Note: Any references to CN3000 in this draft also apply to the CN3200.
First Edition (January 2004) 43-10-3200-06
Colubris is a registered trademark of Colubris Networks Inc.
Microsoft, Windows, Windows 2000, Windows NT, Windows 95, Windows 98,
Windows ME, Internet Explorer, and the Windows logo are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
IBM is a registered trademark of International Business Machines.
All other names mentioned herein are trademarks or registered trademarks of
their respective owners.
Changes are periodically made to the information herein; these changes will be
incorporated into new editions of the document.
Chapter 1: Introduction
DRAFT
This chapter presents an overview of the CN3200 and illustrates how it
can be used to deploy a public access network.
Introducing the CN3200
The CN3200 simplifies the process of installing a public access network by
integrating all the key components you need into a single, easy-to-install device.
It features an access controller with robust firewall and full-featured router, and a
high-speed wireless access point.
Scalable solution
To service large locations or areas with many customers, you can deploy multiple
CN3200s or use CN300 satellite stations to extend the reach of the wireless
network.
[Figure: a CN3200 linked to four CN300 satellite stations, each providing a public WLAN cell]

Secure infrastructure
The CN3200 and the CN300s provide the wireless cells which customers use to
connect their mobile computers. Intelligent bridging software on the CN300s
restricts customer traffic so that it can only flow to and from the CN3200.
[Figure: a CN3200 and a CN300, each with a public WLAN cell, serving an authenticated customer and an unauthenticated customer, with a hacker also shown]
Generally, the CN3200 is configured to provide a ‘public’ area on the network that
is freely available to customers without logging in. However, to gain access to the
Internet (or restricted resources on the local network) customers are usually
required to log in. This secures the network and enables billing to take place.
Integrated firewall
For added security, the CN3200 is protected from malicious Internet traffic by its
integrated firewall.
[Figure: the integrated firewall stops telnet and SYN-attack traffic from a hacker on the Internet; the RADIUS server sits in the network operating center; authenticated and unauthenticated wireless stations cannot exchange data with each other]
Enhanced user experience
The CN3200 makes it easy to deliver a completely customized experience for
your customers.
[Figure: the customer location and login name are forwarded to the web server, which builds a customized web page based on the customer ID and location]
At login time, customers are authenticated and their location within the network is
identified. This information is forwarded to an external web server, enabling it to
generate a custom experience for each location or even every customer.
Secure remote management
Integrated VPN client software (PPTP and IPSec) enables the CN3200 to
establish a secure connection with a remote network operating center. This
provides a secure encrypted tunnel for management and accounting traffic,
enabling you to establish a centralized location from which to manage one or
more CN3200s.
[Figure: a network operating center (management station, RADIUS server, VPN server) connected to CN3200 public WLANs at Site #1, Site #2, and Site #3 by secure tunnels protected by IPSec or PPTP]

Wireless bridging
The CN3200's wireless bridging feature enables you to use the wireless radio to
create point-to-point wireless links to other access points. This feature can be
used locally to extend the reach of a network without laying cable. For example:
[Figure: two CN300 public WLAN cells joined by a wireless bridge to the backbone LAN]
Or, it can be used to create point-to-point links over longer distances, such as
between two buildings (as illustrated below). This requires that the appropriate
external antenna be installed on each unit (not included).
[Figure: Building A and Building B joined by a wireless bridge between external antennas; a CN3200, several CN300s with their public WLAN cells, and a RADIUS server are spread across the two buildings]
Multiple SSID support
The CN3200 provides support for multiple SSIDs. This permits the wireless
network to be split into multiple distinct entities, each with its own SSID and
configuration settings.
By combining multiple SSIDs and IPSec VPNs, several WISPs (wireless Internet
service providers) can effectively share wireless access points in one or more
locations.
[Figure: the NOCs of WISP #1 and WISP #2 each reach the shared access point across the Internet through their own tunnel (IPSec VPN #1, IPSec VPN #2); the access point advertises SSID #1 and SSID #2 on one public WLAN]
In this scenario, the CN3200 controls access to the Internet. However, it validates
customer logins and records accounting information using the RADIUS server in
each NOC. The CN3200 knows which RADIUS server to communicate with for a
particular customer based on the SSID the customer is associated with. IPSec
VPN tunnels provide full protection for all data transfers with the NOC.
Custom login pages can be hosted by each WISP, enabling the shared access
point to provide a distinct online experience for each WISP’s customers.
Feature summary
Wireless radio
The CN3200’s dual-band mini-PCI radio module is software configurable to
operate either in the 2.4GHz band (802.11b and 802.11g) or the 5GHz band
(802.11a).
Note: Customers are responsible for verifying approval and for identifying the
regulatory domain that corresponds to a particular country. Not all regulatory
domains have been approved. Please consult the Colubris Networks web site
(www.colubris.com/certifications) for an up-to-date list.
802.11a
The following features apply when the radio is operating as IEEE 802.11a (5 GHz
Unlicensed ISM radio band).
Data rates
• 6, 9, 12, 18, 24, 36, 48, 54 Mbps
Frequency band
• North America: 5.150-5.350 GHz and 5.725-5.825 GHz
• Europe: 5.150-5.350 GHz and 5.470-5.725 GHz and 5.725-5.825 GHz
• Japan: 5.150-5.250 GHz
Operating channels (non-overlapping)
• North America: 12
• Europe: 19
• Japan: 4
Modulation technique
Orthogonal Frequency Division Multiplexing (OFDM)
• BPSK @ 6 and 9 Mbps
• QPSK @ 12 and 18 Mbps
• 16-QAM @ 24 and 36 Mbps
• 64-QAM @ 48 and 54 Mbps
Media Access Protocol
• Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)
Receive sensitivity
• 6 Mbps: -85 dBm
• 54 Mbps: -65 dBm
Available Transmit Power Settings
• 6-24 Mbps: 17.5 dBm +/- 2
• 54 Mbps: 12 dBm +/- 2
Note: Maximum power setting varies according to individual country regulations.
Standards compliance
Safety
• IEC 60950
• EN 60950
Radio Approvals
• Wi-Fi
• FCC Part 15.401-15.407
• RSS-210 (Canada)
• EN 300 440 (Europe)
• ARIB STD-T71 (Japan)
EMI and Susceptibility (Class B)
• FCC Part 15.107 and 15.109
• ICES-003 (Canada)
• VCCI (Japan)
• EN 301.489-1 and -17 (Europe)
Other
• IEEE 802.11a
• FCC Bulletin OET-65C
• RSS-102
IEEE 802.11h Support
• Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC) are
supported as per the current draft of the IEEE 802.11h specification
Antenna
Two SMA (Female) connectors for use with external antenna (sold separately).
Security architecture: client authentication
• SSL protected WEB-based Authentication
• 802.1X support including: PEAP, EAP-TLS, EAP-TTLS, and EAP-SIM to yield
mutual authentication
• Wi-Fi Protected Access (WPA) with AES support in HW (ready for WPA-2)
• Support for static and dynamic IEEE 802.11 WEP keys of 40 bits and 128 bits
802.11b/g
The following features apply when the radio is operating as IEEE 802.11b and
• Provides accounting by time used or data transferred/received by customers
• Traffic quotas
• Web-based management tool
• Secure local and remote management via HTTPS and VPN
• Scheduled configuration upgrades from a central server
• Remote Syslog
• Web-based firmware upgrades
• Real-time status and information protocol traces
• Site survey and monitoring tool
• SNMP V1, V2 MIB-II with traps and Colubris MIB
• RADIUS Authentication Client MIB (RFC 2618)
Interfaces
• IEEE 802.11b wireless port
• 10/100BaseTX Ethernet port
• 10BaseT Ethernet port
Operating Environment
• Temperature: 0 °C to 55 °C
• Humidity: 15% to 95% non-condensing
Regulatory Approvals
• FCC Part 15, CSA NRTL (C22.2 No 950, UL 1950)
• CE Mark (EN55022, EN55024, IEC 60950)
• Wi-Fi Certified
Package contents
Make sure that your package contains the following items. If an item is missing,
contact your reseller.
• CN3200 Wireless Access Controller
• Power supply (optional)
• Power cord (optional)
• Cross-over Ethernet cable (yellow)
• CN3200 warranty, license, and registration cards
• CD-ROM, containing the CN3200 Administrator’s Guide, Colubris
Backend Archive, and the Colubris Enterprise MIB.

Technical support
To obtain technical support, contact your reseller.
Information about Colubris Networks products and services, including
documentation and software updates, is available on our web site at
www.colubris.com.
Syntax conventions
This manual uses the following formatting conventions.

Example: Network
Description: When referring to the management tool web interface, items in bold
type identify menu commands or input fields. They are presented exactly as they
appear on screen.

Example: Network > Ports
Description: When referring to the management tool web interface, submenus are
indicated using the ‘>’ sign. The example refers to the Ports submenu, which is
found under the Network menu.

Example: ip_address
Description: Items in italics are parameters that you must supply a value for.

Example: use-access-list=usename
Description: Monospaced text is used to present command line output, program
listings, or commands that are entered into configuration files or profiles.

Example: ssl-certificate=URL [%s] [%n]
Description: Items enclosed in square brackets are optional. You can either
include them or not. Do not type the brackets.
Chapter 2: Important concepts
This chapter covers important topics that will help you understand how
to install, deploy, and manage a wireless public access network.
Networking areas
Wireless cells
Each wireless networking area is created by installing a CN3200, and if needed,
one or more CN300s. For example:
[Figure: a wireless networking area: the protected network resources, the CN3200's public WLAN cell, and two CN300s each providing a further public WLAN cell]
Coverage
As a starting point for planning your setup, you can assume that the CN3200
provides a wireless cell of up to 300 feet (100 meters) in diameter at high power.
Before creating a permanent installation, you should always perform a live test of
the coverage provided by each access point to determine its optimum settings
and location.
Coverage provided by an access point will be affected by all of the following
factors.
Transmission power of the radio
More power means better signal quality and bigger wireless cells. However, cell
size should generally not exceed the range of transmission supported by your
client stations. If it does, client stations will be able to receive signals from the
access point, but they will not be able to reply. Another limiting factor is proximity
of other access points in a multi-cell setup. In this case signal strength should be
adjusted to avoid interference between adjacent cells.
Note: Governmental regulations in different parts of the world determine the
maximum power output of the CN3200’s radio.
Antenna configuration
Antennas play a large role in determining the shape of the wireless cell and the
transmission distance. Internal antennas are generally omni-directional and
provide the same type of coverage in all directions around the access point.
Consult the specifications for the antenna to determine how it affects wireless
coverage.
Interference
Another limiting factor is interference from other access points or devices that
operate in the same frequency band.
Access points operating in the 2.4 GHz band may experience interference from
2.4 GHz cordless phones and microwave ovens.
Physical characteristics of the location
To maximize coverage of the wireless cell, the wireless access points are best
installed in an open area with as few obstructions as possible. Try to choose a
location that is central to the area being served.
Radio waves cannot penetrate metal; instead, they are reflected. This means that
the wireless access points are able to transmit through wood or plaster walls, and
closed windows. However, the steel reinforcing found in concrete walls and floors
may block transmissions, or reduce signal quality by creating reflections. This
can make it difficult for a single unit to serve users on different floors in a concrete
building. Such installations will require a separate wireless access point on each
floor.
Authentication and accounting
The CN3200 provides user authentication and accounting support for the
wireless customers and manages the security of the network. This means
ensuring that only authorized traffic is permitted to reach the protected network
resources.
Multiple SSIDs
The CN3200 supports the creation of multiple virtual wireless networks, all
sharing the same wireless port. Each virtual network has its own SSID, MAC
address, and configuration settings.
Security
To preserve network security, the CN3200 and the CN300 block all
communications between wireless client stations. If required, you can disable this
feature.
Protected network resources
All resources connected to the CN3200’s Internet port are protected. This means
that access to them is controlled by configuration settings on the CN3200. By
default, these settings are:
• unauthenticated customers cannot access any protected network resources
• authenticated customers can access all protected network resources
While this type of configuration may be suitable for a simple wireless hotspot that
provides access to the Internet, more complex setups will need more fine-grained
control of the protected network resources. To support this, the CN3200 provides
a fully-configurable access list mechanism, which has the following benefits:
• The ability to make specific protected resources available to unauthenticated
users. For example, when you want to have public web pages available to
customers before they log in, but locate the web server on a protected network.
• The ability to define a list of accessible resources for a single customer or an
entire group. For example, if you have several customer groups (teachers,
students, visitors), each can be given access to specific network resources.
• The ability to block specific addresses for a single customer or entire group. For
example, you could disallow traffic to file swapping Internet sites to cut down on
bandwidth usage.
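The following Python is an added example, not the CN3200's configuration syntax and not Colubris code. It models the access-list behaviour just described: unauthenticated customers reach nothing on the protected network unless a public-resource list opens it, authenticated customers reach everything unless a per-group list says otherwise, and lists are evaluated first-match. The group names, the rule format, and all addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress

ALLOW, DENY = "allow", "deny"


class AccessList:
    """An ordered list of (action, network, port) rules evaluated first-match.
    port=None matches any destination port. Returns None when nothing matches,
    so the caller can fall back to the default for that customer class."""

    def __init__(self, rules):
        self.rules = [(action, ipaddress.ip_network(net), port) for action, net, port in rules]

    def evaluate(self, dst_ip, dst_port):
        addr = ipaddress.ip_address(dst_ip)
        for action, net, port in self.rules:
            if addr in net and (port is None or port == dst_port):
                return action
        return None


# Defaults as the manual states them: nothing before login, everything after.
DEFAULT_POLICY = {False: DENY, True: ALLOW}

# Constructed list: resources made available to customers before they log in
# (a public web server that lives on the protected LAN).
PUBLIC_BEFORE_LOGIN = AccessList([
    (ALLOW, "192.0.2.10/32", 80),
    (ALLOW, "192.0.2.10/32", 443),
])

# Constructed per-group lists for the teachers/students/visitors scenario.
GROUP_LISTS = {
    "teachers": AccessList([(ALLOW, "192.0.2.0/24", None)]),   # whole protected LAN
    "students": AccessList([
        (DENY, "198.51.100.0/24", None),                        # file-swapping sites
        (ALLOW, "192.0.2.20/32", None),                         # course web server
    ]),
    "visitors": AccessList([(DENY, "192.0.2.0/24", None)]),    # no internal hosts
}


def decide(authenticated, group, dst_ip, dst_port):
    """Return ALLOW or DENY for one flow from a customer to a protected resource."""
    if not authenticated:
        # Only an explicit public-resource entry can open access before login.
        return PUBLIC_BEFORE_LOGIN.evaluate(dst_ip, dst_port) or DEFAULT_POLICY[False]
    group_list = GROUP_LISTS.get(group)
    if group_list is not None:
        verdict = group_list.evaluate(dst_ip, dst_port)
        if verdict is not None:
            return verdict
    # No group rule matched: authenticated customers default to allow.
    return DEFAULT_POLICY[True]


if __name__ == "__main__":
    for case in [(False, None, "192.0.2.10", 80), (False, None, "192.0.2.10", 22),
                 (True, "students", "198.51.100.7", 6881), (True, "visitors", "192.0.2.30", 80)]:
        print(case, "->", decide(*case))
```

Rule order matters in the students list: the deny for the file-swapping range is checked before the allow, and a flow that matches neither falls through to the authenticated default rather than being silently dropped.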
Attaching to a wired LAN
The CN3200 can be attached to a wired LAN. Computers on an attached wired
LAN are treated just like those on the wireless LAN. Each computer must be
authenticated before it can gain access to protected network resources.
To maintain network security, the wireless LAN and wired LAN are distinct. Traffic
is not forwarded between them.
Network operating center (NOC)
The NOC is where the RADIUS, Web, SMTP, FTP, DHCP, DNS, VPN servers and
the management station are installed.
[Figure: Network Operating Center components: SMTP server, Web/FTP server, RADIUS server, DNS/DHCP server, management station, VPN server]
RADIUS server
The RADIUS server is used to authenticate customers when they log onto the
network and record accounting information for each session. It is also used to
store configuration settings for the CN3200 and customers. Before the CN3200
activates the public network, it must authenticate itself to the RADIUS server and
retrieve its configuration information.
The CN3200 is compliant with RFC 2865 and RFC 2866 and will work with a
variety of RADIUS servers.
Web/FTP server
If you intend to customize the look and feel of the public access interface, you will
need a Web or FTP server to store your customized pages.
SMTP server
The CN3200 provides an e-mail redirection feature which enables customers to
send e-mail using an SMTP server that you supply. If you intend to support this
feature, you must install an SMTP server to handle redirected outgoing mail.
VPN server
The CN3200 can use its integrated VPN client (PPTP, IPSec) to create an
encrypted connection to a VPN server. This is useful if the CN3200 is connected
to a NOC via the Internet. The tunnel ensures the security of authentication traffic
and remote management activities and enables you to manage all your CN3200s
from a single remote site without security concerns.
DNS/DHCP server
The CN3200 can be configured to relay DHCP requests to an external server.
This enables you to control address allocation for all wireless cells from a central
location.
Management station
This station is used to control and configure the CN3200 and any satellite
CN300s. Control can occur via an SNMP console or through the CN3200’s web-based management tool.
Sending traffic to the NOC
For secure transmission of traffic between the CN3200 and the NOC, the
CN3200 features both PPTP and IPSec clients. Chapter 10 explains how to
configure secure remote connections.
The public access interface
The public access interface is the sequence of web pages that customers use to
log in to the wireless network and to manage their accounts.
The CN3200 ships with a default public access interface that you can customize
to meet the needs of your installation. However, before you do this, you should
initialize the default setup and test it with your network as described in Chapter 9.
Once the default interface is working, you can make changes to it as described in
Chapter 15.
Important: The CN3200 public access interface is not functional until the
CN3200 can successfully connect to a RADIUS server and authenticate itself.
This means that the login page for the public access interface will appear, but
customers will get an error when they try to log in. This occurs regardless of the
method you are using to authenticate customers.
Important: Customers using PDAs that only support a single browser window
will have difficulty using the public access interface in its standard configuration.
To solve this problem, see “Supporting PDAs” on page 172.
Connecting to and using the wireless network
In order to access protected network resources, customers must:
• successfully connect to the wireless network
• open the login page in their web browser and supply a valid username and
password OR log in with an 802.1x or WPA client (if this feature is enabled on
the CN3200)
The CN3200 provides several features that make it easy for customers to
accomplish these tasks.
Broadcast IP address
This feature enables the CN3200 to broadcast its wireless network name (SSID)
to all client stations. Most wireless adapter cards have a setting that enables
them to automatically discover access points that broadcast their names and
automatically connect to the one with the strongest signal.
This feature is enabled by default. To disable it, go to the Network > Wireless
page in the CN3200 management tool. If you disable this feature, customers
must manually specify the SSID you define for the wireless network.

Allow any IP address
This feature enables the CN3200 to connect with wireless client stations that are
using a static IP address that is not on the same segment as the wireless
network. This permits customers to access the wireless network without
reconfiguring their network settings.
For example, by default the CN3200 creates the wireless network on the
subnet 192.168.1.0. If a client station is pre-configured with the address
10.10.4.99, it will still be able to connect to the CN3200 without changing its
address, or its settings for DNS server and default gateway.
This feature is enabled by default. To disable it, go to the Security > Authentication > Advanced Settings page in the CN3200 management tool.

WPA/802.1x clients
The CN3200 provides complete support for these clients. User accounts are
managed remotely on a RADIUS server.
Proxy server support
This feature enables the CN3200 to support client stations that are configured to
use a proxy server for HTTP and HTTPS, without requiring customers to
reconfigure their systems.
This feature is disabled by default. To enable it, go to the Client station settings
box on the Security > Authentication > Advanced Settings page.
For this feature to work, client stations:
• must not be using a proxy server on port 21, 23, 25, 110, 443, 8080, or 8090.
To support ports 8080 and 8090 change the settings for Security > Authentication > Advanced Settings > Access controller ports.
• must be using the same proxy server address and port number for both HTTP
and HTTPS.
• must not be using 802.1x.
Enabling this feature reduces the maximum number of supported wireless
customers to 50.
The RADIUS server
Main tasks
The RADIUS server is a key component of the public access infrastructure. It is
used to perform a variety of tasks, including:
• authenticating the CN3200
• authenticating administrator logins
• authenticating customer logins
• storing accounting information for each customer
• storing customization information for the public access interface
Authenticating the CN3200 and storing config information
The CN3200 authenticates itself to a RADIUS server each time:
• it is powered up
• it is restarted
• the authentication interval expires (configured via the management tool)
At each authentication, the following configuration information is retrieved if
defined in the RADIUS profile for the CN3200:
• Access list defining the resources unauthenticated customers can access.
• URLs specifying the location of customized Web pages and supporting files.
• A URL specifying the location of a custom security certificate.
• A URL specifying the location of a configuration file.
• The MAC addresses of devices to authenticate.
• The default idle timeout for customer sessions.
• The default address for the SMTP redirection
When you set up a profile for the CN3200 on the RADIUS server you define this
information in the form of a Colubris Networks vendor-specific attribute. For
details see page 214.
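As an added example (not part of this manual and not Colubris code), the following Python shows what the exchange above consists of on the wire under RFC 2865, which the Network operating center section says the CN3200 complies with: the device sends an Access-Request carrying a User-Name, a User-Password hidden with the shared secret, and a Vendor-Specific attribute; the server's reply carries a Response Authenticator that the device checks before trusting any configuration it receives. The shared secret, NAS address, user name, the vendor id and the vendor attribute content are all constructed placeholders; the real Colubris Networks vendor id is not given on this page.

```python
import hashlib
import hmac
import os
import struct

# Constructed placeholders: take the real values from your RADIUS profile.
SHARED_SECRET = b"example-shared-secret"
VENDOR_ID_PLACEHOLDER = 99999   # placeholder, not the real Colubris Networks vendor id

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the server does); strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def attr(type_, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", type_, 2 + len(value)) + value


def vendor_specific(vendor_id, vendor_type, value):
    """RFC 2865 section 5.26: a 4-byte Vendor-Id followed by a vendor TLV."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(vendor_type, value))


def build_access_request(identifier, username, password, nas_ip, authenticator=None):
    """Client side. Returns (packet, request_authenticator). The authenticator
    must be fresh and unpredictable per request; passing one in is only so the
    result is repeatable in a test."""
    authenticator = authenticator or os.urandom(16)
    attrs = attr(USER_NAME, username.encode())
    attrs += attr(USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, authenticator))
    attrs += attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    # Constructed vendor attribute standing in for a device configuration string.
    attrs += vendor_specific(VENDOR_ID_PLACEHOLDER, 1, b"example-config=value")
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_packet(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value)])."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2:
            raise ValueError("malformed attribute length")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, identifier, packet[4:20], attrs


def build_response(code, identifier, request_authenticator, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + SHARED_SECRET).digest()
    return header + response_auth + attrs


def response_is_authentic(packet, request_authenticator):
    """Client side: accept a reply only if it was produced with the shared secret
    for this exact request (RFC 2865 section 3). Rejects replies with a
    changed Code, changed attributes, or a stale Request Authenticator."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + SHARED_SECRET).digest()
    return hmac.compare_digest(packet[4:20], expected)
```

The device must keep the Request Authenticator it sent until the reply arrives; without that check, any host that can reach the CN3200 could answer with a forged Access-Accept and the configuration attributes of its choice.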
Authenticating customers and storing accounting information
See page 30 for details.
Authenticating administrator logins
The RADIUS server can also be used to authenticate administrator logins. This
enables you to have multiple administrators, each with their own username and
password, instead of the single account controlled on the Management > Management tool page.
More information
For information on configuring the RADIUS server, see:
• Chapter 16, which explains all the settings you can define on the RADIUS
server for your customer accounts and network operation.
• Chapter 18, which provides a walkthrough of a sample RADIUS configuration
using Steel-belted Radius.
• Chapter 19, which provides a walkthrough of a sample RADIUS configuration
using Microsoft's RADIUS server: Internet Authentication Service.
Customer authentication
This manual uses the term customer to refer to any person or device that logs
into the public access network created by the CN3200.
Customers can be authenticated in several ways.
RADIUS server
This method enables you to use the services of a RADIUS server to manage
your customers, track and manage connection time, and generate billing
information.
Once the customer is authenticated, configuration information is retrieved for the
customer. This includes settings for:
• Connection time limit for the customer’s session.
• Idle time limit for the customer’s session.
• Access list for the customer.
• Address of the e-mail server to use for redirection of the customer’s e-mail.
• URLs specifying the location of customized Welcome and Goodbye pages for
the customer.
When you define a profile for each customer on the RADIUS server you define
this information in the form of regular RADIUS attributes and a Colubris Networks
vendor-specific attribute. See “Creating customer profiles on the RADIUS server”
on page 225 for more information.

Local user list
The CN3200 enables you to create local accounts that bypass RADIUS
authentication and accounting. To log in, customers use the public access
interface, but instead of using the RADIUS server, authentication is handled
directly by the CN3200 and no RADIUS accounting information is logged. These
accounts are useful for system administrators and management personnel.
Note: Local users must use HTML to log in. WPA/802.1x users must be
authenticated via RADIUS.
To set up these accounts, log in to the management tool and open the Security >
User List page.

MAC-based authentication
The CN3200 can authenticate devices based on their MAC address. This is
useful for authenticating devices that do not have a web browser (cash registers,
for example). These devices do not log in through the public access interface;
rather, as soon as the CN3200 sees their MAC address appear on the network,
the CN3200 attempts to authenticate them. To set up these accounts, see page
223.

WPA/802.1x
The CN3200 provides full support for users with 802.1x or WPA client software.
The CN3200 terminates the session and authenticates users via an external
RADIUS server or by using preshared keys (WPA only).
The CN3200 supports 802.1x client software that uses EAP-TLS, EAP-TTLS,
and PEAP. Dynamic key rotation is supported.