Symbol Technologies AP-5131 User Manual

AP-5131 Access Point

Product Reference Guide

AP-5131 Access Point

Product Reference Guide

72E-94168-01

Revision A

November 2006

© 2006 by Symbol Technologies, Inc. All rights reserved.

No part of this publication may be reproduced or used in any form, or by any electrical or mechanical means,
without permission in writing from Symbol. This includes electronic or mechanical means, such as
photocopying, recording, or information storage and retrieval systems. The material in this manual is subject to
change without notice.

The software is provided strictly on an “as is” basis. All software, including firmware, furnished to the user is
on a licensed basis. Symbol grants to the user a non-transferable and non-exclusive license to use each
software or firmware program delivered hereunder (licensed program). Except as noted below, such license may
not be assigned, sublicensed, or otherwise transferred by the user without prior written consent of Symbol. No
right to copy a licensed program in whole or in part is granted, except as permitted under copyright law. The
user shall not modify, merge, or incorporate any form or portion of a licensed program with other program
material, create a derivative work from a licensed program, or use a licensed program in a network without
written permission from Symbol. The user agrees to maintain Symbol’s copyright notice on the licensed
programs delivered hereunder, and to include the same on any authorized copies it makes, in whole or in part.
The user agrees not to decompile, disassemble, decode, or reverse engineer any licensed program delivered to
the user or any portion thereof.

Symbol reserves the right to make changes to any software or product to improve reliability, function, or design.

Symbol does not assume any product liability arising out of, or in connection with, the application or use of any
product, circuit, or application described herein.

No license is granted, either expressly or by implication, estoppel, or otherwise under any Symbol Technologies,
Inc., intellectual property rights. An implied license only exists for equipment, circuits, and subsystems
contained in Symbol products.

Symbol, Spectrum One, and Spectrum24 are registered trademarks of Symbol Technologies, Inc. Other product
names mentioned in this manual may be trademarks or registered trademarks of their respective companies
and are hereby acknowledged.

Symbol Technologies, Inc.
One Symbol Plaza
Holtsville, New York 11742-1300

http://www.symbol.com

Contents

About This Guide

Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Document Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Notational Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .viii

Service Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .viii

Chapter 1. AP-5131 Introduction

New AP-5131 Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

Mesh Networking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

Additional LAN Subnet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

On-board Radius Server Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4

Hotspot Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4

Routing Information Protocol (RIP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

Manual Date and Time Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

Feature Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

iv

AP-5131 Access Point Product Reference Guide

Single or Dual Mode Radio Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

Separate LAN and WAN Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

Multiple Mounting Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

Antenna Support for 2.4 GHz and 5.2 GHz Radios . . . . . . . . . . . . . . . . . . . . . . 1-7

Sixteen Configurable WLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

Support for 4 BSSIDs per Radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

Quality of Service (QoS) Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9

Industry Leading Data Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9

Kerberos Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

EAP Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

WEP Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11

KeyGuard Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12

Wi-Fi Protected Access (WPA) Using TKIP Encryption . . . . . . . . . . . . . 1-12

WPA2-CCMP (802.11i) Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12

Firewall Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

VPN Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

VLAN Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

Multiple Management Accessibility Options. . . . . . . . . . . . . . . . . . . . . . . . . 1-14

Updatable Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14

Programmable SNMP v1/v2/v3 Trap Support . . . . . . . . . . . . . . . . . . . . . . . . 1-14

Power-over-Ethernet Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15

MU-MU Transmission Disallow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15

Voice Prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Support for CAM and PSP MUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Statistical Displays. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Transmit Power Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17

Advanced Event Logging Capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17

Configuration File Import/Export Functionality . . . . . . . . . . . . . . . . . . . . . . . 1-17

Default Configuration Restoration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17

DHCP Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Multi-Function LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Theory of Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Cellular Coverage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19

MAC Layer Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20

Media Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-21

Direct-Sequence Spread Spectrum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-21

MU Association Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22

Operating Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23

Management Access Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23

Chapter 2. Hardware Installation

Precautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

Package Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

Available Product Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

Placement of the AP-5131 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

Site Surveys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5

Antenna Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5

Power Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

Symbol Power Injector System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

Installing the Power Injector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9

Preparing for Site Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9

Cabling the Power Injector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9

Power Injector LED Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10

Mounting the AP-5131. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11

Desk Mounted Installations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11

Wall Mounted Installations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13

Suspended Ceiling T-Bar Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-15

Above the Ceiling (Plenum) Installations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17

LED Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20

Setting Up MUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-22

v

Chapter 3. Getting Started

Installing the AP-5131 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1

Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2

Default Configuration Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

Initially Connecting to the Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

Connecting to the Access Point using the WAN Port . . . . . . . . . . . . . . . . . . . .3-3

Connecting to the Access Point using the LAN Port . . . . . . . . . . . . . . . . . . . . .3-4

