How it Works
Symbol Technologies
Loading...
AP-5131
User Manual
578 pgs6.22 Mb1
Table of contents
Loading...

Symbol Technologies AP-5131 User Manual

Download
AP-5131 Access Point
Product Reference Guide
AP-5131 Access Point
Product Reference Guide
72E-94168-01
Revision A
November 2006
© 2006 by Symbol Technologies, Inc. All rights reserved.
The software is provided strictly on an “as is” basis. All software, including firmware, furnished to the user is on a licensed basis. Symbol grants to the user a non-transferable and non-exclusive license to use each software or firmware program delivered hereunder (licensed program). Except as noted below, such license may not be assigned, sublicensed, or otherwise transferred by the user without prior written consent of Symbol. No right to copy a licensed program in whole or in part is granted, except as permitted under copyright law. The user shall not modify, merge, or incorporate any form or portion of a licensed program with other program material, create a derivative work from a licensed program, or use a licensed program in a network without written permission from Symbol. The user agrees to maintain Symbol’s copyright notice on the licensed programs delivered hereunder, and to include the same on any authorized copies it makes, in whole or in part. The user agrees not to decompile, disassemble, decode, or reverse engineer any licensed program delivered to the user or any portion thereof.
Symbol reserves the right to make changes to any software or product to improve reliability, function, or design.
Symbol does not assume any product liability arising out of, or in connection with, the application or use of any product, circuit, or application described herein.
No license is granted, either expressly or by implication, estoppel, or otherwise under any Symbol Technologies, Inc., intellectual property rights. An implied license only exists for equipment, circuits, and subsystems contained in Symbol products.
Symbol, Spectrum One, and Spectrum24 are registered trademarks of Symbol Technologies, Inc. Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.
Symbol Technologies, Inc. One Symbol Plaza Holtsville, New York 11742-1300
http://www.symbol.com

Contents

About This Guide
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Document Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Notational Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .viii
Service Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .viii
Chapter 1. AP-5131 Introduction
New AP-5131 Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Mesh Networking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Additional LAN Subnet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
On-board Radius Server Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Hotspot Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Routing Information Protocol (RIP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Manual Date and Time Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Feature Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
iv
AP-5131 Access Point Product Reference Guide
Single or Dual Mode Radio Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Separate LAN and WAN Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Multiple Mounting Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Antenna Support for 2.4 GHz and 5.2 GHz Radios . . . . . . . . . . . . . . . . . . . . . . 1-7
Sixteen Configurable WLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Support for 4 BSSIDs per Radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Quality of Service (QoS) Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Industry Leading Data Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Kerberos Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
EAP Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
WEP Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
KeyGuard Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12
Wi-Fi Protected Access (WPA) Using TKIP Encryption . . . . . . . . . . . . . 1-12
WPA2-CCMP (802.11i) Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12
Firewall Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
VPN Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
VLAN Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Multiple Management Accessibility Options. . . . . . . . . . . . . . . . . . . . . . . . . 1-14
Updatable Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
Programmable SNMP v1/v2/v3 Trap Support . . . . . . . . . . . . . . . . . . . . . . . . 1-14
Power-over-Ethernet Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
MU-MU Transmission Disallow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
Voice Prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
Support for CAM and PSP MUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
Statistical Displays. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
Transmit Power Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17
Advanced Event Logging Capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17
Configuration File Import/Export Functionality . . . . . . . . . . . . . . . . . . . . . . . 1-17
Default Configuration Restoration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17
DHCP Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18
Multi-Function LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18
Theory of Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18
Cellular Coverage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19
MAC Layer Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20
Media Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-21
Direct-Sequence Spread Spectrum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-21
MU Association Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22
Operating Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23
Management Access Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23
Chapter 2. Hardware Installation
Precautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Package Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Available Product Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Placement of the AP-5131 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Site Surveys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Antenna Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Power Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Symbol Power Injector System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Installing the Power Injector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Preparing for Site Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Cabling the Power Injector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Power Injector LED Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Mounting the AP-5131. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Desk Mounted Installations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Wall Mounted Installations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
Suspended Ceiling T-Bar Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-15
Above the Ceiling (Plenum) Installations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17
LED Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20
Setting Up MUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-22
v
Chapter 3. Getting Started
Installing the AP-5131 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Default Configuration Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Initially Connecting to the Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Connecting to the Access Point using the WAN Port . . . . . . . . . . . . . . . . . . . .3-3
Connecting to the Access Point using the LAN Port . . . . . . . . . . . . . . . . . . . . .3-4
Basic Device Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Configuring Device Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6
Configuring WLAN Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11
vi
AP-5131 Access Point Product Reference Guide
Testing Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13
Where to Go from Here? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14
Chapter 4. System Configuration
Configuring System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Configuring Data Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
Managing Certificate Authority (CA) Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9
Importing a CA Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9
Creating Self Certificates for Accessing the VPN . . . . . . . . . . . . . . . . . . . . . 4-10
Creating a Certificate for Onboard Radius Authentication . . . . . . . . . . . . . . 4-13
Configuring SNMP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-17
Configuring SNMP Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23
Enabling SNMP Traps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25
Configuring Specific SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28
Configuring SNMP RF Trap Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-30
Configuring Network Time Protocol (NTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32
Logging Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-35
Importing/Exporting Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-37
Updating Device Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-41
Upgrade/Downgrade Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-46
Chapter 5. Network Management
Configuring the LAN Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Configuring VLAN Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
Configuring LAN1 and LAN2 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Configuring Advanced DHCP Server Settings . . . . . . . . . . . . . . . . . . . . 5-11
Setting the Type Filter Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13
Configuring WAN Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14
Configuring Network Address Translation (NAT) Settings . . . . . . . . . . . . . . 5-19
Configuring Port Forwarding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
Enabling Wireless LANs (WLANs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22
Creating/Editing Individual WLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24
Configuring WLAN Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-29
Configuring a WLAN Access Control List (ACL). . . . . . . . . . . . . . . . . . . 5-31
Setting the WLAN Quality of Service (QoS) Policy . . . . . . . . . . . . . . . . 5-34
Configuring WLAN Hotspot Support . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-40
Setting the WLAN’s Radio Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-45
Configuring the 802.11a or 802.11b/g Radio . . . . . . . . . . . . . . . . . . . . .5-48
Configuring Bandwidth Management Settings. . . . . . . . . . . . . . . . . . . . . . . . 5-55
Configuring Router Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-57
Setting the RIP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-59
Chapter 6. Configuring Access Point Security
Configuring Security Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
Resetting the AP-5131 Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Enabling Authentication and Encryption Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Configuring Kerberos Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9
Configuring 802.1x EAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11
Configuring WEP Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16
Configuring KeyGuard Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-18
Configuring WPA Using TKIP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-20
Configuring WPA2-CCMP (802.11i) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-22
Configuring Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25
Configuring LAN to WAN Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-28
Available Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-31
Configuring Advanced Subnet Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-32
Configuring VPN Tunnels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-34
Configuring Manual Key Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-38
Configuring Auto Key Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-42
Configuring IKE Key Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-44
Viewing VPN Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-48
Configuring Content Filtering Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-50
Configuring Rogue AP Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-53
Moving Rogue APs to the Allowed AP List . . . . . . . . . . . . . . . . . . . . . . . . . . .6-56
Displaying Rogue AP Details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-58
Using MUs to Detect Rogue Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-60
Configuring User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-62
Configuring the Radius Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-62
Configuring LDAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-65
Configuring a Proxy Radius Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-67
Managing the Local User Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-69
vii
viii
AP-5131 Access Point Product Reference Guide
Mapping Users to Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-71
Defining the User Access Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-72
Chapter 7. Monitoring Statistics
Viewing WAN Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Viewing LAN Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6
Viewing a LAN’s STP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9
Viewing Wireless Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11
Viewing WLAN Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-13
Viewing Radio Statistics Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17
Viewing Radio Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-18
Retry Histogram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-22
Viewing MU Statistics Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-23
Viewing MU Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-25
Pinging Individual MUs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-27
MU Authentication Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-28
Viewing the Mesh Statistics Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-29
Viewing Known Access Point Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-30
Chapter 8. Command Line Interface Reference
Connecting to the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Accessing the CLI through the Serial Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Accessing the CLI via Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Admin and Common Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
Network Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11
Network LAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12
Network LAN, Bridge Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-16
Network LAN, WLAN-Mapping Commands . . . . . . . . . . . . . . . . . . . . . 8-19
Network LAN, DHCP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-28
Network Type Filter Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-34
Network WAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-39
Network WAN NAT Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-42
Network WAN, VPN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-48
Network Wireless Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-57
Network WLAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-58
Network Security Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-71
Network ACL Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-80
Network Radio Configuration Commands. . . . . . . . . . . . . . . . . . . . . . . . 8-85
Network Quality of Service (QoS) Commands. . . . . . . . . . . . . . . . . . . . 8-102
Network Bandwith Management Commands. . . . . . . . . . . . . . . . . . . . 8-107
Network Rogue-AP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-110
Network Firewall Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-120
Network Router Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-125
System Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-131
System Debug and Last Password Commands . . . . . . . . . . . . . . . . . . . . . . .8-135
System Access Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-136
System Certificate Management Commands . . . . . . . . . . . . . . . . . . . . . . . . 8-139
System SNMP Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-152
System SNMP Access Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-153
System SNMP Traps Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-158
System Network Time Protocol (NTP) Commands . . . . . . . . . . . . . . . . . . . .8-164
System Log Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-169
System Configuration-Update Commands . . . . . . . . . . . . . . . . . . . . . . . . . .8-175
Firmware Update Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-182
Statistics Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-186
ix
Chapter 9. Configuring Mesh Networking
Mesh Networking Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
The AP-5131 Client Bridge Association Process . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Spanning Tree Protocol (STP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-4
Defining the Mesh Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-4
Mesh Networking and the AP-5131’s Two Subnets . . . . . . . . . . . . . . . . . . . . . 9-5
Normal Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-5
Impact of Importing/Exporting Configurations to a Mesh Network . . . . . . . . . 9-5
Configuring Mesh Networking Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
Setting the LAN Configuration for Mesh Networking Support. . . . . . . . . . . . . 9-6
Configuring a WLAN for Mesh Networking Support . . . . . . . . . . . . . . . . . . . .9-8
Configuring the AP-5131 Radio for Mesh Networking Support . . . . . . . . . . . 9-12
Usage Scenario - Trion Enterprises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18
Trion’s Initial Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18
Adding 2 Client Bridges to Expand the Coverage Area. . . . . . . . . . . . . . . . . . 9-29
Adding 2 More Client Bridges to the Trion Network. . . . . . . . . . . . . . . . . . . . 9-36
x
AP-5131 Access Point Product Reference Guide
Appendix A. Technical Specifications
Physical Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2
Electrical Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2
Radio Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-3
Antenna Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4
2.4 GHz Antenna Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4
5.2 GHz Antenna Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4
Additional Antenna Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-5
Antenna Accessory Connectors, Cable Type and Length. . . . . . . . . . . . . . . . . A-5
Country Codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-6
Appendix B. AP-5131 Usage Scenarios
Configuring Automatic Updates using a DHCP or Linux BootP Server
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1
Windows - DHCP Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-2
Embedded Options - Using Option 43 . . . . . . . . . . . . . . . . . . . . . . . . . . . B-2
Global Options - Using Extended/Standard Options . . . . . . . . . . . . . . . . B-4
DHCP Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-5
Linux - BootP Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-6
BootP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-7
BootP Priorities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-9
Configuring an IPSEC Tunnel and VPN FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-9
Configuring a VPN Tunnel Between Two AP-5131s . . . . . . . . . . . . . . . . . . . B-10
Configuring a Cisco VPN Device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-13
Frequently Asked VPN Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-14
Replacing an AP-4131 with an AP-5131. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-19
Appendix C. Customer Support
About This Guide
Introduction
This guide provides configuration and setup information for the AP-5131 model access point.
Document Conventions
The following document conventions are used in this document:
NOTE Indicate tips or special requirements.
CAUTION Indicates conditions that can cause equipment damage or data loss.
!
viii
AP-5131 Access Point Product Reference Guide
WARNING! Indicates a condition or procedure that could result in personal injury or
equipment damage.
Notational Conventions
The following notational conventions are used in this document:
Italics are used to highlight specific items in the general text, and to identify chapters and sections in this and related documents.
Bullets (•) indicate:
• action items
• lists of alternatives
• lists of required steps that are not necessarily sequential
Sequential lists (those describing step-by-step procedures) appear as numbered lists.
Service Information
If a problem is encountered with the AP-5131, contact the Symbol Customer Support. Refer to
Appendix C for contact information. Before calling, have the model number and serial number at hand.
If the problem cannot be solved over the phone, you may need to return your equipment for servicing. If that is necessary, you will be given specific instructions.
Symbol Technologies is not responsible for any damages incurred during shipment if the approved shipping container is not used. Shipping the units improperly can possibly void the warranty. If the original shipping container was not kept, contact Symbol to have another sent to you.

AP-5131 Introduction

The Symbol AP-5131 Access Point (AP) provides a bridge between Ethernet wired LANs or WANs and wireless networks. It provides connectivity between Ethernet wired networks and radio-equipped mobile units (MUs). MUs include the full line of Symbol terminals, bar-code scanners, adapters (PC cards, Compact Flash cards and PCI adapters) and other devices.
The AP-5131 provides a maximum 54Mbps data transfer rate via each radio. It monitors Ethernet traffic and forwards appropriate Ethernet messages to MUs over the network. It also monitors MU radio traffic and forwards MU packets to the Ethernet LAN.
The AP-5131 is available in two models:
A single-radio version (Part No. AP-5131-4002X-WW), that can be configured as either an
802.11a access point or an 802.11b/g access point.
A dual-radio version (Part No. AP-5131-1304X-WW), allowing both the 802.11a radio and
the 802.11b/g radio to function simultaneously.
If you are new to using an access point for managing your network, refer to Theory of Operations on
page 1-18 for an overview on wireless networking fundamentals.
1-2
AP-5131 Access Point Product Reference Guide

1.1 New AP-5131 Features

With this most recent 1.1 release of the AP-5131 firmware, the following new features have been introduced to the existing AP-5131 feature set:
Mesh Networking
Additional LAN Subnet
On-board Radius Server Authentication
Hotspot Support
Routing Information Protocol (RIP)
Manual Date and Time Settings

1.1.1 Mesh Networking

Utilize the AP-5131’s new mesh networking functionality to allow the AP-5131 to function as a bridge to connect two Ethernet networks or as a repeater to extend your network’s coverage area without additional cabling. The AP-5131 mesh networking functionality is configurable in two modes. It can be set in a wireless client bridge mode and/or a wireless base bridge mode (which accepts connections from client bridges). These two modes are not mutually exclusive.
In client bridge mode, the AP-5131 scans to find other access points using the selected WLAN’s ESSID. The AP-5131 must go through the association and authentication process to establish a wireless connection. The mesh networking association process is identical to the AP-5131’s MU association process. Once the association/authentication process is complete, the wireless client adds the connection as a port on its bridge module. This causes the AP-5131 (in client bridge mode) to begin forwarding configuration packets to the base bridge. An AP-5131 in base bridge mode allows the AP-5131 radio to accept client bridge connections.
The two bridges communicate using the Spanning Tree Protocol (STP). The spanning tree determines the path to the root and detects if the current connection is part of a network loop with another connection. Once the spanning tree converges, both access points begin learning which destinations reside on which side of the network. This allows them to forward traffic intelligently.
After the AP-5131 (in client bridge mode) establishes at least one wireless connection, it will begin beaconing and accepting wireless connections (if configured to support mobile users). If the AP-5131 is configured as both a client bridge and a base bridge, it begins accepting client bridge connections. In this way, the mesh network builds itself over time and distance.
AP-5131 Introduction
Once the AP-5131 (in client bridge mode) establishes at least one wireless connection, it establishes other wireless connections in the background as they become available. In this way, the AP-5131 is able to establish simultaneous redundant links. An AP-5131 (in client bridge mode) can establish up to 3 simultaneous wireless connections with other AP-5131s. A client bridge always initiates the connections and the base bridge is always the acceptor of the mesh network data proliferating the network.
Since each AP-5131 can establish up to 3 simultaneous wireless connections, some of these connections may be redundant. In that case, the STP algorithm establishes which links are the redundant links and disables the links from forwarding.
For an overview on mesh networking as well as details on configuring the AP-5131’s mesh networking functionality, see Configuring Mesh Networking on page 9-1.

