Extreme Networks AP3917E User Guide

Download

ExtremeWireless™ V10.41.06 User Guide

9035198-03-REV01

Published April 2018

Legal Notice

Trademarks

Software Licensing

Support

Extreme Networks, Inc. reserves the right to make changes in speciﬁcations and other information contained in this document and its website without prior notice. The reader should in all cases consult representatives of Extreme Networks to determine whether any such changes have been made.

The hardware, ﬁrmware, software or any speciﬁcations described or referred to in this document are subject to change without notice.

Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries.

All other names (including any product names) mentioned in this document are the property of their respective owners and may be trademarks or registered trademarks of their respective companies/owners.

For additional information on Extreme Networks trademarks, please see:

www.extremenetworks.com/company/legal/trademarks

Some software ﬁles have been licensed under certain open source or third-party licenses. Enduser license agreements and open source declarations can be found at:

www.extremenetworks.com/support/policies/software-licensing

For product support, phone the Global Technical Assistance Center (GTAC) at 1-800-998-2408 (toll-free in U.S. and Canada) or +1-408-579-2826. For the support phone number in other countries, visit: http://www.extremenetworks.com/support/contact/

For product documentation online, visit: https://www.extremenetworks.com/documentation/

Table of Contents

Preface......................................................................................................................................... 7

Text Conventions...................................................................................................................................................................7

Safety Information................................................................................................................................................................7

Sicherheitshinweise..............................................................................................................................................................8

Consignes De Sécurité....................................................................................................................................................... 9

Providing Feedback to Us...............................................................................................................................................10

Getting Help............................................................................................................................................................................ 11

Extreme Networks Documentation.............................................................................................................................11

Chapter 1: About This Guide................................................................................................... 12

Who Should Use This Guide...........................................................................................................................................12

How to Use This Guide......................................................................................................................................................12

Chapter 2: Overview of the ExtremeWireless Solution......................................................14

Introduction............................................................................................................................................................................14

Conventional Wireless LANs..........................................................................................................................................15

Elements of the ExtremeWireless Solution.............................................................................................................15

ExtremeWireless and Your Network.......................................................................................................................... 19

ExtremeWireless Appliance Product Family.........................................................................................................29

Chapter 3: Conﬁguring the ExtremeWireless Appliance....................................................31

System Conﬁguration Overview...................................................................................................................................31

Logging on to the ExtremeWireless Appliance...................................................................................................33

Wireless Assistant Home Screen................................................................................................................................ 34

Working with the Basic Installation Wizard.......................................................................................................... 39

Conﬁguring the ExtremeWireless Appliance for the First Time................................................................. 45

Using a Third-party Location-based Solution......................................................................................................95

Additional Ongoing Operations of the System...................................................................................................99

Chapter 4: Conﬁguring the ExtremeWireless APs.............................................................101

Wireless AP Overview..................................................................................................................................................... 101

Discovery and Registration..........................................................................................................................................120

Viewing a List of All APs................................................................................................................................................125

Wireless AP Default Conﬁguration...........................................................................................................................134

Conﬁguring Wireless AP Properties........................................................................................................................ 156

Outdoor Access Point Installation............................................................................................................................ 167

Assigning Wireless AP Radios to a VNS............................................................................................................... 168

Conﬁguring Wireless AP Radio Properties...........................................................................................................174

Conﬁguring IoT Applications...................................................................................................................................... 189

Setting Up the Wireless AP Using Static Conﬁguration................................................................................199

Setting Up 802.1x Authentication for a Wireless AP......................................................................................203

Conﬁguring Co-Located APs in Load Balance Groups.................................................................................. 213

Conﬁguring an AP Cluster...........................................................................................................................................220

Conﬁguring an AP as a Guardian..............................................................................................................................221

Conﬁguring a Captive Portal on an AP.................................................................................................................222

AP3916ic Integrated Camera Deployment.......................................................................................................... 226

Performing AP Software Maintenance.................................................................................................................. 235

Understanding the ExtremeWireless LED Status............................................................................................ 242

ExtremeWireless™ V10.41.06 User Guide

Table of Contents

Chapter 5: Conﬁguring Topologies.....................................................................................262

Topology Overview.........................................................................................................................................................262

Conﬁguring the Admin Port.......................................................................................................................................263

Conﬁguring a Basic Data Port Topology..............................................................................................................266

Creating a Topology Group........................................................................................................................................ 270

Edit or Delete a Topology Group...............................................................................................................................271

Enabling Management Trac.................................................................................................................................... 272

Layer 3 Conﬁguration.................................................................................................................................................... 272

Exception Filtering..........................................................................................................................................................278

Multicast Filtering..............................................................................................................................................................281

Chapter 6: Conﬁguring Roles.............................................................................................. 284

Roles Overview.................................................................................................................................................................284

Conﬁguring Default VLAN and Class of Service for a Role........................................................................284

Policy Rules.........................................................................................................................................................................288

Chapter 7: Conﬁguring WLAN Services..............................................................................318

WLAN Services Overview.............................................................................................................................................318

Third-party AP WLAN Service Type....................................................................................................................... 319

Conﬁguring a Basic WLAN Service......................................................................................................................... 319

Conﬁguring Privacy.........................................................................................................................................................327

Conﬁguring Accounting and Authentication.....................................................................................................334

Conﬁguring QoS Modes...............................................................................................................................................370

Conﬁguring Hotspots.................................................................................................................................................... 376

Chapter 8: Conﬁguring a VNS............................................................................................. 390

Conﬁguring a VNS.......................................................................................................................................................... 390

VNS Global Settings.......................................................................................................................................................392

Methods for Conﬁguring a VNS............................................................................................................................... 423

Manually Creating a VNS............................................................................................................................................. 423

Creating a VNS Using the Wizard...........................................................................................................................426

Enabling and Disabling a VNS...................................................................................................................................485

Renaming a VNS..............................................................................................................................................................486

Deleting a VNS................................................................................................................................................................. 486

Chapter 9: Conﬁguring Classes of Service........................................................................ 487

Classes of Service Overview...................................................................................................................................... 487

Conﬁguring Classes of Service................................................................................................................................. 487

CoS Rule Classiﬁcation.................................................................................................................................................490

Priority and ToS/DSCP Marking................................................................................................................................ 491

Rate Limiting......................................................................................................................................................................492

Chapter 10: Conﬁguring Sites............................................................................................. 494

VNS Sites Overview.......................................................................................................................................................494

Conﬁguring Sites.............................................................................................................................................................494

Recommended Deployment Guidelines...............................................................................................................495

Radius Conﬁguration.....................................................................................................................................................499

Selecting AP Assignments......................................................................................................................................... 500

Selecting WLAN Assignments...................................................................................................................................501

Chapter 11: Working with a Mesh Network........................................................................ 502

About Mesh........................................................................................................................................................................ 502

ExtremeWireless™ V10.41.06 User Guide 4

Table of Contents

Simple Mesh Conﬁguration.........................................................................................................................................502

Wireless Repeater Conﬁguration.............................................................................................................................503

Wireless Bridge Conﬁguration..................................................................................................................................504

Examples of Deployment............................................................................................................................................ 505

Mesh WLAN Services.................................................................................................................................................... 505

Key Features of Mesh.................................................................................................................................................... 509

Deploying the Mesh System......................................................................................................................................... 511

Changing the Pre-shared Key in a Mesh WLAN Service............................................................................... 517

Chapter 12: Working with a Wireless Distribution System...............................................518

About WDS..........................................................................................................................................................................518

Simple WDS Conﬁguration.......................................................................................................................................... 518

Wireless Repeater Conﬁguration.............................................................................................................................. 519

Wireless Bridge Conﬁguration.................................................................................................................................. 520

Examples of Deployment..............................................................................................................................................521

WDS WLAN Services......................................................................................................................................................521

Key Features of WDS..................................................................................................................................................... 525

Deploying the WDS System....................................................................................................................................... 528

Changing the Pre-shared Key in a WDS WLAN Service..............................................................................536

Chapter 13: Availability and Session Availability.............................................................. 537

Availability........................................................................................................................................................................... 537

Session Availability..........................................................................................................................................................545

Viewing SLP Activity......................................................................................................................................................553

Chapter 14: Conﬁguring Mobility........................................................................................ 555

Mobility Overview............................................................................................................................................................555

Mobility Domain Topologies....................................................................................................................................... 556

Conﬁguring a Mobility Domain................................................................................................................................. 558

Chapter 15: Working with Third-party APs.........................................................................561

Deﬁning Authentication by Captive Portal for the Third-party AP WLAN Service.........................561

Deﬁning the Third-party APs List.............................................................................................................................561

Deﬁning Policy Rules for the Third-party APs....................................................................................................561

Chapter 16: Working with ExtremeWireless Radar.......................................................... 563

Radar Overview................................................................................................................................................................563

Radar Components.........................................................................................................................................................564

Radar License Requirements.....................................................................................................................................565

Enabling the Analysis Engine.....................................................................................................................................565

Radar Scan Proﬁles.........................................................................................................................................................566

AirDefense Proﬁle............................................................................................................................................................567

Viewing Existing Radar Proﬁles................................................................................................................................. 571

Adding a New Radar Proﬁle....................................................................................................................................... 573

Conﬁguring an In-Service Scan Proﬁle..................................................................................................................574

Conﬁguring a Guardian Scan Proﬁle...................................................................................................................... 577

Assigning an AP to a Proﬁle........................................................................................................................................581

Viewing the List of Assigned APs.............................................................................................................................581

Maintaining the Radar List of APs........................................................................................................................... 582

Working with Radar Reports..................................................................................................................................... 593

Chapter 17: Working with Location Engine.......................................................................605

Location Engine Overview..........................................................................................................................................605

ExtremeWireless™ V10.41.06 User Guide 5

Table of Contents

Location Engine on the Controller..........................................................................................................................607

Deploying APs for Location Aware Services.....................................................................................................608

Conﬁguring the Location Engine............................................................................................................................ 609

ExtremeLocation Support............................................................................................................................................619

Chapter 18: Working with Reports and Statistics..............................................................621

Application Visibility and Device ID.........................................................................................................................621

Viewing AP Reports and Statistics..........................................................................................................................627

Available Client Reports...............................................................................................................................................642

Viewing Role Filter Statistics..................................................................................................................................... 646

Viewing Topology Reports......................................................................................................................................... 648

Viewing Mobility Reports............................................................................................................................................ 650

Viewing Controller Status Information..................................................................................................................654

Viewing Routing Protocol Reports..........................................................................................................................657

Viewing RADIUS Reports............................................................................................................................................660

Call Detail Records (CDRs).........................................................................................................................................663

Chapter 19: Performing System Administration................................................................669

Performing Wireless AP Client Management.................................................................................................... 669

Deﬁning Wireless Assistant Administrators and Login Groups................................................................ 673

Chapter 20: Logs, Traces, Audits and DHCP Messages................................................... 676

ExtremeWireless Appliance Messages..................................................................................................................676

Working with Logs..........................................................................................................................................................676

Viewing Wireless AP Traces....................................................................................................................................... 684

Viewing Audit Messages..............................................................................................................................................684

Viewing the DHCP Messages.....................................................................................................................................685

Viewing the NTP Messages........................................................................................................................................ 686

Viewing Software Upgrade Messages................................................................................................................... 687

Viewing Conﬁguration Restore/Import Messages..........................................................................................689

Chapter 21: Working with GuestPortal Administration................................................... 690

About GuestPortals........................................................................................................................................................690

Adding New Guest Accounts....................................................................................................................................690

Enabling or Disabling Guest Accounts................................................................................................................. 693

Editing Guest Accounts................................................................................................................................................693

Removing Guest Accounts.........................................................................................................................................694

Importing and Exporting a Guest File...................................................................................................................695

Viewing and Printing a GuestPortal Account Ticket...................................................................................... 698

Working with the Guest Portal Ticket Page.......................................................................................................700

Conﬁguring Guest Password Patterns................................................................................................................... 701

Conﬁguring Web Session Timeouts.......................................................................................................................704

Appendix A: Regulatory Information................................................................................. 705

ExtremeWireless APs 37XX , 38XX, and 39XX................................................................................................. 705

Appendix B: Default GuestPortal Ticket Page.................................................................. 706

Example Ticket Page..................................................................................................................................................... 706

Glossary.........................................................................................................................................709

ExtremeWireless™ V10.41.06 User Guide 6

Preface

Icon Notice Type Alerts you to...

Convention Description

enter

type

This section discusses the conventions used in this guide, ways to provide feedback, additional help, and other Extreme Networks publications.

Text Conventions

The following tables list text conventions that are used throughout this guide.

Table 1: Notice Icons

General Notice Helpful tips and notices for using the product.

Note Important features or instructions.

Caution Risk of personal injury, system damage, or loss of data.

Warning Risk of severe personal injury.

New!

Table 2: Text Conventions

Screen displays

The words e

[Key] names Key names are written with brackets, such as [Return] or [Esc]. If you must press two

Words in italicized type Italics emphasize a point or denote new terms at the place where they are deﬁned in

and

Safety Information

Dangers

Replace the power cable immediately if it shows any sign of damage.

•

Replace any damaged safety equipment (covers, labels and protective cables) immediately.

•

New Content Displayed next to new content. This is searchable text within the PDF.

This typeface indicates command syntax, or represents information as it appears on the screen.

When you see the word “enter” in this guide, you must type something, and then press the Return or Enter key. Do not press the Return or Enter key when an instruction simply says “type.”

or more keys simultaneously, the key names are linked with a plus sign (+). Example: Press [Ctrl]+[Alt]+[Del]

the text. Italics are also used when referring to publication titles.

ExtremeWireless™ V10.41.06 User Guide

Use only original accessories or components approved for the system. Failure to observe these

•

instructions may damage the equipment or even violate safety and EMC regulations. Only authorized Extreme Networks service personnel are permitted to service the system.

•

Warnings

This device must not be connected to a LAN segment with outdoor wiring.

•

Ensure that all cables are run correctly to avoid strain.

•

Replace the power supply adapter immediately if it shows any sign of damage.

•

Disconnect all power before working near power supplies unless otherwise instructed by a

•

maintenance procedure. Exercise caution when servicing hot swappable components: power supplies or fans. Rotating fans

•

can cause serious personal injury. This unit may have more than one power supply cord. To avoid electrical shock, disconnect all power

•

supply cords before servicing. In the case of unit failure of one of the power supply modules, the module can be replaced without interruption of power to the ExtremeWireless Appliance. However, this procedure must be carried out with caution. Wear gloves to avoid contact with the module, which will be extremely hot.

There is a risk of explosion if a lithium battery is not correctly replaced. The lithium battery must be

•

replaced only by an identical battery or one recommended by the manufacturer. Always dispose of lithium batteries properly.

•

Do not attempt to lift objects that you think are too heavy for you.

•

Preface

Cautions

Check the nominal voltage set for the equipment (operating instructions and type plate). High

•

voltages capable of causing shock are used in this equipment. Exercise caution when measuring high voltages and when servicing cards, panels, and boards while the system is powered on.

Only use tools and equipment that are in perfect condition. Do not use equipment with visible

•

damage. To protect electrostatic sensitive devices (ESD), wear a wristband before carrying out any work on

•

hardware. Lay cables so as to prevent any risk of them being damaged or causing accidents, such as tripping.

•

Sicherheitshinweise

Gefahrenhinweise

Sollte das Netzkabel Anzeichen von Beschädigungen aufweisen, tauschen Sie es sofort aus.

•

Tauschen Sie beschädigte Sicherheitsausrüstungen (Abdeckungen, Typenschilder und Schutzkabel)

•

sofort aus. Verwenden Sie ausschließlich Originalzubehör oder systemspeziﬁsch zugelassene Komponenten.

•

Die Nichtbeachtung dieser Hinweise kann zur Beschädigung der Ausrüstung oder zur Verletzung von Sicherheits- und EMV-Vorschriften führen.

Das System darf nur von autorisiertem Extreme Networks-Servicepersonal gewartet werden.

•

ExtremeWireless™ V10.41.06 User Guide 8

Warnhinweise

Dieses Gerät darf nicht über Außenverdrahtung an ein LAN-Segment angeschlossen werden.

•

Stellen Sie sicher, dass alle Kabel korrekt geführt werden, um Zugbelastung zu vermeiden.

•

Sollte das Netzteil Anzeichen von Beschädigung aufweisen, tauschen Sie es sofort aus.

•

Trennen Sie alle Stromverbindungen, bevor Sie Arbeiten im Bereich der Stromversorgung

•

vornehmen, sofern dies nicht für eine Wartungsprozedur anders verlangt wird. Gehen Sie vorsichtig vor, wenn Sie an Hotswap-fähigen Wireless Controller-Komponenten

•

(Stromversorgungen oder Lüftern) Servicearbeiten durchführen. Rotierende Lüfter können ernsthafte Verletzungen verursachen.

Dieses Gerät ist möglicherweise über mehr als ein Netzkabel angeschlossen. Um die Gefahr eines

•

elektrischen Schlages zu vermeiden, sollten Sie vor Durchführung von Servicearbeiten alle Netzkabel trennen. Falls eines der Stromversorgungsmodule ausfällt, kann es ausgetauscht werden, ohne die Stromversorgung zum Wireless Controller zu unterbrechen. Bei dieser Prozedur ist jedoch mit Vorsicht vorzugehen. Das Modul kann extrem heiß sein. Tragen Sie Handschuhe, um Verbrennungen zu vermeiden.

Bei unsachgemäßem Austausch der Lithium-Batterie besteht Explosionsgefahr. Die Lithium-Batterie

•

darf nur durch identische oder vom Händler empfohlene Typen ersetzt werden. Achten Sie bei Lithium-Batterien auf die ordnungsgemäße Entsorgung.

•

Versuchen Sie niemals, ohne Hilfe schwere Gegenstände zu heben.

•

Preface

Vorsichtshinweise

Überprüfen Sie die für die Ausrüstung festgelegte Nennspannung (Bedienungsanleitung und

•

Typenschild). Diese Ausrüstung arbeitet mit Hochspannung, die mit der Gefahr eines elektrischen Schlages verbunden ist. Gehen Sie mit großer Vorsicht vor, wenn Sie bei eingeschaltetem System Hochspannungen messen oder Karten, Schalttafeln und Baugruppen warten.

Verwenden Sie nur Werkzeuge und Ausrüstung in einwandfreiem Zustand. Verwenden Sie keine

•

Ausrüstung mit sichtbaren Beschädigungen. Tragen Sie bei Arbeiten an Hardwarekomponenten ein Armband, um elektrostatisch gefährdete

•

Bauelemente (EGB) vor Beschädigungen zu schützen. Verlegen Sie Leitungen so, dass sie keine Unfallquelle (Stolpergefahr) bilden und nicht beschädigt

•

werden.

Consignes De Sécurité

Dangers

Si le cordon de raccordement au secteur est endommagé, remplacez-le immédiatement.

•

Remplacez sans délai les équipements de sécurité endommagés (caches, étiquettes et conducteurs

•

de protection). Utilisez uniquement les accessoires d'origine ou les modules agréés spéciﬁques au système. Dans le

•

cas contraire, vous risquez d'endommager l'installation ou d'enfreindre les consignes en matière de sécurité et de compatibilité électromagnétique.

