HP Ap420

HPProCurve
WirelessAccessPoint420
ManagementandConfigurationGuide
September2003
Copyright 2003 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without
notice.
Thisdocumentcontainsproprietaryinformation,whichis
protectedbycopyright.Nopartofthisdocumentmaybe
photocopied,reproduced,ortranslatedintoanother
languagewithoutthepriorwrittenconsentofHewlett-
Packard.
PublicationNumber
5990-6006
September2003
Edition1
ApplicableProducts
HPProCurveWirelessAccessPoint420na (J8130A)
HPProCurveWirelessAccessPoint420ww (J8131A)
TrademarkCredits
WindowsNT,Windows,andMSWindowsareUS
registeredtrademarksofMicrosoftCorporation.
Disclaimer
HEWLETT-PACKARDCOMPANYMAKESNOWARRANTY
OFANYKINDWITHREGARDTOTHISMATERIAL,
INCLUDING,BUTNOTLIMITEDTO,THEIMPLIED
WARRANTIESOFMERCHANTABILITYANDFITNESS
FORAPARTICULARPURPOSE.Hewlett-Packardshallnot
beliableforerrorscontainedhereinorforincidentalor
consequentialdamagesinconnectionwiththefurnishing,
performance,oruseofthismaterial.
TheonlywarrantiesforHPproductsandservicesareset
forthintheexpresswarrantystatementsaccompanying
suchproductsandservices.Nothinghereinshouldbe
construedasconstitutinganadditionalwarranty.HPshall
notbeliablefortechnicaloreditorialerrorsoromissions
containedherein.
Hewlett-Packardassumesnoresponsibilityfortheuseor
reliabilityofitssoftwareonequipmentthatisnotfurnished
byHewlett-Packard.
Warranty
SeetheCustomerSupport/Warrantybookletincludedwith
theproduct.
Acopyofthespecificwarrantytermsapplicabletoyour
Hewlett-Packardproductsandreplacementpartscanbe
obtainedfromyourHPSalesandServiceOfficeor
authorizeddealer.
Contents
1 GettingStarted
Contents...................................................... 1-1
Introduction .................................................. 1-2
Conventions .................................................. 1-2
CommandSyntaxStatements ................................. 1-2
CommandPrompts .......................................... 1-3
ScreenSimulations .......................................... 1-3
RelatedPublications .......................................... 1-4
GettingDocumentationFromtheWeb.......................... 1-5
SourcesforMoreInformation ................................. 1-6
NeedOnlyaQuickStart? ...................................... 1-6
ToSetUpandInstalltheAccessPointinYourNetwork .......... 1-6
2 SelectingaManagementInterface
Contents...................................................... 2-1
Overview ..................................................... 2-2
UnderstandingManagementInterfaces ......................... 2-2
AdvantagesofUsingtheCLI ................................... 2-3
AdvantagesofUsingtheHPWebBrowserInterface............. 2-4
3 UsingtheCommandLineInterface(CLI)
Contents...................................................... 3-1
Overview ..................................................... 3-2
AccessingtheCLI ............................................. 3-2
UsingtheCLI ................................................. 3-2
PrivilegeLevelatLogon ...................................... 3-2
PrivilegeLevelOperation ..................................... 3-4
ExecPrivileges .......................................... 3-4
iii
HowToMoveBetweenLevels ................................ 3-6
ListingCommandsandCommand Options ...................... 3-7
ListingCommandsAvailableatAnyPrivilegeLevel ........... 3-7
CommandOptionDisplays ................................ 3-9
ConfigurationCommandsandtheContextConfigurationModes .. 3-10
CLIControlandEditing ...................................... 3-12
4 UsingtheHPWebBrowserInterface
Contents...................................................... 4-1
Overview ..................................................... 4-2
GeneralFeatures.............................................. 4-3
StartingaWebBrowserInterfaceSessionwiththeAccessPoint . 4-4
DescriptionofBrowserInterface .............................. 4-5
TheHomePage ............................................. 4-5
SupportURL ............................................... 4-6
TasksforYourFirstHPWebBrowserInterfaceSession......... 4-7
ChangingtheUserNameandPasswordintheBrowserInterface... 4-7
IfYou LosetheUserNameorPassword .................... 4-9
SettingtheSSID ............................................. 4-9
SettingtheRadio Channel ................................... 4-10
ConfiguringTCP/IPSettings ................................. 4-12
ConfiguringSecuritySettings ................................ 4-13
OnlineHelp fortheHPWebBrowserInterface ................. 4-16
StatusReportingFeatures .................................... 4-17
TheAPStatusWindow ...................................... 4-17
StationStatus .............................................. 4-19
EventLogs ................................................ 4-20
TheStatusBar ............................................. 4-21
5 AccessPointConfiguration
Contents...................................................... 5-1
Overview ..................................................... 5-2
iv
ModifyingSystemManagementAccess ......................... 5-3
Web: SettingUserNamesand Passwords ....................... 5-3
CLI:SettingUser NamesandPasswords ........................ 5-4
ModifyingSystemInformation ................................. 5-5
Web: SettingtheSystemName andSSID ... ..................... 5-5
CLI:SettingtheSystem NameandSSID ........................ 5-6
ConfiguringIPSettings........................................ 5-9
Web:ConfiguringIPSettingsStaticallyorviaDHCP .............. 5-9
CLI:ConfiguringIPSettingsStaticallyorviaDHCP.............. 5-11
ConfiguringSNMP ........................................... 5-13
Web: SettingSNMP Parameters .............................. 5-13
CLI:SettingSNMPParameters ............................... 5-15
EnablingSystemLogging ..................................... 5-17
Web: SettingLoggingParameters ............................. 5-18
CLI:SettingLoggingParameters .............................. 5-19
ConfiguringSNTP ............................................ 5-21
Web: SettingSNTPParameters ............................... 5-21
CLI:SettingSNTPParameters ................................ 5-23
ConfiguringEthernetInterfaceParameters ................... 5-25
Web: SettingEthernetInterfaceParameters .................... 5-25
CLI:SettingEthernetInterfaceParameters ..................... 5-26
ConfiguringRADIUSClientAuthentication.................... 5-28
Web: SettingRADIUSServerParameters ...................... 5-28
CLI:SettingRADIUSServerParameters ....................... 5-30
SettingupFilterControl ..................................... 5-32
Web:EnablingVLANSupportandSettingFilters................ 5-33
CLI:EnablingVLANSupportandSettingFilters ................ 5-35
ModifyingRadioSettings ..................................... 5-37
Web:ModifyingtheRadioWorkingModeandSettings ........... 5-37
CLI:ModifyingtheRadioWorkingModeandSettings............ 5-40
ConfiguringWirelessSecurity ................................ 5-45
Web: ConfiguringWPASettings .............................. 5-48
CLI:ConfiguringWPASettings ............................... 5-51
v
Web:ConfiguringMACAddressAuthentication ................. 5-53
CLI:ConfiguringMACAddressAuthentication ................. 5-55
Web: ConfiguringIEEE802.1x ............................... 5-57
CLI:ConfiguringIEEE802.1x ................................ 5-59
Web: SettingupWEPShared-Keys ............................ 5-61
CLI:SettingupWEPShared-Keys ............................. 5-63
6 CommandLineReference
Contents...................................................... 6-1
Overview ..................................................... 6-2
GeneralCommands............................................ 6-3
configure................................................... 6-3
end........................................................ 6-4
exit........................................................ 6-4
ping ....................................................... 6-5
reset....................................................... 6-6
showhistory................................................ 6-6
showline .................................................. 6-7
SystemManagementCommands ............................... 6-8
country .................................................... 6-9
prompt ................................................... 6-11
systemname .............................................. 6-12
username ................................................. 6-12
password ................................................. 6-13
iphttpport ................................................ 6-13
iphttpserver .............................................. 6-14
loggingon ................................................. 6-15
logginghost ............................................... 6-15
loggingconsole ............................................ 6-16
logginglevel ............................................... 6-16
logging facility-type ......................................... 6-17
showlogging .............................................. 6-18
sntp-serverip .............................................. 6-19
sntp-serverenable .......................................... 6-20
vi
sntp-serverdate-time ....................................... 6-20
sntp-serverdaylight-saving .................................. 6-21
sntp-servertimezone........................................ 6-22
showsntp ................................................. 6-23
showsystem............................................... 6-23
showversion .............................................. 6-24
SNMPCommands ............................................ 6-25
snmp-server community ..................................... 6-25
snmp-server contact ........................................ 6-26
snmp-server enableserver ................................... 6-27
snmp-server host .......................................... 6-28
snmp-server location ....................................... 6-29
showsnmp ................................................ 6-30
Flash/FileCommands......................................... 6-30
bootfile ................................................... 6-31
copy .................................................... 6-31
delete ..................................................... 6-33
dir ....................................................... 6-33
RADIUSClient ............................................... 6-34
radius-serveraddress ....................................... 6-35
radius-serverport .......................................... 6-35
radius-serverkey ........................................... 6-36
radius-serverretransmit ..................................... 6-36
radius-servertimeout ....................................... 6-37
showradius ............................................... 6-38
802.1xPortAuthentication ................................... 6-39
802.1x .................................................... 6-40
802.1x broadcast-key-refresh-rate ............................. 6-41
802.1x session-key-refresh-rate ............................... 6-41
802.1x session-timeout ...................................... 6-42
addressfilterdefault ........................................ 6-43
addressfilterentry ......................................... 6-43
addressfilterdelete......................................... 6-44
mac-authenticationserver ................................... 6-45
mac-authenticationsession-timeout ........................... 6-45
vii
showauthentication ........................................ 6-46
FilteringCommands .......................................... 6-47
filter local-bridge ........................................... 6-47
filter ap-manage ............................................ 6-48
filter ethernet-typeenable ................................... 6-48
filter ethernet-typeprotocol.................................. 6-49
showfilters................................................ 6-50
InterfaceCommands ......................................... 6-51
interface .................................................. 6-53
dnsserver ................................................. 6-53
ipaddress ................................................ 6-54
ipdhcp ................................................... 6-55
shutdown ................................................. 6-56
speed-duplex .............................................. 6-57
showinterfaceethernet ..................................... 6-57
radio-mode ................................................ 6-58
description ................................................ 6-59
closed-system.............................................. 6-59
speed ..................................................... 6-60
channel ................................................... 6-61
ssid ...................................................... 6-62
beacon-interval ............................................ 6-62
dtim-period ................................................ 6-63
fragmentation-length........................................ 6-64
rts-threshold ............................................... 6-65
authentication ............................................. 6-66
encryption ................................................ 6-67
key ....................................................... 6-68
transmit-key ............................................... 6-69
transmit-power ............................................ 6-70
max-association ............................................ 6-70
multicast-cipher ............................................ 6-71
wpa-clients ................................................ 6-72
wpa-mode ................................................. 6-73
wpa-preshared-key ......................................... 6-74
viii
shutdown ................................................. 6-75
showinterfacewirelessg .................................... 6-75
showstation ............................................... 6-77
IAPPCommand .............................................. 6-77
iapp ...................................................... 6-77
VLANCommands ............................................. 6-78
vlan ...................................................... 6-79
native-vlanid ............................................... 6-79
A FileTransfers
Contents..................................................... A-1
Overview .................................................... A-2
DownloadingAccessPointSoftware........................... A-3
GeneralSwitch SoftwareDownloadRules ..................... A-3
UsingTFTPorFTPToDownloadSoftwarefromaServer ........ A-3
Web:TFTP/FTPSoftwareDownloadtotheAccessPoint ..... A-4
CLI:TFTP/FTPSoftwareDownloadtotheAccessPoint ...... A-6
UsingtheWebInterfaceToDownloadSoftwareFromtheLocal
Computer ................................................. A-6
TransferringConfigurationFiles.............................. A-8
ix
x
1
GettingStarted
Contents
Introduction .................................................. 1-2
Conventions .................................................. 1-2
CommandSyntaxStatements ................................. 1-2
CommandPrompts .......................................... 1-3
ScreenSimulations .......................................... 1-3
RelatedPublications .......................................... 1-4
GettingDocumentationFromtheWeb.......................... 1-5
SourcesforMoreInformation ................................. 1-6
NeedOnlyaQuickStart? ...................................... 1-6
ToSetUpandInstalltheAccessPointinYourNetwork .......... 1-6
1-1
Getting Started
Introduction
Introduction
ThisManagementandConfigurationGuideisintendedtosupportthe
followingaccesspoints:
HPProCurveWirelessAccessPoint420na
HPProCurveWirelessAccessPoint420ww
Thisguidedescribeshowtousethecommandlineinterface(CLI)andweb
browserinterfacetoconfigure,manage,andmonitoraccesspointoperation.
Atroubleshootingchapterisalsoincluded.
Forinformationonotherproductdocumentationforthisaccesspoint,refer
toRelatedPublicationsonpage1-4.
TheProductDocumentationCD-ROMshippedwith theaccesspointincludes
acopyofthisguide.YoucanalsodownloadacopyfromtheHPProCurve
website,http://www.hp.com/go/hpprocurve.(SeeGettingDocumentationFrom
theWebonpage1-5.)
Conventions
Thisguideusesthefollowingconventionsforcommandsyntaxanddisplayed
information.
CommandSyntaxStatements
Syntax:radius-serveraddress[secondary]<host_ip_address|host_name>
Verticalbars(|)separatealternative,mutuallyexclusiveelements.
Squarebrackets([])indicateoptionalelements.
Braces(<>)encloserequiredelements.
Braceswithinsquarebrackets([<>])indicatearequiredelement
withinanoptionalchoice.
BoldfaceindicatesuseofaCLIcommand,partofaCLIcommand
syntax,orotherdisplayedelementingeneraltext.Forexample:
Usethecopy tftp commandtodownloadthekeyfromaTFTPserver.
1-2
Getting Started
Conventions
Italicsindicatevariablesforwhichyoumustsupplyavaluewhen
executingthecommand.Forexample,inthiscommandsyntax,
<host_ip_address|host_name>indicatesthatyoumustprovideanIP
addressorahostname:
Syntax: radius-serveraddress[secondary]<host_ip_address|host_name>
CommandPrompts
Inthedefaultconfiguration,youraccesspointdisplaysthefollowingCLI
prompt:
HP ProCurve Access Point 420#
Tosimplifyrecognition,thisguideuses HP420 torepresentcommand
prompt.Forexample:
HP420#
(YoucanusethepromptcommandtochangethetextintheCLIprompt.)
ScreenSimulations
Figurescontainingsimulatedscreentextandcommandoutputlooklikethis:
HP420#show version
Version v2.0.0
HP420#
Figure 1-1. Example of a Figure Showing a Simulated Screen
Insomecases,briefcommand-outputsequencesappearoutsideofanum-
beredfigure.Forexample:
HP420(if-ethernet)#ip address 192.168.1.2 255.255.255.0
192.168.1.253
HP420(if-ethernet)#dns primary-server 192.168.1.55
1-3
Getting Started
RelatedPublications
RelatedPublications
InstallationandGettingStartedGuide. UsetheInstallationandGet-
tingStartedGuideshippedwithyouraccesspointtoprepareforandperform
thephysicalinstallation.Thisguidealsostepsyouthroughconnectingthe
accesspointtoyournetworkandassigningIPaddressing,aswellasdescrib-
ingtheLEDindicationsforcorrectoperationandtroubleanalysis.
HPprovidesaPDFversionofthisguideontheProductDocumentation
CD-ROMshippedwiththeaccesspoint.Youcanalsodownloadacopyfrom
theHPProCurvewebsite.(SeeGettingDocumentationFromtheWebon
page1-5.)
ReleaseNotes. ReleasenotesarepostedontheHPProCurvewebsiteand
provideinformationonnewsoftwareupdates:
Newfeaturesandhowtoconfigureandusethem
Softwaremanagement,includingdownloadingsoftwaretotheaccess
point
Softwarefixesaddressedincurrentandpreviousreleases
Toviewanddownloadacopyofthelatestreleasenotesforyouraccesspoint,
seeGettingDocumentationFromtheWebonpage1-5.
1-4
Getting Started
GettingDocumentationFromtheWeb
GettingDocumentationFromtheWeb
1. GototheHPProCurvewebsiteat
http://www.hp.com/go/hpprocurve
2. Clickontechnical support.
3. Clickonmanuals.
4. Clickontheproductforwhichyouwanttoviewordownloadamanual.
2
3
4
Figure 1-2. Finding Product Manuals on the HP ProCurve Website
1-5
Getting Started
SourcesforMoreInformation
SourcesforMoreInformation
IfyouneedinformationonspecificfeaturesintheHPWebBrowser
Interface(hereafterreferredtoasthewebbrowserinterface),use
theonlinehelpavailableforthewebbrowserinterface.Formore
informationonwebbrowserHelpoptions,refertoOnlineHelpfor
theHPWebBrowserInterfaceonpage4-16.
IfyouneedfurtherinformationonHewlett-Packardaccesspoint
technology,visittheHPProCurvewebsiteat:
NeedOnlyaQuickStart?
IPAddressing. IfyoujustwanttogivetheaccesspointanIPaddresssothat
itcancommunicateonyournetwork,HPrecommendsthatyouusetheCLI
toquicklyconfigureIPaddressing.Todoso,dooneofthefollowing:
EnterconfigattheCLIExeclevelprompt.
HP420#config
Enterinterface ethernet attheCLIConfigurationlevelprompt.
HP420(config)#interface ethernet
EntertheIPaddress,subnetmask,andgatewayattheCLIInterface
Configurationlevelprompt.
HP420(if-ethernet)#ip address <address>
<subnet_mask> <gateway>
FormoreonusingtheCLI,seeChapter6,UsingtheCommandLineInterface
(CLI).
ToSetUpandInstalltheAccessPointinYourNetwork
I mport ant ! UsetheInstallationandGettingStartedGuideshippedwithyouraccess
pointforthefollowing:
Notes,cautions,andwarningsrelatedtoinstallingandusingthe
accesspoint
Instructionsforphysicallyinstallingtheaccesspointinyournetwork
1-6
Getting Started
QuicklyassigninganIPaddress,subnetmask,andgateway,seta
Managerpassword,and(optionally)configureotherbasicfeatures.
InterpretingLEDbehavior.
For thelatestversionoftheInstallationandGettingStarted Guideandother
documentationforyouraccesspoint,visittotheHPProCurvewebsite.(Refer
toGettingDocumentationFromtheWebonpage1-5.)
1-7
Getting Started
1-8
2
SelectingaManagementInterface
Contents
Overview ..................................................... 2-2
UnderstandingManagementInterfaces ......................... 2-2
AdvantagesofUsingtheCLI ................................... 2-3
AdvantagesofUsingtheHPWebBrowserInterface............. 2-4
2-1
Selecting a Management Interface
Overview
Overview
Thischapterdescribesthefollowing:
AccessPointmanagementinterfaces
Advantagesofusingeachinterfacetype
UnderstandingManagementInterfaces
Managementinterfacesenableyoutoreconfiguretheaccesspointandto
monitoritsstatusandperformance.Interfacetypesinclude:
CLIacommandlineinterfaceofferingthefullsetofaccesspoint
commandsthroughtheVT-100/ANSIconsolebuiltintotheaccesspoint
page2-3
Webbrowserinterface--anaccesspointinterfaceofferingstatusinfor-
mationandasubsetofaccesspointcommandsthroughastandardweb
browser(suchasNetscapeNavigatororMicrosoftInternetExplorer)
page2-4
ThismanualdescribeshowtousetheCLI(chapters3,5and6),theweb
browserinterface(chapters4and5),andhowtousetheseinterfacesto
configureandmonitortheaccesspoint.
ForinformationonhowtoaccessthewebbrowserinterfaceHelp,referto
OnlineHelpfortheHPWebBrowserInterfaceonpage4-16.
2-2
AdvantagesofUsingtheCLI
AdvantagesofUsingtheCLI
HP420# ExecLevel
HP420(config)# GlobalConfigurationLevel
HP420(<context>)# ContextConfigurationLevels(Ethernet,wireless)
Figure 2-1. Command Prompt Examples
Providesaccesstothecompletesetoftheaccesspointconfiguration
features.
Offersout-of-bandaccess(throughtheRS-232connection)orTelnet(in-
band)access.
Enablesquick,detailedsystemconfigurationandmanagementaccessto
systemoperatorsandadministratorsexperiencedincommandprompt
interfaces.
Provideshelpateachlevelfordeterminingavailableoptionsandvari-
ables.
CLIUsage
ForinformationonhowtousetheCLI,refertochapter3,Usingthe
CommandLineInterface(CLI).
Toperformspecificprocedures(suchasconfiguringIPaddressing),use
theContentslistingatthefrontofthemanualtolocatetheinformation
youneed.
Formonitoringandanalyzingaccesspointoperation,refertotheappro-
priatesectioninchapter5,AccessPointConfiguration.
ForinformationonindividualCLIcommands,refertotheIndexortothe
onlineHelpprovidedintheCLIinterface.
2-3
AdvantagesofUsingtheHPWebBrowserInterface
AdvantagesofUsingtheHPWeb
BrowserInterface
Figure 2-2. Example of the HP Web Browser Interface
Easyaccesstotheaccesspointfromanywhereonthenetwork
Familiarbrowserinterface--locationsofwindowobjectsconsistent
withcommonlyusedbrowsers,usesmouseclickingfornavigation,no
terminalsetup
Manyfeatureshavealltheirfieldsinonescreensoyoucanviewall
valuesatonce
Morevisualcues,usingcolors,statusbars,deviceicons,andother
graphicalobjectsinsteadofrelyingsolelyonalphanumericvalues
Displayofacceptablerangesofvaluesavailableinconfigurationlist
boxes
2-4
3
UsingtheCommandLineInterface(CLI)
Contents
Overview ..................................................... 3-2
AccessingtheCLI ............................................. 3-2
UsingtheCLI ................................................. 3-2
PrivilegeLevelatLogon ...................................... 3-2
PrivilegeLevelOperation ..................................... 3-4
ExecPrivileges .......................................... 3-4
HowToMoveBetweenLevels ................................ 3-6
ListingCommandsandCommand Options ...................... 3-7
ListingCommandsAvailableatAnyPrivilegeLevel ........... 3-7
CommandOptionDisplays ................................ 3-9
ConfigurationCommandsandtheContextConfigurationModes .. 3-10
CLIControlandEditing ...................................... 3-12
3-1
Using the Command Line Interface (CLI)
Overview
Overview
TheCLIisatext-basedcommandinterfaceforconfiguringandmonitoringthe
accesspoint.TheCLIgivesyouaccesstotheaccesspointsfullsetof
commandswhileprovidingthesamepasswordprotectionthatisusedinthe
webbrowserinterface.
AccessingtheCLI
TheCLIisaccessedthroughtheaccesspointconsole.Youcanaccessthe
consoleout-of-bandbydirectlyconnectingaterminaldevicetotheaccess
point,orin-bandbyusingTelnet.
UsingtheCLI
TheCLIofferstheseprivilegelevelstosimplifyconfiguration:
1. Exec
2. GlobalConfiguration
3. ContextConfiguration
Not e CLIcommandsarenotcase-sensitive.
WhenyouusetheCLItomakeaconfigurationchange,theaccesspoint
immediatelysavesthechangetonon-volatilememory.Wheneveryoureboot
theaccesspoint,allchangesmadesincethelastrebootareretained.
PrivilegeLevelatLogon
TheaccesspointprovidesasinglepasswordfortheCLI.Tosecuremanage-
mentaccesstotheaccesspoint,youmustsettheManagerpassword.Without
aManagerpasswordconfigured,anyonehavingserialportorTelnetaccess
totheaccesspointcanreachallCLIcommandmodes.
3-2
UsingtheCLI
WhenyouusetheCLItologontotheaccesspoint,youwillbepromptedto
enterapassword.Forexample:
Ready
Username: admin
Password:
PasswordPrompt
Figure 3-1. Example of CLI Log-On Screen with Password
WhenyoulogontotheCLI,youwillseeacommandprompt:
HP420#_
Ca ut i on HPstronglyrecommendsthatyouconfigureaManagerpassword.IfaMan-
agerpasswordisnotconfigured,theaccesspointisnotpassword-protected,
andanyonehavingin-bandorout-of-bandaccesstotheaccesspointmaybe
abletocompromiseaccesspointandnetworksecurity.
PressingtheResetbuttononthebackoftheaccesspointformorethanfive
secondsremovespasswordprotection.Forthisreason,itisrecommended
thatyouprotecttheaccesspointfromphysicalaccessbyunauthorized
persons.
3-3
UsingtheCLI
PrivilegeLevelOperation
1.ExecLevel
2.GlobalConfigurationLevel
ManagerPrivileges
3.ContextConfigurationLevel
Figure 3-2. Access Sequence for Privilege Levels
ExecPrivileges
Execprivilegesallowyoutoexaminethecurrentconfiguration,perform
system-levelactionsthatdonotrequiresavingchanges,andmovebetween
thethreelevelsofaccess:Exec,GlobalConfiguration,andContextConfigu-
ration.(Seefigure3-2.)A"#"characterdelimitstheExecprompt.Forexample:
HP420#_ Managerprompt.
Execlevel:Allowsyoutoexaminethecurrentconfiguration,perform
system-levelactionsthatdonotrequiresavingchanges,andmove
betweenthedifferentaccesslevels.ThepromptfortheExeclevel
containsonlythesystemnameandthe"#"delimiter,asshownabove.
GlobalConfigurationlevel:Enablesyoutomakeconfiguration
changestotheaccesspoints softwarefeatures.Theprompt fortheGlobal
Configurationlevelincludesthesystemnameand"(config)".Toselect
thislevel,entertheconfig commandattheExecprompt.Forexample:
HP420# _ EnterconfigattheManagerprompt.
HP420(config)#_ TheGlobalConfigprompt.
ContextConfigurationlevel:Enablesyoutomakeconfiguration
changesinaspecificcontext,suchastheEthernetinterfaceorthe
wirelessinterface.ThepromptfortheContextConfigurationlevel
includesthesystemnameandtheselectedcontext.Forexample:
HP420(if-ethernet)#
HP4 20(if-wireless g)#
3-4
UsingtheCLI
TheContextlevelisuseful,forexample,ifyouwanttoexecuteseveral
commandsdirectedatthesameinterface.Toselectthislevel,enterthe
specificcontextattheGlobalConfigurationlevelprompt.Forexample,
toselectthecontextlevelfortheEthernetinterface,youwouldenterthe
followingcommandandseetheindicatedresult:
HP4 20(if-ethernet)#
Table 3-1. Privilege Level Hierarchy
Privilege
Level
Example of Prompt and Permitted Operations
Manager Privilege
Exec HP420# Performsystem-levelactionssuchassystemcontrol, monitoring,
Level anddiagnosticcommands.Foralistofavailablecommands,
enter?attheprompt.
Global
Configuration
Level
HP420(config)# Executeconfigurationcommands.Foralistofavailable
commands,enter? attheprompt.
Context
Configuration
Level
HP420(if-ethernet)#
HP420(if-wireless g)
#
Executecontext-specificconfigurationcommands,suchasa
particularaccesspointinterface.Thisisusefulforenteringa
seriesofcommandsforthesamecontext.Foralistofavailable
commands,enter?attheprompt.
3-5
UsingtheCLI
HowToMoveBetweenLevels
Change in Levels Example of Prompt, Command, and Result
Execlevel
to
Globalconfiguration
level
Globalconfiguration
level
to a
Contextconfiguration
level
Movefromanylevel
totheprecedinglevel
Movefromanylevel
totheExeclevel
HP420#config
HP420(config)#
HP420(if-ethernet)#
HP420(if-ethernet)#end
HP420(config)#end
HP420#
HP420(if-ethernet)#exit
HP420#
or
HP420(config)#exit
HP420#
ChangingParameterSettings. Regardlessof whichinterfaceisused (CLI,
orwebbrowserinterface),themostrecentlyconfiguredversionofaparam-
etersettingoverridesanyearliersettingsforthatparameter.Forexample,if
youusethewebinterfacetoconfigureanIPaddressofXfortheEthernet
interfaceandlaterusetheCLItoconfigureadifferentIPaddressofY,then
YreplacesXastheIPaddressfortheEthernetinterface.
3-6
UsingtheCLI
ListingCommandsandCommandOptions
Atanyprivilegelevelyoucan:
Listallofthecommandsavailableatthatlevel
Listtheoptionsforaspecificcommand
ListingCommandsAvailableatAnyPrivilegeLevel
Atagivenprivilegelevelyoucanlistandexecutethecommandsthatlevel
offers.Forexample,attheExeclevel,youcanlistandexecuteonlytheExec
levelcommands;andattheConfigurationlevel,youcanlistandexecutethe
commandsavailableonlytoConfigurationlevels.
Type"?"ToListAvailableCommands. Typingthe?symbolliststhe
commandsyoucanexecuteatthecurrentprivilegelevel.Forexample,typing
?attheExeclevelproducesthislisting:
HP420#?
Exec commands:
boo tfile Specify Application Bootfile
con figure Enter configuration mode
cop y Copy from one file to another
cou ntry Set the country code
del ete Delete a file
dir List file s on a file system
exi t Exit from the EXEC
hel p Description of the help system
pin g Send echo messages
res et Reset this system
sho w Show information
HP420#
Figure 3-3. Example of the Exec Level Command Listing
3-7
UsingtheCLI
Typing?attheConfigurationlevelproducesthislisting:
HP420(config)#?
