Netgear WC7600 Reference Manual

Page 1

ProSAFE Wireless Controller WC7600

Reference Manual
June, 2014 202-11414-01
350 East Plumeria Drive San Jose, CA 95134 USA
Page 2
Support
Thank you for selecting NETGEAR products.
After installing your device, locate the serial number on the label of your product and use it to register your product at
https://my.netgear.com. You must register your product before you can use NETGEAR telephone support. NETGEAR
recommends registering your product through the NETGEAR website. For product updates and web support, visit
http://support.netgear.com.
Phone (US & Canada only): 1-888-NETGEAR.
Phone (Other Countries): Check the list of phone numbers at http://support.netgear.com/general/contact/default.aspx.
Contact your Internet service provider for technical support.
Compliance
For regulatory compliance information, visit http://www.netgear.com/about/regulatory.
See the regulatory compliance document before connecting the power supply.
Trademarks
NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change without notice. © NETGEAR, Inc. All rights reserved.
Page 3
Chapter 1 Introduction
Key Features and Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Package Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Hardware Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Front Panel Ports, Slots, and LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Back Panel Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Bottom Panel with Product Label . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
WC7600 Wireless Controller System Components. . . . . . . . . . . . . . . . . . . . . . . 15
NETGEAR ProSAFE Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
What Can You Do with the WC7600 Wireless Controller?. . . . . . . . . . . . . . . . . 18
Licenses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Maintenance and Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Chapter 2 System Planning and Deployment Scenarios
Basic and Advanced Setting Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Profile Group Concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Basic Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Advanced Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
System Planning Concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Preinstallation Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Before You Configure a Wireless Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
High-Level Configuration Examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Single Controller Configuration with Basic Profile Group. . . . . . . . . . . . . . . . 28
Single Controller Configuration with Advanced Profile Groups . . . . . . . . . . . 29
Stacked Controller Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Management VLAN and Data VLAN Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . 31
High-Level Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Scenario Example 1: Network with Single VLAN . . . . . . . . . . . . . . . . . . . . . . . 33
Scenario Example 2: Advanced Network with VLANs and SSIDs. . . . . . . . . . 35
Scenario Example 3: Advanced Network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Chapter 3 RF Planning
RF Planning Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Planning Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Define and Edit Buildings and Floors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Specify Access Point Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
View and Manage Heat Maps for Deployed Plans . . . . . . . . . . . . . . . . . . . . . . . . 48
Chapter 4 Installation and Configuration Overview
Connect Your Computer to the Wireless Controller. . . . . . . . . . . . . . . . . . . . . . . 52
Log In to the Wireless Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Roadmap for Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Roadmap for Configuring Management of Your Wireless Network. . . . . . . . . . 55
Choose a Location for the Wireless Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Deploy the Wireless Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Page 4
Chapter 5 Configure the System and Network Settings and Register the
Licenses
Configure the General Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Manage the Time Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Manage the IP, VLAN, and Link Aggregation Settings. . . . . . . . . . . . . . . . . . . . . 62
Management VLAN Concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Untagged VLAN Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Link Aggregation Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Configure the IP, VLAN, and Link Aggregation Settings . . . . . . . . . . . . . . . . . 63
Manage the DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Add a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Change the Settings for a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Remove a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Register Your Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Configure the License Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Register Your Licenses with the License Server . . . . . . . . . . . . . . . . . . . . . . . . 72
Manage Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Configure Log, Syslog, Alarm Notification, and Email Settings . . . . . . . . . . . . . 75
Configure Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Configure Syslog Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Configure Alarm Notification Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Configure the Email Notification Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Chapter 6 Manage Security Profiles and Profile Groups
Wireless Security Profile Concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Small WLAN Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Large WLAN Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Profile Naming Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Considerations Before You Configure Profiles . . . . . . . . . . . . . . . . . . . . . . . . . 84
Basic and Advanced Security Configuration Concepts . . . . . . . . . . . . . . . . . . 85
Manage Security Profiles for the Basic Profile Group . . . . . . . . . . . . . . . . . . . . . 86
Configure a Profile in the Basic Profile Group . . . . . . . . . . . . . . . . . . . . . . . . . 86
Change the Settings for a Profile in the Basic Profile Group . . . . . . . . . . . . . 90
Remove a Profile From the Basic Profile Group . . . . . . . . . . . . . . . . . . . . . . . . 91
Manage Security Profiles for Advanced Profile Groups . . . . . . . . . . . . . . . . . . . 91
Add an Advanced Profile Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Remove an Advanced Profile Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Configure a Profile in an Advanced Profile Group . . . . . . . . . . . . . . . . . . . . . . 93
Change the Settings for a Profile in an Advanced Profile Group . . . . . . . . . . 98
Remove a Profile From an Advanced Profile Group. . . . . . . . . . . . . . . . . . . . . 99
Network Authentication and Data Encryption Options. . . . . . . . . . . . . . . . . . . . 99
Manage Authentication Servers and Authentication Server Groups. . . . . . . . 104
Authentication Server Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Configure Basic Authentication Server Settings . . . . . . . . . . . . . . . . . . . . . . 105
Configure a RADIUS Authentication Server Group . . . . . . . . . . . . . . . . . . . . 107
Remove a RADIUS Authentication Server Group. . . . . . . . . . . . . . . . . . . . . . 109
Page 5
Manage MAC Authentication and MAC Authentication Groups. . . . . . . . . . . . 109
Guidelines for External MAC Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Configure Basic Local MAC Authentication Settings . . . . . . . . . . . . . . . . . . . 110
Remove a MAC Address from a Wireless Client List . . . . . . . . . . . . . . . . . . . 112
Import a MAC List from a File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Configure a Local MAC Authentication Group . . . . . . . . . . . . . . . . . . . . . . . . 113
Remove a Local MAC Authentication Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Select an ACL for a Profile in the Basic Profile Group . . . . . . . . . . . . . . . . . . 115
Select an ACL for a Profile in an Advanced Profile Group. . . . . . . . . . . . . . . 117
Chapter 7 Discover and Manage Access Points
Access Point Discovery Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
General Discovery Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
Layer 3 Discovery Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Remote Access Point Discovery Guidelines. . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Discover Access Points with the Discovery Wizard . . . . . . . . . . . . . . . . . . . . . .123
Discover Access Points in Factory Default State and Access
Points in a Layer 2 Subnet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Discover Access Points Installed and Working in
Standalone Mode in Different Layer 3 Networks . . . . . . . . . . . . . . . . . . . . . 127
Manage the Managed AP List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
View the Managed AP List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Change Access Point Information on the Managed AP List . . . . . . . . . . . . . 133
Remove Access Points from the Managed AP List. . . . . . . . . . . . . . . . . . . . . 136
Assign Access Points to Advanced Profile Groups . . . . . . . . . . . . . . . . . . . . . . . 137
Chapter 8 Manage Rogue Access Points,
Guest Network Access, and Users
Manage Rogue Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Rogue Access Point Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Configure Basic Rogue Detection Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Classify Rogue Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Import a List of Known Access Points from a File . . . . . . . . . . . . . . . . . . . . .144
Manage Guest Network Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Portal Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Configure a Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Manage Users, Accounts, and Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
User and Account Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Add a Management User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Add a WiFi User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Add a Captive Portal Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Add a Captive Portal User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Change the Settings for a User or Account. . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Remove a User or Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Export a List of Users or Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Page 6
Chapter 9 Configure Wireless and QoS Settings
Basic and Advanced Wireless and QoS Configuration Concepts . . . . . . . . . . . 162
Configure the Radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Configure the Radio for the Basic Profile Group . . . . . . . . . . . . . . . . . . . . . . 162
Configure the Radio for an Advanced Profile Group . . . . . . . . . . . . . . . . . . . 164
Configure Wireless Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Configure Wireless Settings for the Basic Profile Group. . . . . . . . . . . . . . . . 165
Override Channel and Transmission Power in the Basic Profile Group . . . . 169
Configure Wireless Settings for an Advanced Profile Group . . . . . . . . . . . . 171
Override Channel and Transmission Power in an Advanced
Profile Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Configure Channels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Specify Radio Frequency Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Radio Frequency Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
WLAN Healing Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Configure Radio Frequency Management for the Basic Profile Group . . . . 181
Configure Radio Frequency Management for an Advanced
Profile Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Manage the Preferred Bands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Configure the Preferred Band for WNDAP620 Access
Points in the Basic Profile Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Configure the Preferred Band for WNDAP620 Access
Points in an Advanced Profile Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Manage Quality of Service for an Advanced Profile Group . . . . . . . . . . . . . . . 188
Quality of Service Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Configure Quality of Service for a Profile Group. . . . . . . . . . . . . . . . . . . . . . 189
Manage Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Load Balancing Concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Configure Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Manage Rate Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Rate Limiting Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Configure Rate Limiting for the Basic Profile Group . . . . . . . . . . . . . . . . . . . 195
Configure Rate Limiting for an Advanced Profile Group. . . . . . . . . . . . . . . . 196
Chapter 10 Maintain the Wireless Controller and Access Points
Manage the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Back Up the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Restore the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Upgrade the Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Reboot the Wireless Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Reset the Wireless Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Manage External Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Manage Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Specify Session Time-Outs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Manage the System Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Query the System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Save the System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Page 7
Clear the System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
View Alerts and Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
View System Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
View Radio Frequency Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
View Load-Balancing Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
View Rate-Limit Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
View Redundancy Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
View Stacking Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .218
Manage Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
View Your Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Retrieve Your Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222
Reboot Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Configure Multicast Firmware Upgrade for Access Points . . . . . . . . . . . . . . . . 224
Change the Multicast Firmware Upgrade Settings . . . . . . . . . . . . . . . . . . . . 225
Disable Multicast Firmware Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .226
Chapter 11 Manage Stacking and Redundancy
Stacking Concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Configure a Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Remove a Wireless Controller from a Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Select Which Wireless Controller in a Stack to Configure. . . . . . . . . . . . . . . . . 233
Manage Redundancy for a Single Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
VRRP Redundancy Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Configure a Single Controller with Redundancy. . . . . . . . . . . . . . . . . . . . . . . 239
Manage a Redundancy Group with N:1 Redundancy. . . . . . . . . . . . . . . . . . . . . 241
VRRP N:1 Redundancy Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Configure a Redundancy Group with N:1 Redundancy . . . . . . . . . . . . . . . . .244
Change a Redundant Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Remove a Redundancy Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Chapter 12 Monitor the Wireless Network and Its Components
Monitor the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
View the Network Summary Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
View the Wireless Controllers in the Network . . . . . . . . . . . . . . . . . . . . . . . . 251
View the Access Points in the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253
View the Clients in the Network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
View the Profiles in the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Monitor the Wireless Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
View the Wireless Controller Summary Screen . . . . . . . . . . . . . . . . . . . . . . . 264
View Wireless Controller Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
View Access Points that the Wireless Controller Manages. . . . . . . . . . . . . . 268
View Clients on Access Points that the Wireless Controller Manages . . . . 273
View Neighboring Clients that the Wireless Controller Detects . . . . . . . . . 277
View Neighboring Access Points that the Wireless Controller
Does Not Manage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279
View Security Profiles That the Wireless Controller Manages. . . . . . . . . . . 280
View DHCP Leases That Are Provided by the Wireless Controller . . . . . . . 282
Page 8
View Captive Portal Users on Access Points That the
Wireless Controller Manages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Monitor the SSIDs on the Wireless Controller . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Monitor Local Clients in the Network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Chapter 13 Troubleshooting
Troubleshoot Basic Functioning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Power LED Is Not Lit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Status LED Never Turns Off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Ethernet Port LEDs Are Not Lit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Troubleshoot the Web Management Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Check the Ethernet Cabling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Check the IP Address Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Check the Internet Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Troubleshoot a TCP/IP Network Using the Ping Utility . . . . . . . . . . . . . . . . . . . 298
Use the Reset Button to Restore Default Settings . . . . . . . . . . . . . . . . . . . . . . . 299
Resolve Problems with Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Resolve Problems with Access Points. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Resolve Discovery Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Resolve Connection Problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Network Performance and Rogue Access Point Detection. . . . . . . . . . . . . . 301
Use the Diagnostic Tools on the Wireless Controller . . . . . . . . . . . . . . . . . . . . . 301
Ping an Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Trace a Route to an Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Appendix A Factory Default Settings, Technical Specifications, and
Passwords Requirements
Factory Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Technical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Password Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Page 9

1. Introduction

This chapter includes the following sections:
Key Features and Capabilities
Package Contents
Hardware Features
WC7600 Wireless Controller System Components
NETGEAR ProSAFE Access Points
What Can You Do with the WC7600 Wireless Controller?
Licenses
Maintenance and Support
Note: For more information about the topics covered in this manual, visit the
support website at support.netgear.com.
Note: Firmware updates with new features and bug fixes are made available from time to time on downloadcenter.netgear.com. Some products can regularly check the site and download new firmware, or you can check for and download new firmware manually. If the features or behavior of your product do not match what is described in this guide, you might need to update your firmware.
Page 10

Key Features and Capabilities

The NETGEAR ProSAFE Wireless Controller WC7600 is a high-capacity, secured wireless controller intended for medium- to large-sized businesses, higher education institutions, hospitals, and hotels.
One wireless controller with the appropriate licenses can support up to 50 access points (APs) with up to 2,000 users. In a stacked configuration, a stack of three wireless controllers can support up to 6,000 users. The wireless controller supports the IEEE 802.11a/b/g/n protocols and is 802.11ac ready for future deployment. The wireless controller allows you to manage your wireless network from a central point, implement security features centrally, support Layer 2 and Layer 3 fast roaming, configure a guest access captive portal, and support voice over Wi-Fi (VoWi-Fi).
The wireless controller is equipped with two 1/10 Gigabit Ethernet (1/10GbE) slots with standard SFP or SFP+ form factor for optional 10GBASE or 1000BASE GBICs. One RJ-45 Gigabit Ethernet port is available to access the wireless controller for management and for data and control communications between the wireless controller and the access points.
The wireless controller provides the following key features and capabilities:
Scalable architecture with stacking
- Purchased licenses in increments of 10 or 50 access points allow for support of up to a maximum number of 300 access points on a single wireless controller in a configuration without a stack.
- A maximum of three stacked wireless controllers allows for up to 150 access points (50 on each wireless controller in a stacked configuration) in a single network.
- Support of 802.11a, 802.11b, 802.11g, and 802.11n modes. Ready for 802.11ac mode for future deployment.
Centralized management
- Single point of management for the entire wireless network.
- Automatic firmware upgrade to all managed access points.
- DHCP server for IP address provisioning.
- Configurable management VLAN.
Page 11
Security
- Identity-based security authentication with an external RADIUS or LDAP (Active Directory) server, or with an internal authentication server.
- Support for nine access point profile groups (one basic and eight advanced) on one wireless controller.
- Support for up to 8 profiles per access point profile group and 8 profiles per radio (therefore, dual-band access points can support up to 16 profiles in one access point profile group).
- Support for up to 144 profiles on one wireless controller (8 profiles per access point group and eight groups per radio). Each profile supports settings for SSID, network authentication, data encryption, client separation, VLAN, MAC ACL, and wireless QoS.
- Rogue access point detection and classification.
- Guest access and captive portal access with cost and expiration accounting.
- Scheduled wireless on/off times.
Wi-Fi Multimedia Quality of Service and advanced wireless features
- Wi-Fi Multimedia (WMM) support for video, audio, and voice over Wi-Fi (VoWi-Fi).
- WMM power save option.
- Automatic WLAN healing mechanism ensures seamless coverage for wireless users.
- Layer 2 and Layer 3 seamless roaming support.
- Local Layer 2 traffic switching and Layer 3 traffic processing at access point level for fast processing.
Wireless and Radio Frequency (RF) management
- Automatic control of access point transmit power and channel allocation to reduce interference.
- Automatic load balancing of clients across access points.
- Rate limiting per profile.
- Multicast and broadcast rate limiting.
- ARP suppression.
Monitoring and reporting
- Monitoring of the status of the network, wireless controllers, WLANs, and clients, and network usage statistics.
- Specific health monitoring of access points.
- Logging and emailing of system events, RF events, load-balancing events, and rate-limiting events.
- Context-sensitive search function.
For a list of all features and capabilities of the wireless controller, see the datasheet that you can download from http://support.netgear.com/product/WC7600.
Page 12

Package Contents

The ProSAFE Wireless Controller WC7600 product package contains the following items:
ProSAFE Wireless Controller WC7600 appliance
One AC power cable
Rubber feet (four) with adhesive backing
One rack-mount kit
Straight-through Category 5 Ethernet cable
ProSAFE Wireless Controller WC7600 Installation Guide
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair.

Hardware Features

The front panel ports, slots, and LEDs, back panel components, and bottom label of the wireless controller are described in this section.

Front Panel Ports, Slots, and LEDs

The following figure shows the front panel of the wireless controller.
Figure 1. Front panel
Figure labels: Digital access point counter; ID, Power, Status, Fan, Stack Master, USB, Reset; Slots and LEDs for optional SFP and SFP+ GBIC module; Ethernet port and LEDs; Console 9600,N,8,1.
LED mode (slots for optional SFP and SFP+ GBIC module): Green = Link at 10G, Blink Green = 10G Active, Yellow = Link at 1G, Blink Yellow = 1G Active.
LED mode (Ethernet port): Left LED: Green = Link at 1GE, Yellow = Link at 10/100M. Right LED: Green = Link, Green Blink = Active.
The following figure shows a close-up of the left side of the front panel.
Figure 2. Front panel close-up
Figure labels: USB port; Reset button; LEDs (top to bottom): Power, Status, Fan, Stack Master.
From left to right, the wireless controller’s front panel shows the following counter, LEDs, button, ports, and slots:
Digital counter. Displays the number of connected access points that are in a healthy state.
From top to bottom:
- Power LED
- Status LED
- Fan LED
- Stack Master LED
These LEDs are described in Table 1 on page 13.
Reset button. Using a sharp object, press and hold this button for about 10 seconds until the Status LED flashes and the wireless controller returns to factory default settings. If you reset the wireless controller, all configuration settings are lost and the default password is restored.
USB port. Allows for external storage for floor heat maps, which will be supported in a future release.
SFP slots. Two SFP slots for optional 10GE SFP+ or 1G SFP gigabit interface converters (GBICs), each slot with an LED.
Ethernet port. One 10/100/1000 Mbps LAN Ethernet port with an RJ-45 connector, left LED, and right LED. The Ethernet port provides switched N-way, automatic speed negotiating, auto MDI/MDIX technology.
Console port. RS232 port for connecting to an optional console terminal. The port has a DB9 male connector. The default baud rate is 9600 K. The configuration is 8 bits, no parity, and 1 stop bit. The console port is for debugging under guidance of NETGEAR technical support only.
The function of each LED is described in the following table:
Table 1. LED functions

| LED | Status | Description |
|---|---|---|
| Power LED | Green | The green Power LED should be lit when the wireless controller is on. |
| Power LED | Off | If the power LED is not lit when the wireless controller is on, check the connections and check to see if the power outlet is controlled by a wall switch that is turned off (see Power LED Is Not Lit on page 296). |
| Status LED | Yellow | The wireless controller is initializing. After approximately two minutes, when the wireless controller has completed its initialization, the Status LED turns green. If the Status LED remains yellow, the initialization has failed (see Status LED Never Turns Off on page 296). |
| Status LED | Green | The wireless controller has completed its initialization successfully. The Status LED should be steady green during normal operation. |
| Status LED | Off | The wireless controller does not have power. |
| Status LED | Blinking yellow | Firmware is being upgraded. |
| Fan LED | Green | The fans are functioning correctly. |
| Fan LED | Yellow | One or more fans are not functioning correctly. |
| Stack Master LED | Green | The wireless controller functions as the master controller in a stack. |
| Stack Master LED | Yellow | The wireless controller functions as a slave controller in a stack. |
| SFP slot LEDs | Green | The slot is operating at 10G. |
| SFP slot LEDs | Blinking green | Data is being transmitted or received at 10G. |
| SFP slot LEDs | Yellow | The slot is operating at 1G. |
| SFP slot LEDs | Blinking yellow | Data is being transmitted or received at 1G. |
| Left Ethernet port LED | Off | The port has no physical link, that is, no Ethernet cable is plugged into the wireless controller (see Ethernet Port LEDs Are Not Lit on page 297). |
| Left Ethernet port LED | Green | The port has detected a link with a connected Ethernet device. |
| Left Ethernet port LED | Blinking green | The port transmits or receives data. |
| Right Ethernet port LED | Off | The port has no physical link, that is, no Ethernet cable is plugged into the wireless controller (see Ethernet Port LEDs Are Not Lit on page 297). |
| Right Ethernet port LED | Green | The port is operating at 1000 Mbps. |
| Right Ethernet port LED | Yellow | The port is operating at 100 Mbps or 10 Mbps. |

Back Panel Features

The wireless controller comes with a single internal power supply but supports an optional second power supply for power redundancy. The power supplies are hot-swappable.
The following figure shows the back panel of the wireless controller with a single internal power supply, the power supply connector, and two double fans.
Figure 3. Back panel (callout: power supply connector)
From left to right, the wireless controller’s back panel components are:
Power supply. 100–240V, 5A, 47–63 Hz power supply, which includes the following external components:
- AC power socket. Attach the power cord to this socket. (The wireless controller does not have a separate on/off power switch.)
- Handle. The handle allows for easy removal and insertion.
- LED. The LED is lit green when the power supply functions correctly. If the LED is off, power is not supplied to the power supply, or a problem has occurred.
Fans. Two double fans, each of which can be easily exchanged.

Bottom Panel with Product Label

The product label on the bottom of the wireless controller’s enclosure displays the default IP address, default user name, and default password, as well as regulatory compliance, input power, and other information.
Figure 4. Product label
Text on the product label:
- This device complies with part 15 of the FCC Rules and Canada CAN ICES-3 (A)/NMB-3(A). Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
- DEFAULT ACCESS: http://192.168.0.250, user name: admin, password: password
- Input Rating: AC 100-240V, 47-63Hz, 5A max.
- NETGEAR, INC. Made in China
- Fields for the MAC (LAN) address and the SERIAL number

WC7600 Wireless Controller System Components

A WC7600 wireless controller system consists of one or more wireless controllers and a collection of access points that are organized into groups based on location or network access.
The wireless controller system can include a single wireless controller or a group of up to three stacked wireless controllers. Redundancy is also supported.
The WC7600 wireless controller system supports the following NETGEAR ProSAFE access point models:
WNAP210v2 ProSAFE Wireless-N Access Point
WNAP320 ProSAFE Wireless-N Access Point
WNDAP350 ProSAFE Dual Band Wireless-N Access Point
WNDAP360 ProSAFE Dual Band Wireless-N Access Point
WNDAP380R ProSAFE Dual Band Wireless-N Access Point with RFID support
WNDAP620 Premium 3x3 Dual Band Wireless-N Access Point
WNDAP660 Premium 3x3 Dual Band Concurrent Wireless-N Access Point
WN370 ProSAFE Wall Mount Wireless N Access Point

NETGEAR ProSAFE Access Points

You can connect access points to the wireless controller either directly with an Ethernet cable through a router or switch, or remotely through an IP network. After you have used the automatic discovery process and added access points to the managed access point list on the wireless controller, the wireless controller converts the standard access points to dependent access points by pushing firmware to the access points. From then on, you can centrally manage and monitor the access points.
The following table lists the minimum firmware versions that must run on the standalone access points before you convert them to managed access points:
Table 2. Minimum firmware versions

| Access Point Model | Minimum Firmware Version on Standalone Access Point |
|---|---|
| WNAP210v2 | All firmware versions are supported |
| WNAP320 | 2.1.1 or a newer version |
| WNDAP350 | 2.1.7 or a newer version |
| WNDAP360 | 2.1.6 or a newer version |
| WNDAP380R | All firmware versions are supported |
| WNAP620 | 2.0.4 or a newer version |
| WNDAP660 | 2.0.2 or a newer version |
| WN370 | All firmware versions are supported |
A WC7600 wireless controller system can support the following access points:
WNAP210v2 ProSAFE Wireless-N Access Point
- Supports 802.11b, 802.11g, and 802.11n network devices.
- Supports Power over Ethernet (PoE) with a power consumption of up to 5.8W.
For product documentation and firmware, visit
http://support.netgear.com/product/WNAP210.
Note: The WNAP210v1 cannot function in a WC7600 wireless controller
system, but the WNAP210v2 can.
WNAP320 ProSAFE Wireless-N Access Point
- Supports 802.11b, 802.11g, and 802.11n network devices.
- Supports Power over Ethernet (PoE) with a power consumption of up to 5.8W.
- Accepts optional antennas.
For product documentation and firmware, visit
http://support.netgear.com/product/WNAP320.
WNDAP350 ProSAFE Dual Band Wireless-N Access Point
- Supports 802.11a, 802.11b, 802.11g, and 802.11n network devices.
- Supports Power over Ethernet (PoE) with a power consumption of up to 10.75W.
- Operates concurrently in the 2.4 GHz and 5 GHz radio bands.
- Accepts optional antennas.
For product documentation and firmware, visit
http://support.netgear.com/product/WNDAP350.
WNDAP360 ProSAFE Dual Band Wireless-N Access Point
- Supports 802.11a, 802.11b, 802.11g, and 802.11n network devices.
- Supports Power over Ethernet (PoE) with a power consumption of up to 10.51W.
- Operates concurrently in the 2.4 GHz and 5 GHz radio bands.
- Accepts optional antennas.
For product documentation and firmware, visit
http://support.netgear.com/product/WNDAP360.
WNDAP380R ProSAFE Dual Band Wireless-N Access Point with RFID support
- Supports 802.11a, 802.11b, 802.11g, and 802.11n network devices.
- Supports Power over Ethernet (PoE) with a power consumption of up to 10.51W.
- Operates concurrently in the 2.4 GHz and 5 GHz radio bands.
- Accepts an RFID module for support of RFID devices and tags.
For product documentation and firmware, visit
http://support.netgear.com/product/WNDAP380R.
WNAP620 ProSAFE Premium 3x3 Dual Band Wireless-N Access Point
- Supports concurrently 802.11a, 802.11b, 802.11g, and 802.11n network devices.
- Supports 3x3 multiple input, multiple output (MIMO).
- Supports speeds of up to 450 Mbps for 802.11n network devices.
- Supports Power over Ethernet (PoE) with a power consumption that complies with the
802.3af standard.
- Operates in either the 2.4 GHz or 5 GHz radio band.
- Accepts optional antennas.
For product documentation and firmware, visit
http://support.netgear.com/product/WNDAP620.
WNDAP660 ProSAFE Premium 3x3 Dual Band Concurrent Wireless-N Access Point
- Supports 802.11a, 802.11b, 802.11g, and 802.11n network devices.
- Supports 3x3 multiple input, multiple output (MIMO).
- Supports speeds of up to 450 Mbps for 802.11n network devices.
- Supports Power over Ethernet (PoE) with a power consumption that complies with the
802.3at standard.
Note: If your network does not include a PoE device that can provide the
WNDAP660 access point with PoE power according to the 802.3at standard, you can instead use two ports of a PoE device that complies with the 802.3af standard. (The WNDAP660 access point has two Ethernet ports that accept PoE.)
- Operates concurrently in the 2.4 GHz and 5 GHz radio bands.
- Accepts optional antennas.
For product documentation and firmware, visit
http://support.netgear.com/product/WNDAP660.
WN370 ProSAFE Wall Mounted Wireless-N Access Point
- Supports concurrently 802.11b, 802.11g, and 802.11n network devices.
- Supports speeds of up to 300 Mbps for 802.11n network devices.
- Supports Power over Ethernet (PoE) with a power consumption that complies with the
802.3af standard.
- Operates in the 2.4 GHz radio band.
For product documentation and firmware, visit
http://support.netgear.com/product/WN370.

What Can You Do with the WC7600 Wireless Controller?

You can perform the following tasks with a WC7600 wireless controller:
Organize the Network
- Create access point profiles. Organize access points in profiles to differentiate
between SSIDs, client authentication, authentication settings, and wireless QoS
settings.
- Create access point profile groups. Organize access point profiles in access point
profile groups to differentiate between buildings, floors, businesses, business divisions, and so on. Easily assign access points to profile groups or change assignments.
For more information, see Chapter 6, Manage Security Profiles and Profile Groups.
Discover Access Points in the Network and Provision IP Addresses and Firmware
- Discover access points in the network. The access points can be in factory default
state or functioning in standalone mode, but after discovery by the wireless controller and addition to the managed access point list, the access points become dependent (managed) access points.
- Provision IP addresses to the access points. Use the internal DHCP server to
provision IP addresses to all or selected managed access points in the network.
- Upgrade access point firmware. Update and synchronize new firmware versions to
all managed access points in the network.
For more information, see Chapter 7, Discover and Manage Access Points.
Centrally Manage Security in the Network
- Manage secure access to the network and secure data transmission. Manage
client authentication, encryption, wireless client security separation, and MAC authentication in access point profiles.
- Manage authentication servers for the network. Manage all internal and external
authentication servers for the entire network or for access point profile groups.
- Manage MAC authentication. Specify trusted and untrusted MAC addresses for the
entire network.
- Manage rogue access points. Manage rogue access points and their associated
clients in the network.
- Manage guest access. Manage guest access and captive portal access to the
network.
For more information, see Chapter 8, Manage Rogue Access Points, Guest Network
Access, and Users.
Centrally Manage the Wireless Settings for the Network
- Schedule the radios. Schedule the entire network to go offline, or schedule access
point profile groups to go offline.
- Manage wireless settings and channel allocation. Manage the wireless settings
such as wireless mode, data rate, and channel width for the entire network or for access point profile groups, and manage channel allocation for the entire network.
- Manage QoS settings. Manage QoS queue settings for data, background, video,
and voice traffic for access point profile groups.
- Configure RF management settings. Configure WLAN healing and wireless
coverage hole detection for the entire network or for access point profile groups.
For more information, see Chapter 9, Configure Wireless and QoS Settings.
Manage Other Wireless Controllers in the Network
- Manage stacking. Specify the master and slave wireless controllers in a stack and
synchronize information between the wireless controllers.
For more information, see Chapter 11, Manage Stacking and Redundancy.
Monitor the Network and Its Components
- Monitor the status of all wireless devices. View the status of the wireless
controllers, access points, clients, access point profiles, and the entire network, and view network usage statistics.
- Monitor network health. See which access points are healthy and which ones are
down or compromised.
For more information, see Chapter 12, Monitor the Wireless Network and Its
Components.

Licenses

By default, the wireless controller comes with a trial license for five access points. You must purchase and register licenses for the access points in your network. Licenses are tied to the serial number of the wireless controller.
You can purchase a single 50–access point license or licenses in 10– or 50–access point increments for support of up to 150 access points on a single wireless controller:
10–AP license. WC10APL
50–AP license. WC50APL
If you have three wireless controllers in a stack and want to support the maximum number of 150 access points in a stacked configuration, you must purchase three WC50APL licenses (or a combination of other licenses that add up to a total of 150 access points).
For more information, see the datasheet that you can download from
http://support.netgear.com/product/WC7600.
For information about how to register and manage your licenses, see Register Your Licenses on page 70 and Manage Licenses on page 219.

Maintenance and Support

NETGEAR offers technical support seven days a week, 24 hours a day. Information about support is available on the NETGEAR ProSupport website at
http://kb.netgear.com/app/answers/detail/a_id/212.
2. System Planning and Deployment Scenarios
This chapter includes the following sections:
Basic and Advanced Setting Concepts
Profile Group Concepts
System Planning Concepts
High-Level Configuration Examples
Management VLAN and Data VLAN Strategies
High-Level Deployment Scenarios

Basic and Advanced Setting Concepts

You can deploy the wireless controller in a small wireless network with 10 access points or in a large wireless network with up to 150 access points. Small networks require a basic configuration, but large networks can become complex and require you to configure the advanced features of the wireless controller.
Depending on your network configuration, use basic settings or advanced settings to manage your access points:
Basic settings for a typical network. The basic settings work with most common network configurations. For example, all access points on the WLAN are for the same organization or business and therefore adhere to the same policies and use a few service set identifiers (SSIDs, or network names).
Advanced settings for access point profile groups. If you have a large wireless network, or if separate networks share a single WLAN, use the advanced settings to set up multiple access point profile groups with multiple security profiles (SSIDs with associated security settings). For example, a shopping mall might need several access point profile groups if several businesses share a WLAN but each business has its own network. Larger networks could require multiple access point profile groups to allow different policies per building or department. The access points could have different security profiles per building and department, for example, one for guests, one for management, and one for sales.
Note: Access point profile groups are also referred to as just profile groups. Profiles, security profiles, and SSIDs (that is, SSIDs with associated security settings) are terms that are interchangeable.
To accommodate all types of networks, almost all configuration menus of the web management interface are divided into basic and advanced submenus. The following figure shows an example of the Configuration > Security > Basic submenu on the left and the Configuration > Security > Advanced submenu on the right:
Figure 5. Basic and advanced submenus
Before you start the configuration of your wireless controller, decide whether you can use a basic configuration (that is, follow the Basic submenus) or need to use an advanced configuration (that is, follow the Advanced submenus). Once you have made your choice, configuring the wireless controller should be fairly easy if you consistently follow either the Basic submenus or the Advanced submenus.

Profile Group Concepts

Each access point can support up to eight security profiles (16 for dual-band access points), each with its own SSID, security settings, MAC ACL, rate-limiting settings, WMM, and so on.
The wireless controller follows the same architecture. A profile group on the wireless controller includes all the features that you can configure for an individual access point: up to eight profiles (16 for dual-band access points), each of which has its own SSID, security, MAC ACL, rate-limiting settings, WMM settings, and so on.

Basic Profile

The basic profile includes all the settings that are required to configure a fully functional access point with up to eight security profiles (16 for dual-band access points).
After you have used the automatic discovery process and added access points to the managed AP list on the wireless controller, the access points are assigned by default to the basic profile group.
If your network requires the wireless controller to manage multiple access points with different configurations, use the advanced profile.

Advanced Profile

The advanced profile lets you configure up to eight access point profile groups. Each group includes all the settings that are required to configure a fully functional access point with up to eight security profiles (16 for dual-band access points).
For example, if your company has four buildings, each with a different wireless network, you simply create four profile groups. You then assign all access points in one building to one profile group, all access points in another building to a second profile group, and so on.
For each profile group, you can create an individual radio on/off schedule, RF management settings, MAC ACL authentication, and an authentication server. For each radio in a profile group (2.4 GHz radio and 5 GHz radio), you can create individual wireless settings, WMM, and rate-limit settings.
The following figure shows the advanced profile group architecture. The structure that is shown under Group-1 is implemented in all profile groups (that is, Group-2 through Group-8):
Figure 6. Advanced profile group architecture (Group-1 through Group-8; Group-1 is expanded into a 2.4 GHz radio and a 5 GHz radio, each with security profiles 1 through 8)
The following figure shows an example of three access point profile groups, in which the first profile group (Group-1) has five security profiles. For each profile in this profile group, the profile name, radio mode, and authentication setting are shown. (Group-1 is the default group in the advanced profile group configuration; you must create the other profile groups.)
Figure 7. Example of profile groups with security profiles

System Planning Concepts

This section includes the following subsections:
Preinstallation Planning
Before You Configure a Wireless Controller

Preinstallation Planning

Before you install any wireless controllers, determine the following:
Number of access points required to provide seamless coverage
Number of licenses required to cover all access points that must be managed
Number of wireless controllers required
802.11 frequency band and the channels that are optimal for WiFi usage
NETGEAR recommends that you perform a site survey:
To determine the current RF behavior and detect both 802.11 and non-802.11 noise, run a spectrum analysis of the channels of the site.
To determine the maximum throughput that is achievable on the client, run an access point-to-client connectivity test.
Identify potential RF obstructions and interference sources.
Determine areas where denser coverage might be required because of heavier usage.

Before You Configure a Wireless Controller

These sections assume that you have deployed at least one wireless controller in your network and are ready to configure the wireless controller. For information about how to deploy the wireless controller in your network, see the ProSAFE Wireless Controller WC7600 Installation Guide that you can download from
http://support.netgear.com/product/WC7600.
For many configurations, you can use the default wireless settings. The IP address, VLAN, DHCP server, client authentication, and data encryption settings are specific to your environment. Following are short sections that describe these settings (except for IP address settings, which are self-explanatory). For information about how to configure these settings, see the relevant sections.
Management VLAN
The management VLAN is the dedicated VLAN for access to the wireless controller. All traffic that is directed to the wireless controller, including HTTP, HTTPS, SNMP, and SSH traffic, is carried over the management VLAN.
If the management VLAN is also configured as a tagged VLAN (the most common configuration), the packets to and from the wireless controller carry the 802.1Q VLAN header with the assigned VLAN number. If the management VLAN is marked as untagged, the packets that are sent from the wireless controller do not carry the 802.1Q header, and all untagged packets that are sent to the wireless controller are treated as management VLAN traffic.
Note: Use a tagged VLAN or change the tagged VLAN ID only if the hubs
and switches on your LAN support 802.1Q. If they do not, and you have not configured a tagged VLAN with the same VLAN ID on the hubs and switches in your network, IP connectivity might be lost.
The wireless controller must have IP connectivity with the access points through the management VLAN. If the wireless controller and the access points are on different management VLANs, external VLAN routing must allow IP connectivity between the wireless controller and the access points.
For information about how to configure management VLANs, see Manage the IP, VLAN, and
Link Aggregation Settings on page 62.
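The tagged and untagged management VLAN rules described above can be checked against captured frames. The following Python sketch is an added example, not code from NETGEAR or from the wireless controller: it parses the 802.1Q header of constructed Ethernet frames and applies the two rules. The function names, MAC addresses, and VLAN IDs are assumptions, and treating a tagged frame as non-management traffic when the management VLAN is untagged is also an assumption, because the manual does not describe that case.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(vid=None, payload=b"\x00" * 46):
    """Build a constructed Ethernet II frame, 802.1Q-tagged when vid is given."""
    dst = bytes.fromhex("020000000001")  # constructed, locally administered MACs
    src = bytes.fromhex("020000000002")
    header = dst + src
    if vid is not None:
        if not 0 <= vid <= 4095:
            raise ValueError("the VLAN ID is a 12-bit field")
        # Tag = TPID followed by the TCI; priority and DEI bits are left at 0.
        header += struct.pack("!HH", TPID_8021Q, vid)
    return header + struct.pack("!H", 0x0800) + payload  # 0x0800 = IPv4


def vlan_id(frame):
    """Return the 802.1Q VLAN ID of a frame, or None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # the low 12 bits of the TCI carry the VLAN ID


def is_management_traffic(frame, mgmt_vid, mgmt_tagged):
    """Apply the manual's two rules to one frame sent to the controller.

    Tagged management VLAN: the frame must carry the assigned VLAN number.
    Untagged management VLAN: every untagged frame is management traffic.
    Assumption: a tagged frame is not management traffic in untagged mode.
    """
    vid = vlan_id(frame)
    if mgmt_tagged:
        return vid == mgmt_vid
    return vid is None


def management_frames(frames, mgmt_vid, mgmt_tagged):
    """Return the indexes of the frames that land in the management VLAN."""
    return [i for i, f in enumerate(frames)
            if is_management_traffic(f, mgmt_vid, mgmt_tagged)]


# Constructed sample: one untagged frame, one tagged VLAN 10, one tagged VLAN 20.
SAMPLE_FRAMES = [build_frame(), build_frame(10), build_frame(20)]

if __name__ == "__main__":
    print("tagged mgmt VLAN 10:", management_frames(SAMPLE_FRAMES, 10, True))
    print("untagged mgmt VLAN 1:", management_frames(SAMPLE_FRAMES, 1, False))
```

With the default untagged VLAN 1, every untagged frame that reaches the controller port is management traffic, which is why the switch port configuration decides who can reach the HTTP, HTTPS, SNMP, and SSH services.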
Client VLANs
Each authenticated wireless user is placed into a VLAN that determines the user’s DHCP server, IP address, and Layer 2 connection. Although you could place all authenticated wireless users into the single VLAN that is specified in the basic security profile, the wireless controller allows you to group wireless users into separate VLANs based on the wireless SSID to differentiate access to network resources. For example, you might place authorized employee users into one VLAN, and itinerant users, such as contractors or guests, into a separate VLAN. To use different VLANs, you must create different security profiles.
For information about how to configure regular VLANs, see Manage the IP, VLAN, and Link
Aggregation Settings on page 62.
DHCP Server
The wireless controller can function as a DHCP server and assign IP addresses to both wireless and wired devices that are connected to it. You can add up to 64 DHCP server pools, each assigned to a different VLAN.
DHCP option 43 (vendor-specific information) must be enabled on an external DHCP server. Specifying an internal DHCP server on the wireless controller automatically enables DHCP option 43 with the IP address of the wireless controller.
Client Authentication and Data Encryption
A user must authenticate to the WLAN to be able to access WLAN resources. The wireless
controller supports several types of security methods, including those methods that require an external RADIUS or LDAP authentication server.
The encryption option that you can select depends upon the authentication method that you have selected. The following table lists the authentication methods available, with their corresponding encryption options:
Table 3. Authentication and encryption options

| Authentication Method | Encryption Option | Authentication Server |
|---|---|---|
| Open System | 64-bit, 128-bit, or 152-bit WEP | None |
| Shared Key | 64-bit, 128-bit, or 152-bit WEP | None |
| WPA-PSK | TKIP or TKIP+AES | None |
| WPA2-PSK | AES or TKIP+AES | None |
| WPA-PSK and WPA2-PSK | TKIP+AES | None |
| WPA | TKIP or TKIP+AES | One of the following authentication servers: External RADIUS server, Internal authentication server, External LDAP server |
| WPA2 | AES or TKIP+AES | One of the following authentication servers: External RADIUS server, Internal authentication server, External LDAP server |
| WPA and WPA2 | TKIP+AES | One of the following authentication servers: External RADIUS server, Internal authentication server, External LDAP server |
For information about how to configure client authentication, data encryption, and authentication servers, see Chapter 6, Manage Security Profiles and Profile Groups.
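When planning security profiles, the combinations in Table 3 can be encoded and checked before anything is entered in the web management interface. The following Python sketch is an added example, not NETGEAR code: the profile names and the dictionary layout are assumptions, and the legacy-cipher flag is an editor's addition based on the deprecation of WEP and TKIP in the IEEE 802.11 standard, not on anything in Table 3.

```python
WEP = frozenset({"64-bit WEP", "128-bit WEP", "152-bit WEP"})
AUTH_SERVERS = frozenset({
    "External RADIUS server",
    "Internal authentication server",
    "External LDAP server",
})

# Table 3: method -> (encryption options offered, authentication server needed)
TABLE_3 = {
    "Open System": (WEP, False),
    "Shared Key": (WEP, False),
    "WPA-PSK": (frozenset({"TKIP", "TKIP+AES"}), False),
    "WPA2-PSK": (frozenset({"AES", "TKIP+AES"}), False),
    "WPA-PSK and WPA2-PSK": (frozenset({"TKIP+AES"}), False),
    "WPA": (frozenset({"TKIP", "TKIP+AES"}), True),
    "WPA2": (frozenset({"AES", "TKIP+AES"}), True),
    "WPA and WPA2": (frozenset({"TKIP+AES"}), True),
}


def check_profile(profile):
    """Return the list of Table 3 violations for one planned security profile."""
    method = profile.get("auth")
    if method not in TABLE_3:
        return ["unknown-method"]
    offered, needs_server = TABLE_3[method]
    findings = []
    if profile.get("encryption") not in offered:
        findings.append("encryption-not-offered")
    server = profile.get("server")
    if needs_server and server not in AUTH_SERVERS:
        findings.append("server-required")
    if not needs_server and server is not None:
        findings.append("server-not-used")
    return findings


def uses_legacy_cipher(encryption):
    """Editor's addition, not part of Table 3: WEP and TKIP are deprecated."""
    return encryption in WEP or "TKIP" in encryption


def audit(profiles):
    """Map each profile name to its Table 3 findings (empty list = valid)."""
    return {p["name"]: check_profile(p) for p in profiles}


def legacy_profiles(profiles):
    """Names of profiles whose encryption option still allows WEP or TKIP."""
    return [p["name"] for p in profiles if uses_legacy_cipher(p["encryption"])]


# Constructed planning sheet; the names and choices are hypothetical.
PLANNED = [
    {"name": "corp", "auth": "WPA2", "encryption": "AES",
     "server": "External RADIUS server"},
    {"name": "guest", "auth": "WPA2-PSK", "encryption": "TKIP", "server": None},
    {"name": "scanners", "auth": "Open System", "encryption": "128-bit WEP",
     "server": None},
    {"name": "lab", "auth": "WPA", "encryption": "TKIP+AES", "server": None},
]

if __name__ == "__main__":
    for name, findings in audit(PLANNED).items():
        print(name, findings or "ok")
    print("legacy ciphers:", legacy_profiles(PLANNED))
```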

High-Level Configuration Examples

This section includes the following subsections:
Single Controller Configuration with Basic Profile Group
Single Controller Configuration with Advanced Profile Groups
Stacked Controller Configuration

Single Controller Configuration with Basic Profile Group

A basic configuration consists of a single wireless controller that controls a collection of
access points that are organized into the basic default group.
To set up a single wireless controller system with a basic profile group:
1. Configure the system and network settings of the wireless controller:
   1. Configure the country code of operation.
   2. Configure the time settings.
   3. Configure the IP address of the wireless controller.
   4. Verify that VLAN 1 is set as the management VLAN and is marked as untagged. By default, VLAN 1 is an untagged management VLAN.
   5. DHCP option 43 (vendor-specific information) must be enabled on an external DHCP server. If no network DHCP server is accessible to the access points, configure the wireless controller’s DHCP server. Specifying an internal DHCP server on the wireless controller automatically enables DHCP option 43 with the IP address of the wireless controller.
   Web management interface paths: Configuration > System > General, Configuration > System > Time, Configuration > System > IP/VLAN, Configuration > System > DHCP Server
2. Configure up to eight profiles, and for each profile, do at least the following:
   1. Configure an SSID for wireless access.
   2. Configure the network authentication and data encryption.
   3. Assign the VLAN.
   4. If necessary for the selected network authentication option, configure the authentication server.
   Web management interface paths: Configuration > Profile > Basic, Configuration > Security > Basic > Authentication Server
3. Run the Discovery Wizard and add the access points to the managed access point list.
   Web management interface path: Access Point > Discovery Wizard

Single Controller Configuration with Advanced Profile Groups

A more complex configuration consists of a single wireless controller that controls a collection of access points that are organized in access point profile groups and might use several profiles in each access point profile group.
To set up a single wireless controller system with advanced profile groups:
1. Configure the system and network settings of the wireless controller:
   1. Configure the country code of operation.
   2. Configure the time settings.
   3. Configure the IP address of the wireless controller.
   4. Verify that VLAN 1 is set as the management VLAN and is marked as untagged. By default, VLAN 1 is an untagged management VLAN.
   5. DHCP option 43 (vendor-specific information) must be enabled on an external DHCP server. If no network DHCP server is accessible to the access points, configure the wireless controller’s DHCP server. Specifying an internal DHCP server on the wireless controller automatically enables DHCP option 43 with the IP address of the wireless controller.
   Web management interface paths: Configuration > System > General, Configuration > System > Time, Configuration > System > IP/VLAN, Configuration > System > DHCP Server
2. Configure up to eight access point profile groups, and for each access point profile in a group, do at least the following:
   1. Configure an SSID for wireless access.
   2. Configure the network authentication and data encryption.
   3. Assign the VLAN.
   4. If necessary for the selected network authentication option, configure the authentication server.
   Web management interface paths: Configuration > Profile > Advanced, Configuration > Security > Advanced > Authentication Server
3. Run the Discovery Wizard and add the access points to the managed access point list.
   Web management interface path: Access Point > Discovery Wizard
4. Assign the access points to the access point profile groups (also referred to as WLAN groups).
   Web management interface path: Configuration > WLAN Network

Stacked Controller Configuration

A stacked controller configuration can consist of up to three wireless controllers and up to 150 access points.
Note: If the stack members are on different floors or in different buildings, you could configure a separate access point profile group for each building or floor.
To set up a stacked controller configuration:
1. On each individual wireless controller that you intend to make a stack member, configure the system and network settings of the wireless controller:
   1. Configure the country code of operation.
   2. Configure the time settings.
   3. Configure the IP address of the wireless controller.
   4. Verify that VLAN 1 is set as the management VLAN and is marked as untagged. By default, VLAN 1 is an untagged management VLAN.
   5. DHCP option 43 (vendor-specific information) must be enabled on an external DHCP server. If no network DHCP server is accessible to the access points, configure the wireless controller’s DHCP server. Specifying an internal DHCP server on the wireless controller automatically enables DHCP option 43 with the IP address of the wireless controller.
   Web management interface paths: Configuration > System > General; Configuration > System > Time; Configuration > System > IP/VLAN; Configuration > System > DHCP Server
2. Configure the master wireless controller and deploy it in the network. Configure up to eight access point profile groups, and for each access point profile in a group, do at least the following:
   1. Configure an SSID for wireless access.
   2. Configure the network authentication and data encryption.
   3. Assign the VLAN.
   4. If necessary for the selected network authentication option, configure the authentication server.
   Web management interface paths: Configuration > Profile > Advanced; Configuration > Security > Advanced > Authentication Server
3. Configure the slave wireless controllers and deploy them in the network. For each slave wireless controller, configure up to eight access point profile groups, and for each access point profile in a group, do at least the following:
   1. Configure an SSID for wireless access.
   2. Configure the network authentication and data encryption.
   3. Assign the VLAN.
   4. If necessary for the selected network authentication option, configure the authentication server.
   Web management interface paths: Configuration > Profile > Advanced; Configuration > Security > Advanced > Authentication Server
4. Interconnect the wireless controllers that you intend to make members of the stack. The connection must be a wired connection but does not need to be a direct connection; that is, a switch or router can be located between the wireless controllers that are part of a stack.
5. Configure the stacking group on the wireless controller that you intend as the master controller.
   Web management interface path: Stacking > Stacking
6. Synchronize all wireless controllers that are members of the stack.

Management VLAN and Data VLAN Strategies

If your network includes ten or more access points, NETGEAR recommends that you set up at least two VLAN groups: a management VLAN group and a data VLAN group. If your network is large, you should create a number of data VLAN groups. Setting up data VLANs for clients allows you to:
• Segregate traffic by user category
• Create different policies such as access policies that are based on user category
The following illustration shows a simplified view of how you can use VLANs to segregate traffic by user category:
Figure 8. Example: Use VLANs to segregate traffic by user categories (the diagram distinguishes Management VLAN 100, Finance VLAN 10, and Employee VLAN 20 Ethernet traffic)
The wireless controller uses the management VLAN to continually exchange packets with the access points. For large networks, if all traffic uses a single VLAN, the client traffic could potentially flood the network. If flooding occurs and the wireless controller is not able to exchange packets with the access points, the network performance can slow down, and the access points can lose their connectivity with the wireless controller.
If you use the internal DHCP server of the wireless controller, you should deploy the wireless controller on a trunk port on your switch.
The trunk port should have access to all VLANs. To accommodate the traffic load of the trunk, use a high-speed port on your switch as the trunk port. If you use an external DHCP server, you do not need to deploy the wireless controller on a trunk port on your switch.

High-Level Deployment Scenarios

This section provides three deployment scenarios to illustrate how the wireless controller can function in various network configurations:
• Scenario Example 1: Network with Single VLAN
• Scenario Example 2: Advanced Network with VLANs and SSIDs
• Scenario Example 3: Advanced Network

Scenario Example 1: Network with Single VLAN

The following sample scenario consists of a simple network with a wireless controller, PoE switch, Layer 3 switch or router, and access points:
Figure 9. Example: Basic network with a single VLAN (the diagram distinguishes management VLAN Ethernet traffic from all client Ethernet traffic)
The access points and wireless controller are connected in the same subnet and use the same IP address range that is assigned for that subnet. The configuration does not include any routers between the access points and the wireless controller. The access points are connected to a PoE switch, which, in turn, is connected to the wireless controller. The uplink of the PoE switch connects to a Layer 3 switch or router that provides Internet access.
To provision the wireless controller:
1. Configure the system and network settings of the wireless controller:
   1. Configure the country code of operation.
   2. Configure the time settings.
   3. Configure the IP address of the wireless controller.
   4. Verify that VLAN 1 is set as the management VLAN and is marked as untagged. By default, VLAN 1 is an untagged management VLAN.
   5. DHCP option 43 (vendor-specific information) must be enabled on an external DHCP server. If no network DHCP server is accessible to the access points, configure the wireless controller’s DHCP server. Specifying an internal DHCP server on the wireless controller automatically enables DHCP option 43 with the IP address of the wireless controller.
   Web management interface paths: Configuration > System > General; Configuration > System > Time; Configuration > System > IP/VLAN; Configuration > System > DHCP Server
2. Configure up to eight profiles, and for each profile, do at least the following:
   1. Configure an SSID for wireless access.
   2. Configure the network authentication and data encryption.
   3. Assign the VLAN.
   4. If necessary for the selected network authentication option, configure the authentication server.
   Web management interface paths: Configuration > Profile > Basic; Configuration > Security > Basic > Authentication Server
3. Use any port of the wireless controller to connect the wireless PoE switch.
4. Deploy the access points and connect them to the same wireless PoE switch.
5. When the access points are operating, open the Discovery Wizard to do the following:
   1. Specify the state of the access points. The state can be either factory default in a Layer 2 network or already installed and functioning in standalone mode.
   2. Run the Discovery Wizard.
   3. Select the access points that you want the wireless controller to manage and add them to the managed list.
   Note: By default, all access points are added to the basic group and all settings from the basic group (profile definition, client authentication, authentication settings, and wireless QoS) are applied to the access points.
   Web management interface path: Access Point > Discovery Wizard

Scenario Example 2: Advanced Network with VLANs and SSIDs

The following sample scenario consists of an advanced network with a wireless controller, PoE switch, Layer 3 switch or router, access points, and several VLANs and SSIDs. The wireless controller system includes the following VLANs:
• VLAN 1, the default untagged VLAN to access the wireless controller
• VLAN 10, a tagged client VLAN
• VLAN 20, another tagged client VLAN
• VLAN 100, a tagged management VLAN
Figure 10. Example: Advanced network with VLANs and SSIDs (the diagram shows SSID 1 on client VLAN 10 and SSID 2 on client VLAN 20 on the WNDAP360 access points, and distinguishes Management VLAN 100, Client VLAN 10, and Client VLAN 20 Ethernet traffic)
The access points and wireless controller are connected in the same subnet and same VLAN and use the same IP address range that is assigned for that subnet. The configuration does not include any routers between the access points and the wireless controller. The access points are connected to a PoE switch, which, in turn, is connected to the Layer 3 switch or router that provides Internet access.
This network configuration has the following prerequisites:
• VLANs 10, 20, and 100 are tagged VLANs and are configured on the wireless controller and the PoE switch.
• The wireless controller is connected to the PoE switch through default VLAN 1. You manage the wireless controller from a computer over VLAN 1 through the PoE switch.
• The DHCP server on the wireless controller is configured in management VLAN 100 to enable the access points to receive an IP address through VLAN 100.
• The PoE switch port to which the wireless controller is connected is configured as a tagged port to allow tagged traffic from VLAN 100.
To provision the wireless controller:
1. Configure the basic system settings:
   1. Configure the country code of operation.
   2. Configure the time settings.
   3. Configure the IP address of the wireless controller.
   4. For initial discovery and configuration of the access points, temporarily configure management VLAN 100 as an untagged management VLAN on the wireless controller.
   5. Change default VLAN 1 to a tagged VLAN.
   Web management interface paths: Configuration > System > General; Configuration > System > Time; Configuration > System > IP/VLAN
2. For initial discovery and configuration of the access points, temporarily configure management VLAN 100 as an untagged management VLAN on the PoE switch.
3. Configure either the network’s DHCP server or the wireless controller’s DHCP server to use VLAN 100. If you use the wireless controller’s DHCP server:
   1. Configure the IP address range for VLAN 100.
   2. Configure the other DHCP server fields, including the gateway and DNS servers.
   Web management interface path: Configuration > System > DHCP Server
4. Configure the following profiles, and configure network authentication and data encryption for these profiles:
   1. A profile with SSID 1 and VLAN 10.
   2. A profile with SSID 2 and VLAN 20.
   3. If necessary for the selected network authentication options, configure one or more authentication servers.
   Web management interface paths: Configuration > Profile > Basic; Configuration > Security > Basic > Authentication Server
5. Connect the wireless controller to the PoE switch.
6. Before you connect the access points to the PoE switch, verify that the switch ports to which you intend to connect the access points are configured as access ports in management VLAN 100.
7. Deploy the access points and connect them to the designated PoE switch ports.
8. When the access points are operating, open the Discovery Wizard to do the following:
   1. Specify the state of the access points, which is factory default in a Layer 2 network.
   2. Run the Discovery Wizard.
   3. Select the access points that you want the wireless controller to manage and add them to the managed list.
   Note: By adding the access points to the managed list, you enable them to receive an IP address from the DHCP server over management VLAN 100.
   Web management interface path: Access Point > Discovery Wizard
9. For each access point on the managed list, disable the untagged VLAN and configure VLAN 100 as the management VLAN. Doing so causes the access points to lose connectivity with the wireless controller.
10. Restore connectivity between the access points and the wireless controller by changing the PoE switch ports to which the access points are connected to tagged ports. During the discovery process, these switch ports were access ports in management VLAN 100.

Scenario Example 3: Advanced Network

The following sample scenario consists of an advanced network with one wireless controller, one redundant wireless controller, one core switch, two PoE switches in different buildings, access points, and several VLANs and SSIDs. These are the components in the wireless controller system:
• One wireless controller
• 50 access points (managed by the wireless controller through management VLAN 1)
• One redundant wireless controller
• Four VLANs: VLAN 10, VLAN 20, VLAN 30, and VLAN 40
• Three SSIDs: SSID 1, SSID 2, and SSID 3
In this scenario, the VLANs and SSIDs are used to accommodate traffic for different user groups in a school that is spread out over two buildings.
• Building 1:
- SSID 1 in VLAN 10 for staff traffic
- SSID 2 in VLAN 20 for middle school students
- SSID 3 in VLAN 30 for guests
• Building 2:
- SSID 1 in VLAN 10 for staff traffic
- SSID 2 in VLAN 40 for high school students
- SSID 3 in VLAN 30 for guests
Figure 11. Example: Advanced network (the diagram shows the WC7600, the redundant WC7600, the core switch, and one PoE switch with WNDAP360 access points in each building, and distinguishes Staff VLAN 10, Middle school VLAN 20, High school VLAN 40, and Guest VLAN 30 Ethernet traffic)
The access points and wireless controllers are connected in the same subnet and same VLAN and use the same IP address range that is assigned for that subnet. The core switch is located between the wireless controllers and the PoE switches, to which the access points are connected. The core switch provides Internet access.
This network configuration has the following prerequisites:
• VLAN 1 is configured on the wireless controllers, core switch, and PoE switches. This VLAN is untagged.
• VLANs 10, 20, and 30 are configured on the wireless controllers, core switch, and the PoE switch in Building 1. These VLANs are tagged.
• VLANs 1, 10, 20, 30, and 40 are configured on the wireless controllers, core switch, and PoE switches. Except for VLAN 1, these VLANs are tagged.
To provision the wireless controller:
1. Configure the basic system settings:
   1. Configure the country code of operation.
   2. Configure the time settings.
   3. Configure the IP address of the wireless controller.
   4. Verify that VLAN 1 is set as the management VLAN and is marked as untagged. By default, VLAN 1 is an untagged management VLAN.
   Web management interface paths: Configuration > System > General; Configuration > System > Time; Configuration > System > IP/VLAN
2. Configure the following profiles, and configure network authentication and data encryption for these profiles:
   1. A profile with SSID 1 and VLAN 10.
   2. A profile with SSID 2 and VLAN 20.
   3. A profile with SSID 2 and VLAN 30.
   4. A profile with SSID 3 and VLAN 40.
   5. If necessary for the selected network authentication options, configure one or more authentication servers.
   Web management interface paths: Configuration > Profile > Basic; Configuration > Security > Basic > Authentication Server
3. Configure the following profile groups:
   1. A profile group with the name Building 1, to which you add the following profiles:
      - The profile with SSID 1 and VLAN 10
      - The profile with SSID 2 and VLAN 20
      - The profile with SSID 2 and VLAN 30
   2. A profile group with the name Building 2, to which you add the following profiles:
      - The profile with SSID 1 and VLAN 10
      - The profile with SSID 2 and VLAN 30
      - The profile with SSID 3 and VLAN 40
   Web management interface path: Configuration > Profile > Advanced
4. Deploy the access points and connect them to PoE switches.
5. When the access points are operating, open the Discovery Wizard to do the following:
   1. Specify the state of the access points, which is factory default in a Layer 2 network.
   2. Run the Discovery Wizard.
   3. Select and add the access points that you want to be managed by the wireless controller to the managed list.
   Note: By default, all access points are added to the basic group.
   Web management interface path: Access Point > Discovery Wizard
6. Assign the access points to the access point profile groups (also referred to as WLAN groups) Building 1 and Building 2.
   Web management interface path: Configuration > WLAN Network
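The following Python check is an added example (not part of the NETGEAR manual or the controller's software) that validates a segregated VLAN plan such as Scenario Example 3 before deployment: every client VLAN must reach the PoE switch serving the group, client SSIDs must stay off the management VLAN, and no unused VLAN should be carried to a building. The names Profile, SwitchUplink, check_plan, and scenario3_plan are hypothetical, and the per-building VLAN sets are constructed from the scenario's SSID list.

```python
from dataclasses import dataclass

MAX_PROFILE_GROUPS = 8  # "up to eight access point profile groups" per the manual


@dataclass(frozen=True)
class Profile:
    ssid: str
    vlan: int


@dataclass(frozen=True)
class SwitchUplink:
    """VLANs carried on the PoE switch ports that feed a group's access points."""
    untagged: int
    tagged: frozenset


def check_plan(mgmt_vlan, groups, uplinks):
    """Return a sorted list of findings; an empty list means the plan is consistent.

    groups  : {group name: [Profile, ...]}
    uplinks : {group name: SwitchUplink} for the switch serving that group
    """
    findings = []
    if len(groups) > MAX_PROFILE_GROUPS:
        findings.append(
            f"{len(groups)} profile groups exceed the limit of {MAX_PROFILE_GROUPS}")

    for name, profiles in groups.items():
        uplink = uplinks.get(name)
        if uplink is None:
            findings.append(f"{name}: no switch uplink defined")
            continue
        carried = uplink.tagged | {uplink.untagged}

        # The controller needs the management VLAN to reach the access points.
        if mgmt_vlan not in carried:
            findings.append(f"{name}: management VLAN {mgmt_vlan} not carried")

        ssid_vlan = {}
        for p in profiles:
            if p.vlan == mgmt_vlan:
                # Client traffic on the management VLAN defeats the segregation.
                findings.append(
                    f"{name}: {p.ssid} puts clients on management VLAN {mgmt_vlan}")
            elif p.vlan not in carried:
                # The SSID's traffic has no path beyond the access point.
                findings.append(
                    f"{name}: {p.ssid} needs VLAN {p.vlan} carried to the switch")
            # One SSID mapped to two VLANs in the same group is ambiguous.
            if ssid_vlan.setdefault(p.ssid, p.vlan) != p.vlan:
                findings.append(
                    f"{name}: {p.ssid} mapped to VLANs {ssid_vlan[p.ssid]} and {p.vlan}")

        # Least privilege: a VLAN trunked to a building where no SSID uses it
        # is exposed on that building's switch for no reason.
        used = {p.vlan for p in profiles} | {mgmt_vlan}
        for vlan in sorted(carried - used):
            findings.append(f"{name}: VLAN {vlan} is carried but unused")
    return sorted(findings)


def scenario3_plan():
    """Constructed sample data modelled on the school in Scenario Example 3."""
    groups = {
        "Building 1": [Profile("SSID 1", 10), Profile("SSID 2", 20), Profile("SSID 3", 30)],
        "Building 2": [Profile("SSID 1", 10), Profile("SSID 2", 40), Profile("SSID 3", 30)],
    }
    uplinks = {
        "Building 1": SwitchUplink(untagged=1, tagged=frozenset({10, 20, 30})),
        "Building 2": SwitchUplink(untagged=1, tagged=frozenset({10, 30, 40})),
    }
    return 1, groups, uplinks  # VLAN 1 is the untagged management VLAN


if __name__ == "__main__":
    for finding in check_plan(*scenario3_plan()) or ["plan is consistent"]:
        print(finding)
```

The check targets the design with a separate management VLAN; the single-VLAN network of Scenario Example 1 intentionally places clients on the management VLAN and would be reported.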

3. RF Planning

This chapter includes the following sections:
• RF Planning Overview
• Define and Edit Buildings and Floors
• Specify Access Point Requirements
• View and Manage Heat Maps for Deployed Plans

RF Planning Overview

You can do the following with RF planning:
• Define WLAN coverage.
• Estimate the number of access points required based on signal quality and number of clients per access point.
• Optimize the placement of access points for the best coverage.
• Monitor WLAN coverage, rogue access points, and blacklisted clients for a plan that is in deployment.
• Identify weak signal spots and dead spots from the coverage hole and add additional access points to mitigate the situation.
RF planning provides a view of each floor, allowing you to specify how WiFi coverage should be provided. It then provides coverage maps and access point placement locations. Real-time calibration lets you visualize the indoor propagation of RF signals to identify areas with weak signal or dead spots and add additional access points in the right location to mitigate the weak signal or dead spots.

Planning Requirements

Collect the following information before using RF planning to expedite your planning efforts.
• Building dimensions.
• Number of floors.
• Distance between floors.
• Total number of users and number of users per access point.
• Radio type or types.
• Desired data rates for access points.
• Identify areas where you do not necessarily want coverage.
• Identify areas where you cannot deploy an access point.
Use a worksheet similar to the following to collect your information.
Table 4. Building planning worksheet
Building dimensions: Height | Width | Number of floors
User information: Number of users | Users per access point | Radio types
Access point desired signal rate: 802.11b/bg/ng | 802.11a/na
Don’t care/don’t deploy areas:

Define and Edit Buildings and Floors

This section explains how you can define your buildings and floors, and make modifications after you have defined them. You can add a maximum of three local buildings and three remote buildings, a total of six buildings.
To define a building:
1. Select Plans > Layout.
The Layout Buildings screen displays with the Local Building tab and associated screen in view. To define a remote building, click the Remote Building tab.
Figure 12.
2. The Buildings table shows the names of the previously defined buildings and their number of floors.
3. To add a building, click Add. The Add Building pop-up window displays.
4. Enter a name for your building in the Building Name field, and then click Add. The building is added to the Buildings table. The name is an alphanumeric string up to 64 characters in length.
5. To define the floors of the building, select the radio button that corresponds to the building, and then click Edit. The Layout Floors screen displays:
Figure 13.
6. Define the floors as explained in the following table:
Table 5. Building name and floors
Setting: Description
Building
  Building Name: You can modify the previously defined building name, which is an alphanumeric string up to 64 characters in length.
Floors
  Floor Names: The floor name is an alphanumeric string up to 64 characters in length.
  Floor Dimensions: Enter the floor length in meters in the Length field; enter the floor width in meters in the Width field. The default measurements for both are 40 meters.
  Existing Floor Map: If you have imported a floor map, a very small image of the floor map is shown. Click Preview to enlarge the map. (If you did not import a floor map, the Preview button is not displayed.)
  New Floor Map: If you have an existing floor map, import the map into the RF planning tool by clicking Browse and navigating to the location where you have stored the map. Follow the directions of your browser to import the map.
    Note: Background images need to be in JPEG format and cannot exceed 2048 x 2048 pixels in size. If you attempt to import a file with a larger pixel footprint, the image will not scale to fit the image area in the floor display area.
    Note: Images are scaled (stretched) to fit the display area. The display area aspect ratio is determined by the floor dimensions.
    Note: The internal flash memory of the wireless controller supports up to three floor maps. If you want to define additional floors, use external USB storage (see External Storage on page 206).
    Note: Because background images for your floors are embedded in the XML file that defines your building, minimize the file size of the JPEGs that you use for your backgrounds. You can minimize the file size by selecting maximum compression (lowest quality) in most graphics programs.
7. To add another floor, click the + tab next to the Floor-1 name, or whatever name you have given the first floor, and define the floors as explained in Table 5 on page 44. You can add up to six floors in one building but will need external USB storage if you add more than three floor maps.
8. Click Apply to save your settings.
9. Click Back to return to the Layout Buildings screen.
To edit a building:
1. Select the radio button in the Edit column that corresponds to the building that you want to edit.
2. Click Edit.
To delete a building:
1. Select the check box that corresponds to the building that you want to delete, or select the check box at the top row of the table to delete all buildings.
2. Click Delete.

Specify Access Point Requirements

After you have defined the buildings and floors, you need to specify the following RF requirements for each floor and each supported access point model (WNAP210v2, WNAP320, WNDAP350, and WNDAP360):
• Frequency band. The radio frequency to be used (802.11b/bg/ng or 802.11a/na).
• Signal quality. The signal strength that you expect for the WLAN. This setting determines the automatic channel allocation and automatic transmission power of the access points (see the explanation in the table later in this section).
• Number of clients per access point. The total number of clients that you expect to be supported on each access point.
• Total number of clients per floor. The total number of clients that you expect to be supported on each floor.
Along with the floor dimensions, these settings determine the estimated number of access points. A screen lets you visually optimize the access point locations for best coverage.
To specify the WLAN requirements for a floor, estimate the number of access points required, and view their suggested locations:
1. Select Plans > Planning. The Planning Buildings screen displays with the Local Building tab and associated screen in view. To specify the information for a remote building, click the Remote Building tab.
Figure 14.
The Planning Buildings screen shows a tab for each building that you previously defined. For each building, the screen shows the floors that you previously defined.
2. Select the building and floor that you want to configure by clicking the corresponding tabs.
3. Specify the WLAN requirements for the floor as explained in the following table:
Table 6. Floor WLAN requirements
Setting: Description
  Access Point Model: Specify the access point model that you will use on the floor by selecting the WNDAP 350, WNAP 210, WNAP 320, or WNDAP 360 radio button.
  Frequency Band: Select one of the following radio buttons to specify the frequency band that the access points will function in:
    • 802.11b/bg/ng
    • 802.11a/na
  Signal Quality: Specify the required signal quality by moving the slider or by entering a percentage in the field to the right of the slider. The minimum signal quality is 25 percent; the maximum is 100 percent.
  Client Per Radio: Specify the expected maximum number of clients per access point by moving the slider or by entering a number in the field to the right of the slider. The maximum number of clients that you can configure per access point is 64.
  Total Clients: Specify the expected total number of clients on the floor by moving the slider or by entering a number in the field to the right of the slider. The maximum number of total clients that you can configure on the floor is 1024.
4. Click Estimate to view the number of access points required for the settings that you entered. The number of access points displays in a pop-up window. Access points that you want to deploy in sentry mode are not included in this number. (For information about sentry mode, see Change Access Point Information on the Managed AP List on page 133.)
After you have closed the pop-up window, the Estimated Access Points row is added to the Planning Buildings screen.
5. Click View Map to view and optimize the suggested approximate access point locations for the settings that you entered:
Figure 15.
Note that the planning tool provides only default placement and shows the coverage area for each access point.
6. Move the access points to optimize coverage in desired areas and avoid coverage in unwanted areas based on the floor plan.
Colored circles around the access point symbols indicate the expected approximate coverage of the individual access point.
The color of the circle represents the expected quality of the signal strength: a darker color indicates signal overlap with nearby access points.
Note: A red color indicates the strongest coverage area: better than -50 dBm RSSI; an orange color better than -60 dBm; a yellow color better than -70 dBm; and so on.
Moderate overlap is required for seamless roaming. No overlap will lead to disconnections and dead spots.
You can click an access point icon and drag it to manually reposition it to see how the new location would affect the coverage. Click Cancel to undo any access point repositioning changes. Use the Zoom slider to increase or decrease the size of the map.
7. Click Save to save the location map, or click Back to return to the Planning Buildings screen without saving changes to the location map.
Note: For each floor, you can save one location map only. When you modify and save the location map, the previously saved location map is overwritten.

View and Manage Heat Maps for Deployed Plans

A heat map lets you view in real time, by wireless frequency band, the signal strength and
wireless coverage for a building floor. The heat map shows the actual signal strengths that each access point is detecting from neighbor access points.
Note: For the heat maps to work correctly, the access point placement on
the floor plan needs to closely match the actual physical location of the access points.
The heat map shows the following information:
• Signal strength and wireless coverage, including coverage holes
• Known access points that are managed by the wireless controller
• Location of rogue access points
• Location of clients associated with the access points
• Location of blacklisted clients
To view the heat map for a building floor and to adjust access points:
1. Select Plans > Deployed. The Deployed Buildings screen displays with the Local Building tab and associated screen in view. To view the information for a remote building, click the Remote Building tab.
Figure 16.
The Deployed Buildings screen shows a tab for each building that you previously defined. For each building, the screen shows the floors that you previously defined.
2. Select the building and floor for which you want to view the heat map by clicking the corresponding tabs.
3. Click Heat Map.
The heat map for the selected floor displays:
Figure 17.
4. The first time you view the heat map, the access points need to be manually placed on the heat map to closely match their actual physical locations.
5. Click Apply to save the locations. Doing so regenerates the complete heat map of the floor.
The spectrum bar at the top of the screen indicates how the colors correspond to the signal strength and wireless coverage.
To view information about an access point or client on the heat map, place your pointer over the icon. The following information becomes available:
• IP address
• MAC address
• Name
• Model
• Status
• Power per channel
• Configured and operating channel bandwidth
To select another wireless frequency band, make a selection from the Frequency band drop-down list above the heat map.
Use the Zoom slider to increase or decrease the size of the map.
6. Make adjustments to the wireless signal strength and coverage in real time by dragging the
access point icons to new locations. The colors disappear from the heat map until you click Apply again. When you apply the
new position, the heat map is refreshed based on the new location and the RF data collected from the access points.
7. Click Apply to view how your changes affect the heat map. Depending on the size of your
WLAN, it might take several minutes before the heat map is updated. If you do not want to apply the changes, click Close to return to the Deployed Buildings screen.
RF Planning
50
Page 51
4. Installation and Configuration
Overview
This chapter includes the following sections:
Connect Your Computer to the Wireless Controller
Roadmap for Initial Configuration
Roadmap for Configuring Management of Your Wireless Network
Choose a Location for the Wireless Controller
Deploy the Wireless Controller

Connect Your Computer to the Wireless Controller

To connect to the wireless controller for initial configuration, follow the steps in this section. You can also access the ProSAFE Wireless Controller WC7600 Installation Guide that you can download from http://support.netgear.com/product/WC7600.
To connect your computer to the wireless controller:
1. Configure the computer with a static IP address of 192.168.0.210 and 255.255.255.0 as the subnet mask.
2. Connect the wireless controller to the computer through the network or directly to the wireless controller’s Ethernet port.
3. Connect the power cord from the wireless controller to an AC power outlet.
4. Verify that the following LEDs on the front panel are lit:
LED | Description
Power | The green Power LED is lit. If the Power LED is not lit, check the connections and check to see if the power outlet is controlled by a wall switch that is turned off.
Status | The Status LED is lit yellow while the wireless controller is initializing. After approximately two minutes, when the wireless controller has completed its initialization, the Status LED turns green.
Fan | The green Fan LED is lit, indicating that the fans are functioning correctly.
Ethernet | The right Ethernet port LED is lit green for a 1000 Mbps connection or yellow for a 100 Mbps or 10 Mbps connection. If it is not, make sure that the Ethernet cable is securely attached at both ends.

Log In to the Wireless Controller

Before you log in to the wireless controller, make sure that you have followed the steps in the previous section, Connect Your Computer to the Wireless Controller.
To log in to the wireless controller, you must use a web browser such as Microsoft Internet Explorer 9 or 10, or the latest Mozilla Firefox version, or Google Chrome 24 or later with JavaScript, cookies, and SSL enabled.
To log in to the wireless controller:
1. Open your browser and type http://192.168.0.250 in the browser’s address field.
The wireless controller’s login screen displays:
2. When prompted, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen (the path is Monitor > Controller > Summary), which shows the network status and related information:
For information about the network status and related information, see View the Wireless Controller Summary Screen on page 264.

Roadmap for Initial Configuration

After you have connected and logged in to the wireless controller, perform the initial configuration. If you are not sure how you are going to deploy the wireless controller in your network, NETGEAR recommends that you read Chapter 2, System Planning and Deployment Scenarios.
This section is a roadmap for basic configuration only: It provides high-level configuration steps with references to the sections or chapters that provide detailed configuration steps.
To perform the initial configuration of the wireless controller:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller.
By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > System > General.
The General Settings screen displays.
5. Enter a name for the wireless controller and select the country in which the wireless controller is used.
6. Click the Apply button.
7. Select Configuration > System > Time.
The Time Setting screen displays.
8. Select the time zone in which the wireless controller is used. Optionally, configure the NTP settings.
For more information, see Manage the Time Settings on page 61.
9. Click the Apply button.
10. Select Configuration > System > IP/VLAN.
The IP Settings screen displays.
11. Enter the IP settings for your network and the VLANs that you want to assign to the wireless controller.
Note: A management VLAN is used for all SNMP and HTTP traffic to and from the wireless controller and managed access points.
Note: Clear the Untagged VLAN check box only if the hubs and switches in your network support the VLAN (802.1Q) standard. Likewise, change the untagged VLAN value only if the hubs and switches in your network support the VLAN (802.1Q) standard.
For more information, see Manage the IP, VLAN, and Link Aggregation Settings on page 62.
12. Click the Apply button.
13. If your network does not include a DHCP server, configure the wireless controller’s DHCP server.
For more information, see Manage the DHCP Server on page 65.
14. Click the Apply button.
The connection to the wireless controller is terminated because you have changed its IP address.
15. Reconfigure your computer with an IP address and subnet mask that is in the same IP subnet as the new IP address of the wireless controller.
16. Log back in to the wireless controller using its new IP address.
Continue with the following section, Roadmap for Configuring Management of Your Wireless Network.

Roadmap for Configuring Management of Your Wireless Network

After you have performed the initial configuration and changed the IP address to an address that is specific to your network (see the previous section, Roadmap for Initial Configuration), you are ready to configure the wireless controller for management of your wireless network.
This section is a roadmap only: It provides high-level configuration steps with references to the sections or chapters that provide detailed configuration steps.
To configure the wireless controller for management of your wireless network:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller.
By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Register the licenses.
For more information, see Register Your Licenses on page 70.
5. (Optional but recommended) Replace the default certificate with a custom certificate for certificate-based authentication of the internal authentication server.
For more information, see Manage Certificates on page 74.
6. (Optional but recommended) Configure logs, alerts, and alarms.
For more information, see Configure Log, Syslog, Alarm Notification, and Email Settings on page 75.
7. Configure security profiles:
a. Configure the security profiles for the basic profile group or for advanced profile groups.
For detailed configuration steps, see:
Manage Security Profiles for the Basic Profile Group on page 86.
Manage Security Profiles for Advanced Profile Groups on page 91.
b. (Optional) Configure authentication servers.
For more information, see Manage Authentication Servers and Authentication Server Groups on page 104.
c. (Optional) Configure MAC authentication.
For more information, see Manage MAC Authentication and MAC Authentication Groups on page 109.
d. (Optional) Assign the authentication servers and MAC ACLs to the security profiles.
For more information, see:
Manage Security Profiles for the Basic Profile Group on page 86.
Manage Security Profiles for Advanced Profile Groups on page 91.
8. Configure the managed access point list:
a. Run the Discovery Wizard and add access points to the managed list.
For more information, see Discover Access Points with the Discovery Wizard on page 123.
b. (Optional) Configure access points that are on the managed list.
For more information, see Manage the Managed AP List on page 131.
c. (Optional) Assign access points to advanced profile groups:
For more information, see Assign Access Points to Advanced Profile Groups on page 137.
9. (Optional) Configure rogue access point detection.
For more information, see Manage Rogue Access Points on page 141.
10. (Optional) Configure a guest portal or captive portal.
For more information, see Manage Guest Network Access on page 145.
11. (Optional) Configure user accounts and portal accounts.
For more information, see Manage Users, Accounts, and Passwords on page 150.
12. (Optional) Configure wireless and QoS settings.
For more information, see Chapter 9, Configure Wireless and QoS Settings.
13. (Optional but recommended) Back up the configuration.
For more information, see Back Up the Configuration File on page 199.

Choose a Location for the Wireless Controller

The wireless controller is suitable for use in an office environment where it can be freestanding on its runner feet or mounted into a standard 19-inch equipment rack. Alternatively, you can rack-mount the wireless controller in a wiring closet or equipment room. A mounting kit, containing two mounting brackets and screws, is provided in the wireless controller package.
Consider the following when deciding where to position the wireless controller:
The unit is accessible and cables can be connected easily.
Cabling is away from sources of electrical noise. These include lift shafts, microwave ovens, and air-conditioning units.
Water or moisture cannot enter the case of the unit.
Airflow around the unit and through the vents in the side of the case is not restricted. Provide a minimum of 25 mm or 1 inch of clearance.
The air is as free of dust as possible.
Temperature operating limits are not likely to be exceeded. Install the unit in a clean, air-conditioned environment. For information about the recommended operating temperatures for the wireless controller, see Appendix A, Factory Default Settings, Technical Specifications, and Passwords Requirements.

Deploy the Wireless Controller

After you have followed the steps in the Roadmap for Initial Configuration on page 54 and the Roadmap for Configuring Management of Your Wireless Network on page 55, you are ready to deploy the wireless controller in your network.
To deploy the wireless controller:
1. Disconnect the wireless controller from the computer that you used for configuration.
2. (Optional) Reconfigure the computer back to its original TCP/IP settings.
3. Place the wireless controller where you intend to deploy it.
4. Connect an Ethernet cable from the wireless controller to a switch or router on your wired network.
5. Connect the power cord to the wireless controller and plug the power cord into a power outlet.
The Power, Status, and Ethernet LEDs should light. If any of these do not light, see Troubleshoot Basic Functioning on page 296.
5. Configure the System and Network Settings and Register the Licenses
This chapter includes the following sections:
Configure the General Settings
Manage the Time Settings
Manage the IP, VLAN, and Link Aggregation Settings
Manage the DHCP Server
Register Your Licenses
Manage Certificates
Configure Log, Syslog, Alarm Notification, and Email Settings

Configure the General Settings

Note: You must select the correct country or region of operation. It might not be legal to operate the access points in a country or region not shown here. If your location is not listed, check with your local government agency or check the NETGEAR website for more information about which channels to use.
The General Settings screen lets you configure the basic settings of your wireless controller.
To configure general settings:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller.
By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > System > General.
The General Settings screen displays:
5. Configure the settings as described in the following table:
Setting | Description
Name | Enter a unique value as the wireless controller name. NETGEAR recommends changing the name as soon as possible after setting up. The name must contain only alphabetical characters, numbers, and hyphens, and must be 31 characters or less.
Country/Region | From the menu, select the region of operation for the wireless controller and the access points that the wireless controller manages. This setting is crucial for optimal performance of the wireless controller. The wireless controller uses the country code to determine the best wireless settings for the access points. In the United States, the country is preset and cannot be changed on the access points. If the country or region is not set up correctly, the wireless controller might not be able to access the access points.
Controller Location Code | (Optional) Enter a code to identify the physical location of the wireless controller. If you use more than one wireless controller, a code is especially useful.
6. Click the Apply button.

Manage the Time Settings

This screen lets you configure the time-related settings of your wireless controller and managed access points.
To configure time settings:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller.
By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > System > Time.
The Time Settings screen displays:
5. Configure the settings as described in the following table:
Setting | Description
Time Zone | From the menu, select the local time zone for your country or region.
Current Time | This field is a nonconfigurable field that displays the current time at your location.
NTP Client | Select the Enable radio button to use a Network Time Protocol (NTP) server to synchronize the clock of the wireless controller and managed access points. Select the Disable radio button if you do not want to use an NTP server.
Use Custom NTP Server | Select the Use Custom NTP Server check box if you want to use an alternate NTP server. By default, the NETGEAR NTP server is used.
Hostname/IP Address | Enter the host name or IP address of the NTP server, if you are using a custom NTP server.
6. Click the Apply button.

Manage the IP, VLAN, and Link Aggregation Settings

You can manage the IP address, VLAN settings, and link aggregation (LAG) settings of the wireless controller.

Management VLAN Concepts

Management VLANs are used for all SNMP and HTTP traffic to and from the wireless controller and managed access points.
For large deployments, NETGEAR recommends that the wireless controller and access points are in separate VLANs to ensure uninterrupted connectivity between the wireless controller and the access points.
The wireless controller and access points share heartbeat messages to keep synchronized and share configurations and client key data to facilitate seamless roaming.

Untagged VLAN Concepts

When the Untagged VLAN check box is selected on the IP Settings screen, one VLAN can be configured as an untagged VLAN:
When the wireless controller sends frames associated with the untagged VLAN to the LAN (Ethernet) interface, those frames do not carry an 802.1Q VLAN header.
When the wireless controller receives untagged traffic from the LAN (Ethernet) interface, those frames are assigned to the untagged VLAN.
If you clear the Untagged VLAN check box, the wireless controller tags all outgoing LAN (Ethernet) frames, and accepts only incoming frames that are tagged with known VLAN IDs.
Note: Clear the Untagged VLAN check box only if the hubs and switches on your LAN support the VLAN (802.1Q) standard. Likewise, change the untagged VLAN value only if the hubs and switches on your LAN support the VLAN (802.1Q) standard.
Changing either of these values results in a loss of IP connectivity if the hubs and switches on your network have not yet been configured with the corresponding VLANs.
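The tagging rules above can be modeled on raw Ethernet frames. The following Python sketch is an added example, not NETGEAR code: the LanPort class, the function names, and the sample MAC addresses and VLAN IDs are constructed for illustration, and the model assumes that a tagged frame is accepted whenever its VLAN ID is in the known set.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q VLAN header

# Constructed sample addresses (broadcast destination, locally administered source).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")


def build_frame(dst, src, ethertype, payload, vlan_id=None):
    """Build an Ethernet frame; insert an 802.1Q header when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be in the range 1-4094")
        # TCI = 3-bit priority (0 here), 1-bit DEI (0), 12-bit VLAN ID.
        header += struct.pack("!HH", TPID_8021Q, vlan_id)
    return header + struct.pack("!H", ethertype) + payload


def parse_vlan(frame):
    """Return the 802.1Q VLAN ID carried by a frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("frame is shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF  # the low 12 bits are the VLAN ID


class LanPort:
    """Hypothetical model of the LAN interface behavior described above.

    untagged_vlan=None models a cleared Untagged VLAN check box.
    """

    def __init__(self, known_vlans, untagged_vlan=None):
        self.known_vlans = set(known_vlans)
        self.untagged_vlan = untagged_vlan

    def ingress(self, frame):
        """Return the VLAN a received frame is assigned to, or None if dropped."""
        vid = parse_vlan(frame)
        if vid is None:
            # Untagged traffic goes to the untagged VLAN, or is dropped
            # when no untagged VLAN is configured.
            return self.untagged_vlan
        return vid if vid in self.known_vlans else None

    def egress(self, vlan_id, dst, src, ethertype, payload):
        """Build the frame as it leaves the port for the given VLAN."""
        tag = None if vlan_id == self.untagged_vlan else vlan_id
        return build_frame(dst, src, ethertype, payload, tag)


def walk_through():
    """Run the same frames through both check box settings."""
    with_untagged = LanPort(known_vlans={1, 10, 20}, untagged_vlan=1)
    tagged_only = LanPort(known_vlans={1, 10, 20}, untagged_vlan=None)
    plain = build_frame(DST, SRC, 0x0800, b"payload")
    vlan10 = build_frame(DST, SRC, 0x0800, b"payload", vlan_id=10)
    vlan99 = build_frame(DST, SRC, 0x0800, b"payload", vlan_id=99)
    return {
        "untagged_in, box selected": with_untagged.ingress(plain),
        "untagged_in, box cleared": tagged_only.ingress(plain),
        "vlan10_in, box selected": with_untagged.ingress(vlan10),
        "vlan99_in, box cleared": tagged_only.ingress(vlan99),
        "vlan1_out, box selected": parse_vlan(
            with_untagged.egress(1, DST, SRC, 0x0800, b"payload")),
        "vlan1_out, box cleared": parse_vlan(
            tagged_only.egress(1, DST, SRC, 0x0800, b"payload")),
    }


if __name__ == "__main__":
    for case, result in walk_through().items():
        print(f"{case}: {result}")
```

The "untagged_in, box cleared" case is the loss of connectivity that the note warns about: frames from a switch that does not tag are dropped once the check box is cleared.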

Link Aggregation Concepts

If you connect the two 10GE connections of the wireless controller to a switch or router, the wireless controller supports dynamic link aggregation (802.3ad), which you can use either to increase bandwidth or to support link redundancy.
You can enable the wireless controller to automatically create a single link aggregation group (LAG) in which the two links share the same speed and duplex settings. The link selection for egress traffic is based on the transmit hash policy.
You can also configure a standby link in which only one link in the LAG is active. The standby link becomes active only if the active link fails. In such a situation, a failover occurs from the failed active link to the standby link, which becomes the new active link.

Configure the IP, VLAN, and Link Aggregation Settings

You can configure the management IP address, VLAN settings, and link aggregation (LAG) settings of the wireless controller.
To configure IP, VLAN, and LAG settings:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller.
By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > System > IP/VLAN.
The IP Settings screen displays:
5. Configure the settings as described in the following table:
Setting | Description
IP Settings section
IP Address | Enter the IP address of the wireless controller. The default IP address is 192.168.0.250. To change it, enter an available IP address from the address range used on your LAN.
IP Subnet Mask | Enter the subnet mask value used on your LAN. The default value is 255.255.255.0.
Default Gateway | Enter the IP address of the gateway for your LAN.
Primary DNS Server | Enter the IP address of the primary Domain Name Server (DNS) that you want to use.
Secondary DNS Server | Enter the IP address of the secondary DNS that you want to use.
WINS Server | Enter the IP address of the Windows Internet Name Service (WINS) that you want to use.
Management VLAN Settings section
Management VLAN | Enter the management VLAN. For more information, see Management VLAN Concepts on page 62.
Untagged VLAN | Select the Untagged VLAN check box if the configured VLAN is untagged. For more information, see Untagged VLAN Concepts on page 63.
10G Port Settings section
LAG | Select the LAG radio button to enable the wireless controller to automatically create a LAG in which both links are active. The LAG radio button and Active Standby radio button are mutually exclusive. For more information, see Link Aggregation Concepts on page 63.
Active Standby | Select the Active Standby radio button to enable the wireless controller to automatically create a LAG in which only one link is active and the other link functions as a standby link. The Active Standby radio button and LAG radio button are mutually exclusive. For more information, see Link Aggregation Concepts on page 63.
6. Click the Apply button.

Manage the DHCP Server

Note: Make sure that a DHCP server is available; otherwise, the Discovery Wizard does not function correctly. If you already have a DHCP server on your network, do not enable the DHCP server on the wireless controller.
The wireless controller can function as a DHCP server. You can add multiple DHCP server pools for different VLANs. By default, the wireless controller has no DHCP server pool configured but you can add one or more DHCP server pools.

Add a DHCP Server

The DHCP Server List screen lets you add a DHCP server pool.
To add a DHCP server and configure its settings:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller.
By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > System > DHCP Server.
The DHCP Server List screen displays. The following figure shows part of the DHCP Server List screen. Because this screen is wide, it is shown in the following two figures:
The DHCP Server List shows the DHCP servers that are already configured on the wireless controller.
5. Click the Add button.
The Add DHCP Server pop-up screen displays:
6. Configure the settings as described in the following table:
Setting | Description
Enabled | Select the Enabled check box to enable the DHCP server. When the check box is cleared, the DHCP server is disabled.
Use VLAN Interface | Select the Use VLAN Interface check box to allow the DHCP server to function with multiple VLANs.
VLAN | Enter the DHCP server VLAN ID. The range is between 1 and 4094. The DHCP server services this VLAN.
IP Network | Enter the IP address for the wireless controller in the VLAN that you have specified in the VLAN field. If you have not selected the Use VLAN Interface check box, the IP address of the wireless controller’s management VLAN is used.
Subnet Mask | Enter the subnet mask that is assigned to the wireless clients by the DHCP server.
Default Gateway | Enter the IP address of the default network gateway for all traffic beyond the local network.
Start IP | Enter the start IP address of the range that the DHCP server can assign.
End IP | Enter the end IP address of the range that the DHCP server can assign.
Use Default DNS Server | Select the Use Default DNS Server check box to allow the DHCP server to use the wireless controller’s default DNS servers. The Primary DNS Server and Secondary DNS Server fields are masked out.
Primary DNS Server | Enter the IP address of the primary DNS server for the network.
Secondary DNS Server | Enter the IP address of the secondary DNS server for the network.
Use Default WINS Server | Select the Use Default WINS Server check box to allow the DHCP server to use the wireless controller’s default WINS server. The WINS Server field is masked out.
WINS Server | Enter the IP address of the WINS server for the network.
7. Click the Add button.
The new DHCP server is added to the DHCP Server List.
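Before entering per-VLAN pools on the Add DHCP Server screen, the planned values can be checked offline for consistency. The following Python sketch is an added example, not part of the NETGEAR software: the DhcpPool fields mirror the table above, while the function names, the specific checks, and the sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class DhcpPool:
    """Planned values for one DHCP server pool, named after the table fields."""
    vlan: int
    ip_network: str       # IP address of the wireless controller in this VLAN
    subnet_mask: str
    default_gateway: str
    start_ip: str
    end_ip: str


def pool_network(pool):
    """Return the IPv4 subnet implied by the IP Network and Subnet Mask fields."""
    return ipaddress.IPv4Interface(f"{pool.ip_network}/{pool.subnet_mask}").network


def validate_pool(pool):
    """Return a list of problems found in one pool (empty list means consistent)."""
    problems = []
    if not 1 <= pool.vlan <= 4094:  # VLAN range stated in the table
        problems.append(f"VLAN {pool.vlan} is outside the range 1-4094")
    try:
        iface = ipaddress.IPv4Interface(f"{pool.ip_network}/{pool.subnet_mask}")
        gateway = ipaddress.IPv4Address(pool.default_gateway)
        start = ipaddress.IPv4Address(pool.start_ip)
        end = ipaddress.IPv4Address(pool.end_ip)
    except ValueError as exc:  # covers malformed addresses and masks
        return problems + [f"unparsable address or mask: {exc}"]
    net = iface.network
    for label, addr in (("default gateway", gateway),
                        ("start IP", start), ("end IP", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is not in {net}")
    if start > end:
        problems.append("start IP is higher than end IP")
    else:
        # Addresses that must never be leased to a wireless client.
        reserved = (("controller address", iface.ip),
                    ("default gateway", gateway),
                    ("network address", net.network_address),
                    ("broadcast address", net.broadcast_address))
        for label, addr in reserved:
            if start <= addr <= end:
                problems.append(f"{label} {addr} falls inside the lease range")
    return problems


def find_overlaps(pools):
    """Report pairs of pools whose subnets overlap across VLANs."""
    overlaps = []
    for i, first in enumerate(pools):
        for second in pools[i + 1:]:
            if pool_network(first).overlaps(pool_network(second)):
                overlaps.append(
                    f"VLAN {first.vlan} ({pool_network(first)}) overlaps "
                    f"VLAN {second.vlan} ({pool_network(second)})")
    return overlaps


# Constructed sample plan.
STAFF = DhcpPool(10, "192.168.10.1", "255.255.255.0",
                 "192.168.10.254", "192.168.10.100", "192.168.10.200")
GUEST = DhcpPool(20, "192.168.10.129", "255.255.255.128",
                 "192.168.10.254", "192.168.10.130", "192.168.10.200")
BROKEN = DhcpPool(4095, "192.168.20.1", "255.255.255.0",
                  "192.168.30.1", "192.168.20.200", "192.168.20.100")

if __name__ == "__main__":
    for pool in (STAFF, GUEST, BROKEN):
        print(pool.vlan, validate_pool(pool) or "ok")
    print(find_overlaps([STAFF, GUEST]))
```

Overlapping subnets on two VLANs, as in the STAFF and GUEST samples, mean that clients on both VLANs can receive the same addresses, which is easy to miss when the pools are entered one at a time.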

Change the Settings for a DHCP Server

You can change the settings for a DHCP server.
To change the settings for a DHCP server:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller.
By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > System > DHCP Server.
The DHCP Server List screen displays.
5. Select the radio button in the Edit/Remove column that corresponds to the DHCP server for which you want to change the settings.
6. Click the Edit button.
The Edit DHCP Server pop-up screen displays:
7. Change the settings.
8. Click the Apply button.

Remove a DHCP Server

You can remove a DHCP server.
To remove a DHCP server:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller.
By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > System > DHCP Server.
The DHCP Server List screen displays.
5. Select the radio button in the Edit/Remove column that corresponds to the DHCP server that you want to remove.
6. Click the Remove button.

Register Your Licenses

Make sure that your licenses cover the number of access points in your network. Before you can register your licenses, you must configure the license server settings.
Note: When you install your licenses, they replace the default trial license for five access points.
For more information about licenses, see Licenses on page 20 and Manage Licenses on page 219.

Configure the License Server Settings

Although you generally do not need to change the default license update server, you must make sure that the wireless controller can reach the license update server.
To configure the license server settings:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller.
By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Maintenance > Licensing.
5. Click the Server Settings tab.
The Server Settings screen displays:
6. Configure the settings as described in the following table:
Setting | Description
Update From | Select one of the following radio buttons to specify the license update server:
Default Update Server. The default license update server is used.
Specify Update Server. You must specify the license update server. Fill in the Server Address field.
Server Address | Enter the IP address or FQDN of the server from which you import your licenses. By default, the FQDN of the NETGEAR license server is update1.eng.netgear.com.
Use a Proxy Server to Connect to the Internet section
Select the Use a Proxy Server to Connect to the Internet check box if you use a proxy server to connect to the Internet.
Proxy Server | Enter the IP address or FQDN of the proxy server.
Proxy Port | Enter the port that the proxy server uses.
This Proxy Server Requires Authentication section
If the proxy server requires authentication, specify the user name and password.
User Name | Enter the user name to access the proxy server.
Password | Enter the password to access the proxy server.
7. Click the Apply button.

Register Your Licenses with the License Server

You must have purchased licenses before you can register them. For more information, see Licenses on page 20.
To register your licenses:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller.
By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Make sure that the wireless controller is connected to the Internet.
5. Select Maintenance > Licensing.
6. Click the Registration tab.
The Registration screen displays. The following figure shows some licenses already registered and installed. If you register licenses for the first time, the screen does not yet show any licenses.
7. Complete the fields in the Customer Information section with the customer information that is associated with the key that you want to add and register. These fields are self-explanatory.
8. Complete the fields in the VAR Information section with the value-added reseller (VAR) information that is associated with the key that you want to add and register. These fields are self-explanatory.
9. In the Registration Key field at the top of the screen, enter the registration key for the license that you want to add and register.
10. Click the Add button.
The license is added to the table. The key details have the same meaning as the details that are shown on the Inventory screen (see the Key Details section in the table in View Your Licenses on page 220).
11. Click the Apply button.
Your license is registered.
12. To register another license, repeat these steps.

Manage Certificates

The internal authentication server for certificate-based authentication requires you to install a certificate on the wireless controller. A default self-signed server certificate is installed on the wireless controller. However, NETGEAR strongly recommends that you replace this default certificate with a custom certificate issued for your site or domain by a trusted certificate authority (CA).
To obtain a security certificate for the wireless controller, generate and submit a certificate signing request (CSR) to the CA of your choice. Upon receiving the CA-signed server certificate, install the certificate from your computer as described in this section. Certificates must be in X.509 PEM format.
To add certificates:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller.
By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > System > Certificates.
The Add Certificates screen displays:
5. Configure the settings as described in the following table:
Setting Description
Password. Enter the password for wireless controller certificates.
Controller Key. Click the Browse button, and select the controller key.
Controller Certificate. Click the Browse button, and select the controller certificate.
CA Certificate. Click the Browse button, and select the CA certificate.
6. Click the Apply button.
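Because certificates must be in X.509 PEM format, a structural check before upload catches the usual mistakes: binary DER, a CSR or key placed in a certificate slot, or a truncated paste. The following is an added example, not NETGEAR code; the slot names key, cert, and ca and the sample data are constructed for illustration, and the check covers PEM armor and outer DER framing only, not signatures or key and certificate pairing.

```python
import base64
import re

# PEM armor labels accepted for each upload slot (slot names are this example's own).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
CERT_LABELS = {"CERTIFICATE"}
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def der_is_one_sequence(der):
    """True if der is exactly one ASN.1 SEQUENCE (tag 0x30 with a matching length)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: the length fits in one byte
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: the next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_upload(slot, data):
    """Return a list of problems for one file; an empty list means it looks uploadable."""
    if slot not in ("key", "cert", "ca"):
        raise ValueError("slot must be 'key', 'cert' or 'ca'")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return ["not ASCII text: looks like binary DER or PKCS#12, convert to PEM first"]
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM BEGIN/END block found"]
    wanted = KEY_LABELS if slot == "key" else CERT_LABELS
    problems = []
    for label, body in blocks:
        if label not in wanted:
            # Typical causes: a CSR uploaded instead of the signed certificate,
            # or a private key bundled into a certificate file.
            problems.append(f"unexpected PEM block '{label}' in {slot} file")
            continue
        if "Proc-Type:" in body:
            continue                      # legacy encrypted key: payload is ciphertext
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid base64")
            continue
        if not der_is_one_sequence(der):
            problems.append(f"{label}: not one complete DER SEQUENCE (truncated or corrupted)")
    return problems


def constructed_pem(label, der):
    """Wrap bytes in PEM armor with 64-character lines (used for the sample data)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN %s-----\n%s\n-----END %s-----\n"
            % (label, "\n".join(lines), label)).encode("ascii")


# Constructed stand-in for DER: a SEQUENCE holding 128 zero bytes, not a real certificate.
SAMPLE_DER = b"\x30\x81\x80" + bytes(128)

if __name__ == "__main__":
    for slot, blob in [("cert", constructed_pem("CERTIFICATE", SAMPLE_DER)),
                       ("cert", constructed_pem("CERTIFICATE REQUEST", SAMPLE_DER)),
                       ("cert", SAMPLE_DER)]:
        print(slot, check_upload(slot, blob) or "ok")
```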

Configure Log, Syslog, Alarm Notification, and Email Settings

From the Alerts/Logs menu, you can configure the logs, syslog, and the alarms, and specify the email address from which alerts originate.

Configure Log Settings

For the logs, you can either configure event tracing or select a log level. These selections are mutually exclusive.
Event tracing can help you to debug the wireless network. Event tracing generates logs from the wireless controller and from all controlled access points, and saves these logs in a file on the wireless controller. The file can become large quickly.
To configure the log settings and view the logs:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller.
By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > System > Alerts/Logs > Logs/Syslog.
The Log Settings screen displays:
5. In the Log Settings section of the screen, configure either event tracing or a log level (these selections are mutually exclusive):
Event tracing.
To configure event tracing:
a. Select the Event Tracing check box.
b. Next to Time Duration, use the menus to specify the period during which event tracing should occur.
Log level. From the Log Level menu, select one of the following levels:
- LOG_LEVEL_CRIT. Critical errors only are logged.
- LOG_LEVEL_ERR. Noncritical errors and critical errors are logged.
- LOG_LEVEL_WARN. Warnings, noncritical errors, and critical errors are logged.
- LOG_LEVEL_NOTICE. Notifications, warnings, noncritical errors, and critical errors are logged.
- LOG_LEVEL_INFO. Informational messages, notifications, warnings, noncritical errors, and critical errors are logged.
6. Click the Apply button.
For information about saving the logs, see Save the System Logs on page 212. For information about clearing the logs, see Clear the System Logs on page 212.

Configure Syslog Settings

This screen lets you configure the settings to connect to a syslog server, if you have one configured in your network.
Note: Before you configure the IP address of the syslog server on the wireless controller, make sure that you have set up a syslog server (such as a computer running a syslog service) and that the syslog server is available on the network.
To configure syslog settings:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller.
By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > System > Alerts/Logs > Logs/Syslog.
The Log Settings screen displays:
5. In the Syslog Settings section of the screen, configure the settings as described in the following table:
Setting Description
Enable Syslog. Enable the syslog settings, if you have a syslog server on your network.
Syslog Server IP Address. Enter the IP address to which the wireless controller and managed access points send all syslogs, if the Enable Syslog check box is selected.
Note: Before you configure the IP address of the syslog server on the wireless controller, make sure that you have set up a syslog server (such as a computer running a syslog service) and that the syslog server is available on the network.
Server Port Number. Enter the number of the port at which your syslog server is configured to listen to requests.
Log Level. From the Log Level menu, select one of the following levels:
- LOG_LEVEL_CRIT. Critical errors only are logged.
- LOG_LEVEL_ERR. Noncritical errors and critical errors are logged.
- LOG_LEVEL_WARN. Warnings, noncritical errors, and critical errors are logged.
- LOG_LEVEL_NOTICE. Notifications, warnings, noncritical errors, and critical errors are logged.
- LOG_LEVEL_INFO. Informational messages, notifications, warnings, noncritical errors, and critical errors are logged.
6. Click the Apply button.

Configure Alarm Notification Settings

You can classify certain events as critical, major, normal, or minor. Some events you can classify only as critical or major. For example, on the RF Management screen, you can specify whether a coverage hole should be classified as critical or major (see Configure Radio Frequency Management for the Basic Profile Group on page 181).
To configure alarm actions:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller.
By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > System > Alerts/Logs > Alarms.
The Alarm Actions screen displays:
5. For each alarm severity (Minor, Normal, Major, and Critical), select the desired action from its corresponding Action menu.
No Action. When the alarm occurs, no action is taken.
Add To Syslog. When the alarm occurs, the wireless controller adds an entry to the syslog.
Send Email. When the alarm occurs, the wireless controller sends an email.
6. For each alarm severity for which you have selected the Send Email option in the previous step, enter an email address.
7. Click the Apply button.

Configure the Email Notification Server

The email notification server is the location from which the email alerts originate.
To configure email settings:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller.
By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > System > Alerts/Logs > Email Setup.
The Email Configuration screen displays:
5. Configure the settings as described in the following table:
Setting Description
Server Address. Enter the IP address of the server from which email notifications are sent.
Port. Enter the port number of the server from which email notifications are sent. The default port is 25.
Sender Email Address. Enter the email address from which email notifications are sent.
Authentication Required. Select the Authentication Required check box if the email server requires authentication, and complete the User Name and Password fields.
User Name. Enter the user name that is associated with the email server.
Password. Enter the password that is associated with the email server.
6. Click the Apply button.
6. Manage Security Profiles and Profile Groups
This chapter includes the following sections:
Wireless Security Profile Concepts
Manage Security Profiles for the Basic Profile Group
Manage Security Profiles for Advanced Profile Groups
Network Authentication and Data Encryption Options
Manage Authentication Servers and Authentication Server Groups
Manage MAC Authentication and MAC Authentication Groups
Note: In this chapter and in the following chapters, access point profile groups are referred to as just profile groups. Profiles, security profiles, and SSIDs (that is, SSIDs with associated security settings) are terms that are interchangeable.

Wireless Security Profile Concepts

Profiles are sets of configurations that you can apply to an access point. The configuration includes radio parameters, load-balancing parameters, and rate-limit parameters. Each wireless radio on an access point can support 8 profiles. For example, the dual-band WNDAP660 access point can support a total of 16 profiles. Therefore, in one profile group on the wireless controller, you can configure up to 8 profiles for each radio, that is, up to 8 profiles for the 2.4 GHz radio and up to 8 profiles for the 5 GHz radio.
Setting up profiles allows you to configure the WLAN network offline. Then, when the WLAN network is operating, you can push the configuration onto managed access points. You can configure profiles and profile groups without taking the state of the access points into consideration. When the access points connect to the wireless controller, the profile configurations are pushed onto the access points.
An access point can be a member of one profile group only. If you move an access point from one profile group to another, the access point stops serving the SSIDs in the old profile group and starts serving the SSIDs in the new profile group.
Note: If an access point is removed from its building (someone takes it home or it is stolen), the access point does not retain the configuration that it received from the wireless controller. The configuration is not stored in memory on the access point.
Depending on your network needs, you can either use the basic profile group (that is, the basic configuration) or the advanced profile groups (that is, the advanced configuration). The basic profile group works well for small-scale WLAN networks; advanced profile groups are useful for larger deployments.
Note: For more information about basic and advanced profile groups, see Basic and Advanced Setting Concepts on page 22.

Small WLAN Networks

For small WLAN networks, you can use the basic configuration with the basic profile group. All access points belong to the same group and use the same wireless, security, and QoS configurations.
The basic profile group can contain up to 16 profiles for a dual-band access point, or eight profiles for a single-band access point. Each profile has its own SSID and can have its own VLAN to allow the profile to establish its own tunnel. Profiles can also share the same VLAN.
For example, in an enterprise network in which all access points that are managed by the wireless controller serve the same wireless networks and have the same settings, you can use the basic configuration.

Large WLAN Networks

For large network deployments that consist of different sets of WLAN networks, consider using the advanced configuration to create multiple profile groups. The access points that belong to the same profile group use the same wireless, security, and QoS configurations.
The wireless controller supports up to eight profile groups. Each profile group can have its own wireless, security, and QoS configurations. Each profile group can contain up to 16 profiles for a dual-band access point, or eight profiles for a single-band access point. Using dual-band access points, the wireless controller could support a total of 128 profiles. Each profile has its own SSID and can have its own VLAN to allow the profile to establish its own tunnel. Profiles can also share the same VLAN.
In larger network deployments, too, you would assign guests to a separate VLAN because guests typically access only the Internet, not the business network, and do not have peer-to-peer access.

Profile Naming Conventions

You can use profile naming conventions that are based on user groups such as Marketing, or based on VLANs such as VLAN40, or you can use other naming conventions such as CompanyName15.
Note: In the advanced configuration, you cannot change the names of profile groups. However, you can change the group names of MAC ACLs and external RADIUS servers.

Considerations Before You Configure Profiles

Before you create and configure profiles for the basic profile group or an advanced profile group, consider the following:
Authentication servers. If you want to use external LDAP or RADIUS authentication, or both, first configure the authentication server settings:
- Configure basic server settings on the basic Authentication Server screen (see Configure Basic Authentication Server Settings on page 105).
- For more complex networks, configure additional RADIUS servers on the advanced Authentication Server screen (see Configure a RADIUS Authentication Server Group on page 107).
After you have configured authentication server settings, you can then assign any authentication server to a security profile in a basic profile group or advanced profile group.
Note: You can configure profiles to function with different authentication servers. For example, you could set up a guest profile with no authentication, an engineering profile that uses external RADIUS authentication, and a marketing profile that uses external LDAP authentication. You can also use additional external RADIUS servers in other profiles.
MAC authentication. If you want to use a MAC access control list (ACL) to control access of wireless clients, first create one or more MAC ACLs:
- Configure the basic MAC ACL on the basic MAC Authentication screen (see Configure Basic Local MAC Authentication Settings on page 110).
- For more complex networks, configure additional MAC ACLs on the advanced MAC Authentication screen (see Configure a Local MAC Authentication Group on page 113).
After you have configured one or more MAC ACLs, you can then assign any MAC ACL to a security profile in a basic profile group or advanced profile group.
Cloning profiles. For faster setup, you can clone a profile and rename it. Cloning copies all settings except for the name and SSID.

Basic and Advanced Security Configuration Concepts

The basic security configuration model (Configuration > Security > Basic) does not apply strictly to the basic profile group, nor does the advanced security configuration model (Configuration > Security > Advanced) apply strictly to advanced profile groups. The reason is that you apply an authentication server and a MAC ACL to an individual profile and not to a profile group.
Basic security settings. You can apply the following security settings to any profile, whether in the basic profile group or in an advanced profile group:
- Basic MAC authentication (the MAC ACL group that is called basic)
- Basic authentication server (the RADIUS server that is called basic-Auth or the LDAP server that is called basic-LDAP)
Advanced security settings. You can apply the following security settings to any profile, whether in the basic profile group or in an advanced profile group:
- Advanced MAC authentication (the MAC ACLs that are, by default, called Acl-1, Acl-2, Acl-3, and so on; you can change these default names)
- Advanced authentication server (the RADIUS servers that are, by default, called Auth-1, Auth-2, Auth-3, and so on; you can change these default names)

Manage Security Profiles for the Basic Profile Group

The basic profile group works well for small-scale WLAN networks. NETGEAR recommends that you read the information in the previous section, Wireless Security Profile Concepts, before you configure any profiles.

Configure a Profile in the Basic Profile Group

The Edit Profile (Basic) screen lets you create and configure up to eight security profiles per wireless radio (eight profiles for a single-band access point; 16 profiles for a dual-band access point). Separate profiles are applied to 802.11b/bg/ng-mode and 802.11a/na-mode radios.
To add a security profile to the basic profile group and configure the security profile:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller.
By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > Profile > Basic > Radio.
The Edit Profile (Basic) screen displays:
Click + to add another profile.
Your selection from the Network Authentication menu determines the information that is displayed onscreen.
Select the Local radio button to display the Local MAC ACL Group menu.
Select the External radio button to display the External Radius Server menu.
By default, an NG_11g-01 profile and an NG_11a-01 profile are present in the basic profile group.
5. Click the tab for the radio for which you want to add a profile.
6. Click the + button to add the profile to the basic profile group.
The Add Profiles pop-up screen displays.
7. (Optional) Clone an existing profile:
a. Select the Clone an existing Profile check box.
The previous figure shows that you can clone an existing profile with the name VLAN10.
b. Select a profile from the Profiles menu.
8. Click the Add button.
The newly created profile displays onscreen, and the tab for the new profile is automatically selected to let you configure the new profile.
Note: The authentication server settings that you specify on the Authentication Server screen affect the selections that are available from the Network Authentication menu. For more information, see Manage Authentication Servers and Authentication Server Groups on page 104. If your selection from the Network Authentication menu requires authentication, a corresponding Authentication Server field displays.
9. Configure the settings as described in the following table:
Setting Description
Profile Definition section
Name. Enter a unique name to identify the profile. This value can be up to 32 alphanumeric characters. Use meaningful profile names instead of the default names. The default profile names are Profile1, Profile2, and so on, through Profile8.
Wireless Network Name (SSID). Enter a unique name for the wireless network associated with this profile.
Broadcast Wireless Network Name. Select the Yes radio button to enable broadcast of the SSID. This is the default setting. Select the No radio button to disable broadcast of the SSID, in which case only devices that have the correct SSID can connect to the access point.
Client Authentication section
Note: The options that display onscreen depend on your selection from the Network Authentication menu.
Network Authentication. From the menu, select the authentication type to be used. Table 7 on page 100 lists all the authentication type options.
Data Encryption. From the menu, select the data encryption type to be used. The options available for data encryption as well as other requirements such as entering a key or passphrase depend on the network authentication settings. Table 7 on page 100 lists all the data encryption options.
Wireless Client Security Separation. From the menu, select Disable to prevent associated wireless clients from communicating with each other, or select Enable to allow such communication. Wireless client separation is intended for hotspots and other public access situations.
VLAN. Enter the VLAN ID to be associated with this security profile. This VLAN ID must match the VLAN ID that is used by other network devices.
Authentication Settings section
Note: The options that display onscreen depend on the selection from the Network Authentication menu.
Note: The MAC ACL button displays only when you select Open System, Shared Key, WPA-PSK, WPA2-PSK, or WPA-PSK & WPA2-PSK from the Network Authentication menu.
MAC ACL. Select one of the following radio buttons:
Local. Use local MAC authentication. The Local MAC ACL Group menu displays so you can select a group. For more information, see Manage MAC Authentication and MAC Authentication Groups on page 109.
External. Use external MAC authentication. The External Radius Server menu displays so you can select a server. You can select either the basic-Auth RADIUS server or a RADIUS server of an advanced authentication group. You cannot use the external LDAP server.
For information about setting up and enabling internal and external authentication servers, see Manage Authentication Servers and Authentication Server Groups on page 104.
Note: The MAC ACL radio buttons do not display onscreen if the network authentication uses an external RADIUS server. The reason for this is that you can configure either MAC authentication with an external RADIUS server or network authentication with an external RADIUS server, but not both. That is, if you configure an external RADIUS server with WPA, WPA2, or WPA & WPA2 (or you use Legacy 802.1X), you cannot use external MAC authentication, and the MAC ACL radio buttons do not display on screen. You can still use internal MAC authentication.
Note: The Captive Portal check box displays only when you select Open System, Shared Key, WPA-PSK, WPA2-PSK, or WPA-PSK & WPA2-PSK from the Network Authentication menu.
Captive Portal. Select the Captive Portal check box if you want to enable the captive portal. For more information, see Manage Guest Network Access on page 145.
Note: If the network authentication uses a RADIUS server, whether it is a local server or an external server, you cannot configure captive portal authentication. That is, if you configure a RADIUS server with WPA, WPA2, or WPA & WPA2 (or if you use legacy 802.1X), the Captive Portal check box is not shown onscreen.
Note: The Authentication Server buttons and menu display only when you select WPA with Radius, WPA2 with Radius, or WPA & WPA2 with Radius from the Network Authentication menu.
Authentication Server. Select one of the following radio buttons:
Local. Use the local authentication server.
External. Use an external authentication server. Select an external authentication server from the Authentication Server menu.
Note: For information about setting up and enabling internal and external authentication servers, see Manage Authentication Servers and Authentication Server Groups on page 104.
Wireless QoS section
Wi-Fi Multimedia (WMM). To enable Wi-Fi Multimedia (WMM), select the Enable radio button, which is the default setting. Select the Disable button to disable the feature. For more information, see Manage Quality of Service for an Advanced Profile Group on page 188.
WMM Powersave. The WMM Powersave feature saves power for battery-powered equipment by increasing the efficiency and flexibility of data transmission. To enable this feature, select the Enable radio button, which is the default setting.
Note: NETGEAR recommends that you do not disable the WMM Powersave feature.
10. Click the Apply button.
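Because profiles can be planned offline, the dependencies in the settings table (which options exist for which Network Authentication value) can be checked before anything is entered on the controller. The following is an added example, not NETGEAR code: the dictionary keys, the radio labels, and the sample plan are constructed for illustration, and the VLAN range is the general 802.1Q range, not a limit stated in this manual.

```python
from collections import Counter

# Network Authentication menu values named in this section.
OPEN_OR_PSK = {"Open System", "Shared Key", "WPA-PSK", "WPA2-PSK", "WPA-PSK & WPA2-PSK"}
WPA_RADIUS = {"WPA with Radius", "WPA2 with Radius", "WPA & WPA2 with Radius"}
RADIUS_BASED = WPA_RADIUS | {"Legacy 802.1X"}
MAX_PROFILES_PER_RADIO = 8
MAX_NAME_LEN = 32


def lint_plan(profiles):
    """Check a planned profile group against the rules in the settings table.

    Each profile is a dict whose key names are this example's own, not the
    controller's. Returns a list of (profile_name, finding) tuples.
    """
    findings = []

    # Each wireless radio supports at most eight profiles.
    per_radio = Counter(p["radio"] for p in profiles)
    for radio, count in sorted(per_radio.items()):
        if count > MAX_PROFILES_PER_RADIO:
            findings.append(("*", f"{radio}: {count} profiles, limit is {MAX_PROFILES_PER_RADIO}"))

    names = Counter(p["name"] for p in profiles)
    for p in profiles:
        name, auth = p["name"], p["auth"]
        # Only length and uniqueness are checked: the default names shown in
        # this manual (such as NG_11g-01) contain '_' and '-'.
        if not name or len(name) > MAX_NAME_LEN:
            findings.append((name, "name must be 1 to 32 characters"))
        if names[name] > 1:
            findings.append((name, "name is not unique"))
        if auth not in OPEN_OR_PSK | RADIUS_BASED:
            findings.append((name, f"authentication '{auth}' is not covered by this check"))
            continue

        # The Captive Portal check box is shown only for open and PSK types.
        if p.get("captive_portal") and auth not in OPEN_OR_PSK:
            findings.append((name, "captive portal cannot be combined with RADIUS-based authentication"))

        # External MAC authentication and RADIUS network authentication exclude each other.
        if p.get("mac_acl") == "external":
            if auth in RADIUS_BASED:
                findings.append((name, "external MAC ACL cannot be combined with RADIUS-based authentication"))
            if p.get("mac_acl_server") == "basic-LDAP":
                findings.append((name, "external MAC ACL needs a RADIUS server, not the LDAP server"))

        # The Authentication Server buttons exist only for the WPA-with-RADIUS types.
        server = p.get("auth_server")
        if auth in WPA_RADIUS and server not in ("local", "external"):
            findings.append((name, "select a local or external authentication server"))
        if auth in OPEN_OR_PSK and server:
            findings.append((name, "authentication server is not offered for this authentication type"))

        vlan = p.get("vlan")
        if not isinstance(vlan, int) or not 1 <= vlan <= 4094:
            findings.append((name, "VLAN ID must be an integer from 1 to 4094"))
    return findings


# Constructed plan, modelled on the guest/engineering/marketing example in this chapter.
SAMPLE_PLAN = [
    {"name": "Guest", "radio": "2.4GHz", "auth": "Open System",
     "captive_portal": True, "vlan": 40},
    {"name": "Engineering", "radio": "5GHz", "auth": "WPA2 with Radius",
     "auth_server": "external", "vlan": 10},
    {"name": "Marketing", "radio": "5GHz", "auth": "WPA2 with Radius",
     "auth_server": "external", "captive_portal": True,
     "mac_acl": "external", "mac_acl_server": "Auth-1", "vlan": 20},
    {"name": "Lab", "radio": "2.4GHz", "auth": "WPA2-PSK",
     "mac_acl": "external", "mac_acl_server": "basic-LDAP", "vlan": 30},
]

if __name__ == "__main__":
    for profile_name, finding in lint_plan(SAMPLE_PLAN):
        print(f"{profile_name}: {finding}")
```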

Change the Settings for a Profile in the Basic Profile Group

You can change the settings for a profile in the basic profile group.
To change the settings for an existing profile:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller.
By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > Profile > Basic > Radio.
The Edit Profile (Basic) screen displays.
5. Click the tab for the radio for which you want to change a profile.
6. Click the tab for the profile that you want to change.
7. Change the settings.
For information about how to change the settings, see Configure a Profile in the Basic Profile Group on page 86.
8. Click the Apply button.

Remove a Profile From the Basic Profile Group

You can remove a profile from the basic profile group.
To remove an existing profile:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller.
By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > Profile > Basic > Radio.
The Edit Profile (Basic) screen displays.
5. Click the tab for the radio for which you want to remove a profile.
6. Click the tab for the profile that you want to remove.
7. Click the Delete button.
8. Confirm that you want to remove the profile.

Manage Security Profiles for Advanced Profile Groups

Advanced profile groups are useful for larger deployments. NETGEAR recommends that you read the information in Wireless Security Profile Concepts on page 83 before you configure any profile groups and profiles.

Add an Advanced Profile Group

The advanced Profile Group screen lets you create up to eight profile groups. For each profile group, you can create and configure up to eight security profiles per wireless radio (eight profiles for a single-band access point; 16 profiles for a dual-band access point). Separate profiles are applied to 802.11b/bg/ng-mode and 802.11a/na-mode radios.
By default, all access points are assigned to the basic profile group. After you have created advanced profile groups, you can use the WLAN Network screen to reassign access points to any of these advanced profile groups (see Assign Access Points to Advanced Profile Groups on page 137).
To add an advanced profile group:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller.
By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > Profile > Advanced > Radio.
The Profile Groups screen displays.
5. To add a profile group, click the + button.
The new profile group displays on the Profile Groups screen. By default, an NG_11g-x1 profile and an NG_11a-x2 profile, in which x is the group number, are present in a profile group.
Note: By default, profile groups are named Group-1, Group-2, Group-3, and so on. You cannot change these profile group names.
The following table describes the fields that are shown for each profile in a profile group.
Setting: Description
Name: The unique profile name.
Radio: The wireless radio in which the profile is operating.
Authentication: The authentication setting under which the profile is operating.

Remove an Advanced Profile Group

You can remove an advanced profile group.
To remove an advanced profile group:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller. By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > Profile > Advanced > Radio.
The Profile Groups screen displays.
5. Click the tab for the profile group that you want to remove.
6. Click the Delete button.
Note: There is no separate procedure to change profile groups. You change profile groups by adding, removing, or changing profiles in the profile group.

Configure a Profile in an Advanced Profile Group

For each profile group, the Edit Profile (Group-X, in which X is the group number) screen lets you create and configure up to 8 security profiles per wireless radio (8 profiles for a single-band access point; 16 profiles for a dual-band access point). Separate profiles are applied to 802.11b/bg/ng-mode and 802.11a/na-mode radios.
To add a security profile to an advanced profile group and configure the security profile:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller. By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > Profile > Advanced > Radio.
The Profile Groups screen displays.
5. Click the Edit button.
The Edit Profile (Group-X) screen displays.
6. Click the tab for the radio for which you want to add a profile.
7. Click the + button to add the profile to the selected advanced profile group.
The Add Profiles pop-up screen displays.
8. (Optional) Clone an existing profile:
a. Select the Clone an existing Profile check box.
b. Select a profile from the Profiles menu.
9. Click the Add button.
The newly created profile displays onscreen, and the tab for the new profile is automatically selected to let you configure the new profile.
Note: The authentication server settings that you specify on the Authentication Server screen affect the selections that are available from the Network Authentication menu. For more information, see Manage Authentication Servers and Authentication Server Groups on page 104. If your selection from the Network Authentication menu requires authentication, a corresponding Authentication Server field displays.
Click + to add another profile.
Your selection from the Network Authentication menu determines the information that is displayed onscreen.
Select the Local radio button to display the Local MAC ACL Group menu.
Select the External radio button to display the External Radius Server menu.
10. Configure the settings as described in the following table:
Setting: Description
Profile Definition section
Name: Enter a unique name to identify the profile. This value can be up to 32 alphanumeric characters. Use meaningful profile names instead of the default names. The default profile names are Profile1, Profile2, and so on, through Profile8.
Wireless Network Name (SSID): Enter a unique name for the wireless network associated with this profile.
Broadcast Wireless Network Name: Select the Yes radio button to enable broadcast of the SSID. This is the default setting. Select the No radio button to disable broadcast of the SSID, in which case only devices that have the correct SSID can connect to the access point.
Client Authentication section
Note: The options that display onscreen depend on your selection from the Network Authentication menu.
Network Authentication: From the menu, select the authentication type to be used. Table 7 on page 100 lists all authentication types.
Data Encryption: From the menu, select the data encryption type to be used. The options available for data encryption as well as other requirements such as entering a key or passphrase depend on the network authentication settings. Table 7 on page 100 lists all data encryption options.
Wireless Client Security Separation: From the menu, select Disable to prevent associated wireless clients from communicating with each other, or select Enable to allow such communication. Wireless client separation is intended for hotspots and other public access situations.
VLAN: Enter the VLAN ID to be associated with this security profile. This VLAN ID must match the VLAN ID that other network devices use.
Authentication Settings section
Note: The options that display onscreen depend on the selection from the Network Authentication menu.
MAC ACL: Select one of the following radio buttons:
- Local. Use local MAC authentication. The Local MAC ACL Group menu displays so you can select a group. For more information, see Manage MAC Authentication and MAC Authentication Groups on page 109.
- External. Use external MAC authentication. The External Radius Server menu displays so you can select a server. You can select either the basic-Auth RADIUS server or a RADIUS server of an advanced authentication group. You cannot use the external LDAP server.
For information about setting up and enabling internal and external authentication servers, see Manage Authentication Servers and Authentication Server Groups on page 104.
Note: The MAC ACL buttons display only when you select Open System, Shared Key, WPA-PSK, WPA2-PSK, or WPA-PSK & WPA2-PSK from the Network Authentication menu.
Note: The MAC ACL radio buttons do not display onscreen if the network authentication uses an external RADIUS server. The reason for this is that you can configure either MAC authentication with an external RADIUS server or network authentication with an external RADIUS server, but not both. That is, if you configure an external RADIUS server with WPA, WPA2, or WPA & WPA2 (or you use Legacy 802.1X), you cannot use external MAC authentication, and the MAC ACL radio buttons do not display onscreen. You can still use internal MAC authentication.
Captive Portal: Select the Captive Portal check box if you want to enable the captive portal. For more information, see Manage Guest Network Access on page 145.
Note: The Captive Portal check box displays only when you select Open System, Shared Key, WPA-PSK, WPA2-PSK, or WPA-PSK & WPA2-PSK from the Network Authentication menu.
Note: If the network authentication uses a RADIUS server, whether it is a local server or an external server, you cannot configure captive portal authentication. That is, if you configure a RADIUS server with WPA, WPA2, or WPA & WPA2 (or if you use legacy 802.1X), the Captive Portal check box is not shown onscreen.
Authentication Server: Select one of the following radio buttons:
- Local. Use the local authentication server.
- External. Use an external authentication server. Select an external authentication server from the Authentication Server menu.
Note: The Authentication Server buttons and menu display only when you select WPA with Radius, WPA2 with Radius, or WPA & WPA2 with Radius from the Network Authentication menu.
Note: For information about setting up and enabling internal and external authentication servers, see Manage Authentication Servers and Authentication Server Groups on page 104.
Wireless QoS section
Wi-Fi Multimedia (WMM): To enable Wi-Fi Multimedia (WMM), select the Enable radio button, which is the default setting. Select the Disable button to disable the feature. For more information, see Manage Quality of Service for an Advanced Profile Group on page 188.
WMM Powersave: The WMM Powersave feature saves power for battery-powered equipment by increasing the efficiency and flexibility of data transmission. To enable this feature, select the Enable radio button, which is the default setting. Select the Disable button to disable the feature.
11. Click the Apply button.
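The notes in the preceding settings table make some options depend on the Network Authentication selection, and a planned set of profiles can be checked against those rules before it is entered on the Edit Profile (Group-X) screen. The following Python check is an added example, not NETGEAR code: the dict layout, field names and sample profiles are hypothetical, and the finding for Open System and Shared Key is the editor's addition rather than a statement from this manual.

```python
# Network Authentication menu selections named in the settings table.
OPEN_OR_PSK = {"Open System", "Shared Key", "WPA-PSK", "WPA2-PSK",
               "WPA-PSK & WPA2-PSK"}
RADIUS_WPA = {"WPA with Radius", "WPA2 with Radius", "WPA & WPA2 with Radius"}
RADIUS_BACKED = RADIUS_WPA | {"Legacy 802.1X"}
DEFAULT_NAMES = {f"Profile{i}" for i in range(1, 9)}


def check_profile(p):
    """Return findings for one planned profile (hypothetical dict layout)."""
    out = []
    name, auth = p["name"], p["auth"]
    if not 1 <= len(name) <= 32:
        out.append("name: must be 1 to 32 characters")
    elif name in DEFAULT_NAMES:
        out.append("name: default name, choose a meaningful one")
    if auth not in OPEN_OR_PSK | RADIUS_BACKED:
        return out + [f"auth: unknown selection {auth!r}"]
    server, mac_acl = p.get("auth_server"), p.get("mac_acl")
    # The Authentication Server buttons exist only for the Radius selections.
    if auth in RADIUS_WPA and server not in ("local", "external"):
        out.append("auth_server: select Local or External")
    # An external RADIUS server backs MAC authentication or network
    # authentication, never both; local MAC authentication stays possible.
    ext_net_auth = auth == "Legacy 802.1X" or (
        auth in RADIUS_WPA and server == "external")
    if mac_acl == "external" and ext_net_auth:
        out.append("mac_acl: external MAC auth conflicts with external RADIUS")
    # Captive portal is hidden for every RADIUS-backed selection.
    if p.get("captive_portal") and auth in RADIUS_BACKED:
        out.append("captive_portal: not available with RADIUS or 802.1X")
    # Editor's addition, not from the manual: no encryption or WEP only.
    if auth in {"Open System", "Shared Key"}:
        out.append("auth: no encryption or WEP only")
    return out


def audit(profiles):
    """Map each profile name to its findings, skipping clean profiles."""
    return {p["name"]: f for p in profiles if (f := check_profile(p))}


# Constructed sample input: three planned profiles.
PLANNED = [
    {"name": "Profile1", "auth": "Open System", "captive_portal": True},
    {"name": "Staff", "auth": "WPA2 with Radius", "auth_server": "external",
     "mac_acl": "external", "captive_portal": True},
    {"name": "Lab", "auth": "WPA2 with Radius", "auth_server": "external",
     "mac_acl": "local"},
]

if __name__ == "__main__":
    for name, findings in audit(PLANNED).items():
        print(name, findings)
```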

Change the Settings for a Profile in an Advanced Profile Group

You can change the settings for a profile in an advanced profile group.
To change the settings for an existing profile in an advanced profile group:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller. By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > Profile > Advanced > Radio.
The Profile Groups screen displays.
5. Click the tab for the profile group for which you want to change a profile.
6. Click the Edit button.
The Edit Profile screen displays.
7. Click the tab for the radio for which you want to change a profile.
8. Click the tab for the profile that you want to change.
9. Change the settings.
For information about how to change the settings, see Configure a Profile in an Advanced Profile Group on page 93.
10. Click the Apply button.

Remove a Profile From an Advanced Profile Group

You can remove a profile from an advanced profile group.
To remove an existing profile from an advanced profile group:
1. Open a web browser. In the browser’s address field, type http:// followed by the IP address that you assigned to the wireless controller. By default, the IP address is 192.168.0.250. If you have not yet assigned another IP address to the wireless controller, type http://192.168.0.250.
The wireless controller’s login screen displays.
2. Enter your user name and password.
If you have not yet personalized your user name and password, enter admin for the user name and password for the password, both in lowercase letters.
3. Click the Login button.
The wireless controller’s web management interface opens and displays the Summary screen.
4. Select Configuration > Profile > Advanced > Radio.
The Profile Groups screen displays.
5. Click the tab for the profile group for which you want to remove a profile.
6. Click the Edit button.
The Edit Profile (Group-X) screen displays.
7. Click the tab for the radio for which you want to remove a profile.
8. Click the tab for the profile that you want to remove.
9. Click the Delete button.
10. Confirm that you want to remove the profile.

Network Authentication and Data Encryption Options

This section describes the detailed network authentication and data encryption options that you can select in the procedures that are described in Configure a Profile in the Basic Profile Group on page 86 and Configure a Profile in an Advanced Profile Group on page 93. Table 7 on page 100 shows the data encryption options based on the network authentication that you select on the Edit Profile (Basic) or Edit Profile (Group-X) screen, and the required configuration steps to implement the selected network authentication.
Note: On the Edit Profile (Basic) or Edit Profile (Group-X) screen, for any selection from the Network Authentication menu that requires a RADIUS server, authentication is not restricted to a RADIUS server; you can also use an internal authentication server or an external LDAP server.
Note: You can configure either MAC authentication with an external RADIUS server or network authentication with an external RADIUS server, but not both. That is, if you configure external MAC authentication, you cannot use an external RADIUS server with WPA, WPA2, or WPA & WPA2.
Table 7. Network authentication and data encryption settings

Network Authentication Selection: Open
Data Encryption Options: None, WEP
Configuration Steps: You can use an open system without any encryption or with WEP encryption:
- No encryption. An open system without encryption is the default setting. No further authentication and encryption configuration is required.
- WEP encryption. To configure an open system with WEP encryption, see the Shared Key and WEP information further down in this table.

Network Authentication Selection: Shared Key
Data Encryption Options: 64-bit WEP, 128-bit WEP, 152-bit WEP
Configuration Steps: To configure Shared Key authentication with WEP:
1. From the Data Encryption menu, select a level of WEP encryption:
- 64-bit WEP. Uses 40/64-bit encryption.
- 128-bit WEP. Uses 104/128-bit encryption.
- 152-bit WEP. A proprietary mode that works only with other wireless devices that support this mode.
2. (Optional) Select the Show Key check box to display the characters in the key fields.
3. Select a key radio button (Key1, Key2, Key3, or Key4).
4. Enter a key in the corresponding field:
- 64-bit WEP requires a key with 10 characters.
- 128-bit WEP requires a key with 26 characters.
- 152-bit WEP requires a key with 32 characters.
Note: For information about requirements for WEP keys, see Table 11 on page 306.