Seul le personnel de service Extreme Networks est autorisé à maintenir/réparer le système.

•

ExtremeWireless™ V10.41.06 User Guide 9

Avertissements

Cet appareil ne doit pas être connecté à un segment de LAN à l'aide d'un câblage extérieur.

•

Vériﬁez que tous les câbles fonctionnent correctement pour éviter une contrainte excessive.

•

Si l'adaptateur d'alimentation présente des dommages, remplacez-le immédiatement.

•

Coupez toujours l'alimentation avant de travailler sur les alimentations électriques, sauf si la

•

procédure de maintenance mentionne le contraire. Prenez toutes les précautions nécessaires lors de l'entretien/réparations des modules du Wireless

•

Controller pouvant être branchés à chaud : alimentations électriques ou ventilateurs.Les ventilateurs rotatifs peuvent provoquer des blessures graves.

Cette unité peut avoir plusieurs cordons d'alimentation.Pour éviter tout choc électrique, débranchez

•

tous les cordons d'alimentation avant de procéder à la maintenance.En cas de panne d'un des modules d'alimentation, le module défectueux peut être changé sans éteindre le Wireless Controller. Toutefois, ce remplacement doit être eectué avec précautions. Portez des gants pour éviter de toucher le module qui peut être très chaud.

Le remplacement non conforme de la batterie au lithium peut provoquer une explosion. Remplacez

•

la batterie au lithium par un modèle identique ou par un modèle recommandé par le revendeur. Sa mise au rebut doit être conforme aux prescriptions en vigueur.

•

N'essayez jamais de soulever des objets qui risquent d'être trop lourds pour vous.

•

Preface

Précautions

Contrôlez la tension nominale paramétrée sur l'installation (voir le mode d'emploi et la plaque

•

signalétique). Des tensions élevées pouvant entraîner des chocs électriques sont utilisées dans cet équipement. Lorsque le système est sous tension, prenez toutes les précautions nécessaires lors de la mesure des hautes tensions et de l'entretien/réparation des cartes, des panneaux, des plaques.

N'utilisez que des appareils et des outils en parfait état. Ne mettez jamais en service des appareils

•

présentant des dommages visibles. Pour protéger les dispositifs sensibles à l'électricité statique, portez un bracelet antistatique lors du

•

travail sur le matériel. Acheminez les câbles de manière à ce qu'ils ne puissent pas être endommagés et qu'ils ne

•

constituent pas une source de danger (par exemple, en provoquant la chute de personnes).

Providing Feedback to Us

We are always striving to improve our documentation and help you work better, so we want to hear from you! We welcome all feedback but especially want to know about:

Content errors or confusing or conﬂicting information.

•

Ideas for improvements to our documentation so you can ﬁnd the information you need faster.

•

Broken links or usability issues.

•

If you would like to provide feedback to the Extreme Networks Information Development team about this document, please contact us using our short online feedback form. You can also email us directly at

internalinfodev@extremenetworks.com.

ExtremeWireless™ V10.41.06 User Guide 1

Getting Help

GTAC (Global Technical Assistance Center) for Immediate Support

Phone:

Email:

Extreme Portal

The Hub

If you require assistance, contact Extreme Networks using one of the following methods:

•

1-800-998-2408 (toll-free in U.S. and Canada) or +1 408-579-2826. For the support

•

phone number in your country, visit: www.extremenetworks.com/support/contact

support@extremenetworks.com. To expedite your message, enter the product name or

•

model number in the subject line.

•

download software, and obtain product licensing, training, and certiﬁcations.

•

share ideas and feedback. This community is monitored by Extreme Networks employees, but is not intended to replace speciﬁc guidance from GTAC.

Before contacting Extreme Networks for technical support, have the following information ready:

Your Extreme Networks service contract number and/or serial numbers for all involved Extreme

•

Networks products A description of the failure

•

A description of any action(s) already taken to resolve the problem

•

A description of your network environment (such as layout, cable type, other relevant environmental

•

information) Network load at the time of trouble (if known)

•

The device history (for example, if you have returned the device before, or if this is a recurring

•

problem) Any related RMA (Return Material Authorization) numbers

•

— Search the GTAC knowledge base, manage support cases and service contracts,

— A forum for Extreme customers to connect with one another, answer questions, and

Preface

Extreme Networks Documentation

To ﬁnd Extreme Networks product guides, visit our documentation pages at:

Current Product Documentation www.extremenetworks.com/documentation/

Archived Documentation (for earlier versions and legacy products)

Release Notes www.extremenetworks.com/support/release-notes

Open Source Declarations

Some software ﬁles have been licensed under certain open source licenses. More information is available at: www.extremenetworks.com/support/policies/software-licensing.

www.extremenetworks.com/support/documentation-archives/

ExtremeWireless™ V10.41.06 User Guide

1 About This Guide

Who Should Use This Guide

How to Use This Guide

For... Refer to...

This guide describes how to install, conﬁgure, and manage the Extreme Networks ExtremeWireless software. This guide is also available as an online help system.

To access the online help, click Help in the ExtremeWireless Assistant top menu bar.

Who Should Use This Guide

This guide is a reference for system administrators who install and manage the ExtremeWireless system.

Any administrator performing tasks described in this guide must have an account with administrative privileges.

How to Use This Guide

To locate information about various subjects in this guide, refer to the following table.

An overview of the product, its features and functionality. Overview of the ExtremeWireless Solution on

page 14

Information about how to perform the installation, ﬁrst time setup and conﬁguration of the controller, as well as conﬁguring the data ports and deﬁning routing.

Information on how to install the ExtremeWireless AP, how it discovers and registers with the controller, and how to view and modify radio conﬁguration.

An overview of topologies and provides detailed information about how to conﬁgure them.

An overview of roles and provides detailed information about how to conﬁgure them.

An overview of WLAN (Wireless Local Area Network) and provides detailed information about how to conﬁgure them.

An overview of Virtual Network Services (VNS), provides detailed instructions in how to conﬁgure a VNS, either using the Wizards or by manually creating the component parts of a VNS.

Information about conﬁguring CoS (Class of Service) conﬁguration entity containing QoS Marking (802.1p and ToS/ DSCP), Inbound/Outbound Rate Limiting and Transmit Queue Assignments.

services

which are a

Conﬁguring the ExtremeWireless Appliance on

page 31

Conﬁguring the ExtremeWireless APs on page

101

Conﬁguring Topologies on page 262

Conﬁguring Roles on page 284

Conﬁguring WLAN Services on page 318

Conﬁguring a VNS on page 390

Conﬁguring Classes of Service on page 487

ExtremeWireless™ V10.41.06 User Guide

For... Refer to...

About This Guide

Information about conﬁguring Sites which is a mechanism for grouping APs and refers to speciﬁc Roles, Classes of Service (CoS) and RADIUS servers that are grouped to form a single conﬁguration.

An overview of Mesh networks and provides detailed information about how to create a Mesh network.

An overview of a Wireless Distribution System (WDS) network conﬁguration and provides detailed information about how to create a Mesh network.

Information on how to set up the features that maintain service availability in the event of a controller failover.

Information on how to set up the mobility domain that provides mobility for a wireless device user when the user roams from one ExtremeWireless AP to another in the mobility domain.

Information on how to use the ExtremeWireless AP features with third-party wireless access points.

Information on the security tool that scans for, detects, provides countermeasures, and reports on rogue APs.

Information on the various reports and displays available in the system.

Information on system administration activities, such as performing ExtremeWireless AP client management, deﬁning management users, conﬁguring the network time, and conﬁguring Web session timeouts.

Conﬁguring Sites on page 494

Working with a Mesh Network on page 502

Working with a Wireless Distribution System

on page 518

Availability and Session Availability on page

537

Conﬁguring Mobility on page 555

Working with Third-party APs on page 561

Working with ExtremeWireless Radar on page

563

Working with Reports and Statistics on page

621

Performing System Administration on page

669

Information on how to view and interpret the logs, traces, audits and DHCP (Dynamic Host Conﬁguration Protocol)

Information on how to conﬁgure GuestPortal accounts. Working with GuestPortal Administration on

A list of terms and deﬁnitions for the ExtremeWireless Appliance and the ExtremeWireless AP as well as standard industry terms used in this guide.

Regulatory information for the ExtremeWireless Appliances and the ExtremeWireless APs.

The default GuestPortal ticket page source code. Default GuestPortal Ticket Page on page 706

messages.

Logs, Traces, Audits and DHCP Messages on

page 676

page 690

Glossary terms are displayed as links in the text. Hover over a glossary term to display the deﬁnition, or click the link to go to the Glossary.

Regulatory Information on page 705

ExtremeWireless™ V10.41.06 User Guide

2 Overview of the ExtremeWireless

Introduction

Conventional Wireless LANs Elements of the ExtremeWireless Solution ExtremeWireless and Your Network ExtremeWireless Appliance Product Family

Solution

Introduction

The next generation of wireless networking devices provides a truly scalable WLAN (Wireless Local Area Network) solution. ExtremeWireless Access Points (APs, wireless APs) are ﬁt access points controlled

through a sophisticated network device, the controller. This solution provides the security and manageability required by enterprises and service providers for huge industrial wireless networks.

The ExtremeWireless system is a highly scalable Wireless Local Area Network (WLAN) solution. Based on a third generation WLAN topology, the ExtremeWireless system makes wireless practical for service providers as well as medium and large-scale enterprises.

The ExtremeWireless controller provides a secure, highly scalable, cost-eective solution based on the IEEE 802.11 standard. The system is intended for enterprise networks operating on multiple ﬂoors in more than one building, and is ideal for public environments, such as airports and convention centers that require multiple access points.

This chapter provides an overview of the fundamental principles of the ExtremeWireless System.

The ExtremeWireless Appliance

The ExtremeWireless Appliance is a network device designed to integrate with an existing wired Local Area Network (LAN). The rack-mountable controller provides centralized management, network access, and routing to wireless devices that use Wireless APs to access the network. It can also be conﬁgured to handle data trac from third-party access points.

The controller provides the following functionality:

Controls and conﬁgures Wireless APs, providing centralized management.

•

Authenticates wireless devices that contact a Wireless AP.

•

Assigns each wireless device to a VNS when it connects.

•

Routes trac from wireless devices, using VNS, to the wired network.

•

Applies ﬁltering roles to the wireless device session.

•

Provides session logging and accounting capability.

•

ExtremeWireless™ V10.41.06 User Guide

Overview of the ExtremeWireless Solution

Conventional Wireless LANs

Wireless communication between multiple computers requires that each computer be equipped with a receiver/transmitter—a WLAN Network Interface Card (NIC)—capable of exchanging digital information over a common radio frequency. This is called an ad hoc network conﬁguration. An ad hoc network conﬁguration allows wireless devices to communicate together. This setup is deﬁned as an independent basic service set (IBSS).

An alternative to the ad hoc conﬁguration is the use of an access point. This may be a dedicated hardware bridge or a computer running special software. Computers and other wireless devices communicate with each other through this access point. The 802.11 standard deﬁnes access point communications as devices that allow wireless devices to communicate with a distribution system. This setup is deﬁned as a basic service set (BSS) or infrastructure network.

To allow the wireless devices to communicate with computers on a wired network, the access points must be connected to the wired network providing access to the networked computers. This topology is called bridging. With bridging, security and management scalability is often a concern.

Figure 1: Standard Wireless Network Solution Example

The wireless devices and the wired networks communicate with each other using standard networking protocols and addressing schemes. Most commonly, Internet Protocol (IP) addressing is used.

Elements of the ExtremeWireless Solution

The ExtremeWireless solution consists of two devices:

ExtremeWireless™ V10.41.06 User Guide

Overview of the ExtremeWireless Solution

ExtremeWireless Appliance

•

ExtremeWireless AP

•

This architecture allows a single controller to control many APs, making the administration and management of large networks much easier.

There can be several controllers in the network, each with a set of registered APs. The controllers can also act as backups to each other, providing stable network availability.

In addition to the controllers and APs, the solution requires three other components, all of which are standard for enterprise and service provider networks:

RADIUS Server (Remote Access Dial-In User Service) or other authentication server

•

DHCP (Dynamic Host Conﬁguration Protocol) Server (Dynamic Host Conﬁguration Protocol). If you

•

do not have a DHCP Server on your network, you can enable the local DHCP Server on the controller. The local DHCP Server is useful as a general purpose DHCP Server for small subnets. For more information, see Setting Up the Data Ports on page 51.

SLP (Service Location Protocol)

•

Figure 2: ExtremeWireless Appliance Solution

As illustrated in ExtremeWireless Appliance Solution, the ExtremeWireless Appliance appears to the existing network as if it were an access point, but in fact one controller controls many APs. The controller has built-in capabilities to recognize and manage the APs. The controller:

ExtremeWireless™ V10.41.06 User Guide

Overview of the ExtremeWireless Solution

Activates the APs

•

Enables APs to receive wireless trac from wireless devices

•

Processes the data trac from the APs

•

Forwards or routes the processed data trac out to the network

•

Authenticates requests and applies access roles

•

Simplifying the APs makes them cost-eective, easy to manage, and easy to deploy. Putting control on an intelligent centralized controller enables:

Centralized conﬁguration, management, reporting, and maintenance

•

High security

•

Flexibility to suit enterprise

•

Scalable and resilient deployments with a few controllers controlling hundreds of APs

•

The ExtremeWireless system:

Scales up to Enterprise capacity — ExtremeWireless Appliances are scalable:

•

C5215 — Up to 1000 APs, 2000 APs in Controller availability mode

•

C5210 — Up to 1000 APs, 2000 APs in Controller availability mode

•

C5110 — Up to 525 APs, 1050 APs in Controller availability mode

•

C4110 — Up to 250 APs, 500 APs in Controller availability mode

•

C25 — Up to 50 APs, 100 APs in Controller availability mode

•

C35 — Up to 125 APs, 250 APs in Controller availability mode

•

V2110 (Small Proﬁle) — Up to 50 APs, 100 APs in Controller availability mode

•

V2110 (Medium Proﬁle) — Up to 250 APs, 500 APs in Controller availability mode

•

V2110 (Large Proﬁle) — Up to 525 APs, 1050 APs in Controller availability mode

•

In turn, each wireless AP can handle a mixture of secure and non-secure clients. AP per radio

•

support is up to 200 clients, of which 127 are clients with security. With additional controllers, the number of wireless devices the solution can support can reach into the thousands.

Integrates with existing network — A controller can be added to an existing enterprise network as a

•

new network device, greatly enhancing its capability without interfering with existing functionality. Integration of the controllers and APs does not require any re-conﬁguration of the existing infrastructure (for example, VLAN (Virtual LAN)

Integrates with the Extreme Networks Extreme Management Center Suite of products. For more

•

information, see Extreme Networks Extreme Management Center Integration on page 18.

s).

Plug-in applications include:

Automated Security Manager

•

Inventory Manager

•

NAC Manager

•

Role Control Console

•

Policy Manager

•

Oers centralized management and control — An administrator accesses the controller in its

•

centralized location to monitor and administer the entire wireless network. From the controller the administrator can recognize, conﬁgure, and manage the APs and distribute new software releases.

Provides easy deployment of APs — The initial conﬁguration of the APs on the centralized controller

•

can be done with an automatic “discovery” technique.

ExtremeWireless™ V10.41.06 User Guide

Overview of the ExtremeWireless Solution

Provides security via user authentication — Uses existing authentication (AAA) servers to

•

authenticate and authorize users. Provides security via ﬁlters and privileges — Uses virtual networking techniques to create separate

•

virtual networks with deﬁned authentication and billing services, access roles, and privileges. Supports seamless mobility and roaming — Supports seamless roaming of a wireless device from

•

one wireless AP to another on the same controller or on a dierent controller. Integrates third-party access points — Uses a combination of network routing and authentication

•

techniques. Prevents rogue devices — Unauthorized access points are detected and identiﬁed as either harmless

•

or dangerous rogue APs. Provides accounting services — Logs wireless user sessions, user group activity, and other activity

•

reporting, enabling the generation of consolidated billing records. Oers troubleshooting capability — Logs system and session activity and provides reports to aid in

•

troubleshooting analysis. Oers dynamic RF management — Automatically selects channels and adjusts Radio Frequency

•

(RF) signal propagation and power levels without user intervention.

Extreme Networks Extreme Management Center Integration

The ExtremeWireless solution now integrates with the Extreme Management Center suite of products, a collection of tools to help you manage networks. Its client/server architecture lets you manage your network from a single workstation or, for networks of greater complexity, from one or more client workstations. It is designed to facilitate speciﬁc network management tasks while sharing data and providing common controls and a consistent user interface.

The Extreme Management Center is a family of products comprising the Extreme Management Center Console and a suite of plug-in applications, including:

Automated Security Manager — Automated Security Manager is a unique threat response solution

•

that translates security intelligence into security enforcement. It provides sophisticated identiﬁcation and management of threats and vulnerabilities. For information on how the ExtremeWireless solution integrates with the Automated Security Manager application, see the Maintenance Guide.

Inventory Manager — Inventory Manager is a tool for eciently documenting and updating the

•

details of the ever-changing network. For information on how the ExtremeWireless solution integrates with the Automated Security Manager application, see the Maintenance Guide .

NAC Manager — NAC Manager is a leading-edge NAC solution to ensure only the right users have

•

access to the right information from the right place at the right time. The Extreme Networks NAC solution performs multi-user, multi-method authentication, vulnerability assessment and assisted remediation. For information on how the ExtremeWireless solution integrates with the Extreme Networks NAC solution, see NAC Integration with the Wireless WLAN on page 24.

Policy Manager — Policy Manager recognizes the ExtremeWireless suite as role capable devices that

•

accept partial conﬁguration from Policy Manager. Currently this integration is partial in the sense that Extreme Management Center is unable to create WLAN need to be directly provisioned on the controller and are represented to Policy Manager as logical ports.

services directly; The WLAN services

The ExtremeWireless Appliance allows Policy Manager to:

ExtremeWireless™ V10.41.06 User Guide

Note

Overview of the ExtremeWireless Solution

Attach Topologies (assign VLAN to port) to the ExtremeWireless Appliance physical ports

•

(Console). Attach role to the logical ports (WLAN Service/SSID),

•

Assign a Default Role/Role to a WLAN Service, thus creating the VNS.

•

Perform authentication operations which can then reference deﬁned roles for station-speciﬁc

•

role enforcement.

This can be seen as a three-step process:

1 Deploy the controller and perform local conﬁguration

The ExtremeWireless Appliance ships with a default SSID, attached by default to all AP radios,

•

when enabled. Use the basic installation wizard to complete the ExtremeWireless Appliance conﬁguration.

•

2 Use Policy Manager to:

Push the VLAN list to the ExtremeWireless Appliance (Topologies)

•

Attach VLANs to ExtremeWireless Appliance physical ports (Console - Complete Topology

•

deﬁnition) Push RADIUS server conﬁguration to the ExtremeWireless Appliance

•

Push role deﬁnitions to the ExtremeWireless Appliance

•

Attach the default role to create a VNS

•

3 Fine tune controller settings. For example, conﬁguring ﬁltering at APs and ExtremeWireless

Appliance for a bridged at controller or routed topologies and associated VNSs.

