Motorola AP-51XX User Manual
AP-51xx Access Point
Product Reference Guide
MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office.
Symbol is a registered trademark of Symbol Technologies, Inc. All other product or service
names are the property of their respective owners. © 2008 Motorola, Inc. All rights reserved.
AP-51xx Access Point
Product Reference Guide
72E-103901-01
January 2008
Contents
About This Guide
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Notational Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Service Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Chapter 1. Introduction
New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-2
Adaptive AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-2
Rogue AP Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-3
Bandwidth Management Enhancements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-3
Radius Time-Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-3
QBSS Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-3
Feature Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-4
Single or Dual Mode Radio Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5
Separate LAN and WAN Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5
Multiple Mounting Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
vi
AP-51xx Access Point Product Reference Guide
Antenna Support for 2.4 GHz and 5.2 GHz Radios. . . . . . . . . . . . . . . . . . . . . . .1-6
Sixteen Configurable WLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
Support for 4 BSSIDs per Radio. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
Quality of Service (QoS) Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-7
Industry Leading Data Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-7
Kerberos Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-8
EAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-9
WEP Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-9
KeyGuard Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-10
Wi-Fi Protected Access (WPA) Using TKIP Encryption . . . . . . . . . . . . . .1-10
WPA2-CCMP (802.11i) Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-11
Firewall Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-11
VPN Tunnels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-11
Content Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-11
VLAN Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-12
Multiple Management Accessibility Options . . . . . . . . . . . . . . . . . . . . . . . . .1-12
Updatable Firmware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-12
Programmable SNMP v1/v2/v3 Trap Support . . . . . . . . . . . . . . . . . . . . . . . . .1-13
Power-over-Ethernet Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-13
MU-MU Transmission Disallow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-14
Voice Prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-14
Support for CAM and PSP MUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
Statistical Displays. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-15
Transmit Power Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-15
Advanced Event Logging Capability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-16
Configuration File Import/Export Functionality . . . . . . . . . . . . . . . . . . . . . . . .1-16
Default Configuration Restoration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-16
DHCP Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-16
Multi-Function LEDs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-17
Mesh Networking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-17
Additional LAN Subnet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-18
On-board Radius Server Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-18
Hotspot Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-19
Routing Information Protocol (RIP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-19
Manual Date and Time Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-20
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-20
Auto Negotiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-20
Theory of Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-20
Cellular Coverage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-21
MAC Layer Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-22
Media Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-22
Direct-Sequence Spread Spectrum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-23
MU Association Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-23
Operating Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-24
Management Access Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-25
AP-51xx MAC Address Assignment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-27
Chapter 2. Hardware Installation
Precautions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-2
Available Product Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-2
AP-5131 Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-2
AP-5181 Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-4
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-5
Access Point Placement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-5
Site Surveys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-6
Antenna Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-6
AP-5131 Antenna Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-6
AP-5181 Antenna Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-8
Power Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-9
AP-5131 Power Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-9
AP-5181 Power Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-10
Power Injector and Power Tap Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-10
Installing the Power Injector or Power Tap . . . . . . . . . . . . . . . . . . . . . . . . . . .2-11
Preparing for Site Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-11
Cabling the Power Injector and Power Tap . . . . . . . . . . . . . . . . . . . . . . .2-11
Power Injector LED Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-12
Mounting an AP-5131 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-13
Desk Mounted Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-13
Wall Mounted Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-15
Suspended Ceiling T-Bar Installations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-17
Above the Ceiling (Plenum) Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-20
AP-5131 LED Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-23
Mounting an AP-5181 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-24
vii
viii
AP-51xx Access Point Product Reference Guide
AP-5181 Pole Mounted Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-24
AP-5181 Wall Mounted Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-27
AP-5181 LED Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29
Setting Up MUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-31
Chapter 3. Getting Started
Installing the Access Point. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Default Configuration Changes for the Access Point . . . . . . . . . . . . . . . . . . . . . . . .3-3
Initially Connecting to the Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-4
Connecting to the Access Point using the WAN Port . . . . . . . . . . . . . . . . . . . .3-4
Connecting to the Access Point using the LAN Port . . . . . . . . . . . . . . . . . . . . .3-4
Basic Device Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-5
Configuring Device Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-7
Configuring WLAN Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12
Testing Connectivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-14
Where to Go from Here? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-15
Chapter 4. System Configuration
Configuring System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-2
Adaptive AP Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
Configuring Data Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9
Managing Certificate Authority (CA) Certificates . . . . . . . . . . . . . . . . . . . . . . . . . .4-14
Importing a CA Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-14
Creating Self Certificates for Accessing the VPN . . . . . . . . . . . . . . . . . . . . . .4-16
