User Guide Wireless LAN Access Points 8250/8500/8750 3CRWE825075A 3CRWE850075A 3CRWE875075A (Models WL-450, WL-462, WL-463) Version 2 http://www.3com.com/ http://www.3com.com/support/en_US/productreg/frontpg.html/ Published September, 2003 Version 2.3.
3Com Corporation 350 Campus Drive Marlborough, MA 01752-3064 Copyright © 2003 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
Contents 1 Introduction Product Features 6 Security 7 Performance and Reliability 7 Manageability 7 Wireless Network Standards 8 Far-Reaching 802.11g 8 High-Performance 802.
3 System Configuration Using the 3Com Wireless Device Manager 25 Launching a Wireless Device Configuration 25 Using the Pre-IP Configuration Wizard 27 Configuration Login 27 Setting the Country Code 27 Basic Setup 28 Advanced Setup 29 Identification 29 TCP/IP Settings 29 DHCP Client 29 Secure Web Server Connection 30 RADIUS 30 Authentication 31 Filter Control 33 Filtering by VLAN 34 Security Filters 34 Client List Timeout 35 Uplink Port MAC Address Filtering 35 Filtering by Ethernet Protocol Type 35 SNMP 3
4 Troubleshooting A Technical Support Obtaining Support for your Product 52 Register Your Product to Gain Service Benefits Purchase Value-Added Services 52 Where To Go For Help 52 Troubleshoot Online 52 Access Software Downloads 53 Contact Us 53 Telephone Technical Support and Repair 53 Regulatory Compliance Information Index 52
1 INTRODUCTION The 3Com® Wireless LAN Access Points 8250, 8500, and 8750 offer a dual-mode architecture that supports 802.11g, 802.11a and 802.11b wireless users on a single device. This means you can mix and match radio bands to meet different coverage and bandwidth needs within the same area.
n Access Point 8750—Creates a high-performance enterprise-class dual-mode 802.11g and 802.11a wireless LAN supporting up to 250 simultaneous users up to 100 meters (328 feet). SECURITY 3Com offers one of the most robust suite of standards-based security on the market today. To protect sensitive data broadcast over the wireless LAN, 3Com supports Wireless Equivalent Privacy (WEP) RC4 40/ 64-bit, 128-bit and 152-bit shared-key encryption.
need to consider AC power outlet locations. PoE support makes it easier than ever to overcome installation problems with difficult-to-wire or hard-to-reach locations. WIRELESS NETWORK STANDARDS Understanding the characteristics of the 802.11g and 802.11a standards can help you make the best choice for your wireless implementation plans. FAR-REACHING 802.11G 802.11g operates in the 2.4 GHz band at up to 54Mbps. Ratified in 2003, it supports the widest coverage—up to 100 meters (328 feet).
n Supporting a dense user base confined to a small coverage area. Because 802.11a has a greater number of non-overlapping channels, you can pack more access points in a tighter space. NETWORK CONFIGURATION AND PLANNING The wireless solution supports a stand-alone wireless network configuration as well as an integrated configuration with 10/100 Mbps Ethernet LANs.
The infrastructure configuration not only extends the accessibility of wireless PCs to the wired LAN, but also increases the effective wireless transmission range for wireless PCs by passing their signal through one or more access points. A wireless infrastructure can be used for access to a central database, or for connection between mobile workers, as shown in the following figure.
File Server Desktop PC Switch Notebook with Wireless PC Card Adapter Switch Access Point Notebook with Wireless PC Card Adapter Access Point Seamless Roaming PC with Wireless PCI Adapter TERMINOLOGY Access Point—An internetworking device that seamlessly connects wired and wireless networks. Ad Hoc—An ad hoc wireless LAN is a group of computers, each with LAN adapters, connected as an independent wireless LAN. Backbone—The core infrastructure of a network.
ESS—Extended Service Set. More than one BSS is configured to become an ESS. LAN mobile users can roam between different BSSs in an ESS (ESS-ID, SSID). Ethernet—A popular local area data communications network, which accepts transmission from computers and terminals. Infrastructure—An integrated wireless and wired LAN is called an infrastructure configuration. RADIUS—Remote Access Dial-In User Server is an authentication method used in conjunction with EAP for 802.1x authentication and session based keys.
