Administrator’s Guide
Release 3.1.0 (August 2005) 43-10-0320-12
Copyright © 2005 Colubris Networks Inc. All rights reserved, including those to
reproduce this document or parts thereof in any form without written permission from
Colubris Networks Inc.
Colubris is a registered trademark, and the Colubris Networks logo, the tag line “The
Intelligent Wireless Networking Choice,” InReach, InMotion, InCharge, and TriPlane are
trademarks of Colubris Networks Inc., in the United States and other countries.
All other product and brand names are the service marks, trademarks, registered
trademarks, or registered service marks of their respective owners.
Changes are periodically made to the information herein; these changes will be
incorporated into new editions of the document.
You can download the most up-to-date product information from the Colubris Networks
website. Go to www.colubris.com and on the homepage at left select Support >
Product Registration.
Sales Information—sales@colubris.com
Customer Support—support@colubris.com
Training—training@colubris.com
http://www.colubris.com
Contents
Chapter 1: Introduction
About this guide
Important terms
Typographical conventions
Warnings, cautions, and notes
Related documents
Hardware overview
Front and rear panels
Radio
Antennas
Ethernet port(s)
Powering the MAP
Status lights
Radio(s)
Reset button
Hardware Installation
Mounting options
Daisy-chaining
Configuring the MAP

Chapter 2: How it works
Overview
Public access deployment
Enterprise deployment
Management Tool
Management station
Starting the Management Tool
Administrator account
Security
Virtual access points
Setting up a VAP
General
SSID
Egress VLAN
Wireless security filters
Wireless protection
MAC-based authentication
MAC filter
IP filter
Working with an access controller
Connecting to a Colubris access controller
Using other access controllers
Customer authentication and access control
Authentication methods
Access control
Using multiple authentication mechanisms
Wireless coverage
Wireless mode
Factors limiting wireless coverage
Configuring overlapping wireless cells
Conducting a site survey
Identifying unauthorized access points
RF performance
Client station data rate limits
Multicast rate limit
Addressing
Default settings
DNS
Layer 2 security
Session limits
Authentication
Security options
Do not broadcast wireless network name
Wireless bridging
RF extension
Building-to-building connections
Important
Setting up a wireless link
Advanced settings
VLAN support
Creating VLANs
Assigning traffic to VLANs
VLAN bridging
Quality of service (QoS)
Traffic queues
QoS priority mechanisms
QoS example
Firmware management
Manual update
Scheduled install
Using cURL
Configuration management
Manual management
Using cURL
Using a RADIUS server
Creating a RADIUS client entry for the MAP
Creating user profiles on the RADIUS server
Creating administrator profiles on the RADIUS server

Chapter 3: Public access scenarios
In this chapter
Scenario 1a: Public access network with roaming
How it works
Configuration roadmap
Scenario 1b: Adding layer 2 security
How it works
Configuration roadmap
Scenario 1c: Adding wireless bridging
How it works
Configuration roadmap
Scenario 2: Supporting public and private access with VLANs
How it works
Configuration roadmap

Chapter 4: Enterprise scenarios
In this chapter
Scenario 1: Integrating secure wireless networking
How it works
Configuration roadmap
Scenario 2: Integrating into a segmented network
How it works
Configuration roadmap
Scenario 3: Wireless bridging - RF extension
How it works
Configuration roadmap
Scenario 4: Wireless bridging - point-to-point wireless link
How it works
Configuration roadmap - single radio
Configuration roadmap - dual radios
Scenario 5a: Using multiple wireless profiles and QoS
How it works
Configuration roadmap
Scenario 5b: Supporting Spectralink phones
How it works
Configuration roadmap

Chapter 5: More from Colubris
Colubris.com
For registered customers
For Annual Maintenance Support Program customers
Information by telephone and e-mail
Chapter 1: Introduction
In this chapter you will find an explanation of the conventions used in
this manual, an overview of the hardware, and instructions on how to
power up an InReach™ MultiService Access Point (MAP).
Important terms

Term                              Description
MAP                               The acronym MAP is used to refer to the MAP-320 and MAP-330.
InMotion MultiService Controller  Refers to all Colubris Networks products that are part of the InMotion family, including the MSC-3200, MSC-3300, MSC-5200, MSC-5500 and MGW-3500.
Customer                          The term customer refers to any person or device that logs into the public access network created by a Colubris Networks Access Point.
Typographical conventions

Example                   Description
Network > Ports           When referring to the management tool web interface, items in bold type identify menu commands or input fields. They are presented exactly as they appear on screen. Submenus are indicated using the ‘>’ sign. The example refers to the Ports submenu, which is found under the Network menu.
ip_address                Items in italics are parameters that you must supply a value for.
use-access-list=usename   Monospaced text is used to present command line output, program listings, or commands that are entered into configuration files or profiles.
ssl-certificate=URL [%s]  Items enclosed in square brackets are optional. You can either include them or not. Do not include the brackets.
[ONE | TWO]               Items separated by a vertical line indicate one or more choices. Specify only one of the items.
Note: The Management Tool web interface is an element management system that is
distinct from the Colubris Networks InCharge™ network management system.
Warnings, cautions, and notes

Lead      Description
Warning!  Warnings provide information that you must follow to avoid the risk of physical injury.
Related documents

This guide may refer to the following documents. Instructions on how to access
additional documentation are given on the copyright page.

Document                   Provides you with . . .
Technical Reference Guide  Detailed examples for using third-party RADIUS servers, the Colubris back-end archive, and certificates. It also covers a number of other technical topics.
Hardware overview
[Figure: front and rear panels, with labels Main, Aux, Ethernet 1 and 2, Reset, 5 volts, 802.3af, and Radio 2 Main and Aux]
Radio
• The MAP-320 has a single radio with two antenna connectors. It can create a single
wireless cell.
• The MAP-330 has two radios, each with two antenna connectors. Each radio can
create a single wireless cell. Radio 1 connectors are located on the front panel, and
radio 2 connectors are located on the rear panel.
Antennas
Each radio is supported by two antenna connectors, which are used to transmit and
receive on a single wireless cell. If a single antenna is used, it can be attached to either
connector.
Connector type
The connectors are reverse-polarity SMA male jacks. This means antennas or cable
connectors must be SMA female connectors with reverse polarity. Antennas can be
either directly attached or attached via a coax cable. When using a coax cable, it is
recommended that you connect it to the MAIN connector.
Antenna diversity
The MAP supports both transmit and receive diversity.
Transmit diversity
For a given client station connection, the MAP always transmits on the antenna on
which it receives. If transmission fails, the MAP automatically switches antennas and retries.
Receive diversity
• In 802.11b, the MAP does selection diversity, which means selecting the antenna for
receive based on the SNR calculated while receiving the preamble, on a per frame
basis.
• For 802.11a and 802.11g, including mixed 802.11b and 802.11g, the receiver
switches antenna when the signal quality goes below a certain threshold.
Ethernet port(s)
The MAP has two 10/100 Mbps Ethernet ports with RJ-45 connectors. These ports are
bridged together and are functionally identical except that only port 1 supports Power
over Ethernet.
Note: Do not connect the Ethernet ports directly to a metropolitan area network (MAN)
or wide area network (WAN).
Important: All Ethernet port connections must be made with a shielded Ethernet cable.
Powering the MAP
There are two ways to power the MAP: DC adapter or PoE.
DC power adapter
The supplied DC power adapter provides 2A at 5V.
Important: The power adapter is not rated for use in plenum installations.
Status lights
The status lights provide the following operational information.
Power
  on        The MAP is fully operational.
  flashing  The MAP is starting up.
  off       Power is off.
Ethernet
  on        LED comes on for a short period when the link is established.
  flashing  Indicates that an Ethernet port is transmitting or receiving.
  off       Ports are not connected or there is no activity.
Wireless
  flashing  Wireless port is receiving data.
Startup behavior
When power is applied to the MAP, the power light will start flashing. When the power
light stops flashing, initialization is complete and the MAP is fully operational.
Radio(s)
The MAP provides support for IEEE 802.11a and 802.11b/g technologies which can be
configured in real-time for complete flexibility of operation.
• When operating in 802.11a mode, the radio supports data rates of up to 54 Mbps.
• When operating in 802.11b/g mode, the radio provides data rates up to 54 Mbps.
The power output of the radio and the operating channels (frequencies) that are
available are governed by the regulations in your country. The MAP automatically
provides the appropriate range of operating values for you to choose from.
Reset button
Use the end of a paper clip or another pointy object to press the reset button.
Restarting
Press and release the button quickly to restart the MAP. This is equivalent to
disconnecting and reconnecting the power. The MAP will restart immediately.
Hardware Installation
Important: Installation must be performed by a professional installer familiar with local
regulations governing wireless devices.
Mounting options
When mounting the MAP on a wall, ceiling or other surface, make sure that:
• the surface you attach the MAP to and the fasteners you use are able to support at
least 5.1 kg (11.25 pounds)
• cable pull (accidental or otherwise) must not make the unit exceed the 5.1 kg (11.25
pound) limit
Plenum installations
Plenum rated cables and attachment hardware must be used if the MAP is installed in a
plenum. Since the power adapter is not rated for plenum installations, only the MAP and
appropriate cabling can be located in the plenum.
Note: Colubris Networks supplied PoE injectors (available separately) cannot be
installed inside the plenum.
Mounting bracket
An optional mounting bracket is available. Contact Colubris Networks for details.
Daisy-chaining
MAPs can be daisy-chained together to eliminate the need for a backbone LAN. Use a
cross-over cable to connect the units as illustrated.
Note: VLANs are not supported when the units are daisy-chained.
Configuring the MAP
Before attaching the MAP to your network, it is recommended that you start the
management tool and define basic configuration settings as outlined in the Quick Start
Guide. Once this is done, refer to Chapter 2 for additional configuration information.
Chapter 2: How it works
The Colubris® Networks InReach™ MultiService Access Points are
highly scalable solutions that offer leading-edge security and
manageability features specifically designed for a wide range of
networking environments.
This chapter describes the most important features of the InReach MAP-320
and MAP-330 and explains how they can be used to address a wide
range of wireless connectivity challenges.
Overview
The MAP can be used as a stand-alone access point or as a satellite in conjunction with
other Colubris® Networks products. As a satellite, the role of the MAP is to extend the
wireless network and provide intelligent data forwarding to maintain the security of the
network.
When multiple MAPs are deployed they can be:
• Daisy-chained by connecting the Ethernet ports on two units with a cross-over cable.
• Interconnected using a backbone LAN.
• Linked through a wireless bridge. The MAP can establish wireless links with up to six
other units.
Public access deployment
The following diagram illustrates the MAP in use in a public access network.
[Figure: public access deployment, with labels Protected Network Resources, InMotion MultiService Controller, RADIUS server, Backbone LAN, Public WLAN, Daisy chain, and Wireless bridge]
The MAP uses the services of an access controller (such as a Colubris Networks
InCharge™ MultiService Controller) to manage customer logins to the public access
network. In most setups, the access controller will take advantage of a RADIUS server
to store the customer accounts.
To maintain the security of the network, the MAP employs a security filter that only
allows traffic to flow between itself and the access controller. This prevents wireless
stations from accessing resources on the backbone LAN.
To reach the protected network resources, wireless customers must successfully log in
to the public access interface managed by the access controller.
For detailed scenarios illustrating how the MAP can be deployed in a public access
environment, see Chapter 3.
Enterprise deployment
The following diagram illustrates the MAP in use in an enterprise network.
[Figure: enterprise deployment, with labels Corporate Backbone, RADIUS server, Backbone LAN, Public WLAN, Daisy chain, and Wireless bridge]
In this type of scenario, the MAP provides wireless access to users of a corporate
network. The MAP supports 802.1x/WPA and WEP security. User authentication is
handled via the corporate RADIUS server.
Support for multiple SSIDs, QoS, and VLANs makes the MAP an effective tool for
delivering wireless access in the corporate environment.
For detailed scenarios illustrating how the MAP can be deployed in an enterprise
environment, see Chapter 4.
Management Tool
The Management Tool is a Web-based interface to the MAP that provides easy access
to all configuration functions.
Management station
The management station is the computer that an administrator uses to connect to the
Management Tool. To act as a management station, a computer must:
• Have a JavaScript-enabled Web browser installed (Netscape 7.01 or higher, or
Internet Explorer 6.0 or higher with all updates)
• Be able to establish an IP connection with the MAP, either through the wireless port or
LAN ports
Starting the Management Tool
2. If the MAP is directly connected to the management station via a cross-over cable, in
the address box, specify: HTTPS://192.168.1.1.
3. Press Enter. You will be prompted to accept a Colubris Networks security certificate.
To safeguard the security of the MAP, access to the management tool must occur
via a secure connection. Before this connection can be established, you must accept
a Colubris Networks security certificate. The procedure for accepting the certificate
varies depending on the browser you are using. You must accept the certificate to
continue. (To eliminate this warning message you can install your own certificate.)
4. After you accept the Colubris Networks certificate, the management tool Login page
opens. By default, the username and password are both set to admin.
Account policy
To maintain the integrity of the configuration settings, only one administrator can be
connected to the management tool at a given time. To prevent the management tool
from being locked up by an idle administrator, two mechanisms are in place:
• If an administrator’s connection to the management tool remains idle for more than ten
minutes, the MAP automatically logs the administrator out.
• If a second administrator connects to the management tool and logs in with the
correct username and password, the first administrator’s session is terminated. If
required, you can disable this mechanism on the Management > Management tool
page.
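
A small model of the two mechanisms above, added here as an illustration and not taken from the MAP firmware. Identifying an administrator by source address, the event names, and the behaviour that a second login is refused when the takeover mechanism is disabled are assumptions of this example; the timeline is constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IDLE_LIMIT_S = 10 * 60  # "idle for more than ten minutes"


@dataclass
class AdminSession:
    """Single-administrator policy: one session, idle logout, optional takeover."""
    allow_takeover: bool = True      # the mechanism the guide says can be disabled
    owner: Optional[str] = None      # source address of the current administrator (assumption)
    last_seen: float = 0.0
    audit: List[Tuple[float, str, str]] = field(default_factory=list)

    def _expire(self, now: float) -> None:
        # Strictly "more than" ten minutes: exactly 600 s idle is still a live session.
        if self.owner is not None and now - self.last_seen > IDLE_LIMIT_S:
            self.audit.append((self.last_seen + IDLE_LIMIT_S, "idle-logout", self.owner))
            self.owner = None

    def login(self, now: float, source: str) -> str:
        """A login with the correct username and password from `source`."""
        self._expire(now)
        if self.owner is None or self.owner == source:
            outcome = "login"
        elif self.allow_takeover:
            # Second administrator logs in: the first session is terminated.
            self.audit.append((now, "terminated", self.owner))
            outcome = "takeover"
        else:
            # Assumption: with the mechanism disabled the second login is refused.
            self.audit.append((now, "rejected", source))
            return "rejected"
        self.owner, self.last_seen = source, now
        self.audit.append((now, outcome, source))
        return outcome

    def request(self, now: float, source: str) -> bool:
        """Any management-tool request; only the session owner's requests succeed."""
        self._expire(now)
        if self.owner != source:
            return False
        self.last_seen = now
        return True


def replay(events, allow_takeover=True):
    """Run (time, kind, source) events through the policy; return results and audit trail."""
    session = AdminSession(allow_takeover=allow_takeover)
    results = []
    for t, kind, source in events:
        if kind == "login":
            results.append(session.login(t, source))
        else:
            results.append(session.request(t, source))
    return results, session.audit


def takeovers(audit):
    """Events worth alerting on: a live session displaced by another login."""
    return [(t, src) for t, kind, src in audit if kind == "takeover"]


# Constructed timeline: seconds since start, event kind, source address.
TIMELINE = [
    (0, "login", "192.168.1.10"),
    (300, "request", "192.168.1.10"),
    (400, "login", "192.168.1.77"),     # second administrator arrives
    (450, "request", "192.168.1.10"),   # first administrator finds the session gone
    (1000, "request", "192.168.1.77"),  # exactly 600 s idle: still logged in
    (1601, "request", "192.168.1.77"),  # 601 s idle: logged out
    (1700, "login", "192.168.1.10"),
]

if __name__ == "__main__":
    for enabled in (True, False):
        results, audit = replay(TIMELINE, allow_takeover=enabled)
        print("takeover enabled:" if enabled else "takeover disabled:", results)
        for entry in audit:
            print("   ", entry)
```

While the takeover mechanism is enabled, a takeover from an unexpected address indicates that someone else holds valid administrator credentials; with it disabled, an abandoned session blocks other administrators until the idle limit passes.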
HTTPS
Communication between the management station and the MAP occurs via HTTPS.
Before logging onto the management tool, administrators must accept a Colubris
Networks certificate. You can replace this certificate with your own.
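
Accepting the certificate in the browser, as in the login steps and the HTTPS description above, does not by itself confirm that the device answering is the MAP. One way to make the acceptance repeatable is to record the certificate's SHA-256 fingerprint on first contact (for example over the direct cross-over cable connection) and compare it on each later connection. This is an added example, not Colubris code; port 443, the pin-store layout and the function names are assumptions, and the sample certificates are constructed byte strings.

```python
import hashlib
import hmac
import json
import ssl
from pathlib import Path

# Default management address from the guide; port 443 is an assumption.
MAP_ADDR = ("192.168.1.1", 443)


def fingerprint_from_pem(pem: str) -> str:
    """SHA-256 fingerprint (lowercase hex) of a PEM certificate's DER encoding."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def check_pin(store: dict, host: str, pem: str) -> str:
    """Trust on first use: record the fingerprint once, compare it afterwards.

    Returns "enrolled", "match" or "mismatch". A mismatch never overwrites the
    stored pin; after deliberately installing your own certificate, delete the
    host's entry and enrol again.
    """
    seen = fingerprint_from_pem(pem)
    pinned = store.get(host)
    if pinned is None:
        store[host] = seen
        return "enrolled"
    if hmac.compare_digest(pinned, seen):
        return "match"
    return "mismatch"


def load_store(path: Path) -> dict:
    """Read the pin store (JSON object: host -> fingerprint); empty if absent."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(path: Path, store: dict) -> None:
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


def fetch_certificate(addr=MAP_ADDR) -> str:
    """Fetch the certificate the device presents, without validating it.

    An older device may offer only protocol versions that a current OpenSSL
    build refuses; that typically surfaces here as ssl.SSLError.
    """
    return ssl.get_server_certificate(addr)


def demo() -> list:
    """Offline walk-through with constructed stand-ins for two certificates."""
    first = ssl.DER_cert_to_PEM_cert(b"constructed stand-in: certificate seen on first contact")
    other = ssl.DER_cert_to_PEM_cert(b"constructed stand-in: different certificate seen later")
    store = {}
    host = MAP_ADDR[0]
    return [
        check_pin(store, host, first),   # first contact: enrolled
        check_pin(store, host, first),   # same certificate again: match
        check_pin(store, host, other),   # different certificate: mismatch
    ]


if __name__ == "__main__":
    print(demo())
    # Against a real unit (requires network access to the MAP):
    #   pins = load_store(Path("map_pins.json"))
    #   print(check_pin(pins, MAP_ADDR[0], fetch_certificate()))
    #   save_store(Path("map_pins.json"), pins)
```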
Port blocking
Access to the management tool can be explicitly enabled/disabled for each of the
following:
• Wireless port
• Ethernet ports
• VLANs
Setting up a VAP
To set up a VAP, use the Virtual AP > Profiles page. By default, the Colubris
Networks VAP is defined.
Click the name to customize the VAP. The VAP Add/Edit page opens. By default, it
presents the following options:
If you enable the Use Colubris access controller feature, only the following options
are available.
Refer to the sections that follow for complete descriptions of all VAP settings.
General
Name
Specify a name to identify the VAP.
Use Colubris access controller
Enable this option to have this profile use the services of a Colubris Networks access
controller for authentication and control of client sessions.
When enabled, all customer traffic is sent to the access controller defined on the
Security > Access controller page, and the Wireless Security Filters option is
enabled.
DTIM count
Defines the DTIM period in the beacon. Client stations use the DTIM to wake up from
low-power mode to receive multicast traffic.
The MAP transmits a beacon every 100 ms. The DTIM counts down with each beacon
that is sent, therefore if the DTIM is set to 5, then client stations in low-power mode will
wake up every 500 ms (.5 second) to receive multicast traffic.
Minimum rate
Sets the minimum transmission rate that client stations must meet in order to connect
with this SSID. Client stations that are below this setting will not be able to connect to
this SSID.
Select the Lowest Available option to have the MAP automatically adjust the data rate
to its minimum setting based on the wireless mode being used.
If the SSID spans two radios, then this setting can only be used if both radios are
operating in the same wireless mode (a/b/g).
Maximum rate
Sets the maximum transmission rate that client stations must respect in order to connect
with this SSID. Client stations that attempt to associate at a higher data rate will be
refused.
Select the Highest Available option to have the MAP automatically adjust the data rate
to its maximum setting based on the wireless mode being used.
If the SSID spans two radios, then this setting can only be used if both radios are
operating in the same wireless mode (a/b/g).
Transmit/Receive on
Select the radio this SSID will operate on. The same SSID can be active on two radios
at the same time, even if they are operating in different wireless modes.
Advertise Tx power
When this option is enabled, the MAP will broadcast its current transmit power setting in
the wireless beacon.
Egress VLAN
Choose the VLAN that this profile forwards data traffic to. To add VLANs to the list, go to
the Networks > VLANs page.
If you choose the default option, traffic is sent untagged to the LAN port. Note, however,
that a VLAN may still be assigned on a per-customer basis via a setting in the
customer’s RADIUS account (if using RADIUS-based authentication). Also, a global
VLAN setting is available on the Network > Ports page which will tag all traffic sent on
port 1.
Important: Enabling this feature bypasses all security features that are active on the
MAP. Make sure that your VLAN has the appropriate security installed to protect access
to the network.
Important: If you are using 802.1x/WPA or MAC authentication, the MAP handles all
authentication tasks and must communicate with the RADIUS server or access
controller to validate login credentials. Therefore, the RADIUS server or access
controller must be reachable via the LAN ports.
Wireless security filters
The MAP features an intelligent bridge which can apply security filters to safeguard the
flow of wireless traffic.
The filters limit both incoming and outgoing traffic as defined below, and force the MAP
to exchange traffic with a specific upstream device.
• If Use Colubris access controller is enabled in the General box, then the default
security filters (defined below) are enabled and all traffic is sent to the access
controller defined on the Security > Access controller page.
Note: If you are using multiple VLANs, each with a different gateway, use the MAC
address option on the Security > Access controller page.
• If Use Colubris access controller is disabled in the General box, the security filters
are controlled by the settings in this box.
Custom
Use this option to define your own filters. To use the default filters as a starting point,
click Get Default Filters.
Filters are specified using standard pcap syntax with the addition of a few
Colubris-specific placeholders. These placeholders can be used to refer to specific MAC
addresses and are expanded by the MAP when the filter is activated. Once expanded, the
filter must respect the pcap syntax. The pcap syntax is documented in the tcpdump man
page: http://www.tcpdump.org/tcpdump_man.html
Placeholders
%a - MAC address of the access controller, as specified on the Security > Access
controller page.
%b - MAC address of the bridge.
%g - MAC address of the default gateway assigned to the MAP on the Network > Ports
page.
%w - MAC address of wireless port.
Wireless protection
Select the type of protection you want to use for the wireless network created by the
VAP.
Important: 802.1x and WPA sessions are terminated by the MAP. This means that the
MAP handles all authentication tasks and must communicate with the RADIUS server or
access controller to validate login credentials. Therefore, the RADIUS server or access
controller must be reachable.
WPA
This option enables support for users with WPA client software.
Mode
Select the WPA mode that the MAP will use.
• WPA (TKIP) 1: WPA with TKIP encryption.
• WPA2 (AES/CCMP): WPA2 (802.11i) with CCMP encryption.
• WPA or WPA2: Mixed mode supports both WPA (version 1) and WPA2 (version 2) at
the same time.
Key source
This option determines how the TKIP keys are generated.
• RADIUS: The MAP obtains the MPPE key from the RADIUS server. This is a dynamic
key that changes each time the user logs in and is authenticated. The MPPE key is
used to generate the TKIP keys that encrypt the wireless data stream. Select the
appropriate RADIUS server.
• Preshared Key: The MAP uses the key you specify in the Key field to generate the
TKIP keys that encrypt the wireless data stream. Since this is a static key, it is not as
secure as the RADIUS option. Specify a key that is between 8 and 64 ASCII
characters in length. It is recommended that the preshared key be at least 20
characters long, and be a mix of letters and numbers.
RADIUS profile
Select the RADIUS profile the MAP will use to validate user logins. Select Access
Controller to forward authentication traffic to a Colubris Networks access controller.
Accounting
Enable this option to have the MAP generate a RADIUS accounting request ON/OFF for
each user authentication. The MAP respects the RADIUS interim-update-interval
attribute if present inside the RADIUS access accept of the authentication.
Mandatory authentication
Requires that all wireless client stations authenticate.
802.1x
This option enables support for users with 802.1x client software. The MAP supports
802.1x client software that uses EAP-TLS, EAP-TTLS, EAP-SIM, and PEAP.
Note: Colubris Networks recommends that you do not use 802.1x unless you enable
WEP encryption.
RADIUS profile
Select the RADIUS profile the MAP will use to validate user logins. Select Access
Controller to forward authentication traffic to a Colubris Networks access controller.
WEP encryption
Enable the use of dynamic WEP keys for all 802.1x sessions. Dynamic key rotation
occurs on key 1, which is the broadcast key. Key 0 is the pair-wise key. It is automatically
generated by the MAP.
Key length and key change interval are set in the Dynamic keys box.
Accounting
Enable this option to have the MAP generate a RADIUS accounting request ON/OFF for
each user authentication. The MAP respects the RADIUS interim-update-interval
attribute if present inside the RADIUS access accept of the authentication.
Mandatory authentication
Requires that all wireless client stations authenticate.
WEP
Key 1, 2, 3, 4
The number of characters you specify for a key determines the level of encryption the
MAP will provide.
• For 40-bit encryption, specify 5 ASCII characters or 10 HEX digits.
• For 128-bit encryption, specify 13 ASCII characters or 26 HEX digits.
When encryption is enabled, wireless stations that do not support encryption cannot
communicate with the MAP. The definition for each encryption key must be the same on
the MAP and all client stations. Keys must also be in the same position. For example, if
you are using key 3 to encrypt transmissions, then each client station must also define
key 3 to communicate with the MAP.
Note: Keys 2, 3, and 4 are supported only on the first VAP profile.
Transmission key
Select the key the MAP will use to encrypt transmitted data. All four keys are used to
decrypt received data.
Key format
Select the format you used to specify the encryption keys:
ASCII
ASCII keys are much weaker than carefully chosen HEX keys. You can include ASCII
characters between 32 and 126, inclusive, in the key. However, note that not all client
stations support non-alphanumeric characters such as spaces, punctuation, or special
symbols in the key.
HEX
Your keys should only include the following digits: 0-9, a-f, A-F
MAC-based authentication
When enabled, this option lets you control access to the MAP based on the MAC
address of client stations.
Important: When both this option and the MAC filtering option are enabled, the
following applies: if a customer’s MAC address does not appear in the MAC filtering list
then MAC-based authentication takes place for that customer.
RADIUS profile
When this option is enabled, the MAP will authenticate wireless stations using a
RADIUS server. Communication with the server is controlled via a RADIUS profile
defined on the Security > RADIUS page. Since each VAP profile is independently
configurable, it is possible to use a different RADIUS server for each one.
To successfully authenticate a client station, an account must be created on the
RADIUS server with both username and password set to the MAC address of the client
station.
The MAC address sent by the MAP in the RADIUS REQUEST packet for both
username and password is 12 hexadecimal digits, with the values “a” to “f” in
lowercase. For example: 0003520a0f01.
The RADIUS server will reply to the REQUEST with either an ACCEPT or REJECT
RADIUS RESPONSE packet. In the case of an ACCEPT, the RADIUS server can return
the session-timeout RADIUS attribute (if configured for the account). This attribute
indicates the amount of time, in seconds, that the authentication is valid for. When this
period expires, the MAP will re-authenticate the wireless station.
Accounting
Enable this option to have the MAP generate a RADIUS accounting request ON/OFF for
each user authentication. The MAP respects the RADIUS interim-update-interval
attribute if present inside the RADIUS access accept of the authentication.
MAC filter
Note: The MAC filter option is not available if Use Colubris access controller is
enabled under General.
When enabled, this option enables you to control access to the MAP based on the MAC
address of client stations. You can either block access or allow access, depending on
your requirements.
Note: When both the MAC filter option and the MAC-based authentication options
are enabled, if a customer’s MAC address does not appear in the MAC filtering list,
MAC-based authentication is used for that customer.
Specify the MAC address as six pairs of hexadecimal digits separated by colons. For
example: 00:03:52:0a:0f:01.
Filter behavior
• Allow: Only client stations whose MAC addresses appear in the MAC address list can
connect to the wireless network.
• Block: All client stations whose MAC addresses appear in the MAC address list are
blocked from accessing the wireless network.
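The interaction between the MAC filter, its Allow/Block behavior and MAC-based authentication can be modelled as follows. This Python sketch is an added example, not Colubris code; the `radius_accounts` dictionary is a stand-in for the RADIUS server and the sample addresses are constructed.

```python
import re

_SEPARATORS = re.compile(r"[:\-.\s]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(text):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = _SEPARATORS.sub("", text).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def radius_credentials(mac):
    """Username and password the MAP sends in the RADIUS request."""
    value = normalize_mac(mac)
    return value, value


def filter_format(mac):
    """Six colon-separated pairs, as entered in the MAC filter list."""
    value = normalize_mac(mac)
    return ":".join(value[i:i + 2] for i in range(0, 12, 2))


def admit(station, filter_list, behavior, mac_auth_enabled, radius_accounts):
    """Return (admitted, reason) for one client station.

    filter_list      MAC addresses in the VAP's MAC filter (any notation)
    behavior         "allow" or "block", the Filter behavior setting
    radius_accounts  dict username -> password, standing in for the server
    """
    if behavior not in ("allow", "block"):
        raise ValueError("behavior must be 'allow' or 'block'")
    mac = normalize_mac(station)
    listed = mac in {normalize_mac(entry) for entry in filter_list}

    if listed:
        # A listed station is decided by the filter alone.
        return (behavior == "allow", f"listed, filter is {behavior}")
    if mac_auth_enabled:
        # Not listed and MAC-based authentication is on: ask RADIUS.
        user, password = radius_credentials(mac)
        ok = radius_accounts.get(user) == password
        return (ok, "RADIUS accept" if ok else "RADIUS reject")
    # Filter only: an allow list refuses unlisted stations,
    # a block list admits them.
    return (behavior == "block", f"not listed, filter is {behavior}")


# Constructed sample data.
ACCOUNTS = {
    "0003520a0f01": "0003520a0f01",  # the form the MAP sends
    "0003520A0F02": "0003520A0F02",  # uppercase: an exact-match lookup fails
}
FILTER = ["00:03:52:0a:0f:aa"]

if __name__ == "__main__":
    for station in ("00:03:52:0A:0F:01", "00:03:52:0a:0f:02", "00-03-52-0A-0F-AA"):
        print(station, admit(station, FILTER, "allow", True, ACCOUNTS))
```

The second sample account shows the usual provisioning mistake: an account stored with uppercase digits or separators does not equal the lowercase 12-digit string the MAP sends.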
IP filter
Note: The IP filter option is not available if Use Colubris access controller is enabled
under General.
The IP filter enables you to block wireless traffic on this profile based on its destination
address.
Specify the list of destination IP addresses that traffic will be accepted for. All other
traffic will be blocked. If the list is empty, then no wireless-to-wired LAN traffic is
permitted.
The IP filter does not block:
• DNS queries (i.e., TCP/UDP traffic on port 53)
• DHCP requests/responses
Examples
To only allow traffic addressed to a gateway at the address 192.168.130.1, define the
filter as follows:
• Address: 192.168.130.1
• Mask: 255.255.255.255
To only allow traffic addressed for the network 192.168.130.0, define the filter as follows:
• Address: 192.168.130.0
• Mask: 255.255.255.0
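The two filter definitions above, together with the DNS and DHCP exemptions, can be evaluated with the following Python sketch. It is an added example, not Colubris code; the DHCP port numbers (UDP 67 and 68) are the standard ones and are not stated in this guide, and the test destinations are constructed.

```python
import ipaddress

DNS_PORT = 53
DHCP_PORTS = {67, 68}  # standard DHCP server/client UDP ports (assumption)


def build_filter(entries):
    """Turn (address, mask) pairs from the IP filter list into networks."""
    networks = []
    for address, mask in entries:
        # strict=True rejects an address with host bits set under its mask,
        # for example 192.168.130.1 with 255.255.255.0. This check is a
        # choice made in this example, not documented MAP behavior.
        networks.append(ipaddress.IPv4Network(f"{address}/{mask}", strict=True))
    return networks


def permitted(networks, dst_ip, proto, dst_port=None):
    """Return (forwarded, reason) for wireless traffic to dst_ip."""
    proto = proto.lower()
    # The exemptions apply before the address list is consulted, so
    # port 53 traffic passes whatever its destination address is.
    if proto in ("tcp", "udp") and dst_port == DNS_PORT:
        return True, "DNS is not blocked"
    if proto == "udp" and dst_port in DHCP_PORTS:
        return True, "DHCP is not blocked"
    destination = ipaddress.IPv4Address(dst_ip)
    for network in networks:
        if destination in network:
            return True, f"destination in {network}"
    return False, "destination not in filter list"


# The two examples from the text.
GATEWAY_ONLY = build_filter([("192.168.130.1", "255.255.255.255")])
WHOLE_NETWORK = build_filter([("192.168.130.0", "255.255.255.0")])
EMPTY = build_filter([])

if __name__ == "__main__":
    # Constructed test traffic.
    print(permitted(GATEWAY_ONLY, "192.168.130.1", "tcp", 443))
    print(permitted(GATEWAY_ONLY, "192.168.130.7", "tcp", 443))
    print(permitted(WHOLE_NETWORK, "192.168.130.7", "tcp", 443))
    print(permitted(EMPTY, "203.0.113.10", "udp", 53))
```

Because DNS is exempt even when the list is empty, any control over which resolvers clients may reach has to be applied on an upstream device.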
[Figure: Public WLAN, InMotion MultiService Controller, RADIUS server, and protected network resources]
In most setups the access controller uses a RADIUS server to store customer accounts
and validate credentials.
Connecting to a Colubris access controller
By default, the MAP operates as a DHCP client. The access controller, operating as the
DHCP server, will assign itself as the MAP’s default gateway.
However, to successfully connect to the access controller, you must define settings as
follows:
1. Open the Security > Access controller page.
Note: If DHCP is not being used to set the default gateway address, you can specify the MAC
address of the access controller instead.
Using other access controllers
Instead of using a Colubris access controller, you can choose to send traffic to another
device (a VPN server, for example). In this case, you need to configure the following
settings on a per-VAP basis:
1. Open the Virtual AP > Profiles page.
2. Click the Colubris Networks profile to edit it.
3. In the Wireless security filters box, select MAC address and enter the address of
the access controller.
methods
WPA/802.1x
The MAP provides full support for users with 802.1x or WPA1/WPA2 client software. The
MAP terminates the session and authenticates users via a Colubris Networks access
controller or RADIUS server. Another option is to use preshared keys (WPA only).
The MAP supports 802.1x client software that uses EAP-TLS, EAP-TTLS, and PEAP.
Dynamic key rotation is supported.
See page 24 for more information.
Note: Colubris Networks does not recommend that you use 802.1x without enabling
dynamic WEP encryption.
MAC-based authentication
The MAP can authenticate devices based on their MAC address. This is useful for
authenticating devices that do not have a web browser (cash registers or cell phones,
for example). These devices do not log in through the public access interface provided
by the access controller, rather, as soon as the MAP sees their MAC address appear on
the network, the MAP attempts to authenticate them. MAC-based authentication can be
defined on a per-profile basis. See “MAC-based authentication” on page 26 for
more information.
Location-aware authentication
This option works when the MAP is used in conjunction with a Colubris Networks
access controller. This feature enables you to control logins to the public access
network based on the wireless access point a customer is connected to.
When a customer attempts to login to the public access network, the access controller
sets the Called-Station-ID in the RADIUS access request to the MAC address of the
MAP wireless port the customer is associated with.
For more information, see the Administrator’s Guide for the access controller.
Important: This feature can only be used when the MAP is installed in conjunction with
a Colubris Networks access controller such as the InMotion™ family of MultiService
Controllers.
Important: This feature does not support 802.1x customers and devices using MAC-
based authentication.
Access control
Two input filters are available that enable you to control wireless access based on the IP or
MAC address of client stations. Both filters are configurable on a per-VAP basis.
For more information see:
• “MAC filter” on page 26
• “IP filter” on page 27
Using multiple authentication mechanisms
802.1x and MAC-based authentication are configurable on a per-VAP basis. Both
options can be enabled at the same time for added flexibility. When this occurs, the
result for 802.1x authentication takes precedence over the MAC authentication result. It
is therefore possible for a client station to be authenticated via MAC and then refused
via 802.1x, or refused by MAC and accepted by 802.1x.
An additional option is available that can be used to force all client stations to
authenticate via 802.1x. When active, even if a client station is authenticated via MAC,
the client station will be refused if it cannot authenticate via 802.1x.
Restriction
Both MAC and 802.1x authentication options can only be active at the same time on the
same VAP when the setting for wireless protection is:
• 802.1x with no encryption (WEP option disabled)
OR
• 802.1x with WEP encryption enabled and static keys enabled
Note: If you intend to only use dynamic keys, only 802.1x authentication is supported.
The following table illustrates the results for all authentication scenarios.
- Success Yes
- Failure No
Failure - No
Failure Failure No
MAC + 802.1x Not Mandatory
Success Failure No
Success - Yes
Failure - No
Success - No
Success Success Yes
Example A
MAC and 802.1x enabled, mandatory 802.1x authentication option disabled
Wireless clients are automatically authenticated by their MAC address.
• If MAC authentication succeeds, the client gains access. Next the client station can
initiate an 802.1x session, causing 802.1x authentication to take place. The result of
this authentication then takes precedence over the MAC authentication result.
• If MAC authentication fails, the client does not gain access but can still initiate an
802.1x session, causing 802.1x authentication to take place. If the result of this
authentication is successful, then the client gains access.
Example B
MAC and 802.1x enabled, mandatory 802.1x authentication option enabled
Wireless clients are automatically authenticated by their MAC address. If MAC
authentication succeeds they do not gain access until 802.1x authentication is
successful.
Example C
MAC disabled and 802.1x enabled, mandatory 802.1x authentication option disabled
Wireless clients automatically gain access to the network with no authentication
required. If the client starts an 802.1x session, authentication takes place. If the result
of this authentication is failure, then the client loses access to the network.
Example D
MAC disabled and 802.1x enabled, mandatory 802.1x authentication option enabled
Wireless clients only gain access to the network after successfully being
authenticated via an 802.1x session.
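Examples A to D can be checked as a small state model that tracks whether a client has access after each authentication result arrives. This Python sketch is an added illustration, not Colubris code; it assumes that with the mandatory option enabled a successful 802.1x result still takes precedence over a failed MAC result, a case the examples do not spell out.

```python
from dataclasses import dataclass

SUCCESS, FAILURE = "success", "failure"


@dataclass(frozen=True)
class VapAuthConfig:
    mac_enabled: bool
    dot1x_enabled: bool
    dot1x_mandatory: bool = False


def combination_allowed(wep_enabled, static_keys_enabled):
    """Restriction: MAC and 802.1x together need either 802.1x with no
    encryption, or WEP encryption with static keys enabled."""
    return (not wep_enabled) or static_keys_enabled


def has_access(cfg, mac_result=None, dot1x_result=None):
    """Access state given the results seen so far (None = not attempted)."""
    if cfg.dot1x_enabled and dot1x_result is not None:
        # The 802.1x result takes precedence over the MAC result.
        # Assumption: this also holds for MAC failure + mandatory 802.1x.
        return dot1x_result == SUCCESS
    if cfg.dot1x_enabled and cfg.dot1x_mandatory:
        # Mandatory 802.1x: no access until 802.1x succeeds (Examples B, D).
        return False
    if cfg.mac_enabled:
        # Example A before any 802.1x session: the MAC result decides.
        return mac_result == SUCCESS
    # Example C: no MAC authentication, 802.1x optional. Clients have
    # access without authenticating until an 802.1x attempt fails.
    return True


def access_timeline(cfg, events):
    """Access state on association and after each (kind, result) event."""
    mac = dot1x = None
    states = [has_access(cfg)]
    for kind, result in events:
        if kind == "mac":
            mac = result
        elif kind == "802.1x":
            dot1x = result
        else:
            raise ValueError(f"unknown authentication kind: {kind!r}")
        states.append(has_access(cfg, mac, dot1x))
    return states


EXAMPLE_A = VapAuthConfig(mac_enabled=True, dot1x_enabled=True)
EXAMPLE_B = VapAuthConfig(mac_enabled=True, dot1x_enabled=True, dot1x_mandatory=True)
EXAMPLE_C = VapAuthConfig(mac_enabled=False, dot1x_enabled=True)
EXAMPLE_D = VapAuthConfig(mac_enabled=False, dot1x_enabled=True, dot1x_mandatory=True)

if __name__ == "__main__":
    print("A:", access_timeline(EXAMPLE_A, [("mac", SUCCESS), ("802.1x", FAILURE)]))
    print("B:", access_timeline(EXAMPLE_B, [("mac", SUCCESS), ("802.1x", SUCCESS)]))
    print("C:", access_timeline(EXAMPLE_C, [("802.1x", FAILURE)]))
    print("D:", access_timeline(EXAMPLE_D, [("802.1x", SUCCESS)]))
```

The first entry of the Example C timeline is the one to check when reviewing a profile: that configuration gives access to clients that never start an 802.1x session.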
Wireless coverage
As a starting point for planning your setup, you can assume that the MAP provides a
wireless networking area, also called a wireless cell, of up to 300 feet (100 meters) in
radius at high power. However, before creating a permanent installation, you should
always perform a site survey to determine the optimum settings and location for the
MAP.
Wireless mode
The available wireless modes are determined by the wireless radio(s) installed in the
MAP, and may include:
• 802.11b: 11 Mbps in the 2.4 GHz frequency band.
• 802.11g: 54 Mbps in the 2.4 GHz frequency band.
• 802.11 b + g: 11 Mbps and 54 Mbps in the 2.4 GHz frequency band.
• 802.11a: 54 Mbps in the 5 GHz frequency band.
Antenna configuration
Antennas play a large role in determining the shape of the wireless cell and
transmission distance. Consult the specifications for the antennas you are using to
determine how they affect wireless coverage.
Interference
Interference is caused by other access points or devices that operate in the same
frequency band as the MAP. This can substantially affect throughput. The MAP
provides advanced wireless configuration features to automatically eliminate this
problem. See “RF channel management” on page 40 for details.
In addition, the MAP provides several tools to diagnose interference problems as they
occur.
• Wireless > Neighborhood: This page provides detailed information on all wireless
access points operating in the immediate area so that you can effectively set your
operating frequency. It also makes it easy to find rogue access points. See
“Conducting a site survey” on page 38 for details.
• Status > Wireless: This page provides detailed information on packets sent and
received, transmission errors, and other low-level events. Consult the online help for
this page for recommendations on using this information to diagnose wireless
problems.
• Status > Client data rate matrix: This page lists the data rates for all connected
client stations. This makes it easy to determine if low-speed clients are affecting
network performance. You can use the Minimum rate option when defining a WLAN
profile to keep low-speed clients from connecting.
Important: Access points operating in the 2.4 GHz band may experience interference
from 2.4 GHz cordless phones and microwave ovens.
Configuring overlapping wireless cells
Overlapping wireless cells are caused when two or more access points are within
transmission range of each other. This may be under your control (when setting up
multiple cells to cover a large location), or out of your control (when your neighbors set
up their own wireless networks). In either case, the problems you face are similar.
Note: On the MSC-330, the management tool does not allow you to configure the two
radios on overlapping channels.
[Figure: cell 1 and cell 2]
The solution to this problem is to set the two networks to different channels with as great
a separation as possible in their operating frequencies. This reduces cross-talk, and
enables client stations connected to each access point to transmit at the same time.
Choosing channels
For optimum performance when operating in 802.11b or 802.11g modes, choose a
frequency that differs from other wireless access points operating in neighboring cells
by at least 25 MHz.
Two channels with the minimum 25 MHz frequency separation will always perform
worse than two channels using the maximum separation. So it is always best to use the
greatest separation possible between overlapping networks.
Note: When operating in 802.11a mode, all channels are non-overlapping.
With the proliferation of wireless networks, it is very possible that the wireless cells of
access points outside your control may overlap your intended area of coverage. To
choose the best operating frequency, use the Wireless > Neighborhood page to
generate a list of all access points operating near you and their operating frequencies.
The set of available channels is automatically determined by the MAP based on the
Country setting you define on the Wi-Fi page, which means that the number of
non-overlapping channels available to you will also vary. This will affect how you set up your
multi-cell network.
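The channel choice described above can be worked through in code: given the channels the country setting allows and the channels seen on the Wireless > Neighborhood page, pick the one with the greatest separation that still meets the 25 MHz minimum. This Python sketch is an added example, not Colubris code; the centre frequencies are the standard 2.4 GHz 802.11 channel plan, which this guide does not list, and the neighbor channels are constructed.

```python
def center_mhz(channel):
    """Centre frequency of a 2.4 GHz 802.11b/g channel (standard plan)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def separation_mhz(a, b):
    """Distance between the centre frequencies of two channels."""
    return abs(center_mhz(a) - center_mhz(b))


def best_channel(allowed, neighbours, min_sep=25):
    """Return (channel, separation_mhz) for the allowed channel farthest
    from every neighbour, or None if no channel reaches min_sep.

    With no neighbours, the lowest allowed channel is returned with a
    separation of None. Ties go to the lower channel number.
    """
    allowed = sorted(allowed)
    if not neighbours:
        return allowed[0], None
    best = None
    for channel in allowed:
        sep = min(separation_mhz(channel, n) for n in neighbours)
        if sep >= min_sep and (best is None or sep > best[1]):
            best = (channel, sep)
    return best


def non_overlapping_set(allowed, min_sep=25):
    """Greedy set of channels, lowest first, all at least min_sep apart."""
    chosen = []
    for channel in sorted(allowed):
        if all(separation_mhz(channel, c) >= min_sep for c in chosen):
            chosen.append(channel)
    return chosen


# Channel ranges for the two regions this guide lists as examples.
EUROPE = range(1, 14)   # channels 1 to 13
JAPAN = range(1, 15)    # channels 1 to 14

if __name__ == "__main__":
    seen = [1, 6]  # constructed Neighborhood scan result
    print("Europe:", best_channel(EUROPE, seen))
    print("Japan: ", best_channel(JAPAN, seen))
    print("Europe, 1/6/11 in use:", best_channel(EUROPE, [1, 6, 11]))
    print("Non-overlapping set:", non_overlapping_set(EUROPE))
```

When `best_channel` returns None, no allowed channel is 25 MHz away from every neighbor, which is the situation the receiver sensitivity adjustment under "Distance between access points" addresses.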
Example
When operating in 802.11b mode, the MAP supports the following 14 channels in the
2.4 GHz band:
However, the number of channels available for use in a particular country is
determined by the regulations defined by the local governing body.
For example:
Japan 1 to 14
Europe 1 to 13
However, it is possible to stagger your cells to reduce overlap and increase channel
separation. Consider the following:
This strategy can be expanded to cover an even larger area using three channels as
follows:
The areas in gray indicate where two cells using the same frequency overlap.
Distance between access points
In environments where the number of wireless frequencies is limited, it can be
beneficial to adjust the receiver sensitivity of the MAP. To make the adjustment, open
the Wireless > Radio(s) page.
For most installations, the Large setting should be used. However, if you are installing
multiple MAPs, and the channels available to you do not provide enough separation,
then reducing the receiver sensitivity can help you reduce the amount of crosstalk
between the MAPs.
Another benefit to using reduced settings is that it will improve roaming performance.
Client stations will switch between MAPs more frequently.
Note: The distance between access points option provides the best performance
benefit when client stations are equipped with wireless adapters that are configured with
the same setting. However, not all manufacturers support this feature.
Conducting a site survey
To discover the operating frequencies of other access points in your area, open the
Wireless > Neighborhood page. The MAP will automatically scan to find all active
access points. For example:
Note: If an access point is not broadcasting its name, the SSID is blank.
Monitor mode
The radio(s) in the MAP can be configured to operate in monitor mode (Wireless >
Radio(s) page). In this mode, both access point and wireless links functionality are
disabled. The MAP will receive all wireless transmissions, but will not broadcast.
Use this option for continuous scanning across all channels in all wireless modes
supported by the radio (a/b/g). See the results of the scans on the Wireless >
Neighborhood page.
This mode also enables 802.11 traffic to be traced when using the Tools > Network
trace command.
Identifying unauthorized access points
Improperly configured wireless access points can seriously compromise the security of
a corporate network. Therefore, it is important that they be identified as quickly as
possible.
The wireless neighborhood feature can be configured to automatically list all
non-authorized access points that are operating nearby.
To identify unauthorized access points, the MAP compares the MAC address of each
discovered access point against the list of authorized access points (which you must
define). If the discovered access point does not appear in the list, it is displayed in the
Unauthorized access points list.
List of authorized access points
The format of this file is XML. Each entry in the file is composed of two items: MAC
address and SSID. Each entry should appear on a new line. The easiest way to create
this file is to wait for a scan to complete, then open the list of all access points in Brief
format. Edit this list so that it contains only authorized access points and save it. Then,
specify the address of this file for the List of authorized access points parameter.
When you edit the Brief list you need to remove extra text that appears before and after
each MAC address. For example, if the brief list looks like this:
<?xml version='1.0'?>
<simple-ap-list>
# MAC SSID
00:03:52:07:f5:11 "AP_1"
00:03:52:07:f5:23 "AP_2"
00:03:52:07:f5:12 "AP_3"
</simple-ap-list>
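The MAC comparison described in this section, as an added Python example that is not part of the Colubris guide or firmware: it parses two lists in the Brief format shown above and reports every scanned access point whose MAC address is not on the authorized list. The scan data, the function names, the tolerance for a missing SSID, and the extra flag for an unlisted access point that advertises an authorized network name are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# One entry per line: MAC address, then optionally the SSID in double quotes
# (the SSID is blank when an access point does not broadcast its name).
ENTRY_RE = re.compile(
    r'^((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})(?:\s+"(.*)")?$'
)


def parse_ap_list(text):
    """Parse a <simple-ap-list> document into a {mac: ssid} dictionary.

    MAC addresses are normalised to lower-case colon notation so that the
    comparison does not depend on how a list was typed. Blank lines and
    '#' header lines are skipped. Any other line that is not a MAC/SSID
    entry raises ValueError, so a typo in the authorized list is reported
    instead of silently dropping an access point from it.
    """
    root = ET.fromstring(text.strip())
    if root.tag != "simple-ap-list":
        raise ValueError(f"unexpected root element <{root.tag}>")
    entries = {}
    for number, raw in enumerate((root.text or "").splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENTRY_RE.match(line)
        if match is None:
            raise ValueError(
                "text line %d is not a MAC/SSID entry: %r" % (number, line)
            )
        mac = match.group(1).lower().replace("-", ":")
        entries[mac] = match.group(2) or ""
    return entries


def find_unauthorized(scan, authorized):
    """Return the scanned access points whose MAC is not on the authorized list.

    The MAC comparison is the check the guide describes. The
    'copies_authorized_ssid' flag is an addition of this example: it marks an
    unlisted access point that advertises one of the authorized network
    names, which is worth reviewing first.
    """
    known_ssids = set(authorized.values()) - {""}
    findings = []
    for mac, ssid in sorted(scan.items()):
        if mac in authorized:
            continue
        findings.append(
            {
                "mac": mac,
                "ssid": ssid,
                "copies_authorized_ssid": ssid in known_ssids,
            }
        )
    return findings


# Authorized list: the three entries from the Brief list shown in the guide.
AUTHORIZED_XML = """<?xml version='1.0'?>
<simple-ap-list>
# MAC SSID
00:03:52:07:f5:11 "AP_1"
00:03:52:07:f5:23 "AP_2"
00:03:52:07:f5:12 "AP_3"
</simple-ap-list>
"""

# Constructed scan result: two authorized units (one typed in upper case) and
# two constructed, locally administered MAC addresses that are not on the list.
SCAN_XML = """<?xml version='1.0'?>
<simple-ap-list>
# MAC SSID
00:03:52:07:F5:11 "AP_1"
00:03:52:07:f5:23 "AP_2"
02:00:00:aa:bb:01 "AP_1"
02:00:00:aa:bb:02 ""
</simple-ap-list>
"""

if __name__ == "__main__":
    authorized = parse_ap_list(AUTHORIZED_XML)
    for finding in find_unauthorized(parse_ap_list(SCAN_XML), authorized):
        note = " (advertises an authorized SSID)" if finding["copies_authorized_ssid"] else ""
        print("unauthorized: %s %r%s" % (finding["mac"], finding["ssid"], note))
```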
RF channel management
The MAP provides several features for channel management.
Automatic channel selection
When enabled (on the Wireless > Radio(s) page), the MAP will automatically scan the
operating environment to find the channel with the best throughput. Scanning is done on
startup and at preset intervals.
Note: You cannot use Automatic channel selection when creating wireless links with
the radio. You must set the channel manually to ensure that it matches the radio on the
other side of the link.
Dynamic channel selection
RF characteristics in the operating environment can change as new devices are
introduced, modified, or removed. Therefore, when the autochannel option is enabled,
the MAP will automatically scan the RF environment at configurable intervals and adjust
the channel as required.
Note: Dynamic channel selection causes interruptions to voice calls when used on a
single radio. On dual-radio units, if the second radio is set to operate in Monitor mode,
scanning takes place on radio 2, so no interruptions on radio 1 occur.
DFS/TPC
The MAP supports Dynamic Frequency Selection (802.11h) and Transmit Power
Control (802.11d) for 802.11a for operation in European countries. These options are
automatically enabled as required.
Automatic power adjustment
The MAP features an auto power adjustment option. When enabled (Wireless >
Radio(s) page), the MAP will automatically scan the RF environment and adjust power
output to minimize interference with other access points.
This feature works best when the entire network uses only Colubris Network access
points (as third-party products will not adjust their output power).
How it works
If co-channel interference is discovered, then all neighboring APs will shrink their cell
size to minimize the interference. The first step is to adjust the transmit power. If this
fails, then the next step is to increase the transmit power (if possible) to maximum and
change the minimum data rate to a higher value (802.11b will change from 1 Mbps to
2 Mbps, 802.11a/g will change from 6 Mbps up to 18 Mbps).
Note: The majority of clients will still transmit at maximum power so not all interference
can be eliminated.
Note: Some older wireless client cards may not support a data rate of 2 Mbps.
Service sensor
The service sensor enables the MAP to determine if access to the network or a
particular server is available. If not, the MAP automatically shuts off its radio transmitter,
taking down the wireless cell.
RF performance
Use the following features to help improve the performance of the wireless network.
Client station data rate limits
The MAP provides settings for controlling the minimum and maximum client data rates
per VAP. These rates are advertised in the 802.11 beacon, sent in response to wireless
probes, and specified in the negotiated rate of the association response.
The primary application for these settings is to enable performance optimization across
the wireless network. For example, if the minimum data rate is set to 6 Mbps, a client
with a weak signal (that may only be able to associate at 1 Mbps) is prevented from
doing so. If that same client were allowed to associate successfully, the overall
performance of the network would be degraded for all clients. By
preventing the association, clients with more powerful signals are able to perform at
their optimal capability.
The following two settings are available when you define an SSID for a VAP.
• Minimum rate: Sets the minimum transmission rate that client stations can use when
communicating with the VAP. Client stations that are operating at a rate that is slower
than this setting will be able to associate with the MAP but will not be able to send or
receive data. For example, if the minimum rate is set to 6 Mbps and a client is not
close enough to reach this rate, it will still see the MAP, but all transmissions will time
out.
Note: Increasing the minimum rate effectively reduces the cell size of the wireless network,
since as the distance from the MAP increases the data rate decreases.
Note: Some wireless client stations may refuse to associate with the MAP if the basic rates
for the current operating mode are not supported. For example, if the minimum data rate is set
to 6 Mbps for 802.11b, this is above the mandated basic rates of 1 and 2 Mbps, and may cause
some clients to refuse the association.
• Maximum rate: Sets the maximum transmission rate that client stations can use
when communicating with the VAP. Client stations that support higher rates will
negotiate this value as their limit when associating to the MAP.
Multicast rate limit
The MAP provides control of the multicast rate on a per-radio basis (on the Wireless >
Radio(s) page). By default, this is set to the lowest rate for the current wireless mode. If
there is a lot of multicast traffic on your network, raising the multicast rate can improve
throughput.
Note: If you raise the multicast rate, client stations that do not support the new rate will
not receive the multicast data.
Addressing
The MAP is a wireless bridge, which means that all its ports share the same IP address.
The address can be set statically or via DHCP on the Network > Ports page.
Default settings
By default, the MAP is configured as a DHCP client on both LAN ports. If no DHCP
server is found at startup, the MAP assigns the address 192.168.1.1 to all its ports.
DNS
When the MAP is configured to use the DHCP client, the MAP uses the DNS name
returned by the server. You can override this with static settings if required on the
Network > DNS page.
Layer 2 security
The MAP supports several layer 2 security schemes which can be enabled to protect
customer wireless traffic.
Session limits
Up to 255 user connections are supported when layer 2 security is active.
WEP None
Security options
To enable multiple layer 2 options at the same time, each option must be assigned to its
own wireless profile.
WEP
Weaknesses in WEP’s cryptographic technology were exposed not long after it was
developed. However, it can still be of use in light-traffic, casual-use installations to deter
eavesdroppers. It is not recommended for corporate networks without enabling a VPN
security option (IPSec, PPTP, or L2TP).
802.1x
802.1x is an IEEE port-based authentication standard. It improves upon WEP by
providing two important enhancements: user authentication and unique keys with key
rotation.
• User authentication: Before a user gains access to the wireless network, they must
first log in. The login process is managed by 802.1x client software which must be
installed on the user’s computer. It communicates with the MAP, which in turn uses
the services of a RADIUS server to validate user login credentials.
• Unique keys with key rotation: Each user is assigned their own key by the RADIUS
server. Keys are automatically rotated (regenerated) at an interval configured on the
MAP.
To use 802.1x, wireless client stations must install 802.1x client software. The MAP
supports 802.1x clients using EAP-SIM, EAP-TLS, EAP-TTLS and PEAP. Dynamic
WEP encryption is supported.
Note: Colubris Networks does not recommend the use of 802.1x without enabling
dynamic WEP encryption.
Note: When 802.1x is active, the MAP can also be configured to accept connections
from stations using static WEP keys if required.
WPA1/WPA2
Wi-Fi Protected Access (WPA) is the Wi-Fi security standard that was developed to
replace WEP. It features improved data encryption and implements 802.1x to provide
user authentication.
WPA1 data encryption is handled by the Temporal Key Integrity Protocol (TKIP). It
addresses all known WEP weaknesses with a variety of important security
enhancements.
WPA2 provides AES/CCMP encryption for even stronger protection of the wireless data
stream.
Keys can be dynamically generated on a per-user basis at login via a RADIUS server. In
this case, user login information is also maintained on the RADIUS server. Key length
and key rotation interval are defined on the MAP.
WPA also features a special mode called Pre-Shared Keys. In this mode a single key is
defined for all user connections. This key is used for encryption only. This mode does
not provide user authentication (there is no username and password).
To use WPA, wireless client stations must install WPA client software.
Do not broadcast wireless network name
You can disable the broadcast of the wireless network name. This forces client stations
to provide the correct network name to connect to the MAP. By assigning a unique
name to the wireless network, you can block access by unauthorized computers.
The service sensor can be used to create backup operation of the network in case of
equipment failure. For example, you could install two MAPs, each operating on a
different channel, within close proximity of one another. Each MAP would communicate
with a different access controller. If one of the controllers goes down, the service sensor
will detect it and shut down the radio on the affected MAP. Client stations connected to
this MAP will automatically be transferred to the other MAP with no interruption in
service. This only works if both MAPs have the same SSID.
To set up the service sensor, open the Security > Access controller page.
Wireless bridging
The wireless bridging feature enables you to use the wireless radio to create point-to-
point wireless links to other access points.
Each MAP can support up to six wireless bridges, which can operate at the same time
as the network serving wireless customers.
See page 77 for a complete wireless bridging scenario.
RF extension
Wireless bridging provides an effective solution for extending wireless coverage in
situations where it is impractical or expensive to run cabling to a wireless access point.
In this scenario, the satellite access point is used to expand the coverage of the wireless
network.
In this configuration, both the MAP and the access controller (MSC-3200/3300) are
equipped with omnidirectional antennas, enabling them to deliver both access point
functionality and wireless bridging.
Building-to-building connections
The wireless bridging feature can also be used to create point-to-point links over longer
distances. In this scenario, two units create a wireless bridge between the networks in
two adjacent buildings. Each unit is equipped with a directional external antenna and is
within line of sight to make the connection. Customers are authenticated via the
RADIUS server.
Note: When a directional antenna is used to create a wireless link, only one antenna is
supported and the units cannot provide wireless access point functionality.
[Figure: two diagrams of Building A and Building B joined by a wireless bridge between
directional antennas. Labels: MAP, MAP-330, MSC-3200, MSC-3300, RADIUS server.]
• Each unit is equipped with a directional external antenna attached to Radio 1. (When
using an external antenna, it is recommended that you connect it to the MAIN
connector.)
• Radio 2 is equipped with an omnidirectional antenna to provide access point
functionality.
• The units are within line of sight.
Important
• All radios that are part of a link must be set to the same operating frequency and
channel. This means that the Automatic option cannot be used for Channel on the
Wireless > Radio page.
• If a single radio is used to provide both access point functionality and a wireless link,
bandwidth is shared by all bridged access points and all their associated client
stations.
• All wireless ports must be on the same subnet, with each port having a unique IP
address.
• If WEP is enabled, the same settings must be used on all access points.
• Although the MAP supports up to six wireless links, only one wireless link can be
defined between any two access points.
• If you establish a wireless link between two MAPs, or a MAP and a MultiService
Controller, then access to the management tool across the bridge is blocked.
• As soon as a wireless bridge link is established, the spanning tree protocol is enabled
on the link to provide proper routing of traffic.
• When using an external antenna (via a coax cable), it is recommended that you
connect it to the MAIN connector.
wireless link
2. Click Wireless Link #1. The configuration page for the link opens.
Performance adjustments
Once both units have been configured:
1. Open the Tools > Ping page on one unit and ping the other one to make sure that
the bridge is working.
2. Open the Status > Wireless page.
3. Using the SNR value in the Wireless bridging status box as a guide, adjust the
antennas to obtain the best possible value. A value greater than 20 is good. After
each change, allow a minimum of two minutes for the Link speed field to settle
down and report its new value.
Advanced
The following global settings are configurable on the Wireless > Wireless links page.
Quality of service
The wireless bridging feature enables you to define a quality of service (QoS) setting
that will govern how traffic is sent on all wireless links. The same options are available
as on a per-VAP basis. For details, see “QoS priority mechanisms” on page 52.
VLAN support
The MAP provides a robust and flexible VLAN (802.1q) implementation. VLANs can be
defined on the LAN ports, as well as on wireless links. User traffic can be mapped to a
VLAN on a per-VAP basis, or on a per-user basis.
The following scenarios illustrate how to work with VLANs:
• “Scenario 2: Supporting public and private access with VLANs” on page 79.
• “Scenario 3: Segregating management traffic using VLANs” on page 83.
• “Scenario 2: Integrating into a segmented network” on page 95.
Important: MAPs cannot be daisy-chained when VLANs are in use.
General
• Port: Select the port that the VLAN is associated with.
• VLAN ID: Specify an ID for the VLAN (802.1q). The same VLAN ID can be
assigned to different ports to create a VLAN bridge across the ports. If the VLAN
is being assigned to an Ethernet port you can also define a range of VLANs in the
form X-Y, where X and Y can be 1 to 1024. For example: 50-60
Note: An IP address cannot be assigned when you define a range of VLANs.
• VLAN name: Specify a name for the VLAN. This name is used to identify the
VLAN on the MAP and has no operational significance.
Assign IP address via
An IP address cannot be assigned when the VLAN ID is defined as a range.
• DHCP client: The VLAN obtains its IP address from a DHCP server on the same
VLAN.
• Static: Assign a static IP address and mask.
• None: No IP address is assigned.
Default VLAN
LAN port 1 can be configured with a default VLAN setting. Any outgoing traffic on port 1
that is not tagged with a VLAN ID will receive the default ID.
The default VLAN can be restricted to carry management traffic only. This includes:
• all traffic that is exchanged with the access controller
• all traffic exchanged with external RADIUS servers
• HTTPS sessions established by administrators to the management tool
• incoming/outgoing SNMP traffic
• DNS requests/replies
Assigning traffic to VLANs
Wireless traffic can be assigned to VLANs on a per-VAP or per-user basis.
Note: The VLAN assigned on a per-user basis always overrides the VLAN assigned by
a VAP (or the default VLAN). For example, a wireless station could be associated with a
VAP that is configured for VLAN 30, but after logging in, user-specific settings (retrieved
from a RADIUS server) could override this setting by assigning VLAN 40.
VLAN bridging
If the same VLAN ID is assigned to more than one interface, the VLAN is bridged across
the interfaces.
For example: if you create three VLANs:
• Bridge_1 with ID =50, assigned to Port 1.
• Bridge_2 with ID =50, assigned to Port 2.
• Bridge_3 with ID =50, assigned to wireless link 1.
All VLAN traffic with ID 50 is now bridged across all these interfaces. If you create a VAP
and assign the Egress VLAN in it to any of these VLANs, output from the VAP can be
sent to destinations on any interface.
Traffic queues
Four traffic queues are provided based on the WME standard. In order of priority, these
queues are:
Queue   Description
1       Voice traffic
2       Video traffic
3       Best effort data traffic
4       Background data traffic
Each QoS priority mechanism maps traffic to one of the four traffic queues. Client
stations that do not support the QoS mechanism for the profile they are connected to
are always assigned to queue 3.
Important: Traffic delivery is based on strict priority (per the WME standard). Therefore,
if excessive traffic is present on queues 1 or 2, it will reduce the flow of traffic on queues
3 and 4.
SVP support
Spectralink Voice Protocol is an open standard for the prioritization of voice traffic on
wireless and wired LANs. The MAP prioritizes SVP traffic for all priority mechanisms
except VAP-based.
Queue   Traffic type (based on VLAN priority field)
1       SVP traffic
1       6,7
2       4,5
3       0,2
3       Other traffic
4       1,3
VAP-based priority
The VAP-based priority mechanism is unique to Colubris Networks access points. It
allows a specific priority level to be specified for all traffic on a VAP. This enables client
stations without a QoS mechanism to set traffic priority by connecting to the appropriate
VAP.
If you enable a VAP-based priority mechanism, it takes precedence regardless of the
priority mechanism supported by associated client stations. For example, if you set
VAP-based low priority for a VAP, all devices that connect to the profile have their traffic
set at this priority.
Queue   Traffic type (based on binary value of Class Selector Codepoint)
1       SVP traffic
1       111000 (Network control)
1       110000 (Internetwork control)
1       101000 (Critical)
2       100000 (Flash override)
2       011000 (Flash)
3       010000 (Immediate)
3       001000 (Priority)
3       Other traffic
4       000000 (Routine)
TOS
The IP TOS (type of service) field can be used to mark prioritization or special handling
for IP packets.
QoS example
In this example, a single MAP provides voice and data wireless support with different
QoS settings for guests and employees.
[Figure labels: Corporate backbone; SSID=Guest, QoS=SSID-based Low; SSID=Data,
QoS=SSID-based Normal]
Voice
This profile supports wireless phones using the DiffServ mechanism.
Video Conference
This profile supports high priority video traffic for video conferences.
Data
This profile is used by employees. It features a higher QoS setting than the guest profile.
Guest
Guests gain access via this profile. They get the lowest traffic priority to reserve
bandwidth for employees.
Firmware management
The firmware is special software that controls the operation of the MAP. Periodically,
Colubris Networks will make new versions of the firmware available. Firmware updates
can be handled manually, automatically, or with a tool like cURL.
Important: When a MAP is restarted it automatically initializes itself to the default
address 192.168.1.1 on all ports. If the DHCP client is enabled, it takes about 30
seconds after the restart for the DHCP client to request an address. Therefore, for a
short period of time after restarting, the MAP may conflict with another device on the
network. This will usually not be an issue. However, if you are using an automated tool
(like cURL) to update the configuration/firmware on several MAPs at the same time, you
may experience difficulties. It is recommended that you schedule your updates to occur
in succession, leaving a three minute interval between each device.
Important: When using the MAP in conjunction with an access controller you must: (1)
always upgrade the access controller before upgrading the MAP, (2) never load an
earlier firmware version on the MAP than is installed on the access controller.
2. In the Install firmware box, click the Browse button and select a firmware file.
3. Click Install.
Note: The MAP will automatically restart after the firmware has been installed to
activate it. This will disconnect all client stations. Once the MAP resumes operation, all
client stations will have to reconnect.
Note: Configuration settings are preserved during firmware upgrades.
Scheduled install
The MAP can automatically retrieve and install firmware from a local or remote URL. By
placing MAP firmware on a web or ftp server, you can automate the update process for
multiple units.
When the update process is triggered, the MAP retrieves the first few bytes of the
firmware file to determine if it is different than the active version. If different, the firmware
is downloaded and installed. Configuration settings are preserved. However, all
connections will be terminated forcing users to log in again.
Using cURL
It is possible to automate management tasks using a tool like cURL. cURL is a software
client that can be used to get/send files to/from a server using a number of different
protocols (HTTP, HTTPS, FTP, GOPHER, DICT, TELNET, LDAP or FILE).
cURL is designed to work without user interaction or any kind of interactivity. It is
available for Windows and LINUX at: http://curl.haxx.se/. You must use version 7.10 or
higher.
The following cURL commands illustrate how to update the firmware. The following
setup is assumed:
• IP address of the MAP’s Ethernet port is 24.28.15.22.
• Management access via the Ethernet port is enabled.
• Firmware is located in the file: MAP.CIM
These examples are non-secure (no certificates are used for authentication), but data
traffic is still encrypted.
Note: If you want to secure the connection with the MAP using certificates, you must
use the --cacert option to specify where the CA certificates are located on your
computer. This also requires that you specify the host name wireless.colubris.com
instead of using its IP address. The host name must be resolved either via a DNS server
or using the hosts file on your computer.
4. Upload the firmware. Once the upload is complete the MAP will automatically
restart.
curl -s -k --cookie cookie.txt -F firmware=@MAP.cim -F backup=Install "https://24.28.15.22/goform/ScriptUploadFirmware"
Configuration management
The configuration file contains all the settings that customize the operation of the MAP.
You can save and restore the configuration file manually, automatically, or with a tool like
cURL.
Configuration management can also be performed using the command line interface via
an SSH session. For details, see the Command Line Interface Reference Guide.
Important: When a MAP is restarted it automatically initializes itself to the default
address 192.168.1.1 on all ports. If the DHCP client is enabled, it takes about 30
seconds after the restart for the DHCP client to request an address. Therefore, for a
short period of time after restarting, the MAP may conflict with another device on the
network. This will usually not be an issue. However, if you are using an automated tool
(like cURL) to update the configuration/firmware on several MAPs at the same time, you
may experience difficulties. It is recommended that you schedule your updates to occur
in succession, leaving a three minute interval between each device.
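One way to stage the firmware upload across several MAPs at the recommended three-minute spacing while verifying the certificate instead of using -k, as an added example that is not part of the original guide. It assumes each session cookie file already exists from the login steps, uses curl's --resolve option (curl 7.21.3 or later) in place of a hosts-file entry, and uses constructed addresses and file names (ca.pem, cookie-<ip>.txt).

```python
import shlex
import subprocess
import time

CERT_HOST = "wireless.colubris.com"  # host name the guide says the certificate requires
STAGGER_SECONDS = 180                # three-minute interval recommended by the guide


def curl_base(ip, cookie_file, ca_file):
    """curl options that verify the MAP's certificate instead of passing -k."""
    return [
        "curl", "-s",
        "--cacert", ca_file,
        # Per-command stand-in for a hosts-file entry, so the same certificate
        # host name can point at a different MAP on every invocation.
        "--resolve", f"{CERT_HOST}:443:{ip}",
        "--cookie", cookie_file,
    ]


def firmware_plan(map_ips, firmware, ca_file):
    """Return one (start offset in seconds, upload argv) pair per MAP."""
    plan = []
    for index, ip in enumerate(map_ips):
        cookie_file = f"cookie-{ip}.txt"  # assumption: written by the login steps
        upload = curl_base(ip, cookie_file, ca_file) + [
            "-F", f"firmware=@{firmware}",
            "-F", "backup=Install",
            f"https://{CERT_HOST}/goform/ScriptUploadFirmware",
        ]
        plan.append((index * STAGGER_SECONDS, upload))
    return plan


def run_plan(plan, dry_run=True):
    """Run the uploads in succession; with dry_run only the schedule is returned."""
    started = time.monotonic()
    schedule = []
    for offset, argv in plan:
        schedule.append(f"+{offset:>4}s  {shlex.join(argv)}")
        if not dry_run:
            # Wait until this MAP's slot so a restarting unit on 192.168.1.1
            # never overlaps with the next one.
            time.sleep(max(0.0, offset - (time.monotonic() - started)))
            subprocess.run(argv, check=True)
    return schedule


if __name__ == "__main__":
    # Constructed addresses from the documentation range.
    sample = firmware_plan(["192.0.2.10", "192.0.2.11", "192.0.2.12"],
                           "MAP.CIM", "ca.pem")
    print("\n".join(run_plan(sample)))
```
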
Manual management
Use the Config file management option on the Maintenance menu to manage your
configuration file.
This feature enables you to maintain several configuration files with different settings,
which can be useful if you frequently need to alter the configuration of the MAP, or if you
are managing several MAPs from a central site.
Using cURL
It is possible to automate management tasks using a tool like cURL. cURL is a software
client that can be used to get/send files to/from a server using a number of different
protocols.
cURL is designed to work without user interaction or any kind of interactivity. It is
available for Windows and LINUX at: http://curl.haxx.se/. You must use version 7.9.8 or
higher.
The following cURL commands illustrate how to manage the configuration file. The
following setup is assumed:
• IP address of the MAP’s Internet port is 24.28.15.22.
• Management access to the Ethernet port is enabled.
• Configuration file is located in MAP.CFG.
These examples are non-secure (no certificates are used for authentication), but data
traffic is still encrypted.
Note: If you want to secure the connection with the MAP using certificates, you must
use the --cacert option to specify where the CA certificates are located on your
computer. This also requires that you specify the host name wireless.colubris.com
instead of using its IP address. The host name must be resolved either via a DNS server
or using the hosts file on your computer.
5. Logout.
curl -s -k --cookie cookie.txt "https://24.28.15.22/goform/Logout" -d logout=Logout
Creating a RADIUS client entry for the MAP
Any device that uses the authentication services of a RADIUS server is called a
RADIUS client (or RAS client on some systems). Therefore, each MAP is considered to
be a RADIUS client and you must define client settings on the RADIUS server for each
one that you intend to install.
Configuration settings
You may need to supply the following information when setting up a RADIUS client
entry:
• Client IP address: This is the IP address assigned to the MAP’s LAN ports.
• Shared secret: Secret the MAP will use to authenticate the packets it receives from
the RADIUS server.
Profile name
Specify a name to identify the profile.
Authentication method
Choose the default authentication method the MAP will use when exchanging
authentication packets with the primary/secondary RADIUS server defined for this
profile.
For 802.1x users, the authentication method is always determined by the 802.1x client
software and is not controlled by this setting.
If traffic between the MAP and the RADIUS server is not protected by a VPN, it is
recommended that you use either EAP-MD5 or MSCHAP V2, if supported by your
RADIUS Server. (PAP, MSCHAP V1 and CHAP are less secure protocols.)
NAS Id
Specify the network access server ID you want to use for the MAP. By default, the serial
number of the MAP is used. The MAP includes the NAS-ID attribute in all packets that it
sends to the RADIUS server.
Always try primary server first
Set this option to force the MAP to contact the primary server first.
Otherwise, the MAP sends the first RADIUS access request to the last known RADIUS
server that replied to any previous RADIUS access request. If the request times out, the
next request is sent to the other RADIUS server if defined.
For example, assume that the primary RADIUS server was not reachable and that the
secondary server responded to the last RADIUS access request. When a new
authentication request is received, the MAP sends the first RADIUS access request to
the secondary RADIUS server.
If it does not reply, the RADIUS access request is retransmitted to the primary RADIUS
server. The MAP always alternates between the two servers, when configured.
Creating user profiles on the RADIUS server
You must create at least one RADIUS user profile. Multiple user accounts can be
associated with a single RADIUS profile.
Note: The maximum number of attributes the MAP can receive in one request is 4096
bytes.
Attribute    Web Admin    802.1x    MAC
Acct-Session-Id ■ ■
Called-Station-Id ■ ■
Calling-Station-Id ■ ■
EAP-Message ■ ■
Framed-MTU ■ ■
Message-Authenticator ■ ■ ■
NAS-Identifier ■ ■ ■
NAS-Ip-Address ■ ■
NAS-Port ■ ■ ■
NAS-Port-Type ■ ■ ■
Service-Type ■ ■ ■
State ■ ■
User-Name ■ ■ ■
User-Password ■
Colubris-AVPair (SSID) ■
Descriptions
• Acct-Session-Id (32-bit unsigned integer): Random value generated per
authentication by the MAP.
• Called-Station-Id (string): BSSID of the VAP used by a wireless client, or the MAC
address of the LAN port used by a wired client. By default, the MAC address is sent in
IEEE format. For example: 00-02-03-5E-32-1A. This can be changed on the Security
> 802.1x page.
• Calling-Station-Id (string): The MAC address of the 802.1x client station. By default,
the MAC address is sent in IEEE format. For example: 00-02-03-5E-32-1A. This can
be changed on the Security > 802.1x page.
• Framed-MTU (32-bit unsigned integer): Hard-coded value of 1496.
• Message-Authenticator (string): As defined in RFC 2869. Always present even when
not doing an EAP authentication. length = 16 bytes.
• NAS-Identifier (string): The NAS ID set on the Security > RADIUS page for the
RADIUS profile being used.
• NAS-Ip-Address (32-bit unsigned integer): The IP address of the port the MAP is using
to communicate with the RADIUS server.
• NAS-Port (32-bit unsigned integer): A virtual port number starting at 1. Assigned by
the MAP. For 802.1x, this field is always set to 0.
• NAS-Port-Type (32-bit unsigned integer): Always set to 19, which represents
WIRELESS_802_11.
• Service-Type (32-bit unsigned integer): Set to Framed-User.
• State (string): As defined in RFC 2865.
• User-Name (string): The username assigned to the user. If MAC authentication is
enabled, this is the MAC address of the wireless client station.
The following attributes are mutually exclusive depending on the RADIUS authentication
method.
• User-Password (string): The password supplied by a user or device when logging in.
Encoded as defined in RFC 2865. Only present when the authentication scheme on
the Security > RADIUS > Profile 1 page is set to PAP/SecurID. If MAC authentication
is enabled, it contains the MAC address of the wireless client station.
• EAP-Message (string): As defined in RFC 2869. Only present when the
authentication scheme on the Security > RADIUS > Profile 1 page is set to EAP-
MD5.
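The Access-Request attributes described above, assembled and checked end to end as an added example (not Colubris code): it hides User-Password as RFC 2865 specifies, computes the 16-byte Message-Authenticator as RFC 2869 specifies, and then verifies both on the server side. The user name, password, shared secret, NAS ID and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, SERVICE_TYPE, FRAMED_MTU = 1, 2, 6, 12
NAS_IDENTIFIER, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 32, 61, 80


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding: XOR 16-byte blocks with an MD5 keystream."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = (password + bytes(-len(password) % 16)) or bytes(16)
    hidden, previous = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + previous).digest()
        previous = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += previous
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Server side: undo hide_password with the same secret and authenticator."""
    clear, previous = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + previous).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        previous = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def build_access_request(identifier, authenticator, secret, username, password, nas_id):
    """Client (MAP) side: PAP Access-Request with the attributes listed above."""
    attrs = b"".join([
        attr(USER_NAME, username),
        attr(USER_PASSWORD, hide_password(password, secret, authenticator)),
        attr(NAS_IDENTIFIER, nas_id),
        attr(NAS_PORT_TYPE, struct.pack("!I", 19)),   # WIRELESS_802_11
        attr(SERVICE_TYPE, struct.pack("!I", 2)),     # Framed-User
        attr(FRAMED_MTU, struct.pack("!I", 1496)),
        attr(MESSAGE_AUTHENTICATOR, bytes(16)),       # zero-filled while signing
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = bytearray(header + authenticator + attrs)
    # RFC 2869: HMAC-MD5 over the whole packet, keyed with the shared secret.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def parse_attributes(packet):
    """Yield (type, value offset, value) for every attribute after the header."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet size")
    pos = 20
    while pos < len(packet):
        size = packet[pos + 1] if pos + 1 < len(packet) else 0
        if size < 2 or pos + size > len(packet):
            raise ValueError("malformed attribute")
        yield packet[pos], pos + 2, packet[pos + 2:pos + size]
        pos += size


def check_access_request(packet, secret):
    """Server side: verify Message-Authenticator, then return (user, password)."""
    zeroed, fields = bytearray(packet), {}
    for attr_type, offset, value in parse_attributes(packet):
        fields[attr_type] = value
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed[offset:offset + 16] = bytes(16)
    received = fields.get(MESSAGE_AUTHENTICATOR, b"")
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        raise ValueError("Message-Authenticator missing or invalid")
    hidden = fields.get(USER_PASSWORD, b"")
    return fields.get(USER_NAME, b""), reveal_password(hidden, secret, packet[4:20])


# Constructed sample values; a real client draws the authenticator at random.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
SAMPLE = build_access_request(7, AUTHENTICATOR, SECRET, b"alice",
                              b"correct horse battery", b"SERIAL-PLACEHOLDER")

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(check_access_request(SAMPLE, SECRET))
```

A packet altered in transit, or one signed with a different shared secret, fails the Message-Authenticator comparison before the password is ever decoded.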
Access Accept
Attribute    Web Admin    802.1x    MAC
Class ■
EAP-Message ■
MS-MPPE-Recv-Key ■
MS-MPPE-Send-Key ■
Session-Timeout ■ ■
Termination-Action ■ ■
Tunnel-Medium-Type ■
Tunnel-Private-Group-ID ■
Tunnel-Type ■
Descriptions
• Class (string): As defined in RFC 2865. Multiple instances are supported.
• EAP-Message (string): Note that the content will not be read as the RADIUS Access
Accept overrides whatever indication is contained inside this packet.
• MS-MPPE-Recv-Key: As defined by RFC 3078.
• MS-MPPE-Send-Key: As defined by RFC 3078.
• Session-Timeout (32-bit unsigned integer): Maximum time a session can be active.
After this interval, the 802.1x client is re-authenticated.
• Termination-Action: As defined by RFC 2865. If set to 1, customer traffic is not allowed
during the 802.1x re-authentication.
• Tunnel-Medium-Type: Only used when assigning a specific VLAN number to a
customer. In this case it must be set to 802.
• Tunnel-Private-Group-ID: Only used when assigning a specific VLAN number to a
customer. In this case it must be set to the VLAN ID.
• Tunnel-Type: Only used when assigning a specific VLAN number to a customer. In
this case it must be set to VLAN.
Access Reject
None.
Access Challenge
Attribute    Web Admin    802.1x    MAC
EAP-Message ■
Message-Authenticator ■
State ■
Descriptions
• EAP-Message (string): As defined in RFC 2869.
• Message-Authenticator (string): As defined in RFC 2869. Always present even when
not doing an EAP authentication. length = 16 bytes.
• State (string): As defined in RFC 2865.
Accounting request
Attribute    Web Admin    802.1x    MAC
Acct-Session-Id ■ ■
Acct-Session-Time ■
Acct-Status-Type ■ ■
Called-Station-Id ■ ■
Calling-Station-Id ■ ■
Class ■ ■
Framed-MTU ■
NAS-Identifier ■ ■
NAS-Port ■ ■
NAS-Port-Type ■ ■
User-Name ■ ■
Colubris-AVPair (SSID) ■
Descriptions
• Acct-Session-Id (32-bit unsigned integer): Random value generated by the MAP.
• Acct-Session-Time (32-bit unsigned integer): Number of seconds since this session
was authenticated.
• Acct-Status-Type (32-bit unsigned integer): Supported values are Accounting-On (7)
and Accounting-Off (8).
• Called-Station-Id (string): BSSID of the wireless client, or the MAC address of the
LAN port used by a wired client. By default, the MAC address is sent in IEEE format.
For example: 00-02-03-5E-32-1A. This can be changed on the Security > 802.1x
page.
• Calling-Station-Id (string): The MAC address of the 802.1x client station. By default,
the MAC address is sent in IEEE format. For example: 00-02-03-5E-32-1A. This can
be changed on the Security > 802.1x page.
• Class (string): As defined in RFC 2865. Multiple instances are supported.
• Framed-MTU (32-bit unsigned integer): Hard-coded value of 1496. The value is
always four bytes lower than the wireless MTU maximum, which is 1500 bytes, in order
to support IEEE 802.1x authentication.
• NAS-Identifier (string): The NAS ID set on the Security > RADIUS page for the profile
being used.
• NAS-Port (32-bit unsigned integer): Always 0.
• NAS-Port-Type (32-bit unsigned integer): Always set to 19, which represents
WIRELESS_802_11.
• User-Name (string): The RADIUS username provided by the 802.1x client.
• Colubris-AVPair (SSID): SSID that the customer is associated with.
Accounting response
None.
Creating administrator profiles on the RADIUS server
If you want to support multiple administrator names and passwords, you must use a
RADIUS server to manage them. The MAP only supports a single admin name and
password internally.
Important: Improper configuration of the administrator profile could expose the MAP to
access by any user with a valid account. The only thing that distinguishes an
administrative account from that of a standard user account is the setting of the service
type. Make sure that a user is not granted access if service type is not Administrative.
Chapter 3: Public access scenarios
This chapter provides sample deployment strategies for common
scenarios. These scenarios will give you a good idea on how to
approach your installation.
In this chapter
The following scenarios are provided in this chapter.
How it works
In this scenario several MAPs are connected to an InMotion MultiService Controller,
(MSC-3200/3300) via a backbone LAN to provide wireless cells for a public access
network. Customers can roam between access points without losing their connections
to the public access network.
Each MAP is configured as a DHCP client and obtains its address from the MSC-3200/
3300 which is configured as the DHCP server.
The MultiService Controller handles all customer logins by using the services of a
RADIUS server installed at a remote network operating center.
[Figure: network diagram. Labels: RADIUS server, Management station, LAN, MSC-3200/MSC-3300, MAP, PUBLIC WLAN.]
Configuration roadmap
Note: This scenario assumes that the MSC-3300 is properly installed and configured.
Install the MAPs
1. Install the MAPs as described in Chapter 1.
2. Before you connect each unit to the LAN, start the management tool and configure
each unit as described in the sections that follow.
Note: By default, one radio on the MAP-330 is used to provide the wireless network and
the other is placed into Monitor mode (page 38).
How it works
In this scenario three VAPs are created on each MAP. Each VAP provides support for a
different security option: 802.1x, WPA, and none.
To connect with the wireless network, customers must choose the SSID of the VAP that
matches the option that they want to use. Roaming is supported since all VAPs are
defined on all access points.
[Figure: network diagram. Labels: RADIUS server, Management station, LAN, MSC-3200/MSC-3300, MAP.]
WPA
• In the General box, enable Use Colubris access controller.
• In the SSID box, set WLAN name to WPA.
• In the Wireless protection box:
• Enable WPA.
• Set Mode to Mixed.
• Set Key source protection to RADIUS.
8021x
• In the SSID box, set WLAN name to 8021x.
• In the Wireless protection box:
• Enable 802.1x.
• Enable the WEP encryption option.
How it works
In this scenario, a new MAP (unit B in the diagram) is added to the network and
connected to the MSC-3200/3300 via a wireless bridge. The same wireless profiles are
defined on this unit, enabling full roaming support. In order for the bridge to be
successful, the wireless cells of units A and B must overlap, and both units must be
operating in the same mode and on the same channel.
[Figure: network diagram. Labels: RADIUS server, Management station, LAN, MSC-3200/MSC-3300, MAP, units A and B, wireless bridge.]
Performance adjustments
Once both units have been configured:
1. Open the Tools > Ping page on one unit and ping the other one to make sure that
the bridge is working.
2. Open the Status > Wireless page.
3. Using the SNR value in the Wireless bridging status box as a guide, adjust the
antennas to obtain the best possible value. A value > 20 is good. After each change,
allow a minimum of two minutes for the Link speed field to settle down and report its
new value.
How it works
In this scenario, a wireless network is shared between company employees and paying
customers.
Employees connect using the SSID Private and are routed to the corporate network on
VLAN 50 where they are authenticated. This traffic by-passes all security and
authentication functions on the MAP, including the DHCP services. This is a pure tunnel
through the MAP. The only service that is provided is tagging the traffic with a VLAN ID.
Customers connect using the SSID Public and log in via the MSC-3200/3300’s public
access interface. The MAP authenticates customers using the ISP RADIUS server.
Once authenticated, customer traffic is forwarded on VLAN 60 so it can reach the
Internet.
[Figure: network diagram. Labels: Corporate RADIUS server, ISP RADIUS server, Corporate Intranet, Firewall, Switch, VLAN 50, VLAN 60, 192.168.5.5, 192.168.5.1, Employees, MSC-3200/MSC-3300, MAP, Employee, Guest.]
Define VLANs
Configure the VLAN as follows:
Private
• Set Port to Internet port.
• Set VLAN ID to 50.
• Set Assign IP address via to Static.
• Set IP address to 192.168.5.1.
• Set Mask to 255.255.255.0.
• Leave Gateway blank.
Public
• Set Port to Internet port.
• Set VLAN ID to 60.
• Set Assign IP address via to DHCP.
Private
This profile must be defined first in order to support the wired employees, since
untagged incoming traffic on the LAN port is always sent to the first VAP profile.
• Enable Provide access control.
• Set SSID to Private.
• Set VAP ingress mapping to SSID.
Public
• Enable Provide access control.
• Set SSID to Public.
• Set VAP ingress mapping to SSID.
• Set VAP egress mapping to VLAN and then select Public.
• Enable HTML-based user logins.
• Select RADIUS profile ISPRADIUS.
How it works
In this scenario, the traffic exchanged between the MAP and the MSC-3200/3300 is
separated onto two different VLANs for security reasons: VLAN 30 is used for the
exchange of management traffic and VLAN 50 is used for customer sessions.
The MAP has a single wireless profile with an SSID of Customer that forwards all
authenticated customer traffic to the MSC-3200/3300 on VLAN 50. In addition, the
default VLAN is set to 30. This VLAN is used to exchange management traffic with the
MSC-3200/3300.
On the MSC-3200/3300, a VAP profile (named Customer) is created with a matching
SSID of Customer. This is required so it can properly process the incoming customer
traffic from the MAP, which is identified with the SSID Customer. This traffic is forwarded
onto the Internet port untagged.
Customers are authenticated by the MSC-3200/3300 using the services of the remote
RADIUS server.
[Figure: network diagram. Labels: RADIUS server, Internet port, MSC-3200/MSC-3300, 192.168.30.2, LAN port 1, MAP, SSID = Customer.]
Define VLANs
Configure the VLAN as follows:
Customer
• Set Port to LAN port.
• Set VLAN ID to 50.
• Set Assign IP address via to None.
Manage
• Set Port to LAN port.
• Set VLAN ID to 30.
• Set Assign IP address via to Static.
• Set IP address to 192.168.30.1.
• Set Mask to 255.255.255.0.
• Leave Gateway blank.
How it works
When the MAP is installed behind a MultiService Controller, enabling remote access to
the management tool requires configuration settings to be defined on the MultiService
Controller, the RADIUS server, and the MAP. This section explains how to accomplish
this for the following two topologies:
[Figure: two network diagrams, Topology A and Topology B. Labels: RADIUS server, Management station, VPN server, VPN tunnel, InMotion MultiService Controller, PUBLIC WLAN, MAPs A and B; networks 192.168.20.0, 192.168.10.0 and 192.168.1.0.]
Static NAT mappings are used on the MSC-3200/3300 to direct traffic to the proper
MAP. MAC address authentication enables the MAPs to log into the public access
network. Access list definitions allow traffic to be sent from the MAPs to the
management stations.
The following sections explain these configuration settings in more detail.
Chapter 4: Enterprise scenarios
This chapter provides sample deployment strategies for common
scenarios when using the MAP in an enterprise network. These scenarios
will give you a good idea on how to approach your installation.
In this chapter
The following scenarios are provided in this chapter.
How it works
In this scenario the MAP provides secure networking via 802.1x and uses an existing
RADIUS server on the corporate network to validate employee logins.
[Figure: RADIUS server on the corporate intranet; WLAN clients secured with WPA]
Configure addressing
Network > Ports
Set the IP addressing method required by the corporate network.
How it works
In this scenario the virtual access point capabilities of the MAP are used to provide a
wireless architecture that mirrors the segmented configuration of the backbone LAN.
Wireless traffic is secured using either WEP or WPA, and leverages the existing
corporate RADIUS server for user authentication.
Because each MAP features an identical wireless setup, users are able to roam
between access points without losing their network connection.
[Figure: network diagram. Labels: RADIUS and DHCP server; Server 1; Server 2; Router/Firewall; Layer 3 switch with trunk port; 802.1Q trunk; MAP; LAN port; VLAN=40, VLAN=50, VLAN=60; SSID=Priv_WPA, SSID=Priv_WEP, SSID=Guest]
Addressing details
• The MAPs are connected to the layer 3 switch via a LAN port. Each MAP has a
unique static IP address on the 50.0 segment.
• Employees on the Guest, Priv_WPA, and Priv_WEP SSIDs are bridged to the
appropriate VLAN. This means that they receive an IP address from the DHCP server
on the network.
• The Layer 3 switch provides routing between VLAN 60 and VLAN 40, enabling
employees to access the Internet.
roadmap
Install the MAP
1. Install the MAP as described in Chapter 1.
2. Before you connect the MAP to the LAN, start the management tool and configure
each unit as described in the sections that follow.
How it works
In this scenario a corporate network uses three MAPs to provide wireless access for
employees. Units A and B are directly connected to the backbone LAN, while unit C is
connected via a wireless bridge.
Each MAP features two VAPs, one for HTML users and one for 802.1x users.
In order for the bridge to be successful, the wireless cells of units A and B must overlap,
and both units must be operating in the same wireless mode and on the same channel.
[Figure: RADIUS server and management station on the LAN; MAP units A, B and C; employee workstations]
Performance adjustments
Once both units have been configured:
1. Open the Tools > Ping page on one unit and ping the other one to make sure that
the bridge is working.
2. Open the Status > Wireless page.
3. Using the SNR value in the Wireless bridging status box as a guide, adjust the
antennas to obtain the highest possible value. A value > 20 is good. After each change,
allow a minimum of two minutes for the Link speed field to settle down and report its
new value.
How it works
In this scenario, two MAPs are used to wirelessly link the networks in two offices located
in neighboring buildings. This enables workers in both offices to share data and
resources as if they were on the same network. To maximize signal power, directional
antennas are used to establish the connection, which must be line-of-sight.
Single-radio
When using single-radio units with a directional antenna, a local wireless network
cannot be created at each office. Instead, the MAPs are directly connected to the
backbone LANs in each office.
[Figure: secure link between two antennas]
Dual-radio
With dual-radio units, radio 1 can be used to establish the link and radio 2 can be
used to provide wireless networking.
[Figure: secure link between two antennas]
single radio
2. Before you connect the MAP to the LAN, start the management tool and configure
each unit as described in the sections that follow.
Performance adjustments
Once both units have been configured:
1. Open the Tools > Ping page on one unit and ping the other one to make sure that
the bridge is working.
2. Open the Status > Wireless page.
3. Using the SNR value in the Wireless bridging status box as a guide, adjust the
antennas to obtain the highest possible value. A value > 20 is good. After each change,
allow a minimum of two minutes for the Link speed field to settle down and report its
new value.
Performance adjustments
Once both units have been configured:
1. Open the Tools > Ping page on one unit and ping the other one to make sure that
the bridge is working.
2. Open the Status > Wireless page.
3. Using the SNR value in the Wireless bridging status box as a guide, adjust the
antennas to obtain the highest possible value. A value > 20 is good. After each change,
allow a minimum of two minutes for the Link speed field to settle down and report its
new value.
How it works
In this scenario, the MAP provides three different wireless networks and uses QoS
settings to prioritize traffic.
• Employee: This network is for use by all employees. It features a QoS setting that
provides for normal traffic priority, and restricts traffic to the corporate VPN server.
Employees use PPTP client software to connect with the corporate VPN server.
• Guest: This network is for use by guests. It features WEP security and a QoS setting
that provides for low traffic priority.
• Video: This network is for video conferencing. It features a QoS setting that provides
for high traffic priority, and restricts traffic to the corporate VPN server. Employees use
PPTP client software to connect with the corporate VPN server.
[Figure: MAP connected to the corporate backbone, offering SSID=Guest (QoS=SSID-based Low), SSID=Employee (QoS=SSID-based Normal) and SSID=Video (QoS=SSID-based High)]
How it works
In this scenario, a new profile is added to support wireless phones. Authentication of
phones is accomplished by adding the MAC address of each phone to an internal list
maintained on the MAP. Only phones that appear in the list can connect.
[Figure: MAP connected to the corporate backbone, offering SSID=Phone (QoS=Diffsrv), SSID=Guest (QoS=SSID-based Low), SSID=Employee (QoS=SSID-based Normal) and SSID=Video (QoS=SSID-based High)]
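The following is an added example, not part of the Colubris guide or its software: a pre-check for a phone MAC inventory before the addresses are entered into the MAP's list, followed by the list-membership decision described above. The inventory format, the function names and the sample addresses are assumptions made for this illustration.

```python
import re

def normalize_mac(text):
    """Return 'aa:bb:cc:dd:ee:ff', or None if text is not 48 bits of hex."""
    digits = re.sub(r"[:.\-\s]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_allow_list(entries):
    """Return (usable allow-list, [(raw entry, problem), ...])."""
    allowed, problems = set(), []
    for raw in entries:
        mac = normalize_mac(raw)
        if mac is None:
            problems.append((raw, "not a valid MAC address"))
            continue
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01:
            # Group bit set: multicast/broadcast, never a station's own address.
            problems.append((raw, "group address"))
            continue
        if first_octet & 0x02:
            # Kept, but flagged: not a vendor-assigned (burned-in) address.
            problems.append((raw, "locally administered address"))
        if mac in allowed:
            problems.append((raw, "duplicate entry"))
        allowed.add(mac)
    return allowed, problems

def is_allowed(station_mac, allowed):
    """Connect only if the station's address appears in the list."""
    mac = normalize_mac(station_mac)
    return mac is not None and mac in allowed

# Constructed sample inventory; every address here is made up.
SAMPLE = [
    "00:11:22:33:44:55",
    "00-11-22-33-44-55",  # same phone, different notation
    "0011.2233.4466",
    "01:00:5E:00:00:01",  # group bit set
    "02:11:22:33:44:77",  # locally administered bit set
    "00:11:22:33:44",     # truncated
]

if __name__ == "__main__":
    allowed, problems = audit_allow_list(SAMPLE)
    print(sorted(allowed))
    for raw, why in problems:
        print(f"{raw!r}: {why}")
```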
Chapter 5: More from Colubris
In this chapter you can find information about the resources that are
available to you at the Colubris website, as well as information about how
to contact Colubris support, training, and sales.
Colubris.com
Visit Colubris.com to access Datasheets, Whitepapers, Case Studies, and
Solution Guides. From the left side of the homepage, select Literature in order to view
these menu items. Access to this material is free and does not require product
registration.
For registered customers
By registering your product at Colubris.com, you can access the information listed
below.
To register, simply go to Colubris.com and from the left side of the home page select
Support > Product Registration. Complete and submit the Product Registration
Form in order to gain access to the support area of the website.
Once you register your product purchase with Colubris, you can log in and access the
following information:
• Technical documentation
• Administrator’s guides
• Quickstart guides
• Quick setup tools
• SNMP MIBs
• Software license agreement
• Return Material Authorization (RMA) procedures and forms
For Annual Maintenance Support Program customers
Colubris Networks offers a comprehensive set of annual support programs that focus on
the hardware and software content of Colubris' award-winning family of secure Wi-Fi
solutions.
Annual Maintenance Support Programs provide a broad level of hardware and software
assistance that combines various elements of support:
• Telephone-based technical support
• Hardware support
• Software support
When visiting Colubris.com, customers who have purchased an Annual Maintenance
Support Program can access the following information in addition to the website
material discussed above:
• FAQs
• Technical notes
• Release notes
• Software downloads