User guide

ManualsBrandsExtreme Networks ManualsSwitchSummit WM Series

Extreme Networks, Inc.

3585 Monroe Street

Santa Clara, California 95051

(888) 257-3000

http://www.extremenetworks.com

Summit WM-Series WLAN Switch and Altitude

Access Point Software Version 1.0 User Guide

Published: September 2005

Part number: 100198-00 Rev 03

Summary of content (228 pages)

PAGE 1
Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide Extreme Networks, Inc. 3585 Monroe Street Santa Clara, California 95051 (888) 257-3000 http://www.extremenetworks.
PAGE 2
Alpine, Altitude, BlackDiamond, EPICenter, Ethernet Everywhere, Extreme Ethernet Everywhere, Extreme Networks, Extreme Turbodrive, Extreme Velocity, ExtremeWare, ExtremeWorks, GlobalPx Content Director, the Go Purple Extreme Solution Partners Logo, ServiceWatch, Summit, the Summit7i Logo, and the Color Purple, among others, are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and other countries.
PAGE 3
Table of Contents About this Guide.............................................................................................................................. 9 Who should use this guide ...........................................................................................................9 What is in this guide ...................................................................................................................9 Formatting conventions.....................................................
PAGE 4
Table of Contents Chapter 4: Altitude AP: startup ....................................................................................................... 41 Altitude AP features ..................................................................................................................41 Installing the Altitude APs .........................................................................................................43 Connecting and powering the Altitude AP ........................................
PAGE 5
Table of Contents Privacy for a WM-AD..................................................................................................................96 Privacy for a WM-AD for Captive Portal ..................................................................................96 Privacy for a WM-AD for AAA ................................................................................................97 A WM-AD with no authentication ............................................................................
PAGE 6
Table of Contents Appendix C: DHCP, SLP, and Option 78 reference ......................................................................... 173 Service Location Protocol (SLP) (RFC2608)...............................................................................174 DHCP Options for Service Location Protocol (RFC2610) .............................................................174 SLP Directory Agent Option (Option 78) ....................................................................................
PAGE 7
Table of Contents RU_MANAGER .................................................................................................................208 SECURITY_MANAGER.......................................................................................................208 VNMGR............................................................................................................................210 Appendix H: Regulatory Information ..........................................................................
PAGE 8
Table of Contents 8 Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.
PAGE 9
About this Guide This guide describes how to install, configure, and manage the Summit WM-Series Switch Software. Who should use this guide This guide is a reference for system administrators who install and manage the Summit WM-Series Switch Software. What is in this guide This guide contains the following chapters: ● About this Guide describes the target audience and content of the guide, the formatting conventions used in it, and how to provide feedback on the guide.
PAGE 10
About this Guide ● Appendix C provides background information on how the discovery process uses these network services. ● Appendix D provides a reference list of RFCs supported. ● Appendix E provides information on a support tool. ● Appendix F provides a reference list of the RADIUS Attributes that are supported by the Summit WM-Series Switch Software. ● Appendix G provides a reference list of the log and event messages.
PAGE 11
Protocols and standards Protocols and standards Appendix D lists the protocols and standards supported by the Summit WM-Series Switch Software. These lists include the Requests for Comment (RFCs) of the Internet Engineering Task Force (IETF) and the 802.11 standards developed by the Institute of Electrical and Electronics Engineers (IEEE). Regulatory information Appendix H provides regulatory information for the Summit WM-Series Switch and the Altitude 350-2 Wireless Access Point.
PAGE 12
About this Guide 12 Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.
PAGE 13
1 The Summit WM-Series Switch Software solution The next generation of Extreme Networks wireless networking devices provides a truly scalable WLAN solution. Extreme Networks Altitude APs are thin access points that are controlled through a sophisticated network device, the Summit WM-Series Switch. This solution provides the security and manageability required by enterprises and service providers alike.
PAGE 14
The Summit WM-Series Switch Software solution An alternative to the ad hoc configuration is the use of an access point. This may be a dedicated hardware router or a computer running special software. Computers and other wireless devices communicate with each other through this access point. The 802.11 standard defines Access Point communications as devices that allow wireless devices to communicate with a “distribution system”. This is a basic service set (BSS) or infrastructure network.
PAGE 15
What is the Summit WM-Series Switch Software system? frequency (RF) communication but relies on a controller to handle WLAN elements such as authentication.) The Altitude AP also provides local processing such as encryption. This architecture allows a single Summit WM-Series Switch to control many Altitude APs, making the administration and management of large networks much easier. There can be several Summit WM-Series Switchs in the network, each with its set of registered Altitude APs.
PAGE 16
The Summit WM-Series Switch Software solution Simplifying the Altitude APs makes them: ● cost-effective ● easy to manage ● easy to deploy Putting control on an intelligent centralized Summit WM-Series Switch enables: ● centralized configuration, management, reporting, maintenance ● high security ● flexibility to suit enterprise ● scalable and resilient deployments with a few Summit WM-Series Switches controlling hundreds of Altitude APs Here are some of the Summit WM-Series Switch Software sys
PAGE 17
Summit WM-Series Switch Software and your network Summit WM-Series Switch Software and your network Components of the solution: a summary The following is a summary checklist of the components of the Summit WM-Series Switch Software solution on your enterprise network. These are described in detail in this guide.
PAGE 18
The Summit WM-Series Switch Software solution ● a device that supports SSH, for serial port access to the Command Line Interface (CLI), for file management and monitoring by a network technician. Network traffic flow Figure 3: Traffic Flow diagram RADIUS authentication server DHCP server External web authentication server Summit WM Wireless Controller control & routing SWC authenticates wireless user, forwards IP packet to wired network.
PAGE 19
Summit WM-Series Switch Software and your network Network security The Summit WM-Series Switch Software system provides features and functionality to control network access. These are based on standard wireless network security practices. Current wireless network security methods provide a degree of protection. These methods include: ● Shared Key authentication that relies on Wired Equivalent Privacy (WEP) keys ● Open System that relies on Service Set Identifiers (SSIDs) ● 802.
PAGE 20
The Summit WM-Series Switch Software solution It also provides Wi-Fi Protected Access version 1 (WPA v.1) encryption, based on Pairwise Master Key (PMK) and Temporal Key Integrity Protocol (TKIP). The most secure encryption mechanism is WPA version 2 using Advanced Encryption Standard (AES). Interaction with wired networks: Wireless Mobility Access Domain Summit WM-Series Switch Software provides a versatile means of mapping wireless networks to the topology of an existing wired network.
PAGE 21
Summit WM-Series Switch Software and your network Policy: packet filtering Policy refers to the rules that allow different network access to different groups of users. The Summit WM-Series Switch Software system can link authorized users to user groups. These user groups then can be confined to predefined portions of the network. In the Summit WM-Series Switch Software system, policy is carried out by means of packet filtering, within a WM-AD.
PAGE 22
The Summit WM-Series Switch Software solution Availability Summit WM-Series Switch Software provides seamless availability against Altitude AP outages, Summit WM-Series Switch outages, and even network outages. For example, if one Altitude AP fails, coverage for the wireless device is automatically provided by the next nearest Altitude AP.
PAGE 23
2 Summit WM-Series Switch: Startup Summit WM-Series Switch features and installation The Summit WM-Series Switch is a network device designed to be integrated into an existing wired Local Area Network (LAN). Figure 4: The Summit WM-Series Switch The Summit WM-Series Switch provides centralized management, network access and routing to wireless devices that are using Altitude APs to access the network. It can also be configured to handle data traffic from third-party access points.
PAGE 24
Summit WM-Series Switch: Startup Installing the Summit WM-Series Switch Before you begin installation, make sure that a site survey has been done, to determine the number and location of Altitude APs and Summit WM-Series Switches required.
PAGE 25
First-time setup of Summit WM-Series Switch Command Line Interface (CLI) commands for the initial setup are described in an attached appendix. ● a laptop computer, running a web browser such as Internet Explorer 6.0 (or higher), attached to the Summit WM-Series Switch’s ethernet Management Port (RJ45 port) via an ethernet cross-over cable (cable provided with the Summit WM-Series Switch). The steps for initial setup in the Graphical User Interface are described below.
PAGE 26
Summit WM-Series Switch: Startup 5 Key in the factory default User Name (“admin”) and Password (“abc123”). Click on the Login button. The main menu screen appears. 6 Click on the Summit WM-Series Switch Configuration menu option to navigate to the Summit WMSeries Switch Configuration screen. 7 In the left-hand list, click on the IP Addresses option. The Management Port Settings area (top portion of the screen) displays the factory settings for the Summit WM-Series Switch.
PAGE 27
First-time setup of Summit WM-Series Switch 8 To modify Management Port Settings, click the Modify button. The System Port Configuration screen appears. 9 Key in: Hostname The name of the Summit WM-Series Switch Domain The IP domain name of the enterprise network Management IP Address The new IP address for the Summit WM-Series Switch’s management port (change this as appropriate to the enterprise network).
PAGE 28
Summit WM-Series Switch: Startup The graphical user interface (GUI): overview The administrator can configure and administer the Summit WM-Series Switch Software system using the web-based Graphical User Interface. To run the graphical user interface 1 Launch Microsoft Internet Explorer (version 6.0 or above), or other web browser. 2 In the address bar, key in the URL https://x.x.x.x:5825 (your management gateway as defined in initial setup plus port 5825, formerly factory default 192.168.10.1:5825).
PAGE 29
The graphical user interface (GUI): overview Table 2: Summit WM-Series Switch Software user interface summary (Continued) Tab Screen Function WM-AD Configuration Global Settings Add a subnet WM-AD Topology WM-AD Authen & Acct WM-AD RADIUS Policy WM-AD Filtering WM-AD Privacy Define RADIUS servers,& global settings Left-hand list. Enter name. Click to add.
PAGE 30
Summit WM-Series Switch: Startup 30 Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.
PAGE 31
3 Summit WM-Series Switch Software configuration Configuration steps: overview To set up and configure the Summit WM-Series Switch and Altitude APs, follow these steps: 1 First-time Setup: Perform “First-Time Setup” of the Summit WM-Series Switch on the physical network to modify the Management Port IP address for the enterprise network. 2 Product Key: Apply a Product Key file, for licensing purposes.
PAGE 32
Summit WM-Series Switch Software configuration Enabling the product key on the Summit WM-Series Switch 1 Click on the Summit Switch tab. The Summit WM-Series Switch Configuration screen appears. Click on the Software Maintenance option. Then click on the SWM Product Keys tab. The Product Keys screen appears. The top portion of the screen displays the current Product Key settings. The lower portion permits you to browse for a Product Key file and apply it.