Basic Device Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

Configuring Device Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6

Configuring WLAN Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11

vi

AP-5131 Access Point Product Reference Guide

Testing Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13

Where to Go from Here? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14

Chapter 4. System Configuration

Configuring System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

Configuring Data Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6

Managing Certificate Authority (CA) Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9

Importing a CA Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9

Creating Self Certificates for Accessing the VPN . . . . . . . . . . . . . . . . . . . . . 4-10

Creating a Certificate for Onboard Radius Authentication . . . . . . . . . . . . . . 4-13

Configuring SNMP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-17

Configuring SNMP Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23

Enabling SNMP Traps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25

Configuring Specific SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28

Configuring SNMP RF Trap Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-30

Configuring Network Time Protocol (NTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32

Logging Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-35

Importing/Exporting Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-37

Updating Device Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-41

Upgrade/Downgrade Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-46

Chapter 5. Network Management

Configuring the LAN Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1

Configuring VLAN Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4

Configuring LAN1 and LAN2 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8

Configuring Advanced DHCP Server Settings . . . . . . . . . . . . . . . . . . . . 5-11

Setting the Type Filter Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13

Configuring WAN Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14

Configuring Network Address Translation (NAT) Settings . . . . . . . . . . . . . . 5-19

Configuring Port Forwarding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21

Enabling Wireless LANs (WLANs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22

Creating/Editing Individual WLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24

Configuring WLAN Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-29

Configuring a WLAN Access Control List (ACL). . . . . . . . . . . . . . . . . . . 5-31

Setting the WLAN Quality of Service (QoS) Policy . . . . . . . . . . . . . . . . 5-34

Configuring WLAN Hotspot Support . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-40

Setting the WLAN’s Radio Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-45

Configuring the 802.11a or 802.11b/g Radio . . . . . . . . . . . . . . . . . . . . .5-48

Configuring Bandwidth Management Settings. . . . . . . . . . . . . . . . . . . . . . . . 5-55

Configuring Router Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-57

Setting the RIP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-59

Chapter 6. Configuring Access Point Security

Configuring Security Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2

Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3

Resetting the AP-5131 Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4

Enabling Authentication and Encryption Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5

Configuring Kerberos Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9

Configuring 802.1x EAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11

Configuring WEP Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16

Configuring KeyGuard Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-18

Configuring WPA Using TKIP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-20

Configuring WPA2-CCMP (802.11i) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-22

Configuring Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25

Configuring LAN to WAN Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-28

Available Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-31

Configuring Advanced Subnet Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-32

Configuring VPN Tunnels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-34

Configuring Manual Key Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-38

Configuring Auto Key Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-42

Configuring IKE Key Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-44

Viewing VPN Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-48

Configuring Content Filtering Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-50

Configuring Rogue AP Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-53

Moving Rogue APs to the Allowed AP List . . . . . . . . . . . . . . . . . . . . . . . . . . .6-56

Displaying Rogue AP Details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-58

Using MUs to Detect Rogue Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-60

Configuring User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-62

Configuring the Radius Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-62

Configuring LDAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-65

Configuring a Proxy Radius Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-67

Managing the Local User Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-69

vii

viii

AP-5131 Access Point Product Reference Guide

Mapping Users to Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-71

Defining the User Access Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-72

Chapter 7. Monitoring Statistics

Viewing WAN Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2

Viewing LAN Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6

Viewing a LAN’s STP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9

Viewing Wireless Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11

Viewing WLAN Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-13

Viewing Radio Statistics Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17

Viewing Radio Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-18

Retry Histogram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-22

Viewing MU Statistics Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-23

Viewing MU Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-25

Pinging Individual MUs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-27

MU Authentication Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-28

Viewing the Mesh Statistics Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-29

Viewing Known Access Point Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-30

Chapter 8. Command Line Interface Reference

Connecting to the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1

Accessing the CLI through the Serial Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1

Accessing the CLI via Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2

Admin and Common Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

Network Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11

Network LAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12

Network LAN, Bridge Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-16

Network LAN, WLAN-Mapping Commands . . . . . . . . . . . . . . . . . . . . . 8-19

Network LAN, DHCP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-28

Network Type Filter Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-34

Network WAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-39

Network WAN NAT Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-42

Network WAN, VPN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-48

Network Wireless Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-57

Network WLAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-58

Network Security Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-71

Network ACL Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-80

Network Radio Configuration Commands. . . . . . . . . . . . . . . . . . . . . . . . 8-85

Network Quality of Service (QoS) Commands. . . . . . . . . . . . . . . . . . . . 8-102

Network Bandwith Management Commands. . . . . . . . . . . . . . . . . . . . 8-107

Network Rogue-AP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-110

Network Firewall Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-120

Network Router Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-125

System Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-131

System Debug and Last Password Commands . . . . . . . . . . . . . . . . . . . . . . .8-135

