Extreme Networks A3502A Users Manual

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

Extreme Networks, Inc. 3585 Monroe Street Santa Clara, California 95051 (888) 257-3000 http://www.extremenetworks.com

Published: September 2005 Part number: 100198-00 Rev 03

Alpine, Altitude, BlackDiamond, EPICenter, Ethernet Everywhere, Extreme Ethernet Everywhere, Extreme Networks, Extreme Turbodrive, Extreme Velocity, ExtremeWare, ExtremeWorks, GlobalPx Content Director, the Go Purple Extreme Solution Partners Logo, ServiceWatch, Summit, the Summit7i Logo, and the Color Purple, among others, are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and other countries. Other names and marks may be the property of their respective owners.

Specifications are subject to change without notice.

The ExtremeWare XOS operating system is based, in part, on the Linux operating system. The machine-readable copy of the corresponding source code is available for the cost of distribution. Please direct requests to Extreme Networks for more information at the following address:

Software Licensing Department 3585 Monroe Street Santa Clara CA 95051

NetWare and Novell are registered trademarks of Novell, Inc. Merit is a registered trademark of Merit Network, Inc. Solaris and Java are trademarks of Sun Microsystems, Inc. F5, BIG/ip, and 3DNS are registered trademarks of F5 Networks, Inc. see/IT is a trademark of F5 Networks, Inc.

sFlow® is a registered trademark of InMon Corporation.

All other registered trademarks, trademarks and service marks are property of their respective owners.

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

Table of Contents

About this Guide.............................................................................................................................. 9

Who should use this guide ...........................................................................................................9

What is in this guide ...................................................................................................................9

Formatting conventions..............................................................................................................10

Documentation feedback ...........................................................................................................10

Protocols and standards.............................................................................................................11

Regulatory information ..............................................................................................................11

Chapter 1: The Summit WM-Series Switch Software solution ........................................................... 13

What is the Summit WM-Series Switch Software system?..............................................................13

Conventional wireless LANS .................................................................................................13

The Summit WM-Series Switch Software solution...................................................................14

Summit WM-Series Switch Software and your network ..................................................................17

Components of the solution: a summary ................................................................................17

Network traffic flow .............................................................................................................18

Network security .................................................................................................................19

Authentication ..............................................................................................................19

Privacy .........................................................................................................................19

Interaction with wired networks: Wireless Mobility Access Domain ...........................................20

Static routing and routing protocols ......................................................................................20

Policy: packet filtering .........................................................................................................21

Mobility and roaming...........................................................................................................21

Availability .........................................................................................................................22

Quality of Service (QoS) .......................................................................................................22

Chapter 2: Summit WM-Series Switch: Startup................................................................................ 23

Summit WM-Series Switch features and installation .....................................................................23

Installing the Summit WM-Series Switch ...............................................................................24

First-time setup of Summit WM-Series Switch .............................................................................24

Management port first-time setup .........................................................................................24

Changing the Management Port IP address: web browser method.......................................25

Adding the Summit WM-Series Switch to your enterprise network ......................................27

The graphical user interface (GUI): overview ................................................................................28

Chapter 3: Summit WM-Series Switch Software configuration.......................................................... 31

Configuration steps: overview .....................................................................................................31

Enabling the product key ...........................................................................................................31

Setting up the data ports ...........................................................................................................32

Setting up static routes..............................................................................................................35

Setting up OSPF Routing ...........................................................................................................36

Filtering at the interface level.....................................................................................................38

Port-based exception filters: built-in......................................................................................39

Port-based exception filters: user defined ..............................................................................39

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

Table of Contents

Chapter 4: Altitude AP: startup ....................................................................................................... 41

Altitude AP features ..................................................................................................................41

Installing the Altitude APs .........................................................................................................43

Connecting and powering the Altitude AP ....................................................................................44

Discovery and registration: Altitude AP registration settings...........................................................44

Discovery and registration ..........................................................................................................46

Discovery steps ...................................................................................................................46

Altitude AP access approval .......................................................................................................49

Configuring properties and radios................................................................................................51

View and modify properties of registered Altitude APs.............................................................51

View and modify the radio settings of registered Altitude APs ..................................................52

Adding a Altitude AP manually .......................................................................................56

Altitude AP static configuration: branch office deployment......................................................57

Auto Cell software .....................................................................................................................58

Chapter 5: WM Access Domain Services (WM-AD): Introduction ...................................................... 61

Overview ..................................................................................................................................61

What is a WM-AD? ....................................................................................................................62

Topology of a WM-AD ................................................................................................................62

Network assignment and authentication for a WM-AD ...................................................................63

Authentication with SSID network assignment........................................................................63

Authentication with AAA (802.1x) network assignment ...........................................................64

Filtering for a WM-AD ................................................................................................................64

Privacy on a WM-AD: WEP and WPA ...........................................................................................66

Setting up a new WM-AD ...........................................................................................................66

Global Settings for a WM-AD ......................................................................................................68

Chapter 6: WM Access Domain Configuration ................................................................................. 71

Topology for a WM-AD ...............................................................................................................71

Topology for a WM-AD for Captive Portal................................................................................71

Topology for a WM-AD for AAA .............................................................................................75

Authentication for a WM-AD.......................................................................................................76

Authentication for a WM-AD for Captive Portal .......................................................................77

Authentication for a WM-AD for AAA .....................................................................................82

MAC-based authentication for a WM-AD ................................................................................82

Accounting for a WM-AD............................................................................................................84

RADIUS Policy for a WM-AD ......................................................................................................84

RADIUS Policy for Captive Portal ..........................................................................................85

RADIUS Policy for AAA and AAA groups ................................................................................85

Filtering rules for a WM-AD ........................................................................................................86

Filtering rules for an exception filter......................................................................................87

The non-authenticated filter for Captive Portal .......................................................................87

