Extreme Networks OAP36B User Manual

Documentation
HiPath Wireless Controller, Access Points and Convergence Software V7.31
User Guide
9034530-04
Communication for the open minded
Siemens Enterprise Communications www.siemens.com/open
Siemens Enterprise Communications GmbH & Co. KG a Trademark Licensee of Siemens AG
Reference No.: 9034530-04
The information provided in this document contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract. Availability and technical specifications are subject to change without notice. OpenScape, OpenStage and HiPath are registered trademarks of Siemens Enterprise Communications GmbH & Co. KG. All other company, brand, product and service names are trademarks or registered trademarks of their respective holders.
For internal use only
Contents
1 About this Guide
1.1 Who should use this guide
1.2 What is in this guide
1.3 Formatting conventions
1.4 Additional documentation
1.5 Getting Help
1.6 Safety Information
1.7 Safety Information (German: Sicherheitshinweise)
1.8 Safety Information (French: Consignes de sécurité)
2 Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
2.1 Conventional wireless LANs
2.2 Elements of the HiPath Wireless Controller, Access Points and Convergence Software solution
2.2.1 Enterasys NetSight Suite integration
2.3 HiPath Wireless Controller, Access Points and Convergence Software and your network
2.3.1 Network traffic flow
2.3.2 Network security
2.3.2.1 Authentication
2.3.2.2 Privacy
2.3.3 Virtual Network Services
2.3.4 VNS components
2.3.4.1 Topology
2.3.4.2 Policy
2.3.4.3 WLAN Services
2.3.5 Static routing and routing protocols
2.3.6 Mobility and roaming
2.3.7 Network availability
2.3.8 Quality of Service (QoS)
2.4 HiPath Wireless Controller product family
3 Configuring the HiPath Wireless Controller
3.1 System configuration overview
3.2 Logging on to the HiPath Wireless Controller
3.3 Working with the basic installation wizard
3.4 Configuring the HiPath Wireless Controller for the first time
3.4.1 Changing the administrator password
3.4.2 Applying product license keys
3.4.2.1 Installing the license keys
3.4.3 Setting up the data ports
3.4.3.1 Viewing and changing the L2 ports information
3.4.3.2 Viewing and changing the L2 port related topologies
3.4.4 Setting up Internal VLAN ID and multi-cast support
3.4.5 Setting up static routes
3.4.5.1 Viewing the forwarding table
3.4.6 Setting up OSPF Routing
3.4.7 Configuring filtering at the interface level
3.4.7.1 Built-in interface-based exception filters
3.4.7.2 Working with administrator-defined interface-based exception filters
9034530-04, September 2010 HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide 3
3.4.8 Installing certificates on the HiPath Wireless Controller
3.4.8.1 Installing a certificate for a HiPath Wireless Controller interface
3.4.9 Configuring the login authentication mode
3.4.9.1 Configuring the local login authentication mode and adding new users
3.4.9.2 Configuring the RADIUS login authentication mode
3.4.9.3 Configuring the local, RADIUS login authentication mode
3.4.9.4 Configuring the RADIUS, local login authentication mode
3.4.10 Configuring SNMP
3.4.10.1 Configuring SNMPv1/v2c-specific parameters
3.4.10.2 Configuring SNMPv3-specific parameters
3.4.10.3 Editing an SNMPv3 User
3.4.10.4 Deleting an SNMPv3 User
3.4.11 Configuring network time
3.4.11.1 Configuring the network time using the system’s time
3.4.11.2 Configuring the network time using an NTP server
3.4.12 Configuring DNS servers for resolving host names of NTP and RADIUS servers
3.5 Using an AeroScout location based solution
3.6 Additional ongoing operations of the system
4 Configuring the Wireless AP
4.1 Wireless AP overview
4.1.1 HiPath Standard Wireless AP
4.1.1.1 HiPath Standard Wireless AP radios
4.1.1.2 AP4102/4102C Access Points
4.1.2 HiPath Wireless Outdoor AP
4.1.3 HiPath Wireless 802.11n AP
4.1.3.1 HiPath Wireless 802.11n AP’s radios
4.1.4 Wireless AP international licensing
4.1.5 Wireless AP default IP address and first-time configuration
4.1.6 Assigning a static IP address to the Wireless AP
4.2 Discovery and registration overview
4.2.1 Wireless AP discovery
4.2.2 Registration after discovery
4.2.2.1 Default Wireless AP configuration
4.2.3 Understanding the Wireless AP LED status
4.2.3.1 HiPath Wireless AP LED status
4.2.3.2 HiPath Wireless Outdoor AP LED status
4.2.3.3 HiPath Wireless 802.11n AP LED status
4.2.3.4 AP4102 and AP2605 LED status
4.2.3.5 Configuring Wireless AP LED behavior
4.2.4 Configuring the Wireless APs for the first time
4.2.5 Defining properties for the discovery process
4.2.6 Connecting the Wireless AP to a power source and initiating the discovery and registration process
4.3 Adding and registering a Wireless AP manually
4.4 Configuring Wireless AP settings
4.4.1 Modifying a Wireless AP’s status
4.4.2 Configuring a Wireless AP’s properties
4.4.3 AP properties tab configuration
4.4.4 Assigning Wireless AP radios to a VNS
4.4.5 Configuring Wireless AP radio properties
4.4.5.1 Modifying Wireless 802.11n AP 3610/3620 radio properties
4.4.5.2 Achieving high throughput with the Wireless 802.11n AP
4.4.5.3 Modifying Wireless AP 2610/2620 radio properties
4.4.6 Setting up the Wireless AP using static configuration
4.4.7 Configuring Telnet/SSH Access
4.5 Configuring VLAN tags for Wireless APs
4.5.1 Setting up 802.1x authentication for a Wireless AP
4.5.1.1 Configuring 802.1x PEAP authentication
4.5.1.2 Configuring 802.1x EAP-TLS authentication
4.5.1.3 Viewing 802.1x credentials
4.5.1.4 Deleting 802.1x credentials
4.5.2 Setting up 802.1x authentication for Wireless APs using Multi-edit
4.5.3 Configuring the default Wireless AP settings
4.5.3.1 Configure common configuration default AP settings
4.5.3.2 Configure AP2610/20, AP2605, W788, BP200, and WB500 default AP settings
4.5.3.3 Configure AP3605/10/20 default AP settings
4.5.3.4 Configure AP2650/60 and W786 default AP settings
4.5.3.5 Configure AP4102 and AP4102C default AP settings
4.6 Modifying a Wireless AP’s properties based on a default AP configuration
4.7 Modifying the Wireless AP’s default setting using the Copy to Defaults feature
4.8 Configuring multiple Wireless APs simultaneously
4.9 Configuring co-located APs in load balance groups
4.9.1 How availability affects load balancing
4.9.2 Load balance group statistics
4.10 Configuring AP clusters
4.11 Converting the Wireless Standalone 802.11n AP to standalone mode
4.12 Configuring an AP as a sensor
4.13 Performing Wireless AP software maintenance
5 Virtual Network Services concepts
5.1 VNS overview
5.1.1 Topology
5.1.2 Policy
5.1.3 WLAN Service
5.1.4 New VNS definition
5.2 Setting up a VNS checklist
5.3 NAC integration with HiPath WLAN
5.4 Assigning Wireless APs to WLAN Services
5.5 Authentication for a VNS
5.5.1 Authentication with Captive Portal
5.5.2 Authentication with 802.1x and WPA
5.6 Filtering
5.6.1 Final filter rule
5.6.2 Filtering sequence
5.6.3 Legacy compatibility with Policy-based filtering and VNS assignment
5.7 Multicast traffic
5.8 Data protection — WEP and WPA
5.9 QoS Policy
5.10 Flexible Client Access (FCA)
6 Configuring a VNS
6.1 High level VNS configuration flow
6.1.1 Controller defaults
6.2 VNS global settings
6.2.1 Defining RADIUS servers and MAC address format
6.2.2 Configuring Dynamic Authorization Server support
6.2.3 Defining Wireless QoS Admission Control Thresholds
6.2.4 Defining Wireless QoS Flexible Client Access
6.2.5 Working with bandwidth control profiles
6.2.6 Configuring the Global Default Policy
6.2.7 Using the Sync Summary
6.3 Methods for configuring a VNS
6.4 Working with the VNS wizard to create a new VNS
6.4.1 Creating a NAC VNS using the VNS wizard
6.4.2 Creating a voice VNS using the VNS wizard
6.4.3 Creating a data VNS using the VNS wizard
6.4.4 Creating a Captive Portal VNS using the VNS wizard
6.5 Working with a GuestPortal VNS
6.5.1 Creating a GuestPortal VNS
6.6 Creating a VNS using the advanced method
6.7 Working with existing VNSs
6.7.1 Enabling and disabling a VNS
6.7.2 Renaming a VNS
6.7.3 Deleting a VNS
6.8 Configuring a Topology
6.8.1 Configuring a basic topology
6.8.1.1 Physical Port Topologies
6.8.1.2 Enabling management traffic
6.8.2 Layer 3 configuration
6.8.2.1 IP address configuration
6.8.2.2 DHCP configuration
6.8.2.3 Defining a next hop route and OSPF advertisement
6.8.3 Exception filtering
6.8.4 Multicast filtering
6.9 Configuring WLAN Services
6.9.1 Configuring a WLAN Service
6.9.1.1 Third-party AP WLAN Service Type
6.9.1.2 Configuring a basic WLAN service
6.9.1.3 Assigning an optional default topology to a service
6.9.1.4 Assigning Wireless APs to a service
6.9.2 Configuring privacy
6.9.2.1 About Wi-Fi Protected Access (WPA v1 and WPA v2)
6.9.2.2 Wireless 802.11n APs and WPA authentication
6.9.2.3 WPA Key Management Options
6.9.2.4 Configuring WLAN Service privacy
6.9.3 Configuring accounting and authentication
6.9.3.1 Vendor Specific Attributes
6.9.3.2 Defining accounting methods for a WLAN Service
6.9.3.3 Configuring authentication for a WLAN Service
6.9.3.4 Defining the RADIUS server priority for RADIUS redundancy
6.9.3.5 Configuring assigned RADIUS servers
6.9.3.6 Defining a WLAN Service with no authentication
6.9.3.7 Configuring Captive Portal for internal or external authentication
6.9.4 Configuring the QoS policy
6.9.4.1 Defining priority level and service class
6.9.4.2 Defining the service class
6.9.4.3 Configuring the priority override
6.9.4.4 QoS modes
6.10 Configuring Policy
6.10.1 Configuring VLAN and Class of Service for a Policy
6.10.2 About filtering rules
6.10.3 Configuring Filter Rules for a Policy
6.10.3.1 Non-authenticated filter examples
6.10.3.2 Authenticated filter examples
6.10.4 ICMP Type enforcement
6.10.5 Filtering rules for a default filter
6.10.5.1 Default filter examples
6.10.5.2 Filtering rules between two wireless devices
6.10.6 Defining filter rules for Wireless APs
6.11 Working with a Wireless Distribution System
6.11.1 Simple WDS configuration
6.11.2 Wireless Repeater configuration
6.11.3 Wireless Bridge configuration
6.11.4 Examples of deployment
6.11.5 WDS WLAN Services
6.11.6 Key features of WDS
6.11.6.1 Tree-like topology
6.11.6.2 Radio Channels
6.11.6.3 Multi-root WDS topology
6.11.6.4 Automatic discovery of parent and backup parent Wireless APs
6.11.6.5 Link security
6.11.7 Deploying the WDS system
6.11.7.1 Connecting the WDS Wireless APs to the enterprise network for discovery and registration. . 399
6.11.7.2 Configuring the WDS Wireless APs through the HiPath Wireless Controller . . . . . . . . . . . . . . 400
6.11.7.3 Assigning the Satellite Wireless APs’ radios to the network WLAN Services . . . . . . . . . . . . . . 404
6.11.7.4 Connecting the WDS Wireless APs to the enterprise network for provisioning. . . . . . . . . . . . . 405
6.11.7.5 Moving the WDS Wireless APs to the target location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
6.11.8 Changing the pre-shared key in a WDS WLAN Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
7 Availability and session availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
7.1 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
7.1.1 Events and actions in availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
7.1.2 Availability prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
7.2 Configuring availability using the availability wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
7.3 Configuring availability manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
7.4 Session availability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
7.4.1 Events and actions in session availability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
7.4.2 Enabling session availability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
7.4.2.1 Configuring fast failover and enabling session availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
7.4.2.2 Verifying session availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
7.4.2.3 Verify synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
7.5 Viewing the Wireless AP availability display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
7.6 Viewing SLP activity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
8 Configuring Mobility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
8.1 Mobility overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
8.2 Mobility domain topologies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
8.3 Configuring mobility domain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
9 Working with third-party APs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
9.1 Define authentication by Captive Portal for the third-party AP WLAN Service: . . . . . . . . . . . . . . . . . . . . 439
9.2 Define the third-party APs list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
9.3 Define filtering rules for the third-party APs:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
10 Working with the Mitigator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
10.1 Mitigator overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
10.2 Enabling the Analysis and data collector engines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
10.3 Running Mitigator scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
10.4 Analysis engine overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
10.5 Working with Mitigator scan results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
10.6 Working with friendly APs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
10.7 Maintaining the Mitigator list of APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
10.8 Viewing the Scanner Status report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
11 Working with reports and displays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
11.1 Available reports and displays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
11.2 Viewing reports and displays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
11.3 Viewing the Wireless AP availability display. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
11.4 Viewing statistics for Wireless APs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
11.5 Viewing load balance group statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
11.6 Viewing the System Information and Manufacturing Information displays . . . . . . . . . . . . . . . . . . . . . . . 464
11.7 Viewing displays for the mobility manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
11.8 Viewing reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
11.9 Call Detail Records (CDRs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
11.9.1 CDR files naming convention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
11.9.2 CDR file types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
11.9.3 CDR file format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
11.9.4 Viewing CDRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
12 Performing system administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
12.1 Performing Wireless AP client management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
12.1.1 Disassociating a client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
12.1.2 Blacklisting a client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
12.2 Defining HiPath Wireless Assistant administrators and login groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
12.2.1 Working with GuestPortal Guest administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
12.2.1.1 Adding new guest accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
12.2.1.2 Enabling or disabling guest accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
12.2.1.3 Editing guest accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
12.2.1.4 Removing guest accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
12.2.1.5 Importing and exporting a guest file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
12.2.1.6 Viewing and printing a GuestPortal account ticket. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
12.2.1.7 Working with the GuestPortal ticket page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
12.3 Configuring Web session timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
13 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
13.1 Networking terms and abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
13.2 Controller, Access Points and Convergence Software terms and abbreviations . . . . . . . . . . . . . . . . . . 512
A HiPath Wireless Controller’s physical description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
A.1 HiPath Wireless Controller C5110 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
A.2 HiPath Wireless Controller C4110 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
A.3 HiPath Wireless Controller C2400 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
A.4 HiPath Wireless Controller C20 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
A.5 HiPath Wireless Controller C20N. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
A.6 HiPath Wireless Controller CRBT8210/8110 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
B Regulatory information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
B.1 HiPath Wireless Controller C20N/C20/C2400/C4110/C5110 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
B.2 Wireless APs 26XX and 36XX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
C optiPoint WL2 Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
C.1 optiPoint WL2 wireless telephone configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
C.2 HiPath Wireless Controller configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
D SpectraLink Wireless Telephones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
D.1 Network Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
D.2 Configuring HiPath Wireless Controller for SpectraLink telephones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
E Default GuestPortal source code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
E.1 Ticket page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
E.1.1 Placeholders used in the default GuestPortal ticket page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
E.1.2 Default GuestPortal ticket page source code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
E.2 GuestPortal sample header page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
E.3 GuestPortal sample footer page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
1 About this Guide
This guide describes how to install, configure, and manage the HiPath Wireless Controller, Access Points and Convergence Software system. This guide is also available as an online help system.
To access the online help system:
1. In the HiPath Wireless Assistant Main Menu bar, click Help. The About HiPath Wireless Assistant screen is displayed.
2. In the left pane, click Controller Documentation. The online help system is launched.
1.1 Who should use this guide
This guide is a reference for system administrators who install and manage the HiPath Wireless Controller, Access Points and Convergence Software system.
Any administrator performing tasks described in this guide must have an account with administrative privileges.
1.2 What is in this guide
This guide contains the following:
• Chapter 1, “About this Guide”, describes the target audience and content of the guide, the formatting conventions used in it, and how to provide feedback on the guide.
• Chapter 2, “Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution”, provides an overview of the product, its features and functionality.
• Chapter 3, “Configuring the HiPath Wireless Controller”, describes how to perform the installation, first time setup and configuration of the HiPath Wireless Controller, as well as configuring the data ports and defining routing.
• Chapter 4, “Configuring the Wireless AP”, describes how to install the Wireless AP, how it discovers and registers with the HiPath Wireless Controller, and how to view and modify radio configuration.
• Chapter 5, “Virtual Network Services concepts”, provides an overview of Virtual Network Services (VNS), the mechanism by which the HiPath Wireless Controller, Access Points and Convergence Software controls and manages network access.
• Chapter 6, “Configuring a VNS”, provides detailed instructions on how to configure a VNS, either using the Wizards or by manually creating the component parts of a VNS.
• Chapter 7, “Availability and session availability”, describes how to set up the features that maintain service availability in the event of a HiPath Wireless Controller failover.
• Chapter 8, “Configuring Mobility”, describes how to set up the mobility domain that provides mobility for a wireless device user when the user roams from one Wireless AP to another in the mobility domain.
• Chapter 9, “Working with third-party APs”, describes how to use the Controller, Access Points and Convergence Software features with third-party wireless access points.
• Chapter 10, “Working with the Mitigator”, describes the security tool that scans for, detects, and reports on rogue APs.
• Chapter 11, “Working with reports and displays”, describes the various reports and displays available in the HiPath Wireless Controller, Access Points and Convergence Software system.
• Chapter 12, “Performing system administration”, describes system administration activities, such as performing Wireless AP client management, defining management users, configuring the network time, and configuring Web session timeouts.
• Chapter 13, “Glossary”, contains a list of terms and definitions for the HiPath Wireless Controller and the Wireless AP as well as standard industry terms used in this guide.
• Appendix A describes the physical description and LED states of the HiPath Wireless Controller.
• Appendix B provides the regulatory information for the HiPath Wireless Controller and the HiPath Wireless Access Points (APs).
• Appendix C describes how to configure the WL2 phone.
• Appendix D describes how to configure NetLink Wireless Telephones and WLAN infrastructure products.
• Appendix E provides the default GuestPortal ticket page source code.
1.3 Formatting conventions
The HiPath Wireless Controller, Access Points and Convergence Software documentation uses the following formatting conventions to make it easier to find information and follow procedures:
• Bold text is used to identify components of the management interface, such as menu items and sections of pages, as well as the names of buttons and text boxes. For example: Click Logout.
• Monospace font is used in code examples and to indicate text that you type. For example: Type https://<hwc-address>[:mgmt-port>]
The following notes are used to draw your attention to additional information:
Note: Notes identify useful information, such as reminders, tips, or other ways to perform a task.
Caution: Cautionary notes identify essential information, which if ignored can adversely affect the operation of your equipment or software.
Warning: Warning notes identify essential information, which if ignored can lead to personal injury or harm.
1.4 Additional documentation
For additional HiPath Wireless documentation, see the HiPath Wireless documentation at
http://www.enterasys.com/support/manuals
1.5 Getting Help
For additional support related to the product or this document, contact Enterasys Networks using one of the following methods:
World Wide Web: www.enterasys.com/support
Phone: 1-800-872-8440 (toll-free in U.S. and Canada) or 1-978-684-1000. To find the Enterasys Networks Support toll-free number in your country: www.enterasys.com/support
Internet mail: support@enterasys.com. To expedite your message, type HiPath Wireless in the subject line.
To send comments concerning this document to the Technical Publications Department:
techpubs@enterasys.com
Please include the document part number in your email message.
Before contacting Enterasys Networks for technical support, have the following information ready:
• Your Enterasys Networks service contract number
• A description of the failure
• A description of any action(s) already taken to resolve the problem (for example, changing mode switches or rebooting the unit)
• The serial and revision numbers of all involved Enterasys Networks products in the network
• A description of your network environment (such as layout, cable type, other relevant environmental information)
• Network load and frame size at the time of trouble (if known)
• The device history (for example, if you have returned the device before, or if this is a recurring problem)
• Any previous Return Material Authorization (RMA) numbers
1.6 Safety Information
Dangers
• Replace the power cable immediately if it shows any sign of damage.
• Replace any damaged safety equipment (covers, labels and protective cables) immediately.
• Use only original accessories or components approved for the system. Failure to observe these instructions may damage the equipment or even violate safety and EMC regulations.
• Only authorized Siemens service personnel are permitted to service the system.
Warnings
• This device must not be connected to a LAN segment with outdoor wiring.
• Ensure that all cables are run correctly to avoid strain.
• Replace the power supply adapter immediately if it shows any sign of damage.
• Disconnect all power before working near power supplies unless otherwise instructed by a maintenance procedure.
• Exercise caution when servicing hot swappable HiPath Wireless Controller components: power supplies or fans. Rotating fans can cause serious personal injury.
• This unit may have more than one power supply cord. To avoid electrical shock, disconnect all power supply cords before servicing. In the case of unit failure of one of the power supply modules, the module can be replaced without interruption of power to the HiPath Wireless Controller. However, this procedure must be carried out with caution. Wear gloves to avoid contact with the module, which will be extremely hot.
• There is a risk of explosion if a lithium battery is not correctly replaced. The lithium battery must be replaced only by an identical battery or one recommended by the manufacturer.
• Always dispose of lithium batteries properly.
• Do not attempt to lift objects that you think are too heavy for you.
Cautions
• Check the nominal voltage set for the equipment (operating instructions and type plate). High voltages capable of causing shock are used in this equipment. Exercise caution when measuring high voltages and when servicing cards, panels, and boards while the system is powered on.
• Only use tools and equipment that are in perfect condition. Do not use equipment with visible damage.
• To protect electrostatic sensitive devices (ESD), wear a wristband before carrying out any work on hardware.
• Lay cables so as to prevent any risk of them being damaged or causing accidents, such as tripping.
1.7 Safety Information (Sicherheitshinweise)
Dangers
• If the power cable shows any sign of damage, replace it immediately.
• Replace damaged safety equipment (covers, type labels and protective cables) immediately.
• Use only original accessories or components approved specifically for the system. Failure to observe these instructions can damage the equipment or violate safety and EMC regulations.
• The system may be serviced only by authorized Siemens service personnel.
Warnings
• This device must not be connected to a LAN segment via outdoor wiring.
• Ensure that all cables are routed correctly to avoid strain.
• If the power supply unit shows any sign of damage, replace it immediately.
• Disconnect all power connections before working in the area of the power supply, unless a maintenance procedure requires otherwise.
• Exercise caution when servicing hot-swappable HiPath Wireless Controller components (power supplies or fans). Rotating fans can cause serious injury.
• This device may be connected through more than one power cable. To avoid the risk of electric shock, disconnect all power cables before servicing. If one of the power supply modules fails, it can be replaced without interrupting power to the HiPath Wireless Controller. However, this procedure must be carried out with caution. The module can be extremely hot. Wear gloves to avoid burns.
• There is a risk of explosion if the lithium battery is replaced incorrectly. The lithium battery may be replaced only with an identical type or one recommended by the dealer.
• Ensure that lithium batteries are disposed of properly.
• Never attempt to lift heavy objects without assistance.
Cautions
• Check the nominal voltage specified for the equipment (operating instructions and type plate). This equipment operates with high voltage, which carries the risk of electric shock. Exercise great caution when measuring high voltages or servicing cards, panels, and boards while the system is powered on.
• Use only tools and equipment in perfect condition. Do not use equipment with visible damage.
• When working on hardware components, wear a wristband to protect electrostatically sensitive devices (ESD) from damage.
• Lay cables so that they do not create a source of accidents (tripping hazard) and are not damaged.
1.8 Safety Information (Consignes de sécurité)
Dangers
• If the power cord is damaged, replace it immediately.
• Replace damaged safety equipment (covers, labels and protective conductors) without delay.
• Use only original accessories or approved modules specific to the system. Otherwise, you risk damaging the installation or violating safety and electromagnetic compatibility regulations.
• Only Siemens service personnel are authorized to maintain or repair the system.
Warnings
• This device must not be connected to a LAN segment using outdoor cabling.
• Check that all cables are working correctly to avoid excessive strain.
• If the power adapter shows signs of damage, replace it immediately.
• Always disconnect the power before working on power supplies, unless the maintenance procedure states otherwise.
• Take all necessary precautions when servicing or repairing hot-pluggable HiPath Wireless Controller modules: power supplies or fans. Rotating fans can cause serious injury.
• This unit may have several power cords. To avoid electric shock, disconnect all power cords before carrying out maintenance. If one of the power supply modules fails, the faulty module can be replaced without switching off the HiPath Wireless Controller. However, this replacement must be carried out with care. Wear gloves to avoid touching the module, which can be very hot.
• Incorrect replacement of the lithium battery can cause an explosion. Replace the lithium battery with an identical model or with a model recommended by the dealer.
• It must be disposed of in accordance with the applicable regulations.
• Never attempt to lift objects that may be too heavy for you.
Cautions
• Check the nominal voltage set for the installation (see the operating instructions and the type plate). High voltages capable of causing electric shock are used in this equipment. When the system is powered on, take all necessary precautions when measuring high voltages and when servicing or repairing cards, panels, and boards.
• Use only devices and tools that are in perfect condition. Never put into service devices that show visible damage.
• To protect devices sensitive to static electricity, wear an antistatic wristband when working on hardware.
• Route cables so that they cannot be damaged and do not constitute a source of danger (for example, by causing people to fall).
2 Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
This chapter describes HiPath Wireless Controller, Access Points and Convergence Software concepts, including:
• Conventional wireless LANs
• Elements of the HiPath Wireless Controller, Access Points and Convergence Software solution
• HiPath Wireless Controller, Access Points and Convergence Software and your network
The next generation of Siemens wireless networking devices provides a truly scalable WLAN solution. Siemens Wireless APs are fit access points controlled through a sophisticated network device, the HiPath Wireless Controller. This solution provides the security and manageability required by enterprises and service providers.
The HiPath Wireless Controller, Access Points and Convergence Software system is a highly scalable Wireless Local Area Network (WLAN) solution developed by Siemens. Based on a third generation WLAN topology, the Controller, Access Points and Convergence Software system makes wireless practical for service providers as well as medium and large-scale enterprises.
The HiPath Wireless Controller, Access Points and Convergence Software system provides a secure, highly scalable, cost-effective solution based on the IEEE 802.11 standard. The system is intended for enterprise networks operating on multiple floors in more than one building, and is ideal for public environments, such as airports and convention centers that require multiple access points.
This chapter provides an overview of the fundamental principles of the HiPath Wireless Controller, Access Points and Convergence Software system.
The HiPath Wireless system
The HiPath Wireless Controller is a network device designed to integrate with an existing wired Local Area Network (LAN). The rack-mountable HiPath Wireless Controller provides centralized management, network access, and routing to wireless devices that use Wireless APs to access the network. It can also be configured to handle data traffic from third-party access points.
The HiPath Wireless Controller provides the following functionality:
Controls and configures Wireless APs, providing centralized management
Authenticates wireless devices that contact a Wireless AP
Assigns each wireless device to a VNS when it connects
Routes traffic from wireless devices, using VNS, to the wired network
Applies filtering policies to the wireless device session
Provides session logging and accounting capability
2.1 Conventional wireless LANs
Wireless communication between multiple computers requires that each computer is equipped with a receiver/transmitter—a WLAN Network Interface Card (NIC)—capable of exchanging digital information over a common radio frequency. This is called an ad hoc network configuration. An ad hoc network configuration allows wireless devices to communicate together. This setup is defined as an independent basic service set (IBSS).
An alternative to the ad hoc configuration is the use of an access point. This may be a dedicated hardware bridge or a computer running special software. Computers and other wireless devices communicate with each other through this access point. The 802.11 standard defines access point communications as devices that allow wireless devices to communicate with a distribution system. This setup is defined as a basic service set (BSS) or infrastructure network.
To allow the wireless devices to communicate with computers on a wired network, the access points must be connected to the wired network providing access to the networked computers. This topology is called bridging. With bridging, security and management scalability is often a concern.
Figure 1 Standard wireless network solution example (diagram components: RADIUS Authentication Server, DHCP Server, Router/Switch, Ethernet, Wireless APs, Wireless Devices)
The wireless devices and the wired networks communicate with each other using standard networking protocols and addressing schemes. Most commonly, Internet Protocol (IP) addressing is used.
2.2 Elements of the HiPath Wireless Controller, Access Points and Convergence Software solution
The HiPath Wireless Controller, Access Points and Convergence Software solution consists of two devices:
HiPath Wireless Controller
Wireless APs
This architecture allows a single HiPath Wireless Controller to control many Wireless APs, making the administration and management of large networks much easier.
There can be several HiPath Wireless Controllers in the network, each with a set of registered Wireless APs. The HiPath Wireless Controllers can also act as backups to each other, providing stable network availability.
In addition to the HiPath Wireless Controllers and Wireless APs, the solution requires three other components, all of which are standard for enterprise and service provider networks:
RADIUS Server (Remote Access Dial-In User Service) or other authentication server
DHCP Server (Dynamic Host Configuration Protocol). If you do not have a DHCP Server on your network, you can enable the local DHCP Server on the HiPath Wireless Controller. The local DHCP Server is useful as a general purpose DHCP Server for small subnets. For more information, see Step 10 of Section 3.4.3, “Setting up the data ports”, on page 55.
SLP (Service Location Protocol)
Figure 2 Siemens HiPath Wireless Controller solution (diagram components: RADIUS Authentication Server, DHCP Server, HiPath Wireless Controller, Router/Switch, Ethernet, Wireless APs, Wireless Devices)
As illustrated in Figure 2, the HiPath Wireless Controller appears to the existing network as if it were an access point, but in fact one HiPath Wireless Controller controls many Wireless APs. The HiPath Wireless Controller has built-in capabilities to recognize and manage the Wireless APs. The HiPath Wireless Controller:
Activates the Wireless APs
Enables Wireless APs to receive wireless traffic from wireless devices
Processes the data traffic from the Wireless APs
Forwards or routes the processed data traffic out to the network
Authenticates requests and applies access policies
Simplifying the Wireless APs makes them cost-effective, easy to manage, and easy to deploy. Putting control on an intelligent centralized HiPath Wireless Controller enables:
Centralized configuration, management, reporting, and maintenance
High security
Flexibility to suit enterprise
Scalable and resilient deployments with a few HiPath Wireless Controllers controlling hundreds of Wireless APs
The HiPath Wireless Controller, Access Points and Convergence Software system:
Scales up to Enterprise capacity – HiPath Wireless Controllers are scalable:
C5110 – Up to 525 APs
C4110 – Up to 250 APs
C2400 – Up to 200 APs
C20 – Up to 32 APs
C20N – Up to 32 APs
CRBT8210 – Up to 72 APs
CRBT8110 – Up to 24 APs
In turn, each Wireless AP can handle up to 254 wireless devices, with each radio supporting a maximum of 127. With additional HiPath Wireless Controllers, the number of wireless devices the solution can support can reach into the thousands.
Integrates with existing network – A HiPath Wireless Controller can be added to an existing enterprise network as a new network device, greatly enhancing its capability without interfering with existing functionality. Integration of the HiPath Wireless Controllers and Wireless APs does not require any re-configuration of the existing infrastructure (for example, VLANs).
Integrates with the Enterasys NetSight Suite of products. For more information, see Section 2.2.1, “Enterasys NetSight Suite integration”, on page 26.
Plug-in applications include:
Automated Security Manager
Inventory Manager
NAC Manager
Policy Control Console
Policy Manager
Offers centralized management and control – An administrator accesses the HiPath Wireless Controller in its centralized location to monitor and administer the entire wireless network. From the HiPath Wireless Controller the administrator can recognize, configure, and manage the Wireless APs and distribute new software releases.
Provides easy deployment of Wireless APs – The initial configuration of the Wireless APs on the centralized HiPath Wireless Controller can be done with an automatic “discovery” technique. For more information, see Section 4.2, “Discovery and registration overview”, on page 107.
Provides security via user authentication – Uses existing authentication (AAA) servers to authenticate and authorize users.
Provides security via filters and privileges – Uses virtual networking techniques to create separate virtual networks with defined authentication and billing services, access policies, and privileges.
Supports seamless mobility and roaming – Supports seamless roaming of a wireless device from one Wireless AP to another on the same HiPath Wireless Controller or on a different HiPath Wireless Controller.
Integrates third-party access points – Uses a combination of network routing and authentication techniques.
Prevents rogue devices – Unauthorized access points are detected and identified as harmless or dangerous rogue APs.
Provides accounting services – Logs wireless user sessions, user group activity, and other activity reporting, enabling the generation of consolidated billing records.
Offers troubleshooting capability – Logs system and session activity and provides reports to aid in troubleshooting analysis.
Offers dynamic RF management – Automatically selects channels and adjusts Radio Frequency (RF) signal propagation and power levels without user intervention.
2.2.1 Enterasys NetSight Suite integration
The HiPath Wireless Controller, Access Points and Convergence Software solution now integrates with the Enterasys NetSight Suite of products. The Enterasys NetSight Suite of products provides a collection of tools to help you manage networks. Its client/server architecture lets you manage your network from a single workstation or, for networks of greater complexity, from one or more client workstations. It is designed to facilitate specific network management tasks while sharing data and providing common controls and a consistent user interface. For more information, see http://www.enterasys.com/products/visibility-control/index.aspx
The NetSight Suite is a family of products comprised of NetSight Console and a suite of plug-in applications, including:
Automated Security Manager – Automated Security Manager is a unique threat response solution that translates security intelligence into security enforcement. It provides sophisticated identification and management of threats and vulnerabilities. For information on how the HiPath Wireless Controller, Access Points and Convergence Software solution integrates with the Automated Security Manager application, see the HiPath Wireless Controller, Access Points and Convergence Software Maintenance Guide.
Inventory Manager – Inventory Manager is a tool for efficiently documenting and updating the details of the ever-changing network. For information on how the HiPath Wireless Controller, Access Points and Convergence Software solution integrates with the Automated Security Manager application, see the HiPath Wireless Controller, Access Points and Convergence Software Maintenance Guide.
NAC Manager – NAC Manager is a leading-edge NAC solution to ensure only the right users have access to the right information from the right place at the right time. The Enterasys NAC solution performs multi-user, multi-method authentication, vulnerability assessment and assisted remediation. For information on how the HiPath Wireless Controller, Access Points and Convergence Software solution integrates with the Enterasys NAC solution, see Section 5.3, “NAC integration with HiPath WLAN”, on page 253.
Policy Manager – Policy Manager recognizes the HiPath Wireless Controller suite as policy capable devices that accept partial configuration from Policy Manager. Currently this integration is partial in the sense that NetSight is unable to create WLAN services directly; the WLAN services need to be directly provisioned on the controller and are represented to Policy Manager as logical ports. The HiPath Wireless Controller allows Policy Manager to:
Attach Topologies (assign VLAN to port) to the HiPath Wireless Controller physical ports (Console).
Attach policy to the logical ports (WLAN Service/SSID).
Assign a Default Role/Policy to a WLAN Service, thus creating the VNS.
Perform authentication operations which can then reference defined policies for station-specific policy enforcement.
This can be seen as a three-step process:
1. Deploy the controller and perform local configuration
– The HiPath Wireless Controller ships with a default SSID, attached by default to all AP radios, when enabled.
– Use the basic installation wizard to complete the HiPath Wireless Controller configuration.
2. Use Policy Manager to:
– Push the VLAN list to the HiPath Wireless Controller (Topologies)
– Attach VLANs to HiPath Wireless Controller physical ports (Console - Complete Topology definition)
– Push RADIUS server configuration to the HiPath Wireless Controller
– Push policy definitions to the HiPath Wireless Controller
– Attach the default policy to create a VNS
3. Fine tune controller settings. For example, configure filtering at the APs and the HiPath Wireless Controller for Bridged at Controller or Routed topologies and their associated VNSs.
Note: Complete information about integration with Policy Manager is outside the scope of this document.
2.3 HiPath Wireless Controller, Access Points and Convergence Software and your network
This section is a summary of the components of the HiPath Wireless Controller, Access Points and Convergence Software solution on your enterprise network. The following are described in detail in this guide, unless otherwise stated:
HiPath Wireless Controller – A rack-mountable network device that provides centralized control over all access points and manages the network assignment of wireless device clients associating through access points.
Wireless AP – A wireless LAN fit access point that communicates with a HiPath Wireless Controller. A Wireless AP can also be configured as a sensor, which monitors and interdicts intrusions by rogue APs and rogue clients.
HiPath Wireless Manager – An optional component of the solution, the HiPath Wireless Manager monitors the performance and health of the wireless network. The HiPath Wireless Manager is particularly valuable for installations that incorporate more than one HiPath Wireless Controller. For more information, see the HiPath Wireless Manager User Guide.
RADIUS Server (Remote Access Dial-In User Service) (RFC2865), or other authentication server – An authentication server that assigns and manages ID and Password protection throughout the network. Used for authentication of the wireless users in either 802.1x or Captive Portal security modes. The RADIUS Server system can be set up for certain standard attributes, such as filter ID, and for the Vendor Specific Attributes (VSAs). In addition, Radius Disconnect (RFC3576), which permits dynamic adjustment of user policy (user disconnect), is supported.
DHCP Server (Dynamic Host Configuration Protocol) (RFC2131) – A server that dynamically assigns IP addresses, gateways, and subnet masks. IP address assignment for clients can be done by the DHCP server internal to the HiPath Wireless Controller, or by existing servers using DHCP relay. It is also used by the Wireless APs to discover the location of the HiPath Wireless Controller during the initial registration process using Options 43, 60, and Option 78. Options 43 and 60 specify the vendor class identifier (VCI) and vendor specific information. Option 78 specifies the location of one or more SLP Directory Agents. For SLP, DHCP should have Option 78 enabled.
Service Location Protocol (SLP) (SLP RFC2608) – Client applications are User Agents and services that are advertised by a Service Agent. In larger installations, a Directory Agent collects information from Service Agents and creates a central repository. The Siemens solution relies on registering “siemens” as an SLP Service Agent.
Domain Name Server (DNS) – A server used as an alternate mechanism (if present on the enterprise network) for the automatic discovery process. HiPath Wireless Controller, Access Points and Convergence Software relies on the DNS for Layer 3 deployments and for static configuration of Wireless APs. The controller can be registered in DNS, to provide DNS assisted AP discovery. In addition, DNS can also be used for resolving RADIUS server hostnames.
Web Authentication Server – A server that can be used for external Captive Portal and external authentication. The HiPath Wireless Controller has an internal Captive portal presentation page, which allows Web authentication (Web redirection) to take place without the need for an external Captive Portal server.
RADIUS Accounting Server (Remote Access Dial-In User Service) (RFC2866) – A server that is required if RADIUS Accounting is enabled.
Simple Network Management Protocol (SNMP) – A Manager Server that is required if forwarding SNMP messages is enabled.
Network infrastructure – The Ethernet switches and routers must be configured to allow routing between the various services noted above. Routing must also be enabled between multiple HiPath Wireless Controllers for the following features to operate successfully:
Availability
Mobility
Mitigator for detection of rogue access points
Some features also require the definition of static routes.
Web Browser – A browser provides access to the HiPath Wireless Controller Management user interface to configure the Controller, Access Points and Convergence Software.
SSH Enabled Device – A device that supports Secure Shell (SSH) is used for remote (IP) shell access to the system.
Zone Integrity – The Zone integrity server enhances network security by ensuring clients accessing your network are compliant with your security policies before gaining access. Zone Integrity Release 5 is supported.
HiPath HiGuard – Provides continuous active intrusion detection and prevention capabilities. For more information, see the HiPath HiGuard documentation.
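The DHCP-based controller discovery described in the DHCP Server entry above can be audited from a captured DHCP offer. The following Python is an added example, not code from this guide or from the product: it parses the options field, decodes Option 78 in the RFC 2610 layout (one mandatory byte followed by IPv4 addresses), and flags Directory Agents that are not in an approved set. The function names, the VCI string, the Option 43 bytes, and all addresses are constructed for illustration.

```python
import ipaddress

PAD, END = 0, 255
OPT_VENDOR_INFO = 43       # vendor specific information
OPT_VENDOR_CLASS_ID = 60   # vendor class identifier (VCI)
OPT_SLP_DA = 78            # SLP Directory Agent (RFC 2610)


def parse_dhcp_options(field: bytes) -> dict:
    """Walk the TLV-encoded DHCP options field (the bytes after the magic cookie)."""
    opts = {}
    i = 0
    while i < len(field):
        code = field[i]
        i += 1
        if code == PAD:          # single-byte padding, no length
            continue
        if code == END:          # end of options
            break
        if i >= len(field):
            raise ValueError(f"option {code}: missing length byte")
        length = field[i]
        i += 1
        if i + length > len(field):
            raise ValueError(f"option {code}: length {length} overruns the field")
        # A code that appears more than once is concatenated (RFC 3396).
        opts[code] = opts.get(code, b"") + field[i:i + length]
        i += length
    return opts


def decode_slp_da(value: bytes):
    """Option 78 payload: 1 'mandatory' byte, then one or more 4-byte IPv4 addresses."""
    if len(value) < 5 or (len(value) - 1) % 4 != 0:
        raise ValueError("option 78: expected 1 flag byte plus N*4 address bytes")
    addrs = [str(ipaddress.IPv4Address(value[j:j + 4]))
             for j in range(1, len(value), 4)]
    return bool(value[0]), addrs


def audit_discovery_options(field: bytes, approved_das: set) -> dict:
    """Report the discovery-related options and any unapproved Directory Agent."""
    opts = parse_dhcp_options(field)
    vci = opts.get(OPT_VENDOR_CLASS_ID)
    report = {
        "vci": vci.decode("ascii", "replace") if vci is not None else None,
        "vendor_info": opts.get(OPT_VENDOR_INFO),   # vendor-defined, kept as raw bytes
        "mandatory": None,
        "directory_agents": [],
        "findings": [],
    }
    if OPT_SLP_DA not in opts:
        report["findings"].append(
            "option 78 absent: APs cannot learn an SLP Directory Agent from this offer")
        return report
    report["mandatory"], report["directory_agents"] = decode_slp_da(opts[OPT_SLP_DA])
    for addr in report["directory_agents"]:
        if addr not in approved_das:
            report["findings"].append(f"unapproved SLP Directory Agent {addr}")
    return report


# Constructed sample: the options field of a DHCP offer (not a real capture).
SAMPLE_VCI = b"EXAMPLE-VCI"                      # placeholder, not a real vendor string
SAMPLE_OFFER_OPTIONS = (
    bytes([53, 1, 2])                            # message type: offer
    + bytes([OPT_VENDOR_CLASS_ID, len(SAMPLE_VCI)]) + SAMPLE_VCI
    + bytes([OPT_VENDOR_INFO, 4, 1, 2, 3, 4])    # opaque vendor data
    + bytes([OPT_SLP_DA, 9, 1])                  # mandatory flag set, two addresses
    + ipaddress.IPv4Address("192.0.2.10").packed
    + ipaddress.IPv4Address("192.0.2.99").packed
    + bytes([END])
)

if __name__ == "__main__":
    result = audit_discovery_options(SAMPLE_OFFER_OPTIONS, {"192.0.2.10"})
    for finding in result["findings"]:
        print(finding)
```
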
2.3.1 Network traffic flow
Figure 3 illustrates a simple configuration with a single HiPath Wireless Controller and two Wireless APs, each supporting a wireless device. A RADIUS server on the network provides authentication, and a DHCP server is used by the Wireless APs to discover the location of the HiPath Wireless Controller during the initial registration process. Network inter-connectivity is provided by the infrastructure routing and switching devices.
Figure 3 Traffic Flow diagram (diagram components: RADIUS Authentication Server, DHCP Server, External CP Server, External Web Authentication Server, Router/Switch, HiPath Wireless Controller (HWC), Wireless APs, Wireless Devices). The diagram's packet transmission callouts are:
802.11 packet transmission: 802.11 beacon and probe; wireless device associates with a Wireless AP by its SSID.
Tunnelling: AP sends data traffic to HWC through UDP tunnel called WASSP; HWC controls Wireless AP through WASSP tunnel; using WASSP tunnels, HWC allows wireless clients to roam to Wireless APs on different HWCs.
Control and Routing: HWC authenticates wireless user; HWC forwards IP packet to wired network.
Each wireless device sends IP packets in the 802.11 standard to the Wireless AP. The Wireless AP uses a UDP (User Datagram Protocol) based tunnelling protocol. In tunnelled mode of operation, it encapsulates the packets and forwards them to the HiPath Wireless Controller. The HiPath Wireless Controller decapsulates the packets and routes these to destinations on the network. In a typical configuration, access points can be configured to locally bridge traffic (to a configured VLAN) directly at their network point of attachment.
The HiPath Wireless Controller functions like a standard L3 router or L2 switch. It is configured to route the network traffic associated with wireless connected users. The HiPath Wireless Controller can also be configured to simply forward traffic to a default or static route if dynamic routing is not preferred or available.
2.3.2 Network security
The HiPath Wireless Controller, Access Points and Convergence Software system provides features and functionality to control network access. These are based on standard wireless network security practices.
Current wireless network security methods provide protection. These methods include:
Shared Key authentication that relies on Wired Equivalent Privacy (WEP) keys
Open System that relies on Service Set Identifiers (SSIDs)
802.1x that is compliant with Wi-Fi Protected Access (WPA)
Captive Portal based on Secure Sockets Layer (SSL) protocol
The HiPath Wireless Controller, Access Points and Convergence Software system provides the centralized mechanism by which the corresponding security parameters are configured for a group of users.
Wired Equivalent Privacy (WEP) is a security protocol for wireless local area networks defined in the 802.11b standard
Wi-Fi Protected Access version 1 (WPA1™) with Temporal Key Integrity Protocol (TKIP)
Wi-Fi Protected Access version 2 (WPA2™) with Advanced Encryption Standard (AES) and Counter Mode with Cipher Block Chaining Message Authentication Code (CCMP)
HiPath HiGuard
The HiPath HiGuard solution provides network security, including:
Monitoring – 2.4 GHz and 5 GHz, all channels association activity
Identifying – Detect all Wi-Fi activity and correlate information from multiple sensors
Auto-Classifying – Limit user intervention to maximize the protection of all devices from all threats
Preventing – Automatically block threats through dedicated sensors to prevent any impact on the service level
Visualizing – Visualize measured coverage for service, detection, and prevention
Locating – Identify the position of rogue APs and clients on the floor-plan for permanent removal
2.3.2.1 Authentication
The HiPath Wireless Controller relies on a RADIUS server, or authentication server, on the enterprise network to provide the authentication information (whether the user is to be allowed or denied access to the network). A RADIUS client is implemented to interact with infrastructure RADIUS servers.
The HiPath Wireless Controller provides authentication using:
Captive Portal – a browser-based mechanism that forces users to a Web page
RADIUS (using IEEE 802.1x)
The 802.1x mechanism is a standard for authentication developed within the 802.11 standard. This mechanism is implemented at the wireless Port, blocking all data traffic between the wireless device and the network until authentication is complete. Authentication by 802.1x standard uses Extensible Authentication Protocol (EAP) for the message exchange between the HiPath Wireless Controller and the RADIUS server.
When 802.1x is used for authentication, the HiPath Wireless Controller provides the capability to dynamically assign per-wireless-device WEP keys (called per session WEP keys in 802.11). In the case of WPA, the HiPath Wireless Controller is not involved in key assignment. Instead, the controller is involved in the information exchange between RADIUS server and the user’s wireless device to negotiate the appropriate set of keys. With WPA2 the material exchange produces a Pairwise Master Key which is used by the AP and the user to derive their temporal keys. (The keys change over time.)
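The step from the Pairwise Master Key to temporal keys described above can be shown with the IEEE 802.11i pairwise key expansion for the WPA2 (CCMP) case, which uses an HMAC-SHA1 based PRF over both MAC addresses and both handshake nonces. The following Python is an added example, not code from this guide or from the controller; the function names, the PMK, and the MAC addresses are constructed for illustration.

```python
import hashlib
import hmac
import os

LABEL = b"Pairwise key expansion"


def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < n_bytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:n_bytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """Expand a PMK into the 384-bit pairwise transient key used with CCMP.

    aa  = authenticator (AP) MAC address, spa = supplicant (client) MAC address.
    The addresses and nonces are ordered min/max so both sides compute the
    same value regardless of which role they play.
    """
    if len(pmk) != 32:
        raise ValueError("PMK must be 32 bytes")
    if len(aa) != 6 or len(spa) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("nonces must be 32 bytes")
    data = (min(aa, spa) + max(aa, spa)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, LABEL, data, 48)
    return {
        "kck": ptk[0:16],    # key confirmation key: integrity of handshake frames
        "kek": ptk[16:32],   # key encryption key: protects the group key in transit
        "tk": ptk[32:48],    # temporal key: encrypts this session's data frames
    }


def new_session(pmk: bytes, aa: bytes, spa: bytes) -> dict:
    """Model one association: each side contributes a fresh random nonce."""
    return derive_ptk(pmk, aa, spa, os.urandom(32), os.urandom(32))


# Constructed sample values (locally administered MAC addresses, dummy PMK).
SAMPLE_PMK = bytes(range(32))
SAMPLE_AA = bytes.fromhex("020000000001")
SAMPLE_SPA = bytes.fromhex("020000000002")

if __name__ == "__main__":
    first = new_session(SAMPLE_PMK, SAMPLE_AA, SAMPLE_SPA)
    second = new_session(SAMPLE_PMK, SAMPLE_AA, SAMPLE_SPA)
    # Same PMK, new nonces: the temporal key differs between associations.
    print("TK 1:", first["tk"].hex())
    print("TK 2:", second["tk"].hex())
    print("temporal keys differ:", first["tk"] != second["tk"])
```

Because the nonces enter the derivation, the same Pairwise Master Key yields a different temporal key on every association.
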
The HiPath Wireless Controller, Access Points and Convergence Software solution provides a RADIUS redundancy feature that enables you to define a failover RADIUS server in the event that the active RADIUS server becomes unresponsive.
2.3.2.2 Privacy
Privacy is a mechanism that protects data over wireless and wired networks, usually by encryption techniques.
HiPath Wireless Controller, Access Points and Convergence Software supports the Wired Equivalent Privacy (WEP) standard common to conventional access points.
It also provides Wi-Fi Protected Access version 1 (WPA v.1) encryption, based on Pairwise Master Key (PMK) and Temporal Key Integrity Protocol (TKIP). The most secure encryption mechanism is WPA version 2, using Advanced Encryption Standard (AES).
2.3.3 Virtual Network Services
Virtual Network Services (VNS) provide a versatile method of mapping wireless networks to the topology of an existing wired network.
In releases prior to V7.0, a VNS was a collection of operational entities. Starting with Release V7.0, a VNS becomes the binding of reusable components:
WLAN Service components that define the radio attributes, privacy and authentication settings, and QoS attributes of the VNS
Policy components that define the topology (typically a VLAN), filter rules, and Class of Service applied to the traffic of a station.
Figure 4 illustrates the transition of the concept of a VNS to a binding of reusable components.
Figure 4 VNS as a binding of reusable components
WLAN Service components and Policy components can be configured separately and associated with a VNS when the VNS is created or modified. Alternatively, they can be configured during the process of creating a VNS.
Additionally, Policies can be created using the Enterasys NetSight Policy Manager and pushed to the HiPath Wireless Controller. Policy assignment ensures that the correct topology and traffic behavior are applied to a user regardless of WLAN service used or VNS assignment.
When VNS components are set up on the HiPath Wireless Controller, among other things, a range of IP addresses is set aside for the HiPath Wireless Controller’s DHCP server to assign to wireless devices.
If the OSPF routing protocol is enabled, the HiPath Wireless Controller advertises the routed topologies as reachable segments to the wired network infrastructure. The controller routes traffic between the wireless devices and the wired network.
The HiPath Wireless Controller also supports VLAN-bridged assignment for VNSs. This allows the controller to directly bridge the set of wireless devices associated with a WLAN service directly to a specified core VLAN.
Each HiPath Wireless Controller model can support a specified number of active VNSs, as listed below:
C5110 – Up to 128 VNSs
C4110 – Up to 64 VNSs
C2400 – Up to 64 VNSs
C20 – Up to 8 VNSs
C20N – Up to 8 VNSs
CRBT8210 – Up to 16 VNSs
CRBT8110 – Up to 8 VNSs
The Wireless AP radios can be assigned to each of the configured WLAN services and, therefore, VNSs in a system. Each Wireless AP can be the subject of 16 service assignments (8 assignments per radio), which corresponds to the number of SSIDs it can support. Once a radio has all 8 slots assigned, it is no longer eligible for further assignment.
2.3.4 VNS components
The distinct constituent high-level configurable umbrella elements of a VNS are:
Topology
Policy
WLAN Services
2.3.4.1 Topology
Topologies represent the networks with which the HiPath Wireless Controller and its APs interact. The main configurable attributes of a topology are:
Name - a string of alphanumeric characters designated by the administrator.
VLAN ID - the VLAN identifier as specified in the IEEE 802.1Q definition.
VLAN tagging options.
Port of presence for the topology on the HiPath Wireless Controller. (This attribute is not required for Routed and Bridged at AP topologies.)
Interface. This attribute is the IP (L3) address assigned to the HiPath Wireless Controller on the network described by the topology. (Optional.)
Type. This attribute describes how traffic is forwarded on the topology. Options are:
– “Physical” - the topology is the native topology of a data plane and it represents the actual Ethernet ports.
– “Management” - the native topology of the HiPath Wireless Controller management port.
– “Routed” - the controller is the routing gateway for the routed topology.
– “Bridged at Controller” - the user traffic is bridged (in the L2 sense) between wireless clients and the core network infrastructure.
– “Bridged at AP” - the user traffic is bridged locally at the AP without being redirected to the HiPath Wireless Controller.
Exception Filters. Specifies which traffic has access to the HiPath Wireless Controller from the wireless clients or the infrastructure network.
Certificates.
Multicast filters. Defines the multicast groups that are allowed on a specific topology segment.
2.3.4.2 Policy
A Policy is a collection of attributes and rules that determine the actions taken as user traffic accesses the wired network through the WLAN service (associated to the WLAN Service's SSID). Depending upon its type, a VNS can have between 1 and 3 Authorization Policies associated with it:
1. Default non-authorized policy — This is a mandatory policy that covers all traffic from stations that have not authenticated. At the administrator's discretion the default non-authorized policy can be applied to the traffic of authenticated stations as well.
2. Default authorized policy — This is a mandatory policy that applies to the traffic of authenticated stations for which no other policy was explicitly specified. It can be the same as the default non-authorized policy.
3. Third party AP policy — This policy applies to the list of MAC addresses corresponding to the wired interfaces of third party APs specifically defined by the administrator to be providing the RF access as an AP WLAN Service. This policy is only relevant when applied to third party AP WLAN Services.
As mentioned previously, policies can be configured using the NetSight Policy Manager and pushed to the HiPath Wireless Controller, or they can be configured directly on the controller. When using Policy Manager, you should note that the HiPath Wireless Controller implements most of the Policy Manager concept of Policy except for QoS assignment. The HiPath Wireless Controller implements per policy inbound and outbound rate limits, but not policy-based DSCP remarking or queue assignment.
2.3.4.3 WLAN Services
A WLAN Service represents all the RF, authentication and QoS attributes of a wireless access service offered by the HiPath Wireless Controller and its APs. A WLAN Service can be one of three basic types:
Standard — A conventional service. Only APs running HiPath Wireless software can be part of this WLAN Service. This type of service is usable as a Bridged at Controller, Bridged at AP, or Routed Topology. This type of service provides access for mobile stations. Policies can be associated with this type of WLAN service to create a VNS.
Third Party AP — A Wireless Service offered by third party APs. This type of service provides access for mobile stations. Policies can be assigned to this type of WLAN service to create a VNS.
WDS — This represents a group of APs organized into a hierarchy for purposes of providing a Wireless Distribution Service. This type of service is in essence a wireless trunking service rather than a service that provides access for stations. As such, this type of service cannot have policies attached to it.
In release V7.0, the components of a WLAN Service map to the corresponding components of a VNS in previous releases. The exception is that WLAN Services are not classified as SSID-based or AAA-based, as was the case in previous releases. Instead, the administrator makes an explicit choice of the type of authentication to use on the WLAN Service. If his choice of authentication option conflicts with any of his other authentication or privacy choices, the WLAN Service cannot be enabled.
2.3.5 Static routing and routing protocols
Routing can be used on the HiPath Wireless Controller to support the VNS definitions. Through the user interface you can configure routing on the HiPath Wireless Controller to use one of the following routing techniques:
•Static routes – Use static routes to set the default route of a HiPath Wireless Controller so that legitimate wireless device traffic can be forwarded to the default gateway.
Open Shortest Path First (OSPF, version 2) (RFC2328) – Use OSPF to allow the HiPath Wireless Controller to participate in dynamic route selection. OSPF is a protocol designed for medium and large IP networks with the ability to segment routes into different areas by routing information summarization and propagation. Static Route definition and OSPF dynamic learning can be combined, and the precedence of a static route definition over dynamic rules can be configured by selecting or clearing the Override dynamic routes option checkbox.
Next-hop routing – Use next-hop routing to specify a unique gateway to which traffic on a VNS is forwarded. Defining a next-hop for a VNS forces all the traffic in the VNS to be forwarded to the indicated network device, bypassing any routing definitions of the controller's route table.
2.3.6 Mobility and roaming
In typical simple configurations, APs are set up as bridges that bridge wireless traffic to the local subnet. In bridging configurations, the user obtains an IP address from the same subnet as the AP, assuming no VLAN trunking functionality. If the user roams between APs on the same subnet, it is able to keep using the same IP address. However, if the user roams to another AP outside of that subnet, its IP address is no longer valid. The user's client device must recognize that the IP address it has is no longer valid and re-negotiate a new one on the new subnet. This mechanism does not mandate any action on the user. The recovery procedure is entirely client device dependent. Some clients automatically attempt to obtain a new address on roam (which affects roaming latency), while others will hold on to their IP address. This loss of IP address continuity seriously affects the client's experience in the network, because in some cases it can take minutes for a new address to be negotiated.
The HiPath Wireless Controller, Access Points and Convergence Software solution centralizes the user's network point of presence, therefore abstracting and decoupling the user's IP address assignment from that of the AP's location subnet. That means that the user is able to roam across any AP without losing its own IP address, regardless of the subnet on which the serving APs are deployed.
In addition, a HiPath Wireless Controller can learn about other HiPath Wireless Controllers on the network and then exchange client session information. This enables a wireless device user to roam seamlessly between different Wireless APs on different HiPath Wireless Controllers.
2.3.7 Network availability
The HiPath Wireless Controller, Access Points and Convergence Software solution provides availability against Wireless AP outages, HiPath Wireless Controller outages, and even network outages. The HiPath Wireless Controller in a VLAN bridged topology can potentially allow the user to retain the IP address in a failover scenario, if the VNS/VLAN is common to both controllers. For example, availability is provided by defining a paired controller configuration by which each peer can act as the backup controller for the other's APs. APs in one controller are allowed to failover and register with the alternate controller.
If a HiPath Wireless Controller fails, all of its associated Wireless APs can automatically switch over to another HiPath Wireless Controller that has been defined as the secondary or backup HiPath Wireless Controller. If the AP reboots, the original HiPath Wireless Controller is restored. The original HiPath Wireless Controller is restored if it is active. However, active APs will continue to be attached to the failover controller until the administrator releases them back to the original home controller.
2.3.8 Quality of Service (QoS)
HiPath Wireless Controller, Access Points and Convergence Software solution provides advanced Quality of Service (QoS) management to provide better network traffic flow. Such techniques include:
WMM (Wi-Fi Multimedia) – WMM is enabled per WLAN service. The HiPath Wireless Controller provides centralized management of the AP features. For devices with WMM enabled, the standard provides multimedia enhancements for audio, video, and voice applications. WMM shortens the time between transmitting packets for higher priority traffic. WMM is part of the 802.11e standard for QoS. In the context of the HiPath Wireless Solution, the ToS/DSCP field is used for classification and proper class of service mapping, output queue selection, and priority tagging.
IP ToS (Type of Service) or DSCP (Diffserv Codepoint) – The ToS/DSCP field in the IP header of a frame indicates the priority and class of service for each frame. The IP TOS and/or DSCP is maintained and transported within CTP (CAPWAP Tunneling Protocol) by copying the user IP QoS information to the CTP header—this is referred to as Adaptive QoS.
Rate Control – Rate Control for user traffic can also be considered as an aspect of QoS. As part of Policy definition, the user can specify (default) policy that includes Ingress and Egress rate control. Ingress rate control applies to traffic generated by wireless clients and Egress rate control applies to traffic targeting specific wireless clients. The bit-rates can be configured as part of globally available profiles which can be used by any particular configuration. A global default is also defined.
Quality of Service (QoS) management is also provided by:
Assigning high priority to a WLAN service
Adaptive QoS (automatic and all time feature)
Support for legacy devices that use SpectraLink Voice Protocol (SVP) for prioritizing voice traffic (configurable)
2.4 HiPath Wireless Controller product family
The HiPath Wireless Controller is available in the following product families:
HiPath Wireless Controller Model Number | Specifications
C5110 | Three data ports supporting up to 525 Wireless APs (2 fiber optic SR (10Gbps), 1 Ethernet port GigE); One management port (Ethernet) GigE; One console port (DB9 serial); Four USB ports, two on each front and back panel (only one active at a time); Redundant dual power supply unit
C4110 | Four GigE ports supporting up to 250 Wireless APs; One management port (Ethernet) GigE; One console port (DB9 serial); Four USB ports (only one active at a time); Redundant dual power supply unit
C2400 | Four GigE ports supporting up to 200 Wireless APs; One management port (10/100 BaseT); One console port (DB9 serial); Redundant dual power supply unit
C20 | Two GigE ports supporting up to 32 Wireless APs; One management port GigE; One console port (USB control); One USB port; Power supply standard (R)
C20N | Two GigE ports supporting up to 32 Wireless APs; One management port GigE; One console port (DB9 serial); One USB port
CRBT8210 | One GigE port supporting up to 72 Wireless APs; One management port (10/100 Base); One console port (DB9 serial)
CRBT8110 | One GigE port supporting up to 24 Wireless APs; One management port (10/100 Base); One console port (DB9 serial); One USB port
Table 1 HiPath Wireless Controller product families
3 Configuring the HiPath Wireless Controller
This chapter describes the steps involved in the initial configuration and setup of the HiPath Wireless Controller, including:
System configuration overview
Logging on to the HiPath Wireless Controller
Working with the basic installation wizard
Configuring the HiPath Wireless Controller for the first time
Using an AeroScout location based solution
Additional ongoing operations of the system
3.1 System configuration overview
The following section provides a high-level overview of the steps involved in the initial configuration of your system:
1. Before you begin the configuration process, research the type of WLAN deployment that is required. For example, topology and VLAN IDs, SSIDs, security requirements, and filter policies.
2. Prepare the network servers. Ensure that the external servers, such as DHCP and RADIUS servers (if applicable) are available and appropriately configured.
3. Install the HiPath Wireless Controller. For more information, see the documentation for your HiPath Wireless Controller.
If you are deploying the HiPath Wireless Controller C20N, use the DFE CLI to configure the VLAN assignments for the corresponding PC ports on the Controller Module. For example:
set port vlan pc.slot.port# vlan-id
Note: The VLAN configuration of the PC ports on the DFE module (VLAN ID and tagged vs. untagged) must match the VLAN configuration of the controller’s data ports defined using the HiPath Wireless Assistant.
4. Perform the first time setup of the HiPath Wireless Controller on the physical network, which includes configuring the IP addresses of the interfaces on the HiPath Wireless Controller.
Change the default IP address to be the relevant subnet point of attachment to the existing network. The IP address 10.0.#.1 is set by default the first time you start up the controller.
To manage the HiPath Wireless Controller through the interface configured above, select the Mgmt checkbox on the Interfaces tab.
Configure the data port interfaces to be on separate VLANs, matching the VLANs configured in step 3 above. Ensure also that the tagged vs. untagged state is consistent with the switch port (DFE if configuring the HiPath Wireless Controller C20N) configuration.
Configure the time zone. Because changing the time zone requires restarting the HiPath Wireless Controller, Siemens recommends that you configure the time zone during the initial installation and configuration of the HiPath Wireless Controller to avoid network interruptions. For more information, see Section 3.4.11, “Configuring network time”, on page 92.
Apply an activation key file. If an activation key is not applied, the HiPath Wireless Controller functions with some features enabled in demonstration mode. Not all features are enabled in demonstration mode. For example, mobility is not enabled and cannot be used.
Caution: Whenever the licensed region changes on the HiPath Wireless Controller, all Wireless APs are changed to Auto Channel Select to prevent possible infractions to local RF regulatory requirements. If this occurs, all manually configured radio channel settings will be lost.
Installing the new license key before upgrading will prevent the HiPath Wireless Controller from changing the licensed region, and in addition, manually configured channel settings will be maintained. For more information, see the HiPath Wireless Controller, Access Points and Convergence Software Maintenance Guide.
Configure the HiPath Wireless Controller for remote access:
Set up an administration station (laptop) on subnet 192.168.10.0/24. By default, the HiPath Wireless Controller's Management interface is configured with the static IP address 192.168.10.1.
Configure the HiPath Wireless Controller’s management interface.
Configure the data interfaces.
Set up the HiPath Wireless Controller on the network by configuring the physical data ports.
Configure the routing table.
Configure static routes or OSPF parameters, if appropriate to the network.
For more information, see Section 3.4, “Configuring the HiPath Wireless Controller for the first time”, on page 51.
5. Configure the traffic topologies your network must support. Topologies represent the Controller’s points of network attachment, therefore VLANs and port assignments need to be coordinated with the corresponding network switch ports. For more information, see Section 6.8, “Configuring a Topology”, on page 319.
6. Configure policies. Policies are typically bound to topologies. Policy application assigns user traffic to the corresponding network point.
– Policies define user access rights (filtering or ACL)
– Policies reference user's rate control profile.
For more information, see Section 6.10, “Configuring Policy”, on page 377.
7. Configure WLAN services.
– Define SSID and privacy settings for the wireless link.
– Select the set of APs/Radios on which the service is present.
– Configure the method of credential authentication for wireless users (None, Internal CP, External CP, GuestPortal, 802.1x[EAP])
For more information, see Section 6.9, “Configuring WLAN Services”, on page 331.
8. Create the VNSs.
A VNS binds a WLAN Service to a Policy that will be used for default assignment upon a user's network attachment.
You can create topologies, policies, and WLAN services first, before configuring a VNS, or you can select one of the wizards (such as the VNS wizard), or you can simply select to create a new VNS.
The VNS page then allows for in-place creation and definition of any dependency it may require, such as:
– Creating a new WLAN Service
– Creating a new policy
– Creating a new topology (within a policy)
– Creating new rate controls, etc.
The default shipping configuration does not ship any pre-configured WLAN Services, VNSs, or Policies.
9. Install, register, and assign APs to the VNS.
Confirm the latest firmware version is loaded. For more information, see Section 4.11, “Performing Wireless AP software maintenance”, on page 190.
Deploy Wireless APs to their corresponding network locations.
– If applicable, configure a default AP template for common radio assignment, whereby APs automatically receive complete configuration. For typical deployments where all APs are to have the same configuration, this feature will expedite deployment, as an AP will automatically receive full configuration (including VNS-related assignments) upon initial registration with the HiPath Wireless Controller.
– If applicable, modify the properties or settings of the Wireless APs. For more information, see Chapter 4, “Configuring the Wireless AP”.
– Connect the Wireless APs to the HiPath Wireless Controller.
– Once the Wireless APs are powered on, they automatically begin the Discovery process of the HiPath Wireless Controller, based on factors that include:
Their Registration mode (on the Wireless AP Registration screen)
The enterprise network services that will support the discovery process
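The note in step 3 and the data-port item in step 4 require the DFE PC-port VLAN settings and the controller's data-port settings to agree. The check below is an added example, not part of the manual or the product: it reads commands in the "set port vlan pc.slot.port# vlan-id" form shown in step 3 and compares them with a constructed data-port list. The port labels data1/data2, the wiring map and the tagged-port set are assumptions.

```python
import re
from dataclasses import dataclass

# Command form shown in step 3: set port vlan pc.slot.port# vlan-id
SET_PORT_VLAN = re.compile(r"^\s*set port vlan (pc\.\d+\.\d+)\s+(\d+)\s*$")


@dataclass(frozen=True)
class PortVlan:
    port: str      # "pc.slot.port" on the DFE, or a controller data-port label
    vlan_id: int   # IEEE 802.1Q VLAN identifier
    tagged: bool   # True = tagged, False = untagged


def parse_dfe_commands(lines, tagged_ports):
    """Build DFE PC-port records from 'set port vlan' lines.

    tagged_ports is the set of PC ports the administrator recorded as tagged
    (an assumption: the command form on the page carries only the VLAN ID).
    """
    ports = []
    for line in lines:
        m = SET_PORT_VLAN.match(line)
        if m:
            name = m.group(1)
            ports.append(PortVlan(name, int(m.group(2)), name in tagged_ports))
    return ports


def _mode(tagged):
    return "tagged" if tagged else "untagged"


def check_vlan_consistency(dfe_ports, controller_ports, wiring):
    """Return findings where controller data ports and DFE PC ports disagree.

    wiring maps each controller data port to the DFE PC port it connects to.
    """
    findings = []
    dfe_by_name = {p.port: p for p in dfe_ports}
    vlan_owner = {}  # VLAN ID -> first controller data port seen using it

    for cp in controller_ports:
        if not 1 <= cp.vlan_id <= 4094:
            findings.append(f"{cp.port}: VLAN ID {cp.vlan_id} is outside 1-4094")

        # Step 4: data port interfaces must be on separate VLANs.
        owner = vlan_owner.setdefault(cp.vlan_id, cp.port)
        if owner != cp.port:
            findings.append(f"{cp.port}: shares VLAN {cp.vlan_id} with {owner}")

        peer = dfe_by_name.get(wiring.get(cp.port, ""))
        if peer is None:
            findings.append(f"{cp.port}: no DFE PC port configured for this link")
            continue
        # Step 3 note: VLAN ID and tagged vs. untagged must match on both sides.
        if peer.vlan_id != cp.vlan_id:
            findings.append(
                f"{cp.port}: VLAN {cp.vlan_id} but {peer.port} uses VLAN {peer.vlan_id}")
        if peer.tagged != cp.tagged:
            findings.append(
                f"{cp.port}: {_mode(cp.tagged)} but {peer.port} is {_mode(peer.tagged)}")
    return findings


# Constructed sample input (not taken from a real device).
DFE_LINES = ["set port vlan pc.1.1 100", "set port vlan pc.1.2 200"]
DFE_TAGGED = set()  # both PC ports recorded as untagged
CONTROLLER_PORTS = [PortVlan("data1", 100, True), PortVlan("data2", 100, False)]
WIRING = {"data1": "pc.1.1", "data2": "pc.1.2"}

if __name__ == "__main__":
    dfe = parse_dfe_commands(DFE_LINES, DFE_TAGGED)
    for finding in check_vlan_consistency(dfe, CONTROLLER_PORTS, WIRING):
        print(finding)
```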
3.2 Logging on to the HiPath Wireless Controller
1. Launch your Web browser (Internet Explorer version 6.0 or higher, or FireFox).
See the V7.31 release notes for the supported Web browsers.
2. In the browser address bar, type the following:
https://192.168.10.1:5825
This launches the HiPath Wireless Assistant. The login screen is displayed.
3. In the User Name box, type your user name.
4. In the Password box, type your password.
Note: The HiPath Wireless Controller default user name is admin. The default password is abc123.
5. Click Login. The HiPath Wireless Assistant main menu screen is displayed.
3.3 Working with the basic installation wizard
The HiPath Wireless Controller, Access Points and Convergence Software system provides a basic installation wizard that can help administrators configure the minimum HiPath Wireless Controller settings that are necessary to deploy a functioning HiPath wireless solution on a network.
Administrators can use the basic installation wizard to quickly configure the HiPath Wireless Controller for deployment, and then once the installation is complete, continue to revise the HiPath Wireless Controller configuration accordingly.
The basic installation wizard is automatically launched when an administrator logs on to the HiPath Wireless Controller for the first time, including if the system has been reset to the factory default settings. In addition, the basic installation wizard can also be launched at any time from the left pane of the HiPath Wireless Controller Configuration screen.
To configure the HiPath Wireless Controller with the basic installation wizard:
1. Log on to the HiPath Wireless Controller. For more information, see Section 3.2, “Logging on to the HiPath Wireless Controller”, on page 44.
2. From the main menu, click Wireless Controller Configuration. The HiPath Wireless Controller Configuration screen is displayed.
3. In the left pane, click Installation Wizard. The Basic Installation Wizard screen is displayed.
4. In the Time Settings section, configure the HiPath Wireless Controller timezone:
Continent or Ocean – Click the appropriate large-scale geographic grouping for the time zone.
Country – Click the appropriate country for the time zone. The contents of the drop-down list change, based on the selection in the Continent or Ocean drop-down list.
Time Zone Region – Click the appropriate time zone region for the selected country.
5. To configure the HiPath Wireless Controller’s time, do one of the following:
To manually set the HiPath Wireless Controller time, use the Year, Month, Day, HR, and Min. drop-down lists to specify the time.
To use the HiPath Wireless Controller as the NTP time server, select the Run local NTP Server option.
To use NTP to set the HiPath Wireless Controller time, select the Use NTP option, and then type the IP address of an NTP time server that is accessible on the enterprise network.
The Network Time Protocol is a protocol for synchronizing the clocks of computer systems over packet-switched data networks.
6. In the Port Configuration section, click the physical interface of the HiPath Wireless Controller you want to assign as a data port. The system assigns default IP Address and Netmask values for the data port. If applicable, type a different IP address and netmask for the selected physical interface.
For information on how to obtain a temporary IP address from the network, click How to obtain a temporary IP address.
7. Click Next. The Management screen is displayed.
8. In the Management Port section, confirm the port configuration values that were defined when the HiPath Wireless Controller was physically deployed on the network. If applicable, edit these values:
• IP Address – Displays the IP address for the HiPath Wireless Controller’s management port. Revise this as appropriate for the enterprise network.
• Netmask – Displays the appropriate subnet mask for the IP address to separate the network portion from the host portion of the address.
Gateway – Displays the default gateway of the network.
9. In the SNMP section, click V2c or V3 in the Mode drop-down list to enable SNMP, if applicable. Only one mode can be supported on the controller at a time.
If you selected V2c, do the following:
Read Community – Type the password that is used for read-only SNMP communication.
Write Community – Type the password that is used for write SNMP communication.
Trap Destination – Type the IP address of the server used as the network manager that will receive SNMP messages.
10. In the OSPF section, select the Enable checkbox to enable OSPF, if applicable. Use OSPF to allow the HiPath Wireless Controller to participate in dynamic route selection. OSPF is a protocol designed for medium and large IP networks with the ability to segment routes into different areas by routing information summarization and propagation.
Do the following:
• Port – Click the physical interface of the HiPath Wireless Controller you want to assign as a router port.
• Area ID – Type the desired area. Area 0.0.0.0 is the main area in OSPF.
11. In the Syslog Server section, select the Enable checkbox to enable the syslog protocol for the HiPath Wireless Controller, if applicable. Syslog is a protocol used for the transmission of event notification messages across networks.
In the IP Address box, type the IP address of the syslog server.
12. Click Next. The Services screen is displayed.
13. In the RADIUS section, select the Enable checkbox to enable RADIUS login authentication, if applicable. RADIUS login authentication uses a RADIUS server to authenticate user login attempts. RADIUS is a client/server authentication and authorization access protocol used by a network access server (NAS) to authenticate users attempting to connect to a network device.
Do the following:
• Server Alias – Type a name that you want to assign to the RADIUS server. You can type a name or IP address of the server.
• Hostname/IP – Type the RADIUS server’s hostname or IP address.
• Shared Secret – Type the password that will be used to validate the connection between the HiPath Wireless Controller and the RADIUS server.
14. In the Mobility section, select the Enable checkbox to enable the HiPath Wireless Controller mobility feature, if applicable. Mobility allows a wireless device user to roam seamlessly between different Wireless APs on the same or different HiPath Wireless Controllers.
A dialog is displayed informing you that NTP is required for the mobility feature and prompting you to confirm you want to enable mobility.
Note: If the HiPath Wireless Controller is configured as a mobility agent, it will act as an NTP client and use the mobility manager as the NTP server. If the HiPath Wireless Controller is configured as a mobility manager, the HiPath Wireless Controller’s local NTP will be enabled for the mobility domain.
Click OK to continue, and then do the following:
Role – Select the role for the HiPath Wireless Controller, Manager or Agent. One HiPath Wireless Controller on the network is designated as the mobility manager and all other HiPath Wireless Controllers are designated as mobility agents.
Port – Click the interface on the HiPath Wireless Controller to be used for communication between mobility manager and mobility agent. Ensure that the selected interface is routable on the network. For more information, see Chapter 8, “Configuring Mobility”.
Manager IP – Type the IP address of the mobility manager port if the HiPath Wireless Controller is configured as the mobility agent.
15. In the Default VNS section, select the Enable checkbox to enable a default VNS for the HiPath Wireless Controller. The default VNS parameters are displayed. Refer to Chapter 5, “Virtual Network Services concepts” for more information about the default VNS.
16. Click Finish. The Success screen is displayed. Siemens recommends that you change the factory default administrator password.
Do the following:
New Password – Type a new administrator password.
Confirm Password – Type the new administrator password again.
17. Click Save. Your new password is saved.
18. Click OK, and then click Close. The HiPath Wireless Assistant main menu screen is displayed.
Note: The HiPath Wireless Controller reboots after you click Save if the time zone is changed during the Basic Install Wizard. If the IP address of the management port is changed during the configuration with the Basic Install Wizard, the HiPath Wireless Assistant session is terminated and you will need to log back in with the new IP address.
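A review of the values planned for the wizard steps above, as an added example (not code from the manual or the product). The plan dictionary, its key names and the check identifiers are assumptions; the rules come from the wizard steps and the demonstration-mode item in Section 3.1, plus the general fact that SNMP V2c community strings are sent unencrypted.

```python
import ipaddress


def _is_ip(value):
    """True if value is a string that parses as an IPv4 or IPv6 address."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def review_wizard_plan(plan):
    """Return [(check_id, message), ...] for planned settings that need attention."""
    findings = []

    # Step 16: the manual recommends changing the factory default password.
    if not plan.get("admin_password_changed"):
        findings.append(("admin-password",
                         "factory default administrator password not changed"))

    # Step 8: the default gateway has to sit inside the management subnet.
    try:
        mgmt = ipaddress.ip_interface(f"{plan.get('mgmt_ip')}/{plan.get('mgmt_netmask')}")
        if ipaddress.ip_address(plan.get("mgmt_gateway")) not in mgmt.network:
            findings.append(("mgmt-gateway", "gateway is outside the management subnet"))
    except ValueError:
        findings.append(("mgmt-address", "management IP, netmask or gateway does not parse"))

    # Step 9: only one SNMP mode at a time; V2c relies on community "passwords".
    if plan.get("snmp_mode") == "V2c":
        findings.append(("snmp-v2c",
                         "V2c community strings cross the network unencrypted; V3 is the other mode"))
        read_c = plan.get("snmp_read_community")
        if read_c and read_c == plan.get("snmp_write_community"):
            findings.append(("snmp-community-reuse",
                             "the read-only community also grants write access"))
        if not _is_ip(plan.get("snmp_trap_destination")):
            findings.append(("snmp-trap", "trap destination is not a valid IP address"))

    # Step 5: "Use NTP" needs the address of a reachable NTP server.
    if plan.get("time_source") == "use_ntp" and not _is_ip(plan.get("ntp_server")):
        findings.append(("ntp-server", "Use NTP selected without a valid NTP server address"))

    # Step 11: without syslog, event notifications stay on the controller.
    if not plan.get("syslog_enabled"):
        findings.append(("syslog-disabled", "event messages are not sent to a syslog server"))
    elif not _is_ip(plan.get("syslog_ip")):
        findings.append(("syslog-ip", "syslog server address is not a valid IP address"))

    # Step 14 and Section 3.1: mobility is unavailable in demonstration mode,
    # and a mobility agent needs the manager's address.
    if plan.get("mobility_enabled"):
        if not plan.get("activation_key_applied"):
            findings.append(("mobility-demo-mode",
                             "mobility cannot be used until an activation key is applied"))
        if plan.get("mobility_role") == "Agent" and not _is_ip(plan.get("mobility_manager_ip")):
            findings.append(("mobility-manager-ip",
                             "mobility agent needs the mobility manager's IP address"))
    return findings


# Constructed sample plan (values are illustrative, not from a real deployment).
SAMPLE_PLAN = {
    "admin_password_changed": False,
    "mgmt_ip": "192.168.10.1", "mgmt_netmask": "255.255.255.0",
    "mgmt_gateway": "192.168.20.254",
    "snmp_mode": "V2c", "snmp_read_community": "example-ro",
    "snmp_write_community": "example-ro", "snmp_trap_destination": "192.168.10.50",
    "time_source": "use_ntp", "ntp_server": "",
    "syslog_enabled": False, "syslog_ip": "",
    "mobility_enabled": True, "mobility_role": "Agent",
    "mobility_manager_ip": "192.168.10.2", "activation_key_applied": False,
}

if __name__ == "__main__":
    for check_id, message in review_wizard_plan(SAMPLE_PLAN):
        print(f"{check_id}: {message}")
```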
3.4 Configuring the HiPath Wireless Controller for the first time
This section describes HiPath Wireless Controller configuration that is typically performed as soon as the HiPath Wireless Controller is deployed.
Although the basic installation wizard has already configured some aspects of the HiPath Wireless Controller deployment, you can continue to revise the HiPath Wireless Controller configuration according to your network needs.
3.4.1 Changing the administrator password
Siemens recommends that you change your default administrator password once your system is deployed. The HiPath Wireless Controller default password is abc123. When the HiPath Wireless Controller is installed and you elect to change the default password, the new password must be a minimum of eight characters.
The minimum eight character password length is not applied to existing passwords. For example, if a six character password is already being used and an upgrade of the software is performed, the software does not require the password to be changed to a minimum of eight characters. However, once the upgrade is completed and a new account is created, or the password of an existing account is changed, the new password length minimum will be enforced.
To change the administrator password:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless Controller Configuration screen is displayed.
2. In the left pane, click Login Management.
3. In the Full Administrator table, click the administrator user name.
4. In the Password box, type the new administrator password.
5. In the Confirm Password box, type the new administrator password again.
6. Click Change Password.
Note: The HiPath Wireless Controller provides you with local login authentication mode, the RADIUS-based login authentication mode, and combinations of the two authentication modes. The local login authentication is enabled by default. For more information, see Section 3.4.9, “Configuring the login authentication mode”, on page 78.
3.4.2 Applying product license keys
The HiPath Wireless Controller’s license system works on simple software-based key strings. A key string consists of a series of numbers and/or letters. Using these key strings, you can license the software, enable the optional external captive portal feature, and enhance the capacity of the HiPath Wireless Controller to manage additional Wireless APs.
The key strings can be classified into the following variants:
• Activation Key – Activates the software. This key is further classified into two sub-variants:
    • Temporary Activation Key – Activates the software for a trial period of 90 days.
    • Permanent Activation Key – Activates the software for an infinite period.
• Option Key – Activates the optional features. This key is further classified into two sub-variants:
    • Capacity Enhancement Key – Enhances the capacity of the HiPath Wireless Controller to manage additional Wireless APs. You may have to add multiple capacity enhancement keys to reach the HiPath Wireless Controller’s limit. Depending on the HiPath Wireless Controller model, a capacity enhancement key adds the following Wireless APs:
        • C5110 – Adds 25 Wireless APs
        • C4110 – Adds 25 Wireless APs
        • C2400 – Adds 25 Wireless APs
        • C20N – Adds 16 Wireless APs
        • C20 – Adds 16 Wireless APs
    • External Captive Portal Key – Enables the external Captive Portal for the mobile user’s authentication. For more information on the external Captive Portal, see Section 5.5.1, “Authentication with Captive Portal”, on page 258.
Note: If you connect additional Wireless APs to a HiPath Wireless Controller that has a permanent activation key without installing a capacity enhancement key, or if you configure an external Captive Portal without installing the appropriate key, a grace period of seven days will start. You must install the correct key during the grace period. If you do not install the key, the HiPath Wireless Controller will start generating event logs every 15 minutes, indicating that the key is required. In addition, you will not be able to edit the Virtual Network Services (VNS) parameters.
The HiPath Wireless Controller can be in the following licensing modes:
• Unlicensed – When the HiPath Wireless Controller is not licensed, it operates in ‘demo mode.’ In ‘demo mode,’ the HiPath Wireless Controller allows you to operate as many Wireless APs as you want, subject to the maximum limit of the platform type, and enables you to configure the optional external captive portal for authentication. In demo mode, you can use only the b/g radio, with channels 6, 11, and auto. 11n support and Mobility are disabled in demo mode.
• Licensed with a temporary activation key – A temporary activation key comes with a regulatory domain. With the temporary activation key, you can select a country from the domain and operate the Wireless APs on any channel permitted by the country. A temporary activation key allows you to use all software features. You can operate as many Wireless APs as you want, subject to the maximum limit of the platform type. In addition, you can configure the external captive portal feature.
A temporary activation key is valid for 90 days. Once the 90 days are up, the temporary key expires. You must get a permanent activation key and install it on the HiPath Wireless Controller. If you do not install a permanent activation key, the HiPath Wireless Controller will start generating event logs every 15 minutes, indicating that an appropriate license is required for the current software version. In addition, you will not be able to edit the Virtual Network Services (VNS) parameters.
• Licensed with permanent activation key – A permanent activation key is valid for an infinite period. In addition, unlike the temporary activation key, the permanent activation key allows you to operate a stipulated number of the Wireless APs, depending upon the platform type. If you want to connect additional Wireless APs, you have to install a capacity enhancement key. You may even have to install multiple capacity enhancement keys to reach the HiPath Wireless Controller’s limit.
The following table lists the platform type and the corresponding number of the Wireless APs allowed by the permanent activation key.

Table 2 Platform type and corresponding number of Wireless APs allowed by a permanent activation key

| Platform | Wireless APs permitted by permanent activation key | Platform’s optimum limit | Number of capacity enhancement keys to reach the optimum limit |
|----------|-----------------------------------------------------|--------------------------|-----------------------------------------------------------------|
| C20      | 16  | 32  | 1  |
| C20N     | 16  | 32  | 1  |
| C2400    | 50  | 200 | 6  |
| CRBT8110 | 24  | 24  | 0  |
| CRBT8210 | 72  | 72  | 0  |
| C4110    | 50  | 250 | 8  |
| C5110    | 150 | 525 | 15 |

Similarly, if you want to configure the external captive portal feature, you have to install the optional feature key.
If the HiPath Wireless Controller detects multiple license violations, such as capacity enhancement and optional feature violations, a grace period counter will start from the moment the first violation occurred. The HiPath Wireless Controller will generate event logs for every violation. The only way to leave the grace period is to clear all outstanding license violations.
The HiPath Wireless Controller can be in an unlicensed state for an infinite period. However, if you install a temporary activation key, the unlicensed state is terminated. After the validity of a temporary activation key and the related grace period expire, the HiPath Wireless Controller will generate event logs every 15 minutes, indicating that an appropriate license is required for the current software version. In addition, you will not be able to edit the Virtual Network Services (VNS) parameters.
3.4.2.1 Installing the license keys
This section describes how to install the license key on the HiPath Wireless Controller. It does not explain how to generate the license key. For information on how to generate the license key, see the HiPath Wireless License Certificate, which is sent to you via traditional mail.
You have to type the license keys on the HiPath Wireless Assistant GUI.
To install the license keys:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless Controller Configuration screen is displayed.
2. In the left pane, click Software Maintenance.
3. Click the HWC Product Keys tab. The bottom pane displays the license summary.
4. If you are installing a temporary or permanent activation license key, type the key in the Activation Key box, and then click the Apply Activation Key button.
5. If you are installing a capacity enhancement or optional feature license key, type the key in the Option Key box, and then click the Apply Option Key button.
6. To view installed keys, click View Installed Keys.
3.4.3 Setting up the data ports
A new HiPath Wireless Controller is shipped from the factory with all its data ports set up. Support of management traffic is disabled on all data ports. By default, data interface states are enabled. A disabled interface does not allow data to flow (receive/transmit).
Physical ports are represented by the L2 (Ethernet) Ports and associated Topologies which are created by default when the controller is first powered up. The L2 port and Topology information can be accessed from L2 Ports and Topology tabs under HiPath Wireless Controller Configuration. The L2 Ports cannot be removed from the system but their operational status can be changed (together with a few other parameters, as explained below).
Note: You can redefine a data port to function as a Third-Party AP Port. Refer to Section 3.4.3.2, “Viewing and changing the L2 port related topologies” for more information.
3.4.3.1 Viewing and changing the L2 ports information
To view and change the L2 port information:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless Controller Configuration screen is displayed.
2. In the left pane, click L2 Ports. The L2 Ports tab is displayed.
The L2 Ports tab presents the Physical (that is, Ethernet) ports that exist on the HiPath Wireless Controller. These ports cannot be deleted and new ones cannot be created. The number of Ethernet ports and their names per controller are:
C5110 – Three data ports, displayed as esa0, esa1, and esa2.
C4110 – Four data ports, displayed as Port1, Port2, Port3, and Port4.
C2400 – Four data ports, displayed as esa0, esa1, esa2, and esa3.
C20 – Two data ports, displayed as esa0 and esa1.
C20N – Two data ports, displayed as PC.1 and PC.2.
CRBT8210 – One data port, displayed as esa0.
CRBT8110 – One data port, displayed as esa0.
Also an “Admin” port is created by default. This represents a physical port, separate from the other data ports, being used for management connectivity.
Parameters displayed for the L2 Ports are:
Operational status, represented graphically with a green checkmark (UP) or red X (DOWN). This is the only configurable parameter.
Port name, as described above.
MAC address, as per Ethernet standard.
VLAN ID, for different types of topology. Refer to Section 3.4.3.2, “Viewing and changing the L2 port related topologies” for more information about L2 port topologies.
3. If desired, change the operational status by clicking the Enable checkbox. You can change the operational state for each port. By default, data interface states are enabled. If they are not enabled, you can enable them individually. A disabled interface does not allow data to flow (receive/transmit).
3.4.3.2 Viewing and changing the L2 port related topologies
Each of the L2 Ports has a predefined Topology associated with it.
To view and change the L2 port topologies:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless Controller Configuration screen is displayed.
2. In the left pane, click Topology. The Topologies tab is displayed. An associated topology entry is created by default for each L2 Port with the same name.
3. To change any of the associated parameters, click on the topology entry to be modified. An “Edit Topology” pop up window appears.
For the data ports predefined in the system, Name and Mode are not configurable.
4. Optionally, configure one of the physical ports for Third Party AP connectivity by clicking the 3rd Party checkbox.
You must configure a port to which you will be connecting third-party APs by checking this box. Only one port can be configured for third-party APs.
Third-party APs must be deployed within a segregated network for which the HiPath Wireless Controller becomes the single point of access (i.e., routing gateway). When you define a port as the third-party AP port, the interface segregates the third-party AP from the remaining network.
5. To configure an interface for VLAN assignment, configure the VLAN Settings in the Layer 2 box.
When you configure a HiPath Wireless Controller port to be a member of a VLAN, you must ensure that the VLAN configuration (VLAN ID and tagged vs. untagged attribute) is matched with the correct configuration on the network switch.
6. If the desired IP configuration is different from the one displayed, change the Interface IP and Mask accordingly in the Layer 3 box.
For this type of data interface, the Layer 3 check box is selected automatically. This allows for IP Interface and subnet configuration together with other networking services.
7. If desired, change the MTU value. This value specifies the Maximum Transmission Unit or maximum packet size for this port. The default value is 1500 bytes for physical topologies.
If you change this setting and are using OSPF, be sure that the MTU of all the ports in the OSPF link match.
Note: If the routed connection to an AP traverses a link that imposes a lower MTU than the default 1500 bytes, the HiPath Wireless Controller and AP participate in automatic MTU discovery and adjust their settings accordingly. At the HiPath Wireless Controller, MTU adjustments are tracked on a per AP basis.
8. To enable AP registration through this interface, select the AP Registration checkbox.
Wireless APs use this port for discovery and registration. Other controllers can use this port to enable inter-controller device mobility if this port is configured to use SLP or the HiPath Wireless Controller is running as a manager and SLP is the discovery protocol used by the agents.
9. To enable management traffic, select the Management Traffic checkbox. Enabling management provides access to SNMP (v2, v3, get), SSH, and HTTPS management interfaces.
Note: This option does not override the built-in protection filters on the port. The built-in protection filters for the port, which are restrictive in the types of packets that are allowed to reach the management plane, are extended with a set of definitions that allow for access to system management services through that interface (SSH, SNMP, HTTPS:5825).
10. To enable the local DHCP Server on the HiPath Wireless Controller, in the DHCP box, select Local Server. Then, click on the Configure button to open the DHCP configuration pop up window.
Note: The local DHCP Server is useful as a general purpose DHCP Server for small subnets.
a) In the Domain Name box, type the name of the domain that you want the Wireless APs to use for DNS Server’s discovery.
b) In the Lease (seconds) default box, type the time period for which the IP address will be allocated to the Wireless APs (or any other device requesting it).
c) In the Lease (seconds) max box, type the maximum time period in seconds for which the IP address will be allocated to the Wireless APs.
d) In the DNS Servers box, type the DNS Server’s IP address if you have a DNS Server.
e) In the WINS box, type the WINS Server’s IP address if you have a WINS Server.
Note: You can type multiple entries in the DNS Servers and WINS boxes. Each entry must be separated by a comma. These two fields are not mandatory to enable the local DHCP feature.
f) In the Gateway box, type the IP address of the default gateway.
Note: Since the HiPath Wireless Controller is not allowed to be the gateway for the segment, including Wireless APs, you cannot use the Interface IP address as the gateway address.
g) Configure the address range from which the local DHCP Server will allocate IP addresses to the Wireless APs.
In the Address Range: from box, type the starting IP address of the IP address range.
In the Address Range: to box, type the ending IP address of the IP address range.
h) Click the Exclusion(s) button to exclude IP addresses from allocation by the DHCP Server. The DHCP Address Exclusion window opens. The HiPath Wireless Controller automatically adds the IP addresses of the Interfaces (Ports), and the default gateway to the exclusion list. You cannot remove these IP addresses from the exclusion list.
Select the Range radio button. In the From box, type the starting IP address of the IP address range that you want to exclude from the DHCP allocation.
In the To box, type the ending IP address of the IP address range that you want to exclude from the DHCP allocation.
To exclude a single address, select the Single Address radio button and type the IP address in the adjacent box.
In the Comment box, type any relevant comment. For example, you can type the reason for which a certain IP address is excluded from the DHCP allocation.
Click on Add. The excluded IP addresses are displayed in the IP Address(es) to exclude from DHCP Address Range box.
To delete an IP address from the exclusion list, select it in the IP Address(es) to exclude from DHCP Range box, and then click Delete.
To save your changes, click OK.
i) Click Close to close the DHCP configuration window.
Note: The Broadcast (B’cast) Address field is view only. This field is computed from the mask and the IP addresses.
11. You are returned to the L2 port topology edit window.
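The address-range rules in steps f) to h) can be checked before the values are typed into the DHCP configuration window. The following Python sketch is an added example, not part of the product or of the original guide; the function name, the sample addresses, and the removal of the network and broadcast addresses from the pool are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_interface


def plan_dhcp_pool(interface, gateway, range_from, range_to,
                   exclusions=(), other_interface_ips=()):
    """Return the broadcast address and the addresses left for allocation.

    interface: controller interface IP with mask, e.g. "10.0.1.1/255.255.255.0"
    exclusions: single addresses ("10.0.1.15") or (from, to) tuples,
                mirroring the Single Address / Range radio buttons.
    """
    iface = ip_interface(interface)
    net = iface.network
    gw = ip_address(gateway)
    lo, hi = ip_address(range_from), ip_address(range_to)

    errors = []
    # Rule from the guide: the interface IP cannot be used as the gateway.
    if gw == iface.ip:
        errors.append("gateway must not be the controller interface IP")
    elif gw not in net:
        # Sanity check added here (assumption): a default gateway handed
        # out by DHCP has to be reachable on the served subnet.
        errors.append("gateway is outside the interface subnet")
    if lo > hi:
        errors.append("range start is higher than range end")
    if lo not in net or hi not in net:
        errors.append("address range is outside the interface subnet")
    if errors:
        raise ValueError("; ".join(errors))

    # Automatic exclusions described in step h): interface IPs and gateway.
    excluded = {iface.ip, gw} | {ip_address(a) for a in other_interface_ips}
    for item in exclusions:
        if isinstance(item, tuple):
            start, end = (int(ip_address(a)) for a in item)
            excluded.update(ip_address(n) for n in range(start, end + 1))
        else:
            excluded.add(ip_address(item))
    # Assumption: network and broadcast addresses are never handed out.
    excluded.update({net.network_address, net.broadcast_address})

    pool = [ip_address(n) for n in range(int(lo), int(hi) + 1)
            if ip_address(n) not in excluded]
    return {
        "broadcast": str(net.broadcast_address),  # the view-only B'cast field
        "pool": [str(a) for a in pool],
    }


if __name__ == "__main__":
    # Constructed sample values.
    plan = plan_dhcp_pool(
        "10.0.1.1/255.255.255.0", "10.0.1.254", "10.0.1.1", "10.0.1.20",
        exclusions=[("10.0.1.10", "10.0.1.12"), "10.0.1.15"],
    )
    print(plan["broadcast"], len(plan["pool"]), plan["pool"][0])
```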
3.4.4 Setting up Internal VLAN ID and multi-cast support
You can configure the Internal VLAN ID, and enable multicast support. The internal VLAN is used only internally and is not visible on the external traffic. The physical topology used for multicast is represented by a physical port to/from which the multicast traffic is forwarded in conjunction with the virtual routed topologies (and VNSs) configured on the controller. Please note that no multicast routing is available at this time.
To configure the Internal VLAN ID and enable multicast support:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless Controller Configuration screen is displayed.
2. In the left pane, click Topology. The Topologies tab is displayed.
3. Click the Interfaces tab.
4. In the Internal VLAN ID box, type the internal VLAN ID.
5. From the Multicast Support drop-down list, select the desired data port (physical Ethernet topology).
If you are configuring a HiPath Wireless Controller C20N, the data ports are PC.1 and PC.2.
If you are configuring a HiPath Wireless Controller C4110, the data ports are Port1, Port2, Port3, and Port4.
6. To save your changes, click Save.
3.4.5 Setting up static routes
Siemens recommends that you define a default route to your enterprise network, either with a static route or by using the OSPF protocol. A default route enables the HiPath Wireless Controller to forward packets to destinations that do not match a more specific route definition.
To set a static route on the HiPath Wireless Controller:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless Controller Configuration screen is displayed.
2. In the left pane, click Routing Protocols. The Static Routes tab is displayed.
3. To add a new route, in the Destination Address box type the destination IP address of a packet.
To define a default static route for any unknown address not in the routing table, type 0.0.0.0.
4. In the Subnet Mask box, type the appropriate subnet mask to separate the network portion from the host portion of the IP address (typically 255.255.255.0). To define the default static route for any unknown address, type 0.0.0.0.
5. In the Gateway box, type the IP address of the specific router port or gateway on the same subnet as the HiPath Wireless Controller to which to forward these packets. This is the IP address of the next hop between the HiPath Wireless Controller and the packet’s ultimate destination.
6. Click Add. The new route is added to the list of routes.
7. Select the Override dynamic routes checkbox to give priority over the OSPF learned routes, including the default route, which the HiPath Wireless Controller uses for routing. This option is enabled by default.
To remove this priority for static routes, so that routing is controlled dynamically at all times, clear the Override dynamic routes checkbox.
Note: If you enable dynamic routing (OSPF), the dynamic routes will normally have priority for outgoing routing. For internal routing on the HiPath Wireless Controller, the static routes normally have priority.
8. To save your changes, click Save.
3.4.5.1 Viewing the forwarding table
You can view the defined routes, whether static or OSPF, and their current status in the forwarding table.
To view the forwarding table on the HiPath Wireless Controller:
1. From the Routing Protocols Static Routes tab, click View Forwarding Table. The Forwarding Table is displayed.
2. Alternatively, from the main menu, click Reports & Displays. The HiPath Reports & Displays screen is displayed. Then, click Forwarding Table. The Forwarding Table is displayed.
This report displays all defined routes, whether static or OSPF, and their current status.
3. To update the display, click Refresh.
3.4.6 Setting up OSPF Routing
To enable OSPF (OSPF RFC2328) routing, you must:
Specify at least one data port on which OSPF is enabled on the Port Settings option of the OSPF tab. This is the interface on which you can establish OSPF adjacency.
Enable OSPF globally on the HiPath Wireless Controller
Define the global OSPF parameters
Ensure that the OSPF parameters defined here for the HiPath Wireless Controller are consistent with the adjacent routers in the OSPF area. This consistency includes the following:
If the peer router has different timer settings, the protocol timer settings in the HiPath Wireless Controller must be changed to match to achieve OSPF adjacency.
The MTU of the ports on either end of an OSPF link must match. The MTU for ports on the HiPath Wireless Controller is defined as 1500, on the L2 Port tab, during data port setup. This matches the default MTU in standard routers.
To set OSPF Routing Global Settings on the HiPath Wireless Controller:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless Controller Configuration screen is displayed.
2. In the left pane, click Routing Protocols. The Static Routes tab is displayed by default.
3. Click the OSPF tab.
4. From the OSPF Status drop-down list, click On to enable OSPF. In the Router ID box, type the IP address of the HiPath Wireless Controller.
This ID must be unique across the OSPF area. If left blank, the OSPF daemon automatically picks a router ID from one of the HiPath Wireless Controller’s interface IP addresses.
5. In the Area ID box, type the area. 0.0.0.0 is the main area in OSPF.
6. In the Area Type drop-down list, click one of the following:
• Default – The default acts as the backbone area (also known as area zero). It forms the core of an OSPF network. All other areas are connected to it, and inter-area routing happens via a router connected to the backbone area.
• Stub – The stub area does not receive external routes. External routes are defined as routes which were distributed in OSPF via another routing protocol. Therefore, stub areas typically rely on a default route to send traffic routes outside the present domain.
• Not-so-stubby – The not-so-stubby area is a type of stub area that can import autonomous system (AS) external routes and send them to the default/backbone area, but cannot receive AS external routes from the backbone or other areas.
7. To save your changes, click Save.
To set OSPF Routing Port Settings on the HiPath Wireless Controller:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless Controller Configuration screen is displayed.
2. In the left pane, click Routing Protocols.
3. Click the OSPF tab.
4. Select a port to configure by clicking on the desired port in the Port Settings table.
5. In the Port Status drop-down list, click Enabled to enable OSPF on the port. The default setting is Disabled.
6. In the Link Cost box, type the OSPF standard value for your network for this port. This is the cost of sending a data packet on the interface. The lower the cost, the more likely the interface is to be used to forward data traffic.
Note: If more than one port is enabled for OSPF, it is important to prevent the HiPath Wireless Controller from serving as a router for other network traffic (other than the traffic from wireless device users on routed topologies controlled by the HiPath Wireless Controller). For more information, see Section 6.10.2, “About filtering rules”, on page 379.
7. In the Authentication drop-down list, click the authentication type for OSPF on your network: None or Password. The default setting is None.
8. If Password is selected as the authentication type, in the Password box, type the password.
If None is selected as the Authentication type, leave this box empty. This password must match on either end of the OSPF connection.
9. Type the following:
Hello-Interval – Specifies the time in seconds (displays OSPF default). The default setting is 10 seconds.
Dead-Interval – Specifies the time in seconds (displays OSPF default). The default setting is 40 seconds.
Retransmit-Interval – Specifies the time in seconds (displays OSPF default). The default setting is 5 seconds.
Transmit Delay – Specifies the time in seconds (displays OSPF default). The default setting is 1 second.
10. To save your changes, click Save.
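The consistency requirements listed at the start of this section (timers, MTU, area) and the authentication settings from steps 7 and 8 can be compared against the adjacent router before the change is saved. The following Python sketch is an added example, not the product's own logic; the class, the function, and the sample values are assumptions. It compares only the Hello and Dead intervals because those are the two timers OSPF (RFC 2328) carries in Hello packets and requires to match.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class OspfEnd:
    """One end of an OSPF link; defaults are the values quoted in this guide."""
    name: str
    router_id: str                 # set explicitly here; the GUI allows blank
    area_id: str = "0.0.0.0"
    area_type: str = "Default"     # Default | Stub | Not-so-stubby
    hello_interval: int = 10
    dead_interval: int = 40
    auth: str = "None"             # None | Password
    password: str = ""
    mtu: int = 1500


def check_link(local, peer):
    """Return findings that would block or weaken the adjacency."""
    findings = []

    def mismatch(field, a, b):
        findings.append(f"mismatch:{field}: {local.name}={a} {peer.name}={b}")

    # The router ID must be unique across the OSPF area.
    if ip_address(local.router_id) == ip_address(peer.router_id):
        findings.append(f"error:router_id: {local.router_id} used by both ends")
    if ip_address(local.area_id) != ip_address(peer.area_id):
        mismatch("area_id", local.area_id, peer.area_id)
    for field in ("area_type", "hello_interval", "dead_interval", "mtu", "auth"):
        a, b = getattr(local, field), getattr(peer, field)
        if a != b:
            mismatch(field, a, b)
    # Compare the shared password without ever writing it into a finding.
    if local.auth == peer.auth == "Password" and local.password != peer.password:
        findings.append("mismatch:password: values differ between the two ends")

    for end in (local, peer):
        if end.auth == "None":
            findings.append(
                f"warn:auth: {end.name} accepts unauthenticated OSPF packets")
        if end.dead_interval <= end.hello_interval:
            findings.append(
                f"warn:timers: {end.name} dead interval is not longer than hello")
    return findings


def demo():
    # Constructed sample: controller on guide defaults, peer tuned differently.
    controller = OspfEnd("controller", "10.0.0.1")
    router = OspfEnd("core-router", "10.0.0.254", hello_interval=5,
                     dead_interval=20, auth="Password", password="example",
                     mtu=1400)
    return check_link(controller, router)


if __name__ == "__main__":
    for line in demo():
        print(line)
```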
To confirm that ports are set for OSPF:
1. To confirm that the ports are set up for OSPF, and that advertised routes from the upstream router are recognized, click View Forwarding Table. The Forwarding Table is displayed.
The following additional reports display OSPF information when the protocol is in operation:
OSPF Neighbor – Displays the current neighbors for OSPF (routers that have interfaces to a common network)
OSPF Linkstate – Displays the Link State Advertisements (LSAs) received by the currently running OSPF process. The LSAs describe the local state of a router or network, including the state of the router’s interfaces and adjacencies.
2. To update the display, click Refresh.
3.4.7 Configuring filtering at the interface level
The HiPath Wireless solution has a number of built-in filters that protect the system from unauthorized traffic. These filters are specific only to the HiPath Wireless Controller. These filters are applied at the network interface level and are automatically invoked. By default, these filters provide stringent-level rules to allow only access to the system's externally visible services. In addition to these built-in filters, the administrator can define specific exception filters at the interface-level to customize network access. These filters depend on Topology Modes and the configuration of an L3 interface for the topology.
For Bridged at Controller topologies, exception filters are defined only if L3 (IP) interfaces are specified. For Physical, Routed, and 3rd Party AP topologies, exception filtering is always configured since they all have an L3 interface presence.
3.4.7.1 Built-in interface-based exception filters
On the HiPath Wireless Controller, various interface-based exception filters are built in and invoked automatically. These filters protect the HiPath Wireless Controller from unauthorized access to system management functions and services via the interfaces. Access to system management functions is granted if the administrator selects the allow management traffic option in a specific topology.
Allow management traffic is possible on the topologies that have L3 IP interface definitions. For example, if management traffic is allowed on a physical topology (esa0), only users connected through ESA0 will be able to get access to the system. Users connecting on any other topology, such as Routed or Bridged Locally at Controller, will no longer be able to target ESA0 to gain management access to the system. To allow access for users connected on such a topology, the given topology configuration itself must have allow management traffic enabled and users will only be able to target the topology interface specifically.
On the HiPath Wireless Controller’s L3 interfaces (associated with either physical, Routed, or Bridged Locally at Controller topologies), the built-in exception filter prohibits invoking SSH, HTTPS, or SNMP. However, such traffic is allowed, by default, on the management port.
If management traffic is explicitly enabled for any interface, access is implicitly extended to that interface through any of the other interfaces (VNS). Only traffic specifically allowed by the interface’s exception filter is allowed to reach the HiPath Wireless Controller itself. All other traffic is dropped. Exception filters are dynamically configured and regenerated whenever the system's interface topology changes (for example, a change of IP address for any interface).
Enabling management traffic on an interface adds additional rules to the exception filter, which opens up the well-known IP (TCP/UDP) ports, corresponding to the HTTPS, SSH, and SNMP applications.
The interface-based built-in exception filtering rules, in the case of traffic from wireless users, are applicable to traffic targeted directly for the topology L3 interface. For example, a filter specified by a Policy may be generic enough to allow traffic access to the HiPath Wireless Controller's management (for example, Allow All [*.*.*.*]). Exception filter rules are evaluated after the user's assigned filter policy; as such, it is possible that the policy allows the access to management functions that the exception filter denies. These packets are dropped.
To enable SSH, HTTPS, or SNMP access through a physical data interface:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless Controller Configuration screen is displayed.
2. In the left pane, click Topology. The Topologies tab is displayed.
3. On the Topologies tab, click the appropriate data port topology. The Edit Topology window displays.
4. Select the Management Traffic checkbox if the topology has specified an L3 IP interface presence.
5. To save your changes, click Save.
3.4.7.2 Working with administrator-defined interface-based exception filters
You can add specific filtering rules at the interface level in addition to the built-in rules. Such rules give you the capability of restricting access to a port, for specific reasons, such as a Denial of Service (DoS) attack.
The filtering rules are set up in the same manner as filtering rules defined for a Policy — specify an IP address, select a protocol if applicable, and then either allow or deny traffic to that address. For more information, see Section 6.10.2, “About filtering rules”, on page 379.
The rules defined for port exception filters are prepended to the normal set of restrictive exception filters and have precedence over the system's normal protection enforcement (that is, they are evaluated first).
Warning: If defined improperly, user exception rules may seriously compromise the system’s normal security enforcement rules. They may also disrupt the system's normal operation and even prevent system functionality altogether. It is advised to only augment the exception-filtering mechanism if absolutely necessary.
To define interface exception filters:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless Controller Configuration screen is displayed.
2. In the left pane, click Topology. The Topologies screen is displayed.
3. Select a topology to be configured. The Edit Topology window is displayed.
4. If the topology has an L3 interface defined, an Exception Filters tab is available. Select this tab. The Exception Filter rules are displayed.
5. Add rules by either:
Clicking the Add Predefined button, selecting a filter from the drop-down list, and clicking Add.
Clicking the Add button, filling in the following fields, then clicking OK:
a) In the IP / subnet:port box, type the destination IP address. You can also specify an IP range, a port designation, or a port range on that IP address.
b) In the Protocol drop-down list, click the protocol you want to specify for the filter. This list may include UDP, TCP, GRE, IPsec-ESP, IPsec-AH, ICMP. The default is N/A.
6. The new filter is displayed in the upper section of the screen.
7. Click the new filter entry.
8. To allow traffic, select the Allow checkbox.
9. To adjust the order of the filtering rules, click Up or Down to position the rule. The filtering rules are executed in the order defined here.
10. To save your changes, click Save.
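The rule ordering described in Sections 3.4.7.1 and 3.4.7.2, as an added example that is not part of the original manual or the controller's software: a simplified Python model in which administrator-defined rules are prepended to the built-in rules, the first match decides, and unmatched traffic is dropped. The port numbers (22, 443, 161), the sample address 10.0.1.1, the shape of the built-in rules and all function names are assumptions for illustration.

```python
"""Simplified model of interface exception-filter evaluation (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumption: standard service ports stand in for the controller's management
# services; the manual page does not list the actual port numbers.
MGMT_SERVICES = {"ssh": ("tcp", 22), "https": ("tcp", 443), "snmp": ("udp", 161)}


@dataclass(frozen=True)
class Rule:
    dest: str                                # destination IP or subnet
    allow: bool                              # Allow checkbox: True allows, False denies
    protocol: Optional[str] = None           # None models the "N/A" default (any)
    ports: Optional[Tuple[int, int]] = None  # inclusive range, None = any port
    origin: str = "admin"

    def matches(self, dst_ip: str, protocol: str, port: int) -> bool:
        if ip_address(dst_ip) not in ip_network(self.dest, strict=False):
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.ports is not None and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return True


def builtin_rules(interface_ip, management_enabled):
    """Hypothetical built-in rules: management ports open only when enabled."""
    if not management_enabled:
        return []
    return [Rule(f"{interface_ip}/32", True, proto, (port, port), "built-in")
            for proto, port in MGMT_SERVICES.values()]


def effective_filter(admin_rules, interface_ip, management_enabled):
    """Admin-defined rules are prepended, so they are evaluated first."""
    return list(admin_rules) + builtin_rules(interface_ip, management_enabled)


def evaluate(rules, dst_ip, protocol, port):
    """First matching rule decides; traffic that matches nothing is dropped."""
    for rule in rules:
        if rule.matches(dst_ip, protocol, port):
            return rule.allow, rule
    return False, None


def reaches_controller(policy_allows, rules, dst_ip, protocol, port):
    """Wireless-user traffic must pass the policy and then the exception filter."""
    return policy_allows and evaluate(rules, dst_ip, protocol, port)[0]


def audit_management_exposure(admin_rules, interface_ip, management_enabled):
    """List management services whose verdict changes once admin rules are added."""
    baseline = builtin_rules(interface_ip, management_enabled)
    combined = effective_filter(admin_rules, interface_ip, management_enabled)
    findings = []
    for name, (proto, port) in MGMT_SERVICES.items():
        before, _ = evaluate(baseline, interface_ip, proto, port)
        after, rule = evaluate(combined, interface_ip, proto, port)
        if before != after:
            findings.append((name, before, after, rule))
    return findings


if __name__ == "__main__":
    ip = "10.0.1.1"  # constructed sample interface address
    # Constructed rule sets: a broad allow, a narrow allow, and a deny.
    broad = [Rule("10.0.1.0/24", True)]
    narrow = [Rule("10.0.1.1/32", True, "icmp")]
    deny_ssh = [Rule("10.0.1.1/32", False, "tcp", (22, 22))]
    for label, rules, mgmt in (("broad allow", broad, False),
                               ("narrow allow", narrow, False),
                               ("deny ssh", deny_ssh, True)):
        for name, before, after, rule in audit_management_exposure(rules, ip, mgmt):
            print(f"{label}: {name} changed {before} -> {after} by {rule.dest}")
```

Running the audit before saving a rule set shows which management services a prepended rule would open or close on the interface.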
3.4.8 Installing certificates on the HiPath Wireless Controller
You can install certificates on the HiPath Wireless Controller that help secure the HiPath Wireless Controller’s interfaces and internal Captive Portal pages.
The Interface certificates are actually associated with Topologies that have configured an L3 (IP) interface. For simplicity, they will be called Interface certificates in this document.
Factory default certificate
By default, the HiPath Wireless Controller is shipped with a self-signed certificate. The self-signed certificate does the following:
Protects all interfaces that provide administrative access to the HiPath Wireless Controller
Protects the internal Captive Portal page
If you choose to use the default certificate to secure the HiPath Wireless Controller and internal Captive Portal page, your Web browser will likely continue to produce security warnings regarding the security risks of trusting self-signed certificates. To avoid the certificate-related Web browser security warnings, you can install customized certificates on the HiPath Wireless Controller.
Note: To avoid the certificate-related Web browser security warnings when accessing the HiPath Wireless Assistant, you must also import the customized certificates into your Web browser application.
Certificate formats
The HiPath Wireless Controller supports the following formats:
PKCS#12 — The PKCS#12 certificate (.pfx) file contains both a certificate and the corresponding private key.
PEM/DER — The PEM/DER certificate (.crt) file requires a separate PEM/DER private key (.key) file. The HiPath Wireless Controller uses the OpenSSL PKCS12 command to convert the .crt and .key files into a single .pfx PKCS#12 certificate file.
CA public certificate
You also have the option of installing a PEM-formatted CA public certificate file. If you choose to install this optional certificate, you must do so when specifying the PKCS#12 or PEM/DER certificates.
Certificate monitoring
The HiPath Wireless Controller monitors the expiration date of installed certificates. The HiPath Wireless Controller generates an entry in the events information log as the certificate expiry date approaches, based on the following schedule: 15, 8, 4, 2, and 1 day prior to expiration. The log messages cease when the certificate expires. For more information, see the HiPath Wireless Controller, Access Points and Convergence Software Maintenance Guide.
Upgrades and migrations
Installed certificates will be backed up and restored with the HiPath Wireless Controller configuration data. Installed certificates will also be migrated during an upgrade and during a migration.
Prerequisite for installing a certificate
You can choose your preferred CA to generate the PKCS#12 file or PEM/DER files. The HiPath Wireless Controller will accept the PKCS#12 file or PEM/DER files as long as the format of the private key and certificate are valid.
When generating the PKCS#12 certificate file or PEM/DER certificate and key files, you must ensure that the interface identified in the certificate corresponds to the HiPath Wireless Controller’s interface for which the certificate is being installed.
Certificate Common Name
To avoid getting security warnings, the common name of the certificate should match the interface IP (port IP or Topology gateway IP) that the WLAN service uses.
HiPath Wireless Controller ports (pcX, esaX, and eth0) – Physical interface IP address
Internal Captive Portal – VNS gateway IP address.
3.4.8.1 Installing a certificate for a HiPath Wireless Controller interface
To install a certificate for a HiPath Wireless Controller data interface:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen is displayed.
2. In the left pane, click Topology. The Topologies tab is displayed.
3. Click the Certificates tab.
4. In the Interface Certificates table, click the topology (which has an L3 interface) for which you want to install a certificate.
Note: The interface identified in the certificate must correspond to the HiPath Wireless Controller’s interface for which the certificate is being installed.
The Configuration for Topology section is displayed.
5. In the Configuration for Topology section, select one of the following:
Replace/Install selected Topology’s certificate and key – Select to replace the existing port’s certificate and key, and then do the following:
a) Click Browse next to the PKCS #12 file to install box. The Choose file dialog is displayed.
b) Navigate to the .pfx certificate file you want to install for this port, and then click Open. The certificate .pfx file name is displayed in the PKCS #12 file to install box.
c) In the Private key password box, type the password for the certificate file. The PKCS#12 file is password protected.
d) (Optional) Click Browse next to the Optional:Enter PEM-encoded CA public certificates file box. The Choose file dialog is displayed.
Note: If you choose to install a CA public certificate, you must install it when you install the PKCS#12 certificate and key.
e) (Optional) Navigate to the certificate file you want to install for this port, and then click Open. The certificate file name is displayed in the Optional:Enter PEM-encoded CA public certificates file box.
Replace/Install selected Topology’s certificate and key from separate files – Select to replace the existing port’s certificate and key, and then do the following:
a) Click Browse next to the Certificate file to install box. The Choose file dialog is displayed.
b) Navigate to the certificate file you want to install for this port, and then click Open. The certificate file name is displayed in the Certificate file to install box.
c) Click Browse next to the Private key file to install box. The Choose file dialog is displayed.
d) Navigate to the key file you want to install for this port, and then click Open. The file name is displayed in the Private key file to install box.
e) In the Private key password box, type the password for the key file. The key file is password protected.
f) (Optional) Click Browse next to the Optional:Enter PEM-encoded CA public certificates file box. The Choose file dialog is displayed.
Note: If you choose to install a CA public certificate, you must install it when you install the PEM/DER certificate and key.
g) (Optional) Navigate to the certificate file you want to install for this port, and then click Open. The certificate file name is displayed in the Optional:Enter PEM-encoded CA public certificates file box.
Reset selected Topology to the factory default certificate and key – Select to assign the factory default certificate and key to the interface.
No change
6. To save your changes, click Save. A message in the footer will be displayed to confirm if the certificate installation is successful or fails.
Note: To avoid the certificate-related Web browser security warnings when accessing the HiPath Wireless Assistant, you must also import the customized certificates into your Web browser application.
3.4.9 Configuring the login authentication mode
You can configure the following login authentication modes to authenticate administrator login attempts:
Local authentication — The HiPath Wireless Controller uses locally configured login credentials and passwords. See Section 3.4.9.1, “Configuring the local login authentication mode and adding new users”, on page 79.
RADIUS authentication — The HiPath Wireless Controller uses login credentials and passwords configured on a RADIUS server. See Section 3.4.9.2, “Configuring the RADIUS login authentication mode”, on page 81.
Local authentication first, then RADIUS authentication — The HiPath Wireless Controller first uses locally configured login credentials and passwords. If this login fails, the HiPath Wireless Controller attempts to validate login credentials and passwords configured on a RADIUS server. See Section 3.4.9.3, “Configuring the local, RADIUS login authentication mode”, on page 85.
RADIUS authentication first, then local authentication — The HiPath Wireless Controller first uses login credentials and passwords configured on a RADIUS server. If this login fails, the HiPath Wireless Controller attempts to validate login credentials and passwords configured locally. See Section 3.4.9.4, “Configuring the RADIUS, local login authentication mode”, on page 86.
Note: The HiPath Wireless Controller, Access Points and Convergence Software enables you to recover the HiPath Wireless Controller via the Rescue mode if you have lost its login password. For more information, see the HiPath Wireless Controller, Access Points and Convergence Software Maintenance Guide.
3.4.9.1 Configuring the local login authentication mode and adding new users
Local login authentication mode is enabled by default. If the login authentication was previously set to another authentication mode, you can change it to the local authentication. You can also add new users and assign them to a login group — as full administrators, read-only administrators, or as GuestPortal managers. For more information, see Section 12.2, “Defining HiPath Wireless Assistant administrators and login groups”, on page 483.
To configure the local login authentication mode:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen is displayed.
2. In the left pane, click Login Management. The Login Management screen is displayed.
3. In the Authentication mode section, click Configure. The Login Authentication Mode Configuration window is displayed.
4. Select the Local checkbox. If the RADIUS checkbox is selected, deselect it.
5. Click OK.
6. In the Add User section, select one of the following from the Group drop-down list:
Full Administrator – Grants the administrator’s access rights to the administrator.
Read-only Administrator – Grants read-only access rights to the administrator.
GuestPortal Manager – Grants the user GuestPortal manager rights.
7. In the User ID box, type the user’s ID.
8. In the Password box, type the user’s password.
Note: The password must be 8 to 24 characters long.
9. In the Confirm Password box, re-type the password.
10. To add the user, click Add User. The new user is added.
11. Click Save. The Administrator Password Confirmation window is displayed.
12. Select the appropriate option.
Yes — Change authentication mode to local. Use the administrator password currently defined on the controller.
Yes, but I want to change administrator’s password first — Change authentication mode to local and change the administrator password currently defined on the controller.
No — Do not change the authentication mode to local.
13. Click Submit.
14. If you chose Yes, but I want to change administrator’s password first, you are prompted to change the administrator’s password.
3.4.9.2 Configuring the RADIUS login authentication mode
The local login authentication mode is enabled by default. You can change the local login authentication mode to RADIUS-based authentication.
Note: Before you change the default local login authentication to RADIUS-based authentication, you must configure the RADIUS Server on the Global Settings screen. For more information, see Section 6.2, “VNS global settings”, on page 267.
RADIUS is a client/server authentication and authorization access protocol used by a network access server (NAS) to authenticate users attempting to connect to a network device. The NAS functions as a client, passing user information to one or more RADIUS servers. The NAS permits or denies network access to a user based on the response it receives from one or more RADIUS servers. RADIUS uses User Datagram Protocol (UDP) for sending the packets between the RADIUS client and server.
You can configure a RADIUS key on the client and server. If you configure a key on the client, it must be the same as the one configured on the RADIUS servers. The RADIUS clients and servers use the key to encrypt all RADIUS packets transmitted. If you do not configure a RADIUS key, packets are not encrypted. The key itself is never transmitted over the network.
Note: Before you configure the system to use RADIUS-based login authentication, you must configure the Service-Type RADIUS attribute on the RADIUS server. For more information, see the RADIUS-based login authentication section in the HiPath Wireless Controller, Access Points and Convergence Software Technical Reference Guide.
To configure the RADIUS login authentication mode:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen is displayed.
2. In the left pane, click Login Management. The Login Management screen is displayed.
3. Click the RADIUS Authentication tab.
4. In the Authentication mode section, click Configure. The Login Authentication Mode Configuration window is displayed.
5. Select the RADIUS checkbox. If the Local checkbox is selected, deselect it.
6. Click OK.
7. From the drop-down list, located next to the Use button, select the RADIUS Server that you want to use for the RADIUS login authentication, and then click Use. The RADIUS Server’s name is displayed in the Configured Servers box, and in the Auth section, and the following default values of the RADIUS Server are displayed.
Note: The RADIUS Servers displayed in the list located next to the Use button are defined on the Global Settings screen. For more information, see Section 6.2, “VNS global settings”, on page 267.
The following values can be edited:
NAS IP address – The IP address of Network Access Server (NAS).
NAS Identifier – The Network Access Server (NAS) identifier. The NAS identifier is a RADIUS attribute that identifies the server responsible for passing information to designated RADIUS servers, and then acting on the response returned.
Auth Type – The authentication protocol type (PAP, CHAP, MS-CHAP, or MS-CHAP2).
Set as Primary Server – Specifies the primary RADIUS server when there are multiple RADIUS servers.
8. To add additional RADIUS servers, repeat step 7.
Note: You can add up to three RADIUS servers to the list of login authentication servers. When you add two or more RADIUS servers to the list, you must designate one of them as the Primary server. The HiPath Wireless Controller first attempts to connect to the Primary server. If the Primary Server is not available, it tries to connect to the second and third server according to their order in the Configured Servers box. You can change the order of RADIUS servers in the Configured Servers box by clicking on the Up and Down buttons.
9. Click Test to test connectivity to the RADIUS server.
Note: You can also test the connectivity to the RADIUS server after you save the configuration.
If you do not test the RADIUS server connectivity, and you have made an error in configuring the RADIUS-based login authentication mode, you will be locked out of the HiPath Wireless Controller when you switch the login mode to the RADIUS login authentication mode. If you are locked out, access Rescue mode via the console port to reset the authentication method to local.
The following window is displayed.
10. In the User ID and the Password boxes, type the user’s ID and the password, which were configured on the RADIUS Server, and then click Test. The RADIUS connectivity result is displayed.
Note: To learn how to configure the User ID and the Password on the RADIUS server, refer to your RADIUS server’s user guide.
If the test is not successful, the following message will be displayed:
11. If the RADIUS connectivity test displays a “Successful” result, click Save on the RADIUS Authentication screen to save your configuration. The following window is displayed:
12. If you tested the RADIUS server connectivity earlier in this procedure (steps 9 and 10), click No. If you click Yes, you will be asked to enter the RADIUS server user ID and password. See step 10 for more information. The following message is displayed:
13. To change the authentication mode to RADIUS authentication, click OK.
You will be logged out of the HiPath Wireless Controller immediately. You must use the RADIUS login user name and password to log on to the HiPath Wireless Controller.
To cancel the authentication mode changes, click Cancel.
3.4.9.3 Configuring the local, RADIUS login authentication mode
To configure the Local, RADIUS login authentication mode:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen is displayed.
2. In the left pane, click Login Management. The Login Management screen is displayed.
3. In the Authentication mode section, click Configure. The Login Authentication Mode Configuration window is displayed.
4. Select the Local and RADIUS checkboxes.
5. If necessary, select Local and use the Move Up button to move Local to the top of the list.
6. Click OK.
7. On the Login Management screen, click Save.
For information on setting local login authentication settings, see Section 3.4.9.1, “Configuring the local login authentication mode and adding new users”, on page 79.
For information on setting RADIUS login authentication settings, see Section 3.4.9.2, “Configuring the RADIUS login authentication mode”, on page 81.
3.4.9.4 Configuring the RADIUS, local login authentication mode
To configure the RADIUS, Local login authentication mode:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen is displayed.
2. In the left pane, click Login Management. The Login Management screen is displayed.
3. In the Authentication mode section, click Configure. The Login Authentication Mode Configuration window is displayed.
4. Select the Local and RADIUS checkboxes.
5. If necessary, select RADIUS and use the Move Up button to move RADIUS to the top of the list.
6. Click OK.
7. On the Login Management screen, click Save.
For information on setting RADIUS login authentication settings, see Section 3.4.9.2, “Configuring the RADIUS login authentication mode”, on page 81.
For information on setting local login authentication settings, see Section 3.4.9.1, “Configuring the local login authentication mode and adding new users”, on page 79.
3.4.10 Configuring SNMP
The HiPath Wireless Controller supports the Simple Network Management Protocol (SNMP) for retrieving statistics and configuration information. If you enable SNMP on the HiPath Wireless Controller, you can choose either SNMPv3 or SNMPv1/v2 mode. If you configure the HiPath Wireless Controller to use SNMPv3, then any request other than SNMPv3 request is rejected. The same is true if you configure the HiPath Wireless Controller to use SNMPv1/v2.
To configure SNMP:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen is displayed.
2. In the left pane, click SNMP. The SNMP screen is displayed.
3. In the SNMP Common Settings section, configure the following:
Mode — Select SNMPv1/v2c or SNMPv3 to enable SNMP.
Contact Name — The name of the SNMP administrator.
Location — The physical location of the HiPath Wireless Controller running the SNMP agent.
SNMP Port — The destination port for the SNMP traps. Possible ports are 0–65555.
Forward Traps — The lowest severity level of SNMP trap that you want to forward.
Publish AP as interface of controller — Enable or disable SNMP publishing of the access point as an interface to the HiPath Wireless Controller.
4. Continue with the appropriate procedure for configuring SNMPv1/v2c-specific or SNMPv3-specific parameters.
Section 3.4.10.1, “Configuring SNMPv1/v2c-specific parameters”
Section 3.4.10.2, “Configuring SNMPv3-specific parameters”
3.4.10.1 Configuring SNMPv1/v2c-specific parameters
1. Configure the following parameters on the SNMPv1/v2c tab:
Read Community Name — The password that is used for read-only SNMP communication.
Read/Write Community Name — The password that is used for write SNMP communication.
Manager A — The IP address of the server used as the primary network manager that will receive SNMP messages.
Manager B — The IP address of the server used as the secondary network manager that will receive SNMP messages.
2. Click Save.
3.4.10.2 Configuring SNMPv3-specific parameters
1. Configure the following parameters on the SNMPv3 tab:
Context String — A description of the SNMP context.
Engine ID — The SNMPv3 engine ID for the HiPath Wireless Controller running the SNMP agent. The engine ID must be from 5 to 32 characters long.
RFC3411 Compliant — The engine ID will be formatted as defined by SnmpEngineID textual convention (that is, the engine ID will be prepended with SNMP agents' private enterprise number assigned by IANA as a formatted HEX text string).
2. Click Add User Account. The Add SNMPv3 User Account window displays.
3. Configure the following parameters:
User — Enter the name of the user account.
Security Level — Select the security level for this user account. Choices are: authPriv, authNoPriv, noAuthnoPriv.
Auth Protocol — If you have selected a security level of authPriv or authNoPriv, select the authentication protocol. Choices are: MD5, SHA, None.
Auth Password — If you have selected a security level of authPriv or authNoPriv, enter an authentication password.
Privacy Protocol — If you have selected the security level of authPriv, select the privacy protocol. Choices are: DES, None.
Privacy Password — If you have selected the security level of authPriv, enter a privacy password.
Engine ID — If desired, enter an engine ID. The ID can be between 5 and 32 bytes long, with no spaces, control characters, or tabs.
Trap Destination — If desired, enter the IP address of a trap destination.
4. Click OK. The Add SNMPv3 User Account window closes.
5. Repeat steps 2 through 4 to add additional users.
6. In the Trap 1 and Trap 2 sections, configure the following parameters:
Destination IP — The IP address of the machine monitoring SNMPv3 traps
User Name — The SNMPv3 user to configure for use with SNMPv3 traps
7. Click Save.
3.4.10.3 Editing an SNMPv3 User
To edit an SNMPv3 user:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen is displayed.
2. In the left pane, click SNMP. The SNMP screen is displayed.
3. Click the SNMPv3 tab.
4. Select an SNMP user.
5. Click Edit Selected User. The Edit SNMPv3 User Account window displays.
6. Edit the user configuration as desired.
7. Click OK. The Edit SNMPv3 User Account window closes.
8. Click Save.
3.4.10.4 Deleting an SNMPv3 User
To delete an SNMPv3 user:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen is displayed.
2. In the left pane, click SNMP. The SNMP screen is displayed.
3. Click the SNMPv3 tab.
4. Select an SNMP user.
5. Click Delete Selected User. You are prompted to confirm that you want to delete the selected user.
6. Click OK.
3.4.11 Configuring network time
You should synchronize the clocks of the HiPath Wireless Controller and the Wireless APs to ensure that the logs and reports reflect accurate time stamps. For more information, see Chapter 11, “Working with reports and displays”.
The normal operation of the HiPath Wireless Controller will not be affected if you do not synchronize the clock. The clock synchronization is necessary to ensure that the logs display accurate time stamps. In addition, clock synchronization of network elements is a prerequisite for the following configuration:
Mobility Manager
Session Availability
Network time synchronization
Network time is synchronized in one of two ways:
Using the system’s time – The system’s time is the HiPath Wireless Controller’s time.
Using Network Time Protocol (NTP) – The Network Time Protocol is a protocol for synchronizing the clocks of computer systems over packet-switched data networks.
Note: If the HiPath Wireless Controller C2400 is left powered down for more than 78 hours, you must synchronize the network time using the NTP server. If the NTP server is not reachable, you must manually set the system to the correct time.
The HiPath Wireless Controller automatically adjusts for any time change due to Daylight Savings time.
3.4.11.1 Configuring the network time using the system’s time
To configure the network time, using the system’s time:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen is displayed.
2. In the left pane, click Network Time. The Network Time screen is displayed.
3. From the Continent or Ocean drop-down list, click the appropriate large-scale geographic grouping for the time zone.
4. From the Country drop-down list, click the appropriate country for the time zone. The contents of the drop-down list change, based on the selection in the Continent or Ocean drop-down list.
5. From the Time Zone Region drop-down list, click the appropriate time zone region for the selected country.
6. Click Apply Time Zone.
7. In the System Time box, type the system time.
8. Click Set Clock.
9. The WLAN network time is synchronized in accordance with the HiPath Wireless Controller’s time.
3.4.11.2 Configuring the network time using an NTP server
To configure the network time using an NTP server:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen is displayed.
2. In the left pane, click Network Time. The Network Time screen is displayed.
3. From the Continent or Ocean drop-down list, click the appropriate large-scale geographic grouping for the time zone.
4. From the Country drop-down list, click the appropriate country for the time zone. The contents of the drop-down list change, based on the selection in the Continent or Ocean drop-down list.
5. From the Time Zone Region drop-down list, click the appropriate time zone region for the selected country.
6. Click Apply Time Zone.
7. In the System Time box, type the system time.
8. Select the Use NTP checkbox.
Note: If you want to use the HiPath Wireless Controller as the NTP Server, select the Run local NTP Server checkbox, and then skip to Step 11.
9. In the Time Server 1 text box, type the IP address or FQDN (Fully Qualified Domain Name) of an NTP time server that is accessible on the enterprise network.
10. Repeat for the Time Server 2 and Time Server 3 text boxes. If the system is not able to connect to Time Server 1, it will attempt to connect to the additional servers that have been specified in the Time Server 2 and Time Server 3 text boxes.
11. Click Apply.
12. The WLAN network time is synchronized in accordance with the specified time server.
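Before addresses are entered in the Time Server 1 to Time Server 3 text boxes, each candidate can be checked from a management host. The following Python code is an added example, not part of the product or of this guide: it sends one SNTP request and rejects replies that are unsynchronized or that do not echo the request, using the standard NTP packet header; all function names are hypothetical.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01

def _ts(raw, off):
    """Decode the 64-bit NTP timestamp at `off` into Unix seconds."""
    sec, frac = struct.unpack(">II", raw[off:off + 8])
    return sec - NTP_EPOCH_DELTA + frac / 2**32

def build_request(t1):
    """Client request: LI=0, VN=3, Mode=3, transmit timestamp set to t1."""
    stamp = struct.pack(">II", int(t1) + NTP_EPOCH_DELTA, int((t1 % 1) * 2**32))
    return b"\x1b" + b"\x00" * 39 + stamp

def evaluate_reply(request, reply, t4):
    """Return (usable, reason, offset) for one reply received at local time t4."""
    if len(reply) < 48:
        return False, "short packet", None
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x07, reply[1]
    if mode != 4:
        return False, "not a server reply", None
    if leap == 3 or stratum == 0 or stratum >= 16:
        return False, "server unsynchronized", None
    if reply[24:32] != request[40:48]:  # originate must echo our transmit stamp
        return False, "originate mismatch", None
    t1, t2, t3 = _ts(request, 40), _ts(reply, 32), _ts(reply, 40)
    return True, "ok", ((t2 - t1) + (t3 - t4)) / 2  # standard NTP clock offset

def check_server(server, timeout=2.0):
    """Query one candidate time server over UDP/123 and evaluate its reply."""
    request = build_request(time.time())
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(request, (server, 123))
            reply = sock.recvfrom(512)[0]
    except OSError as exc:
        return False, f"unreachable: {exc}", None
    return evaluate_reply(request, reply, time.time())
```

The offset returned by `check_server` is the difference between the server's clock and the clock of the host running the check, in seconds.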
3.4.12 Configuring DNS servers for resolving host names of NTP and RADIUS servers
Since the Global Settings screen (Main Menu > Virtual Network Configuration > Global Settings) allows you to set up NTP and RADIUS servers by defining their host names, you have to configure your DNS servers to resolve the host names of NTP and RADIUS servers to the corresponding IP addresses.
Note: For more information on RADIUS server configuration, see Section 6.2.1, “Defining RADIUS servers and MAC address format”, on page 269.
You can configure up to three DNS servers to resolve NTP and RADIUS server host names to their corresponding IP addresses.
The HiPath Wireless Controller sends the host name query to the first DNS server in the stack of three configured DNS servers. The DNS server resolves the queried domain name to an IP address and sends the result back to the HiPath Wireless Controller.
If for some reason, the first DNS server in the stack of configured DNS servers is not reachable, the HiPath Wireless Controller sends the host name query to the second DNS server in the stack. If the second DNS server is also not reachable, the query is sent to the third DNS server in the stack.
To configure DNS servers for resolving host names of NTP and RADIUS servers:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen is displayed.
2. In the left pane, click Host Attributes. The Host Attributes screen is displayed.
3. In the DNS box, type the DNS server’s IP address in the Server Address field and then click Add Server. The new server is displayed in the DNS servers’ list.
Note: You can configure up to three DNS servers.
4. To save your changes, click Save.
3.5 Using an AeroScout location based solution
You can deploy your HiPath Wireless Controller and Wireless APs as part of an AeroScout location based solution.
On the HiPath Wireless Controller, you configure the AeroScout server IP address and enable the location based service. The AeroScout server is aware only of the HiPath Wireless Controller IP address and is notified of the operational APs by the Controller.
On the APs that you want to participate in the location based service, you enable the location based service.
Note: Participating Wireless APs must use the 2.4 GHz band.
Once you have enabled the location based service on the HiPath Wireless Controller and the participating Wireless APs, at least one of the participating Wireless APs will receive reports from an AeroScout Wi-Fi RFID tag in the 2.4 GHz band. The tag reports are collected by the AP and forwarded to the AeroScout server by encapsulating the tag reports in a WASSP tunnel and routing them as IP packets through the HiPath Wireless Controller.
Note: Tag reports are marked with UP=CS5, and DSCP = 0xA0. On the HiPath Wireless Controller, tag reports are marked with UP=CS5 to the core (if 802.1p exists).
An AP’s tag report collection status is reported in the Wireless AP Inventory report. For more information, see Section 11.8, “Viewing reports”, on page 467.
If availability is enabled, tag report transmission pauses on failed over APs until they are configured and notified by the AeroScout server.
When AeroScout support is disabled on the HiPath Wireless Controller, the HiPath Wireless Controller does not communicate with the AeroScout server and the APs do not perform any AeroScout-related functionality.
Ensure that your AeroScout tags are configured to transmit on all non-overlapping channels (1, 6 and 11) and also on channels above 11 for countries where channels above 11 are allowed. Refer to AeroScout documentation for proper deployment of the AeroScout location based solution.
To configure a HiPath Wireless Controller for use with an AeroScout solution:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen is displayed.
2. In the left pane, click Location Based Service. The Location Based Service screen is displayed.
3. Select the Enable Location Based Service checkbox to enable the location based service on the HiPath Wireless Controller.
4. In the Aeroscout Address field, enter the IP address of the AeroScout server.
5. Click Save. You must now assign Wireless APs to participate in the location based service.
6. From the top menu, click Wireless APs. The All APs screen is displayed.
7. Select an AP.
8. Click Advanced. The Advanced window displays.
9. In the Location-based Service field, select Enable.
10. Click Close. The Advanced window closes.
11. Repeat steps 7 through 10 for each additional AP that you want to participate in the location based service.
12. Click Save.
Note: You can also enable location based service on APs through the Location based service field on the AP Multi-edit screen and the Advanced window of the AP Default Settings screen.
3.6 Additional ongoing operations of the system
Ongoing operations of the HiPath Wireless Controller, Access Points and Convergence Software system can include the following:
HiPath Wireless Controller System Maintenance
Wireless AP Maintenance
Client Disassociate
Logs and Traces
Reports and Displays
For more information, see Chapter 12, “Performing system administration” or the HiPath Wireless Controller, Access Points and Convergence Software Maintenance Guide.