Creating a Certificate for Onboard Radius Authentication . . . . . . . . . . . . . . .4-20
Configuring SNMP Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-23
Configuring SNMP Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-29
Enabling SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-31
Configuring Specific SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-34
Configuring SNMP RF Trap Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-37
Configuring Network Time Protocol (NTP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-39
Logging Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-42
Importing/Exporting Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-44
Updating Device Firmware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-49
Upgrade/Downgrade Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-55
Chapter 5. Network Management
Configuring the LAN Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-1
Configuring VLAN Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-5
Configuring LAN1 and LAN2 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-9
Configuring Advanced DHCP Server Settings . . . . . . . . . . . . . . . . . . . . .5-12
Setting the Type Filter Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . .5-14
Configuring WAN Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-16
Configuring Network Address Translation (NAT) Settings . . . . . . . . . . . . . . .5-21
Configuring Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-23
Configuring Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-25
Enabling Wireless LANs (WLANs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-27
Creating/Editing Individual WLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-30
Configuring WLAN Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-34
Configuring a WLAN Access Control List (ACL). . . . . . . . . . . . . . . . . . . .5-36
Setting the WLAN Quality of Service (QoS) Policy . . . . . . . . . . . . . . . . .5-39
Configuring WLAN Hotspot Support . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-45
Setting the WLAN’s Radio Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-51
Configuring the 802.11a or 802.11b/g Radio. . . . . . . . . . . . . . . . . . . . . .5-55
Configuring Bandwidth Management Settings . . . . . . . . . . . . . . . . . . . . . . . .5-63
Configuring Router Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-66
Setting the RIP Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-67
ix
Chapter 6. Configuring Access Point Security
Configuring Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-2
Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-3
Resetting the Access Point Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-4
Enabling Authentication and Encryption Schemes . . . . . . . . . . . . . . . . . . . . . . . . . .6-5
Configuring Kerberos Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-8
Configuring 802.1x EAP Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-11
Configuring WEP Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-16
Configuring KeyGuard Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-18
Configuring WPA/WPA2 Using TKIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-21
Configuring WPA2-CCMP (802.11i) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-24
Configuring Firewall Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-27
Configuring LAN to WAN Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-30
x
AP-51xx Access Point Product Reference Guide
Available Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-33
Configuring Advanced Subnet Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-34
Configuring VPN Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-36
Configuring Manual Key Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-40
Configuring Auto Key Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-44
Configuring IKE Key Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-47
Viewing VPN Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-50
Configuring Content Filtering Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-52
Configuring Rogue AP Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-55
Moving Rogue APs to the Allowed AP List . . . . . . . . . . . . . . . . . . . . . . . . . . .6-59
Displaying Rogue AP Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-60
Using MUs to Detect Rogue Devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-62
Configuring User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-64
Configuring the Radius Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-64
Configuring LDAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-67
Configuring a Proxy Radius Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-70
Managing the Local User Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-72
Mapping Users to Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-74
Defining User Access Permissions by Group. . . . . . . . . . . . . . . . . . . . . . . . . .6-76
Editing Group Access Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-78
Chapter 7. Monitoring Statistics
Viewing WAN Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-2
Viewing LAN Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-6
Viewing a LAN’s STP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-9
Viewing Wireless Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-12
Viewing WLAN Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-15
Viewing Radio Statistics Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-18
Viewing Radio Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-20
Retry Histogram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-24
Viewing MU Statistics Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-25
Viewing MU Details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-27
Pinging Individual MUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-30
MU Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-31
Viewing the Mesh Statistics Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-32
Viewing Known Access Point Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-33
Chapter 8. CLI Reference
Connecting to the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-2
Accessing the CLI through the Serial Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-2
Accessing the CLI via Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-2
Admin and Common Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-3
Network Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-11
Network LAN Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-12
Network LAN, Bridge Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-17
Network LAN, WLAN-Mapping Commands . . . . . . . . . . . . . . . . . . . . . .8-20
Network LAN, DHCP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-29
Network Type Filter Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-35
Network WAN Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-40
Network WAN NAT Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-43
Network WAN, VPN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-49
AP51xx>admin(network.wan.content)> . . . . . . . . . . . . . . . . . . . . . . . . . .8-58
Network WAN, Dynamic DNS Commands . . . . . . . . . . . . . . . . . . . . . . .8-62
Network Wireless Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-66
Network WLAN Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-67
Network Security Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-80
Network ACL Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-88
Network Radio Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . .8-93
Network Quality of Service (QoS) Commands . . . . . . . . . . . . . . . . . . . .8-110
Network Bandwith Management Commands . . . . . . . . . . . . . . . . . . . .8-115
Network Rogue-AP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-118
Network MU Locationing Commands . . . . . . . . . . . . . . . . . . . . . . . . . .8-128
Network Firewall Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-131
Network Router Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-136
System Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-142
Adaptive AP Setup Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-148