Complete information about integration with Policy Manager is outside the scope of this document.

ExtremeWireless and Your Network

This section is a summary of the components of the ExtremeWireless solution on your enterprise network. The following are described in detail in this guide, unless otherwise stated:

ExtremeWireless Appliance — A rack-mountable network device or virtual appliance that provides

•

centralized control over all access points and manages the network assignment of wireless device clients associating through access points.

Wireless AP — A wireless LAN ﬁt access point that communicates with a controller.

•

RADIUS Server (Remote Access Dial-In User Service) (RFC2865), or other authentication server —

•

An authentication server that assigns and manages ID and Password protection throughout the network. Used for authentication of the wireless users in either 802.1x or Captive Portal security modes. The RADIUS Server system can be set up for certain standard attributes, such as ﬁlter ID, and for the Vendor Speciﬁc Attributes (VSAs). In addition, RADIUS Disconnect (RFC3576) which permits dynamic adjustment of user role (user disconnect) is supported.

DHCP Server (Dynamic Host Conﬁguration Protocol) (RFC2131) — A server that assigns dynamically

•

IP addresses, gateways, and subnet masks. IP address assignment for clients can be done by the DHCP server internal to the controller, or by existing servers using DHCP relay. It is also used by the APs to discover the location of the controller during the initial registration process using Options 43, 60, and Option 78. Options 43 and 60 specify the vendor class identiﬁer (VCI) and vendor speciﬁc

ExtremeWireless™ V10.41.06 User Guide

Overview of the ExtremeWireless Solution

information. Option 78 speciﬁes the location of one or more SLP Directory Agents. For SLP, DHCP should have Option 78 enabled.

Service Location Protocol (SLP) (SLP RFC2608) — Client applications are User Agents and services

•

that are advertised by a Service Agent. In larger installations, a Directory Agent collects information from Service Agents and creates a central repository. The Extreme Networks solution relies on registering “Extreme Networks” as an SLP Service Agent.

Domain Name Server (DNS) — A server used as an alternate mechanism (if present on the

•

enterprise network) for the automatic discovery process. Controller, Access Points and Convergence Software relies on the DNS for Layer 3 deployments and for static conﬁguration of the APs. The controller can be registered in DNS, to provide DNS assisted AP discovery. In addition, DNS can also be used for resolving RADIUS server hostnames.

Web Authentication Server — A server that can be used for external Captive Portal and external

•

authentication. The controller has an internal Captive portal presentation page, which allows web authentication (web redirection) to take place without the need for an external Captive Portal server.

RADIUS Accounting Server (Remote Access Dial-In User Service) (RFC2866) — A server that is

•

required if RADIUS Accounting is enabled. SNMP (Simple Network Management Protocol) — A Manager Server that is required if forwarding

•

SNMP messages is enabled. Network Infrastructure — The Ethernet switches and routers must be conﬁgured to allow routing

•

between the various services noted above. Routing must also be enabled between multiple controllers for the following features to operate successfully:

Availability

•

Mobility

•

ExtremeWireless Radar for detection of rogue access points

•

Some features also require the deﬁnition of static routes.

Web Browser — A browser provides access to the controller Management user interface to conﬁgure

•

the ExtremeWireless system. SSH Enabled Device — A device that supports Secure Shell (SSH) is used for remote (IP) shell access

•

to the system. Zone Integrity — The Zone integrity server enhances network security by ensuring clients accessing

•

your network are compliant with your security roles before gaining access. Zone Integrity Release 5 is supported.

(Optional) Online Signup Server — For use with Hotspot Networks.

•

Network Trac Flow

Figure 3 illustrates a simple conﬁguration with a single controller and two APs, each supporting a

wireless device. A RADIUS server on the network provides authentication, and a DHCP the APs to discover the location of the controller during the initial registration process. Network interconnectivity is provided by the infrastructure routing and switching devices.

server is used by

ExtremeWireless™ V10.41.06 User Guide

Overview of the ExtremeWireless Solution

Figure 3: Trac Flow Diagram

Each wireless device sends IP packets in the 802.11 standard to the AP. The AP uses a UDP (User Datagram Protocol) based tunnelling protocol. In tunneled mode of operation, it encapsulates the packets and forwards them to the controller. The controller decapsulates the packets and routes these to destinations on the network. In a typical conﬁguration, access points can be conﬁgured to locally bridge trac (to a conﬁgured VLAN

The controller functions like a standard L3 router or L2 switch. It is conﬁgured to route the network trac associated with wireless connected users. The controller can also be conﬁgured to simply forward trac to a default or static route if dynamic routing is not preferred or available.

) directly at their network point of attachment.

Network Security

The Extreme Networks ExtremeWireless system provides features and functionality to control network access. These are based on standard wireless network security practices.

Current wireless network security methods provide protection. These methods include:

Shared Key authentication that relies on Wired Equivalent Privacy (WEP) keys

•

Open System that relies on Service Set Identiﬁers (SSIDs)

•

802.1x that is compliant with Wi-Fi Protected Access (WPA)

•

Captive Portal based on Secure Sockets Layer (SSL) protocol

•

The Extreme Networks ExtremeWireless system provides the centralized mechanism by which the corresponding security parameters are conﬁgured for a group of users.

Wired Equivalent Privacy (WEP) is a security protocol for wireless local area networks deﬁned in the

•

802.11b standard

ExtremeWireless™ V10.41.06 User Guide

Overview of the ExtremeWireless Solution

Wi-Fi Protected Access version 1 (WPA1™) with Temporal Key Integrity Protocol (TKIP)

•

Wi-Fi Protected Access version 2 (WPA2™) with Advanced Encryption Standard (AES) and Counter

•

Mode with Cipher Block Chaining Message Authentication Code (CCMP)

Authentication

The controller relies on a RADIUS server, or authentication server, on the enterprise network to provide the authentication information (whether the user is to be allowed or denied access to the network). A RADIUS client is implemented to interact with infrastructure RADIUS servers.

The controller provides authentication using:

Captive Portal — a browser-based mechanism that forces users to a Web page

•

RADIUS (using IEEE 802.1x)

•

The 802.1x mechanism is a standard for authentication developed within the 802.11 standard. This mechanism is implemented at the wireless port, blocking all data trac between the wireless device and the network until authentication is complete. Authentication by 802.1x standard uses Extensible Authentication Protocol (EAP) for the message exchange between the controller and the RADIUS server.

When 802.1x is used for authentication, the controller provides the capability to dynamically assign perwireless-device WEP keys (called per session WEP keys in 802.11). In the case of WPA, the controller is not involved in key assignment. Instead, the controller is involved in the information exchange between RADIUS server and the user’s wireless device to negotiate the appropriate set of keys. With WPA2 the material exchange produces a Pairwise Master Key which is used by the AP and the user to derive their temporal keys. (The keys change over time.)

The Extreme Networks ExtremeWireless solution provide a RADIUS redundancy feature that enables you to deﬁne a failover RADIUS server in the event that the active RADIUS server becomes unresponsive.

Privacy

Privacy is a mechanism that protects data over wireless and wired networks, usually by encryption techniques.

Extreme Networks ExtremeWireless supports the Wired Equivalent Privacy (WEP) standard common to conventional access points.

It also provides Wi-Fi Protected Access version 1 (WPA v.1) encryption, based on Pairwise Master Key (PMK) and Temporal Key Integrity Protocol (TKIP). The most secure encryption mechanism is WPA version 2, using Advanced Encryption Standard (AES).

Virtual Network Services

Virtual Network Services (VNS) provide a versatile method of mapping wireless networks to the topology of an existing wired network.

In releases prior to V7.0, a VNS was a collection of operational entities. Starting with Release V7.0, a VNS becomes the binding of reusable components:

ExtremeWireless™ V10.41.06 User Guide 2

Overview of the ExtremeWireless Solution

WLAN Service components that deﬁne the radio attributes, privacy and authentication settings, and

•

QoS attributes of the VNS Role components that deﬁne the topology (typically a VLAN), policy rules, and Class of Service

•

applied to the trac of a station.

Figure 4 illustrates the transition of the concept of a VNS to a binding of reusable components.

Figure 4: VNS as a Binding of Reusable Components

WLAN Service components and Role components can be conﬁgured separately and associated with a VNS when the VNS is created or modiﬁed. Alternatively, they can be conﬁgured during the process of creating a VNS.

Additionally, Roles can be created using the Extreme Networks Extreme Management Center Policy Manager or Extreme Management Center Wireless Manager and pushed to the ExtremeWireless Appliance. Role assignment ensures that the correct topology and trac behavior are applied to a user regardless of WLAN service used or VNS assignment.

When VNS components are set up on the controller, among other things, a range of IP addresses is set aside for the controller’s DHCP

If the OSPF (Open Shortest Path First) routing protocol is enabled, the controller advertises the routed topologies as reachable segments to the wired network infrastructure. The controller routes trac between the wireless devices and the wired network.

The controller also supports VLAN-bridged assignment for VNSs. This allows the controller to directly bridge the set of wireless devices associated with a WLAN service directly to a speciﬁed core VLAN.

ExtremeWireless™ V10.41.06 User Guide

server to assign to wireless devices.

Controller Model Max Number of Deﬁned

VNS

Max Number of Deﬁned WLAN Services

Max Number of Active WLAN Services

Overview of the ExtremeWireless Solution

Each controller model can support a deﬁnable number and an active number of VNSs. See Table 3.

Table 3: VNS and WLAN Service Capacity

C5110 256 256 128

C4110 128 128 64

C25 32 32 16

V2110 Small 32 32 16

V2110 Medium V2110-HyperV

V2110 Large 256 256 128

C5215 256 256 128

C5210 256 256 128

C35 32 16 32

128 128 64

The AP radios can be assigned to each of the conﬁgured WLAN services and, therefore, VNSs in a system. Each AP can be the subject of 16 service assignments—eight assignments per radio—which corresponds to the number of SSIDs it can support. Once a radio has all eight slots assigned, it is no longer eligible for further assignment.

The AP3912 has three additional client ports that can be assigned to a single WLAN Service. For more information, see Assigning WLAN Services to Client Ports on page 170.

NAC Integration with the Wireless WLAN

The Extreme Networks Wireless WLAN

supports integration with a NAC (Network Admission Control) Gateway. The NAC Gateway can provide your network with authentication, registration, assessment, remediation, and access control for mobile users.

NAC Gateway integration with Wireless WLAN supports SSID VNSs when used in conjunction with MAC-based external captive portal authentication.

Figure 5 depicts the topology and workﬂow relationship between Wireless WLAN that is conﬁgured for

external captive portal and a NAC Gateway. With this conﬁguration, the NAC Gateway acts like a RADIUS proxy server. An alternative is to conﬁgure the NAC Gateway to perform MAC-based authentication itself, using its own database of MAC addresses and permissions. For more information, see Creating a NAC VNS Using the VNS Wizard on page 426.

ExtremeWireless™ V10.41.06 User Guide

Note

Overview of the ExtremeWireless Solution

Figure 5: WLAN and NAC Integration with External Captive Portal Authentication

11The client laptop connects to the AP.

The AP determines that authentication is required, and sends an association request to the appliance.

The appliance forwards to the NAC Gateway an access-request message for the client laptop, which is identiﬁed by its MAC address.

The NAC Gateway forwards the access-request to the RADIUS server. The NAC Gateway acts like a RADIUS proxy server.

The RADIUS server evaluates the access-request and sends an AccessAccept message back to the NAC.

RADIUS servers with captive portal and EAP authentication can be tested for connectivity using the

radtest command. For more information, see the ExtremeWireless CLI Guide.

The NAC receives the access-accept packet. Using its local database, the NAC determines the correct role to apply to this client laptop and updates the access-accept packet with the role assignment. The updated AccessAccept message is forwarded to the appliance and AP.

The appliance and the AP apply role against the client laptop accordingly. The appliance assigns a set of ﬁlters to the client laptop’s session and the AP allows the client laptop access to the network.

The client laptop interacts with a DHCP server to obtain an IP address.

Eventually the client laptop uses its web browser to access a website.

The appliance determines that the target website is blocked and that the client laptop still requires

•

authentication.

ExtremeWireless™ V10.41.06 User Guide

Overview of the ExtremeWireless Solution

The appliance sends an HTTP redirect to the client laptop’s browser. The redirect sends the browser to the

•

web server on the NAC Gateway. The NAC displays an appropriate web page in the client laptop’s browser. The contents of the page depend

•

on the current role assignment (enterprise, remediation, assessing, quarantine, or unregistered) for the MAC address.

When the NAC determines that the client laptop is ready for a dierent role assignment, it sends a ‘disconnect message’ (RFC 3576) to the appliance.

When the appliance receives the ‘disconnect message’ sent by the NAC, the appliance terminates the session for the client laptop.

The appliance forwards the command to terminate the client laptop’s session to the AP, which disconnects the client laptop.

VNS Components

The distinct constituent high-level conﬁgurable umbrella elements of a VNS are:

Topology

•

Role

•

Classes of Service

•

WLAN Service

•

Topology

Topologies represent the networks with which the controller and its APs interact. The main conﬁgurable attributes of a topology are:

Name - a string of alphanumeric characters designated by the administrator.

•

VLAN ID - the VLAN identiﬁer as speciﬁed in the IEEE 802.1Q deﬁnition.

•

VLAN tagging options.

•

Port of presence for the topology on the controller. (This attribute is not required for Routed and

•

Bridged at AP topologies.) Interface. This attribute is the IP (L3) address assigned to the controller on the network described by

•

the topology. (Optional.) Type. This attribute describes how trac is forwarded on the topology. Options are:

•

“Physical” - the topology is the native topology of a data plane and it represents the actual

•

Ethernet ports “Management” - the native topology of the controller management port

•

“Routed” - the controller is the routing gateway for the routed topology.

•

“Bridged at Controller” - the user trac is bridged (in the L2 sense) between wireless clients and

•

the core network infrastructure. “Bridged at AP” - the user trac is bridged locally at the AP without being redirected to the

•

controller

Exception Filters. Speciﬁes which trac has access to the controller from the wireless clients or the

•

infrastructure network. Certiﬁcates.

•

ExtremeWireless™ V10.41.06 User Guide

Overview of the ExtremeWireless Solution

Multicast ﬁlters. Deﬁnes the multicast groups that are allowed on a speciﬁc topology segment.

•

For information about Topology groups, see Creating a Topology Group on page 270.

•

Role

A Role is a collection of attributes and rules that determine actions taken user trac accesses the wired network through the WLAN a VNS can have between one and three Authorization Roles associated with it:

1 Default non-authorized role — This is a mandatory role that covers all trac from stations that have

not authenticated. At the administrator's discretion the default non-authorized role can be applied to the trac of authenticated stations as well.

2 Default authorized role — This is a mandatory role that applies to the trac of authenticated stations

for which no other role was explicitly speciﬁed. It can be the same as the default non-authorized role.

3 Third-party AP role — This role applies to the list of MAC addresses corresponding to the wired

interfaces of third party APs speciﬁcally deﬁned by the administrator to be providing the RF access as an AP WLAN Service. This role is only relevant when applied to third party AP WLAN Services.

service (associated to the WLAN Service's SSID). Depending upon its type,

Classes of Service

In general, CoS (Class of Service) it is forwarded through the network relative to other packets, and to the maximum throughput per time unit that a station or port assigned to a speciﬁc role is permitted. The CoS deﬁnes actions to be taken when rate limits are exceeded.

All incoming packets may follow these steps to determine a CoS:

Classiﬁcation - identiﬁes the ﬁrst matching rule that deﬁnes a CoS.

•

Marking - modiﬁes the L2 802.1p and/or L3 ToS based on CoS deﬁnition.

•

Rate limiting (drop) is set.

•

The system limit for the number of CoS proﬁles on a controller is identical to the number of roles. For example, the maximum number of CoS proﬁles on a C4110 is 512.

WLAN Services

A WLAN oered by the controller and its APs. A WLAN Service can be one of the following types:

•

Service represents all the RF, authentication and QoS attributes of a wireless access service

Standard — A conventional service. Only APs running ExtremeWireless software can be part of this WLAN Service. This type of service can be used as a Bridged at Controller, Bridged at AP, or Routed Topology. This type of service provides access for mobile stations. Roles can be associated with this type of WLAN service to create a VNS. Hotspot can be enabled for standard WLAN services.

Third Party AP — A Wireless Service oered by third party APs. This type of service provides access for mobile stations. Roles can be assigned to this type of WLAN service to create a VNS.

Dynamic Mesh and WDS (Static Mesh)— This is to conﬁgure a group of APs organized into a hierarchy for purposes of providing a Wireless Distribution Service. This type of service is in essence

refers to a set of attributes that deﬁne the importance of a frame while

ExtremeWireless™ V10.41.06 User Guide

Overview of the ExtremeWireless Solution

a wireless trunking service rather than a service that provides access for stations. As such, this service cannot have roles attached to it.

Remote — A service that resides on the edge (foreign) controller. Pairing a remote service with a

•

remoteable service on the designated home controller allows you to provision centralized WLAN Services in the mobility domain. This is known as centralized mobility.

The components of a WLAN Service map to the corresponding components of a VNS in previous releases. The administrator makes an explicit choice of the type of authentication to use on the WLAN Service. If the choice of authentication option conﬂicts with any other authentication or privacy choices, the WLAN Service cannot be enabled.

Routing

Routing can be used on the controller to support the VNS deﬁnitions. Through the user interface you can conﬁgure routing on the controller to use one of the following routing techniques:

Static routes — Use static routes to set the default route of a controller so that legitimate wireless

•

device trac can be forwarded to the default gateway. OSPF (version 2) (RFC2328) — Use OSPF to allow the controller to participate in dynamic route

•

selection. OSPF is a protocol designed for medium and large IP networks with the ability to segment routes into dierent areas by routing information summarization and propagation. Static Route deﬁnition and OSPF dynamic learning can be combined, and the precedence of a static route deﬁnition over dynamic rules can be conﬁgured by selecting or clearing the Override dynamic routes option check box.

Next-hop routing — Use next-hop routing to specify a unique gateway to which trac on a VNS is

•

forwarded. Deﬁning a next-hop for a VNS forces all the trac in the VNS to be forwarded to the indicated network device, bypassing any routing deﬁnitions of the controller's route table.

Mobility and Roaming

In typical simple conﬁgurations, APs are set up as bridges that bridge wireless trac to the local subnet. In bridging conﬁgurations, the user obtains an IP address from the same subnet as the AP, assuming no VLAN trunking functionality. If the user roams between APs on the same subnet, it is able to keep using the same IP address. However, if the user roams to another AP outside of that subnet, its IP address is no longer valid. The user's client device must recognize that the IP address it has is no longer valid and re-negotiate a new one on the new subnet. This mechanism does not mandate any action on the user. The recovery procedure is entirely client device dependent. Some clients automatically attempt to obtain a new address on roam (which aects roaming latency), while others will hold on to their IP address. This loss of IP address continuity seriously aects the client's experience in the network, because in some cases it can take minutes for a new address to be negotiated.

The Extreme Networks ExtremeWireless solution centralizes the user's network point of presence, therefore abstracting and decoupling the user's IP address assignment from that of the APs location subnet. That means that the user is able to roam across any AP without losing its own IP address, regardless of the subnet on which the serving APs are deployed.

