User's Manual
Table Of Contents
- Chapter 1 Introduction
- Chapter 2 Mesh Point CLI and Administrative Access
- Chapter 3 Networking and Radio Configuration
- 3.1 Network Interfaces
- 3.2 Network Bridging
- 3.2.1 Bridging Configuration
- 3.2.2 FastPath Mesh Bridging
- 3.2.3 Fine-tuning FastPath Mesh Network Performance
- 3.2.3.1 Selecting the FastPath Mesh Multicast Transmit Mode
- 3.2.3.2 Setting the FastPath Mesh Packet Interval
- 3.2.3.3 Setting the FastPath Mesh Transmit Control Level
- 3.2.3.4 Setting Multicast Video Clamping Thresholds
- 3.2.3.5 Setting Mesh Routing Reactivity
- 3.2.3.6 Setting Mesh Packet Time To Live
- 3.2.3.7 Viewing Current Mesh Performance Parameters
- 3.2.3.8 Frame Processor Parameters
- 3.2.4 STP Bridging
- 3.3 Global Radio Settings
- 3.4 Individual Radio Settings
- 3.4.1 Radio Band, Short Preamble, Guard Interval
- 3.4.2 Channel Selection
- 3.4.3 Distance, Beacon Interval, Noise Immunity
- 3.4.4 Network Type, Antenna Gain, Tx Power
- 3.4.5 MIMO
- 3.4.6 STBC
- 3.4.7 Channel Lock and Other Channel Selection Features
- 3.4.8 DFS, TDWR, and Channel Exclusion
- 3.4.9 Radio BSS Settings
- 3.4.9.1 BSS Radio, BSS Name and SSID
- 3.4.9.2 WDS Bridging or AP Infrastructure Configuration
- 3.4.9.3 BSS State, SSID Advertising and Drop Probe Requests
- 3.4.9.4 BSS STA Idle Timeout and 802.11g-Only Settings
- 3.4.9.5 BSS Unicast Transmission Rate Settings
- 3.4.9.6 BSS WMM QoS Setting
- 3.4.9.7 BSS Fragmentation and RTS Thresholds
- 3.4.9.8 BSS DTIM Beacon Countdown
- 3.4.9.9 BSS VLANs Settings
- 3.4.9.10 BSS Fortress Security Zone
- 3.4.9.11 FastPath Mesh BSS Cost Offset
- 3.4.9.12 BSS Multicast Settings
- 3.4.9.13 Bridging MTU and Beacon Encryption
- 3.4.9.14 BSS Description
- 3.4.9.15 BSS Wi-Fi Security Configuration
- 3.4.10 Antenna Tracking / Rate Monitoring
- 3.4.11 ES210 Mesh Point STA Settings and Operation
- 3.4.11.1 STA Radio, Name, SSID and SSID Roaming
- 3.4.11.2 STA State
- 3.4.11.3 STA Unicast Transmission Rate Settings
- 3.4.11.4 STA Background Scanning
- 3.4.11.5 STA WMM QoS Setting
- 3.4.11.6 STA Fragmentation and RTS Thresholds
- 3.4.11.7 STA Multicast Rate
- 3.4.11.8 STA Description
- 3.4.11.9 STA Wi-Fi Security Configuration
- 3.4.11.10 Editing or Deleting a STA Interface Connection
- 3.4.11.11 Establishing a STA Interface Connection
- 3.4.11.12 ES210 Station Access Control Lists
- 3.5 Local Area Network Configuration
- 3.6 Time and Location Configuration
- 3.7 GPS and Location Configuration
- 3.8 DHCP and DNS Services
- 3.9 Ethernet Interfaces
- 3.10 Quality of Service
- 3.11 VLANs Implementation
- 3.12 ES210 Mesh Point Serial Port Settings
- 3.13 Mesh Viewer Protocol Settings
- Chapter 4 Network Security, Authentication and Auditing
- 4.1 Fortress Security Settings
- 4.1.1 Operating Mode
- 4.1.2 FIPS Settings
- 4.1.3 MSP Encryption Algorithm
- 4.1.4 Encrypted Data Compression
- 4.1.5 MSP Key Establishment
- 4.1.6 MSP Re-Key Interval
- 4.1.7 Key Beacon Interval
- 4.1.8 Fortress Legacy Devices
- 4.1.9 Encrypted Zone Cleartext Traffic
- 4.1.10 Encrypted Zone Management Settings
- 4.1.11 Authorized Wireless Client Management Settings
- 4.1.12 Turning Mesh Point GUI Access Off and On
- 4.1.13 SSH Access to the Mesh Point CLI
- 4.1.14 Blackout Mode
- 4.1.15 Allow Cached Credentials
- 4.1.16 Fortress Access ID
- 4.2 Digital Certificates