Configure commands:
8 02.1x Set 802.1x
a ddress Set address
e nd Return to pre vious mode
e xit Exit to the E XEC mode
f ilter Bridge protoc ol filtering
h elp Description o f the help system
i app Enable IAPP
i nterface Into the inte rface configure mode
i p Set IP
l ogging Modify messag e logging facilities
m ac-authentication C Authentication
n ative-vlanid Set Native VL AN ID <1-4095>
n o Negate
p assword Assign the pr ivileged password(max length:16)
p rompt Set system's prompt
r adius-server Set radius se rver
s nmp-server Modify SNMP p arameters
s ntp-server Set SNTP
s ystem Set system na me
u sername Set username
---More---
When--MORE--appears,usetheSpace
baror[Return]tolistadditional
Set RADIUS MA
Figure 3-4. Example of the Configuration-Level Command Listing
When - - MORE - - appears,therearemorecommandsinthelisting.Tolistthe
nextsetofcommands,presstheSpacebar.Tolisttheremainingcommands
one-by-one,repeatedlypress[Enter].
Typing? attheGlobalConfigurationlevelortheContextConfigurationlevel
producessimilarresults.Inaparticularcontextlevel,thefirstblockof
commandsinthelistingarethecommandsthataremostrelevanttothe
currentcontext.
Use[Tab]ToCompleteaCommandWord. Youcanuse[Tab]toquickly
completethecurrentwordinacommand.Todoso,typeoneormore
consecutivecharactersforacommandandthenpress[Tab] (withnospaces
allowed).TheCLIcompletesthecurrentword(ifyouhavetypedenoughof
3-8
UsingtheCLI
thewordfortheCLItodistinguishitfromotherpossibilities).Forexample,
attheGlobalConfigurationlevel,ifyoupress[Tab]immediatelyaftertyping
"u",theCLIdisplaysthecommandthatbeginswith"u".Forexample:
HP420(config)#u[Tab]
HP420(config)#username
UseShorthandEntries. Youcanabbreviate commandsandoptionsaslong
astheycontainenoughletterstobedistinguishedfromanyothercurrently
availablecommandsoroptions.
CommandOptionDisplays
ConventionsforCommandOptionDisplays. WhenyouusetheCLIto
listoptionsforaparticular command,youwillseeoneormoreofthefollowing
conventionstohelpyouinterpretthecommanddata:
Braces(< >)indicatearequiredchoice.
Squarebrackets([])indicateoptionalelements.
Verticalbars(|)separatealternative,mutuallyexclusiveoptionsina
command.
ListingCommandOptions. YoucanusetheCLItoremindyouofthe
optionsavailableforacommandbyenteringcommandkeywordsfollowed
by?.Forexample,supposeyouwanttoseethecommandoptionsforconfig-
uringIEEE802.1xauthentication:
HP420(config)#802.1x ?
broad cast-key-refresh-rate x broadcast key refresh rate (minutes)
requi red Set 802.1 x required
sessi on-key-refresh-rate x session key refresh rate (minutes)
sessi on-timeout Set 802.1 x session timeout rate (seconds)
suppo rted Set 802.1 x supported
HP420(config)#802.1x
Thisexampledisplaysthecommandoptions
forconfiguring802.1xontheaccesspoint.
Set 802.1
Set 802.1
Figure 3-5. Example of How To List the Options for a Specific Command
3-9
UsingtheCLI
ConfigurationCommandsandtheContext
ConfigurationModes
Youcanexecutebasicconfigurationcommandsintheglobalconfiguration
mode.However,youmustuseacontextmodetoexecutecontext-specific
commands.
Theconfigurationoptionsincludeinterface(ethernetorwireless)context
modes:
EthernetContext. Includesinterface-specificcommandsthatapplyonly
totheEthernetinterface.Thepromptforthismodeincludestheidentityof
theEthernetinterface:
HP420(config)# interface ethernet
HP420(if-ethernet)#
HP420(if-ethernet)#?
Commandexecutedatconfiguration
levelforenteringEthernetinterface
context.
ResultingpromptshowingEthernet
interfacecontext.
Liststhecommandsyoucanuseinthe
Ethernetinterfacecontext.
IntheEthernetcontext,thecommandsinthe"?"listingshow
thecontext-specificcommandsthatwillaffectonlythe
Ethernetinterface.
HP420(if-ethernet)#?
Configure commands:
dns DNS Server setti ngs
end Return to previo us mode
exit Exit to the EXEC mode
help Description of t he help system
ip Set IP
no Negate
show Show Ethernet in terface
shutdown Shutdown the int erface
speed-duplex Set ethernet spe ed/duplex mode
HP420(if-ethernet)#
Figure 3-6. Context-Specific Commands Affecting Ethernet Interface Context
3-10
UsingtheCLI
WirelessContext. Includes wireless-specificcommandsthatapplyonly to
thewirelessinterface.Thepromptforthismodeincludestheidentityofthe
wirelessinterface:
HP420(config)#interface wireless g Commandexecutedatconfiguration
leveltoenterwirelesscontext.
HP420(if-wireless g)# Resultingpromptshowingwireless
context.
HP420(if-wireless g)#? Listscommandsyoucanuseinthe
wirelesscontext.
Inthewireless
context,the
commandsin
the"?"listing
showthe
commandsthat
willaffectonly
thewireless
interface.
HP420(if-wireless g)#?
authe ntication Set authentication type
beaco n-interval Set beacon interval
chann el Set channel
close d-system Set Closed System
descr iption Set description
dtim- period Set DTIM
encry ption Set encryption
end Return to previous mode
exit Exit to the EXEC mode
fragm entation-length Set fragment length
help Description of the help system
key Set key
max-a ssociation Maximum association munber
multi cast-cipher WPA Multicast cipher
no Negate
radio -mode Set radio mode
rts-t hreshold Rts threshold
show Show wireless interface
shutd own Shutdown
speed Speed
ssid SSID
trans mit-key Transmit key index
trans mit-power Transmit power
wpa-c lients WPA client mode
wpa-m ode WPA key management mode
wpa-p reshared-key WPA enter Pre-shared key
wpa-p sk-type WPA enter Pre-shared key type
HP420(if-wireless g)#
Figure 3-7. Context-Specific Commands Affecting Wireless Context
3-11
CLIControlandEditing
CLIControlandEditing
Keystrokes Function
[Ctrl] [A] Jumpstothefirstcharacterofthecommandline.
[Ctrl] [B]or[<] Movesthecursorbackonecharacter.
[Ctrl] [C] Terminatesataskanddisplaysthecommandprompt.
[Ctrl] [E] Jumpstotheendofthecurrentcommandline.
[Ctrl] [F]or[>] Movesthecursorforwardonecharacter.
[Ctrl] [K] Deletesfromthecursortotheendofthecommandline.
[Ctrl] [L]or[Ctrl] [R] Repeatscurrentcommandlineonanewline.
[Ctrl] [N]or[v] Entersthenextcommandlineinthehistorybuffer.
[Ctrl] [P]or[^] Entersthepreviouscommandlineinthehistorybuffer.
[Ctrl] [U] Deletesfromthecursortothebeginningofthecommandline.
[Ctrl] [W] Deletesthelastwordtyped.
[Ctrl] [Z] ExitsfromconfigurationmodetotheExeclevel.
[Esc] [B] Movesthecursorbackwardoneword.
[Esc] [D] Deletesfromthecursortotheendoftheword.
[Esc] [F] Movesthecursorforwardoneword.
[Delete]or Deletesthefirstcharactertotheleftofthecursorinthecommand
[Backspace]
line.
3-12
4
UsingtheHPWebBrowserInterface
Contents
Overview ..................................................... 4-2
GeneralFeatures.............................................. 4-3
StartingaWebBrowserInterfaceSessionwiththeAccessPoint . 4-4
DescriptionofBrowserInterface .............................. 4-5
TheHomePage ............................................. 4-5
SupportURL ............................................... 4-6
TasksforYourFirstHPWebBrowserInterfaceSession......... 4-7
ChangingtheUserNameandPasswordintheBrowserInterface... 4-7
IfYou LosetheUserNameorPassword .................... 4-9
SettingtheSSID ............................................. 4-9
SettingtheRadio Channel ................................... 4-10
ConfiguringTCP/IPSettings ................................. 4-12
ConfiguringSecuritySettings ................................ 4-13
OnlineHelp fortheHPWebBrowserInterface ................. 4-16
StatusReportingFeatures .................................... 4-17
TheAPStatusWindow ...................................... 4-17
StationStatus .............................................. 4-19
EventLogs ................................................ 4-20
TheStatusBar ............................................. 4-21
4-1
Using the HP Web Browser Interface
Overview
Overview
TheHPwebbrowserinterfacebuiltintotheaccesspointletsyoueasilyaccess
theaccesspointfromabrowser-basedPConyournetwork.Thisletsyoudo
thefollowing:
Makeconfigurationchangestotheaccesspoint
Controlaccesstothemanagementinterfacebyconfiguringausername
andpassword
MaintainaccesssecurityforwirelessclientsusingWPAorWEPshared
keys
Encryptdatacommunicationsbetweenclientsandaccesspointsusing
variousalgorithms,includingDES(defaultbyWEP),TKIPorAES
OptimizeyournetworkuptimebyusingtheSystemLog
Thischaptercoversthefollowing:
Generalfeatures(page4-3)
Startingawebbrowserinterfacesession(page4-4)
Tasksforyourfirstwebbrowserinterfacesession(page4-7)
Configuringausernameandpasswordformanagementaccessinthe
webbrowserinterface(page4-7)
SettheaccesspointServiceSetIdentifier(page4-9)
Enableradiocommunicationsandselectachannel(page4-10)
ChangingIPsettings(page4-12)
Settingwirelessnetworksecurity(page4-13)
Gettingaccesstoonlinehelpforthewebbrowserinterface
(page4-16)
Descriptionofthewebbrowserinterface
TheHomePage(page4-5)
TheSupportURL(page4-6)
StatusReportingFeatures
TheAPStatuswindow(page4-17)
Stationstatus(page4-19)
Eventlogs(page4-20)
TheStatusbar(page4-21)
4-2
GeneralFeatures
GeneralFeatures
Theaccesspointincludesthesewebbrowserinterfacefeatures:
AccessPointConfiguration:
Systemidentificationandservicesetidentifier
IPsettingsviamanualconfigurationorDHCP
RADIUSclientidentification
WirelessclientauthenticationviaIEEE802.1x
Filtercontrolbetweenwirelessclients,betweenwirelessclientsand
themanagementinterface,orforspecifiedprotocoltypes
SNMPcommunitystringsandtrapmanagers
Usernamesandpasswords
Firmwareupgradeandsystemreset
Systemlogserverandlogmessagelevels
SNTPclientandmanualclockconfiguration
AccessPointRadioInterface:
Radiosignalparameters
Wirelessclientsecurity,includingWEPandWPA
AccessPointstatus
Systemconfiguration
Wirelessconfiguration
Station status
Eventlogs
4-3
StartingaWebBrowserInterfaceSessionwiththeAccessPoint

StartingaWebBrowserInterface
SessionwiththeAccessPoint
Youcanstartawebbrowsersessionusingastandalonewebbrowserona
networkconnectionfromaPCinthefollowingways:
Directlyconnectedtoyournetwork
Connectedthroughremoteaccesstoyournetwork
Thisprocedureassumesthatyouhaveasupportedwebbrowserinstalledon
yourPCorworkstation,andthatanIPaddresshasbeenconfiguredonthe
accesspoint.IfyouareusingaDomainNameServer(DNS),yourdevicemay
haveanameassociatedwithit(forexample,hp420)thatyoucantypeinthe
Location or AddressfieldinsteadoftheIPaddress.UsingDNSnamestypically
improvesbrowserperformance. Seeyournetworkadministratorfor anyname
associatedwiththeaccesspoint.(FormoreinformationonassigninganIP
address,refertoIPConfigurationonpage4-13.)
Theoperatingsystems,webbrowsers,andJavasupportrequiredtomanage
theaccesspoint throughthebrowserinterfacearelistedinthefollowingtable:
Operating System Internet
Explorer
Java
Windows2000SP3 5.01,SP1
6.0,SP1
SunJava2RuntimeEnvironment,Ver.1.4.1
MicrosoftVirtualMachine5.0.38.09
WindowsXP
ProfessionalHotfixSP2
6.0,SP1
Not e : IPmanagementcanbelimitedto accessfromtheEthernetinterface.Formore
onthisfeature,seeSettingupFilterControlonpage5-32.
TypetheIPaddress(orDNSname)oftheaccesspointinthebrowserLocation
or Addressfieldandpress[Enter].(Itisnotnecessarytoincludehttp://.)
10.11.12.195 [Enter] ExampleofanIPaddress.
HP420 [Enter] ExampleofaDNS-typename.
4-4
DescriptionofBrowserInterface
Browserelementscoveredinthissectioninclude:
TheHomePage(below)
TheSupportURL(page4-6)
TheHomePage
Thehomepageistheentrypointforthewebbrowserinterface.Thefollowing
figureidentifiesthevariouspartsofthescreen.
TabBar
ActiveTab
WorldWideWebsitefor
Hewlett-Packards
networkingproducts
Figure 4-1. The Home Page
4-5
SupportURL
Thehomepagefortheaccesspointswebbrowserinterfaceis theSupporttab.
ThispageprovidesthefollowingURL:
whichistheWorldWideWebsiteforHewlett-Packardsnetworkingproducts.
Clickonthelinkonthispageandyoucanget tosupport informationregarding
youraccesspoint,includingwhitepapers,firmwareupdates,andmore.
4-6
TasksforYourFirstHPWebBrowserInterfaceSession
TasksforYourFirstHPWebBrowser
InterfaceSession
Thefirsttimeyouaccessthewebbrowserinterface,thereareanumberof
basictasksthatyoushouldperform:
SettheManagerusernameandpassword
SettheaccesspointServiceSetIdentifier(SSID)
Enableradiocommunicationsandselectachannel
ChangeTCP/IPsettings
Setradiosecurityoptions
ChangingtheUserNameandPasswordintheBrowser
Interface
Youmaywanttochangeboththeusernameandpasswordtoenhanceaccess
securityforthemanagementinterfaceonyouraccesspoint.Asingleuser
name andpasswordallowfull read/writeaccesstothewebbrowserinterface.
Not e Ifyouwantsecuritybeyondthatachievedwithusernamesandpasswords,
youcandisableaccesstothewebbrowserinterface.Thisisdonebyexecuting
no ip http server attheGlobalConfigurationlevelcommandpromptintheCLI.
Then,managementaccessisonlyfromtheCLIthroughtheconsoleporton
theaccesspoint.
Tosettheusernameorpasswordwiththewebbrowserinterface:
1. ClicktheAdministrationtabandthenthe[Change Password]buttonto
displaytheChangePasswordmenu.
4-7
Figure 4-2. The Change Password Window
2. ClickintheappropriateboxintheChangePasswordmenuandentera
usernameorpassword.Youwillberequiredtorepeatthepassword
stringintheconfirmationbox.
Boththeusernameandpasswordcanbefrom3to16printableASCII
characters.
3. Clickon[Apply Changes]toactivatetheusernameandpassword.
Not e Theusernameandpasswordyouassigninthewebbrowserinterfacewill
overwritetheprevioussettingsassignedineitherthewebbrowserinterface
ortheaccesspointconsole. Thatis,themostrecently assignedusername and
passwordareimmediatelyeffectivefortheaccesspoint,regardlessofwhich
interfacewasusedtoassigntheseparameters.
Themanagerusernameandpasswordisusedtocontrolaccesstoallmanage-
mentinterfacesfortheaccesspoint.Onceset,youwillbepromptedtosupply
theusernameandpasswordeverytimeyoutrytoaccesstheaccesspoint
throughanyofitsinterfaces.
4-8
IfYouLosetheUserNameorPassword
Ifyoulosetheusernameorpassword,youcanclearthembypressingthe
Resetbuttononthebackoftheaccesspointforatleastfiveseconds.This
actiondeletesthepasswordandresetstheusernametothefactorydefault
settingsforalloftheaccesspointsinterfaces.Allconfigurationinformation
isresettothefactorydefaultvalues,including:
Usernameandpassword
Consoleeventlog(cleared)
Networkcounters(resettozero)
ConfiguredIPaddress
Ca ut i on TheResetbuttonisprovidedforyourconvenience,butitspresencemeans
thatifyouareconcernedwiththesecurityoftheaccesspointconfiguration
andoperation,youshouldmakesuretheaccesspointisinstalledinasecure
location.
SettingtheSSID
TheServiceSetIDentifier(SSID)isarecognizabletextstringthatidentifies
thewirelessnetwork.Allwirelessclientsthatwanttoconnecttothenetwork
throughtheaccesspointmustsettheirSSIDstothesameasthatoftheaccess
point.
TosettheaccesspointSSID,clicktheConfigurationtabandthenthe[System
Information] button.Enteratextstring upto32 charactersintheSSIDbox. Click
the[Apply Changes]buttontosavethesetting.
4-9
Figure 4-3. Setting the SSID
SettingtheRadioChannel
Theaccesspointsradiochannelsettingsarelimitedbylocalregulations,
whichdeterminethenumberofchannelsthatareavailable.Youcanmanually
settheaccesspointsradiochannelorallowittoautomaticallyselectan
unoccupiedchannel.
Not e Ifyouareusingtheworldwideproduct,J8131A,beforeconfiguringradio
settingsontheaccesspoint,youmustfirstusetheCLIto settheCountryCode
sothattheradiochannelsusedconformtoyourlocalregulations.SeeUsing
theCLItoSettheCountryCodeonpage5-41.
4-10
Theaccesspointusestheconfiguredradiochanneltocommunicatewith
wirelessclients.Whenmultipleaccesspointsaredeployedinthesamearea,
besuretochooseachannelseparatedbyatleastfivechannelstoavoidhaving
thechannelsinterferewitheachother.Youcandeployuptothreeaccess
pointsinthesamearea(forexample,channels1,6,11).
1. ClicktheConfigurationtab,andthenclickthe[Port/Radio Settings]button.
2. SelecttheWorking Mode.
3. Clickthe[Radio Mode Change]button.
4. ChecktheEnableboxtoenableradiocommunications.
5. Selecttheradiochannelfromthescroll-downbox,ormarktheEnable
radiobuttonforAuto Channel Select.
6. Clickthe[Apply Changes]buttontosavethesettings.
Figure 4-4. Radio Channel Selection
4-11
ConfiguringTCP/IPSettings
Youcanusethewebbrowserinterfacetomanagetheaccesspointonlyifit
alreadyhasanIPaddressthatisreachablethroughyournetwork.Youcanset
aninitialIPaddressfortheaccesspointbyusingtheCLIinterface.Afteryou
havenetworkaccesstotheaccesspoint,youcanthenusethewebbrowser
interfacetomodifytheinitialIPconfiguration.
1. ClicktheConfigurationtab,andthenclickthe[IP Configuration]button.
2. SelecteitherObtain the IP Address from the DHCP ServerorUse the Static IP
Address below.
3. IfyouselecttouseastaticIPaddress,youmustmanuallyentertheIP
addressandsubnetmask.
4. Ifamanagementstationexistsonanothernetworksegment,entertheIP
addressofagatewaythatcanroutetrafficbetweenthesesegments.
5. EntertheIPaddressfortheprimaryandsecondaryDNSserverstobe
usedforhost-nametoIPaddressresolution.
6. Clickthe[Apply Changes]button.
Not e IfyouchangetheIPaddressusingthewebinterface,youmustloginagain
usingthenewaddress.
4-12
Figure 4-5. IP Configuration
ConfiguringSecuritySettings
Theaccesspointisconfiguredbydefaultasanopensystem,whichbroad-
castsabeaconsignalincludingtheconfiguredSSID.Wirelessclientscanread
theSSIDfromthebeacon,andautomaticallyresettheirSSIDtoallowimme-
diateconnectiontothenearestaccesspoint.Formoresecuredatatransmis-
sions,theaccesspointprovidesclientauthenticationbasedonsharedkeys
thataredistributedtoallstations.
WiredEquivalentPrivacy(WEP)isimplementedtoprovideabasiclevelof
security,preventingunauthorizedaccesstothenetworkandencryptingdata
transmittedbetweenwirelessclientsandtheaccesspoint.
ToimplementWEPandsetupsharedkeys,followthesesteps:
1. ClicktheSecuritytabandthenthe[Shared Key Setup]button.
4-13
2. SettheAuthentication TypetoShared Keytorequireauthenticationbased
onasharedkeythathasbeendistributedtoallstations.
3. EnableWiredEquivalencySetup(WEP)toencrypttransmissionspassing
betweenwirelessclientsandtheaccesspoint.
4. Toconfigurethesharedkey,select64-bit,128-bit,or152-bitkeysize,and
enterahexadecimalorASCIIstringoftheappropriatelength.
Not e TheWEPsettingsmustbethesameoneachclientinyourwirelessnetwork.
WEPisthesecurityprotocolinitiallyspecifiedintheIEEE802.11standard
forwirelesscommunications.WhileWEPprovidesamarginofsecurityfor
environmentswithlightnetworktraffic,itisnotsufficientforenterpriseuse
wherehighly-sensitivedataistransmitted.
Formorerobustwirelesssecurity,youshouldconsiderimplementingother
featuressupportedbytheaccesspoint.Wi-FiProtectedAccess(WPA)and
IEEE802.1xprovideimproveddataencryptionanduserauthentication.See
ConfiguringWirelessSecurityonpage5-45.
4-14
Figure 4-6. Security Settings
4-15
OnlineHelpfortheHPWebBrowserInterface
OnlineHelpisavailableforthewebbrowserinterface.Youcanuseitby
clickingonthequestionmarkbuttonintheupper-rightcornerofanyofthe
webbrowserinterfacescreens.
TheHelpButton
Figure 4-7. The Help Button
4-16
Browserelementscoveredinthissectioninclude:
TheAPStatuswindow(below)
Stationstatus(page4-19)
Eventlogs(page4-20)
TheStatusbar(page4-21)
TheAPStatusWindow
TheAPStatuswindowdisplaysbasicsystemconfigurationsettings,aswell
asthesettingsforthewirelessinterface.
ThefollowingfigureidentifiesthevariouspartsoftheAPStatuswindow.
ActiveTab
ButtonBar
TabBar
StatusBar
Current
Status
Information
Figure 4-8. The AP Status Window
4-17
APSystemConfiguration. TheAPSystemConfigurationtabledisplaysthe
basicsystemconfigurationsettings:
SystemUpTime:Lengthoftimetheaccesspointhasbeenup.
MACAddress:Thephysicallayeraddressforthisdevice.
SystemName:Nameassignedtothissystem.
SystemContact:Administratorresponsibleforthesystem.
DHCPStatus:ShowsifIPconfigurationisviaaDHCPserver.
IPAddress:IPaddressofthemanagementinterfaceforthisdevice.
IPDefaultGateway:IPaddressofthegatewayrouterbetweenthis
deviceandmanagementstationsthatexistonothernetworksegments.
HTTPServer:ShowsifmanagementaccessviaHTTPisenabled.
HTTPServerPort:ShowstheTCPportusedbytheHTTPinterface.
Version:Showstheversionnumberfortheruntimecode.
APWirelessConfiguration. TheAPWirelessConfigurationtabledisplays
thefollowingwirelessinterfacesettings:
SSID:Theservicesetidentifierthatidentifiesthiswirelessgroup.
Radio:Indicatesiftheaccesspointisoperatingin802.11b,802.11g,or
mixed(b&g)mode.
RadioStatus:Indicatesiftheaccesspointradioisenabledordisabled.
AutoChannelSelect:Indicatesiftheaccesspointautomaticallyselects
anunoccupiedradiochannel.
RadioChannel:Theradiochannelthroughwhichtheaccesspoint
communicateswithwirelessclients.
RadioEncryption:Thekeysizeusedfordataencryption.
RadioAuthenticationType:Showsifopensystemorsharedkey
authenticationisused.
802.1x:ShowsifIEEE802.1xaccesscontrolforwirelessclientsis
enabled.
APEthernetConfiguration. TheAPEthernet Configurationtabledisplays
thefollowingethernetinterfacesettings:
SubnetMask:Themaskthatidentifiesthehostaddressbitsusedfor
routingtospecificsubnets.
PrimaryDNS:TheIPaddressoftheprimaryDomainNameServeron
thenetwork.
SecondaryDNS:TheIPaddressofthesecondaryDomainNameServer
onthenetwork.
4-18
Speed-Duplex:Theoperatingspeedandduplexmodeoftheaccess
pointsRJ-45Ethernetinterface.
StationStatus
TheStationStatuswindowshowsthewirelessclientscurrentlyassociated
withtheaccesspoint.
Figure 4-9. The Station Status Window
TheStationConfigurationtabledisplaysthefollowinginformation:
StationAddress:TheMACaddressofthewirelessclient.
Authenticated:Showsifthestationhasbeenauthenticated.Thetwo
basicmethodsofauthenticationsupportedfor802.11wirelessnetworks
areopensystemandsharedkey.Open-systemauthenticationaccepts
anyclientattemptingtoconnecttotheaccesspointwithoutverifyingits
identity.Theshared-keyapproachusesWiredEquivalentPrivacy(WEP)
toverifyclientidentitybydistributingasharedkeytostationsbefore
attemptingauthentication.
Associated:Showsifthestationhasbeensuccessfullyassociatedwith
theaccesspoint.Onceauthenticationiscompleted, stationscanassociate
withthecurrentaccesspoint,orreassociatewithanewaccesspoint.The
4-19
associationprocedureallowsthewirelesssystemtotrackthelocationof
eachmobileclient,andensuresthatframesdestinedforeachclientare
forwardedtotheappropriateaccesspoint.
ForwardingAllowed:If802.1xisbeingusedshowsifthestationhas
passed802.1xauthenticationandisnowallowedtoforwardtraffictothe
accesspoint.IfauthenticationisnotrequiredthisvalueisTRUEforall
clients.
KeyType:Displaysoneofthefollowing:
WEPDisabled:TheclientisnotusingWiredEquivalentPrivacy
(WEP)encryptionkeys.
DynamicWEP:TheclientisusingWi-FiProtectedAccess(enterprise
or pre-sharedkeymode)orusing802.1xauthenticationwithdynamic
keying.
StaticWEP:TheclientisusingstaticWEPkeysforencryption.
EventLogs
TheEventLogswindowshowsthelogmessagesgeneratedby theaccesspoint
andstoredinmemory.
Figure 4-10. The Event Logs Window
4-20
TheEventLogstabledisplaysthefollowinginformation:
LogTime:Thetimethelogmessagewasgenerated.
EventLevel:Thelogginglevelassociatedwiththismessage.Fora
descriptionofthevariouslevels,seeEnablingSystemLoggingon
page5-17.
EventMessage:Thecontentofthelogmessage.
TheStatusBar
TheStatusBarisdisplayedintheupperleftcornerofthewebbrowser
interfacescreen.Figure4-11showsanexpandedviewofthestatusbar.
StatusIndicator StatusDescription
ProductName
Figure 4-11. Example of the Status Bar
TheStatusbarconsistsofthreeobjects:
StatusIndicator.Indicates,byicon,theradiostatusoftheaccesspoint.
Green:Indicatestheradioisactive.
Red:Indicatestheradioisinactive.
StatusDescription.Atextdescriptionoftheradiostatus;activeor
inactive.
ProductName.Theproductnameoftheaccesspointtowhichyouare
connectedinthecurrentwebbrowserinterfacesession.
4-21
4-22
5
AccessPointConfiguration
Contents
Overview ..................................................... 5-2
ModifyingSystemManagementAccess ......................... 5-3
Web: SettingUserNamesand Passwords ....................... 5-3
CLI:SettingUser NamesandPasswords ........................ 5-4
ModifyingSystemInformation ................................. 5-5
Web: SettingtheSystemName andSSID ... ..................... 5-5
CLI:SettingtheSystem NameandSSID ........................ 5-6
ConfiguringIPSettings........................................ 5-9
Web:ConfiguringIPSettingsStaticallyorviaDHCP .............. 5-9
CLI:ConfiguringIPSettingsStaticallyorviaDHCP.............. 5-11
ConfiguringSNMP ........................................... 5-13
Web: SettingSNMP Parameters .............................. 5-13
CLI:SettingSNMPParameters ............................... 5-15
EnablingSystemLogging ..................................... 5-17
Web: SettingLoggingParameters ............................. 5-18
CLI:SettingLoggingParameters .............................. 5-19
ConfiguringSNTP ............................................ 5-21
Web: SettingSNTPParameters ............................... 5-21
CLI:SettingSNTPParameters ................................ 5-23
ConfiguringEthernetInterfaceParameters ................... 5-25
Web: SettingEthernetInterfaceParameters .................... 5-25
CLI:SettingEthernetInterfaceParameters ..................... 5-26
ConfiguringRADIUSClientAuthentication.................... 5-28
Web: SettingRADIUSServerParameters ...................... 5-28
CLI:SettingRADIUSServerParameters ....................... 5-30
SettingupFilterControl ..................................... 5-32
Web:EnablingVLANSupportandSettingFilters................ 5-33
CLI:EnablingVLANSupportandSettingFilters ................ 5-35
5-1
Access Point Configuration
Overview
ModifyingRadioSettings ..................................... 5-37
Web:ModifyingtheRadioWorkingModeandSettings ........... 5-37
CLI:ModifyingtheRadioWorkingModeandSettings............ 5-40
ConfiguringWirelessSecurity ................................ 5-45
Web: ConfiguringWPASettings .............................. 5-48
CLI:ConfiguringWPASettings ............................... 5-51
Web:ConfiguringMACAddressAuthentication ................. 5-53
CLI:ConfiguringMACAddressAuthentication ................. 5-55
Web: ConfiguringIEEE802.1x ............................... 5-57
CLI:ConfiguringIEEE802.1x ................................ 5-59
Web: SettingupWEPShared-Keys ............................ 5-61
CLI:SettingupWEPShared-Keys ............................. 5-63
Overview
ThisChapterdescribeshowto:
Viewandmodifytheconfigurationforsystemmanagementaccess
Viewandmodifyaccesspointsysteminformation
ConfigureIPsettings
ConfigureSNMPsettings
ConfigureSNTPclientandmanualclock
SetupRADIUSclientauthentication
Setupfiltercontrolbetweenwirelessclients,betweenwirelessclients
andthemanagementinterface,orforspecifiedprotocoltypes
Modifyradiosettings
Configurewirelesssecurity
5-2
ModifyingSystemManagementAccess
ManagementaccesstotheaccesspointswebandCLIinterfaceiscontrolled
throughasingleusernameandpassword.Youcanalsogainadditionalin-band
accesssecuritybyusingcontrolfilters(seeSettingupFilterControlon
page5-32).
