Download Wireless Controller User Manual - D-Link
Building Networks for People Wireless Controller User Manual DWC-1000 Ver. 1.01 Business Wireless Solution User Manual Wireless Controller D-Link Corporation Copyright © 2011. http://www.dlink.com Wireless Controller User Manual User Manual DWC-1000 Wireless Controller Version 1.01 Co p y rig h t © 2011 Copyright Notice Th is p u b licat io n , in clu d in g all p h o t o g rap h s , illu s t rat io n s an d s o ft ware, is p ro t ect ed u n d er in t ern at io n al co p y rig h t laws , wit h all rig h t s res erv ed . Neit h er t h is man u al, n o r an y o f t h e mat erial co n t ain ed h erein , may b e rep ro d u ced wit h o u t writ t en co n s en t o f t h e au t h o r. Disclaimer Th e in fo rmat io n in t h is d o cumen t is s ubject t o ch ange wit h o ut n o tice. Th e man u fact u rer makes n o rep res ent at ions o r warran t ies wit h res p ect t o t h e co n t en t s h ereo f an d s p ecifically d is claim an y imp lied warran t ies o f merch an t ab ilit y o r fit n es s fo r an y p art icu lar p u rp o s e. Th e man u fact u rer res erv es t h e rig h t t o rev is e t h is p u b licat io n an d t o make ch an g es fro m t ime t o t ime in t h e co n t ent h ereof wit h o ut o b lig at ion o f t h e man u factu rer t o n o t ify an y p ers o n o f s u ch rev is io n o r ch an g es . Limitations of Liability UNDER NO CIRCUM STA NCES SHA LL D -LINK OR ITS SUPPLIERS BE LIA BLE FOR DA M A GES OF A NY CHA RA CTER (E.G. DA M A GES FOR LOSS OF PROFIT, SOFTW A RE RESTORA TION, W ORK STOPPA GE, LOSS OF SA VED DA TA OR A NY OTHER COM M ERCIA L DA M A GES OR LOSSES) RESULTING FROM THE A PPLICA TION OR IM PROPER USE OF THE D-LINK PRODUCT OR FA ILURE OF THE PRODUCT, EVEN IF D-LINK IS INFORM ED OF THE POSSIBILITY OF SUCH DA M A GES. FURTHERM ORE, D LINK W ILL NOT BE LIA BLE FOR THIRD -PA RTY CLA IM S A GA INST CUSTOM ER FOR LOSSES OR DA M A GES. 
D-LINK W ILL IN NO EVENT BE LIA BLE FOR A NY DA M A GES IN EXCESS OF THE A M OUNT D -LINK RECEIVED FROM THE END-USER FOR THE PRODUCT. 1 Wireless Controller User Manual Table of Contents Chapter 1. Introduction.......................................................................................................................................... 13 1.1 About this User Manual .................................................................................................... 14 1.2 Typographical Conventions ............................................................................................. 15 Chapter 2. Configuring Your Network .............................................................................................................. 17 2.1 LAN Configuration .............................................................................................................. 17 2.1.1 LAN DHCP Reserved IPs ................................................................................................ 21 2.1.2 LAN DHCP Leased Clients.............................................................................................. 22 2.1.3 LAN Configuration in an IP v6 Network ........................................................................ 23 2.1.4 DHCP v6 Leased Clients ................................................................................................... 26 2.1.5 Configuring IP v6 Router Advertisements ................................................................... 27 2.2 LAN QoS ................................................................................................................................ 30 2.2.1 Port Queue Scheduling..................................................................................................... 30 2.2.2 Port Queue Status .............................................................................................................. 
31 2.2.3 Option QoS Configuration................................................................................................ 32 2.2.4 Traffic Selector Configuration ......................................................................................... 34 2.2.5 LAN QoS Configuration .................................................................................................... 36 2.2.6 801.p Configuration ............................................................................................................ 36 2.2.7 DSCP Configuration........................................................................................................... 37 2.2.8 Remark CoS to DSCP ....................................................................................................... 39 2.3 VLAN Configuration ........................................................................................................... 40 2.3.1 Associating VLANs to ports ............................................................................................. 41 2.3.2 Multiple VLA N Subnets ..................................................................................................... 43 2.4 Configurable Port: DMZ Setup ....................................................................................... 44 2.5 2.6 2.6.1 2.6.2 2.6.3 2.7 Universal Plug and Play (UP nP).................................................................................... 45 Captive Portal ....................................................................................................................... 48 Captive Portal Setup .......................................................................................................... 48 Captive Portal Session...................................................................................................... 53 WLAN CP Interface Association .................................................................................... 
54 WLAN global configuration .............................................................................................. 56 2.8 2.8.1 2.8.2 Wireless Discovery configuration .................................................................................. 59 Wireless Discovery Status ............................................................................................... 61 AP Profile Global Configuration ..................................................................................... 62 Chapter 3. Configuring Wireless LAN .............................................................................................................. 83 3.1 WLAN Setup Wizard .......................................................................................................... 83 Chapter 4. Monitoring Status and Statistics................................................................................................... 84 4.1 System Overview ................................................................................................................ 84 4.1.1 Dashboard ............................................................................................................................. 84 4.1.2 Device Status ....................................................................................................................... 86 4.1.3 Wireless LAN AP information ......................................................................................... 88 4.1.4 Cluster information ............................................................................................................. 90 4.1.5 Resource Utilization ........................................................................................................... 92 4.2 4.2.1 4.3 4.3.1 Traffic Statistics ................................................................................................................... 
95 Wired Port Statistics........................................................................................................... 95 Managed AP and Associated Clients Statistics ....................................................... 96 Managed AP Statistics ...................................................................................................... 96 2 Wireless Controller User Manual 4.3.2 4.3.3 LAN Assoicated Clients .................................................................................................... 97 WLAN Assoicated Clients ................................................................................................ 98 4.4 4.4.1 Active Connections............................................................................................................. 99 Sessions through the Cont roller .................................................................................... 99 4.5 4.5.1 4.5.2 4.5.3 4.6 4.6.1 4.6.2 4.6.3 4.6.4 4.6.5 4.7 4.7.1 4.7.2 4.7.3 4.7.4 4.7.5 4.7.6 4.7.7 LAN Client Info................................................................................................................... 100 Associated Clients ............................................................................................................ 100 LAN Clients ......................................................................................................................... 102 Detected Clients ................................................................................................................ 103 Access Point ....................................................................................................................... 105 Access Point Status ......................................................................................................... 105 AP Summary ...................................................................................................................... 
108 Managed AP Status ......................................................................................................... 110 Authentication Failure Status ........................................................................................ 111 AP RF Scan Status .......................................................................................................... 113 Global Info ........................................................................................................................... 115 Global status....................................................................................................................... 115 Peer Contorller Status ..................................................................................................... 121 Peer Controller Configuration Status ......................................................................... 122 Peer Controller Managed AP Status .......................................................................... 123 IP Discovery ........................................................................................................................ 124 Configuration Receive Status ....................................................................................... 125 AP Hardware Capability ................................................................................................. 127 4.8 4.8.1 4.8.2 4.8.3 4.8.4 4.8.5 4.8.6 4.8.7 4.8.8 Wireless Client Status ..................................................................................................... 128 Client Status ....................................................................................................................... 128 Assocaited Client Status ................................................................................................ 130 Associated Client SSID Status ..................................................................................... 
132 Associated Client VAP Status ...................................................................................... 133 Cont roller Associated Client Status ............................................................................ 134 Detected Client Status .................................................................................................... 135 Pre-A uthoriz ation History ............................................................................................... 136 Detected Client Roam History ...................................................................................... 138 Chapter 5. AP Management .............................................................................................................................. 140 5.1 5.2 5.2.1 5.2.2 5.2.3 5.2.4 Valid Access Point Configuration ................................................................................ 140 RF Management................................................................................................................ 144 RF Configuration ............................................................................................................... 144 Channel Plan History ....................................................................................................... 147 Manual Channel Plan ...................................................................................................... 148 Manual Power Adjustment Plan................................................................................... 151 5.3 5.4 Access Point Software Download ............................................................................... 152 Local OUI Database Summary .................................................................................... 154 5.5 5.6 AP Provisioning Summary ............................................................................................. 
155 Manual Management ....................................................................................................... 157 Chapter 6. Connecting to the Int ernet: Option Setup ............................................................................... 160 6.1 6.2 6.2.1 6.2.2 6.2.3 6.2.4 Internet Connection Set up Wizard .............................................................................. 160 Option Configuration ........................................................................................................ 161 Option Port IP address.................................................................................................... 162 Option DNS Servers ........................................................................................................ 163 DHCP Option...................................................................................................................... 163 PPPoE .................................................................................................................................. 164 3 Wireless Controller User Manual 6.2.5 6.2.6 6.2.7 6.3 6.3.1 6.3.2 6.3.3 Russia L2TP and PP TP Option ................................................................................... 167 Option Configuration in an IP v6 Network ................................................................. 169 Checking Option Status .................................................................................................. 172 Features with Multipl e Option Links ........................................................................... 175 Auto Failover ...................................................................................................................... 175 Load Balancing .................................................................................................................. 
176 Protocol Bindings .............................................................................................................. 178 6.4 6.4.1 6.4.2 6.4.3 6.5 Routing Configuration...................................................................................................... 180 Routing Mode ..................................................................................................................... 180 Dynamic Routing (RIP) ................................................................................................... 183 Static Routing ..................................................................................................................... 184 OSPF..................................................................................................................................... 185 6.6 6.7 6.8 6to4 Tunneling ................................................................................................................... 188 IGMP Setup ........................................................................................................................ 190 Option Port Settings ......................................................................................................... 191 6.9 IP Aliases ............................................................................................................................. 193 Chapter 7. Securing the Private Network ..................................................................................................... 194 7.1 7.2 7.3 7.3.1 7.4 Firewall Rules ..................................................................................................................... 195 Defining Rule Schedules ................................................................................................ 196 Configuring Firewall Rules ............................................................................................. 
197 Firewall Rule Configuration Examples....................................................................... 202 Security on Custom Servic es........................................................................................ 206 7.5 7.6 7.7 ALG support ........................................................................................................................ 207 VPN Passthrough for Firewall ...................................................................................... 208 Client ..................................................................................................................................... 209 7.8 7.9 Application Rules .............................................................................................................. 210 Application Rules Status ................................................................................................ 212 7.10 7.10.1 7.10.2 7.10.3 7.10.4 Web Content Filtering...................................................................................................... 212 Cont ent Filtering ................................................................................................................ 213 Approved URLs ................................................................................................................. 214 Blocked Keywords ............................................................................................................ 215 Export Web Filter .............................................................................................................. 216 7.11 7.12 7.13 IP/MAC Binding ................................................................................................................. 217 RADIUS Settings............................................................................................................... 
218 Switch Settings .................................................................................................................. 220 7.14 Protecting from Internet Attacks .................................................................................. 221 Chapter 8. IPsec / PPTP / L2TP VPN ............................................................................................................ 223 8.1 VPN Wizard ........................................................................................................................ 226 8.2 8.2.1 8.2.2 8.3 8.4 8.4.1 8.4.2 8.4.3 Configuring IPsec Policies ............................................................................................. 228 Extended Aut hentication (XAUTH) ............................................................................. 232 Internet over IPS ec tunnel ............................................................................................. 233 Configuring VPN clients .................................................................................................. 233 PPTP / L2TP Tunnels ...................................................................................................... 234 PPTP Tunnel Support ..................................................................................................... 234 L2TP Tunnel Support ...................................................................................................... 236 OpenVPN Support ............................................................................................................ 237 4 Wireless Controller User Manual Chapter 9. SSL VPN ............................................................................................................................................ 241 9.1 Groups and Users............................................................................................................. 
243 9.1.1 Users and Passwords ..................................................................................................... 251 9.2 Using SSL VPN Policies ................................................................................................. 253 9.2.1 Using Network Res ourc es ............................................................................................. 256 9.3 Application Port Forwarding .......................................................................................... 257 9.4 SSL VPN Client Configuration...................................................................................... 260 9.4.1 Creating Portal Layouts .................................................................................................. 263 9.5 Active VPN Tunnels ......................................................................................................... 265 Chapter 10. Advanced System Functionalities.............................................................................................. 268 10.1 USB Device Setup ............................................................................................................ 268 10.2 USB Share Port ................................................................................................................. 269 10.3 10.4 Authentication Certificates ............................................................................................. 270 ® Intet AMT ........................................................................................................................... 272 Chapter 11. Advanced Wireless Controller Features .................................................................................. 275 11.1 11.2 Advanced Global Wireless Controller Configuration ............................................ 275 Distributed Tunneling....................................................................................................... 
278 11.3 11.4 11.4.1 11.4.2 11.5 11.5.1 11.5.2 Distributed Tunneling Status ......................................................................................... 279 Peer Controller Configuration ....................................................................................... 281 Peer Controller Configuraiton Request Status ....................................................... 281 Peer Controller Configuration ....................................................................................... 282 WIDS Configuration ......................................................................................................... 284 WIDS AP configration...................................................................................................... 284 WIDS Client Configuration............................................................................................. 288 Chapter 12. Administration & Management ................................................................................................... 292 12.1 12.2 Remote Management ...................................................................................................... 292 CLI Access .......................................................................................................................... 292 12.3 12.4 12.5 SNMP Configuration ........................................................................................................ 293 SNMP Traps ....................................................................................................................... 295 Configuring Time Zone and NTP ................................................................................. 298 12.6 12.6.1 12.6.2 12.6.3 12.7 Log Configuration.............................................................................................................. 299 Defining What to Log ....................................................................................................... 
300 Sending Logs to E-mail or Syslog ............................................................................... 303 E vent Log Viewer in GUI ................................................................................................ 306 Backing up and Restoring Configuration Settings ................................................. 308 12.8 12.9 12.9.1 12.9.2 12.9.3 12.9.4 12.9.5 Upgrading Wirelesss Controller Firmware ............................................................... 310 Dynamic DNS Setup ........................................................................................................ 311 Using Diagnostic Tools ................................................................................................... 313 Ping........................................................................................................................................ 314 Trace Route ........................................................................................................................ 314 DNS Lookup ....................................................................................................................... 315 Rout er Options ................................................................................................................... 315 Chapter 13. License Activation ........................................................................................................................... 316 5 Wireless Controller User Manual Appendix A. Glossary ............................................................................................................................................. 318 Appendix B. Factory Default Settings................................................................................................................ 321 6 Wireless Controller User Manual List of Figures Figure 1: Setup page for LA N TCP/IP settings (DHCP server) .................................................................. 
20 Figure 2: Setup page for LA N TCP/IP settings (DHCP Relay) ................................................................... 21 Figure 3: LAN DHCP Reserved IPs ..................................................................................................................... 22 Figure 4: LAN DHCP Leased Clients ................................................................................................................... 23 Figure 5: IP v6 LA N and DHCP v6 configuration ............................................................................................... 24 Figure 6: DHCP v6 Leased Clients ........................................................................................................................ 26 Figure 7: Configuring the Router Advertisement Daemon ........................................................................... 29 Figure 8: IP v6 Advertisement Prefix settings .................................................................................................... 30 Figure 9: Port Queue Scheduling .......................................................................................................................... 31 Figure 10: Port Queue Status ................................................................................................................................. 32 Figure 11: Option QoS Configuration ................................................................................................................... 33 Figure 12: Bandwidth Profile Configuration ....................................................................................................... 34 Figure 13: Traffic Selector Configuration ............................................................................................................ 35 Figure 14: LA N QoS Configuration ....................................................................................................................... 
36 Figure 15: 801.p Configuration............................................................................................................................... 37 Figure 16: DS CP Configuration ............................................................................................................................. 38 Figure 17: Remark CoS to DS CP ......................................................................................................................... 39 Figure 18: Adding VLA N members hips to the LAN ......................................................................................... 41 Figure 19: Port VLAN list.......................................................................................................................................... 42 Figure 20: Configuring VLA N membership for a port ..................................................................................... 43 Figure 21: Multiple VLAN Subnets........................................................................................................................ 44 Figure 22: DMZ configuration ................................................................................................................................. 45 Figure 23: UP nP Configuration .............................................................................................................................. 47 Figure 24: Captive Port al Setup............................................................................................................................. 49 Figure 25: Configuring a captive portal policy................................................................................................... 50 Figure 26: Captive Port al Configuration (Part -1).............................................................................................. 
51 Figure 27: Captive Port al Configuration (Part -2).............................................................................................. 52 Figure 28: Active Runtime sessions ..................................................................................................................... 54 Figure 29: WLAN CP Interface Association ....................................................................................................... 55 Figure 30: WLAN global configuration ................................................................................................................. 57 Figure 31: Configuring the Wireless Discovery ................................................................................................ 60 Figure 32: Wireless Discovery status................................................................................................................... 62 Figure 33: AP Profile Global Configuration ........................................................................................................ 63 Figure 34: AP Profile List ......................................................................................................................................... 64 7 Wireless Controller User Manual Figure 35: AP Pofile - Radio configuration (Part-1)......................................................................................... 71 Figure 36: AP Pofile - Radio configuration (Part-2)......................................................................................... 73 Figure 37: AP Pofile - SSID configuration .......................................................................................................... 75 Figure 39: AP Pofile - QoS configuration (P art-2) ........................................................................................... 
Figure 40: WLAN Setup Wizard
Figure 41: Dashboard
Figure 42: Device Status display
Figure 43: Device Status display (continued)
Figure 44: Wireless LAN AP information
Figure 45: Cluster information
Figure 46: Resource Utilization statistics
Figure 47: Resource Utilization data (continued)
Figure 48: Physical port statistics
Figure 49: Managed AP Statistics
Figure 50: LAN Associated Clients
Figure 51: WLAN Associated Clients
Figure 52: List of current Active Firewall Sessions
Figure 53: Associated Clients
Figure 54: List of LAN hosts
Figure 55: Detected Clients
Figure 57: AP status
Figure 58: Managed AP status
Figure 59: Authentication Failure Status
Figure 60: AP RF Scan Status
Figure 61: Global Status (Part 1)
Figure 62: Global Status (Part 2)
Figure 63: Peer Controller Status
Figure 64: Peer Controller Configuration Status
Figure 65: Peer Controller Managed AP Status
Figure 66: IP Discovery
Figure 67: Configuration Receive Status
Figure 68: AP Hardware Capability
Figure 69: Client Status
Figure 70: Associated Client Status
Figure 71: Associated Client SSID Status
Figure 72: Associated Client VAP Status
Figure 73: Controller Associated Client Status
Figure 74: Detected Client Status
Figure 75: Pre-Auth History
Figure 76: Detected Client Roam History
Figure 77: Valid Access Point Configuration
Figure 78: Add a Valid Access Point
Figure 79: RF configuration
Figure 80: Channel Plan History.
Figure 81: Manual Channel Plan.
Figure 82: Manual Power Adjustment Plan
Figure 83: Access Point Software Download
Figure 84: Local OUI Database
Figure 85: AP Provisioning Summary Status
Figure 86: Manual Management
Figure 87: Internet Connection Setup Wizard
Figure 88: Manual Option1 configuration
Figure 89: PPPoE configuration for standard ISPs
Figure 90: Option1 configuration for Japanese Multiple PPPoE (part 1)
Figure 91: Option1 configuration for Multiple PPPoE (part 2)
Figure 92: Russia L2TP ISP configuration
Figure 93: IPv6 Option1 Setup page
Figure 94: Connection Status information of Option1
Figure 95: Load Balancing is available when multiple Option ports are configured and Protocol Bindings have been defined
Figure 96: Protocol binding setup to associate a service and/or LAN source to an Option and/or destination network
Figure 97: Routing Mode is used to configure traffic routing between Option and LAN, as well as Dynamic routing (RIP)
Figure 98: Static route configuration fields
Figure 99: OSPFv2 status – IPv4
Figure 100: OSPFv3 status – IPv6
Figure 101: OSPFv2 Configuration
Figure 102: 6to4 Tunneling
Figure 103: IGMP Setup
Figure 104: Physical Option port settings
Figure 105: IP Aliases
Figure 106: List of Available Firewall Rules
Figure 107: List of Available Schedules to bind to a firewall rule
Figure 108: Example where an outbound SNAT rule is used to map an external IP address (209.156.200.225) to a private DMZ IP address (10.30.30.30)
Figure 109: The firewall rule configuration page allows you to define the To/From zone, service, action, schedules, and specify source/destination IP addresses as needed.
Figure 110: Schedule configuration for the above example.
Figure 111: List of user defined services
Figure 112: Available ALG support on the controller.
Figure 113: Passthrough options for VPN tunnels
Figure 114: List of Known Clients
Figure 115: List of Available Application Rules showing 4 unique rules
Figure 116: List of Available Application Rules and corresponding status
Figure 117: Content Filtering used to block access to proxy servers and prevent ActiveX controls from being downloaded
Figure 118: Two trusted domains added to the Approved URLs List
Figure 119: One keyword added to the block list
Figure 120: Export Approved URL list
Figure 121: Example binding a LAN host's MAC Address to a served IP address
Figure 122: RADIUS Server Configuration
Figure 123: Switch settings
Figure 124: Protecting the controller and LAN from internet attacks
Figure 125: Example of Gateway-to-Gateway IPsec VPN tunnel using two DWC controllers connected to the Internet
Figure 126: Example of three IPsec client connections to the internal network through the DWC IPsec gateway
Figure 127: VPN Wizard launch screen
Figure 128: IPsec policy configuration
Figure 129: IPsec policy configuration continued (Auto policy via IKE)
Figure 130: IPsec policy configuration continued (Auto / Manual Phase 2)
Figure 131: PPTP tunnel configuration – PPTP Client
Figure 132: PPTP VPN connection status
Figure 133: PPTP tunnel configuration – PPTP Server
Figure 134: L2TP tunnel configuration – L2TP Server
Figure 135: OpenVPN configuration
Figure 136: Example of clientless SSL VPN connections to the DWC-1000
Figure 137: List of groups
Figure 138: User group configuration
Figure 139: SSLVPN Settings
Figure 140: Group login policies options
Figure 141: Browser policies options
Figure 142: IP policies options
Figure 143: Available Users with login status and associated Group
Figure 144: User Configuration options
Figure 145: List of SSL VPN policies (Global filter)
Figure 146: SSL VPN policy configuration
Figure 147: List of configured resources, which are available to assign to SSL VPN policies
Figure 148: List of Available Applications for SSL Port Forwarding
Figure 149: SSL VPN client adapter and access configuration
Figure 150: Configured client routes only apply in split tunnel mode
Figure 151: SSL VPN Portal configuration
Figure 152: List of current Active VPN Sessions
Figure 153: USB Device Detection
Figure 154: USB Share Port
Figure 155: Certificate summary for IPsec and HTTPS management
Figure 156: Intel® AMT
Figure 157: Wireless Configuration
Figure 158: Distributed Tunneling
Figure 159: Distributed Tunneling Clients
Figure 160: Peer Controller Configuration Request Status
Figure 161: Peer Controller Configuration
Figure 162: WIDS AP Configuration
Figure 163: WIDS Client Configuration
Figure 164: Remote Management
Figure 165: SNMP Users, Traps, and Access Control
Figure 166: SNMP system information for this controller
Figure 167: SNMP Traps
Figure 168: Date, Time, and NTP server setup
Figure 169: Facility settings for Logging
Figure 170: Log configuration options for traffic through controller
Figure 171: E-mail configuration as a Remote Logging option
Figure 172: Syslog server configuration for Remote Logging (continued)
Figure 173: VPN logs displayed in GUI event viewer
Figure 174: SSL VPN logs displayed in GUI event viewer
Figure 175: Restoring configuration from a saved file will result in the current configuration being overwritten and a reboot
Figure 176: Firmware version information and upgrade option
Figure 178: Controller diagnostics tools available in the GUI
Figure 179: Installing a License

Chapter 1. Introduction

D-Link Wireless Controller (DWC), DWC-1000, is a full-featured wireless LAN controller designed for small network environments. The centralized control function contains various access point management functions, such as fast roaming, inter-subnet roaming, automatic channel and power adjustment, self-healing, etc. The advanced wireless security functions, including rogue AP detection, captive portal, and wireless intrusion detection system (WIDS), offer strong wireless network protection against attacks from hackers. After a license upgrade, optimal network security is provided via features such as virtual private network (VPN) tunnels, IP Security (IPsec), Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Secure Sockets Layer (SSL). Empower your road warriors with clientless remote access anywhere and anytime using SSL VPN tunnels.

There are two types of licenses available to activate increased functionality for the DWC. These licenses are not activated by default.

1. VPN license upgrade enables the following features: ISP connection types (PPPoE, PPTP, L2TP, NAT/Transparent mode), Option2/DMZ port, IP Aliasing, Dynamic Routing (RIP), VPN (PPTP client/server, L2TP client/server, SSLVPN, OpenVPN), Intel AMT, Dynamic DNS, Website Filter, Application Rules, Firewall Rules, UPnP, IGMP proxy, and ALG/SMTP ALG.

2. AP license upgrades the number of APs the controller can manage. You can upgrade up to 3 AP licenses. By default the DWC-1000 can manage up to 6 APs. You increase the number by 6 with each AP license.

1.1 About this User Manual

This document is a high-level manual that allows new D-Link Wireless Controller users to configure connectivity and WLAN configuration, set up VPN tunnels, establish firewall rules and AP management, and perform general administrative tasks. Typical deployment and use case scenarios are described in each section. For more detailed setup instructions and explanations of each configuration parameter, refer to the online help that can be accessed from each page in the controller GUI.

For this user manual all screenshots are taken with an activated VPN license, which enables VPN / Firewall features.

1.2 Typographical Conventions

The following is a list of the various terms, followed by an example of how that term is represented in this document:

Product Name: D-Link Wireless Controller
    Model number: DWC-1000
GUI Menu Path / GUI Navigation – Monitoring > Controller Status
Important note –

Chapter 2. Configuring Your Network

To enable management access through the browser-based web GUI or an SNMP manager, you must connect the controller to the network. The default IP address/subnet mask of the controller management interface is 192.168.10.1/255.255.255.0, and the DHCP server on the LAN is disabled by default on the controller.
You must connect the controller to a 192.168.10.0 network. After you configure network information, such as the IP address and subnet mask, and the controller is physically and logically connected to the network, you can manage and monitor the controller remotely through a Web browser or an SNMP-based network management system. Once the initial setup is complete, the DWC-1000 can be managed through the wired interface connected to the controller.

Access the controller's GUI for management by using any web browser, such as Microsoft Internet Explorer or Mozilla Firefox. Go to http://192.168.10.1 (default IP address) to display the controller's management login screen.

Default login credentials for the management GUI:
Username: admin
Password: admin

If the controller's LAN IP address was changed, use that IP address in the navigation bar of the browser to access the controller's management UI.

2.1 LAN Configuration

Setup > Network Settings > LAN Setup Configuration

By default, the Dynamic Host Configuration Protocol (DHCP) mode in the controller is set to "None". The DHCP mode can be set as DHCP server or DHCP relay. When DHCP mode is set as DHCP server, the controller functions as a DHCP server for assigning IP address leases to hosts on the WLAN or LAN. With DHCP, PCs and other LAN devices can be assigned IP addresses, the default gateway, as well as addresses for DNS servers and Windows Internet Name Service (WINS) servers. The PCs in the LAN are assigned IP addresses from a pool of addresses specified in this procedure.
Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN.

For most applications the default DHCP and TCP/IP settings are satisfactory. If you want another PC on your network to be the DHCP server, or if you are manually configuring the network settings of all of your PCs, set the DHCP mode to "None". DHCP relay can be used to forward DHCP lease information from another LAN device that is the network's DHCP server; this is particularly useful for wireless clients.

Instead of using a DNS server, you can use a Windows Internet Naming Service (WINS) server. A WINS server is the equivalent of a DNS server but uses the NetBIOS protocol to resolve hostnames. The controller includes the WINS server IP address in the DHCP configuration when acknowledging a DHCP request from a DHCP client.

You can also enable DNS proxy for the LAN. When this is enabled, the controller acts as a proxy for all DNS requests and communicates with the ISP's DNS servers. When disabled, all DHCP clients receive the DNS IP addresses of the ISP.

To configure LAN Connectivity, please follow the steps below:

1. In the LAN Setup page, enter the following information for your controller:

IP address: (factory default: 192.168.10.1). If you change the IP address and click Save Settings, the GUI will not respond. Open a new connection to the new IP address and log in again.
Be sure the LAN host (the machine used to manage the controller) has obtained an IP address from the newly assigned pool (or has a static IP address in the controller's LAN subnet) before accessing the controller via the changed IP address.

Subnet mask: (factory default: 255.255.255.0).

2. In the DHCP section, select the DHCP mode:

None: The controller's DHCP server is disabled for the LAN.

DHCP Server: With this option the controller assigns an IP address within the specified range plus additional specified information to any LAN device that requests DHCP served addresses.

DHCP Relay: With this option enabled, DHCP clients on the LAN can receive IP address leases and corresponding information from a DHCP server on a different subnet. Specify the Relay Gateway, and when LAN clients make a DHCP request it will be passed along to the server accessible via the Relay Gateway IP address.

If DHCP is being enabled, enter the following DHCP server parameters:

Starting and Ending IP Addresses: Enter the first and last continuous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address in this range. The default starting address is 192.168.10.100. The default ending address is 192.168.10.254. These addresses should be in the same IP address subnet as the controller's LAN IP address. You may wish to save part of the subnet range for devices with statically assigned IP addresses in the LAN.
Default Gateway (Optional): Enter the IP address of the controller that you want to use as the default gateway, if other than the DWC-1000.

Primary and Secondary DNS servers: If configured domain name system (DNS) servers are available on the LAN, enter their IP addresses here.

Domain Name: Enter the domain name.

WINS Server (optional): Enter the IP address for the WINS server or, if present in your network, the Windows NetBios server.

Lease Time: Enter the time, in hours, for which IP addresses are leased to clients.

Enable DNS Proxy: To enable the controller to act as a proxy for all DNS requests and communicate with the ISP's DNS servers, click the checkbox.

Relay Gateway: Enter the gateway address. This is the only configuration parameter required in this section when DHCP Relay is selected as its DHCP mode.

3. Click Save Settings to apply all changes.

Figure 1: Setup page for LAN TCP/IP settings (DHCP server)

Figure 2: Setup page for LAN TCP/IP settings (DHCP Relay)

When DHCP relay is enabled, DHCP clients on the LAN can receive IP address leases and corresponding information from a DHCP server on a different subnet. Specify the Relay Gateway, and when LAN clients make a DHCP request it will be passed along to the server accessible via the Relay Gateway IP address.

2.1.1 LAN DHCP Reserved IPs

Setup > Network Settings > LAN DHCP Reserved IPs

The controller DHCP server can assign TCP/IP configurations to computers in the LAN explicitly by adding the client's network interface hardware address and the IP address to be assigned to that client in the DHCP server's database.
Whenever the DHCP server receives a request from a client, the hardware address of that client is compared with the hardware address list present in the database. If an IP address is already assigned to that computer or device in the database, the customized IP address is configured; otherwise an IP address is assigned to the client automatically from the DHCP pool.
IP Addresses: The LAN IP address of a host that is reserved by the DHCP server.
MAC Addresses: The MAC address that will be assigned the reserved IP address when it is on the LAN.
The actions that can be taken on the list of reserved IP addresses are:
Select: Selects all the reserved IP addresses in the list.
Edit: Opens the LAN DHCP Reserved IP Configuration page to edit the selected binding rule.
Delete: Deletes the selected IP address reservation(s).
Add: Opens the LAN DHCP Reserved IP Configuration page to add a new binding rule.
Figure 3: LAN DHCP Reserved IPs

2.1.2 LAN DHCP Leased Clients
Setup > Network Settings > LAN DHCP Leased Clients
This page provides the list of clients connected to the LAN DHCP server.
Figure 4: LAN DHCP Leased Clients
IP Addresses: The LAN IP address of a host that matches the reserved IP list.
MAC Addresses: The MAC address of a LAN host that has a configured IP address reservation.

2.1.3 LAN Configuration in an IPv6 Network
Advanced > IPv6 > IPv6 LAN > IPv6 LAN Config
In IPv6 mode, the LAN DHCP server is enabled by default (similar to IPv4 mode).
The DHCPv6 server will serve IPv6 addresses from configured address pools with the IPv6 Prefix Length assigned to the LAN. IPv4 / IPv6 mode must be enabled in the Advanced > IPv6 > Routing mode to enable IPv6 configuration options.
LAN IP Address Setup
The default IPv6 LAN address for the router is fec0::1. You can change this 128 bit IPv6 address based on your network requirements. The other field that defines the LAN settings for the router is the prefix length. The IPv6 network (subnet) is identified by the initial bits of the address called the prefix. By default this is 64 bits long. All hosts in the network have common initial bits for their IPv6 address; the number of common initial bits in the network's addresses is set by the prefix length field.
Figure 5: IPv6 LAN and DHCPv6 configuration
If you change the IP address and click Save Settings, the GUI will not respond. Open a new connection to the new IP address and log in again. Be sure the LAN host (the machine used to manage the router) has obtained an IP address from the newly assigned pool (or has a static IP address in the router's LAN subnet) before accessing the router via the changed IP address.
DHCPv6
As with an IPv4 LAN network, the router has a DHCPv6 server. If enabled, the router assigns an IP address within the specified range plus additional specified information to any LAN PC that requests DHCP served addresses.
The following settings are used to configure the DHCPv6 server:
DHCP Status: This allows you to enable or disable the DHCPv6 server.
DHCP Mode: The IPv6 DHCP server is either stateless or stateful. If stateless is selected, an external IPv6 DHCP server is not required as the IPv6 LAN hosts are auto-configured by this controller. In this case the router advertisement daemon (RADVD) must be configured on this device and ICMPv6 router discovery messages are used by the host for auto-configuration. There are no managed addresses to serve the LAN nodes. If stateful is selected, the IPv6 LAN host will rely on an external DHCPv6 server to provide required configuration settings.
The Domain Name of the DHCPv6 server is an optional setting.
Server Preference: Indicates the preference level of this DHCP server. DHCP advertise messages with the highest server preference value to a LAN host are preferred over other DHCP server advertise messages. The default is 255.
DNS server: The details can be manually entered here (primary/secondary options). An alternative is to allow the LAN DHCP client to receive the DNS server details from the ISP directly. By selecting Use DNS proxy, this router acts as a proxy for all DNS requests and communicates with the ISP's DNS servers (an Option configuration parameter).
Primary and Secondary DNS servers: If there are configured domain name system (DNS) servers available on the LAN, enter the IP addresses here.
Lease/Rebind time: Sets the duration of the DHCPv6 lease from this router to the LAN client.
IPv6 Address Pools
This feature allows you to define the IPv6 delegation prefix for a range of IP addresses to be served by the gateway's DHCPv6 server. Using a delegation prefix you can automate the process of informing other networking equipment on the LAN of DHCP information specific for the assigned prefix.
Prefix Delegation
The following settings are used to configure the Prefix Delegation:
Prefix Delegation: Select this option to enable prefix delegation in the DHCPv6 server. This option can be selected only in Stateless Address Auto Configuration mode of the DHCPv6 server.
Prefix Address: IPv6 prefix address in the DHCPv6 server prefix pool.
Prefix Length: Length of the prefix address.

2.1.4 DHCPv6 Leased Clients
Advanced > IPv6 > IPv6 LAN > DHCPv6 Leased Clients
This page provides the list of DHCPv6 clients connected to the LAN DHCPv6 Server and to whom the DHCPv6 Server has given leases.
Figure 6: DHCPv6 Leased Clients
IP Addresses: This is the DHCP server IP address.
DUID: Each DHCP client and server has a DUID. DHCP servers use DUIDs to identify clients for the selection of configuration parameters and in the association of IAs with clients. DHCP clients use DUIDs to identify a server in messages where a server needs to be identified.
IAID: An identifier for an IA, chosen by the client. Each IA has an IAID, which is chosen to be unique among all IAIDs for IAs belonging to that client.
: This is the DHCP server IP address.

2.1.5 Configuring IPv6 Router Advertisements
Router Advertisements are analogous to IPv4 DHCP assignments for LAN clients, in that the router will assign an IP address and supporting network information to devices that are configured to accept such details. Router Advertisement is required in an IPv6 network for stateless auto configuration of the IPv6 LAN. By configuring the Router Advertisement Daemon on this router, the DWC-1000 will listen on the LAN for router solicitations and respond to these LAN hosts with router advertisements.
RADVD
Advanced > IPv6 > IPv6 LAN > Router Advertisement
To support stateless IPv6 auto configuration on the LAN, set the RADVD status to Enable. The following settings are used to configure RADVD:
RADVD Status: You can enable the RADVD process here to allow stateless auto configuration of the IPv6 LAN network.
Advertise Mode: Select Unsolicited Multicast to send router advertisements (RAs) to all interfaces in the multicast group. To restrict RAs to well known IPv6 addresses on the LAN, and thereby reduce overall network traffic, select Unicast only.
Advertise Interval: When advertisements are unsolicited multicast packets, this interval sets the maximum time between advertisements from the interface. The actual duration between advertisements is a random value between one third of this field and this field. The default is 30 seconds.
RA Flags: The router advertisements (RAs) can be sent with one or both of these flags.
Choose Managed to use the administered/stateful protocol for address auto configuration. If the Other flag is selected, the host uses the administered/stateful protocol for non-address auto configuration.
Router Preference: This low/medium/high parameter determines the preference associated with the RADVD process of the router. This is useful if there are other RADVD enabled devices on the LAN as it helps avoid conflicts for IPv6 clients.
MTU: The router advertisement will set this maximum transmission unit (MTU) value for all nodes in the LAN that are autoconfigured by the router. The default is 1500.
Router Lifetime: This value is present in RAs and indicates the usefulness of this router as a default router for the interface. The default is 3600 seconds. Upon expiration of this value, a new RADVD exchange must take place between the host and this router.
Figure 7: Configuring the Router Advertisement Daemon
Advertisement Prefixes
Advanced > IPv6 > IPv6 LAN > Advertisement Prefixes
The router advertisements configured with advertisement prefixes allow this router to inform hosts how to perform stateless address auto configuration. Router advertisements contain a list of subnet prefixes that allow the router to determine neighbors and whether the host is on the same link as the router.
The following prefix options are available for the router advertisements:
IPv6 Prefix Type: To ensure hosts support IPv6 to IPv4 tunnel, select the 6to4 prefix type.
Selecting Global/Local/ISATAP will allow the nodes to support all other IPv6 routing options.
SLA ID: The SLA ID (Site-Level Aggregation Identifier) is available when 6to4 Prefixes are selected. This should be the interface ID of the router's LAN interface used for router advertisements.
IPv6 Prefix: When using Global/Local/ISATAP prefixes, this field is used to define the IPv6 network advertised by this router.
IPv6 Prefix Length: This value indicates the number of contiguous, higher order bits of the IPv6 address that define the network portion of the address. Typically this is 64.
Prefix Lifetime: This defines the duration (in seconds) that the requesting node is allowed to use the advertised prefix. It is analogous to DHCP lease time in an IPv4 network.
Figure 8: IPv6 Advertisement Prefix settings

2.2 LAN QoS
2.2.1 Port Queue Scheduling
Setup > LAN QoS > Port Queue Scheduling
This page allows you to select the queueing scheduling algorithm.
Queueing scheduling algorithm: The scheduling algorithm for the LAN controller can be configured here. The supported algorithms are strict and weighted round robin only.
The device will be programmed to handle the traffic using the algorithm configured here.
Figure 9: Port Queue Scheduling

2.2.2 Port Queue Status
Setup > LAN QoS > Port Queue Status
This page shows the current queue management algorithm that is used in the LAN controller.
Queueing Management algorithm: Displays the current queue management algorithm that is used in the LAN controller.
Figure 10: Port Queue Status

2.2.3 Option QoS Configuration
Setup > LAN QoS > Option QoS Configuration
This page allows configuring the Option QoS and defining the bandwidth for Option interfaces.
Figure 11: Option QoS Configuration
Option QoS: To enable Bandwidth management, select the check box and click Apply.
Option Configuration: Define the upstream and downstream bandwidth for the Option1 and Option2 interfaces.
Bandwidth Profile: Click Add to define a bandwidth profile.
Bandwidth Management
Profile Name: Allows defining a profile name.
Priority: Select the priority of the profile.
Maximum Bandwidth: Provide the maximum allowed bandwidth of the profile.
Minimum Bandwidth: Provide the minimum allowed bandwidth of the profile.
Option Interface: Select the interface Option1/Option2.
Figure 12: Bandwidth Profile Configuration

2.2.4 Traffic Selector Configuration
Setup > LAN QoS > Traffic Selector Configuration
After you create a bandwidth profile, you can associate it with a traffic flow.
Figure 13: Traffic Selector Configuration
Available Profiles: Select one of the previously configured bandwidth profiles to associate with this traffic selector.
Service: Select one of the services from the available services.
Traffic Selector Match Type: Choose the method for identifying the host that is controlled by this traffic selector: IP Address, MAC Address, Port Name, VLAN Name, DSCP value or BSSID.
IP Address: Enter the IP Address of the LAN host, if you chose IP as the Match Type.
MAC Address: Enter a valid MAC Address, if you chose MAC Address as the Match Type.
Port Name: Select the LAN port number, if you chose Port Name as the Match Type.
Available VLANs: Select a VLAN, if you chose VLAN Name as the Match Type.
DSCP value: Enter a valid DSCP value between 0 and 63, if you chose DSCP as the Match Type.

2.2.5 LAN QoS Configuration
Setup > LAN QoS > LAN QoS Configuration
Enabling QoS on LAN is an advanced configuration, which is required only if you expect congestion on the traffic on the LAN ports. This page allows you to enable the configuration and configure each port to trust the CoS or DSCP values in the packet.
Figure 14: LAN QoS Configuration
LAN Port: This lists the available LAN ports.
Classify Using: This provides the list of QoS services available on the port.

2.2.6 801.p Configuration
Setup > LAN QoS > 801.p Configuration
Port CoS Mapping enables you to change the priority of the PCP value.
Figure 15: 801.p Configuration
CoS Value: Value of the CoS in the PCP part of the LAN traffic.
Priority Queue: Priority for the particular CoS value.

2.2.7 DSCP Configuration
Setup > LAN QoS > DSCP Configuration
This page allows configuring IP DSCP values to which you can map an internal traffic class.
Figure 16: DSCP Configuration
DSCP: Lists the IP DSCP values to which you can map an internal traffic class. The values range from 0-63.
Queue: This provides the priority of the queue.

2.2.8 Remark CoS to DSCP
Setup > LAN QoS > Remark CoS to DSCP
Remarking CoS to DSCP is an advanced QoS configuration, where the Layer 2 quality of service field is translated to a Layer 3 QoS field in the packet, so that upstream routers can make a QoS decision based on the DSCP field set in the packet.
Figure 17: Remark CoS to DSCP
Once you enable CoS to DSCP marking by choosing the check box, you can choose the appropriate value of the DSCP for a given CoS value.

2.3 VLAN Configuration
The controller supports virtual network isolation on the LAN with the use of VLANs. LAN devices can be configured to communicate in a subnetwork defined by VLAN identifiers. LAN ports can be assigned unique VLAN IDs so that traffic to and from that physical port can be isolated from the general LAN. VLAN filtering is particularly useful to limit broadcast packets of a device in a large network. VLAN support is disabled by default in the controller.
In the VLAN Configuration page, enable VLAN support on the controller and then proceed to the next section to define the virtual network.
Setup > VLAN Settings > Available VLAN
The Available VLAN page shows a list of configured VLANs by name and VLAN ID. A VLAN membership can be created by clicking the Add button below the List of Available VLANs.
A VLAN membership entry consists of a VLAN identifier and the numerical VLAN ID which is assigned to the VLAN membership. The VLAN ID value can be any number from 2 to 255. VLAN ID 1 is reserved for the default VLAN, which is used for untagged frames received on the interface. By enabling Inter VLAN Routing, you will allow traffic from LAN hosts belonging to this VLAN ID to pass through to other configured VLAN IDs that have Inter VLAN Routing enabled.
Figure 18: Adding VLAN memberships to the LAN

2.3.1 Associating VLANs to ports
In order to tag all traffic through a specific LAN port with a VLAN ID, you can associate a VLAN to a physical port.
Setup > VLAN Settings > Port VLAN
VLAN membership properties for the LAN and wireless LAN are listed on this page. The VLAN Port table displays the port identifier, the mode setting for that port and VLAN membership information. The configuration page is accessed by selecting one of the four physical ports or a configured access point and clicking Edit.
The edit page offers the following configuration options:
Mode: The mode of this VLAN can be General, Access, or Trunk. The default is access.
In General mode the port is a member of a user selectable set of VLANs. The port sends and receives data that is tagged or untagged with a VLAN ID. If the data into the port is untagged, it is assigned the defined PVID. In the configuration from Figure 6, Port 3 is a General port with PVID 3, so untagged data into Port 3 will be assigned PVID 3. All tagged data sent out of the port with the same PVID will be untagged. This mode is typically used with IP Phones that have dual Ethernet ports. Data coming from the phone to the controller port on the controller will be tagged. Data passing through the phone from a connected device will be untagged.
Figure 19: Port VLAN list
In Access mode the port is a member of a single VLAN (and only one). All data going into and out of the port is untagged. Traffic through a port in access mode looks like any other Ethernet frame.
In Trunk mode the port is a member of a user selectable set of VLANs. All data going into and out of the port is tagged. Untagged data coming into the port is not forwarded, except for the default VLAN with PVID=1, which is untagged. Trunk ports multiplex traffic for multiple VLANs over the same physical link.
Select PVID for the port when the General mode is selected.
Configured VLAN memberships will be displayed on the VLAN Membership Configuration for the port.
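The three port modes above, as an added Python model (not D-Link code and not part of the manual): it classifies a received frame into a VLAN, reports how each other port would carry it, and checks whether two ports are isolated at layer 2. Port names, VLAN 10 and the memberships are constructed apart from Port 3 (General, PVID 3); dropping tagged frames on an access port and frames for VLANs a port is not a member of is an assumption of the model, and Inter VLAN Routing is not modelled.

```python
from dataclasses import dataclass

DEFAULT_VLAN = 1  # VLAN ID 1 is reserved for the default VLAN (section 2.3)


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                          # "general", "access" or "trunk"
    pvid: int = DEFAULT_VLAN           # VLAN given to untagged ingress (general/access)
    members: frozenset = frozenset()   # additional VLAN memberships (general/trunk)


def classify(port, tag):
    """Return the VLAN a received frame lands in, or None if the port drops it.

    tag is the VLAN ID carried by the frame, or None for an untagged frame.
    """
    if port.mode == "access":
        # One VLAN only, all data untagged. Dropping tagged frames here is an
        # assumption of this model; the manual does not state it.
        return port.pvid if tag is None else None
    if port.mode == "general":
        if tag is None:
            return port.pvid                       # untagged data gets the PVID
        # Assumption: tags outside the port's memberships are dropped.
        return tag if tag == port.pvid or tag in port.members else None
    if port.mode == "trunk":
        if tag is None:
            return DEFAULT_VLAN                    # only the default VLAN is untagged
        return tag if tag in port.members else None
    raise ValueError(f"unknown port mode: {port.mode!r}")


def egress(port, vlan):
    """Return "tagged", "untagged" or None (the frame does not leave by this port)."""
    if port.mode == "access":
        return "untagged" if vlan == port.pvid else None
    if port.mode == "general":
        if vlan == port.pvid:
            return "untagged"                      # data in the PVID leaves untagged
        return "tagged" if vlan in port.members else None
    if port.mode == "trunk":
        if vlan == DEFAULT_VLAN:
            return "untagged"
        return "tagged" if vlan in port.members else None
    raise ValueError(f"unknown port mode: {port.mode!r}")


def deliver(src, tag, ports):
    """Map each other port's name to the form in which it would carry the frame."""
    vlan = classify(src, tag)
    if vlan is None:
        return {}
    carried = {}
    for port in ports:
        if port is not src:
            form = egress(port, vlan)
            if form:
                carried[port.name] = form
    return carried


def isolated(a, b, ports, vlan_ids=range(1, 256)):
    """True when no frame accepted on port a can leave through port b."""
    frames = [None, *vlan_ids]  # the untagged frame plus every VLAN tag in range
    return all(b.name not in deliver(a, tag, ports) for tag in frames)


# Constructed sample layout; only Port 3 (General, PVID 3) comes from the text above.
PORT1 = Port("port1", "access", pvid=2)
PORT2 = Port("port2", "trunk", members=frozenset({2, 3, 10}))
PORT3 = Port("port3", "general", pvid=3, members=frozenset({10}))
PORT4 = Port("port4", "access")  # left in the default VLAN
PORTS = (PORT1, PORT2, PORT3, PORT4)

if __name__ == "__main__":
    for src, tag in ((PORT3, None), (PORT3, 10), (PORT2, 3), (PORT2, None), (PORT1, 3)):
        label = "untagged" if tag is None else f"tag {tag}"
        print(f"{src.name} receives {label}: {deliver(src, tag, PORTS)}")
    print("port1 isolated from port4:", isolated(PORT1, PORT4, PORTS))
    print("port2 isolated from port4:", isolated(PORT2, PORT4, PORTS))
```

In this layout an untagged frame arriving on the trunk reaches port4 through the default VLAN, which is the kind of path worth checking before treating two ports as separated.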
By selecting one or more VLAN membership options for a General or Trunk port, traffic can be routed between the selected VLAN membership IDs.
Figure 20: Configuring VLAN membership for a port

2.3.2 Multiple VLAN Subnets
Setup > VLAN Settings > Multiple VLAN Subnets
Each configured VLAN ID can map directly to a subnet within the LAN. Each LAN port can be assigned a unique IP address and a VLAN specific DHCP server can be configured to assign IP address leases to devices on this VLAN.
VLAN ID: The PVID of the VLAN that will have all member devices be part of the same subnet range.
IP Address: The IP address associated with a port assigned this VLAN ID.
Subnet Mask: Subnet Mask for the above IP Address.
The following actions are supported from this page:
Edit: The Edit button will link to the Port VLAN Configuration page, allowing you to make changes to the selected port VLAN attributes.
Figure 21: Multiple VLAN Subnets

2.4 Configurable Port: DMZ Setup
This controller supports one of the physical ports (Option Ports) to be configured as a secondary Ethernet port or a dedicated DMZ port. A DMZ is a subnetwork that is open to the public but behind the firewall. The DMZ adds an additional layer of security to the LAN, as specific services/ports that are exposed to the internet on the DMZ do not have to be exposed on the LAN. It is recommended that hosts that must be exposed to the internet (such as web or email servers) be placed in the DMZ network.
Firewall rules can be set to permit access to specific services/ports on the DMZ from both the LAN and Option. In the event of an attack on any of the DMZ nodes, the LAN is not necessarily vulnerable as well.
Setup > DMZ Setup > DMZ Setup Configuration
DMZ configuration is identical to the LAN configuration. There are no restrictions on the IP address or subnet assigned to the DMZ port, other than the fact that it cannot be identical to the IP address given to the LAN interface of this gateway.
Figure 22: DMZ configuration
In order to configure a DMZ port, the controller configurable port must be set to DMZ in the Setup > Internet Settings > Configurable Port page.

2.5 Universal Plug and Play (UPnP)
The following feature is available upon licensed activation of VPN / Firewall features for the system.
Advanced > Advanced Network > UPnP
Universal Plug and Play (UPnP) is a feature that allows the controller to discover devices on the network that can communicate with the controller and allow for auto configuration. If a network device is detected by UPnP, the controller can open internal or external ports for the traffic protocol required by that network device.
Once UPnP is enabled, you can configure the controller to detect UPnP-supporting devices on the LAN (or a configured VLAN). If disabled, the controller will not allow for automatic device configuration.
Configure the following settings to use UPnP:
Advertisement Period: This is the frequency that the controller broadcasts UPnP information over the network. A large value will minimize network traffic but cause delays in identifying new UPnP devices to the network.
Advertisement Time to Live: This is expressed in hops for each UPnP packet. This is the number of steps a packet is allowed to propagate before being discarded. Small values will limit the UPnP broadcast range. A default of 4 is typical for networks with few controllers.
Figure 23: UPnP Configuration
UPnP Port map Table
The UPnP Port map Table has the details of UPnP devices that respond to the controller advertisements. The following information is displayed for each detected device:
Active: A yes/no indicating whether the port of the UPnP device that established a connection is currently active.
Protocol: The network protocol (i.e. HTTP, FTP, etc.) used by the DWC.
Int. Port (Internal Port): The internal ports opened by UPnP (if any).
Ext. Port (External Port): The external ports opened by UPnP (if any).
IP Address: The IP address of the UPnP device detected by this controller.
Click Refresh to refresh the port map table and search for any new UPnP devices.

2.6 Captive Portal
LAN and WLAN users can gain internet access via web portal authentication with the DWC.
Also referred to as Run-Time Authentication, a Captive Portal is ideal for a web café scenario where users initiate HTTP connection requests for web access but are not interested in accessing any LAN services. The LAN and WLAN users can access the captive portal using HTTP. Firewall policies underneath will define which users require authentication for HTTP access, and when a matching user request is made the DWC will intercept the request and prompt for a username/password. The login credentials are compared against the RunTimeAuth users in the user database prior to granting HTTP access.
Captive Portal is available for LAN and WLAN users only and not for DMZ hosts.

2.6.1 Captive Portal Setup
Advanced > Captive Portal > Setup
Captive Portal Policies
The List of Available Captive Portal Policies is shown in this table.
Policy Name: Set the name of the particular policy which is to be configured.
Status: The status of the policy can be Enabled (active) or Disabled (configured but not in use).
In Interface: The source interface of the traffic that is controlled by this Captive Portal: LAN or VLANs.
Out Interface: The destination interface of the traffic that is controlled by this Captive Portal: Option or DMZ.
Figure 24: Captive Portal Setup
The following actions are supported from this page:
Edit: Can edit the added policies.
Enable: Can enable the added policies.
Disable: Can disable the added policies.
Delete: Will delete the policy selected.
Add: Will let you add a new policy.
List of Available Profiles
Any one of these profiles can be used for the Captive Portal Login page while enabling Captive Portal.
Enable: Can enable the added profiles.
Edit: Can edit the added profiles. The default profile can't be edited.
Delete: Will delete the profile selected. You cannot delete the default profile and the current profile being used.
Add: Will let you add a new profile. The maximum allowed number of profiles is 5, excluding the default.
Show Preview: Will show a preview of the page, if a profile is selected.
Configure Captive Portal Policies
This allows you to add a captive portal policy or to edit the configuration of an existing policy.
Policy Name: Set the name of the particular policy which is to be configured.
From Interface: The source interface of the traffic that is controlled by this Captive Portal: LAN or VLANs.
To Interface: The destination interface of the traffic that is controlled by this Captive Portal: Option or DMZ.
Enable: This enables the captive portal policy.
Figure 25: Configuring a captive portal policy
Captive Portal Configuration
The display of the captive portal login page can be altered by modifying the settings available here.
General Details:
Profile Name: Name of the profile that is being added.
Browser Title: It is the browser title.
Page Background Color: Sets the background color of the page.
Custom Color: It allows choosing the custom background color.
Figure 26: Captive Portal Configuration (Part-1)
Figure 27: Captive Portal Configuration (Part-2)
Header Details: It allows the user to configure how the header portion of the page should be displayed.
Background: Sets the background for the header portion.
Add: Will let you add a new image. This image can be set as the header image for this profile.
Header Background Color:
Custom Color: It allows choosing the custom header background color.
Header Caption: Text to be displayed in the header portion.
Caption Font: Font of the header text to be displayed.
Font Size: Font size for the header text to be displayed.
Font Color: Color in which the text is to be displayed.
Login Details:
Login Section Title: Title for the Login Box.
Welcome Message: Message which is displayed when a user visits the page.
Error Message: Error message displayed when the user enters invalid credentials.
Advertisement Details:
Enable Advertisement: This is to enable advertisement in the login page, where the user can configure the custom messages/information that needs to be displayed in the Captive Portal login page.
Ad Place: The location of the advertisement content to be displayed.
Ad Content: The content of the advertisement in the login page.
Font: Font for the information to be displayed.
Font Size: Font size for the information to be displayed.
Font Color: Color in which the information is to be displayed.
Footer Details:
Change Footer Content: It allows the user to configure the footer portion of the page.
Footer Content: It allows the user to add the footer content.
Footer Font Color: Color in which the footer is to be displayed.

2.6.2 Captive Portal Session

Advanced > Captive Portal > Captive Portal Sessions

The Active Runtime internet sessions through the controller firewall are listed in the below table. These users are present in the local or external user database and have had their login credentials approved for internet access. A 'Disconnect' button allows the DWC-1000 admin to selectively drop an authenticated user.

Figure 28: Active Runtime sessions

2.6.3 WLAN CP Interface Association

Advanced > Captive Portal > WLAN CP Interface Association

From the Interface Association page, you can associate a configured captive portal with a specific physical interface or wireless network (SSID). The CP feature only runs on the wired or wireless interfaces that you specify. A CP can have multiple interfaces associated with it, but an interface can be associated to only one CP at a time.

CP Configuration: Lists the captive portals configured on the controller by number and name.
Associated Interfaces: Lists the interfaces that are currently associated with the selected captive portal. Wireless interfaces are identified by the wireless network number and SSID. Physical (wired) interfaces are identified by the Port Description that includes slot number, port number, and interface type.
Interface List: Lists the interfaces available on the controller that are not currently associated with a CP. Wireless interfaces are identified by the wireless network number and SSID. Physical (wired) interfaces are identified by the Port Description that includes slot number, port number, and interface type.

Figure 29: WLAN CP Interface Association

Use the following steps to associate one or more interfaces with a captive portal.
1. Select the desired captive portal from the CP Configuration list.
2. Select the interface or interfaces from the Interface List. To select more than one interface, hold CTRL and click multiple interfaces.
3. Click Add.

Use the following steps to remove an interface from the Associated Interfaces list for a captive portal.
1. Select the desired captive portal from the CP Configuration list.
2. In the Associated Interfaces field, select the interface or interfaces to remove. To select more than one interface, hold CTRL and click multiple interfaces.
3. Click Delete. The interface is removed from the Associated Interface list and appears in the Interface List.

2.7 WLAN global configuration

Setup > WLAN Global Settings

Following are the options available to enable the WLAN function on the DWC-1000.

Enable WLAN Controller: Select this option to enable WLAN controller functionality on the system. Clear the option to administratively disable the WLAN controller. If you clear the option, all peer controller and APs that are associated with this controller are disassociated.
Disabling the WLAN controller does not affect non-WLAN features on the controller, such as VLAN or STP functionality.

WLAN Controller Operational Status: Shows the operational status of the controller. The status can be one of the following values:
• Enabled
• Enable-Pending
• Disabled
• Disable-Pending

Figure 30: WLAN global configuration

IP Address: This field shows the IP address of the WLAN interface on the controller. If the controller does not have the Routing Package installed, or if routing is disabled, the IP address is the network interface. If the routing package is installed and enabled, this is the IP address of the routing or loopback interface you configure for the controller features.

AP MAC Validation Method: Add the MAC address of the AP to the Valid AP database, which can be kept locally on the controller or in an external RADIUS server. When the controller discovers an AP that is not managed by another controller, it looks up the MAC address of the AP in the Valid AP database. If it finds the MAC address in the database, the controller validates the AP and assumes management. Select the database to use for AP validation and, optionally, for authentication if the Require Authentication Passphrase option is selected.
Local: If you select this option, you must add the MAC address of each AP to the local Valid AP database.
RADIUS: If you select this option, you must configure the MAC address of each AP in an external RADIUS server.
Require Authentication Passphrase: Select this option to require APs to be authenticated before they can associate with the controller. If you select this option, you must configure the passphrase on the AP while it is in standalone mode as well as in the Valid AP database.

RADIUS Authentication Server Name: Enter the name of the RADIUS server used for AP and client authentications. The name can contain up to 32 alphanumeric characters. Spaces, underscores, and dashes are also permitted. The controller acts as the RADIUS client and performs all RADIUS transactions on behalf of the APs and wireless clients.

RADIUS Authentication Server Configured: Indicates whether the RADIUS authentication server is configured.

RADIUS Accounting Server Name: Enter the name of the RADIUS server used for reporting wireless client associations and disassociations. The name can contain up to 32 alphanumeric characters. Spaces, underscores, and dashes are also permitted.

RADIUS Accounting Server Configured: Indicates whether the RADIUS accounting server is configured.

RADIUS Accounting: Select to enable RADIUS accounting for wireless clients.

Country Code: Select the country code that represents the country where your controller and APs operate. When you click Submit, a pop-up message asks you to confirm the change. Wireless regulations vary from country to country. Make sure you select the correct country code so that your WLAN system complies with the regulations in your country.
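The AP MAC Validation Method and Require Authentication Passphrase settings described above amount to an admission decision for each discovered AP. The following Python sketch is an added example, not code from the DWC-1000 or from D-Link: the database contents, function names and failure-reason strings are constructed for illustration, and the passphrase check is modeled as a direct comparison because the manual does not describe the exchange the AP and controller actually use.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for the local Valid AP database.
# The passphrase is consulted only when "Require Authentication Passphrase" is on.
VALID_AP_DB = {
    "00:1a:2b:3c:4d:5e": {"location": "lobby", "passphrase": "example-passphrase-1"},
    "00:1a:2b:3c:4d:5f": {"location": "lab", "passphrase": "example-passphrase-2"},
}


@dataclass
class Decision:
    managed: bool   # True when the controller would assume management of the AP
    reason: str     # illustrative text, e.g. what an AP failure list entry might say


def normalize_mac(mac: str) -> Optional[str]:
    """Return the MAC as lower-case colon-separated hex, or None if malformed."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def validate_ap(mac: str,
                presented_passphrase: Optional[str],
                require_passphrase: bool,
                managed_elsewhere: bool = False,
                db: dict = VALID_AP_DB) -> Decision:
    """Model the controller's decision for one discovered AP."""
    # The lookup only happens for APs not managed by another controller.
    if managed_elsewhere:
        return Decision(False, "already managed by another controller")

    key = normalize_mac(mac)
    if key is None:
        return Decision(False, "malformed MAC address")

    entry = db.get(key)
    if entry is None:
        return Decision(False, "MAC not in Valid AP database")

    if require_passphrase:
        expected = entry.get("passphrase") or ""
        supplied = presented_passphrase or ""
        # An entry with no passphrase can never authenticate; compare in
        # constant time so the check does not leak how many characters matched.
        if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
            return Decision(False, "passphrase authentication failed")

    return Decision(True, "validated")


if __name__ == "__main__":
    cases = [
        ("00-1A-2B-3C-4D-5E", None, False),                    # listed MAC, MAC-only validation
        ("00:1a:2b:3c:4d:5e", "example-passphrase-1", True),   # listed MAC, correct passphrase
        ("00:1a:2b:3c:4d:5e", "wrong", True),                  # listed MAC, wrong passphrase
        ("de:ad:be:ef:00:01", None, False),                    # MAC not in the database
    ]
    for mac, phrase, required in cases:
        print(mac, required, validate_ap(mac, phrase, required))
```

With Require Authentication Passphrase off, the MAC lookup is the only check, so the third case would be admitted on its MAC address alone.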
2.8 Wireless Discovery configuration

The wireless controller can discover, validate, authenticate, or monitor the following system devices:
• Peer wireless controllers
• APs
• Wireless clients
• Rogue APs
• Rogue wireless clients

Setup > AP Management > Poll List

The wireless controller can discover peer wireless controller and APs regardless of whether these devices are connected to each other, located in the same Layer 2 broadcast domain, or attached to different IP subnets. In order for the controller to discover other WLAN devices and establish communication with them, the devices must have their own IP address, must be able to find other WLAN devices, and must be compatible. When the controller discovers and validates APs, the controller takes over the management of the AP. If you configure the AP in Standalone mode, the existing AP configuration is replaced by the default AP Profile configuration on the controller.

L3 / IP Discovery: Select or clear this option to enable or disable IP-based discovery of access points and peer wireless controller. When the L3/IP Discovery option is selected, IP polling is enabled and the controller will periodically poll each address in the configured IP List. By default, L3/IP Discovery is enabled.

List of IP Address: Shows the list of IP addresses configured for discovery. To remove entries from the list, select one or more entries and click Delete. Hold the "shift" key or "control" key to select specific entries.
IP Address Range: This text field is used to add a range of IP address entries to the IP List. Enter the IP address at the start of the address range in the From field, and enter the IP address at the end of the range in the To field, then click Add. All IP addresses in the range are added to the IP List. Only the last octet is allowed to differ between the From address and the To address.

Figure 31: Configuring the Wireless Discovery

L2 / VLAN Discovery: The D-Link Wireless Device Discovery Protocol is a good discovery method to use if the controller and APs are located in the same Layer 2 multicast domain. The wireless controller periodically sends a multicast packet containing the discovery message on each VLAN enabled for discovery.

The following actions are supported from this page:
Add: Adds the data in the IP Address or VLAN field to the appropriate list.
Delete: Deletes the selected entry from the IP or VLAN list.

2.8.1 Wireless Discovery Status

Status > Global Info > IP Discovery

The IP Discovery list can contain the IP addresses of peer controller and APs for the DWC-1000 to discover and associate with as part of the WLAN.

IP Address: Shows the IP address of the device configured in the IP Discovery list.
Status: The wireless discovery status is in one of the following states:
Not Polled: The controller has not attempted to contact the IP address in the L3/IP Discovery list.
Polled: The controller has attempted to contact the IP address.
Discovered: The controller contacted the peer controller or the AP in the L3/IP Discovery list and has authenticated or validated the device.
Discovered - Failed: The controller contacted the peer controller or the AP with IP address in the L3/IP Discovery list and was unable to authenticate or validate the device. If the device is an access point, an entry appears in the AP failure list with a failure reason.

Figure 32: Wireless Discovery status

The following actions are supported from this page:
Refresh: Updates the page with the latest information.

2.8.2 AP Profile Global Configuration

Advanced > AP Profile

From the Access Point Profile Summary page, you can Add, Copy, Edit, or Delete AP profiles. To add a new profile, click Add in the AP Profile Summary page. In the AP Profile Global Configuration page, enter the name of the profile in the Profile Name field, select the Hardware type, enter the valid VLAN ID, and then click Submit.

Figure 33: AP Profile Global Configuration

Profile Name: The Access Point profile name you added. Use 0 to 32 characters. Only alphanumeric characters are allowed. No special characters are allowed.

Hardware Type: Select the hardware type for the APs that use this profile. The hardware type is determined, in part, by the number of radios the AP supports (single or dual) and the IEEE 802.11 modes that the radio supports (a/b/g or a/b/g/n).
The options available in the Hardware Type ID are:
• DWL-8600AP Dual Radio a/b/g/n
• DWL-3600AP Single Radio b/g/n
• DWL-6600AP Dual Radio a/b/g/n

Wired Network Discovery VLAN ID: Enter the VLAN ID that the controller uses to send tracer packets in order to detect APs connected to the wired network.

AP Profile

Advanced > AP Profile

Access point configuration profiles are a useful feature for large wireless networks with APs that serve a variety of different users. You can create multiple AP profiles on the Controller to customize APs based on location, function, or other criteria. Profiles are like templates, and once you create an AP profile, you can apply that profile to any AP.

Figure 34: AP Profile List

For each AP profile, you can configure the following features:
• Profile settings (Name, Hardware Type ID, Wired Network Discovery VLAN ID)
• Radio settings
• SSID settings
• QoS settings

Profile: The Access Point profile name you added. Use 0 to 32 characters.
Profile Status: Can have one of the following values:
• Associated: The profile is configured, and one or more APs managed by the controller are associated with this profile.
• Associated-Modified: The profile has been modified since it was applied to one or more associated APs; the profile must be reapplied for the changes to take effect.
• Apply Requested: After you select a profile and click Apply, the screen refreshes and shows that an apply has been requested.
• Apply In Progress: The profile is being applied to all APs that use this profile.
During this process the APs reset, and all wireless clients are disassociated from the AP.
• Configured: The profile is configured, but no APs managed by the controller currently use this profile. Associate a profile with an AP. Entry of the AP is valid and available in the database of the controller.

The following actions are supported from this page:
Edit: To edit the existing AP profile.
Delete: To delete the existing AP profile.
Add: Add a new AP profile.
Copy: Copy the existing AP profile.
Apply: Update the AP profile configuration details entered.
Configure Radio: Allows configuration of the AP profile Radio configuration.
Configure SSID: Allows configuration of the AP profile VAP configuration.
Configure QoS: Allows configuration of the AP profile QoS configuration.

Radio Configuration

Radio Mode: From this field, you can select the radio that you want to configure. By default, Radio 1 operates in IEEE 802.11a/n mode, and Radio 2 operates in IEEE 802.11b/g/n mode. If you change the mode, the labels for the radios change accordingly. Changes to the settings apply only to the selected radio. The DWL-3600AP is a single-radio AP. Any settings you configure for Radio 1 (802.11a/n) are not applied to the DWL-3600AP. If the selected Hardware Type ID for the AP profile is DWL-3600AP, the radio selectors are not available.

State: Specify whether you want the radio on or off by clicking On or Off.
If you turn off a radio, the AP sends disassociation frames to all the wireless clients it is currently supporting so that the radio can be gracefully shut down and the clients can start the association process with other available APs.

RTS Threshold: Specify a Request to Send (RTS) Threshold value between 0 and 2347. The RTS threshold indicates the number of octets in an MPDU, below which an RTS/CTS handshake is not performed. Changing the RTS threshold can help control traffic flow through the AP, especially one with a lot of clients. If you specify a low threshold value, RTS packets will be sent more frequently. This will consume more bandwidth and reduce the throughput of the packet. On the other hand, sending more RTS packets can help the network recover from interference or collisions which might occur on a busy network, or on a network experiencing electromagnetic interference.

Load Balancing: If you enable load balancing, you can control the amount of traffic that is allowed on each of the active APs.

Load Utilization: This field allows you to set a threshold for the percentage of network bandwidth utilization allowed on the radio. Once the level you specify is reached, the AP stops accepting new client associations. Enter a percentage of utilization from 1 to 100.

Maximum Clients: Specify the maximum number of stations allowed to associate with this access point at any one time. You can enter a value between 0 and 200.
RF Scan Other Channels: The access point can perform RF scans to collect information about other wireless devices within range and then report this information to the DWC-1000 wireless controller. If you select the Scan Other Channels option, the radio periodically moves away from the operational channel to scan other channels. Enabling this mode causes the radio to interrupt user traffic, which may be noticeable with voice connections. When the Scan Other Channels option is cleared, the AP scans only the operating channel.

RF Scan Sentry: Select this option to allow the radio to operate in sentry mode. When the RF Scan Sentry option is selected, the radio primarily performs dedicated RF scanning. The radio passively listens for beacons and traffic exchange between clients and other access points but does not accept connections from wireless clients. In sentry mode, all VAPs are disabled. Networks that deploy sentry APs or radios can detect devices on the network quicker and perform more thorough security analysis. In this mode, the radio switches from one channel to the next. The length of time spent on each channel is controlled by the scan duration. The default scan duration is 10 milliseconds.

Mode: The Mode defines the Physical Layer (PHY) standard the radio uses. Select one of the following modes for each radio interface.

Radio 1 supports:
• IEEE 802.11a is a PHY standard that specifies operating in the 5 GHz U-NII band using orthogonal frequency division multiplexing (OFDM).
It supports data rates ranging from 6 to 54 Mbps.
• IEEE 802.11a/n operates in the 5 GHz ISM band and includes support for both 802.11a and 802.11n devices. IEEE 802.11n is an extension of the 802.11 standard that includes multiple-input multiple-output (MIMO) technology. IEEE 802.11n supports data rates of up to 248 Mbps and nearly twice the indoor range of 802.11b, 802.11g, and 802.11a.
• 5 GHz IEEE 802.11n is the recommended mode for networks with 802.11n devices that operate in the 5 GHz frequency that do not need to support 802.11a or 802.11b/g devices. IEEE 802.11n can achieve a higher throughput when it does not need to be compatible with legacy devices (802.11b/g or 802.11a).

Radio 2 supports:
• IEEE 802.11b/g operates in the 2.4 GHz ISM band. IEEE 802.11b is an enhancement of the initial 802.11 PHY to include 5.5 Mbps and 11 Mbps data rates. It uses direct sequence spread spectrum (DSSS) or frequency hopping spread spectrum (FHSS) as well as complementary code keying (CCK) to provide the higher data rates. It supports data rates ranging from 1 to 11 Mbps. IEEE 802.11g is a higher speed extension (up to 54 Mbps) to the 802.11b PHY. It uses orthogonal frequency division multiplexing (OFDM). It supports data rates ranging from 1 to 54 Mbps.
• IEEE 802.11b/g/n operates in the 2.4 GHz ISM band and includes support for 802.11b, 802.11g, and 802.11n devices.
• 2.4 GHz IEEE 802.11n is the recommended mode for networks with 802.11n devices that operate in the 2.4 GHz frequency that do not need to support 802.11a or 802.11b/g devices.
IEEE 802.11n can achieve a higher throughput when it does not need to be compatible with legacy devices (802.11b/g or 802.11a).

DTIM Period: The Delivery Traffic Information Map (DTIM) message is an element included in some Beacon frames. It indicates which client stations, currently sleeping in low power mode, have data buffered on the access point awaiting pick-up. The DTIM period you specify indicates how often the clients served by this access point should check for buffered data still on the AP awaiting pickup. Specify a DTIM period within the given range (1-255). The measurement is in beacons. For example, if you set this field to 1, clients will check for buffered data on the AP at every beacon. If you set this field to 10, clients will check on every 10th beacon.

Beacon Interval: Beacon frames are transmitted by an access point at regular intervals to announce the existence of the wireless network. The default behavior is to send a beacon frame once every 100 milliseconds (or 10 per second). The Beacon Interval value is set in milliseconds. Enter a value from 20 to 2000.

Automatic Channel: The channel defines the portion of the radio spectrum that the radio uses for transmitting and receiving. The range of channels and the default channel are determined by the Mode of the radio interface. When the AP boots, each AP radio scans the RF area for occupied channels and selects a channel from the available non-interfering or clear channels. However, channel conditions can change during operation.
Enabling the Automatic Channel makes the radio of APs assigned to this profile eligible for auto-channel selection. You can automatically or manually run the auto channel selection algorithm to allow the DWC-1000 controller to adjust the channel on APs as WLAN conditions change.

Automatic Power: The power level affects how far an AP broadcasts its RF signal. If the power level is too low, wireless clients will not detect the signal or experience poor WLAN performance. If the power level is too high, the RF signal might interfere with other APs within range. Automatic power uses a proprietary algorithm to automatically adjust the RF signal to broadcast far enough to reach wireless clients, but not so far that it interferes with RF signals broadcast by other APs. The power level algorithm increases or decreases the power level in 10% increments based on presence or absence of packet retransmission errors.

Initial Power: The automatic power algorithm will not reduce the power below the number you set in the initial power field. By default, the power level is 100%. Therefore, even if you enable the automatic power, the power of the RF signal will not decrease. The power level is a percentage of the maximum transmission power for the RF signal.

APSD Mode: Select Enable to enable Automatic Power Save Delivery (APSD), which is a power management method. APSD is recommended if VoIP phones access the network through the AP.

RF Scan Interval: This field controls the length of time between channel changes during the RF Scan.
Long Retries: The value in this field indicates the maximum number of transmission attempts on frame sizes greater than the RTS Threshold. The range is 1-255.

Rate Limiting: Enabling multicast and broadcast rate limiting can improve overall network performance by limiting the number of packets transmitted across the network. This feature is disabled by default.
Note: The available rate limit values are very low for most environments, so enabling this feature is not recommended except for advanced users.
• To enable Multicast and Broadcast Rate Limiting, click Enabled.
• To disable Multicast and Broadcast Rate Limiting, click Disabled.

Figure 35: AP Profile - Radio configuration (Part-1)

Transmit Lifetime: Shows the number of milliseconds to wait before terminating attempts to transmit the MSDU after the initial transmission.

Rate Limit: Enter the rate limit you want to set for multicast and broadcast traffic. The limit should be greater than 1, but less than 50 packets per second. Any traffic that falls below this rate limit will always conform to and be transmitted to the appropriate destination. The default and maximum rate limit setting is 50 packets per second. This field is disabled if Rate Limiting is disabled.

Receive Lifetime: Shows the number of milliseconds to wait before terminating attempts to reassemble the MMPDU or MSDU after the initial reception of a fragmented MMPDU or MSDU.
Rate Limit Burst: Setting a rate limit burst determines how much traffic bursts can be before all traffic exceeds the rate limit. This burst limit allows intermittent bursts of traffic on a network above the set rate limit. The default and maximum rate limit burst setting is 75 packets per second. This field is disabled if Rate Limiting is disabled.

Station Isolation: When this option is selected, the AP blocks communication between wireless clients. It still allows data traffic between its wireless clients and wired devices on the network, but not among wireless clients. This feature is disabled by default.
• To enable Multicast and Broadcast Rate Limiting, click Enabled.
• To disable Multicast and Broadcast Rate Limiting, click Disabled.

Channel Bandwidth: The 802.11n specification allows the use of a 40-MHz-wide channel in addition to the legacy 20-MHz channel available with other modes. The 40-MHz channel enables higher data rates but leaves fewer channels available for use by other 2.4 GHz and 5 GHz devices. The 40-MHz option is enabled by default for 802.11a/n modes and 20 MHz for 802.11b/g/n modes. You can use this setting to restrict the use of the channel bandwidth to a 20-MHz channel.

Primary Channel: This setting is editable only when a channel is selected and the channel bandwidth is set to 40 MHz. A 40-MHz channel can be considered to consist of two 20-MHz channels that are contiguous in the frequency domain. These two 20-MHz channels are often referred to as the Primary and Secondary channels.
The Primary Channel is used for 802.11n clients that support only a 20-MHz channel bandwidth and for legacy clients. Use this setting to set the Primary Channel as the upper or lower 20-MHz channel in the 40-MHz band.

Figure 36: AP Profile - Radio configuration (Part-2)

Protection: The protection feature contains rules to guarantee that 802.11 transmissions do not cause interference with legacy stations or applications. By default, these protection mechanisms are enabled (Auto). With protection enabled, protection mechanisms will be invoked if legacy devices are within range of the AP. You can disable (Off) these protection mechanisms; however, when 802.11n protection is off, legacy clients or APs within range can be affected by 802.11n transmissions. 802.11 protection is also available when the mode is 802.11b/g. When protection is enabled in this mode, it protects 802.11b clients and APs from 802.11g transmissions.

Short Guard Interval: The guard interval is the dead time, in nanoseconds, between OFDM symbols. The guard interval prevents Inter-Symbol and Inter-Carrier Interference (ISI, ICI). The 802.11n mode allows for a reduction in this guard interval from the a and g definition of 800 nanoseconds to 400 nanoseconds. Reducing the guard interval can yield a 10% improvement in data throughput. Select one of the following options:
• Enable: The AP transmits data using a 400 ns guard interval when communicating with clients that also support the 400 ns guard interval.
• Disable: The AP transmits data using an 800 ns guard interval.

Space Time Block Code: Space Time Block Coding (STBC) is an 802.11n technique intended to improve the reliability of data transmissions. The data stream is transmitted on multiple antennas so the receiving system has a better chance of detecting at least one of the data streams. Select one of the following options:
• Enable: The AP transmits the same data stream on multiple antennas at the same time.
• Disable: The AP does not transmit the same data on multiple antennas.

Radio Resource Management: Radio Resource Measurement (RRM) mode requires the Wireless System to send additional information in beacons, probe responses, and association responses. Enable or disable the support for the radio resource measurement feature in the AP profile. The feature is set independently for each radio and is enabled by default.

No ACK: Select Enable to specify that the AP should not acknowledge frames with QoS No Ack as the service class value.

Multicast Tx Rate (Mbps): Select the 802.11 rate at which the radio transmits multicast frames. The rate is in Mbps. The lowest rate in the 5 GHz band is 6 Mbps.

SSID Configuration

The SSID Configuration page displays the virtual access point (VAP) settings associated with the selected AP profile. Each VAP is identified by its network number and Service Set Identifier (SSID).

Figure 37: AP Profile - SSID configuration

Radio Mode: From this field, you can select the radio that you want to configure.
By default, Radio 1 operates in IEEE 802.11a/n mode, and Radio 2 operates in IEEE 802.11b/g/n mode. If you change the mode, the labels for the radios change accordingly. Changes to the settings apply only to the selected radio. The DWL-3600AP is a single-radio AP. Any settings you configure for Radio 1 (802.11a/n) are not applied to the DWL-3600AP. If the selected Hardware Type ID for the AP profile is DWL-3600AP, the radio selectors are not available.

Network: Use the option to the left of the network to enable or disable the corresponding VAP on the selected radio. When enabled, use the menu to select a network to assign to the VAP. You can configure up to 64 separate networks on the controller and apply them across multiple radio and VAP interfaces. By default, 16 networks are pre-configured and applied in order to the VAPs on each radio. Enabling a VAP on one radio does not automatically enable it on the other radio.

VLAN: Shows the VLAN ID of the VAP. To change this setting, click Edit.

L3 Tunnel: Shows whether L3 Tunneling is enabled on the network.
Note: When L3 tunneling is enabled, the VLAN ID configured above is not used. In fact, the controller puts the management VLAN ID, if any, on the tunneled packets destined to the AP.

Hide SSID: Shows whether the VAP broadcasts the SSID. If enabled, the SSID for this network is not included in AP beacons. To change this setting, click Edit.

Security: Shows the current security settings for the VAP. To change this setting, click Edit.
Redirect: Shows whether HTTP redirect is enabled. The possible values for the field are as follows:
• HTTP: HTTP Redirect is enabled
• None: HTTP Redirect is disabled

Edit: Click Edit to modify settings for the corresponding network. When you click Edit, the Wireless Network Configuration page appears.

QoS Configuration

Quality of Service (QoS) provides you with the ability to specify parameters on multiple queues for increased throughput and better performance of differentiated wireless traffic, different types of audio, video, and streaming media as well as traditional IP data over the DWC-1000.

Figure 38: AP Profile - QoS configuration (Part-1)

Configuring Quality of Service (QoS) on the DWC-1000 consists of setting parameters on existing queues for different types of wireless traffic, and effectively specifying minimum and maximum wait times (through Contention Windows) for transmission. The settings described here apply to data transmission behavior on the access point only, not to that of the client stations.

AP Enhanced Distributed Channel Access (EDCA) Parameters affect traffic flowing from the access point to the client station.

Station Enhanced Distributed Channel Access (EDCA) Parameters affect traffic flowing from the client station to the access point.

You can specify custom QoS settings, or you can select a template that configures the AP profile with pre-defined settings that are optimized for data traffic or voice traffic.
Radio Mode: From this field, you can select the radio for which you want to configure QoS settings. Settings for each radio are configured separately. By default, Radio 1 operates in IEEE 802.11a/n mode, and Radio 2 operates in IEEE 802.11b/g/n mode. If you change the mode, the labels for the radios change accordingly. Changes to the settings apply only to the selected radio. The DWL-3600AP is a single-radio AP. Any settings you configure for Radio 1 (802.11a/n) are not applied to the DWL-3600AP. If the selected Hardware Type ID for the AP profile is DWL-3600AP, the radio selectors are not available.

Template: Select the QoS template to apply to the AP profile. If you select Custom, you can change the AP and station parameters. If you select Voice or Factory Defaults, the controller will use the pre-defined settings for the template you select.

AP EDCA Parameters:

Queue: Queues are defined for different types of data transmitted from AP-to-station:
Data 0 (Voice): High priority queue, minimum delay. Time-sensitive data such as VoIP and streaming media are automatically sent to this queue.
Data 1 (Video): High priority queue, minimum delay. Time-sensitive video data is automatically sent to this queue.
Data 2 (best effort): Medium priority queue, medium throughput and delay. Most traditional IP data is sent to this queue.
Data 3 (Background): Lowest priority queue, high throughput. Bulk data that requires maximum throughput and is not time-sensitive is sent to this queue (FTP data, for example).
AIFS (Inter-Frame Space): The Arbitration Inter-Frame Spacing (AIFS) specifies a wait time for data frames. The wait time is measured in slots. Valid values for AIFS are 1 through 255.

cwMin (Minimum Contention Window): This parameter is input to the algorithm that determines the initial random backoff wait time (window) for retry of a transmission. The value specified here in the Minimum Contention Window is the upper limit (in milliseconds) of a range from which the initial random backoff wait time is determined. The first random number generated will be a number between 0 and the number specified here. If the first random backoff wait time expires before the data frame is sent, a retry counter is incremented and the random backoff value (window) is doubled. Doubling will continue until the size of the random backoff value reaches the number defined in the Maximum Contention Window. Valid values for the cwmin are 1, 3, 7, 15, 31, 63, 127, 255, 511, or 1024. The value for cwmin must be lower than the value for cwmax.

cwMax (Maximum Contention Window): The value specified here in the Maximum Contention Window is the upper limit (in milliseconds) for the doubling of the random backoff value. This doubling continues until either the data frame is sent or the Maximum Contention Window size is reached. Once the Maximum Contention Window size is reached, retries will continue until a maximum number of retries allowed is reached. Valid values for the cwmax are 1, 3, 7, 15, 31, 63, 127, 255, 511, or 1024. The value for cwmax must be higher than the value for cwmin.
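The contention-window behaviour described for cwMin and cwMax above, as an added Python example that is not part of the manual or of the controller's firmware: it validates one queue's settings against the ranges the manual lists and computes the window used on each retry. It assumes that doubling the window turns a limit of CW into 2×CW+1, which reproduces the 1, 3, 7, 15 … series in the manual's list; the function names and the sample queue values are constructed for illustration.

```python
import random

# Valid contention-window values, copied verbatim from the manual's list.
VALID_CW = (1, 3, 7, 15, 31, 63, 127, 255, 511, 1024)
AIFS_MIN, AIFS_MAX = 1, 255  # AIFS range given in the manual (in slots)


def validate_edca(aifs, cwmin, cwmax):
    """Return a list of problems with one queue's settings (empty = accepted)."""
    problems = []
    if not AIFS_MIN <= aifs <= AIFS_MAX:
        problems.append(f"AIFS {aifs} outside {AIFS_MIN}..{AIFS_MAX}")
    if cwmin not in VALID_CW:
        problems.append(f"cwMin {cwmin} is not a listed value")
    if cwmax not in VALID_CW:
        problems.append(f"cwMax {cwmax} is not a listed value")
    if cwmin >= cwmax:
        problems.append(f"cwMin {cwmin} must be lower than cwMax {cwmax}")
    return problems


def window_schedule(cwmin, cwmax, retries):
    """Upper limit of the backoff range for the first attempt and each retry.

    Assumption: the window covers the values 0..CW, so doubling its size
    turns CW into 2*CW + 1; the result is capped at cwMax.
    """
    windows = [cwmin]
    for _ in range(retries):
        windows.append(min(2 * windows[-1] + 1, cwmax))
    return windows


def backoff_draws(cwmin, cwmax, retries, rng):
    """One random backoff per attempt, each drawn from 0..window inclusive."""
    return [rng.randint(0, w) for w in window_schedule(cwmin, cwmax, retries)]


# Constructed sample settings for two queues (not the product's defaults).
SAMPLE_QUEUES = {
    "Data 0 (Voice)": {"aifs": 1, "cwmin": 3, "cwmax": 7},
    "Data 3 (Background)": {"aifs": 7, "cwmin": 15, "cwmax": 1024},
}

if __name__ == "__main__":
    rng = random.Random(1)  # fixed seed so the run is repeatable
    for name, q in SAMPLE_QUEUES.items():
        issues = validate_edca(q["aifs"], q["cwmin"], q["cwmax"])
        print(name, "problems:", issues or "none")
        print("  windows:", window_schedule(q["cwmin"], q["cwmax"], 7))
        print("  draws:  ", backoff_draws(q["cwmin"], q["cwmax"], 7, rng))
```

With the voice sample the window reaches its cap after one retry, so that queue keeps contending with short waits, while the background sample reaches its cap only on the seventh retry.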
Max. Burst Length: AP EDCA Parameter Only (The Max. Burst Length applies only to traffic flowing from the access point to the client station.) This value specifies (in milliseconds) the Maximum Burst Length allowed for packet bursts on the wireless network. A packet burst is a collection of multiple frames transmitted without header information. The decreased overhead results in higher throughput and better performance. Valid values for maximum burst length are 0.0 through 999

WMM Mode: Wi-Fi MultiMedia (WMM) is enabled by default. With WMM enabled, QoS prioritization and coordination of wireless medium access is on. With WMM enabled, QoS settings on the DWC-1000 wireless controller control downstream traffic flowing from the access point to client station (AP EDCA parameters) and the upstream traffic flowing from the station to the access point (station EDCA parameters). Disabling WMM deactivates QoS control of station EDCA parameters on upstream traffic flowing from the station to the access point. With WMM disabled, you can still set some parameters on the downstream traffic flowing from the access point to the client station (AP EDCA parameters). To disable WMM extensions, click Disabled. To enable WMM extensions, click Enabled.

Station EDCA Parameters

Queue: Queues are defined for different types of data transmitted from station-to-AP:
Data 0 (Voice): High priority queue, minimum delay. Time-sensitive data such as VoIP and streaming media are automatically sent to this queue.
Data 1 (Video): High priority queue, minimum delay. Time-sensitive video data is automatically sent to this queue.
Data 2 (best effort): Medium priority queue, medium throughput and delay. Most traditional IP data is sent to this queue.
Data 3 (Background): Lowest priority queue, high throughput. Bulk data that requires maximum throughput and is not time-sensitive is sent to this queue (FTP data, for example).

AIFS (Inter-Frame Space): The Arbitration Inter-Frame Spacing (AIFS) specifies a wait time for data frames. The wait time is measured in slots. Valid values for AIFS are 1 through 255.

cwMin (Minimum Contention Window): This parameter is used by the algorithm that determines the initial random backoff wait time (window) for data transmission during a period of contention for The value specified in the Minimum Contention Window is the upper limit (in milliseconds) of a range from which the initial random backoff wait time is determined. The first random number generated will be a number between 0 and the number specified here. If the first random backoff wait time expires before the data frame is sent, a retry counter is incremented and the random backoff value (window) is doubled. Doubling will continue until the size of the random backoff value reaches the number defined in the Maximum Contention Window.

cwMax (Maximum Contention Window): The value specified in the Maximum Contention Window is the upper limit (in milliseconds) for the doubling of the random backoff value.
This doubling continues until either the data frame is sent or the Maximum Contention Window size is reached. Once the Maximum Contention Window size is reached, retries will continue until a maximum number of retries allowed is reached.

TXOP Limit: Station EDCA Parameter Only (The TXOP Limit applies only to traffic flowing from the client station to the access point.) The Transmission Opportunity (TXOP) is an interval of time when a WME client station has the right to initiate transmissions onto the wireless medium (WM). This value specifies (in milliseconds) the Transmission Opportunity (TXOP) for client stations; that is, the interval of time when a WMM client station has the right to initiate transmissions on the wireless network.

Figure 39: AP Profile - QoS configuration (Part-2)

Chapter 3. Configuring Wireless LAN

3.1 WLAN Setup Wizard
Setup > Wizard > WLAN Setup Wizard

The WLAN Setup Wizard is available for users to configure the basic wireless controller settings such as radio, SSID and Access Point.

Figure 40: WLAN Setup Wizard

You can start using the Wizard by logging in with the administrator password for the controller. Once authenticated, set the Country Code that you are located in, and then configure the Radio Configuration, VAP configuration and Access Point. The last step in the Wizard is to click the Connect button.

Chapter 4. Monitoring Status and Statistics

4.1 System Overview

The Status page allows you to get a detailed overview of the system configuration.
The settings for the wired and wireless interfaces are displayed in the DWC-1000 Status page, and then the resulting hardware resource and controller usage details are summarized on the controller Dashboard.

4.1.1 Dashboard
Status > Dashboard > General

The DWC-1000 dashboard page gives a summary of the CPU and Memory utilization.

Figure 41: Dashboard

CPU Utilization
This section displays the router's processor statistics.
CPU usage by user: Percent of the CPU utilization being consumed currently by all user space processes, such as SSL VPN or management operations.
CPU usage by kernel: Percent of the CPU utilization being consumed currently by kernel space processes, such as firewall operations.
CPU idle: Percent of CPU cycles that are currently not in use.
CPU waiting for IO: Percent of CPU cycles that are allocated to input/output devices.

Memory Utilization
This section displays the memory status of the system.
Total Memory: Indicates total available volatile physical memory.
Used Memory: Indicates memory used by all processes in system.
Free Memory: Indicates available free memory in system.
Cached Memory: Indicates cached memory in system.
Buffer Memory: Indicates buffered memory in system.

4.1.2 Device Status
Status > Device Info > Device Status

The DWC-1000 Status page gives a summary of the controller configuration settings configured in the Setup and Advanced menus. The static hardware serial number and current firmware version are presented in the General section.
The Option and LAN interface information shown on this page are based on the administrator configuration parameters. The radio band and channel settings are presented below along with all configured and active APs that are enabled on this controller.

Figure 42: Device Status display

Figure 43: Device Status display (continued)

4.1.3 Wireless LAN AP information
Status > Device Info > Wireless LAN AP Information

The Managed AP status pages allow you to access configuration and association information about managed APs and their neighbors.

View AP Details: Shows detailed status information collected from the AP.
View Radio Details: Shows detailed status for a radio interface. Use the radio button to navigate between the two radio interfaces.
View Neighbor APs: Shows the neighbor APs that the specified AP has discovered through periodic RF scans on the selected radio interface.
View Neighbor Clients: Shows information about wireless clients associated with an AP or detected by the AP radio.
View VAP Details: Shows summary information about the virtual access points (VAPs) for the selected AP and radio interface on the APs that the controller manages.
View Distributed Tunneling Details: Shows information about the L2 tunnels currently in use on the AP.

Figure 44: Wireless LAN AP information

MAC Address: The Ethernet address of the controller managed AP. If the MAC address of the AP is followed by an asterisk (*), it is managed by a peer controller.
IP Address: The network IP address of the managed AP.
Age: Time since last communication between the controller and the AP.
Status: The current managed state of the AP. The possible values are:
Discovered: The AP is discovered by the controller, but is not yet authenticated.
Authenticated: The AP has been validated and authenticated (if authentication is enabled), but it is not configured.
Managed: The AP profile configuration has been applied to the AP and it's operating in managed mode.
Failed: The controller lost contact with the AP; a failed entry will remain in the managed AP database unless you remove it. Note that a managed AP will temporarily show a failed status during a reset.
Note: When management connectivity is lost for a managed AP, then both radios of the AP are turned down. All the clients associated with the AP get disassociated. The radios become operational if and when that AP is managed again by a controller.
Profile: The AP profile configuration currently applied to the managed AP. The profile is assigned to the AP in the valid AP database.
Radio Interface: Shows the wireless radio mode that each radio on the AP is using.

4.1.4 Cluster information
Status > Device Info > Cluster Information

The Peer Controller Status page provides information about other wireless controllers in the network. Peer wireless controllers within the same cluster exchange data about themselves, their managed APs, and clients.
The controller maintains a database with this data so you can view information about a peer, such as its IP address and software version. If the controller loses contact with a peer, all of the data for that peer is deleted. One of the controllers in a cluster is elected as a Cluster Controller. The Cluster Controller collects status and statistics from all the other controllers in the cluster, including information about the APs that peer controllers manage and the clients associated to those APs.

Figure 45: Cluster information

Cluster Controller IP Address: IP address of the controller that controls the cluster.
Peer Controllers: Displays the number of peer controllers in the cluster.
IP Address: IP address of the peer wireless controller in the cluster.
Vendor ID: Vendor ID of the peer controller software.
Software Version: The software version for the given peer controllers.
Protocol Version: Indicates the protocol version supported by the software on the peer controllers.
Discovery Reason: The discovery method of the given peer controller, which can be through an L2 Poll or IP Poll.
Managed AP Count: Shows the number of APs that the controller currently manages.
Age: Time since last communication with the controller in Hours, Minutes, and Seconds.

4.1.5 Resource Utilization
Status > Dashboard > Interface

The Dashboard page presents hardware and usage statistics.
The CPU and Memory utilization is a function of the available hardware and current configuration and traffic through the controller. Interface statistics for the wired connections (LAN, Option 1, Option 2/DMZ, VLANs) provide indication of packets through and packets dropped by the interface. Click refresh to have this page retrieve the most current statistics.

Figure 46: Resource Utilization statistics

Figure 47: Resource Utilization data (continued)

4.2 Traffic Statistics

4.2.1 Wired Port Statistics
Status > Traffic Monitor > Device Statistics

Detailed transmit and receive statistics for each physical port are presented here. Each interface (Option 1, Option 2/DMZ, LAN, and VLANs) has port-specific packet-level information provided for review. Transmitted/received packets, port collisions, and the cumulative bytes/sec for transmit/receive directions are provided for each interface along with the port up time. If you suspect issues with any of the wired ports, this table will help diagnose uptime or transmit level issues with the port.

The statistics table has an auto-refresh control which allows display of the most current port level data at each page refresh. The default auto-refresh for this page is 10 seconds.
Figure 48: Physical port statistics

4.3 Managed AP and Associated Clients Statistics

4.3.1 Managed AP Statistics
Status > Traffic Monitor > Managed AP Statistics

The managed AP statistics page shows information about traffic on the wired and wireless interfaces of the access point. This information can help diagnose network issues, such as throughput problems. The following figure shows the Managed Access Point Statistics page with a managed AP.

MAC Address: This field shows the MAC address of the client station
Interface: This field shows the interface type, WLAN or Ethernet.
Packet Transmitted: This field shows the packet transmitted to the client station
Packet Received: This field shows the packet received to the client station
Bytes Transmitted: This field shows the bytes transmitted to the client station
Bytes Received: This field shows the bytes received to the client station

Figure 49: Managed AP Statistics

The following actions are supported from this page:
View Details: Shows detailed status information collected from the AP.
View Radio Details: Shows detailed status for a radio interface
View VAP Details: Shows summary information about the virtual access points (VAPs) for the selected AP and radio interface on the APs that the controller manages
Refresh: Updates the page with the latest information

4.3.2 LAN Associated Clients
Status > Traffic Monitor > Associated Clients Statistics > LAN Associated Clients

The controller tracks the traffic of the clients connected to the wireless controller.
Name: The LAN host name if available through NetBIOS.
IP Address: The LAN device's IP address.
MAC Address: The MAC address of the connected LAN client.

Figure 50: LAN Associated Clients

The following actions are supported from this page:
Refresh: Updates the page with the latest information
View Details: Shows detailed status of the associated client.

4.3.3 WLAN Associated Clients
Status > Traffic Monitor > Associated Clients Statistics > WLAN Associated Clients

The wireless client can roam among APs without interruption in WLAN service. The controller tracks the traffic the client sends and receives during the entire wireless session while the client roams among APs that the controller manages. The controller stores statistics about client traffic while it is associated with a single AP as well as throughout the roaming session.

MAC Address: This field shows the MAC address of the client station
Packet Transmitted: This field shows the packet transmitted to the client station
Packet Received: This field shows the packet received to the client station
Bytes Transmitted: This field shows the bytes transmitted to the client station
Bytes Received: This field shows the bytes received to the client station

Figure 51: WLAN Associated Clients

The following actions are supported from this page:
Refresh: Updates the page with the latest information
View Details: Shows detailed status of the associated client.
4.4 Active Connections

4.4.1 Sessions through the Controller
Status > Active Sessions

This table lists the active internet sessions through the controller's firewall. The session's protocol, state, local and remote IP addresses are shown.

Figure 52: List of current Active Firewall Sessions

4.5 LAN Client Info

4.5.1 Associated Clients
Status > LAN Client Info > Associated Clients

The clients that are associated with the APs the controller manages are displayed.

Figure 53: Associated Clients

MAC Address: The Ethernet address of the client station. If the MAC address is followed by an asterisk (*), the client is associated with an AP managed by a peer controller.
AP MAC Address: The Ethernet address of the AP.
SSID: The network on which the client is connected.
BSSID: The Ethernet MAC address for the managed AP VAP where this client is associated.
Detected IP Address: Identifies the IPv4 address of the client, if available.
Status: Indicates whether or not the client has associated and/or authenticated. The valid values are:
• Associated: The client is currently associated to the managed AP.
• Authenticated: The client is currently associated and authenticated to the managed AP.
• Disassociated: The client has disassociated from the managed AP. If the client does not roam to another managed AP within the client roam timeout, it will be deleted.
Disassociate: Disassociates the client from the managed AP.
View Details: For each client associated with an AP that the controller manages, you can view detailed status information about the client and its association with the access point.
View Neighbor Status: The associated client status shows information about access points that the client detects. The information on this page can help you determine the managed AP an associated client might use for roaming.
View Distributed Tunneling Status: The associated client status shows information about access points that the client detects. The AP-AP tunneling mode is used to support L3 roaming for wireless clients without forwarding any data traffic to the wireless controller.
View SSID Details: Each managed AP can be from different networks that each have a unique SSID. Although several wireless clients might be connected to the same physical AP, they might not connect by using the same SSID. The WLAN > Monitoring > Client > Associated Clients > SSID Status page lists the SSIDs of the networks that each wireless client associated with a managed AP has used for WLAN access.
View VAP Details: Each AP has a set of Virtual Access Points (VAPs) per radio, and every VAP has a unique MAC address (BSSID). This displays the VAP Associated Client Status page, which shows information about the VAPs on the managed AP that have associated wireless clients.

4.5.2 LAN Clients
Status > LAN Client Info > LAN Clients

The LAN clients to the controller are identified by an ARP scan through the LAN controller.
The NetBios name (if available), IP address and MAC address of discovered LAN hosts are displayed.
Figure 54: List of LAN hosts

4.5.3 Detected Clients
Status > LAN Client Info > Detected Clients
Wireless clients are detected by the wireless system when the clients either attempt to interact with the system or when the system detects traffic from the clients. The Detected Client Status page contains information about clients that have authenticated with an AP as well as information about clients that disassociate and are no longer connected to the system.
Figure 55: Detected Clients
MAC Address: The Ethernet MAC address of the client.
Client Name: Shows the name of the client, if available, from the Known Client Database. If the client is not in the database then the field is blank.
Client Status: Shows the client status, which can be one of the following:
• Authenticated: The wireless client is authenticated with the wireless system.
• Detected: The wireless client is detected by the wireless system but is not a security threat.
• Black-Listed: The client with this MAC address is specifically denied access via MAC Authentication.
• Rogue: The client is classified as a threat by one of the threat detection algorithms.
Age: Time since any event has been received for this client that updated the detected client database entry.
Create Time: Time since this entry was first added to the detected clients database.

4.6 Access Point

4.6.1 Access Point Status
Status > General > Access Point
The Access Point Status page shows summary information about managed, failed, and rogue access points the controller has discovered or detected.
Figure 56: AP status
Total Access Points Utilization
Total Access Points: Total number of Managed APs in the database. This value is always equal to the sum of Managed Access Points, Connection Failed Access Points, and Discovered Access Points.
Managed Access Points: Number of APs in the managed AP database that are authenticated, configured, and have an active connection with the controller.
Discovered Access Points: APs that have a connection with the controller, but haven't been completely configured. This value includes all managed APs with a Discovered or Authenticated status.
Connection Failed Access Points: Number of APs that were previously authenticated and managed, but currently don't have connection with the controller.
Access Points Utilization
Standalone Access Points: Number of trusted APs in Standalone mode. APs in Standalone mode are not managed by a controller.
Rogue Access Points: Number of Rogue APs currently detected on the WLAN. When an AP performs an RF scan, it might detect access points that have not been validated. It reports these APs as rogues.
Authentication Failed Access Points: Number of APs that failed to establish communication with the controller.
Unknown Access Points: Number of Unknown APs currently detected on the WLAN.
If an AP configured to be managed by the controller is detected through an RF scan at any time that it is not actively managed, it is classified as an Unknown AP.
Rogue AP Mitigation Limit: Maximum number of APs for which the system can send de-authentication frames.
Rogue AP Mitigation Count: Number of APs to which the wireless system is currently sending de-authentication messages to mitigate against rogue APs. A value of 0 indicates that mitigation is not in progress.
Maximum Managed APs in Peer Group: Maximum number of access points that can be managed by the cluster.
WLAN Utilization: Total network utilization across all APs managed by this controller. This is based on global statistics.

4.6.2 AP Summary
Status > Access Point Info > APs Summary
The List of AP page shows summary information about managed, failed, and rogue access points the controller has discovered or detected. The status entries can be deleted manually. To clear all APs from the All Access Points status page except Managed Access Points, click Delete All. To configure an Authentication Failed AP to be managed by the controller the next time it is discovered, select the check box next to the MAC address of the AP and click Manage. You will be presented with the Valid Access Point Configuration page.
Figure 57: AP status
MAC Address: Shows the MAC address of the access point.
IP Address: The network address of the access point.
Age: Shows how much time has passed since the AP was last detected and the information was last updated.
Status: Shows the access point status:
• Managed: The AP profile configuration has been applied to the AP and it's operating in managed mode.
• No Database Entry: MAC address of the AP does not appear in the local or RADIUS Valid AP database.
• Authentication (Failed AP): The AP failed to be authenticated by the controller or RADIUS server, since the AP is not configured as a valid AP with the correct local or RADIUS authentication information.
• Failed: The controller lost contact with the AP; a failed entry will remain in the managed AP database unless you remove it. Note that a managed AP will temporarily show a failed status during a reset.
• Rogue: The AP has not attempted to contact the controller and the MAC address of the AP is not in the Valid AP database.
Radio: Shows the wireless radio mode the AP is using.
Channel: Shows the operating channel for the radio.
The following actions are supported from this page:
Delete All: Manually clear all APs from the All Access Points status page except Managed Access Points.
Manage: Configure an Authentication Failed AP to be managed by the controller the next time it is discovered. Select the check box next to the MAC address of the AP before you click Manage. You will be presented with the Valid Access Point Configuration page. You can then configure the AP and click Submit to save the AP in the local Valid AP database. If you use a RADIUS server for AP validation, you must add the MAC address of the AP to the AP database on the RADIUS server.
Acknowledge: Identify an AP as an Acknowledged Rogue. Select the check box next to the MAC address of the AP before you click Acknowledge. The controller adds the AP to the Valid AP database as an Acknowledged Rogue.
View Details: View the details of configured APs. Select the check box next to the MAC address of the AP before you click View Details.
Refresh: Updates the page with the latest information.

4.6.3 Managed AP Status
Status > Access Point Info > Managed AP Status
In the Managed AP Status page, you can access a variety of information about each AP that the controller manages.
Figure 58: Managed AP status
MAC Address: The Ethernet address of the controller-managed AP.
IP Address: The network IP address of the managed AP.
Age: Time since last communication between the Controller and the AP.
Status: The current managed state of the AP. The possible values are:
• Discovered: The AP is discovered by the controller, but is not yet authenticated.
• Authenticated: The AP has been validated and authenticated (if authentication is enabled), but it is not configured.
• Managed: The AP profile configuration has been applied to the AP and it's operating in managed mode.
• Failed: The Controller lost contact with the AP; a failed entry will remain in the managed AP database unless you remove it. Note that a managed AP will temporarily show a failed status during a reset.
Profile: The AP profile configuration currently applied to the managed AP.
The profile is assigned to the AP in the valid AP database.
Radio Interface: Shows the wireless radio mode that each radio on the AP is using.
The following actions are supported from this page:
Delete: Manually clear existing APs.
View AP Details: Shows detailed status information collected from the AP.
View Radio Details: Shows detailed status for a radio interface.
View Neighbor Details: Shows the neighbor APs that the specified AP has discovered through periodic RF scans on the selected radio interface.
View Neighbor Clients: Shows information about wireless clients associated with an AP or detected by the AP radio.
View VAP Details: Shows summary information about the virtual access points (VAPs) for the selected AP and radio interface on the APs that the controller manages.

4.6.4 Authentication Failure Status
Status > Access Point Info > Authentication Failure Status
An AP might fail to associate to the controller due to errors such as invalid packet format or vendor ID, or because the AP is not configured as a valid AP with the correct local or RADIUS authentication information. The AP authentication failure list shows information about APs that failed to establish communication with the DWC-1000 wireless controller. The AP can fail due to one of the following reasons:
No Database Entry: The MAC address of the AP is not in the local Valid AP database or the external RADIUS server database, so the AP has not been validated.
Local Authentication: The authentication password configured in the AP did not match the password configured in the local database.
Not Managed: The AP is in the Valid AP database, but the AP Mode in the local database is not set to Managed.
RADIUS Authentication: The password configured in the RADIUS client for the RADIUS server was rejected by the server.
RADIUS Challenged: The RADIUS server is configured to use the Challenge-Response authentication mode, which is incompatible with the AP.
RADIUS Unreachable: The RADIUS server that the AP is configured to use is unreachable.
Invalid RADIUS Response: The AP received a response packet from the RADIUS server that was not recognized or invalid.
Invalid Profile ID: The profile ID specified in the RADIUS database may not exist on the controller. This can also happen with the local database when the configuration has been received from a peer controller.
Profile Mismatch-Hardware Type: The AP hardware type specified in the AP Profile is not compatible with the actual AP hardware.
Figure 59: Authentication Failure Status
MAC Address: The Ethernet address of the AP. If the MAC address of the AP is followed by an asterisk (*), it was reported by a peer controller.
IP Address: The IP address of the AP.
Last Failure Type: Indicates the last type of failure that occurred, which can be one of the following:
• Local Authentication
• No Database Entry
• Not Managed
• RADIUS Authentication
• RADIUS Challenged
• RADIUS Unreachable
• Invalid RADIUS Response
• Invalid Profile ID
• Profile Mismatch-Hardware Type
Age: Time since failure occurred.

4.6.5 AP RF Scan Status
Status > Access Point Info > AP RF Scan Status
The radios on each AP can periodically scan the radio frequency to collect information about other APs and wireless clients that are within range. In normal operating mode the AP always scans on the operational channel for the radio.
MAC Address: The Ethernet MAC address of the detected AP. This could be a physical radio interface or VAP MAC.
SSID: Service Set ID of the network, which is broadcast in the detected beacon frame.
Physical Mode: Indicates the 802.11 mode being used on the AP.
Channel: Transmit channel of the AP.
Status: Indicates the managed status of the AP, whether this is a valid AP known to the controller or a Rogue on the network. The valid values are:
• Managed: The neighbor AP is managed by the wireless system.
• Standalone: The AP is managed in standalone mode and configured as a valid AP entry (local or RADIUS).
• Rogue: The AP is classified as a threat by one of the threat detection algorithms.
• Unknown: The AP is detected in the network but is not classified as a threat by the threat detection algorithms.
Age: Time since this AP was last detected in an RF scan.
Status entries for the RF Scan Status page are collected at a point in time and eventually age out. The age value for each entry shows how long ago the controller recorded the entry.
Figure 60: AP RF Scan Status

4.7 Global Info

4.7.1 Global status
Status > Global Info > Global Status
The DWC-1000 controller periodically collects information from the APs it manages and from associated peer controller.
The information on the Global page shows status and statistics about the controller and all of the objects associated with it.
Figure 61: Global Status (Part 1)
Figure 62: Global Status (Part 2)
WLAN Controller Operational Status: This status field displays the operational status of this controller (a WLAN controller). The WLAN Controller may be configured as enabled, but is operationally disabled due to configuration dependencies. If the operational status is disabled, the reason will be displayed in the following status field.
IP Address: IP address of the controller.
Peer Controller: Number of peer WLAN controllers detected on the network.
Cluster Controller: Indicates whether this controller is the Cluster Controller for the cluster.
Cluster Controller IP Address: The IP address of the peer controller that is the Cluster Controller.
Total Access Points: Total number of Managed APs in the database. This value is always equal to the sum of Managed Access Points, Connection Failed Access Points, and Discovered Access Points.
Managed Access Points: Number of APs in the managed AP database that are authenticated, configured, and have an active connection with the controller.
Standalone Access Points: Number of trusted APs in Standalone mode. APs in Standalone mode are not managed by a controller.
Rogue Access Points: Number of Rogue APs currently detected on the WLAN. When an AP performs an RF scan, it might detect access points that have not been validated. It reports these APs as rogues.
Discovered Access Points: APs that have a connection with the controller, but haven't been completely configured. This value includes all managed APs with a Discovered or Authenticated status.
Connection Failed Access Points: Number of APs that were previously authenticated and managed, but currently don't have connection with the Unified Controller.
Authentication Failed Access Points: Number of APs that failed to establish communication with the Unified Controller.
Unknown Access Points: Number of Unknown APs currently detected on the WLAN. If an AP configured to be managed by the Unified Controller is detected through an RF scan at any time that it is not actively managed, it is classified as an Unknown AP.
Rogue AP Mitigation Limit: Maximum number of APs for which the system can send de-authentication frames.
Rogue AP Mitigation Count: Number of APs to which the wireless system is currently sending the authentication messages to mitigate against rogue APs. A value of 0 indicates that mitigation is not in progress.
Maximum Managed APs in Peer Group: Maximum number of access points that can be managed by the cluster.
WLAN Utilization: Total network utilization across all APs managed by this controller. This is based on global statistics.
Total Clients: Total number of clients in the database. This total includes clients with an Associated, Authenticated, or Disassociated status.
Authenticated Clients: Total number of clients in the associated client database with an Authenticated status.
802.11a Clients: Total number of IEEE 802.11a only clients that are authenticated.
802.11b/g Clients: Total number of IEEE 802.11b/g only clients that are authenticated.
802.11n Clients: Total number of clients that are IEEE 802.11n capable and are authenticated. These include IEEE 802.11a/n, IEEE 802.11b/g/n, 5 GHz IEEE 802.11n, 2.4 GHz IEEE 802.11n.
Maximum Associated Clients: Maximum number of clients that can associate with the wireless system. This is the maximum number of entries allowed in the Associated Client database.
Detected Clients: Number of wireless clients detected in the wireless network environment.
Maximum Detected Clients: Maximum number of clients that can be detected by the controller. The number is limited by the size of the Detected Client Database.
Maximum Pre-authentication History Entries: Maximum number of Client Pre-Authentication events that can be recorded by the system.
Total Pre-authentication History Entries: Current number of pre-authentication history entries in use by the system.
Maximum Roam History Entries: Maximum number of entries that can be recorded in the roam history for all detected clients.
Total Roam History Entries: Current number of roam history entries in use by the system.
AP Provisioning Count: Current number of AP provisioning entries configured on the system.
WLAN Bytes Transmitted: Total bytes transmitted across all APs managed by the controller.
WLAN Packets Transmitted: Total packets transmitted across all APs managed by the controller.
WLAN Bytes Received: Total bytes received across all APs managed by the controller.
WLAN Packets Received: Total packets received across all APs managed by the controller.
WLAN Bytes Transmit Dropped: Total bytes transmitted across all APs managed by the controller that were dropped.
WLAN Packets Transmit Dropped: Total packets transmitted across all APs managed by the controller that were dropped.
WLAN Bytes Receive Dropped: Total bytes received across all APs managed by the controller that were dropped.
WLAN Packets Receive Dropped: Total packets received across all APs managed by the controller that were dropped.
Distributed Tunnel Packets Transmitted: Total number of packets sent by all APs via distributed tunnels.
Distributed Tunnel Roamed Clients: Total number of clients that successfully roamed away from Home AP using distributed tunneling.
Distributed Tunnel Clients: Total number of clients that are associated with an AP that are using distributed tunneling.
Distributed Tunnel Client Denials: Total number of clients for which the system was unable to set up a distributed tunnel when the client roamed.
The following actions are supported from this page:
Refresh: Updates the page with the latest information.
Clear Statistics: Reset all counters on the page to zero.

4.7.2 Peer Controller Status
Status > Global Info > Peer Controller > Status
The Peer Controller Status page provides information about other Wireless Controllers in the network. Peer wireless controllers within the same cluster exchange data about themselves, their managed APs, and clients.
The controller maintains a database with this data so you can view information about a peer, such as its IP address and software version. If the controller loses contact with a peer, all of the data for that peer is deleted. One controller in a cluster is elected as a Cluster Controller. The Cluster Controller collects status and statistics from all the other controllers in the cluster, including information about the APs peer controllers manage and the clients associated to those APs.
Cluster Controller IP Address: IP address of the controller that controls the cluster.
Peer Controllers: Displays the number of peer controllers in the cluster.
List of Peer Controllers
IP Address: IP address of the peer wireless controller in the cluster.
Vendor ID: Vendor ID of the peer controller software.
Software Version: The software version for the given peer controller.
Protocol Version: Indicates the protocol version supported by the software on the peer controller.
Discovery Reason: The discovery method of the given peer controller, which can be through an L2 Poll or IP Poll.
Managed AP Count: Shows the number of APs that the controller currently manages.
Age: Time since last communication with the controller in Hours, Minutes, and Seconds.
Figure 63: Peer Controller Status
The following actions are supported from this page:
Refresh: Updates the page with the latest information.

4.7.3 Peer Controller Configuration Status
Status > Global Info > Peer Controller > Configuration
You can push portions of the controller configuration from one controller to another controller in the cluster. The Peer Controller Configuration Status page displays information about the configuration sent by a peer controller in the cluster. It also identifies the IP address of each peer controller that received the configuration information.
Peer IP Address: Shows the IP address of each peer wireless controller in the cluster that received configuration information.
Configuration Controller IP Address: Shows the IP Address of the controller that sent the configuration information.
Configuration: Identifies which parts of the configuration the controller received from the peer controller.
Timestamp: Shows when the configuration was applied to the controller. The time is displayed as UTC time and therefore only useful if the administrator has configured each peer controller to use NTP.
Figure 64: Peer Controller Configuration Status
The following actions are supported from this page:
Refresh: Updates the page with the latest information.

4.7.4 Peer Controller Managed AP Status
Status > Global Info > Peer Controller > Managed AP
The Peer Controller Managed AP Status page displays information about the APs that each peer controller in the cluster manages.
Use the menu above the table to select the peer controller with the AP information to display. Each peer controller is identified by its IP address.
MAC Address: Shows the MAC address of each AP managed by the peer controller.
Peer Controller IP: Shows the IP address of the peer controller that manages the AP. This field displays when "All" is selected from the drop-down menu.
Location: The descriptive location configured for the managed AP.
AP IP Address: The IP address of the AP.
Profile: The AP profile applied to the AP by the controller.
Hardware ID: The Hardware ID associated with the AP hardware platform.
Figure 65: Peer Controller Managed AP Status

4.7.5 IP Discovery
Status > Global Info > IP Discovery
The IP Discovery list can contain the IP addresses of peer controllers and APs for the wireless controller to discover and associate with as part of the WLAN.
IP Address: Shows the IP address of the device configured in the IP Discovery list.
Status: The status is in one of the following states:
• Not Polled: The controller has not attempted to contact the IP address in the L3/IP Discovery list.
• Polled: The controller has attempted to contact the IP address.
• Discovered: The controller contacted the peer controller or the AP in the L3/IP Discovery list and has authenticated or validated the device.
• Discovered - Failed: The controller contacted the peer controller or the AP with IP address in the L3/IP Discovery list and was unable to authenticate or validate the device.
Note: If the device is an access point, an entry appears in the AP failure list with a failure reason.
Figure 66: IP Discovery

4.7.6 Configuration Receive Status
Status > Global Info > Config Receive Status
The Peer Controller Configuration feature allows you to send the critical wireless configuration from one controller to all other controllers. In addition to keeping the controllers synchronized, this function enables the administrator to manage all wireless controllers in the cluster from one controller. The Peer Controller Configuration Received Status page provides information about the configuration a controller has received from one of its peers.
Current Receive Status: Indicates the global status when wireless configuration is received from a peer controller. The possible status values are as follows:
• Not Started
• Receiving Configuration
• Saving Configuration
• Applying AP Profile Configuration
• Success
• Failure - Invalid Code Version
• Failure - Invalid Hardware Version
• Failure - Invalid Configuration
Last Configuration Received: Peer controller IP Address indicates the last controller from which this controller received any wireless configuration data.
Configuration: Indicates which portions of configuration were last received from a peer controller, which can be one or more of the following:
• Global
• Discovery
• Channel/Power
• AP Database
• AP Profiles
• Known Client
• Captive Portal
• RADIUS Client
• QoS ACL
• QoS DiffServ
If the controller has not received any configuration for another controller, the value is None.
Timestamp: Indicates the last time this controller received any configuration data from a peer controller.
The Peer Controller Managed AP Status page displays information about the APs that each peer controller in the cluster manages. Use the menu above the table to select the peer controller with the AP information to display. Each peer controller is identified by its IP address.
Figure 67: Configuration Receive Status

4.7.7 AP Hardware Capability
Status > Global Info > AP H/W Capability
The controller can support APs that have different hardware capabilities, such as the supported number of radios, the supported IEEE 802.11 modes, and the software image required by the AP. From the AP Hardware Capability tab, you can access summary information about the AP Hardware support, the radios and IEEE modes supported by the hardware, and the software images that are available for download to the APs.
Hardware Type: Identifies the ID number assigned to each AP hardware type. The controller supports up to six different AP hardware types.
Hardware Type Description: Includes a description of the platform and the supported IEEE 802.11 modes.
Radio Count: Specifies whether the hardware supports one radio or two radios.
Image Type: Specifies the type of software the hardware requires.
Figure 68: AP Hardware Capability

4.8 Wireless Client Status

4.8.1 Client Status
Status > Dashboard > Client
This page shows information about all the clients which are connected through our managed AP.
Figure 69: Client Status
802.11 Clients – Data
802.11a Clients: Total number of IEEE 802.11a only clients that are authenticated.
802.11b/g Clients: Total number of IEEE 802.11b/g only clients that are authenticated.
802.11n Clients: Total number of clients that are IEEE 802.11n capable and are authenticated. These include IEEE 802.11a/n, IEEE 802.11b/g/n, 5 GHz IEEE 802.11n, 2.4 GHz IEEE 802.11n.
Clients – Data
Total Clients: Total number of clients in the database. This total includes clients with an Associated, Authenticated, or Disassociated status.
Authenticated Clients: Total number of clients in the associated client database with an Authenticated status.
Maximum Associated Clients: Maximum number of clients that can associate with the wireless system. This is the maximum number of entries allowed in the Associated Client database.
Detected Clients: Number of wireless clients detected in the WLAN.
Maximum Detected Clients: Maximum number of clients that can be detected by the controller. The number is limited by the size of the Detected Client Database.
Maximum Pre-authentication History Entries: Maximum number of Client Pre-Authentication events that can be recorded by the system.
Total Pre-authentication History Entries: Current number of pre-authentication history entries in use by the system.
Maximum Roam History Entries: Maximum number of entries that can be recorded in the roam history for all detected clients.
Total Roam History Entries: Current number of pre-authentication history entries in use by the system.
4.8.2 Associated Client Status
Status > Wireless Client Info > Associated Clients > Status
You can view a variety of information about the wireless clients that are associated with the APs the controller manages.
MAC Address: The Ethernet address of the client station. If the MAC address is followed by an asterisk (*), the client is associated with an AP managed by a peer controller.
AP MAC Address: The Ethernet address of the AP.
SSID: The network on which the client is connected.
BSSID: The Ethernet MAC address for the managed AP VAP where this client is associated.
Detected IP Address: Identifies the IPv4 address of the client, if available.
Figure 70: Associated Client Status
The following actions are supported from this page:
Disassociate: Disassociates the selected client from the managed AP.
View Details: Display associated client details.
View AP Details: Display associated AP details.
View SSID Details: Lists the SSIDs of the networks that each wireless client associated with a managed AP has used for WLAN access.
View VAP Details: Shows information about the VAPs on the managed AP that have associated wireless clients.
View Neighbor AP Status: Shows information about access points that the client detects.
4.8.3 Associated Client SSID Status
Status > Wireless Client Info > Associated Clients > SSID Status
Each managed AP can have up to 16 different networks that each has a unique SSID.
Although several wireless clients might be connected to the same physical AP, they might not connect by using the same SSID.
SSID: Indicates the network on which the client is connected.
Client MAC Address: The Ethernet address of the client station.
Figure 71: Associated Client SSID Status
The following actions are supported from this page:
Disassociate: Disassociates the client from the managed AP.
View Client Details: Display associated client details.
Refresh: Updates the page with the latest information.
4.8.4 Associated Client VAP Status
Status > Wireless Client Info > Associated Clients > VAP Status
Each AP has 16 Virtual Access Points (VAPs) per radio, and every VAP has a unique MAC address (BSSID). The VAP Associated Client Status page shows information about the VAPs on the managed AP that have associated wireless clients. To disconnect a client from an AP, select the box next to the BSSID, and then click Disassociate.
BSSID: Indicates the Ethernet MAC address for the managed AP VAP where this client is associated.
SSID: Indicates the SSID for the managed AP VAP where this client is associated.
AP MAC Address: This field indicates the base AP Ethernet MAC address for the managed AP.
Radio: Displays the managed AP radio interface the client is associated to and its configured mode.
Client MAC Address: The Ethernet address of the client station.
Client IP Address: The IP address of the client station.
Figure 72: Associated Client VAP Status
The following actions are supported from this page:
Disassociate: Disassociates the client from the managed AP.
Refresh: Updates the page with the latest information.
4.8.5 Controller Associated Client Status
Status > Wireless Client Info > Associated Clients > Controller Status
This shows information about the controller that manages the AP to which the client is associated.
Controller IP Address: Shows the IP address of the controller that manages the AP to which the client is associated.
Client MAC Address: Shows the MAC address of the associated client.
Figure 73: Controller Associated Client Status
The following actions are supported from this page:
Disassociate: Disassociates the client from the managed AP.
View Client Details: Display associated client details.
Refresh: Updates the page with the latest information.
4.8.6 Detected Client Status
Status > Wireless Client Info > Detected Clients
Wireless clients are detected by the wireless system when the clients either attempt to interact with the system or when the system detects traffic from the clients. The Detected Client Status page contains information about clients that have authenticated with an AP as well as information about clients that disassociate and are no longer connected to the system.
MAC Address: The Ethernet address of the client.
Client Name: Shows the name of the client, if available, from the Known Client Database. If the client is not in the database, the field is blank.
Client Status: Shows the client status, which can be one of the following:
• Authenticated: The wireless client is authenticated with the wireless system.
• Detected: The wireless client is detected by the wireless system but is not a security threat.
• Black-Listed: The client with this MAC address is specifically denied access via MAC Authentication.
• Rogue: The client is classified as a threat by one of the threat detection algorithms.
Age: Time since any event has been received for this client that updated the detected client database entry.
Create Time: Time since this entry was first added to the detected client's database.
Figure 74: Detected Client Status
The following actions are supported from this page:
Delete: Delete the selected client from the list. If the client is detected again, it will be added to the list.
Delete All: Deletes all non-authenticated clients from the Detected Client database. As clients are detected, they are added to the database and appear in the list.
Acknowledge All Rogues: Clear the rogue status of all clients listed as rogues in the Detected Client database. The status of an acknowledged client is returned to the status it had when it was first detected. If the detected client fails any of the tests that classify it as a threat, it will be listed as a Rogue again.
Refresh: Updates the page with the latest information.
4.8.7 Pre-Authorization History
Status > Wireless Client Info > Pre-Auth History
To help authenticated clients roam without losing sessions and needing to re-authenticate, wireless clients can attempt to authenticate to other APs within range that the client could possibly associate with. For successful pre-authentication, the target AP must have a VAP with an SSID and security configuration that matches that of the client, including MAC authentication, encryption method, and pre-shared key or RADIUS parameters. The AP that the client is associated with captures all pre-authentication requests and sends them to the controller.
MAC Address: MAC address of the client.
AP MAC Address: MAC Address of the managed AP to which the client has pre-authenticated.
Radio Interface Number: Radio number to which the client is authenticated, which is either Radio 1 or Radio 2.
VAP MAC Address: VAP MAC address to which the client roamed.
SSID: SSID Name used by the VAP.
Age: Time since the history entry was added.
User Name: Indicates the user name of client that authenticated via 802.1X.
Pre-Authentication Status: Indicates whether the client successfully authenticated and shows a status of Success or Failure.
Figure 75: Pre-Auth History
This page includes the following button:
Refresh: Updates the page with the latest information.
4.8.8 Detected Client Roam History
Status > Wireless Client Info > Roam History
The wireless system keeps a record of clients as they roam from one managed AP to another managed AP.
MAC Address: MAC address of the detected client.
AP MAC Address: MAC Address of the managed AP to which the client authenticated.
Radio Interface Number: Radio Number to which the client is authenticated.
VAP MAC Address: VAP MAC address to which the client roamed.
SSID: SSID Name used by the VAP.
New Authentication: A flag indicating whether the history entry represents a new authentication or a roam event.
Age: Time since the history entry was added.
Figure 76: Detected Client Roam History
This page includes the following buttons:
Refresh: Updates the page with the latest information.
Purge History: To purge the history when the list of entries is full.
View Details: Shows the details of the detected clients.
Chapter 5. AP Management
The AP Management contains links to the following pages that help you manage and maintain the APs on your DWC-1000 wireless controller network:
• Valid Access Point Configuration
• RF Management
• Access Point Software Download
• Local OUI Database
• AP Provisioning
• Manual Management
5.1 Valid Access Point Configuration
Setup > AP Management > Valid AP
MAC Address: This field shows the MAC address of the AP. To change this field, you must delete the entire Valid AP configuration and then enter the correct MAC address from the page that lists all Valid APs.
Location: To help you identify the AP, you can enter a location.
This field accepts up to 32 alphanumeric characters.
AP Mode: You can configure the AP to be in one of three modes:
• Standalone: The AP acts as an individual access point in the network.
• Managed: If an AP is in Managed Mode, the Administrator Web UI and SNMP services on the AP are disabled.
• Rogue: Select Rogue as the AP mode if you wish to be notified (through an SNMP trap, if enabled) when this AP is detected in the network.
Profile: If you configure multiple AP Profiles, you can select the profile to assign to this AP.
Figure 77: Valid Access Point Configuration
The following actions are supported from this page:
Edit: To edit AP details in Valid AP page.
Delete: To delete a valid AP provide valid MAC address in Valid AP page.
Add: To add an AP in Valid AP page.
Figure 78: Add a Valid Access Point
MAC Address: This field shows the MAC address of the AP. To change this field, you must delete the entire Valid AP configuration and then enter the correct MAC address from the page that lists all Valid APs.
AP Mode: You can configure the AP to be in one of three modes:
• Standalone: The AP acts as an individual access point in the network. You do not manage the AP by using the controller. Instead, you log on to the AP itself and manage it by using the Administrator Web User Interface (UI), CLI, or SNMP. If you select the Standalone mode, the screen refreshes and different fields appear.
For Standalone mode the following fields are enabled: Expected SSID, Expected Channel, Expected WDS Mode, Expected Security Mode and Expected Wired Network Mode.
• Managed: The AP is part of the D-Link Wireless Controller, and you manage it by using the Wireless Controller. If an AP is in Managed Mode, the Administrator Web UI and SNMP services on the AP are disabled.
• Rogue: Select Rogue as the AP mode if you wish to be notified (through an SNMP trap, if enabled) when this AP is detected in the network. Additionally, when this AP is detected through an RF scan, the status is listed as Rogue. If you select the Rogue mode, the screen refreshes, and fields that do not apply to this mode are hidden.
Location: To help you identify the AP, you can enter a location. This field accepts up to 32 alphanumeric characters.
Authentication Password: You can require that the AP authenticate itself with the controller upon discovery. Select the Edit option and enter the password in this field. The valid password range is between 8 and 63 alphanumeric characters. The password in this field must match the password configured on the AP.
Profile: If you configure multiple AP Profiles, you can select the profile to assign to this AP.
Expected SSID: Enter the SSID that identifies the wireless network on the standalone AP.
Expected Channel: Select the channel that the standalone AP uses.
If the AP is configured to automatically select a channel, or if you do not want to specify a channel, select Any.
Expected WDS Mode: Standalone APs can use a Wireless Distribution System (WDS) link to communicate with each other without wires. The menu contains the following options:
• Bridge: Select this option if the standalone AP you add to the Valid AP database is configured to use one or more WDS links.
• Normal: Select this option if the standalone AP is not configured to use any WDS links.
• Any: Select this option if the standalone AP might use a WDS link.
Expected Security Mode: Select the option to specify the type of security the AP uses:
• Any: Any security mode
• Open: No security
• WEP: Static WEP or WEP 802.1X
• WPA/WPA2: WPA and/or WPA2 (Personal or Enterprise)
Expected Wired Network Mode: If the standalone AP is allowed on the wired network, select Allowed. If the AP is not permitted on the wired network, select Not Allowed.
Channel: The Channel defines the portion of the radio spectrum that the radio uses for transmitting and receiving. The range of channels and the default channel are determined by the Mode of the radio interface and the country in which the APs operate.
Power: The power level affects how far an AP broadcasts its RF signal. If the power level is too low, wireless clients will not detect the signal or will experience poor WLAN performance. If the power level is too high, the RF signal might interfere with other APs within range.
5.2 RF Management
5.2.1 RF Configuration
Setup > AP Management > RF Management > RF Configuration
The radio frequency (RF) broadcast channel defines the portion of the radio spectrum that the radio on the access point uses for transmitting and receiving. The range of available channels for an access point is determined by the IEEE 802.11 mode (also referred to as band) of the access point. The controller contains a channel plan algorithm that automatically determines which RF channels each AP should use to minimize RF interference. When you enable the channel plan algorithm, the controller periodically evaluates the operational channel on every AP it manages and changes the channel if the current channel is noisy.
Channel Plan: Each AP is dual-band capable of operating in the 2.4 GHz and 5 GHz frequencies. The 802.11a/n and 802.11b/g/n modes use different channel plans. Before you configure channel plan settings, select the mode to configure.
Channel Plan Mode: This field indicates the channel assignment mode. The mode of channel plan assignment can be one of the following:
• Fixed Time: If you select the fixed time channel plan mode, you specify the time for the channel plan and channel assignment. In this mode the plan is applied once every 24 hours at the specified time.
• Manual: With the manual channel plan mode, you control and initiate the calculation and assignment of the channel plan. You must manually run the channel plan algorithm and apply the channel plan to the APs.
• Interval: In the interval channel plan mode, the controller periodically calculates and applies the channel plan. You can configure the interval to be from every 6 to every 24 hours. The interval period begins when you click Submit.
Figure 79: RF Configuration
Channel Plan History Depth: The channel plan history lists the channels the controller assigns each of the APs it manages after a channel plan is applied. Entries are added to the history regardless of interval, time, or channel plan mode. The number you specify in this field controls the number of iterations of the channel assignment. APs changed in previous iterations cannot be assigned new channels in the next iteration. This history prevents the same APs from being changed time after time.
Channel Plan Interval: If you select the Interval channel plan mode, you can specify the frequency at which the channel plan calculation and assignment occurs. The interval time is in hours, and you can specify an interval that ranges between every 6 hours to every 24 hours.
Channel Plan Fixed Time: If you select the Fixed Time channel plan mode, you can specify the time at which the channel plan calculation and assignment occurs. The channel plan calculation will occur once every 24 hours at the time you specify.
Power Adjustment Mode: You can set the power of the AP radio frequency transmission in the AP profile, the local database or in the RADIUS server.
The power level in the AP profile is the default level for the AP, and the power will not be adjusted below the value in the AP profile. The settings in the local database and RADIUS server always override power set in the profile setting. If you manually set the power, the level is fixed and the AP will not use the automatic power adjustment algorithm. You can configure the power as a percentage of maximum power, where the maximum power is the minimum of power level allowed for the channel by the regulatory domain or the hardware capability.
• Manual: In this mode, you run the proposed power adjustments manually from the Manual Power Adjustments page.
• Interval: In this mode, the controller periodically calculates the power adjustments and applies the power for all APs. The interval period begins when you click Submit.
Power Adjustment Interval: This field determines how often the controller runs the power adjustment algorithm. The algorithm runs automatically only if you set the power adjustment mode to Interval. This setting gets applied to both radios of the AP.
The following actions are supported from this page:
Submit: Updates the controller with the values you enter.
5.2.2 Channel Plan History
Setup > AP Management > RF Management > Channel Plan History
The wireless controller stores channel assignment information for the APs it manages. The Cluster Controller that controls the cluster maintains the channel history information for all controllers in the cluster.
On the Cluster Controller, the page shows information about the radios on all APs managed by controllers in the cluster that are eligible for channel assignment and were successfully assigned a new channel.
Channel Plan: The 5 GHz and 2.4 GHz radios use different channel plans, so the controller tracks the channel history separately for each radio. The channel information that displays on the page is only for the radio you select.
Operational Status: This field shows whether the controller is using the automatic channel adjustment algorithm on the AP radios.
Last Iteration: The number in this field indicates the most recent iteration of channel plan adjustments. The APs that received a channel adjustment in previous iterations cannot be assigned new channels in the next iteration to prevent the same APs from being changed time after time.
Last Algorithm Time: Shows the date and time when the channel plan algorithm last ran.
AP MAC Address: This table displays the channel assigned to an AP in an iteration of the channel plan (Location, Radio, Iteration, Channel).
Figure 80: Channel Plan History
5.2.3 Manual Channel Plan
Setup > AP Management > RF Management > Manual Channel Plan
If you specify Manual as the Channel Plan Mode on the Configuration tab, the Manual Channel Plan page allows you to initiate the channel plan algorithm. To manually run the channel plan adjustment feature, select the radio to update the channels on (5 GHz or 2.4 GHz) and click Start.
Channel Plan: The 5 GHz and 2.4 GHz radios use different channel plans, so the controller tracks the channel history separately for each radio. The channel information that displays on the page is only for the radio you select.
Channel Plan Algorithm (Current Status): Shows the Current Status of the plan, which is one of the following states:
• None: The channel plan algorithm has not been manually run since the last controller reboot.
• Algorithm In Progress: The channel plan algorithm is running.
• Algorithm Complete: The channel plan algorithm has finished running. A table displays to indicate proposed channel assignments. Each entry shows the AP along with the current and new channel. To accept the proposed channel change, click Apply. You must manually apply the channel plan for the proposed assignments to be applied.
• Apply In Progress: The controller is applying the proposed channel plan and adjusting the channel on the APs listed in the table.
• Apply Complete: The algorithm and channel adjustment are complete.
Proposed Channel Assignments: If no APs appear in the table after the algorithm is complete, the algorithm does not recommend any channel changes.
Current Channel: Shows the current operating channel for the AP that the algorithm recommends for new channel assignments.
New Channel: Shows the proposed operating channel for the AP.
The following actions are supported from this page:
Start: To initiate the channel plan algorithm.
Figure 81: Manual Channel Plan
5.2.4 Manual Power Adjustment Plan
Setup > AP Management > RF Management > Manual Power Adjustment Plan
If you select Manual as the Power Adjustment Mode on the Configuration tab, you can manually initiate the power adjustment algorithm on the Manual Power Adjustments page.
Current Status: Shows the Current Status of the plan, which is one of the following states:
• None: The power adjustment algorithm has not been manually run since the last controller reboot.
• Algorithm In Progress: The power adjustment algorithm is running.
• Algorithm Complete: The power adjustment algorithm has finished running. A table displays to indicate proposed power adjustments. Each entry shows the AP along with the current and new power levels.
• Apply In Progress: The controller is adjusting the power levels that the APs use.
• Apply Complete: The algorithm and power adjustment are complete.
AP MAC Address: Identifies the AP MAC address.
Location: Identifies the location of the AP, which is set in the Valid AP database.
Radio Interface: Identifies the radio.
Old Power: Shows the earlier power level for the AP.
New Power: Shows the proposed power level for the AP.
The following actions are supported from this page:
Start: To initiate the power adjustment algorithm.
Figure 82: Manual Power Adjustment Plan
5.3 Access Point Software Download
Setup > AP Management > Software Download
The wireless controller can upgrade software on the APs that it manages.
The AP firmware version must be the same as the DWC-1000 WLAN module version.
Server Address: Enter the IP address of the host where the upgrade file is located. The host must have a TFTP server installed and running.
File Path: Enter the file path on the TFTP server where the software is located. You may enter up to 96 characters.
File Name: Enter the name of the upgrade file. You may enter up to 32 characters, and the file extension .tar must be included.
Group Size: When you upgrade multiple APs, each AP contacts the TFTP server to download the upgrade file. To prevent the TFTP server from being overloaded, you can limit the number of APs to be upgraded at a time. In the Group Size field, enter the number of APs that can be upgraded at the same time. When one group completes the upgrade, the next group begins the process.
Image Download Type: Type of the image to be downloaded, which can be one of the following:
• All images (img_dwl8600 and img_dwl3600/6600)
• img_dwl8600
• img_dwl3600/6600
To download all images, make sure you specify the file path and file name for both images in the appropriate File Path and File Name fields.
Managed AP: The list shows all the APs that the controller manages. If the controller is the Cluster Controller, then the list shows the APs managed by all controllers in the cluster. Each AP is identified by its MAC address, IP address, and Location in the <MAC - IP - Location> format. To upgrade a single AP, select the AP MAC address from the drop down list.
To upgrade all APs, select All from the top of the list. If All is selected, the Group Size field will limit the number of simultaneous AP upgrades in order not to overwhelm the TFTP server.

Figure 83: Access Point Software Download

5.4 Local OUI Database Summary
Setup > AP Management > Local OUI Database

To help identify AP and Wireless Client adapter manufacturers detected in the wireless network, the wireless controller contains a database of registered Organizationally Unique Identifiers (OUIs). This is a read-only list with over 10,000 registrations. From the Local OUI Database Summary page, you can enter up to 64 user-defined OUIs. The local list is searched first, so the same OUI can be located in the local list as well as the read-only list.

OUI Value: Enter the OUI that represents the company ID in the format XX:XX:XX where XX is a hexadecimal number between 00 and FF. The first three bytes of the MAC address represent the company ID assignment. The first byte of the OUI must have the least significant bit set to 0. For example 02:FF:FF is a valid OUI, but 03:FF:FF is not.
OUI Description: Enter the organization name associated with the OUI. The name can be up to 32 alphanumeric characters.

Figure 84: Local OUI Database

5.5 AP Provisioning Summary
Setup > AP Management > AP Provisioning Summary Status

The AP Provisioning feature helps you add new APs to an existing controller cluster. With AP Provisioning, you can configure the access points with parameters that are needed to connect to the wireless network.
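The OUI Value and OUI Description rules from section 5.4 (Local OUI Database) can be checked offline before entries are typed into the controller. The following Python sketch is an added example, not D-Link code: the class and function names are hypothetical, the read-only entry is constructed sample data, and "alphanumeric" is read as ASCII letters and digits.

```python
import re

MAX_LOCAL_OUIS = 64  # the page allows up to 64 user-defined OUIs
OUI_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){2}")   # XX:XX:XX
DESCRIPTION_RE = re.compile(r"[A-Za-z0-9]{1,32}")  # assumption: ASCII alphanumerics


def normalize_oui(value):
    """Validate an OUI in XX:XX:XX form and return it upper-cased."""
    if not OUI_RE.fullmatch(value):
        raise ValueError(f"not in XX:XX:XX hexadecimal format: {value!r}")
    # The least significant bit of the first byte marks a group (multicast)
    # address, so it must be 0 in a company ID: 02:FF:FF passes, 03:FF:FF fails.
    if int(value[:2], 16) & 0x01:
        raise ValueError(f"first byte has its least significant bit set: {value!r}")
    return value.upper()


class OuiDatabase:
    """Hypothetical model: a read-only list plus a local list searched first."""

    def __init__(self, read_only):
        self._read_only = {normalize_oui(k): v for k, v in read_only.items()}
        self._local = {}

    def add_local(self, oui, description):
        key = normalize_oui(oui)
        if not DESCRIPTION_RE.fullmatch(description):
            raise ValueError("description must be 1 to 32 alphanumeric characters")
        if key not in self._local and len(self._local) >= MAX_LOCAL_OUIS:
            raise ValueError("local OUI list already holds 64 entries")
        self._local[key] = description
        return key

    def lookup(self, mac):
        """Return (description, source) for a MAC address, or (None, None)."""
        octets = re.split(r"[:-]", mac.strip())
        if len(octets) != 6 or not all(
            re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets
        ):
            raise ValueError(f"not a MAC address: {mac!r}")
        key = ":".join(octets[:3]).upper()
        # The local list wins, so a user-defined entry can shadow a built-in one.
        for source, table in (("local", self._local), ("read-only", self._read_only)):
            if key in table:
                return table[key], source
        return None, None


if __name__ == "__main__":
    # Constructed sample data, not real registrations.
    db = OuiDatabase({"00:AA:BB": "BuiltinVendor"})
    db.add_local("00:aa:bb", "LabOverride")
    print(db.lookup("00:AA:BB:01:02:03"))   # local entry shadows the built-in one
    print(db.lookup("02-FF-FF-10-20-30"))   # unknown OUI
```

A MAC whose vendor prefix resolves from the local list rather than the read-only list is worth a second look during rogue AP triage, because a local entry can relabel any prefix.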
Use AP Provisioning to connect devices to a network enabled for mutual authentication. If a network is not enabled for mutual authentication then APs can be attached to the network by properly configuring the local Valid AP database or RADIUS AP database and discovery options. The provisioning feature can optionally be used on networks not enabled for mutual authentication to simplify AP attachment to the cluster.

MAC Address: MAC address of the AP.
IP Address: IP Address of the AP.
Primary IP Address: The IP address of the primary provisioned controller as reported by the AP.
Backup IP Address: The IP address of the backup provisioned controller as reported by the AP.
New Primary IP Address: Enter the IP address of primary controller to which the AP should try to connect.
New Backup IP Address: Enter the IP address of controller to which the AP should try to connect if it is unable to connect to the primary controller.
Status: Status of the most recently issued AP provisioning command, which has one of the following values:
  Not Started: Provisioning has not been started for this AP.
  Success: Provisioning finished successfully for this controller. The AP Provisioning Status table should reflect the latest provisioning configuration.
  In Progress: Provisioning is in progress for this AP.
  Invalid Controller IP Address: Either primary or backup controller IP address is not in the cluster or the mutual authentication mode is enabled and the primary controller IP address is not specified.
  Provisioning Rejected: AP is not managed and is configured not to accept provisioning data in unmanaged mode.
  Timed Out: The last provisioning request timed out.

Figure 85: AP Provisioning Summary Status

The following actions are supported from this page:
Delete: Remove the selected AP from the AP provisioning list.
Delete All: Remove all APs from the AP provisioning list.
Provision: Initiate provisioning for the selected AP. You can provision an AP only from the cluster controller. After the AP is provisioned, it should become managed by the controller with the configured Primary IP Address and appear in the AP provisioning database as a managed AP.
Edit: Edit the parameters of the selected AP from the AP provisioning list.
Refresh: Updates the page with the latest information.

5.6 Manual Management
Setup > AP Management > Manual Management

When the AP is in Managed mode, remote access to the AP is disabled. From the Manual Management page, you can also manually change the RF channel and power for each radio on an AP. The manual power and channel changes override the settings configured in the AP profile (including automatic channel selection) and take effect immediately.
The manual channel and power assignments are not retained when the AP is reset or if the profile is reapplied to the AP, such as when the AP disassociates and reassociates with the controller.

Figure 86: Manual Management

MAC Address: Shows the MAC address of the AP.
Location: Shows the AP location, which is based on the value configured in the RADIUS or local Valid AP database.
Debug: To help you troubleshoot, you can enable Telnet access to the AP so that you can debug the device from the CLI. The Debug field shows the debug status and can be one of the following:
• Disabled
• Set Requested
• Set in Progress
• Enabled
To change the status, select the AP and click the Managed AP Debug button.
Radio Interface: Identifies the radio to which the channel and power settings apply.
Channel: Select the AP and click the Edit Channel/Power button to access the Managed AP Channel/Power Adjust page. From that page, you can set a new channel for Radio 1 or Radio 2. The available channels depend on the radio mode and country in which the APs operate. The manual channel change overrides the channel configured in the AP profile and is not retained when the AP reboots or when the AP profile is reapplied.
Power: Select the AP and click the Edit Channel/Power button to access the Managed AP Channel/Power Adjust page. From that page, you can set a new power level for the AP.
The manual power change overrides the power setting configured in the AP profile and is not retained when the AP reboots or when the AP profile is reapplied.

Chapter 6. Connecting to the Internet: Option Setup

This controller has two Option ports that can be used to establish a connection to the internet. The following ISP connection types are supported: DHCP, Static, PPPoE, PPTP, L2TP.

It is assumed that you have arranged for internet service with your Internet Service Provider (ISP). Please contact your ISP or network administrator for the configuration information that will be required to set up the controller.

The ISP Connection types PPPoE, PPTP, L2TP and the NAT/Transparent mode feature are available upon licensed activation of VPN / Firewall features for the system.

6.1 Internet Connection Setup Wizard
Setup > Wizard > Internet

The Internet Connection Setup Wizard is available for users new to networking. By going through a few straightforward configuration pages you can take the information provided by your ISP to get your Option connection up and enable internet access for your network.

Figure 87: Internet Connection Setup Wizard

You can start using the Wizard by logging in with the administrator password for the controller. Once authenticated, set the time zone that you are located in, and then choose the type of internet connection: DHCP, Static, PPPoE, PPTP, L2TP. Depending on the connection type a username/password may be required to register this controller with the ISP.
In most cases the default settings can be used if the ISP did not specify that parameter. The last step in the Wizard is to click the Connect button, which confirms the settings by establishing a link with the ISP. Once connected, you can move on and configure other features in this controller.

6.2 Option Configuration
Setup > Internet Settings > Option1 Settings > Option1 Setup

You must either allow the controller to detect Option connection type automatically or configure manually the following basic settings to enable Internet connectivity:

Connection type: Based on the ISP you have selected for the primary Option link for this controller, choose Static IP address, DHCP client, Point-to-Point Tunneling Protocol (PPTP), Point-to-Point Protocol over Ethernet (PPPoE), Layer 2 Tunneling Protocol (L2TP). Required fields for the selected ISP type become highlighted. Enter the following information as needed and as provided by your ISP:
PPPoE Profile Name. This menu lists configured PPPoE profiles, particularly useful when configuring multiple PPPoE connections (i.e. for Japan ISPs that have multiple PPPoE support).
ISP login information. This is required for PPTP and L2TP ISPs.
  User Name
  Password
  Secret (required for L2TP only)
MPPE Encryption: For PPTP links, your ISP may require you to enable Microsoft Point-to-Point Encryption (MPPE).
Split Tunnel (supported for PPTP and L2TP connection).
This setting allows your LAN hosts to access internet sites over this Option link while still permitting VPN traffic to be directed to a VPN configured on this Option port.
If split tunnel is enabled, DWC won't expect a default route from the ISP server. In such case, user has to take care of routing manually by configuring the routing from Static Routing page.
To keep the connection always on, click Keep Connected. To log out after the connection is idle for a period of time (useful if your ISP costs are based on logon times), click Idle Timeout and enter the time, in minutes, to wait before disconnecting in the Idle Time field.

6.2.1 Option Port IP address

Your ISP assigns you an IP address that is either dynamic (newly generated each time you log in) or static (permanent). The IP Address Source option allows you to define whether the address is statically provided by the ISP or should be received dynamically at each login. If static, enter your IP address, IPv4 subnet mask, and the ISP gateway's IP address. PPTP and L2TP ISPs also can provide a static IP address and subnet to configure, however the default is to receive that information dynamically from the ISP.

6.2.2 Option DNS Servers

The IP Addresses of Option Domain Name Servers (DNS) are typically provided dynamically from the ISP but in some cases you can define the static IP addresses of the DNS servers. DNS servers map Internet domain names (example: www.google.com) to IP addresses.
Click to indicate whether to get DNS server addresses automatically from your ISP or to use ISP-specified addresses. If the latter, enter addresses for the primary and secondary DNS servers. To avoid connectivity problems, ensure that you enter the addresses correctly.

6.2.3 DHCP Option

For DHCP client connections, you can choose the MAC address of the controller to register with the ISP. In some cases you may need to clone the LAN host's MAC address if the ISP is registered with that LAN host.

Figure 88: Manual Option1 configuration

6.2.4 PPPoE
Setup > Internet Settings > Option1 Settings > Option1 Setup

The PPPoE ISP settings are defined on the Option Configuration page. There are two types of PPPoE ISPs supported by the DWC-1000: the standard username/password PPPoE and Japan Multiple PPPoE.

Figure 89: PPPoE configuration for standard ISPs

Most PPPoE ISPs use a single control and data connection, and require username / password credentials to log in and authenticate the DWC-1000 with the ISP. The ISP connection type for this case is "PPPoE (Username/Password)". The GUI will prompt you for authentication, service, and connection settings in order to establish the PPPoE link.

For some ISPs, most popular in Japan, the use of "Japanese Multiple PPPoE" is required in order to establish concurrent primary and secondary PPPoE connections between the DWC-1000 and the ISP. The Primary connection is used for the bulk of data and internet traffic and the Secondary PPPoE connection carries ISP specific (i.e.
control) traffic between the DWC-1000 and the ISP.

Figure 90: Option1 configuration for Japanese Multiple PPPoE (part 1)

There are a few key elements of a multiple PPPoE connection:
• Primary and secondary connections are concurrent.
• Each session has a DNS server source for domain name lookup; this can be assigned by the ISP or configured through the GUI.
• The DWC-1000 acts as a DNS proxy for LAN users.
• Only HTTP requests that specifically identify the secondary connection's domain name (for example *.flets) will use the secondary profile to access the content available through this secondary PPPoE terminal. All other HTTP / HTTPS requests go through the primary PPPoE connection.

When Japanese multiple PPPoE is configured and the secondary connection is up, some predefined routes are added on that interface. These routes are needed to access the internal domain of the ISP where it hosts various services. These routes can also be configured through the static routing page.

Figure 91: Option1 configuration for Multiple PPPoE (part 2)

6.2.5 Russia L2TP and PPTP Option

For Russia L2TP Option connections, you can choose the address mode of the connection to get an IP address from the ISP or configure a static IP address provided by the ISP. For DHCP client connections, you can choose the MAC address of the controller to register with the ISP. In some cases you may need to clone the LAN host's MAC address if the ISP is registered with that LAN host.
Figure 92: Russia L2TP ISP configuration

6.2.6 Option Configuration in an IPv6 Network
Advanced > IPv6 > IPv6 Option1 Config

For IPv6 Option connections, this controller can have a static IPv6 address or receive connection information when configured as a DHCPv6 client. In the case where the ISP assigns you a fixed address to access the internet, the static configuration settings must be completed. In addition to the IPv6 address assigned to your controller, the IPv6 prefix length defined by the ISP is needed. The default IPv6 Gateway address is the server at the ISP that this controller will connect to for accessing the internet. The primary and secondary DNS servers on the ISP's IPv6 network are used for resolving internet addresses, and these are provided along with the static IP address and prefix length from the ISP.

When the ISP allows you to obtain the Option IP settings via DHCP, you need to provide details for the DHCPv6 client configuration. The DHCPv6 client on the gateway can be either stateless or stateful. If a stateful client is selected the gateway will connect to the ISP's DHCPv6 server for a leased address. For stateless DHCP there need not be a DHCPv6 server available at the ISP, rather ICMPv6 discover messages will originate from this gateway and will be used for auto configuration. A third option to specify the IP address and prefix length of a preferred DHCPv6 server is available as well.
Figure 93: IPv6 Option1 Setup page

Prefix Delegation: Select this option to request a controller advertisement prefix from any available DHCPv6 servers on the ISP; the obtained prefix is updated to the advertised prefixes on the LAN side. This option can be selected only in Stateless Address Auto Configuration mode of DHCPv6 Client.

When IPv6 is PPPoE type, the following PPPoE fields are enabled.
Username: Enter the username required to log in to the ISP.
Password: Enter the password required to log in to the ISP.
Authentication Type: The type of Authentication in use by the profile: Auto-Negotiate/PAP/CHAP/MS-CHAP/MS-CHAPv2.
Dhcpv6 Options: The mode of Dhcpv6 client that will start in this mode: disable dhcpv6/stateless dhcpv6/stateful dhcpv6/stateless dhcpv6 with prefix delegation.
Primary DNS Server: Enter a valid primary DNS Server IP Address.
Secondary DNS Server: Enter a valid secondary DNS Server IP Address.

Click Save Settings to save your changes.

6.2.7 Checking Option Status
Setup > Internet Settings > Option1 Settings > Option 1 Status

The status and summary of configured settings for both Option1 and Option2 are available on the Option Status page. You can view the following key connection status information for each Option port:

MAC Address: MAC Address of the Option port.
IPv4 Address: IP address of the Option port followed by the Option subnet.
Option State: Indicates the state of the Option port (UP or DOWN).
NAT (IPv4 only): Indicates if the security appliance is in NAT mode (enabled) or routing mode (disabled).
IPv4 Connection Type: Indicates if the Option IPv4 address is obtained dynamically through a DHCP server or assigned statically by the user or obtained through a PPPoE (Username/Password)/ PPTP (Username/Password)/ L2TP (Username/Password)/ Japanese multiple PPPoE/ Russian dual access PPPoE/ Russian dual access PPTP/ Russian dual access L2TP ISP connection.
IPv4 Connection State: Indicates if the Option is connected to the Internet Service Provider.
Link State: Detects if a link is present on the Option Interface.
Option Mode: Indicates if Option1 or Option2 is in use.
Gateway: Gateway IP address of the Option port.
Primary DNS: Primary DNS server IP address of the Option port.
Secondary DNS: Secondary DNS server IP address of the Option port.

If the Connection Status indicates that the association with the ISP is active, then the Option can be disconnected by clicking the Disable button.

Figure 94: Connection Status information of Option1

The Option status page allows you to Enable or Disable static Option links. For Option settings that are dynamically received from the ISP, you can Renew or Release the link parameters if required.
6.3 Features with Multiple Option Links

This controller supports multiple Option links. This allows you to take advantage of failover and load balancing features to ensure certain internet dependent services are prioritized in the event of unstable Option connectivity on one of the ports.

Setup > Internet Settings > Option Mode

To use Auto Failover or Load Balancing, Option link failure detection must be configured. This involves accessing DNS servers on the internet or pinging an internet address (user defined). If required, you can configure the number of retry attempts when the link seems to be disconnected or the threshold of failures that determines if an Option port is down.

6.3.1 Auto Failover

In this case one of your Option ports is assigned as the primary internet link for all internet traffic. The secondary Option port is used for redundancy in case the primary link goes down for any reason. Both Option ports (primary and secondary) must be configured to connect to the respective ISPs before enabling this feature. The secondary Option port will remain unconnected until a failure is detected on the primary link (either port can be assigned as the primary). In the event of a failure on the primary port, all internet traffic will be rolled over to the backup port. When configured in Auto Failover mode, the link status of the primary Option port is checked at regular intervals as defined by the failure detection settings.

Note that both Option1 and Option2 can be configured as the primary internet link.
Auto-Rollover using Option port
Primary Option: Selected Option is the primary link (Option1/Option2).
Secondary Option: Selected Option is the secondary link.

Failover Detection Settings: To check connectivity of the primary internet link, one of the following failure detection methods can be selected:
DNS lookup using Option DNS Servers: DNS Lookup of the DNS Servers of the primary link is used to detect primary Option connectivity.
DNS lookup using Option Servers: DNS Lookup of the custom DNS Servers can be specified to check the connectivity of the primary link.
Ping these IP addresses: These IPs will be pinged at regular intervals to check the connectivity of the primary link.
Retry Interval is: The number tells the controller how often it should run the above configured failure detection method.
Failover after: This sets the number of retries after which failover is initiated.

6.3.2 Load Balancing

This feature allows you to use multiple Option links (and presumably multiple ISPs) simultaneously. After configuring more than one Option port, the load balancing option is available to carry traffic over more than one link. Protocol bindings are used to segregate and assign services over one Option port in order to manage internet flow. The configured failure detection method is used at regular intervals on all configured Option ports when in Load Balancing mode.
DWC-1000 currently supports three algorithms for Load Balancing:

Round Robin: This algorithm is particularly useful when the connection speed of one Option port greatly differs from another. In this case you can define protocol bindings to route low-latency services (such as VOIP) over the higher-speed link and let low-volume background traffic (such as SMTP) go over the lower speed link. Protocol binding is explained in the next section.

Spill Over: If the Spill Over method is selected, Option1 acts as a dedicated link till a threshold is reached. After this, Option2 will be used for new connections. You can configure spill-over mode by using the following options:
  Load Tolerance: The percentage of bandwidth after which the controller switches to the secondary Option.
  Max Bandwidth: This sets the maximum bandwidth tolerable by the primary Option.
If the link bandwidth goes above the load tolerance value of max bandwidth, the controller will spill over the next connections to the secondary Option.
For example, suppose the maximum bandwidth of the primary Option is 1 Kbps and the load tolerance is set to 70. Every time a new connection is established the bandwidth increases. After a certain number of connections, say the bandwidth has reached 70% of 1 Kbps, the new connections will be spilled over to the secondary Option. The maximum value of load tolerance is 80 and the least is 20.
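The Spill Over settings above can be traced connection by connection. The following Python sketch is an added example, not the controller's implementation: the class and function names are hypothetical, "reached" is read as greater than or equal to the threshold, and the per-connection rates are constructed sample values.

```python
MIN_TOLERANCE_PCT = 20   # least load tolerance the page allows
MAX_TOLERANCE_PCT = 80   # maximum load tolerance the page allows


class SpillOver:
    """Hypothetical model of the spill-over decision for new connections."""

    def __init__(self, max_bandwidth_bps, load_tolerance_pct):
        if max_bandwidth_bps <= 0:
            raise ValueError("max bandwidth must be positive")
        if not MIN_TOLERANCE_PCT <= load_tolerance_pct <= MAX_TOLERANCE_PCT:
            raise ValueError("load tolerance must be between 20 and 80")
        self.max_bandwidth_bps = max_bandwidth_bps
        self.load_tolerance_pct = load_tolerance_pct
        self.primary_load_bps = 0

    def threshold_reached(self):
        # Integer comparison of load / max >= tolerance / 100 avoids float rounding.
        return (self.primary_load_bps * 100
                >= self.max_bandwidth_bps * self.load_tolerance_pct)

    def new_connection(self, bandwidth_bps):
        """Return the Option port that carries a new connection."""
        if self.threshold_reached():
            return "Option2"
        # The check happens before the connection is admitted, so the connection
        # that crosses the threshold still lands on Option1.
        self.primary_load_bps += bandwidth_bps
        return "Option1"


def simulate(max_bandwidth_bps, load_tolerance_pct, connection_rates_bps):
    """Assign each connection in arrival order and return the chosen ports."""
    balancer = SpillOver(max_bandwidth_bps, load_tolerance_pct)
    return [balancer.new_connection(rate) for rate in connection_rates_bps]


if __name__ == "__main__":
    # The page's case: 1 Kbps maximum bandwidth, load tolerance 70.
    # Ten constructed connections of 100 bps each.
    print(simulate(1000, 70, [100] * 10))
    # One large connection can push Option1 past the threshold before spill-over.
    print(simulate(1000, 70, [650, 200, 50]))
```

With uneven connection sizes the primary link can end up carrying more than the tolerance percentage, which matters when sizing Max Bandwidth against the real link rate.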
Protocol Bindings: Refer to Section 6.3.3 for details.

Load balancing is particularly useful when the connection speed of one Option port greatly differs from another. In this case you can define protocol bindings to route low-latency services (such as VOIP) over the higher-speed link and let low-volume background traffic (such as SMTP) go over the lower speed link.

Figure 95: Load Balancing is available when multiple Option ports are configured and Protocol Bindings have been defined

6.3.3 Protocol Bindings
Advanced > Routing > Protocol Bindings

Protocol bindings are required when the Load Balancing feature is in use. Choosing from a list of configured services or any of the user-defined services, the type of traffic can be assigned to go over only one of the available Option ports. For increased flexibility the source network or machines can be specified as well as the destination network or machines. For example the VOIP traffic for a set of LAN IP addresses can be assigned to one Option and any VOIP traffic from the remaining IP addresses can be assigned to the other Option link. Protocol bindings are only applicable when load balancing mode is enabled and more than one Option is configured.
Figure 96: Protocol binding setup to associate a service and/or LAN source to an Option and/or destination network

Service: Select one of the various services available for protocol binding.
Local Gateway: Select the port that sets the local gateway for this protocol binding (either option1 or option2).
Source Network: Select one of the following:
  Any: No specific network needs to be given.
  Single Address: Limit to one computer. Requires the IP address of the computer that will be part of the source network for this protocol binding.
  Address Range: Select if you want to allow computers within an IP address range to be a part of the source network. Requires Start address and End address.
Start Address: IP address from where the range needs to begin, or the single address if that is the source network selected.
End Address: IP address where the range needs to end.
Destination Network: Select one of the following:
  Any: No specific network needs to be given.
  Single Address: Limit to one computer. Requires the IP address of the computer that will be part of the destination network for this protocol binding.
  Address Range: Select if you want to allow computers within an IP address range to be a part of the destination network. Requires Start address and End address.
Start Address: IP address from where the range needs to begin, or the single address if that is the destination network selected.
End Address: IP address where the range needs to end.

6.4 Routing Configuration

Routing between the LAN and Option will impact the way this controller handles traffic that is received on any of its physical interfaces. The routing mode of the gateway is core to the behaviour of the traffic flow between the secure LAN and the internet.

6.4.1 Routing Mode
Setup > Internet Settings > Routing Mode

This device supports classical routing, network address translation (NAT), and transport mode routing.

With classical routing, devices on the LAN can be directly accessed from the internet by their public IP addresses (assuming appropriate firewall settings). If your ISP has assigned an IP address for each of the computers that you use, select Classic Routing.

NAT is a technique which allows several computers on a LAN to share an Internet connection. The computers on the LAN use a "private" IP address range while the Option port on the controller is configured with a single "public" IP address. Along with connection sharing, NAT also hides internal IP addresses from the computers on the Internet. NAT is required if your ISP has assigned only one IP address to you. The computers that connect through the controller will need to be assigned IP addresses from a private subnet.

Transparent routing between the LAN and Option does not perform NAT. Broadcast and multicast packets that arrive on the LAN interface are switched to the Option and vice versa, if they do not get filtered by firewall or VPN policies.
To maintain the LAN and Option in the same broadcast domain, select Transparent mode, which allows bridging of traffic from LAN to Option and vice versa, except for controller-terminated traffic and other management traffic. All DWC features are supported in transparent mode assuming the LAN and Option are configured to be in the same broadcast domain.

NAT routing has a feature called “NAT Hair-pinning” that allows internal network users on the LAN and DMZ to access internal servers (e.g. an internal FTP server) using their externally-known domain name. This is also referred to as “NAT loopback” since LAN generated traffic is redirected through the firewall to reach LAN servers by their external name.

Figure 97: Routing Mode is used to configure traffic routing between Option and LAN, as well as Dynamic routing (RIP)

6.4.2 Dynamic Routing (RIP)

The following feature is available upon licensed activation of VPN / Firewall features for the system.

Setup > Internet Settings > Routing Mode

Dynamic routing using the Routing Information Protocol (RIP) is an Interior Gateway Protocol (IGP) that is common in LANs. With RIP this controller can exchange routing information with other supported controllers in the LAN and allow for dynamic adjustment of routing tables in order to adapt to modifications in the LAN without interrupting traffic flow.

The RIP direction will define how this controller sends and receives RIP packets.
Choose between:
  Both: The controller both broadcasts its routing table and also processes RIP information received from other controllers. This is the recommended setting in order to fully utilize RIP capabilities.
  Out Only: The controller broadcasts its routing table periodically but does not accept RIP information from other controllers.
  In Only: The controller accepts RIP information from other controllers, but does not broadcast its routing table.
  None: The controller neither broadcasts its route table nor does it accept any RIP packets from other controllers. This effectively disables RIP.

The RIP version is dependent on the RIP support of other routing devices in the LAN.
  Disabled: This is the setting when RIP is disabled.
  RIP-1 is a class-based routing version that does not include subnet information. This is the most commonly supported version.
  RIP-2 includes all the functionality of RIPv1 plus it supports subnet information. Though the data is sent in RIP-2 format for both RIP-2B and RIP-2M, the mode in which packets are sent is different. RIP-2B broadcasts data in the entire subnet while RIP-2M sends data to multicast addresses.

If RIP-2B or RIP-2M is the selected version, authentication between this controller and other controllers (configured with the same RIP version) is required. MD5 authentication is used in a first/second key exchange process.
The authentication key validity lifetimes are configurable to ensure that the routing information exchange is with current and supported controllers detected on the LAN.

6.4.3 Static Routing

Advanced > Routing > Static Routing
Advanced > IPv6 > IPv6 Static Routing

Manually adding static routes to this device allows you to define the path selection of traffic from one interface to another. There is no communication between this controller and other devices to account for changes in the path; once configured the static route will be active and effective until the network changes.

The List of Static Routes displays all routes that have been added manually by an administrator and allows several operations on the static routes. The List of IPv4 Static Routes and List of IPv6 Static Routes share the same fields (with one exception):

Name: Name of the route, for identification and management.
Active: Determines whether the route is active or inactive. A route can be added to the table and made inactive, if not needed. This allows routes to be used as needed without deleting and re-adding the entry. An inactive route is not broadcast if RIP is enabled.
Private: Determines whether the route can be shared with other controllers when RIP is enabled. If the route is made private, then the route will not be shared in a RIP broadcast or multicast. This is only applicable for IPv4 static routes.
Destination: The route will lead to this destination host or IP address.
IP Subnet Mask: This is valid for IPv4 networks only, and identifies the subnet that is affected by this static route.
Interface: The physical network interface (Option 1, Option 2, DMZ or LAN), through which this route is accessible.
Gateway: IP address of the gateway through which the destination host or network can be reached.
Metric: Determines the priority of the route. If multiple routes to the same destination exist, the route with the lowest metric is chosen.

Figure 98: Static route configuration fields

6.5 OSPF

Advanced > Routing > OSPF
Advanced > IPv6 > OSPF

This page shows the OSPFv2 and OSPFv3 parameters configured on the controller. You can also edit the configured parameters from the OSPF configuration page.

Figure 99: OSPFv2 status – IPv4
Figure 100: OSPFv3 status – IPv6
Figure 101: OSPFv2 Configuration

OSPFv2 Enable: A check box to enable/disable OSPFv2.
Interface: The physical network interface on which OSPFv2 is Enabled/Disabled.
Area: The area to which the interface belongs. Enter values from 1 to 255. When two routers share a common segment, their interfaces have to belong to the same area on that segment. The interfaces should belong to the same subnet and have similar mask.
Priority: Helps to determine the OSPFv2 designated router for a network. The router with the highest priority will be more eligible to become Designated Router. Setting the value to 0 makes the router ineligible to become Designated Router. The default value is 1. Lower value means higher priority.
HelloInterval: The number of seconds for the Hello Interval timer value. When this value is set, a Hello packet is sent every timer value seconds on the specified interface. This value must be the same for all routers attached to a common network. The default value is 10 seconds.
DeadInterval: The number of seconds that a device’s hello packets must not have been seen before its neighbors declare the OSPF router down. This value must be the same for all routers attached to a common network. The default value is 40 seconds. OSPF requires these intervals to be exactly the same between two neighbors. If any of these intervals are different, these routers will not become neighbors on a particular segment.
Cost: The cost of sending a packet on an OSPFv2 interface.
Authentication Type: This column displays the type of authentication to be used for OSPFv2. If Authentication Type is None, the interface does not authenticate OSPF packets. If Authentication Type is Simple, then OSPF packets are authenticated using a simple text key. If Authentication Type is MD5, then the interface authenticates OSPF packets with MD5 authentication.
Authentication Key: Assign a specific password to be used by neighboring OSPF routers on a network segment that is using Authentication. Routers in the same area that want to participate in the routing domain will have to be configured with the same key.
Md5 Key Id: Input the unique MD-5 key ID to be used by neighboring OSPF routers on a network segment that is using Authentication
Type as MD5.
Md5 Authentication Key: Input the auth key for this MD5 key to be used by neighboring OSPF routers on a network segment that is using Authentication Type as MD5.

6.6 6to4 Tunneling

Advanced > IPv6 > 6to4 Tunneling

6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network. Select the check box to Enable Automatic Tunneling and allow traffic from an IPv6 LAN to be sent over an IPv4 Option to reach a remote IPv6 network.

Figure 102: 6to4 Tunneling

6.7 IGMP Setup

The following feature is available upon licensed activation of VPN / Firewall features for the system.

Advanced > Advanced Network > IGMP Setup

Active IGMP snooping is referred to as IGMP proxy. When in use, IGMP packets through the LAN are filtered in order to reduce the amount of multicast traffic in the network.

Figure 103: IGMP Setup

Enable IGMP Proxy: Check this to enable IGMP proxy on this LAN.
Allowed Network Addresses: All the IP network addresses / host addresses of the multicast sources are listed here.
Network Address: The IP network or the host address of the multicast source.
Mask Length: The length of the subnet mask.

The following actions are supported from this page:
Add: To add a network/host address along with mask length.
Edit: To edit a network/host address along with mask length.
Delete: To delete a network/host address along with mask length.
6.8 Option Port Settings

Advanced > Advanced Network > Option Port Setup

The physical port settings for each Option link can be defined here. If your ISP account defines the Option port speed or is associated with a MAC address, this information is required by the controller to ensure a smooth connection with the network.

The default MTU size supported by all ports is 1500. This is the largest packet size that can pass through the interface without fragmentation. This size can be increased, however large packets can introduce network lag and bring down the interface speed. Note that a 1500 byte size packet is the largest allowed by the Ethernet protocol at the network layer.

The port speed can be sensed by the controller when Auto is selected. With this option the optimal port settings are determined by the controller and network. The duplex (half or full) can be defined based on the port support, as well as one of three port speeds: 10 Mbps, 100 Mbps and 1000 Mbps (i.e. 1 Gbps). The default setting is 100 Mbps for all ports.

The default MAC address is defined during the manufacturing process for the interfaces, and can uniquely identify this controller. You can customize each Option port’s MAC address as needed, either by letting the Option port assume the current LAN host’s MAC address or by entering a MAC address manually.

Figure 104: Physical Option port settings

6.9 IP Aliases

The following feature is available upon licensed activation of VPN / Firewall features for the system.
Setup > Internet Settings > IP Aliases

The List of IP Aliases displays the configured IP Aliases on the controller.

Figure 105: IP Aliases

Interface Name: The interface on which the Alias was configured.
IP Address: The IP Address of the configured IP Alias.
Subnet Mask: The Subnet Mask of the configured IP Alias.

The following actions are supported from this page:
Edit: Opens the IP Alias configuration page to edit the selected IP Alias.
Add: Opens the IP Alias configuration page to add a new IP Alias.
Delete: Deletes the selected IP Aliases.

Chapter 7. Securing the Private Network

The following feature is available upon licensed activation of VPN / Firewall features for the system.

You can secure your network by creating and applying rules that your controller uses to selectively block and allow inbound and outbound Internet traffic. You then specify how and to whom the rules apply.
To do so, you must define the following:
  Services or traffic types (examples: web browsing, VoIP, other standard services and also custom services that you define)
  Direction for the traffic by specifying the source and destination of traffic; this is done by specifying the “From Zone” (LAN/Option/DMZ) and “To Zone” (LAN/Option/DMZ)
  Schedules as to when the controller should apply rules
  Any Keywords (in a domain name or on a URL of a web page) that the controller should allow or block
  Rules for allowing or blocking inbound and outbound Internet traffic for specified services on specified schedules
  MAC addresses of devices that should not access the internet
  Port triggers that signal the controller to allow or block access to specified services as defined by port number
  Reports and alerts that you want the controller to send to you

You can, for example, establish restricted-access policies based on time-of-day, web addresses, and web address keywords. You can block Internet access by applications and services on the LAN, such as chat rooms or games. You can block just certain groups of PCs on your network from being accessed by the Option or public DMZ network.

7.1 Firewall Rules

Advanced > Firewall Settings > Firewall Rules

Inbound (Option to LAN/DMZ) rules restrict access to traffic entering your network, selectively allowing only specific outside users to access specific local resources.
By default all access from the insecure Option side is blocked from accessing the secure LAN, except in response to requests from the Option or DMZ. To allow outside devices to access services on the secure LAN, you must create an inbound firewall rule for each service.

If you want to allow incoming traffic, you must make the controller’s Option port IP address known to the public. This is called “exposing your host.” How you make your address known depends on how the Option ports are configured; for this controller you may use the IP address if a static address is assigned to the Option port, or if your Option address is dynamic a DDNS (Dynamic DNS) name can be used.

Outbound (LAN/DMZ to Option) rules restrict access to traffic leaving your network, selectively allowing only specific local users to access specific outside resources. The default outbound rule is to allow access from the secure zone (LAN) to either the public DMZ or insecure Option. On the other hand, the default outbound rule is to deny access from DMZ to insecure Option. You can change this default behaviour in the Firewall Settings > Default Outbound Policy page. When the default outbound policy is allow always, you can block hosts on the LAN from accessing internet services by creating an outbound firewall rule for each service.

Figure 106: List of Available Firewall Rules

7.2 Defining Rule Schedules

Tools > Schedules

Firewall rules can be enabled or disabled automatically if they are associated with a configured schedule.
The schedule configuration page allows you to define days of the week and the time of day for a new schedule, and then this schedule can be selected in the firewall rule configuration page.

All schedules will follow the time in the controller’s configured time zone. Refer to the section on choosing your Time Zone and configuring NTP servers for more information.

Figure 107: List of Available Schedules to bind to a firewall rule

7.3 Configuring Firewall Rules

The following feature is available upon licensed activation of VPN / Firewall features for the system.

Advanced > Firewall Settings > Firewall Rules

All configured firewall rules on the controller are displayed in the Firewall Rules list. This list also indicates whether the rule is enabled (active) or not, and gives a summary of the From/To zone as well as the services or users that the rule affects.

To create a new firewall rule, follow the steps below:

1. View the existing rules in the List of Available Firewall Rules table.
2. To edit or add an outbound or inbound services rule, do the following:
   To edit a rule, click the checkbox next to the rule and click Edit to reach that rule’s configuration page.
   To add a new rule, click Add to be taken to a new rule’s configuration page. Once created, the new rule is automatically added to the original table.
3. Choose the From Zone to be the source of originating traffic: either the secure LAN, public DMZ, or insecure Option. For an inbound rule Option should be selected as the From Zone.
4. Choose the To Zone to be the destination of traffic covered by this rule.
   If the From Zone is the Option, the To Zone can be the public DMZ or secure LAN. Similarly if the From Zone is the LAN, then the To Zone can be the public DMZ or insecure Option.
5. Parameters that define the firewall rule include the following:
   Service: ANY means all traffic is affected by this rule. For a specific service the drop down list has common services, or you can select a custom defined service.
   Action & Schedule: Select one of the 4 actions that this rule defines: BLOCK always, ALLOW always, BLOCK by schedule otherwise ALLOW, or ALLOW by schedule otherwise BLOCK. A schedule must be preconfigured in order for it to be available in the dropdown list to assign to this rule.
   Source & Destination users: For each relevant category, select the users to which the rule applies:
     Any (all users)
     Single Address (enter an IP address)
     Address Range (enter the appropriate IP address range)
   Log: Traffic that is filtered by this rule can be logged; this requires configuring the controller’s logging feature separately.
   QoS Priority: Outbound rules (where To Zone = insecure Option only) can have the traffic marked with a QoS priority tag. Select a priority level:
     Normal-Service: ToS=0 (lowest QoS)
     Minimize-Cost: ToS=1
     Maximize-Reliability: ToS=2
     Maximize-Throughput: ToS=4
     Minimize-Delay: ToS=8 (highest QoS)
6. Inbound rules can use Destination NAT (DNAT) for managing traffic from the Option. Destination NAT is available when the To Zone = DMZ or secure LAN.
   With an inbound allow rule you can enter the internal server address that is hosting the selected service.
   You can enable port forwarding for an incoming service specific rule (From Zone = Option) by selecting the appropriate checkbox. This will allow the selected service traffic from the internet to reach the appropriate LAN port via a port forwarding rule.
   Translate Port Number: With port forwarding, the incoming traffic is forwarded to the port number entered here.
   External IP address: The rule can be bound to a specific Option interface by selecting either the primary Option or configurable port Option as the source IP address for incoming traffic.

This controller supports multi-NAT and so the External IP address does not necessarily have to be the Option address. On a single Option interface, multiple public IP addresses are supported. If your ISP assigns you more than one public IP address, one of these can be used as your primary IP address on the Option port, and the others can be assigned to servers on the LAN or DMZ. In this way the LAN/DMZ server can be accessed from the internet by its aliased public IP address.

7. Outbound rules can use Source NAT (SNAT) in order to map (bind) all LAN/DMZ traffic matching the rule parameters to a specific Option interface or external IP address (usually provided by your ISP).

Once the new or modified rule parameters are saved, the rule appears in the master list of firewall rules. To enable or disable a rule, click the checkbox next to the rule in the list of firewall rules and choose Enable or Disable.

The controller applies firewall rules in the order listed.
As a general rule, you should move the strictest rules (those with the most specific services or addresses) to the top of the list. To reorder rules, click the checkbox next to a rule and click up or down.

Figure 108: Example where an outbound SNAT rule is used to map an external IP address (209.156.200.225) to a private DMZ IP address (10.30.30.30)

Figure 109: The firewall rule configuration page allows you to define the To/From zone, service, action, schedules, and specify source/destination IP addresses as needed.

7.3.1 Firewall Rule Configuration Examples

Example 1: Allow inbound HTTP traffic to the DMZ

Situation: You host a public web server on your local DMZ network. You want to allow inbound HTTP requests from any outside IP address to the IP address of your web server at any time of day.

Solution: Create an inbound rule as follows.

Parameter                         Value
From Zone                         Insecure (Option 1/Option2)
To Zone                           Public (DMZ)
Service                           HTTP
Action                            ALLOW always
Send to Local Server (DNAT IP)    192.168.5.2 (web server IP address)
Destination Users                 Any
Log                               Never

Example 2: Allow video conferencing from range of outside IP addresses

Situation: You want to allow incoming video conferencing to be initiated from a restricted range of outside IP addresses (132.177.88.2 - 132.177.88.254), from a branch office.

Solution: Create an inbound rule as follows. In the example, CUSeeMe (the video conference service used) connections are allowed only from a specified range of external IP addresses.
Parameter                         Value
From Zone                         Insecure (Option 1/Option2)
To Zone                           Secure (LAN)
Service                           CU-SEEME:UDP
Action                            ALLOW always
Send to Local Server (DNAT IP)    192.168.10.11
Destination Users                 Address Range
From                              132.177.88.2
To                                134.177.88.254
Enable Port Forwarding            Yes (enabled)

Example 3: Multi-NAT configuration

Situation: You want to configure multi-NAT to support multiple public IP addresses on one Option port interface.

Solution: Create an inbound rule that configures the firewall to host an additional public IP address. Associate this address with a web server on the DMZ. If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN. One of these public IP addresses is used as the primary IP address of the controller. This address is used to provide Internet access to your LAN PCs through NAT. The other addresses are available to map to your DMZ servers.

The following addressing scheme is used to illustrate this procedure:
  Option IP address: 10.1.0.118
  LAN IP address: 192.168.10.1; subnet 255.255.255.0
  Web server host in the DMZ, IP address: 192.168.12.222
  Access to Web server: (simulated) public IP address 10.1.0.52

Parameter                         Value
From Zone                         Insecure (Option 1/Option 2)
To Zone                           Public (DMZ)
Service                           HTTP
Action                            ALLOW always
Send to Local Server (DNAT IP)    192.168.12.222 (web server local IP address)
Destination Users                 Single Address
From                              10.1.0.52
Option Users                      Any
Log                               Never

Example 4: Block traffic by schedule if generated from specific range of machines

Use Case: Block all HTTP traffic on the weekends if the request originates from a specific group of machines in the LAN having a known range of IP addresses, and anyone coming in through the Network from the Option (i.e. all remote users).

Configuration:

1. Setup a schedule:
   To set up a schedule that affects traffic on weekends only, navigate to Security: Schedule, and name the schedule “Weekend”.
   Define “weekend” to mean 12 am Saturday morning to 12 am Monday morning – all day Saturday & Sunday.
   In the Scheduled days box, check that you want the schedule to be active for “specific days”. Select “Saturday” and “Sunday”.
   In the scheduled time of day, select “all day” – this will apply the schedule between 12 am to 11:59 pm of the selected day.
   Click apply – now schedule “Weekend” isolates all day Saturday and Sunday from the rest of the week.

Figure 110: Schedule configuration for the above example.

2. Since we are trying to block HTTP requests, it is a service with To Zone: Insecure (Option 1/Option2) that is to be blocked according to schedule “Weekend”.
3. Select the Action to “Block by Schedule, otherwise allow”.
   This will take a predefined schedule and make sure the rule is a blocking rule during the defined dates/times. All other times outside the schedule will not be affected by this firewall blocking rule.
4. As we defined our schedule in schedule “Weekend”, this is available in the dropdown menu.
5. We want to block the IP range assigned to the marketing group. Let’s say they have IP 192.168.10.20 to 192.168.10.30. On the Source Users dropdown, select Address Range and add this IP range as the From and To IP addresses.
6. We want to block all HTTP traffic to any services going to the insecure zone. The Destination Users dropdown should be “any”.
7. We don’t need to change default QoS priority or Logging (unless desired) – clicking apply will add this firewall rule to the list of firewall rules.
8. The last step is to enable this firewall rule. Select the rule, and click “enable” below the list to make sure the firewall rule is active.

7.4 Security on Custom Services

Advanced > Firewall Settings > Custom Services

Custom services can be defined to add to the list of services available during firewall rule configuration. While common services have known TCP/UDP/ICMP ports for traffic, many custom or uncommon applications exist in the LAN or Option. In the custom service configuration menu you can define a range of ports and identify the traffic type (TCP/UDP/ICMP) for this service. Once defined, the new service will appear in the services list of the firewall rules configuration menu.

Figure 111: List of user defined services.
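The weekend rule from Example 4 (section 7.3.1) and the advice in section 7.3 to keep the strictest rules at the top of the list can be checked offline with a small model. This is an added example, not D-Link code: it assumes the first matching rule in the list decides, and the rule names, the broad allow-all-lan rule and the dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# The four actions listed under "Action & Schedule" in section 7.3.
BLOCK_ALWAYS = "BLOCK always"
ALLOW_ALWAYS = "ALLOW always"
BLOCK_BY_SCHEDULE = "BLOCK by schedule otherwise ALLOW"
ALLOW_BY_SCHEDULE = "ALLOW by schedule otherwise BLOCK"


@dataclass(frozen=True)
class Schedule:
    name: str
    days: frozenset  # weekday numbers, Monday=0 .. Sunday=6, active all day

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days


@dataclass(frozen=True)
class Rule:
    name: str
    service: str                       # "ANY" or a service name such as "HTTP"
    action: str
    src_start: Optional[str] = None    # None models Source Users = Any
    src_end: Optional[str] = None      # None with src_start set = Single Address
    schedule: Optional[Schedule] = None

    def __post_init__(self):
        # The manual requires a preconfigured schedule for the by-schedule actions.
        if self.action in (BLOCK_BY_SCHEDULE, ALLOW_BY_SCHEDULE) and self.schedule is None:
            raise ValueError(f"rule {self.name!r} needs a schedule")

    def bounds(self) -> Tuple[int, int]:
        """Source range as integers; Any covers the whole IPv4 space."""
        if self.src_start is None:
            return 0, 2**32 - 1
        lo = int(IPv4Address(self.src_start))
        hi = int(IPv4Address(self.src_end or self.src_start))
        if lo > hi:
            raise ValueError(f"rule {self.name!r}: start address is above end address")
        return lo, hi

    def matches(self, service: str, src: str) -> bool:
        lo, hi = self.bounds()
        return self.service in ("ANY", service) and lo <= int(IPv4Address(src)) <= hi

    def verdict(self, when: datetime) -> str:
        if self.action == BLOCK_ALWAYS:
            return "BLOCK"
        if self.action == ALLOW_ALWAYS:
            return "ALLOW"
        in_window = self.schedule.active(when)
        if self.action == BLOCK_BY_SCHEDULE:
            return "BLOCK" if in_window else "ALLOW"
        return "ALLOW" if in_window else "BLOCK"


def evaluate(rules: List[Rule], service: str, src: str, when: datetime,
             default: str = "ALLOW") -> Tuple[str, str]:
    """Return (verdict, deciding rule). Assumes the first matching rule decides."""
    for rule in rules:
        if rule.matches(service, src):
            return rule.verdict(when), rule.name
    return default, "default outbound policy"


def shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Pairs (earlier, later) where the earlier rule matches everything the later one does."""
    found = []
    for i, later in enumerate(rules):
        l_lo, l_hi = later.bounds()
        for earlier in rules[:i]:
            e_lo, e_hi = earlier.bounds()
            if earlier.service in ("ANY", later.service) and e_lo <= l_lo and l_hi <= e_hi:
                found.append((earlier.name, later.name))
                break
    return found


# Constructed sample data: the "Weekend" schedule and marketing range from Example 4.
WEEKEND = Schedule("Weekend", frozenset({5, 6}))
MARKETING_BLOCK = Rule("weekend-http-block", "HTTP", BLOCK_BY_SCHEDULE,
                       "192.168.10.20", "192.168.10.30", WEEKEND)
ALLOW_ALL = Rule("allow-all-lan", "ANY", ALLOW_ALWAYS)   # hypothetical broad rule
SATURDAY = datetime(2011, 10, 1, 14, 0)   # a Saturday
MONDAY = datetime(2011, 10, 3, 9, 0)      # a Monday

if __name__ == "__main__":
    for order in ([MARKETING_BLOCK, ALLOW_ALL], [ALLOW_ALL, MARKETING_BLOCK]):
        print([r.name for r in order],
              evaluate(order, "HTTP", "192.168.10.25", SATURDAY), shadowed(order))
```

With the broad rule listed first, the weekend block is never reached; `shadowed` reports that ordering so it can be caught before the rule list is saved.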
7.5 ALG support

Advanced > Firewall Settings > ALGs

Application Level Gateways (ALGs) are security components that enhance the firewall and NAT support of this controller to seamlessly support application layer protocols. In some cases enabling the ALG will allow the firewall to use dynamic ephemeral TCP/UDP ports to communicate with the known ports a particular client application (such as H.323 or RTSP) requires, without which the admin would have to open a large number of ports to accomplish the same support. Because the ALG understands the protocol used by the specific application that it supports, it is a very secure and efficient way of introducing support for client applications through the controller’s firewall.

Figure 112: Available ALG support on the controller.

7.6 VPN Passthrough for Firewall

Advanced > Firewall Settings > VPN Passthrough

This controller’s firewall settings can be configured to allow encrypted VPN traffic for IPsec, PPTP, and L2TP VPN tunnel connections between the LAN and internet. A specific firewall rule or service is not appropriate to introduce this passthrough support; instead the appropriate check boxes in the VPN Passthrough page must be enabled.

Figure 113: Passthrough options for VPN tunnels

7.7 Client

Advanced > Client

The Known Client Summary shows the wireless clients currently in the Known Client Database and allows you to add new clients or modify existing clients to the database.

MAC Address: Shows the MAC address of the known client.
Name: Shows the descriptive name configured for the client when it was added to the Known Client database.
Authentication Action: When MAC authentication is enabled on the network, this field shows the action to take on a wireless client. The following options are available.
Grant: Allow the client with the specified MAC address to access the network.
Deny: Prohibit the client with the specified MAC address from accessing the network.
Global Action: Use the global white-list or black-list action configured on the Advanced Global Configuration page to determine how to handle the client.
Figure 114: List of Known Clients
The following actions are supported from this page:
Add: Adds a client with the MAC address you enter in the field to the Known Client database.
Delete: Removes the selected client from the Known Client database.
Edit: Changes the setting of a particular MAC address.

7.8 Application Rules
The following feature is available upon licensed activation of VPN / Firewall features for the system.
Advanced > Application Rules > Application Rules
Application rules are also referred to as port triggering. This feature allows devices on the LAN or DMZ to request one or more ports to be forwarded to them. Port triggering waits for an outbound request from the LAN/DMZ on one of the defined outgoing ports, and then opens an incoming port for that specified type of traffic.
This can be thought of as a form of dynamic port forwarding while an application is transmitting data over the opened outgoing or incoming port(s).
Port triggering application rules are more flexible than static port forwarding that is an available option when configuring firewall rules. This is because a port triggering rule does not have to reference a specific LAN IP or IP range. As well, ports are not left open when not in use, thereby providing a level of security that port forwarding does not offer.
Port triggering is not appropriate for servers on the LAN, since there is a dependency on the LAN device making an outgoing connection before incoming ports are opened.
Some applications require that when external devices connect to them, they receive data on a specific port or range of ports in order to function properly. The controller must send all incoming data for that application only on the required port or range of ports. The controller has a list of common applications and games with corresponding outbound and inbound ports to open. You can also specify a port triggering rule by defining the type of traffic (TCP or UDP) and the range of incoming and outgoing ports to open when enabled.
Figure 115: List of Available Application Rules showing 4 unique rules
The application rule status page will list any active rules, i.e. incoming ports that are being triggered based on outbound requests from a defined outgoing port.
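A toy model of the port-triggering behaviour described in this section, added here as an illustration and not taken from the manual or the DWC-1000 firmware. The class and field names, the sample rule and the idle timeout value are assumptions.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 600  # assumed: seconds an opened port stays mapped without traffic


@dataclass(frozen=True)
class TriggerRule:
    name: str
    proto: str        # "tcp" or "udp"
    outgoing: range   # trigger ports watched on LAN/DMZ -> Option traffic
    incoming: range   # ports opened back toward the host that triggered


@dataclass
class PortTriggerTable:
    rules: list
    active: dict = field(default_factory=dict)  # (proto, port) -> (lan_ip, expiry)

    def outbound(self, lan_ip, proto, dport, now):
        """LAN host sends to dport; open the incoming ports of every matching rule."""
        fired = []
        for rule in self.rules:
            if rule.proto == proto and dport in rule.outgoing:
                for port in rule.incoming:
                    # No LAN IP is configured in the rule: the mapping follows
                    # whichever host triggered most recently.
                    self.active[(proto, port)] = (lan_ip, now + IDLE_TIMEOUT)
                fired.append(rule.name)
        return fired

    def inbound(self, proto, dport, now):
        """Packet from the Option side; return the LAN host to forward to, or None (drop)."""
        entry = self.active.get((proto, dport))
        if entry is None:
            return None                       # never triggered: port is closed
        lan_ip, expiry = entry
        if now >= expiry:
            del self.active[(proto, dport)]   # port closes again when not in use
            return None
        self.active[(proto, dport)] = (lan_ip, now + IDLE_TIMEOUT)
        return lan_ip

    def status(self, now):
        """Rough equivalent of a rule status view: incoming ports currently open."""
        return sorted((p, port, ip)
                      for (p, port), (ip, exp) in self.active.items() if now < exp)


def demo():
    # Constructed rule and addresses, for illustration only.
    rule = TriggerRule("example-game", "udp", range(6000, 6011), range(7000, 7003))
    table = PortTriggerTable([rule])
    results = {}
    # A LAN server that never sends outbound traffic stays unreachable.
    results["before_trigger"] = table.inbound("udp", 7001, now=0)
    results["fired"] = table.outbound("192.168.10.25", "udp", 6005, now=10)
    results["after_trigger"] = table.inbound("udp", 7001, now=20)
    results["wrong_proto"] = table.inbound("tcp", 7001, now=20)
    results["open_ports"] = table.status(now=30)
    results["after_idle"] = table.inbound("udp", 7002, now=10 + IDLE_TIMEOUT)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The `before_trigger` case is the reason the section rules out port triggering for LAN servers: nothing is forwarded until the LAN host itself has sent traffic on a trigger port.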

7.9 Application Rules Status
Advanced > Application Rules > Application Rules Status
This page displays the list of available application rules and their corresponding status.
Figure 116: List of Available Application Rules and corresponding status.

7.10 Web Content Filtering
The gateway offers some standard web filtering options to allow the admin to easily create internet access policies between the secure LAN and insecure Option. Instead of creating policies based on the type of traffic (as is the case when using firewall rules), web based content itself can be used to determine if traffic is allowed or dropped.

7.10.1 Content Filtering
The following feature is available upon licensed activation of VPN / Firewall features for the system.
Advanced > Website Filter > Content Filtering
Content filtering must be enabled to configure and use the subsequent features (list of Trusted Domains, filtering on Blocked Keywords, etc.). Proxy servers, which can be used to circumvent certain firewall rules and thus present a potential security gap, can be blocked for all LAN devices. Java applets can be prevented from being downloaded from internet sites, and similarly the gateway can prevent ActiveX controls from being downloaded via Internet Explorer. For added security, cookies, which typically contain session information, can be blocked as well for all devices on the private network.
Figure 117: Content Filtering used to block access to proxy servers and prevent ActiveX controls from being downloaded

7.10.2 Approved URLs
Advanced > Website Filter > Approved URLs
The Approved URLs is an acceptance list for all URL domain names. Domains added to this list are allowed in any form. For example, if the domain "yahoo" is added to this list then all of the following URLs are permitted access from the LAN: www.yahoo.com, yahoo.co.uk, etc. Import/export from a text or CSV file for Approved URLs is also supported.
Figure 118: Two trusted domains added to the Approved URLs List

7.10.3 Blocked Keywords
Advanced > Website Filter > Blocked Keywords
Keyword blocking allows you to block all website URLs or site content that contains the keywords in the configured list. This is lower priority than the Approved URL List; i.e. if the blocked keyword is present in a site allowed by a Trusted Domain in the Approved URL List, then access to that site will be allowed. Import/export from a text or CSV file for keyword blocking is also supported.
Figure 119: One keyword added to the block list

7.10.4 Export Web Filter
Advanced > Website Filter > Export
Export Approved URLs: Feature enables the user to export the URLs to be allowed to a csv file which can then be downloaded to the local host. The user has to click the export button to get the csv file.
Export Blocked Keywords: This feature enables the user to export the keywords to be blocked to a csv file which can then be downloaded to the local host.
The user has to click the export button to get the csv file.
Figure 120: Export Approved URL list

7.11 IP/MAC Binding
Advanced > IP/MAC Binding
Another available security measure is to only allow outbound traffic (from the LAN to Option) when the LAN node has an IP address matching the MAC address bound to it. This is IP/MAC Binding, and by having the gateway validate the source traffic's IP address against the unique MAC address of the configured LAN node, the administrator can ensure traffic from that IP address is not spoofed. In the event of a violation (i.e. the traffic's source IP address doesn't match up with the expected MAC address having the same IP address) the packets will be dropped and can be logged for diagnosis.
Figure 121: Example binding a LAN host's MAC Address to a served IP address
In the above example, if there is an IP/MAC Binding violation, the violating packet will be dropped and logs will be captured.

7.12 RADIUS Settings
Advanced > RADIUS Settings
From the RADIUS Server Configuration page, you can add a new RADIUS server, configure settings for a new or existing RADIUS server, and view RADIUS server status information.
Figure 122: RADIUS Server Configuration
Authentication Server IP Address (Primary): IP address of the primary RADIUS authentication server.
Authentication Server IP Address (Secondary): IP address of the secondary RADIUS authentication server.
Authentication Port: RADIUS authentication server port to send RADIUS messages.
Secret: Secret key that allows the device to log in to the configured RADIUS server. It must match the secret on the RADIUS server.
Timeout: Set the amount of time, in seconds, the router should wait for a response from the RADIUS server.
Retries: This determines the number of tries the router will make to the RADIUS server before giving up.

7.13 Switch Settings
Advanced > Switch Settings
This page allows the user to enable/disable power saving and jumbo frames in the router.
Figure 123: Switch settings
Power Saving State: When enabled, the total power to the LAN controller is dependent on the number of connected ports. The overall current draw when a single port is connected is less than when all of the available LAN ports have an active Ethernet connection.
Length Detection State: When enabled the LAN controller will reduce the overall current supplied to the LAN port when a small cable length is connected to that port. Longer cables have higher resistance than shorter cables and require more power to transmit packets over that distance. This option will reduce the power to a LAN port if an Ethernet cable of less than 10 ft is detected as being connected to that port.
Jumbo Frames Option: When enabled, LAN side devices can exchange traffic containing jumbo frames.

7.14 Protecting from Internet Attacks
Advanced > Advanced Network > Attack Checks
Attacks can be malicious security breaches or unintentional network issues that render the controller unusable.
Attack checks allow you to manage Option security threats such as continual ping requests and discovery via ARP scans. TCP and UDP flood attack checks can be enabled to manage extreme usage of Option resources.
Additionally certain Denial-of-Service (DoS) attacks can be blocked. These attacks, if uninhibited, can use up processing power and bandwidth and prevent regular network services from running normally. ICMP packet flooding, SYN traffic flooding, and Echo storm thresholds can be configured to temporarily suspect traffic from the offending source.
Figure 124: Protecting the controller and LAN from internet attacks

Chapter 8. IPsec / PPTP / L2TP VPN
The following feature is available upon licensed activation of VPN / Firewall features for the system.
A VPN provides a secure communication channel ("tunnel") between two gateway controllers or a remote PC client. The following types of tunnels can be created:
Gateway-to-gateway VPN: to connect two or more controllers to secure traffic between remote sites.
Remote Client (client-to-gateway VPN tunnel): A remote client initiates a VPN tunnel as the IP address of the remote PC client is not known in advance. The gateway in this case acts as a responder.
Remote client behind a NAT controller: The client has a dynamic IP address and is behind a NAT controller. The remote PC client at the NAT controller initiates a VPN tunnel as the IP address of the remote NAT controller is not known in advance. The gateway Option port acts as responder.
Figure 125: Example of Gateway-to-Gateway IPsec VPN tunnel using two DWC controllers connected to the Internet
Figure 126: Example of three IPsec client connections to the internal network through the DWC IPsec gateway

8.1 VPN Wizard
Setup > Wizard > VPN Wizard
You can use the VPN wizard to quickly create both IKE and VPN policies. Once the IKE or VPN policy is created, you can modify it as required.
Figure 127: VPN Wizard launch screen
To easily establish a VPN tunnel using VPN Wizard, follow the steps below:
1. Select the VPN tunnel type to create
The tunnel can either be a gateway to gateway connection (site-to-site) or a tunnel to a host on the internet (remote access).
Set the Connection Name and pre-shared key: the connection name is used for management, and the pre-shared key will be required on the VPN client or gateway to establish the tunnel.
Determine the local gateway for this tunnel; if there is more than 1 Option configured the tunnel can be configured for either of the gateways.
2. Configure Remote and Local Option address for the tunnel endpoints
Remote Gateway Type: identify the remote endpoint of the tunnel by FQDN or static IP address
Remote Option IP address / FQDN: This field is enabled only if the peer you are trying to connect to is a Gateway. For VPN Clients, this IP address or Internet Name is determined when a connection request is received from a client.
Local Gateway Type: identify this controller's endpoint of the tunnel by FQDN or static IP address
Local Option IP address / FQDN: This field can be left blank if you are not using a different FQDN or IP address than the one specified in the Option port's configuration.
3. Configure the Secure Connection Remote Accessibility fields to identify the remote network:
Remote LAN IP address: address of the LAN behind the peer gateway
Remote LAN Subnet Mask: the subnet mask of the LAN behind the peer
Note: The IP address range used on the remote LAN must be different from the IP address range used on the local LAN.
4. Review the settings and click Connect to establish the tunnel.
The Wizard will create an Auto IPsec policy with the following default values for a VPN Client or Gateway policy (these can be accessed from a link on the Wizard page):

Parameter                  Default value from Wizard
Exchange Mode              Aggressive (Client policy) or Main (Gateway policy)
ID Type                    FQDN
Local Option ID            wan_local.com (only applies to Client policies)
Remote Option ID           wan_remote.com (only applies to Client policies)
Encryption Algorithm       3DES
Authentication Algorithm   SHA-1
Authentication Method      Pre-shared Key
PFS Key-Group              DH-Group 2 (1024 bit)
Life Time (Phase 1)        24 hours
Life Time (Phase 2)        8 hours
NETBIOS                    Enabled (only applies to Gateway policies)

The VPN Wizard is the recommended method to set up an Auto IPsec policy. Once the Wizard creates the matching IKE and VPN policies required by the Auto policy, one can modify the required fields through the edit link. Refer to the online help for details.
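A pre-flight check for the wizard inputs and defaults above, added here as an illustration and not part of the manual or the controller software. It validates the step 2 gateway identifier, enforces the step 3 note that local and remote LAN ranges must differ, and flags the default algorithms an administrator would normally change through the edit link; the function names, finding codes and the `min_psk_len` threshold are assumptions.

```python
import ipaddress
import re

# Default values exactly as listed in the wizard table above.
WIZARD_DEFAULTS = {
    "client": {"exchange_mode": "Aggressive", "encryption": "3DES", "auth_alg": "SHA-1",
               "auth_method": "Pre-shared Key", "pfs_group": "DH-Group 2 (1024 bit)"},
    "gateway": {"exchange_mode": "Main", "encryption": "3DES", "auth_alg": "SHA-1",
                "auth_method": "Pre-shared Key", "pfs_group": "DH-Group 2 (1024 bit)"},
}

_FQDN = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")


def endpoint_kind(value):
    """Classify a gateway identifier as 'ip', 'fqdn' or None (neither)."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "fqdn" if _FQDN.match(value) else None


def lan_network(ip, mask):
    """Build the network from the 'LAN IP address' and 'Subnet Mask' fields."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def preflight(policy_type, remote_gateway, local_lan, remote_lan, psk, min_psk_len=20):
    """Return a list of (code, message) findings; an empty list means nothing to fix."""
    findings = []
    # Step 2: only gateway policies name the peer; client peers are learned on connect.
    if policy_type == "gateway" and endpoint_kind(remote_gateway) is None:
        findings.append(("BAD_REMOTE_GATEWAY",
                         "remote gateway is neither a static IP nor an FQDN"))
    # Step 3 note: the two LAN ranges must not collide, or routing is ambiguous.
    local_net, remote_net = lan_network(*local_lan), lan_network(*remote_lan)
    if local_net.overlaps(remote_net):
        findings.append(("LAN_OVERLAP", f"local {local_net} overlaps remote {remote_net}"))
    defaults = WIZARD_DEFAULTS[policy_type]
    if defaults["encryption"] == "3DES":
        findings.append(("WEAK_ENCRYPTION",
                         "3DES is a legacy 64-bit block cipher; use AES if both peers offer it"))
    if defaults["auth_alg"] == "SHA-1":
        findings.append(("WEAK_HASH", "SHA-1 is legacy; use a SHA-2 option if both peers offer it"))
    if "1024" in defaults["pfs_group"]:
        findings.append(("WEAK_DH", "1024-bit DH group; use a 2048-bit or larger group if offered"))
    if defaults["auth_method"] == "Pre-shared Key":
        if len(psk) < min_psk_len:  # threshold is an assumption, not a manual value
            findings.append(("SHORT_PSK", f"pre-shared key shorter than {min_psk_len} characters"))
        if defaults["exchange_mode"] == "Aggressive":
            findings.append(("AGGRESSIVE_PSK",
                             "aggressive mode exposes a hash derived from the PSK; "
                             "key strength is the only protection against guessing"))
    return findings


if __name__ == "__main__":
    # Constructed sample input.
    for code, msg in preflight("gateway", "vpn.example.com",
                               ("192.168.10.1", "255.255.255.0"),
                               ("192.168.10.129", "255.255.255.128"),
                               "constructed-sample-passphrase"):
        print(code, "-", msg)
```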

Easy Setup Site to Site VPN Tunnel
If you find it difficult to configure VPN policies through VPN wizard use easy setup site to site VPN tunnel. This will add VPN policies by importing a file containing vpn policies.

8.2 Configuring IPsec Policies
Setup > VPN Settings > IPsec > IPsec Policies
An IPsec policy is between this controller and another gateway or this controller and an IPsec client on a remote host. The IPsec mode can be either tunnel or transport depending on the network being traversed between the two policy endpoints.
Transport: This is used for end-to-end communication between this controller and the tunnel endpoint, either another IPsec gateway or an IPsec VPN client on a host. Only the data payload is encrypted and the IP header is not modified or encrypted.
Tunnel: This mode is used for network-to-network IPsec tunnels where this gateway is one endpoint of the tunnel. In this mode the entire IP packet including the header is encrypted and/or authenticated.
When tunnel mode is selected, you can enable NetBIOS and DHCP over IPsec. DHCP over IPsec allows this controller to serve IP leases to hosts on the remote LAN. As well in this mode you can define the single IP address, range of IPs, or subnet on both the local and remote private networks that can communicate over the tunnel.
Figure 128: IPsec policy configuration
Once the tunnel type and endpoints of the tunnel are defined you can determine the Phase 1 / Phase 2 negotiation to use for the tunnel.
This is covered in the IPsec mode setting, as the policy can be Manual or Auto. For Auto policies, the Internet Key Exchange (IKE) protocol dynamically exchanges keys between two IPsec hosts. The Phase 1 IKE parameters are used to define the tunnel's security association details. The Phase 2 Auto policy parameters cover the security association lifetime and encryption/authentication details of the phase 2 key negotiation.
The VPN policy is one half of the IKE/VPN policy pair required to establish an Auto IPsec VPN tunnel. The IP addresses of the machine or machines on the two VPN endpoints are configured here, along with the policy parameters required to secure the tunnel.
Figure 129: IPsec policy configuration continued (Auto policy via IKE)
A Manual policy does not use IKE and instead relies on manual keying to exchange authentication parameters between the two IPsec hosts. The incoming and outgoing security parameter index (SPI) values must be mirrored on the remote tunnel endpoint. As well the encryption and integrity algorithms and keys must match on the remote IPsec host exactly in order for the tunnel to establish successfully. Note that using Auto policies with IKE is preferred, as in some IPsec implementations the SPI (security parameter index) values require conversion at each endpoint.
DWC-1000 supports VPN roll-over feature.
This means that policies configured on primary Option will rollover to the secondary Option in case of a link failure on a primary Option. This feature can be used only if your Option is configured in Auto Rollover mode.
Figure 130: IPsec policy configuration continued (Auto / Manual Phase 2)

8.2.1 Extended Authentication (XAUTH)
You can also configure extended authentication (XAUTH). Rather than configure a unique VPN policy for each user, you can configure the VPN gateway controller to authenticate users from a stored list of user accounts or with an external authentication server such as a RADIUS server. With a user database, user accounts created in the controller are used to authenticate users.
With a configured RADIUS server, the controller connects to a RADIUS server and passes to it the credentials that it receives from the VPN client. You can secure the connection between the controller and the RADIUS server with the authentication protocol supported by the server (PAP or CHAP). For RADIUS – PAP, the controller first checks in the user database to see if the user credentials are available; if they are not, the controller connects to the RADIUS server.

8.2.2 Internet over IPSec tunnel
In this feature all the traffic will pass through the VPN Tunnel and from the Remote Gateway the packet will be routed to Internet. On the remote gateway side, the outgoing packet will be SNAT'ed.
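For the Manual policy requirement in section 8.2 (mirrored SPIs, identical algorithms and keys on both endpoints), the following added example, which is not from the manual, compares two endpoint configurations before they are entered. The field names and sample values are hypothetical; SPIs are accepted in hex or decimal because of the conversion issue the section mentions, and per-direction keys are assumed (with a single key per algorithm the key check reduces to plain equality).

```python
import hmac


def parse_spi(text):
    """Accept '0x1000' or '4096' so both notations compare equal."""
    value = int(str(text).strip(), 0)
    # RFC 4303 reserves SPI 0 and 1-255; an SPI is a 32-bit value.
    if not 256 <= value <= 0xFFFFFFFF:
        raise ValueError(f"SPI {text!r} outside 256..0xFFFFFFFF")
    return value


def mirror_findings(local, remote):
    """Return mismatch descriptions between two manual-keying configs.

    Key material is never included in the returned messages.
    """
    findings = []
    if parse_spi(local["spi_out"]) != parse_spi(remote["spi_in"]):
        findings.append("SPI: local outgoing != remote incoming")
    if parse_spi(local["spi_in"]) != parse_spi(remote["spi_out"]):
        findings.append("SPI: local incoming != remote outgoing")
    for alg in ("enc_alg", "integ_alg"):
        if local[alg].strip().upper() != remote[alg].strip().upper():
            findings.append(f"{alg}: algorithms differ")
    mirrored_keys = (("enc_key_out", "enc_key_in"), ("enc_key_in", "enc_key_out"),
                     ("integ_key_out", "integ_key_in"), ("integ_key_in", "integ_key_out"))
    for mine, theirs in mirrored_keys:
        # Constant-time comparison; report only which field differs.
        if not hmac.compare_digest(local[mine].encode(), remote[theirs].encode()):
            findings.append(f"key: local {mine} != remote {theirs}")
    return findings


# Constructed sample configurations (placeholder keys, not real secrets).
SITE_A = {
    "spi_in": "0x1000", "spi_out": "0x2000",
    "enc_alg": "3DES", "integ_alg": "SHA-1",
    "enc_key_in": "sample-enc-key-b-to-a", "enc_key_out": "sample-enc-key-a-to-b",
    "integ_key_in": "sample-int-key-b-to-a", "integ_key_out": "sample-int-key-a-to-b",
}
SITE_B = {
    "spi_in": "8192", "spi_out": "4096",      # same SPIs as site A, decimal notation
    "enc_alg": "3des", "integ_alg": "sha-1",
    "enc_key_in": "sample-enc-key-a-to-b", "enc_key_out": "sample-enc-key-b-to-a",
    "integ_key_in": "sample-int-key-a-to-b", "integ_key_out": "sample-int-key-b-to-a",
}


def demo():
    ok = mirror_findings(SITE_A, SITE_B)
    # Common mistake: copying site A's values to site B without swapping direction.
    copied = mirror_findings(SITE_A, dict(SITE_A))
    return ok, copied


if __name__ == "__main__":
    ok, copied = demo()
    print("mirrored pair:", ok)
    print("copied pair:", copied)
```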

8.3 Configuring VPN clients
Remote VPN clients must be configured with the same VPN policy parameters used in the VPN tunnel that the client wishes to use: encryption, authentication, life time, and PFS key-group. Upon establishing these authentication parameters, the VPN Client user database must also be populated with an account to give a user access to the tunnel.
VPN client software is required to establish a VPN tunnel between the controller and remote endpoint. Open source software (such as OpenVPN or Openswan) as well as Microsoft IPsec VPN software can be configured with the required IKE policy parameters to establish an IPsec VPN tunnel. Refer to the client software guide for detailed instructions on setup as well as the controller's online help.
The user database contains the list of VPN user accounts that are authorized to use a given VPN tunnel. Alternatively VPN tunnel users can be authenticated using a configured Radius database. Refer to the online help to determine how to populate the user database and/or configure RADIUS authentication.

8.4 PPTP / L2TP Tunnels
This controller supports VPN tunnels from either PPTP or L2TP ISP servers. The controller acts as a broker device to allow the ISP's server to create a TCP control connection between the LAN VPN client and the VPN server.

8.4.1 PPTP Tunnel Support
Setup > VPN Settings > PPTP > PPTP Client
PPTP VPN Client can be configured on this controller. Using this client we can access remote network which is local to PPTP server.
Once client is enabled, the user can access Status > Active VPNs page and establish PPTP VPN tunnel clicking Connect. To disconnect the tunnel, click Drop.
Figure 131: PPTP tunnel configuration – PPTP Client
Figure 132: PPTP VPN connection status
Setup > VPN Settings > PPTP > PPTP Server
A PPTP VPN can be established through this controller. Once enabled a PPTP server is available on the controller for LAN and Option PPTP client users to access. Once the PPTP server is enabled, PPTP clients that are within the range of configured IP addresses of allowed clients can reach the controller's PPTP server. Once authenticated by the PPTP server (the tunnel endpoint), PPTP clients have access to the network managed by the controller.
Figure 133: PPTP tunnel configuration – PPTP Server

8.4.2 L2TP Tunnel Support
Setup > VPN Settings > L2TP > L2TP Server
A L2TP VPN can be established through this controller. Once enabled a L2TP server is available on the controller for LAN and Option L2TP client users to access. Once the L2TP server is enabled, L2TP clients that are within the range of configured IP addresses of allowed clients can reach the controller's L2TP server. Once authenticated by the L2TP server (the tunnel endpoint), L2TP clients have access to the network managed by the controller.
Figure 134: L2TP tunnel configuration – L2TP Server

8.4.3 OpenVPN Support
Setup > VPN Settings > OpenVPN > OpenVPN Configuration
OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password.
When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. An OpenVPN can be established through this controller. Check/Uncheck this and click save settings to start/stop openvpn server.
Mode: OpenVPN daemon mode. It can run in server mode, client mode or access server client mode. In access server client mode, the user has to download the auto login profile from the Openvpn Access Server and upload the same to connect.
Server IP: OpenVPN server IP address to which the client connects (Applicable in client mode).
VPN Network: Address of the Virtual Network.
VPN Netmask: Netmask of the Virtual Network.
Port: The port number on which openvpn server (or Access Server) runs.
Tunnel Protocol: The protocol used to communicate with the remote host. Ex: Tcp, Udp. Udp is the default.
Encryption Algorithm: The cipher with which the packets are encrypted. Ex: BF-CBC, AES-128, AES-192 and AES-256. BF-CBC is the default.
Hash algorithm: Message digest algorithm used to authenticate packets. Ex: SHA1, SHA256 and SHA512. SHA1 is the default.
Tunnel Type: Select Full Tunnel to redirect all the traffic through the tunnel. Select Split Tunnel to redirect traffic to only specified resources (added from openVpn Client Routes) through the tunnel. Full Tunnel is the default.
Enable Client to Client communication: Enable this to allow openvpn clients to communicate with each other in split tunnel case. Disabled by default.
Upload Access Server Client Configuration: The user has to download the auto login profile and upload here to connect this controller to the OpenVPN Access Server.
Certificates: Select the set of certificates openvpn server uses. First Row: Set of certificates and keys the server uses. Second Row: Set of certificates and keys newly uploaded.
Enable TLS Authentication Key: Enabling this adds TLS authentication which adds an additional layer of authentication. Can be checked only when the tls key is uploaded. Disabled by default.
Click Save Settings to save the configuration entered.
Figure 135: OpenVPN configuration

Chapter 9. SSL VPN
The following feature is available upon licensed activation of VPN / Firewall features for the system.
The controller provides an intrinsic SSL VPN feature as an alternate to the standard IPsec VPN. SSL VPN differs from IPsec VPN mainly by removing the requirement of a pre-installed VPN client on the remote host. Instead, users can securely login through the SSL User Portal using a standard web browser and receive access to configured network resources within the corporate LAN. The controller supports multiple concurrent sessions to allow remote users to access the LAN over an encrypted link through a customizable user portal interface, and each SSL VPN user can be assigned unique privileges and network resource access levels.
The remote user can be provided different options for SSL service through this controller:
VPN Tunnel: The remote user's SSL enabled browser is used in place of a VPN client on the remote host to establish a secure VPN tunnel. A SSL VPN client (Active-X or Java based) is installed in the remote host to allow the client to join the corporate LAN with pre-configured access/policy privileges. At this point a virtual network interface is created on the user's host and this will be assigned an IP address and DNS server address from the controller. Once established, the host machine can access allocated network resources.
Port Forwarding: A web-based (ActiveX or Java) client is installed on the client machine again. Note that Port Forwarding service only supports TCP connections between the remote user and the controller. The controller administrator can define specific services or applications that are available to remote port forwarding users instead of access to the full LAN like the VPN tunnel.
ActiveX clients are used when the remote user accesses the portal using the Internet Explorer browser. The Java client is used for other browsers like Mozilla Firefox, Netscape Navigator, Google Chrome, and Apple Safari.
Figure 136: Example of clientless SSL VPN connections to the DWC-1000

9.1 Groups and Users
Advanced > Users > Groups
The group page allows creating, editing and deleting groups. The groups are associated to set of user types.
The lists of available groups are displayed in the "List of Group" page with Group name and description of group.

Click Add to create a group.
Click Edit to update an existing group.
Click Delete to clear an existing group.

Figure 137: List of groups

The group configuration page allows creating a group with a different type of users. The user types are as follows:

PPTP User: These are PPTP VPN tunnel LAN users that can establish a tunnel with the PPTP server on the Option.
L2TP User: These are L2TP VPN tunnel LAN users that can establish a tunnel with the L2TP server on the Option.
Xauth User: This user's authentication is performed by an externally configured RADIUS or other Enterprise server. It is not part of the local user database.
SSLVPN User: This user has access to the SSL VPN services as determined by the group policies and authentication domain of which it is a member. The domain-determined SSL VPN portal will be displayed when logging in with this user type.
Admin: This is the controller's super-user, and can manage the controller, use SSL VPN to access network resources, and login to L2TP/PPTP servers on the Option. There will always be one default administrator user for the GUI.
Guest User (read-only): The guest user gains read only access to the GUI to observe and review configuration settings. The guest does not have SSL VPN access.
Captive Portal User: These captive portal users have access through the controller. The access is determined based on captive portal policies.
Idle Timeout: This is the login timeout period for users of this group.

Figure 138: User group configuration

When SSLVPN users are selected, the SSLVPN settings are displayed with the following parameters as captured in SSLVPN Settings. The SSL VPN details are configured as per the Authentication Type.

Authentication Type: The authentication type can be one of the following: Local User Database (default), Radius-PAP, Radius-CHAP, Radius-MSCHAP, Radius-MSCHAPv2, NT Domain, Active Directory and LDAP.
Authentication Secret: If the domain uses RADIUS authentication then the authentication secret is required (and this has to match the secret configured on the RADIUS server).
Workgroup: This is required for NT domain authentication. If there are multiple workgroups, the user can enter the details for up to two workgroups.
LDAP Base DN: This is the base domain name for the LDAP authentication server. If there are multiple LDAP authentication servers, the user can enter the details for up to two LDAP Base DN.
Active Directory Domain: If the domain uses the Active Directory authentication, the Active Directory domain name is required. Users configured in the Active Directory database are given access to the SSL VPN portal with their Active Directory username and password. If there are multiple Active Directory domains, the user can enter the details for up to two authentication domains.
Timeout: The timeout period for reaching the authentication server.
Retries: The number of retries to authenticate with the authentication server after which the DWC-1000 stops trying to reach the server.

Figure 139: SSLVPN Settings

Login Policies

To set login policies for the group, select the corresponding group and click "Login policies". The following parameters are configured:

Group Name: This is the name of the group that can have its login policy edited.
Disable Login: Enable to prevent the users of this group from logging into the device's management interface(s).
Deny Login from Option interface: Enable to prevent the users of this group from logging in from an Option (wide area network) interface. In this case only login through LAN is allowed.

Figure 140: Group login policies options

Policy by Browsers

To set browser policies for the group, select the corresponding group and click "Policy by Browsers". The following parameters are configured:

Group Name: This is the name of the group that can have its login policy edited.
Deny Login from Defined Browsers: The list of defined browsers below will be used to prevent the users of this group from logging in to the controller's GUI. All non defined browsers will be allowed for login for this group.
Allow Login from Defined Browsers: The list of defined browsers below will be used to allow the users of this group to log in to the controller's GUI. All non defined browsers will be denied for login for this group.
Defined Browsers: This list displays the web browsers that have been added to the Defined Browsers list, upon which group login policies can be defined.
(Check Box At First Column Header): Selects all the defined browsers in the table.
Delete: Deletes the selected browser(s).

You can add to the list of Defined Browsers by selecting a client browser from the drop down menu and clicking Add. This browser will then appear in the above list of Defined Browsers.

Click Save Settings to save your changes.

Figure 141: Browser policies options

Policy by IP

To set policies by IP for the group, select the corresponding group and click "Policy by IP". The following parameters are configured:

Group Name: This is the name of the group that can have its login policy edited.
Deny Login from Defined Browsers: The list of defined browsers below will be used to prevent the users of this group from logging in to the controller GUI. All non defined browsers will be allowed for login for this group.
Allow Login from Defined Browsers: The list of defined browsers below will be used to allow the users of this group to log in to the controller GUI. All non defined browsers will be denied for login for this group.
Defined Browsers: This list displays the web browsers that have been added to the Defined Browsers list, upon which group login policies can be defined.
(Check Box At First Column Header): Selects all the defined browsers in the table.
Delete: Deletes the selected browser(s).
You can add to the list of Defined Browsers by selecting a client browser from the drop down menu and clicking Add. This browser will then appear in the above list of Defined Browsers.

Click Save Settings to save your changes.

Figure 142: IP policies options

Login Policies, Policy by Browsers, Policy by IP are applicable to SSL VPN users only.

Advanced > Users > Users

The users page allows adding, editing and deleting existing groups. The users are associated to configured groups. The lists of available users are displayed in the "List of Users" page with User name, associated group and Login status.

Click Add to create a user.
Click Edit to update an existing user.
Click Delete to clear an existing user.

Figure 143: Available Users with login status and associated Group

9.1.1 Users and Passwords

Advanced > Users > Users

The user configurations allow creating users associated to a group. The user settings contain the following key components:

User Name: This is the unique identifier of the user.
First Name: This is the user's first name.
Last Name: This is the user's last name.
Select Group: A group is chosen from a list of configured groups.
Password: The password associated with the user name.
Confirm Password: The same password as above is required to mitigate against typing errors.
Idle Timeout: The session timeout for the user.

It is recommended that passwords contain no dictionary words from any language, and are a mixture of letters (both uppercase and lowercase), numbers, and symbols.
The password can be up to 30 characters.

Figure 144: User Configuration options

9.2 Using SSL VPN Policies

Setup > VPN Settings > SSL VPN Server > SSL VPN Policies

SSL VPN Policies can be created on a Global, Group, or User level. User level policies take precedence over Group level policies and Group level policies take precedence over Global policies. These policies can be applied to a specific network resource, IP address or ranges on the LAN, or to different SSL VPN services supported by the controller. The List of Available Policies can be filtered based on whether it applies to a user, group, or all users (global).

A more specific policy takes precedence over a generic policy when both are applied to the same user/group/global domain. I.e. a policy for a specific IP address takes precedence over a policy for a range of addresses containing the IP address already referenced.

Figure 145: List of SSL VPN policies (Global filter)

To add a SSL VPN policy, you must first assign it to a user, group, or make it global (i.e. applicable to all SSL VPN users). If the policy is for a group, the available configured groups are shown in a drop down menu and one must be selected. Similarly, for a user defined policy a SSL VPN user must be chosen from the available list of configured users.

The next step is to define the policy details. The policy name is a unique identifier for this rule.
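The precedence rules described above (User over Group over Global, then a single IP address over a range that contains it) can be checked offline before policies are entered in the GUI. The following is an added example, not code from the manual or from the controller firmware; the `Policy` class, the `resolve` and `decide` helpers, and all policy names, users and addresses are constructed for illustration, and the tie-breaking between two equally specific policies of the same scope is not defined by the manual.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Scope precedence stated in the manual: User over Group over Global.
SCOPE_RANK = {"global": 0, "group": 1, "user": 2}


@dataclass(frozen=True)
class Policy:
    name: str
    scope: str                     # "global", "group" or "user"
    owner: Optional[str]           # group or user name; None for a global policy
    destination: str               # "all", a single IP, or a network in CIDR form
    permission: str                # "permit" or "deny"
    service: str = "both"          # "tunnel", "portfwd" or "both"
    ports: Optional[Tuple[int, int]] = None   # None = all TCP and UDP ports

    def network(self):
        if self.destination == "all":
            return None
        return ipaddress.ip_network(self.destination, strict=False)

    def applies_to(self, user: str, group: str) -> bool:
        if self.scope == "global":
            return True
        return self.owner == (user if self.scope == "user" else group)

    def matches(self, dst_ip: str, port: int, service: str) -> bool:
        if self.service not in ("both", service):
            return False
        if self.ports is not None and not (self.ports[0] <= port <= self.ports[1]):
            return False
        net = self.network()
        return net is None or ipaddress.ip_address(dst_ip) in net

    def specificity(self) -> int:
        # A single address (/32) outranks a network that contains it;
        # "all devices on the LAN" is the least specific destination.
        net = self.network()
        return -1 if net is None else net.prefixlen


def resolve(policies, user, group, dst_ip, port, service):
    """Return the winning policy for one request, or None if nothing matches."""
    hits = [p for p in policies
            if p.applies_to(user, group) and p.matches(dst_ip, port, service)]
    if not hits:
        return None
    # Scope is compared first, destination specificity second.
    return max(hits, key=lambda p: (SCOPE_RANK[p.scope], p.specificity()))


# Constructed sample policy set (hypothetical names and addresses).
POLICIES = [
    Policy("lan-default-deny", "global", None, "all", "deny"),
    Policy("eng-lan", "group", "engineering", "192.168.10.0/24", "permit"),
    Policy("eng-no-hr-server", "group", "engineering", "192.168.10.50", "deny"),
    Policy("alice-hr-ssh", "user", "alice", "192.168.10.50", "permit",
           service="tunnel", ports=(22, 22)),
]


def decide(user, group, dst_ip, port, service="tunnel"):
    """(permission, policy name) for a request against POLICIES, or None."""
    winner = resolve(POLICIES, user, group, dst_ip, port, service)
    return None if winner is None else (winner.permission, winner.name)


if __name__ == "__main__":
    for request in [("alice", "engineering", "192.168.10.50", 22),
                    ("alice", "engineering", "192.168.10.50", 80),
                    ("bob", "engineering", "192.168.10.7", 80),
                    ("carol", "sales", "192.168.10.7", 80)]:
        print(request, "->", decide(*request))
```

Running the same requests after each policy change shows whether a narrow user-level permit has started to override a group-level deny that was meant to hold.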
The policy can be assigned to a specific Network Resource (details follow in the subsequent section), IP address, IP network, or all devices on the LAN of the controller. Based on the selection of one of these four options, the appropriate configuration fields are required (i.e. choosing the network resources from a list of defined resources, or defining the IP addresses). For applying the policy to addresses the port range/port number can be defined.

The final steps require the policy permission to be set to either permit or deny access to the selected addresses or network resources. As well, the policy can be specified for one or all of the supported SSL VPN services (i.e. VPN tunnel).

Once defined, the policy goes into effect immediately. The policy name, SSL service it applies to, destination (network resource or IP addresses) and permission (deny/permit) are outlined in a list of configured policies for the controller.

Figure 146: SSL VPN policy configuration

To configure a policy for a single user or group of users, enter the following information:

Policy For: The policy can be assigned to a group of users, a single user, or all users (making it a global policy). To customize the policy for specific users or groups, the user can select from the Available Groups and Available Users drop down.
Apply Policy To: This refers to the LAN resources managed by the DWC-1000, and the policy can provide (or prevent) access to network resources, IP address, IP network, etc.
Policy Name: This field is a unique name for identifying the policy.
IP address: Required when the governed resource is identified by its IP address or range of addresses.
Mask Length: Required when the governed resource is identified by a range of addresses within a subnet.
Port Range: If the policy governs a type of traffic, this field is used for defining TCP or UDP port number(s) corresponding to the governed traffic. Leaving the starting and ending port range blank corresponds to all UDP and TCP traffic.
Service: This is the SSL VPN service made available by this policy. The services offered are VPN tunnel, port forwarding or both.
Defined Resources: This policy can provide access to specific network resources. Network resources must be configured in advance of creating the policy to make them available for selection as a defined resource. Network resources are created with the following information
Permission: The assigned resources defined by this policy can be explicitly permitted or denied.

9.2.1 Using Network Resources

Setup > VPN Settings > SSL VPN Server > Resources

Network resources are services or groups of LAN IP addresses that are used to easily create and configure SSL VPN policies. This shortcut saves time when creating similar policies for multiple remote SSL VPN users.

Adding a Network Resource involves creating a unique name to identify the resource and assigning it to one or all of the supported SSL services.
Once this is done, editing one of the created network resources allows you to configure the object type (either IP address or IP range) associated with the service. The Network Address, Mask Length, and Port Range/Port Number can all be defined for this resource as required. A network resource can be defined by configuring the following in the GUI:

Resource Name: A unique identifier name for the resource.
Service: The SSL VPN service corresponding to the resource (VPN tunnel, Port Forwarding or All).

Figure 147: List of configured resources, which are available to assign to SSL VPN policies

9.3 Application Port Forwarding

Setup > VPN Settings > SSL VPN Server > Port Forwarding

Port forwarding allows remote SSL users to access specified network applications or services after they login to the User Portal and launch the Port Forwarding service. Traffic from the remote user to the controller is detected and re-routed based on configured port forwarding rules.

Internal host servers or TCP applications must be specified as being made accessible to remote users. Allowing access to a LAN server requires entering the local server IP address and TCP port number of the application to be tunnelled.
The table below lists some common applications and corresponding TCP port numbers:

TCP Application                      Port Number
FTP Data (usually not needed)        20
FTP Control Protocol                 21
SSH                                  22
Telnet                               23
SMTP (send mail)                     25
HTTP (web)                           80
POP3 (receive mail)                  110
NTP (network time protocol)          123
Citrix                               1494
Terminal Services                    3389
VNC (virtual network computing)      5900 or 5800

As a convenience for remote users, the hostname (FQDN) of the network server can be configured to allow for IP address resolution. This host name resolution provides users with easy-to-remember FQDNs to access TCP applications instead of error prone IP addresses when using the Port Forwarding service through the SSL User Portal.

To configure port forwarding, the following are required:

Local Server IP address: The IP address of the local server which is hosting the application.
TCP port: The TCP port of the application.

Once the new application is defined it is displayed in a list of configured applications for port forwarding.

To allow users to access the private network servers by using a hostname instead of an IP address, the FQDN corresponding to the IP address is defined in the port forwarding host configuration section.

Local server IP address: The IP address of the local server hosting the application. The application should be configured in advance.
Fully qualified domain name: The domain name of the internal server is to be specified.

Once the new FQDN is configured, it is displayed in a list of configured hosts for port forwarding.
Defining the hostname is optional, as the minimum requirement for port forwarding is identifying the TCP application and local server IP address. The local server IP address of the configured hostname must match the IP address of the configured application for port forwarding.

Figure 148: List of Available Applications for SSL Port Forwarding

9.4 SSL VPN Client Configuration

Setup > VPN Settings > SSL VPN Client > SSL VPN Client

An SSL VPN tunnel client provides a point-to-point connection between the browser side machine and this controller. When a SSL VPN client is launched from the user portal, a "network adapter" with an IP address from the corporate subnet, DNS and WINS settings is automatically created. This allows local applications to access services on the private network without any special network configuration on the remote SSL VPN client machine.

It is important to ensure that the virtual (PPP) interface address of the VPN tunnel client does not conflict with physical devices on the LAN. The IP address range for the SSL VPN virtual network adapter should be either in a different subnet from the corporate LAN or in a range that does not overlap it.

The IP addresses of the client's network interfaces (Ethernet, Wireless, etc.) cannot be identical to the controller's IP address or a server on the corporate LAN that is being accessed through the SSL VPN tunnel.

Figure 149: SSL VPN client adapter and access configuration

The controller allows full tunnel and split tunnel support.
Full tunnel mode just sends all traffic from the client across the VPN tunnel to the controller. Split tunnel mode only sends traffic to the private LAN based on pre-specified client routes. These client routes give the SSL client access to specific private networks, thereby allowing access control over specific LAN services.

Client level configuration supports the following:

Enable Split Tunnel Support: With a split tunnel, only resources which are referenced by client routes can be accessed over the VPN tunnel. With full tunnel support (if the split tunnel option is disabled the DWC-1000 acts in full tunnel mode) all addresses on the private network are accessible over the VPN tunnel. Client routes are not required.
DNS Suffix: The DNS suffix name which will be given to the SSL VPN client. This configuration is optional.
Primary DNS Server: DNS server IP address to set on the network adaptor created on the client host. This configuration is optional.
Secondary DNS Server: Secondary DNS server IP address to set on the network adaptor created on the client host. This configuration is optional.
Client Address Range Begin: Clients who connect to the tunnel get a DHCP served IP address assigned to the network adaptor from the range of addresses beginning with this IP address.
Client Address Range End: The ending IP address of the DHCP range of addresses served to the client network adaptor.
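The address-range and tunnel-mode rules above lend themselves to a pre-deployment check. The following is an added example, not part of the manual or the controller software: `check_client_config` and `goes_through_tunnel` are hypothetical helper names, the LAN is assumed to be 192.168.10.0/24 with the controller at 192.168.10.1, and the client pool and routes are constructed sample values.

```python
import ipaddress


def check_client_config(lan_cidr, controller_ip, range_begin, range_end,
                        split_tunnel, client_routes):
    """Return a list of findings; an empty list means the settings are consistent."""
    lan = ipaddress.ip_network(lan_cidr)
    first = ipaddress.ip_address(range_begin)
    last = ipaddress.ip_address(range_end)
    if first > last:
        return ["Client Address Range End is lower than Client Address Range Begin"]

    findings = []
    # Express the begin/end pair as CIDR blocks so it can be compared to the LAN.
    pool = list(ipaddress.summarize_address_range(first, last))
    if any(block.overlaps(lan) for block in pool):
        findings.append("client address range overlaps the corporate LAN")
    if any(ipaddress.ip_address(controller_ip) in block for block in pool):
        findings.append("client address range contains the controller's own IP")

    routes = [ipaddress.ip_network(r) for r in client_routes]
    if split_tunnel:
        if not routes:
            findings.append("split tunnel enabled but no client routes configured")
        elif not any(r.overlaps(lan) for r in routes):
            findings.append("no client route reaches the corporate LAN")
    elif routes:
        findings.append("client routes are configured but only apply in split tunnel mode")
    return findings


def goes_through_tunnel(dst_ip, split_tunnel, client_routes):
    """True if a client packet to dst_ip is sent across the VPN tunnel."""
    if not split_tunnel:
        return True   # full tunnel: all client traffic crosses the VPN
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_network(r) for r in client_routes)


# Constructed sample settings (assumed LAN and controller address).
LAN = "192.168.10.0/24"
CONTROLLER = "192.168.10.1"

if __name__ == "__main__":
    print(check_client_config(LAN, CONTROLLER, "192.168.251.1", "192.168.251.254",
                              True, ["192.168.10.0/24"]))
    print(check_client_config(LAN, CONTROLLER, "192.168.10.100", "192.168.10.150",
                              False, []))
    print(goes_through_tunnel("203.0.113.9", True, ["192.168.10.0/24"]))
```

In split tunnel mode only destinations covered by a client route cross the VPN, so traffic to other networks leaves the remote host directly and is not subject to the controller's SSL VPN policies.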
Setup > VPN Settings > SSL VPN Client > Configured Client Routes

If the SSL VPN client is assigned an IP address in a different subnet than the corporate network, a client route must be added to allow access to the private LAN through the VPN tunnel. As well, a static route on the private LAN's firewall (typically this controller) is needed to forward private traffic through the VPN Firewall to the remote SSL VPN client. When split tunnel mode is enabled, the user is required to configure routes for VPN tunnel clients:

Destination Network: The network address of the LAN or the subnet information of the destination network from the VPN tunnel clients' perspective is set here.
Subnet Mask: The subnet information of the destination network is set here.

Figure 150: Configured client routes only apply in split tunnel mode

9.4.1 Creating Portal Layouts

Setup > VPN Settings > SSL VPN Server > Portal Layouts

The controller allows you to create a custom page for remote SSL VPN users that is presented upon authentication. There are various fields in the portal that are customizable for the domain, and this allows the controller administrator to communicate details such as login instructions, available services, and other usage details in the portal visible to remote users. During domain setup, configured portal layouts are available to select for all users authenticated by the domain.

The default portal LAN IP address is https://192.168.10.1/scgibin/userPortal/portal.
This is the same page that opens when the "User Portal" link is clicked on the SSL VPN menu of the controller GUI.

The controller administrator creates and edits portal layouts from the configuration pages in the SSL VPN menu. The portal name, title, banner name, and banner contents are all customizable to the intended users for this portal. The portal name is appended to the SSL VPN portal URL. As well, the users assigned to this portal (through their authentication domain) can be presented with one or more of the controller's supported SSL services such as the VPN Tunnel page or Port Forwarding page.

To configure a portal layout and theme, the following information is needed:

Portal Layout Name: A descriptive name for the custom portal that is being configured. It is used as part of the SSL portal URL.
Portal Site Title: The portal web browser window title that appears when the client accesses this portal. This field is optional.
Banner Title: The banner title that is displayed to SSL VPN clients prior to login. This field is optional.
Banner Message: The banner message that is displayed to SSL VPN clients prior to login. This field is optional.
Display banner message on the login page: The user has the option to either display or hide the banner message in the login page.
HTTP meta tags for cache control: This security feature prevents expired web pages and data from being stored in the client's web browser cache. It is recommended that the user selects this option.
ActiveX web cache cleaner: An ActiveX cache control web cleaner can be pushed from the gateway to the client browser whenever users login to this SSL VPN portal.
SSL VPN portal page to display: The user can enable the VPN tunnel page, the Port Forwarding page, or both, depending on the SSL services to display on this portal.

Once the portal settings are configured, the newly configured portal is added to the list of portal layouts.

Figure 151: SSL VPN Portal configuration

9.5 Active VPN Tunnels

The following feature is available upon licensed activation of VPN / Firewall features for the system.

Status > Active VPNs

You can view and change the status (connect or drop) of the controller's IPsec security associations. Here, the active IPsec SAs (security associations) are listed along with the traffic details and tunnel state. The traffic is a cumulative measure of transmitted/received packets since the tunnel was established.

If a VPN policy state is "IPsec SA Not Established", it can be enabled by clicking the Connect button of the corresponding policy. The Active IPsec SAs table displays a list of active IPsec SAs. Table fields are as follows.

Policy Name: IKE or VPN policy associated with this SA.
Endpoint: IP address of the remote VPN gateway or client.
Tx (KB): Kilobytes of data transmitted over this SA.
Tx (Packets): Number of IP packets transmitted over this SA.
State: Status of the SA for IKE policies: Not Connected or IPsec SA Established.
Action: Click Connect to establish an inactive SA (connection) or Disconnect to terminate an active SA (connection).

Figure 152: List of current Active VPN Sessions

All active SSL VPN connections, both for VPN tunnel and VPN Port forwarding, are displayed on this page as well. Table fields are as follows.

User Name: The SSL VPN user that has an active tunnel or port forwarding session to this controller.
IP Address: IP address of the remote VPN client.
Local PPP Interface: The interface (Option1 or Option2) through which the session is active.
Peer PPP Interface IP: The assigned IP address of the virtual network adapter.
Connect Status: Status of the SSL connection between this controller and the remote VPN client: Not Connected or Connected.

Chapter 10. Advanced System Functionalities

10.1 USB Device Setup

Setup > USB Settings > USB Status

The DWC-1000 Wireless controller has a USB interface for printer access and file sharing.

USB Mass Storage: Also referred to as a "share port", files on a USB disk connected to the DWC can be accessed by LAN users as a network drive.
USB Printer: The DWC can provide the LAN with access to printers connected through the USB. The printer driver will have to be installed on the LAN host and traffic will be routed through the DWC between the LAN and printer.

To configure a printer on a Windows machine, follow the steps given below:

1. Click 'Start' on the desktop.
2. Select the 'Printers and faxes' option.
3. Right click and select 'add printer' or click on 'Add printer' present at the left menu.
4. Select the 'Network Printer' radio button and click next (select "device isn't listed" in case of Windows 7).
5. Select the 'Connect to printer using URL' radio button ('Select a shared printer by name' in case of Windows 7) and give the following URL: http://<controller's LAN IP address>:631/printers/<Model Name> (Model Name can be found in the USB status page of the controller's GUI).
6. Click 'next' and select the appropriate driver from the displayed list.
7. Click on 'next' and 'finish' to complete adding the printer.

Figure 153: USB Device Detection

10.2 USB Share Port

Setup > USB Settings > USB Status

The DWC-1000 Wireless controller has a USB interface for printer access. This page allows you to enable USB device support for both interfaces, USB1 and USB2. It also allows you to enable printer access from a particular VLAN.

Figure 154: USB Share Port

10.3 Authentication Certificates

Advanced > Certificates

This gateway uses digital certificates for IPsec VPN authentication as well as SSL validation (for HTTPS and SSL VPN authentication). You can obtain a digital certificate from a well-known Certificate Authority (CA) such as VeriSign, or generate and sign your own certificate using functionality available on this gateway. The gateway comes with a self-signed certificate, and this can be replaced by one signed by a CA as per your networking requirements. A CA certificate provides strong assurance of the server's identity and is a requirement for most corporate network VPN solutions.
The certificates menu allows you to view a list of certificates (both from a CA and self-signed) currently loaded on the gateway. The following certificate data is displayed in the list of Trusted (CA) certificates:

CA Identity (Subject Name): The certificate is issued to this person or organization.
Issuer Name: This is the CA name that issued this certificate.
Expiry Time: The date after which this Trusted certificate becomes invalid.

A self certificate is a certificate issued by a CA identifying your device (or self-signed if you don't want the identity protection of a CA). The Active Self Certificate table lists the self certificates currently loaded on the gateway. The following information is displayed for each uploaded self certificate:

Name: The name you use to identify this certificate. It is not displayed to IPsec VPN peers or SSL users.
Subject Name: This is the name that will be displayed as the owner of this certificate. This should be your official registered or company name, as IPsec or SSL VPN peers are shown this field.
Serial Number: The serial number is maintained by the CA and used to identify this signed certificate.
Issuer Name: This is the CA name that issued (signed) this certificate.
Expiry Time: The date after which this signed certificate becomes invalid; you should renew the certificate before it expires.

To request a self certificate to be signed by a CA, you can generate a Certificate Signing Request from the gateway by entering identification parameters and passing it along to the CA for signing.
Once signed, the CA's Trusted Certificate and the signed certificate from the CA are uploaded to activate the self-certificate validating the identity of this gateway. The self certificate is then used in IPsec and SSL connections with peers to validate the gateway's authenticity.

Figure 155: Certificate summary for IPsec and HTTPS management

10.4 Intel® AMT

This feature is available upon licensed activation of VPN / Firewall features for the system.

Advanced > Intel® AMT

Intel® Active Management Technology enables IT managers to remotely access and manage every networked computing system, even those that lack a working operating system or hard drive, or are turned off, as long as the PC/Notebook is connected to line power and to the network, even if the PC/Notebook is off or the OS has crashed. Intel® AMT uses a separate management processor that runs independently on the client machine and can be reached through the wired or wireless network. With D-Link DSR Routers, Intel® AMT Technology can cross the Internet seamlessly, and it is an ideal solution to help IT managers with asset management over the Internet.

Figure 156: Intel® AMT

Enable Ports: When enabled, inbound/outbound firewall rules are added for certain ports to enable the Intel® AMT service.
Option Hosts: If the user selects ANY, all Option side hosts are granted access to the local server.
If the user selects "Specify Option IPs", he must provide a comma separated list of Option host addresses that are to be allowed access to the Local Server (LAN Host).
Option Host Addresses: The user must provide a comma separated list of Option IP addresses that must be allowed access to the Local Server in case he has selected "Specify Option IPs" in the Dropdown menu. Only commas are allowed and there should be no spaces between the comma and the IP address.
Internal IP Address: The user must provide a single IP address of the LAN host (Local Server).
Enable Intel® AMT Reflector: Check this box to reflect back the data on selected ports to the client initiating the connection.
Redirect to Port 16992: Check this box to redirect to port 16992 of the client initiating the connection.
Listen on Port: Enter the port on which server should listen for incoming connections.
Redirect to Port 16993: Check this box to redirect to port 16993 of the client initiating the connection.
Listen on Port: Enter the port on which server should listen for incoming connections.
Redirect to Port 16994: Check this box to redirect to port 16994 of the client initiating the connection.
Listen on Port: Enter the port on which server should listen for incoming connections.
Redirect to Port 16995: Check this box to redirect to port 16995 of the client initiating the connection.
Listen on Port: Enter the port on which server should listen for incoming connections.
Redirect to Port 9971: Check this box to redirect to port 9971 of the client initiating the connection.
Listen on Port: Enter the port on which server should listen for incoming connections.

Chapter 11. Advanced Wireless Controller Features

11.1 Advanced Global Wireless Controller Configuration
Advanced > Global > General

The fields on the advanced Wireless Global Configuration page are settings that apply to the DWC-1000 Wireless Controller.

Figure 157: Wireless Configuration

Peer Group ID: In order to support larger networks, you can configure wireless controllers as peers, with up to 8 controllers in a cluster (peer group). Peer controllers share some information about APs and allow L3 roaming among them. Peers are grouped according to the Group ID.
Client Roam Timeout: This value determines how long to keep an entry in the Associated Client Status list after a client has disassociated. Each entry in the status list shows an age, and when the age reaches the value you configure in the timeout field, the entry is deleted.
Ad Hoc Client Status Timeout: This value determines how long to keep an entry in the Ad Hoc Client Status list. Each entry in the status list shows an age, and when the age reaches the value you configure in the timeout field, the entry is deleted.
AP Failure Status Timeout: This value determines how long to keep an entry in the AP Authentication Failure Status list.
Each entry in the status list shows an age, and when the age reaches the value you configure in the timeout field, the entry is deleted.
MAC Authentication Mode: Select the global action to take on wireless clients in the white-list: Select this option to specify that any wireless clients with MAC addresses that are specified in the Known Client database, and are not explicitly denied access, are granted access. If the MAC address is not in the database then access to the client is denied.
Detected Clients Status Timeout: This value determines how long to keep an entry in the Detected Client Status list. Each entry in the status list shows an age, and when the age reaches the value you configure in the timeout field, the entry is deleted.
Tunnel IP MTU Size: Select the maximum size of an IP packet handled by the network. The MTU is enforced only on tunneled VAPs. When IP packets are tunneled between the APs and the Unified Wireless controller, the packet size is increased by 20 bytes during transit. This means that clients configured for 1500 byte IP MTU size may exceed the maximum MTU size of existing network infrastructure which is set up to controller and route 1518 (1522 tagged) byte frames. If you increase the tunnel IP MTU size, you must also increase the physical MTU of the ports on which the traffic flows.
Note: If any of the following conditions are true, you do not need to increase the tunnel IP MTU size:
• The wireless network does not use L3 tunneling.
• The tunneling mode is used only for voice traffic, which typically has small packets.
• The tunneling mode is used only for TCP based protocols, such as HTTP. This is because the AP automatically reduces the maximum segment size for all TCP connections to fit within the tunnel.
Cluster Priority: Specify the priority of this controller for the Cluster Controller election. The controller with highest priority in a cluster becomes the Cluster Controller. If the priority is the same for all controllers, then the controller with lowest IP address becomes the Cluster Controller. A priority of 0 means that the controller cannot become the Cluster Controller. The highest possible priority is 255.
AP Client QoS: Enable or disable the client QoS feature. If AP Client QoS is disabled, the Client QoS configuration remains in place, but any ACLs or DiffServ policies applied to wireless traffic are not enforced. The Client QoS feature extends the primary QoS capabilities of the Unified Wireless controller to the wireless domain. More specifically, access control lists (ACLs) and differentiated service (DiffServ) policies are applied to wireless clients associated to the AP.
11.2 Distributed Tunneling
Advanced > Global > Distributed Tunneling

The Distributed Tunneling mode, also known as AP-AP tunneling mode, is used to support L3 roaming for wireless clients without forwarding any data traffic to the wireless controller. In the AP-AP tunneling mode, when a client first associates with an AP in the wireless system, the AP forwards its data using the VLAN forwarding mode. The AP to which the client initially associates is the Home AP. The AP to which the client roams is the Association AP.

Figure 158: Distributed Tunneling

Distributed Tunnel Clients: Specify the maximum number of distributed tunneling clients that can roam away from the Home AP at the same time.
Distributed Tunnel Idle Timeout: Specify the number of seconds of no activity by the client before the tunnel to that client is terminated and the client is forced to change its IP address.
Distributed Tunnel Timeout: Specify the number of seconds before the tunnel to the roamed client is terminated and the client is forced to change its IP address.
Distributed Tunnel Max Multicast Replications Allowed: Specify the maximum number of tunnels to which a multicast frame is copied on the Home AP.

11.3 Distributed Tunneling Status
Status > Dashboard > Distributed Tunneling

This page shows information about all the distributed tunnel clients.

Figure 159: Distributed Tunneling Clients

Distributed Tunnel Packets Transmitted: Total number of packets sent by all APs via distributed tunnels.
Distributed Tunnel Roamed Clients: Total number of clients that successfully roamed away from the Home AP using distributed tunneling.
Distributed Tunnel Clients: Total number of clients that are associated with an AP and are using distributed tunneling.
Distributed Tunnel Client Denials: Total number of clients for which the system was unable to set up a distributed tunnel when the client roamed.

11.4 Peer Controller Configuration

11.4.1 Peer Controller Configuration Request Status
Advanced > Peer Controller > Configuration Request Status

The Peer Controller Configuration feature allows you to send a variety of configuration information from one controller to all other controllers. In addition to keeping the controllers synchronized, this function allows you to manage all wireless controllers in the cluster from one controller.

The Peer Controller Configuration Request Status page provides information about the status of the configuration upgrade on the controllers in the cluster.

Figure 160: Peer Controller Configuration Request Status

Peer Controller Configuration Request Status:
Configuration Request Status: Indicates the global status for a configuration push operation to one or more peer controllers. The status can be one of the following:
• Not Started.
• Receiving Configuration.
• Saving Configuration.
• Success.
• Failure Invalid Code Version.
• Failure Invalid Hardware Version.
• Failure Invalid Configuration
Total Count: Indicates the number of peer controllers included at the time a configuration download request is started. The value is 1 if a download request is for a single controller.
Success Count: Indicates the total number of peer controllers that have successfully completed a configuration download.
Failure Count: Indicates the total number of peer controllers that have failed to complete a configuration download.

List of Peers
Peer IP Address: Lists the IP address of each controller in the cluster and indicates the configuration request status of that controller.

11.4.2 Peer Controller Configuration
Advanced > Peer Controller > Configuration Items

The Peer Controller Configuration Items page allows you to select (Enable/Disable) which parts of the configuration to copy to one

Figure 161: Peer Controller Configuration

Global: Enable this field to include the basic and advanced global settings in the configuration that the controller pushes to its peers. The configuration does not include the controller IP address since that is a unique setting.
Discovery: Enable this field to include the L2 and L3 discovery information, including the VLAN list and IP list, in the configuration that the controller pushes to its peers.
Channel / Power: Enable this field to include the RF management information in the configuration that the controller pushes to its peers.
AP Database: Enable this field to include the AP Database in the configuration that the controller pushes to its peers.
AP Profiles: Enable this field to include all AP profiles in the configuration that the controller pushes to its peers. The AP profile includes the global AP settings, such as the hardware type, Radio settings, VAP and Wireless Network settings, and QoS settings.
Known Client: Enable this field to include the Known Client Database in the configuration that the controller pushes to its peers.
RADIUS Client: Enable this field to include the Client RADIUS information in the configuration that the controller pushes to its peers.

11.5 WIDS Configuration

The D-Link Wireless Controller Wireless Intrusion Detection System (WIDS) can help detect intrusion attempts into the wireless network and take automatic actions to protect the network.

11.5.1 WIDS AP Configuration
Advanced > WIDS Security > AP

The WIDS AP Configuration page allows you to activate or deactivate various threat detection tests and set threat detection thresholds in order to help detect rogue APs on the wireless network. These changes can be made without disrupting network connectivity. Since some of the work is done by access points, the controller needs to send messages to the APs to modify their WIDS operational properties.

Administrator configured rogue AP: If the source MAC address is in the valid AP database on the controller or on the RADIUS server and the AP type is marked as Rogue, then the AP state is Rogue.
Managed SSID from an unknown AP: This test checks whether an unknown AP is using the managed network SSID. A hacker may set up an AP with a managed SSID to fool users into associating with the AP and revealing passwords and other secure information. Administrators with large networks who are using multiple clusters should either use different network names in each cluster or disable this test. Otherwise, if an AP in the first cluster detects APs in the second cluster transmitting the same SSID as APs in the first cluster, then these APs are reported as rogues.
Managed SSID from a fake managed AP: A hacker may set up an AP with the same MAC address as one of the managed APs and configure it to send one of the managed SSIDs. This test checks for a vendor field in the beacons which is always transmitted by managed APs. If the vendor field is not present, then the AP is identified as a fake AP.
AP without an SSID: SSID is an optional field in beacon frames. To avoid detection a hacker may set up an AP with the managed network SSID, but disable SSID transmission in the beacon frames. The AP would still send probe responses to clients that send probe requests for the managed SSID, fooling the clients into associating with the hacker's AP. This test detects and flags APs that transmit beacons without the SSID field. The test is automatically disabled if any of the radios in the profiles are configured not to send the SSID field, which is not recommended because it does not provide any real security and disables this test.
Fake managed AP on an invalid channel: This test detects rogue APs that transmit beacons from the source MAC address of one of the managed APs, but on a different channel from the one on which the AP is supposed to be operating.
Managed SSID detected with incorrect security: During RF Scan the AP examines beacon frames received from other APs and determines whether the detected AP is advertising an open network, WEP, or WPA. If the SSID reported in the RF Scan is one of the managed networks and its configured security does not match the detected security, then this test marks the AP as rogue.
Invalid SSID from a managed AP: This test checks whether a known managed AP is sending an unexpected SSID. The SSID reported in the RF Scan is compared to the list of all configured SSIDs that are used by the profile assigned to the managed AP. If the detected SSID doesn't match any configured SSID then the AP is marked as rogue.
AP is operating on an illegal channel: The purpose of this test is to detect hackers or incorrectly configured devices that are operating on channels that are not legal in the country where the wireless system is set up. Note: In order for the wireless system to detect this threat, the wireless network must contain one or more radios that operate in sentry mode.
Standalone AP with unexpected configuration: If the AP is classified as a known standalone AP, then the controller checks whether the AP is operating with the expected configuration parameters.
You configure the expected parameters for the standalone AP in the local or RADIUS Valid AP database. This test may detect network misconfiguration as well as potential intrusion attempts. The following parameters are checked:
• Channel Number
• SSID
• Security Mode
• WDS Mode.
• Presence on a wired network.
Unexpected WDS device detected on network: If the AP is classified as a Managed or Unknown AP and wireless distribution system (WDS) traffic is detected on the AP, then the AP is considered to be Rogue. Only stand-alone APs that are explicitly allowed to operate in WDS mode are not reported as rogues by this test.
Unmanaged AP detected on wired network: This test checks whether the AP is detected on the wired network. If the AP state is Unknown, then the test changes the AP state to Rogue. The flag indicating whether the AP is detected on the wired network is reported as part of the RF Scan report. If the AP is managed and is detected on the network then the controller simply reports this fact and doesn't change the AP state to Rogue. In order for the wireless system to detect this threat, the wireless network must contain one or more radios that operate in sentry mode.
Rogue Detected Trap Interval: Specify the interval, in seconds, between transmissions of the SNMP trap telling the administrator that rogue APs are present in the RF Scan database. If you set the value to 0, the trap is never sent.
Wired Network Detection Interval: Specify the number of seconds that the AP waits before starting a new wired network detection cycle. If you set the value to 0, wired network detection is disabled.
AP De-Authentication Attack: Enable or disable the AP de-authentication attack. The wireless controller can protect against rogue APs by sending de-authentication messages to the rogue AP. The de-authentication attack feature must be globally enabled in order for the wireless system to perform this function. Make sure that no legitimate APs are classified as rogues before enabling the attack feature. This feature is disabled by default.

Figure 162: WIDS AP Configuration

11.5.2 WIDS Client Configuration
Advanced > WIDS Security > Client

The settings you configure on the WIDS Client Configuration page help determine whether a detected client is classified as a rogue. Clients classified as rogues are considered to be a threat to network security.

The WIDS feature tracks the following types of management messages that each detected client sends:
• Probe Requests
• 802.11 Authentication Requests
• 802.11 De-Authentication Requests.

In order to help determine whether a client is posing a threat to the network by flooding the network with management traffic, the system keeps track of the number of times the AP received each message type and the highest message rate detected in a single RF Scan report.
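The per-client counting described above, checked against the Threshold Interval and Threshold Value settings of this page, can be sketched as follows. This is an added example, not D-Link firmware code: the frame tuples, the threshold numbers and the fixed-window alignment are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Management message types the WIDS client tests track, as named on this page.
PROBE, AUTH, DEAUTH = "probe_request", "auth_request", "deauth_request"


@dataclass(frozen=True)
class Threshold:
    interval_s: int  # "Threshold Interval": seconds spent counting
    value: int       # "Threshold Value": messages tolerated per interval


# Constructed thresholds for this example; not the controller's defaults.
THRESHOLDS = {
    PROBE: Threshold(interval_s=60, value=120),
    AUTH: Threshold(interval_s=60, value=10),
    DEAUTH: Threshold(interval_s=60, value=10),
}


def evaluate_clients(frames, thresholds=THRESHOLDS):
    """Return {client_mac: {msg_type: {"total", "peak", "triggered"}}}.

    frames is an iterable of (timestamp_seconds, client_mac, msg_type).
    Counting uses fixed windows aligned to multiples of the interval; that
    alignment is an assumption, the manual does not describe it.
    """
    # counts[(mac, type)][window_index] -> messages seen in that window
    counts = defaultdict(lambda: defaultdict(int))
    for ts, mac, msg_type in frames:
        th = thresholds.get(msg_type)
        if th is None or th.interval_s <= 0:
            continue  # untracked message type or counting disabled
        window = int(ts // th.interval_s)
        counts[(mac.lower(), msg_type)][window] += 1

    report = defaultdict(dict)
    for (mac, msg_type), windows in counts.items():
        peak = max(windows.values())
        report[mac][msg_type] = {
            "total": sum(windows.values()),   # times the type was received
            "peak": peak,                     # highest count in one interval
            # A test triggers on MORE than the configured value.
            "triggered": peak > thresholds[msg_type].value,
        }
    return dict(report)


def rogue_clients(report):
    """Clients that failed at least one rate test, with the failed tests."""
    return {
        mac: sorted(t for t, r in tests.items() if r["triggered"])
        for mac, tests in report.items()
        if any(r["triggered"] for r in tests.values())
    }


def sample_frames():
    """Constructed capture: one ordinary client and one de-auth flooder."""
    frames = []
    # Ordinary client: a few probe requests and one authentication request.
    for t in (1, 15, 31, 70):
        frames.append((t, "00:11:22:33:44:55", PROBE))
    frames.append((32, "00:11:22:33:44:55", AUTH))
    # Flooding client: 11 de-auth requests in the first minute, then
    # exactly 10 in the second minute (at the limit, not over it).
    for i in range(11):
        frames.append((5 + i * 2, "AA:BB:CC:DD:EE:01", DEAUTH))
    for i in range(10):
        frames.append((60 + i * 3, "AA:BB:CC:DD:EE:01", DEAUTH))
    return frames


if __name__ == "__main__":
    rep = evaluate_clients(sample_frames())
    for mac, failed in rogue_clients(rep).items():
        print(mac, "exceeded:", ", ".join(failed))
```

Only the first minute of the flooding client trips the test; a client sitting exactly at the configured value is not reported, which matters when choosing values close to normal roaming behaviour.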
On the WIDS Client Configuration page, you can set thresholds for each type of message sent, and the APs monitor whether any clients exceed those thresholds or tests.

Not Present in OUI Database Test: This test checks whether the MAC address of the client is from a registered manufacturer identified in the OUI database.
Known Client Database Test: This test checks whether the client, which is identified by its MAC address, is listed in the Known Client Database and is allowed access to the AP either through the Authentication Action of Grant or through the White List global action. If the client is in the Known Client Database and has an action of Deny, or if the action is Global Action and it is globally set to Black List, the client fails this test.
Configured Authentication Rate Test: This test checks whether the client has exceeded the configured rate for transmitting 802.11 authentication requests.
Configured Probe Requests Rate Test: This test checks whether the client has exceeded the configured rate for transmitting probe requests.
Configured De-Authentication Requests Rate Test: This test checks whether the client has exceeded the configured rate for transmitting de-authentication requests.
Maximum Authentication Failures Test: This test checks whether the client has exceeded the maximum number of failed authentications.
Authentication with Unknown AP Test: This test checks whether a client in the Known Client database is authenticated with an unknown AP.
Client Threat Mitigation: Select enable to send de-authentication messages to clients that are in the Known Clients database but are associated with unknown APs. The Authentication with Unknown AP Test must also be enabled in order for the mitigation to take place. Select disable to allow clients in the Known Clients database to remain authenticated with an unknown AP.
Known Client Database Lookup Method: When the controller detects a client on the network it performs a lookup in the Known Client database. Specify whether the controller should use the local or RADIUS database for these lookups.
Known Client Database RADIUS Server Name: If the known client database lookup method is RADIUS then this field specifies the RADIUS server name.
Rogue Detected Trap Interval: Specify the interval, in seconds, between transmissions of the SNMP trap telling the administrator that rogue APs are present in the RF Scan database. If you set the value to 0, the trap is never sent.
De-Authentication Requests Threshold Interval: Specify the number of seconds an AP should spend counting the de-authentication messages sent by wireless clients.
De-Authentication Requests Threshold Value: If the controller receives more than the specified number of messages during the threshold interval, the test triggers.
Authentication Requests Threshold Interval: Specify the number of seconds an AP should spend counting the authentication messages sent by wireless clients.
Authentication Requests Threshold Value: If the controller receives more than the specified number of messages during the threshold interval, the test triggers.
Probe Requests Threshold Interval: Specify the number of seconds an AP should spend counting the probe messages sent by wireless clients.
Probe Requests Threshold Value: Specify the number of probe requests a wireless client is allowed to send during the threshold interval before the event is reported as a threat.
Authentication Failure Threshold Value: Specify the number of 802.1X authentication failures a client is allowed to have before the event is reported as a threat.

Figure 163: WIDS Client Configuration

Chapter 12. Administration & Management

12.1 Remote Management

Both HTTPS and telnet access can be restricted to a subset of IP addresses. The controller administrator can define a known PC, single IP address or range of IP addresses that are allowed to access the GUI with HTTPS. The opened port for SSL traffic can be changed from the default of 443 at the same time as defining the allowed remote management IP address range.

Figure 164: Remote Management

12.2 CLI Access

In addition to the web-based GUI, the gateway supports SSH and Telnet management for command-line interaction. The CLI login credentials are shared with the GUI for administrator users. To access the CLI, type "cli" in the SSH or console prompt and log in with administrator user credentials.
12.3 SNMP Configuration

Tools > Admin > SNMP

SNMP is an additional management tool that is useful when multiple controllers in a network are being managed by a central Master system. When an external SNMP manager is provided with this controller's Management Information Base (MIB) file, the manager can update the controller's hierarchical variables to view or update configuration parameters. The controller as a managed device has an SNMP agent that allows the MIB configuration variables to be accessed by the Master (the SNMP manager). The Access Control List on the controller identifies managers in the network that have read-only or read-write SNMP credentials. The Traps List outlines the port over which notifications from this controller are provided to the SNMP community (managers) and also the SNMP version (v1, v2c, v3) for the trap.

Figure 165: SNMP Users, Traps, and Access Control

Tools > Admin > SNMP System Info

The controller is identified by an SNMP manager via the System Information. The identifier settings The SysName set here is also used to identify the controller for SysLog logging.

Figure 166: SNMP system information for this controller

12.4 SNMP Traps

Advanced > Global > SNMP Traps

If you use Simple Network Management Protocol (SNMP) to manage the DWC-1000 wireless controller, you can configure the SNMP agent on the controller to send traps to the SNMP manager on your network. When an AP is managed by a controller, it does not send out any traps.
The controller generates all SNMP traps based on its own events and the events it learns about through updates from the APs it manages.

Figure 167: SNMP Traps

AP Failure Traps: If you enable this field, the SNMP agent sends a trap if an AP fails to associate or authenticate with the controller.

AP State Change Traps: If you enable this field, the SNMP agent sends a trap for one of the following reasons:
  Managed AP Discovered.
  Managed AP Failed.
  Managed AP Unknown Protocol Discovered.
  Managed AP Load Balancing Utilization Exceeded.

Client Failure Traps: If you enable this field, the SNMP agent sends a trap if a wireless client fails to associate or authenticate with an AP that is managed by the controller.

Client State Change Traps: If you enable this field, the SNMP agent sends a trap for one of the following reasons associated with the wireless client:
  Client Association Detected.
  Client Disassociation Detected.
  Client Roam Detected.

Peer Controller Traps: If you enable this field, the SNMP agent sends a trap for one of the following reasons associated with a peer controller:
  Peer Controller Discovered.
  Peer Controller Failed.
  Peer Controller Unknown Protocol Discovered.
  Configuration command received from peer controller. (The controller need not be Cluster Controller for generating this trap.)

RF Scan Traps: If you enable this field, the SNMP agent sends a trap when the RF scan detects a new AP, wireless client, or ad-hoc client.
Rogue AP Traps: If you enable this field, the SNMP agent sends a trap when the controller discovers a rogue AP. The agent also sends a trap every Rogue Detected Trap Interval seconds if any rogue AP continues to be present in the network.

Wireless Status Traps: If you enable this field, the SNMP agent sends a trap if the operational status of the Unified Wireless controller (it need not be Cluster Controller for this trap) changes. It sends a trap if the Channel Algorithm is complete or the Power Algorithm is complete. It also sends a trap if any of the following databases or lists has reached the maximum number of entries:
  1- Managed AP database.
  2- AP Neighbor List.
  3- Client Neighbor List.
  4- AP Authentication Failure List.
  5- RF Scan AP List.
  6- Client Association Database.
  7- Ad Hoc Clients List.
  8- Detected Clients List.

12.5 Configuring Time Zone and NTP

Tools > Date and Time

You can configure your time zone, whether or not to adjust for Daylight Savings Time, and with which Network Time Protocol (NTP) server to synchronize the date and time. You can choose to set Date and Time manually, which will store the information on the controller real time clock (RTC). If the controller has access to the internet, the most accurate mechanism to set the controller time is to enable NTP server communication.

Accurate date and time on the controller is critical for firewall schedules, Wi-Fi power saving support to disable APs at certain times of the day, and accurate logging.
Please follow the steps below to configure the NTP server:

1. Select the controller time zone, relative to Greenwich Mean Time (GMT).
2. If supported for your region, click to Enable Daylight Savings.
3. Determine whether to use default or custom Network Time Protocol (NTP) servers. If custom, enter the server addresses or FQDN.

Figure 168: Date, Time, and NTP server setup

12.6 Log Configuration

This controller allows you to capture log messages for traffic through the firewall, VPN, and over the wireless AP. As an administrator you can monitor the type of traffic that goes through the controller and also be notified of potential attacks or errors when they are detected by the controller. The following sections describe the log configuration settings and the ways you can access these logs.

12.6.1 Defining What to Log

Tools > Log Settings > Logs Facility

The Logs Facility page allows you to determine the granularity of logs to receive from the controller. There are three core components of the controller, referred to as Facilities:

Kernel: This refers to the Linux kernel. Log messages that correspond to this facility would correspond to traffic through the firewall or network stack.

System: This refers to application and management level features available on this controller, including SSL VPN and administrator changes for managing the unit.

Wireless: This facility corresponds to the 802.11 driver used for providing AP functionality to your network.
Local1-UTM: This facility corresponds to IPS (Intrusion Prevention System) which helps in detecting malicious intrusion attempts from the Option.

For each facility, the following events (in order of severity) can be logged: Emergency, Alert, Critical, Error, Warning, Notification, Information, Debugging. When a particular severity level is selected, all events with severity equal to and greater than the chosen severity are captured. For example if you have configured CRITICAL level logging for the Wireless facility, then 802.11 logs with severities CRITICAL, ALERT, and EMERGENCY are logged. The severity levels available for logging are:

  EMERGENCY: system is unusable
  ALERT: action must be taken immediately
  CRITICAL: critical conditions
  ERROR: error conditions
  WARNING: warning conditions
  NOTIFICATION: normal but significant condition
  INFORMATION: informational
  DEBUGGING: debug-level messages

Figure 169: Facility settings for Logging

The display for logging can be customized based on where the logs are sent, either the Event Log viewer in the GUI (the Event Log viewer is in the Status > Logs page) or a remote Syslog server for later review. E-mail logs, discussed in a subsequent section, follow the same configuration as logs configured for a Syslog server.

Tools > Log Settings > Logs Configuration

This page allows you to determine the type of traffic through the controller that is logged for display in Syslog, E-mailed logs, or the Event Viewer.
Denial of service attacks, general attack information, login attempts, dropped packets, and similar events can be captured for review by the IT administrator.

Traffic through each network segment (LAN, Option, DMZ) can be tracked based on whether the packet was accepted or dropped by the firewall.

Accepted Packets are those that were successfully transferred through the corresponding network segment (i.e. LAN to Option). This option is particularly useful when the Default Outbound Policy is “Block Always” so the IT admin can monitor traffic that is passed through the firewall.

Example: If Accept Packets from LAN to Option is enabled and there is a firewall rule to allow SSH traffic from LAN, then whenever a LAN machine tries to make an SSH connection, those packets will be accepted and a message will be logged. (Assuming the log option is set to Allow for the SSH firewall rule.)

Dropped Packets are packets that were intentionally blocked from being transferred through the corresponding network segment. This option is useful when the Default Outbound Policy is “Allow Always”.

Example: If Drop Packets from LAN to Option is enabled and there is a firewall rule to block SSH traffic from LAN, then whenever a LAN machine tries to make an SSH connection, those packets will be dropped and a message will be logged. (Make sure the log option is set to allow for this firewall rule.)
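The severity rule described above for the Logs Facility page, checked from the receiving side of a Syslog server, as an added example that is not part of the manual: it decodes the standard syslog <PRI> value (facility * 8 + severity) and separates messages that a configured per-facility level should capture from ones it should not. The sample lines, the host name dwc-lab and the facility code used for Wireless are constructed assumptions; the manual does not document the controller's syslog line format or its facility codes.

```python
import re

# Severity names in the order the manual lists them (most severe first).
# The list index is the standard syslog severity code: 0 = EMERGENCY ... 7 = DEBUGGING.
SEVERITIES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR",
              "WARNING", "NOTIFICATION", "INFORMATION", "DEBUGGING"]

KERNEL = 0     # standard syslog facility code for "kern"
LOCAL1 = 17    # standard syslog facility code for "local1"
WIRELESS = 16  # ASSUMPTION: the manual does not say which code the Wireless facility uses

PRI_HEADER = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
MAX_PRI = 23 * 8 + 7  # highest facility code (23) with the lowest severity (7)


def decode_pri(line):
    """Return (facility, severity, rest) or None if the <PRI> header is unusable."""
    match = PRI_HEADER.match(line)
    if match is None:
        return None
    pri = int(match.group(1))
    if pri > MAX_PRI:
        return None
    return pri >> 3, pri & 7, match.group(2)


def is_captured(severity, configured_level):
    """Manual's rule: the chosen level and every MORE severe level is captured.

    "Greater" severity means a numerically LOWER syslog code, so the comparison
    is <=, not >=. Getting this backwards silently keeps only the noise.
    """
    return severity <= SEVERITIES.index(configured_level)


def triage(lines, policy):
    """Sort received lines into (captured, unexpected, malformed).

    policy maps a facility code to the level configured for it on the controller.
    'unexpected' holds messages the documented policy should not have produced:
    a facility with no level configured, or a severity below the chosen level.
    On a collector, entries there suggest the controller's logging settings
    differ from what was documented.
    """
    captured, unexpected, malformed = [], [], []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            malformed.append(line)
            continue
        facility, severity, rest = decoded
        record = (facility, SEVERITIES[severity], rest.strip())
        level = policy.get(facility)
        if level is not None and is_captured(severity, level):
            captured.append(record)
        else:
            unexpected.append(record)
    return captured, unexpected, malformed


# Constructed sample input (not real controller output).
SAMPLE_LINES = [
    "<130>Jan  1 00:00:01 dwc-lab wlan: constructed critical 802.11 event",  # 16*8+2
    "<129>Jan  1 00:00:02 dwc-lab wlan: constructed alert 802.11 event",     # 16*8+1
    "<132>Jan  1 00:00:03 dwc-lab wlan: constructed warning 802.11 event",   # 16*8+4
    "<4>Jan  1 00:00:04 dwc-lab kernel: constructed firewall warning",       # 0*8+4
    "<7>Jan  1 00:00:05 dwc-lab kernel: constructed debug message",          # 0*8+7
    "<142>Jan  1 00:00:06 dwc-lab ips: constructed informational event",     # 17*8+6
    "Jan  1 00:00:07 dwc-lab wlan: line with no PRI header",
    "<999>Jan  1 00:00:08 dwc-lab wlan: PRI value out of range",
]

# The manual's own example (CRITICAL for Wireless) plus WARNING for Kernel.
POLICY = {WIRELESS: "CRITICAL", KERNEL: "WARNING"}

if __name__ == "__main__":
    kept, odd, bad = triage(SAMPLE_LINES, POLICY)
    for facility, name, text in kept:
        print(f"captured    facility={facility:<2} {name:<12} {text}")
    for facility, name, text in odd:
        print(f"unexpected  facility={facility:<2} {name:<12} {text}")
    print(f"malformed lines: {len(bad)}")
```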
Enabling accepted packet logging through the firewall may generate a significant volume of log messages depending on the typical network traffic. This is recommended for debugging purposes only.

In addition to network segment logging, unicast and multicast traffic can be logged. Unicast packets have a single destination on the network, whereas broadcast (or multicast) packets are sent to all possible destinations simultaneously. One other useful log control is to log packets that are dropped due to configured bandwidth profiles over a particular interface. This data will indicate to the admin whether the bandwidth profile has to be modified to account for the desired internet traffic of LAN users.

Figure 170: Log configuration options for traffic through controller

12.6.2 Sending Logs to E-mail or Syslog

Tools > Log Settings > Remote Logging

Once you have configured the type of logs that you want the controller to collect, they can be sent to either a Syslog server or an E-Mail address. For remote logging a key configuration field is the Remote Log Identifier. Every logged message will contain the configured prefix of the Remote Log Identifier, so that syslog servers or email addresses that receive logs from more than one controller can sort for the relevant device's logs.

Once you enable the option to e-mail logs, enter the e-mail server's address (IP address or FQDN) of the SMTP server.
The controller will connect to this server when sending e-mails out to the configured addresses. The SMTP port and return e-mail addresses are required fields to allow the controller to package the logs and send a valid e-mail that is accepted by one of the configured “send-to” addresses. Up to three e-mail addresses can be configured as log recipients.

In order to establish a connection with the configured SMTP port and server, define the server's authentication requirements. The controller supports Login Plain (no encryption) or CRAM-MD5 (encrypted) for the username and password data to be sent to the SMTP server. Authentication can be disabled if the server does not have this requirement. In some cases the SMTP server may send out IDENT requests, and this controller can have this response option enabled as needed.

Once the e-mail server and recipient details are defined you can determine when the controller should send out logs. E-mail logs can be sent out based on a defined schedule by first choosing the unit (i.e. the frequency) of sending logs: Hourly, Daily, or Weekly. Selecting Never will disable log e-mails but will preserve the e-mail server settings.

Figure 171: E-mail configuration as a Remote Logging option

An external Syslog server is often used by network administrators to collect and store logs from the controller.
This remote device typically has less memory constraints than the local Event Viewer on the controller GUI, and thus can collect a considerable number of logs over a sustained period. This is typically very useful for debugging network issues or to monitor controller traffic over a long duration.

This controller supports up to 8 concurrent Syslog servers. Each can be configured to receive different log facility messages of varying severity. To enable a Syslog server select the checkbox next to an empty Syslog server field and assign the IP address or FQDN to the Name field. The selected facility and severity level messages will be sent to the configured (and enabled) Syslog server once you save this configuration page's settings.

Figure 172: Syslog server configuration for Remote Logging (continued)

12.6.3 Event Log Viewer in GUI

Status > Logs > View All Logs

The controller GUI lets you observe configured log messages from the Status menu. Whenever traffic through or to the controller matches the settings determined in the Tools > Log Settings > Logs Facility or Tools > Log Settings > Logs Configuration pages, the corresponding log message will be displayed in this window with a timestamp.

It is very important to have accurate system time (manually set or from a NTP server) in order to understand log messages.

Status > Logs > VPN Logs

The following feature is available upon licensed activation of VPN / Firewall features for the system.
This page displays IPsec VPN log messages as determined by the configuration settings for facility and severity. This data is useful when evaluating IPsec VPN traffic and tunnel health.

Figure 173: VPN logs displayed in GUI event viewer

Status > Logs > SSLVPN Logs

The following feature is available upon licensed activation of VPN / Firewall features for the system.

This page displays SSLVPN log messages as determined by the configuration settings for facility and severity. This data is useful when evaluating SSL VPN traffic and tunnel health.

Figure 174: SSL VPN logs displayed in GUI event viewer

12.7 Backing up and Restoring Configuration Settings

Tools > System

You can back up the controller custom configuration settings to restore them to a different device or the same controller after some other changes. During backup, your settings are saved as a file on your host. You can restore the controller saved settings from this file as well. This page will also allow you to revert to factory default settings or execute a soft reboot of the controller.

IMPORTANT! During a restore operation, do NOT try to go online, turn off the controller, shut down the PC, or do anything else to the controller until the operation is complete. This will take approximately 1 minute. Once the LEDs are turned off, wait a few more seconds before doing anything with the controller.

For backing up configuration or restoring a previously saved configuration, please follow the steps below:

1. To save a copy of your current settings, click the Backup button in the Save Current Settings option. The browser initiates an export of the configuration file and prompts to save the file on your host.
2. To restore your saved settings from a backup file, click Browse then locate the file on the host. After clicking Restore, the controller begins importing the file's saved configuration settings. After the restore, the controller reboots automatically with the restored settings.
3. To erase your current settings and revert to factory default settings, click the Default button. The controller will then restore configuration settings to factory defaults and will reboot automatically. (See Appendix B for the factory default parameters for the controller).

Figure 175: Restoring configuration from a saved file will result in the current configuration being overwritten and a reboot

12.8 Upgrading Wireless Controller Firmware

Tools > Firmware

You can upgrade to a newer software version from the Administration web page. In the Firmware Upgrade section, to upgrade your firmware, click Browse, locate and select the firmware image on your host, and click Upgrade. After the new firmware image is validated, the new image is written to flash, and the controller is automatically rebooted with the new firmware. The Firmware Information and also the Status > Device Info > Device Status page will reflect the new firmware version.

IMPORTANT! During firmware upgrade, do NOT try to go online, turn off the DWC-1000, shut down the PC, or interrupt the process in any way until the operation is complete. This should take only a minute or so including the reboot process.
Interrupting the upgrade process at specific points when the flash is being written to may corrupt the flash memory and render the controller unusable without a low-level process of restoring the flash firmware (not through the web GUI).

Figure 176: Firmware version information and upgrade option

This controller also supports an automated notification to determine if a newer firmware version is available for this controller. By clicking the Check Now button in the notification section, the controller will check a D-Link server to see if a newer firmware version for this controller is available for download and update the Status field below.

12.9 Dynamic DNS Setup

Tools > Dynamic DNS

Dynamic DNS (DDNS) is an Internet service that allows controllers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must set up an account with a DDNS provider such as DynDNS.org, D-Link DDNS, or Oray.net.

Each configured Option can have a different DDNS service if required. Once configured, the controller will update DDNS services changes in the Option IP address so that features that are dependent on accessing the controller Option via FQDN will be directed to the correct IP address. When you set up an account with a DDNS service, the host and domain name, username, password and wildcard support will be provided by the account provider.
Figure 177: Dynamic DNS configuration

12.9.1 Using Diagnostic Tools

Tools > System Check

The controller has built in tools to allow an administrator to evaluate the communication status and overall network health.

Figure 178: Controller diagnostics tools available in the GUI

12.9.2 Ping

This utility can be used to test connectivity between this controller and another device on the network connected to this controller. Enter an IP address and click PING. The command output will appear indicating the ICMP echo request status.

12.9.3 Trace Route

This utility will display all the controller present between the destination IP address and this controller. Up to 30 “hops” (intermediate controller) between this controller and the destination will be displayed.

12.9.4 DNS Lookup

To retrieve the IP address of a Web, FTP, Mail or any other server on the Internet, type the Internet Name in the text box and click Lookup. If the host or domain entry exists, you will see a response with the IP address. A message stating “Unknown Host” indicates that the specified Internet Name does not exist.

This feature assumes there is internet access available on the Option link(s).

12.9.5 Router Options

The static and dynamic routes configured on this controller can be shown by clicking Display for the corresponding routing table. Clicking the Packet Trace button will allow the controller to capture and display traffic through the DWC-1000 between the LAN and Option interface as well.
This information is often very useful in debugging traffic and routing issues.

Chapter 13. License Activation

Tools > License

You can activate AP6 and VPN licenses in this controller by providing a valid Activation Key and clicking Activate key. After activating the AP6 license you should be able to manage 6 more APs. The VPN license activates the VPN license functionality on the DWC-1000 device. The AP firmware version must be the same as the DWC-1000 WLAN module version.

Figure 179: Installing a License

Figure 180: Available Licenses Display after installing a License

The new features will be enabled after system reboot.

Appendix A. Glossary

ARP: Address Resolution Protocol. Broadcast protocol for mapping IP addresses to MAC addresses.
CHAP: Challenge-Handshake Authentication Protocol. Protocol for authenticating users to an ISP.
DDNS: Dynamic DNS. System for updating domain names in real time. Allows a domain name to be assigned to a device with a dynamic IP address.
DHCP: Dynamic Host Configuration Protocol. Protocol for allocating IP addresses dynamically so that addresses can be reused when hosts no longer need them.
DNS: Domain Name System. Mechanism for translating H.323 IDs, URLs, or e-mail IDs into IP addresses. Also used to assist in locating remote gatekeepers and to map IP addresses to hostnames of administrative domains.
FQDN: Fully qualified domain name. Complete domain name, including the host portion. Example: serverA.companyA.com.
FTP: File Transfer Protocol. Protocol for transferring files between network nodes.
HTTP: Hypertext Transfer Protocol. Protocol used by web browsers and web servers to transfer files.
IKE: Internet Key Exchange. Mode for securely exchanging encryption keys in ISAKMP as part of building a VPN tunnel.
IPsec: IP security. Suite of protocols for securing VPN tunnels by authenticating or encrypting IP packets in a data stream. IPsec operates in either transport mode (encrypts payload but not packet headers) or tunnel mode (encrypts both payload and packet headers).
ISAKMP: Internet Key Exchange Security Protocol. Protocol for establishing security associations and cryptographic keys on the Internet.
ISP: Internet service provider.
MAC Address: Media-access-control address. Unique physical-address identifier attached to a network adapter.
MTU: Maximum transmission unit. Size, in bytes, of the largest packet that can be passed on. The MTU for Ethernet is a 1500-byte packet.
NAT: Network Address Translation. Process of rewriting IP addresses as a packet passes through a controller or firewall. NAT enables multiple hosts on a LAN to access the Internet using the single public IP address of the LAN's gateway controller.
NetBIOS: Microsoft Windows protocol for file sharing, printer sharing, messaging, authentication, and name resolution.
NTP: Network Time Protocol. Protocol for synchronizing a controller to a single clock on the network, known as the clock master.
PAP: Password Authentication Protocol. Protocol for authenticating users to a remote access server or ISP.
PPPoE: Point-to-Point Protocol over Ethernet. Protocol for connecting a network of hosts to an ISP without the ISP having to manage the allocation of IP addresses.
PPTP: Point-to-Point Tunneling Protocol. Protocol for creation of VPNs for the secure transfer of data from remote clients to private servers over the Internet.
RADIUS: Remote Authentication Dial-In User Service. Protocol for remote user authentication and accounting. Provides centralized management of usernames and passwords.
RSA: Rivest-Shamir-Adleman. Public key encryption algorithm.
TCP: Transmission Control Protocol. Protocol for transmitting data over the Internet with guaranteed reliability and in-order delivery.
UDP: User Data Protocol. Protocol for transmitting data over the Internet quickly but with no guarantee of reliability or in-order delivery.
VPN: Virtual private network. Network that enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. Uses tunneling to encrypt all information at the IP level.
WINS: Windows Internet Name Service. Service for name resolution. Allows clients on different IP subnets to dynamically resolve addresses, register themselves, and browse the network without sending broadcasts.

Appendix B. Factory Default Settings

Feature | Description | Default Setting
Device login | User login URL | http://192.168.10.1
Device login | User name (case sensitive) | admin
Device login | Login password (case sensitive) | admin
Internet Connection | Option MAC address | Use default address
Internet Connection | Option MTU size | 1500
Internet Connection | Port speed | Autosense
Local area network (LAN) | IP address | 192.168.10.1
Local area network (LAN) | IPv4 subnet mask | 255.255.255.0
Local area network (LAN) | RIP direction | None
Local area network (LAN) | RIP version | Disabled
Local area network (LAN) | RIP authentication | Disabled
Local area network (LAN) | DHCP server | Enabled
Local area network (LAN) | DHCP starting IP address | 192.168.10.2
Local area network (LAN) | DHCP ending IP address | 192.168.10.100
Local area network (LAN) | Time zone | GMT
Local area network (LAN) | Time zone adjusted for Daylight Saving Time | Disabled
Local area network (LAN) | SNMP | Disabled
Local area network (LAN) | Remote management | Disabled
Firewall | Inbound communications from the Internet | Disabled (except traffic on port 80, the HTTP port)
Firewall | Outbound communications to the Internet | Enabled (all)
Firewall | Source MAC filtering | Disabled
Firewall | Stealth mode | Enabled