System Access Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-136

System Certificate Management Commands . . . . . . . . . . . . . . . . . . . . . . . . 8-139

System SNMP Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-152

System SNMP Access Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-153

System SNMP Traps Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-158

System Network Time Protocol (NTP) Commands . . . . . . . . . . . . . . . . . . . .8-164

System Log Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-169

System Configuration-Update Commands . . . . . . . . . . . . . . . . . . . . . . . . . .8-175

Firmware Update Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-182

Statistics Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-186

ix

Chapter 9. Configuring Mesh Networking

Mesh Networking Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1

The AP-5131 Client Bridge Association Process . . . . . . . . . . . . . . . . . . . . . . . . 9-3

Spanning Tree Protocol (STP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-4

Defining the Mesh Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-4

Mesh Networking and the AP-5131’s Two Subnets . . . . . . . . . . . . . . . . . . . . . 9-5

Normal Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-5

Impact of Importing/Exporting Configurations to a Mesh Network . . . . . . . . . 9-5

Configuring Mesh Networking Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6

Setting the LAN Configuration for Mesh Networking Support. . . . . . . . . . . . . 9-6

Configuring a WLAN for Mesh Networking Support . . . . . . . . . . . . . . . . . . . .9-8

Configuring the AP-5131 Radio for Mesh Networking Support . . . . . . . . . . . 9-12

Usage Scenario - Trion Enterprises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18

Trion’s Initial Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18

Adding 2 Client Bridges to Expand the Coverage Area. . . . . . . . . . . . . . . . . . 9-29

Adding 2 More Client Bridges to the Trion Network. . . . . . . . . . . . . . . . . . . . 9-36

x

AP-5131 Access Point Product Reference Guide

Appendix A. Technical Specifications

Physical Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2

Electrical Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2

Radio Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-3

Antenna Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4

2.4 GHz Antenna Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4

5.2 GHz Antenna Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4

Additional Antenna Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-5

Antenna Accessory Connectors, Cable Type and Length. . . . . . . . . . . . . . . . . A-5

Country Codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-6

Appendix B. AP-5131 Usage Scenarios

Configuring Automatic Updates using a DHCP or Linux BootP Server

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1

Windows - DHCP Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-2

Embedded Options - Using Option 43 . . . . . . . . . . . . . . . . . . . . . . . . . . . B-2

Global Options - Using Extended/Standard Options . . . . . . . . . . . . . . . . B-4

DHCP Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-5

Linux - BootP Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-6

BootP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-7

BootP Priorities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-9

Configuring an IPSEC Tunnel and VPN FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-9

Configuring a VPN Tunnel Between Two AP-5131s . . . . . . . . . . . . . . . . . . . B-10

Configuring a Cisco VPN Device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-13

Frequently Asked VPN Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-14

Replacing an AP-4131 with an AP-5131. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-19

Appendix C. Customer Support

About This Guide

Introduction

This guide provides configuration and setup information for the AP-5131 model access point.

Document Conventions

The following document conventions are used in this document:

NOTE Indicate tips or special requirements.

CAUTION Indicates conditions that can cause equipment damage or data loss.

!

viii

AP-5131 Access Point Product Reference Guide

WARNING! Indicates a condition or procedure that could result in personal injury or

equipment damage.

Notational Conventions

The following notational conventions are used in this document:

• Italics are used to highlight specific items in the general text, and to identify chapters and
sections in this and related documents.

• Bullets (•) indicate:

• action items

• lists of alternatives

• lists of required steps that are not necessarily sequential

• Sequential lists (those describing step-by-step procedures) appear as numbered lists.

Service Information

If a problem is encountered with the AP-5131, contact the Symbol Customer Support. Refer to

Appendix C for contact information. Before calling, have the model number and serial number at hand.

If the problem cannot be solved over the phone, you may need to return your equipment for servicing.
If that is necessary, you will be given specific instructions.

Symbol Technologies is not responsible for any damages incurred during shipment if the
approved shipping container is not used. Shipping the units improperly can possibly void
the warranty. If the original shipping container was not kept, contact Symbol to have
another sent to you.

AP-5131 Introduction

The Symbol AP-5131 Access Point (AP) provides a bridge between Ethernet wired LANs or WANs and
wireless networks. It provides connectivity between Ethernet wired networks and radio-equipped
mobile units (MUs). MUs include the full line of Symbol terminals, bar-code scanners, adapters (PC
cards, Compact Flash cards and PCI adapters) and other devices.

The AP-5131 provides a maximum 54Mbps data transfer rate via each radio. It monitors Ethernet
traffic and forwards appropriate Ethernet messages to MUs over the network. It also monitors MU
radio traffic and forwards MU packets to the Ethernet LAN.

The AP-5131 is available in two models:

• A single-radio version (Part No. AP-5131-4002X-WW), that can be configured as either an

802.11a access point or an 802.11b/g access point.