PAGE 33
Setting up the data ports 2 Click in a port row to highlight it. 3 For the highlighted port, key in the: IP address IP Address of the physical ethernet port. Subnet mask For the IP address, the appropriate subnet mask to separate the network portion from the host portion of the address (typically 255.255.255.0) MTU Maximum Transmission Unit (maximum packet size for this port). Default setting is 1500.
PAGE 34
Summit WM-Series Switch Software configuration Port Type or Function A new Summit WM-Series Switch is shipped from the factory with all its data ports set up as “Host ports”, and support of management traffic disabled on all data ports. In the Summit WM-Series Switch Configuration – IP Addresses screen, you can redefine the data ports to function as one of three types: ● Host Port Use “Host Port” for connecting Altitude APs, with no dynamic routing.
PAGE 35
Setting up static routes Setting up static routes It is recommended that you define a default route to your enterprise network, either with a static route or by using OSPF protocol. This will enable the Summit WM-Series Switch to forward wireless packets to the remainder of the network. Setting up a static route on the Summit WM-Series Switch 1 Click on the Summit Switch tab. In the Summit WM-Series Switch Configuration screen, click on the Routing Protocols option. 2 Click the Static Routes tab.
PAGE 36
Summit WM-Series Switch Software configuration 7 The Override dynamic routes checkbox is on by default. This means the static routes defined here will have priority over the OSPF learned routes (including default route) that the Summit WM-Series Switch uses for routing. If you wish to remove this priority for static routes, so that routing is controlled dynamically at all times, click the Override dynamic routes checkbox off.
PAGE 37
Setting up OSPF Routing Ensure that the OSPF parameters defined here for the Summit WM-Series Switch are consistent with the adjacent routers in the OSPF area. The parameters include the following: ● If the peer router has different timer settings, the protocol timer settings in the Summit WM-Series Switch must be changed to match, in order to achieve OSPF adjacency. ● The MTU of the ports on either end of an OSPF link must match.
PAGE 38
Summit WM-Series Switch Software configuration 4 In the Port Settings area, for the data port defined as a “Router Port”, fill in these fields: Port Status: To enable OSPF on the port, select Enabled from the drop-down list. Link Cost: Key in the OSPF standard for your network for this port. Default displayed is 10. (The cost of sending a data packet on the interface. The lower the cost, the more likely the interface is to be used to forward data traffic.
PAGE 39
Filtering at the interface level Port-based exception filters: built-in On the Summit WM-Series Switch, various port-based exception filters are built in and invoked automatically. These filters protect the Summit WM-Series Switch from unauthorized access to system management functions and services via the ports. For example, on the Summit WM-Series Switch’s data interfaces (both physical interfaces and WM-AD virtual interfaces), the built-in exception filter prohibits invoking SSH, HTTPS, or SNMP.
PAGE 40
Summit WM-Series Switch Software configuration Define port exception filters 1 Click on the Summit Switch tab. Click on the Port Exception Filters option. The Port Exception Filters screen appears. 2 Select the data port from the pull-down list to which these filters will apply. 3 For each filtering rule you are defining: IP / Port: Type in the destination IP address. You can also specify an IP range, a port designation or a port range on that IP address. Protocol: Default is N/A.
PAGE 41
4 Altitude AP: startup You are now ready to add the Altitude APs to the Summit WM-Series Switch Software system and register them with the Summit WM-Series Switch. Before the Altitude APs can handle wireless traffic, you will also need to assign the Altitude APs to a WM-AD.
PAGE 42
Altitude AP: startup The Altitude AP has two radios: ● a 5 GHz radio that supports the 802.11a standard The 802.11a standard is an extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in the 5-GHz band. 802.11a uses an orthogonal frequency division multiplexing encoding scheme rather than FHSS or DSSS.
PAGE 43
Installing the Altitude APs Installing the Altitude APs Install the Altitude APs as described in the Altitude AP Installation Guide packed with the units. 1 Unpack the Altitude AP from its shipment carton. Check that all parts are present, using the Installation Guide packed with the unit. 2 Mount the Altitude AP wall bracket, using 3 screws, near the LAN ethernet cable plug coming from the wall. 3 Press the back of the Altitude AP onto the bracket, aligning it with the open notches in the bracket.
PAGE 44
Altitude AP: startup Connecting and powering the Altitude AP WARNING! The Altitude 350-2 with internal and detachable antenna is intended for indoor use only. Device must not be connected to a LAN segment exposed to outdoor wiring. Ensure that all cables are installed to avoid strain. Replace the power supply adaptor immediately, if it shows any signs of damage.
PAGE 45
Discovery and registration: Altitude AP registration settings During the “Registration” process, the Summit WM-Series Switch’s approval of the serial number of the Altitude AP depends on the security mode that has been set: ● Allow all If the Summit WM-Series Switch does not recognize the serial number, it sends a default configuration to the Altitude AP. If it recognizes the serial number, it sends the specific configuration (port and binding key) set for that Altitude AP.
PAGE 46
Altitude AP: startup Delay between Retries The default is 1 second 4 To save the above parameters, click the Save button. This completes the preparation for the “discovery” process. Now you can go back to the Altitude APs and power them on. Discovery and registration When the Altitude AP is powered on, it automatically begins a “discovery” process to determine the IP address of the Summit WM-Series Switch. When successful, it registers with the Summit WM-Series Switch.
PAGE 47
Discovery and registration Discover step 2: static IP address You can specify a list of static IP addresses of the Summit WM-Series Switches on your network. On the Altitude AP Configuration screen Static Configuration tab, add the addresses to the Summit WM-Series Switch Search List. WARNING! Care must be taken when setting or changing these values. Altitude APs configured statically will connect only to Summit WM-Series Switches in the list.
PAGE 48
Altitude AP: startup Registration after discovery Any of the discovery steps 2 through 5 can inform the Altitude AP of a list of multiple IP addresses to which the Altitude AP may attempt to connect. Once the Altitude AP has “discovered” these addresses, it sends out connection requests to all of them simultaneously. It will attempt to register only with the first which responds to its request.
PAGE 49
Altitude AP access approval 4 The Altitude AP “learns” the IP address of the Summit WM-Series Switch, Status LED: orange (blink) when IP address successfully obtained (“Registration” process underway) Status LED: red (blink) if “Registration” fails 5 The Altitude AP sends its serial number (a unique identifier that is hard coded during manufacture) to the Summit WM-Series Switch.
PAGE 50
Altitude AP: startup Modify a Altitude AP's registration status (approve access) 1 Click on the Altitude APs tab. The Altitude AP Configuration screen appears. Click on the Access Approval option. The Access Approval screen appears, displaying the current registered Altitude APs and their current status.
PAGE 51
Configuring properties and radios Configuring properties and radios Once a Altitude AP has successfully registered on the Summit WM-Series Switch, it appears in the side list in the Altitude AP Configuration: Properties screen, where you can modify its properties and radio parameters. View and modify properties of registered Altitude APs 1 Select the Altitude APs tab in any screen. The Altitude AP Configuration screen appears, with a list of registered Altitude APs.
PAGE 52
Altitude AP: startup 3 To modify the default information about a selected Altitude AP, key in information in the following fields (where appropriate): Serial # (Display only) A unique identifier set during manufacture. Name Defaults to the serial number. Change this to a unique descriptive name that more easily identifies the Altitude AP. Description Available for descriptive comments (optional). Port # From the drop-down list, select the ethernet port through which the Altitude AP can be reached.
PAGE 53
Configuring properties and radios View and modify the radio settings 1 Select the Altitude APs tab in any screen. The Altitude AP Configuration screen appears, with a list of registered Altitude APs. 2 Highlight the appropriate Altitude AP in the list. Then click on either radio tab: ● 802.11 b/g (2.4 GHz radio) ● 802.11a (5 GHz radio) Each screen displays the default radio settings for each radio on the Altitude AP.
PAGE 54
Altitude AP: startup 3 Modify these Base Settings where appropriate. BSS Info (Display only) After WM-AD configuration, the Basic Service Set (BSS) area displays the MAC address on the Altitude AP for each WM-AD and the SSIDs of the WM-AD to which this radio has been assigned. DTIM Delivery Traffic Indication Message period. Default is 2. Beacon Period Time units between beacon transmissions. Default is 100.
PAGE 55
Configuring properties and radios NOTE Radio A Channels 100 to 140 occupy the 5470-5725 MHz band, in the regulatory domains of the European Union and European Union free trade countries. Radio B/G Channels 12 to 14 are not available in North America. Radio Channels 802.
PAGE 56
Altitude AP: startup Adding a Altitude AP manually Add and register a Altitude AP manually: 1 Select the Altitude AP tab. In any radio screen, click on the Add Altitude AP button. The Add Altitude AP subscreen appears. 2 Key in, or select from the drop-down list, information in the following fields: Serial # A unique identifier set during manufacture. Name A unique name for the Altitude AP. Description Available for descriptive comments (optional).
PAGE 57
Configuring properties and radios Altitude AP static configuration: branch office deployment The Altitude AP static configuration feature provides Summit WM-Series Switch Software capability for a network with the central office / branch office model. In this scenario, Altitude APs are installed in remote sites, while the Summit WM-Series Switch is in the central office. The Altitude APs require the capability to interact in both the local site network and the central network.
PAGE 58
Altitude AP: startup 3 Click the Bridge Traffic Locally checkbox on to enable this. When authentication of a wireless device user in the Branch Office is complete, the Altitude AP will direct all traffic to the local network. Authentication is 802.1x-AAA. Authentication by Captive Portal is not supported 4 In the Summit WM-Series Switch Search List area of the screen, in the entry field, key in the IP address of the Summit WM-Series Switch that will control this Altitude AP.
PAGE 59
Auto Cell software Configure Auto Cell software 1 Select the Altitude AP tab in any screen. Click on the Auto Cell option. The Auto Cell Configuration screen appears. 2 The Enable Auto Cell checkbox is on by default., enabling the software globally. 3 From the list of registered Altitude APs, select the Altitude AP you want to configure for Auto Cell by clicking its checkbox on. The fields for Auto Cell populate with default values, with Auto Cell “on”.
PAGE 60
Altitude AP: startup 60 Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.
