
Colubris Networks

Configuration Guide

Release 4.1 (February 2006)

43-10-0000-00

Copyright 2006 Colubris Networks, Inc. All rights reserved, including those to
reproduce this document or parts thereof in any form without written permission from
Colubris Networks, Inc.
Colubris is a registered trademark, and the Colubris Networks logo, the tag line The
Intelligent Wireless Networking Choice, InReach, InMotion, InCharge, and TriPlane are
trademarks of Colubris Networks, Inc., in the United States and other countries.
All other product and brand names are the service marks, trademarks, registered
trademarks, or registered service marks of their respective owners.
Changes are periodically made to the information herein; these changes will be
incorporated into new editions of the document.
You can download the most up-to-date product information from the Colubris Networks
website. Go to www.colubris.com and on the homepage at left select Support >
Product Registration.
Colubris Networks, Inc.
200 West Street Ste 300
Waltham, Massachusetts 02451-1121
UNITED STATES
Phone: +1 781 684 0001
Fax: +1 781 684 0009
Sales Information: sales@colubris.com
Customer Support: support@colubris.com
Training: training@colubris.com
http://www.colubris.com

Contents

Chapter 1: Introduction
    About this guide
    Software compatibility matrix
    Typographical conventions
    Warnings, cautions, and notes
    Related documents

Chapter 2: Management
    In this chapter
    Management Tool overview
        Management station
        Administrator account
        Security
    Validating administrator logins using a RADIUS server
    Remote management
        How it works
        Configuration road map

Chapter 3: Public access deployment
    In this chapter
    Scenario 1a: Hotspot with Internet access (local mode)
        How it works
        Configuration road map
    Scenario 1b: Hotspot with custom interface (local mode)
        How it works
        Configuration road map
    Scenario 1c: Hotspot with satellites and roaming (local mode)
        How it works
        Configuration road map
    Scenario 1d: Hotspot with layer 2 security (local mode)
        How it works
        Configuration road map
    Scenario 2a: Hotspot with Internet access (AAA server)
        How it works
        Configuration road map
    Scenario 2b: Hotspot with custom interface (AAA server)
        How it works
        Configuration road map
    Scenario 2c: Hotspot with satellites and roaming (AAA server)
        How it works
        Configuration road map
    Scenario 2d: Hotspot with layer 2 security (AAA server)
        How it works
        Configuration road map
    Scenario 2e: Using dual radios to support A+B+G traffic
        How it works
        Configuration road map
    Scenario 3: Shared hotspot for public and private traffic
        How it works
        Configuration road map
    Scenario 4: Delivering custom HTML pages using VLANs (AAA server)
        How it works
        Configuration road map
    Scenario 5: Custom HTML pages on each MAP (local mode)
        How it works
        Configuration road map

Chapter 4: Enterprise deployment
    In this chapter
    Scenario 1: Adding secure wireless networking
        How it works
        Configuration road map
    Scenario 2a: Integrating wireless networking with authentication
        How it works
        Configuration road map
    Scenario 2b: Using multiple wireless profiles and QoS
        How it works
        Configuration road map
    Scenario 2c: Supporting wireless phones
        How it works
        Configure the VSC
    Scenario 3: Adding wireless networking to a segmented network
        How it works
        Configuration road map
    Scenario 4: Roaming across different subnets (single MSC)
        How it works
        Configuration road map
    Scenario 5: Roaming across different subnets (multiple MSCs)
        How it works
        Configuration road map
    Scenario 6: Access-controlled VSCs and roaming
        How it works
        Configuration road map

Chapter 5: WDS scenarios
    In this chapter
    Wireless bridging considerations
        Single or dual radios?
        Using 802.1a for WDS
    Scenario 1: Using RF extension to expand a wired network
        How it works
        Configuration road map
    Scenario 2: Deploying a point-to-point wireless link
        How it works
        Configuration road map (single radio)
        Configuration road map (dual radios)
    Scenario 3: Setting up multi-hop wireless links
        How it works
        Configuration road map

Chapter 6: More from Colubris
    Colubris.com
        For registered customers
        For Annual Maintenance Support Program customers
    Information by telephone and e-mail

Chapter 1: Introduction

In this chapter you can find an explanation of the conventions used in
this guide and an overview of its contents. For information on using
different software revisions in your Colubris subnetwork, see the
Software compatibility matrix later in this chapter.

About this guide


This guide contains a number of detailed scenarios for using Colubris Networks
MultiService Access Points (MAPs) and MultiService Controllers (MSCs) in a wide
range of applications.
Although detailed configuration steps are provided with each scenario, the guide does
not cover the basic procedures for operating and configuring Colubris Networks devices.
This information can be found in the Administrator's Guide for each device. (For a list,
see Related documents.) You should be familiar with this information before attempting to use the
scenarios in this guide.
The scenarios are grouped according to functionality as follows:

Chapter 2: Management
- Management Tool overview
- Validating administrator logins using a RADIUS server
- Remote management

Chapter 3: Public access deployment
- Scenario 1a: Hotspot with Internet access (local mode)
- Scenario 1b: Hotspot with custom interface (local mode)
- Scenario 1c: Hotspot with satellites and roaming (local mode)
- Scenario 1d: Hotspot with layer 2 security (local mode)
- Scenario 2a: Hotspot with Internet access (AAA server)
- Scenario 2b: Hotspot with custom interface (AAA server)
- Scenario 2c: Hotspot with satellites and roaming (AAA server)
- Scenario 2d: Hotspot with layer 2 security (AAA server)
- Scenario 2e: Using dual radios to support A+B+G traffic
- Scenario 3: Shared hotspot for public and private traffic
- Scenario 4: Delivering custom HTML pages using VLANs (AAA server)
- Scenario 5: Custom HTML pages on each MAP (local mode)

Chapter 4: Enterprise deployment
- Scenario 1: Adding secure wireless networking
- Scenario 2a: Integrating wireless networking with authentication
- Scenario 2b: Using multiple wireless profiles and QoS
- Scenario 2c: Supporting wireless phones
- Scenario 3: Adding wireless networking to a segmented network
- Scenario 4: Roaming across different subnets (single MSC)
- Scenario 5: Roaming across different subnets (multiple MSCs)
- Scenario 6: Access-controlled VSCs and roaming

Chapter 5: WDS scenarios
- Wireless bridging considerations
- Scenario 1: Using RF extension to expand a wired network
- Scenario 2: Deploying a point-to-point wireless link
- Scenario 3: Setting up multi-hop wireless links

Software compatibility matrix


As part of the Colubris Intelligent MultiService System (CIMS), InCharge MultiService
Controllers (MSCs) and MGW-3500 MultiService Gateways must be configured with
compatible InReach MultiService Access Points and Colubris Networks wireless
client bridges.
Following is a software release compatibility matrix that shows you which software
versions can be mixed in your CIMS. In general, MSCs and MGWs support access point
products that are at the same software release or one software release behind.
Note: If you upgrade your Colubris Networks access controller products to the 4.1.0
release, all managed access points must be at either 4.1.0 or 3.1.x. Stand-alone access
points can run any firmware version. However, Colubris strongly recommends that you
deploy the same firmware release for all access points in your network.

Supported software versions on Colubris access points and client bridges, listed by
access controller and the software version that the controller runs:

| Colubris access controller | Supported software version on access controller | WAP-200 | MAP-320 (a) | MAP-330 (b) | MAP-330 Sensor (c) | WCB-200 (c) |
|---|---|---|---|---|---|---|
| MSC-3200 (d), MSC-3300 (e), MGW-3500 | 2.4.x | Not supported | 2.4.x | 2.4.x | N/A | N/A |
| MSC-3200 (d), MSC-3300 (e), MGW-3500 | 3.1.x | 3.1.x | 3.1.x, 2.4.x | 3.1.x, 2.4.x | N/A | N/A |
| MSC-3200 (d), MSC-3300 (e), MGW-3500 | 4.1.x | 4.1.x, 3.1.x | 4.1.x, 3.1.x | 4.1.x, 3.1.x | N/A | N/A |
| MSC-5200, MSC-5500 | 3.1.x | 3.1.x | 3.1.x, 2.4.x | 3.1.x, 2.4.x | N/A | N/A |
| MSC-5200, MSC-5500 | 4.1.x | 4.1.x, 3.1.x | 4.1.x, 3.1.x | 4.1.x, 3.1.x | N/A | N/A |
| MSC-5200/MSC-5500 plus COS Services Pack (f) | 4.1.x | N/A | 4.1 only | 4.1 only | N/A | N/A |

a. Includes product variants MAP-320R and MAP-320S.
b. Includes ruggedized product variant MAP-330R.
c. MAP-330 Sensors and WCB-200 wireless client bridges do not interact with an MSC or MGW and can be
used in these networks at any supported software version.
d. Includes ruggedized product variant MSC-3200R.
e. Includes ruggedized product variant MSC-3300R.
f. In order to use the mobility services features in 4.1.0 (including both Layer 2 fast and secure
authentication and Layer 3 mobility), you must upgrade associated MAPs to the 4.1.0 release.

Typographical conventions
The following table gives the typographical conventions used in Colubris Networks
technical documentation.

Example
    Description

Network > Ports
    When referring to the Management Tool web interface, items in bold
    identify menu commands or input fields. Submenus are indicated by the
    > sign. The example refers to the Ports submenu, which is found under
    the Network menu.

ip_address
    Items in italics identify parameters for which you must supply a value.

use-access-list=usename
    Monospaced text identifies command-line output, program listings, or
    commands that you enter into configuration files or profiles.

ssl-certificate=URL [ %s ]
    Square brackets identify optional arguments. That is, you can decide
    whether to enter the argument. Do not enter the brackets.

[ ONE | TWO ]
    A vertical line indicates mutually-exclusive choices. That is, you can
    specify only one item.

{ ONE | TWO }
    Curly brackets group required arguments.

Note: The Management Tool web interface is an element management system that is
distinct from the Colubris Networks InCharge network management system, CNMS.

Warnings, cautions, and notes


The following table explains some of the special symbols used in Colubris Networks
technical documentation.

Lead
    Description

Warning!
    Warnings provide information that you must follow to avoid risk of
    physical injury.

Caution!
    Cautions provide information that you must follow to avoid
    damage to the hardware or software components of the system.

Note:
    Notes provide important information about a procedure or topic.

Related documents
The following documents provide additional information. You can find instructions on
how to download additional documentation on the copyright page.

Document
    Provides you with . . .

Quickstart Guides
    Hardware and startup information for the Colubris Networks
    devices mentioned in this guide.

Administrator Guides
    Hardware and configuration information for the Colubris
    Networks devices mentioned in this guide.

Public Access Administrator Guide
    Detailed discussions on configuring the public access
    interface provided by MSC devices.

Engineering Release Notes
    Specific information about the latest release of Colubris
    Networks firmware, including the newest features, fixes, and
    known issues.

Chapter 2: Management

In this chapter you can find scenarios that illustrate strategies for
managing one or more devices across various network topologies.

In this chapter
This chapter contains the following topics.

- Management Tool overview
- Validating administrator logins using a RADIUS server
- Remote management

Management Tool overview


The Management Tool is a Web-based interface to the MAP/MSC that provides easy
access to all configuration functions.
Note: The Management Tool web interface is an element management system that is
distinct from the Colubris Networks InCharge network management system.

Management station

Management station refers to the computer that an administrator uses to connect to the
Management Tool. To act as a management station, a computer must:
- Have a JavaScript-enabled Web browser installed; that is, Netscape 7.01 or higher, or
  Internet Explorer 6.0 or higher, including all updates
- Be able to establish an IP connection with the MAP/MSC, either through the wireless
  port or LAN ports

Administrator account

Administrator password
Access to the Management Tool is protected by a username and password. The
factory default setting for both is admin. Colubris Networks recommends that you
change both on the Management tool configuration page, which you can access by
selecting Management > Management tool.
Caution! If you forget the administrator password, the only way to gain access to the
Management Tool is to reset the MAP/MSC to factory default settings.

Account policy
To maintain the integrity of configuration settings, only one administrator can be
connected to the Management Tool at a given time. To prevent the Management Tool
from being locked up by an idle administrator, two mechanisms are in place:
- If an administrator's connection to the Management Tool remains idle for more than
  ten minutes, the MAP/MSC automatically logs the administrator out.
- If a second administrator connects to the Management Tool and logs in with the
  correct username and password, the first administrator's session is terminated.
  (Default setting) If required, you can disable this mechanism on the Management
  tool configuration page, which you can access by selecting Management >
  Management tool.

Security

The Management Tool is protected by the following security features:
- HTTPS: Communications between the management station and the MAP/MSC
  occur through HTTPS. Before logging on to the Management Tool, administrators
  must accept a Colubris Networks certificate. You can replace this certificate with your
  own.
- Port blocking: Access to the Management Tool can be explicitly enabled or disabled
  for a variety of interfaces depending on the type of unit. Available options may include:
  wireless port, LAN port, Internet port, VLAN, GRE, or WDS.

Validating administrator logins using a RADIUS server


You can use a RADIUS server to authenticate logins to the Management Tool. One
advantage of this method is that it enables you to create several administrator accounts,
each with its own username and password.
Caution! Ensure that the RADIUS profile you select is configured and that the
administrator account is defined on a functioning RADIUS server. If not, you will not be
able to log back into the MAP because the administrator password cannot be
authenticated.
Use the following steps to configure RADIUS authentication.
1. Create a RADIUS profile to use for administrator authentication:
   - Select Security > RADIUS.
   - Click Add New Profile.
   - Define settings for the RADIUS server that you want to use to validate
     administrator logins.
   - Click Save.
2. Specify this RADIUS profile for administrator authentication:
   - Select Management > Management tool.
   - Under Administrator authentication Authenticate via, select the RADIUS
     profile that you created in the first step.
   - Under Username, enter the login name for the administrator. Default is admin.
   - Under Current password, enter the administrator password. Default is admin.
   - Under New password, enter the new administrator password. New passwords
     must be at least six characters long and contain at least four different characters.
   - Under Confirm new password, retype the new administrator password.
   - As a precaution, you can enable the Try local account if RADIUS is
     unreachable feature to allow access if the RADIUS server is down.
   - Click the Test button to verify that authentication is working.
   - Click Save.

Remote management
This scenario shows you how to set up an MSC to provide remote management of the
MAPs connected to it.

How it works

When a MAP is installed behind an MSC, enabling remote access to its management
tool requires configuration settings to be defined on the MSC and the RADIUS server.
This section explains how to configure remote management for the following two
topologies:

[Figure: network diagrams for Topology A and Topology B. Labels shown: management
station, RADIUS server, VPN server, VPN tunnel, router, MSC, and MAPs on a public
WLAN; networks 192.168.20.0, 192.168.10.0, and 192.168.1.0, with host addresses inside
the VPN tunnel.]

Configuration road map

On the management station

To reach the management tool on the MAPs, the management station must specify the
following addresses in its web browser:

Topology A
- To reach MAP A: HTTPS://192.168.10.1:5002
- To reach MAP B: HTTPS://192.168.10.1:5003

Topology B
- To reach MAP A: HTTPS://192.168.30.2:5002
- To reach MAP B: HTTPS://192.168.30.2:5003

Static NAT mappings are used on the MSC to direct traffic to the proper MAP. MAC
address authentication enables the MAPs to log into the public access network. Access
list definitions allow traffic to be sent from the MSCs to the management stations.

Configure the MSCs

Create static NAT mappings
To direct management traffic to the proper MAP, you need to create static NAT
mappings (on the Network > NAT page) to redirect HTTPS traffic to the new ports you
defined on the MAPs.
- Map traffic on port 5002 to IP address 192.168.1.2 and port 443.
- Map traffic on port 5003 to IP address 192.168.1.3 and port 443.

Configure the RADIUS server

Create an MSC profile
Create a RADIUS profile for the MSC as follows:

MAC address authentication

For the MAP to communicate with the management station, it must log into the public
access network provided by the MSC. To accomplish this, add a MAC address attribute
to the MSC's RADIUS profile for each MAP. This attribute enables the access controller
to authenticate devices (such as the MAPs) based on their MAC address. For example:

    mac-address=address[,username[,password]]

Replace address and username with the MAC address of the MAP. Replace password
with the same password that the MSC uses to communicate with the RADIUS server.

A note about security

Access list
In both topology A and B it makes sense to protect access to the RADIUS server and
management station. This is required because once logged in, public access customers
gain access to all resources connected to the MSC's Internet port.
An access list definition can be used to block all traffic to 192.168.20.0, for topology A,
and 192.168.30.0, for topology B.
However, to enable the MAPs and the management station to communicate, an
additional access list definition must be created as follows:
- Topology A: Create an access list that permits HTTPS traffic to address 192.168.20.4.
  This is the IP address of the management station. For example:

      access-list=320,ACCEPT,tcp,192.168.20.4,443

- Topology B: The list should permit HTTPS traffic to address 192.168.30.3. This is the
  IP address of the management station inside the VPN tunnel.

      access-list=320,ACCEPT,tcp,192.168.30.3,443

Create a MAP profile

Define a RADIUS profile for each MAP. The profile should activate the access list that
was defined in the MSC's RADIUS profile. For example:

    use-access-list=320

Create a user account for each MSC


Define a RADIUS user account for each MSC. Define a unique username and password
for each device.
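
The mac-address, access-list, and use-access-list attributes in this scenario can be checked for consistency before they are entered on the RADIUS server. The following Python script is an added example, not part of the Colubris guide or software; it assumes the five-field access-list layout used in the examples above and a colon- or dash-separated MAC format, and the function names, sample MAC addresses, and password are hypothetical.

```python
import ipaddress
import re

# Constructed sample input: the attribute lines from this section as they
# would appear in the MSC's RADIUS profile and in each MAP's RADIUS profile.
# The MAC addresses and the password are made-up placeholders.
MSC_PROFILE = """\
mac-address=02:00:00:00:00:0a,02:00:00:00:00:0a,example-secret
mac-address=02:00:00:00:00:0b,02:00:00:00:00:0b,example-secret
access-list=320,ACCEPT,tcp,192.168.20.4,443
"""
MAP_PROFILES = {"MAP A": "use-access-list=320", "MAP B": "use-access-list=320"}

# Assumption: a MAC address is 12 hex digits, optionally separated by ':' or '-'.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-]?[0-9A-Fa-f]{2}){5}$")


def parse_profile(text):
    """Return {attribute name: [field list, ...]} for every name=value line."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep:
            fields = [field.strip() for field in value.split(",")]
            attrs.setdefault(name.strip(), []).append(fields)
    return attrs


def audit(msc_profile, map_profiles, mgmt_station):
    """Return a list of findings; an empty list means the profiles match the scenario."""
    findings = []
    msc = parse_profile(msc_profile)
    station = ipaddress.ip_address(mgmt_station)

    # mac-address=address[,username[,password]]: the username repeats the MAC.
    for fields in msc.get("mac-address", []):
        mac = fields[0]
        if not MAC_RE.match(mac):
            findings.append(f"mac-address: '{mac}' is not a MAC address")
        elif len(fields) > 1 and fields[1].lower() != mac.lower():
            findings.append(f"mac-address: username for {mac} is not the MAC")

    # access-list=<list>,<action>,<protocol>,<address>,<port>: the five fields
    # used in the guide's examples. An ACCEPT rule should open only HTTPS to
    # the management station, because the rest of that network stays blocked.
    defined = set()
    for fields in msc.get("access-list", []):
        if len(fields) != 5:
            findings.append(f"access-list: expected 5 fields, got {len(fields)}")
            continue
        name, action, proto, addr, port = fields
        defined.add(name)
        if action.upper() != "ACCEPT":
            continue
        try:
            dest = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"access-list {name}: ACCEPT target '{addr}' is not one host")
            continue
        if dest != station:
            findings.append(f"access-list {name}: ACCEPT to {addr}, not the management station")
        if proto.lower() != "tcp" or port != "443":
            findings.append(f"access-list {name}: ACCEPT {proto}/{port} is not HTTPS (tcp/443)")

    # Each MAP profile must activate a list that the MSC profile defines.
    used = set()
    for label, text in map_profiles.items():
        names = [f[0] for f in parse_profile(text).get("use-access-list", [])]
        if not names:
            findings.append(f"{label}: no use-access-list attribute")
        for name in names:
            used.add(name)
            if name not in defined:
                findings.append(f"{label}: use-access-list={name} is not defined")
    for name in sorted(defined - used):
        findings.append(f"access-list {name}: defined but not activated by any MAP")
    return findings


if __name__ == "__main__":
    for finding in audit(MSC_PROFILE, MAP_PROFILES, "192.168.20.4") or ["no findings"]:
        print(finding)
```

For topology B, pass the management station's address inside the VPN tunnel (192.168.30.3) as the third argument.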


Chapter 3: Public access deployment


In this chapter you can find sample deployment strategies for common
public access scenarios. These scenarios can give you a good idea about
how to approach your installation.

In this chapter
This chapter contains the following scenarios.

- Scenario 1a: Hotspot with Internet access (local mode)
- Scenario 1b: Hotspot with custom interface (local mode)
- Scenario 1c: Hotspot with satellites and roaming (local mode)
- Scenario 1d: Hotspot with layer 2 security (local mode)
- Scenario 2a: Hotspot with Internet access (AAA server)
- Scenario 2b: Hotspot with custom interface (AAA server)
- Scenario 2c: Hotspot with satellites and roaming (AAA server)
- Scenario 2d: Hotspot with layer 2 security (AAA server)
- Scenario 2e: Using dual radios to support A+B+G traffic
- Scenario 3: Shared hotspot for public and private traffic
- Scenario 4: Delivering custom HTML pages using VLANs (AAA server)
- Scenario 5: Custom HTML pages on each MAP (local mode)

Scenario 1a: Hotspot with Internet access (local mode)


This installation shows you how to quickly deploy and test the MSC without installing a
RADIUS server. Instead, customer authentication is handled locally on the MSC.

How it works

In this scenario a single MSC (with radio) is installed to provide a wireless network and
access to the Internet. The MSC is connected to the Internet by way of a broadband
modem, and the Internet connection is protected by the MSC's firewall and NAT features
(which are enabled by default).

[Figure: network diagram for Scenario 1a. Labels: MSC, Internet port, LAN port, LAN, PUBLIC WLAN, subnet 192.168.1.0, stations 1.2 to 1.7.]

A local area network is connected to the MSC's LAN port to support wired customers.
The MSC acts as the DHCP server on both the wireless and wired networks, which are
bridged together on subnet 192.168.1.0.
The MSC is operating in local mode, which means that:
- Customer authentication is handled locally by the MSC and accounts are created on
  the MSC for each customer. There is no support for accounting.
- A RADIUS server is not required to activate the public access interface. Instead, the
  default public access interface resident on the MSC is used by customers to log in and
  manage their sessions.

Configuration road map

Install the MSC


1. Install the MSC as described in its Quickstart guide.
2. Connect the Internet port to a broadband modem and then restart the modem.
3. Connect the LAN port to the local area network.
4. Start the management tool.

Configure the wireless network


By default the MSC is configured to:
- automatically choose the best operating channel (frequency)
- support 802.11b/g clients
- create a wireless network named Colubris Networks
There is no need to change these settings for this scenario.
Note: By default, one radio on the MSC-3300 is used to provide the wireless network
and the other is placed into Monitor mode.

Configure the Internet connection


1. Select Network > Ports > Internet port.
2. Select the addressing option supported by your ISP and click Configure.
3. Define all settings as required by your ISP.

Define the list of users


1. Select Security > Users.
2. Add usernames and passwords for all users/customers.

Test the public access interface


To test your installation, use a wireless client station to log onto the public access
interface. (For this to work, the MSC must be configured as the client's default gateway.
This is done by default if the wireless client is using DHCP.)
1. Start the client station's web browser and enter the IP address (or domain name) of
a web site on the Internet.
2. The MSC should intercept the URL and display the Login page. (Depending on the
type of certificate that is installed on the MSC, you may see a security warning first.)

3. Specify a valid customer name and password to log in.
4. The Session page will open.
5. Next, you are automatically redirected to the web site you originally requested.

Scenario 1b: Hotspot with custom interface (local mode)


This scenario adds custom settings to the default public access interface used in
Scenario 1a.
This installation illustrates how to customize the operation of the public access interface
while running in local mode.

How it works

In this scenario, a web server is used to store custom pages for the public access
interface. The MSC loads these pages each time it is restarted.
There are two ways to deploy this scenario.

Topology 1
In this version, the web server is located on the Internet.

[Figure: Topology 1 network diagram. Labels: Web server, MSC, Internet port, LAN port, LAN, PUBLIC WLAN, subnet 192.168.1.0, addresses 1.1 to 1.7.]

Topology 2
In this version the web server is located on local LAN B. Instead of being directly
connected to the Internet, the MSC is also connected to local LAN B, which provides a
router/firewall to handle the connection to the Internet.

[Figure: Topology 2 network diagram. Labels: Web server, Router/Firewall, LAN A, LAN B, MSC, Internet port, LAN port, PUBLIC WLAN, subnets 192.168.1.0 and 192.168.5.0, addresses 1.1 to 1.7, 5.1 and 5.2.]

In this scenario, the web server is also the DHCP server for LAN B, operating on subnet
192.168.5.0. The MSC's Internet port is set to operate as a DHCP client.

Configuration road map

Important: Start with the configuration defined in Scenario 1a.

Configure the Internet port (Topology 2 only)


1. Select Network > Ports > Internet port.
2. Select DHCP Client and click Save.

Customize the login page and logo


1. Create a folder called newpages on the web server.
2. Create a file called logo.gif that contains your logo and place it in the newpages
folder (recommended size less than 20K). This same image file is shared by all
pages.
3. Download the current QuickSetup.zip file from the Colubris Support website. (Go to
www.colubris.com and on the home page at left select Support > Product
Registration.)

4. Copy the following files from the current QuickSetup.zip file and place them in the
newpages folder.
   - login.html
   - transport.html
   - session.html
   - fail.html
5. Edit login.html to meet the requirements of your site, keeping the following
restrictions in mind:
   - Do not alter the ID tags <!-- Colubris --> & <!-- Custom --> located at the top of
     the page.
   - Do not alter any JavaScript code.
6. Open the Security > Local config page and define the following attributes:
   login-page=web_server_URL/newpages/login.html
   transport-page=web_server_URL/newpages/transport.html
   session-page=web_server_URL/newpages/session.html
   fail-page=web_server_URL/newpages/fail.html
   logo=web_server_URL/newpages/logo.gif

Test the public access interface


To test your installation, use a wireless client station to log onto the public access
interface. (For this to work, the MSC must be configured as the client's default gateway.
This is done by default if the wireless client is using DHCP.)
1. Start the client station's web browser and enter the IP address (or domain name) of
a web site on the Internet.
2. The MSC should intercept the URL and display the modified Login page.
(Depending on the type of certificate that is installed on the MSC, you may see a
security warning first.)
3. To log in, specify a valid customer name and password. The Session page should
open.
4. Next, you are automatically redirected to the web site you originally requested.

Scenario 1c: Hotspot with satellites and roaming (local mode)


This scenario adds multiple MAPs to extend the wireless network in Scenario 1b.
MAP devices can be used to extend the reach of the public access network created by
an InMotion MultiService Controller (MSC).

How it works

In this scenario several MAP devices are connected to an MSC by way of a backbone
LAN to provide multiple wireless cells for a large physical location.
Customers can log into the public access network at any location and can roam
between access points without losing their connection.
By default, each MAP is configured as a DHCP client and obtains its address from the
MSC, which by default is configured as the DHCP server.
Customer authentication is handled locally by the MSC, and accounts are created on
the MSC for each customer. There is no support for accounting.
Note: This scenario can also be created using an MSC with no radio, in which case
wireless cells are only provided by the MAP devices. When using non-radio MSC units,
the DHCP server option must be enabled manually on the MSC.
The following diagrams illustrate how the two topologies described in Scenario 1b can
be modified to support satellites and roaming. In both cases the configuration procedure
is the same.

Topology 1
[Figure: Topology 1 network diagram. Labels: Web server, MSC 1.1, two MAPs, Internet port, LAN port, LAN, three PUBLIC WLAN cells, subnet 192.168.1.0, addresses 1.2 to 1.9.]

Topology 2
[Figure: Topology 2 network diagram. Labels: Web server, Router/Firewall, LAN A, LAN B, MSC, two MAPs, Internet port, LAN port, three PUBLIC WLAN cells, subnets 192.168.1.0 and 192.168.5.0, addresses 1.1 to 1.9, 5.1 and 5.2.]

Configuration road map

Important: Start with the configuration defined in Scenario 1a.

Install the MAPs


1. Install the MAPs as described in the appropriate quickstart guide.
2. Before you connect each unit to the LAN, start the Management Tool and configure
each unit as described in the sections that follow.

Configure the wireless network


By default the MAPs are configured to:
- support 802.11b/g clients
- automatically choose the best operating channel (frequency)
- create a wireless network named Colubris Networks
There is no need to change these settings for this scenario.
Note: All wireless networks must have the same name in order to support roaming.

Set the shared secret on the MSC


1. Select Security > Authentication > Advanced Settings.
2. In the Access controller shared secret box, set Shared secret and Confirm
shared secret to a unique string. For example: xr2t56. This password will be used
by the MAPs to connect to the MSC when they send authentication requests.
3. Click Save.

Configure the connection to the MSC on the MAPs


Each MAP will use the services of the MSC to authenticate customer logins. Do the
following on each MAP.
1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
3. In the General box, select the Use Colubris access controller check box.
4. Click Save.
5. Select Security > Access controller.
6. Set the Access controller shared secret to match the secret set on the MSC.
7. Click Save.
Note: By default the MAP is set up to use the default gateway assigned by DHCP as the
access controller. Do not change this setting.

Scenario 1d: Hotspot with layer 2 security (local mode)


This scenario adds support for WEP and WPA clients to Scenario 1c.
Enabling support for WEP and WPA helps to protect wireless transmissions against
eavesdropping.

How it works

This scenario creates three virtual service communities (VSCs) on each device. Each
VSC provides support for a different security option: WEP, WPA (with preshared key),
and none.
To connect with the wireless network, customers must select the SSID of the VSC that
matches the option that they want to use. Roaming is supported, since the same VSCs
are defined on all access points.
The following diagrams illustrate how the two topologies described in Scenario 1c can
be modified to support layer 2 security. In both cases the configuration procedure is the
same.

Topology 1
[Figure: Topology 1 network diagram. Labels: Web server, MSC 1.1, two MAPs, Internet port, LAN port, LAN, subnet 192.168.1.0, addresses 1.2 to 1.5, and three SSID groups each showing WPA, None and WEP.]

Topology 2
[Figure: Topology 2 network diagram. Labels: Web server, Router/Firewall, LAN A, LAN B, MSC, two MAPs, Internet port, LAN port, subnets 192.168.1.0 and 192.168.5.0, addresses 1.1 to 1.5, 5.1 and 5.2, and three SSID groups each showing WPA, None and WEP.]

Configuration road map

Important: Start with the configuration defined in Scenario 1c.

Create VSCs on the MAPs


Use the following steps to create three virtual service communities on all MAPs.
1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to
edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as None.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as None.
   - Click Save.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WEP.
   - Under General, enable the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as WEP.
   - Under Wireless protection:
     - Select the checkbox and choose WEP.
     - For Key, specify 13 ASCII characters as the key.
   - Click Save.
6. On the Virtual Service Communities page, click Add new profile.

7. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WPA.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as WPA.
   - Under Wireless protection:
     - Select the checkbox and leave the default setting of WPA.
     - For Mode, select WPA or WPA2.
     - For Key source, select Preshared key.
     - For Key and Confirm key, set a unique key value.
   - Click Save.

Create VSCs on the MSC


Use the following steps to create virtual service communities on the MSC that match
each VSC you configured on the MAPs:
1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to
edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as None.
   - Under Virtual AP, enter the WLAN name (SSID) as None.
   - Click Save.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WEP.
   - Under Virtual AP, enter the WLAN name (SSID) as WEP.
   - Under Wireless protection:
     - Select the checkbox and choose WEP.
     - For Key, specify the same 13 ASCII characters you defined on the MAPs.
   - Click Save.
6. On the Virtual Service Communities page, click Add new profile.
7. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WPA.
   - Under Virtual AP, enter the WLAN name (SSID) as WPA.
   - Under Wireless protection:
     - Select the checkbox and leave the default setting of WPA.
     - For Mode, select WPA or WPA2.
     - For Key source, select Preshared key.
     - For Key and Confirm key, set the same unique key value you defined on the
       MAPs.
   - Click Save.
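
Because the same three VSCs and keys are entered by hand on the MSC and on every MAP, a consistency check catches mismatches before customers do. This Python sketch is an added example, not Colubris code; the device names, the inventory layout and the key values are constructed, and the 8 to 63 character WPA passphrase range is the standard limit rather than something stated in this guide.

```python
import string

WEP_ASCII_LEN = 13                  # "specify 13 ASCII characters as the key"
WPA_PSK_MIN, WPA_PSK_MAX = 8, 63    # standard WPA passphrase length limits
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def vsc(ssid, protection=None, key=None):
    """One VSC as entered on the Add/Edit Virtual Service Community page."""
    return {"ssid": ssid, "protection": protection, "key": key}


# Constructed inventory transcribed from each device; key values are placeholders.
DEVICES = {
    "MSC": [vsc("None"), vsc("WEP", "WEP", "Hotspot-WEP13"),
            vsc("WPA", "WPA", "constructed-psk-value-01")],
    "MAP-1": [vsc("None"), vsc("WEP", "WEP", "Hotspot-WEP13"),
              vsc("WPA", "WPA", "constructed-psk-value-01")],
    # MAP-2 carries two typing errors: a 12-character WEP key and a different PSK.
    "MAP-2": [vsc("None"), vsc("WEP", "WEP", "Hotspot-WEP1"),
              vsc("WPA", "WPA", "constructed-psk-value-02")],
}


def key_problems(v):
    """Check one VSC's key against the length and character-set rules."""
    prot, key = v["protection"], v["key"]
    if prot is None:
        return ["key set although no wireless protection is selected"] if key else []
    if not key:
        return [f"{prot} selected but no key set"]
    problems = []
    if any(c not in PRINTABLE for c in key):
        problems.append("key contains non-printable or non-ASCII characters")
    if prot == "WEP" and len(key) != WEP_ASCII_LEN:
        problems.append(
            f"WEP key must be {WEP_ASCII_LEN} ASCII characters, got {len(key)}")
    if prot == "WPA" and not WPA_PSK_MIN <= len(key) <= WPA_PSK_MAX:
        problems.append(
            f"WPA key must be {WPA_PSK_MIN}-{WPA_PSK_MAX} characters, got {len(key)}")
    return problems


def audit_vscs(devices, reference="MSC"):
    """Compare every device's VSCs with the reference device. Key values are
    never included in the findings."""
    findings = []
    ref = {v["ssid"]: v for v in devices[reference]}
    for dev, vscs in devices.items():
        for v in vscs:
            findings += [f"{dev}/{v['ssid']}: {p}" for p in key_problems(v)]
        if dev == reference:
            continue
        seen = {v["ssid"]: v for v in vscs}
        for ssid in sorted(ref.keys() - seen.keys()):
            findings.append(f"{dev}: SSID {ssid!r} missing; roaming needs the "
                            f"same VSCs on every device")
        for ssid in sorted(seen.keys() - ref.keys()):
            findings.append(f"{dev}: SSID {ssid!r} is not defined on {reference}")
        for ssid in sorted(ref.keys() & seen.keys()):
            if ref[ssid]["protection"] != seen[ssid]["protection"]:
                findings.append(f"{dev}/{ssid}: protection differs from {reference}")
            elif ref[ssid]["key"] != seen[ssid]["key"]:
                findings.append(f"{dev}/{ssid}: key differs from {reference}")
    return findings


if __name__ == "__main__":
    for finding in audit_vscs(DEVICES):
        print(finding)
```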

Scenario 2a: Hotspot with Internet access (AAA server)


This installation shows you how to create a public access network using an AAA
(authentication, administration, accounting) RADIUS server to handle customer
authentication.

How it works

In this scenario a single MSC is installed to provide a wireless network and access to
the Internet.
A local area network is connected to the MSC's LAN port to support wired customers.
The MSC acts as the DHCP server on both the wireless and wired networks, which are
bridged together on subnet 192.168.1.0.
A RADIUS server (either local or remote) provides services for customer authentication
and accounting.
There are two ways to deploy this scenario as illustrated by topology 1 and topology 2 in
the sections that follow.

Topology 1
In this version, the NOC is located at a remote site and is accessed through the Internet.
The MSC is connected to the Internet by way of a broadband modem, and the Internet
connection is protected by the MSC's firewall and NAT features.
The MSC connects to the VPN server at the NOC using its PPTP client. This provides a
secure link through which data can be transferred.
[Figure: Topology 1 network diagram. Labels: RADIUS server, VPN server (myVPN.com), VPN tunnel, MSC, Internet port, LAN port, LAN, PUBLIC WLAN, subnet 192.168.1.0, stations 1.2 to 1.7.]

Topology 2
In this version the RADIUS server is located on local LAN B. Instead of being directly
connected to the Internet, the MSC is also connected to local LAN B which provides a
router/firewall to handle the connection to the Internet.

[Figure: Topology 2 network diagram. Labels: RADIUS server, Router/Firewall, LAN A, LAN B, MSC, Internet port, LAN port, PUBLIC WLAN, subnets 192.168.1.0 and 192.168.5.0, addresses 1.1 to 1.7, 5.1 and 5.2.]

Configuration road map

On the RADIUS server


Define RADIUS accounts for all customers that will use the public access network.

Install the MSC


1. Install the MSC as described in its Quickstart guide.
2. If setting up Topology 1, connect the Internet port to a broadband modem and then
restart the modem.
If setting up Topology 2, connect the Internet port to LAN B.
3. Connect the LAN port to the local area network.
4. Start the management tool.

Configure the wireless network


By default the MSC is configured to:
- support 802.11b/g clients
- automatically choose the best operating channel (frequency)
- create a wireless network named Colubris Networks
There is no need to change these settings for this scenario.
Note: By default one radio on the MSC-3300 is used to provide the wireless network
and the other is placed into Monitor mode.

Configure the Internet port


1. Select Network > Ports > Internet port.
2. Select the proper addressing option:
   - For topology 1, select the option supported by your ISP and click
     Configure. Define all settings as required.
   - For topology 2, select DHCP client and click Save.

Create a VPN connection (Topology 1 only)


1. Select Security > PPTP client.
2. Under Connection, set the PPTP server address to the address of the VPN server
(in this example, myVPN.com).
3. Under Account, set Username and Password as required by the VPN server.
4. Click Save.

Create a RADIUS profile


1. Select Security > RADIUS.
2. Click Add New Profile.
3. In the Profile name box, assign RADIUS Profile 1 to the new profile.
4. In the Settings box, use the defaults except for Authentication method which must
match the method supported by the RADIUS server.
5. In the Primary RADIUS server box, specify the address of the RADIUS server and
the secret the MSC will use.

Enable RADIUS authentication of customers


1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to
edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under HTML-based user logins:
     - Clear the Local authentication checkbox.
     - Select the RADIUS authentication checkbox.
     - For RADIUS profile, select RADIUS Profile 1.
     - Select the RADIUS accounting checkbox.
   - Click Save.

Test the public access interface


To test your installation, use a wireless client station to log onto the public access
interface. (For this to work, the MSC must be configured as the client's default gateway.
This is done by default if the wireless client is using DHCP.)
1. Start the client station's web browser and enter the IP address (or domain name) of
a web site on the Internet.
2. The MSC should intercept the URL and display the Login page. Specify a
valid customer name and password.
3. The Session page will open.
4. Next, you are automatically redirected to the web site you originally requested.

Scenario 2b: Hotspot with custom interface (AAA server)


This scenario adds custom settings to the default public access interface used in
Scenario 2a.
This installation illustrates how to customize the operation of the public access interface
when using an AAA RADIUS server.

How it works

In this scenario a web server is used to store custom pages for the public access
interface. The MSC loads these pages each time it is restarted.
The following diagrams show how the two topologies described in Scenario 2a can be
modified to support layer 2 security. In both cases the configuration procedure is the
same.

Topology 1
In this version the Web server is located at a remote site and is accessed through the
Internet by way of a VPN tunnel.
[Figure: Topology 1 network diagram. Labels: Web server, RADIUS server, VPN server (myVPN.com), VPN tunnel, MSC, Internet port, LAN port, LAN, PUBLIC WLAN, subnet 192.168.1.0, stations 1.2 to 1.7.]

Topology 2
In this version the Web server is located on local LAN B.

[Figure: Topology 2 network diagram. Labels: RADIUS server, Web server, Router/Firewall, LAN A, LAN B, MSC, Internet port, LAN port, PUBLIC WLAN, subnets 192.168.1.0 and 192.168.5.0, addresses 1.1 to 1.7, 5.1 to 5.3.]

Configuration road map

Important: Start with the configuration defined in Scenario 2a.

Customize the login page and logo


1. Create a folder called newpages on the web server.
2. Create a file called logo.gif that contains your logo and place it in the newpages
folder (recommended size less than 20K). This same image file is shared by all
pages.
3. Download the current QuickSetup.zip file from the Colubris Support website. (Go to
www.colubris.com and on the home page at left select Support > Product
Registration.)
4. Copy the following files from the current QuickSetup.zip file and place them in the
newpages folder.
   - login.html
   - transport.html
   - session.html
   - fail.html
5. Edit login.html to meet the requirements of your site, keeping the following
restrictions in mind:
   - Do not alter the ID tags <!-- Colubris --> & <!-- Custom --> located at the top of
     the page.
   - Do not alter any JavaScript code.

Define attributes on the RADIUS server


Define a RADIUS account for the MSC and add the following entries to it.
login-page=web_server_URL/newpages/login.html
transport-page=web_server_URL/newpages/transport.html
session-page=web_server_URL/newpages/session.html
fail-page=web_server_URL/newpages/fail.html
logo=web_server_URL/newpages/logo.gif

For more information on these attributes, consult the Public Access Administrator Guide.
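
An added pre-deployment check for the custom pages described in Scenario 1b and Scenario 2b (example code, not from Colubris): it verifies that the newpages folder is complete, that the ID tags and script blocks in login.html are unchanged from the QuickSetup original, and that logo.gif is under 20K, then builds the five attribute lines. The sample login page and the host name webserver.example are constructed; the real QuickSetup files will differ.

```python
import hashlib
import re
import tempfile
from pathlib import Path

REQUIRED_PAGES = ("login.html", "transport.html", "session.html", "fail.html")
ID_TAGS = ("<!-- Colubris -->", "<!-- Custom -->")
ATTRIBUTES = {"login-page": "login.html", "transport-page": "transport.html",
              "session-page": "session.html", "fail-page": "fail.html",
              "logo": "logo.gif"}
MAX_LOGO_BYTES = 20 * 1024  # "recommended size less than 20K"
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)

# Constructed stand-in for the login.html shipped in QuickSetup.zip.
SAMPLE_ORIGINAL = """<!-- Colubris -->
<!-- Custom -->
<html><head><title>Login</title>
<script type="text/javascript">
function validate(f) { return true; }
</script></head>
<body><h1>Welcome</h1>
<form onsubmit="return validate(this)"><input name="username"></form>
</body></html>
"""


def id_tag_prefix(html):
    """Text from the start of the page through the last ID tag, or None."""
    end = 0
    for tag in ID_TAGS:
        pos = html.find(tag)
        if pos < 0:
            return None
        end = max(end, pos + len(tag))
    return html[:end]


def script_digests(html):
    """SHA-256 of every <script> body, in document order. Inline event
    handler attributes are not covered by this comparison."""
    return [hashlib.sha256(body.strip().encode("utf-8")).hexdigest()
            for body in SCRIPT_RE.findall(html)]


def check_login_page(original, edited):
    """Compare an edited login.html with the unmodified original."""
    problems = []
    prefix = id_tag_prefix(original)
    if prefix is None:
        problems.append("reference login.html has no ID tags; wrong file?")
    elif not edited.startswith(prefix):
        problems.append("ID tags at the top of login.html were altered")
    if script_digests(original) != script_digests(edited):
        problems.append("JavaScript in login.html differs from the original")
    return problems


def check_folder(newpages, original_login):
    """Check a newpages folder against the steps in this scenario."""
    newpages = Path(newpages)
    problems = [f"missing {name}" for name in REQUIRED_PAGES + ("logo.gif",)
                if not (newpages / name).is_file()]
    logo = newpages / "logo.gif"
    if logo.is_file() and logo.stat().st_size >= MAX_LOGO_BYTES:
        problems.append(f"logo.gif is {logo.stat().st_size} bytes (20K or more)")
    login = newpages / "login.html"
    if login.is_file():
        original = Path(original_login).read_text(encoding="utf-8", errors="replace")
        problems += check_login_page(
            original, login.read_text(encoding="utf-8", errors="replace"))
    return problems


def attribute_lines(web_server_url):
    """Build the attribute lines, replacing web_server_URL with the real base URL."""
    base = web_server_url.rstrip("/")
    return [f"{key}={base}/newpages/{name}" for key, name in ATTRIBUTES.items()]


def demo():
    """Run the check on a good and a bad constructed folder; return both results."""
    edited_ok = SAMPLE_ORIGINAL.replace("Welcome", "Welcome to Example Cafe")
    edited_bad = edited_ok.replace("<!-- Custom -->", "").replace(
        "return true", "return false")
    results = []
    for edited in (edited_ok, edited_bad):
        with tempfile.TemporaryDirectory() as tmp:
            folder = Path(tmp) / "newpages"
            folder.mkdir()
            for name in REQUIRED_PAGES:
                (folder / name).write_text("<html></html>", encoding="utf-8")
            (folder / "login.html").write_text(edited, encoding="utf-8")
            (folder / "logo.gif").write_bytes(b"GIF89a" + bytes(1000))
            reference = Path(tmp) / "login.orig.html"
            reference.write_text(SAMPLE_ORIGINAL, encoding="utf-8")
            results.append(check_folder(folder, reference))
    return results


if __name__ == "__main__":
    print(demo())
    print("\n".join(attribute_lines("http://webserver.example")))
```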

Enable RADIUS authentication of the MSC


The MSC will retrieve the configuration attributes defined on the RADIUS server each
time it authenticates with the server.
1. Select Security > Authentication.
2. Enable the RADIUS authentication option.
3. Select the RADIUS profile you just defined (RADIUS Profile 1).
4. Specify the username and password the MSC will use to log in to the RADIUS
server.
5. Click Force authentication. The light should turn green, indicating that the MSC
has been successfully authenticated.
6. Click Save.

Test the public access interface


To test your installation, use a wireless client station to log onto the public access
interface. (For this to work, the MSC must be configured as the client's default gateway.
This is done by default if the wireless client is using DHCP.)
1. Start the client station's web browser and enter the IP address (or domain name) of
a web site on the Internet.
2. The MSC should intercept the URL and display the modified Login page.
(Depending on the type of certificate that is installed on the MSC, you may see a
security warning first.)
3. To log in, specify a valid customer name and password. The Session page should
open.
4. Next, you are automatically redirected to the web site you originally requested.

Scenario 2c: Hotspot with satellites and roaming (AAA server)


This scenario adds multiple MAPs to extend the wireless network in Scenario 2b.
MAP devices can be used to extend the reach of the public access network created by
an InMotion MultiService Controller (MSC).

How it works

In this scenario several MAP devices are connected to an MSC by way of a backbone
LAN to provide multiple wireless cells for a large physical location.
Customers can log into the public access network at any location and can roam
between access points without losing their connection.
By default, each MAP is configured as a DHCP client and obtains its address from the
MSC, which by default is configured as the DHCP server.
A RADIUS server (either local or remote) provides services for customer authentication
and accounting.
Note: This scenario can also be created using an MSC with no radio, in which case
wireless cells are only provided by the MAP devices. When using non-radio MSC units,
the DHCP server option must be enabled manually on the MSC.
The following diagrams illustrate how the two topologies described in Scenario 2b can
be modified to support satellites and roaming. In both cases the configuration procedure
is the same.

Topology 1
[Figure: Topology 1. Diagram labels: Web server, RADIUS server, VPN server, myVPN.com, VPN tunnel, Internet port, MSC, LAN port, LAN, 192.168.1.0, two MAPs, three PUBLIC WLAN cells.]

Topology 2
[Figure: Topology 2. Diagram labels: RADIUS server, Web server, Router/Firewall, LAN A, LAN B, 192.168.1.0, 192.168.5.0, Internet port, MSC, LAN port, LAN, two MAPs, three PUBLIC WLAN cells.]

Configuration road map

Important: Start with the configuration defined in Scenario 2b.

Install the MAPs


1. Install the MAPs as described in the appropriate quickstart guide.
2. Before you connect each unit to the LAN, start the Management Tool and configure
each unit as described in the sections that follow.

Configure the wireless network


By default the MAPs are configured to:
support 802.11b/g clients
automatically choose the best operating channel (frequency)
create a wireless network named Colubris Networks
There is no need to change these settings for this scenario.
Note: By default, one radio on the MAP-330 and the MSC-3300 is used to provide the
wireless network, and the other is placed into Monitor mode.

Set the shared secret on the MSC


1. Select Security > Authentication > Advanced Settings.
2. In the Access controller shared secret box, set Shared secret and Confirm
shared secret to a unique string. For example: xr2t56. This password will be used
by the MAPs to send authentication requests to the MSC.
3. Click Save.


Configure the connection to the MSC on the MAPs


Configure the following on each MAP.
1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
3. In the General box, select the Use Colubris access controller check box.
4. Click Save.
1. Select Security > Access controller.
2. Set the Access controller shared secret to match the secret set on the MSC.
3. Click Save.
Note: By default the MAP is set up to use the default gateway assigned by DHCP as the
access controller. Do not change this setting.


Scenario 2d: Hotspot with layer 2 security (AAA server)


This scenario adds support for 802.1x and WPA clients to scenario 2c.
Enabling support for 802.1x (with WEP encryption) and WPA protects all wireless
transmissions against eavesdropping.

How it works

This scenario creates three virtual service communities (VSCs) on each device. Each
VSC provides support for a different security option: 802.1x (with WEP), WPA, and
none.
To connect with the wireless network, customers must select the SSID that matches the
option that they want to use. Roaming between MAPs is supported, since the same
VSCs are defined on all access points.
Authentication of client stations occurs as follows:
On the SSIDs 8021x and WPA, authentication is handled by way of 802.1x by the
MSC using accounts defined on the RADIUS server. These stations do not see the
public access interface.
On the SSID None, client stations must log in through the public access interface and
are authenticated by the MSC by way of accounts defined on the RADIUS server.
The following diagrams show how the two topologies described in Scenario 2c can be
modified to support layer 2 security. In both cases the configuration procedure is the
same.

Topology 1
[Figure: Topology 1. Diagram labels: Web server, RADIUS server, VPN server, myVPN.com, VPN tunnel, Internet port, MSC, LAN port, LAN, 192.168.1.0, two MAPs. SSID WPA, SSID None and SSID 8021x are shown at each of the three devices.]

Topology 2
[Figure: Topology 2. Diagram labels: RADIUS server, Web server, Router/Firewall, LAN A, LAN B, 192.168.1.0, 192.168.5.0, Internet port, MSC, LAN port, LAN, two MAPs. SSID WPA, SSID None and SSID 8021x are shown at each of the three devices.]

Configuration road map

Important: Start with the configuration defined in Scenario 2c.

Create VSCs on the MAP


Use the following steps to create three virtual service communities on all MAPs.
1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to
edit it.
3. On the Add/Edit Virtual Service Community page:
Under General, enter the Name as None.
Under General, select the Use Colubris access controller check box.
Under Virtual AP, enter the WLAN name (SSID) as None.
Click Save.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
Under General, enter the Name as WPA.
Under General, select the Use Colubris access controller check box.
Under Virtual AP, enter the WLAN name (SSID) as WPA.
Under Wireless protection:
Select the checkbox and leave the default setting of WPA.
For Mode, select WPA or WPA2.
Leave Key source as RADIUS.
Click Save.
6. On the Virtual Service Communities page, click Add new profile.

7. On the Add/Edit Virtual Service Community page:
Under General, enter the Name as 8021x.
Under General, select the Use Colubris access controller check box.
Under Virtual AP, enter the WLAN name (SSID) as 8021x.
Under Wireless protection:
Select the checkbox and select 802.1x.
Select the Mandatory authentication checkbox.
Select the WEP encryption checkbox.
Click Save.

Create VSCs on the MSC


Use the following steps to create virtual service communities on the MSC that match
each VSC you configured on the MAPs:
1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to
edit it.
3. On the Add/Edit Virtual Service Community page:
Under General, enter the Name as None.
Under Virtual AP, enter the WLAN name (SSID) as None.
Under HTML-based user logins:
Enable RADIUS authentication.
For RADIUS profile, select RADIUS Profile 1 (which was defined in Scenario
2a).
Click Save.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
Under General, enter the Name as WPA.
Under Virtual AP, enter the WLAN name (SSID) as WPA.
Under Wireless protection:
Select the checkbox and leave the default setting of WPA.
For Mode, select WPA or WPA2.
Leave Key source as RADIUS.
For RADIUS profile, select RADIUS Profile 1 (which was defined in Scenario
2a).
Clear the HTML-based user logins checkbox.
Under Access controlled, clear the Redirect HTML users to login page
checkbox.
Click Save.
6. On the Virtual Service Communities page, click Add new profile.

7. On the Add/Edit Virtual Service Community page:
Under General, enter the Name as 8021x.
Under Virtual AP, enter the WLAN name (SSID) as 8021x.
Under Wireless protection:
Select the checkbox and select 802.1x.
For RADIUS profile, select RADIUS Profile 1 (which was defined in Scenario
2a).
Select the Mandatory authentication checkbox.
Select the WEP encryption checkbox.
Clear the HTML-based user logins checkbox.
Under Access controlled, clear the Redirect HTML users to login page
checkbox.
Click Save.


Scenario 2e: Using dual radios to support A+B+G traffic


This scenario adds support for 802.11a wireless clients to Scenario 2d.
Colubris Networks dual radio products can be configured to support the same SSID on
two different radios. This enables a single device to support wireless clients regardless
of the type of radio they have: 802.11a, b, or g.
Important: This scenario is supported by dual-radio units only.

How it works

In this scenario an MSC 3300 is used in conjunction with two MAP-330s. Both products
support dual radios.
The radios on all these devices are to operate as follows:
Radio 1: 802.11b/g mode
Radio 2: 802.11a mode
The three wireless profiles created in Scenario 2d are changed to transmit and receive
on both radio 1 and radio 2.
Customers are now able to connect regardless of their radio type: 802.11a/b/g.
Since 802.11a customers are on a separate radio, they do not share bandwidth with the
b/g customers.
Note: See scenario 2d for a diagram of the network topology.

Configuration road map

Important: Start with the configuration defined in Scenario 2d.

Configure radio 2
1. Select Wireless > Radios.
2. Under Radio 2:
Change Operating mode to Access point only.
Change Wireless mode to 802.11a.
3. Click Save.

Configure VSC profiles


1. Select Virtual AP > Profiles.
2. Edit each VSC created in Scenario 2d (8021x, WPA, and none) as follows:
Click the profile name.
Under Virtual AP, set Transmit/receive on to Radio 1 and 2.
Click Save.


Scenario 3: Shared hotspot for public and private traffic


In this scenario VLANs and multiple SSIDs are used to enable public and private users
to share the same infrastructure with complete security.

How it works

This scenario shows you how to deploy a wireless network so that it can be shared
between company employees and paying customers. It enables you to leverage a single
wireless infrastructure to build a hotspot and provide easy access for mobile employees.
Employees connect using the SSID Private and are routed to the corporate network
on VLAN 50. The MSC authenticates employees using the Corporate RADIUS server.
Once authenticated, customer traffic is forwarded on VLAN 50 so that it can reach the
corporate intranet.
Customers connect using the SSID Public and log in using the MSC's public access
interface. The MSC authenticates customers using the ISP RADIUS server. Once
authenticated, customer traffic is forwarded on VLAN 60 so that it can reach the
Internet.

[Figure: Shared hotspot topology. Diagram labels: Corporate RADIUS server, ISP RADIUS server, Corporate Intranet, Firewall, Switch, VLAN 50, VLAN 60, 192.168.5.5, 192.168.5.1, Employees, MSC, MAP, Employee (SSID = Private), Guest (SSID = Public).]

Configuration road map

Define settings on the RADIUS servers


1. On ISPRADIUS create accounts for public users.
2. On CorporateRADIUS create accounts for employees.

Install the MSC and MAP


1. Install the MSC and MAP as described in the appropriate quickstart guide.
2. Before you connect each unit to the LAN, start the Management Tool and configure
each unit as described in the sections that follow.

Configure the MSC


Configure the Internet port
1. Select Network > Ports > Internet port.
2. Select No address (Support VLAN traffic only).
3. Click Save.

Create two RADIUS profiles


1. Select Security > RADIUS.
2. Click Add New Profile.
In the Profile name box, assign CorporateRADIUS to the new profile.
In the Settings box, use the defaults except for Authentication method which
must match the method supported by the RADIUS server.
In the Primary RADIUS server box, specify the address of the RADIUS server
and the secret the MSC will use.
Click Save.
3. Click Add New Profile.
In the Profile name box, assign ISPRADIUS to the new profile.
In the Settings box, use the defaults except for Authentication method which
must match the method supported by the RADIUS server.
In the Primary RADIUS server box, specify the address of the RADIUS server
and the secret the MSC will use.
Click Save.

Create VLANs
1. Select Network > Ports.
2. Under VLAN configuration, click Add New VLAN.
Under General
Leave the Port selection as Internet port.
Set VLAN ID to 50.
Set VLAN name to Private.

Under Assign IP address via, select Static.
Set IP address to 192.168.5.1.
Set Mask to 255.255.255.0.
Leave Gateway blank.
Click Save.
3. Under VLAN configuration, click Add New VLAN.
Under General
Leave the Port selection as Internet port.
Set VLAN ID to 60.
Set VLAN name to Public.
Under Assign IP address via, select DHCP client.
Click Save.

Create VSCs
Use the following steps to create two virtual service communities on the MSC:
Note: This Private profile must be defined first to enable it to also support wired
employees, since untagged incoming traffic on the LAN port is always sent to the first
VSC profile.
1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to
edit it.
3. On the Add/Edit Virtual Service Community page:
Under General, enter the Name as Private.
Under General, select the Provide access control checkbox.
Under Virtual AP, enter the WLAN name (SSID) as Private.
Under VSC ingress mapping, select SSID.
Under VSC egress mapping, for Authenticated select Private.
Enable HTML-based user logins.
Select the RADIUS authentication checkbox.
For RADIUS Profile, select CorporateRADIUS.
Click Save.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
Under General, enter the Name as Public.
Under Virtual AP, enter the WLAN name (SSID) as Public.
Under VSC ingress mapping, select SSID.
Under VSC egress mapping, for Authenticated select Public.
Enable HTML-based user logins.
Select the RADIUS authentication checkbox.
For RADIUS Profile, select ISPRADIUS.
Click Save.


Set the shared secret


1. Select Security > Authentication > Advanced Settings.
2. In the Access controller shared secret box, set Shared secret and Confirm
shared secret to a unique string. For example: xr2t56. This password will be used
by the MAP to send authentication requests to the MSC.
3. Click Save.

Configure the MAP


Create VSCs
1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to
edit it.
3. On the Add/Edit Virtual Service Community page:
Under General, enter the Name as Public.
Under General, select the Use Colubris access controller check box.
Under Virtual AP, enter the WLAN name (SSID) as Public.
Click Save.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
Under General, enter the Name as Private.
Under General, select the Use Colubris access controller check box.
Under Virtual AP, enter the WLAN name (SSID) as Private.
Click Save.

Configure the connection to the MSC


1. Select Security > Access controller.
2. Set the Access controller shared secret to match the secret set on the MSC.
3. Click Save.
Note: By default the MAP is set up to use the default gateway assigned by DHCP as the
access controller. Do not change this setting.


Scenario 4: Delivering custom HTML pages using VLANs (AAA server)


This scenario shows you how to split customers onto different VLANs and use this to
deliver a customized user experience.

How it works

In this scenario a hotel assigns customer traffic to a different VLAN based on an access
point's location within the building.
The MAPs serving the hotel rooms on each floor are configured to return customer
traffic on VLAN 40.
The MAPs serving the hotel lobby, terrace, and restaurant are configured to return
customer traffic on VLAN 50.
VLAN 30 is defined for management purposes. It is used by the network administrator
to reach the management tool on the MSC and MAPs.
One advantage to this strategy is that it enables all devices to have the same SSID
(Hotspot, for example), making it easy for customers to connect.
Custom content is triggered based on the VLAN ID that customer traffic is mapped to.

[Figure: Hotel VLAN topology. Diagram labels: RADIUS Server; MSC (VLAN 30, VLAN 40, VLAN 50); Hotel Rooms: MAPs on Floor 1, Floor 2 and Floor 3 (VLAN 30, VLAN 40); Public Spaces: MAPs for the Terrace and Restaurant (VLAN 30, VLAN 50); SSID = Hotspot on every MAP.]

In this scenario the MSC is used to provide access control only and does support
wireless clients.

Configuration road map

On the RADIUS server


Define accounts for all the customers and the MSC.
To deliver custom content based on the VLAN, add the following entry to the RADIUS
profile for the MSC.
welcome-url=web_server_URL/premium/welcome.html?VLAN=%v

Create a server-side script to retrieve the VLAN value and then display a custom Login
page as follows:
If VLAN = 40, display the customer Login page.
If VLAN = 50, display the public access Login page.
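
One way to write the server-side script described above, as an added example that is not part of the Colubris guide: a small Python WSGI handler that reads the VLAN parameter appended by the welcome-url entry and selects the Login page. The page file names, page bodies and listening port are assumptions; because the value arrives in a URL that the customer's browser requests, the handler treats it as untrusted, accepts only a single decimal VLAN ID, and maps it through a fixed table.

```python
"""Added example: choose a Login page from the VLAN query parameter."""
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

# Fixed allow-list: VLAN ID -> page name. The file names are hypothetical.
PAGES = {
    40: "login_guest.html",   # MAPs serving hotel rooms (Guest VLAN)
    50: "login_public.html",  # MAPs serving lobby, terrace, restaurant (Public VLAN)
}

# Constructed page bodies, embedded so the example runs offline.
TEMPLATES = {
    "login_guest.html": "<h1>Hotel guest login</h1>",
    "login_public.html": "<h1>Public access login</h1>",
}


def parse_vlan(query_string):
    """Return the VLAN ID as an int, or None if missing, repeated or malformed."""
    values = parse_qs(query_string, keep_blank_values=True).get("VLAN", [])
    if len(values) != 1:
        # Absent, or supplied more than once: do not guess which one to trust.
        return None
    raw = values[0]
    # ASCII digits only; rejects signs, whitespace, paths, markup and an
    # unexpanded "%v" placeholder.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 4):
        return None
    vlan = int(raw)
    return vlan if 1 <= vlan <= 4094 else None


def select_page(query_string):
    """Map the query string to (HTTP status, page name or None)."""
    name = PAGES.get(parse_vlan(query_string))
    if name is None:
        return "400 Bad Request", None
    return "200 OK", name


def application(environ, start_response):
    """WSGI entry point. The VLAN value only picks page content; it is never
    copied into a file path or into the HTML that is returned."""
    status, name = select_page(environ.get("QUERY_STRING", ""))
    body = TEMPLATES[name] if name else "<h1>Unknown location</h1>"
    data = body.encode("utf-8")
    start_response(status, [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(data))),
        ("Cache-Control", "no-store"),
    ])
    return [data]


if __name__ == "__main__":
    # Local test server; address and port are assumptions.
    with make_server("127.0.0.1", 8000, application) as httpd:
        httpd.serve_forever()
```

Since a customer can edit the query string, the VLAN value should decide only which page is shown, not what the customer is allowed to access.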

Install the MSC and the MAPs


1. Install the devices as described in the appropriate quickstart guide.
2. Before you connect each unit to the LAN, start the Management Tool and configure
each unit as described in the sections that follow.

Configure the wireless network


By default the MSC is configured to:
support 802.11b/g clients
automatically choose the best operating channel (frequency)
create a wireless network named Colubris Networks
There is no need to change these settings for this scenario.
Note: By default, one radio on the MAP-330 and MSC-3300 is used to provide the
wireless network and the other is placed into Monitor mode.

Configure the MSC


Configure the Internet port
1. Select Network > Ports > Internet port.
2. Select the addressing option as required by the LAN and click Configure.
3. Define all settings as required.

Create a RADIUS profile


1. Select Security > RADIUS.
2. Click Add New Profile.
In the Profile name box, assign RADIUS1 to the new profile.
In the Settings box, use the defaults except for Authentication method which
must match the method supported by the RADIUS server.
In the Primary RADIUS server box, specify the address of the corporate RADIUS
server and the secret the MSC will use.
Click Save.


Enable RADIUS authentication of the MSC


The MSC will retrieve the configuration attributes defined on the RADIUS server each
time it authenticates with the server.
1. Select Security > Authentication.
2. Enable the RADIUS authentication option.
3. Select the RADIUS profile you just defined (RADIUS Profile 1).
4. Specify the username and password the MSC will use to log in to the RADIUS
server.
5. Click Force authentication. The light should turn green, indicating that the MSC
has been successfully authenticated.
6. Click Save.

Create VLANs
1. Select Network > Ports.
2. Under VLAN configuration, click Add New VLAN.
Under General
Leave the Port selection as LAN port.
Set VLAN ID to 30.
Set VLAN name to Management.
Under Assign IP address via, select Static.
Set IP address to 192.168.30.1.
Set Mask to 255.255.255.0.
Leave Gateway blank.
Click Save.
3. Under VLAN configuration, click Add New VLAN.
Under General
Leave the Port selection as LAN port.
Set VLAN ID to 40.
Set VLAN name to Guest.
Under Assign IP address via, select None.
Click Save.
4. Under VLAN configuration, click Add New VLAN.
Under General
Leave the Port selection as LAN port.
Set VLAN ID to 50.
Set VLAN name to Public.
Under Assign IP address via, select None.
Click Save.


Create VSCs
The following two virtual service communities need to be created on the MSC:
Guest: Handles guest traffic on VLAN 40.
Public: Handles public traffic on VLAN 50.
1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to
edit it.
3. On the Add/Edit Virtual Service Community page:
Under General, enter the Name as Guest.
Under General, select the Provide access control checkbox.
Under VSC ingress mapping, clear the SSID checkbox.
Under VSC ingress mapping, select VLAN then select Guest.
Enable HTML-based user logins.
Select the RADIUS authentication checkbox.
For RADIUS Profile, select RADIUS1.
Click Save.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
Under General, enter the Name as Public.
Under VSC ingress mapping, clear the SSID checkbox.
Under VSC ingress mapping, select VLAN and then select Public.
Enable HTML-based user logins.
Select the RADIUS authentication checkbox.
For RADIUS Profile, select RADIUS1.
Click Save.

Set the shared secret


1. Select Security > Authentication > Advanced Settings.
2. In the Access controller shared secret box, set Shared secret and Confirm
shared secret to a unique string. For example: xr2t56. This password will be used
by the MAPs to send authentication requests to the MSC.
3. Click Save.


Configure the MAPs


Set static addressing and management VLAN
1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
Under Assign IP address via, select Static then click the Configure button.
Define the following:
For each MAP, set IP address to a unique address on the 192.168.30.x subnet.
Set Address mask to 255.255.255.0.
Set Default gateway to 192.168.30.1.
Click Save.

Configure management VLAN


1. Select Network > Ports.
2. Under Port configuration, click Port 1.
Under VLAN
Select the VLAN checkbox.
Set VLAN ID to 30.
Select the Restrict default VLAN to management traffic only checkbox.
Click Save.

Configure a VSC
1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile.
3. On the Add/Edit Virtual Service Community page:
Under General, enter the Name as Hotspot.
Under General, select the Use Colubris access controller check box.
Under Virtual AP, enter the WLAN name (SSID) as Hotspot.
Under Egress VLAN:
If the MAP is serving a hotel room, set VLAN ID to 40 (which corresponds to the
Guest VLAN).
If the MAP is serving a public area, set VLAN ID to 50 (which corresponds to the
Public VLAN).
Click Save.

Configure the connection to the MSC


1. Select Security > Access controller.
2. Set the Access controller shared secret to match the secret set on the MSC.
3. Click Save.


Scenario 5: Custom HTML pages on each MAP (local mode)


This scenario shows you how to create a customized user experience based on the
MAP with which a customer is associated.

How it works

In this scenario wireless networking for a condo complex is deployed using multiple
MAPs and a single MSC. The complex features three buildings, each with several
condos serviced by a single MAP.
Since the tenant turnover is low, and network access is included in the monthly condo
fee, accounting support is not needed. Therefore this scenario does not use a RADIUS
server. Instead, all logins are validated by the MSC using a locally defined user list.
To offer personalized service for each building, a set of custom web pages is created
for each building and stored in a separate folder on a web server. (A third-party server
on the Internet is used to keep costs down.) Customers are redirected to the
appropriate set of pages based on the location-aware group name assigned to each
MAP.

[Figure: Condo complex topology. Diagram labels: Web server, Internet port, MSC, LAN port (1.1), 192.168.1.0, MAP 1 (1.2) for Condo complex 1, MAP 2 (1.3) for Condo complex 2, MAP 3 (1.4) for Condo complex 3.]

About the location-aware feature


This feature, which is enabled by default, permits the MSC to determine the physical
location where customers are logging into the network (as well as other information
which can be used for customer tracking). See the Public Access Administrator's Guide for
more information on this feature.
This scenario uses the location-aware group name feature to assign a unique name to
each MAP. When a customer logs in, the MAP reports this name to the MSC. The name
is then used to create a URL to a custom set of pages on the web server.

Configuration road map

Install the MSC and the MAPs


1. Install the devices as described in the appropriate quickstart guide.
2. Before you connect each unit to the LAN, start the Management Tool and configure
each unit as described in the sections that follow.

Create the custom web pages


1. Create the following folder on the web server: \newpages
2. Create a file called logo.gif that contains a custom logo for the service being offered
and place it in \newpages.
3. Download the current QuickSetup.zip file from the Colubris Support website. (Go to
www.colubris.com and on the home page at left select Support > Product
Registration.)
4. Place a copy of each of the following files from the current QuickSetup.zip file into
\newpages.
transport.html
session.html
fail.html
5. Create the following three folders on the web server:
\newpages\complex_1
\newpages\complex_2
\newpages\complex_3
6. Create the following three html files in each of the three new folders. Customize
each file so that it provides content specific to each condo complex:
login.html
This is the page tenants will use to log in. The following sample code illustrates how
to retrieve login credentials and send them to the MSC for validation.
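<form action="https://wireless.colubris.com:8090/goform/HtmlLoginRequest">
<!-- The credentials are sent to the MSC over HTTPS for validation. -->
<input type="text" name="username" id="username" />
<!-- type="password" keeps the password from being displayed as it is typed. -->
<input type="password" name="password" id="password" />
<input type="submit" />
</form>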

welcome.html
This is the page tenants will see after their login is approved. It is a standard HTML
page and can be customized as required.
goodbye.html
This is the page tenants will see after they log out. It is a standard HTML page and
can be customized as required.

Configure the MAPs


By default each MAP is configured to:
Automatically select the best operating frequency.
Create a wireless network named Colubris Networks.
Act as a DHCP client on its LAN ports.
Use the MSC as the access controller.
There is no need to change these settings for this scenario.


Configure the location-aware group name


Set a unique group name on each MAP as follows:
1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
3. Under General, make sure that the Use Colubris access controller checkbox is
selected.
4. Under Location aware:
For MAP 1, set Group name to Complex_1.
For MAP 2, set Group name to Complex_2.
For MAP 3, set Group name to Complex_3.
5. Click Save.

Configure the connection to the MSC on the MAPs


Each MAP will use the services of the MSC to authenticate customer logins. Do the
following on each MAP.
1. Select Security > Access controller
2. Set the Access controller shared secret to the same unique value on all MAPs.
For example: xr2t56. This password will be used by the MAPs to connect to the MSC
when they send authentication requests.
3. Click Save.
Note: By default the MAP is set up to use the default gateway assigned by DHCP as the
access controller. Do not change this setting.

Configure the MSC


Configure the Internet port
1. Select Network > Ports > Internet port.
2. Select the addressing option required by your ISP.
3. Click Configure and define all settings as required.

Configure attributes to activate the customized pages


4. Open the Security > Local config page and define the following attributes:
The first four attributes provide support for the common pages that are generic for all
tenants, and the shared logo file.
transport-page=web_server_URL/newpages/transport.html
session-page=web_server_URL/newpages/session.html
fail-page=web_server_URL/newpages/fail.html
logo=web_server_URL/newpages/logo.gif

The next three attributes provide support for the custom pages. Each time a tenant
logs in the MSC calls these pages, replacing the %G with the group name assigned
to the MAP that the tenant is associated with.
login-url=web_server_URL/newpages/%G/login.html

welcome-url=web_server_URL/newpages/%G/welcome.html
goodbye-url=web_server_URL/newpages/%G/goodbye.html


By default the MSC blocks access to any resources that are connected to its Internet
port until a client station successfully logs in. However, to log in, a client station must
be able to load the custom login page hosted on the web server. To solve this
problem, an access list definition is added that permits access to the web server for
all unauthenticated stations.
Access-list=loginpage,ACCEPT,tcp,web_server_URL,80
Use-access-list=loginpage
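
The check below is an added example, not part of the original guide or of Colubris software. It expands %G for each MAP group name, compares the resulting paths with the files created on the web server, and confirms that the login page host is opened by an access list that is in use. The host webserver.example, the file inventory and the assumption that %G is substituted exactly as the group name was typed are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: this scenario's Local config attributes, with the page's
# web_server_URL placeholder filled in by a made-up host (webserver.example).
LOCAL_CONFIG = """\
transport-page=http://webserver.example/newpages/transport.html
session-page=http://webserver.example/newpages/session.html
fail-page=http://webserver.example/newpages/fail.html
logo=http://webserver.example/newpages/logo.gif
login-url=http://webserver.example/newpages/%G/login.html
welcome-url=http://webserver.example/newpages/%G/welcome.html
goodbye-url=http://webserver.example/newpages/%G/goodbye.html
Access-list=loginpage,ACCEPT,tcp,webserver.example,80
Use-access-list=loginpage
"""
GROUP_NAMES = ["Complex_1", "Complex_2", "Complex_3"]  # Group name set on each MAP

# Files as created on the web server in "Create the custom web pages".
SERVER_FILES = {"/newpages/" + f
                for f in ("logo.gif", "transport.html", "session.html", "fail.html")}
SERVER_FILES |= {f"/newpages/complex_{n}/{page}" for n in (1, 2, 3)
                 for page in ("login.html", "welcome.html", "goodbye.html")}

URL_ATTRIBUTES = {"transport-page", "session-page", "fail-page", "logo",
                  "login-url", "welcome-url", "goodbye-url"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_attributes(text):
    """Return (name, value) pairs in file order; a name may occur more than once."""
    pairs = []
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def permitted_endpoints(pairs):
    """(host, port) pairs opened for TCP by ACCEPT rules of the lists in use."""
    in_use = {value.lower() for name, value in pairs if name == "use-access-list"}
    allowed = set()
    for name, value in pairs:
        fields = [f.strip() for f in value.split(",")]
        if name != "access-list" or len(fields) != 5 or not fields[4].isdigit():
            continue
        list_name, action, proto, host, port = fields
        if (list_name.lower() in in_use and action.upper() == "ACCEPT"
                and proto.lower() == "tcp"):
            allowed.add((host.lower(), int(port)))
    return allowed


def lint(config_text, group_names, server_files):
    """Return (attribute, expanded URL, problem) tuples; an empty list means clean."""
    pairs = parse_attributes(config_text)
    allowed = permitted_endpoints(pairs)
    by_lower = {path.lower(): path for path in server_files}
    findings = []
    for name, value in pairs:
        if name not in URL_ATTRIBUTES:
            continue
        # Assumption: %G is replaced with the group name exactly as typed on the MAP.
        urls = [value.replace("%G", g) for g in group_names] if "%G" in value else [value]
        for url in urls:
            parts = urlsplit(url)
            port = parts.port or DEFAULT_PORTS.get(parts.scheme)
            # The login page must load before the station has authenticated.
            if name == "login-url" and (parts.hostname, port) not in allowed:
                findings.append((name, url, "not reachable before login"))
            if parts.path in server_files:
                continue
            actual = by_lower.get(parts.path.lower())
            problem = f"case differs from {actual}" if actual else "file not found"
            findings.append((name, url, problem))
    return findings


if __name__ == "__main__":
    for finding in lint(LOCAL_CONFIG, GROUP_NAMES, SERVER_FILES):
        print(*finding, sep=" | ")
```

With the values used in this scenario, the group names (Complex_1) and the folder names (complex_1) differ only in case, which matters only if the web server treats paths as case-sensitive.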

Define the list of condo tenants


1. Select Security > Users.
2. Add usernames and passwords for all condo tenants.

Set the shared secret on the MSC


1. Select Security > Authentication > Advanced Settings.
2. In the Access controller shared secret box, set Shared secret and Confirm
shared secret to the same value you set on the MAPs.
3. Click Save.

Using the public access interface


To use the condo internet service, tenants do the following:
Connect to the SSID Colubris Networks using 802.11b or g.
Start their web browser and enter the URL wireless.colubris.com, which is the URL
assigned to the MSC.
The MSC will redirect the browser to the login page on the web server.
After the tenant logs in and is validated, the Welcome page is displayed.
The tenant can now surf the Internet.


Chapter 4: Enterprise deployment

In this chapter you can find sample deployment strategies for common
enterprise scenarios. These scenarios can give you a good idea about
how to approach your installation.


In this chapter
This chapter contains the following scenarios.

Scenario 1: Adding secure wireless networking
Scenario 2a: Integrating wireless networking with authentication
Scenario 2b: Using multiple wireless profiles and QoS
Scenario 2c: Supporting wireless phones
Scenario 3: Adding wireless networking to a segmented network
Scenario 4: Roaming across different subnets (single MSC)
Scenario 5: Roaming across different subnets (multiple MSCs)
Scenario 6: Access-controlled VSCs and roaming


Scenario 1: Adding secure wireless networking


The MAP makes it easy to add secure wireless connectivity to an existing local area
network.

How it works

In this scenario a MAP is installed on an existing corporate network to provide wireless
networking services for employees.
Since the MAP functions as a DHCP client and all its ports are bridged, it simply creates
a wireless extension to the existing network.
Wireless transmissions are protected using WPA with preshared keys, ensuring that
network traffic cannot be compromised by eavesdroppers.

[Figure: sample topology. Corporate network 192.168.5.0 with a DHCP server; the MAP (5.7)
connects WPA-protected stations on the WLAN to it.]

Configuration road map

Install the MAP


1. Install the MAP as described in the quickstart guide.
2. Before you connect the MAP to the LAN, start the Management Tool and configure
it as described in the sections that follow.

Configure the wireless network


By default the MAP is configured to
Automatically select the best operating frequency
Create a wireless network named Colubris Networks
Note: By default one radio on the MAP-330 is used to provide the wireless network, and
the other is placed into Monitor mode.


Configure addressing
By default, the MAP is set to operate as a DHCP client. In the sample topology it is
automatically assigned the IP address 5.7 by the corporate DHCP server. To make the
MAP easier to manage, it may be useful to assign a static IP address to it as follows:
1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters and click Save.

Configure a VSC
1. Select VSC > Profiles.
2. Click the Colubris Networks profile in order to edit it.
3. Clear the Wireless security filters checkbox.
4. Under Wireless protection:
Select the checkbox and leave the default setting of WPA.
For Mode, select WPA or WPA2.
For Key source, select Preshared key.
For Key and Confirm key, set a unique key value.
5. Click Save.


Scenario 2a: Integrating wireless networking with authentication


The MAP can easily be integrated into an existing networking infrastructure to provide
secure wireless networking by leveraging an existing RADIUS server.

How it works

In this scenario a MAP is installed on an existing corporate network to provide wireless
networking services for employees.
Since the MAP functions as a DHCP client and all its ports are bridged, it simply creates
a wireless extension to the existing network.
Security for the wireless network is provided using 802.1x. The MAP uses the existing
RADIUS server on the corporate network to validate employee logins.

[Figure: sample topology. Corporate network 192.168.5.0 with a RADIUS server and a DHCP
server; the MAP (5.7) connects 802.1x-authenticated stations on the WLAN to it.]

Configuration road map

Install the MAP


1. Install the MAP as described in the quickstart guide.
2. Before you connect the MAP to the LAN, start the Management Tool and configure
it as described in the sections that follow.

Configure the wireless network


By default the MAP is configured to
Automatically select the best operating frequency
Create a wireless network named Colubris Networks
Note: By default, one radio on the MAP-330 is used to provide the wireless network,
and the other is placed into Monitor mode.


Configure addressing
By default, the MAP is set to operate as a DHCP client. In the sample topology it is
automatically assigned the IP address 5.7 by the corporate DHCP server. To make the
MAP easier to manage, it may be useful to assign a static IP address to it as follows:
1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters and click Save.

Configure the connection to the RADIUS server


1. Select Security > RADIUS.
2. Click Add New Profile.
3. Under Profile Name, enter Corporate.
4. Under Primary RADIUS server, enter the Server address and Secret for the
corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.

Configure a VSC
1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
3. Clear the Wireless security filters checkbox.
4. Under Wireless protection
Select the checkbox.
Select 802.1x
For RADIUS profile, select Corporate.
Select RADIUS accounting.
Select Mandatory authentication.
5. Click Save.


Scenario 2b: Using multiple wireless profiles and QoS


This scenario expands scenario 2a by using virtual service communities to add a variety
of wireless services.
The MAP can create multiple virtual service communities (VSCs) to support different
types of services, including wireless security options, authentication, and quality of
service (QoS).

How it works

In this scenario the MAP provides three different wireless networks and uses QoS
settings to prioritize traffic:
Employee: This network is for use by all employees. It features 802.1x security and a
QoS setting that provides for normal traffic priority.
Guest: This network is for use by guests. It features WEP security and a QoS setting
that provides for low traffic priority. Guest traffic is restricted using the MAP's security
filter capability so that guest traffic can only reach the router for Internet access. For
this to work, the DHCP server must be configured to return the router as the default
gateway.
Video: This network is for video conferencing. It features 802.1x security and a QoS
setting that provides for high traffic priority.

[Figure: sample topology. Corporate network 192.168.5.0 with a RADIUS server, a DHCP
server and a router/firewall (5.99). The MAP provides three wireless networks:
SSID=Guest, QoS=VAP-based Low; SSID=Video, QoS=VAP-based High; SSID=Employee,
QoS=VAP-based Normal.]


Configuration road map

Important: Start with the configuration defined in Scenario 2a.

Configure VSCs
Use the following steps to define the three virtual service communities required for this
scenario.
1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
Under Name, enter Employee.
Under WLAN name (SSID), enter Employee.
Under Virtual AP, QoS priority mechanism, select VAP Based Normal.
Clear the Wireless security filters checkbox.
Under Wireless protection
Select the checkbox.
Select 802.1x
For RADIUS profile, select Corporate.
Select RADIUS accounting.
Select Mandatory authentication.
Click Save.
3. Click Add New Profile.
Under Name, enter Guest.
Under WLAN name (SSID), enter Guest.
Under Virtual AP, QoS priority mechanism, select VAP Based Low.
Under Wireless protection
Select the checkbox.
Select WEP.
Define a set of unique WEP keys.
Click Save.
4. Click Add New Profile.
Under Name, enter Video.
Under WLAN name (SSID), enter Video.
Under Virtual AP, QoS priority mechanism, select VAP Based High.
Clear the Wireless security filters checkbox.
Under Wireless protection
Select the checkbox.
Select 802.1x
For RADIUS profile, select Corporate.
Select RADIUS accounting.
Select Mandatory authentication.
Click Save.


Scenario 2c: Supporting wireless phones


This scenario adds support for wireless phones to Scenario 2b.
The MAP provides two features to support SIP and Spectralink phones: SVP quality of
service support and MAC-based authentication.

How it works

This scenario adds two virtual service communities to provide support for wireless
phones. Authentication of phones is accomplished by adding the MAC address of each
phone to an internal list maintained on the MAP. Only phones that appear in the list can
connect.
A separate VSC is added for each type of phone: Spectralink and SIP.

[Figure: sample topology. Corporate network 192.168.5.0 with a RADIUS server, a DHCP
server, a SIP server and a router/firewall (5.99). The MAP provides five wireless networks:
SSID=Guest, QoS=VAP-based Low; SSID=Video, QoS=VAP-based High; SSID=Spectralink,
QoS=Diffsrv; SSID=Employee, QoS=VAP-based Normal; SSID=SIP, QoS=VAP-based High.]


Configure the VSC

Important: Start with the configuration defined in Scenario 2a.

Add a VSC
Use the following steps to define the virtual service community required for this
scenario.
1. Select VSC > Profiles.
2. Click Add New Profile.
Under Name, enter Phone.
Under WLAN name (SSID), enter Spectralink.
Under Virtual AP, QoS priority mechanism, leave the default selection Diffsrv,
which maps phone traffic to traffic queue 1.
Clear the Wireless security filters checkbox.
Under MAC Filter
Enable the MAC Filter checkbox.
Select Allow.
Under MAC address, enter the MAC address for each phone.
Click Add.
3. Click Add New Profile.
Under Name, enter Phone.
Under WLAN name (SSID), enter SIP.
Clear the Wireless security filters checkbox.
Under Virtual AP, QoS priority mechanism, leave the default selection VAP-based
Very High, which maps phone traffic to traffic queue 1.
Under MAC Filter
Enable the MAC Filter checkbox.
Select Allow.
Under MAC address, enter the MAC address for each phone.
Click Add.
4. Click Save.


Scenario 3: Adding wireless networking to a segmented network


With support for VLANs and multiple SSIDs, the MAP provides for seamless integration
into an existing segmented network architecture.

How it works

In this scenario, multiple VSCs are used to provide a wireless architecture that mirrors
the segmented configuration of the backbone LAN. Wireless traffic is secured using
either 802.1x or WPA and leverages the existing corporate RADIUS server for employee
authentication.
Since all MAPs are installed on the same network segment, and each features an
identical wireless setup, employees are able to roam between wireless cells without
losing their network connection.
An unprotected guest network is provided, allowing company guests to access the
Internet through a wireless connection.

[Figure: sample topology. A layer 3 switch with a trunk port connects the router/firewall,
the RADIUS and DHCP server, Server 1 and Server 2 (VLAN 40, VLAN 50, VLAN 60) to MAP 1,
MAP 2 and MAP 3 over 802.1Q trunks. Labels on the MAPs: LAN port VLAN=50; SSID=Guest,
VLAN=40; SSID=Priv_802.1x, VLAN=60; SSID=Priv_WPA, VLAN=60.]


About the SSIDs and VLANs


This scenario uses the following SSIDs and VLANs:
Guest: This SSID has no encryption enabled and is mapped to VLAN 40. This
permits guests to access the Internet only.
Priv_802.1x: This SSID is defined with 802.1x security and is mapped to VLAN 60.
Employee authentication occurs by way of the corporate RADIUS server.
Priv_WPA: This SSID is defined with WPA security and is mapped to VLAN 60.
Default VLAN: The default VLAN is set to 50. Since all user traffic on the MAP is
mapped to either 40 or 60, only management traffic is sent on VLAN 50, which
includes all communication with the corporate RADIUS server and configuration
activities. For this to work, LAN port 1 must be used to connect the MAP to the
corporate network.

Addressing details
Following are addressing details used in this scenario:
The MAPs are connected to the layer 3 switch through LAN port 1. Each MAP has a
unique static IP address on the 50.0 segment.
Employees on the Guest, Priv_802.1x, and Priv_WPA SSIDs are bridged to the
appropriate VLAN. This means that they receive an IP address from the DHCP server
on the network.
The Layer 3 switch provides routing between VLAN 60 and VLAN 40, enabling
employees to access the Internet.

Configuration road map

Install the MAPs


1. Install the MAP as described in the quickstart guide.
2. Before you connect the MAPs to the LAN, configure them as described in the
sections that follow.

Configure the wireless network


By default each MAP is configured to:
Automatically select the best operating frequency
Create a wireless network named Colubris Networks
There is no need to change these settings for this scenario.
Note: By default, one radio on the MAP-330 is used to provide the wireless network,
and the other is placed into Monitor mode.


Define the VLANs and network addressing


Define VLANs 40 and 60 so that later they can be mapped to VSCs.
1. Select Network > VLAN.
2. Click Add New VLAN.
Under General
Leave the Port selection as Port 1.
Set VLAN ID to 40.
Set VLAN name to Guest.
Under Assign IP address via, select DHCP client.
Click Save.
3. Click Add New VLAN.
Under General
Leave the Port selection as Port 1.
Set VLAN ID to 60.
Set VLAN name to Employee.
Under Assign IP address via, select DHCP client.
Click Save.
4. Select Network > Ports.
5. Click Bridge port.
Under Assign IP address via, select Static, then click Configure.
Define static addressing as required by your corporate network.
Click Save.
6. Select Network > Ports.
7. Click Port 1.
Under VLAN, select VLAN ID and set it to 50.
Select the Restrict default VLAN to management traffic only checkbox.
Click Save.

Configure the connection to the RADIUS server


1. Select Security > RADIUS.
2. Click Add New Profile.
3. For Profile Name, enter Corporate.
4. Under Primary RADIUS server, specify the Server address and Secret for the
corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.


Configure the VSCs


Use the following steps to define three virtual service communities on each MAP:
1. Select VSC > Profiles.
2. Click Add New Profile.
Under General, set Name to Guest.
Under SSID, set WLAN name to Guest.
Under Egress VLAN, select the VLAN ID of 40, which corresponds to Guest.
Clear the Wireless Security Filters checkbox.
Click Save.
3. Click Add New Profile.
Under General, set Name to Priv_WPA.
Under SSID, set WLAN name to Priv_WPA.
Under Egress VLAN, select the VLAN ID of 60, which corresponds to Employee.
Clear the Wireless Security Filters checkbox.
Under Wireless protection:
Enable the checkbox and select WPA.
Set Mode to WPA or WPA2.
For RADIUS profile, select Corporate.
Select RADIUS accounting.
Select Mandatory authentication.
Click Save.
4. Click Add New Profile.
Under General, set Name to Priv_8021x.
Under SSID, set WLAN name to Priv_8021x.
Under Egress VLAN, select the VLAN ID of 60, which corresponds to Employee.
Disable the Wireless Security Filters checkbox.
Under Wireless protection:
Enable the checkbox and select 802.1x.
For RADIUS profile, select Corporate.
Select RADIUS accounting.
Select Mandatory authentication.
Click Save.

Configure the RADIUS server


Configure the RADIUS server to return VLAN 60 for employee accounts. You can do this
by setting the following standard RADIUS attributes on the server:
tunnel-type=VLAN
tunnel-medium-type=802
tunnel-private-group-id=60
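
To check what the RADIUS server actually returns (for instance in a packet capture of an Access-Accept), the three attributes can be decoded from their wire form. The following is an added example, not part of the original guide or of any Colubris or RADIUS server software; it follows the attribute encoding of RFC 2868 and RFC 3580, and the sample attribute bytes are constructed.

```python
# RADIUS attribute numbers and values from RFC 2868 and RFC 3580.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TYPE_VLAN = 13          # tunnel-type=VLAN
MEDIUM_IEEE_802 = 6     # tunnel-medium-type=802
REPLY_MESSAGE = 18      # unrelated attribute, present only to show it is skipped


def tagged_integer(attr_type, value, tag=0):
    """Type, Length=6, Tag, then a 3-octet value (Tunnel-Type, Tunnel-Medium-Type)."""
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def group_id(vlan_id, tag=0):
    """Tunnel-Private-Group-ID carries the VLAN ID as an ASCII string."""
    body = (bytes([tag]) if tag else b"") + str(vlan_id).encode("ascii")
    return bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)]) + body


def iter_attributes(blob):
    """Yield (type, value) for each attribute in an attribute section."""
    offset = 0
    while offset < len(blob):
        if offset + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[offset], blob[offset + 1]
        if length < 2 or offset + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        yield attr_type, blob[offset + 2:offset + length]
        offset += length


def assigned_vlan(blob):
    """Return the VLAN ID a complete, consistent attribute set assigns, else None."""
    tunnels = {}  # tag -> {attribute type: value}
    for attr_type, value in iter_attributes(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError(f"attribute {attr_type} must carry tag + 3 octets")
            tunnels.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first octet of 0x1F or less is a tag; anything higher is already
            # part of the string (the digits of a VLAN ID are 0x30 and above).
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            tunnels.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
    for attrs in tunnels.values():
        vlan = attrs.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if (attrs.get(TUNNEL_TYPE) == TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802
                and vlan.isdigit() and 1 <= int(vlan) <= 4094):
            return int(vlan)
    return None


# Constructed sample: attribute section of an Access-Accept for an employee account.
EMPLOYEE_ACCEPT = (bytes([REPLY_MESSAGE, 4]) + b"ok"
                   + tagged_integer(TUNNEL_TYPE, TYPE_VLAN)
                   + tagged_integer(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
                   + group_id(60))

if __name__ == "__main__":
    print(EMPLOYEE_ACCEPT.hex(" "))
    print("VLAN:", assigned_vlan(EMPLOYEE_ACCEPT))
```

A result of None means at least one of the three attributes is missing, carries a different value, or uses a different tag from the others.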


Scenario 4: Roaming across different subnets (single MSC)


Colubris supports roaming across different subnets by utilizing MAPs in combination
with an MSC. This scenario shows how a single MSC can be used to service MAPs on
different subnets.

How it works

In this scenario multiple MAPs are installed to provide wireless networking coverage on
two different subnets. Client stations are able to roam between MAPs without losing
their connection, even across different subnets.
The MSC provides centralized management of client sessions to support layer 3
roaming between wireless cells. The MAPs automatically discover the MSC and
establish a secure tunnel with it, through which they can exchange management and
control information to support features such as fast authentication and layer 3 mobility.
The layer 3 mobility feature is used in this scenario to support client station roaming
between subnets. The fast authentication feature enables quick handoff between MAPs
on the same subnet.
Wireless security is provided by enabling 802.1x on the MAPs, using the services of the
RADIUS server to validate logins.
Address allocation is provided by the DHCP server for all devices, even wireless client
stations. (The routers must be configured to support DHCP relay.)

[Figure: sample topology. Labels: Router/Firewall, DHCP server, RADIUS server, MSC (LAN
port), two routers, subnets 192.168.1.0 and 192.168.2.0, MAP A, MAP B, MAP C and MAP D
with their WLANs, Area 1 and Area 2.]


Autodiscovery
Discovery of MSCs on the same subnet as a MAP is automatic and occurs through
Layer 2 broadcasts.
Discovery of MSCs on different subnets from a MAP is fully automated if the DHCP
server is properly configured. By default a MAP searches for MSCs with the names
cnsrv1, cnsrv2, and cnsrv3 on the default domain returned by the DHCP server. In
this example, the DHCP server is configured to return company.lan as the default
domain. This means the MAPs will search for MSCs with the following names (in order):
cnserv1.company.lan
cnserv2.company.lan
cnserv3.company.lan
By setting up the DHCP server to associate the name cnserv1.company.lan with the
IP address of the MSC, the MAPs will automatically be able to find and establish a
secure tunnel with it. No configuration is necessary on the MAPs.

Configuration road map

Install the MAPs and the MSC


1. Install the MAPs as described in the quickstart guide.
2. Before you connect the MAPs to the LAN, configure them as described in the
sections that follow.

Configure the MAPs


Configure the wireless network
By default each MAP is configured to:
Automatically select the best operating frequency
Create a wireless network named Colubris Networks
There is no need to change these settings for this scenario.
Note: By default, one radio on the MAP-330 is used to provide the wireless network,
and the other is placed into Monitor mode.

Configure addressing
By default, the MAPs are set to operate as DHCP clients. In the sample topology they
are automatically assigned IP addresses by the DHCP server (through DHCP relay on
the routers). To make the MAPs easier to manage, however, it may be useful to assign a
static IP address to them as follows:
1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.

Configure the connection to the RADIUS server


1. Select Security > RADIUS.
2. Click Add New Profile.
3. For Profile Name, enter Corporate.
4. Under Primary RADIUS server, specify the Server address (192.168.5.2) and
Secret for the corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.


Configure the VSCs


Use the following steps to define a virtual service community on each MAP:
1. Select VSC > Profiles.
2. Click the Colubris Networks profile in the list.
Under General, set Name to Priv_8021x.
Under General, disable Use Colubris access controller.
Under SSID, set WLAN name to Priv_8021x.
Under Mobility, select the Enable L2 Fast Authentication checkbox.
Disable the Wireless Security Filters checkbox.
Under Wireless protection:
Enable the checkbox and select 802.1x.
For RADIUS profile, select Corporate.
Select RADIUS accounting.
Select Mandatory authentication.
3. Click Save.

Configure the MSC


Note: To support fast authentication and layer 3 mobility the MSC must have the COS
Services Pack license installed.

Configure addressing
By default, the MSC's LAN port is set to the static IP address 192.168.1.1. For this
scenario, the address needs to be changed to 192.168.5.3.
1. Under Port configuration, click LAN port.
2. Under Addressing, set LAN IP port address to 192.168.5.3.
3. Under Addressing, set LAN port mask to 255.255.255.0.
4. Click Save.
Note: After clicking Save you will have to reconnect to the management tool using the
new address.


Scenario 5: Roaming across different subnets (multiple MSCs)


Colubris supports roaming across different subnets by utilizing MAPs in combination
with an MSC. This scenario shows how multiple MSCs can be used, by installing one on
each subnet.

How it works

In this scenario multiple MAPs are installed to provide wireless networking coverage on
two different subnets. Client stations are able to roam between MAPs without losing
their connection, even across different subnets.
The MSC provides centralized management of client sessions to support layer 3
roaming between wireless cells. The MAPs automatically discover the MSC and
establish a secure tunnel with it, through which they can exchange management and
control information to support features such as fast authentication and layer 3 mobility.
The layer 3 mobility feature is used in this scenario to support client station roaming
between subnets. The fast authentication feature enables quick handoff between MAPs
on the same subnet.
To support roaming between the subnets, the two MSCs also establish a secure
channel with each other to exchange management and control information. One MSC is
designated as the primary. In this scenario, it is MSC A.
Wireless security is provided by enabling 802.1x on the MAPs, using the services of the
RADIUS server to validate logins.
Address allocation is provided by the DHCP server for all devices, even wireless client
stations. (The router must be configured to support DHCP relay.)

Figure: topology for this scenario. Labels recovered from the diagram: DHCP server, RADIUS server and Router/Firewall on 192.168.5.0; a router joining subnets 192.168.1.0 and 192.168.2.0; MSC A, MAP A and MAP B serving Area 1 on 192.168.1.0; MSC B, MAP C and MAP D serving Area 2 on 192.168.2.0.


Autodiscovery
Discovery of MSCs on the same subnet as a MAP is automatic and occurs through
Layer 2 broadcasts.
Discovery of MSCs on different subnets from a MAP is fully automated if the DHCP
server is properly configured. By default a MAP searches for MSCs with the names
cnsrv1, cnsrv2, and cnsrv3 on the default domain returned by the DHCP server. In the
above example, the DHCP server is configured to return company.lan as the default
domain. This means the MAPs will search for MSCs with the following names (in order):
cnserv1.company.lan
cnserv2.company.lan
cnserv3.company.lan
By setting up the DHCP server to associate the name cnserv1.company.lan with the
IP address of the MSC, the MAPs will automatically be able to find and establish a
secure tunnel with it. No configuration is necessary on the MAPs.

Configuration road map

Install the MAPs and the MSC


1. Install the MAP and MSCs as described in the quickstart guide.
2. Before you connect the devices to the network, configure them as described in the
sections that follow.

Configure the MAPs


Configure the wireless network
By default each MAP is configured to automatically select the best operating frequency.
There is no need to change this setting for this scenario.
Note: By default, one radio on the MAP-330 is used to provide the wireless network,
and the other is placed into Monitor mode.

Configure addressing
By default, the MAPs are set to operate as DHCP clients. In the sample topology they
are automatically assigned IP addresses by the DHCP server. To make the MAPs easier
to manage however, it may be useful to assign a static IP address to them as follows:
1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.

Configure the connection to the RADIUS server


1. Select Security > RADIUS.
2. Click Add New Profile.
3. For Profile Name, enter Corporate.
4. Under Primary RADIUS server, specify the Server address (192.168.5.2) and
Secret for the corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.


Configure the VSCs


Use the following steps to define a virtual service community on each MAP:
1. Select VSC > Profiles.
2. Click the Colubris Networks profile in the list to edit it.
Under General, set Name to 8021x.
Under General, disable Use Colubris access controller.
Under SSID, set WLAN name to 8021x.
Disable the Wireless Security Filters checkbox.
Under Wireless protection:
Enable the checkbox and select 802.1x.
For RADIUS profile, select Corporate.
Select RADIUS accounting.
Select Mandatory authentication.
3. Click Save.

Configure the MSCs


Note: To support fast authentication and layer 3 mobility the MSC must have the COS
Services Pack license installed.

Configure addressing
By default, the MSC's LAN port is set to the static IP address 192.168.1.1. For this
scenario, the address needs to be changed as follows:
1. Select Network > Ports.
2. Under Port configuration, click LAN port.
3. Under Addressing, set LAN IP port address to 192.168.1.6 for MSC A and
192.168.2.6 for MSC B.
4. Under Addressing, set LAN port mask to 255.255.255.0 for both units.
5. Click Save.

Configure controller discovery on MSC A


1. Select Management, click Controller discovery.
2. Under Controller discovery:
Select the Enable controller discovery checkbox.
Select the This MSC is primary checkbox.
3. Click Save.

Configure controller discovery on MSC B


1. Select Management, click Controller discovery.
2. Under Controller discovery:
Select the Enable controller discovery checkbox.
Clear the This MSC is primary checkbox.
Set IP address of primary controller to 192.168.1.6.
3. Click Save.


Scenario 6: Access-controlled VSCs and roaming


This scenario shows you how to use the access control functions on the MSC, while at
the same time supporting layer 2 roaming.

How it works

In this scenario two MAPs are installed to provide wireless networking coverage.

Figure: topology for this scenario. Labels recovered from the diagram: DHCP/DNS server, RADIUS server and Router/Firewall on 192.168.5.0; MSC (Internet port, LAN port); Router; VLAN switch; 192.168.10.1 VLAN 10 (Private, DHCP relay enabled on VLAN 10); 192.168.20.1 VLAN 20 (Guest); 192.168.30.1 VLAN 30 (Management); MAP A on LAN port 1 (192.168.10.2 VLAN 10, VLAN 20, 192.168.30.10 VLAN 30); MAP B on LAN port 1 (192.168.10.3 VLAN 10, VLAN 20, 192.168.30.20 VLAN 30); each MAP offers the SSIDs Private and Guest; sample client stations with IP=192.168.10.10, Gateway=192.168.10.1 and IP=192.168.20.15, Gateway=192.168.20.1.

VSCs on the MAPs


Each MAP has two VSCs defined on it as follows:

Private
This VSC is used by employees to access the corporate network. It is not access
controlled. It uses 802.1x to provide secure networking and validates logins using the
corporate RADIUS server.
Once authenticated, employee traffic is forwarded on VLAN 10.
Employees are able to roam between MAPs without losing their connection, even
across different subnets.


Guest
This VSC is used by company guests. It is access controlled, which means:
Guest authentication is handled by the MSC in conjunction with the RADIUS server,
rather than on the MAP.
Guests log in through the public access interface that is provided by the MSC.
Guests cannot roam between subnets. Roaming is only supported on the same
subnet when a VAP is access controlled.
The VSC forwards guest traffic to the MSC on VLAN 20. Once authenticated, guest
traffic is forwarded through the Internet port on the MSC. An access list definition is
used to restrict guest traffic to the router/firewall. This way customers gain access to the
Internet but not the corporate network.

Addressing
Client stations on the Private VSC are assigned addresses on 192.168.10.0 by the
DHCP server by way of the DHCP relay function on the router. The DHCP server must
return the default gateway as the router (192.168.10.1) for these stations.
The MAPs are assigned addresses on 192.168.30.0 by the DHCP server by way of
the DHCP relay function on the router. The DHCP server must return the default
gateway as the router (192.168.30.1) for the MAPs.
Client stations on the Guest VSC are assigned addresses on 192.168.20.0 by the
DHCP server by way of the DHCP relay function on the MSC. The DHCP server must
return the default gateway as the MSC (192.168.20.1) for these stations.
The management VLAN on both MAPs must be configured as the default VLAN on
LAN port 1 for compatibility with the auto-discovery feature.
The corporate DHCP server must be configured to serve addresses on subnet
192.168.20.0 for DHCP requests from the MSC's relay agent, and on subnets
192.168.10.0 and 192.168.30.0 for DHCP requests from the router relay agent.
For the DHCP relay function to work on the MSC and on the router, Network Address
Translation (NAT) must be disabled on both devices. As a result, routes for the
192.168.10.0, 192.168.20.0 and 192.168.30.0 subnets must exist on the corporate
servers (DHCP, DNS, and RADIUS).

Autodiscovery
Discovery of an MSC on the same subnet as a MAP is automatic and occurs through
Layer 2 broadcasts.
Discovery of MSCs on different subnets from a MAP is fully automated if the DHCP
server is properly configured. By default a MAP searches for MSCs with the names
cnsrv1, cnsrv2, and cnsrv3 on the default domain returned by the DHCP server. In the
above example, the DHCP server is configured to return company.lan as the default
domain. This means the MAPs will search for MSCs with the following names (in order):
cnserv1.company.lan
cnserv2.company.lan
cnserv3.company.lan
By setting up the DHCP server to associate the name cnserv1.company.lan with the
IP address of the MSC, the MAPs will automatically be able to find and establish a
secure tunnel with it. No configuration is necessary on the MAPs.
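
Because the MAPs in Scenarios 5 and 6 trust whatever address the discovery names resolve to, it is worth confirming before deployment that those names point only at your own MSCs. The following check is an added example, not Colubris code; the function names, the injected resolver and the sample records (including 192.168.1.77) are constructed for illustration.

```python
import ipaddress
import socket

# Host labels as spelled in the guide's list of fully qualified names. The guide's
# prose spells them cnsrv1..3, so pass `hosts` explicitly if your units use that form.
DISCOVERY_HOSTS = ("cnserv1", "cnserv2", "cnserv3")


def candidate_names(domain, hosts=DISCOVERY_HOSTS):
    """Return the names a MAP would look up, in search order."""
    domain = domain.strip().strip(".").lower()
    if not domain:
        raise ValueError("the DHCP lease carries no default domain")
    return [f"{host}.{domain}" for host in hosts]


def system_resolver(name):
    """Resolve a name to a set of IPv4 strings; an unknown name gives an empty set."""
    try:
        infos = socket.getaddrinfo(name, None, family=socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_discovery(domain, known_mscs, resolver=system_resolver, hosts=DISCOVERY_HOSTS):
    """Compare what the discovery names resolve to with the known MSC addresses.

    Returns (answers, findings): answers lists (name, addresses) in search order,
    findings lists every result an administrator should look at.
    """
    known = {ipaddress.ip_address(a) for a in known_mscs}
    answers, findings, reached = [], [], set()
    for name in candidate_names(domain, hosts):
        addrs = {ipaddress.ip_address(a) for a in resolver(name)}
        answers.append((name, [str(a) for a in sorted(addrs)]))
        for addr in sorted(addrs - known):
            findings.append(f"{name} resolves to {addr}, which is not a known MSC")
        reached |= addrs
    if not reached & known:
        findings.append("no discovery name resolves to a known MSC")
    return answers, findings


if __name__ == "__main__":
    # Constructed DNS data: cnserv1 points at MSC A from Scenario 5, cnserv2 at an
    # address that belongs to no MSC.
    records = {
        "cnserv1.company.lan": {"192.168.1.6"},
        "cnserv2.company.lan": {"192.168.1.77"},
    }
    answers, findings = check_discovery(
        "company.lan", ["192.168.1.6", "192.168.2.6"],
        resolver=lambda name: records.get(name, set()),
    )
    for name, addrs in answers:
        print(name, addrs or "does not resolve")
    for finding in findings:
        print("CHECK:", finding)
```

Run it without the `resolver` argument from a host that uses the same DNS server as the MAPs to test the live records.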


Configuration road map

Important: Start with the configuration defined in Scenario 5a.

Install the MAPs and the MSC


1. Install the MAP and MSCs as described in the quickstart guide.
2. Before you connect the devices to the network, configure them as described in the
sections that follow.

Configure the MAPs


Configure the wireless network
By default each MAP is configured to automatically select the best operating frequency.
There is no need to change this setting for this scenario.
Note: By default, one radio on the MAP-330 is used to provide the wireless network,
and the other is placed into Monitor mode.

Configure the connection to the access controller


By default, the MAPs are configured to use the default gateway returned by the DHCP
server as the access controller. In this scenario, the default gateway is not the access
controller, therefore the address of the access controller must be statically configured
on both MAPs as follows:
1. Select Security > Access controller.
2. Under Access controller address, select Specify access controller MAC
address and specify the MAC address of the MSC LAN port.
3. Click Save.

Configure the connection to the RADIUS server


1. Select Security > RADIUS.
2. Click Add New Profile.
3. For Profile Name, enter Corporate.
4. Under Primary RADIUS server, specify the Server address (192.168.5.2) and
Secret for the corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.

Create VLANs
Three VLANs need to be defined on each MAP: VLAN 10 for employee traffic, VLAN 20
for guest traffic, and VLAN 30 to permit management traffic to reach the MSC.
1. Select Network > Ports.
2. Under VLAN configuration, click Add New VLAN.
Under General
Leave the Port selection as LAN port.
Set VLAN ID to 10.
Set VLAN name to Private.
Under Assign IP address via, select Static.
On MAP A, set IP address to 192.168.30.2.
On MAP B, set IP address to 192.168.30.3.
Set Mask to 255.255.255.0.

Leave Gateway blank.


Click Save.
3. Under VLAN configuration, click Add New VLAN.
Under General
Leave the Port selection as LAN port.
Set VLAN ID to 20.
Set VLAN name to Guest.
Under Assign IP address via, select None.
Click Save.
4. Under Port configuration, click Port 1.
Under VLAN
Select the VLAN checkbox.
Set VLAN ID to 30.
Select the Restrict default VLAN to management traffic only checkbox.
Click Save.

Configure the VSCs


Use the following steps to define a virtual service community on each MAP:
1. Select VSC > Profiles.
2. Click the Colubris Networks profile in the list to edit it.
Under General, set Name to Private.
Under General, disable Use Colubris access controller.
Under SSID, set WLAN name to Private.
Disable the Wireless security filters checkbox.
Under Wireless protection:
Enable the checkbox and select 802.1x.
For RADIUS profile, select Corporate.
Select RADIUS accounting.
Select Mandatory authentication.
Click Save.
3. Click the Add New Profile button.
Under General, set Name to Guest.
Under General, enable Use Colubris access controller.
Under SSID, set WLAN name to Guest.
Disable Wireless protection.
Click Save.


Configure the MSCs


Note: To support fast authentication and layer 3 mobility the MSC must have the COS
Services Pack license installed.

Configure Internet port addressing


By default, the MSC is set to operate as a DHCP client on its Internet port. The DHCP
server should be configured to assign the default gateway to be the router/firewall at
192.168.5.3.

Enable DHCP relay


Enable the DHCP relay option. DHCP requests will be forwarded to the DHCP server
assigned to the Internet port.
1. Select Network > Address allocation.
2. Select DHCP relay agent.
3. Click Save.

Disable NAT on the Internet port


For DHCP relay to work on the MSC, NAT must be disabled on the Internet port.
1. Select Network > Ports.
2. Select Internet port.
3. Clear the Network address translation (NAT) checkbox.
4. Click Save.

Configure LAN port addressing


By default, the MSC's LAN port is set to the static IP address 192.168.1.1. For this
scenario, the address needs to be changed as follows:
1. Select Network > Ports.
2. Under Port configuration, click LAN port.
3. Under Addressing, set LAN IP port address to 192.168.20.1.
4. Under Addressing, set LAN port mask to 255.255.255.0.
5. Click Save.

Configure the connection to the RADIUS server


1. Select Security > RADIUS.
2. Click Add New Profile.
3. For Profile Name, enter Corporate.
4. Under Primary RADIUS server, specify the Server address (192.168.5.2) and
Secret for the corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.


Configure VLANs
VLAN 20 needs to be defined to support guest traffic. It will be associated with the
Guest VSC. VLAN 30 needs to be defined for management traffic. It is not associated
with a VSC.
1. Select Network > Ports.
2. Under VLAN configuration, click Add New VLAN.
Under General
Leave the Port selection as LAN port.
Set VLAN ID to 20.
Set VLAN name to Private.
Under Assign IP address via, select None.
Click Save.
3. Under VLAN configuration, click Add New VLAN.
Under General
Leave the Port selection as LAN port.
Set VLAN ID to 30.
Set VLAN name to Management.
Under Assign IP address via, select Static.
Set IP address to 192.168.30.2.
Set Mask to 255.255.255.0.
Leave Gateway blank.
Click Save.

Configure the guest VSC


To handle guest traffic, a matching guest VSC must be created on the MSC as follows:
1. Select VSC > Profiles.
2. Click the Colubris Networks profile in the list to edit it.
3. On the Add/Edit Virtual Service Community page:
Under General, enter the Name as Public.
Under Virtual AP, enter the WLAN name (SSID) as Guest.
Under VSC ingress mapping, disable the SSID checkbox.
Under VSC ingress mapping, select the VLAN and then select Guest.
Enable HTML-based user logins.
Select the RADIUS authentication checkbox.
For RADIUS Profile, select Corporate.
Click Save.


Define access list


To maintain network security, customer traffic needs to be restricted to the router/firewall
only. Do this on both MSCs by defining an access list as follows:
1. Select Security > Local config.
2. Click the Add New Attribute button.
3. On the Add/Edit attribute page:
Under Attribute, set Name to ACCESS-LIST.
Under Attribute, set Value to guest,ACCEPT,tcp,192.168.5.3,all
Click Add.
4. Click the Add New Attribute button.
5. On the Add/Edit attribute page:
Under Attribute, set Name to USE-ACCESS-LIST.
Under Attribute, set Value to guest
Click Add.
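
The two attributes entered above can be checked offline before they are applied. This is an added example, not Colubris code: it parses the ACCESS-LIST value and flags a USE-ACCESS-LIST that names an undefined list, or an ACCEPT rule that points into the corporate subnets. The meaning of the five fields (list name, action, protocol, address, port), the /24 masks and all function names are assumptions.

```python
import ipaddress
from collections import namedtuple

# Field order is read off the guide's value guest,ACCEPT,tcp,192.168.5.3,all (assumed meaning).
Rule = namedtuple("Rule", "list_name action protocol address port")

# Constructed from the scenario's addressing, with /24 masks assumed.
PROTECTED = ["192.168.5.0/24", "192.168.10.0/24", "192.168.30.0/24"]
ALLOWED = ["192.168.5.3"]  # the router/firewall that guests are meant to reach


def parse_access_list(value):
    """Split one ACCESS-LIST value into its five comma-separated fields."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 5 or not all(parts):
        raise ValueError(f"expected five comma-separated fields, got {value!r}")
    name, action, protocol, address, port = parts
    return Rule(name, action.upper(), protocol.lower(), address.lower(), port.lower())


def audit(attributes, protected_nets=PROTECTED, allowed_hosts=ALLOWED):
    """attributes: (name, value) pairs as typed on the Local config page.

    Returns a list of findings; an empty list means nothing was flagged.
    """
    rules = [parse_access_list(v) for n, v in attributes if n.upper() == "ACCESS-LIST"]
    in_use = [v.strip() for n, v in attributes if n.upper() == "USE-ACCESS-LIST"]
    nets = [ipaddress.ip_network(n) for n in protected_nets]
    allowed = {ipaddress.ip_address(h) for h in allowed_hosts}
    defined = {r.list_name for r in rules}
    findings = []

    if rules and not in_use:
        findings.append("ACCESS-LIST rules exist but no USE-ACCESS-LIST selects one")
    for name in in_use:
        if name not in defined:
            findings.append(f"USE-ACCESS-LIST names {name!r}, which no ACCESS-LIST defines")

    for rule in rules:
        # Only ACCEPT rules of a list that is actually selected can widen guest access.
        if rule.list_name not in in_use or rule.action != "ACCEPT":
            continue
        if rule.address == "all":
            findings.append(f"{rule.list_name}: ACCEPT to any address covers the protected networks")
            continue
        try:
            target = ipaddress.ip_address(rule.address)
        except ValueError:
            findings.append(f"{rule.list_name}: {rule.address} is not a literal address, "
                            "review what it resolves to")
            continue
        if target not in allowed and any(target in net for net in nets):
            findings.append(f"{rule.list_name}: ACCEPT {rule.protocol} to {target} "
                            "reaches a protected network")
    return findings


if __name__ == "__main__":
    guide = [("ACCESS-LIST", "guest,ACCEPT,tcp,192.168.5.3,all"),
             ("USE-ACCESS-LIST", "guest")]
    print("guide values:", audit(guide) or "nothing flagged")
    # Constructed mistakes: a rule that opens a Private-VLAN host, and a misspelled list name.
    print(audit(guide + [("ACCESS-LIST", "guest,ACCEPT,all,192.168.10.10,all")]))
    print(audit([guide[0], ("USE-ACCESS-LIST", "gest")]))
```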


Chapter 5: WDS scenarios

In this chapter you can find sample deployment strategies for using the
WDS standard (wireless distribution system) to wirelessly extend and
interconnect networks.


In this chapter
This chapter contains the following scenarios.

Wireless bridging considerations
Scenario 1: Using RF extension to expand a wired network
Scenario 2: Deploying a point-to-point wireless link
Scenario 3: Setting up multi-hop wireless links


Wireless bridging considerations


Single or dual radios?

A single-radio MAP can be configured to simultaneously support wireless clients and
the creation of one or more wireless bridges. Although this is an economical solution, it
offers reduced throughput since the total available bandwidth is shared between the
bridge and the wireless clients.
A more effective solution is to use a dual-radio MAP, with one radio dedicated to supporting
wireless client stations and the other used for wireless bridging. Another solution would
be to use two single-radio MAPs, with one servicing wireless clients and the other
dedicated to bridging.

Using 802.11a for WDS

Colubris Networks recommends using 802.11a for wireless bridging whenever possible.
This optimizes throughput and reduces the potential for interference because:
Most Wi-Fi clients support 802.11b or b/g, therefore most APs are set to operate in
the 2.4 GHz band. This frees the 5 GHz (802.11a) band for use in other applications
such as WDS.
802.11a provides more channels and more non-overlapping channels (twelve,
including four that are dedicated for point-point use) than 802.11b/g.
Assuming an optimal implementation, 802.11a supports up to 54 Mbps for data
throughput, providing a fat pipe for Point-Point or Point-Multipoint WDS
communications.
Keep in mind that there are limitations inherent in using 802.11a, most notably shorter
reach when compared to 2.4 GHz-based technology. Even so, 802.11a is a good
choice in general for WDS.


Scenario 1: Using RF extension to expand a wired network


Extending a wired network using WDS technology is a quick and effective solution for
increasing network coverage.

How it works

In this scenario a corporate network uses three MAPs to provide wireless access for
employees. Units 1 and 2 are installed in locations that are currently served by the
backbone network. Unit 3 is deployed in an area without cabling support and uses a
wireless bridge to link with unit 2.
Each MAP features two VSCs, one supporting 802.1x and one WPA. Both use the
corporate RADIUS server to authenticate wireless clients.
The corporate DHCP server assigns addresses to all stations, even those on the other
side of the wireless bridge.

Figure: topology for this scenario. Labels recovered from the diagram: Corporate Network 192.168.5.0 with employee workstations, RADIUS server and DHCP server; MAP 1 (single radio operating in 802.11b/g mode); MAP 2 and MAP 3 (radio 1 operating in 802.11b/g mode, radio 2 operating in 802.11a mode) joined by a wireless bridge.

Note: For the bridge to be successful, the wireless cells of units 2 and 3 must overlap,
and both units must be operating in the same wireless mode and on the same channel.


Configuration road map

Install the MAPs


1. Install the MAPs as described in the quickstart guide.
2. Before you connect the MAPs to the LAN, start the Management Tool and
configure all MAPs as described in the sections that follow.

Configure the wireless network


For optimum performance, the wireless channel used for the wireless bridge should be
different from, and not overlap with, the channel used to support wireless client stations.
One effective way to meet this challenge is to use 802.11b/g mode to support wireless
clients and 802.11a mode to create the bridge. Radio 2 will be used to create the bridge
on units 2 and 3.
Do the following on MAP 2 and MAP 3:
1. Select Wireless > Radios.
2. Under Radio 1:
Set Operating mode to Access point only.
Set Operating mode to 802.11b + 802.11g.
Set Channel to Automatic.
3. Under Radio 2:
Set Operating mode to Wireless links only.
Set Operating mode to 802.11a.
Set Channel to Channel 44.
Set Antenna selection to Main antenna.
4. Click Save.

Enable the wireless bridge


Do the following on MAP 2 and MAP 3:
1. Select Wireless > Wireless links.
2. Click Wireless link #1 to edit it.
3. Under Settings, select Enabled.
4. Under Security:
Enable the checkbox.
Select WEP.
Under 128-bit WEP key, enter 26 hexadecimal characters for the key.
5. Under Addressing, set Remote MAC address to the address of wireless port 2 on
the other MAP.
6. Click Save.


Make performance adjustments


Make performance adjustments to MAP 2 and MAP 3 with the following steps:
1. Select Network > Discover protocol.
2. Under Discovery protocol settings, select Disabled. (This suppresses the
unnecessary generation of CDP packets to improve throughput on the bridge.)
3. Open the Tools > Ping page on one unit and ping the other one to ensure that the
bridge is working.
4. Select Status > Wireless.
5. Under Wireless links status, use the SNR value as a guide to adjust the antennas
to obtain the best possible value. A value greater than 20 is good. After each
change, allow a minimum of two minutes for Link speed to report its new value.

Configure addressing
By default, the MAPs are set to operate as DHCP clients. In the sample topology they
are automatically assigned IP addresses by the DHCP server. To make the MAPs easier
to manage, however, it may be useful to assign a static IP address to them as follows:
1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.

Configure the connection to the RADIUS server


1. Select Security > RADIUS.
2. Click Add New Profile.
3. Under Profile Name, enter Corporate.
4. Under Primary RADIUS server, enter the Server address and Secret for the
corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.

Configure a VSC
1. Select VSC > Profiles.
2. Click the Colubris Networks profile in order to edit it.
Under General, set Name to 8021x.
Under SSID, set WLAN name to 8021x.
Clear the Wireless security filters checkbox.
Under Wireless protection:
Enable the checkbox and select 802.1x.
For RADIUS profile, select Corporate.
Select RADIUS accounting.
Click Save.

3. Click Add New Profile.


Under General, set Name to WPA.
Under SSID, set WLAN name to WPA.
Clear the Wireless security filters checkbox.
Under Wireless protection:
Enable the checkbox and select WPA.
Set Mode to WPA or WPA2.
For RADIUS profile, select Corporate.
Select RADIUS accounting.
Select Mandatory authentication.
Click Save.


Scenario 2: Deploying a point-to-point wireless link


This scenario shows you how to use a point-to-point wireless bridge to connect two
networks located in different buildings.
In many cases, it can be more practical and far less expensive to connect two networks
wirelessly than by running cable between them. For example, when:
the distance between two buildings exceeds Ethernet cabling limits
an obstacle (body of water, street, public park) separates the two buildings
the characteristics of one or both buildings preclude adding wires due to safety risks
or building code restrictions
the link is required for a temporary or short-term solution or needs to be deployed
quickly

How it works

In this scenario two MAPs are used to wirelessly link the networks in two offices located
in neighboring buildings, enabling workers in both offices to share data and resources
as if they were on the same network. To maximize signal power, directional antennas
are used to establish the connection, which must be line-of-sight.

Single-radio
When using single-radio units with a directional antenna, a local wireless network
cannot be created at each office. Instead the MAPs are directly connected to the
backbone LANs in each office.

Figure: single-radio topology. Labels recovered from the diagram: Building 1 and Building 2, each with employee workstations; RADIUS server and DHCP server; MAP 1 and MAP 2 with the radio operating in 802.11a mode; wireless bridge between the antennas on the main connectors.


Dual-radio
With dual-radio units, radio 1 can be used to provide wireless networking, and radio 2
can be used to establish the wireless bridge.
Each MAP on radio 1 features two VSCs, one supporting 802.1x and one WPA. Both
use the corporate RADIUS server to authenticate wireless clients.

Figure: dual-radio topology. Labels recovered from the diagram: Building 1 and Building 2, each with employee workstations; RADIUS server and DHCP server; MAP 1 and MAP 2, each with Radio 1 operating in 802.11b/g mode; Radio 2 operating in 802.11a mode; wireless bridge between the antennas on the main connectors.

Configuration road map (single radio)

Install the MAPs


1. Install the MAPs as described in the quickstart guide.
2. Attach a directional antenna to the Main radio connector.
3. Before you connect the MAPs to the LAN, start the Management Tool and
configure all MAPs as described in the sections that follow.

Configure the wireless network


1. Select Wireless > Radio.
2. Under Radio:
   - Set Operating mode to Wireless links only.
   - Set Operating mode to 802.11a.
   - Set Channel to Channel 44.
   - Set Antenna selection to Main antenna.
3. Click Save.


Configure addressing
By default, the MAPs are set to operate as DHCP clients. In the sample topology they
are automatically assigned IP addresses by the DHCP server. To make the MAPs easier
to manage, however, it may be useful to assign a static IP address to them as follows:
1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.

Enable the wireless bridge


Do the following on both MAPs:
1. Select Wireless > Wireless links.
2. Click Wireless link #1 to edit it.
3. Under Settings, select Enabled.
4. Under Security:
   - Enable the checkbox.
   - Select WEP.
   - Under 128-bit WEP key, enter 26 hexadecimal characters for the key.
5. Under Addressing, set Remote MAC address to the MAC address of the other
unit.
6. Click Save.

Make performance adjustments


Make performance adjustments to MAP 2 and MAP 3 with the following steps:
1. Open the Tools > Ping page on one unit and ping the other one to ensure that the
bridge is working.
2. Select Status > Wireless.
3. Under Wireless links status, use the SNR value as a guide to adjust the antennas
to obtain the best possible value. A value greater than 20 is good. After each
change, allow a minimum of two minutes for Link speed to report its new value.


Configuration road map: dual radios

Install the MAPs

1. Install the MAPs as described in the quickstart guide.
2. Attach a directional antenna to the Main connector for radio 2.
3. Before you connect the MAPs to the LAN, start the Management Tool and
configure all MAPs as described in the sections that follow.

Configure the wireless network


For optimum performance, the wireless channel used for the wireless bridge should be
different from, and non-overlapping with, the channel used to support wireless client stations.
One effective way to meet this challenge is to use 802.11b/g mode to support wireless
clients and 802.11a mode to create the bridge. Radio 2 will be used to create the bridge.
Do the following on both MAPs:
1. Select Wireless > Radios.
2. Under Radio 1:
   - Set Operating mode to Access point only.
   - Set Operating mode to 802.11b + 802.11g.
   - Set Channel to Automatic.
3. Under Radio 2:
   - Set Operating mode to Wireless links only.
   - Set Operating mode to 802.11a.
   - Set Channel to Channel 44.
   - Set Antenna selection to Main antenna.
4. Click Save.

Configure addressing
By default, the MAPs are set to operate as DHCP clients. In the sample topology they
are automatically assigned IP addresses by the DHCP server. To make the MAPs easier
to manage, however, it may be useful to assign a static IP address to them as follows:
1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.


Enable the wireless bridge


Do the following on both MAPs:
1. Select Wireless > Wireless links.
2. Click Wireless link #1 to edit it.
3. Under Settings:
   - Select Enabled.
   - For Transmit/receive on, select Radio 2.
4. Under Security:
   - Enable the checkbox.
   - Select WEP.
   - Under 128-bit WEP key, enter 26 hexadecimal characters for the key.
5. Under Addressing, set Remote MAC address to the MAC address of wireless port
2 on the other unit.
6. Click Save.

Make performance adjustments


Make performance adjustments with the following steps:
1. Open the Tools > Ping page on one unit and ping the other one to ensure that the
bridge is working.
2. Select Status > Wireless.
3. Under Wireless links status, use the SNR value as a guide to adjust the antennas
to obtain the best possible value. A value greater than 20 is good. After each
change, allow a minimum of two minutes for Link speed to report its new value.

Configure the connection to the RADIUS server


1. Select Security > RADIUS.
2. Click Add New Profile.
3. Under Profile Name, enter Corporate.
4. Under Primary RADIUS server, enter the Server address and Secret for the
corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.


Configure a VSC
1. Select VSC > Profiles.
2. Click the Colubris Networks profile in order to edit it.
   - Under General, set Name to 8021x.
   - Under SSID, set WLAN name to 8021x.
   - Clear the Wireless Security Filters checkbox.
   - Under Wireless protection:
   - Enable the checkbox and select 802.1x.
   - For RADIUS profile, select Corporate.
   - Select RADIUS accounting.
   - Click Save.
3. Click Add New Profile.
   - Under General, set Name to WPA.
   - Under SSID, set WLAN name to WPA.
   - Clear the Wireless Security Filters checkbox.
   - Under Wireless protection:
   - Enable the checkbox and select WPA.
   - Set Mode to WPA or WPA2.
   - For RADIUS profile, select Corporate.
   - Select RADIUS accounting.
   - Select Mandatory authentication.
   - Click Save.


Scenario 3: Setting up multi-hop wireless links


The Colubris WDS implementation can be used to provide repeater-like functionality to
extend the distance that a wireless bridging solution can span.
When signal loss or excessive distance between the two stations precludes the use of a
single hop/high gain directional antenna solution, a multi-hop strategy can be used to
deploy the service.

How it works

In this scenario three MAPs are used to create a wireless link between two buildings
that are not within direct line of sight.

[Figure: multi-hop wireless link between Building 1 and Building 2 through MAP 1, MAP 2 and MAP 3, with one hop on Channel 44 and the other on Channel 36. Labels: "Both radios operating in 802.11a mode", "Radio 1 operating in 802.11b/g mode". Also shown: antennas, RADIUS server, DHCP server and employee workstations.]

MAP 3 is within line of sight of both MAP 1 and MAP 2. The two radios on MAP 3 are set
to operate on different channels to avoid interference and increase throughput. (Every
added WDS-link on the same frequency cuts throughput roughly by a factor of two.)
This concept can be extended to cover even longer ranges as follows:

[Figure: extended multi-hop chain from Building 1 to Building 2 through MAP 1, MAP 2, MAP 3, MAP 4 and MAP 5, with successive hops labelled Channel 44, Channel 36, Channel 44 and Channel 36.]


Configuration road map

Install the MAPs


1. Install the MAPs as described in the quickstart guide.
2. Attach directional antennas to the Main radio connectors as follows:
   - On MAPs 1 and 2, attach to radio 2.
   - On MAP 3, attach to both radio 1 and radio 2.
3. Before you connect the MAPs to the LAN, start the Management Tool and
configure all MAPs as described in the sections that follow.

Configure the wireless network


For optimum performance, the wireless channel used for the wireless bridge should be
different from, and non-overlapping with, the channel used to support wireless client stations.
One effective way to meet this challenge is to use 802.11b/g mode to support wireless
clients and 802.11a mode to create the bridge.

MAP 1 and MAP 2 configuration


1. Select Wireless > Radios.
2. Under Radio 1:
   - Set Operating mode to Access point only.
   - Set Operating mode to 802.11b + 802.11g.
   - Set Channel to Automatic.
3. Under Radio 2:
   - Set Operating mode to Wireless links only.
   - Set Operating mode to 802.11a.
   - On MAP 1, set Channel to Channel 44.
   - On MAP 2, set Channel to Channel 36.
   - Set Antenna selection to Main antenna.
4. Click Save.

MAP 3 configuration
1. Select Wireless > Radios.
2. Under Radio 1:
   - Set Operating mode to Wireless links only.
   - Set Operating mode to 802.11a.
   - Set Channel to Channel 44.
   - Set Antenna selection to Main antenna.
3. Under Radio 2:
   - Set Operating mode to Wireless links only.
   - Set Operating mode to 802.11a.
   - Set Channel to Channel 36.
   - Set Antenna selection to Main antenna.
4. Click Save.


Configure addressing
By default, MAPs operate as DHCP clients. In the sample topology they are
automatically assigned IP addresses by the DHCP server. To make the MAPs easier to
manage, however, it may be useful to assign a static IP address to them as follows:
1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.

Enable the wireless bridge


MAP 1 and MAP 2 configuration
1. Select Wireless > Wireless links.
2. Click Wireless link #1 to edit it.
3. Under Settings:
   - Select Enabled.
   - For Transmit/receive on, select Radio 2.
4. Under Security:
   - Enable the checkbox.
   - Select WEP.
   - Under 128-bit WEP key, enter 26 hexadecimal characters for the key.
5. Under Addressing, set Remote MAC address as follows:
   - On MAP 1, set the MAC address of wireless port 1 on MAP 3.
   - On MAP 2, set the MAC address of wireless port 2 on MAP 3.
6. Click Save.

MAP 3 configuration
1. Select Wireless > Wireless links.
2. Click Wireless link #1 to edit it.
3. Under Settings, select Enabled.
4. Under Security:
   - Enable the checkbox.
   - Select WEP.
   - Under 128-bit WEP key, enter 26 hexadecimal characters for the key.
5. Under Addressing, set Remote MAC address to the MAC address of wireless port
2 on MAP 1.
6. Click Save.
7. Click Wireless link #2 to edit it.
8. Under Settings:
   - Select Enabled.
   - For Transmit/receive on, select Radio 2.


9. Under Security:
   - Enable the checkbox.
   - Select WEP.
   - Under 128-bit WEP key, enter 26 hexadecimal characters for the key.
10. Under Addressing, set Remote MAC address to the MAC address of wireless port
2 on MAP 2.
11. Click Save.
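
The multi-hop road map above only works if the values entered on the three units agree: the same 26-character key at both ends of a link, Remote MAC addresses that point at each other's bridge radio, and the same channel per hop. The Python sketch below is an added example, not Colubris code; it checks a written-down plan before the values are typed into the Management Tool. The MAC addresses, the dictionary layout and the use of one key per link are assumptions.

```python
import re
import secrets

HEX26 = re.compile(r"[0-9A-Fa-f]{26}")
LINKS_ONLY = "Wireless links only"

def new_wep_key():
    """26 hex characters (13 bytes, 104 bits) from the OS CSPRNG."""
    return secrets.token_hex(13).upper()

def key_problems(key):
    if not HEX26.fullmatch(key):
        return ["key is not exactly 26 hexadecimal characters"]
    if len(set(key.upper())) < 4:
        return ["key is a trivial pattern (fewer than 4 distinct digits)"]
    return []

def end(unit, radio, remote_mac, key):
    """One end of a wireless link as entered under Wireless > Wireless links."""
    return {"unit": unit, "radio": radio, "remote_mac": remote_mac, "key": key}

def check_plan(radios, links):
    """Return a list of inconsistencies; an empty list means the plan agrees."""
    findings = []
    for a, b in links:
        name = f"{a['unit']}<->{b['unit']}"
        ra, rb = radios[a["unit"], a["radio"]], radios[b["unit"], b["radio"]]
        for e, own, peer in ((a, ra, rb), (b, rb, ra)):
            if own["mode"] != LINKS_ONLY:
                findings.append(f"{name}: {e['unit']} radio {e['radio']} mode is not '{LINKS_ONLY}'")
            findings += [f"{name}: {e['unit']} {p}" for p in key_problems(e["key"])]
            if e["remote_mac"].lower() != peer["mac"].lower():
                findings.append(f"{name}: {e['unit']} Remote MAC address is not the peer radio")
        if a["key"].upper() != b["key"].upper():
            findings.append(f"{name}: WEP keys differ between the two ends")
        if ra["channel"] != rb["channel"]:
            findings.append(f"{name}: channel mismatch {ra['channel']} vs {rb['channel']}")
    seen = {}  # (unit, channel) -> first bridge radio seen on that channel
    for (unit, radio), cfg in radios.items():
        if cfg["mode"] == LINKS_ONLY and seen.setdefault((unit, cfg["channel"]), radio) != radio:
            findings.append(f"{unit}: both bridge radios share channel {cfg['channel']}")
    return findings

def sample_plan():
    """Constructed plan for the three-MAP topology; MAC addresses are made up."""
    mac = "02:00:00:00:0{}:0{}".format
    radios = {(u, r): {"mac": mac(u[-1], r), "mode": LINKS_ONLY, "channel": ch}
              for u, r, ch in (("MAP1", 2, 44), ("MAP2", 2, 36), ("MAP3", 1, 44), ("MAP3", 2, 36))}
    k1, k2 = new_wep_key(), new_wep_key()  # assumption: one key per link
    links = [(end("MAP1", 2, mac(3, 1), k1), end("MAP3", 1, mac(1, 2), k1)),
             (end("MAP2", 2, mac(3, 2), k2), end("MAP3", 2, mac(2, 2), k2))]
    return radios, links

if __name__ == "__main__":
    radios, links = sample_plan()
    print(check_plan(radios, links) or "plan is consistent")
    links[1][1]["remote_mac"] = "02:00:00:00:01:02"  # wrong peer entered on MAP 3, link #2
    print(check_plan(radios, links))
```
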

Make performance adjustments


Use the following steps to make performance adjustments to MAP 1 and MAP 2, and
then repeat for MAP 2 and MAP 3.
1. Open the Tools > Ping page on one unit and ping the other one to ensure that the
bridge is working.
2. Select Status > Wireless.
3. Under Wireless links status, use the SNR value as a guide to adjust the antennas
to obtain the best possible value. A value greater than 20 is good. After each
change, allow a minimum of two minutes for Link speed to report its new value.


Chapter 6: More from Colubris



In this chapter you can find information about the resources that are
available to you at the Colubris website, as well as information about how
to contact Colubris support, training, and sales.


Colubris.com
Visit Colubris.com to access Datasheets, Whitepapers, Case Studies, and
Solution Guides. From the left side of the homepage, select Literature in order to view
these menu items. Access to this material is free and does not require product
registration.

For registered customers

By registering your product at Colubris.com, you can access the information listed
below.
To register, simply go to Colubris.com and from the left side of the home page select
Support > Product Registration. Complete and submit the Product Registration
Form in order to gain access to the support area of the website.
Once you register your product purchase with Colubris, you can log in and access the
following information:
- Technical documentation
- Administrators guides
- Quickstart guides
- Quick setup tools
- SNMP MIBs
- Software license agreement
- Return Material Authorization (RMA) procedures and forms

For Annual Maintenance Support Program customers

Colubris Networks offers a comprehensive set of annual support programs that focus on
the hardware and software content of Colubris' award-winning family of secure Wi-Fi
solutions.
Annual Maintenance Support Programs provide a broad level of hardware and software
assistance that combines various elements of support:
- Telephone-based technical support
- Hardware support
- Software support
When visiting Colubris.com, customers who have purchased an Annual Maintenance
Support Program can access the following information in addition to the website
material discussed above:
- FAQs
- Technical notes
- Release notes
- Software downloads


Information by telephone and e-mail


You can contact Colubris support, training, and sales directly as follows:
Colubris Customer Support team:
- E-mail support@colubris.com
- Telephone toll-free from within the United States and Canada by dialing
  1-866-241-8324, then select option 1.
- To telephone the Colubris Customer Support team from other countries, dial the
  International Direct Dialing prefix (IDD) for the country from which you are calling,
  then dial 1-781-684-0001. Select option 1.
  You can find a list of IDDs, as well as more information about making international
  calls, at http://kropla.com/dialcode.htm.

Colubris training department: E-mail training@colubris.com

Colubris sales information: E-mail sales@colubris.com