• A dual-radio version (Part No. AP-5131-1304X-WW), allowing both the 802.11a radio and

the 802.11b/g radio to function simultaneously.

If you are new to using an access point for managing your network, refer to Theory of Operations on

page 1-18 for an overview on wireless networking fundamentals.

1-2

AP-5131 Access Point Product Reference Guide

1.1 New AP-5131 Features

With this most recent 1.1 release of the AP-5131 firmware, the following new features have been
introduced to the existing AP-5131 feature set:

• Mesh Networking

• Additional LAN Subnet

• On-board Radius Server Authentication

• Hotspot Support

• Routing Information Protocol (RIP)

• Manual Date and Time Settings

1.1.1 Mesh Networking

Utilize the AP-5131’s new mesh networking functionality to allow the AP-5131 to function as a bridge
to connect two Ethernet networks or as a repeater to extend your network’s coverage area without
additional cabling. The AP-5131 mesh networking functionality is configurable in two modes. It can
be set in a wireless client bridge mode and/or a wireless base bridge mode (which accepts
connections from client bridges). These two modes are not mutually exclusive.

In client bridge mode, the AP-5131 scans to find other access points using the selected WLAN’s
ESSID. The AP-5131 must go through the association and authentication process to establish a
wireless connection. The mesh networking association process is identical to the AP-5131’s MU
association process. Once the association/authentication process is complete, the wireless client
adds the connection as a port on its bridge module. This causes the AP-5131 (in client bridge mode)
to begin forwarding configuration packets to the base bridge. An AP-5131 in base bridge mode allows
the AP-5131 radio to accept client bridge connections.

The two bridges communicate using the Spanning Tree Protocol (STP). The spanning tree determines
the path to the root and detects if the current connection is part of a network loop with another
connection. Once the spanning tree converges, both access points begin learning which destinations
reside on which side of the network. This allows them to forward traffic intelligently.

After the AP-5131 (in client bridge mode) establishes at least one wireless connection, it will begin
beaconing and accepting wireless connections (if configured to support mobile users). If the AP-5131
is configured as both a client bridge and a base bridge, it begins accepting client bridge connections.
In this way, the mesh network builds itself over time and distance.

AP-5131 Introduction

Once the AP-5131 (in client bridge mode) establishes at least one wireless connection, it establishes
other wireless connections in the background as they become available. In this way, the AP-5131 is
able to establish simultaneous redundant links. An AP-5131 (in client bridge mode) can establish up
to 3 simultaneous wireless connections with other AP-5131s. A client bridge always initiates the
connections and the base bridge is always the acceptor of the mesh network data proliferating the
network.

Since each AP-5131 can establish up to 3 simultaneous wireless connections, some of these
connections may be redundant. In that case, the STP algorithm establishes which links are the
redundant links and disables the links from forwarding.

For an overview on mesh networking as well as details on configuring the AP-5131’s mesh networking
functionality, see Configuring Mesh Networking on page 9-1.

1.1.2 Additional LAN Subnet

In a typical retail or small office environment (wherein a wireless network is available along with a
production WLAN) it is frequently necessary to segment a LAN into two subnets. Consequently, a
second LAN is necessary to “segregate” wireless traffic.

The AP-5131 now has a second LAN subnet enabling administrators to segment the AP-5131’s LAN
connection into two separate networks. The main AP-5131 LAN screen now allows the user to select
either LAN1 or LAN2 as the active LAN over the AP-5131’s Ethernet port. Both LANs can still be active
at any given time, but only one can transmit over the AP-5131 physical LAN connection. Each LAN
has a separate configuration screen (called LAN 1 and LAN 2 by default) accessible under the main
LAN screen. The user can rename each LAN as necessary. Additionally, each LAN can have its own
Ethernet Type Filter configuration, and subnet access (HTTP, SSH, SNMP and telnet) configuration.

1-3

For detailed information on configuring the AP-5131 for additional LAN subnet support, see

Configuring the LAN Interface on page 5-1.

1-4

AP-5131 Access Point Product Reference Guide

1.1.3 On-board Radius Server Authentication

The AP-5131 now has the ability to work as a Radius Server to provide user database information and
user authentication. Several new screens have been added to the AP-5131’s menu tree to configure
Radius server authentication and configure the local user database and access policies. A new Radius
Server screen allows an administrator to define the data source, authentication type and associate
digital certificates with the authentication scheme. The LDAP screen allows the administrator to
configure an external LDAP Server for use with the AP-5131. A new Access Policy screen enables the
administrator to set WLAN access based on user groups defined within the User Database screen.
Each user is authorized based on the access policies applicable to that user. Access policies allow an
administrator to control access to a user groups based on the WLAN configurations.