PAGE 61
5 WM Access Domain Services (WM-AD): Introduction Overview WM Access Domain Services (WM-AD) are the key to the advantages that the Summit WM-Series Switch Software system has to offer. This technique provides a versatile means of mapping wireless networks to the topology of an existing wired network. When you set up a WM-AD on the Summit WM-Series Switch, you are defining a subnet for a group of wireless device users.
PAGE 62
WM Access Domain Services (WM-AD): Introduction For each user group, you should set up a Filter ID attribute in the RADIUS server, and then associate each user in the RADIUS server to at least one Filter ID name. The Summit WM-Series Switch Software enables you to define specific filtering rules, by Filter ID attribute, that will be applied to user groups to control network access. What is a WM-AD? A WM-AD is an IP subnet that is especially designed to enable Altitude APs to interact with wireless devices.
PAGE 63
Network assignment and authentication for a WM-AD The key choice for a WM-AD is the type of network assignment, which determines all the other factors of the WM-AD. There are two options for network assignment: ● ● SSID: ● has Captive Portal authentication, or no authentication. ● requires restricted filtering rules before authentication and, after authentication, filtering rules for group Filter IDs. ● is used for a WM-AD supporting wireless voice traffic (QoS).
PAGE 64
WM Access Domain Services (WM-AD): Introduction identification is sent by the Summit WM-Series Switch to the RADIUS server for authentication.
PAGE 65
Filtering for a WM-AD Four types of filters are applied by the Summit WM-Series Switch in the following order: 1 Exception filter, to provide the administrator optional additional flexibility in securing the system and blocking Denial of Service (DoS) attacks, on any type of WM-AD. 2 Non-Authenticated filter, with filtering rules that apply before authentication, to control network access and to direct users to a Captive Portal web page for login.
PAGE 66
WM Access Domain Services (WM-AD): Introduction ● Authentication by AAA (802.1x) Since users have already logged in and have been authenticated, there is no need for a NonAuthenticated filter. When authentication is returned, then the Filter ID group filters are applied. For AAA, a WM-AD can have a subgoup with Login-LAT-group ID that has its own filtering rules. If no Filter ID matches are found, then the Default filter is applied.
PAGE 67
Setting up a new WM-AD 3 In the left-hand list, highlight the name of the new WM-AD. You can now configure its parameters in the Topology screen. Configure the new WM-AD (overview of basic steps) 1 Select the network assignment mechanism from the Assignment by drop-down list: ● SSID ● AAA 2 In the SSID box at the right, key in the SSID that the wireless devices will use to access the Altitude AP. 3 Select the Altitude APs (by radio) to be assigned to this WM-AD.
PAGE 68
WM Access Domain Services (WM-AD): Introduction Global Settings for a WM-AD Before defining specific WM Access Domain Service (WM-AD), define various settings that will apply to all WM-AD definitions.
PAGE 69
Global Settings for a WM-AD Define the RADIUS servers available on the network 4 For each RADIUS server, fill in the following fields: Server Name Name of the RADIUS server Server Address The IP address of the RADIUS server Shared Secret The password that is required in both directions that is set up on the RADIUS Server. This password is used to validate the connection between the Summit WM-Series Switch and the RADIUS Server.
PAGE 70
WM Access Domain Services (WM-AD): Introduction 70 Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.
PAGE 71
6 WM Access Domain Configuration For each WM-AD, you define its topology, authentication, accounting, RADIUS servers, filtering, multicast parameters and privacy mechanism. When you set up a new WM-AD definition, the additional tabs will appear only after you save the Topology. Topology for a WM-AD In the Topology screen, the key choice for a WM-AD is the type of network assignment, which determines all the other factors of the WM-AD.
PAGE 72
WM Access Domain Configuration Create an SSID for Captive Portal WM-AD 1 Using the Assignment by drop-down list, select SSID. 2 In the SSID box, key in the SSID that wireless devices will use to access the Altitude AP. 3 Click the Suppress SSID checkbox on to prevent this SSID from appearing in the beacon message sent by the Altitude AP. The wireless device user seeking network access will not see this SSID as an available choice, and will need to specify it.
PAGE 73
Topology for a WM-AD Enable Management Traffic on this WM-AD 6 To use this WM-AD for Management Traffic such as SSH, HTTPS, or SNMP, click the Allow mgmt traffic checkbox on. Use this capability with caution, since it overrides the built-in exception filters that prohibit such traffic on the Summit WM-Series Switch data interfaces. (See also “Port-based exception filters: built-in” on page 39.
PAGE 74
WM Access Domain Configuration 13 If there are specific IP addresses to be excluded from this range, click on the Exclusions button. The Address Exclusion subscreen appears. 14 In the Exclusions subscreen, key in the IP addresses or address ranges to exclude. Click on the Add button after each entry. Click on the Save button to save the changes and return to the Topology screen. 15 The Broadcast Address field populates automatically, based on the Gateway IP address and subnet mask of the WM-AD.
PAGE 75
Topology for a WM-AD The range of IP addresses to be assigned to the wireless device users on this WM-AD should also be designated on the external DHCP server. Save the new WM-AD 21 To save this WM-AD configuration, click on the Save button. When the new Topology has been saved, the screen changes to display tabs for Authentication and Accounting, RAD Policy, Filtering, Multicast and Privacy. Topology for a WM-AD for AAA For a WM-AD with 802.
PAGE 76
WM Access Domain Configuration Authentication for a WM-AD The next step in configuring a WM-AD is to set up the Authentication mechanism in the Authentication and Accounting screen. There are various combinations available: ● ● If network assignment is by SSID, authentication can be: ● none ● by Captive Portal using internal Captive Portal ● by MAC-based authentication If network assignment is by AAA (802.1x), authentication can be: ● by 802.
PAGE 77
Authentication for a WM-AD Vendor Specific Attributes (VSAs) In addition to the standard RADIUS message, you can include Vendor Specific Attributes (VSAs). The Summit WM-Series Switch Software authentication mechanism provides six Vendor Specific Attributes (VSAs), for RADIUS and other authentication mechanisms.
PAGE 78
WM Access Domain Configuration Set up authentication by Captive Portal 1 In the WM Access Domain Configuration screen, highlight the WM-AD name and click on the Auth & Acct tab. The Authentication and Accounting screen appears (in the Captive Portal version if network assignment is by SSID). 2 In the right-hand portion of the screen, there are three options: ● Auth. to define authentication servers ● MAC to define servers for MAC-based authentication ● Acct. to define accounting servers Select Auth.
PAGE 79
Authentication for a WM-AD The server name now appears in the list of configured servers (beside the Up and Down buttons) where it can be prioritized for RADIUS redundancy. It can also be assigned again for MAC-based authentication or accounting purposes. A red asterisk appears in the right-hand list, showing that a server has been assigned.
PAGE 80
WM Access Domain Configuration If one of the other servers becomes the active one during a failover, an “A” will appear after that server name. If all defined RADIUS servers fail to respond, a critical message is generated in the logs. 3 To run a test of the Summit WM-Series Switch’s connection to all configured RADIUS servers, click on the Test button. In the pop-up screen, key in your User ID and click on the Test button. 4 To view a summary of the RADIUS test results, click on the View Summary button.
PAGE 81
Authentication for a WM-AD 3 Key in the locations of the header and footers. Header URL The location of the file to be displayed in the Header portion of the Captive Portal screen. This page can be customized to suit your company, with logos or other graphics. (Caution: Ensure that such graphics in the header are not so large that they push the login area out of view.
PAGE 82
WM Access Domain Configuration Authentication for a WM-AD for AAA Set up authentication by AAA (802.1x) method 1 In the WM Access Domain Configuration screen, highlight the WM-AD name and click on the Auth & Acct tab. For an AAA WM-AD, the AAA version of the Authentication screen appears. 2 Follow steps 2 to 10 described above for Captive Portal, except for Step 5 (Authentication Type) which does not apply to AAA. See “Authentication for a WM-AD for Captive Portal” on page 77.
PAGE 83
Authentication for a WM-AD Define MAC-based authentication for a WM-AD 1 In the WM Access Domain Configuration screen, highlight the WM-AD name and click on the Auth & Acct tab. The Authentication and Accounting screen appears (in either Captive Portal or AAA versions depending on network assignment). In the right-hand portion of the screen, select MAC. A box appears around this area of the screen.
PAGE 84
WM Access Domain Configuration Accounting for a WM-AD The next step is to enable and configure, for a WM-AD, the methods of accounting to track the activity of a wireless device users.
PAGE 85
RADIUS Policy for a WM-AD RADIUS Policy for Captive Portal 1 In the WM Access Domain Configuration screen, highlight the WM-AD name and click on the RAD Policy tab. For a WM-AD with SSID network assignment, the Captive Portal version of the RADIUS Policy screen appears. Define the Filter ID values on this WM-AD. 1 In the Filter ID Values entry field, key in the name of a group that you want to define specific filtering rules for, to control network access. Click on the Add button.
PAGE 86
WM Access Domain Configuration Define the Filter ID values on this WM-AD 1 In the WM Access Domain Configuration screen, highlight the WM-AD name and click on the RAD Policy tab. For a WM-AD with AAA network assignment, the AAA version of the RADIUS Policy screen appears. 2 In the Filter ID Values entry field, key in the name of a group that you want to define specific filtering rules for, to control network access. Click on the Add button. The Filter ID value appears in the list above.
PAGE 87
Filtering rules for a WM-AD For an AAA WM-AD, since users have already been authenticated, there is no need for a NonAuthenticated filter. When authentication is returned, then the Filter ID group filters are applied. For AAA, a WM-AD can have a subgoup with Login-LAT-group ID that has its own filtering rules. If no Filter ID matches are found, then the Default filter is applied. Filtering rules for an exception filter The exception filter on an WM-AD applies only to the destination portion of the packet.
PAGE 88
WM Access Domain Configuration Redirection and Captive Portal credentials apply to HTTP traffic only. A wireless device user attempting to reach websites other than those specifically allowed in the Non-Authenticated Filter will be redirected to the allowed destinations. Most HTTP traffic outside of those defined in the nonauthenticated filter will be redirected. All other network access will be controlled after the user is authenticated, when the filter ID or default filtering rules are applied.
PAGE 89
Filtering rules for a WM-AD 6 Highlight the new filtering rule and fill in (or leave unchecked) the three checkboxes in the combinations that define the traffic access: In: Click checkbox on to refer to traffic from the wireless device that is trying to get on the network (“going to” the network) Out: Click checkbox on to refer to traffic from the network host that is trying to get to a wireless device. (“coming from” the network) Allow: Click checkbox on to allow. Leave unchecked to disallow.