In addition, a controller can learn about other controllers on the network and then exchange client session information. This enables a wireless device user to roam seamlessly between dierent APs on dierent controllers.

ExtremeWireless™ V10.41.06 User Guide

Overview of the ExtremeWireless Solution

Network Availability

The Extreme Networks ExtremeWireless solution provides availability against AP outages, controller outages, and even network outages. The controller in a VLAN bridged topology can potentially allow the user to retain the IP address in a failover scenario, if the VNS/VLAN is common to both controllers. For example, availability is provided by deﬁning a paired controller conﬁguration by which each peer can act as the backup controller for the other's APs. APs in one controller are allowed to fail over and register with the alternate controller.

If the primary controller fails, all of its associated APs can automatically switch over to another controller that has been deﬁned as the secondary or backup controller. If an AP reboots, the primary controller is restored if it is active. However, active APs will continue to be connected to the backup controller until the administrator releases them back to the primary home controller.

Quality of Service (QoS)

Extreme Networks ExtremeWireless solution provides advanced Quality of Service (QoS) management to provide better network trac ﬂow. Such techniques include:

WMM (Wi-Fi Multimedia) — WMM is enabled per WLAN service. The controller provides centralized

•

management of the AP features. For devices with WMM enabled, the standard provides multimedia enhancements for audio, video, and voice applications. WMM shortens the time between transmitting packets for higher priority trac. WMM is part of the 802.11e standard for QoS. In the context of the ExtremeWireless Solution, the ToS/DSCP ﬁeld is used for classiﬁcation and proper class of service mapping, output queue selection, and priority tagging.

IP ToS (Type of Service) or DSCP (Diserv Codepoint) — The ToS/DSCP ﬁeld in the IP header of a

•

frame indicates the priority and class of service for each frame. Adaptive QoS ensures correct priority handling of client payload packets tunneled between the controller and AP by copying the IP ToS/DSCP setting from client packet to the header of the encapsulating tunnel packet.

Rate Control — Rate Control for user trac can also be considered as an aspect of QoS. As part of

•

Role deﬁnition, the user can specify (default) role that includes Ingress and Egress rate control. Ingress rate control applies to trac generated by wireless clients and Egress rate control applies to trac targeting speciﬁc wireless clients. The bit-rates can be conﬁgured as part of globally available proﬁles which can be used by any particular conﬁguration. A global default is also deﬁned.

Quality of Service (QoS) management is also provided by:

Assigning high priority to a WLAN service

•

Adaptive QoS (automatic and all time feature)

•

Support for legacy devices that use SpectraLink Voice Protocol (SVP) for prioritizing voice trac

•

(conﬁgurable)

ExtremeWireless Appliance Product Family

The ExtremeWireless Appliance is available in the following product families:

ExtremeWireless™ V10.41.06 User Guide

Table 4: ExtremeWireless Product Families

ExtremeWireless Appliance Model

Number

Speciﬁcations

Overview of the ExtremeWireless Solution

C5110

C5210/C5215

C4110

Three data ports supporting up to 525 APs

•

2 ﬁber optic SR (10Gbps)

•

1 Ethernet port GigE

•

One management port (Ethernet) GigE

•

One console port (DB9 serial)

•

Four USB ports — two on each front and back panel (only one

•

port active at a time) Redundant dual power supply unit

•

Four data ports supporting up to 1000 APs

•

2 SFP+ (10Gbps)

•

2 Ethernet port GigE

•

One management port (Ethernet) GigE

•

One console port (RJ-45 serial)

•

Five USB ports — two on front and three on back panel (only one

•

port active at a time) Redundant dual power supply unit

•

Four GigE ports supporting up to 250 APs

•

One management port (Ethernet) GigE

•

One console port (DB9 serial)

•

Four USB ports (only one active at a time)

•

Redundant dual power supply unit

•

C25

V2110

C35

Two GigE ports supporting up to 50 APs

•

One management port GigE

•

One console port (DB9 serial)

•

Two USB ports

•

Two GigE ports or 10G ﬁber ports supporting up to 525 APs

•

One management port GigE

•

USB ports (only one active at a time)

•

Four GigE ports supporting up to 125 APs

•

One management port GigE

•

One console port

•

Two USB ports

•

ExtremeWireless™ V10.41.06 User Guide

3 Conﬁguring the ExtremeWireless

System Conﬁguration Overview

Logging on to the ExtremeWireless Appliance Wireless Assistant Home Screen Working with the Basic Installation Wizard Conﬁguring the ExtremeWireless Appliance for the First Time Using a Third-party Location-based Solution Additional Ongoing Operations of the System

Interfaces

Appliance

System Conﬁguration Overview

The following section provides a high-level overview of the steps involved in the initial conﬁguration of ExtremeWireless:

1 Before you begin the conﬁguration process, research the type of WLAN (Wireless Local Area

Network) deployment that is required. For example, topology and VLAN (Virtual LAN) IDs, SSIDs, security requirements, and ﬁlter roles.

2 Prepare the network servers. Ensure that the external servers, such as DHCP (Dynamic Host

Conﬁguration Protocol) and RADIUS servers (if applicable) are available and appropriately

conﬁgured. 3 Install the controller. For more information, see the documentation for your controller. 4 Perform the ﬁrst time setup of the controller on the physical network, which includes conﬁguring the

IP addresses of the interfaces on the controller.

a Create a new physical topology and provide the IP address to be the relevant subnet point of

attachment to the existing network.

b To manage the controller through the interface conﬁgured above, select the Mgmt check box on

the I

c Conﬁgure the data port interfaces to be on separate VLANs, matching the VLANs conﬁgured in

step 3 above. Ensure also that the tagged vs. untagged state is consistent with the switch port conﬁguration.

d Conﬁgure the time zone. Because changing the time zone requires restarting the controller, it is

recommended that you conﬁgure the time zone during the initial installation and conﬁguration of

ExtremeWireless™ V10.41.06 User Guide

tab.

Caution

Conﬁguring the ExtremeWireless Appliance

the controller to avoid network interruptions. For more information, see Conﬁguring Network

Time on page 89.

e Apply an activation key ﬁle. If an activation key is not applied, the controller functions with some

features enabled in demonstration mode. Not all features are enabled in demonstration mode. For example, mobility is not enabled and cannot be used.

C Whenever the licensed region changes on the ExtremeWireless Appliance, all APs are changed to Auto Channel Select to prevent possible infractions to local RF regulatory requirements. If this occurs, all manually conﬁgured radio channel settings will be lost.Installing the new license key before upgrading will prevent the ExtremeWireless Appliance from changing the licensed region, and in addition, manually conﬁgured channel settings will be maintained. For more information, see the ExtremeWireless

Maintenance Guide.

5 Conﬁgure the controller for remote access:

a Set up an administration station (laptop) on subnet 192.168.10.0/24. By default, the controller's

Management interface is conﬁgured with the static IP address 192.168.10.1. b Conﬁgure the controller’s management interface. c Conﬁgure the data interfaces. d Set up the controller on the network by conﬁguring the physical data ports. e Conﬁgure the routing table. f Conﬁgure static routes or OSPF (Open Shortest Path First)

network.

parameters, if appropriate to the

For more information, see Conﬁguring the ExtremeWireless Appliance for the First Time on page

45.

6 Conﬁgure the trac topologies your network must support. Topologies represent the controller’s

points of network attachment, and therefore VLANs and port assignments need to be coordinated with the corresponding network switch ports. For more information, see Conﬁguring a Basic Data

Port Topology on page 266.

7 Conﬁgure roles. Roles are typically bound to topologies. Role application assigns user trac to the

corresponding network point.

Roles deﬁne user access rights (ﬁltering or ACL (Access Control List))

•

Polices reference user's rate control proﬁle.

•

For more information, see Conﬁguring Roles on page 284.

8 Conﬁgure WLAN services.

Deﬁne SSID and privacy settings for the wireless link.

•

Select the set of APs/Radios on which the service is present.

•

Conﬁgure the method of credential authentication for wireless users (None, Internal CP, External

•

CP, GuestPortal, 802.1x[EAP])

For more information, see Conﬁguring WLAN Services on page 318.

9 Create the VNSs.

A VNS binds a WLAN Service to a Role that will be used for default assignment upon a user’s network attachment.

ExtremeWireless™ V10.41.06 User Guide

AP Registration

Conﬁguring the ExtremeWireless Appliance

You can create topologies, roles, and WLAN services ﬁrst, before conﬁguring a VNS, or you can select one of the wizards (such as the VNS wizard), or you can simply select to create new VNS.

The VNS page then allows for in-place creation and deﬁnition of any dependency it may require, such as:

Creating a new WLAN Service

•

Creating a new role

•

Creating a new class of service (within a role)

•

Creating a new topology (within a role)

•

Creating new rate controls, and other Class of Service parameters

•

The default shipping conﬁguration does not ship any pre-conﬁgured WLAN Services, VNSs, or

Roles.

10 Install, register, and assign APs to the VNS.

Conﬁrm the latest ﬁrmware version is loaded. For more information, see Performing AP Software

•

Maintenance on page 235.

Deploy APs to their corresponding network locations.

•

If applicable, conﬁgure a default AP template for common radio assignment, whereby APs

•

automatically receive complete conﬁguration. For typical deployments where all APs are to have

the same conﬁguration, this feature will expedite deployment, as an AP will automatically receive

full conﬁguration (including VNS-related assignments) upon initial registration with the

controller. If applicable, modify the properties or settings of the APs. For more information, see

Conﬁguring the ExtremeWireless APs on page 101.

Connect the APs to the controller.

•

Once the APs are powered on, they automatically begin the Discovery process of the controller,

•

based on factors that include:

Their Registration mode (on the A

•

The enterprise network services that will support the discovery process

•

screen)

Logging on to the ExtremeWireless Appliance

1 Start your Web browser (Internet Explorer version 11 or later, FireFox, or Chrome).

See the Release Notes for the supported web browsers.

ExtremeWireless™ V10.41.06 User Guide

Wireless Assistant Home

Note

Wireless Assistant Home

Conﬁguring the ExtremeWireless Appliance

2 In the browser address bar, type the following, using the IP address of your controller:

https://192.168.10.1:5825

This launches the Wireless Assistant. The login screen displays.

3 Type your user name and password and click Login . The W

The default User Name is "admin". The default Password is "abc123".

screen displays.

Wireless Assistant Home Screen

The W wireless network. Information is grouped under multiple functional areas, and the Wireless Assistant Home Screen provides a graphical representation of information related to the active APs (such as the number of wired packets, stations, and total APs). Navigate the Wireless Assistant using the top menu bar tabs.

Figure 6: Wireless Assistant Top Menu Bar

The bottom status bar displays the type and description of the current wireless controller, user and admin login status, ﬂash status, software version and the number of admin users currently logged into the controller.

screen provides real-time status information on the current state of the

ExtremeWireless™ V10.41.06 User Guide

raft

Wireless Assistant Home

Conﬁguring the ExtremeWireless Appliance

Figure 7: Wireless Assistant Home Screen

Table 5 describes the panes on the W

Screen.

ExtremeWireless™ V10.41.06 User Guide

Home Screen Heading Description

Conﬁguring the ExtremeWireless Appliance

Table 5: Wireless Assistant Home Screen

Network Status Includes real-time totals for the following components. Click the number

displayed to display additional information, such as name, serial number, and IP address.

Local APs - total number of active or inactive local conﬁgured APs.

•

Foreign APs - total number of active or inactive foreign conﬁgured APs.

•

Availability pair must be conﬁgured to display additional information. Pending APs - total APs pending veriﬁcation.

•

Load Groups - total active load groups. Click to display the Active Wireless

•

Load Groups report. Local Stations - total number of active mobile stations. Click to display the All

•

Active Client report. Local & Foreign - total number of active and foreign stations. Click to display

•

the All Active Client report. VNS - total deﬁned VNSs (enabled and disabled). Click to display the total

•

number of enabled and disabled VNS assignments, respectively, conﬁgured on the system.

Availability - status of the controller availability. Click to display controller

•

settings (Stand-alone, Paired, Fast Failover FFO). Mobility Tunnels - status of the mobility tunnel. Click to display controller

•

settings.

Admin Sessions Displays information on the total number of recent administrative activities

including:

Read/Write sessions - total number of currently active GUI and CLI (either

•

SSH or serial console ones) Read/Write sessions. Read-only sessions - total number of currently active GUI and CLI (either SSH

•

or serial console ones) Read only sessions. Guest Access sessions - total number of currently active GuestPortal Manager

•

sessions that can only be achieved through the GUI. Auth Type - lists the presently conﬁgured login mode.

•

Click each heading to access the Wireless Controller > Login Management screen. For more information, see Conﬁguring the Login Authentication Mode on page 75.

Stations by Protocol Displays a graphical representation of the total number of active stations

grouped by protocol. Click the Stations by Protocol heading to access the All Active Clients Report. For more information, see Viewing Statistics for APs on page 627.

APs by Channel Displays a graphical representation of the total number of active stations and the

number of APs. Click the APs by Channel heading to access the Active Wireless AP Report. For more information, see Viewing Statistics for APs on page 627.

Stations by AP Displays a graphical representation of the total number of active APs grouped by

channel. Click the Status by AP heading to access the Active Clients by Wireless APs Report. For more information, see Viewing Statistics for APs on page 627.

ExtremeWireless™ V10.41.06 User Guide

Home Screen Heading Description

WLAN Conﬁguration

Conﬁguring the ExtremeWireless Appliance

Table 5: Wireless Assistant Home Screen (continued)

Applications by WLAN If Application Visibility is enabled on the W

displaying the top ﬁve applications on that WLAN displays. If Application Visibility is not enabled, click Enable Application Visibility to display the Apps, operating systems, and devices used by clients. The Application Visibility option displays the following information for clients associated with a selected WLAN:

IPv4 and IPv6 Addresses

•

Host Name

•

Operating System

•

Device Type

•

Top 5 Application Groups by Throughput (2-minute interval)

•

Top 5 current Application Groups by Bytes, from session start.

•

Throughput chart for an application group.

•

Average TCP Round Trip Time.

•

Average DNS Round Trip Time.

•

For more information, see Enabling Application Visibility with Device

Identiﬁcation on page 626 and Device Identiﬁcation on page 625.

screen, a pie chart

ExtremeWireless™ V10.41.06 User Guide

Home Screen Heading Description

Conﬁguring the ExtremeWireless Appliance

Table 5: Wireless Assistant Home Screen (continued)

Licensing Displays licensing information including:

License mode: License Manager can operate in Lone or Paired mode.

•

Lone (standalone) - Only local APs are counted against locally installed capacity keys. ALL Radar In-Service and Guardian APs are counted against locally installed Radar keys. This is the default license mode. License Manager switches to Paired mode on the following conditions: Availability is enabled while License Manager is running and it receives a license request or Availability is enabled before the License Manger starts up and the database has counters for the peers capacity and Radar keys.

Paired - Both local and foreign APs are counted against sum of locally installed capacity keys and capacity keys, pooled from the peer controller. ALL Radar In-Service and Guardian APs are counted against sum or locally installed Radar keys, installed on the peer controller. License Manager switches to Lone (standalone) mode if Availability is disabled or if the peer IP address is changed.

Unused AP Licenses: total number of unassigned AP licenses (for more

•

information, see Applying Product License Keys on page 47). Local AP Licenses: total number of AP licenses local to the primary controller.

•

Foreign AP Licenses: total number of AP licenses local to the secondary

•

(backup) controller. Local Radar Licenses: total number of Radar licenses local to the primary

•

controller. Foreign Radar Licenses: total number of Radar licenses local to the secondary

•

(backup) controller. Unused Radar Licenses: total number of unassigned licenses for Radar (for

•

more information, see Radar License Requirements on page 565). Days Remaining: number of days remaining on this license key.

•

Regulatory Domain: Domain information for this license period.

•

Click the Licensing heading to access the Wireless Controller > Software Maintenance screen. For more information, see Installing the License Keys on page 49.

Health Displays network health statistics including:

•

Click each heading to access the Active Wireless APs Report. For more information, see Viewing Statistics for APs on page 627.

ExtremeWireless™ V10.41.06 User Guide

Local AP Uptime (min) APs with > 30 clients APs in low power mode

This feature is for AP39xx only. This option displays when there is one or more AP39xx in low power mode. Click to display details of the AP.

Failed VNS RADIUS Txs

Home Screen Heading Description

Conﬁguration

Wireless Controller Conﬁguration

Conﬁguring the ExtremeWireless Appliance

Table 5: Wireless Assistant Home Screen (continued)

Radar Displays totals for the following security related statistics:

AP Remote Access - click to access the APs > AP Registration page

•

Unsecured WLANs - click to access the WLAN Security Report

•

Uncategorized APs - click to access the list of Uncategorized APs

•

Active Threats - click to access the Active Threats Report

•

Active Countermeasures - click to access the Active Countermeasures Report

•

APs denied by license - click to access the list of APs denied by license

•

constraints.

For more information, see Wireless AP Registration on page 123, and Working

with Radar Reports on page 593.

Events Displays major events that impact network performance and eciency. Each

event listed includes a timestamp of the event, the type or classiﬁcation of the event, which component is impacted by the event, and a log message providing speciﬁc information for the event. Click the Events heading to access the Log > Logs & Traces page. For more information, see Working with Reports and Statistics on page 621.

Working with the Basic Installation Wizard

The Extreme Networks ExtremeWireless system provides a basic installation wizard that can help administrators conﬁgure the minimum controller settings that are necessary to deploy a functioning ExtremeWireless system solution on a network.

Use the Basic Installation Wizard to quickly conﬁgure the controller for deployment, and later to revise the controller conﬁguration as needed.

The Basic Installation Wizard launches when you log on to the controller for the ﬁrst time and when the system has been reset to the factory default settings. You can also launch the wizard from the left pane of the controller C

To conﬁgure the controller using the Basic Installation Wizard:

1 Log on to the controller. For more information, see Logging on to the ExtremeWireless Appliance on

page 33.

2 From the top menu, click Controller. The W

screen anytime.

screen displays.

ExtremeWireless™ V10.41.06 User Guide

Basic Installation Wizard

Note

Conﬁguring the ExtremeWireless Appliance

3 In the left pane, click Administration > Installation Wizard.

The B

screen displays.

4 In the Time Settings section, conﬁgure the controller timezone:

Continent or Ocean — Select the continent for the time zone.

•

Time Zone Region — Select the appropriate time zone region for the selected continent.

•

5 To conﬁgure the controller’s time, do one of the following:

To manually set the controller time, click Set time. The Year, Month, Day, HR, and Min. ﬁelds

•

display, where you can use the drop-down lists to specify the time values.

To use the controller as the NTP time server, select the Run local NTP Server option. In the

•

Server ﬁeld, enter the IP address or Domain Name for the NTP server.

To use NTP to set the controller time, select the Use NTP option, and then type the IP address of

•

an NTP time server that is accessible on the enterprise network.

The Network Time Protocol is a protocol for synchronizing the clocks of computer systems over

packet-switched data networks.

6 In the Server ﬁeld, enter the IP address or Domain Name for the NTP server.

The Server Address ﬁeld supports both IPv4 and IPv6 addresses.