For detailed information on configuring the AP-5131 for AAA Radius Server support, see Configuring

User Authentication on page 6-62.

1.1.4 Hotspot Support

The AP-5131 now allows hotspot operators to provide user authentication and accounting without a
special client application. The AP-5131 uses a traditional Internet browser as a secure authentication
device. Rather than rely on built-in 802.11security features to control AP-5131 association privileges,
you can configure a WLAN with no WEP (an open network). The AP-5131 issues an IP address to the
user using a DHCP server, authenticates the user and grants the user to access the Internet.

If a tourist visits a public hotspot and wants to browse a Web page, they boot their laptop and
associate with a local Wi-Fi network by entering a valid SSID. They start a browser, and the hotspot’s
access controller forces the un-authenticated user to a Welcome page (from the hotspot operator)
that allows the user to login with a username and password. In order to send a redirected page (a
login page), a TCP termination exists locally on the AP-5131. Once the login page displays, the user
enters their credentials. The AP-5131 connects to the Radius server and determines the identity of
the connected wireless user. Thus, allowing the user to access the Internet once successfully
authenticated.

For detailed information on configuring the AP-5131 for Hotspot support, see Configuring WLAN

Hotspot Support on page 5-40.

AP-5131 Introduction

1.1.5 Routing Information Protocol (RIP)

With the release of the 1.1 version AP-5131, Routing Information Protocol (RIP) functionality has been
added to the AP-5131’s existing Router screen. RIP is an interior gateway protocol that specifies how
routers exchange routing-table information. The parent Router screen also allows the administrator
to select the type of RIP and the type of RIP authentication used.

For detailed information on configuring RIP functionality as part of the AP-5131’s Router functionality,
see Setting the RIP Configuration on page 5-59.

1.1.6 Manual Date and Time Settings

As an alternative to defining a NTP server to provide AP-5131 system time, the AP-513 can now have
its date and time set manually. A new Manual Date/Time Setting screen can be used to set the

AP-5131 time using a Year-Month-Day HH:MM:SS format.

For detailed information on manually setting the AP-5131’s system time, see Configuring Network

Time Protocol (NTP) on page 4-32.

1-5

1-6

AP-5131 Access Point Product Reference Guide

1.2 Feature Overview

The Symbol AP-5131 has the following existing features carried forward from its initial 1.0 release:

• Single or Dual Mode Radio Options

• Separate LAN and WAN Ports

• Multiple Mounting Options

• Antenna Support for 2.4 GHz and 5.2 GHz Radios

• Sixteen Configurable WLANs

• Support for 4 BSSIDs per Radio

• Quality of Service (QoS) Support

• Industry Leading Data Security

• VLAN Support

• Multiple Management Accessibility Options

• Updatable Firmware

• Programmable SNMP v1/v2/v3 Trap Support

• Power-over-Ethernet Support

• MU-MU Transmission Disallow

• Voice Prioritization

• Support for CAM and PSP MUs

• Statistical Displays

• Transmit Power Control

• Advanced Event Logging Capability

• Configuration File Import/Export Functionality

• Default Configuration Restoration

• DHCP Support

• Multi-Function LEDs

1.2.1 Single or Dual Mode Radio Options

One or two possible configurations are available on the AP-5131 depending on which model is
purchased. If the AP-5131 is manufactured as a single radio access point, the AP-5131 enables you
to configure the single radio for either 802.11a or 802.11b/g.

AP-5131 Introduction

If the AP-5131 is manufactured as a dual-radio access point, the AP-5131 enables you to configure
one radio for 802.11a, and the other 802.11b/g.

For detailed information on configuring your AP-5131, see Setting the WLAN’s Radio Configuration

on page 5-45.

1.2.2 Separate LAN and WAN Ports

The AP-5131 has one LAN port and one WAN port, each with their own MAC address. The AP-5131
must manage all data traffic over the LAN connection carefully as either a DHCP client, BOOTP client,
DHCP server or using a static IP address. The AP-5131 can only use a Power-over-Ethernet device
when connected to the LAN port.

For detailed information on configuring the AP-5131 LAN port, see Configuring the LAN Interface on

page 5-1.

A Wide Area Network (WAN) is a widely dispersed telecommunications network. In a corporate
environment, the WAN port might connect to a larger corporate network. For a small business, the
WAN port might connect to a DSL or cable modem to access the Internet. Regardless, network
address information must be configured for the AP-5131’s intended mode of operation.

1-7

For detailed information on configuring the AP-5131’s WAN port, see Configuring WAN Settings on

page 5-14.

The LAN and WAN port MAC addresses can be located within the LAN and WAN Stats screens.

For detailed information on locating the AP-5131 MAC addresses, see Viewing WAN Statistics on

page 7-2 and Viewing LAN Statistics on page 7-6.