PAGE 90
WM Access Domain Configuration Once a wireless device user has logged in on the Captive Portal page, and has been authenticated by the RADIUS server, then the following filters will apply: ● Filter ID Filter, if a Filter ID associated with this user was returned the authentication server ● Default Filter, if no matching Filter ID was returned from the authentication server These filters are described below.
PAGE 91
Filtering rules for a WM-AD Define filtering rules for a Filter ID group 1 In the WM Access Domain Configuration screen, click on the Filtering tab. The Filtering screen appears for the highlighted WM-AD. 2 Using the Filter ID drop-down list, select one of the names you defined in the Filter ID Values field in the Authentication screen [one of your enterprise's user groups, such as Sales, Engineering, Teacher, Guest....] The screen automatically provides a “Deny All” rule already in place.
PAGE 92
WM Access Domain Configuration Filtering Rules by Filter ID: Examples Below are two examples of possible filtering rules for a Filter ID. The first disallows only some specific access before allowing everything else. In Out x x x x Allow IP / Port Description x *.*.*.*:22-23 Deny all telnet sessions x [specific IP address, range] Deny all traffic to a specific IP address or address range *.*.*.*. Allow everything else x The second example does the opposite of the first example.
PAGE 93
Filtering rules for a WM-AD Define the filtering rules for a default filter 1 In the WM Access Domain Configuration - Filtering screen, using the Filter ID drop-down list, select Default. 2 Follow Steps 2 to 6, as described above for Filter ID values rules. 3 To save the filtering rules, click on the Save button.
PAGE 94
WM Access Domain Configuration Here is another example of filtering rules for a Default Filter: In Out Allow IP / Port Description Port 80 (HTTP) on host IP Deny all incoming wireless devices access to web browsing the host Intranet IP 10.3.0.20, ports 10-30 Deny all traffic from the network to the wireless devices on the port range, such as TELNET (port 23) or FTP (port 21) x Intranet IP 10.3.0.20 Allow all other traffic from the wireless devices to the Intranet network x x Intranet IP 10.3.
PAGE 95
Multicast for a WM-AD Multicast for a WM-AD A mechanism that supports multicast traffic can be enabled as part of a WM-AD definition. This is provided to support the demands of VoIP and IPTV network traffic, while still providing the network access control. In the Multicast screen, you define a list of multicast groups whose traffic is allowed to be forwarded to and from the WM-AD. The default behavior is to drop the packets. For each group defined, you can enable Multicast Replication by group.
PAGE 96
WM Access Domain Configuration Privacy for a WM-AD Privacy for a WM-AD for Captive Portal For the Captive Portal WM-AD, there are three options for the Privacy mechanism: ● None ● Static Wired Equivalent Privacy (WEP) keys for a selected WM-AD, so that it matches the WEP mechanism used on the rest of the network. You can assign each radio on a Altitude AP to up to four WM-ADs by SSID. For each WM-AD, only one WEP key can be specified.
PAGE 97
Privacy for a WM-AD Configure privacy by WPA-PSK for a Captive Portal WM-AD 1 In the WM Access Domain Configuration screen, click on the Privacy tab. The Privacy screen appears for the highlighted WM-AD. 2 To configure privacy by WPA-PSK, click on the WPA-PSK radio button. 3 Type in the Pre-Shared Key (PSK), or shared secret, to be used between the wireless device and Altitude AP. The key should be between 8 and 63 characters. It is used to generate the 256-bit key.
PAGE 98
WM Access Domain Configuration Set up static WEP privacy for a WM-AD for AAA 1 In the WM Access Domain Configuration screen, highlight the WM-AD name and click on the Privacy tab. For a AAA WM-AD, the AAA version of the Privacy screen appears. 2 To use static keys, click on the Static Keys (WEP) radio button. 3 From the drop-down list, select the WEP Key Length: 40-bit, 104-bit, 128 bit 4 Click on the appropriate radio button to select the Input Method: Input Hex, Input String.
PAGE 99
Privacy for a WM-AD The encryption portion of WPA v1 is Temporal Key Integrity Protocol (TKIP). TKIP includes: ● a per-packet key mixing function that shares a starting key between devices, and then changes their encryption key for every packet or after the specified re-key time interval. ● a extended WEP key length of 256-bits ● an enhanced Initialization Vector (IV) of 48 bits, instead of 24 bits, making it more difficult to compromise.
PAGE 100
WM Access Domain Configuration Set up Wi-Fi Protected Access privacy (WPA) for an AAA WM-AD 1 To set up WPA privacy on the WM-AD, click on the WPA radio button. 2 To enable either WPA v1 or WPA v2, or both, click the appropriate checkboxes on. 3 To enable re-keying after a time interval, click the Broadcast re-key interval checkbox on (the default is on). Type in the re-key time interval (the time after which the broadcast encryption key is changed automatically) in seconds.
PAGE 101
A WM-AD for voice traffic 5 In the Filtering screen, define a Non-Authenticated Filter that will control specific network access for any wireless device users on this WM-AD. These rules should be very restrictive. The final rule should be a “Deny All” rule. The Non-Authenticated Filter for a WM-AD with no authentication will not have a Captive Portal page for login.
PAGE 102
WM Access Domain Configuration ● a Telephony Gateway, for access to an external standard telephone network, such as the wireless cellular network or the public switched telephone network (PSTN). The Telephony Gateway should be located on the same subnet as the Summit WM-Series Switch. For large deployments, an SVP server is required on the enterprise network, if Spectralink devices are to be supported.
PAGE 103
7 Summit WM-Series Switch Configuration: Availability and Mobility Availability The Summit WM-Series Switch Software system provides a feature that maintains service availability in the event of a Summit WM-Series Switch outage. The Availability feature links two Summit WM-Series Switches as a pair, so that they share information about their Altitude APs. If one Summit WM-Series Switch in a pair fails, then its Altitude APs are allowed to connect instead to the second Summit WM-Series Switch.
PAGE 104
Summit WM-Series Switch Configuration: Availability and Mobility 4 On the other Summit WM-Series Switch that is to be paired, allow all Altitude APs to associate with it. Then set the Registration Mode to “Allow only approved” so that no more Altitude APs can register 5 In the AP Registration screen, now enable the two Summit WM-Series Switchs as a pair, as described below. 6 On each Summit WM-Series Switch, in the Access Approval screen, check the status of the Altitude APs.
PAGE 105
Availability 5 Since this Summit WM-Series Switch is to be the primary connection point, click the checkbox on. 6 Set the Security Mode to “Allow Approved” by clicking the radio button. [recommended after initial set up for paired Summit WM-Series Switches] 7 To save these settings, click on the Save button.
PAGE 106
Summit WM-Series Switch Configuration: Availability and Mobility View the SLP activity with the “slpdump tool” 1 In the Altitude AP Registration Mode screen, click on the View SLP Registration button. A popup screen displays the results of the diagnostic “slpdump tool”, to confirm SLP registration. In normal operations, the primary Summit WM-Series Switch registers as an SLP service called “ac_manager” and directs the Altitude APs to the appropriate Summit WM-Series Switch of a pair.
PAGE 107
Mobility and the WM-AD Manager To support the Availability feature during a “Failover” event, administrator will need to perform the following actions: 1 Monitor the critical messages for the “Failover mode” message, in the information log of the remaining Summit WM-Series Switch (in the Reports and Displays area). 2 After recovery, on the Summit WM-Series Switch that did not fail, select the “foreign” Altitude APs and click on the Release button (in the Altitude AP Configuration - AP Maintenance screen).
PAGE 108
Summit WM-Series Switch Configuration: Availability and Mobility The Summit WM-Series Switch that is a “WM-AD Agent”: ● uses SLP to find the location of the WM-AD Manager ● attempts to establish a TCP/IP connection with the WM-AD Manager ● when it receives the connection-established message (see above), updates its tables, and sets up data tunnels to and between all Summit WM-Series Switchs it has been informed of ● after every Heartbeat massage received, uses the information to update its own tables
PAGE 109
Mobility and the WM-AD Manager View additional displays when WM-AD Manager is enabled On a Summit WM-Series Switch has been configured as a WM-AD Manager, three additional displays appear as options in the List of Displays screen: ● Client Location by Home: shows the active wireless clients, listed by their “Home” Summit WM-Series Switch ● Client Location by Foreign SWM: shows the active wireless clients, listed by the foreign Summit WMSeries Switch they are active on ● SWM Tunnel Traffic: shows the s
PAGE 110
Summit WM-Series Switch Configuration: Availability and Mobility 110 Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.
PAGE 111
8 Summit WM-Series Switch: configuring other functions Management users In this screen you define the login usernames that have access to the GUI, either for Summit WM-Series Switch Software Administrators with “read/write” privileges, or users with “read only” privileges. For each user added, you can also define and modify a User ID and Password. Designate Summit WM-Series Switch management users 1 Click on the Summit Switch tab. Click on the Management Users option. The Management Users screen appears.
PAGE 112
Summit WM-Series Switch: configuring other functions Network time Use the Network Time screen to synchronize the elements on the network to a universal clock. This ensures accuracy in usage logs. Network time is synchronized in one of two ways: ● using system time ● using Network Time Protocol (NTP), an Internet standard protocol that synchronizes client workstation clocks. Set Network Time parameters 1 Click on the Summit Switch tab. Click on the Network Time option. The Network Time screen appears.
PAGE 113
Check Point event logging Check Point event logging The Summit WM-Series Switch has the capability to forward specified event messages to an ELA server using the OPSEC ELA protocol - Event Logging API (Application Program Interface). On the ELA server (such as Check Point Management Console), the event messages are tracked and analyzed, so that suspicious messages can be forwarded to a firewall application (such as Check Point Firewall-1) that can take corrective action.
PAGE 114
Summit WM-Series Switch: configuring other functions 3 Key in values in the following fields, or accept the defaults: Check Point Server IP: Type in the Check Point fw-1 IP address, the IP address of the ELA Management Station. ELA Port: Default port is 18187. Modify if desired. ELA Log Interval: Type in the amount of time (in milliseconds) you want the system to wait before attempting to log, once there is a connection between Summit WM-Series Switch and the Check Point gateway.
PAGE 115
Setting up SNMP Setting up SNMP The Summit WM-Series Switch Software system supports Simple Network Management Protocol (SNMP), Version 1 and 2c, for retrieving Summit WM-Series Switch statistics and configuration information. Simple Network Management Protocol, a set of protocols for managing complex networks, sends messages, called protocol data units (PDUs), to different parts of a network.