System Access Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-152
System Certificate Management Commands . . . . . . . . . . . . . . . . . . . . . . . .8-155
System SNMP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-168
System SNMP Access Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-169
System SNMP Traps Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-174
System User Database Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-180
xi
xii
AP-51xx Access Point Product Reference Guide
System Radius Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-193
System Network Time Protocol (NTP) Commands. . . . . . . . . . . . . . . . . . . . .8-216
System Log Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-221
System Configuration-Update Commands . . . . . . . . . . . . . . . . . . . . . . . . . .8-227
Firmware Update Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-234
Statistics Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-238
Chapter 9. Configuring Mesh Networking
Mesh Networking Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-1
The AP-51xx Client Bridge Association Process . . . . . . . . . . . . . . . . . . . . . . . .9-3
Client Bridge Configuration Process Example . . . . . . . . . . . . . . . . . . . . . .9-4
Spanning Tree Protocol (STP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-4
Defining the Mesh Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-5
Mesh Networking and the AP-51xx’s Two Subnets . . . . . . . . . . . . . . . . . . . . .9-5
Normal Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-6
Impact of Importing/Exporting Configurations to a Mesh Network . . . . . . . . .9-6
Configuring Mesh Networking Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-6
Setting the LAN Configuration for Mesh Networking Support . . . . . . . . . . . . .9-6
Configuring a WLAN for Mesh Networking Support. . . . . . . . . . . . . . . . . . . . .9-9
Configuring the Access Point Radio for Mesh Support . . . . . . . . . . . . . . . . . .9-13
Mesh Network Deployment - Quick Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-20
Scenario 1 - Two Base Bridges and One Client Bridge . . . . . . . . . . . . . . . . . .9-20
Configuring AP#1: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-21
Configuring AP#2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-26
Configuring AP#3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-27
Verifying Mesh Network Functionality for Scenario #1 . . . . . . . . . . . . .9-30
Scenario 2 - Two Hop Network with a Base Bridge and a Client Bridge . . . .9-31
Configuring AP#1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-32
Configuring AP#2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-32
Configuring AP#3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-33
Verifying Mesh Network Functionality for Scenario #2 . . . . . . . . . . . . .9-36
Mesh Networking Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . .9-37
Chapter 10. Adaptive AP
Adaptive AP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-1
Where to Go From Here . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-2
Adaptive AP Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-3
Types of Adaptive APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-3
Licensing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-4
Switch Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-4
Auto Discovery using DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-4
Manual Adoption Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-5
Securing a Configuration Channel Between Switch and AP . . . . . . . . . . . . . .10-6
Adaptive AP WLAN Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-6
Configuration Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-6
Securing Data Tunnels between the Switch and AAP . . . . . . . . . . . . . . . . . .10-6
Adaptive AP Switch Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-7
Remote Site Survivability (RSS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-7
Adaptive Mesh Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-7
Supported Adaptive AP Topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-9
Topology Deployment Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-9
Extended WLANs Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-10
Independent WLANs Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-10
Extended WLANs with Independent WLANs . . . . . . . . . . . . . . . . . . . . . . . .10-10
Extended WLAN with Mesh Networking. . . . . . . . . . . . . . . . . . . . . . . . . . . .10-11
How the AP Receives its Adaptive Configuration . . . . . . . . . . . . . . . . . . . . . . . . .10-11
Establishing Basic Adaptive AP Connectivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-13
Adaptive AP Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-13
Adopting an Adaptive AP Manually. . . . . . . . . . . . . . . . . . . . . . . . . . . .10-13
Adopting an Adaptive AP Using a Configuration File . . . . . . . . . . . . . .10-15
Adopting an Adaptive AP Using DHCP Options. . . . . . . . . . . . . . . . . . .10-15
Switch Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-16
Adaptive AP Deployment Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . .10-19
Sample Switch Configuration File for IPSec and Independent WLAN . . . . .10-20
xiii
Appendix A. Technical Specifications
Physical Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1
AP-5131 Physical Characteristics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2
AP-5181 Physical Characteristics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-3
xiv
AP-51xx Access Point Product Reference Guide
Electrical Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4
Radio Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4
Antenna Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-5
AP-5131 Antenna Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-5
2.4 GHz Antenna Matrix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-5
5.2 GHz Antenna Matrix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-6
AP-5131 Additional Antenna Components . . . . . . . . . . . . . . . . . . . . . . . A-6
AP-5131 Antenna Accessory Connectors, Cable Type and Length . . . . . A-6
AP-5181 Antenna Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-7
Country Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-9
Appendix B. Usage Scenarios
Configuring Automatic Updates using a DHCP or Linux BootP Server . . . . . . . . . . .B-1
Windows - DHCP Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-2
Embedded Options - Using Option 43 . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-2
Global Options - Using Extended/Standard Options . . . . . . . . . . . . . . . . .B-4
DHCP Priorities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-5
Linux - BootP Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-6
BootP Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-7
BootP Priorities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-9
Configuring an IPSEC Tunnel and VPN FAQs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-9
Configuring a VPN Tunnel Between Two Access Points. . . . . . . . . . . . . . . . .B-10
Configuring a Cisco VPN Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-13
Frequently Asked VPN Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-14
Replacing an AP-4131 with an AP-5131 or AP-5181. . . . . . . . . . . . . . . . . . . . . . . .B-20
Appendix C. Customer Support
Index
About This Guide
Introduction
This guide provides configuration and setup information for the AP-5131 and AP-5181 model
access points. For the purposes of this guide, the devices will be called AP-51xx or the generic
term “access point” when identical configuration activities are applied to both models.
Document Conventions
The following document conventions are used in this document:
NOTE Indicate tips or special requirements.
xvi
AP-51xx Access Point Product Reference Guide
CAUTION Indicates conditions that can cause equipment damage or data loss.
!
WARNING! Indicates a condition or procedure that could result in personal injury or
equipment damage.
Notational Conventions
The following notational conventions are used in this document:
• Italics are used to highlight specific items in the general text, and to identify chapters and
sections in this and related documents.