1.1.2 Additional LAN Subnet

In a typical retail or small office environment (wherein a wireless network is available along with a production WLAN) it is frequently necessary to segment a LAN into two subnets. Consequently, a second LAN is necessary to “segregate” wireless traffic.
The AP-5131 now has a second LAN subnet enabling administrators to segment the AP-5131’s LAN connection into two separate networks. The main AP-5131 LAN screen now allows the user to select either LAN1 or LAN2 as the active LAN over the AP-5131’s Ethernet port. Both LANs can still be active at any given time, but only one can transmit over the AP-5131 physical LAN connection. Each LAN has a separate configuration screen (called LAN 1 and LAN 2 by default) accessible under the main LAN screen. The user can rename each LAN as necessary. Additionally, each LAN can have its own Ethernet Type Filter configuration, and subnet access (HTTP, SSH, SNMP and telnet) configuration.
1-3
For detailed information on configuring the AP-5131 for additional LAN subnet support, see
Configuring the LAN Interface on page 5-1.
1-4
AP-5131 Access Point Product Reference Guide

1.1.3 On-board Radius Server Authentication

The AP-5131 now has the ability to work as a Radius Server to provide user database information and user authentication. Several new screens have been added to the AP-5131’s menu tree to configure Radius server authentication and configure the local user database and access policies. A new Radius Server screen allows an administrator to define the data source, authentication type and associate digital certificates with the authentication scheme. The LDAP screen allows the administrator to configure an external LDAP Server for use with the AP-5131. A new Access Policy screen enables the administrator to set WLAN access based on user groups defined within the User Database screen. Each user is authorized based on the access policies applicable to that user. Access policies allow an administrator to control access to a user groups based on the WLAN configurations.
For detailed information on configuring the AP-5131 for AAA Radius Server support, see Configuring
User Authentication on page 6-62.

1.1.4 Hotspot Support

The AP-5131 now allows hotspot operators to provide user authentication and accounting without a special client application. The AP-5131 uses a traditional Internet browser as a secure authentication device. Rather than rely on built-in 802.11security features to control AP-5131 association privileges, you can configure a WLAN with no WEP (an open network). The AP-5131 issues an IP address to the user using a DHCP server, authenticates the user and grants the user to access the Internet.
If a tourist visits a public hotspot and wants to browse a Web page, they boot their laptop and associate with a local Wi-Fi network by entering a valid SSID. They start a browser, and the hotspot’s access controller forces the un-authenticated user to a Welcome page (from the hotspot operator) that allows the user to login with a username and password. In order to send a redirected page (a login page), a TCP termination exists locally on the AP-5131. Once the login page displays, the user enters their credentials. The AP-5131 connects to the Radius server and determines the identity of the connected wireless user. Thus, allowing the user to access the Internet once successfully authenticated.
For detailed information on configuring the AP-5131 for Hotspot support, see Configuring WLAN
Hotspot Support on page 5-40.
AP-5131 Introduction

1.1.5 Routing Information Protocol (RIP)

With the release of the 1.1 version AP-5131, Routing Information Protocol (RIP) functionality has been added to the AP-5131’s existing Router screen. RIP is an interior gateway protocol that specifies how routers exchange routing-table information. The parent Router screen also allows the administrator to select the type of RIP and the type of RIP authentication used.
For detailed information on configuring RIP functionality as part of the AP-5131’s Router functionality, see Setting the RIP Configuration on page 5-59.

1.1.6 Manual Date and Time Settings

As an alternative to defining a NTP server to provide AP-5131 system time, the AP-513 can now have its date and time set manually. A new Manual Date/Time Setting screen can be used to set the
AP-5131 time using a Year-Month-Day HH:MM:SS format.
For detailed information on manually setting the AP-5131’s system time, see Configuring Network
Time Protocol (NTP) on page 4-32.
1-5
1-6
AP-5131 Access Point Product Reference Guide

1.2 Feature Overview

The Symbol AP-5131 has the following existing features carried forward from its initial 1.0 release:
Single or Dual Mode Radio Options
Separate LAN and WAN Ports
Multiple Mounting Options
Antenna Support for 2.4 GHz and 5.2 GHz Radios
Sixteen Configurable WLANs
Support for 4 BSSIDs per Radio
Quality of Service (QoS) Support
Industry Leading Data Security
VLAN Support
Multiple Management Accessibility Options
Updatable Firmware
Programmable SNMP v1/v2/v3 Trap Support
Power-over-Ethernet Support
MU-MU Transmission Disallow
Voice Prioritization
Support for CAM and PSP MUs
Statistical Displays
Transmit Power Control
Advanced Event Logging Capability
Configuration File Import/Export Functionality
Default Configuration Restoration
DHCP Support
Multi-Function LEDs

1.2.1 Single or Dual Mode Radio Options

One or two possible configurations are available on the AP-5131 depending on which model is purchased. If the AP-5131 is manufactured as a single radio access point, the AP-5131 enables you to configure the single radio for either 802.11a or 802.11b/g.
AP-5131 Introduction
If the AP-5131 is manufactured as a dual-radio access point, the AP-5131 enables you to configure one radio for 802.11a, and the other 802.11b/g.
For detailed information on configuring your AP-5131, see Setting the WLAN’s Radio Configuration
on page 5-45.

1.2.2 Separate LAN and WAN Ports

The AP-5131 has one LAN port and one WAN port, each with their own MAC address. The AP-5131 must manage all data traffic over the LAN connection carefully as either a DHCP client, BOOTP client, DHCP server or using a static IP address. The AP-5131 can only use a Power-over-Ethernet device when connected to the LAN port.
For detailed information on configuring the AP-5131 LAN port, see Configuring the LAN Interface on
page 5-1.
A Wide Area Network (WAN) is a widely dispersed telecommunications network. In a corporate environment, the WAN port might connect to a larger corporate network. For a small business, the WAN port might connect to a DSL or cable modem to access the Internet. Regardless, network address information must be configured for the AP-5131’s intended mode of operation.
1-7
For detailed information on configuring the AP-5131’s WAN port, see Configuring WAN Settings on
page 5-14.
The LAN and WAN port MAC addresses can be located within the LAN and WAN Stats screens.
For detailed information on locating the AP-5131 MAC addresses, see Viewing WAN Statistics on
page 7-2 and Viewing LAN Statistics on page 7-6.

1.2.3 Multiple Mounting Options

The AP-5131 rests on a flat surface, attaches to a wall, mounts under a ceiling or above a ceiling (attic). Choose a mounting option based on the physical environment of the coverage area. Do not mount the AP-5131 in a location that has not been approved in an AP-5131 radio coverage site survey.
For detailed information on the mounting options available for the AP-5131, see Mounting the
AP-5131 on page 2-11.

1.2.4 Antenna Support for 2.4 GHz and 5.2 GHz Radios

The AP-5131 supports several 802.11a and 802.11b/g radio antennas. Select the antenna best suited to the radio transmission requirements of your coverage area.
1-8
AP-5131 Access Point Product Reference Guide
For an overview of the Radio 1 (2.4 GHz) and Radio 2 (5.2 GHz) antennas supported on the AP-5131’s Reverse SMA (RSMA) connectors, see Antenna Specifications on page A-4.

1.2.5 Sixteen Configurable WLANs

A Wireless Local Area Network (WLAN) is a data-communications system that flexibly extends the functionalities of a wired LAN. A WLAN does not require lining up devices for line-of-sight transmission, and are thus, desirable for wireless networking. Roaming users can be handed off from one AP-5131 to another like a cellular phone system. WLANs can therefore be configured around the needs of specific groups of users, even when they are not in physical proximity. Sixteen WLANs are configurable on each AP-5131.
To enable and configure WLANs on an AP-5131 radio, see Enabling Wireless LANs (WLANs) on page
5-22.

1.2.6 Support for 4 BSSIDs per Radio

The AP-5131 supports four BSSIDs per radio. Each BSSID has a corresponding MAC address. The first MAC address corresponds to BSSID #1. The MAC addresses for the other three BSSIDs (BSSIDs #2, #3, #4) are derived by adding 1, 2, 3, respectively, to the radio MAC address.
If the radio MAC address displayed on the Radio Settings screen is 00:A0:F8:72:20:DC, then the BSSIDs for that radio will have the following MAC addresses:
BSSID MAC Address Hexadecimal Addition
BSSID #1 00:A0:F8:72:20:DC Same as Radio MAC address
BSSID #2 00:A0:F8:72:20:DD Radio MAC address +1
BSSID #3 00:A0:F8:72:20:DE Radio MAC address +2
BSSID #4 00:A0:F8:72:20:DF Radio MAC address +3
For detailed information on strategically mapping BSSIDs to WLANs, see Configuring the 802.11a or
802.11b/g Radio on page 5-48.
AP-5131 Introduction

1.2.7 Quality of Service (QoS) Support

The AP-5131 QoS implementation provides applications running on different wireless devices a variety of priority levels to transmit data to and from the AP-5131. Equal data transmission priority is fine for data traffic from applications such as Web browsers, file transfers or email, but is inadequate for multimedia applications.
Voice over Internet Protocol (VoIP), video streaming and interactive gaming are highly sensitive to latency increases and throughput reductions. These forms of higher priority data traffic can significantly benefit from the AP-5131 QoS implementation.The WiFi Multimedia QOS Extensions (WMM) implementation used by the AP-5131 shortens the time between transmitting higher priority data traffic and is thus desirable for multimedia applications. In addition, U-APSD (WMM Power Save) is also supported.
WMM defines four access categories—voice, video, best effort and background—to prioritize traffic for providing enhanced multimedia support.
For detailed information on configuring QoS support for the AP-5131, see Setting the WLAN Quality
of Service (QoS) Policy on page 5-34.

1.2.8 Industry Leading Data Security

1-9
The AP-5131 supports numerous encryption and authentication techniques to protect the data transmitting on the WLAN.
The following authentication techniques are supported on the AP-5131:
Kerberos Authentication
EAP Authentication
The following encryption techniques are supported on the AP-5131:
WEP Encryption
KeyGuard Encryption
Wi-Fi Protected Access (WPA) Using TKIP Encryption
WPA2-CCMP (802.11i) Encryption
In addition, the AP-5131 supports the following additional security features:
Firewall Security
VPN Tunnels
1-10
AP-5131 Access Point Product Reference Guide
Content Filtering
For an overview on the encryption and authentication schemes available on the AP-5131, refer to
Configuring Access Point Security on page 6-1.
1.2.8.1 Kerberos Authentication
Authentication is a means of verifying information that is transmitted from a secure source. If information is authentic, you know who created it and you know that it has not been altered in any way since it was originated. Authentication entails a network administrator employing a software “supplicant” on their computer or wireless device.
Authentication is critical for the security of any wireless LAN device. Traditional authentication methods are not suitable for use in wireless networks where an unauthorized user can monitor network traffic and intercept passwords. The use of strong authentication methods that do not disclose passwords is necessary. Symbol uses the Kerberos authentication service protocol (specified in RFC 1510), to authenticate users/clients in a wireless network environment and to securely distribute the encryption keys used for both encrypting and decrypting.
A basic understanding of RFC 1510 Kerberos Network Authentication Service (V5) is helpful in understanding how Kerberos functions. By default, WLAN devices operate in an open system network where any wireless device can associate with an AP without authorization. Kerberos requires device authentication before access to the wired network is permitted.
For detailed information on Kerbeors configurations, see Configuring Kerberos Authentication on
page 6-9.
1.2.8.2 EAP Authentication
The Extensible Authentication Protocol (EAP) feature provides access points and their associated MU’s an additional measure of security for data transmitted over the wireless network. Using EAP, authentication between devices is achieved through the exchange and verification of certificates.
EAP is a mutual authentication method whereby both the MU and AP are required to prove their identities. Like Kerberos, the user loses device authentication if the server cannot provide proof of device identification
Using EAP, a user requests connection to a WLAN through the AP-5131. The AP-5131 then requests the identity of the user and transmits that identity to an authentication server. The server prompts the AP for proof of identity (supplied to the AP-5131 by the user) and then transmits the user data back to the server to complete the authentication.
AP-5131 Introduction
An MU is not able to access the network if not authenticated. When configured for EAP support, the access point displays the MU as an EAP station.
EAP is only supported on mobile devices running Windows XP, Windows 2000 (using Service Pack #4) and Windows Mobile 2003. Refer to the system administrator for information on configuring a Radius Server for EAP (802.1x) support.
For detailed information on EAP configurations, see Configuring 802.1x EAP Authentication on page
6-11.
1.2.8.3 WEP Encryption
All WLAN devices face possible information theft. Theft occurs when an unauthorized user eavesdrops to obtain information illegally. The absence of a physical connection makes wireless links particularly vulnerable to this form of theft. Most forms of WLAN security rely on encryption to various extents. Encryption entails scrambling and coding information, typically with mathematical formulas called algorithms, before the information is transmitted. An algorithm is a set of instructions or formula for scrambling the data. A key is the specific code used by the algorithm to encrypt or decrypt the data. Decryption is the decoding and unscrambling of received encrypted data.
The same device, host computer or front-end processor, usually performs both encryption and decryption. The data transmit or receive direction determines whether the encryption or decryption function is performed. The device takes plain text, encrypts or scrambles the text typically by mathematically combining the key with the plain text as instructed by the algorithm, then transmits the data over the network. At the receiving end, another device takes the encrypted text and decrypts, or unscrambles, the text revealing the original message. An unauthorized user can know the algorithm, but cannot interpret the encrypted data without the appropriate key. Only the sender and receiver of the transmitted data know the key.
1-11
Wired Equivalent Privacy (WEP) is an encryption security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11b and supported by the AP-5131 AP. WEP encryption is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN. The level of protection provided by WEP encryption is determined by the encryption key length and algorithm. An encryption key is a string of case sensitive characters used to encrypt and decrypt data packets transmitted between a mobile unit (MU) and the AP-5131. An AP-5131 and associated wireless clients must use the same encryption key (typically 1 through 4) to interoperate.
For detailed information on WEP configurations, see Configuring WEP Encryption on page 6-16.
1-12
AP-5131 Access Point Product Reference Guide
1.2.8.4 KeyGuard Encryption
Use KeyGuard to shield the master encryption keys from being discovered through hacking. KeyGuard negotiation takes place between the access point and MU upon association. The access point can use KeyGuard with Symbol MUs. KeyGuard is only supported on Symbol MUs making it a Symbol proprietary security mechanism.
For detailed information on KeyGuard configurations, see Configuring KeyGuard Encryption on page
6-18.
1.2.8.5 Wi-Fi Protected Access (WPA) Using TKIP Encryption
Wi-Fi Protected Access (WPA) is a security standard for systems operating with a Wi-Fi wireless connection. WEP’s lack of user authentication mechanisms is addressed by WPA. Compared to WEP, WPA provides superior data encryption and user authentication.
WPA addresses the weaknesses of WEP by including:
a per-packet key mixing function
a message integrity check
an extended initialization vector with sequencing rules
a re-keying mechanism
WPA uses an encryption method called Temporal Key Integrity Protocol (TKIP). WPA employs 802.1X and Extensible Authentication Protocol (EAP).
For detailed information on WPA using TKIP configurations, see Configuring WPA Using TKIP on page
6-20.
1.2.8.6 WPA2-CCMP (802.11i) Encryption
WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi Protected Access (WPA) and WEP. Counter-mode/CBC-MAC Protocol (CCMP) is the security standard used by the Advanced Encryption Standard (AES). AES serves the same function TKIP does for WPA-TKIP. CCMP computes a Message Integrity Check (MIC) using the proven Cipher Block Message Authentication Code (CBC-MAC) technique. Changing just one bit in a message produces a totally different result.
WPA2-CCMP is based on the concept of a Robust Security Network (RSN), which defines a hierarchy of keys with a limited lifetime (similar to TKIP). Like TKIP, the keys the administrator provides are used to derive other keys. Messages are encrypted using a 128-bit secret key and a 128-bit block of data. the end result is an encryption scheme as secure as any the AP-5131 provides.
AP-5131 Introduction
For detailed information on WPA2-CCMP configurations, see Configuring WPA2-CCMP (802.11i) on
page 6-22.
1.2.8.7 Firewall Security
A firewall keeps personal data in and hackers out. The AP-5131 firewall prevents suspicious Internet traffic from proliferating the AP-5131 managed network. The AP-5131 performs network address translation (NAT) on packets passing to and from the WAN port. This combination provides enhanced security by monitoring communication with the wired network.
For detailed information on configuring the AP-5131 firewall, see Configuring Firewall Settings on
page 6-25.
1.2.8.8 VPN Tunnels
Virtual Private Networks (VPNs) are IP-based networks using encryption and tunneling providing users remote access to a secure LAN. In essence, the trust relationship is extended from one LAN across the public network to another LAN, without sacrificing security. A VPN behaves like a private network; however, because the data travels through the public network, it needs several layers of security. The AP-5131 can function as a robust VPN gateway.
For detailed information on configuring VPN security support, see Configuring VPN Tunnels on page
6-34.
1-13
1.2.8.9 Content Filtering
Content filtering allows system administrators to block specific commands and URL extensions from going out through the AP-5131 WAN port only. Therefore, content filtering affords system administrators selective control on the content proliferating the network and is a powerful screening tool. Content filtering allows the blocking of up to 10 files or URL extensions and allows blocking of specific outbound HTTP, SMTP, and FTP requests.
For detailed information on configuring content filtering support, see Configuring Content Filtering
Settings on page 6-50.