Filtering rules for a Filter ID group ........................................................................................90

Filtering rules for a default filter ...........................................................................................92

Filtering Rules for an AAA Group WM-AD.........................................................................94

Filtering rules between two wireless devices.....................................................................94

Multicast for a WM-AD ..............................................................................................................95

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

Table of Contents

Privacy for a WM-AD..................................................................................................................96

Privacy for a WM-AD for Captive Portal ..................................................................................96

Privacy for a WM-AD for AAA................................................................................................97

A WM-AD with no authentication ..............................................................................................100

A WM-AD for voice traffic.........................................................................................................101

Chapter 7: Summit WM-Series Switch Configuration: Availability and Mobility ............................... 103

Availability .............................................................................................................................103

Mobility and the WM-AD Manager.............................................................................................107

VW-AD Manager and VW-AD Agent: Background...................................................................107

Chapter 8: Summit WM-Series Switch: configuring other functions ................................................ 111

Management users ..................................................................................................................111

Network time ..........................................................................................................................112

Check Point event logging ........................................................................................................113

Setting up SNMP ....................................................................................................................115

MIB support .....................................................................................................................115

Enabling SNMP on the Summit WM-Series Switch ...............................................................116

Chapter 9: Setting up third-party access points............................................................................. 119

Chapter 10: Summit Spy: detecting rogue access points................................................................ 123

Overview ................................................................................................................................123

Enabling the Analysis and RFDC Engines ..................................................................................124

Summit Spy: running scans .....................................................................................................125

The Analysis Engine ................................................................................................................126

Viewing the Scanner Status report ............................................................................................130

Chapter 11: Ongoing operation..................................................................................................... 131

Altitude AP maintenance: software ...........................................................................................131

Altitude AP client management ................................................................................................133

Client disassociate ............................................................................................................134

Client blacklist..................................................................................................................135

Summit WM-Series Switch software maintenance ......................................................................137

Summit WM-Series Switch Software logs and traces...................................................................140

Viewing log, alarm and trace messages ................................................................................141

Reports and displays ...............................................................................................................144

View displays ....................................................................................................................144

View reports......................................................................................................................146

Glossary ..................................................................................................................................... 147

Appendix A: Summit WM-Series Switch Software system states and LEDs ...................................... 167

Summit WM-Series Switch system states and LEDs....................................................................167

Altitude AP system states ........................................................................................................168

Appendix B: CLI command reference ............................................................................................ 169

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

Table of Contents

Appendix C: DHCP, SLP, and Option 78 reference ......................................................................... 173

Service Location Protocol (SLP) (RFC2608)...............................................................................174

DHCP Options for Service Location Protocol (RFC2610) .............................................................174

SLP Directory Agent Option (Option 78) ....................................................................................174

SLP Service Scope Option (Option 79)......................................................................................175

Appendix D: Reference lists of standards ...................................................................................... 177

RFC list..................................................................................................................................177

802.11 standards list..............................................................................................................178

Appendix E: Support for Altitude AP.............................................................................................. 181

Altitude AP diagnostics by Telnet .............................................................................................181

Appendix F: RADIUS Attributes ..................................................................................................... 183

RADIUS Vendor-Specific Attributes (VSAs) ................................................................................183

RADIUS Accounting ................................................................................................................184

Account-Start Packet.........................................................................................................184

Account-Stop/Interim Packet..............................................................................................185

Termination Codes ............................................................................................................186

Appendix G: Logs and Events ....................................................................................................... 187

Overview ................................................................................................................................187

Critical...................................................................................................................................187

ACCESSPOINT..................................................................................................................187

CDR_COLLECTOR .............................................................................................................191

CONFIG_MANAGER ..........................................................................................................191

EVENT_SERVER ...............................................................................................................192

LANGLEY .........................................................................................................................194

RADIUS_ACCOUNTING .....................................................................................................194

RADIUS_CLIENT ..............................................................................................................194

RF_DATA_COLLECTOR......................................................................................................195

RU_MANAGER .................................................................................................................195

SECURITY_MANAGER.......................................................................................................196

STARTUP_MANAGER........................................................................................................197

STATS_SERVER................................................................................................................198

VNMGR............................................................................................................................199

Major .....................................................................................................................................200

ACCESSPOINT..................................................................................................................200

CDR_COLLECTOR .............................................................................................................201

CLI ..................................................................................................................................202

CONFIG_MANAGER ..........................................................................................................203

CPDP_AGENT_ID ..............................................................................................................203

EVENT_SERVER ...............................................................................................................204

LANGLEY .........................................................................................................................205

NSM_SERVER ..................................................................................................................205

OSPF_SERVER .................................................................................................................206

PORT_INFO_J_MANAGER..................................................................................................206

RADIUS_ACCOUNTING .....................................................................................................206

RADIUS_CLIENT ..............................................................................................................206

REDIR_ID ........................................................................................................................207

RF_DATA_COLLECTOR......................................................................................................207

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

Table of Contents

RU_MANAGER .................................................................................................................208

SECURITY_MANAGER.......................................................................................................208

VNMGR............................................................................................................................210

Appendix H: Regulatory Information ............................................................................................. 213

Summit WM100 (15945), Summit WM1000 (15937) ...............................................................213

Safety ..............................................................................................................................213

Emissions.........................................................................................................................214

Environmental Operating Conditions for Summit WM100/1000 and Altitude 350-2 ................214

Altitude 350-2 Integrated Antenna AP (15938), Altitude 350-2 Detachable Antenna AP (15939) .215

United States - FCC Declaration of Conformity Statement .....................................................215

Conditions Under Which a Second party may replace a Part 15 Unlicensed Antenna ...............217

FCC RF Radiation Exposure Statement ..........................................................................217

Department of Communications Canada Compliance Statement.......................................217

European Community ........................................................................................................218

Declaration of Conformity with regard to R&TTE Directive of the European Union 1999/5/EC ...