Ca ut i on HPstronglyrecommendsthatyouconfigureanewManagerpasswordand
notusethedefault.IfaManagerpasswordisnotconfigured,thentheaccess
pointisnotpassword-protected,andanyonehavingin-bandorout-of-band
accesstotheaccesspointmaybeabletocompromiseaccesspointand
networksecurity.
PressingtheResetbuttononthebackoftheaccesspointformorethanfive
secondsremovespasswordprotection.Forthisreason,itisrecommended
thatyouprotecttheaccesspointfromphysicalaccessbyunauthorized
persons.
Web:SettingUserNamesandPasswords
TheChange Passwordwindowenablestheaccesspointsmanagementuser
nameandpasswordtobeset.
Thewebinterfaceenablesyoutomodifytheseparameters:
Username:Thenameoftheuser.Thedefaultnameisadmin.(Length:
3-16printableASCIIcharacters,casesensitive.)
NewPassword:Thepasswordformanagementaccess.(Length:3-16
printableASCIIcharacters,casesensitive)Thereisnodefaultpassword.
ToSetaUserNameandPassword:
1. SelecttheConfigurationtab.
2. Clickthe[Change Password]button.
3. TypeanewusernameintheUsernametextfield.
4. TypeapasswordintheNew Passwordtextfield.
5. TypethepasswordagainintheConfirm New Passwordtextfield.
5-3
Figure 5-1. The Change Password Window
CLI:SettingUserNamesandPasswords
CLI Commands Used in This Section
Command Syntax CLI Reference Page
username<name> page6-12
[no] password <password> page6-13
Thisexampleshowshowtosetanewusernameandpassword.
HP420(config)#username bob
HP420(config)#password hp
HP420(config)#
5-4
ModifyingSystemInformation
Theaccesspointssysteminformationparameterscanbeleftattheirdefault
settings.However,modifyingtheseparameterscanhelpyoutomoreeasily
distinguishonedevicefromanotherinyournetwork.
YoushouldsetaServiceSetIdentification(SSID)toidentifythewireless
networkserviceprovided bytheaccesspoint.Onlyclientswith thesameSSID
canassociatewiththeaccesspoint.
Web:SettingtheSystemNameandSSID
TomodifytheaccesspointssystemnameandradioServiceSetIdentification
(SSID),usetheSystem InformationwindowontheConfigurationtab.
SystemName:Analiasfortheaccesspointonly,enablingthedeviceto
beuniquelyidentifiedonthenetwork.Userscanenteramaximumof32
charactersasaSystemName.
SSID:Thenameofthebasicservicesetprovidedbytheaccesspoint.
Clientsthatwantto connect tothe network throughtheaccesspoint must
settheirSSIDstothesameasthatoftheaccesspoint.(Range:1- 32
characters)
ToSetaSystemNameandSSID:
2. Clickthe[System Information]button.
3. TypeanametoidentifytheaccesspointintheSystem Nametextfield.
4. TypeanidentificationstringintheSSIDtextfield.
5-5
Figure 5-2. The System Information Window
CLI:SettingtheSystemNameandSSID
interface<ethernet|wireless g> page6-53
system name<name> page6-12
ssid<string> page6-62
show system page6-23
Thefollowingexampleshowshowtosetthesystemname.
HP420(config)#system name AP420
5-6
TosettheSSIDtoRD-AP#3anddisplayit,entertheCLIcommandsshown
inthefollowingexample.
HP420(config)#interface wireless g
Enter Wireless configuration commands, one per line.
HP420(if-wireless g)#ssid RD-AP#3
HP420(if-wireless g)#show
Wireless Interface Information
===========================================================
----------------Identification-----------------------------
Description : Enterprise 802.11g Access Point
SSID : RD-AP#3
Radio mode : 802.11b only
Channel : 3
Status : Enabled
----------------802.11 Parameters--------------------------
Transmit Power : FULL (18 dBm)
Max Station Data Rate : 11Mbps
Fragmentation Threshold : 2346 bytes
RTS Threshold : 2347 bytes
Beacon Interval : 100 TUs
DTIM Interval : 2 beacons
Maximum Association : 128 stations
----------------Security-----------------------------------
Closed System : DISABLED
WPA mode : Dynamic key
Multicast cipher : WEP
Unicast cipher : TKIP
WPA clients : SUPPORTED
Authentication Type : OPEN
Encryption : DISABLED
Default Transmit Key : 1
WEP Key Data Type : Hexadecimal
Static Keys :
Key 1: EMPTY Key 2: EMPTY Key 3: EMPTY Key 4: EMPTY
===========================================================
5-7
Todisplaytheconfiguredsystemname,usetheshow systemcommand,as
showninthefollowingexample.
HP420#show system
System Information
============================================================
Serial Number : A252014354
System Up time : 0 days, 1 hours, 28 minutes, 9 seconds
System Name : AP420
System Location :
System Contact : Contact
System Country Code : 99 - NO_COUNTRY_SET
MAC Address : 00-30-F1-71-D6-40
IP Address : 192.168.1.1
Subnet Mask : 255.255.255.0
Default Gateway : 0.0.0.0
VLAN State : DISABLED
IAPP State : ENABLED
DHCP Client : ENABLED
HTTP Server : ENABLED
HTTP Server Port : 80
Slot Status : 802.11g only
Software Version : v2.0.0
============================================================
HP420#
5-8
ConfiguringIPSettings
ConfiguringtheaccesspointwithanIPaddressexpandsyourabilityto
managetheaccesspointanduseitsfeatures.Anumberofaccesspoint
featuresdependonIPaddressingtooperate.
Not e YoucanusethewebbrowserinterfacetoaccessIPaddressingonlyifthe
accesspointalreadyhasan IPaddressthatisreachable throughyournetwork.
Bydefault,theaccesspointisconfiguredtoautomaticallyreceiveIP
addressingonthedefaultVLANfromaDynamicHostConfigurationProtocol
(DHCP)server.However,ifyouarenotusingaDHCPservertoconfigureIP
addressing,usetheCLItomanuallyconfiguretheinitialIPvalues.Afteryou
havenetworkaccesstotheaccesspoint,youcanusethewebbrowser
interfacetomodifytheinitialIPconfiguration,ifneeded.
Not e IfthereisnoDHCPserveronyournetwork,orDHCPfails,theaccesspoint
willautomaticallystartupwithadefaultIPaddressof192.168.1.1.
Web:ConfiguringIPSettingsStaticallyorviaDHCP
TheIP ConfigurationwindowontheConfigurationtabenablestheDHCPclient
tobeenabledortheTransmissionControlProtocol/InternetProtocol(TCP/
IP)settingstobemanuallyspecified.
ObtaintheIPAddressfromtheDHCPServer:TheDHCPclientis
enabled.TheIPaddress,subnetmask,defaultgateway,andDomainName
Server(DNS)addressaredynamicallyassignedtotheaccesspointbythe
networkDHCPserver.
UsetheStaticIPAddressBelow:TheDHCPclientisdisabled.TheIP
addresssettingsareconfiguredmanually.
IPAddress:TheIPaddressoftheaccesspoint.ValidIPaddresses
consistoffourdecimalnumbers,0to255,separatedbyperiods.
SubnetMask:Themaskthatidentifiesthehostaddressbitsusedfor
routingtospecificsubnets.
DefaultGateway:ThedefaultgatewayistheIPaddressofthenext-
hopgatewayrouterfortheaccesspoint,whichis usedif therequested
destinationaddressisnotonthelocalsubnet.
5-9
PrimaryandSecondaryDNSAddress:TheIPaddressofDomain
NameServersonthenetwork.ADNSmapsnumericalIPaddresses
todomainnamesandcanbeusedtoidentifynetworkhostsbyfamiliar
namesinsteadoftheIPaddresses.
ToEnabletheDHCPClient:
2. Clickthe[IP Configuration]button.
3. SelectObtain the IP Address from the DHCP Server.
ToConfigureIPSettingsManually:
2. Clickthe[IP Configuration]button.
3. SelectUse the Static IP Address below.
4. TypetheIPaddressandthesubnetmaskinthetextfieldsprovided.
5. (Optional)Ifyouhavemanagementstations,DNS,Radius,orother
networkserverslocatedonanothersubnet,typetheIPaddressofthe
defaultgatewayrouterinthetextfieldprovided.Otherwise,leavethe
addressasallzeros(0.0.0.0).
6. (Optional)IfyouhaveoneormoreDNSserverslocatedonthelocal
network,typetheIPaddressesinthetextfieldsprovided.Otherwise,
leavetheaddressesasallzeros(0.0.0.0).
5-10
Figure 5-3. The IP Configuration Window
CLI:ConfiguringIPSettingsStaticallyorviaDHCP
[no] ip address<ip-address><netmask><gateway> page6-54
[no] ip dhcp page6-55
dns primary-server<server-address> page6-53
dns secondary-server<server-address> page6-53
show interface [ethernet] page6-57
5-11
ThefollowingexampleshowshowtoenabletheDHCPclient.
Enter Ethernet configuration commands, one per line.
HP420(if-ethernet)#ip dhcp
HP420(if-ethernet)#
TosettheaccesspointsIPparametersmanually,youmustfirstdisablethe
DHCPclient.ThefollowingexampleshowshowtodisabletheDHCPclient
andthenspecifyanIPaddress,subnetmask,defaultgateway,andDNSserver
addresses.
HP420(if-ethernet)#no ip dhcp
10.1.0.254
HP420(if-ethernet)#dns secondary-server 10.1.2.19
HP420(if-ethernet)#
TodisplaythecurrentIPsettingsfromtheEthernetinterfaceconfiguration
context,usetheshowcommand.TodisplaythecurrentIPsettingsfromthe
Execlevel,usetheshow interface ethernetcommandasshowninthefollowing
example.
HP420#show interface ethernet
Ethernet Interface Information
========================================
IP Address : 10.1.0.1
Subnet Mask : 255.255.255.0
Primary DNS : 10.1.0.55
Secondary DNS : 10.1.2.19
Speed-duplex : 100Base-TX Half Duplex
Admin status : Up
Operational status : Up
========================================
HP420#
5-12
ConfiguringSNMP
ConfiguringSNMP
YoucanuseanetworkmanagementapplicationsuchasHPOpenViewto
managetheaccesspointviatheSimpleNetworkManagementProtocol
(SNMP)fromanetworkmanagementstation.ToimplementSNMPmanage-
ment,theaccesspointmusthaveanIPaddressandsubnetmask,configured
eithermanuallyordynamically.OnceanIPaddresshasbeenconfigured,
appropriateSNMPcommunitiesandtrapreceiversshouldbeconfigured.
CommunitynamesareusedtocontrolmanagementaccesstoSNMPstations,
as wellastoauthorizeSNMPstationstoreceivetrapmessagesfromtheaccess
point.Tocommunicatewiththeaccesspoint,amanagementstationmustfirst
submitavalidcommunitynameforauthentication.Youthereforeneedto
assigncommunitynamestospecifiedusersorusergroupsandsettheaccess
level.
Web:SettingSNMPParameters
TheSNMPwindowontheConfigurationtabcontrolsmanagementaccessto
theaccesspointfrommanagementstationsusingSNMP.
SNMP:EnablesordisablesSNMPmanagementaccessandalsoenables
theaccesspointtosendSNMPtraps(notifications).SNMPmanagement
isenabledbydefault.
Location:Atextstringthatdescribesthesystemlocation.
(Maximumlength:20characters)
Contact:Atextstringthatdescribesthesystemcontact.
CommunityName (Read/Write):DefinestheSNMPcommunityaccess
stringthathasread/writeaccess.Authorizedmanagementstationsare
abletobothretrieveandmodifyMIBobjects.(Maximumlength:23
characters,casesensitive)
CommunityName(ReadOnly):DefinestheSNMPcommunityaccess
stringthathasread-onlyaccess.Authorizedmanagementstations areonly
abletoretrieveMIBobjects.(Maximumlength:23characters,casesensi-
tive)
TrapDestinationIPAddress:SpecifiestherecipientofSNMPnotifica-
tions.EntertheIPaddressorthehostname(from1to20characters).
5-13
ConfiguringSNMP
TrapDestinationCommunityName:Thecommunitystringsentwith
thenotificationoperation.(Maximumlength:23characters)
ToEnableSNMPandSetParameters:
2. Clickthe[SNMP]button.
3. SelectEnabletoenableSNMPmanagement.
4. Typetextstringstoreplacethedefaultcommunitynamesforread-only
andread/writeaccess.(Recommendedforsecurity.)
5. (Optional)IfyouwanttosendSNMPtrapstoamanagementstation,type
theIPaddressintheTrap Destination IP Addressfieldandspecifyoneof
theconfiguredcommunitynamesintheTrap Destination Community Name
field.
6. (Optional)Typeatextstringtoidentifythelocationoftheaccesspointin
theLocationtextfield.
7. (Optional)Typeatextstringornametoidentifyasystemadministration
contactintheContacttextfield.
5-14
ConfiguringSNMP
Figure 5-4. The SNMP Window
CLI:SettingSNMPParameters
[no] snmp-server enable server
[no] snmp-server community<string>[ro |rw]
[no] snmp-server host<host_ip_address|
host_name> <community-string>
[no] snmp-server contact<string>
[no] snmp-server location <text>
show snmp
page6-27
page6-25
page6-28
page6-26
page6-29
page6-30
5-15
ConfiguringSNMP
SNMPmanagementontheaccesspointisenabledbydefault. TodisableSNMP
management,typethefollowingcommand:
HP420(config)#no snmp-server enable server
ThefollowingexampleshowshowtoenableSNMP,configurethecommunity
strings,andsetthelocationandcontactparameters.
HP420(config)#snmp-server enable server
HP420(config)#snmp-server community alpha rw
HP420(config)#snmp-server community beta ro
HP420(config)#snmp-server location 2F-R19
HP420(config)#snmp-server contact Paul
HP420(config)#
IfyouwanttosendSNMPtrapstoamanagementstation,specifythehostIP
addressusingthefollowingcommand:
HP420(config)#snmp-server host 10.1.19.23 alpha
TodisplaythecurrentSNMPsettingsfromtheExeclevel,usetheshow snmp
command,asshowninthefollowingexample.
HP420#show snmp
SNMP Information
============================================
Service State : Enable
Community (ro) : *****
Community (rw) : *****
Location : 2F-R19
Contact : Paul
Traps : Enabled
Host Name/IP : 10.1.19.23
Trap Community : *****
=============================================
HP420#
5-16
EnablingSystemLogging
Theaccesspointsupportsaloggingprocessthatcancontrolerrormessages
savedtomemoryorsenttoaSyslogserver.Theloggedmessagesserveasa
valuabletoolforisolatingaccesspointandnetworkproblems.
Thesystemallowsyoutolimitthemessagesthatareloggedbyspecifyinga
minimumseveritylevel. Thefollowing tablelists theerrormessagelevelsfrom
themostsevere(Alert)toleastsevere(Debug).Themessagelevelsthatare
loggedincludethespecifiedminimumleveluptotheAlertlevel.
Error Level Description
Alerts Immediateactionneeded
Critical Criticalconditions(e.g.,memoryallocation,orfree
memoryerror- resourceexhausted)
Error Errorconditions(e.g.,invalidinput,defaultused)
Warning Warningconditions(e.g.,returnfalse,unexpectedreturn)
Notice Normalbutsignificantcondition,suchascoldstart
Informational Informationalmessagesonly
Debug Debuggingmessages
Not e ThereareonlyCritical,Notice,andInformationalmessagesimplementedat
thistime.
Theaccesspointerrorlogcanbeviewedusingthewebinterfacefromthe
Event Logs windowontheStatustab.TheEvent Logswindowdisplaysthelast
128messagesloggedinchronologicalorder,fromthenewesttotheoldest.
Logmessagesareonlygeneratedsincethelastreboot.Rebootingtheaccess
pointerasesallpreviouslogmessages.Considerconfiguringtheaccesspoint
tologmessagestoaSyslogserver(seeWeb:SettingLoggingParameterson
page5-18orCLI:SettingLoggingParametersonpage5-19).
5-17
Web:SettingLoggingParameters
TheSystem ServerswindowontheAdministrationtabenablessystemlogsand
Syslogserverdetailstobeconfiguredfortheaccesspoint.
SystemLogSetup:Enablestheloggingoferrormessages.
LoggingHost:EnablesthesendingoflogmessagestoaSyslogserver
host.
ServerName/IP:TheIPaddressornameofaSyslogserver.
LoggingConsole:Enablestheloggingoferrormessagestotheconsole.
LoggingLevel:Setstheminimumseveritylevelforeventlogging
ToEnableLogging:
1. SelecttheAdministrationtab.
2. Clickthe[System Servers]button.
3. ForSystem Log Setup,selectEnable.
4. ForLogging Level,selecttheminimumseverityleveltobelogged.
5. (Optional)IfyouwanttosendlogmessagestoaSyslogserver,perform
thesesteps:
a. SetLogging HosttoEnable.
b. IntheServer Name/IPfield,typetheIPaddressornameofaSyslog
server.
6. (Optional)Ifyouwanttosendlogmessagestotheconsole,setLogging
ConsoletoEnable.
5-18
Figure 5-5. Setting Logging Parameters
CLI:SettingLoggingParameters
[no] logging on page6-15
[no] logging host<host_name|host_ip_address> page6-15
[no] logging console page6-16
logging level <Alert|Critical|Error|Warning| page6-16
Notice|Informational|Debug>
logging facility-type<type> page6-17
show logging page6-18
5-19
Thefollowingexampleshowshowtoenablelogging,settheminimumseverity
levelofmessagestobelogged,andsendmessagestotheconsole.
HP420(config)#logging on
HP420(config)#logging level critical
HP420(config)#logging console
HP420(config)#
Thefollowingexampleshowshowtoconfiguretheaccesspointtosend
loggingmessagestoaSyslogserver.TheCLIalsoprovidesacommandto
specifythefacilitytypetag sent inSyslog messages. (SeeRFC3164.) Thistype
hasnoeffectonthekindofmessagesreportedbytheaccesspoint.However,
itmaybeusedbytheSyslogservertosortmessagesortostoremessagesin
thecorrespondingdatabase.
HP420(config)#logging host 10.1.0.3
HP420(config)#logging facility-type 19
HP420(config)#
TodisplaythecurrentloggingsettingsfromtheExeclevel,usetheshow
loggingcommand,asshowninthefollowingexample.
HP420#show logging
Logging Information
============================================
Syslog State : Enabled
Logging Host State : Enabled
Logging Console State : Enabled
Server Domain name/IP : 10.1.0.3
Logging Level : Error
Logging Facility Type : 19
=============================================
HP420#
5-20
ConfiguringSNTP
ConfiguringSNTP
SimpleNetworkTimeProtocol(SNTP)allowstheaccesspointtosetits
internalclockbasedonperiodicupdatesfromatimeserver(SNTPorNTP).
Maintaininganaccuratetimeontheaccesspointenablesthesystemlogto
recordmeaningfuldatesandtimesforevententries.Iftheclockisnotset,the
accesspointwillonlyrecordthetimefromthefactorydefaultsetatthelast
bootup.
TheaccesspointactsasanSNTPclientinunicastmode,periodicallysending
timesynchronizationrequeststospecifictimeservers.Youcanconfigureup
totwotimeserverIPaddresses.Theaccesspointwillattempttopolleach
serverintheconfiguredsequence.
SNTPisenabledbydefault.TheaccesspointalsoallowsyoutodisableSNTP
andsetthesystemclockmanuallyusingtheCLI.
SettingtheTimeZone. SNTPusesCoordinatedUniversalTime(orUTC,
formerlyGreenwichMeanTime,orGMT)basedonthetimeattheEarths
primemeridian,zerodegreeslongitude.Todisplayatimecorrespondingto
yourlocaltime,youmustindicatethenumberofhoursandminutesyourtime
zoneiseastorwestofUTC.
Web:SettingSNTPParameters
TheSystem ServerswindowontheAdministrationtabenablesSNTPserverand
timezonedetailstobeconfiguredfortheaccesspoint.
SNTPServer:Configurestheaccesspointtooperateasan SNTPunicast
client.Whenenabled,atleastonetimeserverIPaddressmustbespeci-
fied.
PrimaryServer:TheIPaddressofanSNTPorNTPtimeserverthat
theaccesspointattemptstopollforatimeupdate.
SecondaryServer:TheIPaddressof asecondarySNTPorNTPtime
server.Theaccesspointfirstattemptstoupdatethetimefromthe
primaryserver,ifthisfailsitattemptsanupdatefromthesecondary
server.
SetTimeZone:Selectsthetimezonethatspecifiesthenumberofhours
before(east)orafter(west)UTC.
5-21
ConfiguringSNTP
EnableDaylightSaving:Theaccesspointprovidesawaytoautomati-
callyadjustthesystemclockforDaylightSavingTime(DST)changes.To
usethisfeatureyoudefinethemonthanddatetobeginandtoendthe
changefromstandardtime.Duringthisperiodthesystemclockissetback
byonehour.
ToSetSNTPParameters:
2. Clickthe[System Servers]button.
3. ForSNTP Server,selectEnable.
4. Fortheprimarytimeserver,typetheIPaddressinthePrimary Serverfield.
5. Forthesecondarytimeserver,typetheIPaddressintheSecondary Server
field.
6. FromtheEnter Time Zone drop-downmenu,selectthetimeappropriatefor
yourregion.
7. (Optional)IfyourregionusesDaylightSavingTime,checktheEnable
Daylight Savingcheckboxandthenselectthedatestoimplementthis
feature.
5-22
ConfiguringSNTP
Figure 5-6. Setting SNTP Parameters
CLI:SettingSNTPParameters
[no] sntp-server enable
sntp-server ip <1|2> <ip>
sntp-server date-time
[no] sntp-server daylight-saving
sntp-server timezone<hours>
show sntp
page6-20
page6-19
page6-20
page6-21
page6-22
page6-23
5-23
ConfiguringSNTP
ThefollowingexampleshowshowtoenableSNTP,configureprimaryand
secondarytimeserverIPaddresses,setthetimezone,andenableDaylight
Saving.
HP420(config)#sntp-server enable
HP420(config)#sntp-server ip 1 10.1.0.19
HP420(config)#sntp-server ip 2 10.1.2.233
HP420(config)#sntp-server timezone -8
HP420(config)#sntp-server daylight-saving
Enter Daylight saving from which month<1-12>: 3
and which day<1-31>: 31
Enter Daylight saving end to which month<1-12>: 10
HP420(config)#
Thefollowingexampleshowshowconfiguretheaccesspointssystemclock
manually.NotethatyoumustfirstdisableSNTPtobeableusethesntp-server
date-timecommand.
HP420(config)#no sntp-server enable
HP420(config)#sntp-server date-time
Enter Year<1970-2100>: 2003
Enter Month<1-12>: 8
Enter Day<1-31>: 9
Enter Hour<0-23>: 15
Enter Min<0-59>: 25
HP420(config)#
TodisplaythecurrentSNTPandclocksettingsfromtheExeclevel,usethe
show sntpcommand,asshowninthefollowingexample.
HP420#show sntp
SNTP Information
===========================================================
Service State : Enabled
SNTP (server 1) IP : 10.1.0.19
SNTP (server 2) IP : 10.1.2.233
Current Time : 17 : 31, Aug 9th, 2003
Time Zone : -8 (PACIFIC)
Daylight Saving : Enabled, from Mar, 31th to Oct, 31th
===========================================================
HP420#
5-24
ConfiguringEthernetInterfaceParameters
ConfiguringEthernetInterface
Parameters
TheaccesspointsEthernetinterfacecanbeconfiguredtouseauto-negotia-
tiontosettheoperatingspeedandduplexmode.Whenauto-negotiationis
disabled,the operating speedandduplexmode mustbe manually setto match
thatoftheconnecteddevice.Auto-negotiationisenabledbydefault.
Not e Whenusingauto-negotiation,besurethattheattacheddevicesupports
IEEE802.3ustandardauto-negotiationandisnotsettoaforcedspeedand
duplexmode.
Web:SettingEthernetInterfaceParameters
ThePort/Radio SettingswindowontheConfigurationtabenablestheaccess
pointsEthernetinterfacesettingstobeconfigured.
Auto:TheEthernetinterfaceautomaticallysetstheoperatingspeedand
duplexmodetomatchthatoftheattacheddevice.
100Base-TXFullDuplex:TheEthernetinterfaceissettooperateat
100Mbpsfullduplex.
100Base-TXHalfDuplex:TheEthernetinterfaceissettooperateat
100Mbpshalfduplex.
10Base-TFullDuplex:TheEthernetinterfaceissettooperateat
10Mbpsfullduplex.
10Base-THalfDuplex:TheEthernetinterfaceissettooperateat
10Mbpshalfduplex.
ToConfigureEthernetInterfaceSettings:
1. SelecttheConfiguration tab.
2. Clickthe[Port/Radio Settings]button.
3. UnderPort Settings,selectthesettingtomatchthatoftheconnected
device;eitherAuto oroneoftheforcedspeedandduplexmodeoptions.
TodisplaythecurrentoperatingstatusfortheEthernetinterface,usetheAP
StatuswindowontheStatustab.SeeTheAPStatusWindowonpage4-17.
5-25
Figure 5-7. Setting Ethernet Interface Parameters
CLI:SettingEthernetInterfaceParameters
interface <ethernet | wireless g> page6-53
[no] shutdown page6-56
speed-duplex <auto | 10MH | 10MF | 100MF | 100MH> page6-57
show interface [ethernet] page6-57
5-26
ThefollowingexampleshowshowtodisabletheEthernetinterface,forcethe
settingto100Mbpsfullduplex,andthenre-enableit.
HP420(if-ethernet)#shutdown
HP420(if-ethernet)#speed-duplex 100mf
HP420(if-ethernet)#no shutdown
HP420(if-ethernet)#
TodisplaythecurrentEthernetinterfacestatusfromtheExeclevel,usethe
show interface ethernet command,asshowninthefollowingexample.
===========================================================
Subnet Mask : 255.255.255.0
Primary DNS : 0.0.0.0
Speed-duplex : 100Base-TX Full Duplex
Admin status : Up
===========================================================
HP420#
5-27
ConfiguringRADIUSClientAuthentication
ConfiguringRADIUSClient
Authentication
RemoteAuthenticationDial-inUserService(RADIUS)isanauthentication
protocolthatusessoftwarerunningonacentralservertocontrolaccessto
RADIUS-awaredevicesonthenetwork.Anauthenticationservercontainsa
databaseofusercredentialsforeachuserthatrequiresaccesstothenetwork.
AprimaryRADIUSserver mustbespecified fortheaccesspointto implement
IEEE802.1xnetworkaccesscontrolandWi-FiProtectedAccess(WPA)
wirelesssecurity.AsecondaryRADIUSservermayalsobespecifiedasa
backupshouldtheprimaryserverfailorbecomeinaccessible.
Not e Thisconfigurationguideassumesthatyouhavealreadyconfiguredthe
RADIUSserver(s)tosupporttheaccesspoint.TheconfigurationofRADIUS
serversoftwareisbeyondthescopeofthisguide,refertothedocumentation
providedwiththeRADIUSserversoftware.
Web:SettingRADIUSServerParameters
TheRadiuswindowontheConfigurationtabprovidestheprimaryand
secondaryRADIUSserversetupparameters.
ThewebinterfaceenablesyoutomodifytheseparameterstouseRADIUS
authenticationontheaccesspoint:
PrimaryRadiusServerSetup:Configurethefollowingsettingstouse
RADIUSauthenticationontheaccesspoint.
IPAddress:SpecifiestheIPaddressorhostnameoftheRADIUS
server.