1.2.9 VLAN Support

A Virtual Local Area Network (VLAN) is a means to electronically separate data on the same AP-5131 from a single broadcast domain into separate broadcast domains. By using a VLAN, you can group by logical function instead of physical location. There are 16 VLANs supported on the AP-5131. An administrator can map up to 16 WLANs to 16 VLANs and enable or disable dynamic VLAN
1-14
AP-5131 Access Point Product Reference Guide
assignment. In addition to these 16 VLANs, the AP-5131 supports dynamic, user-based, VLANs when using EAP authentication.
VLANs enable organizations to share network resources in various network segments within large areas (airports, shopping malls, etc.). A VLAN is a group of clients with a common set of requirements independent of their physical location. VLANs have the same attributes as physical LANs, but they enable administrators to group clients even when they are not members of the same network segment.
For detailed information on configuring VLAN support, see Configuring VLAN Support on page 5-4.

1.2.10 Multiple Management Accessibility Options

The AP-5131 can be accessed and configured using one of the following methods:
Java-Based Web UI
Human readable config file (imported via FTP or TFTP)
MIB (Management Information Base)
Command Line Interface (CLI) accessed via RS-232 or Telnet. Use the AP-5131 DB-9 serial port for direct access to the command-line interface from a PC. Use Symbol's Null-Modem cable (Part No. 25-632878-0) for the best fitting connection.

1.2.11 Updatable Firmware

Symbol periodically releases updated versions of the AP-5131 device firmware to the Symbol Web site. If the AP-5131 firmware version displayed on the System Settings page (see Configuring System
Settings on page 4-2) is older than the version on the Web site, Symbol recommends updating the
AP-5131 to the latest firmware version for full feature functionality.
For detailed information on updating the AP-5131 firmware using FTP or TFTP, see Updating Device
Firmware on page 4-41.

1.2.12 Programmable SNMP v1/v2/v3 Trap Support

Simple Network Management Protocol (SNMP) facilitates the exchange of management information between network devices. SNMP uses Management Information Bases (MIBs) to manage the device configuration and monitor Internet devices in remote locations. MIB information accessed via SNMP is defined by a set of managed objects called object identifiers (OIDs). An object identifier (OID) is used to uniquely identify each object variable of a MIB.
AP-5131 Introduction
SNMP allows a network administrator to configure the AP-5131, manage network performance, find and solve network problems, and plan for network growth. The AP-5131 supports SNMP management functions for gathering information from its network components. The AP-5131 CDROM and the (AP­5131 downloads site) contains the following 2 MIB files:
Symbol-CC-WS2000-MIB-2.0 (standard Symbol MIB file)
Symbol-AP-5131-MIB (AP-5131 specific MIB file)
The AP-5131 SNMP agent functions as a command responder and is a multilingual agent responding to SNMPv1, v2c and v3 managers (command generators). The factory default configuration maintains SNMPv1/2c support of the community names, hence providing backward compatibility.
For detailed information on configuring SNMP traps, see Configuring SNMP Settings on page 4-17.

1.2.13 Power-over-Ethernet Support

When users purchase a Symbol WLAN solution, they often need to place access points in obscure locations. In the past, a dedicated power source was required for each access point in addition to the Ethernet infrastructure. This often required an electrical contractor to install power drops at each access point location.
1-15
An approved power injector solution merges power and Ethernet into one cable, reducing the burden of installation and allows optimal AP-5131 placement in respect to the intended radio coverage area. The AP-5131 can only use a Power-over-Ethernet device when connected to the LAN port.
The Symbol Power Injector (Part No. AP-PSBIAS-T-1P-AF) is a single-port, 802.3af compliant Power over Ethernet hub combining low-voltage DC with Ethernet data in a single cable connecting to the AP-5131. The Power Injector’s single DC and Ethernet data cable creates a modified Ethernet cabling environment on the AP-5131’s LAN port eliminating the need for separate Ethernet and power cables.
For detailed information on using the Symbol Power Injector, see Symbol Power Injector System on
page 2-8.

1.2.14 MU-MU Transmission Disallow

The AP-5131’s MU-MU Disallow feature prohibits MUs from communicating with each other even if they are on different WLANs, assuming one of the WLAN’s is configured to disallow MU-MU communication. Therefore, if an MU’s WLAN is configured for MU-MU disallow, it will not be able to communicate with any other MUs connected to this AP-5131.
For detailed information on configuring an AP-5131 WLAN to disallow MU to MU communications, see Creating/Editing Individual WLANs on page 5-24.
1-16
AP-5131 Access Point Product Reference Guide

1.2.15 Voice Prioritization

Each AP-5131 WLAN has the capability of having its QoS policy configured to prioritize the network traffic requirements for associated MUs. A WLAN QoS page is available for each enabled WLAN on either the AP-5131 802.11a or 802.11b/g radio.
Use the QoS page to enable voice prioritization for devices to receive the transmission priority they may not normally receive over other data traffic. Voice prioritization allows the AP-5131 to assign priority to voice traffic over data traffic, and (if necessary) assign legacy voice supported devices (non WMM supported voice devices) additional priority.
For detailed information on configuring voice prioritization over other voice enabled devices, see
Setting the WLAN Quality of Service (QoS) Policy on page 5-34.

1.2.16 Support for CAM and PSP MUs

The AP-5131 supports both CAM and PSP powered MUs. CAM (Continuously Aware Mode) MUs leave their radios on continuously to hear every beacon and message transmitted. These systems operate without any adjustments by the AP-5131.
A beacon is a uniframe system packet broadcast by the AP to keep the network synchronized. A beacon includes the ESSID, AP-5131 MAC address, Broadcast destination addresses, a time stamp, a DTIM (Delivery Traffic Indication Message) and the TIM (Traffic Indication Map).
PSP (Power Save Polling) MUs power off their radios for short periods. When a Symbol MU in PSP mode associates with an AP-5131, it notifies the AP-5131 of its activity status. The AP-5131 responds by buffering packets received for the MU. PSP mode is used to extend an MU’s battery life by enabling the MU to “sleep” during periods of inactivity.

1.2.17 Statistical Displays

The AP-5131 can display robust transmit and receive statistics for the WAN and LAN ports. WLAN stats can be displayed collectively and individually for enabled WLANs. Transmit and receive statistics are available for the AP-5131’s 802.11a and 802.11b/g radios. An advanced radio statistics page is also available to display retry histograms for specific data packet retry information.
Associated MU stats can be displayed collectively and individually for specific MUs. An echo (ping) test is also available to ping specific MUs to assess association strength. Finally, the AP-5131 can detect and display the properties of other APs detected within the AP-5131’s radio coverage area. The type of AP detected can be displayed as well as the properties of individual APs.
AP-5131 Introduction
For detailed information on available AP-5131 statistical displays and the values they represent, see
Monitoring Statistics on page 7-1.

1.2.18 Transmit Power Control

The AP-5131 has a configurable power level for each radio. This enables the network administrator to define the antenna’s transmission power level in respect to the AP-5131’s placement or network requirements as defined in the AP-5131 site survey.
For detailed information on setting the radio transmit power level, see Configuring the 802.11a or
802.11b/g Radio on page 5-48.

1.2.19 Advanced Event Logging Capability

The AP-5131 provides the capability for periodically logging system events. Logging events is useful in assessing the throughput and performance of the AP-5131 or troubleshooting problems on the AP-5131 managed Local Area Network (LAN).
For detailed information on AP-5131 events, see Logging Configuration on page 4-35.

1.2.20 Configuration File Import/Export Functionality

1-17
Configuration settings for an AP-5131 can be downloaded from the current configuration of another AP-5131. This affords the administrator the opportunity to save the current configuration before making significant changes or restoring the default configuration.
For detailed information on importing or exporting configuration files, see Importing/Exporting
Configurations on page 4-37.

1.2.21 Default Configuration Restoration

The AP-5131 has the ability to restore its default configuration or a partial default configuration with the exception of current WAN and SNMP settings. Restoring the default configuration is a good way to create new WLANs if the MUs the AP-5131 supports have been moved to different radio coverage areas.
For detailed information on restoring a default or partial default configuration, see Configuring
System Settings on page 4-2.
1-18
AP-5131 Access Point Product Reference Guide

1.2.22 DHCP Support

The AP-5131 can use Dynamic Host Configuration Protocol (DHCP) to obtain a leased IP address and configuration information from a remote server. DHCP is based on the BOOTP protocol and can coexist or interoperate with BOOTP. Configure the AP-5131 to send out a DHCP request searching for a DHCP/ BOOTP server to acquire HTML, firmware or network configuration files when the AP-5131 boots. Because BOOTP and DHCP interoperate, whichever responds first becomes the server that allocates information.
The AP-5131 can be set to only accept replies from DHCP or BOOTP servers or both (this is the default setting). Disabling DHCP disables BOOTP and DHCP and requires network settings to be set manually. If running both DHCP and BOOTP, do not select BOOTP Only. BOOTP should only be used when the server is running BOOTP exclusively.
The DHCP client automatically sends a DHCP request at an interval specified by the DHCP server to renew the IP address lease as long as the AP-5131 is running (this parameter is programmed at the DHCP server). For example: Windows 2000 servers typically are set for 3 days.

1.2.23 Multi-Function LEDs

The AP-5131 houses seven LED indicators. Four LEDs exist on the top of the AP-5131 and are visible from wall, ceiling and table-top orientations. Three of these four LEDs are single color activity LEDs, and one is a multi-function red and white status LED. Two LEDs exist on the rear of the AP-5131 and are viewable using a single (customer installed) extended light pipe, adjusted as required to suit above the ceiling installations.
For detailed information of the AP-5131 LEDs and their functionality, see LED Indicators on page 2-20.

1.3 Theory of Operations

To understand AP-5131 management and performance alternatives, users need familiarity with
AP-5131 functionality and configuration options. The AP-5131 includes features for different
interface connections and network management.
The AP-5131 uses electromagnetic waves to transmit and receive electric signals without wires. Users communicate with the network by establishing radio links between mobile units (MUs) and access points.
The AP-5131 uses DSSS (direct sequence spread spectrum) to transmit digital data from one device to another. A radio signal begins with a carrier signal that provides the base or center frequency. The
AP-5131 Introduction
digital data signal is encoded onto the carriers using a DSSS chipping algorithm. The AP-5131 radio signal propagates into the air as electromagnetic waves. A receiving antenna (on the MU) in the path of the waves absorbs the waves as electrical signals. The receiving MU interprets (demodulates) the signal by reapplying the direct sequence chipping code. This demodulation results in the original digital data.
The AP-5131 uses its environment (the air and certain objects) as the transmission medium.The
AP-5131 can either transmit in the 2.4 to 2.5-GHz frequency range (802.11b/g radio) or the 5.2 GHz
frequency range (802.11a radio), the actual range is country-dependent. Symbol devices, like other Ethernet devices, have unique, hardware encoded Media Access Control (MAC) or IEEE addresses. MAC addresses determine the device sending or receiving data. A MAC address is a 48-bit number written as six hexadecimal bytes separated by colons. For example: 00:A0:F8:24:9A:C8
Also see the following sections:
Cellular Coverage
MAC Layer Bridging
Content Filtering
DHCP Support
Media Types
Direct-Sequence Spread Spectrum
MU Association Process
Operating Modes
Management Access Options
1-19

1.3.1 Cellular Coverage

An AP-5131 establishes an average communication range with MUs called a Basic Service Set (BSS) or cell. When in a particular cell, the MU associates and communicates with the AP-5131 supporting the radio coverage area of that cell. Adding AP-5131’s to a single LAN establishes more cells to extend the range of the network. Configuring the same ESSID (Extended Service Set Identifier) on all AP-5131s makes them part of the same Wireless LAN.
AP-5131s with the same ESSID defines a coverage area. A valid ESSID is an alphanumeric, case­sensitive identifier up to 32 characters. An MU searches for an AP-5131 with a matching ESSID and synchronizes (associates) to establish communications. This device association allows MUs within the coverage area to move about or roam. As the MU roams from cell to cell, it associates with a
1-20
AP-5131 Access Point Product Reference Guide
different AP-5131. The roam occurs when the MU analyzes the reception quality at a location and determines a different AP-5131 provides better signal strength and lower MU load distribution.
If the MU does not find an AP-5131 with a workable signal, it can perform a scan to find any AP. As MUs switch APs, the AP updates its association statistics.
The user can configure the ESSID to correspond to up to 16 WLANs on each 802.11a or 802.11b/g radio. A Wireless Local Area Network (WLAN) is a data-communications system that flexibly extends the functionalities of a wired LAN. A WLAN does not require lining up devices for line-of-sight transmission, and are thus, desirable. Within the WLAN, roaming users can be handed off from one AP-5131 to another like a cellular phone system. WLANs can therefore be configured around the needs of specific groups of users, even when they are not in physical proximity.

1.3.2 MAC Layer Bridging

The AP-5131 provides MAC layer bridging between its interfaces. The AP-5131 monitors traffic from its interfaces and, based on frame address, forwards the frames to the proper destination. The
AP-5131 tracks source and destination addresses to provide intelligent bridging as MUs roam or
network topologies change. The AP-5131 also handles broadcast and multicast messages and responds to MU association requests.
The AP-5131 listens to all packets on its LAN and WAN interfaces and builds an address database using MAC addresses. An address in the database includes the interface media that the device uses to associate with the AP-5131. The AP-5131 uses the database to forward packets from one interface to another. The bridge forwards packets addressed to unknown systems to the Default Interface (Ethernet).
The AP-5131 internal stack interface handles all messages directed to the AP-5131. Each AP-5131 stores information on destinations and their interfaces to facilitate forwarding. When a user sends an ARP (Address Resolution Protocol) request packet, the AP-5131 forwards it over all enabled interfaces except over the interface the ARP request packet was received.
On receiving the ARP response packet, the AP-5131 database keeps a record of the destination address along with the receiving interface. With this information, the AP-5131 forwards any directed packet to the correct destination. Transmitted ARP request packets echo back to other MUs. The
AP-5131 removes from its database the destination or interface information that is not used for a
specified time. The AP refreshes its database when it transmits or receives data from these destinations and interfaces.
AP-5131 Introduction

1.3.3 Media Types

The AP-5131 radio interface conforms to IEEE 802.11a/b/g specifications. The interface operates at a maximum 54Mbps (802.11a radio) using direct-sequence radio technology. The AP-5131 supports multiple-cell operations with fast roaming between cells. Within a direct-sequence system, each cell can operates independently. Adding cells to the network provides increased coverage area and total system capacity.
The RS-232 serial port provides a Command Line Interface (CLI) connection. The serial link supports a direct serial connection. The AP-5131 is a Data Terminal Equipment (DTE) device with male pin connectors for the RS-232 port. Connecting the AP-5131 to a PC requires a null modem serial cable.