218

Conditions of Use in the European Community...............................................................219

Permitted 5 GHz Channels for the European Community .................................................221

European Spectrum Usage Rules ..................................................................................221

Declarations of Conformity ...........................................................................................223

Certifications of Other Countries ...............................................................................................224

Index .......................................................................................................................................... 225

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

Table of Contents

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

About this Guide

This guide describes how to install, configure, and manage the Summit WM-Series Switch Software.

Who should use this guide

This guide is a reference for system administrators who install and manage the Summit WM-Series Switch Software.

What is in this guide

This guide contains the following chapters:

● About this Guide describes the target audience and content of the guide, the formatting conventions

used in it, and how to provide feedback on the guide.

● Chapter 1 provides an overview of the product, its features and functionality.

● Chapter 2 describes how to perform the installation and first-time setup of the Summit WM-Series

Switch.

● Chapter 3 describes setting up the initial configuration, as well as configuring the data ports and

defining routing.

● Chapter 4 tells how to install the Altitude AP, how it discovers and registers with the Summit WM-

Series Switch, how to view and modify the radio configuration, and how to enable Dynamic Radio Frequency Management.

● Chapter 5 provides an overview of WM Access Domain Services (WM-AD), the mechanism by

which the Summit WM-Series Switch Software controls and manages network access.

● Chapter 6 gives detailed instructions in how to configure a WM-AD, its topology, authentication,

accounting, RADIUS policy, multicast, filtering and privacy. Both Captive Portal and AAA types of WM-AD are described.

● Chapter 7 describes how to set up the features that provide availability in the event of a Summit

WM-Series Switch failover, and mobility for a wireless device user.

● Chapter 8 includes functions, such as user privileges, network time, Check Point event logging and

SNMP.

● Chapter 9 describes how to use the Summit WM-Series Switch Software features with third-party

Altitude APs.

● Chapter 10 explains the security tool that scans for, detects and reports on rogue access points.

● Chapter 11 describes maintenance activities, such as software upgrades on both the Summit WM-

Series Switch and the Altitude AP. This chapter also includes information on the logs, traces, reports and displays available.

● Appendix A provides a reference on the LED displays and their significance.

● Appendix B provides a list of the CLI command line syntax.

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

About this Guide

● Appendix C provides background information on how the discovery process uses these network

services.

● Appendix D provides a reference list of RFCs supported.

● Appendix E provides information on a support tool.

● Appendix F provides a reference list of the RADIUS Attributes that are supported by the Summit

WM-Series Switch Software.

● Appendix G provides a reference list of the log and event messages.

● Appendix H provides regulatory information for the 6XPPLW:06HULHV6ZLWFKDQGWKH$OWLWXGH

:LUHOHVV$FFHVV3RLQW

This guide also contains a glossary of standard industry terms used in this guide.

Formatting conventions

The Summit WM-Series Switch Software documentation uses the following formatting conventions to make it easier to find information and follow procedures:

● Bold text is used to identify components of the management interface, such as menu items and

section of pages, as well as the names of buttons and text boxes.

For example: Click Logout.

● Monospace font is used in code examples and to indicate text that you type.

For example:

● The following symbols are used to draw your attention to additional information:

Type https://<hls-address>[:mgmt-port>]

NOTE

Notes identify useful information that is not essential, such as reminders, tips, or other ways to perform a task.

WARNING!

Warnings identify essential information. Ignoring a warning can lead to problems with the application.

Documentation feedback

If you have any problems using this document, please contact your next level of support:

● Customers should contact the Extreme Networks Technical Assistance Center (TAC).

When you call, please have the following information ready. This will help us to identify the document that you are referring to.

● Title: Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

● Part Number: 100198-00 Rev 01

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

Protocols and standards

Appendix D lists the protocols and standards supported by the Summit WM-Series Switch Software.

These lists include the Requests for Comment (RFCs) of the Internet Engineering Task Force (IETF) and the 802.11 standards developed by the Institute of Electrical and Electronics Engineers (IEEE).

Regulatory information

Appendix H provides regulatory information for the Summit WM-Series Switch and the $OWLWXGH

:LUHOHVV$FFHVV3RLQW

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

About this Guide

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

1 The Summit WM-Series Switch Software

solution

The next generation of Extreme Networks wireless networking devices provides a truly scalable WLAN solution. Extreme Networks Altitude APs are thin access points that are controlled through a sophisticated network device, the Summit WM-Series Switch. This solution provides the security and manageability required by enterprises and service providers alike.

The Summit WM-Series Switch Software system is a highly scalable wireless local area network (WLAN) solution developed by Extreme Networks. Based on a third generation WLAN topology, the Summit WM-Series Switch Software system makes wireless practical for medium and large-scale enterprises and for service providers.

The Summit WM-Series Switch Software system provides a secure, highly scalable, cost-effective solution based on the IEEE 802.11standard. The solution is intended for enterprise networks operating on many floors in more than one building, as well as in public environments such as airports and convention centers that require more than two access points.

This section provides an overview of the fundamental principles of the Summit WM-Series Switch Software system: what it is, how it works, and its advantages.

What is the Summit WM-Series Switch Software system?

The Summit WM-Series Switch Software system replaces the conventional access points used in wireless networking with two network devices that work as a system:

● Summit WM-Series Switch: A network device that provides smart centralized control over the

elements (Altitude APs) in the wireless network.

● Altitude APs: The access points for 802.11 clients (wireless devices) in the network, controlled by the

Summit WM-Series Switch. The Altitude AP is a “fit access point” because its wireless control is handled by the Summit WM-Series Switch. The Altitude AP is a dual-band access point, with both

802.11a and 802.11b/g radios.

