WS2000 Wireless Switch System Reference Guide
© 2009 Motorola, Inc. All rights reserved. MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. Symbol is a registered trademark of Symbol Technologies, Inc. All other product or service names are the property of their respective owners.
Contents

Chapter 1: Product Overview
1.1 WS2000 Wireless Switch System Reference Guide
1.1.1 About this Document
1.1.2 Document Conventions

3.2.1 The DHCP Configuration
3.2.2 Advanced DHCP Settings
3.3 Configuring Subnet Access

5.3 Configuring Wireless LAN Security
5.3.1 Selecting the Authentication Method
5.3.2 Configuring 802.1x EAP Authentication

6.1.5 Applet Timeout Specification
6.1.6 Changing the Administrator Password
6.2 Configuring User Authentication

7.13.2 Setting Up a Log Server
7.14 Commands to unmount a CF card

Chapter 8: Configuring HotSpot
8.1 Overview

11.6.1 Mesh Base Connections
11.6.2 Mesh Client Connections
11.7 Intrusion Prevention Statistics

12.23 Adopting Access Ports
12.24 Configuring the WLANs
12.24.1 Security
Product Overview
1.1 WS2000 Wireless Switch System Reference Guide
1.1.1 About this Document
1.1.2 Document Conventions
1.1 WS2000 Wireless Switch System Reference Guide
This guide is intended to support administrators responsible for understanding, configuring and maintaining the Wireless Switch. This document provides information for the system administrator to use during the initial setup and configuration of the system. It also serves as a reference guide for the administrator to use while updating or maintaining the system.
1.1.
1.2 System Overview
The WS2000 Wireless Switch provides a low-cost, feature-rich option for sites with one to six Access Ports. The WS2000 Wireless Switch works at the center of a network’s infrastructure to seamlessly and securely combine wireless LANs (WLANs) and wired networks. The switch sits on the network. Wireless Access Ports connect to one of the six available ports on the switch and the external wired network (WAN) connects to a single 10/100 Mbit/sec. WAN port.
1.3 Hardware Overview
The WS2000 Wireless Switch provides a fully integrated solution for managing every aspect of connecting wireless LANs (WLANs) to a wired network. This wireless switch can connect directly to a cable or DSL modem, and can also connect to other wide area networks through a Layer 2/3 device (such as a switch or router).
1.3.2 WS2000 Wireless Switch LED Functions
The switch has a large blue LED on the right front that indicates that the switch is powered on. Each port on the WS2000 Wireless Switch has either two or three LEDs that indicate the status of the port. Ports 1-4, which supply 802.3af Power over Ethernet (PoE), have three LEDs. The remaining two non-powered LAN ports and the WAN port have two LEDs.
1.4 Software Overview
The WS2000 Wireless Switch software provides a fully integrated solution for managing every aspect of connecting Wireless LANs (WLANs) to a wired network, and includes the following components:
1.4.
Getting Started
2.1 Getting Started with the WS2000 Wireless Switch
Step 1: Install the Switch
Step 2: Set Up Administrative Communication to the Switch
2.1 Getting Started with the WS2000 Wireless Switch
This section provides just enough instruction to set up the WS2000 Wireless Switch, connect an Access Port, and test communications with a single mobile unit (MU) and the wide area network (WAN). The configuration suggestions made here are just the minimum needed to test the hardware. Once finished with this section, additional configuration settings are required.
NOTE: For optimum compatibility use Sun Microsystems’ JRE 1.4 or higher (available from Sun’s website), and be sure to disable Microsoft’s Java Virtual Machine if it is installed.
The following screen displays.
4. Log in using “admin” as the User ID and “symbol” as the Password.
5. If the login is successful, the following dialog window displays. Enter a new admin password in both fields, and click the Update Password Now button.
Step 3: Set the Basic Switch Setting
1. Enter a System Name for the wireless switch. The specified name appears in the lower-left corner of the configuration screens, beneath the navigation tree. This name can be a useful reminder if multiple Symbol wireless switches are being administered.
2. Enter a text description of the location of the switch in the System Location field.
NOTE: The WS2000 switch is shipped with an open default SNMP configuration:
Community: public, OID: 1.3.6.1, Access: Read-only
Community: private, OID: 1.3.6.1, Access: Read-write
If your switch has these settings, it is important to change them immediately; otherwise, users on the same network will have read-write access to the switch through the SNMP interface. Select System Configuration --> SNMP Access from the left menu to examine the settings and change them, if necessary.
Address: This IP address allows users from outside the subnet (whether from the WAN or from another subnet from the same switch) to access the right subnet. An IP address uses a series of four numbers that are expressed in dot notation, for example, 194.182.1.1.
Interfaces: The Interfaces field displays which of the six physical LAN ports are associated with the subnet.
3. For this initial configuration, ensure that This interface is a DHCP Server is enabled. If so, the switch sets the IP addresses automatically for the mobile devices. This value can be changed at any time in the future. All other default settings are fine for the system test.
DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host.
NOTE: This setting is independent from the DHCP settings for the switch’s internal subnets.
3. If This interface is DHCP Client is not checked, other fields in the screen are enabled. To find out the information to enter into these fields, contact your network administrator or the ISP that provided the cable modem or DSL router. All fields take standard IP addresses in the form xxx.xxx.xxx.xxx.
CHAP: A type of authentication in which the user logging in uses secret information and some special mathematical operations to calculate a numerical value. The server that the user is logging into knows the same secret value and performs the same mathematical operations to arrive at a value. If the values match, the user is authorized to access the server. One of the numbers used in the mathematical operation is changed after every log-in.
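The challenge-response calculation described for CHAP, as an added example (not taken from the guide or from the switch's software). It uses the MD5 form of CHAP defined in RFC 1994; the user name, the shared secret and the class and function names are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier octet || secret || challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: knows each user's secret and issues one-time challenges."""

    def __init__(self, secrets_by_user):
        self._secrets = dict(secrets_by_user)
        self._pending = {}  # identifier -> challenge still awaiting an answer
        self._next_id = 0

    def issue_challenge(self):
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256
        challenge = os.urandom(16)  # the number that changes on every log-in
        self._pending[identifier] = challenge
        return identifier, challenge

    def verify(self, user, identifier, response):
        # pop() makes every challenge single-use, so an answer recorded from
        # an earlier log-in cannot be presented again.
        challenge = self._pending.pop(identifier, None)
        secret = self._secrets.get(user)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        # Constant-time comparison of the two computed values.
        return hmac.compare_digest(expected, response)


def run_exchange():
    """Three log-in attempts; returns (good, wrong_secret, replayed)."""
    secret = b"constructed-shared-secret"  # constructed sample value
    server = Authenticator({"branch-office": secret})

    # 1. Peer that holds the right secret: both sides compute the same value.
    ident, challenge = server.issue_challenge()
    captured = chap_response(ident, secret, challenge)
    good = server.verify("branch-office", ident, captured)

    # 2. Peer with a different secret computes a different value.
    ident, challenge = server.issue_challenge()
    wrong = server.verify("branch-office", ident,
                          chap_response(ident, b"not-the-secret", challenge))

    # 3. The value from attempt 1 sent in answer to a fresh challenge.
    ident, _ = server.issue_challenge()
    replayed = server.verify("branch-office", ident, captured)

    return good, wrong, replayed


if __name__ == "__main__":
    print(run_exchange())
```

The secret itself never crosses the link; only the challenge and the 16-byte digest do, which is why the strength of the shared secret still matters.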
2. Verify that Access Port 1 is shown in the Access Ports Adopted field to the right. If it is not, verify the connection between the switch and the Access Port.
The current settings for the associated Subnet and adopted Access Ports are displayed on this screen; however, the screen associated with each WLAN (under Network Configuration --> Wireless) is where the settings and rules for adopting Access Ports can be modified.
Setting the Authentication Method
The authentication method sets a challenge-response procedure for validating user credentials such as username, password, and sometimes secret-key information. The WS2000 Wireless Switch provides two methods for authenticating users: 802.1x EAP and Kerberos. The administrator can select between these two methods.
Step 9: Test Connectivity
At this point, the switch is set up to allow mobile units to access the LAN.
1. Check and ensure that the MU is set up as a DHCP client.
2. Set the MU to use WEP 128 bit encryption. Use the same key as was entered in the WEP Key Setting dialog. You might need to restart the MU after changing the settings.
3. Open a Web browser and type the IP address: 192.168.0.1. The WS2000 Switch Management screen should appear.
LAN/Subnet Configuration
3.1 Enabling Subnets for the LAN Interface
3.1.1 Defining Subnets
3.2 Configuring Subnets
3.1 Enabling Subnets for the LAN Interface
Subnets are used to maximize the available network addresses and to logically separate the existing organizational network into smaller related networks. The WS2000 Wireless Switch allows administrators to enable and configure six different subnets for each switch. Administrators can assign IP addresses, port associations, DHCP settings, and security settings for each subnet.
4. Click Apply to save changes. All “unapplied” changes are lost when the administrator moves to a new screen.
The rest of the information on this screen is summary information. It is collected from other screens (such as the subnet configuration screens) where the administrator can set the data.
Network: Network (subnet) name is a descriptive string that should describe the subnet’s function.
1. Change the Name of the subnet to use a descriptive name that indicates something about the subnet. The name can contain seven characters, including spaces and numbers. It will appear in the left menu under the LAN menu item.
2. Set an IP address to be used for the subnet. The switch uses the IP address to refer to a particular subnet. This IP address could be a WAN address, but is generally a non-routable address.
3.2.1 The DHCP Configuration
DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. Some of these parameters are IP address, network mask, and gateway. The switch includes internal DHCP server and client features, and the subnet’s interface can use either capability.
1.
2. If Dynamic DNS services are needed on the subnet, check the box labeled Enable Dynamic DNS. Enabling Dynamic DNS will allow domain name information to be updated when the IP address associated with that domain changes. When a MU associates and gets an IP address from the DHCP server, the DHCP server then updates the DNS server with the IP allotted to the corresponding hostname when DDNS is enabled.
14. Use the Static Mappings table to associate static (or fixed) IP addresses with MAC addresses of specific wireless devices. Every wireless, 802.11x-standard device has a unique Media Access Control (MAC) address. This address is the device’s hard-coded hardware number (shown on the bottom or back). An example of a MAC address is 00:09:5B:45:9B:07.
3.3.2 The Access Exception Area
In the lower half of the screen, the access is controlled by specific rules that control the protocols that are allowed or denied between the two subnets or the subnet and the WAN. All rules are added to the exception table. The Allow or Deny menu item applies to all entries in the table. There are two ways to add entries (access rules) to the table.
• Specify a Name to identify the new access rule. For example, this could be the name of a particular application.
• Select a transport type from the Transport column’s pull-down menu. The available transports are:

Transport    Description
ALL: This selection designates all of the protocols displayed in the table’s pull-down menu, as described below.
3.4 Advanced Subnet Access Settings
There can be situations in which the standard subnet access setting process is not specific enough for the needs of an organization. Instead, access or firewall rules need to be defined based upon destination and source IP addresses, transport types, and ports. The Advanced Subnet Access screen allows the administrator to create more complicated inbound and outbound policies.
7. Move rules to a higher or lower precedence by clicking the Move Up or Move Down buttons, as necessary.
8. When you have finished defining the Firewall Rules, click the Apply button to save changes.
Use the following information to help set the Firewall Rule fields:
• Index—The index number determines the order in which firewall rules will be executed. The rules are executed in order from lowest index number to highest number.
Transport    Description
GRE: General Routing Encapsulation (GRE) supports VPNs across the Internet. GRE is a mechanism for encapsulating network layer protocols over any other network layer protocol. Such encapsulation allows routing of IP packets between private IP networks across an Internet that uses globally assigned IP addresses.
• Src.
To configure the bridge:
1. Set the Priority for the bridge. Set the Priority as low as possible to force other devices within the mesh network to defer to this bridge as the root. A root bridge defines the mesh configuration. Motorola recommends assigning a Base Bridge AP with the lowest bridge priority so it becomes the root in the STP. If a root already exists, set the Bridge Priorities of new APs accordingly so that the root of the STP does not get altered.
3.6 Virtual LAN (VLAN) Configuration
A Virtual Local Area Network or VLAN is a switched network that has been segmented by function or application rather than by the traditional LAN segmentation which is based on physical location. VLANs allow a greater level of flexibility than a standard LAN, and enable changes to be made to the network infrastructure without physically disconnecting network equipment.
5. Enter a list of allowed VLANs between 1 and 4094 in the Allowed VLANs box. The VLANs in this list will be allowed access through the WAN port. When entering multiple VLAN IDs, separate each ID with a comma. When entering a range of VLAN IDs, separate the starting and ending values with a “-”.
6. To enable filtering using IP, check the Enable IP Filtering check box. This option is available only when Trunk Port is set to Wan.
Transport    Description
TCP: Transmission Control Protocol (TCP) is a set of rules used with Internet Protocol (IP) to send data as message units over the Internet. While IP handles the actual delivery of data, TCP keeps track of individual units of data called packets. Messages are divided into packets for efficient routing through the Internet.
UDP: User Datagram Protocol (UDP) is mostly used for broadcasting data over the Internet.
Transport    Description
IGMP: The Internet Group Management Protocol (IGMP) is used between IP hosts and their immediate neighbor multicast agents to support the creation of transient groups, the addition and deletion of members of a group, and the periodic confirmation of group membership. IGMP is an asymmetric protocol and is specified here from the point of view of a host, rather than a multicast agent.
IPV6: IPv6 is short for “Internet Protocol Version 6”.
3.8 URL Filtering
Use the URL Filtering screen to filter out access through HTTP to websites and services that do not meet the organization’s access policies. URL Filtering works by maintaining a list of websites to which access is permitted, a set of keywords that are allowed or denied search permissions, a list of blacklisted websites, and a list of trusted IP addresses.
The URL Parameters screen contains four lists of parameters used for URL filtering:
• White list – Use this list to provide access to specific websites. Websites in the white list are always allowed access. Up to 50 URLs can be configured.
• Black list – Use this list to deny access to specific websites. Any attempt to access a blacklisted website is always denied. Up to 50 URLs can be configured.
3.9 Port Configuration
Use the Port Configuration screen to enable or disable each of the 6 LAN ports and the WAN port, and to set their Auto Negotiation mode, speed and duplex states. When Auto Negotiation is enabled, the WS2000 determines the best operating speed and duplex state for each port. To disable this, select Disable from the Auto Negotiation drop-down list.
WAN Configuration
4.1 Configuring the WAN Interface
4.1.1 Configuring WAN IP Information
4.1.2 Setting Up Point-to-Point over Ethernet (PPPoE) Communication
4.1 Configuring the WAN Interface
A wide area network (WAN) is a widely dispersed telecommunications network. In a corporate environment, the WAN port might connect to a larger corporate network. For a small business, the WAN port might connect to a DSL or cable modem to access the Internet. The administrator needs to enter the WAN configuration information. The WS2000 Wireless Switch includes one WAN port.
• The IP Address refers to the IP address that the outside world will use to address the WS2000 Wireless Switch.
• Click the More IP Addresses button to specify additional static IP addresses for the switch. Additional IP addresses are required when users within the LAN need dedicated IP addresses, or when servers in the LAN need to be accessed (addressed) by the outside world. The pop-up window allows the administrator to enter up to eight WAN IP addresses for the switch.
4. Check Keep Alive to instruct the switch to continue occasional communications over the WAN even when client communications to the WAN are idle. Some ISPs terminate inactive connections, while others do not. In either case, enabling Keep-Alive mode keeps the switch’s WAN connection alive, even when there is no traffic. If the ISP drops the connection after some idle time, the switch automatically reestablishes the connection to the ISP.
5.
4.2 Configuring the WS2000 Firewall
The WS2000 Wireless Switch provides a secure firewall/Network Address Translation (NAT) solution for the WAN uplink. The firewall includes a proprietary CyberDefense Engine to protect internal networks from known Internet attacks. It also provides additional protection by performing source routing, IP unaligned timestamp, and sequence number prediction checks.
Enter a default timeout value (in seconds) for the switch to use as the timeout value when no matching records are found in the NAT Timeout Table below. This is a global configuration for any TCP/IP packets going through firewall that don't match other values.

4.2.2.2 NAT Timeout Table
In addition to the TCP Default Timeout setting, NAT timeout rules for specific TCP and UDP ports can be configured. To add rules to the NAT Timeout Table:
1.
FTP Bounce Attack Check: An FTP bounce attack uses the PORT command in FTP mode to gain access to arbitrary ports on machines other than the originating client.
IP Unaligned Timestamp Check: An IP unaligned timestamp attack uses a frame with the IP timestamp option, where the timestamp is not aligned on a 32-bit boundary.
3. Click the Properties button. The Internet Protocol (TCP/IP) Properties dialog box opens.
4. Click the Advanced button located at the bottom right of the dialog box. The Advanced TCP/IP Settings dialog opens.
5. Select the WINS tab to enable it.
6. In the NetBIOS setting group, select the Default radio. You can also select the Enable NetBIOS over TCP/IP radio.
7. Click OK in each dialog box to close it.
4.3 Configuring Intrusion Prevention System
IP networks are vulnerable to security breaches by attackers exploiting known bugs in installed software. These attacks can originate from any host on the network or from devices outside the network. These attacks can be either intentional or unintentional.
2. To enable IPS, select the Enable IPS check box.
3. To enable the different signature categories that IPS uses, check the appropriate check box in the Signature Categories group. When checked, the IPS checks for intrusion on that protocol. The following IPS signature categories are available: TELNET, POP3, IMAP, NNTP, FTP, SNMP, TCPDNS, UDPDNS, TCPRPC, UDPRPC, HTTP, SMTP, TCPGEN, UDPGEN, ICMP, TCP, UDP, IP
4.
5. Set the Protocol Anomaly Detection Parameters next. The following values have to be provided.
SMTP Header Length: Enter the SMTP header length in this field.
MIME Header Length: Enter the MIME header length in this field.
MIME Header Depth: Enter the MIME header depth in this field.
Line count in HTTP Header: Enter the number of lines in the HTTP header in this field.
HTTP Header Size: Enter the HTTP header size in this field.
4.4 Configuring Network Address Translation (NAT)
NAT provides the translation of an Internet Protocol (IP) address within one network to a different, known IP address within another network. One network is designated the private network, while the other is the public. NAT provides a layer of security by translating private (local) network addresses to one or more public IP addresses.
4. If the NAT type is 1 to Many, the 1 to Many button in the adjacent Outbound Mappings field is active, allowing the administrator to specify address assignments for each subnet. If no translation should be done, none should be selected for the subnet.
5. Click the Port Forwarding button to display a sub-screen of port forwarding parameters for inbound traffic from the associated WAN IP address. When finished, click the Ok button to close the screen.
6.
Translation Port: Enter the port to which traffic is sent after translation.
7. Click the Forward all unspecified ports to check box and then specify an IP address to enable port forwarding for incoming packets with unspecified ports.
8. Click the Apply button on the NAT screen to save changes.

4.5 Configuring Static Routes
A router uses routing tables and protocols to forward data packets from one network to another.
Subnet 2: If Subnet 2 is enabled, sets it as the Default Gateway Interface for all unspecified routes.
Subnet 3: If Subnet 3 is enabled, sets it as the Default Gateway Interface for all unspecified routes.
Subnet 4: If Subnet 4 is enabled, sets it as the Default Gateway Interface for all unspecified routes.
Subnet 5: If Subnet 5 is enabled, sets it as the Default Gateway Interface for all unspecified routes.
1. Select the RIP Type from the pull-down menu to be one of the following values.
No RIP: Depending on the RIP Direction setting, the No RIP option partially or completely disallows the switch’s router from exchanging routing information with other routers. Routing information may not be appropriate to share, for example, if the switch manages a private LAN.
RIP v1: RIP version 1 is a mature, stable, and widely supported protocol.
4.6 Configuring a Virtual Private Network (VPN)
VPNs are IP-based networks that use encryption and tunneling to give users remote access to a secure LAN. In essence, the trust relationship is extended from one LAN across the public network to another LAN, without sacrificing security.
Use the Auto Initiate Interval to set the interval at which the status of all tunnels is checked. This is a global configuration which is common for all the tunnels and is valid only when Auto Initiate is enabled. Normally, when a tunnel’s lifetime expires, it is disconnected. This feature ensures that the tunnel is automatically initiated again once its lifetime is over.

4.6.1 Creating a VPN Tunnel
1. Click the Add button to create a VPN tunnel.
3. Select the subnet that will be the local end of the tunnel from the Local Subnet menu.
4. Specify the IP address to use for the local WAN (Local Wan IP), which should be one of the (up to) eight IP addresses specified in the WAN screen.
5. Specify the IP address for the Remote Subnet along with its subnet mask (Remote Subnet Mask). Remote Subnet is the remote end of the VPN tunnel. This field accepts 0.0.0.0 as the remote subnet IP address.
6.
3. Select the authentication and anti-replay method you wish to use for the tunnel from the AH Authentication menu.
None: Disables AH authentication and the rest of the fields in this area will not be active.
MD5: Enables the Message Digest 5 algorithm, which requires 128-bit (32-character hexadecimal) authentication keys.
SHA1: Enables Secure Hash Algorithm 1, which requires 160-bit (40-character hexadecimal) keys.
4.
AES 128-bit: This option selects the Advanced Encryption Standard algorithm in use with 128-bit (32-character hexadecimal) keys.
AES 192-bit: This option selects the Advanced Encryption Standard algorithm in use with 192-bit (48-character hexadecimal) keys.
AES 256-bit: This option selects the Advanced Encryption Standard algorithm in use with 256-bit (64-character hexadecimal) keys.
8. Provide keys for both Inbound ESP Encryption Key and Outbound ESP Encryption Key.
3. Forward secrecy is a key-establishment protocol that guarantees that the discovery of a session key or a long-term private key will not compromise the keys of any other sessions. Select Yes from the Use Perfect Forward Secrecy menu to enable this option. Select No to disable Perfect Forward Secrecy.
4. If Perfect Forward Secrecy is enabled, select an IKE Authentication Algorithm.
3DES: This option selects the 3DES encryption algorithm, which requires 192-bit (48-character hexadecimal) keys. When creating keys for 3DES, the first 8 bytes cannot equal the second 8 bytes, and the second 8 bytes cannot equal the third 8 bytes.
AES 128-bit: This option selects the Advanced Encryption Standard algorithm in use with 128-bit (32-character hexadecimal) keys.
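The key formats the guide lists for AH authentication (MD5, SHA1) and ESP encryption (3DES, AES) can be checked before keys are typed into the tunnel screen. The following is an added example, not part of the guide or the switch's software; the function names, the AH field labels and all key values are constructed for illustration.

```python
import string

# Hexadecimal-character counts exactly as the guide states them.
REQUIRED_HEX_CHARS = {
    "MD5": 32,          # 128-bit AH authentication key
    "SHA1": 40,         # 160-bit AH authentication key
    "3DES": 48,         # 192-bit ESP encryption key
    "AES 128-bit": 32,
    "AES 192-bit": 48,
    "AES 256-bit": 64,
}


def check_manual_key(algorithm, key_hex):
    """Return a list of problems; an empty list means the key is acceptable."""
    if algorithm not in REQUIRED_HEX_CHARS:
        return [f"unknown algorithm {algorithm!r}"]

    problems = []
    key = key_hex.strip()

    bad = sorted({c for c in key if c not in string.hexdigits})
    if bad:
        problems.append("non-hexadecimal characters: " + "".join(bad))

    need = REQUIRED_HEX_CHARS[algorithm]
    if len(key) != need:
        problems.append(f"expected {need} hex characters, got {len(key)}")

    if algorithm == "3DES" and not problems:
        # Three 8-byte sub-keys (16 hex characters each). In the usual
        # encrypt-decrypt-encrypt construction, two equal neighbouring
        # sub-keys cancel out and leave single DES under the remaining one.
        k1, k2, k3 = (key[i:i + 16].lower() for i in (0, 16, 32))
        if k1 == k2:
            problems.append("first 8 bytes equal the second 8 bytes")
        if k2 == k3:
            problems.append("second 8 bytes equal the third 8 bytes")
    return problems


def audit_tunnel(settings):
    """settings maps a field label to (algorithm, key_hex).

    Returns {field label: [problems]} for the fields that fail.
    """
    report = {}
    for field, (algorithm, key_hex) in settings.items():
        problems = check_manual_key(algorithm, key_hex)
        if problems:
            report[field] = problems
    return report


# Constructed sample. The two ESP labels appear in the guide; the AH labels
# are assumed names for the matching AH key fields.
SAMPLE_TUNNEL = {
    "Inbound AH Authentication Key":
        ("SHA1", "00112233445566778899aabbccddeeff01234567"),
    "Outbound AH Authentication Key":      # MD5-length key under SHA1
        ("SHA1", "00112233445566778899aabbccddeeff"),
    "Inbound ESP Encryption Key":          # first two sub-keys identical
        ("3DES", "0123456789abcdef0123456789abcdeffedcba9876543210"),
    "Outbound ESP Encryption Key":         # stray non-hex character
        ("AES 256-bit", "g0" + "1f" * 31),
}

if __name__ == "__main__":
    for field, problems in audit_tunnel(SAMPLE_TUNNEL).items():
        print(f"{field}: {'; '.join(problems)}")
```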
3. Select the Operation Mode for IKE. The Phase I protocols of IKE are based on the ISAKMP identity-protection and aggressive exchanges. IKE main mode refers to the identity-protection exchange, and IKE aggressive mode refers to the aggressive exchange.
Main: This is the standard IKE mode for communication and key exchange.
Aggressive: Aggressive mode is faster and less secure than Main mode.
AES 128-bit: This option selects the Advanced Encryption Standard algorithm in use with 128-bit (32-character hexadecimal) keys.
AES 192-bit: This option selects the Advanced Encryption Standard algorithm in use with 192-bit (48-character hexadecimal) keys.
AES 256-bit: This option selects the Advanced Encryption Standard algorithm in use with 256-bit (64-character hexadecimal) keys.
11. Specify a Key Lifetime, which is the number of seconds that the key is valid.
An allow outbound rule:
Src Dst Transport ANY Src port 1:65535 Dst port 1:65535 Rev NAT None
For IKE, an allow inbound rule:
Src Dst Transport UDP Src port 1:65535 Dst port 500 Rev NAT None
These rules must be above (higher in priority than) any default or other rules that would process these packets differently.
4.6.6.
4.6.6.4 How do I specify which certificates to use from the WS2000 certificate manager to be used for an IKE policy?
When generating a certificate to be used with IKE, you must use one of the following fields: IP address, Domain Name, or E-mail address. Also make sure that you are using NTP when attempting to use the certificate manager, because certificates are time sensitive. On the IKE configuration page, Local ID type refers to the way that IKE selects a local certificate to use.
4.6.6.7 How can I set up the WS2000 switch to accept VPN tunnels from gateways that have a DHCP WAN address?
To accept a VPN tunnel from an unknown (DHCP) address, the WS2000 Wireless Switch operates in what is called responder-only mode. That is, it cannot initiate the VPN connection; it can only wait for a VPN connection to come in. Clients behind a responder-only switch cannot connect to the remote subnet until the remote subnet has connected to them.
4.7 Configuring Content Filtering
Content filtering allows system administrators to block specific commands and URL extensions from going out through the WS2000 switch’s WAN port. This feature allows blocking up to 10 files or URL extensions and allows blocking of specific outbound HTTP, SMTP, and FTP requests. To configure content filtering, select Network Configuration --> WAN --> Content Filtering from the left menu.
1. Select the type of blocking for outbound HTTP requests.
SAML (Send and Mail): This command initiates a mail transaction where mail data is sent to one or more local mailboxes and remote terminals.
RESET (Reset): This command cancels the current mail transaction and informs the recipient to discard any data sent during this transaction.
VRFY (Verify): This command asks the receiver to confirm that the specified argument identifies a user.
4.8 Configuring DynDNS
The WS2000 Wireless Switch provides support for using the DynDNS service. Dynamic DNS is a feature offered by www.dyndns.com which allows the mapping of domain names to dynamically assigned IP addresses. When the dynamically assigned IP address of a client changes, the new IP address is sent to the DynDNS servers, and traffic for the specified domain(s) is routed to the new IP address.
Wireless Configuration
5.1 Enabling Wireless LANs (WLANs)
5.1.1 WLAN Summary
5.1.2 AP Adoption Configuration
5.11 Wireless Intrusion Detection System
5.11.1 WIDS Configuration
5.11.2 Filtered MUs
5.1 Enabling Wireless LANs (WLANs)
The WS2000 Wireless Switch works in either a wired or wireless environment; however, the power of the switch is associated with its support of wireless networks. To use the wireless features of the switch, the administrator needs to enable one, two, or three wireless LANs (WLANs). To start the WLAN configuration process, select the Network Configuration --> Wireless item from the left menu. The following Wireless summary screen appears.
5.1.
The screen also displays the following information:
1. By default, the switch assigns consecutive Extended Service Set Identifications (ESSIDs). The ESSID is the name that users will see when accessing the wireless network. The ESSID can be given any recognizable alphanumeric string up to 32 characters in length.
2. The Subnet field displays the subnet assigned to the WLAN.
3. The Access Ports Adopted field displays the Access Port numbers adopted by this WLAN.
5.1.1.6 Hotspot Inactivity Timeout
Enter the duration of inactivity for a user after which the user is timed out from the hotspot. The default value is 20 minutes and the maximum timeout value is 1440 minutes (1 day).
5.1.2 AP Adoption Configuration
The AP Adoption Configuration screen allows for setting up default Access Port adoption rules as well as a deny list to prevent the adoption of specific Access Ports.
5.1.2.
5.2 Configuring Wireless LANs
The Network Configuration --> Wireless window (covered in Enabling Wireless LANs (WLANs)) is where WLANs are enabled; however, the Network Configuration --> Wireless --> screen is where the administrator configures each WLAN, after it is enabled. The screen is titled with the name of the WLAN. Within the WLAN window, the administrator can modify both standard and advanced configuration features of the WLAN.
1. Check the Disallow MU to MU Communications box to enable a communication block between mobile units (MUs) using this WLAN. Such communication might be a security issue, for example, on a corporate network. Leave this check box unchecked (default setting) to allow MU-to-MU communications on this WLAN.
2. Check the Answer Broadcast ESS check box to enable adopted Access Ports to transmit the WLAN’s Extended Service Set Identification (ESSID).
5.3.1 Selecting the Authentication Method
The authentication method sets a challenge-response procedure for validating user credentials such as username, password, and sometimes, secret-key information. The WS2000 Wireless Switch provides two methods for authenticating users: 802.1x EAP and Kerberos. The administrator can select between these two methods.
3. The administrator is required to specify the RADIUS Server Address of a primary RADIUS server for this type of authentication to work. Providing the IP address of a secondary server is optional. The secondary server acts as a failover server if the switch cannot successfully contact the primary server.
4. Specify the port on which the primary RADIUS server is listening in the RADIUS Port field. Optionally, specify the port of a secondary (failover) server.
10. In the Max. Retries field, set the maximum number of retries for a client to successfully reauthenticate after failing to complete the EAP process. If the mobile unit fails the authentication process in the specified number of retries, the switch will terminate the connection to the mobile unit.
Advanced Settings
11.
3. A realm name functions similarly to a DNS domain name. In theory, the realm name is arbitrary; however, in practice, a Kerberos realm is typically named using an uppercase version of the DNS domain name that is associated with hosts in the realm. Specify a realm name that is case-sensitive, for example, MyCompany.com.
4. Specify a Username for the Kerberos configuration.
5. Specify a Password for the Kerberos configuration.
WEP is available in two encryption modes: 40-bit (also called 64-bit) and 104-bit (also called 128-bit). The 104-bit encryption mode uses a longer key that takes longer to decode than that of the 40-bit encryption mode.
NOTE: The WEP 128 encryption mode allows devices using 104-bit keys and devices using 40-bit keys to talk to each other using 40-bit keys, if the 104-bit devices permit this option.
1.
2. To use WPA/WPA2-TKIP encryption with 802.1x EAP authentication or the No Authentication selection, click the WPA/WPA2-TKIP Settings button to display a sub-screen for key and key rotation settings.
3. To enable WPA2, check the Use WPA2 check box to use WPA2 encryption in conjunction with WPA-TKIP.
4. If using WPA2 in conjunction with 802.1x EAP authentication, you may enable Pre-Authentication and Opportunistic Key Caching by checking the corresponding check boxes.
5.
(CBC-MAC) method. Changing even one bit in a message produces a totally different result, thus providing strong authentication. WPA2-CCMP is based upon the concept of a robust security network (RSN), which defines a hierarchy of keys that have a limited lifetime, similar to TKIP. Also like TKIP, the keys that the administrator provides are used to derive other keys. Messages are encrypted using a 128-bit secret key and a 128-bit block of data.
10. Click the Ok button to return to the WLAN security screen.
11. Click the Apply button on the WLAN Security screen to save changes.
5.3.8 KeyGuard
KeyGuard is a proprietary encryption method developed by Symbol Technologies. KeyGuard is Symbol’s enhancement to WEP encryption and can work with any WEP device. This encryption method rotates WEP keys for devices that support the method. This encryption implementation is based on the IEEE Wireless Fidelity (Wi-Fi) standard, 802.
To configure IP Filtering for the WLAN:
1. Check the box marked Enable IP Filtering to turn on IP address-based filtering for inbound and outbound traffic on the WLAN.
2. Click the IP Filtering button to display a sub-screen for filtering settings on the WLAN.
3. Click the Add button to create a new filter in the table. The new filter can then be edited by clicking on the corresponding fields in the table.
4.
3. Each entry in the table specifies one or more MAC addresses to be matched against the MAC address of a mobile unit that is attempting to gain access to the WLAN. Specify a single address (by specifying Start Address only) or a range of MAC addresses (by using both the Start Address and the End Address). For example, if Allow is selected, all mobile units that match any of the specified MAC addresses or MAC address ranges in the table can be adopted by the WLAN.
The switch creates a default name for a newly found switch consisting of “AP” and a unique number. During this detection process, the switch collects the following information from the Access Port:
MAC address: Each Access Port has a unique Media Access Control (MAC) address by which it is identified. This address is burned into the ROM of the Access Port. Also, this address appears on a sticker attached to the bottom of the Access Port.
The following screen is displayed with the settings for the selected Access Port.
3. From this screen, the administrator can change several pieces of information about each Access Port.
Name: Administrators can change the names of the Access Ports from Access Port# to something much more descriptive, so that they can easily identify which Access Port is being referenced in the various screens and in the left menu. The name is limited to a string of 13 characters.
MU dB Power Level Adjustment: This is a Motorola-specific feature. This value indicates the amount of power in dBm that the MU should reduce its Tx power by with respect to the Tx power of the AP. This feature is used to reduce the amount of radio noise in the environment for better reception.
5. Click Apply to save changes.
This screen also provides the ability to change several advanced settings for the Access Ports.
5.5.1 Common Settings to All Radio Types
Some of the settings are common to all three radio types.
Channel Selection Mode: Click the Channel Selection Mode button to configure how channel selection for the selected AP is determined. A window will open with the following selections:
User Selection: Select this radio button to enable manual channel selection. With this mode, the channel can be selected from a drop-down list in the parent window.
Antenna Diversity: Use the drop-down menu to configure the Antenna Diversity settings for Access Ports that use external antennas.
Full Diversity: Utilizes both antennas to provide antenna diversity
Primary Only: Enables only the primary antenna
Secondary Only: Enables only the secondary antenna
NOTE: Antenna Diversity should only be enabled if the Access Port has two matching external antennas.
Beacon Settings: Set the Access Port beacon settings by clicking on the Beacon Settings button. Set the following beacon values.
Beacon Interval: A beacon is a packet broadcast by the adopted Access Ports to keep the network synchronized. Included in a beacon is information such as the WLAN service area, the access-port address, the broadcast destination addresses, a time stamp, and indicators about traffic and delivery such as a DTIM.
Support Short Preamble: Check the Support Short Preamble box to allow the Access Port to communicate with the MUs using a short 56-bit preamble. A preamble is the beginning part of a frame. The preamble comprises such elements as robust carrier sensing, collision detection, equalizer training, timing recovery, and gain adjustment. The administrator can choose between a long or short preamble for data-frame transmission from the WLAN’s adopted Access Ports.
2. Select the Access Port to examine or modify. When the Access Port Name menu item is selected, the following screen appears:
The advanced Access Port settings are found at the bottom and right of the screen. For most installations, the default settings for the advanced settings are appropriate.
5.6.1 Radio Settings
Placement: Select either Indoors or Outdoors from the Placement pop-up menu.
Channel Selection Mode: Click the Channel Selection Mode button to open a sub-screen where you can select the modes by which channels are selected. The available options are User Selection, Uniform Spreading, and Automatic Selection. Selecting Automatic Selection from the sub-screen enables the Remap Channel button and the This radio and All options. Select the appropriate options to remap the selected channel.
5.6.
RTS Threshold: Set the Request to Send Threshold (RTS Threshold) by specifying a number. RTS is a transmitting station’s signal that requests a Clear To Send (CTS) response from a receiving station. This RTS/CTS procedure clears the air when many mobile units (MUs) are contending for transmission time.
Beacon Settings: Set the Access Port beacon settings by clicking the Beacon Settings button.
Beacon Interval: A beacon is a packet broadcast by the adopted Access Ports to keep the network synchronized. Included in a beacon is information such as the WLAN service area, the access-port address, the broadcast destination addresses, a time stamp, and indicators about traffic and delivery such as a DTIM.
5.7.1 Setting the Bandwidth Share Mode
First, specify how the networking resources will be shared. The Bandwidth Share Mode provides three allocation options:
Off: Packets are served on a first-come-first-served basis. If this option is selected, the information in the Bandwidth Share for Each WLAN area is ignored.
Round Robin: Bandwidth is equally shared among all active WLANs.
Bandwidth Share for Each WLAN Table
The fields in this table are:
WLAN Name: This field lists the WLANs on the switch by name (the same name that you see in the left menu). You cannot change the name of the WLAN in this field. Go to the Wireless screen to change a WLAN name.
Weight: The Weight field specifies the relative amount of bandwidth provided to the given WLAN as compared to the other WLANs.
To set up Port Authentication for all adopted AP300 Access Ports:
1. In the Username field, specify an 802.1x username for all AP300 Access Ports adopted by the switch. To use the default username, click the <- Default button next to the Username field.
2. In the Password field, specify an 802.1x password for all AP300 Access Ports adopted by the switch. To use the default password, click the <- Default button next to the Password field.
3.
The Rogue AP Detection screen allows the administrator to determine how thoroughly the switch will search for rogue APs as well as list the approved APs.
5.9.1 Setting Up the Detection Method
The WS2000 Wireless Switch provides three methods for detecting rogue Access Points (APs). Use the top part of the Rogue AP Detection screen to set the method or methods that the switch will use to detect rogue APs.
1.
NOTE: Only some access ports have the capability of being a Detector AP, including Motorola AP100, AP200, and AP300 Access Ports.
5. In the Scan Interval field, enter a time interval (in minutes) between detection RF scans. Do this for each of the selected detection methods. By default, these scans are set at one-hour intervals.
NOTE: Scan interval for Full Detector AP is defined in seconds. For other scans, the interval is defined in minutes.
5.9.
5.9.3 Examine the Approve and Rogue Access Ports
This screen displays information about APs known to the switch. All approved APs are listed in the upper table. All rogue APs are listed in the lower table. This screen also allows the administrator to create detection rules from the information collected about approved or rogue APs.
First Seen: This field indicates the number of elapsed hours since the rogue AP was first noticed on the network in hours:minutes:seconds.
Last Seen: This field indicates the number of elapsed hours since the rogue AP was last noticed on the network in hours:minutes:seconds.
Reporting AP: This field shows the MAC address of the device that detected the rogue AP.
1.
To enable and configure Rogue AP Containment:
1. Check the Enable Rogue AP Containment box to enable this feature.
2. All MUs associated to Rogue APs in the Rogue AP Containment list are de-authenticated by the switch. The Deauth Interval value sets the time duration in seconds between two such de-authentications. For example, if the time duration is 2 seconds, the switch de-authenticates MUs associated with Rogue APs every 2 seconds.
Details About the Rogue Detector
The lower portion of the Rogue AP Detail screen displays information about the AP that detected the rogue. This information is provided to the administrator to help locate the rogue.
Finder's MAC: This is the MAC address for the AP that detected the rogue AP.
Closest AP MAC: This is the MAC address for the AP that is physically closest to the rogue AP.
Closest AP Name: This is the name of the AP that is physically closest to the rogue AP.
2. Check the Rogue AP box (in the lower right area of the screen) to generate a trap when a rogue (unauthorized) access port (AP) is detected. The detection process is non-disruptive and will not affect the performance of the switch. The detection functionality is greatly enhanced when the Approved AP list is filled out on the AP List screen under Rogue AP Detection.
5.
5.11 Wireless Intrusion Detection System
The Motorola Wireless Intrusion Detection System (WIDS) protects against a wide range of malicious attacks on the WS2000 Wireless Switch. This feature inspects each packet that is received by the WS2000 and then, based on analysis, decides whether an intrusion is happening on the device. By default, WIDS is disabled. It can be enabled from the [Network Configuration]-->Wireless-->WIDS screen.
WIDS also keeps track of anomalies. An anomaly is defined as an event which is different from the general occurrences on a WS2000. The following anomalies are tracked:
• null-dst - NULL destination
• same-src-dst - Same source and destination address
• mcast-src - Source MAC is multicast
• weak-wep-iv - Weak WEP
• tkip-cntr-meas - TKIP counter measures
• invalid-frame-len - Invalid frame length
5.11.
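To make the address and length anomalies in the list above concrete, here is an added example (not Motorola's WIDS implementation and not part of the original guide) that classifies constructed 802.11 frame headers as null-dst, same-src-dst, mcast-src or invalid-frame-len. How each anomaly name maps onto header fields is an assumption based on the standard 802.11 ToDS/FromDS address layout; weak-wep-iv and tkip-cntr-meas are not covered, and all function names and sample frames are made up for the illustration.

```python
NULL_MAC = bytes(6)


def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(to_ds, from_ds, a1, a2, a3, a4=b"", payload=b""):
    """Build a constructed 802.11 data frame header (no FCS) for the samples."""
    frame_control = bytes([0x08, (to_ds & 1) | ((from_ds & 1) << 1)])
    duration = b"\x00\x00"
    seq_ctl = b"\x00\x00"
    return frame_control + duration + a1 + a2 + a3 + seq_ctl + a4 + payload


def classify(frame):
    """Return the anomaly names (as listed in the guide) that apply to a frame."""
    if len(frame) < 2:
        return ["invalid-frame-len"]

    frame_type = (frame[0] >> 2) & 0x03
    if frame_type == 1:
        # Control frames (ACK, RTS, CTS) carry shorter headers; not handled here.
        return []

    to_ds = frame[1] & 0x01
    from_ds = frame[1] & 0x02
    # Three addresses need 24 bytes; a four-address (ToDS+FromDS) header needs 30.
    header_len = 30 if (to_ds and from_ds) else 24
    if len(frame) < header_len:
        return ["invalid-frame-len"]

    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and from_ds:
        dst, src = a3, frame[24:30]
    elif to_ds:          # station to AP: A1=BSSID, A2=source, A3=destination
        dst, src = a3, a2
    elif from_ds:        # AP to station: A1=destination, A2=BSSID, A3=source
        dst, src = a1, a3
    else:                # ad hoc or management: A1=destination, A2=source
        dst, src = a1, a2

    anomalies = []
    if dst == NULL_MAC:
        anomalies.append("null-dst")
    if src == dst:
        anomalies.append("same-src-dst")
    if src[0] & 0x01:    # group bit set in the first octet of the source MAC
        anomalies.append("mcast-src")
    return anomalies


# Constructed sample addresses and frames, for illustration only.
BSSID = mac("00:a0:f8:00:00:01")
MU = mac("00:11:22:33:44:55")
PEER = mac("00:aa:bb:cc:dd:ee")
MCAST = mac("01:00:5e:00:00:01")

SAMPLES = {
    "normal": build_frame(1, 0, BSSID, MU, PEER, payload=b"data"),
    "null destination": build_frame(1, 0, BSSID, MU, NULL_MAC),
    "source equals destination": build_frame(0, 1, MU, BSSID, MU),
    "multicast source": build_frame(0, 0, PEER, MCAST, BSSID),
    "truncated header": build_frame(1, 0, BSSID, MU, PEER)[:20],
    "truncated four-address": build_frame(1, 1, BSSID, MU, PEER, a4=MU)[:24],
    "ACK control frame": bytes([0xD4, 0x00, 0x00, 0x00]) + MU,
}


def scan(samples):
    """Classify every sample frame; returns {label: [anomaly, ...]}."""
    return {label: classify(frame) for label, frame in samples.items()}


if __name__ == "__main__":
    for label, found in scan(SAMPLES).items():
        print(f"{label:28s} {found or 'clean'}")
```
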
5.11.2 Filtered MUs
The Filtered MUs screen displays a list of all MUs that have been filtered out by WIDS. You can, if required, remove any or all MUs listed in the Filtered MUs table. The Filtered MUs table displays the following:
MU MAC: The MAC address of the MU that has been filtered out.
Radio: The Radio that has been filtered out
Violation Type: The violation that caused the MU to be filtered out
Time Left: The duration after which the MU will not be filtered out.
5.12 Smart Scan
Each radio, depending on the country it is operating in, provides a large number of channels for data transmission. This means that when an MU roams from one AP to another, it has to scan all the available channels for that radio to find the WLAN it was connected to. This scan process takes time depending on the number of channels to scan.
5.13 Self Heal
A self-healing network is one that is capable of maintaining the availability of the network under all circumstances. The network can self-manage in response to the events that occur within the network. Self heal for WS2000 is provided by the device maintaining a Neighbor Table with entries for each device in its neighborhood. Self heal can be activated from the [Network Configuration]-->Wireless-->APs/Radios-->selfheal menu item.
Interference Avoidance: When enabled, the AP keeps track of the retry count for the Tx frames and, if this count exceeds the threshold limit set in the Average Retries field, triggers the Interference Avoidance feature. The AP then performs an Automatic Channel Selection (ACS) and shifts its channel to one where there is no interference. The Hold Time specifies the time duration in seconds that the AP has to wait after having done an ACS before doing the next ACS.
5.
5.14.1 Mesh Base Setting
Use the Mesh Base Settings area of the Mesh Setting screen to set up the device as a Mesh Base device. To do so:
1. Check the Mesh Base box to set the device as a Mesh Base.
2. Enter the maximum number of clients this Mesh Base device can handle simultaneously. The maximum number of client devices that can be handled is 6.
3. Click the Apply button to save changes.
5.14.
Administrator and User Access
6.1 Configuring Administrator Access
6.1.1 Selecting the Type of Admin Access
6.1.2 Configuring Secure Shell Connection Parameters
6.1 Configuring Administrator Access
The WS2000 Network Management System allows users to log in to perform administration tasks. The switch administrator can change any settings within the WS2000 Network Management System. The default login name for the switch administrator is “admin” and the initial password is “symbol”. The WS2000 Access screen is used to configure the access to the WS2000 Wireless Switch.
Access        Port   Description
CLI TELNET    23     Allows administrator access to the wireless switch through TELNET. Allows the administrator to access the switch through the command line interface.
CLI SSH       22     Allows administrator access to the command line interface of the wireless switch through the Secure Shell (SSH) protocol of TCP/IP.
SNMP          161    Allows administrator access to change switch settings from an SNMP server.
If the RADIUS button is selected, specify the RADIUS Server IP address, the communication port for the authentication process, and the RADIUS server’s Shared Secret (password) to use.
6.1.4 Setting Up AirBEAM Software Access
Symbol’s AirBEAM software suite is a comprehensive set of mobility management tools that maximize the availability, security and effectiveness of a wireless network.
6.2 Configuring User Authentication
The WS2000 Wireless Switch provides an integrated RADIUS server as well as the ability to work with external RADIUS and LDAP servers to provide user database information and user authentication. Several screens are available to configure how the RADIUS server authentication works as well as to set up the local user database and access policies.
ideal choice for networks using legacy EAP authentication methods.
• Tunneled TLS EAP (EAP-TTLS) is similar to EAP-TLS, but the client authentication portion of the protocol is not performed until after a secure transport tunnel has been established. This allows EAP-TTLS to protect legacy authentication methods used by some RADIUS servers.
3. If PEAP is selected, specify a Default Auth Type for PEAP to use from the pull-down menu.
6.2.2 Configuring Lightweight Directory Access Protocol (LDAP) Authentication
When the RADIUS Data Source is set to use an external LDAP server (see Configuring the RADIUS Server), the LDAP screen is used to provide information about the external LDAP server. Select [User Authentication] --> RADIUS Server --> LDAP. The fields on this screen are only available when LDAP or LDAPS is set as the data source for the RADIUS server.
1.
Group Member Attribute: Specify the Group Member Attribute to be sent to the LDAP server when authenticating the users.
The following are the additional settings that are required for the LDAPS data source.
Fully Qualified Domain name: Enter the fully qualified domain name of the LDAP server that provides authentication information to your RADIUS server.
CA Certificate: Specify the CA certificate used for authentication.
Port: Enter the TCP/IP port number for the RADIUS server that will be acting as a proxy server. The default port is 1812.
Shared Secret: Set a shared secret to be used for each suffix that will be used for authentication with the RADIUS proxy server.
4. Click Apply to save changes.
To delete a server row, select the row corresponding to that entry and click the Del (Delete) button.
2. To set a group as a group of Guest users, click the check box in the Guest column, next to the Groups field.
3. To enable a group access to a particular VLAN, enter the ID in the VLAN ID field for the group.
4. To restrict access to set times, enter the appropriate time values in “hhmm” (24 hours) format. Enter the access start time and end time in the Start Time and End Time fields respectively.
5.
When you log on with the guest user name for the first time, you are forced to change the default password. Use the Change Admin/Manager/Guest Admin Password dialog to change the default password.
NOTE: Before this screen is used to create a guest user, there must be at least one guest user group configured on the switch. To create a guest user group, see section Adding Groups.
To create a guest user:
1. Enter the required username in the User Name text box.
2. Enter the required password in the Password text box. You can also generate a random password. To generate a random password, click the Password Generate button. A 10-character password is generated.
3. Select the User Group the new user will belong to. Click on User Group to display a list of guest user groups. Select the appropriate guest user group.
4. Two options are available to set the life of the new guest user.
3. Click Print. The user information is printed. You can then provide this information to the user for reference.
6.2.6 Setting the User Access Policy
The RADIUS Access Policy screen allows you to set WLAN access based on a user group defined on the User Database screen. Select [User Authentication] --> RADIUS Server --> Access Policy to set group access. Each Group ID defined in the User Database screen appears on the Access Policy screen as a single row in the table.
1. To enable group access to a particular WLAN, check the box for that WLAN in the row corresponding to the group. To disable access for a group, uncheck the box for the appropriate WLAN. A group must have at least one WLAN checked to have wireless access to the switch.
2. Click Apply when you have finished the changes.
6.
To import a CA certificate, perform the following steps:
1. Select System Configuration --> Certificate Mgmt --> CA Certificates from the left menu. The following screen appears.
2. Copy the content of the CA Certificate message into the clipboard and then click Paste from Clipboard. The content of the certificate will appear in the Import Root CA Certificate area.
3. Click the Import Root CA Certificate button to import it into the CA Certificate list.
4.
6.3.2 Creating Self Certificates
Self certificates are those for which the organization creates a certificate request, sends it off to a Certificate Authority (CA) to be signed, and then imports the signed certificate into the management system. To go through this process, select System Configuration --> Certificate Mgmt --> Self Certificates.
1. To create the certificate request, click the Add button. The Certificate Request screen appears.
2.
Signature Algorithm: Indicate the signature algorithm to use for the certificate. The selection should match the VPN tunnel settings.
• MD5-RSA: Message Digest 5 algorithm in combination with RSA encryption.
• SHA1-RSA: Secure Hash Algorithm 1 in combination with RSA encryption.
Key Length: Indicate the desired length of the key. Possible values are 512, 1024, and 2048.
3.
Switch Administration
7.1 Overview of Administration Support
7.2 Restarting the Wireless Switch
7.3 Changing the Name of the Switch
7.1 Overview of Administration Support
The WS2000 Network Management System provides several screens for administering the switch and monitoring activity on the switch.
7.3 Changing the Name of the Switch
When the administrator first logs into the WS2000 Network Management System, the System Settings screen appears. One of the fields in this screen is the System Name field. In this field, the administrator can specify the name of the switch. This name is used to distinguish the switch from others that are on the network and it is also used to set the device name in SNMP. To examine and change the current name for the switch:
1.
1. Select System Configuration --> System Settings from the left menu.
2. Type in a description of the physical location of the switch within your facility into the Location field.
3. Find the Country field and use the drop down menu to select the correct country from the list.
4. Click Apply to save changes. The interface asks you to confirm any changes you make to the Country selection.
7.
2. Enter the IP address of the DNS server in the DNS Server IP Address field.
3. Click Apply to save changes.
7.6 Configuring the Domain Name for the switch
The Domain Name field provides domain information for reverse DNS queries. The name of the WS2000 as entered in the System Name field and the device’s domain name as entered in the Domain Name field are returned for the reverse DNS query.
7.7 Configuring Switch Redundancy
The WS2000 Wireless Switch supports redundancy between two WS2000 Wireless Switches, allowing a standby switch to take over if the primary switch stops responding. Use the WS2000 Redundancy settings to configure the Operational State and Redundancy Mode for the switch.
7.7.1 Setting Up Switch Redundancy
For each of the two switches, use the following procedure to set up redundancy.
1.
7.7.2 Redundancy Operations Status
To see the Operational Mode status for switch redundancy, look at the bottom of the Redundancy screen. Click the Refresh button to update the Operational Mode status.
7.8 Updating the WS2000 Wireless Switch’s Firmware
From time to time, Motorola releases updates to the WS2000 Wireless Switch’s firmware.
an FTP server, on a system with a TFTP server, or on a CompactFlash card that is compatible with the switch.
7.8.2 Performing the Firmware Update
To perform the update, the update file must be available from an FTP or TFTP site, or it must be on the CompactFlash card in the CF slot of the switch. The administrator supplies the site information and the WS2000 Network Management System will perform the update for the administrator.
1.
2. After the switch reboots, return to the Firmware Update screen. Read the Status field to verify that the firmware update completed successfully. The Version number at the top of the screen should have been updated.
3. Confirm that the wireless switch’s configuration settings are the same as prior to the update. If not, restore the settings.
7.8.
Select [System Configuration] --> [Cfg/Firmware Mgt] --> DHCP Options (Sys Update) to configure the switch to accept DHCP downloads.
7.8.5.1 Setting Up the Switch
1. Check Enable Automatic Firmware Update to allow the WS2000 Wireless Switch to automatically receive firmware updates from a server using the DHCP protocol. By default this option is disabled.
2.
7.9 Exporting and Importing Wireless Switch Settings
All of the configuration settings for the WS2000 Wireless Switch can be saved to a configuration file and then either imported back into the same switch or transferred to another switch. This file-based configuration saving feature provides several benefits:
• It can speed the switch setup process significantly at sites using multiple WS2000 wireless switches.
6. If required, select Default Before Applying to reset the WS2000 device to default settings before an imported configuration file is applied on it.
7. To import a file from the FTP server and apply it, click FTP Import. Similarly, to import a file from the TFTP server, click TFTP Import. To export a file to a server using FTP, click FTP Export. Similarly, to export to a server using TFTP, click TFTP Export.
3. Enter the administrative password for this WS2000 in the Administrator Password field. This allows you to download the configuration file from the WS2000.
4. Click Get File. The Opening cfg.txt dialog displays. If you want to view the downloaded file, click the Open with option to select it. If you want to save the file, click Save to Disk. Click Ok to do the selected task.
Below is a sample configuration file that has been annotated using comment lines. All comment lines begin with // and are blue in color. The configuration file is organized by function area, and most areas correspond directly to a menu item.
//
// WS2000 Configuration Command Script
// System Firmware Version: 2.3.1.
set fw boot on-board-flash
set fw active-partition primary
set bind-interface none
/
system logs
// Logs menu
set mode disable
set level L6
set cf_logging_mode disable
/
system ntp
// NTP menu
set mode enable
set server 1 157.235.205.31
set server 2 \0
set server 3 \0
set port 1 123
set port 2 123
set port 3 123
set intrvl 15
set zone 206
/
system snmp access
// SNMP ACL configuration
delete acl all
// SNMP v1/v2c configuration
delete v1v2c all
add v1v2c public ro 1.3.6.
set rate pkts wlan 0.00
set rate pkts ap 0.00
set rate pkts mu 0.00
set rate mbps switch 0.00
set rate mbps wlan 0.00
set rate mbps ap 0.00
set rate mbps mu 0.00
set rate avg-bps wlan 0.00
set rate avg-bps ap 0.00
set rate avg-bps mu 0.00
set rate pct-nu wlan 0.00
set rate pct-nu ap 0.00
set rate pct-nu mu 0.00
set rate avg-signal wlan 0.00
set rate avg-signal ap 0.00
set rate avg-signal mu 0.00
set rate avg-retries wlan 0.00
set rate avg-retries ap 0.
userdb user
// clear userdb user configuration
clearall
/
system userdb group
// clear userdb group configuration
clearall
/
system userdb user
enc-add EVLtwLcU a8342499045d7431bbb5
enc-add jzoniBdO 95252ea206553419ff9d
enc-add ssmzhpIC bd0539c4102c0b16cb9c
/
system userdb group
create Guests 1
add EVLtwLcU Guests
add jzoniBdO Guests
add ssmzhpIC Guests
set guest-group Guests
set start-time Guests 0000
set end-time Guests 2359
set day-access Guests mo tu we th fr sa su
/
system r
policy
// radius access policy configuration
set Guests
/
system radius ldap
// radius LDAP configuration
set domain \0
set port 389
set binddn cn=Manager,o=mobion
set basedn o=mobion
set login (uid=%{Stripped-User-Name:-%{User-Name}})
set pass_attr userPassword
set groupname cn
set filter (|(&(objectClass=GroupOfNames)(member=%{LdapUserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
set membership radiusGroupName
import client none
set kerb realm 1 \0
set kerb port 1 1 88
set kerb port 1 2 88
set kerb port 1 3 88
set eap port 1 1 1812
set eap port 1 2 1812
set eap reauth mode 1 disable
set eap reauth retry 1 2
set eap reauth period 1 3600
set eap adv mu-quiet 1 10
set eap adv mu-tx 1 5
set eap adv mu-timeout 1 10
set eap adv mu-retry 1 2
set eap adv server-timeout 1 5
set eap adv server-retry 1 2
set eap rad-acct mode 1 disable
set eap rad-acct timeout 1 10
set eap rad-acct retry-count 1 2
set tkip type 1
set wep-mcm enc-key 2 3 e2565fc57c2a766fb0d52a19a9
set wep-mcm enc-key 2 4 92262fb50c5a061fc0a55a69d9
set mu-inact 10
set kerb user 2 \0
set kerb realm 2 \0
set kerb port 2 1 88
set kerb port 2 2 88
set kerb port 2 3 88
set eap port 2 1 1812
set eap port 2 2 1812
set eap reauth mode 2 disable
set eap reauth retry 2 2
set eap reauth period 2 3600
set eap adv mu-quiet 2 10
set eap adv mu-tx 2 5
set eap adv mu-timeout 2 10
set eap adv mu-retry 2 2
set eap
set auth 3 none
set wep-mcm index 3 1
set wep-mcm enc-key 3 1 c2767fe55c0a564f90f50a3989
set wep-mcm enc-key 3 2 f2464fd56c3a667fa0c53a09b9
set wep-mcm enc-key 3 3 e2565fc57c2a766fb0d52a19a9
set wep-mcm enc-key 3 4 92262fb50c5a061fc0a55a69d9
set mu-inact 10
set kerb user 3 \0
set kerb realm 3 \0
set kerb port 3 1 88
set kerb port 3 2 88
set kerb port 3 3 88
set eap port 3 1 1812
set eap port 3 2 1812
set eap reauth mode 3 disable
set eap reauth retry 3 2
set eap reauth per
// WLAN 4 configuration
set mode 4 disable
set ess 4 104
set enc 4 none
set auth 4 none
set wep-mcm index 4 1
set wep-mcm enc-key 4 1 c2767fe55c0a564f90f50a3989
set wep-mcm enc-key 4 2 f2464fd56c3a667fa0c53a09b9
set wep-mcm enc-key 4 3 e2565fc57c2a766fb0d52a19a9
set wep-mcm enc-key 4 4 92262fb50c5a061fc0a55a69d9
set mu-inact 10
set kerb user 4 \0
set kerb realm 4 \0
set kerb port 4 1 88
set kerb port 4 2 88
set kerb port 4 3 88
set eap port 4 1 1812
set eap syslog mode 4 disable
set vlan-id 4 4
set secure-beacon 4 disable
delete 4 all
// WLAN 5 configuration
set mode 5 disable
set ess 5 105
set enc 5 none
set auth 5 none
set wep-mcm index 5 1
set wep-mcm enc-key 5 1 c2767fe55c0a564f90f50a3989
set wep-mcm enc-key 5 2 f2464fd56c3a667fa0c53a09b9
set wep-mcm enc-key 5 3 e2565fc57c2a766fb0d52a19a9
set wep-mcm enc-key 5 4 92262fb50c5a061fc0a55a69d9
set mu-inact 10
set kerb user 5 \0
set kerb realm 5 \0
set kerb po
set adopt 5 allow
set acl 5 allow
set mcast 5 1 01005E000000
set mcast 5 2 09000E000000
set eap syslog mode 5 disable
set vlan-id 5 5
set secure-beacon 5 disable
delete 5 all
// WLAN 6 configuration
set mode 6 disable
set ess 6 106
set enc 6 none
set auth 6 none
set wep-mcm index 6 1
set wep-mcm enc-key 6 1 c2767fe55c0a564f90f50a3989
set wep-mcm enc-key 6 2 f2464fd56c3a667fa0c53a09b9
set wep-mcm enc-key 6 3 e2565fc57c2a766fb0d52a19a9
set wep-mcm enc-key 6
set name 6 WLAN6
set no-mu-mu 6 disable
set vop 6 enable
set bcast 6 disable
set adopt 6 allow
set acl 6 allow
set mcast 6 1 01005E000000
set mcast 6 2 09000E000000
set eap syslog mode 6 disable
set vlan-id 6 6
set secure-beacon 6 disable
delete 6 all
// WLAN 7 configuration
set mode 7 disable
set ess 7 107
set enc 7 none
set auth 7 none
set wep-mcm index 7 1
set wep-mcm enc-key 7 1 c2767fe55c0a564f90f50a3989
set wep-mcm enc-key 7 2 f2464fd56c3a667fa0c53a09b9
set wep-mcm enc-key
set ccmp rotate-mode 7 disable
set ccmp mixed-mode 7 disable
set ccmp preauth 7 disable
set ccmp opp-pmk 7 enable
set name 7 WLAN7
set no-mu-mu 7 disable
set vop 7 enable
set bcast 7 disable
set adopt 7 allow
set acl 7 allow
set mcast 7 1 01005E000000
set mcast 7 2 09000E000000
set eap syslog mode 7 disable
set vlan-id 7 7
set secure-beacon 7 disable
delete 7 all
// WLAN 8 configuration
set mode 8 disable
set ess 8 108
set enc 8 none
set auth 8 none
set we
set ccmp enc-phrase 8 a11e00942773343deb84
set ccmp enc-key 8 c2767fe55c0a564fa8cd3201b1984a33f986e7872572740a80c6dcff32905735
set ccmp interval 8 86400
set ccmp rotate-mode 8 disable
set ccmp mixed-mode 8 disable
set ccmp preauth 8 disable
set ccmp opp-pmk 8 enable
set name 8 WLAN8
set no-mu-mu 8 disable
set vop 8 enable
set bcast 8 disable
set adopt 8 allow
set acl 8 allow
set mcast 8 1 01005E000000
set mcast 8 2 09000E000000
set eap syslog mode 8 disable
set vlan-id 8 8
set se
set primary 802.11a 1
set dtim 802.11a 1 10
set dtim 802.11a 2 10
set dtim 802.11a 3 10
set dtim 802.11a 4 10
// Default 802.11b radio configuration
set reg 802.11b in/out 1 20
set rate 802.11b 1,2 1,2,5.5,11
set div 802.11b full
set ch_mode 802.11b fixed
set beacon intvl 802.11b 100
set rts 802.11b 2341
set short-pre 802.11b disable
set dtim 802.11b 1 10
set dtim 802.11b 2 10
set dtim 802.11b 3 10
set dtim 802.11b 4 10
// Default 802.
set mac 1 00A0F860C858
set ap_type 1 AP200
set radio_type 1 802.
set radio_type 4 802.11a
set beacon intvl 4 100
set dtim 4 1 10
set dtim 4 2 10
set dtim 4 3 10
set dtim 4 4 10
set ch_mode 4 random
set primary 4 1
set div 4 full
set reg 4 in 36 17
set mu-power-adjustment 4 0
set rts 4 2341
set name 4 AP4
set loc 4 \0
set ap_scan 4 on-chan
set rate 4 6,12,24 6,9,12,18,24,36,48,54
set allowed_sip_session 4 10
set mac 5 00A0F8BFF144
set ap_type 5 AP300
set radio_type 5 802.
// AP Deny List menu
delete all
// Self-Healing configuration
/
network ap selfheal
// Self-Heal Interference Avoidance Configuration
set interference-avoidance mode disable
set interference-avoidance max-retries 14
set interference-avoidance hold-time 3600
// Self-Heal Neighbor
set neighbor-recovery
set neighbor-recovery
set neighbor-recovery
set neighbor-recovery
set neighbor-recovery
set neighbor-recovery
set neighbor-recovery
set neighbor-recovery
set neighbor-recovery
set n
set wlan 1 1
set auto 1 enable
del 1 all
set base 1 disable
set max-clients 1 6
set client 2 disable
set wlan 2 1
set auto 2 enable
del 2 all
set base 2 disable
set max-clients 2 6
set client 3 disable
set wlan 3 1
set auto 3 enable
del 3 all
set base 3 disable
set max-clients 3 6
set client 4
set client 11 disable
set wlan 11 1
set auto 11 enable
del 11 all
set base 11 disable
set max-clients 11 6
set client 12 disable
set wlan 12 1
set auto 12 enable
del 12 all
set base 12 disable
set max-clients 12 6
/
// LAN configuration
network lan
set mode 1 enable
set name 1 Subnet1
set ipadr 1 192.168.0.1
set mask 1 255.255.255.0
set dgw 1 192.168.0.1
set mode 2 enable
set name 2 Subnet2
set ipadr 2 192.168.1.1
set mask 2 255.255.255.0
set dgw 2 192.168.1.
set ddnsusrcls 1 single
set dgw 1 192.168.0.1
set dns 1 1 192.168.0.1
set dns 1 2 192.168.0.1
set wins 1 192.168.0.254
set lease 1 86400
set domain 1 \0
set fwdzone 1 \0
set tftp-server 1 0.0.0.
set option-43 4 \0
set mode 4 server
set range 4 192.168.3.100 192.168.3.
set duplex port3 full
set auto-negotiation port4 enable
set speed port4 100M
set duplex port4 full
set auto-negotiation port5 enable
set speed port5 100M
set duplex port5 full
set auto-negotiation port6 enable
set speed port6 100M
set duplex port6 full
// WAN Port configuration
set auto-negotiation wan enable
set speed wan 100M
set duplex wan full
/
system redundancy
//Redundancy menu
set op_state redundancy
set redundancy s1 disable
set virtualip s1 0.0.
set mode 7 disable
set mode 8 disable
/
network wan nat
// NAT configuration
set type 1 1-to-many
set inb mode 1 disable
set type 2 none
set inb mode 2 disable
set type 3 none
set inb mode 3 disable
set type 4 none
set inb mode 4 disable
set type 5 none
set inb mode 5 disable
set type 6 none
set inb mode 6 disable
set type 7 none
set inb mode 7 disable
set type 8 none
set inb mode 8 disable
// Outbound 1-To-Many NAT configuration
set outb map s1 1
set outb map s2 1
set outb map s
delcmd ftp pasv
delcmd web file all
addcmd web file \0
addcmd web file \0
addcmd web file \0
addcmd web file \0
addcmd web file \0
addcmd web file \0
addcmd web file \0
addcmd web file \0
addcmd web file \0
addcmd web file \0
/
// Firewall configuration
network fw
set override disable
submap
// Subnet map configuration
set default s1 w allow
set default s1 s2 allow
set default s1 s3 allow
set default s1 s4 allow
set default s2 w allow
set default s2 s1 all
set override enable
policy inbound
// Inbound policy configuration
delete all
/
network fw
set override enable
policy outbound
// Outbound policy configuration
delete all
/
network fw
set mode enable
set override disable
set syn enable
set src enable
set win enable
set ftp enable
set ip enable
set seq enable
set mime filter enable
set mime len 8192
set mime hdr 16
set timeout 10
set spoof enable
set rst enable
set range enable
set fin 20
timerdel all
/
// Router configuration
net
set bw-share weight 8 1
set bw-share mode rate-limit
set bw-share mode none
/
// VLAN configuration
network vlan
set assign-mode port
set default 1
// Subnet to VLAN configuration
set vlan-id s1 1
set vlan-id s2 2
set vlan-id s3 3
set vlan-id s4 4
/
// VLAN Trunk configuration
network vlan
set trunk-port none
set allow vlans 1-4094
/
// Hotspot configuration
// Hotspot configuration
network wlan hotspot
// Wlan 1 - Hotspot configuration
set mode 1 disable
set exturl 5 fail \0
set http-mode 5 https
// Wlan 6 - Hotspot configuration
set mode 6 disable
set page-loc 6 default
set exturl 6 login \0
set exturl 6 welcome \0
set exturl 6 fail \0
set http-mode 6 https
// Wlan 7 - Hotspot configuration
set mode 7 disable
set page-loc 7 default
set exturl 7 login \0
set exturl 7 welcome \0
set exturl 7 fail \0
set http-mode 7 https
// Wlan 8 - Hotspot configuration
set mode 8 disable
set page-loc 8 default
set exturl 8 login \0
set exturl 8
set port 4 secondary 1812
// Wlan 5 - Hotspot Radius configuration
set acct-mode 5 disable
set acct-timeout 5 10
set acct-retry 5 3
set port 5 primary 1812
set port 5 secondary 1812
// Wlan 6 - Hotspot Radius configuration
set acct-mode 6 disable
set acct-timeout 6 10
set acct-retry 6 3
set port 6 primary 1812
set port 6 secondary 1812
// Wlan 7 - Hotspot Radius configuration
set acct-mode 7 disable
set acct-timeout 7 10
set acct-retry 7 3
set port 7 prima
/
network wips
// WIPS menu
set mode enable
defaults
set mode client
set ipaddr 192.168.0.10
set mask 255.255.255.0
set dgw 192.168.0.1
set pwips 192.168.0.20
set swips 192.168.0.21
..
wlanipfpolicy
set ipf-mode 1 enable
set ipf-mode 1 disable
set default incoming 1 allow
set default outgoing 1 allow
set ipf-mode 2 enable
set ipf-mode 2 disable
set default incoming 2 allow
set default outgoing 2 allow
set ipf-mode 3 enable
set ipf-mode 3 disable
set default incoming 3 allow
set default outgoing 3 allow
set ipf-mode 4 enable
set ipf-mode 4 disable
set default incoming 4 allow
set default outgoing 4 allow
set ipf-mode 5 enable
set
set username \0
set password \0
set hostname \0
/
// WIDS Configuration
network wids
set mode disable
set detect-window 10
/
network wids
set excess-op threshold mu probe-req 0
set excess-op threshold radio probe-req 0
set excess-op threshold switch probe-req 0
set excess-op filter-ageout probe-req 60
set excess-op threshold mu auth-assoc-req 0
set excess-op threshold radio auth-assoc-req 0
set excess-op threshold switch auth-assoc-req 0
set excess-op filter-ageout auth-assoc-req
set anomaly-detect mode tkip-cntr-meas disable
set anomaly-detect filter-ageout tkip-cntr-meas 60
set anomaly-detect mode invalid-frame-len disable
set anomaly-detect filter-ageout invalid-frame-len 60
/
/
// Enhanced Rogue AP Scan configuration
network wlan enhancedrogueap
set mode disable
set scaninterval 10
set scanduration 100
/
// Mu Probe Table configuration
network wlan muprobe
set mode disable
set size 200
/
/
passwd enc-admin b3
passwd enc-manager
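An added example, not part of the Motorola guide: a small Python audit of an exported configuration command script like the sample above, flagging settings the sample shows (a v1/v2c community, disabled logging or WIDS, an enabled WLAN with `enc none` and `auth none`) and counting lines that carry encoded keys or passwords. It assumes one command or menu path per line, `/` returning to the root menu, `..` moving up one level, and per-WLAN `set mode/enc/auth` lines sitting directly under `network wlan`; the function names and the sample input are constructed for illustration.

```python
import re

# Verbs seen in the guide's sample script; any other leading word is treated
# as menu navigation (an assumption about the line layout, see lead-in).
VERBS = {"set", "add", "delete", "del", "clearall", "create", "enc-add",
         "addcmd", "delcmd", "import", "passwd", "timerdel"}
COMMENT_RE = re.compile(r"(^|\s)//.*$")      # leaves http:// URLs intact
SECRET_RE = re.compile(r"^(set \S+ enc-(key|phrase) |enc-add |passwd enc-)")
DEFAULT_COMMUNITIES = {"public", "private"}


def parse(script):
    """Yield (menu_path, tokens) for each command in a command script."""
    path = []
    for raw in script.splitlines():
        tokens = COMMENT_RE.sub("", raw).split()
        if tokens and tokens[0] == "/":       # "/" returns to the root menu
            path, tokens = [], tokens[1:]
        if not tokens:
            continue
        if tokens[0] == "..":                 # up one menu level
            path = path[:-1]
        elif tokens[0] in VERBS:
            yield tuple(path), tokens
        else:                                 # e.g. "system" or "network wlan"
            path.extend(tokens)


def audit(script):
    """Return a list of review findings for an exported configuration."""
    findings, wlans, secrets = [], {}, 0
    for path, t in parse(script):
        if SECRET_RE.match(" ".join(t) + " "):
            secrets += 1
        if (path == ("system", "snmp", "access")
                and t[:2] == ["add", "v1v2c"] and len(t) > 2):
            kind = "default" if t[2] in DEFAULT_COMMUNITIES else "cleartext"
            findings.append(f"SNMP v1/v2c community '{t[2]}' ({kind}); prefer v3")
        elif path == ("system", "logs") and t == ["set", "mode", "disable"]:
            findings.append("system logging is disabled")
        elif path == ("network", "wids") and t == ["set", "mode", "disable"]:
            findings.append("WIDS is disabled")
        elif (path == ("network", "wlan") and len(t) == 4 and t[0] == "set"
              and t[1] in ("mode", "enc", "auth")):
            # Collect per-WLAN state; the menu path keeps hotspot lines out.
            wlans.setdefault(t[2], {})[t[1]] = t[3]
    for idx in sorted(wlans):
        w = wlans[idx]
        if (w.get("mode"), w.get("enc"), w.get("auth")) == ("enable", "none", "none"):
            findings.append(f"WLAN {idx} is enabled with enc none and auth none")
    if secrets:
        findings.append(f"{secrets} line(s) hold encoded keys or passwords")
    return findings


# Constructed sample input: command names follow the guide's listing, but all
# values (OID, key, password, URL) are placeholders made up for this example.
SAMPLE = """\
// constructed sample, not a real export
/
system
logs
// Logs menu
set mode disable
set level L6
/
system snmp access
delete v1v2c all
add v1v2c public ro 1.3.6.1
/
network wlan
set mode 1 enable
set enc 1 none
set auth 1 none
set wep-mcm enc-key 1 1 00112233445566778899aabbcc
set mode 4 disable
set enc 4 none
set auth 4 none
hotspot
set mode 1 disable
set exturl 1 login http://portal.example/login
/
network wids
set mode enable
/
passwd enc-admin 00
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```

Because the export carries encoded keys and administrator password values, run such a check where the file is already stored and keep the file itself access-controlled.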
7.10 Updating Sensor Firmware
WS2000 provides support for setting up AP300s as dedicated sensors. This feature enables updating the firmware for these APs without disturbing the switch settings. The following must be noted with respect to sensor firmware update:
• The switch need not be restarted after a successful sensor firmware update.
• APs that are converted to sensors after a sensor firmware update receive the new firmware.
7. To restrict the maximum size of the sensor firmware image, use the Max size of sensor file. Use this value to restrict the file size for the sensor firmware file.
7.10.2 Updating the Sensor Firmware
To update the sensor firmware, use the FTP or TFTP buttons on the screen. Select the appropriate server to update the sensor firmware from. A warning dialog appears. Click Yes to proceed with sensor firmware update.
Select System Configuration --> SNMP Access from the left menu to set up SNMP service.
7.11.1 Setting the SNMP Version Configuration
The SNMP Access screen allows the administrator to define SNMP v1/v2c community definitions and SNMP v3 user definitions. SNMP v1 and v2c provide a strong network management system, but their security is relatively weak. SNMP v3 provides greatly enhanced security protocols.
7.11.1.2 Setting Up SNMP v3 Community Definitions
Setting up the v3 user definition is very similar to the v1/v2c community definitions. The difference is the addition of a user security level and a user password.
1. To create a new SNMP v3 user definition, click the Add button in the SNMP v3 User Definitions area.
2. Specify a user name in the Username field.
3. Select a security level from the Security pull-down menu.
7.11.2 Setting Up the Access Control List
To set up the Access Control list as specified by a range of IP addresses, click the SNMP Access Control button at the bottom of the SNMP Access screen. The SNMP Access Control screen appears:
1. Click the Add button to create a new entry in the Access Control table.
2. Specify the IP address for the user(s) that have access. Enter an IP address only in the Starting IP Address column to specify an address for a single SNMP user.
3. Specify a destination User Datagram Protocol (UDP) port for receiving the traps that are sent by SNMP agents. UDP offers direct connection for sending and receiving datagrams over an IP network.
4. Specify a Community name that matches one of the community names added on the SNMP Access screen.
5. Select the appropriate SNMP Version (v1 or v2) from the pull-down menu for this particular SNMP server.
6. Click the Apply button to save the entries.
7.11.
1. To set the SNMP traps, select System Configuration --> SNMP Access --> SNMP Traps from the left menu.
2. Check the type of traps to enable the generation of notification events.
Trap Category | Trap Name | Generates a Trap whenever…
System Traps | System Cold Start | The switch’s router reinitializes while transmitting, possibly altering the agent’s configuration or protocol entity implementation.
Network Traps
Trap Category | Trap Name | Generates a Trap whenever…
 | IPS Event | An Intrusion Prevention System event is detected by the switch’s firewall. IPS Event traps are sent until the attack stops. These traps are internally rate-limited to prevent flooding of traps in case of heavy attack traffic on the network.
3. Click the Apply button to save the trap settings.
4. It is necessary to tell the switch where to send the notifications. Make sure to set the trap configuration to indicate where to send the trap notifications.
7.11.7 Setting RF Traps
A screen is also available to specify traps caused when certain rates of activities either exceed or drop below a specified threshold. To set rate traps, select System Configuration --> SNMP Access --> SNMP RF Traps from the left menu.
1.
Average Retries: The maximum threshold for the average number of retries for each of the devices before a trap is sent.
% Gave Up: The maximum threshold for the total percentage of packets that are given up for each of the devices before a trap is sent.
% Dropped: The maximum threshold for the total percentage of packets that are dropped for each of the devices before a trap is sent.
3. To set the time manually, click the Set Date/Time button. A sub-window displays where you can set the WS2000’s time.
NOTE: When NTP is enabled on the WS2000, you will not be able to set time manually.
4. To enable time service on the switch, check the Enable NTP on check box and continue with the rest of the steps below.
5.
7.13 Setting Up and Viewing the System Log
The WS2000 Network Management System keeps a log of the events that happen on the switch. The switch has a modest amount of memory to store events. If the administrator wishes to keep a more complete event history, the administrator needs to enable a log server. To view the log or set up a log server, select System Configuration --> Logs from the left menu.
7.13.
4. Check the Enable logging to CF check box to enable logging of events to a CF card on the switch. This is useful when the connection to the Syslog server is lost due to network disturbances or any other cause. When enabled, the event log is written to the CF card when the Syslog server is not available for any reason. When the Syslog server comes back online, logging automatically resumes to the server.
5. Select Apply to save the changes.
6.
Configuring HotSpot
8.1 Overview
8.1.1 Requirements
8.2 Configuring Hotspot
8.1 Overview
The hotspot feature enables the WS2000 Wireless Switch to act as a single on-site solution to provide wireless LAN hotspots and management. The hotspot access controller enables hotspot operators to provide user authentication and accounting without a special client application. It enables a web browser as a secure authentication device. Instead of relying on the built-in security features of 802.
8.2.1 Enabling Hotspot on a WLAN
To enable hotspot on a WLAN:
1. Click [Network Configuration] --> Wireless. The Wireless screen is displayed.
2. Select the Hotspot check box for the WLAN that will support Hotspot.
3. Click Apply to apply the changes made to this screen. Click Undo Changes to revert back to the previous settings. This enables hotspot on the particular WLAN.
8.2.2 Set Hotspot Configuration
Hotspots can be configured from the Hotspot Config screen. This screen allows you to configure the different parameters to enable users to use the hotspots. To configure the hotspot for a WLAN:
1. Set the HTTP Redirection mode to either http or https by selecting the appropriate option. When a user successfully logs on using the hotspot, the user is redirected to a welcome screen.
primary RADIUS server. To authenticate a hotspot user with a RADIUS server through a VPN tunnel, select the bind interface from the Bind Intf (for Pri Server) drop down. If the RADIUS server is on a network accessible through a VPN tunnel, then the tunnel must be configured. The bind interface should be the same as the Local Subnet configured for the VPN tunnel. Entering information for the secondary RADIUS server is optional.
Redirect Pages
Hotspot uses HTML pages to provide login and login status to the user. Three files are used. They are:
• Login page
• Welcome page
• Fail page
When selecting Use CF Card to set the location where these files can be found, the CF Card Files area is enabled. Use the Login, Welcome, and Fail buttons to enter the HTML files. This screen is displayed when the Login button is clicked. Similar screens are displayed when the Welcome and Fail buttons are clicked.
Type in the HTML code for the appropriate page. You can also paste the code from the clipboard by clicking the Get from Clipboard button. When selecting Use External URL to set the location where the files are located, the External URL area is enabled. Enter the fully qualified URL to the appropriate file in its text box.
Creating Hotspot users
To create a new hotspot user quickly, see Adding New Guest Users Quickly.
8.2.3 Setting the User Access Policy
The RADIUS Access Policy screen allows you to set WLAN access based on a user group defined on the User Database screen. Select [User Authentication] --> RADIUS Server --> Access Policy to set group access. Each Group ID defined in the User Database screen appears on the Access Policy screen as a single row in the table. Each wireless LAN represents a column in the table.
1.
When the mobile unit requests the RADIUS server to log out, the RADIUS server again sends a trigger to the wireless switch to change the state of the mobile unit to REDIRECT.
8.2.5 Handling log-in and redirection
When a client requests a URL from a web server, the login handler returns an HTTP redirection status code in the range 300-399 (for example, 301 Moved Permanently), which indicates to the browser that it should look for the page at another URL.
If a client logs out or an MU is dis-associated, an Accounting Stop packet will be generated describing the type of service that was delivered, the statistics, and the elapsed time. That packet will be sent to the RADIUS accounting server, which replies with an acknowledgement that the packet has been received.
Using DDNS
9.1 Overview
9.2 Enabling DDNS
9.3 Updating DNS Entries using DDNS
9.1 Overview
When browsing web sites or sending e-mail messages, a domain name is used. For example, the URL www.yahoo.com and the e-mail address user@yahoo.com contain the domain name yahoo.com. Domain names allow users to remember the address to a site without knowing the IP address. For traffic to be routed on a network, those domain names must first be converted to an IP address.
2. Enter a range of IPs in the Address Assignment Range fields.
3. Click the Advanced DHCP Server button to open the Advanced DHCP window.
4. In the Advanced DHCP Server window check the box next to Enable Dynamic DNS.
5. Select either Single User Class Option or Multiple User Class Option depending on the settings of your DHCP clients. Any DHCP client can send the User Class Id either in the Single or Multiple user class ID format.
9.3 Updating DNS Entries using DDNS
Once DDNS has been configured and enabled for a subnet, it is possible to manually refresh the DNS entries for all active DHCP clients on a single subnet or on all active subnets.
9.3.1 Updating DNS Entries for a Single Subnet
The DNS entries for a single subnet can be updated using the following steps.
1. Select the subnet you wish to refresh from the menu tree on the left side of the screen.
2.
9.3.2 Updating DNS Entries for All Active Subnets
The DNS entries for all active subnets can be updated using the following steps.
1. Select LAN from the menu tree on the left side of the screen.
2. From the DNS Update section of the screen click the Update DNS for All Subnets button located in the DHCP section of the screen.
Trunking VLANs Through the WAN Port
10.1 Overview
10.1.1 Assigning VLAN Tags to Packets
10.1.2 Installation Considerations and Default VLAN Settings
10.1 Overview
Earlier versions of WS2000 had a limit of 31 VLAN IDs (IDs 1-31) due to LAN port switch hardware limitations. It was difficult to seamlessly integrate the WS2000 with an existing network topology of VLANs with VLAN IDs greater than 31. To enable easier integration into networks with existing VLAN infrastructure, you can now configure the existing WAN port as a Trunk-Port and configure any VLAN IDs in the range 1-4094.
10.2 Configuring VLAN Trunking
Use the following steps to configure VLAN trunking on the WAN port.
1. Select Network Configuration --> VLAN to open the VLAN Configuration screen.
1. Use the pull-down menu to select a VLAN Type for this switch. The two options are User Based and Port Based. Port-based VLANs partition traffic based on the port on which the packet is received.
6. To enable filtering using IP, check the Enable IP Filtering check box. This option is available only when Trunk Port is set to Wan. To add an IP filter, click the IP Filtering button. The IP Filtering dialog appears. Set the appropriate filter and click Ok to close the dialog.
7. Click Ok on the VLAN Configuration screen to save changes.
10.2.
Status & Statistics
11.1 WAN Statistics
11.2 Subnet Statistics
11.2.1 Subnet Lease stats
11.1 WAN Statistics
The WS2000 Network Management System provides a set of screens that allow the administrator to view real-time statistics for monitoring the switch’s activity. One of those screens displays statistics for the Wide Area Network (WAN) port. Selecting Status & Statistics --> WAN Stats displays the following screen. The Information portion of the WAN Stats screen displays general information about the WAN.
Received
Field         Description
RX Errors     The total number of errors including dropped data packets, buffer overruns, and frame errors on inbound traffic
RX Dropped    The number of data packets that failed to reach the WAN interface
RX Overruns   The total number of buffer overruns (when packets are received faster than the WAN interface can handle them)
RX Frame      The total number of TCP/IP data frame errors received
Transmitted
Field         Description
TX Packets    The total number of d
The following information is displayed:
• The Idx field displays a unique number for each DHCP client lease.
• The IP field displays the IP address assigned to the client by the DHCP server.
• The MAC field displays the MAC address of each of the DHCP clients. This address is for the network interface on the specified client.
• The Life Left field displays the remaining lease time in seconds for each DHCP lease.
11.2.2 Subnet Stats
The Subnet Stats screen displays statistics for each of the subnets. Selecting Status & Statistics --> Subnet Stats --> Stats from the left menu displays the following screen. The Information portion of the Subnet Stats screen displays general information about the subnet.
• The HW address is the Media Access Control (MAC) address of the switch’s WAN port, which is set at the factory.
Transmitted
Field         Description
TX Packets    The total number of data packets sent over the subnet
TX Bytes      The total number of bytes of information sent over the subnet
TX Errors     The total number of errors including dropped data packets, buffer overruns, and carrier errors that fail on outbound traffic
TX Dropped    The number of data packets that fail to get sent from the subnet
TX Overruns   The total number of buffer overruns (when packets are sent f
Selecting [Status & Statistics] --> Subnet Stats --> Stats --> STP Stats displays the following screen. The Spanning Tree Info portion of the screen displays the following information:
Field                 Description
Spanning Tree State   Displays whether the spanning tree state is currently enabled or disabled. The spanning tree state must be enabled for a unique spanning-tree calculation to occur when the bridge is powered up or when a topology change is detected.
The screen also provides comprehensive information on the port interfaces used. This information is displayed in the form of a table in the Port Interface Table portion of the screen.
Field     Description
Port ID   Identifies the port from which the configuration message was sent.
State     Displays whether a bridge is forwarding traffic to other members of the mesh network (over this port) or blocking traffic.
The WLAN Summary section of the screen shows basic statistics about the currently enabled WLANs.
Name     The WLAN name.
Subnet   Displays the name of the subnet that is associated with the WLANs.
MUs      Displays the number of mobile units associated with this WLAN.
T-put    Displays the total throughput in Megabits per second (Mbps) for each of the active WLANs.
ABS      Displays the Average Bit Speed (ABS) in Megabits per second (Mbps) for each of the active WLANs.
11.3.2 Getting Statistics for a Particular WLAN
To see summary information about wireless operations, select Status & Statistics --> Wireless Stats --> Stats from the navigation menu. A screen like the one shown for EngWLAN (below) will appear. There are four areas on the screen. The Information area shows general information about the Access Port.
11.3.3 General WLAN Information
11.3.3.1 Information Section
ESSID                 Displays the Extended Service Set Identification name that users will see when accessing the WLAN.
Subnet                Displays the name of the subnet to which this WLAN is associated.
Num. Associated MUs   Lists the number of mobile units (MUs) currently associated with the Access Port.
Authentication Type   Displays the type of authentication used with this WLAN.
Avg MU SNR           Displays the average Signal to Noise Ratio (SNR) for all MUs associated with the selected WLAN. The Signal to Noise Ratio is an indication of overall RF performance on your wireless networks.
11.3.3.4 Errors
Avg Num of Retries   Displays the average number of retries for all MUs associated with the selected WLAN.
Each Access Port associated with the switch is listed in the AP Summary area. For each AP, the following information is provided.
Field   Description
IP      Displays the IP address of the Access Port.
WLAN    Displays the WLAN with which the Access Port is associated.
AP      Displays the name of the Access Port with which the Access Port is associated.
T-Put   Displays the total throughput in Megabits per second (Mbps) for the Access Port.
11.4.3 General Access Port Information
11.4.3.1 Information Section
HW Address   The Media Access Control (MAC) address of the Access Port. This value is typically set at the factory and can be found on the bottom of the Access Port.
Placement    Lists whether the Access Port is placed indoors or outdoors. This is determined by the placement setting in the Access Port configuration screen in the Network Configuration section.
Avg. Bit Speed          The Total column displays the average bit speed in Mbps for a given time period on the selected Access Port. This includes all packets that are sent and received. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour.
Approx RF Utilization   The approximate utilization of the Access Port’s RF port. This is calculated as Throughput divided by Average bit speed.
11.5 Mobile Unit (MU) Statistics
Each Access Port can have up to 32 associated mobile units. These units are listed in the Mobile Unit Access Control List of the WLAN Security screen (Network Configuration --> Wireless --> --> Security). To see a summary of the associated mobile units and general information about each unit, select Status & Statistics --> MU Stats. The MU Stats Summary screen appears.
11.6 Mesh Statistics
A mesh network is a type of local area network where each node participating in the network is connected directly to its peers. This kind of network provides a robustness that cannot be matched by the standard network. In a mesh network, the participating devices assist each other in transmitting packets through the network, providing a highly scalable network with multiple redundant communication paths.
MAC     The unique 48-bit, hard-coded Media Access Control address, known as the device’s station identifier. This value is hard coded at the factory by the manufacturer and cannot be changed.
Wlan    Displays the WLAN name each wireless bridge is inter-operating with.
Ap      The AP on which connection is made to the Client bridge.
Vlan    The VLAN of the mesh connection.
T-put   The total throughput in Megabits per second (Mbps) for each associated bridge.
11.7 Intrusion Prevention Statistics
The Intrusion Prevention Statistics (IPS) screen displays the IPS statistics. To view IPS statistics, click the Status & Statistics --> IPS Stats menu item from the left menu. The following screen appears. This screen is divided into two sections. The top one, IPS Global Statistics, displays the global IPS information. The bottom section, Individual Category Statistics, displays IPS information for a selected category.
Select [Status & Statistics] --> Statistical Graphs from the navigation menu on the left. The Graphical Display of Statistics screen appears. To create a graph that will remain on your screen until you close it, follow these steps:
1. Select the type of Entity (WAN, SUBNET, WLAN, AP, or MU) that you want to display from the menu.
2. Select the particular member that you want to watch from the Member menu.
3. Select the data to monitor.
5. Repeat Steps 1 through 4 to display as many statistics windows as required. A graphical statistics display window will stay available until you manually close it or Logout of the application.
WS2000 Use Cases
12.1 Retail Use Case
12.1.1 A Retail Example
12.2 The Plan
12.20 Configuring the WAN Interface
12.21 Configuring the WAN Interface
12.21.1 Setting Up Network Address Translation
12.1 Retail Use Case
12.1.1 A Retail Example
12.1.1.1 Background
CCC Clothing Stores have, in the past, used POS terminals with a 10BaseT Ethernet connection to an in-house server. Management has decided to install wireless networking in the stores. Wireless point of sale (POS) terminals and printers will allow them to be more flexible with store layout. Wireless handheld terminals for inventory and price lookup will make inventory faster and more accurate.
This plan covers all the wireless devices—the POS terminals, the printers, and the customer laptops—except the wireless handheld terminals. Clarissa decides to put them on the WLAN with the POS terminals. There are also some conventional, 100baseT wired devices to consider. There is the store server and two wired POS terminals. Clarissa will put all of these on the 100baseT ports on the WS2000.
Clarissa starts her web browser and enters “http://192.168.0.1/” as the URL. The WS2000 sends a login page to her browser. She logs in using “admin” for the username and “symbol” as the password. The system immediately asks her to change the password to something else. Clarissa does so.
12.3.1 Entering the Basic System Settings
Clarissa selects System Settings from the left menu, located under the System Configuration heading.
12.3.2 Setting Access Control
In the WS2000 Access screen, Clarissa controls which network interfaces can be used to reconfigure the WS2000 switch. She is currently using HTTP access on port 80 over the LAN, so she leaves that on. She may also want to make changes using the Command Line Interface (CLI), so she leaves on local CLI access.
Clarissa clicks the Apply button to save her changes. Clarissa leaves the rest of the System Configuration screens for now, moves to the left menu, and clicks on Network Configuration so that she can begin to define the subnets.
12.3.3 The IP Address Plan
Subnets can be renamed, assigned an IP address, and have ports associated with them. Clarissa needs to plan how she is going to assign IP addresses to the subnets and the devices on them.
12.4 Configuring POS Subnet
Clarissa selects the first subnet from the LAN menu items in the left menu. Clarissa renames this subnet “POSsn”, then gives the switch an IP address of 192.168.0.1 on that subnet and assigns a subnet mask of 255.255.255.0.
The Default Gateway is already set to the subnet address. This is the IP address to which the DHCP clients on this subnet will forward their outbound traffic. Clarissa fills in the DNS Server addresses, which corporate has specified. This will also be supplied to the DHCP clients. The DHCP Lease Time is the time an IP address will remain assigned to a client after there is no more activity. She leaves it at the default and clicks Ok to save her changes.
After the Address Assignment Range is entered, Clarissa clicks Advanced DHCP Server. Clarissa enters the DNS server IP addresses and leaves the Default Gateway and DHCP Lease Time at their defaults. She clicks Ok in the Advanced DHCP Server window and then Apply in the Subnet window to save her changes. Now Clarissa will configure the Cafe subnet.
12.6 Configuring the Cafe Subnet
Clarissa selects the third subnet in the LAN menu list under Network Configuration in the left menu. She then renames this subnet “Cafesn” and gives it the IP address 192.168.2.1 and a subnet mask of 255.255.255.0. The only devices on this subnet are the customers’ laptops in the cafe. Using the Interfaces section of the screen, she associates the third WLAN with this subnet, and activates the DHCP server with an IP address range of 192.168.2.
Clarissa clicks the Ok button in the Advanced DHCP Server window, then on the Apply button in the subnet screen to save her choices. The subnets are now configured. Next Clarissa configures the WAN interface.
12.7 Configuring the WAN Interface
Now Clarissa selects the WAN node in the left menu. Here she enters the static IP address assigned to this store by CCC corporate.
If corporate had not paid their ISP for a static IP address for each store, she would have selected the This interface is a DHCP Client option and the WAN configuration settings would have been assigned by the ISP each time they connected to the Internet. Clarissa clicks the Apply button to save her changes.
12.8 Configuring Network Address Translation (NAT)
Clarissa has only one public IP address for the whole store.
After she makes this selection a new button appears, labelled “1 to Many Mappings”. She selects the “1 to Many Mappings” button. If Clarissa had more than one static IP address, she would have been able to assign several to the WAN interface. This screen would be used to choose how the internal IP addresses on each subnet translated into the selection of external IP addresses. However, she has only one external IP address.
Clarissa clicks the Apply button to confirm that all attacks listed will be filtered.
12.10 Configuring the Access Ports
So far, Clarissa has been operating with the WS2000 connected only to her laptop. To configure the Access Ports, she will need to connect them to the switch.
She does not change the supported rates—using the Set Rates button—but leaves them as they are. The switch will operate at the maximum rate allowed by radio conditions, scaling back as needed. She also does not change the Antenna Diversity setting, Short Preamble setting, RTS Threshold, or the Beacon Settings. These parameters control some of the broadcast mechanics of an 802.11 conversation between mobile units and Access Ports.
12.10.2 Naming the POS Access Port
Having specified the general Access Port defaults, Clarissa goes on to name and configure the Access Port for the POS WLAN. She selects the first Access Port in the left menu. In the Properties section, Clarissa enters a new name for the Access Port and a brief description of its permanent location. In the Radio Settings section, Clarissa sets the Channel to 3. She knows that the store uses cordless phones that transmit on channel 1.
She clicks the Apply button to save her changes.
12.10.4 Configuring the Cafe Access Port
Finally, she names the third Access Port “Cafe AP” and gives it a channel of 9. In this case she makes sure Support Short Preamble is not selected. There are two preambles in use in the wireless world, an older, longer one and a newer, shorter one. Most wireless devices support both and use the shorter one by default.
12.10.5 Associating the Access Ports to the WLANs
Now Clarissa selects the APs/Radio item in the left menu. This screen indicates which Access Ports are associated with which WLANs. First Clarissa looks in the [Network Configuration] --> Wireless screen to determine that all three WLANs are enabled. In the Radio Adoption Table screen, the screen begins with a single line with “ANY” as the Start MAC address, “ANY” as the End MAC address, and checks under all three of the WLANs.
different ESSID. Since the cafe is a public access WLAN, leaving this option on will make it easier for the cafe customer to associate with the WLAN. For the private WLANs on this switch, she will turn this option off. She clicks the Apply button to save her choices.
Clarissa goes to the left menu and clicks the button to the left of the Cafe WLAN node. A menu item labeled “Cafe Security” is displayed and Clarissa selects it. She confirms that the Cafe Security screen shows no authentication and no encryption methods. Clarissa clicks the Apply button to save her choices.
12.
Clarissa clicks the Apply button to confirm her choices.
Clarissa clicks the + to the left of the Printer WLAN menu item and selects the Printer Security item. In the screen that displays, Clarissa selects no authentication. She enters the MAC numbers of the wireless printers in the Mobile Access Control section. The MAC numbers are unique numbers assigned to every network-capable hardware device and are usually listed on the same label that shows the device’s model number and serial number.
She clicks the Ok button to confirm the WEP key selections, then the Apply button to confirm the screen selections.
12.
Clarissa then clicks the “+” to the left of the POS WLAN in the left menu and selects POS Security. In that screen, she selects 802.1x EAP for authentication. This will allow her to use the corporate RADIUS server for user authentication. Under Encryption Methods, she selects WPA/WPA2-TKIP encryption. Then she selects the “802.1x EAP Configuration” key.
She clicks the Ok button in the 802.1x-EAP configuration window. She then clicks the WPA-TKIP Settings button in the security screen. Clarissa selects the Use WPA choice to enable WPA. WPA is disabled by default. TKIP encryption protocol calls for keys between two specific nodes to change with every packet. However, there is no standard with respect to how often one should change keys for broadcast packets.
With this, Clarissa has finished configuring the basic WLAN configuration and the WLAN security. She clicks the Ok button in the WPA-TKIP window and then the Apply button in the WLAN security screen.
12.14 Configuring Subnet Access
Clarissa wants the two internal subnets to have complete access to one another, but she wants the Cafe subnet to have access only to the WAN. In the left menu, she opens the Firewall item under Network Configuration and selects the Subnet Access node.
To set the subnet access for a pair of subnets, she clicks the square for traffic from one subnet to another and then uses the detail section, which appears below, to determine the rules for traffic between those two subnets. She allows the Cafe subnet to have full access to the WAN. For the Cafe subnet to or from any other internal subnet, she selects the appropriate square, then uses the detail box below to “Deny” all protocols.
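The segmentation intent described above (the two internal subnets open to each other, the Cafe subnet limited to the WAN) can be checked mechanically before it is entered on the Subnet Access screen. The following is an added example, not part of the guide or of the WS2000 software: it models the screen as one allow/deny decision per source/destination square, and the printer subnet's name and range, the sample addresses and the `default` fallback for unset squares are assumptions.

```python
import ipaddress
from itertools import product

# POSsn and Cafesn come from the use case; "Printsn" and its range are assumed.
SUBNETS = {
    "POSsn": ipaddress.ip_network("192.168.0.0/24"),
    "Printsn": ipaddress.ip_network("192.168.1.0/24"),
    "Cafesn": ipaddress.ip_network("192.168.2.0/24"),
}
WAN = "WAN"
GUEST = "Cafesn"
INTERNAL = {"POSsn", "Printsn"}


def zone_of(ip):
    """Map an address to the subnet that owns it, or to the WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return WAN


def intended(src, dst):
    """Action the plan requires for src -> dst, or None where none is stated."""
    if src in INTERNAL and dst in INTERNAL:
        return "allow"                      # internal subnets: complete access
    if src == GUEST and dst == WAN:
        return "allow"                      # Cafe may reach the WAN
    if GUEST in (src, dst):
        return "deny"                       # Cafe to or from any internal subnet
    return None                             # internal subnet -> WAN: not stated


def cells():
    """Every square of the matrix: source subnet x (other subnets + WAN)."""
    for src, dst in product(SUBNETS, list(SUBNETS) + [WAN]):
        if src != dst:
            yield src, dst


def audit(matrix, default="allow"):
    """Return (src, dst, configured, required) for each square that breaks the plan.

    `default` is what an unset square is assumed to do; run the audit with both
    values when the device's behaviour for unset squares has not been verified.
    """
    findings = []
    for src, dst in cells():
        want = intended(src, dst)
        have = matrix.get((src, dst), default)
        if want is not None and have != want:
            findings.append((src, dst, have, want))
    return findings


def decide(matrix, src_ip, dst_ip, default="allow"):
    """Evaluate one flow against the matrix."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == WAN:
        raise ValueError("the matrix only covers traffic originating on a subnet")
    if src == dst:
        return "allow"                      # same-subnet traffic never crosses it
    return matrix.get((src, dst), default)


# Constructed matrices: the full plan, and one with the Cafe/printer squares unset.
PLANNED = {
    ("POSsn", "Printsn"): "allow", ("Printsn", "POSsn"): "allow",
    ("Cafesn", "WAN"): "allow",
    ("Cafesn", "POSsn"): "deny", ("POSsn", "Cafesn"): "deny",
    ("Cafesn", "Printsn"): "deny", ("Printsn", "Cafesn"): "deny",
}
INCOMPLETE = {k: v for k, v in PLANNED.items() if "Printsn" not in k or "Cafesn" not in k}

if __name__ == "__main__":
    for finding in audit(INCOMPLETE):
        print("violation: %s -> %s is %s, plan requires %s" % finding)
    print(decide(PLANNED, "192.168.2.50", "192.168.0.6"))
```

A square that is forgotten is only safe if unset squares deny, which is why the audit reports the two Cafe/printer squares under `default="allow"` and nothing under `default="deny"`.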
12.15 Configuring the Clients
Clarissa has now finished configuring the switch. Next she configures the wired clients. Going to each device, she gives it the IP address and other networking information that it will need to communicate with the switch:
Client                  IP Address    Subnet Mask     Gateway       WS2000 Port
Wired POS terminal #1   192.168.0.4   255.255.255.0   192.168.0.1   4
Wired POS terminal #2   192.168.0.5   255.255.255.0   192.168.0.1   5
Server                  192.168.0.6   255.255.255.0   192.168.0.
12.16 Field Office Use Case
12.16.1 A Field Office Example
12.16.1.1 Background
Leo is the network administrator, system administrator, and IT professional for a field office with 60 employees. The users include sales people, sales engineers, office administration and customer support people. All of the sales personnel have laptops and many of them have personal digital assistants (PDAs).
To keep things simple, he will define one subnet for the administration users, one subnet for the sales and marketing users, and one subnet for the engineers. Each subnet will have one WLAN associated with it and one Access Port. The only exception is the engineering subnet, which will have one WLAN and two Access Ports. The marketing subnet will not have any access to the engineering or administration subnets.
192.168.0.1. He sets his laptop to have an IP address of 192.168.0.2 and a netmask of 255.255.255.0. He also sets the gateway IP address to be 192.168.0.1, the WS2000’s IP address. Leo launches his web browser and enters “http://192.168.0.1/” as the URL. He logs in using admin for the username and symbol as the password.
As soon as he logs in, the WS2000 asks him to set the password. He sets the administration password to something relatively secure. He presses Update Password Now to record his changed password.
12.18.2 Entering the Basic System Settings
The interface opens by displaying the System Setting screen. This screen is also accessible by clicking the toggle to the left of System Configuration in the left menu, then selecting System Settings in the left menu.
Different countries have different regulations for the use of radio frequencies. Setting the location configures the switch to use only the channels, frequencies, and power levels that are legal for that country. Leo sets the location to United States - us. The system name is used to distinguish between WS2000 switches for remote configuration. Leo gives the switch a descriptive name, Atlanta1.
AirBEAM® is a Symbol Technology product for the management of software on wireless devices. Leo does not have a copy of AirBEAM yet, but he hopes to get one when the company purchases some Voice over IP (VoIP) phones. He also doesn’t expect to access the switch from the Compact Flash card slot. So, he turns AirBEAM Access off. Leo clicks on the Apply button in the WS2000 Access screen to save his changes.
12.
This screen shows the subnets, their IP addresses, and the network interfaces (the 10/100BaseT ports and the WLANs) that are currently associated with each subnet. Only the first subnet is initially enabled, so Leo clicks on the check boxes to the left of Subnet2 and Subnet3 to enable them. He clicks the Apply button to record his changes. Next Leo needs to configure each of the subnets.
He also selects the option This interface is a DHCP Server. Choosing this DHCP option means that the switch will pick IP addresses from the Address Assignment Range and assign them to network clients on this subnet, as needed. This screen also sets the IP address for the switch’s interface to the subnet. Any address that starts with “192.168” is an internal-use-only IP address.
The Domain Name field will be supplied to any DHCP clients that request it. Leo enters his company’s domain name. There is no reason to set up static DHCP mappings now. These would permanently lease an IP address to a client with a specific MAC address. Leo clicks the Ok button on the Advanced DHCP Server window, then the Apply button on the subnet window.
12.19.
Leo selects the Advanced DHCP Server button and follows the same procedures as he did for the engineering subnet. Leo clicks the Ok button on the Advanced DHCP Server window, then the Apply button on the subnet window.
Again, Leo fills out the advanced DHCP screen as he did for the two previous subnets. Leo clicks the Ok button on the Advanced DHCP Server window, then the Apply button on the subnet window. The next step is to configure the WAN interface.
12.20 Configuring the WAN Interface
Next Leo configures the WS2000 WAN interface. This interface connects the WS2000 switch to the VPN appliance and, through that appliance, to the Internet.
He clicks the Ok button in the address window, then the Apply button on the WAN window to save his changes. The next step is to set up the network address translations (NAT).
12.21 Configuring the WAN Interface
12.21.1 Setting Up Network Address Translation
After entering the IP addresses for the WAN interface, Leo clicks the toggle to the left of the WAN item in the left menu to expand it. He then selects the NAT item.
the pull-down menus to the right of each IP number. As he does so, a 1 to Many Mappings button appears to the right of the pull-down menus, in the Outbound Mappings column. Leo clicks any of the NAT Ranges buttons to the right of the IP addresses. The 1 to Many Outbound Mappings window displays. Leo uses the pull-down menu to set the outbound IP address for each subnet.
Leo examines the list and sees no reason to turn off any of the filters. He clicks the Apply button. The next step is to determine which Access Ports each WLAN will use.
12.23 Adopting Access Ports
Now that the LAN and WAN interfaces are configured, Leo needs to specify which Access Ports will go with which wireless LANs (WLANs). To do this, Leo needs the MAC address for each Access Port. He removes them from their packaging and connects them to the switch.
Now that the WLANs are enabled, Leo needs to specify which Access Ports go with which WLANs. He selects APs/Radio from the menu tree on the left. All discovered APs are listed in this screen. He deselects the check boxes to the right of the row in which the MAC address range is specified as ANY.
For the engineering WLAN, Leo selects the AP with MAC of 00:A0:F8:BB:FC:94 and makes sure that all WLAN check boxes are not checked. He then selects the WLAN1 check box for this AP. He performs the same actions for the AP with MAC of 00:A0:F8:BB:FC:95. For the Marketing WLAN, Leo selects the AP with MAC of 00:A0:F8:BB:FC:96. He makes sure that only the check box under the WLAN2 column is selected for this AP. For the Marketing WLAN, Leo selects the AP with MAC of 00:A0:F8:BB:FC:97.
In the Advanced section of the screen, the Disallow MU to MU Communications setting would keep mobile units from communicating directly with each other. Leo believes that people sometimes share files directly, laptop to laptop, instead of using the file server. Leo does not want to prevent this type of communication, so he leaves this option disabled.
Leo also needs to configure the 802.1x EAP system and the WPA2 encryption. Leo clicks 802.1x EAP Configuration. In the window that appears, he enters the RADIUS server information that he obtained from corporate system administration: the IP addresses of the RADIUS servers, the ports used for RADIUS communication, and the secret string used to start communication. He leaves the rest of the parameters at their default settings.
Leo clicks the Ok button to save the 802.1x EAP settings. Leo then clicks the WPA2-CCMP Settings button. WPA2 constantly changes keys, but requires an initial key, known to both ends of the communication. If Leo were not using 802.1x EAP user authentication, that initial key would need to be entered here, in the Key Settings section. However, with 802.1x EAP, the RADIUS server supplies the initial key, so the Key Settings section is grayed out for Leo.
Leo also selects Allow WPA/WPA2-TKIP clients in the section labelled WPA2-CCMP Mixed Mode. WPA-TKIP is an earlier version of the WPA encryption method. WPA2 is more secure, but not all wireless clients in Leo’s office are WPA2-capable. Selecting this option allows the older clients to use WPA-TKIP when they are not WPA2-CCMP-capable. Leo also selects Pre-Authentication and Opportunistic Key Caching in the Fast Roaming section.
All the Access Ports will be indoors, so he specifies Placement as Indoors. He sets the default Channel as 1, even though all of his Access Ports will be using different 802.11b channels. He sets the Power Level to 20dBm. This will broadcast at 100 mW, the maximum level allowed in the US. He does not change the settings for Antenna Diversity, Support Short Preamble, RTS Threshold, or Beacon Settings.
He sets the channel at 1, and notes the number. Access Port channels should be separated as much as practical to minimize interference between them. The other engineering Access Port will use channel 4 and the marketing Access Port will use channel 7. He then sets the Power Level at the maximum setting of 100 mW. Before he can change the channels, Leo checks the Channel Selection Mode. The default Channel Selection mode is set under the respective radio’s default screen.
He clicks the Apply button to save his changes. Leo then selects AP2, the second engineering Access Port. He gives it a new name, a location, and assigns it channel 4. Leo clicks the Apply button to save the configuration for this Access Port. Leo then selects the third Access Port in the left menu. This will be the sales and marketing Access Port. Leo configures it similarly, but uses channel 7.
Leo clicks Apply to save his changes. To avoid interference with the sales and marketing AP, Leo chooses channel 10 for the administration Access Port. He then enters the Access Port Name and Location. Leo clicks the Apply button to save the changes for the administration Access Port.
The Access Ports are now configured. The next step is to specify access levels between the subnets.
12.26 Configuring Subnet Access
Leo selects the Firewall --> Subnet Access item in the left menu. This screen determines what subnet-to-subnet traffic is allowed. By default, every subnet has access to every other subnet and full access to the WAN.
Similarly, Leo restricts access from the marketing subnet to the administration subnet. Leo would also like to restrict traffic from all subnets to the WAN to just HTTP, SMTP, and POP protocols. He selects the cell in the matrix defined by From Eng-SN on the left and To WAN above. Then he uses the Rules pull-down menu to select Deny and specifies that HTTP, SMTP and POP are the exceptions.
Similarly, he restricts the marketing and administration subnets in their access to the WAN. Leo clicks the Apply button to record his changes. The subnet access is configured. Now Leo needs to set up VPN access to the Engineering Annex and test the installation.
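The matrix semantics described above (permissive default, a per-cell rule, protocol exceptions) can be modelled offline to review a planned policy. This is an added example, not code from the guide or the switch: "Mkt-SN" and "Adm-SN" are hypothetical names, the port numbers are the standard well-known assignments, and only the cells the surviving text describes are set.

```python
from dataclasses import dataclass

# Standard well-known ports for the three protocols the text names (assumption:
# the switch matches them the same way).
PROTOCOLS = {"HTTP": ("tcp", 80), "SMTP": ("tcp", 25), "POP": ("tcp", 110)}
WAN = "WAN"


@dataclass(frozen=True)
class Cell:
    """One From/To cell of the matrix: a rule plus its protocol exceptions."""
    rule: str = "Allow"                  # factory default: full access
    exceptions: frozenset = frozenset()  # protocols handled opposite to the rule


class SubnetAccess:
    def __init__(self, subnets):
        self.subnets = tuple(subnets)
        self._cells = {}                 # (src, dst) -> Cell; absent means default

    def set_cell(self, src, dst, rule, exceptions=()):
        if src not in self.subnets or dst not in self.subnets + (WAN,) or src == dst:
            raise ValueError(f"no such cell: {src} -> {dst}")
        if rule not in ("Allow", "Deny"):
            raise ValueError(f"unknown rule: {rule}")
        unknown = set(exceptions) - PROTOCOLS.keys()
        if unknown:
            raise ValueError(f"unknown protocols: {sorted(unknown)}")
        self._cells[(src, dst)] = Cell(rule, frozenset(exceptions))

    def permits(self, src, dst, transport, port):
        cell = self._cells.get((src, dst), Cell())
        excepted = any(PROTOCOLS[name] == (transport, port) for name in cell.exceptions)
        # Assumption: an exception always inverts the cell's rule.
        return (cell.rule == "Allow") != excepted

    def default_cells(self):
        """Cells nobody has touched, i.e. still at the permissive default."""
        return [(s, d) for s in self.subnets for d in self.subnets + (WAN,)
                if s != d and (s, d) not in self._cells]


def leo_policy():
    # "Eng-SN" is the guide's name; the other two subnet names are hypothetical.
    matrix = SubnetAccess(["Eng-SN", "Mkt-SN", "Adm-SN"])
    matrix.set_cell("Mkt-SN", "Adm-SN", "Deny")
    for subnet in matrix.subnets:
        matrix.set_cell(subnet, WAN, "Deny", ["HTTP", "SMTP", "POP"])
    return matrix


if __name__ == "__main__":
    policy = leo_policy()
    # Constructed sample flows.
    for flow in [("Eng-SN", WAN, "tcp", 80), ("Eng-SN", WAN, "tcp", 22),
                 ("Mkt-SN", "Adm-SN", "tcp", 445)]:
        print(flow, "permit" if policy.permits(*flow) else "deny")
    print("still at default (full access):", policy.default_cells())
```

Listing the cells still at the default is the useful review step: any pair that appears there passes all traffic.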
12.27 Configuring the VPN
To configure a VPN link between WS2000s, the following must be specified:
• The subnets on each end of the VPN link (tunnel)
• The authentication method for allowing a connection
• The encryption method for the content passed across the link
Both WS2000s must be set up with complementary information on each other. Leo toggles open the WAN item in the left menu and selects VPN. Each VPN link between one subnet and another is called a tunnel.
Leo clicks the Add button to add a VPN tunnel. Now Leo specifies the network parameters for the tunnel. The Tunnel Name is simply a name by which to distinguish one tunnel from another. Leo names the tunnel “Eng2EngAnnex.” The Local Subnet is the subnet that will be networked over the VPN, in this case, the Engineering subnet. The Local WAN IP is the IP address for the interface that this WS2000 will show to the WS2000 on the other side of the VPN.
The Remote Subnet specifies the subnet, on the other WS2000, to which the engineering subnet will be connected. The Remote Gateway and the Remote Subnet Mask describe the network interface on the other WS2000 switch. After Leo fills in these parameters, he clicks Apply to record the changes. Now Leo needs to specify the authentication and encryption methods for the VPN link. He selects the simplest alternative, Manual Key Settings, since the link is so short and relatively unexposed.
The AH Authentication protocol is used between the two WS2000 switches to authorize initialization of the VPN tunnel. The AH authentication method must match on both switches and the inbound key on one WS2000 must match the outbound key on the other. Leo selects Secure Hash Algorithm 1 (SHA1) as the method and enters inbound and outbound 40-character authentication keys.
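The matching rules above (same AH method, inbound key on one end equal to outbound key on the other, mirrored subnets and gateways) can be cross-checked before either switch is configured. This is an added example, not code from the guide or the WS2000: the `Tunnel` field names, the CIDR notation, the assumption that keys are hexadecimal, and all addresses and keys are constructed for illustration.

```python
import hmac
import ipaddress
import re
from dataclasses import dataclass

# Assumption: the 40-character key is 40 hex digits (160 bits, SHA1's output size).
KEY_FORMAT = re.compile(r"[0-9A-Fa-f]{40}")


@dataclass(frozen=True)
class Tunnel:
    """One switch's manual-key tunnel settings (field names are hypothetical)."""
    switch: str
    local_subnet: str    # CIDR stands in for subnet address + mask
    local_wan_ip: str
    remote_subnet: str
    remote_gateway: str
    ah_method: str
    ah_inbound_key: str
    ah_outbound_key: str


def _same_key(a, b):
    # Constant-time, case-insensitive; key material never appears in findings.
    return hmac.compare_digest(a.lower().encode(), b.lower().encode())


def _same(parse, a, b):
    try:
        return parse(a) == parse(b)
    except ValueError:
        return False     # an unparsable address counts as a mismatch


def check_pair(a, b):
    """Return a list of findings; an empty list means the two ends agree."""
    findings = []
    for t in (a, b):
        for label, key in (("inbound", t.ah_inbound_key),
                           ("outbound", t.ah_outbound_key)):
            if not KEY_FORMAT.fullmatch(key):
                findings.append(f"{t.switch}: AH {label} key is not 40 hex characters")
    if a.ah_method != b.ah_method:
        findings.append(f"AH method differs: {a.ah_method} vs {b.ah_method}")
    for x, y in ((a, b), (b, a)):
        if not _same_key(x.ah_inbound_key, y.ah_outbound_key):
            findings.append(f"{x.switch} inbound key does not match {y.switch} outbound key")
        if not _same(ipaddress.ip_network, x.remote_subnet, y.local_subnet):
            findings.append(f"{x.switch} remote subnet is not {y.switch} local subnet")
        if not _same(ipaddress.ip_address, x.remote_gateway, y.local_wan_ip):
            findings.append(f"{x.switch} remote gateway is not {y.switch} WAN IP")
    return findings


# Constructed sample values: documentation/private addresses and dummy keys.
KEY_1 = ("0123456789abcdef" * 3)[:40]
KEY_2 = ("89abcdef01234567" * 3)[:40]
HQ = Tunnel("HQ", "192.168.1.0/24", "192.0.2.10",
            "192.168.10.0/24", "192.0.2.20", "SHA1", KEY_1, KEY_2)
ANNEX = Tunnel("Annex", "192.168.10.0/24", "192.0.2.20",
               "192.168.1.0/24", "192.0.2.10", "SHA1", KEY_2, KEY_1)

if __name__ == "__main__":
    print(check_pair(HQ, ANNEX) or "tunnel ends are complementary")
```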
laptop to connect to the administration WLAN. He makes sure that laptops on each WLAN can connect to the WAN and to each other. After he has tested the three subnets, he installs the Access Ports in their permanent locations. He tests coverage with the laptops, making sure each Access Port is covering its assigned area. He also unplugs each of the engineering Access Ports, in turn, to be sure that both are working properly.
Syslog Messages
A.1 Informational Log Entries
A.2 Notice Log Entries
A.3 Warning Log Entries
A.1 Informational Log Entries
System Component | Debug Level | Log Message
802.1X Module | LOG_INFO | 8021x: 802.1x Authentication success for MU [MAC_ADDR]
802.1X Module | LOG_INFO | Tried max eap-id requests for MU [MAC_ADDR].
System Component | Debug Level | Log Message
Encryption Key Exchange Module | LOG_INFO | [Pairwise Transient Key] Unable to get free CC buffer
Encryption Key Exchange Module | LOG_INFO | [Pairwise Transient Key] Group rekey after %u seconds gk_timeout
RADIUS Module | LOG_INFO | rcvd access-accept from [IP_ADDR] for [MAC_ADDR]
RADIUS Module | LOG_INFO | rcvd access-reject from [IP_ADDR] for [MAC_ADDR]
RF Port Module | LOG_INFO | Radio [MAC_ADDR] acs done ch=[Number]
RF Port Module | LOG_INFO | Radio [MAC_ADDR]
System Component | Debug Level | Log Message
WIPS module | LOG_INFO | “Sensor [MAC] is no longer responding, removed”
WIPS module | LOG_INFO | Sensor [MAC] timed out waiting for [command]
AP Revert | LOG_INFO | AP [MAC] Reverting to AP4131
AP Revert | LOG_INFO | AP [MAC] Reverting to AP4121
AP Revert | LOG_INFO | old rf image = [name] new rf image = [name] load_now = [truth value]
Port Configuration | LOG_INFO | Port config changed for port idx = [idx]
Port Config
System Component | Debug Level | Log Message
Encryption Key Exchange Module | LOG_NOTICE | [Pairwise Transient Key] Bad version [MAC_ADDR] mu->addr
Encryption Key Exchange Module | LOG_NOTICE | [Pairwise Transient Key] Funny pkt!! [MAC_ADDR] mu->addr
Encryption Key Exchange Module | LOG_NOTICE | [Pairwise Transient Key] IE no match [MAC_ADDR] mu->addr
Encryption Key Exchange Module | LOG_NOTICE | [Pairwise Transient Key] Ignore packet [MAC_ADDR] mu->addr
Encryption Key Exchange Module | LOG_NOTICE | [Pairwise
A.3 Warning Log Entries
System Component | Debug Level | Log Message
802.1X Module | LOG_WARNING | 8021x: MU [MAC_ADDR] in unknown PAE state [[Number]].
802.1X Module | LOG_WARNING | 8021x: no rsp from server [IP_ADDR] count: [Number]
802.1X Module | LOG_WARNING | 8021x:Using backup server [IP_ADDR]
802.1X Module | LOG_WARNING | Unable to send EAPOL keys. MPPE keys
802.1X Module | LOG_WARNING | Unable to send EAPOL keys. MPPE keys
802.
System Component | Debug Level | Log Message
Kerberos Proxy Module | LOG_WARNING | krb5: error [Number] in krb5_rd_req_decoded) retval
Kerberos Proxy Module | LOG_WARNING | krb5: key generation failure!
Kerberos Proxy Module | LOG_WARNING | krb5: Server name for MU [MAC_ADDR] not known to KDC
Kerberos Proxy Module | LOG_WARNING | krb5: switch auth not done. ignoring
Kerberos Proxy Module | LOG_WARNING | krb5: switch auth not done.
System Component | Debug Level | Log Message
RF Port Configuration Module | LOG_WARNING | Portal [MAC_ADDR] denied adoption in acl prtl_ptr->addr
RF Port Configuration Module | LOG_WARNING | portal [MAC_ADDR] found at idx [Number]
RF Port Configuration Module | LOG_WARNING | portal [MAC_ADDR] not connected & not in acl
RF Port Configuration Module | LOG_WARNING | portal [MAC_ADDR] not found using idx [Number]
RF Port Configuration Module | LOG_WARNING | Portal [MAC_ADD
A.4 Alert Log Entry
System Component | Debug Level | Log Message
NTP Client Module | LOG_ALERT | errno [Number] updating system clock to ntp time errno

A.5 Error-Level Log Entries
System Component | Debug Level | Log Message
802.
System Component | Debug Level | Log Message
Address Lookup Table Module | LOG_ERR | altable: can't read cfg bss radio idx
Address Lookup Table Module | LOG_ERR | altable: can't set bss mac
Address Lookup Table Module | LOG_ERR | altable: can't set bss radio idx
Address Lookup Table Module | LOG_ERR | altable: can't set bss radio idx
Address Lookup Table Module | LOG_ERR | altable: rates configured incorrectly
Address Lookup Table Module | LOG_ERR | altable: unabl
System Component | Debug Level | Log Message
Address Lookup Table Module | LOG_ERR | cfg radio type [Number] not allowed rtype
Address Lookup Table Module | LOG_ERR | rfport list is full
Address Lookup Table Module | LOG_ERR | wlan [Number]: addr1 = [MAC_ADDR] addr2 = [MAC_ADDR] wlan_idx
Cell Controller Module | LOG_ERR | Error [Number] initing sig handlers errno
Cell Controller Module | LOG_ERR | Error [Number] initing stats.
System Component | Debug Level | Log Message
NTP Client Module | LOG_ERR | ntp:socket bind error. errno=[Number] errno
NTP Client Module | LOG_ERR | ntp:socket create error. errno=[Number] errno
NTP Client Module | LOG_ERR | ntp:socket recv error. errno=[Number] errno
NTP Client Module | LOG_ERR | ntp:socket send error. errno=[Number] errno
portalcfg.
System Component | Debug Level | Log Message
Rogue AP Detection Module | LOG_ERR | Unable to read watched_ssid from cfg
Receive Packets Module | LOG_ERR | rx data frame of unexpected ethernet
Receive Packets Module | LOG_ERR | rxpkts:bad ctl %04x from [[MAC_ADDR]] pkt_ptr->ctl pkt_ptr->src
Receive Packets Module | LOG_ERR | rxpkts:bad dest [[MAC_ADDR]] from [[MAC_ADDR]] pkt_ptr->src pkt_ptr->dest
Statistics Module | LOG_ERR | errno [Number] sending trap to SNMPD\n errno
Statistics Module | LOG_ERR | errno [Num
System Component | Debug Level | Log Message
SIP Module | LOG_ERR | SIP:Bye received with NULL call id
SIP Module | LOG_ERR | SIP:Status message received with NULL status code
SIP Module | LOG_ERR | SIP:Status message received with NULL call id
SIP Module | LOG_ERR | SIP:Status message received for an invalid call id [identifier]
SIP Module | LOG_ERR | SIP:Status message received at invalid state for call id [identifier]
SIP Module | LOG_ERR | SIP:Status message r
System Component | Debug Level | Log Message
AP Revert | LOG_ERR | RF Port [MAC] no free rfp
Port Configuration | LOG_ERR | Port Auto-neg Get failed for port [port idx]
Port Configuration | LOG_ERR | Port Speed Get failed for port [port idx]
Port Configuration | LOG_ERR | Port Duplex Get failed for port [port idx]
Port Configuration | LOG_ERR | ioctl Read failed for Lan Port [port idx]
Port Configuration | LOG_ERR | Read failed for Wan registers
Port Configuration | LOG_ERR | Write failed for Wan registers
Po
System Component | Debug Level | Log Message
IP Filter Module | LOG_ERR | [Function Name]:Could not get Global IP FIlter Table
IP Filter Module | LOG_ERR | [Function Name]: Invalid pointer passed
IP Filter Module | LOG_ERR | [Function Name]: Invalid pointer passed
IP Filter Module | LOG_ERR | [Function Name]: Invalid pointer passed
IP Filter Module | LOG_ERR | Invalid Length Passed for IP Filter table [length]
IP Filter Module | LOG_ERR | Error reading config id
System Component | Debug Level | Log Message
IP Filter Module | LOG_ERR | Unable to allocate memory for iterator info
IP Filter Module | LOG_ERR | Could not get total entries from WLAN IP Filter Table
IP Filter Module | LOG_ERR | Could not get total entries from WLAN IP Filter Table
IP Filter Module | LOG_ERR | Config GET/SET error in ccWlanIpFilterPolicyTable
IP Filter Module | LOG_ERR | Could not get total entries from WLAN IP Filter Table
IP Filter Module | LOG_ERR | [Function Name]:Could not get total ent
System Component | Debug Level | Log Message
IP Filter Module | LOG_ERR | Config GET/SET error in ccWlanIpFilterPolicyTable
IP Filter Module | LOG_ERR | Row already exists.
System Component | Debug Level | Log Message
IP Filter Module | LOG_ERR | [Function Name]:Duplicate filter name in TRUNK IP Filter Table
IP Filter Module | LOG_ERR | Config GET/SET error in ccWanTrunkIpFilterPolicyTable
IP Filter Module | LOG_ERR | Config GET/SET error in ccWanTrunkIpFilterTable
IP Filter Module | LOG_ERR | [Function Name]:Could not get filter policy name required for deletion
IP Filter Module | LOG_ERR | [Function Name]:Could not get filter policy direction required for deletion
IP Filter
System Component | Debug Level | Log Message
IP Filter Module | LOG_ERR | Invalidation request rcvd for column[column number] in ccWanTrunkIpFilterTable
IP Filter Module | LOG_ERR | problem encountered in [Function Name]: unsupported mode
IP Filter Module | LOG_ERR | Could not get total entries from TRUNK IP Filter Table
IP Filter Module | LOG_ERR | [Function Name]:Could not get total entries from TRUNK IP Filter Table
IP Filter Module | LOG_ERR | Duplicate filte
System Component | Debug Level | Log Message
IP Filter Module | LOG_ERR | Config GET/SET error in ccIpFilterPolicyTable
IP Filter Module | LOG_ERR | Config GET/SET error in ccIpFilterPolicyTable
IP Filter Module | LOG_ERR | Config GET/SET error in ccIpFilterPolicyTable
IP Filter Module | LOG_ERR | Config GET/SET error in ccIpFilterPolicyTable
IP Filter Module | LOG_ERR | Config GET/SET error in ccIpFilterPolicyTable
IP Filter Module | LOG_ERR | Config GET/SET error in ccIpFilterPolicyTable
IP Filter Module | LOG_ERR | Config GE
System Component | Debug Level | Log Message
DynDNS module | LOG_ERR | ERROR while retrieving DynDNS MODE
DynDNS module | LOG_ERR | ERROR adding Interface record
A.6 Debug-Level Log Entries
System Component | Debug Level | Log Message
802.
System Component | Debug Level | Log Message
NTP Client Module | LOG_DEBUG | rcvd ntp response from [IP_ADDR] sa.sin_addr.
System Component | Debug Level | Log Message
SIP Module | LOG_DEBUG | SIP:Ack received in invalid state for call id [identifier]
SIP Module | LOG_DEBUG | SIP:Changing the state of the SIP session call id [identifier] to terminated
SIP Module | LOG_DEBUG | SIP:Changing the state of the SIP session call id [identifier] to processed
SIP Module | LOG_DEBUG | SIP:Removing the SIP session call id [identifier]
SIP Module | LOG_DEBUG | SIP:Timer expired for call id [identifier]
SIP Module | LOG_DEBUG | SIP: MU [addr]
System Component | Debug Level | Log Message
Port Configuration | LOG_DEBUG | Register value received for Port [idx] = [register value]
Port Configuration | LOG_DEBUG | Register value to be set for Port [idx] = [register value]
Port Configuration | LOG_DEBUG | Writing Register values for Wan = [register value]
Port Configuration | LOG_DEBUG | Setting Wan port configuration.
System Component | Debug Level | Log Message
IP Filter Module | LOG_DEBUG | Protocol mismatch
IP Filter Module | LOG_DEBUG | direction mismatch[incoming/outgoing]
IP Filter Module | LOG_DEBUG | Hash entry pointing to NULL
IP Filter Module | LOG_DEBUG | Packet Source IP [ip address]
IP Filter Module | LOG_DEBUG | Packet Destination IP [ip address]
IP Filter Module | LOG_DEBUG | Packet protocol [protocol number]
IP Filter Module | LOG_DEBUG | Packet port [port number]
IP Filter Module | LOG_DEBUG | Packet directi
MOTOROLA INC. 1303 E. ALGONQUIN ROAD SCHAUMBURG, IL 60196 http://www.motorola.