2 INSTALLING THE ACCESS POINT This equipment must be installed in compliance with local and national building codes, regulatory restrictions, and FCC rules. For the safety of people and equipment, this product must be installed by a professional technician/installer. CAUTION: Before installing, see the important warnings and cautions in “Safety Information” on page 14.
dedicated workstation for managing and configuring the access point and the wireless network. POWER REQUIREMENTS The access point complies with the IEEE 802.3af power-over-Ethernet standard. It receives power over standard category 5 straight (8-wire) Ethernet cable. Installation requires the use of either the 3Com power supply provided or IEEE 802.3af compliant power supply equipment (output power rated 48 V dc @ 350 mA maximum).
CAUTION: It is the responsibility of the installer to ensure that the Power-over-Ethernet (POE) power supply is properly connected. Connection to any other device, such as a standard Ethernet card or another POE supply, may result in permanent damage to equipment, electric shock, or fire.
Regulatory restrictions dictate that when this device is operational, the minimal body-to-antenna distance is 1 Meter (3 Feet). BEFORE YOU BEGIN Record the access point MAC address in a safe place before the access point is installed in a hard-to-reach location. The MAC address is printed on the back of the access point housing. The following illustration shows the front and rear views of the access point, including the LEDs and connecting ports.
1 Carefully unpack the standard detachable antennas. CAUTION: Do not handle the antenna tips, especially after they are connected to the access point, as this could lead to electrostatic discharge (ESD), which could damage the equipment. 2 Screw an antenna into each of the sockets in the access point housing. 3 Hand-tighten the antennas at the very base of the SMA connectors without handling the antenna tips.
n Connect the access point directly to your own power-over-Ethernet hub or switch, which must also comply with the IEEE 802.3af standard. If you supply your own Ethernet cable for connecting power, be sure that it is standard category 5 straight-through (8-wire) cable that has not been altered in any way. Use of nonstandard cable could damage the access point.
4 To link the access point to your Ethernet network, plug one end of another Ethernet cable into the port labeled To Hub/Switch on the power supply, and plug the other end into a LAN port (on a hub or in a wall). USING A POWER-OVER-ETHERNET LAN PORT If your LAN equipment complies with the IEEE 802.3af power-over-Ethernet standard, you can connect the access point directly to a LAN port.
1 Install the mounting plate as shown in the following illustration, on either a stud (or other hard wall surface), or onto drywall. If installing into drywall, use 3 plastic anchors and 3 screws. If installing into a stud or other secure vertical surface, use 2 screws. Allow for a clearance of at least 25 cm (10 Inches) between the ceiling and the top of the mounting plate. n Make sure that “UP” is correctly oriented, and align the mounting plate screw holes vertically.
3 Position the access point at an angle to the mounting plate bayonet connection and turn the unit clockwise until it snaps into place, as shown below. Leave at least 13 cm (5 in.) length. Ethernet cable may be routed through center opening or through the side. Hold the access point at an angle. Turn clockwise to engage and secure it on the mounting plate.
SELECTING AND CONNECTING A DIFFERENT ANTENNA MODEL The standard detachable antennas supplied with the Access Point 8250 and Access Point 8750 are suitable for a broad variety of environments. If you require a different type of antenna for the Access Point 8250 or Access Point 8750, several options are available by model number from the 3Com Web site (www.3Com.com). (Access Point 8500 does not support interchangeable antennas.
ensure a strong signal. Ensure that access is available for routing the antenna cable from the antenna to the access point. 2 If they are installed, remove both arms of the standard detachable antenna, making sure not to handle the tips of the antenna. 3 Connect one end of the optional antenna cable to the antenna and secure the antenna in place. 4 Connect the free end of the antenna cable to the right-hand side connection on the access point, as shown in the illustration above.
20ft (3CWE481) 100% 100% 100% 25% 12.5% 50 ft (3CWE482) 100% 100% 100% 100% 25% INSTALLING SOFTWARE UTILITIES The installation CD includes documentation and software utilities to help you set up and administer the wireless components of your network. To view product documentation, select View the Documentation from the CD Startup Menu and then select the item you wish to view. The software Tools and Utilities include: n 3Com Wireless Infrastructure Device Manager.
3 SYSTEM CONFIGURATION The access point can be configured using a Web browser that has Java support (Internet Explorer 5.0 or newer). Using the Web management interface, you can configure the access point and view statistics to monitor network activity. The 3Com Wireless Infrastructure Device Manager helps you locate 3Com wireless LAN devices on the network, select a device and view its properties, and launch the device’s configuration in your Web browser.
exclamation points (!). You can refresh this display by clicking Refresh. You should refresh the display, for example, after you change a device IP address. 2 In the Wireless Network Tree, select the device you want to configure. If more than one wireless LAN device appears in the tree and you are not sure that you have selected the right one, click Properties and check the MAC address to verify that it is the one you want. 3 Click Configure.