• Bullets (•) indicate:
• action items
• lists of alternatives
• lists of required steps that are not necessarily sequential
• Sequential lists (those describing step-by-step procedures) appear as numbered lists.
Service Information
If a problem is encountered with the access point, contact Customer Support. Refer to
Appendix C for contact information. Before calling, have the model number and serial number at hand.
If the problem cannot be solved over the phone, you may need to return your equipment for servicing.
If that is necessary, you will be given specific instructions.
Motorola is not responsible for any damages incurred during shipment if the approved shipping
container is not used. Shipping the units improperly can possibly void the warranty. If the original
shipping container was not kept, contact Motorola to have another sent to you.
Introduction
This AP-51xx Product Reference Guide contains setup and advanced configuration instructions for
both the AP-5131 and AP-5181 model access points. Both the AP-5131 and AP-5181 model access
points share the same Web UI, CLI and MIB interfaces. There are no differences in how the devices
are configured using the instructions within this guide, even though the Web UI displays AP-5131 or
AP-5181 specifically.
However, there are several differences between the two models you should be aware of. The
AP-5181 is constructed to support outdoor installations, while the AP-5131 model is constructed
primarily for indoor deployments. The AP-5131 is available in numerous single and dual-radio SKUs,
while an AP-5181 is available in only a dual-radio SKU. An AP-5181 cannot use the AP-5131’s 48 volt
power supply (Part No. 50-14000-243R) and, therefore, is recommended to use the AP-5181 Power
Tap (Part No. AP-PSBIAS-5181-01R) designed specifically for outdoor deployments. An AP-5181
model access point also must use an RJ-45 to Serial cable to establish a serial connection to a host
computer. Additionally, an AP-5181 model access point cannot downgrade to 1.1.0.x (or earlier)
firmware.
1-2
AP-51xx Access Point Product Reference Guide
The access point (AP) provides a bridge between Ethernet wired LANs or WANs and wireless
networks. It provides connectivity between Ethernet wired networks and radio-equipped mobile units
(MUs). MUs include the full line of terminals, adapters (PC cards, Compact Flash cards and PCI
adapters) and other devices.
The access point provides a maximum 54Mbps data transfer rate via each radio. It monitors Ethernet
traffic and forwards appropriate Ethernet messages to MUs over the network. It also monitors MU
radio traffic and forwards MU packets to the Ethernet LAN.
If you are new to using an access point for managing your network, refer to Theory of Operations on
page 1-20 for an overview on wireless networking fundamentals.
1.1 New Features
With this most recent 2.0 release of the access point firmware, the following new features have been
introduced:
• Adaptive AP
• Rogue AP Enhancements
• Bandwidth Management Enhancements
• Radius Time-Based Authentication
• QBSS Support
Legacy users can upgrade their firmware image to version 2.0. to benefit from the new features
described in this section. For information on upgrading the access point’s firmware image, see
Updating Device Firmware on page 4-49.
1.1.1 Adaptive AP
An adaptive AP (AAP) is an AP-51XX access point that can adopt like an AP300 (L3). The management
of an AAP is conducted by a switch, once the access point connects to a Motorola WS5100 or
RFS7000 model switch and receives its AAP configuration.
An AAP provides:
• local 802.11 traffic termination
• local encryption/decryption
• local traffic bridging
• the tunneling of centralized traffic to the wireless switch
Introduction
For a information overview of the adaptive AP feature as well as how to configure it, refer to
Adaptive AP on page 10-1.
1.1.2 Rogue AP Enhancements
With the 2.0 release of the access point firmware, the access point now has the option to scan for
rogues over all channels on both of the access point’s 11a and 11bg radio bands. The switching of
radio bands is based on a timer with no user intervention required.
For information on configuring the access point for Rogue AP support, see Configuring Rogue AP
Detection on page 6-55.
1.1.3 Bandwidth Management Enhancements
Use the Bandwidth Management screen to control the network bandwidth allotted to individual
WLANs. Define a weighted scheme as needed when WLAN traffic supporting a specific network
segment becomes critical. Bandwidth management is configured on a per-WLAN basis. However,
with this latest version 2.0 release, a separate tab has been created for each access point radio. With
this new segregated radio approach, bandwidth management can be configured uniquely for
individual WLANs on different access point radios.
1-3
For information on configuring bandwidth management, see Configuring Bandwidth Management
Settings on page 5-63.
1.1.4 Radius Time-Based Authentication
An external AAA server maintains a users and groups database used by the access point for access
permissions. Various kinds of access policies can be applied to each group. With this latest 2.0
version access point firmware, individual groups can be configured with their own time-based access
policy. Each group’s policy has a user defined interval defining the days and hours access is permitted.
Authentication requests for users belonging to the group are honored only during these defined hourly
intervals.
For more information on defining access point access policies by group, see Defining User Access
Permissions by Group on page 6-76.
1.1.5 QBSS Support
Each access point radio can be configured to optionally allow the access point to communicate
channel usage data to associated devices and define the beacon interval used for channel utilization
transmissions. The QBSS load represents the percentage of time the channel is in use by the access
1-4
AP-51xx Access Point Product Reference Guide
point and the access point’s station count. This information is very helpful in assessing the access
point’s overall load on a channel, its availability for additional device associations and multi media
traffic support.
