NETGEAR WFS709TP-100NAS User Manual
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
202-10265-01
June 2007
© 2007 by NETGEAR, Inc. All rights reserved.
Technical Support
Please refer to the support information card that shipped with your product. By registering your product at
http://www.netgear.com/register, we can provide you with faster expert technical support and timely notices of product
and software upgrades.
NETGEAR, INC. Support Information
Phone: 1-888-NETGEAR, for US & Canada only. For other countries, see your Support information card.
E-mail: support@netgear.com
North American NETGEAR
http://www.netgear.com
Trademarks
NETGEAR, the NETGEAR logo, and Auto Uplink are trademarks or registered trademarks of NETGEAR, Inc. Other
brand and product names are registered trademarks or trademarks of their respective holders. Portions of this document
are copyright Intoto, Inc.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to
make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit
layout(s) described herein.
Certificate of the Manufacturer/Importer
It is hereby certified that the WFS709TP ProSafe Smart Wireless Switch has been suppressed in accordance with the
conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example,
test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the
notes in the operating instructions.
The Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market
and has been granted the right to test the series for compliance with the regulations.
Bestätigung des Herstellers/Importeurs
Es wird hiermit bestätigt, daß dasWFS709TP ProSafe Smart Wireless Switch gemäß der im BMPT-AmtsblVfg 243/1991
und Vfg 46/1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben einiger Geräte (z.B.
Testsender) kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die Anmerkungen in der
Betriebsanleitung.
Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt
gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.
Regulatory Compliance Information
This section includes user requirements for operating this product in accordance with National laws for usage of radio
spectrum and operation of radio devices. Failure of the end user to comply with the applicable requirements may result
in unlawful operation and adverse action against the end user by the applicable National regulatory authority.
ii
v1.0, June 2007
NOTE: This product's firmware limits operation to only the channels allowed in a particular Region or Country.
Therefore, all options described in this user's guide may not be available in your version of the product.
United States
FCC Class A
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of
the FCC Rules. These limits are designed to provide rea sonable protection against harmful interference when the
equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency
energy and, if not installed and used in accordance with the instruction manual, may cause harmful interfe rence to radio
communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case
the user will be required to correct the interference at their own expense.
Any changes or modifications not expressly approved by the party responsible for compliance could void the user’s
authority to operate this equipment.
This product is UL Listed (UL60950).
Canada
This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus as set out in the
interference-causing equipment standard entitled “Digital Apparatus,” ICES-003 of the Department of Communications.
Cet appareil numérique respecte les limites de bruit s ra dioélectriques applicables aux appareils numériques de Classe A
prescrites dans la norme sur le matériel brouilleur: “Appareils Numériques,” NMB-003 édictée par le ministère des
Communications.
This product complies with CAN/CSA C22.2 No 60950 standards.
Europe
The WFS709TP ProSafe Smart Wireless Switch is compliant with the following EU Council Directives: 89/336/EEC
and LVD 73/23/EEC. Compliance is verified by testing to the following standards: EN55022 Class A, EN55024, and
EN60950.
Warning: This is a Class A product. In a domestic environment, this product may cause radio interference
in which case the user may be required to take adequate measures
Japan
This equipment is in the Class A category (information equipment to be used in commerc ial and/ or indu strial areas) and
conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and
Electronic Office Machines that are aimed at preventing radio interference in commercial and/or industrial areas.
Consequently, when this equipment is used in a residential area or in an adjacent area thereto, radio interference may be
caused to equipment such as radios and TV receivers.
v1.0, June 2007
iii
VCCI - Class A
Korea
Class A
Australia/New Zealand
This product complies with AS/NZS CISPR 22 Class A standards.
Rest of World
This product complies with CISPR 22 Class A standards
Lithium Battery Safety Notice
This product contains a lithium battery which is replaceable only by a trained technician
Caution: The lithium battery may explode if it is incorrectly replaced. A trained technician should replace the battery
with the same or equivalent type battery recommended by the manufacturer. Dispose of used batteries according to the
manufacturer’s instructions
iv
v1.0, June 2007
European Union RoHS
Netgear products comply with the EU Restriction of Hazardous Substances Directive
2002/95/EC (RoHS). EU RoHS restricts the use of specific hazardous materials in the
manufacture of electrical and electronic equipment. Specifically, restricted materials
under the RoHS Directive are Lead (including Solder used in printed circuit
assemblies), Cadmium, Mercury, Hexavalent Chromium, and Bromine compounds of
PBB and PBDE. Some Netgear products are subject to the exemptions listed in RoHS
Directive Annex 7 (Lead in solder used in printed circuit assemblies). Products and
packaging will be marked with the "RoHS" label shown at the left indicating
conformance to this Directive.