1.3.4 Direct-Sequence Spread Spectrum

Spread spectrum (broadband) uses a narrowband signal to spread the transmission over a segment of the radio frequency band or spectrum. Direct-sequence is a spread spectrum technique where the transmitted signal is spread over a particular frequency range. The Symbol AP-5131 uses Direct- Sequence Spread Spectrum (DSSS) for radio communication.
Direct-sequence systems communicate by continuously transmitting a redundant pattern of bits called a chipping sequence. Each bit of transmitted data is mapped into chips by the AP-5131 and rearranged into a pseudorandom spreading code to form the chipping sequence. The chipping sequence is combined with a transmitted data stream to produce the AP -5131’s output signal.
1-21
MUs receiving a direct-sequence transmission use the spreading code to map the chips within the chipping sequence back into bits to recreate the original data transmitted by the AP-5131. Intercepting and decoding a direct-sequence transmission requires a predefined algorithm to associate the spreading code used by the transmitting AP-5131 to the receiving MU. This algorithm is established by IEEE 802.11b specifications. The bit redundancy within the chipping sequence enables the receiving MU to recreate the original data pattern, even if bits in the chipping sequence are corrupted by interference.
The ratio of chips per bit is called the spreading ratio. A high spreading ratio increases the resistance of the signal to interference. A low spreading ratio increases the bandwidth available to the user. The AP-5131 uses different modulation schemes to encode more bits per chip at higher data rates. The AP-5131 is capable of a maximum 54Mbps data transmission rate (802.11a radio), but the coverage area is less than that of AP-5131 operating at lower data rates since coverage area decreases as bandwidth increases.
1-22
AP-5131 Access Point Product Reference Guide

1.3.5 MU Association Process

An AP-5131 recognizes MUs as they begin the association process with the AP-5131. An AP-5131 keeps a list of the MUs it services. MUs associate with an AP-5131 based on the following conditions:
Signal strength between the AP-5131and MU
Number of MUs currently associated with the AP-5131
MUs encryption and authentication capabilities
MUs supported data rate
MUs perform pre-emptive roaming by intermittently scanning for AP-5131’s and associating with the best available AP-5131. Before roaming and associating, MUs perform full or partial scans to collect AP-5131 statistics and determine the direct-sequence channel used by the AP-5131.
Scanning is a periodic process where the MU sends out probe messages on all channels defined by the country code. The statistics enable an MU to reassociate by synchronizing its channel to the
AP-5131. The MU continues communicating with that AP-5131 until it needs to switch cells or roam.
MUs perform partial scans at programmed intervals, when missing expected beacons or after excessive transmission retries. In a partial scan, the MU scans AP-5131’s classified as proximate on the AP-5131 table. For each channel, the MU tests for Clear Channel Assessment (CCA). The MU broadcasts a probe with the ESSID and broadcast BSS_ID when the channel is transmission-free. It sends an ACK to a directed probe response from the AP-5131 and updates the table.
An MU can roam within a coverage area by switching AP-5131s. Roaming occurs when:
Unassociated MU attempts to associate or reassociate with an available AP-5131
Supported rate changes or the MU finds a better transmit rate with another AP-5131
RSSI (received signal strength indicator) of a potential AP-5131 exceeds the current
AP-5131
Ratio of good-transmitted packets to attempted-transmitted packets falls below a threshold.
An MU selects the best available AP-5131 and adjusts itself to the AP-5131 direct-sequence channel to begin association. Once associated, the AP-5131 begins forwarding frames addressed to the target MU. Each frame contains fields for the current direct-sequence channel. The MU uses these fields to resynchronize to the AP-5131.
The scanning and association process continues for active MUs. This process allows the MUs to find new AP-5131’s and discard out-of-range or deactivated AP-5131’s. By testing the airwaves, the MUs can choose the best network connection available.
AP-5131 Introduction

1.3.6 Operating Modes

The AP-5131 can operate in a couple of configurations.
Access Point - As an Access Point, the AP-5131 functions as a layer 2 bridge (similar to
Symbol’s existing AP-4131 access point). The wired uplink can operate as a trunk and support multiple VLANs. Up to 16 WLANs can be defined and mapped to AP-5131 WLANs. Each WLAN can be configured to be broadcast by one or both AP-5131 radios (unlike the
AP-4131). The AP-5131 can operate in both an Access Point mode and Wireless Gateway/
Router mode simultaneously. The network architecture and AP-5131 configuration define how the Access Point and Wireless Gateway/Router mode are negotiated.
Wireless Gateway/Router - If operating as a Wireless Gateway/Router, the AP-5131
functions as a router between two layer 2 networks: the WAN uplink (the ethernet port) and the Wireless side. The following options are available providing a solution for single-cell deployment:
PPPoE - The WAN interface can terminate a PPPoE connection, thus enabling the
AP-5131 to operate in conjunction with a DSL or Cable modem to provide WAN
connectivity.
NAT - (Network Address Translation) on the Wireless interface. Using NAT, the AP-5131
router is able to manage a private IP scheme. NAT allows translation of private addresses to the WAN IP address.
DHCP - On the Wireless side, the AP-5131 can assign private IP addresses.
Firewall - In between the WAN and Wireless interfaces, a Firewall protects against a
number of known attacks.
1-23

1.3.7 Management Access Options

Managing the AP-5131 includes viewing network statistics and setting configuration options. Statistics track the network activity of associated MUs and data transfers on the AP interfaces.
The AP-5131 requires one of the following connection methods to perform a custom installation and manage the network:
Secure Java-Based WEB UI - (use Sun Microsystems’ JRE 1.5 or higher available from Sun’s
Web site and be sure to disable Microsoft’s Java Virtual Machine if installed)
Command Line Interface (CLI) via Serial, Telnet and SSH
Config file - Human-readable; Importable/Exportable via FTP and TFTP
1-24
AP-5131 Access Point Product Reference Guide
MIB (Management Information Base) accessing the AP-5131 SNMP function using a MIB Browser. The AP-5131 CDROM contains the following 2 MIB files:
• Symbol-CC-WS2000-MIB-2.0 (standard Symbol MIB file)
• Symbol-AP-5131-MIB (AP-5131 specific MIB file)
Make configuration changes to AP-5131’s individually. Optionally, use the AP-5131 import/export configuration function to download AP-5131’s settings to other AP-5131s.
For detailed information, see Importing/Exporting Configurations on page 4-37.

Hardware Installation

An AP-5131 installation includes mounting the AP-5131 on a table-top, wall, ceiling T-bar or above the ceiling (attic or plenum), connecting the AP-5131 to the network (LAN or WAN port connection), connecting antennae and applying power. Installation procedures vary for different environments.
See the following sections for more details:
Precautions
Package Contents
Requirements
Placement of the AP-5131
Power Options
Symbol Power Injector System
Mounting the AP-5131
LED Indicators
Setting Up MUs
2-2
AP-5131 Access Point Product Reference Guide
CAUTION Symbol recommends conducting a radio site survey prior to installing
!
the AP-5131. A site survey is an excellent method of documenting areas of radio interference and providing a tool for AP-5131 placement.

2.1 Precautions

Before installing the AP-5131 verify the following:
Do not install in wet or dusty areas without additional protection. Contact a Symbol representative for more information.
Verify the environment has a continuous temperature range between -20° C to 50° C.

2.2 Package Contents

Check package contents for the correct model AP-5131 and applicable AP-5131 accessories. Each available configuration (at a minimum), contains the following:
AP-5131 (two models available)
• Single 802.11a/g radio, external antenna (Part No. AP-5131-4002X-WW)
• Dual 802.11a+g radios, external antenna (Part No. AP-5131-1304X-WW)
Software and Documentation CD-ROM
AP-5131 Install Guide (Part No. 72-70931-01)
Accessories Bag (4 rubber feet for desk mounting and a LED light pipe, badge and label for above the ceiling installations).

2.2.1 Available Product Configurations

An AP-5131 can be ordered in the following access point and accessory combinations:
Symbol Part # Description
AP-5131-13040-WW AP-5131 802.11a+g Dual Radio Access Point
AP-5131 Install Guide Software and Documentation CD-ROM Accessories Bag
Symbol Part # Description
AP-5131-13041-WWR AP-5131 802.11a+g Dual Radio Access Point
AP-5131 Install Guide Power Injector (Part No. AP-PSBIAS-1P2-AFR) Software and Documentation CD-ROM Accessories Bag
AP-5131-13042-WW AP-5131 802.11a+g Dual Radio Access Point
AP-5131 Install Guide Software and Documentation CD-ROM (4) Dual-Band Antennae (Part No. ML-2452-APA2-01) Accessories Bag
AP-5131-13043-WWR AP-5131 802.11a+g Dual Radio Access Point
AP-5131 Install Guide Software and Documentation CD-ROM Power Injector (Part No. AP-PSBIAS-1P2-AFR) (4) Dual-Band Antennae (Part No. ML-2452-APA2-01) Accessories Bag
AP-5131-40020-WW AP-5131 802.11a/g Single Radio Access Point
AP-5131 Install Guide Software and Documentation CD-ROM Accessories Bag
AP-5131-40021-WWR AP-5131 802.11a/g Single Radio Access Point
AP-5131 Install Guide Software and Documentation CD-ROM Power Injector (Part No. AP-PSBIAS-1P2-AFR) Accessories Bag
Hardware Installation
2-3
AP-5131-40022-WW AP-5131 802.11a/g Single Radio Access Point
AP-5131 Install Guide Software and Documentation CD-ROM (2) Dual-Band Antennae (Part No. ML-2452-APA2-01) Accessories Bag
AP-5131-40023-WWR AP-5131 802.11a/g Single Radio Access Point
AP-5131 Install Guide Software and Documentation CD-ROM Power Injector (Part No. AP-PSBIAS-1P2-AFR) (2) Dual-Band Antennae (Part No. ML-2452-APA2-01) Accessories Bag
Verify the model indicated on the bottom of the AP-5131 is correct. Contact the Symbol Support Center to report missing or improperly functioning items.
2-4
AP-5131 Access Point Product Reference Guide
The Symbol power injector (Part No. AP-PSBIAS-1P2-AFR) is included in certain orderable configurations, but can be added to any configuration. For more information on the Symbol power injector, see Symbol Power Injector System on page 2-8.
NOTE A standard Symbol 48 Volt Power Adapter (Part No. 50-24000-050) is
recommended with AP-5131 product SKUs that do not include the Symbol power injector.
For an overview on the optional antennae available for the AP-5131, see Antenna Options on page 2-
5. For detailed specifications on the 2.4 GHz and 5.2 GHz antenna suite, see 2.4 GHz Antenna Matrix on page A-4 and 5.2 GHz Antenna Matrix on page A-4.
CAUTION Using an antenna other than the Dual-Band Antenna (Part No.
!
ML-2452-APA2-01) could render the AP-5131’s Rogue AP Detector Mode feature inoperable. Contact your Symbol sales associate for specific information.

2.3 Requirements

The minimum installation requirements for a single-cell, peer-to-peer network:
AP-5131 (either the dual or single radio model)
AP-5131 48 Volt Power Supply (Part No. 50-24000-050) or Symbol power injector (Part No. AP-PSBIAS-1P2-AFR)
a power outlet
Dual-Band Antennae (Part No. ML-2452-APA2-01)
NOTE The AP-5131 optimally uses 2 antennae for the single-radio model and 4
antennae for the dual-radio model.
.

2.4 Placement of the AP-5131

For optimal performance, install the AP-5131 away from transformers, heavy-duty motors, fluorescent lights, microwave ovens, refrigerators and other industrial equipment. Signal loss can occur when
Hardware Installation
metal, concrete, walls or floors block transmission. Install the AP-5131 in open areas or add access points as needed to improve coverage.
Antenna coverage is analogous to lighting. Users might find an area lit from far away to be not bright enough. An area lit sharply might minimize coverage and create dark areas. Uniform antenna placement in an area (like even placement of a light bulb) provides even, efficient coverage.
Place the AP-5131 using the following guidelines:
Install the AP-5131 at an ideal height of 10 feet from the ground.
Orient the AP-5131 antennae vertically for best reception.
Point the AP-5131 antenna(s) downward if attaching to the ceiling.
Symbol recommends conducting a site survey to define and document radio interference obstacles before installing the AP-5131 to maximize its radio coverage area.

2.4.1 Site Surveys

A site survey analyzes the installation environment and provides users with recommendations for equipment and placement. The optimum placement of 802.11a access points differs from 802.11b/g access points, because the locations and number of access points required are different to support the radio coverage area.
2-5
Symbol recommends conducting a new site survey and developing a new coverage area floor plan when switching from 2 or 11Mbps access points (AP-3021 or AP-4131 models) to 54Mbps access points (AP-5131 models), as the device placement requirements are significantly different.

2.4.2 Antenna Options

Both Radio 1 and Radio 2 require one antenna and can optimally use two antennae per radio (4 antennae total for dual-radio models). Two antennae per radio provides diversity that can improve performance and signal reception. Symbol supports two antenna suites for the AP-5131. One antenna
2-6
AP-5131 Access Point Product Reference Guide
suite supporting the 2.4 GHz band and another antenna suite supporting the 5.2 GHz band. Select an antenna model best suited to the intended operational environment of your AP-5131.
NOTE On a single-radio AP-5131, Radio 1 can be configured to be either a 2.4
GHz or 5.2 GHz radio. On a dual-radio model, Radio 1 refers to the AP­5131’s 2.4 GHz radio and Radio 2 refers to the AP-5131 5.2 GHz radio. However, there could be some cases where a dual-radio AP-5131 is performing a Rogue AP detector function. In this scenario, the AP-5131 is receiving in either 2.4 GHz or 5.2 GHz over the Radio 1 or Radio 2 antennae depending on which radio is selected for the scan.
Antenna connectors for Radio 1 are located in a different location from the Radio 2 antenna connectors. On single radio versions, the R-SMA connectors can support both bands and should be connected to a R-SMA dual-band antenna or an appropriate single band antenna. If necessary a R­SMA to R-BNC adapter (Part No. 25-72178-01) can be purchased separately from Symbol.
The 2.4 GHz antenna suite includes the following models:
Symbol Part Number Antenna Type Nominal Net Gain (dBi)
ML-2499-11PNA2-01R Wide Angle Directional 8.5
ML-2499-HPA3-01R Omni-Directional Antenna 3.3
ML-2499-BYGA2-01R Yagi Antenna 13.9
ML-2452-APA2-01 Dual-Band 3.0
NOTE An additional adapter is required to use ML-2499-11PNA2-01 and
ML-2499-BYGA2-01 model antennae. Please contact Symbol for more information.
The 5.2 GHz antenna suite includes the following models:
Symbol Part Number Antenna Type Nominal Net Gain (dBi)
ML-5299-WPNA1-01R Panel Antenna 13.0
ML-5299-HPA1-01R Wide-Band Omni-Directional
Antenna
ML-2452-APA2-0 Dual-Band 4.0
5.0
Hardware Installation
2-7
For detailed specifications on the 2.4 GHz and 5.2 GHz antennae mentioned in this section, see section 2.4 GHz Antenna Matrix on page A-4 and section 5.2 GHz Antenna Matrix on page A-4.
2-8
AP-5131 Access Point Product Reference Guide

2.5 Power Options

The power options for the AP-5131 include:
Symbol Power Injector (Part No. AP-PSBIAS-1P2-AFR)
Symbol 48-Volt Power Supply (Part No. 50-24000-050)
Any standard 802.3af compliant device.

2.6 Symbol Power Injector System

The AP-5131 can receive power either directly form a Symbol 48V AC-DC power supply (Part No. 50-24000-050) or via an Ethernet cable connected to the LAN port (using the 802.3af standard).
When users purchase a Symbol WLAN solution, they often need to place access points in obscure locations. In the past, a dedicated power source was required for each access point in addition to the Ethernet infrastructure. This often required an electrical contractor to install power drops at each access point location. An approved power injector solution merges power and Ethernet into one cable, reducing the burden of installation and allows optimal AP-5131 placement in respect to the intended radio coverage area.
The Symbol Power Injector is included in certain AP-5131 kits. The Symbol Power Injector (Part No. AP-PSBIAS-1P2-AFR) is an integrated AC-DC converter and 802.3af power injector which requires 110-220V AC power to combine low-voltage DC with Ethernet data in a single cable connecting to the AP-5131. The AP-5131 can only use a Power Injector when connected to the LAN port.
The Symbol AP-5131 Power Supply (Part No. 50-24000-050) is not included in the kit and is orderable separately as an accessory.
CAUTION The AP-5131 supports any standards-based 802.3af compliant power
!
A separate power injector is required for each AP-5131 comprising the network.
source (including non-Symbol power sources). However, using the wrong solution (including a POE system used on a legacy Symbol access point) could severely damage the AP-5131 and void the product warranty.
Hardware Installation

2.6.1 Installing the Power Injector

Refer to the following sections for information on planning, installing, and validating the power injector installation:
Preparing for Site Installation
Cabling the Power Injector
Power Injector LED Indicators
2.6.1.1 Preparing for Site Installation
The power injector can be installed free standing, on an even horizontal surface or wall mounted using the power injector’s wall mounting key holes. The following guidelines should be adhered to before cabling the power injector to an Ethernet source and an AP-5131:
Do not block or cover airflow to the power injector.
Keep the power injector away from excessive heat, humidity, vibration and dust.
The power injector is not a repeater, and does not amplify the Ethernet data signal. For
optimal performance, ensure the power injector is placed as close as possible to the network data port.
2-9
2.6.1.2 Cabling the Power Injector
To install the power injector to an Ethernet data source and AP-5131:
CAUTION Ensure AC power is supplied to the power injector using an AC cable
!
1. Connect the power injector to an AC outlet (110VAC to 220VAC).
2. Connect an RJ-45 Ethernet cable between the network data supply (host) and the power
injector Data In connector.
3. Connect an RJ-45 Ethernet cable between the power injector Data & Power Out connector
and the Symbol AP-5131 LAN port.
CAUTION Cabling the power injector to the AP-5131’s WAN port renders the
!
with an appropriate ground connection approved for the country of operation.
AP-5131 non-operational. Only use a AP-PSBIAS-1P2-AFR model power injector with the AP-5131’s LAN port.
2-10
AP-5131 Access Point Product Reference Guide
Ensure the cable length from the Ethernet source (host) to the power injector and AP-5131 does not exceed 100 meters (333 ft.)
The power injector has no On/Off power switch. The power injector receives power and is ready for AP-5131 device connection and operation as soon as AC power is applied.
2.6.1.3 Power Injector LED Indicators
The power injector demonstrates the following LED behavior under normal and/or problematic operating conditions:
LED AC (Main) Port
Green (Steady) Power injector is receiving power from AC
outlet.
Green (Blinking) Output voltage source is out of range. The power injector is overloaded or has a
For more information and device specifications for the Symbol power injector, refer to the Power Injector Quick Install Guide (Part No. 72-70762-01) available from the Symbol Web site or the AP-5131 Software and documentation CDROM.
Indicates a device is connected to the power injector’s outgoing Data & Power cable.
short circuit.
Hardware Installation