Together, the Summit WM-Series Switch Software products enable a radically simplified new approach to setting up, administering and maintaining a WLAN. Summit WM-Series Switch Software provides a Layer 3 IP routed WLAN architecture. This architecture can be implemented over several subnets without requiring the configuration of virtual local area networks (VLANs).

Conventional wireless LANS

At its simplest, wireless communication between two or more computers requires that each one is equipped with a receiver/transmitter – a WLAN Network Interface Card (NIC) – capable of exchanging digital information over a common radio frequency. This is called an ad hoc configuration. An ad hoc network allows wireless devices to communicate together. This is an independent basic service set (IBSS).

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

The Summit WM-Series Switch Software solution

An alternative to the ad hoc configuration is the use of an access point. This may be a dedicated hardware router or a computer running special software. Computers and other wireless devices communicate with each other through this access point. The 802.11 standard defines Access Point communications as devices that allow wireless devices to communicate with a “distribution system”. This is a basic service set (BSS) or infrastructure network.

For the wireless devices to communicate with computers on a wired network, the access points must be connected into the wired network, and provide access to the networked computers. This is called bridging. Clearly, there are security issues and management scalability issues in this arrangement.

Figure 1: Standard wireless network solution

5$',86

DXWKHQWLFDWLRQ

VHUYHU

:LUHOHVV

GHYLFH

'+&3 VHUYHU

5RXWHU

(WKHUQHWVZLWFK

$FFHVV

SRLQW

:LUHOHVV

GHYLFH

The wireless devices and the wired networks communicate with each other using standard networking protocols and addressing schemes. Most commonly, Internet Protocol (IP) addressing is used.

While this topology works well enough for small installations, as the network grows the difficulty of setting up and administering all the individual access points expands as well. When the expanding network has to cope with a large number of wireless users all signing on and off at random times, the complexity grows rapidly. Imagine, for example, a university library filled with professors and students – all equipped with laptops. Or a conference full of delegates and exhibitors.

Clearly, there must be a better way than setting up each access point individually.

The Summit WM-Series Switch Software solution

The Summit WM-Series Switch Software solution consists of two devices:

● The Summit WM-Series Switch is a rack-mountable network device designed to be integrated into an

existing wired Local Area Network (LAN). It provides centralized control over all access points (both Altitude APs and third-party access points) and manages the network assignment of wireless device clients associating through access points.

● The Altitude AP is a wireless LAN fit access point (IEEE 802.11) provided with unique software that

allows it to communicate only with a Summit WM-Series Switch. (A fit access point handles the radio

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

What is the Summit WM-Series Switch Software system?

frequency (RF) communication but relies on a controller to handle WLAN elements such as authentication.) The Altitude AP also provides local processing such as encryption.

This architecture allows a single Summit WM-Series Switch to control many Altitude APs, making the administration and management of large networks much easier.

There can be several Summit WM-Series Switchs in the network, each with its set of registered Altitude APs. The Summit WM-Series Switchs can also act as backups to each other, providing stable network availability.

In addition to the Summit WM-Series Switchs and Altitude APs, the solution requires three other components, which are standard for enterprise and service provider networks:

● RADIUS Server (Remote Access Dial-In User Service) (RFC2865 and RFC2866), or other

authentication server. Assigns and manages ID and Password protection throughout the network. Used for authentication of the wireless users.

● DHCP Server (Dynamic Host Configuration Protocol) (RFC2131). Assigns IP addresses, gateways

and subnet masks dynamically. Also used by the Altitude APs to discover the location of the Summit WM-Series Switch during the initial registration process.

● SLP (Service Location Protocol) (RFC2608) supported on the DHCP server, when SLP is used as part

of the discovery mechanism.

Figure 2: Summit WM-Series Switch Software solution

5$',86

DXWKHQWLFDWLRQ

VHUYHU

6XPPLW:0

:LUHOHVV&RQWUROOHU

(WKHUQHWVZLWFK

:LUHOHVV$3

:LUHOHVV

GHYLFH

The Summit WM-Series Switch appears to the existing network as if it were an access point, but in fact one Summit WM-Series Switch controls many Altitude APs.

'+&3 VHUYHU

5RXWHU

(WKHUQHWVZLWFK

:LUHOHVV

GHYLFH

The Summit WM-Series Switch has built-in capabilities to recognize and manage the Altitude APs. The Summit WM-Series Switch activates the Altitude APs, enables them to receive wireless traffic from wireless devices, processes the data traffic from the Altitude APs and forwards or routes that data traffic out to the network. This processing includes authenticating requests and applying access policies.

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

The Summit WM-Series Switch Software solution

Simplifying the Altitude APs makes them:

● cost-effective

● easy to manage

● easy to deploy

Putting control on an intelligent centralized Summit WM-Series Switch enables:

● centralized configuration, management, reporting, maintenance

● high security

● flexibility to suit enterprise

● scalable and resilient deployments with a few Summit WM-Series Switches controlling hundreds of

Altitude APs

Here are some of the Summit WM-Series Switch Software system advantages:

Table 1: Advantages of the Summit WM-Series Switch Software system

Scales up to Enterprise capacity One Summit WM-Series Switch controls as many as 200 Altitude APs. In turn

each Altitude AP can handle up to 127 wireless devices. With additional Summit WM-Series Switches, the number of wireless devices the system can support is in the thousands.

Integrates in existing network A Summit WM-Series Switch can be added to an existing enterprise network as

a new network device, greatly enhancing its capability without interfering with existing functionality. Integration of the Summit WM-Series Switches and Altitude APs does not require any reconfiguration of the existing infrastructure (e.g., VLANs).