PAGE 116
Summit WM-Series Switch: configuring other functions ● EXTREME-SMI ● EXTREME-DOT11-EXTNS-MIB ● EXTREME-BEACON-CELL-MIB ● EXTREME-BRANCH-OFFICE-MIB The MIB is provided for compilation into an external NMS. No support has been provided for automatic device discovery by an external NMS. The Summit WM-Series Switch is the only point of SNMP access for the entire system. In effect, the Summit WM-Series Switch will proxy sets and gets and alarms from the associated Altitude APs.
PAGE 117
Setting up SNMP 2 Key in: Contact Name: The name of SNMP administrator. Location: Location of the SNMP administration machine (descriptive). Read Community Name: Key in the password for Read activity. Read/Write Community Name: Key in the password for Read/Write activity. (Write ability is not supported.) SNMP Port: Key in the destination port for SNMP traps. The industry standard is 162. [If left blank, no traps are generated.
PAGE 118
Summit WM-Series Switch: configuring other functions 118 Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.
PAGE 119
9 Setting up third-party access points Your enterprise's WLAN may have existing third-party access points that you would like to integrate into the Summit WM-Series Switch Software WLAN solution. You can set up the Summit WM-Series Switch to handle wireless device traffic from third-party access points, providing the same policy and network access control.
PAGE 120
Setting up third-party access points 4 Set up a WM-AD for the “3rd-party AP” port: In the WM Access Domain Configuration screen, add a new WM-AD. Then highlight the WM-AD name in the left-hand list and click on the Topology tab. In the Topology screen, select Assignment by SSID. Click on the Use 3rd Party AP checkbox to select it. Fill in the IP Address and MAC Address entry fields that appear on the right (the addresses of the third party access points, and click on the Add button.
PAGE 121
● Disable the third-party access point's layer-3 IP routing capability and set the access point to work as a layer-2 bridge. Here are the differences between third-party access points and Altitude APs on the Summit WM-Series Switch Software system: ● A third-party access point exchanges data with the Summit WM-Series Switch's data port using standard IP over ethernet protocol. The third-party access points do not support the tunnelling protocol for encapsulation.
PAGE 122
Setting up third-party access points 122 Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.
PAGE 123
10 Summit Spy: detecting rogue access points Overview The Summit WM-Series Switch Software system includes a mechanism that assists in the detection of rogue access points. The function is called the Summit Spy. The Summit Spy feature has three components: ● a radio frequency (RF) scanning task that runs on the Altitude AP. The Altitude AP itself functions as a scan device. Its scan function alternates with providing its regular service the wireless devices on the network.
PAGE 124
Summit Spy: detecting rogue access points Enabling the Analysis and RFDC Engines Enable and configure the Summit Spy Analysis Engine 1 In the Summit WM-Series Switch Configuration screen, click on the Summit Spy option. The Summit Spy Configuration screen appears. 2 To enable the Summit Spy Analysis Engine, click the checkbox on. Define the Summit Spy RF Data Collector Engines 3 To enable the Summit Spy Data Collection Engine on this Summit WM-Series Switch click the checkbox on.
PAGE 125
Summit Spy: running scans 7 To clear the entry fields and add a new Collection Engine, click on the Add Collection Engine option. Repeat steps 4 to 6 above. 8 To save these settings, click on the Apply button. Summit Spy: running scans After enabling the Summit Spy engines (as described above), click the Summit Spy menu item in the main menu, or the Summit Spy tab in any screen. The Summit Spy Scanner screen appears, with five tabs.
PAGE 126
Summit Spy: detecting rogue access points ● Active: the Altitude AP sends out ProbeRequests and waits for ProbeResponse messages from any access points. ● Passive: the Altitude AP listens for 802.11 beacons 7 In the Channel Dwell Time field, key in the time in milliseconds that the scanner waits for a response (either for 802.11 beacons in passive scanning, or ProbeResponse in active scanning).
PAGE 127
The Analysis Engine ● known Altitude AP with an unknown SSID (major alarm) ● in ad-hoc mode (major alarm) NOTE In the current release, there is no capability to initiate a DoS attack on the detected rogue access point. Containment of a detected rogue will require an inspection of the geographical location of its Scan Group area (where its RF activity has been found).
PAGE 128
Summit Spy: detecting rogue access points 5 Click the Rogue Summary button to view the Rogue Summary popup report. 6 To view the Friendly list, click on the Friendly APs tab. The Friendly AP Definitions screen appears. 7 To add friendly access points manually to the Friendly AP Definitions list, key in the MAC Address, SSID, Channel, and a text description of the access point. Click on the Add button. The new access point appears in the list above.
PAGE 129
The Analysis Engine View the Summit Spy list of Third-Party APs To view the list of the known third-party access points, click on the 3rd Party APs tab. The 3rd Party APs screen appears.
PAGE 130
Summit Spy: detecting rogue access points 2 To delete the marked access points and Altitude APs from the Summit Spy's database, click on the Delete marked APs button. This will only delete them from the Summit Spy's database, not from the Summit WM-Series Switch's database. Viewing the Scanner Status report When the Summit Spy is enabled, you can view a report on the connection status of the RF Data Collector Engines with the Analysis Engine.
PAGE 131
11 Ongoing operation Altitude AP maintenance: software Periodically, the software used by the Altitude APs is altered, either for reasons of upgrade or security. The new version of the software is installed from the Summit WM-Series Switch, using the Altitude AP Maintenance option.
PAGE 132
Ongoing operation Maintain the list of current Altitude AP software images 1 Click on the Altitude APs tab. The Altitude AP Configuration screen appears. Click on the AP Maintenance option. 2 Click on the AP Software Maintenance tab. The AP Software Maintenance screen appears. The Current AP Images area displays the list of AP software versions that have been downloaded and are available. (This list appears in the drop-down list of available images in the Controlled Upgrade screen.
PAGE 133
Altitude AP client management Define parameters for a Altitude AP controlled software upgrade. 1 Click on the Altitude APs tab. The Altitude AP Configuration screen appears. Click on the AP Maintenance option. 2 Click on the Controlled Upgrade tab. The Controlled Upgrade screen appears. The screen displays the steps to initiate a software upgrade. 3 Step 1: From the drop-down list, select the software version you wish to use for the upgrade. (This list is maintained in the AP Software Maintenance screen.
PAGE 134
Ongoing operation Client disassociate Disassociate a wireless device client 1 Click on the Altitude APs tab. Click on the Client Management option. Click on the Disassociate tab. The Disassociate screen appears. 2 Click on the checkbox to select the wireless device to be disassociated. 3 To search for a client by MAC Address, IP Address or User ID, select the search parameters from the pull-down list. Then key in the search string and click on the Search button. (Wildcard searches are supported.
PAGE 135
Altitude AP client management Client blacklist Add a wireless device client to a blacklist 1 Click on the Client Management option in the Altitude AP Configuration screen. Click on the Blacklist tab. The Blacklist screen appears. The Blacklist screen displays the current list of MAC addresses that will be not be allowed to associate. Clients selected in the Disassociate screen for the Blacklist will appear here.
PAGE 136
Ongoing operation 1 Click on the Summit WM-Series Switch tab. Click on the System Maintenance option. The System Maintenance screen appears. Health Checking 1 In the Poll Interval field, key in a time in seconds for the Summit WM-Series Switch to check that the Altitude APs are still there. Click on the Apply button.
PAGE 137
Summit WM-Series Switch software maintenance 4 To include additional system messages, click the Include all service messages checkbox on. If the box is left unchecked, only component messages (logs and traces) are relayed. (This will apply to all three servers.
PAGE 138
Ongoing operation Upgrade the Summit WM-Series Switch software 1 Click on the Summit WM-Series Switch tab. Click on the Software Maintenance option. Click on the SWM Software Maintenance tab. The Software Maintenance screen appears. The Current SWM Images area displays the list of software versions that have been downloaded and are available. (This list appears in the drop-down list of available images in the Upgrade area.
PAGE 139
Summit WM-Series Switch software maintenance Upgrade the Operating System software 1 Click on the Summit WM-Series Switch tab. Click on the Software Maintenance option. Click on the OS Software tab. The OS Software Maintenance screen appears. 2 Follow the steps described for the Software Maintenance screen. Back up the Summit WM-Series Switch software 1 Click on the Summit WM-Series Switch tab. Click on the Software Maintenance option. Click on the Backup tab. The Backup screen appears.
PAGE 140
Ongoing operation Restore the Summit WM-Series Switch software 1 Click on the Summit WM-Series Switch tab. Click on the Software Maintenance option. Click on the Restore tab. The Restore screen appears. 2 Follow the steps described for the Software Maintenance screen. Summit WM-Series Switch Software logs and traces Summit WM-Series Switch Software log and data files The Summit WM-Series Switch Software system stores configuration data and log files.
PAGE 141
Summit WM-Series Switch Software logs and traces Viewing log, alarm and trace messages To view the logs and traces, select the Logs & Traces tab.
PAGE 142
Ongoing operation View the Logs 1 Click on the Logs & Traces tab. In the Navigation bar, click on one of the Log tabs. The selected Log screen appears: The events are displayed in chronological order, sorted by the Timestamp column. 2 To sort the display by Type or Component, click on the column heading. 3 To filter the logs by severity, in order to display only Info, Minor, Major, or Critical logs, click on the appropriate Log tab at the top of the screen.
PAGE 143
Summit WM-Series Switch Software logs and traces You can sort, refresh and export the Trace information, as described for Log displays. View the Audits 1 To view the GUI Audit display, click on the GUI Audit tab. Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.
PAGE 144
Ongoing operation Reports and displays View displays To view Summit WM-Series Switch Software reports and displays, click on the Reports tab. The List of Displays screen appears, with a menu of available displays. The three options on the right-hand side of the screen appear only if the WM-AD Manager function has been enabled. Click on an option in the menu to view its display screen (examples below): 144 Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.
PAGE 145
Reports and displays View statistics for Altitude APs Two displays are snapshots of activity at that point in time on a selected Altitude AP: ● Wired Ethernet Statistics by Altitude APs ● Wireless Statistics by Altitude APs The statistics displayed are those defined in the 802.11 MIB, in the IEEE 802.11 standard. In the Wired Ethernet Statistics by Altitude APs display, click on one of the registered Altitude APs to display its information.
PAGE 146
Ongoing operation The displays lists the registered Altitude APs Click on the selected Altitude AP. Then click on the appropriate tab to display information for each radio on the Altitude AP. If there are associated clients on this radio, you can view information on a selected client. Click on the View Client button. The Associated Clients popup window appears. View reports To view Summit WM-Series Switch Software reports and displays, click on the Reports tab. The List of Displays screen appears.