USING THE PRE-IP CONFIGURATION WIZARD You can only configure devices that are on the same subnet as your computer. To configure a device on a different subnet, you must first assign it an IP address on the same subnet as your computer. After you launch the configuration, you can change settings as usual. Just before you finish, you must change the device IP address back to its original setting.
BASIC SETUP For a basic configuration, use the Setup Wizard as described below. At any time, you can click Home to return to the Home page of the configuration interface. If you want to configure more advanced features, click Advanced Setup in the Home page. 1 In the Home page, click Setup Wizard. 2 In the “1-2-3” Setup Wizard page, click Next to start basic configuration. 3 In the SSID page, enter the same Service Set ID as the other wireless devices in your network and click Next.
ADVANCED SETUP The Advanced Setup pages allow you to configure features that are not available in the basic setup. On the Home page, click Advanced Setup to open the Advanced Setup menu. After making selections and entering data on each page, click Apply to save the changes. The following sections describe the Advanced Setup pages. IDENTIFICATION On the Identification page, you can identify the access point by providing a descriptive name. This name then appears in the device manager window.
address of one or more domain name servers. Enter those addresses in Primary DNS Address and Secondary DNS Address fields. SECURE WEB SERVER CONNECTION This option controls whether Secure Socket Layer (SSL) technology is used to encrypt information between the computer and the device during a configuration session. By default this option is Off. When this option is turned on, the HTTPS protocol is used, and data is protected during the configuration session.
In the RADIUS Authentication section, enter the required parameters for a primary and secondary RADIUS authentication server. In the RADIUS Accounting section, click the Enable radio button, then enter required parameters for a primary and secondary RADIUS accounting server. When you are finished configuring items on this page, click Apply. The parameters are described below. n IP Address—The address of the server. n Port—The network (UDP) port of the server used for messages.
Configure the options as described below. When you are finished, click Apply. n MAC Authentication— Selecting MAC authentication allows you to define access permission and precedence. Options are: Local MAC— With this option, the MAC address of the associating station is compared against the local access control list. You must build this list (called the MAC Authentication Table) as described in Local MAC Authentication below.
Field Default Description Session Key Refresh Rate 0 (minutes) Defines how long the RADIUS server will dynamically re-assign a session key to a connected client station. 802.1x Reauthentication Refresh Rate 0 (seconds) Defines the time interval in which the Access Point forces a Reauthentication and subsequently re-issues a new session key. Local MAC Authentication—Client computers can be filtered using the unique MAC addresses of their network cards.
FILTERING BY VLAN The access point supports filtering of up to 64 VLANs (virtual local area networks). VLAN IDs must be configured for each client on one of the RADIUS authentication servers specified on the RADIUS configuration page. If a RADIUS server is not being used or not setup to update the VLAN ID, then the access point will tag all ethernet packets with the Native VLAN ID (defaulted to 1).
CLIENT LIST TIMEOUT This option sets the timeout for inactive clients to be disassociated and removed from the associated client list. The interval can be set to 1, 5, 10, 30 or 60 minutes (default is 30 minutes). UPLINK PORT MAC ADDRESS FILTERING This feature allows associated wireless clients to communicate only with specific selected MAC addresses on a sub net.
Although there are five types of IPX packets, the Filter Control page shows only two options for IPX filtering. The following table shows how to filter each IPX packet type: ISO Designator Filter 8138 Enable 8138 8137 Enable 8137 802.3(Raw) Enable 8138 802.2 Enable 8138 SNAP Enable 8137 SNMP Use the SNMP page to display and enter a community string for the Simple Network Management Protocol.
n n n n recommended that you change the password from the default value (no password) to ensure network security. Firmware Upgrade—You can upgrade firmware from a downloaded file that you have placed on the local computer, or from a remote FTP or TFTP server. n Local—Click Browse to locate the downloaded firmware file. Click Start Upgrade to start the upgrade process. The upgrade takes place through the HTTP protocol from the local machine. n Remote—Select FTP or TFTP.