Offers centralized management and control

Provides easy deployment of Altitude APs

Provides security via user authentication

Provides security via filters and privileges

Supports seamless mobility and roaming

Integrates third-party access points

Prevents rogue devices Unauthorized access points will be detected and identified as harmless or

Provides accounting services Summit WM-Series Switch Software logs wireless user sessions, user group

Offers troubleshooting capability Summit WM-Series Switch Software logs system and session activity and

Offers dynamic RF management Summit WM-Series Switch Software can automatically select channels and

An administrator accesses the Summit WM-Series Switch in its centralized location to monitor and administer the entire wireless network. The Summit WM-Series Switch has functionality to recognize, configure, and manage the Altitude APs and distribute new software releases.

The initial configuration of the Altitude APs on the centralized Summit WMSeries Switch can be done with an automatic “discovery” technique.

Summit WM-Series Switch Software uses existing authentication (AAA) servers to authenticate and authorize users.

Summit WM-Series Switch Software uses virtual networking techniques to create separate virtual networks with defined authentication and billing services, access policies and privileges.

Summit WM-Series Switch Software supports seamless roaming of a wireless device from one Altitude AP to another on the same Summit WM-Series Switch or on a different Summit WM-Series Switch.

Summit WM-Series Switch Software can integrate legacy third-party access points, using a combination of network routing and authentication techniques.

dangerous rogue APs.

activity, and other activity reporting, enabling the generation of consolidated billing records.

provides reports to aid in troubleshooting analysis.

adjust Radio Frequency (RF) signal propagation power levels without user intervention.

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

Summit WM-Series Switch Software and your network

Components of the solution: a summary

The following is a summary checklist of the components of the Summit WM-Series Switch Software solution on your enterprise network. These are described in detail in this guide.

● The Summit WM-Series Switch, providing centralized control over all access points (both Altitude

APs and third-party access points) and manages the network assignment of wireless device clients associating through access points.

● The Altitude AP is a wireless LAN thin access point (IEEE 802.11) that communicates only with a

Summit WM-Series Switch.

● RADIUS Server (Remote Access Dial-In User Service) (RFC2865), or other authentication server.

Assigns and manages ID and Password protection throughout the network. Used for authentication of the wireless users in either 802.1x or Captive Port security modes.

The RADIUS Server system can be set up for certain standard attributes, such as Filter-ID, and for the Vendor Specific Attributes (VSAs).

● DHCP Server (Dynamic Host Configuration Protocol) (RFC2131). Assigns IP addresses, gateways

and subnet masks dynamically. IP address assignment for clients can be done by the DCHP server internal to the Summit WM-Series Switch, or by existing servers using DHCP relay. Also used by the Altitude APs to discover the location of the Summit WM-Series Switch during the initial registration process. For SLP, DHCP should have Option 78 enabled (Option 78 specifies the location of one or more SLP Directory Agents).

● Service Location Protocol (SLP) (SLP RFC2608). Client applications are User Agents and services are

advertised by Service Agents. In larger installations, a Directory Agent collects information from Service Agents and creates a central repository. The Extreme Networks solution relies on registering “extreme” as an SLP Service Agent.

● Domain Name Server (DNS), for an alternate mechanism (if present on the enterprise network) for

the automatic discovery process. Summit WM-Series Switch Software relies on the DNS for Layer 3 deployments and for static configuration of Altitude APs. The Extreme Networks solution relies on registering “controller” as the DNS name.

● Web Authentication Server, if desired for external authentication.

● RADIUS Accounting Server (Remote Access Dial-In User Service) (RFC2866), if RADIUS

Accounting is enabled.

● Simple Network Management Protocol (SNMP) Manager Server, if forwarding SNMP messages is

enabled.

● Check Point Server, Check Point Event Logging API (ELA), for security event logging if a firewall

application is enabled.

● Network infrastructure, Ethernet switches and routers, must be configured to allow routing between

the various services noted above.

Routing must also be enabled between multiple Summit WM-Series Switches, for such Summit WMSeries Switch Software features as Availability, WM-AD Manager for mobility, Third-Party Access Points, and Summit Spy for detection of rogue access points (some features require the definition of static routes).

● Web Browser, providing access to the Summit WM-Series Switch Management GUI to configure

Summit WM-Series Switch Software.

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

The Summit WM-Series Switch Software solution

● a device that supports SSH, for serial port access to the Command Line Interface (CLI), for file

management and monitoring by a network technician.

Network traffic flow

Figure 3: Traffic Flow diagram

6XPPLW:0:LUHOHVV&RQWUROOHU

FRQWUROURXWLQJ

6:&DXWKHQWLFDWHV

ZLUHOHVVXVHUIRUZDUGV,3

SDFNHWWRZLUHGQHWZRUN

6XPPLW:0:LUHOHVV&RQWUROOHU

:LUHOHVV$3WXQQHOLQJ

$3VHQGVGDWDWUDIILFWR6:&

WKURXJKD8'3WXQQHO

6:&FRQWUROV$3WKURXJK

D8'3WXQQHO

8VLQJWKH8'3WXQQHOV6:&

DOORZVZLUHOHVVFOLHQWVWR

URDPWR$3VRQGLIIHUHQW6:&V



,3SDFNHWWUDQVPLVVLRQ

EHDFRQSUREH

ZLUHOHVVGHYLFHDVVRFLDWHV

ZLWKD:LUHOHVV$3E\LWV66,'

6XPPLW:0

:LUHOHVV&RQWUROOHU

:LUHOHVV$3

:LUHOHVVGHYLFH

5$',86

DXWKHQWLFDWLRQ

VHUYHU

'+&3 VHUYHU

(WKHUQHW

VZLWFK

([WHUQDOZHE

DXWKHQWLFDWLRQ

VHUYHU

5RXWHU

(WKHUQHWVZLWFK

:LUHOHVVGHYLFH

The diagram above shows a simple configuration with a single Summit WM-Series Switch and two Altitude APs, each supporting a wireless device. A RADIUS server on the network provides authentication, and a DHCP server is used by the Altitude APs to discover the location of the Summit WM-Series Switch during the initial registration process. Also present in the network are routers and ethernet switches.