ExtremeWireless™ V10.41.06 User Guide

Management

Note

Conﬁguring the ExtremeWireless Appliance

7 In the Topology Conﬁguration section, the physical interface of the controller data port, the IP

Address and Netmask values for the data port, and the VLAN ID display as read-only values.

For information on how to obtain a temporary IP address from the network, click How to obtain a temporary IP address.

8 Click Next. The Management screen displays

Basic Installation Wizard - Management Screen

The M

screen displays:

1 In the AP Password section, enter a password for the AP. Click Unmask to display the password

characters as you type. Access Points are shipped with default passwords. You must create a new SSH Access Password here.

Passwords can include the following characters: A-Z a-z 0-9 ~!@#$%^&*()_+|-=\{}[];<>?,. Password cannot include the following characters: / ` ' " : or a space.

ExtremeWireless™ V10.41.06 User Guide

Note

Conﬁguring the ExtremeWireless Appliance

2 In the Management Port section, conﬁrm the port conﬁguration values that were deﬁned when the

controller was physically deployed on the network. If applicable, edit these values:

Static IP Address — Displays the IPv4 address for the controller’s management port. Revise this

•

as appropriate for the enterprise network.

Netmask — Displays the appropriate subnet mask for the IP address to separate the network

•

portion from the host portion of the address.

Gateway — Displays the default gateway of the network.

•

Static IPv6 Address — Displays the IPv6 address for the controller’s management port. Revise

•

this as appropriate for the enterprise network.

Preﬁx Length — Length of the IPv6 preﬁx. Maximum is 64 bits.

•

Gateway — Displays the default gateway of the network.

•

3 In the SNMP section, click V2c or V3 in the Mode drop-down list to enable SNMP (Simple Network

Management Protocol), if applicable.

If you selected V2c, the Community options display:

Read Community — Type the password that is used for read-only SNMP communication.

•

Write Community — Type the password that is used for write SNMP communication.

•

Trap Destination — Type the IP address of the server used as the network manager that will

•

receive SNMP messages.

The Trap Destination Address ﬁeld supports both IPv4 and IPv6 addresses.

If you selected V3, the Syslog Server options display:

Enable — Click to enable Syslog Server.

•

IP Address — Enter the IP address for the Syslog Server.

•

4 In the OSPF section, select the Enable check box to enable OSPF, if applicable. Use OSPF to allow

the controller to participate in dynamic route selection. OSPF is a protocol designed for medium and large IP networks with the ability to segment routes into dierent areas by routing information summarization and propagation.

Do the following:

Area ID — Type the desired area. Area 0.0.0.0 is the main area in OSPF.

•

5 In the Syslog Server section, select the Enable check box to enable the syslog protocol for the

controller, if applicable. Syslog is a protocol used for the transmission of event notiﬁcation messages across networks.

In the IP Address ﬁeld, type the IP address of the syslog server.

The Syslog Server IP Address ﬁeld supports both IPv4 and IPv6 addresses.

6 Click Next. The Services screen displays.

ExtremeWireless™ V10.41.06 User Guide

Basic Installation Wizard - Services Screen

Conﬁguring the ExtremeWireless Appliance

1 In the RADIUS section, select the Enable check box to enable RADIUS login authentication, if

applicable.

RADIUS login authentication uses a RADIUS server to authenticate user login attempts. RADIUS is a client/server authentication and authorization access protocol used by a network access server (NAS) to authenticate users attempting to connect to a network device.

Do the following:

Server Alias — Type a name that you want to assign to the RADIUS server. You can type a name

•

or IP address of the server.

IP Address — Type the RADIUS server's hostname or IP address.

•

Shared Secret — Type the password that will be used to validate the connection between the

•

controller and the RADIUS server.

ExtremeWireless™ V10.41.06 User Guide 4

Note

Conﬁguring the ExtremeWireless Appliance

2 In the Mobility section, select the Enable check box to enable the controller mobility feature, if

applicable. Mobility allows a wireless device user to roam seamlessly between dierent APs on the same or dierent controllers.

A dialog informs you that NTP is required for the mobility feature and prompts you to conﬁrm you want to enable mobility.

N If the ExtremeWireless Appliance is conﬁgured as a mobility agent, it will act as an NTP client and use the mobility manager as the NTP server. If the appliance is conﬁgured as a mobility manager, its local NTP will be enabled for the mobility domain.

3 Click OK to continue, and then do the following:

Role — Select the role for the controller, Manager or Agent. One controller on the network is

•

designated as the mobility manager and all other controllers are designated as mobility agents.

Port — Click the interface on the controller to be used for communication between mobility

•

manager and mobility agent. Ensure that the selected interface is routable on the network. For

more information, see Conﬁguring Mobility on page 555.

Manager IP — Type the IP address of the mobility manager port if the controller is conﬁgured as

•

the mobility agent.

4 In the Default VNS section, select the Enable check box to enable a default VNS for the controller.

Refer to Virtual Network Services on page 22 for more information about the default VNS.

The default VNS parameters display.

5 Click Finish.

The Success screen displays.

Basic Installation Wizard - Success Screen

ExtremeWireless™ V10.41.06 User Guide

Note

Wireless Assistant

Conﬁguring the ExtremeWireless Appliance

1 We recommend that you change the factory default administrator password.

2 To change the administrator password:

a Type a new administrator password in the New Password. b Conﬁrm the new password in the Conﬁrm Password ﬁeld. c Click Save. Your new password is saved.

3 Click OK, and then click Close.

N The ExtremeWireless Appliance reboots after you click Save if the time zone is changed during the Basic Install Wizard. If the IP address of the management port is changed during the conﬁguration with the Basic Install Wizard, the ExtremeWireless Assistant session is terminated and you will need to log back in with the new IP address.

The W

home screen displays.

Conﬁguring the ExtremeWireless Appliance for the First Time

After the ExtremeWireless Appliance is deployed, perform the following conﬁguration tasks:

ExtremeWireless™ V10.41.06 User Guide

Note

Conﬁguring the ExtremeWireless Appliance

Changing the Administrator Password on page 46

•

Applying Product License Keys on page 47

•

Setting Up the Data Ports on page 51

•

Setting Up Internal VLAN ID and Multicast Support on page 58

•

Setting Up Static Routes on page 59

•

Setting Up OSPF Routing on page 61

•

Conﬁguring Filtering at the Interface Level on page 65

•

Protecting Controller Interfaces and the Internal Captive Portal Page on page 69

•

Conﬁguring the Login Authentication Mode on page 75

•

Conﬁguring SNMP on page 85

•

Conﬁguring Network Time on page 89

•

Conﬁguring DNS Servers for Resolving Host Names of NTP and RADIUS Servers on page 94

•

The basic installation wizard automatically conﬁgures aspects of the controller deployment. You can modify that conﬁguration according to your network speciﬁcations.

Changing the Administrator Password

Extreme Networks recommends that you change your default administrator password once your system is deployed. The ExtremeWireless Appliance default password is abc123. When the controller is installed and you elect to change the default password, the new password must be a minimum of eight characters.

The minimum eight character password length is not applied to existing passwords. For example, if a six character password is already being used and an upgrade of the software is performed, the software does not require the password to be changed to a minimum of eight characters. However, once the upgrade is completed and a new account is created, or the password of an existing account is changed, the new password length minimum will be enforced.

To Change the Administrator Password:

1 From the top menu, click Controller. 2 In the left pane, click Login Management. 3 In the Full Administrator table, click the administrator user name. 4 In the Password ﬁeld, type the new administrator password. 5 In the Conﬁrm Password ﬁeld, type the new administrator password again. 6 Click Change Password.

N The ExtremeWireless Controller provides you with local login authentication mode, the RADIUS-based login authentication mode, and combinations of the two authentication modes. The local login authentication is enabled by default. For more information, see

Conﬁguring the Login Authentication Mode on page 75.

ExtremeWireless™ V10.41.06 User Guide

Note

Conﬁguring the ExtremeWireless Appliance

Applying Product License Keys

The controller’s license system works on simple software-based key strings. A key string consists of a series of numbers and/or letters. Using these key strings, you can license the software, and enhance the capacity of the controller to manage additional APs.

The key strings can be classiﬁed into the following variants:

Activation Key — Activates the software. This key is further classiﬁed into sub-variants:

•

Temporary Activation Key — Activates the software for a trial period of 90 days.

•

Permanent Activation Key — Activates the software for an inﬁnite period.

•

Cloud provider license.

•

Subscription license.

•

N You must obtain a speciﬁc activation key to run release v10.01 or later. Once installed, the number of available Radar licenses increments by 2.

Option Key — Activates the optional feature:

•

Capacity Enhancement Key Format — For AP:

•

Enhances the capacity of the controller to manage additional APs.

You may have to add multiple capacity enhancement keys to reach the ExtremeWireless's limit.

Depending on the appliance model, a capacity enhancement key adds the following APs:

C5110 — Adds 25 wireless APs C5210 — Adds 25 or 100 wireless APs C5215 — Adds 25 or 100 wireless APs C4110 — Adds 25 wireless APs C25 — Adds 1 or 16 wireless APs C35 — Adds 1 or 16 wireless APs V2110 — Adds 1 or 16 wireless APs

If you connect additional wireless APs to an ExtremeWireless controller that has a permanent activation key without installing a capacity enhancement key, a grace period of seven days will start. You must install the correct key during the grace period. If you do not install the key, the controller will start generating event logs every 15 minutes, indicating that the key is required. In addition, you will not be able to edit the Virtual Network Services (VNS) parameters.

Capacity Enhancement Key Format — For Radar:

•

Enhances the capacity of the controller to manage Radar licenses for multiple APs. Radar

capacity licenses are only required for In-Service Scan Proﬁles (for more information, see Radar

License Requirements on page 565). The capacity enhancement key includes a capacity

increment which determines the number of APs supported as follows:

License format: RADCAP<nnn> (where <nnn> is the capacity increment):

RADCAP001 — Adds 1 wireless AP RADCAP016 — Adds 16 wireless APs

ExtremeWireless™ V10.41.06 User Guide

Note

Platform Wireless APs permitted by

permanent activation key

Platform’s optimum limit

Number of capacity enhancement keys to reach the optimum limit

Conﬁguring the ExtremeWireless Appliance

RADCAP025 — Adds 25 wireless APs RADCAP100 — Adds 100 wireless APs

N Any AP assigned to an In-Service scan proﬁle counts as 1 against the licensed Radar capacity.

The controller can be in the following licensing modes:

Unlicensed — When the controller is not licensed, it operates in ‘demo mode.’ In ‘demo mode,’ the

•

controller allows you to operate as many APs as you want, subject to the maximum limit of the platform type. In demo mode, you can use only the b/g radio, with channels 6, 11, and auto. 11n support and Mobility are disabled in demo mode.

Licensed with a temporary activation key — A temporary activation key comes with a regulatory

•

domain. With the temporary activation key, you can select a country from the domain and operate the APs on any channel permitted by the country. A temporary activation key allows you to use all software features. You can operate as many APs as you want, subject to the maximum limit of the platform type.

A temporary activation key is valid for 90 days. Once the 90 days are up, the temporary key expires. You must get a permanent activation key and install it on the controller. If you do not install a permanent activation key, the controller will start generating event logs every 15 minutes, indicating that an appropriate license is required for the current software version. In addition, you will not be able to edit the Virtual Network Services (VNS) parameters.

Cloud Provider — A Cloud Provider license is valid for a period of 5 years. License pooling is not

•

supported because the values are set at the platform limits. Cloud Provider licenses enable local APs with the system limit of the platform, while the radar licenses are set at twice the system limits. e.g. for V2110 medium, local AP licenses available are 250 and Local radar licenses available are 500.

Subscription — A subscription license can be generated for a period between 1 to 255 days. License

•

pooling is not supported because the values are set at the platform limits. A Subscription license enables local APs with the system limit of the platform, while the radar licenses are set at twice the system limits. e.g. for V2110 medium, local AP licenses available are 250 and Local radar licenses available are 500.

Licensed with permanent activation key — A permanent activation key is valid for an inﬁnite

•

period. In addition, unlike the temporary activation key, the permanent activation key allows you to operate a stipulated number of the APs, depending upon the platform type. If you want to connect additional APs, you have to install a capacity enhancement key. You may even have to install multiple capacity enhancement keys to reach the controller’s limit.

The Table 6 lists the platform type and the corresponding number of the APs allowed by the permanent activation key.

Table 6: Platform Type / Wireless APs Allowed by Permanent Activation Key

C25 16 50 4 to 34 (depending on the

C35 50 125 15 to 75 (depending on the

ExtremeWireless™ V10.41.06 User Guide

enhancement license type used)

Platform Wireless APs permitted by

permanent activation key

Platform’s optimum limit

Number of capacity enhancement keys to reach the optimum limit

Conﬁguring the ExtremeWireless Appliance

Table 6: Platform Type / Wireless APs Allowed by Permanent Activation Key (continued)

C4110 50 250 8

C5110 150 525 15

C5210 100 1000 9 to 36 (depending on the

C5215 100 1000 9 to 36 (depending on the

V2110 (Small) 8 50 17 to 42 (depending on the

enhancement license type used)

V2110 (Medium)

V2110 (Large) 8 525 37 to 517 (depending on the

8 250 12 to 242 (depending on the

enhancement license type used)

If the controller detects multiple license violations, such as capacity enhancement, a grace period counter starts from the moment the ﬁrst violation occurred. The controller generates event logs for every violation. To leave the grace period, clear all outstanding license violations.

The controller can be in an unlicensed state for an inﬁnite period. However, if you install a temporary activation key, the unlicensed state is terminated. After the validity of a temporary activation key and the related grace period expire, the controller generates event logs every 15 minutes, indicating that an appropriate license is required for the current software version. In addition, you will not be able to edit the Virtual Network Services (VNS) parameters.

License Pooling

If the controller is paired with an availability partner, you can redistribute licenses when a Capacity Enhancement Key (AP or Radar) is installed. Both controllers must be running at least v9.01 and both members must have a permanent license key. Separate pools will be introduced for each type of license, and licenses installed on either member of an availability pair are shared across the pair automatically. License pooling is supported in fast failover and legacy availability setups. The limit of distribution is set by the license key; therefore if a controller has two keys of 25 APs each, then you will be allowed to transfer 25 or 50 APs to the former peer controller (for more information, see Availability on page 537).

License pooling is not supported for Cloud Provider and Subscription license types since the values are already set at the platform system limits.

Installing the License Keys

This section describes how to install the license key on the controller. It does not explain how to generate the license key. For information on how to generate the license key, see the ExtremeWireless License Certiﬁcate, which is sent to you via traditional mail.

For more information on licensing, see Licensing Considerations on page 108.

ExtremeWireless™ V10.41.06 User Guide

Conﬁguring the ExtremeWireless Appliance

You have to type the license keys on the Wireless Assistant GUI.

To install the license keys:

1 From the top menu, click Controller. 2 In the left pane, click Administration > Software Maintenance. 3 Click the EWC Product Keys tab.

The bottom pane displays the license summary.

Figure 8: Product Keys Tab

4 If you are installing a temporary or permanent activation license key, type the key in the Activation

Key ﬁeld, and then click the Apply Activation Key button.

5 If you are installing a capacity enhancement, type the key in the Option Key ﬁeld, and then click the

Apply Option Key button.

ExtremeWireless™ V10.41.06 User Guide 5

Installed Licensed Keys

Note

Conﬁguring the ExtremeWireless Appliance

6 To view installed keys, click View Installed Keys. The I

dialog displays.

Figure 9: Installed License Keys

Setting Up the Data Ports

A new controller is shipped from the factory with all its data ports set up. Support of management trac is disabled on all data ports. By default, data interface states are enabled. A disabled interface does not allow data to ﬂow (receive/transmit).

Physical ports are represented by the L2 (Ethernet) Ports. The L2 port can be accessed from L2 Ports tabs under ExtremeWireless Controller Conﬁguration. The L2 Ports cannot be removed from the system but their operational status can be changed. Refer to Viewing and Changing the L2 Ports Information on page 52.

Link Aggregation ports are represented by the L2 (peer-to-peer) LAG (Link Aggregation Group) The L2 port and Topology information can be accessed from L2 Ports and Topology tabs under ExtremeWireless Controller Conﬁguration. The LAG L2 Ports cannot be removed from the system but their operational status can be changed. Refer to Viewing and Changing the L2 Ports Information on page 52.

You can redeﬁne a data port to function as a Third-Party AP Port. Refer to Viewing and

Changing the Physical Topologies on page 54 for more information.

Ports.

ExtremeWireless™ V10.41.06 User Guide

Viewing and Changing the L2 Ports Information

L2 Ports

To view and change the l2 port information:

1 From the top menu, click Controller. 2 In the left pane, click Network > L2 Ports. The L

Conﬁguring the ExtremeWireless Appliance

tab is displayed.

3 The L2 Ports tab presents the Physical (that is, Ethernet) and LAG (peer to peer) data ports that

exist on the controller. These ports cannot be deleted and new ones cannot be created.

LAG ports are statically conﬁgured by adding/removing physical ports from the LAG. Physical port belong to at most one LAG at one time. L2 port attached to a LAG port does not have any properties and could not be attached to any topology. The L2 ports attached to LAG ports can be enabled or disabled. Optional, if changes occur to the port physical parameters (speed, half or full duplex), a warning will be displayed to indicate that the L2 port does not meet LAG conditions.

Considerations for attaching/detaching regular L2 ports to LAG ports:

Regular L2 port should not have any bridged and physical topologies associated with the port.

•

Regular L2 port should not be disabled.

•

L2 ports can be detached from LAG ports regardless of any topologies attached to the LAG port.

•

If the L2 port is the last remaining in LAG, a warning will be issued. If last port of the LAG has

•

been detached, the LAG should be in operational DOWN state.

After detaching the L2 port, it could be attached to any bridged or physical topology or points

•

via a routing table to the port any Routed topology.

Jumbo Frames support is a feature that allows the conﬁguration of physical Maximum

•

Transmission Unit (MTU) sizes larger than the standard 1500 bytes on the AP and controller.

When Jumbo Frames is enabled, the maximum MTU is 1800 bytes.

ExtremeWireless™ V10.41.06 User Guide

Note

Conﬁguring the ExtremeWireless Appliance

4 Assigning any bridged or physical topology without specifying an L2 port is not supported.

However, you can move any bridged and physical topology to either a physical or LAG L2 port.

Physical:

C5110 — Three data ports, displayed as esa0, esa1, and esa2.

•

C5210 — Four data ports, displayed as esa0, esa1, esa2, and esa3.

•

C5215 — Four data ports, displayed as esa0, esa1, esa2, and esa3.

•

C4110 — Four data ports, displayed as Port1, Port2, Port3, and Port4.

•

C25 — Two data ports, displayed as esa0 and esa1.

•

C35 — Four data ports, displayed as esa0, esa1, esa2, and esa3.

•

V2110 — Two data ports, displayed as esa0 and esa1.

•

Link Aggregation:

C5110 — One data port, displayed as lag1

•

C5210 — Two data ports, displayed as lag1 and lag2.

•

C5215 — Two data ports, displayed as lag1 and lag2.