SYSTEM LOG The System Log page allows you to set up a server to store event logs and to specify how the access point obtains the date and time. When you are finished configuring items on this page, click Apply. Each logging message is tagged with a severity level, as defined in RFC3164.
n n Stations Status—Click Stations Status to view the configurations of connected stations. The Station Status page displays basic connection information for all associated stations. Select “refresh” on you browser to see update station status. Event Logs—Click Event Logs to display the activity log of the access point. The event log resets to zero if the access point is reset. The log saves 128 events, then overwrites the first event and continues.
n n n n n n n Auto Channel Select (802.11g and 802.11a only)—Select Auto Channel Select Enable to allow the access point to select a radio channel automatically. (Default: Enable) Transmit Power (802.11g and 802.11a only)—Set the signal strength transmitted from the access point. The longer the transmission distance, the higher the transmission power required.
n n synchronize to the incoming data stream. Enabling the Short preamble can boost your throughput; however, this can cause interoperability issues. (Default: Long) Client Access Mode (802.11g only)—802.11g radios can support both 802.11b and 802.11g clients. This option determines which mode the radio will operate in and consequently which clients will be able to connect to the radio interface. The default is to provide information for both 802.11g and 802.11b clients.
There must be at least one entry in the User Access List, which determines the users that can associate with the access point. Click Edit User Access List. In the User Access List page, user names are listed. Scroll to the bottom of the list to perform the following actions: To add a new user, click Add Users. In the next page, type the user name and password in the spaces provided and click Apply. To delete users, click Delete Users.
WEP—Provides standard WEP ciphering (Least Secure) 3 Select the type of WPA Key Management: WPA authentication over 802.1x (More secure, but requires a RADIUS authentication server setup. See WPA note below) WPA Pre-shared Key (PSK) (see WPA note below) 4 Select the Key Type: Hexadecimal (0~9, A~F; for example, D7 0A 9C 7F E5) Alphanumeric (0~9, A~F; for example 01234) 5 Enter the pre-shared key in the space provided if necessary.
The key selected as the transmit key index is used by the access point for all transmissions. Other keys defined can be used by the access point for decrypting station communications. When enabling 802.1x security with dynamic session keys, key index 4 is reserved for the 802.1x client session key. Therefore, when 802.1x clients are in the network, the access point should not be configured to use key index 4 as the transmit key index. To configure WEP encryption: 1 Under Encryption, select Enable.
5 Enter all the settings of your Primary RADIUS Authentication Server (make sure the IP Address and Key match those on the RADIUS Authentication software). 6 Click on Apply 7 Choose Authentication from the left frame page Menu 8 Make sure the following settings are set on the Authentication page: 9 a MAC Authentication is Disabled. (if Local or RADIUS MAC Authentication is chosen MAC address filtering or authentication, respectively, will be done before the 802.1x authentication.
8 Make sure the following settings are set on the Authentication page: 9 a MAC Authentication is Disabled. (if Local or RADIUS MAC Authentication is chosen MAC address filtering or authentication, respectively, will be done before the 802.1x authentication. Therefore, these setups must be validated individually and verified functional before 802.1x can be done). b 802.1x Setup: is set to Optional (if non-RADIUS clients need access too) or Required (if only RADIUS clients are to be allowed).
6 c Click on Apply. Click Security on the 802.11a/b/g radio from the left frame page Menu. 7 Make sure the following settings are set from the Security page: a b c d 8 Authentication is set to Open System. Encryption is Enabled. WPA Configuration is Checked to “Allow only WPA Clients”. Cipher Mode is set to AES/TKIP/WEP (WEP Cipher Mode is intended ONLY for support of legacy clients. If only WPA clients are on the network, choose AES or TKIP for increased security).
Windows XP Wireless Zero Configuration Authentication Shared WPA WPA-PSK Access Points 8200/8250/8500/8700/8750 Encryption Authentication Disabled Not available WEP Shared Key AES Not available on 8200 TKIP Encryption Other Enable Enter static keys under WEP Configuration Open System Enable WPA Configuration: Required Multicast Cipher Mode: TKIP WPA Key Management: WPA 802.1x WEP Open System Enable WPA Configuration: Required Multicast Cipher Mode: WEP WPA Key Management: WPA 802.
4 TROUBLESHOOTING If you have difficulty with the 3Com Wireless LAN access point, first check the following items in the configuration: n Radio Settings page: Ensure that the SSID is the same on clients and the access point. n Security page: Ensure that Encryption is the same on clients and the access point. n Authentication page: Ensure that the Local MAC Authentication System Default is set to Allow. Ensure that 802.1x Authentication Settings are correct.
Symptom Solutions No operation. Verify the access point configuration. Review access point firmware revisions and update firmware if necessary. Make sure that there are no duplicate IP addresses on the network. Unplug the access point and ping the assigned address to make sure that no other device responds to that address. Access point powers up, but Confirm that the service area on the access point matches that does not associate with wireless on the clients. clients.