Each wireless device sends IP packets in the 802.11 standard to the Altitude AP. The Altitude AP uses a UDP (User Datagram Protocol) based tunnelling protocol to encapsulate the packets and forward them to the Summit WM-Series Switch.

The Summit WM-Series Switch decapsulates the packets, and routes these to destinations on the network, after authentication by the RADIUS server.

The Summit WM-Series Switch functions like a standard router, except that it is configured to route only network traffic associated with wireless connected users. The Summit WM-Series Switch can also be configured to simply forward traffic to a default or static route if dynamic routing is not preferred.

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

Summit WM-Series Switch Software and your network

Network security

The Summit WM-Series Switch Software system provides features and functionality to control network access. These are based on standard wireless network security practices.

Current wireless network security methods provide a degree of protection. These methods include:

● Shared Key authentication that relies on Wired Equivalent Privacy (WEP) keys

● Open System that relies on Service Set Identifiers (SSIDs)

● 802.1x that is compliant with Wi-Fi Protected Access (WPA)

● Captive Portal based on Secure Sockets Layer (SSL) protocol

The Summit WM-Series Switch Software system supports these encryption approaches:

● Wired Equivalent Privacy (WEP), a security protocol for wireless local area networks defined in the

802.11b standard

● Wi-Fi Protected Access version 1 (WPA1

● Wi-Fi Protected Access version 2 (WPA2

Mode with Chipher Block Chaining Message Authentication Code (CCMP).

) with Temporal Key Integrity Protocol (TKIP)

) with Advanced Encryption Standard (AES) and Counter

Authentication

The Summit WM-Series Switch relies on a RADIUS server, or authentication server, on the enterprise network to provide the authentication information (whether the user is to be allowed or denied access to the network).

The Summit WM-Series Switch provides authentication using:

● Captive Portal, a browser-based mechanism that forces users to a web page

● RADIUS (using IEEE 802.1x)

The 802.1x mechanism is a standard for authentication developed within the 802.11 standard. This mechanism is implemented at the port, blocking all data traffic between the wireless device and the network until authentication is complete. Authentication by 802.1x standard uses Extensible Authentication Protocol (EAP) for the message exchange between the Summit WM-Series Switch and the RADIUS server.

When 802.1x is used for authentication, the Summit WM-Series Switch provides the capability to dynamically assign per-wireless-device WEP keys (called per-station WEP keys in 802.11).

In Summit WM-Series Switch Software, a RADIUS redundancy feature is provided, where you can define a failover RADIUS server (up to 2 servers) in the event that the active RADIUS server fails.

Privacy

Privacy is a mechanism that protects data over wireless and wired networks, usually by encryption techniques.

Summit WM-Series Switch Software supports the Wired Equivalent Privacy (WEP) standard common to conventional access points.

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

The Summit WM-Series Switch Software solution

It also provides Wi-Fi Protected Access version 1 (WPA v.1) encryption, based on Pairwise Master Key (PMK) and Temporal Key Integrity Protocol (TKIP). The most secure encryption mechanism is WPA version 2 using Advanced Encryption Standard (AES).

Interaction with wired networks: Wireless Mobility Access Domain

Summit WM-Series Switch Software provides a versatile means of mapping wireless networks to the topology of an existing wired network. This is accomplished through the assignment of WM Access Domain Services.

When you set up WM Access Domain Services (WM-AD) on the Summit WM-Series Switch, you are defining subnets for groups of wireless users. This WM-AD definition creates a virtual IP subnet where the Summit WM-Series Switch acts as a default gateway for wireless devices.

This technique enables policies and authentication to be applied to the groups of wireless users on a WM-AD, as well as the collecting of accounting information on user sessions that can be used for billing.

When a WM-AD is set up on the Summit WM-Series Switch:

● one or more Altitude APs (by radio) are associated with it

● a range of IP addresses is set aside for the Summit WM-Series Switch’s DHCP server to assign to

wireless devices

If routing protocol is enabled, the Summit WM-Series Switch advertises the WM-AD as a routable network segment to the wired network, and routes traffic between the wireless devices and the wired network.

Each radio on a Altitude AP can participate in up to four WM-ADs, via the multi-SSID function.

Static routing and routing protocols

Routing can be used on the Summit WM-Series Switch to support the WM-AD definitions.

In the User Interface, you can configure routing on the Summit WM-Series Switch to use one of the following routing techniques:

● Static routes: Use static routes to set the default route of a Summit WM-Series Switch so that

legitimate wireless device traffic can be forwarded to the default gateway.

● Open Shortest Path First (OSPF, version 2) (RFC2328): Use OSPF to specify the next best hop (route)

of a Summit WM-Series Switch. Open Shortest Path First (OSPF) is a protocol designed for medium and large IP networks, with the ability to segment routers into different routing areas for routing information summarization and propagation.

● Next Hop Routing: Use next hop routing as part of a WM-AD definition to specify a unique default

gateway to which traffic on a unique WM-AD is forwarded.

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

Summit WM-Series Switch Software and your network

Policy: packet filtering

Policy refers to the rules that allow different network access to different groups of users. The Summit WM-Series Switch Software system can link authorized users to user groups. These user groups then can be confined to predefined portions of the network.

In the Summit WM-Series Switch Software system, policy is carried out by means of packet filtering, within a WM-AD.

In the Summit WM-Series Switch user interface, you set up a filtering policy by defining a set of hierarchical rules that allow (or deny) traffic to specific IP addresses, IP address ranges, or services (ports). The sequence and hierarchy of these filtering rules must be carefully designed, based on your enterprise’s user access plan.