Port:TheUserDatagramProtocol(UDP)portnumberusedbythe
RADIUSserverforauthenticationmessages.(Range:1024-65535;
Default:1812)
SecretKey:Asharedtextstringusedtoencryptmessagesbetween
theaccesspointandtheRADIUSserver.Besurethatthesametext
stringisspecifiedontheRADIUSserver.Donotuseblankspacesin
thestring.(Maximumlength:20characters)
Timeout:Numberofsecondstheaccesspointwaitsforareplyfrom
theRADIUSserverbeforeresendingarequest.Thedefaultis5
seconds.(Range:1-60seconds)
5-28
RetransmitAttempts:Thenumberoftimestheaccesspointtries
toresendarequesttotheRADIUSserverbeforeauthenticationfails.
(Range:1- 30)
SecondaryRadiusServerSetup:ConfigureasecondaryRADIUS
servertoprovideabackupincasetheprimaryserverfails.Theaccess
pointusesthesecondaryserveriftheprimaryserverfailsorbecomes
inaccessible.Oncetheaccesspointswitchesovertothesecondaryserver,
itperiodicallyattemptstoestablishcommunicationagainwithprimary
server.Ifcommunicationwiththeprimaryserverisre-established,the
secondaryserverrevertstoabackuprole.
ToSetRADIUSServerParameters:
2. Clickthe[Radius]button.
3. FortheprimaryRADIUSserver,typetheIPaddressintheIP Addressfield.
4. InthePortfield,specifytheUDPportnumberusedbytheRADIUSserver
forauthentication.Thedefaultandrecommendedportnumberis1812.
5. IntheSecret Keyfield,specifythesharedtextstringthatisalsousedby
theRADIUSserver.
6. (Optional)FortheTimeoutandRetransmit Attemptsfields,acceptthe
defaultvalues unlessyouexperienceproblemsconnectingto the RADIUS
serveroverthenetwork.
7. (Optional)IfyouhaveasecondaryRADIUSserverinthenetwork,specify
itsIPaddressandotherparametersintheappropriatefields.Otherwise,
leavetheIPaddresssettingasallzeros(0.0.0.0).
5-29
Figure 5-8. The Radius Setup Window
CLI:SettingRADIUSServerParameters
radius-server address [secondary]<host_ip_address|host_name> page6-35
radius-server [secondary] port<port_number> page6-35
radius-server [secondary]key<key_string> page6-36
radius-server [secondary]retransmit<number_of_retries> page6-36
radius-server [secondary] timeout<number_of_seconds> page6-37
show radius page6-38
5-30
ThefollowingexampleshowshowtoconfiguretheprimaryRADIUSserver
parameters,includingtheIPaddress,UDPportnumber,secretkey,timeout,
andretransmitattempts.
HP420(config)#radius-server address 10.1.2.25
HP420(config)#radius-server port 1812
HP420(config)#radius-server key green
HP420(config)#radius-server timeout 10
HP420(config)#radius-server retransmit 5
HP420(config)#
ThefollowingexampleshowshowtoconfigurethesecondaryRADIUSserver
IPaddressandsecretkey.
HP420(config)#radius-server address secondary 10.1.1.103
HP420(config)#radius-server secondary key blue
HP420(config)#
TodisplaythecurrentRADIUSserversettingsfromtheExeclevel,usethe
show radiuscommand,asshowninthefollowingexample.
HP420#show radius
Radius Server Information
========================================
IP : 10.1.2.25
Port : 1812
Key : *****
Retransmit : 5
Timeout : 10
========================================
Radius Secondary Server Information
========================================
IP : 10.1.1.103
Port : 1812
Key : ****
Retransmit : 3
Timeout : 5
========================================
HP420#
5-31
SettingupFilterControl
TheaccesspointcanemployVLANIDandnetworktrafficframefilteringto
controlaccesstonetworkresourcesandincreasesecurity.
AccessandFrameFiltering. Youcanpreventcommunicationsbetween
wirelessclientsassociatedtotheaccesspoint,onlyallowingtrafficbetween
clientsandthewirednetwork.Youcanalsopreventanywirelessclientfrom
performinganyaccesspointconfigurationthroughanyofitsmanagement
interfaces,includingweb,Telnet,orSNMPaccess.Framefilteringcanalso be
enabledtocontrolspecificEthernetprotocoltrafficthatisforwardedtoor
fromwirelessclients.
VLANIDFiltering. TheaccesspointcanenablethesupportofVLAN-
taggedtrafficpassingbetweenwirelessclientsandthewirednetwork.Upto
64VLANIDscanbemappedtospecificwirelessclients,allowingusersto
remainwithinthesame VLANasthey movearoundacampussite. This feature
canalsobe usedto controlaccessto networkresources fromwirelessclients,
therebyimprovingsecurity.
AVLANID(anumberbetween1and 4095)can beassignedtoeach clientafter
successfulauthenticationusingIEEE802.1xandacentralRADIUSserver.
TheuserVLANIDsmustbeconfiguredontheRADIUSserverforeachuser
authorizedtoaccessthenetwork.IfauserdoesnothaveaconfiguredVLAN
ID,theaccesspointassignstheusertoitsownconfigurednativeVLANID.
WhensettingupVLANIDsforeachuserontheRADIUSserver,besuretouse
theRADIUSattributesandvaluesasindicatedinthefollowingtable.
Number RADIUS Attribute Value
64 Tunnel-Type VLAN(13)
65 Tunnel-Medium-Type 802
81 Tunnel-Private-Group-ID VLANID(1to4095ashexadecimal)
Not e ThespecificconfigurationofRADIUSserversoftwareisbeyondthescopeof
thisguide.RefertothedocumentationprovidedwiththeRADIUSserver
software.
5-32
WhenVLANfilteringisenabled,theaccesspointmustalsohave802.1x
authenticationenabled(seepage5-57)andaRADIUSserverconfigured(see
page5-28).Wirelessclientsmustalsosupport802.1xclientsoftwaretobe
assignedtoaspecificVLAN.
WithVLANsenabled,theaccesspointsEthernetinterfacedropsallreceived
trafficthatdoesnotincludeaVLANtag.Tomaintainnetworkconnectivityto
theaccesspointandwirelessclients,besurethattheaccesspointis
connectedtoadeviceportthatsupportsIEEE802.1QVLANtags.
WhenVLANfilteringisdisabled,theaccesspointignorestheVLANtagson
anyreceivedframes.
Web:EnablingVLANSupportandSettingFilters
TheFilter ControlwindowontheConfiguration tabtoconfigureframefiltering
ontheaccesspointswirelessandEthernetinterfaces.
NativeVLANID:TheVLANIDassignedtowirelessclientusersthatare
notassignedtoaspecificVLANbyRADIUSserverconfiguration.The
NativeVLANIDislimitedtoanumberbetween1and64.
VLAN:EnablesordisablesVLANtaggingsupportontheaccesspoint.
LocalBridgeFilter:Controlswireless-to-wirelesscommunications
betweenclientsthroughtheaccesspoint.However,itdoesnotaffect
communicationsbetweenwirelessclientsandthewirednetwork.
Disable:Allowswireless-to-wirelesscommunicationsbetween
clientsthroughtheaccesspoint.
Enable:Blockswireless-to-wirelesscommunicationsbetween
clientsthroughtheaccesspoint.
APManagementFilter:Controlsmanagementaccesstotheaccess
pointfromwirelessclients.Managementinterfacesincludetheweb,
Telnet,orSNMP.
Disable:Allowsmanagementaccessfromwirelessclients.
Enable:Blocksmanagementaccessfromwirelessclients.
EthernetTypeFilter:ControlschecksontheEthernettypeofall
incomingandoutgoingEthernetpacketsagainsttheprotocolfiltering
table.
Disable:AccesspointdoesnotfilterEthernetprotocoltypes.
Enable:AccesspointfiltersEthernetprotocoltypesbasedonthe
configurationofprotocoltypesinthefiltertable.Ifaprotocolhasits
statussettoON,theprotocolisnotpassedbytheaccesspoint.
5-33
ToEnableVLANSupport:
1. SelecttheSecuritytab.
2. Clickthe[Shared Key Setup]button.
3. SettheAuthenticationTypeSetuptoOpen System.
5. Clickthe[Authentication]button.
6. Under802.1xSetup,selectRequired.
10. ConfigureparametersfortheprimaryRADIUSserverand,optionally,a
secondaryRADIUS server.SeeWeb:Setting RADIUSServerParameters
onpage5-28formoredetails.
12. Clickthe[Filter Control]button.
13. Typeanumberbetween1and64intheNative VLAN IDtextfield.
14. SetVLANtoenable.
ToSetLocalandManagementFilters:
2. Clickthe[Filter Control]button.
3. Topreventwireless-to-wirelessclientcommunication,setLocal Bridge
Filtertoenable.
4. Topreventaccesspointmanagementfromwirelessclients,setAP
Management Filtertoenable.
5. ToimplementspecificEthernetprotocolfilters,setEthernet Type Filterto
enable.
a. Fromthelistofprotocoltypes,selectON forthoseprotocolsthatyou
wanttofilterfromtheaccesspoint.
7. Reboottheaccesspointbyusingthe[Reboot]buttonfromtheSoftware
UpgradescreenontheAdministrationtab.
5-34
Figure 5-9. The Filter Control Window
CLI:EnablingVLANSupportandSettingFilters
[no] vlan enable
native-vlanid <vlan_id>
[no] filter local-bridge
[no] filter ap-manage
[no] filter ethernet-type enable
[no] filter ethernet-type protocol <protocol>
show filters
page6-79
page6-79
page6-47
page6-48
page6-48
page6-49
page6-50
5-35
-----------------------------------------------------------
Thefollowingexampleshowshowto set thenative VLANIDand enableVLAN
support.NotethattoenableordisableVLANsupport,youmustrebootthe
accesspoint.
HP420(config)#native-vlanid 5
HP420(config)#vlan enable
Reboot system now? <y/n>:
Thefollowingexampleshowshowtoenablefilteringformanagementaccess
andwireless-to-wirelesscommunications.
HP420(config)#filter loca-bridge
HP420(config)#filter ap-manage
HP420(config)#
Thefollowingexampleshowshowto enable protocol filtering,preventing the
accesspointfromforwardingNovellIPXframes.
HP420(config)#filter ethernet-type protocol novell-ipx(old)
HP420(config)#filter ethernet-type protocol novell-ipx(new)
HP420(config)#filter ethernet-type enable
HP420(config)#
Thefollowingexampleshowshowtodisplaythecurrentfilterstatusforthe
accesspoint.
HP420#show filters
Protocol Filter Information
===========================================================
Local Bridge :ENABLED
AP Management :ENABLED
Ethernet Type Filter :ENABLED
Enabled Protocol Filters
Protocol: Novell_IPX(new) ISO: 0x8138
Protocol: Novell_IPX(old) ISO: 0x8137
===========================================================
HP420#
5-36
ModifyingRadioSettings
Theaccesspointcanoperateinthreestandardmodes,IEEE802.11bonly,
802.11gonly,oramixed802.11b/802.11gmode.
Not e BoththeIEEE802.11gand802.11bstandardsoperatewithinthe2.4GHzband.
InawirelessLANenvironmenttherecanoftenbeinterferencefromother
2.4GHzdevices,suchascordlessphones.Ifyouexperiencepoorwireless
LANperformance,trytolimitanypossiblesourcesofradiointerference
withintheservicearea.
TheIEEE802.11gstandardisanextensionoftheIEEE802.11bstandardand
enablesclientstationswith802.11bwirelessnetworkcardstoassociatetoan
802.11gaccesspoint.However,the802.11bstandardusesComplementary
CodeKeying(CCK)modulationtechnologytoachieveacommunicationrate
ofupto11Mbps,whereas802.11gusesOrthogonalFrequencyDivision
Multiplexing(OFDM)toreachratesofupto54Mbps.(Notethatthe802.11g
standardisbackward-compatiblewith802.11bandthereforeincludesthe
ability touse OFDMorCCKmodulation.) Tosupportboth802.11g and802.11b
clients,theaccesspointhastofirstcommunicatewithallclientsusingCCK
andonlyswitchtoOFDMfordatatransfersbetween802.11g-compatible
clients.Thismechanismhastheeffectofreducingthemaximumthroughput
for802.11gclientsinthenetwork.
Workinginitsmixedb/gmode,theaccesspointwillexperiencereduced
datathroughput,evenifthereareno802.11bclientsactiveinthenetwork.To
achieveahigherthroughput,youcansettheaccesspointtooperatein802.11g-
onlymode,whichignoresall802.11bclientsintheservicearea.
Not e BoththeIEEE802.11gand802.11bstandardsoperatewithinthe2.4GHzband.
Ifyouareoperatingin802.11g-onlymode,any802.11bdevicesin theservice
areawillcontributetotheradiofrequencynoiseandaffectnetworkperfor-
mance.
Web:ModifyingtheRadioWorkingModeandSettings
ThePort/Radio SettingswindowontheConfigurationtabprovidesthebasic
settingsfortheaccesspointsradiooperation.
Theaccesspointsradiochannelsettingsarelimitedbylocalregulations,
whichdeterminethenumberofchannelsthatareavailable.
5-37
Not e Ifyouareusingtheworldwideproduct,J8131A,beforeyoucanconfigurethe
radiosettingstheCountrySettingmustbesetusingtheCLI.SeeUsingthe
CLItoSettheCountryCodeonpage5-41.
WorkingMode:Selectsastandardoperatingmodefortheaccesspoint.
b&gmixedmode:Both802.11band802.11gclientscancommuni-
catewiththeaccesspoint.Thisisthedefaultconfiguration.
gonlymode:Only802.11gclientscancommunicatewiththeaccess
point.
bonlymode:Both802.11band802.11gclientscancommunicatewith
theaccesspoint,but802.11gclientscanonlytransferdataat802.11b
standardrates(upto11Mbps).
Radio:Enablesradiocommunicationsontheaccesspoint.
RadioChannel:Theradiochannelthattheaccesspointusestocommu-
nicatewithwirelessclients.Whenmultipleaccesspointsaredeployedin
thesamearea,besuretochooseachannelseparatedbyatleastfive
channelstoavoidhavingthechannelsinterferewitheachother.Youcan
deployuptothreeaccesspointsinthesamearea(forexample,channels
1,6,11).
AutoChannelSelect:Enablestheaccesspointtoautomaticallyselect
anunoccupiedradiochannel.
TransmitPower:Adjuststhepowerof theradiosignalstransmittedfrom
theaccesspoint.Thehigherthetransmissionpower,thefartherthe
transmissionrange.
MaximumStationDataRate:Themaximumdatarateatwhichaclient
canconnecttotheaccesspoint.Themaximumtransmissiondistanceis
affectedbythedatarate.Thelowerthedatarate,thelongerthetransmis-
siondistance.
BeaconInterval:Therateatwhichbeaconsignalsaretransmittedfrom
theaccesspoint.Thebeaconsignalsallowwirelessclientstomaintain
contactwiththeaccesspoint.Theymayalsocarrypower-management
information.
DataBeaconRate:Therateatwhichstationsinsleepmodemustwake
uptoreceivebroadcast/multicasttransmissions.
KnownalsoastheDeliveryTrafficIndicationMap(DTIM)interval,it
indicateshowoftentheMAClayerforwardsbroadcast/multicasttraffic,
whichisnecessarytowakeupstationsthatareusingPowerSavemode.
Thedefaultvalueof2indicatesthattheaccesspointwillsaveallbroad-
cast/multicastframesfortheBasicServiceSet(BSS)andforwardthem
5-38
aftereverysecondbeacon.UsingsmallerDTIMintervalsdeliversbroad-
cast/multicastframesinamoretimelymanner,causingstationsinPower
Savemodetowakeupmoreoftenanddrainpowerfaster.Usinghigher
DTIMvaluesreducesthepowerusedbystationsinPowerSavemode,but
delaysthetransmissionofbroadcast/multicastframes.
RTSThreshold:SetsthepacketsizethresholdatwhichaRequesttoSend
(RTS)signal mustbesenttoareceivingstationpriortothesendingstation
startingcommunications.TheaccesspointsendsRTSframestoa
receivingstationtonegotiatethesendingofadataframe.Afterreceiving
anRTSframe,thestationsendsaCTS(cleartosend)frametonotifythe
sendingstationthatitcanstartsendingdata.
IftheRTSthresholdissetto0,theaccesspointneversendsRTSsignals.
Ifsetto2347,theaccesspoint alwayssendsRTSsignals.Ifsettoanyother
value,andthepacketsizeequalsorexceedstheRTSthreshold,theRTS/
CTS(RequesttoSend/CleartoSend)mechanismwillbeenabled.
ToChangetheWorkingMode:
3. Selecttheworkingmodeyouwanttouse,b & g mixed mode,g only mode,
orb only mode.
4. Clickthe[Radio Mode Change]button.
ToModifyRadioSettings:
3. Toenabletheradio,checktheEnablecheckboxnexttoRadio.
4. SelectEnableforAuto Channel Select,orselectaspecificnumberforthe
Radio Channel.Ifyouaredeployingaccesspointsinthesamearea,besure
toselectchannelnumbersthatareatleastfiveapart(forexample,
channels1,6,11).
5. Modifyotherradioparameters,ifappropriate.
5-39
Figure 5-10. Port/Radio Settings Window
CLI:ModifyingtheRadioWorkingModeandSettings
country<country_code>
interface<ethernet|wireless g>
radio-mode <b | g | b+g>
speed<speed>
channel<channel|auto>
beacon-interval<interval>
page6-9
page6-53
page6-58
page6-60
page6-61
page6-62
5-40
dtim-period<interval>
fragmentation-length<length>
rts-threshold <threshold>
transmit-power<signal-strength>
max-association<count>
[no] shutdown
show interface wireless g
page6-63
page6-64
page6-65
page6-70
page6-70
page6-75
page6-75
UsingtheCLItoSettheCountryCode. Thecorrectcode mustbesetfor
thecountryinwhichyouoperatetheaccesspointsothatitusesthecorrect
authorizedradiochannelsforwirelessnetworkdevices.
Not e TheJ8130Acomeswiththecountrypre-configured;theJ8131Adoesnot.The
radioisdisablediftheCountryCodeisnotset.OncetheCountryCodeisset,
theradioisenabled.
ThefollowingexampleshowshowtosettheCountryCodefortheaccess
pointtoUnitedKingdom(GB).Youcandisplaytheavailablecountrycodes
byusingthecountry ?command.AfulllistoftheaccesspointsCountryCodes
isprovidedinTable6-1onpage6-10.
5-41
HP420#country ?
WORD Country code: AL-ALBANIA, DZ-ALGERIA, AR-ARGENTINA, AM-ARMENIA,
AU-AUSTRALIA, AT-AUSTRIA, AZ-AZERBAIJAN, BH-BAHRAIN, BY-BELARUS,
BE-BELGIUM, BZ-BELIZE, BO-BOLVIA, BR-BRAZIL, BN-BRUNEI_DARUSSALAM,
BG-BULGARIA, CA-CANADA, CL-CHILE, CN-CHINA, CO-COLOMBIA, CR-COSTA_RICA,
HR-CROATIA, CY-CYPRUS, CZ-CZECH_REPUBLIC, DK-DENMARK,
DO-DOMINICAN_REPUBLIC, EC-ECUADOR, EG-EGYPT, EE-ESTONIA, FI-FINLAND,
FR-FRANCE, GE-GEORGIA, DE-GERMANY, GR-GREECE, GT-GUATEMALA,
HK-HONG_KONG, HU-HUNGARY, IS-ICELAND, IN-INDIA, ID-INDONESIA, IR-IRAN,
IE-IRELAND, IL-ISRAEL, IT-ITALY, JP-JAPAN, JO-JORDAN, KZ-KAZAKHSTAN,
KP-NORTH KOREA, KR-KOREA_REPUBLIC, KW-KUWAIT, LV-LATVIA, LB-LEBANON,
LI-LIECHTENSTEIN, LT-LITHUANIA, LU-LUXEMBOURG, MO-MACAU, MK-MACEDONIA,
MY-MALAYSIA, MX-MEXICO, MC-MONACO, MA-MOROCCO, NA-NORTH_AMERICA,
NL-NETHERLANDS, NZ-NEW_ZEALAND, NO-NORWAY, OM-OMAN, PK-PAKISTAN,
PA-PANAMA, PE-PERU, PH-PHILIPPINES, PL-POLAND, PT-PORTUGAL,
PR-PUERTO_RICO, QA-QATAR, RO-ROMANIA, RU-RUSSIA, SA-SAUDI_ARABIA,
SG-SINGAPORE, SK-SLOVAK_REPUBLIC, SI-SLOVENIA, ZA-SOUTH_AFRICA,
ES-SPAIN, SE-SWEDEN, CH-SWITZERLAND, SY-SYRIA, TW-TAIWAN, TH-THAILAND,
TR-TURKEY, UA-UKRAINE, AE-UNITED_ARAB_EMIRATES, GB-UNITED_KINGDOM,
US-UNITED_STATES, UY-URUGUAY, VE-VENEZUELA, VN-VIETNAM
HP420#country gb
HP420#
OncetheCountryCodehasbeenset,theCLIcommandisnolongeravailable.
IfyouneedtochangetheCountryCode,youmustreloadtheaccesspoint
defaultconfigurationby usingthereset configurationcommand,orby pressing
theaccesspointsResetbuttonformorethanfiveseconds.
UsingtheCLItoSettheWorkingMode. Thefollowingexampleshows
howtosettheworkingmodefortheaccesspointto802.11g-onlymode.
HP420(if-wireless g)#radio-mode g
Not e YoumustsettheCountryCodeandradiomodebefore configuringotherradio
settings.Thesebasicsettingsaffecttheradiochannelsandvaluesthatare
availableforotherparameters.
5-42
UsingtheCLItoConfigureRadioSettings. Thefollowingexample
showshowtoenableanddisabletheradio,aswellasconfigureotherradio
parameters.
HP420(if-wireless g)#shutdown
HP420(if-wireless g)#speed 24
HP420(if-wireless g)#channel 9
HP420(if-wireless g)#beacon-interval 60
HP420(if-wireless g)#dtim-period 8
HP420(if-wireless g)#fragmentation-length 1024
HP420(if-wireless g)#rts-threshold 2000
HP420(if-wireless g)#transmit-power half
HP420(if-wireless g)#max-association 64
HP420(if-wireless g)#no shutdown
5-43
TodisplaythecurrentradiosettingsfromtheExeclevel, usetheshow interface
wireless gcommand,asshowninthefollowingexample.
HP420#show interface wireless g
===========================================================
----------------Identification-----------------------------
SSID : Enterprise Wireless AP
Channel : 9
Status : Enabled
----------------802.11 Parameters--------------------------
Transmit Power : HALF (18 dBm)
----------------Security-----------------------------------
Authentication Type : OPEN
Encryption : DISABLED
WEP Key Data Type : Hexadecimal
Static Keys :
Key 1: EMPTY Key 2: EMPTY Key 3: EMPTY Key 4: EMPTY
===========================================================
HP420#
5-44
ConfiguringWirelessSecurity
Theaccesspointisconfiguredbydefaultasanopensystem,whichbroad-
castsabeaconsignalincludingtheconfiguredSSID.Wirelessclientscanread
theSSIDfromthebeacon,andautomaticallyresettheirSSIDtoallowimme-
diateconnectiontothenearestaccesspoint.
Toimprovewirelessnetworksecurity,youhavetoimplementtwomain
functions:
Authentication:Itmustbeverifiedthatclientsattemptingtoconnectto
thenetworkareauthorizedusers.
Traffic Encryption:Datapassingbetweentheaccesspointandclients
mustbeprotectedfrominterceptionandevesdropping.
Foramoresecurenetwork,theaccesspointcanimplementoneoracombi-
nationofthefollowingsecuritymechanisms:
WiredEquivalentPrivacy(WEP)
IEEE802.1x
WirelessMACaddressfiltering
Wi-FiProtectedAccess(WPA)
Thesecuritymechanismsthatmaybeemployeddependonthelevelof
securityrequired,thenetworkandmanagementresourcesavailable,andthe
softwaresupportprovidedonwirelessclients.
WiredEquivalentPrivacy(WEP). WEPprovidesabasiclevelofsecurity,
preventingunauthorizedaccesstothenetworkandencryptingdatatrans-
mittedbetweenwirelessclientsandtheaccesspoint.WEPusesstaticshared
keys(fixed-lengthhexadecimaloralphanumericstrings)thataremanually
distributedtoallclientsthatwanttousethenetwork.
WEPisthesecurityprotocolinitiallyspecifiedintheIEEE802.11standard
forwirelesscommunications.Unfortunately,WEPhasbeenfoundtobe
seriouslyflawedandcannotberecommendedforahighlevelofnetwork
security.Formorerobustwirelesssecurity,theaccesspointprovidesWi-Fi
ProtectedAccess(WPA)forimproveddataencryptionanduserauthentica-
tion.
IEEE802.1xNetworkAccessControl. IEEE802.1xisastandardframe-
workfornetworkaccesscontrolthatusesacentralRADIUSserverforuser
authentication.Thiscontrolfeaturepreventsunauthorizedaccesstothe
5-45
networkbyrequiringan802.1xclientapplicationtosubmitusercredentials
forauthentication.The802.1xstandardusestheExtensibleAuthentication
Protocol (EAP)topassuser credentials(eitherdigitalcertificates,usernames
andpasswords,orother)fromtheclienttotheRADIUSserver.Clientauthen-
ticationisthenverifiedontheRADIUSserverbeforetheaccesspointgrants
clientaccesstothenetwork.
The802.1xEAPpacketsarealsousedtopassdynamicunicastsessionkeys
andstaticbroadcastkeystowirelessclients.Sessionkeysareuniquetoeach
clientandareusedtoencryptandcorrelatetrafficpassingbetweenaspecific
clientandtheaccesspoint.Youcanalsoenablebroadcastkeyrotation,sothe
accesspointprovidesadynamicbroadcastkeyandchangesitataspecified
interval.
MACAddressFiltering. UsingMACaddressfiltering,youcanconfigure
theaccesspointwithalistoftheMACaddressesofwirelessclientsthatare
authorizedtoaccessthenetwork.Thisprovidesabasiclevelofauthentication
forwirelessclientsattemptingtogainaccesstothenetwork.Adatabaseof
authorizedMACaddressescanbestoredlocallyontheaccesspointor
remotelyonacentralRADIUSserver.
Wi-FiProtectedAccess(WPA). WPAemploysacombinationofseveral
technologiestoprovideanenhancedsecuritysolutionfor802.11wireless
networks.TheaccesspointsupportsthefollowingWPAcomponentsand
features:
IEEE802.1x(802.1x) andthe ExtensibleAuthenticationProtocol
(EAP):WPAemploys802.1xasitsbasicframeworkforuserauthentica-
tionanddynamickeymanagement.The802.1xclientandRADIUSserver
shoulduseanappropriateEAPtypesuchasEAP-TLS(TransportLayer
Security),EAP-TTLS(TunneledTLS),orPEAP(ProtectedEAP)for
strongestauthentication.Workingtogether,theseprotocolsprovide
mutualauthenticationbetweenaclient,theaccesspoint,andaRADIUS
server thatpreventsusersfromaccidentallyjoining a roguenetwork.Only
whenaRADIUSserverhasauthenticatedauserscredentialswillencryp-
tionkeysbesenttotheaccesspointandclient.
Not e ImplementingWPAonwirelessclientsrequiresaWPA-enablednetworkcard
driverand802.1xclientsoftwarethatsupportstheEAPauthenticationtype
thatyouwanttouse.WindowsXPprovidesnativeWPAsupport,othersystems
requireadditionalsoftware.
TemporalKeyIntegrityProtocol(TKIP):WPAspecifiesTKIPasthe
dataencryptionmethodtoreplaceWEP.TKIPavoidstheproblemsof
WEPstatickeysbydynamicallychangingdataencryptionkeys.Basically,
5-46
TKIPstartswithamaster(temporal)keyforeachusersessionandthen
mathematicallygeneratesotherkeystoencrypteachdatapacket.TKIP
providesfurtherdataencryptionenhancementsbyincludingamessage
integritycheckforeachpacketandare-keyingmechanism,whichperi-
odicallychangesthemasterkey.
WPAPre-SharedKey(PSK)Mode:Forenterprisedeployment,WPA
requiresaRADIUSauthenticationservertobeconfiguredonthewired
network.However,forsmallofficenetworksthatmaynothavethe
resourcestoconfigureandmaintainaRADIUSserver,WPAprovidesa
simpleoperatingmodethatusesjustapre-sharedpasswordfornetwork
access.ThePre-SharedKeymodeusesacommonpasswordforuser
authenticationthatismanuallyenteredontheaccesspointandallwire-
less clients. ThePSKmodeuses thesameTKIPpacketencryptionandkey
managementasWPAintheenterprise,soit providesarobustandmanage-
ablealternativeforsmallnetworks.
MixedWPAandWEPClientSupport:WPAenablestheaccesspoint
toindicateitssupportedencryptionandauthenticationmechanismsto
clientsusingitsbeaconsignal.WPA-compatibleclientscanlikewise
respondtoindicatetheirWPAsupport.Thisenablestheaccesspointto
determinewhichclientsareusingWPAsecurityandwhichareusing
legacyWEP.TheaccesspointusesTKIPunicastdataencryptionkeysfor
WPAclientsandWEPunicast keysforWEPclients.Theglobalencryption
keyformulticastandbroadcasttrafficmustbethesameforallclients,
thereforeitrestrictsencryptiontoaWEPkey.