For information on enabling QBSS and defining the channel utilization transmission interval, see
Configuring the 802.11a or 802.11b/g Radio on page 5-55.
1.2 Feature Overview
The access point has the following features carried forward from previous releases:
• Single or Dual Mode Radio Options
• Separate LAN and WAN Ports
• Multiple Mounting Options
• Antenna Support for 2.4 GHz and 5.2 GHz Radios
• Sixteen Configurable WLANs
• Support for 4 BSSIDs per Radio
• Quality of Service (QoS) Support
• Industry Leading Data Security
• VLAN Support
• Multiple Management Accessibility Options
• Updatable Firmware
• Programmable SNMP v1/v2/v3 Trap Support
• Power-over-Ethernet Support
• MU-MU Transmission Disallow
• Voice Prioritization
• Support for CAM and PSP MUs
• Statistical Displays
• Transmit Power Control
• Advanced Event Logging Capability
• Configuration File Import/Export Functionality
• Default Configuration Restoration
• DHCP Support
Introduction
• Multi-Function LEDs
• Mesh Networking
• Additional LAN Subnet
• On-board Radius Server Authentication
• Hotspot Support
• Routing Information Protocol (RIP)
• Manual Date and Time Settings
• Dynamic DNS
• Auto Negotiation
1.2.1 Single or Dual Mode Radio Options
One or two possible configurations are available on the access point depending on which model is
purchased. If the access point is manufactured as a single radio access point, the access point
enables you to configure the single radio for either 802.11a or 802.11b/g. However, an AP-5181 model
access point is only available in a dual-radio model.
If the access point is manufactured as a dual-radio access point, the access point enables you to
configure one radio for 802.11a support, and the other for 802.11b/g support.
1-5
For detailed information, see Setting the WLAN’s Radio Configuration on page 5-51.
1.2.2 Separate LAN and WAN Ports
The access point has one LAN port and one WAN port, each with their own MAC address. The access
point must manage all data traffic over the LAN connection carefully as either a DHCP client, BOOTP
client, DHCP server or using a static IP address. The access point can only use a Power-over-Ethernet
device when connected to the LAN port.
For detailed information on configuring the LAN port, see Configuring the LAN Interface on page 5-1.
A Wide Area Network (WAN) is a widely dispersed telecommunications network. In a corporate
environment, the WAN port might connect to a larger corporate network. For a small business, the
WAN port might connect to a DSL or cable modem to access the Internet. Regardless, network
address information must be configured for the ’s intended mode of operation.
For detailed information on configuring the ’s WAN port, see Configuring WAN Settings on page 5-16.
The LAN and WAN port MAC addresses can be located within the LAN and WAN Stats screens.
1-6
AP-51xx Access Point Product Reference Guide
For detailed information on locating the access point’s MAC addresses, see Viewing WAN Statistics
on page 7-2 and Viewing LAN Statistics on page 7-6. For information on access point MAC address
assignments, see AP-51xx MAC Address Assignment on page 1-27.
1.2.3 Multiple Mounting Options
The access point rests on a flat surface, attaches to a wall, mounts under a ceiling or above a ceiling
(attic). Choose a mounting option based on the physical environment of the coverage area. Do not
mount the access point in a location that has not been approved in an either an AP-5131 or outdoor
AP-5181 radio coverage site survey.
For detailed information on the mounting options available , see Mounting an AP-5131 on page 2-13
or Mounting an AP-5181 on page 2-24.
1.2.4 Antenna Support for 2.4 GHz and 5.2 GHz Radios
The access point supports several 802.11a and 802.11b/g radio antennas. Select the antenna best
suited to the radio transmission requirements of your coverage area.
For an overview of the Radio 1 (2.4 GHz) and Radio 2 (5.2 GHz) antennas supported on the access
point’s Reverse SMA (RSMA) connectors, see Antenna Specifications on page A-5. The AP-5181
model access point uses an antenna suite primarily suited for outdoor use.
1.2.5 Sixteen Configurable WLANs
A Wireless Local Area Network (WLAN) is a data-communications system that flexibly extends the
functionalities of a wired LAN. A WLAN does not require lining up devices for line-of-sight
transmission, and are thus, desirable for wireless networking. Roaming users can be handed off from
one access point to another like a cellular phone system. WLANs can therefore be configured around
the needs of specific groups of users, even when they are not in physical proximity. Sixteen WLANs
are configurable on each access point.
To enable and configure WLANs on an access point radio, see Enabling Wireless LANs (WLANs) on
page 5-27.
1.2.6 Support for 4 BSSIDs per Radio
The access point supports four BSSIDs per radio. Each BSSID has a corresponding MAC address. The
first MAC address corresponds to BSSID #1. The MAC addresses for the other three BSSIDs (BSSIDs
#2, #3, #4) are derived by adding 1, 2, 3, respectively, to the radio MAC address.
