BlueSecure™ Controller Setup and Administration Guide
Software Release Version: 6.5
Document Version: 6.5
Bluesocket, Inc., 10 North Avenue, Burlington, MA 01803 USA, +1 781-328-0888, http://www.bluesocket.
Copyright Notice
Copyright © 2001-2009 Bluesocket, Inc. All rights reserved. No part of this document may be reproduced in any form or by any means, electronic or manual, including photocopying, without the written permission of Bluesocket, Inc. The products described in this document may be protected by one or more U.S. patents, foreign patents, or pending patents.
Contents
Figures ..... x
Tables ..... xiv
About This Guide
Audience ..... xv
Document Organization ..... xv
Notational Conventions .....
BSC-2100 Displays, Controls, and Connectors ..... 2-5
BSC-1200 Displays, Controls, and Connectors ..... 2-6
BSC-600 Controls and Connectors ..... 2-8
Preparing Your Network ..... 2-9
Environmental, Rack, Space, and Power Requirements ..... 2-10
Mounting the BlueSecure Controller Chassis .....
Recovery State ..... 4-26
Configuring the Primary BSC ..... 4-26
Completing the Failover Setup ..... 4-28
Configuring Static Routes ..... 4-28
Configuring Multicast Routing ..... 4-30
Configuring AppleTalk Routing .....
Creating a Schedule ..... 8-17
Creating Schedule Groups ..... 8-19
Creating Locations and Location Groups ..... 8-19
Creating a User Location ..... 8-20
Creating User Location Groups .....
RF Intrusion Detection/RF Containment ..... 12-3
Deploying BSAPs on the Same Layer-2 Subnet as the BSC ..... 12-3
Deploying BSAPs with Layer-3 Connectivity to the BSC ..... 12-4
How a BSAP Discovers BSCs ..... 12-5
How a BSAP Selects a Home BSC ..... 12-6
Uploading BSAP Firmware Files .....
Verifying Your Load Sharing Configuration ..... 14-23
Chapter 15 Status Monitoring
Active User Connections ..... 15-2
Displaying Active User Status ..... 15-2
Forcing a User Logout ..... 15-3
Monitoring a User's IDS Status ..... 15-3
Monitoring Connected Access Points .....
LANs vs. VLANs ..... A-2
Tagging Formats ..... A-2
The Bluesocket BSC VLAN Implementation ..... A-2
Pass-Through VLANs ..... A-3
Termination VLANs ..... A-3
Initiation/Switched VLANs .....
Figures ..... x
[List of Figures: entries Figure 1-1 through Figure 15-12; captions and page numbers not recovered in this extract]
Tables ..... xiv
Table 1-1: Bluesocket BSC Model Specifications ..... 1-9
Table 2-1: BSC-1200 Status LEDs ..... 2-7
Table 2-2: BSC-600 Status LEDs ..... 2-8
Table 3-1: Administrator Console Command Buttons and Icons .....
Table 3-2:
Table 3-3:
Table 3-4:
Table 7-1:
Table 11-1:
Table 13-1:
Table 15-1:
About This Guide

The BlueSecure™ Controller Setup and Administration Guide provides complete instructions for installing, powering up, configuring, and managing the BlueSecure Controller.

authentication, NTLM authentication, transparent NTLM authentication, transparent 802.1x authentication, the BSC internal 802.1x authentication server, Kerberos authentication, cosign authentication, pubcookie authentication, CAS authentication, transparent certificate authentication, and testing an external authentication server.
• Chapter 7, "RADIUS Accounting", discusses how to set up RADIUS accounting, which is used to record network activity and statistics, including tracking user logins.
• Appendix C, "Endpoint Scanning," provides procedures for configuring endpoint scanning on the BSC using the fully integrated Check Point Integrity Clientless Security product.
• Appendix D, "Serial Port Access to Essential Functions," describes how to use the serial port to access essential functions if you misplace a password or experience an ISP service outage.
• Appendix E, "Contacting Bluesocket, Inc.," describes how to contact Bluesocket for additional product information or support.

A Glossary is included in this document that defines many terms and acronyms associated with the BlueSecure Controller, the BlueSecure Access Point, and wireless networks.
1 An Overview of the BlueSecure Controller

This chapter introduces you to the BlueSecure family of Controllers and Access Points:
• An Introduction to the BlueSecure WLAN Solution
• The BlueSecure WLAN Solution End-user Experience
• BlueSecure Controller Models
• Typical BlueSecure WLAN Solution Network Configurations

An Introduction to the BlueSecure WLAN Solution

The BlueSecure Controller (BSC) product family (BSC-600, BSC-1200, BSC-2100, and BSC-2200/3200/5200) provides a single scalable solution to the security, Quality of Service (QoS), and WLAN management issues facing institutions, enterprises, and service providers who deploy 802.11-based wireless networks.

Thus, unregistered users can be directed to a secured site to be granted free access or to sign up for "pay-for-use" services online. The BlueSecure Controller provides a hotspot account generation feature that enables you to link an existing online billing/payment transaction account to the BSC so as to allow your wireless end users to purchase and set up their own wireless network access accounts using a credit card.

BSAPs are simple to configure ("zero touch") and require only minimal provisioning to make them fully operational on a WLAN secured and managed by a BlueSecure Controller. BSAPs can be directly attached to any existing Layer-2 or Layer-3 Ethernet switch and communicate with the BSC across any subnet boundary. Once the BSAP has discovered and established Layer-2 or Layer-3 communication with its home (i.e.

The BlueSecure WLAN Solution End-user Experience

VoIP Protocols/VoWLAN Support
You can configure the BSC to support Voice-over-WLAN (VoWLAN) phones by enabling VoIP protocols such as H.323, Session Initiation Protocol (SIP), and Cisco Signaling Connection Control Part (SCCP) for stateful inspection by the BSC. Additionally, you can configure vendor-specific IP phones (Polycom, Cisco, Skype, and Vocera), and system-level QoS for voice traffic.

Web-based User Logins
When leveraging the BSC's native authentication directory, or an external RADIUS or LDAP server, a user typically authenticates via an SSL login page returned to the user when he or she launches a web browser. The following figure shows a sample user login page.

a user on any authentication server. Typically, guest roles are configured to allocate only a small amount of bandwidth. This prevents guests from adversely affecting the level of service for the employees of the organization. In addition, the guest role does not require encryption, blocks access to the private campus/corporate network, and only allows access to the Internet, so a guest can surf the web or check e-mail.

Mobility® MatriX WLAN deployment, providing centralized management and control of configuration and policy updates across the enterprise.

Bluesocket BSC-2100
The BSC-2100 BlueSecure Controller is designed for larger organizations with higher throughput and user-density needs. The BSC-2100 provides hardware-based encryption acceleration and gigabit network connectivity (both fiber and copper interfaces).

option is available to support direct connection of PoE access points like the BlueSecure 1500 Access Point via the front-panel ports.

Figure 1-7: Bluesocket BSC-600

Bluesocket BSC Model Specifications
All products in the Bluesocket BSC family share the same HTML-based administrator console and software functions, and vary only in the number of users supported, data throughput, form factor, and network ports.

Typical BlueSecure WLAN Solution Network Configurations

Typically, you will install and configure Bluesocket BSCs in one of the following network configurations:
• single BSC configuration
• multiple BSC configuration
• failover BSC configuration

Single BSC Configuration
This chapter provides complete procedures for configuring a single BSC for use in a small network such as a workgroup.

authentication for those devices by following the steps listed in "Defining MAC Address Authentication" on page 5-5.
8. Optional.

Within either single- or multiple-BSC networks, you can set up pairs of redundant BSCs (must be the same model) to achieve fault tolerance as shown in Figure 1-8. Within a failover configuration, the primary BSC is active and the secondary BSC is idle. Failover is initiated when the primary and secondary BSCs are unable to contact each other via the failover port. Typically, this is due to a failure of the primary BSC.
2 Installation

This chapter provides complete installation procedures for the BlueSecure family of Controllers and includes:
• Overview of the Installation Procedure
• Safety Precautions
• BSC-2200/3200/5200 Displays, Controls, and Connectors
• BSC-2100 Displays, Controls, and Connectors
• BSC-1200 Displays, Controls, and Connectors
• BSC-600 Controls and Connectors
• Preparing Your Network
• Environmental, Rack, Space, and Power Requirements
• Mounting the BlueSecure Controller Chassis
•

Overview of the Installation Procedure

You must complete the following steps to install the Bluesocket BSC:
1. Prior to beginning the installation procedure, familiarize yourself with the safety considerations listed in "Safety Precautions" on page 2-2.
2. Familiarize yourself with the BSC front and rear panels as described starting in "BSC-2200/3200/5200 Displays, Controls, and Connectors" on page 2-4.
3.

Safety Precautions

Precautions for Rack-mounted Equipment
• Do not allow liquid to enter the Bluesocket BSC chassis, and do not operate the system in a wet environment. If the Bluesocket BSC gets wet, contact Bluesocket.
• Do not push any objects into the BSC chassis vents or openings. Doing so can result in fire or electrical shock.
• Connect the Bluesocket BSC to the correct external power source as indicated on the electrical ratings label. Consult Bluesocket, Inc.

BSC-2200/3200/5200 Displays, Controls, and Connectors

The following figure shows the Bluesocket BSC-5200 front and rear panel displays, controls, and connectors.

Figure 2-1: BSC-2200/3200/5200 Displays, Controls, and Connectors

Status LEDs
The Bluesocket BSC-2200/3200/5200 provides the following front-panel status LEDs:
• PWR - Lights when the BSC is connected to an AC power source and its rear-panel power switch is in the closed position (|).

BSC-2100 Displays, Controls, and Connectors

Admin Port
Use the Admin port to manage your controller without needing to be connected to the managed or protected ports. The Admin port allows for HTTPS access and SSH access. This port does not support mobility, routing, VLANs, or firewalling.

Managed Ports
Use the Managed Port to connect the BSC to the managed side (i.e., the wireless side) of your network via Ethernet.

LCD
The BSC provides a 2x16 character liquid crystal display (LCD) to display the IP address configured for its protected interface.

Power Control
If the BSC is running and you press the front-panel Power button, the BSC will stop all active services after a slight delay. After all services are shut down, the BSC executes its normal power-down sequence and shuts off completely.

Reset Control
Press the Reset button to perform a hard reset of the BSC-2100.

BSC-1200 Displays, Controls, and Connectors

Figure 2-3: BSC-1200 Displays, Controls, and Connectors

Status LEDs
The following table summarizes the status indicated by the Bluesocket BSC-1200 BlueSecure Controller light emitting diodes (LEDs).

Table 2-1: BSC-1200 Status LEDs
LED: 100/Status, Link/Activity, System
System: Lights to indicate the BSC system is running and its CPU is active. Flickers when the BSC is writing data to or reading data from non-volatile memory.

Admin Port
Use the Admin port to manage your controller without needing to be connected to the managed or protected ports. The Admin port allows for HTTPS access and SSH access. This port does not support mobility, routing, VLANs, or firewalling. To enable the Admin port on the BSC-1200, the failover port must be disabled.

Managed Port
Use the Managed Port to connect the BSC to the managed side (i.e., the wireless side) of your network via Ethernet.

Preparing Your Network

Table 2-2: BSC-600 Status LEDs
LED | Color | Description
PoE Activity (1-4) | Green | This indicator is under software control. Its primary function is to indicate that the corresponding managed port is delivering PoE power.

On/Off Control
Connect the BSC-600 to its power source, and then press the On/Off button to power up the BlueSecure Controller.

• Ensure that your wireless devices (laptops, PDAs, etc.) are configured to receive IP addresses via DHCP.
• Ensure that you have an Ethernet connection to your corporate/campus network. You will connect the BSC to your corporate/campus network to protect the network resources from unauthorized use.

Environmental, Rack, Space, and Power Requirements

Follow these guidelines when selecting an installation location for the BlueSecure Controller.

Mounting the BlueSecure Controller Chassis

1. Choose a level, stable desktop that will support the weight of the BSC.
2. Install one of the four supplied self-adhesive rubber feet in each corner on the bottom of the BSC chassis. Install the rubber feet to prevent the BSC chassis from slipping on the desktop.

Figure 2-7: Attaching the BSC-2100/5200 Chassis Cap

Rack-mounting the BlueSecure Controller
You may install the Bluesocket BSC in any two-post equipment rack or cabinet that conforms to ANSI/EIA-310-D-92 specifications.

Note: The BSC should not have desktop feet, bumpers, or a chassis cap installed when mounted in an equipment rack. If these are installed, remove them prior to rack-mounting.

Follow these steps to mount the Bluesocket BSC in a two-post equipment rack:
1.

up the BSC by following the procedure given in "Connecting the BSC to its Power Source" on page 2-13.

Connecting the BlueSecure Controller to Your Network

After you have mounted the BSC chassis in place, you must:
• connect the BSC to the protected (i.e., wired) side of your network
• connect the BSC to the managed (i.e.

5. (BSC-600, BSC-2100, and BSC-2200/3200/5200 only.) Press the Power button on the front panel. As the BSC powers up, its cooling fans run and its status LEDs light. If the BSC is the only BSC in a single BSC configuration, or the primary BSC in a failover configuration, the LCD on its front panel shows boot-up sequence messages, DHCP status, boot-up information, and IP address status. After the boot-up is complete, the BSC LCD shows the IP address for the protected interface.

LED Run Time Mode for BSC-600 and BSC-1200

Follow these steps to enable IEEE 802.3af Power-over-Ethernet support on the four front-panel BSC-600/1200 Controller Managed ports:
1. Connect the PoE power supply included in your BSC-600/1200 distribution to a grounded, 85 to 246 VAC power source.
2. Connect the PoE power supply's three-pin connector to the mating connector located on the back of the BSC-600/1200's chassis as shown in Figure 2-9.

The fault light will be lit for a few seconds after an AP is disconnected.
3 Administrator Console

The BlueSecure Controller provides an intuitive, easy-to-use administrator console that you can access using any web browser. The administrator console enables you to configure the BSC for use in your network and perform general BSC administrative tasks.

Logging Into the Administrator Console for the First Time

You may access the Bluesocket BSC administrator console using any web browser (e.g., Microsoft Internet Explorer, Netscape Navigator, etc.). To access the BSC administrator console for the first time:
1. Power-up the BSC: Power-up the Bluesocket BSC as described in "Connecting the BSC to its Power Source" on page 2-13.
2.

Using and Managing Administrator Accounts

5. Acknowledge License Agreement: A dialog appears displaying the Bluesocket End User License Agreement. Read and acknowledge the license agreement, and then close the dialog.
6. Change Password: Change your password when prompted to do so. Enter the default password in the Password field, your new password in the New Password and Re-Enter New Password fields, and then click Log in >. The Bluesocket BSC administrator console appears as shown in Figure 3-2.

• monitor - enables you to view but not change current BSC parameter settings. The default password for the monitor account is blue.

If you are setting up or changing a BSC configuration, you can log into the administrator console using the pre-defined admin account. Note that the Admin login page also has a link by which you can log in as an end user.

Figure 3-3: New Admin User Page

Changing an Administrator Password
To change the password for an administrator account:
1. Click the User authentication tab in the BSC administrator console, and then click the Administrative User tab.
2. Click the icon for the administrator whose password you wish to change. The Edit the admin user page appears.
3.

Changing Your Login Password
For security purposes, we recommend that you periodically change the password you use to access the BSC administrator console. Also, be sure to change the password assigned to the predefined admin and monitor accounts. Be sure you record your account username and password in a safe location that you can easily access. You cannot access the BSC administrator console without a valid username and password. To change your login password:
1.

Installing the Bluesocket SSL Certificate

Figure 3-5: Security Certificate Alert

Note: As an alternative to installing the Bluesocket SSL certificate, you can acquire an SSL login certificate from another CA provider, and then upload the certificate to the BSC. See "Installing a Custom SSL Login Certificate" on page 11-22 for information about installing a custom SSL login certificate.

To download the Bluesocket SSL login certificate to your web browser host:
1.

An Overview of the Tabs on the Console

Information in the BSC administrator console is presented as a series of tabbed pages as shown in Figure 3-7.

Obtaining Online Help

Voice: Configure how voice traffic is passed through and managed by the BlueSecure Controller, and enable support for specific models of IP phones.

Site Map
Click on the Site Map link to display a clickable site map (the Site Map link is located in the upper right corner of the display, between the Sign in/out and Help links):

Figure 3-8: Site Map

Error Checking on Page Forms

Required form elements are marked with a blue bounding box. Once a user enters a value and moves to the next form element on the page, the system validates the previous form element. If the element does not meet predefined validation criteria, the validation fails and the input field is demarcated by a red bounding box. Fields that have passed validation are demarcated by a green bounding box.

Table 3-1: Administrator Console Command Buttons and Icons
Command Button or Icon | Click to ...
(icon) | Edit the BSC database record displayed in the corresponding table row.
(icon) | Log out the BSC user listed in the corresponding table row.
(icon) | Display the report listed in the corresponding table row.
(icon) | Display the graph listed in the corresponding table row.
(icon) | Download the report listed in the corresponding table row.

Paging Through Data

Figure 3-9: Customizing the Presentation of Table Data

Select the column(s) you wish to hide and then click Remove highlighted items. Click Remove all items in list to hide all table columns.
5. Specify column order by ordering the columns in the Selected Items pane. The top column represents the first (i.e., left-most) column in the table. Select a column and then click the up or down arrow to change its relative position within the table.
6.

Table 3-4: Administrator Console Font Controls
Font Control | Click to ...
(icon) | Increase or decrease screen text point size.

Downloading Administrator Console Data
You can download the administrator console page data you are currently viewing from the BSC to your computer or another computer to which you have network connectivity. You can save downloaded page data to a CSV (comma separated values) or an HTML file.

Figure 3-10: Using the Pop Up List Feature

Restarting the BSC to Activate Configuration Information

After entering new or updated BSC parameter values on an administrator console page, you normally click Save (or Save and Create Another) to save the configuration data to the BSC database. These saved settings take effect immediately and remain in effect even if you log out of the administrator console and start a new session.
4 Networks

This chapter covers the following topics:
• Defining the BSC Protected Physical Interface
• Configuring the BSC Managed Interface
• Configuring the Admin Interface
• Configuring Failover Parameters
• Configuring Static Routes
• Configuring Multicast Routing
• Configuring AppleTalk Routing

Defining the BSC Protected Physical Interface

You must configure the BSC to communicate with the protected (i.e., wired) side of your network. The protected side of your network includes your enterprise servers and resources. Specify the following sections as required and click Save to store the information to the BSC database. You may be prompted to restart the BSC.

Obtain IP settings from a DHCP server for the interface
Not Using DHCP. If you are assigning IP settings manually:
1. Clear the Obtain IP settings from a DHCP server for the interface checkbox.
2. Enter default IP settings for the interface as explained in Fallback IP Settings.
Using DHCP. If you are using a DHCP server on the protected side of the network to dynamically assign IP settings:
1.

interface as a trunk port. One ISP should be reachable from the protected physical interface and one from the protected VLAN.
1. Protected Physical Egress VLAN: Enter the VLAN ID for the secondary interface to share traffic.
2. Configure ISP1 "Ping Address": Enter the IP address to ping to determine if the primary (protected physical) route is alive. If the ping fails, then the BSC will switch to using the VLAN interface.
3.

2. Physically configure links, choosing one of the following configurations:
• Top/Down - The protected physical port and the E2 interface are one trunk. The managed physical port and the E1 interface are one trunk. This logically groups the ports together on the same NIC.
• Crisscross - The protected physical port and the E1 interface are one trunk. The managed physical port and the E2 interface are one trunk.

VLAN Settings
1. Ensure you have set up the protected physical interface as described in "Defining the BSC Protected Physical Interface" on page 4-2.
2. The Enable checkbox is marked by default to make the protected VLAN available.
3. Enter the protected VLAN settings, as described below:
Interface Settings
• Name - A unique name for the protected-side VLAN.
• VLAN ID - The VLAN identification number.

Configuring a Protected Virtual Interface (Optional)
This is an advanced BSC configuration feature that enables you to set up a protected-side virtual interface for protected-side resources that would benefit from being on a subnet that differs from the BSC protected physical or VLAN interfaces.

Configuring the BSC Managed Interface

Figure 4-5: Edit Managed Interface (eth1) Page

If you are not running a DHCP server on your network, or if you want to conserve IP addresses or "hide" users on a private IP subnet, you can configure the BSC to dynamically assign addresses to wireless clients via its resident DHCP server, or you can assign fixed IP addresses to wireless clients, or you can do both.

It is possible to configure client addressing on the managed side of the network for both dynamic and fixed assignment. However, if both assignment modes are configured, the wireless client's fixed IP address always takes precedence.

Figure 4-6: Completed DHCP Relay Options

IP Address & Netmask
Note: You must assign a fixed address to the managed interface.

so, select the default user role from the Default role drop-down list. The selected default role is the role the BSC assigns the user if none of the rules is true.

Port settings
Ignore link down error on this interface: Mark this checkbox if all BSAPs are connected to the protected interface, to prevent failover and the logging of managed interface link down errors (not applicable on the BSC-600).

Figure 4-7: Enabling the BSC DHCP Server

NAT the addresses to the protected interface address
Mark this checkbox to activate Network Address Translation (NAT) to map all client IP addresses on the managed side to the IP address of the BSC protected interface. Clear this checkbox to disable NAT.

Address range to exclude
Optional. If you have IP addresses that are reserved for particular devices and do not want these addresses available for DHCP assignment, then enter the range of addresses to exclude from first to last, such as 192.168.162.22 to 192.168.162.27. If you have individual IP addresses to exclude, then enter them in the From fields only.

Netbios name server
Optional.

Dynamic DNS
Mechanism by which the DNS server learns the assigned IP address and fully qualified domain name of a wireless client. There are three options:
• Ad Hoc - The DNS server looks for a valid host name as specified in the FQDN option and in the client hostname option sent by the client. If this information is available, the DNS server updates its records with the client's hostname. If not, the server will not have a host name for the client, and cannot do a DNS update.

Use the Fixed IP address assignments table (as shown in Figure 4-9) to manage devices that require fixed IP addresses (e.g., access points and bar code scanners) on the managed side of the BSC network.

Note: If you have many fixed IP address users to configure, you can speed up the process by configuring a few users using the procedure described below, exporting the fixed IP address configuration to a .

Note: Use care when choosing a specific role rather than Authenticate. The Specific Role option allows network transmission via MAC addresses, which is inherently less secure than the Authenticate option.

The following figure shows an example of fixed IP address assignments on the Edit Managed interface page.

Figure 4-9: Fixed IP Address Assignments for Wireless Clients

4. Optional.

Figure 4-10: NAT Settings for Managed Interface Page

3. Supply the following information for each managed-side-to-protected-side address mapping:
• Protected address - Enter a free (i.e., unused) address from the BSC's protected interface subnet.
• Managed address - Enter the managed-side IP address of the wireless client or access point. We recommend that you use an address in the range 10.0.0.0 to 10.255.255.255 or 192.168.0.0 to 192.168.255.
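The one-to-one mappings on the NAT Settings for Managed Interface page are easy to get wrong by hand: a protected address that is already in use, or one that is not on the protected subnet, silently breaks reachability for that client or access point. The following is an added example (not Bluesocket code, and the BSC exposes no API for this page) that checks a constructed list of mappings offline, before an administrator types them into the console. The protected interface address, the list of addresses already in use, and the mappings are all constructed sample values; the "free address on the protected subnet" rule and the recommended 10/8 and 192.168/16 managed-side ranges come from the page text above.

```python
"""Offline sanity check for BSC managed-to-protected NAT mappings.

Added example, not Bluesocket code. Assumes the admin keeps a list of
protected-side addresses already in use (constructed here) and wants to
catch mistakes before saving the page.
"""
import ipaddress
from dataclasses import dataclass

# Managed-side ranges the guide recommends for NAT-mapped clients.
RECOMMENDED_MANAGED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class NatMapping:
    protected: str  # free address on the BSC's protected interface subnet
    managed: str    # managed-side address of the wireless client or AP


def check_nat_mappings(protected_iface_cidr, in_use, mappings):
    """Return (errors, warnings).

    errors:   mappings the guide's rules reject (protected address not a
              free host address on the protected subnet, or duplicates)
    warnings: managed addresses outside the recommended private ranges
    """
    iface = ipaddress.ip_interface(protected_iface_cidr)
    subnet = iface.network
    # The BSC's own protected address is never free for a mapping.
    taken = {ipaddress.ip_address(a) for a in in_use} | {iface.ip}
    errors, warnings = [], []
    seen_protected, seen_managed = set(), set()
    for m in mappings:
        p = ipaddress.ip_address(m.protected)
        g = ipaddress.ip_address(m.managed)
        if p not in subnet or p in (subnet.network_address, subnet.broadcast_address):
            errors.append(f"{m.protected}: not a usable host address on {subnet}")
        elif p in taken:
            errors.append(f"{m.protected}: already in use on the protected side")
        if p in seen_protected:
            errors.append(f"{m.protected}: protected address mapped twice")
        if g in seen_managed:
            errors.append(f"{m.managed}: managed address mapped twice")
        if not any(g in r for r in RECOMMENDED_MANAGED_RANGES):
            warnings.append(f"{m.managed}: managed address outside 10/8 or 192.168/16")
        seen_protected.add(p)
        seen_managed.add(g)
    return errors, warnings


# Constructed sample: protected interface 172.16.5.1/24 with two hosts in use.
SAMPLE_PROTECTED_IFACE = "172.16.5.1/24"
SAMPLE_IN_USE = ["172.16.5.10", "172.16.5.11"]
SAMPLE_MAPPINGS = [
    NatMapping("172.16.5.50", "192.168.162.22"),  # valid
    NatMapping("172.16.5.10", "192.168.162.23"),  # protected address already used
    NatMapping("172.16.6.5", "192.168.162.24"),   # protected address off the subnet
    NatMapping("172.16.5.51", "8.8.8.8"),         # managed address not private
    NatMapping("172.16.5.52", "192.168.162.22"),  # managed address duplicated
]

if __name__ == "__main__":
    errs, warns = check_nat_mappings(SAMPLE_PROTECTED_IFACE, SAMPLE_IN_USE, SAMPLE_MAPPINGS)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

A duplicate managed address is reported as an error rather than a warning because two protected addresses pointing at one client defeats the one-to-one intent of the page; the out-of-range managed address is only a warning because the guide phrases the private ranges as a recommendation.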
1. Set up the managed physical interface as described in “Configuring a DHCP Relay Agent” on page 4-9 and in “Configuring the BSC DHCP Server” on page 4-11.
2. Select Managed-side VLAN from the Create drop-down list on the Network page. The Create a Managed VLAN page appears as shown in Figure 4-11.
Figure 4-11: Create a Managed VLAN Page
3. The Enable checkbox is marked by default to make the managed-side VLAN available for use.
4.
• VLAN Type - The type of VLAN to create. Currently the IEEE 802.1q VLAN standard is the only VLAN type supported.
• Automatically Add Location Element for this VLAN - Checked by default. Automatically create/edit a Location when the VLAN itself is changed. If a Location does not exist, the Location is created with this VLAN ID, using the same name as the Managed VLAN.
2. Select Managed-side Remote Subnet from the Create drop-down list on the Network page. The Create a Managed Remote Subnet page appears as shown in Figure 4-13.
Figure 4-13: Create a Managed Remote Subnet Page
3. The Enable checkbox is marked by default to make the managed remote subnet available to wireless clients. Clearing the checkbox makes the managed remote subnet unavailable.
4. Complete the following options.
• Netmask of Remote Subnet - When handing out addresses to wireless clients via DHCP, the BSC must include the clients' netmask. This is the netmask assigned to clients on the managed remote subnet.
• Additional IP addresses that DHCP relay packets can be sourced from - Used only for HSRP; put all the physical router addresses here (a comma-separated list of additional DHCP relay endpoints).
• Address range to dynamically assign - Optional. Enter the range of addresses that DHCP can assign within a network address space from first to last, such as 192.168.162.20 to 192.168.162.50. Leaving this field blank means that DHCP can assign any address within the subnet defined by the IP address and Netmask fields on the Edit managed interface (eth1) page.
• Netbios name server - Optional setting.
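The interaction between the dynamic range, the exclusion rows (a blank To field means a single address) and fixed IP assignments described above, as an added example that is not Bluesocket code. It assumes that a blank range means every host address in the interface subnet, that the interface's own address and fixed assignments are never handed out, and that a dynamic range lying outside the subnet is an error.

```python
"""Added example (not Bluesocket code): compute the set of addresses the
BSC DHCP server would hand out dynamically on a managed interface from
the interface IP/netmask, the optional 'Address range to dynamically
assign', the 'Address range to exclude' rows and fixed IP assignments."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# One exclusion row as entered in the From/To fields; To may be blank (None).
ExcludeRow = Tuple[str, Optional[str]]


def _range(first: str, last: Optional[str]) -> Iterable[ipaddress.IPv4Address]:
    """Expand a From/To pair; a missing To value denotes the single From address."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last) if last else lo
    if hi < lo:
        raise ValueError(f"range {first}-{last} is reversed")
    return (ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1))


def dhcp_pool(
    interface_ip: str,
    netmask: str,
    dynamic_range: Optional[Tuple[str, str]] = None,
    excludes: Iterable[ExcludeRow] = (),
    fixed: Iterable[str] = (),
) -> List[str]:
    """Return the sorted list of addresses DHCP may assign dynamically."""
    net = ipaddress.IPv4Network(f"{interface_ip}/{netmask}", strict=False)
    if dynamic_range:
        candidates = set(_range(*dynamic_range))
        outside = [a for a in candidates if a not in net]
        if outside:  # assumed: the range must lie inside the interface subnet
            raise ValueError(f"{outside[0]} is outside {net}")
    else:
        # Blank field: any host address in the interface subnet (assumption).
        candidates = set(net.hosts())
    # Assumed: the interface's own address is never handed out.
    candidates.discard(ipaddress.IPv4Address(interface_ip))
    for first, last in excludes:
        candidates.difference_update(_range(first, last))
    # Fixed assignments are reserved for specific devices; keep them out of the pool.
    candidates.difference_update(ipaddress.IPv4Address(a) for a in fixed)
    return [str(a) for a in sorted(candidates)]


if __name__ == "__main__":
    # Constructed sample configuration using the guide's example ranges.
    pool = dhcp_pool(
        "192.168.162.1", "255.255.255.0",
        dynamic_range=("192.168.162.20", "192.168.162.50"),
        excludes=[("192.168.162.22", "192.168.162.27"), ("192.168.162.40", None)],
        fixed=["192.168.162.30"],
    )
    print(len(pool), pool[:3])
```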
associated with the option in the Code field, and select the option’s datatype from the Data Type menu.
• Enter the value to which to set the predefined or custom DHCP server option in the Value field. The entered value must correspond to the datatype selected for the option.
• Repeat the above steps for each DHCP server option you wish to configure.
c) Click Save to save the DHCP settings for the managed remote subnet.
8.
3. The Enable checkbox is marked by default to make the managed virtual interface available to wireless clients. Clearing the checkbox makes the managed virtual interface unavailable.
4. Complete the following options as appropriate for your network.
• Name - Enter a unique name for the managed virtual interface.
• VLAN ID - The VLAN identification number. The specified ID must be unique and in the range of 2 to 4094. Enter 0 to indicate no VLAN.
Figure 4-16: Edit Admin Interface Page
3. Gateway: Allows connectivity to the Admin port through the IP cloud (for example, through the IP Router). The NOC station can now be several IP hops away. Having a separate Admin Gateway also allows the Admin IP address to reside on the same IP network (subnet) as the Protected IP address. Leave empty if you do not want the admin port routed to remote networks.
Note: On a BSC-600 or BSC-1200, the admin interface must be disabled in order to use the failover feature.
Note: On a BSC-600 or BSC-1200, a normal CAT-5E Ethernet cable is used to connect the two failover ports (a crossover cable is not needed).
Note: When failover occurs, users with an IPSec connection will need to restart their tunnel. However, network availability is maintained during failover.
Configuring Failover Parameters
Figure 4-18: Failover - Failover State
Figure 4-19: Failover - Recovery State
1. Click the Network tab in the BSC administrator console, and then click the Failover tab on the Network page. The Edit Failover (Eth2) settings page appears as shown in Figure 4-20.
2. Configure the BSC failover interface settings as described below:
• Heartbeat interval - Enter the expected time between heartbeats (minimum is 0.5 seconds). The default interval is 5.
Figure 4-20: Edit Failover (Eth2) Page
• Primary machine identifier - Enter the MAC address of the primary BSC. In the event of a failover, this entry is used to identify the primary BSC for the administrator, because the rest of the configuration parameters are identical on both primary and secondary.
Note: Click the This device link to automatically fill in the Primary machine identifier field with the MAC address of the BSC to which you are connected.
3.
Configuring Static Routes
Figure 4-21: Sample BSC Routing Table
To enable outbound administrator traffic from the Admin interface, a static route must be configured. This is required because the BSC maintains a separate routing table for the Admin interface from the one used by the rest of the system. Rarely, you may need to add a static route to a special network destination that is not normally included in the routing table.
Caution: This is an advanced BSC configuration function.
4. Enter the IP address of the gateway through which traffic is routed to the destination network in the Route Gateway field. This gateway must be on the same subnet as the IP address of the specified Interface.
5. Enter a bit mask that specifies the bits in the IP address that correspond to the network address and to the subnet portion of the destination network IP address.
6. Specify the BSC interface through which traffic is routed to the destination network.
Figure 4-24: Enabling Multicast Routing
You can configure a default Rendezvous Point for group address “224.0.0.0” with a network mask of “240.0.0.0”.
6. Repeat steps 1 to 4 for each multicast group for which you wish to route multicast traffic through the BSC.
7. Click Save to store the multicast routing settings to the BSC database. You may be prompted to restart the BSC.
where to send each packet of data. Each physical network must have one or more seed routers that broadcast the routing information for that network. Not all routers must be seed routers. Routers that are not seed routers maintain a map of the physical networks on the internet and forward data to the correct physical network.
Configuring AppleTalk Routing
Configuration Procedure
You must enable at least two BSC interfaces to support AppleTalk routing. If there is no other seed router, a managed side interface should be configured as a seed router. A protected side interface should be configured as a non-seed router. You can enable AppleTalk routing globally for all roles on the BSC or only for selected roles.
To enable the BSC to route AppleTalk traffic:
1.
b) Specify what version of AppleTalk is to be supported, Phase 1 or Phase 2, by selecting an option from the Phase menu.
c) For seed interfaces, assign a range of network addresses to the interface by entering a valid range in the Net Begin and Net End fields, e.g., 20301 - 20310, or assign a single unique address to the interface using the Address field. Leave the Net Begin, Net End, and Address fields blank for auto, i.e., non-seed interfaces.
5 Authentication Using Internal Database
Follow the procedures given in this chapter if:
• You are using the BSC's internal database for user authentication. We refer to users who are authenticated against the BSC’s internal database as “local” or “native” BSC users.
• You have wireless devices that the BSC can authenticate only by using their device media access control (MAC) address.
Chapter 5: Authentication Using Internal Database
Local BSC User Authentication
You can create local users and assign each to a previously defined role. User credentials are authenticated against the BSC's internal user database. You can assign many users to the same role, but you can assign only one role to a specific user. You can configure the BSC to support enterprise guest access by defining local user accounts and assigning them to the BSC’s default guest role.
Creating/Editing/Deleting a Local User Account
Figure 5-1: New Local User Page
4. To edit an existing user account, click the icon corresponding to the user whose password you wish to change. The “Edit the local user” page appears; refer to the figure below for the New local user page, since the Edit page is identical.
5. Mark the Enable user radio button to make the user account available for use.
5. To enable RADIUS accounting for this user, select the name of the external RADIUS accounting server from the Accounting server drop-down list. See Chapter 7, "RADIUS Accounting," to configure a new RADIUS accounting server for selection in the drop-down list. Alternatively, you can select the Create… option to open a window that enables you to configure a new RADIUS accounting server.
You may be prompted to restart the BSC. We recommend that you do not restart the BSC until you have completely finished configuring the BSC for use in your network.
Defining MAC Address Authentication
Follow the procedure in this section if you have wireless devices that the BSC can authenticate only by using their device media access control (MAC) address.
Acceptable MAC address delimiters are colons (00:03:4a:3b:4F:02) or hyphens (00-03-4a-3b-4F-02). The % wildcard character is supported in place of any hexadecimal digit in the MAC address. Each '%' matches exactly one digit, so you need one '%' for each digit you want to match. This allows administrators to configure a MAC address range.
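The delimiter and '%' wildcard rules just described, as an added example that is not Bluesocket code. It also reports how many addresses a wildcard entry covers, and the rule that an exact entry wins over a wildcard entry for the same device is an assumption, since the guide does not say how overlapping entries are resolved.

```python
"""Added example (not Bluesocket code): match client MAC addresses against
MAC address entries written with colon or hyphen delimiters, case-insensitive
hex digits, and '%' standing for exactly one hex digit."""
import re
from typing import List, Optional, Tuple

# Six two-character groups, each hex digit or '%', all joined by one delimiter.
_MAC_RE = re.compile(r"^([0-9a-f%]{2})([:-])(?:[0-9a-f%]{2}\2){4}[0-9a-f%]{2}$")


def normalize(entry: str) -> str:
    """Validate an entry and return its 12 lower-case digit/'%' characters."""
    entry = entry.strip().lower()
    if not _MAC_RE.match(entry):
        raise ValueError(f"malformed MAC address entry: {entry!r}")
    return entry.replace(":", "").replace("-", "")


def mac_matches(pattern: str, mac: str) -> bool:
    """True when every digit of mac equals the pattern digit or the pattern has '%'."""
    p, m = normalize(pattern), normalize(mac)
    if "%" in m:
        raise ValueError("a client MAC address cannot contain wildcards")
    return all(pc == "%" or pc == mc for pc, mc in zip(p, m))


def wildcard_count(pattern: str) -> int:
    """Number of wildcard digits: 2 covers 256 addresses, 6 covers a whole OUI."""
    return normalize(pattern).count("%")


def lookup_role(entries: List[Tuple[str, str]], mac: str) -> Optional[str]:
    """Return the role of the matching entry, or None when no entry matches.

    Assumed precedence: entries with fewer wildcards are tried first, so a
    device-specific row wins over a vendor-range row covering the same MAC."""
    ordered = sorted(entries, key=lambda e: wildcard_count(e[0]))
    for pattern, role in ordered:
        if mac_matches(pattern, mac):
            return role
    return None


if __name__ == "__main__":
    # Constructed sample table: one device-specific row and one vendor-range row.
    table = [("00:03:4a:%%:%%:%%", "Guest"), ("00-03-4A-3B-4F-02", "Scanner")]
    print(lookup_role(table, "00:03:4A:3B:4F:02"))  # Scanner
    print(lookup_role(table, "00:03:4a:11:22:33"))  # Guest
    print(lookup_role(table, "00:1a:2b:3c:4d:5e"))  # None
```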
You may be prompted to restart the BSC. We recommend that you do not restart the BSC until you have completely finished configuring the BSC for use in your network.
6 Authentication Using External Servers
Follow the procedures given in this chapter if you are using an external server for user authentication. This chapter covers the following topics:
• An Overview of External User Authentication
• iPass Client Authentication
• RADIUS Authentication
• LDAP/Active Directory Authentication
• SIP2 Authentication
• NTLM Authentication
• Transparent NTLM Authentication
• Transparent 802.1x Authentication
• The BSC Internal 802.
Chapter 6: Authentication Using External Servers An Overview of External User Authentication In external server user authentication, an external server contains rules (attributes and values linked by logical operators) that are checked sequentially as defined. If a rule evaluates as true, the authenticating user is assigned the BSC role specified in the rule and checking ends. If no rule is true in RADIUS, LDAP/Active Directory, External NTLM, or Transparent 802.
RADIUS Authentication
Figure 6-1: New RADIUS Server Page
To configure an external RADIUS authentication server and define the rules used for authentication:
Displaying the New RADIUS server page - Click the User authentication tab in the BSC administrator console, and then select External RADIUS Authentication from the Create drop-down list on the User authentication page. The New RADIUS server page appears as shown in Figure 6-1.
Enable server
Name - Enter a meaningful name for the external RADIUS authentication server.
Note: As described in the previous section, if you wish to authenticate iPass clients who attempt to log into the BSC, you must include the word “iPass” in the name you assign to the external RADIUS authentication server.
See “RADIUS Accounting” on page 7-1 to configure a new RADIUS accounting server for selection in the drop-down list. Alternatively, you can select the Create… option to open a window that enables you to configure a new RADIUS accounting server. After you save the server information, you are returned to the New RADIUS server page where you can select the RADIUS accounting server from the drop-down list.
Mapping RADIUS attributes to roles
1.
3. The Default Redirect URL field on the General HTTP Settings page (see “HTTP Server Settings” on page 10-2).
Note: If the user is assigned a role on the Edit Role page with Thank You HTML text specified, the browser displays the Thank You page and no redirection occurs. The user can click on the link to go to the URL, but they are not automatically redirected to that link.
Location - Optional.
LDAP/Active Directory Authentication Figure 6-2: New LDAP/Active Directory Server Page To configure an external LDAP/Active Directory authentication server and define the rules used for authentication: BlueSecure™ Controller Setup and Administration Guide 6-7
Displaying the New LDAP/active directory server page
1. Click the User authentication tab in the BSC administrator console.
2. Select External LDAP/Active Directory Authentication from the Create drop-down list on the User authentication page. The New LDAP/active directory server page appears as shown in Figure 6-2.
Enable server - The Enable checkbox is marked by default to make the server available for user authentication.
Name
Precedence
on page 7-1 to configure a new RADIUS accounting server for selection in the drop-down list. Alternatively, you can select the Create… option to open a window that enables you to configure a new RADIUS accounting server. After you save the server information, you are returned to the New LDAP/Active directory server page where you can select the RADIUS accounting server from the drop-down list.
Mapping LDAP/Active Directory attributes to roles
1.
The user can click on the link to go to the URL, but they are not automatically redirected to that link.
Location - Optional. Specify the user location from which the LDAP/active directory authentication request must originate by selecting a defined user location from the Location drop-down menu. If a user location is specified, the authentication request will not be attempted if the request does not come from that location.
Notes - Optional.
Saving the settings
SIP2 Authentication
Figure 6-3: New SIP2 Server Page
Displaying the New SIP2 server page
1. Click the User authentication tab in the BSC administrator console.
2. Select External SIP2 Authentication from the Create drop-down list on the User authentication page. The New SIP2 server page appears as shown in Figure 6-3.
Enable server - The Enable checkbox is marked by default to make the server available for user authentication.
Name
Precedence
Alternatively, you can select the Create… option to open a window that enables you to define a new role. After you save the role information, you are returned to the SIP2 page where you can select the role from the drop-down list.
2. Optional. Use the commands included in the Row Management drop-down list to change the order of rules, add new blank rules, clear rule data, or delete a rule, etc.
NTLM Authentication
Displaying the New NTLM server page
1. Click the User authentication tab in the BSC administrator console.
2. Select External NTLM Authentication from the Create drop-down list on the User authentication page. The New NTLM server page appears as shown in Figure 6-4.
Enable server - The Enable checkbox is marked by default to make the server available for user authentication.
Name - Enter a meaningful name for the external NTLM authentication server.
Precedence - Optional.
returned to the New NTLM server page where you can select the role from the drop-down list.
2. Optional. Use the commands included in the Row Management drop-down list to change the order of rules, add new blank rules, clear rule data, or delete a rule, etc. Remember, the BSC evaluates rules in the order in which they are listed here on the New NTLM server page.
Transparent NTLM Authentication
Figure 6-5: New Transparent NTLM Windows Server Page
Displaying the New Transparent NTLM Windows server page
1. Click the User authentication tab in the BSC administrator console.
2. Select Transparent NTLM Windows Authentication from the Create drop-down list on the User authentication page. The New Transparent NTLM Windows server page appears as shown in Figure 6-5.
Enable server
Name
Transparent NTLM Windows server settings
4. NTLM username to ignore (Optional): Enter in this field any generic, client-supplied NTLM login ID that should be ignored. Some clients send additional credentials after authenticating via NTLM. For example, SMS clients will authenticate to another network device using a generic username having the prefix SMSClient_.
Transparent 802.1x Authentication
802.1x is an IEEE standard that enables authentication and key management for LANs. Although originally designed as a port authentication scheme for wired networks, it has recently been applied to address some security issues surrounding wireless LANs. 802.1x uses the Extensible Authentication Protocol (EAP) as a framework for authentication, allowing it to leverage a variety of existing EAP methods and authentication servers.
Figure 6-7: New Transparent 802.1x Server Page
New Transparent 802.1x server page
1. Click the User authentication tab in the BSC administrator console.
2. Select Transparent 802.1x Authentication from the Create drop-down list on the User authentication page. The New Transparent 802.1x server page appears as shown in Figure 6-7.
Enable server
Name
Transparent 802.1X server settings
Accounting
• RFC822 - Use for TLS EAP methods only. This is the Subject Alternative Name (RFC822) which may be contained in the user's TLS certificate.
• You can also enter RADIUS attributes here for matching.
b) Select the appropriate logic operator (equal to, not equal to, starts with, ends with, contains, or [is a role]) from the Logic drop-down list.
c) Enter the appropriate Value to check against the specified attribute.
Figure 6-8: Edit the Local 802.
The BSC Internal 802.1x Authentication Server
or TTLS Protocol and pass the inner authentication protocol on to an external RADIUS server or the BSC’s own local user database for user authentication.
To configure the BSC’s Internal 802.1x Authentication Server:
Edit the Local 802.1X Authentication server page
1. Click the User authentication tab in the BSC administrator console.
Local 802.1X Authentication server settings
1.
4. Many other LDAP servers (e.g., Windows 2000/2003 Server Active Directory LDAP server) are not designed to store the user password in an MD4 hashed format. This necessitates the manual or automated conversion of the user password from clear text to an MD4 hash.
5. Make sure you mark the Remove Realm Name checkbox if the domain name is included in the username.
Saving the settings - Click Save to store the information to the BSC database. You may be prompted to restart the BSC. We recommend that you do not restart the BSC until you have completely finished configuring the BSC for use in your network.
Kerberos Authentication
Kerberos is a network authentication protocol that was created by MIT as a solution to network security problems.
The Port number should be 88, the value assigned to Kerberos by the Internet Assigned Numbers Authority.
3. Enter the Kerberos realm name in the Realm Name field. In Kerberos, realm names are case sensitive. While it is strongly encouraged that all realm names be uppercase, this recommendation has not been adopted by all sites.
Cosign Authentication Figure 6-10: New Cosign Server Page Cosign client web servers do not need to run SSL; sniffed cookies will compromise only the non-SSL-protected service, not the entire Cosign infrastructure. Cosign is compatible with common SSL accelerators and clustering load balancers. All Cosign client web servers use a central Cosign server to authenticate users. The central Cosign server runs a daemon and several CGIs. The central Cosign server in turn authenticates users against Kerberos 5.
Displaying the New Cosign server page
1. Click the User authentication tab in the BSC administrator console.
2. Select External Cosign Authentication from the Create drop-down list on the User authentication page. The New Cosign server page appears as shown in Figure 6-10.
Enable server - The Enable checkbox is marked by default to make the server available for user authentication.
Name - Enter a meaningful name for the external Cosign authentication server.
Alternatively, you can select the Create New… option to open a window that enables you to define a new role. After you save the role information, you are returned to the New Cosign server page where you can select the role from the drop-down list.
2. Optional. Use the commands included in the Row Management drop-down list to change the order of rules, add new blank rules, clear rule data, or delete a rule, etc.
Pubcookie Authentication
Figure 6-11: New Pubcookie Server Page
Displaying the New Pubcookie server page
1. Click the User authentication tab in the BSC administrator console.
2. Select External Pubcookie Authentication from the Create drop-down list on the User authentication page. The New Pubcookie server page appears as shown in Figure 6-11.
5. Key server address: Enter the Pubcookie key server IP address.
6. Port: Enter the port on which the Pubcookie key server is communicating. The default value is 2222.
7. BSC SSL client certificate: Select the digital certificate to use to validate cookies from the login server from the drop-down menu.
8. Trusted CA certificates: Add the trusted certificate authority certificate(s) the BSC is to use from the Available CA certificates list.
You may be prompted to restart the BSC. We recommend that you do not restart the BSC until you have completely finished configuring the BSC for use in your network.
CAS Authentication
Once primary authentication is complete, the CAS redirects the user's browser back to the application from which it came, adding the ticket as a request parameter. The application service just needs to validate the ticket once it receives it. It does so by passing it as the ticket parameter to the validation URL. Users can log out using the optional logout URL.
Note: You may need to set up the BSC to communicate with a CAS authentication server over Secure Sockets Layer (SSL).
c) Enter the appropriate value to check against the specified attribute in the Value field.
d) Select the role to assign to the user if the rule evaluates as true and the user is authenticated from the Role drop-down list. See “Defining User Roles to Enforce Network Usage Policies” on page 8-2 to define a new role available for selection in the drop-down list.
Transparent Certificate Authentication
Figure 6-13: Enabling Transparent Certificate Authentication
To configure transparent certificate authentication:
Displaying the New Transparent Certificate server page
1. Click the User authentication tab in the BSC administrator console.
2. Select Transparent Certificate Authentication from the Create drop-down list on the User authentication page. The New Transparent Certificate server page appears as shown in Figure 6-13.
Enable server
Name
Mapping Transparent Certificate attributes to roles
3. Define the rules to determine if the user is authenticated. For each rule:
a) Enter the appropriate digital certificate attribute in the Attribute field.
b) Select the appropriate logic operator (equal to, not equal to, starts with, ends with, contains, or [is a role]) from the Logic drop-down list.
c) Enter the appropriate value to check against the specified attribute in the Value field.
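The ordered attribute/logic/value/role rule tables used by the RADIUS, LDAP/Active Directory, Transparent 802.1x and Transparent Certificate servers (first true rule assigns its role and checking ends), as an added example that is not Bluesocket code. The meaning of the [is a role] operator, how multi-valued attributes such as LDAP memberOf are treated, and that no match yields no role are assumptions.

```python
"""Added example (not Bluesocket code): evaluate an ordered rule table of
(attribute, logic, value, role) tuples against the attributes returned by an
authentication server and return the role of the first rule that is true."""
from typing import Callable, Dict, Iterable, List, Optional, Tuple, Union

Rule = Tuple[str, str, str, str]  # attribute, logic operator, value, role
AttrValue = Union[str, List[str]]  # LDAP attributes may be multi-valued

_OPS: Dict[str, Callable[[str, str], bool]] = {
    "equal to": lambda a, v: a == v,
    "not equal to": lambda a, v: a != v,
    "starts with": lambda a, v: a.startswith(v),
    "ends with": lambda a, v: a.endswith(v),
    "contains": lambda a, v: v in a,
}


def _values(attrs: Dict[str, AttrValue], name: str) -> List[str]:
    """All values of an attribute as a list; missing attribute -> empty list."""
    v = attrs.get(name)
    if v is None:
        return []
    return [v] if isinstance(v, str) else list(v)


def evaluate_rules(
    rules: Iterable[Rule],
    attrs: Dict[str, AttrValue],
    defined_roles: Iterable[str] = (),
) -> Optional[str]:
    """Return the role assigned by the first true rule, else None.

    Assumed: a user matched by no rule is placed in no role at all."""
    roles = set(defined_roles)
    for attribute, logic, value, role in rules:
        present = _values(attrs, attribute)
        if logic == "is a role":
            # Assumed meaning: the attribute's value names an existing BSC role,
            # and the user is placed in that role.
            hit = next((v for v in present if v in roles), None)
            if hit is not None:
                return hit
            continue
        if logic not in _OPS:
            raise ValueError(f"unknown logic operator {logic!r}")
        if logic == "not equal to":
            # Assumed: a missing attribute is not "not equal"; every value must differ.
            ok = bool(present) and all(_OPS[logic](v, value) for v in present)
        else:
            # Any one value of a multi-valued attribute satisfies the rule.
            ok = any(_OPS[logic](v, value) for v in present)
        if ok:
            return role
    return None


if __name__ == "__main__":
    # Constructed rule table, listed in evaluation order.
    rules = [
        ("memberOf", "contains", "CN=Finance", "Finance"),
        ("User-Name", "starts with", "ENG\\", "Engineering"),
        ("department", "is a role", "", ""),
        ("User-Name", "ends with", "@example.org", "Guest"),
    ]
    roles = {"Finance", "Engineering", "Guest", "Contractor"}
    print(evaluate_rules(rules, {"memberOf": ["CN=Finance,OU=Groups", "CN=All"]}, roles))
    print(evaluate_rules(rules, {"User-Name": "ENG\\alice"}, roles))
    print(evaluate_rules(rules, {"department": "Contractor"}, roles))
    print(evaluate_rules(rules, {"User-Name": "bob@partner.net"}, roles))
```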
Testing an External Authentication Server Figure 6-14: External Authentication Server Test Page 4. Enter the password associated with the entered user name in the Password field. 5. Select the external authentication server you wish to communicate with from the External server drop-down menu. 6. Optional. Select a configured VLAN from the User location drop-down menu if you wish to test user authentication from a particular location. 7. Click Submit.
7 RADIUS Accounting Remote authentication dial-in user service (RADIUS) software includes both an accounting server and an authentication server. You use a RADIUS accounting server to record network activity and statistics including tracking user logins. To set up RADIUS accounting, you: (1) Define a new RADIUS accounting server. Once defined, it is added to the table on the Accounting Servers tab; (2) Associate the RADIUS accounting server with specific users or external authentication servers.
Chapter 7: RADIUS Accounting Defining a RADIUS Accounting Server To define a new RADIUS accounting server: 1. Click the User Authentication, Authentication Servers tab. 2. Select External RADIUS Accounting from the Create drop-down list on the User authentication page. The New RADIUS Accounting page appears as shown in Figure 7-1. Figure 7-1: New RADIUS Accounting Page 3. The Enable server checkbox is marked by default to make the external server available for RADIUS accounting activity.
You might be prompted to restart the BSC. We recommend that you do not restart the BSC until you have completely finished configuring the BSC for use in your network.
Attributes Sent to External RADIUS Accounting Server by BSC
The following table describes the attributes that the BSC sends to the external RADIUS accounting server.
8 Roles and Role Elements
This chapter describes the use of roles and role elements on the BSC:
• Defining User Roles to Enforce Network Usage Policies
• An Overview of Roles
• An Example of Role-based Authorization
• Role Inheritance
• Defining a Role
• Modifying a Role
• Creating Role Elements
• Creating Destinations and Destination Groups
• Creating Network Services and Services Groups
• Creating Schedules and Schedule Groups
• Creating Locations and Location Groups
Chapter 8: Roles and Role Elements Defining User Roles to Enforce Network Usage Policies The BSC uses role-based authorization to define which network resources and destinations in the enterprise a user can access, the bandwidth he or she can use, and whether a secure tunneling protocol such as IPSec or PPTP is required for the connection. You implement role-based authorization by defining roles to enforce network usage policies and then assigning the appropriate role to each BSC user.
[Figure 8-1: Role-based Authorization for a Registered User. Diagram labels: Managed Side, Protected Side, Internet, Finance, Bluesocket BSC (WG-2100 Wireless Gateway), Firewall, Enterprise Network; user with Engineering role assigned; HTTP, HTTPS, POP3, and SMTP; legend: = Access Blocked]
[Second diagram, caption cut off: same layout; user with Guest role assigned; HTTP, HTTPS, and POP3; legend: = Access Blocked]
Role Inheritance
• It reduces the number of administrative changes you need to make to roles. If you need to make changes to the base role, you need only to change that one role. All roles that inherit the base role will also inherit the changes you have made.
• It reduces the chance of administrative error by allowing you to change one role rather than each and every role that inherits it.
Defining a Role
Figure 8-3: Create a Role Page
Name - Enter a meaningful name for the role. Typically, this will be the name of a user group or department for which you are setting up access privileges, such as Engineering.
Bandwidth - Define the bandwidth for incoming/outgoing traffic generated by users assigned this role.
1. Bandwidth allocation - Enter a bandwidth value, and then select the appropriate data rate from the drop-down list. For no bandwidth restrictions, leave this field blank.
• Per user - Each user logged in with this role can transmit the entire bandwidth. For example, if 1 Mbps is specified, then each user is allocated 1 Mbps maximum, regardless of the number of users.
2. Priority - You can configure role- and network service-based traffic priorities. If the BSC experiences network congestion, High priority traffic takes precedence over other traffic.
Alternatively, as with network services, destinations, and schedules, you can use the Create… option to define a new user location or group. To set up a location or group, see “Creating Locations and Location Groups” on page 8-19.
6. Optional. Use the commands included in the Row Management drop-down list to change the order of policies, add new blank policy records, clear policy data, or delete a policy, etc.
Figure 8-5: Enabling Prerequisite Machine Authentication Role
4. Configure the Transparent 802.1x server to do role placement based on the username:
Figure 8-6: Mapping Role Placement Based on Username
In this case the Domain is ENG, so anything starting with ENG is a valid user. More granular policies can be applied based on the setup.
routes all tagged traffic to the protected-side VLAN and is useful if you want to limit the access of VLAN members to certain network assets defined for the role. To use the VLAN tagging functionality, you must first set up a protected-side VLAN. See “Creating a VLAN on the Protected Side (Optional)” on page 4-5 for more information.
1. The Redirect URL Attribute field on either the RADIUS page or the LDAP page accessed on the User Authentication tab. (See “RADIUS Authentication” on page 6-2 and “LDAP/Active Directory Authentication” on page 6-6.)
2. The URL Redirect field on the Edit Role page. (See “Defining a Role” on page 8-4.)
3. The Default Redirect URL field on the General HTTP Settings page. (See “HTTP Server Settings” on page 10-2.
Creating Destinations and Destination Groups
a single device within the network; all the devices reachable within a network address space
After defining destinations, you can organize them into destination groups. Typically, the destinations in a group are physically or logically related in some way.
You might be prompted to restart the BSC. We recommend that you do not restart the BSC until you have completely finished configuring the BSC for use in your network.
Creating a Network Space Destination
To set up a destination for all devices in a given network address space:
1. Click the User Roles tab in the BSC administrator console, and then click the Destinations tab.
2. Select Destination Network from the Create drop-down list on the Destinations page.
Creating Network Services and Services Groups 2. Select Destination Group from the Create drop-down list on the Destinations page. The Create a (destination) group page appears as shown in Figure 8-13. Figure 8-13: Create a (Destination) Group Page 3. Enter a meaningful name for the device group in the Name field. 4. Select one or more destinations from the Available Items list to include in the destination group and then click Add highlighted items.
• LDAP - Lightweight directory access protocol • H.323 - ITU-T standard for sending voice (audio) and video using IP on a LAN without QoS • TFTP - Trivial File Transfer Protocol • NTP - Network Time Protocol • SNMP - Simple Network Management Protocol Note: The standard network services available on the BSC might change in future releases of the BSC system software.
Figure 8-14: Create a Service Page Name - Enter a meaningful name for the network service. Service Settings - Define the service settings as appropriate for your network. Protocol - Specify whether the network service supports TCP, UDP, both TCP/UDP, ICMP, or some Other protocol. Port - Enter the port number(s) used by TCP, UDP, or both TCP/UDP protocols. Use a hyphen to designate a port range and use a comma between each port or port range entry.
Incoming/Outgoing Priority - You can configure a priority for traffic coming into the BSC or going out from the BSC via this network service. If the BSC experiences network congestion, High priority traffic takes precedence over Medium and Low priority traffic. You can also configure role-based traffic priority.
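The port syntax described above (a comma between entries, a hyphen for a range) is easy to get wrong by hand, and a role that allows a service covering a huge port range quietly defeats least privilege. The following Python is an added example, not Bluesocket code: it parses the BSC port syntax, models a network service with the Protocol choices listed above, answers "does this service allow protocol X on port Y", and flags services whose port coverage exceeds a review limit. The class and function names, and the `limit` parameter, are this example's own.

```python
"""Parse and audit BSC-style network service definitions (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Protocol choices offered on the Create a Service page.
PROTOCOLS = {"TCP", "UDP", "TCP/UDP", "ICMP", "Other"}
PORT_PROTOCOLS = {"TCP", "UDP", "TCP/UDP"}


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Turn "80, 443, 8000-8080" into [(80, 80), (443, 443), (8000, 8080)].

    Raises ValueError on an empty entry, a non-numeric port, a port outside
    1-65535 or an inverted range, so a review script fails loudly instead of
    silently accepting a malformed policy.
    """
    ranges = []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError(f"empty entry in {spec!r}")
        lo, sep, hi = entry.partition("-")
        try:
            start = int(lo)
            end = int(hi) if sep else start
        except ValueError:
            raise ValueError(f"non-numeric port in {entry!r}") from None
        if not (1 <= start <= 65535 and 1 <= end <= 65535):
            raise ValueError(f"port out of range in {entry!r}")
        if start > end:
            raise ValueError(f"inverted range {entry!r}")
        ranges.append((start, end))
    return ranges


@dataclass
class NetworkService:
    name: str
    protocol: str
    ports: List[Tuple[int, int]] = field(default_factory=list)

    @classmethod
    def create(cls, name: str, protocol: str, port_spec: str = "") -> "NetworkService":
        """Build a service the way the Create a Service page does: only the
        TCP/UDP choices carry a port list; ICMP and Other have none."""
        if protocol not in PROTOCOLS:
            raise ValueError(f"unknown protocol {protocol!r}")
        ports = parse_ports(port_spec) if protocol in PORT_PROTOCOLS else []
        return cls(name, protocol, ports)

    def matches(self, protocol: str, port: Optional[int] = None) -> bool:
        """True if traffic of the given protocol/port falls under this service."""
        if self.protocol == "TCP/UDP":
            proto_ok = protocol in ("TCP", "UDP")
        else:
            proto_ok = protocol == self.protocol
        if not proto_ok:
            return False
        if not self.ports:          # ICMP / Other: protocol match is enough
            return True
        if port is None:
            return False
        return any(lo <= port <= hi for lo, hi in self.ports)


def port_count(service: NetworkService) -> int:
    """Number of distinct ports the service covers (0 for ICMP/Other)."""
    return sum(hi - lo + 1 for lo, hi in service.ports)


def overly_broad(services: List[NetworkService], limit: int = 100) -> List[str]:
    """Names of services covering more than `limit` ports; a review aid for
    role policies that should allow only specific applications."""
    return [s.name for s in services if port_count(s) > limit]


if __name__ == "__main__":
    # Constructed sample services, not taken from any real BSC configuration.
    svcs = [
        NetworkService.create("Web", "TCP/UDP", "80, 443"),
        NetworkService.create("Ping", "ICMP"),
        NetworkService.create("Ephemeral", "TCP", "1024-65535"),
    ]
    print(overly_broad(svcs))            # ['Ephemeral']
    print(svcs[0].matches("UDP", 443))   # True
```

`matches` treats a TCP/UDP service as covering both transports, mirroring the "both TCP/UDP" choice; `overly_broad` is the kind of check worth running over an exported policy before assigning a service group to a role.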
Creating Schedules and Schedule Groups 1. Click the User Roles tab in the BSC administrator console, and then click the Services tab. 2. Select Service from the Create drop-down list on the Services page. The Create a (service) group page appears as shown in Figure 8-15. Figure 8-15: Create a (Service) Group Page 3. Enter a meaningful name for the network service group in the Name field. 4.
1. Click the User Roles tab in the BSC administrator console, and then click the Schedules tab. 2. Select Schedule from the Create drop-down list on the Schedules page. The Create a schedule page appears as shown in Figure 8-16. 3. Enter a meaningful name for the schedule in the Name field. 4. Using the data entry fields and controls on the Create a schedule page, define the effective times or time range, and dates or date range for the schedule.
Creating Locations and Location Groups 5. Click Save to store the information to the BSC database or Save and create another to continue defining service groups. You might be prompted to restart the BSC. We recommend that you do not restart the BSC until you have completely finished configuring the BSC for use in your network.
For example, you might have defined “VLAN 15” that includes all access points on the shop floor. You can then create a location called Shop Floor that maps VLAN 15 to the location. After you create the location, you can then select it from the drop-down list when defining a network usage policy in a role. For example, you can create a policy that allows Telnet sessions only when the user is connected to the BSC from an access point in the Shop Floor (VLAN 15) location.
1. Click the User Roles tab in the BSC administrator console, and then click the Locations tab. 2. Select Location Group from the Create drop-down list on the Schedules page. The Create a (location) group page appears as shown in Figure 8-19. Figure 8-19: Create a (Location) Group Page 3. Enter a meaningful name for the location group in the Name field. 4.
9 Voice Over WLAN Support More and more organizations are now using IP phones that pass voice traffic over WLANs to make use of an existing 802.11 infrastructure for voice traffic as well as data traffic. BlueSecure Controller system software release 5.2 (and higher) enables you to pass IP phone voice traffic through the BSC by providing support of widely used voice over IP protocols (SIP and H.
Chapter 9: Voice Over WLAN Support Configuring General VoWLAN Settings Click the Voice tab in the BSC administrator console, and then click the General tab. The VoWLAN General Settings page appears as shown in Figure 9-1. Figure 9-1: VoWLAN General Settings Page 1. Mark the Prioritize Voice and Video Traffic checkbox to prioritize this traffic over the other background traffic to improve QoS. See “Configuring VoWLAN QoS” on page 9-3 for details on QoS. 2.
Configuring VoWLAN QoS Polycom/Avaya IP phone settings - Mark the Enable support for Polycom/Avaya IP phones checkbox if your wireless clients are passing Polycom/Avaya IP phone traffic through the BSC and configure the following settings: Polycom/Avaya gateway IP address or hostname - Enter one or more IP addresses/hostnames of the Polycom gateway(s) on your network as a comma-delimited list. Polycom/Avaya SVP server IP address or hostname - Enter one or more IP addresses/hostnames of the Polycom Voice Pr
10 General BSC Operational Settings You may modify the following BSC protocols and functions using the settings found on the General page in the BSC administrator console: • HTTP Server Settings • Intrusion Detection System • SNMP Agent • Automatic Backup of the BSC Database • System Time and Date Settings • Mail Server Access • Public Access Networks • Event Logging and Connection Tracking • Threshold Values • Domain Name System (DNS) Settings • Requesting and Installing an IPSec Authe
Chapter 10: General BSC Operational Settings HTTP Server Settings To modify the BSC HTTP server settings: Displaying the HTTP Settings page 1. Click the General tab in the BSC administrator console, and then click the HTTP tab. The HTTP Settings page appears as shown in Figure 10-1.
Login Redirects Comma separated list of HTTP/proxy ports to monitor - Enter the HTTP and HTTP proxy port(s) that the BSC monitors. The BSC monitors the port(s) for all unregistered users and, if it sees a request, it redirects the user to the login page. Specify ports using the comma-delimited format. Default value: 80. Port of HTTP redirection for user login - Enter the port through which the BSC sends a redirect response to the user to redirect their browser to the BSC login page.
Root CA URL - URL where the certificate authority (CA) credential is stored. Your browser can use the CA to establish that the BSC web server is a trusted source for data. Default value: https://secure.bluesocket.com/root-ca-2.crt Admin Login Options Admin web server port - Use to block admin access at the interface level. The default port is 443.
Intrusion Detection System BlueProtect Endpoint Scanning Optional. Enable BlueProtect Endpoint Scanning support as described in Appendix C, "Endpoint Scanning." BlueProtect cannot be disabled if existing roles require BlueProtect. Saving the settings Click Save to save the HTTP server settings to the BSC database. You may be prompted to restart the BSC. We recommend that you do not restart the BSC until you have completely finished configuring the BSC for use in your network.
Figure 10-2: BSC IDS Host State Model (states shown: Normal, Pre-monitoring, Monitoring, Blocked) Normal State By default, a user host starts in the Normal State unless otherwise blocked. The administrator-configurable parameter Maximum Number of Firewall Sessions per user defines the bounds of normal traffic. If a user host exceeds this maximum, i.e., if it tries to make too many connections through the BSC, the IDS records a violation for the host.
these roles or create your own IDS role to assign to blocked users. Note that the Monitoring Mode role is designed to be used only for test purposes as you tweak the BSC IDS settings for your network. The blocked host is allowed to get a DHCP address, but only administrator intervention can transition the host back to the Normal State. Finally, you may specify a URL to which to redirect blocked users.
Figure 10-3: Intrusion Detection System Settings Page Enable IDS Mark this checkbox to activate the BSC Intrusion Detection System. Thresholds Violation Threshold: Enter the maximum number of violations a user host may accrue in the Normal State. The default setting is 20. If a host exceeds the configured threshold, the BSC IDS moves the host to the Pre-monitoring State.
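The host state model above is easier to reason about (for instance, when tuning the Violation Threshold before enabling blocking in production) when it is run as code. The following Python is an added example, not Bluesocket code. It takes from the page only what the page states: a violation is recorded each time a host exceeds the maximum firewall sessions, a host in the Normal State moves to Pre-monitoring once its violations exceed the Violation Threshold (default 20), and a Blocked host returns to Normal only through administrator intervention. The thresholds for the Pre-monitoring and Monitoring states, the resetting of the violation counter on each transition, and all names (`IdsSettings`, `Ids`, `observe`, `admin_release`) are this example's assumptions.

```python
"""Simulation of a per-host IDS state model (added example; thresholds for the
Pre-monitoring and Monitoring states are assumed, not taken from the guide)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class HostState(Enum):
    NORMAL = "Normal"
    PRE_MONITORING = "Pre-monitoring"
    MONITORING = "Monitoring"
    BLOCKED = "Blocked"


# Escalation order drawn from the four states in Figure 10-2.
NEXT_STATE = {
    HostState.NORMAL: HostState.PRE_MONITORING,
    HostState.PRE_MONITORING: HostState.MONITORING,
    HostState.MONITORING: HostState.BLOCKED,
}


@dataclass
class IdsSettings:
    max_sessions: int = 100          # "Maximum Number of Firewall Sessions per user" (value assumed)
    violation_threshold: int = 20    # Normal State threshold; 20 is the guide's default
    pre_monitoring_threshold: int = 5  # ASSUMED: not stated on the page
    monitoring_threshold: int = 5      # ASSUMED: not stated on the page


@dataclass
class HostRecord:
    state: HostState = HostState.NORMAL
    violations: int = 0


@dataclass
class Ids:
    settings: IdsSettings = field(default_factory=IdsSettings)
    hosts: Dict[str, HostRecord] = field(default_factory=dict)
    events: List[Tuple[str, str]] = field(default_factory=list)  # what an event log would carry

    def _threshold(self, state: HostState) -> int:
        return {
            HostState.NORMAL: self.settings.violation_threshold,
            HostState.PRE_MONITORING: self.settings.pre_monitoring_threshold,
            HostState.MONITORING: self.settings.monitoring_threshold,
        }[state]

    def observe(self, host: str, open_sessions: int) -> HostState:
        """Feed one sample of a host's concurrent firewall sessions.

        A sample above max_sessions is one violation. Exceeding the current
        state's threshold escalates the host one state; Blocked is terminal
        until admin_release() is called.
        """
        rec = self.hosts.setdefault(host, HostRecord())
        if rec.state is HostState.BLOCKED or open_sessions <= self.settings.max_sessions:
            return rec.state
        rec.violations += 1
        self.events.append((host, f"violation {rec.violations} while {rec.state.value}"))
        if rec.violations > self._threshold(rec.state):
            rec.state = NEXT_STATE[rec.state]
            rec.violations = 0   # ASSUMED: counter restarts in the new state
            self.events.append((host, f"moved to {rec.state.value}"))
        return rec.state

    def admin_release(self, host: str) -> HostState:
        """Administrator intervention: the only way out of the Blocked State."""
        rec = self.hosts.setdefault(host, HostRecord())
        rec.state = HostState.NORMAL
        rec.violations = 0
        self.events.append((host, "released by administrator"))
        return rec.state

    def state_of(self, host: str) -> HostState:
        return self.hosts.get(host, HostRecord()).state


if __name__ == "__main__":
    ids = Ids()
    # Constructed traffic: a host that keeps opening 150 sessions against a limit of 100.
    for _ in range(21):
        ids.observe("10.0.0.5", 150)
    print(ids.state_of("10.0.0.5").value)   # Pre-monitoring
```

Running the simulation with a log of per-host session counts lets you see how quickly a chatty but legitimate client (a scanner, a peer-to-peer application) would escalate under a candidate Violation Threshold, which is exactly what the Monitoring Mode role exists to observe before blocking is turned on.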
Automatic Backup of the BSC Database Figure 10-4: SNMP Settings Page SNMP Agent Start the selected version of SNMP agent (v2c, v3, or both) on the BSC, or shut down the agent. To enable administrator access to SNMP v3, which requires a user ID and password, see “Adding a New Administrator Account” on page 3-4 of this guide. Default value: Off (SNMP agent shut down).
Displaying the Auto Backups page 1. Click the General tab in the BSC administrator console, and then click the Auto Backups tab. The Auto Backups page appears as shown in Figure 10-5. Figure 10-5: Auto Backups Page Recurrence Backup Method Set the time interval at which the BSC database is automatically backed up. Specific backup days and times are shown on the right side of the page. Default value: Never (i.e., automatic backup is disabled).
Mail Server Access Displaying the BSC Time Settings page 1. Click the General tab in the BSC administrator console, and then click the Time tab. The BSC Time Settings page appears as shown in Figure 10-6. Figure 10-6: BSC Time Settings Page System settings - Change the current time zone, date, or time on the BSC. Time entries are in 24-hour format (HHMMSS). To prevent manual update of the date or time, leave the date or time field blank, respectively.
tab, Email tab to configure the BSC to log in to your mail server securely. You can specify the SMTP authentication method (Login, PLAIN, CRAM-MD5) and, optionally, a user name and password. 1. Click the General tab in the BSC administrator console, and then click the Email tab. The BSC Email Settings page appears as shown in Figure 10-7. Figure 10-7: BSC Email Settings Page 2. SMTP Server: Enter the mail server hostname or IP address. 3. SMTP Port.
Public Access Networks Address of mail server for SMTP port redirection - In some public access wireless networks, to prevent spamming, ISPs do not allow email to be sent via their default mail server if the user is not a member of that network. The network administrator for such a network may designate a special SMTP server for this purpose, but this requires that users change their SMTP IP address and other settings.
Event Logging and Connection Tracking The BSC provides two types of logging facilities: • Event logging - The BSC records BSC-related events such as configuration changes, activity in secure tunnels, and number of logged in users. You can direct log output to the event log page (described in “Viewing the BSC Event Log” on page 15-10) or up to two syslog servers. Some events are logged only when a certain threshold value is reached.
Figure 10-9: Logging Settings Page • Enable Connection Tracking - If this checkbox is marked, the BSC sends information about all user TCP/UDP connections to the server specified in the IP or name of remote syslog server setting (see previous description). Connection tracking allows you to audit detailed data on user connections.
If cleared, no connection tracking data is logged. Default value: Disabled. Note: Connection tracking can potentially generate a large amount of data, proportional to the number of users and WLAN traffic. Application Logging • IP address or FQDN of remote connection tracking syslog server - Enter the IP address(es) or fully qualified domain name(s) of up to two syslog server(s) here to log connection tracking data.
Threshold Values You can specify threshold values that trigger the output of certain event log messages, SNMP traps, or a BSC failover. For those values expressed as a percent, the BSC generates an event log message, SNMP trap, or BSC shutdown/failover if the specified percentage is met or exceeded.
Warm Start - A restart of BSC services. Cold Start - A complete reboot of the BSC. Config Change - Any change to the BSC configuration. Failed User Login - A user login fails. SNMP Auth Failure - The BSC receives an SNMP message with an incorrect community string. Failover - The BSC goes into failover mode. General Failure - A BSC failure occurs, other than those specified elsewhere in this table. Saving the settings
Domain Name System (DNS) Settings Figure 10-11: DNS Proxy Page Managed-side DNS proxy Enable DNS Proxy? - If this checkbox is marked, wireless clients are provided with a DNS entry containing the IP address of the BSC's managed interface. All DNS requests are proxied (i.e., received and forwarded) by the managed interface to internal DNS servers on the protected side. If cleared, wireless clients are provided with protected-side DNS entries. Default value: Disabled.
• admin - Administrator login page at the specified host name and interface. Default host name: admin. Default interface: Protected. • secure - IPSec, L2TP/IPSec, or PPTP tunnel endpoint at the specified host name and interface. Default host name: secure. Default interface: Protected. Local Domain Name for local host: Domain name space for those host names you want to resolve locally (i.e., Enable DNS resolution for local domain names? is marked).
Digital Certificates • BSC secure web login page (SSL) - As with any secure web page (SSL), the web server presents a certificate to authenticate itself with the wireless client. The BSC's secure web user and administrator login pages contain a default Bluesocket SSL digital certificate, which is pre-installed on the BSC and cannot be edited or deleted by the client.
the server digital certificate). If you are using mutual authentication, mark the BSC Client Certificate radio button for the PKCS#12 certificate. 4. Click Browse to enter the pathname where the certificate file resides on your local computer in the Upload new certificate field. 5. Click Upload to upload the certificate file to the BSC from your computer.
Figure 10-13: IPSec Certificate Signing Request Generation Page Figure 10-14: IPSec CSR Generated Page 5. When the provider returns the signed certificate, upload it to the BSC: a) Click the General tab in the administrator console, click the Certificates tab, and then click the Generate link at the top of the page. The CSR generated page appears as shown in Figure 10-14.
Miscellaneous BSC Options Use the Miscellaneous page in the administrator console to configure the miscellaneous BSC options described below. Displaying the Miscellaneous settings page To configure miscellaneous BSC options: Click the General tab in the BSC administrator console, and then click the Miscellaneous tab. The Miscellaneous settings page appears as shown in Figure 10-15.
the Active Connections page (see “Monitoring Active User Connections” on page 15-2 for more information). Default value: 5 minutes. UI Time in seconds between refreshing status pages - Time interval at which the BSC refreshes the Status pages with the latest status data. Default value: 30 seconds. Access Point Tracking Read-only SNMP community string for all access points - SNMP community string used to access SNMP information on the wireless access points. Default value: public.
Serial Console Access Allow access via serial port? - By default, administrators are allowed to access a subset of the BSC’s functionality by connecting a console to the BSC’s serial port as described in Appendix D, "Serial Port Access to Essential Functions." Unmark the Allow access via serial port? checkbox to disable serial port access. ICMP Allow ICMP to protected Interface? - By default, Internet Control Message Protocol traffic (i.e.
11 Web Logins This chapter covers the following topics: • Customizing the User Login Page • The Appearance of the User Login Page • Customizing the Login Form and HTML Body of Login Page • Customizing the Right Side of the User Login Page • Redirecting Clients to an External Server for Authentication • Configuring Hotspot Account Generation • Uploading Image/Media Files for the User Login Page • Translating User Login Pages • Defining a User Login Page Language • Editing a User Login Page
Chapter 11: Web Logins Customizing the User Login Page You can customize the appearance of the web page that users see at login to maintain your organization’s brand identity and to control which login features to expose.
The default user login page along with the page elements that can be customized are shown in the following figure. Figure callouts: Define Window Title; Specify HTML page background, foreground (text), and link colors; Add Custom Logo and Specify Number of Pixels to add Above Logo; Guests Area - Specify background color, foreground (text) color, and placement above or below Users area; Users Area - Specify background color, foreground (text) color, and placement above or below Guests area.
Figure 11-3: Create New Custom Login Page
Name - Enter a meaningful name for the custom user login page you are defining. Login Options Allow user logins - If this checkbox is marked, the BSC login page displays the Registered Users login area, which enables registered users to log in to the wireless network. Default value: Enabled. If cleared, the Registered Users login area is not displayed on the BSC login page.
The Number of active sessions per username/authentication type applies to External Server Authentication methods only.
Displaying the GUI Customization Page 1. Click the Web Logins tab in the administrator console, click the Login Screens tab, and then click the icon that corresponds to the user login page you wish to edit. 2. Click the HTML Text link at the top of the page. The Edit HTML for custom login - Default page appears as shown in Figure 11-4.
Spacing Specify the remaining spacing options, if necessary: Pixels between the form and the customized HTML - Spacing in pixels between the login form on the left side of the login page and the left margin of the HTML code. Default: 40. Pixels between the top and the customized HTML - Spacing in pixels between the top of the login page (below the window title bar) and the top margin of the HTML code. Default: 60.
Example Here is a test page for testing all custom variables.
Redirecting Clients to an External Server for Authentication Complete the “Edit redirection for custom login Default” page to redirect clients to an external server for authentication. Note: The external authentication server must be reachable from the managed network. To enter the HTML code and set related parameters: 1.
Currently Micros-Fidelio Opera 4 PMS, Authorize.net SIM, Authorize.net AIM, and CyberSource are the four billing/payment transaction account providers that work with the BSC hotspot account generation feature. Free guest accounts are also created using the Hotspot Account generation feature. Prior to 6.
BSC uses the email address internally as the account name, different from the user’s credit card account name). Figure 11-7: Sample Account Selections Page After the user creates his or her access account, a confirmation page is displayed to allow the user to see the total cost for access and confirm previous selections. These confirmed account selections are then submitted to the online billing/payment transaction company, and the transaction is completed.
Table 11-1: Required Authorize.net Settings (Name / Authorize.net AIM Value) Payment Form:Color Settings - Any value. Payment Form:Header - Any value. Payment Form:Form Fields:First Name - Mark all three checkboxes: View; Edit; and Required. Payment Form:Form Fields:Last Name - Mark all three checkboxes: View; Edit; and Required. Payment Form:Form Fields:Zip Code - Mark all three checkboxes: View; Edit; and Required. Payment Form:Form Fields:Email - Mark just the “View” checkbox.
CyberSource • On the BSC side, set “Server Address” to test.authorize.net and check off (turn on) “Enable test mode” • On the Authorize.net Merchant Interface, switch the account to test mode by going to Account Settings --> Test Mode To set up a hotspot account to be billed through CyberSource, a merchant id and a private key are required on the Edit Hotspot Account Generation for custom login page. The private key must be downloaded from the CyberSource Business Center: 1.
Displaying the Hotspot Account Generation Page 1. Click the Web Logins tab in the administrator console, select the pencil icon to Edit the Default Wireless Network Log In, and then click the Hotspot Account Generation tab. The Edit Hotspot Account Generation for custom login page appears as shown in Figure 11-8. Enable users to create their own local accounts? - Mark the checkbox. Plans 1. Select a plan from one or more of the drop downs.
Response URL must be configured in the Merchant Interface. This will also cause error checking responses to be displayed directly on the transaction form. Authorize.net AIM: Enter the credentials the BSC requires to access your credit card processing provider account: Account Login ID and Transaction Key. Server Address - Enter the host name to which users will be redirected when setting up their account, for example, secure.authorize.net.
Uploading Image/Media Files for the User Login Page entering an anonymous email account (like blueman@yahoo.com), the BSC allows the option to exclude public email providers (yahoo, gmail). To configure this, go to Hotspot Account Generation and set auto-generate password, and exclude public-email providers. Then set up the email receipt that the guest will receive.
The topleftlogo file can be any GIF, JPEG or PNG file with a recommended size of 133x64 pixels. • Normal - All other image and media files. You can reference these files in HTML code for your custom login page. Note: You can click the User Login Page link on the right side of the page to display the user login page as it is currently defined. To upload image/media files for use on the user login page: Displaying the File Uploads Page 1.
Translating User Login Pages • Chinese-Traditional (zh-TW/Big5) • Czech (UTF-8) • Dutch (UTF-8) • English (en/ISO-8859-1) • French (fr/ISO-8859-1) • German (de/ISO-8859-1) • Italian (it/ISO-8859-1) • Japanese (ja/EUC-JP) • Korean (ko/EUC-KR) • Portuguese (pt/ISO-8859-1) • Spanish (es/ISO-8859-1) • Swedish (sv/ISO-8859-1) You can add to the list of supported languages by providing user login page translations in additional languages.
Defining a User Login Page Language Displaying the Create a User Login Page Figure 11-12: Create a User Login Page Language Page
To define a new user login page language: 1. Click the Web Logins tab in the administrator console, and then click the Languages tab. 2. Select Language from the Create menu. The Create new language page appears (see Figure 11-12). Language Setup Define how the language is represented in the BSC administrator console: Note that the Enable checkbox is marked by default. 1. Enter the name of the language in English in the English name field. 2.
Hotspot Sign-up Saving the settings • Thank-You page - Enter any HTML code to disable URL redirection after login. The HTML is displayed in a standard Thank You page when users assigned to this role log in. • Pop-up Link - Enter the text for the logout link, e.g. Click to Logout.
Installing a Custom SSL Login Certificate • “Requesting a Certificate” on page 11-23. • “Uploading a Replacement SSL Certificate You Already Have” on page 11-25. Requesting a Certificate If you do not have a replacement certificate, you need to issue a certificate signing request (CSR) to the certificate provider, who will return a signed certificate. You can then upload the certificate to the BSC. Displaying the SSL Certificate Generation Page Certificate Request 1.
The CSR generated page appears as shown in Figure 11-14. Figure 11-14: SSL CSR Generated Page To delete a CSR and start over, click Delete CSR on the left side of the page. Save a copy of the private key 4. When you generate the CSR, a private key is also created on the BSC. When a Copy CSR to provider’s web site 5.
• The host name is the same one you entered in your Certificate Signing Request. Figure 11-15: Uploaded Certificate Uploading a Replacement SSL Certificate You Already Have Digital certificates are only valid until a certain date. If your Web SSL certificate has expired, you must replace it; otherwise, users trying to log in may get a security warning, or even be blocked from logging in.
2. Upload the certificate as follows: a) Mark the BSC Client Certificate radio button. b) Click Browse, locate the file for the new certificate on your computer, and then click Upload to upload it to the BSC. 3. Click the Web Logins tab in the administrator console, and then click the SSL Certificate tab. The SSL Certificate Generation page appears. 4. Mark the Use an uploaded PKCS #12 certificate checkbox on the SSL Certificate Generation page.
The SSL Certificate Generation page appears as shown in Figure 11-17. Figure 11-17: SSL Certificate Generation Page 2. Click Browse in the Key Upload section to locate the private key on your computer. 3. Click Process to upload the key to the BSC. Renewing a Custom SSL Certificate A custom SSL login certificate is only valid for a finite period of time.
Installing a Wildcard (*) SSL Certificate on Multiple BSCs Before installing a wildcard SSL certificate on multiple BSCs, you first need to obtain and install a new SSL Certificate on the first BSC, as explained in “Installing a Custom SSL Login Certificate” on page 11-22.
12 BlueSecure Access Points This chapter covers the following topics: • Overview • Deploying BSAPs on the Same Layer-2 Subnet as the BSC • Deploying BSAPs with Layer-3 Connectivity to the BSC • How a BSAP Discovers BSCs • How a BSAP Selects a Home BSC • Uploading BSAP Firmware Files • Configuring Global Miscellaneous Non-Radio Settings • Configuring Global Radio Settings • Editing Settings for an Individual BSAP • Creating SSIDs • Creating BSAPs • Enabling BSAP Service • Displaying
Chapter 12: BlueSecure Access Points Overview Bluesocket manufactures a line of next-generation “thin” access points that work in conjunction with BlueSecure Controllers for enterprise wireless LAN (WLAN) deployments. All BlueSecure Access Points (BSAPs) feature dual radios supporting 802.11a/b/g. There are seven BSAP models: the BSAP1800, an 802.11n dual radio AP with second generation MIMO antenna technology, supporting the 802.
Deploying BSAPs on the Same Layer-2 Subnet as the BSC Note: Connect only the recommended number of BSAPs to a BSC: RF Management To overcome the various sources of RF noise and interference, and user loads that can impede the performance of access points on your WLAN, the BSC incorporates “DynamicRF™” functionality for use with BlueSecure Access Points.
Figure 12-2: Deploying BSAPs on the Same Layer-2 Subnet as the BSC (callouts: Run a DHCP Server or a DHCP Server Relay Agent on the BSC; BSAPs will Automatically Discover and Communicate with their Home BSC) See “Configuring the BSC DHCP Server” on page 4-11 for information about running a DHCP server on the BSC. See “Configuring a DHCP Relay Agent” on page 4-9 for information about running a DHCP relay agent on the BSC.
How a BSAP Discovers BSCs • Protocol 97 and TCP/UDP Port 33333 traffic is allowed between BSAPs and the BSC Each BSAP will receive its IP address from your existing network DHCP server. The BSAP also needs the IP address of the home BSC to which it will connect and from which it will obtain its software image and configuration.
How a BSAP Selects a Home BSC When a BSAP discovers multiple BSCs to which it may connect, it uses the following methods to select the home BSC to which it should connect: 1. If the BSAP has a BSC IP address that has been manually configured using its CLI or in the case where the BSAP has the IP address of the BSC that last assigned it a DHCP address (discovery methods #1 and #3), the BSAP queries the BSC to determine if the BSC is answering discovery requests.
Uploading BSAP Firmware Files model can have one Default firmware and one Alternative firmware. If set, the Default firmware will be applied to any newly discovered BSAPs. Note: Select the icon to transfer all BSAPs back to the Default firmware and flag them for Upgrade. 2. For example, if you select the pencil icon for the BSAP 1800, the Edit AP Firmware page appears as shown in Figure 12-5. Figure 12-5: Edit AP Firmware Page 3. Select either the Local file or Remote Location radio button.
Configuring Global Miscellaneous Non-Radio Settings The Wireless Global System Settings page is used to specify the country in which the BSAPs are located and to enable remote SSH diagnostics (this option only applies to BSAP-15x0 platforms). You can optionally override these global settings for individual BSAPs on the Wireless AP tab by clicking the pencil icon for the BSAP.
The Bluesocket Sales team maps customers to their country of operation, and each customer is issued an authorization code, which can be found in the Salesforce.com account. When the BSC is started for the first time, the country on the Wireless Global page is set to “No Country Set”. While the BSC is in this state, all Radios will be disabled on all Bluesocket Access Points.
Enable Front User Port - Mark the Enable Front User Port checkbox to enable the front Ethernet port on the Wi-Jack w/ Jack. To disable the port, uncheck the box. The default is enabled. Saving the settings Click Save to save the global BSAP settings to the BSC database. You may be prompted to restart the BSC. We recommend that you do not restart the BSC until you have completely finished configuring the BSC for use in your network.
Configuring Global Radio Settings 3. Select the Sensor Frequency Band in which to scan (BSAP-1800s with external antennas only). This determines which bands the BSAP will sense when it is scanning. It takes less time to scan all the channels when you limit the BSAP to a single band. Channel Options The Auto Channel Select checkbox only provides an auto mode on the global tab, since selecting a channel on a global basis is not recommended.
Figure 12-7: Edit 802.11b/g/n Settings - Global Page Advanced Settings for the 802.11b/g/n Radio Mark the Display Advanced Settings checkbox to specify the following: • Beacon Interval -- Enter the rate in milliseconds at which beacon signals are transmitted from the BSAP. The beacon signals allow wireless clients to maintain contact with the BSAP. They may also carry power-management information.
2. Mark the Antenna Diversity radio button to specify whether the antenna is automatically selected based on best signal reception (i.e., Diversity mode), or is fixed to use one of the BSAP’s antennas, A or B. (Default: Diversity mode is enabled). 3. Mark the Antenna Mode radio button to specify whether 3 Antennas or 1 Antenna is used. This is available on a per radio basis, globally or per each individual AP.
11N Load Balancing
[Rate selection lists; the 802.11n rate values shown on the page are 6.5, 13, 19.5, 26, 39, 52, 58.5, 65, 78, 104, 117, 130, 13.5, 27, 40.5, 54, 81, 108, 121.5, 135 and 150 Mbps; the list is truncated on the page.]
• 1 = Enabled 2. BSAP1700: MIMO Network Density: Network Density refers to how many wireless networks are deployed in your surroundings. This setting provides a mechanism to tell the AP how noisy to expect the environment so the AP can then adjust its noise threshold accordingly. The settings are subjective (i.e.
Saving the settings
7. Click Save to save the BSAP radio settings to the BSC database. You may be prompted to restart the BSC. We recommend that you do not restart the BSC until you have completely finished configuring the BSC for use in your network.
802.11a/n Radio Configuration
See “802.11b/g/n Radio Configuration” on page 12-10 for settings not described here.
Displaying Edit 802.11a/n Settings - Global
Click the Wireless Global tab, and then click the 802.11a/n link at the top of the page. Figure 12-8: Edit 802.
Editing Settings for an Individual BSAP
Operational Mode
Wireless Mode and Rate
Select one of the following from the drop-down menu to determine whether the BSAPs will act as Access Points, as RF sensors, or as both: • AP Mode - BSAP provides standard wireless client access. • Sensor Mode - Perform RF scanning to detect WLAN intrusion, attack, or vulnerability. • Dual (AP/Sensor) Mode - BSAP alternates between access point and RF sensor operation on a continual basis. • Wireless Mode - Select 802.
• Only Use Selected SSIDs - The BSAP will use only those SSIDs selected in the Select SSID picklist. Note: Only one SSID is supported on the BSAP-1700’s 11a radio.
Creating SSIDs
As part of the BSAP configuration, you can create a pool of Service Set Identifiers (SSIDs) that you can assign to BSAPs (maximum of 8 per radio).
the BSAP and all wireless clients. The PSK mode uses either TKIP or AES for packet encryption and key management as WPA in the enterprise, providing a robust and manageable alternative for small networks. When the WPA mode is set to “pre-shared key,” the key must first be generated and distributed to all wireless clients before they can successfully associate with the BSAP.
WPA2
Wi-Fi Protected Access 2 (WPA2) is the second generation of WPA security and is based on the final IEEE 802.
TKIP (This option cannot be used with 802.11n when connecting at rates above 54 Mbps). Temporal Key Integrity Protocol (TKIP): WPA specifies the TKIP data encryption method to replace WEP. TKIP avoids the problems of WEP static keys by dynamically changing data encryption keys. TKIP starts with a master (temporal) key for each user session and then mathematically generates other keys to encrypt each data packet.
The SSID is case sensitive and can consist of up to 32 alphanumeric characters. The SSID does not need to be unique. The same SSID can exist with different attributes (e.g. VLAN) on different access points. To configure this, use a different name with the same SSID and then override the access points with the desired named SSID. • VLAN -- Optional. Enter a VLAN identifier. Entering a VLAN ID enables VLAN tagging support on the BSAP.
3. Enter keys as 10 hexadecimal digits (0 to 9 and A to F) for 64 bit keys, 26 hexadecimal digits for 128 bit keys, or 32 hexadecimal digits for 152 bit keys. Be sure to specify a default key (0 to 3) when entering 64-bit keys.
WPA or WPA2 Authentication only
If you have configured WPA or WPA2 authentication, then you must configure access to the RADIUS authentication server that is to authenticate each user on the network before the user is able to join it. 1.
Creating BSAPs
Displaying the Create new AP page
Click the Wireless tab in the BSC administrator console, click the AP tab, and then select an AP model from the Create drop-down menu. The Create New AP page appears with the fields required for the BSAP model you are creating, for example the BSAP-1800 as shown in Figure 12-10.
Enable AP
The Enable AP check box is marked by default to enable the BSAP configuration.
MAC
Enter the MAC address of the BSAP.
Display Diagnostics Saving the settings
Specify which login page to display to users logging into the BSC on the managed interface via this BSAP from the drop-down menu. Select Normal to use the location- or VLAN-based login page or select a customized page you have defined. See “Customizing the User Login Page” on page 11-2 for information about creating a customized user login page.
Enabling BSAP Service
• Configured APs - The BSC accepts connections from only those BSAPs that have a configuration on the BSC. This is the recommended setting. • Any AP - This is the default setting. The BSC issues certificates to any BSAP. Selecting this option may pose a security risk to your network. Note: This feature is only for out-of-the-box access points that have not been previously attached to a BSC and received a certificate.
Saving the Settings
• Autochannel BG - Mark/unmark this checkbox to enable/disable the BSC to dynamically change the 802.11b/g/n channel settings of BSAPs under its control to achieve optimal RF performance. • Autochannel A - Mark/unmark this checkbox to enable/disable the BSC to dynamically change the 802.11a/n channel settings of BSAPs under its control to achieve optimal RF performance.
Displaying Configured BSAPs
After you have created BSAPs as described in “Creating BSAPs” on page 12-24 and as BSAPs come online and connect to the BSC, you can view their status on the Wireless AP tab. The tab presents a table that provides the following information about BSAPs that will connect to the BSC (i.e., BSAPs for which you have created configurations) and BSAPs that are currently connected to the BSC.
Table columns: Enabled, MAC, Radio MAC, Hostname, Location, Status, Active, Error, Hardware, Firmware.
Click to accept all the DynamicRF recommendations for channel and power. The configuration will be saved to the database, and then applied to the individual access point. Note: The BSAP-1700 does not support dual mode or Dynamic RF, only Set Once and Hold.
13 RF Intrusion Detection and Containment
The BSC detects and protects against rogue devices, ad-hoc networks, and a large number of WLAN Denial of Service (DoS) and spoofing attacks. The BSC provides RF intrusion detection by analyzing the data collected from its BSAPs operating in dual AP/sensor mode or sensor-only mode to detect attacks, vulnerabilities, and rogue devices in the RF space.
Chapter 13: RF Intrusion Detection and Containment
Identifying Authorized RF Stations on Your Network
To better track rogue devices on your network, you can create a “white list” of known authorized RF stations. RF devices not appearing on the authorized list will be identified as rogue or intruding devices. To add an RF device to BSC’s list of known authorized RF stations:
Displaying the Create new Station page
1. Click the Wireless tab in the BSC administrator console, and then click the Stations tab.
Configuring RF Alarms
• Rogue - This station is not authorized to be on the network and an alarm will be generated if it is detected. • Neighbor - This station is not part of the internal network, but is always present. • Unknown - The origin and/or identity of this station is unknown at this time.
Saving the settings
Click Save to save the RF station settings to the BSC database.
Table 13-1: BSAP Sensor Alarms (columns: Alarm, Description, Dual/Sensor Mode)
• Client BSSID Changed - Mobile station has changed its BSSID. (D)
• Client Limit - Maximum client limit per AP has been reached. Could be due to a MAC spoofing client or real network density increase. (D)
• Client Rate Support Mismatch - Specified mandatory data rate in Probe Request does not match the values advertised by the AP.
Table 13-1: BSAP Sensor Alarms (continued; columns: Alarm, Description, Dual/Sensor Mode)
• Rogue AP - A Rogue AP has been detected. Check that this is not a newly installed Access Point or an AP belonging to a nearby organization. (D)
• Rogue Ad-Hoc Client - A rogue client in Ad-Hoc mode has been detected. (D)
• SSID too long - SSID length exceeds 32 bytes, which is larger than allowed by the 802.11 standard. This is indicative of an SSID handling exploit.
• Severe - This is the highest alert level and is usually associated with a WLAN intrusion, e.g., a broadcast attack. • Warning - This alert level is usually associated with a security vulnerability, e.g., a client association change. • Informational - This alert level is usually associated with a change in network operational status, e.g., an authorized AP is down. Figure 13-3: Alarm Configuration Page 5.
Configuring Autocontainment Figure 13-4: Autocontainment Configuration Page 2. Mark the Enable Autocontainment checkbox to enable RF autocontainment. 3. Enter the duration (in minutes) that the BSC will perform active containment on the rogue device in the Autocontainment Duration field. 4. Click Save to save the autocontainment settings to the BSC database. See “Monitoring Devices in RF Autocontainment” on page 15-7 for information about displaying a list of devices currently in active containment.
14 Secure Mobility® MatriX
This chapter provides procedures for configuring a large-scale wireless network that requires two or more BlueSecure Controllers. The term Secure Mobility MatriX refers to three functional areas: Secure Mobility, Replication, and Load Sharing.
Chapter 14: Secure Mobility® MatriX An Overview of the Secure Mobility MatriX Where multiple BlueSecure Controllers are deployed across multiple WLANs, Bluesocket provides centralized management and control through its Secure Mobility MatriX architecture, as shown in the following figure.
Secure Mobility® General Configuration Procedure Follow these high-level steps to configure a multiple-BSC Secure Mobility MatriX: 1. Configure the BSC Secure Mobility feature to enable seamless secure user roaming across subnets in your network. • An overview of the Secure Mobility feature is given in “Secure Mobility®” on page 14-3. • See “Step 1: Designate and Set Up the Mobility Node List Master” on page 14-6 for detailed Secure Mobility feature configuration instructions. 2.
How Secure Mobility Works
The following figure illustrates how Secure Mobility works. For simplicity, two wireless networks and one mobile user are shown. In practice, the number of mobile users and WLANs is much greater.
[Figure 14-4: Secure Mobility: Phase 3. Diagram showing Subnet 1 and Subnet 2, a Router, BSC-A, BSC-B, WLAN 1, WLAN 2 and a Mobile User; the BSCs communicate to see if the user was on a different subnet originally, and BSC-B detects the new user from BSC-A.]
A single BSC in the Secure Mobility configuration is configured as the Mobility Node List Master.
subnet. BSC protected interfaces that are not connected to a router may be on the same subnet. The following figure illustrates the subnet requirements for the BSC managed and protected interfaces to enable use of Secure Mobility® in a multiple-BSC network.
Figure 14-7: BSC Secure Mobility Setup Page
communicating with each other, thus providing an extra layer of security. The key can be any text string you choose, as long as it is the same for all BSCs in the Secure Mobility configuration. 4. Re-enter the Secure Mobility mesh key in the Confirm field. 5. Set the BSC role to Secure Mobility Node List Master by marking the Act as a master and transmit mobility node list to the mobility nodes radio button. 6.
a) Enter the IP address of the protected interface on the Node and an optional description in the fields provided. b) Note that the Enable Secure Mobility node checkbox is marked by default to enable secure mobility on this node. c) Click Save to store the information or Save and create another to continue defining mobility node BSCs. 3. Click the Secure Mobility Nodes tab on the Mobility MatriX page to review the list of configured nodes.
be any text string you choose, as long as it is the same for all BSCs in the Secure Mobility configuration. 7. Re-enter the Secure Mobility mesh key in the Confirm field. 8. Click Save to save the BSC Secure Mobility settings to the BSC database. Do not restart the BSC until instructed to do so at the end of this procedure.
• Last Update - ID of last status update. • Last Update Message - Last message concerning Secure Mobility configuration update. • Last Requested Update - ID of the update last requested by the Node.
Enabling VLAN Roaming Across LSG BSCs
To enable users to roam between BSC managed interfaces within the same LSG, configure the following Secure Mobility settings on each LSG member BSC: 1.
Replication A Comparison of Standard and Cascaded Replication In addition to the standard replication configuration described above, v4 (and later) of the BSC system software also supports a cascaded replication configuration. The following figure illustrates a standard BSC replication configuration and a cascaded BSC replication configuration.
Step 1: Set Up Replication on the Master
Select one BSC as the Replication Master. You can also set up a secondary BSC in a failover configuration with the Replication Master. You can configure VLANs as well. To set up replication on the Master BSC: 1. Click the Mobility MatriX tab in the BSC administrator console, and then click the Replication Setup tab. The Replication Setup page appears as shown in Figure 14-11.
Figure 14-12: Create a Node Page
d) Optional. If you are configuring the replication feature to support a Load Sharing Group, you must take the additional step of adding the Replication Master as a Replication Node by following steps a to c. This is only required if you are using the BSC Load Sharing Feature. 3. Click the Replication Nodes tab on the Mobility MatriX page to review the list of configured nodes. If any Replication Node BSCs are missing, add them by following the above steps.
Figure 14-13: Configuring Replication on a Node BSC
5. Mark the Acquire a snapshot from the master? checkbox to configure the Replication Node to upload the database snapshot file that is generated on the Replication Master. The upload occurs when you restart the Replication Nodes, later in this procedure. 6. Click Save to store the information to the BSC database.
Figure 14-14: Configuring a Replication Master/Node
6. Do not restart the BSC until instructed to do so at the end of this procedure.
Step 5: Restart Services on the Master and All Nodes
To restart each BSC, click the click here link in the Restart message on the Replication Master, on all of the Replication Nodes, and on any combination Master/Node BSC if using cascaded replication.
2. If you are supporting VoIP, make sure that you override the replicated IP addresses for the SpectraLink/Avaya gateway and SVP server. See “Configuring Vendor-specific IP Phone Support” on page 9-2 for VoIP details. 3. Click Save to save the BSC Replication Override settings to the BSC database. 4. Restart the BSC to enable the replication override.
Load Sharing
Use the BSC load sharing feature in environments where many wireless clients log onto the network simultaneously via a limited number of access points. The load sharing feature should be used when the collective traffic load from a group of wireless and wired clients exceeds the performance limits of a single BSC. Note that Secure Mobility roaming is supported on VLANs within a Load Sharing Group, but not from a BSC outside of the Load Sharing Group.
Network Requirements
Ensure that your BSC network meets the following requirements before you configure the BSC load sharing feature on up to six BSCs in a load sharing group. • We recommend that you assign a fixed IP address to the protected interface for each BSC in the load sharing group (LSG) because, during a load sharing failover event, the interface state might change in a way that conflicts with the DHCP client.
sharing feature on up to six members of the local replication configuration including the Replication Master by following these steps. Note: Before configuring Load Sharing or performing the following three steps, create all the VLANs that you wish to use on all Load Sharing Nodes. If a VLAN exists on one node, it must exist on all boxes with the same VLAN id. 1. Define the IDs and virtual network addresses to be assigned to members of the load sharing group on the Load Sharing Master. 2.
Figure 14-18: Defining LSG Member Settings
b) Select a weight (1 to 5) from the Weight drop-down menu to assign the LSG member. A low weight (e.g. 1) means that the LSG member is less likely to be selected to service client traffic. A high weight means the LSG member is more likely to be selected. c) Enter the Load Sharing IP virtual address to assign the LSG member’s managed interface in the Managed side virtual address field.
• Enter a subnet mask in the Managed side netmask that specifies which bits in the Load Sharing virtual IP address correspond to network address and which bits correspond to the subnet portion of the address. This netmask must match the corresponding VLAN’s netmask. • Optional. If using the same protected-side VLAN, then enter the Load Sharing IP virtual address to assign the LSG member’s protected interface in the Protected side virtual address field. 3.
Figure 14-20: Configuring Load Sharing on a Node
4. Mark the ID radio button that corresponds to the load sharing ID for the Load Sharing Node. 5. Specify the Load sharing method that is to be used: NAT enabled for Managed Interfaces or NAT disabled for Managed Interfaces. Note: This procedure demonstrates configuration of the Single Subnet load sharing method.
You must allocate physical and virtual addresses carefully according to the subnets you have chosen. Each node's assigned virtual address and physical address must be located in the same subnet. 1. physical=192.168.160.1/24 virtual=192.168.160.2/26 2. physical=192.168.160.65/24 virtual=192.168.160.66/26 3. physical=192.168.160.129/24 virtual=192.168.160.130/26 Note here we use the /24 subnet for all physical addresses and the /26 subnet for the virtual addresses.
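The address plan above is easy to get wrong by hand, so here is an added checker (not part of the guide or the BSC software) that takes the three physical/virtual pairs from the example and verifies each node's virtual address sits in the same subnet as its physical address, that the physical address falls inside the virtual /26, and that no two nodes' virtual subnets overlap; the rules it applies are the ones stated in the text, the function names are assumptions.

```python
from ipaddress import ip_interface

# Constructed address plan, copied from the three-node example in the text:
# each entry is (physical address, virtual load-sharing address).
NODE_PLAN = [
    ("192.168.160.1/24",   "192.168.160.2/26"),
    ("192.168.160.65/24",  "192.168.160.66/26"),
    ("192.168.160.129/24", "192.168.160.130/26"),
]


def check_node(physical: str, virtual: str) -> list:
    """Return the problems found for one node; an empty list means it passes."""
    phys, virt = ip_interface(physical), ip_interface(virtual)
    problems = []
    # Rule from the text: virtual and physical address must share a subnet.
    if virt.ip not in phys.network:
        problems.append(f"virtual {virt.ip} is outside physical subnet {phys.network}")
    if phys.ip not in virt.network:
        problems.append(f"physical {phys.ip} is outside virtual subnet {virt.network}")
    if phys.ip == virt.ip:
        problems.append("virtual and physical address are identical")
    # A virtual address on the network or broadcast address is unusable.
    if virt.ip in (virt.network.network_address, virt.network.broadcast_address):
        problems.append(f"virtual {virt.ip} is the network or broadcast address")
    return problems


def check_plan(plan: list) -> dict:
    """Validate every node, then make sure no two virtual subnets overlap.

    Returns {node_number: [problem, ...]}; all lists empty means the plan
    follows the rules in the text.
    """
    report = {i: check_node(p, v) for i, (p, v) in enumerate(plan, start=1)}
    nets = [ip_interface(v).network for _, v in plan]
    for a in range(len(nets)):
        for b in range(a + 1, len(nets)):
            if nets[a].overlaps(nets[b]):
                msg = f"virtual subnet {nets[a]} (node {a + 1}) overlaps {nets[b]} (node {b + 1})"
                report[a + 1].append(msg)
                report[b + 1].append(msg)
    return report


if __name__ == "__main__":
    for node, problems in check_plan(NODE_PLAN).items():
        print(f"node {node}: {'ok' if not problems else '; '.join(problems)}")
```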
Figure 14-21: Verifying the Protected Interface Address Settings (shows the physical protected interface address and the virtual load sharing protected interface setting)
Figure 14-22: Load Sharing Setup on the Load Sharing Master
In the event of a down interface on a Load Sharing Group member, the Load Sharing Master will reassign the traffic load to another member of the group almost instantaneously.
Figure 14-23: Load Sharing Setup on the Load Sharing Node
Figure 14-24: Verifying the Load Sharing Failover Event
Load Sharing Status Summary
You can also display a quick visual snapshot of your configured Load Sharing Group by clicking Status/Summary, and then clicking the Loadsharing link at the top of the page.
15 Status
This chapter covers the following topics: • Monitoring Active User Connections • Viewing the BSC Event Log • Displaying a BSC Status Summary • Displaying BSC Secure Mobility® Status • Displaying Load Sharing Status • Displaying Power over Ethernet (PoE) Status • Generating and Displaying BSC Reports • Performing Standard Network Diagnostic Tests • Capturing Network Traffic Data
BlueSecure™ Controller Setup and Administration Guide 15-1
Chapter 15: Status Monitoring Active User Connections You can monitor and display active user connection status and other user information, such as IP address, assigned role, and throughput statistics, in both text and graphical formats. The information in this section is organized as follows: • “Displaying Active User Status” on page 15-2. • “Forcing a User Logout” on page 15-3. • “Monitoring a User’s IDS Status” on page 15-3.
• Role - Role assigned to this connection. To change a user’s role, mark that user’s checkbox and then select the new role from the Override Role dropdown. • Authentication - Authentication type (Local = BSC user database). • Current/Average Kbps - Current and average data throughput in kilobytes per second (Kbps). • Start Time - Start date and time of the connection session.
• Packets Dropped - Count of packets dropped due to blocked port(s). • Port N - Count of packets dropped on this blocked port. • Start Time - Start date and time of the connection session.
Monitoring Connected Access Points
To enable the BSC to monitor the status of connected access points, you must configure the access point tracking parameters listed on the General/Misc page in the BSC administrator console.
Figure 15-3: Displaying Detailed Access Point Information
If you are monitoring BlueSecure Access Points connected to and configured by the BSC, then the following additional fields of status information are displayed:
• Associations - Wireless clients that have associated to the BSAP. Click (+) to expand the list of associations or (-) to collapse the list. • Count - Number of associations to the BSAP. • Channel - Channel on which BSAP’s 802.11a/n and 802.11b/g/n radios are operating. • Tx Power - Transmission power settings for the BSAP 802.11a/n and 802.11b/g/n radios. • ESSID - Extended Service Set Identifier used to identify wireless clients associated to the BSAP.
Sensor IP or Sensor Location columns are visible, the column headers also have a global expansion button (a plus icon). Clicking on this icon expands all sensor MAC columns. • Action - Click the pencil icon to display the Create a New Station page. Click the green light icon to initiate active containment on the corresponding device. Click the lock icon to stop active containment on the corresponding device.
Figure 15-5: Contained Devices Page
You must have the Macromedia Flash (Version 6 or later) browser plug-in installed and a VBScript-enabled browser [e.g., Microsoft Internet Explorer] to use the graphical monitoring tool. You can download and install the latest Macromedia Flash browser plugin by visiting http://www.macromedia.com/go/getflashplayer.
User connections are displayed on the horizontal axis and data throughput on the vertical axis. Note the following about the graphical monitor display: • Secure connections are shown as a solid cylinder (not shown in the example) and non-secure connections as a hollow tube with a center rod. Place the mouse pointer over a connection to display more information about it. • The role assigned to each user is color-coded.
Filtering Users
3. Click Filter to apply the filters you have defined. The Filter Users dialog closes and the graphical monitoring tool is refreshed to display only those user connections that pass through the filters you have defined. You may edit or turn off the filters you have defined by clicking on the appropriate link at the bottom of the graphical monitoring tool screen.
Viewing the BSC Event Log
The BSC maintains a log file of significant events.
Displaying a BSC Status Summary alphanumeric characters in event descriptions, choose Search from the Message dropdown list and enter the string. The Rows per page control restricts the number of rows displayed per log page for easy viewing. The Page number drop-down list, next link, and prior link allow quick navigation through the log. To delete all of the log entries, click Purge all logs at the bottom of the screen.
Displaying BSC Secure Mobility® Status
If you have configured the BSC Secure Mobility feature to enable users to roam across subnets seamlessly (See “Step 1: Designate and Set Up the Mobility Node List Master” on page 14-6 for setup details), you can display status information about a user’s roaming status.
The status summary for a three-node Load Sharing Group that is up and fully operational would look similar to the following figure.
Figure 15-10: Load Sharing Status Summary
Displaying Power over Ethernet (PoE) Status
For the BSC 600/1200, you can display the PoE status, as shown in Figure 15-11.
Figure 15-11: Power over Ethernet (PoE) Status Summary
There are two lines in the PoE Summary page, PoE State and PoE Activity.
Using Pre-defined Report Definitions
The following pre-defined report definitions are available to generate your BSC report: • Total Users - Total number of users. • Bandwidth usage by user - Bandwidth consumed by each user. • System bandwidth usage - Total BSC throughput. • System performance - System performance statistics. • Total logins by user - Number of logins by each user. • User Session Statistics - All data available for user logout.
Generating and Displaying BSC Reports • Log Level - Restricts collected data to records of a specified log level or higher in severity. For example, if you choose Critical, the BSC only collects data from records that have a Critical, Alert, or Emergency log level. 4. Click Save to save the report definition to the BSC database or Save and create another to continue creating report definitions. Creating a BSC Report To set the report format, time period, and delivery options and create the report: 1.
Alternatively, you can generate a report for a specific time period. To do so, select Specific Time Period from the drop-down and then indicate the Start Time and End Time. The ending date and time you select is also the date/time that the report is automatically delivered via the selected delivery options. • Output format - Output format of the report: Text, CSV, or XML.
Performing Standard Network Diagnostic Tests
To specify display or delivery of the report, click the appropriate icon in the Action column next to the name of the report. The following table summarizes the report icons.
Table 15-1: Report Display and Delivery Icons (columns: Icon, Click to ...)
• [icon] - Display the report listed in the corresponding table row.
• [icon] - Display the graph listed in the corresponding table row.
• [icon] - Download the report listed in the corresponding table row.
Figure 15-15: Task Execution Menu Page
Displaying the Task Execution Menu
Click the Status tab in the BSC administrator console, click the Diagnostics tab, and then click the System link at the top of the page. The Task execution menu page appears as shown in Figure 15-15.
Ping
Use the standard Packet InterNet Groper utility to determine if the BSC can reach a specified IP address over a specified network interface.
Purge DHCP leases
Mark this checkbox to purge existing IP addresses leased by the DHCP server. Enabling this option means that clients might receive different IP addresses when issued by the DHCP server.
Netstat
List statistics about the network including socket status, interfaces that have been autoconfigured, memory statistics, etc. The Genmask column refers to the Netmask.
Capturing Network Traffic Data
The BSC allows you to capture network traffic data on any of its physical or VLAN interfaces, filter the packets using specified criteria, and then save the data as a file. You can then either display the data file on screen or import the file into any network analyzer program, such as Ethereal or TCP Dump. To capture BSC network traffic: 1.
6. Optional. To delete a traffic capture file, select the name of the file from the Choose File drop-down list, mark the Delete radio button, and then click the Submit button.
16 Maintenance This chapter covers the following topics: • Restarting, Rebooting, and Shutting Down the BSC • Configuration Backup and Restore • Backup • Restore • Show Tech • Resetting the BSC to its Default Settings • Save DHCP Leases • Export Firewall Policies • Export BSAP-1840 Licenses • Upgrading to a New Version of Runtime Software • Software Patches • Switching Between BSC Runtime Software Versions • Exporting and Importing BSC Bulk Data Files • Exporting BSC Log Records •
Chapter 16: Maintenance Restarting, Rebooting, and Shutting Down the BSC Many configuration settings in the BSC do not take effect until you restart certain BSC services or reboot the BSC. Where a restart of service(s) or a reboot is needed to effect configuration changes, a message is displayed in the administrator console that includes a click here link. Click the link, and the BSC will perform whatever action is required.
Configuration Backup and Restore
Backup
All BSC configuration information is stored in its internal database. We strongly recommend that you routinely back up the database, so that you can restore the original settings if the current database becomes corrupted or unusable. You can also configure the BSC to back up its database automatically to an external host via FTP or SCP. See “Automatic Backup of the BSC Database” on page 10-9 for details. To back up the BSC database: 1.
1. Click the Maintenance tab and then click Configuration Backup/Restore. The BSC configuration backup and restore page appears as shown in Figure 16-3. Figure 16-3: BSC Configuration Backup and Restore Page (Restore) 2. Mark the Restore radio button. 3. Enter the pathname of the .BLUE database file in the Configuration to restore field. 4. Click Restore to upload the database to the BSC to which you are connected.
To reset all BSC configuration settings back to their default values: 1. Click the Maintenance tab and then click Configuration Backup/Restore. The BSC configuration backup and restore page appears. 2. Mark the Reset to default settings radio button, and then click Reset. You are prompted to confirm your intention to restore the BSC’s default settings as shown in Figure 16-4. Figure 16-4: Restore Default Settings Dialog 3. Click OK. The BSC reboots.
Un-registered;1;Allow;Any;Any;Outgoing;192.168.100.18/255.255.255.255;Any;Any;
Un-registered;1;Allow;Any;Any;Outgoing;abc.go.com/255.255.255.255;Any;Any;
Un-registered;1;Allow;Any;Any;Outgoing;www.google.com/255.255.255.255;Any;Any;
Guest;2;Allow;TCP;53;Outgoing;0.0.0.0/0;Any;Any;
Guest;2;Allow;UDP;53;Outgoing;0.0.0.0/0;Any;Any;
Guest;2;Allow;Any;Any;Outgoing;0.0.0.0/0;Any;Any;
Export BSAP-1840 Licenses
This exports the list of BSAP-1840 802.11n licenses on the BSC.
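The exported firewall policy lines above are semicolon-separated records, which makes them easy to review offline. The following is an added example (not the guide's or the BSC's own code) that parses records in that layout and flags Allow rules whose destination is 0.0.0.0/0 with any protocol and port; the column names (role, sequence, action, protocol, port, direction, destination) are my reading of the sample, and the meaning of the two trailing "Any" columns is not stated on the page, so they are kept as opaque extra fields.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple, Union

# Constructed sample in the layout of the export shown above (the guide's
# printed copy wraps "address/ mask" across lines; normalize_export undoes that).
SAMPLE_EXPORT = """\
Un-registered;1;Allow;Any;Any;Outgoing;192.168.100.18/ 255.255.255.255;Any;Any;
Un-registered;1;Allow;Any;Any;Outgoing;abc.go.com/255.255.255.255;Any;Any;
Un-registered;1;Allow;Any;Any;Outgoing;www.google.com/255.255.255.255;Any;Any;
Guest;2;Allow;TCP;53;Outgoing;0.0.0.0/0;Any;Any;
Guest;2;Allow;UDP;53;Outgoing;0.0.0.0/0;Any;Any;
Guest;2;Allow;Any;Any;Outgoing;0.0.0.0/0;Any;Any;
"""

Destination = Union[ipaddress.IPv4Network, str]


@dataclass
class PolicyRule:
    role: str
    sequence: int            # assumed meaning of the second column
    action: str
    protocol: str
    port: str                # kept as text because "Any" is a valid value
    direction: str
    destination: Destination  # IPv4 network, or a host name left as text
    extra: Tuple[str, ...]    # trailing columns whose meaning the page does not give


def normalize_export(text: str) -> str:
    """Re-join 'address/ mask' fields that the printed page wrapped."""
    return re.sub(r"/\s+", "/", text)


def parse_destination(field: str) -> Destination:
    """'ip/mask' becomes an IPv4Network; anything else is treated as a host name."""
    try:
        return ipaddress.ip_network(field, strict=False)
    except ValueError:
        return field.split("/", 1)[0]   # drop the mask that follows a host name


def parse_export(text: str) -> List[PolicyRule]:
    rules = []
    for lineno, line in enumerate(normalize_export(text).splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        fields = line.rstrip(";").split(";")
        if len(fields) < 7:
            raise ValueError(f"line {lineno}: expected at least 7 fields, got {len(fields)}")
        rules.append(PolicyRule(
            role=fields[0],
            sequence=int(fields[1]),
            action=fields[2],
            protocol=fields[3],
            port=fields[4],
            direction=fields[5],
            destination=parse_destination(fields[6]),
            extra=tuple(fields[7:]),
        ))
    return rules


def find_wide_open_rules(rules: List[PolicyRule]) -> List[PolicyRule]:
    """Allow rules for any protocol and port to 0.0.0.0/0: worth a second look
    during a policy review, since they let the role reach any destination."""
    return [
        r for r in rules
        if r.action == "Allow"
        and r.protocol == "Any" and r.port == "Any"
        and isinstance(r.destination, ipaddress.IPv4Network)
        and r.destination.prefixlen == 0
    ]


if __name__ == "__main__":
    for rule in find_wide_open_rules(parse_export(SAMPLE_EXPORT)):
        print(f"role {rule.role}: {rule.action} {rule.protocol}/{rule.port} "
              f"{rule.direction} to {rule.destination}")
```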
Upgrading to a New Version of Runtime Software
3. After the database is backed up, click the Maintenance tab in the BSC administrator console, and then click Upgrade to display the BSC update page, for example as shown in Figure 16-5.
Figure 16-5: BSC Update Page
The current active image, either A or B, is shown in boldface on the right side of the page.
4. Enter the pathname of the new runtime image you wish to load onto the BSC.
5. Optional.
e) Restart services on each BSC you have upgraded.
3. Re-configure each original Node BSC as a Node and configure it to receive a snapshot from the Replication Master:
a) Click the Mobility MatriX tab in the Administrator console, and then click Replication Setup.
b) Clear the Act as a Master and transmit configuration settings to the replication nodes? checkbox and then mark the Act as a Master and transmit configuration settings to the replication nodes? checkbox.
Switching Between BSC Runtime Software Versions
The Manage Patches for BSC page appears as shown in Figure 16-6.
Figure 16-6: Manage Patches for BSC Page
Any previously installed patches are listed in the Installed Patches listbox.
2. Use the Browse button to enter the pathname where the patch file resides on your local computer in the Upload new patch field.
3. Click Install Patch to install the patch on the BSC.
3. Click Switch, and then reboot the BSC manually when prompted.
Figure 16-7: BSC Switch Tool Page
Exporting and Importing BSC Bulk Data Files
You can export and import these types of BSC bulk data files:
• Local Users
• MAC Devices
• Fixed IP Addresses
• Access Points
• Authorized RF Stations
Exporting and importing BSC data files can speed up the BSC configuration process.
5. Select the local data fields to export by marking the checkbox. It is good practice to export all data fields, or at least all configured data fields. Never omit a configured data field.
6. Click Export, and then specify where to save the file on your computer.
Importing Data Files
Note: The presence/absence of the ID column in the import data determines whether the existing records are overridden or added to the existing records.
Note: When importing values, the BSC shows the values before it adds them to the configuration information. It will give you warnings about any records it cannot accept because they would conflict with the data in existing records (such as two records with the same MAC address or user name). You can edit the values to correct problems before they are finally added. The new records are not actually added until you confirm them.
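The two notes above describe the rules the BSC applies to an import: an ID column switches the import from add mode to override mode, and records that duplicate an existing MAC address or user name are rejected. The following added example (not Bluesocket code and not part of this guide) applies the same two rules to a bulk data file before it is uploaded, so conflicts are found and corrected offline rather than at the confirmation step. The column names ID, Username and MAC, the CSV layout and the sample records are all assumptions constructed for the illustration; the real export column names come from the Export page.

```python
"""Pre-import check for a BSC bulk data file (added example, not Bluesocket code).

Assumed CSV columns: ID (optional), Username, MAC. With an ID column the file is
treated as an override (existing records with that ID are replaced), otherwise as
an add; duplicate user names or MAC addresses are reported as conflicts.
"""
import csv
import io

# Constructed sample of records assumed to be on the controller already.
EXISTING = [
    {"ID": "1", "Username": "alice", "MAC": "00:11:22:33:44:55"},
    {"ID": "2", "Username": "bob", "MAC": "00:11:22:33:44:66"},
]

# Constructed import file without an ID column (add mode); two rows conflict.
IMPORT_ADD = """\
Username,MAC
carol,00:11:22:33:44:77
bob,00:11:22:33:44:88
dave,00-11-22-33-44-55
"""


def normalize_mac(mac):
    """Canonical lowercase colon form so 00-11-22-33-44-55 equals 00:11:22:33:44:55."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_import(csv_text, existing):
    """Return (mode, accepted_rows, warnings) for the file against existing records."""
    reader = csv.DictReader(io.StringIO(csv_text))
    mode = "override" if "ID" in (reader.fieldnames or []) else "add"
    # Map each user name and MAC to the ID of the record that owns it.
    user_owner = {r["Username"].lower(): r["ID"] for r in existing}
    mac_owner = {normalize_mac(r["MAC"]): r["ID"] for r in existing}
    accepted, warnings = [], []
    for n, row in enumerate(reader, 2):  # line 1 is the header
        user = row["Username"].strip().lower()
        mac = normalize_mac(row["MAC"])
        # In override mode a row may legitimately repeat the values of the record it replaces.
        rid = row.get("ID") if mode == "override" else None
        clash = []
        if user in user_owner and user_owner[user] != rid:
            clash.append(f"user name {user!r} already used by record {user_owner[user]}")
        if mac in mac_owner and mac_owner[mac] != rid:
            clash.append(f"MAC {mac} already used by record {mac_owner[mac]}")
        if clash:
            warnings.append(f"line {n}: " + "; ".join(clash))
            continue
        # Reserve the values so a later row in the same file cannot duplicate them.
        user_owner[user] = rid or f"new@{n}"
        mac_owner[mac] = rid or f"new@{n}"
        accepted.append({"ID": rid, "Username": user, "MAC": mac})
    return mode, accepted, warnings


if __name__ == "__main__":
    mode, ok, warns = check_import(IMPORT_ADD, EXISTING)
    print(f"mode={mode}, accepted={len(ok)}")
    for w in warns:
        print("warning:", w)
```

For the constructed file the check accepts carol, rejects the second bob because the user name exists, and rejects dave because the hyphenated MAC normalizes to alice's address; an override file whose ID matches the record it replaces is accepted without a conflict.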
Licenses
Figure 16-12: Manage Licenses page
BlueProtect
The license is supplied by Bluesocket as part of your BlueSecure Controller distribution if you have purchased the endpoint scanning option.
Note: A unique BlueProtect license is required for all Controllers even if in a load sharing or mobility mesh.
To enter your Bluesocket BlueProtect unlock license:
1. Click the Maintenance tab, and then click the Licenses tab.
2. In the BlueProtect EndPoint Scanning section, enter your License.
3.
BSAP 1840
When purchasing BSAP-1840 APs, there are three SKUs: two hardware SKUs (same hardware, different serial numbers) and one 11n license SKU. They are:
• BSAP-1840-000-00-0 - 802.11abg with 11n upgrade option
• BSAP-1840-11N-00-0 - 802.11abgn
• BSAP-1840-LIC-11N-0 - Upgrade license to 11n
If you purchase the 802.11abgn model, then the BSAP-1840 will appear as an ABGN AP in the UI, and no manual intervention is needed. If you purchase the 802.
failover, the license file is automatically copied between the primary and failover box, so in the event of a failover, the BSAP-1840s will remain licensed.
Appendix A: An Overview of Virtual LANs
The Bluesocket BSC supports multiple VLANs on both the managed and protected sides of the network. This appendix presents an overview of VLANs and their implementation in the BSC, and includes:
• LANs vs.
Appendix A: LANs vs. VLANs A LAN is a broadcast domain composed of hubs, switches, or bridges that are physically wired to each other and to multiple nodes and hosts. Typically, hosts within one LAN can communicate directly with each other, but inter-LAN communication requires one or more routers depending on the complexity of the network. Use of routers increases the possibility of network traffic delays and gaps in security.
number. VLAN interfaces support all of the authentication types and services supported by the physical interfaces.
On the BSC, you can set up these types of VLANs:
• Pass-Through VLANs
• Termination VLANs
• Initiation/Switched VLANs
Pass-Through VLANs
Pass-through VLANs on the BSC receive 802.1q-tagged packets from one physical interface (typically the managed side) and forward them with the same tag to the outgoing physical interface (protected side).
To configure a termination VLAN properly, do not configure a VLAN interface on the protected side with a VLAN ID that corresponds to a VLAN interface on the managed side.
Initiation/Switched VLANs
With initiation or switched VLANs on the BSC, VLAN tags are added to packets exiting the BSC on the protected side based on the user’s Role.
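To make the three VLAN modes concrete, here is an added example (not Bluesocket code and not part of this guide) that builds a minimal 802.1Q-tagged Ethernet frame and shows what leaves the protected side under each mode: pass-through keeps the incoming tag, termination removes it, and initiation sets a tag chosen from the user's Role. It also checks the termination rule stated above (no protected-side VLAN ID equal to a managed-side one). The frame bytes, the role-to-VLAN map and the mode names used as function arguments are constructed for the illustration; only the 802.1Q layout (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID) is standard.

```python
"""The three BSC VLAN modes applied to a minimal 802.1Q frame (added example)."""
import struct

TPID_8021Q = 0x8100  # EtherType value that introduces an 802.1Q tag


def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None for untagged frames."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (inner,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]
    return dst, src, None, etype, frame[14:]


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Assemble an Ethernet frame, inserting an 802.1Q tag when vid is given."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def forward(frame, mode, role=None, role_vlans=None):
    """Produce the frame as it would leave the protected side under the given mode."""
    dst, src, vid, etype, payload = parse_frame(frame)
    if mode == "pass-through":
        return build_frame(dst, src, etype, payload, vid)            # same tag out
    if mode == "termination":
        return build_frame(dst, src, etype, payload, None)           # tag removed
    if mode == "initiation":
        return build_frame(dst, src, etype, payload, role_vlans[role])  # tag chosen by role
    raise ValueError(f"unknown VLAN mode {mode!r}")


def termination_conflicts(managed_vids, protected_vids):
    """VLAN IDs configured on both sides, which the termination rule forbids."""
    return sorted(set(managed_vids) & set(protected_vids))


# Constructed sample: an IPv4 frame tagged VLAN 100 on the managed side,
# and a hypothetical role-to-VLAN mapping.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
TAGGED = build_frame(DST, SRC, 0x0800, b"\x45" + b"\x00" * 19, vid=100)
ROLE_VLANS = {"Guest": 200, "Staff": 300}

if __name__ == "__main__":
    for mode in ("pass-through", "termination", "initiation"):
        out = forward(TAGGED, mode, role="Guest", role_vlans=ROLE_VLANS)
        print(f"{mode:13s} -> outgoing VLAN id: {parse_frame(out)[2]}")
    print("termination conflicts:", termination_conflicts([10, 20], [20, 30]))
```

The same helpers cover an untagged frame arriving from the managed side: pass-through and termination both emit it untagged, and initiation still adds the role's VLAN ID.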
Enforcing Network Usage Policies with VLANs
In addition to configuring Roles to perform VLAN tagging, you can use VLAN IDs to determine policy enforcement within a Role (the managed side VLAN ID that is used within the policy). When defining a role, you can create network usage policies based on the logical location from which a user connects to the wireless network. The BSC uses VLANs to logically represent these locations.
Appendix B: Provisioning Network DHCP Servers to Support BSAPs
The BSAP needs the IP address of the home BSC to which it will connect and from which it will obtain its software image and configuration. You can provide the home BSC IP address to a BSAP by manually configuring the DHCP server on your network to send BSC IP addresses to BSAPs using DHCP vendor-specific option 43.
Appendix B: Overview You can deploy BSAPs on a routed network with Layer-3 connectivity to the BSC as shown in the following figure.
Figure B-2: Defining the BSAP Vendor Class
The DHCP Vendor Classes dialog appears.
2. Click Add... and the New Class dialog appears, for example.
Figure B-3: Entering DHCP Vendor Class Information
3. Enter a meaningful Display name and Description, and then enter the string (BlueSecure.AP1500) that the DHCP client on the BSAP will send to the DHCP server. Click below in the ASCII section, and type the string BlueSecure.AP1500. The Hexadecimal string will be created automatically.
4. Click OK to close the New Class dialog. You will see that the BSAP vendor class is listed in the DHCP Vendor Classes dialog, for example:
Figure B-4: The BSAP Vendor Class is Now Listed
Set a value for predefined option 43
1. Right click on the DHCP server in the navigation tree, and then select Set Predefined Options…. The Predefined Options and Values dialog appears as shown in Figure B-5.
Figure B-5: The Predefined Options and Values Dialog
2. Select BlueSecure.
4. In the Option Type dialog:
a) Enter a descriptive name in the Name field.
b) Select Encapsulated for the Data type.
c) Enter 127 for the Code Value.
d) Enter a meaningful description in the Description field.
e) Click OK to return to the Predefined Options and Values dialog.
5. Click OK to finish the definition of Options and Values.
Configure the Option for the BSAP DHCP address scope
1.
Note: If you wish to prioritize certain BSCs to connect to, a failover option is allowed in the list of IP addresses. Prepending the letter F to an IP address designates that BSC as a failover BSC. Only if the primary BSC(s) fail will the AP associate to the failover BSC(s). This provides N+1 redundancy. In the following example, 192.168.100.25 is the failover BSC:
option 43 "192.168.100.23,192.168.100.98,F192.168.100.25 "
5. Click Apply to complete the scope option configuration.
More than one BSC IP address can be specified, separated by commas or semi-colons. The value (length up to 255) can contain up to 15 IP addresses. The following example shows two BSC IP addresses (192.168.160.1 and 40.4.4.1); 2C is the hexadecimal code for a comma:
if option vendor-class-identifier = "BlueSecure.
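The Windows and ISC examples above both carry the same payload: an ASCII list of BSC addresses, separated by commas or semicolons, with an F prefix marking a failover controller, at most 15 addresses, and a 255 limit on the value length. The following added example (not Bluesocket code and not part of this guide) parses and validates such a list, builds one from primary and failover addresses, and renders it as the colon-separated hex octets that an ISC dhcpd `option vendor-encapsulated-options` statement accepts. How the truncated dhcpd example on the page continues is not shown, so the `class`/`match if` stanza emitted here is an assumption about a working dhcpd configuration, not a quotation of the guide; the sanity check that at least one address is not marked failover is also an addition beyond the rules stated on the page.

```python
"""Builder and checker for the BSC address list carried in DHCP option 43 (added example).

Rules taken from the page: comma- or semicolon-separated IPv4 addresses, an F prefix
for failover controllers, at most 15 addresses, value length at most 255.
The dhcpd rendering (colon-separated hex octets inside a class stanza) is an assumption.
"""
import ipaddress
import re

MAX_ADDRESSES = 15
MAX_VALUE_LEN = 255
VENDOR_CLASS = "BlueSecure.AP1500"   # string the BSAP sends as its vendor class


def parse_bsc_list(value):
    """Split an option 43 string into (primary, failover) lists of validated addresses."""
    primary, failover = [], []
    for entry in re.split(r"[,;]", value):
        entry = entry.strip()
        if not entry:
            continue
        is_failover = entry[0] in "Ff"
        addr = ipaddress.IPv4Address(entry[1:] if is_failover else entry)  # raises on garbage
        (failover if is_failover else primary).append(str(addr))
    if len(primary) + len(failover) > MAX_ADDRESSES:
        raise ValueError(f"more than {MAX_ADDRESSES} BSC addresses in option 43")
    if not primary:
        raise ValueError("no primary BSC address: every entry is marked as failover")
    return primary, failover


def is_valid_bsc_list(value):
    """True when the string satisfies every rule enforced by parse_bsc_list."""
    try:
        parse_bsc_list(value)
    except ValueError:
        return False
    return len(value.encode("ascii")) <= MAX_VALUE_LEN


def build_bsc_list(primary, failover=()):
    """Build the option string; failover controllers are prefixed with F."""
    value = ",".join(list(primary) + ["F" + a for a in failover])
    parse_bsc_list(value)  # re-validate what we built
    if len(value.encode("ascii")) > MAX_VALUE_LEN:
        raise ValueError(f"option 43 value exceeds {MAX_VALUE_LEN} bytes")
    return value


def to_dhcpd_hex(value):
    """Colon-separated hex octets, e.g. the comma becomes 2c (assumed dhcpd form)."""
    return ":".join(f"{b:02x}" for b in value.encode("ascii"))


def dhcpd_class_snippet(value):
    """Constructed dhcpd class stanza that matches the BSAP vendor class (assumption)."""
    return (f'class "bsap" {{\n'
            f'  match if option vendor-class-identifier = "{VENDOR_CLASS}";\n'
            f'  option vendor-encapsulated-options {to_dhcpd_hex(value)};\n'
            f'}}\n')


if __name__ == "__main__":
    value = build_bsc_list(["192.168.100.23", "192.168.100.98"], ["192.168.100.25"])
    print(value)
    print(parse_bsc_list(value))
    print(dhcpd_class_snippet("192.168.160.1,40.4.4.1"))
```

The parser accepts the page's own example (two primaries and one F-prefixed failover) and rejects a 16-address list or a mistyped address, so a scope option can be checked before it is pushed to the DHCP server.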
Appendix C: Endpoint Scanning
BlueProtect ensures that a client device is a trusted end-point by performing a scan of the client device to verify that the device is running the proper administrator-specified security applications before allowing the device onto the network. This release of the Bluesocket BSC system software fully integrates BlueProtect.
Appendix C: Endpoint Scanning Overview A “trusted end-point” refers to a client device that has been verified to be free of worm or virus infection and confirmed to be running virus detection software or firewall software to protect it against future attacks or infections. Increasingly, as a matter of policy, network administrators will allow only trusted end-points onto their networks. Version 6.4 (and later) of the Bluesocket BSC system software fully integrates BlueProtect.
Client Browser Requirements
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Install Check
And the existence of the key: IE40
Registry key checks must end with a value name, and path checking is not supported. Only DWORD, String, and Expanded Strings are supported. Expanded strings are treated as regular strings.
File Checking and Process Support
BlueProtect can now scan the system for a file on the disk, or a running process. For a file, enter the full path, like “C:\Windows\cmd.exe”.
Applet Loader Page
The Applet Loader Page has two responsibilities.
1. The page gracefully handles non-compatible environments.
Creating a BlueProtect Policy
Figure C-1: HTTP Settings Page - BlueProtect Endpoint Scanning
Note: Any URL that appears in this window will be automatically allowed for clients in the Unregistered role. This allows a client to download Java. By default, a link is provided for Windows clients. If you are supporting Mac OS X or Linux clients, add the appropriate Java download URLs.
5. Select the Save button.
6. To configure Antivirus, Antispyware, or Firewall settings, click the link for your platform at the left of the page. For example, the Edit BlueProtect policy page redisplays as shown in Figure C-2 when you click the Antivirus Windows link:
7. Mark the Enable Antivirus Category checkbox.
8. In the Select Products scrolling list, mark the checkbox for the product you want BlueProtect to verify is installed on the wireless client.
9.
Figure C-2: Edit BlueProtect Policy
Remediation
When an endpoint fails the security policy scan, the administrator can block the endpoint until it is in compliance. The endpoint has two means to address this:
• Auto-remediation
• Manual remediation
Auto-Remediation
If auto-remediation is enabled and the endpoint fails the scan, a FixAll button will appear on the Java Applet. When this is clicked, the Applet will attempt to fix the scan failures.
without credentials from getting to Remediation sites (which could be internet sites or internal resources).
Assigning a BlueProtect Policy to a User Role
You need to edit user roles on the BSC to enable/disable BlueProtect scanning for each role and to specify the frequency at which users authenticated into that role will have their devices scanned.
Figure C-3: Client Display when Required Products Not Installed
Figure C-4: Overriding a Client Role
Appendix D: Serial Port Access to Essential Functions
On a rare occasion, you may temporarily lose access to the BSC's web browser interface due to a misplaced password or an ISP service outage. In this case, the BSC provides access to essential functions via the serial port.
Appendix D: Listing of Accessible Functions
• 1) dbinit - Restore all values in the BSC back to their defaults.
• 2) ifconfig - Show the NIC settings for the protected, managed, or failover interface.
• 3) processes - Show a list of all running processes.
• 4) restart - Restart the BSC software.
• 5) switch - Switch to the alternate runtime software image. You must subsequently issue the reboot command for the switch to take effect.
• 6) reboot - Reboot the BSC machine.
Pin Connections (L = left DB-9 female connector, R = right DB-9 female connector)
L-SH   connects to   R-SH
L-1    connects to   L-7, R-8
L-2    connects to   R-3
L-3    connects to   R-2
L-4    connects to   R-6
L-5    connects to   R-5
L-6    connects to   R-4
L-8    connects to   R-1, R-7
Use the above cable for RS-232 asynchronous communications between the BSC and a laptop computer. In this cable, Request-to-Send (RTS, pin 7) asserts the Carrier Detect (pin 1) on the same side and the Clear-to-Send (CTS, pin 8) on the other side of the cable.
Appendix E: Contacting Bluesocket, Inc.
Appendix E: Obtaining Technical Support Bluesocket is committed to providing complete technical support to its customers. If you have a question concerning your Bluesocket products, refer to the technical documentation, including release notes, supplied with your distribution. You should be able to find the answer to your question in these documents. If you need further assistance, please first contact your authorized Bluesocket value-added reseller from whom you purchased your products.
Glossary
802.11x - A series of IEEE specifications for LANs, currently 802.11b, 802.11a, and 802.11g. Using any one of these extensions to the 802.11 standard permits wireless communication between a client and an access point or between two clients. The various specifications govern transmission speeds and radio frequencies as well as fall-back rates and other characteristics. The upcoming standard 802.11i will provide additional security specific to WLANs, and 802.11e will address quality of service.
Authentication - Process whereby the identity of a person or process is verified. The BSC authenticates users by matching submitted user credentials against its internal database and an external RADIUS or LDAP/Active Directory server.
Authorization - Process whereby the network resources, enterprise destinations, and bandwidth a user can access are defined. You can implement authorization in the BSC by assigning a role to each user.
EAP-FAST (EAP-Flexible Authentication via Secure Tunneling) - A publicly accessible IEEE 802.1X EAP type developed by Cisco Systems and supported by the BSC. EAP-FAST uses symmetric key algorithms to achieve a tunneled authentication process.
Encryption - Scrambling data so that only the authorized recipient can read it. Usually a key is needed to decrypt the data.
Managed Remote Subnet - A BSC network configuration in which the local wireless subnet uses a router that does not use NAT and the BSC uses DHCP to assign IP addresses to wireless clients on the managed side of the network.
Managed Side - The segment of the network containing wireless clients and wireless access points. The BlueSecure Controller manages use, quality of service, and security on this side of the network.
RADIUS (Remote Authentication Dial-In User Service) - An authentication and accounting system that verifies users' credentials and grants access to requested resources.
RC4 - An encryption algorithm designed at RSA Laboratories; specifically, a stream cipher of pseudo-random bytes that is used in WEP encryption.
Rogue - A rogue station is one that you have not authorized for operation.
Index Symbols .BLUE file 16-3, 16-4 .DEBUG file 16-4 .DMP file 15-20 Numerics 802.11i preauthentication, enabling for an SSID 12-24 802.1x authentication server, configuring the BSC’s 6-21 802.1x authentication server, running the BSC’s internal 6-19 802.1x authentication, configuring 6-17 802.
Allow ICMP to protected Interface? 10-26 Allow user logins 11-5 Answer failed DNS queries? 10-19 Antenna type, configuring fixed or external for BSAPs 12-13 AP mode, configuring the BSAP for 12-10 AppleTalk routing, configuring 4-31 Application programming interface (API), disabling the BSC 10-4 ARP utility, executing from the administrator console 15-19 Asian language support, configuring 10-4, 11-21 Authenticating users against CAS authentication server 6-30 Cosign authentication server 6-24 digita
models 1-7 network configurations 1-10 specifications 1-9 Bluesocket SSL certificate, installing 3-6 Bluesocket stopped message 2-7 Bluesocket, contacting E-2 Brackets, mounting 2-12 BSAP service, enabling on the BSC 12-26 BSC-1200 1-8 BSC-2100 1-8 BSC-5200 1-7 BSC-600 1-8 Bulk data files, importing/exporting 16-10 C Capturing network traffic data 15-20 CAS authentication, configuring 6-30 Certificate management page 10-21 Certificate signature request (CSR) 11-23 Change Password 3-6 Character set 10
Date setting, configuring the BSC’s 10-10 Debug file, creating 16-4 Debugging the BSC 16-4 Default gateway IP address for remote clients to reach the BSC 4-20 Default redirect URL 10-3 Defaults, resetting all BSC parameters to 16-4, D-2 Delete button, using 3-11 Deleting administrator or user accounts 3-6 Deleting user accounts 5-2 Denial of Service (DoS) attack, combating 8-14, 8-16 Desktop bumpers, installing on BSC-2100 chassis 2-11 Destination groups, creating 8-10 Destinations page 3-8 Destinat
Enable MAC Device 5-5 Enable QoS for this Service 8-15 Enable show Cisco CDP Neighbors? 10-25 Enable SIP Outbound Proxy Service? 9-2 Endpoint scanning, configuring support for C-1 Enforcement 12-15 Enterprise guest access, configuring 5-2, 8-3 Envelope icon, using 3-12 Environmental requirements for the BSC 2-10 Event levels, descriptions of 10-16 Event log, viewing 15-10 Event logging, configuring 10-14 Expire device 5-6 Exporting database files 16-10 Exporting log records 16-12 External antennas, c
H.
L Language code 10-4 Languages, changing on the user login page 11-5 LCD 2-4, 2-6, 2-7 LDAP/Active Directory authentication over SSL, configuring 6-6, 6-31 LDAP/Active directory authentication server, configuring 6-6 LEDs BSC-1200 2-7 BSC-1200/BSC-1200 SOE 2-8 BSC-2100 2-5 BSC-5200 2-4 License, entering your BlueProtect C-4 Lifetime Minutes 5-4 Load balancing clients on a BSAP 12-15 Load sharing configuring 14-18 network requirements for 14-18 overview of feature 14-17 Local users, creating 5-2 Local
Managed side of the network 1-2 Managed virtual interface, configuring 4-23 MatriX, secure mobility general configuration procedure 14-3 overview of 1-5, 14-2 reasons for deploying 14-2 MD5, configuring support of 6-17 Media files, uploading to the BSC 11-17 Miscellaneous BSC options, configuring 10-24 Mobility MatriX page 3-9 Monitor administrator account 3-4 Monitoring access points 15-4 Monitoring BSAPs 12-29, 15-4 Monitoring mode role for IDS 10-8 Monitoring state, IDS 10-6 Mounting procedures two
P Page controls, using 3-13 Pass-through VLANs A-3 Password administrator account 3-2 changing 3-6 Password change choice enabled 11-5 Password change, forcing a user 5-4 Password, changing an administrator’s 3-5 Password, recovering lost or forgotten administrator account 3-3, D-2 Patch installing a system software patch 16-8 removing an installed system software patch 16-9 PEAP, configuring support of 6-17 PEAP, terminating on the BSC 6-19 Pencil icon, using 3-12 Permanently put this MAC in quara
Q Quality of service (QoS), defining for a network service 8-15 Quarantined role for IDS 10-8 Question mark (?) link 3-9 R Rack requirements 2-10 Rack-mounting procedures 2-12 Radio settings, configuring 12-10 RADIUS accounting attributes sent from the BSC 7-3 configuring use of 7-1 description of 1-2 RADIUS authentication server configuring use of 6-3 defining server precedence 6-4 enabling MAC address RADIUS authentication 6-4 Read-only pages, in the administrator console 3-9 Realm Name 6-24 Reboo
RFC822 6-19 Rogue, identifying an RF station as 13-3 Role elements, creating 8-10 Role inheritance 8-3 Role-based authorization configuring 8-2 description of 1-3 example of 8-2 Roles defining 8-4 modifying 8-10 Root CA URL 10-4 Routing table, displaying the BSC’s 4-28 Rubber feet, connecting to the BSC chassis 2-10 S Safety considerations when installing the BSC 2-2 Save and create another button, using 3-11 Save button, using 3-11 Scalability features of the BSC 1-3 Scanning a client device with Bl
Sorting administrator console data 3-12 Sorting table data 3-12 Space requirements 2-10 Specifications for the BSC 1-9 Specifications, BSC 1-9 Spectralink IP phone traffic, passing through the BSC 9-3 Speed LEDs, BSC-2100 2-5 SSIDs, creating 12-20 SSL certificate installing a custom login 11-22 installing Bluesocket 3-6 renewing 11-27 requesting from certificate provider 11-23 uploading a replacement 11-25 SSL, defining external authentication over 10-21 SSL, requiring for LDAP/Active Directory authen
Trash can icon, using 3-11 Troubleshooting your BSC’s configuration 16-4 Trusted certificate authority (CA) certificate 10-20 Trusted server certificate 10-20 TTLS, configuring support of 6-17 TTLS, terminating on the BSC 6-19 Tunneled Transport Layer Security Protocol, terminating on the BSC 6-19 U Upload Cert 10-23 URL Redirect 8-9 URL to redirect detected devices 10-8 URL, to connect to BSC 3-2 Use an uploaded PKCS #12 certificate 11-26 User access, disabling on a specified date 5-4 User account
creating on the protected side 4-5 initiation A-4 overview of A-1 pass-through A-3 termination A-3 Vocera IP phone traffic, passing through the BSC 9-3 Voice Over WLAN support, configuring 9-1 Voice page 3-9 VoIP Protocol Support 1-5 VoIP, configuring network services to support 8-14 W Web Logins page 3-9 Web page, directing users to after login 8-9 Windows Internet naming service (WINS) server 4-13 Wireless client IP address assignment, configuring 4-9 Wireless page 3-9 Worms, combating 8-14, 8-16