China RoHS
Netgear products comply with China environmental declaration requirements and are
labeled with the "EFUP 50" label shown at the left.
v1.0, June 2007
v
Product and Publication Details
Model Number: WFS709TP
Publication Date: June 2007
Product Family: Wireless
Product Name: WFS709TP ProSafe Smart Wireless Switch
Home or Business Product: Business
Language: English
Publication Part Number: 202-10265-01
Publication Version Number: 1.0
vi
v1.0, June 2007
Contents
About This Manual
Conventions, Formats, and Scope .................................................................................. xiii
How to Use This Manual ................................................................................................. xiv
How to Print this Manual.................................................................................................. xiv
Revision History................... ... ... ... .... .......................................... ..................................... xv
Chapter 1.
Overview of the WFS709TP
WFS709TP System Components ...................................................................................1-1
NETGEAR ProSafe Access Points .................................................................. ... ... ..1-1
WFS709TP ProSafe Switches .................................................................................1-5
WFS709TP Software ...............................................................................................1-7
Basic WLAN Configuration .............................................................................................1-8
Authentication ..........................................................................................................1-8
Encryption ..............................................................................................................1-10
VLAN ..................................... ................................. ................................ ................1-11
Wireless Client Access to the WLAN ............................................................................1-13
Association ................................... ................................ .................................... ...... 1-13
Authentication ........................................................................................................1-14
Client Mobility and AP Association .........................................................................1-15
Configuring and Managing the WFS709TP ..................... ............................................. 1-16
Tools ................................ ................................ ............................. .......................... 1-18
Chapter 2.
Deploying a Basic WFS709TP System
Configuration Overview ................................................... ... ... .... ... ... ... .... ........................2-1
Deployment Scenario #1 ..........................................................................................2-1
Deployment Scenario #2 ..........................................................................................2-2
Deployment Scenario #3 ..........................................................................................2-4
Configuring the WFS709TP ............................................................................................2-5
Run the Initial Setup . .... ... ... ... .... ... ... .......................................... ...............................2-6
v1.0, June 2007
vii
WFS709TP ProSafe Smart Wireless Switch Hardware Installation Guide
Configure the Switch for the Access Points .............................................................2-8
Configure a VLAN for Network Connection ............................................................2-10
Connect the WFS709TP to the Network ................................................................2-12
Configure the Loopback for the WFS709TP ..........................................................2-13
Deploying APs ....................................... ... .... ... ... ... .......................................... .............2-14
Enable APs to Connect to the WFS709TP ............................................................2-15
Install APs ..............................................................................................................2-18
Provision APs .........................................................................................................2-18
Additional Configuration ........................... .... ... ... ... ... .......................................... .... ... ...2-20
Chapter 3.
Configuring Network Parameters
Configuring VLANs .........................................................................................................3-1
Assigning a Static Address to a VLAN .....................................................................3-2
Configuring a VLAN to Receive a Dynamic Address ...............................................3-3
Configuring Static Routes ...............................................................................................3-5
Configuring the Loopback IP Address ............................................................................3-6
Chapter 4.
RF Plan
RF Plan Overview ...........................................................................................................4-1
Before You Begin ............................................................................................................4-2
Task Ov erview .... ... ... .... ... ....................................... ... ... ... .... ... ... ... .... ........................4-2
Planning Requirements ............................................................................................4-2
Using RF Plan ................................................................................................................4-3
Building List Page ........................................ ... .......................................... ...............4-4
Building Specification Overview Page .......................... ... .... ... ... ... .... ... ... ... ... .... ... ... ..4-4
Building Dimension Page ....................................................... ... ... .... ... ... ... ...............4-5
AP Modeling Parameters Page ................................................................................4-7
AM Modeling Parameters Page ...............................................................................4-9
Planning Floors Page .............................................................................................4-10
AP Planning Page ..................................................................................................4-17
AM Planning Page .................................................................................................4-19
Exporting and Importing Files ................................................................................4-20
Locate ....................................................................................................................4-21
RF Plan Example ..........................................................................................................4-22
Sample Building .....................................................................................................4-22
viii Contents
v1.0, June 2007
WFS709TP ProSafe Smart Wireless Switch Hardware Installation Guide
Create a Building ....................................................................................................4-23
Model the Access Points .... ... .... ... ... ... .... ... .............................................................4-24
Model the Air Monitors ................. ... ... .... ... ... ... ... .... ... .......................................... ...4-25
Add and Edit a Floor ..............................................................................................4-25
Defining Areas ........................................................................................................4-26
Running the AP Plan ..............................................................................................4-29
Running the AM Plan .............................................................................................4-30
Chapter 5.