AdvancedEncryptionStandard(AES)Support:WPAspecifiesAES
encryptionas anoptionalalternativetoTKIPandWEP.AES providesvery
strongencryptionusingacompletelydifferentcipheringalgorithmto
TKIPandWEP.ThedevelopingIEEE802.11iwirelesssecuritystandard
hasspecifiedAESasaneventualreplacementforTKIPandWEP.
However,becauseofthedifferenceincipheringalgorithms,AESrequires
newhardwaresupport inclientnetworkcardsthat iscurrentlynotwidely
available.TheaccesspointincludesAESsupportasafuturesecurity
enhancement.
5-47
Table 5-1. Summary of Wireless Security
Security Mechanism Client Support Implementation Considerations
WEP Built-insupportonall802.11band
802.11gdevices
WEPwith802.1x Requires802.1xclientsupportin
systemorbyadd-insoftware
(nativesupportprovidedin
WindowsXP)
MACAddressFiltering UsestheMACaddressofclient
networkcard
WPAEnterpriseMode RequiresWPA-enabledsystemand
networkcarddriver
WindowsXP)
WPAPSKMode RequiresWPA-enabledsystemand
networkcarddriver
WindowsXP)
Providesonlyweaksecurity
Requiresmanualkeymanagement
ProvidesdynamickeyrotationforimprovedWEP
security
RequiresconfiguredRADIUSserver
802.1xEAPtypemayrequiremanagementofdigital
certificatesforclientsandserver
Providesonlyweakuserauthentication
ManagementofauthorizedMACaddresses
Canbecombinedwithothermethodsforimproved
security
OptionalconfiguredRADIUSserver
ProvidesrobustsecurityinWPA-onlymode
OfferssupportforlegacyWEPclients,butwith
increasedsecurityrisk
RequiresconfiguredRADIUSserver
802.1xEAPtypemayrequiremanagementofdigital
certificatesforclientsandserver
Providesgoodsecurityinsmallnetworks
Requiresmanualmanagementofpre-sharedkey
Web:ConfiguringWPASettings
TheWPA SettingswindowontheSecuritytabenablestheaccesspointtobe
configuredtouseWPAsecurity.
WPAConfiguration Mode:Theaccesspointcanbeconfiguredtoallow
onlyWPA-enabledclientstoaccessthenetwork,or alsoallowclientsonly
capableofsupportingWEP.
WPAKey Management:WPAcanbeconfiguredtowork in anenterprise
environmentusingIEEE802.1xandaRADIUSserverforuserauthenti-
cation.Forsmallernetworks,WPAcanbeenabledusingacommonpre-
sharedkeyforclientauthenticationwiththeaccesspoint.
WPAauthenticationover802.1x:TheWPAenterprisemodethat
usesIEEE802.1xtoauthenticateusersandtodynamicallydistribute
encryptionkeystoclients.
5-48
WPAPre-sharedKey:TheWPAmodeforsmallnetworksthatuses
acommonpasswordstringthatismanuallydistributed.Ifthismode
isselected,besuretoalsospecifythekeystring.
MulticastCipherMode:Selectsanencryptionmethodfortheglobal
keyusedformulticastandbroadcasttraffic,whichissupportedbyall
wirelessclients.
WEP:WEPisthefirstgenerationsecurityprotocolusedtoencrypt
datacrossingthewirelessmediumusingafairlyshortkey.Commu-
nicatingdevicesmustusethesameWEPkeytoencryptanddecrypt
radiosignals.WEPhasmanysecurityflaws,andisnotrecommended
fortransmittinghighly-sensitivedata.
TKIP:TKIPprovidesdataencryptionenhancementsincludingper-
packetkeyhashing(thatis,changingtheencryptionkeyoneach
packet),amessageintegritycheck,anextendedinitializationvector
withsequencingrules,andare-keyingmechanism.
AES:AEShasbeendesignatedbytheNationalInstituteofStandards
andTechnologyasthesuccessortotheDataEncryptionStandard
(DES)encryptionalgorithm,andwillbeusedbytheU.S.government
forencryptingallsensitive,nonclassifiedinformation.Becauseofits
strength,andresistancetoattack,AESisalsobeingincorporatedas
partofthe802.11standard.
WPAPre-SharedKeyType:IftheWPApre-shared-keymodeisused,all
wirelessclientsmustbeconfiguredwiththesamekeytocommunicate
withtheaccesspoint.
Hexadecimal:Enterakeyasastringof64hexadecimalnumbers.
Alphanumeric:Enterakeyasaneasy-to-rememberformofletters
andnumbers.Thestringmustbefrom8to63characters,whichcan
includespaces.
ToConfigureWPAinEnterpriseMode:
5-49
11. IfthereareclientsintheserviceareathatarenotWPA-enabled,entertime
periodsforrefreshingthesessionandbroadcastencryptionkeys,andfor
re-authenticatingtheclient.
13. Clickthe[WPA Settings]button.
14. UnderWPA Configuration Mode,checkRequiredifyouwantonlyWPA-
enabledclientstoconnecttothenetwork.Ifyouwantsomeclientsto
connectthatarenotWPA-enabled,leavethischeckboxclear.
15. UnderMulticast Cipher Mode,selectWEPifyouaresupportinganyclients
thatarenotWPA-enabled,otherwiseselectTKIP.OnlyselectAESifyou
aresurethatallclientssupportAESencryption.
ToConfigureWPAinPre-sharedKeyMode:
6. Under802.1xSetup,selectDisable.
8. Clickthe[WPA Settings]button.
9. UnderWPA Configuration Mode,checkRequired.
10. UnderWPA Pre-Shared Key Type,selectHexadecimalorAlphanumeric.
11. FortheWPA Pre-Shared Key, enterexactly64hexadecimaldigitsor
between8and63alphanumericcharacters.(Besurethatallwireless
clientsusethesamepre-sharedkey.)
5-50
Figure 5-11. WPA Settings Window
CLI:ConfiguringWPASettings
authentication<open|shared>
[no] 802.1x<supported|required>
wpa-clients<required|supported>
wpa-mode<dynamic|pre-shared-key>
multicast-cipher<AES|TKIP|WEP>
page6-53
page6-66
page6-40
page6-72
page6-73
page6-71
5-51
wpa-preshared-key <type><value> page6-74
show interface wireless g page6-75
show station page6-77
UsingtheCLItoConfigureWPA. Toconfiguretheaccesspointtosup-
portonlyWPA-enabledclients,be sure tosettheaccesspoint toopensystem
andset802.1xauthenticationtorequired.
Thefollowingexampleshowshowtoconfigureaccesspointsecurityfor WPA.
ThisexampleassumesthataRADIUSserverisconfiguredandavailableon
thewirednetwork,italsoassumesthattheRADIUSserverparametersare
configuredontheaccesspoint.
HP420(config)#802.1x required
HP420(if-wireless g)#authentication open
HP420(if-wireless g)#wpa-clients required
HP420(if-wireless g)#wpa-mode dynamic
HP420(if-wireless g)#multicast-cipher tkip
UsingtheCLItoConfigureWPA-PSKMode. Toconfiguretheaccess
pointtooperateinWPA-PSKmode,besuretosettheaccesspointtoopen
systemandset802.1xauthenticationtodisable.
ThefollowingexampleshowshowtoconfigureaccesspointsecurityforWPA-
PSKmode.SupportedclientsmustbeWPA-enabledandconfiguredwiththe
samepre-sharedkey.
HP420(config)#no 802.1x
HP420(if-wireless g)#wpa-clients required
HP420(if-wireless g)#wpa-mode pre-shared-key
HP420(if-wireless g)#wpa-pre-shared-key ASCII agoodsecret
5-52
Web:ConfiguringMACAddressAuthentication
TheaccesspointcanbeconfiguredtoauthenticateclientMACaddresses
againstadatabasestoredlocallyontheaccesspointorremotelyonaRADIUS
server.ClientMACaddressesinthelocal databasecanbespecifiedasallowed
ordeniedaccessthenetwork.Thisenablestheaccesspointtocontrolwhich
devicescanassociatewiththeaccesspoint.
Not e IfaRADIUSauthenticationserverisusedforMACauthentication,theserver
mustfirstbeconfiguredintheRADIUSwindow.
ClientstationMACauthenticationoccurspriortoanyIEEE802.1xauthenti-
cationconfiguredfortheaccesspoint.However,aclientsMACaddress
providesrelativelyweakuserauthentication,sinceMACaddressescanbe
easilycapturedandusedbyanotherstationtobreakintothenetwork.Using
802.1xprovidesmorerobustuserauthenticationusingusernamesandpass-
wordsordigitalcertificates.So,althoughyoucanconfiguretheaccesspoint
touseMACaddressand802.1xauthenticationtogether,itisbettertochoose
oneortheother,asappropriate.Considerthefollowingguidelines:
UseMACaddressauthenticationforasmallnetworkwithalimited
numberofusers.MACaddressescanbemanuallyconfiguredonthe
accesspointitselfwithout theneedto setupaRADIUSserver.Theaccess
pointsupportsupto1024MACaddressesinitsfilteringtable,but
managingalargenumberofMACaddressesacrossmorethanoneaccess
pointquicklybecomesverycumbersome.
UseIEEE802.1xauthenticationfornetworkswithalargernumberof
usersandwheresecurityisthemostimportantissue.ARADIUSserveris
requiredinthewirednetworktocontroltheusercredentials(digital
certificates,smartcards,passwords,orother)ofwirelessclients.The
802.1xauthenticationapproachprovidesastandards-based,flexible,and
scalablesolutionthatcanbecentrallymanaged.However,implementing
802.1xrequiresmoreresourcesandskillstooperateandmaintaina
RADIUSserverandmanagealargedatabaseofusercredentials.
TheAuthentication windowontheSecuritytabenablestheaccesspointtobe
configuredtouseMACaddressauthentication.
MACAuthentication:Thetypeofauthenticationmethodthesystem
employswhenauthenticatingawirelessclientsMACaddress.
5-53
LocalMAC:TheMACaddressof theassociatingstation is compared
againstthelocaldatabasestoredontheaccesspoint.TheLocal MAC
Authentication sectionenablesthelocaldatabasetobesetup.The
accesspointsupportsupto1024MACaddresses.
RadiusMAC:TheMACaddressoftheassociatingstationissentto
aconfiguredRADIUSserverforauthentication.
Disable:NochecksareperformedonanassociatingstationsMAC
address.
LocalMACAuthentication:ConfiguresthelocalMACauthentication
database.TheMACdatabaseprovidesamechanismtotakecertain
actionsbasedonawirelessclientsMACaddress.TheMAClistcanbe
configuredtoallowordenynetworkaccesstospecificclients.
SystemDefault:SpecifiesadefaultactionforallunknownMAC
addresses(thatis,thosenotlistedinthelocalMACdatabase).
Deny:BlocksaccessforallMACaddressesexceptthoselisted
inthelocaldatabaseasallowed.
Allow:PermitsaccessforallMACaddressesexceptthoselisted
inthelocaldatabaseasdenied.
MACAuthenticationSettings:EntersspecifiedMACaddressesand
permissionsintothelocalMACdatabase.
MACAddress:Physicaladdressofaclient.Entersixpairsofhexa-
decimal digitsseparatedby hyphens,forexample, 00-90-D1-12-AB-89.
Permission:SelectAllowtopermitaccessorDenytoblockaccess.
IfDeleteisselected,thespecifiedMACaddressentryis removedfrom
thedatabase.
Update:EntersthespecifiedMACaddressandpermissionsetting
intothelocaldatabase.
MACAuthenticationTable:DisplayscurrententriesinthelocalMAC
database.
ToConfigureMACAuthenticationUsingaLocalDatabase:
3. SetMAC AuthenticationtoLocal MAC.
4. UnderLocal MAC authentication,setSystem DefaulttoDeny.Thisblocksall
unknownMACaddressesfromgainingaccesstothenetwork.
6. UnderMAC Authentication Settings,enteranauthorizedclientMAC
addressintheMAC addresstextfield.
5-54
7. SetthePermissiontoAllowed.
8. Clickthe[Update]button.ThenewentryappearsintheMAC Authentication
Table.
9. Repeatsteps6to8foreachclientthatisauthorizedtoaccessthenetwork.
Figure 5-12. Local MAC Authentication
CLI:ConfiguringMACAddressAuthentication
mac-authentication server[local|remote] page6-45
address filter default<allowed|denied> page6-43
address filter entry<mac-address><allowed|denied> page6-43
address filter delete<mac-address> page6-44
mac-authentication session-timeout<seconds> page6-45
show authentication page6-46
5-55
-----------------
ThefollowingexampleshowshowtoconfigureMACaddressauthentication
usingtheaccesspointslocaldatabase.TheexampleshowsthreeclientMAC
addressesthatarepermittedtoaccessthenetwork.AllotherMACaddresses
aredeniedaccess.
HP420(config)#mac-authentication server local
HP420(config)#address filter default denied
HP420(config)#address filter entry 00-70-50-cc-99-1a allowed
HP420(config)#address filter entry 00-70-23-7a-1c-bb allowed
HP420(config)#address filter entry 00-70-51-49-d3-26 allowed
HP420(config)#
ThefollowingexampleshowshowtodeleteaMACaddressfromtheaccess
pointslocaldatabase.
HP420(config)#address filter delete 00-70-50-cc-99-1a
HP420(config)#
Thefollowingexampleshowshowtodisplaythecurrentauthentication
configurationontheaccesspointfromtheExeclevel.
HP420#show authentication
Authentication Information
=========================================================
MAC Authentication Server : REMOTE
MAC Auth Session Timeout Value : 1 secs
802.1x : SUPPORTED
Broadcast Key Refresh Rate : 5 min
Session Key Refresh Rate : 5 min
802.1x Session Timeout Value : 300 secs
Address Filtering : DENIED
System Default : DENY addresses not found in filter table.
Filter Table
MAC Address Status
----------
00-70-23-7a-1c-bb ALLOWED
00-70-51-49-d3-26 ALLOWED
=========================================================
HP420#
5-56
Web:ConfiguringIEEE802.1x
TheaccesspointsupportsIEEE802.1x(802.1x)accesscontrolforwireless
clients.Thiscontrolfeaturepreventsunauthorizedaccesstothenetworkby
requiringan802.1xclientapplicationtosubmitusercredentialsforauthenti-
cation.ClientauthenticationisthenverifiedbyaRADIUSserverusingExten-
sibleAuthenticationProtocol(EAP)beforetheaccesspointgrantsaclient
accesstothenetwork.
Not e The802.1xaccesscontrolfeaturerequiresaRADIUSauthenticationserverto
beconfiguredandavailableinthewirednetwork.Besurethattheservers
detailsareconfiguredintheRADIUSwindow.
Theaccesspointalsousesthe802.1xExtensibleAuthenticationProtocol Over
LANs(EAPOL)packetstopassdynamicunicastsessionkeysandstatic
broadcastkeystowirelessclients.Sessionkeysareuniquetoeachclientand
areusedtoauthenticateaclientconnection,andcorrelatetrafficpassing
betweenaspecificclientandtheaccesspoint.Youcanalsoenablebroadcast
keyrotation,sotheaccesspointprovidesadynamicbroadcastkeyand
changesitataspecifiedinterval.
TheAuthenticationwindowontheSecuritytabenables802.1xtobeconfigured
fortheaccesspoint.
802.1xSetup. Youcanenable802.1xasoptionallysupportedorasrequired
toenhancethesecurityofthewirelessnetwork.When802.1xisenabled,the
broadcastandsessionkeyrotationintervalscanalsobeconfigured.
Disable:Theaccesspointdoesnotsupport802.1xauthenticationforany
wirelessclient.Aftersuccessfulwirelessassociationwiththeaccess
point,eachclientisallowedtoaccessthenetwork.
Supported:Theaccesspointsupports802.1xauthenticationonlyfor
clientsinitiatingthe802.1xauthenticationprocess(theaccesspointdoes
notinitiate 802.1xauthentication).Forclientsinitiating 802.1x,onlythose
successfullyauthenticatedareallowedtoaccessthenetwork.Forthose
clientsnotinitiating802.1x,accesstothenetworkisallowedafter
successfulwirelessassociationwiththeaccesspoint.
Required:Theaccesspointenforces802.1xauthenticationforallasso-
ciatedwirelessclients.If802.1xauthenticationisnotinitiatedbyaclient,
theaccesspointwillinitiateauthentication.Onlythoseclientssuccess-
fullyauthenticatedwith802.1xareallowedtoaccessthenetwork.
5-57
BroadcastKeyRefreshRate:Setstheintervalatwhichthebroadcast
keysarerefreshedforstationsusing802.1xdynamickeying.(Range:0-
1440minutes;Default:0=disabled)
SessionKeyRefreshRate:Theintervalatwhichtheaccesspoint
refreshesunicastsessionkeysforassociatedclients.(Range:0- 1440
minutes;Default:0=disabled)
802.1xReauthenticationRefreshRate:Thetimeperiodafterwhicha
connectedclientmustbere-authenticated.Duringthere-authentication
processofverifyingtheclientcredentialsontheRADIUSserver,theclient
remainsconnectedthenetwork.Onlyifre-authenticationfailsisnetwork
accessblocked.(Range:0-65535seconds;Default:0=Disabled)
ToConfigure802.1xAuthenticationandKeyManagement:
7. SettheAuthentication Type SetuptoOpen System.
11. FortheBroadcast Key Refresh Rate,enteratimeperiodbetween0
(disabled)and1440minutes.
12. FortheSession Key Refresh Rate,enteratimeperiodbetween0(disabled)
and1440minutes.
13. Forthe802.1x Re-Authentication Refresh Rate,enteratimeperiodbetween
0(disabled)and65535seconds.
5-58
Figure 5-13. The Authentication Window 802.1x Setup
CLI:ConfiguringIEEE802.1x
[no] 802.1x<supported|required>
802.1x broadcast-key-refresh-rate<rate>
802.1x session-key-refresh-rate<rate>
802.1x session-timeout<seconds>
show authentication
page6-53
page6-66
page6-40
page6-41
page6-41
page6-42
page6-46
5-59
-----------------
Thefollowingexampleshowshowtoconfigure802.1xauthenticationtobe
requiredbyallclients,aswellassettingbroadcastandsessionkeyrefresh
ratesandare-authenticationtimeout.
HP420(if-wireless g)#end
HP420(config)#802.1x required
HP420(config)#802.1x broadcast-key-refresh-rate 5
HP420(config)#802.1x session-key-refresh-rate 5
HP420(config)#802.1x session-timeout 600
HP420(config)#
Thefollowing exampleshowshowtodisplay the current802.1xconfiguration
ontheaccesspointfromtheExeclevel.
=========================================================
MAC Authentication Server : LOCAL
802.1x : REQUIRED
Filter Table
MAC Address Status
----------
00-70-23-7a-1c-bb ALLOWED
00-70-51-49-d3-26 ALLOWED
=========================================================
HP420#
5-60
Web:SettingupWEPShared-Keys
SettingupsharedkeysenablesthebasicIEEE802.11WiredEquivalent
Privacy(WEP)ontheaccesspointtopreventunauthorizedaccesstothe
network.
IfyouchoosetouseWEPsharedkeysinsteadofanopensystem,besureto
defineatleastonestaticWEPkeyfor userauthenticationanddata encryption.
Also,besurethattheWEPsharedkeysarethesameforeachclientinthe
wirelessnetwork.
Not e WEPhasbeenfoundtobeseriouslyflawedandcannotberecommendedfor
ahighlevelofnetworksecurity.Formorerobustwirelesssecurity,theaccess
pointprovidesWi-FiProtectedAccess(WPA)forimproveddataencryption
anduserauthentication.
TheShared Key SetupwindowontheSecuritytabenablesWEPsharedkeysto
beconfiguredfortheaccesspoint.
AuthenticationTypeSetup:Setstheaccesspointtocommunicatewith
clientsusingpre-configuredstaticsharedkeysorasanopensystemthat
acceptsnetworkaccessattemptsfromanyclient.
OpenSystem:SelectthisoptionifyouplantouseWPAor802.1xas
asecuritymechanism.Ifyoudontsetupanyothersecuritymecha-
nismontheaccesspoint,thenetworkhasnoprotectionandisopen
toallusers.
SharedKey:SetstheaccesspointtouseWEPsharedkeys.Ifthis
optionisselected,youmustconfigureatleastonekeyontheaccess
pointandallclients.
WiredEquivalentPrivacy(WEP)Setup:Enableordisabletheaccess
pointtouseWEPsharedkeys.Ifthisoptionisselected,youmust
configureatleastonekeyontheaccesspointandallclients.
SharedKeySetup:Select64Bit,128Bit,or152Bit.Notethatthesame
sizeofencryptionkeymustbesupportedonallwirelessclients.
KeyType:SelectthepreferredmethodofenteringWEPencryptionkeys
ontheaccesspointandenteruptofourkeys:
Hexadecimal:Enterkeysas10hexadecimaldigits(0to9andAto
F)for64bitkeys,26hexadecimaldigitsfor128bitkeys,or32
hexadecimaldigitsfor152bitkeys.
5-61
Alphanumeric:Enterkeysas5alphanumericcharactersfor64bit
keys,13alphanumericcharactersfor128bit keys,or16alphanumeric
charactersfor152bitkeys.
TransmitKeySelect:Selectsthekeynumbertouseforencryption.
ToConfigureWEPSharedKeys:
3. SettheAuthentication Type SetuptoShared Key.
4. SetWired Equivalent Privacy (WEP) SetuptoEnabled.
5. Selectthesizeoftheencryptionkeytobeusedbyallclients,64 bit,128 bit,
or152 bit.
6. Selectthemethodtoenterthekeys,HexadecimalorAlphanumeric.
7. Enteroneormorekeysinthetableconformingthemethodandsize
alreadyselected.
8. SelectoneoftheenteredkeysastheTransmit Keytobeusedtoencrypt
datatransmittedfromtheaccesspoint.Otherkeyscanbesharedwith
clientsandusedfordecryption.
5-62
Figure 5-14. Shared Key Setup Window
CLI:SettingupWEPShared-Keys
authentication<open|shared> page6-66
[no] closed-system page6-59
[no] encryption<key-length> page6-67
5-63
[no] key<index> <size> <type> <value> page6-68
transmit-key<index> page6-69
show interface wireless g page6-75
ThefollowingexampleshowshowtosetupWEPsharedkeysthatareused
forclientauthenticationanddataencryption.
ToenhancesecuritywhenusingWEP,theCLIenablesyoutosettheaccess
pointasaclosedsystem.Whensetasaclosedsystem,theaccesspointdoes
notincludeitsSSIDinbeaconmessagesanddoesnotrespondtoanyprobe
requestsfromclientsthatdonotincludetheaccesspointsconfiguredSSID.
HP420(if-wireless g)#authentication shared
HP420(if-wireless g)#closed-system
HP420(if-wireless g)#encryption 128
You changed the WEP key length, please make sure you change
your key for static WEP
HP420(if-wireless g)#key 1 128 ascii asdeipadjsipd
HP420(if-wireless g)#key 2 128 ascii lkdhenoekmpet
HP420(if-wireless g)#key 3 128 ascii zbxhwofpwutny
HP420(if-wireless g)#transmit-key 2
5-64
ThefollowingexampleshowshowtodisplaythecurrentWEPsharedkey
configurationontheaccesspointfromtheExeclevel.
===========================================================
----------------Identification-----------------------------
Channel : 9
Status : Disabled
----------------802.11 Parameters--------------------------
Transmit Power : HALF (15 dBm)
----------------Security-----------------------------------
Closed System : ENABLED
Authentication Type : SHARED
Encryption : 128-BIT ENCRYPTION
WEP Key Data Type : Alphanumeric
Static Keys :
Key 1: ***** Key 2: ***** Key 3: ***** Key 4: EMPTY
===========================================================
HP420#
5-65
5-66
6
CommandLineReference
Contents
Overview ..................................................... 6-2
GeneralCommands............................................ 6-3
SystemManagementCommands ............................... 6-8
SNMPCommands ............................................ 6-25
Flash/FileCommands......................................... 6-30
RADIUSClient ............................................... 6-34
802.1xPortAuthentication ................................... 6-39
FilteringCommands .......................................... 6-47
InterfaceCommands ......................................... 6-51
IAPPCommand .............................................. 6-77
VLANCommands ............................................. 6-78
6-1
Command Line Reference
Overview
Overview
ThischapterdescribesthecommandsprovidedbytheCLI.
TheCLIcommandscanbebrokendownintothefunctionalgroupsshown
below.
Command Group Description Page
General Basiccommandsforenteringconfigurationmode,restarting
thesystem,orquittingtheCLI
System
Management
Controlsusername,password,systemlogs,browser
managementoptions,clocksettings,andavarietyofother
systeminformation
SNMP Configurescommunityaccessstringsandtrapmanagers 6-25
Flash/File Managescodeimageoraccesspointconfigurationfiles 6-30
RADIUS ConfigurestheRADIUSclientusedwith802.1xauthentication 6-34
Authentication ConfiguresIEEE802.1xportaccesscontrolandaddressfiltering 6-39
Filtering Filterscommunicationsbetweenwirelessclients,controls 6-47
accesstothemanagementinterfacefromwirelessclients,and
filterstrafficusingspecificEthernetprotocoltypes
Interface ConfiguresconnectionparametersfortheEthernetinterface
andwirelessinterface
6-51
IAPP Enablesroamingbetweenmulti-vendoraccesspoints 6-77
VLANs ConfiguresVLANmembership 6-78
Theaccessmodeshowninthefollowingtablesisindicatedbytheseabbrevi-
ations:GC(GlobalConfiguration),andIC(InterfaceConfiguration).
6-2
6-3
6-8
GeneralCommands
GeneralCommands
Command Function Mode Page
configure Activatesglobalconfigurationmode Exec 6-3
end Returnstothepreviousconfigurationmode GC,IC 6-4
exit ReturnstotheExecmode,orexitstheCLI any 6-4
ping SendsICMPechorequestpacketstoanothernode Exec 6-5
onthenetwork
reset Restartsthesystem Exec 6-6
showhistory Showsthecommandhistorybuffer Exec 6-6
showline Showstheconfigurationsettingsfortheconsoleport Exec 6-7
configure
ThiscommandactivatesGlobalConfigurationmode.Youmustenterthis
modetomodifymostofthesettingsontheaccesspoint.Youmustalsoenter
GlobalConfigurationmodepriortoenablingthecontextmodesforInterface
Configuration.SeeUsingtheCLIonpage3-2.
DefaultSetting
None
CommandMode
Exec
Example
HP420#configure
HP420(config)#
RelatedCommands
end(page6-4)
6-3
GeneralCommands
end
Thiscommandreturnstothepreviousconfigurationmode.
DefaultSetting
None
CommandMode
GlobalConfiguration,InterfaceConfiguration
Example
ThisexampleshowshowtoreturntotheConfigurationmodefromthe
EthernetInterfaceConfigurationmode:
HP420(if-ethernet)#end
HP420(config)#
exit
ThiscommandreturnstotheExecmodeorexitstheconfigurationprogram.
DefaultSetting
None
CommandMode
Any
Example
ThisexampleshowshowtoreturntotheExecmodefromtheInterface
Configurationmode,andthenquittheCLIsession:
HP420(if-ethernet)#exit
HP420#exit
CLI session with the Access Point is now closed
Username:
6-4
GeneralCommands
ping
ThiscommandsendsICMPechorequestpacketstoanothernodeonthe
network.
Syntax
ping<host_name|ip_address>
host_name-Aliasofthehost.
ip_address-IPaddressofthehost.
DefaultSetting
None
CommandMode
Exec
CommandUsage
Usethepingcommandtoseeifanothersiteonthenetworkcanbe
reached.
Thefollowingaresomeresultsofthepingcommand:
Normalresponse-Thenormalresponseoccursinonetoten
seconds,dependingonnetworktraffic.
Destinationdoesnotrespond- Ifthehostdoesnotrespond,a
timeoutappearsintenseconds.
Destinationunreachable- Thegatewayforthisdestinationindi-
catesthatthedestinationisunreachable.
Networkorhostunreachable- Thegatewayfoundnocorre-
spondingentryintheroutetable.
Press[Esc]tostoppinging.
Example
HP420#ping 10.1.0.9
10.1.0.9 is alive
HP420#
6-5
GeneralCommands
reset
Thiscommandrestartsthesystemorrestoresthefactorydefaultsettings.
Syntax
reset<board|configuration>
board-Rebootsthesystem.
configuration- Resetstheconfigurationsettingstothefactory
defaults,andthenrebootsthesystem.
DefaultSetting
None
CommandMode
Exec
CommandUsage
Whenthesystemisrestarted,itwillalwaysrunthePower-OnSelf-Test.
Example
Thisexampleshowshowtoresetthesystem:
HP420#reset board
Reboot system now? <y/n>: y
showhistory
Thiscommandshowsthecontentsofthecommandhistorybuffer.
DefaultSetting
None
CommandMode
Exec
CommandUsage
Thehistorybuffersizeisfixedat10commands.
Usetheupordownarrowkeystoscrollthroughthecommandsin
thehistorybuffer.
6-6
GeneralCommands
Example
Inthisexample,theshowhistorycommandliststhecontents ofthecommand
historybuffer:
HP420#show history
config
exit
show history
HP420#
showline
Thiscommanddisplaystheconsoleportsconfigurationsettings.
CommandMode
Exec
Example
Theconsoleportsettingsarefixedatthevaluesshownbelow.