Symptom Solutions While you are configuring the access point, the Configuration Management System stops responding. To maintain wireless association, the service area and the security settings on the client and the access point must match exactly. Therefore, if you are associated with the access point that you are configuring and you change the access point service area or security, make sure to change the client service area to match.
A TECHNICAL SUPPORT OBTAINING SUPPORT FOR YOUR PRODUCT REGISTER YOUR PRODUCT TO GAIN SERVICE BENEFITS To take advantage of warranty and other service benefits, you must first register your product at http://eSupport.3com.com/. 3Com eSupport services are based on accounts that you create or have authorization to access. First time users must apply for a user name and password that provides access to a number of eSupport features including Product Registration, Repair Services, and Service Request.
Connection Assistant helps you install, configure and troubleshoot 3Com desktop and server NICs, wireless cards and Bluetooth devices. This diagnostic software is located at http://www.3com.com/prodforms/software/connection_assistant/ca_thankyou.html ACCESS SOFTWARE DOWNLOADS Software Updates are the bug fix / maintenance releases for the version of software initially purchased with the product.
Country Asia, Pacific Rim Australia Hong Kong India Indonesia Japan Malaysia New Zealand Pakistan Telephone Number Country Telephone Number Telephone Technical Support and Repair 1 800 678 515 800 933 486 +61 2 9424 5179 or 000800 650 1111 001 803 61009 00531 616 439 or 03 5977 7991 1800 801 777 0800 446 398 +61 2 9937 5083 Philippines P.R. of China Singapore S.
Latin America: Telephone Technical Support and Repair. You can obtain support in this region using the following URLs: Latin America. Spanish speakers, enter the URL: http://lat.3com.com/lat/support/form.html Portuguese speakers, enter the URL: http://lat.3com.com/br/support/form.html English speakers in Latin America should send e-mail to: lat_support_anc@3com.
REGULATORY COMPLIANCE INFORMATION 3Com Wireless LAN Access Points 8250/8500/8750 (Models WL-450, WL462, WL-463) FCC Radio-Frequency Exposure Notice This device generates and radiates radio-frequency energy. In order to comply with FCC radio-frequency radiation exposure guidelines for an uncontrolled environment, this equipment has to be installed and operated while maintaining a minimum body to antenna distance of 1 meter. This product does not contain any user serviceable components.
Industry Canada Notice (Applicable to Use Within Canada) This device complies with Canadian RSS-210. To prevent radio interference to the licensed service, this device is intended to be operated indoors and away from windows to provide maximum shielding. Equipment (or its transmit antenna) that is installed outdoors is subject to licensing.
Countries: Allowable Frequencies of Operation: Greece. No 5 GHz operation allowed at this time. European Community—CE Notice (WL-463, 802.11g Radio Module) Marking by the symbol: indicates compliance with the essential requirements of Directive 73/23/EC and the essential requirements of articles 3.1(b), 3.2 and 3.3 of Directive 1999/5/EC.
Consult user documentation for information on how to configure this product. Safety Compliance Notice This device has been tested and certified according to the following safety standards and is intended for use only in Information Technology Equipment which has been tested and certified to these or other equivalent standards: n UL Standard 60950, 3rd Edition / CSA C22.2 No. 60950-00 n IEC 60950 n EN 60950 Published September, 2003 User Guide Version 2.3.
INDEX Numbers 3Com 3CDaemon Server Tool 24 3Com Network Supervisor 24 3Com Passphrase encryption 44 3Com Wireless Infrastructure Device Manager 24, 25 802.11a, turbo mode 39 802.1x reauthentication refresh rate 33 802.
E encryption 3Com Passphrase 44 configuring 42 shared key 44 WEP 42, 43 WPA 42 Ethernet cable 13 Ethernet type filter 35 event logs 39 MAC address 33 location configuration parameter 36 for installation 15 log 38 login 27 M filter control 33 firmware upgrade 37 flat surface installation 21 fragment length 40 MAC address locating 33 recording 16 use in locating devices 25, 26 MAC authentication 32 maximum station data rate 40 mounting on a wall 19 plate 20 G N F gateway, default 29 glossary of wirele
RADIUS Authentication Setup Steps 44 RADIUS MAC authentication 32 reauthentication refresh rate 33 recording MAC address 16 Refresh button 26 resetting a bridge 30 resetting the access point 37 restore configuration 37 RF preamble 40 roaming 10 RTS threshold 40 S safety information 14 secure web server connection 30 session key refresh rate 33 setting the time and date 38 settings TCP/IP 29 settings, radio 39 Setup Wizard 28 setup, 802.
