Smc 2502W User Guide

ELITECONNECT WLAN SECURITY SYSTEM
Full authentication support—supports RADIUS, LDAP, 802.1x, Kerberos, Windows NT/2000 domain and built-in database.
VPN support allows secure wireless communications to and from wireless clients.
Rights-based network access increases network security by providing network administrators full control on users’ access to a network, based on user identification, location, and time.
Web-based configuration is easy-to-use, convenient and provides simple configuration management.
Network access and usage policies can be set for trusted users and guests by user identification, location, and time.
Roaming across different subnets and persistent session roaming eliminates the need for re-authentication by roaming users.
User Manual
SMC2504W SMC2502W
ELITECONNECT WLAN SECURITY SYSTEM USER MANUAL
From SMC’s EliteConnect line of enterprise wireless LAN solutions
38 Tesla, Irvine, CA 92618
Phone: (949) 679-8000
March 2002
Part No. 01-111343-006
Copyrights and Trademarks
Copyright
Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SMC. SMC reserves the right to change specifications at any time without notice.
Copyright © 2002 by SMC Networks, Inc. 38 Tesla Irvine, CA 92618
All rights reserved.
This publication is protected by federal copyright law. No part of this publication may be copied or distributed, stored in a retrieval system, or translated into any human or computer language in any form or by any means electronic, mechanical, manual, magnetic, or otherwise, or disclosed to third parties without the express written permission of SMC Networks Incorporated, located at 38 Tesla, Irvine, CA 92618.
SMC is a registered trademark; and EliteConnect is a trademark of SMC Networks, Inc. Other product and company names are trademarks or registered trademarks of their respective holders.
Licensed users and authorized distributors of SMC Networks products may copy this document for use with SMC Networks products provided that the copyright notice above is included in all reproductions.
All other brand and product names are claimed or registered marks of their respective companies.
Limited Warranty
Limited Warranty Statement: SMC Networks, Inc. (“SMC”) warrants its products to be free from defects in workmanship and materials, under normal use and service, for the applicable warranty term. All SMC products carry a standard 90-day limited warranty from the date of purchase from SMC or its Authorized Reseller. SMC may, at its own discretion, repair or replace any product not operating as warranted with a similar or functionally equivalent product, during the applicable warranty term. SMC will endeavor to repair or replace any product returned under warranty within 30 days of receipt of the product.
SMC EliteConnect WLAN Security System User Manual v
The standard limited warranty can be upgraded to a Limited Lifetime* warranty by registering new products within 30 days of purchase from SMC or its Authorized Reseller. Registration can be accomplished online via the SMC web site. Failure to register will not affect the standard limited warranty. The Limited Lifetime warranty covers a product during the Life of that Product, which is defined as the period of time during which the product is an “Active” SMC product. A product is considered to be “Active” while it is listed on the current SMC price list. As new technologies emerge, older technologies become obsolete and SMC will, at its discretion, replace an older product in its product line with one that incorporates these newer technologies. At that point, the obsolete product is discontinued and is no longer an “Active” SMC product. A list of discontinued products with their respective dates of discontinuance can be found at:
http://www.smc.com/index.cfm?action=customer_service_warranty
All products that are replaced become the property of SMC. Replacement products may be either new or reconditioned. Any replaced or repaired product carries either a 30-day limited warranty or the remainder of the initial warranty, whichever is longer. SMC is not responsible for any custom software or firmware, configuration information, or memory data of Customer contained in, stored on, or integrated with any products returned to SMC pursuant to any warranty. Products returned to SMC should have any customer-installed accessory or add-on components, such as expansion modules, removed prior to returning the product for replacement. SMC is not responsible for these items if they are returned with the product.
Customers must contact SMC for a Return Material Authorization number prior to returning any product to SMC. Proof of purchase may be required. Any product returned to SMC without a valid Return Material Authorization (RMA) number clearly marked on the outside of the package will be returned to customer at customer's expense. For warranty claims within North America, please call our toll-free customer support number at (800) 762-4968. Customers are responsible for all shipping charges from their facility to SMC. SMC is responsible for return shipping charges from SMC to customer.
WARRANTIES EXCLUSIVE: IF AN SMC PRODUCT DOES NOT OPERATE AS WARRANTED ABOVE, CUSTOMER’S SOLE REMEDY SHALL BE REPAIR OR REPLACEMENT OF THE PRODUCT IN QUESTION, AT SMC’S OPTION. THE FOREGOING WARRANTIES AND REMEDIES ARE EXCLUSIVE AND ARE IN LIEU OF ALL OTHER WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, EITHERIN FACT OR BY OPERATION OF LAW, STATUTORY OR OTHERWISE, INCLUDING WARRANTIES OR CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SMC NEITHER ASSUMES NOR AUTHORIZES ANY OTHER PERSON TO ASSUME FOR IT ANY OTHER LIABILITY IN CONNECTION WITH THE SALE, INSTALLATION, MAINTENANCE OR USE OF ITS PRODUCTS. SMC SHALL NOT BE LIABLE UNDER THIS WARRANTY IF ITS TESTING AND EXAMINATION DISCLOSE THE ALLEGED DEFECT IN THE PRODUCT DOES NOT EXIST OR WAS
CAUSED BY CUSTOMER'S OR ANY THIRD PERSON'S MISUSE, NEGLECT, IMPROPER INSTALLATION OR TESTING, UNAUTHORIZED ATTEMPTS TO REPAIR, OR ANY OTHER CAUSE BEYOND THE RANGE OF THE INTENDED USE, OR BY ACCIDENT, FIRE, LIGHTNING, OR OTHER HAZARD. LIMITATION OF LIABILITY: IN NO EVENT, WHETHER BASED IN CONTRACT OR TORT (INCLUDING NEGLIGENCE), SHALL SMC BE LIABLE FOR INCIDENTAL, CONSEQUENTIAL, INDIRECT, SPECIAL, OR PUNITIVE DAMAGES OF ANY KIND, OR FOR LOSS OF REVENUE, LOSS OF BUSINESS, OR OTHER FINANCIAL LOSS ARISING OUT OF OR IN CONNECTION WITH THE SALE, INSTALLATION, MAINTENANCE, USE, PERFORMANCE, FAILURE, OR INTERRUPTION OF ITS PRODUCTS, EVEN IF SMC OR ITS AUTHORIZED RESELLER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR THE LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES FOR CONSUMER PRODUCTS, SO THE ABOVE LIMITATIONS AND EXCLUSIONS MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, WHICH MAY VARY FROM STATE TO STATE. NOTHING IN THIS WARRANTY SHALL BE TAKEN TO AFFECT YOUR STATUTORY RIGHTS.
* SMC will provide warranty service for one year following discontinuance from the active SMC price list. Under the limited lifetime warranty, internal and external power supplies, fans, and cables are covered by a standard one-year warranty from date of purchase.
SMC Networks, Inc.
38 Tesla
Irvine, CA 92618
Compliances
FCC - Class A
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with instructions, may cause harmful interference to radio communications. However, there is no guarantee that the interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient the receiving antenna
Increase the separation between the equipment and receiver
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected
Consult the dealer or an experienced radio/TV technician for help
Industry Canada - Class A
This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus as set out in the interference-causing equipment standard entitled “Digital Apparatus,” ICES-003 of the Department of Communications.
This digital apparatus complies with the radio noise emission limits applicable to Class B digital apparatus prescribed in the interference-causing equipment standard: “Digital Apparatus,” NMB-003 issued by the Department of Communications.
Preface vii
Chapter 1 Introduction 1-1
  1.1 Overview 1-2
  1.2 The EliteConnect WLAN Security System 1-3
    WLAN Access Manager 1-4
    Control Server 1-4
    Rights Manager 1-5
      Users and Authentication 1-5
    Rights 1-6
      Network Address Translation 1-6
      Packet Filters 1-7
      Session Redirectors 1-7
      Valid Times 1-7
    Timers 1-7
Chapter 2 Configuring the WLAN Security System 2-1
  Administrative Login 2-2
  Changing Your Network Configuration 2-4
  Advanced Network Settings 2-6
  Setting the Shared Secret 2-10
    Authorizing the Shared Secret on the WLAN Secure Server 2-10
    Setting the Secure Server IP Address and Shared Secret 2-11
  Configuring SNMP 2-11
  Specifying Location Description 2-13
  Specifying Session Logging 2-14
  Configuring the Time and Date 2-15
  Viewing Online Documentation and Help 2-16
Chapter 3 VPN Security (Airwave Security) 3-1
  Configuring VPN Security (Airwave Security) 3-2
    Point-to-Point Tunneling Protocol (PPTP) 3-2
    L2TP/IPSec 3-2
    IPSec 3-3
    General Considerations 3-3
      Necessity 3-3
      Performance and Security 3-4
      Availability 3-4
  Configuring PPTP and L2TP 3-4
    Configuring PPTP or L2TP 3-6
  Configuring IPSec 3-7
Chapter 4 Controlling the System Functions 4-1
  Creating and Storing a Backup Image 4-2
    Creating a Backup Image 4-2
    Saving the Backup 4-4
  Restoring a Backed-Up Image 4-5
  Updating the System Software 4-7
  Rebooting or Shutting Down the System 4-9
Chapter 5 Viewing System Status 5-1
  Viewing Status Information 5-2
  Viewing WLAN Access Managers 5-3
  Viewing the Active Client List 5-4
  Viewing Active Session Information 5-6
  Viewing Log Files 5-7
    Informational Logs 5-7
    Session Logs 5-8
  Viewing Version and License Information 5-9
Chapter 6 Configuring the Rights Manager 6-1
  Rights Manager Terminology 6-2
  About the Rights Manager 6-3
    Two Simple Rights Examples 6-4
      Example 1: Visiting Professor 6-4
      Example 2: Contractors with Extended Hours 6-4
  Getting to the Rights Manager 6-5
  Changing Rights Associated with Locations 6-6
    Why Change Rights 6-6
    Adding a Location 6-7
    Modifying a Location 6-11
    Deleting a Location 6-12
  Changing WLAN Access Manager Rights 6-13
    Adding a WLAN Access Manager 6-13
    Modifying a WLAN Access Manager 6-19
    Changing Other Where Properties 6-20
    Deleting a Where 6-21
  Changing Group Properties 6-22
    Adding a New Group 6-22
    Modifying a Group’s Rights 6-26
      Initially Configuring Valid Times or Whens 6-26
      Changing the Time that a Group is Valid 6-30
      Modifying the Group/Allows Column 6-31
    Deleting a Group 6-33
  Adding, Modifying, or Deleting a User 6-34
    Adding a New User 6-34
    Modifying a User’s Characteristics 6-36
    Deleting a User 6-36
    Adding a MAC Address as a User 6-38
  Enforcing Authentication 6-40
    To use the Built-in Authentication service 6-42
    To use the LDAP Authentication Service 6-42
    To use the RADIUS Authentication Service 6-43
    To use the Kerberos Authentication Service 6-44
    To use the Advanced Authentication Service 6-46
    Creating a New Authentication Realm 6-47
    Changing the Default Realm 6-47
  Changing Rights-Allows in Groups 6-50
    Adding Rights-Allows 6-50
    Modifying a Rights-Allow 6-53
    Deleting a Rights-Allow 6-53
  Redirecting Packets 6-54
    Creating or Modifying a Redirect 6-54
    Deleting a Redirect 6-58
    Changing Allows and Redirect Rights 6-59
    Changing a Group’s Redirect Rights 6-60
  Displaying Rights 6-63
  Rights Manager Logs 6-67
    Viewing the Rights Manager Log 6-67
    Changing the Rights Manager Log Display 6-68
  Importing and Exporting Rights 6-68
    Importing Rights 6-68
    Exporting a Set of Rights 6-69
    Creating a New Rights Image 6-69
    Downloading the XML Schema 6-70
  Customizing the Logon Screen Appearance 6-70
    Customizing the Logon Screen 6-71
    Generating an SSL Certificate Signing Request 6-73
Appendix A Syntax of Client Rights A-1
Appendix B Command Line Interface B-1
  Syntax for Command Line Interface B-2
    CLI Help Commands B-2
    CLI Access Control Commands B-2
    Diagnostic Commands B-3
    System Status Commands B-4
    Diagnostic Log Commands B-5
    Active Client Management Commands B-6
    System Configuration and Control Commands B-6
      Upgrading the System Software B-6
      Stopping and Restarting the System B-7
      Network Configuration B-8
      Access Manager Configuration B-9
      Control Server Configuration B-11
      Time Configuration B-11
      Backup and Restore B-12
    SNMP Configuration and Reporting Commands B-12
Appendix C Rights Tutorial C-1
  Starting with Locations C-2
  Group Editor C-4
    Logon Expire Times for Groups C-5
    Default Groups C-6
    Logon Rights C-6
    Guest Rights C-7
    User Rights C-9
    Required Rights C-11
    Built-in Users C-11
  Example 1, Rights Debugger C-12
  Example 2, Allowed User Groups C-17
  Example 3, Public Location C-24
  Time-Based Rights C-28
  Time-Based Logon Rights C-29
  Example 4, Wired Interface C-29
  Example 5, MAC Address User C-32
  Example 6, Differentiated Access by Groups C-35
    Denying Access to a Subnet C-35
    Getting Access to the Subnet C-37
    Adding Users C-41
    Creating a Location C-42
  Example 7, Trap Known Port C-47
  Example 8, SOCKS Proxy C-50
  Example 9, Public Kiosk Location C-51
Appendix D Simple Network Management Protocol D-1
  Introduction to WLAN Security System SNMP D-2
  Supported Management Information Base Objects D-3
    MIB Objects D-3
    System MIB D-4
    Hardware Description MIB Object D-5
    Hardware Version MIB Object D-5
    Software Version MIB Object D-5
    Serial Number MIB Object D-5
    Environmental Monitoring Objects D-6
    Cooling Fan Registry MIB Objects D-6
    Traps D-7
Glossary E-1
Index 1-1

PREFACE

This preface describes the objective, audience, use, and organization of the EliteConnect WLAN Security System User Manual. It also outlines the document conventions, safety advisories, compliance information, comments, ordering process, related documentation, support information, and revision history.

Audience

The primary audience for this document is network administrators who want to enable their network users to communicate using the EliteConnect WLAN Security System. This document is intended for authorized personnel who have previous experience working with network telecommunications systems or similar equipment. It is assumed that the personnel using this document have the appropriate background and knowledge to complete the procedures described in this document.

How To Use This Document

This document contains procedural information describing all configuration and management of the SMC2504W EliteConnect WLAN Secure Server and SMC2502W WLAN Access Manager. Each procedure is written in a task-oriented format consisting of numbered step-by-step instructions that enable you to perform a series of actions to accomplish a stated objective. In most cases, several different procedures are required to complete one overall task. All procedures should be performed in the order they appear in this document, unless otherwise instructed. Where applicable, navigation aids also refer you to supplemental information such as figures, tables, and other procedures in this document or another document. Main chapters are followed by supplemental information such as appendices and an index.

Document Conventions

Convention         Definition
Boldface Palatino  Screen menus that you click to select, commands that you select, and emphasized terms are in boldface Palatino.
Italic Palatino    New terms that are defined in the Glossary are in italic Palatino.
Courier            Filenames and text that you type are in Courier.

Organization

This document is organized as follows:
Chapter 1—Introduction
This chapter provides an overview of the EliteConnect WLAN Security System and describes how the components operate.
Chapter 2—Configuration
This chapter explains how to configure your EliteConnect WLAN Security System.
Chapter 3—Airwave Security
This chapter describes how to enforce security using IPSec, L2TP, and PPTP.
Chapter 4—Controlling the System Functions
This chapter explains how to install new software, back up your system, and shut down and reboot.
Chapter 5—Viewing Status Information
This chapter explains how to view the status of the components of the EliteConnect WLAN Security System.
Chapter 6—Configuring the Rights Manager
This chapter describes how to allocate rights to clients based on their location, groups, and time and date. It includes a definition of frequently used terms for managing rights.
Appendix A—Syntax of Client’s Rights
This appendix explains the syntax of client rights, which is based on the packet-matching language of the tcpdump utility.
Appendix B—Command Line Interface
This appendix provides a description of the command line interface.
Appendix C—Rights Tutorial
This appendix explains Rights Management through examples.
Appendix D—Simple Network Management Protocol
This appendix describes the Management Information Base modules used in EliteConnect WLAN Security System.
Glossary
The Glossary explains terms that are specific to the EliteConnect WLAN Security System. These terms are shown in italics when first used.

INTRODUCTION

This chapter gives a brief description of the SMC EliteConnect WLAN Security System Solution products. It consists of the following sections:
1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
1.2 The EliteConnect WLAN Security System . . . . . . . . . . . . . 1-3

1.1 Overview

The WLAN Security System permits fine-grained access control and transparent Layer 3 roaming capabilities for wireless and wired IP networks. The IP traffic of each user machine or client can be individually authenticated, controlled, redirected, and logged for auditing or billing purposes. When clients move through the enterprise, their open sessions are transparently forwarded so that the sessions are not terminated. Almost any user authentication scheme can be supported thanks to WLAN Security System’s fully customizable Rights Manager component.
In addition, the Airwave Security feature can encrypt all client traffic using standard encryption technology including PPTP, L2TP, or IPSec.
The WLAN Security System addresses the following mandatory network infrastructure functions:
Security that includes the following functions:
User authentication
User-based access and resource control
Airwave Security: PPTP, L2TP, or IPSec
Management: tracking of wireless access points and users
Accounting: information for accounting, logging, and billing
The WLAN Security System also addresses the following mobility functions:
Address Mobility: no need to re-authenticate or acquire a new address when roaming
Connection Mobility: sessions remain open when roaming

1.2 The EliteConnect WLAN Security System

Figure 1-1 shows the EliteConnect WLAN Security System.
Figure 1-1. The SMC EliteConnect WLAN Security System Solution
The EliteConnect WLAN Security System consists of three logical functions:
WLAN Access Manager
Control Server
Rights Manager
There are two physical components of the EliteConnect WLAN Security System:
The WLAN Secure Server consists of a Control Server, Rights Manager, and WLAN Access Manager with four RJ-45 ports
The WLAN Access Manager consists of the WLAN Access Manager function with four RJ-45 ports
The next section explains the three logical functions.

1.2.1 WLAN Access Manager

The WLAN Access Manager is positioned between each access point and the network. It inspects and filters each packet arriving from the wireless client through the access point, deciding whether to allow or deny forwarding of the packet. The WLAN Access Manager applies a set of rules to each packet. Allowed packets can be redirected based on other rule sets.
Initially, the WLAN Access Manager knows of no connected devices. When a user sends a packet through a wireless access point, the access point forwards the packet to the network through the WLAN Access Manager. The WLAN Access Manager uses the received packet to determine the hardware MAC address of the client device, and requests an initial set of rights from the Rights Manager through the WLAN Secure Server.
The Rights Manager supplies a set of logon rights that allow DHCP, DNS, and HTTP requests, additionally redirecting HTTP requests to the Rights Manager. The Rights Manager uses the first HTTP request to require user authentication by means of an SSL-protected HTTP connection. After verifying a user’s identity through the HTTPS connection, the Rights Manager sends a new rights package through the WLAN Secure Server, to the WLAN Access Manager. This rights package is based on the user’s identity, location, and the time and date.
In addition to filtering and redirecting packets, the WLAN Access Manager coordinates with other Access Managers through the WLAN Secure Server to maintain connections as a client device roams from one access point to another.
The Access Manager is also responsible for maintaining Airwave Security encryption using PPTP, L2TP, or IPSec protocols.
Scalability is ensured by concentrating all packet-level inspection and rewriting functions and encryption at the WLAN Access Manager. An individual Control Server can easily supervise several WLAN Access Managers.

1.2.2 Control Server

Each WLAN Secure Server administrative domain requires only one Control Server, which is embedded in the WLAN Secure Server. The Control Server in the WLAN Secure Server performs two functions:
Coordinates between the WLAN Access Managers and the Rights Manager
Coordinates WLAN Access Manager-to-WLAN Access Manager communications, such as a roaming handoff.
To ensure scalability, all per-packet operations are confined to the WLAN Access Managers. The WLAN Secure Server merely coordinates the client meta-information among the WLAN Access Managers.
All policy and user database entries are kept in the Rights Manager, which is part of the WLAN Secure Server.
Command and control communication between the WLAN Access Manager and the WLAN Secure Server is through an encrypted connection. Command and control communication between WLAN Access Managers is also through an encrypted connection. User packets that must be tunneled between WLAN Access Managers to ensure transparent Layer 3 roaming are not encrypted.

1.2.3 Rights Manager

The Rights Manager, which is part of the WLAN Secure Server, enables the network administrator to edit rights for users, groups, locations, and times. It supplies the WLAN Access Managers with appropriate rights based on who, when, and where. The Rights Manager also authenticates users.
Users and Authentication
Active Authentication
As described earlier in WLAN Access Manager, the initial set of rights sent by the Rights Manager to the WLAN Access Manager limits the packets allowed into the network. Additionally, any HTTP requests from the end-user are redirected to the Rights Manager. The Rights Manager sets up an HTTPS connection with the user, and presents a logon screen.
The user types their username and password, or requests guest rights. Users are authenticated, while guests are given a set of pre-defined rights that limit network access to the external Internet.
The Rights Manager supports four methods of authentication:
A built-in database of user-password pairs
An interface to an external LDAP authentication service
An interface to an external RADIUS service
An interface to a Kerberos service
After performing the appropriate authentication, the Rights Manager determines the correct set of rights for that particular user based on group membership, geographic location of the client, day, and time of day. The Rights Manager also offers an advanced authentication option in which multiple authentication methods can be used.
Passive Authentication
Alternatively, you can choose one of the following passive methods for user-level authentication. All of the following require user-level authentication, and the EliteConnect WLAN Security System can use these authentication services for its own user authentication:
NT/2000 domain login
802.1x authentication
PPTP MS-CHAP or MS-CHAP v2 authentication
L2TP MS-CHAP or MS-CHAP v2 authentication

1.2.4 Rights

At any given time, for each client attached to a WLAN Access Manager, a certain set of rights is in effect. These rights are based on the powerful packet-matching language of the tcpdump utility program. A rights package contains the following main components: Network Address Translation (NAT) setting, Mode Setting, Packet Filters, and Session Redirectors. Each set of rights has a valid time.
Network Address Translation
A WLAN Access Manager provides Network Address Translation (NAT) services for users who request a DHCP IP address when they initiate a connection to the Access Manager.
When a client sends a packet through the WLAN Access Manager, the WLAN Access Manager rewrites the IP address field and the port number field to a value that is unique and that will identify any return packet.
Depending on the application, you can choose to use the NAT service or you can choose to assign your own IP address. Following are some points in favor of and against using NAT:
NAT makes roaming much more efficient. The WLAN Security System can move the entire connection state from one WLAN Access Manager to the roamed-to WLAN Access Manager, and only tunnel open sessions back through the original WLAN Access Manager. MobileIP as a solution to roaming suffers because every connection has to be tunneled back through the original connection point.
NAT provides some amount of protection to a client since no device other than the WLAN Access Manager can talk directly to the client. This provides rudimentary firewall protection.
Certain applications require a host or server system to know the actual IP address of a client. Some examples include multi-player games, file transfer in Instant Messenger applications, and other peer-to-peer applications.
NAT is enabled by default. You can choose to disable NAT based on individual users’ needs. See Configuring the Rights Manager for more information about configuring NAT.
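The three properties the NAT discussion above attributes to the WLAN Access Manager (each client flow is rewritten to a unique address and port, a return packet is mapped back from that value alone, and an unsolicited inbound packet with no mapping is dropped, plus connection state that can be handed to the roamed-to Access Manager) can be illustrated with a small table. This is an added example, not SMC's code or a description of the product's internal data structures; the network-side address, the port range and the flows are constructed for the example.

```python
"""Toy model of the Access Manager's NAT rewrite described in section 1.2.4.
Added illustration, not SMC code: PUBLIC_IP, the port range and all flows are
constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "198.51.100.1"   # constructed: the Access Manager's network-side address


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    def __init__(self, first_port: int = 40000) -> None:
        self.next_port = first_port
        # (proto, client_ip, client_port) -> port used on the network side
        self.outbound: Dict[Tuple[str, str, int], int] = {}
        # (proto, network-side port) -> (client_ip, client_port)
        self.inbound: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate_outbound(self, f: Flow) -> Flow:
        """Rewrite source address and port to a value unique to this client flow."""
        key = (f.proto, f.src_ip, f.src_port)
        if key not in self.outbound:
            nat_port = self.next_port
            self.next_port += 1
            self.outbound[key] = nat_port
            self.inbound[(f.proto, nat_port)] = (f.src_ip, f.src_port)
        return Flow(f.proto, PUBLIC_IP, self.outbound[key], f.dst_ip, f.dst_port)

    def translate_inbound(self, f: Flow) -> Optional[Flow]:
        """Map a return packet back to the client, or None if nothing solicited it.
        The None case is the 'rudimentary firewall' the manual mentions."""
        client = self.inbound.get((f.proto, f.dst_port))
        if client is None or f.dst_ip != PUBLIC_IP:
            return None
        client_ip, client_port = client
        return Flow(f.proto, f.src_ip, f.src_port, client_ip, client_port)

    def export_state(self) -> dict:
        """Connection state that can follow a roaming client to another Access Manager."""
        return {"next_port": self.next_port,
                "outbound": dict(self.outbound),
                "inbound": dict(self.inbound)}

    @classmethod
    def from_state(cls, state: dict) -> "NatTable":
        table = cls(state["next_port"])
        table.outbound = dict(state["outbound"])
        table.inbound = dict(state["inbound"])
        return table
```

`export_state` and `from_state` are what make the roaming argument concrete: because the whole mapping is a small table keyed by the rewritten port, the roamed-to Access Manager can take it over and answer return packets itself instead of tunnelling every flow back to the original Access Manager.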
Packet Filters
Each set of client rights has an associated set of packet filters that determine what traffic the client is allowed to generate. Any packets generated by the client that do not match one or more of the filters are quietly rejected. You can base filters for packets on protocol, IP address, port, or other considerations. You can specify packet filters to be as granular as you want, even to the point of specifying individual bit patterns in the client’s packet.
Session Redirectors
Client TCP and UDP sessions can be redirected from their original destination IP address or port. This is useful, for example, to force HTTP clients to login, or to ensure that certain requests for network services, such as DNS, are directed to the appropriate servers.
Some important notes about configuring rights:
Filters and redirectors match packets using the powerful pattern matching language introduced by the tcpdump utility program.
If NAT is not enabled for a set of rights, then these rights should also include a filter allowing clients to renew their DHCP leases.
Often a session redirector will match client DNS requests and redirect them to a known DNS server, which tolerates misconfiguration of DNS on the client.
Valid Times
A set of rights is valid for the time periods specified by the system administrator when configuring the rights. When the rights valid time expires, the WLAN Access Manager queries the Rights Manager for a new set of rights, but does not require re-authentication.
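The logon-rights exchange in section 1.2.1 (DHCP, DNS and HTTP allowed, HTTP redirected to the Rights Manager) and the filters, redirectors, valid time and NAT/DHCP note in section 1.2.4 can be modelled together. This is an added example, not code from SMC or the product: the `allow()` helper stands in for a tcpdump filter expression, and the Rights Manager and DNS server addresses, the group names and the packets are constructed for the example. The `lint_rights` check is the defender's version of the note above: a rights set with NAT disabled and no DHCP-renew filter silently strands clients when their lease ends.

```python
"""Toy model of a WLAN Access Manager applying a rights package to client packets.
Added illustration, not SMC code. allow() stands in for a tcpdump filter
expression; addresses, group names and packets are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional

RIGHTS_MANAGER_IP = "10.0.0.2"    # constructed placeholder
KNOWN_DNS_SERVER = "10.0.0.53"    # constructed placeholder


@dataclass(frozen=True)
class Packet:
    src_mac: str
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int


Filter = Callable[[Packet], bool]


def allow(proto: str, dst_port: int) -> Filter:
    """Stand-in for an expression such as 'udp dst port 53'."""
    return lambda p: p.proto == proto and p.dst_port == dst_port


@dataclass
class Redirect:
    match: Filter
    new_ip: str
    new_port: int


@dataclass
class Rights:
    name: str
    nat: bool
    filters: List[Filter]
    redirects: List[Redirect]
    valid_until: int    # after this the Access Manager fetches new rights, no re-authentication


def apply_rights(rights: Rights, pkt: Packet) -> Optional[Packet]:
    """Return the packet to forward (rewritten if a redirector matched), or None
    when no filter matches: such packets are quietly rejected."""
    if not any(f(pkt) for f in rights.filters):
        return None
    for r in rights.redirects:
        if r.match(pkt):
            return Packet(pkt.src_mac, pkt.proto, r.new_ip, r.new_port)
    return pkt


# Initial rights for an unknown client: DHCP, DNS and HTTP only, with HTTP sent
# to the Rights Manager so the user reaches the logon screen.
LOGON_RIGHTS = Rights(
    name="logon", nat=True,
    filters=[allow("udp", 67), allow("udp", 53), allow("tcp", 80)],
    redirects=[Redirect(allow("tcp", 80), RIGHTS_MANAGER_IP, 80)],
    valid_until=1_000_000,
)

# Rights issued after authentication for a constructed "employee" group. NAT is
# off, so the DHCP-renew filter (udp 67) must be present; DNS is pinned to a
# known server so a misconfigured client still resolves names.
EMPLOYEE_RIGHTS = Rights(
    name="employee", nat=False,
    filters=[allow("udp", 67), allow("udp", 53), allow("tcp", 80), allow("tcp", 443)],
    redirects=[Redirect(allow("udp", 53), KNOWN_DNS_SERVER, 53)],
    valid_until=1_000_000,
)


def dhcp_renew_allowed(rights: Rights) -> bool:
    """Probe the rights set with a constructed DHCP request."""
    probe = Packet("00:00:00:00:00:00", "udp", "255.255.255.255", 67)
    return apply_rights(rights, probe) is not None


def rights_need_refresh(rights: Rights, now: int) -> bool:
    """Valid time elapsed: fetch a fresh set from the Rights Manager, no re-authentication."""
    return now >= rights.valid_until


def lint_rights(rights: Rights) -> List[str]:
    """Catch the configuration mistake the manual warns about."""
    problems = []
    if not rights.nat and not dhcp_renew_allowed(rights):
        problems.append(f"{rights.name}: NAT disabled but no filter allows DHCP renewal")
    return problems
```

Note the order of evaluation in `apply_rights`: filters decide whether a packet is forwarded at all, and only then do redirectors rewrite its destination. That is why the logon rights need both an `allow("tcp", 80)` filter and a redirector for the same traffic.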

1.2.5 Timers

There are two important timers maintained by the WLAN Security System:
Expire
Linger
The Expire timer specifies how long before a user is required to re-authenticate.
The Linger time specifies how long a user has to roam once he disappears from one WLAN Access Manager and before he reappears at another WLAN Access Manager. A WLAN Access Manager periodically probes for a client after that client is idle for a while. If the client does not respond to the probe (an ARP request) after a period of idleness, the WLAN Access Manager removes the client’s data from its internal tables and informs the Rights Manager. The Rights Manager starts the linger timer. If the linger timer expires, the user must re-authenticate.
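The interaction between the Expire and Linger timers above is easier to follow as event-driven code. This is an added example, not SMC's code or the product's actual state machine: the timer values, the idle-probe interval, the return strings and the event sequence are all constructed for the example.

```python
"""Toy model of the Expire and Linger timers from section 1.2.5.
Added illustration, not SMC code: timer values, the idle-probe interval and
the events are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

EXPIRE_SECONDS = 8 * 3600   # constructed: re-authenticate after eight hours
LINGER_SECONDS = 120        # constructed: time allowed to reappear at another Access Manager


@dataclass
class Session:
    mac: str
    authenticated_at: int
    lost_at: Optional[int] = None   # set when an Access Manager gives up on the client


class RightsManager:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def authenticate(self, mac: str, now: int) -> None:
        self.sessions[mac] = Session(mac, now)

    def client_lost(self, mac: str, now: int) -> None:
        """An Access Manager's ARP probe went unanswered, so it dropped the client
        and informed us: the linger timer starts here."""
        session = self.sessions.get(mac)
        if session is not None:
            session.lost_at = now

    def client_seen(self, mac: str, now: int) -> str:
        """A packet from `mac` reached some Access Manager. Decide what it gets."""
        session = self.sessions.get(mac)
        if session is None:
            return "logon-rights"
        if now - session.authenticated_at >= EXPIRE_SECONDS:
            del self.sessions[mac]
            return "reauthenticate: expire timer"
        if session.lost_at is not None:
            if now - session.lost_at >= LINGER_SECONDS:
                del self.sessions[mac]
                return "reauthenticate: linger timer"
            session.lost_at = None      # roamed in time; rights carry over
            return "roamed"
        return "active"


class AccessManager:
    IDLE_BEFORE_PROBE = 60   # constructed: idle seconds before an ARP probe

    def __init__(self, rights_manager: RightsManager) -> None:
        self.rights_manager = rights_manager
        self.last_seen: Dict[str, int] = {}

    def packet(self, mac: str, now: int) -> str:
        self.last_seen[mac] = now
        return self.rights_manager.client_seen(mac, now)

    def probe_idle_clients(self, now: int, arp_responders: Set[str]) -> None:
        """Probe idle clients; forget those that do not answer and tell the Rights Manager."""
        for mac, seen in list(self.last_seen.items()):
            if now - seen >= self.IDLE_BEFORE_PROBE and mac not in arp_responders:
                del self.last_seen[mac]
                self.rights_manager.client_lost(mac, now)
```

The two timers answer different questions: Expire bounds how long a single authentication is trusted regardless of activity, while Linger bounds how long a client that has vanished from one Access Manager may reappear at another without logging in again. A client that reappears inside the linger window keeps its session; one that stays away longer, or whose expire time has passed, is back to logon rights.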

CONFIGURING THE WLAN SECURITY SYSTEM

This chapter describes how to configure the WLAN Secure Server and WLAN Access Manager so that they work with your enterprise network after you have installed them, as described in the EliteConnect WLAN Security System Installation Guide. It includes the following sections:
2.1 Administrative Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
2.2 Changing Your Network Configuration . . . . . . . . . . . . . . . 2-4
2.3 Advanced Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
2.4 Setting the Shared Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
2.5 Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
2.6 Specifying Location Description . . . . . . . . . . . . . . . . . . . . 2-13
2.7 Specifying Session Logging . . . . . . . . . . . . . . . . . . . . . . . . 2-14
2.8 Configuring the Time and Date . . . . . . . . . . . . . . . . . . . . . 2-15
2.9 Viewing Online Documentation and Help . . . . . . . . . . . . 2-16
Note: You can also use the EliteConnect WLAN Security System command-line interface for configuration, which is described in Command Line Interface.
March 18, 2002 3:12 pm 2-1

2.1 Administrative Login

To log in:
Step 1. Set your browser to the IP address or hostname of the WLAN Secure Server or WLAN Access Manager.
Step 2. Press Enter.
The Administrator Login Screen appears, as shown in Figure 2-1.
Any system connected through a WLAN Access Manager’s or WLAN Secure Server’s ports can access the web interface through the specially recognized URL: http://42.0.0.1.
Note: Your browser must accept cookies to log in.
Figure 2-1. Administrator’s Login
Note: The text is adjusted appropriately depending on whether the component you are connected to is a WLAN Secure Server or a WLAN Access Manager.
Step 3. Enter your username.
Note: By default, the system ships with the user name admin and password admin.
Step 4. Enter your password.
Step 5. Click Login.
The Main Menu appears. Figure 2-2 shows the Main Menu for the WLAN Secure Server. Figure 2-3 shows the Main Menu for the WLAN Access Manager.
Figure 2-2. Main Menu for the WLAN Secure Server
Figure 2-3. Main Menu for the WLAN Access Manager
This chapter explains the Configuration functions of the Main Menu; other topics are discussed in other chapters, as shown in Table 2-1.
Table 2-1 Topics in Other Chapters
Topic               Chapter
Airwave Security    3
System Functions    4
Viewing the System  5

2.2 Changing Your Network Configuration

The WLAN Security System Installation Manual explains initial network installation. Refer to this section if you need to change your network configuration.
To change your network configuration:
Step 1. Click Network from the Main Menu.
Figure 2-4 shows the Network Configuration screen for the WLAN Secure Server. Figure 2-5 shows the Network Configuration screen for the WLAN Access Manager.
Figure 2-4. Network Configuration for the WLAN Secure Server