PAGE 147
Glossary Networking terms and abbreviations A AAA Authentication, Authorization and Accounting. A system in IP-based networking to control what computer resources users have access to and to keep track of the activity of users over a network. Access Point (AP) A wireless LAN transceiver or “base station” that can connect a wired LAN to one or many wireless devices. Ad-hoc mode An 802.
PAGE 148
Glossary B BSS Basic Service Set. A wireless topology consisting of one Access Point connected to a wired network and a set of wireless devices. Also called an infrastructure network. See also IBSS. Captive Portal A browser-based authentication mechanism that forces unauthenticated users to a web page. Sometimes called a “reverse firewall”.
PAGE 149
D D (Continued) Device Server A specialized, network-based hardware device designed to perform a single or specialized set of server functions. Print servers, terminal servers, remote access servers and network time servers are examples of device servers. DHCP Dynamic Host Configuration Protocol. A protocol for assigning dynamic IP addresses to devices on a network. With dynamic addressing, a device can have a different IP address every time it connects to the network.
PAGE 150
Glossary E EAP-TLS EAP-TTLS EAP-TLS Extensible Authentication Protocol - Transport Layer Security. A general protocol for authentication that also supports multiple authentication methods, such as token cards, Kerberos, onetime passwords, certificates, public key authentication and smart cards. IEEE 802.1x specifies how EAP should be encapsulated in LAN frames.
PAGE 151
G F (Continued) Fit, thin and fat APs A thin AP architecture uses two components: an access point that is essentially a stripped-down radio and a centralized management controller that handles the other WLAN system functions. Wired network switches are also required. A fit AP, a variation of the thin AP, handles the RF and encryption, while the central management controller, aware of the wireless users' identities and locations, handles secure roaming, quality of service, and user authentication.
PAGE 152
Glossary H (Continued) HTTP Hypertext Transfer Protocol is the set of rules for transferring files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web. A Web browser makes use of HTTP. HTTP is an application protocol that runs on top of the TCP/IP suite of protocols. (RFC2616: Hypertext Transfer Protocol -- HTTP/1.
PAGE 153
I I (Continued) IP Internet Protocol is the method or protocol by which data is sent from one computer to another on the Internet. Each computer (host) on the Internet has at least one IP address that uniquely identifies it. Internet Protocol specifies the format of packets, also called datagrams, and the addressing scheme. Most networks combine IP with a higher-level protocol called Transmission Control Protocol (TCP), which establishes a virtual connection between a destination and a source.
PAGE 154
Glossary L LAN Local Area Network. LSA Link State Advertisements received by the currently running OSPF process. The LSAs describe the local state of a router or network, including the state of the router's interfaces and adjacencies. See also OSPF. MAC Media Access Control layer. One of two sublayers that make up the Data Link Layer of the OSI model. The MAC layer is responsible for moving data packets to and from one Network Interface Card (NIC) to another across a shared channel.
PAGE 155
N N NAS Network Access Server, a server responsible for passing information to designated RADIUS Servers and then acting on the response returned. A NAS-Identifier is a RADIUS attribute identifying the NAS server. (RFC2138) NAT Network Address Translator. A network capability that enables a group of computers to dynamically share a single incoming IP address. NAT takes the single incoming IP address and creates new IP address for each client computer on the network.
PAGE 156
Glossary O (Continued) OS Operating system. OSI Open System Interconnection. An ISO standard for worldwide communications that defines a networking framework for implementing protocols in seven layers. Control is passed from one layer to the next, starting at the application layer in one station, down through the presentation, session, transport, network, data link layer to the physical layer at the bottom, over the channel to the next station and back up the hierarchy.
PAGE 157
Q P (Continued) PAP Password Authentication Protocol is the most basic form of authentication, in which a user's name and password are transmitted over a network and compared to a table of name-password pairs. Typically, the passwords stored in the table are encrypted. (See CHAP). PDU Protocol Data Unit. A data object exchanged by protocol machines (such as management stations, SMUX peers, and SNMP agents) and consisting of both protocol control information and user data.
PAGE 158
Glossary R 158 RADIUS Remote Authentication Dial-In User Service. An authentication and accounting system that checks User Name and Password and authorizes access to a network. The RADIUS specification is maintained by a working group of the IETF (RFC2865 RADIUS, RFC2866 RADIUS Accounting, RFC2868 RADIUS Attributes for Tunnel Protocol Support). RF Radio Frequency, a frequency in the electromagnetic spectrum associated with radio wave propagation.
PAGE 159
S S Segment In ethernet networks, a section of a network that is bounded by bridges, routers or switches. Dividing a LAN segment into multiple smaller segments is one of the most common ways of increasing available bandwidth on the LAN. SLP Service Location Protocol. A method of organizing and locating the resources (such as printers, disk drives, databases, e-mail directories, and schedulers) in a network.
PAGE 160
Glossary S (Continued) SNMP trap An event notification sent by the SNMP managed agent to the management system to identify the occurrence of conditions (such as a threshold that exceeds a predetermined value). SSH Secure Shell, sometimes known as Secure Socket Shell, is a Unix-based command interface and protocol for securely getting access to a remote computer. SSH is a suite of three utilities - slogin, ssh, and scp - secure versions of the earlier UNIX utilities, rlogin, rsh, and rcp.
PAGE 161
T S (Continued) SVP SpectraLink Voice Protocol, a protocol developed by SpectraLink to be implemented on access points in order to facilitate voice prioritization over an 802.11 wireless LAN that will carry voice packets from SpectraLink wireless telephones. Switch In networks, a device that filters and forwards packets between LAN segments. Switches operate at the data link layer (layer 2) and sometimes the network layer (layer 3) of the OSI Reference Model and therefore support any packet protocol.
PAGE 162
Glossary T (Continued) TLS Transport Layer Security. (See EAP, Extensible Authentication Protocol) ToS / DSCP ToS (Type of Service) / DSCP (Diffserv Codepoint). The ToS/DSCP field contained in the IP header of a frame is used by applications to indicate the priority and Quality of Service (QoS) for each frame. The level of service is determined by a set of service parameters which provide a three way trade-off between low-delay, high-reliability, and high-throughput.
PAGE 163
V V VLAN Virtual Local Area Network. A network of computers that behave as if they are connected to the same wire when they may be physically located on different segments of a LAN. VLANs are configured through software rather than hardware, which makes them extremely flexible. When a computer is physically moved to another location, it can stay on the same VLAN without any hardware reconfiguration. The standard is defined in IEEE 802.
PAGE 164
Glossary W (Continued) WINS Windows Internet Naming Service. A system that determines the IP address associated with a particular network computer, called name resolution. WINS supports network client and server computers running Windows and can provide name resolution for other computers with special arrangements.
PAGE 165
W Summit WM-Series Switch Software terms and abbreviations Term Explanation CTP CAPWAP Tunnelling Protocol (CTP). The Altitude AP uses a UDP (User Datagram Protocol) based tunnelling protocol called CAPWAP Tunnelling Protocol (CTP) to encapsulate the 802.11 packets and forward them to the Summit WM-Series Switch. The CTP protocol defines a mechanism for the control and provisioning of wireless access points (CAPWAP) through centralized access controllers.
PAGE 166
Glossary Term Explanation WM-AD Manager (and WMAD Agent) The technique in Summit WM-Series Switch Software by which multiple Summit WM-Series Switches on a network can discover each other and exchange information about a client session. This enables a wireless device user to roam seamlessly between different Altitude APs on different Summit WM-Series Switches, to provide mobility to the wireless device user. One Summit WM-Series Switch on the network must be designated as the “WM-AD Manager”.
PAGE 167
A Summit WM-Series Switch Software system states and LEDs Summit WM-Series Switch system states and LEDs The Summit WM-Series Switch has the two system states: Standby and Active. It enters “Standby” when shut down in the Summit WM-Series Switch Configuration – System Maintenance screen.
PAGE 168
Summit WM-Series Switch Software system states and LEDs System State Status LED Activity LED A component fails to start or needs restarting (Startup Manager Task retrying that component) Solid Amber Blinking green Summit WM-Series Switch fails to boot Solid Red Off A component fails (no more retries) Solid Red Off System about to be reset by watchdog Blinking Red Off Altitude AP system states For the Altitude AP the Status LED in the center also indicates power.
PAGE 169
B CLI command reference Table 7: CLI commands Category Top Level Syntax # Comment ip interface System State System Maintenance exit quit ssh session logout logs out of system # shutdown requires confirmation # reset requires confirmation # reset requires confirmation # loglevel <1|2|3|4|5> # syslog :syslog# syslogip #
PAGE 170
CLI command reference Table 7: CLI commands (Continued) Category OSPF Syntax # ip :ip# (no) protocol ospf :ip# ospf :ospf# routerid Comment only 1 protocol can be enabled on the AC area areatype config ospfinterface <0|1|2|3> :ospf.
PAGE 171
Table 7: CLI commands (Continued) Category Syntax Comment # show backup [filename|number] list back-up files on system # show cdrs [dir] [filename|number] list CDRs available on system # show restore list restore files on system # show upgrade list upgrade files on system # show osupgrade list os upgrade files on system # show apup list ap image upgrade files on system # show bootrom list ap bootrom image files on s
PAGE 172
CLI command reference Table 7: CLI commands (Continued) Category Users Diagnostics Altitude APs 172 Syntax Comment # users :users#id [admin] [enable|disable] end of command, enter password & confirm password :users#id no id confirm delete :users#id (no) logon disable / enable user access to management system; confirm action :users#id pwd id change password for userid; enter password & confirm password
PAGE 173
C DHCP, SLP, and Option 78 reference For the Altitude AP’s process to “discover” the Summit WM-Series Switch, the Summit WM-Series Switch Software system relies on a DHCP server that supports Option 78 and 79 for Service Location Protocol (SLP). The combination of Dynamic Host Configuration Protocol (DHCP), Option 78 and 79, and SLP provide a technique that defines the Summit WM-Series Switch as the only element on the network that the Altitude AP can communicate with.
PAGE 174
DHCP, SLP, and Option 78 reference Service Location Protocol (SLP) (RFC2608) Service Location Protocol (RFC2608) is a method of organizing and locating the resources (such as printers, disk drives, databases, e-mail directories, and schedulers) in a network. Using SLP, networking applications can discover the existence, location and configuration of networked devices.