2.7 Mounting the AP-5131

The AP-5131 can rest on a flat surface, attach to a wall, mount under a suspended T-Bar or above a ceiling (plenum or attic). Choose one of the following mounting options based on the physical environment of the coverage area. Do not mount the AP-5131 in a location that has not been approved in a site survey.
Refer to the following, depending on how you intend to mount the AP-5131:
Desk Mounted Installations
Wall Mounted Installations
Suspended Ceiling T-Bar Installations
Above the Ceiling (Plenum) Installations

2.7.1 Desk Mounted Installations

The desk mount option uses rubber feet allowing the unit to sit on most flat surfaces. The four (4) round rubber feet can be found in the AP-5131 (main) box in a separate plastic bag.
To install the AP-5131 in a desk mount orientation:
2-11
1. Turn the AP-5131 upside down.
2. Attach the radio antennae to their correct connectors.
The antenna protection plate cannot be used in a desk mount configuration, as the plate only allows antennas to be positioned in a downward orientation.
CAUTION Both the Dual and Single Radio model AP-5131’s use RSMA type
!
3. Remove the backings from the four (4) rubber feet and attach them to the four rubber feet
recess areas on the AP-5131.
antenna connectors. On the Dual Radio AP-5131, a single dot on the antenna connector indicates the primary antenna for both Radio 1 (2.4 GHz) and Radio 2 (5.2 GHz). Two dots designate the secondary antenna for both Radio 1 and Radio 2. On Single Radio models, a single dot on the antenna connector indicates the primary antenna for Radio 1, and two dots designate the secondary antenna for Radio 1.
2-12
AP-5131 Access Point Product Reference Guide
4. Cable the AP-5131 using either the Symbol power injector solution or an approved line cord and power supply.
CAUTION Do not supply power to the AP-5131 until the cabling of the unit is
!
For Symbol power injector installations:
complete.
a. Connect a RJ-45 Ethernet cable between the network data supply (host) and the power
injector Data In connector.
b. Connect a RJ-45 Ethernet cable between the power injector Data & Power Out
connector and the Symbol AP-5131 LAN port.
c. Ensure the cable length from the Ethernet source (host) to the power injector and
AP-5131 does not exceed 100 meters (333 ft). The power injector has no On/Off power switch. The power injector receives power as soon as AC power is applied. For more information on using the power injector, see Symbol Power Injector System on page 2-8.
For standard Symbol 48-Volt power adapter (Part No. 50-24000-050) and line cord installations:
a. Connect RJ-45 Ethernet cable between the network data supply (host) and the AP-5131
LAN port. b. Verify the power adapter is correctly rated according the country of operation. c. Connect the power supply line cord to the power adapter. d. Attach the power adapter cable into the power connector on the AP-5131. e. Plug the power adapter into an outlet.
Hardware Installation
5. Verify the behavior of the AP-5131 LEDs. For more information, see LED Indicators on page
2-20.
6. Return the AP-5131 to an upright position and place it in the location you wish it to operate.
Ensure the AP-5131 is sitting evenly on all four rubber feet.
The AP-5131 is ready to configure. For information on an AP-5131 default configuration, see
Getting Started on page 3-1. For specific details on AP-5131 system configurations, see System Configuration on page 4-1.

2.7.2 Wall Mounted Installations

Wall mounting requires hanging the AP-5131 along its width (or length) using the pair of slots on the bottom of the unit and using the AP-5131 itself as a mounting template for the screws. The AP-5131 can be mounted onto any plaster or wood wall surface.
The mounting hardware and tools (customer provided) required to install the AP-5131 on a wall consists of:
Two Phillips pan head self-tapping screws (ANSI Standard) #6-18 X 0.875in. Type A or AB
Self-Tapping screw, or (ANSI Standard Metric) M3.5 X 0.6 X 20mm Type D Self-Tapping screw
Two wall anchors
Security cable (optional)
2-13
To mount the AP-5131 on a wall:
1. Orient the AP-5131 on the wall by its width or length.
2. Using the arrows on one edge of the case as guides, move the edge to the midline of the
mounting area and mark points on the midline for the screws.
3. At each point, drill a hole in the wall, insert an anchor, screw into the anchor the wall
mounting screw and stop when there is 1mm between the screw head and the wall.
If pre-drilling a hole, the recommended hole size is 2.8mm (0.11in.) if the screws are going directly into the wall and 6mm (0.23in.) if wall anchors are being used.
4. If required, install and attach a security cable to the AP-5131 lock port.
5. Place the large corner of each of the mount slots over the screw heads.
6. Slide the AP-5131 down along the mounting surface to hang the mount slots on the screw
heads.
7. Attach the radio antennae to their correct connectors.
2-14
AP-5131 Access Point Product Reference Guide
CAUTION Both the Dual and Single Radio model AP-5131s use RSMA type
!
8. Cable the AP-5131 using either the Symbol power injector solution or an approved line cord and power supply.
NOTE The AP-5131 must be mounted with the RJ45 cable connector oriented
upwards to ensure proper operation.
CAUTION Do not supply power to the AP-5131 until the cabling of the unit is
!
antenna connectors. On the Dual Radio AP-5131, a single dot on the antenna connector indicates the primary antenna for both Radio 1 (2.4 GHz) and Radio 2 (5.2 GHz). Two dots designate the secondary antenna for both Radio 1 and Radio 2. On Single Radio models, a single dot on the antenna connector indicates the primary antenna for Radio 1, and two dots designate the secondary antenna for Radio 1.
complete.
For Symbol power injector installations:
a. Connect a RJ-45 Ethernet cable between the network data supply (host) and the Power
Injector Data In connector.
b. Connect a RJ-45 Ethernet cable between the power injector Data & Power Out
connector and the AP-5131 LAN port.
c. Ensure the cable length from the Ethernet source (host) to the power injector and
AP-5131 does not exceed 100 meters (333 ft). The power injector has no On/Off power switch. The power injector receives power as soon as AC power is applied. For more information on using the power injector, see Symbol Power Injector System on page 2-8.
For standard Symbol 48-Volt Power Adapter (Part No. 50-24000-050) and line cord installations:
a. Connect RJ-45 Ethernet cable between the network data supply (host) and the AP-5131
LAN port. b. Verify the power adapter is correctly rated according the country of operation. c. Connect the power supply line cord to the power adapter. d. Attach the power adapter cable into the power connector on the AP-5131.
Hardware Installation
e. Plug the power adapter into an outlet.
NOTE If the AP-5131 is utilizing remote management antennae, a wire cover
can be used to provide a clean finished look to the installation. Contact Symbol for more information.
9. Verify the behavior of the AP-5131 LEDs. For more information, see LED Indicators on page
2-20.
The AP-5131 is ready to configure. For information on an AP-5131 default configuration, see
Getting Started on page 3-1. For specific details on AP-5131 system configurations, see System Configuration on page 4-1.

2.7.3 Suspended Ceiling T-Bar Installations

A suspended ceiling mount requires holding the AP-5131 up against the T-bar of a suspended ceiling grid and twisting the AP-5131 chassis onto the T-bar.
The mounting hardware and tools (customer provided) required to install the AP-5131 on a ceiling T­bar consists of:
Safety wire (recommended)
Security cable (optional)
2-15
To install the AP-5131 on a ceiling T-bar:
1. If required, loop a safety wire —with a diameter of at least 1.01 mm (.04 in.), but no more
than 0.158 mm (.0625 in.) —through the tie post (above the AP-5131’s console connector) and secure the loop.
2. If required, install and attach a security cable to the AP-5131 lock port.
3. Attach the radio antennae to their correct connectors.
CAUTION Both the Dual and Single Radio model AP-5131s use RSMA type
!
antenna connectors. On the Dual Radio AP-5131, a single dot on the antenna connector indicates the primary antenna for both Radio 1 (2.4 GHz) and Radio 2 (5.2 GHz). Two dots designate the secondary antenna for both Radio 1 and Radio 2. On Single Radio models, a single dot on the antenna connector indicates the primary antenna for Radio 1, and two dots designate the secondary antenna for Radio 1
2-16
AP-5131 Access Point Product Reference Guide
4. Cable the AP-5131 using either the Symbol power injector solution or an approved line cord and power supply.
CAUTION Do not supply power to the AP-5131 until the cabling of the unit is
!
For Symbol power injector installations:
a. Connect a RJ-45 Ethernet cable between the network data supply (host) and the Power
Injector Data In connector.
b. Connect a RJ-45 Ethernet cable between the power injector Data & Power Out
connector and the AP-5131 LAN port.
c. Ensure the cable length from the Ethernet source (host) to the power injector and
AP-5131 does not exceed 100 meters (333 ft). The power injector has no On/Off power switch. The power injector receives power as soon as AC power is applied. For more information on using the power injector, see Symbol Power Injector System on page 2-8.
For standard Symbol 48-Volt Power Adapter (Part No. 50-24000-050) and line cord installations:
complete.
a. Connect RJ-45 Ethernet cable between the network data supply (host) and the AP-5131
LAN port. b. Verify the power adapter is correctly rated according the country of operation. c. Connect the power supply line cord to the power adapter. d. Attach the power adapter cable into the power connector on the AP-5131. e. Plug the power adapter into an outlet.
5. Verify the behavior of the AP-5131 LEDs. For more information, see LED Indicators on page
2-20.
6. Align the bottom of the ceiling T-bar with the back of the AP-5131.
7. Orient the AP-5131 chassis by its length and the length of the ceiling T-bar.
8. Rotate the AP-5131 chassis 45 degrees clockwise, or about 10 o’clock.
9. Push the back of the AP-5131 chassis on to the bottom of the ceiling T-bar.
CAUTION Ensure the safety wire and cabling used in the T-Bar AP-5131
!
installation is securely fastened to the building structure in order to provide a safe operating environment.
Hardware Installation
10. Rotate the AP-5131 chassis 45 degrees counter-clockwise. The clips click as they fasten to
the T-bar.
2-17
11. The AP-5131 is ready to configure. For information on an AP-5131 default configuration, see
Getting Started on page 3-1. For specific details on AP-5131 system configurations, see System Configuration on page 4-1.
NOTE If the AP-5131 is utilizing remote management antennae, a wire cover
can be used to provide a clean finished look to the installation. Contact Symbol for more information.

2.7.4 Above the Ceiling (Plenum) Installations

An AP-5131 above the ceiling installation requires placing the AP-5131 above a suspended ceiling and installing the provided light pipe under the ceiling tile for viewing the rear panel status LEDs of the unit. An above the ceiling AP-5131 installation enables installations compliant with drop ceilings, suspended ceilings and industry standard tiles from .625 to .75 inches thick.
NOTE The AP-5131 is Plenum rated to UL2043 and NEC1999 to support above
the ceiling installations.
2-18
AP-5131 Access Point Product Reference Guide
CAUTION Symbol does not recommend mounting the AP-5131 directly to any
!
The mounting hardware required to install the AP-5131 above a ceiling consists of:
Light pipe
Badge for light pipe
Decal for badge
Safety wire (strongly recommended)
Security cable (optional)
To install the AP-5131 above a ceiling:
1. If possible, remove the adjacent ceiling tile from its frame and place it aside.
2. Install a safety wire, between 1.5mm (.06in.) and 2.5mm (.10in.) in diameter, in the ceiling space.
3. If required, install and attach a security cable to the AP-5131’s lock port.
4. Mark a point on the finished side of the tile where the light pipe is to be located.
5. Create a light pipe path hole in the target position on the ceiling tile.
6. Use a drill to make a hole in the tile the approximate size of the AP-5131 LED light pipe.
suspended ceiling tile with a thickness less than 12.7mm (0.5in.) or a suspended ceiling tile with an unsupported span greater than 660mm (26in.). Symbol strongly recommends fitting the AP-5131 with a safety wire suitable for supporting the weight of the device. The safety wire should be a standard ceiling suspension cable or equivalent steel wire between 1.59mm (.062in.) and 2.5mm (.10in.) in diameter.
CAUTION Symbol recommends care be taken not to damage the finished surface
!
7. Remove the light pipe’s rubber stopper before installing the light pipe.
8. Connect the light pipe to the bottom of the AP-5131. Align the tabs and rotate approximately 90 degrees. Do not over tighten
of the ceiling tile when creating the light pipe hole and installing the light pipe.
Hardware Installation
Light Pipe
Ceiling Tile
Decal
Badge
9. Snap the clips of the light pipe into the bottom of the AP-5131.
10. Fit the light pipe into hole in the tile from its unfinished side.
11. Place the decal on the back of the badge and slide the badge onto the light pipe from the
finished side of the tile.
12. Attach the radio antennae to their correct connectors.
2-19
CAUTION Both the Dual and Single Radio model AP-5131s use RSMA type
!
13. Attach safety wire (if used) to the AP-5131 safety wire tie point or security cable (if used) to
the AP-5131’s lock port.
14. Align the ceiling tile into its former ceiling space.
15. Cable the AP-5131 using either the Symbol power injector solution or an approved line cord
and power supply.
CAUTION Do not supply power to the AP-5131 until the cabling of the unit is
!
antenna connectors. On the Dual Radio AP-5131, a single dot on the antenna connector indicates the primary antenna for both Radio 1 (2.4 GHz) and Radio 2 (5.2 GHz). Two dots designate the secondary antenna for both Radio 1 and Radio 2. On Single Radio models, a single dot on the antenna connector indicates the primary antenna for Radio 1, and two dots designate the secondary antenna for Radio 1.
complete.
2-20
AP-5131 Access Point Product Reference Guide
For Symbol power injector installations:
a. Connect a RJ-45 Ethernet cable between the network data supply (host) and the Power
Injector Data In connector.
b. Connect a RJ-45 Ethernet cable between the power injector Data & Power Out
connector and the AP-5131 LAN port.
c. Ensure the cable length from the Ethernet source (host) to the power injector and
AP-5131 does not exceed 100 meters (333 ft). The power injector has no On/Off power switch. The power injector receives power as soon as AC power is applied. For more information on using the power injector, see Symbol Power Injector System on page 2-8.
For standard Symbol 48-Volt Power Adapter (Part No. 50-24000-050) and line cord installations:
a. Connect RJ-45 Ethernet cable between the network data supply (host) and the AP-5131
LAN port. b. Verify the power adapter is correctly rated according the country of operation. c. Connect the power supply line cord to the power adapter. d. Attach the power adapter cable into the power connector on the AP-5131. e. Plug the power adapter into an outlet.
16. Verify the behavior of the AP-5131 LED lightpipe. For more information, see LED Indicators
on page 2-20.
17. Place the ceiling tile back in its frame and verify it is secure.
The AP-5131 is ready to configure. For information on an AP-5131 default configuration, see
Getting Started on page 3-1. For specific details on AP-5131 system configurations, see System Configuration on page 4-1.

2.8 LED Indicators

The AP-5131 utilizes seven LED indicators. Five LEDs display within four LED slots on the front of the AP-5131 (on top of the AP-5131 housing) and two LEDs (for above the ceiling installations) are located on the back of the device (the side containing the LAN, WAN and antenna connectors).
Hardware Installation
D)
Power and Error Conditions (Split LE
Data Over Ethernet
802.11a Radio Activity
802.11b/g Radio Activity
The five LEDs on the top housing of the AP-5131 are clearly visible in table-top, wall and below ceiling installations. The five AP-5131 top housing LEDs have the following display and functionality:
2-21
Power Status
Solid white indicates the AP-5131 is adequately powered.
Solid red indicates the AP-5131 is experiencing a problem condition requiring
Error Conditions
Ethernet Activity
immediate attention.
Flashing white indicates data transfers and Ethernet activity.
Flickering amber indicates beacons and data transfers over the AP-5131
802.11a Radio Activity
802.11b/g Radio Activity
802.11a radio.
Flickering green indicates beacons and data transfers over the AP-5131
802.11b/g radio.
The LEDs on the rear of the AP-5131 are viewed using a single (customer installed) extended lightpipe, adjusted as required to suit above the ceiling installations. The LEDs displayed using the lightpipe have the following color display and functionality:
2-22
AP-5131 Access Point Product Reference Guide
Boot and Power Status
Error Conditions
Power and Error Conditions
Solid white indicates the AP-5131 is adequately powered.
Solid red indicates the AP-5131 is experiencing a problem condition requiring immediate attention.
Blinking red indicates the AP-5131 Rogue AP Detection feature has located a rogue device

2.9 Setting Up MUs

For a discussion of how to initially test the AP-5131 to ensure it can interoperate with the MUs intended for its operational environment, see Basic Device Configuration on page 3-5 and specifically
Testing Connectivity on page 3-13.
Refer to the LA-5030 & LA-5033 Wireless Networker PC Card and PCI Adapter Users Guide, available from the Symbol Web site, for installing drivers and client software if operating in an 802.11a/g network environment.
Refer to the Spectrum24 LA-4121 PC Card, LA-4123 PCI Adapter & LA-4137 Wireless Networker User Guide, available from the Symbol Web site, for installing drivers and client software if operating in an 802.11b network environment.
Use the default values for the ESSID and other configuration parameters until the network connection is verified. MUs attach to the network and interact with the AP transparently.