Introduction
If the radio MAC address displayed on the Radio Settings screen is 00:A0:F8:72:20:DC, then the
BSSIDs for that radio will have the following MAC addresses:
BSSID MAC Address Hexadecimal Addition
BSSID #1 00:A0:F8:72:20:DC Same as Radio MAC address
BSSID #2 00:A0:F8:72:20:DD Radio MAC address +1
BSSID #3 00:A0:F8:72:20:DE Radio MAC address +2
BSSID #4 00:A0:F8:72:20:DF Radio MAC address +3
For detailed information on strategically mapping BSSIDs to WLANs, see Configuring the 802.11a or
802.11b/g Radio on page 5-55. For information on access point MAC address assignments, see
AP-51xx MAC Address Assignment on page 1-27.
1.2.7 Quality of Service (QoS) Support
The QoS implementation provides applications running on different wireless devices a variety of
priority levels to transmit data to and from the access point. Equal data transmission priority is fine
for data traffic from applications such as Web browsers, file transfers or email, but is inadequate for
multimedia applications.
1-7
Voice over Internet Protocol (VoIP), video streaming and interactive gaming are highly sensitive to
latency increases and throughput reductions. These forms of higher priority data traffic can
significantly benefit from the QoS implementation.The WiFi Multimedia QOS Extensions (WMM)
implementation used by the shortens the time between transmitting higher priority data traffic and
is thus desirable for multimedia applications. In addition, U-APSD (WMM Power Save) is also
supported.
WMM defines four access categories—voice, video, best effort and background—to prioritize traffic
for enhanced multimedia support.
For detailed information on configuring QoS support, see Setting the WLAN Quality of Service (QoS)
Policy on page 5-39.
1.2.8 Industry Leading Data Security
The access point supports numerous encryption and authentication techniques to protect the data
transmitting on the WLAN.
The following authentication techniques are supported:
1-8
AP-51xx Access Point Product Reference Guide
• Kerberos Authentication
• EAP Authentication
The following encryption techniques are supported:
• WEP Encryption
• KeyGuard Encryption
• Wi-Fi Protected Access (WPA) Using TKIP Encryption
• WPA2-CCMP (802.11i) Encryption
In addition, the access point supports the following additional security features:
• Firewall Security
• VPN Tunnels
• Content Filtering
For an overview on the encryption and authentication schemes available , refer to Configuring Access
Point Security on page 6-1.
1.2.8.1 Kerberos Authentication
Authentication is a means of verifying information transmitted from a secure source. If information is
authentic, you know who created it and you know it has not been altered in any way since originated.
Authentication entails a network administrator employing a software “supplicant” on their computer
or wireless device.
Authentication is critical for the security of any wireless LAN device. Traditional authentication
methods are not suitable for use in wireless networks where an unauthorized user can monitor
network traffic and intercept passwords. The use of strong authentication methods that do not
disclose passwords is necessary. The access point uses the Kerberos authentication service protocol
(specified in RFC 1510) to authenticate users/clients in a wireless network environment and to
securely distribute the encryption keys used for both encrypting and decrypting.
A basic understanding of RFC 1510 Kerberos Network Authentication Service (V5) is helpful in
understanding how Kerberos functions. By default, WLAN devices operate in an open system network
where any wireless device can associate with an AP without authorization. Kerberos requires device
authentication before access to the wired network is permitted.
For detailed information on Kerbeors configurations, see Configuring Kerberos Authentication on
page 6-8.
Introduction
1.2.8.2 EAP Authentication
The Extensible Authentication Protocol (EAP) feature provides access points and their associated
MU’s an additional measure of security for data transmitted over the wireless network. Using EAP,
authentication between devices is achieved through the exchange and verification of certificates.
EAP is a mutual authentication method whereby both the MU and AP are required to prove their
identities. Like Kerberos, the user loses device authentication if the server cannot provide proof of
device identification.
Using EAP, a user requests connection to a WLAN through the access point. The access point then
requests the identity of the user and transmits that identity to an authentication server. The server
prompts the AP for proof of identity (supplied to the by the user) and then transmits the user data
back to the server to complete the authentication process.
An MU is not able to access the network if not authenticated. When configured for EAP support, the
access point displays the MU as an EAP station.
EAP is only supported on mobile devices running Windows XP, Windows 2000 (using Service Pack #4)
and Windows Mobile 2003. Refer to the system administrator for information on configuring a Radius
Server for EAP (802.1x) support.
1-9
For detailed information on EAP configurations, see Configuring 802.1x EAP Authentication on page
6-11.
1.2.8.3 WEP Encryption
All WLAN devices face possible information theft. Theft occurs when an unauthorized user
eavesdrops to obtain information illegally. The absence of a physical connection makes wireless links
particularly vulnerable to this form of theft. Most forms of WLAN security rely on encryption to
various extents. Encryption entails scrambling and coding information, typically with mathematical
formulas called algorithms, before the information is transmitted. An algorithm is a set of instructions
or formula for scrambling the data. A key is the specific code used by the algorithm to encrypt or
decrypt the data. Decryption is the decoding and unscrambling of received encrypted data.