HP420#show line
Console Line Information
======================================================
databits : 8
parity : none
speed : 9600
stop bits : 1
======================================================
HP420#
6-7
SystemManagementCommands
Thesecommandsareused toconfiguretheusername,password,systemlogs,
browsermanagementoptions,clocksettings,andavarietyofothersystem
information.
Country Setting
country
Device
Designation
prompt
systemname
snmp-server
contact
snmp-server
location
User Access
username
password
Web Server
iphttpport
iphttpserver
Event Logging
loggingon
logginghost
logging
console
Setsthecountrycodeforcorrectradiooperation
Setstheaccesspointcountrycode Exec 6-9
Configuresinformationthatuniquelyidentifiesthis
device
Customizesthecommandlineprompt GC 6-11
Specifiesthehostnamefortheaccesspoint GC 6-12
Setsthesystemcontactstring GC 6-26
Setsthesystemlocationstring GC 6-29
Configurestheusernameandpasswordfor
managementaccess
Configurestheusernameformanagementaccess GC 6-12
Specifiesthepasswordformanagementaccess GC 6-13
EnablesmanagementaccessviaaWebbrowser
SpecifiestheporttobeusedbytheWebbrowser GC 6-13
interface
Allowstheaccesspointtobemonitoredorconfigured GC 6-14
fromabrowser
Controlsloggingoferrormessages
Controlsloggingoferrormessages GC 6-15
AddsasyslogserverhostIPaddressthatwillreceive GC 6-15
loggingmessages
Initiatesloggingoferrormessagestotheconsole GC 6-16
logginglevel Definestheminimumseveritylevelforeventlogging GC 6-16
6-8
GC 6-17 loggingfacility-
type
Setsthefacilitytypeforremoteloggingofsyslog
messages
showlogging Displaysthestateoflogging Exec 6-18
System Clock SetsthesystemclockviaanNTP/SNTPserver
sntp-serverip Specifiesoneormoretimeservers GC 6-19
sntp-server Acceptstimefromthespecifiedtimeservers GC 6-20
enable
sntp-server
date-time
Manuallysetsthesystemdateandtime GC 6-20
sntp-server
daylight-saving
Setsthestartandenddatesfordaylightsavingstime GC 6-21
sntp-server
timezone
Setsthetimezonefortheaccesspointsinternalclock GC 6-22
showsntp ShowscurrentSNTPconfigurationsettings Exec 6-23
System Status Displayssystemconfigurationandversioninformation
showsystem Displayssysteminformation Exec 6-23
showversion Displaysversioninformationforthesystem Exec 6-24
country
ThiscommandconfigurestheaccesspointsCountryCode,whichidentifies
thecountryofoperationandsetsthecorrectauthorizedradiochannels.
Thiscommandisavailableonlyifyouareusingtheworldwideproduct,
J8131A.
Syntax
country<country_code>
country_code- Atwocharactercodethatidentifiesthecountryof
operation.SeeTable6-1onpage6-10forafulllistoftheavailable
codes.
6-9
Table 6-1. Access Point Country Codes
Country Code Country Code Country Code Country Code
Albania AL DominicanRepulic DO Kuwait KW Qatar QA
Algeria DZ Ecuador EC Latvia LV Romania RO
Argentina AR Egypt EG Lebanon LB Russia RU
Armenia AM Estonia EE Liechtenstein LI SaudiaArabia SA
Australia AU Finland FI Lithuania LT Singapore SG
Austria AT France FR Luxembourg LU SlovakRepublic SK
Azerbaijan AZ Georgia GE Macau MO Slovenia SI
Bahrain BH Germany DE Macedonia MK SouthAfrica ZA
Belarus BY Greece GR Malaysia MY Spain ES
Belgium BE Guatemala GT Mexico MX Sweden SE
Belize BZ HongKong HK Monaco MC Switzerland CH
Bolivia BO Hungary HU Morocco MA Syria SY
Brazil BR Iceland IS NorthAmerica NA Taiwan TW
BruneiDarussalam BN India IN Netherlands NL Thailand TH
Bulgaria BG Indonesia ID NewZealand NZ Turkey TR
Canada CA Iran IR Norway NO Ukraine UA
Chile CL Ireland IE Oman OM UnitedArabEmirates AE
China CN Israel IL Pakistan PK UnitedKingdom GB
Colombia CO Italy IT Panama PA UnitedStates US
CostaRica CR Japan JP Peru PE Uruguay UY
Croatia HR Jordan JO Philippines PH Venezuela VE
Cyprus CY Kazakhstan KZ Poland PL Vietnam VN
CzechRepublic CZ NorthKorea KP Portugal PT
Denmark DK KoreaRepublic KR PuertoRico PR
DefaultSetting
99(nocountryset)
6-10
CommandMode
Exec
CommandUsage
TheaccesspointsCountryCodemustbesetbeforetheradiocanbe
enabled.
TheavailableCountryCodesettingscanbedisplayedbyusingthe
country ?command.
TheCountryCodesUS(UnitedStates)andCA(Canada)areeffec-
tivelythesamesettingandarebothimplementedasNA(North
America).
AfteraCountryCodehasbeensetthecountrycommandisnolonger
availablefromtheCLI.IfyouneedtochangetheCountryCode,the
accesspointconfigurationmustberesettoitsdefaultvaluesbyusing
thereset configuration command,orbypressingtheresetbuttonfor
morethanfiveseconds.
Example
HP420#country us
HP420#
prompt
ThiscommandcustomizestheCLIprompt.Usethenoformtorestorethe
defaultprompt.
Syntax
prompt<string>
noprompt
string-AnyalphanumericstringtousefortheCLIprompt.
DefaultSetting
HPProCurveAccessPoint420
CommandMode
GlobalConfiguration
6-11
Example
HP420(config)#prompt RD2
RD2(config)#
systemname
Thiscommandspecifiesormodifiesthesystemnameforthisdevice.
Syntax
systemname<name>
name- Thenameofthishost.(Maximumlength:32characters)
DefaultSetting
EnterpriseAP
CommandMode
GlobalConfiguration
Example
HP420(config)#system name HP420 Access Point
HP420(config)#
username
Thiscommandconfigurestheusernameformanagementaccess.
Syntax
username<name>
name-Thenameoftheuser.
(Length:3-16characters,casesensitive.)
DefaultSetting
admin
CommandMode
GlobalConfiguration
6-12
Example
HP420(config)#username bob
HP420(config)#
password
Afterinitiallyloggingontothesystem,youshouldsetthepassword.
Remembertorecorditinasafeplace.Usethenoformtoresetthedefault
password.
Syntax
password<password>
nopassword
password- Passwordformanagementaccess.
(Length:3-16characters,casesensitive)
DefaultSetting
None
CommandMode
GlobalConfiguration
Example
HP420(config)#password hp420ap
HP420(config)#
iphttpport
ThiscommandspecifiestheTCPportnumberusedbytheWebbrowser
interface.Usethenoformtousethedefaultport.
Syntax
iphttpport<port-number>
noiphttpport
port-number- TheTCPporttobeusedbythebrowserinterface.
(Range:1024-65535)
DefaultSetting
80
6-13
CommandMode
GlobalConfiguration
CommandUsage
ToavoidusingcommonreservedTCPportnumbersbelow1024,the
configurablerangeisrestrictedtobetween1024and65535.However,the
defaultportnumberis80.Toresetthedefaultportnumber,usetheno ip
http portcommand.
Example
HP420(config)#ip http port 49153
HP420(config)#
RelatedCommands
ip http server(page6-14)
iphttpserver
Thiscommandallowsthisdevicetobemonitoredorconfiguredfroma
browser.Usetheno formtodisablethisfunction.
Syntax
iphttpserver
noiphttpserver
DefaultSetting
Enabled
CommandMode
GlobalConfiguration
Example
HP420(config)#ip http server
HP420(config)#
RelatedCommands
ip http port(page6-13)
6-14
loggingon
Thiscommandcontrolsloggingof errormessages,i.e.,sending debugorerror
messagestomemory.Theno formdisablestheloggingprocess.
Syntax
loggingon
nologging
DefaultSetting
None
CommandMode
GlobalConfiguration
CommandUsage
Theloggingprocesscontrolserrormessagessavedtomemory.Youcan
usethelogging levelcommandtocontrolthetypeoferrormessagesthat
arestoredinmemory.
Example
HP420(config)#logging on
HP420(config)#
logginghost
ThiscommandspecifiesaSyslogserverhostthatwillreceivelogging
messages.UsethenoformtoremoveSyslogserverhost.
Syntax
logginghost<host-name|host-ip-address>
nologginghost
host-name- ThenameofaSyslogserver.(Range:1-20characters)
host-ip-address- TheIPaddressofaSyslogserver.
DefaultSetting
None
CommandMode
GlobalConfiguration
6-15
Example
HP420(config)#logging host 10.1.0.3
HP420(config)#
loggingconsole
Thiscommandinitiatesloggingoferrormessagestotheconsole.Usetheno
formtodisableloggingtotheconsole.
Syntax
loggingconsole
nologgingconsole
DefaultSetting
Disabled
CommandMode
GlobalConfiguration
Example
HP420(config)#logging console
HP420(config)#
logginglevel
Thiscommandsetstheminimumseveritylevelforeventlogging.
Syntax
logginglevel<Alert|Critical|Error|Warning|Notice|Informational|Debug>
DefaultSetting
Error
CommandMode
GlobalConfiguration
6-16
CommandUsage
MessagessentincludetheselectedleveldowntotheAlertlevel.
Level Argument Description
Alerts Immediateactionneeded
Critical Criticalconditions(forexample,memoryallocation,orfreememory
error- resourceexhausted)
Error Errorconditions(forexample,invalidinput,defaultused)
Warning Warningconditions(forexample,returnfalse,unexpectedreturn)
Notice Normalbutsignificantcondition,suchascoldstart
Informational Informationalmessagesonly
Debug Debuggingmessages
* ThereareonlyCritical,Notice,andInformationalmessagesforthecurrentfirmware.
Example
HP420(config)#logging level alert
HP420(config)#
loggingfacility-type
ThiscommandsetsthefacilitytypeforremoteloggingofSyslogmessages.
Syntax
loggingfacility-type<type>
type- AnumberthatindicatesthefacilityusedbytheSyslogserverto
dispatchlogmessagestoanappropriateservice.(Range:16-23)
DefaultSetting
16
CommandMode
GlobalConfiguration
6-17
CommandUsage
ThecommandspecifiesthefacilitytypetagsentinSyslogmessages.(See
RFC3164.)Thistypehasnoeffectonthekindofmessagesreportedby
theaccesspoint.However,itmaybeusedbytheSyslogservertosort
messagesortostoremessagesinthecorrespondingdatabase.
Example
HP420(config)#logging facility 19
HP420(config)#
showlogging
Thiscommanddisplaystheloggingconfiguration.
Syntax
showlogging
CommandMode
Exec
Example
HP420#show logging
Logging Information
============================================
Syslog State : Disabled
Logging Host State : Enabled
Logging Console State : Disabled
Server Domain name/IP : none
Logging Level : Error
Logging Facility Type : 16
=============================================
HP420#
6-18
sntp-serverip
ThiscommandsetstheIPaddressoftheserverstowhichSNTPtimerequests
areissued.Usethiscommandwithnoargumentstoclearalltimeserversfrom
thecurrentlist.
Syntax
sntp-serverip<1|2><ip>
1-Firsttimeserver.
2-Secondtimeserver.
ip- IPaddressofatimeserver(NTPorSNTP).
DefaultSetting
137.92.140.80
192.43.244.18
CommandMode
GlobalConfiguration
CommandUsage
WhenSNTPclient modeisenabled usingthesntp-server enablecommand,
thesntp-server ip commandspecifiesthetimeserversfromwhichthe
accesspointpollsfortimeupdates.Theaccesspointwillpollthetime
serversintheorderspecifieduntilaresponseisreceived.
Example
HP420(config)#sntp-server ip 10.1.0.19
HP420#
RelatedCommands
sntp server enable(page6-20)
show sntp(page6-23)
6-19
sntp-serverenable
ThiscommandenablesSNTPclientrequestsfortimesynchronizationwith
NTPorSNTPtimeserversspecifiedbythesntp-server ip command.Usethe
noformtodisableSNTPclientrequests.
Syntax
sntp-serverenable
nosntp-serverenable
DefaultSetting
Disabled
CommandMode
GlobalConfiguration
CommandUsage
Thetimeacquiredfromtimeserversisusedtorecordaccuratedatesand
timesforlog events.WithoutSNTP,theaccesspoint only recordsthetime
startingfromthefactorydefaultsetatthelastbootup(i.e.,00:14:00,
January1,1970).
Example
HP420(config)#sntp-server enable
HP420(config)#
RelatedCommands
sntp-server ip(page6-19)
show sntp(page6-23)
sntp-serverdate-time
Thiscommandsetsthesystemclock.
DefaultSetting
00:14:00,January1,1970
CommandMode
GlobalConfiguration
6-20
Example
Thisexamplesetsthesystemclockto17:37June19,2003.
HP420#sntp-server date-time
Enter Year<1970-2100>: 2003
Enter Month<1-12>: 6
Enter Day<1-31>: 19
Enter Hour<0-23>: 17
Enter Min<0-59>: 37
HP420#
RelatedCommands
sntp-server enable(page6-20)
sntp-serverdaylight-saving
Thiscommandsetsthestartandenddatesfordaylightsavingstime.Usethe
noformtodisabledaylightsavingstime.
Syntax
sntp-serverdaylight-saving
nosntp-serverdaylight-saving
DefaultSetting
Disabled
CommandMode
GlobalConfiguration
CommandUsage
Thecommandsetsthesystemclockbackonehourduringthespecified-
period.
6-21
Example
ThissetsdaylightsavingstimetobeusedfromMarch31sttoOctober31st.
HP420(config)#sntp-server daylight-saving
Enter Daylight saving from which month<1-12>: 3
Enter Daylight saving end to which month<1-12>: 10
HP420(config)#
sntp-servertimezone
Thiscommandsetsthetimezonefortheaccesspointsinternalclock.
Syntax
sntp-servertimezone<hours>
hours-Numberofhoursbefore/afterUTC.(Range:-12to+12hours)
DefaultSetting
None
CommandMode
GlobalConfiguration
CommandUsage
ThiscommandsetsthelocaltimezonerelativetotheCoordinated
UniversalTime(UTC,formerlyGreenwichMeanTimeorGMT),basedon
theearthsprimemeridian,zerodegreeslongitude.Todisplayatime
correspondingtoyourlocaltime,youmustindicatethenumberofhours
andminutesyourtimezoneiseast(before)orwest(after)ofUTC.
Example
HP420(config)#sntp-server timezone +8
HP420(config)#
6-22
showsntp
Thiscommanddisplaysthecurrenttimeandconfigurationsettingsforthe
SNTPclient.
CommandMode
Exec
Example
HP420#show sntp
SNTP Information
=========================================================
Service State : Enabled
SNTP (server 1) IP : 137.92.140.80
SNTP (server 2) IP : 192.43.244.18
Current Time : 08 : 04, Jun 20th, 2003
Time Zone : +8 (TAIPEI, BEIJING)
Daylight Saving : Enabled, from Jun, 1st to Sep, 1st
=========================================================
HP420#
showsystem
Thiscommanddisplaysbasicsystemconfigurationsettings.
DefaultSetting
None
CommandMode
Exec
6-23
Example
HP420#show system
System Information
============================================================
Serial Number : 0000000001
System Up time : 0 days, 0 hours, 1 minutes, 3 seconds
System Name : Enterprise AP
System Location :
System Contact : Contact
System Country Code : NA - North America
MAC Address : 00-30-F1-81-83-12
Subnet Mask : 255.255.255.0
VLAN State : DISABLED
Native VLAN ID : 1
IAPP State : ENABLED
DHCP Client : DISABLED
HTTP Server : ENABLED
HTTP Server Port : 80
Slot Status : Dual band(b/g)
Software Version : v2.0.22
===========================================================
HP420#
showversion
Thiscommanddisplaysthesoftwareversionforthesystem.
DefaultSetting
None
CommandMode
Exec
Example
HP420#show version
Version v2.0.22
HP420#
6-24
SNMPCommands
SNMPCommands
Controlsaccesstothisaccesspointfrommanagementstationsusingthe
SimpleNetworkManagementProtocol(SNMP),aswellasthehoststhatwill
receivetrapmessages.
snmp-server
community
Setsupthecommunityaccessstringtopermitaccess
toSNMPcommands
GC 6-25
snmp-server
contact
Setsthesystemcontactstring GC 6-26
snmp-server
enableserver
EnablesSNMPserviceandtraps GC 6-27
snmp-serverhost SpecifiestherecipientofanSNMPnotification
operation
GC 6-28
snmp-server
location
Setsthesystemlocationstring GC 6-29
showsnmp DisplaysthestatusofSNMPcommunications Exec 6-30
snmp-servercommunity
ThiscommanddefinesthecommunityaccessstringfortheSimpleNetwork
ManagementProtocol.Usethenoformtoremovethespecifiedcommunity
string.
Syntax
snmp-servercommunity<string>[ro|rw]
nosnmp-servercommunity<string>
string- Communitystringthatactslikeapasswordandpermits
accesstotheSNMPprotocol.(Maximumlength:23characters, case
sensitive)
ro- Specifiesread-onlyaccess.Authorizedmanagementstationsare
onlyabletoretrieveMIBobjects.
rw- Specifiesread/writeaccess.Authorizedmanagementstations
areabletobothretrieveandmodifyMIBobjects.
6-25
SNMPCommands
DefaultSetting
public-Read-onlyaccess.Authorizedmanagementstationsareonly
abletoretrieveMIBobjects.
private- Read/writeaccess.Authorizedmanagementstationsareable
tobothretrieveandmodifyMIBobjects.
CommandMode
GlobalConfiguration
CommandUsage
Ifyouenteracommunitystringwithouttheroorrwoption,thedefaultis
readonly.
Example
HP420(config)#snmp-server community alpha rw
HP420(config)#
snmp-servercontact
Thiscommandsetsthesystemcontactstring.Usethenoformtoremovethe
systemcontactinformation.
Syntax
snmp-servercontact<string>
nosnmp-servercontact
string-Stringthatdescribesthesystemcontact.
DefaultSetting
Contact
CommandMode
GlobalConfiguration
Example
HP420(config)#snmp-server contact Paul
HP420(config)#
6-26
SNMPCommands
RelatedCommands
snmp-server location(page6-29)
snmp-serverenableserver
ThiscommandenablesSNMPmanagementaccessandalsoenablesthis
devicetosendSNMPtraps(i.e.,notifications).Usethenoformtodisable
SNMPserviceandtrapmessages.
Syntax
snmp-serverenableserver
nosnmp-serverenableserver
DefaultSetting
Enabled
CommandMode
GlobalConfiguration
CommandUsage
Thiscommandenablesbothauthenticationfailurenotificationsand
linkup-downnotifications.
Thesnmp-server hostcommandspecifiesthehostdevicethatwill
receiveSNMPnotifications.
Example
HP420(config)#snmp-server enable server
HP420(config)#
RelatedCommands
snmp-server host(page6-28)
6-27
SNMPCommands
snmp-serverhost
ThiscommandspecifiestherecipientofanSNMPnotification.Usethenoform
toremovethespecifiedhost.
Syntax
snmp-serverhost<host_ip_address|host_name><community-string>
nosnmp-serverhost
host_ip_address- IPofthehost(thetargetedrecipient).
host_name- Nameofthehost.(Range:1-20characters)
community-string- Password-likecommunitystringsentwiththe
notificationoperation.Althoughyoucansetthisstringusingthe
snmp-server hostcommandbyitself,werecommendthat youdefine
thisstringusingthesnmp-server communitycommand priortousing
thesnmp-server hostcommand.(Maximumlength:23characters)
DefaultSetting
HostAddress:None
CommunityString:public
CommandMode
GlobalConfiguration
CommandUsage
Thesnmp-server hostcommandisusedinconjunctionwiththesnmp-server
enable servercommandtoenableSNMPnotifications.
Example
HP420(config)#snmp-server host 10.1.19.23 batman
HP420(config)#
RelatedCommands
snmp-server enable server(page6-27)
6-28
SNMPCommands
snmp-serverlocation
Thiscommandsetsthesystemlocationstring.Usethenoformtoremovethe
locationstring.
Syntax
snmp-serverlocation<text>
nosnmp-serverlocation
text- Stringthatdescribesthesystemlocation.
DefaultSetting
None
CommandMode
GlobalConfiguration
Example
HP420(config)#snmp-server location WC-19
HP420(config)#
RelatedCommands
snmp-server contact(page6-26)
6-29
Flash/FileCommands
showsnmp
ThiscommanddisplaystheSNMPconfigurationsettings.
CommandMode
Exec
Example
HP420#show snmp
SNMP Information
============================================
Service State : Enable
Community (ro) : *****
Community (rw) : *****
Location : WC-19
Contact : Paul
Traps : Enabled
Host Name/IP : 10.1.19.23
Trap Community : *****
=============================================
HP420#
Flash/FileCommands
Thesecommandsareusedtomanagethesystemcodeorconfigurationfiles.
bootfile Specifiesthefileorimageusedtostartupthesystem Exec 6-31
copy Copiesacodeimageorconfigurationbetweenflash Exec 6-31
memoryandaFTP/TFTPserver
delete Deletesafileorcodeimage Exec 6-33
dir Displaysalistoffilesinflashmemory Exec 6-33
6-30
Flash/FileCommands
bootfile
Thiscommandspecifiesthesoftwareimageusedtostartupthesystem.
Syntax
bootfile<filename>
filename - Nameoftheconfigurationfileorimagename.
DefaultSetting
None
CommandMode
Exec
CommandUsage
Usethedircommandtoseetheeligiblefilenames.
Example
HP420#bootfile hp420-2.bin
HP420#
copy
ThiscommandcopiesabootfileorsoftwareimagefilebetweenanFTP/TFTP
serverandtheaccesspointsflashmemory. Italso allowsyouto uploadacopy
oftheconfigurationfilefromtheaccesspointsflashmemorytoanFTP/TFTP
server.WhenyousavetheconfigurationsettingstoafileonanFTP/TFTP
server,thatfilecanlaterbedownloadedtotheaccesspointtorestoresystem
operation.Thesuccessofthefiletransferdependsontheaccessibilityofthe
FTP/TFTPserverandthequalityofthenetworkconnection.
Syntax
copy<ftp|tftp>file
copyconfig<ftp|tftp>
ftp-Keywordthatallowsyoutocopyto/fromanFTPserver.
tftp- Keywordthatallowsyoutocopyto/fromaTFTPserver.
file- Keywordthatallowsyoutocopyaboot,softwareimage,or
configurationfiletoflashmemory.
config- Keywordthatallowsyoutouploadtheconfigurationfile
fromflashmemory.
6-31
Flash/FileCommands
DefaultSetting
None
CommandMode
Exec
CommandUsage
Thesystempromptsfordatarequiredtocompletethecopy
command.
OnlyaconfigurationfilecanbeuploadedtoanFTP/TFTPserver,but
everytypeoffilecanbedownloadedtotheaccesspoint.
HPrecommendsnotchangingthenameofasoftwareimagefilewhen
downloadinganewsoftwareimage.Thisnamehelpstoquickly
identifythesoftwarerevisionthatthefilecontains.
Duetothesizelimitoftheflashmemory,theaccesspointsupports
onlytwooperationcodefiles.
Theconfigurationfilemustalwaysbenamed"syscfg"priortodown-
loadingittotheaccesspoint.
Example
Thefollowingexampleshowshowtouploadtheconfigurationsettingstoa
fileontheTFTPserver:
HP420#copy config tftp
TFTP Source file name:syscfg
TFTP Server IP:192.168.1.19
HP420#
Thefollowingexampleshowshowtodownloadaconfigurationfile:
HP420#copy tftp file
1. Application image
2. Config file
3. Boot block image
Select the type of download<1,2,3>: [1]:2
HP420#
6-32
Flash/FileCommands
delete
Thiscommanddeletesafileorimage.
Syntax
deletefilename
filename - Nameoftheconfigurationfileorimagename.
DefaultSetting
None
CommandMode
Exec
Ca ut i on Bewareofdeletingapplicationimagesfromflashmemory.Atleastoneappli-
cationimageisrequiredinordertoboottheaccesspoint.Iftherearemultiple
imagefilesinflashmemory,andtheoneusedtoboottheaccesspointis
deleted,besureyoufirstusethebootfilecommandtoupdatetheapplication
imagefilebootedatstartupbeforeyoureboottheaccesspoint.SeeDown-
loadingAccessPointSoftwareonpageA-3formoreinformation.
Example
Thisexampleshowshowtodeletethetest.cfgconfigurationfilefromflash
memory.
HP420#delete test.cfg
Are you sure you wish to delete this file? <y/n>:
HP420#
RelatedCommands
bootfile(page6-31)
dir(page6-33)
dir
Thiscommanddisplaysalistoffilesinflashmemory.
CommandMode
Exec
6-33
-------------------------- --------- -- ----
RADIUSClient
CommandUsage
Fileinformationisshownbelow:
Column Heading Description
FileName Thenameofthefile.
Type (2)OperationCodeand(5)Configurationfile
FileSize Thelengthofthefileinbytes.
Example
Thefollowingexampleshowshowtodisplayallfileinformation:
HP420#dir
File Name Type File Size
dflt-img.bin 2 1044140
syscfg 5 16860
syscfg_bak 5 16860
zz-img.bin 2 1044140
1048576 byte(s) available
HP420#
RADIUSClient
RemoteAuthenticationDial-inUserService(RADIUS)isalogonauthentica-
tionprotocolthatusessoftwarerunningonacentralservertocontrolaccess
forRADIUS-awaredevicestothenetwork.Anauthenticationservercontains
adatabaseofusercredentialsforeachwirelessclientthatrequiresaccessto
thenetwork.RADIUS client configuration is required for the access
point to support MAC authentication and IEEE 802.1x.
radius-server SpecifiestheRADIUSserver GC 6-35
address
radius-serverport SetstheRADIUSservernetworkport GC 6-35
radius-serverkey SetstheRADIUSencryptionkey GC 6-36
6-34
RADIUSClient
Setsthenumberofretries GC 6-36 radius-server
retransmit
radius-server
timeout
Setstheintervalbetweensendingauthentication
requests
GC 6-37
showradius ShowsthecurrentRADIUSsettings Exec 6-38
radius-serveraddress
ThiscommandspecifiestheprimaryandsecondaryRADIUSservers.
Syntax
radius-serveraddress[secondary]<host_ip_address|host_name>
secondary- Secondaryserver.
host_ip_address-IPaddressofserver.
host_name- Hostnameofserver.(Range:1-20characters)
DefaultSetting
None
CommandMode
GlobalConfiguration
Example
HP420(config)#radius-server address 192.168.1.25
HP420(config)#
radius-serverport
ThiscommandsetstheRADIUSservernetworkport.
Syntax
radius-server[secondary]port<port_number>
port_number - RADIUSserverUDPportusedforauthentication
messages.(Range:1024-65535)
6-35
RADIUSClient
DefaultSetting
1812
CommandMode
GlobalConfiguration
Example
HP420(config)#radius-server port 49153
HP420(config)#
radius-serverkey
ThiscommandsetstheRADIUSencryptionkey.
Syntax
radius-server[secondary]key<key_string>
key_string - Encryptionkeyusedtoauthenticatelogonaccessfor
client.Donotuseblankspacesinthestring.(Maximumlength:20
characters)
DefaultSetting
DEFAULT
CommandMode
GlobalConfiguration
Example
HP420(config)#radius-server key green
HP420(config)#
radius-serverretransmit
Thiscommandsetsthenumberofretries.
Syntax
radius-server[secondary]retransmit<number_of_retries>
6-36
RADIUSClient
number_of_retries-Numberoftimestheaccesspointwilltryto
authenticatelogonaccessviatheRADIUSserver.(Range:1- 30)
DefaultSetting
3
CommandMode
GlobalConfiguration
Example
HP420(config)#radius-server retransmit 5
HP420(config)#
radius-servertimeout
Thiscommandsetstheintervalbetweentransmittingauthenticationrequests
totheRADIUSserver.
Syntax
radius-server[secondary]timeout<number_of_seconds>
number_of_seconds -Numberofsecondstheaccesspointwaitsfora
replybeforeresendingarequest.(Range:1-60)
DefaultSetting
5
CommandMode
GlobalConfiguration
Example
HP420(config)#radius-server timeout 10
HP420(config)#
6-37
RADIUSClient
showradius
ThiscommanddisplaysthecurrentsettingsfortheRADIUSserver.
DefaultSetting
None
CommandMode
Exec
Example
HP420#show radius
Radius Server Information
========================================
IP : 192.168.1.25
Port : 181
Key : *****
Retransmit : 5
Timeout : 10
========================================
Radius Secondary Server Information
========================================
IP : 0.0.0.0
Port : 1812
Key : *****
Retransmit : 3
Timeout : 5
========================================
HP420#
6-38
802.1xPortAuthentication
TheaccesspointsupportsIEEE802.1x(802.1x)accesscontrolforwireless
clients.Thiscontrolfeaturepreventsunauthorizedaccesstothenetworkby
requiringan802.1xclientapplicationtosubmitusercredentialsforauthenti-
cation.ClientauthenticationisthenverifiedbyaRADIUSserverusingEAP
(ExtensibleAuthenticationProtocol)beforetheaccesspointgrantsclient
accesstothenetwork.The802.1xEAPpacketsarealsousedtopassdynamic
unicastsessionkeysandstaticbroadcastkeystowirelessclients.