Configuring WLANS
Before You Begin ............................................................................................................5-1
Determine the Authentication Method ....................................... ............................... 5-2
Determine the Default VLAN ....................................................................................5-4
Basic WLAN Configuration in the Browser Interface ...................................................... 5-4
Example Configuration .............................................................................................5-7
Advanced WLAN Configuration in the Browser Interface .......................... ..................... 5-9
Configuring Global Parameters ................................................................................5-9
Configuring Location-Specific Parameters .............................................................5-10
Add or Modify SSIDs ..............................................................................................5-10
Configure AP Information .......................................................................................5-12
Configuring Radio Settings ....................................................................................5-14
Example Configuration ...........................................................................................5-17
IntelliFi RF Management ..............................................................................................5-19
Channel Setting ......................................................................................................5-19
Power Setting .........................................................................................................5-19
Advantages of Using IRM ......................................... ... ... .... ... ... ... .... ... ... ... ... .... ... ...5-19
Configuring IRM .....................................................................................................5-20
Chapter 6.
Configuring AAA Servers
Configuring an External RADIUS Server ........................................................................6-1
Adding Users to the Internal Database ...........................................................................6-3
Configuring Authentication Timers ................................................ ...... ....... ...... ....... ...... ..6-4
Chapter 7.
Configuring 802.1x Authentication
802.1x Authentication .....................................................................................................7-1
Authentication with a RADIUS Server ......................................................................7-2
Contents ix
v1.0, June 2007
WFS709TP ProSafe Smart Wireless Switch Hardware Installation Guide
Authentication Terminated on WFS709TP ................... ... .... ... ... ... .... ... ... ... ... .... ... ... ..7-3
Configuring 802.1x Authentication ..................................................................................7-4
802.1x Authentication Page .....................................................................................7-5
Advanced Configuration Options for 802.1x ...................................................................7-6
Chapter 8.
Configuring the Captive Portal
Overview of Captive Portal Functions ............................................................................8-1
Configuring Captive Portal ..............................................................................................8-2
Configuring Advanced Captive Portal Options ...............................................................8-3
Configuring the AAA Server for Captive Portal ...............................................................8-5
Changing the Protocol to HTTP ...............................................................................8-5
Personalizing the Captive Portal Page ...........................................................................8-6
Chapter 9.
Configuring MAC-Based Authentication
Configuring the WFS709TP ............................................................................................9-1
Configuring Users ...........................................................................................................9-2
Chapter 10.
Adding Local WFS709TPs
Moving to a Multi-Switch Environment .........................................................................10-1
Configuring Local WFS709TPs ....................................................................................10-2
Configuring the Local WFS709TP ..........................................................................10-2
Configuring L2/L3 Settings .....................................................................................10-2
Configuring Trusted Ports ......................................................................................10-3
Configuring APs .....................................................................................................10-3
Rebooting APs .......................................................................................................10-4
Chapter 11.
Configuring Redundancy
Virtual Router Redundancy Protocol ............................................................................11-1
Redundancy Configuration ...........................................................................................11-1
Configuring Local WFS709TP Redundancy ..........................................................11-2
Master WFS709TP Redundancy ...........................................................................11-4
Master-Local WFS709TP Redundancy ..................................................................11-5
Chapter 12.
Configuring Wireless Intrusion Protection
Rogue/Interfering AP Detection ....................................................................................12-1
Enabling AP Learning ............................................................................................12-2
x Contents
v1.0, June 2007
WFS709TP ProSafe Smart Wireless Switch Hardware Installation Guide
Classifying APs ......................................................................................................12-2
Configuring Rogue AP Detection ...........................................................................12-4
Misconfigured AP Detection .........................................................................................12-5
Configuring Misconfigured AP Protection ..............................................................12-5
Chapter 13.
Configuring Management Utilities
Configuring Management Users ...................................................................................13-1
Configuring SNMP ........................................................................................................13-2
SNMP for the WFS709TP ......................................................................................13-2
SNMP for Access Points ........................................................................................13-4
SNMP Traps ...........................................................................................................13-9
Configuring Logging .............................................................................................13-12
Creating Guest Accounts ............................................................................................13-14
Managing Files on the WFS709TP .............................................................................13-16
Managing Image Files ........ ... .... ... ... .......................................... ... .... ... ... ... ... .... ... .13-17
Backing Up and Restoring the Flash File System ..................... ........................... 13-17
Copying Log Files ................................................................................................13-18
Copying Other Files .............................................................................................13-18
Installing a Server Certificate ......................................................................................13-19
Chapter 14.