PAGE 175
SLP Service Scope Option (Option 79) SLP Service Scope Option (Option 79) Services are grouped together using 'scopes'. These are strings that identify a set of services that form an administrative grouping. Service Agents (SAs) and Directory Agents (DAs) are always assigned a scope string. A User Agent (UA) is normally assigned a scope string (in which case the User Agent will only be able to discover that particular grouping of services).
PAGE 176
DHCP, SLP, and Option 78 reference 176 Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.
PAGE 177
D Reference lists of standards RFC list Listed below are the Internet Engineering Task Force (IETF) Request for Comments (RFCs) standards supported by Summit WM-Series Switch Software. The Request for Comments, a series of notes about the Internet, submitted to the Internet Engineering Task Force (IETF) and designated by an RFC number, that may evolve into an Internet standard. The RFCs are catalogued and maintained on the IETF RFC website: www.ietf.org/rfc.html.
PAGE 178
Reference lists of standards Table 8: List of RFCs (Continued) RFC Number Title RFC 3416 Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP) RFC 3417 Transport Mappings for the Simple Network Management Protocol (SNMP). RFC 3418 Management Information Base (MIB) for the Simple Network Management Protocol (SNMP). RFC 959 File Transfer Protocol.
PAGE 179
802.11 standards list Table 9: List of 802.11 standards supported (Continued) Standard Name 802.3z 1000Base-X (Gigabit Ethernet) 802.1d MAC bridges 802.11 MIB management information base for 802.11 Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.
PAGE 180
Reference lists of standards 180 Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.
PAGE 181
E Support for Altitude AP Altitude AP diagnostics by Telnet WARNING! For security reasons, Telnet is disabled by default. Only enable it in order to perform a diagnostic session. When finished, disable Telnet again. As a support tool to perform diagnostic debugging of the Altitude AP, the capability to access the Altitude AP by Telnet has been provided. Normally Telnet is disabled and should be disabled again after diagnostics. This process should only be used by support services.
PAGE 182
Support for Altitude AP 1 In the Telnet Access Password entry field, key in the password for a Telnet session. To confirm the password, key it in again. 2 To send the password information to all registered Altitude APs, click on the Save button. Use the AP Properties screen, to enable Telnet on a selected Altitude AP. 1 Highlight the selected Altitude AP in the left-hand list. 2 In the Telnet Access field, select “Enable” from the drop-down list. 3 Click on the Save button.
PAGE 183
F RADIUS Attributes Remote Authentication Dial-In User Service (RADIUS) is an industry standard for providing identification, authentication, authorization, and accounting services for distributed dial-up/remote access networking. RADIUS Vendor-Specific Attributes (VSAs) RADIUS Vendor-Specific Attributes (VSAs) are RADIUS Authentication and Accounting attributes defined by vendors to customize information exchanges between clients and servers.
PAGE 184
RADIUS Attributes RADIUS Accounting Account-Start Packet The following table lists the information elements (including VSAs) supported in a RADIUS Start message, issued by Summit WM-Series Switch Software, with RADIUS Accounting enabled: 184 Attribute NO. RAD.
PAGE 185
RADIUS Accounting Account-Stop/Interim Packet The following table lists the information elements (including VSAs) supported in a RADIUS Stop or Interim messages, issued by Summit WM-Series Switch Software, with RADIUS Accounting enabled: Attribute NO. RAD.
PAGE 186
RADIUS Attributes Termination Codes The RADIUS client (SWM or AP) terminates the wireless device user’s session when one of the following events occur: ● user request ● idle timeout ● session timeout ● administrator reset When a user session is terminated, the RADIUS client sends a RADIUS accounting stop request that will include one of the following termination codes: Radius Radius Value Definition XP Value XP/SMT Definition 1 User Request 9 RF notification that MU has disconnected from RU.
PAGE 187
G Logs and Events Overview The Summit WM-Series Switch is designed to behave like an appliance. It is either in an operational state, or it has failed due to a hardware problem or low level packet processing issue. In general, the system will self recover by rebooting if the system fault is recoverable.
PAGE 188
Logs and Events ACCESSPOINT Severity Critical Log Message AccessPoint software upgrade failed. Cannot open application backup file. Description AccessPoint software upgrade failed. Action Make sure to have the proper Access Point software file on AC for downloading . ACCESSPOINT Severity Critical Log Message AccessPoint software upgrade failed. Writing backup file failed Description AccessPoint software upgrade failed.
PAGE 189
Critical ACCESSPOINT Severity Critical Log Message AccessPoint configuration failed. Wassp config rcv: cannot send config to SNMP Agent. Description AccessPoint configuration failed Action Check software and configuration compatibility. Check the connection to AP. ACCESSPOINT Severity Critical Log Message AccessPoint configuration failed. Wassp config rcv: cannot get response from SNMP Agent. Description AccessPoint configuration failed Action Check software and configuration compatibility.
PAGE 190
Logs and Events ACCESSPOINT Severity Critical Log Message AccessPoint Rebooting. AP-AC poll timeout. Description AccessPoint Rebooting. Action AP detected a problem and rebooted automatically. Check the log message detail. No action is normally needed. ACCESSPOINT Severity Critical Log Message AccessPoint Rebooting. ChipReset: Error resetting WLAN HW. Description AccessPoint Rebooting. Action AP detected a problem and rebooted automatically. Check the log message detail.
PAGE 191
Critical CDR_COLLECTOR CDR_COLLECTOR Severity Critical Log Message CDR Manager failed to open accounting file for writing. The CDR Manager will halt. Description The accounting record file could not be opened; as accounting records cannot be written, the service halted. Action Indicates that the accounting record partition is corrupted. Contact service as the controller may require servicing.
PAGE 192
Logs and Events CONFIG_MANAGER Severity Critical Log Message Access point controlled software upgrade has failed. This normally occurs if a corrupt image file was selected as the upgrade image. Please select another image for the upgrade: %s Description AP upgrade has failed due to a bad software image. Action The selected upgrade image has a problem. Select a known good image and apply it to the access points for upgrade.
PAGE 193
Critical EVENT_SERVER Severity Critical Log Message Unable to initialize internal program thread. Event server will halt. Description Internal service failure Action In normal operating circumstances, the entire system behaves erratically, if functioning at all. Contact service as the system may need to be replaced. EVENT_SERVER Severity Critical Log Message Memory allocation failure. Unable to log last event. Description Indicates a memory allocation failure.
PAGE 194
Logs and Events LANGLEY LANGLEY Severity Critical Log Message Langley has suffered a critical error, and has halted. Error Details: %s Description Messaging infrastructure alarm. Action If this error appears, the system is completely non-functional. The hardware watchdog timer will kick in and the system will reboot. If the error persists, contact service as the system may need to be replaced.
PAGE 195
Critical RADIUS_CLIENT Severity Critical Log Message Failed to send process status success to Startup Manager. Start-up Manager will reboot the RADIUS client. Description Interprocess communication failure. Action No action required. RADIUS_CLIENT Severity Critical Log Message No radius server available for VNS: %s. Description None of the RADIUS servers configured for a VNS are reachable by the RADIUS client. Action Indicates that network connectivity needs to be checked.
PAGE 196
Logs and Events RU_MANAGER Severity Critical Log Message RU Manager has suffered a critical internal error and will halt (unable to open data dictionary). Description The file system has encountered a problem, and the messaging data dictionary file cannot be opened for reading. Action Indicates that the main service partition is corrupted, or there has been a low level file error. Alternatively, the file permissions may have been altered.
PAGE 197
Critical SECURITY_MANAGER Severity Critical Log Message Error binding to listener socket. Will not be able to communicate with Apache server. Description Inter-component communication failure. Action Verify that the web server is still running. If it is, re-start the security manager process to clear the problem. SECURITY_MANAGER Severity Critical Log Message Listen call failed. Will not be able to communicate with Apache Server. Description Inter-component communication failure.
PAGE 198
Logs and Events STARTUP_MANAGER Severity Critical Log Message HSM failed to start. System reboot initiated. Description Major system process start failure Action The process responsible for starting the interface IP stack failed to start. The system is rebooted automatically to attempt to clear the problem. If failure persists, try installing a previous version of the system software.
PAGE 199
Critical VNMGR VNMGR Severity Critical Log Message Critical internal error - memory protection flags have been corrupted. VN Manager will halt. Description Indicates that internal memory protection flags have been corrupted. Action If the process did not restart after emitting this error, or if client association, MAC-based authentication, or mobility problems continue to exist, shell into the O/S and kill the process to see if that clears the problem.
PAGE 200
Logs and Events VNMGR Severity Critical Log Message Socket call failed. Will not be able to communicate with specific component. Description A socket call has failed, which may make the process unable to communicate with another process. Action This log may be generated after a normal restart of the process, a normal restart of the controller, or a change in the role for mobility, and in these cases can be ignored.
PAGE 201
Major ACCESSPOINT Severity Major Log Message Beacon Creation Problem. Cannot allocate beacon. Description Beacon Creation Problem. Action Upgrade AP with the proper latest software. CDR_COLLECTOR CDR_COLLECTOR Severity Major Log Message Internal messaging error: %d. Accounting information for one client session will be incomplete. Description Accounting record is incomplete for a single client session. Action A single accounting record is incomplete.
PAGE 202
Logs and Events CDR_COLLECTOR Severity Major Log Message CDR Manager failed when attempting to write client record to accounting file. Accounting record for this client session will be unavailable. Description File input error. Action A single accounting record was not written to the accounting log. To accurately bill for usage, the client session needs to be audited against the RADIUS accounting server.
PAGE 203
Major CONFIG_MANAGER CONFIG_MANAGER Severity Major Log Message Config Manager has experienced an error which has prevented it from properly processing a request. CM will continue running, however this error may be an indicator of a larger system problem. Error Details Description CM messaging error. Action Monitor the system for re-occurrence. If problem re-occurs, other components may report additional problems. Try rebooting system to clear problem, and contact support if the problem persists.
PAGE 204
Logs and Events EVENT_SERVER EVENT_SERVER Severity Major Log Message The controller evaluation license will expire in %s days. Please contact your customer representative and purchase licenses to continue using the controller. Description License expiration warning Action See log message for appropriate action. EVENT_SERVER Severity Major Log Message Audit message error. Unable to log audit message. Description Logging behavior. Action An event from the web pages could not be logged.
PAGE 205
Major EVENT_SERVER Severity Major Log Message Cannot reset audit file pointer to beginning of the audit file - Error no: %d. The message and subsequent messages will be dropped. Description Audit file circular buffer problem. Action Indicates that the audit file may be corrupted, or the logging partition is full or corrupted. Try deleting the audit file and restarting the event server.