Getting Started

The AP-5131 should be installed in an area tested for radio coverage using one of the site survey tools available to the Symbol field service technician. Once an installation site has been identified, the installer should carefully follow the hardware precautions, requirements, mounting guidelines and power options outlined in Appendix 2, Hardware Installation on page 2-1.
See the following sections for more details:
Installing the AP-5131
Configuration Options
Basic Device Configuration

3.1 Installing the AP-5131

Make the required cable and power connections before mounting the AP-5131 in its final operating position. Test the AP-5131 with an associated MU before mounting and securing the AP-5131. Carefully follow the mounting instructions in one of the following sections to ensure the AP-5131 is installed correctly:
3-2
AP-5131 Access Point Product Reference Guide
For instructions on installing the AP-5131 on a table top, see Desk Mounted Installations on
page 2-11.
For instructions on AP-5131 wall mounting, see Wall Mounted Installations on page 2-13.
For instructions on mounting an AP-5131 to a ceiling T-bar, see Suspended Ceiling T-Bar
Installations on page 2-15.
For instructions on installing the AP-5131 in an above the ceiling attic space, see Above the
Ceiling (Plenum) Installations on page 2-17.
For information on the 802.11a and 802.11b/g radio antenna suite available to the AP-5131, see
Antenna Options on page 2-5. For more information on using a Symbol Power Injector to combine
Ethernet and power in one cable to the AP-5131, see Symbol Power Injector System on page 2-8. To verify the behavior of the AP-5131 LEDs once installed, see LED Indicators on page 2-20.

3.2 Configuration Options

Once installed and powered, the AP-5131 can be configured using one of several connection techniques. Managing the AP-5131 includes viewing network statistics and setting configuration options. The AP-5131 requires one of the following connection methods to manage the network:
Secure Java-Based WEB UI - (use Sun Microsystems’ JRE 1.5 or higher available from Sun’s Web site. Disable Microsoft’s Java Virtual Machine if installed). For information on using the Web UI to set AP-5131 default configuration values, see Basic Device Configuration on page
3-5 or chapters 4 through 7 of this guide.
Command Line Interface (CLI) via Serial, Telnet and SSH. The AP-5131 CLI is accessed through the AP-5131 RS232 port, via Telnet or SSH. The CLI follows the same configuration conventions as the device user interface with a few documented exceptions. For details on using the CLI to manage the AP-5131, see Appendix 8, Command Line Interface Reference
on page 8-1.
Config file - Readable text file; Importable/Exportable via FTP, TFTP and HTTP. Configuration settings for an AP-5131 can be downloaded from the current configuration of another AP­5131 meeting the import/export requirements. For information on importing or exporting configuration files, see Importing/Exporting Configurations on page 4-37.
MIB (Management Information Base) accessing the AP-5131 SNMP functions using a MIB Browser. The AP-5131 CDROM contains the following 2 MIB files:
• Symbol-CC-WS2000-MIB-2.0 (standard Symbol MIB file)
• Symbol-AP-5131-MIB (AP-5131 specific MIB file)
Getting Started

3.3 Default Configuration Changes

The following table illustrates the changes made to the AP-5131 version 1.1 configuration as compared to the 1.0 version configuration:
Version 1.0 Version 1.1
3-3
WAN DHCP client
Auto-Update Enabled
LAN 1 Static IP: 192.168.0.1
Static Mask: 255.255.255.0
DHCP Server Enabled
LAN 2 Not applicable in 1.0 release Static IP: 192.168.1.1
Access via WAN
port
HTTPS, SSH, SNMP: Enabled HTTP, HTTPS, SSH, SNMP, Telnet:
Static IP: 10.1.1.1
Static Mask: 255.0.0.0
DHCP Client
Auto-Update Enabled
Default Gateway
Ethernet Port Enabled
Static Mask: 255.255.255.0
DHCP Server Enabled
Enabled

3.4 Initially Connecting to the Access Point

NOTE The procedures described below assume this is the first time you are
connecting to the access point.

3.4.1 Connecting to the Access Point using the WAN Port

To initially connect to the AP-5131 using the access point’s WAN port:
1. Connect AC power to the AP-5131, as Power-Over-Ether support is not available on the WAN
port.
2. Start a browser and enter the AP-5131’s static IP WAN address (10.1.1.1). The default
password is “symbol.”
3. Refer to Basic Device Configuration on page 3-5 for instructions on the initial (basic)
configuration of the AP-5131.
3-4
AP-5131 Access Point Product Reference Guide

3.4.2 Connecting to the Access Point using the LAN Port

To initially connect to the AP-5131 using the access point’s LAN port:
1. The LAN port default is set to DHCP. Connect the AP-5131’s LAN port to a DHCP server.
The AP-5131 will receive its IP address automatically.
2. To view the AP-5131’s IP address, connect one end of a null modem serial cable to the AP-5131 and the other end to the serial port of a computer running HyperTerminal or similar emulation program.
3. Configure the following settings:
• Baud Rate - 19200
• Data Bits - 8
• Stop Bits - 1
• No Parity
• No Flow Control
4. Press <ESC> or <Enter> to access the AP-5131 CLI.
5. Enter the default username of “admin” and the default password of “symbol.
As this is the first time you are logging into the AP-5131, you are prompted to enter a new password and set the county code. Refer to Country Codes on page A-6 for a list of each available countries two digit country code.
6. At the CLI prompt (admin>), type “summary.”
The AP-5131’s LAN IP address will display.
7. Using a Web browser, use the AP-5131’s IP address to access the AP-5131.
8. Refer to Basic Device Configuration on page 3-5 for instructions on the initial (basic) configuration of the AP-5131.
Getting Started

3.5 Basic Device Configuration

For the basic setup described in this section, the Java-based Web UI will be used to configure the AP-5131. Use the AP-5131’s LAN interface for establishing a link with the AP-5131. Configure the AP­5131 as a DHCP client. For optimal screen resolution, set your screen resolution to 1024 x 768 pixels or greater.
1. Log in using admin as the default user ID and symbol as the default password. Use your
new password if it has been updated from default.
NOTE For optimum compatibility, use Sun Microsystems’ JRE 1.5 or higher
(available from Sun’s Website), and be sure to disable Microsoft’s Java Virtual Machine if installed.
3-5
2. If the default login is successful, the Change Admin Password window displays. Change
the password.
3-6
AP-5131 Access Point Product Reference Guide
Enter the current password and a new admin password in fields provided, and click Apply. Once the admin password has been updated, a warning message displays stating the AP­5131 must be set to a country.
The export function will always export the encrypted Admin User password. The import function will import the Admin Password only if the AP-5131 is set to factory default. If the AP-5131 is not configured to factory default settings, the Admin User password WILL NOT get imported.
.
NOTE Though the AP-5131 can have its basic settings defined using a number of
different screens, Symbol recommends using the AP-5131 Quick Setup screen to set the correct country of operation and define its minimum required configuration from one convenient location.

3.5.1 Configuring Device Settings

Configure a set of minimum required device settings within the AP-5131 Quick Setup screen. The values defined within the Quick Setup screen are also configurable in numerous other locations within the AP-5131 menu tree. When you change the settings in the Quick Setup screen, the values also change within the screen where these parameters also exist. Additionally, if the values are updated in these other screens, the values initially set within the Quick Setup screen will be updated.
To define a basic AP-5131 configuration:
1. Select System Configuration -> Quick Setup from the AP-5131 menu tree, if the Quick Setup screen is not already displayed.
Getting Started
3-7
2. Enter a System Name for the AP-5131.
The System Name is useful if multiple Symbol devices are being administered.
3. Select the Country for the AP-5131’s country of operation from the drop-down menu
The AP-5131 prompts the user for the correct country code on the first login. A warning message also displays stating that an incorrect country settings may result in illegal radio operation. Selecting the correct country is central to legally operating the AP-5131. Each country has its own regulatory restrictions concerning electromagnetic emissions and the maximum RF signal strength that can be transmitted. To ensure compliance with national and local laws, be sure to set the Country accurately. CLI and MIB users cannot configure their AP-5131 until a two character country code (for example, United States - us) is set. Refer to Appendix A, Country Codes on page A-6 for the two character country codes.
NOTE The System Name and Country are also configurable within the System
Settings screen. Refer to Configuring System Settings on page 4-2 (if
necessary) to set a system location and admin email address for the AP-5131 or to view other default settings.
3-8
AP-5131 Access Point Product Reference Guide
4. Optionally enter the IP address of the server used to provide system time to the AP-5131 within the Time Server field.
NOTE DNS names are not supported as a valid IP address. The user is required
to enter a numerical IP address.
Once the IP address is entered, the AP-5131’s Network Time Protocol (NTP) functionality is engaged automatically. Refer to the AP-5131 Product Reference Guide for information on defining alternate time servers and setting a synchronization interval for the AP-5131 to adjust its displayed time. Refer to Configuring Network Time Protocol (NTP) on page 4-32 (if necessary) for information on setting alternate time servers and setting a synchronization interval for the AP-5131 to adjust its displayed time.
5. Click the WAN tab to set a minimum set of parameters for using the WAN interface. a. Select the Enable WAN Interface checkbox to enable a connection between the
AP-5131 and a larger network or outside world through the WAN port. Disable this option to effectively isolate the AP-5131’s WAN connection. No connections to a larger network or the Internet will be possible. MUs cannot communicate beyond the configured subnets.
b. Select the This Interface is a DHCP Client checkbox to enable DHCP for the AP-5131
WAN connection. This is useful, if the larger corporate network or Internet Service Provider (ISP) uses DHCP. DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. Some of these parameters are IP address, network mask, and gateway.
NOTE Symbol recommends that the WAN and LAN ports should not both be
configured as DHCP clients.
c. Specify an IP address for the AP-5131’s WAN connection. An IP address uses a series
of four numbers expressed in dot notation, for example, 190.188.12.1 (no DNS names supported).
d. Specify a Subnet Mask for the AP-5131’s WAN connection. This number is available
from the ISP for a DSL or cable-modem connection, or from an administrator if the AP-5131 connects to a larger network. A subnet mask uses a series of four numbers expressed in dot notation. For example, 255.255.255.0 is a valid subnet mask.
Getting Started
e. Define a Default Gateway address for the AP-5131’s WAN connection. The ISP or a
network administrator provides this address.
f. Specify the address of a Primary DNS Server. The ISP or a network administrator
provides this address.
6. Optionally, use the Enable PPP over Ethernet checkbox to enable Point-to-Point over
Ethernet (PPPoE) for a high-speed connection that supports this protocol. Most DSL providers are currently using or deploying this protocol. PPPoE is a data-link protocol for dialup connections. PPPoE will allow the AP-5131 to use a broadband modem (DSL, cable modem, etc.) for access to high-speed data networks.
a. Select the Keep Alive checkbox to enable occasional communications over the WAN
port even when client communications to the WAN are idle. Some ISPs terminate inactive connections, while others do not. In either case, enabling Keep-Alive maintains the WAN connection, even when there is no traffic. If the ISP drops the connection after the idle time, the AP-5131 automatically reestablishes the connection to the ISP.
b. Specify a Username entered when connecting to the ISP. When the Internet session
begins, the ISP authenticates the username.
c. Specify a Password entered when connecting to the ISP. When the Internet session
starts, the ISP authenticates the password.
For additional AP-5131 WAN port configuration options, see Configuring WAN Settings on
page 5-14.
7. Click the LAN tab to set a minimum set of parameters to use the AP-5131 LAN interface.
a. Select the Enable LAN Interface checkbox to forward data traffic over the AP-5131
LAN connection. The LAN connection is enabled by default.
b. Use the This Interface drop-down menu to specify how network address information
is defined over the AP-5131’s LAN connection. Select DHCP Client if the larger corporate network uses DHCP. DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. Some of these parameters are IP address, network mask, and gateway. Select DHCP Server to use the AP-5131 as a DHCP server over the LAN connection. Select the Bootp client option to enable a diskless system to discover its own IP address.
.
NOTE Symbol recommends that the WAN and LAN ports should not both be
configured as DHCP clients.
3-9
3-10
AP-5131 Access Point Product Reference Guide
c. If using the static or DHCP Server option, enter the network-assigned IP Address of the
AP-5131.
NOTE DNS names are not supported as a valid IP address for the AP-5131. The
user is required to enter a numerical IP address.
d. The Subnet Mask defines the size of the subnet. The first two sets of numbers specify
the network domain, the next set specifies the subset of hosts within a larger network. These values help divide a network into subnetworks and simplify routing and data transmission.
e. If using the static or DHCP Server option, enter a Default Gateway to define the
numerical IP address of a router the AP-5131 uses on the Ethernet as its default gateway.
f. If using the static or DHCP Server option, enter the Primary DNS Server numerical IP
address.
g. If using the DHCP Server option, use the Address Assignment Range parameter to
specify a range of IP address reserved for mapping clients to IP addresses. If a manually (static) mapped IP address is within the IP address range specified, that IP address could still be assigned to another client. To avoid this, ensure all statically mapped IP addresses are outside of the IP address range assigned to the DHCP server.
For additional AP-5131 LAN port configuration options, see Configuring the LAN Interface
on page 5-1.
8. Enable the radio(s) using the Enable checkbox(es) within the Radio Configuration field. If using a single radio AP-5131, enable the radio, then select either 2.4 GHz or 5.2 GHz from the RF Band of Operation field. Only one RF band option at a time is permissible in a single-radio AP-5131. If using a dual-radio AP-5131, the user can enable both RF bands. For additional AP-5131 radio configuration options, see Configuring the 802.11a or 802.11b/g
Radio on page 5-48.
9. Select the WLAN #1 tab (WLANs 1 - 4 are available within the Quick Setup screen) to define its ESSID and security scheme for basic operation.
NOTE A maximum of 16 WLANs are configurable within the AP-5131 Wireless
Configuration screen. The limitation of 16 WLANs exists regardless of whether the AP-5131 is a single or dual-radio model.
Getting Started
a. Enter the Extended Services Set Identification (ESSID) and name associated with the
WLAN. For additional information on creating and editing up to 16 WLANs per AP-5131, see Creating/Editing Individual WLANs on page 5-24.
b. Use the Available On checkboxes to define whether the target WLAN is operating over
the 802.11a or 802.11b/g radio. Ensure the radio selected has been enabled (see step 8).
c. Even an AP-5131 configured with minimal values must protect its data against theft and
corruption. A security policy should be configured for WLAN1 as part of the basic configuration outlined in this guide. A security policy can be configured for the WLAN from within the Quick Setup screen. Policies can be defined over time and saved to be used as needed as the AP-5131’s security requirements change. Symbol recommends you familiarize yourself with the security options available on the AP-5131 before defining a security policy. Refer to Configuring WLAN Security Settings on page 3-11.
10. Click Apply to save any changes to the AP-5131 Quick Setup screen. Navigating away from
the screen without clicking Apply results in all changes to the screens being lost.
11. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the
settings displayed on the AP-5131 Quick Setup screen to the last saved configuration.
3.5.1.1 Configuring WLAN Security Settings
3-11
To configure a basic security policy for a WLAN:
1. From the AP-5131 Quick Setup screen, click the Create button to the right of the Security
Policy item.
The New Security Policy screen displays with the Manually Pre-shared key/No
authentication and No Encryption options selected. Naming and saving such a policy (as
is) would provide no security and might only make sense in a guest network wherein no sensitive data is either transmitted or received. Consequently, at a minimum, a basic security scheme (in this case WEP 128) is recommended in a network environment wherein sensitive data is transmitted.
NOTE For information on configuring the other encryption and authentication
options available to the AP-5131, see Configuring Security Options on
page 6-2.
2. Ensure the
Name of the security policy entered suits the intended configuration or function
of the policy.
3-12
AP-5131 Access Point Product Reference Guide
Multiple WLANs can share the same security policy, so be careful not to name security policies after specific WLANs or risk defining a WLAN to single policy. Symbol recommends naming the policy after the attributes of the authentication or encryption type selected.
3. Select the WEP 128 (104 bit key) checkbox.
The WEP 128 Settings field displays within the New Security Policy screen.
4. Configure the WEP 128 Settings field as required to define the Pass Key used to generate the WEP keys
Pass Key Specify a 4 to 32 character pass key and click the Generate
.
button. The AP-5131, other proprietary routers and Symbol MUs use the same algorithm to convert an ASCII string to the same hexadecimal number. Non-Symbol clients and devices need to enter WEP keys manually as hexadecimal numbers. The AP-5131 and its target client(s) must use the same pass key to interoperate.
Getting Started
Keys #1-4 Use the Key #1-4 fields to specify key numbers. The key can be
either a hexidecimal or ASCII depending on which option is selected from the drop-down menu. For WEP 64 (40-bit key), the keys are 10 hexadecimal characters in length or 5 ASCII characters. For WEP 128 (104-bit key), the keys are 26 hexadecimal characters in length or 13 ASCII characters. Select one of these keys for activation by clicking its radio button. The AP-5131 and its target client(s) must use the same key to interoperate.
5. Click the Apply button to save the security policy and return to the AP-5131 Quick Setup
screen.
At this point, you can test the AP-5131 for MU interoperability.