The authentication technique selected determines how filtering is carried out:

● If authentication is by SSID and Captive Portal, a non-authenticated filter will allow all users to get

as far as the Captive Portal web page, where login occurs. When authentication is returned, then filters are applied, based on user ID and permissions.

● If authentication is by AAA (802.1x), users will already have logged in and have been authenticated

before being assigned an IP address. At this point, filters are applied, based on user ID and permissions.

Mobility and roaming

The 802.11 standard allows a wireless device to preserve its IP connection when it roams from one access point to another on the same subnet. However, if a user roams to an access point on a different subnet, the user is disconnected.

Summit WM-Series Switch Software has functionality that supports mobility on any subnet in the network. Wireless device users can roam between Altitude APs on any subnet without having to renew the IP connection.

The Summit WM-Series Switch stores the wireless device’s current session information, such as IP address and MAC address. If the wireless device has not disassociated, then when it requests network access on a different Altitude AP, the Summit WM-Series Switch can match its session information and recognize it as still in a current session.

In addition, a Summit WM-Series Switch can learn about other Summit WM-Series Switches on the network, and then exchange client session information. This enables a wireless device user to roam seamlessly between different Altitude APs on different Summit WM-Series Switches.

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

The Summit WM-Series Switch Software solution

Availability

Summit WM-Series Switch Software provides seamless availability against Altitude AP outages, Summit WM-Series Switch outages, and even network outages.

For example, if one Altitude AP fails, coverage for the wireless device is automatically provided by the next nearest Altitude AP.

If a Summit WM-Series Switch fails, all of its associated Altitude APs, or access points, can automatically migrate to another Summit WM-Series Switch that has been defined as the secondary or backup Summit WM-Series Switch. When the original Summit WM-Series Switch returns to the network, the Altitude APs automatically re-establish their normal connection with their original Summit WM-Series Switch.

Quality of Service (QoS)

Summit WM-Series Switch Software provides advanced Quality of Service (QoS) management, in order to provide better network traffic flow. Such techniques include:

● WMM (Wi-Fi Multimedia): enabled globally on the Altitude AP. For devices with WMM enabled.,

the standard provides multimedia enhancements for audio, video, and voice applications. WMM shortens the time between transmitting packets for higher priority traffic. WMM is part of the

802.11e standard for QoS.

● IP ToS (Type of Service) or DSCP (Diffserv Codepoint): the ToS/DSCP field in the IP header of a

frame is used to indicate the priority and Quality of Service for each frame. The IP TOS and/or DSCP is maintained within CTP (CAPWAP Tunneling Protocol) by copying the user IP QoS information to the CTP header — this is referred to as Adaptive QoS.

Quality of Service (QoS) management is also provided by:

● assigning high priority to an SSID (configurable)

● Adaptive QoS (automatic)

● support for legacy devices that use SpectraLink Voice Protocol (SVP) for prioritizing voice traffic

(configurable)

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

2 Summit WM-Series Switch: Startup

Summit WM-Series Switch features and installation

The Summit WM-Series Switch is a network device designed to be integrated into an existing wired Local Area Network (LAN).

Figure 4: The Summit WM-Series Switch

The Summit WM-Series Switch provides centralized management, network access and routing to wireless devices that are using Altitude APs to access the network. It can also be configured to handle data traffic from third-party access points.

The Summit WM-Series Switch performs the following functions:

● Controls and configures Altitude APs, providing centralized management

● Authenticates wireless devices that contact a Altitude AP

● Assigns each wireless device to a WM-AD when it connects

● Routes traffic from wireless devices, using WM-ADs, to the wired network

● Applies filtering policies to the wireless device session

● Provides session logging and accounting capability

The Summit WM-Series Switch is rack-mountable. It comes in the following product families:

Model Number Specifications

Summit WM-Series Switch Summit WM100

Summit WM-Series Switch Summit WM1000

• Four Fast-Ethernet ports, (10/100 BaseT), supporting up to 75 Altitude APs

• One management port, (10/100 BaseT)

• One console port (DB9 serial)

• Power supply redundant (R)

• Two GigE ports (dual 1GB SX network interfaces), supporting up to 200 Altitude APs

• One management port, (10/100 BaseT)

• One console port (DB9 serial)

• Power supply redundant (R)

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

Summit WM-Series Switch: Startup

Installing the Summit WM-Series Switch

Before you begin installation, make sure that a site survey has been done, to determine the number and location of Altitude APs and Summit WM-Series Switches required. The site survey should take a number of factors into consideration, including:

● coverage areas

● number of users

● architectural features that affect transmission

● existing wired network and access to ethernet cabling

● type of mount (wall, ceiling, plenum) for Altitude APs

● type of power (Power-over-Ethernet or AC adaptor) for Altitude APs

● physical security of the Summit WM-Series Switch, including access control

Installing the Summit WM-Series Switch

1 Unpack and mount the Summit WM-Series Switch following the detailed instructions in the Quick

Start Guide

2 Install the ferrite beads provided, black for the power cord and white for the ethernet cables, as

described in the Quick Start Guide.

3 Plug the Summit WM-Series Switch power supply (single or dual) in to the back of the Controller.

Figure 5: The Summit WM-Series Switch – back view diagram

3RZHUVXSSO\ 3RZHU2Q2IIVZLWFK

4 Perform initial setup of the Summit WM-Series Switch to change its factory default IP address.

5 After that, connect the Summit WM-Series Switch to the enterprise LAN.

'DWDSRUWVRU

0DQDJHPHQWSRUWV

First-time setup of Summit WM-Series Switch

Management port first-time setup

Before you can connect the Summit WM-Series Switch to the enterprise network, you must change the IP address of the Summit WM-Series Switch management port from its factory default to the IP address suitable for your enterprise network.