PAGE 206
Logs and Events NSM_SERVER Severity Major Log Message NSM suffered an internal messaging failure. Re-trying connection. Description Internal communications error. Action No action required. Process should recover. If failure continues, try restarting process. OSPF_SERVER OSPF_SERVER Severity Major Log Message OSPF server suffered an internal messaging failure. Re-trying connection. Description Internal communications error. Action No action required. Process should recover.
PAGE 207
Major RADIUS_CLIENT Severity Major Log Message Radius server changed: %s Description RADIUS client service information. Action No action required RADIUS_CLIENT Severity Major Log Message Failed to get radius profile for VNS: %s. Description RADIUS client service information. Action No action required. The config manager process has not responded. System should recover.
PAGE 208
Logs and Events RU_MANAGER RU_MANAGER Severity Major Log Message An AP has attempted to connect that is unknown to the system. AP authentication failure. %s. Description Access point registration information. Action Indicates that someone may be attempting to set-up a rogue AP and/or spoof the registration/authentication process. It is recommended that the device be blocked from the network until the identity of the AP can be verified. RU_MANAGER Severity Major Log Message AP fails discovery.
PAGE 209
Major SECURITY_MANAGER Severity Major Log Message Unable to create new session tracking tag (token mapping) based on MAC address. Will not be able to process Captive portal authentication request. Description Security Manager service information. Action If this occurs, a client session will fail captive portal authentication. The end user should try to authenticate again. Alternatively, try restarting to the process to see if this clears the problem.
PAGE 210
Logs and Events SECURITY_MANAGER Severity Major Log Message Component [%s] is down. Component will be restarted. Description System service status message. Action No action required. VNMGR VNMGR Severity Major Log Message Configuration error - missing or bad parameters. VN Manager will retry configuration request. VN Manager will not start-up until configuration is successful. Description VN Manager status message. Action Verify that Config Manager is operational.
PAGE 211
Major VNMGR Severity Major Log Message Heart-beat interval has expired - have missed too many heart-beats from VN Manager. VN Agent will reset all remote client information and revert to nodal operation. Description VN Manager status message. Action Indicates there is a network connectivity issue between controllers in the mobility domain. Resolve the connectivity issues for mobility to be returned to normal operation.
PAGE 212
Logs and Events 212 Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.
PAGE 213
H Regulatory Information This section provides the regulatory information for the Summit WM-Series Switch and Altitude 350-2 Wireless Access Point. Configuration of the Altitude 350-2 frequencies and power output are controlled by the regional software purchased with the Summit WM-Series controller and are downloaded from the sever upon initial set-up.
PAGE 214
Regulatory Information Emissions ● FCC Part 15, Subpart B, Class A ● ICES-003, Class A ● 89/336/EEC EMC Directive ● EN 55022:1998 A2:2003 Class A (European Emissions) ● EN55024:1998 A2:2003 includes IEC/EN61000-2,3,4,5,6,11 (Europe Immunity) ● EN61000-3-2:2000 Class A (Harmonics) ● EN61000-3-3:1995 A1:2001 (Flicker) ● ETSI/EN 300 386:2001-9 (EU Telecommunication Emissions & Immunity) ● IEC/CISPR22:1997 Class A (International Emissions) ● IEC/CISPR24:1998 (International Immunity) ● IEC/
PAGE 215
Altitude 350-2 Integrated Antenna AP (15938), Altitude 350-2 Detachable Antenna AP (15939) Storage & Transportation Environment: ● ● ● ● ● Storage & Transportation Temp.Range1 Storage & Transportation Relative Storage & Transportation Humidity1 Shock1 Storage & Transportation Random –40º C to +70º C (-40º F to 158º F) 10 - 95% RH 18G @ 6ms, 600 shocks (package < 50kg) Vib.1 Storage & Transportation Packaging Drop1 5-20 Hz @ 1.0 ASD w/-3dB/oct. from 20-200 Hz 14 drops min on sides & corners @ 39.
PAGE 216
Regulatory Information ● Consult the dealer or an experienced radio/TV technician for suggestion. This equipment meets the conformance standards listed in Table 10. Table 10: USA Conformance Standards Safety • UL 60950-1:2001 1st Edition, Listed Accessory EMC • FCC CFR 47 Part 15 Class B • UL 2043 Plenum Rated FCC ID#: RJF-A3502 Radio Transceiver Environmental • CFR 47 Part 15.247, Class C, 2.4 GHz Other: • CFR 47 Part 15.407, Class C, 5 GHz • IEEE 802.11a (5 Ghz) • CFR 47 Part 15.205, 15.
PAGE 217
Altitude 350-2 Integrated Antenna AP (15938), Altitude 350-2 Detachable Antenna AP (15939) Conditions Under Which a Second party may replace a Part 15 Unlicensed Antenna Second party antenna replacement (end user or second manufacturer) is permitted under the conditions listed below, with no testing or filing requirement. The general technical requirement of FCC Part 15.15 (a)(b)(c) still applies, however. ● Replacement antennas must be equal or lower then 4dBi gain within 2.
PAGE 218
Regulatory Information This equipment meets the following conformance standards: Table 11: Canada Conformance Standards Safety • cULus Listed Accessory #60950-1-03 1st edition • Plenum Rated Enclosure EMC • ICES-003 Class B Radio Transceiver • RSS-210 Other: • RSS-139-1 • IEEE 802.11a (5 GHz) • RSS-102 FR Exposure • IEEE 802.11b/g (2.4 GHz) • ID# 4141A-3502 • IEEE 802.3af See Environmental Conditions.
PAGE 219
Altitude 350-2 Integrated Antenna AP (15938), Altitude 350-2 Detachable Antenna AP (15939) Table 12: European Conformance Standards (Continued) Environmental • EN/ETSI 300 019-2-1 v2.1.2 - Class 1.2 Storage • EN/ETSI 300 019-2-2 v2.1.2 - Class 2.3 Transportation • EN/ETSI 300 019-2-3 v2.1.2 - Class 3.1e Operational • ASTM D5276 Drop Packaged • ASTM D3580 Random Vibration Unpackaged 1.
PAGE 220
Regulatory Information 220 ● The Altitude 350-2 wireless port requires the end user or installer to properly enter the correct country code into the switch software prior to operating the Altitude 350-2, to allow for proper configuration in conformance with European National spectrum usage laws. ● After the first Altitude 350-2 wireless port is connected to the switch, each additional wireless port connected will inherit the operating configuration of the first Altitude 350-2 wireless port.
PAGE 221
Altitude 350-2 Integrated Antenna AP (15938), Altitude 350-2 Detachable Antenna AP (15939) Permitted 5 GHz Channels for the European Community Table 13 lists the 5 GHz channels approved for operation in the European Community. Table 13: Permitted 5 GHz Channels in European Community Countries Permitted Frequency Bands Permitted Channel Numbers Countries 5.15-5.25GHz 36, 40, 44, 48 Austria, Belgium 5.15-5.35GHz 36, 40, 44, 48, 52, 56, 60, 64 France, Switzerland, Liechtenstein 5.15-5.35* & 5.4705.
PAGE 222
Regulatory Information Table 14: European Spectrum Usage Rules - Effective as of July 2005 (Continued) 5.47-5.725 (GHz) 5.15-5.25 (GHz) 5.25-5.35 (GHz) Country Channels: 36,40,44,48 Channels: 52,56,60,64 Channels: 100,104,108,112,116,12 0,124,128,132,136,140 2.4-2.
PAGE 223
Altitude 350-2 Integrated Antenna AP (15938), Altitude 350-2 Detachable Antenna AP (15939) Declarations of Conformity Table 15 presents the Extreme Networks declarations of conformity for the languages used in the European Community. Table 15: Declaration of Conformity in Languages of the European Community English Hereby, Extreme Networks, declares that this Radio LAN device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.
PAGE 224
Regulatory Information Certifications of Other Countries The Altitude 350-2 Model 15938 and 15939 wireless port has been certified for use in the countries listed in Table 16. When the Altitude 350-2 is connected to the Extreme Networks switch, the user is prompted to enter a country code. Once the correct country code is entered, the switch automatically sets up the Altitude 350-2 with the proper frequencies and power outputs for that country code. Go to http://www.extremenetworks.com/go/rfcertification.
PAGE 225
Index A access approval Altitude AP, in discovery, 49 accounting setup on a WM-AD, 84 adding a new WM-AD subnet name, 66 Altitude AP manually, 56 RADIUS server definitions, 69 alarms overview of log types and levels, 140 allow all or approved APs for availability setup, 104 for discovery and registration, 44 allow or deny in a filtering rule, 65 Altitude AP access approval, 49 adding for availability setup, 104 adding manually, 56 assigning to a WM-AD, 72 client blacklist, 135 client disassociate, 133 confi
PAGE 226
Index SWM tunnel traffic, 109 documentation feedback, 10 Domain Name Server (DNS) in discovery, 46 Dynamic Host Configuration Protocol (DHCP) for availability, 103 for mobility (WM-AD Manager), 107 Option 78 in discovery, 46 relay on a WM-AD, 74 required as part of solution, 15 E event logging in Check Point, 113 in SWM software, 140 exception filters on a WM-AD, 87 port-based, 39 exclusions, IP address range on a WM-AD, 73 H health checking status of Altitude APs, 135 heartbeat messages, in WM-AD Manager
PAGE 227
Index N network assignment by AAA, 75, 97 by SSID for Captive Portal, 71 options for a WM-AD, 63 network time synchronization, 112 next hop route for a WM-AD, 73 non-authenticated filter for Captive Portal, 81, 87 O operating system software upgrade, 137 OSPF configuring, 36 linkstate report, 38 neighbor report, 38 on a WM-AD, 73 P paired Summit WM-Series Switch for availability, 104 port configuring data ports, 32 management, first-time setup, 24 port exception filters, 39 power supply, Summit WM-Series
PAGE 228
Index shut down system, 135 Simple Network Management Protocol (SNMP) enabling, 116 MIBs supported, 115 software maintenance of Altitude AP software, 131 maintenance of Summit WM-Series Switch software, 137 SSID network assignment for Captive Portal, 71 standards supported, 11 static configuration of Altitude AP, 57 static routes configuring, 35 viewing forwarding table report, 36 status of Altitude APs in Access Approval screen, 49 Summit WM-Series Switch availability overview, 22 define management user na