Apple DESIGNING AIRPORT EXTREME NETWORKS User Manual


Designing AirPort Extreme Networks

For Windows XP and Windows 2000

Contents

Chapter 1 Getting Started
  How AirPort Works
  How Wireless Internet Access Is Provided
  Configuring AirPort Extreme Base Station Internet Access
  AirPort Extreme Admin Utility for Windows
  Extending the Range of Your AirPort Network
  Printing via an AirPort Extreme Base Station
  Sharing Your Computer’s Internet Connection

Chapter 2 AirPort Security
  Security for AirPort Networks at Home
  Security for AirPort Networks in Business and Education
  Wi-Fi Protected Access (WPA)

Chapter 3 AirPort Extreme Network Designs
  Using AirPort Extreme Admin Utility for Windows
  Setting Up the AirPort Network
  Configuring and Sharing Internet Access
  Setting Advanced Options
  Solving Problems
  More Information About AirPort

Chapter 4 Behind the Scenes
  Basic Networking
  Using the AirPort Extreme Base Station
  Items That Can Cause Interference With AirPort

Chapter 1 Getting Started

With this version of the AirPort Extreme Admin Utility you can set up and manage an AirPort network using Microsoft Windows, and wirelessly share a single Internet connection with multiple computers.

Instead of using traditional cables to create a network, AirPort uses wireless local area network (WLAN) technology to provide communication between computers. Through a wireless network you can access the Internet, share files, play multiplayer games, and more.

Using AirPort technology, you can:

Create a wireless network in your home or school using an AirPort Extreme Base Station, then connect to the Internet and share the connection among several computers simultaneously. An entire family or classroom can be on the Internet at the same time.

Create a wireless connection between a single computer and a standard computer network. Wireless computers can then have access to an entire network without being connected using a cable.

Connect multiple computers in a wireless “ad-hoc” network so that you can share files or play network games.

You can set up an AirPort Extreme Base Station and connect to the Internet without wires in minutes. But since the AirPort Extreme Base Station is a flexible and powerful networking device, you can also create an AirPort network that does much more.

If you want to design an AirPort network that provides Internet access to non-wireless computers via Ethernet, or take advantage of some of the base station’s more advanced features, use this document to design and implement your network.

Note: This version of the AirPort Extreme Admin Utility is compatible with Windows XP and Windows 2000. The instructions and screen images in this book are for Windows XP. If you are using Windows 2000, the images on your screen may look slightly different.

How AirPort Works

Traditionally, sharing files and information between computers required them to be connected by wires. With AirPort, the data is transferred between computers using radio waves through a wireless network.

You can create a wireless network using an AirPort Extreme Base Station, and all wireless communication goes through the base station to the Internet or to other computers on the network.

You can also incorporate AirPort technology into an existing Ethernet network by connecting an AirPort Extreme Base Station to the network. This allows non-AirPort computers to communicate with AirPort computers.

The typical indoor range for an AirPort connection is up to 150 feet (45 meters). Range in a wireless network may vary with site conditions.

How Wireless Internet Access Is Provided

Wireless Internet access requires an 802.11b or 802.11g wireless adapter, an AirPort Extreme Base Station, and an account with an Internet service provider (fees may apply). Some Internet service providers (ISPs) are not currently compatible with AirPort. Some cable modem and DSL providers may not be compatible with AirPort. Contact your service provider for more information.

AirPort technology is similar to cordless telephone technology. The handset of the cordless phone makes a wireless connection to the base, which is connected to the telephone system. Likewise, with AirPort, your computer does not establish a wireless connection with your ISP directly. You set up a wireless connection from the computer to a base station that is connected to the Internet by a wire, such as a DSL or telephone line.

You can use AirPort to provide wireless Internet access and share a single Internet connection among multiple computers in the following ways:

Connect the AirPort Extreme Base Station to a DSL or cable modem. (If the base station has an internal modem, you can connect it to a telephone line.) The AirPort Extreme Base Station receives content from the Internet, such as webpages and email, via its Internet connection and then sends it to AirPort-equipped computers, using the wireless network.

Connect the AirPort Extreme Base Station to an existing network that already has Internet access, such as in a school or small office. Wireless computers connect wirelessly to the base station and receive network and Internet content.

Configuring AirPort Extreme Base Station Internet Access

Like your computer, the AirPort Extreme Base Station must be set up with the appropriate Internet Protocol (IP) networking information to connect to the Internet. To provide the Internet configuration information, you can use the AirPort Extreme Admin Utility for Windows to set up your base station and control the AirPort network it creates.

AirPort Extreme Admin Utility for Windows

The AirPort Extreme Admin Utility for Windows is a convenient way to make quick adjustments to your base station configuration.

Use AirPort Extreme Admin Utility for Windows to:

Provide Internet access to computers that connect to the base station using Ethernet

Change settings, such as the phone number for your ISP

Configure advanced base station settings, such as channel frequency, security options, closed networks, DHCP lease time, access control, WAN privacy, power controls, remote dial-in, or port mapping

For instructions on using AirPort Extreme Admin Utility for Windows, see “Using AirPort Extreme Admin Utility for Windows” on page 14.

Extending the Range of Your AirPort Network

You can extend the range of your network by setting up wireless connections between multiple base stations in your network, known as a Wireless Distribution System (WDS), or connecting the base stations via Ethernet to create a roaming network. If your base station has an antenna port, you can also extend the range of your wireless network by connecting an Apple-certified external antenna to the antenna port. For more information on setting up a Wireless Distribution System or a roaming network, see “Connecting Additional Base Stations to Your AirPort Network” on page 38.

Printing via an AirPort Extreme Base Station

If you have a USB printer connected to the base station, computers on the network can print to the printer by setting it up in Windows XP or Windows 2000. For detailed instructions on setting up a printer connected to the base station, see “Connecting a USB Printer to the AirPort Extreme Base Station” on page 50.

Check the AirPort website at www.apple.com/airport for a list of supported printers.

Sharing Your Computer’s Internet Connection

If you have a wireless card installed in your computer and you are connected to the Internet, you can share your Internet connection with other computers. This is sometimes called using your computer as a software access point.

You can share your Internet connection as long as your computer is connected to the Internet. If your computer goes to sleep or is restarted, or if you lose your Internet connection, you need to restart Internet sharing.

To start Internet sharing:

1 Open Control Panel and double-click Network Connections.

2 Click the network connection you want to share and click “Change settings of this connection” under Network Tasks.

3 Click Advanced and then select “Allow other network users to connect through this computer’s Internet connection.”

Note: If your Internet connection and your local network use the same port (built-in Ethernet, for example), contact your ISP before you turn on Internet sharing. In some cases (if you use a cable modem, for example) you might unintentionally affect the network settings of other ISP customers, and your ISP might terminate your service to prevent you from disrupting its network.

Chapter 2 AirPort Security

This chapter provides an overview of the security features available with the AirPort Extreme Base Station.

Apple has designed the AirPort Extreme Base Station to provide multiple levels of security, so you can enjoy peace of mind when you access the Internet, manage online financial transactions, or send and receive email. The base station also includes a slot for inserting a Kensington lock to deter theft.

For information and instructions for setting up these security features, see “Setting Up the AirPort Network” on page 15.

Security for AirPort Networks at Home

Network attacks can occur through wireless as well as wired networks. Apple gives you ways to protect your entire AirPort network as well as the data that travels over it.

Firewall

You can separate your wireless network from the outside world with firewall protection. The AirPort Extreme Base Station has a built-in firewall that creates a barrier between your network and the Internet, protecting data from Internet-based IP attacks. The firewall is automatically turned on when you set up the base station to share a single Internet connection. For computers with a cable or DSL modem, AirPort can actually be safer than a wired connection.

Closed Network

Creating a closed network keeps the network name and the very existence of your network private. The network will not show up in a scan of available networks, so prospective users of your network must know the network name and password to access it.

Password Protection and Encryption

AirPort uses password protection and encryption to deliver a level of security comparable to traditional wired networks. Users can be required to enter a password to log in to the AirPort network. When transmitting data and passwords, the base station uses up to 128-bit encryption, through either Wi-Fi Protected Access (WPA) or Wireless Equivalent Privacy (WEP), to scramble data and help keep it safe.

Note: WPA security features are available only to AirPort Extreme Base Stations, AirPort and AirPort Extreme clients using Mac OS X 10.3 or later and AirPort 3.2 or later, and wireless clients using other 802.11 wireless adapters that support WPA.

If you’re using AirPort in conjunction with an America Online account, you can use AOL parental controls on the AirPort Extreme Base Station to further restrict access. The settings you configure are used for all clients connected to that base station.

Security for AirPort Networks in Business and Education

Businesses, schools, colleges, and universities want to restrict network communications to authorized users and keep data safe from prying eyes, so AirPort Extreme hardware and software provide a robust suite of security mechanisms.

Transmitter Power Control

Because radio waves travel in all directions, they can extend outside the confines of a specific building. The Transmitter Power setting in AirPort Extreme Admin Utility for Windows lets you adjust the transmission range of your base station’s network. Only users within the network vicinity have access to the network.

MAC Filtering

Every AirPort and wireless card has a unique MAC address. For AirPort and AirPort Extreme Cards, the MAC address is sometimes referred to as the AirPort ID. Support for MAC (Media Access Control) filtering lets administrators set up a list of MAC addresses and restrict access to the network to only those users whose MAC addresses are in the access control list.

RADIUS Support

The Remote Authentication Dial-In User Service (RADIUS) makes securing a large network easy. RADIUS is an access control protocol that allows a system administrator to create a central list of the computers that can access the network. Placing this list on a centralized server allows many base stations to access the list and makes it easy to update. If the MAC address of a user’s computer or wireless card (which is unique to each 802.11 wireless card) is not on your approved MAC address list, the user cannot join your network.

LEAP Support

The Lightweight Extensible Authentication Protocol (LEAP) is a security protocol used by Cisco access points to dynamically assign a different WEP key to each user. AirPort Extreme is compatible with Cisco’s LEAP security protocol, enabling users to join Cisco-hosted wireless networks using LEAP.

Wi-Fi Protected Access (WPA)

There has been increasing concern about the vulnerabilities of WEP. In response, the Wi-Fi Alliance, in conjunction with the IEEE, has developed a strongly enhanced, interoperable security standard called Wi-Fi Protected Access (WPA).

WPA is a specification that brings together standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for wireless LANs. WPA provides wireless LAN users with a high level of assurance that their data remains protected and that only authorized network users can access the network. A wireless network that uses WPA requires that all computers that access the wireless network have WPA support. It provides a high level of data protection and (when used in Enterprise mode) requires user authentication.

The main standards-based technologies that comprise WPA include Temporal Key Integrity Protocol (TKIP), 802.1X, Message Integrity Check (MIC), and Extensible Authentication Protocol (EAP).

TKIP provides enhanced data encryption by addressing the WEP encryption vulnerabilities, including the frequency with which keys are used to encrypt the wireless connection. 802.1X and EAP provide the ability to authenticate a user on the wireless network.

802.1X is a port-based network access control method for wired as well as wireless networks. The IEEE adopted 802.1X as a standard in August 2001.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them, and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, the data is assumed to have been tampered with and the packet is dropped.

Some of the EAP protocols handle the presentation of a user’s credentials in the form of digital certificates. A user’s digital certificates can comprise user names and passwords, smart cards, secure IDs, or any other identity credentials that the IT administrator is comfortable using. WPA uses a wide variety of standards-based EAP implementations, including EAP-Transport Layer Security (EAP-TLS), EAP-Tunnel Transport Layer Security (EAP-TTLS), and Protected Extensible Authentication Protocol (PEAP).

WPA on the AirPort Extreme Base Station has two modes: “WPA for enterprise,” or WPA Enterprise, which uses a RADIUS server for user authentication, and “WPA for home/small office,” or WPA Personal, which relies on the capabilities of TKIP without requiring a RADIUS server.

Note: WPA security features are available only to AirPort Extreme Base Stations, AirPort and AirPort Extreme clients using Mac OS X 10.3 or later and AirPort 3.2 or later, and clients using other 802.11 wireless adapters that support WPA.

WPA Enterprise

WPA is a subset of the draft IEEE 802.11i standard and effectively addresses the Wireless Local Area Network (WLAN) security requirements for the enterprise and provides a strong encryption and authentication solution prior to the ratification of the 802.11i standard. In an enterprise with IT resources, WPA should be used in conjunction with an authentication server such as RADIUS to provide centralized access control and management. With this implementation in place, the need for add-on solutions such as Virtual Private Networks (VPN) may be eliminated, at least for securing the wireless link in a network.

WPA Personal

For Small Office/Home Office (SO/HO) networks, WPA runs in WPA Personal mode, taking into account the typical household or small office does not have an authentication server. Instead of authenticating with a RADIUS server, users manually enter a password to log in to the wireless network. When the user enters the password correctly, the base station starts the encryption process using TKIP. TKIP takes the original password and derives its encryption keys mathematically from the network password. TKIP then regularly changes and rotates the encryption key so that the same encryption key is never used twice. This all happens behind the scenes. Other than entering the network password, the user isn’t required to do anything to make WPA Personal work in the home.

Chapter 3 AirPort Extreme Network Designs

This chapter provides overview information and instructions for the types of AirPort networks you can set up using the AirPort Extreme Admin Utility for Windows.

Configuring your base station to implement a network design involves three steps:

Step 1: Setting Up the AirPort Network

Computers communicate with the AirPort Extreme Base Station over the AirPort wireless network. When you set up the AirPort network created by the base station, you can name the wireless network, assign a password needed to join the wireless network, and set other options.

Step 2: Configuring and Sharing Internet Access

When computers access the Internet via the AirPort network, the base station connects to the Internet and transmits information to the computers over the network. You provide the base station with settings appropriate for your ISP and configure how the base station shares this connection with other computers.

Step 3: Setting Advanced Options

You can set up the base station as a bridge between your AirPort network and an Ethernet network, control access to an AirPort network, set advanced security options, set up a Wireless Distribution System (WDS) to extend the AirPort network to other base stations, and fine-tune other AirPort settings.

For specific instructions on all these steps, refer to the sections later in this chapter.

Using AirPort Extreme Admin Utility for Windows

To modify the base station configuration, make sure you are connected to the network the base station creates.

To connect to the network created by the base station:

Hold the pointer over the wireless connection icon until you see your AirPort network name (SSID), and choose it from the list if there are multiple networks available.

The network name (or SSID) of a new AirPort Extreme Base Station is “Apple Network xxxxxx,” where xxxxxx is the last six characters of the AirPort ID, located on the label on the bottom of the base station.

If you can’t join the AirPort network, right-click the wireless connection icon and choose View Available Wireless Networks. Select your network and click Connect.

To open your base station’s configuration:

1 Open AirPort Extreme Admin Utility for Windows.

2 Select your base station in the Base Station Chooser, and click Configure.

3 Enter the base station password, if necessary. The default base station password is public.

If you don’t see your base station in the Base Station Chooser window:

1 Make sure that you have joined the AirPort network created by your base station.

2 Make sure your network and TCP/IP settings are configured properly:

a Right-click the wireless connection icon that displays the AirPort network, and choose Status.

b Click Properties, select Internet Protocol (TCP/IP), and then click Properties.

c Make sure “Obtain an IP address automatically” is selected.

If you can’t open the base station’s configuration:

1 Make sure your network and TCP/IP settings are configured properly.

2 Make sure you entered the AirPort Extreme Base Station password correctly. The default password is public. If you have forgotten the base station password, you can reset it to public by resetting the base station.

To reset the base station password to public, press and hold the reset button for one second.

If you are on an Ethernet network that has other base stations, or you are using Ethernet to connect to the base station:

The AirPort Extreme Admin Utility for Windows scans the Ethernet network to create the list of base stations in the Base Station Chooser. As a result, when you open AirPort Extreme Admin Utility for Windows, you may see base stations that you cannot configure.

Setting Up the AirPort Network

The first step in configuring your base station is setting up the AirPort network it will create. Use the AirPort Extreme Admin Utility for Windows.

1 To join the network for the base station you want to set up, open Control Panel from the Start menu and click Network Connections.

2 Right-click the Wireless Network Connection icon and choose View Available Networks.

3 Select the network of the base station you want to configure, and then click Connect.

4 Open AirPort Extreme Admin Utility for Windows and select the base station from the list. If you don’t see the base station you want to configure, click Rescan to scan for available base stations, then select the base station.

5 If you are prompted for a password, enter it, then click Configure.

When AirPort Extreme Admin Utility for Windows opens, it displays a summary of the base station’s current settings. To enter or change settings, click the tabs to open the panes.

6 In the AirPort pane, enter a base station name and password, a name for your AirPort network, and other information. (See the following sections for descriptions of the fields in the AirPort pane.)

Naming the Base Station

Give the base station an easily identifiable name. This makes it easy for administrators to locate a specific base station on an Ethernet network with multiple base stations. The optional Contact and Location fields may also be helpful if you have more than one base station on your network.

Changing the Base Station Password

The base station password protects the base station configuration so that only the administrator can modify it. The default password is public. It is a good idea to change the base station password to prevent unauthorized changes to the base station.

Naming the AirPort Network

Give your AirPort network a name. This name appears in the wireless connection icon on the wireless-equipped computers that are in range of your AirPort network.

Password-Protecting Your Network

To password-protect your network, you can choose from a number of wireless security options. In the AirPort pane of AirPort Extreme Admin Utility for Windows, click Network Security and choose one of the following options.

Off

Choosing this option turns off all password protection for the network. Any computer with a wireless adapter or card can join the network.

128-bit or 40-bit WEP

Choose either of these options to protect your network with a Wireless Equivalent Protection password. Choose standard 40-bit encryption for maximum compatibility, or choose 128-bit encryption, which provides maximum WEP security.

If you choose 128-bit encryption, only computers with 128-bit encryption-capable wireless networking cards will be able to join your network. If you choose 40-bit encryption, computers with 40-bit and 128-bit encryption-capable wireless networking cards will be able to join your wireless network, but they will join with only 40-bit encryption.

WPA for home/small office

Choose this option and enter a password for the wireless network. When a wireless client enters the password, the base station starts the encryption process using TKIP.

The password you choose can be between 8 and 63 ASCII characters, or if you choose to enter a Pre-Shared Key, it must be exactly 64 hexadecimal characters.

WPA for enterprise

Choose this option if you are setting up a network that includes a RADIUS server. Enter the IP address and port number for the RADIUS server, and enter a “shared secret,” which is the password for the server.

Note: WPA security features are available only to AirPort Extreme Base Stations, AirPort and AirPort Extreme clients using Mac OS X 10.3 or later and AirPort 3.2 or later, and clients using other 802.11 wireless adapters that support WPA.

For more information and instructions for setting up WPA on your network, see “Using Wi-Fi Protected Access (WPA)” on page 45.

Joining a 128-Bit Encrypted Wireless Network

If you want to join a wireless network that requires 128-bit encryption, you have two options for entering a password, depending on the password scheme the network administrator has set up.

If you were given a password that is 13 characters, enter it exactly. Thirteen-character passwords are usually case-sensitive.

Example: password12345

If you were given a password that is 26 characters, put a dollar sign ($) before the password. Twenty-six-character passwords may be case-sensitive.

Example: $12345678901234567890abcdef

If you need additional information on your 128-bit password, contact your network administrator.

Joining a WPA Personal Network

If you want to join a wireless network that is protected by “WPA for home/small office” (also known as Pre-Shared Key), you must enter a password of either 8 to 63 ASCII characters, or exactly 64 hexadecimal characters. Check with your system administrator to find out which to use.

Example of an ASCII password: pass1234

Example of a hexadecimal password: abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
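
Added example (not part of the Apple manual or the AirPort software): how the two password entry formats described above, 128-bit WEP and WPA Personal, turn into key material. The function names are hypothetical, the sample network names are constructed, and the passphrase-to-key mapping (PBKDF2-HMAC-SHA1, network name as salt, 4096 iterations) comes from IEEE 802.11i rather than from this manual.

```python
import hashlib
import string

HEX_DIGITS = set(string.hexdigits)


def wep128_key(entry: str) -> bytes:
    """Convert a 128-bit WEP password entry into the secret key bytes.

    A 13-character password is used as-is; '$' followed by 26 hexadecimal
    digits is decoded. Both forms give 13 bytes (104 bits) of secret. The
    remaining 24 bits of a "128-bit" WEP key are the per-packet
    initialization vector, which is transmitted in the clear.
    """
    if len(entry) == 13:
        return entry.encode("ascii")  # non-ASCII input raises ValueError
    if len(entry) == 27 and entry[0] == "$" and set(entry[1:]) <= HEX_DIGITS:
        return bytes.fromhex(entry[1:])
    raise ValueError("expected 13 characters or '$' followed by 26 hex digits")


def wpa_psk(credential: str, ssid: str) -> bytes:
    """Return the 256-bit pre-shared key for a WPA Personal credential.

    64 hexadecimal characters are the key itself. A password of 8 to 63
    printable ASCII characters is stretched with the network name as salt,
    so the same password on two differently named networks yields two
    different keys.
    """
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("network name must be 1 to 32 bytes")
    if len(credential) == 64 and set(credential) <= HEX_DIGITS:
        return bytes.fromhex(credential)
    if 8 <= len(credential) <= 63 and all(32 <= ord(c) <= 126 for c in credential):
        return hashlib.pbkdf2_hmac(
            "sha1", credential.encode("ascii"), ssid_bytes, 4096, 32
        )
    raise ValueError("expected 8-63 ASCII characters or 64 hex digits")


if __name__ == "__main__":
    # The manual's own example passwords; network names are constructed.
    print("WEP ascii :", wep128_key("password12345").hex())
    print("WEP hex   :", wep128_key("$12345678901234567890abcdef").hex())
    for name in ("Apple Network 000001", "Apple Network 000002"):
        print(f"WPA {name!r}:", wpa_psk("pass1234", name).hex())
    print("WPA raw   :", wpa_psk("abcd1234" * 8, "Apple Network 000001").hex())
```

Because the network name is the only salt, a short or common password on a network that keeps a factory-default name gets little benefit from the stretching; a long random password or a randomly generated 64-digit hexadecimal key avoids that.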

Joining a WPA Enterprise Network

If you are joining a “WPA for enterprise” network, you were probably given a configuration file that contains network settings specific to the network you want to join. Double-click the configuration file to open it. If prompted, enter the user name and password you were given for the network, and if necessary, choose the network from the wireless connection icon.

Some authentication protocols, such as TLS, require a digital certificate to authenticate the user before joining the network.

Check with your network administrator for more information about digital certificates and joining a WPA Enterprise network.
