Note: Any references to CN3000 in this draft also apply to the CN3200.
Page 2
First Edition (January 2004) 43-10-3200-06
Colubris is a registered trademark of Colubris Networks Inc.
Microsoft, Windows, Windows 2000, Windows NT, Windows 95, Windows 98,
Windows ME, Internet Explorer, and the Windows logo are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
IBM is a registered trademark of International Business Machines.
All other names mentioned herein are trademarks or registered trademarks of
their respective owners.
Changes are periodically made to the information herein; these changes will be
incorporated into new editions of the document.
Step 2: Configure the RADIUS profile for the CN3200 ... 339
Define the profile ... 339
DRAFT
Chapter 1
Introduction
This chapter presents an overview of the CN3200 and illustrates how it
can be used to deploy a public access network.
Introducing the CN3200
The CN3200 simplifies the process of installing a public access network by
integrating all the key components you need into a single, easy-to-install device.
It features an access controller with robust firewall and full-featured router, and a
high-speed wireless access point.
Scalable solution
To service large locations or areas with many customers, you can deploy multiple
CN3200s or use CN300 satellite stations to extend the reach of the wireless
network.
[Figure: a CN3200 with several CN300 satellite stations, each providing a public wireless cell]
The CN3200 and the CN300s provide the wireless cells which customers use to
connect their mobile computers. Intelligent bridging software on the CN300s
restricts customer traffic so that it can only flow to and from the CN3200.
Secure infrastructure
[Figure: CN3200 and CN300 public wireless cells with an authenticated customer, an unauthenticated customer, and a hacker]
Generally, the CN3200 is configured to provide a ‘public’ area on the network that
is freely available to customers without logging in. However, to gain access to the
Internet (or restricted resources on the local network) customers are usually
required to log in. This secures the network and enables billing to take place.
For added security, the CN3200 is protected from malicious Internet traffic by its
integrated firewall.
[Figure: integrated firewall between the Internet (hacker, telnet, SYN attack) and the CN3200; stations cannot exchange data; unauthenticated and authenticated customers; RADIUS server and Network Operating Center]
Enhanced user experience
The CN3200 makes it easy to deliver a completely customized experience for
your customers.
[Figure: customer location and login name are forwarded to the web server, which builds a custom page based on customer ID and location]
At login time, customers are authenticated and their location within the network is
identified. This information is forwarded to an external web server, enabling it to
generate a custom experience for each location or even every customer.
Secure remote management
Integrated VPN client software (PPTP and IPSec) enables the CN3200 to
establish a secure connection with a remote network operating center. This
provides a secure encrypted tunnel for management and accounting traffic,
enabling you to establish a centralized location from which to manage one or
more CN3200s.
[Figure: Network Operating Center (management station, RADIUS server, VPN server) reached from several CN3200s over secure tunnels protected by IPSec or PPTP]
Wireless bridging
[Figure: CN3200s at Site #1, Site #2 and Site #3 linked by wireless bridges, each serving a public wireless cell]
The CN3200’s wireless bridging feature enables you to use the wireless radio to
create point-to-point wireless links to other access points. This feature can be
used locally to extend the reach of a network without laying cable. For example:
[Figure: two CN300s joined by a wireless bridge to the backbone LAN, each providing a public wireless cell]
Or, it can be used to create point-to-point links over longer distances, such as
between two buildings (as illustrated below). This requires that the appropriate
external antenna be installed on each unit (not included).
[Figure: point-to-point wireless bridge between Building A and Building B using external antennas; a CN3200 and CN300s, with the RADIUS server, each providing a public wireless cell]
Multiple SSID support
The CN3200 provides support for multiple SSIDs. This permits the wireless
network to be split into multiple distinct entities, each with its own SSID and
configuration settings.
By combining multiple SSIDs and IPSec VPNs, several WISPs (wireless Internet
service providers) can effectively share wireless access points in one or more
locations.
[Figure: WISP #1 NOC and WISP #2 NOC reached across the Internet through IPSec VPN #1 and IPSec VPN #2; the shared access point advertises SSID #1 and SSID #2 as separate public wireless cells]
In this scenario, the CN3200 controls access to the Internet. However, it validates
customer logins and records accounting information using the RADIUS server in
each NOC. The CN3200 knows which RADIUS server to communicate with for a
particular customer based on the SSID the customer is associated with. IPSec
VPN tunnels provide full protection for all data transfers with the NOC.
Custom login pages can be hosted by each WISP, enabling the shared access
point to provide a distinct online experience for each WISP’s customers.
Feature summary
Wireless radio
The CN3200’s dual-band mini-PCI radio module is software configurable to
operate either in the 2.4GHz band (802.11b and 802.11g) or the 5GHz band
(802.11a).
Note: Customers are responsible for verifying approval and identifying the
regulatory domain that corresponds to a particular country. Not all regulatory
domains have been approved. Please consult the Colubris Networks web site
(www.colubris.com/certifications) for an up-to-date list.
802.11a
The following features apply when the radio is operating as IEEE 802.11a (5 GHz
unlicensed ISM radio band).
Data rates
• 6, 9, 12, 18, 24, 36, 48, 54 Mbps
Frequency band
• North America: 5.150-5.350 GHz and 5.725-5.825 GHz
• Europe: 5.150-5.350 GHz and 5.470-5.725 GHz and 5.725-5.825 GHz
• Japan: 5.150-5.250 GHz
Operating channels (non-overlapping)
• North America: 12
• Europe: 19
• Japan: 4
Modulation technique
Orthogonal Frequency Division Multiplexing (OFDM)
• BPSK @ 6 and 9 Mbps
• QPSK @ 12 and 18 Mbps
• 16-QAM @ 24 and 36 Mbps
• 64-QAM @ 48 and 54 Mbps
Media Access Protocol
• Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)
Receive sensitivity
• 6 Mbps: -85 dBm
• 54 Mbps: -65 dBm
Available Transmit Power Settings
• 6-24 Mbps: 17.5 dBm +/- 2
• 54 Mbps: 12 dBm +/- 2
Note: Maximum power setting varies according to individual country regulations.
Standards compliance
Safety
• IEC 60950
• EN 60950
Radio Approvals
• Wi-Fi
• FCC Part 15.401-15.407
• RSS-210 (Canada)
• EN 300 440 (Europe)
• ARIB STD-T71 (Japan)
EMI and Susceptibility (Class B)
• FCC Part 15.107 and 15.109
• ICES-003 (Canada)
• VCCI (Japan)
• EN 301.489-1 and -17 (Europe)
Other
• IEEE 802.11a
• FCC Bulletin OET-65C
• RSS-102
IEEE 802.11h Support
• Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC) are
supported as per the current draft of the IEEE 802.11h specification
Antenna
Two SMA (Female) connectors for use with external antenna (sold separately).
Security architecture: client authentication
• SSL-protected web-based authentication
• 802.1X support including PEAP, EAP-TLS, EAP-TTLS, and EAP-SIM to yield
mutual authentication
• Wi-Fi Protected Access (WPA) with AES support in hardware (ready for WPA-2)
• Support for static and dynamic IEEE 802.11 WEP keys of 40 bits and 128 bits
802.11b/g
The following features apply when the radio is operating as IEEE 802.11b and
• Provides accounting by time used or data transferred/received by customers
• Traffic quotas
• Web-based management tool
• Secure local and remote management via HTTPS and VPN
• Scheduled configuration upgrades from a central server
• Remote Syslog
• Web-based firmware upgrades
• Real-time status and information protocol traces
• Site survey and monitoring tool
• SNMP V1, V2 MIB-II with traps and Colubris MIB
• RADIUS Authentication Client MIB (RFC 2618)
Interfaces
• IEEE 802.11b wireless port
• 10/100BaseTX Ethernet port
• 10BaseT Ethernet port
Operating Environment
• Temperature: 0°C to 55°C
• Humidity: 15% to 95% non-condensing
Regulatory Approvals
• FCC Part 15, CSA NRTL (C22.2 No 950, UL 1950)
• CE Mark (EN55022, EN55024, IEC 60950)
• Wi-Fi Certified
Package contents
Make sure that your package contains the following items. If an item is missing,
contact your reseller.
• CN3200 Wireless Access Controller
• Power supply (optional)
• Power cord (optional)
• Cross-over Ethernet cable (yellow)
• CN3200 warranty, license, and registration cards
• CD-ROM, which contains the CN3200 Administrator’s Guide, Colubris
Backend Archive, and the Colubris Enterprise MIB.
Technical support
To obtain technical support, contact your reseller.
Information about Colubris Networks products and services, including
documentation and software updates, is available on our web site at
www.colubris.com.
Syntax conventions
This manual uses the following formatting conventions.
Example: Network
Description: When referring to the management tool web interface, items in bold
type identify menu commands or input fields. They are presented exactly as they
appear on screen.
Example: Network > Ports
Description: When referring to the management tool web interface, submenus are
indicated using the ‘>’ sign. The example refers to the Ports submenu, which is
found under the Network menu.
Example: ip_address
Description: Items in italics are parameters that you must supply a value for.
Example: use-access-list=usename
Description: Monospaced text is used to present command line output, program
listings, or commands that are entered into configuration files or profiles.
Example: ssl-certificate=URL [%s] [%n]
Description: Items enclosed in square brackets are optional. You can either
include them or not. Do not type the brackets.
Chapter 2
Important concepts
This chapter covers important topics that will help you understand how
to install, deploy, and manage a wireless public access network.
Networking areas
Wireless cells
Each wireless networking area is created by installing a CN3200, and if needed,
one or more CN300s. For example:
[Figure: protected network resources behind a CN3200, with two CN300s each providing a public wireless cell]
Coverage
As a starting point for planning your setup, you can assume that the CN3200
provides a wireless cell of up to 300 feet (100 meters) in diameter at high power.
Before creating a permanent installation, you should always perform a live test of
the coverage provided by each access point to determine its optimum settings
and location.
Coverage provided by an access point will be affected by all of the following
factors.
Transmission power of the radio
More power means better signal quality and bigger wireless cells. However, cell
size should generally not exceed the range of transmission supported by your
client stations. If it does, client stations will be able to receive signals from the
access point, but they will not be able to reply. Another limiting factor is proximity
of other access points in a multi-cell setup. In this case signal strength should be
adjusted to avoid interference between adjacent cells.
Note: Governmental regulations in different parts of the world determine the
maximum power output of the CN3200’s radio.
Antenna configuration
Antennas play a large role in determining the shape of the wireless cell and
the transmission distance. Internal antennas are generally omni-directional and
provide the same type of coverage in all directions around the access point.
Consult the specifications for the antenna to determine how it affects wireless
coverage.
Interference
Another limiting factor is interference from other access points or devices that
operate in the same frequency band.
Access points operating in the 2.4 GHz band may experience interference from
2.4 GHz cordless phones and microwave ovens.
Physical characteristics of the location
To maximize coverage of the wireless cell, the wireless access points are best
installed in an open area with as few obstructions as possible. Try to choose a
location that is central to the area being served.
Radio waves cannot penetrate metal; instead they are reflected. This means that
the wireless access points are able to transmit through wood or plaster walls, and
closed windows. However, the steel reinforcing found in concrete walls and floors
may block transmissions, or reduce signal quality by creating reflections. This
can make it difficult for a single unit to serve users on different floors in a concrete
building. Such installations will require separate wireless access points on each
floor.
Authentication and accounting
The CN3200 provides user authentication and accounting support for the
wireless customers and manages the security of the network. This means
ensuring that only authorized traffic is permitted to reach the protected network
resources.
Multiple SSIDs
The CN3200 supports the creation of multiple virtual wireless networks, all
sharing the same wireless port. Each virtual network has its own SSID, MAC
address, and configuration settings.
Security
To preserve network security, the CN3200 and the CN300 block all
communications between wireless client stations. If required, you can disable this
feature.
Protected network resources
All resources connected to the CN3200’s Internet port are protected. This means
that access to them is controlled by configuration settings on the CN3200. By
default, these settings are:
• unauthenticated customers cannot access any protected network resources
• authenticated customers can access all protected network resources
While this type of configuration may be suitable for a simple wireless hotspot that
provides access to the Internet, more complex setups will need more fine-grained
control of the protected network resources. To support this, the CN3200 provides
a fully-configurable access list mechanism, which has the following benefits:
• The ability to make specific protected resources available to unauthenticated
users. For example, when you want to have public web pages available to
customers before they log in, but locate the web server on a protected network.
• The ability to define a list of accessible resources for a single customer or an
entire group. For example, if you have several customer groups (teachers,
students, visitors), each can be given access to specific network resources.
• The ability to block specific addresses for a single customer or entire group. For
example, you could disallow traffic to file swapping Internet sites to cut down on
bandwidth usage.
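The access-list behaviour described above, worked through as an added example (not Colubris code): a small evaluator that applies first-match accept/reject rules and then the defaults the page states (unauthenticated customers denied, authenticated customers allowed). The rule syntax, the first-match semantics, the list names and the addresses are assumptions constructed for the example; the "public" list stands for the unauthenticated access list retrieved with the CN3200's own profile.

```python
"""Access-list decisions for protected network resources (added example, not Colubris code).
Assumptions: rules are "accept"/"reject" lines of the form "<action> <cidr> [port N]",
the first matching rule wins, and when nothing matches the page's defaults apply:
unauthenticated customers are denied, authenticated customers are allowed. List
names and addresses are constructed sample values; 192.168.5.0/24 stands in for the
protected LAN behind the CN3200's Internet port.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept" or "reject"
    network: ipaddress.IPv4Network
    port: Optional[int] = None      # None matches any destination port

    def matches(self, dst_ip, dst_port):
        return (ipaddress.IPv4Address(dst_ip) in self.network
                and (self.port is None or self.port == dst_port))


def parse_rule(text):
    """Parse one rule line, e.g. 'accept 192.168.5.10/32 port 80'."""
    parts = text.split()
    if len(parts) not in (2, 4) or parts[0] not in ("accept", "reject"):
        raise ValueError(f"bad rule: {text!r}")
    port = None
    if len(parts) == 4:
        if parts[2] != "port":
            raise ValueError(f"bad rule: {text!r}")
        port = int(parts[3])
    return Rule(parts[0], ipaddress.IPv4Network(parts[1], strict=False), port)


@dataclass(frozen=True)
class Customer:
    name: str
    authenticated: bool
    access_list: Optional[str] = None   # list name carried in the customer's RADIUS profile


# Constructed sample lists. "public" plays the role of the unauthenticated-customer
# list retrieved with the CN3200's own profile; the others come from customer or
# group profiles.
ACCESS_LISTS = {
    "public":   [parse_rule("accept 192.168.5.10/32 port 80")],   # public web pages only
    "students": [parse_rule("accept 192.168.5.0/24"),             # protected LAN only
                 parse_rule("reject 0.0.0.0/0")],                 # ... and nothing else
    "teachers": [parse_rule("reject 203.0.113.0/24")],            # placeholder file-swapping range
}


def permitted(customer, dst_ip, dst_port, access_lists=ACCESS_LISTS):
    """Decide one flow; returns (allowed, reason). Order matters: in "students" the
    accept must precede the catch-all reject, or the LAN would be unreachable."""
    list_name = customer.access_list if customer.authenticated else "public"
    for rule in access_lists.get(list_name, []):
        if rule.matches(dst_ip, dst_port):
            return rule.action == "accept", f"{list_name}: {rule.action} {rule.network}"
    if customer.authenticated:
        return True, "default: authenticated customers reach all protected resources"
    return False, "default: unauthenticated customers are blocked"
```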
Attaching to a wired LAN
The CN3200 can be attached to a wired LAN. Computers on an attached wired
LAN are treated just like those on the wireless LAN. Each computer must be
authenticated before it can gain access to protected network resources.
To maintain network security, the wireless LAN and wired LAN are distinct. Traffic
is not forwarded between them.
Network operating center (NOC)
The NOC is where the RADIUS, Web, SMTP, FTP, DHCP, DNS, VPN servers and
the management station are installed.
[Figure: Network Operating Center components: SMTP server, Web/FTP server, RADIUS server, DNS/DHCP server, management station, VPN server]
RADIUS server
The RADIUS server is used to authenticate customers when they log onto the
network and record accounting information for each session. It is also used to
store configuration settings for the CN3200 and customers. Before the CN3200
activates the public network, it must authenticate itself to the RADIUS server and
retrieve its configuration information.
The CN3200 is compliant with RFC 2865 and RFC 2866 and will work with a
variety of RADIUS servers.
Web/FTP server
If you intend to customize the look and feel of the public access interface, you will
need a Web or FTP server to store your customized pages.
SMTP server
The CN3200 provides an e-mail redirection feature which enables customers to
send e-mail using an SMTP server that you supply. If you intend to support this
feature, you must install an SMTP server to handle redirected outgoing mail.
VPN server
The CN3200 can use its integrated VPN client (PPTP, IPSec) to create an
encrypted connection to a VPN server. This is useful if the CN3200 is connected
to a NOC via the Internet. The tunnel ensures the security of authentication traffic
and remote management activities and enables you to manage all your CN3200s
from a single remote site without security concerns.
DNS/DHCP server
The CN3200 can be configured to relay DHCP requests to an external server.
This enables you to control address allocation for all wireless cells from a central
location.
Management station
This station is used to control and configure the CN3200 and any satellite
CN300s. Control can occur via an SNMP console or through the CN3200’s web-based management tool.
Sending traffic to the NOC
For secure transmission of traffic between the CN3200 and the NOC, the
CN3200 features both PPTP and IPSec clients. Chapter 10 explains how to
configure secure remote connections.
The public access interface
The public access interface is the sequence of web pages that customers use to
login to the wireless network and to manage their accounts.
The CN3200 ships with a default public access interface that you can customize
to meet the needs of your installation. However, before you do this, you should
initialize the default setup and test it with your network as described in Chapter 9.
Once the default interface is working, you can make changes to it as described in
Chapter 15.
Important: The CN3200 public access interface is not functional until the
CN3200 can successfully connect to a RADIUS server and authenticate itself.
This means that the login page for the public access interface will appear, but
customers will get an error when they try to log in. This occurs regardless of the
method you are using to authenticate customers.
Important: Customers using PDAs that only support a single browser window
will have difficulty using the public access interface in its standard configuration.
To solve this problem, see “Supporting PDAs” on page 172.
Connecting to and using the wireless network
In order to access protected network resources, customers must:
• successfully connect to the wireless network
• open the login page in their web browser and supply a valid username and
password OR login with an 802.1x or WPA client (if this feature is enabled on
the CN3200)
The CN3200 provides several features that make it easy for customers to
accomplish these tasks.
Broadcast IP address
This feature enables the CN3200 to broadcast its wireless network name (SSID)
to all client stations. Most wireless adapter cards have a setting that enables
them to automatically discover access points that broadcast their names and
automatically connect to the one with the strongest signal.
This feature is enabled by default. To disable it go to the Network > Wireless
page in the CN3200 management tool. If you disable this feature, customers
must manually specify the SSID you define for the wireless network.
Allow any IP address
This feature enables the CN3200 to connect with wireless client stations that are
using a static IP address that is not on the same segment as the wireless
network. This permits customers to access the wireless network without
reconfiguring their network settings.
For example, by default the CN3200 creates the wireless network on the
subnet 192.168.1.0. If a client station is pre-configured with the address
10.10.4.99, it will still be able to connect to the CN3200 without changing its
address, or settings for DNS server and default gateway.
This feature is enabled by default. To disable it go to the Security > Authentication > Advanced Settings page in the CN3200 management tool.
WPA/802.1x clients
The CN3200 provides complete support for these clients. User accounts are
managed remotely on a RADIUS server.
Proxy server support
This feature enables the CN3200 to support client stations that are configured to
use a proxy server for HTTP and HTTPS, without requiring customers to
reconfigure their systems.
This feature is disabled by default. To enable it, go to the Client station settings
box on the Security > Authentication > Advanced Settings page.
For this feature to work, client stations:
• must not be using a proxy server on port 21, 23, 25, 110, 443, 8080, or 8090.
To support ports 8080 and 8090 change the settings for Security > Authentication > Advanced Settings > Access controller ports.
• must be using the same proxy server address and port number for both HTTP
and HTTPS.
• must not be using 802.1x.
Enabling this feature reduces the maximum number of supported wireless
customers to 50.
The RADIUS server
Main tasks
The RADIUS server is a key component of the public access infrastructure. It is
used to perform a variety of tasks, including:
• authenticating the CN3200
• authenticating administrator logins
• authenticating customer logins
• storing accounting information for each customer
• storing customization information for the public access interface
Authenticating the CN3200 and storing config information
The CN3200 authenticates itself to a RADIUS server each time:
• it is powered up
• it is restarted
• the authentication interval expires (configured via the management tool)
At each authentication, the following configuration information is retrieved if
defined in the RADIUS profile for the CN3200:
• Access list defining the resources unauthenticated customers can access.
• URLs specifying the location of customized Web pages and supporting files.
• A URL specifying the location of a custom security certificate.
• A URL specifying the location of a configuration file.
• The MAC addresses of devices to authenticate.
• The default idle timeout for customer sessions.
• The default address for the SMTP redirection
When you set up a profile for the CN3200 on the RADIUS server you define this
information in the form of a Colubris Networks vendor-specific attribute. For
details see page 214.
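The RADIUS exchange behind both the CN3200's own authentication described above and the customer logins covered under "Customer authentication" (RFC 2865), as an added example that is not Colubris code: the client builds an Access-Request with the hidden User-Password, the server answers an Access-Accept carrying a session limit and a vendor-specific attribute, and the client verifies the Response Authenticator before acting on any of it. The shared secret, credentials and vendor id are placeholders; the Colubris enterprise number and the layout of its vendor-specific attribute are not given on this page.

```python
"""RFC 2865 Access-Request / Access-Accept exchange (added example, not Colubris code).
Models what an access controller like the CN3200 does at a customer login: hide the
User-Password under the shared secret, then verify the Response Authenticator before
trusting session limits or vendor-specific attributes in the reply. Secret, credentials
and the vendor id are placeholders; the Colubris enterprise number is not on this page.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC, SESSION_TIMEOUT = 1, 2, 26, 27
PLACEHOLDER_VENDOR_ID = 99999  # placeholder, not the real Colubris enterprise number

def encode_attr(attr_type, value):
    """Attribute TLV: type, length including the 2-byte header, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def encode_vsa(vendor_id, vendor_type, data):
    """Vendor-Specific (26): 4-byte vendor id, then one vendor TLV (RFC 2865 s5.26)."""
    inner = bytes([vendor_type, len(data) + 2]) + data
    return encode_attr(VENDOR_SPECIFIC, struct.pack(">I", vendor_id) + inner)

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ s for c, s in zip(block, stream)), block
    return out.rstrip(b"\x00")

def build_access_request(identifier, username, password, secret, request_auth):
    """Client side. request_auth must be 16 unpredictable bytes in real use (os.urandom);
    it is passed in here so the exchange can be replayed deterministically in a test."""
    body = (encode_attr(USER_NAME, username)
            + encode_attr(USER_PASSWORD, hide_password(password, secret, request_auth)))
    return struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body

def build_access_accept(identifier, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = b"".join(attrs)
    header = struct.pack(">BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def response_is_authentic(response, request_auth, secret):
    """Client side: a reply forged without the secret, or replayed against a different
    request, fails this check and its attributes must not be acted on."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(resp_auth, expected)

def parse_attrs(data):
    """Walk the attribute list, rejecting lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def parse_vsa(value):
    """Split a Vendor-Specific value into (vendor id, [(vendor type, data), ...])."""
    return struct.unpack(">I", value[:4])[0], parse_attrs(value[4:])

def demo(secret=b"placeholder-shared-secret"):
    """One genuine exchange plus a forged Accept; returns what each side observed."""
    ra = b"\x01" * 16  # fixed only for the demo; see build_access_request
    req = build_access_request(7, b"alice", b"s3cret!", secret, ra)
    seen_by_server = dict(parse_attrs(req[20:]))
    recovered = reveal_password(seen_by_server[USER_PASSWORD], secret, req[4:20])
    accept = build_access_accept(7, ra, [
        encode_attr(SESSION_TIMEOUT, struct.pack(">I", 3600)),
        encode_vsa(PLACEHOLDER_VENDOR_ID, 1, b"access-list=staff")], secret)
    forged = build_access_accept(7, ra, [encode_attr(SESSION_TIMEOUT, struct.pack(">I", 86400))],
                                 b"attacker-guess")
    reply = dict(parse_attrs(accept[20:]))
    return {"recovered_password": recovered,
            "accept_authentic": response_is_authentic(accept, ra, secret),
            "forged_authentic": response_is_authentic(forged, ra, secret),
            "session_timeout": struct.unpack(">I", reply[SESSION_TIMEOUT])[0],
            "vendor": parse_vsa(reply[VENDOR_SPECIFIC])}
```

The forged Accept fails the authenticator check only because the attacker lacks the shared secret, which is why that secret between each CN3200 and its RADIUS server needs to be long, unique and carried over the VPN tunnel the manual recommends.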
Authenticating customers and storing accounting information
See page 30 for details.
Authenticating administrator logins
The RADIUS server can also be used to authenticate administrator logins. This
enables you to have multiple administrators, each with their own username and
password, instead of the single account controlled on the Management > Management tool page.
More information
For information on configuring the RADIUS server, see:
• Chapter 16, which explains all the settings you can define on the RADIUS
server for your customer accounts and network operation.
• Chapter 18, which provides a walkthrough of a sample RADIUS configuration
using Steel-belted Radius.
• Chapter 19, which provides a walkthrough of a sample RADIUS configuration
using Microsoft's RADIUS server: Internet Authentication Service.
Customer authentication
This manual uses the term customer to refer to any person or device that logs
into the public access network created by the CN3200.
Customers can be authenticated in several ways.
RADIUS server
This method enables you to use the services of a RADIUS server to manage
your customers, track and manage connection time, and generate billing
information.
Once the customer is authenticated, configuration information is retrieved for the
customer. This includes settings for:
• Connection time limit for the customer’s session.
• Idle time limit for the customer’s session.
• Access list for the customer.
• Address of the e-mail server to use for redirection of the customer’s e-mail.
• URLs specifying the location of customized Welcome and Goodbye pages for
the customer.
When you define a profile for each customer on the RADIUS server you define
this information in the form of regular RADIUS attributes and a Colubris Networks
vendor-specific attribute. See “Creating customer profiles on the RADIUS server”
on page 225 for more information.
Local user list
The CN3200 enables you to create local accounts that bypass RADIUS
authentication and accounting. To log in, customers use the public access
interface, but instead of using the RADIUS server, authentication is handled
directly by the CN3200 and no RADIUS accounting information is logged. These
accounts are useful for system administrators and management personnel.
Note: Local users must use HTML to log in. WPA/802.1x users must be
authenticated via RADIUS.
To set up these accounts, log in to the management tool and open the Security >
User List page.
MAC-based authentication
The CN3200 can authenticate devices based on their MAC address. This is
useful for authenticating devices that do not have a web browser (cash registers,
for example). These devices do not log in through the public access interface,
rather, as soon as the CN3200 sees their MAC address appear on the network,
the CN3200 attempts to authenticate them. To set up these accounts, see page
223.
WPA/802.1x
The CN3200 provides full support for users with 802.1x or WPA client software.
The CN3200 terminates the session and authenticates users via an external
RADIUS server or by using preshared keys (WPA only).
The CN3200 supports 802.1x client software that uses EAP-TLS, EAP-TTLS,
and PEAP. Dynamic key rotation is supported.
Chapter 3
Planning your installation
This chapter provides sample deployment strategies for two common
scenarios. These scenarios will give you a good idea on how to approach
your installation.
Multi-site installation
[Figure: multi-site installation. The Network Operating Center (SMTP server, Web/FTP server, RADIUS server, DNS/DHCP server, management station, VPN server) sits behind a router/firewall; Site #1, Site #2 and Site #3 each have a CN3200, and sites #1 and #3 also have CN300 satellites, all providing public wireless cells]
About this installation
• A single CN3200 is installed along with one or more CN300 satellites at sites
#1 and #3.
• At site #2, the CN3200 provides a wireless network and is also connected to a
LAN to enable a number of wired computers to act as public access stations.
• Each CN3200 is connected to the Internet via a broadband modem. The
Internet connection is protected by the CN3200’s firewall.
• A VPN connection is established between each CN3200 and the VPN server at
the NOC. This protects all management traffic exchanged between the
CN3200s and the NOC, which includes:
• RADIUS authentication and accounting data.
• Management session used to control CN3200 configuration and firmware
updates.
• Centralized management of customer profiles on the RADIUS server enables
customers to log in at any location.
Installation strategy
General configuration tasks
Step 1: Set up and configure profiles on the RADIUS server(s). See pages 213 to 232.
Step 2: Create custom web pages for the public access interface (optional). See Chapter 15.
Step 3: Create custom certificates (optional). See Chapter 14.
Site #1 and #3
Step 1: Set up the CN3200. See Chapter 4.
Step 2: Establish a connection to the management tool. See pages 44 and 46.
Step 3: Define management tool security settings. See page 49.
Step 4: Configure and deploy the multi-cell wireless network with the CN300s. See Chapter 6.
Step 5: Configure the Internet connection and firewall. See Chapter 8.
Step 6: Start the public access interface. See Chapter 9.
Step 7: Configure a VPN connection to the NOC. See Chapter 10.
Site #2
Step 1: Set up the CN3200. See Chapter 4.
Step 2: Establish a connection to the management tool. See pages 44 and 46.
Step 3: Define management tool security settings. See page 49.
Step 4: Configure the wireless network. See Chapter 6.
Step 5: Connect the CN3200 to the local wired LAN. See Chapter 7.
Step 6: Configure the Internet connection and firewall. See Chapter 8.
Step 7: Start the public access interface. See Chapter 9.
Step 8: Configure a VPN connection to the NOC. See Chapter 10.
Multi-area installation
[Figure: multi-area installation. The Network Operating Center (CN1500, SMTP server, Web/FTP server, RADIUS server, management station, modem) is joined to Area #1, Area #2 and Area #3 over the backbone LAN; each area has a CN3200, and areas #1 and #3 also have CN300 satellites, all providing public wireless cells]
About this installation
• A single CN3200 is installed along with one or more CN300 satellites at areas
#1 and #3.
• At area #2, the CN3200 provides a wireless network and is also connected to a
LAN to enable a number of wired computers to act as public access stations.
• Each CN3200 is connected to the NOC via the backbone LAN.
• Centralized management of customer profiles on the RADIUS server enables
customers to log in to the wireless network in any area.
Installation strategy
General configuration tasks
Step 1: Set up and configure profiles on the RADIUS server(s). See pages 213 to 232.
Step 2: Create custom web pages for the public access interface (optional). See Chapter 15.
Step 3: Create and install a custom certificate (optional). See Chapter 14.
Area #1 and #3
Step 1: Install the CN3200. See Chapter 4.
Step 2: Establish a connection to the management tool. See pages 44 and 46.
Step 3: Define management tool security settings. See page 49.
Step 4: Configure and deploy the multi-cell wireless network with the CN300s. See Chapter 6.
Step 5: Connect the Internet port to the backbone LAN and configure IP addressing. See page 79.
Step 6: Start the public access interface. See Chapter 9.
Area #2
Step 1: Install the CN3200. See Chapter 4.
Step 2: Establish a connection to the management tool. See pages 44 and 46.
Step 3: Define management tool security settings. See page 49.
Step 4: Configure the wireless network. See Chapter 6.
Step 5: Connect the CN3200 to the local wired LAN. See Chapter 7.
Step 6: Connect the Internet port to the backbone LAN and configure IP addressing. See page 79.
Step 7: Start the public access interface. See Chapter 9.
Chapter 4
Installation
This chapter provides an overview of the CN3200 hardware and explains
how to install it.
Anatomy
[Figure: CN3200 unit with callouts for the antenna connectors, LAN port, Internet port, serial port, power connector, power light, Ethernet light, wireless light, and reset button]
Antenna connectors
The CN3200 has two antenna connectors. Both can transmit and receive. If a
single antenna is used it can be attached to either connector.
The connectors are SMA male with reverse polarity. This means antennas or cable
connectors must be SMA female with reverse polarity. Antennas should be 2 dBi or less
and can be either directly attached or attached via a coax cable.
Antenna diversity
The CN3200 supports antenna diversity. One benefit of this feature is that for a
given client station connection, the CN3200 always transmits on the antenna on
which it received from that station.
If transmission fails, the CN3200 automatically switches antennas and retries.
The CN3200 has three ports:
LAN port
The CN3200 has two antenna connectors. Both can transmit and receive. If a
single antenna is used it can be attached to either connector. The connectors are
SMA male with reverse polarity. This means antennas or cable connectors must
be SMA female with reverse polarity. Antennas should be 2 dBi or less and can
be either directly attached or attached via a coax cable.
Serial port
For future use. Do not connect this port to telecommunications equipment or a phone line.
Internet port
10/100 mbps Ethernet port with RJ-45 connector. Do not connect this port directly to a
metropolitan area network (MAN) or wide area network (WAN).
Powering the CN3200
There are two ways to power the CN3200: DC adapter or PoE.
DC power adapter
The supplied DC power adapter provides 2 A at 5 V.
Important: The power adapter is not rated for use in plenum installations.
Power over Ethernet (PoE)
The CN3200 supports PoE on the LAN port and can be used with any IEEE
802.3af-compliant power injector.
Important: Cisco PoE injectors are not compliant with IEEE 802.3af and cannot
be used with the CN3200.
Status lights
The status lights provide the following operational information.
Power
  on        The CN3200 is fully operational.
  flashing  The CN3200 is starting up.
  off       Power is off.
Ethernet
  on        LED comes on for a short period when the link is established.
  flashing  Indicates that either port is transmitting or receiving.
  off       Ports are not connected or there is no activity.
Wireless
  flashing  Wireless port is receiving data.
Startup behavior
When power is applied to the CN3200, the power light will start flashing. When
the power light stops flashing, initialization is complete and the CN3200 is fully
operational.
Radio
The CN3200 provides support for IEEE 802.11a and 802.11b/g technologies in a
single radio which can be configured in real time for complete flexibility of
operation.
• When operating in 802.11a mode, the radio supports data rates of up to 54
Mbps and eight non-overlapping channels.
• When operating in 802.11b/g mode, the radio provides data rates up to 54
Mbps and three non-overlapping channels to support both 802.11b and
802.11g client stations.
Reset button
The reset button is located on the rear of the CN3200. Use the end of a paper
clip or another pointy object to press the button.
Restarting
Press and release the button quickly to restart the CN3200. This is equivalent to
disconnecting and reconnecting the power. The CN3200 will restart immediately.
Resetting to factory defaults
To reset the CN3200 to its factory default settings, do the following:
1. Press and hold the reset button. All the lights on the CN3200 front panel will
light up.
2. When the lights begin to flash (after about five seconds), immediately release
the button.
3. The CN3200 will restart with factory default settings. When the power light
stops flashing, the CN3200 is fully operational.
Important: Resetting the CN3200 deletes all your configuration settings, resets
the Administrator username and password to ‘admin’, and sets the Wireless port
IP address to 192.168.1.1 and the LAN port IP address to 192.168.4.1.
The management tool can also be used to reset the CN3200 to its factory
defaults. See “Configuration management” on page 53 for details.
Installing the CN3200
Important: Installation must be performed by a professional installer familiar with
local regulations governing wireless devices.
Mounting the CN3200
When mounting the CN3200 on a wall, ceiling or other surface, make sure that:
• the surface you attach the CN3200 to and the fasteners you use are able to
support at least 5.1 kg (11.25 pounds)
• cable pull (accidental or otherwise) must not make the unit exceed the 5.1 kg
(11.25 pound) limit
Plenum installations
Plenum rated cables and attachment hardware must be used if the CN3200 is
installed in a plenum. Since the power adapter is not rated for plenum
installations, only the CN3200 and appropriate cabling can be located in the
plenum.
Note: If Colubris Networks-supplied PoE injectors are used in a plenum
installation, they must be located outside the plenum.
Configuring the CN3200
Before attaching the CN3200 to your network, it is recommended that you start
the management tool and define basic configuration settings as described in
Chapter 5.
By default, the CN3200 is configured to operate as a DHCP server with a
network address of 192.168.1.1 on the wireless port and 192.168.4.1 on the LAN
port.
The Internet port is configured to operate as a DHCP client.
Refer to Chapter 7 for complete instructions on how to attach the CN3200 to your
network.
Chapter 5: The management tool
This chapter provides an overview of the Web-based management tool
and explains how to use it to perform management and configuration
tasks.
Overview
The management tool is a Web-based interface to the CN3200 that provides
easy access to all configuration functions.
Important: Only one administrator can be logged into the management tool at a
given time. If a second administrator logs in while the first is connected, the first
administrator is logged out.
Management station
The management station is the computer that you use to connect to the
management tool. To act as a management station, a computer must:
• have a JavaScript-enabled Web browser installed (Netscape 4.04 or higher, or
Internet Explorer 5.0 or higher)
• be able to establish an IP connection with the CN3200
Configuring the management station for wireless access
Install and configure the wireless adapter in the management station according
to the directions that came with it. During installation make sure that:
• encryption is disabled
• TCP/IP is installed and configured. IP addressing can be either static or DHCP.
A unique feature of the CN3500 is its ability to support connections from client
stations that have a preconfigured static IP address.
• the SSID is set to “Colubris Networks”
Configuring the management station for wired access
Install and configure a network adapter in the management station according to
the directions that came with it. During installation make sure that:
• TCP/IP is installed and configured. IP addressing can be either static or DHCP.
A unique feature of the CN3500 is its ability to support connections from client
stations that have a preconfigured static IP address.
Management scenarios
The CN3200 can be managed both locally and remotely for complete flexibility.
The following management scenarios are supported:
[Figure: local management and remote management scenarios.]
Default settings
The following are some important default settings.
Wireless port
• IP address: 192.168.1.1
• Wireless network name: Colubris Networks
• Operating frequency: Channel 10
• ESSID broadcast: On
• Relay between wireless stations: Off
• Security: None
LAN port
• IP address: 192.168.1.1
• DHCP server: On
Internet port
• IP address: (DHCP client is active)
• Firewall: High security
Management tool
• Allow access via LAN port and port
• Login name: admin
• Password: admin
Starting the management tool
1. Start your Web browser.
2. Press Enter. You will be prompted to accept a Colubris Networks security
certificate. Do so to continue. (To eliminate this warning message you can
install your own certificate as described in Chapter 14.)
To safeguard the security of the CN3200, access to the management tool
must occur via a secure connection. Before this connection can be
established, you must accept a Colubris Networks security certificate. The
procedure for accepting the certificate varies depending on the browser you
are using.
3. After you accept the Colubris Networks certificate, the management tool
home page opens.
By default, the username and password are both set to admin.
Menu summary
The following is a brief overview of the management tool menu options. For
detailed information on each option and its parameters, consult the online
help, which is available by clicking the help icon that appears in the top right
corner of most boxes:
Home
Displays basic status information on the operation of the CN3200. For a
description of the information on the home page, see page 14.
Wireless
Wireless overview
Provides a summary of important wireless settings.
Wi-Fi
Use this page to configure the operating characteristics of the wireless network.
WLAN profiles
Use this page to define multiple SSIDs.
Wireless links
Use this page to define point-to-point links to other access points.
Neighborhood
Use this page to do a site survey and discover other wireless access points that
are operating nearby.
Network
Address allocation
Lets you configure the CN3200 to act as a DHCP server or DHCP relay agent,
and also to set up bandwidth management.
IP routes
Lets you define routes to send traffic to the appropriate destination. This is useful
when the CN3200 is connected to a wired LAN which provides access to other
networks.
DNS
Enables you to override the default DNS servers assigned to the CN3200.
GRE
Lets you define GRE tunnels.
NAT
Lets you define static IP routes to make computers on the internal network
(WLAN or a connected wired LAN) visible to external computers. For example,
this can be used to run an FTP or Web server on the internal network.
RIP
Configures support for RIP.
Security
The security menu lets you define all security-related settings.
RADIUS
This is where you define the settings the CN3200 uses to communicate with
external RADIUS servers.
Firewall
Configures the settings for the built-in firewall that protects the Internet port.
PPTP client
Configures the settings for the PPTP client which enables the CN3200 to
establish a secure connection to a remote PPTP server via the Internet port.
IPSec
Configures the settings for the IPSec client which enables the CN3200 to
establish a secure connection to an IPSec peer via the Internet port.
Certificates
Use this option to manage the SSL certificates used by the CN3200.
Users
This is where you define user accounts when customer authentication is handled
directly by the CN3200, rather than using a RADIUS server.
Management
The management menu enables you to configure the operation of the
management tool and its SNMP implementation.
Management tool
Use this page to set the admin name and password, and define security
parameters that control access to the management tool.
SNMP
Configures SNMP properties and security settings.
System time
Configures system time.
Lets you view the status of other active Colubris access points.
Status
Use this option to view the status of the various components on the CN3200.
Tools
Provides diagnostic tools that can be used to investigate anomalies. Generally,
you will use these only under the direction of your reseller. These tools also
enable you to view the system log. The system log contains a record of all
significant events that occur on the CN3200. This information is useful when
troubleshooting the CN3200 with the assistance of your reseller. If needed, the
system log can be configured to forward entries to a remote syslog server on the
LAN or via the Internet.
Maintenance
Lets you manage configuration and firmware files and save system information
for troubleshooting purposes.
Management tool security
The management tool is protected by the following security features.
Administrator password
Access to the CN3200 management tool is protected by a username and
password to safeguard configuration settings. The factory default setting for both
is admin. It is recommended that you change both.
To change the username and/or password, do the following:
1. On the main menu, click Management. The Management tool configuration
page opens.
2. In the Administrator authentication box, enter the new username, current
password, the new password, and then repeat the new password for
confirmation.
3. Click Save when you are done.
Validating administrator logins using a RADIUS server
You can use a RADIUS server to authenticate logins to the management tool.
One advantage of this is that it enables you to create several administrator
accounts, each with its own username and password.
Important: Make sure that the RADIUS profile you select is configured and that
the administrator account is defined on a functioning RADIUS server. If not, you
will not be able to log back into the CN3200 because the administrator password
cannot be authenticated.
To set up RADIUS authentication, do the following:
1. On the main menu, click Security then click RADIUS.
2. Click Add a New Profile.
3. Define the settings for the RADIUS profile you want to use to validate
administrator logins. Either use an existing profile or add a new profile.
4. Click Save.
5. On the main menu, click Management.
6. Click Management tool.
7. In the Administrator authentication box, select the RADIUS server you
defined in step 2.
8. Click Save.
If you forget the administrator password
The only way to gain access to the management tool if you forget the
administrator password is to reset the CN3200 to factory default settings. See
“Resetting to factory defaults” on page 40.
Connection security
To maintain the integrity of the configuration settings, only one user can be
connected to the management tool at a given time. To prevent the management
tool from being locked up by an idle user, two mechanisms are in place:
• If a user’s connection to the management tool remains idle for more than ten
minutes, the CN3200 automatically logs the user out.
• If a second user connects to the management tool and logs in with the correct
username and password, the first user’s session is terminated.
HTTPS
Communications between the management station and the CN3200 occur via
HTTPS. Before logging onto the management tool, users must accept a Colubris
Networks certificate. You can replace this certificate with your own. For more
information, see Chapter 14.
Remote management security
Secure remote management is possible using the integrated PPTP and IPSec
client software. This enables the CN3200 to create a secure tunnel to a remote
server using a public network (Internet). This can also be used to secure
automatic configuration updates and communications with a remote RADIUS
server or Web server. For details, see Chapter 10.
Security settings
The CN3200 can be managed both locally and remotely for complete flexibility.
Management occurs via the Web-based management tool which resides on the
CN3200. For details see “Management scenarios” on page 44.
To configure security options
1. On the main menu, click Management. The Management tool configuration
page opens.
2. In the Security box, enable the management options you require. The
options are described in the section that follows.
3. Click Save.
Security options
Allowed addresses
Lets you define a list of IP addresses from which access to the management tool
is permitted. To add an entry, specify the IP address and appropriate mask and
click Add.
When the list is empty, access is permitted from any IP address.
Active interfaces
Choose the interfaces through which client stations will be able to access the
management tool.
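The access rules described in this section (the allowed-addresses list with masks, a single administrator session that a second correct login replaces, and the ten-minute idle logout) can be modelled as a small state machine. The Python below is an added example written for this edition, not Colubris code; the addresses, timestamps and credentials it uses are constructed sample values, and the order in which it consults the address list before the credentials is an assumption.

```python
"""Model of the CN3200 management-tool access rules described above.

Added example, not Colubris code. It reproduces three documented rules so
an administrator can reason about them before changing the settings:
  - Allowed addresses: (address, mask) entries; an empty list permits any
    source address.
  - One session at a time: a second correct login terminates the first.
  - Idle timeout: a session idle for more than ten minutes is logged out.
Addresses, timestamps and credentials below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

IDLE_LIMIT_SECONDS = 10 * 60  # "idle for more than ten minutes"


@dataclass
class Session:
    user: str
    source: str
    last_activity: float  # seconds; a real implementation would use time.time()


@dataclass
class ManagementTool:
    username: str = "admin"  # factory default
    password: str = "admin"  # factory default; the manual recommends changing both
    allowed: List[ipaddress.IPv4Network] = field(default_factory=list)
    session: Optional[Session] = None

    def add_allowed(self, address: str, mask: str) -> None:
        """Equivalent of entering an address and mask and clicking Add."""
        self.allowed.append(ipaddress.ip_network(f"{address}/{mask}", strict=False))

    def address_permitted(self, source: str) -> bool:
        """Empty list = any address; otherwise the source must fall in an entry."""
        if not self.allowed:
            return True
        src = ipaddress.ip_address(source)
        return any(src in net for net in self.allowed)

    def expire_idle(self, now: float) -> bool:
        """Log the current user out if idle for more than the limit."""
        if self.session and now - self.session.last_activity > IDLE_LIMIT_SECONDS:
            self.session = None
            return True
        return False

    def login(self, user: str, password: str, source: str, now: float) -> str:
        """Return 'blocked', 'denied', 'ok' or 'ok-replaced'."""
        # Assumption: the address list is consulted before the credentials.
        if not self.address_permitted(source):
            return "blocked"
        if (user, password) != (self.username, self.password):
            return "denied"
        self.expire_idle(now)
        replaced = self.session is not None
        self.session = Session(user, source, now)  # first user's session ends
        return "ok-replaced" if replaced else "ok"

    def touch(self, now: float) -> bool:
        """Record activity; False if there is no session or it had already expired."""
        if self.expire_idle(now) or self.session is None:
            return False
        self.session.last_activity = now
        return True


def demo() -> dict:
    """Walk through the documented behaviours with constructed values."""
    tool = ManagementTool()
    tool.add_allowed("192.168.4.0", "255.255.255.0")  # constructed LAN range
    r = {}
    r["outside"] = tool.login("admin", "admin", "10.9.8.7", now=0)
    r["first"] = tool.login("admin", "admin", "192.168.4.20", now=0)
    r["idle9"] = tool.touch(now=9 * 60)             # under the limit, stays logged in
    r["idle11"] = tool.touch(now=9 * 60 + 11 * 60)  # 11 min since last activity: logged out
    r["second"] = tool.login("admin", "admin", "192.168.4.21", now=30 * 60)
    r["takeover"] = tool.login("admin", "admin", "192.168.4.22", now=31 * 60)
    r["session_source"] = tool.session.source
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```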
Firmware management
The firmware is special software that controls the operation of the CN3200.
Periodically, Colubris Networks will make new versions of the firmware available.
Firmware updates can be handled manually, automatically, or with a tool like
cURL.
Manual update
1. On the Maintenance menu, click Firmware updates.
2. In the Download firmware box, click the Download button to retrieve the
latest firmware from the Colubris Networks web site and save it to your
computer’s hard drive.
3. Unzip the file.
4. In the Install firmware box, click the Browse button and select the *.cim file
you just unzipped.
5. Click Install.
Note: The CN3200 will automatically restart after the firmware has been installed
to activate it. This will disconnect all client stations. Once the CN3200 resumes
operation, all client stations will have to reconnect.
Note: Configuration settings are preserved during firmware upgrades.
Scheduled install
The CN3200 can automatically retrieve and install firmware from a local or
remote URL. By placing CN3200 firmware on a web or FTP server, you can
automate the update process for multiple units.
When the update process is triggered, the CN3200 retrieves the first few bytes of
the firmware file to determine if it is different from the active version. If different,
the firmware is downloaded and installed. Configuration settings are preserved.
However, all connections will be terminated, forcing customers to log in again.
Using cURL
It is possible to automate management tasks using a tool like cURL. cURL is a
software client that can be used to get/send files to/from a server using a number
of different protocols (HTTP, HTTPS, FTP, GOPHER, DICT, TELNET, LDAP or
FILE).
cURL is designed to work without user interaction or any kind of interactivity. It is
available for Windows and LINUX at: http://curl.haxx.se/. You must use version
7.9.8 or higher.
The following cURL commands illustrate how to update the firmware. The
following setup is assumed:
• IP address of the CN3200’s Internet port is 24.28.15.22.
Configuration management
The configuration file contains all the settings that customize the operation of the
CN3200.
You can save and restore the configuration file manually, automatically, or with a
tool like cURL.
Manual management
Use the Config file management option on the Maintenance menu to manage
your configuration file.
The following three options are available:
Backup configuration file
This option enables you to back up your configuration settings so they can be
easily restored in case of failure. This option is also used when you want to
directly edit the configuration file. See Chapter 21 for details.
Reset configuration
Use this option to return the configuration of the CN3200 to its factory default
settings.
Note: Resetting sets the administrator password to ‘admin’ and resets all
configuration settings.
Restore configuration file
Enables you to restore a configuration from a previously saved backup.
This feature enables you to maintain several configuration files with different
settings, which can be useful if you frequently need to alter the configuration of
the CN3200, or if you are managing several CN3200s from a central site.
Using cURL
It is possible to automate management tasks using a tool like cURL. cURL is a
software client that can be used to get/send files to/from a server using a number
of different protocols (HTTP, HTTPS, FTP, GOPHER, DICT, TELNET, LDAP or
FILE).
cURL is designed to work without user interaction or any kind of interactivity. It is
available for Windows and LINUX at: http://curl.haxx.se/. You must use version
7.9.8 or higher.
The following cURL commands illustrate how to manage the configuration file.
The following setup is assumed:
• IP address of the CN3200’s Internet port is 24.28.15.22.
Chapter 6: WLAN configuration
This chapter explains how to set up a wireless network with the CN3200.
Setting up the wireless LAN
Configuration procedure
1. On the main menu, click Wireless, and then click Wi-Fi. The Wireless
configuration page opens.
2. Configure the parameters as described in the sections that follow.
3. Click Save when you are done.
Access point
Enable this option to activate the wireless access point. When this option is
disabled, wireless client stations will not be able to connect.
WLAN name (SSID)
Specify a name to uniquely identify your wireless network. Each client computer
that wants to connect to the CN3200 must use this name. The name is
case-sensitive.
Maximum number of wireless client stations
Specify the maximum number of wireless client stations that can be connected to
the CN3200 at the same time.
Important: The total number of wireless connections that can be active at any
given time across all WLAN profiles is 100.
Broadcast WLAN name (SSID)
When this option is enabled, the CN3200 will broadcast its wireless network
name (SSID) to all client stations. Most wireless adapter cards have a setting that
enables them to automatically discover access points that broadcast their names
and automatically connect to the one with the strongest signal.
If you disable this option, client stations will have to specify the network name you
enter for WLAN name when they connect.
Radio
Regulatory domain
This parameter is not supported for all wireless cards. It will only appear when
the appropriate wireless card is installed in the CN3200.
Choose your country. This changes the available operating frequencies
according to the regulatory standards in your country.
Wireless mode
Choose the mode the radio will operate in.
Operating frequency
Select the frequency the CN3200 will operate at. The frequencies that are
available are determined by the radio installed in your CN3200 and the
regulations that apply in your country.
For optimum performance, choose a frequency that differs from other wireless
access points operating in neighboring cells by at least 25 MHz. For more
information see “Configuring overlapping wireless cells” on page 66. Consult the
Wireless > Neighborhood page to view a list of access points currently
operating in your area. (If this option is not visible, it is not supported by the radio
installed in the CN3200.)
Best channel detected
The CN3200 automatically scans all available channels and lists the channel with
the best signal quality. Use this as a guide to select the best operating frequency.
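To make the 25 MHz rule concrete, here is an added Python example (not Colubris code) that, given the 802.11b/g channels of the neighboring access points as a Wireless > Neighborhood survey would list them, returns the channels that keep at least 25 MHz of separation from all of them. It models only the 2.4 GHz 802.11b/g band, and the neighbor channels it uses are constructed sample data.

```python
"""Channel-separation helper for the 25 MHz rule described above.

Added example, not Colubris code. Given the 802.11b/g channels reported by
nearby access points (as the Wireless > Neighborhood page would list them),
it returns the channels whose center frequency differs from every neighbor
by at least 25 MHz. Only the 2.4 GHz 802.11b/g band is modelled; 802.11a
channel spacing is not. Neighbor lists used below are constructed data.
"""
from typing import Iterable, List

MIN_SEPARATION_MHZ = 25


def center_frequency_mhz(channel: int) -> int:
    """2.4 GHz channel centers: 1..13 step 5 MHz from 2412; channel 14 is 2484."""
    if 1 <= channel <= 13:
        return 2412 + 5 * (channel - 1)
    if channel == 14:
        return 2484
    raise ValueError(f"channel {channel} is not an 802.11b/g channel")


def separated(a: int, b: int) -> bool:
    """True when channels a and b are at least MIN_SEPARATION_MHZ apart."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) >= MIN_SEPARATION_MHZ


def candidate_channels(neighbors: Iterable[int],
                       available: Iterable[int] = range(1, 15)) -> List[int]:
    """Channels that keep the required separation from every neighboring cell.

    Restrict `available` to the channels your regulatory domain permits."""
    neighbor_list = list(neighbors)
    return [ch for ch in available if all(separated(ch, n) for n in neighbor_list)]


def non_overlapping_set(available: Iterable[int] = range(1, 15)) -> List[int]:
    """Greedy choice of mutually separated channels; gives 1, 6 and 11, the
    three non-overlapping 802.11b/g channels the Radio section refers to."""
    chosen: List[int] = []
    for ch in available:
        if all(separated(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    survey = [1, 11]  # constructed: two neighbors seen on channels 1 and 11
    print("candidates:", candidate_channels(survey))   # [6]
    print("non-overlapping:", non_overlapping_set())    # [1, 6, 11]
```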
Distance between access points
Use this parameter to adjust the receiver sensitivity of the CN3200. This
parameter should only be changed if:
• you have more than one wireless access point installed in your location
• you are experiencing throughput problems
In all other cases, use the default setting of Large.
If you have installed multiple CN3200s, reducing the receiver sensitivity of the
CN3200 from its maximum will help to reduce the amount of crosstalk between
the wireless stations to better support roaming clients. By reducing the receiver
sensitivity, client stations will be more likely to connect with the nearest access
point.
RTS threshold
Use this parameter to control collisions on the link that can reduce throughput. If
the Status > Wireless page shows increasing values for Tx multiple retry frames
or Tx single retry frames, you should adjust this value until the errors clear up.
Start with the largest value and slowly decrease until errors are minimized. Note
that using a small value for RTS threshold can affect throughput.
How it works
If a packet is larger than the threshold, the local CN3200 will hold it and issue a
request to send (RTS) message to the remote CN3200. Only when the remote
CN3200 replies with a clear to send (CTS) message will the local CN3200 send
the packet. Packets smaller than the threshold are transmitted without this
handshake.
Transmit power
This parameter is not supported for all wireless cards. It will only appear when
the appropriate wireless card is installed in the CN3200.
Use this parameter to set the transmission power of the wireless radio.
Depending on the card you may have the option of selecting values from a list or
by directly specifying power in dBm.
Important: Regardless of the power value you set, the maximum power output
will be adjusted internally based on the selected regulatory domain (if supported)
and operating frequency.
List values
• HIGH: Sets the maximum transmission power the wireless card is capable of. It
will be either 100 mW (20 dBm) or 200 mW (23 dBm) for North America.
• MEDIUM: 17 dBm
• LOW: 13 dBm
Wireless port
IP address
Specify the IP address you want to assign to the wireless port. By default, this is
192.168.1.1.
Note: Changing the IP address of the wireless port will cause you to lose contact
with the management tool. To reconnect, restart your computer or release/renew
your IP address, and enter the new address into your browser.
Note: If wireless client stations are currently using the CN3200, changing the IP
address will cause them to lose their connections. To reconnect, each client must
reboot or release/renew its IP address.
Mask
Specify the appropriate subnet mask for the IP address you specified.
Wireless protection
Select the type of protection you want to use for the wireless network.
WPA
This option enables support for users with WPA client software.
Key transmission protection
This option determines how the TKIP keys are generated.
• RADIUS: The CN3200 obtains the MPPE key from the RADIUS server. This is
a dynamic key that changes each time the user logs in and is authenticated.
The MPPE key is used to generate the TKIP keys that encrypt the wireless
data stream.
• Preshared Key: The CN3200 uses the key you specify to generate the TKIP
keys that encrypt the wireless data stream. Since this is a static key, it is not as
secure as the RADIUS option.
Key/Confirm key
Specify a key that is between 8 and 64 characters in length.
802.1x
This option enables support for users with 802.1x client software. The CN3200
supports 802.1x client software that uses EAP-TLS, EAP-TTLS, and PEAP.
RADIUS profile
Select the RADIUS profile the CN3200 will use to validate user logins.
Dynamic WEP encryption
Enable the use of dynamic WEP keys for all 802.1x sessions. Dynamic key
rotation occurs on key 1, which is the broadcast key. Key 0 is the pairwise key. It
is automatically generated by the CN3200.
WEP
Key 1, 2, 3, 4
The number of characters you specify for a key determines the level of encryption
the CN3200 will provide.
• For 40-bit encryption, specify 5 ASCII characters or 10 HEX digits.
• For 128-bit encryption, specify 13 ASCII characters or 26 HEX digits.
When encryption is enabled, wireless stations that do not support encryption
cannot communicate with the CN3200. The definition for each encryption key
must be the same on the CN3200 and all client stations. Keys must also be in the
same position. For example, if you are using key 3 to encrypt transmissions, then
each client station must also define key 3 to communicate with the CN3200.
Transmission key
Select the key the CN3200 will use to encrypt transmitted data. All four keys are
used to decrypt received data.
Key format
Select the format you used to specify the encryption keys:
ASCII
ASCII keys are much weaker than carefully chosen HEX keys. You can include
ASCII characters between 32 and 126, inclusive, in the key. However, note that
not all client stations support non-alphanumeric characters such as spaces,
punctuation, or special symbols in the key.
HEX
Your keys should only include the following digits: 0-9, a-f, A-F
Dynamic keys
WEP key length
This setting determines the level of encryption the CN3200 will provide for 802.1x
and WPA.
Key change interval
Specifies how often key rotation occurs for 802.1x and WPA.
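An added Python example (not Colubris code) that checks WPA preshared keys and static WEP keys against the length and character rules given above, renders an ASCII WEP key as the equivalent HEX digits for clients that only accept HEX, and confirms that a client's keys sit in the same slots as the CN3200's. The same rules apply to the per-profile WEP and WPA settings described under Wireless profiles; the sample keys are constructed values.

```python
"""Validator for the WPA and WEP key rules described above.

Added example, not Colubris code. It encodes the documented rules so a key
can be checked before it is typed into the CN3200 and its clients:
  - WPA preshared key: 8 to 64 characters.
  - WEP ASCII key: 5 characters (40-bit) or 13 characters (128-bit), using
    only characters 32..126; some clients reject non-alphanumerics.
  - WEP HEX key: 10 digits (40-bit) or 26 digits (128-bit), 0-9/a-f/A-F.
  - Keys must match on the CN3200 and clients, slot for slot (1..4).
The sample keys used at the bottom are constructed values.
"""
import string
from typing import Dict, Tuple

WEP_ASCII_BITS = {5: 40, 13: 128}
WEP_HEX_BITS = {10: 40, 26: 128}


def check_wpa_psk(key: str) -> Tuple[bool, str]:
    """Preshared Key must be between 8 and 64 characters in length."""
    if 8 <= len(key) <= 64:
        return True, "ok"
    return False, f"length {len(key)} is not between 8 and 64"


def check_wep_key(key: str, fmt: str) -> Tuple[bool, str]:
    """Return (valid, message); the message names the encryption level when valid."""
    if fmt == "ASCII":
        if any(not 32 <= ord(c) <= 126 for c in key):
            return False, "ASCII keys may only use characters 32 to 126"
        bits = WEP_ASCII_BITS.get(len(key))
        if bits is None:
            return False, "ASCII key must be 5 (40-bit) or 13 (128-bit) characters"
        warn = "" if key.isalnum() else "; some clients reject non-alphanumerics"
        return True, f"{bits}-bit{warn}"
    if fmt == "HEX":
        if any(c not in string.hexdigits for c in key):
            return False, "HEX keys may only use 0-9, a-f, A-F"
        bits = WEP_HEX_BITS.get(len(key))
        if bits is None:
            return False, "HEX key must be 10 (40-bit) or 26 (128-bit) digits"
        return True, f"{bits}-bit"
    return False, f"unknown key format {fmt!r}"


def normalize_wep(key: str, fmt: str) -> str:
    """Lower-case HEX form of the key material, whichever format it was typed in."""
    ok, msg = check_wep_key(key, fmt)
    if not ok:
        raise ValueError(msg)
    return key.encode("ascii").hex() if fmt == "ASCII" else key.lower()


def check_key_slots(keys: Dict[int, str], fmt: str, tx_key: int) -> Tuple[bool, str]:
    """Every defined slot must be 1..4 and valid, and the transmission key defined."""
    if tx_key not in keys:
        return False, f"transmission key {tx_key} is not defined"
    for slot, key in keys.items():
        if slot not in (1, 2, 3, 4):
            return False, f"slot {slot} is not one of 1..4"
        ok, msg = check_wep_key(key, fmt)
        if not ok:
            return False, f"key {slot}: {msg}"
    return True, f"transmit on key {tx_key}"


def client_matches(ap_keys: Dict[int, str], ap_fmt: str,
                   client_keys: Dict[int, str], client_fmt: str) -> bool:
    """Each key the CN3200 defines must sit in the same slot on the client."""
    return all(
        slot in client_keys
        and normalize_wep(key, ap_fmt) == normalize_wep(client_keys[slot], client_fmt)
        for slot, key in ap_keys.items()
    )


if __name__ == "__main__":
    # Constructed sample keys, not values to deploy.
    print(check_wpa_psk("constructed-sample-passphrase"))
    print(check_wep_key("Colubris12345", "ASCII"))
    print(normalize_wep("abcde", "ASCII"))  # 6162636465
    print(client_matches({3: "abcde"}, "ASCII", {3: "6162636465"}, "HEX"))
```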
Addresses
If the LAN and wireless ports are not bridged (Network > Ports > LAN port
page), the CN3200 provides a separate DHCP server on each port. Use the
check box to enable/disable each one.
The CN3200 provides its own IP address as the DNS server address. The
CN3200 acts as a DNS relay and redirects all DNS requests to the DNS servers
specified on the DNS/WINS page.
If a WINS server is defined on the DNS/WINS page, its address is provided to
DHCP clients as well.
Start / End
Specify the starting and ending IP addresses that define the range of addresses
the DHCP server can assign to client stations.
Gateway
Specify the IP address of the default gateway the CN3200 will return to DHCP
clients.
Address/mask
Shows the current settings for the port.
The host name in the currently installed SSL certificate is automatically assigned
as the domain name of the CN3200. The factory default SSL certificate that is
installed on the CN3200 has the host name wireless.colubris.com.
You do not have to add this name to your DNS server for it to be resolved. The
CNx intercepts all DNS requests it receives on the wireless or LAN ports. It
resolves any request that matches the certificate host name by returning the IP
address assigned to the Internet port. All other DNS requests are forwarded to
the appropriate DNS servers as configured on the Network > DNS/WINS page.
To summarize, this means that by default, any DNS request by a client station on
the wireless or LAN ports that matches wireless.colubris.com will return the IP
address of the CN3200’s Internet port.
Wireless profiles
The CN3200 enables you to create multiple wireless networks (also known as
virtual access points) all sharing the same wireless port. Each network has its
own SSID (network name), BSSID (MAC address), and configuration settings
that are defined in a profile. Up to 16 profiles can be created.
All profiles share basic settings defined in the Default profile (see below).
Default profile
The default profile (named “Colubris Networks”) controls the settings for the
parameters that are shared by all profiles. This includes:
• radio settings (operating frequency, distance between access points, transmit
power)
• wireless port address and mask
• dynamic key length and key change interval for 802.1x/WPA
Configure this profile on the Wireless > Wi-Fi page.
Configuration considerations
Up to 16 profiles can be defined. Since all profiles share the same radio,
bandwidth is also shared. To manage the load on the network, each profile
should be configured to limit the maximum number of wireless client stations.
To create a wireless profile
1. On the main menu, click Wireless, and then click WLAN profiles. The WLAN
profiles page opens. Initially, it displays the default WLAN profile.
2. Click Add New Profile.
3. Specify the settings for the profile. Refer to the sections that follow for details.
4. Click Save when you are done.
Access point
Enable this option to activate the wireless access point. When this option is
disabled, wireless client stations will not be able to connect.
WLAN name (SSID)
Specify a name to uniquely identify your wireless network. Each client computer
that wants to connect to this profile must use this name. The name is
case-sensitive.
Maximum number of wireless client stations
Specify the maximum number of wireless client stations that can be associated
with this SSID at the same time.
Important: The total number of wireless connections that can be active at any
given time across all WLAN profiles is 100.
Broadcast WLAN name (SSID)
When this option is enabled, the CN3200 will broadcast its wireless network
name (SSID) of this profile to all client stations. Most wireless adapter cards have
a setting that enables them to automatically discover access points that
broadcast their names and automatically connect to the one with the strongest
signal.
If you disable this option, client stations will have to specify the network name you
enter for WLAN name when they connect.
RADIUS accounting
Enable this option to have the CN3200 generate a RADIUS accounting request
ON/OFF for each user authentication. The CN3200 respects the RADIUS
interim-update-interval attribute if present inside the RADIUS access accept of
the authentication.
Wireless protection
Select the type of protection you want to use for the wireless network.
WPA
This option enables support for users with WPA client software.
Key transmission protection
This option determines how the TKIP keys are generated.
• RADIUS: The CN3200 obtains the MPPE key from the RADIUS server. This is
a dynamic key that changes each time the user logs in and is authenticated.
The MPPE key is used to generate the TKIP keys that encrypt the wireless
data stream.
• Preshared Key: The CN3200 uses the key you specify to generate the TKIP
keys that encrypt the wireless data stream. Since this is a static key, it is not as
secure as the RADIUS option.
Key/Confirm key
Specify a key that is between 8 and 64 characters in length.
802.1x
This option enables support for users with 802.1x client software. The CN3200
supports 802.1x client software that uses EAP-TLS, EAP-TTLS, and PEAP.
RADIUS profile
Select the RADIUS profile the CN3200 will use to validate user logins.
Dynamic WEP encryption
Enable the use of dynamic WEP keys for all 802.1x sessions. Dynamic key
rotation occurs on key 1, which is the broadcast key. Key 0 is the pairwise key. It
is automatically generated by the CN3200.
WEP
Key 1, 2, 3, 4
The number of characters you specify for a key determines the level of encryption
the CN3200 will provide.
• For 40-bit encryption, specify 5 ASCII characters or 10 HEX digits.
• For 128-bit encryption, specify 13 ASCII characters or 26 HEX digits.
When encryption is enabled, wireless stations that do not support encryption
cannot communicate with the CN3200. The definition for each encryption key
must be the same on the CN3200 and all client stations. Keys must also be in the
same position. For example, if you are using key 3 to encrypt transmissions, then
each client station must also define key 3 to communicate with the CN3200.
Transmission key
Select the key the CN3200 will use to encrypt transmitted data. All four keys are
used to decrypt received data.
Key format
Select the format you used to specify the encryption keys:
ASCII
ASCII keys are much weaker than carefully chosen HEX keys. You can include
ASCII characters between 32 and 126, inclusive, in the key. However, note that
not all client stations support non-alphanumeric characters such as spaces,
punctuation, or special symbols in the key.
HEX
Your keys should only include the following digits: 0-9, a-f, A-F
Configuring overlapping wireless cells
Overlapping wireless cells are caused when two or more access points are within
transmission range of each other. This may be under your control (when setting
up multiple cells to cover a large location), or out of your control (when your
neighbors set up their own wireless networks). In either case, the problems you
face are similar.
Performance degradation and channel separation
When two wireless cells operating on the same frequency overlap, it can cause a
reduction in throughput in both cells. This occurs because a wireless station that
is attempting to transmit will defer (delay) its transmission if another station is
currently transmitting. On a network with many clients and a lot of traffic, this can
severely affect performance as stations defer multiple times before the channel
becomes available. If a station is forced to delay its transmission too many times,
data may be lost.
Delays and lost transmissions can severely reduce throughput on a network. Use
the Wireless option on the Status menu to view this information on your
network.
The following example shows two overlapping wireless cells operating on the
same frequency. Since both access points are within range of each other, the
number of deferred transmissions will be large.
[Figure: cell 1 and cell 2 overlapping on the same channel] Overlapping wireless cells can cause transmission delays.
The solution to this problem is to set the two networks to different channels with
as great a separation as possible in their operating frequencies. This reduces
cross-talk, and enables client stations connected to each access point to transmit
at the same time.
Choosing channels
The minimum recommended separation between channels is 25 MHz. Note
however, that this is the recommended minimum. Two channels with this
separation will always perform worse than two channels using the maximum
separation. So, it is always best to use the greatest separation possible between
overlapping networks.
With the proliferation of wireless networks, it is very possible that the wireless
cells of access points outside your control may overlap your intended area of
coverage. To help you choose the best operating frequency, the CN3200 will
automatically scan all channels and provide a recommendation on the Wireless > Wi-Fi page.
To generate a list of all access points operating near you and view
their operating frequencies, go to Wireless > Neighborhood.
The set of available channels is automatically determined by the CN3200 based
on the Country setting you define on the Wi-Fi page, which means that the
number of non-overlapping channels available to you will also vary. This will
affect how you set up your multi-cell network.
Example
When operating in 802.11b/g mode, the CN3200 supports the following 14
channels in the 2.4 GHz band:
Channel  Frequency (MHz)    Channel  Frequency (MHz)
1        2412               8        2447
2        2417               9        2452
3        2422               10       2457
4        2427               11       2462
5        2432               12       2467
6        2437               13       2472
7        2442               14       2477
However, the number of channels available for use in a particular country is
determined by the regulations defined by the local governing body. For example:
Region          Available channels
North America   1 to 11
Japan           1 to 14
Europe          1 to 13
France          1 to 13
Spain           10 to 13
Since the minimum recommended separation between overlapping channels is
25 MHz (five channel spacings), the recommended maximum number of overlapping cells you
can have in most regions is three. For example:
North America
• cell 1 on channel 1
• cell 2 on channel 6
• cell 3 on channel 11
Europe
• cell 1 on channel 1
• cell 2 on channel 7
• cell 3 on channel 13
Japan
• cell 1 on channel 1
• cell 2 on channel 7
• cell 3 on channel 14
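The planning rule above (keep at least 25 MHz between overlapping cells, and prefer the widest spread the region allows) can be worked out mechanically. The following Python is an added example, not Colubris code; it uses only the channel and region tables from this chapter and reproduces the three-cell plans listed above.

```python
from itertools import combinations

# 802.11b/g centre frequencies (MHz) from the channel table above. Channel 14 sits
# 12 MHz above channel 13 rather than 5, so a lookup is safer than a formula.
CHANNEL_MHZ = {ch: 2412 + 5 * (ch - 1) for ch in range(1, 14)}
CHANNEL_MHZ[14] = 2477

MIN_SEPARATION_MHZ = 25  # recommended minimum between overlapping cells

# Channels permitted per region, as listed in the regulatory table above.
REGIONS = {
    "North America": range(1, 12),
    "Japan": range(1, 15),
    "Europe": range(1, 14),
    "France": range(1, 14),
    "Spain": range(10, 14),
}


def min_gap_mhz(channels):
    """Smallest frequency gap between any two of the given channels."""
    freqs = sorted(CHANNEL_MHZ[c] for c in channels)
    return min(b - a for a, b in zip(freqs, freqs[1:]))


def max_overlapping_cells(available, separation=MIN_SEPARATION_MHZ):
    """How many mutually overlapping cells the region can host at the minimum separation.

    Greedy walk up the band, taking each channel that is at least `separation` MHz
    above the last one taken; on a one-dimensional band this is optimal.
    """
    count, last_mhz = 0, None
    for ch in sorted(available):
        mhz = CHANNEL_MHZ[ch]
        if last_mhz is None or mhz - last_mhz >= separation:
            count += 1
            last_mhz = mhz
    return count


def plan_channels(available, cells, separation=MIN_SEPARATION_MHZ):
    """Choose `cells` channels for mutually overlapping cells.

    The text says the minimum separation is only a floor and the widest spread is
    always better, so candidates are ranked first by their smallest pairwise gap,
    then by total spread across the band. Returns None if the region cannot host
    that many cells at the required separation.
    """
    available = sorted(available)
    if cells == 1:
        return (available[0],)
    candidates = [
        combo for combo in combinations(available, cells)
        if min_gap_mhz(combo) >= separation
    ]
    if not candidates:
        return None
    # max() keeps the first of equally good candidates, i.e. the lowest channel numbers
    return max(candidates, key=lambda combo: (
        min_gap_mhz(combo), CHANNEL_MHZ[combo[-1]] - CHANNEL_MHZ[combo[0]]))


if __name__ == "__main__":
    for region, channels in REGIONS.items():
        n = max_overlapping_cells(channels)
        print(f"{region:14s} max {n} overlapping cell(s); "
              f"3-cell plan: {plan_channels(channels, 3)}")
```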
In North America, you would create the following installation:
[Figure: cell 1 on channel 1, cell 2 on channel 6, cell 3 on channel 11] Reducing transmission delays by using different operating frequencies.
However, it is possible to stagger your cells to reduce overlap and increase
channel separation. Consider the following:
[Figure: cells 1 to 4 on channels 1, 6, 11 and 1, staggered 100 m (300 feet) apart and, in a second layout, 150 m (450 feet) apart] Using only three frequencies across multiple cells (North America).
This strategy can be expanded to cover an even larger area using three channels
as follows:
[Figure: cells 1 to 8 on channels 1, 6, 11, 1, 11, 1, 6 and 11] Using three frequencies to cover a large area (North America).
The areas in gray indicate where two cells using the same frequency overlap.
Distance between access points
In environments where the number of wireless frequencies is limited, it can be
beneficial to adjust the receiver sensitivity of the CN3200. To make the
adjustment, open the Wi-Fi page on the Wireless menu.
For most installations, the large setting should be used. However, if you are
installing multiple CN3200s, and the channels available to you do not provide
enough separation, then reducing the receiver sensitivity can help you reduce the
amount of crosstalk between the CN3200s.
Another benefit to using reduced settings is that it will improve roaming
performance. Client stations will switch between CN3200s more frequently.
Note: The distance between access points option provides the best performance
benefit when client stations are equipped with wireless adapters that are
configured with the same setting. However, not all manufacturers support this
setting.
Conducting a site survey and finding rogue access points
The integrated site survey tool permits easy detection of currently operating
access points, and lets you automatically flag unauthorized (rogue) units.
Conducting a site survey
To discover the operating frequencies of other access points in your area, open
the Wireless > Neighborhood page. The CN3200 will automatically scan to find
all active access points. For example:
Note: If an access point is not broadcasting its name, the SSID is blank.
Identifying unauthorized access points
Improperly configured wireless access points can seriously compromise the
security of a corporate network. Therefore, it is important that they be identified
as quickly as possible.
The wireless neighborhood feature can be configured to automatically list all
non-authorized access points that are operating nearby.
To identify unauthorized access points, the CN1050 compares the MAC address
of each discovered access point against the list of authorized access points
(which you must define). If the discovered access point does not appear in the
list, it is displayed in the Unauthorized access points list.
List of authorized access points
The format of this file is XML. Each entry in the file is composed of two items:
MAC address and SSID. Each entry should appear on a new line. The easiest
way to create this file is to wait for a scan to complete, then open the list of all
access points in Brief format. Edit this list so that it contains only authorized
access points and save it. Then, specify the address of this file for the List of authorized access points parameter.
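The comparison described above (discovered MAC address present in the authorized list or not) is simple enough to reproduce offline, which is useful when checking a list before loading it. The following Python is an added example, not part of the manual; the page only says the file is XML with a MAC address and SSID per entry, so the `<ap mac="..." ssid="..."/>` element layout is an assumption, and the scan results are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed authorized-AP file. The element and attribute names are an
# assumption for this example; the manual does not show the actual schema.
AUTHORIZED_XML = """<authorized-access-points>
<ap mac="00:03:52:0A:1B:2C" ssid="Lobby-Public"/>
<ap mac="00-03-52-0a-1b-2d" ssid="Lobby-Public"/>
<ap mac="00:03:52:0A:1B:2E" ssid="Staff"/>
</authorized-access-points>"""

# Constructed scan results in the shape of the Wireless > Neighborhood listing:
# (MAC address, SSID, channel). An AP that does not broadcast its name shows a blank SSID.
SCAN_RESULTS = [
    ("00:03:52:0A:1B:2C", "Lobby-Public", 1),
    ("00:03:52:0A:1B:2D", "Free-WiFi", 6),      # authorized MAC, unexpected SSID
    ("00:03:52:0A:1B:2E", "", 11),              # authorized unit with a hidden SSID
    ("00:11:22:33:44:55", "Lobby-Public", 6),   # unknown MAC advertising our SSID
    ("66:77:88:99:AA:BB", "", 3),               # unknown MAC, hidden SSID
]


def normalize_mac(mac):
    """Canonical lower-case colon form so 00-03-52-0A... and 00:03:52:0a... compare equal."""
    return mac.strip().lower().replace("-", ":")


def load_authorized(xml_text):
    """Parse the authorized list into {mac: ssid}."""
    root = ET.fromstring(xml_text)
    return {normalize_mac(ap.get("mac")): ap.get("ssid", "") for ap in root.iter("ap")}


def classify_scan(scan, authorized):
    """Apply the page's rule: a discovered MAC absent from the list is unauthorized.

    As an extra check beyond the page, an authorized MAC seen with a different
    broadcast SSID is reported separately; a blank SSID (name not broadcast)
    is not treated as a mismatch.
    """
    unauthorized, ssid_mismatches = [], []
    for mac, ssid, channel in scan:
        key = normalize_mac(mac)
        if key not in authorized:
            unauthorized.append((mac, ssid, channel))
        elif ssid and ssid != authorized[key]:
            ssid_mismatches.append((mac, ssid, authorized[key]))
    return unauthorized, ssid_mismatches


if __name__ == "__main__":
    rogue, odd = classify_scan(SCAN_RESULTS, load_authorized(AUTHORIZED_XML))
    for mac, ssid, channel in rogue:
        print(f"Unauthorized access point: {mac} SSID={ssid or '(hidden)'} channel={channel}")
    for mac, seen, expected in odd:
        print(f"Authorized {mac} is advertising {seen!r}, expected {expected!r}")
```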
Chapter 7: Connecting to a wired LAN
This chapter explains how to configure a connection to a wired LAN.
Overview
The CN3200 provides a LAN port for connection to a wired network. Generally,
this is used to:
• connect the CN3200 to one or more CN300s
• connect wired computers to the public access network
For example:
[Figure: CN3200 connected over the wired LAN to two CN300s, each serving a public WLAN]
Addressing issues
Using DHCP
To configure the DHCP server
1. Click Network.
2. Click Address Allocation.
3. Select the DHCP server and click Configure.
4. Configure the appropriate settings. Refer to the online help for details.
5. Click Save.
LAN port address
The CN3200 connects to the wired LAN via its LAN port. You must assign a static
IP address to this port because the CN3200 cannot function as a DHCP client on
its LAN port.
To assign a static LAN port address
1. Click Wireless.
2. Click Wi-Fi.
3. Assign the new IP address and associated mask in the Wireless port box.
4. Click Save.
DHCP relay agent
If you have multiple CN3200s on your network, configuring each one to act as a
DHCP relay agent enables you to assign all IP addresses from a single DHCP
server to reduce management overhead.
Take note of the following regarding the DHCP relay option on the CN3200:
• DHCP relay occurs via the CN3200’s Internet port.
• DHCP relay is not supported if PPPoE is active on the Internet port.
• DHCP relay will not function if the firewall is set to High and NAT is enabled
on the Internet port. The reason for this is that the DHCP server must be able to
ping the assigned address to prevent duplicate assignments.
• Routes must be defined on the remote DHCP server so that it can successfully
send DHCP packets back to the DHCP relay agent running on the CN3200.
These routes must identify the segment assigned to the CN3200’s LAN port.
To activate the DHCP relay agent
1. Click Network.
2. Click Address allocation.
3. Select the DHCP relay agent and click Configure.
4. Specify the address for the primary and secondary DHCP servers.
5. Click Save.
Using static addressing
If the wired LAN uses static IP addressing, you have two options:
1. Disable the DHCP server on the CN3200 and manually define static IP
addresses for all client stations.
2. Leave the DHCP server on the CN3200 operational and configure it to assign
IP addresses outside the range of the static addresses already in use on the
wired LAN.
Chapter 8: Connecting to the Internet
This chapter explains how to connect the CN3200 to the Internet via a
broadband modem and how to use the security features provided by the
firewall and network address translation.
Connecting cables
Connect cables as follows:
1. Turn off your broadband modem, then turn it back on.
2. Use a standard Ethernet cable to connect the CN3200 Internet port to the
broadband modem.
3. If the CN3200 is already running, press the reset button to restart it.
Configuring the Internet connection
This section describes how to configure the CN3200 to successfully connect to
the Internet. To create a secure connection to a remote network via the Internet,
see Chapter 10.
The Internet port can also be used to link the CN3200 to a local area network.
Just choose the addressing method that is appropriate for your setup.
Configuration procedure
1. On the main menu, click Network.
2. Click Ports.
3. In the table, click Internet port. The Internet port configuration page opens.
4. The CN3200 automatically attempts to detect the type of server on the
network. If incorrect, select the correct option and configure the settings
described in the sections that follow.
5. Click Save when you are done.
Assign IP address via
PPPoE client
Point-to-point protocol over Ethernet. Your ISP will automatically assign an IP
address to the CN3200. You need to supply a username and password so the
CN3200 can log on.
DHCP client
Dynamic host configuration protocol. Your ISP’s DHCP server will automatically
assign an address to the CN3200, which functions as a DHCP client.
Static
This option enables you to manually assign an IP address to the CN3200 Internet
port.
Link
The title bar shows the current status of the link.
Speed
• Auto: Lets the CN3200 automatically set port speed based on the type of
equipment it is connected to.
• 10: Forces the port to operate at 10 Mbps.
Duplex
• Auto: Lets the CN3200 automatically set duplex mode based on the type of
equipment it is connected to.
• Full: Forces the port to operate in full duplex mode.
• Half: Forces the port to operate in half duplex mode.
Network address translation (NAT)
Enable this option to permit all the computers on the wireless network to
simultaneously share the connection to the Internet using a single ISP account. If
you disable NAT, client stations will not be able to access the Internet unless their
IP addresses are valid on the Internet.
If the CN3200 is connected to a wired LAN, computers on the wired LAN can
also take advantage of NAT to share the Internet connection.
PPPoE client
Settings
Username
Specify the username assigned to you by your ISP. The CN3200 will use this
username to log on to your ISP when establishing a PPPoE connection.
Password/Confirm password
Specify the password assigned to you by your ISP. The CN3200 will use this
password to log on to your ISP when establishing a PPPoE connection.
Maximum Receive Unit (MRU)
Maximum size (in bytes) of a PPPoE packet when receiving. Changes to this
parameter should only be made according to the recommendations of your ISP.
Incorrectly setting this parameter can reduce the throughput of your Internet
connection.
Maximum Transmit Unit (MTU)
Maximum size (in bytes) of a PPPoE packet when transmitting. Changes to this
parameter should only be made according to the recommendations of your ISP.
Incorrectly setting this parameter can reduce the throughput of your Internet
connection.
Auto-reconnect
The CN3200 will automatically attempt to reconnect if the connection is lost.
Un-numbered mode
This feature is useful when the CN3200 is connected to the Internet and NAT is
not being used. Instead of assigning two IP addresses to the CN3200, one to the
Internet port and one to the LAN port, both ports can share a single IP address.
This is especially useful when a limited number of IP addresses are available to
you.
Assigned by PPPoE server
These settings are assigned to the CN3200 by your ISP’s PPPoE server. The
Internet connection is not active until this occurs.
Service provider
Identifies your Internet service provider. Not all ISPs provide this information.
Connection status
Indicates the state of the PPPoE connection. If the connection is not active, a
message indicates why.
IP address
Identifies the IP address assigned to the CN3200 by the ISP.
Mask
Identifies the subnet mask that corresponds to the assigned IP address.
Primary DNS address
Identifies the IP address of the main DNS server the CN3200 will use to resolve
DNS requests.
Secondary DNS address
Identifies the IP address of the backup server the CN3200 will use to resolve
DNS requests.
Default gateway
Identifies the IP address of the gateway the CN3200 will forward all outbound
traffic to.
Restart Connection button
Click this button to manually establish the PPPoE connection. During normal
operation, you will not need to do this because the CN3200 will automatically
reconnect if the PPPoE connection is interrupted. However, for certain types of
connection failures, the CN3200 may not be able to re-establish the connection,
even after several retries. When this occurs, the cause of the failure is displayed
in the Connection status field and you must click the Restart Connection
button to manually establish the connection.
DHCP client
Settings
DHCP client ID
Specify an ID to identify the CN3200 to the DHCP server. This parameter is not
required by all ISPs.
Assigned by DHCP server
These settings are assigned to the CN3200 by your ISP’s DHCP server. The
Internet connection is not active until this occurs.
IP address
Identifies the IP address assigned to the CN3200 by the ISP.
Mask
Identifies the subnet mask that corresponds to the assigned IP address.
Primary DNS address
Identifies the IP address of the main DNS server the CN3200 will use to resolve
DNS requests.
Secondary DNS address
Identifies the IP address of the backup server the CN3200 will use to resolve
DNS requests.
Default gateway
Identifies the IP address of the gateway the CN3200 will forward all outbound
traffic to.
Expiration time
Indicates how long the address is valid.
Release
Click to release the CN3200’s IP address.
Renew
Click to renew the CN3200’s IP address.
Static addressing
Settings
IP address
Specify the static IP address you want to assign to the port.
Address mask
Select the appropriate mask for the IP address you specified.
Default gateway
Identifies the IP address of the gateway the CN3200 will forward all outbound
traffic to.
Firewall
To safeguard your network from intruders, the CN3200 features a customizable
firewall. The firewall stops external computers from gaining access to the
wireless network through the Internet port.
The firewall operates on the traffic streaming through the Internet port. It can be
used to control both incoming and outgoing data.
The CN3200 offers a number of predefined rules to let you achieve the required
security level without going to the trouble of designing your own rules.
If the CN3200 is connected to a wired LAN, the firewall protects the wired LAN as
well.
[Figure: integrated firewall on the Internet port blocking telnet, syn attack and ftp attempts from a hacker] Blocking unauthorized access with the firewall.
Firewall presets
The easiest way to make use of the firewall is to use one of the preset settings.
Three levels of security are provided:
• High: Permits all outgoing traffic. Blocks all externally initiated connections.
• Medium: Same as High except that it permits incoming PPTP and IPSec
connections.
• Low: Permits all incoming and outgoing traffic, except for NetBIOS traffic. Use
this option if you require active FTP sessions.
Important: If you enable access to the Management tool or SNMP interface via
the Internet port (you do this on the Management tool or SNMP pages), the
appropriate rules are automatically added to the firewall to allow this traffic. If you
modify or delete these rules, it will affect remote access.
The following tables indicate how some common applications are affected by the
preset firewall settings.
Outgoing traffic

Application                                   Low      Medium   High
FTP (passive mode) (1)                        Passed   Passed   Passed
FTP (active mode) (1)                         Passed   Passed   Passed
Web (HTTP, HTTPS)                             Passed   Passed   Passed
SNMP                                          Passed   Passed   Passed
Telnet                                        Passed   Passed   Passed
Windows networking                            Blocked  Blocked  Blocked
ping                                          Passed   Passed   Passed
PPTP from client station to remote server     Passed   Passed   Passed
NetMeeting (make call)                        Passed   Passed   Passed
IPSec pass-through                            Passed   Passed   Blocked
NetBIOS                                       Blocked  Blocked  Blocked

Incoming traffic

Application                                   Low      Medium   High
FTP (passive mode) (1)                        Passed   Blocked  Blocked
FTP (active mode) (1)                         Passed   Blocked  Blocked
Web (HTTPS)                                   Passed   Blocked  Blocked
Web (HTTP)                                    Passed   Blocked  Blocked
Telnet                                        Passed   Blocked  Blocked
Windows networking                            Blocked  Blocked  Blocked
PPTP from remote client to a server on the local network
                                              Passed   Passed   Blocked
ping client on local network                  Passed   Blocked  Blocked
IPSec pass-through                            Passed   Passed   Blocked
NetBIOS                                       Blocked  Blocked  Blocked
NetMeeting (receive call)                     Passed   Blocked  Blocked

(1) Most Web browsers execute FTP in active mode. Some browsers provide a
configuration setting that enables you to alter this. For example, in Internet
Explorer choose Internet options on the Tools menu, click the Advanced tab,
and then under Browsing enable Use Passive FTP for compatibility with some firewalls and DSL modems.
Firewall configuration
To configure the firewall, on the main menu, click Security and then click
Firewall. The firewall configuration page opens.
Preset firewall
The easiest way to make use of the firewall is to use one of the preset settings.
Three levels of security are provided:
Custom Firewall
If you have specific security requirements, you may want to create a custom
firewall. This enables you to target specific protocols or ports. See the examples
that follow for applications that require the use of a custom firewall.
Customizing the firewall
To customize the firewall, you define one or more rules. A rule lets you target a
specific type of data. If the CN3200 finds data that matches the rule, the rule is
triggered, and the data is rejected by the firewall.
Rules operate on IP datagrams (sometimes also called packets). Datagrams are
the individual packages of data that travel on an IP network. Each datagram
contains addressing and control information along with the data it is transporting.
The firewall analyses the addressing and control information to apply the rules
you define.
The CN3200 applies the firewall rules in the order that they appear in the list. An
intelligent mechanism automatically adds the new rules to the list based on their
scope. Rules that target a large amount of data are added at the bottom. Rules
that target specific addresses appear at the top.
Firewall examples
The examples in this section will help you understand how to customize the
firewall for several different applications.
Allowing Web traffic
This example illustrates how to create a custom firewall that allows HTTP
requests from the external network (Internet). You would do this if, for example,
you wanted to provide a Web server on the internal network. To run a server on
the internal network also requires static NAT mappings.
1. On the main menu, click Security and then click Firewall.
2. Select Custom Firewall and click the Edit button. The Custom firewall
configuration page opens.
3. Click Reset To High. This imports all the rules from the predefined high
security firewall.
4. Click the last rule to edit it. The Custom firewall configuration - Edit rule page
opens.
9. Remove the following rule.
Source   Destination   Direction   Action   Service   Port
ANY      ANY           Input       Accept   Any TCP   0 to 442
To remove a rule, click the Source column to open the Custom firewall
configuration - Edit rule page and click Delete.
12. Add the following rules.
Source   Destination   Port        Direction   Service
ANY      ANY           0 to 79     In          Any TCP
ANY      ANY           81 to 442   In          Any TCP
13. To add a rule, click Add New Rule. The Custom firewall configuration - Add
rule page opens.
14. Fill in the appropriate fields and then click Add to save the rule and return to
the Custom firewall configuration page.
15. When done, click Save to activate the firewall.
Allowing FTP traffic
To run an FTP server on the internal network requires changes to the firewall,
similar to those done in the previous example. Follow the same steps, except in
step 5, add the following rules instead:
SourceDestinationDirectionPortProtocol
ANYANYIn0 to 19Any TCP
ANYANYIn22 to 442Any TCP
Allowing both Web and FTP traffic
If you intend to run both a Web and an FTP server, follow the same steps
presented in the Web example, except in step 5, add the following rules instead:
SourceDestinationDirectionPortProtocol
ANYANYIn0 to 19Any TCP
ANYANYIn22 to 79Any TCP
ANYANYIn81 to 442Any TCP
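The three rule tables above are instances of one operation: take the imported "Any TCP 0 to 442" rule and split it so that the ports of the service you are exposing fall outside it. The following Python is an added example, not part of the manual; it performs that split for any set of ports and prints rows in the column layout of the tables above.

```python
# The inbound rule imported from the High preset, as shown in the Web example.
HIGH_PRESET_RULE = (0, 442)

# The three examples on the page, expressed as the TCP ports each one exposes.
EXAMPLES = {
    "Web": {80},
    "FTP": {20, 21},
    "Web and FTP": {20, 21, 80},
}


def carve_rule_range(rule_range, open_ports):
    """Split rule_range (inclusive) into the sub-ranges left after removing open_ports.

    Adjacent open ports (20 and 21) collapse into a single gap, and ports outside
    the rule range are ignored because they never matched the rule to begin with.
    """
    lo, hi = rule_range
    remaining, start = [], lo
    for port in sorted(p for p in set(open_ports) if lo <= p <= hi):
        if port > start:
            remaining.append((start, port - 1))
        start = port + 1
    if start <= hi:
        remaining.append((start, hi))
    return remaining


def rule_rows(ranges, source="ANY", destination="ANY", direction="In", protocol="Any TCP"):
    """Render sub-ranges as rows in the page's Source/Destination/Direction/Port/Protocol layout."""
    return [(source, destination, direction, f"{lo} to {hi}", protocol) for lo, hi in ranges]


if __name__ == "__main__":
    for name, ports in EXAMPLES.items():
        print(f"{name}: replace 'Any TCP 0 to 442' with")
        for row in rule_rows(carve_rule_range(HIGH_PRESET_RULE, ports)):
            print("  " + "  ".join(row))
```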
Network address translation
NAT overview
NAT is an address mapping service that enables one set of IP addresses to be
used on an internal network, while a second set is used on an external network.
NAT handles the mapping between the two sets of addresses.
Generally, NAT is used to map all the addresses on an internal network to a single
address for use on an external network like the Internet. The main benefits of this
are:
• It enables multiple devices to share a single connection.
• It effectively hides the IP addresses of all devices on the internal network from
the outside network.
[Figure: client stations 192.168.1.2 and 192.168.1.3 behind NAT send HTTP requests to a Web server at an ISP; all traffic uses the same external IP address (202.125.11.26) assigned by the ISP, and the internal addresses are invisible to computers on the Internet]
NAT security and static mappings
NAT can also be useful in conjunction with VPN software. When two networks
are connected via a VPN tunnel, it may be desirable to obscure the address of
local computers for security reasons. NAT makes this possible.
One of the benefits of NAT is that it effectively hides the IP addresses of all
computers on the internal network from the outside network (i.e., the Internet or a
remote site via VPN). While this is great for security, in some cases it is useful to
make a computer on the internal network accessible externally. For example, if
you want to run a Web server or FTP server.
To address this problem, NAT provides the ability to route specific incoming traffic
to an IP address on the internal network, through what is called a static NAT
mapping. For example, to support a Web server, you would define a static NAT
mapping to route traffic on TCP port 80 to an internal computer running a Web
server. Note that this may also require changes to the firewall settings to accept
the incoming traffic.
A limitation of NAT mappings is that they only allow one internal IP address to act
as the destination for a particular protocol (unless you map the protocol to a
non-standard port). This means, for example, that you can only run one Web server
on the internal network.
Important: If you use NAT to enable a secure (HTTPS) Web server on the
internal network, remote access to the management tool will no longer be
possible, as all incoming HTTPS requests will be routed to the internal Web
server and not the management tool.
Important: NAT mappings bypass the firewall. If you create a static mapping, the
firewall is automatically opened to accept the traffic. However, this firewall rule
will not be visible on the Firewall configuration page.
The following table indicates how some common applications are affected by
NAT.
[Table: effect of NAT on common applications]
(1) Most Web browsers execute FTP in active mode. Some browsers provide a
configuration option that enables you to alter this. For example, in Internet
Explorer choose Internet options on the Tools menu, click the Advanced tab,
and then under Browsing enable Use Passive FTP for compatibility with some firewalls and DSL modems.
The CN3200 provides a list of preset settings for many commonly used
applications.
In its default configuration, NAT translates all internal IP address to a single
external one. This means that all client station sessions to an external resource
appear to originate from the same IP address. Certain applications do not allow
multiple connections from the same IP address, or impose a limit. For example:
some PPTP servers want a unique IP address for each client station.
To resolve this problem, the CN3200 allows you to assign multiple IP addresses
to the Internet port and use them to distinguish outgoing NAT traffic for customers
making VPN connections.
How it works
One-to-one NAT functions as follows:
• Define alternate static addresses for the Internet port on the Network > Ports
> Internet Port > Static page. These addresses must be valid on the Internet.
• Define the attribute “one-to-one-nat” in the RADIUS account for each customer
that requires a unique IP address. See “One-to-one NAT” on page 229 for
details.
• When a customer with one-to-one NAT support logs into the public access
interface and establishes a VPN session, the CN3200 reserves the next
available alternate IP address for that customer. If all alternate IP addresses
are in use, or none have been defined, then the default IP address of the
Internet port is used.
The address is reserved for as long as the customer is logged in and using a
VPN connection. Therefore, you need to define enough alternate IP addresses
to support the maximum number of active VPN sessions you expect to have at
any one time.
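The reservation behaviour described above (one alternate address per customer with the attribute, held for the VPN session, default address when the pool is empty) is worth modelling when sizing the pool. The following Python is an added example, not Colubris code; 202.125.11.26 is the external address used in this chapter's figures, while the alternate addresses and customer names are constructed.

```python
from ipaddress import IPv4Address


class OneToOneNatPool:
    """Hands out alternate Internet-port addresses to VPN customers as the text describes.

    `default` is the Internet port's primary address; `alternates` are the extra
    static addresses defined on the Network > Ports > Internet Port > Static page.
    """

    def __init__(self, default, alternates):
        self.default = IPv4Address(default)
        self.free = sorted(IPv4Address(a) for a in alternates)  # lowest handed out first
        self.reserved = {}  # customer -> alternate address currently held

    def reserve(self, customer, one_to_one_nat):
        """Called when a customer logs in and establishes a VPN session.

        one_to_one_nat is True when the RADIUS account carries the
        "one-to-one-nat" attribute; otherwise the shared default address is used.
        """
        if not one_to_one_nat:
            return self.default
        if customer in self.reserved:          # already holding an address
            return self.reserved[customer]
        if not self.free:                      # pool exhausted: fall back to the default
            return self.default
        addr = self.free.pop(0)
        self.reserved[customer] = addr
        return addr

    def release(self, customer):
        """Called when the customer logs out or the VPN session ends; returns the freed address."""
        addr = self.reserved.pop(customer, None)
        if addr is not None:
            self.free.append(addr)
            self.free.sort()
        return addr

    def in_use(self):
        """Number of alternate addresses currently reserved, for comparing against peak VPN load."""
        return len(self.reserved)


if __name__ == "__main__":
    pool = OneToOneNatPool("202.125.11.26", ["202.125.11.28", "202.125.11.27"])
    for name in ("alice", "bob", "carol"):
        print(name, "->", pool.reserve(name, True))   # carol gets the default: pool exhausted
    pool.release("alice")
    print("carol after alice logs out ->", pool.reserve("carol", True))
```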
NAT IPSec passthrough
IPSec passthrough enables the CN3200 to support older IPSec clients that do
not support NAT traversal. These older IPSec clients are unable to establish an
IPSec connection through a gateway, like the CN3200, that is running NAT.
All recent IPSec clients support NAT traversal, so Colubris recommends that
IPSec passthrough be disabled unless specifically required.
Note: If you enable this option, it is possible that certain IPSec clients that
support NAT traversal may fail to work.
To disable this option go to the Network > Ports > Internet port page.
NAT example
The following example illustrates how to configure static NAT mappings to run a
Web server and an FTP server on the internal network. This might occur when
the CN3200 is used in an enterprise environment.
[Figure: a Web browser and an FTP client on the Internet send requests to 202.125.11.26; NAT on the CN3200 (192.168.1.1) routes Web (HTTP) traffic to the Web server at 192.168.1.2 and FTP traffic to the FTP server at 192.168.1.3] NAT mapping used to support internal Web and FTP servers.
By creating static NAT mappings, FTP and HTTP (Web) traffic can be routed to
the proper client station. Note that the addresses of these stations are still not
visible externally. Remote computers send their requests to 202.125.11.26 and
the CN3200 routes them to the proper client.
To configure the CN3200 to support this example, you would do the following:
1. On the main menu, click Network, then click NAT. The NAT mappings page
appears. Initially it is empty.
2. Click Add New Static NAT Mapping. The NAT mappings - Add static
mapping page appears.
• Under Requests for, choose Standard Services, then choose http (TCP
80).
• Under Translate to, specify the IP address of the Web server. In the
example, it is 192.168.1.2.
3. Click Add to save your changes and return to the NAT mappings page. The
new mapping is added to the table.
4. To support the FTP server, two additional mappings need to be created with
the following values:
• Standard Services = ftp-data (TCP 20) and IP address = 192.168.1.3.
• Standard Services = ftp-control (TCP 21) and IP address = 192.168.1.3.
Depending on the firewall settings you are using, you may have to modify the
firewall to permit FTP and HTTP traffic to enter via the Internet port.
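The following Python model is an added illustration written for this page (it is not Colubris code and not CN3200 firmware) of the two NAT behaviours described above: the one-to-one NAT address reservation for VPN customers under "How it works", and the static mappings of the Web/FTP example. The class and method names are assumptions, and the alternate addresses 202.125.11.27 and 202.125.11.28 are constructed; the mapped ports and internal hosts are those of the example.

```python
# Added illustration for this manual page; not Colubris code. Class and method
# names are assumptions, as are the alternate addresses 202.125.11.27/.28.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_INTERNET_ADDRESS = "202.125.11.26"  # Internet port address from the example above


@dataclass
class NatGateway:
    default_address: str
    # Alternate static addresses defined on Network > Ports > Internet Port > Static.
    alternate_addresses: List[str]
    # (protocol, port) -> internal host, one entry per static NAT mapping.
    static_mappings: Dict[Tuple[str, int], str] = field(default_factory=dict)
    # customer -> alternate address reserved for that customer's VPN session.
    reservations: Dict[str, str] = field(default_factory=dict)

    def add_static_mapping(self, protocol: str, port: int, internal_ip: str) -> None:
        self.static_mappings[(protocol, port)] = internal_ip

    def inbound_target(self, protocol: str, port: int) -> Optional[str]:
        """Internal host that an inbound request to the Internet port address is
        forwarded to. None means no mapping exists, so the request goes nowhere;
        internal addresses are never exposed to the remote computer either way."""
        return self.static_mappings.get((protocol, port))

    def start_vpn_session(self, customer: str, one_to_one_nat: bool) -> str:
        """Source address used for the customer's outgoing VPN traffic.
        Accounts carrying the one-to-one-nat attribute get the next free
        alternate address; other accounts, and overflow once the pool is
        exhausted (or empty), use the Internet port's default address."""
        if not one_to_one_nat:
            return self.default_address
        if customer in self.reservations:          # already logged in with a VPN
            return self.reservations[customer]
        in_use = set(self.reservations.values())
        for address in self.alternate_addresses:
            if address not in in_use:
                self.reservations[customer] = address
                return address
        return self.default_address

    def end_vpn_session(self, customer: str) -> None:
        """Release the reserved address when the customer logs out or the VPN ends."""
        self.reservations.pop(customer, None)


def example_gateway() -> NatGateway:
    """The Web/FTP example above, plus two constructed alternate addresses."""
    gw = NatGateway(DEFAULT_INTERNET_ADDRESS, ["202.125.11.27", "202.125.11.28"])
    gw.add_static_mapping("tcp", 80, "192.168.1.2")   # http (TCP 80)        -> Web server
    gw.add_static_mapping("tcp", 20, "192.168.1.3")   # ftp-data (TCP 20)    -> FTP server
    gw.add_static_mapping("tcp", 21, "192.168.1.3")   # ftp-control (TCP 21) -> FTP server
    return gw


def pool_demo() -> List[str]:
    """Constructed sequence of VPN logins showing reservation, exhaustion and reuse."""
    gw = example_gateway()
    result = [gw.start_vpn_session("alice", True),    # first alternate address
              gw.start_vpn_session("bob", True),      # second alternate address
              gw.start_vpn_session("carol", True),    # pool exhausted -> default address
              gw.start_vpn_session("dave", False)]    # no attribute   -> default address
    gw.end_vpn_session("alice")
    result.append(gw.start_vpn_session("erin", True)) # alice's address is free again
    return result
```

The pool walk-through is the reason the text asks you to define enough alternate addresses for the peak number of concurrent VPN sessions: the third one-to-one customer silently falls back to the shared default address, and nothing in the RADIUS account makes that visible to the customer.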
Chapter 9: Activating the public access interface
This chapter explains how to configure and start the public access
interface.
Overview
The public access interface is the sequence of web pages that customers use to
login, logout, and view the status of their wireless sessions. The CN3200 ships
with a default interface which you can customize to meet the needs of your
installation. However, before you do this, you should initialize the default setup
and test it with your network. Once the default interface is working, you can make
changes to it as described in Chapter 15.
This chapter presents the minimum tasks required to get the public access
interface working and enable customer authentication via a RADIUS server.
Task                                        For instructions
Setting up the CN3200 RADIUS client         See page 95.
Setting up CN3200 authentication            See page 98.
Setting up customer authentication          See page 100.
Setting up the RADIUS server                See page 101.
Testing the public access interface         See page 102.
Important: The CN3200 public access interface will not be functional until the
CN3200 can successfully connect to a RADIUS server and authenticate itself. This
means that the login page for the public access interface will appear, but
customers will get an error when they try to log in. This applies regardless
of the method you are using to authenticate customers.
Until you define access lists (see page 216 for details) the following
conditions apply:
• Unauthenticated customers cannot reach any network resources other
than the CN3200 login page.
• Authenticated customers have access to any network resources
connected to the CN3200’s Internet port.
Supporting PDAs
Customers using PDAs that only support a single browser window will have
difficulty using the public access interface in its standard configuration.
To solve this problem, see “Supporting PDAs” on page 172.
Step 1: Setting up the CN3200 RADIUS client
The CN3200 lets you define up to 16 RADIUS client profiles. Each profile defines
the settings for a RADIUS client connection. To support a client connection, you
must create a client account (sometimes called a RAS account) on the RADIUS
server. The settings for this account must match the profile settings you define on
the CN3200.
For backup redundancy, each profile supports a primary and secondary server.
The CN3200 will function with any RADIUS server that supports RFC 2865 and
RFC 2866. Authentication occurs via EAP-MD5, CHAP, MSCHAP v1/v2, or PAP.
Important: To safeguard the integrity of the customer accounts, it is important
that you protect communications between the CN3200 and the RADIUS server.
The CN3200 lets you use PPTP or IPSec to create a secure tunnel to the
RADIUS server. Refer to Chapter 10 for complete instructions on how to
accomplish this.
Managing shared secrets
If you are installing multiple CN3200s, and you intend to use VPNs to secure the
connection each unit will establish with the RADIUS server, make sure that the
shared secret for each device is the same. This is required because there is no
way to guarantee that a specific CN3200 will receive a specific IP address when
connecting to the VPN server. Since the RADIUS server requires that you
associate an IP address with a secret, the only way to avoid problems is to use
the same secret for all CN3200s. The username and password assigned to each
CN3200 can be different, enabling you to differentiate between devices.
Configuration procedure
1. Click Security, then click RADIUS. The RADIUS profiles list page opens.
2. Click Add New Profile. The RADIUS profile page opens.
3. Configure the settings as required. Refer to the sections that follow for
detailed configuration information on each parameter.
4. Click Save when you are done.
RADIUS profile settings
Profile name
Specify a name to identify the profile.
Authentication port
Specify the port to use for authentication. By default, RADIUS servers use port
1812.
Accounting port
Specify the port to use for accounting. By default, RADIUS servers use port
1813.
Retry interval
Controls the retry interval (in seconds) for access and accounting requests that
time-out. If no reply is received within this interval, the CN3200 switches between
the primary and secondary RADIUS servers (if defined). If a reply is received
after the interval expires, it is ignored.
This parameter applies to access and accounting requests generated by the
following:
• administrator logins to the management tool
• customer logins via HTML
• MAC-based authentication of devices
• authentication of the CN3200
The maximum number of retries can be determined as follows:
• HTML-based logins: The number of retries is calculated by dividing the
Authentication Timeout parameter for HTML-based logins by the value of this
parameter. The default settings result in 4 retries (40 / 10).
• MAC-based and CN3200 authentication: The number of retries is infinite.
• 802.1x authentication: Retries are controlled by the 802.1x client software.
Authentication method
Choose the default authentication method the CN3200 will use when exchanging
authentication packets with the primary/secondary RADIUS server defined for
this profile.
For 802.1x users, the authentication method is always determined by the 802.1x
client software and is not controlled by this setting.
If traffic between the CN3200 and the RADIUS server is not protected by a VPN,
it is recommended that you use EAP-MD5 or MSCHAP V2 if supported by your
RADIUS Server. (PAP, MSCHAP V1 and CHAP are less secure protocols.)
NAS Id
Specify the network access server ID you want to use for the CN3200. By default,
the serial number of the CN3200 is used. The CN3200 includes the NAS-ID
attribute in all packets that it sends to the RADIUS server.
Always try primary server first
Set this option to force the CN3200 to contact the primary server first.
Otherwise, the CN3200 sends the first RADIUS access request to the last known
RADIUS server that replied to any previous RADIUS access request. If the
request times out, the next request is sent to the other RADIUS server if defined.
For example, assume that the primary RADIUS server was not reachable and
that the secondary server responded to the last RADIUS access request. When
a new authentication request is received, the CN3200 sends the first RADIUS
access request to the secondary RADIUS server.
If it does not reply, the RADIUS access request is retransmitted to the primary
RADIUS server. The CN3200 always alternates between the two servers, when
configured.
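The retry and server-selection rules above (Retry interval, Always try primary server first) can be stated as a small model. The following Python is an added illustration written for this page, not CN3200 firmware; the class and function names are assumptions, the server addresses 192.0.2.10 and 192.0.2.20 are constructed, and "4 retries" is taken to mean four requests in total for one login.

```python
# Added model for this manual page; not CN3200 firmware. Names are assumptions,
# and "4 retries" is taken to mean four requests in total.
from typing import Callable, List, Optional, Tuple

Reply = Optional[str]          # a RADIUS reply code, or None when the request times out


def max_retries_for_html_login(auth_timeout_seconds: int, retry_interval_seconds: int) -> int:
    """Authentication Timeout for HTML-based logins divided by the Retry interval.
    The defaults, 40 and 10 seconds, give 4."""
    return auth_timeout_seconds // retry_interval_seconds


class RadiusClient:
    def __init__(self, primary: str, secondary: Optional[str] = None,
                 always_try_primary_first: bool = False) -> None:
        self.servers = [s for s in (primary, secondary) if s]
        self.always_try_primary_first = always_try_primary_first
        self.last_responder: Optional[str] = None   # last server that replied to any request

    def first_choice(self) -> str:
        """Where the first request of a new authentication goes."""
        if self.always_try_primary_first or self.last_responder is None:
            return self.servers[0]
        return self.last_responder

    def other_server(self, current: str) -> str:
        """Alternate to the other server if one is defined, else stay put."""
        if len(self.servers) < 2:
            return current
        return self.servers[1] if current == self.servers[0] else self.servers[0]

    def authenticate(self, send: Callable[[str], Reply], max_retries: int) -> Tuple[Reply, List[str]]:
        """send(server) returns the reply, or None if nothing arrives within the
        retry interval (a late reply is ignored, so it counts as a time-out).
        Returns the reply (None when retries are exhausted) and the servers tried."""
        current = self.first_choice()
        tried: List[str] = []
        for _ in range(max_retries):
            tried.append(current)
            reply = send(current)
            if reply is not None:
                self.last_responder = current
                return reply, tried
            current = self.other_server(current)
        return None, tried


PRIMARY, SECONDARY = "192.0.2.10", "192.0.2.20"   # constructed server addresses


def simulate(always_try_primary_first: bool) -> Tuple[List[str], List[str]]:
    """Constructed scenario: the primary server is down and the secondary answers.
    Returns the servers contacted for two successive customer logins."""
    reachable = {PRIMARY: False, SECONDARY: True}

    def send(server: str) -> Reply:
        return "Access-Accept" if reachable[server] else None

    client = RadiusClient(PRIMARY, SECONDARY, always_try_primary_first)
    retries = max_retries_for_html_login(40, 10)
    _, first_login = client.authenticate(send, retries)
    _, second_login = client.authenticate(send, retries)
    return first_login, second_login
```

With the option off, the second login goes straight to the secondary server (one request); with it on, every login costs a wasted request and one retry interval of delay while the primary is down, which is the trade-off the setting exposes.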
Primary RADIUS server
Server address
Specify the IP address of the primary RADIUS server.
Secret/Confirm secret
Specify the secret (password) that the CN3200 will use when communicating with
the primary RADIUS server. The shared secret is used to authenticate all packets
exchanged with the server to prove that they originate from a valid/trusted
source.
Secondary RADIUS server
Server address
Specify the IP address of the secondary RADIUS server.
Secret/Confirm secret
Specify the secret (password) that the CN3200 will use when communicating with
the secondary RADIUS server. The shared secret is used to authenticate all packets
exchanged with the server to prove that they originate from a valid/trusted
source.
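How the shared secret authenticates the packets exchanged with the server is defined by RFC 2865, which the profile requires the server to support: a reply is accepted only if its Response Authenticator equals MD5 over the reply header, the Request Authenticator of the matching request, the reply attributes and the secret. The following Python is an added example written for this page (not CN3200 or RADIUS-server code) that builds an Access-Request, builds the reply as a server holding the secret would, and shows the check rejecting a reply from a party without the secret and a genuine reply altered in transit. The function names, the packet contents and both secrets are constructed.

```python
# Added example for this manual page; not CN3200 or RADIUS-server code. Packet
# contents and the secrets are constructed; function names are assumptions.
import hashlib
import hmac
import os
import struct
from typing import Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, SESSION_TIMEOUT = 1, 27          # RFC 2865 attribute types
HEADER = struct.Struct("!BBH")              # Code, Identifier, Length


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one attribute (Length covers the two header bytes)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_request(identifier: int, attributes: bytes) -> Tuple[bytes, bytes]:
    """Access-Request as the CN3200 would send it. The 16-byte Request
    Authenticator is random and must be kept to check the reply."""
    request_auth = os.urandom(16)
    header = HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attributes))
    return header + request_auth + attributes, request_auth


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code: int, identifier: int, attributes: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Reply as a server holding the shared secret would build it."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    return HEADER.pack(code, identifier, 20 + len(attributes)) + auth + attributes


def verify_response(packet: bytes, identifier: int, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check before a reply is trusted: the identifier must match the
    outstanding request and the Response Authenticator must recompute with our
    copy of the secret. Anything else is silently discarded."""
    if len(packet) < 20:
        return False
    code, reply_id, length = HEADER.unpack(packet[:4])
    if reply_id != identifier or length != len(packet):
        return False
    expected = response_authenticator(code, reply_id, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def demo(secret: bytes = b"constructed-shared-secret") -> Tuple[bool, bool, bool]:
    """Genuine reply verifies; a reply built with a different secret and a
    genuine reply altered in transit both fail."""
    _request, request_auth = build_request(7, attribute(USER_NAME, b"cn3200-example"))
    accept_attrs = attribute(SESSION_TIMEOUT, struct.pack("!I", 43200))   # 12 hours
    genuine = build_response(ACCESS_ACCEPT, 7, accept_attrs, request_auth, secret)
    from_wrong_secret = build_response(ACCESS_ACCEPT, 7, accept_attrs, request_auth, b"other-secret")
    altered = bytearray(genuine)
    altered[-1] ^= 0x01                      # flip one bit of the Session-Timeout value
    return (verify_response(genuine, 7, request_auth, secret),
            verify_response(from_wrong_secret, 7, request_auth, secret),
            verify_response(bytes(altered), 7, request_auth, secret))
```

The check is keyed only by the secret, so anyone holding it can produce replies the CN3200 will accept; that, together with the fact that the rest of the exchange is not encrypted, is why the Important note at the start of this step tells you to carry RADIUS traffic inside a PPTP or IPSec tunnel.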
Step 2: Setting up CN3200 authentication
Important: The CN3200 public access interface will not be functional until the
CN3200 can successfully connect to a RADIUS server and authenticate itself.
This means that the login page for the public access interface will appear, but
customers will get an error when they try to log in. This applies regardless of the
method you are using to authenticate customers.
The CN3200 authenticates itself to a RADIUS server each time:
• it is powered up
• it is restarted
• the authentication interval expires
At each authentication, the CN3200 can retrieve configuration information (if
defined), which includes settings such as:
• Access list defining the network resources unauthenticated customers have
access to.
• URLs specifying the location of any customized Web pages and their support
files.
• a URL specifying the location of a custom security certificate.
• a URL specifying the location of a configuration file.
• MAC addresses of devices to authenticate.
When you set up a profile for the CN3200 on the RADIUS server you define this
information in the form of a Colubris Networks vendor-specific attribute. See
“Creating a profile for the CN3200 on the RADIUS server” on page 214 for
details.
Configuration procedure
1. Click Security, then click Authentication. The Authentication page opens.
2. Configure the settings for the CN3200 as required. Refer to the
“Configuration parameters” section that follows for detailed configuration
information on each parameter.
3. Click Save when you are done.
4. If the profile for the CN3200 is configured on the RADIUS server, click the
Force authentication button. The red indicator will change to green if the
CN3200 successfully connects to the RADIUS server and is authenticated.
Configuration parameters
RADIUS profile
Choose the RADIUS profile that will be used to authenticate the CN3200.
RADIUS username
Name of the RADIUS account assigned to the CN3200.
RADIUS password / Confirm password
Password of the RADIUS account assigned to the CN3200.
Authentication interval
The CN3200 will re-authenticate itself each time this interval expires. This
enables it to retrieve updated operating information at regular intervals.
To avoid potential service interruptions that may occur when new operating
information is activated by the CN3200, it is strongly recommended that a large
interval (12 hours or more) be used.
You can override this value using the RADIUS attribute Session-timeout,
which enables the following effective strategy: configure Authentication
interval to a small value (10 to 20 minutes) and set the RADIUS attribute
Session-timeout to override it with a large value (12 hours) when
authentication is successful. Since the Authentication interval is also
respected for Access Reject packets, this configuration results in a short
re-authentication interval in the case of failure, and a long one in the case
of success.
Accounting ON/OFF
Enable this option to have the CN3200 generate a RADIUS accounting request
each time its authentication state changes.
Last authenticated
Indicates when the CN3200 was last successfully authenticated.
Force authentication
Click this button to force the CN3200 to authenticate now. This lets you test your
settings.
Advanced settings
Click this button to set additional authentication-related settings.
Step 3: Setting up customer authentication
The CN3200 uses the services of a RADIUS server to authenticate customer
logins, track and manage connection time, and generate billing information.
To login to the public access network, each customer must supply a username
and password. The CN3200 sends this information to the RADIUS server for
authentication. If the customer login is approved, the RADIUS server returns
configuration information for the customer. This includes settings for:
• Connection time limit for the customer’s session.
• Idle time limit for the customer’s session.
• Access list for the customer.
• Address of the e-mail server to use for redirection of the customer’s e-mail.
• URLs specifying the location of customized Welcome and Goodbye pages for
the customer.
When you set up a profile for a customer on the RADIUS server you define this
information in the form of a Colubris Networks vendor-specific attribute. See
“Creating customer profiles on the RADIUS server” on page 225 for details.
Configuration procedure
1. On the main menu, click Security.
2. Click Authentication. The Authentication settings page opens.
3. Configure the settings for HTML-based user logins as defined below. This
controls the authentication procedure for customers who will log in via the
public access interface on the CN3200.
4. Click Save when you are done.