Configuring WFS709TP for Voice
Voice over IP Proxy ARP ....................... ... .... ... .......................................... ... ... ... ..........14-1
Battery Boost ................................................................................................................14-2
Limiting the Number of Active Voice Calls ....................... ... ... .... ... ... ... .... ... ...................14-3
WPA Fast Handover .....................................................................................................14-4
Appendix A.
Configuring DHCP with Vendor-Specific Options
Overview ................................... ................ ................ ................. ................ ................ .... A-1
Windows-Based DHCP Servers .................................................................................... A-2
Configuring Option 60 ............................................................................................. A-2
Configuring Option 43 ............................................................................................. A-3
Linux DHCP Servers ..................................................................................................... A-4
Appendix B.
Windows Client Example Configuration for 802.1x
Window XP Wireless Client Example Configuration .............. .................... ................... . B-1
Contents xi
v1.0, June 2007
WFS709TP ProSafe Smart Wireless Switch Hardware Installation Guide
Appendix C.
Internal Captive Portal
Creating a New Internal Web Page .................................... ... .... ... ... ... .... ... ... ... ... .... .......C-1
Basic HTML Example .............................................................................................. C-3
Installing a New Captive Portal Page ........... ... ... ... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... . C-4
Displaying Authentication Error Message ......................................................................C-4
Language Customization ............................................................................................... C-6
Customizing the Welcome Page ................................................................................. C-12
Customizing the Pop-Up Box ...................................................................................... C-14
Customizing the Logged Out Box ................................................................................C-15
Appendix D.
Related Documents
Index 1
xii Contents
v1.0, June 2007
About This Manual
The WFS709TP ProSafe™ Smart Wireless Switch Software Administration Manual describes how
to deploy and configure the WFS709TP ProSafe Smart Wireless Switch. It also includes
instructions for and examples of commonly used wireless LAN (WLAN) switch configurations
such as Virtual Private Networks (VPNs) and redundancy.
Conventions, Formats, and Scope
The conventions, formats, and scope of this manual are described in the following paragraphs:
• Typographical Conventions. This manual uses the following typographical conventions:
Italic Emphasis, books, CDs, file and server names, extensions
Bold User input, IP addresses, GUI screen text
Fixed Command prompt, CLI text, code
italic URL links
• Formats. This manual uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
Tip: This format is used to highlight a procedure that will save time or resources.
Warning: Ignoring this type of note may result in a malfunction or damage to the
equipment.
v1.0, June 2007
xiii
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
Danger: This is a safety warning. Failure to take heed of this notice may result in
personal injury or death.
• Scope. This manual is written for the WFS709TP according to these specifications:
Product Version WFS709TP ProSafe Smart Wireless Switch
Manual Publication Date June 2007
For more information about network amd wireless technologies, see the links to the NETGEAR
website in Appendix D, “Related Documents”.
Note: Product updates are available on the NETGEAR, Inc. website at
http://www.netgear.com/support.
How to Use This Manual
The HTML version of this manual includes the following:
• Buttons, and , for browsing forwards or backwards through the manual one page
at a time
• A button that displays the table of contents and an button. Double-click on a
link in the table of contents or index to navigate directly to where the topic is described in the
manual
• A button to access the full NETGEAR, Inc. online knowledge base for the product
model
• Links to PDF versions of the full manual and individual chapters
How to Print this Manual
To print this manual, choose one of the following options:
• Printing a Page from HTML. Each page in the HTML version of the manual is dedicated to
a major topic. Select File > Print from the browser menu to print the page contents.
xiv About This Manual
v1.0, June 2007
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
• Printing from PDF. Your computer must have the free Adobe Acrobat reader installed in
order to view and print PDF files. The Acrobat reader is available on the Adobe website at
http://www.adobe.com.
– Printing a PDF Chapter. Use the PDF of This Chapter link at the top left of any page.
• Click the PDF of This Chapter link at the top left of any page in the chapter you want
to print. The PDF version of the chapter you were viewing opens in a browser
window.
• Click the print icon in the upper left of your browser window.
– Printing a PDF version of the Complete Manual. Use the Complete PDF Manual link
at the top left of any page.
• Click the Complete PDF Manual link at the top left of any page in the manual. The
PDF version of the complete manual opens in a browser window.
• Click the print icon in the upper left of your browser window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can
save paper and printer ink by selecting this feature.
Revision History
Part Number
202-10265-01 1.0 June 2007 Initial NETGEAR release.
About This Manual xv
Version
Number
Date Description
v1.0, June 2007
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
xvi About This Manual
v1.0, June 2007
Chapter 1
Overview of the WFS709TP
The WFS709TP ProSafe Smart Wireless Switch is a full-featured wireless switch that centrally
manages NETGEAR Light access points, delivering integrated wireless mobility, security, and
converged services for both wired and wireless users.