3.5.2 Testing Connectivity

Verify the AP-5131’s link with an MU by sending Wireless Network Management Protocol (WNMP) ping packets to the associated MU. Use the Echo Test screen to specify a target MU and configure the parameters of the test. The WNMP ping test only works with Symbol MUs. Only use a Symbol MU to test AP-5131 connectivity using WNMP.
3-13
NOTE Before testing for connectivity, the target MU needs to be set to the same
ESSID as the AP-5131. Since WEP 128 has been configured for the AP­5131, the MU also needs to be configured for WEP 128 and use the same WEP keys. Ensure the MU is associated with the AP-5131 before testing for connectivity.
To ping a specific MU to assess its connection with an AP-5131:
1. Select Status and Statistics -> MU Stats from the AP-5131 menu tree.
2. Select the Echo Test button from within the MU Stats Summary screen.
3. Define the following parameters for the test.
Station Address The station address is the IP address of the target MU. Refer to
the MU Stats Summary screen for associated MU IP address information.
Number of pings Defines the number of packets to be transmitted to the MU. The
default is 100.
3-14
AP-5131 Access Point Product Reference Guide
Packet Length Specifies the length of each packet transmitted to the MU during
the test. The default length is 100 bytes.
4. Click the Ping button to begin transmitting packets to the specified MU address.
Refer to the Number of Responses value to assess the number of responses from the MU versus the number of ping packets transmitted by the AP-5131. Use the ratio of packets sent versus the number of packets received the link quality between the MU and the AP-5131.
Click the OK button to exit the Echo Test screen and return to the MU Stats Summary screen.

3.5.3 Where to Go from Here?

Once basic connectivity has been verified, the AP-5131 can be fully configured to meet the needs of the network and the users it supports. Refer to the following:
For detailed information on AP-5131 device access, SNMP settings, network time, importing/exporting device configurations and device firmware updates, see Chapter 4,
System Configuration on page 4-1.
For detailed information on configuring AP-5131 LAN interface (subnet) and WAN interface see, Chapter 5, Network Management on page 5-1.
For detailed information on configuring specific encryption and authentication security schemes for individual AP-5131 WLANs, see Chapter 6, Configuring Access Point Security
on page 6-1.
To view detailed statistics on the AP-5131 and its associated MUs, see Chapter 7,
Monitoring Statistics on page 7-1.

System Configuration

The Symbol AP-5131 contains a built-in browser interface for system configuration and remote management using a standard Web browser such as Microsoft Internet Explorer, Netscape Navigator or Mozilla Firefox. The browser interface also allows for system monitoring of the AP-5131.
Web management of the AP-5131 requires either Microsoft Internet Explorer 5.0 or later or Netscape Navigator 6.0 or later.
NOTE For optimum compatibility, use Sun Microsystems’ JRE 1.5 or higher
(available from Sun’s Web site), and be sure to disable Microsoft’s Java Virtual Machine if installed.
To connect to the AP, the AP-5131 IP is required. If connected to the AP-5131 using the WAN port, the default static IP address is 10.1.1.1. The default password is “symbol.” If connected to the AP-5131 using the LAN port, the default setting is DHCP client. The user is must know the IP address in order to access the AP-5131 using a Web browser.
4-2
AP-5131 Access Point Product Reference Guide
.
NOTE DNS names are not supported as a valid IP address for the AP-5131. The
user is required to enter a numerical IP address.
System configuration topics include:
Configuring System Settings
Configuring Data Access
Managing Certificate Authority (CA) Certificates
Configuring SNMP Settings
Configuring Network Time Protocol (NTP)
Logging Configuration
Importing/Exporting Configurations
Updating Device Firmware

4.1 Configuring System Settings

Use the System Settings screen to specify the name and location of the AP-5131, assign an email address for the network administrator, restore the AP’s default configuration or restart the AP.
To configure System Settings for the AP-5131:
1. Select System Configuration -> System Settings from the AP-5131 menu tree.
System Configuration
2. Configure the AP-5131 System Settings field to assign a system name and location, set the
country of operation and view device version information.
4-3
System Name Specify a device name for the AP-5131. Symbol recommends
selecting a name serving as a reminder of the user base the
AP-5131 supports (engineering, retail, etc.).
System Location Enter the location of the
parameter acts as a reminder of where the AP can be found. Use the System Name field as a specific identifier of device location. Use the System Name and System Location fields together to optionally define the AP name by the radio coverage it supports and specific physical location. For example, “second floor engineering”
Admin Email Address Specify the AP administrator's email address.
AP-5131. The System Location
4-4
AP-5131 Access Point Product Reference Guide
Country The AP-5131 prompts the user for the correct country code after
AP-5131 Version The displayed number is the current version of the AP-5131 device
the first login. A warning message also displays stating that an incorrect country setting will lead to an illegal use of the AP-5131. Use the pull-down menu to select the country of operation. Selecting the correct country is extremely important. Each country has its own regulatory restrictions concerning electromagnetic emissions (channel range) and the maximum RF signal strength transmitted. To ensure compliance with national and local laws, be sure to set the Country field correctly.
If using the
AP-5131 configuration file, CLI or MIB to configure the
AP-5131’s country code, see Country Codes on page A-6.
firmware. Use this information to determine if the AP is running the most recent firmware available from Symbol. Use the Firmware
Update screen to keep the AP’s firmware up to date. For more
information, see Updating Device Firmware on page 4-41.
System Uptime Displays the current uptime of the
Name field. System Uptime is the cumulative time since the
AP-5131 defined in the System
AP-5131 was last rebooted or lost power.
Serial Number Displays the AP-5131 Media Access Control (MAC) address. The
AP-5131 MAC address is hard coded at the factory and cannot be modified. The LAN and WAN port MAC addresses can be located within the LAN and WAN Stats screens. For information on locating the AP-5131 MAC addresses, see Viewing WAN Statistics
on page 7-2 and Viewing LAN Statistics on page 7-6.
3. Refer to the Factory Defaults field to restore either a full or partial default configuration.
CAUTION Restoring the AP-5131’s configuration back to default settings
!
changes the administrative password back to “symbol.” If restoring the configuration back to default settings, be sure you change the administrative password accordingly.
System Configuration
4-5
Restore Default Configuration
Restore Partial Default Configuration
Select the Restore Default Configuration button to reset the AP’s configuration to factory default settings. If selected, a message displays warning the user the current configuration will be lost if the default configuration is restored. Before using this feature, Symbol recommends using the Config Import/Export screen to export the current configuration for safekeeping, see
Importing/Exporting Configurations on page 4-37.
Select the Restore Partial Default Configuration button to restore a default configuration with the exception of the current LAN, WAN, SNMP settings and IP address used to launch the browser. If selected, a message displays warning the user all current configuration settings will be lost with the exception of WAN and SNMP settings. Before using this feature, Symbol recommends using the Config Import/Export screen to export the current configuration for safekeeping, see Importing/Exporting
Configurations on page 4-37.
4. Use the Restart AP-5131 field to restart the AP (if necessary).
Restart
AP-5131
Click the Restart AP-5131 button to reboot the AP. Restarting the
AP-5131 resets all data collection values to zero. Symbol does not
recommend restarting the AP during significant system uptime or data collection activities.
CAUTION After a reboot, static route entries disappear from the AP Route Table
!
if a LAN Interface is set to DHCP Client. The entries can be retrieved (once the reboot is done) by performing an Apply operation from the WEB UI or a save operation from the CLI.
5. Click Apply to save any changes to the System Settings screen. Navigating away from the
screen without clicking the Apply button results in all changes to the screen being lost.
NOTE The Apply button is not needed for restoring the AP-5131 default
configuration or restarting the AP-5131.
6. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the
settings displayed on the System Settings screen to the last saved configuration.
4-6
AP-5131 Access Point Product Reference Guide
7. Click Logout to securely exit the AP-5131 Symbol Access Point applet. A prompt displays confirming the logout before the applet is closed.

4.2 Configuring Data Access

Use the AP-5131 Access screen to enable/disable data throughput to the AP-5131’s LAN1, LAN2 and/or WAN interfaces and display screens for changing administrator passwords.
Use the AP-5131 Access screen checkboxes to enable or disable LAN1, LAN2 and/or WAN access using the protocols and ports listed. If access is disabled, this effectively locks out the administrator from configuring the AP-5131 using that interface. To avoid jeopardizing the network data managed by the AP-5131, Symbol recommends enabling only those interfaces used in the routine (daily) management of the network, and disabling all other interfaces until they are required.
To configure access for the AP-5131:
1. Select System Configuration -> AP-5131 Access from the AP-5131 menu tree.
2. Use the AP-5131 Access field checkboxes to enable/disable the following AP-5131 on the AP-5131’s LAN1, LAN2 or WAN interfaces:
System Configuration
Applet HTTP (port 80) Select the LAN1, LAN2 and/or WAN checkboxes to enable access
to the
AP-5131 configuration applet using a Web browser.
4-7
Applet HTTPS (port
443)
CLI TELNET (port 23)
CLI SSH (port 22) Select the LAN1, LAN2 and/or WAN checkboxes to enable access
SNMP (port 161) Select the LAN1, LAN2 and/or WAN checkboxes to enable access
Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the
AP-5131 configuration applet using a Secure Sockets Layer
(SSL) for encrypted HTTP sessions.
Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the
AP-5131 CLI via the TELNET terminal emulation TCP/IP
protocol.
to the
AP-5131 CLI using the SSH (Secure Shell) protocol.
to the
AP-5131 configuration settings from an SNMP-capable
client.
3. Refer to the Applet Timeout field to set an HTTPS timeout interval.
HTTP/S Timeout
Disables access to the AP-5131 if no data activity is detected over Applet HTTPS (port 443) after the user defined interval. Default is 0 Mins.
4. Configure the Secure Shell field to set timeout values to reduce network inactivity.
Authentication Timeout
Defines the maximum time (between 30 - 120 seconds) allowed for SSH authentication to occur before executing a timeout. The minimum permissible value is 30 seconds.
SSH Keepalive Interval
The SSH Keepalive Interval defines a period (in seconds) after which if no data has been received from a client, SSH sends a message through the encrypted channel to request a response from the client. The default is 0, and no messages will be sent to the client until a non-zero value is set. Defining a Keepalive interval is important, otherwise programs running on a server may never notice if the other end of a connection is rebooted.
5. Use the Admin Authentication buttons to specify the authentication server connection
method.
The
Local
AP-5131 verifies the authentication connection.
4-8
AP-5131 Access Point Product Reference Guide
Radius Designates that a Radius server is used in the authentication
6. Use the Radius Server if a Radius server has been selected as the authentication server, enter the required network address information.
credential verification. If using this option, the connected PC is required to have its Radius credentials verified with an external Radius server. Additionally, the Radius Server’s Active Directory should have a valid user configured and have a PAP based Remote Access Policy configured for Radius Admin Authentication to work.
Radius Server IP Specify the
Authentication Dial-In User Service (Radius) server. Radius is a
client/server protocol and software enabling remote-access servers to communicate with a server used to authenticate users and authorize access to the requested system or service.
Port Specify the port on which the server is listening. The Radius server
typically listens on ports 1812 (default port).
Shared Secret Define a shared secret for authentication on the server. The shared
secret is required to be the same as the shared secret defined on the Radius server. Use shared secrets to verify Radius messages (with the exception of the Access-Request message) sent by a Radius-enabled device configured with the same shared secret.
Apply the qualifications of a well-chosen password to the generation of a shared secret. Generate a random, case-sensitive string using letters, numbers and symbols. The default is symbol.
numerical (non DNS name) IP address of the Remote
7. Update the Administrator Access field to change the administrative password used to access the AP-5131 configuration settings.
Change Admin Password
Click the for updating the AP administrator password. Enter and confirm a new administrator password as required.
Change Admin Password button to display a screen
8. Click Apply to save any changes to the AP-5131 Access screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.
9. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the AP-5131 Access screen to the last saved configuration.
10. Click Logout to securely exit the AP-5131 Symbol Access Point applet. A prompt displays confirming the logout before the applet is closed.
System Configuration

4.3 Managing Certificate Authority (CA) Certificates

Certificate management includes the following sections:
Importing a CA Certificate
Creating Self Certificates for Accessing the VPN

4.3.1 Importing a CA Certificate

A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates that it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate. A browser must contain this CA certificate in its Trusted Root Library so that it can trust certificates “signed” by the CA's private key.
Depending on the public key infrastructure, the digital certificate includes the owner's public key, the certificate expiration date, the owner's name and other public key owner information.
The AP-5131 can import and maintain a set of CA certificates to use as an authentication option for Virtual Private Network (VPN) access. To use the certificate for a VPN tunnel, define a tunnel and select the IKE settings to use either RSA or DES certificates. For additional information on configuring VPN tunnels, see Configuring VPN Tunnels on page 6-34.
4-9
CAUTION Loaded and signed CA certificates will be lost when changing the
AP-5131’s firmware version using either the GUI or CLI. After a
!
Refer to your AP-5131 network administrator to obtain a CA certificate to import into the AP-5131.
NOTE Verify the AP-5131 device time is synchronized with an NTP server before
To import a CA certificate:
1. Select System Configuration -> Certificate Mgmt -> CA Certificates from the AP-5131
menu tree.
certificate has been successfully loaded, export it to a secure location to ensure its availability after a firmware update.
importing a certificate to avoid issues with conflicting date/time stamps. For more information, see Configuring Network Time Protocol (NTP) on
page 4-32.
4-10
AP-5131 Access Point Product Reference Guide
2. Copy the content of the CA Certificate message (using a text editor such as notepad) and then click on Paste from Clipboard.
The content of the certificate displays in the Import a root CA Certificate field.
3. Click the Import root CA Certificate button to import it into the CA Certificate list.
4. Once in the list, select the certificate ID within the View Imported root CA Certificates field to view the certificate issuer name, subject, and certificate expiration data.
5. To delete a certificate, select the Id from the drop-down menu and click the Del button.