1.2.3 Multiple Mounting Options

The AP-5131 rests on a flat surface, attaches to a wall, mounts under a ceiling or above a ceiling
(attic). Choose a mounting option based on the physical environment of the coverage area. Do not
mount the AP-5131 in a location that has not been approved in an AP-5131 radio coverage site survey.

For detailed information on the mounting options available for the AP-5131, see Mounting the

AP-5131 on page 2-11.

1.2.4 Antenna Support for 2.4 GHz and 5.2 GHz Radios

The AP-5131 supports several 802.11a and 802.11b/g radio antennas. Select the antenna best suited
to the radio transmission requirements of your coverage area.

1-8

AP-5131 Access Point Product Reference Guide

For an overview of the Radio 1 (2.4 GHz) and Radio 2 (5.2 GHz) antennas supported on the AP-5131’s
Reverse SMA (RSMA) connectors, see Antenna Specifications on page A-4.

1.2.5 Sixteen Configurable WLANs

A Wireless Local Area Network (WLAN) is a data-communications system that flexibly extends the
functionalities of a wired LAN. A WLAN does not require lining up devices for line-of-sight
transmission, and are thus, desirable for wireless networking. Roaming users can be handed off from
one AP-5131 to another like a cellular phone system. WLANs can therefore be configured around the
needs of specific groups of users, even when they are not in physical proximity. Sixteen WLANs are
configurable on each AP-5131.

To enable and configure WLANs on an AP-5131 radio, see Enabling Wireless LANs (WLANs) on page

5-22.

1.2.6 Support for 4 BSSIDs per Radio

The AP-5131 supports four BSSIDs per radio. Each BSSID has a corresponding MAC address. The first
MAC address corresponds to BSSID #1. The MAC addresses for the other three BSSIDs (BSSIDs #2,
#3, #4) are derived by adding 1, 2, 3, respectively, to the radio MAC address.

If the radio MAC address displayed on the Radio Settings screen is 00:A0:F8:72:20:DC, then the
BSSIDs for that radio will have the following MAC addresses:

BSSID MAC Address Hexadecimal Addition

BSSID #1 00:A0:F8:72:20:DC Same as Radio MAC address

BSSID #2 00:A0:F8:72:20:DD Radio MAC address +1

BSSID #3 00:A0:F8:72:20:DE Radio MAC address +2

BSSID #4 00:A0:F8:72:20:DF Radio MAC address +3

For detailed information on strategically mapping BSSIDs to WLANs, see Configuring the 802.11a or

802.11b/g Radio on page 5-48.

AP-5131 Introduction

1.2.7 Quality of Service (QoS) Support

The AP-5131 QoS implementation provides applications running on different wireless devices a
variety of priority levels to transmit data to and from the AP-5131. Equal data transmission priority is
fine for data traffic from applications such as Web browsers, file transfers or email, but is inadequate
for multimedia applications.

Voice over Internet Protocol (VoIP), video streaming and interactive gaming are highly sensitive to
latency increases and throughput reductions. These forms of higher priority data traffic can
significantly benefit from the AP-5131 QoS implementation.The WiFi Multimedia QOS Extensions
(WMM) implementation used by the AP-5131 shortens the time between transmitting higher priority
data traffic and is thus desirable for multimedia applications. In addition, U-APSD (WMM Power
Save) is also supported.

WMM defines four access categories—voice, video, best effort and background—to prioritize traffic
for providing enhanced multimedia support.

For detailed information on configuring QoS support for the AP-5131, see Setting the WLAN Quality

of Service (QoS) Policy on page 5-34.

1.2.8 Industry Leading Data Security

1-9

The AP-5131 supports numerous encryption and authentication techniques to protect the data
transmitting on the WLAN.

The following authentication techniques are supported on the AP-5131:

• Kerberos Authentication

• EAP Authentication

The following encryption techniques are supported on the AP-5131:

• WEP Encryption

• KeyGuard Encryption

• Wi-Fi Protected Access (WPA) Using TKIP Encryption

• WPA2-CCMP (802.11i) Encryption

In addition, the AP-5131 supports the following additional security features:

• Firewall Security

• VPN Tunnels

1-10

AP-5131 Access Point Product Reference Guide

• Content Filtering

For an overview on the encryption and authentication schemes available on the AP-5131, refer to

Configuring Access Point Security on page 6-1.

1.2.8.1 Kerberos Authentication

Authentication is a means of verifying information that is transmitted from a secure source. If
information is authentic, you know who created it and you know that it has not been altered in any
way since it was originated. Authentication entails a network administrator employing a software
“supplicant” on their computer or wireless device.