The same device, host computer or front-end processor, usually performs both encryption and
decryption. The transmit or receive direction determines whether the encryption or decryption
function is performed. The device takes plain text, encrypts or scrambles the text typically by
mathematically combining the key with the plain text as instructed by the algorithm, then transmits
the data over the network. At the receiving end, another device takes the encrypted text and decrypts,
or unscrambles, the text revealing the original message. An unauthorized user can know the
1-10
AP-51xx Access Point Product Reference Guide
algorithm, but cannot interpret the encrypted data without the appropriate key. Only the sender and
receiver of the transmitted data know the key.
Wired Equivalent Privacy (WEP) is an encryption security protocol specified in the IEEE Wireless
Fidelity (Wi-Fi) standard, 802.11b and supported by the AP. WEP encryption is designed to provide a
WLAN with a level of security and privacy comparable to that of a wired LAN. The level of protection
provided by WEP encryption is determined by the encryption key length and algorithm. An encryption
key is a string of case sensitive characters used to encrypt and decrypt data packets transmitted
between a mobile unit (MU) and the access point. An access point and its associated wireless clients
must use the same encryption key (typically 1 through 4) to interoperate.
For detailed information on WEP, see Configuring WEP Encryption on page 6-16.
1.2.8.4 KeyGuard Encryption
Use KeyGuard to shield the master encryption keys from being discovered through hacking. KeyGuard
negotiation takes place between the access point and MU upon association. The access point can
use KeyGuard with Motorola MUs. KeyGuard is only supported on Motorola MUs making it a
Motorola proprietary security mechanism.
For detailed information on KeyGuard configurations, see Configuring KeyGuard Encryption on page
6-18.
1.2.8.5 Wi-Fi Protected Access (WPA) Using TKIP Encryption
Wi-Fi Protected Access (WPA) is a security standard for systems operating with a Wi-Fi wireless
connection. WEP’s lack of user authentication mechanisms is addressed by WPA. Compared to WEP,
WPA provides superior data encryption and user authentication.
WPA addresses the weaknesses of WEP by including:
• a per-packet key mixing function
• a message integrity check
• an extended initialization vector with sequencing rules
• a re-keying mechanism
WPA uses an encryption method called Temporal Key Integrity Protocol (TKIP). WPA employs 802.1X
and Extensible Authentication Protocol (EAP).
For detailed information on WPA using TKIP configurations, see Configuring WPA/WPA2 Using TKIP
on page 6-21.
Introduction
1.2.8.6 WPA2-CCMP (802.11i) Encryption
WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi Protected
Access (WPA) and WEP. Counter-mode/CBC-MAC Protocol (CCMP) is the security standard used by
the Advanced Encryption Standard (AES). AES serves the same function TKIP does for WPA-TKIP.
CCMP computes a Message Integrity Check (MIC) using the proven Cipher Block Message
Authentication Code (CBC-MAC) technique. Changing just one bit in a message produces a totally
different result.
WPA2-CCMP is based on the concept of a Robust Security Network (RSN), which defines a hierarchy
of keys with a limited lifetime (similar to TKIP). Like TKIP, the keys the administrator provides are used
to derive other keys. Messages are encrypted using a 128-bit secret key and a 128-bit block of data.
The end result is an encryption scheme as secure as any the provides.
For detailed information on WPA2-CCMP, see Configuring WPA2-CCMP (802.11i) on page 6-24.
1.2.8.7 Firewall Security
A firewall keeps personal data in and hackers out. The firewall prevents suspicious Internet traffic
from proliferating the access point managed network. The access point performs network address
translation (NAT) on packets passing to and from the WAN port. This combination provides enhanced
security by monitoring communication with the wired network.
1-11
For detailed information on configuring the access point’s firewall, see Configuring Firewall Settings
on page 6-27.
1.2.8.8 VPN Tunnels
Virtual Private Networks (VPNs) are IP-based networks using encryption and tunneling providing
users remote access to a secure LAN. In essence, the trust relationship is extended from one LAN
across the public network to another LAN, without sacrificing security. A VPN behaves like a private
network; however, because the data travels through the public network, it needs several layers of
security. The can function as a robust VPN gateway.
For detailed information on configuring VPN security support, see Configuring VPN Tunnels on page
6-36.
1.2.8.9 Content Filtering
Content filtering allows system administrators to block specific commands and URL extensions from
going out through the WAN port. Therefore, content filtering affords system administrators selective
control on the content proliferating the network and is a powerful screening tool. Content filtering
1-12
AP-51xx Access Point Product Reference Guide
allows the blocking of up to 10 files or URL extensions and allows blocking of specific outbound HTTP,
SMTP, and FTP requests.
For detailed information on configuring content filtering support, see Configuring Content Filtering
Settings on page 6-52.
1.2.9 VLAN Support
A Virtual Local Area Network (VLAN) can electronically separate data on the same AP from a single
broadcast domain into separate broadcast domains. By using a VLAN, you can group by logical
function instead of physical location. There are 16 VLANs supported on the access point. An
administrator can map up to 16 WLANs to 16 VLANs and enable or disable dynamic VLAN
assignment. In addition to these 16 VLANs, the access point supports dynamic, user-based, VLANs
when using EAP authentication.