This chapter describes the components and features of the WFS709TP ProSafe Smart Wireless
Switch, in the following topics:
• “WFS709TP System Components” on page 1-1
• “Basic WLAN Configuration” on page 1-8
• “Wireless Client Access to the WLAN” on page 1-13
• “Configuring and Managing the WFS709TP” on page 1-16
WFS709TP System Components
The WFS709TP ProSafe Smart Wireless Switch system consists of the following components:
• “NETGEAR ProSafe Access Points” on page 1-1
• “WFS709TP ProSafe Switches” on page 1-5
• “WFS709TP Software” on page 1-7
The following sections describe each of these components.
NETGEAR ProSafe Access Points
The NETGEAR ProSafe WAGL102 and ProSafe WGL102 access points (APs) are designed for
the WFS709TP, and provide the best features and easiest integration. Several other NETGEAR
access point products can also be repurposed to work with the WFS709TP. Refer to the
NETGEAR support site for a list of which NETGEAR APs can be repurposed, and for instructions
on how to do so.
An AP broadcasts its configured service set identifier (SSID), which corresponds to a specific
wireless local area network (WLAN). Wireless clients discover APs by listening for broadcast
beacons or by sending active probes to search for APs with a specific SSID.
1-1
v1.0, June 2007
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
You can connect an AP to a WFS709TP either directly with an Ethernet cable or remotely through
an IP network. Figure 1-1 shows two APs connected to an WFS709TP. One AP is connected to a
switch in the wiring closet that is connected to a router in the data center where the WFS709TP is
located. The Ethernet port on the other AP is cabled directly to a port on the WFS709TP.
Floor
Wiring
closet
Data center
Internet
Netgear AP
connected
through an IP
network
Netgear AP connected
WFS709TP
with an Ethernet cable
Figure 1-1
Access points used with the WFS709TP are Light APs, which means their primary function is to
receive and transmit wireless RF signals; other WLAN processing is left to the WFS709TP itself.
When powered on, an AP locates its host switch through a variety of methods, including the Aruba
Discovery Protocol (ADP), Domain Name Service (DNS), or D ynamic Host Configuration
1-2 Overview of the WFS709TP
v1.0, June 2007
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
Protocol (DHCP). Once an AP locates its host switch, it automatically builds a secure Generic
Routing Encapsulation (GRE) tunnel to it (Figure 1-2). The AP then downloads its firmware and
configuration from the switch through the tunnel.
Netgear AP
Floor
GRE tunnel
Wiring
closet
Internet
GRE
tunnel
Data center
Figure 1-2
WFS709TP
Client traffic received by the AP is immediately sent through the tunnel to the host WFS709TP
(Figure 1-3), which performs packet processing such as encryption and decryption, authentication,
and policy enforcement
Overview of the WFS709TP 1-3
v1.0, June 2007
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
.
Wireless clients
Floor
Netgear AP
Wiring
closet
Internet
WFS709TP
Data center
Figure 1-3
Automatic RF Channel and Power Settings
IntelliFi RF Management (IRM) is a radio frequency (RF) resource allocation algorithm that you
can enable and configure in the WFS709TP system. When IRM is enabled, each AP can determine
the optimum channel selection and transmitter power setting to minimize interference and
maximize coverage and throughput. The APs scan for better channels at periodic intervals and
report information to the WFS709TP. The WFS709TP analyzes reports from all APs and
coordinates changes, resulting in a higher-performance RF environment.
If an AP fails for any reason, the system’ s self-healing mechanism automatically ensures coverage
for wireless users. The WFS709TP detects the failed AP and instructs neighboring APs to increase
power levels to compensate.
1-4 Overview of the WFS709TP
v1.0, June 2007
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
You can also enable WFS709TPs to detect coverage holes, or areas where a good RF signal is not
adequately reaching wireless clients.
RF Monitoring
An AP can function as either a dedicated or shared Air Monitor (AM) to monitor the RF spectrum
to detect intrusions, denial of service (DoS) attacks, and other vulnerabilities. A dedicated AM
performs monitoring functions exclusively and does not service wireless clients or advertise
SSIDs. A shared AM performs monitoring functions in addition to servicing wireless clients.
Every AP automatically monitors the channel on which it services wireless clients. You can
configure the AP to perform off-channel scanning, where the AP spends brief time intervals
scanning other channels. However, the more clients an AP services, the less time it has to perform
off-channel scanning. If air monitoring functions are critical to your network, designate a few APs
as dedicated AMs.
