User Manual Wireless Controller D-Link Corporation Copyright © 2011. http://www.dlink.
Wireless Controller User Manual
DWC-1000 Wireless Controller
Version 1.3
Copyright © 2011

Copyright Notice
This publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this manual, nor any of the material contained herein, may be reproduced without written consent of the author.

Disclaimer
The information in this document is subject to change without notice.
Table of Contents
Chapter 1. Introduction
1.1 About this User Manual
1.2 Typographical Conventions
Chapter 2. Configuring Your Network:
4.4 Access Point status
4.5 Global Status
4.6 Wireless Client Status
4.7 AP Management
4.8
8.3.1 WIDS AP configuration
8.3.2 WIDS Client Configuration
Chapter 9. Administration & Management
9.1 Remote Management
List of Figures
Figure 1: Setup page for LAN TCP/IP settings
Figure 2: IPv6 LAN and DHCPv6 configuration
Figure 3: Configuring the Router Advertisement Daemon
Figure 4: IPv6 Advertisement Prefix settings
Figure 33: Physical port statistics
Figure 34: List of current Active Firewall Sessions
Figure 35: List of LAN hosts
Figure 67: Available ALG support on the controller
Figure 68: Passthrough options for VPN tunnels
Figure 69: List of Available Application Rules showing 4 unique rules
Figure 99: List of Available Applications for SSL Port Forwarding
Figure 100: SSL VPN client adapter and access configuration
Figure 101: Configured client routes only apply in split tunnel mode
Figure 102: SSL VPN Portal configuration
Chapter 1. Introduction
D-Link Wireless Controller (DWC), DWC-1000, is a full-featured wireless LAN controller designed for small network environments. The centralized control function contains various access point management functions, such as fast roaming, inter-subnet roaming, automatic channel and power adjustment, self-healing, etc.
1.2 Typographical Conventions
The following is a list of the various terms, followed by an example of how that term is represented in this document:
Product Name – D-Link Wireless Controller.
Chapter 2. Configuring Your Network:
It is assumed that the user has a management machine connected to the controller's LAN. The LAN connection may be through the wired Ethernet ports available on the controller, or, once the initial setup is complete, the DWC may also be managed through its wireless interface, as it is bridged with the LAN.
To configure LAN Connectivity, please follow the steps below:
1. In the LAN Setup page, enter the following information for your controller:
IP address: (factory default: 192.168.10.1).
If you change the IP address and click Save Settings, the GUI will not respond. Open a new connection to the new IP address and log in again.
Domain Name: Enter the domain name.
WINS Server (optional): Enter the IP address for the WINS server or, if present in your network, the Windows NetBIOS server.
Lease Time: Enter the time, in hours, for which IP addresses are leased to clients.
Enable DNS Proxy: To enable the controller to act as a proxy for all DNS requests and communicate with the ISP's DNS servers, click the checkbox.
Relay Gateway: Enter the gateway address.
2.1.1 LAN Configuration in an IPv6 Network
Advanced > IPv6 > IPv6 LAN > IPv6 LAN Config
In IPv6 mode, the LAN DHCP server is enabled by default (similar to IPv4 mode). The DHCPv6 server will serve IPv6 addresses from configured address pools with the IPv6 Prefix Length assigned to the LAN.
IPv4 / IPv6 mode must be enabled in the Advanced > IPv6 > Routing mode to enable IPv6 configuration options.
LAN Settings
The default IPv6 LAN address for the router is fec0::1.
Figure 2: IPv6 LAN and DHCPv6 configuration
If you change the IP address and click Save Settings, the GUI will not respond. Open a new connection to the new IP address and log in again. Be sure the LAN host (the machine used to manage the router) has obtained an IP address from the newly assigned pool (or has a static IP address in the router's LAN subnet) before accessing the router via the changed IP address.
As with an IPv4 LAN network, the router has a DHCPv6 server.
The following settings are used to configure the DHCPv6 server:
DHCP Mode: The IPv6 DHCP server is either stateless or stateful. If stateless is selected, an external IPv6 DHCP server is not required, as the IPv6 LAN hosts are auto-configured by this controller. In this case the router advertisement daemon (RADVD) must be configured on this device, and ICMPv6 router discovery messages are used by the host for auto-configuration.
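An added example (not D-Link code) that audits the IPv6 LAN settings described above before they are saved. The function name, finding codes and the fd12:... sample values are constructed; the checks rely on RFC 3879, which deprecates the site-local range fec0::/10 that contains the default fec0::1, and on stateless autoconfiguration over Ethernet requiring a 64-bit prefix.

```python
import ipaddress

SITE_LOCAL = ipaddress.ip_network("fec0::/10")  # deprecated by RFC 3879

# Finding codes and their meaning (names are assumptions for this example).
FINDINGS = {
    "site-local-deprecated": "LAN address is in fec0::/10; use a unique local "
                             "(fc00::/7) or delegated global prefix instead",
    "slaac-needs-64": "stateless mode needs a /64 so hosts can autoconfigure",
    "pool-missing": "stateful mode needs a DHCPv6 pool start and end address",
    "pool-reversed": "pool start address is higher than pool end address",
    "pool-outside-lan-prefix": "DHCPv6 pool is not inside the LAN prefix",
    "pool-contains-router-address": "pool would lease the controller's address",
}


def audit_ipv6_lan(lan_address, prefix_length, dhcp_mode,
                   pool_start=None, pool_end=None):
    """Return a list of finding codes for one IPv6 LAN configuration.

    dhcp_mode is "stateless" or "stateful", matching the DHCP Mode field.
    """
    if dhcp_mode not in ("stateless", "stateful"):
        raise ValueError("dhcp_mode must be 'stateless' or 'stateful'")

    findings = []
    addr = ipaddress.IPv6Address(lan_address)
    lan = ipaddress.ip_network(f"{addr}/{prefix_length}", strict=False)

    if addr in SITE_LOCAL:
        findings.append("site-local-deprecated")

    if dhcp_mode == "stateless" and prefix_length != 64:
        findings.append("slaac-needs-64")

    if dhcp_mode == "stateful":
        if pool_start is None or pool_end is None:
            findings.append("pool-missing")
        else:
            start = ipaddress.IPv6Address(pool_start)
            end = ipaddress.IPv6Address(pool_end)
            if start > end:
                findings.append("pool-reversed")
            if start not in lan or end not in lan:
                findings.append("pool-outside-lan-prefix")
            if start <= addr <= end:
                findings.append("pool-contains-router-address")
    return findings


if __name__ == "__main__":
    # Constructed sample configurations: the factory default and a ULA setup.
    samples = [
        ("fec0::1", 64, "stateless", None, None),
        ("fd12:3456:789a:1::1", 64, "stateful",
         "fd12:3456:789a:1::100", "fd12:3456:789a:1::1ff"),
    ]
    for cfg in samples:
        codes = audit_ipv6_lan(*cfg)
        print(cfg[0], "->", codes or "no findings")
        for code in codes:
            print("   ", FINDINGS[code])
```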
2.1.2 Configuring IPv6 Router Advertisements
Router Advertisements are analogous to IPv4 DHCP assignments for LAN clients, in that the router will assign an IP address and supporting network information to devices that are configured to accept such details. Router Advertisement is required in an IPv6 network for stateless auto configuration of the IPv6 LAN.
Figure 3: Configuring the Router Advertisement Daemon
Advertisement Prefixes
Advanced > IPv6 > IPv6 LAN > Advertisement Prefixes
The router advertisements configured with advertisement prefixes allow this router to inform hosts how to perform stateless address auto configuration. Router advertisements contain a list of subnet prefixes that allow the router to determine neighbors and whether the host is on the same link as the router.
IPv6 Prefix Length: This value indicates the number of contiguous, higher-order bits of the IPv6 address that make up the network portion of the address. Typically this is 64.
Prefix Lifetime: This defines the duration (in seconds) that the requesting node is allowed to use the advertised prefix. It is analogous to DHCP lease time in an IPv4 network.
Figure 4: IPv6 Advertisement Prefix settings
2.
will allow traffic from LAN hosts belonging to this VLAN ID to pass through to other configured VLAN IDs that have Inter VLAN Routing enabled.
Figure 5: Adding VLAN memberships to the LAN
2.2.1 Associating VLANs to ports
In order to tag all traffic through a specific LAN port with a VLAN ID, you can associate a VLAN to a physical port.
Setup > VLAN Settings > Port VLAN
VLAN membership properties for the LAN and wireless LAN are listed on this page.
to the switch port on the controller will be tagged. Data passing through the phone from a connected device will be untagged.
Figure 6: Port VLAN list
In Access mode the port is a member of a single VLAN (and only one). All data going into and out of the port is untagged. Traffic through a port in access mode looks like any other Ethernet frame.
In Trunk mode the port is a member of a user selectable set of VLANs. All data going into and out of the port is tagged.
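A model of the Access and Trunk tagging rules above, added as an example and not taken from the controller's firmware. It uses standard IEEE 802.1Q tagging; the Port class, function names, the sample frame and the choice to drop frames that do not fit a port's mode are assumptions.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the destination and source MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = (pcp << 13) | vid  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def split_tag(frame: bytes):
    """Return (vid, untagged_frame); vid is None when the frame has no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


@dataclass
class Port:
    name: str
    mode: str                          # "access" or "trunk"
    pvid: int = 1                      # the single VLAN of an access port
    members: frozenset = frozenset()   # the VLAN set of a trunk port


def ingress(port: Port, frame: bytes):
    """Classify a received frame as (vid, untagged_frame), or None if dropped."""
    vid, inner = split_tag(frame)
    if port.mode == "access":
        # Access ports carry untagged traffic only. Dropping a tagged frame
        # here is this model's assumption, not documented device behaviour.
        return (port.pvid, inner) if vid is None else None
    if port.mode == "trunk":
        # Trunk ports carry tagged traffic for their member VLANs only.
        return (vid, inner) if vid in port.members else None
    raise ValueError(f"unsupported port mode: {port.mode}")


def egress(port: Port, vid: int, inner: bytes):
    """Return the bytes sent on the wire, or None if the port is not in vid."""
    if port.mode == "access":
        return inner if vid == port.pvid else None
    if port.mode == "trunk":
        return add_tag(inner, vid) if vid in port.members else None
    raise ValueError(f"unsupported port mode: {port.mode}")


def forward(src: Port, dst: Port, frame: bytes):
    """Carry one frame from src to dst, applying both ports' VLAN rules."""
    classified = ingress(src, frame)
    if classified is None:
        return None
    return egress(dst, *classified)


# Constructed sample frame: broadcast destination, locally administered
# source MAC, EtherType 0x0800, followed by a placeholder payload.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"

if __name__ == "__main__":
    access10 = Port("lan1", "access", pvid=10)
    trunk = Port("lan2", "trunk", members=frozenset({10, 20}))
    tagged = forward(access10, trunk, SAMPLE_FRAME)
    print("access -> trunk:", tagged.hex())
    print("trunk -> access:", forward(trunk, access10, tagged).hex())
    print("VLAN 30 on trunk:", ingress(trunk, add_tag(SAMPLE_FRAME, 30)))
```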
Figure 7: Configuring VLAN membership for a port
2.3 Configurable Port: DMZ Setup
One of the controller's physical ports can be configured as a secondary WAN Ethernet port or a dedicated DMZ port. A DMZ is a subnetwork that is open to the public but behind the firewall. The DMZ adds an additional layer of security to the LAN, as specific services/ports that are exposed to the internet on the DMZ do not have to be exposed on the LAN.
Figure 8: DMZ configuration
In order to configure a DMZ port, the controller's configurable port must be set to DMZ in the Setup > Internet Settings > Configurable Port page.
2.4 Universal Plug and Play (UPnP)
Advanced > Advanced Network > UPnP
Universal Plug and Play (UPnP) is a feature that allows the controller to discover devices on the network that can communicate with the controller and allow for auto configuration.
Advertisement Period: This is the frequency that the controller broadcasts UPnP information over the network. A large value will minimize network traffic but cause delays in identifying new UPnP devices to the network.
Advertisement Time to Live: This is expressed in hops for each UPnP packet. This is the number of steps a packet is allowed to propagate before being discarded. Small values will limit the UPnP broadcast range.
2.5 Captive Portal
LAN users can gain internet access via web portal authentication with the DWC. Also referred to as Run-Time Authentication, a Captive Portal is ideal for a web café scenario where users initiate HTTP connection requests for web access but are not interested in accessing any LAN services.
Disabling the WLAN controller does not affect non-WLAN features on the controller, such as VLAN or STP functionality.
WLAN Controller Operational Status: Shows the operational status of the controller. The status can be one of the following values:
• Enabled
• Enable-Pending
• Disabled
• Disable-Pending
Figure 11: WLAN global configuration
IP Address: This field shows the IP address of the WLAN interface on the controller.
installed and enabled, this is the IP address of the routing or loopback interface you configure for the controller features.
AP MAC Validation Method: Add the MAC address of the AP to the Valid AP database, which can be kept locally on the controller or in an external RADIUS server. When the controller discovers an AP that is not managed by another controller, it looks up the MAC address of the AP in the Valid AP database.
2.6.
Figure 12: Configuring the Wireless Discovery
L2/VLAN Discovery: The D-Link Wireless Device Discovery Protocol is a good discovery method to use if the controller and APs are located in the same Layer 2 multicast domain. The wireless controller periodically sends a multicast packet containing the discovery message on each VLAN enabled for discovery.
This page includes the following buttons:
• Add—Adds the data in the IP Address or VLAN field to the appropriate list.
Wireless Discovery status
Status > Global Info > IP Discovery
The IP Discovery list can contain the IP addresses of peer controllers and APs for the UWS to discover and associate with as part of the WLAN.
IP Address: Shows the IP address of the device configured in the IP Discovery list.
Status: The wireless discovery status is in one of the following states:
• Not Polled: The controller has not attempted to contact the IP address in the L3/IP Discovery list.
2.6.2 AP Profile Global Configuration
Advanced > AP Profile
On the Access Point Profile Summary page, you can add, copy, edit, and delete AP profiles. To add a new profile, click Add in the AP Profile Summary page. In the AP Profile Global Configuration page, enter the name of the profile in the Profile Name field, select the Hardware type, enter the valid VLAN ID, and then click Submit.
Wired Network Discovery VLAN ID: Enter the VLAN ID that the controller uses to send tracer packets in order to detect APs connected to the wired network.
AP Profile
Advanced > AP Profile
Access point configuration profiles are a useful feature for large wireless networks with APs that serve a variety of different users. You can create multiple AP profiles on the Controller to customize APs based on location, function, or other criteria.
Figure 15: AP Profile List
For each AP profile, you can configure the following features:
• Profile settings (Name, Hardware Type ID, Wired Network Discovery VLAN ID)
• Radio settings
• SSID settings
Profile: The Access Point profile name you added. Use 0 to 32 characters.
Profile Status: Can have one of the following values:
• Associated: The profile is configured, and one or more APs managed by the controller are associated with this profile.
During this process the APs reset, and all wireless clients are disassociated from the AP.
• Configured: The profile is configured, but no APs managed by the controller currently use this profile. Associate a profile with an AP. Entry of the AP is valid and available in database of the controller.
This page includes the following buttons:
• Edit— To edit the existing AP profile.
• Delete— To delete the existing AP profile.
Chapter 3. Connecting to the Internet: WAN Setup
This controller has two WAN ports that can be used to establish a connection to the internet. The following ISP connection types are supported: DHCP, Static, PPPoE, PPTP, L2TP (via USB modem).
It is assumed that you have arranged for internet service with your Internet Service Provider (ISP). Please contact your ISP or network administrator for the configuration information that will be required to set up the controller.
3.
button, which confirms the settings by establishing a link with the ISP. Once connected, you can move on and configure other features in this controller.
3.
Server IP Address: Enter the IP address of the PPTP or L2TP server.
3.2.1 WAN Port IP address
Your ISP assigns you an IP address that is either dynamic (newly generated each time you log in) or static (permanent). The IP Address Source option allows you to define whether the address is statically provided by the ISP or should be received dynamically at each login. If static, enter your IP address, IPv4 subnet mask, and the ISP gateway's IP address.
Figure 17: Manual Option1 configuration
3.2.4 PPPoE
Setup > Internet Settings
The PPPoE ISP settings are defined on the WAN Configuration page. There are two types of PPPoE ISPs supported by the DWC-1000: the standard username/password PPPoE and Japan Multiple PPPoE.
Figure 18: PPPoE configuration for standard ISPs
Most PPPoE ISPs use a single control and data connection, and require username / password credentials to log in and authenticate the DWC-1000 with the ISP. The ISP connection type for this case is "PPPoE (Username/Password)". The GUI will prompt you for authentication, service, and connection settings in order to establish the PPPoE link.
Figure 19: Option1 configuration for Japanese Multiple PPPoE (part 1)
There are a few key elements of a multiple PPPoE connection:
• Primary and secondary connections are concurrent
• Each session has a DNS server source for domain name lookup; this can be assigned by the ISP or configured through the GUI
• The DWC-1000 acts as a DNS proxy for LAN users
• Only HTTP requests that specifically identify the secondary connection's domain name (for example *.
When Japanese multiple PPPoE is configured and the secondary connection is up, some predefined routes are added on that interface. These routes are needed to access the internal domain of the ISP, where it hosts various services. These routes can also be configured through the static routing page.
Figure 20: Option1 configuration for Multiple PPPoE (part 2)
3.2.
Figure 21: Russia L2TP ISP configuration
3.2.6 WAN Configuration in an IPv6 Network
Advanced > IPv6 > IPv6 Option1 Config
For IPv6 WAN connections, this controller can have a static IPv6 address or receive connection information when configured as a DHCPv6 client. In the case where the ISP assigns you a fixed address to access the internet, the static configuration settings must be completed.
When the ISP allows you to obtain the WAN IP settings via DHCP, you need to provide details for the DHCPv6 client configuration. The DHCPv6 client on the gateway can be either stateless or stateful. If a stateful client is selected, the gateway will connect to the ISP's DHCPv6 server for a leased address.
When IPv6 is PPPoE type, the following PPPoE fields are enabled.
Username: Enter the username required to log in to the ISP.
Password: Enter the password required to log in to the ISP.
Authentication Type: The type of Authentication in use by the profile: Auto Negotiate/PAP/CHAP/MS-CHAP/MS-CHAPv2.
Dhcpv6 Options: The mode of Dhcpv6 client that will start in this mode: disable dhcpv6/stateless dhcpv6/stateful dhcpv6/stateless dhcpv6 with prefix delegation.
Figure 23: Connection Status information of Option1
The WAN status page allows you to Enable or Disable static WAN links. For WAN settings that are dynamically received from the ISP, you can Renew or Release the link parameters if required.
3.3 Features with Multiple WAN Links
This controller supports multiple WAN links.
Setup > Internet Settings > Option Mode
To use Auto Failover or Load Balancing, WAN link failure detection must be configured. This involves accessing DNS servers on the internet or ping to an internet address (user defined). If required, you can configure the number of retry attempts when the link seems to be disconnected or the threshold of failures that determines if a WAN port is down.
3.3.
and let low-volume background traffic (such as SMTP) go over the lower speed link. Protocol binding is explained in the next section.
Spill Over: If the Spill Over method is selected, WAN1 acts as a dedicated link until a threshold is reached. After this, WAN2 will be used for new connections. You can configure spill-over mode by using the following options:
Load Tolerance: It is the percentage of bandwidth after which the controller switches to secondary WAN.
Figure 24: Load Balancing is available when multiple WAN ports are configured and Protocol Bindings have been defined
3.3.3 Protocol Bindings
Advanced > Routing > Protocol Bindings
Protocol bindings are required when the Load Balancing feature is in use. Choosing from a list of configured services or any of the user-defined services, the type of traffic can be assigned to go over only one of the available WAN ports.
applicable when load balancing mode is enabled and more than one WAN is configured.
Figure 25: Protocol binding setup to associate a service and/or LAN source to a WAN and/or destination network
3.4 Routing Configuration
Routing between the LAN and WAN will impact the way this controller handles traffic that is received on any of its physical interfaces. The routing mode of the gateway is core to the behaviour of the traffic flow between the secure LAN and the internet.
NAT is a technique which allows several computers on a LAN to share an Internet connection. The computers on the LAN use a "private" IP address range while the WAN port on the controller is configured with a single "public" IP address. Along with connection sharing, NAT also hides internal IP addresses from the computers on the Internet. NAT is required if your ISP has assigned only one IP address to you.
Figure 26: Routing Mode is used to configure traffic routing between WAN and LAN, as well as Dynamic routing (RIP)
3.4.2 Dynamic Routing (RIP)
Setup > Internet Settings > Routing Mode
Dynamic routing uses the Routing Information Protocol (RIP), an Interior Gateway Protocol (IGP) that is common in LANs. With RIP this controller can exchange routing information with other supported controllers in the LAN and allow for dynamic adjustment of routing tables in order to adapt to modifications in the LAN without interrupting traffic flow.
3.4.3 Static Routing
Advanced > Routing > Static Routing
Advanced > IPv6 > IPv6 Static Routing
Manually adding static routes to this device allows you to define the path selection of traffic from one interface to another. There is no communication between this controller and other devices to account for changes in the path; once configured, the static route will be active and effective until the network changes.
Figure 27: Static route configuration fields
3.5 WAN Port Settings
Advanced > Advanced Network > Option Port Setup
The physical port settings for each WAN link can be defined here. If your ISP account defines the WAN port speed or is associated with a MAC address, this information is required by the controller to ensure a smooth connection with the network.
The default MTU size supported by all ports is 1500.
Figure 28: Physical WAN port settings
Chapter 4. Monitoring Status and Statistics
4.1 System Overview
The Status page allows you to get a detailed overview of the system configuration. The settings for the wired and wireless interfaces are displayed in the DWC-1000 Status page, and then the resulting hardware resource and controller usage details are summarized on the controller Dashboard.
4.1.
Figure 29: Device Status display
Figure 30: Device Status display (continued)
4.1.2 Resource Utilization
Status > Device Info > Dashboard
The Dashboard page presents hardware and usage statistics. The CPU and Memory utilization is a function of the available hardware and current configuration and traffic through the controller. Interface statistics for the wired connections (LAN, WAN1, WAN2/DMZ, VLANs) provide indication of packets through and packets dropped by the interface.
Figure 31: Resource Utilization statistics
Figure 32: Resource Utilization data (continued)
4.2 Traffic Statistics
4.2.1 Wired Port Statistics
Status > Traffic Monitor > Device Statistics
Detailed transmit and receive statistics for each physical port are presented here. Each interface (WAN1, WAN2/DMZ, LAN, and VLANs) has port-specific packet-level information provided for review. Transmitted/received packets, port collisions, and the cumulative bytes/sec for transmit/receive directions are provided for each interface along with the port up time.
The statistics table has an auto-refresh control which allows display of the most current port level data at each page refresh. The default auto-refresh for this page is 10 seconds.
Figure 33: Physical port statistics
4.3 Active Connections
4.3.1 Sessions through the controller
Status > Active Sessions
This table lists the active internet sessions through the controller's firewall. The session's protocol, state, local and remote IP addresses are shown.
Figure 34: List of current Active Firewall Sessions
4.3.2 LAN Clients
Status > LAN Client Info > LAN Clients
The LAN clients to the controller are identified by an ARP scan through the LAN switch. The NetBIOS name (if available), IP address and MAC address of discovered LAN hosts are displayed.
Figure 35: List of LAN hosts
4.3.3 Active VPN Tunnels
Status > Active VPNs
You can view and change the status (connect or drop) of the controller's IPsec security associations.
Figure 36: List of current Active VPN Sessions
All active SSL VPN connections, both for VPN tunnel and VPN Port forwarding, are displayed on this page as well. Table fields are as follows.
Field | Description
User Name | The SSL VPN user that has an active tunnel or port forwarding session to this controller.
IP Address | IP address of the remote VPN client.
Local PPP Interface | The interface (WAN1 or WAN2) through which the session is active.
To configure an Authentication Failed AP to be managed by the controller the next time it is discovered, select the check box next to the MAC address of the AP and click Manage. You will be presented with the Valid Access Point Configuration page.
Figure 37: AP status
MAC Address: Shows the MAC address of the access point.
IP Address: The network address of the access point.
• Rogue—The AP has not attempted to contact the controller and the MAC address of the AP is not in the Valid AP database.
Radio: Shows the wireless radio mode the AP is using.
Channel: Shows the operating channel for the radio.
This page includes the following buttons:
• Delete All—Manually clear all APs from the All Access Points status page except Managed Access Points.
Figure 38: Managed AP status
MAC Address: The Ethernet address of the controller-managed AP.
IP Address: The network IP address of the managed AP.
Age: Time since last communication between the Controller and the AP.
Status: The current managed state of the AP. The possible values are:
• Discovered: The AP is discovered by the controller, but is not yet authenticated.
• View AP details — Shows detailed status information collected from the AP.
Figure 39: AP RF Scan Status
4.5 Global Status
Peer Controller Status
Status > Global Info > Peer Controller > Status
The Peer Controller Status page provides information about other Wireless Controllers in the network. Peer wireless controllers within the same cluster exchange data about themselves, their managed APs, and clients. The controller maintains a database with this data so you can view information about a peer, such as its IP address and software version.
Software Version: The software version for the given peer controller.
Protocol Version: Indicates the protocol version supported by the software on the peer controller.
Discovery Reason: The discovery method of the given peer controller, which can be through an L2 Poll or IP Poll.
Managed AP Count: Shows the number of APs that the controller currently manages.
Age: Time since last communication with the controller in Hours, Minutes, and Seconds.
Peer IP Address: Shows the IP address of each peer wireless controller in the cluster that received configuration information.
Configuration Controller IP Address: Shows the IP Address of the controller that sent the configuration information.
Configuration: Identifies which parts of the configuration the controller received from the peer controller.
Timestamp: Shows when the configuration was applied to the controller.
Peer Controller IP: Shows the IP address of the peer controller that manages the AP. This field displays when "All" is selected from the drop-down menu.
Location: The descriptive location configured for the managed AP.
AP IP Address: The IP address of the AP.
Profile: The AP profile applied to the AP by the controller.
• Saving Configuration
• Applying AP Profile Configuration
• Success
• Failure - Invalid Code Version
• Failure - Invalid Hardware Version
• Failure - Invalid Configuration
Last Configuration Received: Peer controller IP Address indicates the last controller from which this controller received any wireless configuration data.
Figure 43: Configuration Receive Status
4.6 Wireless Client Status
Associated Client Status
Status > Wireless Client Info > Associated Clients > Status
You can view a variety of information about the wireless clients that are associated with the APs the controller manages.
MAC Address: The Ethernet address of the client station. If the MAC address is followed by an asterisk (*), the client is associated with an AP managed by a peer controller.
AP MAC Address: The Ethernet address of the AP.
• View SSID Details— Lists the SSIDs of the networks that each wireless client associated with a managed AP has used for WLAN access
• View VAP Details — Shows information about the VAPs on the managed AP that have associated wireless clients
• View Neighbour AP Status — Shows information about access points that the client detects.
Associated Client VAP Status
Status > Wireless Client Info > Associated Clients > VAP Status
Each AP has 16 Virtual Access Points (VAPs) per radio, and every VAP has a unique MAC address (BSSID). The VAP Associated Client Status page shows information about the VAPs on the managed AP that have associated wireless clients.
Controller Associated Client Status
Status > Wireless Client Info > Associated Clients > Controller Status
This shows information about the controller that manages the AP to which the client is associated.
Controller IP Address: Shows the IP address of the controller that manages the AP to which the client is associated.
Client MAC Address: Shows the MAC address of the associated client.
Client Name: Shows the name of the client, if available, from the Known Client Database. If client is not in the database then the field is blank.
Client Status: Shows the client status, which can be one of the following:
• Authenticated— The wireless client is authenticated with the wireless system.
• Detected— The wireless client is detected by the wireless system but is not a security threat.
• Acknowledge All Rogues — Clears the rogue status of all clients listed as rogues in the Detected Client database. The status of an acknowledged client is returned to the status it had when it was first detected. If the detected client fails any of the tests that classify it as a threat, it will be listed as a Rogue again.
• Refresh — Updates the page with the latest information.
Figure 49: Pre-Auth History

This page includes the following button:
• Refresh — Updates the page with the latest information.

Detected Client Roam History
Status > Wireless Client Info > Roam History

The wireless system keeps a record of clients as they roam from one managed AP to another managed AP.

MAC Address: MAC address of the detected client.
AP MAC Address: MAC address of the managed AP to which the client authenticated.
Figure 50: Detected Client Roam History

This page includes the following buttons:
• Refresh — Updates the page with the latest information.
• Purge History — Purges the history when the list of entries is full.
• View Details — Shows the details of the detected clients.
4.7 AP Management

Valid Access Point Configuration
Setup > AP Management > Valid AP

MAC Address: This field shows the MAC address of the AP. To change this field, you must delete the entire Valid AP configuration and then enter the correct MAC address from the page that lists all Valid APs.
Location: To help you identify the AP, you can enter a location.
This page has the following buttons:
• Edit - To edit AP details in the Valid AP page.
• Delete - To delete a valid AP, provide a valid MAC address in the Valid AP page.
• Add - To add an AP in the Valid AP page.

Figure 52: Add a Valid Access Point

MAC Address: This field shows the MAC address of the AP. To change this field, you must delete the entire Valid AP configuration and then enter the correct MAC address from the page that lists all Valid APs.
Location: To help you identify the AP, you can enter a location. This field accepts up to 32 alphanumeric characters.
Authentication Password: You can require that the AP authenticate itself with the controller upon discovery. Select the Edit option and enter the password in this field. The valid password range is between 8 and 63 alphanumeric characters. The password in this field must match the password configured on the AP.
The controller contains a channel plan algorithm that automatically determines which RF channels each AP should use to minimize RF interference. When you enable the channel plan algorithm, the controller periodically evaluates the operational channel on every AP it manages and changes the channel if the current channel is noisy.

Channel Plan: Each AP is dual-band capable of operating in the 2.4 GHz and 5 GHz frequencies. The 802.11a/n and 802.
Figure 53: RF configuration

Channel Plan History Depth: The channel plan history lists the channels the controller assigns each of the APs it manages after a channel plan is applied. Entries are added to the history regardless of interval, time, or channel plan mode. The number you specify in this field controls the number of iterations of the channel assignment. The APs changed in previous iterations cannot be assigned new channels in the next iteration.
not be adjusted below the value in the AP profile. The settings in the local database and RADIUS server always override power set in the profile setting. If you manually set the power, the level is fixed and the AP will not use the automatic power adjustment algorithm. You can configure the power as a percentage of maximum power, where the maximum power is the minimum of power level allowed for the channel by the regulatory domain or the hardware capability.
previous iterations cannot be assigned new channels in the next iteration to prevent the same APs from being changed time after time.

Last Algorithm Time: Shows the date and time when the channel plan algorithm last ran.
AP MAC Address: This table displays the channel assigned to an AP in an iteration of the channel plan (Location, Radio, Iteration, Channel).

Figure 54: Channel Plan History
• Algorithm Complete: The channel plan algorithm has finished running. A table displays to indicate proposed channel assignments. Each entry shows the AP along with the current and new channel. To accept the proposed channel change, click Apply. You must manually apply the channel plan for the proposed assignments to be applied.
• Apply In Progress: The controller is applying the proposed channel plan and adjusting the channel on the APs listed in the table.
RF Management (Manual Power Adjustment Plan)
Setup > AP Management > RF Management > Manual Power Adjustment Plan

If you select Manual as the Power Adjustment Mode on the Configuration tab, you can manually initiate the power adjustment algorithm on the Manual Power Adjustments page.

Current Status: Shows the current status of the plan, which is one of the following states:
• None: The power adjustment algorithm has not been manually run since the last controller reboot.
Figure 56: Manual Power Adjustment Plan

Access Point Software Download
Setup > AP Management > Software Download

The wireless controller can upgrade software on the APs that it manages.

Server Address: Enter the IP address of the host where the upgrade file is located. The host must have a TFTP server installed and running.
File Path: Enter the file path on the TFTP server where the software is located. You may enter up to 96 characters.
To download all images, make sure you specify the file path and file name for both images in the appropriate File Path and File Name fields.

Managed AP: The list shows all the APs that the controller manages. If the controller is the Cluster Controller, then the list shows the APs managed by all controllers in the cluster. Each AP is identified by its MAC address, IP address, and Location in the format.
The first byte of the OUI must have the least significant bit set to 0. For example, 02:FF:FF is a valid OUI, but 03:FF:FF is not.

OUI Description: Enter the organization name associated with the OUI. The name can be up to 32 alphanumeric characters.
4.8 Associated Client Status/Statistics

Managed AP Statistics
Status > Traffic Monitor > Managed AP Statistics

The managed AP statistics page shows information about traffic on the wired and wireless interfaces of the access point. This information can help diagnose network issues, such as throughput problems. The following figure shows the Managed Access Point Statistics page with a managed AP.
• View VAP details — Shows summary information about the virtual access points (VAPs) for the selected AP and radio interface on the APs that the controller manages.
• Refresh — Updates the page with the latest information.

WLAN Associated Clients
Status > Traffic Monitor > Associated Clients Statistics > WLAN Associated Clients

The wireless client can roam among APs without interruption in WLAN service.
Chapter 5. Securing the Private Network

You can secure your network by creating and applying rules that your controller uses to selectively block and allow inbound and outbound Internet traffic. You then specify how and to whom the rules apply.
may use the IP address if a static address is assigned to the WAN port, or if your WAN address is dynamic a DDNS (Dynamic DNS) name can be used.

Outbound (LAN/DMZ to WAN) rules restrict access to traffic leaving your network, selectively allowing only specific local users to access specific outside resources. The default outbound rule is to allow access from the secure zone (LAN) to either the public DMZ or insecure WAN.
Figure 62: List of Available Schedules to bind to a firewall rule

5.3 Configuring Firewall Rules
Advanced > Firewall Settings > Firewall Rules

All configured firewall rules on the controller are displayed in the Firewall Rules list. This list also indicates whether the rule is enabled (active) or not, and gives a summary of the From/To zone as well as the services or users that the rule affects. To create new firewall rules, follow the steps below: 1.
Service: ANY means all traffic is affected by this rule. For a specific service, the drop-down list has common services, or you can select a custom defined service.
Action & Schedule: Select one of the 4 actions that this rule defines: BLOCK always, ALLOW always, BLOCK by schedule otherwise ALLOW, or ALLOW by schedule otherwise BLOCK. A schedule must be preconfigured in order for it to be available in the drop-down list to assign to this rule.
External IP address: The rule can be bound to a specific WAN interface by selecting either the primary WAN or configurable port WAN as the source IP address for incoming traffic.

This controller supports multi-NAT and so the External IP address does not necessarily have to be the WAN address. On a single WAN interface, multiple public IP addresses are supported.
Figure 63: Example where an outbound SNAT rule is used to map an external IP address (209.156.200.225) to a private DMZ IP address (10.30.30.
Figure 64: The firewall rule configuration page allows you to define the To/From zone, service, action, schedules, and specify source/destination IP addresses as needed.

5.3.1 Firewall Rule Configuration Examples

Example 1: Allow inbound HTTP traffic to the DMZ

Situation: You host a public web server on your local DMZ network. You want to allow inbound HTTP requests from any outside IP address to the IP address of your web server at any time of day.
Service: HTTP
Action: ALLOW always
Send to Local Server (DNAT IP): 192.168.5.2 (web server IP address)
Destination Users: Any
Log: Never

Example 2: Allow videoconferencing from range of outside IP addresses

Situation: You want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses (132.177.88.2 - 132.177.88.254), from a branch office.
Solution: Create an inbound rule as follows.
Web server host in the DMZ, IP address: 192.168.12.222
Access to Web server: (simulated) public IP address 10.1.0.52

Parameter: Value
From Zone: Insecure (WAN1/WAN2)
To Zone: Public (DMZ)
Service: HTTP
Action: ALLOW always
Send to Local Server (DNAT IP): 192.168.12.222 (web server local IP address)
Destination Users: Single Address
From: 10.1.0.
Figure 65: Schedule configuration for the above example.

2. Since we are trying to block HTTP requests, it is a service with To Zone: Insecure (WAN1/WAN2) that is to be blocked according to schedule "Weekend".
3. Select the Action to "Block by Schedule, otherwise allow". This will take a predefined schedule and make sure the rule is a blocking rule during the defined dates/times. All other times outside the schedule will not be affected by this firewall blocking rule.
4.
8. The last step is to enable this firewall rule. Select the rule, and click "enable" below the list to make sure the firewall rule is active.

5.4 Security on Custom Services
Advanced > Firewall Settings > Custom Services

Custom services can be defined to add to the list of services available during firewall rule configuration. While common services have known TCP/UDP/ICMP ports for traffic, many custom or uncommon applications exist in the LAN or WAN.
Figure 67: Available ALG support on the controller.

5.6 VPN Passthrough for Firewall
Advanced > Firewall Settings > VPN Passthrough

This controller's firewall settings can be configured to allow encrypted VPN traffic for IPsec, PPTP, and L2TP VPN tunnel connections between the LAN and internet. A specific firewall rule or service is not appropriate to introduce this passthrough support; instead the appropriate check boxes in the VPN Passthrough page must be enabled.
Figure 68: Passthrough options for VPN tunnels

5.7 Application Rules
Advanced > Application Rules > Application Rules

Application rules are also referred to as port triggering. This feature allows devices on the LAN or DMZ to request one or more ports to be forwarded to them. Port triggering waits for an outbound request from the LAN/DMZ on one of the defined outgoing ports, and then opens an incoming port for that specified type of traffic.
ports. The controller has a list of common applications and games with corresponding outbound and inbound ports to open. You can also specify a port triggering rule by defining the type of traffic (TCP or UDP) and the range of incoming and outgoing ports to open when enabled.

Figure 69: List of Available Application Rules showing 4 unique rules

The application rule status page will list any active rules, i.e.
Figure 70: Content Filtering used to block access to proxy servers and prevent ActiveX controls from being downloaded

5.8.2 Approved URLs
Advanced > Website Filter > Approved URLs

The Approved URLs list is an acceptance list for all URL domain names. Domains added to this list are allowed in any form. For example, if the domain "yahoo" is added to this list then all of the following URLs are permitted access from the LAN: www.yahoo.com, yahoo.co.uk, etc.
Figure 71: Two trusted domains added to the Approved URLs List

5.8.3 Blocked Keywords
Advanced > Website Filter > Blocked Keywords

Keyword blocking allows you to block all website URLs or site content that contains the keywords in the configured list. This is lower priority than the Approved URL List; i.e. if the blocked keyword is present in a site allowed by a Trusted Domain in the Approved URL List, then access to that site will be allowed.
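The precedence between the two lists can be modelled in a few lines. The Python below is an added example, not code from the controller or from D-Link. It assumes substring matching on the host name for approved entries and on the whole URL for keywords; the function names and list contents are constructed for illustration, and page content is not inspected.

```python
from urllib.parse import urlsplit

# Constructed sample lists; the names are hypothetical, not DWC-1000 settings.
APPROVED_DOMAINS = ["yahoo"]
BLOCKED_KEYWORDS = ["games", "proxy"]


def host_of(url):
    """Return the lower-cased host part of a URL (scheme optional)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def filter_decision(url, approved=APPROVED_DOMAINS, blocked=BLOCKED_KEYWORDS):
    """Return (verdict, reason) using the precedence from section 5.8.3.

    Assumption: an approved entry matches when it appears anywhere in the
    host name, and a keyword matches when it appears anywhere in the URL.
    """
    host = host_of(url)
    lowered = url.lower()
    for domain in approved:
        if domain.lower() in host:
            # Approved URLs outrank Blocked Keywords, so evaluation stops here.
            return ("allow", "approved domain '%s'" % domain)
    for keyword in blocked:
        if keyword.lower() in lowered:
            return ("block", "blocked keyword '%s'" % keyword)
    return ("allow", "no match")


def audit_overlaps(urls, approved=APPROVED_DOMAINS, blocked=BLOCKED_KEYWORDS):
    """List URLs that contain a blocked keyword but are still allowed because
    an approved entry matched first. Helps when reviewing how much an
    approved entry exempts from keyword blocking."""
    overlaps = []
    for url in urls:
        verdict, _reason = filter_decision(url, approved, blocked)
        hits = [k for k in blocked if k.lower() in url.lower()]
        if verdict == "allow" and hits:
            overlaps.append((url, hits))
    return overlaps


if __name__ == "__main__":
    # Constructed URLs for the demonstration.
    sample = [
        "http://www.yahoo.com/",
        "http://games.yahoo.co.uk/play",
        "http://example.org/games",
    ]
    for u in sample:
        print(u, filter_decision(u))
    print("keyword hits exempted by an approved entry:", audit_overlaps(sample))
```

Running `audit_overlaps` over a proxy or browsing log shows which requests the keyword list would have blocked had the approved entry not matched first.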
Figure 72: One keyword added to the block list

5.8.4 Export Web Filter
Advanced > Website Filter > Export

Export Approved URLs: This feature enables the user to export the URLs to be allowed to a csv file which can then be downloaded to the local host. The user has to click the export button to get the csv file.
Export Blocked Keywords: This feature enables the user to export the keywords to be blocked to a csv file which can then be downloaded to the local host.
Figure 73: Export Approved URL list

5.9 IP/MAC Binding
Advanced > IP/MAC Binding

Another available security measure is to only allow outbound traffic (from the LAN to WAN) when the LAN node has an IP address matching the MAC address bound to it. This is IP/MAC Binding, and by enforcing the gateway to validate the source traffic's IP address with the unique MAC Address of the configured LAN node, the administrator can ensure traffic from that IP address is not spoofed.
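The check described above, sketched as an added Python example (not the controller's implementation): each outbound packet's source MAC and IP are compared with a binding table, mismatches are dropped and a log line is recorded. The binding table, packets and function names are constructed, and letting hosts with no binding at all pass is an assumption of this model.

```python
import ipaddress

# Constructed binding table: MAC address -> the IP address bound to it.
BINDINGS = {
    "00:11:22:33:44:55": "192.168.10.20",
    "00:11:22:33:44:66": "192.168.10.21",
}

# Constructed outbound (LAN to WAN) packets.
SAMPLE_PACKETS = [
    {"mac": "00:11:22:33:44:55", "ip": "192.168.10.20"},  # matches its binding
    {"mac": "00-11-22-33-44-55", "ip": "192.168.10.99"},  # bound MAC, wrong IP
    {"mac": "aa:bb:cc:dd:ee:ff", "ip": "192.168.10.21"},  # bound IP, wrong MAC
    {"mac": "aa:bb:cc:dd:ee:01", "ip": "192.168.10.50"},  # no binding at all
]


def normalize_mac(mac):
    """Canonical lower-case, colon-separated MAC; ValueError if malformed."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("bad MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_index(bindings):
    """Index the table both ways so either side of a mismatch is caught."""
    by_mac, by_ip = {}, {}
    for mac, ip in bindings.items():
        m, a = normalize_mac(mac), ipaddress.ip_address(ip)
        by_mac[m] = a
        by_ip[a] = m
    return by_mac, by_ip


def check_packet(src_mac, src_ip, by_mac, by_ip):
    """Return (allowed, reason) for one outbound packet."""
    mac, ip = normalize_mac(src_mac), ipaddress.ip_address(src_ip)
    bound_ip, bound_mac = by_mac.get(mac), by_ip.get(ip)
    if bound_ip is not None and bound_ip != ip:
        return (False, "MAC %s is bound to %s, not %s" % (mac, bound_ip, ip))
    if bound_mac is not None and bound_mac != mac:
        return (False, "IP %s is bound to %s, not %s" % (ip, bound_mac, mac))
    if bound_ip is None and bound_mac is None:
        return (True, "no binding configured")  # assumption: unbound hosts pass
    return (True, "binding matches")


def filter_traffic(packets, bindings):
    """Drop violating packets and collect one log line per violation."""
    by_mac, by_ip = build_index(bindings)
    forwarded, log = [], []
    for pkt in packets:
        allowed, reason = check_packet(pkt["mac"], pkt["ip"], by_mac, by_ip)
        if allowed:
            forwarded.append(pkt)
        else:
            log.append("IP/MAC binding violation: " + reason)
    return forwarded, log


if __name__ == "__main__":
    kept, violations = filter_traffic(SAMPLE_PACKETS, BINDINGS)
    print("forwarded:", kept)
    for line in violations:
        print(line)
```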
Figure 74: The following example binds a LAN host's MAC Address to an IP address served by DWC-1000. If there is an IP/MAC Binding violation, the violating packet will be dropped and logs will be captured.

5.10 Protecting from Internet Attacks
Advanced > Advanced Network > Attack Checks

Attacks can be malicious security breaches or unintentional network issues that render the controller unusable.
Figure 75: Protecting the controller and LAN from internet attacks
Chapter 6. IPsec / PPTP / L2TP VPN

A VPN provides a secure communication channel ("tunnel") between two gateway controllers or a remote PC client. The following types of tunnels can be created:

Gateway-to-gateway VPN: to connect two or more controllers to secure traffic between remote sites.
Remote Client (client-to-gateway VPN tunnel): A remote client initiates a VPN tunnel as the IP address of the remote PC client is not known in advance.
Figure 77: Example of three IPsec client connections to the internal network through the DWC IPsec gateway
6.1 VPN Wizard
Setup > Wizard > VPN Wizard

You can use the VPN wizard to quickly create both IKE and VPN policies. Once the IKE or VPN policy is created, you can modify it as required.

Figure 78: VPN Wizard launch screen

To easily establish a VPN tunnel using VPN Wizard, follow the steps below:

1. Select the VPN tunnel type to create
The tunnel can either be a gateway to gateway connection (site-to-site) or a tunnel to a host on the internet (remote access).
2. Configure Remote and Local WAN address for the tunnel endpoints
Remote Gateway Type: Identify the remote endpoint of the tunnel by FQDN or static IP address.
Remote WAN IP address / FQDN: This field is enabled only if the peer you are trying to connect to is a Gateway. For VPN Clients, this IP address or Internet Name is determined when a connection request is received from a client.
Parameter: Default value from Wizard
Exchange Mode: Aggressive (Client policy) or Main (Gateway policy)
ID Type: FQDN
Local WAN ID: wan_local.com (only applies to Client policies)
Remote WAN ID: wan_remote.
Figure 79: IPsec policy configuration

Once the tunnel type and endpoints of the tunnel are defined you can determine the Phase 1 / Phase 2 negotiation to use for the tunnel. This is covered in the IPsec mode setting, as the policy can be Manual or Auto. For Auto policies, the Internet Key Exchange (IKE) protocol dynamically exchanges keys between two IPsec hosts. The Phase 1 IKE parameters are used to define the tunnel's security association details.
Figure 80: IPsec policy configuration continued (Auto policy via IKE)

A Manual policy does not use IKE and instead relies on manual keying to exchange authentication parameters between the two IPsec hosts. The incoming and outgoing security parameter index (SPI) values must be mirrored on the remote tunnel endpoint. The encryption and integrity algorithms and keys must also match exactly on the remote IPsec host in order for the tunnel to establish successfully.
Figure 81: IPsec policy configuration continued (Auto / Manual Phase 2)

6.2.1 Extended Authentication (XAUTH)

You can also configure extended authentication (XAUTH). Rather than configure a unique VPN policy for each user, you can configure the VPN gateway controller to authenticate users from a stored list of user accounts or with an external authentication server such as a RADIUS server.
6.3 Configuring VPN clients

Remote VPN clients must be configured with the same VPN policy parameters used in the VPN tunnel that the client wishes to use: encryption, authentication, life time, and PFS key-group. Upon establishing these authentication parameters, the VPN Client user database must also be populated with an account to give a user access to the tunnel.

VPN client software is required to establish a VPN tunnel between the controller and remote endpoint.
Figure 82: PPTP tunnel configuration – PPTP Client

Figure 83: PPTP VPN connection status

Setup > VPN Settings > PPTP > PPTP Server

A PPTP VPN can be established through this controller. Once enabled, a PPTP server is available on the controller for LAN and WAN PPTP client users to access. Once the PPTP server is enabled, PPTP clients that are within the range of configured IP addresses of allowed clients can reach the controller's PPTP server.
Figure 84: PPTP tunnel configuration – PPTP Server

6.4.2 L2TP Tunnel Support
Setup > VPN Settings > L2TP > L2TP Server

An L2TP VPN can be established through this controller. Once enabled, an L2TP server is available on the controller for LAN and WAN L2TP client users to access. Once the L2TP server is enabled, L2TP clients that are within the range of configured IP addresses of allowed clients can reach the controller's L2TP server.
Figure 85: L2TP tunnel configuration – L2TP Server

6.4.3 OpenVPN Support
Setup > VPN Settings > OpenVPN > OpenVPN Configuration

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. An OpenVPN tunnel can be established through this controller.
Port: The port number on which the OpenVPN server (or Access Server) runs.
Tunnel Protocol: The protocol used to communicate with the remote host. Ex: TCP, UDP. UDP is the default.
Encryption Algorithm: The cipher with which the packets are encrypted. Ex: BF-CBC, AES-128, AES-192 and AES-256. BF-CBC is the default.
Hash algorithm: Message digest algorithm used to authenticate packets. Ex: SHA1, SHA256 and SHA512. SHA1 is the default.
Figure 86: OpenVPN configuration
Chapter 7. SSL VPN

The controller provides an intrinsic SSL VPN feature as an alternative to the standard IPsec VPN. SSL VPN differs from IPsec VPN mainly by removing the requirement of a pre-installed VPN client on the remote host. Instead, users can securely log in through the SSL User Portal using a standard web browser and receive access to configured network resources within the corporate LAN.
Figure 87: Example of clientless SSL VPN connections to the DWC-1000
7.1 Groups and Users
Advanced > Users > Groups

The group page allows creating, editing and deleting groups. The groups are associated with a set of user types. The list of available groups is displayed in the "List of Group" page with the group name and description of the group.

Click Add to create a group.
Click Edit to update an existing group.
Click Delete to clear an existing group.
Guest User (read-only): The guest user gains read-only access to the GUI to observe and review configuration settings. The guest does not have SSL VPN access.
Captive Portal User: These captive portal users have access through the controller. The access is determined based on captive portal policies.
Idle Timeout: This is the login timeout period for users of this group.
Active Directory Domain: If the domain uses Active Directory authentication, the Active Directory domain name is required. Users configured in the Active Directory database are given access to the SSL VPN portal with their Active Directory username and password. If there are multiple Active Directory domains, the user can enter the details for up to two authentication domains.
Timeout: The timeout period for reaching the authentication server.
Disable Login: Enable to prevent the users of this group from logging into the device's management interface(s).
Deny Login from WAN interface: Enable to prevent the users of this group from logging in from a WAN (wide area network) interface. In this case only login through LAN is allowed.

Figure 91: Group login policies options

Policy by Browsers
To set browser policies for the group, select the corresponding group and click "Policy by Browsers".
Figure 92: Browser policies options

Policy by IP
To set policies by IP for the group, select the corresponding group and click "Policy by IP". The following parameters are configured:

Group Name: This is the name of the group that can have its login policy edited.
Deny Login from Defined Browsers: The list of defined browsers below will be used to prevent the users of this group from logging in to the controller GUI.
Figure 93: IP policies options

Login Policies, Policy by Browsers, and Policy by IP are applicable to SSL VPN users only.

Advanced > Users > Users

The users page allows adding, editing and deleting existing groups. Users are associated with configured groups. The list of available users is displayed in the "List of Users" page with User name, associated group and Login status.

Click Add to create a user.
Click Edit to update an existing user.
Figure 94: Available Users with login status and associated Group

7.1.1 Users and Passwords
Advanced > Users > Users

The user configurations allow creating users associated with a group. The user settings contain the following key components:

User Name: This is the unique identifier of the user.
First Name: This is the user's first name.
Last Name: This is the user's last name.
Select Group: A group is chosen from a list of configured groups.
Figure 95: User configuration options

7.2 Using SSL VPN Policies
Setup > VPN Settings > SSL VPN Server > SSL VPN Policies

SSL VPN Policies can be created on a Global, Group, or User level. User level policies take precedence over Group level policies and Group level policies take precedence over Global policies. These policies can be applied to a specific network resource, IP address or ranges on the LAN, or to different SSL VPN services supported by the controller.
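The precedence rule above can be made concrete with a small resolver. This is an added Python example, not the controller's logic: the `Policy` fields, the permit/deny flag, the tie-break (first configured policy wins within a level) and the sample policies are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Lower rank = higher precedence: User over Group over Global.
LEVEL_RANK = {"user": 0, "group": 1, "global": 2}


@dataclass
class Policy:
    level: str                        # "user", "group" or "global"
    owner: Optional[str]              # user or group name; None for global
    network: str                      # single IP address or network in CIDR form
    permit: bool                      # assumed permit/deny flag
    port_start: Optional[int] = None  # both ports left blank = all TCP/UDP traffic
    port_end: Optional[int] = None

    def __post_init__(self):
        if self.level not in LEVEL_RANK:
            raise ValueError("unknown policy level: %r" % self.level)
        if (self.port_start is None) != (self.port_end is None):
            raise ValueError("set both ports or leave both blank")

    def applies_to(self, user, group, dst_ip, dst_port):
        """True when this policy covers the user and the destination."""
        if self.level == "user" and self.owner != user:
            return False
        if self.level == "group" and self.owner != group:
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.network):
            return False
        if self.port_start is None:
            return True
        return self.port_start <= dst_port <= self.port_end


def decide(policies, user, group, dst_ip, dst_port):
    """Return (verdict, level) from the most specific matching policy,
    or None when no policy matches. min() keeps the first configured
    policy when several match at the same level (an assumption)."""
    matches = [p for p in policies if p.applies_to(user, group, dst_ip, dst_port)]
    if not matches:
        return None
    best = min(matches, key=lambda p: LEVEL_RANK[p.level])
    return ("permit" if best.permit else "deny", best.level)


# Constructed policy set for the demonstration.
SAMPLE_POLICIES = [
    Policy("global", None, "10.0.0.0/8", permit=False),
    Policy("group", "engineering", "10.0.5.0/24", permit=True),
    Policy("user", "alice", "10.0.5.10", permit=False, port_start=22, port_end=22),
]

if __name__ == "__main__":
    for who, grp, ip, port in [
        ("alice", "engineering", "10.0.5.10", 22),
        ("alice", "engineering", "10.0.5.10", 443),
        ("carol", "sales", "10.0.5.10", 22),
    ]:
        print(who, ip, port, decide(SAMPLE_POLICIES, who, grp, ip, port))
```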
Figure 96: List of SSL VPN policies (Global filter)

To add an SSL VPN policy, you must first assign it to a user, group, or make it global (i.e. applicable to all SSL VPN users). If the policy is for a group, the available configured groups are shown in a drop-down menu and one must be selected. Similarly, for a user defined policy an SSL VPN user must be chosen from the available list of configured users. The next step is to define the policy details.
Figure 97: SSL VPN policy configuration

To configure a policy for a single user or group of users, enter the following information:

Policy for: The policy can be assigned to a group of users, a single user, or all users (making it a global policy). To customize the policy for specific users or groups, the user can select from the Available Groups and Available Users drop-down.
the starting and ending port range blank corresponds to all UDP and TCP traffic.
Service: This is the SSL VPN service made available by this policy. The services offered are VPN tunnel, port forwarding or both.
Defined resources: This policy can provide access to specific network resources. Network resources must be configured in advance of creating the policy to make them available for selection as a defined resource.
Figure 98: List of configured resources, which are available to assign to SSL VPN policies

7.3 Application Port Forwarding
Setup > VPN Settings > SSL VPN Server > Port Forwarding

Port forwarding allows remote SSL users to access specified network applications or services after they log in to the User Portal and launch the Port Forwarding service. Traffic from the remote user to the controller is detected and re-routed based on configured port forwarding rules.
VNC (virtual network computing): 5900 or 5800

As a convenience for remote users, the hostname (FQDN) of the network server can be configured to allow for IP address resolution. This host name resolution provides users with easy-to-remember FQDNs to access TCP applications instead of error-prone IP addresses when using the Port Forwarding service through the SSL User Portal.
Figure 99: List of Available Applications for SSL Port Forwarding

7.4 SSL VPN Client Configuration
Setup > VPN Settings > SSL VPN Client > SSL VPN Client

An SSL VPN tunnel client provides a point-to-point connection between the browser-side machine and this controller. When an SSL VPN client is launched from the user portal, a "network adapter" with an IP address from the corporate subnet, DNS and WINS settings is automatically created.
Figure 100: SSL VPN client adapter and access configuration

The controller allows full tunnel and split tunnel support. Full tunnel mode sends all traffic from the client across the VPN tunnel to the controller. Split tunnel mode only sends traffic to the private LAN based on pre-specified client routes. These client routes give the SSL client access to specific private networks, thereby allowing access control over specific LAN services.
Setup > VPN Settings > SSL VPN Client > Configured Client Routes

If the SSL VPN client is assigned an IP address in a different subnet than the corporate network, a client route must be added to allow access to the private LAN through the VPN tunnel. A static route on the private LAN's firewall (typically this controller) is also needed to forward private traffic through the VPN Firewall to the remote SSL VPN client.
The controller administrator creates and edits portal layouts from the configuration pages in the SSL VPN menu. The portal name, title, banner name, and banner contents are all customizable to the intended users for this portal. The portal name is appended to the SSL VPN portal URL.
Figure 102: SSL VPN Portal configuration
Chapter 8. Advanced Configuration Tools

8.1 USB Device Setup
Setup > USB Settings > USB Status

The DWC-1000 Wireless controller has a USB interface for printer access and file sharing. There is no configuration on the GUI to enable USB device support. Upon inserting your USB storage device or printer cable, the DWC will automatically detect the type of connected peripheral.
Figure 103: USB Device Detection

8.2 Authentication Certificates
Advanced > Certificates

This gateway uses digital certificates for IPsec VPN authentication as well as SSL validation (for HTTPS and SSL VPN authentication). You can obtain a digital certificate from a well-known Certificate Authority (CA) such as VeriSign, or generate and sign your own certificate using functionality available on this gateway.
A self certificate is a certificate issued by a CA identifying your device (or self-signed if you don't want the identity protection of a CA). The Active Self Certificate table lists the self certificates currently loaded on the gateway. The following information is displayed for each uploaded self certificate:

Name: The name you use to identify this certificate; it is not displayed to IPsec VPN peers or SSL users.
Figure 104: Certificate summary for IPsec and HTTPS management

8.3 WIDS Security

8.3.1 WIDS AP Configuration
Advanced > WIDS Security > AP

The WIDS AP Configuration page allows you to activate or deactivate various threat detection tests and set threat detection thresholds in order to help detect rogue APs on the wireless network. These changes can be done without disrupting network connectivity.
Managed SSID from an unknown AP: This test checks whether an unknown AP is using the managed network SSID. A hacker may set up an AP with a managed SSID to fool users into associating with the AP and revealing passwords and other secure information. Administrators with large networks who are using multiple clusters should either use different network names in each cluster or disable this test.
AP is operating on an illegal channel: The purpose of this test is to detect hackers or incorrectly configured devices that are operating on channels that are not legal in the country where the wireless system is set up.

Note: In order for the wireless system to detect this threat, the wireless network must contain one or more radios that operate in sentry mode.
AP De-Authentication Attack: Enable or disable the AP de-authentication attack. The wireless controller can protect against rogue APs by sending de-authentication messages to the rogue AP. The de-authentication attack feature must be globally enabled in order for the wireless system to perform this function. Make sure that no legitimate APs are classified as rogues before enabling the attack feature. This feature is disabled by default.

Figure 105: WIDS AP Configuration

8.3.
In order to help determine whether a client is posing a threat to the network by flooding the network with management traffic, the system keeps track of the number of times the AP received each message type and the highest message rate detected in a single RF Scan report. On the WIDS Client Configuration page, you can set thresholds for each type of message sent, and the APs monitor whether any clients exceed those thresholds or tests.
Rogue Detected Trap Interval: Specify the interval, in seconds, between transmissions of the SNMP trap telling the administrator that rogue APs are present in the RF Scan database. If you set the value to 0, the trap is never sent.

De-Authentication Requests Threshold Interval: Specify the number of seconds an AP should spend counting the de-authentication messages sent by wireless clients.
Figure 106: WIDS Client Configuration
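The per-client threshold test described in section 8.3 for WIDS client configuration can be pictured with the following added example, which is not D-Link code and does not reflect the controller's internal implementation. The threshold values, message-type names and frame records are assumptions constructed for illustration; fixed counting windows are used, so a burst that straddles two windows is counted in two parts.

```python
"""Added example: per-client management-frame rate check (constructed data)."""
from collections import defaultdict

# Assumed thresholds: message type -> (interval in seconds, max per interval).
# Real values are whatever is set on the WIDS Client Configuration page.
THRESHOLDS = {
    "deauth": (60, 10),
    "auth": (60, 10),
    "probe": (60, 120),
}


def find_flooding_clients(frames, thresholds=THRESHOLDS):
    """frames: iterable of (timestamp_seconds, client_mac, msg_type).

    Counts each message type per client in fixed windows of the configured
    interval and returns {(mac, msg_type): highest_window_count} for every
    client whose count in any single window exceeds the threshold.
    """
    counts = defaultdict(int)  # (mac, type, window index) -> count
    for ts, mac, msg_type in frames:
        if msg_type not in thresholds:
            continue  # no test configured for this message type
        interval, _limit = thresholds[msg_type]
        counts[(mac.lower(), msg_type, int(ts // interval))] += 1

    peaks = defaultdict(int)  # (mac, type) -> highest count in one window
    for (mac, msg_type, _window), n in counts.items():
        peaks[(mac, msg_type)] = max(peaks[(mac, msg_type)], n)

    return {key: peak for key, peak in peaks.items()
            if peak > thresholds[key[1]][1]}


def sample_frames():
    """Constructed capture: one noisy client and one normal client."""
    frames = []
    # 25 de-authentication requests from one client within about 12 seconds.
    frames += [(100 + i * 0.5, "02:00:00:AA:BB:01", "deauth") for i in range(25)]
    # Normal client: 8 de-auths spread over two windows, plus regular probes.
    frames += [(30 + i * 12, "02:00:00:aa:bb:02", "deauth") for i in range(8)]
    frames += [(i, "02:00:00:aa:bb:02", "probe") for i in range(0, 120, 3)]
    return frames


if __name__ == "__main__":
    for (mac, msg_type), peak in find_flooding_clients(sample_frames()).items():
        print(f"{mac} exceeded {msg_type} threshold: {peak} in one interval")
```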
Chapter 9. Administration & Management

9.1 Remote Management

Both HTTPS and telnet access can be restricted to a subset of IP addresses. The controller administrator can define a known PC, single IP address or range of IP addresses that are allowed to access the GUI with HTTPS. The opened port for SSL traffic can be changed from the default of 443 at the same time as defining the allowed remote management IP address range.

Figure 107: Remote Management

9.
9.3 SNMP Configuration
Tools > Admin > SNMP

SNMP is an additional management tool that is useful when multiple controllers in a network are being managed by a central Master system. When an external SNMP manager is provided with this controller's Management Information Base (MIB) file, the manager can update the controller's hierarchical variables to view or update configuration parameters.
Figure 109: SNMP system information for this controller

9.4 Configuring Time Zone and NTP
Tools > Date and Time

You can configure your time zone, whether or not to adjust for Daylight Savings Time, and with which Network Time Protocol (NTP) server to synchronize the date and time. You can choose to set Date and Time manually, which will store the information on the controller's real-time clock (RTC).
Figure 110: Date, Time, and NTP server setup

9.5 Log Configuration

This controller allows you to capture log messages for traffic through the firewall, VPN, and over the wireless AP. As an administrator you can monitor the type of traffic that goes through the controller and also be notified of potential attacks or errors when they are detected by the controller. The following sections describe the log configuration settings and the ways you can access these logs.
9.5.1 Defining What to Log
Tools > Log Settings > Logs Facility

The Logs Facility page allows you to determine the granularity of logs to receive from the controller. There are three core components of the controller, referred to as Facilities:

Kernel: This refers to the Linux kernel. Log messages that correspond to this facility would correspond to traffic through the firewall or network stack.
Figure 111: Facility settings for Logging

The display for logging can be customized based on where the logs are sent, either the Event Log viewer in the GUI (the Event Log viewer is in the Status > Logs page) or a remote Syslog server for later review. E-mail logs, discussed in a subsequent section, follow the same configuration as logs configured for a Syslog server.
Example: If Accept Packets from LAN to WAN is enabled and there is a firewall rule to allow SSH traffic from LAN, then whenever a LAN machine tries to make an SSH connection, those packets will be accepted and a message will be logged. (Assuming the log option is set to Allow for the SSH firewall rule.)

Dropped Packets are packets that were intentionally blocked from being transferred through the corresponding network segment.
Figure 112: Log configuration options for traffic through controller

9.5.2 Sending Logs to E-mail or Syslog
Tools > Log Settings > Remote Logging

Once you have configured the type of logs that you want the controller to collect, they can be sent to either a Syslog server or an E-mail address. For remote logging a key configuration field is the Remote Log Identifier.
send a valid e-mail that is accepted by one of the configured "send-to" addresses. Up to three e-mail addresses can be configured as log recipients. In order to establish a connection with the configured SMTP port and server, define the server's authentication requirements. The controller supports Login Plain (no encryption) or CRAM-MD5 (encrypted) for the username and password data to be sent to the SMTP server.
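The difference between the two SMTP authentication options above is easiest to see in what each one sends to the server. The following is an added example, not D-Link code: it models "Login Plain" as SASL PLAIN (RFC 4616), which is an assumption, and CRAM-MD5 as defined in RFC 2195; the account names and passwords are constructed. With CRAM-MD5 the password never crosses the network, but the username and the rest of the SMTP session, including the log e-mail itself, are not encrypted by the mechanism.

```python
"""Added example: what each SMTP AUTH mechanism puts on the wire."""
import base64
import hashlib
import hmac


def plain_initial_response(username, password):
    """SASL PLAIN (RFC 4616): base64 of NUL + username + NUL + password."""
    raw = b"\0" + username.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode()


def recover_from_plain(b64_response):
    """What anyone who can read the session learns from a PLAIN response."""
    _authzid, user, password = base64.b64decode(b64_response).split(b"\0")
    return user.decode(), password.decode()


def cram_md5_response(username, password, b64_challenge):
    """CRAM-MD5 (RFC 2195): base64 of 'username <hex HMAC-MD5 digest>'.

    The password is only used as the HMAC key over the server's one-time
    challenge, so the response is different for every login attempt.
    """
    challenge = base64.b64decode(b64_challenge)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def contains_password(b64_response, password):
    """True if the decoded response carries the password itself."""
    return password.encode() in base64.b64decode(b64_response)


if __name__ == "__main__":
    # Constructed credentials and challenge, for illustration only.
    user, pw = "logs@example.test", "S3cret-passphrase"
    challenge = base64.b64encode(b"<12345.1700000000@mail.example.test>").decode()

    plain = plain_initial_response(user, pw)
    cram = cram_md5_response(user, pw, challenge)
    print("PLAIN decodes to:", recover_from_plain(plain))
    print("PLAIN carries password:", contains_password(plain, pw))
    print("CRAM-MD5 carries password:", contains_password(cram, pw))
```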
Figure 113: E-mail configuration as a Remote Logging option

An external Syslog server is often used by network administrators to collect and store logs from the controller. This remote device typically has fewer memory constraints than the local Event Viewer on the controller GUI, and thus can collect a considerable number of logs over a sustained period. This is typically very useful for debugging network issues or for monitoring controller traffic over a long duration.
Figure 114: Syslog server configuration for Remote Logging (continued)

9.5.3 Event Log Viewer in GUI
Status > Logs > View All Logs

The controller GUI lets you observe configured log messages from the Status menu. Whenever traffic through or to the controller matches the settings determined in the Tools > Log Settings > Logs Facility or Tools > Log Settings > Logs Configuration pages, the corresponding log message will be displayed in this window with a timestamp.
Figure 115: VPN logs displayed in GUI event viewer

9.6 Backing up and Restoring Configuration Settings
Tools > System

You can back up the controller's custom configuration settings to restore them to a different device or to the same controller after some other changes. During backup, your settings are saved as a file on your host. You can restore the controller's saved settings from this file as well.
9. To restore your saved settings from a backup file, click Browse then locate the file on the host. After clicking Restore, the controller begins importing the file's saved configuration settings. After the restore, the controller reboots automatically with the restored settings.
10. To erase your current settings and revert to factory default settings, click the Default button.
IMPORTANT! During firmware upgrade, do NOT try to go online, turn off the DWC-1000, shut down the PC, or interrupt the process in any way until the operation is complete. This should take only a minute or so including the reboot process. Interrupting the upgrade process at specific points when the flash is being written to may corrupt the flash memory and render the controller unusable without a low-level process of restoring the flash firmware (not through the web GUI).
directed to the correct IP address. When you set up an account with a DDNS service, the host and domain name, username, password and wildcard support will be provided by the account provider.

Figure 118: Dynamic DNS configuration

9.9 Using Diagnostic Tools
Tools > System Check

The controller has built-in tools to allow an administrator to evaluate the communication status and overall network health.
Figure 119: Controller diagnostics tools available in the GUI

9.9.1 Ping

This utility can be used to test connectivity between this controller and another device on the network connected to this controller. Enter an IP address and click PING. The command output will appear indicating the ICMP echo request status.

9.9.2 Trace Route

This utility will display all the routers present between the destination IP address and this controller.
9.9.4 Router Options

The static and dynamic routes configured on this controller can be shown by clicking Display for the corresponding routing table. Clicking the Packet Trace button will allow the controller to capture and display traffic through the DWC-1000 between the LAN and WAN interface as well. This information is often very useful in debugging traffic and routing issues.

9.
Appendix A. Glossary

ARP: Address Resolution Protocol. Broadcast protocol for mapping IP addresses to MAC addresses.
CHAP: Challenge-Handshake Authentication Protocol. Protocol for authenticating users to an ISP.
DDNS: Dynamic DNS. System for updating domain names in real time. Allows a domain name to be assigned to a device with a dynamic IP address.
DHCP: Dynamic Host Configuration Protocol.
PPPoE: Point-to-Point Protocol over Ethernet. Protocol for connecting a network of hosts to an ISP without the ISP having to manage the allocation of IP addresses.
PPTP: Point-to-Point Tunneling Protocol. Protocol for creation of VPNs for the secure transfer of data from remote clients to private servers over the Internet.
RADIUS: Remote Authentication Dial-In User Service. Protocol for remote user authentication and accounting.
Appendix B. Factory Default Settings

| Feature | Description | Default Setting |
|---|---|---|
| Device login | User login URL | http://192.168.10.1 |
| Device login | User name (case sensitive) | admin |
| Device login | Login password (case sensitive) | admin |
| Internet Connection | WAN MAC address | Use default address |
| Internet Connection | WAN MTU size | 1500 |
| Internet Connection | Port speed | Autosense |
| | IP address | 192.168.10.1 |
| | IPv4 subnet mask | 255.255.255.0 |
| | RIP direction | None |
| | RIP version | Disabled |
| | RIP authentication | Disabled |
| | DHCP server | Enabled |
| | DHCP starting IP address | 192.168.10. |