VLANs enable organizations to share network resources in various network segments within large
areas (airports, shopping malls, etc.). A VLAN is a group of clients with a common set of requirements
independent of their physical location. VLANs have the same attributes as physical LANs, but they
enable administrators to group clients even when they are not members of the same network
segment.
For detailed information on configuring VLAN support, see Configuring VLAN Support on page 5-5.
1.2.10 Multiple Management Accessibility Options
The access point can be accessed and configured using one of the following methods:
• Java-Based Web UI
• Human readable config file (imported via FTP or TFTP)
• MIB (Management Information Base)
• Command Line Interface (CLI) accessed via RS-232 or Telnet. Use the access point’s DB-9
serial port for direct access to the command-line interface from a PC. Use a Null-Modem
cable (Part No. 25-632878-0) for the best fitting connection.
1.2.11 Updatable Firmware
Motorola periodically releases updated versions of device firmware to the Motorola Web site. If the
firmware version displayed on the System Settings page (see Configuring System Settings on page
4-2) is older than the version on the Web site, Motorola recommends updating the access point to
Introduction
the latest firmware version for full feature functionality. An AP-5181 model access point does not
support firmware earlier than 1.1.1.0.
For detailed information on updating the firmware using FTP or TFTP, see Updating Device Firmware
on page 4-49.
1.2.12 Programmable SNMP v1/v2/v3 Trap Support
Simple Network Management Protocol (SNMP) facilitates the exchange of management information
between network devices. SNMP uses Management Information Bases (MIBs) to manage the device
configuration and monitor Internet devices in remote locations. MIB information accessed via SNMP
is defined by a set of managed objects called object identifiers (OIDs). An object identifier (OID) is
used to uniquely identify each object variable of a MIB.
SNMP allows a network administrator to configure the access point, manage network performance,
find and solve network problems, and plan for network growth. The access point supports SNMP
management functions for gathering information from its network components. The access point’s
download site contains the following 2 MIB files:
• Symbol-CC-WS2000-MIB-2.0 (standard MIB file)
• Symbol-AP-5131-MIB (both the AP-5131 and AP-5181 use the same MIB, there is no specific
MIB for an AP-5181)
1-13
The access point’s SNMP agent functions as a command responder and is a multilingual agent
responding to SNMPv1, v2c and v3 managers (command generators). The factory default
configuration maintains SNMPv1/2c support of community names, thus providing backward
compatibility.
For detailed information on configuring SNMP traps, see Configuring SNMP Settings on page 4-23.
1.2.13 Power-over-Ethernet Support
When users purchase a Motorola WLAN solution, they often need to place access points in obscure
locations. In the past, a dedicated power source was required for each access point in addition to the
Ethernet infrastructure. This often required an electrical contractor to install power drops at each
access point location.
An approved power injector solution merges power and Ethernet into one cable, reducing the burden
of installation and allows optimal access point placement in respect to the intended radio coverage
area. An AP-5131 or AP-5181 can only use a Power-over-Ethernet device when connected to the LAN
port.
1-14
AP-51xx Access Point Product Reference Guide
The Power Injector (Part No. AP-PSBIAS-T-1P-AF) is a single-port, 802.3af compliant Power over
Ethernet hub combining low-voltage DC with Ethernet data in a single cable connecting to the access
point. The Power Injector’s single DC and Ethernet data cable creates a modified Ethernet cabling
environment on the access point’s LAN port eliminating the need for separate Ethernet and power
cables. For detailed information on using the Power Injector, see Power Injector and Power Tap
Systems on page 2-10.
The Power Tap (Part No. AP-PSBIAS-5181-01R) is also a single-port, 802.3af compliant Power over
Ethernet hub combining low-voltage DC with Ethernet data in a single cable connecting to the access
point. However, the Power Tap is designed and ruggedized for use with an AP-5181’s outdoor
deployment. For detailed information on using the Power Tap, see Power Injector and Power Tap
Systems on page 2-10.
1.2.14 MU-MU Transmission Disallow
The access point’s MU-MU Disallow feature prohibits MUs from communicating with each other even
if they are on different WLANs, assuming one of the WLAN’s is configured to disallow MU-MU
communication. Therefore, if an MU’s WLAN is configured for MU-MU disallow, it will not be able to
communicate with any other MUs connected to this access point.
For detailed information on configuring an WLAN to disallow MU to MU communications, see
Creating/Editing Individual WLANs on page 5-30.
1.2.15 Voice Prioritization
Each access point WLAN has the capability of having its QoS policy configured to prioritize the
network traffic requirements for associated MUs. A WLAN QoS page is available for each enabled
WLAN on either the 802.11a or 802.11b/g radio.
Use the QoS page to enable voice prioritization for devices to receive the transmission priority they
may not normally receive over other data traffic. Voice prioritization allows the access point to assign
priority to voice traffic over data traffic, and (if necessary) assign legacy voice supported devices (non
WMM supported voice devices) additional priority.
For detailed information on configuring voice prioritization over other voice enabled devices, see
Setting the WLAN Quality of Service (QoS) Policy on page 5-39.
Loading...