- 4.3 Access Control Entries
- 4.4 Internet Protocol Security
- 4.5 Authentication and Timeouts
- 4.5.1 Authentication Servers
- 4.5.2 Internal Authentication Server
- 4.5.2.1 Basic Internal Authentication Server Settings
- 4.5.2.2 Certificate Authority Settings
- 4.5.2.3 Global User and Device Authentication Settings
- 4.5.2.4 Local 802.1X Authentication Settings
- 4.5.2.5 OCSP Authentication Server Settings
- 4.5.2.6 OCSP Cache Settings and Management
- 4.5.2.7 Internal Authentication Server Access Control Lists
- 4.5.3 User Authentication
- 4.5.4 Client Device Authentication
- 4.5.5 Session Idle Timeouts
- 4.6 ACLs and Cleartext Devices
- 4.7 Remote Audit Logging
- 4.8 Wireless Schedules
- 4.1 Fortress Security Settings
- Chapter 5 System Options, Maintenance and Licensing
- Chapter 6 System and Network Monitoring
- Index
- Glossary
Fortress ES-Series CLI Guide: Network Security, Authentication and Auditing
165
You can delete a specified controller device, or all controllers
from authentication with the
del command:
# del controllerauth -deviceID
<controllerDeviceID>
|all
You must be logged on to an
administrator
-level account to
change configuration settings (refer to Section 2.2).
4.6.5 Cleartext Device Access Control
You may want to allow certain devices to pass unencrypted
data, or cleartext, on the Mesh Point’s encrypted interfaces.
These might be wireless 3rd-party APs (access points) or
Trusted Devices that require cleartext access to the encrypted
zone.
Mesh Points equipped with one or more radios can themselves
serve as wireless access points (APs), as described in Section
3.4.9.
NOTE: Each AP
name must be
unique on the Mesh
Point.
4.6.5.1 3rd-Party AP Management
View configured AP management rules with
show ap:
# show ap
NAME IP MAC 2W S PASSALL PORT
---------------- --------------- ---------------- -- - ------- ----
east 192.167.1.22 11:2b:3c:4d:5e:00 Y N N any
north 192.167.1.44 e1:2b:33:40:0d:5e Y N N any
south 192.167.1.33 11:2b:3e:40:0d:5e Y N N any
west 192.167.1.11 1a:2b:3c:4d:5e:6f Y N N any
--- Total APs: 4
Use the add, update and del (delete) commands to manage
APs for the Mesh Point-secured WLAN, as described in the
following sections.
Add AP management rules with the
add ap command:
#
add ap -name
<
APname
>
-mac
<
MACaddr
>
-ip any|
<
IPaddr
>
-ports any|
<port1,port2,…>
-2way y|n
-passall y|n -state enable|disable
in which APname is a descriptive identifier for the AP, MACaddr is
the MAC address of the AP, and
IPaddr either configures the
AP to take any IP address or specifies the AP’s network
address. The
-ports switch specifies, by number, the port(s)
accessible to the AP (comma delimited, without spaces), or
that
any port is accessible to the AP.
NOTE: STP and
Cisco® Layer 2,
VLAN management
traffic to or from
switches in the Mesh
Point’s encrypted zone
requires -passall to
be enabled (
y
).
The -passall switch determines whether the Mesh Point will
permit all OSI Layer 2 traffic to pass in the encrypted zone (
y
)
or filters Layer 2 traffic (
n
, the default). The -state switch
enables or disables Mesh Point management of the AP. The
-
2way
switch enables/disables two-way communication for the
AP.
You must configure a name, MAC address and either
any
or a
specific IP address for the AP management rule when you add