Authentication is critical for the security of any wireless LAN device. Traditional authentication
methods are not suitable for use in wireless networks where an unauthorized user can monitor
network traffic and intercept passwords. The use of strong authentication methods that do not
disclose passwords is necessary. Symbol uses the Kerberos authentication service protocol (specified
in RFC 1510), to authenticate users/clients in a wireless network environment and to securely
distribute the encryption keys used for both encrypting and decrypting.

A basic understanding of RFC 1510 Kerberos Network Authentication Service (V5) is helpful in
understanding how Kerberos functions. By default, WLAN devices operate in an open system network
where any wireless device can associate with an AP without authorization. Kerberos requires device
authentication before access to the wired network is permitted.

For detailed information on Kerbeors configurations, see Configuring Kerberos Authentication on

page 6-9.

1.2.8.2 EAP Authentication

The Extensible Authentication Protocol (EAP) feature provides access points and their associated
MU’s an additional measure of security for data transmitted over the wireless network. Using EAP,
authentication between devices is achieved through the exchange and verification of certificates.

EAP is a mutual authentication method whereby both the MU and AP are required to prove their
identities. Like Kerberos, the user loses device authentication if the server cannot provide proof of
device identification

Using EAP, a user requests connection to a WLAN through the AP-5131. The AP-5131 then requests
the identity of the user and transmits that identity to an authentication server. The server prompts the
AP for proof of identity (supplied to the AP-5131 by the user) and then transmits the user data back
to the server to complete the authentication.

AP-5131 Introduction

An MU is not able to access the network if not authenticated. When configured for EAP support, the
access point displays the MU as an EAP station.

EAP is only supported on mobile devices running Windows XP, Windows 2000 (using Service Pack #4)
and Windows Mobile 2003. Refer to the system administrator for information on configuring a Radius
Server for EAP (802.1x) support.

For detailed information on EAP configurations, see Configuring 802.1x EAP Authentication on page

6-11.

1.2.8.3 WEP Encryption

All WLAN devices face possible information theft. Theft occurs when an unauthorized user
eavesdrops to obtain information illegally. The absence of a physical connection makes wireless links
particularly vulnerable to this form of theft. Most forms of WLAN security rely on encryption to
various extents. Encryption entails scrambling and coding information, typically with mathematical
formulas called algorithms, before the information is transmitted. An algorithm is a set of instructions
or formula for scrambling the data. A key is the specific code used by the algorithm to encrypt or
decrypt the data. Decryption is the decoding and unscrambling of received encrypted data.

The same device, host computer or front-end processor, usually performs both encryption and
decryption. The data transmit or receive direction determines whether the encryption or decryption
function is performed. The device takes plain text, encrypts or scrambles the text typically by
mathematically combining the key with the plain text as instructed by the algorithm, then transmits
the data over the network. At the receiving end, another device takes the encrypted text and decrypts,
or unscrambles, the text revealing the original message. An unauthorized user can know the
algorithm, but cannot interpret the encrypted data without the appropriate key. Only the sender and
receiver of the transmitted data know the key.

1-11

Wired Equivalent Privacy (WEP) is an encryption security protocol specified in the IEEE Wireless
Fidelity (Wi-Fi) standard, 802.11b and supported by the AP-5131 AP. WEP encryption is designed to
provide a WLAN with a level of security and privacy comparable to that of a wired LAN. The level of
protection provided by WEP encryption is determined by the encryption key length and algorithm. An
encryption key is a string of case sensitive characters used to encrypt and decrypt data packets
transmitted between a mobile unit (MU) and the AP-5131. An AP-5131 and associated wireless
clients must use the same encryption key (typically 1 through 4) to interoperate.

For detailed information on WEP configurations, see Configuring WEP Encryption on page 6-16.

1-12

AP-5131 Access Point Product Reference Guide

1.2.8.4 KeyGuard Encryption

Use KeyGuard to shield the master encryption keys from being discovered through hacking. KeyGuard
negotiation takes place between the access point and MU upon association. The access point can
use KeyGuard with Symbol MUs. KeyGuard is only supported on Symbol MUs making it a Symbol
proprietary security mechanism.

For detailed information on KeyGuard configurations, see Configuring KeyGuard Encryption on page

6-18.

1.2.8.5 Wi-Fi Protected Access (WPA) Using TKIP Encryption

Wi-Fi Protected Access (WPA) is a security standard for systems operating with a Wi-Fi wireless
connection. WEP’s lack of user authentication mechanisms is addressed by WPA. Compared to WEP,
WPA provides superior data encryption and user authentication.

WPA addresses the weaknesses of WEP by including:

• a per-packet key mixing function

• a message integrity check

• an extended initialization vector with sequencing rules

• a re-keying mechanism

WPA uses an encryption method called Temporal Key Integrity Protocol (TKIP). WPA employs 802.1X
and Extensible Authentication Protocol (EAP).

