Hirschmann BAT54-Rail, BAT54-F X2, BAT54-F, BAT54-Rail FCC, BAT54-F FCC User Manual

User Manual
BAT54-Rail/F..
Release 7.54 06/08
Technical Support
HAC-Support@hirschmann.de
Windows®, Windows Vista™, Windows XP® and Microsoft® are registered trademarks of Microsoft, Corp. LCOS is a registered trademark of LANCOM Systems GmbH. The naming of copyrighted trademarks in this manual, even when not specially indicated, should not be taken to mean that these names may be considered as free in the sense of the trademark and tradename protection law and hence that they may be freely used by anyone.
© 2008 Hirschmann Automation and Control GmbH
Manuals and software are protected by copyright. All rights reserved. The copying, reproduction, translation, conversion into any electronic medium or machine scannable form is not permitted, either in whole or in part. An exception is the preparation of a backup copy of the software for your own use. For devices with embedded software, the end-user license agreement on the enclosed CD applies. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http://www.openssl.org/. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software developed by the NetBSD Foundation, Inc. and its contributors.
The performance features described here are binding only if they have been expressly guaranteed in the contract. This publication has been created by Hirschmann Automation and Control GmbH according to the best of our knowledge. Hirschmann reserves the right to change the contents of this manual without prior notice. Hirschmann can give no guarantee in respect of the correctness or accuracy of the details in this publication.
Hirschmann can accept no responsibility for damages, resulting from the use of the network components or the associated operating software. In addition, we refer to the conditions of use specified in the license contract.
Printed in Germany (30.6.2008)
Hirschmann Automation and Control GmbH Stuttgarter Straße 45-51 72654 Neckartenzlingen Tel. +49 1805 141538
Contents
1 Preface 15
2 System design 19
2.1 Introduction 19
3 Wireless LAN – WLAN 21
3.1 What is a Wireless LAN? 21
3.1.1 Standardized radio transmission by IEEE 21
3.1.2 Operation modes of Wireless LANs and base stations 25
3.2 Development of WLAN security 33
3.2.1 Some basic concepts 33
3.2.2 WEP 35
3.2.3 WEPplus 37
3.2.4 EAP and 802.1x 37
3.2.5 TKIP and WPA 40
3.2.6 AES and 802.11i 42
3.2.7 Summary 44
3.3 Protecting the wireless network 45
3.3.1 LEPS—BAT Enhanced Passphrase Security 46
3.3.2 Standard WEP encryption 48
3.3.3 Background WLAN scanning 49
3.4 Configuration of WLAN parameters 52
3.4.1 WLAN security 53
3.4.2 General WLAN settings 62
3.4.3 WLAN routing (isolated mode) 63
3.4.4 The physical WLAN interfaces 64
3.4.5 The logical WLAN interfaces 78
3.4.6 Additional WLAN functions 82
3.5 Extended WLAN protocol filters 87
3.5.1 Protocol filter parameters 88
3.5.2 Procedure for filter test 90
3.5.3 Redirect function 91
3.5.4 DHCP address tracking 92
3.6 Client mode 93
3.6.1 Basic configuration 94
3.6.2 Advanced configuration 98
3.6.3 The roaming table 100
3.7 IEEE 802.11i for point-to-point connections in the WLAN 101
3.7.1 Antenna alignment for P2P operations 102
3.7.2 Configuration 104
3.7.3 Access points in relay mode 107
3.7.4 Security for point-to-point connections 107
3.7.5 LEPS for P2P connections 108
3.7.6 Geometric dimensioning of outdoor wireless network links 109
3.8 Establishing outdoor wireless networks 112
3.8.1 Geometrical layout of the transmission path 112
3.8.2 Antenna power 114
3.8.3 Emitted power and maximum distance 117
3.8.4 Transmission power reduction 117
3.9 Bandwidth limits in the WLAN 117
3.9.1 Operating as an access point 117
3.9.2 Operating as a Client 118
3.10 WLAN according to 802.11h 119
3.10.1 Standards 119
3.10.2 Radio channels in the 5 GHz band 122
3.10.3 Frequency ranges for indoor and outdoor use 123
4 Configuration and management 125
4.1 Configuration tools and approaches 125
4.2 Configuration software 126
4.3 Searching and configuring devices 127
4.4 Configuration using different tools 128
4.4.1 LANconfig 128
4.4.2 WEBconfig 131
4.4.3 Telnet 133
4.4.4 TFTP 137
4.4.5 SNMP 138
4.4.6 Encrypted configuration with SSH access 139
4.4.7 SSH authentication 140
4.5 Working with configuration files 142
4.6 New firmware with Hirschmann FirmSafe 143
4.6.1 This is how Hirschmann FirmSafe works 143
4.6.2 How to load new software 145
4.7 How to reset the device? 148
4.8 Managing administrators rights 150
4.8.1 Rights for the administrators 150
4.8.2 Administrators' access via TFTP and SNMP 151
4.8.3 Configuration of user rights 153
4.8.4 Limitation of the configuration commands 155
4.8.5 HTTP tunnel 156
4.9 Named loopback addresses 159
4.9.1 Loopback addresses with ICMP polling 160
4.9.2 Loopback addresses for time servers 161
4.9.3 Loopback addresses for SYSLOG clients 162
5 LANtools network management 165
5.1 Switch UI language 166
5.2 Project management with LANconfig 166
5.2.1 User-specific settings for LANconfig 169
5.2.2 Directory structure 170
5.2.3 Multithreading 171
5.2.4 Better overview in LANconfig with more columns 172
5.2.5 Manual and automatic searches for firmware updates 173
5.2.6 Password protection for SNMP read-only access 175
5.2.7 Device-specific settings for communications protocols 177
5.2.8 LANconfig behavior at Windows startup 179
5.3 Scripting 181
5.3.1 Applications 181
5.3.2 Scripting function 182
5.3.3 Generating script files 183
5.3.4 Uploading configuration commands and script files 186
5.3.5 Multiple parallel script sessions 190
5.3.6 Scripting commands 190
5.3.7 WLAN configuration with the wizards in LANconfig 194
5.4 Group configuration with LANconfig 196
5.4.1 Create a group configuration 197
5.4.2 Update device configurations 199
5.4.3 Update group configurations 200
5.4.4 Using multiple group configurations 200
5.5 Rollout Wizard 201
5.5.1 General settings in the Rollout Wizard 201
5.5.2 Variables 202
5.5.3 Actions to be executed by the Rollout Wizard 203
5.5.4 Actions for managing the Rollout Wizard 204
5.6 Display functions in LANmonitor 205
5.7 LANmonitor—know what's going on 208
5.7.1 Extended display options 209
5.7.2 Enquiry of the CPU and Memory utilization over SNMP 210
5.7.3 Monitor Internet connection 210
5.7.4 Tracing with LANmonitor 212
5.8 Visualization of larger WLANs 214
5.8.1 Start the WLANmonitor 215
5.8.2 Search for access points 215
5.8.3 Add access points 216
5.8.4 Organize access points 216
5.8.5 Rogue AP and rogue client detection with the WLANmonitor 217
5.9 Messaging 222
6 Diagnosis 225
6.1 Trace information—for advanced users 225
6.1.1 How to start a trace 225
6.1.2 Overview of the keys 225
6.1.3 Overview of the parameters 226
6.1.4 Combination commands 227
6.1.5 Trace filters 227
6.1.6 Examples of traces 228
6.1.7 Recording traces 228
6.2 SYSLOG storage in the device 229
6.2.1 Activate SYSLOG module 230
6.2.2 Configuring the SYSLOG client 230
6.2.3 Read-out SYSLOG messages 231
6.3 The ping command 232
6.4 Monitoring the switch 233
6.5 Cable testing 234
7 Security 237
7.1 Protection for the configuration 237
7.1.1 Password protection 237
7.1.2 Login barring 239
7.1.3 Restriction of the access rights on the configuration 240
7.2 The security checklist 244
8 Firewall 249
8.1 Threat analysis 249
8.1.1 The dangers 249
8.1.2 The ways of the perpetrators 250
8.1.3 The methods 250
8.1.4 The victims 251
8.2 What is a Firewall? 252
8.2.1 Tasks of a Firewall 252
8.2.2 Different types of Firewalls 253
8.3 The BAT Firewall 259
8.3.1 How the BAT Firewall inspects data packets 259
8.3.2 Special protocols 262
8.3.3 General settings of the Firewall 264
8.3.4 Parameters of Firewall rules 268
8.3.5 Alerting functions of the Firewall 274
8.3.6 Strategies for Firewall settings 279
8.3.7 Hints for setting the Firewall 281
8.3.8 Configuration of Firewall rules 285
8.3.9 Firewall diagnosis 295
8.3.10 Firewall limitations 301
8.4 Intrusion Detection 302
8.4.1 Examples for break-in attempts 302
8.4.2 Configuration of the IDS 303
8.5 Denial of Service 304
8.5.1 Examples of Denial of Service Attacks 304
8.5.2 Configuration of DoS blocking 307
8.5.3 Configuration of ping blocking and Stealth mode 309
9 Quality of Service 311
9.1 Why QoS? 311
9.2 Which data packets to prefer? 312
9.2.1 Guaranteed minimum bandwidths 313
9.2.2 Limited maximum bandwidths 315
9.3 The queue concept 315
9.3.1 Queues in transmission direction 315
9.3.2 Queues for receiving direction 317
9.4 Reducing the packet length 318
9.5 QoS parameters for Voice over IP applications 320
9.6 QoS in sending or receiving direction 324
9.7 QoS configuration 325
9.7.1 Evaluating ToS and DiffServ fields 325
9.7.2 Defining minimum and maximum bandwidths 328
9.7.3 Adjusting transfer rates for interfaces 329
9.7.4 Sending and receiving direction 331
9.7.5 Reducing the packet length 331
9.8 QoS for WLANs (IEEE 802.11e) 333
10 Virtual LANs (VLANs) 335
10.1 What is a Virtual LAN? 335
10.2 This is how a VLAN works 335
10.2.1 Frame tagging 336
10.2.2 Conversion within the LAN interconnection 337
10.2.3 Application examples 338
10.3 Configuration of VLANs 340
10.3.1 The network table 341
10.3.2 The port table 341
10.3.3 Configuration with LANconfig 342
10.3.4 Configuration with WEBconfig or Telnet 344
10.4 Configurable VLAN Protocol ID 345
10.5 Configurable VLAN IDs 346
10.5.1 Different VLAN IDs per WLAN client 346
10.5.2 Special VLAN ID for DSLoL interfaces 346
10.6 VLAN tags on layer 2/3 in the Ethernet 347
10.6.1 Configuring VLAN tagging on layer 2/3 348
10.7 VLAN tags for DSL interfaces 349
10.8 VLAN Q-in-Q tagging 350
11 Routing and WAN connections 353
11.1 General information 353
11.1.1 Bridges for standard protocols 353
11.1.2 What happens in the case of a request from the LAN? 354
11.2 IP routing 355
11.2.1 The IP routing table 355
11.2.2 Policy-based routing 358
11.2.3 Local routing 361
11.2.4 Dynamic routing with IP RIP 362
11.2.5 SYN/ACK speedup 365
11.3 Configuration of remote stations 366
11.3.1 Peer list 366
11.3.2 Layer list 368
11.4 IP masquerading 369
11.4.1 Simple masquerading 370
11.4.2 Inverse masquerading 372
11.4.3 Free translation of TCP/IP ports on masked connections 375
11.4.4 De-Militarized Zone (DMZ) 376
11.4.5 Unmasked Internet access for server in the DMZ 377
11.5 Demilitarized Zone (DMZ) 379
11.5.1 Assigning interfaces to the DMZ 379
11.5.2 Assigning network zones to the DMZ 380
11.5.3 Address check with DMZ and intranet interfaces 381
11.6 Advanced Routing and Forwarding 382
11.6.1 Introduction 382
11.6.2 Defining networks and assigning interfaces 386
11.7 Changes in other services 391
11.7.1 DHCP server 391
11.7.2 DHCP relay server 398
11.7.3 NetBIOS proxy 399
11.7.4 RIP 400
11.7.5 Automatic generation of VPN rules 406
11.7.6 Firewall rules for certain local networks 407
11.7.7 Virtual routers 408
11.7.8 Default routes filter 409
11.7.9 Extended port forwarding 410
11.7.10 IPX router 412
11.7.11 Assigning logical interfaces to bridge groups 413
11.7.12 Remote bridge 414
11.7.13 PPPoE Servers 415
11.8 Load balancing 415
11.8.1 DSL port mapping 417
11.8.2 Direct DSL channel bundling 420
11.8.3 Dynamic load balancing 420
11.8.4 Static load balancing 421
11.8.5 Configuration of load balancing 422
11.9 N:N mapping 425
11.9.1 Application examples 426
11.9.2 Configuration 430
11.10 Establishing connection with PPP 434
11.10.1 The protocol 434
11.10.2 Everything o.k.? Checking the line with LCP 436
11.10.3 Assignment of IP addresses via PPP 437
11.10.4 Settings in the PPP list 438
11.11 DSL Connection with PPTP 439
11.12 Extended connection for flat rates—Keep-alive 440
11.13 Callback functions 440
11.13.1 Callback for Microsoft CBCP 441
11.13.2 Fast callback 442
11.13.3 Callback with RFC 1570 (PPP LCP extensions) 443
11.13.4 Overview of configuration of callback function 443
11.14 Serial interface 444
11.14.1 Introduction 444
11.14.2 System requirements 445
11.14.3 Installation 445
11.14.4 Set the serial interface to modem operation 446
11.14.5 Configuration of modem parameters 447
11.14.6 Direct entry of AT commands 449
11.14.7 Statistics 450
11.14.8 Trace output 450
11.14.9 Configuration of remote sites for V.24 WAN interfaces 450
11.14.10 Configuration of a backup connection on the serial interface 452
11.14.11 Contact assignment of BAT modem adapter kit 453
11.15 Manual definition of the MTU 453
11.15.1 Configuration 454
11.15.2 Statistics 454
11.16 WAN RIP 454
11.17 The rapid spanning tree protocol 456
11.17.1 Classic and rapid spanning tree 457
11.17.2 Improvements from rapid spanning tree 457
11.17.3 Configuring the Spanning Tree Protocol 458
11.17.4 Status reports via the Spanning Tree Protocol 461
12 More services 465
12.1 Automatic IP address administration with DHCP 465
12.1.1 The DHCP server 465
12.1.2 DHCP—'on', 'off', 'auto', 'client' or 'forwarding'? 466
12.1.3 How are the addresses assigned? 467
12.2 Vendor Class and User Class Identifier on the DHCP Client 472
12.3 DNS 473
12.3.1 What does a DNS server do? 473
12.3.2 DNS forwarding 474
12.3.3 Setting up the DNS server 475
12.3.4 URL blocking 478
12.3.5 Dynamic DNS 479
12.4 Accounting 481
12.5 The SYSLOG module 484
12.5.1 Setting up the SYSLOG module 484
12.5.2 Example configuration with LANconfig 484
12.6 Time server for the local net 486
12.6.1 Configuration of the time server under LANconfig 487
12.6.2 Configuration of the time server with WEBconfig or Telnet 488
12.6.3 Configuring the NTP clients 488
12.7 Scheduled Events 491
12.7.1 Regular Execution of Commands 491
12.7.2 CRON jobs with time delay 492
12.7.3 Configuring the CRON job 493
12.8 PPPoE Servers 495
12.8.1 Introduction 495
12.8.2 Example application 495
12.8.3 Configuration 498
12.9 RADIUS 500
12.9.1 How RADIUS works 502
12.9.2 Configuration of RADIUS as authenticator or NAS 502
12.9.3 Configuring RADIUS as server 509
12.10 Extensions to the RADIUS server 511
12.10.1 New authentication method 511
12.10.2 EAP authentication 512
12.10.3 RADIUS forwarding 513
12.10.4 RADIUS server parameters 515
12.11 RADSEC 517
12.11.1 Configuring RADSEC for the client 517
12.11.2 Certificates for RADSEC 518
13 Appendix 519
13.1 Error messages in LANmonitor 519
13.1.1 General error messages 519
13.1.2 VPN error messages 519
13.2 SNMP Traps 523
13.3 Radio channels 524
13.3.1 Radio channels in the 2,4 GHz frequency band 524
13.3.2 Radio channels in the 5 GHz frequency band 524
13.3.3 Radio channels and frequency ranges for indoor and outdoor operation 526
13.4 RFCs supported 528
13.5 Glossary 529
14 Index 533
1 Preface
User manual installation and user manual configuration
The documentation of your device consists of two parts: the user manual installation and the user manual configuration.
- The hardware of the BAT devices is documented in the respective user manual installation. Apart from a description of the specific feature set of the different models, you find in the user manual installation information about interfaces and display elements of the devices, as well as instructions for basic configuration by means of the wizards.
- You are now reading the user manual configuration. The user manual configuration describes all functions and settings of the current version of LCOS, the operating system of all BAT routers and BAT Router Access Points. The user manual configuration refers to a certain software version, but not to a specific hardware. It complements the user’s manual and describes in detail topics which are valid for several models simultaneously. These are for example:
  - Systems design of the LCOS operating system
  - Configuration
  - Management
  - Diagnosis
  - Security
  - Routing and WAN functions
  - Firewall
  - Quality of Service (QoS)
  - Virtual Local Networks (VLAN)
  - Wireless Networks
  - Further server services (DHCP, DNS, charge management)
LCOS, the operating system of BAT devices
All BAT routers and BAT Router Access Points use the same operating system: LCOS. The operating system is not attackable from the outside, and thus offers high security. The consistent use of LCOS ensures a comfortable and constant operation of all BAT products. The extensive feature set is available throughout all BAT products (provided the respective support by hardware), and continuously receives further enhancements by free, regular software updates. This user manual configuration applies to the following definitions of software, hardware and manufacturers:
- ’LCOS’ describes the device-independent operating system
- ’BAT’ stands as a generic term for all BAT routers and BAT Router Access Points
- ’Hirschmann’ stands as a shortened form for the manufacturer, Hirschmann Automation and Control GmbH, Germany
Validity
The present user manual configuration applies to all BAT routers and BAT Router Access Points with firmware version 7.54 or later. The functions and settings described in this user manual configuration are not supported by all models and/or all firmware versions. Illustrations of devices, as well as screenshots, always represent just examples, which need not necessarily correspond to the actual firmware version.
Security settings
For carefree use of your device, we recommend carrying out all security settings (e.g. Firewall, encryption, access protection, charge lock) which are not already activated at the time of purchase of your device. The LANconfig wizard ’Check Security Settings’ will support you in accomplishing this. Further information regarding this topic can be found in chapter ’Security’ → page 237. We additionally ask you to keep yourself informed about technical developments and current notes on your product on our web page www.hirschmann.com, and to download new software versions if necessary.
This documentation was created by several members of our staff from a variety of departments in order to ensure you the best possible support when using your BAT product.
If you encounter any errors, or simply want to submit criticism or suggestions for enhancements, please do not hesitate to send an e-mail directly to:
info@hirschmann.com
2 System design
2.1 Introduction
The BAT operating system LCOS is a collection of different software modules; the BAT devices themselves have different interfaces to the WAN and LAN. Depending on the particular application, data packets flow through different modules on their way from one interface to another. The following block diagram illustrates in the abstract the general arrangement of BAT interfaces and LCOS modules. In the course of this user manual configuration, the descriptions of the individual functions will refer to this illustration to show important connections of the particular applications and to deduce the resulting consequences. The diagram can thus explain for which data streams the firewall comes into play, or, in case of address translations (IP masquerading or N:N mapping), at which place which addresses are valid.
[Block diagram: WAN interfaces (DSL, ADSL, DSLoL via switch assignment, ISDN) and VPN/PPTP services feed N:N mapping and IP masquerading (DHCP client/PPP, IPX over PPTP/VPN) into the IP router, which is enclosed by Firewall/IDS/DoS/QoS/policy-based routing with load balancing and IP redirect. The IP module (NetBIOS, DNS, DHCP server, RADIUS, RIP, NTP, SNMP, SYSLOG, SMTP), BAT user management, configuration and management (WEBconfig, Telnet, TFTP client/server), the IPX router and LANCAPI sit alongside the IP router. On the LAN side, the LAN bridge with “isolated mode”, MAC/protocol filter, virtual LANs (VLAN), port mapping and 802.11i/WPA encryption connects the LAN interfaces: LAN, WLAN-1-1 to WLAN-1-8, WLAN-2-1 to WLAN-2-8, DMZ, and the switch (LAN, DSL, DSLoL, DMZ).]
Notes regarding the respective modules and interfaces:
- The IP router takes care of routing data on IP connections between the interfaces from LAN and WAN.
- With IP redirect, requests in the LAN are redirected to a specific computer.
- The firewall (with the services “Intrusion Detection”, “Denial of Service” and “Quality of Service”) encloses the IP router like a shield. All connections via the IP router automatically flow through the firewall as well.
- BAT devices provide either a separate LAN interface or an integrated switch with multiple LAN interfaces as interfaces to the LAN.
- BAT Router Access Points or BAT routers with wireless modules additionally offer one or, depending on the respective model, two wireless interfaces for the connection of Wireless LANs. Depending on the model, every wireless interface can build up to eight different wireless networks (“multi SSID”).
- A DMZ interface enables for some models a ’demilitarized zone’ (DMZ), which is also physically separated within the LAN bridge from other LAN interfaces.
- The LAN bridge provides a protocol filter that enables blocking of dedicated protocols on the LAN. Additionally, single LAN interfaces can be separated by the “isolated mode”. Due to VLAN functions, virtual LANs may be installed in the LAN bridge, which permit the operation of several logical networks on one physical cabling.
- Applications can communicate with different IP modules (NetBIOS, DNS, DHCP server, RADIUS, RIP, NTP, SNMP, SYSLOG, SMTP) either via the IP router, or directly via the LAN bridge.
- The functions “IP masquerading” and “N:N mapping” provide suitable IP address translations between private and public IP ranges, or also between multiple private networks.
- Provided the according authorization, direct access to the configuration and management services of the devices (WEBconfig, Telnet, TFTP) is possible from the LAN and also from the WAN side. These services are protected by filters and login barring, but do not require any processing by the firewall. Nevertheless, direct access from WAN to LAN (or vice versa) using the internal services as a bypass for the firewall is not possible.
- The IPX router and the LANCAPI access on the WAN side only the ISDN interface. Both modules are independent from the firewall, which controls only data traffic through the IP router.
- The VPN services (including PPTP) enable data encryption in the Internet and thereby enable virtual private networks over public data connections.
- Depending on the specific model, either xDSL/Cable, ADSL or ISDN are available as different WAN interfaces.
- The DSLoL interface (DSL over LAN) is no physical WAN interface, but rather a “virtual WAN interface”. With appropriate LCOS settings, it is possible on some models to use a LAN interface as an additional xDSL/Cable interface.
3 Wireless LAN – WLAN
3.1 What is a Wireless LAN?
Note: The following sections are a general description of the LCOS operating system functions in wireless networks. The precise functions supported by your device are described in its manual.
In this chapter we will briefly show you the technology of wireless networks. In addition, we give you an overview of the various applications, functions and abilities of your BAT Access Points and WLAN Router. A Wireless LAN connects single terminals (e.g. PCs or notebooks) to a local network (also LAN – Local Area Network). In contrast to a conventional LAN, communication takes place via radio links rather than via network cables. This is the reason why a Wireless LAN is also called a Wireless Local Area Network (WLAN). All functions of a cable-bound network are also available in a Wireless LAN: access to files, servers, printers etc. is possible, as is the connection of individual stations to an internal mail system or to the Internet access. The advantages of Wireless LANs are obvious: notebooks and PCs can be set up just where they are needed. Due to Wireless LANs, problems with missing connections or structural alterations belong to the past.
3.1.1 Standardized radio transmission by IEEE
IEEE 802.11
BAT network products comply with the IEEE 802.11 standards. This family of standards represents an extension to the already existing IEEE standards for LANs, of which IEEE 802.3 for Ethernet is the most popular one. Within the IEEE 802.11 family, different standards exist for the radio transmission in different frequency ranges and with different speeds. BAT base stations and WLAN client adapters support different standards according to their respective type:
- IEEE 802.11a with up to 54 Mbps transfer rate in the 5 GHz band, up to 108 Mbps in turbo mode (complement to standard)
- IEEE 802.11b with up to 11 Mbps transfer rate in the 2,4 GHz band
- IEEE 802.11g with up to 54 Mbps transfer rate in the 2,4 GHz band, up to 108 Mbps in turbo mode (complement to standard)
IEEE 802.11a: 54 Mbps
IEEE 802.11a describes the operation of Wireless LANs in the 5 GHz frequency band (5,15 GHz to 5,75 GHz), with up to 54 Mbps maximum transfer rate. The real throughput depends however on the distance and/or on the quality of the connection. With increasing distance and diminishing connection quality, the transmission rate lowers to 48 Mbps, afterwards to 36 Mbps etc., down to a minimum of 6 Mbps. The distance of transmission ranges up to 125 m in open expanses, in buildings typically up to 25 m. The IEEE 802.11a standard uses OFDM (Orthogonal Frequency Division Multiplexing) as modulation scheme.
OFDM
In the 5 GHz frequency band, the OFDM modulation scheme is used for IEEE 802.11a. OFDM is a modulation scheme which utilizes multiple independent carrier frequencies for the signal transmission, and which modulates each of these multiple carriers with a reduced data transfer rate. Thus the OFDM modulation scheme is very insensitive in particular to echoes and other impairments and enables high data transfer rates.
Turbo mode
In ’turbo mode’, BAT Wireless Router base stations are able to use two radio channels simultaneously and can so increase the transfer rate up to a maximum of 108 Mbps. The turbo mode can be used in conjunction with the IEEE 802.11a standard between BAT base stations and WLAN wireless network cards. The increase of the transfer rate must be switched on in the base station, but can also reduce the transmitting power and the range of the radio connection.
IEEE 802.11b: 11 Mbps
IEEE 802.11b describes the operation of local Wireless LANs in the ISM frequency band (Industrial, Scientific, Medical: 2.4 up to 2.483 GHz). The maximum transfer rate is up to 11 Mbps. The real throughput depends however on the distance and/or on the quality of the connection. With increasing distance and diminishing connection quality the transmission rate lowers to 5,5 Mbps, afterwards to 2 and finally to 1 Mbps. The range of the transmission distances is between up to 150 m in open expanses and in buildings typically up to 30 m. Due to the different frequency bands in use, IEEE 802.11b is not compatible with IEEE 802.11a.
DSSS
For shielding against interference by other transmitters which possibly use the same frequency band, the DSSS procedure (Direct Sequence Spread Spectrum) is used for IEEE 802.11b in the 2,4 GHz frequency band. A transmitter normally uses only a very narrow range of the available frequency band for transmission. If exactly this range is used by another transmitter, interference in transmission would be the result. With the DSSS procedure the transmitter uses a broader spread of the possible frequencies and thus becomes more insensitive to narrow-band disturbances. This procedure is also used in the military field to make transmissions harder to intercept.
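The narrow-band resilience that the DSSS paragraph describes, as an added example that is not part of the manual: a small Python model of the 11-chip Barker spreading that IEEE 802.11b uses for its 1 Mbps rate. The tone interferer, its amplitude, the fixed bit duration and the 64-bit test stream are constructed assumptions.

```python
"""Added example (not from the Hirschmann manual): baseband model of 802.11b
DSSS.  Each data bit is multiplied by the 11-chip Barker sequence.  A
narrow-band interferer, modelled by assumption as a slowly varying tone
sampled at chip rate, swamps an unspread bit but is averaged out by the
despreading correlation."""

import math
import random

# 11-chip Barker sequence used by 802.11b for the 1 and 2 Mbps DSSS rates.
BARKER_11 = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1]
CHIPS_PER_BIT = len(BARKER_11)


def spread(bits):
    """Map each bit to a +1/-1 symbol and multiply it by the Barker chips."""
    chips = []
    for b in bits:
        sym = 1 if b else -1
        chips.extend(sym * c for c in BARKER_11)
    return chips


def despread(samples):
    """Correlate each 11-sample block with the Barker sequence, then decide.

    The wanted signal adds coherently to +/-11, whereas a nearly constant
    interferer correlates with the Barker chips only as sum(BARKER_11) = 1.
    """
    bits = []
    for i in range(0, len(samples) - CHIPS_PER_BIT + 1, CHIPS_PER_BIT):
        block = samples[i:i + CHIPS_PER_BIT]
        corr = sum(s * c for s, c in zip(block, BARKER_11))
        bits.append(1 if corr > 0 else 0)
    return bits


def unspread(bits):
    """Reference narrow-band signal: the +/-1 symbol held for one bit time."""
    samples = []
    for b in bits:
        samples.extend([1 if b else -1] * CHIPS_PER_BIT)
    return samples


def integrate_and_decide(samples):
    """Receiver for the unspread signal: integrate one bit time, then decide."""
    bits = []
    for i in range(0, len(samples) - CHIPS_PER_BIT + 1, CHIPS_PER_BIT):
        total = sum(samples[i:i + CHIPS_PER_BIT])
        bits.append(1 if total > 0 else 0)
    return bits


def narrowband_interferer(length, amplitude, period_chips):
    """Constructed interferer: a tone whose period spans many chips, i.e.
    narrow-band relative to the spread signal and close to the carrier."""
    return [amplitude * math.cos(2 * math.pi * k / period_chips)
            for k in range(length)]


def processing_gain_db():
    """Processing gain of the 11-chip Barker code: 10*log10(11), about 10.4 dB."""
    return 10 * math.log10(CHIPS_PER_BIT)


def bit_errors(sent, received):
    return sum(1 for a, b in zip(sent, received) if a != b)


def compare(amplitude=4.0, period_chips=400, n_bits=64, seed=7):
    """Send one constructed bit stream through the same interferer, once
    unspread and once DSSS-spread.  Returns (unspread_errors, dsss_errors)."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n_bits)]
    jam = narrowband_interferer(n_bits * CHIPS_PER_BIT, amplitude, period_chips)
    rx_plain = [s + j for s, j in zip(unspread(bits), jam)]
    rx_dsss = [s + j for s, j in zip(spread(bits), jam)]
    return (bit_errors(bits, integrate_and_decide(rx_plain)),
            bit_errors(bits, despread(rx_dsss)))


if __name__ == "__main__":
    plain_err, dsss_err = compare()
    print(f"processing gain: {processing_gain_db():.1f} dB")
    print(f"bit errors without spreading: {plain_err}/64, with DSSS: {dsss_err}/64")
```

An interferer four times stronger than the wanted symbol flips many unspread bits, while after despreading its contribution stays below the +/-11 correlation peak and no bit is lost.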
IEEE 802.11g: 54 Mbps
The IEEE 802.11g standard likewise works with up to 54 Mbps data transmission rate in the 2,4 GHz ISM frequency band. Contrary to IEEE 802.11b, the OFDM modulation is used for IEEE 802.11g, as already introduced for IEEE 802.11a. IEEE 802.11g contains a special compatibility mode that ensures downward compatibility with the popular IEEE 802.11b standard. However, in this compatibility mode you encounter reduced transmission speeds. Due to the different frequency bands, IEEE 802.11g cannot be compatible with IEEE 802.11a. The transmission distances of IEEE 802.11g products are comparable with those of IEEE 802.11b products.
Turbo mode
With the 802.11g standard in ’turbo mode’ the transfer rate can be increased to a maximum of 108 Mbps by using two radio channels. But as the 2.4 GHz band has fewer channels than the 5 GHz band, the turbo mode limits in this case the choice of channels.
Transfer rates
The indicated transfer rates are always to be interpreted as gross data rates, i.e. the entire protocol overhead - as for example the complex protocols to secure the radio transmission - is included in the indicated transfer rates. The net data transfer rate can thus be lower than the indicated gross data rates, typically by up to half for all IEEE 802.11 standards mentioned above.
Ranges
The actually obtained distances for radio transfers depend strongly on the individual environment. In particular, influences of noise and obstacles have an effect on the range. Decisive is an optimal placement of the radio stations (both network adapters and base stations). For a further increase of the transfer distance, we recommend operation with additional antennas.
IEEE standards
In order to guarantee maximum compatibility, Hirschmann Systems fully complies with the industry standards of the IEEE¹ described in the preceding paragraph. For this reason, your BAT base station operates without problems and reliably also with devices of other manufacturers. Your BAT base station supports, according to the model type, the standards IEEE 802.11g (downward-compatible to IEEE 802.11b) and/or IEEE 802.11a.
1. Institute of Electrical and Electronic Engineers – international association which established, among other things, numerous technology standards.
The operation of the integrated wireless card of your base station is only possible in one single frequency band, that is, either 2,4 GHz or 5 GHz. Thus a simultaneous operation of IEEE 802.11g and IEEE 802.11a is not possible. Since IEEE 802.11g is downward-compatible with IEEE 802.11b, a simultaneous operation of these two standards is possible, but with certain speed constraints.
Transfer rates in compatibility mode
Please note that the data transfer rates achieved depend on the 2.4 GHz mode used. You will achieve the highest transfer rates with a base station operating in pure 802.11g mode. The transfer rate drops as soon as compatibility mode is started, even if only inactive 802.11b stations are near your base station. When these 802.11b stations become active in a wireless network operating in compatibility mode, the actual transfer rate falls again. You should therefore only activate compatibility mode when you really have both 802.11b and 802.11g stations operating in your wireless network.
Note: Please note that not all frequencies are permitted in every country! You will find a table with the allotted frequencies and the permission regulations in the appendix.
3.1.2 Operation modes of Wireless LANs and base stations
Wireless LAN technology and base stations in Wireless LANs are used in the following operation modes:
- Simple direct connections between terminals without a base station (ad-hoc mode, only with 2.4 GHz)
- Larger Wireless LANs, connection to LANs with one or more base stations (infrastructure network)
- Connecting two LANs via a direct radio link (point-to-point mode, point-to-multipoint)
- Connecting devices with an Ethernet interface via base stations (client mode)
- Extending an existing Ethernet network with WLAN (bridge mode)
- Multiple radio cells with one access point (Multi-SSID)
The ad-hoc mode
When two terminals are equipped with compatible wireless interfaces, they can communicate with each other directly via radio. This simplest use is the so-called ad-hoc mode, which is available only with the IEEE 802.11b or IEEE 802.11g standard. In ad-hoc networks you connect two or more PCs with their own wireless interfaces directly together to build a Wireless LAN. This operation mode is generally called a peer-to-peer network (spontaneous network): the PCs can immediately get in touch and exchange data.
The infrastructure network
By using one or more base stations (also called access points), a Wireless LAN becomes more convenient and more efficient. A Wireless LAN with one or more base stations is referred to as an infrastructure network in Wireless LAN terminology.
Note: In some devices the access point is built in; these are so-called WLAN routers.
Interesting applications arise for the Wireless LAN from the LAN connection of base stations:
- Connecting the Wireless LAN to an existing LAN
- Extending the coverage of a Wireless LAN
Additionally, the use of a base station enables central administration of the Wireless LAN.
Connection to an existing LAN
An infrastructure network is ideally suited as an extension to existing wired LANs. For extending a LAN into areas where wiring is not possible or uneconomical, the infrastructure network represents an ideal alternative.
(Figure: Wireless LAN connected to the LAN via a base station.)
Larger extension by roaming function
The area in which mobile stations can get in touch with a base station is called a radio cell. If the range of one radio cell is no longer sufficient to serve all mobile stations of a wireless network, several base stations can be brought into action. It is then possible to change from one radio cell into another without interrupting the network connection. The transmission of roaming information and data between the base stations is enabled by the wired LAN connection.
(Figure: a mobile station leaves radio cell A and changes into radio cell B; the base stations of both cells are connected via LAN, and the workstation is in radio cell A.)
In the example above, the roaming function of the mobile station allows it to access the workstation in radio cell A even after changing into radio cell B. After the radio cell change, the base station in radio cell B passes the data of the mobile station via the LAN to the base station in radio cell A. From there they reach the workstation in radio cell A via radio. In this way, the connection between the two devices remains intact at all times. A Wireless LAN can consist of any number of radio cells, so the extension of a Wireless LAN is not limited.
Base station as router
The BAT Wireless Router base station has a WAN connector for all current broadband modems with a cable-bound Ethernet connection (DSL or cable modem). In this operation mode, the base station also offers all functions of a complete IP and IPX router and serves as the gateway to the Internet. The router checks every received data packet to determine whether it needs to be transferred to another network or workstation, and establishes the required connections itself. The integrated stateful inspection firewall effectively prevents undesired data traffic from penetrating your own network by permitting incoming data only as a reaction to outgoing data traffic. For Internet access, the IP masquerading function (NAT) of the router hides all workstations of the LAN behind a single public IP address, so the real IP addresses of the individual workstations remain concealed; note that masquerading only hides addresses, while access control is the job of the firewall rules. The firewall filters of the router allow specific IP addresses, protocols and ports to be blocked. With MAC address filters it is also possible to control specifically which workstations in the LAN may use the IP routing function of the device.
(Figure: WLAN and LAN behind the firewall of the base station; the WAN port connects via a DSL modem or any other broadband connection to the Internet.)
VPN pass-through
VPN technology (VPN = Virtual Private Network) is used more and more frequently to protect sensitive data. The BAT base station is able to route and masquerade the encrypted data between a VPN client in the WLAN and a workstation in the cable-bound LAN. This passing-through of VPN-encrypted data is called "VPN pass-through" in technical jargon. The following are provided:
- PPTP pass-through
- IPsec pass-through
(Figure: VPN client in the WLAN connected through the base station to a VPN remote station.)
Note: The BAT base stations support the VPN pass-through function for multiple stations within a wireless network.
Wireless bridge between two Ethernet segments
With two base stations, two LANs can be connected via a radio link (point-to-point mode). In this so-called bridge mode, all data is transferred automatically to the remote network.
By using narrow-beam antennas, larger distances can also be bridged reliably. A further increase in reach can be achieved by using additional base stations operating in relay mode between the two LAN segments.
Point-to-multipoint operation
In the so-called P2MP (point-to-multipoint) operation mode, up to seven remote network segments can be coupled into a single network by wireless bridges.
Point-to-station operation
The so-called P2Station (point-to-station) operation connects a single station to a remote LAN.
Base station in client mode
To bind single devices with Ethernet interfaces to a Wireless LAN, BAT Wireless base stations can be put into the so-called client mode, in which they behave like a conventional Wireless LAN adapter and not like a base station. Client mode thus also makes it possible to integrate devices such as PCs or printers that have only an Ethernet interface into a Wireless LAN.
(Figure: base stations in client mode associated with base stations in standard mode.)
Note: Further clients can log on to an access point in normal mode, but not to one in client mode.
Multiple radio cells with Multi-SSID
Conventionally, a wireless network card supports exactly one radio cell. These radio cells are given a network name, known as the SSID (Service Set Identifier), that is entered into the access points and network cards during configuration. Certain settings that apply to the radio cell can be defined under the SSID during the configuration of the access point. The settings include, for example, the data transfer speed and the first WEP key, which on this device also holds the passphrase for encryption with 802.11i and WPA. Clients that are configured with the SSID can make use of the radio cell and work with the parameters as defined. The access point treats all such clients equally.
(Figure: one radio cell with SSID='WLAN' attached to the LAN.)
In some applications, however, it may be desirable to divide the clients in the radio cell into different groups, each of which is treated in a certain way by the access point. It may be necessary, for example, to operate a public wireless network without any encryption simultaneously with a protected, 802.11i-, WPA- or WEP-encrypted wireless network that excludes unauthorized parties. The Multi-SSID function of the BAT access points is ideally suited to scenarios like this: it allows a physical WLAN interface of an access point to be assigned more than one SSID. Up to eight different logical radio cells, each with its own SSID, can be supported by a single WLAN interface.
(Figure: one WLAN interface serving the two radio cells SSID='PUBLIC' and SSID='CLOSED' on the same LAN.)
3.2 Development of WLAN security
The WLAN standards WPA and 802.11i are currently redeeming the reputation of WLAN security, which has recently been under attack. The mechanisms of the original standard proved insufficient in practice. This shortcoming led on the one hand to a series of proprietary extensions of the standard, such as "CKIP" from Cisco or "KeyGuard" from Symbol Technologies, and on the other hand to solutions that provided the required security on higher protocol layers with tools such as PPTP or IPsec. All of these approaches work, but they bring limitations, for instance regarding interoperability or data transmission rates. In the 802.11i standard released in summer 2004, the IEEE committee has redefined the topic "WLAN and security" from the ground up. The result is a set of standardized methods that enable the construction of secure, manufacturer-independent WLANs in line with current standards. On the way from the original WEP of the 802.11 standard to 802.11i, a whole series of concepts have arisen that have tended to increase confusion and uncertainty among users. This chapter explains the concepts and the procedures used, in chronological order of their development.
3.2.1 Some basic concepts
Even though one constantly hears the blanket term 'security' when talking about computer networks, it is important for the following exposition to differentiate a little more closely between the requirements it actually entails.
Authentication
The first point in security is access security:
- A protective mechanism is required that allows access to the network only to authorized users.
- On the other hand, it must also be ensured that the client is connected to precisely the desired access point, and not to some other access point with the same name that has been smuggled in by a nefarious third party.
Such authentication can be provided, for example, using certificates or passwords.
Authenticity
Authenticity is proof of the authorship of the data and of the originality of the data content; the process of establishing this proof is known as authentication.
Integrity
Once access has been granted, one wants to ensure that data packets reach the receiver without any falsification, that is, that no-one can change the packets or insert other data into the communication path. The manipulation of data packets themselves cannot be prevented, but changed packets can be detected using a suitable cryptographic checksum (a keyed message integrity code) and then discarded. A plain, unkeyed checksum such as a CRC is not sufficient for this, as the discussion of WEP below shows.
Confidentiality
Quite separate from access security is confidentiality, that is, unauthorized third parties must not be able to read the data traffic. To this end, the data are encrypted. Examples of such encryption methods are DES, AES, RC4 or Blowfish. Along with encryption there must of course be a corresponding decryption on the receiving end, generally with the same key (a so-called symmetric encryption method). The problem then naturally arises of how the sender can give the key to the receiver for the first time: a simple transmission could very easily be read by a third party, who could then easily decrypt the data traffic. In the simplest case this problem is left to the user, that is, one simply assumes that the user can make the key known at both ends of the connection. In this case one speaks of pre-shared keys, or 'PSK'. More sophisticated methods come into play when the use of pre-shared keys is impractical, for instance in an HTTP connection built over SSL: in this case the user cannot retrieve a key from a remote web server quite so easily. Here, so-called asymmetric encryption methods such as RSA can be used, in which a different key is used to decrypt the data than the one used to encrypt it, meaning that key pairs are used. Such methods are, however, much slower than symmetric encryption methods, which leads to a two-phase solution:
- The sender possesses an asymmetric key pair. It transmits the public part of the key pair, i.e. the key for encryption, to the receiver, for example as a certificate. Since this part of the key pair cannot be used for decryption, its disclosure poses no risk; what does matter is that the receiver can verify that the public key really belongs to the intended sender (this is what the certificate is for), otherwise a third party could substitute its own key.
- The receiver selects an arbitrary symmetric key. This symmetric key, which is used both for encryption and for decryption, must now be transmitted securely to the sender. It is encrypted with the sender's public key and returned to the sender. The symmetric key can only be decrypted again with the sender's private key. Potential eavesdroppers observing the key exchange cannot decrypt this information, and consequently the transmission of the symmetric key is secure.
This method can be used for the safe transmission of symmetric keys via the Internet. In the following sections we will see these methods again, sometimes in modified form.
3.2.2 WEP
WEP is an abbreviation for Wired Equivalent Privacy. The primary goal of WEP is the confidentiality of data. In contrast to signals transmitted over cables, radio waves spread out in all directions, even into the street in front of the house and other places where they really are not desired. The problem of undesired interception is particularly obvious in wireless data transmission, even though it can also arise in larger installations with wired networks; however, access to cables is far more easily restricted than is the case with radio waves. During the development of the WLAN security standard, the IEEE committee did not intend to develop a "perfect" encryption method. Such high-security encryption methods are, for instance, required and also used in electronic banking; in this case, however, the applications themselves use high-quality encryption, and it would be unnecessary to repeat this effort at the radio transmission level. The new security standards were only meant to give those applications that normally work without encryption in wired LANs sufficient security against eavesdropping by unauthorized third parties. WEP is a symmetric encryption method and uses the RC4 algorithm as its basic encryption technology, a cipher already well-known in other areas and, at that time, considered secure. RC4 uses a key between 8 and 2048 bits in length, from which it generates a pseudo-random series of bytes using a predetermined process. The data packet to be encrypted is then XOR'd byte by byte with this byte stream. The receiver simply repeats this procedure with the same key and in the same order to produce the original data packet again.
However, RC4 has one serious disadvantage: a particular RC4 key may be used only once, for a single packet, as two different packets encrypted with the same RC4 key potentially provide the basis for reproducing the original data. As it would be impracticable for the user to enter a new key for every data packet, WEP combines this key with an additional internal value, the initialization vector (IV), which is changed automatically from packet to packet. The IEEE standard originally foresaw a relatively short key length of 40 bits, probably oriented towards the US export restrictions on strong cryptography in force at the time; this variant, in combination with the 24 bits of the IV, is usually referred to as WEP64. Most WLAN cards today support a variant in which the user can configure a 104-bit key, resulting in a 128-bit RC4 key; correspondingly, this is often called WEP128. Less common are user key lengths of 128 bits (WEP152) or 232 bits (WEP256). In principle RC4 can work with key lengths of up to 2048 bits (WEP keys of up to 2024 bits), although in practice key lengths reach a simple limit at which the user can no longer enter the columns of digits without making a mistake. The IEEE standard specifies that up to four different WEP keys can exist in one WLAN. The sender encodes the number of the WEP key used in the encrypted packet along with the initialization vector, so that the receiver can use the appropriate key. The idea behind this was that old keys in a WLAN could gradually be exchanged for new ones, in that stations which had not yet received the new key could still use an old key during a transition period. One of the chief weaknesses of WEP is the length of the initialization vector, which is far too short. As mentioned previously, the repetition of a key with RC4 presents a significant security loophole which, with an IV length of just 24 bits, can occur within just a few hours depending on the data rate. Since particular portions of the encrypted data packets can quickly reveal conclusive information about the key, an eavesdropper only needs to process a small amount of the data traffic with specialized sniffer tools in order to crack the key. These weaknesses unfortunately degraded WEP to an encryption scheme which at best could be used to protect a home network against 'accidental eavesdroppers'.
3.2.3 WEPplus
As explained in the previous section, the use of 'weak' IV values was the problem that weakened WEP the most. A first 'quick shot' to secure WLANs against this kind of attack was the simple notion that the weak IV values are known and can simply be skipped during encryption. Since the IV used is after all transmitted in the packet, this procedure is completely compatible with WLAN cards that do not understand this extension, dubbed WEPplus. A true improvement in security naturally only results once all partners in the WLAN are using this method. In a network equipped with WEPplus, a potential attacker again has the chore of listening to the entire data traffic and waiting for IV repetitions; simply waiting for the few packets with weak IVs is no longer an option. This raises the bar for an attacker once again. Objectively speaking, WEPplus is only a slight improvement: it is suitable for home use, provided that the key is reconfigured often enough. For use in a professional environment, however, it is not sufficient.
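The WEP packet format and the two weaknesses discussed in the WEP and WEPplus sections, as an added Python example (not code from the manual or from the device firmware): a keystream repeated under the same IV leaks the XOR of two plaintexts, and the CRC-32 integrity check is linear, so an attacker can flip plaintext bits and correct the checksum without knowing the key. The IV generator shows the WEPplus idea of skipping weak IVs; the class skipped here is assumed to be the classic (A+3, 255, X) class, since the manual does not specify which IVs the device skips. The key, IVs and packets are constructed for the demonstration.

```python
import zlib
from struct import pack


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Generate n bytes of RC4 keystream for the given key (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: a plain CRC-32, transmitted little-endian."""
    return pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, key_id: int, plaintext: bytes) -> bytes:
    """Frame body = IV (3 bytes) | key-id byte | RC4(IV || key) XOR (plaintext || ICV)."""
    keystream = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + bytes([key_id << 6]) + xor(plaintext + icv(plaintext), keystream)


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext, or None if the ICV check fails."""
    iv, body = frame[:3], frame[4:]
    decrypted = xor(body, rc4_keystream(iv + key, len(body)))
    data, received_icv = decrypted[:-4], decrypted[-4:]
    return data if icv(data) == received_icv else None


def iv_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    """Two frames under the same IV share the RC4 key: XOR of ciphertexts == XOR of plaintexts."""
    assert frame1[:3] == frame2[:3], "frames must share the IV"
    n = min(len(frame1), len(frame2)) - 8  # strip IV/key-id header and ICV
    return xor(frame1[4:4 + n], frame2[4:4 + n])


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Modify an encrypted frame so it decrypts to plaintext XOR delta with a valid ICV.
    CRC-32 is affine over GF(2): crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros), so the
    encrypted ICV can be corrected without knowing the key."""
    data_len = len(frame) - 8
    assert len(delta) == data_len
    icv_delta = xor(icv(delta), icv(bytes(data_len)))
    return frame[:4] + xor(frame[4:], delta + icv_delta)


def is_fms_weak_iv(iv: bytes, key_len: int) -> bool:
    """Weak IV class (A+3, 255, X) that leaks key byte A (assumed to be the class WEPplus skips)."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_len


def iv_sequence(start: int, key_len: int, skip_weak: bool):
    """Sequential 24-bit IV counter, optionally skipping weak IVs as WEPplus does."""
    n = start
    while True:
        iv = (n & 0xFFFFFF).to_bytes(3, "big")
        n += 1
        if skip_weak and is_fms_weak_iv(iv, key_len):
            continue
        yield iv


def iv_exhaustion_seconds(packets_per_second: float) -> float:
    """Time until the 24-bit IV space is used up at a given packet rate."""
    return 2 ** 24 / packets_per_second


if __name__ == "__main__":
    key = bytes.fromhex("0102030405060708090a0b0c0d")  # constructed 104-bit WEP key
    iv = next(iv_sequence(0x03FF00, len(key), skip_weak=True))
    f1 = wep_encrypt(key, iv, 0, b"GET /index.html ")
    f2 = wep_encrypt(key, iv, 0, b"PUT /secret.txt ")  # same IV: keystream reused
    print("second plaintext recovered from known first:", xor(iv_reuse_leak(f1, f2), b"GET /index.html "))
    forged = flip_bits(f1, xor(b"GET /index.html ", b"GET /admin.html "))
    print("forged frame passes ICV and decrypts to:", wep_decrypt(key, forged))
    print("hours to exhaust IVs at 500 packets/s:", iv_exhaustion_seconds(500) / 3600)
```

The bit-flip forgery passes the receiver's ICV check because the CRC is linear; this is exactly the "modifications similar to those for WEP" that the Michael hash in TKIP was introduced to stop.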
3.2.4 EAP and 802.1x
Obviously, an 'add-on' like WEPplus cannot eliminate the basic problem of too-short IVs without changing the format of packets on the WLAN, which would render all existing WLAN cards incompatible. There is, however, a possibility of solving several of our problems with one central change: no longer using a fixed WEP key, but negotiating keys dynamically instead. The process that has emerged for this purpose is the Extensible Authentication Protocol (EAP). As the name suggests, the original purpose of EAP is authentication, that is, regulated access to a WLAN; the possibility of installing a valid WEP key for the next session is more or less a byproduct. Figure 2 shows the basic process of a session secured by EAP.
Figure 2: Schematic process of a WLAN session with EAP/802.1x. (Figure: the client performs the WLAN registration with the access point; the EAP/802.1x negotiation runs between client and RADIUS server through the access point; the RADIUS server shares the master secret with the access point; the access point installs a session key; normal data traffic follows; a new session key is installed; more normal data traffic follows.)
In the first phase, the client registers with the access point as usual and enters the state in which it could now send and receive over the access point with normal WEP or WEPplus; with EAP, however, it cannot, because in this state the client still has no key to secure its data traffic from eavesdropping. Instead, from the point of view of the access point the client is in an 'intermediate state' in which only particular packets from the client are forwarded, and these only to an authentication server. These packets are the EAP/802.1x packets mentioned previously. The access point wraps them in RADIUS requests and sends them on to the authentication server. The access point converts the replies coming from the RADIUS server back into EAP packets and sends them to the client.
The access point is thus a kind of middleman between client and server. It does not have to check the contents of these packets; it just has to ensure that no other data traffic to or from the client can occur. Over this "tunnel" through the access point, the client and server authenticate one another, that is, the server checks the client's access privilege to the network, and the client checks that it is talking to the right network. "Wild" access points set up by attackers can be recognized in this way. A whole series of authentication methods exist that can be used in this tunnel. One current method (and one supported by Windows XP) is EAP-TLS, in which server and client exchange certificates; another is EAP-TTLS, in which only the server supplies a certificate and the client is authenticated using only a username and password. After the authentication phase, a secure tunnel has been set up even without WEP encryption, and the access point is connected to it in the next step. For this, the RADIUS server sends the so-called 'master secret', a session key calculated during the negotiation, to the access point. The LAN between the access point and the RADIUS server is assumed to be trustworthy in this scenario; on this path the master secret is protected only by the RADIUS shared secret, so that segment must itself be protected against eavesdropping. With this session key, the access point now takes over the tunnel and can use it to provide the actual WEP key to the client. Depending on the capabilities of the access point hardware, this can be a true session key (that is, a WEP key used only for data packets between the access point and precisely this client), or a so-called group key, which the access point uses for communication with multiple clients. Classical WEP hardware can usually handle only group keys, these being the four mentioned in the chapter on WEP. The particular advantage of this procedure is that the access point can regularly change the WEP key over the EAP tunnel, that is, it can perform a so-called rekeying. In this way, WEP keys can be replaced by new ones long before they run the risk of being cracked due to IV collisions. A common 'use time' for such WEP keys might be 5 minutes. The disadvantage of the procedure is its complexity. Maintaining the central RADIUS server and the certificates stored there is generally only possible in large installations with a separate IT department; it is less suitable for use in the home or in smaller companies. These practical hurdles have so far limited EAP/802.1x to professional use; the home user must simply make do with WEPplus, or address security problems at the application level.
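The 'intermediate state' described above, in which the access point forwards only EAP/802.1x packets, is what 802.1X calls the controlled port. The following Python model is an added example, not the BAT firmware: it classifies Ethernet frames received from an associated client, relays only EAPOL frames (EtherType 0x888E) to the authenticator before authentication, opens the port once the RADIUS server has delivered the master secret, derives a WEP session key from it, and rekeys. The session-key derivation, the MAC addresses and the frames are constructed for the demonstration and are not the ones the device uses.

```python
import hashlib
from struct import pack, unpack

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # destination of EAPOL frames
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3


def eth_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + pack("!H", ethertype) + payload


def eapol_frame(src: bytes, packet_type: int, body: bytes = b"") -> bytes:
    # EAPOL header: protocol version (2 for 802.1X-2004), packet type, body length
    return eth_frame(PAE_GROUP_ADDRESS, src, ETHERTYPE_EAPOL,
                     pack("!BBH", 2, packet_type, len(body)) + body)


class ControlledPort:
    """Authenticator-side state for one associated client (simplified 802.1X model)."""

    def __init__(self, client_mac: bytes):
        self.client = client_mac
        self.authorized = False
        self.master_secret = None
        self.key_counter = 0
        self.session_key = None

    def handle_from_client(self, frame: bytes) -> str:
        """Decide what happens to a frame received from the client over the air."""
        if len(frame) < 14 or frame[6:12] != self.client:
            return "drop"  # not this client's traffic
        ethertype = unpack("!H", frame[12:14])[0]
        if ethertype == ETHERTYPE_EAPOL:
            # uncontrolled port: EAPOL is relayed to the authenticator in every state
            if len(frame) < 18:
                return "drop"
            _, packet_type, _ = unpack("!BBH", frame[14:18])
            if packet_type == EAPOL_LOGOFF:
                self.authorized, self.master_secret, self.session_key = False, None, None
                return "logoff"
            return "to-authenticator"  # the access point wraps this into a RADIUS request
        # controlled port: all other traffic passes only after successful authentication
        return "forward" if self.authorized else "drop"

    def access_accept(self, master_secret: bytes) -> bytes:
        """RADIUS Access-Accept delivered the master secret: open the port and install a key."""
        self.master_secret = master_secret
        self.authorized = True
        return self.rekey()

    def rekey(self) -> bytes:
        """Derive the next 104-bit WEP session key (constructed derivation, not the 802.1X one)."""
        assert self.authorized, "rekeying requires an authenticated client"
        self.key_counter += 1
        material = self.master_secret + self.client + pack("!I", self.key_counter)
        self.session_key = hashlib.sha256(material).digest()[:13]
        return self.session_key
```

The check that matters for security is the order of the tests in handle_from_client: the source address is verified before anything else, and the EtherType decides whether a frame reaches the uncontrolled (EAPOL only) or the controlled port; a frame that is neither EAPOL nor from an authorized client is dropped, never forwarded into the LAN.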
3.2.5 TKIP and WPA
As clarified in the last section, the WEP algorithm is flawed and insecure in principle; the measures taken so far were either 'quick fixes' with limited improvement, or so complicated that they were basically impractical for home use or smaller installations. After the problems with WEP became public knowledge, the IEEE began development of the standard IEEE 802.11i. As an interim solution, the Wi-Fi Alliance defined the Wi-Fi Protected Access (WPA) 'standard'. WPA introduces the following changes:
- TKIP and Michael as a replacement for WEP
- A standardized handshake procedure between client and access point for determining and transmitting the session key
- A simplified procedure for deriving the master secret mentioned in the last section, which can be performed without a RADIUS server
- Negotiation of the encryption method between access point and client
TKIP
TKIP stands for Temporal Key Integrity Protocol. As the name suggests, it is an intermediate solution for temporary use until a truly strong encryption method is introduced, but one which nevertheless deals with the problems of WEP. A requirement of this method was compatibility with existing WEP/RC4 hardware. Encryption makes use of components familiar from WEP but benefits from two decisive improvements: the "Michael hash" for integrity protection and the TKIP key-mixing function for calculating the per-packet RC4 key. Furthermore, the internally incremented IV transmitted in clear text in the packet is 48 bits long instead of 24, so the problem of repeating IV values is practically excluded. As a further detail, TKIP also mixes the MAC address of the sender into the calculation of the key. This ensures that the use of identical IVs by different senders cannot lead to identical RC4 keys and thus again to attack possibilities. The Michael hash does not, however, represent a particularly tough cryptographic hurdle: if an attacker can break the TKIP key or get modified packets past the CRC check in the same way as with WEP, not many barriers remain. For this reason, WPA defines countermeasures if a WLAN card detects two Michael errors within one minute: both the client and the access point break off data transfer for one minute and then renegotiate the TKIP and Michael keys.
The key handshake
In the discussion of 802.1x it was already noted that EAP/802.1x provides a way to inform the client of the key valid for it at the outset of a session. WPA now puts this on a standardized basis and takes into account the session-key option offered by modern access points that, in addition to the four 'global' keys, assigns each registered client a session key used exclusively for data packets to or from that client. The key handshake under WPA involves first the exchange of the pairwise keys and then the group keys. After a successful group key handshake, the access point can release the client for normal data transfer. The access point is free to perform a rekeying again during the session using the same type of packets; in principle, the client may also request rekeying from the access point. WPA also takes into account older WLAN hardware in which the access point does not support pairwise keys, but only group keys. The first phase of the handshake in this case proceeds exactly as before, but does not result in the installation of a pairwise key; the group key handshake then proceeds without link-layer encryption, but encryption within the EAP packets themselves prevents an attacker from simply reading the keys.
WPA with passphrase
The handshake described in the previous section runs entirely within WPA, i.e. the user never has to define any TKIP or Michael keys. In environments in which no RADIUS server is available to provide master secrets (for instance in smaller companies or home networks), WPA therefore provides the PSK method besides authentication using a RADIUS server: here, the user enters a passphrase of 8 to 32 characters on the access point and on all stations (the WPA standard itself permits up to 63 ASCII characters), from which the master secret is calculated together with the SSID used by means of a hash procedure. The master secret is therefore constant in such a PSK network, although different TKIP keys still result from each handshake. In a PSK network, similar to classical WEP, both access security and confidentiality depend on the passphrase not being divulged to unauthorized people; since the master secret is derived from the passphrase and the SSID alone, anyone who learns or guesses the passphrase can compute it, so the passphrase should be long and random. As long as it remains secret, WPA-PSK provides significantly improved security against break-ins and eavesdropping over any WEP variant. For larger installations, in which such a passphrase would have to be made known to too large a user community for it to be kept secret, EAP/802.1x is used in combination with the key handshake described here.
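The PSK derivation and the pairwise key handshake described in the two sections above, as an added Python example (not code from the manual or the device): the master secret (PMK) is derived from passphrase and SSID with PBKDF2-HMAC-SHA1, the pairwise transient key is expanded from the PMK, both MAC addresses and both nonces, and the second handshake message is authenticated with a MIC under the key confirmation key. The last function shows why the manual warns about divulged passphrases: with one recorded handshake, a candidate passphrase can be checked offline. SSID, MAC addresses, nonces, RSN element and passphrase are constructed; the EAPOL-Key frame layout is reduced to the fields needed here, and the MIC uses the HMAC-SHA1-128 variant.

```python
import hashlib
import hmac
from struct import pack

# constructed demonstration values
SSID = b"BAT-LAB"
PASSPHRASE = "correct horse battery"
AA = bytes.fromhex("00806300aabb")   # authenticator (access point) MAC
SPA = bytes.fromhex("001122334455")  # supplicant (client) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """WPA-PSK master secret: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbytes + 19) // 20))
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise transient key (512 bits for TKIP): KCK, KEK, TK and the two directional Michael keys."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48],
            "mic_tx_ap": ptk[48:56], "mic_tx_sta": ptk[56:64]}


def eapol_key_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    """Key MIC over the whole EAPOL frame with the MIC field zeroed (HMAC-SHA1-128 variant)."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


# EAPOL hdr 4 + descriptor type 1 + key info 2 + key length 2 + replay 8 + nonce 32 + IV 16 + RSC 8 + reserved 8
MIC_OFFSET = 81


def build_msg2(kck: bytes, snonce: bytes, rsn_ie: bytes, replay_counter: int) -> bytes:
    """Handshake message 2 (supplicant -> authenticator): SNonce, RSN IE, MIC."""
    key_info = 0x0002 | 0x0008 | 0x0100  # descriptor version 2, pairwise key, MIC present
    body = pack("!BHHQ32s16s8s8s16sH", 2, key_info, 0, replay_counter, snonce,
                bytes(16), bytes(8), bytes(8), bytes(16), len(rsn_ie)) + rsn_ie
    frame = pack("!BBH", 2, 3, len(body)) + body  # EAPOL version 2, packet type 3 = EAPOL-Key
    mic = eapol_key_mic(kck, frame)               # computed while the MIC field is still zero
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def verify_msg2(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, frame: bytes) -> bool:
    """Authenticator side: derive the PTK from the received SNonce and check the MIC."""
    snonce = frame[17:49]
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.compare_digest(eapol_key_mic(ptk["kck"], zeroed), frame[MIC_OFFSET:MIC_OFFSET + 16])


def passphrase_matches(candidate: str, ssid: bytes, aa: bytes, spa: bytes, anonce: bytes, frame: bytes) -> bool:
    """Offline check of a candidate passphrase against one recorded message 2."""
    return verify_msg2(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, frame)


if __name__ == "__main__":
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    ptk = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)
    msg2 = build_msg2(ptk["kck"], SNONCE, RSN_IE, 1)
    print("MIC valid:", verify_msg2(pmk, AA, SPA, ANONCE, msg2))
    print("guess 'password' matches:", passphrase_matches("password", SSID, AA, SPA, ANONCE, msg2))
```

Both nonces are transmitted in clear, so everything an eavesdropper needs for the offline check is in the first two handshake messages; the only secret input is the passphrase, which is why its entropy, not the key length, decides the strength of a PSK network.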
Negotiating the encryption method
Since the original WEP definition specified a fixed key length of 40 bits, the registration of a client at an access point only had to communicate whether encryption should be used or not. Key lengths exceeding 40 bits require that the key length is announced. WPA provides a mechanism with which client and access point can agree on the encryption and authentication procedures to be used. The following information is made available:
- The encryption method to be used for broadcasts in this network (i.e. the type of group key). Each client wanting to register in a WPA WLAN must support this method. Here, besides TKIP, WEP is also still allowed in order to support mixed WEP/WPA networks; in a pure WPA network, TKIP will be selected.
- A list of encryption methods which the access point provides for the pairwise key; here, WEP is explicitly disallowed.
- A list of authentication methods a client may use to show itself to the WLAN as authorized for access; the possible methods are currently EAP/802.1x or PSK.
As mentioned, the original WPA standard specifies only TKIP/Michael as the improved encryption method. With the further development of the 802.11i standard, the AES/CCM method described below was added. In a WPA network it is now possible for some clients to communicate with the access point using TKIP, while other clients use AES.
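The negotiation information listed above is carried in the WPA information element (vendor-specific element 221 with OUI 00-50-F2) or the RSN information element (element 48) of beacons, probe responses and association requests. The following Python parser is an added example, not code from the manual or the device: it decodes the group cipher, the pairwise cipher list and the authentication methods, and flags the combinations the section describes as weak or invalid (WEP as group cipher in a mixed network, WEP offered as pairwise cipher, TKIP without AES). The sample elements are constructed.

```python
from struct import unpack

RSN_OUI = bytes.fromhex("000fac")  # IEEE 802.11i suite selectors
WPA_OUI = bytes.fromhex("0050f2")  # Wi-Fi Alliance WPA suite selectors
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_SUITES = {1: "802.1X", 2: "PSK"}


def suite_name(selector: bytes, table: dict) -> str:
    oui, suite_type = selector[:3], selector[3]
    if oui in (RSN_OUI, WPA_OUI):
        return table.get(suite_type, "type-%d" % suite_type)
    return "vendor-%s-%d" % (oui.hex(), suite_type)


def parse_security_ie(ie: bytes) -> dict:
    """Decode a WPA (221 / 00-50-F2 / 1) or RSN (48) information element; fields are little-endian."""
    element_id, length = ie[0], ie[1]
    body = ie[2:2 + length]
    if element_id == 48:
        kind, pos = "RSN", 0
    elif element_id == 221 and body[:4] == WPA_OUI + b"\x01":
        kind, pos = "WPA", 4
    else:
        raise ValueError("not a WPA or RSN information element")
    version = unpack("<H", body[pos:pos + 2])[0]
    pos += 2
    group = suite_name(body[pos:pos + 4], CIPHER_SUITES)  # cipher for broadcasts / group key
    pos += 4
    count = unpack("<H", body[pos:pos + 2])[0]
    pos += 2
    pairwise = [suite_name(body[pos + 4 * i:pos + 4 * i + 4], CIPHER_SUITES) for i in range(count)]
    pos += 4 * count
    count = unpack("<H", body[pos:pos + 2])[0]
    pos += 2
    akm = [suite_name(body[pos + 4 * i:pos + 4 * i + 4], AKM_SUITES) for i in range(count)]
    pos += 4 * count
    capabilities = unpack("<H", body[pos:pos + 2])[0] if pos + 2 <= len(body) else None
    return {"kind": kind, "version": version, "group": group, "pairwise": pairwise,
            "akm": akm, "capabilities": capabilities}


def check_security_ie(info: dict) -> list:
    """Findings a practitioner would want from the negotiated methods."""
    findings = []
    if info["group"].startswith("WEP"):
        findings.append("group cipher is WEP: broadcast traffic of this mixed network is only WEP-protected")
    if any(c.startswith("WEP") for c in info["pairwise"]):
        findings.append("WEP offered as pairwise cipher: not allowed by WPA")
    if "CCMP" not in info["pairwise"]:
        findings.append("no AES/CCMP pairwise cipher: only the interim TKIP is available")
    if "PSK" in info["akm"]:
        findings.append("PSK authentication: security rests on the passphrase alone")
    return findings


# constructed sample elements
WPA_MIXED_IE = bytes.fromhex("dd1a0050f20101000050f20202000050f2020050f20401000050f202")  # TKIP group, TKIP+CCMP, PSK
RSN_CCMP_PSK_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")               # CCMP only, PSK
RSN_WEP_GROUP_IE = bytes.fromhex("30140100000fac050100000fac020100000fac010000")              # WEP-104 group, TKIP, 802.1X
```

Reading the element from a beacon capture is the quickest way to confirm what a production access point actually offers, as opposed to what its configuration page claims.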
3.2.6 AES and 802.11i
In mid-2004 the IEEE approved the long-awaited 802.11i standard, which places the entire security concept of WLAN on a new basis. As mentioned in the last section, WPA has already implemented a whole series of concepts from 802.11i, so in this section we will only describe the components which are new compared to WPA.
AES
The most obvious extension is the introduction of a new encryption method, namely AES-CCM. As the name already hints, this scheme is based on DES's successor AES, in contrast to WEP and TKIP, which are both based on RC4. Since only the newest generation of WLAN chips contain AES hardware, 802.11i continues to define TKIP, but with the opposite prerequisites: any 802.11i-compliant hardware must support AES, while TKIP is optional; in WPA it was exactly the other way around.
The suffix CCM denotes the way in which AES is used in WLAN packets. The process is actually quite complicated, which is why CCM is only sensibly implemented in hardware; software-based implementations are possible but would result in significant speed penalties on the processors commonly used in access points. In contrast to TKIP, AES requires only a 128-bit key, with which both encryption and protection against undetected changes to packets are achieved. Furthermore, CCM is fully symmetric, i.e. the same key is used in both communication directions; a standards-compliant TKIP implementation, on the other hand, requires different Michael keys for the send and receive directions, so that CCM is significantly simpler to use than TKIP. Like TKIP, CCM uses a 48-bit initialization vector (packet number) in each packet, so an IV repetition is impossible in practice. As in TKIP, the receiver notes the last IV used and discards packets with an IV equal to or less than this value.
Pre-authentication and PMK caching
802.11i is intended to help with the use of WLAN for speech connections (VoIP) in enterprise networks. Especially in connection with WLAN-based wireless telephony, quick roaming (switching from one access point to another without lengthy interruptions) is of special significance. In telephone conversations, interruptions of 100 milliseconds are irritating, but the full authentication process over 802.1x, including the subsequent key negotiation with the access point, can take significantly longer.

For this reason, the so-called PMK caching was introduced as a first measure. The PMK serves as the basis for key negotiation in an 802.1x authentication between client and access point. In VoIP environments it is possible that a user moves back and forth among a relatively small number of access points. Thus it may happen that a client switches back to an access point with which it was already registered earlier. In this case it wouldn't be sensible to repeat the entire 802.1x authentication again. For this reason, the access point can provide the PMK with a code, the so-called PMKID, which it transmits to the client. Upon a new registration, the client uses the PMKID to ask whether this PMK is still stored. If yes, the 802.1x phase can be skipped and the connection is quickly restored. This optimization is unnecessary if the PMK in a WLAN is calculated from a passphrase, as this applies everywhere and is known.
A second measure allows for some acceleration even in the case of first-time registration, but it requires a little care on the part of the client. The client must already detect a degrading connection to the access point during operation and select a new access point while it is still in communication with the old access point. In this case it has the opportunity to perform the 802.1x negotiation with the new access point over the old one, which again reduces the "dead time" by the time required for the 802.1x negotiation.
3.2.7 Summary
After the security loopholes in WEP encryption became public knowledge, and following short-term solutions such as WEPplus and intermediate steps like WPA, the IEEE committee has now presented the new WLAN security standard 802.11i. The TKIP procedure used by WPA is based on the older RC4 algorithm, the foundation of WEP. AES is the first important and conclusive step towards a truly secure encryption system. 802.11i/AES has confined the practical and theoretical security loopholes in previous methods to history.

The AES procedure provides security on a level that satisfies the Federal Information Processing Standard (FIPS) 140-2 specifications that are required by many public authorities. Hirschmann equips its 54Mbps products with the Atheros chip set featuring a hardware AES accelerator. This guarantees the highest possible level of encryption without performance loss.

The user-friendly pre-shared key procedure (entry of a passphrase of 8-63 characters in length) makes 802.11i quick and easy for anybody to set up. Professional infrastructures with a larger number of users can make use of 802.1x and RADIUS servers. In combination with further options such as Multi-SSID and VLAN tagging, it is possible to provide highly secure networks for multiple user groups and with different levels of security.
- VLAN tagging is available as of LCOS version 3.32.
- Multi-SSID is available as of LCOS 3.42.
- Hirschmann provides the PSK procedure as of LCOS version 3.50.
- 802.1x will be supported as of LCOS version 3.52.
3.3 Protecting the wireless network
A wireless LAN does not, like a conventional LAN, use cable as the transmitting medium for data transfer, but the air instead. As this medium is openly available to any eavesdropper, the screening of the data in a WLAN is an important topic. Depending on how critical WLAN security is for your data, you can take the following steps to protect your wireless network:
- Activate the "Closed network function". This excludes all WLAN clients using "Any" as the SSID, and those that do not know your network SSID. ('Network settings' → page 79)
- Do not use your access point's default SSID. Only choose a name for your SSID that cannot be guessed easily. The name of your company, for example, is not a particularly secure SSID. ('Network settings' → page 79)
- If you know exactly which wireless network cards are permitted to access your WLAN, you can enter the MAC addresses of these cards into the access control list, thus excluding all other cards from communicating with the access point. This limits access to the WLAN to those clients with listed MAC addresses. ('Access Control List' → page 54)
- Use encryption on the data transferred in the WLAN. Activate the strongest possible encryption available to you (802.11i with AES, WPA or WEP) and enter the appropriate keys or passphrases into the access point and the WLAN clients ('Encryption settings' → page 57 and 'WEP group keys' → page 60).
- Regularly change the WEP key. Also change the standard key ('Encryption settings' → page 57) in the configuration. Alternatively, you can use a cron job to change the key automatically, for example every day ('Regular Execution of Commands' → page 491). The passphrases for 802.11i or WPA do not have to be changed regularly, as new keys are generated for each connection anyway. This is not the only reason that encryption with 802.11i/AES or WPA/TKIP is so much more secure than the now aged WEP method.
- If the data is of a high security nature, you can further improve the WEP encryption by additionally authenticating the client with the 802.1x method ('IEEE 802.1x/EAP' → page 83) or activate an additional encryption of the WLAN connection as used for VPN tunnels ('IPSec over WLAN' → page 84). In special cases, a combination of these two mechanisms is possible.
Note: Further information is available from our web site www.hirschmann.com under Support FAQ.
3.3.1 LEPS—BAT Enhanced Passphrase Security
LEPS remedies the security issues presented by global passphrases.
The modern encryption methods WPA and IEEE 802.11i protect data traffic in the WLAN from eavesdroppers far better than the older WEP can. A passphrase is very easy to handle as a central key; a RADIUS server, as needed for 802.1x installations, is not required. However, the use of WPA and IEEE 802.11i with a passphrase still has some weak spots:
- A passphrase applies globally for all WLAN clients
- The passphrase may fall into unauthorized hands if treated carelessly
- The "leaked" passphrase then offers any attacker free access to the wireless network

In practice this means: should the passphrase "go missing" or an employee with knowledge of the passphrase leave the company, then the passphrase in the access point really needs to be changed, and in every WLAN client, too. As this is not always possible, an improvement would be to have an individual passphrase for each user in the WLAN instead of a global passphrase for all WLAN clients. In the case mentioned above, an employee leaving the company merely requires his "personal" passphrase to be deleted; all others remain valid and confidential.

With LEPS (LANCOM Enhanced Passphrase Security), there is an efficient method that makes use of the simple configuration of IEEE 802.11i with passphrase, but that avoids the potential security loopholes that come with global passphrases. LEPS uses an additional column in the ACL (access control list) to assign an individual passphrase consisting of any 8 to 63 ASCII characters to each MAC address. The connection to the access point and the subsequent encryption with IEEE 802.11i or WPA is only possible with the right combination of passphrase and MAC address. This combination makes the spoofing of MAC addresses futile, and LEPS thus shuts out a potential attack on the ACL. If WPA or IEEE 802.11i is used for encryption, the MAC address can indeed be intercepted, but this method never transmits the passphrase over the air. This greatly increases the difficulty of attacking the WLAN, as the combination of MAC address and passphrase requires both to be known before encryption can be negotiated.
LEPS can be used both locally in the device and centrally managed with a RADIUS server. LEPS works with all WLAN client adapters available on the market without any modification. Full compatibility with third-party products is assured, as LEPS only involves configuration in the access point.
Note: An additional security aspect: LEPS can also be used to secure single point-to-point (P2P) connections with an individual passphrase. Even if an access point in a P2P installation is stolen and the passphrase and MAC address become known, all other WLAN connections secured by LEPS remain secure, particularly when the ACL is stored on a RADIUS server.
Configuration
The configuration of LEPS merely involves the assignment of an individual passphrase to the MAC address of each client that is approved for the WLAN. To this end, the MAC filter is set to positive, i.e. the data from clients entered here will be transmitted.
Note: The passphrases should consist of a random string at least 22 characters long, corresponding to a cryptographic strength of 128 bits.
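The following Python script is an added illustration of the two ideas above and is not part of the manual or of the device firmware: it models a LEPS-style access list that binds an individual passphrase to each MAC address, derives the per-station PMK with the standard 802.11i PSK derivation (PBKDF2-HMAC-SHA1 over passphrase and SSID) together with the PMKID that PMK caching from section 3.2.6 relies on, and checks the "22 random characters ≈ 128 bits" rule from the note. The SSID, MAC addresses and passphrases are constructed sample values, and the handshake is modelled by comparing the two independently derived PMKs instead of running the real 4-way handshake.

```python
import hashlib
import hmac
import math
import secrets
import string

# Constructed example data (not from the manual): the WLAN's SSID and a
# LEPS-style access list binding an individual passphrase to each approved
# client MAC address. The passphrases are made up.
SSID = "FACTORY-WLAN"
LEPS_ACL = {
    "00:a0:57:0f:b9:bf": "k7Qw2xLp9ZtR4mVc8NdB1s",
    "00:a0:57:12:34:56": "Hn3vYq8TbK6eWz2Pj5MxCd",
}

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def new_passphrase(length: int = 22) -> str:
    """Random passphrase for a new ACL entry, drawn from the 62-symbol alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    22 symbols from 62 gives about 131 bits, which is why 22 characters suffice for 128 bits."""
    return length * math.log2(alphabet_size)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK derivation: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """PMKID used for PMK caching: the first 128 bits of
    HMAC-SHA1(PMK, "PMK Name" || AP MAC || station MAC)."""
    aa = bytes.fromhex(ap_mac.replace(":", ""))
    spa = bytes.fromhex(sta_mac.replace(":", ""))
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def ap_pmk_for(sta_mac: str, ssid: str = SSID):
    """The PMK the access point will use for this station: derived from the passphrase
    bound to the station's MAC in the ACL, or None if the MAC is not approved."""
    passphrase = LEPS_ACL.get(sta_mac.lower())
    return None if passphrase is None else pmk_from_passphrase(passphrase, ssid)


def handshake_succeeds(sta_mac: str, station_passphrase: str, ssid: str = SSID) -> bool:
    """Model of the LEPS check. In the real 4-way handshake the station proves knowledge
    of the PMK via MICs; here the two independently derived PMKs are compared directly.
    A spoofed MAC presented with the wrong passphrase yields a PMK mismatch."""
    ap_pmk = ap_pmk_for(sta_mac, ssid)
    if ap_pmk is None:
        return False
    return hmac.compare_digest(ap_pmk, pmk_from_passphrase(station_passphrase, ssid))


def revoke(sta_mac: str) -> bool:
    """Leaving employee: delete only that station's entry; all other entries stay valid."""
    return LEPS_ACL.pop(sta_mac.lower(), None) is not None
```

The PBKDF2 step is the same computation every WPA-PSK client and access point performs from the configured passphrase; with LEPS it is simply performed with a different passphrase per MAC address, which is why deleting one ACL entry invalidates only that station.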
LANconfig
When using LANconfig for the configuration, you will find the list of stations approved for the WLAN in the configuration area 'WLAN Security' on the 'Stations' tab under the button Stations.
WEBconfig, Telnet or terminal program
Under WEBconfig, Telnet or a terminal program, you will find the access list for the wireless network under the following paths:
Configuration tool   Menu/Table
WEBconfig            Expert configuration > Setup > WLAN > Access-list
Terminal/Telnet      Setup/WLAN/Access-list
3.3.2 Standard WEP encryption
As of LCOS version 4.00, WEP128 encryption is activated for every unconfigured device as standard. If your device has one or more WLAN interfaces, you can also carry out the "wireless" configuration from a computer with a WLAN card. To use a WLAN client to connect to a new BAT access point for wireless configuration, the WLAN client must be programmed with the 13-character standard WEP key.
The standard WEP key consists of the first letter "L" followed by the LAN MAC address of the access point in ASCII characters. The LAN MAC addresses of the BAT devices always begin with the character string "00A057". You will find the LAN MAC address on a sticker on the base of the device. Only use the character string labelled as "MAC address" that starts with "00A057". The other addresses that may be found are not the LAN MAC address.
A device with the LAN MAC address “00A0570FB9BF” thus has a standard WEP key of “L00A0570FB9BF”. This key is entered into the ‘Private WEP settings’ of the device for each logical WLAN network as ‘Key 1’.
Note: To use a WLAN client to connect to a new (unconfigured) BAT access point, the WEP128 encryption must be activated in the WLAN client and the 13-character standard WEP key must be programmed in as described above.
3.3.3 Background WLAN scanning
In order to identify other access points within the device's local radio range, the BAT Wireless Router can record the beacons received (management frames) and store them in the scan table. Since this recording occurs in the background in addition to the access points' "normal" radio activity, it is called a "background scan". Background scanning is mainly used for the following tasks:
- Rogue AP detection
- Fast roaming for WLAN clients
Rogue AP detection
WLAN devices that make unauthorized attempts at accessing a WLAN by posing as an access point or client are called rogues. An example of rogue APs are access points that a company's employees connect to the network without the knowledge or permission of the system administrators, thereby consciously or unconsciously making the network vulnerable to potential attackers via unsecured WLAN access. Not quite as dangerous, but disruptive all the same, are access points that belong to third-party networks yet are within the range of the local WLAN. If such devices also use the same SSID and channel as the local AP (default settings), then local clients could attempt to log on to external networks.

Unidentified access points within the range of the local network frequently pose a possible threat and security gap. At the very least, they are a disturbance. Therefore, background scanning identifies rogue APs and helps to decide whether further measures in securing the local network need to be introduced.
Fast roaming for WLAN clients
However, the background scanning method can be used for objectives other than rogue AP detection. A BAT Wireless Router in client mode that logs itself on to another access point can also use the roaming procedure in a mobile installation. This is the case, for example, when a BAT Wireless Router used in an industrial application scenario is mounted to a forklift that navigates its way through multiple warehouses with separate access points. Under normal circumstances, the WLAN client would only log on to another access point when the connection to the access point it had been using until that moment was lost. With the background scanning function, the BAT Wireless Router using the client mode can collect information about other available access points in advance. Then the client is not switched to another access point when the existing connection has been completely lost, but rather when another access point within its range has a stronger signal.
Evaluating the background scan
The information on the access points found can be viewed in the BAT Wireless Router statistics. The WLANmonitor presents the scan results quite conveniently and also offers additional functions such as access point grouping or automatic notification via e-mail whenever a new WLAN device appears.
Note: Further information can be found under 'Rogue AP and rogue client detection with the WLANmonitor' → page 217.
Configuring the background scan
When configuring the background scan, a time period is defined in which all available WLAN channels are to be scanned once for the receiving beacons.
Configuration tool   Call
LANconfig            WLAN interfaces > Physical WLAN settings > Radio
WEBconfig, Telnet    Expert configuration > Setup > Interfaces > WLAN > Radio settings
- Background scan interval [default: 0 seconds]
  If a value is entered here, the BAT Wireless Router searches the frequencies in the active band that are currently not in use in cycles within this interval in order to find available access points.
- The background scan function is usually deployed for rogue AP detection for the BAT Wireless Router in access point mode. Here, the scan interval should be adjusted to correspond to the time span in which unauthorized access points should be recognized, e.g. 1 hour.
- Conversely, for the BAT Wireless Router in client mode, the background scan function is generally used for improved mobile WLAN client roaming. In order to achieve fast roaming, the scan time is limited here, for example, to 260 seconds.
- When the background scan time is '0' the background scanning function is deactivated.
The background scan interval sets the time period between searches by a Wireless Router or Access Point for third-party WLAN networks within range. The time interval allows the entered value to be defined in milliseconds, seconds, minutes, hours or days.
Note: To avoid adverse effects on data transfer rates, the interval between channel scans should be at least 20 seconds. Lesser values will be corrected to this minimum value automatically. For example, with 13 channels to scan in the 2.4GHz band, one scan of the full spectrum takes at least 13 x 20s = 260 seconds.

Note: Background scanning can be limited to a lower number of channels when indoor mode is activated. This allows roaming for the mobile BAT Wireless Router in client mode to be improved even further.
3.4 Configuration of WLAN parameters
Changes to the wireless network settings can be made at various points in the configuration:
- Some parameters concern the physical WLAN interface. Some BAT models have one WLAN interface, others have the option of using a second WLAN card as well. The settings for the physical WLAN interface apply to all of the logical wireless networks supported by this card. These parameters include, for example, the transmitting power of the antenna and the operating mode of the WLAN card (access point or client).
- Other parameters are related solely to the logical wireless network that is supported by a physical interface. These include, for example, the SSID or the activation of encryption, either 802.11i with AES or WPA with TKIP or WEP.
- A third group of parameters affect the wireless network operation, but are not significant only to WLANs. These include, for example, the protocol filter in the LAN bridge.
3.4.1 WLAN security
In this part of the configuration, you can place limitations on the communications available to the users in the wireless network. This is done by limiting the data transfer between user groups according to individual stations or the protocol being used. Further, the key for the WLAN encryption is set here.
General settings
Communications between the WLAN clients
Depending on the application, it may be required that the WLAN clients connected to an access point can—or expressly cannot—communicate with other clients. You can centrally define the permissible communication for all physical and logical networks, and consider the three following cases in doing so:
- Allow data traffic: This setting allows all WLAN clients to communicate with other stations in their own and in other available wireless networks.
- Do not allow data traffic between stations that are logged on to this access point: In this case, WLAN clients can only communicate with mobile stations located in other available wireless networks, but not with the stations in their own WLAN.
- Do not allow data traffic: This last variant prevents all communications between the WLAN clients.
Roaming
In addition to controlling the communication between the clients, you can define whether the mobile stations in the wireless network can change to a neighboring access point (roaming).
Monitor stations
In particular for public WLAN access points (public spots), the charging of usage fees requires the recognition of stations that are no longer active. Monitoring involves the access point regularly sending packets to logged-in stations. If a station does not answer these packets, the charging system recognizes it as no longer active.
Configuration with LANconfig
For configuration with LANconfig you will find the general WLAN access settings under the configuration area 'WLAN Security' on the 'General' tab.
Configuration with WEBconfig or Telnet
Under WEBconfig or Telnet you will find the general WLAN access settings under the following paths:
Configuration tool   Menu/Table
WEBconfig            Expert configuration > Setup > WLAN > Inter-station traffic, Monitor stations or IAAP protocol (for roaming)
Terminal/Telnet      cd /Setup/WLAN/Inter-station traffic, Monitor stations or IAAP protocol (for roaming)
Access Control List
With the Access Control List (ACL) you can permit or prevent the access to your wireless LAN by individual clients. The decision is based on the MAC address that is permanently programmed into wireless LAN adapters.
Configuration with LANconfig
For configuration with LANconfig you will find the general WLAN access settings under the configuration area 'WLAN Security' on the 'Stations' tab. Check that the setting 'filter out data from the listed stations, transfer all other' is activated. New stations that are to participate in your wireless network are added with the button 'Stations'.
Configuration with WEBconfig or Telnet
Under WEBconfig or Telnet you will find the Access Control List under the following paths:
Configuration tool   Menu/Table
WEBconfig            Expert configuration > Setup > WLAN > Access list
Terminal/Telnet      cd /Setup/WLAN/Access-List
Protocol filter
With the protocol filter you can influence the handling of certain protocols during transfer from the WLAN to the LAN.
Note: Packets from the WLAN for certain protocols/ports can be redirected to special IP addresses in the LAN by the protocol filter. This function, known as "Redirect", is described in detail in the section 'Redirect function' → page 82.
Configuration with LANconfig
For configuration with LANconfig you will find the protocol filter under the configuration area 'WLAN Security' on the 'Protocols' tab.
Make an entry in the protocol list for each protocol that requires special handling. Enter the following values:
- A name of your choice for the filter entry
- Protocol number, e.g. '0800' for IP. If no protocol is entered, the filter will be applied to all packets.
- Subprotocol, e.g. '6' for TCP. If no subprotocol is entered, the filter will be applied to all packets of the entered protocol.
- Port start and port end, e.g. each '80' for HTTP. If no ports are entered, then this filter will be applied to all ports of the appropriate protocol/subprotocol.

Note: Lists of the official protocol and port numbers are available on the Internet under www.iana.org.

- Action for the data packets:
  - Let through
  - Reject
  - Redirect (and state the target address)
- List of interfaces that the filters apply to
- Redirect address when the 'Redirect' action is selected
Example:
Name     Protocol  Subtype  Start port  End port  Interface list  Action       Redirect IP address
ARP      0806      0        0           0         WLAN-1-2        Let through  0.0.0.0
DHCP     0800      17       67          68        WLAN-1-2        Let through  0.0.0.0
TELNET   0800      6        23          23        WLAN-1-2        Redirect     192.168.11.5
ICMP     0800      1        0           0         WLAN-1-2        Let through  0.0.0.0
HTTP     0800      6        80          80        WLAN-1-2        Redirect     192.168.11.5
ARP, DHCP and ICMP will be let through, Telnet and HTTP will be redirected to 192.168.11.5, and all other packets will be rejected.

Note: As soon as an entry is made in the protocol filter, all packets not matching the filter will be automatically rejected!
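The matching rules of the protocol filter (protocol, subprotocol, port range, interface list, action, and the implicit reject once the table is non-empty) are easy to misjudge when writing entries, so here is an added Python model of them that is not part of the manual or of LCOS. It encodes the example table above and evaluates constructed sample packets against it. Two details the manual leaves open are assumptions in this model: a port range is taken to match when either the source or the destination port falls into it (which is what makes the DHCP entry 67-68 cover both directions), and the first matching entry in table order is taken to decide.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


@dataclass(frozen=True)
class FilterEntry:
    """One row of the protocol table. As in the manual's example, 0 means
    'not entered' for protocol, subprotocol and ports (= applies to all)."""
    name: str
    protocol: int = 0              # Ethernet type, e.g. 0x0800 for IP
    subprotocol: int = 0           # IP protocol number, e.g. 6 for TCP
    port_start: int = 0
    port_end: int = 0
    interfaces: str = "WLAN-1-2"   # comma-separated interface names (assumed format)
    action: str = "Let through"    # "Let through", "Reject" or "Redirect"
    redirect_ip: str = "0.0.0.0"


@dataclass(frozen=True)
class Packet:
    """Constructed view of a frame arriving from the WLAN."""
    interface: str
    ethertype: int
    subprotocol: int = 0
    src_port: int = 0
    dst_port: int = 0


def entry_matches(entry: FilterEntry, pkt: Packet) -> bool:
    """True if every field that was entered in the row agrees with the packet."""
    if pkt.interface not in [i.strip() for i in entry.interfaces.split(",")]:
        return False
    if entry.protocol and entry.protocol != pkt.ethertype:
        return False
    if entry.subprotocol and entry.subprotocol != pkt.subprotocol:
        return False
    if entry.port_start or entry.port_end:
        # Assumption: the range matches on either the source or the destination port.
        lo, hi = entry.port_start, entry.port_end
        if not (lo <= pkt.src_port <= hi or lo <= pkt.dst_port <= hi):
            return False
    return True


def decide(table: List[FilterEntry], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Returns (action, redirect target). An empty table lets everything through;
    once the table has entries, a packet matching no entry is rejected.
    Assumption: the first matching entry in table order wins."""
    if not table:
        return "Let through", None
    for entry in table:
        if entry_matches(entry, pkt):
            target = entry.redirect_ip if entry.action == "Redirect" else None
            return entry.action, target
    return "Reject", None


# The manual's example table, transcribed row by row.
EXAMPLE_TABLE = [
    FilterEntry("ARP", ETHERTYPE_ARP),
    FilterEntry("DHCP", ETHERTYPE_IP, IPPROTO_UDP, 67, 68),
    FilterEntry("TELNET", ETHERTYPE_IP, IPPROTO_TCP, 23, 23, action="Redirect", redirect_ip="192.168.11.5"),
    FilterEntry("ICMP", ETHERTYPE_IP, IPPROTO_ICMP),
    FilterEntry("HTTP", ETHERTYPE_IP, IPPROTO_TCP, 80, 80, action="Redirect", redirect_ip="192.168.11.5"),
]
```

Running `decide(EXAMPLE_TABLE, Packet("WLAN-1-2", ETHERTYPE_IP, IPPROTO_TCP, 51000, 22))` shows the implicit reject at work: SSH matches no row, so it is dropped even though no row names it, which is the behaviour the note above warns about.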
Configuration with WEBconfig or Telnet
Under WEBconfig or Telnet you will find the protocol filter under the following paths:
Configuration tool   Menu/Table
WEBconfig            Expert configuration > Setup > LAN-Bridge > Protocol table
Terminal/Telnet      cd /Setup/LAN-Bridge/Protocol-Table
Encryption settings
Access points of the BAT range support the most up-to-date methods of encryption and security for data that is transferred via WLAN.
- The IEEE standard 802.11i/WPA stands for the highest degree of security that is currently available for WLAN connections. This standard uses a new encryption procedure (AES-CCM) which, in combination with other methods, achieves levels of security equalled only by VPN connections until now. When using AES-capable hardware the transmissions are much faster than with comparable VPN security.
- WEP is also supported to ensure compatibility with older hardware. WEP (Wired Equivalent Privacy) is the encryption method originally incorporated in the 802.11 standard for the encryption of data in wireless transmission. This method uses keys of 40 (WEP64), 104 (WEP128) or 128 bits (WEP152) in length. A number of security loopholes in WEP have come to light over time, and so the latest 802.11i/WPA methods should be used wherever possible.
Note: Further information about the 802.11i and WPA standards is available under 'Development of WLAN security' → page 33.
The tab '802.11i/WEP' in the configuration area 'WLAN Security' is used for setting the encryption parameters for each logical WLAN. Open the list with the button for WPA or Private WEP settings.
Type of encryption
First of all, select the type of encryption for the individual logical WLAN interfaces:
- Yes—Access only for stations with encryption (recommended): In this mode, only the WLAN clients with activated WEP and the correct key can register with the access point.
- Yes—Access also for stations without encryption allowed: In this mode, WLAN clients with activated WEP and WLAN clients without WEP can register with this access point.
- No—No encryption
Method/ Key 1 length
Set the encryption method to be used here.
- 802.11i (WPA)-PSK – Encryption according to the 802.11i standard offers the highest security. The 128-bit AES encryption used here offers security equivalent to that of a VPN connection.
- WEP 152, WEP 128, WEP 64 – encryption according to the WEP standard with key lengths of 128, 104 or 40 bits respectively. This setting is only to be recommended when the hardware used by the WLAN client does not support the modern method.
- WEP 152-802.1x, WEP 128-802.1x, WEP 64-802.1x – encryption according to the WEP standard with key lengths of 128, 104 or 40 bits respectively, and with additional authentication via 802.1x/EAP. This setting is also only to be recommended when the hardware used by the WLAN client does not support the 802.11i standard. The 802.1x/EAP authentication offers a higher level of security than WEP encryption alone, although the necessity for a RADIUS server makes very high demands of the IT infrastructure.
Key 1/passphrase
In line with the encryption method activated, you can enter a special WEP key for the respective logical WLAN interface or a passphrase when using WPA-PSK:
- The passphrase, or the 'password' for the WPA-PSK method, is entered as a string of at least 8 and up to 63 ASCII characters.

Note: Please be aware that the security of this encryption method depends on the confidential treatment of this passphrase. Passphrases should not be made public to larger circles of users.
- The WEP key 1, which applies only to its respective logical WLAN interface, can be entered in different ways depending on the key length. Rules for entering the keys can be found in the description of the WEP group key 'Rules for entering WEP keys' → page 62.
WPA session key type
If '802.11i (WPA)-PSK' has been entered as the encryption method, the procedure for generating a session or group key can be selected here:
- AES – the AES method will be used.
- TKIP – the TKIP method will be used.
- AES/TKIP – the AES method will be used. If the client hardware does not support the AES method, TKIP will be used.
Authentication
If the encryption method was set as WEP encryption, two different methods for the authentication of the WLAN client are available:
- The 'Open system' method does not use any authentication. The data packets must be properly encrypted from the start to be accepted by the access point.
- With the 'Shared key' method, the first data packet is transmitted unencrypted and must be sent back by the client correctly encrypted. This method presents potential attackers with at least one data packet that is unencrypted.
Default key
If WEP encryption is selected, the access point can select from four different WEP keys for each logical WLAN interface:
- Three WEP keys for the physical interface
- An additional WEP key particular to each logical WLAN interface
The private WEP settings are used to set the additional key for each logical WLAN interface (see 'Key 1/passphrase'). You should also select which of the four keys is currently to be used for the encryption of the data (default key). This setting can be used to change the key frequently, so increasing security. Rules for entering the keys can be found in the description of the WEP group key 'Rules for entering WEP keys' → page 62.
Configuration with LANconfig
For configuration with LANconfig you will find the private WEP settings under the configuration area 'WLAN Security' on the '802.11i/WEP' tab.
Configuration with WEBconfig or Telnet
Under WEBconfig or Telnet you will find the individual key settings for logical WLAN networks under the following paths:
Configuration tool   Menu/Table
WEBconfig            Expert configuration > Setup > Interfaces > WLAN-Interfaces > Encryption-Settings
Terminal/Telnet      cd /Setup/Interfaces/WLAN-Interfaces/Encryption-Settings
WEP group keys
Wired Equivalent Privacy (WEP) is an effective method for the encryption of data for wireless transmission. The WEP method uses keys of 40 (WEP64), 104 (WEP128) or 128 bits (WEP152) in length. Each WLAN interface has four WEP keys: a special key for each logical WLAN interface and three common group WEP keys for each physical WLAN interface.
Note: If 802.1x/EAP is in use and the 'dynamic key generation and transmission' is activated, the group keys from 802.1x/EAP will be used and are consequently no longer available for WEP encryption.
Rules for entering the keys can be found in the description of the WEP group key 'Rules for entering WEP keys' → page 62.
Configuration with LANconfig
The tab '802.11i/WEP' in the configuration area 'WLAN Security' is used for setting the three WEP keys 2 to 4. Open the list with the button for WEP Group Keys. These WEP keys apply to the physical WLAN interface and thus globally to all of the associated logical WLAN interfaces.
Configuration with WEBconfig or Telnet
Under WEBconfig or Telnet you will find the group keys for the physical WLAN interface under the following paths:
Configuration tool   Menu/Table
WEBconfig            Expert configuration > Setup > Interfaces > WLAN-Interfaces > Group-Keys
Terminal/Telnet      cd /Setup/Interfaces/WLAN-Interfaces/Group-Keys
Rules for entering WEP keys
WEP keys can be entered as ASCII characters or in hexadecimal form. The hexadecimal form begins with the characters '0x'. The keys have a length de­pending on the WEP method:
Method    ASCII                    HEX
WEP 64    5 characters             10 characters
          Example: 'aR45Z'         Example: '0x0A5C1B6D8E'
WEP 128   13 characters            26 characters
WEP 152   16 characters            32 characters
The ASCII character set includes the characters '0' to '9', 'a' to 'z', 'A' to 'Z' and the following special characters: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

The HEX form uses the numbers '0' to '9' and the letters 'A' to 'F' to display each character as a character pair, which is why twice the number of characters is required to display a HEX key.

Select the length and the format (ASCII or HEX) of the key depending on the best option available in the wireless network cards that register with your WLAN. If the encryption in an access point is set to WEP 152, some clients may not be able to log into the WLAN as their hardware does not support the key length.
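As an added example (not from the manual or from LCOS), the following Python function applies the entry rules above: it recognises the '0x' prefix, checks the character set, and maps the key length to the WEP method, returning the raw key bytes the method will use. It also accepts the 13-character standard WEP key format from section 3.3.2 as a WEP 128 ASCII key. Lowercase hex digits are accepted as an assumption; the manual only lists 'A' to 'F'.

```python
import string
from typing import Tuple

# Key lengths from the manual's table: method -> (ASCII characters, HEX characters)
WEP_KEY_LENGTHS = {"WEP 64": (5, 10), "WEP 128": (13, 26), "WEP 152": (16, 32)}

# Allowed ASCII key characters: digits, letters and the listed special characters
ASCII_KEY_CHARS = set(string.ascii_letters + string.digits + "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


def parse_wep_key(key: str) -> Tuple[str, bytes]:
    """Classify a WEP key entry and return (method, key_bytes).

    A key starting with '0x' is taken as HEX, anything else as ASCII. Raises
    ValueError if the characters are not allowed or the length fits no WEP method.
    """
    if key.startswith("0x"):
        body = key[2:]
        # Assumption: lowercase hex digits are accepted as well as the listed 'A' to 'F'.
        if not body or any(c not in string.hexdigits for c in body):
            raise ValueError("HEX key must contain only 0-9 and A-F after the 0x prefix")
        for method, (_, hex_len) in WEP_KEY_LENGTHS.items():
            if len(body) == hex_len:
                return method, bytes.fromhex(body)
        raise ValueError(f"HEX key of {len(body)} digits fits no WEP method (10, 26 or 32)")

    if any(c not in ASCII_KEY_CHARS for c in key):
        raise ValueError("ASCII key contains characters outside the allowed set")
    for method, (ascii_len, _) in WEP_KEY_LENGTHS.items():
        if len(key) == ascii_len:
            return method, key.encode("ascii")
    raise ValueError(f"ASCII key of {len(key)} characters fits no WEP method (5, 13 or 16)")


def key_bits(key: str) -> int:
    """Secret key length in bits for the entered key (40, 104 or 128)."""
    return len(parse_wep_key(key)[1]) * 8


def is_valid_wep_key(key: str) -> bool:
    """Convenience check for configuration tooling: True if the entry is accepted."""
    try:
        parse_wep_key(key)
        return True
    except ValueError:
        return False
```

Note that a key such as 'aR45Z' and the HEX entry '0x0A5C1B6D8E' both yield WEP 64 with 5 key bytes (40 bits), which is the reason twice as many characters are needed in HEX form.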
3.4.2 General WLAN settings
Country setting
Regulations for the operation of WLAN cards differ from country to country. The use of some radio channels is prohibited in certain countries. To limit the operation of the BAT access points to the parameters that are allowed in var­ious countries, all physical WLAN interfaces can be set up for the country where they are operated.
Configuration with LANconfig
For the configuration with LANconfig, the country settings can be found in the configuration area 'Interfaces' on the tab 'Wireless LAN' in the group 'General'.
This group includes two other parameters in addition to the country setting:

ARP handling
Mobile stations in the wireless network that are on standby do not answer the ARP requests from other network stations reliably. If 'ARP handling' is activated, the access point takes over this task and answers the ARP requests on behalf of stations that are on standby.

Broken link detection
'Broken link detection' deactivates the WLAN card if the access point loses contact with the LAN.
Configuration with WEBconfig or Telnet
Under WEBconfig or Telnet you will find the general WLAN parameters un­der the following paths:
Configuration tool   Menu/Table
WEBconfig            Expert configuration > Setup > WLAN
Terminal/Telnet      cd /Setup/WLAN
3.4.3 WLAN routing (isolated mode)
By default, data between LAN and WLAN is transmitted transparently (bridged), so traffic between the cabled and the radio network does not pass through the IP router. This means that the firewall and Quality of Service functions integrated in the IP router are not applied to data transferred between WLAN and LAN. To use these functions nevertheless, the WLAN interface can be set to "isolated mode", so that the data is deliberately routed through the IP router.
Note: For the IP router to forward data between LAN and WLAN correctly, the two segments must use different IP address ranges and local routing must be activated in the IP router settings.
Configuration with LANconfig
When configuring with LANconfig you can find the WLAN routing in the configuration area 'Interfaces' on the tab 'LAN' in the section 'Ethernet switch settings'.
Configuration with WEBconfig or Telnet
Under WEBconfig or Telnet you can find the WLAN routing as follows:
Configuration tool   Menu/Table
WEBconfig            Expert configuration > Setup > LAN > Isolated Mode
Terminal/Telnet      cd /Setup/LAN/Isolated Mode
3.4.4 The physical WLAN interfaces
Setting up the WLAN card
Apart from the parameters common to all WLAN cards, there is a series of settings that are particular to each WLAN card of the access point.
Configuration with LANconfig
For configuration with LANconfig you will find the settings for the WLAN card under the configuration area 'Interfaces' on the 'Wireless LAN' tab. Open the list of physical WLAN interfaces by clicking on the button Physical WLAN settings.
WLAN card operation
Operation mode
BAT Wireless Router devices can be operated in two basic operation modes:
- As an access point, it forms the link between the WLAN clients and the cabled LAN.
- In Client mode the device seeks another access point and attempts to register with a wireless network. In this case the device serves to link a cabled network device to another access point over a wireless connection.
Select the operation mode from the tab 'Operation'. If the WLAN interface is not required, it can be completely deactivated.
Configuration with WEBconfig or Telnet
Under WEBconfig or Telnet you can set the operation mode for the physical WLAN interface under the following paths:
Configuration tool   Menu/Table
WEBconfig            Expert configuration > Setup > Interfaces > WLAN-Interfaces > Operation-Settings
Terminal/Telnet      cd /Setup/Interfaces/WLAN-Interfaces/Operation-Settings
Radio settings
Frequency band, Subband
When selecting the frequency band on the 'Radio' tab under the physical interface settings, you decide whether the WLAN card operates in the 2.4 GHz or in the 5 GHz band (also see ’Standardized radio transmission by IEEE’ → page 21), and thus the available radio channels. In the 5 GHz band, a subband can also be selected which is linked to certain radio channels and maximum transmission powers.
Note: In some countries, the use of the DFS method for automatic channel selection is a legal requirement. Selecting the subband also defines the radio channels that can be used for the automatic channel selection.
Channel number
- Automatic selection of 5 GHz WLAN channels via DFS with a "blacklist" and "whitelist": To avoid interference with radar installations, for example, and to distribute WLAN devices evenly across the frequency band, the DFS method (dynamic frequency selection) selects a channel automatically. After power-on or reboot, the device randomly picks one of the channels available to it (as determined, for example, by the country setting) and checks whether radar signals or other wireless LANs are already active on that channel. This scan is repeated until a channel without radar signals and with as few other networks as possible is found. To make sure that there is no radar signal, the selected channel is monitored for about 60 seconds. Data transfer can therefore be interrupted for about 60 seconds while the device scans for a new free channel. To prevent data transfer from being interrupted whenever a new channel is selected, a BAT (LCOS version 5.00 and higher) runs the scan before selecting a channel. The following information about the scanned channels is saved in an internal database:
  - Has a radar signal been found on the channel?
  - How many other networks have been found on the channel?
  With the help of this database a WLAN device can select a radar-free channel with the least number of networks. As soon as a channel has been selected, the data transfer can begin with no further waiting time.
  - The "blacklist" in the database saves the channels which are blocked because radar signals were found. To keep the blacklist up to date, every entry is deleted automatically after 30 minutes.
  - The "whitelist" contains the channels where no radar signals were found. As long as no radar signal occurs on a channel, an entry remains valid for the next 24 hours. If a radar signal is found, the entry is deleted from the whitelist immediately and saved in the blacklist.
  The 60-second scanning procedure is only necessary under the following circumstances:
  - The device is switched on or a cold start is performed. In this case the database is empty and the device cannot select a channel from the whitelist.
  - The device has been operating for 24 hours, so the whitelist entries have been deleted. In this case the database has to be refilled.
Note: To prevent the 60-second scanning procedure from starting at an unsuitable time, the time at which the database is cleared can be set with WEBconfig or Telnet under the menu /Setup/Interfaces/WLAN/Radio-Settings. The time is given in cron notation, e.g. '1,6,13' for a DFS scan at 1 a.m., 6 a.m. and 1 p.m., or '0-23/4' for a DFS scan every four hours from 0 a.m. to 11 p.m. This requires the device's clock to be set correctly.
Note: As of LCOS 7.20, the limitation requiring 5-GHz operation with DFS to be interrupted for one minute every 24 hours (as required for outdoor radio paths, for example) no longer applies. The connection can now be operated for any length of time on the channel selected by the DFS algorithm until either a radar signal is detected or the radio cell is restarted (e.g. by changing the device configuration, a firmware upload, or a restart). The validity of the result of the one-minute scan is still limited to 24 hours. For this reason, restarting the radio cell or the detection of a radar signal can cause a one-minute interruption if the last scan was more than 24 hours ago, because the device is then not aware of channels identified as "free" and available for immediate use. As with earlier versions of LCOS, the configuration item 'DFS rescan hours' makes it possible to force the one-minute scan to take place at a time of day when the wireless network is not being used.
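As an added example (not code from the manual or LCOS), the Python below expands a 'DFS rescan hours' value written in the cron-style notation the notes above describe ('1,6,13', '0-23/4') into the list of hours at which the one-minute scan will run, computes how far away the next scan is, and checks the list against a window during which the radio link must not be interrupted. The asterisk form ('*', '*/6'), the rejection of a step applied to a single hour, and the two helper functions are assumptions of this example, not behaviour documented for LCOS.

```python
"""Expand a cron-style 'DFS rescan hours' field and check it against a
no-interruption window (added example, not part of the BAT manual or LCOS)."""
import re

# one item: '*', 'H' or 'A-B', each optionally followed by '/step'
_ITEM = re.compile(r"^(\*|\d{1,2}(?:-\d{1,2})?)(?:/(\d{1,2}))?$")


def parse_rescan_hours(spec):
    """Return the sorted list of hours (0-23) selected by a field such as
    '1,6,13', '0-23/4' or '*/6'. Raises ValueError for malformed input,
    hours outside 0-23, a reversed range, a step of 0, or a step applied
    to a single hour ('5/2' is ambiguous between cron dialects, so refuse it)."""
    hours = set()
    for item in spec.split(","):
        m = _ITEM.match(item.strip())
        if not m:
            raise ValueError(f"malformed hour item {item!r}")
        base, step_txt = m.group(1), m.group(2)
        step = int(step_txt) if step_txt is not None else 1
        if step == 0:
            raise ValueError(f"step must be at least 1 in {item!r}")
        if base == "*":                    # assumption: '*' means every hour
            lo, hi = 0, 23
        elif "-" in base:
            lo, hi = (int(x) for x in base.split("-"))
        else:
            if step_txt is not None:
                raise ValueError(f"step needs a range or '*' in {item!r}")
            lo = hi = int(base)
        if not 0 <= lo <= hi <= 23:
            raise ValueError(f"hours out of range or reversed in {item!r}")
        hours.update(range(lo, hi + 1, step))
    return sorted(hours)


def hours_until_next_rescan(spec, now_hour):
    """Whole hours from the start of the current hour until the next scan
    (wraps past midnight)."""
    hours = parse_rescan_hours(spec)
    later = [h for h in hours if h > now_hour]
    return (later[0] if later else hours[0] + 24) - now_hour


def rescans_inside_window(spec, start, end):
    """Scheduled scan hours that fall inside [start, end), a window during
    which the link must not be interrupted. The window may wrap past midnight
    (start > end). An empty result means the schedule is safe for that window."""
    hours = parse_rescan_hours(spec)
    if start <= end:
        return [h for h in hours if start <= h < end]
    return [h for h in hours if h >= start or h < end]


if __name__ == "__main__":
    for spec in ("1,6,13", "0-23/4"):          # the manual's two examples
        print(spec, "->", parse_rescan_hours(spec),
              "| scans during a 08:00-18:00 production window:",
              rescans_inside_window(spec, 8, 18))
```

The window check is the operationally interesting part: '0-23/4' looks harmless but puts three one-minute outages (08:00, 12:00, 16:00) into a normal working day, which is exactly what the 'DFS rescan hours' setting exists to avoid; and because the schedule is interpreted against the device clock, a device without a correct time source will run the scan at an unpredictable wall-clock time.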
The radio channel selects the portion of the available frequency band that is used for data transfer.
DFS 2 – ETSI 301 893 V1.3.1
The ETSI standard 301 893 version 1.3.1 is the latest set of regulations concerning the operation of 5 GHz wireless LANs. In the context of the wireless LAN modules used in the BAT Wireless Routers and BAT Access Points, this standard is also referred to as DFS 2. It places tougher demands on the radar detection patterns used when operating 5 GHz WLANs. The standard applies to all devices brought into circulation after April 01, 2008. Devices brought into circulation before this date do not have to meet this standard; in particular, devices with older WLAN chips (two- or three-chip modules) do not have to meet it and, as such, do not have to be upgraded. Hirschmann supplies LCOS firmware versions 7.30 (for the current Wireless Routers and Access Points) and 7.52 (for BAT Wireless L-310agn and BAT Wireless L-305agn) with DFS 2 support. These firmware versions use different threshold values for radar pattern recognition than the former DFS.
Danger: In principle the operator of the WLAN is responsible for complying with the new ETSI standards. For this reason Hirschmann recommends that you update to a firmware version with DFS 2 support.
Note: In the 2.4-GHz band, two separate wireless networks must be at least three channels apart to avoid interference.
Compatibility mode
Two different wireless standards use the 2.4-GHz band: IEEE 802.11b with a transfer rate of up to 11 Mbps and IEEE 802.11g with up to 54 Mbps. When 2.4 GHz is selected as the frequency band, the data transfer speed can be set as well.
Note: Please observe that clients supporting only the slower standards may not be able to register with the WLAN if the speeds set here are higher. The 802.11g/b compatibility mode offers the highest possible speeds and yet still supports the 802.11b standard so that slower clients are not excluded. In this mode, the WLAN card in the access point works primarily with the faster standard and falls back to the slower mode should a client of this type log into the WLAN. In the '2Mbit compatible' mode, the access point supports older 802.11b cards with a maximum transmission speed of 2 Mbps.
Turbo mode
Using two neighboring, vacant channels for wireless transmissions can increase the transfer speed up to 108 Mbps. Set this option for the 2.4-GHz band in the drop-down list '2.4 GHz mode', and for the 5-GHz band in the corresponding list '5 GHz mode' below.
Antenna gain, Transmission power reduction
Where the transmission power of an antenna exceeds the levels permitted in the country of operation, the power must be attenuated accordingly.
- The field 'Antenna gain' is for the gain of the antenna minus the actual cable loss. For an AirLancer Extender O-18a antenna with a gain of 18 dBi and a 4 m cable with a loss of 1 dB/m, the 'Antenna gain' would be entered as 18 - 4 = 14. This value for true antenna gain is used dynamically to calculate and emit the maximum permissible power with regard to other parameters such as country, data rate and frequency band.
- In contrast to this, the entry in the field 'Tx power reduction' causes a static reduction of the power by the value entered, and ignores the other parameters. Also see ’Establishing outdoor wireless networks’ → page 112.
Note: The transmission power reduction simply reduces the emitted power. The reception sensitivity (reception antenna gain) remains unaffected. This option is useful, for example, where large distances have to be bridged by radio using short cables: the reception antenna gain can be increased without exceeding the legal limits on transmission power. This leads to an improvement in the maximum possible range and, in particular, the highest possible data transfer rates.
Access point density
The more access points there are in a given area, the more the reception ar­eas of the antennae intersect. The setting 'Access point density' can be used to reduce the reception sensitivity of the antenna.
Maximum distance
Large distances between transmitter and receiver give rise to increasing de­lays for the data packets. If a certain limit is exceeded, the responses to transmitted packets no longer arrive within an acceptable time limit. The en­try for maximum distance increases the wait time for the responses. This dis­tance is converted into a delay which is acceptable for wireless communications.
Configuration with WEBconfig or Telnet
Under WEBconfig or Telnet you will find the radio parameters under the fol­lowing paths:
Configuration tool   Menu/Table
WEBconfig            Expert configuration > Setup > Interfaces > WLAN-Interfaces > Radio-Settings
Terminal/Telnet      cd /Setup/Interfaces/WLAN-Interfaces/Radio settings
Point-to-point connections
Access points are not limited to communications with mobile clients; they can also transfer data from one access point to another. On the 'Point-to-Point' tab for the physical interface settings, you can allow the additional exchange of data with other access points. You can select from:
- Point-to-point 'Off': The access point only communicates with mobile clients
- Point-to-point 'On': The access point can communicate with other access points and with mobile clients
- Point-to-point 'Exclusive': The access point only communicates with other access points
The input fields are for the MAC addresses of the WLAN cards for the point-to-point connections (up to 7).
Note: Please observe that only the MAC addresses of the WLAN cards at the other end of the connections are to be entered here! Not the access point's own MAC address, and not the MAC addresses from any other interfaces that may be present in the access points.
Configuration with WEBconfig or Telnet
Under WEBconfig or Telnet you can set the settings for the point-to-point connections under the following paths:
Configuration tool   Menu/Table
WEBconfig            Expert configuration > Setup > Interfaces > WLAN-Interfaces > Interpoint-Settings
Terminal/Telnet      cd /Setup/Interfaces/WLAN-Interfaces/Interpoint-Settings
Client mode
If the BAT Wireless Router device is operating as a client, the tab 'Client mode' can be used for further settings that affect the behavior as a client.
Network types
'Network types' controls whether the station can register only with infrastructure networks, or also with ad-hoc networks. Further information about these network types can be found under ’The ad-hoc mode’ → page 26 and ’The infrastructure network’ → page 26.
Create IBSS
If the station can establish an IBSS (Independent Basic Service Set), meaning an ad-hoc network, then the station can connect to other WLAN clients. For the connection of devices via a client station, this is mostly unwanted or not required.
Keep client connection alive
This option ensures that the client station keeps the connection to the access point alive even when the connected devices do not send any data packets. If this option is switched off, the client station will automatically log off from the wireless network if no packets are transferred over the WLAN connection within a given time.
Scan bands
This defines whether the client station scans just the 2.4 GHz band, just the 5 GHz band, or all of the available bands for access points.
Preferred BSS-ID
If the client station is only supposed to log in to a certain access point, you can enter the MAC address of that access point's WLAN card here.
Address Adaption
In client mode the client station usually replaces the MAC addresses contained in the data packets of the connected devices with its own MAC address. The access point at the other end of the connection therefore only "sees" the MAC address of the client station, but not the MAC address of the connected computer or computers.
Figure: Without MAC address adaptation the access point sees the MAC address of the client station; with MAC address adaptation it sees the MAC address of the computer behind the client station.
In some installations it is required that the MAC address of the computer, and not that of the client station, is transmitted. With the option 'Address adaption' the replacement of the MAC address by the client station is prevented and the data packets are transmitted with the original MAC address.
Note: Address adaption only works if a single computer is connected to the client station.
Client Bridge Support
With address adaption (’Address Adaption’ → page 73) the MAC address of only one connected device is visible to the access point. With Client Bridge Support, all MAC addresses of the stations in the LAN behind the client station are transmitted transparently to the access point.
Figure: Client-bridge mode. Frames from station 1 and station 2 carry as source the MAC address of the respective station and of the client station, and as target the MAC addresses of the access point and the server.
In this operating mode the usual three MAC addresses of client mode (in this example: server, access point and client station) are not used; instead, as with point-to-point connections, four addresses are used (the MAC address of the station in the LAN behind the client station is added). The fully transparent connection of a LAN to the client station means that procedures triggered by broadcast, such as TFTP downloads, also work across the WLAN. The Client-Bridge mode has the following advantages compared to other methods:
- Compared to the "normal" client mode, address replacement (masquerading) is not required.
- Compared to a point-to-point connection, entering the MAC addresses is not required. Additionally, in Client-Bridge mode more than six connections (the limit for P2P) can be established.
Note: The Client-Bridge mode can only be used between two BAT devices. Client-Bridge mode must also be activated in the settings for the logical network of the access point.
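The difference between client mode (with or without address adaptation) and client-bridge mode is the address layout of the 802.11 data frames on the air. As an added example (not code from the manual or LCOS), the Python below builds and parses the MAC header of an 802.11 data frame and reports which station the access point sees as the originator: with the three-address layout (To-DS set, From-DS clear) the SA field carries the client station's MAC, while the four-address layout used by point-to-point links and client-bridge mode carries the transmitting client station in TA and the LAN station behind it in SA. The sample MAC addresses are constructed locally administered addresses, and the frame builder and role names are this example's own. One thing to read off the code: every one of these fields is sent in the clear and chosen by the sender, so a MAC filter list (see 'Enable MAC filter' under the logical WLAN interfaces) only checks a value any station can set.

```python
"""Build and parse the MAC header of IEEE 802.11 data frames to show which
address is visible as the source in client mode (3 addresses) versus
client-bridge / point-to-point mode (4 addresses).
Added example; not part of the BAT manual or LCOS."""
import struct

FC_TYPE_DATA = 0x0008   # frame control byte 0: type=2 (data), subtype=0
FC_TO_DS = 0x0100       # flags byte, bit 0
FC_FROM_DS = 0x0200     # flags byte, bit 1

# Constructed sample addresses (locally administered, not real devices)
AP = "02:00:00:00:00:aa"        # access point
CLIENT = "02:00:00:00:00:c1"    # BAT in client mode / client-bridge mode
STATION1 = "02:00:00:00:00:51"  # computer in the LAN behind the client station
SERVER = "02:00:00:00:00:5e"    # server in the LAN behind the access point


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_data_frame(to_ds, from_ds, a1, a2, a3, a4=None):
    """Return an 802.11 data-frame MAC header (no body) with the given
    Address 1..3 and, for the To-DS+From-DS case, Address 4."""
    fc = FC_TYPE_DATA | (FC_TO_DS if to_ds else 0) | (FC_FROM_DS if from_ds else 0)
    hdr = struct.pack("<HH", fc, 0)                      # frame control, duration
    hdr += _mac_bytes(a1) + _mac_bytes(a2) + _mac_bytes(a3)
    hdr += struct.pack("<H", 0)                          # sequence control
    if to_ds and from_ds:
        if a4 is None:
            raise ValueError("four-address layout needs Address 4")
        hdr += _mac_bytes(a4)
    return hdr


def parse_addresses(frame):
    """Map Address 1..4 of a data frame to their roles according to the
    To-DS / From-DS flags (standard IEEE 802.11 address field usage)."""
    if len(frame) < 24:
        raise ValueError("too short for an 802.11 MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & FC_TO_DS), bool(fc & FC_FROM_DS)
    a1, a2, a3 = (_mac_str(frame[o:o + 6]) for o in (4, 10, 16))
    if to_ds and from_ds:
        if len(frame) < 30:
            raise ValueError("four-address frame truncated")
        a4 = _mac_str(frame[24:30])
        return {"layout": "4-address", "RA": a1, "TA": a2, "DA": a3, "SA": a4}
    if to_ds:
        return {"layout": "3-address", "BSSID": a1, "SA": a2, "DA": a3}
    if from_ds:
        return {"layout": "3-address", "DA": a1, "BSSID": a2, "SA": a3}
    return {"layout": "3-address", "DA": a1, "SA": a2, "BSSID": a3}


def visible_source(frame):
    """The station the access point sees as the originator of the frame (SA)."""
    return parse_addresses(frame)["SA"]


if __name__ == "__main__":
    # Client mode without address adaptation: the client station masquerades
    client_mode = build_data_frame(True, False, AP, CLIENT, SERVER)
    # Client-bridge mode: four addresses, the LAN station's MAC travels in SA
    bridge_mode = build_data_frame(True, True, AP, CLIENT, SERVER, STATION1)
    for name, f in (("client mode", client_mode), ("client-bridge", bridge_mode)):
        print(name, parse_addresses(f), "-> source seen by AP:", visible_source(f))
```

In the three-address case the access point has no way to tell whether SA is the client station itself or a value the station chose to write there, which is also why address adaptation can only present one computer: there is just one source field to carry it.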
Configuration with WEBconfig or Telnet
Under WEBconfig or Telnet you will find the settings for the client mode under the following paths:
Configuration tool   Menu/Table
WEBconfig            Expert configuration > Setup > Interfaces > WLAN-Interfaces > Client-Settings
Terminal/Telnet      cd /Setup/Interfaces/WLAN-Interfaces/Client-Settings
Authentication with EAP/802.1X for BAT Wireless Router in client mode
In WLAN client operation mode, the BAT Wireless Router can authenticate to another access point using EAP/802.1X. To activate the EAP/802.1X au­thentication in client mode, the client EAP method is selected as the encryp­tion method for the first logical WLAN network.
Configuration tool   Call
LANconfig            Wireless LAN > 802.11i/WEP > WPA or private WEP settings > Wireless network 1
WEBconfig, Telnet    Expert configuration > Setup > Interfaces > WLAN > Encryption > WLAN 1

- Client EAP method
  Select the desired client EAP method here. Please observe that the selected client EAP method must match the settings on the access point that the BAT Wireless Router is attempting to log onto. The following values are available:
  - TLS
  - TTLS/PAP
  - TTLS/CHAP
  - TTLS/MSCHAP
  - TTLS/MSCHAPv2
  - TTLS/MD5
  - PEAP/MSCHAPv2
Note: In addition to setting the client EAP method, also be sure to observe the corresponding setting for the WLAN client operation mode! The client EAP method setting has no function on logical WLAN networks other than WLAN 1.
Indoor function for WLAN channels
When selecting the frequency band (2.4 or 5 GHz), among other things, you must determine the channels which may possibly be used for transmission. From these possible channels, under automatic channel selection, a Wireless Router selects a free channel, for example, in order to avoid inter­ference with other radio signals. In some countries, there are special regulations on the frequency bands and channels which may be used for WLAN for indoor and outdoor operation. For example, in France, not all available channels in the 2.4 GHz band may be used in outdoor operation. In some countries the DFS procedure is required for outdoor operation in the 5 GHz band in order to avoid interference from radar systems. With the option 'indoor-only' a BAT Wireless Router can be restricted exclu­sively to operation in closed buildings. This restriction on the other hand al­lows the channels to be managed more flexibly under automatic channel selection.
Configuration tool   Call
LANconfig            WLAN interfaces > General
WEBconfig, Telnet    Expert configuration > Setup > WLAN

- Indoor-only [default: off]
  - In the 5 GHz band in ETSI countries, the channel selection is limited to the channels 36, 40, 44 and 48 in the frequency range 5.15 to 5.25 GHz. At the same time, the DFS function is turned off and the mandatory interruption after 24 hours is no longer in effect. This restriction reduces the risk of interruption due to false radar detections.
  - In the 2.4 GHz band in France, the channels 8 to 13 are also permitted, although these channels are permitted solely for indoor operation.
Note: Activating the indoor-only function can only be relied upon if the country in which the access point is being operated has been set.
Caution: Activating the indoor-only function is only permitted when the access point and all connected clients are located in a closed space.
Signal-quality display via LEDs
When setting up point-to-point connections or operating the device as a WLAN client, the best possible positioning of the antennas is facilitated if the signal strength can be recognized at different positions. The WLAN link LED can be used for displaying the signal quality during the set-up phase. In the corresponding operation mode, the WLAN link LED blinks faster the better the reception quality in the respective antenna position is. When configuring the WLAN link LED, the operation mode in which the LED is to be used must be set.
Configuration tool   Call
LANconfig            WLAN interfaces > Physical WLAN settings > Operational
WEBconfig, Telnet    Expert configuration > Setup > Interfaces > WLAN > Operation

- Link LED function [default: number of connections]
  - Number of connections: In this operation mode, the LED uses "inverse flashing" in order to display the number of WLAN clients that are logged on to this access point as clients. There is a short pause after the number of flashes for each client. Select this operation mode when you are operating the BAT Wireless Router in access point mode.
  - Client signal strength: In this operation mode, the LED displays the signal strength of the access point with which the BAT Wireless Router has registered itself as a client. The faster the LED blinks, the better the signal. Select this operation mode only if you are operating the BAT Wireless Router in client mode.
  - P2P1 to P2P6 signal strength: In this operation mode, the LED displays the signal strength of the respective P2P partner with which the BAT Wireless Router forms a P2P path. The faster the LED blinks, the better the signal.
3.4.5 The logical WLAN interfaces
Every physical WLAN interface can support up to eight different logical wire­less networks (Multi-SSID). Parameters can be defined specifically for each of these networks, without the need of additional access points.
Configuration with LANconfig
For configuration with LANconfig you will find the settings for the logical WLAN interface under the configuration area 'Interfaces' on the 'Wireless LAN' tab. Open the list of logical WLAN interfaces by clicking on the button Logical WLAN settings and select the required logical interface.
Network settings
Enabling
The switch 'WLAN network enabled' allows the logical WLAN to be switched on or off separately.
Set the SSID
Define an unambiguous SSID (network name) for each of the logical wireless networks on the 'Network' tab for the logical interfaces. Only network cards that have the same SSID can register with this wireless network.
Closed network mode
You can operate your wireless LAN either in public or private mode. A wireless LAN in public mode can be contacted by any mobile station in the area. Your wireless LAN is put into private mode by activating the closed network function. In this operation mode, mobile stations that do not know the network name (SSID) are excluded from taking part in the wireless LAN. Activate the closed network mode if you wish to prevent WLAN clients using the SSID 'ANY' from registering with your network. Note that the SSID still appears in the clear in the probe and association frames of legitimate clients, so closed network mode only hides the name from casual discovery and is not a substitute for encryption.
Enable MAC filter
In the MAC filter list (WLAN Security > Stations > Stations) the MAC addresses of the clients that may connect to the access point are entered. With the switch 'MAC filter enabled' the MAC filter list can be switched off for individual logical networks. Because a client's MAC address is transmitted in the clear and can be set freely by the sender, the MAC filter limits which known devices connect but is not an authentication mechanism.
Note: The MAC filter list is always required in logical networks in which clients log in with an individual passphrase over LEPS. The passphrase used with LEPS must also be entered in the MAC filter list. For login with an individual passphrase the MAC filter list is always consulted, even if the option is deactivated here.
Maximum count of clients
Here you can specify the number of clients that can connect to the access point. Further clients are rejected.
Client-Bridge-Support
Enable this option for an access point if you have enabled client-bridge support in the WLAN client mode of a client station.
Note: The client-bridge mode can only be used between two BAT devices.
Configuration with WEBconfig or Telnet
Under WEBconfig or Telnet you can set the network settings for the logical WLAN interface under the following paths:
Configuration tool   Menu/Table
WEBconfig            Expert configuration > Setup > Interfaces > WLAN-Interfaces > Network-Settings
Terminal/Telnet      cd /Setup/Interfaces/WLAN-Interfaces/Network settings
Transmission settings
Details for the data transfer over the logical interface are set on the 'Trans­mission' tab.
Packet size
Smaller data packets cause fewer transmission errors than larger packets, although the proportion of header information in the traffic increases, leading to a drop in the effective throughput. Increase the factory value only if your wireless network is largely free from interference and very few transmission errors occur. Reduce the value to reduce the occurrence of transmission errors.
Minimum and maximum transmit rate
The access point normally negotiates the data transmission speeds with the connected WLAN clients continuously and dynamically. In doing this, the ac­cess point adjusts the transmission speeds to the reception conditions. As an alternative, you can set fixed values for the minimum and maximum trans­mission speeds if you wish to prevent the dynamic speed adjustment.
Broadcast rate
The defined broadcast rate should allow the slowest clients to connect to the WLAN even under poor reception conditions. A higher value should only be set here if all clients are able to connect "faster".
RTS threshold
The RTS threshold prevents the occurrence of the "hidden station" phenomenon.
Figure: Network coverage of access point ① and network coverage of access point ③; only access point ② lies within both.
Here, the three access points ①, ② and ③ are positioned such that no direct wireless connection between the two outer devices is possible. If ① sends a packet to ②, ③ is not aware of this as it is outside of ①'s coverage area. ③ may also try, during the transmission from ①, to send a packet to ② as well, because ③ has no knowledge of the medium (in this case the wireless connection) being blocked. A collision results and neither of the transmissions from ① nor ③ to ② will be successful. The RTS/CTS protocol is used to prevent such collisions.
Figure: RTS signal from ① to ②; the CTS signal from ② can also be received by ③.
To this end, ① precedes the actual transmission by sending an RTS packet to ②, which ② answers with a CTS. The CTS sent by ② is now within "listening distance" of ③, so that ③ can hold back its packet for ②. The RTS and CTS signals each contain information about the time required for the transmission that follows. A collision between the very short RTS packets is improbable, although the use of RTS/CTS leads to an increase in overhead. The use of this procedure is only worthwhile where long data packets are being used and the risk of collision is higher. The RTS threshold is used to define the minimum packet length for the use of RTS/CTS. The best value can be found by trial and error on location.
Long preamble for 802.11b
Normally, the clients in 802.11b mode negotiate the length of the preamble with the access point. "Long preamble" should only be set when the clients require this setting to be fixed.
3.4.6 Additional WLAN functions
Apart from the different encryption methods 802.11i/AES, WPA/TKIP or WEP and the closed network, a variety of other functions exist for securing the operation of a wireless network. The Redirect function provides the con­venient control over the connection of WLAN clients in changing environ­ments. As this function has significance to other modules of the BAT LCOS, the configuration parameters are to be found outside of the WLAN settings.
Redirect function
Clients within wireless networks often have one main aspect in common: a high degree of mobility. The clients are thus not always connected to the same access point, but frequently change between access points and the re­lated LANs.
The redirect function assist the applications being used by the WLAN clients to find the correct target computer in the LAN automatically. If a WLAN cli­ent's HTTP request from a certain logical wireless network should always be directed to a certain server in the LAN, then a filter setting for the appropriate protocol with the action "redirect" will be set up for the desired logical WLAN interface.
[Figure: a client in the logical wireless network on interface WLAN-1-2 sends an HTTP request to 192.168.2.25; the rule "Redirect: HTTP from WLAN-1-2 to 10.0.0.99" delivers it to the server 10.0.0.99 in the LAN]
All requests with this protocol from this logical wireless network will automatically be redirected to the target server in the LAN. The returning data packets are sent to the senders' addresses and ports according to the entries in the connection statistics, which ensures trouble-free operation in both directions. Further information on the configuration of the protocol filter can be found under ’Protocol filter’ → page 55.
U IEEE 802.1x/EAP
The international industry standard IEEE 802.1x and the Extensible Authentication Protocol (EAP) enable access points to carry out reliable and secure access checks. The access data can be managed centrally on a RADIUS server and can be called up by the access point on demand. This technology also enables the secure transmission and the regular automatic changing of WEP keys. In this way, IEEE 802.1x improves the security of WEP. The IEEE-802.1x technology is already fully integrated in Windows XP. Client software exists for other operating systems.
Configuration with LANconfig
For the configuration with LANconfig you will find the IEEE-802.1x settings in the configuration area 'WLAN Security'. This is where you decide if you want to activate IEEE-802.1x. If IEEE-802.1x is activated, a RADIUS server must be defined for the IEEE-802.1x authentication.
Configuration with WEBconfig or Telnet
Under WEBconfig or Telnet you will find the settings for IEEE-802.1x under the following paths:
Configuration tool    Menu/Table
WEBconfig             Expert configuration > Setup > IEEE802.1x > Ports
Terminal/Telnet       cd /Setup/IEEE802.1x/Ports
U IPSec over WLAN
Only with the VPN Option. Not available with all BAT devices.
With the help of the IPSec-over-WLAN technology, in addition to the security measures described already, a wireless network for the exchange of especially sensitive data can be optimally secured. To this end, the BAT Wireless Router access point is upgraded to a VPN gateway with the VPN Option. In addition to the encryption per 802.11i, WPA or WEP, the BAT Wireless Router now offers the possibility of encrypting wireless connections with an IPSec-based VPN.
U The beaconing table
Settings in the beaconing table influence the transmission of beacons by the access point in AP mode. In part this can influence the roaming behavior of clients, and in part this serves to optimize the MultiSSID mode for older WLAN clients.
Configuration tool Call
WEBconfig, Telnet Expert Configuration > Setup > Interfaces > WLAN > Beaconing
D Beacon period
This value defines the time interval in Kµs between beacon transmissions (1 Kµs corresponds to 1024 microseconds and is a measurement unit of the 802.11 standard; 1 Kµs is also known as a Timer Unit (TU)). Smaller values result in a shorter beacon timeout period for the client and enable quicker roaming in case of failure of an access point, but they also increase the WLAN overhead.
D Default: 100
D DTIM period
This value defines the number of beacons which are collected before multicasts are broadcast. Higher values enable longer client sleep intervals, but worsen the latency times.
D Default: 1
D Beacon order
Beacon order refers to the order in which beacons are sent to the various WLAN networks. For example, if three logical WLAN networks are active and the beacon period is 100 Kµs, then the beacons will be sent to the three WLANs every 100 Kµs. Depending on the beacon order, the beacons are transmitted at the following times:
D Cyclic: In this mode the access point transmits the first beacon transmission at 0 Kµs to WLAN-1, followed by WLAN-2 and WLAN-3. For the second beacon transmission (100 Kµs) WLAN-2 is the first recipient, followed by WLAN-3 and then WLAN-1. For the third beacon transmission (200 Kµs) the order is WLAN-3, WLAN-1, WLAN-2. Thereafter the order starts at the beginning again.
D Staggered: In this mode, the beacons are not sent together at a particular time; rather they are divided across the available beacon period. Beginning at 0 Kµs, only the beacon for WLAN-1 is sent; after 33.3 Kµs WLAN-2 follows, and after 66.6 Kµs WLAN-3. At the start of a new beacon period, transmission starts again with WLAN-1.
D Simple burst: In this mode the access point always transmits the beacons for the WLAN networks in the same order. The first beacon transmission (0 Kµs) is WLAN-1, WLAN-2 and WLAN-3; the second transmission is in the same order, and so on.
D Default: Cyclic
Some older WLAN clients are unable to process the quick succession of beacons which occurs with simple burst. Consequently these clients often recognize the first beacon only and can only associate with this network.
Staggered transmission of beacons produces better results but increases the load on the access point's processor. Cyclic transmission proves to be a good compromise, as each network is transmitted first in turn.
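The three beacon orders can be worked through for any number of logical WLANs. The following Python example is added here for illustration; it is not part of the manual and not code from the device firmware. It takes the number of networks and the beacon period as inputs and returns the time offset in Kµs at which each network's beacon goes out, plus the smallest gap between two consecutive beacons, which is the quantity older clients stumble over in simple burst mode. The mode names 'cyclic', 'staggered' and 'simple burst' are the example's own strings.

```python
"""Beacon order of a MultiSSID access point (section 'The beaconing table').

Added example, not Hirschmann/LCOS code: it computes, for the three beacon orders
Cyclic, Staggered and Simple burst, the time offset in Kµs (1 Kµs = 1024 µs) at
which each logical WLAN's beacon is sent, and the smallest gap between two
consecutive beacons."""
from typing import List, Tuple


def beacon_schedule(order: str, wlans: int, beacon_period: float,
                    periods: int) -> List[Tuple[float, str]]:
    """Return (time in Kµs, network) pairs in transmission order for `periods` periods."""
    if order not in ("cyclic", "staggered", "simple burst"):
        raise ValueError(f"unknown beacon order: {order!r}")
    if wlans < 1 or periods < 1 or beacon_period <= 0:
        raise ValueError("need at least one WLAN, one period and a positive beacon period")
    schedule: List[Tuple[float, str]] = []
    for p in range(periods):
        start = p * beacon_period
        if order == "simple burst":
            # Every period: WLAN-1, WLAN-2, ... back to back at the period start.
            schedule += [(start, f"WLAN-{n + 1}") for n in range(wlans)]
        elif order == "cyclic":
            # Also back to back, but the first recipient advances by one network
            # each period, so every network is first in turn.
            schedule += [(start, f"WLAN-{(p + i) % wlans + 1}") for i in range(wlans)]
        else:
            # Staggered: the period is split evenly and each network gets its own slot.
            slot = beacon_period / wlans
            schedule += [(start + n * slot, f"WLAN-{n + 1}") for n in range(wlans)]
    return schedule


def min_beacon_gap(order: str, wlans: int, beacon_period: float) -> float:
    """Smallest time in Kµs between two consecutive beacons (0 = sent back to back)."""
    times = [t for t, _ in beacon_schedule(order, wlans, beacon_period, 2)]
    return min(b - a for a, b in zip(times, times[1:]))


if __name__ == "__main__":
    for mode in ("cyclic", "staggered", "simple burst"):
        print(mode, beacon_schedule(mode, 3, 100, 3), "min gap:", min_beacon_gap(mode, 3, 100))
```

Running it with three networks and the default period of 100 Kµs reproduces the sequences in the text: the cyclic schedule opens its second period with WLAN-2 and its third with WLAN-3, the staggered schedule spaces the beacons 33.3 Kµs apart, and both burst-style modes have a minimum gap of zero.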
U The transmission table
The transmission settings regulate variables such as the packet size for WLAN communications and minimum and maximum transmission speeds. Transmission properties can also be improved with the number of repetitions for packet transmission:
Configuration tool Call
WEBconfig, Telnet Expert Configuration > Setup > Interfaces > WLAN > Transmission
D Hard retries
This value defines the number of times that the hardware should attempt to send packets before a Tx error message is issued. Smaller values mean that a packet which cannot be sent blocks the sender for less time.
D Default: 10
D Soft retries
If the hardware was unable to send a packet, the number of soft retries defines how often the system repeats the attempt to transmit. The total number of attempts is thus (soft retries + 1) * hard retries. The advantage of using soft retries at the expense of hard retries is that the rate-adaption algorithm immediately begins the next series of hard retries with a lower data rate.
D Default: 0
3.5 Extended WLAN protocol filters
With the protocol filter you can influence the handling of certain protocols during transfer from the WLAN to the LAN. The use of appropriate rules al­lows the definition of which data packets should be inspected, interfaces for which the filter applies and which action should be performed on the data packets.
Configuration
Follow the paths below for protocol filter configuration parameters:
Configuration tool    Menu/Table
LANconfig             WLAN security > Protocols
WEBconfig             Expert configuration > Setup > LAN Bridge > Protocol table
Terminal/Telnet       cd /Setup/LAN Bridge/Protocol table
3.5.1 Protocol filter parameters
The protocol table can accommodate up to 128 entries. Create an entry in the protocol list for each protocol that requires special handling. Enter the following values:
D Name: freely selectable name for the filter entry [maximum 16 characters]
D DHCP source MAC: Enabling of DHCP address tracking.
D Yes: The rule applies if the source MAC address of the packet is listed in the table under Status > LAN Bridge Statistics > DHCP Table, i.e. it is an address which obtained an IP address using DHCP.
D No: The rule applies if this is not the case.
D Irrelevant: The source MAC address is not considered.
Note: If DHCP address tracking is enabled, any IP addresses entered are disregarded. Please refer to ’DHCP address tracking’ page 92 for further information.
D Destination MAC address: The MAC address of the client to which the packet is to be sent. If no destination MAC address is entered, the filter is applied to all packets.
D Protocol: e.g. '0800' for IP. If '0' is entered as the protocol, the filter applies to all packets.
D IP network and IP netmask: The IP address and network mask of the network to which this filter applies. Only those IP packets whose source and destination IP addresses lie within this network are captured by the rule. If no network is entered, the filter applies to all packets.
D Sub-protocol: e.g. '6' for TCP. If '0' is entered as the sub-protocol, the filter applies to all packets of the protocol entered.
D Start port and end port: e.g. both '80' for HTTP. If '0' is entered as the start port, this filter will be applied to all ports of the corresponding protocol/sub-protocol. If '0' is entered as the end port, the start port is also used as the end port.
Note: Lists of the official protocol and port numbers are available on the Internet under www.iana.org.
D Action: Action performed for the data packets captured using this rule:
D Pass: The packet is forwarded on without change.
D Drop: The complete packet is dropped.
D Redirect: The packet is forwarded on, albeit with changed destination IP address and target MAC address.
D Interface list: List of the interfaces to which the filter applies. All of the LAN interfaces, DMZ interfaces, logical WLAN networks and point-to-point connections in the WLAN may be entered as interfaces. The following examples illustrate how interfaces are specified: 'LAN-1' for the first LAN interface, 'WLAN-2-3' for the third logical WLAN network on the second physical WLAN interface, 'P2P-1-2' for the second point-to-point connection on the first physical WLAN interface. Groups of interfaces may be specified in the form 'WLAN-1-1~WLAN-1-6' (logical WLANs 1 to 6 on the first physical WLAN interface) or with a wildcard as 'P2P-1-*' (all P2P connections on the first physical interface).
Note: Only filter rules with valid entries in the interface list are active. A rule with no specification of the interfaces does not apply to all of them - it is ignored instead.
D Redirect IP address: Destination IP address for the "Redirect" action. On redirection, the destination IP address of the packets is replaced by the Redirect IP address entered here. Furthermore, the destination MAC address is replaced by the MAC address determined using ARP for the Redirect IP address.
Note: If ARP was unable to determine the destination MAC address, the packet is dropped rather than redirected.
Example:
Name    DHCP source MAC  Destination MAC address  Prot.  IP network  IP netmask  Subtype  Start port  End port  Interface list  Action    Redirect IP address
ARP     irrelevant       000000000000             0806   0.0.0.0     0.0.0.0     0        0           0         WLAN-1-2        Pass      0.0.0.0
DHCP    irrelevant       000000000000             0800   0.0.0.0     0.0.0.0     17       67          68        WLAN-1-2        Pass      0.0.0.0
TELNET  irrelevant       000000000000             0800   0.0.0.0     0.0.0.0     6        23          23        WLAN-1-2        Redirect  192.168.11.5
ICMP    irrelevant       000000000000             0800   0.0.0.0     0.0.0.0     1        0           0         WLAN-1-2        Pass      0.0.0.0
HTTP    irrelevant       000000000000             0800   0.0.0.0     0.0.0.0     6        80          80        WLAN-1-2        Redirect  192.168.11.5
ARP, DHCP and ICMP are allowed to pass, Telnet and HTTP are redirected to 192.168.11.5 and all other packets are rejected.
3.5.2 Procedure for filter test
If no filter rules are defined for an interface, all packets from and destined to it are transmitted without alteration. As soon as a filter rule has been defined for an interface, all packets to be transferred via this interface are checked prior to being processed.
V As a first step, the information required for checking is read out of the packets:
V DHCP source MAC
V Destination MAC address of the packet
V Protocol, e.g. IPv4, IPX, ARP
V Sub-protocol, e.g. TCP, UDP or ICMP for IPv4 packets, ARP Request or ARP Response for ARP packets
V IP address and network mask (source and destination) for IPv4 packets
V Source and destination port for IPv4 TCP or IPv4 UDP packets
V As a second step, this information is checked against the information from the filter rules. All those rules in which the source or destination interface is included in the interface list are considered. Checking of the rules for the individual values is as follows:
V For DHCP source MAC, protocol and sub-protocol, the values read out of the packets are checked for consistency with the values defined in the rule.
V With IP addresses, the source and destination address of the packet are checked to see whether they lie within the range formed by the IP address and the network mask of the rule.
V Source and destination ports are checked to see whether they lie in the range between start port and end port.
If one of the rule values specified (i.e. not left as a wildcard) does not agree with the value read out of the packet, the rule is not considered applicable and is disregarded. If several rules apply, the action of the most accurate rule is carried out. Parameters are more accurate the further down the list of parameters they are or the further right they appear in the protocol table.
Note: If rules are defined for an interface, but none of the rules matches a packet from/for this interface, the default rule for this interface is used for the packet. The default rule is pre-configured for each interface with the 'drop' action, but this is not visible in the protocol table. To modify the default rule for an interface, a rule with the name 'default-drop' is defined. Besides the interface naming, this rule can only contain wildcards and the required action.
Checking of MAC addresses in packets sent over the respective interface takes on a different form to that for incoming packets.
V With outgoing packets, the source MAC address read out of the packet is checked against the destination MAC address entered in the rule.
V The destination MAC addresses read out of the packet are then checked to see whether they are listed as currently active DHCP clients.
V Rules with the 'Redirect' action are ignored if they apply for an interface over which the packet is to be sent. Please refer to section ’Redirect function’ page 82 for further information.
V In the third step, the action associated with the applicable rule is carried out.
3.5.3 Redirect function
U The Redirect function
With the Redirect action, IPv4 packets can not only be transferred and dropped, they can also be communicated specifically to a particular destination. As a general rule, the destination IP address of the packet is replaced by the Redirect IP address entered. The destination MAC address of the packet is replaced by the MAC address determined by ARP and associated with the Redirect IP address. In order for the redirected packets to find the correct sender on their "return trip", a dynamic table is compiled with automatic filter rules that apply to packets leaving via this interface. This table can be viewed under Status > LAN Bridge > Connection table. Rules in this table have a higher priority than other matching rules with the 'Transfer' or 'Drop' actions.
U Example application
Clients within wireless networks often have one aspect in common: a high degree of mobility. Consequently, clients are not necessarily always connected to the same access point, but frequently change between access points and the related LANs. The redirect function assists WLAN client applications to automatically find the correct target computer in the LAN. If a WLAN client's HTTP request from a particular logical wireless network is to be always directed to a particular server in the LAN, a filter setting with the "Redirect" action is set up for the appropriate protocol for the desired logical WLAN interface.
[Figure: a client in the logical wireless network on interface WLAN-1-2 sends an HTTP request to 192.168.2.25; the rule "Redirect: HTTP from WLAN-1-2 to 10.0.0.99" delivers it to the server 10.0.0.99 in the LAN]
All requests with this protocol from this logical wireless network are automatically redirected to the target server in the LAN. The returning data packets are sent to the senders' addresses and ports according to the entries in the connection statistics, ensuring trouble-free operation in both directions.
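The example table of section 3.5.1, the three-step filter test of section 3.5.2 and the redirect mechanism with its connection table described here can be modelled together in a few dozen lines. The following Python is an added illustration and is not code from Hirschmann or from LCOS. The Rule and Packet types, the sample MAC addresses, the client address 192.168.2.50 and the rules named IPALL, LANONLY and default-drop used in the checks are constructed for the example. Two points the manual leaves open are marked as assumptions in the code: how "more accurate" rules are ranked against each other, and whether one or both ports of a packet must fall inside the rule's port range.

```python
"""Protocol filter evaluation modelled on sections 3.5.1 to 3.5.3 (added example,
not Hirschmann/LCOS code). The rule table is the manual's example: ARP, DHCP and
ICMP pass, Telnet and HTTP are redirected to 192.168.11.5, everything else hits the
default-drop rule. Interface names, MAC addresses and packets are constructed."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:                      # wildcards as in the manual: 0 and 0.0.0.0
    name: str
    interfaces: Tuple[str, ...]  # a rule with an empty interface list is ignored entirely
    protocol: int = 0            # Ethertype: 0x0800 IP, 0x0806 ARP
    ip_network: str = "0.0.0.0"
    ip_netmask: str = "0.0.0.0"
    sub_protocol: int = 0        # IP protocol: 1 ICMP, 6 TCP, 17 UDP
    start_port: int = 0
    end_port: int = 0            # 0 = same as start port
    action: str = "pass"         # pass | drop | redirect
    redirect_ip: str = "0.0.0.0"

# The fields read out of a packet in step 1 of the filter test.
Packet = namedtuple("Packet", "interface dst_mac ethertype src_ip dst_ip ip_proto src_port dst_port",
                    defaults=("", "", 0, 0, 0))

def interface_in_list(iface: str, entries: Tuple[str, ...]) -> bool:
    """Match 'WLAN-1-2', the range form 'WLAN-1-1~WLAN-1-6' and the wildcard 'P2P-1-*'."""
    pre, _, n = iface.rpartition("-")
    for e in entries:
        if "~" in e:
            (lo_pre, _, lo_n), (hi_pre, _, hi_n) = (x.rpartition("-") for x in e.split("~", 1))
            if pre == lo_pre == hi_pre and n.isdigit() and int(lo_n) <= int(n) <= int(hi_n):
                return True
        elif (e.endswith("*") and iface.startswith(e[:-1])) or e == iface:
            return True
    return False

def match_key(rule: Rule, pkt) -> Optional[Tuple[bool, ...]]:
    """None if the rule does not apply, else a precedence key with the rightmost table
    column first (assumption: 'more accurate' = more right-hand columns specified)."""
    by_proto = rule.protocol != 0
    if by_proto and rule.protocol != pkt.ethertype:
        return None
    by_net = rule.ip_netmask != "0.0.0.0"
    if by_net:  # source and destination must both lie inside the rule's network
        net = IPv4Network(f"{rule.ip_network}/{rule.ip_netmask}", strict=False)
        if not (pkt.src_ip and pkt.dst_ip and ip_address(pkt.src_ip) in net and ip_address(pkt.dst_ip) in net):
            return None
    by_sub = rule.sub_protocol != 0
    if by_sub and rule.sub_protocol != pkt.ip_proto:
        return None
    by_port = rule.start_port != 0
    if by_port:  # assumption: one port of the pair in range suffices, else HTTP 80-80 never matches a request
        lo, hi = rule.start_port, rule.end_port or rule.start_port
        if not (lo <= pkt.src_port <= hi or lo <= pkt.dst_port <= hi):
            return None
    return (by_port, by_sub, by_net, by_proto)

class ProtocolFilter:
    def __init__(self, rules: List[Rule], arp_cache: Dict[str, str]):
        self.rules, self.arp = rules, arp_cache  # arp_cache stands in for the device's ARP lookup
        self.connections: Dict[tuple, str] = {}  # dynamic return-path rules (the connection table)

    def filter(self, pkt) -> Tuple[str, tuple]:
        """Three-step filter test for a packet received on pkt.interface: (action, packet)."""
        named = [r for r in self.rules if interface_in_list(pkt.interface, r.interfaces)]
        if not named:
            return "pass", pkt  # no rules for the interface: nothing is altered
        matches = [(k, r) for r in named if r.name != "default-drop"
                   for k in [match_key(r, pkt)] if k is not None]
        if not matches:  # a 'default-drop' rule for the interface may override the built-in drop
            return next((r.action for r in named if r.name == "default-drop"), "drop"), pkt
        best = max(matches, key=lambda m: m[0])[1]  # most accurate rule wins
        if best.action != "redirect":
            return best.action, pkt
        mac = self.arp.get(best.redirect_ip)
        if mac is None:
            return "drop", pkt  # unresolvable redirect target: dropped rather than redirected
        self.connections[(best.redirect_ip, pkt.ip_proto, pkt.src_ip, pkt.src_port)] = pkt.dst_ip
        return "redirect", pkt._replace(dst_mac=mac, dst_ip=best.redirect_ip)

    def filter_outgoing(self, pkt) -> Tuple[str, tuple]:
        """Packets leaving via the interface: a connection-table entry outranks the rules."""
        orig = self.connections.get((pkt.src_ip, pkt.ip_proto, pkt.dst_ip, pkt.dst_port))
        return self.filter(pkt) if orig is None else ("pass", pkt._replace(src_ip=orig))

IF = ("WLAN-1-2",)
RULES = [  # the manual's example table
    Rule("ARP", IF, protocol=0x0806),
    Rule("DHCP", IF, protocol=0x0800, sub_protocol=17, start_port=67, end_port=68),
    Rule("TELNET", IF, protocol=0x0800, sub_protocol=6, start_port=23, action="redirect", redirect_ip="192.168.11.5"),
    Rule("ICMP", IF, protocol=0x0800, sub_protocol=1),
    Rule("HTTP", IF, protocol=0x0800, sub_protocol=6, start_port=80, action="redirect", redirect_ip="192.168.11.5"),
]
ARP_CACHE = {"192.168.11.5": "00a057112233"}  # constructed ARP entry for the redirect target
```

With this table an HTTP request from a client on WLAN-1-2 comes back from filter() as a redirect with the destination IP and MAC rewritten, the server's reply passed through filter_outgoing() gets the original server address restored from the connection table, and a packet to any other TCP port falls through to the default-drop rule. Removing the ARP entry makes the same request drop rather than redirect, and a broader rule such as a plain "all IP" drop does not outrank the HTTP rule because the port column lies further to the right.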
3.5.4 DHCP address tracking
DHCP address tracking keeps a record of which clients have received their IP addresses using DHCP. The relevant information for an interface is automatically maintained in a table under Status > LAN Bridge Statistics > DHCP Table. DHCP tracking is enabled on an interface if, for this interface, a minimum of one rule is defined where 'DHCP Source MAC' is set to 'Yes'.
Note: The number of clients which may be connected to an interface via DHCP can be configured in the Port table under Setup > LAN Bridge > Port Data. Setting the entry to '0' means that any number of clients can register at this interface via DHCP. If the maximum number of DHCP clients is exceeded by a further attempt to register, the oldest entry in the list is deleted.
When checking data packets, the IP address and the IP network mask defined in the rule are not used. Consequently no check is made as to whether the destination IP address of the packet lies within the range specified. Instead, a check is made as to whether the source IP address of the packet matches the IP address assigned to the client via DHCP. The connection between the two IP addresses is made based on the source MAC address. This check can be used to block clients which have received an IP address via DHCP but which actually use a different IP address (either intentionally or inadvertently). A rule in which the DHCP Source MAC parameter is set to 'Yes' would not apply since the two addresses do not match. The packet would instead be processed either by other rules or by the default rule.
In order for DHCP tracking to work, at least two more rules must be set up for this interface, rules which are not dependent on DHCP tracking. This is necessary since the required DHCP information is not exchanged until the end of the DHCP handshake. This is why packets due to be sent beforehand must be allowed by rules which do not use DHCP tracking. These usually include TCP/UDP packets on ports 67 and 68 and ARP packets.
Note: If DHCP tracking is enabled on an interface, packets received on this interface from DHCP servers are automatically dropped.
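The tracking behaviour described in this section, recording the DHCP assignment at the end of the handshake, treating a client that sends with a different source IP as a non-DHCP client, evicting the oldest entry when the Port table limit is reached, and dropping DHCP server messages that arrive on the tracked interface, can be modelled as follows. This Python is an added example and not LCOS code; the MAC addresses, IP addresses and the dictionary-based rule shape used by tracking_rules_complete() are constructed for the illustration.

```python
"""DHCP address tracking (section 3.5.4) as an added example; this is not LCOS code.

The tracker records which IP address each client MAC obtained via DHCP (learned from
the DHCP ACK that ends the handshake) and evaluates the 'DHCP source MAC' column of a
rule: a client that got its address by DHCP but sends with a different source IP no
longer counts as a DHCP client. MACs and addresses used here are constructed."""
from collections import OrderedDict
from typing import Dict, List, Optional


class DhcpTracker:
    def __init__(self, max_clients: int = 0):
        self.max_clients = max_clients  # Port table value; 0 = any number of clients
        # client MAC -> assigned IP, oldest entry first (the one deleted when the table is full)
        self.table: "OrderedDict[str, str]" = OrderedDict()

    def dhcp_server_message(self, direction: str, msg_type: str, client_mac: str,
                            yiaddr: str = "") -> str:
        """Handle a DHCP server message on a tracked interface; returns the action taken.

        direction is 'in' (received on the tracked interface, i.e. a server sitting on the
        WLAN side) or 'out' (sent towards the client from a server behind the bridge)."""
        if direction == "in":
            return "drop"  # server messages received on a tracked interface are dropped
        if msg_type == "ACK":  #  the assignment is only final at the end of the handshake
            if client_mac in self.table:
                del self.table[client_mac]  # re-insert so the entry counts as the newest
            elif self.max_clients and len(self.table) >= self.max_clients:
                self.table.popitem(last=False)  # table full: the oldest entry is deleted
            self.table[client_mac] = yiaddr
        return "pass"

    def assigned_ip(self, client_mac: str) -> Optional[str]:
        return self.table.get(client_mac)

    def dhcp_column_matches(self, dhcp_source_mac: str, src_mac: str, src_ip: str) -> bool:
        """Evaluate a rule's 'DHCP source MAC' setting (yes / no / irrelevant) for one packet."""
        if dhcp_source_mac == "irrelevant":
            return True
        # The packet's source IP must be the one DHCP handed to this MAC; the rule's own
        # IP network and netmask are not consulted while tracking is active.
        assigned = self.table.get(src_mac)
        is_dhcp_client = assigned is not None and assigned == src_ip
        return is_dhcp_client if dhcp_source_mac == "yes" else not is_dhcp_client


def tracking_rules_complete(rules: List[Dict]) -> bool:
    """Check the precondition from the manual: besides the 'yes' rule, a tracked interface
    needs rules independent of tracking that let the DHCP handshake (UDP 67/68) and ARP
    through. Rules are plain dicts here (constructed shape, not the device's table)."""
    has_yes = any(r["dhcp"] == "yes" for r in rules)
    has_dhcp = any(r["dhcp"] != "yes" and r.get("sub") == 17 and r.get("ports") == (67, 68)
                   for r in rules)
    has_arp = any(r["dhcp"] != "yes" and r.get("proto") == 0x0806 for r in rules)
    return has_yes and has_dhcp and has_arp
```

A packet from a MAC that obtained 10.0.0.11 but now sends as 10.0.0.99 fails a 'Yes' rule and matches a 'No' rule, which is exactly the case the text describes for blocking clients that change their address after DHCP.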
3.6 Client mode
To connect individual devices with an Ethernet interface into a wireless LAN, BAT devices with a WLAN module can be switched to "client mode", whereupon they act as conventional wireless LAN adapters and not as access points (AP). The use of client mode therefore allows devices fitted with only an Ethernet interface, such as PCs and printers, to be integrated into a wireless LAN.
[Figure: WLAN device in AP mode compared with a WLAN device in client mode]
Note: Multiple WLAN clients can register with a WLAN device in AP mode, which is not the case for a WLAN device in client mode.
3.6.1 Basic configuration
U Setting the operating mode
BAT Wireless Routers can be operated in two different operating modes:
D As an access point, the device forms the link between WLAN clients and the cabled LAN.
D In client mode, the device itself locates the connection to another access point and attempts to register with a wireless network. In this case the device serves to link a cabled network device to an access point over a wireless connection.
Note: Some models can only operate in the WLAN client operating mode. Setting of the operating mode on these devices is thus redundant.
V Client mode is enabled in the LANconfig 'Wireless LAN' configuration area on the 'General' tab. The 'Interfaces' section allows you to select from a list the physical WLAN settings for the desired WLAN interface.
Note: The devices have either one or more WLAN interfaces depending on model.
V The WLAN interface is enabled from the 'Operation' tab. In addition, the WLAN operating mode is set to 'Station (client mode)'.
Note: A WLAN interface can only be set to one of the two operating modes. Simultaneous operation of a WLAN interface as both access point and client is not supported.
Many models cannot be operated as an access point. In this case the WLAN operating mode is permanently set to 'Client'. Under WEBconfig or Telnet the setting for the operating mode of the physical WLAN interface can be found under the following paths:
Configuration tool    Menu/Table
WEBconfig             Expert configuration > Setup > Interfaces > WLAN > Operational settings
Terminal/Telnet       Setup/Interfaces/WLAN/Operational settings
U Client settings
For BAT Wireless Routers in client mode, further settings/client behavior can be configured from the 'Client mode' tab under the settings for the physical interfaces.
V To edit the settings for client mode in LANconfig, go to the 'Client mode' tab under the physical WLAN settings for the desired WLAN interface.
V In 'Scan bands', define whether the client station scans just the 2.4 GHz, just the 5 GHz, or all of the available bands to locate an access point.
Under WEBconfig or Telnet the settings for client mode can be found under the following paths:
Configuration tool    Menu/Table
WEBconfig             Expert configuration > Setup > Interfaces > WLAN > Client modes
Terminal/Telnet       Setup/Interfaces/WLAN/Client modes
U Radio settings
For the WLAN client to connect to an access point, it needs to use suitable frequency bands/channels.
V To edit the radio settings in LANconfig, go to the 'Radio' tab under the physical WLAN settings for the desired WLAN interface.
V Set the frequency band, the channels and the 2.4 GHz/5 GHz mode to match the settings of the access point.
Note: Selection of the frequency band and channels is not necessary on some models, such as those devices which support only one frequency band.
Under WEBconfig or Telnet the radio settings can be found under the following paths:
Configuration tool    Call
LANconfig             WLAN interfaces > Physical WLAN settings > Radio
WEBconfig, Telnet     Expert configuration > Setup > Interfaces > WLAN > Radio settings
U Set the SSID of the available networks
In the WLAN clients, the SSIDs of the networks to which the client stations are to connect must be entered.
V To enter the SSIDs, change to the 'General' tab under LANconfig in the 'Wireless LAN' configuration area. In the 'Interfaces' section, select the first WLAN interface from the list of logical WLAN settings.
V Enable the WLAN network and enter the SSID of the network the client station should log onto.
Under WEBconfig or Telnet the network settings for the logical WLAN interfaces can be found under the following paths:
Configuration tool    Menu/Table
WEBconfig             Expert configuration > Setup > Interfaces > WLAN > Network settings
Terminal/Telnet       Setup/Interfaces/WLAN/Network settings
U Encryption settings
For access to a WLAN, the appropriate encryption methods and key must be set in the client station.
V To enter the key, change to the '802.11i/WEP' tab under LANconfig in the 'Wireless LAN' configuration area. From 'WPA / private WEP settings', select the first WLAN interface from the list of logical WLAN settings.
V Enable encryption and match the encryption method to the settings for the access point.
V In WLAN client operating mode, the BAT device can authenticate itself to another access point using EAP/802.1X. For this, select the desired client EAP method here. Note that the selected client EAP method must match the settings of the access point that the BAT Wireless Router is attempting to log onto. Under WEBconfig or Telnet the encryption settings for the logical WLAN interfaces can be found under the following paths:
Configuration tool    Call
WEBconfig, Telnet     Expert configuration > Setup > Interfaces > WLAN > Encryption > WLAN-1
3.6.2 Advanced configuration
U Roaming
Roaming is defined as the transfer of a WLAN client to another access point once the connection to the access point used so far can no longer be kept alive. To allow roaming, at least one additional access point must be within range of the client, it must provide a network with an identical SSID and matching radio and encryption settings.
Under normal circumstances the WLAN client would only log onto another access point if the connection to the access point used up to that point was lost completely (hard roaming). Soft roaming on the other hand enables the client to use scan information to roam to the strongest access point. With the background scanning function, the BAT device in client mode can gather information on other available access points prior to the connection being lost. In this case the client is not switched to another access point once the existing connection has been lost completely, but rather when another access point within its range has a stronger signal.
V To enable soft roaming, change to Setup > Interfaces > WLAN > Roaming in WEBconfig or Telnet and select the physical WLAN interface.
V Enable soft roaming and, if required, set the other parameters (such as threshold levels and signal level). Please refer to the reference handbook for further information on these parameters.
V To configure background scanning in LANconfig, go to the 'Radio' tab under the physical WLAN settings for the desired WLAN interface.
V Enter the background scan interval as the time in which the BAT device cyclically searches the currently unused frequencies of the active band for available access points. To achieve fast roaming, the scan time is restricted to e.g. a minimum of 260 seconds (2.4 GHz) or 720 seconds (5 GHz).
Under WEBconfig or Telnet the network settings for the logical WLAN interfaces can be found under the following paths:
Configuration tool    Call
LANconfig             WLAN interfaces > Physical WLAN settings > Radio
WEBconfig, Telnet     Expert configuration > Setup > Interfaces > WLAN > Radio settings
3.6.3 The roaming table
The roaming table contains various threshold values which influence the precise control over the BAT Wireless Router's behavior when roaming in the 'Client' operating mode.
Configuration tool Call
WEBconfig, Telnet Expert Configuration > Setup > Interfaces > WLAN > Roaming
D Soft roaming
This option enables a client to use scan information to roam to the strongest access point (soft roaming). Roaming due to connection loss (hard roaming) is unaffected by this. The roaming threshold values only take effect when soft roaming is activated.
D Beacon miss threshold
This defines how many access-point beacons can be missed before an associated client starts searching again.
Higher values will delay the recognition of an interrupted connection, so a longer time period will pass before the connection is re-established.
The smaller the value set here, the sooner a potential interruption to the connection will be recognized; the client can start searching for an alternative access point sooner.
D Default: 4
Note: Values which are too small may cause the client to detect lost connections more often than necessary.
D Roaming threshold
This value is the percentage difference in signal strength between access points above which the client will switch to the stronger access point.
D Default: 15
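The interplay of the two thresholds above, the beacon miss threshold for hard roaming and the roaming threshold for soft roaming, can be modelled as a small state machine on the client side. The following Python is an added example and not code from the device firmware. The manual does not state how the firmware computes the "percentage difference in signal strength"; the example uses (candidate - current) / current * 100, which is an assumption, and the access point names and signal values are constructed.

```python
"""Client-mode roaming decisions from the roaming table (section 3.6.3).

Added example, not LCOS code. It models the beacon miss threshold (how many missed
access-point beacons make an associated client start searching again) and, with soft
roaming enabled, the roaming threshold: the percentage by which a scanned access point
must be stronger before the client switches. The percentage formula below is an
assumption; access point names and signal values are constructed."""
from typing import Dict, Optional


class RoamingClient:
    def __init__(self, soft_roaming: bool = False, beacon_miss_threshold: int = 4,
                 roaming_threshold: int = 15):
        self.soft_roaming = soft_roaming
        self.beacon_miss_threshold = beacon_miss_threshold  # manual default: 4
        self.roaming_threshold = roaming_threshold          # manual default: 15 (percent)
        self.current_ap: Optional[str] = None
        self.missed = 0
        self.scan: Dict[str, float] = {}  # AP -> signal strength seen by background scanning

    def associate(self, ap: str) -> None:
        self.current_ap, self.missed = ap, 0

    def beacon_interval(self, beacon_received: bool) -> bool:
        """One beacon period elapsed; returns True when the client must start searching."""
        if beacon_received:
            self.missed = 0
            return False
        self.missed += 1
        if self.missed >= self.beacon_miss_threshold:
            self.current_ap, self.missed = None, 0  # hard roaming: the connection counts as lost
            return True
        return False

    def background_scan(self, results: Dict[str, float]) -> None:
        """Merge the access points found on the currently unused channels."""
        self.scan.update(results)

    def choose_ap(self, current_signal: float) -> Optional[str]:
        """Access point to (re)associate with, or None to stay with the current one."""
        if not self.scan:
            return None
        strongest = max(self.scan, key=self.scan.__getitem__)
        if self.current_ap is None:
            return strongest  # not associated: take the strongest AP found by scanning
        if not self.soft_roaming or strongest == self.current_ap:
            return None  # hard roaming only: keep the link until it is lost
        if current_signal <= 0:
            return strongest
        # Assumption: percentage difference relative to the current access point's signal.
        gain_pct = (self.scan[strongest] - current_signal) / current_signal * 100
        return strongest if gain_pct > self.roaming_threshold else None
```

With the defaults, a client associated at a signal level of 60 ignores a scanned neighbour at 66 (10 % stronger) but moves to one at 72 (20 % stronger) when soft roaming is on; with soft roaming off it stays until four beacons in a row are missed, then re-selects the strongest access point from its scan results.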