The default value is 100 milliseconds.
- RTS/CTS Threshold: Type the packet size threshold, in bytes, above which the packet will be preceded by an RTS/CTS (Request to Send/Clear to Send) handshake. The default value is 2346, which means all packets are sent without RTS/CTS. Reduce this value only if necessary.
- Frag. Threshold: Type the fragment size threshold, in bytes, above which the packets will be fragmented by the Wireless AP prior to transmission. The default value is 2346, which means all packets are sent unfragmented. Reduce this value only if necessary.
- Max % of non-unicast traffic per Beacon period: Enter the maximum percentage of time that the AP will transmit non-unicast packets (broadcast and multicast traffic) for each configured Beacon Period. For each non-unicast packet transmitted, the system calculates the airtime used by each packet and drops all packets that exceed the configured maximum percentage. By restricting non-unicast traffic, you limit the impact of broadcasts and multicasts on overall system performance.
- Maximum Distance: Enter a value from 100 to 15,000 meters that identifies the maximum link distance between APs that participate in a WDS. This value ensures that the acknowledgement of communication between APs does not exceed the timeout value predefined by the 802.11 standard. The default value is 100 meters. If the link distance between APs is greater than 100 meters, configure the maximum distance up to 15,000 meters so that the software increases the timeout value proportionally with the distance between APs. Do not change the default setting for the radio that provides service to 802.11 clients only.
16. In the Advanced dialog Basic Radio Settings section, do the following:
- Dynamic Channel Selection: To enable Dynamic Channel Selection, click one of the following:
  - Monitor Mode: If traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated.
  - Active Mode: If traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated. In addition, the Wireless AP will cease operating on the current channel and ACS is employed to automatically select an alternate channel for the Wireless AP to operate on.
  - DCS Noise Threshold: Type the noise interference level, measured in dBm, after which ACS will scan for a new operating channel for the Wireless AP if the threshold is exceeded.
  - DCS Channel Occupancy Threshold: Type the channel utilization level, measured as a percentage, after which ACS will scan for a new operating channel for the Wireless AP if the threshold is exceeded.
  - DCS Update Period: Type the time, measured in minutes, that determines the period during which the Wireless AP averages the DCS Noise Threshold and DCS Channel Occupancy Threshold measurements. If either one of these thresholds is exceeded, then the Wireless AP will trigger ACS.
- Rx Diversity: Click Best for the best signal from both antennas, or Left or Right to choose either of the two diversity antennas. The default and recommended selection is Best. If only one antenna is connected, use the corresponding Left or Right diversity setting. Do not use Best if two identical antennas are not used.
- Tx Diversity: Click Alternate for the best signal from both antennas, or Left or Right to choose either of the two diversity antennas. The default selection is Alternate, which maximizes performance for most clients. However, some clients may behave oddly with Tx Diversity set to Alternate. Under those circumstances, Enterasys recommends that you use either Left or Right for Tx Diversity. If only one antenna is connected, use the corresponding Left or Right diversity setting. Do not use Alternate if two identical antennas are not used.
- Total # of Retries for Background BK: Click the number of retries for the Background transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
- Total # of Retries for Best Effort BE: Click the number of retries for the Best Effort transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
- Total # of Retries for Video VI: Click the number of retries for the Video transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
- Total # of Retries for Voice VO: Click the number of retries for the Voice transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
- Total # of Retries for Turbo Voice TVO: Click the number of retries for the Turbo Voice transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
18. In the Advanced dialog 11g Settings section, do the following:
- Protection Mode: Click a protection mode: None, Auto, or Always. The default and recommended setting is Auto. Click None if 11b APs and clients are not expected. Click Always if you expect many 11b-only clients.
- Protection Rate: Click a protection rate: 1, 2, 5.5, or 11 Mbps. The default and recommended setting is 11. Only reduce the rate if there are many 11b clients in the environment or if the deployment has areas with poor coverage. For example, rates lower than 11 Mbps are required to ensure coverage.
- Protection Type: Click a protection type: CTS Only or RTS CTS. The default and recommended setting is CTS Only. Click RTS CTS only if an 11b AP that operates on the same channel is detected in the neighborhood, or if there are many 11b-only clients in the environment.
Note: The overall throughput is reduced when Protection Mode is enabled, due to the additional overhead caused by the RTS/CTS. The overhead is minimized by setting Protection Type to CTS Only and Protection Rate to 11 Mbps. The overhead causes the overall throughput to be sometimes lower than if just 11b mode is used. If there are many 11b clients, Enterasys recommends that you disable 11g support (11g clients are backward compatible with 11b APs). An alternate approach, although a more expensive method, is to dedicate all APs on a channel for 11b (for example, disable 11g on these APs) and disable 11b on all other APs. The difficulty with this method is that the number of APs must be increased to ensure coverage separately for 11b and 11g clients.
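The "Max % of non-unicast traffic per Beacon period" setting described above works as a per-beacon-period airtime budget. The following sketch is an added example, not code from Enterasys: it models that budget so you can see how a broadcast burst is policed at different basic rates. The airtime formula (a fixed 192 microsecond long-preamble overhead plus payload bits at the transmit rate), the function names and the sample burst are assumptions; the guide does not give the formula the AP uses.

```python
# Added illustration of a per-beacon-period airtime cap for broadcast/multicast.
# Assumption: airtime ~= fixed PHY overhead + payload bits / rate. The guide
# does not document the exact calculation performed by the Wireless AP.

def frame_airtime_us(length_bytes, rate_mbps, overhead_us=192.0):
    """Approximate on-air time of one frame in microseconds."""
    return overhead_us + (length_bytes * 8) / rate_mbps


def police_non_unicast(frames, beacon_period_ms, max_pct, rate_mbps):
    """Apply the airtime cap to a list of (time_ms, length_bytes) frames.

    Returns (sent, dropped, used) where `used` maps each beacon-period
    index to the airtime in microseconds consumed by transmitted frames.
    """
    if not 0 <= max_pct <= 100:
        raise ValueError("max_pct must be a percentage")
    budget_us = beacon_period_ms * 1000.0 * max_pct / 100.0
    used = {}
    sent, dropped = [], []
    for t_ms, length in sorted(frames):
        period = int(t_ms // beacon_period_ms)
        cost = frame_airtime_us(length, rate_mbps)
        if used.get(period, 0.0) + cost > budget_us:
            dropped.append((t_ms, length))      # over budget for this period
        else:
            used[period] = used.get(period, 0.0) + cost
            sent.append((t_ms, length))
    return sent, dropped, used


# Constructed sample: twelve 1000-byte broadcasts in the first beacon period
# (one per millisecond) and one more in the second period.
BURST = [(float(t), 1000) for t in range(12)] + [(105.0, 1000)]

if __name__ == "__main__":
    for rate in (1.0, 11.0):
        sent, dropped, used = police_non_unicast(BURST, 100, 10, rate)
        print(f"{rate:>4} Mbps: sent={len(sent)} dropped={len(dropped)} "
              f"airtime_us={ {k: round(v) for k, v in used.items()} }")
```

With a 100 ms beacon period and a 10% cap, a single 1000-byte broadcast at 1 Mbps uses most of the budget, which is why the cap and the Min Basic Rate should be chosen together.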
Select a VLAN setting for the Wireless AP
Caution: Caution should be exercised when using this feature. For more information, see Configuring VLAN Tags for Wireless APs on page 2-66. If the Wireless AP VLAN is not configured properly (wrong tag), connecting to the Wireless AP may not be possible. To recover from this situation, you will need to reset the Wireless AP to its factory default settings. For more information, see the Enterasys Wireless Controller, Access Points and Convergence Software Maintenance Guide.
Select a method of IP address assignment for the Wireless AP
Note: For the initial configuration of a Wireless AP to use a static IP address assignment, the following is recommended: Allow the Wireless AP to first obtain an IP address using DHCP. By default, Wireless APs are configured to use the DHCP IP address configuration method. Allow the Wireless AP to connect to the Enterasys Wireless Controller using the DHCP assigned IP address. After the Wireless AP has successfully registered to the Enterasys Wireless Controller, use the Static Configuration tab to configure a static IP address for the Wireless AP, and then save the configuration. Once the static IP address has been configured on the Wireless AP, the Wireless AP can then be moved to its target location, if applicable. (A branch office scenario is an example of a setup that may require static IP assignment.)
Table 2-26
Field/Button: Description

Static Configuration
- Use DHCP
- Static Values
- IP Address
- Netmask
- Gateway

Ethernet Port
- Ethernet Speed: If the Wireless AP has an Ethernet port, select values in the Ethernet Speed and Ethernet Mode drop-down lists.
- Ethernet Mode: If the Wireless AP has an Ethernet port, select values in the Ethernet Speed and Ethernet Mode drop-down lists.
- Tunnel MTU: Enter a static MTU value, from 600 to 1500, in the Tunnel MTU box. If the Enterasys wireless software cannot discover the MTU size, it enforces the static MTU size. Set the MTU size to allow the source to reduce the packet size and avoid the need to fragment data packets in the tunnel.

Wireless Controller Search List
- Up: Select a controller and click the Up button to modify the order of the controllers. When an AP searches for a controller to register with, it begins with the first controller in the list.
- Down: Select a controller and click the Up button to modify the order of the controllers. When an AP searches for a controller to register with, it begins with the first controller in the list.
- Delete: Click to remove the controller from the list so that it can no longer control the Wireless AP.
- Add: In the Add box, type the IP address of the Enterasys Wireless Controller that will control this Wireless AP, then click the Add button to add the IP address to the list. Repeat this process to add the IP address of up to three controllers. This feature allows the Wireless AP to bypass the discovery process. If the Wireless Controller Search List box is not populated, the Wireless AP will use SLP unicast/multicast, DNS, or DHCP vendor option 43 to discover an Enterasys Wireless Controller. For the initial Wireless AP deployment, it is necessary to use one of the described options in Discovery and Registration Overview on page 2-10.

Copy to Defaults: To make this Wireless AP's configuration be the system's default AP settings, click Copy to Defaults. A pop-up dialog asking you to confirm the configuration change is displayed. To confirm resetting the system's default Wireless AP settings, click OK.
Reset to Defaults: If you have a Wireless AP that is already configured with its own settings, but would like the Wireless AP to be reset to use the system's default AP settings, use the Reset to Defaults feature.
Click to manually add and register a Wireless AP to the Enterasys Wireless Controller.
Click to save your changes.
5. To save your changes, click Save.
Note: The SSH Access section on the AP Registration screen is applicable to the 11n Wireless APs. The Telnet Access section is applicable to the Standard Wireless AP or the Enterasys Wireless Outdoor AP.
3.
4. 5.
Caution: If the switch port to which the Wireless AP is connected is not 802.1x enabled, the 802.1x authentication will not take effect.
802.1x authentication credentials can be updated at any time, whether or not the Wireless AP is connected with an active session. If the Wireless AP is connected, the new credentials are sent immediately. If the Wireless AP is not connected, the new credentials are delivered the next time the Wireless AP connects to the Enterasys Wireless Controller.
There are two main aspects to the 802.1x feature:
- Credential management: The Enterasys Wireless Controller and the Wireless AP are responsible for the requesting, creating, deleting, or invalidating the credentials used in the authentication process.
- Authentication: The Wireless AP is responsible for the actual execution of the EAP-TLS or PEAP protocol.
4.
5.
6.
Proxy Mode
In proxy mode, the Enterasys Wireless Controller generates the public and private key pair used in the certificate. You can specify the criteria used to create the Certificate Request. The Certificate Request that is generated by the Enterasys Wireless Controller is then used by the third-party Certificate Authentication application to create the certificate used for authentication of the Wireless AP. To successfully configure 802.1x authentication of a Wireless AP, the Wireless AP must first be configured for 802.1x authentication before the Wireless AP is deployed on an 802.1x enabled switch port.
5.
6. 7. 8. 9.
- Email address: The email address of the organization
Note: The password that was used to protect the private key must be a maximum of 31 characters long.
7.
The credentials are deleted and the Wireless AP settings are updated.
Note: If you attempt to delete the 802.1x credentials of a Wireless AP that currently does not have an active session with the Enterasys Wireless Controller, the credentials are only deleted after the Wireless AP connects with the Enterasys Wireless Controller.
2. In the left pane, click AP 802.1x Multi-edit.
3. In the Wireless APs list, click one or more Wireless APs to configure. To select multiple Wireless APs, click the Wireless APs from the list while pressing the CTRL key.
4. In the Certificate Signing Request section, type the following:
- Country name: The two-letter ISO abbreviation of the name of the country
- State or Province name: The name of the State/Province
- Locality name (city): The name of the city
- Organization name: The name of the organization
- Organizational Unit name: The name of the unit within the organization
- Common name: Click the value you want to assign as the common name of the Wireless AP:
  - Name: The name of the Wireless AP, which is assigned on the AP Properties tab. The Wireless AP name can be edited.
  - Serial: The serial number of the Wireless AP. The Wireless AP serial number cannot be edited.
  - MAC: The MAC address of the Wireless AP. The Wireless AP MAC address cannot be edited.
- Email address: The email address of the organization
5.
6. 7.
8.
9.
In the Bulk Certificate Upload section, click Browse. The Choose file window is displayed.
5.
3.
The Wireless AP is successful when it finds an Enterasys Wireless Controller that will allow it to register.
This feature allows the Wireless AP to bypass the discovery process. If the Wireless Controller Search List box is not populated, the Wireless AP will use SLP unicast/multicast, DNS, or DHCP vendor option 43 to discover an Enterasys Wireless Controller.
The DHCP function for wireless clients must be provided locally by a local DHCP server, unless each wireless client has a static IP address.
For the initial Wireless AP deployment, it is necessary to use one of the described options in Discovery and Registration Overview on page 2-10.
4. In the WLAN Assignments section, assign the Radios for each VNS in the list by selecting or clearing the option boxes.
5. To save your changes, click Save Settings.
4.
- Disable SNMP publishing, and proceed: Select this option to enable LLDP and disable SNMP, and then click OK.
5.
- RF Domain: Type a string that uniquely identifies a group of APs that cooperate in managing RF channels and transmission power levels. The maximum length of the string is 16 characters. The RF Domain is used to identify a group of Wireless APs.
- Auto Tx Power Ctrl: Click to either enable or disable ATPC from the Auto Tx Power Ctrl drop-down list. ATPC automatically adapts transmission power signals according to the coverage provided by the Wireless APs. After a period of time, the system will stabilize itself based on the RF coverage of your Wireless APs.
- Max Tx Power: Click the appropriate Tx power level from the Max TX Power drop-down list. The values in the Max TX Power drop-down are in dBm.
- Min Tx Power: If ATPC is enabled, click the minimum Tx power level to which the range of transmit power can be adjusted: 0 to 23 (b/g or b/g/n) or 24 (a or a/n) dBm. Enterasys recommends that you use 0 dBm if you do not want to limit the potential Tx power level range that can be used.
- Auto Tx Power Ctrl Adjust: If ATPC is enabled, click the Tx power level that can be used to adjust the ATPC power levels that the system has assigned. Enterasys recommends that you use 0 dBm during your initial configuration. If you have an RF plan that recommends Tx power levels for each Wireless AP, compare the actual Tx power levels your system has assigned against the recommended values your RF plan has provided. Use the Auto Tx Power Ctrl Adjust value to achieve the recommended values.
- Channel Plan: If ACS is enabled, you can define a channel plan for the Wireless AP. Defining a channel plan allows you to limit which channels are available for use during an ACS scan. For example, you may want to avoid using specific channels because of low power, regulatory domain, or radar interference.
  For Radio 1, click one of the following:
  - All channels: ACS scans all channels for an operating channel and returns both DFS and non-DFS channels, if available.
  - All Non-DFS Channels: ACS scans all non-DFS channels for an operating channel. This selection is available when there is at least one DFS channel supported for the selected country.
  - Custom: To configure individual channels from which the ACS will select an operating channel, click Configure. The Custom Channel Plan dialog displays. By default, all channels participate in the channel plan. Click the individual channels you want to include in the channel plan. To select contiguous channels, use the Shift key. To select multiple, non-contiguous channels in the list, use the CTRL key. Click OK to save the configuration.
  For Radio 2, click one of the following:
  - 3 Channel Plan: ACS will scan the following channels: 1, 6, and 11 in the US, and 1, 7, and 13 in Europe.
  - 4 Channel Plan: ACS will scan the following channels: 1, 4, 7, and 11 in the US, and 1, 5, 9, and 13 in Europe.
  - Auto: ACS will scan the default channel plan channels: 1, 6, and 11 in the US, and 1, 5, 9, and 13 in Europe.
  - Custom: If you want to configure individual channels from which the ACS will select an operating channel, click Configure. The Add Channels dialog is displayed. Click the individual channels you want to add to the channel plan while pressing the CTRL key, and then click OK.
6. 7.
- Remote Access: Click to Enable or Disable telnet or SSH access to the Wireless AP.
- Location-based service: Click to Enable or Disable location-based service on this Wireless AP. Location-based service allows you to use this Wireless AP with an AeroScout solution.
- Maintain client session in event of poll failure: Click to Enable or Disable (if using a bridged at AP VNS) if the AP should remain active if a link loss with the controller occurs. This option is enabled by default.
- Restart service in the absence of controller: Click to Enable or Disable (if using a bridged at AP VNS) to ensure the Wireless AP's radios continue providing service if the Wireless AP's connection to the Enterasys Wireless Controller is lost. If this option is
This option is disabled by default.
8. In the Advanced dialog Radio Settings section, do the following:
- DTIM: Type the desired DTIM (Delivery Traffic Indication Message) period, the number of beacon intervals between two DTIM beacons. To ensure the best client power savings, use a large number. For example, 5. Use a small number to minimize broadcast and multicast delay. The default value is 5.
- Beacon Period: Type the desired time, in milliseconds, between beacon transmissions. The default value is 100 milliseconds.
- RTS/CTS: Type the packet size threshold, in bytes, above which the packet will be preceded by an RTS/CTS (Request to Send/Clear to Send) handshake. The default value is 2346, which means all packets are sent without RTS/CTS. Reduce this value only if necessary.
- Frag. Threshold: Type the fragment size threshold, in bytes, above which the packets will be fragmented by the AP prior to transmission. The default value is 2346, which means all packets are sent unfragmented.
- Max % of non-unicast traffic per Beacon period: Enter the maximum percentage of time that the AP will transmit non-unicast packets (broadcast and multicast traffic) for each configured Beacon Period. For each non-unicast packet transmitted, the system calculates the airtime used by each packet and drops all packets that exceed the configured maximum percentage. By restricting non-unicast traffic, you limit the impact of broadcasts and multicasts on overall system performance.
- Maximum Distance: Enter a value from 100 to 15,000 meters that identifies the maximum link distance between APs that participate in a WDS. This value ensures that the acknowledgement of communication between APs does not exceed the timeout value predefined by the 802.11 standard. The default value is 100 meters. If the link distance between APs is greater than 100 meters, configure the maximum distance up to 15,000 meters so that the software increases the timeout value proportionally with the distance between APs. Do not change the default setting for the radio that provides service to 802.11 clients only.
- Dynamic Channel Selection: Click one of the following:
  - Off: Disables DCS.
  - Monitor Mode: If traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated.
  - Active Mode: If traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated. In addition, the Wireless AP will cease operating on the current channel and ACS is employed to automatically select an alternate channel for the Wireless AP to operate on.
  - DCS Noise Threshold: If DCS is enabled, type the noise interference level, measured in dBm, after which ACS will scan for a new operating channel for the Wireless AP if the threshold is exceeded.
  - DCS Channel Occupancy Threshold: If DCS is enabled, type the channel utilization level, measured as a percentage, after which ACS will scan for a new operating channel for the Wireless AP if the threshold is exceeded.
  - DCS Update Period: If DCS is enabled, type the time, measured in minutes, that determines the period during which the Wireless AP averages the DCS Noise Threshold and DCS Channel Occupancy Threshold measurements. If either one of these thresholds is exceeded, then the Wireless AP will trigger ACS.
- Rx Diversity: Click Best for the best signal from both antennas, or Left or Right to choose either of the two diversity receiving antennas. The default and recommended selection is Best. If only one antenna is connected, use the corresponding Left or Right diversity setting. Do not use Best if two identical antennas are not used.
- Tx Diversity: Click Alternate for the best signal from both antennas, or Left or Right to choose either of the two diversity receiving antennas. The default selection is Alternate that maximizes performance for most clients. However, some clients may behave oddly with Tx Diversity set to Alternate. Under those circumstances, Enterasys recommends that you use either Left or Right for Tx Diversity. If only one antenna is connected, use the corresponding Left or Right diversity setting. Do not use Alternate if two identical antennas are not used.
- Preamble: Click a preamble type for 11b-specific (CCK) rates: Short, Long, or Auto. The recommended value is Auto. Click Short if you are sure that there is no pre-11b AP or a client in the vicinity of this AP. Click Long if compatibility with pre-11b clients is required.
- Protection Mode: Click a protection mode: None, Auto, or Always. The default and recommended setting is Auto. Click None if 11b APs and clients are not expected. Click Always if you expect many 11b-only clients.
- Protection Rate: Click a protection rate: 1, 2, 5.5, or 11 Mbps. The default and recommended setting is 11. Only reduce the rate if there are many 11b clients in the environment or if the deployment has areas with poor coverage. For example, rates lower than 11 Mbps are required to ensure coverage.
- Protection Type: Click a protection type: CTS Only or RTS CTS. The default and recommended setting is CTS Only. Click RTS CTS only if an 11b AP that operates on the same channel is detected in the neighborhood, or if there are many 11b-only clients in the environment.
9. In the Advanced dialog Enhanced Rate Control section, do the following:
- Min Basic Rate: For each radio, click the minimum data rate that must be supported by all stations in a BSS: 1, 2, 5.5, or 11 Mbps for 11b and 11b+11g modes. Click 1, 2, 5.5, 6, 11, 12, or 24 Mbps for 11g-only mode. Click 6, 12, or 24 Mbps for 11a mode. If necessary, the Max Basic Rate choices adjust automatically to be higher or equal to the Min Basic Rate. If both Min Basic Rate and Max Basic Rate are set to an 11g-specific (OFDM) rate (for example, 6, 12, or 24 Mbps), all basic rates will be 11g-specific.
- Max Basic Rate: For each radio, click the maximum data rate that must be supported by all stations in a BSS: 1, 2, 5.5, or 11 Mbps for 11b and 11b+11g modes. Click 1, 2, 5.5, 6, 11, 12, or 24 Mbps for 11g-only mode. Click 6, 12, or 24 Mbps for 11a mode. If necessary, the Max Basic Rate choices adjust automatically to be higher or equal to the Min Basic Rate. If both Min Basic Rate and Max Basic Rate are set to an 11g-specific (OFDM) rate (for example, 6, 12, or 24 Mbps), all basic rates will be 11g-specific.
- Max Operational Rate: For each radio, click the maximum data rate that clients can operate at while associated with the AP: 1, 2, 5.5, or 11 Mbps for 11b-only mode. Click 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 28, or 54 Mbps for 11b+11g or 11g-only modes. Click 6, 9, 12, 18, 24, 36, 48, or 54 Mbps for 11a mode. If necessary, the Max Operational Rate choices adjust automatically to be higher or equal to the Min Basic Rate.
10. In the Advanced dialog No of Retries section, do the following:
- Background BK: For each radio, click the number of retries for the Background transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
- Best Effort BE: For each radio, click the number of retries for the Best Effort transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
- Video VI: For each radio, click the number of retries for the Video transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
- Voice VO: For each radio, click the number of retries for the Voice transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
- Turbo Voice TVO: For each radio, click the number of retries for the Turbo Voice transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
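The Dynamic Channel Selection settings in step 8 above (Off, Monitor Mode, Active Mode, the two thresholds and the update period) amount to a small decision procedure. The following sketch is an added example, not Enterasys code: it replays constructed per-minute readings through that procedure so you can see which windows raise an alarm and when the channel changes. The arithmetic averaging of dBm readings, the `acs_select` stand-in for ACS (least-occupied channel in the plan) and all names and sample values are assumptions.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class DcsConfig:
    mode: str                       # "off", "monitor" or "active"
    noise_threshold_dbm: float      # DCS Noise Threshold
    occupancy_threshold_pct: float  # DCS Channel Occupancy Threshold
    update_period_min: int          # DCS Update Period
    channel_plan: tuple             # channels ACS may select from


@dataclass
class Sample:
    minute: int
    noise_dbm: float
    occupancy_pct: float


@dataclass
class Event:
    minute: int        # minute that closed the update period
    reasons: tuple     # thresholds the period averages exceeded
    old_channel: int
    new_channel: int   # same as old_channel in Monitor Mode


def window_averages(samples, period):
    """Average noise and occupancy over each complete update period."""
    out = []
    for start in range(0, len(samples) - period + 1, period):
        chunk = samples[start:start + period]
        out.append((chunk[-1].minute,
                    mean(s.noise_dbm for s in chunk),
                    mean(s.occupancy_pct for s in chunk)))
    return out


def acs_select(plan, current, survey):
    """Assumed ACS stand-in: least-occupied plan channel other than the current one."""
    candidates = [c for c in plan if c != current]
    if not candidates:
        return current
    return min(candidates, key=lambda c: (survey.get(c, 100.0), c))


def run_dcs(cfg, channel, samples, survey):
    """Return (events, final_channel) after replaying the samples."""
    if cfg.mode not in ("off", "monitor", "active"):
        raise ValueError(f"unknown DCS mode: {cfg.mode}")
    events = []
    if cfg.mode == "off":
        return events, channel
    for minute, noise, occ in window_averages(samples, cfg.update_period_min):
        reasons = []
        if noise > cfg.noise_threshold_dbm:
            reasons.append("noise")
        if occ > cfg.occupancy_threshold_pct:
            reasons.append("occupancy")
        if not reasons:
            continue
        # Both modes raise the alarm and log; only Active Mode changes channel.
        new_channel = acs_select(cfg.channel_plan, channel, survey) \
            if cfg.mode == "active" else channel
        events.append(Event(minute, tuple(reasons), channel, new_channel))
        channel = new_channel
    return events, channel


def _mk(start, noise, occ):
    return [Sample(start + i, n, o) for i, (n, o) in enumerate(zip(noise, occ))]


# Constructed readings: a quiet period, five minutes of sustained
# interference, then a period containing a single one-minute spike.
SAMPLES = (_mk(0, [-92] * 5, [20] * 5)
           + _mk(5, [-70] * 5, [85] * 5)
           + _mk(10, [-90, -90, -60, -90, -90], [30, 30, 90, 30, 30]))
SURVEY = {1: 35.0, 6: 85.0, 11: 15.0}   # constructed per-channel occupancy

if __name__ == "__main__":
    for mode in ("monitor", "active"):
        cfg = DcsConfig(mode, -80.0, 60.0, 5, (1, 6, 11))
        print(mode, run_dcs(cfg, 6, SAMPLES, SURVEY))
```

Because the thresholds apply to the period average, the one-minute spike in the third window raises no alarm; shortening the update period makes DCS more sensitive to short bursts.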
3. Click the AP3605 AP3610 AP3620 AP3630 AP3640 AP3660 tab.
4.
Note: The Time to Live value cannot be directly edited. The Time to Live value is calculated as four times the Announcement Interval value.
5.
- RF Domain: Type a string that uniquely identifies a group of APs that cooperate in managing RF channels and transmission power levels. The maximum length of the string is 16 characters. The RF Domain is used to identify a group of Wireless APs.
- Guard Interval: Click a guard interval, Long or Short, when a 40 MHz channel is used. Enterasys recommends that you use a short guard interval in small rooms (for example, a small office space) and a long guard interval in large rooms (for example, a conference hall).
- Auto Tx Power Ctrl: Click to enable or disable ATPC from the Auto Tx Power Ctrl drop-down list. ATPC automatically adapts transmission power signals according to the coverage provided by the Wireless APs. After a period of time, the system will stabilize itself based on the RF coverage of your Wireless APs.
- Max Tx Power: Click the appropriate Tx power level from the Max TX Power drop-down list. The values in the Max TX Power drop-down are in dBm.
- Min Tx Power: If ATPC is enabled, click the minimum Tx power level to which the range of transmit power can be adjusted: 0 to 23 (b/g or b/g/n) or 24 (a or a/n) dBm. Enterasys recommends that you select 0 dBm to use the entire range of potential Tx power.
- Auto Tx Power Ctrl Adjust: If ATPC is enabled, click the Tx power level that can be used to adjust the ATPC power levels that the system has assigned. Enterasys recommends that you use 0 dBm during your initial configuration. If you have an RF plan that recommends Tx power levels for each Wireless AP, compare the actual Tx power levels your system has assigned against the recommended values your RF plan has provided. Use the Auto Tx Power Ctrl Adjust value to achieve the recommended values.
- Channel Plan: If ACS is enabled, you can define a channel plan for the Wireless AP. Defining a channel plan allows you to limit which channels are available for use during an ACS scan. For example, you may want to avoid using specific channels because of low power, regulatory domain, or radar interference.
  For Radio 1, click one of the following:
  - All channels: ACS scans all channels for an operating channel and returns both DFS and non-DFS channels, if available.
  - All Non-DFS Channels: ACS scans all non-DFS channels for an operating channel. This selection is available when there is at least one DFS channel supported for the selected country.
  - Custom: To configure individual channels from which the ACS will select an operating channel, click Configure. The Custom Channel Plan dialog displays. By default, all channels participate in the channel plan. Click the individual channels you want to include in the channel plan. To select contiguous channels, use the Shift key. To select multiple, non-contiguous channels in the list, use the CTRL key. Click OK to save the configuration.
  For Radio 2, click one of the following:
  - 3 Channel Plan: ACS will scan the following channels: 1, 6, and 11 in the US, and 1, 7, and 13 in Europe.
  - 4 Channel Plan: ACS will scan the following channels: 1, 4, 7, and 11 in the US, and 1, 5, 9, and 13 in Europe.
  - Auto: ACS will scan the default channel plan channels: 1, 6, and 11 in the US, and 1, 5, 9, and 13 in Europe.
  - Custom: If you want to configure individual channels from which the ACS will select an operating channel, click Configure. The Add Channels dialog is displayed. Click the individual channels you want to add to the channel plan while pressing the CTRL key, and then click OK.
- Antenna Selection: Click the antenna, or antenna combination, you want to configure on this radio.
Note: The antennas listed are the only antennas approved for use with the AP. The pull down list contains currently available WS-XXXXX antennas as well as legacy antenna part numbers that may have been in use prior to the v7.11 release.
6. 7.
- Remote Access: Click to Enable or Disable telnet or SSH access to the Wireless AP.
- Location-based service: Click to Enable or Disable location-based service on this Wireless AP. Location-based service allows you to use this Wireless AP with an AeroScout solution.
- Maintain client session in event of poll failure: Select this option (if using a bridged at AP VNS) if the AP should remain active if a link loss with the controller occurs. This option is enabled by default.
- Restart service in the absence of controller: Select this option (if using a bridged at AP VNS) to ensure the Wireless AP's radios continue providing service if the Wireless AP's connection to the Enterasys Wireless Controller is lost. If this option is enabled, it allows the Wireless AP to start a bridged at AP VNS even in the absence of an Enterasys Wireless Controller.
- Use broadcast for disassociation: Select if you want the Wireless AP to use broadcast disassociation when disconnecting all clients, instead of disassociating each client one by one. This will affect the behavior of the AP under the following conditions:
  - If the Wireless AP is preparing to reboot or to enter one of the special modes (DRM initial channel selection).
  - If a BSSID is deactivated or removed on the Wireless AP.
Thisoptionisdisabledbydefault. 8. IntheAdvanceddialogRadioSettingssection,dothefollowing: DTIMTypethedesiredDTIM(DeliveryTrafficIndicationMessage)periodthe numberofbeaconintervalsbetweentwoDTIMbeacons.Toensurethebestclientpower savings,usealargenumber.Forexample,5.Useasmallnumbertominimizebroadcast andmulticastdelay.Thedefaultvalueis5. BeaconPeriodTypethedesiredtime,inmilliseconds,betweenbeacontransmissions. Thedefaultvalueis100milliseconds. RTS/CTSTypethepacketsizethreshold,inbytes,abovewhichthepacketwillbe precededbyanRTS/CTS(RequesttoSend/CleartoSend)handshake.Thedefaultvalueis 2346,whichmeansallpacketsaresentwithoutRTS/CTS.Reducethisvalueonlyif necessary. Frag.ThresholdForeachradio,typethefragmentsizethreshold,inbytes,above whichthepacketswillbefragmentedbytheAPpriortotransmission.Thedefaultvalueis 2346,whichmeansallpacketsaresentunfragmented.Reducethisvalueonlyifnecessary. Max%ofnonunicasttrafficperBeaconperiodEnterthemaximumpercentageof timethattheAPwilltransmitnonunicastpackets(broadcastandmulticasttraffic)for eachconfiguredBeaconPeriod.Foreachnonunicastpackettransmitted,thesystem calculatestheairtimeusedbyeachpacketanddropsallpacketsthatexceedthe
2-86
configuredmaximumpercentage.Byrestrictingnonunicasttraffic,youlimittheimpact ofbroadcastsandmulticastsonoverallsystemperformance. MaximumDistanceEnteravaluefrom100to15,000metersthatidentifiesthe maximumlinkdistancebetweenAPsthatparticipateinaWDS.Thisvalueensuresthat theacknowledgementofcommunicationbetweenAPsdoesnotexceedthetimeoutvalue predefinedbythe802.11standard.Thedefaultvalueis100meters.Ifthelinkdistance betweenAPsisgreaterthan100meters,configurethemaximumdistanceupto15,000 meterssothatthesoftwareincreasesthetimeoutvalueproportionallywiththedistance betweenAPs. Donotchangethedefaultsettingfortheradiothatprovidesserviceto802.11clientsonly. DynamicChannelSelectionToenableDynamicChannelSelection,clickoneofthe following: MonitorModeIftrafficornoiselevelsexceedtheconfiguredDCSthresholds,an alarmistriggeredandaninformationlogisgenerated. ActiveModeIftrafficornoiselevelsexceedtheconfiguredDCSthresholds,an alarmistriggeredandaninformationlogisgenerated.Inaddition,theWirelessAP willceaseoperatingonthecurrentchannelandACSisemployedtoautomatically selectanalternatechannelfortheWirelessAPtooperateon.
DCSNoiseThresholdTypethenoiseinterferencelevel,measuredindBm,afterwhich ACSwillscanforanewoperatingchannelfortheWirelessAPifthethresholdis exceeded. DCSChannelOccupancyThresholdTypethechannelutilizationlevel,measuredasa percentage,afterwhichACSwillscanforanewoperatingchannelfortheWirelessAPif thethresholdisexceeded. DCSUpdatePeriodTypethetime,measuredinminutesthatdeterminestheperiod duringwhichtheWirelessAPaveragestheDCSNoiseThresholdandDCSChannel OccupancyThresholdmeasurements.Ifeitheroneofthesethresholdsisexceeded,then theWirelessAPwilltriggerACS. PreambleClickapreambletypefor11bspecific(CCK)rates:Short,Long,orAuto.The recommendedvalueisAuto.ClickShortifyouaresurethatthereisnopre11bAPora clientinthevicinityofthisAP.ClickLongifcompatibilitywithpre11bclientsisrequired. ProtectionModeClickaprotectionmode:None,Auto,orAlways.Thedefaultand recommendedsettingisAuto.ClickNoneif11bAPsandclientsarenotexpected.Click Alwaysifyouexpectmany11bonlyclients. ProtectionRateClickaprotectionrate:1,2,5.5,or11Mbps.Thedefaultand recommendedsettingis11.Onlyreducetherateiftherearemany11bclientsinthe environmentorifthedeploymenthasareaswithpoorcoverage.Forexample,rateslower than11Mbpsarerequiredtoensurecoverage. ProtectionTypeClickaprotectiontype:CTSOnlyorRTSCTS.Thedefaultand recommendedsettingisCTSOnly.ClickRTSCTSonlyifan11bAPthatoperatesonthe samechannelisdetectedintheneighborhood,oriftherearemany11bonlyclientsinthe environment.
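The "Max % of non-unicast traffic per Beacon period" setting above bounds how much airtime a broadcast or multicast flood can take from clients. The following is an added example, not Enterasys code: a simplified model of that per-beacon-period budget. The airtime formula (payload bits divided by PHY rate, ignoring preamble and contention overhead), the 20% cap and the sample frames are assumptions constructed for illustration.

```python
"""Simplified model of a per-beacon-period cap on non-unicast airtime.

Assumption (not from the guide): airtime = payload bits / PHY rate.
Preamble, interframe spacing and contention overhead are ignored.
"""
from dataclasses import dataclass


@dataclass
class Frame:
    t_ms: float        # time the frame is queued, in milliseconds
    size_bytes: int    # frame size
    rate_mbps: float   # PHY rate used to transmit the frame
    unicast: bool      # False for broadcast and multicast frames


def airtime_ms(size_bytes, rate_mbps):
    """Airtime of one frame in milliseconds (1 Mbps = 1000 bits per ms)."""
    return (size_bytes * 8) / (rate_mbps * 1000.0)


def limit_non_unicast(frames, max_pct, beacon_period_ms=100):
    """Return "send" or "drop" for each frame, in time order.

    Unicast frames are never dropped by this control. A non-unicast frame is
    dropped when it would push the non-unicast airtime used in its beacon
    period above max_pct percent of that period.
    """
    budget_ms = beacon_period_ms * max_pct / 100.0
    used_ms = {}  # beacon period index -> non-unicast airtime already spent
    decisions = []
    for frame in sorted(frames, key=lambda f: f.t_ms):
        if frame.unicast:
            decisions.append("send")
            continue
        period = int(frame.t_ms // beacon_period_ms)
        cost = airtime_ms(frame.size_bytes, frame.rate_mbps)
        if used_ms.get(period, 0.0) + cost > budget_ms:
            decisions.append("drop")
        else:
            used_ms[period] = used_ms.get(period, 0.0) + cost
            decisions.append("send")
    return decisions


def max_frames_per_period(size_bytes, rate_mbps, max_pct, beacon_period_ms=100):
    """How many equal-sized non-unicast frames fit in one period's budget."""
    budget_ms = beacon_period_ms * max_pct / 100.0
    return int(budget_ms // airtime_ms(size_bytes, rate_mbps))


# Constructed sample traffic: a burst of broadcasts at 1 Mbps plus one
# unicast frame, spanning two 100 ms beacon periods.
SAMPLE_FRAMES = [
    Frame(0, 1500, 1.0, unicast=False),     # 12 ms of airtime
    Frame(10, 1500, 1.0, unicast=False),    # would reach 24 ms of a 20 ms budget
    Frame(20, 500, 1.0, unicast=False),     # 4 ms, total 16 ms
    Frame(30, 1500, 54.0, unicast=True),    # unicast is not counted
    Frame(40, 600, 1.0, unicast=False),     # 4.8 ms, would reach 20.8 ms
    Frame(110, 1500, 1.0, unicast=False),   # next beacon period, fresh budget
]

if __name__ == "__main__":
    for frame, verdict in zip(SAMPLE_FRAMES, limit_non_unicast(SAMPLE_FRAMES, 20)):
        print(frame.t_ms, frame.size_bytes, "unicast" if frame.unicast else "non-unicast", verdict)
    # The same 20% cap admits far fewer frames at a low transmit rate.
    print(max_frames_per_period(1500, 1.0, 20), max_frames_per_period(1500, 11.0, 20))
```

The frame count from `max_frames_per_period` shows why the cap interacts with the rate settings in the Enhanced Rate Control section: the lower the rate at which non-unicast frames are sent, the fewer of them fit inside the same percentage.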
40MHz Protection Mode - Click a protection type, CTS Only or RTS CTS, or None, when a 40MHz channel is used. This protects high throughput transmissions on extension channels from interference from non-11n APs and clients.
40MHz Prot. Channel Offset - Select a 20MHz channel offset if the deployment is using channels that are 20MHz apart (for example, using channels 1, 5, 9, and 13) or a 25MHz channel offset if the deployment is using channels that are 25MHz apart (for example, using channels 1, 6, and 11).
40MHz Channel Busy Threshold - Type the extension channel threshold percentage, which if exceeded, will disable transmissions on the extension channel (40MHz).
Aggregate MSDUs - Click an aggregate MSDU mode: Enabled or Disabled. Aggregate MSDU increases the maximum frame transmission size.
Aggregate MSDU Max Length - Type the maximum length of the aggregate MSDU. The value range is 2290-4096 bytes.
Aggregate MPDUs - Click an aggregate MPDU mode: Enabled or Disabled. Aggregate MPDU provides a significant improvement in throughput.
Aggregate MPDU Max Length - Type the maximum length of the aggregate MPDU. The value range is 1024-65535 bytes.
Agg. MPDU Max # of Subframes - Type the maximum number of subframes of the aggregate MPDU. The value range is 2-64.
ADDBA Support - Click an ADDBA support mode: Enabled or Disabled. ADDBA, or block acknowledgement, provides acknowledgement of a group of frames instead of a single frame. ADDBA Support must be enabled if Aggregate MPDU is enabled.
3. Click the AP2650 AP2660 W786 tab.
Note: The Time to Live value cannot be directly edited. The Time to Live value is calculated as four times the Announcement Interval value.
RF Domain - Type a string that uniquely identifies a group of APs that cooperate in managing RF channels and transmission power levels. The maximum length of the string is 16 characters. The RF Domain is used to identify a group of Wireless APs.
Auto Tx Power Ctrl - Click to either enable or disable ATPC from the Auto Tx Power Ctrl drop-down list. ATPC automatically adapts transmission power signals according to the coverage provided by the Wireless APs. After a period of time, the system will stabilize itself based on the RF coverage of your Wireless APs.
Max Tx Power - Click the appropriate Tx power level from the Max TX Power drop-down list. The values in the Max TX Power drop-down are in dBm.
Min Tx Power - If ATPC is enabled, click the minimum Tx power level to which the range of transmit power can be adjusted: 0 to 23 (b/g or b/g/n) or 24 (a or a/n) dBm. Enterasys recommends that you select 0 dBm to use the entire range of potential Tx power.
Auto Tx Power Ctrl Adjust - If ATPC is enabled, click the Tx power level that can be used to adjust the ATPC power levels that the system has assigned. Enterasys recommends that you use 0 dBm during your initial configuration. If you have an RF plan that recommends Tx power levels for each Wireless AP, compare the actual Tx power levels your system has assigned against the recommended values your RF plan has provided. Use the Auto Tx Power Ctrl Adjust value to achieve the recommended values.
Channel Plan - If ACS is enabled you can define a channel plan for the Wireless AP. Defining a channel plan allows you to limit which channels are available for use during an ACS scan. For example, you may want to avoid using specific channels because of low power, regulatory domain, or radar interference.
  If you have set the radio to 802.11a, click one of the following:
    All channels - ACS scans all channels for an operating channel and returns both DFS and non-DFS channels, if available.
    All Non-DFS Channels - ACS scans all non-DFS channels for an operating channel. This selection is available when there is at least one DFS channel supported for the selected country.
    Custom - To configure individual channels from which the ACS will select an operating channel, click Configure. The Custom Channel Plan dialog displays. By default, all channels participate in the channel plan. Click the individual channels you want to include in the channel plan. To select contiguous channels, use the Shift key. To select multiple, non-contiguous channels in the list, use the CTRL key. Click OK to save the configuration.
  If you have set the radio to 802.11b, g, or b/g, click one of the following:
    3-Channel Plan - ACS will scan the following channels: 1, 6, and 11 in the US, and 1, 7, and 13 in Europe.
    4-Channel Plan - ACS will scan the following channels: 1, 4, 7, and 11 in the US, and 1, 5, 9, and 13 in Europe.
    Auto - ACS will scan the default channel plan channels: 1, 6, and 11 in the US, and 1, 5, 9, and 13 in Europe.
    Custom - If you want to configure individual channels from which the ACS will select an operating channel, click Configure. The Add Channels dialog is displayed. Click the individual channels you want to add to the channel plan while pressing the CTRL key, and then click OK.
Remote Access - Click to Enable or Disable telnet or SSH access to the Wireless AP.
Location-based service - Click to Enable or Disable location-based service on this Wireless AP. Location-based service allows you to use this Wireless AP with an AeroScout solution.
Maintain client session in event of poll failure - Select this option (if using a bridged at AP VNS) if the AP should remain active if a link loss with the controller occurs. This option is enabled by default.
Restart service in the absence of controller - Select this option (if using a bridged at AP VNS) to ensure the Wireless AP's radios continue providing service if the Wireless AP's connection to the Enterasys Wireless Controller is lost. If this option is enabled, it allows the Wireless AP to start a bridged at AP VNS even in the absence of an Enterasys Wireless Controller.
Use broadcast for disassociation - Select if you want the Wireless AP to use broadcast disassociation when disconnecting all clients, instead of disassociating each client one by one. This will affect the behavior of the AP under the following conditions:
  If the Wireless AP is preparing to reboot or to enter one of the special modes (DRM initial channel selection).
  If a BSSID is deactivated or removed on the Wireless AP.
  This option is disabled by default.
9. In the Advanced dialog Radio Settings section, do the following:
DTIM - Type the desired DTIM (Delivery Traffic Indication Message) period, which is the number of beacon intervals between two DTIM beacons. To ensure the best client power savings, use a large number. For example, 5. Use a small number to minimize broadcast and multicast delay. The default value is 5.
Beacon Period - Type the desired time, in milliseconds, between beacon transmissions. The default value is 100 milliseconds.
RTS/CTS - Type the packet size threshold, in bytes, above which the packet will be preceded by an RTS/CTS (Request to Send/Clear to Send) handshake. The default value is 2346, which means all packets are sent without RTS/CTS. Reduce this value only if necessary.
Frag. Threshold - Type the fragment size threshold, in bytes, above which the packets will be fragmented by the AP prior to transmission. The default value is 2346, which means all packets are sent unfragmented. Reduce this value only if necessary.
Max % of non-unicast traffic per Beacon period - Enter the maximum percentage of time that the AP will transmit non-unicast packets (broadcast and multicast traffic) for each configured Beacon Period. For each non-unicast packet transmitted, the system calculates the airtime used by each packet and drops all packets that exceed the configured maximum percentage. By restricting non-unicast traffic, you limit the impact of broadcasts and multicasts on overall system performance.
Maximum Distance - Enter a value from 100 to 15,000 meters that identifies the maximum link distance between APs that participate in a WDS. This value ensures that the acknowledgement of communication between APs does not exceed the timeout value predefined by the 802.11 standard. The default value is 100 meters. If the link distance between APs is greater than 100 meters, configure the maximum distance up to 15,000 meters so that the software increases the timeout value proportionally with the distance between APs. Do not change the default setting for the radio that provides service to 802.11 clients only.
Dynamic Channel Selection - Click one of the following:
  Off - Disables DCS.
  Monitor Mode - If traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated.
  Active Mode - If traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated. In addition, the Wireless AP will cease operating on the current channel and ACS is employed to automatically select an alternate channel for the Wireless AP to operate on.
  DCS Noise Threshold - If DCS is enabled, type the noise interference level, measured in dBm, after which ACS will scan for a new operating channel for the Wireless AP if the threshold is exceeded.
  DCS Channel Occupancy Threshold - If DCS is enabled, type the channel utilization level, measured as a percentage, after which ACS will scan for a new operating channel for the Wireless AP if the threshold is exceeded.
  DCS Update Period - If DCS is enabled, type the time, measured in minutes, that determines the period during which the Wireless AP averages the DCS Noise Threshold and DCS Channel Occupancy Threshold measurements. If either one of these thresholds is exceeded, then the Wireless AP will trigger ACS.
Rx Diversity - Click Best for the best signal from both antennas, or Left or Right to choose either of the two diversity receiving antennas. The default and recommended selection is Best. If only one antenna is connected, use the corresponding Left or Right diversity setting. Do not use Best if two identical antennas are not used.
Tx Diversity - Click Alternate for the best signal from both antennas, or Left or Right to choose either of the two diversity receiving antennas. The default selection is Alternate that maximizes performance for most clients. However, some clients may behave oddly with Tx Diversity set to Alternate. Under those circumstances, Enterasys recommends that you use either Left or Right for Tx Diversity. If only one antenna is connected, use the corresponding Left or Right diversity setting. Do not use Alternate if two identical antennas are not used.
Preamble - Click a preamble type for 11b-specific (CCK) rates: Short, Long, or Auto. The recommended value is Auto. Click Short if you are sure that there is no pre-11b AP or a client in the vicinity of this AP. Click Long if compatibility with pre-11b clients is required.
Protection Mode - Click a protection mode: None, Auto, or Always. The default and recommended setting is Auto. Click None if 11b APs and clients are not expected. Click Always if you expect many 11b-only clients.
Protection Rate - Click a protection rate: 1, 2, 5.5, or 11 Mbps. The default and recommended setting is 11. Only reduce the rate if there are many 11b clients in the environment or if the deployment has areas with poor coverage. For example, rates lower than 11 Mbps are required to ensure coverage.
Protection Type - Click a protection type: CTS Only or RTS CTS. The default and recommended setting is CTS Only. Click RTS CTS only if an 11b AP that operates on the same channel is detected in the neighborhood, or if there are many 11b-only clients in the environment.
10. In the Advanced dialog Enhanced Rate Control section, do the following:
Min Basic Rate - For each radio, click the minimum data rate that must be supported by all stations in a BSS: 1, 2, 5.5, or 11 Mbps for 11b and 11b+11g modes. Click 1, 2, 5.5, 6, 11, 12, or 24 Mbps for 11g-only mode. Click 6, 12, or 24 Mbps for 11a mode. If necessary, the Max Basic Rate choices adjust automatically to be higher or equal to the Min Basic Rate. If both Min Basic Rate and Max Basic Rate are set to an 11g-specific (OFDM) rate (for example, 6, 12, or 24 Mbps), all basic rates will be 11g-specific.
Max Basic Rate - For each radio, click the maximum data rate that must be supported by all stations in a BSS: 1, 2, 5.5, or 11 Mbps for 11b and 11b+11g modes. Click 1, 2, 5.5, 6, 11, 12, or 24 Mbps for 11g-only mode. Click 6, 12, or 24 Mbps for 11a mode. If necessary, the Max Basic Rate choices adjust automatically to be higher or equal to the Min Basic Rate. If both Min Basic Rate and Max Basic Rate are set to an 11g-specific (OFDM) rate (for example, 6, 12, or 24 Mbps), all basic rates will be 11g-specific.
Max Operational Rate - For each radio, click the maximum data rate that clients can operate at while associated with the AP: 1, 2, 5.5, or 11 Mbps for 11b-only mode. Click 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 28, or 54 Mbps for 11b+11g or 11g-only modes. Click 6, 9, 12, 18, 24, 36, 48, or 54 Mbps for 11a mode. If necessary, the Max Operational Rate choices adjust automatically to be higher or equal to the Min Basic Rate.
Best Effort BE - For each radio, click the number of retries for the Best Effort transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
Video VI - For each radio, click the number of retries for the Video transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
Voice VO - For each radio, click the number of retries for the Voice transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
Turbo Voice TVO - For each radio, click the number of retries for the Turbo Voice transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
Max Tx Power - Click the appropriate Tx power level from the Max TX Power drop-down list. The values in the Max TX Power drop-down are in dBm.
Min Tx Power - If ATPC is enabled, click the minimum Tx power level to which the range of transmit power can be adjusted: 0 to 23 (b/g or b/g/n) or 24 (a or a/n) dBm. Enterasys recommends that you select 0 dBm to use the entire range of potential Tx power.
Auto Tx Power Ctrl Adjust - If ATPC is enabled, click the Tx power level that can be used to adjust the ATPC power levels that the system has assigned. Enterasys recommends that you use 0 dBm during your initial configuration. If you have an RF plan that recommends Tx power levels for each Wireless AP, compare the actual Tx power levels your system has assigned against the recommended values your RF plan has provided. Use the Auto Tx Power Ctrl Adjust value to achieve the recommended values.
Channel Plan - If ACS is enabled you can define a channel plan for the Wireless AP. Defining a channel plan allows you to limit which channels are available for use during an ACS scan. For example, you may want to avoid using specific channels because of low power, regulatory domain, or radar interference.
  For Radio 1, click one of the following:
    All channels - ACS scans all channels for an operating channel and returns both DFS and non-DFS channels, if available.
    All Non-DFS Channels - ACS scans all non-DFS channels for an operating channel. This selection is available when there is at least one DFS channel supported for the selected country.
    Custom - To configure individual channels from which the ACS will select an operating channel, click Configure. The Custom Channel Plan dialog displays. By default, all channels participate in the channel plan. Click the individual channels you want to include in the channel plan. To select contiguous channels, use the Shift key. To select multiple, non-contiguous channels in the list, use the CTRL key. Click OK to save the configuration.
  For Radio 2, click one of the following:
    3-Channel Plan - ACS will scan the following channels: 1, 6, and 11 in the US, and 1, 7, and 13 in Europe.
    4-Channel Plan - ACS will scan the following channels: 1, 4, 7, and 11 in the US, and 1, 5, 9, and 13 in Europe.
    Auto - ACS will scan the default channel plan channels: 1, 6, and 11 in the US, and 1, 5, 9, and 13 in Europe.
    Custom - If you want to configure individual channels from which the ACS will select an operating channel, click Configure. The Add Channels dialog is displayed. Click the individual channels you want to add to the channel plan while pressing the CTRL key, and then click OK.
Note: If you are configuring session availability, the Poll Timeout value should be 1.5 to 2 times the Detect link failure value on the AP Properties screen. For more information, see Session Availability on page 10-9.
Remote Access - Click to Enable or Disable telnet or SSH access to the Wireless AP.
Location-based service - Click to Enable or Disable location-based service on this Wireless AP. Location-based service allows you to use this Wireless AP with an AeroScout solution.
Maintain client session in event of poll failure - Click to Enable or Disable (if using a bridged at AP VNS) if the AP should remain active if a link loss with the controller occurs. This option is enabled by default.
Restart service in the absence of controller - Click to Enable or Disable (if using a bridged at AP VNS) to ensure the Wireless AP's radios continue providing service if the Wireless AP's connection to the Enterasys Wireless Controller is lost. If this option is enabled, it allows the Wireless AP to start a bridged at AP VNS even in the absence of an Enterasys Wireless Controller.
Use broadcast for disassociation - Click to Enable or Disable if you want the Wireless AP to use broadcast disassociation when disconnecting all clients, instead of disassociating each client one by one. This will affect the behavior of the AP under the following conditions:
  If the Wireless AP is preparing to reboot or to enter one of the special modes (DRM initial channel selection).
  If a BSSID is deactivated or removed on the Wireless AP.
  This option is disabled by default.
8. In the Advanced dialog Radio Settings section, do the following:
DTIM - Type the desired DTIM (Delivery Traffic Indication Message) period, which is the number of beacon intervals between two DTIM beacons. To ensure the best client power savings, use a large number. For example, 5. Use a small number to minimize broadcast and multicast delay. The default value is 5.
Beacon Period - Type the desired time, in milliseconds, between beacon transmissions. The default value is 100 milliseconds.
RTS/CTS - Type the packet size threshold, in bytes, above which the packet will be preceded by an RTS/CTS (Request to Send/Clear to Send) handshake. The default value is 2346, which means all packets are sent without RTS/CTS. Reduce this value only if necessary.
Frag. Threshold - Type the fragment size threshold, in bytes, above which the packets will be fragmented by the AP prior to transmission. The default value is 2346, which means all packets are sent unfragmented. Reduce this value only if necessary.
Max % of non-unicast traffic per Beacon period - Enter the maximum percentage of time that the AP will transmit non-unicast packets (broadcast and multicast traffic) for each configured Beacon Period. For each non-unicast packet transmitted, the system calculates the airtime used by each packet and drops all packets that exceed the configured maximum percentage. By restricting non-unicast traffic, you limit the impact of broadcasts and multicasts on overall system performance.
Maximum Distance - Enter a value from 100 to 15,000 meters that identifies the maximum link distance between APs that participate in a WDS. This value ensures that the acknowledgement of communication between APs does not exceed the timeout value predefined by the 802.11 standard. The default value is 100 meters. If the link distance between APs is greater than 100 meters, configure the maximum distance up to 15,000 meters so that the software increases the timeout value proportionally with the distance between APs. Do not change the default setting for the radio that provides service to 802.11 clients only.
Dynamic Channel Selection - Click one of the following:
  Off - Disables DCS.
  Monitor Mode - If traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated.
  Active Mode - If traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated. In addition, the Wireless AP will cease operating on the current channel and ACS is employed to automatically select an alternate channel for the Wireless AP to operate on.
  DCS Noise Threshold - If DCS is enabled, type the noise interference level, measured in dBm, after which ACS will scan for a new operating channel for the Wireless AP if the threshold is exceeded.
  DCS Channel Occupancy Threshold - If DCS is enabled, type the channel utilization level, measured as a percentage, after which ACS will scan for a new operating channel for the Wireless AP if the threshold is exceeded.
  DCS Update Period - If DCS is enabled, type the time, measured in minutes, that determines the period during which the Wireless AP averages the DCS Noise Threshold and DCS Channel Occupancy Threshold measurements. If either one of these thresholds is exceeded, then the Wireless AP will trigger ACS.
Rx Diversity - Click Best for the best signal from both antennas, or Left or Right to choose either of the two diversity receiving antennas. The default and recommended selection is Best. If only one antenna is connected, use the corresponding Left or Right diversity setting. Do not use Best if two identical antennas are not used.
Tx Diversity - Click Alternate for the best signal from both antennas, or Left or Right to choose either of the two diversity receiving antennas. The default selection is Alternate that maximizes performance for most clients. However, some clients may behave oddly with Tx Diversity set to Alternate. Under those circumstances, Enterasys recommends that you use either Left or Right for Tx Diversity. If only one antenna is connected, use the corresponding Left or Right diversity setting. Do not use Alternate if two identical antennas are not used.
Preamble - Click a preamble type for 11b-specific (CCK) rates: Short, Long, or Auto. The recommended value is Auto. Click Short if you are sure that there is no pre-11b AP or a client in the vicinity of this AP. Click Long if compatibility with pre-11b clients is required.
Protection Mode - Click a protection mode: None, Auto, or Always. The default and recommended setting is Auto. Click None if 11b APs and clients are not expected. Click Always if you expect many 11b-only clients.
Protection Rate - Click a protection rate: 1, 2, 5.5, or 11 Mbps. The default and recommended setting is 11. Only reduce the rate if there are many 11b clients in the environment or if the deployment has areas with poor coverage. For example, rates lower than 11 Mbps are required to ensure coverage.
Protection Type - Click a protection type: CTS Only or RTS CTS. The default and recommended setting is CTS Only. Click RTS CTS only if an 11b AP that operates on the same channel is detected in the neighborhood, or if there are many 11b-only clients in the environment.
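The Dynamic Channel Selection settings above combine two thresholds, an averaging period and a mode. The following is an added example, not Enterasys code, that models how those settings interact: a short spike is averaged away, sustained noise raises an alarm in Monitor Mode, and the same condition also moves the AP to another channel in Active Mode. The one-sample-per-minute input, the back-to-back averaging windows, the threshold values, and the rule that ACS picks the least-occupied channel in the plan are assumptions constructed for illustration.

```python
"""Model of the DCS decision: thresholds, update period, Monitor vs Active.

Assumptions (not from the guide): one measurement per minute, averaging
windows that follow each other without overlap, and an ACS stand-in that
picks the least-occupied channel from the channel plan.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass
class Sample:
    noise_dbm: float       # measured noise on the operating channel
    occupancy_pct: float   # channel utilization, 0-100


@dataclass
class DcsConfig:
    mode: str                        # "off", "monitor" or "active"
    noise_threshold_dbm: float       # DCS Noise Threshold
    occupancy_threshold_pct: float   # DCS Channel Occupancy Threshold
    update_period_min: int           # DCS Update Period


def acs_select(channel_plan, scan_occupancy, current):
    """Hypothetical ACS stand-in: least-occupied plan channel except current."""
    candidates = [c for c in channel_plan if c != current]
    if not candidates:
        return current
    return min(candidates, key=lambda c: (scan_occupancy.get(c, 100.0), c))


def run_dcs(cfg, samples, channel, channel_plan, scan_occupancy):
    """Return (final_channel, events) after evaluating every full window."""
    events = []
    if cfg.mode == "off":
        return channel, events
    n = cfg.update_period_min
    for start in range(0, len(samples) - n + 1, n):
        window = samples[start:start + n]
        avg_noise = mean(s.noise_dbm for s in window)
        avg_occ = mean(s.occupancy_pct for s in window)
        reasons = []
        if avg_noise > cfg.noise_threshold_dbm:
            reasons.append("noise")
        if avg_occ > cfg.occupancy_threshold_pct:
            reasons.append("occupancy")
        if not reasons:
            continue
        # Both modes raise an alarm and write an information log entry.
        event = {
            "minute": start + n,
            "channel": channel,
            "reasons": reasons,
            "avg_noise_dbm": round(avg_noise, 1),
            "avg_occupancy_pct": round(avg_occ, 1),
            "action": "alarm+log",
        }
        if cfg.mode == "active":
            # Active Mode additionally leaves the channel and lets ACS choose.
            channel = acs_select(channel_plan, scan_occupancy, channel)
            event["action"] = "alarm+log+acs"
            event["new_channel"] = channel
        events.append(event)
    return channel, events


# Constructed measurements: a one-minute spike, then five minutes of
# sustained noise, then a quiet window.
QUIET = Sample(-92.0, 20.0)
SAMPLES = ([QUIET, QUIET, Sample(-60.0, 95.0), QUIET, QUIET]
           + [Sample(-70.0, 30.0)] * 5
           + [QUIET] * 5)
CHANNEL_PLAN = [1, 6, 11]                        # 3-Channel Plan, US
SCAN_OCCUPANCY = {1: 40.0, 6: 70.0, 11: 15.0}    # constructed scan result
MONITOR = DcsConfig("monitor", -80.0, 60.0, 5)
ACTIVE = DcsConfig("active", -80.0, 60.0, 5)

if __name__ == "__main__":
    for cfg in (MONITOR, ACTIVE):
        final, events = run_dcs(cfg, SAMPLES, 6, CHANNEL_PLAN, SCAN_OCCUPANCY)
        print(cfg.mode, "final channel", final, events)
```

In Monitor Mode the alarm and log entry are the only outcome, so the information log is where sustained interference on a channel becomes visible to an operator.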
9. In the Advanced dialog Enhanced Rate Control section, do the following:
Min Basic Rate - For each radio, click the minimum data rate that must be supported by all stations in a BSS: 1, 2, 5.5, or 11 Mbps for 11b and 11b+11g modes. Click 1, 2, 5.5, 6, 11, 12, or 24 Mbps for 11g-only mode. Click 6, 12, or 24 Mbps for 11a mode. If necessary, the Max Basic Rate choices adjust automatically to be higher or equal to the Min Basic Rate. If both Min Basic Rate and Max Basic Rate are set to an 11g-specific (OFDM) rate (for example, 6, 12, or 24 Mbps), all basic rates will be 11g-specific.
Max Basic Rate - For each radio, click the maximum data rate that must be supported by all stations in a BSS: 1, 2, 5.5, or 11 Mbps for 11b and 11b+11g modes. Click 1, 2, 5.5, 6, 11, 12, or 24 Mbps for 11g-only mode. Click 6, 12, or 24 Mbps for 11a mode. If necessary, the Max Basic Rate choices adjust automatically to be higher or equal to the Min Basic Rate. If both Min Basic Rate and Max Basic Rate are set to an 11g-specific (OFDM) rate (for example, 6, 12, or 24 Mbps), all basic rates will be 11g-specific.
Max Operational Rate - For each radio, click the maximum data rate that clients can operate at while associated with the AP: 1, 2, 5.5, or 11 Mbps for 11b-only mode. Click 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 28, or 54 Mbps for 11b+11g or 11g-only modes. Click 6, 9, 12, 18, 24, 36, 48, or 54 Mbps for 11a mode. If necessary, the Max Operational Rate choices adjust automatically to be higher or equal to the Min Basic Rate.
10. In the Advanced dialog No of Retries section, do the following:
Background BK - For each radio, click the number of retries for the Background transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
Best Effort BE - For each radio, click the number of retries for the Best Effort transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
Video VI - For each radio, click the number of retries for the Video transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
Voice VO - For each radio, click the number of retries for the Voice transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
Turbo Voice TVO - For each radio, click the number of retries for the Turbo Voice transmission queue. The default value is adaptive (multi-rate). The recommended setting is adaptive (multi-rate).
Modifying the Wireless APs Default Setting Using the Copy to Defaults Feature
You can modify the system's default AP settings by using the Copy to Defaults feature on the AP Properties tab. This feature allows the properties of an already configured Wireless AP to become the system's default Wireless AP settings.
Note: When using the Multi-edit function, any box or option that is not explicitly modified will not be changed by the update. The Wireless APs shown in the Wireless APs list can be from any version of the software. Attributes that are common between software versions are set on all Wireless APs. Attributes that are not common are only sent to the AP versions to which the attributes apply. Attempting to set an attribute that does not apply for an AP will not abort the multi-edit operation.

Field/Button - Description
Hardware Types - The wireless AP hardware model.
Wireless APs - The name assigned to the wireless AP.
AP Properties
Radio Settings
Static Configuration
HWC Search List - Click one of the following:
  Clear search list - Click to clear previously assigned Enterasys Wireless Controllers that were configured to control this Wireless AP.
  Re-configure search list - Click to assign Enterasys Wireless Controllers to control this Wireless AP. This causes the Add box to become available.
  Add box - Enter the IP address of the Enterasys Wireless Controller that will control this Wireless AP. This box is available only if you selected Re-configure search list when configuring the HWC search list. Click the Add button to add the IP address to the list. Repeat to add additional Enterasys Wireless Controllers. The maximum is three Enterasys Wireless Controllers.
  Click Up and Down to modify the order of the Enterasys Wireless Controllers. The Wireless AP is successful when it finds an Enterasys Wireless Controller that will allow it to register.
  This feature allows the Wireless AP to bypass the discovery process. If the HWC Search List is not populated, the Wireless AP will use SLP unicast/multicast, DNS, or DHCP vendor option 43 to discover an Enterasys Wireless Controller. For the initial Wireless AP deployment, it is necessary to use one of the described options in Discovery and Registration Overview on page 2-10.
Tunnel MTU - Enter a static MTU value, from 600 to 1500. If the Enterasys wireless software cannot discover the MTU size, it enforces the static MTU size. Set the MTU size to allow the source to reduce the packet size and avoid the need to fragment data packets in the tunnel.
WLAN Assignments - From the drop-down list, click one of the following:
  Clear WLAN list - Click to clear previously assigned WLAN services of the Wireless APs.
  Re-configure WLAN list - Click to assign WLAN services to the Wireless APs. In the Radio 1 and Radio 2 columns, select the Wireless AP radios that you want to assign for each WLAN service.
Save - Click to save your changes.
Client balancing on the Enterasys Wireless Controller is AP-centric and requires no input from the client. The AP radios in the client balance group share information with secure (AES) SIAPP (Enterasys Inter-AP Protocol) messaging using multicast on the wired network. All APs in a client balance group must be in the same SIAPP cluster to ensure that each AP can reach all other APs in the client balance group over the wired subnet. If the APs in a client balance group are not in the same SIAPP cluster, client balancing will happen independently within the subgroups defined by SIAPP clusters.
The benefits of configuring your co-located APs that are controlled by the same Enterasys Wireless Controller as a client balance group are the following:
  Resource sharing of the balanced AP
  Efficient use of the deployed 2.4 and 5 GHz channels
You can assign a maximum of 32 APs to a client balance group. Table 2-27 lists the maximum number of load balance groups for each Enterasys Wireless Controller.
Table 2-27 Maximum Number of Load Balance Groups
Number of load balance groups 8 32 32 64 8 8
3. Click New. The Add Load Group window displays.
If you are adding a Radio Preference load balancing group, the Radio Preference tab becomes available.
Description
Enter a unique name for the load group. You can create load groups with the same name on different Enterasys Wireless Controllers; however, the groups will be treated as separate groups according to the home controller where the group was originally created.
Type - The type of load group is displayed. Options include:
  Client Balancing - select to perform load balancing based on the number of clients across all APs in the load balance group and only for the WLANs assigned to the group.
  Radio Preference - select to perform band preference steering and enforce load control settings on this load group.
Click to create a new load group. The Add Load Group window.
Click to delete this load group.
Click to save your changes.
Field/Button
Description
Radio Assignment tab - this tab is available only for load groups assigned the Client Balancing type Select AP Radios From the drop-down menu, select the AP radios that you want to assign to the load group. Options include: All radios Radio 1 Radio 2 Clear all radios You can assign a radio to only one load balance group. A radio that is assigned to another load balance group will have an asterisk next to it. If you select a radio that has been assigned to another load balance group, the radio is reassigned to the new load balance group. Note: You can assign each radio of an AP to different load balance groups. Radio Preference tab - this tab is available only for load groups assigned the Radio Preference type Band Preference Select the Enable checkbox to enable band preference for this load group. For the AP36xx models only, you can apply band preference only to a VNS assigned in the load group. Enabling band preference enables you to move an 11a-capable client to an 11a radio to relieve congestion on an 11g radio. A client is considered 11a capable if the AP receives requests on an 11a VNS that already belongs to a load group with band preference enabled. After you configure band preference, if a client tries to reassociate with an 11g radio, it will be rejected if the AP determines that the client is 11a capable. AP Assignment Load Control Select the APs on which you want to enforce the Band Preference and Load Control settings. Select the Enable checkbox to enable load control for this load group. Enabling load control causes the controller to enforce the limit you specify for the number of clients for each radio. Enter the maximum number of clients for Radio 1 and Radio 2. The default limit is 60. The valid range is: 5 to 60.
Click the checkbox of the one or more WLAN services that you want to assign to all member radios of the load balance group. You can select up to the radio limit of eight VNSs. When you assign a radio to a load group, WLAN service assignment can only be done from the WLAN Assignment tab on the Wireless AP Load Groups screen. On all other WLAN Assignment tabs associated with the member AP radios, the radio checkbox associated with the member AP radios will be grayed out. When you remove a radio from a load group, the load group's WLAN service will remain assigned to the radio, but you can now assign a different WLAN service to the radio.
Description
Enter a unique name for this load group. From the drop-down menu, select the type of load balancing to be used for this load group. Options are: Client Balancing Radio Preference
Add
Click to add this new load group. The new load group is the currently displayed load group in the Wireless AP Load Groups screen. After you add the new load group, navigate to the Radio Preference and WLAN Assignment tabs to assign radios and one or more WLAN services to the load group.
Cancel
Configuring an AP Cluster
APs operating in both fit mode and standalone mode operate in a cluster setup. A cluster is a group of wireless APs configured to communicate with each other. Mobile users (MU) can seamlessly roam between the APs participating in the cluster. The ProductFamilyShort ProductNameLong extends basic cluster functionality with the following enhancements:
Support for fast roaming
Automatic Channel Selection (ACS) for all APs in the cluster
Cluster member information is available to the user
MU statistic history
Pre-authentication
A cluster forms when operating APs are within the same subnet and multicast and IGMP snooping are enabled. The APs in the cluster use a default cluster ID (shared secret) or a cluster ID that you assign.
An AP cluster can exist at any point in your network. Each cluster member periodically (30 seconds) sends a secure SIAPP (Enterasys Inter-AP Protocol) multicast message to update other cluster members. The SIAPP message includes:
The AP name
The AP Ethernet MAC address
The AP IP address
The client count
The base BSSIDs for both radios
Each AP caches locally stored information about other cluster members and maintains its own view of the cluster.
3. Select one or more APs that you want to convert to standalone mode.
Note: If you try to convert an AP other than an AP3630/40 or an inactive or foreign AP running V7.31 to standalone mode, the system returns an error. Only an AP3630/40 running V7.31 can operate in both standalone and fit mode.
Configuring an AP as a Sensor
Only the Enterasys Wireless AP2610/2620 and AP3610/3620 can be configured as sensors. A Wireless AP that is configured as a sensor performs scanning services and relays information to Wireless Advanced Services (WAS). When an AP is Approved as Sensor:
The AP severs its connection to the Enterasys Wireless Controller
The AP registers with Wireless Advanced Services (WAS)
The AP performs scanning services
The AP no longer performs RF services for the Enterasys Wireless Controller
When an AP is operating as a sensor, it has no interaction with the Enterasys Wireless Controller, and it does not perform like an AP: it does not allow devices to associate to it and traffic is not forwarded through it. An AP operating as a sensor is managed by Enterasys Wireless Advanced Services (WAS). The WAS's sensor domain license (SDL) limit governs the number of sensors the customer can have.
When an AP is configured as a sensor, the AP's current configuration is retained in the controller database. If the sensor is later configured back to perform RF services, its previous configuration data is reassigned to it. For more information, see the Enterasys Wireless Manager User Guide and the Enterasys Wireless Advanced Services User Guide.
Before APs can be configured as sensors, you must first download the sensor image from a TFTP server to the Enterasys Wireless Controller:
To Download the Sensor Image from a TFTP Server to the Enterasys Wireless Controller:
1. From the main menu, click Wireless AP Configuration. The Enterasys Wireless AP screen is displayed.
2. In the left pane, click Sensor Management. The Wireless AP Sensor Management screen is displayed.
3. In the Sensor Platform field, select AP26xx or AP36xx.
c. Select the AP that you want to configure as a sensor.
d. In the Role field, select Sensor.
e. Click Save.
d. Click Sensor.
6. To save your changes, click Save.
Click Download. The new software image is downloaded.
4. In the Select AP Platform drop-down list, click the type of AP you want to upgrade.
5. In the Select an image to use drop-down list, click the software image you want to use for the upgrade.
6. In the list of registered Wireless APs, select the checkbox for each Wireless AP to be upgraded with the selected software image.
7. Click Apply AP image version. The selected software image is displayed in the Upgrade To column of the list.
8. To save the software upgrade strategy to be run later, click Save for later.
9. To run the software upgrade immediately, click Upgrade Now. The selected Wireless AP reboots, and the new software version is loaded.
Note: The Always upgrade AP to default image checkbox on the AP Software Maintenance tab overrides the Controlled Upgrade settings.
3
Configuring the Enterasys Wireless Controller
This chapter describes the steps involved in the initial configuration and setup of the Enterasys Wireless Controller, including:
For information about...                                              Refer to page...
System Configuration Overview                                         3-1
Logging on to the Enterasys Wireless Controller                       3-4
Working with the Basic Installation Wizard                            3-5
Configuring the Enterasys Wireless Controller for the First Time      3-9
Using an AeroScout Location Based Solution                            3-45
Additional Ongoing Operations of the System                           3-48
To manage the Enterasys Wireless Controller through the interface configured above, select the Mgmt checkbox on the Interfaces tab.
Configure the data port interfaces to be on separate VLANs, matching the VLANs configured in step 3 above. Ensure also that the tagged vs. untagged state is consistent with the switch port (DFE if configuring the Enterasys Wireless Controller C20N) configuration.
Configure the time zone. Because changing the time zone requires restarting the Enterasys Wireless Controller, Enterasys recommends that you configure the time zone during the initial installation and configuration of the Enterasys Wireless Controller to avoid network interruptions. For more information, see Configuring Network Time on page 342.
Apply an activation key file. If an activation key is not applied, the Enterasys Wireless Controller functions with some features enabled in demonstration mode. Not all features are enabled in demonstration mode. For example, mobility is not enabled and cannot be used.
Caution: Whenever the licensed region changes on the Enterasys Wireless Controller, all Wireless APs are changed to Auto Channel Select to prevent possible infractions to local RF regulatory requirements. If this occurs, all manually configured radio channel settings will be lost. Installing the new license key before upgrading will prevent the Enterasys Wireless Controller from changing the licensed region, and in addition, manually configured channel settings will be maintained. For more information, see the Enterasys Wireless Controller, Access Points and Convergence Software Maintenance Guide.
Configure the Enterasys Wireless Controller for remote access:
Set up an administration station (laptop) on subnet 192.168.10.0/24. By default, the Enterasys Wireless Controller's Management interface is configured with the static IP address 192.168.10.1.
Configure the Enterasys Wireless Controller's management interface.
Configure the data interfaces.
Set up the Enterasys Wireless Controller on the network by configuring the physical data ports.
Configure the routing table.
Configure static routes or OSPF parameters, if appropriate to the network.
For more information, see Configuring the Enterasys Wireless Controller for the First Time on page 39.
5. Configure the traffic topologies your network must support. Topologies represent the Controller's points of network attachment, therefore VLANs and port assignments need to be coordinated with the corresponding network switch ports. For more information, see Configuring a Basic Topology on page 42.
6. Configure policies. Policies are typically bound to topologies. Policy application assigns user traffic to the corresponding network point.
Policies define user access rights (filtering or ACL)
Policies reference user's rate control profile.
For more information, see Configuring Policies on page 51.
7.
For more information, see Configuring WLAN Services on page 61.
8. Create the VNSs.
A VNS binds a WLAN Service to a Policy that will be used for default assignment upon a user's network attachment.
You can create topologies, policies, and WLAN services first, before configuring a VNS, or you can select one of the wizards (such as the VNS wizard), or you can simply select to create a new VNS.
The VNS page then allows for in-place creation and definition of any dependency it may require, such as:
Creating a new WLAN Service
Creating a new policy
Creating a new topology (within a policy)
Creating new rate controls, etc.
The default shipping configuration does not ship any preconfigured WLAN Services, VNSs, or Policies.
9. Install, register, and assign APs to the VNS.
Confirm the latest firmware version is loaded. For more information, see Performing Wireless AP Software Maintenance on page 2112.
Deploy Wireless APs to their corresponding network locations.
If applicable, configure a default AP template for common radio assignment, whereby APs automatically receive complete configuration. For typical deployments where all APs are to have the same configuration, this feature will expedite deployment, as an AP will automatically receive full configuration (including VNS-related assignments) upon initial registration with the Enterasys Wireless Controller. If applicable, modify the properties or settings of the Wireless APs. For more information, see Chapter 2, Configuring the Wireless AP.
Connect the Wireless APs to the Enterasys Wireless Controller.
Once the Wireless APs are powered on, they automatically begin the Discovery process of the Enterasys Wireless Controller, based on factors that include:
Their Registration mode (on the Wireless AP Registration screen)
The enterprise network services that will support the discovery process
3. In the User Name box, type your user name.
4. In the Password box, type your password.
Note: The Enterasys Wireless Controller default user name is admin. The default password is abc123.
5. Click Login. The Enterasys Wireless Assistant main menu screen is displayed.
To Configure the Enterasys Wireless Controller with the Basic Installation Wizard:
1. Log on to the Enterasys Wireless Controller. For more information, see Logging on to the Enterasys Wireless Controller on page 34.
2. From the main menu, click Wireless Controller Configuration. The Enterasys Wireless Controller Configuration screen is displayed.
3. In the left pane, click Installation Wizard. The Basic Installation Wizard screen is displayed.
Trap Destination - Type the IP address of the server used as the network manager that will receive SNMP messages.
13. In the RADIUS section, select the Enable checkbox to enable RADIUS login authentication, if applicable. RADIUS login authentication uses a RADIUS server to authenticate user login attempts. RADIUS is a client/server authentication and authorization access protocol used by a network access server (NAS) to authenticate users attempting to connect to a network device.
Do the following:
Server Alias - Type a name that you want to assign to the RADIUS server. You can type a name or IP address of the server.
Hostname/IP - Type the RADIUS server's hostname or IP address.
Shared Secret - Type the password that will be used to validate the connection between the Enterasys Wireless Controller and the RADIUS server.
Click OK to continue, and then do the following:
Role - Select the role for the Enterasys Wireless Controller, Manager or Agent. One Enterasys Wireless Controller on the network is designated as the mobility manager and all other Enterasys Wireless Controllers are designated as mobility agents.
Port - Click the interface on the Enterasys Wireless Controller to be used for communication between mobility manager and mobility agent. Ensure that the selected interface is routable on the network. For more information, see Chapter 11, Configuring Mobility.
Manager IP - Type the IP address of the mobility manager port if the Enterasys Wireless Controller is configured as the mobility agent.
15. In the Default VNS section, select the Enable checkbox to enable a default VNS for the Enterasys Wireless Controller. The default VNS parameters are displayed. Refer to Virtual Network Services on page 111 for more information about the default VNS.
16. Click Finish. The Success screen is displayed. Enterasys recommends that you change the factory default administrator password.
Do the following:
New Password - Type a new administrator password.
Confirm Password - Type the new administrator password again.
once the upgrade is completed and a new account is created, or the password of an existing account is changed, the new password length minimum will be enforced.
Option Key - Activates the optional features. This key is further classified into two sub-variants:
Capacity Enhancement Key - Enhances the capacity of the Enterasys Wireless Controller to manage additional Wireless APs. You may have to add multiple capacity enhancement keys to reach the Enterasys Wireless Controller's limit. Depending on the Enterasys Wireless Controller model, a capacity enhancement key adds the following Wireless APs:
C5110 - Adds 25 Wireless APs
C4110 - Adds 25 Wireless APs
C2400 - Adds 25 Wireless APs
C20N - Adds 16 Wireless APs
C20 - Adds 16 Wireless APs
C25 - Adds 48 Wireless APs
Note: If you connect additional Wireless APs to an Enterasys Wireless Controller that has a permanent activation key without installing a capacity enhancement key, or if you configure an external Captive Portal without installing the appropriate key, a grace period of seven days will start. You must install the correct key during the grace period. If you do not install the key, the Enterasys Wireless Controller will start generating event logs every 15 minutes, indicating that the key is required. In addition, you will not be able to edit the Virtual Network Services (VNS) parameters.
The Enterasys Wireless Controller can be in the following licensing modes:
Unlicensed - When the Enterasys Wireless Controller is not licensed, it operates in demo mode. In demo mode, the Enterasys Wireless Controller allows you to operate as many Wireless APs as you want, subject to the maximum limit of the platform type, and enables you to configure the optional external captive portal for authentication. In demo mode, you can use only the b/g radio, with channels 6, 11, and auto. 11n support and Mobility are disabled in demo mode.
Licensed with a temporary activation key - A temporary activation key comes with a regulatory domain. With the temporary activation key, you can select a country from the domain and operate the Wireless APs on any channel permitted by the country. A temporary activation key allows you to use all software features. You can operate as many Wireless APs as you want, subject to the maximum limit of the platform type. In addition, you can configure the external captive portal feature.
A temporary activation key is valid for 90 days. Once the 90 days are up, the temporary key expires. You must get a permanent activation key and install it on the Enterasys Wireless Controller. If you do not install a permanent activation key, the Enterasys Wireless Controller will start generating event logs every 15 minutes, indicating that an appropriate license is required for the current software version. In addition, you will not be able to edit the Virtual Network Services (VNS) parameters.
Licensed with permanent activation key - A permanent activation key is valid for an infinite period. In addition, unlike the temporary activation key, the permanent activation key allows you to operate a stipulated number of the Wireless APs, depending upon the platform type. If you want to connect additional Wireless APs, you have to install a capacity enhancement key. You may even have to install multiple capacity enhancement keys to reach the Enterasys Wireless Controller's limit.
The following table lists the platform type and the corresponding number of the Wireless APs allowed by the permanent activation key.
Table 3-1 Platform Type / Wireless APs Allowed by Permanent Activation Key
Wireless APs permitted by permanent activation key | Platform's optimum limit | Number of capacity enhancement keys to reach the optimum limit
16 | 32 | 1
16 | 32 | 1
16 | 48 | 2
50 | 200 | 6
24 | 24 | 0
72 | 72 | 0
50 | 250 | 8
150 | 525 | 15
Similarly, if you want to configure the external captive portal feature, you have to install the optional feature key.
If the Enterasys Wireless Controller detects multiple license violations, such as capacity enhancement and optional feature violations, a grace period counter will start from the moment the first violation occurred. The Enterasys Wireless Controller will generate event logs for every violation. The only way to leave the grace period is to clear all outstanding license violations.
The Enterasys Wireless Controller can be in an unlicensed state for an infinite period. However, if you install a temporary activation key, the unlicensed state is terminated. After the validity of a temporary activation key and the related grace period expire, the Enterasys Wireless Controller will generate event logs every 15 minutes, indicating that an appropriate license is required for the current software version. In addition, you will not be able to edit the Virtual Network Services (VNS) parameters.
CRBT8210 - One data port, displayed as esa0.
CRBT8110 - One data port, displayed as esa0.
3. To change any of the associated parameters, click on the topology entry to be modified. An Edit Topology pop-up window appears.
For the data ports predefined in the system, Name and Mode are not configurable.
4. Optionally, configure one of the physical ports for Third Party AP connectivity by clicking the 3rd Party checkbox.
You must configure a port to which you will be connecting third-party APs by checking this box. Only one port can be configured for third-party APs.
Third-party APs must be deployed within a segregated network for which the Enterasys Wireless Controller becomes the single point of access (i.e., routing gateway). When you define a port as the third-party AP port, the interface segregates the third-party AP from the remaining network.
5. To configure an interface for VLAN assignment, configure the VLAN Settings in the Layer 2 box.
When you configure an Enterasys Wireless Controller port to be a member of a VLAN, you must ensure that the VLAN configuration (VLAN ID and tagged vs. untagged attribute) is matched with the correct configuration on the network switch.
6. If the desired IP configuration is different from the one displayed, change the Interface IP and Mask accordingly in the Layer 3 box.
For this type of data interface, the Layer 3 checkbox is selected automatically. This allows for IP Interface and subnet configuration together with other networking services.
7. If desired, change the MTU value. This value specifies the Maximum Transmission Unit or maximum packet size for this port. The default value is 1500 bytes for physical topologies.
If you change this setting and are using OSPF, be sure that the MTU of all the ports in the OSPF link match.
Note: If the routed connection to an AP traverses a link that imposes a lower MTU than the default 1500 bytes, the Enterasys Wireless Controller and AP participate in automatic MTU discovery and adjust their settings accordingly. At the Enterasys Wireless Controller, MTU adjustments are tracked on a per AP basis. If the Enterasys wireless software cannot discover the MTU size, it enforces the static MTU size.
To enable management traffic, select the Management Traffic checkbox. Enabling management provides access to SNMP (v2, V3, get), SSH, and HTTPs management interfaces.
Note: This option does not override the built-in protection filters on the port. The built-in protection filters for the port, which are restrictive in the types of packets that are allowed to reach the management plane, are extended with a set of definitions that allow for access to system management services through that interface (SSH, SNMP, HTTPS:5825).
Note: The local DHCP Server is useful as a general purpose DHCP Server for small subnets.
d. In the DNS Servers box, type the DNS Server's IP address if you have a DNS Server.
e. In the WINS box, type the WINS Server's IP address if you have a WINS Server.
Note: You can type multiple entries in the DNS Servers and WINS boxes. Each entry must be separated by a comma. These two fields are not mandatory to enable the local DHCP feature.
f. In the Gateway box, type the IP address of the default gateway.
Note: Since the Enterasys Wireless Controller is not allowed to be the gateway for the segment, including Wireless APs, you cannot use the Interface IP address as the gateway address.
Select the Range radio button. In the From box, type the starting IP address of the IP address range that you want to exclude from the DHCP allocation.
In the To box, type the ending IP address of the IP address range that you want to exclude from the DHCP allocation.
To exclude a single address, select the Single Address radio button and type the IP address in the adjacent box.
In the Comment box, type any relevant comment. For example, you can type the reason for which a certain IP address is excluded from the DHCP allocation.
Click on Add. The excluded IP addresses are displayed in the IP Address(es) to exclude from DHCP Address Range box.
To delete an IP Address from the exclusion list, select it in the IP Address(es) to exclude from DHCP Range box, and then click Delete.
To save your changes, click OK.
Click Close to close the DHCP configuration window.
Note: The Broadcast (Bcast) Address field is view only. This field is computed from the mask and the IP addresses.
11. You are returned to the L2 port topology edit window.
6. To save your changes, click Save.
2. In the left pane, click Routing Protocols. The Static Routes tab is displayed.
4. In the Subnet Mask box, type the appropriate subnet mask to separate the network portion from the host portion of the IP address (typically 255.255.255.0). To define the default static route for any unknown address, type 0.0.0.0.
5. In the Gateway box, type the IP address of the specific router port or gateway on the same subnet as the Enterasys Wireless Controller to which to forward these packets. This is the IP address of the next hop between the Enterasys Wireless Controller and the packet's ultimate destination.
6. Click Add. The new route is added to the list of routes.
7. Select the Override dynamic routes checkbox to give priority over the OSPF learned routes, including the default route, which the Enterasys Wireless Controller uses for routing. This option is enabled by default.
To remove this priority for static routes, so that routing is controlled dynamically at all times, clear the Override dynamic routes checkbox.
Note: If you enable dynamic routing (OSPF), the dynamic routes will normally have priority for outgoing routing. For internal routing on the Enterasys Wireless Controller, the static routes normally have priority.
8. To save your changes, click Save.
2. Alternatively, from the main menu, click Reports & Displays. The Reports & Displays screen is displayed. Then, click Forwarding Table. The Forwarding Table is displayed.
This report displays all defined routes, whether static or OSPF, and their current status.
3. To update the display, click Refresh.
3. Click the OSPF tab.
5. In the Area ID box, type the area. 0.0.0.0 is the main area in OSPF.
6. In the Area Type drop-down list, click one of the following:
Default - The default acts as the backbone area (also known as area zero). It forms the core of an OSPF network. All other areas are connected to it, and inter-area routing happens via a router connected to the backbone area.
Stub - The stub area does not receive external routes. External routes are defined as routes which were distributed in OSPF via another routing protocol. Therefore, stub areas typically rely on a default route to send traffic routes outside the present domain.
Not-so-stubby - The not-so-stubby area is a type of stub area that can import autonomous system (AS) external routes and send them to the default/backbone area, but cannot receive AS external routes from the backbone or other areas.
7. To save your changes, click Save.
10. To save your changes, click Save.
2. To update the display, click Refresh.
4. If the topology has an L3 interface defined, an Exception Filters tab is available. Select this tab. The Exception Filter rules are displayed.
9. To adjust the order of the filtering rules, click Up or Down to position the rule. The filtering rules are executed in the order defined here.
10. To save your changes, click Save.
Table 3-2
3. The Configuration for Topology section displays.
Table 3-3
Field/Button
Interface Certificates
Topology - Topology name
Expiry Date - Date when the certificate expires
CA Cert. - Identifies whether or not a CA certificate has been installed on the topology.
Name (CN) - The IP address or DNS address associated with the topology that the certificate applies to.
Org Unit (OU) - Name of the organization's unit.
Organization - Name of the organization
Configuration for Topology
Replace/Install selected Topology's certificate - To replace the existing port's certificate and key using this option, do the following:
1. From the click the Generate Signing Request button to create the certificate and key.
2. Download the key and CSR when prompted.
3. Use a 3rd party certificate service to sign the CSR and create a certificate and a Certificate Authority (CA) file.
4. Save the certificate on your computer.
5. Return to the Certificates tab on the Enterasys Wireless Assistant UI.
6. Select the topology for which you created the certificate and select Replace/Install selected Topology's certificate.
7. Click Browse next to the Signed certificate to install box.
8. Navigate to the certificate file you want to install for this port, and then click Open. The certificate file name is displayed in the Certificate file to install box.
9. (Optional) Click Browse next to the Optional: Enter PEM-encoded CA public certificates file box. The Choose file dialog is displayed.
10. (Optional) Navigate to the certificate file you want to install for this port, and then click Open. The certificate file name is displayed in the Optional: Enter PEM-encoded CA public certificates file box.
Note: If you choose to install a CA public certificate, you must install it when you install the PEM/DER certificate and key.
Field/Button
Replace/Install selected Topology's certificate and key from a single file - To replace the existing port's certificate and key using this option, do the following:
1. Click Browse next to the PKCS #12 file to install box. The Choose file dialog is displayed.
2. Navigate to the certificate file you want to install for this port, and then click Open. The certificate file name is displayed in the PKCS #12 file to install box.
3. Click Browse next to the Private key file to install box. The Choose file dialog is displayed.
4. Navigate to the key file you want to install for this port, and then click Open. The key file name is displayed in the Private key file to install box.
5. In the Private key password box, type the password for the key file. The key file is password protected.
6. (Optional) Click Browse next to the Optional: Enter PEM-encoded CA public certificates file box. The Choose file dialog is displayed.
7. (Optional) Navigate to the certificate file you want to install for this port, and then click Open. The certificate file name is displayed in the Optional: Enter PEM-encoded CA public certificates file box.
Note: If you choose to install a CA public certificate, you must install it when you install the PEM/DER certificate and key.
Reset selected Topology to the factory default certificate and key - Select to assign the factory default certificate and key to the interface.
No change - The default setting.
Generate Signing Request
Save
Note: To avoid the certificate-related Web browser security warnings when accessing the Enterasys Wireless Assistant, you must also import the customized certificates into your Web browser application.
Figure 3-1
Table 3-4
Field/Button
Email address
Generate Signing Request
Local authentication first, then RADIUS authentication - The Enterasys Wireless Controller first uses locally configured login credentials and passwords. If this login fails, the Enterasys Wireless Controller attempts to validate login credentials and passwords configured on a RADIUS server. See Configuring the Local, RADIUS Login Authentication Mode on page 336.
RADIUS authentication first, then local authentication - The Enterasys Wireless Controller first uses login credentials and passwords configured on a RADIUS server. If this login fails, the Enterasys Wireless Controller attempts to validate login credentials and passwords configured locally. See Configuring the RADIUS, Local Login Authentication Mode on page 337.
Note: The Enterasys Wireless Controller, Access Points and Convergence Software enables you to recover the Enterasys Wireless Controller via the Rescue mode if you have lost its login password. For more information, see the Enterasys Wireless Controller, Access Points and Convergence Software Maintenance Guide.
Configuring the Local Login Authentication Mode and Adding New Users
Local login authentication mode is enabled by default. If the login authentication was previously set to another authentication mode, you can change it to the local authentication. You can also add new users and assign them to a login group as full administrators, read-only administrators, or as Guest Portal managers. For more information, see Defining Enterasys Wireless Assistant Administrators and Login Groups on page 155.
To configure the local login authentication mode:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen is displayed.
2. In the left pane, click Login Management. The Login Management screen is displayed.
3. In the Authentication mode section, click Configure. The Login Authentication Mode Configuration window is displayed.
4. Select the Local checkbox. If the RADIUS checkbox is selected, deselect it.
7. In the User ID box, type the user's ID.
8. In the Password box, type the user's password.
Note: The password must be 8 to 24 characters long.
9. In the Confirm Password box, retype the password.
RADIUS is a client/server authentication and authorization access protocol used by a network access server (NAS) to authenticate users attempting to connect to a network device. The NAS functions as a client, passing user information to one or more RADIUS servers. The NAS permits or denies network access to a user based on the response it receives from one or more RADIUS servers. RADIUS uses User Datagram Protocol (UDP) for sending the packets between the RADIUS client and server.
You can configure a RADIUS key on the client and server. If you configure a key on the client, it must be the same as the one configured on the RADIUS servers. The RADIUS clients and servers use the key to encrypt all RADIUS packets transmitted. If you do not configure a RADIUS key, packets are not encrypted. The key itself is never transmitted over the network.
Note: Before you configure the system to use RADIUS-based login authentication, you must configure the Service-Type RADIUS attribute on the RADIUS server. For more information, see the RADIUS-based login authentication section in the Enterasys Wireless Controller, Access Points and Convergence Software Technical Reference Guide.
4. In the Authentication mode section, click Configure. The Login Authentication Mode Configuration window is displayed.
5. Select the RADIUS checkbox. If the Local checkbox is selected, deselect it.
8. To add additional RADIUS servers, repeat Step 7.
Note: You can add up to three RADIUS servers to the list of login authentication servers. When you add two or more RADIUS servers to the list, you must designate one of them as the Primary server. The Enterasys Wireless Controller first attempts to connect to the Primary server. If the Primary Server is not available, it tries to connect to the second and third server according to their order in the Configured Servers box. You can change the order of RADIUS servers in the Configured Servers box by clicking on the Up and Down buttons.
9. Click Test to test connectivity to the RADIUS server.
Note: You can also test the connectivity to the RADIUS server after you save the configuration. If you do not test the RADIUS server connectivity, and you have made an error in configuring the RADIUS-based login authentication mode, you will be locked out of the Enterasys Wireless Controller when you switch the login mode to the RADIUS login authentication mode. If you are locked out, access Rescue mode via the console port to reset the authentication method to local.
The following window is displayed.
If the test is not successful, the following message will be displayed:
The following message is displayed:
3. In the Authentication mode section, click Configure. The Login Authentication Mode Configuration window is displayed.
4. Select the Local and RADIUS checkboxes.
5. If necessary, select Local and use the Move Up button to move Local to the top of the list.
6. Click OK.
7. On the Login Management screen, click Save.
2. In the left pane, click Login Management. The Login Management screen is displayed.
3. In the Authentication mode section, click Configure. The Login Authentication Mode Configuration window is displayed.
4. Select the Local and RADIUS checkboxes.
5. If necessary, select RADIUS and use the Move Up button to move RADIUS to the top of the list.
6. Click OK.
7. On the Login Management screen, click Save.
Configuring SNMP
The Enterasys Wireless Controller supports the Simple Network Management Protocol (SNMP) for retrieving statistics and configuration information. If you enable SNMP on the Enterasys Wireless Controller, you can choose either SNMPv3 or SNMPv1/v2 mode. If you configure the Enterasys Wireless Controller to use SNMPv3, then any request other than an SNMPv3 request is rejected. The same is true if you configure the Enterasys Wireless Controller to use SNMPv1/v2.
To Configure SNMP:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen is displayed.
2. In the left pane, click SNMP. The SNMP screen is displayed.
3. In the SNMP Common Settings section, configure the following:
• Mode - Select SNMPv1/v2c or SNMPv3 to enable SNMP.
• Contact Name - The name of the SNMP administrator.
• Location - The physical location of the Enterasys Wireless Controller running the SNMP agent.
• SNMP Port - The destination port for the SNMP traps. Possible ports are 0-65555.
• Forward Traps - The lowest severity level of SNMP trap that you want to forward.
• Publish AP as interface of controller - Enable or disable SNMP publishing of the access point as an interface to the Enterasys Wireless Controller.
4. Click Save.
2. 3.
4. 5. 6.
7. Click Save.
The Enterasys Wireless Controller automatically adjusts for any time change due to Daylight Savings time.
3. From the Continent or Ocean drop-down list, click the appropriate large-scale geographic grouping for the time zone.
4. From the Country drop-down list, click the appropriate country for the time zone. The contents of the drop-down list change, based on the selection in the Continent or Ocean drop-down list.
5. From the Time Zone Region drop-down list, click the appropriate time zone region for the selected country.
6. Click Apply Time Zone.
7. In the System Time box, type the system time.
8. Click Set Clock.
9. The WLAN network time is synchronized in accordance with the Enterasys Wireless Controller's time.
3. 4.
5. 6. 7.
8. Select the Use NTP checkbox.
Note: If you want to use the Enterasys Wireless Controller as the NTP Server, select the Run local NTP Server checkbox, and then skip to Step 11.
9. In the Time Server 1 text box, type the IP address or FQDN (Full Qualified Domain Name) of an NTP time server that is accessible on the enterprise network.
Configuring DNS Servers for Resolving Host Names of NTP and RADIUS Servers
Since the Global Settings screen (Main Menu > Virtual Network Configuration > Global Settings) allows you to set up NTP and RADIUS servers by defining their host names, you have to configure your DNS servers to resolve the host names of NTP and RADIUS servers to the corresponding IP addresses.
Note: For more information on RADIUS server configuration, see Defining RADIUS Servers and MAC Address Format on page 7-4.
You can configure up to three DNS servers to resolve NTP and RADIUS server host names to their corresponding IP addresses.
The Enterasys Wireless Controller sends the host name query to the first DNS server in the stack of three configured DNS servers. The DNS server resolves the queried domain name to an IP address and sends the result back to the Enterasys Wireless Controller.
If for some reason the first DNS server in the stack of configured DNS servers is not reachable, the Enterasys Wireless Controller sends the host name query to the second DNS server in the stack. If the second DNS server is also not reachable, the query is sent to the third DNS server in the stack.
To configure DNS servers for resolving host names of NTP and RADIUS servers:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen is displayed.
2. In the left pane, click Host Attributes. The Host Attributes screen is displayed.
3. In the DNS box, type the DNS server's IP address in the Server Address field and then click Add Server. The new server is displayed in the DNS servers list.
Note: You can configure up to three DNS servers.
4. To save your changes, click Save.
3. 4. 5.
6. From the top menu, click Wireless APs. The All APs screen is displayed.
7. Select an AP.
8. Click Advanced. The Advanced window displays.
9. In the Location-based Service field, select Enable.
4
Configuring Topologies
This chapter describes topology configuration, including:
For information about...            Refer to page...
Topology Overview                   4-1
Configuring a Basic Topology        4-2
Enabling Management Traffic         4-3
Layer 3 Configuration               4-3
Exception Filtering                 4-7
Multicast Filtering                 4-10
Topology Overview
Topology configuration is independent of the WLAN services or Policies that are defined in the system. You can navigate to the Topology configuration page from either Wireless Controller Configuration or Virtual Network Configuration options of the Enterasys Wireless Assistant main menu. Also, the Policy definition page allows the user to edit or create a Topology definition at any time.
Topologies are not activated until they are referenced by a Policy. Creating an interface on a VLAN will not take effect until a Policy references its usage.
Topologies cannot be deleted while they are active (that is, referenced by a Policy).
On the Topology configuration page, the key field is the Mode, which determines some of the other factors of the topology. When you have completed defining the topology for your VNS, save the topology settings. Once your topology is saved, you can then access the remaining VNS tabs and continue configuring your VNS.
On the Topology configuration page, a number of parameters related to network topology can be defined:
• VLAN ID and associated L2 port
• L3 (IP) interface presence and the associated IP address and subnet range
• The rules for using DHCP
• Enabling or disabling the use of the associated interface for management/control traffic
• Selection of an interface for AP registration
• Multicast filter definition
• Exception filter definition
3. 4.
5.
6. Click Save to save your changes.
These steps are sufficient to create and save a topology. The following configuration options are optional and depend on the mode of the topology.
2. 3. 4.
Layer 3 Configuration
This section describes configuring IP addresses, DHCP options, Next Hop and OSPF parameters, for Physical port, Routed, and Bridge Traffic Locally at HWC topologies.
IP Address Configuration
The L3 (IP) address definition is only required for Physical port and Routed topologies. For Bridge Traffic Locally at HWC topologies, L3 configuration is optional. L3 configuration would be necessary if services (such as DHCP, captive portal, etc.) are required over the configured network segment or if controller management operations are intended to be done through the configured interface.
Bridge Traffic Locally at AP VNSs do not require the definition of a corresponding IP address since all traffic for users in that VNS will be directly bridged by the Wireless AP at the local network point of attachment (VLAN at AP port).
2.
3.
b.
c. If necessary, configure the MTU value. Typically, you will not change this value from the default.
d. If desired, enable Management traffic.
4. For IP interface configuration for Bridge Traffic Locally at HWC topologies, configure the following Layer 3 parameters.
a. In the Interface IP field, type the IP address that corresponds to the Enterasys Wireless Controller's own point of presence on the VLAN. In this case, the controller's interface is typically not the gateway for the subnet. The gateway for the subnet is the infrastructure router defined to handle the VLAN.
b. In the Mask field, type the appropriate subnet mask for the IP address to separate the network portion from the host portion of the address (typically, 255.255.255.0).
c. Configure Strict Subnet Adherence.
DHCP Configuration
You can configure DHCP settings for all modes except Bridge Traffic Locally at AP mode since all traffic for users in that VNS will be directly bridged by the Wireless AP at the local network point of attachment (VLAN at AP port). DHCP assignment is disabled by default for Bridged to VLAN mode. However, you can enable DHCP server/relay functionality to have the controller service the IP addresses for the VLAN (and wireless users).
4. If you selected Local Server, the following window displays. Configure the following parameters:
a. b.
c.
d. In the WINS box, type the IP address if the DHCP server uses Windows Internet Naming Service (WINS).
e. Check the Enable DLS DHCP Option checkbox if you expect optiPoint WL2 wireless phone traffic on the VNS. Enterasys DLS (Enterasys Deployment Service) is an application that provides configuration management and software deployment and licensing for optiPoint WL2 phones.
f. In the Gateway field, type the Enterasys Wireless Controller's own IP address in that topology. This IP address is the default gateway for the topology. The controller advertises this address to the wireless devices when they sign on. For routed topologies, it corresponds to the IP address that is communicated to wireless clients as the default gateway for the subnet (wireless clients target the Enterasys Wireless Controller's interface in their effort to route packets to an external host).
For a Bridge traffic locally at the HWC topology, the IP address corresponds to the Enterasys Wireless Controller's own point of presence on the VLAN. In this case, the controller's interface is typically not the gateway for the subnet. The gateway for the subnet is the infrastructure router defined to handle the VLAN.
g. The Address Range boxes (from and to) populate automatically with the range of IP addresses to be assigned to wireless devices using this VNS, based on the IP address you provided.
• To modify the address in the Address Range from box, type the first available address.
• To modify the address in the Address Range to box, type the last available address.
• If there are specific IP addresses to be excluded from this range, click Exclusion(s). The DHCP Address Exclusion dialog is displayed.
If you selected Use Relay, the following window displays.
a.
6. To save your changes, click Save.
4. 5.
6. 7. 8.
Exception Filtering
The exception filter provides a set of rules aimed at restricting the type of traffic that is delivered to the controller. By default, your system is shipped with a set of restrictive filtering rules that help control access through the interfaces to only absolutely necessary services.
By configuring to allow management on an interface, an additional set of rules is added to the shipped filter rules that provide access to the system's management configuration framework (SSH, HTTPS, SNMP Agent). Most of this functionality is handled directly behind the scenes by the system, rolling and unrolling canned filters as the system's topology and defined access privileges for an interface change.
Note: An interface for which Allow Management is enabled can be reached by any other interface. By default, Allow Management is disabled and shipped interface filters will only permit the interface to be visible directly from its own subnet.
The exception rules are evaluated in the context of referring to the specific controller's interface. The destination address for the filter rule definition is typically defined as the interface's own IP address. The port number for the filter definition corresponds to the target (destination) port number for the applicable service running on the controller's management plane.
The exception filter on a topology applies only to the packets directed to the controller and can be applied to the destination portion of the packet, or to the source portion of the packet when filtering is enabled. Traffic to a specified IP address and IP port is either allowed or denied. Adding exception filtering rules allows network administrators to either tighten or relax the built-in filtering that automatically drops packets not specifically allowed by filtering rule definitions. The exception filtering rules can deny access in the event of a DoS attack, or can allow certain types of management traffic that would otherwise be denied. Typically, Allow Management is enabled.
2.
3.
Table 4-1
Field/Button Rule
In
Identifies the rule applies to traffic from the network host or wireless device that is trying to get to a controller. You can change this setting using the drop-down menu. Options include:
• Destination (dest)
• Source (src) - available in Advanced Filtering Mode only
• None
• Both - available in Advanced Filtering Mode only
Select the Allow checkbox to allow this rule. Otherwise the rule is denied.
Identifies the IP address and port to which this filter rule applies.
In the Protocol drop-down list, click the applicable protocol. The default is N/A.
Select a filter rule and click to either move the rule up or down in the list. The filtering rules are executed in the order you define here.
Add Filter section
IP/subnet:port
Type the destination IP address. You can also specify an IP range, a port designation, or a port range on that IP address.
Protocol
In the Protocol drop-down list, click the applicable protocol. The default is N/A.
In Filter
In the drop-down menu, select an option that refers to traffic from the network host that is trying to get to a wireless device. Options include:
• Destination (dest)
• Source (src) - available in Advanced Filtering Mode only
• None
• Both - available in Advanced Filtering Mode only
By default, user-defined rules are enabled on ingress (In), and are assumed to be Allow rules. To disable the rule in either direction, or to make it a Deny rule, click the new filter, then de-select the relevant checkbox.
OK
Click to add the filter rule to the filter group. The information displays in the filter rule table.
Cancel
Click Cancel to discard your changes.
Note: For external Captive Portal, you need to add an external server to a non-authentication filter.
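The ordered evaluation with a built-in drop described above, as an added example that is not the controller's own code: rules are checked top to bottom, the first match decides, and anything unmatched is dropped, so a broad Allow placed above a specific Deny silently disables the Deny. Rule names, the 192.0.2.10 interface address and the `shadowed` audit helper are constructed for illustration, and only destination matching is modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    subnet: str    # IP/subnet the rule applies to, e.g. "192.0.2.10/32"
    ports: tuple   # inclusive (low, high) destination port range
    protocol: str  # "tcp", "udp" or "any" (the N/A default)
    allow: bool    # Allow checkbox selected; otherwise the rule denies

    def matches(self, dst_ip: str, dst_port: int, protocol: str) -> bool:
        return (ip_address(dst_ip) in ip_network(self.subnet)
                and self.ports[0] <= dst_port <= self.ports[1]
                and self.protocol in ("any", protocol))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        return (ip_network(other.subnet).subnet_of(ip_network(self.subnet))
                and self.ports[0] <= other.ports[0]
                and other.ports[1] <= self.ports[1]
                and self.protocol in ("any", other.protocol))


def evaluate(rules, dst_ip, dst_port, protocol):
    """First matching rule decides; unmatched traffic hits the built-in drop."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port, protocol):
            return ("allow" if rule.allow else "deny", rule.name)
    return ("deny", "default-drop")


def shadowed(rules):
    """Audit helper: (earlier, later) pairs where `later` can never be reached."""
    pairs = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            if earlier.covers(later):
                pairs.append((earlier.name, later.name))
                break
    return pairs


CONTROLLER = "192.0.2.10"  # constructed interface address (documentation range)

ALLOW_TCP = Rule("allow-tcp-any", CONTROLLER + "/32", (0, 65535), "tcp", True)
DENY_HTTP = Rule("deny-http", CONTROLLER + "/32", (80, 80), "tcp", False)
ALLOW_SNMP = Rule("allow-snmp", CONTROLLER + "/32", (161, 161), "udp", True)

MISORDERED = [ALLOW_TCP, DENY_HTTP, ALLOW_SNMP]  # Deny sits below the broad Allow
REORDERED = [DENY_HTTP, ALLOW_TCP, ALLOW_SNMP]   # Deny moved up with the Up button

if __name__ == "__main__":
    for label, rules in (("misordered", MISORDERED), ("reordered", REORDERED)):
        print(label, "HTTP :", evaluate(rules, CONTROLLER, 80, "tcp"))
        print(label, "HTTPS:", evaluate(rules, CONTROLLER, 443, "tcp"))
        print(label, "DNS  :", evaluate(rules, CONTROLLER, 53, "udp"))
        print(label, "unreachable rules:", shadowed(rules))
```

Running the audit helper over an exported rule list before saving is a quick way to catch Deny rules that the current order makes ineffective.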
Multicast Filtering
A mechanism that supports multicast traffic can be enabled as part of a topology definition. This mechanism is provided to support the demands of VoIP and IPTV network traffic, while still providing the network access control.
Note: To use the mobility feature with this topology, you must select the Enable Multicast Support checkbox for the data port.
2. 3.
4. 5. 6.
7. To save your changes, click Save.
Note: The multicast packet size should not exceed 1450 bytes.
5
Configuring Policies
This chapter describes policy configuration, including:
For information about...                               Refer to page...
Policy Overview                                        5-1
Configuring VLAN and Class of Service for a Policy     5-1
Filtering Rules                                        5-3
Policy Overview
Policy configuration defines the binding of a topology (VLAN), ingress and egress rate profiles applied to the traffic of a station, and filter rules.
Policies don't need to be fully specified; unspecified attributes are retained by the user or inherited from Global Policy definitions (see Configuring the Global Default Policy on page 7-11 for more information).
Default Global Policy definitions provide a placeholder for completion of incomplete policies for initial default assignment. If a policy is defined as Default for a particular VNS, the policy inherits incomplete attributes from Default Global Policy definitions.
Figure 5-1
Table 5-1
Select an existing topology from the Assigned Topology dropdown list, or click the New button to create a new topology. To edit an existing topology, select the topology and then click the Edit button. The Edit Topology page displays. For information about how to configure a topology, go to Configuring Topologies on page 4-1.
Rate Profiles
Ingress Rate Profile
Select an existing Ingress Rate Profile from the drop-down lists, or click the New button to create a new rate control profile. To edit an existing profile, click Edit. The Add/Edit Rate Control Profile Window displays.
Egress Rate Profile
Select an existing Egress Rate Profile from the drop-down lists, or click the New button to create a new rate control profile. To edit an existing profile, click Edit. The Add/Edit Rate Control Profile Window displays.
Save
Click to save the configuration.
Add/Edit Rate Control Profile
Profile Name
Enter a unique name for the rate profile.
Average Rate (CIR)
Enter a value for the CIR (Committed Information Rate) in Kbps. Valid range is 128 to 25000 kbps.
Table 5-1
Field/Button Synchronize
Filtering Rules
Optionally, you can define filter rules for the policy. The policy name should match filter ID values set up on the RADIUS servers.
If you do not define filter rules, then the system uses the default filter for authenticated users. However, if you require user-specific filter definitions, then the filter ID configuration identifies the specific policy that should be applied to the user.
You can configure a filter definition to be static on the Enterasys Wireless Controller itself, or to be dynamically provisioned if RADIUS authentication is used. The standard RADIUS attribute can be used to identify a specific filter definition to apply to incoming/outgoing user traffic upon successful authentication of the user during authentication. You can configure up to three types of filters, depending on your network assignment type.
Table 5-2
Filter Type Exception filter Non-authenticated filter Default filter
Filter Types
AAA Network Assignment Yes Yes SSID Assignment Yes Yes Yes
For information about configuring exception filters, refer to Exception Filtering on page 4-7.
Any HTTP streams requested by the client for denied targets will be redirected to the specified location.
The non-authenticated filter should allow access to the Captive Portal page IP address, as well as to any URLs for the header and footer of the Captive Portal page. This filter should also allow network access to the IP address of the DNS server and to the network address (the gateway) of the Topology. The gateway is used as the IP for an internal Captive Portal page. An external Captive Portal will provide a specific IP definition of a server outside the Enterasys Wireless Controller.
Redirection and Captive Portal credentials apply to HTTP traffic only. A wireless device user attempting to reach Web sites other than those specifically allowed in the non-authenticated filter will be redirected to the allowed destinations. Most HTTP traffic outside of those defined in the non-authenticated filter will be redirected.
Note: Although non-authenticated filter definitions are used to assist in the redirection of HTTP traffic for restricted or denied destinations, the non-authenticated filter is not restricted to HTTP operations. The filter definition is general. Any traffic other than HTTP that the filter does not explicitly allow will be discarded by the controller.
Note: For external Captive Portal, an additional rule to Allow (in/out) access to the external Captive Portal authentication/Web server is required.
Table 5-4
In x x x x x Out x x x x x
This feature allows for tighter granularity over enforcement of ICMP restrictions. You can allow redirects and DF/MTU indications, and deny ICMP Echo (pings) for users.
Table 5-8
In Out x x
x x x x
x x
Note: You can also prevent the two wireless devices from communicating with each other by setting Block MU to MU traffic. See Configuring a Basic WLAN Service on page 6-2.
Wireless AP Filtering
When filtering at the Wireless AP is enabled, Wireless APs obtain client filter information from the Enterasys Wireless Controller. In addition, direct inter-Wireless AP communication allows Wireless APs to exchange client filter information as clients roam from one Wireless AP to another. This allows the system to achieve a very fast roaming time. To take advantage of inter-Wireless AP communication, you should configure the network so that Wireless APs in the mobility domain can communicate with each other through the Wireless AP's Ethernet interface. Also, multicast traffic with an IP address of 224.0.1.178 should be allowed between Wireless APs.
(1) Select the AP Filtering checkbox to enable the filter rules defined on the HWC Filters tab to be applied by Wireless APs. The Custom AP Filters checkbox becomes available.
(2) Select the Custom AP Filters checkbox to configure additional filters for the APs. An AP Filters tab is added to the window.
(3) Click the AP Filters tab. The AP Filters tab displays.
Figure 5-2 Filter Rules Page - HWC Filters tab
Figure 5-3
Table 5-10
Field/Button
Select to apply the configured filters to the wireless AP.
Select to create a new filter definition to apply to the wireless AP.
Identifies the type of filter rule. Options are:
• D - Default rule
• I - Internal (read-only)
• T - Local interface rule
• U - user-defined rule
In
Identifies the rule applies to traffic from the wireless device that is trying to get on the network. You can change this setting using the drop-down menu. Options include:
• Destination (dest) - available in Advanced Filtering Mode only
• Source (src)
• None
• Both - available in Advanced Filtering Mode only
Field/Button Out
Select the Allow checkbox to allow this rule. Otherwise the rule is denied.
Identifies the IP address and port to which this filter rule applies.
In the Protocol drop-down list, click the applicable protocol. The default is N/A.
Select a filter rule and click to either move the rule up or down in the list. The filtering rules are executed in the order you define here.
Add
Click to add a filter rule. The fields in the Add Filter area are enabled.
Delete
Click to remove this filter rule.
Save
Click to save the configuration.
Advanced Mode
Advanced filtering mode provides the ability to create bidirectional filters. If this controller participates in a mobility zone, before enabling advanced mode be sure that all controllers in the mobility zone are running v7.41 or greater.
Note: After enabling advanced filtering mode you can no longer use NMS Wireless Manager V4.0 to manage the controller's policies and you cannot switch back to basic filter mode unless you return the controller to its default state.
Add Filter section
IP/subnet
Select one of the following:
• User Defined, then type the destination IP address and mask. Use this option to explicitly define the IP/subnet aspect of the filter rule.
• IP - select to map the rule to the associated Topology IP address.
• Subnet - select to map the rule to the associated Topology segment definition (IP address/mask).
Port
From the Port drop-down list, select one of the following:
• User Defined, then type the port number. Use this option to explicitly specify the port number.
• A specific port type. The appropriate port number or numbers are added to the Port text field.
Protocol
In the Protocol drop-down list, click the applicable protocol. The default is N/A. ICMP Type Enforcement on page 5-5 provides more information about selecting the ICMP protocol.
Field/Button
In Filter
In the drop-down menu, select an option that refers to traffic from the wireless device that is trying to get on the network. Options include:
• Destination (dest)
• Source (src) - available in Advanced Filtering Mode only
• None
• Both - available in Advanced Filtering Mode only
Out Filter
OK
Click to add the filter rule to the filter group. The information displays in the filter rule table.
Cancel
Click Cancel to discard your changes.
Note: For Captive Portal assignment, define a rule to allow access to the default gateway for this controller. You should also configure a rule denying HTTP on the controller.
6
Configuring WLAN Services
This chapter describes WLAN service configuration, including:
For information about...                       Refer to page...
WLAN Services Overview                         6-1
Third-party AP WLAN Service Type               6-2
Configuring a Basic WLAN Service               6-2
Configuring Privacy                            6-7
Configuring Accounting and Authentication      6-13
Configuring the QoS Policy                     6-32
Figure 6-1
a. b. c.
3.
Figure 6-2
Table 6-1
Enter a name for this WLAN service.
Select the type of service to apply to this WLAN service. Options include:
• Standard
• WDS
• Mesh
• Third Party AP
• Remote
If you selected Remote as the Service Type, select the Privacy type.
If you set Service Type as either Standard or Remote, select Synchronize, in the Status area, if desired. Enabling this feature allows availability pairs to be synchronized automatically.
SSID
The software automatically populates this field with the WLAN service name that you supply. Optionally, you can change this. If you are creating a remote WLAN service, select the SSID of the remoteable service that this remote service will be paired with.
Default Topology
From the drop-down list, select a preconfigured topology or click New Topology to create a new one. Refer to Configuring a Basic Topology on page 4-2 for information about how to create a new topology. A WLAN service uses the topology of the policy assigned to the VNS, if such a topology is defined. If the policy doesn't define a topology, you can assign an existing topology as the default topology to the WLAN service. If you choose not to assign a default topology to the WLAN service, the WLAN service will use the topology of the global default policy (by default, Bridged at AP Untagged).
Note: You cannot assign a default topology to a WDS, 3rd party, or remote WLAN service.
Status
Enable
Select the checkbox to enable this WLAN service. Otherwise, deselect this checkbox. The WLAN service is enabled by default.
Select APs and their radios by grouping. Options include:
• all radios - Click to assign all of the AP's radios.
• radio 1 - Click to assign only the AP's Radio 1.
• radio 2 - Click to assign only the AP's Radio 2.
• local APs - all radios - Click to assign only the local APs.
• local APs - radio 1 - Click to assign only the local AP's Radio 1.
• local APs - radio 2 - Click to assign only the local AP's Radio 2.
• foreign APs - all radios - Click to assign only the foreign APs.
• foreign APs - radio 1 - Click to assign only the foreign AP's Radio 1.
• foreign APs - radio 2 - Click to assign only the foreign AP's Radio 2.
• clear all selections - Click to clear all of the AP radio assignments.
• original selections - Click to return to the AP radio selections prior to the most recent save.
Note: If two Enterasys Wireless Controllers have been paired for availability (for more information, see Availability on page 10-1), each Enterasys Wireless Controller's registered Wireless APs are displayed as foreign in the list of available Wireless APs on the other Enterasys Wireless Controller.
Radio 1
Assign the Wireless AP's Radios to the service by selecting the individual radios' checkboxes. Alternatively, you can use the Select APs list.
Radio 2
Assign the Wireless AP's Radios to the service by selecting the individual radios' checkboxes. Alternatively, you can use the Select APs list.
Click to access the WLAN service advanced configuration options.
Click to create a new WLAN service.
Click to delete this WLAN service.
Click to save the changes to this WLAN service. If you are creating a new service, the WLAN Services configuration window is redisplayed, allowing you to assign Wireless APs to the service.
Table 6-2
Specify the amount of time in minutes that a Mobile user can have a session on the controller in pre-authenticated state but no active traffic is passed. The session will be terminated if no active traffic is passed within this time. The default value is 5 minutes.
Idle (post)
Specify the amount of time in minutes that a Mobile user can have a session on the controller in authenticated state but no active traffic is passed. The session will be terminated if no active traffic is passed within this time. The default value is 30 minutes.
Session
Specify the maximum number of minutes of service to be provided to the user before termination of the session.
RF - select one or more of the following options:
Suppress SSID
Select to prevent this SSID from appearing in the beacon message sent by the Wireless AP. The wireless device user seeking network access will not see this SSID as an available choice, and will need to specify it.
Select to enable TPC (Transmission Power Control) reports. By default this option is disabled. Enterasys recommends that you enable this option.
Select to enable the Wireless AP to use reduced power (as does the 11h client). By default this option is disabled. Enterasys recommends that you enable this option. This option is available only if you enable 11h support.
Process client IE requests
Select to enable the Wireless AP to accept IE requests sent by clients via Probe Request frames and respond by including the requested IEs in the corresponding Probe Response frames. By default this option is disabled. Enterasys recommends that you enable this option.
Select to reduce the number of beacons the AP transmits on a BSSID when no client is associated with the BSSID. This reduces both the power consumption of the AP and the interference created by the AP when no client is associated.
802.1D
Remotable8021DBasePort:xxx
Field/Button
Remote Service
Remoteable
Select the checkbox if you want to pair this service with a remote service.
Inter-WLAN Service Roaming
Permit Inter-WLAN Service Roaming
Select to enable a client on a controller to maintain the session, including the IP address and policy assignment, while roaming between VNSs having the same SSID and privacy settings. If not selected, when the client roams among VNSs, the existing session terminates and a new session starts with the client having to associate and authenticate again. The list of VNSs that share the same SSID and privacy settings displays below.
Close
Click to close this page.
Note: If two Enterasys Wireless Controllers have been paired for availability (for more information, see Availability on page 10-1), each Enterasys Wireless Controller's registered Wireless APs are displayed as foreign in the list of available Wireless APs on the other Enterasys Wireless Controller.
After you have assigned a Wireless AP Radio to eight WLAN Services, it will not appear in the list for another WLAN Service setup. Each Radio can support up to eight SSIDs (16 per AP). Each AP can be assigned to any of the VNSs defined within the system. The Enterasys Wireless Controller can support the following active VNSs:
• C5110 - Up to 128 VNSs
• C4110 - Up to 64 VNSs
• C2400 - Up to 64 VNSs
• C20 - Up to 8 VNSs
• C20N - Up to 8 VNSs
• C25 - Up to 16 VNSs
• CRBT8210 - Up to 8 VNSs
• CRBT8110 - Up to 8 VNSs
Note: You can assign the Radios of all three Wireless AP variants (Enterasys Wireless AP, Enterasys Wireless Outdoor AP, and Wireless 802.11n AP) to any VNS.
Configuring Privacy
Privacy is a mechanism that protects data over wireless and wired networks, usually by encryption techniques. The Enterasys Wireless Controller provides several privacy mechanisms to protect data over the WLAN.
There are five privacy options:
• None
• Static Wired Equivalent Privacy (WEP) - Keys for a selected VNS, so that it matches the WEP mechanism used on the rest of the network. Each AP can participate in up to 50 VNSs.
Enterasys Wireless Controller, Access Points, and Convergence Software User Guide
The encryption portion of WPA v1 is Temporal Key Integrity Protocol (TKIP). TKIP includes:
• A per-packet key mixing function that shares a starting key between devices, and then changes their encryption key for every packet (unicast key) or after the specified rekey time interval (broadcast key) expires
• An extended WEP key length of 256 bits
• An enhanced Initialization Vector (IV) of 48 bits, instead of 24 bits, making it more difficult to compromise
• A Message Integrity Check or Code (MIC), an additional 8-byte code that is inserted before the standard WEP 4-byte Integrity Check Value (ICV). These integrity codes are used to calculate and compare, between sender and receiver, the value of all bits in a message, which ensures that the message has not been tampered with.
The following is an overview of the WPA authentication and encryption process:
1. The wireless device client associates with Wireless AP.
2. Wireless AP blocks the client's network access while the authentication process is carried out (the Enterasys Wireless Controller sends the authentication request to the RADIUS authentication server).
3. The wireless client provides credentials that are forwarded by the Enterasys Wireless Controller to the authentication server.
4. If the wireless device client is not authenticated, the wireless client stays blocked from network access.
5. If the wireless device client is authenticated, the Enterasys Wireless Controller distributes encryption keys to the Wireless AP and the wireless client.
6. The wireless device client gains network access via the Wireless AP, sending and receiving encrypted data. The traffic is controlled with permissions and policy applied by the Enterasys Wireless Controller.
If WPA v.1 is disabled, the Wireless 802.11n AP will advertise the encryption cipher AES (Advanced Encryption Standard).
Note: The security encryption for some network cards must not be set to WEP or TKIP to achieve a data rate beyond 54 Mbps.
Table 6-3
From the WEP Key Length drop-down list, click the WEP encryption key length. Options are: 64-bit, 128-bit, and 152-bit. This field is available only when configuring static keys.
Input Method - Select one of the following input methods:
• Input Hex - If you select Input Hex, type the WEP key input in the WEP Key box. The key is generated automatically, based on the input.
• Input String - If you select Input String, type the secret WEP key string used for encrypting and decrypting in the Strings box. The WEP Key box is automatically filled by the corresponding Hex code.
This field is available only when configuring static keys.
WEP Key
Dynamic Keys (WEP) - Select to configure dynamic keys (WEP) privacy settings.
WPA - Select to configure WPA privacy settings.
WPA - PSK - Select to configure dynamic keys (WEP) privacy settings.
Select the checkbox to enable WPA v.1 encryption, and then select an encryption method:
• Auto - If you click Auto, the Wireless AP advertises both TKIP and CCMP (counter mode with cipher block chaining message authentication code protocol). CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). Auto is the default.
• AES only - If you click AES, the Wireless AP advertises CCMP as an available encryption protocol. It will not advertise TKIP.
This field is available only when configuring WPA and WPA - PSK privacy settings.
WPA v.2 - Select the checkbox to enable WPA v.2 encryption, and then select an encryption method:
• Auto - If you click Auto, the Wireless AP advertises both TKIP and CCMP (counter mode with cipher block chaining message authentication code protocol). CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). Auto is the default.
• AES only - If you click AES, the Wireless AP advertises CCMP as an available encryption protocol. It will not advertise TKIP.
This field is available only when configuring WPA and WPA - PSK privacy settings.
Click one of the following key management options:
• None - The mobile unit (client device) performs a complete 802.1x authentication each time it associates or connects to a Wireless AP.
• Opportunistic Keying - Enables secure fast roaming (SFR) of mobile units. For more information, see Configuring WLAN Service Privacy on page 6-10.
• Pre-authentication - Enables seamless roaming. For more information, see Configuring WLAN Service Privacy on page 6-10.
• Opportunistic Keying & Pre-auth - For more information, see Configuring WLAN Service Privacy on page 6-10.
To enable re-keying after a time interval, select the Broadcast rekey interval box, then type the time interval after which the broadcast encryption key is changed automatically. The default is 3600 seconds. If this checkbox is not selected, the Broadcast encryption key is never changed and the Wireless AP will always use the same broadcast key for Broadcast/Multicast transmissions, which will reduce the level of security for wireless communications.
To enable the group key power save retry The group key power save retry is only supported for AP36XX Wireless APs.
In the Pre-Shared Key box, type the shared secret key to be used between the wireless device and Wireless AP. The shared secret key is used to generate the 256-bit key. To proofread your entry before saving the configuration, click Unmask to display the Pre-Shared Key. To mask the key, click Mask.
Save
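The Pre-Shared Key field above says the shared secret is used to generate the 256-bit key. The following added example (not from this guide or from Enterasys software) shows the standard IEEE 802.11i passphrase-to-key mapping, PBKDF2-HMAC-SHA1 salted with the SSID; that the controller uses exactly this mapping, the function names and the review thresholds are assumptions of the example.

```python
import hashlib
import string

PMK_LEN = 32        # bytes, i.e. the 256-bit key
ITERATIONS = 4096   # iteration count fixed by IEEE 802.11i for this mapping


def _is_raw_key(value):
    """64 hex digits are treated as the 256-bit key itself, not as a passphrase."""
    return len(value) == 64 and all(c in string.hexdigits for c in value)


def derive_pmk(passphrase, ssid):
    """Map a WPA/WPA2-PSK passphrase to the 256-bit key for one SSID."""
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    if _is_raw_key(passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    # The SSID is the only salt: every device that knows the passphrase and
    # the SSID derives the same key, and a different SSID gives a different key.
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, ITERATIONS, PMK_LEN
    )


def review_psk(passphrase, ssid, min_length=20):
    """Flag PSK choices that weaken the derived key.

    min_length is this example's own threshold, not a value from the guide.
    """
    findings = []
    if _is_raw_key(passphrase):
        return findings  # already a full-length key, nothing to derive
    if len(passphrase) < min_length:
        findings.append("passphrase shorter than %d characters" % min_length)
    if ssid.lower() in passphrase.lower():
        findings.append("passphrase contains the SSID")
    if passphrase.isdigit() or passphrase.isalpha():
        findings.append("passphrase uses a single character class")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the passphrase/SSID pair used as a published
    # IEEE 802.11i test vector.
    print(derive_pmk("password", "IEEE").hex())
    print(review_psk("password", "IEEE"))
```

Because the SSID is the only salt, changing the SSID of a WPA - PSK service changes the derived key even when the Pre-Shared Key stays the same.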
Siemens-AP-Serial
string
Table 6-4
Siemens-SSID
string
Siemens-BSS-MAC
string
Enterasys Wireless Controller accounting creates Call Data Records (CDRs). If RADIUS accounting is enabled, a RADIUS accounting server needs to be specified.
8. For NAS IP Address, accept the default of Use VNS IP address or de-select the checkbox and type the IP address of a Network Access Server (NAS).
MAC-based authentication - MAC-based authentication enables network access to be restricted to specific devices by MAC address. The Enterasys Wireless Controller queries a RADIUS server for a MAC address when a wireless client attempts to connect to the network.
MAC-based authentication can be set up on any type of WLAN Service. To set up a RADIUS server for MAC-based authentication, you must set up a user account with UserID=MAC and Password=MAC (or a password defined by the administrator) for each user. Specifying a MAC address format and policy depends on which RADIUS server is being used.
If MAC-based authentication is to be used in conjunction with the 802.1x or Captive Portal authentication, an additional account with a real UserID and Password must also be set up on the RADIUS server.
MAC-based authentication responses may indicate to the Enterasys Wireless Controller what VNS a user should be assigned to. Authentication (if enabled) can apply on every roam.
The Vendor Specific Attributes must be defined on the RADIUS server.
5. To save your changes, click Save.
The RADIUS test is a test of connectivity to the RADIUS server, not of full RADIUS functionality. The Enterasys Wireless Controller's RADIUS connectivity test initiates an Access-Request, to which the RADIUS server will respond. If a response is received (either Access-Reject or Access-Accept), then the test is deemed to have succeeded. If a response is not received, then the test is deemed to have failed. In either case, the test ends at this point.
If the WLAN Service Authentication mode is Internal or External Captive Portal, or if MAC-Based Authorization is selected, then this test can also test a user account configured on the RADIUS server. In these cases, if proper credentials are filled in for User ID and Password, an Access-Accept could be returned.
If the WLAN Service Authentication mode is 802.1x, however, an Access-Reject is expected if the RADIUS server is accessible, and the test is considered a success.
5. In the User ID box, type the user ID that you know can be authenticated.
6. In the Password box, type the corresponding password. A password is not required for a AAA VNS.
7. Click Test. The Test Result screen is displayed.
8. Click Close after reviewing the test results.
9. To save your changes, click Save.
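The pass/fail rule of the connectivity test described above, worked through as an added example (not the controller's own code): it builds an RFC 2865 Access-Request for a MAC-based account (User ID and Password both set to the MAC, as described under MAC-based authentication) and evaluates replies. The Response Authenticator check follows RFC 2865; that the controller performs it, and all names, addresses and secrets below, are assumptions or constructed sample values.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types


def _attr(attr_type, value):
    """Encode one attribute as type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 User-Password hiding: MD5 keystream chained over 16-byte blocks."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += prev
    return hidden


def build_access_request(identifier, user_id, password, secret, nas_ip, request_auth=None):
    """Build the Access-Request that starts the test."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, user_id.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """MD5 over the reply header, the Request Authenticator, attributes and secret."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def evaluate_test(request, response, secret, auth_mode="captive-portal"):
    """Return (verdict, detail); response is None when nothing arrived in time."""
    if response is None:
        return "failed", "no response received"
    if len(response) < 20:
        return "failed", "reply shorter than a RADIUS header"
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return "failed", "malformed reply or reply to a different request"
    expected = response_authenticator(code, identifier, response[20:], request[4:20], secret)
    if not hmac.compare_digest(response[4:20], expected):
        # RFC 2865 clients discard such replies, so this counts as no response.
        return "failed", "bad Response Authenticator (check the shared secret)"
    if code == ACCESS_ACCEPT:
        return "succeeded", "Access-Accept: server reachable, account accepted"
    if code == ACCESS_REJECT:
        note = ("expected in 802.1x mode" if auth_mode == "802.1x"
                else "account or password not accepted")
        return "succeeded", "Access-Reject: server reachable, " + note
    return "failed", "unexpected RADIUS code %d" % code


def constructed_reply(code, request, secret):
    """Stand-in for the server, used only to produce sample replies offline."""
    auth = response_authenticator(code, request[1], b"", request[4:20], secret)
    return struct.pack("!BBH", code, request[1], 20) + auth


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed sample value
    mac = "00:11:22:33:44:55"                  # constructed sample MAC
    req = build_access_request(7, mac, mac, secret, "192.0.2.10")
    for reply in (constructed_reply(ACCESS_ACCEPT, req, secret),
                  constructed_reply(ACCESS_REJECT, req, secret),
                  constructed_reply(ACCESS_REJECT, req, b"other-secret"),
                  None):
        print(evaluate_test(req, reply, secret))
```

A "succeeded" verdict on Access-Reject only shows that the server answered with the right shared secret; it says nothing about whether any account can authenticate.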
5. Click Close.
6. To save your changes, click Save.
Figure 6-3
Click Configure. The Captive Portal configuration page displays. The page display differs depending on the mode selected. See Figure 6-4 for Internal and Splash modes, Figure 6-5 for External and 802.1x modes, and Figure 6-6 for Guest Portal mode. Use the fields and buttons available on each page to configure Captive Portal.
Table 6-5 describes the internal captive portal configuration fields and buttons. Figure 6-6 describes the external captive portal configuration fields and buttons. Use these field and button descriptions to configure captive portal.
Figure 6-4
Captive Portal Page Configuration page for Internal and Guest Splash Modes
Figure 6-5
Figure 6-6
Table 6-5
Field/Button
Guest Portal - this section becomes available only when configuring a Guest Portal.
Manage Guest Users - Click to add and configure guest user accounts. The Manage Guest Users page displays. For information about adding and managing guest users, see Working with GuestPortal Administration on page 16-1.
Click to configure the guest portal ticket. The Configure ticket page displays. For information about guest portal ticket pages and how to activate them, see Working with GuestPortal Administration on page 16-1.
Account Lifetime - Type the account lifetime, in days, for the guest account. A value of 0 specifies no limit to the account lifetime.
Guest Admin Can Set Account Lifetime - Select to enable the guest administrator to set the amount of time for which this account will be active.
Maximum Session Lifetime - Type the maximum session lifetime, in hours, for the guest account. The default 0 value does not limit a session lifetime. The session lifetime is the allowed cumulative total in hours spent on the network during the account lifetime.
Type a prefix that will be added to all guest account user IDs. The default is Guest.
Type a minimum password length that will be applied to all guest accounts.
Field/Button Configure
Communication Options
Replace Gateway IP with FDQN - Type the appropriate name if a Fully Qualified Domain Name (FQDN) is used as the gateway address.
Send Successful Login To:
Manual Settings - Select this option if you want to manually define the elements on the Captive Portal page. When you select this option, you enable the Launch Captive Portal Editor button.
Select this option to upload a zip file that contains custom Captive Portal content. The zip file you upload must have a flat structure; it cannot contain any sub-directories. The contents of the zip must adhere to the following file formats:
• Content to be used in the captive portal login page must be in a file named login.htm
• Content to be used in the captive portal index page must be in a file named index.htm.
• The number of graphics and the size of the graphics is unlimited, and can be either .gif, .jpg, or .png.
Upload Zip File - Click the Browse button and navigate to the zip file to use for setting up the captive portal.
View Sample Login Page - Click to view the sample login page for this captive portal.
View Sample Index Page - Click to view the sample index page for this captive portal.
Download - Click to download the specified zip file. The File Download page displays.
Launch Captive Portal Editor - Click to launch the Captive Portal Editor. Using the Captive Portal Editor (Figure 6-8), you can configure the elements on the captive portal page. This button becomes available when you select the Manual Setting radio button.
Close - Click to save your changes and close this page.
Cancel - Click to discard your configuration changes and close this page.
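A pre-upload check for the custom content zip described in the table above, as an added example that is not part of the guide or the controller software. It enforces the stated layout (flat structure, login.htm, index.htm, graphics as .gif, .jpg or .png); reporting any other file type as a finding is this example's assumption, since the guide names only those files.

```python
import io
import posixpath
import zipfile

REQUIRED_PAGES = {"login.htm", "index.htm"}
GRAPHIC_EXTENSIONS = {".gif", ".jpg", ".png"}


def check_portal_zip(data):
    """Return a list of problems; an empty list means the archive matches the layout."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]

    problems = []
    top_level = []
    for info in archive.infolist():
        name = info.filename
        # Directory entries and any path separator break the flat structure
        # the guide requires (this also rejects ../ style member names).
        if info.is_dir() or "/" in name or "\\" in name:
            problems.append("not flat: %r" % name)
            continue
        top_level.append(name)
        extension = posixpath.splitext(name)[1].lower()
        if name not in REQUIRED_PAGES and extension not in GRAPHIC_EXTENSIONS:
            # Assumption of this example: anything the guide does not name is reported.
            problems.append("file type not named in the guide: %r" % name)

    for page in sorted(REQUIRED_PAGES - set(top_level)):
        problems.append("missing %s" % page)
    if len(top_level) != len({n.lower() for n in top_level}):
        problems.append("duplicate file names (ignoring case)")
    return problems


def build_zip(members):
    """Build an in-memory zip from {name: bytes}; used for the constructed samples."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buffer.getvalue()


if __name__ == "__main__":
    good = build_zip({"login.htm": b"<html></html>",
                      "index.htm": b"<html></html>",
                      "logo.png": b"constructed"})
    bad = build_zip({"login.htm": b"<html></html>",
                     "images/logo.png": b"constructed",
                     "helper.js": b"// constructed"})
    print(check_portal_zip(good))
    print(check_portal_zip(bad))
```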
Table 6-6
In the drop-down list, click the IP address of the external Web server, and then enter the port of the Enterasys Wireless Controller. If there is an authentication server configured for this VNS, the external Captive Portal page on the external authentication server will send the request back to the Enterasys Wireless Controller to allow the Enterasys Wireless Controller to continue with the RADIUS authentication and filtering.
Select Enable https support if you want to enable HTTPS support (TLS/SSL) for this external captive portal.
Select the data encryption to use. Options are: None, Legacy, AES.
Shared Secret - Type the password common to both the Enterasys Wireless Controller and the external Web server if you want to encrypt the information passed between the Enterasys Wireless Controller and the external Web server.
Redirection URL - Type the URL to which the wireless device user will be directed to after authentication.
Add HWC IP & Port to redirection URL - Select the checkbox to enable redirection.
Special ToS override for NAC - Allows for ToS marking results in redirection to a captive portal via a NAC server.
Close - Click to save your changes and close this page.
Cancel - Click to discard the configuration
Note: You must add a filtering rule to the non-authenticated filter that allows access to the external Captive Portal site. For more information, see Filtering Rules on page 5-3.
Figure 6-7
Table 6-7
RADIUS shared secret security key fail - Enter an error message indicating that RADIUS shared secret failed.
RADIUS internal error - Enter an error message indicating an internal RADIUS client error
Max RADIUS login fail - Enter a message that indicates that the maximum number of simultaneous captive portal logins have been reached.
Invalid Login parameters - Enter a message indicating that the user entered an invalid username or password combination.
General failure - Enter a message indicating that a general failure has occurred.
Invalid third party parameters - Enter an error message indicating that one or more parameters passed from the external captive portal server to the controller is either invalid or missing.
Enter a message indicating that the user credentials were not authenticated.
Figure 6-8
Table 6-8
Click to view and configure the elements that will display on the Captive Portal Index page. Using the Captive Portal Editor widget management tools in the right-hand pane on this page you can:
• configure the background colors and forms
• add graphics
• add a Logoff button. The Logoff button launches a pop-up logoff page, allowing users to control their logoff.
• add a Status Check button. The Status check button launches a pop-up window, which allows users to monitor session statistics such as system usage and time left in a session.
• add an external cascading style sheet (.CSS)
Design Management
Cached - Select to cache most of the widgets from the design to reduce the amount of time it takes a captive portal page to load.
Preview - Select to view the way the configured widgets will display to a user.
Close - Select to close this page without saving the configuration.
Save - Select to save the configuration changes.
Save&Close - Select to save the configuration changes and close this window.
Data Management
Import - Select and click Browse to navigate to the directory and filename of the configuration that you want to import. Click OK to import the configuration.
Export - Select to save this configuration and enter the name of the file you want to save it in. Click the Browse button to navigate to a directory where you want to store the configuration file. Click OK to save the configuration.
Use the fields in this section to configure the widgets.
Click to locate and upload a graphic. The graphic becomes available in the Show Images section of the Property Editor.
Click to configure the background color of the page
Click to identify a cascading style sheet (.CSS) that will determine the page format.
Click to configure the following VSA attributes:
• AP Serial
• AP Name
• VNS Name
• SSID
• MAC Address
The selections influence what URL is returned in either section. For example, wireless users can be identified by which Wireless AP or which VNS they are associated with, and can be presented with a Captive Portal Web page that is customized for those identifiers.
Text
VSA
External HTML
Text (Scrollable)
Caution: In order for Captive Portal authentication to be successful, all the URLs referenced in the Captive Portal setup must also be specifically identified and allowed in the non-authenticated filter. For more information, see Filtering Rules on page 5-3.
Caution: If you use logos or graphics, ensure that the graphics or logos are appropriately sized. Large graphics or logos may force the login section out of view.
WMM and 802.11e are similar, but they use different signaling (same as WPA and WPA2).
Step two - Enable Turbo Voice:
• Ensures traffic is optimized for voice performance and capacity
• Can be enabled or disabled on individual WLAN Services
• If Turbo Voice is enabled, together with QoS modes Legacy, WMM, or 802.11e, DL voice traffic is sent via Turbo Voice queue instead of voice queue. A separate turbo voice queue allows for some VNSs to use the Turbo Voice parameters for voice traffic, while other VNSs use the voice parameters for voice traffic.
• If WMM mode is also enabled, WMM clients use Turbo Voice-like contention parameters for UL voice traffic.
• If 802.11e mode is also enabled, 802.11e clients use Turbo Voice-like contention parameters for UL voice traffic.
Note: The Wireless 802.11n AP does not support the Turbo Voice option.
DSCP Code-Points
SC/UP   2/0   0/1   1/2   3/3   4/4   5/5   6/6   7/7
DSCP    AF11  AF12  AF13  AF21  AF22  AF23  AF31  AF32
SC/UP   2/0   2/0   2/0   3/3   3/3   3/3   4/4   4/4
DSCP    AF33  AF41  AF42  AF43  EF    Others
SC/UP   4/4   5/5   5/5   5/5   6/6   0/1
Table 6-10
Service classes
Service class name (number)    Priority level
Network Control (7)            7 (highest priority)
Premium (Voice) (6)            6
Platinum (video) (5)           5
Gold (4)                       4
Silver (3)                     3
Bronze (2)                     2
Best Effort (1)                1
Background (0)                 0 (lowest priority)
QoS Modes
You can enable the following QoS modes for a WLAN Service:
• Legacy - If enabled, the AP will classify and prioritize the downlink traffic for all clients according to the same rules.
• WMM - If enabled, the AP will accept WMM client associations, and will classify and prioritize the downlink traffic for all WMM clients. WMM clients will also classify and prioritize the uplink traffic.
• 802.11e - If enabled, the AP will accept WMM client associations, and will classify and prioritize the downlink traffic for all 802.11e clients. The 802.11e clients will also classify and prioritize the uplink traffic.
• Turbo Voice - If any of the above QoS modes are enabled, the Turbo Voice mode is available. If enabled, all the downlink traffic that is classified to the Voice (VO) AC and belongs to that VNS is transmitted by the AP via a queue called Turbo Voice (TVO) instead of the normal Voice (VO) queue. The TVO queue is tailored in terms of contention parameters and number of retries to maximize voice quality and voice capacity.
To WMM client From WMM client To 802.11e client From 802.11e client
x x
x x x x x
x x
x x x x
x x
x x
WMM clients have the same 4 AC queues. WMM clients will classify the traffic and use these queues when they are associated with a WMM-enabled AP. WMM clients will behave like non-WMM clients (map all traffic to the Best Effort (BE) queue) when not associated with WMM-enabled AP.
The prioritization of the traffic on the downstream (for example, from wired to wireless) and on the upstream (for example, from wireless to wired) is dictated by the configuration of the WLAN Service and the QoS tagging within the packets, as set by the wireless devices and the host devices on the wired network.
Both Layer 3 tagging (DSCP) and Layer 2 (802.1d) tagging are supported, and the mapping is conformant with the WMM specification. If both L2 and L3 priority tags are available, then both are taken into account and the chosen AC is the highest resulting from L2. If only one of the priority tags is present, it is used to select the queue. If none is present, the default queue AC_BE is chosen.
Note: If the wireless packets to be transmitted must include the L2 priority (send to a WMM client from a WMM-enabled AP), the outbound L2 priority is copied from the inbound L2 priority if available, or it is inferred from the L3 priority using the above table if the L2 inbound priority is missing.
Table 6-14 Traffic Prioritization
VNS type: Tunneled, Branch, Branch
Packet Source    Packet type    L2     L3
Wired            Untagged       No     Yes
Wired            VLAN tagged    Yes    Yes
Wired            Untagged       No     Yes
Wireless         WMM            Yes    Yes
Wireless         non-WMM        No     Yes
4. From the Wireless QoS list, do the following:
• Legacy - Select if your service will support legacy devices.
• WMM - Select to enable the AP to accept WMM client associations, and classify and prioritize the downlink traffic for all WMM clients. Note that WMM clients will also classify and prioritize the uplink traffic. WMM is part of the 802.11e standard for QoS. If selected, the Turbo Voice and Enable U-APSD options are displayed.
• 802.11e - Select to enable the AP to accept WMM client associations, and classify and prioritize the downlink traffic for all 802.11e clients. The 802.11e clients will also classify and prioritize the uplink traffic. If selected, the Turbo Voice and the Enable U-APSD options are displayed:
• Turbo Voice - Select to enable all downlink traffic that is classified to the Voice (VO) AC and belongs to that VNS to be transmitted by the AP via a queue called Turbo Voice (TVO) instead of the normal Voice (VO) queue. When Turbo Voice is enabled together with WMM or 802.11e, the WMM and/or 802.11e clients in that VNS are instructed by the AP to transmit all traffic classified to VO AC with special contention parameters tailored to maximize voice performance and capacity.
• Enable U-APSD - Select to enable the Unscheduled Automatic Power Save Delivery (U-APSD) feature. This feature can be used by mobile devices to efficiently sustain one or more real-time streams while being in power-save mode. This feature works in conjunction with WMM and/or 802.11e, and it is automatically disabled if both WMM and 802.11e are disabled.
5. To configure advanced QoS policy settings, click Advanced. The Advanced dialog is displayed.
6. To force a service class and DSCP marking, select the Priority Override checkbox. For the Service Class selection, you can click one of the eight service classes.
• Service class - From the drop-down list, click the appropriate priority level:
  Network control (7) - The highest priority level.
  Premium (Voice) (6)
  Platinum (5)
  Gold (4)
  Silver (3)
  Bronze (2)
  Best Effort (1)
  Background (0) - The lowest priority level
• DSCP marking - From the drop-down list, click the DSCP value used to tag the IP header of the encapsulated packets.
When Priority Override is enabled, the configured service class forces queue selection in the downlink direction, the 802.1P user priority for the VLAN tagged Ethernet packets and the user priority for the wireless QoS packets (WMM or 802.11e), according to the mapping between service class and user priority. If Priority Override is enabled and the VNS is not locally bridged, the configured DSCP value is used to tag the IP header of the encapsulated packets. The AP does not override the DSCP in the IP header of the user packet.
7. If you want to assign a service class to each DSCP marking, clear the Priority Override checkbox and define the DSCP service class priorities in the DSCP classification table.
8. The Advanced Wireless QoS options are only displayed if the WMM or 802.11e checkboxes are selected:
• Use Global Admission Control for Voice (VO) - Select to enable admission control for Voice. With admission control, clients are forced to request admission to use the high priority access categories in both downlink and uplink direction. Admission control protects admitted traffic against new bandwidth demands.
• Use Global Admission Control for Video (VI) - This feature is only available if admission control is enabled for Voice. Select to enable admission control for Video. With admission control, clients are forced to request admission to use the high priority access categories in both downlink and uplink direction. Admission control protects admitted traffic against new bandwidth demands.
• DL Policer Action - If Use Global Admission Control for Voice (VO) or Use Global Admission Control for Video (VI) is enabled, click the action you want the Wireless AP to take when TSPEC violations occurring on the downlink direction are discovered:
  Do nothing - Click to allow TSPEC violations to continue when they are discovered. Data transmissions will continue and no action is taken against the violating transmissions.
  Downgrade - Click to force the transmission's data packets to be downgraded to the next priority when a TSPEC violation is discovered.
  Drop - Click to force the transmission's data packets to be dropped when a TSPEC violation is discovered.
9. Close the Advanced window.
11. To save your changes, click Save.
7
Configuring a VNS
This chapter describes VNS (Virtual Network Services) configuration, including:
For information about...               Refer to page...
High Level VNS Configuration Flow      7-1
VNS Global Settings                    7-3
Methods for Configuring a VNS          7-14
Manually Creating a VNS                7-15
Creating a VNS Using the Wizard        7-16
Enabling and Disabling a VNS           7-42
Renaming a VNS                         7-43
Deleting a VNS                         7-43
Controller Defaults
The default shipping Enterasys Wireless Controller configuration does not include any pre-configured WLAN Services, VNSs, or Policies.
The Enterasys Wireless Controller system does ship with Topology entities representing each of its physical interfaces, plus an admin interface.
There are, however, global default settings corresponding to:
• A Default Topology named Bridged @ AP Untagged
• An Unlimited Rate Control Profile
• A Filter Definition of Deny all
These entities are simply placeholders for Policy completion, in case policies are incompletely defined. For example, a Policy may be defined as no-change for Topology assignment.
The Global Default Policy is user-configurable. Changes to the Global Default Policy immediately affect all shadow policies created from it, just as if the administrator had made a comparable change directly to the incomplete policy.
• Sync Summary - The Sync Summary screen provides an overview of the synchronization status of paired controllers. The screen is divided into 4 sections: Virtual Networks, WLAN services, Policies and Topologies. Each section lists the name of the corresponding configuration object, its synchronization mode, and the status of last synchronization attempt. For more information, see Using the Sync Summary on page 7-13.
4. To define a new RADIUS server available on the network, click the New button. The RADIUS Settings pop-up window displays.
5. In the Server Alias box, type a name that you want to assign to the RADIUS server.
Note: You can also type the RADIUS server's IP address in the Server Alias box in place of a nickname. The RADIUS server will identify itself by the value typed in the Server Alias box in the RADIUS Servers drop-down list on the RADIUS Authentication tab of the Login Management screen (Main Menu > Wireless Controller Configuration > Login Management). For more information, see Configuring the Login Authentication Mode on page 3-30.
6. In the Hostname/IP box, type either the RADIUS server's FQDN (fully qualified domain name) or IP address.
Note: If you type the host name in the Hostname/IP address box, the Enterasys Wireless Controller will send a host name query to the DNS server for host name resolution. The DNS servers must be appropriately configured for resolving the RADIUS servers' host names. For more information, see Configuring DNS Servers for Resolving Host Names of NTP and RADIUS Servers on page 3-44.
d. Port - default Authentication port is 1812. Default Accounting port is 1813.
e. For Accounting operations, the Interim Accounting Interval default is 30 minutes.
10. To save your changes, click Save. The new server is displayed in the RADIUS Servers list.
Configuring the Global MAC Address Format for Use with the RADIUS Servers
To Configure the Global MAC Address Format for Use with the RADIUS Servers:
1. From the main menu, click Virtual Network Configuration. The Virtual Network Configuration screen is displayed.
2. In the left pane, click Global, then Authentication.
3. In the MAC Address area, select the MAC Address Format from the drop-down list.
4. Click Save to save your changes.
To save your changes, click Save.
3. In the Admission Control Thresholds area, define the thresholds for the following:
• Max Voice (VO) BW for roaming streams - The maximum allowed overall bandwidth on the new AP when a client with an active voice stream roams to a new AP and requests admission for the voice stream.
• Max Voice (VO) BW for new streams - The maximum allowed overall bandwidth on an AP when an already associated client requests admission for a new voice stream.
• Max Video (VI) BW for roaming streams - The maximum allowed overall bandwidth on the new AP when a client with an active video stream roams to a new AP and requests admission for the video stream.
• Max Video (VI) BW for new streams - The maximum allowed overall bandwidth on an AP when an already associated client requests admission for a new video stream.
3. In the Flexible Client Access area, select a policy from the Fairness Policy drop-down list. Choices range from 100% packet fairness to 100% airtime fairness.
Note: TSPEC must be disabled when using Flexible Client Access.
4. To save your changes, click Save.
4. Edit or create the rate control profile as described in Configuring Filter Rules on page 5-7.
Configure the Status parameters for the VNS:
• Synchronize - Enable automatic synchronization with its availability peer. Refer to Using the Sync Summary on page 7-13 for information about viewing synchronization status. If this VNS is part of an availability pair, Siemens recommends that you enable this feature.
• Restrict Policy Set - This feature provides backward compatibility for legacy VNSs that were upgraded from software releases prior to V7.0. When it is enabled, the controller respects the prior hierarchical view of parent/child VNSs and maps external references to properly named (that is, hierarchically named) Policies.
• Enabled - Check to enable the VNS.
7. Click Save to save your changes.
The VNS type dictates the configuration information that is required during the VNS creation process.
• RADIUS server - IP address of the Enterasys NAC Controller.
• Redirection URL - The URL that points to the NAC Controller's web server.
The VNS wizard creates a Bridge Traffic Locally at HWC VNS. This VNS has the crucial attributes (SSID Network Assignment Type, MAC-based external captive portal authentication and WPA-PSK encryption) that make it compatible with the Enterasys NAC Controller. The remaining VNS parameters are defined automatically according to best practice standards.
To configure a NAC VNS using the VNS wizard:
1. From the main menu, click Virtual Network Configuration. The Virtual Network Configuration screen is displayed.
2. In the left pane, expand the New pane, then click START VNS WIZARD. The VNS Creation Wizard screen is displayed.
3. In the Name box, type a name for the NAC SSID-based VNS.
4. In the Category drop-down list, click NAC VNS, and then click Next. The NAC-compatible SSID-based VNS screen is displayed.
5. Do the following:
• In the IP address box, type the IP address of the Enterasys Wireless Controller's interface on the VLAN.
• In the Mask box, type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
• In the VLAN ID box, type the VLAN tag to which the Enterasys Wireless Controller will be bridged for the VNS.
• In the Interface drop-down list, select the physical port that provides the access to the VLAN.
• In the NAS drop-down list, click the interface/port through which the NAC gateway will communicate with the Enterasys Wireless Controller. The IP address in this field will be used as the NAS IP RADIUS attribute when communicating with the NAC gateway.
• In the NAC server drop-down list, click the existing NAC server you want to use for the VNS, or select the Add new server option, and then do the following:
  (1) In the Server Alias box, type the name or IP address of the NAC server.
  (2) In the Hostname/IP box, type the NAC server's FQDN (fully qualified domain name) or IP address.
  (3) In the Shared Secret box, type the password that will be used to validate the connection between the Enterasys Wireless Controller and the NAC server.
  (4) To proofread your shared secret key, click Unmask. The password is displayed.
After the new NAC server is added, it will be displayed in the Use existing server drop-down list the next time you use the VNS wizard.
Note: You should always proofread your Shared Secret key to avoid any problems later when the Enterasys Wireless Controller attempts to communicate with the NAC Controller.
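What a mistyped shared secret looks like at the protocol level, as an added example that is not Enterasys code: it follows RFC 2865 (User-Password hiding, NAS-IP-Address attribute, Response Authenticator) rather than anything specific to the controller. The secrets, the 192.0.2.10 address, the user name and the password are constructed sample values.

```python
"""RADIUS shared-secret check per RFC 2865 (added illustration, not vendor code)."""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type (1 byte), Length (1 byte), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865, 5.2): XOR with an MD5 chain keyed by the secret."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def build_access_request(ident, secret, nas_ip, user, password, request_auth=None):
    """NAS side: Access-Request with User-Name, User-Password and NAS-IP-Address."""
    request_auth = request_auth or os.urandom(16)
    attrs = (
        attr(ATTR_USER_NAME, user.encode())
        + attr(ATTR_USER_PASSWORD,
               hide_password(password.encode(), secret, request_auth))
        + attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code, ident, secret, request_auth, attrs=b""):
    """Server side: authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def response_is_valid(packet, ident, secret, request_auth) -> bool:
    """NAS side: recompute the Response Authenticator with the local secret."""
    if len(packet) < 20:
        return False
    _code, resp_id, length = struct.unpack("!BBH", packet[:4])
    if resp_id != ident or not 20 <= length <= len(packet):
        return False
    packet = packet[:length]  # bytes past Length are padding and are ignored
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def exchange(nas_secret: bytes, server_secret: bytes) -> bool:
    """One request/reply round; True if the NAS would accept the server's reply.

    With mismatched secrets a real server would normally answer Access-Reject,
    because the password unhides to garbage. The reply code does not matter
    here: the authenticator check on the NAS fails either way.
    """
    ident = 42
    _request, request_auth = build_access_request(
        ident, nas_secret, "192.0.2.10", "alice", "constructed-password")
    reply = build_response(ACCESS_ACCEPT, ident, server_secret, request_auth)
    return response_is_valid(reply, ident, nas_secret, request_auth)


def demo():
    """Constructed secrets: the second NAS entry has two letters swapped."""
    server_secret = b"Example-Shared-Secret"
    return (exchange(b"Example-Shared-Secret", server_secret),
            exchange(b"Example-Shared-Secert", server_secret))


if __name__ == "__main__":
    matching, mistyped = demo()
    print("reply accepted with matching secret:", matching)
    print("reply accepted with mistyped secret:", mistyped)
```

A NAS that discards replies this way usually surfaces the problem as timeouts or failed authentications rather than as an explicit "wrong secret" error, which is why checking the field at entry time saves troubleshooting later.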
4. In the Name box, type a name for the voice VNS.
5. In the Category drop-down list, click Voice, and then click Next. The Basic Settings screen is displayed.
6. Configure the VNS basic settings. The VNS type and mode you configure on the Basic Settings screen will dictate the VNS information you will need to provide.
   - Enabled - By default, the Enabled checkbox for the new VNS is enabled. A VNS must be enabled for it to be able to provide service for mobile user traffic.
   - Type - Click the wireless phone you want to support for the new voice VNS you are creating.
   - Mode - Click the VNS mode you want to assign:
     - Routed is a VNS type where user traffic is tunneled to the Enterasys Wireless Controller.
     - Bridge Traffic Locally at HWC is a VNS type that has associated with it a Topology with a mode of Bridge Traffic Locally at HWC. User traffic is tunneled to the Enterasys Wireless Controller and is directly bridged at the controller to a specific VLAN. With this VNS type, mobile users become a natural extension of a VLAN subnet. For each Bridge Traffic Locally at HWC VNS that is created, a VLAN needs to be specified. In addition, the network port on which the VLAN is assigned must be configured on the switch, and the corresponding Enterasys Wireless Controller interface must match the correct VLAN.

   If you configure a routed voice VNS, do the following:
   (1) Gateway - Type the Enterasys Wireless Controller's own IP address of the topology associated with that VNS. This IP address is also the default gateway for the VNS. The Enterasys Wireless Controller advertises this address to the wireless devices when they sign on. For routed VNSs, it corresponds to the IP address that is communicated to mobile users (in the VNS) as the default gateway for the VNS subnet. (Mobile users target the Enterasys Wireless Controller's interface in their effort to route packets to an external host).
   (2) Mask - Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
   (3) Gateway/SVP - If the voice VNS is to support Spectralink wireless phones, type the IP address of the SpectraLink Voice Protocol (SVP) gateway.
   (4) Vocera Server - If the voice VNS is to support Vocera wireless phones, type the IP address of the Vocera server.
   (5) PBX - If the voice VNS is to support either WL2 or Mobile Connect Nokia wireless phones, type the PBX IP address.
   (6) Enable Authentication - If applicable, select this checkbox to enable authentication for the new voice VNS.
   (7) Enable DHCP - By default, this option is selected.

   If you configure a bridge traffic locally at the HWC voice VNS, do the following:
   (1) Interface - Click the physical interface that provides the access to the VLAN.
   (2) Interface IP address - Type the IP address of the Enterasys Wireless Controller's interface on the VLAN.
   (3) Mask - Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
   (4) VLAN ID - Type the VLAN tag to which the Enterasys Wireless Controller will be bridged for the VNS.
   (5) Gateway/SVP - If the voice VNS is to support Spectralink wireless phones, type the IP address of the SpectraLink Voice Protocol (SVP) gateway.
   (6) Vocera Server - If the voice VNS is to support Vocera wireless phones, type the IP address of the Vocera server.
   (7) PBX Server - If the voice VNS is to support either WL2 or Mobile Connect Nokia wireless phones, type the PBX IP address.
   (8) Enable Authentication - If applicable, select this checkbox to enable authentication for the new voice VNS.
   (9) Enable DHCP - If applicable, select this checkbox to enable DHCP authentication for the new voice VNS.
7. Click Next.
   If the Enable Authentication checkbox is selected, you now must configure the Authentication properties of the new voice VNS. Continue with Step 8.
   If the Enable Authentication checkbox is clear, you must now configure the DHCP properties of the new voice VNS. Continue with Step 10.
8. On the Authentication screen, do the following:
   - Radius Server - Click the RADIUS server you want to assign to the new voice VNS, or click Add New Server and then do the following:
     - Server Alias - Type a name you want to assign to the new RADIUS server.
     - Hostname/IP - Type either the RADIUS server's FQDN (fully qualified domain name) or IP address.
     - Shared Secret - Type the password that will be used to validate the connection between the Enterasys Wireless Controller and the RADIUS server.
     - Mask/Unmask - Click to display or hide your shared secret key.
9. Click Next. The DHCP screen is displayed.
10. On the DHCP screen, in the DHCP Option drop-down list, click one of the following:
   - Use DHCP Relay - Using DHCP relay forces the Enterasys Wireless Controller to forward DHCP requests to an external DHCP server on the enterprise network. DHCP relay bypasses the local DHCP server for the Enterasys Wireless Controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure.
     - DHCP Servers - Type the IP address of the DHCP server to which DHCP discover and request messages will be forwarded for clients on this VNS. The Enterasys Wireless Controller does not handle DHCP requests from users, but instead forwards the requests to the indicated DHCP server.
       The DHCP server must be configured to match the VNS settings. In particular for a Routed VNS, the DHCP server must identify the Enterasys Wireless Controller's interface IP as the default Gateway (router) for the subnet. (Users intending to reach
11. In the DNS Servers box, type the IP Address of the Domain Name Servers to be used.
12. In the WINS box, type the IP address if the DHCP server uses Windows Internet Naming Service (WINS).
13. Click Next. The Privacy screen is displayed. Most options on this screen are view-only.
14. On the Privacy screen, do the following:
   - Pre-shared key - Type the shared secret key to be used between the wireless device and Wireless AP. The shared secret key is used to generate the 256-bit key.
   - Mask/Unmask - Click to display or hide your shared secret key.
15. Click Next. The Radio Assignment screen is displayed.
16. On the Radio Assignment screen, do the following:
   - In the AP Default Settings section, select the radios of the AP default settings profile that you want to broadcast the voice VNS.
   - In the AP Selection section, select the group of APs that will broadcast the voice VNS:
     - all radios - Click to assign all of the APs' radios.
     - radio 1 - Click to assign only the APs' Radio 1.
     - radio 2 - Click to assign only the APs' Radio 2.
     - local APs - all radios - Click to assign only the local APs.
     - local APs - radio 1 - Click to assign only the local APs' Radio 1.
     - local APs - radio 2 - Click to assign only the local APs' Radio 2.
     - foreign APs - all radios - Click to assign only the foreign APs.
     - foreign APs - radio 1 - Click to assign only the foreign APs' Radio 1.
     - foreign APs - radio 2 - Click to assign only the foreign APs' Radio 2.
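The Privacy screen step above says the pre-shared key is used to generate the 256-bit key. The following added example (not Enterasys code) shows the standard IEEE 802.11i passphrase mapping that WPA-PSK devices use for this, plus a small pre-deployment review of a candidate passphrase. The 64-hex-digit raw key form, the `min_len` policy value and the sample SSIDs and passphrases are assumptions made for illustration.

```python
"""WPA/WPA2-PSK passphrase-to-key mapping from IEEE 802.11i (added illustration)."""
import hashlib
import string

_HEX = set(string.hexdigits)


def wpa_psk(pre_shared_key: str, ssid: str) -> bytes:
    """Return the 256-bit PSK for a pre-shared key entry and an SSID.

    8..63 printable ASCII characters are treated as a passphrase and stretched
    with PBKDF2-HMAC-SHA1 (SSID as salt, 4096 iterations, 32-byte output).
    Exactly 64 hex digits are treated as the raw key (common WPA convention;
    whether a given controller accepts this form is an assumption).
    """
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    if len(pre_shared_key) == 64 and set(pre_shared_key) <= _HEX:
        return bytes.fromhex(pre_shared_key)
    if not 8 <= len(pre_shared_key) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in pre_shared_key):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", pre_shared_key.encode("ascii"), ssid_bytes, 4096, 32)


def review_passphrase(passphrase: str, ssid: str, min_len: int = 20) -> list:
    """Checks to run before typing a passphrase into the Pre-shared key box.

    The SSID is the only salt in the derivation and it is broadcast, so the
    passphrase carries all of the secrecy. min_len is an illustrative policy
    value, not a figure from the user guide.
    """
    findings = []
    if len(passphrase) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if ssid and ssid.lower() in passphrase.lower():
        findings.append("contains the SSID")
    class_tests = (str.islower, str.isupper, str.isdigit,
                   lambda c: not c.isalnum())
    classes = sum(any(test(c) for c in passphrase) for test in class_tests)
    if classes < 2:
        findings.append("uses a single character class")
    if len(set(passphrase)) < 6:
        findings.append("few distinct characters")
    return findings


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    # Same passphrase on another SSID yields an unrelated key.
    print(wpa_psk("password", "VoiceNet").hex())
    # Constructed candidate passphrases for a voice VNS.
    for candidate in ("password", "VoiceNet-2011-handsets!"):
        print(candidate, "->", review_passphrase(candidate, "VoiceNet") or "ok")
```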
To configure a data VNS using the VNS wizard:

1. From the main menu, click Virtual Network Configuration. The Virtual Network Configuration screen is displayed.
2. In the left pane, expand the New pane, then click START VNS WIZARD. The VNS Creation Wizard screen is displayed.
3. Click Start VNS Wizard. The VNS Creation Wizard screen is displayed.
4. In the Name box, type a name for the data VNS.
5. In the Category drop-down list, click Data, and then click Next. The Basic Settings screen is displayed.
6. Configure the data VNS basic settings. The VNS type and mode you configure on the Basic Settings screen will dictate the VNS information you will need to provide.
   - Enabled - By default, the Enabled checkbox for the new VNS is enabled. A VNS must be enabled for it to be able to provide service for mobile user traffic.
   - Type - Click the type of network assignment for the VNS. There are two options for network assignment, Disabled or 802.1x.
   - Mode - Click the VNS mode you want to assign:
     - Routed is a VNS type where user traffic is tunneled to the Enterasys Wireless Controller.
     - Bridge Traffic Locally at HWC is a VNS type where user traffic is tunneled to the Enterasys Wireless Controller and is directly bridged at the controller to a specific VLAN. With this VNS type, mobile users become a natural extension of a VLAN subnet. For each Bridge Traffic Locally at HWC VNS that is created, a VLAN needs to be specified. In addition, the network port on which the VLAN is assigned must be configured on the switch, and the corresponding Enterasys Wireless Controller interface must match the correct VLAN.
     - Bridge Traffic Locally at AP is a VNS type where user traffic is directly bridged to a VLAN at the AP network point of access (switch port).
   they sign on. For routed VNSs, it corresponds to the IP address that is communicated to mobile users (in the VNS) as the default gateway for the VNS subnet. (Mobile users target the Enterasys Wireless Controller's interface in their effort to route packets to an external host).
   (2) Mask - Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
   (3) Enable Authentication - This option is enabled by default if the Type is 802.1x.
   (4) Enable DHCP - By default, this option is enabled for a routed data VNS.

   If you are configuring a bridge traffic locally at AP data VNS, do the following:
   (1) Tagged - Select if you want to assign this VNS to a specific VLAN.
   (2) VLAN ID - Type the VLAN tag to which the Enterasys Wireless Controller will be bridged for the data VNS.
   (3) Untagged - Select if you want this VNS to be untagged. This option is selected by default.
   (4) Enable Authentication - If applicable, select this checkbox to enable authentication for the new data VNS. This option is enabled by default if the Type is 802.1x.

   If you are configuring a bridge traffic locally at HWC data VNS, do the following:
   (1) Interface - Click the physical port that provides the access to the VLAN.
   (2) Interface IP address - Type the IP address of the Enterasys Wireless Controller's interface on the VLAN.
   (3) Mask - Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
   (4) VLAN ID - Type the VLAN tag to which the Enterasys Wireless Controller will be bridged for the VNS.
   (5) Enable Authentication - If applicable, select this checkbox to enable authentication for the new data VNS. This option is enabled by default if the Type is 802.1x.
   (6) Enable DHCP - If applicable, select this checkbox to enable DHCP authentication for the new data VNS.
7. Click Next. The Authentication screen is displayed.
8. On the Authentication screen, do the following:
   - Radius Server - Click the RADIUS server you want to assign to the new data VNS, or click Add New Server and then do the following:
     - Server Alias - Type a name you want to assign to the new RADIUS server.
     - Hostname/IP - Type either the RADIUS server's FQDN (fully qualified domain name) or IP address.
     - Shared Secret - Type the password that will be used to validate the connection between the Enterasys Wireless Controller and the RADIUS server.
     - Mask/Unmask - Click to display or hide your shared secret key.
9. Click Next. The DHCP screen is displayed, if DHCP was enabled previously.
10. In the DHCP Option drop-down list, click one of the following:
   - Use DHCP Relay - Using DHCP relay forces the Enterasys Wireless Controller to forward DHCP requests to an external DHCP server on the enterprise network. DHCP relay bypasses the local DHCP server for the Enterasys Wireless Controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure.
     - DHCP Servers - If Use DHCP Relay was selected, type the IP address of the DHCP server to which DHCP discover and request messages will be forwarded for clients on this VNS. The Enterasys Wireless Controller does not handle DHCP requests from users, but instead forwards the requests to the indicated DHCP server.
       The DHCP server must be configured to match the VNS settings. In particular for a Routed VNS, the DHCP server must identify the Enterasys Wireless Controller's interface IP as the default Gateway (router) for the subnet. (Users intending to reach devices outside of the subnet will forward the packets to the default gateway (controller) for delivery upstream.)
   - Local DHCP Server - If applicable, edit the local DHCP server settings.
11. In the DNS Servers box, type the IP Address of the Domain Name Servers to be used.
12. In the WINS box, type the IP address if the DHCP server uses Windows Internet Naming Service (WINS).
13. Click Next. The Filtering screen is displayed.
14. On the Filtering screen, do the following:
   - In the Filter ID drop-down list, click one of the following:
     - Default - Controls access if there is no matching filter ID for a user.
     - Exception - Protects access to the Enterasys Wireless Controller's own interfaces, including the VNS's own interface. VNS exception filters are applied to user traffic intended for the Enterasys Wireless Controller's own interface point on the VNS. These filters are applied after the user's specific VNS state assigned filters.
   - WPA-PSK - Select to configure Wi-Fi Protected Access (WPA v1 and WPA v2), a security solution that adds authentication to enhanced WEP encryption and key management.
     - To enable WPA v1 encryption, select WPA v.1. In the Encryption drop-down list, select one of the following encryption types:
       - Auto - The Wireless AP will advertise both TKIP and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) for WPA v1. CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard).
       - TKIP only - The AP will advertise TKIP as an available encryption protocol for WPA v1. It will not advertise CCMP.
     - To enable WPA v2 encryption, select WPA v.2. In the Encryption drop-down list, click one of the following encryption types:
       - Auto - The AP advertises both TKIP and CCMP (counter mode with cipher block chaining message authentication code protocol). CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard).
       - AES only - The AP advertises CCMP as an available encryption protocol. It will not advertise TKIP.
     - To enable re-keying after a time interval, select Broadcast re-key interval, then type the time interval after which the broadcast encryption key is changed automatically. The default is 3600.
       If this checkbox is not selected, the Broadcast encryption key is never changed and the Wireless AP will always use the same broadcast key for Broadcast/Multicast transmissions. This will reduce the level of security for wireless communications.
     - To enable the group key power save retry, select Group Key Power Save Retry.
Note: The group key power save retry is only supported for AP36XX Wireless APs.
18. Click Next. The Radio Assignment screen is displayed.
19. On the Radio Assignment screen, do the following:
   - In the AP Default Settings section, select the radios of the AP default settings profile that you want to broadcast the data VNS.
   - In the AP Selection section, select the group of APs that will broadcast the data VNS:
     - all radios - Click to assign all of the APs' radios.
     - radio 1 - Click to assign only the APs' Radio 1.
     - radio 2 - Click to assign only the APs' Radio 2.
     - local APs - all radios - Click to assign only the local APs.
     - local APs - radio 1 - Click to assign only the local APs' Radio 1.
     - local APs - radio 2 - Click to assign only the local APs' Radio 2.
     - foreign APs - all radios - Click to assign only the foreign APs.
     - foreign APs - radio 1 - Click to assign only the foreign APs' Radio 1.
     - foreign APs - radio 2 - Click to assign only the foreign APs' Radio 2.
20. Click Next. The Summary screen is displayed.
21. Confirm your data VNS configuration. To revise your configuration, click Back.
22. To create your VNS, click Finish, and then click Close. The data VNS is created and saved.
23. If applicable, you can continue to configure or edit the new VNS by clicking the individual VNS configuration tabs.

If the Enterasys Wireless Controller is configured to be part of an availability pair, you can choose to synchronize the VNS on the secondary Enterasys Wireless Controller. See Chapter 10, Availability and Session Availability for more information.
   If configuring a routed internal Captive Portal VNS, do the following:
   (1) Gateway - Type the Enterasys Wireless Controller's own IP address in that VNS. This IP address is the default gateway for the VNS. The Enterasys Wireless Controller advertises this address to the wireless devices when they sign on. For routed VNSs, it corresponds to the IP address that is communicated to mobile users (in the VNS) as the default gateway for the VNS subnet. (Mobile users target the Enterasys Wireless Controller's interface in their effort to route packets to an external host).
   (2) Mask - Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
   (3) Message - Type a brief message.
   (4) Enable Authentication - By default, this option is selected if the VNS Type is Internal Captive Portal, which enables authentication for the new Captive Portal VNS.
   (5) Enable DHCP - By default, this option is selected if the VNS Type is Internal Captive Portal, which enables DHCP authentication for the new Captive Portal VNS.

   If configuring a bridge traffic locally at HWC internal Captive Portal VNS, do the following:
   (1) Interface - Click the physical port that provides the access to the VLAN.
   (2) Interface IP address - Type the IP address of the Enterasys Wireless Controller's interface on the VLAN.
   (3) Mask - Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
   (4) VLAN ID - Type the VLAN tag to which the Enterasys Wireless Controller will be bridged for the VNS.
   (5) Message - Type a brief message that will be displayed above the Login button that greets the mobile device user.
   (6) Enable Authentication - By default, this option is selected if the VNS Type is Internal Captive Portal, which enables authentication for the new Captive Portal VNS.
   (7) Enable DHCP - If applicable, select this checkbox to enable DHCP authentication for the new Captive Portal VNS.
6. Click Next. The Authentication screen is displayed.
7. On the Authentication screen, do the following:
   - Radius Server - Click the RADIUS server you want to assign to the new Captive Portal VNS, or click Add New Server and then do the following:
     - Server Alias - Type a name you want to assign to the new RADIUS server.
     - Hostname/IP - Type either the RADIUS server's FQDN (fully qualified domain name) or IP address.
     - Shared Secret - Type the password that will be used to validate the connection between the Enterasys Wireless Controller and the RADIUS server.
     - Mask/Unmask - Click to display or hide your shared secret key.
   - Roles - Select the authentication role options for the RADIUS server:
     - Authentication - By default, this option is selected if the VNS Type is Internal Captive Portal, which enables the RADIUS server to perform authentication on the Captive Portal VNS.
     - MAC-based Authentication - Select to enable the RADIUS server to perform MAC-based authentication on the Captive Portal VNS. If the MAC-based authentication option is enabled, select to enable MAC-based authorization on roam, if applicable.
     - Accounting - Select to enable the RADIUS server to perform accounting on the Captive Portal VNS.
8. Click Next. The DHCP screen is displayed.
9. On the DHCP screen, do the following:
   - In the DHCP Option drop-down list, click one of the following:
     - Use DHCP Relay - Using DHCP relay forces the Enterasys Wireless Controller to forward DHCP requests to an external DHCP server on the enterprise network. DHCP relay bypasses the local DHCP server for the Enterasys Wireless Controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure.
       - DHCP Servers - Type the IP address of the DHCP server to which DHCP discover and request messages will be forwarded for clients on this VNS. The Enterasys Wireless Controller does not handle DHCP requests from users, but instead forwards the requests to the indicated DHCP server.
         The DHCP server must be configured to match the VNS settings. In particular for a Routed VNS, the DHCP server must identify the Enterasys Wireless Controller's
10. In the DNS Servers box, type the IP Address of the Domain Name Servers to be used.
11. In the WINS box, type the IP address if the DHCP server uses Windows Internet Naming Service (WINS).
12. Click Next. The Filtering screen is displayed.
13. On the Filtering screen, do the following:
   - In the Filter ID drop-down list, click one of the following:
     - Default - Controls access if there is no matching filter ID for a user.
     - Exception - Protects access to the Enterasys Wireless Controller's own interfaces, including the VNS's own interface. VNS exception filters are applied to user traffic intended for the Enterasys Wireless Controller's own interface point on the VNS. These filters are applied after the user's specific VNS state assigned filters.
     - Non-Authenticated - Controls network access and also used to direct mobile users to a Captive Portal Web page for login.
14. In the Filter table, select the Allow or Deny option buttons for each filter if applicable, and then select the Enable checkbox accordingly.
15. Click Next. The Privacy screen is displayed.
16. On the Privacy screen, do the following:
   - None - Select if you do not want to assign any privacy mechanism.
   - Static Keys - Select to configure static keys.
     - WEP Key Index - Click the WEP encryption key index: 1, 2, 3, or 4.
Note: Specifying the WEP key index is supported only for AP36XX Wireless APs.
     - To enable the group key power save retry, select Group Key Power Save Retry.
Note: The group key power save retry is only supported for AP36XX Wireless APs.
17. Click Next. The Radio Assignment screen is displayed.
18. On the Radio Assignment screen, do the following:
   - In the AP Default Settings section, select the radios of the AP default settings profile that you want to broadcast the Captive Portal VNS.
   - In the AP Selection section, select the group of APs that will broadcast the Captive Portal VNS:
     - all radios - Click to assign all of the APs' radios.
     - radio 1 - Click to assign only the APs' Radio 1.
     - radio 2 - Click to assign only the APs' Radio 2.
     - local APs - all radios - Click to assign only the local APs.
     - local APs - radio 1 - Click to assign only the local APs' Radio 1.
     - local APs - radio 2 - Click to assign only the local APs' Radio 2.
     - foreign APs - all radios - Click to assign only the foreign APs.
     - foreign APs - radio 1 - Click to assign only the foreign APs' Radio 1.
     - foreign APs - radio 2 - Click to assign only the foreign APs' Radio 2.
   enabled, the AP will accept WMM client associations, and will classify and prioritize the downlink traffic for all WMM clients. WMM clients will also classify and prioritize the uplink traffic.
19. Click Next. The Summary screen is displayed.
20. Confirm your data VNS configuration. To revise your configuration, click Back.
21. To create your VNS, click Finish, and then click Close.
22. If applicable, you can continue to configure or edit the new VNS by clicking the individual VNS configuration tabs.

   If configuring a routed external Captive Portal VNS, do the following:
   (1) Gateway - Type the Enterasys Wireless Controller's own IP address in that VNS. This IP address is the default gateway for the VNS. The Enterasys Wireless Controller advertises this address to the wireless devices when they sign on. For routed VNSs, it corresponds to the IP address that is communicated to mobile users (in the VNS) as the default gateway for the VNS subnet. (Mobile users target the Enterasys Wireless Controller's interface in their effort to route packets to an external host).
   (2) Mask - Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
   (3) HWC Connection - Click the Enterasys Wireless Controller IP address. Also type the port of the Enterasys Wireless Controller in the accompanying box.
   If there is an authentication server configured for this VNS, the external Captive Portal page on the external authentication server will send the request back to the Enterasys Wireless Controller to allow the Enterasys Wireless Controller to continue with the RADIUS authentication and filtering.
   (1) Redirection URL - Type the URL to which the wireless device user will be directed to after authentication.
   (2) Shared Secret - Type the password that is common to both the Enterasys Wireless Controller and the external Web server if you want to encrypt the information passed between the Enterasys Wireless Controller and the external Web server.
   (3) Enable Authentication - Select this checkbox to enable authentication for the new Captive Portal VNS.
   (4) Enable DHCP - Select this checkbox to enable DHCP services for this new Captive Portal VNS.

   If configuring a bridge traffic locally at HWC external Captive Portal VNS, do the following:
   (1) Interface - Click the physical port that provides the access to the VLAN.
   (2) Interface IP address - Type the IP address of the Enterasys Wireless Controller's interface on the VLAN.
   (3) Mask - Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
   (4) VLAN ID - Type the VLAN tag to which the Enterasys Wireless Controller will be bridged for the VNS.
   (5) HWC Connection - Click the Enterasys Wireless Controller IP address. Also type the port of the Enterasys Wireless Controller in the accompanying box.
       If there is an authentication server configured for this VNS, the external Captive Portal page on the external authentication server will send the request back to the Enterasys Wireless Controller to allow the Enterasys Wireless Controller to continue with the RADIUS authentication and filtering.
   (6) Redirection URL - Type the URL to which the wireless device user will be directed to after authentication.
   (7) Shared Secret - Type the password that is common to both the Enterasys Wireless Controller and the external Web server if you want to encrypt the information passed between the Enterasys Wireless Controller and the external Web server.
   (8) Enable Authentication - Select this checkbox to enable authentication for the new Captive Portal VNS.
   (9) Enable DHCP - Select this checkbox to enable DHCP authentication for the new Captive Portal VNS.
6. Click Next. The VNS wizard displays the appropriate configuration screens, depending on your selection of the Enable Authentication and Enable DHCP checkboxes.
7. If applicable, on the Authentication screen, do the following:
   - Radius Server - Click the RADIUS server you want to assign to the new Captive Portal VNS, or click Add New Server and then do the following:
     - Server Alias - Type a name you want to assign to the new RADIUS server.
     - Hostname/IP - Type either the RADIUS server's FQDN (fully qualified domain name) or IP address.
8. Click Next.
9. If applicable, on the DHCP screen, do the following:
   - In the DHCP Option drop-down list, click one of the following:
     - Use DHCP Relay - Using DHCP relay forces the Enterasys Wireless Controller to forward DHCP requests to an external DHCP server on the enterprise network. DHCP relay bypasses the local DHCP server for the Enterasys Wireless Controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure.
       - DHCP Servers - Type the IP address of the DHCP server to which DHCP discover and request messages will be forwarded for clients on this VNS. The Enterasys Wireless Controller does not handle DHCP requests from users, but instead forwards the requests to the indicated DHCP server.
         The DHCP server must be configured to match the VNS settings. In particular for a Routed VNS, the DHCP server must identify the Enterasys Wireless Controller's interface IP as the default Gateway (router) for the subnet. (Users intending to reach devices outside of the subnet will forward the packets to the default gateway (controller) for delivery upstream.)
     - Local DHCP Server - If applicable, edit the local DHCP server settings.
10. In the DNS Servers box, type the IP Address of the Domain Name Servers to be used.
11. In the WINS box, type the IP address if the DHCP server uses Windows Internet Naming Service (WINS).
12. Click Next. The Filtering screen is displayed.
13. On the Filtering screen, do the following:
   - In the Filter ID drop-down list, click one of the following:
     - Default - Controls access if there is no matching filter ID for a user.
     - Exception - Protects access to the Enterasys Wireless Controller's own interfaces, including the VNS's own interface. VNS exception filters are applied to user traffic intended for the Enterasys Wireless Controller's own interface point on the VNS. These filters are applied after the user's specific VNS state assigned filters.
     - Non-Authenticated - Controls network access and also used to direct mobile users to a Captive Portal Web page for login.
   - WPA-PSK - Select to use a Pre-Shared Key (PSK), or shared secret for authentication. WPA-PSK (Wi-Fi Protected Access Pre-Shared key) is a security solution that adds authentication to enhanced WEP encryption and key management. WPA-PSK mode does not require an authentication server. It is suitable for home or small office.
     - To enable WPA v1 encryption, select WPA v.1. If WPA v.1 is enabled, click one of the following encryption types from the Encryption drop-down list:
       - Auto - The AP will advertise both TKIP and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) for WPA v1. CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). Auto is the default.
       - TKIP only - The AP will advertise TKIP as an available encryption protocol for WPA v1. It will not advertise CCMP.
     - To enable WPA v2 type encryption, select WPA v.2. The other options for this drop-down list are:
       - Auto - If you click Auto, the Wireless AP advertises both TKIP and CCMP (counter mode with cipher block chaining message authentication code protocol). CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard).
       - AES only - If you click AES, the Wireless AP advertises CCMP as an available encryption protocol. It will not advertise TKIP.
     - To enable the group key power save retry, select Group Key Power Save Retry.
Note: The group key power save retry is only supported for AP36XX Wireless APs.
17. Click Next. The Radio Assignment screen is displayed.
18. On the Radio Assignment screen, do the following:
   - In the AP Default Settings section, select the radios of the AP default settings profile that you want to broadcast the Captive Portal VNS.
   - In the AP Selection section, select the group of APs that will broadcast the Captive Portal VNS:
     - all radios - Click to assign all of the APs' radios.
     - radio 1 - Click to assign only the APs' Radio 1.
     - radio 2 - Click to assign only the APs' Radio 2.
     - local APs - all radios - Click to assign only the local APs.
     - local APs - radio 1 - Click to assign only the local APs' Radio 1.
     - local APs - radio 2 - Click to assign only the local APs' Radio 2.
     - foreign APs - all radios - Click to assign only the foreign APs.
     - foreign APs - radio 1 - Click to assign only the foreign APs' Radio 1.
     - foreign APs - radio 2 - Click to assign only the foreign APs' Radio 2.
Use the following high-level description to set up a Guest Portal on your system:

1. Create a Guest Portal VNS.
   The Guest Portal VNS can be created as a new VNS or can be configured from an already existing VNS.
2. Configure the Guest Portal ticket.
   A Guest Portal account ticket is a print-ready form that displays the guest account information, system requirements, and instructions on how to log on to the guest account. For more information, see Working with the Guest Portal Ticket Page on page 16-11.
3. Configure availability, if applicable.
   Availability maintains service availability in the event of an Enterasys Wireless Controller outage. For more information, see Chapter 10, Availability and Session Availability.
4. Create Guest Portal manager and user accounts.
   For more information, see Working with Guest Portal Administration on page 16-1.
5. Manage your guest accounts and Guest Portal logs.
   For more information, see the Enterasys Wireless Controller, Access Points and Convergence Software Maintenance Guide.

The Guest Portal VNS can be created as a new VNS or can be configured from an already existing VNS. An Enterasys Wireless Controller is allowed only one Guest Portal-dedicated VNS at a time.
5. Configure the VNS basic settings:
   - Enabled - By default, the Enabled checkbox for the new VNS is enabled. A VNS must be enabled for it to be able to provide service for mobile user traffic.
   - Authentication Mode - In the drop-down list, click External Captive Portal.
   - Mode - In the drop-down list, click one of the following VNS modes:
     - Routed - User traffic is tunneled to the Enterasys Wireless Controller.
       - In the Gateway box, type the Enterasys Wireless Controller's own IP address in that VNS. This IP address is the default gateway for the VNS. The Enterasys Wireless Controller advertises this address to the wireless devices when they sign on. For routed VNSs, it corresponds to the IP address that is communicated to mobile users (in the VNS) as the default gateway for the VNS subnet. (Mobile users target the Enterasys Wireless Controller's interface in their effort to route packets to an external host).
       - In the Mask box, type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
     - Bridge Traffic Locally at the HWC - User traffic is tunneled to the Enterasys Wireless Controller and is directly bridged at the controller to a specific VLAN. With this VNS type, mobile users become a natural extension of a VLAN subnet. For each Bridge Traffic Locally at HWC VNS that is created, a VLAN needs to be specified. In addition, the network port on which the VLAN is assigned must be configured on the switch, and the corresponding Enterasys Wireless Controller interface must match the correct VLAN.
       - In the Interface drop-down list, click the physical interface that provides the access to the VLAN.
       - In the Interface IP address box, type the IP address of the Enterasys Wireless Controller's interface on the VLAN.
       - In the Mask box, type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
       - In the VLAN ID box, type the VLAN tag to which the Enterasys Wireless Controller will be bridged for the VNS.
   - If applicable, select the Enable DHCP checkbox.
6.
7.
Configure the DHCP settings. In the DHCP Option drop-down list, click one of the following:
   - Use DHCP Relay - Using DHCP relay forces the Enterasys Wireless Controller to forward DHCP requests to an external DHCP server on the enterprise network. DHCP relay bypasses the local DHCP server for the Enterasys Wireless Controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure.
     - DHCP Servers - Type the IP address of the DHCP server to which DHCP discover and request messages will be forwarded for clients on this VNS. The Enterasys Wireless Controller does not handle DHCP requests from users, but instead forwards the requests to the indicated DHCP server.
       The DHCP server must be configured to match the VNS settings. In particular for a Routed VNS, the DHCP server must identify the Enterasys Wireless Controller's
10. Click Next. The Filtering screen is displayed.
13. In the Filter table, select the Enable checkbox for the desired filters, then select the Allow or Deny option buttons for each filter as needed.
14. At the bottom of the Filter list, select Allow or Deny for All Other Traffic.
15. Click Next. The Privacy screen is displayed.
16. Configure the VNS Privacy settings:
   - None - Select if you do not want to assign any privacy mechanism.
   - Static Keys (WEP) - Select to use keys on the VNS that match the WEP mechanism used on the rest of the network. Each AP can participate in up to 50 VNSs. For each VNS, only one WEP key can be specified. It is treated as the first key in a list of WEP keys.
     - From the WEP Key Index drop-down list, click the WEP encryption key index: 1, 2, 3, or 4.
Note: Specifying the WEP key index is supported only for AP36XX Wireless APs.
Enterasys Wireless Controller, Access Points, and Convergence Software User Guide
- WPA-PSK: Select to use a Pre-Shared Key (PSK), or shared secret for authentication. WPA-PSK (Wi-Fi Protected Access Pre-Shared key) is a security solution that adds authentication to enhanced WEP encryption and key management. WPA-PSK mode does not require an authentication server. It is suitable for home or small office.
To enable WPA v1 encryption, select WPA v.1. If WPA v.1 is enabled, click one of the following encryption types from the Encryption drop-down list:
- Auto: The AP will advertise both TKIP and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) for WPA v1. CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). Auto is the default.
- TKIP only: The AP will advertise TKIP as an available encryption protocol for WPA v1. It will not advertise CCMP.
17. Click Next. The Radio Assignment screen is displayed.
18. Configure the radio assignments:
- In the AP Default Settings section, select the radios of the AP default settings profile that you want to broadcast the VNS.
- In the AP Selection section, select the group of APs that will broadcast the VNS:
  - all radios: Click to assign all of the APs' radios.
  - radio 1: Click to assign only the APs' Radio 1.
  - radio 2: Click to assign only the APs' Radio 2.
  - local APs - all radios: Click to assign only the local APs.
  - local APs - radio 1: Click to assign only the local APs' Radio 1.
  - local APs - radio 2: Click to assign only the local APs' Radio 2.
  - foreign APs - all radios: Click to assign only the foreign APs.
  - foreign APs - radio 1: Click to assign only the foreign APs' Radio 1.
  - foreign APs - radio 2: Click to assign only the foreign APs' Radio 2.
19. Click Next. The Summary screen is displayed.
4. Click Save. The VNS is enabled or disabled accordingly.
Renaming a VNS
To Rename a VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network Configuration screen is displayed.
2. In the left pane expand the Virtual Networks pane, then select the VNS you want to rename.
3. On the Core tab, in the VNS Name field, enter the new name.
4. Click Save. The VNS is renamed.
Deleting a VNS
You can delete a VNS that is no longer necessary.
To delete a VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network Configuration screen is displayed.
2. In the left pane expand the Virtual Networks pane, then select the VNS you want to delete.
3. On the Core tab, click the Delete button. A pop-up window prompts you to confirm you want to delete the VNS. Click OK.
4. Click Save. The VNS is deleted.
8
Working with a Mesh Network
This chapter describes a Wireless Distribution System (Mesh), including:
- About Mesh
- Simple Mesh Configuration
- Wireless Repeater Configuration
- Wireless Bridge Configuration
- Examples of Deployment
- Mesh WLAN Services
- Key Features of Mesh
- Deploying the Mesh System
- Changing the Pre-shared Key in a Mesh WLAN Service
About Mesh
Mesh networks enable you to expand the wireless network by interconnecting the Wireless APs through wireless links in addition to the traditional method of interconnecting Wireless APs via a wired network. In a Mesh deployment, each node not only captures and disseminates its own data, but it also serves as a relay for other nodes, that is, it collaborates to propagate the data in the network.
A Mesh deployment is ideally suited for locations where installing Ethernet cabling is too expensive, or physically impossible.
The Mesh network can be deployed in three configurations:
- Simple Mesh Configuration
- Wireless Repeater Configuration
- Wireless Bridge Configuration
Note: Mesh is supported on all AP36xx models only, excluding the AP3605.
Note: You should restrict the number of repeater hops in a Wireless Repeater configuration to three for optimum performance.
When you are configuring the Wireless Bridge configuration, you must specify on the user interface that the Mesh AP is connected to the wired LAN.
Examples of Deployment
The following illustration depicts a few examples of Mesh deployment.
Figure 8-4 Examples of Mesh Deployment
Figure 8-5 Deployment Example
The rectangular enclosure denotes an office building. The four Wireless APs Minoru, Yosemite, Bjorn and Lancaster are within the confines of the building and are connected to the wired network. The space around the office building is a warehouse. The solid arrows point towards Current Parents. The dotted arrows point towards Alternative Parents.
Self-Healing Network
Data in a Mesh network propagates along a path, by hopping from node to node until the destination is reached. To ensure the availability of all its paths, the Mesh network allows for continuous connections and reconfiguration around broken or blocked paths, referred to as self-healing. The self-healing capability enables a routing-based network to operate when one node breaks down or a connection goes bad.
Tree-like Topology
The Wireless APs in Mesh configuration can be regarded as nodes, and these nodes form a tree-like structure. The tree builds in a top-down manner with the Mesh Portal being the tree root, and the Mesh AP being the tree leaves.
The nodes in the tree structure have a parent-child relationship. The Mesh AP dynamically selects the best parent for connecting to the Mesh portal. A Mesh AP can have the role of both parent and child at the same time and the AP's role can change dynamically.
The following figure illustrates the parent-child relationship between the nodes in a Mesh topology.
Figure 8-8 Parent-child Relationship Between Wireless APs in Mesh Configuration
- Mesh Portal is the parent of Mesh AP 1.
- Mesh AP 1 is the child of Mesh Portal.
- Mesh AP 1 is the parent of Mesh AP 2.
- Mesh AP 2 is the child of Mesh AP 1.
- Mesh AP 2 is the parent of the following Wireless APs: Mesh AP 5, Mesh AP 4, Mesh AP 3.
- All the three Mesh APs are the children of Mesh AP 2.
Note: Enterasys recommends that you limit the number of APs participating in a Mesh tree to 50. This limit guarantees decent performance in most typical situations.
Note: If a Wireless AP is configured to serve as a scanner in Mitigator, it cannot be used in a Mesh tree. For more information, see Chapter 13, Working with the Mitigator.
Radio Channels
All APs in a mesh deployment must have Mesh configured on the same radio. On the backhaul radio, the following settings must be set the same way for all APs in the Mesh:
- Radio mode
- Minimum Basic Rate
Link Security
The Mesh link is encrypted using Advanced Encryption Standard (AES).
Note: The keys for AES are configured prior to deploying the Repeater or Mesh APs.
Connecting the Mesh Wireless APs to the Enterprise Network for Discovery and Registration
Connect each Mesh Wireless AP to the enterprise network to enable it to discover and register itself with the Enterasys Wireless Controller.
Note: Before you connect the Mesh Wireless APs to the enterprise network for discovery and registration, you must ensure that the Security mode property of the Enterasys Wireless Controller is defined according to your security needs. The Security mode property dictates how the Enterasys Wireless Controller behaves when registering new and unknown devices. For more information, see Defining Properties for the Discovery Process on page 2-26. If the Security mode is set to Allow only approved Wireless APs to connect (this is also known as secure mode), you must manually approve the Mesh Wireless APs after they are connected to the network for the discovery and registration. For more information, see Adding and Registering a Wireless AP Manually on page 2-29.
Configuring the Mesh Wireless APs Through the Enterasys Wireless Controller
Configuring the Mesh Wireless APs involves the following steps:
1. Creating a Mesh WLAN Service.
2. Defining the SSID name and the pre-shared key.
Figure 8-10 Mesh Deployment
The solid arrows point toward Current Parents. The dotted arrows point toward Alternative Parents.
Note: With the single Mesh VNS, the tree structure for the Mesh deployment will be as depicted on the bottom right of Figure 8-10. You can also implement the same deployment using four Mesh VNSs, each for a set of Wireless APs in the four corners of the building. Each set of Wireless APs will form an isolated topology and will operate using a separate SSID and a separate Pre-shared key. For more information, see Mesh WLAN Services on page 8-4.
To Configure the Mesh Wireless APs Through the Enterasys Wireless Controller:
Before configuring Mesh, be sure that the following conditions are met:
- Energy Save is set to Off
- Beacon Interval is set to 100 msec
- AP names are 32 characters or less for statistics display purposes
- ATPC and DCS are both disabled.
If possible, follow these guidelines for the backhaul radio to achieve a balance of stability, throughput, and latency:
- Use a 5.2 GHz band for backhaul
- Select a non-DFS channel for the Mesh Portal
- Use a 40 MHz Channel Width and Short guard interval
- Disable Aggregate MSDUs
- Enable Aggregate MPDUs
- Enable ADDBA support
- Configure the settings on the Radio configuration page the same for all APs in the Mesh.
- Set the Poll Timeout to be at least 60 seconds.
1. From the main menu, click Virtual Network Configuration. The Virtual Network Configuration screen is displayed.
6. To save your changes, click Save. The WLAN configuration window is redisplayed to show additional configuration fields.
7. In the Mesh Pre-shared Key box, type the key.
Note: The pre-shared key must be 8 to 63 characters long. The Mesh Wireless APs use this pre-shared key to establish a Mesh link between them.
Note: Changing the pre-shared key after the Mesh is deployed can be a lengthy process. For more information, see Changing the Pre-shared Key in a Mesh WLAN Service on page 8-13.
8. Assign a backhaul radio.
Note: After you save the configuration, you cannot change the backhaul radio. Please configure this setting wisely.
9. To save your changes, click Save.
Note: The Mesh Bridge feature on the user interface relates to Mesh Bridge configuration. When you are configuring the Mesh Bridge topology, you must select Mesh Bridge for Mesh AP that is connected to the wired network. For more information, see Wireless Bridge Configuration on page 8-3.
Connecting the Mesh Wireless APs to the Enterprise Network for Provisioning
You must connect the Mesh Wireless APs to the enterprise network once more to enable them to obtain their configuration from the Enterasys Wireless Controller. The configuration includes the pre-shared key, the Wireless AP's role, preferred parent and backup parent. For more information, see Provisioning the Mesh Wireless APs on page 8-9.
Warning: If you skip this step, the Mesh Wireless APs will not work at their target location.
9
Working with a Wireless Distribution System
This chapter describes a Wireless Distribution System (WDS), including:
- About WDS
- Simple WDS Configuration
- Wireless Repeater Configuration
- Wireless Bridge Configuration
- Examples of Deployment
- WDS WLAN Services
- Key Features of WDS
- Deploying the WDS System
- Changing the Pre-shared Key in a WDS WLAN Service
About WDS
The Wireless Distribution System (WDS) enables you to expand the wireless network by interconnecting the Wireless APs through wireless links in addition to the traditional method of interconnecting Wireless APs via a wired network.
Note: The Scalance AP W788-2 and AP2605 do not support WDS.
Note: You should restrict the number of repeater hops in a Wireless Repeater configuration to three for optimum performance.
When you are configuring the Wireless Bridge configuration, you must specify on the user interface that the Satellite AP is connected to the wired LAN.
Examples of Deployment
The following illustration depicts a few examples of WDS deployment.
Figure 9-4 Examples of WDS Deployment
Figure 9-5 Deployment Example
The rectangular enclosure denotes an office building. The four Wireless APs Minoru, Yosemite, Bjorn and Lancaster are within the confines of the building and are connected to the wired network. The space around the office building is a warehouse. The solid arrows point towards Preferred Parents. The dotted arrows point towards Backup Parents.
Tree-like Topology
The Wireless APs in WDS configuration can be regarded as nodes, and these nodes form a tree-like structure. The tree builds in a top-down manner with the Root Wireless AP being the tree root, and the Satellite Wireless AP being the tree leaves.
The nodes in the tree structure have a parent-child relationship. The Wireless AP that provides the WDS service to the other Wireless APs in the downstream direction is a parent. The Wireless APs that establish a link with the Wireless AP in the upstream direction for WDS service are children.
Note: If a parent Wireless AP fails or stops acting as a parent, the children Wireless APs will attempt to discover their backup parents. If the backup parents are not defined, the children Wireless APs will be left stranded.
The following figure illustrates the parent-child relationship between the nodes in a WDS topology.
Figure 9-8 Parent-child Relationship Between Wireless APs in WDS Configuration
- Root Wireless AP is the parent of Repeater Wireless AP 1.
- Repeater Wireless AP 1 is the child of Root Wireless AP.
- Repeater Wireless AP 1 is the parent of Repeater Wireless AP 2.
- Repeater Wireless AP 2 is the child of Repeater Wireless AP 1.
- Repeater Wireless AP 2 is the parent of the following Wireless APs: Satellite Wireless AP 1, Satellite Wireless AP 2, Satellite Wireless AP 3.
- All the three Satellite APs are the children of Repeater Wireless AP 2.
Note: If a Wireless AP is configured to serve as a scanner in Mitigator, it cannot be used in a WDS tree. For more information, see Chapter 13, Working with the Mitigator.
Radio Channels
The radio channel on which the child Wireless AP operates is determined by the parent Wireless AP.
A Wireless AP may connect to its parent Wireless AP and children Wireless APs on the same radio, or on different radios. Similarly, a Wireless AP can have two children operating on two different radios.
Note: When a Wireless AP is connecting to its parent Wireless AP and children APs on the same radio, it uses the same channel for both the connections.
Link Security
The WDS link is encrypted using Advanced Encryption Standard (AES).
Note: The keys for AES are configured prior to deploying the Repeater or Satellite Wireless APs.
Note: During the WDS deployment process, the WDS Wireless APs are connected to the enterprise network on two occasions: first to enable them to discover and register with the Enterasys Wireless Controller, and then the second time to enable them to obtain the provisioning from the Enterasys Wireless Controller.
Connecting the WDS Wireless APs to the Enterprise Network for Discovery and Registration
Connect each WDS Wireless AP to the enterprise network to enable it to discover and register itself with the Enterasys Wireless Controller.
Note: Before you connect the WDS Wireless APs to the enterprise network for discovery and registration, you must ensure that the Security mode property of the Enterasys Wireless Controller is defined according to your security needs. The Security mode property dictates how the Enterasys Wireless Controller behaves when registering new and unknown devices. For more information, see Defining Properties for the Discovery Process on page 2-26. If the Security mode is set to Allow only approved Wireless APs to connect (this is also known as secure mode), you must manually approve the WDS Wireless APs after they are connected to the network for the discovery and registration. For more information, see Adding and Registering a Wireless AP Manually on page 2-29.
Configuring the WDS Wireless APs Through the Enterasys Wireless Controller
Configuring the WDS Wireless APs involves the following steps:
1. Creating a WDS WLAN Service.
2. Defining the SSID name and the pre-shared key.
3. Assigning roles, parents and backup parents to the WDS Wireless APs.
Figure 9-10 WDS Deployment
The solid arrows point toward Preferred Parents. The dotted arrows point toward Backup Parents.
Note: With the single WDS VNS, the tree structure for the WDS deployment will be as depicted on the bottom right of Figure 9-10. You can also implement the same deployment using four WDS VNSs, each for a set of Wireless APs in the four corners of the building. Each set of Wireless APs will form an isolated topology and will operate using a separate SSID and a separate Pre-shared key. For more information, see WDS WLAN Services on page 9-4.
To Configure the WDS Wireless APs Through the Enterasys Wireless Controller:
Note: You must identify and mark the Preferred Parents, Backup Parents and the Child Wireless APs in the proposed WDS topology before starting the configuration process.
6. To save your changes, click Save. The WLAN configuration window is redisplayed to show additional configuration fields.
7. In the WDS Pre-shared Key box, type the key.
Note: The pre-shared key must be 8 to 63 characters long. The WDS Wireless APs use this pre-shared key to establish a WDS link between them.
Note: Changing the pre-shared key after the WDS is deployed can be a lengthy process. For more information, see Changing the Pre-shared Key in a WDS WLAN Service on page 9-16.
8. Assign the roles, preferred parents and backup parents to the Wireless AP Radios.
Note: The roles parent, child, and both are assigned to the Radios of the Wireless APs. A Wireless AP may connect to its parent Wireless AP and children Wireless APs on the same Radio, or on a different Radio. Similarly, a Wireless AP can have two children operating on two different Radios. The Radio on which the child Wireless AP operates is determined by the parent Wireless AP. If the Wireless AP will be serving both as parent and child, you must select both as its role.
To configure the WDS as illustrated in Figure 9-10 with a single WDS VNS, you must assign the roles, preferred parents and backup parents to the Wireless APs according to Table 9-1.
Table 9-1 Wireless APs and Their Roles
Wireless AP | Radio b/g | Radio a | Preferred Parent | Backup Parent
Ardal | Parent | Parent | See the note below. | See the note below.
Arthur | Parent | Parent | See the note below. | See the note below.
Athens | Parent | Parent | See the note below. | See the note below.
Auberon | Parent | Parent | See the note below. | See the note below.
Bawdy | Both | Child | Ardal | Arthur
Bern | Both | Child | Arthur | Ardal
Barend | Both | Child | Athens | Auberon
Barett | Both | Child | Auberon | Athens
Osborn | Child | Child | Bawdy | Ardal
Oscar | Child | Child | Bern | Arthur
Orson | Child | Child | Barend | Athens
Oswald | Child | Child | Barett | Auberon
Note: Since the Root Wireless APs Ardal, Arthur, Athens and Auberon are the highest entities in the tree structure, they do not have parents. Therefore, the Preferred Parent and Backup Parent drop-down lists of the Root Wireless APs do not display any Wireless AP. You must leave these two fields blank.
Note: You must first assign the parent role to the Wireless APs that will serve as the parents. Unless this is done, the Parent Wireless APs will not be displayed in the Preferred Parent and Backup Parent drop-down lists of other Wireless APs.
Note: The WDS Bridge feature on the user interface relates to WDS Bridge configuration. When you are configuring the WDS Bridge topology, you must select WDS Bridge for Satellite Wireless AP that is connected to the wired network. For more information, see Wireless Bridge Configuration on page 9-3.
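The role and parent assignments in Table 9-1 can be checked on paper before the APs are provisioned, including which APs are left stranded when a parent fails. The following Python code is an added example, not part of the guide or of any Enterasys software; the function names are hypothetical, and it assumes that a root is an AP with the parent role on both radios and that a parent is usable only while it is up and itself has a path to a root.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Rows of Table 9-1: (AP, Radio b/g role, Radio a role, preferred parent, backup parent).
TABLE_9_1 = [
    ("Ardal",   "parent", "parent", None,      None),
    ("Arthur",  "parent", "parent", None,      None),
    ("Athens",  "parent", "parent", None,      None),
    ("Auberon", "parent", "parent", None,      None),
    ("Bawdy",   "both",   "child",  "Ardal",   "Arthur"),
    ("Bern",    "both",   "child",  "Arthur",  "Ardal"),
    ("Barend",  "both",   "child",  "Athens",  "Auberon"),
    ("Barett",  "both",   "child",  "Auberon", "Athens"),
    ("Osborn",  "child",  "child",  "Bawdy",   "Ardal"),
    ("Oscar",   "child",  "child",  "Bern",    "Arthur"),
    ("Orson",   "child",  "child",  "Barend",  "Athens"),
    ("Oswald",  "child",  "child",  "Barett",  "Auberon"),
]


@dataclass(frozen=True)
class AP:
    name: str
    role_bg: str
    role_a: str
    preferred: Optional[str]
    backup: Optional[str]

    @property
    def can_parent(self) -> bool:
        # An AP can serve children if any radio has the parent or both role.
        return any(r in ("parent", "both") for r in (self.role_bg, self.role_a))

    @property
    def is_root(self) -> bool:
        # Assumption: a root is an AP whose radios carry only the parent role.
        return self.role_bg == "parent" and self.role_a == "parent"


def load_plan(rows: Iterable[tuple]) -> Dict[str, AP]:
    return {row[0]: AP(*row) for row in rows}


def validate(plan: Dict[str, AP]) -> List[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    for ap in plan.values():
        if ap.is_root:
            if ap.preferred or ap.backup:
                findings.append(f"{ap.name}: root AP must leave both parent fields blank")
            continue
        if not ap.preferred:
            findings.append(f"{ap.name}: no preferred parent defined")
        if not ap.backup:
            findings.append(f"{ap.name}: no backup parent, stranded if preferred parent fails")
        elif ap.backup == ap.preferred:
            findings.append(f"{ap.name}: backup parent is the same AP as preferred parent")
        for label, parent in (("preferred", ap.preferred), ("backup", ap.backup)):
            if parent is None:
                continue
            if parent not in plan:
                findings.append(f"{ap.name}: {label} parent {parent} is not in the plan")
            elif not plan[parent].can_parent:
                findings.append(f"{ap.name}: {label} parent {parent} has no parent role")
    return findings


def uplink(plan: Dict[str, AP], name: str, failed: Iterable[str],
           _seen: FrozenSet[str] = frozenset()) -> Optional[List[str]]:
    """Path from an AP up to a root, trying preferred then backup; None if stranded."""
    if name in failed or name in _seen or name not in plan:
        return None
    ap = plan[name]
    if ap.is_root:
        return [name]
    for parent in (ap.preferred, ap.backup):
        if parent in plan and plan[parent].can_parent:
            path = uplink(plan, parent, failed, _seen | {name})
            if path:
                return [name] + path
    return None


def stranded(plan: Dict[str, AP], failed: Iterable[str]) -> List[str]:
    """Working APs that cannot reach any root while the APs in `failed` are down."""
    failed = set(failed)
    return sorted(n for n in plan if n not in failed and uplink(plan, n, failed) is None)


if __name__ == "__main__":
    plan = load_plan(TABLE_9_1)
    print("findings:", validate(plan))
    for outage in ({"Bawdy"}, {"Ardal", "Arthur"}):
        print(sorted(outage), "down -> stranded:", stranded(plan, outage))
```

With the table as given, a single failed parent strands no AP, while losing both Ardal and Arthur strands every AP whose preferred and backup parents both lead to that pair.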
9. To save your changes, click Save.
Assigning the Satellite Wireless APs' Radios to the Network WLAN Services
You must assign the Satellite Wireless APs' radios to the network WLAN Services.
Note: Network WLAN Services are the typical WLAN Services on which the Wireless APs service the client devices: Routed, Bridge Traffic Locally at HWC, and Bridge Traffic Locally at AP. For more information, see VNS Global Settings on page 7-3.
To Assign the Satellite Wireless APs' Radios to the Network WLAN Service:
1. From the main menu, click Virtual Network Configuration. The Virtual Network Configuration screen is displayed.
2. In the left pane, expand the WLAN Services pane and select a network WDS service to edit.
3. In the Wireless APs list, select the radios of the Satellite APs Osborn, Oscar, Orson and Oswald.
Note: If you want the Root Wireless AP and the Repeater Wireless APs to service the client devices, you must select their radios in addition to the radios of the Satellite Wireless APs.
4. To save your changes, click Save.
5. Log out from the Enterasys Wireless Controller.
Connecting the WDS Wireless APs to the Enterprise Network for Provisioning
You must connect the WDS Wireless APs to the enterprise network once more to enable them to obtain their configuration from the Enterasys Wireless Controller. The configuration includes the pre-shared key, the Wireless AP's role, preferred parent and backup parent. For more information, see Provisioning the WDS Wireless APs on page 9-9.
Warning: If you skip this step, the WDS Wireless APs will not work at their target location.
10
Availability and Session Availability
This chapter describes the availability feature, including:
- Availability
- Session Availability
- Viewing the Wireless AP Availability Display
- Viewing SLP Activity
Availability
The Enterasys Wireless Controller, Access Points and Convergence Software system provides the availability feature to maintain service availability in the event of an Enterasys Wireless Controller outage.
The availability feature links two Enterasys Wireless Controllers: the primary controller and the secondary controller (backup controller). The primary and the secondary controllers share information about their Wireless APs. If the primary controller fails, its Wireless APs failover to the secondary controller. The secondary controller provides the wireless network and pre-assigned VNSs for the Wireless APs.
Note: During the failover event, the maximum number of failover APs the secondary controller can accommodate is equal to the maximum number of APs supported by the hardware platform.
Wireless APs that attempt to connect to the secondary controller during a failover event are assigned to the WLAN Service that is defined in the system's default AP configuration, provided the administrator has not assigned the failover Wireless APs to one or more VNSs. If a system default AP configuration does not exist for the controller (and the administrator has not assigned the failover Wireless APs to any WLAN Service), the APs will not be assigned to any WLAN Service during the failover.
An Enterasys Wireless Controller will not accept a connection by a foreign AP if the Enterasys Wireless Controller believes its availability partner controller is in service.
Also, the default Wireless AP configuration assignment is only applicable to new APs that failover to the backup controller. Any Wireless AP that has previously failed over and is already known to the backup system will receive the configuration already present on that system. For more information, see Configuring the Default Wireless AP Settings on page 275.
During the failover event when the Wireless AP connects to the secondary controller, the users are disassociated from the Wireless AP. Consequently, the users must log on again and be authenticated on the secondary controller before the wireless service is restored.
Note: If you want the mobile user's session to be maintained, you must use the session availability feature that enables the primary controller's Wireless APs to failover to the secondary controller fast enough to maintain the session availability (user session). For more information, see Session Availability on page 10-9.
After a Wireless AP on the failed Enterasys Wireless Controller loses its connection, it will try to connect to all enabled interfaces on both controllers without rebooting. If the Wireless AP is not successful, it will begin the discovery process. If the Wireless AP is not successful in connecting to the Enterasys Wireless Controller after five minutes of attempting, the Wireless AP will reboot if there is no Bridge traffic locally at the AP topology associated to it.
All mobile users' sessions using the failover Wireless AP will terminate except those associated to a Bridge traffic locally at the AP and if the Maintain client sessions in event of poll failure option is enabled on the AP Properties tab or AP Default Settings screen.
When the Wireless APs connect to the second Enterasys Wireless Controller, they are either assigned to the VNS that is defined in the system's default AP configuration or manually configured by the administrator. The mobile users log on again and are authenticated on the second Enterasys Wireless Controller.
When the failed Enterasys Wireless Controller recovers, each Enterasys Wireless Controller in the pair goes back to normal mode. They exchange information including the latest lists of registered Wireless APs. The administrator must release the Wireless APs manually on the second Enterasys
Availability Prerequisites
Before you configure availability, you must do the following:
- Choose the primary and secondary Enterasys Wireless Controllers.
- Verify the network accessibility for the UDP connection between the two controllers. The availability link is established as a UDP session on port 13911.
- Set up a DHCP server for AP subnets to support Option 78 for SLP, so that it points to the IP addresses of the physical interfaces on both the Enterasys Wireless Controllers.
- Ensure that the Poll Timeout value on the AP Properties tab Advanced dialog is set to 1.5 to 2 times of Detect link failure value on the Enterasys Wireless Controller > Availability screen. For more information, see Configuring a Wireless AP's Properties on page 232.
If the Poll Timeout value is less than 1.5 to 2 times of Detect link failure value, the Wireless AP failover will not succeed because the secondary controller will not be ready to accept the failover APs.
On the other hand, if the Poll Timeout value is more than 1.5 to 2 times of Detect link failure value, the Wireless APs' failover will be unnecessarily delayed, because the Wireless APs will continue polling the primary controller even though the secondary controller is ready to accept them as the failover APs.
- To achieve ideal availability behavior, you must set the Poll Timeout value for all Wireless APs to 15 seconds, and the Detect link failure on the Enterasys Wireless Controller > Availability screen to ten seconds.
Synchronize Guest Portal Accounts: Select this checkbox to push Guest Portal user accounts to the peer controller.
Click Close.
This operation marks the desired topologies for synchronization. The two controllers exchange information and the configuration is applied to the remote controller.
On the local controller, the Enable Synchronization of System Configuration becomes selected. This can be double-checked by navigating to VNS Configuration, Global and then Sync Summary. This tab also lists all topologies, policies, WLAN Services and VNSes with their synchronization status (on or off).
The Sync status for any of these elements can also be changed from this tab.
All these configurable elements have a Synchronize checkbox (on their main/general configuration tab) that allows for individual control and selection of availability from the main element configuration page.
7. On both the primary and secondary controllers, select the Synchronize Guest Portal Guest Users option to synchronize Guest Portal guest accounts between the controllers.
8. From the main menu, click Wireless AP Configuration. The Enterasys Wireless AP Configuration screen is displayed.
9. In the left pane, click AP Registration. To set the security mode for the Enterasys Wireless Controller, select one of the following options:
- Allow all Wireless APs to connect: If the Enterasys Wireless Controller does not recognize the serial number, it sends a default configuration to the Wireless AP. Or, if the Enterasys Wireless Controller recognizes the serial number, it sends the specific configuration (port and binding key) set for that Wireless AP.
- Allow only approved Wireless APs to connect: If the Enterasys Wireless Controller does not recognize the serial number, the Wireless APs will be in pending mode and the administrator must manually approve them. Or, if the Enterasys Wireless Controller recognizes the serial number, it sends the configuration for that Wireless AP.
Note: During the initial setup of the network, Siemens recommends that you select the Allow all Wireless APs to connect option. This option is the most efficient way to get a large number of Wireless APs registered with the Enterasys Wireless Controller. Once the initial setup is complete, Siemens recommends that you reset the security mode to the Allow only approved Wireless APs to connect option. This option ensures that no unapproved Wireless APs are allowed to connect. For more information, see Configuring Wireless AP Settings on page 2-30.
10. To save your changes, click Save.
Note: When two Enterasys Wireless Controllers have been paired as described above, each Enterasys Wireless Controller's registered Wireless APs will appear as foreign on the other controller in the list of available Wireless APs when configuring a VNS topology.
11. Verify that availability is configured correctly.
Verifying Availability
To verify that availability is configured correctly:
a. From the main menu of either of the two controllers, click Reports. The Enterasys Reports & Displays screen is displayed.
b. From the Reports and Displays menu, click Wireless AP Availability. The Wireless Availability Report is displayed.
Session Availability
Session availability enables Wireless APs to switch over to a standby (secondary) Enterasys Wireless Controller fast enough to maintain the mobile user's session availability in the following scenarios:
- The primary Enterasys Wireless Controller goes down (Figure 10-1).
Figure 10-1 AP Fail Over to 2ndary Controller When Primary Goes Down
- The Wireless AP's network connectivity to the primary Enterasys Wireless Controller fails (Figure 10-2).
Figure 10-2 AP Fail Over to 2ndary Controller When Connectivity to Primary Fails
In session availability mode (Figure 10-3), the Wireless APs connect to both the primary and secondary Enterasys Wireless Controllers. While the connectivity to the primary Enterasys Wireless Controller is via the active tunnel, the connectivity to the secondary Enterasys Wireless Controller is via the backup tunnel.
Figure 10-3 Session Availability Mode
The following is the traffic flow of the topology illustrated in Figure 10-3:
- The Wireless AP establishes the active tunnel to connect to the primary Enterasys Wireless Controller.
- The Enterasys Wireless Controller sends the configuration to the Wireless AP. This configuration also contains the port information of the secondary Enterasys Wireless Controller.
- On the basis of the secondary Enterasys Wireless Controller's port information, the Wireless AP connects to the secondary controller via the backup tunnel.
- After the connection is established via the backup tunnel, the secondary Enterasys Wireless Controller sends the backup configuration to the Wireless AP.
- The Wireless AP receives the backup configuration and stores it in its memory to use it for failing over to the secondary controller. All this while, the Wireless AP is connected to the primary Enterasys Wireless Controller via the active tunnel.
SessionavailabilityisnotavailabletousersonconventionalRoutedVNSs.
Note: Session availability is not supported in a VNS that is configured for AAA network assignment.
When the fast failover takes place, a critical message is displayed in the information log of the secondary Enterasys Wireless Controller.
Note: In session availability, the maximum number of failover APs that the secondary controller can accommodate is equal to the maximum number of APs supported by the hardware platform.
When the failed Enterasys Wireless Controller recovers, each Enterasys Wireless Controller in the pair goes back to normal mode. They exchange information that includes the latest lists of registered Wireless APs. The administrator must release the Wireless APs manually on the second Enterasys Wireless Controller, so that they may re-register with their home Enterasys Wireless Controller. Foreign APs can now all be released at once by using the Foreign button on the Access Approval screen to select all foreign APs, and then clicking Released.
To support the availability feature during a failover event, administrators need to do the following:
1. Monitor the critical messages for the failover mode message, in the information log of the secondary Enterasys Wireless Controller (in the Logs & Traces section of the Enterasys Wireless Assistant).
2. After recovery, on the secondary Enterasys Wireless Controller, select the foreign Wireless APs, and then click Release on the Access Approval screen.
After the Wireless APs are released, they establish the active tunnel to their home controller and backup tunnel to the secondary controller.
• Both the primary and secondary Enterasys Wireless Controllers are running the most recent Enterasys Wireless Convergence Software releases.
• A network connection exists between the two Enterasys Wireless Controllers.
• The Wireless APs are operating in availability mode.
• The deployment is designed in such a way that the service provided by the Wireless APs is not dependent on which Enterasys Wireless Controller the APs associate with. For example, the fast failover feature will not support the deployment in which the two Enterasys Wireless Controllers in availability mode are connected via a WAN link.
• Both the primary and secondary Enterasys Wireless Controllers have equivalent upstream access to the servers on which they depend. For example, both the controllers must have access to the same RADIUS and DHCP servers.
• The users (client devices) that use DHCP must obtain their addresses from a DHCP Server that is external to the Enterasys Wireless Controller.
• Time on all the network elements (both the Enterasys Wireless Controllers in availability pair, Wireless APs, DHCP and RADIUS servers etc.) is synchronized. For more information, see Configuring Network Time on page 3-42.
Note: The fast failover feature works optimally in fast networks (preferably switched networks).
4. Under Controller Availability Settings, select Paired.
5. Select the Enable Fast Failover checkbox.
6. Type the appropriate value in the Detect link failure box.
The Detect link failure field specifies the period within which the system detects link failure after the link has failed. For fast failover configuration, this parameter is tied closely to the Poll Timeout parameter on the AP Properties tab Advanced dialog. The Poll Timeout field specifies the period for which the Wireless AP waits before re-attempting to establish a link when its polling to the primary Enterasys Wireless Controller fails.
For the fast failover feature to work within 5 seconds, the Poll Timeout value should be 1.5 to 2 times the Detect link failure value. For example, if you have set the Detect link failure value to 2 seconds, the Poll Timeout value should be set to 3 or 4 seconds.
8. Click Save.
9. Set the Wireless AP's Poll Timeout value for fast failover.
After you have configured fast failover, you can verify session availability to preserve the user session during the failover.
• Time on all the network elements, both the Enterasys Wireless Controllers in availability pair, Wireless APs, DHCP and RADIUS servers etc., is synchronized. For more information, see Configuring Network Time on page 3-42.
• Both the Enterasys Wireless Controllers in fast failover mode must be running the most recent Enterasys Wireless Convergence Software release.
• If you are using Bridge Traffic Locally at HWC topology, you must select None from the DHCP Option drop-down menu.
• The Bridge Traffic Locally at HWC must be mapped to the same VLAN on both the primary and secondary Enterasys Wireless Controllers.
2. From the Reports and Displays menu, click Wireless AP Availability. The Wireless Availability Report is displayed.
Verify Synchronization
To verify that all elements have been synchronized correctly, navigate to the VNS tab on both the primary and secondary Enterasys Wireless Controllers, and confirm that the topologies, WLAN services, policies and desired VNSs are displayed as [synchronized].
You can verify this by selecting the appropriate tabs and then inspecting the Synchronized flags or by navigating to VNS Configuration, Global, and then Sync Summary page.
11
Configuring Mobility
This chapter describes the mobility concept, including:
For information about... | Refer to page...
Mobility Overview | 11-1
Mobility Domain Topologies | 11-3
Configuring Mobility Domain | 11-4
Mobility Overview
The HiPath Wireless Controller, Access Points and Convergence Software system allows up to 12 Enterasys Wireless Controllers on a network to discover each other and exchange information about a client session. This technique enables a wireless device user to roam seamlessly between different Wireless APs on different Enterasys Wireless Controllers.
The solution introduces the concept of a mobility manager; one Enterasys Wireless Controller on the network is designated as the mobility manager and all others are designated as mobility agents.
The wireless device keeps the IP address, and the service assignments it received from its home Enterasys Wireless Controller, the Enterasys Wireless Controller that it first connected to. The WLAN Service on each Enterasys Wireless Controller must have the same SSID and RF privacy parameter settings.
You have two options for choosing the mobility manager:
• Rely on SLP with DHCP Option 78
• Define at the agent the IP address of the mobility manager. By explicitly defining the IP address, the agent and the mobility manager are able to find each other directly without using the SLP discovery mechanisms. Direct IP definition is recommended to provide tighter control of the registration steps for multi-domain installations.
If a controller configured as the mobility manager is lost, the following occurs:
• Agent-to-agent connections remain active.
• Mobility agents continue to operate based on the mobility information last coordinated before the manager link was lost. The mobility location list remains relatively unaffected by the controller failure. Only entries associated with the failed controller are cleared from the registration list, and users that have roamed from the manager controller to other agents are terminated and required to re-register as local users with the agent where they are currently located.
• The data link between active controllers remains active after the loss of a mobility manager
• Mobility agents continue to use the last set of mobility location lists to service known users
• Existing users remain in the mobility scenario, and if the users are known to the mobility domain, they continue to be able to roam between connected controllers
• New users become local at attaching controller
• Roaming to another controller resets session
The mobility network that includes all the Enterasys Wireless Controllers and the Wireless APs is called the Mobility Domain.
Note: The mobility feature is not backward compatible. This means that all the Enterasys Wireless Controllers in the mobility domain must be running the most recent Enterasys Wireless Convergence Software release.
Figure 11-1
HWC1, HWC2, HWC3, Wireless AP1, Wireless AP2 and Wireless AP3 form a Mobility Domain
HWC3 is the Mobility Manager whereas HWC1 and HWC2 are Mobility Agents
6. In the Heartbeat box, type the time interval (in seconds) at which the mobility manager sends a Heartbeat message to a mobility agent.
Note: If the mobility domain is configured for fast failover and session availability, you should configure the mobility manager's heartbeat time as one second.
10. To save your changes, click Save.
Note: If you set up one Enterasys Wireless Controller on the network as a mobility manager, all other Enterasys Wireless Controllers must be set up as mobility agents.
5. From the Port drop-down list, select the port on the Enterasys Wireless Controller to be used for the mobility agent process. Ensure that the port selected is routable on the network.
6. From the Discovery Method drop-down list, select one of the following:
• SLPD - Service Location Protocol Daemon, a background process acting as an SLP server, provides the functionality of the Directory Agent and Service Agent for SLP. Use SLP to support the discovery of siemensNET service to attempt to locate the area mobility manager controller.
• Static Configuration - You must provide the IP address of the mobility manager manually. Defining a static configuration for a mobility manager IP address bypasses SLP discovery. In the Mobility Manager Address box, type the IP address for the designated mobility manager.
7. To save your changes, click Save.
12
Working with Third-party APs
You can set up the Enterasys Wireless Controller to handle wireless device traffic from third-party APs, while still providing policy and network access control. This process requires the following steps:
For information about... | Refer to page...
Define Authentication by Captive Portal for the Third-party AP WLAN Service | 12-1
Define the Third-party APs List | 12-1
Define Filtering Rules for the Third-party APs | 12-2
The following are the differences between third-party APs and Wireless APs on the HiPath Wireless Controller, Access Points and Convergence Software system:
• A third-party AP exchanges data with the Enterasys Wireless Controller's data port using standard IP over Ethernet protocol. The third-party access points do not support the tunnelling protocol for encapsulation.
• For third-party APs, the VNS is mapped to the physical data port and this is the default gateway for mobile units supported by the third-party access points.
• An Enterasys Wireless Controller cannot directly control or manage the configuration of a third-party access point.
• Third-party APs are required to broadcast an SSID unique to their segment. This SSID cannot be used by any other VNS.
• Roaming from third-party APs to Wireless APs and vice versa is not supported.
13
Working with the Mitigator
This chapter describes Mitigator concepts, including:
For information about... | Refer to page...
Mitigator Overview | 13-1
Analysis Engine Overview | 13-2
Enabling the Analysis and Data Collector Engines | 13-2
Running Mitigator Scans | 13-4
Working with Mitigator Scan Results | 13-5
Working with Friendly APs | 13-7
Maintaining the Mitigator List of APs | 13-8
Viewing the Scanner Status Report | 13-9
Mitigator Overview
The Mitigator is a mechanism that assists in the detection of rogue APs.
Mitigator functionality on the Wireless AP does the following:
• Runs a radio frequency (RF) scanning task.
• Alternating between scan functions, providing its regular service to the wireless devices on the network.
Note: If a Wireless AP is part of a WDS link you cannot configure it to act as a scanner in Mitigator.
Note: In a network with more than one Enterasys Wireless Controller, it is not necessary for the data collector to be running on the same controller as the Analysis Engine. One controller can be a dedicated Analysis Engine while the other controllers run data collector functionality. No more than one Analysis Engine can be running at a time. You must ensure that the controllers are all routable.
The Analysis Engine looks for access points with one or more of the following conditions:
• Unknown MAC address and unknown SSID (critical alarm)
• Unknown MAC, with a valid SSID - a known SSID is being broadcast by the unknown access point (critical alarm)
• Known MAC, with an unknown SSID - a rogue may be spoofing a MAC address (critical alarm)
• Inactive Wireless AP with valid SSID (critical alarm)
• Inactive Wireless AP with unknown SSID (critical alarm)
• Known Wireless AP with an unknown SSID (major alarm)
• In ad hoc mode (major alarm)
Note: In the current release, there is no capability to initiate a DoS attack on the detected rogue access point. Containment of a detected rogue requires an inspection of the geographical location of its Scan Group area, where its RF activity has been found.
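The Analysis Engine alarm conditions listed above, applied to constructed scan observations, as an added example (it is not part of the guide and not the product's code). The data model (`KnownDevice`, `Observation`), the reading of "known MAC" as a friendly or third-party AP that the controller does not manage, and the evaluation order are assumptions.

```python
"""Added illustration of the Analysis Engine alarm conditions.
Data model, names and evaluation order are assumptions, not product code."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

CRITICAL, MAJOR = "critical", "major"
_RANK = {MAJOR: 1, CRITICAL: 2}
_MAC_RE = re.compile(r"[0-9a-f]{2}(?:[:.\-]?[0-9a-f]{2}){5}")


def normalize_mac(mac: str) -> str:
    """Return lower-case colon form so differently written MACs compare equal."""
    text = mac.strip().lower()
    if not _MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[:.\-]", "", text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class KnownDevice:
    managed: bool        # True: Wireless AP registered with a controller
    active: bool = True  # controller's view; only meaningful when managed


@dataclass(frozen=True)
class Observation:
    mac: str
    ssid: str
    ad_hoc: bool = False


def build_inventory(devices: Dict[str, KnownDevice]) -> Dict[str, KnownDevice]:
    """Key the inventory by normalized MAC."""
    return {normalize_mac(mac): dev for mac, dev in devices.items()}


def classify(obs: Observation, inventory: Dict[str, KnownDevice],
             valid_ssids: Set[str]) -> List[Tuple[str, str]]:
    """Return every (severity, reason) pair that the observation matches."""
    dev = inventory.get(normalize_mac(obs.mac))
    ssid_ok = obs.ssid in valid_ssids  # exact match, case included
    findings: List[Tuple[str, str]] = []
    if dev is None:
        reason = ("unknown MAC broadcasting a valid SSID" if ssid_ok
                  else "unknown MAC and unknown SSID")
        findings.append((CRITICAL, reason))
    elif dev.managed and not dev.active:
        reason = ("inactive Wireless AP seen with valid SSID" if ssid_ok
                  else "inactive Wireless AP seen with unknown SSID")
        findings.append((CRITICAL, reason))
    elif dev.managed and not ssid_ok:
        findings.append((MAJOR, "known Wireless AP with unknown SSID"))
    elif not dev.managed and not ssid_ok:
        findings.append((CRITICAL, "known MAC with unknown SSID (possible MAC spoofing)"))
    if obs.ad_hoc:
        findings.append((MAJOR, "ad hoc mode"))
    return findings


def worst(findings: Iterable[Tuple[str, str]]) -> Optional[str]:
    """Highest severity among the findings, or None when there are none."""
    return max((sev for sev, _ in findings), key=_RANK.__getitem__, default=None)


def report(scan: Iterable[Observation], inventory: Dict[str, KnownDevice],
           valid_ssids: Set[str]) -> List[Tuple[str, str, str, List[str]]]:
    """One row per alarming observation: (mac, ssid, severity, reasons)."""
    rows = []
    for obs in scan:
        findings = classify(obs, inventory, valid_ssids)
        if findings:
            rows.append((normalize_mac(obs.mac), obs.ssid, worst(findings),
                         [reason for _, reason in findings]))
    return rows


# Constructed sample data (locally administered MACs, made-up SSIDs).
INVENTORY = build_inventory({
    "02:00:00:00:0A:01": KnownDevice(managed=True, active=True),
    "02:00:00:00:0A:02": KnownDevice(managed=True, active=False),
    "02:00:00:00:0B:01": KnownDevice(managed=False),  # friendly AP
})
VALID_SSIDS = {"corp-wlan", "guest-wlan"}
SCAN = [
    Observation("02-00-00-00-0a-01", "corp-wlan"),
    Observation("02:00:00:00:0a:01", "free-wifi"),
    Observation("0200.0000.0a02", "corp-wlan"),
    Observation("02:00:00:00:0b:01", "corp-wlan-setup"),
    Observation("02:00:00:00:ff:99", "corp-wlan"),
    Observation("02:00:00:00:ff:98", "printer-direct", ad_hoc=True),
    Observation("02:00:00:00:0b:01", "guest-wlan", ad_hoc=True),
]

if __name__ == "__main__":
    for mac, ssid, severity, reasons in report(SCAN, INVENTORY, VALID_SSIDS):
        print(f"{severity:8} {mac} {ssid!r}: {'; '.join(reasons)}")
```
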
6. Click Add. The IP address of the Data Collection Engine, with its Poll Interval and Poll Retry parameters, is displayed in the list.
Note: For each remote RF Data Collection Engine defined here, you must do the following: Enable it by selecting the Enable Mitigator Analysis Engine checkbox on the remote Enterasys Wireless Controller. Ensure that the controllers are routable by whatever means you use (for example, static routes or OSPF).
5. To view the Rogue Summary report, click Rogue Summary. The Rogue Summary report is displayed in a pop-up window.
6. To clear all detected rogue devices from the list, click Clear Detected Rogues.
Note: To avoid the Mitigator's database becoming too large, Siemens recommends that you either delete Rogue APs or add them to the Friendly APs list, rather than leaving them in the Rogue list.
Click Add. The new access point is displayed in the list above.
4. To delete the selected APs, click Delete marked APs.
Note: The selected APs are deleted from the Mitigator database, not from the Enterasys Wireless Controller database. You can delete the APs from the Enterasys Wireless Controller database after you delete them from the Wireless AP Configuration Access Approval screen of the corresponding RF Data Collector Engine. You can also delete the selected third-party APs if they are removed from the corresponding VNS in the RF Collector Engine, or if that VNS has been deleted from the VNS list.
Red - The Analysis Engine is aware of the Data Collector and attempting connection.
If no box is displayed, the Analysis Engine is not attempting to connect with that Data Collector Engine.
Note: If the box is displayed red and remains red, ensure your IP address is correctly set up to point to an active controller. If the box remains yellow, ensure the Data Collector is running on the remote controller.
14
Working with Reports and Displays
This chapter describes the various reports and displays available in the HiPath Wireless Controller, Access Points and Convergence Software system.
For information about... | Refer to page...
Available Reports and Displays | 14-1
Viewing Reports and Displays | 14-2
Viewing the Wireless AP Availability Display | 14-3
Viewing Statistics for Wireless APs | 14-4
Viewing Load Balance Group Statistics | 14-8
Viewing the System Information and Manufacturing Information Displays | 14-10
Viewing Displays for the Mobility Manager | 14-11
Viewing Reports | 14-13
Call Detail Records (CDRs) | 14-16
Note: The Client Location in Mobility Zone and Mobility Tunnel Matrix displays only appear if you have enabled the mobility manager function for the controller.
2. In the List of Displays, click the display you want to view.
Note: Statistics are expressed in respect to the AP. Therefore, Packets Sent indicates the packets the AP has sent to a client and Packets Recd indicates the packets the AP has received from a client.
The color in the lower pane of the box represents the state of the tunnel that is established with the other Enterasys Wireless Controller.
If you open the Wireless AP Availability report on HWC2, the report will appear as follows:
You can also use the Select All and Deselect All buttons for selecting the Wireless AP on those displays.
3. In the Wired Ethernet Statistics by Wireless APs display, click a registered Wireless AP to display its information.
5. To view information on the associated clients, click View Clients. The Associated Clients display opens in a new browser window.
• Statistics are expressed in respect to the AP. Therefore, Packets Sent indicates the packets the AP has sent to a client and Packets Recd indicates the packets the AP has received from a client.
• The green check mark icon in the first column indicates that the client is authenticated.
• Time Conn is the time that a client has been on the system, not just on an AP. If the client roams from one AP to another, the session stays, therefore Time Conn does not reset.
• A client is displayed as soon as the client connects (or after a refresh of the screen). The client disappears as soon as it times out.
• The RSS (received signal strength) of a client is the average of the transmitted and received RSS on hardware platforms where both values are available.
Note: The Rx RSS value on the Mesh Statistics display represents the received signal strength (in dBm).
SBA - Surplus Bandwidth (ratio)
The statistics reported for each radio preference load balance group are:
• Members - The number of AP members
Load Control
Load balance group statistics are reported on the foreign controller when APs fail over with load groups from a different controller indicated with an (F) following the load group name.
In a client balancing/load control statistics report, the statistics reported for each client balancing load balance group are:
• Members - Number of radio members
• Clients - Total number of clients for all radio members
• Average Load - Average load for the group
The reported average load may not be correct in a failover situation. If some APs in the load balance group fail over to the foreign controller, those APs will report to the foreign controller. The member APs will continue to use the member count for the whole group, but the member count displayed on the controller will be for only those APs that are reporting. Since the member count reported on the controller is not the complete set, the average will not be consistent with what the APs are using for the state determination.
The statistics reported for each member of the load balance group are:
• AP - AP name
• Radio - Radio number
• Load - Load value (number of clients currently associated with the AP)
• State - Load state
• Probes Declined
• Auth/Assoc Requests Declined
• Rebalance Event - Clients removed because of an overloaded state
Note: In the latest models of the Enterasys Wireless Controller C2400, the IXP2800 Network Processor in the NPE Card has been replaced by the new IXP2805 Network Processor. Consequently, the Manufacturing Information in all such latest models displays CPU Type as 2805.
An Enterasys Wireless Controller is only removed from the mobility matrix if it is explicitly removed by the administrator from the Mobility permission list. If a particular link between controllers, or the controller is down, the corresponding matrix connections are identified in red color to identify the link.
The Active Clients by VNS report for the controller on which the user is home (home controller) will display the known user characteristics (IP, statistics, etc.). On the foreign controller, the Clients by VNS report does not show users that have roamed from other controllers, since the users remain associated with the home controller's VNS.
The Active Clients by AP report on each controller will show both the loading of local and foreign users (users roamed from other controllers) that are taking resources on the AP.
Note: Although you can set the screen refresh period less than 30 seconds, the screen will not be refreshed quicker than 30 seconds. The screen will be refreshed according to the value you set only if you set the value above 30 seconds.
Viewing Reports
The following reports are available in the Enterasys Wireless Controller, Access Points and Convergence Software system:
• Forwarding Table (routes defined on the Routing Protocols screens)
• OSPF Neighbor (if OSPF is enabled on the Routing Protocols screens)
• OSPF Linkstate (if OSPF is enabled on the Routing Protocols screens)
• AP Inventory (a consolidated summary of Wireless AP setup)
To View Reports:
1. From the main menu, click Reports & Displays. The Enterasys Reports & Displays screen is displayed.
2. In the Reports list, click the report you want to view.
Note: The AP Inventory report opens in a new browser window. All other reports appear in the current browser window.
The following is an example of a Forwarding Table report:
Note: If you open only automatically refreshed reports, the Web management session timer will not be updated or reset. Your session will eventually time out.
The following is an example of the Wireless AP Inventory report:
HW SW Country Antennas Telnet/SSH LBS BD Persistence P/To P/I Wired MAC Description Rdo Ra Rb
Table 14-1
Column Name Rg Rn DP BP RT FT Req Ch Ch / Tx Aj TxMn TxMx Dom MnBR MxBR MxOR RxDV TxDV Pmb PM PR PT VNS Name: MAC
11n Channel Width 11n Guard Interval 11n Channel Bonding 11n Protection Mode Failure Maintn. Assn IP Address Netmask
<ext> - File extension, either .work or .dat
Table 14-2
CDR Records
Acct-Session-ID
User-Name
Filter-ID
Acct-Interim-Interval
Session-Timeout
Class
Acct-Status-Type
Acct-Delay-Time
Acct-Authentic
Framed-IP-Address | Indicates the address to be configured for the user.
Connect-Info | This field is sent from the NAS to indicate the nature of the user's connection: 802.11b for Radio b/g or 802.11a for radio a.
NAS-Port-Type | Indicates RADIUS NAS Port Type is Wireless 802.11.
Called-Station-ID | The Wireless AP's MAC address.
Calling-Station-ID | The client's MAC address.
Siemens-AP-Serial | The Wireless AP's serial number.
Siemens-AP-Name | The Wireless AP's name.
Siemens-VNS-Name | The VNS name on which the session took place.
Siemens-SSID | The SSID name on which the session took place.
Acct-Session-Time | The number of seconds the user has received the service.
Authenticated_time | Indicates the time at which the client was authenticated. The time is in the following format: Date hh:mm:ss. For example, April 21 2008 14:50:24.
Disassociation_time | Indicates the time at which the client was disassociated from the Wireless AP. The time is in the following format: Date hh:mm:ss. For example, April 21 2008 14:57:20.
Viewing CDRs
The following is a high-level overview of how to view CDRs:
1. Back up the CDR files on the local drive of the Enterasys Wireless Controller.
2. Copy the CDR files from the Enterasys Wireless Controller to the remote server.
3. Unzip the file.
4. Download the CDR files from the remote server to view CDRs.
Note: You cannot access the CDR files directly from the CDR directory.
4. From the Select what to backup drop-down menu, click CDRs only, and then click Backup Now. The following window displays the backup status.
5. To close the window, click Close. The backed up file is displayed in the Available Backups box.
Note: The .work and .dat files are zipped into a single file.
15
Performing System Administration
This chapter describes system administration processes, including:
For information about... | Refer to page...
Performing Wireless AP Client Management | 15-1
Defining Enterasys Wireless Assistant Administrators and Login Groups | 15-5
Disassociating a Client
In addition to the procedure below, you can also disassociate wireless users directly from the Active Clients by VNS screen. For more information, see Chapter 14, Working with Reports and Displays.
3. In the Select AP list, click the AP that is connected to the client that you want to disassociate.
4. In the Select Client(s) list, select the checkbox next to the client you want to disassociate.
Note: You can search for a client by MAC Address, IP Address or User ID, by selecting the search parameters from the drop-down lists and typing a search string in the Search box and clicking Search. You can also use the Select All or Clear All buttons to help you select multiple clients.
5. Click Disassociate. The client's session terminates immediately.
Blacklisting a Client
The Blacklist tab displays the current list of MAC addresses that are not allowed to associate. A client is added to the blacklist by selecting it from a list of associated APs or by typing its MAC address.
5. Click Add to Blacklist. The selected wireless client's MAC address is added to the blacklist.
6. To save your changes, click Save.
6. To save your changes, click Save.
5. Click the file, and then click Import. The list of MAC addresses is imported.
3. In the Group drop-down list, click one of the following:
• Full Administrator - Users assigned to this login group have full administrator access rights on the Enterasys Wireless Controller. Full administrators can manage GuestPortal user accounts.
• Read-only Administrator - Users assigned to this login group have read-only access rights on the Enterasys Wireless Controller. Read-only administrators have read access to the GuestPortal user accounts.
• GuestPortal Manager - Users assigned to this login group can only manage GuestPortal user accounts. Any user who logs on to the Enterasys Wireless Controller and is assigned to this group can only access the GuestPortal Guest Administration page of the Enterasys Wireless Assistant. For more information, see Working with GuestPortal Administration on page 16-1.
16
Working with GuestPortal Administration
This chapter describes GuestPortal administration, including:
For information about... | Refer to page...
About GuestPortals | 16-1
Adding New Guest Accounts | 16-2
Enabling or Disabling Guest Accounts | 16-4
Editing Guest Accounts | 16-5
Removing Guest Accounts | 16-6
Importing and Exporting a Guest File | 16-7
Viewing and Printing a GuestPortal Account Ticket | 16-9
Working with the GuestPortal Ticket Page | 16-11
Configuring Web Session Timeouts | 16-12
About GuestPortals
A GuestPortal provides wireless device users with temporary guest network services. A GuestPortal is serviced by a GuestPortal-dedicated VNS. The GuestPortal-dedicated VNS is configured by an administrator with full administrator access rights. For more information, see Creating a GuestPortal VNS on page 7-35.
A GuestPortal administrator is assigned to the GuestPortal Manager login group and can only create and manage guest user accounts; a GuestPortal administrator cannot access any other area of the Enterasys Wireless Assistant. For more information, see Defining Enterasys Wireless Assistant Administrators and Login Groups on page 15-5.
From the GuestPortal Guest Administration page of the Enterasys Wireless Assistant, you can add, edit, configure, and import and export guest accounts.
2. In the Account Management section, click Add Guest Account. The Add Guest User screen is displayed.
3. To enable the new guest account, select the Enabled checkbox. For more information, see Enabling or Disabling Guest Accounts on page 16-4.
4. In the Credentials section, do the following:
• User Name - Type a user name for the person who will use this guest account.
• User ID - Type a user ID for the person who will use this guest account. The default user ID can be edited.
• Password - Type a password for the person who will use this guest account. The default password can be edited. Toggle between Mask/Unmask to hide or see the password.
• Description - Type a brief description for the new guest account.
7. To save your changes, click OK.
The GuestPortal Guest Administration screen is displayed.
The GuestPortal Guest Administration screen is displayed.
3. Click Print. The Print dialog is displayed.
4. Click Print.
Note: The default GuestPortal ticket page uses placeholder tags. For more information, see Appendix C, Default GuestPortal Source Code
A
Glossary
For information about... | Refer to page...
Networking Terms and Abbreviations | A-1
Controller, Access Points and Convergence Software Terms and Abbreviations | A-14
ARP
Association
Term | Explanation
asynchronous | Asynchronous transmission mode (ATM). A start/stop transmission in which each character is preceded by a start signal and followed by one or more stop signals. A variable time interval can exist between characters. ATM is the preferred technology for the transfer of images.
Basic Service Set. A wireless topology consisting of one Access Point connected to a wired network and a set of wireless devices. Also called an infrastructure network. See also IBSS.
A browser-based authentication mechanism that forces unauthenticated users to a Web page. Sometimes called a reverse firewall.
Call Data (Detail) Record. In Internet telephony, a call detail record is a data record that contains information related to a telephone call, such as the origination and destination addresses of the call, the time the call started and ended, the duration of the call, the time of day the call was made and any toll charges that were added through the network or charges for operator services, among other details of the call. In essence, call accounting is a database application that processes call data from your switch (PBX, iPBX, or key system) via a CDR (call detail record) or SMDR (station message detail record) port. The call data record details your system's incoming and outgoing calls by thresholds, including time of call, duration of call, dialing extension, and number dialed. Call data is stored in a PC database.
CHAP | Challenge-Handshake Authentication Protocol. One of the two main authentication protocols used to verify a user's name and password for PPP Internet connections. CHAP is more secure than PAP because it performs a three-way handshake during the initial link establishment between the home and remote machines. It can also repeat the authentication anytime after the link has been established.
CLI | Command Line Interface.
Collision | Two Ethernet packets attempting to use the medium simultaneously. Ethernet is a shared media, so there are rules for sending packets of data to avoid conflicts and protect data integrity. When two nodes at different locations attempt to send data at the same time, a collision will result. Segmenting the network with bridges or switches is one way of reducing collisions in an overcrowded network.
Datagram | A datagram is a self-contained, independent entity of data carrying sufficient information to be routed from the source to the destination computer without reliance on earlier exchanges between this source and destination computer and the transporting network. (RFC1594). The term has been generally replaced by the term packet. Datagrams or packets are the message units that the Internet Protocol deals with and that the Internet transports.
An abbreviation for the power ratio in decibels (dB) of the measured power referenced to one milliwatt.
See tunnelling.
A specialized, network-based hardware device designed to perform a single or specialized set of server functions. Print servers, terminal servers, remote access servers and network time servers are examples of device servers.
DHCP: Dynamic Host Configuration Protocol. A protocol for assigning dynamic IP addresses to devices on a network. With dynamic addressing, a device can have a different IP address every time it connects to the network. In some systems, the device's IP address can even change while it is still connected. DHCP also supports a mix of static and dynamic IP addresses. DHCP consists of two components: a protocol for delivering host-specific configuration parameters from a DHCP server to a host and a mechanism for allocation of network addresses to hosts. (IETF RFC1531.) Option 78 specifies the location of one or more SLP Directory Agents. Option 79 specifies the list of scopes that a SLP Agent is configured to use. (RFC2610 - DHCP Options for Service Location Protocol)
A method of organizing and locating the resources (such as printers, disk drives, databases, e-mail directories, and schedulers) in a network. Using SLP, networking applications can discover the existence, location and configuration of networked devices. With Service Location Protocol, client applications are 'User Agents' and services are advertised by 'Service Agents'. The User Agent issues a multicast 'Service Request' (SrvRqst) on behalf of the client application, specifying the services required. The User Agent will receive a Service Reply (SrvRply) specifying the location of all services in the network which satisfy the request. For larger networks, a third entity, called a 'Directory Agent', receives registrations from all available Service Agents. A User Agent sends a unicast request for services to a Directory Agent (if there is one) rather than to a Service Agent. (SLP version 2, RFC2608, updating RFC2165)
The AP has two antennae. Receive diversity refers to the ability of the AP to provide better service to a device by receiving from the user on whichever of the two antennae is receiving the cleanest signal. Transmit diversity refers to the ability of the AP to use its two antennae to transmit on a specific antenna only, or on alternate antennae. The antennae are called diversity antennae because of this capability of the pair.
DNS: Domain Name Server.
DSSS: Direct-Sequence Spread Spectrum. A transmission technology used in Local Area Wireless Network (LAWN) transmissions where a data signal at the sending station is combined with a higher data rate bit sequence, or chipping code, that divides the user data according to a spreading ratio. The chipping code is a redundant bit pattern for each bit that is transmitted, which increases the signal's resistance to interference. If one or more bits in the pattern are damaged during transmission, the original data can be recovered due to the redundancy of the transmission. (Compare FHSS)
DTIM: Delivery traffic indication message (in 802.11 standard).
The IEEE introduced the concept of user-based authentication using per-user encryption keys to solve the scalability issues that surrounded static WEP. This resulted in the 802.1x standard, which makes use of the IETF's Extensible Authentication Protocol (EAP), which was originally designed for user authentication in dial-up networks. The 802.1x standard supplemented the EAP protocol with a mechanism to send an encryption key to a Wireless AP. These encryption keys are used as dynamic WEP keys, allowing traffic to each individual user to be encrypted using a separate key.
Enterasys Wireless Controller, Access Points, and Convergence Software User Guide
EAP-TLS: Extensible Authentication Protocol - Transport Layer Security. A general protocol for authentication that also supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, public key authentication and smart cards. IEEE 802.1x specifies how EAP should be encapsulated in LAN frames. In wireless communications using EAP, a user requests connection to a WLAN through an access point, which then requests the identity of the user and transmits that identity to an authentication server such as RADIUS. The server asks the access point for proof of identity, which the access point gets from the user and then sends back to the server to complete the authentication. EAP-TLS provides for certificate-based and mutual authentication of the client and the network. It relies on client-side and server-side certificates to perform authentication and can be used to dynamically generate user-based and session-based WEP keys. EAP-TTLS (Tunneled Transport Layer Security) is an extension of EAP-TLS to provide certificate-based, mutual authentication of the client and network through an encrypted tunnel, as well as to generate dynamic, per-user, per-session WEP keys. Unlike EAP-TLS, EAP-TTLS requires only server-side certificates. (See also PEAP)
ELA (OPSEC): Event Logging API (Application Program Interface) for OPSEC, a module in Check Point used to enable third-party applications to log events into the Check Point VPN-1/FireWall-1 management system.
Encapsulation: See tunnelling.
ESS: Extended Service Set (ESS). Several Basic Service Sets (BSSs) can be joined together to form one logical WLAN segment, referred to as an extended service set (ESS). The SSID is used to identify the ESS. (See BSS and SSID.)
FHSS: Frequency-Hopping Spread Spectrum. A transmission technology used in Local Area Wireless Network (LAWN) transmissions where the data signal is modulated with a narrowband carrier signal that hops in a random but predictable sequence from frequency to frequency as a function of time over a wide band of frequencies. This technique reduces interference. If synchronized properly, a single logical channel is maintained. (Compare DSSS)
A thin AP architecture uses two components: an access point that is essentially a stripped-down radio and a centralized management controller that handles the other WLAN system functions. Wired network switches are also required. A fit AP, a variation of the thin AP, handles the RF and encryption, while the central management controller, aware of the wireless users' identities and locations, handles secure roaming, quality of service, and user authentication. The central management controller also handles AP configuration and management. A fat (or thick) AP architecture concentrates all the WLAN intelligence in the access point. The AP handles the radio frequency (RF) communication, as well as authenticating users, encrypting communications, secure roaming, WLAN management, and in some cases, network routing.
FQDN: Fully Qualified Domain Name. A friendly designation of a computer, of the general form computer.[subnetwork.].organization.domain. The FQDN names must be translated into an IP address in order for the resource to be found on a network, usually performed by a Domain Name Server.
Forwarding Table Manager.
File Transfer Protocol.
In the wireless world, an access point with additional software capabilities such as providing NAT and DHCP. Gateways may also provide VPN support, roaming, firewalls, various levels of security, etc.
The high data rate of the Ethernet standard, supporting data rates of 1 gigabit (1,000 megabits) per second.
Graphical User Interface.
A heartbeat message is a UDP data packet used to monitor a data connection, polling to see if the connection is still alive. In general terms, a heartbeat is a signal emitted at regular intervals by software to demonstrate that it is still alive. In networking, a heartbeat is the signal emitted by a Level 2 Ethernet transceiver at the end of every packet to show that the collision-detection circuit is still connected.
Host: (1) A computer (usually containing data) that is accessed by a user working on a remote terminal, connected by modems and telephone lines. (2) A computer that is connected to a TCP/IP network, including the Internet. Each host has a unique IP address.
HTTP: Hypertext Transfer Protocol is the set of rules for transferring files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web. A Web browser makes use of HTTP. HTTP is an application protocol that runs on top of the TCP/IP suite of protocols. (RFC2616: Hypertext Transfer Protocol -- HTTP/1.1)
HTTPS: Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL, is a Web protocol that encrypts and decrypts user page requests as well as the pages that are returned by the Web server. HTTPS uses Secure Socket Layer (SSL) as a sublayer under its regular HTTP application layering. (HTTPS uses port 443 instead of HTTP port 80 in its interactions with the lower layer, TCP/IP.) SSL uses a 40-bit key size for the RC4 stream encryption algorithm, which is considered an adequate degree of encryption for commercial exchange.
IBSS: Independent Basic Service Set. See BSS. An IBSS is the 802.11 term for an adhoc network. See adhoc network.
ICMP: Internet Control Message Protocol, an extension to the Internet Protocol (IP) defined by RFC792. ICMP supports packets containing error, control, and informational messages. The PING command, for example, uses ICMP to test an Internet connection.
ICV (Integrity Check Value) is a 4-byte code appended in standard WEP to the 802.11 message. Enhanced WPA inserts an 8-byte MIC just before the ICV. (See WPA and MIC)
Internet Explorer.
Institute of Electrical and Electronics Engineers, a technical professional association, involved in standards activities.
Internet Engineering Task Force, the main standards organization for the Internet.
An 802.11 networking framework in which devices communicate with each other by first going through an Access Point (AP). In infrastructure mode, wireless devices can communicate with each other or can communicate with a wired network. (See ad-hoc mode and BSS.)
Internet or IP telephony: IP or Internet telephony are communications, such as voice, facsimile, voice-messaging applications, that are transported over the Internet, rather than the public switched telephone network (PSTN). IP telephony is the two-way transmission of audio over a packet-switched IP network (TCP/IP network). An Internet telephone call has two steps: (1) converting the analog voice signal to digital format, (2) translating the signal into Internet protocol (IP) packets for transmission over the Internet. At the receiving end, the steps are reversed. Over the public Internet, voice quality varies considerably. Protocols that support Quality of Service (QoS) are being implemented to improve this.
IP: Internet Protocol is the method or protocol by which data is sent from one computer to another on the Internet. Each computer (host) on the Internet has at least one IP address that uniquely identifies it. Internet Protocol specifies the format of packets, also called datagrams, and the addressing scheme. Most networks combine IP with a higher-level protocol called Transmission Control Protocol (TCP), which establishes a virtual connection between a destination and a source.
IPC: Interprocess Communication. A capability supported by some operating systems that allows one process to communicate with another process. The processes can be running on the same computer or on different computers connected through a network.
Internet Protocol security (IPSec). Internet Protocol security Encapsulating Security Payload (IPsec-ESP). The encapsulating security payload (ESP) encapsulates its data, enabling it to protect data that follows in the datagram. Internet Protocol security Authentication Header (IPsec-AH). AH protects the parts of the IP datagram that can be predicted by the sender as it will be received by the receiver. IPsec is a set of protocols developed by the IETF to support secure exchange of packets at the IP layer. IPsec has been deployed widely to implement Virtual Private Networks (VPNs). IPsec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet. For IPsec to work, the sending and receiving devices must share a public key. This is accomplished through a protocol known as Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows the receiver to obtain a public key and authenticate the sender using digital certificates.
isochronous: Isochronous data is data (such as voice or video) that requires a constant transmission rate, where data must be delivered within certain time constraints. For example, multimedia streams require an isochronous transport mechanism to ensure that data is delivered as fast as it is displayed and to ensure that the audio is synchronized with the video. Compare: asynchronous processes in which data streams can be broken by random intervals, and synchronous processes, in which data streams can be delivered only at specific intervals.
ISP: Internet Service Provider.
IV (Initialization Vector), part of the standard WEP encryption mechanism that concatenates a shared secret key with a randomly generated 24-bit initialization vector. WPA with TKIP uses 48-bit IVs, an enhancement that significantly increases the difficulty in cracking the encryption. (See WPA and TKIP)
Local Area Network.
Link State Advertisements received by the currently running OSPF process. The LSAs describe the local state of a router or network, including the state of the router's interfaces and adjacencies. See also OSPF.
MAC: Media Access Control layer. One of two sublayers that make up the Data Link Layer of the OSI model. The MAC layer is responsible for moving data packets to and from one Network Interface Card (NIC) to another across a shared channel.
Media Access Control address. A hardware address that uniquely identifies each node of a network.
Management Information Base is a formal description of a set of network objects that can be managed using the Simple Network Management Protocol (SNMP). The format of the MIB is defined as part of the SNMP. A MIB is a collection of definitions defining the properties of a managed object within a device. Every managed device keeps a database of values for each of the definitions written in the MIB. Definition of the MIB conforms to RFC1155 (Structure of Management Information).
MIC: Message Integrity Check or Code (MIC), also called Michael, is part of WPA and TKIP. The MIC is an additional 8-byte code inserted before the standard 4-byte integrity check value (ICV) that is appended by standard WEP to the 802.11 message. This greatly increases the difficulty in carrying out forgery attacks. Both integrity check mechanisms are calculated by the receiver and compared against the values sent by the sender in the frame. If the values match, there is assurance that the message has not been tampered with. (See WPA, TKIP and ICV).
MTU: Maximum Transmission Unit. The largest packet size, measured in bytes, that a network interface is configured to accept. Any messages larger than the MTU are divided into smaller packets before being sent.
Mobile Unit, a wireless device such as a PC laptop.
Multicast: transmitting a single message to a select group of recipients. Broadcast: sending a message to everyone connected to a network. Unicast: communication over a network between a single sender and a single receiver.
NAS: Network Access Server, a server responsible for passing information to designated RADIUS servers and then acting on the response returned. A NAS-Identifier is a RADIUS attribute identifying the NAS server. (RFC2138)
NAT: Network Address Translator. A network capability that enables a group of computers to dynamically share a single incoming IP address. NAT takes the single incoming IP address and creates new IP address for each client computer on the network.
Netmask: In administering Internet sites, a netmask is a string of 0's and 1's that mask or screen out the network part of an IP address, so that only the host computer part of the address remains. A frequently-used netmask is 255.255.255.0, used for a Class C subnet (one with up to 255 host computers). The .0 in the 255.255.255.0 netmask allows the specific host computer address to be visible.
NIC: Network Interface Card. An expansion board in a computer that connects the computer to a network.
NMS: Network Management System. The system responsible for managing a network or a portion of a network. The NMS talks to network management agents, which reside in the managed nodes.
NTP: Network Time Protocol, an Internet standard protocol (built on top of TCP/IP) that assures accurate synchronization to the millisecond of computer clock times in a network of computers. Based on UTC, NTP synchronizes client workstation clocks to the U.S. Naval Observatory Master Clocks in Washington, DC and Colorado Springs CO. Running as a continuous background client program on a computer, NTP sends periodic time requests to servers, obtaining server time stamps and using them to adjust the client's clock. (RFC1305)
OFDM: Orthogonal frequency division multiplexing, a method of digital modulation in which a signal is split into several narrowband channels at different frequencies. OFDM is similar to conventional frequency division multiplexing (FDM). The difference lies in the way in which the signals are modulated and demodulated. Priority is given to minimizing the interference, or crosstalk, among the channels and symbols comprising the data stream. Less importance is placed on perfecting individual channels. OFDM is used in European digital audio broadcast services. It is also used in wireless local area networks.
OID: Object Identifier.
OPSEC: OPSEC (Open Platform for Security) is a security alliance program created by Check Point to enable an open industry-wide framework for interoperability of security products and applications. Products carrying the Secured by Check Point seal have been tested to guarantee integration and interoperability.
OS: Operating system.
OSI: Open System Interconnection. An ISO standard for worldwide communications that defines a networking framework for implementing protocols in seven layers. Control is passed from one layer to the next, starting at the application layer in one station, down through the presentation, session, transport, network, data link layer to the physical layer at the bottom, over the channel to the next station and back up the hierarchy.
OSI Layer 2: At the Data Link layer (OSI Layer 2), data packets are encoded and decoded into bits. The data link layer has two sublayers: the Logical Link Control (LLC) layer controls frame synchronization, flow control and error checking. The Media Access Control (MAC) layer controls how a computer on the network gains access to the data and permission to transmit it.
OSI Layer 3: The Network layer (OSI Layer 3) provides switching and routing technologies, creating logical paths, known as virtual circuits, for transmitting data from node to node. Routing and forwarding are functions of this layer, as well as addressing, internetworking, error handling, congestion control and packet sequencing.
OSPF: Open Shortest Path First, an interior gateway routing protocol developed for IP networks based on the shortest path first or link-state algorithm. Routers use link-state algorithms to send routing information to all nodes in an internetwork by calculating the shortest path to each node based on a topography of the Internet constructed by each node. Each router sends that portion of the routing table (keeps track of routes to particular network destinations) that describes the state of its own links, and it also sends the complete routing structure (topography). Using OSPF, a host that obtains a change to a routing table or detects a change in the network immediately multicasts the information to all other hosts in the network so that all will have the same routing table information. The host using OSPF sends only the part that has changed, and only when a change has taken place. (RFC2328)
OUI: Organizationally Unique Identifier (used in MAC addressing).
Packet: The unit of data that is routed between an origin and a destination on the Internet or any other packet-switched network. When any file is sent from one place to another on the Internet, the Transmission Control Protocol (TCP) layer of TCP/IP divides the file into packets. Each packet is separately numbered and includes the Internet address of the destination. The individual packets for a given file may travel different routes through the Internet. When they have all arrived, they are reassembled into the original file (by the TCP layer at the receiving end).
PAP: Password Authentication Protocol is the most basic form of authentication, in which a user's name and password are transmitted over a network and compared to a table of name-password pairs. Typically, the passwords stored in the table are encrypted. (See CHAP).
PDU: Protocol Data Unit. A data object exchanged by protocol machines (such as management stations, SMUX peers, and SNMP agents) and consisting of both protocol control information and user data. PDU is sometimes used as a synonym for 'packet'.
PEAP: PEAP (Protected Extensible Authentication Protocol) is an IETF draft standard to authenticate wireless LAN clients without requiring them to have certificates. In PEAP authentication, first the user authenticates the authentication server, then the authentication server authenticates the user. If the first phase is successful, the user is then authenticated over the SSL tunnel created in phase one using EAP-Generic Token Card (EAP-GTC) or Microsoft Challenged Handshake Protocol Version 2 (MSCHAP V2). (See also EAP-TLS).
Hypertext Preprocessor.
Public Key Infrastructure.
Power over Ethernet. The Power over Ethernet standard (802.3af) defines how power can be provided to network devices over existing Ethernet connection, eliminating the need for additional external power supplies.
POST: Power On Self Test, a diagnostic testing sequence performed by a computer to determine if its hardware elements are present and powered on. If so, the computer begins its boot sequence.
push-to-talk (PTT): The push-to-talk (PTT) is a feature on wireless telephones that allows them to operate like a walkie-talkie in a group, instead of standard telephone operation. The PTT feature requires that the network be configured to allow multicast traffic. A PTT call is initiated by selecting a channel and pressing the talk key on the wireless telephone. All wireless telephones on the same network that are monitoring the channel will hear the transmission. On a PTT call you hold the button to talk and release it to listen.
QoS: Quality of Service. A term for a number of techniques that intelligently match the needs of specific applications to the network resources available, using such technologies as Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP-routed networks. QoS features provide better network service by supporting dedicated bandwidth, improving loss characteristics, avoiding and managing network congestion, shaping network traffic, setting traffic priorities across the network. Quality-of-Service (QoS): A set of service requirements to be met by the network while transporting a flow. (RFC2386)
RADIUS: Remote Authentication Dial-In User Service. An authentication and accounting system that checks User Name and Password and authorizes access to a network. The RADIUS specification is maintained by a working group of the IETF (RFC2865 RADIUS, RFC2866 RADIUS Accounting, RFC2868 RADIUS Attributes for Tunnel Protocol Support).
RF: Radio Frequency, a frequency in the electromagnetic spectrum associated with radio wave propagation. When an RF current is supplied to an antenna, an electromagnetic field is created that can propagate through space. These frequencies in the electromagnetic spectrum range from Ultra-low frequency (ULF) -- 0-3 Hz to Extremely high frequency (EHF) -- 30 GHz - 300 GHz. The middle ranges are: Low frequency (LF) -- 30 kHz - 300 kHz, Medium frequency (MF) -- 300 kHz - 3 MHz, High frequency (HF) -- 3 MHz - 30 MHz, Very high frequency (VHF) -- 30 MHz - 300 MHz, Ultra-high frequency (UHF) -- 300 MHz - 3 GHz.
RFC: Request for Comments, a series of notes about the Internet, submitted to the Internet Engineering Task Force (IETF) and designated by an RFC number, that may evolve into an Internet standard. The RFCs are catalogued and maintained on the IETF RFC website: www.ietf.org/rfc.html.
Roaming: In 802.11, roaming occurs when a wireless device (a station) moves from one Access Point to another (or BSS to another) in the same Extended Service Set (ESS), identified by its SSID.
RP-SMA: Reverse Polarity-Subminiature version A, a type of connector used with wireless antennas.
RSN: Robust Security Network. A new standard within IEEE 802.11 to provide security and privacy mechanisms. The RSN (and related TSN) both specify IEEE 802.1x authentication with Extensible Authentication Protocol (EAP).
RSSI: Received signal strength indication (in 802.11 standard).
RTS: Request to send. CTS: Clear to send (in 802.11 standard).
In Ethernet networks, a section of a network that is bounded by bridges, routers or switches. Dividing a LAN segment into multiple smaller segments is one of the most common ways of increasing available bandwidth on the LAN.
SLP: Service Location Protocol. A method of organizing and locating the resources (such as printers, disk drives, databases, e-mail directories, and schedulers) in a network. Using SLP, networking applications can discover the existence, location and configuration of networked devices. With Service Location Protocol, client applications are 'User Agents' and services are advertised by 'Service Agents'. The User Agent issues a multicast 'Service Request' (SrvRqst) on behalf of the client application, specifying the services required. The User Agent will receive a Service Reply (SrvRply) specifying the location of all services in the network which satisfy the request. For larger networks, a third entity, called a 'Directory Agent', receives registrations from all available Service Agents. A User Agent sends a unicast request for services to a Directory Agent (if there is one) rather than to a Service Agent. (SLP version 2, RFC2608, updating RFC2165)
SMI: Structure of Management Information. A hierarchical tree structure for information that underlies Management Information Bases (MIBs), and is used by the SNMP protocol. Defined in RFC1155 and RFC1442 (SNMPv2).
SMT (802.11): Station ManagemenT. The object class in the 802.11 MIB that provides the necessary support at the station to manage the processes in the station such that the station may work cooperatively as a part of an IEEE 802.11 network. The four branches of the 802.11 MIB are:
dot11smt - objects related to station management and local configuration
dot11mac - objects that report/configure on the status of various MAC parameters
dot11res - objects that describe available resources
dot11phy - objects that report on various physical items
SNMP: Simple Network Management Protocol. A set of protocols for managing complex networks. SNMP works by sending messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters. SNMP includes a limited set of management commands and responses. The management system issues Get, GetNext and Set messages to retrieve single or multiple object variables or to establish the value of a single variable. The managed agent sends a Response message to complete the Get, GetNext or Set.
SNMP trap: An event notification sent by the SNMP managed agent to the management system to identify the occurrence of conditions (such as a threshold that exceeds a predetermined value).
SSH: Secure Shell, sometimes known as Secure Socket Shell, is a Unix-based command interface and protocol for securely getting access to a remote computer. SSH is a suite of three utilities - slogin, ssh, and scp - secure versions of the earlier UNIX utilities, rlogin, rsh, and rcp. With SSH commands, both ends of the client/server connection are authenticated using a digital certificate, and passwords are protected by being encrypted.
SSID: Service Set Identifier. A 32-character unique identifier attached to the header of packets sent over a Wireless LAN that acts as a password when a wireless device tries to connect to the Basic Service Set (BSS). Several BSSs can be joined together to form one logical WLAN segment, referred to as an extended service set (ESS). The SSID is used to identify the ESS. In 802.11 networks, each Access Point advertises its presence several times per second by broadcasting beacon frames that carry the ESS name (SSID). Stations discover APs by listening for beacons, or by sending probe frames to search for an AP with a desired SSID. When the station locates an appropriately-named Access Point, it sends an associate request frame containing the desired SSID. The AP replies with an associate response frame, also containing the SSID. Some APs can be configured to send a zero-length broadcast SSID in beacon frames instead of sending their actual SSID. The AP must return its actual SSID in the probe response.
SSL: Secure Sockets Layer. A protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a public key to encrypt data that's transferred over the SSL connection. URLs that require an SSL connection start with https: instead of http. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers. The sockets part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network or between program layers in the same computer. SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate. SSL has recently been succeeded by Transport Layer Security (TLS), which is based on SSL.
(See netmask)
Portions of networks that share the same common address format. A subnet in a TCP/IP network uses the same first three sets of numbers (such as 198.63.45.xxx), leaving the fourth set to identify devices on the subnet. A subnet can be used to increase the bandwidth on the network by breaking the network up into segments.
SVP: SpectraLink Voice Protocol, a protocol developed by SpectraLink to be implemented on access points to facilitate voice prioritization over an 802.11 wireless LAN that will carry voice packets from SpectraLink wireless telephones.
Switch: In networks, a device that filters and forwards packets between LAN segments. Switches operate at the data link layer (layer 2) and sometimes the network layer (layer 3) of the OSI Reference Model and therefore support any packet protocol. LANs that use switches to join segments are called switched LANs or, in the case of Ethernet networks, switched Ethernet LANs.
syslog: A protocol used for the transmission of event notification messages across networks, originally developed on the University of California Berkeley Software Distribution (BSD) TCP/IP system implementations, and now embedded in many other operating systems and networked devices. A device generates a message, a relay receives and forwards the messages, and a collector (a syslog server) receives the messages without relaying them. Syslog uses the user datagram protocol (UDP) as its underlying transport layer mechanism. The UDP port that has been assigned to syslog is 514. (RFC3164)
TCP / IP: Transmission Control Protocol. TCP, together with IP (Internet Protocol), is the basic communication language or protocol of the Internet. Transmission Control Protocol manages the assembling of a message or file into smaller packets that are transmitted over the Internet and received by a TCP layer that reassembles the packets into the original message. Internet Protocol handles the address part of each packet so that it gets to the right destination. TCP/IP uses the client/server model of communication in which a computer user (a client) requests and is provided a service (such as sending a Web page) by another computer (a server) in the network.
TFTP: Trivial File Transfer Protocol. An Internet software utility for transferring files that is simpler to use than the File Transfer Protocol (FTP) but less capable. It is used where user authentication and directory visibility are not required. TFTP uses the User Datagram Protocol (UDP) rather than the Transmission Control Protocol (TCP). TFTP is described formally in Request for Comments (RFC) 1350.
TKIP: Temporal Key Integrity Protocol (TKIP) is an enhancement to the WEP encryption technique that uses a set of algorithms that rotates the session keys. TKIP's enhanced encryption includes a per-packet key mixing function, a message integrity check (MIC), an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. The encryption keys are changed (rekeyed) automatically and authenticated between devices after the rekey interval (either a specified period of time, or after a specified number of packets has been transmitted).
TLS: Transport Layer Security. (See EAP, Extensible Authentication Protocol)
Enterasys Wireless Controller, Access Points, and Convergence Software User Guide
ToS / DSCP
ToS (Type of Service) / DSCP (Diffserv Codepoint). The ToS/DSCP field contained in the IP header of a frame is used by applications to indicate the priority and Quality of Service (QoS) for each frame. The level of service is determined by a set of service parameters which provide a three-way trade-off between low delay, high reliability, and high throughput. The use of service parameters may increase the cost of service.
TSN
Transition Security Network. A subset of Robust Security Network (RSN), which provides an enhanced security solution for legacy hardware. The Wi-Fi Alliance has adopted a solution called Wireless Protected Access (WPA), based on TSN. RSN and TSN both specify IEEE 802.1x authentication with Extensible Authentication Protocol (EAP).
Tunnelling
Tunnelling (or encapsulation) is a technology that enables one network to send its data via another network's connections. Tunnelling works by encapsulating packets of a network protocol within packets carried by the second network. The receiving device then decapsulates the packets and forwards them in their original format.
UDP
User Datagram Protocol. A connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery services, offering instead a direct way to send and receive packets over an IP network. It is used primarily for broadcasting messages over a network.
U-NII
Unlicensed National Information Infrastructure. Designated to provide short-range, high-speed wireless networking communication at low cost, U-NII consists of three frequency bands of 100 MHz each in the 5 GHz band: 5.15-5.25 GHz (for indoor use only), 5.25-5.35 GHz and 5.725-5.825 GHz. The three frequency bands were set aside by the FCC in 1997 initially to help schools connect to the Internet without the need for hard wiring. U-NII devices do not require licensing.
URL
Uniform Resource Locator. The unique global address of resources or files on the World Wide Web. The URL contains the name of the protocol to be used to access the file resource, the IP address or the domain name of the computer where the resource is located, and a pathname, a hierarchical description that specifies the location of a file in that computer.
VLAN
Virtual Local Area Network. A network of computers that behave as if they are connected to the same wire when they may be physically located on different segments of a LAN. VLANs are configured through software rather than hardware, which makes them extremely flexible. When a computer is physically moved to another location, it can stay on the same VLAN without any hardware reconfiguration. The standard is defined in IEEE 802.1Q - Virtual LANs, which states that 'IEEE 802 Local Area Networks (LANs) of all types may be connected together with Media Access Control (MAC) Bridges, as specified in ISO/IEC 15802-3. This standard defines the operation of Virtual LAN (VLAN) Bridges that permit the definition, operation and administration of Virtual LAN topologies within a Bridged LAN infrastructure.'
VNS
Virtual Network Services (VNS). A Siemens-specific technique that provides a means of mapping wireless networks to a wired topology.
VoIP
Voice Over Internet Protocol. An internet telephony technique. With VoIP, a voice transmission is cut into multiple packets, takes the most efficient path along the Internet and is reassembled when it reaches the destination.
VPN
Virtual Private Network. A private network that is constructed by using public wires to connect nodes. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.
VSA
Vendor Specific Attribute, an attribute for a RADIUS server defined by the manufacturer (compared to the RADIUS attributes defined in the original RADIUS protocol RFC2865). A VSA attribute is defined in order that it can be returned from the RADIUS server in the Access Granted packet to the RADIUS client.
Walled Garden
A restricted subset of network content that wireless devices can access.
WEP
Wired Equivalent Privacy. A security protocol for wireless local area networks (WLANs) defined in the 802.11b standard. WEP aims to provide security by encrypting data over radio waves so that it is protected as it is transmitted from one end point to another.
Wi-Fi
Wireless fidelity. A term referring to any type of 802.11 network, whether 802.11b, 802.11a, dual-band, etc. Used in reference to the Wi-Fi Alliance, a nonprofit international association formed in 1999 to certify interoperability of wireless Local Area Network products based on IEEE 802.11 specification.
WINS
Windows Internet Naming Service. A system that determines the IP address associated with a particular network computer, called name resolution. WINS supports network client and server computers running Windows and can provide name resolution for other computers with special arrangements. WINS supports dynamic addressing (DHCP) by maintaining a distributed database that is automatically updated with the names of computers currently available and the IP address assigned to each one. DNS is an alternative system for name resolution suitable for network computers with fixed IP addresses.
WLAN
Wireless Local Area Network.
WMM
Wi-Fi Multimedia (WMM), a Wi-Fi Alliance certified standard that provides multimedia enhancements for Wi-Fi networks that improve the user experience for audio, video, and voice applications. This standard is compliant with the IEEE 802.11e Quality of Service (QoS) extensions for 802.11 networks. WMM provides prioritized media access by shortening the time between transmitting packets for higher priority traffic. WMM is based on the Enhanced Distributed Channel Access (EDCA) method.
WPA
Wireless Protected Access, or Wi-Fi Protected Access, is a security solution adopted by the Wi-Fi Alliance that adds authentication to WEP's basic encryption. For authentication, WPA specifies IEEE 802.1x authentication with Extensible Authentication Protocol (EAP). For encryption, WPA uses the Temporal Key Integrity Protocol (TKIP) mechanism, which shares a starting key between devices, and then changes their encryption key for every packet. Certificate Authentication (CA) can also be used. Also part of the encryption mechanism are 802.1x for dynamic key distribution and Message Integrity Check (MIC) a.k.a. Michael. WPA requires that all computers and devices have WPA software.
WPA-PSK
Wi-Fi Protected Access with Pre-Shared Key, a special mode of WPA for users without an enterprise authentication server. Instead, for authentication, a Pre-Shared Key is used. The PSK is a shared secret (passphrase) that must be entered in both the Wireless AP or router and the WPA clients. This preshared key should be a random sequence of characters at least 20 characters long or hexadecimal digits (numbers 0-9 and letters A-F) at least 24 hexadecimal digits long. After the initial shared secret, the Temporal Key Integrity Protocol (TKIP) handles the encryption and automatic rekeying.
Table 1
Data Collector
The Data Collector is an application on the Enterasys Wireless Controller that receives and manages the Radio Frequency (RF) scan messages sent by the Wireless AP. This application is part of the Mitigator technique, working in conjunction with the scanner mechanism and the Analysis Engine to assist in detecting rogue access points.
The Virtual Network Services (VNS) technique is Siemens's means of mapping wireless networks to the topology of an existing wired network. When you set up Virtual Network Services (VNS) on the Enterasys Wireless Controller, you are defining subnets for groups of wireless users. This VNS definition creates a virtual IP subnet where the Enterasys Wireless Controller acts as a default gateway for wireless devices. This technique enables policies and authentication to be applied to the groups of wireless users on a VNS, as well as the collecting of accounting information. When a VNS is set up on the Enterasys Wireless Controller, one or more Wireless APs (by radio) are associated with it. A range of IP addresses is set aside for the Enterasys Wireless Controller's DHCP server to assign to wireless devices.
Wireless AP
The Wireless AP is a wireless LAN thin access point (IEEE 802.11) provided with unique software that allows it to communicate only with an Enterasys Wireless Controller. (A thin access point handles the radio frequency (RF) communication but relies on a controller to handle WLAN elements such as authentication.) The Wireless AP also provides local processing such as encryption. The Wireless AP is a dual-band access point, with 802.11a/b/g/n radios.
B
Regulatory Information
Warning: Warnings identify essential information. Ignoring a warning can lead to problems with the application.
This appendix provides regulatory information for the Enterasys Wireless Controller C25/C20N/C20/C2400/C4110/C5110 and the Enterasys Wireless AP models
For information about...
Enterasys Wireless Controller C25/C20N/C20/C2400/C4110/C5110
Wireless APs 26XX and 36XX
Note: Throughout this appendix, the term Wireless AP refers to both AP models (AP26XX series and AP36XX series). Specific AP models are only identified in this appendix where it is necessary to do so.
Note: For technical specifications and certification information for the Enterasys Wireless Outdoor AP, models AP 2650/2660, see the Enterasys Wireless Outdoor AP Installation Guide. For technical specifications and certification information for the Enterasys Wireless Outdoor AP3660, see the Enterasys Wireless Outdoor AP3660 Installation Guide.
RoHS
European Directive 2002/95/EC
Mechanical Loading
Mounting of the equipment in the rack should be such that a hazardous condition is not achieved due to uneven mechanical loading.
Circuit Overloading
Consideration should be given to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern.
Reliable Earthing
Reliable earthing of rack-mounted equipment should be maintained. Particular attention should be given to supply connections other than direct connections to the branch circuit (e.g. use of power strips).
Wi-Fi Certification
The AP26XX is Wi-Fi certified for operation in accordance with IEEE 802.11a/b/g. The AP2610/20 Wireless APs with internal and external antennas are designed and intended to be used indoors.
The AP36XX is Wi-Fi certified for operation in accordance with IEEE 802.11a/b/g/n. The AP36XX Wireless APs with internal and external antennas are designed and intended to be used indoors.
Table B-1 Wireless AP Wi-Fi Certification ID
Wireless AP model | Wi-Fi certification ID
AP2605 | WFA7482
AP2610 | WFA7432
AP2620 | WFA7387
AP2650 | WFA7386
AP2660 | WFA7431
AP3605 | WFA9173
AP3610 | WFA6025
AP3620 | WFA5917
Note: Operation in the European Community and rest of the world may be dependent on securing local licenses, certifications, and regulatory approvals.
Any unused antenna ports must be terminated when an external antenna is used with the AP2620.
Antenna Diversity
There are some limitations for using different antennas and Tx/Rx diversity:
If Alternate antenna diversity is used for Tx or Rx, then the same antenna model must be used as left and right antennas. In addition, if cables are used to connect external antennas, the cables must be of the same length and similar attenuation. If these rules are not respected, antenna diversity will not function properly and there will be degradation in the link budget in both directions.
You can choose to install only one antenna provided that both Tx and Rx diversity are configured to use that antenna and only that antenna. You can choose to install one antenna for 11b/g band and one antenna for 11a band, provided that the antenna diversity is configured appropriately on both radios.
United States
FCC Declaration of Conformity Statement
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions:
This device may not cause harmful interference.
This device must accept any interference received, including interference that may cause undesired operation.
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a residential and business environment. This equipment generates, uses, and radiates radio frequency energy, and if not installed and used in accordance with instructions, may cause harmful interference. However, there is no guarantee that interference will not occur. If this equipment does cause harmful interference, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment or devices.
Connect the equipment to an outlet other than the receiver's.
Consult a dealer or an experienced radio/TV technician for suggestions.
Safety
UL 60950-1
UL 2043 Plenum Rated as part of UL 60950-1. Suitable for use in environmental air space in accordance with Section 300.22.C of the National Electrical Code.
EMC
FCC CFR 47 Part 15, Class B
Radio Transceiver
CFR 47 Part 15.247, Subpart C
CFR 47 Part 15.407, Subpart E
Other
IEEE 802.11a (5 GHz)
IEEE 802.11b/g (2.4 GHz)
IEEE 802.11n (AP36XX)
IEEE 802.3af (PoE)
Warning: The Wireless APs must be installed and used in strict accordance with the manufacturer's instructions as described in this guide and related documentation for the device to which the Wireless AP is connected. Any other installation or use of the product violates FCC Part 15 regulations. Operation of the Wireless AP is restricted for indoor use only, specifically in the UNII 5.15 - 5.25 GHz band in accordance with 47 CFR 15.407(e). This Part 15 radio device operates on a non-interference basis with other devices operating at the same frequency when using antennas provided or other Enterasys certified antennas. Any changes or modification to the product not expressly approved by Enterasys could void the user's authority to operate this device. For the product available in the USA market, only channels 1 to 11 can be operated. Selection of other channels in the 2.4 GHz band is not possible.
External Antennas
The AP2620/AP3620 external antenna APs can also be used with certified external antennas. However, to comply with the local laws and regulations, an approval may be required by the local regulatory authorities.
For a list of approved external antennas, see AP2620 Approved External Antennas.
RF Safety Distance
The antennas used for this transmitter must be installed to provide a separation distance of at least 25 cm from all persons and must not be co-located or operating in conjunction with another antenna or transmitter.
For all external antennas, the minimum separation distance should be 25 cm. However, when using the WSAO5D23009 antenna, the minimum separation distance should be increased to 71 cm. When using the WSAIO2S18018 antenna, the minimum separation distance should be increased to 34 cm.
Canada
Industry Canada Compliance Statement
This digital apparatus does not exceed the Class B limits for radio noise emissions from digital apparatus as set out in the interference-causing equipment standard entitled "Digital Apparatus," ICES-003 of Industry Canada.
This digital apparatus complies with the radio noise limits applicable to Class B digital apparatus prescribed in the standard on interference-causing equipment: "Digital Apparatus," NMB-003, issued by Industry Canada.
This device complies with Part 15 of the FCC Rules and Canadian Standard RSS-210. Operation is subject to the following conditions:
This device may not cause harmful interference.
This device must accept any interference received, including interference that may cause undesired operation.
This Class B digital apparatus complies with Canadian ICES-003.
Operation in the 5150-5250 MHz band is only for indoor usage to reduce potential for harmful interference to co-channel mobile satellite systems.
Please note that high-power radars are allocated as primary users (meaning they have priority) and can cause interference in the 5250-5350 MHz and 5470-5725 MHz bands of LE-LAN devices.
For the product available in the Canadian market, only channels 1 to 11 can be operated. Selection of other channels in the 2.4 GHz band is not possible.
Safety
C22.2 No. 60950-1-03
UL 2043 Plenum Rated as part of UL 60950-1. Suitable for use in environmental air space in accordance with Sections 2-128, 12-010(3) and 12-100 of the Canadian Electrical Code, Part 1, C22.1
EMC
ICES-003, Class B
Radio Transceiver
RSS-210 (2.4 GHz and 5 GHz)
Other
IEEE 802.11a (5 GHz)
IEEE 802.11b/g (2.4 GHz)
IEEE 802.11n (AP36XX)
IEEE 802.3af (PoE)
External Antennas
The AP2620/AP3620 external antenna APs can also be used with certified external antennas. However, to comply with the local laws and regulations, an approval may be required by the local regulatory authorities.
For a list of approved external antennas, see AP2620 Approved External Antennas.
RF Safety Distance
The antennas used for this transmitter must be installed to provide a separation distance of at least 25 cm from all persons and must not be co-located or operating in conjunction with another antenna or transmitter.
For all external antennas, the minimum separation distance should be 25 cm. However, when using the WSAO5D23009 antenna, the minimum separation distance should be increased to 71 cm. When using the WSAIO2S18018 antenna, the minimum separation distance should be increased to 34 cm.
European Community
The Wireless APs are designed for use in the European Union and other countries with similar regulatory restrictions where the end user or installer is allowed to configure the Wireless AP for operation by entry of a country code relative to a specific country. Upon connection to the controller, the software will prompt the user to select a country code. After the country code is selected, the controller will set up the Wireless AP with the proper frequencies and power outputs for that country code.
Although outdoor use may be allowed and may be restricted to certain frequencies and/or may require a license for operation, the Wireless AP is intended for indoor use and must be installed in a proper indoor location. Use the installation utility provided with the controller software to ensure proper setup in accordance with all European spectrum usage rules. Contact local Authority for procedure to follow and regulatory information. For more details on legal combinations of frequencies, power levels and antennas, contact Enterasys.
Declaration of Conformity with R&TTE Directive of the European Union 1999/5/EC
The following symbol indicates compliance with the Essential Requirements of the R&TTE Directive of the European Union (1999/5/EC).
Danish German
Greek
Portuguese Malti
Hungary
Slovak: Enterasys hereby declares that the Radio LAN device meets the essential requirements and all relevant provisions of Directive 1999/5/EC.
Czech: Enterasys hereby declares that this Radio LAN device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.
Slovenian: Enterasys hereby declares that this Radio LAN device complies with the essential requirements and other provisions of Directive 1999/5/EC.
Latvian: Enterasys hereby declares that the Radio LAN device complies with the essential requirements of Directive 1999/5/EC and other related provisions.
Lithuanian: Enterasys declares that the Radio LAN device complies with the essential requirements and other provisions of Directive 1999/5/EC.
Polish: Enterasys hereby declares that the Radio LAN device meets the essential requirements and the relevant provisions contained in Directive 1999/5/EC.
Safety
2006/95/EC Low Voltage Directive (LVD)
IEC/EN 60950-1 + National Deviations
Radio Transceiver
R&TTE Directive 1999/5/EC
ETSI/EN 300 328 (2.4 GHz)
ETSI/EN 301 893 (5 GHz)
Other
IEEE 802.11a (5 GHz)
IEEE 802.11b/g (2.4 GHz)
IEEE 802.11n (AP36XX)
IEEE 802.3af (PoE)
RoHS
European Directive 2002/95/EC
External Antennas
The AP2620/AP3620 external antenna APs can also be used with certified external antennas. However, to comply with the local laws and regulations, an approval may be required by the local regulatory authorities.
For a list of approved external antennas, see AP2620 Approved External Antennas.
RF Safety Distance
The antennas used for this transmitter must be installed to provide a separation distance of at least 25 cm from all persons and must not be co-located or operating in conjunction with another antenna or transmitter.
For all external antennas, the minimum separation distance should be 25 cm. However, when using the WSAO5D23009 antenna, the minimum separation distance should be increased to 71 cm. When using the WSAIO2S18018 antenna, the minimum separation distance should be increased to 34 cm.
Caution: The Wireless AP is completely configured and managed by the Enterasys Wireless Controller connected to the network. Please follow the instructions in this user guide to properly configure the Wireless AP.
The Wireless APs require the end user or installer to ensure that they have a valid license prior to operating the Wireless AP. The license contains the region and the region exposes the country codes which allow for proper configuration in conformance with European National spectrum usage laws.
There is a default group of settings that each Wireless AP receives when it connects to the controller. There is the ability to change these settings. The user or installer is responsible to ensure that each Wireless AP is properly configured.
The software within the controller will automatically limit the allowable channels and output power determined by the selected country code. Selecting the incorrect country of operation, or failing to identify the proper antenna used, may result in illegal operation and may cause harmful interference to other systems.
This device employs a radar detection feature required for European Community operation in the 5 GHz band. This feature is automatically enabled when the country of operation is correctly configured for any European Community country. The presence of nearby radar operation may result in temporary interruption of operation of this device. The radar detection feature will automatically restart operation on a channel free of radar.
The 5 GHz Turbo Mode feature is not enabled for use on the Wireless APs.
The 5150-5350 MHz band, channels 36, 40, 44, 48, 52, 56, 60, or 64, are restricted to indoor use only.
The external antenna APs must only use antennas that are certified by Enterasys.
The 2.4 GHz band, channels 1 - 13, may be used for indoor or outdoor use but there may be some channel restrictions.
In Greece and Italy, the end user must apply for a license from the national spectrum authority to operate outdoors.
In France, outdoor operation is not permitted in the 2.4 GHz band.
Table B-2
Country Cyprus Czech Rep. Estonia Finland France Germany Greece Hungary Iceland Ireland Italy Latvia Liechtenstein Lithuania Luxembourg Netherlands Malta Norway Poland Portugal Romania Slovak Rep. Slovenia Spain Sweden Switzerland Turkey U.K
Note: * Belgium requires notifying the spectrum agency if deploying > 300 meter wireless links in outdoor public areas.
Table B-3
Model WS-ANT01
5 12 3.5 5 6
2400-2500 5150-5350 2400-2500 4900-5990 2400-2500 2300-2700 4900-6000 2400-2500 2300-2600 4900-6000 5470-5850 2400-2485 4900-6000 2300-2500
5 7.5 17 14 15 18
Reverse Polarity Type-N Reverse Polarity Type-N Reverse Polarity Type-N Reverse Polarity Type-N Reverse Polarity Type-N Reverse Polarity Type-N
RF Safety Distance
The antennas used for this transmitter must be installed to provide a separation distance of at least 25 cm from all persons and must not be co-located or operating in conjunction with another antenna or transmitter.
For all external antennas, the minimum separation distance should be 25 cm. However, when using the WSAO5D23009 antenna, the minimum separation distance should be increased to 71 cm. When using the WSAIO2S18018 antenna, the minimum separation distance should be increased to 34 cm.
Table B-4
Model WS-ANT02
5 16 23 3 4
Reverse Polarity Type-N Reverse Polarity Type-N Reverse Polarity Type-N RPSMA, 3ea.
WS-AI-DT05120
indoor
RPSMA
RF Safety Distance
The antennas used for this transmitter must be installed to provide a separation distance of at least 25 cm from all persons and must not be co-located or operating in conjunction with another antenna or transmitter.
For all external antennas, the minimum separation distance should be 25 cm. However, when using the WSAO5D23009 antenna, the minimum separation distance should be increased to 71 cm. When using the WSAIO2S18018 antenna, the minimum separation distance should be increased to 34 cm.
Certified 3rd Party Antennas for Use with AP2620, AP260-1, AP3620 and AP3620-1 Models
Manufacturer | Part Number | Type | Usage | Frequency | Gain | Connector | AP | Regulatory
Cushcraft | SR2405135D | Sector, 135 Deg Single Feed | Indoor | 2.4 | 5 | N-F | 2620 | FCC/IC
Cushcraft | S24493DS | Omni, Dual Feed | Indoor | 2.4, 5 | 3 | Reverse TNCx2 | 2620 | FCC/IC
Cushcraft | SL24513P | Omni, Single Feed | Indoor | 2.4, 5 | 3 | SMA-F | 2620 | FCC/IC
Cushcraft | S24497P | 60 Deg Sector, Single Feed | Indoor | 2.4, 5 | 7 | Reverse TNC | 2620 | FCC/IC
Hyperlink | HG2458CU | Omni, Single Feed | Indoor | 2.4, 5 | 3 | N-F | 2620 | FCC/IC
Table B-5
AP
Certified 3rd Party Antennas for Use with AP2620, AP260-1, AP3620 and AP3620-1 Models
Manufacturer Maxrad Huber and Suhner Huber and Suhner Huber and Suhner Huber and Suhner Huber and Suhner Huber and Suhner Huber and Suhner Cushcraft Part Number MDO24005PT SOA 2454/360/7/20/DF SWA 2459/360/4/45/V SPA 2456/75/9/0/DF Type Omni, Dual Feed Omni Omni Planar Usage Indoor Outdoor Outdoor Outdoor Outdoor Outdoor Outdoor Outdoor Indoor Frequency 2.4 2.4, 5 2.4, 5 2.4, 5 Gain 5.2 6&8 4 9 Connector SMA, TNC, N N-F N-F/SMA-F SMA-F/TNC-F/QN-F N-F/TNC-F N-F/TNC-F SMA-F/TNC-F/QMA-F N-F/TNC-F RPSMA
Regulatory
3.5 7 8.5
Planar 120 Deg, Sector, Single Feed Omni, Triple Feed Omni 60 Deg Sector, Single Feed Omni Omni, Dual Feed Omni Omni Planar
2.4 2.4, 5
13.5 5
3620 FCC/IC 3620 FCC/IC 3620 FCC/IC 3620 FCC/IC 3620 FCC/IC 3620 ETSI 3620 ETSI 3620 ETSI
Cushcraft Cushcraft Cushcraft Hyperlink Maxrad Huber and Suhner Huber and Suhner Huber and Suhner Huber and Suhner Huber and Suhner Huber and Suhner
S24493TS SL24513WP S24497P HG2458CU MDO24005PT SOA 2454/360/7/20/DF SWA 2459/360/4/45/V SPA 2456/75/9/0/DF
Indoor Indoor Indoor Indoor Indoor Outdoor Outdoor Outdoor Outdoor Outdoor Outdoor
RPSMA 3 ea. RPSMA RPSMA N-F RPSMA N-F N-F/SMA-F SMA-F/TNC-F/QN-F N-F/TNC-F N-F/TNC-F SMA-F/TNC-F/QMA-F
3.5 7 8.5
Table B-5 Certified 3rd Party Antennas for Use with AP2620, AP260-1, AP3620 and AP3620-1 Models
Manufacturer | Part Number | Type | Usage | Frequency | Gain | Connector | AP | Regulatory
Huber and Suhner | SPA 2400/40/14/0/DS | Planar | Outdoor | 2.4 | 13.5 | N-F/TNC-F | 3620 | ETSI
C
Default GuestPortal Source Code
For information about...
Ticket Page
GuestPortal Sample Header Page
GuestPortal Sample Footer Page
Ticket Page
Table C-1
align="center" width="790">GuestPortal</td>
  </tr>
</table>
<table cellspacing="5" cellpadding="0" border="0" style="margin:0 auto">
  <tr>
    <td align="right"><b>Guest Name:</b></td>
    <td align="left">!GuestName</td>
  </tr>
  <tr>
    <td align="right"><b>User ID:</b></td>
    <td align="left">!UserID</td>
  </tr>
  <tr>
    <td align="right"><b>Password:</b></td>
    <td align="left">!Password</td>
  </tr>
  <tr>
    <td align="right"><b>Account Start:</b></td>
    <td align="left">!AccountActivationTime</td>
  </tr>
  <tr>
    <td align="right"><b>Duration:</b></td>
    <td align="left">!AccountLifeTime</td>
  </tr>
  <tr>
    <td align="right"><b>Valid Daily Login Time:</b></td>
    <td align="left">!TimeOfDayStart -- !TimeOfDayDuration</td>
  </tr>
  <tr>
    <td align="right"><b>Comment:</b></td>
    <td align="left">!GuestComment</td>
  </tr>
</table>
<div style="width:790px;margin:0 auto;text-align:left">
  <b>System Requirements:</b>
  <hr width=790 size=2 noshade>
  <div style="padding-left:30px">
    <ul>
      <li>A laptop with WLAN capabilities (802.11a/b/g). This functionality can be either embedded into your device or via a PCMCIA card.
      <li>Web browser software. You can use any standard Internet browser (ie, Internet Explorer, Netscape, etc).
    </ul>
  </div>
</div>
<div style="width:790px;margin:10px auto;text-align:left">
  <b>Instructions:</b>
  <hr width=790 size=2 noshade>
  <div style="padding-left:30px;">
    <ul>
      <li>Enable your wireless device to connect to the '!SSID' SSID.
      <li>Once connected, launch your Internet browser and you will be redirected to the Guest Access webpage.
      <li>Enter the user ID and password supplied above. By logging into the network, you are accepting the terms and conditions below.
      <li>You're connected!
    </ul>
  </div>
</div>
<TABLE cellPadding=3 border=0>
  <TBODY>
    <TR>
      <TD align=right>Username:</TD>
      <TD><INPUT maxLength=32 size=15 name=username></TD>
    </TR>
    <TR>
      <TD align=right>Password:</TD>
      <TD><INPUT type=password maxLength=32 size=15 name=key></TD>
    </TR>
    <TR>
      <TD align=right colSpan=2> </TD>
    </TR>
  </TBODY>
</TABLE>
<br>
For assistance please contact our Operations Center at 555.555.5555
<BR>
</SPAN>
<SPAN id=1 style="DISPLAY: true;">
<p align="center"><span id="1">
<img border="0" src="your_logo.gif" width="198" height="49"></span><br>
<br>
As a guest of our company, you have the ability to access our guest wireless network. This service is provided as a benefit of visiting our Executive Briefing Center. Please respect our rules and regulations while you are using our network. You may also visit our Demo Area to see our complete suite of products and solutions.
</p>
<strong>Terms and Conditions</strong><br>
Access to the information and contents available through this network are proprietary and confidential. Only authorized users may access this system. You may use the information and contents solely in the manner for which it is intended and authorized. We reserve the right to monitor your use of this network at any time and in any manner. Misuse or unauthorized access may result in legal prosecution.
<BR>
<BR>
<input type="checkbox" name="agree" value="on"> I Agree to the Terms and Conditions
<SPAN id=2 style="DISPLAY: none; FONT-WEIGHT: bold; FONT-SIZE: x-small; COLOR: red">Required</SPAN>
<br>
<br>
<br>
<br>
For assistance please contact the Operations Center at 555.555.5555
</p>
</SPAN>
</BODY></HTML>