•

C4110 — Two data ports, displayed as lag1 and lag2.

•

C35 — Two data ports, displayed as lag1 and lag2.

•

C25 — One data port, displayed as lag1.

•

5 An “Admin” port is created by default. This represents a physical port, separate from the other data

ports, being used for management connectivity. For more information, see Conﬁguring the Admin

Port on page 263.

Parameters displayed for the L2 Ports are:

Operational status, represented graphically with a green checkmark (UP) or red X (DOWN). This

•

is the only conﬁgurable parameter.

Port name, as described above.

•

MAC address, as per Ethernet standard.

•

Untagged VLAN, displays the associated untagged VLAN ID. This ID is unique among topologies.

•

Tagged VLAN, displays the associated tagged VLAN ID.

•

Attached Physical L2 Ports (Link Aggregation L2 Ports only) select the physical L2 ports

•

associated with the link aggregation L2 Ports.

Refer to Viewing and Changing the Physical Topologies on page 54 for more information about L2 port topologies.

6 If desired, change the operational status by clicking the Enable check box.

You can change the operational state for each port. By default, data interface states are enabled. If they are not enabled, you can enable them individually. A disabled interface does not allow data to ﬂow (receive/transmit).

7 If support of MTU sizes above 1500 bytes is required, click Enable Jumbo Frames support. This will

extend the MTU size to 1800 bytes on the data link layer.

Enabling Jumbo Frames support requires that port speed to be 1Gbps or higher on the controller and the APs which support Jumbo Frames. Jumbo Frames are not supported on 10 or 100 Mbps speeds.

ExtremeWireless™ V10.41.06 User Guide

Viewing and Changing the Physical Topologies

Topologies

To view and change the L2 Port topologies:

1 From the top menu, click Controller. 2 In the left pane, click Network > Topologies.

An associated topology entry is created by default for each L2 Port with the same name. The T

tab is displayed.

Conﬁguring the ExtremeWireless Appliance

ExtremeWireless™ V10.41.06 User Guide

3 To make changes, select a speciﬁc topology.

Edit Topology

The E

dialog appears.

Conﬁguring the ExtremeWireless Appliance

For the data ports predeﬁned in the system, Name and Mode are not conﬁgurable.

4 Optionally, conﬁgure one of the physical topologies for Third Party AP connectivity by clicking the

3rd Party AP Topology check box.

You must conﬁgure a topology to which you will be connecting third-party APs by checking this box. Only one topology can be conﬁgured for third-party APs.

Third-party APs must be deployed within a segregated network for which the controller becomes the single point of access (i.e., routing gateway). When you deﬁne a third-party AP topology, the interface segregates the third-party AP from the remaining network.

5 To conﬁgure an interface for VLAN

assignment, conﬁgure the VLAN Settings in the Layer 2 box.

When you conﬁgure a controller port to be a member of a VLAN, you must ensure that the VLAN conﬁguration (VLAN ID, tagged or untagged attribute, and Port ID) is matched with the correct conﬁguration on the network switch.

6 To replicate topology settings, click Synchronize in the Status ﬁeld. 7 If the desired IP conﬁguration is dierent from the one displayed, change the Interface IP and Mask

accordingly in the Layer 3 box.

For this type of data interface, the Layer 3 check box is selected automatically. This allows for IP Interface and subnet conﬁguration together with other networking services.

ExtremeWireless™ V10.41.06 User Guide

Note

DHCP conﬁguration

Note

Conﬁguring the ExtremeWireless Appliance

8 The MTU value speciﬁes the Maximum Transmission Unit or maximum packet size for this topology.

The ﬁxed value is 1500 bytes for physical topologies.

If you are using OSPF, be sure that the MTU of all the interfaces in the OSPF link match.

If the routed connection to an AP traverses a link that imposes a lower MTU than the default 1500 bytes, the controller and AP participate in automatic MTU discovery and adjust their settings accordingly. At the controller, MTU adjustments are tracked on a per AP basis. If the ExtremeWireless software cannot discover the MTU size, it enforces the static MTU size.

9 To enable AP registration through this interface, select the AP Registration check box.

Wireless APs use this port for discovery and registration. Other controllers can use this port to enable inter-controller device mobility if this port is conﬁgured to use SLP or the controller is running as a manager and SLP is the discovery protocol used by the agents.

10 To enable management trac, select the Management Trac check box. Enabling management

provides access to SNMP

(v1/v2c, v3), SSH, and HTTPs management interfaces.

This option does not override the built-in protection ﬁlters on the port. The built-in protection ﬁlters for the port, which are restrictive in the types of packets that are allowed to reach the management plane, are extended with a set of deﬁnitions that allow for access to system management services through that interface (SSH, SNMP, HTTPS:5825).

11 To enable the local DHCP Server on the controller, in the DHCPﬁeld, select Local Server. Then, click

on the Conﬁgure button to open the D

pop-up window.

The local DHCP Server is useful as a general-purpose DHCP Server for small subnets.

ExtremeWireless™ V10.41.06 User Guide

Note

Conﬁguring the ExtremeWireless Appliance

a In the Domain Name ﬁeld, type the name of the domain that you want the APs to use for DNS

Server’s discovery. b In the Lease (seconds) default ﬁeld, type the time period for which the IP address will be

allocated to the APs (or any other device requesting it). c In the Lease (seconds) max ﬁeld, type the maximum time period in seconds for which the IP

address will be allocated to the APs. d In the DNS Servers ﬁeld, type the DNS Server’s IP address if you have a DNS Server. e In the WINS ﬁeld, type the WINS Server’s IP address if you have a WINS Server.

N You can type multiple entries in the DNS Servers and WINS ﬁelds. Each entry must be separate by a comma. These two ﬁelds are not mandatory to enable the local DHCP feature.

f In the Gateway ﬁeld, type the IP address of the default gateway.

Since the controller is not allowed to be the gateway for the segment, including APs, you cannot use the Interface IP address as the gateway address for physical and Bridged at Controller topology. For Routed topology, the controller IP address must be the gateway.

g Conﬁgure the address range from which the local DHCP Server will allocate IP addresses to the

APs.

In the Address Range: from ﬁeld, type the starting IP address of the IP address range.

•

In the Address Range: to ﬁeld, type the ending IP address of the IP address range.

•

h Click the Exclusion(s) button to exclude IP addresses from allocation by the DHCP Server. The

DHCP Address Exclusion window opens.

The controller automatically adds the IP addresses of the Interfaces (Ports), and the default gateway to the exclusion list. You cannot remove these IP addresses from the exclusion list.

ExtremeWireless™ V10.41.06 User Guide

Note

Conﬁguring the ExtremeWireless Appliance

Select Range. In the From ﬁeld, type the starting IP address of the IP address range that you

•

want to exclude from the DHCP allocation.

In the To ﬁeld, type the ending IP address of the IP address range that you want to exclude from

•

the DHCP allocation.

To exclude a single address, select the Single Address radio button and type the IP address in the

•

adjacent ﬁeld.

In the Comment ﬁeld, type any relevant comment. For example, you can type the reason for

•

which a certain IP address is excluded from the DHCP allocation.

Click Add. The excluded IP addresses are displayed in the IP Address(es) to exclude from DHCP

•

Address Range ﬁeld.

To delete a IP Address from the exclusion list, select it in the IP Address(es) to exclude from

•

DHCP Range ﬁeld, and then click Delete.

To save your changes, click OK.

•

N The Broadcast (B’cast) Address ﬁeld is view only. This ﬁeld is computed from the mask and the IP addresses.

Setting Up Internal VLAN ID and Multicast Support

You can conﬁgure the Internal VLAN ID, and enable multicast support. The internal VLAN used only internally and is not visible on the external trac. The physical topology used for multicast is represented by a physical topology to/from which the multicast trac is forwarded in conjunction with

ExtremeWireless™ V10.41.06 User Guide

Topologies

Conﬁguring the ExtremeWireless Appliance

the virtual routed topologies (and VNSs) conﬁgured on the controller. Please note that no multicast routing is available at this time.

To conﬁgure the Internal VLAN ID and enable multicast support:

1 From the top menu, click Controller. 2 In the left pane, click Network > Topologies.

The T

tab is displayed.

3 In the Internal VLAN ID ﬁeld, type the internal VLAN ID. 4 From the Multicast Support drop-down list, select the desired physical topology. 5 To save your changes, click Save.

Setting Up Static Routes

When setting up a controller routing protocol, you must deﬁne a default route to your enterprise network, either with a static route or by using the OSPF protocol. A default route enables the controller to forward packets to destinations that do not match a more speciﬁc route deﬁnition.

To Set a Static Route on the controller:

ExtremeWireless™ V10.41.06 User Guide

1 From the top menu, click Controller.

Wireless Controller Conﬁguration

Static Routes

Edit route

Note

The W

2 In the left pane, click Network > Routing Protocols.

The S

tab is displayed.

screen displays.

Conﬁguring the ExtremeWireless Appliance

3 To add a new route, click New, and in the E

In the Destination Address ﬁeld, type the IP address of the destination controller.

•

To deﬁne a default static route for any unknown address not in the routing table, type 0.0.0.0.

In the Subnet Mask ﬁeld, type the appropriate subnet mask to separate the network portion from

•

the host portion of the IP address (typically 255.255.255.0). To deﬁne the default static route for

any unknown address, type 0.0.0.0.

In the Gateway ﬁeld, type the IP address of the adjacent router port or gateway on the same

•

subnet as the controller to which to forward these packets. This is the IP address of the next hop

between the controller and the packet’s ultimate destination.

Select the Override dynamic routes check box to give priority over the OSPF learned routes,

•

including the default route, which the controller uses for routing. This option is enabled by

default.

To remove this priority for static routes, so that routing is controlled dynamically at all times, clear

•

the Override dynamic routes check box.

If you enable dynamic routing (OSPF), the dynamic routes will normally have priority for outgoing routing. For internal routing on the controller, the static routes normally have priority.

dialog, enter the following information:

ExtremeWireless™ V10.41.06 User Guide

Available AP Reports

Forwarding Table

Related Links

Conﬁguring the ExtremeWireless Appliance

4 To save your changes, click Save.

Viewing the Forwarding Table

You can view the deﬁned routes, whether static or OSPF, and their current status in the forwarding table.

To view the forwarding table on the controller:

1 From the Routing Protocols Static Routes tab, click View Forwarding Table. The Forwarding Table

is displayed.

2 Alternatively, from the top menu, click Reports. The A

screen displays.

3 In the left pane, click Routing Protocols, then click Forwarding Table.

The F

is displayed.

This report displays all deﬁned routes, whether static or OSPF, and their current status.

4 To update the display, click Refresh.

Setting Up OSPF Routing

Open Shortest Path First (OSPF) is a robust link-state routing protocol. OSPF forms adjacencies with neighbors and shares information via the Designated Router (DR) and Backup DR using link state advertisements. Areas in OSPF are used to limit LSAs and summarize routes. Everyone connects to area zero, the backbone.

Enabling OSPF Routing on page 62

Setting OSPF Routing Settings on page 62

ExtremeWireless™ V10.41.06 User Guide

Related Links

Static Routes

Conﬁguring the ExtremeWireless Appliance

Conﬁrming OSPF Ports on page 65

Enabling OSPF Routing

To enable OSPF (OSPF RFC2328) routing, you must:

1 Specify at least one topology on which OSPF is enabled on the Port Settings option of the OSPF tab.

This is the interface on which you can establish OSPF adjacency.

2 Enable OSPF globally on the controller. 3 Deﬁne the global OSPF parameters. 4 Ensure that the OSPF parameters deﬁned here for the controller are consistent with the adjacent

routers in the OSPF area. This consistency includes the following:

If the peer router has dierent timer settings, the protocol timer settings in the controller must

•

be changed to match to achieve OSPF adjacency.

The MTU of the ports on either end of an OSPF link must match. The MTU for ports on the

•

controller is ﬁxed at 1500. This matches the default MTU in standard routers. The maximum MTU

can be increased to 1800 bytes by enabling Jumbo Frames support (for more information, see

Setting Up the Data Ports on page 51).

It is important to ensure that the MTU of the ports on either end of an OSPF link match. If there is a mismatch in the MTU, then the OSPF adjacency between the controller and the neighboring router might not get established.

Setting Up OSPF Routing on page 61 Setting OSPF Routing Settings on page 62

Conﬁrming OSPF Ports on page 65

Setting OSPF Routing Settings

To set OSPF routing global settings on the controller:

1 From the top menu, click Controller. 2 In the left pane, click Network > Routing Protocols. The S

tab is displayed by default.

ExtremeWireless™ V10.41.06 User Guide

raft

OSPF

Conﬁguring the ExtremeWireless Appliance

3 Click the O

tab.

4 From the OSPF Status drop-down list, click On to enable OSPF.

In the Router ID ﬁeld, type the IP address of the controller. This ID must be unique across the OSPF area. If left blank, the OSPF daemon automatically picks a router ID from one of the controller’s interface IP addresses.

5 In the Area ID ﬁeld, type the area. 0.0.0.0 is the main area in OSPF. 6 In the Area Type drop-down list, click one of the following:

Default — The default acts as the backbone area (also known as area zero). It forms the core of

•

an OSPF network. All other areas are connected to it, and inter-area routing happens via a router

connected to the backbone area.

Stub — The stub area does not receive external routes. External routes are deﬁned as routes

•

which were distributed in OSPF via another routing protocol. Therefore, stub areas typically rely

on a default route to send trac routes outside the present domain.

Not-so-stubby — The not-so-stubby area is a type of stub area that can import autonomous

•

system (AS) external routes and send them to the default/backbone area, but cannot receive AS

external routes from the backbone or other areas.

7 To save your changes, click Save.

ExtremeWireless™ V10.41.06 User Guide

Edit Port

Note

Related Links

Conﬁguring the ExtremeWireless Appliance

8 To add a new OSPF interface, click New or select a port to conﬁgure by clicking on the desired port

in the Port Settings table.

The E

9 In the Link Cost ﬁeld, type the OSPF standard value for your network for this port. This is the cost of

sending a data packet on the interface. The lower the cost, the more likely the interface is to be used to forward data trac.

10 In the Authentication drop-down list, click the authentication type for OSPF on your network: None

or Password. The default setting is None.

11 If Password is selected as the authentication type, in the Password ﬁeld, type the password.

If None is selected as the Authentication type, leave this ﬁeld empty. This password must match on either end of the OSPF connection.

12 Type the following:

dialog displays.

If more than one port is enabled for OSPF, it is important to prevent the controller from serving as a router for other network trac (other than the trac from wireless device users on routed topologies controlled by the controller). For more information, see Policy

Rules on page 288.

Hello-Interval — Speciﬁes the time in seconds (displays OSPF default).The default setting is 10

•

seconds.

Dead-Interval — Speciﬁes the time in seconds (displays OSPF default). The default setting is 40

•

seconds.

Retransmit-Interval — Speciﬁes the time in seconds (displays OSPF default). The default setting

•

is 5 seconds.

Transmit Delay— Speciﬁes the time in seconds (displays OSPF default). The default setting is 1

•

second.

13 To save your changes, click Save.

Setting Up OSPF Routing on page 61 Enabling OSPF Routing on page 62

Conﬁrming OSPF Ports on page 65

ExtremeWireless™ V10.41.06 User Guide

Forwarding Table

Related Links

Conﬁguring the ExtremeWireless Appliance

Conﬁrming OSPF Ports

To conﬁrm that the ports are set up for OSPF, and that advertised routes from the upstream router are recognized:

1 Click View Forwarding Table. The F

The following additional reports display OSPF information when the protocol is in operation:

OSPF Neighbor — Displays the current neighbors for OSPF (routers that have interfaces to a

•

common network)

OSPF Linkstate — Displays the Link State Advertisements (LSAs) received by the currently

•

running OSPF process. The LSAs describe the local state of a router or network, including the

state of the router’s interfaces and adjacencies.

2 To update the display, click Refresh.

Setting Up OSPF Routing on page 61 Enabling OSPF Routing on page 62

Setting OSPF Routing Settings on page 62

is displayed.

Conﬁguring Filtering at the Interface Level

The ExtremeWireless solution has a number of built-in ﬁlters that protect the system from unauthorized trac. These ﬁlters are speciﬁc only to the controller. These ﬁlters are applied at the network interface level and are automatically invoked. By default, these ﬁlters provide stringent-level rules to allow only access to the system's externally visible services. In addition to these built-in ﬁlters, the administrator can deﬁne speciﬁc exception ﬁlters at the interface-level to customize network access. These ﬁlters depend on Topology Modes and the conﬁguration of an L3 interface for the topology.

For Bridged at Controller topologies, exception ﬁlters are deﬁned only if L3 (IP) interfaces are speciﬁed. For Physical, Routed, and 3rd Party AP topologies, exception ﬁltering is always conﬁgured since they all have an L3 interface presence.

Built-in Interface-based Exception Filters

On the controller, various interface-based exception ﬁlters are built in and invoked automatically. These ﬁlters protect the controller from unauthorized access to system management functions and services via the interfaces. Access to system management functions is granted if the administrator selects the allow management trac option in a speciﬁc topology.

Allow management trac is possible on the topologies that have L3 IP interface deﬁnitions. For example, if management trac is allowed on a physical topology (esa0), only users connected through ESA0 will be able to get access to the system. Users connecting on any other topology, such as Routed or Bridged Locally at Controller, will no longer be able to target ESA0 to gain management access to the system. To allow access for users connected on such a topology, the given topology conﬁguration itself must have allow management trac enabled and users will only be able to target the topology interface speciﬁcally.

On the controller’s L3 interfaces (associated with either physical, Routed, or Bridged Locally at Controller topologies), the built-in exception ﬁlter prohibits invoking SSH, HTTPS, or SNMP such trac is allowed, by default, on the management port.

. However,

ExtremeWireless™ V10.41.06 User Guide

Topologies

Edit Topology

Conﬁguring the ExtremeWireless Appliance

If management trac is explicitly enabled for any interface, access is implicitly extended to that interface through any of the other interfaces (VNS). Only trac speciﬁcally allowed by the interface’s exception ﬁlter is allowed to reach the controller itself. All other trac is dropped. Exception ﬁlters are dynamically conﬁgured and regenerated whenever the system's interface topology changes (for example, a change of IP address for any interface).

Enabling management trac on an interface adds additional rules to the exception ﬁlter, which opens up the well-known IP(TCP/UDP) ports, corresponding to the HTTPS, SSH, and SNMP applications.

The interface-based built-in exception policy rules, in the case of trac from wireless users, are applicable to trac targeted directly for the topology L3 interface. For example, a ﬁlter speciﬁed by a Role may be generic enough to allow trac access to the controller's management (for example, Allow All [*.*.*.*]). Exception policy rules are evaluated after the user's assigned ﬁlter role, as such, it is possible that the role allows the access to management functions that the exception ﬁlter denies. These packets are dropped.

To enable SSH, HTTPS, or SNMP access through a physical data interface:

1 From the top menu, click Controller. 2 In the left pane, click Network > Topologies. The T

tab is displayed.

3 On the Topologies tab, click the appropriate data port topology. The E

ExtremeWireless™ V10.41.06 User Guide

window displays.