4.3.2 Creating Self Certificates for Accessing the VPN

The AP-5131 requires two kinds of certificates for accessing the VPN, CA certificates and self certificates. Self certificates are certificate requests you create, send to a Certificate Authority (CA) to be signed, then import the signed certificate into the management system.
CAUTION Self certificates can only be generated using the AP-5131 GUI and CLI
interfaces. No functionality exists for creating a self-certificate using
!
the AP-5131’s SNMP configuration option.
System Configuration
To create a self certificate:
1. Select System Configuration -> Certificate Mgmt -> Self Certificates from the AP-5131
menu tree.
2. Click on the Add button to create the certificate request.
4-11
The Certificate Request screen displays.
3. Complete the request form with the pertinent information. Only 4 values are required, the
others optional:
Key ID Enter a logical name for the certificate to help distinguish between
certificates. The name can be up to 7 characters in length.
4-12
AP-5131 Access Point Product Reference Guide
Subject The required Subject value contains important information about
Signature Algorithm Use the drop-down menu to select the signature algorithm used for
Key Length Defines the length of the key. Possible values are 512, 1024, and
4. When the form is completed, click the Generate button.
The Certificate Request screen disappears and the ID of the generated certificate request displays in the drop-down list of certificates within the Self Certificates screen.
5. Click the Generate Request button.
the certificate. Contact the CA signing the certificate to determine the content of the Subject parameter.
the certificate. Options include:
MD5-RSA - Message Digest 5 algorithm in combination with RSA encryption.
SHA1-RSA - Secure Hash Algorithm 1 in combination with RSA encryption.
2048.
The generated certificate request displays in Self Certificates screen text box.
System Configuration
6. Click the Copy to Clipboard button.
The content of certificate request is copied to the clipboard.
Create an email to your CA, paste the content of the request into the body of the message and send it to the CA.
The CA signs the certificate and will send it back. Once received, copy the content from the email into the clipboard.
7. Click the Paste from clipboard button.
The content of the email displays in the window.
Click the Load Certificate button to import the certificate and make it available for use as a VPN authentication option. The certificate ID displays in the Signed list.
NOTE If the AP-5131 is restarted after a certificate request has been generated
but before the signed certificate is imported, the import will not execute properly. Do not restart the AP-5131 during this process.
8. To use the certificate for a VPN tunnel, first define a tunnel and select the IKE settings to use either RSA or DES certificates. For additional information on configuring VPN tunnels, see Configuring VPN Tunnels on page 6-34.
4-13

4.3.3 Creating a Certificate for Onboard Radius Authentication

The AP-5131 can use its on-board Radius Server to generate certificates to authenticate MUs for use with the AP-5131. In addition, a Windows 2000 or 2003 Server is used to sign the certificate before downloading it back to the AP-5131’s on-board Radius server and loading the certificate for use with the AP-5131.
Both a CA and Self certificate are required for Onboard Radius Authentication. For information on CA Certificates, see Importing a CA Certificate on page 4-9 Encoded format
!
To create a self certificate for on-board Radius authentication:
or risk loading an invalid certificate.
CAUTION Self certificates can only be generated using the AP-5131 GUI and CLI
interfaces. No functionality exists for creating a self-certificate using the AP-5131’s SNMP configuration option.
. Ensure the certificate is in a Base 64
4-14
AP-5131 Access Point Product Reference Guide
1. Select System Configuration -> Certificate Mgmt -> Self Certificates from the AP-5131
menu tree.
2. Click on the Add button to create the certificate request.
The Certificate Request screen displays.
3. Complete the request form with the pertinent information.
Key ID (required) Enter a logical name for the certificate to help distinguish between
certificates. The name can be up to 7 characters in length.
Subject (required) The required
the certificate. Contact the CA signing the certificate to determine the content of the Subject parameter.
Department Optionally enter a value for your organizations’s department name
if needing to differentiate the certificate from similar certificates used in other departments within your organization.
Organization Optionally enter the name of your organization for supporting
information for the certificate request.
City Optionally enter the name of the City where the AP-5131(using the
certificate) resides.
State Optionally enter the name of the State where the AP-5131(using
the certificate) resides.
Postal Code Optionally enter the name of the Postal (Zip) Code where the
AP-5131(using the certificate) resides.
Country Code Optionally enter the AP-5131’s Country Code.
Email Enter a organizational email address (avoid using a personal
address if possible) to associate the request with the proper requesting organization.
Domain Name Ensure the Domain name is the name of the CA Server. This value
must be set correctly to ensure the certificate is properly generated.
Subject value contains important information about
IP Address Enter the IP address of this AP-5131 (as you are using the AP-5131’s
onbard Radius server).
System Configuration
Signature Algorithm Use the drop-down menu to select the signature algorithm used for
the certificate. Options include:
MD5-RSA - Message Digest 5 algorithm in combination with RSA encryption.
SHA1-RSA - Secure Hash Algorithm 1 in combination with RSA encryption.
Key Length Defines the length of the key. Possible values are 512, 1024, and
2048. Symbol recommends setting this value to 1024 to ensure optimum functionality.
4. Complete as many of the optional values within the Certificate Request screen as
possible.
5. When the form is completed, click the Generate button from within the Certificate Request
screen.
The Certificate Request screen disappears and the ID of the generated certificate request displays in the drop-down list of certificates within the Self Certificates screen.
NOTE A Warning screen may display at this phase stating key information could
be lost if you proceed with the certificate request. Click the OK button to continue, as the certificate has not been signed yet.
4-15
6. Click the Generate Request button from within the Self Certificates screen. The certificate
content displays within the Self Certificate screen.
4-16
AP-5131 Access Point Product Reference Guide
7. Click the Copy to clipboard button. Save the certificate content to a secure location.
8. Connect to the Windows 2000 or 2003 server used to sign the certificate.
9. Select the Request a certificate option. Click Next to continue.
10. Select the Advanced request checkbox from within the Choose Request Type screen and
click Next to continue.
11. From within the Advanced Certificate Requests screen, select the Submit a certificate
request using a base 64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS file option. Click Next to continue.
12. Paste the content of certificate in the Saved Request field (within the Submit a Saved
Request screen).
NOTE An administrator must make sure the Web Server option is available as a
selectable option for those without administrative privileges.
If you do not have administrative privileges, ensure the Web Server option has been selected from the Certificate Template drop-down menu. Click Submit.
13. Select the Base 64 encoded checkbox option from within the Certificate Issued screen and select the Download CA Certificate link.
System Configuration
A File Download screen displays prompting the user to select the download location for the certificate.
14. Click the Save button and save the certificate to a secure location.
15. Load the certificates on the AP-5131
CAUTION Ensure the CA Certificate is loaded before the Self Certificate, or risk
!
16. Open the certificate file and copy its contents into the CA Certificates screen by clicking the
Paste from Clipboard button.
The certificate is now ready to be loaded into the AP-5131’s flash memory.
17. Click the Import root CA Certificate button from within the CA Certificates screen.
18. Verify the contents of the certificate file display correctly within the CA Certificates screen.
19. Open the certificate file and copy its contents into the Self Certificates screen by clicking
the Paste from Clipboard button.
20. Click the Load Certificate button.
21. Verify the contents of the certificate file display correctly within the Self Certificates screen.
The certificate for the onboard Radius authentication of MUs has now been generated and loaded into the AP-5131’s flash memory.
an invalid certificate load.
.
4-17

4.4 Configuring SNMP Settings

Simple Network Management Protocol (SNMP) facilitates the exchange of management information between network devices. SNMP uses Management Information Bases (MIBs) to manage the device configuration and monitor Internet devices in potentially remote locations. MIB information accessed via SNMP is defined by a set of managed objects called object identifiers (OIDs). An object identifier (OID) is used to uniquely identify each object variable of a MIB. The AP-5131 CDROM contains the following 2 MIB files:
• Symbol-CC-WS2000-MIB-2.0 (common Symbol MIB file)
• Symbol-AP-5131-MIB (AP-5131 specific MIB file)
4-18
AP-5131 Access Point Product Reference Guide
NOTE The Symbol-AP-5131-MIB contains the majority of the information
contained within the Symbol-CC-WS2000-MIB-2.0 file. This feature rich information has been validated with the Symbol WS2000 and proven reliable. The remaining portion of the Symbol-AP-5131-MIB contains supplemental information unique to the AP-5131 feature set.
If using the Symbol-CC-WS2000-MIB-2.0 and/or Symbol-AP-5131-MIB to configure the AP-5131, use the table below to locate the MIB where the feature can be configured.
Feature MIB Feature MIB
LAN Configuration Symbol-AP-5131-MIB Subnet Configuration Symbol-CC-WS2000-MIB-2.0
VLAN Configuration Symbol-AP-5131-MIB DHCP Server
Configuration
802.1x Port Authentication
Ethernet Type Filter Configuration
Wireless Configuration
Security Configuration Symbol-AP-5131-MIB NAT Address Mapping Symbol-CC-WS2000-MIB-2.0
MU ACL Configuration Symbol-AP-5131-MIB VPN Tunnel
QOS Configuration Symbol-AP-5131-MIB VPN Tunnel status Symbol-CC-WS2000-MIB-2.0
Radio Configuration Symbol-AP-5131-MIB Content Filtering Symbol-CC-WS2000-MIB-2.0
Bandwidth Management
SNMP Trap Selection Symbol-AP-5131-MIB Firewall Configuration Symbol-CC-WS2000-MIB-2.0
SNMP RF Trap Thresholds
Config Import/Export Symbol-AP-5131-MIB Advanced LAN Access Symbol-CC-WS2000-MIB-2.0
Symbol-AP-5131-MIB Advanced DHCP
Server configuration
Symbol-AP-5131-MIB WAN IP Configuration Symbol-CC-WS2000-MIB-2.0
Symbol-AP-5131-MIB PPP Over Ethernet Symbol-CC-WS2000-MIB-2.0
Configuration
Symbol-AP-5131-MIB Rogue AP Detection Symbol-CC-WS2000-MIB-2.0
Symbol-AP-5131-MIB LAN to WAN Access Symbol-CC-WS2000-MIB-2.0
Symbol-CC-WS2000-MIB-2.0
Symbol-CC-WS2000-MIB-2.0
Symbol-CC-WS2000-MIB-2.0
MU Authentication Stats
Symbol-AP-5131-MIB Router Configuration Symbol-CC-WS2000-MIB-2.0
System Configuration
Feature MIB Feature MIB
4-19
WNMP Ping Configuration
Known AP Stats Symbol-AP-5131-MIB AP 5131 Access Symbol-CC-WS2000-MIB-2.0
Flash LEDs Symbol-AP-5131-MIB Certificate Mgt Symbol-CC-WS2000-MIB-2.0
Automatic Update Symbol-AP-5131-MIB SNMP Access
Symbol-AP-5131-MIB System Settings Symbol-CC-WS2000-MIB-2.0
Symbol-CC-WS2000-MIB-2.0
Configuration
SNMP Trap Configuration
NTP Server Configuration
Logging Configuration Symbol-CC-WS2000-MIB-2.0
Firmware Update Symbol-CC-WS2000-MIB-2.0
Wireless Stats Symbol-CC-WS2000-MIB-2.0
Radio Stats Symbol-CC-WS2000-MIB-2.0
MU Stats Symbol-CC-WS2000-MIB-2.0
Automatic Update Symbol-CC-WS2000-MIB-2.0
Symbol-CC-WS2000-MIB-2.0
Symbol-CC-WS2000-MIB-2.0
SNMP allows a network administrator to manage network performance, find and solve network problems, and plan for network growth. The AP-5131 supports SNMP management functions for gathering information from its network components, communicating that information to specified users and configuring the AP-5131. All the fields available within the AP-5131 are also configurable within the MIB.
The AP-5131 SNMP agent functions as a command responder and is a multilingual agent responding to SNMPv1, v2c and v3 managers (command generators). The factory default configuration maintains SNMPv1/2c support of the community names, hence providing backward compatibility.
SNMP v1/v2c community definitions and SNMP v3 user definitions work independently, and both use the Access Control List (ACL) of the SNMP Access Control sub-screen.
Use the SNMP Access screen to define SNMP v1/v2c community definitions and SNMP v3 user definitions. SNMP version 1 (v1) provides a strong network management system, but its security is relatively weak. The improvements in SNMP version 2c (v2c) do not include the attempted security enhancements of other version-2 protocols. Instead, SNMP v2c defaults to SNMP-standard
4-20
AP-5131 Access Point Product Reference Guide
community strings for read-only and read/write access. SNMP version 3 (v3) further enhances protocol features, providing much improved security. SNMP v3 encrypts transmissions and provides authentication for users generating requests.
To configure SNMP v1/v2c community definitions and SNMP v3 user definitions for the AP-5131:
1. Select System Configuration - > SNMP Access from the AP-5131 menu tree.
SNMP v1/v2c community definitions allow read-only or read/write access to AP-5131 management information. The SNMP community includes users whose IP addresses are specified on the SNMP Access Control screen.
A read-only community string allows a remote device to retrieve information, while a read/ write community string allows a remote device to modify settings. Symbol recommends considering adding a community definition using a site-appropriate name and access level. Set up a read/write definition (at a minimum) to facilitate full access by the AP-5131 administrator.
2. Configure the SNMP v1/v2 Configuration field (if SNMP v1/v2 is used) to add or delete community definitions, name the community, specify the OID and define community access.
Add Click Add to create a new SNMP v1/v2c community definition.
System Configuration
Delete Select Delete to remove a SNMP v1/v2c community definition.
4-21
Community
OID Use the OID (Object Identifier) pull-down list to specify a setting of
Access Use the Access pull-down list to specify read-only (R) access or
Use the Community field to specify a site-appropriate name for the community. The name is required to match the name used within the remote network management software.
All or a enter a Custom OID. Select All to assign the user access to all OIDs in the MIB. The OID field uses numbers expressed in dot notation.
read/write (RW) access for the community. Read-only access allows a remote device to retrieve AP-5131 information, while read/write access allows a remote device to modify AP-5131 settings.
3. Configure the SNMP v3 User Definitions field (if SNMP v3 is used) to add and configure
SNMP v3 user definitions.
SNMP v3 user definitions allow read-only or read/write access to management information as appropriate.
Add
Delete Select Delete to remove an entry for an SNMP v3 user.
Username
Click Add to create a new entry for an SNMP v3 user.
Specify a username by typing an alphanumeric string of up to 31 characters.
Security Level Use the Security Level area to specify a security level of noAuth
(no authorization), AuthNoPriv (authorization without privacy), or AuthPriv (authorization with privacy).
The NoAuth setting specifies no login authorization or encryption for the user.
The AuthNoPriv setting requires login authorization, but no encryption.
The AuthPriv setting requires login authorization and uses the
Data Encryption Standard (DES) protocol.
OID Use the OID (Object Identifier) area to specify a setting of All or
enter a Custom OID. Select All to assign the user access to all OIDs in the MIB. The OID field uses numbers expressed in dot notation.
4-22
AP-5131 Access Point Product Reference Guide
Passwords Select Passwords to display the Password Settings screen for
Access Use the Access pull-down list to specify read-only (R) access or
4. Specify the users who can read and optionally modify the SNMP-capable client.
SNMP Access Control Click the SNMP Access Control button to display the SNMP
specifying authentication and password settings for an SNMP v3 user. The maximum password length is 11 characters. Use the
Authentication Algorithm drop-down menu to specify MD5 or SHA1 as the authentication algorithm. Use the Privacy Algorithm
drop-down menu to define an algorithm of DES or AES-128bit. When entering the same username on the SNMP Traps and
SNMP Access screens, the password entered on the SNMP Traps
page overwrites the password entered on the SNMP Access page. To avoid this problem, enter the same password on both pages.
read/write (RW) access for a user. Read-only access permits a user to retrieve user to modify
Access Control screen for specifying which users can read
SNMP-generated information and potentially modify related settings from an SNMP-capable client.
The SNMP Access Control screen's Access Control List (ACL) uses Internet Protocol (IP) addresses to restrict access to the AP’s SNMP interface. The ACL applies to both SNMP v3 user definitions and SNMP v1/v2c community definitions.
For detailed instructions of configuring SNMP user access and modification privileges, see Configuring SNMP Access Control on
page 4-23.
AP-5131 information, while read/write access allows a
AP-5131settings.
5. If configuring SNMP v3 user definitions, set the SNMP v3 engine ID.
AP-5131 SNMP v3
Engine ID
The AP-5131 SNMP v3 Engine ID field lists the unique SNMP v3 Engine ID for the source for a trap, response or report. It is also used as the destination ID when sending get, getnext, getbulk, set or inform commands.
AP-5131. This ID is used in SNMP v3 as the
6. Click Apply to save any changes to the SNMP Access screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.
System Configuration
7. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the
settings displayed on the SNMP Access screen to the last saved configuration.
8. Click Logout to securely exit the AP-5131 Symbol Access Point applet. A prompt displays
confirming the logout before the applet is closed.
For additional SNMP configuration information, see:
Configuring SNMP Access Control
Enabling SNMP Traps
Configuring Specific SNMP Traps
Configuring SNMP RF Trap Thresholds

4.4.1 Configuring SNMP Access Control

Use the SNMP Access Control screen (as launched from the SNMP Access screen) to specify which users can read SNMP generated information and, if capable, modify related settings from an SNMP-capable client.
Use the SNMP Access Control screen's Access Control List (ACL) to limit, by Internet Protocol (IP) address, who can access the AP-5131 SNMP interface.
4-23
NOTE The ACL applies to both SNMP v3 user definitions and SNMP v1/v2c
community definitions on the AP-5131 SNMP Access screen.
To configure SNMP user access control for the AP-5131:
1. Select System Configuration - > SNMP Access from the AP-5131 menu tree. Click on the
SNMP Access Control button from within the SNMP Access screen.
4-24
AP-5131 Access Point Product Reference Guide
2. Configure the SNMP Access Control screen to add the IP addresses of those users receiving SNMP access.
Access Control List Enter Start IP and End IP addresses (numerical addresses only, no
DNS names supported) to specify a range of user that can access the
AP-5131 SNMP interface. An SNMP-capable client can be set
up whereby only the administrator (for example) can use a read/ write community definition.
Use just the Starting IP Address column to specify a single SNMP user. Use both the Starting IP Address and Ending IP Address columns to specify a range of addresses for SNMP users.
To add a single IP address to the ACL, enter the same IP address in the Start IP and End IP fields.
Leave the ACL blank to allow access to the SNMP interface from the IP addresses of all authorized users.
Add Click Add to create a new ACL entry.
Edit Click Edit to revise an existing ACL entry.
Delete Click Delete to remove a selected ACL entry for one or more SNMP
users.
Loading...
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use