For detailed information on WPA using TKIP configurations, see Configuring WPA Using TKIP on page

6-20.

1.2.8.6 WPA2-CCMP (802.11i) Encryption

WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi Protected
Access (WPA) and WEP. Counter-mode/CBC-MAC Protocol (CCMP) is the security standard used by
the Advanced Encryption Standard (AES). AES serves the same function TKIP does for WPA-TKIP.
CCMP computes a Message Integrity Check (MIC) using the proven Cipher Block Message
Authentication Code (CBC-MAC) technique. Changing just one bit in a message produces a totally
different result.

WPA2-CCMP is based on the concept of a Robust Security Network (RSN), which defines a hierarchy
of keys with a limited lifetime (similar to TKIP). Like TKIP, the keys the administrator provides are used
to derive other keys. Messages are encrypted using a 128-bit secret key and a 128-bit block of data.
the end result is an encryption scheme as secure as any the AP-5131 provides.

AP-5131 Introduction

For detailed information on WPA2-CCMP configurations, see Configuring WPA2-CCMP (802.11i) on

page 6-22.

1.2.8.7 Firewall Security

A firewall keeps personal data in and hackers out. The AP-5131 firewall prevents suspicious Internet
traffic from proliferating the AP-5131 managed network. The AP-5131 performs network address
translation (NAT) on packets passing to and from the WAN port. This combination provides enhanced
security by monitoring communication with the wired network.

For detailed information on configuring the AP-5131 firewall, see Configuring Firewall Settings on

page 6-25.

1.2.8.8 VPN Tunnels

Virtual Private Networks (VPNs) are IP-based networks using encryption and tunneling providing
users remote access to a secure LAN. In essence, the trust relationship is extended from one LAN
across the public network to another LAN, without sacrificing security. A VPN behaves like a private
network; however, because the data travels through the public network, it needs several layers of
security. The AP-5131 can function as a robust VPN gateway.

For detailed information on configuring VPN security support, see Configuring VPN Tunnels on page

6-34.

1-13

1.2.8.9 Content Filtering

Content filtering allows system administrators to block specific commands and URL extensions from
going out through the AP-5131 WAN port only. Therefore, content filtering affords system
administrators selective control on the content proliferating the network and is a powerful screening
tool. Content filtering allows the blocking of up to 10 files or URL extensions and allows blocking of
specific outbound HTTP, SMTP, and FTP requests.

For detailed information on configuring content filtering support, see Configuring Content Filtering

Settings on page 6-50.

1.2.9 VLAN Support

A Virtual Local Area Network (VLAN) is a means to electronically separate data on the same AP-5131
from a single broadcast domain into separate broadcast domains. By using a VLAN, you can group by
logical function instead of physical location. There are 16 VLANs supported on the AP-5131. An
administrator can map up to 16 WLANs to 16 VLANs and enable or disable dynamic VLAN

1-14

AP-5131 Access Point Product Reference Guide

assignment. In addition to these 16 VLANs, the AP-5131 supports dynamic, user-based, VLANs when
using EAP authentication.

VLANs enable organizations to share network resources in various network segments within large
areas (airports, shopping malls, etc.). A VLAN is a group of clients with a common set of requirements
independent of their physical location. VLANs have the same attributes as physical LANs, but they
enable administrators to group clients even when they are not members of the same network
segment.

For detailed information on configuring VLAN support, see Configuring VLAN Support on page 5-4.

1.2.10 Multiple Management Accessibility Options

The AP-5131 can be accessed and configured using one of the following methods:

• Java-Based Web UI

• Human readable config file (imported via FTP or TFTP)

• MIB (Management Information Base)

• Command Line Interface (CLI) accessed via RS-232 or Telnet. Use the AP-5131 DB-9 serial
port for direct access to the command-line interface from a PC. Use Symbol's Null-Modem
cable (Part No. 25-632878-0) for the best fitting connection.

1.2.11 Updatable Firmware

Symbol periodically releases updated versions of the AP-5131 device firmware to the Symbol Web
site. If the AP-5131 firmware version displayed on the System Settings page (see Configuring System

Settings on page 4-2) is older than the version on the Web site, Symbol recommends updating the

AP-5131 to the latest firmware version for full feature functionality.

For detailed information on updating the AP-5131 firmware using FTP or TFTP, see Updating Device

Firmware on page 4-41.

1.2.12 Programmable SNMP v1/v2/v3 Trap Support

Simple Network Management Protocol (SNMP) facilitates the exchange of management information
between network devices. SNMP uses Management Information Bases (MIBs) to manage the device
configuration and monitor Internet devices in remote locations. MIB information accessed via SNMP
is defined by a set of managed objects called object identifiers (OIDs). An object identifier (OID) is
used to uniquely identify each object variable of a MIB.