You can configure dedicated AMs to perform the following functions:
• Detect, locate, and disable rogue APs (APs that are not authorized or sanctioned by network
administrators)
• Detect and disable ad-hoc networks
• Detect and disable honeypot APs
• Detect wireless bridges
• Capture remote packets
If you only need air monitoring functions periodically, you can configure APs to operate
temporarily as AMs. You can also configure dedicated AMs to automatically convert into APs if
an AP failure occurs or when there is a high level of traffic on the network.
WFS709TP ProSafe Switches
All APs are connected either directly or remotely through an IP network to the WFS709TP
ProSafe Smart Wireless Switch. The WFS709TP is an enterprise-class switch that bridges wireless
client traffic to and from traditional wired networks and performs high-speed Layer 2 or Layer 3
packet forwarding between Ethernet ports. While APs provide radio services only, the WFS709TP
performs upper-layer media access control (MAC) processing, such as encryption and
authentication, as well as centralized configuration and management of SSIDs and RF
characteristics for the APs. This allows you to deploy APs with little or no physical change to an
existing wired infrastructure.
Overview of the WFS709TP 1-5
v1.0, June 2007
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
WFS709TP switches provide 10/100 Mbps Fast Ethernet, IEEE 802.3af-compliant ports that can
provide Power over Ethernet (PoE) to directly connected APs. When you connect a PoE-capable
port on the WFS709TP to a PoE-compatible device such as an AP, the port automatically detects
the device and provides operating power through the connected Ethernet cable. This allows APs to
be installed in areas where electrical outlets are unavailable, undesirable, or not permitted, such as
in the plenum or in air-handling spaces.
At least one WFS709TP is the master switch while non-master switches are referred to as local
switches (Figure 1-4). A master WFS709TP offers a single point of configuration that is
automatically replicated from the master to local WFS709TPs throughout the network.
Local WFS709TPs offer local points of traffic aggregation and management for APs and services.
A local WFS709TP can perform any supported function (for example , WLAN m anagement or
policy enforcement). However, these services are always configured on the master WFS709TP and
are “pushed” to specified local WFS709TPs.
An AP obtains its firmware image and configuration from a master switch; it can also be instructed
by a master switch to obtain its software from a local switch.
Note: For information about configuring the switch for master or local status, see the
“Run the Initial Setup” on page 2-6.
1-6 Overview of the WFS709TP
v1.0, June 2007
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
.
NETGEAR Wireless APs
Local WFS709TP
Master WFS709TP
Local WFS709TP
Figure 1-4
Your network can include one master WFS709TP, one or more backup master WFS709TPs, and
any number of local WFS709TPs. Master WFS709TPs do not share information with each other,
so APs that share roaming tables, security policies, and other configurations should be managed by
the same master WFS709TP.
WFS709TP Software
The WFS709TP ProSafe Smart Wireless Switch software is a suite of mobility applications that
runs on all WFS709TPs and allows you to configure and manage the wireless and mobile user
environment.
Overview of the WFS709TP 1-7
v1.0, June 2007
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
The base configuration software includes the following functions:
• Centralized configuration and management of APs
• Wireless client authentication to an external authentication ser ver or to the WFS709TP’s local
database
•Encryption
• Mobility with fast roaming
• RF management and analysis tools
Basic WLAN Configuration
You have a wide variety of options for authentication, encryption, acc ess management, and user
rights when you configure a WLAN in a WFS709TP system. However, you must configure the
following basic elements:
• An SSID that uniquely identifies the WLAN
• Layer 2 authentication to protect against unauthorized access to the WLAN
• Layer 2 encryption to ensure the privacy and confidentiality of the data transmitted to and
from the network
• A user role and virtual local area network (VLAN) for the authenticated client
This section describes authentication, encryption, and VLAN configuration in the WFS709TP
system.
Authentication
A user must authenticate to the system in order to access WLAN resources. There are several types
of Layer 2 security mechanisms allowed by the IEEE 802.11 standard that you can employ,
including those that require an external RADIUS authentication server.
• None (also called open system authentication). This is the default authentication protocol. The
client’s identity, in the form of the Media Access Control (MAC) address of the wireless
adapter in the wireless client, is passed to the WFS709TP. Essentially, any client requesting
access to the WLAN is authenticated.
1-8 Overview of the WFS709TP
v1.0, June 2007
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
• IEEE 802.1x. The IEEE 802.1x authentication standard allows for the use of keys that are
dynamically generated on a per-user basic (as opposed to a static key that is the same on all
devices in the network).
Note: The 802.1x standard requires the use of a RADIUS authentication server. Most
Lightweight Directory Access Protocol (LDAP) servers do not support 802.1x.