802.1x Configures802.1xasdisabled,supported,orrequired GC 6-40
802.1xbroadcast- Setstheintervalatwhichtheprimarybroadcastkeys GC 6-41
key-refresh-rate arerefreshedforstationsusing802.1xdynamickeying
802.1xsession- Setstheintervalatwhichunicastsessionkeysare GC 6-41
key-refresh-rate refreshedforassociatedstationsusingdynamickeying
802.1xsession- Setsthetimeoutafterwhichaconnectedclientmust GC 6-42
timeout bere-authenticated
addressfilter Setsfilteringtoallowordenylistedaddresses GC 6-43
default
addressfilterentry EntersaMACaddressinthefiltertable GC 6-43
addressfilter RemovesaMACaddressfromthefiltertable GC 6-44
delete
mac- Setsaddressfilteringtobeperformedwithlocalor GC 6-45
authentication remoteoptions
server
mac- Setstheintervalatwhichassociatedclientswillbere- GC 6-45
authentication authenticatedwiththeRADIUSserverauthentication
session-timeout database
show Showsall802.1xauthenticationsettings,aswellasthe Exec 6-46
authentication addressfiltertable
6-39
802.1x
Thiscommandconfigures802.1xasoptionallysupportedorasrequiredfor
wirelessclients.Usethenoformtodisable802.1xsupport.
Syntax
802.1x<supported|required>
no802.1x
supported- Authenticatesclientsthatinitiatethe802.1xauthentica-
tionprocess.Usesstandard802.11authenticationforallothers.
required- Requires802.1xauthenticationforallclients.
DefaultSetting
Disabled
CommandMode
GlobalConfiguration
CommandUsage
When802.1xisdisabled,theaccesspointdoesnotsupport802.1x
authenticationforanystation.Aftersuccessful802.11association,
eachclientisallowedtoaccessthenetwork.
When802.1xissupported,theaccesspointsupports802.1xauthen-
ticationonlyforclientsinitiatingthe802.1xauthenticationprocess.
Theaccesspointdoes NOTinitiate802.1xauthentication. For stations
initiating802.1x,onlythosestationssuccessfullyauthenticatedare
allowedtoaccessthenetwork.Forthosestationsnotinitiating
802.1x,accesstothenetworkisallowedaftersuccessful802.11
association.
When802.1xisrequired,theaccesspointenforces802.1xauthentica-
tionforall802.11associatedstations.If802.1xauthenticationisnot
initiatedbythestation,theaccesspointwillinitiateauthentication.
Onlythosestationssuccessfullyauthenticatedwith802.1xare
allowedtoaccessthenetwork.
802.1xdoesnotapplytotheEthernetinterface.
Example
HP420(config)#802.1x supported
HP420(config)#
6-40
802.1xbroadcast-key-refresh-rate
Thiscommandsetstheintervalatwhichthebroadcastkeysarerefreshedfor
stationsusing802.1xdynamickeying.
Syntax
802.1xbroadcast-key-refresh-rate<rate>
rate-Theintervalatwhichtheaccesspointrotatesbroadcastkeys.
(Range:0- 1440minutes)
DefaultSetting
0(Disabled)
CommandMode
GlobalConfiguration
CommandUsage
TheaccesspointusesEAPOL(ExtensibleAuthenticationProtocol
OverLANs)packetstopassdynamicunicastsessionandbroadcast
keystowirelessclients.The802.1x broadcast-key-refresh-rate
commandspecifiestheintervalafterwhichthebroadcastkeysare
changed.The802.1x session-key-refresh-ratecommandspecifiesthe
intervalafterwhichunicastsessionkeysarechanged.
Dynamicbroadcastkeyrotationallowstheaccesspointtogenerate
arandomgroupkeyandperiodicallyupdateallkey-management
capablewirelessclients.
Example
HP420(config)#802.1x broadcast-key-refresh-rate 5
HP420(config)#
802.1xsession-key-refresh-rate
Thiscommandsetstheintervalatwhichunicastsessionkeysarerefreshed
forassociatedstationsusingdynamickeying.
Syntax
802.1xsession-key-refresh-rate<rate>
rate- Theintervalatwhichtheaccesspointrefreshesasessionkey.
(Range:0- 1440minutes)
6-41
DefaultSetting
0(Disabled)
CommandMode
GlobalConfiguration
CommandUsage
Sessionkeysareuniquetoeachclient,andareusedtoauthenticatea
clientconnection,andcorrelatetrafficpassingbetweenaspecificclient
andtheaccesspoint.
Example
HP420(config)#802.1x session-key-refresh-rate 5
HP420(config)#
802.1xsession-timeout
Thiscommandsetsthetimeperiodafterwhichaconnectedclientmustbere-
authenticated.
Syntax
802.1xsession-timeout<seconds>
seconds- Thenumberofseconds.(Range:0-65535)
Default
0(Disabled)
CommandMode
GlobalConfiguration
Example
HP420(config)#802.1x session-timeout 300
HP420(config)#
6-42
addressfilterdefault
ThiscommandsetsfilteringtoallowordenylistedMACaddresses.
Syntax
addressfilterdefault<allowed|denied>
allowed- OnlyMACaddressesenteredasdeniedintheaddress
filteringtablearedenied.
denied- OnlyMACaddressesenteredasallowedintheaddress
filteringtableareallowed.
Default
allowed
CommandMode
GlobalConfiguration
Example
HP420(config)#address filter default denied
HP420(config)#
RelatedCommands
address filter entry(page6-43)
show authentication(page6-46)
addressfilterentry
ThiscommandentersaMACaddressinthefiltertable.
Syntax
addressfilterentry<mac-address><allowed|denied>
mac-address - Physicaladdressofclient.Entersixpairsofhexadec-
imaldigitsseparatedbyhyphens,e.g.,00-90-D1-12-AB-89.
allowed-Entryisallowedaccess.
denied- Entryisdeniedaccess.
Default
None
6-43
CommandMode
GlobalConfiguration
CommandMode
Theaccesspointsupportsupto1024MACaddresses.
Anentryintheaddresstablemaybeallowedordeniedaccess
depending ontheglobalsettingconfiguredfortheaddress filter default
command.
Example
HP420(config)#address filter entry 00-70-50-cc-99-1a allowed
HP420(config)#
RelatedCommands
address filter default(page6-43)
addressfilterdelete
ThiscommanddeletesaMACaddressfromthefiltertable.
Syntax
addressfilterdelete<mac-address>
mac-address - Physicaladdressofclient.Entersixpairsofhexadec-
imaldigitsseparatedbyhyphens.
Default
None
CommandMode
GlobalConfiguration
Example
HP420(config)#address filter delete 00-70-50-cc-99-1b
HP420(config)#
RelatedCommands
6-44
mac-authenticationserver
Thiscommandsetsaddressfilteringtobeperformedwithlocalorremote
options.UsethenoformtodisableMACaddressauthentication.
Syntax
mac-authenticationserver[local|remote]
local- AuthenticatetheMACaddressofwirelessclientswiththe
localauthenticationdatabaseduring802.11association.
remote- AuthenticatetheMACaddressofwirelessclientswiththe
RADIUSserver.
Default
local
CommandMode
GlobalConfiguration
Example
HP420(config)#mac-authentication server remote
HP420(config)#
RelatedCommands
address filter entry(page6-43)
radius-server address(page6-35)
mac-authenticationsession-timeout
Thiscommandsetstheintervalatwhichassociatedclientswillbere-authen-
ticatedwiththeRADIUSserverauthenticationdatabase.Usethenoformto
disablereauthentication.
Syntax
mac-authenticationsession-timeout<seconds>
seconds - Re-authenticationinterval.(Range:0-65535)
Default
0(disabled)
6-45
-----------------
CommandMode
GlobalConfiguration
Example
HP420(config)#mac-authentication session-timeout 1
HP420(config)#
showauthentication
ThiscommandshowsallMACaddressand802.1xauthenticationsettings,as
wellastheMACaddressfiltertable.
CommandMode
Exec
Example
=========================================================
MAC Authentication Server : REMOTE
802.1x : SUPPORTED
Filter Table
MAC Address Status
----------
00-70-50-cc-99-1a DENIED
00-70-50-cc-99-1b ALLOWED
=========================================================
HP420(config)#
6-46
FilteringCommands
FilteringCommands
Thecommandsdescribedinthissectionareusedtofiltercommunications
betweenwirelessclients,controlaccesstothemanagementinterfacefrom
wirelessclients,andfiltertrafficusingspecificEthernetprotocoltypes.
filterlocal-bridge
filterap-manage
filterethernet-type
enable
filterethernet-type
protocol
showfilters
Disablescommunicationbetweenwirelessclients GC 6-47
Preventswirelessclientsfromaccessingthe GC 6-48
managementinterface
CheckstheEthernettypeforallincomingandoutgoing GC 6-48
Ethernetpacketsagainsttheprotocolfilteringtable
SetsafilterforaspecificEthernettype GC 6-49
Showsthefilterconfiguration Exec 6-50
filterlocal-bridge
Thiscommanddisablescommunicationbetweenwirelessclients.Usetheno
formtodisablethisfiltering.
Syntax
filterlocal-bridge
nofilterlocal-bridge
Default
Disabled
CommandMode
GlobalConfiguration
CommandUsage
Thiscommandcandisablewireless-to-wirelesscommunicationsbetween
clientsviatheaccesspoint.However,itdoesnotaffectcommunications
betweenwirelessclientsandthewirednetwork.
6-47
FilteringCommands
Example
HP420(config)#filter local-bridge
HP420(config)#
filterap-manage
Thiscommandpreventswirelessclientsfromaccessingthemanagement
interfaceontheaccesspoint.Usethenoformtodisablethisfiltering.
Syntax
filterap-manage
nofilterap-manage
Default
Disabled
CommandMode
GlobalConfiguration
Example
HP420(config)#filter ap-manage
HP420(config)#
filterethernet-typeenable
ThiscommandcheckstheEthernettypeonallincomingandoutgoing
Ethernetpacketsagainsttheprotocolfilteringtable.Usethenoformtodisable
thisfeature.
Syntax
filterethernet-typeenable
nofilterethernet-typeenable
Default
Disabled
CommandMode
GlobalConfiguration
6-48
FilteringCommands
CommandUsage
Thiscommandisusedinconjunctionwiththefilter ethernet-type protocol
commandtodeterminewhichEthernetprotocoltypesaretobefiltered.
Example
HP420(config)#filter ethernet-type enable
HP420(config)#
RelatedCommands
filter ethernet-type protocol(page6-49)
filterethernet-typeprotocol
ThiscommandsetsafilterforaspecificEthernettype.Usethenoformto
disablefilteringforaspecificEthernettype.
Syntax
filterethernet-typeprotocol<protocol>
nofilterethernet-typeprotocol<protocol>
protocol -AnEthernetprotocoltype.
Aironet-DDP
Appletalk-ARP
ARP
Banyan
Berkeley-Trailer-Neg
CDP
DEC-LAT
DEC-MOP
DEC-MOP-Dump-Load
DEC-XNS
EAPOL
Enet-Config-Test
Ethertalk
IP
LAN-Test
NetBEUI
Novell-IPX(new)
Novell-IPX(old)
RARP
Telxon-TXP
X25-Level-3
6-49
---------------------------------------------------------
FilteringCommands
Default
None
CommandMode
GlobalConfiguration
CommandUsage
Usethefilter ethernet-type enable commandtoenablefilteringforEthernet
typesspecifiedinthefilteringtable,ortheno filter ethernet-type enable
commandtodisableallfilteringbasedonthefilteringtable.
Example
HP420(config)#filter ethernet-type protocol ARP
HP420(config)#
RelatedCommands
filter ethernet-type enable(page6-48)
showfilters
Thiscommandshowsthefilteroptionsandprotocolentriesinthefiltertable.
CommandMode
Exec
Example
TheexamplebelowshowsARPframesfilteredindicatingitsEthernet
protocolID(0x0806).
HP420#show filters
Protocol Filter Information
=========================================================
Local Bridge :ENABLED
AP Management :ENABLED
Ethernet Type Filter :ENABLED
Enabled Protocol Filters
Protocol: ARP ISO: 0x0806
=========================================================
HP420#
6-50
InterfaceCommands
InterfaceCommands
Thecommandsdescribedinthissectionconfigureconnectionparametersfor
theEthernetinterfaceandwirelessinterface.
General Interface
interface
Ethernet Interface
dnsprimary-server
dnssecondary-server
ipaddress
ipdhcp
shutdown
speed-duplex
showinterfaceethernet
Wireless Interface
radio-mode
description
closed-system
speed
channel
ssid
beacon-interval
dtim-period
fragmentation-length
Entersspecifiedinterfaceconfigurationmode GC 6-53
Specifiestheprimarynameserver IC-E 6-53
Specifiesthesecondarynameserver IC-E 6-53
SetstheIPaddressfortheEthernetinterface IC-E 6-54
SubmitsaDHCPrequestforanIPaddress IC-E 6-55
DisablestheEthernetinterface IC-E 6-56
Configuresspeedandduplexoperation IC-E 6-57
ShowsthestatusfortheEthernetinterface Exec 6-57
Setstheradioworkingmode IC-W 6-58
Addsadescriptiontothewirelessinterface IC-W 6-59
Closesaccesstoclientswithoutapre- IC-W 6-59
configuredSSID
Configuresthemaximumdatarateatwhicha IC-W 6-60
stationcanconnecttotheaccesspoint
Configurestheradiochannel IC-W 6-61
Configurestheservicesetidentifier IC-W 6-62
Configurestherateatwhichbeaconsignals IC-W 6-62
aretransmittedfromtheaccesspoint
Configurestherateatwhichstationsinsleep IC-W 6-63
modemustwakeuptoreceivebroadcast/
multicasttransmissions
Configurestheminimumpacketsizethatcan IC-W 6-64
befragmented
6-51
InterfaceCommands
rts-threshold SetsthepacketsizethresholdatwhichanRTS IC-W 6-65
mustbesenttothereceivingstationpriortothe
sendingstationstartingcommunications
authentication Definesthe802.11authenticationtypeallowed IC-W 6-66
bytheaccesspoint
encryption DefineswhetherornotWEPencryptionisused IC-W 6-67
toprovideprivacyforwireless
communications
key SetsthekeysusedforWEPencryption IC-W 6-68
transmit-key Setstheindexofthekeytobeusedfor IC-W 6-69
encryptingdataframessentbetweenthe
accesspointandwirelessclients
transmit-power Adjuststhepoweroftheradiosignals IC-W 6-70
transmittedfromtheaccesspoint
max-association Configuresthemaximumnumberofclientsthat IC-W 6-70
canbeassociatedwiththeaccesspointatthe
sametime
multicast-cipher Definesthecipheralgorithmusedfor IC-W 6-71
multicasting
wpa-clients DefineswhetherWPAisrequiredoroptionally IC-W 6-72
supportedforclientstations
wpa-mode Specifiesdynamickeysorapre-sharedkey IC-W 6-73
wpa-preshared-key DefinesaWPApre-sharedkeyvalue IC-W 6-74
wpa-psk-type Definesthetypeofthepre-sharedkey IC-W ???
shutdown Disablesthewirelessinterface IC-W 6-75
showinterface Showsthestatusforthewirelessinterface Exec 6-75
wirelessg
showstation Showsthewirelessclientsassociatedwiththe Exec 6-77
accesspoint
6-52
InterfaceCommands
interface
Thiscommandconfiguresaninterfacetypeandentersinterfaceconfiguration
mode.
Syntax
interface<ethernet|wirelessg>
ethernet- Interfaceforwirednetwork.
wirelessg- Interfaceforwirelessclients.
DefaultSetting
None
CommandMode
GlobalConfiguration
Example
Tospecifythe10/100Base-TXnetworkinterface,enterthefollowing
command:
HP420(if-ethernet)#
dnsserver
Thiscommandspecifiestheaddressfortheprimaryorsecondarydomain
nameservertobeusedforname-to-addressresolution.
Syntax
dnsprimary-server<server-address>
dnssecondary-server<server-address>
primary-server- Primaryserverusedfornameresolution.
secondary-server-Secondaryserverusedfornameresolution.
server-address - IPaddressofdomain-nameserver.
DefaultSetting
None
CommandMode
GlobalConfiguration
6-53
InterfaceCommands
CommandUsage
Theprimaryandsecondarynameserversarequeriedinsequence.
Example
Thisexamplespecifiestwodomain-nameservers.
HP420(if-ethernet)#dns secondary-server 10.1.0.55
HP420(if-ethernet)#
RelatedCommands
show interface ethernet(page6-57)
ipaddress
ThiscommandsetstheIPaddressforthe(10/100Base-TX)Ethernetinterface.
UsethenoformtorestorethedefaultIPaddress.
Syntax
ipaddress<ip-address><netmask><gateway>
noipaddress
ip-address-IPaddress
netmask-NetworkmaskfortheassociatedIPsubnet.Thismask
identifiesthehostaddressbitsusedforroutingtospecificsubnets.
gateway - IPaddressofthedefaultgateway
DefaultSetting
IPaddress:192.168.1.1
Netmask:255.255.255.0
CommandMode
InterfaceConfiguration(Ethernet)
CommandUsage
DHCPisenabledbydefault.TomanuallyconfigureanewIPaddress,
youmustfirstdisabletheDHCPclientwiththeno ip dhcpcommand.
YoumustassignanIPaddresstothisdevicetogainmanagement
accessoverthenetworkortoconnecttoexistingIPsubnets.Youcan
manuallyconfigureaspecificIPaddressusingthiscommand,or
directthedevicetoobtainanaddressfromaDHCPserverusingthe
6-54
InterfaceCommands
ip dhcpcommand.ValidIPaddressesconsistoffournumbers,0to
255,separatedbyperiods.Anythingotherthanthisformatwillnotbe
acceptedbytheconfigurationprogram.
Example
192.168.1.253
HP420(if-ethernet)#
RelatedCommands
ip dhcp(page6-55)
ipdhcp
ThiscommandenablestheDHCPclientfortheaccesspoint.Usethenoform
todisabletheDHCPclient.
Syntax
ipdhcp
noipdhcp
DefaultSetting
Enabled
CommandMode
CommandUsage
YoumustassignanIPaddresstothisdevicetogainmanagement
accessoverthenetworkortoconnecttoexistingIPsubnets.Youcan
manuallyconfigureaspecificIPaddressusingtheip address
command,ordirectthedevicetoobtainanaddressfromaDHCP
serverusingthiscommand.
Whenyouusethiscommand,theaccesspointwillbeginbroadcasting
DHCPclientrequests. ThecurrentIPaddress(i.e., default ormanually
configuredaddress)willcontinuetobeeffectiveuntilaDHCPreply
isreceived.Requestswillbebroadcastperiodicallybythisdevicein
anefforttolearnitsIPaddress.(DHCPvaluescanincludetheIP
address,subnetmask,anddefaultgateway.)
6-55
InterfaceCommands
Example
HP420(if-ethernet)#ip dhcp
HP420(if-ethernet)#
RelatedCommands
ip address(page6-54)
shutdown
This commanddisables theEthernetinterface.Torestartadisabled interface,
usethenoform.
Syntax
shutdown
noshutdown
DefaultSetting
Interfaceenabled
CommandMode
CommandUsage
ThiscommandallowsyoutodisabletheEthernetinterfacedueto
abnormalbehavior(e.g.,excessivecollisions),andre-enableitafterthe
problemhasbeenresolved.YoumayalsowanttodisabletheEthernet
interfaceforsecurityreasons.
Example
ThefollowingexampledisablestheEthernetinterface.
HP420(if-ethernet)#shutdown
HP420(if-ethernet)#
6-56
InterfaceCommands
speed-duplex
ThiscommandconfiguresthespeedandduplexmodeoftheEthernetinter-
facewhenauto-negotiationisdisabled.Usethenoformtorestorethedefault.
Syntax
speed-duplex<auto|10MH|10MF|100MH|100MF>
auto- autonegotiatethespeedandduplexmode
10MH-Forces10Mbps,half-duplexoperation
10MF-Forces10Mbps,full-duplexoperation
100MH-Forces100Mbps,half-duplexoperation
100MF-Forces100Mbps,full-duplexoperation
DefaultSetting
Auto-negotiationisenabledbydefault.
CommandMode
CommandUsage
Ifauto-negotiationisdisabled,thespeedandduplexmodemustbe
configuredtomatchthesettingoftheattacheddevice.
Example
ThefollowingexampleconfigurestheEthernetinterfaceto100Mbps,half-
duplexoperation.
HP420(if-ethernet)#speed-duplex 100mh
HP420(if-ethernet)#
showinterfaceethernet
ThiscommanddisplaysthestatusfortheEthernetinterface.
Syntax
showinterface[ethernet]
DefaultSetting
Ethernetinterface
6-57
InterfaceCommands
CommandMode
Exec
Example
========================================
IP Address : 192.168.1.1
Subnet Mask : 255.255.255.0
Primary DNS : 192.168.1.55
Speed-duplex : 100Base-TX Half Duplex
Admin status : Up
========================================
HP420#
radio-mode
Thiscommandsetstheworkingmodeforthewirelessinterface.
Syntax
radio-mode<b|g|b+g>
b- b-onlymode:Both802.11band802.11gclientscancommunicate
withtheaccesspoint,but802.11gclientscanonlytransferdataat
802.11bstandardrates(upto11Mbps).
g- g-onlymode:Only802.11gclientscancommunicatewiththeaccess
point.
b+g- b&gmixedmode:Both802.11band802.11gclientscancommu-
nicatewiththeaccesspoint.
DefaultSetting
b&gmixedmode
CommandMode
InterfaceConfiguration(Wireless)
Example
HP420(if-wireless g)#radio-mode g
6-58
InterfaceCommands
description
Thiscommandaddsadescriptiontothewirelessinterface.Usethenoform
toremovethedescription.Thewirelessinterfacedescriptionisdisplayed
whenusingtheshow interface wireless gcommandfromtheExeclevel.
Syntax
description<string>
nodescription
string- Commentoradescriptionforthisinterface.
(Range:1-80characters)
DefaultSetting
Enterprise802.11gAccessPoint
CommandMode
Example
HP420(if-wireless g)#description RD-AP#3
closed-system
Thiscommand closes accesstoclientswithout a pre-configuredSSID.Usethe
no formtodisablethisfeature.
Syntax
closed-system
noclosed-system
DefaultSetting
Disabled
CommandMode
6-59
InterfaceCommands
CommandUsage
Whenclosedsystemisenabled,theaccesspointwillnotincludeitsSSID
inbeaconmessages.Norwillitrespondtoproberequestsfromclients
thatdonotincludeafixedSSID.
Example
HP420(if-wireless g)#closed-system
speed
Thiscommandconfiguresthemaximumdatarateatwhichastationcan
connecttotheaccesspoint.
Syntax
speed<speed>
speed-Maximumaccessspeedallowedforwirelessclients.
(Options:1,2,5.5,6,9,11,12,18,24,36,48,54Mbps)
DefaultSetting
54Mbps
CommandMode
CommandUsage
Themaximumtransmissiondistanceisaffectedbythedatarate.The
lowerthedatarate,thelongerthetransmissiondistance.
Example
HP420(if-wireless g)#speed 6
6-60
InterfaceCommands
channel
Thiscommandconfigurestheradiochannelthroughwhichtheaccesspoint
communicateswithwirelessclients.
Syntax
channel<channel|auto>
channel -Manuallysetstheradiochannelusedforcommunications
withwirelessclients.
J8130A:Therangeischannels1to11
J8131A:Therangeischannels1to14dependingonthecountry
setting
auto-Automaticallyselectsanunoccupiedchannel(ifavailable).
Otherwise,thelowestchannelisselected.
DefaultSetting
Automaticchannelselection
CommandMode
CommandUsage
Theavailablechannelsettingsarelimitedbylocalregulations,which
determinethenumberofchannelsthatareavailable.
Whenmultipleaccesspointsaredeployedinthesamearea,besure
tochoose achannelseparatedby atleast fivechannelstoavoidhaving
thechannelsinterferewitheachother.Youcandeployuptothree
accesspointsinthesamearea(e.g.,channels1,6,11).
Formostwirelessadapters,thechannelforwirelessclientsisauto-
maticallysettothesameasthatusedbytheaccesspointtowhichit
islinked.
Example
HP420(if-wireless g)#channel 1
6-61
InterfaceCommands
ssid
ThiscommandconfigurestheServiceSetIDentifier(SSID).
Syntax
ssid<string>
string-Thenameofabasicservicesetsupportedbytheaccesspoint.
(Range:1- 32characters)
DefaultSetting
EnterpriseWirelessAP
CommandMode
CommandUsage
Clientsthatwanttoconnecttothenetworkviatheaccesspointmustset
theirSSIDstothesameasthatoftheaccesspoint.
Example
HP420(if-wireless g)#ssid RD-AP#3
beacon-interval
Thiscommandconfigurestherateatwhichbeaconsignalsaretransmitted
fromtheaccesspoint.
Syntax
beacon-interval<interval>
interval - Theratefortransmittingbeaconsignals.
(Range:20-1000milliseconds)
DefaultSetting
100
CommandMode
6-62
InterfaceCommands
CommandUsage
Thebeaconsignalsallowwirelessclientstomaintaincontactwiththe
accesspoint.Theymayalsocarrypower-managementinformation.
Example
HP420(if-wireless g)#beacon-interval 150
dtim-period
Thiscommandconfigurestherateatwhichstationsinsleepmodemustwake
uptoreceivebroadcast/multicasttransmissions.
Syntax
dtim-period<interval>
interval- Intervalbetweenthebeaconframesthattransmitbroadcast
ormulticasttraffic.(Range:1-255beaconframes)
DefaultSetting
2
CommandMode
CommandUsage
TheDeliveryTrafficIndicationMap(DTIM)packetintervalvalue
indicateshowoftentheMAClayerforwardsbroadcast/multicast
traffic.Thisparameterisnecessarytowakeupstationsthatareusing
PowerSavemode.
TheDTIMistheintervalbetweentwosynchronousframeswith
broadcast/multicastinformation. Thedefaultvalue of2indicatesthat
theaccesspointwillsave allbroadcast/multicast framesfortheBasic
ServiceSet(BSS)andforwardthemaftereverysecondbeacon.
UsingsmallerDTIMintervalsdeliversbroadcast/multicastframesin
amoretimelymanner,causingstationsinPowerSavemodetowake
upmoreoftenanddrainpowerfaster.UsinghigherDTIMvalues
reducesthepowerusedbystationsinPowerSavemode,butdelays
thetransmissionofbroadcast/multicastframes.
6-63
InterfaceCommands
Example
HP420(if-wireless g)#dtim-period 100
fragmentation-length
Thiscommandconfigurestheminimumpacketsizethatcanbefragmented
whenpassingthroughtheaccesspoint.
Syntax
fragmentation-length<length>
length-Minimumpacketsizeforwhichfragmentationisallowed.
(Range:256-2346bytes)
DefaultSetting
2346
CommandMode
CommandUsage
Ifthepacketsizeissmallerthanthepresetfragmentsize,thepacket
willnotbefragmented.
FragmentationofthePDUs(PackageDataUnit)canincreasethe
reliabilityoftransmissionsbecauseitincreasestheprobabilityofa
successfultransmissionduetosmallerframesize.Ifthereissignifi-
cantinterferencepresent,orcollisionsduetohighnetworkutiliza-
tion,trysettingthefragmentsizetosendsmallerfragments.Thiswill
speeduptheretransmissionofsmallerframes.However,itismore
efficienttosetthefragmentsizelargerifverylittleornointerference
ispresentbecauseitrequiresoverheadtosendmultipleframes.
Example
HP420(if-wireless g)#fragmentation-length 512
6-64
InterfaceCommands
rts-threshold
ThiscommandsetsthepacketsizethresholdatwhichaRequest toSend(RTS)
signal must besent tothe receiving stationpriortothesendingstationstarting
communications.
Syntax
rts-threshold<threshold>
threshold-ThresholdpacketsizeforwhichtosendanRTS.
(Range:0-2347bytes)
DefaultSetting
2347
CommandMode
CommandUsage
Ifthethresholdissetto0,theaccesspointneversendsRTSsignals.
Ifsetto2347,theaccesspointalwayssendsRTSsignals.Ifsettoany
othervalue,andthepacketsizeequalsorexceedstheRTSthreshold,
theRTS/CTS(RequesttoSend/CleartoSend)mechanismwillbe
enabled.
TheaccesspointsendsRTSframestoareceivingstationtonegotiate
thesendingofadataframe.AfterreceivinganRTSframe,thestation
sendsaCTSframetonotifythesendingstationthatitcanstart
sendingdata.
Accesspointscontendingforthewirelessmediummaynotbeaware
ofeachother.TheRTS/CTSmechanismcansolvethisHiddenNode
problem.
Example
HP420(if-wireless g)#rts-threshold 256
6-65
InterfaceCommands
authentication
This commanddefinesthe802.11authenticationtypeusedbytheaccesspoint.
Syntax
open-Acceptstheclient without verifying itsidentityusingashared
key.
shared- Authenticationisbasedonasharedkeythathasbeen
distributedtoallstations.