Warning

Topologies

Edit Topology

Conﬁguring the ExtremeWireless Appliance

4 Select the Management Trac check box if the topology has speciﬁed an L3 IP interface presence. 5 To save your changes, click Save.

Working with Administrator-deﬁned Interface-based Exception Filters

You can add speciﬁc policy rules at the interface level in addition to the built-in rules. Such rules give you the capability of restricting access to a port, for speciﬁc reasons, such as a Denial of Service (DoS) attack.

The policy rules are set up in the same manner as policy rules deﬁned for a Role — specify an IP address, select a protocol if applicable, and then either allow or deny trac to that address. For more information, see Policy Rules on page 288.

The rules deﬁned for port exception ﬁlters are prepended to the normal set of restrictive exception ﬁlters and have precedence over the system's normal protection enforcement (that is, they are evaluated ﬁrst).

W If deﬁned improperly, user exception rules may seriously compromise the system’s normal security enforcement rules. They may also disrupt the system's normal operation and even prevent system functionality altogether. It is advised to only augment the exception-ﬁltering mechanism if absolutely necessary.

To deﬁne interface exception ﬁlters:

1 From the top menu, click Controller. 2 In the left pane, click Network > Topologies. The T 3 Select a topology to be conﬁgured. The E

screen displays.

window is displayed.

ExtremeWireless™ V10.41.06 User Guide

Exception Filters

Conﬁguring the ExtremeWireless Appliance

4 If the topology has an L3 interface deﬁned, an E

The Exception Filter rules are displayed.

tab is available. Select this tab.

ExtremeWireless™ V10.41.06 User Guide

Conﬁguring the ExtremeWireless Appliance

5 Add rules by either:

Click Add Predeﬁned , select a ﬁlter from the drop down list, and click Add.

•

Click Add, conﬁgure the following parameters, then click OK:

•

In the IP / subnet:port ﬁeld, type the destination IP address. You can also specify an IP range, a

port designation, or a port range on that IP address.

In the Protocol drop-down list, click the protocol you want to specify for the ﬁlter. This list may

include UDP, TCP, GRE, IPsec-ESP, IPsec-AH, ICMP (Internet Control Message Protocol)

default is N/A.

6 The new ﬁlter is displayed in the upper section of the screen. 7 Click the new ﬁlter entry. 8 To allow trac, select the Allow check box. 9 To adjust the order of the policy rules, click Up or Down to position the rule. The policy rules are

executed in the order deﬁned here.

10 To save your changes, click Save.

Protecting Controller Interfaces and the Internal Captive Portal Page

By default, the controller is shipped with a self-signed certiﬁcate used to perform the following tasks:

Protect all interfaces that provide administrative access to the controller

•

Protect the internal Captive Portal page

•

. The

This certiﬁcate is associated with topologies that have a conﬁgured L3 (IP) interface.

If you continue to use the default certiﬁcate to secure the controller and internal Captive Portal page, your web browser will likely produce security warnings regarding the security risks of trusting self-

ExtremeWireless™ V10.41.06 User Guide

Note

Certiﬁcate Format Description

Note

Topologies

Conﬁguring the ExtremeWireless Appliance

signed certiﬁcates. To avoid the certiﬁcate-related web browser security warnings, you can install customized certiﬁcates on the controller.

N To avoid the certiﬁcate-related web browser security warnings when accessing the controller, you must also import the customized certiﬁcates into your web browser application.

Before Installing a Certiﬁcate

Before you create and install a certiﬁcate:

1 Select a certiﬁcate format to install. The controller supports several types of certiﬁcates, as shown in

Table 7.

Table 7: Supported Certiﬁcate and CA Formats

PKCS#12 The PKCS#12 certiﬁcate (.pfx) ﬁle contains both a certiﬁcate and the

corresponding private key. The controller will accept the PKCS#12 ﬁle as long as the format of the private key and certiﬁcate are valid.

PEM/DER The PEM/DER certiﬁcate (.crt) ﬁle requires a separate PEM/DER

private key (.key) ﬁle. The controller uses OpenSSL PKCS12 command to convert the .crt and .key ﬁles into a single .pfx PKCS#12 certiﬁcate ﬁle. The controller will accept the PEM/DER ﬁle as long as the format of the private key and certiﬁcate are valid.

PEM-formatted CA public certiﬁcate ﬁle If you choose to install this optional certiﬁcate, you must do so when

specifying the PCKCS#12 or PEM/DER certiﬁcates.

When generating the PKCS#12 certiﬁcate ﬁle or PEM/DER certiﬁcate and key ﬁles, you must ensure that the interface identiﬁed in the certiﬁcate corresponds to the controller’s interface for which the certiﬁcate is being installed.

2 Understand how the controller monitors the expiration date of installed certiﬁcates.

The controller generates an entry in the events information log as the certiﬁcate expiry date approaches, based on the following schedule: 15, 8, 4, 2, and 1 day prior to expiration. The log messages cease when the certiﬁcate expires. For more information, refer to the Extreme Networks ExtremeWireless Maintenance Guide.

3 Understand how the controller manages certiﬁcates during upgrades and migrations.

Installed certiﬁcates will be backed up and restored with the controller conﬁguration data. Installed certiﬁcates will also be migrated during an upgrade and during a migration.

Installing a Certiﬁcate for a Controller Interface

To install a certiﬁcate for a Controller Data Interface:

1 From the top menu, click Controller. 2 In the left pane, click Network > Topologies. The T

ExtremeWireless™ V10.41.06 User Guide

tab is displayed.

Certiﬁcates

Conﬁguration for Topologies

Note

Field/Button Description

Conﬁguring the ExtremeWireless Appliance

3 Click the C

tab. Topologies with an L3 interface will be listed.

4 In the Interface Certiﬁcates table, click to select the topology for which you want to install a

certiﬁcate.

The C

section displays.

There are separate certiﬁcates if IPv4 and IPv6 is conﬁgured for Admin topology.

The Conﬁguration for Topologies section and the Generate Signing Request button become available. Use the ﬁeld and button descriptions in Table 8 to create and install certiﬁcates.

The certiﬁcate Common Name (CN) must match the interface IP or DNS addresses (Admin only).

Table 8: Topologies Page: Certiﬁcates Tab Fields and Buttons

Interface Certiﬁcates

Topology Topology name

Expiry Date Date when the certiﬁcate expires

ExtremeWireless™ V10.41.06 User Guide

Field/Button Description

Note:

Conﬁguring the ExtremeWireless Appliance

Table 8: Topologies Page: Certiﬁcates Tab Fields and Buttons (continued)

CA Cert. Identiﬁes whether or not a CA certiﬁcate has been installed on the

topology.

Name (CN) The IP address of DNS address associated with the topology that

the certiﬁcate applies to.

The Name ﬁeld supports both IPv4 or IPv6 addresses.

Org Unit (OU) Name of the organization’s unit.

Organization Name of the organization

Conﬁguration for Topology

Replace/Install selected Topology’s certiﬁcate

To replace/install the existing port’s certiﬁcate and key using this option, do the following:

1 From the click the Generate Signing Request button to create

the certiﬁcate and key. 2 Download the CSR when prompted. 3 Use a 3rd party certiﬁcate service to sign the CSR and create a

certiﬁcate and a Certiﬁcate Authority (CA) ﬁle. 4 Save the certiﬁcate on your computer. 5 Return to the Certiﬁcates tab on the ExtremeWireless UI. 6 Select the topology for which you created the certiﬁcate and

select Replace/Install selected Topologies certiﬁcate. 7 Click Browse next to the Signed certiﬁcate to install ﬁeld. 8 Navigate to the certiﬁcate ﬁle you want to install for this port,

and then click Open. The certiﬁcate ﬁle name is displayed in the

Certiﬁcate ﬁle to install ﬁeld. 9 (Optional) Click Browse next to the Optional:Enter PEM-

encoded CA public certiﬁcates ﬁle ﬁeld. The Choose ﬁle dialog

is displayed. 10 (Optional) Navigate to the certiﬁcate ﬁle you want to install for

this port, and then click Open. The certiﬁcate ﬁle name is

displayed in the Optional:Enter PEM-encoded CA public

certiﬁcates ﬁle ﬁeld.

If you choose to install a CA public certiﬁcate, you must install

it when you install the PEM/DER certiﬁcate and key.

ExtremeWireless™ V10.41.06 User Guide

Field/Button Description

Choose ﬁle

Note:

Choose ﬁle

Note:

Conﬁguring the ExtremeWireless Appliance

Table 8: Topologies Page: Certiﬁcates Tab Fields and Buttons (continued)

Replace/Install selected Topology’s certiﬁcate and key from a single ﬁle

Replace/Install selected Topology’s certiﬁcate and key from separate ﬁles

To replace the existing port’s certiﬁcate and key using this option, do the following:

1 Click Browse next to the PKCS #12 ﬁle to install ﬁeld. The

2 Navigate to the certiﬁcate ﬁle you want to install for this port,

and then click Open. The certiﬁcate ﬁle name is displayed in the

PKCS #12 ﬁle to install ﬁeld. 3 In the Private key password box, type the password for the key

ﬁle. The key ﬁle is password protected. 4 (Optional) Click Browse next to the Optional:Enter PEM-

encoded CA public certiﬁcates ﬁle ﬁeld. The C

is displayed. 5 (Optional) Navigate to the certiﬁcate ﬁle you want to install for

this port, and then click Open. The certiﬁcate ﬁle name is

displayed in the Optional:Enter PEM-encoded CA public

certiﬁcates ﬁle ﬁeld.

If you choose to install a CA public certiﬁcate, you must install

it when you install the PEM/DER certiﬁcate and key.

To replace the existing port’s certiﬁcate and key using this option, do the following:

1 Click Browse next to the PKCS #12 ﬁle to install ﬁeld. The

2 Navigate to the certiﬁcate ﬁle you want to install for this port,

and then click Open. The certiﬁcate ﬁle name is displayed in the

PKCS #12 ﬁle to install ﬁeld. 3 Click Browse next to the Private key ﬁle to install ﬁeld. The

4 Navigate to the key ﬁle you want to install for this port, and then

click Open. The key ﬁle name is displayed in the Private key ﬁle

to install ﬁeld. 5 In the Private key password box, type the password for the key

ﬁle. The key ﬁle is password protected. 6 (Optional) Click Browse next to the Optional:Enter PEM-

encoded CA public certiﬁcates ﬁle ﬁeld. The C

is displayed. 7 (Optional) Navigate to the certiﬁcate ﬁle you want to install for

this port, and then click Open. The certiﬁcate ﬁle name is

displayed in the Optional:Enter PEM-encoded CA public

certiﬁcates ﬁle ﬁeld.

dialog is displayed.

dialog

Reset selected Topology to the factory default certiﬁcate and key

No change No change.

ExtremeWireless™ V10.41.06 User Guide

If you choose to install a CA public certiﬁcate, you must install

it when you install the PEM/DER certiﬁcate and key.

Remove custom certiﬁcate that user installed.

Field/Button Description

Generate Certiﬁcate Signing Request

Note

Field/Button Description

Conﬁguring the ExtremeWireless Appliance

Table 8: Topologies Page: Certiﬁcates Tab Fields and Buttons (continued)

Generate Signing Request To generate a CSR for the controller, click Generate Signing Request.

The G

10).

Save Click to save the changes to this Topology.

window displays (Figure

To avoid the certiﬁcate-related web browser security warnings when accessing the Wireless Assistant, you must also import the customized certiﬁcates into your web browser application.

Figure 10: Generate Certiﬁcate Signing Request Window

Table 9: Generate Certiﬁcate Signing Request Page - Fields and Buttons

Country name The two-letter ISO abbreviation of the name of the country

State or Province name The name of the State/Province

Locality name (city) The name of the city.

Organization name The name of the organization

Organizational Unit name The name of the unit within the organization.

Common Name Set the common name to be one of the following:

ExtremeWireless™ V10.41.06 User Guide

the IP address of the interface that the CSR applies to. a DNS address associated with the IP address of the interface that the CSR applies to.

Field/Button Description

File Download

Note

Conﬁguring the ExtremeWireless Appliance

Table 9: Generate Certiﬁcate Signing Request Page - Fields and Buttons (continued)

Email address The email address of the organization

Generate Signing Request Click to generate a signing request. A certiﬁcate request ﬁle is

generated (.csr ﬁle extension). The name of the ﬁle is the IP address of the topology you created the CSR for. The F displayed.

Conﬁguring the Login Authentication Mode

You can conﬁgure the following login authentication modes to authenticate administrator login attempts:

Local authentication — The controller uses locally conﬁgured login credentials and passwords. See

•

Conﬁguring the Local Login Authentication Mode and Adding New Users on page 75.

RADIUS authentication — The controller uses login credentials and passwords conﬁgured on a

•

RADIUS server. See Conﬁguring the RADIUS Login Authentication Mode on page 78. Local authentication ﬁrst, then RADIUS authentication — The controller ﬁrst uses locally conﬁgured

•

login credentials and passwords. If this login fails, the controller attempts to validate login credentials and passwords conﬁgured on a RADIUS server. See Conﬁguring the Local, RADIUS Login

Authentication Mode on page 82.

RADIUS authentication ﬁrst, then local authentication — The controller ﬁrst uses login credentials

•

and passwords conﬁgured on a RADIUS server. If this login fails, the controller attempts to validate login credentials and passwords conﬁgured locally. See Conﬁguring the RADIUS, Local Login

Authentication Mode on page 84.

dialog is

The ExtremeWireless Appliance enables you to recover the controller via the Rescue mode if you have lost its login password. For more information, see the ExtremeWireless Maintenance Guide.

Conﬁguring the Local Login Authentication Mode and Adding New Users

Local login authentication mode is enabled by default. If the login authentication was previously set to another authentication mode, you can change it to the local authentication. You can also add new users and assign them to a login group — as full administrators, read-only administrators, or as a GuestPortal managers. For more information, see Deﬁning Wireless Assistant Administrators and Login Groups on page 673.

To conﬁgure the local login authentication mode:

1 From the top menu, click Controller.

ExtremeWireless™ V10.41.06 User Guide

Conﬁguring the ExtremeWireless Appliance

2 In the left pane, click Administration > Login Management.

The L

screen displays.

3 In the Authentication mode section, click Conﬁgure.

The L

ExtremeWireless™ V10.41.06 User Guide

window is displayed.

Note

Administrator Password Conﬁrmation

Conﬁguring the ExtremeWireless Appliance

4 Select the Local check box.

If the RADIUS check box is selected, deselect it. 5 Click OK. 6 In the Add User section, select one of the following from the Group drop-down list:

Full Administrator — Grants the administrator’s access rights to the administrator.

•

Read-only Administrator — Grants read-only access right to the administrator.

•

GuestPortal Manager — Grants the user GuestPortal manager rights.

•

7 In the User ID box, type the user’s ID. 8 In the Password box, type the user’s password.

N UNICODE characters are not supported in passwords for local and remote RADIUS/ TACACS+ authentication. All passwords must be 8 to 24 characters long.

9 In the Conﬁrm Password box, re-type the password. 10 To add the user, click Add User. The new user is added. 11 Click Save.

The A

window is displayed.

12 Select the appropriate option.

Yes — Change authentication mode to local. Use the administrator password currently deﬁned on

•

the controller. Yes, but I want to change administrator’s password ﬁrst — Change authentication mode to

•

local and change the administrator password currently deﬁned on the controller. No — Do not change the authentication mode to local.

•

13 Click Submit. 14 If you chose Yes, but I want to change administrator’s password ﬁrst, you are prompted to change

the administrator’s password.

ExtremeWireless™ V10.41.06 User Guide

Note

Global Settings

Note

Conﬁguring the ExtremeWireless Appliance

Conﬁguring the RADIUS Login Authentication Mode

The local login authentication mode is enabled by default. You can change the local login authentication mode to RADIUS-based authentication.

N Before you change the default local login authentication to RADIUS-based authentication, you must conﬁgure the RADIUS Server on the G see VNS Global Settings on page 392.

RADIUS is a client/server authentication and authorization access protocol used by a network access server (NAS) to authenticate users attempting to connect to a network device. The NAS functions as a client, passing user information to one or more RADIUS servers. The NAS permits or denies network access to a user based on the response it receives from one or more RADIUS servers. RADIUS uses User Datagram Protocol (UDP) for sending the packets between the RADIUS client and server.

You can conﬁgure a RADIUS key on the client and server. If you conﬁgure a key on the client, it must be the same as the one conﬁgured on the RADIUS servers. The RADIUS clients and servers use the key to encrypt all RADIUS packets transmitted. If you do not conﬁgure a RADIUS key, packets are not encrypted. The key itself is never transmitted over the network.

screen. For more information,

Before you conﬁgure the system to use RADIUS-based login authentication, you must conﬁgure the Service-Type RADIUS attribute on the RADIUS server.

EWC uses the standard RADIUS attribute Service-Type to put the user into the

appropriate groups:

Administrator Service-Type = 6

•

Read-Only Service-Type = 7

•

GuestPortal Manager Service-Type = 8

•

To conﬁgure the RADIUS login authentication mode:

1 From the top menu, click Controller. 2 In the left pane, click Administration > Login Management. The L

screen displays.

ExtremeWireless™ V10.41.06 User Guide

3 Click the RADIUS Authentication tab.

Conﬁguring the ExtremeWireless Appliance

4 In the Authentication mode section, click Conﬁgure.

The L

ExtremeWireless™ V10.41.06 User Guide

window is displayed.

Note

Global Settings

Note

Conﬁguring the ExtremeWireless Appliance

5 Deselect Local and select the RADIUS check box.

6 Click OK. 7 From the drop-down list, located next to the Use button, select the RADIUS Server that you want to

use for the RADIUS login authentication, and then click Use. The RADIUS Server’s name is displayed

in the Conﬁgured Servers box, and in the Auth section, and the following default values of the

RADIUS Server are displayed.

N The RADIUS Servers displayed in the list located against the Use button are deﬁned on

The following values can be edited:

NAS IP address — The IP address of Network Access Server (NAS).

•

NAS Identiﬁer — The Network Access Server (NAS) identiﬁer. The NAS identiﬁer is a RADIUS

•

attribute that identiﬁes the server responsible for passing information to designated RADIUS servers, and then acting on the response returned.

Auth Type — The authentication protocol type (PAP, CHAP, MS-CHAP, or MS-CHAP2).

•

Set as Primary Server — Speciﬁes the primary RADIUS server when there are multiple RADIUS

•

servers.

8 To add additional RADIUS servers, repeat step 7.

You can add up to three RADIUS servers to the list of login authentication servers. When you add two or more RADIUS servers to the list, you must designate one of them as the Primary server. The controller ﬁrst attempts to connect to the Primary server. If the Primary Server is not available, it tries to connect to the second and third server according to their order in the Conﬁgured Servers box. You can change the order of RADIUS servers in the Conﬁgured Servers box by clicking on the Up and Down buttons.

screen. For more information, see VNS Global Settings on page 392.

ExtremeWireless™ V10.41.06 User Guide

9 Click Te st to test connectivity to the RADIUS server.

Note

N You can also test the connectivity to the RADIUS server after you save the conﬁguration. If you do not test the RADIUS server connectivity, and you have made an error in conﬁguring the RADIUS-based login authentication mode, you will be locked out of the controller when you switch the login mode to the RADIUS login authentication mode. If you are locked out, access Rescue mode via the console port to reset the authentication method to local.

