Symbol Technologies AP-5131 User Manual

AP-5131 Access Point

Product Reference Guide

72E-94168-01

Revision A

November 2006

© 2006 by Symbol Technologies, Inc. All rights reserved.

No part of this publication may be reproduced or used in any form, or by any electrical or mechanical means, without permission in writing from Symbol. This includes electronic or mechanical means, such as photocopying, recording, or information storage and retrieval systems. The material in this manual is subject to change without notice.

The software is provided strictly on an “as is” basis. All software, including firmware, furnished to the user is on a licensed basis. Symbol grants to the user a non-transferable and non-exclusive license to use each software or firmware program delivered hereunder (licensed program). Except as noted below, such license may not be assigned, sublicensed, or otherwise transferred by the user without prior written consent of Symbol. No right to copy a licensed program in whole or in part is granted, except as permitted under copyright law. The user shall not modify, merge, or incorporate any form or portion of a licensed program with other program material, create a derivative work from a licensed program, or use a licensed program in a network without written permission from Symbol. The user agrees to maintain Symbol’s copyright notice on the licensed programs delivered hereunder, and to include the same on any authorized copies it makes, in whole or in part. The user agrees not to decompile, disassemble, decode, or reverse engineer any licensed program delivered to the user or any portion thereof.

Symbol reserves the right to make changes to any software or product to improve reliability, function, or design.

Symbol does not assume any product liability arising out of, or in connection with, the application or use of any product, circuit, or application described herein.

No license is granted, either expressly or by implication, estoppel, or otherwise under any Symbol Technologies, Inc., intellectual property rights. An implied license only exists for equipment, circuits, and subsystems contained in Symbol products.

Symbol, Spectrum One, and Spectrum24 are registered trademarks of Symbol Technologies, Inc. Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

Symbol Technologies, Inc.

One Symbol Plaza

Holtsville, New York 11742-1300

http://www.symbol.com

Contents

About This Guide

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Notational Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Service Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Chapter 1. AP-5131 Introduction

New AP-5131 Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

Mesh Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

Additional LAN Subnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

On-board Radius Server Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4

Hotspot Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4

Routing Information Protocol (RIP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

Manual Date and Time Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

Feature Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

iv AP-5131 Access Point Product Reference Guide

Single or Dual Mode Radio Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

Separate LAN and WAN Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

Multiple Mounting Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

Antenna Support for 2.4 GHz and 5.2 GHz Radios . . . . . . . . . . . . . . . . . . . . . . 1-7

Sixteen Configurable WLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

Support for 4 BSSIDs per Radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

Quality of Service (QoS) Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9

Industry Leading Data Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9

Kerberos Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

EAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

WEP Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11

KeyGuard Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12

Wi-Fi Protected Access (WPA) Using TKIP Encryption . . . . . . . . . . . . . 1-12

WPA2-CCMP (802.11i) Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12

Firewall Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

VPN Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

VLAN Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

Multiple Management Accessibility Options . . . . . . . . . . . . . . . . . . . . . . . . . 1-14

Updatable Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14

Programmable SNMP v1/v2/v3 Trap Support . . . . . . . . . . . . . . . . . . . . . . . . 1-14

Power-over-Ethernet Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15

MU-MU Transmission Disallow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15

Voice Prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Support for CAM and PSP MUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Statistical Displays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Transmit Power Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17

Advanced Event Logging Capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17

Configuration File Import/Export Functionality . . . . . . . . . . . . . . . . . . . . . . . 1-17

Default Configuration Restoration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17

DHCP Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Multi-Function LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Theory of Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Cellular Coverage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19

MAC Layer Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20

Media Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-21

Direct-Sequence Spread Spectrum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-21


MU Association Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22

Operating Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23

Management Access Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23

Chapter 2. Hardware Installation

Precautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

Package Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

Available Product Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

Placement of the AP-5131 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

Site Surveys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5

Antenna Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5

Power Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

Symbol Power Injector System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

Installing the Power Injector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9

Preparing for Site Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9

Cabling the Power Injector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9

Power Injector LED Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10

Mounting the AP-5131. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11

Desk Mounted Installations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11

Wall Mounted Installations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13

Suspended Ceiling T-Bar Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15

Above the Ceiling (Plenum) Installations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17

LED Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20

Setting Up MUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-22

Chapter 3. Getting Started

Installing the AP-5131 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1

Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2

Default Configuration Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

Initially Connecting to the Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

Connecting to the Access Point using the WAN Port . . . . . . . . . . . . . . . . . . . . 3-3

Connecting to the Access Point using the LAN Port . . . . . . . . . . . . . . . . . . . . . 3-4

Basic Device Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

Configuring Device Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6

Configuring WLAN Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11


Testing Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13

Where to Go from Here? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14

Chapter 4. System Configuration

Configuring System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

Configuring Data Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6

Managing Certificate Authority (CA) Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9

Importing a CA Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9

Creating Self Certificates for Accessing the VPN . . . . . . . . . . . . . . . . . . . . . 4-10

Creating a Certificate for Onboard Radius Authentication . . . . . . . . . . . . . . 4-13

Configuring SNMP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-17

Configuring SNMP Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23

Enabling SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25

Configuring Specific SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28

Configuring SNMP RF Trap Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-30

Configuring Network Time Protocol (NTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32

Logging Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-35

Importing/Exporting Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-37

Updating Device Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-41

Upgrade/Downgrade Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-46

Chapter 5. Network Management

Configuring the LAN Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1

Configuring VLAN Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4

Configuring LAN1 and LAN2 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8

Configuring Advanced DHCP Server Settings . . . . . . . . . . . . . . . . . . . . 5-11

Setting the Type Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13

Configuring WAN Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14

Configuring Network Address Translation (NAT) Settings . . . . . . . . . . . . . . 5-19

Configuring Port Forwarding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21

Enabling Wireless LANs (WLANs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22

Creating/Editing Individual WLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24

Configuring WLAN Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-29

Configuring a WLAN Access Control List (ACL) . . . . . . . . . . . . . . . . . . . 5-31

Setting the WLAN Quality of Service (QoS) Policy . . . . . . . . . . . . . . . . 5-34

Configuring WLAN Hotspot Support . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-40


Setting the WLAN’s Radio Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-45

Configuring the 802.11a or 802.11b/g Radio . . . . . . . . . . . . . . . . . . . . . 5-48

Configuring Bandwidth Management Settings. . . . . . . . . . . . . . . . . . . . . . . . 5-55

Configuring Router Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-57

Setting the RIP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-59

Chapter 6. Configuring Access Point Security

Configuring Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2

Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3

Resetting the AP-5131 Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4

Enabling Authentication and Encryption Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5

Configuring Kerberos Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9

Configuring 802.1x EAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11

Configuring WEP Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16

Configuring KeyGuard Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-18

Configuring WPA Using TKIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-20

Configuring WPA2-CCMP (802.11i) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-22

Configuring Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25

Configuring LAN to WAN Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-28

Available Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-31

Configuring Advanced Subnet Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-32

Configuring VPN Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-34

Configuring Manual Key Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-38

Configuring Auto Key Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-42

Configuring IKE Key Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-44

Viewing VPN Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-48

Configuring Content Filtering Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-50

Configuring Rogue AP Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-53

Moving Rogue APs to the Allowed AP List . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-56

Displaying Rogue AP Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-58

Using MUs to Detect Rogue Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-60

Configuring User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-62

Configuring the Radius Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-62

Configuring LDAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-65

Configuring a Proxy Radius Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-67

Managing the Local User Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-69


Mapping Users to Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-71

Defining the User Access Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-72

Chapter 7. Monitoring Statistics

Viewing WAN Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2

Viewing LAN Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6

Viewing a LAN’s STP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9

Viewing Wireless Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11

Viewing WLAN Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-13

Viewing Radio Statistics Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17

Viewing Radio Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-18

Retry Histogram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-22

Viewing MU Statistics Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-23

Viewing MU Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-25

Pinging Individual MUs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-27

MU Authentication Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-28

Viewing the Mesh Statistics Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-29

Viewing Known Access Point Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-30

Chapter 8. Command Line Interface Reference

Connecting to the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1

Accessing the CLI through the Serial Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1

Accessing the CLI via Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2

Admin and Common Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

Network Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11

Network LAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12

Network LAN, Bridge Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-16

Network LAN, WLAN-Mapping Commands . . . . . . . . . . . . . . . . . . . . . 8-19

Network LAN, DHCP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-28

Network Type Filter Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-34

Network WAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-39

Network WAN NAT Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-42

Network WAN, VPN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-48

Network Wireless Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-57

Network WLAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-58

Network Security Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-71


Network ACL Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-80

Network Radio Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . 8-85

Network Quality of Service (QoS) Commands. . . . . . . . . . . . . . . . . . . . 8-102

Network Bandwidth Management Commands . . . . . . . . . . . . . . . . . . . . 8-107

Network Rogue-AP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-110

Network Firewall Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-120

Network Router Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-125

System Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-131

System Debug and Last Password Commands . . . . . . . . . . . . . . . . . . . . . . . 8-135

System Access Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-136

System Certificate Management Commands . . . . . . . . . . . . . . . . . . . . . . . . 8-139

System SNMP Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-152

System SNMP Access Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-153

System SNMP Traps Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-158

System Network Time Protocol (NTP) Commands . . . . . . . . . . . . . . . . . . . . 8-164

System Log Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-169

System Configuration-Update Commands . . . . . . . . . . . . . . . . . . . . . . . . . . 8-175

Firmware Update Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-182

Statistics Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-186

Chapter 9. Configuring Mesh Networking

Mesh Networking Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1

The AP-5131 Client Bridge Association Process . . . . . . . . . . . . . . . . . . . . . . . . 9-3

Spanning Tree Protocol (STP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4

Defining the Mesh Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4

Mesh Networking and the AP-5131’s Two Subnets . . . . . . . . . . . . . . . . . . . . . 9-5

Normal Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5

Impact of Importing/Exporting Configurations to a Mesh Network . . . . . . . . . 9-5

Configuring Mesh Networking Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6

Setting the LAN Configuration for Mesh Networking Support . . . . . . . . . . . . . 9-6

Configuring a WLAN for Mesh Networking Support . . . . . . . . . . . . . . . . . . . . 9-8

Configuring the AP-5131 Radio for Mesh Networking Support . . . . . . . . . . . 9-12

Usage Scenario - Trion Enterprises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18

Trion’s Initial Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18

Adding 2 Client Bridges to Expand the Coverage Area . . . . . . . . . . . . . . . . . . 9-29

Adding 2 More Client Bridges to the Trion Network . . . . . . . . . . . . . . . . . . . . 9-36


Appendix A. Technical Specifications

Physical Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2

Electrical Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2

Radio Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-3

Antenna Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4

2.4 GHz Antenna Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4

5.2 GHz Antenna Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4

Additional Antenna Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-5

Antenna Accessory Connectors, Cable Type and Length. . . . . . . . . . . . . . . . . A-5

Country Codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-6

Appendix B. AP-5131 Usage Scenarios

Configuring Automatic Updates using a DHCP or Linux BootP Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1

Windows - DHCP Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-2

Embedded Options - Using Option 43 . . . . . . . . . . . . . . . . . . . . . . . . . . . B-2

Global Options - Using Extended/Standard Options . . . . . . . . . . . . . . . . B-4

DHCP Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-5

Linux - BootP Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-6

BootP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-7

BootP Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-9

Configuring an IPSEC Tunnel and VPN FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-9

Configuring a VPN Tunnel Between Two AP-5131s . . . . . . . . . . . . . . . . . . . B-10

Configuring a Cisco VPN Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-13

Frequently Asked VPN Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-14

Replacing an AP-4131 with an AP-5131 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-19

Appendix C. Customer Support

About This Guide

Introduction

This guide provides configuration and setup information for the AP-5131 model access point.

Document Conventions

The following document conventions are used in this document:

NOTE Indicates tips or special requirements.

CAUTION Indicates conditions that can cause equipment damage or data loss.


WARNING! Indicates a condition or procedure that could result in personal injury or equipment damage.

Notational Conventions

The following notational conventions are used in this document:

Italics are used to highlight specific items in the general text, and to identify chapters and sections in this and related documents.

Bullets (•) indicate:

• action items

• lists of alternatives

• lists of required steps that are not necessarily sequential

Sequential lists (those describing step-by-step procedures) appear as numbered lists.

Service Information

If a problem is encountered with the AP-5131, contact the Symbol Customer Support. Refer to Appendix C for contact information. Before calling, have the model number and serial number at hand.

If the problem cannot be solved over the phone, you may need to return your equipment for servicing. If that is necessary, you will be given specific instructions.

Symbol Technologies is not responsible for any damages incurred during shipment if the approved shipping container is not used. Shipping the units improperly can possibly void the warranty. If the original shipping container was not kept, contact Symbol to have another sent to you.

AP-5131 Introduction

The Symbol AP-5131 Access Point (AP) provides a bridge between Ethernet wired LANs or WANs and wireless networks. It provides connectivity between Ethernet wired networks and radio-equipped mobile units (MUs). MUs include the full line of Symbol terminals, bar-code scanners, adapters (PC cards, Compact Flash cards and PCI adapters) and other devices.

The AP-5131 provides a maximum data transfer rate of 54 Mbps via each radio. It monitors Ethernet traffic and forwards appropriate Ethernet messages to MUs over the network. It also monitors MU radio traffic and forwards MU packets to the Ethernet LAN.

The AP-5131 is available in two models:

• A single-radio version (Part No. AP-5131-4002X-WW), that can be configured as either an 802.11a access point or an 802.11b/g access point.

• A dual-radio version (Part No. AP-5131-1304X-WW), allowing both the 802.11a radio and the 802.11b/g radio to function simultaneously.

If you are new to using an access point for managing your network, refer to Theory of Operations on page 1-18 for an overview on wireless networking fundamentals.


1.1 New AP-5131 Features

With this most recent 1.1 release of the AP-5131 firmware, the following new features have been introduced to the existing AP-5131 feature set:

• Mesh Networking

• Additional LAN Subnet

• On-board Radius Server Authentication

• Hotspot Support

• Routing Information Protocol (RIP)

• Manual Date and Time Settings

1.1.1 Mesh Networking

Utilize the AP-5131’s new mesh networking functionality to allow the AP-5131 to function as a bridge to connect two Ethernet networks or as a repeater to extend your network’s coverage area without additional cabling. The AP-5131 mesh networking functionality is configurable in two modes. It can be set in a wireless client bridge mode and/or a wireless base bridge mode (which accepts connections from client bridges). These two modes are not mutually exclusive.

In client bridge mode, the AP-5131 scans for other access points advertising the selected WLAN’s ESSID. To establish the wireless connection it must go through the same association and authentication process an MU goes through; the mesh association process is identical to the AP-5131’s MU association process. Once association and authentication complete, the client bridge adds the connection as a port on its bridge module and begins forwarding configuration packets to the base bridge. An AP-5131 in base bridge mode accepts client bridge connections on its radio.

The two bridges communicate using the Spanning Tree Protocol (STP). The spanning tree determines the path to the root bridge and detects whether the current connection forms a network loop with another connection. Once the spanning tree converges, both access points learn which destinations reside on which side of the link, which allows them to forward traffic intelligently.

After the AP-5131 (in client bridge mode) establishes at least one wireless connection, it begins beaconing and accepting wireless connections from MUs (if configured to support mobile users). If the AP-5131 is configured as both a client bridge and a base bridge, it also begins accepting client bridge connections. In this way the mesh network builds itself over time and distance.

Once the AP-5131 (in client bridge mode) establishes at least one wireless connection, it continues to establish other wireless connections in the background as they become available, so it can maintain simultaneous redundant links. An AP-5131 in client bridge mode can establish up to 3 simultaneous wireless connections with other AP-5131s. The client bridge always initiates a connection and the base bridge always accepts it.

Since each client bridge can hold up to 3 simultaneous wireless connections, some of those connections may be redundant. In that case STP determines which links are redundant and blocks them from forwarding.

For an overview on mesh networking as well as details on configuring the AP-5131’s mesh networking functionality, see Configuring Mesh Networking on page 9-1.

1.1.2 Additional LAN Subnet

In a typical retail or small office environment (where a second wireless network is available alongside the production WLAN) it is frequently necessary to segment a LAN into two subnets so that the two kinds of traffic are kept apart. A second LAN is therefore needed to segregate the wireless traffic.

The AP-5131 now has a second LAN subnet, enabling administrators to segment the AP-5131’s LAN connection into two separate networks. The main AP-5131 LAN screen now allows the user to select either LAN1 or LAN2 as the active LAN over the AP-5131’s Ethernet port. Both LANs can be active at the same time, but only one can transmit over the AP-5131’s physical LAN connection. Each LAN has its own configuration screen (called LAN 1 and LAN 2 by default) under the main LAN screen, and the user can rename each LAN as necessary. Each LAN can also have its own Ethernet Type Filter configuration and its own subnet access (HTTP, SSH, SNMP and telnet) configuration, so management protocols can be permitted on one subnet and refused on the other.

For detailed information on configuring the AP-5131 for additional LAN subnet support, see

Configuring the LAN Interface on page 5-1.

1.1.3 On-board Radius Server Authentication

The AP-5131 can now act as a Radius server, holding a user database and authenticating users against it. Several new screens have been added to the AP-5131’s menu tree to configure Radius server authentication, the local user database and access policies. The Radius Server screen lets an administrator define the data source, the authentication type and the digital certificates associated with the authentication scheme. The LDAP screen lets the administrator configure an external LDAP server for use with the AP-5131. The Access Policy screen sets WLAN access by user group, with the groups defined on the User Database screen: each user is authorized according to the access policies that apply to their group, so an administrator can restrict each group to a specific set of WLANs.

For detailed information on configuring the AP-5131 for AAA Radius Server support, see Configuring User Authentication on page 6-62.

1.1.4 Hotspot Support

The AP-5131 now allows hotspot operators to provide user authentication and accounting without a special client application; an ordinary Internet browser serves as the authentication device. Rather than relying on the built-in 802.11 security features to control association, you configure a WLAN with no WEP (an open network). The AP-5131 issues the user an IP address from its DHCP server, authenticates the user and then grants the user access to the Internet. Note that on an open network the hotspot login controls access but does not encrypt the wireless traffic.

If a visitor at a public hotspot wants to browse a Web page, they start their laptop and associate with the local Wi-Fi network using a valid SSID. When they start a browser, the hotspot’s access controller redirects the unauthenticated user to a Welcome page (from the hotspot operator) where the user can log in with a username and password. To send that redirect to the login page, the AP-5131 terminates the user’s TCP connection locally. Once the login page is displayed the user enters their credentials; the AP-5131 passes them to the Radius server to establish the identity of the wireless user, and the user is granted Internet access once successfully authenticated.

For detailed information on configuring the AP-5131 for Hotspot support, see Configuring WLAN Hotspot Support on page 5-40.
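The following Python is an added example, not Symbol’s code and not a description of how the AP-5131’s own hotspot or on-board Radius server is implemented. It models the exchange described in 1.1.3 and 1.1.4 at the protocol level: the hotspot side builds an RFC 2865 Access-Request carrying the user’s name and a hidden (PAP) password, the server side reveals the password with the shared secret, checks it against a local user database and answers with an Access-Accept or Access-Reject whose Response Authenticator is keyed on the same secret, and the requester refuses any reply whose authenticator does not verify. The user name, password, user database and shared secret in the usage at the bottom are constructed test values.

```python
import hashlib
import secrets
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def _encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS type-length-value attributes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def _decode_attrs(data):
    """Parse attributes, rejecting malformed lengths instead of looping forever."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with a chained MD5 mask."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; only a holder of the shared secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret):
    """Requester side (the hotspot login handler). Returns (packet, request_auth)."""
    request_auth = secrets.token_bytes(16)  # fresh per request; reuse would reuse the mask
    body = _encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
    ])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body, request_auth


def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def handle_access_request(packet, secret, user_db):
    """Server side (the role the on-board Radius server plays): check a local user database."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(_decode_attrs(packet[20:length]))
    username = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = username in user_db and secrets.compare_digest(user_db[username], password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = b""  # a real server would add Session-Timeout, Class and similar attributes here
    return HEADER.pack(code, ident, 20 + len(body)) + response_authenticator(code, ident, request_auth, body, secret) + body


def verify_response(response, ident, request_auth, secret):
    """Requester side: accept a reply only if its Response Authenticator verifies.
    Returns the packet code, or None if the reply is malformed, misdirected or forged."""
    if len(response) < 20:
        return None
    code, resp_ident, length = HEADER.unpack(response[:4])
    if resp_ident != ident or length != len(response):
        return None
    expected = response_authenticator(code, ident, request_auth, response[20:length], secret)
    if not secrets.compare_digest(expected, response[4:20]):
        return None
    return code


if __name__ == "__main__":
    # Constructed test values: hypothetical user, password and shared secret.
    SECRET, USERS = b"shared-secret-for-test", {"alice": b"correct horse"}
    req, ra = build_access_request(7, "alice", "correct horse", SECRET)
    print("login ->", verify_response(handle_access_request(req, SECRET, USERS), 7, ra, SECRET))
```

Two properties are worth noting. Only a holder of the shared secret can recover the PAP password, so a weak secret, or one shared across every access point, exposes every hotspot login to anyone who can capture the wired segment between AP and server. And a forged Access-Accept is refused because its authenticator cannot be computed without the secret, which is why the requester must check it rather than trust the code byte alone.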

1.1.5 Routing Information Protocol (RIP)

With the release of version 1.1 of the AP-5131 firmware, Routing Information Protocol (RIP) functionality has been added to the AP-5131’s existing Router screen. RIP is an interior gateway protocol that specifies how routers exchange routing-table information. The parent Router screen also allows the administrator to select the type of RIP and the type of RIP authentication used. Note that RIPv1 carries no authentication at all; RIPv2 offers either a plain-text password or MD5 authentication, and only the MD5 option gives any protection against forged route updates from another host on the segment.

For detailed information on configuring RIP functionality as part of the AP-5131’s Router functionality, see Setting the RIP Configuration on page 5-59.

1.1.6 Manual Date and Time Settings

As an alternative to defining an NTP server to provide AP-5131 system time, the AP-5131 can now have its date and time set manually. A new Manual Date/Time Setting screen can be used to set the AP-5131 time using a Year-Month-Day HH:MM:SS format. Accurate time matters for certificate validity checks and for correlating the AP-5131’s event log with other systems, so treat the manual setting as a fallback for when no NTP server is reachable.

For detailed information on manually setting the AP-5131’s system time, see Configuring Network Time Protocol (NTP) on page 4-32.

1.2 Feature Overview

The Symbol AP-5131 has the following existing features carried forward from its initial 1.0 release:

Single or Dual Mode Radio Options

Separate LAN and WAN Ports

Multiple Mounting Options

Antenna Support for 2.4 GHz and 5.2 GHz Radios

Sixteen Configurable WLANs

Support for 4 BSSIDs per Radio

Quality of Service (QoS) Support

Industry Leading Data Security

VLAN Support

Multiple Management Accessibility Options

Updatable Firmware

Programmable SNMP v1/v2/v3 Trap Support

Power-over-Ethernet Support

MU-MU Transmission Disallow

Voice Prioritization

Support for CAM and PSP MUs

Statistical Displays

Transmit Power Control

Advanced Event Logging Capability

Configuration File Import/Export Functionality

Default Configuration Restoration

DHCP Support

Multi-Function LEDs

1.2.1 Single or Dual Mode Radio Options

One or two possible configurations are available on the AP-5131 depending on which model is purchased. If the AP-5131 is manufactured as a single radio access point, the AP-5131 enables you to configure the single radio for either 802.11a or 802.11b/g.

If the AP-5131 is manufactured as a dual-radio access point, the AP-5131 enables you to configure one radio for 802.11a, and the other 802.11b/g.

For detailed information on configuring your AP-5131, see Setting the WLAN’s Radio Configuration on page 5-45.

1.2.2 Separate LAN and WAN Ports

The AP-5131 has one LAN port and one WAN port, each with its own MAC address. On the LAN port the AP-5131 obtains its address as a DHCP client or BOOTP client, or uses a static IP address, and it can also act as a DHCP server for the LAN. The AP-5131 can only be powered by a Power-over-Ethernet device through the LAN port.

For detailed information on configuring the AP-5131 LAN port, see Configuring the LAN Interface on page 5-1.

A Wide Area Network (WAN) is a widely dispersed telecommunications network. In a corporate environment, the WAN port might connect to a larger corporate network. For a small business, the WAN port might connect to a DSL or cable modem to access the Internet. Regardless, network address information must be configured for the AP-5131’s intended mode of operation.

For detailed information on configuring the AP-5131’s WAN port, see Configuring WAN Settings on page 5-14.

The LAN and WAN port MAC addresses can be located within the LAN and WAN Stats screens.

For detailed information on locating the AP-5131 MAC addresses, see Viewing WAN Statistics on page 7-2 and Viewing LAN Statistics on page 7-6.

1.2.3 Multiple Mounting Options

The AP-5131 rests on a flat surface, attaches to a wall, mounts under a ceiling or above a ceiling (attic). Choose a mounting option based on the physical environment of the coverage area. Do not mount the AP-5131 in a location that has not been approved in an AP-5131 radio coverage site survey.

For detailed information on the mounting options available for the AP-5131, see Mounting the AP-5131 on page 2-11.

1.2.4 Antenna Support for 2.4 GHz and 5.2 GHz Radios

The AP-5131 supports several 802.11a and 802.11b/g radio antennas. Select the antenna best suited to the radio transmission requirements of your coverage area.

For an overview of the Radio 1 (2.4 GHz) and Radio 2 (5.2 GHz) antennas supported on the AP-5131’s Reverse SMA (RSMA) connectors, see Antenna Specifications on page A-4.

1.2.5 Sixteen Configurable WLANs

A Wireless Local Area Network (WLAN) is a data-communications system that flexibly extends the functionality of a wired LAN. A WLAN does not require devices to be lined up for line-of-sight transmission, which makes it desirable for wireless networking. Roaming users can be handed off from one AP-5131 to another, much like a cellular phone system. WLANs can therefore be configured around the needs of specific groups of users, even when those users are not in physical proximity. Sixteen WLANs are configurable on each AP-5131.

To enable and configure WLANs on an AP-5131 radio, see Enabling Wireless LANs (WLANs) on page 5-22.

1.2.6 Support for 4 BSSIDs per Radio

The AP-5131 supports four BSSIDs per radio. Each BSSID has a corresponding MAC address. The first MAC address corresponds to BSSID #1. The MAC addresses for the other three BSSIDs (BSSIDs #2, #3, #4) are derived by adding 1, 2, 3, respectively, to the radio MAC address.

If the radio MAC address displayed on the Radio Settings screen is 00:A0:F8:72:20:DC, then the BSSIDs for that radio will have the following MAC addresses:

BSSID      MAC Address          Hexadecimal Addition
BSSID #1   00:A0:F8:72:20:DC    Same as Radio MAC address
BSSID #2   00:A0:F8:72:20:DD    Radio MAC address +1
BSSID #3   00:A0:F8:72:20:DE    Radio MAC address +2
BSSID #4   00:A0:F8:72:20:DF    Radio MAC address +3

For detailed information on strategically mapping BSSIDs to WLANs, see Configuring the 802.11a or 802.11b/g Radio on page 5-48.
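As an added example (not Symbol’s code), the following Python derives the four BSSIDs from a radio MAC address the way the table above describes, and performs the reverse lookup a site survey or rogue access point check needs: given a BSSID seen in a scan, which of your own radios (if any) it belongs to and which BSSID number it is. It assumes the addition carries from the last octet into the previous one when the radio MAC ends in FD, FE or FF; the manual’s table does not show that case.

```python
MAC_MASK = (1 << 48) - 1  # MAC addresses are 48 bits wide


def parse_mac(text):
    """Parse 'AA:BB:CC:DD:EE:FF' (either case) into a 48-bit integer; reject anything else."""
    parts = text.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a colon-separated MAC address: {text!r}")
    return int("".join(parts), 16)


def format_mac(value):
    """Render a 48-bit integer in the upper-case colon form the manual uses."""
    return ":".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def bssids_for_radio(radio_mac, count=4):
    """The BSSIDs a radio advertises: radio MAC plus 0, 1, 2, 3.
    The addition is done on the whole 48-bit value, so a carry out of the last
    octet is assumed to roll into the previous one (not shown in the manual)."""
    base = parse_mac(radio_mac)
    return [format_mac((base + i) & MAC_MASK) for i in range(count)]


def identify_bssid(bssid, radio_macs, count=4):
    """Map a BSSID seen in a scan back to (radio MAC, BSSID number), or None.
    A None result for a BSSID advertising one of your ESSIDs is worth investigating
    as a possible rogue access point."""
    seen = parse_mac(bssid)
    for radio in radio_macs:
        offset = (seen - parse_mac(radio)) & MAC_MASK
        if offset < count:
            return radio, offset + 1
    return None


if __name__ == "__main__":
    # Radio MAC taken from the manual's table; the second radio is a constructed value.
    radios = ["00:A0:F8:72:20:DC", "00:A0:F8:72:20:FE"]
    for radio in radios:
        print(radio, "->", bssids_for_radio(radio))
    print(identify_bssid("00:a0:f8:72:20:de", radios))
```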

1.2.7 Quality of Service (QoS) Support

The AP-5131 QoS implementation provides applications running on different wireless devices a variety of priority levels to transmit data to and from the AP-5131. Equal data transmission priority is fine for data traffic from applications such as Web browsers, file transfers or email, but is inadequate for multimedia applications.

Voice over Internet Protocol (VoIP), video streaming and interactive gaming are highly sensitive to increases in latency and reductions in throughput. These forms of higher-priority traffic benefit significantly from the AP-5131 QoS implementation. The Wi-Fi Multimedia (WMM) QoS extensions used by the AP-5131 shorten the time before higher-priority traffic is transmitted, which is what multimedia applications need. U-APSD (WMM Power Save) is also supported.

WMM defines four access categories—voice, video, best effort and background—to prioritize traffic for providing enhanced multimedia support.

For detailed information on configuring QoS support for the AP-5131, see Setting the WLAN Quality of Service (QoS) Policy on page 5-34.

1.2.8 Industry Leading Data Security

The AP-5131 supports numerous encryption and authentication techniques to protect data transmitted on the WLAN.

The following authentication techniques are supported on the AP-5131:

Kerberos Authentication

EAP Authentication

The following encryption techniques are supported on the AP-5131:

WEP Encryption

KeyGuard Encryption

Wi-Fi Protected Access (WPA) Using TKIP Encryption

WPA2-CCMP (802.11i) Encryption

In addition, the AP-5131 supports the following additional security features:

Firewall Security

VPN Tunnels

Content Filtering

For an overview on the encryption and authentication schemes available on the AP-5131, refer to Configuring Access Point Security on page 6-1.

1.2.8.1 Kerberos Authentication

Authentication is a means of verifying information transmitted from a trusted source. If information is authentic, you know who created it and that it has not been altered since it was created. Authentication requires a software “supplicant” on the user’s computer or wireless device.

Authentication is critical for the security of any wireless LAN device. Traditional authentication methods are not suitable for wireless networks, where an unauthorized user can monitor network traffic and intercept passwords; strong authentication methods that do not disclose passwords are necessary. Symbol uses the Kerberos authentication service protocol (specified in RFC 1510) to authenticate users/clients in a wireless network environment and to securely distribute the encryption keys used for encrypting and decrypting.

A basic understanding of the Kerberos Network Authentication Service (V5), as specified in RFC 1510 (since superseded by RFC 4120), is helpful in understanding how Kerberos functions. By default, WLAN devices operate in an open system network where any wireless device can associate with an AP without authorization. Kerberos requires device authentication before access to the wired network is permitted.

For detailed information on Kerberos configurations, see Configuring Kerberos Authentication on page 6-9.

1.2.8.2 EAP Authentication

The Extensible Authentication Protocol (EAP) feature gives access points and their associated MUs an additional measure of security for data transmitted over the wireless network. Using EAP, authentication between devices is achieved through the exchange and verification of credentials such as digital certificates; the exact credential depends on the EAP method in use.

EAP is a mutual authentication method: the MU must prove its identity to the authentication server, and the server must prove its identity to the MU. As with Kerberos, the MU’s authentication fails if the server cannot provide proof of its own identity.

Using EAP, a user requests connection to a WLAN through the AP-5131. The AP-5131 requests the identity of the user and forwards it to an authentication server. The server then challenges the user for proof of identity; the AP-5131 relays the challenge to the MU and the MU’s response back to the server, which completes the authentication. The AP-5131 itself only passes the EAP exchange through and does not see the user’s credentials in the clear.

An MU is not able to access the network if not authenticated. When configured for EAP support, the access point displays the MU as an EAP station.

EAP is only supported on mobile devices running Windows XP, Windows 2000 (using Service Pack #4) and Windows Mobile 2003. Refer to the system administrator for information on configuring a Radius Server for EAP (802.1x) support.

For detailed information on EAP configurations, see Configuring 802.1x EAP Authentication on page 6-11.

1.2.8.3 WEP Encryption

All WLAN devices face possible information theft. Theft occurs when an unauthorized user eavesdrops to obtain information illegally. The absence of a physical connection makes wireless links particularly vulnerable to this form of theft. Most forms of WLAN security rely on encryption to various extents. Encryption entails scrambling and coding information, typically with mathematical formulas called algorithms, before the information is transmitted. An algorithm is a set of instructions or formula for scrambling the data. A key is the specific code used by the algorithm to encrypt or decrypt the data. Decryption is the decoding and unscrambling of received encrypted data.

The same device, host computer or front-end processor, usually performs both encryption and decryption. The data transmit or receive direction determines whether the encryption or decryption function is performed. The device takes plain text, encrypts or scrambles the text typically by mathematically combining the key with the plain text as instructed by the algorithm, then transmits the data over the network. At the receiving end, another device takes the encrypted text and decrypts, or unscrambles, the text revealing the original message. An unauthorized user can know the algorithm, but cannot interpret the encrypted data without the appropriate key. Only the sender and receiver of the transmitted data know the key.

Wired Equivalent Privacy (WEP) is an encryption protocol specified in the original IEEE 802.11 standard and supported by the AP-5131. WEP was designed to give a WLAN a level of security and privacy comparable to that of a wired LAN, but the design has well-known weaknesses and practical key-recovery attacks against it have existed since 2001, so WEP should only be used for legacy clients that support nothing stronger; prefer WPA2-CCMP wherever the clients allow it. The level of protection WEP provides is determined by the key length and the algorithm. An encryption key is a string of case-sensitive characters used to encrypt and decrypt data packets transmitted between a mobile unit (MU) and the AP-5131. An AP-5131 and its associated wireless clients must use the same key in the same key slot (1 through 4) to interoperate.

For detailed information on WEP configurations, see Configuring WEP Encryption on page 6-16.

1.2.8.4 KeyGuard Encryption

Use KeyGuard to shield the master encryption keys from being recovered by an attacker. KeyGuard negotiation takes place between the access point and the MU upon association. KeyGuard is only supported on Symbol MUs, making it a Symbol proprietary security mechanism.

For detailed information on KeyGuard configurations, see Configuring KeyGuard Encryption on page 6-18.

1.2.8.5 Wi-Fi Protected Access (WPA) Using TKIP Encryption

Wi-Fi Protected Access (WPA) is a security standard for systems operating with a Wi-Fi wireless connection. WEP’s lack of user authentication mechanisms is addressed by WPA. Compared to WEP, WPA provides superior data encryption and user authentication.

WPA addresses the weaknesses of WEP by including:

a per-packet key mixing function

a message integrity check

an extended initialization vector with sequencing rules

a re-keying mechanism

WPA uses an encryption method called Temporal Key Integrity Protocol (TKIP) and employs 802.1X and the Extensible Authentication Protocol (EAP) for authentication. TKIP was designed as an interim replacement for WEP that could run on WEP-era hardware; where the clients support it, WPA2-CCMP (described below) should be preferred.

For detailed information on WPA using TKIP configurations, see Configuring WPA Using TKIP on page 6-20.

1.2.8.6 WPA2-CCMP (802.11i) Encryption

WPA2 implements the newer IEEE 802.11i standard and provides stronger wireless security than both Wi-Fi Protected Access (WPA) and WEP. Counter-mode/CBC-MAC Protocol (CCMP) is an encryption protocol built on the Advanced Encryption Standard (AES); it serves the same function for WPA2 that TKIP serves for WPA.

CCMP computes a Message Integrity Check (MIC) using the well-established Cipher Block Chaining Message Authentication Code (CBC-MAC) technique. Changing just one bit of a message produces a completely different MIC.

WPA2-CCMP is based on the concept of a Robust Security Network (RSN), which defines a hierarchy of keys with a limited lifetime (similar to TKIP). Like TKIP, the keys the administrator provides are used to derive other keys. Messages are encrypted with a 128-bit key operating on 128-bit blocks of data. The result is an encryption scheme as secure as any the AP-5131 provides.

For detailed information on WPA2-CCMP configurations, see Configuring WPA2-CCMP (802.11i) on page 6-22.

1.2.8.7 Firewall Security

The AP-5131 firewall keeps unwanted Internet traffic from entering the AP-5131 managed network. The AP-5131 also performs network address translation (NAT) on packets passing to and from the WAN port, so internal addresses are not exposed on the WAN side. Together the two control what reaches the managed network from the wired WAN; note that NAT by itself only hides addresses, and it is the firewall rules that decide which traffic is admitted.

For detailed information on configuring the AP-5131 firewall, see Configuring Firewall Settings on page 6-25.

1.2.8.8 VPN Tunnels

Virtual Private Networks (VPNs) are IP-based networks using encryption and tunneling providing users remote access to a secure LAN. In essence, the trust relationship is extended from one LAN across the public network to another LAN, without sacrificing security. A VPN behaves like a private network; however, because the data travels through the public network, it needs several layers of security. The AP-5131 can function as a robust VPN gateway.

For detailed information on configuring VPN security support, see Configuring VPN Tunnels on page 6-34.

1.2.8.9 Content Filtering

Content filtering allows system administrators to block specific commands and URL extensions from going out through the AP-5131 WAN port only. It therefore gives administrators selective control over the content leaving the network and is a useful screening tool. Content filtering allows the blocking of up to 10 file or URL extensions and of specific outbound HTTP, SMTP and FTP requests.

For detailed information on configuring content filtering support, see Configuring Content Filtering Settings on page 6-50.

1.2.9 VLAN Support

A Virtual Local Area Network (VLAN) is a means to electronically separate data on the same AP-5131 from a single broadcast domain into separate broadcast domains. By using a VLAN, you can group by logical function instead of physical location. There are 16 VLANs supported on the AP-5131. An administrator can map up to 16 WLANs to 16 VLANs and enable or disable dynamic VLAN assignment. In addition to these 16 VLANs, the AP-5131 supports dynamic, user-based VLANs when using EAP authentication.

VLANs enable organizations to share network resources in various network segments within large areas (airports, shopping malls, etc.). A VLAN is a group of clients with a common set of requirements independent of their physical location. VLANs have the same attributes as physical LANs, but they enable administrators to group clients even when they are not members of the same network segment.

For detailed information on configuring VLAN support, see Configuring VLAN Support on page 5-4.

1.2.10 Multiple Management Accessibility Options

The AP-5131 can be accessed and configured using one of the following methods:

Java-Based Web UI

Human readable config file (imported via FTP or TFTP)

MIB (Management Information Base)

Command Line Interface (CLI) accessed via RS-232 or Telnet. Use the AP-5131 DB-9 serial port for direct access to the command-line interface from a PC. Use Symbol's Null-Modem cable (Part No. 25-632878-0) for the best fitting connection. Note that Telnet, FTP and TFTP carry credentials and configuration data in cleartext; restrict them to a trusted management subnet (the per-subnet access settings described in 1.1.2 allow this) and prefer SSH for remote CLI access.

1.2.11 Updatable Firmware

Symbol periodically releases updated versions of the AP-5131 device firmware to the Symbol Web site. If the AP-5131 firmware version displayed on the System Settings page (see Configuring System Settings on page 4-2) is older than the version on the Web site, Symbol recommends updating the AP-5131 to the latest firmware version for full feature functionality.

For detailed information on updating the AP-5131 firmware using FTP or TFTP, see Updating Device Firmware on page 4-41.

1.2.12 Programmable SNMP v1/v2/v3 Trap Support

Simple Network Management Protocol (SNMP) facilitates the exchange of management information between network devices. SNMP uses Management Information Bases (MIBs) to manage the device configuration and monitor Internet devices in remote locations. MIB information accessed via SNMP is defined by a set of managed objects called object identifiers (OIDs). An object identifier (OID) is used to uniquely identify each object variable of a MIB. SNMP v1 and v2 authenticate only with a community string sent in cleartext; SNMP v3 adds per-user authentication and encryption and should be used wherever the management station supports it.