With 802.1x authentication, a supplicant is the wireless client that wants to gain access to the
network and the device that communicates with both the supplicant and the authentication
server is the authenticator. In this system, the WFS709TP is the 802.1x authenticator, relaying
authentication requests between the authentication server and the supplicant.
Note: During the authentication process, the supplicant (the wireless client) and the
RADIUS authentication server negotiate the type of Extensible Authentication
Protocol (EAP) they will use for the authentication transaction. The EAP type
is completely transparent to the WFS709TP and has no impact on its
configuration.
• Wi-Fi Protected Access (WPA). WPA implements most of the IEEE 802.11i standard. It is
designed for use with an 802.1x authentication server (the Wi-Fi Alliance refers to this mode
as WPA-Enterprise). WPA uses the Temporal Key Integrity Protocol (TKIP) to dynamically
change keys and RC4 stream cipher to encrypt data.
• WPA in pre-shared key (PSK) mode (WPA-PSK). With WPA-PSK, all clients use the same
key (the Wi-Fi Alliance refers to this mode as WPA-Personal).
Note: In PSK mode, users must enter a passphrase 8–63 characters in length to access
the network. PSK is intended for home and small office networks where
operating an 802.1x authentication server is not practical
• WPA2. WPA2 implements the full IEEE 802.11i standard. In addition to WPA features,
WPA2 provides Counter Mode with Cipher Blocking Chaining Message Authentication Code
Protocol (CCMP) for encryption that uses the Advanced Encryption Standard (AES)
algorithm. The Wi-Fi Alliance refers to this mode as WPA2-Enterprise.
• WPA2-PSK. WPA2-PSK is WPA2 used in PSK mode, where all clients use the same key. The
Wi-Fi Alliance refers to this mode as WPA2-Personal.
Overview of the WFS709TP 1-9
v1.0, June 2007
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
Encryption
The Layer 2 encryption option you can select depends upon the authentication method chosen.
Table 1-1 lists the authentication methods available, with their corresponding encryption options.
Table 1-1. Encryption Options by Authentication Method
Authentication Method Encryption Option
None Null or Static WEP
802.1x Dynamic WEP
WPA or WPA-PSK only TKIP
WPA2 or WPA2-PSK only AES
Combination of WP A or WPA-PSK and WPA2 or
WPA2-PSK
You can configure the following data encryption options for the WLAN:
• Null. No encryption is used and packets passing between the wireless client and WFS709TP
are in clear text.
• Wired Equivalent Protocol (WEP). Defined by the original IEEE 802.11 standard, WEP
uses the RC4 stream cipher with 40-bit and 128-bit encryption keys. The management and
distribution of WEP keys is performed outside of the 802.11 protocol. There are two forms of
WEP keys:
Mixed TKIP/AES
– Static WEP requires you to manually enter the key for each client and on the WFS709TP.
– Dynamic WEP allows the keys to be automatically derived for each client for a specific
authentication method during the authentication process. Dynamic WEP requires 802.1x
authentication.
• Temporal Key Integrity Protocol (TKIP). TKIP ensures that the encryption key is changed
for every data packet. You specify TKIP encryption for WPA and WPA-PSK authentication.
• Advanced Encryption Standard (AES). AES is an encryption cipher that uses the Countermode CBC-MAC (Cipher Block Chaining-Message Authentication Code) Protocol (CCMP)
mandated by the IEEE 802.11i standard. AES-CCMP is specifically designed for IEEE 802.11
encryption and encrypts parts of the 802.11 MAC headers as well as the data payload. You can
specify AES-CCMP encryption with WPA2 or WPA2-PSK authentication.
• Mixed TKIP/AES-CCM. This option allows the WFS709TP to use TKIP encryption with
WPA or WPA-PSK clients and use AES encryption with WPA2 or WPA2-PSK clients. Mixed
TKIP/AES-CCM allows you to deploy the system in environments containing existing
WLANs that use different authen tication and encryption methods.
1-10 Overview of the WFS709TP
v1.0, June 2007
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
VLAN
Each authenticated user is placed into a VLAN, which determines the user’s DHCP server, IP
address, and Layer 2 connection. While you could place all authenticated wireless users into a
single VLAN, the system allows you to group wireless users into separate VLANs. This enables
you to differentiate groups of wireless users and their access to network resources. For example,
you might place authorized employee users into one VLAN and itinerant users, such as contractors
or guests, into a separate VLAN.
Note: You create the VLANs for wireless users only on the WFS709TP. You do not need
to create the VLANs anywhere else on your network. Because wireless clients are
tunneled to the WFS709TP, it appears to the rest of the network as if the clients
were directly connected to the WFS709TP.