The following window is displayed.

Conﬁguring the ExtremeWireless Appliance

10 In the User ID and the Password ﬁelds, type the user’s ID and the password, which were conﬁgured

on the RADIUS Server, and then click Te st .

The RADIUS connectivity result is displayed.

To learn how to conﬁgure the User ID and the Password on the RADIUS server, refer to your RADIUS server’s user guide.

If the test is not successful, the following message will be displayed:

ExtremeWireless™ V10.41.06 User Guide

RADIUS Authentication

Conﬁguring the ExtremeWireless Appliance

11 If the RADIUS connectivity test displays “Successful” result, click Save on the R

screen to save your conﬁguration.

The following window is displayed:

12 If you tested the RADIUS server connectivity earlier in this procedure, click No. If you click Yes , you

will be asked to enter the RADIUS server user ID and password. 13 To change the authentication mode to RADIUS authentication, click OK.

You will be logged out of the controller immediately. You must use the RADIUS login user name and

password to log on the controller.

To cancel the authentication mode changes, click Cancel.

Conﬁguring the Local, RADIUS Login Authentication Mode

To conﬁgure the Local, RADIUS login authentication mode:

1 From the top menu, click Controller.

ExtremeWireless™ V10.41.06 User Guide

Conﬁguring the ExtremeWireless Appliance

2 In the left pane, click Administration > Login Management. The L

screen displays.

3 In the Authentication mode section, click Conﬁgure. 4 Select the Local and RADIUS check box.

ExtremeWireless™ V10.41.06 User Guide

Conﬁguring the ExtremeWireless Appliance

5 If necessary, select Local and use the Move Up button to move Local to the top of the list. 6 Click OK. 7 On the L

screen, click Save.

For information on setting local login authentication settings, see Conﬁguring the Local Login

Authentication Mode and Adding New Users on page 75.

For information on setting RADIUS login authentication settings, see Conﬁguring the RADIUS Login

Authentication Mode on page 78.

Conﬁguring the RADIUS, Local Login Authentication Mode

To conﬁgure the RADIUS, Local login authentication mode:

1 From the top menu, click Controller. 2 In the left pane, click Administration > Login Management. The L

screen displays.

3 In the Authentication mode section, click Conﬁgure.

The L 4 Select the Local and RADIUS check box.

ExtremeWireless™ V10.41.06 User Guide

window is displayed.

Wireless Controller Conﬁguration

Conﬁguring the ExtremeWireless Appliance

5 If necessary, select the RADIUS ﬁeld and use the Move Up button to move RADIUS to the top of the

list.

6 Click OK. 7 On the L

screen, click Save.

For information on setting RADIUS login authentication settings, see Conﬁguring the RADIUS Login

Authentication Mode on page 78.

For information on setting local login authentication settings, see Conﬁguring the Local Login

Authentication Mode and Adding New Users on page 75.

Conﬁguring SNMP

The controller supports the SNMP for retrieving statistics and conﬁguration information. If you enable SNMP on the controller, you can choose either SNMPv3 or SNMPv1/v2 mode. If you conﬁgure the controller to use SNMPv3, then any request other than SNMPv3 request is rejected. The same is true if you conﬁgure the controller to use SNMPv1/v2.

To conﬁgure SNMP:

1 From the top menu, click Controller. The W

screen displays.

ExtremeWireless™ V10.41.06 User Guide

2 In the left pane, click Network > SNMP.

SNMP

The S

screen displays.

Conﬁguring the ExtremeWireless Appliance

3 In the SNMP Common Settings section, conﬁgure the following:

Mode — Select SNMPv1/v2c or SNMPv3 to enable SNMP.

•

Contact Name — The name of the SNMP administrator.

•

Location — The physical location of the controller running the SNMP agent.

•

SNMP Port — The destination port for the SNMP traps. Possible ports are 0–65555.

•

Forward Traps — The lowest severity level of SNMP trap that you want to forward.

•

Publish AP as interface of controller — Enable or disable SNMP publishing of the access point as

•

an interface to the controller.

4 Select the tab for the SNMP version you are conﬁguring. For more information, see:

Conﬁguring SNMPv1/v2c-speciﬁc Parameters on page 87

•

Conﬁguring SNMPv3-speciﬁc Parameters on page 87

•

ExtremeWireless™ V10.41.06 User Guide

Conﬁguring SNMPv1/v2c-speciﬁc Parameters

SNMPv1/v2c

Note

SNMPv3

Add SNMPv3 User Account

Note

Add SNMPv3 User Account

Conﬁguring the ExtremeWireless Appliance

1 Conﬁgure the following parameters on the S

Read Community Name — The password that is used for read-only SNMP communication.

•

Read/Write Community Name — The password that is used for write SNMP communication.

•

Manager A — The IP address of the server used as the primary network manager that will receive

•

SNMP messages. Manager B — The IP address of the server used as the secondary network manager that will

•

receive SNMP messages.

Manager A and Manager B address ﬁelds support both IPv4 or IPv6 addresses.

2 Click Save.

Conﬁguring SNMPv3-speciﬁc Parameters

1 Conﬁgure the parameters following on the S

Context String — A description of the SNMP context.

•

Engine ID — The SNMPv3 engine ID for the controller running the SNMP agent. The engine ID

•

must be from 5 to 32 characters long. RFC3411 Compliant — The engine ID will be formatted as deﬁned by SnmpEngineID textual

•

convention (that is, the engine ID will be prepended with SNMP agents' private enterprise

number assigned by IANA as a formatted HEX text string). 2 Click Add User Account. The A 3 Conﬁgure the following parameters:

tab:

window displays.

User — Enter the name of the user account.

•

Security Level — Select the security level for this user account. Choices are: authPriv, authNoPriv,

•

noAuthnoPriv.

Auth Protocol — If you have selected a security level of authPriv or authNoPriv, select the

•

authentication protocol. Choices are: MD5 (Message-Digest algorithm 5)

Auth Password — If you have selected a security level of authPriv or authNoPriv, enter an

•

authentication password.

Privacy Protocol — If you have selected the security level of authPriv, select the privacy protocol.

•

Choices are: DES, None

Privacy Password — If you have selected the security level of authPriv, enter a privacy password.

•

Engine ID — If desired, enter an engine ID. The ID can be between 5 and 32 bytes long, with no

•

spaces, control characters, or tabs.

Destination IP — If desired, enter the IP address of a trap destination.

•

The Destination IP address ﬁeld supports both IPv4 or IPv6 addresses.

4 Click OK. The A 5 Repeat steps 2 through 4 to add additional users.

window closes.

, SHA, None.

ExtremeWireless™ V10.41.06 User Guide

6 In the Trap 1 and Trap 2 sections, conﬁgure the following parameters:

Note

SNMP

Edit SNMPv3 User Account

Destination IP — The IP address of the machine monitoring SNMPv3 traps

•

N The Destination IP address ﬁeld supports both IPv4 or IPv6 addresses.

User Name — The SNMPv3 user to conﬁgure for use with SNMPv3 traps

•

7 Click Save.

Editing an SNMPv3 User

To edit an SNMPv3 user:

1 From the top menu, click Controller. 2 In the left pane, click SNMP. The S 3 Click the SNMPv3 tab. 4 Select an SNMP 5 Click Edit Selected User. The E 6 Edit the user conﬁguration as desired. 7 Click OK. The E 8 Click Save.

user.

screen displays.

window closes.

Conﬁguring the ExtremeWireless Appliance

window displays.

Deleting an SNMPv3 User

To delete an SNMPv3 user:

1 From the top menu, click Controller. 2 In the left pane, click SNMP. The SNMP screen displays. 3 Click the SNMPv3 tab. 4 Select an SNMP 5 Click Delete Selected User. You are prompted to conﬁrm that you want to delete the selected user. 6 Click OK.

SNMP Trap Types

The SNMP component failures, and disconnection of Access Points. Administrators can conﬁgure the Agent and the Controller, deﬁning the level of trap to receive. The following trap types are supported by ExtremeWireless Controllers:

•

agent generates traps to notify the administrator of events such as conﬁguration changes,

Interfaces MIB (IF-MIB) linkDown (.1.3.6.1.6.3.1.1.5.3) Interfaces MIB (IF-MIB) linkUp (.1.3.6.1.6.3.1.1.5.4) HIPATH-WIRELESS-HWC-MIB apTunnelAlarm (.1.3.6.1.4.1.4329.15.3.19.4)

Sent by the controller when it detects that it has lost the connection to an AP. The trap identiﬁes

•

the AP that the controller can no longer contact.

HIPATH-WIRELESS-HWC-MIB hiPathWirelessLogAlarm (.1.3.6.1.4.1.4329.15.3.9.6)

user.

ExtremeWireless™ V10.41.06 User Guide

Network Time Synchronization

Conﬁguring the ExtremeWireless Appliance

A generic trap that contains speciﬁc information relevant to the event. The information is carried

•

in the trap, and the information varies from event to event.

The trap contains the trap severity, the component on the controller that raised the event, and

•

the text string associated with the event, as it appears in the controller GUI.

A trap containing one event that also is displayed in the controller’s Event / Log report page. The

•

trap is sent when the event is raised and recorded on the controller.

This trap accounts for the vast majority of traps messages sent by the controller at most sites.

•

Conﬁguring Network Time

You should synchronize the clocks of the controller and the APs to ensure that the logs and reports reﬂect accurate time stamps. For more information, see Working with Reports and Statistics on page

621.

The normal operation of the controller will not be aected if you do not synchronize the clock. The clock synchronization is necessary to ensure that the logs display accurate time stamps. In addition, clock synchronization of network elements is a prerequisite for the following conﬁguration:

Mobility Manager

•

Session Availability

•

Network time is synchronized in one of two ways:

Using the system’s time — The system’s time is the controller’s time.

•

Using Network Time Protocol (NTP) — The Network Time Protocol is a protocol for synchronizing

•

the clocks of computer systems over packet-switched data networks.

The controller automatically adjusts for any time change due to Daylight Savings time.

Conﬁguring the Network Time Using the System’s Time

1 From the top menu, click Controller.

ExtremeWireless™ V10.41.06 User Guide

Network Time

Conﬁguring the ExtremeWireless Appliance

2 In the left pane, click Network > Network Time. The N

screen displays.

3 From the Continent or Ocean drop-down list, click the appropriate large-scale geographic grouping

for the time zone.

4 From the Time Zone Region drop-down list, click the appropriate time zone region for the selected

country. 5 Click Apply Time Zone. 6 In the System Time ﬁeld, type the system time. 7 Click Set Clock. The WLAN

network time is synchronized in accordance with the controller’s time.

Conﬁguring the Network Time Using an NTP Server

1 From the top menu, click Controller.

ExtremeWireless™ V10.41.06 User Guide

Network Time

Note

Conﬁguring the ExtremeWireless Appliance

2 In the left pane, click Network > Network Time. The N

screen displays.

3 From the Continent or Ocean drop-down list, click the appropriate large-scale geographic grouping

for the time zone. 4 From the Time Zone Region drop-down list, click the appropriate time zone region for the selected

country. 5 Click Apply Time Zone. 6 In the System Time box, type the system time. 7 Select the Use NTP check box.

If you want to use the controller as the NTP Server, select the Run local NTP Server check box, and click Apply.

8 In the Time Server 1 text box, type the IP address or FQDN (Full Qualiﬁed Domain Name) of an NTP

time server that is accessible on the enterprise network.

The Time Server ﬁelds supports both IPv4 and IPv6 addresses.

9 Repeat for Time Server2 and Time Server3 text boxes.

If the system is not able to connect to the Time Server 1, it will attempt to connect to the additional

servers that have been speciﬁed in Time Server 2 and Time Server 3 text boxes.

ExtremeWireless™ V10.41.06 User Guide

Conﬁguring the ExtremeWireless Appliance

10 Click Apply. The WLAN network time is synchronized in accordance with the speciﬁed time server.

Conﬁguring Secure Connections

The controllers communicate amongst themselves using a secure protocol. Among other things, this protocol is used to share between controllers the data required for high availability. They also use this protocol to communicate with NMS Wireless Manager. The protocol requires the use of a shared secret for mutual authentication of the end points.

By default the controllers and NMS Wireless Manager use a well known factory default shared secret. This makes it easy to get up and running but is not as secure as some sites require.

The controllers and NMS Wireless Manager allow the administrator to change the shared secret used by the secure protocol. In fact the controllers and Wireless Manager can use a dierent shared secret for each individual end point to which they connect with the protocol.

To conﬁgure the shared secret for a connection on the controller:

1 From the top menu, click Controller.

ExtremeWireless™ V10.41.06 User Guide

2 In the left pane, click Network > Secure Connections.

Secure Connections

Note

The S

screen displays.

Conﬁguring the ExtremeWireless Appliance

3 Select Enable Weak Ciphers to enable weak ciphers for the remote connections. Disabling weak

ciphers prevents users from accessing various web pages on the controller using less secure

methods. 4 Enter the Server IP address of the other end of the secure protocol tunnel and the shared secret to

use. 5 Click Add/Update. 6 Click Save.

Conﬁgure the same shared secret onto the devices at each end of the connection. Otherwise, the two controllers or controller and NMS Wireless Manager will not be able to communicate.

ExtremeWireless™ V10.41.06 User Guide

Global Settings

Note

Conﬁguring the ExtremeWireless Appliance

Conﬁguring DNS Servers for Resolving Host Names of NTP and RADIUS Servers

Because the G names, you have to conﬁgure your DNS servers to resolve the host names of NTP and RADIUS servers to the corresponding IP addresses. Go to VNS > Global Settings.

You can conﬁgure up to three DNS servers to resolve NTP and RADIUS server host names to their corresponding IP addresses.

The controller sends the host name query to the ﬁrst DNS server in the stack of three conﬁgured DNS servers. The DNS server resolves the queried domain name to an IP address and sends the result back to the controller.

If for some reason, the ﬁrst DNS server in the stack of conﬁgured DNS servers is not reachable, the controller sends the host name query to the second DNS server in the stack. If the second DNS server is also not reachable, the query is sent to the third DNS server in the stack.

To conﬁgure DNS servers for resolving host names of NTP and RADIUS servers:

1 From the top menu, click Controller.

For more information on RADIUS server conﬁguration, see Deﬁning RADIUS Servers and MAC

Address Format on page 394.

screen allows you to set up NTP and RADIUS servers by deﬁning their host

ExtremeWireless™ V10.41.06 User Guide

2 In the left pane, click Administration > Host Attributes.

Host Attributes

Note

The H

screen displays.

Conﬁguring the ExtremeWireless Appliance

3 In the DNS box, type the DNS server’s IP address in the Server Address ﬁeld and then click Add

Server. The new server is displayed in the DNS servers’ list.

You can conﬁgure up to three DNS servers. The Server Address ﬁeld supports both IPv4 and IPv6 addresses.

4 Int the Default Gateway IP box, enter the IP address of the Default Gateway. 5 To save your changes, click Save.

Using a Third-party Location-based Solution

ExtremeWireless supports the following location-based solutions:

AeroScout

•

Ekahau

•

Centrak

•

On the controller, conﬁgure the AeroScout/Ekahau/Centrak server IP address and enable the locationbased service. When using AeroScout or Ekahau, the location-based server is aware of the controller IP address. And if using AeroScout, the controller notiﬁes the AeroScout server of the operational APs.

ExtremeWireless™ V10.41.06 User Guide

Note

Related Links

Conﬁguring the ExtremeWireless Appliance

Enable the location-based service on the APs that you want to participate.

N Participating APs must use the 2.4 GHz band and the radio that receives location-based service tags must have at least one WLAN service associated with it.

Once you have enabled the location-based service on the controller and the participating APs, at least one of the participating APs will receive reports from a location-based service Wi-Fi RFID tag in the 2.4 GHz band. The tag reports are collected by the AP and forwarded to the location-based server by encapsulating the tag reports in a WASSP tunnel and routing them as IP packets through the controller. When using Ekahau or Centrak, the controller does not converse directly with the location-based service server.

Tag reports are marked with UP=CS5, and DSCP = 0xA0. On the wireless controller, tag reports are marked with UP=CS5 to the core (if 802.1p exists).

An AP’s tag report collection status is reported in the AP Inventory report. For more information, see

Viewing Routing Protocol Reports on page 657.

If availability is enabled, tag report transmission pauses on failed over APs until they are conﬁgured and notiﬁed by the location-based server. With an availability pair, it is good practice to conﬁgure both controllers with the same location-based service.

When location-based service support is disabled on the controller, the controller does not communicate with the location-based server and the APs do not perform any location-based functionality.

Ensure that your location-based service tags are conﬁgured to transmit on all non-overlapping channels (1, 6 and 11) and also on channels above 11 for countries where channels above 11 are allowed. For information about proper deployment of the location-based solution, refer to the third-party documentation (AeroScout/Ekahau/Centrak).

Conﬁguring Location-Based Services on page 96 AP Multi-Edit Properties on page 111 AP Properties Tab - Advanced Settings on page 164

Conﬁguring Location-Based Services

To conﬁgure a controller for use with an AeroScout/Ekahau/Centrak solution:

1 From the top menu, click Controller.

ExtremeWireless™ V10.41.06 User Guide

Conﬁguring the ExtremeWireless Appliance

2 In the left pane, click Services > Location-based Service.

3 Select the desired location-based service for the controller.

Enter the IP address of the location based service server.

•

Centrak and Ekahau conﬁguration oer a default port number and multicast address, but you

•

can modify the default values if necessary.

4 Click Save.

Now assign APs to participate in the location-based service.

ExtremeWireless™ V10.41.06 User Guide 9

5 From the top menu, click AP. In the left pane, click APs.

Note

AP Multi-edit

Advanced

AP Default Settings

AP Status

Conﬁguration

N You can enable location-based service on APs using the Location-based service ﬁeld on the A

screen and the A

window of the A following procedure shows you how to enable location-based services on one AP at a time.

Conﬁguring the ExtremeWireless Appliance

screen. The

6 Click on an AP row.

The A

dashboard displays.

7 Click Conﬁgure to display the C

ExtremeWireless™ V10.41.06 User Guide

dialog.

8 Click Advanced.

Advanced

Related Links

The A

Conﬁguring the ExtremeWireless Appliance

dialog displays.

9 Select Enable location-based service and close the dialog. 10 Enable Location-based services on each additional AP that you want to participate. 11 Click Save.

Using a Third-party Location-based Solution on page 95 AP Multi-Edit Properties on page 111 AP Properties Tab - Advanced Settings on page 164

Additional Ongoing Operations of the System

Ongoing operations of the Extreme Networks ExtremeWireless system can include the following:

Controller System Maintenance

•

Client Disassociate

•

Logs and Traces

•

Reports and Displays

•

ExtremeWireless™ V10.41.06 User Guide

Conﬁguring the ExtremeWireless Appliance

100

For more information, see Performing System Administration on page 669 or the Extreme Networks ExtremeWireless Maintenance Guide.

ExtremeWireless™ V10.41.06 User Guide 1

Extreme Networks AP3917E User Guide

Specifications and Main Features

Frequently Asked Questions

User Manual