Access the Summit WM-Series Switch for initial setup by one of two methods:

● a device supporting VT100 emulation such as a PC running HyperTerm, attached to the Summit

WM-Series Switch’s DB9 serial port (COM1 port) via a cross-over (null modem) cable. The

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

First-time setup of Summit WM-Series Switch

Command Line Interface (CLI) commands for the initial setup are described in an attached appendix.

● a laptop computer, running a web browser such as Internet Explorer 6.0 (or higher), attached to the

Summit WM-Series Switch’s ethernet Management Port (RJ45 port) via an ethernet cross-over cable (cable provided with the Summit WM-Series Switch). The steps for initial setup in the Graphical User Interface are described below.

The factory default management port setup of the Summit WM-Series Switch is:

Hostname: SWM

Management Port IP address: 192.168.10.1:5825

Management Network Mask: 255.255.255.0

Changing the Management Port IP address: web browser method

1 Connect a cross-over ethernet cable between the ethernet port of the laptop and ethernet

Management Port of the Summit WM-Series Switch.

2 Statically assign an unused IP address in the 192.168.10.0/24 subnet for the ethernet port of the PC

(for example, 192.168.10.205).

3 Run Internet Explorer (version 6.0 or above) or other web browser on the laptop.

4 Point the browser to the URL https://192.168.10.1:5825. This URL launches the web-based GUI on

the Summit WM-Series Switch. The login screen appears.

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

Summit WM-Series Switch: Startup

5 Key in the factory default User Name (“admin”) and Password (“abc123”). Click on the Login

button. The main menu screen appears.

6 Click on the Summit WM-Series Switch Configuration menu option to navigate to the Summit WM-

Series Switch Configuration screen.

7 In the left-hand list, click on the IP Addresses option. The Management Port Settings area (top

portion of the screen) displays the factory settings for the Summit WM-Series Switch.

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

First-time setup of Summit WM-Series Switch

8 To modify Management Port Settings, click the Modify button. The System Port Configuration screen

appears.

9 Key in:

Hostname The name of the Summit WM-Series Switch

Domain The IP domain name of the enterprise network

Management IP Address The new IP address for the Summit WM-Series Switch’s

management port (change this as appropriate to the enterprise network).

Subnet mask For the IP address, the appropriate subnet mask to separate the

network portion from the host portion of the address (typically

255.255.255.0)

Management Gateway The default gateway of the network.

Primary DNS The primary name server used by the network.

Secondary DNS The secondary name server used by the network

10 Click OK to return to the Summit WM-Series Switch Configuration screen.

11 Click on the Save button to save the port changes.

The web connection between the laptop and the Summit WM-Series Switch is now lost, because their IP addresses are now on different networks.

Adding the Summit WM-Series Switch to your enterprise network

1 Disconnect the laptop from the Summit WM-Series Switch Management Port.

2 Connect the Summit WM-Series Switch Management Port to the enterprise ethernet LAN.

The Summit WM-Series Switch resets automatically. Now you will be able to launch the Summit WMSeries Switch Software GUI again, with the system visible to the enterprise network.

The remaining steps in initial configuration of the Summit WM-Series Switch Software system are described in the next topic, after an overview of the GUI.

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

Summit WM-Series Switch: Startup

The graphical user interface (GUI): overview

The administrator can configure and administer the Summit WM-Series Switch Software system using the web-based Graphical User Interface.

To run the graphical user interface

1 Launch Microsoft Internet Explorer (version 6.0 or above), or other web browser.

2 In the address bar, key in the URL https://x.x.x.x:5825 (your management gateway as defined in

initial setup plus port 5825, formerly factory default 192.168.10.1:5825). The Summit WM-Series Switch Software login screen appears.

3 Key in the factory default User Name (”admin”) and Password (“abc123”). Click on the Login

button. The main menu screen appears.

NOTE

You can define which user names have full read/write access to the user interface (“Admin” users) and which users have “read-only” privileges. This is done the Summit WM-Series Switch Configuration: Management Users screen.

The main areas in the Summit WM-Series Switch Software user interface are accessed from the main menu, or by clicking on the appropriate tab across the top of each screen. Within each area, to access the associated subscreens, click on the screen name in the left-hand list.

Table 2: Summit WM-Series Switch Software user interface summary

Tab Screen Function

Logs & Traces Logs normal events and alarm events

Trace logs are by component.

Reports & Displays Access to various on-screen reports

Summit WM-Series Switch Configuration

Altitude AP Configuration Highlight a AP

System Maintenance Routing Protocols IP Addresses

Check Point Summit Spy WM-AD Manager SNMP Network Time Management Users Software Maintenance

Access Approval AP Maintenance AP Registration Client Disassociate

Tasks including shutdown, enable syslog. Define static routes, configure OSPF. Set up management port (Modify screen) Set up the data ports. Enable event logging for Check Point. Enable “detect rogue APs” mechanism. Manage multiple Summit WM-Series Switches. Enable SNMP messages to be sent. Configure synchronized time. Define user level.< Product Keys and software upgrades.

Modify properties, radios, static config. Modify the status of a Altitude AP. View and set up AP software upgrade. Define registration mode, pairing of APs. Force a wireless device to disassociate.

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

The graphical user interface (GUI): overview

Table 2: Summit WM-Series Switch Software user interface summary (Continued)

Tab Screen Function

WM-AD Configuration Global Settings

Add a subnet WM-AD Topology WM-AD Authen & Acct WM-AD RADIUS Policy WM-AD Filtering WM-AD Privacy

Summit Spy Configure and view reports for the Summit Spy

Define RADIUS servers,& global settings Left-hand list. Enter name. Click to add. Define the WM-AD topology, authentication and accounting set up Define Filter IDs Define filtering rules to control access Set up WEP keys or WPA privacy.

(rogue access point detection)

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

Summit WM-Series Switch: Startup

Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide

+ 198 hidden pages

Extreme Networks A3502A Users Manual

Specifications and Main Features

Frequently Asked Questions

User Manual