Altitude™ 4700 Series Access Point Product Reference Guide, Software Version 4.1
Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800
http://www.extremenetworks.
About This Guide

Introduction

This guide provides configuration and setup information for the Extreme Networks® Altitude™ 4710 dual-radio Access Point and Altitude 4750 tri-radio Access Point. For the purposes of this guide, the devices will be called the generic term “Access Point” when identical configuration activities are applied to both models. When command line interface (CLI) commands are displayed, and apply to both models, an “AP4700” convention is used.
Notational Conventions

The following notational conventions are used in this document:
● Italics are used to highlight specific items in the general text, and to identify chapters and sections in this and related documents.
● Bullets (•) indicate:
  ● action items
  ● lists of alternatives
  ● lists of required steps that are not necessarily sequential
● Sequential lists (those describing step-by-step procedures) appear as numbered lists.
Chapter 1: Introduction

As a standalone Access Point, the Altitude 4700 Series Access Point provides small and medium-sized businesses with a consolidated wired and wireless networking infrastructure, all in a single device. The integrated router, gateway, firewall, DHCP and AAA RADIUS servers, VPN, hot-spot gateway and Power-over-Ethernet (PoE) simplify and reduce the costs associated with networking by eliminating the need to purchase and manage multiple pieces of equipment.

New Features

The following features are now available with the introduction of the new 4.
Hotspot Customization To date, the default hotspot supported on the Access Point does not allow users to change the text on the hotspot portal or the logo for the enterprise where the hotspot is deployed. With this most recent release of the Access Point firmware, users now have the ability to customize the appearance of an Access Point’s WLAN hotspot pages.
Proxy ARP Support

With this most recent release of the Access Point firmware, the Access Point can respond to ARP requests on behalf of an associated MU and protect the MU’s network credentials from being broadcast on a publicly accessible network. When Proxy ARP is enabled on the Access Point (it’s enabled by default), the Access Point can make an MU physically located on one network appear part of a different network connected to the same Access Point.
NOTE Some of the legacy 802.11abg-based devices (such as some VoWiFi phones) do not receive frames transmitted by an AP4700 series access point very well if all three transmit chains are used. When only a single transmit chain is used, communication between the access point and those client devices works better. For information on enabling dynamic chain selection using the Access Point Web applet, see “Configuring the 802.11a/n or 802.11b/g/n Radio” on page 174.
LLDP Support

Link Layer Discovery Protocol (LLDP) is a Layer 2 protocol (IEEE standard 802.1AB) used to determine the capabilities of devices such as repeaters, bridges, access points, routers and wireless clients. LLDP enables devices to advertise their capabilities and media-specific configurations. LLDP provides a method of discovering and representing the physical network connections of a given network management domain.
● Routing Information Protocol (RIP) on page 36
● Manual Date and Time Settings on page 36
● Dynamic DNS on page 36
● Auto Negotiation on page 36
● Adaptive AP on page 36
● Rogue AP Detection Enhancement on page 37
● RADIUS Time-Based Authentication on page 37
● QBSS Support on page 37
● Triple Radio Support on page 37
● IP Filtering on page 38
● MU Rate Limiting on page 38
● Per Radio MU Limit on page 38
● Power Setting Configuration on page 38
● AMSDU Transmission Support on pag
The following is a network topology illustrating how a sensor functions within an Access Point supported wireless network:

A radio in sensor mode supports the following basic features:

NOTE The functions described below are conducted on the WIPS server side, not on the Access Point.

● Wireless Termination—The Access Point attempts to force an unwanted (or unauthorized) connection to disconnect.
● Wireless Sniffing—All received frames are reported to the WIPS server.
NOTE Altitude 4750 models never dedicate the third radio to traditional WLAN support. The third radio is either disabled or set exclusively to WIPS support (referred to in the Access Point interface as sensor mode). CAUTION Users cannot define a radio as a WIPS sensor when one of the Access Point radios is functioning as a rogue AP detector. To use one of the radios as a WIPS sensor, you must disable its current detector method(s) first, then set the radio for WIPS sensor support.
Multiple Mounting Options

The access point attaches to a wall, mounts under a ceiling or above a ceiling (attic). Choose a mounting option based on the physical environment of the coverage area. Do not mount the Access Point in a location that has not been approved in a radio coverage site survey. For detailed information on the mounting options available, see “Mounting an Altitude 4700 Series Access Point” on page 50.

Antenna Support for 2.
Quality of Service (QoS) Support The QoS implementation provides applications running on different wireless devices a variety of priority levels to transmit data to and from the Access Point. Equal data transmission priority is fine for data traffic from applications such as Web browsers, file transfers or email, but is inadequate for multimedia applications. Voice over Internet Protocol (VoIP), video streaming and interactive gaming are highly sensitive to latency increases and throughput reductions.
traffic and intercept passwords. The use of strong authentication methods that do not disclose passwords is necessary. The Access Point uses the Kerberos authentication service protocol (specified in RFC 1510) to authenticate users/clients in a wireless network environment and to securely distribute the encryption keys used for both encrypting and decrypting. A basic understanding of RFC 1510 Kerberos Network Authentication Service (V5) is helpful in understanding how Kerberos works.
interpret the encrypted data without the appropriate key. Only the sender and receiver of the transmitted data know the key. Wired Equivalent Privacy (WEP) is an encryption security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11b and supported by the AP. WEP encryption is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN. The level of protection provided by WEP encryption is determined by the encryption key length and algorithm.
For detailed information on WPA2-CCMP, see “Configuring WPA2-CCMP (802.11i)” on page 213.

Firewall Security

A firewall keeps personal data in and hackers out. The Access Point’s firewall prevents suspicious Internet traffic from proliferating across the Access Point managed network. The Access Point performs Network Address Translation (NAT) on packets passing to and from the WAN port. This combination provides enhanced security by monitoring communication with the wired network.
Multiple Management Accessibility Options

The Access Point can be accessed and configured using one of the following:
● Java-Based Web UI
● Human readable config file (imported via FTP or TFTP)
● MIB (Management Information Base)
● Command Line Interface (CLI) accessed via RS-232 or Telnet.

Use the Access Point’s DB-9 serial port for direct access to the command-line interface from a PC. Use a Null-Modem cable (Part No. 25632878-0) for the best fitting connection.
The access point can only use a Power-over-Ethernet device when connected to the access point’s LAN (GE1/POE) port. The access point can also support 3af/3at compliant products from other vendors. The Power Injector (Part No. AP-PSBIAS-1P3-AFR) is a single-port Power-over-Ethernet hub combining low-voltage DC with Ethernet data in a single cable connecting to the access point.
Statistical Displays The Access Point can display robust transmit and receive statistics for the WAN and LAN ports. WLAN stats can be displayed collectively and individually for enabled WLANs. Transmit and receive statistics are available for the Access Point’s 802.11a/n and 802.11b/g/n radios. An advanced radio statistics page is also available to display retry histograms for specific data packet retry information. Associated MU stats can be displayed collectively and individually for specific MUs.
DHCP Support

The Access Point can use Dynamic Host Configuration Protocol (DHCP) to obtain a leased IP address and configuration information from a remote server. DHCP is based on the BOOTP protocol and can coexist or interoperate with BOOTP. Configure the Access Point to send out a DHCP request searching for a DHCP/BOOTP server to acquire HTML, firmware or network configuration files when the Access Point boots.
For an overview on mesh networking as well as details on configuring the Access Point’s mesh networking functionality, see “Configuring Mesh Networking” on page 577. Additional LAN Subnet In a typical retail or small office environment (wherein a wireless network is available along with a production WLAN) it is often necessary to segment a LAN into two subnets. Consequently, a second LAN is required to “segregate” wireless traffic.
For detailed information on configuring the Access Point for Hotspot support, see “Configuring WLAN Hotspot Support” on page 160.

Routing Information Protocol (RIP)

RIP is an interior gateway protocol that specifies how routers exchange routing-table information. The parent Router screen also allows the administrator to select the type of RIP and the type of RIP authentication used.
For an overview of the adaptive AP feature as well as how to configure it, refer to “Adaptive AP” on page 605.

Rogue AP Detection Enhancement

The Access Point can scan for rogues over all channels on both of the Access Point’s radio bands. The switching of radio bands is based on a timer with no user intervention required. For information on configuring the Access Point for Rogue AP support, see “Configuring Rogue AP Detection” on page 243.
NOTE For information on setting the configuration of a three radio model Altitude 4750, see “Configuring the 802.11a/n or 802.11b/g/n Radio” on page 174.

IP Filtering

IP filtering determines which IP packets are processed normally and which are discarded. If discarded, the packet is deleted and completely ignored (as if never received). Optionally apply different criteria to better refine which packets to filter. IP filtering supports the creation of up to 20 filter rules enforced at layer 3.
The AP’s hardware design uses a complex programmable logic device (CPLD). When an AP is powered on (or performing a cold reset), the CPLD determines the maximum power available to the AP by a POE device. Once an operational power configuration is defined, the AP firmware can read the power setting and configure operating characteristics based on the AP’s SKU and power configuration.
digital data signal is encoded onto carriers using a DSSS chipping algorithm. The radio signal propagates into the air as electromagnetic waves. A receiving antenna (on the MU) in the path of the waves absorbs the waves as electrical signals. The receiving MU interprets (demodulates) the signal by reapplying the direct sequence chipping code. This demodulation results in the original digital data. The Access Point uses its environment (the air and certain objects) as the transmission medium.
MAC Layer Bridging The Access Point provides MAC layer bridging between its interfaces. The Access Point monitors traffic from its interfaces and, based on frame address, forwards the frames to the proper destination. The Access Point tracks source and destination addresses to provide intelligent bridging as MUs roam or network topologies change. The Access Point also handles broadcast and multicast messages and responds to MU association requests.
established by IEEE 802.11b specifications. The bit redundancy within the chipping sequence enables the receiving MU to recreate the original data pattern, even if bits in the chipping sequence are corrupted by interference. The ratio of chips per bit is called the spreading ratio. A high spreading ratio increases the resistance of the signal to interference. A low spreading ratio increases the bandwidth available to the user.
Operating Modes The Access Point can operate in a couple of configurations. ● Access Point—As an Access Point, the Access Point functions as a layer 2 bridge. The wired uplink can operate as a trunk and support multiple VLANs. Up to 16 WLANs can be defined and mapped to Access Point WLANs. Each WLAN can be configured to be broadcast by one or both Access Point radios. An Altitude 4710 or Altitude 4750 can operate in both an Access Point mode and Wireless Gateway/Router mode simultaneously.
● Radio1 (802.11b/g/n)—Random address located on the Web UI, CLI and SNMP interfaces.
● Radio2 (802.11a/n)—Random address located on the Web UI, CLI and SNMP interfaces.

The Access Point’s BSS (virtual AP) MAC addresses are calculated as follows:
● BSS1—The same as the corresponding base radio’s MAC address.
Chapter 2: Hardware Installation

An Altitude 4700 Series Access Point installation includes mounting the Access Point, connecting the Access Point to the network, connecting antennae and applying power. Installation procedures vary for different environments.
● 48 Volt Power Supply
● A power outlet
● Dual-band antennae or an antenna specifically supporting the AP’s 2.4 or 5 GHz band

Package Contents

Check package contents for the correct model and accessories.
Access Point Placement For optimal performance, install the Access Point away from transformers, heavy-duty motors, fluorescent lights, microwave ovens, refrigerators and other industrial equipment. Signal loss can occur when metal, concrete, walls or floors block transmission. Install the Access Point in an open area or add Access Points as needed to improve coverage. Antenna coverage is analogous to lighting. Users might find an area lit from far away to be not bright enough.
R1 defines the Access Point’s radio 1 antenna connectors and R2 defines radio 2 antenna connectors. The supported 2.4 GHz antenna suite and 5 GHz antenna suite are given in the Altitude 35xx/46xx/47xx AP Antenna Selection Guide, Rev.xx.

Power Options

The power options for an Altitude 4700 Series Access Point include:
● 48-Volt Power Supply
● Power Injector (Part No. AP-PSBIAS-1P3-AFR)

CAUTION A single-port Gigabit Power-over-Ethernet Power Injector (Part No.
point’s GE1/POE port. The Power Injector is a separately ordered component and not shipped with an existing access point SKU. An AP4700 access point can also be used with the 3af power injector (AP-PSBIAS-1P2-AFR). However, AP functionality is limited when powered by an AP-PSBIAS-1P2-AFR, since the AP has Ethernet connectivity limited to only the GE1 port. Extreme Networks is reselling Motorola Power Supply (Part No. 50-14000-247R) as an accessory for AP4700.
Preparing for Site Installation

The Power Injector can be installed free standing on an even horizontal surface or wall mounted using the unit’s wall mounting key holes. The following guidelines should be adhered to before cabling the Power Injector to an Ethernet source and access point:
● Do not block or cover airflow to the Power Injector.
● Keep the unit away from excessive heat, humidity, vibration and dust.
mounting options based on the physical environment of the coverage area. Do not mount the Access Point in a location that has not been approved in a site survey.
To mount the Access Point on a wall use the following template:

1 Photocopy the template (on the previous page) to a blank piece of paper. Do not reduce or enlarge the scale of the template.

CAUTION If printing the mounting template (on the previous page) from an electronic PDF, dimensionally confirm the template by measuring each value for accuracy.

2 Tape the template to the wall mounting surface.
6 If required, install and attach a security cable to the Access Point’s lock port.
7 Attach the antennas to their correct connectors. For more information on available antennas, see “Antenna Options” on page 47.
8 Place the large center opening of each of the mount slots over the screw heads.
9 Slide the Access Point down along the mounting surface to hang the mount slots on the screw heads.
3 Attach the radio antennas to their correct connectors. For more information on available antennas, see “Antenna Options” on page 47.
4 Cable the Access Point using the approved power supply.

CAUTION Do not supply power to the Access Point until the cabling of the unit is complete.

a Connect an RJ-45 CAT5e (or CAT6) Ethernet cable between the network data supply (host) and the Access Point’s GE1/POE port.
11 The Access Point is ready to configure. For information on an Access Point default configuration, see “Getting Started” on page 63. For specific details on Access Point system configurations, see “System Configuration” on page 77. Above the Ceiling (Plenum) Installations An above the ceiling installation requires placing the Access Point above a suspended ceiling and installing the provided light pipe under the ceiling tile for viewing the rear panel status LEDs of the unit.
● Safety wire (strongly recommended)
● Security cable (optional)

To install the Access Point above a ceiling:

1 If possible, remove the adjacent ceiling tile from its frame and place it aside.
2 Install a safety wire, between 1.5mm (.06in.) and 2.5mm (.10in.) in diameter, in the ceiling space.
3 If required, install and attach a security cable to the Access Point’s lock port.
4 Mark a point on the finished side of the tile where the light pipe is to be located.

CAUTION Do not supply power to the Access Point until the cabling of the unit is complete.

a Connect an RJ-45 CAT5e (or CAT6) Ethernet cable between the network data supply (host) and the Access Point’s GE1/POE port.
b Verify the power adapter is correctly rated according to the country of operation.
c Ensure the cable length from the Ethernet source to the Power Injector and access point does not exceed 100 meters (333 ft).
NOTE Depending on how the 5 GHz and 2.4 GHz radios are configured, the LEDs will blink at different intervals between amber and yellow (5 GHz radio) and emerald and yellow (2.4 GHz radio).

The LEDs on the top housing of the Access Point are clearly visible in wall and below ceiling installations. The top housing LEDs have the following display and functionality.
Blinking Red indicates booting. Solid Red defines the diagnostic mode. White defines normal operation. Green defines normal GE1 operation. Green defines normal GE2 operation. Blinking Amber indicates 802.11a activity. Blinking Emerald indicates 802.11bg activity. A 5 second Amber and Yellow blink rate defines 802.11an activity. A 5 second Emerald and Yellow blink rate defines 802.11bgn activity. A 2 second Amber and Yellow blink rate defines 802.11an (40 MHz) activity.
Rear LED

The LED on the rear (bottom) of the Access Point is optionally viewed using a single (customer installed) extended light pipe, adjusted as required to suit above the ceiling installations. The LED light pipe has the following color display and functionality:

LED 7 Blinking Red (160 msec) indicates a failure condition. Solid Red defines the diagnostic mode. White defines normal operation.
NOTE If re-enabling the adapter for 802.11 support, ensure additional 802.11n settings (Aggregation, Channel Width, Guard Interval etc.) are also enabled to ensure optimal operation. 9 Click OK to save the updates to the adapter’s configuration.
Chapter 3: Getting Started

The Access Point should be installed in an area tested for radio coverage using one of the site survey tools available to the field service technician. Once an installation site has been identified, the installer should carefully follow the hardware precautions, requirements, mounting guidelines and power options outlined in “Hardware Installation” on page 45.
Configuration Options

Once installed and powered, the Access Point can be configured using one of several connection techniques. Managing the access point includes viewing network statistics and setting configuration options. The access point requires one of the following connection methods to manage the network:
● Secure Java-Based WEB UI - (use Sun Microsystems’ JRE 1.5 or higher available from Sun’s Web site. Disable Microsoft’s Java Virtual Machine if installed).
Connecting to the Access Point using the LAN Port To initially connect to the Access Point using the Access Point’s LAN port: 1 The LAN (or GE1/POE) port default is set to DHCP. Connect the Access Point’s GE1/POE port to a DHCP server. The Access Point will receive its IP address automatically. 2 To view the IP address, connect one end of a null modem serial cable to the Access Point and the other end to the serial port of a computer running HyperTerminal or similar emulation program.
2 If the default login is successful, the Change Admin Password window displays. Change the password.

Enter the current password and a new admin password in fields provided. Click Apply. Once the admin password has been updated, a warning message displays stating the Access Point must be set to a country. The export function will always export the encrypted Admin User password. The import function will import the Admin Password only if the Access Point is set to factory default.
Configuring Device Settings Configure a set of minimum required device settings within the Quick Setup screen. The values (LAN, WAN etc.) can often be defined in other locations within the menu tree. When you change the settings in the Quick Setup screen, the values also change within the screen where these parameters also exist. Additionally, if the values are updated in these other screens, the values initially set within the Quick Setup screen will be updated.
3 Refer to the AP4700 System Settings field to define the following parameters:

System Name: Assign a System Name to define a title for this Access Point. The System Name is useful if multiple devices are being administered.

Country: Select the Country for the access point’s country of operation. The Access Point prompts for the correct country code on the first login. A warning message also displays stating an incorrect country setting may result in illegal radio operation.
Radio Button | Altitude 4710 | Altitude 4750
2.4 GHz WLAN & 5.0 GHz WLAN only no Sensor | Radio 1 WLAN, Radio 2 WLAN | Radio 1 WLAN, Radio 2 WLAN, Radio 3 Disabled
Sensor only Spectrum Analysis mode (no WLAN) | Radio 1 WIPS, Radio 2 WIPS | Radio 1 WIPS, Radio 2 WIPS, Radio 3 Disabled
2.4 GHz WLAN no Sensor | Radio 1 WLAN, Radio 2 Disabled | Radio 1 WLAN, Radio 2 Disabled, Radio 3 Disabled
5.
Set a minimum set of parameters for using the WAN interface.

a Select the Enable WAN Interface checkbox to enable a connection between the access point and a larger network or outside world through the WAN port. Disable this option to effectively isolate the access point’s WAN connection. No connections to a larger network or the Internet will be possible. MUs cannot communicate beyond the configured subnets.
g Optionally, use the Enable PPP over Ethernet checkbox to enable Point-to-Point Protocol over Ethernet (PPPoE) for a high-speed connection that supports this protocol. Most DSL providers are currently using or deploying this protocol. PPPoE is a data-link protocol for dialup connections. PPPoE will allow the Access Point to use a broadband modem (DSL, cable modem, etc.) for access to high-speed data networks.
client. To avoid this, ensure all statically mapped IP addresses are outside of the IP address range assigned to the DHCP server. For additional access point LAN port configuration options, see “Configuring the LAN Interface” on page 123.

7 Select the WLAN #1 tab (WLANs 1 - 4 are available within the Quick Setup screen) to define its ESSID and security scheme for basic operation.

NOTE A maximum of 16 WLANs are configurable within the Wireless Configuration screen.
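The DHCP guidance above (keep statically mapped IP addresses outside the range assigned to the DHCP server) can be checked offline before the settings are applied. The following is an added example, not part of the Extreme Networks guide; the function name, subnet, DHCP range and MAC/IP pairs are all constructed for illustration.

```python
import ipaddress


def audit_static_mappings(subnet, pool_start, pool_end, static_map):
    """Return (mac, ip, problem) tuples for static mappings that are unsafe.

    subnet      -- LAN subnet in CIDR form
    pool_start  -- first address the DHCP server may lease
    pool_end    -- last address the DHCP server may lease
    static_map  -- dict of MAC address -> statically mapped IP address
    """
    net = ipaddress.ip_network(subnet, strict=False)
    lo = ipaddress.ip_address(pool_start)
    hi = ipaddress.ip_address(pool_end)
    if lo > hi:
        raise ValueError("DHCP range start is above its end")
    if lo not in net or hi not in net:
        raise ValueError("DHCP range is not inside the LAN subnet")

    findings = []
    owner = {}  # IP address -> first MAC that claimed it
    for mac, ip_text in static_map.items():
        ip = ipaddress.ip_address(ip_text)
        if ip not in net:
            findings.append((mac, ip_text, "outside LAN subnet"))
        elif ip in (net.network_address, net.broadcast_address):
            findings.append((mac, ip_text, "network or broadcast address"))
        elif lo <= ip <= hi:
            # The case the guide warns about: the DHCP server can lease
            # this same address to a different client.
            findings.append((mac, ip_text, "inside DHCP range"))
        if ip in owner:
            findings.append((mac, ip_text, "duplicate of " + owner[ip]))
        else:
            owner[ip] = mac
    return findings


# Constructed sample data (not taken from any real deployment).
SAMPLE_SUBNET = "192.168.0.0/24"
SAMPLE_POOL = ("192.168.0.100", "192.168.0.200")
SAMPLE_STATIC = {
    "00:11:22:33:44:01": "192.168.0.10",   # fine
    "00:11:22:33:44:02": "192.168.0.150",  # collides with the DHCP range
    "00:11:22:33:44:03": "192.168.1.20",   # wrong subnet
    "00:11:22:33:44:04": "192.168.0.10",   # same IP as ...:01
    "00:11:22:33:44:05": "192.168.0.255",  # broadcast address
}

if __name__ == "__main__":
    for mac, ip, problem in audit_static_mappings(
        SAMPLE_SUBNET, SAMPLE_POOL[0], SAMPLE_POOL[1], SAMPLE_STATIC
    ):
        print(f"{mac}  {ip:<15}  {problem}")
```
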
Configuring Basic WLAN Security Settings To configure a basic security policy for a WLAN: 1 From the Quick Setup screen, click the Create button to the right of the Security Policy item. The New Security Policy screen displays with the Manually Pre-shared key/No authentication and No Encryption options selected. Naming and saving such a policy (as is) would provide no security and might only make sense in a guest network wherein no sensitive data is either transmitted or received.
Pass Key: Specify a 4 to 32 character pass key and click the Generate button. The Access Point, other proprietary routers and MUs use the same algorithm to convert a string to the same hexadecimal number. Motorola clients and devices need to enter WEP keys manually as hexadecimal numbers. The Access Point and its target client(s) must use the same pass key to interoperate.

Keys #1-4: Use the Key #1-4 fields to specify key numbers.
Where to Go from Here? Once basic connectivity has been verified, the access point can be fully configured to meet the needs of the network and the users it supports. Refer to the following: ● For detailed information on access point device access, SNMP settings, network time, importing/ exporting device configurations and device firmware updates, see “System Configuration” on page 77.
Chapter 4: System Configuration
The Access Point contains a built-in browser interface for system configuration and remote management using a standard Web browser such as Microsoft Internet Explorer, Netscape Navigator or Mozilla Firefox (version 0.8 or higher is recommended). The browser interface also allows for system monitoring of the Access Point. Web management of the access point requires either Microsoft Internet Explorer 5.0 or later or Netscape Navigator 6.0 or later.
System Configuration Configuring System Settings Use the System Settings screen to specify the name and location of the access point, assign an email address for the network administrator, restore the AP’s default configuration, restart the AP or disable the Access Point’s LEDs. To configure System Settings for the access point: CAUTION The Access Point’s country of operation is set from within the System Settings screen.
System Name Specify a device name for the access point. Extreme Networks recommends selecting a name serving as a reminder of the user base the access point supports (engineering, retail, etc.). This name will appear in the WIPS server when one of the radios is configured as a sensor and the WIPS functionality connects to the WIPS server. The WIPS module only accepts names with up to 20 characters; keep that in mind if intending to use this AP as a sensor. System Location Enter the location of the access point.
System Configuration Enable DNS Relay Select the radio button to enable DNS relay. DNS relay is used to prevent access to the port used by DNS. If disabled, clients connected to the Access Point are not able to browse sites since DNS is disabled. This feature is enabled by default. Enable SSLv2 Mode Select the radio button to enable SSL (Secure Socket Layer) version 2 support. SSL provides session encryption and message authentication. This feature is enabled by default.
5 Click Apply to save any changes to the System Settings screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost. NOTE The Apply button is not needed for restoring the access point default configuration or restarting the access point. 6 Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the System Settings screen to the last saved configuration.
System Configuration NOTE An Altitude 4750 Access Point has different available power from an Altitude 4710 Access Point. An Altitude 4750 model uses 22 watts when its power status is 3af, 23 - 26 watts when its power status is 3at and 27 watts when its power status is Full Power. CAUTION The power modes described in the section are only obtainable using the 48-Volt Power Supply designed specifically for an Altitude 4700 Series Access Point.
Rates (Mbps) MCS Indices    EVM    Bandwidth    Maximum Transmit Power 2.4 GHz    Maximum Transmit Power 5 GHz
MCS6/MCS14                  -25    HT20/40      21                                17
MCS7/MCS15                  -28    HT20/40      20                                17

Radios at Low Power The table below describes the maximum transmit power available to each radio (at varying data rates) when the Access Point is receiving low DC power in either af or at mode. CAUTION Exceeding the limits listed below can cause damage to the Access Point or cause the radio to operate unpredictably.
System Configuration To define the Access Point’s power setting: 1 Select System Configuration > Power Settings from the menu tree. 2 Refer to the following to assess the Access Point’s current power state. Once known, determine how available power resources are applied to the Access Point’s radios. NOTE Within the Power Configuration field, an installation professional selects a power mode based on the different power resources available to that Access Point.
Power Mode When the Access Point is powered on for the first time, the system determines the power budget available to the Access Point. Using the Auto setting (default setting), the Access Point automatically determines the best power configuration based on the available power budget. If 3af is selected, the AP assumes 12.95 watts are available. If the mode is changed, the Access Point requires a reset to implement the change. 3af Power If 3af is selected, the AP is configured assuming 12.
System Configuration To configure the Access Point’s controller discovery method and connection medium: 1 Select System Configuration > Adaptive AP Setup from the menu tree. 2 Define the following to prioritize a controller connection scheme and AP interface used to adopt to the controller. Control Port Define the port used by the controller FQDN to transmit and receive with the AAP. The default control port is 24576.
Enable APController Tunnel This setting is required to enable an IPSec VPN from the AAP to the Wireless Controller. Keep-alive Period The Keepalive interval defines a period (in seconds) the AAP uses to terminate its connection to the controller if no data is received. Current Controller Displays the IP address of the connected controller. This is the controller from which the Access Point receives its adaptive configuration.
System Configuration To configure access for the access point: 1 Select System Configuration > AP4700 Access from the menu tree. 2 Use the AP4700 Access field checkboxes to enable/disable the following on the Access Point’s LAN1, LAN2 or WAN interfaces: Applet HTTP (port 80) Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the access point configuration applet using a Web browser.
4 Configure the Secure Shell field to set timeout values to reduce network inactivity. Authentication Timeout Defines the maximum time (between 30 - 120 seconds) allowed for SSH authentication to occur before executing a timeout. The minimum permissible value is 30 seconds. SSH Keepalive Interval The SSH Keepalive Interval defines a period (in seconds) after which if no data has been received from a client, SSH sends a message through the encrypted channel to request a response from the client.
System Configuration Message Settings Click the Message Settings button to display a screen used to create a text message. Once displayed, select the Enable Login Message checkbox to allow your customized message to be displayed when the user is logging into the Access Point. If the checkbox is not selected (as is the case by default), the user will encounter the login screen with no additional message.
Managing Certificate Authority (CA) Certificates Certificate management includes the following sections: ● Importing a CA Certificate on page 91 ● Creating Self Certificates for Accessing the VPN on page 92 Importing a CA Certificate A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates that it issues with its own private key.
System Configuration To import a CA certificate: 1 Select System Configuration > Certificate Mgmt > CA Certificates from the menu tree. 2 Copy the content of the CA Certificate message (using a text editor such as notepad) and click on Paste from Clipboard. The content of the certificate displays in the Import a root CA Certificate field. 3 Click the Import root CA Certificate button to import it into the CA Certificate list.
CAUTION Self certificates can only be generated using the Access Point GUI and CLI interfaces. No functionality exists for creating a self-certificate using the Access Point’s SNMP configuration option. To create a self certificate: 1 Select System Configuration > Certificate Mgmt > Self Certificates from the access point menu tree. 2 Click on the Add button to create the certificate request. The Certificate Request screen displays. 3 Complete the request form with the pertinent information.
System Configuration The Certificate Request screen disappears and the ID of the generated certificate request displays in the drop-down list of certificates within the Self Certificates screen. 5 Click the Generate Request button. The generated certificate request displays in Self Certificates screen text box. 6 Click the Copy to Clipboard button. The content of certificate request is copied to the clipboard.
Creating a Certificate for Onboard Radius Authentication The access point can use its on-board RADIUS Server to generate certificates to authenticate MUs for use with the Access Point. In addition, a Windows 2000 or 2003 Server is used to sign the certificate before downloading it back to the Access Point’s on-board RADIUS server and loading the certificate for use with the Access Point. Both a CA and Self certificate are required for Onboard RADIUS Authentication.
System Configuration Domain Name Ensure the Domain name is the name of the CA Server. This value must be set correctly to ensure the certificate is properly generated. IP Address Enter the IP address of this Access Point (as you are using the Access Point’s onboard RADIUS server). Signature Algorithm Use the drop-down menu to select the signature algorithm used for the certificate. Options include: Key Length • MD5-RSA—Message Digest 5 algorithm in combination with RSA encryption.
15 Load the certificates on the Access Point. CAUTION Ensure the CA Certificate is loaded before the Self Certificate, or risk an invalid certificate load. 16 Open the certificate file and copy its contents into the CA Certificates screen by clicking the Paste from Clipboard button. The certificate is now ready to be loaded into the Access Point’s flash memory. 17 Click the Import root CA Certificate button from within the CA Certificates screen.
Feature                      MIB
Wireless Configuration       EXTR-AP4700-MIB-02a02
PPP Over Ethernet            EXTR-CC-AP4700-MIB-2.0
Security Configuration       EXTR-AP4700-MIB-02a02
NAT Address Mapping          EXTR-CC-AP4700-MIB-2.0
MU ACL Configuration         EXTR-AP4700-MIB-02a02
VPN Tunnel Configuration     EXTR-CC-AP4700-MIB-2.0
QOS Configuration            EXTR-AP4700-MIB-02a02
VPN Tunnel status            EXTR-CC-AP4700-MIB-2.0
Radio Configuration          EXTR-AP4700-MIB-02a02
Content Filtering            EXTR-CC-AP4700-MIB-2.
relatively weak. The improvements in SNMP version 2c (v2c) do not include the attempted security enhancements of other version-2 protocols. Instead, SNMP v2c defaults to SNMP-standard community strings for read-only and read/write access. SNMP version 3 (v3) further enhances protocol features, providing much improved security. SNMP v3 encrypts transmissions and provides authentication for users generating requests.
OID Use the OID (Object Identifier) pull-down list to specify a setting of All or enter a Custom OID. Select All to assign the user access to all OIDs in the MIB. The OID field uses numbers expressed in dot notation. Access Use the Access pull-down list to specify read-only (R) access or read/write (RW) access for the community.
4 Specify the users who can read and optionally modify the SNMP-capable client. SNMP Access Control Click the SNMP Access Control button to display the SNMP Access Control screen for specifying which users can read SNMP-generated information and potentially modify related settings from an SNMP-capable client. The SNMP Access Control screen's Access Control List (ACL) uses Internet Protocol (IP) addresses to restrict access to the AP’s SNMP interface.
System Configuration To configure SNMP user access control for the access point: 1 Select System Configuration > SNMP Access from the access point menu tree. Click on the SNMP Access Control button from within the SNMP Access screen. 2 Configure the SNMP Access Control screen to add the IP addresses of those users receiving SNMP access.
Enabling SNMP Traps SNMP provides the ability to send traps to notify the administrator that trap conditions are met. Traps are network packets containing data relating to network devices, or SNMP agents, that send the traps. SNMP management applications can receive and interpret these packets, and optionally can perform responsive actions. SNMP trap generation is programmable on a trap-by-trap basis.
System Configuration Add Click Add to create a new SNMP v1/v2c Trap Configuration entry. Port Specify a destination User Datagram Protocol (UDP) port for receiving traps. The default is 162. Community Enter a community name specific to the SNMP-capable client that receives the traps. SNMP Version Use the SNMP Version drop-down menu to specify v1 or v2.
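The following added example (not part of the original guide or of Extreme Networks software) shows what a trap receiver can check about each SNMP message it gets: the protocol version, whether a v1/v2c community string arrived unencrypted, and whether the sender is on an IP-based access control list. The function names, the sample addresses and the constructed sample packet are assumptions made for illustration.

```python
import ipaddress

# PDU tags defined for SNMP v1/v2c messages.
PDU_NAMES = {0xA0: "get-request", 0xA1: "get-next-request", 0xA2: "response",
             0xA3: "set-request", 0xA4: "trap-v1", 0xA5: "get-bulk-request",
             0xA6: "inform-request", 0xA7: "trap-v2"}
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}
WELL_KNOWN_COMMUNITIES = {"public", "private"}


def read_ber(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form length: next n bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER value runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def ber(tag, value):
    """Encode one BER element (used only to build the constructed sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value


def build_v2c_trap(community):
    """Constructed, minimal SNMPv2c trap: request-id 1 and no variable bindings."""
    pdu = ber(0xA7, ber(0x02, b"\x01") + ber(0x02, b"\x00")
              + ber(0x02, b"\x00") + ber(0x30, b""))
    return ber(0x30, ber(0x02, b"\x01") + ber(0x04, community.encode()) + pdu)


def inspect_snmp(datagram, source_ip, allowed_sources):
    """Classify one received SNMP datagram and list what a reviewer should note."""
    tag, body, _ = read_ber(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, raw, pos = read_ber(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER expected")
    version = int.from_bytes(raw, "big")
    if version not in VERSION_NAMES:
        raise ValueError("unknown SNMP version %d" % version)

    findings = []
    src = ipaddress.ip_address(source_ip)
    if not any(src in ipaddress.ip_network(net) for net in allowed_sources):
        findings.append("source address is not on the access control list")

    result = {"version": VERSION_NAMES[version], "community": None,
              "pdu": None, "findings": findings}
    if version == 3:                       # v3 carries no community string
        return result

    tag, raw, pos = read_ber(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING expected")
    community = raw.decode("ascii", "replace")
    pdu_tag, _, _ = read_ber(body, pos)
    findings.append("community string sent unencrypted (v1/v2c)")
    if community.lower() in WELL_KNOWN_COMMUNITIES:
        findings.append("well-known community string in use")
    result.update(community=community,
                  pdu=PDU_NAMES.get(pdu_tag, "unknown (0x%02x)" % pdu_tag))
    return result


if __name__ == "__main__":
    # Constructed sample: a v2c trap from a documentation-range address.
    print(inspect_snmp(build_v2c_trap("public"), "192.0.2.10", ["192.0.2.0/24"]))
```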
Configuring Specific SNMP Traps Use the SNMP Traps screen to enable specific traps on the access point. Extreme Networks recommends defining traps to capture unauthorized devices operating within the access point coverage area. Trap configuration depends on the network machine that receives the generated traps. SNMP v1/v2c and v3 trap configurations function independently. In a mixed SNMP environment, traps can be sent using configurations for both SNMP v1/v2c and v3.
3 Configure the SNMP Traps field to generate traps when SNMP capable MUs are denied authentication privileges or are the subject of an ACL violation. When a trap is enabled, a trap is sent every 5 seconds until the condition no longer exists. SNMP authentication failures Generates a trap when an SNMP-capable client is denied access to the access point’s SNMP management functions or data. This can result from an incorrect login, or missing/incorrect user credentials.
System Cold Start Generates a trap when the access point re-initializes while transmitting, possibly altering the SNMP agent's configuration or protocol entity implementation. VLAN Generates a trap when a change to a VLAN state is detected. LAN Monitor Generates a trap when a change to the LAN monitoring state is detected. 6 Click Apply to save any changes to the SNMP Traps screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.
2 Configure the RF Trap Thresholds field to define device threshold values for SNMP traps. NOTE Average Bit Speed, % of Non-Unicast, Average Signal, Average Retries, % Dropped and % Undecryptable are not Access Point statistics. Pkts/s Enter a maximum threshold for the total throughput in Pps (Packets per second). Throughput Set a maximum threshold for the total throughput in Mbps (Megabits per second).
The information is in a Type Length Value (TLV) format for each data item. TLV information is transmitted in an LLDP protocol data unit (LLDPDU), enclosed in an Ethernet frame and sent to a destination MAC address. Certain TLVs are mandatory, and always sent once LLDP is enabled, while other TLVs are optionally configured. LLDP defines a set of common advertisement messages, a protocol for transmitting the advertisements and a method for storing information in received advertisements.
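As an added illustration of the TLV layout described above (example code, not taken from the guide or from the access point firmware), this parser walks an LLDPDU, checks that the three mandatory TLVs lead the frame, and reports what the device is advertising. It assumes an untagged Ethernet frame; the function names and the sample frame are constructed for the example.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
TLV_NAMES = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID",
             3: "Time To Live", 4: "Port Description", 5: "System Name",
             6: "System Description", 7: "System Capabilities",
             8: "Management Address", 127: "Organizationally Specific"}
MANDATORY_ORDER = [1, 2, 3]     # Chassis ID, Port ID, Time To Live


def encode_tlv(tlv_type, value):
    """Pack a TLV: 7-bit type and 9-bit length share a 2-byte header."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type must fit 7 bits and length 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(payload):
    """Return [(type, value), ...], stopping at the End of LLDPDU TLV."""
    tlvs, offset = [], 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated TLV header")
        (header,) = struct.unpack_from("!H", payload, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(payload):
            raise ValueError("TLV length runs past the end of the LLDPDU")
        tlvs.append((tlv_type, payload[offset:offset + length]))
        offset += length
        if tlv_type == 0:
            break
    return tlvs


def check_lldpdu(tlvs):
    """List structural problems with the mandatory TLVs."""
    types = [t for t, _ in tlvs]
    problems = []
    if types[:3] != MANDATORY_ORDER:
        problems.append("Chassis ID, Port ID and Time To Live must be "
                        "the first three TLVs, in that order")
    for t, value in tlvs:
        if t == 3 and len(value) != 2:
            problems.append("Time To Live value must be 2 bytes")
    return problems


def summarize_frame(frame):
    """Decode an untagged Ethernet frame carrying LLDP."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    tlvs = parse_lldpdu(frame[14:])
    by_type = dict(tlvs)
    ttl = by_type.get(3)
    name = by_type.get(5)
    return {
        "destination": ":".join("%02x" % b for b in frame[0:6]),
        "tlv_order": [TLV_NAMES.get(t, "type %d" % t) for t, _ in tlvs],
        "ttl_seconds": struct.unpack("!H", ttl)[0] if ttl and len(ttl) == 2 else None,
        "system_name": name.decode("utf-8", "replace") if name else None,
        "problems": check_lldpdu(tlvs),
    }


def sample_frame():
    """Constructed sample: an LLDP frame with two optional TLVs."""
    mac = bytes.fromhex("001122334455")
    payload = (encode_tlv(1, b"\x04" + mac)          # subtype 4: MAC address
               + encode_tlv(2, b"\x05" + b"lan1")    # subtype 5: interface name
               + encode_tlv(3, struct.pack("!H", 120))
               + encode_tlv(5, b"ap-lab-01")
               + encode_tlv(6, b"constructed sample description")
               + encode_tlv(0, b""))
    dst = bytes.fromhex("0180c200000e")              # LLDP multicast address
    return dst + mac + struct.pack("!H", LLDP_ETHERTYPE) + payload


if __name__ == "__main__":
    for key, value in summarize_frame(sample_frame()).items():
        print(key, "=", value)
```

The optional TLVs are the ones worth reviewing before enabling LLDP on a port, since System Name, System Description and Management Address are sent in the clear to whatever is attached to that port.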
7 Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed. Configuring Network Time Protocol (NTP) Network Time Protocol (NTP) manages time and/or network clock synchronization in the access point-managed network environment. NTP is a client/server implementation. The access point (an NTP client) periodically synchronizes its clock with a master clock (an NTP server).
To manage clock synchronization on the access point: 1 Select System Configuration > Date/Time from the access point menu tree. 2 From within the Current Time field, click the Refresh button to update the time since the screen was displayed by the user. The Current Time field displays the current time based on the access point system clock.
System Configuration 5 If using an NTP server to supply system time to the Access Point, configure the NTP Server Configuration field to define the server network address information required to acquire the access point network time. Enable NTP on AP4700 Select the Enable NTP on access point checkbox to allow a connection between the access point and one or more specified NTP servers. A preferred, first alternate and second alternate NTP server cannot be defined unless this checkbox is selected.
To configure event logging for the access point: 1 Select System Configuration > Logging Configuration from the access point menu tree. 2 Configure the Log Options field to save event logs, set the log level and optionally port the access point’s log to an external server. View Log Click View to save a log of events retained on the access point. The system displays a prompt requesting the administrator password before saving the log.
System Configuration Logging Level Use the Logging Level drop-down menu to select the desired log level for tracking system events. Eight logging levels, (0 to 7) are available. Log Level 6: Info is the access point default log level. These are the standard UNIX/LINUX syslog levels.
NOTE For configuration file creation and export operations, only the set radio-config (1-8, depending on the SKU) shall be supported. The export function will always export the encrypted Admin User password. The import function will import the Admin Password only if the Access Point is set to factory default. If the Access Point is not configured to factory default settings, the Admin User password WILL NOT get imported.
SFTP/FTP/TFTP Server IP Enter the numerical (non DNS name) IP address of the destination SFTP, FTP or TFTP server where the configuration file is imported or exported. Filepath (optional) Defines the optional path name used to import/export the target configuration file. FTP Select the FTP radio button if using an FTP server to import or export the configuration. TFTP Select the TFTP radio button if using a TFTP server to import or export the configuration.
4 Refer to the Status field to assess the completion of the import/export operation. Status After executing an operation (by clicking any of the buttons in the window), check the Status field for a progress indicator and messages about the success or errors in executing the Import/Export operation.
System Configuration 5 Click Apply to save the filename and Server IP information. The Apply button does not execute the import or export operation, only saves the settings entered. 6 Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on Config Import/Export screen to the last saved configuration. 7 Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.
If restoring the Access Point’s factory default firmware, you must export the certificate file BEFORE restoring the Access Point’s factory default configuration. Import the file back after the updated firmware is installed. If a firmware update is required, use the Firmware Update screen to specify a filename and define a file location for updating the firmware. NOTE The firmware file must be available from a SFTP, FTP or TFTP site to perform the update.
System Configuration DHCP options are used for out-of-the-box rapid deployment for Extreme Networks wireless products. The following are the two options available on the Access Point: ● Enable Automatic Firmware Update ● Enable Automatic Configuration Update Both DHCP options are enabled by default. These options can be used to update newer firmware and configuration files on the Access Point.
8 Set the following parameters: ● Username—Specify a username for the FTP or SFTP server login. ● Password—Specify a password for FTP or SFTP server login. Default is admin123. A blank password is not supported. NOTE Click Apply to save the settings before performing the firmware update. The user is not able to navigate the access point user interface while the firmware update is in process. 9 Click the Perform Update button to initiate the update.
Chapter 5: Network Management
Refer to the following for network management configuration activities supported by the Access Point user interface:
● Configuring the LAN Interface on page 123
● Configuring WAN Settings on page 135
● Enabling Wireless LANs (WLANs) on page 146
● Configuring Router Settings on page 186
● Configuring IP Filtering on page 188
Configuring the LAN Interface The access point has one physical LAN port supporting two unique LAN interfaces.
Network Management To configure the access point LAN interface: 1 Select Network Configuration > LAN from the access point menu tree. 2 Configure the LAN Settings field to enable the access point LAN1 and/or LAN2 interface, assign a timeout value, enable 802.1q trunking, configure WLAN mapping and enable 802.1x port authentication. Enable Select the LAN1 and/or LAN2 checkbox to allow the forwarding of data traffic over the specified LAN connection.
WLAN Mapping Click the WLAN Mapping button to launch the VLAN Configuration screen to map existing WLANs to one of the two LANs and define the WLAN’s VLAN membership (up to 16 mappings are possible per Access Point). 3 Refer to the LAN Ethernet Timeout field to define how LAN Ethernet inactivity is processed by the Access Point. Use the Ethernet Port Timeout drop-down menu to define how the Access Point interprets inactivity for the LAN assigned to the Ethernet port.
6 Click Apply to save any changes to the LAN Configuration screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost if the prompts are ignored. 7 Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the LAN configuration screen to the last saved configuration. 8 Click Logout to securely exit the Access Point applet.
Trunk links are required to pass VLAN information between destinations. A trunk port is by default a member of all the VLANs existing on the access point and carries traffic for all those VLANs. Trunking is a function that must be enabled on both sides of a link. 3 Select the VLAN Name button. The VLAN name screen displays. The first time the screen is launched a default VLAN name of 1 and a default VLAN ID of 1 display. The VLAN name is auto-generated once the user assigns a VLAN ID.
The VLAN ID associates a frame with a specific VLAN and provides the information the access point needs to process the frame across the network. Therefore, it may be practical to assign a name to a VLAN representative of the area or type of network traffic it represents. A business may have offices in different locations and want to extend an internal LAN between the locations.
When Tagged is selected from the drop-down menu, the Access Point forwards all tagged frames in the native VLAN and admits only tagged frames on trunks. When Tagged is selected the Access Point drops any untagged traffic, including untagged traffic in the native VLAN. Untagged is selected by default. 11 Use the LAN drop-down menu to map one of the two LANs to the WLAN listed to the left. With this assignment, the WLAN uses this assigned LAN interface.
Network Management To configure unique settings for either LAN1 or LAN2: 1 Select Network Configuration > LAN > LAN1 (or LAN2) from the access point menu tree. 2 Configure the DHCP Configuration field to define the DHCP settings used for the LAN. NOTE When setting the LAN interface to be a DHCP Server and adding an IP address, the primary DNS IP address might not be updated, with only the secondary address getting updated. Ensure the primary address is the same as the IP address of the LAN.
This interface is a DHCP Client Select this button to enable DHCP to set network address information via this LAN1 or LAN2 connection. This is recommended if the access point resides within a large corporate network or the Internet Service Provider (ISP) uses DHCP. This setting is enabled for LAN1 by default. DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host.
Network Management WINS Server Enter the numerical (non DNS name) IP address of the WINS server. WINS is a Microsoft NetBIOS name server. Using a WINS server eliminates the broadcasts needed to resolve computer names to IP addresses by providing a cache or database of translations. Mesh STP Configuration Click the Mesh STP Configuration button to define bridge settings for this specific LAN. Each of the Access Point’s two LANs can have a separate mesh configuration.
To generate a list of client MAC address to IP address mappings for the access point: 1 Select Network Configuration > LAN > LAN1 (or LAN2) from the access point menu tree. 2 Click the Advanced DHCP Server button from within the LAN1 or LAN2 screen. 3 Specify a lease period in seconds for available IP addresses using the DHCP Lease Time (Seconds) parameter. An IP address is reserved for re-connection for the length of time you specify. The default interval is 86400 seconds.
Network Management To configure type filtering on the access point: 1 Select Network Configuration > LAN > LAN1 (or LAN2) > Type Filter from the access point menu tree. The Ethernet Type Filter Configuration screen displays for the LAN. No Ethernet types are displayed (by default) when the screen is first launched. 2 Use the all ethernet types, except drop-down menu to designate whether the Ethernet Types defined for the LAN are allowed or denied for use by the access point.
5 Click Apply to save any changes to the LAN1 or LAN2 Ethernet Type Filter Configuration screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost. 6 Click Cancel to securely exit the LAN1 or LAN2 Ethernet Type Filter Configuration screen without saving your changes. 7 Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.
Network Management To configure WAN settings for the access point: 1 Select Network Configuration > WAN from the access point menu tree. 2 Refer to the WAN IP Configuration field to enable the WAN interface, and set network address information for the WAN connection. NOTE Extreme Networks recommends that the WAN and LAN ports should not both be configured as DHCP clients.
Enable WAN Interface Select the Enable WAN Interface checkbox to enable a connection between the access point and a larger network or outside world through the WAN port. Disable this option to effectively isolate the access point’s WAN. No connections to a larger network or the Internet are possible. MUs cannot communicate beyond the LAN. By default, the WAN port is static with an IP address of 10.1.1.1. This interface is a DHCP Client This checkbox enables DHCP for the access point WAN connection.
Network Management More IP Addresses Click the More IP Addresses button to specify additional static IP addresses for the access point. Additional IP addresses are required when users within the WAN need dedicated IP addresses, or when servers need to be accessed (addressed) by the outside world. The More IP Addresses screen allows the administrator to enter up to seven additional WAN IP addresses for the access point WAN. Only numeric, non-DNS names can be used.
NOTE Be aware that the Access Point can (incorrectly) carry over previously configured static IP information and maintain two connected routes once it gets an IP address from a PPPoE connection. Enable Use the checkbox to enable Point-to-Point Protocol over Ethernet (PPPoE) for a high-speed connection that supports this protocol. Most DSL providers are currently using or deploying this protocol. PPPoE is a data-link protocol for dialup connections.
Network Management 5 Refer to the WWAN Settings field (located at the bottom of the WAN screen) to enable WWAN failover operation and define user names and passwords for WWAN card users. The following express cards can be used with an Altitude 4710 to support the WAN failover feature: NOTE Failover from LAN to 3G is also supported.
WWAN CRM Remote Gateway 3 Optionally define a numerical IP address for a third WWAN remote gateway. If the Access Point detects the loss of the wired WAN connection, it establishes the WWAN connection and uses a remote gateway to route traffic. Traffic that used to go to the wired WAN is redirected to the WWAN over this third choice remote gateway, if the first two gateway addresses prove unavailable.
Network Management To configure IP address mappings for the access point: 1 Select Network Configuration > WAN > NAT from the access point menu tree. 2 Configure the Address Mappings field to generate a WAN IP address, define the NAT type and set outbound/inbound NAT mappings. WAN IP Address The WAN IP addresses on the NAT screen are dynamically generated from address settings applied on the WAN screen. NAT Type Specify the NAT Type as 1 to 1 to map a WAN IP address to a single host (local) IP address.
Outbound Mappings When 1 to 1 NAT is selected, a single IP address can be entered in the Outbound Mappings area. This address provides a 1 to 1 mapping of the WAN IP address to the specified IP address. When 1 to Many is selected as the NAT Type, the Outbound Mappings area displays a 1 to Many Mappings button. Click the button to select the LAN1 or LAN2 IP address used to set the outbound IP address or select none to exclude the IP address.
Network Management 4 Configure the Port Forwarding screen to modify the following: Add Click Add to create a local map that includes the name, transport protocol, start port, end port, IP address and Translation Port for incoming packets. Delete Click Delete to remove a selected local map entry. Name Enter a name for the service being forwarded. The name can be any alphanumeric string and is used for identification of the service.
Configuring Dynamic DNS The Access Point supports the Dynamic DNS service. Dynamic DNS (or DynDNS) is a feature offered by www.dyndns.com which allows the mapping of domain names to dynamically assigned IP addresses via the WAN port. When the dynamically assigned IP address of a client changes, the new IP address is sent to the DynDNS service and traffic for the specified domain(s) is routed to the new IP address. NOTE DynDNS supports only the primary WAN IP address.
Network Management 3 Enter the DynDNS Username for the account you wish to use for the Access Point. 4 Enter the DynDNS Password for the account you wish to use for the Access Point. 5 Provide the Hostname for the DynDNS account you wish to use for the Access Point. 6 Click the Update DynDNS button to update the Access Point’s current WAN IP address with the DynDNS service. NOTE DynDNS supports devices directly connected to the Internet.
To configure WLANs on the access point: 1 Select Network Configuration > Wireless from the access point menu tree. If a WLAN is defined, that WLAN displays within the Wireless Configuration screen. When the access point is first booted, WLAN1 exists as a default WLAN available immediately for connection. 2 Refer to the information within the Wireless Configuration screen to view the name, ESSID, access point radio designation, VLAN ID and security policy of existing WLANs.
Network Management Security Policy The Security Policy field displays the security profile configured for the target WLAN. For information on configuring security for a WLAN, QoS Policy The QoS Policy field displays the quality of service currently defined for the WLAN. This policy outlines which data types receive priority for the user base comprising the WLAN. For information on QoS configuration for the WLAN, see “Setting the WLAN Quality of Service (QoS) Policy” on page 156.
NOTE Before editing the properties of an existing WLAN, ensure it is not being used by an access point radio, or is a WLAN that is needed in its current configuration. Once updated, the previous configuration is not available unless saved. Use the New WLAN and Edit WLAN screens as required to create/modify a WLAN. To create a new WLAN or edit the properties of an existing WLAN: 1 Select Network Configuration > Wireless from the access point menu tree. The Wireless Configuration screen displays.
ESSID Enter the Extended Services Set Identification (ESSID) associated with the WLAN. The WLAN name is autogenerated using the ESSID until changed by the user. The maximum number of characters that can be used for the ESSID is 32. Do not use any of the following characters for an ESSID: < > | " & \ ? , Name Define or revise the name for the WLAN. The name should be a logical representation of the WLAN coverage area (engineering, marketing etc.).
NOTE If 802.11a/n is selected as the radio used for the WLAN, the WLAN cannot use a Kerberos supported security policy. 4 Configure the Security field as required to set the data protection requirements for the WLAN. NOTE A WLAN configured to support Mesh should not have a Kerberos or 802.1x EAP security policy defined for it, as these two authentication schemes are not supported within a Mesh network.
Enable Rate Limiting Select this checkbox to set MU rate limiting values for this WLAN in both the upstream and downstream direction. Once selected, two fields display enabling you to set MU radio bandwidth for each associated MU in both the wired-to-wireless and wireless-to-wired directions. Set an allocation between 100 and 300,000 kbps. The default value is 1000 kbps. For more information, see “Configuring MU Rate Limiting” on page 184.
NOTE When the access point is first launched, a single security policy (default) is available and mapped to WLAN 1. It is anticipated numerous additional security policies will be created as the list of WLANs grows. Configuring a WLAN security scheme with a discussion of all the authentication and encryption options available is beyond the scope of this chapter. See “Configuring Access Point Security” on page 197 for more details on configuring access point security.
they may map to. However, be careful not to name policies after specific WLANs, as individual ACL policies can be used by more than one WLAN. For detailed information on assigning ACL policies to specific WLANs, see “Creating/Editing Individual WLANs” on page 148. To create or edit ACL policies for WLANs: 1 Select Network Configuration > Wireless > MU ACL from the access point menu tree.
Either the New MU ACL Policy or Edit MU ACL Policy screen displays. 3 Assign a name to the new or edited ACL policy that represents an inclusion or exclusion policy specific to a particular type of MU traffic you may want to use with a single or group of WLANs. More than one WLAN can use the same ACL policy. 4 Configure the parameters within the Mobile Unit Access Control List field to allow or deny MU access to the access point. The MU adoption list identifies MUs by their MAC address.
Setting the WLAN Quality of Service (QoS) Policy The access point can keep a list of QoS policies that can be used from the New WLAN or Edit WLAN screens to map to individual WLANs. Use the Quality of Service Configuration screen to configure WMM policies that can improve the user experience for audio, video and voice applications by shortening the time between packet transmissions for higher priority (multimedia) traffic.
2 Click the Create button to configure a new QoS policy, or select a policy and click the Edit button to modify an existing QoS policy. The Access Point supports a maximum of 16 QoS policies. 3 Assign a name to the new or edited QoS policy that makes sense to the access point traffic receiving priority. More than one WLAN can use the same QoS policy.
4 Select the Support Voice Prioritization checkbox to allow legacy voice prioritization. Certain products may not receive priority over other voice or data traffic. Consequently, ensure the Support Voice Prioritization checkbox is selected if using products that do not support Wi-Fi Multimedia (WMM) to provide preferred queuing for these VOIP products.
Background Background traffic is typically of a low priority (file transfers, print jobs etc.). Background traffic typically does not have strict latency (arrival) and throughput requirements. Best Effort Best Effort traffic includes traffic from legacy devices or applications lacking QoS capabilities. Best Effort traffic is negatively impacted by data transfers with long delays as well as multimedia traffic.
U-APSD (WMM Power Save) Support The Access Point now supports Unscheduled Automatic Power Save Delivery (U-APSD), often referred to as WMM Power Save. U-APSD provides a periodic frame exchange between a voice capable MU and the Access Point during a VoIP call, while legacy power management is still utilized for typical data frame exchanges. The Access Point and its associated MU activate the new U-APSD power save approach when a VoIP traffic stream is detected.
CAUTION When using the Access Point’s hotspot functionality, ensure MUs are re-authenticated when changes are made to the characteristics of a hotspot enabled WLAN, as MUs within the WLAN will be dropped from Access Point device association. To configure hotspot functionality for an Access Point WLAN: 1 Ensure the Enable Hotspot checkbox is selected from within the target WLAN screen, and ensure the WLAN is properly configured. Any of the sixteen WLANs on the Access Point can be configured as a hotspot.
Use External URL Select the Use External URL checkbox to define a set of external URLs for hotspot users to access the login, welcome and fail pages. To create a redirected page, you need to have a TCP termination locally. On receiving the user credentials from the login page, the Access Point connects to a RADIUS server, determines the identity of the connected wireless user and allows the user to access the Internet based on successful authentication.
NOTE If using an external Web Server over the WAN port, and the hotspot’s HTTP pages (login or welcome) redirect to the Access Point’s WAN IP address for CGI scripts, the IP address of the external Web server and the Access Point’s WAN IP address should be entered in the White List. 7 Refer to the Radius Accounting field to enable RADIUS accounting and specify a timeout and retry value for the RADIUS server.
Defining the Hotspot White List To host a Login, Welcome or Fail page on the external Web server, the IP address of that Web server should be in the Access Point’s White List. NOTE If using an external Web Server over the WAN port, and the hotspot’s HTTP pages (login or welcome) redirect to the Access Point’s WAN IP address for CGI scripts, the IP address of the external Web server and the Access Point’s WAN IP address should be entered in the White List.
Customizing a Hotspot Display Each access point WLAN can have a unique hotspot configured and mapped to that WLAN. This enables each Access Point WLAN to have an optimized hotspot configuration and applet display in respect to the WLAN’s client support needs. The hotspot’s login, welcome and fail (login failure) pages are separate HTML files that can be content customized for each WLAN using a cascading style sheet (css).
The HTML Editor enables you to customize the hotspot html code. It displays the login.html, welcome.html and fail.html files (depending on user selection) in an editable text area. CAUTION No file in a hotspot directory can exceed 10 kb. The maximum number of characters that can be entered into the text area is 10240. 5 Select Apply to save the updates made thus far.
CAUTION Once updated, the CSS file must not exceed 12500 bytes, or it cannot be exported back onto the Access Point for effective deployment with the hotspot. 7 Select the FTP Transfer tab to define the FTP server configuration and target filename used to import or export the CSS and logo banners to and from the hosting Access Point.
Filename(s) Provide the name of the target file either imported or exported from the FTP server. Up to 10 files can be used, and each must not exceed 39 characters. Filepath (optional) Optionally provide the path to the hotspot files specified within the Filenames field. The path cannot exceed 39 characters. FTP Server IP Address Enter the IP address of the FTP server used by the Access Point to import and export hotspot file information to the clients providing hotspot access.
Export Select the Export button to begin an FTP transfer from the hotspot enabled client to the hosting Access Point. Refer to the Status field for the results of the export operation. Selecting Export also saves the configuration before performing the export operation. Status Displays the Pass or Fail designation of the most recent import or export operation.
Altitude 4750 Description Three Radios Two radios supporting either WLAN or WIPS. Radio three dedicated to WIPS. For radios 1 and 2, WIPS and WLAN modes are mutually exclusive. In WLAN mode, a radio functions as a traditional Access Point, providing wireless bridging. In WIPS mode a radio provides no wireless bridging.
To set the access point radio configuration (this example is for a dual-radio Access Point): 1 Select Network Configuration > Wireless > Radio Configuration from the access point menu tree. Review the Radio Function to assess if this radio is currently functioning as a WLAN radio or has been dedicated as a sensor. Refer to the RF Band of Operation parameter to ensure you are enabling the correct 802.11a/n or 802.11b/g/n radio.
NOTE With a multiple-radio AP, a radio can be configured as either a Rogue AP or WIPS detector, not for just WLAN MU support. NOTE The AP does not support MU radio associations if its Maximum MUs value is set to 0. Alternatively, if you set the value to 127 for one radio, you risk shutting out MU associations for the other radio(s), as the AP does not validate the logic of a user’s MU association distribution.
CAUTION An Access Point in client bridge mode cannot use a WLAN configured with a Kerberos or EAP 802.1x based security scheme, as these authentication types secure user credentials, not the mesh network itself. NOTE Ensure you have verified the radio configuration for both Radio 1 and Radio 2 before saving the existing settings and exiting the Radio Configuration screen.
8 Click Apply to save any changes to the Radio Configuration screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost. CAUTION When defining a Mesh configuration and changes are saved, the mesh network temporarily goes down. The Mesh network is unavailable because the Access Point radio is reconfigured when applying changes. This can be problematic for users making changes within a deployed mesh network.
To configure the access point’s 802.11a/n or 802.11b/g/n radio: 1 Select Network Configuration > Wireless > Radio Configuration > Radio1 (default name) from the access point menu tree. 2 Configure the Properties field to assign a name and placement designation for the radio. Placement Use the Placement drop-down menu to specify whether the radio is located outdoors or indoors. Default placement depends on the country of operation selected for the access point.
HT Protection Displays the HT Protection state, and whether a non HT protected MU is currently associated with the Access Point. 3 Configure the Channel, Power and Rate Settings field to assign a channel, antenna diversity setting, radio transmit power level and data rate. CAUTION When deploying a mesh network, Extreme Networks recommends manually configuring channels and not using the Automatic or Uniform options. 802.
Channel Width Select the Channel Width (MHz) from the drop-down menu. The AP radio can support 20 and 40 MHz channel widths. 20 MHz is the default setting for the 2.4 GHz radio. 20/40 MHz operation (the default setting for the 5 GHz radio) allows the Access Point to receive packets from clients using 20 MHz of bandwidth while transmitting a packet using 40 MHz bandwidth. This mode is supported for 11n users on both the 2.4 and 5 GHz radios.
Antenna Gain Set the antenna gain used with the selected antenna type between 0.00–15.00 dBm. The Access Point’s Power Management Antenna Configuration File (PMACF) automatically configures the Access Point’s radio transmit power based on the antenna type (provided in the CLI), its antenna gain (provided here) and the deployed country’s regulatory domain restrictions. Once the antenna type and gain are provided, the Access Point calculates the power range.
Set Rates Click the Set Rates button to define minimum and maximum data transmit rates for the radio. Use the Basic Rates drop-down menu to select the rates available for either the 2.4 GHz or 5 GHz radio band. The menu options differ, based on the radio band. For 2.4 GHz, the following options are available: • 1 and 2 Mbps • 1, 2, 5.5 and 11 Mbps (default setting) • 1, 2, 5.5, 11 and 6, 12, 24 Mbps • 1, 2, 5.
4 Configure the Performance field to set the preamble, threshold values and QoS values for the radio. Support Short Preamble Interval The preamble is approximately 8 bytes of packet header generated by the Access Point and attached to a packet prior to transmission from the 802.11b radio. The preamble length for 802.11b transmissions is rate dependent. A short preamble is 50% shorter than a long preamble.
Set RF QoS Click the Set RF QoS button to display the Set RF QOS screen to set QoS parameters for the radio. Do not confuse with the QoS configuration screen used for a WLAN. The Set RF QoS screen initially appears with default values displayed. Select manual from the Select Parameter set drop-down menu to edit the CW min and CW max (contention window), AIFSN (Arbitrary Inter-Frame Space Number) and TXOPs Time for each Access Category. These are the QoS policies for the 802.11a/n or 802.
5 Refer to the Beacon Settings field to set the radio beacon and DTIM intervals. Beacon Interval The beacon interval controls the performance of power save stations. A small interval may make power save stations more responsive, but it will also cause them to consume more battery power. A large interval makes power save stations less responsive, but could increase power savings. The default is 100. Avoid changing this parameter as it can adversely affect performance.
8 Refer to the Broadcast/Multicast Transmit Control field to define the broadcast/multicast transmission configuration. The Optimized for Range radio button is selected by default. This default option is ideal when range is preferred over performance for broadcast/multicast (group) traffic. The data rates used for range are the lowest defined basic rates selected from this radio’s Set Rates screen.
NOTE If using a dual-radio Access Point, 4 BSSIDs for the 802.11b/g/n radio and 4 BSSIDs for the 802.11a/n radio are available. WLAN Lists the WLAN names available to the 802.11a/n or 802.11b/g/n radio that can be assigned to a BSSID. BSSID Assign a BSSID value of 1 through 4 to a WLAN in order to map the WLAN to a specific BSSID.
To define MU rate limits for specific WLANs on an Access Point radio: 1 Select Network Configuration > Wireless > Rate Limiting from the access point menu tree. 2 Select the Enable Rate Limiting option to globally enable MU rate limiting for each of the Access Point’s 16 WLANs. Once enabled, MU rate limiting still needs to be enabled for a specific WLAN, then the rate limit allocation needs to be defined for MU traffic within that specific WLAN.
protection functions. More specifically, see, “Configuring Firewall Settings” on page 218 and “Configuring Rogue AP Detection” on page 243. Configuring Router Settings The access point router uses routing tables and protocols to forward data packets from one network to another. The access point router manages traffic within the network, and directs traffic from the WAN to destinations on the access point managed LAN.
4 To set or view the RIP configuration, click the RIP Configuration button. Routing Information Protocol (RIP) is an interior gateway protocol that specifies how routers exchange routing-table information. The Router screen also allows the administrator to select the type of RIP and the type of RIP authentication used by the controller. For more information on configuring RIP, see “Setting the RIP Configuration” on page 187. 5 Use the User Defined Routes field to add or delete static routes.
3 If RIP v2 or RIP v2 (v1 compat) is the selected RIP type, the RIP v2 Authentication field becomes active. Select the type of authentication to use from the Authentication Type drop-down menu. Available options include: None This option disables the RIP authentication. Simple This option enables RIP version 2’s simple authentication mechanism. This setting activates the Password (Simple Authentication) field. MD5 This option enables the MD5 algorithm for data verification.
IP filtering supports the creation of up to 20 filter rules enforced at layer 3. Once defined (using the Access Point’s SNMP, GUI or CLI), filtering rules can be enforced on the Access Point’s LAN1 or LAN2 interfaces and within any of the 16 Access Point WLANs. An additional default action is also available denying traffic when filter rules fail. Lastly, imported and exported configurations retain their defined IP filtering configurations. IP filtering is a network layer facility.
To filter packets against undesired data traffic: 1 Select Network Configuration > IP Filtering from the access point menu tree. When the IP Filtering screen is initially displayed, there are no default filtering policies, and they must be created. NOTE With IP Filtering, users can only define a destination port, not a source port. 2 Click the Add button to define the attributes of a new IP Filtering policy. The following policy (or filtering rule) attributes require definition.
Src Start Defines the beginning source IP address of a range to be either allowed or denied IP packet forwarding. The source address is where the packet originated. Setting the Src End value the same as the Src Start allows or denies just this address without defining a range. Src End Providing this address completes a range of source (data origination) addresses that can either be allowed or denied access to the LAN1, LAN2 or WLAN.
From the Wireless screen: a Select Network Configuration > Wireless from the access point menu tree. b Click the Create button to apply the filter to a new WLAN, or highlight an existing WLAN and click the Edit button. Either the New WLAN or Edit WLAN screen displays. c Select the Enable IP Filtering button in the lower portion of the screen. d Select the IP Filtering button.
admin(network.ipfilter)>add icmp1 ICMP ALL ALL 10.1.1.1 10.1.1.10 11.1.1.1 11.1.1.10
admin(network.ipfilter)>show
-------------------------------------------------------------------------------
Idx Name   Protocol Port-Start-End SrcIP-Start-End DstIP-Start-End In-Use
-------------------------------------------------------------------------------
1   icmp1  ICMP     ALL            10.1.1.1        11.1.1.1        NO
                                   10.1.1.10       11.1.1.10
admin(network.
Adding a filter to LAN 1 for outbound traffic results in the inspection of packets at point A. Both packets out the physical port and wireless transmissions are checked. Adding a filter to WLAN 1 for inbound traffic results in the inspection of packets at point B. Even though WLAN 2 is on LAN 1, its packets are unaffected. Adding a filter to WLAN 3 for inbound traffic results in the inspection of packets at point C.
Creating a LAN IP Filter Policy. The following example uses the Access Point CLI:
admin(network.lan.ipfpolicy)>add 1 icmp1 incoming deny
admin(network.lan.ipfpolicy)>show 1
------------------------------------------------------------------
Idx Filter-Name Direction Action
------------------------------------------------------------------
1   icmp1       incoming  deny
IP Filter Mode
Default Incoming Action
Default Outgoing Action
admin(network.lan.
Dropped Packets        : 0.00 %
%Undecryptable Packets : 0.00 %
IP Filtering:
Incoming:
  icmp1                : 0 denied
  Default Action       : 64 allowed
Outgoing:
  Default Action       : 75 allowed
admin(stats)>show lan 1
LAN Interface Information
LAN Interface 1  : enable
IP Address 1     : 192.168.0.1
Network Mask     : 255.255.255.
Ethernet Address :
Speed            :
Duplex           :
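The CLI examples above define the icmp1 filter and bind it to LAN 1 as an incoming deny rule. The Python model below is an added example, not Extreme Networks code, for checking offline what such a policy does to a given packet and which counter it would increment. It assumes the argument order seen in the page's `add` commands, `allow` as the counterpart of `deny`, rule evaluation in index order with the first match winning, and default actions of allow; the class and function names are hypothetical.

```python
"""Offline model of the AP's layer-3 IP filter rules (added example, not vendor code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    protocol: str                      # "ICMP", "TCP", "UDP", ...
    src: IPv4Address
    dst: IPv4Address
    dst_port: Optional[int] = None     # None for protocols without ports


@dataclass(frozen=True)
class IpFilter:
    name: str
    protocol: str                      # protocol name or "ALL"
    ports: Optional[Tuple[int, int]]   # destination ports only; None means ALL
    src: Tuple[IPv4Address, IPv4Address]
    dst: Tuple[IPv4Address, IPv4Address]

    def matches(self, pkt: Packet) -> bool:
        if self.protocol not in ("ALL", pkt.protocol.upper()):
            return False
        if self.ports is not None and (
                pkt.dst_port is None
                or not self.ports[0] <= pkt.dst_port <= self.ports[1]):
            return False
        return (self.src[0] <= pkt.src <= self.src[1]
                and self.dst[0] <= pkt.dst <= self.dst[1])


def parse_filter(args: str) -> IpFilter:
    """Parse `add` arguments in the order the page's example uses:
    name protocol port-start port-end src-start src-end dst-start dst-end."""
    parts = args.split()
    if len(parts) != 8:
        raise ValueError(f"expected 8 fields, got {len(parts)}")
    name, proto, p_lo, p_hi, s_lo, s_hi, d_lo, d_hi = parts
    if (p_lo.upper() == "ALL") != (p_hi.upper() == "ALL"):
        raise ValueError("port start and end must both be ALL or both numeric")
    ports = None if p_lo.upper() == "ALL" else (int(p_lo), int(p_hi))
    if ports and not 0 < ports[0] <= ports[1] <= 65535:
        raise ValueError("invalid destination port range")
    src = (IPv4Address(s_lo), IPv4Address(s_hi))
    dst = (IPv4Address(d_lo), IPv4Address(d_hi))
    if src[0] > src[1] or dst[0] > dst[1]:
        raise ValueError("address range start is above its end")
    return IpFilter(name, proto.upper(), ports, src, dst)


@dataclass
class InterfacePolicy:
    """Filters bound to one interface (LAN1, LAN2 or a WLAN)."""
    filters: Dict[str, IpFilter]
    default_action: Dict[str, str]     # {"incoming": ..., "outgoing": ...}
    entries: List[Tuple[int, str, str, str]] = field(default_factory=list)
    counters: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def add(self, args: str) -> None:
        """Parse `<idx> <filter-name> <direction> <action>`."""
        idx, name, direction, action = args.split()
        if name not in self.filters:
            raise KeyError(f"unknown filter {name!r}")
        # "allow" as an action keyword is an assumption; the page shows only "deny".
        if direction not in ("incoming", "outgoing") or action not in ("allow", "deny"):
            raise ValueError(f"bad direction/action: {direction} {action}")
        self.entries.append((int(idx), name, direction, action))
        self.entries.sort()

    def evaluate(self, pkt: Packet, direction: str) -> Tuple[str, str]:
        """Return (action, rule name). ASSUMES index order, first match wins."""
        for _idx, name, rule_dir, action in self.entries:
            if rule_dir == direction and self.filters[name].matches(pkt):
                return self._count(direction, name, action)
        return self._count(direction, "Default Action",
                           self.default_action[direction])

    def _count(self, direction: str, name: str, action: str) -> Tuple[str, str]:
        key = (direction, name)
        self.counters[key] = self.counters.get(key, 0) + 1
        return action, name


def build_page_policy() -> InterfacePolicy:
    """The icmp1 filter and LAN 1 binding from the page's CLI examples."""
    icmp1 = parse_filter("icmp1 ICMP ALL ALL 10.1.1.1 10.1.1.10 11.1.1.1 11.1.1.10")
    # Default actions are assumed to be allow, in line with the "allowed"
    # counters in the page's stats output; the setting itself is not shown.
    policy = InterfacePolicy({icmp1.name: icmp1},
                             {"incoming": "allow", "outgoing": "allow"})
    policy.add("1 icmp1 incoming deny")
    return policy


if __name__ == "__main__":
    lan1 = build_page_policy()
    # Constructed probe packet, not captured traffic.
    probe = Packet("ICMP", IPv4Address("10.1.1.5"), IPv4Address("11.1.1.7"))
    print(lan1.evaluate(probe, "incoming"), lan1.evaluate(probe, "outgoing"))
```

Because the filter is bound for incoming traffic only, the same ICMP packet falls through to the default action in the outgoing direction, which is worth checking whenever a deny rule is meant to isolate two address ranges in both directions.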
Chapter 6: Configuring Access Point Security
Security measures for the access point and its WLANs are critical. Use the available access point security options to protect the access point LAN from wireless vulnerabilities, and safeguard the transmission of RF packets between the access point and its associated MUs. WLAN security can be configured on an ESS by ESS basis on the access point.
● To configure a security policy supporting KeyGuard, see “Configuring KeyGuard Encryption” on page 209.
● To define a security policy supporting WPA-TKIP, see “Configuring WPA/WPA2 Using TKIP” on page 211.
● To create a security policy supporting WPA2-CCMP, see “Configuring WPA2-CCMP (802.11i)” on page 213.
● To create WLANs with the same SSID but different BSSIDs and security schemes, see “Configuring Multi Cipher Support” on page 216.
CAUTION Restoring the Access Point’s configuration back to default settings changes the administrative password back to “admin123.” If restoring the configuration back to default settings, be sure you change the administrative password accordingly. 5 Enter the previous password and the new admin password in the two fields provided. Click the Apply button. Once the admin password has been created/updated, the System Settings screen displays.
Enabling Authentication and Encryption Schemes To complement the built-in firewall filters on the WAN side of the access point, the WLAN side of the access point supports authentication and encryption schemes. Authentication is a challenge-response procedure for validating user credentials such as username, password, and sometimes secret-key information. The access point provides two schemes for authenticating users: 802.1x EAP and Kerberos.
4 Enable and configure an Authentication option if necessary for the target security policy. Manually PreShared Key / No Authentication Select this button to disable authentication. This is the default value for the Authentication field. Kerberos Select the Kerberos button to display the Kerberos Configuration field within the New Security Policy screen. For specific information on configuring Kerberos, see “Configuring Kerberos Authentication” on page 202. 802.1x EAP Select the 802.
For access point encryption:
● To create a security policy supporting WEP, see “Configuring WEP Encryption” on page 208.
● To define a security policy supporting KeyGuard, see “Configuring KeyGuard Encryption” on page 209.
● To configure a security policy supporting WPA/TKIP, see “Configuring WPA/WPA2 Using TKIP” on page 211.
● To create a security policy supporting WPA2/CCMP, see “Configuring WPA2-CCMP (802.11i)” on page 213.
4 Ensure the Name of the security policy entered suits the intended configuration or function of the policy. 5 Set the Kerberos Configuration field as required to define the parameters of the Kerberos authentication server and access point. Realm Name Specify a realm name that is case-sensitive, for example, extremenetworks.com. The realm name is the domain/realm name of the KDC Server. A realm name functions similarly to a DNS domain name. In theory, the realm name is arbitrary.
Remote KDC Optionally, specify a numerical (non-DNS) IP address and port for a remote KDC. Kerberos implementations can use an administration server allowing remote manipulation of the Kerberos database. This administration server usually runs on the KDC. Port Specify the ports on which the Primary, Backup and Remote KDCs reside. The default port number for Kerberos Key Distribution Centers is Port 88.
6 Configure the Server Settings field as required to define address information for the authentication server. The appearance of the Server Settings field varies depending on whether Internal or External has been selected from the Radius Server drop-down menu. Radius Server Address If using an External RADIUS Server, specify the numerical (non-DNS) IP address of a primary Remote Dial-In User Service (RADIUS) server. Optionally, specify the IP address of a secondary server.
Radius Port If using an External Radius Server, specify the port on which the primary Radius server is listening. Optionally, specify the port of a secondary (failover) server. Older Radius servers listen on ports 1645 and 1646. Newer servers listen on ports 1812 and 1813. Port 1645 or 1812 is used for authentication. Port 1646 or 1813 is used for accounting.
Enable Reauthentication Select the Enable Reauthentication checkbox to configure a wireless connection policy so MUs are forced to reauthenticate periodically. Periodic repetition of the EAP process provides ongoing security for current authorized connections. Period (30-9999) secs Set the EAP reauthentication period to a shorter interval for tighter security on the WLAN's connections.
Configuring WEP Encryption Wired Equivalent Privacy (WEP) is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard. WEP is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN. WEP may be all that a small-business user needs for the simple encryption of wireless data. However, networks that require more security are at risk from a WEP flaw. The existing 802.
5 Configure the WEP 64 Settings or WEP 128 Settings field as required to define the Pass Key used to generate the WEP keys. These keys must be the same between the Access Point and its MU to encrypt packets between the two devices. Pass Key Specify a 4 to 32 character pass key and click the Generate button. The pass key can be any alphanumeric string. The access point, other proprietary routers and Motorola MUs use the algorithm to convert a string to the same hexadecimal number.
The KeyGuard Settings field displays within the New Security Policy screen. 4 Ensure the Name of the security policy entered suits the intended configuration or function of the policy. 5 Configure the KeyGuard Settings field as required to define the Pass Key used to generate the WEP keys used with the KeyGuard algorithm.
Key 4 404142434445464748494A4B4C 6 Select the Allow WEP128 Clients checkbox (from within the KeyGuard Mixed Mode field) to enable WEP128 clients to associate with an Access Point’s KeyGuard supported WLAN. The WEP128 clients must use the same keys as the KeyGuard clients to interoperate within the Access Point’s KeyGuard supported WLAN. 7 Click the Apply button to save any changes made within the KeyGuard Setting field of the New Security Policy screen.
5 Configure the Key Rotation Settings area as needed to broadcast encryption key changes to MUs and define the broadcast interval. Broadcast Key Rotation Select the Broadcast Key Rotation checkbox to enable or disable broadcast key rotation. When enabled, the key indices used for encrypting/decrypting broadcast traffic will be alternatively rotated on every interval specified in the Broadcast Key Rotation Interval.
256-bit Key To use a hexadecimal value (and not an ASCII passphrase), select the checkbox and enter 16 hexadecimal characters into each of the four fields displayed. Default (hexadecimal) 256-bit keys for WPA/TKIP include:
● 1011121314151617
● 18191A1B1C1D1E1F
● 2021222324252627
● 28292A2B2C2D2E2F
7 Enable WPA2-TKIP Support as needed to allow WPA2 and TKIP client interoperation. Allow WPA2-TKIP clients WPA2-TKIP support enables WPA2 and TKIP clients to operate together on the network.
WPA2/CCMP is based on the concept of a Robust Security Network (RSN), which defines a hierarchy of keys with a limited lifetime (similar to TKIP). Like TKIP, the keys the administrator provides are used to derive other keys. Messages are encrypted using a 128-bit secret key and a 128-bit block of data. The end result is an encryption scheme as secure as any the access point provides.
Broadcast Key Rotation Select the Broadcast Key Rotation checkbox to enable or disable broadcast key rotation. When enabled, the key indices used for encrypting/decrypting broadcast traffic will be alternatively rotated on every interval specified in the Broadcast Key Rotation Interval. Enabling broadcast key rotation enhances the broadcast traffic security on the WLAN. This value is disabled by default.
Opportunistic PMK Caching Select the Opportunistic Pairwise Master Key (PMK) Caching option to reduce handoff latency by preestablishing security associations between an MU and the AP4700 Access Points in the wireless network. NOTE PMK key caching is enabled internally by default when 802.1x EAP authentication is enabled. 9 Click the Apply button to save any changes made within this New Security Policy screen.
● Each WLAN having a unique WLAN name. If a WLAN’s name is the same as the ESSID, it’s difficult to distinguish them when doing WLAN-BSSID grouping.
● Not using WLANs with the same ESSID and security scheme. If this were to be deployed, beacons would contain the same ESSID and security scheme data, but different BSSIDs would be generated, potentially confusing MUs.
● Ensuring WLANs with the same ESSID use the same authentication method(s) in their security policies.
This results in the AP beaconing the same ESSID but different WLAN BSSIDs and security schemes. Configuring Firewall Settings The access point's firewall is a set of related programs located in the gateway on the WAN side of the access point. The firewall uses a collection of filters to screen information packets for known types of system attacks. Some of the access point's filters are continuously enabled, others are configurable.
To configure the access point firewall settings: 1 Select Network Configuration > Firewall from the access point menu tree. 2 Refer to the Global Firewall Disable field to enable or disable the access point firewall. Disable Firewall Select the Disable Firewall checkbox to disable all firewall functions on the access point. This includes firewall filters, NAT, VPN, content filtering, and subnet access.
4 Refer to the Configurable Firewall Filters field to set the following firewall filters: SYN Flood Attack Check A SYN flood attack requests a connection and then fails to promptly acknowledge a destination host's response, leaving the destination host vulnerable to a flood of connection requests.
Color, Access Type, Description:
Green, Full Access: No protocol exceptions (rules) are specified. All traffic may pass between these two areas.
Yellow, Limited Access: One or more protocol rules are specified. Specific protocols are either enabled or disabled between these two areas. Click the table cell of interest and look at the exceptions area in the lower half of the screen to determine the protocols that are either allowed or denied.
Red, No Access: All protocols are denied, without exception.
Preconfigured Rules
The following protocols are preconfigured with the access point. To enable a protocol, check the box next to the protocol name.
• HTTP—Hypertext Transfer Protocol is the protocol for transferring files on the Web. HTTP is an application protocol running on top of the TCP/IP suite of protocols, the foundation protocols for the Internet. The HTTP protocol uses TCP port 80.
• TELNET—TELNET is the terminal emulation protocol of TCP/IP.
Available Protocols
Protocols that are not preconfigured can be specified using the drop-down list within the Transport column of the Subnet Access and Advanced Subnet Access screens. They include:
● ALL—Enables all of the protocol options displayed in the drop-down menu (as described below).
● TCP—Transmission Control Protocol is a set of rules for sending data as message units over the Internet. TCP manages individual data packets.
To configure access point Advanced Subnet Access:
1 Select Network Configuration > Firewall > Advanced Subnet Access from the access point menu tree.
2 Configure the Settings field as needed to override the settings in the Subnet Access screen and import firewall rules into the Advanced Subnet Access screen.
Insert Click the Insert button to insert a new rule directly above a selected rule in the table. Clicking on a field in the row displays a new window with configuration options. Del (Delete) Click Del to remove the selected rule from the table. The index numbers for all the rows below the deleted row decrease by 1. Move Up Clicking the Move Up button moves the selected rule up by one row in the table. The index numbers for the affected rows adjust to reflect the new order.
The access point allows up to 25 VPN tunnels to either a VPN endpoint or to another access point. VPN tunnels allow all traffic on a local subnet to route securely through an IPSec tunnel to a private network. A VPN port is a virtual port which handles tunneled traffic. VPN is also supported with the Access Point’s new WWAN feature. For more information, see “WAN Failover” on page 19.
Del Click Del to delete a highlighted VPN tunnel. There is no confirmation before deleting the tunnel. Tunnel Name The Tunnel Name column lists the name of each VPN tunnel on the access point. Remote Subnet The Remote Subnet column lists the remote subnet for each tunnel. The remote subnet is the subnet the remote network uses for connection. Remote Gateway The Remote Gateway column lists a remote gateway IP address for each tunnel.
Remote Gateway: Enter a numerical (non-DNS) remote gateway IP address for the tunnel. The remote gateway IP address is the gateway address on the remote network the VPN tunnel connects to.
Default Gateway: Displays the WAN interface's default gateway IP address.
Manual Key Exchange: Selecting Manual Key Exchange requires you to manually enter keys for AH and/or ESP encryption and authentication. Click the Manual Key Settings button to configure the settings.
Creating a VPN Tunnel between Two Access Points
This section describes how to define a simple configuration using two Access Points to create an IPSec tunnel.
To create an IPSec VPN tunnel between two Access Points:
1 Ensure the WAN ports are connected via the internet.
2 Select Network Configuration > WAN > VPN from the access point menu tree.
3 Enter any tunnel name (tunnel names do not need to match).
4 Enter the WAN port IP address of AP #1 in the Local WAN IP field.
Notice the status displays “NOT_ACTIVE”. This screen automatically refreshes to get the current status of the VPN tunnel. Once the tunnel is active, the IKE_STATE changes from NOT_CONNECTED to SA_MATURE.
19 On AP #2, repeat the same steps as above. However, replace AP #2 information with AP #1 information.
20 Once both tunnels are established, ping each side to ensure connectivity.
To configure manual key settings for the access point:
1 Select Network Configuration > WAN > VPN from the access point menu tree.
2 Refer to the VPN Tunnel Config field, select the Manual Key Exchange radio button and click the Manual Key Settings button.
3 Configure the Manual Key Settings screen to modify the following:
NOTE When entering Inbound or Outbound encryption or authentication keys, an error message could display stating the keys provided are “weak”.
Inbound AH Authentication Key: Configure a key for computing the integrity check on inbound traffic with the selected authentication algorithm. The key must be 32/40 (for MD5/SHA1) hexadecimal (0-9, A-F) characters in length. The key value must match the corresponding outbound key on the remote security gateway.
Outbound AH Authentication Key: Configure a key for computing the integrity check on outbound traffic with the selected authentication algorithm.
ESP Authentication Algorithm: Select the authentication algorithm to use with ESP. This option is available only when ESP with Authentication was selected for the ESP type. Options include:
• MD5—Enables the Message Digest 5 algorithm, which requires 128-bit (32-character hexadecimal) keys.
• SHA1—Enables Secure Hash Algorithm 1, which requires 160-bit (40-character hexadecimal) keys.
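The key-length and key-matching rules for manual authentication keys described above can be checked before the values are typed into two gateways. The following Python sketch is an added example, not code from the access point or from Extreme Networks; the function names and the dictionary layout are assumptions made for illustration.

```python
"""Plan and cross-check manual IPSec authentication keys for two gateways."""
import secrets
import string

# Key lengths in hexadecimal characters, as stated in the guide:
# MD5 needs 128-bit (32 hex characters), SHA1 needs 160-bit (40 hex characters).
AUTH_KEY_HEX_LEN = {"MD5": 32, "SHA1": 40}
HEX_DIGITS = set(string.hexdigits)


def new_auth_key(algorithm):
    """Return a random key of the right length, as upper-case hex (0-9, A-F)."""
    hex_len = AUTH_KEY_HEX_LEN[algorithm]
    return secrets.token_hex(hex_len // 2).upper()


def check_auth_key(algorithm, key):
    """Return a list of problems with one key; an empty list means it is well formed."""
    expected = AUTH_KEY_HEX_LEN.get(algorithm)
    if expected is None:
        return [f"unknown algorithm {algorithm!r}"]
    problems = []
    if len(key) != expected:
        problems.append(
            f"{algorithm} key must be {expected} hex characters, got {len(key)}")
    bad = sorted({c for c in key if c not in HEX_DIGITS})
    if bad:
        problems.append("non-hexadecimal characters: " + "".join(bad))
    return problems


def make_pair(algorithm):
    """Build settings for both tunnel ends (hypothetical layout).

    Each side's outbound key is the other side's inbound key, which is the
    matching rule the guide gives for the remote security gateway.
    """
    a_to_b = new_auth_key(algorithm)
    b_to_a = new_auth_key(algorithm)
    ap1 = {"algorithm": algorithm, "inbound": b_to_a, "outbound": a_to_b}
    ap2 = {"algorithm": algorithm, "inbound": a_to_b, "outbound": b_to_a}
    return ap1, ap2


def cross_check(local, remote):
    """Return every reason the two gateways' manual key settings disagree."""
    problems = []
    if local["algorithm"] != remote["algorithm"]:
        problems.append("authentication algorithm differs between gateways")
    for side, cfg in (("local", local), ("remote", remote)):
        for direction in ("inbound", "outbound"):
            for issue in check_auth_key(cfg["algorithm"], cfg[direction]):
                problems.append(f"{side} {direction}: {issue}")
    # Hex digits are compared case-insensitively because they encode the same bits.
    if local["inbound"].upper() != remote["outbound"].upper():
        problems.append("local inbound key does not match remote outbound key")
    if local["outbound"].upper() != remote["inbound"].upper():
        problems.append("local outbound key does not match remote inbound key")
    return problems


if __name__ == "__main__":
    ap1, ap2 = make_pair("SHA1")
    print("consistent pair:", cross_check(ap1, ap2) or "no problems")

    # Constructed mistake: the same values typed into the same fields on both
    # gateways, instead of swapping inbound and outbound on the remote side.
    print("mirrored copy:")
    for issue in cross_check(ap1, dict(ap1)):
        print("  -", issue)

    # Constructed mistake: an MD5-length key used with SHA1 selected.
    print("wrong length:", check_auth_key("SHA1", new_auth_key("MD5")))
```

Keys produced this way come from the operating system's random source, so they are not derived from a word or a pattern.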
To configure auto key settings for the access point:
1 Select Network Configuration > WAN > VPN from the access point menu tree.
2 Refer to the VPN Tunnel Config field, select the Auto (IKE) Key Exchange radio button and click the Auto Key Settings button.
ESP Encryption Algorithm: Use this menu to select the encryption and authentication algorithms for this VPN tunnel.
• DES—Selects the DES algorithm. No keys are required to be manually provided.
• 3DES—Selects the 3DES algorithm. No keys are required to be manually provided.
• AES 128-bit—Selects the Advanced Encryption Standard algorithm with 128-bit. No keys are required to be manually provided.
• AES 192-bit—Selects the Advanced Encryption Standard algorithm with 192-bit.
3 Configure the IKE Key Settings screen to modify the following:
Operation Mode: The Phase I protocols of IKE are based on the ISAKMP identity-protection and aggressive exchanges. IKE main mode refers to the identity-protection exchange, and IKE aggressive mode refers to the aggressive exchange.
• Main—Standard IKE mode for communication and key exchange.
• Aggressive—Aggressive mode is faster, but less secure than Main mode.
Local ID Type
Local ID Data
Remote ID Type Select the type of ID to be used for the access point end of the tunnel from the Remote ID Type drop-down menu. • IP—Select the IP option if the remote ID type is the IP address specified as part of the tunnel. • FQDN—Select FQDN if the remote ID type is a fully qualified domain name (such as extremenetworks.com). The setting for this field does not have to be fully qualified, however it must match the setting for the Certificate Authority.
Diffie Hellman Group: Select a Diffie-Hellman Group to use. The Diffie-Hellman key agreement protocol allows two users to exchange a secret key over an insecure medium without any prior secrets. Two algorithms exist, 768-bit and 1024-bit. Select one of the following options:
• Group 1 - 768 bit—Somewhat faster than the 1024-bit algorithm, but secure enough in most situations.
To view VPN status: 1 Select Network Configuration > WAN > VPN > VPN Status from the access point menu tree. 2 Reference the Security Associations field to view the following: Tunnel Name The Tunnel Name column lists the names of all the tunnels configured on the access point. For information on configuring a tunnel, see “Configuring VPN Tunnels” on page 225. Status The Status column lists the status of each configured tunnel. When the tunnel is not in use, the status reads NOT_ACTIVE.
Tx Bytes: The Tx Bytes column lists the amount of data (in bytes) transmitted through each configured tunnel.
Rx Bytes: The Rx Bytes column lists the amount of data (in bytes) received through each configured tunnel.
3 Click the Reset VPNs button to reset active VPNs. Selecting Reset VPNs forces renegotiation of all the Security Associations and keys. Users could notice a slight pause in network performance.
To configure content filtering for the access point:
1 Select Network Configuration > WAN > Content Filtering from the access point menu tree.
2 Configure the HTTP field to block Web proxies and URL extensions.
Block Outbound HTTP: HyperText Transport Protocol (HTTP) is the protocol used to transfer information to and from Web sites. HTTP Blocking allows for blocking of specific HTTP commands going outbound on the access point WAN port. HTTP blocks commands on port 80 only.
3 Configure the SMTP field to disable or restrict specific kinds of network mail traffic.
Block Outbound SMTP Commands: Simple Mail Transport Protocol (SMTP) is the Internet standard for host-to-host mail transport. SMTP generally operates over TCP on port 25. SMTP filtering allows the blocking of any or all outgoing SMTP commands. Check the box next to the command to disable that command when using SMTP across the access point’s WAN port.
4 Configure the FTP field to block or restrict various FTP traffic on the network. Block Outbound FTP Actions File Transfer Protocol (FTP) is the Internet standard for host-to-host mail transport. FTP generally operates over TCP port 20 and 21. FTP filtering allows the blocking of any or all outgoing FTP functions. Check the box next to the command to disable the command when using FTP across the access point’s WAN port.
Therefore, the interval should be set according to the perceived risk of rogue devices and the criticality of MU performance.
CAUTION Using an antenna other than the Dual-Band Antenna could render the access point’s Rogue AP Detector Mode feature inoperable. Contact your Extreme Networks sales associate for specific information.
RF Scan by MU Select the RF Scan by MU checkbox to enable MUs to scan for potential rogue APs within the network. Define an interval in the Scan Interval field for associated MUs to beacon in an attempt to locate a rogue AP. Set the interval to a value sooner than the default if a large volume of device network traffic is anticipated within the coverage area of the target access point. The Scan Interval field is not available unless the RF Scan by MU checkbox is selected.
4 Click Apply to save any changes to the Rogue AP Detection screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.
5 Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Rogue AP Detection screen to the last saved configuration.
6 Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.
2 Enter a value (in minutes) in the Allowed APs Age Out Time field to indicate the number of elapsed minutes before an AP will be removed from the approved list and reevaluated. A zero (0) for this value (default value) indicates an AP can remain on the approved AP list permanently. 3 Enter a value (in minutes) in the Rogue APs Age Out Time field to indicate the number of elapsed minutes before an AP will be removed from the rogue AP list and reevaluated.
3 Refer to the Rogue AP Detail field for the following information:
BSSID/MAC: Displays the MAC address of the rogue AP. This information could be useful if the MAC address is determined to be an Extreme Networks MAC address and the device is interpreted as non-hostile and the device should be defined as an allowed AP.
ESSID: Displays the ESSID of the rogue AP.
Using MUs to Detect Rogue Devices The Access Point can use an associated MU that has its rogue AP detection feature enabled to scan for rogue APs. Once detected, the rogue AP(s) can be moved to the list of allowed devices (if appropriate) within the Active APs screen. When adding an MU’s detection capabilities with the Access Point’s own rogue AP detection functionality, the rogue detection area can be significantly extended.
you are sure all of the devices detected and displayed within the Scan Results table are non-hostile APs.
5 Highlight a different MU from the Rogue AP enabled MUs field as needed to scan for additional rogue APs.
6 Click Logout to return to the Rogue AP Detection screen.

Configuring User Authentication
The Access Point can work with external RADIUS and LDAP Servers (AAA Servers) to provide user database information and user authentication.
2 From within the Data Source Configuration field, use the Data Source drop-down menu to select the data source for the RADIUS server. Local An internal user database serves as the data source. Use the User Database screen to enter the user data. For more information, see “Managing the Local User Database” on page 257. LDAP If LDAP is selected, the controller will use the data in an LDAP server. Configure the LDAP server settings on the LDAP screen under RADIUS Server on the menu tree.
Default Authentication Type: Specify a PEAP and/or TTLS Authentication Type for EAP to use from the drop-down menu to the right of each checkbox item. PEAP options include:
• GTC—EAP Generic Token Card (GTC) is a challenge handshake authentication protocol using a hardware token card to provide the response string.
• MSCHAP-V2—Microsoft CHAP (MSCHAP-V2) is an encrypted authentication method based on Microsoft's challenge/response authentication protocol.
Shared Secret Click the Passwords button and set a shared secret used for each host or subnet authenticating against the RADIUS server. The shared secret can be up to 7 characters in length. 5 Click Apply to save any changes to the RADIUS Server screen. Navigating away from the screen without clicking Apply results in all changes to the screen being lost. 6 Click Undo Changes (if necessary) to undo any changes made.
2 Enter the appropriate information within the LDAP Configuration field to allow the Access Point to interoperate with the LDAP server. Consult with your LDAP server administrator for details on how to define the values in this screen.
LDAP Server IP: Enter the IP address of the external LDAP server acting as the data source for the RADIUS server. The LDAP server must be accessible from the WAN port or from the Access Point’s active subnet.
Group Member Attribute Enter the Group Member Attribute sent to the LDAP server when authenticating users. CAUTION Windows Active Directory users must set their Login Attribute to “sAMAccountName” in order to successfully login to the LDAP server. 3 Click Apply to save any changes to the LDAP screen. Navigating away from the screen without clicking Apply results in all changes to the screen being lost. 4 Click Undo Changes (if necessary) to undo any changes made.
To configure the proxy RADIUS server for the access point:
1 Select System Configuration > User Authentication > Radius Server > Proxy from the menu tree.
2 Refer to the Proxy Configuration field to define the proxy server’s retry count and timeout values.
Retry Count: Enter a value between 3 and 6 to indicate the number of times the Access Point attempts to reach a proxy server before giving up.
6 Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Proxy screen to the last saved configuration. 7 Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed. Managing the Local User Database Use the User Database screen to create groups for use with the RADIUS server. The database of groups is employed if Local is selected as the Data Source from the RADIUS Server screen.
The Users table displays the entire list of users. Up to 100 users can be entered here. The users are listed in the order added. Users can be added and deleted, but there is no capability to edit the name of a group.
4 To add a new user, click the Add button at the bottom of the Users area.
5 In the new line, type a User ID (username).
6 Click the Password cell. A small window displays. Enter a password for the user and click OK to return to the Users screen.
3 To add the user to a group, select the group in the Available list (on the right) and click the <-Add button. Assigned users will display within the Assigned table. Map one or more groups as needed for group authentication access for this particular user. 4 To remove the user from a group, select the group in the Assigned list (on the left) and click the Delete -> button. 5 Click the OK button to save your user and group mapping assignments and return to the Users screen.
time based authentication will not work properly. For information on setting the time zone for the Access Point, see “Configuring Network Time Protocol (NTP)” on page 110.
1 Select User Authentication > Radius Server > Access Policy from the menu tree. The Access Policy screen displays the following fields:
Groups: The Groups field displays the names of those existing groups that can have access intervals applied to them.
2 Review the existing access intervals assigned to each group by selecting the group from amongst those displayed. To modify a group’s permissions, see “Editing Group Access Permissions” on page 261. 3 Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed. Editing Group Access Permissions The Access Policy screen provides a mechanism for modifying an existing group’s access permissions.
NOTE Groups have a strict start and end time (as defined using the Edit Access Policy screen). Only during this period of time can authentication requests from users be honored (with no overlaps). Any authentication request outside of this defined interval is denied regardless of whether a user’s credentials match or not.
5 Refer to the WLANs field to select existing WLANs to apply to the selected group’s set of access permissions.
Chapter 7: Monitoring Statistics
The access point has functionality to display robust transmit and receive statistics for its WAN and LAN port. Wireless Local Area Network (WLAN) stats can also be displayed collectively for each enabled WLAN as well as individually for up to 16 specific WLANs. Transmit and receive statistics can also be displayed for the access point’s 802.11a/n and 802.11b/g/n radios.
To view access point WAN Statistics:
1 Select Status and Statistics > WAN Stats from the access point menu tree.
2 Refer to the Information field to reference the following access point WAN data:
Status: The Status field displays Enabled if the WAN interface is enabled on the WAN screen. If the WAN interface is disabled on the WAN screen, the WAN Stats screen displays no connection information and statistics.
RX Packets RX packets are data packets received over the WAN port. The displayed number is a cumulative total since the WAN interface was last enabled or the access point was last restarted. RX Bytes RX bytes are bytes of information received over the WAN port. The displayed number is a cumulative total since the WAN interface was last enabled or the Access Point was last restarted. RX Errors RX errors include dropped data packets, buffer overruns, and frame errors on inbound traffic.
Viewing LAN Statistics
Use the LAN Stats screen to monitor the activity of the access point’s LAN1 or LAN2 connection. The Information field of the LAN Stats screen displays network traffic information as monitored over the access point LAN1 or LAN2 port. The Received and Transmitted fields of the screen display statistics for the cumulative packets, bytes, and errors received and transmitted over the LAN1 or LAN2 port since it was last enabled or the access point was last restarted.
Link The Link parameter displays Up if the LAN connection is active between the access point and network, and Down if the LAN connection is interrupted or lost. Use this information to assess the current connection status of LAN 1 or LAN2. Speed The LAN 1 or LAN 2 connection speed is displayed in Megabits per second (Mbps), for example, 54Mbps. If the throughput speed is not achieved, examine the number of transmit and receive errors, or consider increasing the supported data rate.
TX Overruns: TX overruns are buffer overruns on the LAN port. TX overruns occur when packets are sent faster than the LAN connection can handle. If TX overruns are excessive, consider reducing the data rate,
TX Carrier: The TX Carrier field displays the number of TCP/IP data carrier errors.
5 Click the Clear LAN Stats button to reset each of the data collection counters to zero in order to begin new data collections.
2 Refer to the Spanning Tree Info field for details on spanning tree state and root Access Point designation.
Spanning Tree State: Displays whether the spanning tree state is currently enabled or disabled. The spanning tree state must be enabled for a unique spanning-tree calculation to occur when the bridge is powered up or when a topology change is detected.
Designated Root: Displays the Access Point MAC address of the bridge defined as the root bridge in the Bridge STP Configuration screen.
Designated Cost: Displays the unique distance between each Access Point MAC address listed in the Designated Bridge column and the Access Point MAC address listed in the Designated Root column.
4 Click the Logout button to securely exit the Access Point applet. There will be a prompt confirming logout before the applet is closed.

Viewing a LAN’s IP Filter Statistics
Each Access Point LAN has the ability to track its own unique IP filter statistics.
3 Refer to the Outgoing Policies field to assess the number of packets either allowed or denied access by the Access Point’s filtering rules. These are packets that are outgoing from the Access Point LAN. 4 Click the Clear LAN Stats button to reset each of the data collection counters to zero in order to begin new data collections. 5 Click the Logout button to securely exit the Access Point applet. There will be a prompt confirming logout before the applet is closed.
Name: Displays the names of all the enabled WLANs on the access point.
MUs: Displays the total number of MUs currently associated with each enabled WLAN. Use this information to assess if the MUs are properly grouped by function within each enabled WLAN.
T-put: Displays the total throughput in Megabits per second (Mbps) for each active WLAN.
ABS: Displays the Average Bit Speed (ABS) in Megabits per second (Mbps) for each active WLAN displayed.
signal averages from the associated MUs. The Error field displays RF traffic errors based on retries, dropped packets, and undecryptable packets. The WLAN Stats screen is view-only with no user configurable data fields. To view statistics for an individual WLAN: 1 Select Status and Statistics > Wireless Stats > WLANx Stats (x = target WLAN) from the access point menu tree.
3 Refer to the Traffic field to view performance and throughput information for the WLAN selected from the access point menu tree.
Pkts per second: The Total column displays the average total packets per second crossing the selected WLAN. The Rx column displays the average total packets per second received on the selected WLAN. The Tx column displays the average total packets per second sent on the selected WLAN.
5 Refer to the Errors field to view MU association error statistics for the WLAN selected from the access point menu tree. Avg Num of Retries Displays the average number of retries for all MUs associated with the selected WLAN. The number in black represents average retries for the last 30 seconds and the number in blue represents average retries for the last hour. Dropped Packets Displays the percentage of packets which the AP gave up on for all MUs associated with the selected WLAN.
To view access point LAN’s IP filter statistics:
1 Select Status and Statistics > Wireless Stats > WLAN1 Stats (or any other WLAN) > IP Filter Stats from the access point menu tree.
2 Refer to the Incoming Policies field to assess the number of packets either allowed or denied access by the Access Point’s filtering rules. These are packets that are incoming to the selected Access Point WLAN.
To view high-level access point radio statistics: 1 Select Status and Statistics > Radio Stats from the access point menu tree. 2 Refer to the Radio Summary field to reference access point radio information. Type Displays the type of radio (either 802.11a/n or 802.11b/g/n) currently deployed by the access point. MUs Displays the total number of MUs currently associated with each access point radio. T-put Displays the total throughput in Megabits per second (Mbps) for each access point radio listed.
Do not clear the radio stats if currently in an important data gathering activity or risk losing all data calculations to that point. For information on viewing radio statistics particular to the access point radio type displayed within the AP Stats Summary screen, see “Viewing Radio Statistics” on page 278.
4 Click the Logout button to securely exit the Access Point applet.
HW Address The Media Access Control (MAC) address of the access point housing the 802.11a/n radio. The MAC address is set at the factory and can be found on the bottom of the Access Point. Radio Type Displays the radio type (either 802.11a/n or 802.11b/g/n). Power The power level in milliwatts (mW) for RF signal strength. Active WLANs Lists the access point WLANs adopted by the 802.11a/n or 802.11b/g/n radio. Placement Lists whether the access point radio is indoors or outdoors.
4 Refer to the RF Status field to view the following MU signal, noise and performance information for the target access point 802.11a/n or 802.11b/g/n radio.
Avg MU Signal: Displays the average RF signal strength in dBm for all MUs associated with the radio. The number in black represents the average signal for the last 30 seconds and the number in blue represents the average signal for the last hour.
The table’s first column shows 0 under Retries. The value under the Packets column directly to the right shows the number of packets transmitted by this Access Point radio that required 0 retries (delivered on the first attempt). As you go down the table you can see the number of packets requiring 1 retry, 2 retries etc. Use this information to assess whether an abundance of retries warrants reconfiguring the Access Point radio to achieve better performance.
To view access point overview statistics for all of the MUs associated to the access point:
1 Select Status and Statistics > MU Stats from the access point menu tree.
2 Refer to the MU List field to reference associated MU address, throughput and retry information.
IP Address: Displays the IP address of each associated MU.
MAC Address: Displays the MAC address of each associated MU.
WLAN: Displays the WLAN name each MU is interoperating with.
NOTE An echo test initiated from the access point MU Stats Summary screen uses WNMP pings. Therefore, target clients that are not Motorola MUs are unable to respond to the echo test.
5 Click the MU Authentication Statistics button to display a screen with detailed authentication statistics for an MU. For information on individual MU authentication statistics, see “MU Authentication Statistics” on page 285.
6 Click the MU Details button to display a screen with detailed statistics for a selected MU.
Radio Association: Displays the name of the AP the MU is currently associated with.
QoS Client Type: Displays the data type transmitted by the mobile unit. Possible types include Legacy, Voice, WMM Baseline and Power Save.
Encryption: Displays the encryption scheme deployed by the associated MU.
5 Refer to the Traffic field to view individual MU RF throughput information.
Packets per second: The Total column displays average total packets per second crossing the MU.
Dropped Packets: Displays the percentage of packets the AP gave up on as not received for the selected MU. The number in black represents the percentage of packets for the last 30 seconds and the number in blue represents the percentage of packets for the last hour.
% of Undecryptable Pkts: Displays the percentage of undecryptable packets for the MU.
To view access point authentication statistics for a specific MU:
1 Select Status and Statistics > MU Stats from the access point menu tree.
2 Highlight a target MU from within the MU List field.
3 Click the MU Authentication Statistics button. Use the displayed statistics to determine if the target MU would be better served with a different access point WLAN or access point radio.
4 Click Ok to return to the MU Stats Summary screen.
MAC Address The unique 48-bit, hard-coded Media Access Control address, known as the devices station identifier. This value is hard coded at the factory by the manufacturer and cannot be changed. WLAN Displays the WLAN name each wireless bridge is interoperating with. Radio Displays the name of the 802.11a/n or 802.11b/g/n radio each bridge is associated with. T-put Displays the total throughput in Megabits per second (Mbps) for each associated bridge.
Viewing Known Access Point Statistics
The access point has the capability of detecting and displaying the properties of other Extreme Networks Access Points located within its coverage area. Detected access points transmit a WNMP message indicating their channel, IP address, firmware version, etc. This information is used to create a known AP list. The list has fields indicating the properties of the Access Point discovered.
2 Click the Clear Known AP Stats button to reset each of the data collection counters to zero in order to begin new data collections. 3 Click the Details button to display Access Point address and radio information. The Known AP Details screen displays the target AP’s MAC address, IP address, radio channel, number of associated MUs, packet throughput per second, radio type(s), model, firmware version, ESS and client bridges currently connected to the AP radio.
Additionally, LAN1 and LAN2 IP mode settings will only be sent if the sender’s AP mode is DHCP or BOOTP. The WAN’s IP mode will only be sent if the sender’s IP mode is DHCP.
6 Click the Start Flash button to flash the LEDs of other access points detected and displayed within the Known AP Statistics screen. Use the Start Flash button to determine the location of the devices displayed within the Known AP Statistics screen.
Chapter 8: CLI Reference
The access point Command Line Interface (CLI) is accessed through the serial port or a Telnet session. The access point CLI follows the same conventions as the Web-based user interface. The CLI does, however, provide an “escape sequence” to provide diagnostics for problem identification and resolution.
NOTE The CLI commands described in this guide pertain equally to both the Altitude 4710 and Altitude 4750 Access Points.
Accessing the CLI via Telnet
To connect to the access point CLI through a Telnet connection:
1 If this is your first time connecting to your access point, keep in mind the access point uses a static IP WAN address (10.1.1.1). Additionally, the access point’s LAN port is set as a DHCP client.
2 Enter the default username of admin and the default password of admin123.
Admin and Common Commands
AP4700>admin>
Displays admin configuration options. The items available under this command are shown below.
Syntax
    help     Displays general user interface help.
    passwd   Changes the admin password.
    summary  Shows a system summary.
    network  Goes to the network submenu.
    system   Goes to the system submenu.
    stats    Goes to the stats submenu.
    ..       Goes to the parent menu.
    /        Goes to the root menu.
    save     Saves the configuration to system flash.
    quit     Quits the CLI.
AP4700>admin>help
Displays general CLI user interface help.
Syntax
    help  Displays command line help using combinations of function keys for navigation.
Example
admin>help
? : display command help - Eg. ?, show ?, s?
* Restriction of “?”: “?” after a function argument is treated as an argument Eg. admin
AP4700>admin>passwd
Changes the password for the admin login.
Syntax
    passwd  Changes the admin password for access point access. This requires typing the old admin password and entering a new password and confirming it. Passwords can be up to 11 characters. The access point CLI treats the following as invalid characters: ' " \ & $ ^ * + ? [ ( { | , < >
In order to avoid problems when using the access point CLI, these characters should be avoided.
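The length limit and invalid-character list above can be checked before a password is typed at the passwd prompt. The Python below is an added example, not code from this guide or from Extreme Networks; it assumes every printable, non-space ASCII character outside the invalid list is accepted, and the function names are hypothetical.

```python
import math
import secrets
import string

# Constraints stated on this page for the admin password.
MAX_LEN = 11
INVALID_CHARS = set("'\"\\&$^*+?[({|,<>")
DEFAULT_PASSWORD = "admin123"

# Assumption: the remaining printable, non-space ASCII characters are accepted.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in INVALID_CHARS
)


def check_admin_password(candidate):
    """Return a list of problems; an empty list means the candidate fits the CLI rules."""
    problems = []
    if not candidate:
        problems.append("empty password")
    if len(candidate) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    bad = sorted(set(candidate) & INVALID_CHARS)
    if bad:
        problems.append("contains characters the CLI treats as invalid: " + " ".join(bad))
    if any(c not in ALPHABET and c not in INVALID_CHARS for c in candidate):
        problems.append("contains a space or non-ASCII character (outside the assumed set)")
    if candidate == DEFAULT_PASSWORD:
        problems.append("is the factory default password")
    return problems


def generate_admin_password(length=MAX_LEN):
    """Generate a random password from the allowed alphabet, up to the 11-character cap."""
    if not 8 <= length <= MAX_LEN:
        raise ValueError(f"length must be between 8 and {MAX_LEN}")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Keep only results with mixed character classes.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def entropy_bits(length=MAX_LEN):
    """Upper bound on the entropy of a uniformly random password of this length."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    print(check_admin_password("admin123"))
    print(generate_admin_password(), f"(at most {entropy_bits():.1f} bits)")
```

With 16 characters excluded, 78 symbols remain, so even a full-length random password tops out at roughly 69 bits.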
AP4700>admin>summary
Displays the access point’s system summary.
Syntax
    summary  Displays a summary of high-level characteristics and settings for the WAN, LAN and WLAN.
Example
admin>summary
AP4700 firmware version : 4.1.1.0-022R
country code            : us
ap-mode                 : independent
serial number           : 10289-80867
model                   : AP4750-US
hw version              : A
WLAN 1:
WLAN name ESS ID Radio Band(s) VLAN Security Policy QoS Policy Rate Limiting : : : : : : : lobby 101 5.
AP4700>admin>.. Displays the parent menu of the current menu. This command appears in all of the submenus under admin. In each case, it has the same function, to move up one level in the directory structure. Example admin(network.lan)>..
AP4700>admin> /
Displays the root menu, that is, the top-level CLI menu. This command appears in all of the submenus under admin. In each case, it has the same function, to move up to the top level in the directory structure.
Example
admin(network.
AP4700>admin>save Saves the configuration to system flash. The save command appears in all of the submenus under admin. In each case, it has the same function, to save the current configuration. Syntax save Saves configuration settings. The save command works at all levels of the CLI. The save command must be issued before leaving the CLI for updated settings to be retained.
AP4700>admin>quit
Exits the command line interface session and terminates the session. The quit command appears in all of the submenus under admin. In each case, it has the same function, to exit out of the CLI. Once the quit command is executed, the login prompt displays again.
Network Commands AP4700>admin(network)> Displays the network submenu. The items available under this command are shown below. lan wan wireless firewall router ipfilter ..
Network LAN Commands
AP4700>admin(network.lan)>
Displays the LAN submenu. The items available under this command are shown below.
    show          Shows current access point LAN parameters.
    set           Sets LAN parameters.
    bridge        Goes to the mesh configuration submenu.
    wlan-mapping  Goes to the WLAN/Lan/Vlan Mapping submenu.
    dhcp          Goes to the LAN DHCP submenu.
    type-filter   Goes to the Ethernet Type Filter submenu.
    ipfpolicy     Goes to the LAN IP Filter Policy submenu.
    ..            Goes to the parent menu.
AP4700>admin(network.lan)>show
Displays the access point LAN settings.
Syntax
    show  Shows the settings for the access point LAN1 and LAN2 interfaces.
Example
admin(network.lan)>show
LAN On Ethernet Port     : LAN1
LAN Ethernet Timeout     : disable
802.1x Port Authentication:
Username                 : admin
Password                 : ********
Auto-negoitation         : disable
Speed                    : 100M
Duplex                   : full
** LAN1 Information **
LAN Name LAN Interface 802.
AP4700>admin(network.lan)>set
Sets the LAN parameters for the LAN port.
Syntax
set
    lan                Enables or disables the access point LAN interface.
    name               Defines the LAN name by index.
    ethernet-port-lan  Defines which LAN (LAN1 or LAN2) is active on the Ethernet port.
    timeout            Sets the interval (in seconds) the access point uses to terminate its LAN interface if no activity is detected for the specified interval.
    trunking           Enables or disables 802.
Network LAN, Bridge Commands
AP4700>admin(network.lan.bridge)>
Displays the access point Bridge submenu.
    show  Displays the mesh configuration parameters for the access point’s LANs.
    set   Sets the mesh configuration parameters for the access point’s LANs.
    ..    Moves to the parent menu.
    /     Goes to the root menu.
    save  Saves the configuration to system flash.
    quit  Quits the CLI and exits the session.
AP4700>admin(network.lan.bridge)>show
Displays the mesh bridge configuration parameters for the access point’s LANs.
Syntax
    show  Displays mesh bridge configuration parameters for the access point’s LANs.
Example
admin(network.lan.
AP4700>admin(network.lan.bridge)>set
Sets the mesh configuration parameters for the access point’s LANs.
Syntax
set
    priority  Sets bridge priority time in seconds (0-65535) for specified LAN.
    hello     Sets bridge hello time in seconds (0-10) for specified LAN.
    msgage    Sets bridge message age time in seconds (6-40) for specified LAN.
    fwddelay  Sets bridge forward delay time in seconds (4-30) for specified LAN.
Network LAN, WLAN-Mapping Commands
AP4700>admin(network.lan.wlan-mapping)>
Displays the WLAN/Lan/Vlan Mapping submenu.
    show      Displays the VLAN list currently defined for the access point.
    set       Sets the access point VLAN configuration.
    create    Creates a new access point VLAN.
    edit      Edits the properties of an existing access point VLAN.
    delete    Deletes a VLAN.
    lan-map   Maps access point existing WLANs to an enabled LAN.
    vlan-map  Maps access point existing WLANs to VLANs.
    ..
AP4700>admin(network.lan.wlan-mapping)>show
Displays the VLAN list currently defined for the access point. These parameters are defined with the set command.
Syntax
show
    name      Displays the existing list of VLAN names.
    vlan-cfg  Shows WLAN-VLAN mapping and VLAN configuration.
    lan-wlan  Displays a WLAN-LAN mapping summary.
    wlan      Displays the WLAN summary list.
Example
admin(network.lan.
AP4700>admin(network.lan.wlan-mapping)>set
Sets VLAN parameters for the access point.
Syntax
set
    mgmt-tag    Defines the Management VLAN tag index (1 or 2) to tag number (1-4095).
    native-tag  Sets the Native VLAN tag index (1 or 2) to tag number (1-4095).
    mode        Sets WLAN VLAN mode (WLAN 1-16) to either dynamic or static.
Example
admin(network.lan.wlan-mapping)>set mgmt-tag 1 10
admin(network.lan.wlan-mapping)>set native-tag 1 12
admin(network.lan.
AP4700>admin(network.lan.wlan-mapping)>create
Creates a VLAN for the access point.
Syntax
create
    vlan-id    Defines the VLAN ID (1-4095).
    vlan-name  Specifies the name of the VLAN (1-31 characters in length).
Example
admin(network.lan.wlan-mapping)>
admin(network.lan.wlan-mapping)>create 5 vlan-5
For information on creating VLANs using the applet (GUI), see “Configuring VLAN Support” on page 126.
AP4700>admin(network.lan.wlan-mapping)>edit
Modifies a VLAN’s name and ID.
Syntax
edit
    name  Modifies an existing VLAN name (1-31 characters in length).
    id    Modifies an existing VLAN ID (1-4095).
For information on editing VLANs using the applet (GUI), see “Configuring VLAN Support” on page 126.
AP4700>admin(network.lan.wlan-mapping)>delete
Deletes a specific VLAN or all VLANs.
Syntax
delete
    <VLAN id>  Deletes a specific VLAN ID (1-16).
    all        Deletes all defined VLAN entries.
For information on deleting VLANs using the applet (GUI), see “Configuring VLAN Support” on page 126.
AP4700>admin(network.lan.wlan-mapping)>lan-map
Maps an access point VLAN to a WLAN.
Syntax
lan-map
    Maps an existing WLAN to an enabled LAN. All names and IDs are case-sensitive.
    Defines enabled LAN name. All names and IDs are case-sensitive.
Example
admin(network.lan.wlan-mapping)>lan-map wlan1 lan1
For information on mapping VLANs using the applet (GUI), see “Configuring VLAN Support” on page 126.
AP4700>admin(network.lan.wlan-mapping)>vlan-map
Maps an access point VLAN to a WLAN.
Syntax
vlan-map
    Maps an existing WLAN to an enabled LAN. All names and IDs are case-sensitive.
    Defines the existing VLAN name. All names and IDs are case-sensitive.
Example
admin(network.lan.wlan-mapping)>vlan-map wlan1 vlan1
For information on mapping VLANs using the applet (GUI), see “Configuring VLAN Support” on page 126.
Network LAN, DHCP Commands
AP4700>admin(network.lan.dhcp)>
Displays the access point DHCP submenu. The items available are displayed below.
    show    Displays DHCP parameters.
    set     Sets DHCP parameters.
    add     Adds static DHCP address assignments.
    delete  Deletes static DHCP address assignments.
    list    Lists static DHCP address assignments.
    ..      Goes to the parent menu.
    /       Goes to the root menu.
    save    Saves the configuration to system flash.
    quit    Quits the CLI and exits the session.
AP4700>admin(network.lan.dhcp)>show
Shows DHCP parameter settings.
Syntax
    show  Displays DHCP parameter settings for the access point. These parameters are defined with the set command.
Example
admin(network.lan.dhcp)>show
**LAN1 DHCP Information**
DHCP Address Assignment Range:
Starting IP Address : 192.168.0.100
Ending IP Address   : 192.168.0.254
Lease Time          : 86400
**LAN2 DHCP Information**
DHCP Address Assignment Range:
Starting IP Address : 192.168.0.100
Ending IP Address   : 192.168.0.
AP4700>admin(network.lan.dhcp)>set
Sets DHCP parameters for the LAN port.
Syntax
set
    range  Sets the DHCP assignment range from IP address to IP address for the specified LAN (1-lan1, 2-lan2).
    lease  Sets the DHCP lease time in seconds (1-999999) for the specified LAN.
Example
admin(network.lan.dhcp)>set range 1 192.168.0.100 192.168.0.254
admin(network.lan.dhcp)>set lease 1 86400
admin(network.lan.
AP4700>admin(network.lan.dhcp)>add
Adds static DHCP address assignments.
Syntax
    add  Adds a reserved static IP address to a MAC address for the specified LAN.
Example
admin(network.lan.dhcp)>add 1 00A0F8112233 192.160.24.6
admin(network.lan.dhcp)>add 1 00A0F1112234 192.169.24.7
admin(network.lan.
AP4700>admin(network.lan.dhcp)>delete
Deletes static DHCP address assignments.
Syntax
delete
    Deletes the static DHCP address entry (1-30) for the specified LAN.
    all  Deletes all static DHCP addresses.
Example
admin(network.lan.
AP4700>admin(network.lan.dhcp)>list
Lists static DHCP address assignments.
Syntax
    list  Lists the static DHCP address assignments for the specified LAN (1-LAN1, 2 LAN2).
Example
admin(network.lan.dhcp)>list 1
----------------------------------------------------------------------------
Index  MAC Address   IP Address
----------------------------------------------------------------------------
1      00A0F8112233  10.1.2.4
2      00A0F8102030  10.10.1.2
3      00A0F8112234  10.1.2.3
4      00A0F8112235  192.
5      00A0F8112236
Network Type Filter Commands
AP4700>admin(network.lan.type-filter)>
Displays the access point Type Filter submenu. The items available under this command include:
    show    Displays the current Ethernet Type exception list.
    set     Defines Ethernet Type Filter parameters.
    add     Adds an Ethernet Type Filter entry.
    delete  Removes an Ethernet Type Filter entry.
    ..      Goes to the parent menu.
    /       Goes to the root menu.
    save    Saves the configuration to system flash.
    quit    Quits the CLI.
AP4700>admin(network.lan.type-filter)>show
Displays the access point’s current Ethernet Type Filter configuration.
Syntax
    show  Displays the existing Type-Filter configuration for the specified LAN.
Example
admin(network.lan.
AP4700>admin(network.lan.type-filter)>set
Defines the access point Ethernet Type Filter configuration.
Syntax
    set mode allow or deny  Allows or denies the access point from processing a specified Ethernet data type for the specified LAN.
Example
admin(network.lan.type-filter)>set mode 1 allow
For information on configuring the type filter settings using the applet (GUI), see “Setting the Type Filter Configuration” on page 133.
AP4700>admin(network.lan.type-filter)>add
Adds an Ethernet Type Filter entry.
Syntax
    add  Adds entered Ethernet Type to list of data types either allowed or denied access point processing permissions for the specified LAN (either LAN1 or LAN2).
Example
admin(network.lan.type-filter)>
admin(network.lan.type-filter)>add 1 8137
admin(network.lan.type-filter)>add 2 0806
admin(network.lan.
AP4700>admin(network.lan.type-filter)>delete
Removes an Ethernet Type Filter entry individually or the entire Type Filter list.
Syntax
delete
    Deletes the specified Ethernet Type index entry (1 through 16).
    all  Deletes all Ethernet entries currently in list.
Example
admin(network.lan.type-filter)>delete 1 1
admin(network.lan.
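What a type filter list built with add (for example 8137, IPX, and 0806, ARP) does to traffic can be modelled offline before it is applied to a LAN. This Python is an added example, not the access point's implementation; it assumes allow mode passes only listed types and deny mode drops them, and all class and function names are hypothetical.

```python
import struct

VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag identifiers


def ethertype_of(frame):
    """Return the EtherType of a raw Ethernet frame, skipping VLAN tags.

    Returns None for truncated frames and for 802.3 frames whose field
    is a length (below 0x0600) rather than a type.
    """
    offset = 12  # destination MAC (6) + source MAC (6)
    while True:
        if len(frame) < offset + 2:
            return None
        (value,) = struct.unpack_from("!H", frame, offset)
        if value in VLAN_TPIDS:
            offset += 4  # TPID (2) + tag control information (2)
            continue
        return value if value >= 0x0600 else None


class TypeFilter:
    """Model of one LAN's type filter: a mode plus up to 16 hex entries."""

    MAX_ENTRIES = 16  # the delete command on this page indexes entries 1 through 16

    def __init__(self, mode):
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.mode = mode
        self.types = []

    def add(self, hex_type):
        """Add an entry written as on the CLI, e.g. '8137' or '0806'."""
        value = int(hex_type, 16)
        if not 0x0600 <= value <= 0xFFFF:
            raise ValueError(f"{hex_type} is not a valid EtherType")
        if len(self.types) >= self.MAX_ENTRIES:
            raise ValueError("type filter list is full")
        if value not in self.types:
            self.types.append(value)

    def permits(self, frame):
        """Assumed semantics: 'allow' passes only listed types, 'deny' drops them."""
        etype = ethertype_of(frame)
        if etype is None:
            return self.mode == "deny"  # unclassifiable frames are on no list
        listed = etype in self.types
        return listed if self.mode == "allow" else not listed


def build_frame(ethertype, vlan=None, payload=b"\x00" * 46):
    """Build a constructed test frame with placeholder MAC addresses."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    if vlan is not None:
        header += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    deny = TypeFilter("deny")
    deny.add("8137")
    deny.add("0806")
    for etype in (0x0800, 0x0806, 0x8137):
        print(f"{etype:04X}", "pass" if deny.permits(build_frame(etype, vlan=10)) else "drop")
```

Under these semantics, an allow list holding only 0800 also blocks ARP, so IPv4 hosts on that LAN stop resolving each other until 0806 is added.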
Network WAN Commands AP4700>admin(network.wan)> Displays the WAN submenu. The items available under this command are shown below. show set delete clear nat vpn content dyndns ..
AP4700>admin(network.wan)>show
Displays the access point WAN port parameters.
Syntax
    show  Shows the general IP parameters for the WAN port along with settings for the WAN interface.
Example
admin(network.
AP4700>admin(network.wan)>set Defines the configuration of the access point WAN port. Syntax set wan enable/disable Enables or disables the access point WAN port. dhcp enable/disable Enables or disables WAN DHCP Client mode. ipadr mask Sets the subnet mask for the access point WAN interface. dgw Sets the default gateway IP address to . dns autonegotiation enable/disable Enables or disables auto-negotiation for the access point WAN port.
For an overview of the WAN configuration options available using the applet (GUI), see “Configuring WAN Settings” on page 135.
Network WAN NAT Commands
AP4700>admin(network.wan.nat)>
Displays the NAT submenu. The items available under this command are shown below.
    show    Displays the access point’s current NAT parameters for the specified index.
    set     Defines the access point NAT settings.
    add     Adds NAT entries.
    delete  Deletes NAT entries.
    list    Lists NAT entries.
    ..      Goes to the parent menu.
    /       Goes to the root menu.
    save    Saves the configuration to system flash.
    quit    Quits the CLI.
AP4700>admin(network.wan.nat)>show
Displays access point NAT parameters.
Syntax
    show  Displays access point NAT parameters for the specified NAT index (1-8).
Example
admin(network.wan.nat)>show 2
WAN IP Mode      : enable
WAN IP Address   : 157.235.91.2
NAT Type         : 1-to-many
Inbound Mappings : Port Forwarding
unspecified port forwarding mode unspecified port fwd. ip address one to many nat mapping : enable : 111.223.222.
AP4700>admin(network.wan.nat)>set Sets NAT inbound and outbound parameters. Syntax set type Sets the type of NAT translation for WAN address index (1-8) to (none, 1-to-1, or 1-to-many). ip Sets NAT IP mapping associated with WAN address to the specified IP address .
AP4700>admin(network.wan.nat)>add
Adds NAT entries.
AP4700>admin(network.wan.nat)>delete
Deletes NAT entries.
Syntax
delete
    Deletes a specified NAT index entry associated with the WAN.
    all  Deletes all NAT entries associated with the WAN.
Example
admin(network.wan.nat)>list 1
----------------------------------------------------------------------------
index  name  Transport  start port  end port  internal ip  translation
----------------------------------------------------------------------------
1 special tcp 20 21 192.168.42.
AP4700>admin(network.wan.nat)>list
Lists access point NAT entries for the specified index.
Syntax
    list  Lists the inbound NAT entries associated with the WAN index (1-8).
Example
admin(network.wan.nat)>list 1
----------------------------------------------------------------------------
index  name  Transport  start port  end port  internal ip  translation
----------------------------------------------------------------------------
1 special tcp 20 21 192.168.42.
Network WAN, VPN Commands
AP4700>admin(network.wan.vpn)>
Displays the VPN submenu. The items available under this command include:
    add       Adds VPN tunnel entries.
    set       Sets key exchange parameters.
    delete    Deletes VPN tunnel entries.
    list      Lists VPN tunnel entries.
    reset     Resets all VPN tunnels.
    stats     Lists security association status for the VPN tunnels.
    ikestate  Displays an Internet Key Exchange (IKE) summary.
    ..        Goes to the parent menu.
    /         Goes to the root menu.
AP4700>admin(network.wan.vpn)>add
Adds a VPN tunnel entry.
Syntax
    add  Creates a tunnel (1 to 13 characters) to gain access through local WAN IP from the remote subnet with address and subnet mask using the remote gateway .
Example
admin(network.wan.vpn)>add 2 SJSharkey 209.235.44.31 206.107.22.46 255.255.255.224 206.107.22.
AP4700>admin(network.wan.vpn)>set
Sets VPN entry parameters.
Syntax
set
    type      Sets the tunnel type to Auto or Manual for the specified tunnel name.
    authalgo  Sets the authentication algorithm for to (None, MD5, or SHA1).
    authkey   Sets the AH authentication key (if type is Manual) for tunnel with the direction set to IN or OUT, and the manual authentication key set to .
ike
    opmode     Sets the Operation Mode of IKE for to Main or Aggr(essive).
    myidtype   Sets the Local ID type for IKE authentication for (1 to 13 characters) to (IP, FQDN, or UFQDN).
    remidtype  Sets the Remote ID type for IKE authentication for (1 to 13 characters) to (IP, FQDN, or UFQDN).
    myiddata   Sets the Local ID data for IKE authentication for to .
AP4700>admin(network.wan.vpn)>delete
Deletes VPN tunnel entries.
Syntax
delete
    all  Deletes all VPN entries.
    Deletes VPN entries .
Example
admin(network.wan.vpn)>list
--------------------------------------------------------------------------
Tunnel Name   Type    Remote IP/Mask    Remote Gateway  Local WAN IP
--------------------------------------------------------------------------
Eng2EngAnnex  Manual  192.168.32.2/24   192.168.33.1    192.168.24.198
SJSharkey     Manual  206.107.22.45/27  206.107.22.2    209.235.
AP4700>admin(network.wan.vpn)>list
Lists VPN tunnel entries.
Syntax
list
    Lists all tunnel entries.
    Lists detailed information about tunnel named . The must match case with the name of the VPN tunnel entry.
Example
admin(network.wan.
AP4700>admin(network.wan.vpn)>reset
Resets all of the access point’s VPN tunnels.
Syntax
    reset  Resets all VPN tunnel states.
Example
admin(network.wan.vpn)>reset
VPN tunnels reset.
admin(network.wan.vpn)>
For information on configuring VPN using the applet (GUI), see “Configuring VPN Tunnels” on page 225.
AP4700>admin(network.wan.vpn)>stats
Lists statistics for all active tunnels.
Syntax
    stats  Display statistics for all VPN tunnels.
Example
admin(network.wan.
AP4700>admin(network.wan.vpn)>ikestate
Displays statistics for all active tunnels using Internet Key Exchange (IKE).
Syntax
    ikestate  Displays status about Internet Key Exchange (IKE) for all tunnels. In particular, the table indicates whether IKE is connected for any of the tunnels, it provides the destination IP address, and the remaining lifetime of the IKE key.
Example
admin(network.wan.
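The tunnel table printed by list and the type, authalgo and ike opmode options of set can be reviewed together for weak settings. This Python is an added example, not part of the guide or the access point software; the table rows, tunnel names and per-tunnel settings are constructed, and the settings dictionary is an assumed way of recording what was configured with set.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the column layout of the `list` output shown on this page.
SAMPLE_LIST_OUTPUT = """\
--------------------------------------------------------------------------
Tunnel Name   Type    Remote IP/Mask    Remote Gateway  Local WAN IP
--------------------------------------------------------------------------
HQ-Branch1    Manual  192.0.2.0/25      198.51.100.1    203.0.113.10
HQ-Branch2    Auto    192.0.2.128/27    198.51.100.2    203.0.113.10
"""

# Constructed per-tunnel settings, keyed by the `set` keywords on this page
# (authalgo: None/MD5/SHA1, ike opmode: Main/Aggr).
SAMPLE_SETTINGS = {
    "HQ-Branch1": {"authalgo": "MD5"},
    "HQ-Branch2": {"authalgo": "SHA1", "opmode": "Aggr"},
}


@dataclass
class Tunnel:
    name: str
    type: str
    remote_net: ipaddress.IPv4Network
    remote_gw: ipaddress.IPv4Address
    local_wan: ipaddress.IPv4Address


def parse_tunnel_list(text):
    """Parse the tunnel table; header, separator and blank lines are skipped.

    Assumption: tunnel names (1 to 13 characters) contain no spaces.
    """
    tunnels = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[1] not in ("Auto", "Manual"):
            continue
        name, ttype, remote, gw, wan = fields
        tunnels.append(Tunnel(
            name, ttype,
            ipaddress.ip_network(remote, strict=False),  # table shows host/mask form
            ipaddress.ip_address(gw),
            ipaddress.ip_address(wan),
        ))
    return tunnels


def audit(tunnels, settings):
    """Return (tunnel name, finding) pairs, per tunnel first, then overlaps."""
    findings = []
    for t in tunnels:
        cfg = settings.get(t.name, {})
        if t.type == "Manual":
            findings.append((t.name, "manual keying: static keys, no IKE rekeying"))
        algo = cfg.get("authalgo")
        if algo == "None":
            findings.append((t.name, "authalgo None: packets are not authenticated"))
        elif algo == "MD5":
            findings.append((t.name, "authalgo MD5: prefer SHA1, the strongest option listed"))
        if t.type == "Auto" and cfg.get("opmode") == "Aggr":
            findings.append((t.name, "IKE aggressive mode: identities sent in clear; use Main"))
    # Overlapping remote subnets make it ambiguous which tunnel carries the traffic.
    for i, a in enumerate(tunnels):
        for b in tunnels[i + 1:]:
            if a.remote_net.overlaps(b.remote_net):
                findings.append((a.name, f"remote subnet overlaps tunnel {b.name}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_tunnel_list(SAMPLE_LIST_OUTPUT), SAMPLE_SETTINGS):
        print(f"{name}: {finding}")
```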
AP4700>admin(network.wan.content)>
Displays the Outbound Content Filtering menu. The items available under this command include:
    addcmd  Adds control commands to block outbound traffic.
    delcmd  Deletes control commands to block outbound traffic.
    list    Lists application control commands.
    ..      Goes to the parent menu.
    /       Goes to the root menu.
    save    Saves the configuration to system flash.
    quit    Quits the CLI.
AP4700>admin(network.wan.content)>addcmd
Adds control commands to block outbound traffic.
Syntax
addcmd
    web      Adds WEB commands to block outbound traffic.
    proxy    Adds a Web proxy command.
    activex  Adds activex files.
    file     Adds Web URL extensions (10 files maximum).
    smtp     Adds SMTP commands to block outbound traffic.
AP4700>admin(network.wan.content)>delcmd
Deletes control commands to block outbound traffic.
Syntax
delcmd
    web      Deletes WEB commands to block outbound traffic.
    proxy    Deletes a Web proxy command.
    activex  Deletes activex files.
    file     Deletes Web URL extensions (10 files maximum).
    smtp     Deletes SMTP commands to block outbound traffic.
AP4700>admin(network.wan.content)>list
Lists application control commands.
Syntax
list
    web   Lists WEB application control record.
    smtp  Lists SMTP application control record.
    ftp   Lists FTP application control record.
Example
admin(network.wan.content)>list web
HTTP Files/Commands
Web Proxy : deny
ActiveX   : allow
filename  :
admin(network.wan.
Network WAN, Dynamic DNS Commands
AP4700>admin(network.wan.dyndns)>
Displays the Dynamic DNS submenu. The items available under this command include:
    set     : set dyndns parameters
    update  : manual dyndns update
    show    : show dyndns parameters
    save    : save cfg to system flash
    quit    : quit cli
    ..      : go to parent menu
    /       : go to root menu
For an overview of the Dynamic DNS options available using the applet (GUI), see “Configuring Dynamic DNS” on page 145.
AP4700>admin(network.wan.dyndns)>set
Sets the access point’s Dynamic DNS configuration.
Syntax
set
    mode enable/disable  Enables or disables the Dynamic DNS service for the access point.
    username             Enter a 1–32 character username for the account used for the access point.
    password             Enter a 1–32 character password for the account used for the access point.
    hostname             Enter a 1–32 character hostname for the account used for the access point.
Example
admin(network.wan.
AP4700>admin(network.wan.dyndns)>update
Updates the access point’s current WAN IP address with the DynDNS service.
Syntax
    update  Updates the access point’s current WAN IP address with the DynDNS service.
Example
admin(network.wan.dyndns)>update
IP Address : 157.235.91.231
Hostname   : greengiant
For an overview of the Dynamic DNS options available using the applet (GUI), see “Configuring Dynamic DNS” on page 145.
AP4700>admin(network.wan.dyndns)>show
Shows the current Dynamic DNS configuration.
Syntax
    show  Shows the access point’s current Dynamic DNS configuration.
Example
admin(network.wan.dyndns)>show
DynDNS Configuration
Mode     : enable
Username : percival
Password : ********
Hostname : greengiant
DynDNS Update Response
IP Address : 157.235.91.231
Hostname   : greengiant
Status     : OK
For an overview of the Dynamic DNS options available using the applet (GUI), see “Configuring Dynamic DNS” on page 145.
Network Wireless Commands
AP4700>admin(network.wireless)>
Displays the access point wireless submenu. The items available under this command include:
    set   Sets the access point’s wireless (proxy arp) configuration.
    show  Displays the access point’s wireless (proxy arp) configuration.
    wlan  Displays the WLAN submenu used to create and configure up to 16 WLANs per access point.
AP4700>admin(network.wireless)>set
Sets the access point’s wireless (proxy arp) configuration.
Syntax
    set proxy-arp enable/disable  Enables/disables proxy-arp support.
Example
admin(network.wireless)>set proxy-arp enable
For information on configuring proxy arp support using the applet (GUI), see “Enabling Wireless LANs (WLANs)” on page 146.
AP4700>admin(network.wireless)>show
Displays the access point’s wireless (proxy arp) configuration.
Syntax
    show  Displays the access point’s wireless (proxy arp) configuration.
Example
admin(network.wireless)>show
Proxy ARP : dynamic
For information on configuring proxy arp support using the applet (GUI), see “Enabling Wireless LANs (WLANs)” on page 146.
Network WLAN Commands
AP4700>admin(network.wireless.wlan)>
Displays the access point wireless LAN (WLAN) submenu. The items available under this command include:
    show       Displays the access point’s current WLAN configuration.
    create     Defines the parameters of a new WLAN.
    edit       Modifies the properties of an existing WLAN.
    delete     Deletes an existing WLAN.
    hotspot    Displays the WLAN hotspot menu.
    ipfpolicy  Goes to the WLAN IP Filter Policy menu.
    ..         Goes to the parent menu.
    /          Goes to the root menu.
AP4700>admin(network.wireless.wlan)>show
Displays the access point’s current WLAN configuration.
Syntax
show
    summary  Displays the current configuration for existing WLANs.
    wlan     Displays the configuration for the requested WLAN (WLAN 1 through 16).
Example
admin(network.wireless.wlan)>show summary
WLAN1
WLAN Name ESSID Radio Band(s) VLAN Security Policy QoS Policy Rate Limiting : : : : : : : Lobby 101 2.4 and 5.0 GHz Default Default disabled
admin(network.wireless.
AP4700>admin(network.wireless.wlan)>create
Defines the parameters of a new WLAN.
Syntax
create
    show wlan  Displays newly created WLAN and policy number.
    set
        ess        Defines the ESSID for a target WLAN.
        wlan-name  Determines the name of this particular WLAN (1-32).
        5.0GHz     Enables or disables access to the access point 5.0 GHz radio.
        2.4Ghz     Enables or disables access to the access point 2.4 GHz radio.
Client Bridge Mesh Backhaul       : not available
Hotspot                           : not available
Maximum MUs                       : 127
MU Idle Timeout                   : 30
Security Policy                   : Default
MU Access Control                 : Default
Kerberos User Name                :
Kerberos Password                 : ********
disallow MU to MU                 : disable
Use Secure Beacon                 : disable
answer Broadcast ess              : disable
QoS Policy                        : Default
per-mu rate limiting              : disabled
per-mu rate limit (wired-to-wl)   : 1000 kb
per-mu rate limit (wl-to-wired)   : 1000 kb
admin(network.wireless.wlan.
AP4700>admin(network.wireless.wlan)>edit
Edits the properties of an existing WLAN policy.
Syntax
    edit    Edits the properties of an existing (and specified) WLAN policy (1-16).
    show    Displays the WLAN’s parameters and summary.
    set     Edits the same WLAN parameters that can be modified using the create command.
    change  Completes the WLAN edits and exits the CLI session.
    ..      Cancel the WLAN edits and exit the CLI session.
AP4700>admin(network.wireless.wlan)>delete
Deletes an existing WLAN.
Syntax
delete
    Deletes a target WLAN using the name supplied.
    all  Deletes all WLANs defined (except default WLAN).
For information on deleting a WLAN using the applet (GUI), see “Creating/Editing Individual WLANs” on page 148.
AP4700>admin(network.wireless.wlan.hotspot)>
Displays the Hotspot submenu. The items available under this command include:
    show         Show hotspot parameters.
    redirection  Goes to the hotspot redirection menu.
    radius       Goes to the hotspot RADIUS menu.
    white-list   Goes to the hotspot white-list menu.
    set          Sets the WLAN’s hotspot configuration.
    hs_import    Imports hotspot configuration files from a dedicated server.
    hs_export    Exports hotspot configuration files to a dedicated server.
AP4700>admin(network.wireless.wlan.hotspot)>show
Displays the current access point Rogue AP detection configuration.
Syntax
    show hotspot  Shows hotspot parameters per wlan index (1-16).
Example
admin(network.wireless.wlan.hotspot)>show hotspot 1
WLAN1
Hotspot Mode Hotspot Page Location External Login URL External Welcome URL External Fail URL : enable : default : www.sjsharkey.
AP4700>admin(network.wireless.wlan.hotspot)>redirection
Goes to the hotspot redirection menu.
Syntax
redirection
    set   Sets the hotspot http-re-direction by index (1-16) for the specified URL. Shows hotspot http-redirection details for specified index (1-16) for specified page (login, welcome, fail) and target URL.
    show  Shows hotspot http-redirection details.
    save  Saves the updated hotspot configuration to flash memory.
    quit  Quits the CLI session.
    ..    Goes to the parent menu.
AP4700>admin(network.wireless.wlan.hotspot)>radius
Goes to the hotspot RADIUS menu.
Syntax
    set   Sets the RADIUS hotspot configuration.
    show  Shows RADIUS hotspot server details.
    save  Saves the configuration to system flash.
    quit  Quits the CLI.
    ..    Goes to the parent menu.
    /     Goes to the root menu.
For information on configuring the Hotspot options available to the access point using the applet (GUI), see “Configuring WLAN Hotspot Support” on page 160.
AP4700>admin(network.wireless.wlan.hotspot.radius)>set
Sets the RADIUS hotspot configuration.
Syntax
set
    server  Sets the RADIUS hotspot server IP address per wlan index (1-16).
    port    Sets the RADIUS hotspot server port per wlan index (1-16).
    secret  Sets the RADIUS hotspot server shared secret password.
AP4700>admin(network.wireless.wlan.hotspot.radius)>show
Shows RADIUS hotspot server details.
Syntax
    show radius  Displays RADIUS hotspot server details per index (1-16).
Example
admin(network.wireless.wlan.hotspot.radius)>show radius 1
WLAN 1
Hotspot Mode            : enable
Primary Server Ip adr   : 157.235.12.12
Primary Server Port     : 1812
Primary Server Secret   : ******
Secondary Server Ip adr : 0.0.0.
AP4700>admin(network.wireless.wlan.hotspot)>white-list
Goes to the hotspot white-list menu.
Syntax
white-list
    add    Adds hotspot whitelist rules by index (1-16) for specified IP address.
    clear  Clears hotspot whitelist rules for specified index (1-16).
    show   Shows hotspot whitelist rules for specified index (1-16).
    save   Saves the updated hotspot configuration to flash memory.
    quit   Quits the CLI session.
    ..     Goes to the parent menu.
    /      Goes to the root menu.
Example
admin(network.wireless.
AP4700>admin(network.wireless.wlan.hotspot)>set
Goes to the hotspot white-list menu.
Syntax
set
    file  Sets the hotspot customized file name(s) for the specified WLAN index <idx>. There’s a maximum of 10 files and file names should be separated by a space.
    path  Sets the 0 to 39 character path name used to route imported and exported hotspot files.
AP4700>admin(network.wireless.wlan.hotspot)>hs_import Imports hotspot configuration parameters for a specified WLAN index . Syntax hs_import Imports hotspot configuration parameters for a specified WLAN index (1-16). Example admin(network.wireless.wlan.
AP4700>admin(network.wireless.wlan.hotspot)>hs_export
Exports hotspot configuration parameters for a specified WLAN index .
Syntax
    hs_export  Exports hotspot configuration parameters for a specified WLAN index (1-16).
Example
admin(network.wireless.wlan.
AP4700>admin(network.wireless.wlan.hotspot)>default Restores default hotspot files to a specified WLAN index . Syntax default Restores default hotspot files to a specified WLAN index . Example admin(network.wireless.wlan.hotspot)>default 2 For information on configuring the Hotspot options available to the access point using the applet (GUI), see “Configuring WLAN Hotspot Support” on page 160.
AP4700>admin(network.wireless.wlan.hotspot)>delete
Deletes hotspot files from a specified WLAN index .
Syntax
    delete  Deletes hotspot files from a specified WLAN index .
Example
admin(network.wireless.wlan.hotspot)>delete 2
Warning: This will delete all the files from the corresponding directory.
For information on configuring the Hotspot options available to the access point using the applet (GUI), see “Configuring WLAN Hotspot Support” on page 160.
Network Security Commands
AP4700>admin(network.wireless.security)>
Displays the access point wireless security submenu. The items available under this command include:
    show    Displays the access point’s current security configuration.
    set     Enables/disables the WPA countermeasure.
    create  Creates a security policy.
    edit    Edits the properties of an existing security policy.
    delete  Removes a specific security policy.
    ..      Goes to the parent menu.
    /       Goes to the root menu.
AP4700>admin(network.wireless.security)>show
Displays the access point’s current security configuration.
Syntax
show
    summary  Displays list of existing security policies (1-16).
    policy   Displays the specified security policy .
Example
admin(network.wireless.
AP4700>admin(network.wireless.security)>set
Enables/disables the WPA countermeasure.
Syntax
    set  Enables/disables WPA countermeasures.
Example
admin(network.wireless.security)>set wpa-countermeasure enable
admin(network.wireless.
AP4700>admin(network.wireless.security)>create
Defines the parameters of access point security policies.
Syntax
    create  Defines the parameters of a security policy.
    show    Displays new or existing security policy parameters.
    set
        secname  Sets the name of the security policy.
        auth     Sets the authentication type for WLAN to (none, eap, or kerberos).
adv secret Set external RADIUS server shared secret password. timeout Defines MU timeout period in seconds (1-255). retry Sets the maximum number of MU retries to (1-10). syslog Enable or disable syslog messages. ip Defines syslog server IP address. mu-quiet
tkip rotate-mode Enables or disables the broadcast key. interval Sets the broadcast key rotation interval to in seconds (300-604800). allow-wpa2tkip Enables or disables the interoperation with wpa2-tkip clients. preauth Enables or disables preauthentication (fast roaming). opp-pmkcaching ccmp Enables or disables opportunistic PMK. ptk-timeout Sets the PTK timeout in milliseconds (1-100).
AP4700>admin(network.wireless.security.edit)> Edits the properties of a specific security policy. Syntax show Displays the new or modified security policy parameters. set Edits security policy parameters. The values subject to modification are the same ones created using the “AP4700>admin(network.wireless.security)>create” command. change Completes policy changes and exits the session. .. Cancels the changes made and exits the session. Example admin(network.wireless.
CLI Reference AP4700>admin(network.wireless.security)>delete Deletes a specific security policy. Syntax delete Removes the specified security policy from the list of supported policies. Removes all security policies except the default policy. For information on configuring the encryption and authentication options available to the access point using the applet (GUI), see “Configuring Security Options” on page 197.
Network ACL Commands AP4700>admin(network.wireless.acl)> Displays the access point Mobile Unit Access Control List (ACL) submenu. The items available under this command include: show Displays the access point’s current ACL configuration. create Creates an MU ACL policy. edit Edits the properties of an existing MU ACL policy. delete Removes an MU ACL policy. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI.
AP4700>admin(network.wireless.acl)>show Displays the access point’s current ACL configuration. Syntax show summary Displays the list of existing MU ACL policies. policy Displays the requested MU ACL index policy. Example admin(network.wireless.
AP4700>admin(network.wireless.acl)>create Creates an MU ACL policy. Syntax create show set Displays the parameters of a new ACL policy. acl-name Sets the MU ACL policy name. mode Sets the ACL mode for the defined index (1-16). Allowed MUs can access the access point managed LAN. Options are deny and allow. add-addr or delete Adds specified MAC address to list of ACL MAC addresses.
CLI Reference AP4700>admin(network.wireless.acl.edit)> Edits the properties of an existing MU ACL policy. Syntax show Displays MU ACL policy and its parameters. set Modifies the properties of an existing MU ACL policy. add-addr Adds an MU ACL table entry. delete Deletes an MU ACL table entry, including starting and ending MAC address ranges. change Completes the changes made and exits the session. .. Cancels the changes made and exits the session.
AP4700>admin(network.wireless.acl)>delete Removes an MU ACL policy. Syntax delete Deletes a particular MU ACL policy. all Deletes all MU ACL policies. For information on configuring the ACL options available to the access point using the applet (GUI), see “Configuring a WLAN Access Control List (ACL)” on page 153.
CLI Reference Network Radio Configuration Commands AP4700>admin(network.wireless.radio)> Displays the access point Radio submenu. The items available under this command include: show Summarizes access point radio parameters at a high-level. set Defines the access point radio configuration. radio1 Displays the 2.4 GHz radio submenu. radio2 Displays the 5.0 GHz radio submenu. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI.
AP4700>admin(network.wireless.radio)>show Displays the access point’s current radio configuration. Syntax show Displays the access point’s current radio configuration. Example admin(network.wireless.radio)>show Radio Configuration Radio 1 Name Radio Mode Radio Function RF Band of Operation Maximum MUs : : : : : Radio 1 enable WLAN 802.11n(2.
CLI Reference For information on configuring the Radio Configuration options available to the access point using the applet (GUI), see “Setting the WLAN’s Radio Configuration” on page 169.
AP4700>admin(network.wireless.radio)>set Sets the access point’s radio configuration and defines the RF band of operation. Syntax set radio-config Sets the radio configuration. The options available differ depending on the single, dual or three radio configuration deployed (see examples below). max-mus > Defines the maximum number of MUs assigned to the specified radio (idx 1 or 2). The range can be defined between 0 and 127. This command does not apply to single radio access points.
7 Radio 1 Disabled, Radio 2 WLAN, Radio 3 Disabled
8 Radio 1 Disabled, Radio 2 Disabled, Radio 3 Disabled
Two Radio SKU set radio-config
1 Radio 1 WLAN, Radio 2 WIPS
2 Radio 1 WIPS, Radio 2 WLAN
3 Radio 1 WLAN, Radio 2 WLAN
4 Radio 1 WIPS, Radio 2 WIPS
5 Radio 1 WLAN, Radio 2 Disabled
6 Radio 1 Disabled, Radio 2 WLAN
7 Radio 1 Disabled, Radio 2 Disabled
Single Radio SKU set r
1 Radio 1 WIPS
2 Radio 1 WLAN (B/G/N)
3 Radio 1 WLAN (A/N)
4 Radio 1 Disabled
AP4700>admin(network.wireless.radio.802-11n[2.4 GHz])> Displays a specific 802.11n 2.4 GHz radio 1 submenu. The items available under this command include: Syntax show set delete advanced mesh .. / save quit : : : : : : : : : : : : show 802.11n radio parameters set 802.11n radio parameters delete 802.
CLI Reference AP4700>admin(network.wireless.radio.802-11n[2.4 GHz])>show Displays specific 802.11n (2.4 GHz) radio settings. Syntax show radio Displays specific 802.11n (2.4 GHz) radio settings. rates Displays specific 802.11n (2.4 GHz) radio rate settings. aggr Displays specific 802.11n (2.4 GHz) aggregation settings. qos Displays specific 802.11n (2.4 GHz) radio WMM QoS settings. Example admin(network.wireless.radio.802-11n[2.
4 Supported 39.0 Mbps 81.0 Mbps
5 Supported 52.0 Mbps 108.0 Mbps
6 Supported 58.5 Mbps 121.5 Mbps
7 Supported 65.0 Mbps 135.0 Mbps
8 Supported 13.0 Mbps 27.0 Mbps
9 Supported 26.0 Mbps 54.0 Mbps
10 Supported 39.0 Mbps 81.0 Mbps
11 Supported 52.0 Mbps 108.0 Mbps
12 Supported 78.0 Mbps 162.0 Mbps
13 Supported 104.0 Mbps 216.0 Mbps
14 Supported 117.0 Mbps 243.0 Mbps
15 Supported 130.0 Mbps 270.0 Mbps
admin(network.wireless.radio.802-11n[2.4 GHz])> admin(network.wireless.radio.802-11n[2.
CLI Reference AP4700>admin(network.wireless.radio.802-11n[2.4 GHz])>set Defines specific 802.11n (2.4 GHz) radio parameters. Syntax set placement Defines the access point radio placement as indoors or outdoors. ch-mode Determines how the radio channel is selected (user, auto-20 or auto-40). channel Defines the radio channel used. Channel allowed depends on actual country of operation. power Defines the antenna power transmit level. Depends on radio type, channel and country.
CLI Reference AP4700>admin(network.wireless.radio.802-11n[2.4 GHz].advanced)> Displays the advanced submenu for the 802.11n (2.4 GHz) radio. The items available under this command include: Syntax show Displays advanced radio settings for the 802.11n (2.4 GHz) radio. set Defines advanced parameters for the 802.11n (2.4 GHz) radio. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI.
AP4700>admin(network.wireless.radio.802-11n[2.4 GHz].advanced)> show Displays the BSSID to WLAN mapping for the 802.11n (2.4 GHz) radio. Syntax show advanced Displays advanced settings for the 802.11n (2.4 GHz) radio. wlan Displays WLAN summary list for the 802.11n (2.4 GHz) radio. Example admin(network.wireless.radio.802-11n[2.4 GHz].
CLI Reference AP4700>admin(network.wireless.radio.802-11n[2.4 GHz].advanced)>set Defines advanced parameters for the target 802.11n (2.4 GHz) radio. Syntax set wlan Defines advanced WLAN to BSSID mapping for the target radio. bss Sets the BSSID to primary WLAN definition. Example admin(network.wireless.radio.802-11n[2.4 GHz].advanced)>set wlan demoroom 1 admin(network.wireless.radio.802-11n[2.4 GHz].
AP4700>admin(network.wireless.radio.802-11n[2.4 GHz].mesh)> Displays the mesh configuration submenu for the 802.11n (2.4 GHz) radio. The items available under this command include: Syntax show Displays mesh settings and status for the 802.11n (2.4 GHz) radio. set Defines mesh parameters for the 802.11n (2.4 GHz) radio. add Adds a 802.11n (2.4 GHz) radio mesh connection. delete Deletes a 802.11n (2.4 GHz) radio mesh connection. .. Goes to the parent menu. / Goes to the root menu.
CLI Reference AP4700>admin(network.wireless.radio.802-11n[2.4 GHz].mesh)>show Displays mesh settings and status for the 802.11n (2.4 GHz) radio. Syntax show config Displays the connection list configuration. status Shows the available mesh connection status. Example admin(network.wireless.radio.802-11n[2.4 GHz].mesh)>show config Mesh Connection Auto Select : enable admin(network.wireless.radio.802-11n[2.4 GHz].
AP4700>admin(network.wireless.radio.802-11n[2.4 GHz].mesh)>set Defines mesh parameters for the 802.11n (2.4 GHz) radio. Syntax set Enables or disables auto select mesh connections. Example admin(network.wireless.radio.802-11n[2.4 GHz].mesh)>set auto-select enable admin(network.wireless.radio.802-11n[2.4 GHz].
CLI Reference AP4700>admin(network.wireless.radio.802-11n[2.4 GHz].mesh)>add Adds a 802.11n (2.4 GHz) radio mesh connection. Syntax add Defines the connection priority (1-16). Sets the access point MAC address. Example admin(network.wireless.radio.802-11n[2.4 GHz].
AP4700>admin(network.wireless.radio.802-11n[2.4 GHz].mesh)>delete Deletes a 802.11n (2.4 GHz) radio mesh connection by specified index or by removing all entries. Syntax delete Deletes a mesh connection by specified index (1-16). Removes all mesh connections. Example admin(network.wireless.radio.802-11n[2.4 GHz].
CLI Reference AP4700>admin(network.wireless.radio.802-11n[5.0 GHz])> Displays a specific 802.11n (5.0 GHz) radio 2 submenu. The items available under this command include: Syntax show set delete advanced mesh .. / save quit : : : : : : : : : : : : show 802.11n radio parameters set 802.11n radio parameters delete 802.
AP4700>admin(network.wireless.radio.802-11n[5.0 GHz])>show Displays specific 802.11n (5.0 GHz) radio settings. Syntax show radio Displays specific 802.11n (5.0 GHz) radio settings. rates Displays specific 802.11n (5.0 GHz) radio rate settings. aggr Displays specific 802.11n (5.0 GHz) aggregation settings. qos Displays specific 802.11n (5.0 GHz) radio WMM QoS settings. Example admin(network.wireless.radio.802-11n[5.
8 Supported 13.0 Mbps 27.0 Mbps
9 Supported 26.0 Mbps 54.0 Mbps
10 Supported 39.0 Mbps 81.0 Mbps
11 Supported 52.0 Mbps 108.0 Mbps
12 Supported 78.0 Mbps 162.0 Mbps
13 Supported 104.0 Mbps 216.0 Mbps
14 Supported 117.0 Mbps 243.0 Mbps
15 Supported 130.0 Mbps 270.0 Mbps
admin(network.wireless.radio.802-11n[5.0 GHz])> admin(network.wireless.radio.802-11n[5.
AP4700>admin(network.wireless.radio.802-11n[5.0 GHz])>set Defines specific 802.11n (5.0 GHz) radio parameters. Syntax set placement Defines the access point radio placement as indoors or outdoors. ch-mode Determines how the radio channel is selected. channel Defines the actual channel used by the radio. Channel allowed depends on actual country of operation. power Defines the antenna power transmit level. Depends on radio type, channel and country.
AP4700>admin(network.wireless.radio.802-11n[5.0 GHz].advanced)> Displays the advanced submenu for the 802.11n (5.0 GHz) radio. The items available under this command include: Syntax show Displays advanced radio settings for the 802.11n (5.0 GHz) radio. set Defines advanced parameters for the 802.11n (5.0 GHz) radio. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI.
CLI Reference AP4700>admin(network.wireless.radio.802-11n[5.0 GHz].advanced)> show Displays the BSSID to WLAN mapping for the 802.11n (5.0 GHz) radio. Syntax show advanced Displays advanced settings for the 802.11n (5.0 GHz) radio. wlan Displays WLAN summary list for 802.11n (5.0 GHz) radio. Example admin(network.wireless.radio.802-11n[5.0 GHz].
AP4700>admin(network.wireless.radio.802-11n[5.0 GHz].advanced)> set Defines advanced parameters for the target 802.11n (5.0 GHz) radio. Syntax set wlan Defines advanced WLAN to BSSID mapping for the target 5.0 GHz radio. bss Sets the BSSID to primary WLAN definition. Example admin(network.wireless.radio.802-11n[5.0 GHz].advanced)>set wlan demoroom 1 admin(network.wireless.radio.802-11n[5.0 GHz].
CLI Reference AP4700>admin(network.wireless.radio.802-11n[5.0 GHz].mesh)> Displays the mesh configuration submenu for the 802.11n (5.0 GHz) radio. The items available under this command include: Syntax show Displays mesh settings and status for the 802.11n (5.0 GHz) radio. set Defines mesh parameters for the 802.11n (5.0 GHz) radio. add Adds a 802.11n (5.0 GHz) radio mesh connection. delete Deletes a 802.11n (5.0 GHz) radio mesh connection. .. Goes to the parent menu. / Goes to the root menu.
AP4700>admin(network.wireless.radio.802-11n[5.0 GHz].mesh)>show Displays mesh settings and status for the 802.11n (5.0 GHz) radio. Syntax show config Displays the connection list configuration. status Shows the available mesh connection status. Example admin(network.wireless.radio.802-11n[5.0 GHz].mesh)>show config Mesh Connection Auto Select : enable admin(network.wireless.radio.802-11n[5.0 GHz].
CLI Reference AP4700>admin(network.wireless.radio.802-11n[5.0 GHz].mesh)>set Defines mesh parameters for the 802.11n (5.0 GHz) radio. Syntax set Enables or disables auto select mesh connections. Example admin(network.wireless.radio.802-11n[5.0 GHz].mesh)>set auto-select enable admin(network.wireless.radio.802-11n[5.0 GHz].
AP4700>admin(network.wireless.radio.802-11n[5.0 GHz].mesh)>add Adds a 802.11n (5.0 GHz) radio mesh connection. Syntax add Defines the connection priority (1-16). Sets the access point MAC address. Example admin(network.wireless.radio.802-11n[5.0 GHz].
CLI Reference AP4700>admin(network.wireless.radio.802-11n[5.0 GHz].mesh)>delete Deletes a 802.11n (5.0 GHz) radio mesh connection by specified index or by removing all entries. Syntax delete Deletes a mesh connection by specified index (1-16). Removes all mesh connections. Example admin(network.wireless.radio.802-11n[5.0 GHz].
Network Quality of Service (QoS) Commands AP4700>admin(network.wireless.qos)> Displays the access point Quality of Service (QoS) submenu. The items available under this command include: show Displays access point QoS policy information. create Defines the parameters of the QoS policy. edit Edits the settings of an existing QoS policy. delete Removes an existing QoS policy. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI.
AP4700>admin(network.wireless.qos)>show Displays the access point’s current QoS policy by summary or individual policy. Syntax show summary Displays all existing QoS policies that have been defined. policy Displays the configuration for the requested QoS policy. Example admin(network.wireless.
AP4700>admin(network.wireless.qos.create)> Defines an access point QoS policy. Syntax show set Displays QoS policy parameters. qos-name Sets the QoS name for the specified index entry. vop Enables or disables support (by index) for legacy VOIP devices. mcast Defines primary and secondary Multicast MAC address. wmm-qos Enables or disables the QoS policy index specified. param-set Defines the data type used with the qos policy and mesh network.
CLI Reference AP4700>admin(network.wireless.qos.edit)> Edits the properties of an existing QoS policy. Syntax show set Displays QoS policy parameters. qos-name Sets the QoS name for the specified index entry. vop Enables or disables support (by index) for legacy VOIP devices. mcast Defines primary and secondary Multicast MAC address. wmm-qos Enables or disables the QoS policy index specified.
AP4700>admin(network.wireless.qos)>delete Removes a QoS policy. Syntax delete Deletes the specified QoS policy index, or all of the policies (except default policy). For information on configuring the WLAN QoS options available to the access point using the applet (GUI), see “Setting the WLAN Quality of Service (QoS) Policy” on page 156.
CLI Reference Network Rate Limiting Commands AP4700>admin(network.wireless.rate-limiting)> Displays the access point Rate Limiting submenu. The items available under this command include: show Displays Rate Limiting information for how data is processed by the access point. set Defines Rate Limiting parameters for the access point. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI.
AP4700>admin(network.wireless.rate-limiting)>show Displays the access point’s current Rate Limiting configuration. Syntax show summary Displays the current Rate Limiting configuration for defined WLANs. wlan Example admin(network.wireless.rate-limiting>show summary Per MU Rate Limiting : disable admin(network.wireless.rate-limiting)>show wlan WLAN 1 WLAN Name ESSID Radio Band(s) VLAN Security Policy QoS Policy Rate Limiting WLAN1 101 2.4 and 5.
CLI Reference AP4700>admin(network.wireless.rate-limiting)>set Defines the access point Rate Limiting configuration. Syntax set mode Enables or disables Rate Limiting. For information on configuring the Rate Limiting options available to the access point using the applet (GUI), see “Configuring MU Rate Limiting” on page 184.
Network Rogue-AP Commands AP4700>admin(network.wireless.rogue-ap)> Displays the Rogue AP submenu. The items available under this command include: show Displays the current access point Rogue AP detection configuration. set Defines the Rogue AP detection method. mu-scan Goes to the Rogue AP mu-scan submenu. allowed-list Goes to the Rogue AP Allowed List submenu. active-list Goes to the Rogue AP Active List submenu. rogue-list Goes to the Rogue AP List submenu. .. Goes to the parent menu.
CLI Reference AP4700>admin(network.wireless.rogue-ap)>show Displays the current access point Rogue AP detection configuration. Syntax show Displays the current access point Rogue AP detection configuration. Example admin(network.wireless.
AP4700>admin(network.wireless.rogue-ap)>set Defines the access point ACL rogue AP method. Syntax set mu-scan interval on-channel detector-scan ABG-scan : : : : : : : : : : : extreme networks-ap applst-ageout roglst-ageout enable/disable MU Scan set MU Scan interval enable/disable On Channel Detection enable/disable AP Detector Scan enable/disable Detector Scan on Both Bands (2.4 & 5.
CLI Reference AP4700>admin(network.wireless.rogue-ap.mu-scan)> Displays the Rogue-AP mu-scan submenu. Syntax add Add all or just one scan result to Allowed AP list. show Displays all APs located by the MU scan. start The access point initiates an immediate scan for known and associated MUs. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI.
AP4700>admin(network.wireless.rogue-ap.mu-scan)>start Initiates an MU scan from a user provided MAC address. Syntax start Initiates MU scan from user provided MAC address. For information on configuring the Rogue AP options available to the access point using the applet (GUI), see “Configuring Rogue AP Detection” on page 243.
CLI Reference AP4700>admin(network.wireless.rogue-ap.mu-scan)>show Displays the results of an MU scan. Syntax show Displays all APs located by the MU scan. For information on configuring the Rogue AP options available to the access point using the applet (GUI), see “Configuring Rogue AP Detection” on page 243.
AP4700>admin(network.wireless.rogue-ap.allowed-list)> Displays the Rogue-AP allowed-list submenu. show Displays the rogue AP allowed list add Adds an AP MAC address and ESSID to the allowed list. delete Deletes an entry or all entries from the allowed list. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI.
CLI Reference AP4700>admin(network.wireless.rogue-ap.allowed-list)>show Displays the Rogue AP allowed List. Syntax show Displays the rogue-AP allowed list. Example admin(network.wireless.rogue-ap.
AP4700>admin(network.wireless.rogue-ap.allowed-list)>add Adds an AP MAC address and ESSID to existing allowed list. Syntax add Adds an AP MAC address and ESSID to existing allowed list. “fffffffffffffffff” means any MAC. Use a “*” for any ESSID. Example admin(network.wireless.rogue-ap.allowed-list)>add 00A0F83161BB 103 admin(network.wireless.rogue-ap.
AP4700>admin(network.wireless.rogue-ap.allowed-list)>delete Deletes an AP MAC address and ESSID from the existing allowed list. Syntax delete (1-50) Deletes an AP MAC address and ESSID (or all addresses) from the allowed list. For information on configuring the Rogue AP options available to the access point using the applet (GUI), see “Configuring Rogue AP Detection” on page 243.
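Added example (not from the Extreme Networks guide): a Python model of the allowed-list wildcards described for the add command above, used offline to see which scanned APs an allowed list would accept and which entries are broad enough to deserve review. The matching logic, the treatment of any all-f value as the MAC wildcard, all function names, and the sample data other than the guide's own `00A0F83161BB 103` entry are assumptions.

```python
"""Model the Rogue AP allowed list (MAC + ESSID entries with wildcards)."""
import re
from dataclasses import dataclass
from typing import Optional

MAX_ENTRIES = 50   # the guide's delete command takes an index of 1-50
_RANK = {"exact": 0, "any-mac": 1, "any-essid": 1, "any-ap": 2}

# Constructed allowed list, written as the arguments of "add".
# The first entry is the guide's own example; the other two are made up.
SAMPLE_ALLOWED = """\
00A0F83161BB 103
ffffffffffff corp-wlan
020000000001 *
"""

# Constructed scan results: (AP MAC, ESSID).
SAMPLE_SCAN = [
    ("00:A0:F8:31:61:BB", "103"),
    ("02:00:00:00:00:99", "corp-wlan"),
    ("02:00:00:00:00:01", "guest"),
    ("02:00:00:00:00:42", "103"),
]


def _hex_digits(text):
    return re.sub(r"[:\-.\s]", "", text).lower()


def normalize_mac(text):
    """Return the MAC as 12 lowercase hex digits or raise ValueError."""
    digits = _hex_digits(text)
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def is_any_mac(text):
    """Assumption: a value made only of 'f' digits is the any-MAC wildcard."""
    digits = _hex_digits(text)
    return len(digits) >= 12 and set(digits) == {"f"}


@dataclass(frozen=True)
class AllowedEntry:
    index: int
    mac: Optional[str]     # None means any MAC
    essid: Optional[str]   # None means any ESSID ("*")

    @property
    def breadth(self):
        if self.mac is None and self.essid is None:
            return "any-ap"
        if self.mac is None:
            return "any-mac"
        if self.essid is None:
            return "any-essid"
        return "exact"

    def matches(self, mac, essid):
        return (self.mac in (None, normalize_mac(mac))
                and self.essid in (None, essid))


def parse_allowed_list(text):
    """Parse 'MAC ESSID' lines into numbered AllowedEntry objects."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mac, essid = line.split(None, 1)
        essid = essid.strip()
        entries.append(AllowedEntry(
            index=len(entries) + 1,
            mac=None if is_any_mac(mac) else normalize_mac(mac),
            essid=None if essid == "*" else essid))
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"more than {MAX_ENTRIES} allowed-list entries")
    return entries


def classify(mac, essid, entries):
    """Return (verdict, matching index), preferring the narrowest entry."""
    hits = [e for e in entries if e.matches(mac, essid)]
    if not hits:
        return ("rogue", None)
    best = min(hits, key=lambda e: (_RANK[e.breadth], e.index))
    verdict = "allowed" if best.breadth == "exact" else "allowed-by-wildcard"
    return (verdict, best.index)


def overbroad_entries(entries):
    """List (index, breadth) for every entry that uses a wildcard."""
    return [(e.index, e.breadth) for e in entries if e.breadth != "exact"]


if __name__ == "__main__":
    allowed = parse_allowed_list(SAMPLE_ALLOWED)
    for ap_mac, ap_essid in SAMPLE_SCAN:
        print(ap_mac, ap_essid, classify(ap_mac, ap_essid, allowed))
    print("review:", overbroad_entries(allowed))
```

Wildcard entries are the ones to review first: in the sample, entry 2 accepts any AP advertising that ESSID whatever its MAC, so such an AP is never reported as rogue.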
WIPS Commands AP4700>admin(network.wireless.wips)> Displays the WIPS submenu. The items available under this command include: show Displays the current WLAN Intrusion Prevention configuration. set Sets WLAN Intrusion Prevention parameters. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI.
CLI Reference AP4700>admin(network.wireless.wips)>show Shows the WLAN Intrusion Prevention configuration. Syntax show Displays the existing Wireless Intrusion Protection System (WIPS) configuration. Example admin(network.wireless.wips>show WIPS Server #1 IP Address : 192.168.0.21 WIPS Server #2 IP Address : 10.1.1.1 admin(network.wireless.
AP4700>admin(network.wireless.wips)>set Sets the WLAN Intrusion Prevention configuration. Syntax set Defines the WLAN Intrusion Prevention Server IP Address (for server IPs 1 and 2). Example admin(network.wireless.wips)>set server 1 192.168.0.21 admin(network.wireless.
CLI Reference Network MU Locationing Commands AP4700>admin(network.wireless.mu-locationing)> Displays the MU Locationing submenu. The items available under this command include: show Displays the current MU Locationing configuration. set Defines MU Locationing parameters. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI.
AP4700>admin(network.wireless.mu-locationing)>show Displays the MU probe table configuration. Syntax show Displays the MU locationing probe table configuration. Example admin(network.wireless.mu-locationing)>show
MU Probe Table Mode : disable
MU Probe Table Size : 200
admin(network.wireless.
AP4700>admin(network.wireless.mu-locationing)>set Defines the MU probe table configuration used for locating MUs. Syntax set Defines the MU probe table configuration. mode Enables/disables MU locationing. size Defines the number of MUs in the locationing table (the maximum allowed is 200). Example admin(network.wireless.mu-locationing)>set admin(network.wireless.mu-locationing)>set mode enable admin(network.wireless.mu-locationing)>set size 200 admin(network.wireless.
Network Firewall Commands AP4700>admin(network.firewall)> Displays the access point firewall submenu. The items available under this command include: show Displays the access point’s current firewall configuration. set Defines the access point’s firewall parameters. access Enables/disables firewall permissions through the LAN and WAN ports. advanced Displays interoperability rules between the LAN and WAN ports. .. Goes to the parent menu. / Goes to the root menu.
CLI Reference AP4700>admin(network.firewall)>show Displays the access point firewall parameters. Syntax show Shows all access point firewall settings. Example admin(network.
AP4700>admin(network.firewall)>set Defines the access point firewall parameters. Syntax set mode Enables or disables the firewall. nat-timeout Defines the NAT timeout value. syn Enables or disables SYN flood attack check. src Enables or disables source routing check. win Enables or disables Winnuke attack check. ftp Enables or disables FTP bounce attack check. ip Enables or disables IP unaligned timestamp check.
AP4700>admin(network.firewall)>access Enables or disables firewall permissions through LAN to WAN ports. Syntax show Displays LAN to WAN access rules. set Sets LAN to WAN access rules. add Adds LAN to WAN exception rules. delete Deletes LAN to WAN access exception rules. list Displays LAN to WAN access exception rules for the specified LAN. .. Goes to parent menu. / Goes to root menu. save Saves configuration to system flash. quit Quits and exits the CLI session.
AP4700>admin(network.firewall)>advanced Displays whether an access point firewall rule is intended for inbound traffic to an interface or outbound traffic from that interface. Syntax show Shows advanced subnet access parameters. set Sets advanced subnet access parameters. import Imports rules from subnet access. inbound Goes to the Inbound Firewall Rules submenu. outbound Goes to the Outbound Firewall Rules submenu. .. Goes to the parent menu. / Goes to the root menu.
CLI Reference Network Router Commands AP4700>admin(network.router)> Displays the router submenu. The items available under this command are: show Displays the existing access point router configuration. set Sets the RIP parameters. add Adds user-defined routes. delete Deletes user-defined routes. list Lists user-defined routes. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI.
AP4700>admin(network.router)>show Shows the access point route table. Syntax show rip Displays the router’s RIP parameters. routes Displays connected routes. Example admin(network.router)>show rip
rip type : off
rip direction : both
rip authentication type : none
rip simple auth password : *********
rip md5 id 1 : 1
rip md5 key 1 : *********
rip md5 id 2 : 1
rip md5 key 2 : *********
admin(network.
AP4700>admin(network.router)>set Shows the access point route table. Syntax set auth Sets the RIP authentication type (none, simple or MD5). dir Sets RIP direction (rx, tx or both). id Sets MD5 authentication ID (1-256) for specific index (1-2). key Sets MD5 authentication key (up to 16 characters) for specified index (1-2). passwd Sets the password (up to 16 characters) for simple authentication. type Defines the RIP type (off, ripv1, ripv2, or ripv1v2).
AP4700>admin(network.router)>add Adds user-defined routes. Syntax add Adds a route with destination IP address , IP netmask , destination gateway IP address , interface LAN1, LAN2 or WAN , and metric set to (1-65536). Example admin(network.router)>add 192.168.3.0 255.255.255.0 192.168.2.1 LAN1 1 admin(network.
AP4700>admin(network.router)>delete Deletes user-defined routes. Syntax delete Deletes the user-defined route (1-20) from list. all Deletes all user-defined routes. Example admin(network.router)>list
---------------------------------------------------------------------------
index destination netmask gateway interface metric
---------------------------------------------------------------------------
1 192.168.2.0 255.255.255.0 192.168.0.1 lan1 1
2 192.168.1.0 255.255.255.0 0.
AP4700>admin(network.router)>list Lists user-defined routes. Syntax list Displays a list of user-defined routes. Example admin(network.router)>list
---------------------------------------------------------------------------
index destination netmask gateway interface metric
---------------------------------------------------------------------------
1 192.168.2.0 255.255.255.0 192.168.0.1 lan1 1
2 192.168.1.0 255.255.255.0 0.0.0.0 lan2 0
3 192.168.0.0 255.255.255.0 0.0.0.
CLI Reference Network IP Filter Commands AP4700>admin(network.ipfilter)> Displays the ipfilter submenu. The items available under this command are: show Displays Global IP Filter table entries. set Sets Global IP Filter table entries. add Adds a filter to the Global IP Filter table delete Deletes a filter from the Global IP Filter table. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI.
AP4700>admin(network.ipfilter)>show Displays Global IP Filter table entries. Syntax show Displays Global IP Filter table entries. Example admin(network.ipfilter)>show
---------------------------------------------------------------------------
Idx name Protocol Port-Start-End SrcIP-Start-End DestIP-Start-End In-Use
---------------------------------------------------------------------------
admin(network.
CLI Reference AP4700>admin(network.ipfilter)>set Sets Global IP Filter table entries. Syntax set Sets Global IP Filter table entries. Example admin(network.
AP4700>admin(network.ipfilter)>add Adds a filter to the Global IP Filter table. Syntax add filter-name Adds name to IP Filter (up to 20 characters). protocol Adds protocol for IP Filter. start-port Adds a starting port for IP Filter. end-port Adds an ending port for IP Filter. start-src-address Adds a starting source IP address for IP Filter. end-src-address Adds an ending source IP address for IP Filter.
AP4700>admin(network.ipfilter)>delete Deletes a filter from the Global IP Filter table. Syntax delete index Deletes a filter index from the Global IP Filter table. all Deletes all filters from the Global IP Filter table. Example admin(network.ipfilter)>delete all admin(network.
System Commands AP4700>admin(system)> Displays the System submenu. The items available under this command are shown below. restart Restarts the access point. show Shows access point system parameter settings. set Defines access point system parameter settings. lastpw Displays last debug password. exec Goes to a Linux command menu. arp Displays the access point’s arp table. power-setup Goes to the Power Settings submenu. aap-setup Goes to the Adaptive AP Settings submenu.
AP4700>admin(system)>restart Restarts the access point. Syntax restart Restarts the access point. Example admin(system)>restart ********************************WARNING*********************************** ** Unsaved configuration changes will be lost when the access point is reset. ** Please be sure to save changes before resetting.
AP4700>admin(system)>show Displays high-level system information helpful to differentiate this access point. Syntax show Displays access point system information.
CLI Reference AP4700>admin(system)>set Sets access point system parameters. Syntax set name Sets the access point system name to (1 to 59 characters). The access point does not allow intermediate space characters between characters within the system name. For example, “AP4700 sales” must be changed to “AP4700sales” to be a valid system name. loc Sets the access point system location to (1 to 59 characters).
AP4700>admin(system)>lastpw Displays last expired debug password.
AP4700>admin(system)>arp Displays the access point’s ARP table. Example admin(system)>arp IP Address HWtype HWaddress Flags Mask 157.235.92.210 157.235.92.179 157.235.92.248 157.235.92.180 157.235.92.3 157.235.92.181 157.235.92.80 157.235.92.95 157.235.92.161 157.235.92.
Power Setup Commands AP4700>admin(system)>power-setup Displays the Power Setup submenu. show Displays the current power setting configuration. set Defines the access point’s power setting configuration. .. Goes to the parent menu. / Goes to the root menu. save Saves the current configuration to the access point system flash. quit Quits the CLI and exits the current session. For information on configuring power settings using the applet (GUI), see “Configuring Power Settings” on page 81.
AP4700>admin(system.power-setup)>show Displays the access point’s current power configuration. Syntax show Displays the access point’s current power configuration. Example admin(system.power-setup)>show
Power Mode : Auto
Power Status : Full Power
3af Power Option : default
3at Power Option : default
Default Radio : Radio1
For information on configuring power settings using the applet (GUI), see “Configuring Power Settings” on page 81.
AP4700>admin(system.power-setup)>set Sets access point’s power consumption configuration. Syntax set mode Sets the power mode to either Auto or 3af. Changing the mode requires restarting the access point. power-option Defines the power option. def-radio Defines the access point’s default radio (1-Radio1, 2-Radio2). admin(system.power-setup)>set mode Auto admin(system.power-setup)>set power-option 3af option admin(system.
Adaptive AP Setup Commands AP4700>admin(system)>aap-setup Displays the Adaptive AP submenu. show Displays Adaptive AP information. set Defines the Adaptive AP configuration. delete Deletes static controller address assignments. .. Goes to the parent menu. / Goes to the root menu. save Saves the current configuration to the access point system flash. quit Quits the CLI and exits the current session.
AP4700>admin(system.aap-setup)>show Displays the access point’s Adaptive AP configuration. Syntax show Displays the access point’s Adaptive AP configuration. Example admin(system.aap-setup)>show Auto Discovery Mode Controller Name Static IP Port Static IP Address IP Address 1 IP Address 2 IP Address 3 IP Address 4 IP Address 5 IP Address 6 IP Address 7 IP Address 8 IP Address 9 IP Address 10 IP Address 11 IP Address 12 : disable : greg : 24576 : : 0.0.0.0 : 0.0.0.0 : 0.0.0.0 : 0.0.0.0 : 0.0.0.0 : 0.0.0.
AP4700>admin(system.aap-setup)>set Sets access point’s Adaptive AP configuration. Syntax set auto-discovery Sets the controller auto-discovery mode (enable/disable). ipadr Defines the controller IP address used. name Defines the controller name for DNS lookups (up to 127 characters). port Sets the port. passphrase Defines the pass phrase or key for controller connection. tunnel-to-controller Enables/disables the tunnel between controller and access point.
AP4700>admin(system.aap-setup)>delete Deletes static controller address assignments. Syntax delete Deletes static controller address assignments by selected index. Deletes all assignments. Example admin(system.aap-setup)>delete 1 admin(system.aap-setup)> For information on configuring Adaptive AP using the applet (GUI), see “Adaptive AP Setup” on page 85. For an overview of adaptive AP functionality and its implications, see “Adaptive AP Overview” on page 605.
LLDP Commands AP4700>admin(system)>lldp Displays the LLDP submenu. show Displays LLDP information. set Sets LLDP parameters. .. Goes to the parent menu. / Goes to the root menu. save Saves the current configuration to the access point system flash. quit Quits the CLI and exits the current session. For information on configuring LLDP using the applet (GUI), see “Configuring LLDP Settings” on page 108.
AP4700>admin(system.lldp)>show Displays LLDP information. Syntax show Displays LLDP information. admin(system.lldp)>show
LLDP Status : enable
LLDP Refresh Interval : 30
LLDP Holdtime Mutiplier : 4
admin(system.lldp)>
For information on configuring LLDP using the applet (GUI), see “Configuring LLDP Settings” on page 108.
AP4700>admin(system.lldp)>set Sets the LLDP configuration. Syntax set Sets the LLDP configuration. lldp-mode Sets AP lldp mode. lldp-refresh Sets the LLDP Refresh Interval. lldp-holdtime Sets the LLDP HoldTime Multiplier. admin(system.lldp)>set lldp-mode enable admin(system.lldp)>set lldp-refresh 100 admin(system.lldp)>set lldp-holdtime 2 admin(system.lldp)> For information on configuring LLDP using the applet (GUI), see “Configuring LLDP Settings” on page 108.
System Access Commands AP4700>admin(system)>access Displays the access point access submenu. show Displays access point system access capabilities. set Goes to the access point system access submenu. .. Goes to the parent menu. / Goes to the root menu. save Saves the current configuration to the access point system flash. quit Quits the CLI and exits the current session.
AP4700>admin(system.access)>set Defines the permissions to access the access point applet, CLI, SNMP as well as defining their timeout values. Syntax set applet Defines the applet HTTP/HTTPS access parameters. app-timeout Sets the applet timeout. Default is 300 Mins. sslv2 Enables/disables SSL v2 support. cli Defines CLI Telnet access parameters. Enables/disables access from lan and wan. ssh Sets the CLI SSH access parameters.
AP4700>admin(system.access)>show Displays the current access point access permissions and timeout values. Syntax show Shows all of the current system access settings for the access point. Example admin(system.
System Certificate Management Commands AP4700>admin(system)>cmgr Displays the Certificate Manager submenu. The items available under this command include: genreq Generates a Certificate Request. delself Deletes a Self Certificate. loadself Loads a Self Certificate signed by CA. listself Lists the self certificate loaded. loadca Loads trusted certificate from CA. delca Deletes the trusted certificate. listca Lists the trusted certificate loaded.
AP4700>admin(system.cmgr)>genreq Generates a certificate request. Syntax genreq > [-ou ] [-on ] [-cn ] [-st ] . . . ...
AP4700>admin(system.cmgr)>delself Deletes a self certificate. Syntax delself Deletes the self certificate named . Example admin(system.cmgr)>delself MyCert2 For information on configuring self certificate settings using the applet (GUI), see “Creating Self Certificates for Accessing the VPN” on page 92.
AP4700>admin(system.cmgr)>loadself Loads a self certificate signed by the Certificate Authority. Syntax loadself Load the self certificate signed by the CA with name (7 characters). For information on configuring self certificate settings using the applet (GUI), see “Creating Self Certificates for Accessing the VPN” on page 92.
AP4700>admin(system.cmgr)>listself Lists the loaded self certificates. Syntax listself Lists all self certificates that are loaded. For information on configuring self certificate settings using the applet (GUI), see “Creating Self Certificates for Accessing the VPN” on page 92.
AP4700>admin(system.cmgr)>loadca Loads a trusted certificate from the Certificate Authority. Syntax loadca Loads the trusted certificate (in PEM format) that is pasted into the command line. For information on configuring certificate settings using the applet (GUI), see “Importing a CA Certificate” on page 91.
AP4700>admin(system.cmgr)>delca Deletes a trusted certificate. Syntax delca Deletes the trusted certificate. For information on configuring certificate settings using the applet (GUI), see “Importing a CA Certificate” on page 91.
AP4700>admin(system.cmgr)>listca Lists the loaded trusted certificate. Syntax listca Lists the loaded trusted certificates. For information on configuring certificate settings using the applet (GUI), see “Importing a CA Certificate” on page 91.
AP4700>admin(system.cmgr)>showreq Displays a certificate request in PEM format. Syntax showreq Displays a certificate request named generated from the genreq command. For information on configuring certificate settings using the applet (GUI), see “Importing a CA Certificate” on page 91.
AP4700>admin(system.cmgr)>delprivkey Deletes a private key. Syntax delprivkey Deletes private key named . For information on configuring certificate settings using the applet (GUI), see “Creating Self Certificates for Accessing the VPN” on page 92.
AP4700>admin(system.cmgr)>listprivkey Lists the names of private keys. Syntax listprivkey Lists all private keys and displays their certificate associations. For information on configuring certificate settings using the applet (GUI), see “Importing a CA Certificate” on page 91.
AP4700>admin(system.cmgr)>expcert Exports the certificate file to a user defined location. Syntax expcert Exports the access point’s CA or Self certificate file. To export certificate information from an Altitude 4700 access point: admin(system.cmgr)>expcert ? : : : : type: ftp/tftp file name: Certificate file name Server options for this file are the same as that for the configuration file admin(system.cmgr)>expcert tftp AP-71x1certs.
AP4700>admin(system.cmgr)>impcert Imports the target certificate file. Syntax impcert Imports the target certificate file. To import certificate information from an Altitude 4700 Access Point: admin(system.cmgr)>impcert ? : : : : type: ftp/tftp file name: Certificate file name Server options for this file are the same as that for the configuration file admin(system.cmgr)>impcert tftp AP-4700certs.
System SNMP Commands AP4700>admin(system)> snmp Displays the SNMP submenu. The items available under this command are shown below. access Goes to the SNMP access submenu. traps Goes to the SNMP traps submenu. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI.
System SNMP Access Commands AP4700>admin(system.snmp.access) Displays the SNMP Access menu. The items available under this command are shown below. show Shows SNMP v3 engine ID. add Adds SNMP access entries. delete Deletes SNMP access entries. list Lists SNMP access entries. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI.
AP4700>admin(system.snmp.access)>show Shows the SNMP v3 engine ID. Syntax show eid Shows the SNMP v3 Engine ID. Example admin(system.snmp.access)>show eid AP4700 snmp v3 engine id : 000001846B8B4567F871AC68 admin(system.snmp.access)> For information on configuring SNMP access settings using the applet (GUI), see “Configuring SNMP Access Control” on page 101.
AP4700>admin(system.snmp.access)>add Adds SNMP access entries for specific v1v2 and v3 user definitions. Syntax add acl v1v2c Adds an entry to the SNMP access control list with as the starting IP address and and as the ending IP address. : comm - community string 1 to 31 characters : access - read/write access - (ro,rw) : oid - string 1 to 127 chars - E.g. 1.3.6.
AP4700>admin(system.snmp.access)>delete Deletes SNMP access entries for specific v1v2 and v3 user definitions. Syntax delete
acl Deletes entry (1-10) from the access control list.
acl all Deletes all entries from the access control list.
v1v2c Deletes entry (1-10) from the v1/v2 configuration list.
v1v2c all Deletes all entries from the v1/v2 configuration list.
v3 Deletes entry (1-10) from the v3 user definition list.
AP4700>admin(system.snmp.access)>list Lists SNMP access entries. Syntax list acl Lists SNMP access control list entries. v1v2c Lists SNMP v1/v2c configuration. v3 Lists SNMP v3 user definition by index (1-10). all Lists all SNMP v3 user definitions. Example admin(system.snmp.access)>list acl
---------------------------------------------------------------
index start ip end ip
---------------------------------------------------------------
1 209.236.24.1 209.236.24.
System SNMP Traps Commands AP4700>admin(system.snmp.traps) Displays the SNMP traps submenu. The items available under this command are shown below. show Shows SNMP trap parameters. set Sets SNMP trap parameters. add Adds SNMP trap entries. delete Deletes SNMP trap entries. list Lists SNMP trap entries. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI.
AP4700>admin(system.snmp.traps)>show Shows SNMP trap parameters. Syntax show trap Shows SNMP trap parameter settings. rate-trap Shows SNMP rate-trap parameter settings. Example admin(system.snmp.
AP4700>admin(system.snmp.traps)>set Sets SNMP trap parameters. Syntax set mu-assoc enable/disable Enables/disables the MU associated trap. mu-unassoc enable/disable Enables/disables the MU unassociated trap. mu-deny-assoc enable/disable Enables/disables the MU association denied trap. mu-deny-auth enable/disable Enables/disables the MU authentication denied trap. snmp-auth enable/disable Enables/disables the authentication failure trap.
AP4700>admin(system.snmp.traps)>add Adds SNMP trap entries. Syntax add v1v2 Adds an entry to the SNMP v1/v2 access list with the destination IP address set to , the destination UDP port set to , the community string set to (1 to 31 characters), and the SNMP version set to .
AP4700>admin(system.snmp.traps)>delete Deletes SNMP trap entries. Syntax delete
v1v2c Deletes entry from the v1v2c access control list.
v1v2c all Deletes all entries from the v1v2c access control list.
v3 Deletes entry from the v3 access control list.
v3 all Deletes all entries from the v3 access control list.
Example admin(system.snmp.traps)>delete v1v2 all For information on configuring SNMP traps using the applet (GUI), see “Configuring SNMP Settings” on page 97.
AP4700>admin(system.snmp.traps)>list Lists SNMP trap entries. Syntax list
v1v2c Lists SNMP v1/v2c access entries.
v3 Lists SNMP v3 access entry.
v3 all Lists all SNMP v3 access entries.
Example admin(system.snmp.traps)>add v1v2 203.223.24.2 162 mycomm v1 admin(system.snmp.
System User Database Commands AP4700>admin(system)> userdb Goes to the user database submenu. Syntax user Goes to the user submenu. group Goes to the group submenu. save Saves the configuration to system flash. .. Goes to the parent menu. / Goes to the root menu. For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group” on page 259.
Adding and Removing Users from the User Database AP4700>admin(system.userdb)>user Adds and removes users from the user database and defines user passwords. Syntax add Adds a new user. delete Deletes a user. clearall Removes all existing user IDs from the system. set Sets a password for a user. show Displays the current user database configuration. save Saves the configuration to system flash. .. Goes to the parent menu. / Goes to the root menu.
AP4700>admin(system.userdb.user)>add Adds a new user to the user database. Syntax add Adds a new user ID and password string to the user database. Example admin(system.userdb.user>add george password admin(system.userdb.user> For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group” on page 259.
AP4700>admin(system.userdb.user)>delete Removes a user from the user database. Syntax delete Removes a user ID and password string from the user database. Example admin(system.userdb.user>delete george admin(system.userdb.user> For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group” on page 259.
AP4700>admin(system.userdb.user)>clearall Removes all existing user IDs from the system. Syntax clearall Removes all existing user IDs from the system. Example admin(system.userdb.user>clearall admin(system.userdb.user> For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group” on page 259.
AP4700>admin(system.userdb.user)>set Sets a password for a user. Syntax set Sets user and password string for a specific user. Example admin(system.userdb.user>set george password admin(system.userdb.user> For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group” on page 259.
Adding and Removing Groups from the User Database AP4700>admin(system.userdb)>group Adds and removes groups from the user database. Syntax create Creates a group name. delete Deletes a group name. clearall Removes all existing group names from the system. add Adds a user to an existing group. remove Removes a user from an existing group. show Displays existing groups. save Saves the configuration to system flash. .. Goes to the parent menu. / Moves back to root menu.
AP4700>admin(system.userdb.group)>create Creates a group name. Once defined, users can be added to the group. Syntax create Creates a group name string. Once defined, users can be added to the group. Example admin(system.userdb.group>create 2 admin(system.userdb.group> For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group” on page 259.
AP4700>admin(system.userdb.group)>delete Deletes an existing group. Syntax delete Deletes an existing group name string. Example admin(system.userdb.group>delete 2 admin(system.userdb.group> For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group” on page 259.
AP4700>admin(system.userdb.group)>clearall Removes all existing group names from the system. Syntax clearall Removes all existing group names from the system. Example admin(system.userdb.group>clearall admin(system.userdb.group> For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group” on page 259.
AP4700>admin(system.userdb.group)>add Adds a user to an existing group. Syntax add Adds a user to an existing group . Example admin(system.userdb.group>add lucy group x admin(system.userdb.group> For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group” on page 259.
AP4700>admin(system.userdb.group)>remove Removes a user from an existing group. Syntax remove Removes a user from an existing group. Example admin(system.userdb.group>remove lucy group x admin(system.userdb.
AP4700>admin(system.userdb.group)>show Displays existing groups. Syntax show Displays existing groups and users. users Displays configured user IDs for a group. groups Displays configured groups. Example admin(system.userdb.group>show groups
List of Group Names
: engineering
: marketing
: demo room
admin(system.userdb.group>
For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group” on page 259.
System RADIUS Commands AP4700>admin(system)>radius Goes to the RADIUS system submenu. Syntax eap Goes to the EAP submenu. policy Goes to the access policy submenu. ldap Goes to the LDAP submenu. proxy Goes to the proxy submenu. client Goes to the client submenu. set Sets RADIUS parameters. show Displays RADIUS parameters. save Saves the configuration to system flash. quit Quits the CLI. .. Goes to the parent menu. / Goes to the root menu.
AP4700>admin(system.radius)>set/show Sets or displays the RADIUS user database. Syntax set Sets the RADIUS user database. show all Displays the RADIUS user database. Example admin(system.radius)>set database local admin(system.radius)>show all Database : local admin(system.radius)> For information on configuring RADIUS using the applet (GUI), see “Configuring User Authentication” on page 250.
AP4700>admin(system.radius)>eap Goes to the EAP submenu. Syntax peap Goes to the PEAP submenu. ttls Goes to the TTLS submenu. import Imports the requested EAP certificates. set Defines EAP parameters. show Displays the EAP configuration. save Saves the configuration to system flash. quit Quits the CLI. .. Goes to the parent menu. / Goes to the root menu. For information on configuring EAP RADIUS using the applet (GUI), see “Configuring User Authentication” on page 250.
AP4700>admin(system.radius.eap)>peap Goes to the PEAP submenu. Syntax set Defines PEAP parameters. show Displays the PEAP configuration. save Saves the configuration to system flash. quit Quits the CLI. .. Goes to the parent menu. / Goes to the root menu. For information on configuring PEAP RADIUS using the applet (GUI), see “Configuring User Authentication” on page 250.
AP4700>admin(system.radius.eap.peap)>set/show Defines and displays PEAP parameters. Syntax set Sets the PEAP authentication (to either gtc or mschapv2). show Displays the PEAP authentication type. Example admin(system.radius.eap.peap)>set auth gtc admin(system.radius.eap.peap)>show PEAP Auth Type : gtc For information on configuring EAP PEAP RADIUS values using the applet (GUI), see “Configuring User Authentication” on page 250.
AP4700>admin(system.radius.eap)>ttls Goes to the TTLS submenu. Syntax set Defines TTLS parameters. show Displays the TTLS configuration. save Saves the configuration to system flash. quit Quits the CLI. .. Goes to the parent menu. / Goes to the root menu. For information on configuring EAP TTLS RADIUS values using the applet (GUI), see “Configuring User Authentication” on page 250.
AP4700>admin(system.radius.eap.ttls)>set/show Defines and displays TTLS parameters. Syntax set Sets the default TTLS authentication (to either pap, md5 or mschapv2). show Displays the TTLS authentication. Example admin(system.radius.eap.ttls)>set auth pap admin(system.radius.eap.ttls)>show TTLS Auth Type : pap For information on configuring EAP TTLS RADIUS values using the applet (GUI), see “Configuring User Authentication” on page 250.
AP4700>admin(system.radius)>policy Goes to the access policy submenu. Syntax set Sets a group’s WLAN access policy. access-time Goes to the time based login submenu. show Displays the group’s access policy. save Saves the configuration to system flash. quit Quits the CLI. .. Goes to the parent menu. / Goes to the root menu. For information on configuring RADIUS access policies using the applet (GUI), see “Configuring User Authentication” on page 250.
AP4700>admin(system.radius.policy)>set Defines the group’s WLAN access policy. Syntax set Defines a group’s WLAN access policy (defined as a string) delimited by a space. Example admin(system.radius.policy)>set engineering 16 admin(system.radius.policy)> For information on configuring RADIUS WLAN policy values using the applet (GUI), see “Configuring User Authentication” on page 250.
AP4700>admin(system.radius.policy)>access-time Goes to the time-based login submenu. Syntax set Defines a target group’s access time permissions. Access time is in DayDDDD-DDDD format. show Displays the group’s access time rule. save Saves the configuration to system flash. quit Quits the CLI. .. Goes to the parent menu. / Goes to the root menu. Example admin(system.radius.policy.
AP4700>admin(system.radius.policy)>show Displays a group’s access policy. Syntax show Displays a group’s access policy. Example admin(system.radius.policy)>show
List of Access Policies
engineering : 16
marketing : 10
demo room : 3
test demo : No Wlans
admin(system.radius.
AP4700>admin(system.radius)>ldap Goes to the LDAP submenu. Syntax set Defines the LDAP parameters. show all Displays existing LDAP parameters. save Saves the configuration to system flash. quit Quits the CLI. .. Goes to the parent menu. / Goes to the root menu. For information on configuring a RADIUS LDAP server using the applet (GUI), see “Configuring LDAP Authentication” on page 253.
AP4700>admin(system.radius.ldap)>set Defines the LDAP parameters. Syntax set Defines the LDAP parameters. ipadr Sets LDAP IP address. port Sets LDAP server port. binddn Sets LDAP bind distinguished name. basedn Sets LDAP base distinguished name. passwd Sets LDAP server password. login Sets LDAP login attribute. pass_attr Sets LDAP password attribute. groupname Sets LDAP group name attribute. filter Sets LDAP group membership filter.
AP4700>admin(system.radius.ldap)>show all Displays existing LDAP parameters. Syntax show all Displays existing LDAP parameters. Example admin(system.radius.ldap)>show all LDAP Server IP : 0.0.0.
AP4700>admin(system.radius)>proxy Goes to the RADIUS proxy server submenu. Syntax add Adds a proxy realm. delete Deletes a proxy realm. clearall Removes all proxy server records. set Sets proxy server parameters. show Displays current RADIUS proxy server parameters. save Saves the configuration to system flash. quit Quits the CLI. .. Goes to the parent menu. / Goes to the root menu.
AP4700>admin(system.radius.proxy)>add Adds a proxy. Syntax add Adds a proxy realm. name Realm name. ip1 Authentication server IP address. port Authentication server port. sec Shared secret password. Example admin(system.radius.proxy)>add lancelot 157.235.241.22 1812 muddy admin(system.radius.proxy)> For information on configuring RADIUS proxy server values using the applet (GUI), see “Configuring a Proxy Radius Server” on page 255.
AP4700>admin(system.radius.proxy)>delete Deletes a proxy realm. Syntax delete Deletes a realm name. Example admin(system.radius.proxy)>delete lancelot admin(system.radius.proxy)> For information on configuring RADIUS proxy server values using the applet (GUI), see “Configuring a Proxy Radius Server” on page 255.
AP4700>admin(system.radius.proxy)>clearall Removes all proxy server records from the system. Syntax clearall Removes all proxy server records from the system. Example admin(system.radius.proxy)>clearall admin(system.radius.proxy)> For information on configuring RADIUS proxy server values using the applet (GUI), see “Configuring a Proxy Radius Server” on page 255.
AP4700>admin(system.radius.proxy)>set Sets RADIUS proxy server parameters. Syntax set Sets RADIUS proxy server parameters. delay Defines retry delay time (in seconds) for the proxy server. count Defines retry count value for the proxy server. Example admin(system.radius.proxy)>set delay 10 admin(system.radius.proxy)>set count 5 admin(system.radius.
AP4700>admin(system.radius)>client Goes to the RADIUS client submenu. Syntax add Adds a RADIUS client to list of available clients. delete Deletes a RADIUS client from list of available clients. show Displays a list of configured clients. save Saves the configuration to system flash. quit Quits the CLI. .. Goes to the parent menu. / Goes to the root menu. For information on configuring RADIUS client values using the applet (GUI), see “Configuring the Radius Server” on page 250.
AP4700>admin(system.radius.client)>add Adds a RADIUS client to those available to the RADIUS server. Syntax add Adds a RADIUS client. ip Client’s IP address. mask Network mask address of the client. secret Shared secret password. Example admin(system.radius.client)>add 157.235.132.11 255.255.255.225 muddy admin(system.radius.client)> For information on configuring RADIUS client values using the applet (GUI), see “Configuring the Radius Server” on page 250.
AP4700>admin(system.radius.client)>delete Removes a specified RADIUS client from those available to the RADIUS server. Syntax delete Removes a specified RADIUS client from those available to the RADIUS server. Example admin(system.radius.client)>delete 157.235.132.11 admin(system.radius.client)> For information on configuring RADIUS client values using the applet (GUI), see “Configuring the Radius Server” on page 250.
AP4700>admin(system.radius.client)>show Displays a list of configured RADIUS clients. Syntax show Displays a list of configured RADIUS clients. Example admin(system.radius.client)>show
----------------------------------------------------------------------------
Idx Subnet/Host Netmask SharedSecret
----------------------------------------------------------------------------
1 157.235.132.11 255.255.255.225 *****
admin(system.radius.
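The command forms shown in this chapter's examples (RADIUS client and proxy add, TTLS set auth, SNMP trap add v1v2, expcert/impcert, and user add/set) can be checked before a configuration is saved. The Python script below is an added example, not part of the guide or of the access point software; the rule names, the length thresholds and the sample transcript are assumptions made for illustration. Among other things it flags the netmask 255.255.255.225 used in the client add example above, which is not a contiguous mask.

```python
import ipaddress
import re

# Prompt shape printed in the guide; some examples omit the closing parenthesis.
PROMPT = re.compile(r"^\s*(?:AP4700>)?admin\(([\w.\-]+)\)?>\s*(.*)$")
MIN_SECRET_LEN = 16    # assumption: local policy value, not a device limit
MIN_PASSWORD_LEN = 12  # assumption: local policy value, not a device limit

def netmask_is_contiguous(mask):
    """True when the dotted mask is a run of 1 bits followed only by 0 bits."""
    try:
        value = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False
    inverted = ~value & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0

def short_secret(secret, owner):
    if len(secret) < MIN_SECRET_LEN:
        return [("short-secret", f"{owner}: secret is {len(secret)} characters")]
    return []

def check_radius_client(words):      # add <ip> <mask> <secret>
    if len(words) != 4 or words[0] != "add":
        return []
    _, ip, mask, secret = words
    found = []
    if not netmask_is_contiguous(mask):
        found.append(("bad-netmask", f"client {ip}: {mask} is not contiguous"))
    return found + short_secret(secret, f"client {ip}")

def check_radius_proxy(words):       # add <realm> <ip> <port> <secret>
    if len(words) != 5 or words[0] != "add":
        return []
    return short_secret(words[4], f"proxy realm {words[1]}")

def check_ttls(words):               # set auth <pap|md5|mschapv2>
    if words == ["set", "auth", "pap"]:
        return [("ttls-pap", "inner method pap passes the password itself "
                 "through the tunnel; confirm clients validate the server cert")]
    return []

def check_snmp_trap(words):          # add v1v2 <ip> <port> <community> <ver>
    if len(words) == 6 and words[:2] == ["add", "v1v2"]:
        return [("snmp-community", f"trap to {words[2]}: community is cleartext")]
    return []

def check_cert_transfer(words):      # expcert|impcert <ftp|tftp> <file>
    if len(words) >= 2 and words[0] in ("expcert", "impcert") and words[1] in ("ftp", "tftp"):
        return [("cleartext-cert-transfer", f"{words[0]} via {words[1]} is unencrypted")]
    return []

def check_user_password(words):      # add|set <user> <password>
    if len(words) == 3 and words[0] in ("add", "set"):
        user, password = words[1], words[2]
        weak = password.lower() in (user.lower(), "password")
        if weak or len(password) < MIN_PASSWORD_LEN:
            return [("weak-password", f"user {user}: short or guessable password")]
    return []

# Menu path (taken from the prompt) -> check for that submenu's commands.
CHECKS = {
    "system.radius.client": check_radius_client,
    "system.radius.proxy": check_radius_proxy,
    "system.radius.eap.ttls": check_ttls,
    "system.snmp.traps": check_snmp_trap,
    "system.cmgr": check_cert_transfer,
    "system.userdb.user": check_user_password,
}

def audit_transcript(text):
    """Return (line number, rule, message) for every flagged command."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = PROMPT.match(line)
        if not match:
            continue
        check = CHECKS.get(match.group(1))
        words = match.group(2).split()
        if check and words:
            findings += [(lineno, rule, msg) for rule, msg in check(words)]
    return findings

# Constructed transcript; line 2 and the certificate file name are made up.
SAMPLE = """\
admin(system.radius.client)>add 157.235.132.11 255.255.255.225 muddy
admin(system.radius.client)>add 157.235.132.12 255.255.255.255 c0nstructed-Sample-Secret-01
admin(system.radius.proxy)>add lancelot 157.235.241.22 1812 muddy
admin(system.radius.eap.ttls)>set auth pap
admin(system.radius.eap.peap)>set auth gtc
admin(system.snmp.traps)>add v1v2 203.223.24.2 162 mycomm v1
admin(system.cmgr)>expcert tftp example-certs.txt
admin(system.userdb.user>add george password
"""

if __name__ == "__main__":
    for lineno, rule, message in audit_transcript(SAMPLE):
        print(f"line {lineno}: [{rule}] {message}")
```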
System Network Time Protocol (NTP) Commands AP4700>admin(system)>ntp Displays the NTP menu. The correct network time is required for numerous functions to be configured accurately on the access point. Syntax show Shows NTP parameters settings. date-zone Show date, time and time zone. zone-list Displays list of time zones. set Sets NTP parameters. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI.
AP4700>admin(system.ntp)>show Displays the NTP server configuration. Syntax show Shows all NTP server settings. Example admin(system.ntp)>show
current time : 2006-07-31 14:35:20
time zone: : UTC
ntp mode : enable
For information on configuring NTP using the applet (GUI), see “Configuring Network Time Protocol (NTP)” on page 110.
AP4700>admin(system.ntp)>date-zone Show date, time and time zone. Syntax date-zone Show date, time and time zone. Example admin(system.ntp)>date-zone Date/Time : Sat 1970-Jan-03 20:06:22 +0000 UTC Time Zone : UTC For information on configuring NTP using the applet (GUI), see “Configuring Network Time Protocol (NTP)” on page 110.
CLI Reference AP4700>admin(system.ntp)>zone-list Displays an extensive list of time zones for countries around the world. Syntax zone-list Displays list of time zone indexes for every known zone. Example admin(system.ntp)> zone-list For information on configuring NTP using the applet (GUI), see “Configuring Network Time Protocol (NTP)” on page 110.
AP4700>admin(system.ntp)>set Sets NTP parameters for access point clock synchronization. Syntax set mode Enables or disables NTP. server Sets the NTP sever IP address. port Defines the port number. intrvl Defines the clock synchronization interval used between the access point and the NTP server in minutes (15 - 65535). time Sets the current system time.
CLI Reference System Log Commands AP4700>admin(system)>logs Displays the access point log submenu. Logging options include: Syntax show Shows logging options. set Sets log options and parameters. view Views system log. delete Deletes the system log. send Sends log to the designated FTP Server. .. Goes to the parent menu. / Goes to the root menu. save Saves configuration to system flash. quit Quits the CLI.
AP4700>admin(system.logs)>show Displays the current access point logging settings. Syntax show Displays the current access point logging configuration. Example admin(system.logs)>show log level syslog server logging syslog server ip address : L6 Info : enable : 192.168.0.102 For information on configuring logging settings using the applet (GUI), see “Logging Configuration” on page 112.
CLI Reference AP4700>admin(system.logs)>set Sets log options and parameters. Syntax set level Sets the level of the events that will be logged. All events with a level at or above (L0-L7) will be saved to the system log. L0:Emergency L1:Alert L2:Critical L3:Errors L4:Warning L5:Notice L6:Info (default setting) L7:Debug mode Enables or disables syslog server logging. ipadr Sets the external syslog server IP address to (a.b.c.d). admin(system.
AP4700>admin(system.logs)>view Displays the access point system log file. Syntax view Displays the entire access point system log file. Example admin(system.logs)>view Jan 7 16:14:00 (none) syslogd 1.4.1: restart (remote reception). Jan 7 16:14:10 (none) klogd: :ps log:fc: queue maintenance Jan 7 16:14:41 (none) klogd: :ps log:fc: queue maintenance Jan 7 16:15:43 (none) last message repeated 2 times Jan 7 16:16:01 (none) CC: 4:16pm up 6 days, 16:16, load average: 0.00, 0.01, 0.
CLI Reference AP4700>admin(system.logs)>delete Deletes the log files. Syntax delete Deletes the access point system log file. Example admin(system.logs)>delete For information on configuring logging settings using the applet (GUI), see “Logging Configuration” on page 112.
AP4700>admin(system.logs)>send
Sends log and core file to an FTP Server.
Syntax
send    Sends the system log file via FTP to a location specified with the set command. Refer to the command set under the AP4700>admin(fw update) command for information on setting up an FTP server and login information.
Example
admin(system.logs)>send
File transfer    : [ In progress ]
File transfer    : [ Done ]
admin(system.
CLI Reference System Configuration-Update Commands AP4700>admin(system.config)> Displays the access point configuration update submenu. Syntax default Restores the default access point configuration. partial Restores a partial default access point configuration. show Shows import/export parameters. set Sets import/export access point configuration parameters. export Exports access point configuration to a designated system. import Imports configuration to the access point. ..
AP4700>admin(system.config)>default Restores the full access point factory default configuration. Syntax default Restores the access point to the original (factory) configuration. Example admin(system.config)>default Are you sure you want to default the configuration? : For information on importing/exporting access point configurations using the applet (GUI), see “Importing/Exporting Configurations” on page 114.
AP4700>admin(system.config)>partial
Restores a partial factory default configuration. The access point’s LAN, WAN and SNMP settings are unaffected by the partial restore.
Syntax
partial    Restores a partial access point configuration.
Example
admin(system.config)>partial
Are you sure you want to partially default AP4700? :
For information on importing/exporting access point configurations using the applet (GUI), see “Importing/Exporting Configurations” on page 114.
AP4700>admin(system.config)>show
Displays import/export parameters for the access point configuration file.
Syntax
show    Shows all import/export parameters.
Example
admin(system.config)>show
cfg filename                  : cfg.txt
cfg filepath                  :
ftp/tftp server ip address    : 192.168.0.101
ftp user name                 : myadmin
ftp password                  : ********
For information on importing/exporting access point configurations using the applet (GUI), see “Importing/Exporting Configurations” on page 114.
CLI Reference AP4700>admin(system.config)>set Sets the import/export parameters. Syntax set file Sets the configuration file name (1 to 39 characters in length). path Defines the path used for the configuration file upload. server Sets the FTP/TFTP server IP address. user Sets the FTP user name (1 to 39 characters in length). passwd Sets the FTP password (1 to 39 characters in length). Example admin(system.config)>set server 192.168.22.
AP4700>admin(system.config)>export Exports the configuration from the system. Syntax export ftp Exports the access point configuration to the FTP server. Use the set command to set the server, user, password, and file name before using this command. tftp Exports the access point configuration to the TFTP server. Use the set command to set the IP address for the TFTP server before using the command. terminal Exports the access point configuration to a terminal.
AP4700>admin(system.config)>import
Imports the access point configuration to the access point. Errors could display as a result of invalid configuration parameters. Correct the specified lines and import the file again until the import operation is error free.
import
  ftp   Imports the access point configuration file from the FTP server. Use the set command to set the server, user, password, and file.
  tftp  Imports the access point configuration from the TFTP server.
Firmware Update Commands
AP4700>admin(system)>fw-update
Displays the firmware update submenu. The items available under this command are shown below.
NOTE The access point must complete the reboot process to successfully update the device firmware, regardless of whether the reboot is conducted using the GUI or CLI interfaces.
show    Displays the current access point firmware update settings.
set     Defines the access point firmware update parameters.
update  Executes the firmware update.
..
CLI Reference AP4700>admin(system.fw-update)>show Displays the current access point firmware update settings. Syntax show Shows the current system firmware update settings for the access point. Example admin(system.fw-update)>show automatic firmware upgrade automatic config upgrade : enable : enable firmware filename firmware path ftp/tftp server ip address ftp user name ftp password : : : : : apn.bin /tftpboot/ 168.197.2.
AP4700>admin(system.fw-update)>set
Defines access point firmware update settings and user permissions.
Syntax
set
  fw-auto   When enabled, updates device firmware each time the firmware versions are found to be different between the access point and the specified firmware on the remote system.
  cfg-auto  When enabled, updates device configuration file each time the config file versions are found to be different between the access point and the specified LAN or WAN interface.
AP4700>admin(system.fw-update)>update
Executes the access point firmware update over the WAN or LAN ports using either ftp, tftp or SFTP.
Syntax
update    Defines the ftp or tftp mode used to conduct the firmware update. Specifies whether the update is executed over the access point’s WAN, LAN1 or LAN2 interface.
Statistics Commands AP4700>admin(stats) Displays the access point statistics submenu. The items available under this command are: show Displays access point WLAN, MU, LAN and WAN statistics. send-cfg-ap Sends a config file to another access point within the known AP table. send-cfg-all Sends a config file to all access points within the known AP table. clear Clears all statistic counters to zero. flash-all-leds Starts and stops the flashing of all access point LEDs.
CLI Reference AP4700>admin(stats)>show Displays access point system information. Syntax show wan Displays stats for the access point WAN port. lan Displays stats for the access point LAN port stp Displays LAN Spanning Tree Status wlan Displays WLAN status and statistics summary. s-wlan Displays status and statistics for an individual WLAN radio Displays a radio statistics transmit and receive summary.
AP4700>admin(stats)>send-cfg-ap Copies the access point’s configuration to another access point within the known AP table. Syntax send-cfg-ap Copies the access point’s configuration to the access points within the known AP table. Mesh configuration attributes do not get copied using this command and must be configured manually.
CLI Reference AP4700>admin(stats)>send-cfg-all Copies the access point’s configuration to all of the access points within the known AP table. Syntax send-cfg-all Copies the access point’s configuration to all of the access points within the known AP table. Example admin(stats)>send-cfg-all admin(stats)> NOTE The send-cfg-all command copies all existing configuration parameters except Mesh settings, LAN IP data, WAN IP data and DHCP Server parameter information.
AP4700>admin(stats)>clear Clears the specified statistics counters to zero to begin new data calculations. Syntax clear wan Clears WAN statistics counters. lan Clears LAN statistics counters for specified LAN index (either clear lan 1 or clear lan 2). all-rf Clears all RF data. all-wlan Clears all WLAN summary information. wlan Clears individual WLAN statistic counters. all-radio Clears access point radio summary information. radio1 Clears statistics counters specific to radio1.
CLI Reference AP4700>admin(stats)>flash-all-leds Starts and stops the illumination of a specified access point’s LEDs. Syntax flash-all-leds Defines the Known AP index number of the target AP to flash. Begins or terminates the flash activity.
AP4700>admin(stats)>echo Defines the echo test values used to conduct a ping test to an associated MU. Syntax show Shows the Mobile Unit Statistics Summary. list Defines echo test parameters and result. set Determines echo test packet data. start Begins echoing the defined station. .. Goes to parent menu. / Goes to root menu. quit Quits CLI session. For information on MU Echo and Ping tests using the applet (GUI), see “Pinging Individual MUs” on page 285.
AP4700>admin(stats.echo)>show
Shows Mobile Unit Statistics Summary.
Syntax
show    Shows Mobile Unit Statistics Summary.
Example
admin(stats.echo)>show
---------------------------------------------------------------------------
Idx IP Address MAC Address WLAN Radio T-put ABS Retries
---------------------------------------------------------------------------
1 192.168.2.
AP4700>admin(stats.echo)>list
Lists echo test parameters and results.
Syntax
list    Lists echo test parameters and results.
Example
admin(stats.echo)>list
Station Address         : 00A0F8213434
Number of Pings         : 10
Packet Length           : 10
Packet Data (in HEX)    : 55
admin(stats.echo)>
For information on MU Echo and Ping tests using the applet (GUI), see “Pinging Individual MUs” on page 285.
AP4700>admin(stats.echo)>set
Defines the parameters of the echo test.
Syntax
set
  station  Defines MU target MAC address.
  request  Sets number of echo packets to transmit (1-539).
  length   Determines echo packet length in bytes (1-539).
  data     Defines the particular packet data.
For information on MU Echo and Ping tests using the applet (GUI), see “Pinging Individual MUs” on page 285.
AP4700>admin(stats.echo)>start
Initiates the echo test.
Syntax
start    Initiates the echo test.
Example
admin(stats.echo)>start
admin(stats.echo)>list
Station Address         : 00A0F843AABB
Number of Pings         : 10
Packet Length           : 100
Packet Data (in HEX)    : 1
Number of MU Responses  : 2
For information on MU Echo and Ping tests using the applet (GUI), see “Pinging Individual MUs” on page 285.
CLI Reference AP4700>admin(stats)>ping Defines the ping test values used to conduct a ping test to an AP with the same ESSID. Syntax ping show Shows Known AP Summary details. list Defines ping test packet length. set Determines ping test packet data. start Begins pinging the defined station. .. Goes to parent menu. / Goes to root menu. quit Quits CLI session. For information on Known AP tests using the applet (GUI), see “Pinging Individual MUs” on page 285.
AP4700>admin(stats.ping)>show
Shows Known AP Summary Details.
Syntax
show    Shows Known AP Summary Details.
Example
admin(stats.ping)>show
---------------------------------------------------------------------------
Idx IP Address MAC Address MUs KBIOS Unit Name
---------------------------------------------------------------------------
1 192.168.2.
AP4700>admin(stats.ping)>list
Lists ping test parameters and results.
Syntax
list    Lists ping test parameters and results.
Example
admin(stats.ping)>list
Station Address         : 00A0F8213434
Number of Pings         : 10
Packet Length           : 10
Packet Data (in HEX)    : 55
admin(stats.ping)>
For information on Known AP tests using the applet (GUI), see “Pinging Individual MUs” on page 285.
AP4700>admin(stats.ping)>set
Defines the parameters of the ping test.
Syntax
set
  station  Defines the AP target MAC address.
  request  Sets number of ping packets to transmit (1-539).
  length   Determines ping packet length in bytes (1-539).
  data     Defines the particular packet data.
Example
admin(stats.ping)>set station 00A0F843AABB
admin(stats.ping)>set request 10
admin(stats.ping)>set length 100
admin(stats.ping)>set data 1
admin(stats.
AP4700>admin(stats.ping)>start
Initiates the ping test.
Syntax
start    Initiates the ping test.
Example
admin(stats.ping)>start
admin(stats.ping)>list
Station Address         : 00A0F843AABB
Number of Pings         : 10
Packet Length           : 100
Packet Data (in HEX)    : 1
Number of AP Responses  : 2
For information on Known AP tests using the applet (GUI), see “Pinging Individual MUs” on page 285.
9 Configuring Mesh Networking CHAPTER Mesh provides a network that is robust and reliable. In this network, each node is connected to its neighbor by more than one path. The multiple paths provide the network with its robustness. If a node goes down, there are other paths available for the data to traverse through the network.
Configuring Mesh Networking Once the spanning tree converges, both Access Points begin learning which destinations reside on which side of the network. This allows them to forward traffic intelligently. After the client bridge establishes at least one wireless connection (if configured to support mobile users), it begins beaconing and accepting wireless connections. If configured as both a client bridge and a base bridge, it begins accepting client bridge connections.
The association and authentication process is identical to the MU association process. The client Access Point sends 802.11 authentication and association frames to the base Access Point. The base Access Point responds as if the client is an actual mobile unit. Depending on the security policy, the two Access Points engage in the normal handshake mechanism to establish keys.
Configuring Mesh Networking Defining the Mesh Topology When a user wants to control how the spanning tree determines client bridge connections, they need to control the mesh configuration. The user must be able to define one node as the root. Assigning a base bridge the lowest bridge priority defines it as the root. NOTE Extreme Networks recommends using the Mesh STP Configuration screen to define a base bridge as a root.
Impact of Importing/Exporting Configurations to a Mesh Network
When using the Access Point’s Configuration Import/Export screen to migrate an Access Point’s configuration to other Access Points, mesh network configuration parameters will get sent or saved to other Access Points. However, if using the Known AP Statistics screen’s Send Cfg to APs functionality, “auto-select” and “preferred list” settings do not get imported.
Configuring Mesh Networking 5 Define the properties for the following parameters within the mesh network: Priority Set the Priority as low as possible to force other devices within the mesh network to defer to this client bridge as the bridge defining the mesh configuration (commonly referred to as the root). Extreme Networks recommends assigning a Base Bridge AP with the lowest bridge priority so it becomes the root in the STP.
7 Click Cancel to discard the changes made to the Mesh STP Configuration and return to the LAN1 or LAN2 screen. Once the Mesh STP Configuration is defined, the Access Point’s radio can be configured for base and/or client bridge support. Configuring a WLAN for Mesh Networking Support Each Access Point comprising a particular mesh network is required to be a member of the same WLAN.
Configuring Mesh Networking Extreme Networks recommends assigning a unique name to a WLAN supporting a mesh network to differentiate it from WLANs defined for non mesh support. The name assigned to the WLAN is what is selected from the Radio Configuration screen for use within the mesh network. NOTE It is possible to have different ESSID and WLAN assignments within a single mesh network (one set between the Base Bridge and repeater and another between the repeater and Client Bridge).
NOTE The Kerberos User Name and Kerberos Password fields can be ignored, as Kerberos is not supported as a viable authentication scheme within a mesh network. 9 Select the Disallow MU to MU Communication checkbox to restrict MUs from interacting with each other both within this WLAN, as well as other WLANs. Selecting this option could be a good idea, if restricting device “chatter” improves mesh network performance.
Configuring Mesh Networking 1 Select Network Configuration > Wireless > Radio Configuration from the menu tree. 2 Refer to the Radio Function parameter to ensure the radio has been designated for WLAN Radio support. Refer to RF Band of Operation parameter to ensure you are enabling the correct 802.11a/n or 802.11b/g/n radio. After the settings are applied within this Radio Configuration screen, the Radio Status and MUs connected values update.
CAUTION An Access Point in Base Bridge mode logs out whenever a Client Bridge associates to the Base Bridge over the LAN connection. This problem is not experienced over the Access Point’s WAN connection. If this situation is experienced, log-in to the Access Point again. Once the settings within the Radio Configuration screen are applied (for an initial deployment), the current number of client bridge connections for this specific radio displays within the CBs Connected field.
Configuring Mesh Networking the order base bridges are added to the mesh network when one of the three associated base bridges becomes unavailable. NOTE Auto link selection is based on the RSSI and load. The client bridge will select the best available link when the Automatic Link Selection checkbox is selected. Extreme Networks recommends you do not disable this option, as (when enabled) the Access Point will select the best base bridge for connection.
15 Click Cancel to undo any changes made within the Advanced Client Bridge Settings screen. This reverts all settings for the screen to the last saved configuration. 16 If using a dual-radio model Access Point, refer to the Mesh Timeout drop-down menu (from within the Radio Configuration screen) to define whether one of the Access Point’s radio’s beacons on an existing WLAN or if a client bridge radio uses an uplink connection.
Configuring Mesh Networking For additional information on configuring the Access Point’s radio, see “Configuring the 802.11a/n or 802.11b/g/n Radio” on page 174. For two fictional deployment scenarios, see “Mesh Network Deployment - Quick Setup” on page 590. Mesh Network Deployment - Quick Setup This section provides instructions on how to quickly setup and demonstrate mesh functionality using three Access Points.
Configuring AP#1: 1 Provide a known IP address for the LAN1 interface. NOTE Enable the LAN1 Interface of AP#1 as a DHCP Server if you intend to associate MUs and require them to obtain an IP address via DHCP. 2 Assign a Mesh STP Priority of 40000 to LAN1 Interface.
Configuring Mesh Networking 3 Define a mesh supported WLAN.
4 Enable base bridge functionality on the 802.11a/n radio (Radio 2). 5 Define a channel of operation for the 802.11a/n radio.
Configuring Mesh Networking 6 If needed, create another WLAN mapped to the 802.11b/g/n radio if 802.11b/g/n support is required for MUs on that 802.11 band. Configuring AP#2 AP#2 can be configured the same as AP#1 with the following exceptions: ● Assign an IP Address to the LAN1 Interface different than that of AP#1 ● Assign a higher Mesh STP Priority 50000 to the AP#2 LAN1 Interface. NOTE In a typical deployment, each base bridge can be configured for a Mesh STP Priority of 50000.
Configuring AP#3 To define the configuration for AP#3 (a client bridge connecting to both AP#1 and AP#2 simultaneously): 1 Provide a known IP address for the LAN1 interface. 2 Assign the maximum value (65535) for the Mesh STP Priority.
Configuring Mesh Networking 3 Create a mesh supported WLAN with the Enable Client Bridge Backhaul option selected. NOTE This WLAN should not be mapped to any radio. Therefore, leave both of the “Available On” radio options unselected. 4 Select the Client Bridge checkbox to enable client bridge functionality on the 802.11a/n radio. Use the Mesh Network Name drop-down menu to select the name of the WLAN created in step 3. NOTE You don't need to configure channel settings on the client bridge (AP#3).
Verifying Mesh Network Functionality for Scenario #1 You now have a three AP mesh network ready to demonstrate. Associate a single MU on each AP WLAN configured for 802.11b/g/n radio support. Once completed, pass traffic among the three APs comprising the mesh network. Scenario 2 - Two Hop Mesh Network with a Base Bridge Repeater and a Client Bridge By default, the mesh algorithm runs an automatic link selection algorithm to determine the best possible active and redundant links.
Configuring Mesh Networking Configuring AP#2 AP#2 requires the following modifications from AP#2 in the previous scenario to function in base bridge/client bridge repeater mode. 1 Enable client bridge backhaul on the mesh supported WLAN.
2 Enable client and base bridge functionality on the 802.11a/n radio Configuring AP#3 To define AP #3’s configuration: 1 The only change needed on AP#3 (with respect to the configuration used in scenario #1), is to disable the Auto Link Selection option. Click the Advanced button within the Mesh Client Bridge Settings field.
2 Add the 802.11a/n Radio MAC Address. In scenario #2, the mesh WLAN is mapped to BSS1 on the 802.11a/n radio of each AP. The Radio MAC Address (the BSSID#1 MAC Address) is used for the AP#2 Preferred Base Bridge List. Ensure both the AP#1 and AP#2 Radio MAC Addresses are in the Available Base Bridge List. Add the AP#2 MAC Address into the Preferred Base Bridge List.
3 Determine the Radio MAC Address and BSSID MAC Addresses.
Verifying Mesh Network Functionality for Scenario #2 You now have a three AP demo multi-hop mesh network ready to demonstrate. Associate an MU on the WLANs configured on the 802.11b/g/n radio for each AP and pass traffic among the members of the mesh network.
Configuring Mesh Networking Resolution: Check the mesh backhaul radio channel configuration on both base bridges (AP1, AP2). They need to use the same channel so the client bridge can connect to both simultaneously. Mesh Deployment Issue 2 - Faulty Client Bridge Connectivity You have configured three Access Points in mesh mode; one base bridge (AP1), one client bridge/ base bridge (AP2) and one client bridge (AP3).
Resolution: Yes, MUs on mesh APs can roam seamlessly throughout the mesh network as well as with non-mesh Access Points on the wired network.
Mesh Deployment Issue 8 - Can I mesh between an AP4700 and an AP3500?
Can I mesh between these models?
Resolution: Yes, the Access Points are fairly close from a software deployment standpoint. So it is a supported configuration for three models to exist in a single topology.
10 Adaptive AP CHAPTER An adaptive AP (AAP) is an access point that can adopt like a thin AP in layer 2 or layer 3. The management of an AAP is conducted by the controller, once the access point connects to an Extreme Networks WM3000 series wireless controller and receives its AAP configuration.
● WAN Survivability—Local WLAN services at remote sites are unaffected in the case of a WAN outage.
● Securely extend corporate WLANs to stores for corporate visitors—Small home or office deployments can utilize the feature set of a corporate WLAN from their remote location.
● Maintain local WLANs for in store applications—WLANs created and supported locally can be concurrently supported with your existing infrastructure.
Controller Discovery
For an Access Point to function as an AAP (regardless of mode), it needs to connect to a controller to receive its configuration. There are two methods of controller discovery:
● Auto Discovery Using DHCP on page 607
● Manual Adoption Configuration on page 608
Auto Discovery Using DHCP
Extended Global Options 189, 190, 191, 192 can be used or Embedded Option 43 - Vendor Specific options can be embedded in Option 43 using the vendor class identifier: ExtremeAP.4700.
Adaptive AP tunnel-to-controller enable Manual Adoption Configuration A manual controller adoption of an AAP can be conducted using: ● Static FQDN—A controller fully qualified domain name can be specified to perform a DNS lookup and controller discovery. ● Static IP addresses—Up to 12 controller IP addresses can be manually specified in an ordered list the AP can choose from. When providing a list, the AAP tries to adopt based on the order in which they are listed (from 1-12).
the network. If the controller is on the Access Point’s LAN, ensure the LAN subnet is on a secure channel. The AP will connect to the controller and request a configuration. Adaptive AP WLAN Topology An AAP can be deployed in the following WLAN topologies: ● Extended WLANs—Extended WLANs are the centralized WLANs created on the controller. ● Independent WLANs—Independent WLANs are local to an AAP and can be configured from the controller.
Adaptive AP If a new controller is located, the AAP synchronizes its configuration with the located controller once adopted. If Remote Site Survivability (RSS) is disabled, the independent WLAN is also disabled in the event of a controller failure. Remote Site Survivability (RSS) RSS can be used to turn off RF activity on an AAP if it loses adoption (connection) to the controller.
● Extended WLANs with Independent WLANs on page 612
● Extended WLAN with Mesh Networking on page 612
Topology Deployment Considerations
When reviewing the AAP topologies described in the section, be cognizant of the following considerations to optimize the effectiveness of the deployment:
● An AAP firmware upgrade will not be performed at the time of adoption from the wireless controller.
Extended WLANs with Independent WLANs
An AAP can have both extended WLANs and independent WLANs operating in conjunction. When used together, MU traffic from extended WLANs goes back to the controller and traffic from independent WLANs is bridged locally by the AP. All local WLANs are mapped to LAN1, and all extended WLANs are mapped to LAN2.
Extended WLAN with Mesh Networking
Mesh networking is an extension of the existing wired network.
Configuring the Adaptive AP for Adoption by the Controller 1 An AAP needs to find and connect to the controller. To ensure this connection: ● Configure the controller’s IP address on the AAP ● Provide the controller IP address using DHCP option 189 on a DHCP server. The IP address is a comma delimited string of IP addresses. For example “157.235.94.91, 10.10.10.19”. There can be a maximum of 12 IP addresses. ● Configure the controller’s FQDN on the AAP.
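The option 189 rules above (comma delimited IP addresses, at most 12, tried in the order listed) can be checked against a DHCP offer before APs are deployed, since an AAP takes its configuration from whichever controller the offer points it to. The following Python sketch is an added example, not part of the original guide or any Extreme Networks tool. It assumes option 189 carries the list as ASCII text in the standard DHCP code/length/data option encoding; the function names, the sample offer and the approved list are constructed for illustration.

```python
import ipaddress

CONTROLLER_LIST_OPTION = 189   # option number given in the guide
MAX_CONTROLLERS = 12           # maximum list length given in the guide


def encode_option(code, data):
    """Encode one DHCP option as code, length, data (used to build the sample)."""
    return bytes([code, len(data)]) + data


def iter_dhcp_options(options):
    """Yield (code, data) pairs from a raw DHCP options field."""
    pos = 0
    while pos < len(options):
        code = options[pos]
        if code == 0:            # pad option: a single byte with no length
            pos += 1
            continue
        if code == 255:          # end option
            return
        if pos + 1 >= len(options):
            raise ValueError(f"option {code} has no length byte")
        length = options[pos + 1]
        data = options[pos + 2:pos + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} is truncated")
        yield code, data
        pos += 2 + length


def parse_controller_list(value):
    """Parse the comma delimited string into an ordered list of IPv4 addresses."""
    entries = [field.strip() for field in value.split(",")]
    if len(entries) > MAX_CONTROLLERS:
        raise ValueError(f"{len(entries)} controllers listed, maximum is {MAX_CONTROLLERS}")
    controllers = []
    for position, entry in enumerate(entries, start=1):
        try:
            controllers.append(ipaddress.IPv4Address(entry))
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"entry {position} ({entry!r}) is not an IPv4 address") from exc
    return controllers


def check_offer(options, approved):
    """Return (offered, unexpected) controller addresses, in the order offered."""
    approved_set = {ipaddress.IPv4Address(address) for address in approved}
    for code, data in iter_dhcp_options(options):
        if code == CONTROLLER_LIST_OPTION:
            offered = parse_controller_list(data.decode("ascii"))
            unexpected = [str(a) for a in offered if a not in approved_set]
            return [str(a) for a in offered], unexpected
    return [], []


# Constructed sample offer: message type (53), the guide's example list (189), end (255).
SAMPLE_OPTIONS = (
    encode_option(53, b"\x02")
    + encode_option(CONTROLLER_LIST_OPTION, b"157.235.94.91, 10.10.10.19")
    + b"\xff"
)

if __name__ == "__main__":
    # Constructed approved list: only the first address is a known controller.
    offered, unexpected = check_offer(SAMPLE_OPTIONS, ["157.235.94.91"])
    print("adoption order:", offered)
    print("not on the approved list:", unexpected)
```

Any address reported as unexpected is a controller an AP on that scope would try to adopt to, so it should be traced to its DHCP scope before deployment.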
Adaptive AP Establishing Basic Adaptive AP Connectivity This section defines the activities required to configure basic AAP connectivity with a Summit WM3400, Summit WM3600 or Summit WM3700 controller. In establishing a basic AAP connection, both the Access Point and controller require modifications to their respective default configurations.
Adopting an Adaptive AP Manually To manually enable the Access Point’s controller discovery method and connection medium required for adoption: 1 Select System Configuration > Adaptive AP Setup from the Access Point’s menu tree. 2 Select the Auto Discovery Enable checkbox.
Adaptive AP NOTE The manual AAP adoption described above can also be conducted using the Access Point’s CLI interface using the admin(system.aapsetup)> command. Adopting an Adaptive AP Using a Configuration File To adopt an AAP using a configuration file: 1 Refer to “Adopting an Adaptive AP Manually” and define the AAP controller connection parameters. 2 Export the AAP’s configuration to a secure location.
To disable automatic adoption on the controller:
1 Select Network > Access Port Radios from the controller main menu tree.
2 Select the Configuration tab (should be displayed by default) and click the Global Settings button.
3 Ensure the Adopt unconfigured radios automatically option is NOT selected. When disabled, there is no automatic adoption of non-configured radios on the network. Additionally, default radio settings will NOT be applied to Access Ports when automatically adopted.
Adaptive AP NOTE Additionally, a WLAN can be defined as independent using the "wlan independent" command from the config-wireless context. Once an AAP is adopted by the controller, it displays within the controller Access Port Radios screen (under the Network parent menu item) as an Access Point within the AP Type column.
Adaptive AP Deployment Considerations Before deploying your controller/AAP configuration, refer to the following usage caveats to optimize its effectiveness: ● Extended WLANs are mapped to the AP’s LAN2 interface and all independent WLANs are mapped to the AP’s LAN1 Interface. ● If deploying multiple independent WLANs mapped to different VLANs, ensure the AP’s LAN1 interface is connected to a trunk port on the L2/L3 controller and appropriate management and native VLANs are configured.
Adaptive AP Sample Controller Configuration File for IPSec and Independent WLAN The following constitutes a sample Summit WM3700 wireless LAN controller configuration file supporting an AAP IPSec with Independent WLAN configuration. Please note new AAP specific CLI commands in red and relevant comments in blue. NOTE In addition to the sample configuration below, a WMM policy should be enabled and configured for the Access Point in AAP mode.
!
ip http server
ip http secure-trustpoint default-trustpoint
ip http secure-server
ip ssh
no service pm sys-restart
timezone America/Los_Angeles
license AP xyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxx yxyxyx
!
wireless
no adopt-unconf-radio enable
manual-wlan-mapping enable
wlan 1 enable
wlan 1 ssid qs5-ccmp
wlan 1 vlan 200
wlan 1 encryption-type ccmp
wlan 1 dot11i phrase 0 admin123
wlan 2 enable
wlan 2 ssid qs5-tkip
wlan 2 vlan 210
wlan 2 encryption-type tkip
wlan
radio 2 base-bridge max-clients 12
radio 2 base-bridge enable
radio add 3 00-15-70-00-79-12 11bg aap4700
radio 3 bss 1 3
radio 3 bss 2 4
radio 3 bss 3 2
radio 3 channel-power indoor 6 8
radio 3 rss enable
radio add 4 00-15-70-00-79-12 11a aap4700
radio 4 bss 1 5
radio 4 bss 2 6
radio 4 channel-power indoor 48 4
radio 4 rss enable
radio 4 client-bridge bridge-select-mode auto
radio 4 client-bridge ssid Mesh
radio 4 client-bridge mesh-timeout 0
radio 4 client-bridge enable
radio default-11a rss e
interface ge4
controllerport access vlan 1
!
interface me1
ip address dhcp
!
interface sa1
controllerport mode trunk
controllerport trunk native vlan 1
controllerport trunk allowed vlan none
controllerport trunk allowed vlan add 1-9,100,110,120,130,140,150,160,170,
controllerport trunk allowed vlan add 180,190,200,210,220,230,240,250,
!
!
!
!
interface vlan1
ip address dhcp
! To attach a Crypto Map to a VLAN Interface
!
crypto map AAP-CRYPTOMAP
!
sole
!
ip route 157.235.0.0/16 157.235.92.2
ip route 172.0.0.
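Several commands in the sample file deserve a second look before the file is reused in production: `ip http server` sits beside `ip http secure-server`, WLAN 2 uses `encryption-type tkip`, and the WLAN 1 passphrase is readable in the file. The following Python audit is an added example, not part of the original guide or any Extreme Networks tool. The rule names and function names are hypothetical, and reading `ip http server` as the unencrypted management interface and `phrase 0` as a passphrase stored in readable form are assumptions; the input is constructed from commands shown in the sample.

```python
import re
from typing import NamedTuple

# Constructed input: a subset of the commands from the sample file above.
SAMPLE_CONFIG = """\
!
ip http server
ip http secure-trustpoint default-trustpoint
ip http secure-server
ip ssh
!
wireless
no adopt-unconf-radio enable
manual-wlan-mapping enable
wlan 1 enable
wlan 1 ssid qs5-ccmp
wlan 1 vlan 200
wlan 1 encryption-type ccmp
wlan 1 dot11i phrase 0 admin123
wlan 2 enable
wlan 2 ssid qs5-tkip
wlan 2 vlan 210
wlan 2 encryption-type tkip
!
"""


class Finding(NamedTuple):
    rule: str
    subject: str
    detail: str


WLAN_LINE = re.compile(r"^wlan\s+(\d+)\s+(\S.*)$")
# Assumption: the "0" after "phrase" marks a passphrase stored as readable text.
PHRASE_LINE = re.compile(r"^(wlan\s+\d+\s+dot11i\s+phrase\s+0\s+)(\S+)$")


def audit_controller_config(text):
    """Return review findings for one controller configuration file."""
    findings, enabled, ssid, enc, readable_psk = [], set(), {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "ip http server":
            findings.append(Finding("http-management", "management",
                                    "plain HTTP server enabled beside ip http secure-server"))
        elif line == "adopt-unconf-radio enable":
            findings.append(Finding("auto-adopt", "wireless",
                                    "unconfigured radios are adopted automatically"))
        match = WLAN_LINE.match(line)
        if not match:
            continue
        index, args = int(match.group(1)), match.group(2).split()
        if args == ["enable"]:
            enabled.add(index)
        elif args[0] == "ssid" and len(args) > 1:
            ssid[index] = args[1]
        elif args[0] == "encryption-type" and len(args) > 1:
            enc[index] = args[1]
        elif PHRASE_LINE.match(line):
            readable_psk[index] = len(args[-1])   # keep the length, never the secret
    for index in sorted(enabled | set(readable_psk)):
        name = f"wlan {index} ({ssid.get(index, 'no ssid')})"
        if index in readable_psk:
            findings.append(Finding("readable-psk", name,
                                    f"passphrase of {readable_psk[index]} characters is readable in the file"))
        if index in enabled and enc.get(index) != "ccmp":
            findings.append(Finding("weak-encryption", name,
                                    f"encryption-type is {enc.get(index, 'not set')}, not ccmp"))
    return findings


def redact_secrets(text):
    """Return the configuration with readable passphrases replaced, for sharing."""
    out = []
    for raw in text.splitlines():
        indent = raw[: len(raw) - len(raw.lstrip())]
        match = PHRASE_LINE.match(raw.strip())
        out.append(indent + match.group(1) + "<redacted>" if match else raw)
    return "\n".join(out)


if __name__ == "__main__":
    for finding in audit_controller_config(SAMPLE_CONFIG):
        print(f"{finding.rule:16} {finding.subject:20} {finding.detail}")
    print(redact_secrets(SAMPLE_CONFIG))
```

Run `redact_secrets` on a configuration before it is exported to a shared location or attached to a support case.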
A Technical Specifications APPENDIX This appendix section provides technical specifications for the following: ● Physical Characteristics on page 625 ● Electrical Characteristics on page 626 ● Radio Characteristics on page 626 ● Country Codes on page 627 Physical Characteristics This section describes the physical characteristics of the Altitude 4700 Series Access Points: ● Altitude 4710 and Altitude 4750 Physical Characteristics on page 625 Altitude 4710 and Altitude 4750 Physical Characterist
Electrical Characteristics The Altitude 4700 Series Access Points have the following electrical characteristics: Table 3: Electrical Characteristics Operating Voltage 38-54V DC Operating Current Not to exceed 600mA @ 48VDC Radio Characteristics This section describes the radio characteristics of the Altitude 4700 Series Access Points: ● Altitude 4710 and Altitude 4750 Radio Characteristics on page 626 Altitude 4710 and Altitude 4750 Radio Characteristics An Altitude 4710 and Altitude 4750 has the foll
Country Codes
The following list of countries and their country codes is useful when using the Access Point configuration file, CLI or the MIB to configure the Access Point:
Table 5: Country Codes
Country                 Code
Algeria                 DZ
Anguilla                AI
Argentina               AR
Australia               AU
Austria                 AT
Bahamas                 BS
Bahrain                 BH
Barbados                BB
Belarus                 BY
Belgium                 BE
Bermuda                 BM
Bolivia                 BO
Botswana                BW
Bosnia-Herzegovina      BA
Brazil                  BR
Bulgaria                BG
Canada                  CA
Chile                   CL
China                   CN
Christmas Islands       CX
Colombia                CO
Co
Table 5: Country Codes (Continued)
Country                 Code
Greece                  GR
Guadeloupe              GP
Guatemala               GT
Guyana                  GY
Haiti                   HT
Honduras                HN
Hong Kong               HK
Hungary                 HU
Iceland                 IS
India                   IN
Indonesia               ID
Ireland                 IE
Italy                   IT
Jamaica                 JM
Japan                   JP
Jordan                  JO
Kazakhstan              KZ
Kenya                   KE
Kuwait                  KW
Latvia                  LV
Lebanon                 LB
Liechtenstein           LI
Lithuania               LT
Luxembourg              LU
Macau                   MO
Macedonia               MK
Malaysia                MY
Malta                   MT
Martinique              MQ
Mexico                  MX
Moldova                 MD
Montenegro              ME
Morocco                 MA
Namibia                 NA
Netherla
Table 5: Country Codes (Continued)
Country                 Code
Norway                  NO
Oman                    OM
Pakistan                PK
Panama                  PA
Paraguay                PY
Peru                    PE
Philippines             PH
Poland                  PL
Portugal                PT
Puerto Rico             PR
Qatar                   QA
Romania                 RO
Russia                  RU
Saudi Arabia            SA
Serbia                  RS
Singapore               SG
Slovak Republic         SK
Slovenia                SI
South Africa            ZA
South Korea             KR
Spain                   ES
Sri Lanka               LK
Sweden                  SE
Switzerland             CH
Taiwan                  TW
Thailand                TH
Trinidad and Tobago     TT
Tunisia                 TN
Turkey                  TR
UAE                     AE
Ukraine                 UA
United Kingdom          GB
Urugua
Appendix B: Usage Scenarios

This appendix section provides practical usage scenarios for many of the Access Point’s key features. This information should be referenced as a supplement to the information contained within this Product Reference Guide.
Windows - DHCP Server Configuration

See the following sections for information on these DHCP server configurations in the Windows environment:
● Embedded Options - Using Option 43 on page 632
● Global Options - Using Extended/Standard Options on page 633
● DHCP Priorities on page 635

Embedded Options - Using Option 43

This section provides instructions for automatic update of firmware and configuration file via DHCP using extended options or standard options configured globally.
5 While the Access Point boots, verify the Access Point:
  ● Obtains and applies the expected IP Address from the DHCP Server
  ● Downloads both the firmware and configuration files from the TFTP Server and updates both as needed. Verify the file versions within the System Settings screen.

NOTE
If the firmware files are the same, the firmware will not get updated.
  d Under the General tab, check all 3 options mentioned within the Extended Options table and enter a value for each option.
3 Copy both the firmware and configuration files to the appropriate directory on the TFTP Server. By default, auto update is enabled on the Access Point (since the LAN Port is a DHCP Client, out-of-the-box auto update support is on the LAN Port).
4 Restart the Access Point.
DHCP Priorities

The following flowchart indicates the priorities used by the Access Point when the DHCP server is configured for multiple options.

If the DHCP Server is configured for options 186 and 66 (to assign TFTP Server IP addresses) the Access Point uses the IP address configured for option 186.
The setup example described in this section includes:
● 1 Access Point (either an Altitude 4710 or Altitude 4750 model)
● 1 Linux/Unix BOOTP Server
● 1 TFTP Server

To configure BootP options using a Linux/Unix BootP Server:
1 Set the Linux/Unix BootP Server and Access Point on the same Ethernet segment.
2 Configure the bootptab file (/etc/bootptab) on the Linux/Unix BootP Server in any one of the formats that follows:

Using options 186, 187 and 188:
AP47xx:ha=00a0f88aa6d8\
 :sm=255.255.255.0\
 :ip=157.
5 While the Access Point boots, verify the Access Point:
  ● Sends a true BootP request.
  ● Obtains and applies the expected IP Address from the BootP Server.
  ● Downloads both the firmware and configuration files from the TFTP Server and updates them as required. Verify the file versions within the System Settings screen.

Whenever a configuration file is specified, the Access Point will tftp the config file, parse it and use the firmware file name in the config file.
Configuring an IPSEC Tunnel and VPN FAQs

The Access Point has the capability to create a tunnel between an Access Point and a VPN endpoint. The Access Point can also create a tunnel from one Access Point to another Access Point. The following instructions assume the reader is familiar with basic IPSEC and VPN terminology and technology.
5 Enter the WAN port IP address of AP #1 for the Local WAN IP.
6 Within the Remote Subnet and Remote Subnet Mask fields, enter the LAN IP subnet and mask of AP #2/Device #2.
7 Enter the WAN port IP address of AP #2/Device #2 for a Remote Gateway.
8 Click Apply to save the changes.

NOTE
For this example, Auto IKE Key Exchange is used. Any key exchange can be used, depending on the security needed, as long as both devices on each end of the tunnel are configured exactly the same.
11 For the ESP Type, select ESP with Authentication and use AES 128-bit as the ESP encryption algorithm and MD5 as the authentication algorithm. Click OK.
12 Select the IKE Settings button.
13 Select Pre Shared Key (PSK) from the IKE Authentication Mode drop-down menu.
14 Enter a Passphrase. Passphrases must match on both VPN devices.
NOTE
Ensure the IKE authentication Passphrase is the same as the Pre-shared key on the Cisco PIX device.

15 Select AES 128-bit as the IKE Encryption Algorithm.
16 Select Group 2 as the Diffie-Hellman Group. Click OK. This will take you back to the VPN screen.
17 Click Apply to make the changes.
18 Check the VPN Status screen. Notice the status displays "NOT_ACTIVE". This screen automatically refreshes to get the current status of the VPN tunnel.
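The steps above require both ends of the tunnel to be configured identically, with each side's Remote Gateway and Remote Subnet mirroring the other side's local values. The following Python check is an added example, not part of this guide or of the Access Point software; its field names and all sample addresses and values are constructed for illustration. It reports mismatches between two peers and flags MD5 authentication and small Diffie-Hellman groups, which RFC 8221 and RFC 8247 advise against.

```python
import ipaddress

# Hypothetical field names standing in for the GUI settings in steps 5-16.
MUST_MATCH = ("ike_auth_mode", "passphrase", "ike_encryption", "dh_group",
              "esp_encryption", "esp_authentication")
# Choices RFC 8221 (ESP) and RFC 8247 (IKEv2) mark MUST NOT or SHOULD NOT.
DISCOURAGED = {"esp_authentication": {"MD5"}, "dh_group": {1, 2, 5}}


def audit_tunnel(a, b):
    """Return findings for two peer configurations meant to form one tunnel."""
    findings = []
    for name in MUST_MATCH:
        if a[name] != b[name]:
            # Never echo the passphrase itself into a report.
            shown = "" if name == "passphrase" else f" ({a[name]} vs {b[name]})"
            findings.append(f"MISMATCH {name}{shown}")
    # Each side's remote gateway and subnet must mirror the peer's local values.
    for x, y, label in ((a, b, "A->B"), (b, a, "B->A")):
        if ipaddress.ip_address(x["remote_gateway"]) != ipaddress.ip_address(y["local_wan_ip"]):
            findings.append(f"MISMATCH {label} remote_gateway")
        if ipaddress.ip_network(x["remote_subnet"]) != ipaddress.ip_network(y["lan_subnet"]):
            findings.append(f"MISMATCH {label} remote_subnet")
    for name, bad in DISCOURAGED.items():
        for side, cfg in (("A", a), ("B", b)):
            if cfg[name] in bad:
                findings.append(f"WEAK {side} {name}={cfg[name]}")
    return findings


# Constructed sample values (documentation address ranges), not from the guide.
AP1 = {"local_wan_ip": "192.0.2.1", "lan_subnet": "10.1.1.0/255.255.255.0",
       "remote_gateway": "192.0.2.2", "remote_subnet": "10.2.2.0/255.255.255.0",
       "ike_auth_mode": "PSK", "passphrase": "constructed-example-passphrase",
       "ike_encryption": "AES 128-bit", "dh_group": 2,
       "esp_encryption": "AES 128-bit", "esp_authentication": "MD5"}
AP2 = dict(AP1, local_wan_ip="192.0.2.2", lan_subnet="10.2.2.0/255.255.255.0",
           remote_gateway="192.0.2.1", remote_subnet="10.1.1.0/255.255.255.0")
# A peer with a different DH group and a mistyped remote subnet.
AP2_BAD = dict(AP2, dh_group=5, remote_subnet="10.1.0.0/255.255.255.0")

if __name__ == "__main__":
    for finding in audit_tunnel(AP1, AP2_BAD):
        print(finding)
```

A tunnel that stays at "NOT_ACTIVE" with MISMATCH findings points to the peers disagreeing on a setting; WEAK findings do not prevent the tunnel from coming up.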
The figure below shows how the Access Point VPN Status screen should look if the entire configuration is set up correctly once the VPN tunnel is active. The status field should display “ACTIVE”.

Frequently Asked VPN Questions

The following are common questions that arise when configuring a VPN tunnel.

● Question 1: Does the Access Point IPSec tunnel support multiple subnets on the other end of a VPN concentrator?
  Yes.
● Question 2: Even if a wildcard entry of “0.0.0.0” is entered in the Remote Subnet field in the VPN configuration page, can the AP access multiple subnets on the other end of a VPN concentrator for the AP's LAN/WAN side?
  No. Using a “0.0.0.0” wildcard is an unsupported configuration. In order to access multiple subnets, the steps in Question #1 must be followed.

● Question 3: Can the AP be accessed via its LAN interface of AP#1 from the local subnet of AP#2 and vice versa?
  Yes.
  ● UFQDN—tries to match the user-entered remote ID data string to the email address field of the received certificate.

● Question 8: I am using a direct cable connection between my two VPN gateways for testing and cannot get a tunnel established, yet it works when I set them up across another network or router. Why?
  The packet processing architecture of the Access Point VPN solution requires the WAN default gateway to work properly.
● Question 11: My tunnel works fine when I use the LAN-WAN Access page to configure my firewall. Now that I use Advanced LAN Access, my VPN stops working. What am I doing wrong?
  VPN requires certain packets to be passed through the firewall. Subnet Access automatically inserts these rules for you when you do VPN. Advanced Subnet Access requires these rules to be in effect for each tunnel.
Appendix C: Customer Support

NOTE
Services can be purchased from Extreme Networks or through one of its channel partners. If you are an end-user who has purchased service through an Extreme Networks channel partner, please contact your partner first for support.

Extreme Networks Technical Assistance Centers (TAC) provide 24x7x365 worldwide coverage. These centers are the focal point of contact for post-sales technical and network-related questions or issues.