DefaultSetting
open
CommandMode
CommandUsage
SharedkeyauthenticationcanonlybeusedwhenWEPisenabled
withtheencryptioncommand,andatleastonestaticWEPkeyhas
beendefinedwiththekeycommand.
WhenusingWPAor802.1xforauthenticationanddynamickeying,
theaccesspointmustbesettoopen.
Example
HP420(if-wireless g)#authentication shared
RelatedCommands
encryption(page6-67)
key(page6-68)
6-66
InterfaceCommands
encryption
ThiscommanddefineswhetherornotWEPencryptionisusedtoprovide
privacyforwirelesscommunications.Usethenoformtodisableencryption.
Syntax
encryption<key-length>
noencryption
key-length- Sizeofencryptionkey.(Options:64,128,or152bits)
DefaultSetting
disabled
CommandMode
CommandUsage
WiredEquivalentPrivacy(WEP)isimplementedinthisdeviceto
preventunauthorizedaccesstoyourwirelessnetwork.Formore
securedatatransmissions,enableWEPwiththiscommand,andset
atleastonestaticWEPkeywiththekeycommand.
TheWEPsettingsmustbethesameoneachclientinyourwireless
network.
NotethatWEPprotectsdatatransmittedbetweenwirelessnodes,but
doesnotprotectanytransmissionsoveryourwirednetworkorover
theInternet.
Example
HP420(if-wireless g)#encryption 128
RelatedCommands
key(page6-68)
6-67
InterfaceCommands
key
ThiscommandsetsthekeysusedforWEPencryption.Usethenoformto
deleteaconfiguredkey.
Syntax
key<index><size><type><value>
nokey<index>
index- Keyindex.(Range:1-4)
size- Keysize.(Options:64,128,or152bits)
type-Inputformat.(Options:ASCII,HEX)
value-Thekeystring.
For64-bitkeys,use5alphanumericcharactersor10hexadec-
imaldigits.
For128-bitkeys,use13alphanumericcharactersor26hexa-
decimaldigits.
For152-bitkeys,use16alphanumericcharactersor32hexa-
decimaldigits.
DefaultSetting
None
CommandMode
CommandUsage
ToenableWiredEquivalentPrivacy(WEP),usetheauthentication
commandtoselectthesharedkeyauthenticationtype,usethe
encryptioncommandtospecifythekeylength,andusethekey
commandtoconfigureatleastonekey.
IfWEPisenabled,allwirelessclientsmustbeconfiguredwiththe
samesharedkeystocommunicatewiththeaccesspoint.
Example
HP420(if-wireless g)#key 1 64 hex 1234512345
HP420(if-wireless g)#key 2 128 ascii asdeipadjsipd
HP420(if-wireless g)#key 3 64 hex 12345123451234512345123456
6-68
InterfaceCommands
RelatedCommands
authentication(page6-66)
key(page6-68)
transmit-key
Thiscommandsetstheindexofthekeytobeusedforencryptingdataframes
broadcastormulticastfromtheaccesspointtowirelessclients.
Syntax
transmit-key<index>
index- Keyindex.(Range:1-4)
DefaultSetting
1
CommandMode
CommandUsage
IfyouuseWEPkeyencryption,theaccesspointusesthetransmit
keytoencryptmulticastandbroadcastdatasignalsthatitsendsto
clientdevices.Otherkeyscanbeusedfordecryptionofdatafrom
clients.
WhenusingIEEE802.1x,theaccesspointusesadynamicWEPkey
toencryptunicast,broadcast,andmulticastmessagesto802.1x-
enabledclients.However,becausetheaccesspointsendstheWEP
keysduringthe802.1xauthenticationprocess,thesekeysdonot
havetoappearintheclientsWEPkeylist.
Example
HP420(if-wireless g)#transmit-key 2
6-69
InterfaceCommands
transmit-power
Thiscommandadjuststhepoweroftheradiosignalstransmittedfromthe
accesspoint.
Syntax
transmit-power<signal-strength>
signal-strength-Signalstrengthtransmittedfromtheaccesspoint.
(Options:full,half,quarter,eighth,min)
DefaultSetting
full
CommandMode
CommandUsage
Theminkeywordindicatesminimumpower.
Thelongerthetransmissiondistance,thehigherthetransmission
powerrequired.
Example
HP420(if-wireless g)#transmit-power half
max-association
Thiscommandconfiguresthemaximumnumberofclientsthatcanbeasso-
ciatedwiththeaccesspointatthesametime.
Syntax
max-association<count>
count - Maximumnumberofassociatedstations.(Range:0-64)
DefaultSetting
64
CommandMode
6-70
InterfaceCommands
Example
HP420(if-wireless g)#max-association 32
multicast-cipher
Thiscommanddefinesthecipheralgorithmusedforbroadcastingandmulti-
castingwhenusingWi-FiProtectedAccess(WPA)security.
Syntax
multicast-cipher<AES|TKIP|WEP>
AES- AdvancedEncryptionStandard
TKIP- TemporalKeyIntegrityProtocol
WEP-WiredEquivalentPrivacy
DefaultSetting
WEP
CommandMode
CommandUsage
WPAenablestheaccesspointtosupportdifferentunicastencryption
keysforeachclient.However,theglobalencryptionkeyformulticast
andbroadcasttrafficmustbethesameforallclients.Thiscommand
setstheencryptiontypethatissupportedbyallclients.
IfanyclientssupportedbytheaccesspointarenotWPAenabled,the
multicast-cipheralgorithmmustbesettoWEP.
WEPisthefirstgenerationsecurityprotocolusedtoencryptdata
crossingthewirelessmediumusingafairlyshortkey.Communicating
devicesmustusethesameWEPkeytoencryptanddecryptradio
signals.WEPhasmanysecurityflaws,andisnotrecommendedfor
transmittinghighlysensitivedata.
TKIPprovidesdataencryptionenhancementsincludingper-packet
keyhashing(i.e.,changingtheencryptionkeyoneachpacket),a
messageintegritycheck,anextendedinitializationvectorwith
sequencingrules,andare-keyingmechanism.
TKIPdefendsagainstattacksonWEPinwhichtheunencrypted
initialization vectorinencryptedpacketsis usedtocalculatetheWEP
key. TKIPchangestheencryptionkeyon eachpacket,and rotatesnot
6-71
InterfaceCommands
justtheunicastkeys,butthebroadcastkeysaswell.TKIPisa
replacementforWEPthatremovesthepredictabilitythatintruders
reliedontodeterminetheWEPkey.
AEShasbeendesignatedbytheNationalInstituteofStandardsand
TechnologyasthesuccessortotheDataEncryptionStandard(DES)
encryptionalgorithm,andwillbeusedbytheU.S.governmentfor
encryptingallsensitive,nonclassifiedinformation.Becauseofits
strength,andresistancetoattack,AESisalsobeingincorporatedas
partofthe802.11standard.
Example
HP420(if-wireless g)#multicast-cipher TKIP
wpa-clients
ThiscommanddefineswhetherWi-FiProtectedAccess(WPA)isrequiredor
optionallysupportedforclientstations.
Syntax
wpa-clients<required|supported>
required-SupportsonlyclientsusingWPA.
supported- SupportclientswithorwithoutWPA.
DefaultSetting
supported
CommandMode
CommandUsage
Wi-FiProtectedAccess(WPA)providesimproveddata encryption,which
wasweakinWEP,anduserauthentication,whichwaslargelymissingin
WEP.WPAusesthefollowingsecuritymechanisms.
EnhancedDataEncryptionthroughTKIP
WPAusesTemporalKeyIntegrityProtocol(TKIP).TKIPprovidesdata
encryptionenhancementsincludingper-packetkeyhashing(i.e.,
changingtheencryptionkeyoneachpacket),amessageintegritycheck,
anextendedinitializationvectorwithsequencingrules,andare-keying
mechanism.
6-72
InterfaceCommands
Enterprise-levelUserAuthenticationvia802.1xandEAP
Tostrengthenuserauthentication,WPAuses802.1xandtheExtensible
AuthenticationProtocol(EAP).Usedtogether,theseprotocolsprovide
stronguserauthenticationviaacentralRADIUSauthenticationserver
thatauthenticateseachuseronthenetworkbeforetheyjoinit.WPAalso
employsmutualauthenticationtopreventawirelessclientfromacci-
dentallyjoiningaroguenetwork.
Example
HP420(if-wireless g)#wpa-client required
RelatedCommands
wpa-mode(page6-73)
wpa-mode
ThiscommandspecifieswhetherWi-FiProtectedAccess(WPA)istouse
802.1xauthenticationanddynamickeyingorapre-sharedkey.
Syntax
wpa-mode<dynamic|pre-shared-key>
dynamic- WPAwith802.1xauthenticationanddynamickeys.
pre-shared-key- WPAwithapre-sharedkey.
DefaultSetting
dynamic
CommandMode
CommandUsage
WhentheWPAmodeissettodynamic,clientsareauthenticatedusing
802.1xviaaRADIUSserver.EachclienthastobeWPA-enabledor
support802.1xclientsoftware.ARADIUSservermustalsobeconfig-
uredandbeavailableinthewirednetwork.
In thedynamicmode,keysaregeneratedforeachwirelessclient
associatingwiththeaccesspoint.Thesekeysareregeneratedperiod-
ically,andalsoeachtimethewirelessclientisre-authenticated.
6-73
InterfaceCommands
WhentheWPAmodeissettopre-shared-key,thekeymustfirstbe
generatedanddistributedtoallwirelessclientsbeforetheycan
successfullyassociatewiththeaccesspoint.
Example
HP420(if-wireless g)#wpa-mode pre-shared-key
RelatedCommands
wpa-clients(page6-72)
wpa-preshared-key(page6-74)
wpa-preshared-key
ThiscommanddefinesaWi-FiProtectedAccess(WPA)pre-sharedkey.
Syntax
wpa-preshared-key<type><value>
type-Inputformat.(Options:ASCII,HEX)
value-Thekeystring.
ForASCIIinput,typeastringbetween8and63alphanumeric
characters.
ForHEXinput,typeexactly64hexadecimaldigits.
CommandMode
CommandUsage
TosupportWi-FiProtectedAccess(WPA)forclientauthentication,
usethewpa-clientscommandtospecifythatWPAisrequired,usethe
wpa-mode commandtospecifythepre-sharedkeymode,andusethis
commandtoconfigureonestatickey.
IfWPAisusedinpre-sharedkeymode,allwirelessclientsmustbe
configuredwiththesamepre-sharedkeytocommunicatewiththe
accesspoint.
Example
HP420(if-wireless g)#wpa-preshared-key ASCII agoodsecret
6-74
InterfaceCommands
RelatedCommands
wpa-clients(page6-72)
wpa-mode(page6-73)
shutdown
Thiscommanddisablesthewirelessinterface.Usethenoformtoenablethe
interface.
Syntax
shutdown
noshutdown
DefaultSetting
Interfaceenabled
CommandMode
Example
HP420(if-wireless g)#shutdown
showinterfacewirelessg
Thiscommanddisplaysthestatusforthewirelessinterface.
CommandMode
Exec
6-75
InterfaceCommands
Example
===========================================================
----------------Identification-----------------------------
Radio mode : 802.11b + 802.11g
Channel : 11 (AUTO)
Status : Enabled
----------------802.11 Parameters--------------------------
Transmit Power : FULL (14 dBm)
----------------Security-----------------------------------
WPA mode : Pre-shared key
WPA clients : REQUIRED
Authentication Type : SHARED
Encryption : 64-BIT ENCRYPTION
WEP Key Data Type : Alphanumeric
Static Keys :
Key 1: ***** Key 2: ***** Key 3: ***** Key 4: *****
===========================================================
HP420#
6-76
IAPPCommand
showstation
Thiscommandshowsthewirelessclientsassociatedwiththeaccesspoint.
The"StationAddress"displayedistheclientsMACaddress.
CommandMode
Exec
Example
HP420#show station
802.11g Station Table
Station Address : 00-04-E2-41-C2-9D
Authenticated : TRUE
Associated : TRUE
Forwarding Allowed : TRUE
HP420#
IAPPCommand
Thecommanddescribedinthissectionenablestheprotocolsignaling
requiredtoensurethesuccessfulhandoverofwirelessclientsroaming
betweendifferentIEEE802.11f-compliantaccesspoints.TheIEEE802.11f
protocolcanensuresuccessfulroamingbetweenaccesspointsinamulti-
vendorenvironment.
iapp
Thiscommandenablestheprotocolsignalingrequiredtohandoverwireless
clientsroamingbetweendifferent802.11f-compliantaccesspoints.Usetheno
formtodisable802.11fsignaling.
Syntax
iapp
noiapp
Default
Enabled
CommandMode
GlobalConfiguration
6-77
VLANCommands
CommandUsage
Thecurrent802.11standarddoesnotspecifythesignalingrequired
betweenaccesspointsinordertosupportclientsroamingfromone
accesspointtoanother. Inparticular,thiscan createaproblemforclients
roamingbetweenaccesspointsfromdifferentvendors.Thiscommandis
usedtoenableordisable802.11fhandoversignalingbetweendifferent
accesspoints,especiallyinamulti-vendorenvironment.
Example
HP420(config)#iapp
HP420(config)#
VLANCommands
TheaccesspointcanenablethesupportofVLAN-taggedtrafficpassing
betweenwirelessclientsandthewirednetwork.Upto64VLANIDscanbe
mappedtospecificwirelessclients,allowinguserstoremainwithinthesame
VLANastheymovearoundacampussite.
WhenVLANisenabledontheaccesspoint,aVLANID(anumberbetween1
and4095)canbeassignedtoeachclientaftersuccessfulauthenticationusing
IEEE802.1xandacentralRADIUSserver.TheuserVLANIDsmustbe
configuredontheRADIUSserverforeachuserauthorizedtoaccessthe
network.IfauserdoesnothaveaconfiguredVLANID,theaccesspoint
assignstheusertoitsownconfigurednativeVLANID.
Not e WhenVLANsareenabled,theaccesspointsEthernetinterfacedropsall
receivedtrafficthatdoesnotincludeaVLANtag.Tomaintainnetwork
connectivitytotheaccesspointandwirelessclients,besurethattheaccess
pointisconnectedtoadeviceportthatsupportsIEEE802.1QVLANtags.
TheVLANcommandssupportedbytheaccesspointarelistedbelow.
vlanenable EnablesVLAN-tagsupportforalltraffic GC 6-79
native-vlanid ConfiguresthenativeVLANfortheaccesspoint GC 6-79
6-78
VLANCommands
vlan
ThiscommandenablesVLAN-tagsupportforalltraffic.Usethenoformto
disableVLANs.
Syntax
vlanenable
novlan
Default
Disabled
CommandMode
GlobalConfiguration
Example
HP420(config)#vlan enable
native-vlanid
ThiscommandconfiguresthenativeVLANIDfortheaccesspoint.
Syntax
native-vlanid<vlan-id>
vlan-id- NativeVLANID.(Range:1-64)
DefaultSetting
1
CommandMode
GlobalConfiguration
CommandUsage
WhenVLANsareenabledontheaccesspoint,aVLANID(anumber
between1and4095)canbeassignedtoeachclientaftersuccessful
authenticationusingIEEE802.1xandacentralRADIUSserver.Ifauser
doesnothaveaconfiguredVLANID,theaccesspointassignstheuserto
itsownconfigurednativeVLANID(anumberbetween1and64).
6-79
VLANCommands
Example
HP420(config)#native-vlanid 3
HP420(config)#
6-80
A
FileTransfers
Contents
Overview .................................................... A-2
DownloadingAccessPointSoftware........................... A-3
GeneralSwitch SoftwareDownloadRules ..................... A-3
UsingTFTPorFTPToDownloadSoftwarefromaServer ........ A-3
Web:TFTP/FTPSoftwareDownloadtotheAccessPoint ..... A-4
CLI:TFTP/FTPSoftwareDownloadtotheAccessPoint ...... A-6
UsingtheWebInterfaceToDownloadSoftwareFromtheLocal
Computer ................................................. A-6
TransferringConfigurationFiles.............................. A-8
A-1
File Transfers
Overview
Overview
Youcandownloadnewaccesspointsoftwareanduploadordownloadcon-
figurationfiles.Thesefeaturesareusefulforacquiringperiodicaccesspoint
softwareupgradesandforstoringorretrievingaswitchconfiguration.
Thisappendixincludesthefollowinginformation:
Downloadingaccesspointsoftware(pageA-3)
Transferringaccesspointconfigurations(pageA-8)
A-2
File Transfers
DownloadingAccessPointSoftware
HPperiodicallyprovidesaccesspointsoftwareupdatesthroughtheHP
ProCurvewebsite(http://www.hp.com/go/hpprocurve).Formoreinformation,
seethesupport andwarrantybooklet shippedwiththeaccesspoint.Afteryou
acquireanewaccesspointsoftwarefile,youcanuseoneofthefollowing
methodsfordownloadingthesoftwarecodetotheaccesspoint.
GeneralSwitchSoftwareDownloadRules
Afteranaccesspointsoftwaredownload,youmustreboottheaccesspoint
toimplementthenewlydownloadedcode.Untilarebootoccurs,theaccess
pointcontinuestorunonthesoftwareitwasusingbeforethedownload
started.
Not e Downloadingnewsoftwaredoesnotchangethecurrentaccesspointconfig-
uration.Theaccesspointconfigurationiscontainedinseparatefilesthatcan
alsobetransferred.
Theaccesspointstorestwosoftwarefilesinitsflashmemory.Onehasafile
namesuchashp420-2022.bin,whichisthecurrentversionofsoftwarethe
accesspointruns.Thecurrentsoftwarefileisoverwrittenwhennewcodeis
downloadedtotheaccesspoint.Theothersoftwarefile,calleddflt-img.bin,
containsadefaultversionoftheaccesspointcodethatisusedifthecurrent
softwarefileisdeletedorfails.Thedflt-img.binfilecannotbedeletedfromthe
systemoroverwritten.
UsingTFTPorFTPToDownloadSoftwarefroma
Server
Thisprocedureassumesthat:
AsoftwarefilefortheaccesspointhasbeenstoredonaTFTPorFTP
serveraccessibletotheaccesspoint.(Theaccesspointsoftwarefileis
typicallyavailablefromtheHP ProCurvewebsiteathttp://www.hp.com/go/
hpprocurve.)
Theaccesspointisproperlyconnectedtoyournetworkandhasalready
beenconfiguredwithacompatibleIPaddressandsubnetmask.
TheTFTPorFTPserverisaccessibletotheaccesspointthroughIP.
A-3
File Transfers
Beforeyouusetheprocedure,dothefollowing:
ObtaintheIPaddressofthe TFTPorFTPserveronwhichthe accesspoint
softwarefilehasbeenstored.
IfVLANsareconfiguredontheaccesspoint,determinethenameofthe
VLANinwhichtheTFTPorFTPserverisoperating.
DeterminethenameoftheaccesspointsoftwarefilestoredintheTFTP
orFTPserverfortheaccesspoint(forexample,hp420-2022.bin).
Not e IfyourTFTPorFTPserverisaUnixworkstation,ensurethatthecase(upper
orlower)thatyouspecify forthefilenameis thesamecaseasthecharacters
intheaccesspointsoftwarefilenamesontheserver.
Web:TFTP/FTPSoftwareDownloadtotheAccessPoint
TheSoftware UpgradewindowontheAdministrationtabenablestheaccess
pointssystemfirmwaretobeupgradedbydownloadinganewfiletothe
accesspointsflashmemory.Thenewcodefilemustbestoredremotelyonan
FTPorTFTPserver.
Not e Duetothesizelimitoftheflashmemory,theaccesspointcanstoreonlytwo
softwarecodefiles.
SoftwareUpgradeRemote:Downloadsanoperationcodeimagefile
fromaspecifiedremoteFTPorTFTPserver.Thesuccessofthefile
transferdependsontheaccessibilityoftheFTPorTFTPserverandthe
qualityofthenetworkconnection.
Newsoftwarefile:Specifiesthenameofthecodefileontheserver.
Thenewsoftwarefilenameshouldnotcontainslashes(\or/),the
leadingletterofthefilenameshouldnotbeaperiod(.),andthe
maximumlengthforfilenamesontheFTP/TFTPserveris255char-
actersor32charactersfor fileson theaccesspoint.(Valid characters:
A-Z,a-z,0-9,.,-,_)
IPAddress:TheIPaddressorhostnameoftheFTPorTFTPserver.
Username:TheuserIDusedforloginonanFTPserver.
Password:ThepasswordusedforloginonanFTPserver.
RestoreFactorySettings:ClicktheRestorebuttontoresettheaccess
pointsconfigurationsettingstothefactorydefaultsandrebootthe
system.
ResetAccessPoint:ClicktheResetbuttontorebootthesystem.
A-4
File Transfers
ToDownloadNewCodeUsingFTPorTFTP:
2. Clickthe[Software Upgrade]button.
3. UnderSoftware Upgrade Remote,selectFTPorTFTP fortheserveryouare
using.
4. InthetextfieldNew Software File,specifythefilenameofthesoftware
codeontheFTPorTFTPserver.
5. InthetextfieldIP Address,specifytheIPaddressoftheFTPorTFTP
server.
6. IfusinganFTPserver,specifytheusernameandpassword,ifrequired.
7. Clickthe[Start Upgrade]button.
8. Whenthedownloadiscomplete,restarttheaccesspointbyclickingon
the[Reboot]button.Alternatively,youcanresettheaccesspointdefaults
andrebootthesystembyclickingonthe[Reset]button.Resettingthe
accesspointishighlyrecommended.
Figure A-1. Remote Software Upgrade
A-5
-------------------------- --------- -- ----
File Transfers
CLI:TFTP/FTPSoftwareDownloadtotheAccessPoint
copy <ftp | tftp> file page6-31
dir page6-33
reset <board | configuration> page6-6
Thefollowingexampleshowshowtodownloadnewcodetotheaccesspoint
usingaTFTPserver.Afterdownloadingthesoftwarefile,youmustrebootthe
accesspoint.
2. Config file
3. Boot block image
TFTP Source file name:hp420-2022.bin
HP420#dir
File Name Type File Size
dflt-img.bin 2 1325119
hp420-2022.bin 2 1325119
syscfg 5 17004
syscfg_bak 5 17004
262144 byte(s) available
HP420#reset board
UsingtheWebInterfaceToDownloadSoftwareFrom
theLocalComputer
Thisprocedureassumesthat:
Asoftwarefilefortheaccesspointhasbeen storedonthelocal computer.
(Theaccesspointsoftwarefileistypically availablefromtheHPProCurve
websiteathttp://www.hp.com/go/hpprocurve.)
A-6
File Transfers
Theaccesspointisproperlyconnectedtoyournetworkandhasalready
beenconfiguredwithacompatibleIPaddressandsubnetmask.
Beforeyouusetheprocedure,dothefollowing:
Storeorlocatetheaccesspointsoftwarefileonthelocalcomputer(for
example,hp420-2022.bin).
TheSoftware UpgradewindowontheAdministrationtabenablestheaccess
pointssystemfirmwaretobeupgradedbydownloadinganewfiletothe
accesspointsflashmemory.Thenewcodefilemustbestoredlocallyona
managementstationusingtheaccesspointswebinterface.
SoftwareUpgradeLocal:Downloadsanoperationcodeimagefilefrom
thewebmanagementstationtotheaccesspointusingHTTP.Usethe
Browsebuttontolocatetheimagefilelocallyonthemanagementstation
andclickStartUpgradetoproceed.
Thenewsoftwarefilenameshouldnotcontainslashes(\or/),theleading
letterofthefilenameshouldnotbeaperiod(.),andthemaximumlength
forfilesontheaccesspointis32characters.(Validcharacters:A-Z,a-z,
0-9,.,-,_)
RestoreFactorySettings:ClicktheRestorebuttontoresettheaccess
pointsconfigurationsettingstothefactorydefaultsandrebootthe
system.
ResetAccessPoint:ClicktheResetbuttontorebootthesystem.
ToDownloadNewCode:
2. Clickthe[Software Upgrade]button.
3. UnderSoftware Upgrade Local,inthetextfieldNew Software File,specify
thepathandfilenameofthesoftwarecodeonthelocalcomputer.You
canusethe[Browse]buttontofindthefile.
4. Clickthe[Start Upgrade]button.
5. Whenthedownloadiscomplete,restarttheaccesspointbyclickingon
the[Reboot]button.Alternatively,youcanresettheaccesspointdefaults
andrebootthesystembyclickingonthe[Reset]button.
A-7
File Transfers
TransferringConfigurationFiles
Figure A-2. Local Software Upgrade
copy config <ftp | tftp> page6-31
copy <ftp | tftp> file page6-31
dir page6-33
reset <board | configuration> page6-6
UsingtheCLIcommandsdescribedinthissection,youcancopyaccesspoint
configurationfilestoandfromanFTPorTFTPserver.Transferringconfigu-
rationfilesisnotavailableusingthewebinterface.
Whenyou copytheaccesspointconfigurationfileto anFTP/TFTPserver,that
filecanlaterbedownloadedtotheaccesspointtorestorethesystemconfig-
uration.Thesuccessofthefiletransferdependsontheaccessibilityofthe
FTP/TFTPserverandthequalityofthenetworkconnection.
A-8
File Transfers
ThefollowingexampleshowshowtouploadtheconfigurationfiletoaTFTP
server.
HP420#copy config tftp
HP420#
Thefollowingexampleshowshowtodownloadaconfigurationfiletothe
accesspointusingaTFTPserver.Afterdownloadingtheconfigurationfile,
youmustreboottheaccesspoint.
2. Config file
3. Boot block image
HP420#
A-9
File Transfers
A-10
Index
Numerics
802.1xauthentication5-45,6-39
A
addressfiltering5-46
AdvancedEncryptionStandard5-47
AES5-47
authenticationusingMACaddresses5-53
B
beaconinterval5-38
ChangePasswordWindow4-7
cipheralgorithms6-71
closedsystem6-59
communitystring6-25
ComplementaryCodeKeying5-37
configuration
downloadA-3
configurationsettings,savingorrestoring6-31
CountryCode,setting5-41
D
DHCP5-11,6-54,6-55
DNSname4-4
DomainNameServer4-4
download,TFTPA-3
downloadingsoftware6-31
DTIM5-38
F
firmware
displayingversion6-24
upgrading6-31
framefiltering5-32
H
hardwareversion,displaying6-24
HPwebbrowserinterface2-4
I
IAPP6-77
IEEE802.11f6-77
IEEE802.1x6-39
IP
DHCP5-9
usingforwebbrowserinterface4-4
IPaddress
DHCP6-54,6-55
setting6-54,6-55
L
logging
tosyslogservers6-15
logonauthentication
RADIUSclient6-34
RADIUSserver6-34
lostpassword4-9
M
management
interfacesdescribed2-2
managementfilter6-47
managerpassword4-8
N
networkaccesscontrol5-45
O
OpenSystem5-61
operatorpassword4-8
OrthogonalFrequencyDivisionMultiplexing5-37
OSdownload
usingTFTPA-3
Index1
C
P
password4-7,4-8
administratorsetting6-12
creating4-7
delete4-9
ifyoulosethepassword4-9
lost4-9
setting4-7
port
status4-18
utilization4-18
portauthentication6-39
ports
duplexmode6-57
speed6-57
pre-sharedkey,WPA5-47
Q
quickstart1-6
R
radiochannelselection5-38
RADIUSserversetup5-28
RADIUS,logonauthentication6-34
Resetbutton4-9
restartingthesystem6-6
roaming6-77
RTSthreshold5-39
S
security
802.1x5-45
MACfiltering5-46
ofaccesspoint4-9
WEP5-45
wireless5-45
WPA5-46
serialport
configuring6-8
ServiceSetIdentification5-5
setupscreen1-6
sharedkeys,WEP5-63
SimpleNetworkTimeProtocol5-21
SNMP
communitystring6-25
enablingtraps6-27
trapmanager6-28
SNTP5-21
software
displayingversion6-24
downloading6-31
SSID5-5
startupfiles
creating6-31
setting6-31
status,port4-18
switchsoftware
SeeOS.
Sysloglogging5-17
systemsoftware,downloadingfromserver6-31
T
TFTP
OSdownloadA-3
timezone,setting5-21
TKIPencryption5-46
transmitpower5-38
trapmanager6-28
U
upgradingsoftware6-31
username,usingforbrowserorconsole
access4-7
userpassword6-12,6-13
utilization,port4-18
V
VLAN
OSdownloadA-4
VLANtagsupport6-78
W
webagentenabled4-7
webagent,
advantages2-4
webbrowserinterface
accessparameters4-7
disableaccess4-7
enabling4-4
2Index
features2-4
first-timetasks4-7
mainscreen4-5,4-17,4-19,4-20
overview4-5,4-17,4-19,4-20
Overviewwindow4-5,4-17,4-19,4-20
passwordlost4-9
password,setting4-7
screenelements4-5,4-17
security4-7
standalone4-4
statusbar4-21
systemrequirements4-4
WEP5-45
Wi-FiProtectedAccess5-46
WiredEquivalentPrivacy5-45
workingmode,setting5-37,6-58
Index3

HP Ap420

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

HP Ap420

Hochgeladen von

Copyright:

Verfügbare Formate

HPProCurve

Das könnte Ihnen auch gefallen