For example, in the topology shown in Figure 1-5, authenticated wireless users are placed on
VLAN 20. You configure VLAN 20 only on the WFS709TP; you do not need to configure VLAN
20 on any other device in the network.
Note: To allow data to be routed to VLAN 20, you must configure a static route to VLAN
20 on an upstream router in the wired network
Overview of the WFS709TP 1-11
v1.0, June 2007
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
.
VLAN 20
Floor
Netgear AP
Wiring
closet
Internet
VLAN 20
Data center
Figure 1-5
WFS709TP
A user is assigned to a VLAN by one of several methods, and there is an order of precedence to
these methods.The methods for assignment of VLANs are (from lowest to highest precedence):
1. The VLAN is configured for the AP location.
2. The VLAN is derived from rules based on user attributes SSID, BSSID (Basic Service Set
Identifier), user MAC, location, and encryption type. W ithin the set of possible user -derivation
rules, a rule that derives a specific VLAN takes precedence over a rule that derives a user role
that may have a VLAN configured for it.
3. The VLAN is configured for a default role for an authentication method, such as 802.1x or
VPN.
1-12 Overview of the WFS709TP
v1.0, June 2007
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
4. The VLAN is derived from attributes returned by the authentication server (server-derived
rule). Within a set of server-derived rules, a rule that derives a specific VLAN takes
precedence over a rule that derives a user role that may have a VLAN configured for it.
5. The VLAN is derived from Microsoft Tunnel attributes (Tunnel-Type, Tunnel Medium Type,
and Tunnel Private Group ID). All three attributes must be present. This does not require any
server-derived rule.
6. The VLAN is derived from NETGEAR vendor-specific attributes (VSAs) for RADIUS server
authentication. This does not require any server-derived rule.
If a NETGEAR VSA is present, it overrides any previous VLAN assignment.
Wireless Client Access to the WLAN
Wireless clients communicate through a WLAN with the wired network and other wireless clients
in a WFS709TP system. There are two phases to the process by which a wireless client gains
access to a WLAN:
1. Association of the radio network interface card (NIC) in the PC with an AP, as described by
the IEEE 802.11 standard. This association allows data link (Layer 2) connectivity.
2. Authentication of the client/user before network access is allowed.
Association
APs send out beacons that contain the SSIDs of specific WLANs; the user can select the network
they want to join. Wireless clients can also send out probes to locate a WLAN within range or to
locate a specific SSID, and APs within range of the client respond. Along with the SSID, an AP
also sends out the following information:
• Data rates supported by the WLAN. Clients can determine which WLAN to associate with
based on the supported data rate.
• WLAN requirements for the client. For example, clients may need to use TKIP for encrypting
data transmitted on the WLAN.
Overview of the WFS709TP 1-13
v1.0, June 2007
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
The client determines which AP is best for connecting to the WLAN and attempts to associate with
it. During the association exchange, the client and WFS709TP negotiate the data rate,
authentication method, and other options.
Note: Because an AP connected to a WFS709TP is a Thin AP, all wireless traffic it
receives is immediately sent through a GRE tunnel to the WFS709TP. The
WFS709TP responds to client requests and communicates with an authentication
server on behalf of the client. Therefore, the client authentication and association
processes occur between the wireless client and the WFS709TP.
Authentication
Authentication provides a way to identify a user and provide appropriate access to the network for
that user. One or more authentication methods may be used, ranging from secure authentication
methods such as 802.1x and captive portal to less secure methods such as MAC address
authentication.
802.1x Authentication
802.1x is an IEEE standard used for authenticating clients on any IEEE 802 network. It is an open
authentication framework, allowing multiple authentication protocols to operate within the
framework. 802.1x operates as a Layer 2 protocol. Successful 802.1x authentication must
complete before any higher-layer communication with the network, such as a DHCP exchange to
obtain an IP address, is allowed.
802.1x is key-generating, which means that the output of the authentication process can be used to
assign dynamic per-user encryption keys. While the configuration of 802.1x authentication on the
WFS709TP is fairly simple, 802.1x can require significant work in configuring an external
authentication server and wireless client devices.
Captive Portal
Captive Portal allows a wireless client to authenticate using a web-based portal. Captive portals
are typically used in public access wireless hotspots or for hotel in-room Internet access. After a
user associates to the wireless network, their device is assigned an IP address. The user must start
a web browser and pass an authentication check before access to the network is granted.
Captive portal authentication is the simplest form of authentication to use and requires no software
installation or configuration on the client. The username/password exchange is encrypted using
standard SSL encryption. However, portal authentication does not provide any form of encryption
1-14 Overview of the WFS709TP
v1.0, June 2007
Loading...