
MAP-320/MAP-330

Administrator’s Guide
Release 3.1.0 (August 2005) 43-10-0320-12

Copyright © 2005 Colubris Networks Inc. All rights reserved, including those to
reproduce this document or parts thereof in any form without written permission from
Colubris Networks Inc.

Colubris is a registered trademark, and the Colubris Networks logo, the tag line “The
Intelligent Wireless Networking Choice,” InReach, InMotion, InCharge, and TriPlane are
trademarks of Colubris Networks Inc., in the United States and other countries.
All other product and brand names are the service marks, trademarks, registered
trademarks, or registered service marks of their respective owners.

Changes are periodically made to the information herein; these changes will be
incorporated into new editions of the document.
You can download the most up-to-date product information from the Colubris Networks
website. Go to www.colubris.com and on the homepage at left select Support >
Product Registration.

Colubris Networks Inc.


200 West Street Ste 300
Waltham, Massachusetts 02451-1121
UNITED STATES
Phone: +1 781 684 0001
Fax: +1 781 684 0009

Sales Information—sales@colubris.com
Customer Support—support@colubris.com
Training—training@colubris.com

http://www.colubris.com
Contents

Chapter 1: Introduction
    About this guide
        Important terms
        Typographical conventions
        Warnings, cautions, and notes
        Related documents
    Hardware overview
        Front and rear panels
        Radio
        Antennas
        Ethernet port(s)
        Powering the MAP
        Status lights
        Radio(s)
        Reset button
    Hardware Installation
        Mounting options
        Daisy-chaining
        Configuring the MAP

Chapter 2: How it works
    Overview
        Public access deployment
        Enterprise deployment
    Management Tool
        Management station
        Starting the Management Tool
        Administrator account
        Security
    Virtual access points
        Setting up a VAP
        General
        SSID
        Egress VLAN
        Wireless security filters
        Wireless protection
        MAC-based authentication
        MAC filter
        IP filter
    Working with an access controller
        Connecting to a Colubris access controller
        Using other access controllers
    Customer authentication and access control
        Authentication methods
        Access control
        Using multiple authentication mechanisms
    Wireless coverage
        Wireless mode
        Factors limiting wireless coverage
        Configuring overlapping wireless cells
        Conducting a site survey
        Identifying unauthorized access points
    RF channel management
        Automatic channel selection
        Dynamic channel selection
        DFS/TPC
        Automatic power adjustment
        Service sensor
    RF performance
        Client station data rate limits
        Multicast rate limit
    Addressing
        Default settings
        DNS
    Layer 2 security
        Session limits
        Authentication
        Security options
        Do not broadcast wireless network name
    Wireless bridging
        RF extension
        Building-to-building connections
        Important
        Setting up a wireless link
        Advanced settings
    VLAN support
        Creating VLANs
        Assigning traffic to VLANs
        VLAN bridging
    Quality of service (QoS)
        Traffic queues
        QoS priority mechanisms
        QoS example
    Firmware management
        Manual update
        Scheduled install
        Using cURL
    Configuration management
        Manual management
        Using cURL
    Using a RADIUS server
        Creating a RADIUS client entry for the MAP
        Creating user profiles on the RADIUS server
        Creating administrator profiles on the RADIUS server

Chapter 3: Public access scenarios
    In this chapter
    Scenario 1a: Public access network with roaming
        How it works
        Configuration roadmap
    Scenario 1b: Adding layer 2 security
        How it works
        Configuration roadmap
    Scenario 1c: Adding wireless bridging
        How it works
        Configuration roadmap
    Scenario 2: Supporting public and private access with VLANs
        How it works
        Configuration roadmap
    Scenario 3: Segregating management traffic using VLANs
        How it works
        Configuration roadmap
    Scenario 4: Remote management
        How it works
        On the MSC-3200/3300
        On the RADIUS server

Chapter 4: Enterprise scenarios
    In this chapter
    Scenario 1: Integrating secure wireless networking
        How it works
        Configuration roadmap
    Scenario 2: Integrating into a segmented network
        How it works
        Configuration roadmap
    Scenario 3: Wireless bridging - RF extension
        How it works
        Configuration roadmap
    Scenario 4: Wireless bridging - point-to-point wireless link
        How it works
        Configuration roadmap - single radio
        Configuration roadmap - dual radios
    Scenario 5a: Using multiple wireless profiles and QoS
        How it works
        Configuration roadmap
    Scenario 5b: Supporting Spectralink phones
        How it works
        Configuration roadmap

Chapter 5: More from Colubris
    Colubris.com
        For registered customers
        For Annual Maintenance Support Program customers
    Information by telephone and e-mail

Chapter 1: Introduction

In this chapter you will find an explanation of the conventions used in
this manual, an overview of the hardware, and instructions on how to
power up an InReach™ MultiService Access Point (MAP).

About this guide


This manual describes how to install, configure, and operate Colubris® Networks
MAP-320 and MAP-330 MultiService Access Points. The difference between these two
products is the presence of a second radio on the MAP-330.

Important terms

Term
    Description

MAP
    The acronym MAP is used to refer to the MAP-320 and MAP-330.

InMotion MultiService Controller
    Refers to all Colubris Networks products that are part of the InMotion family
    (including the MSC-3200, MSC-3300, MSC-5200, MSC-5500 and MGW-3500).

Customer
    The term customer refers to any person or device that logs into the public access
    network created by a Colubris Networks Access Point.

Typographical conventions

Example
    Description

Network > Ports
    When referring to the management tool web interface, items in bold type identify
    menu commands or input fields. They are presented exactly as they appear on
    screen. Submenus are indicated using the ‘>’ sign. The example refers to the Ports
    submenu, which is found under the Network menu.

ip_address
    Items in italics are parameters that you must supply a value for.

use-access-list=usename
    Monospaced text is used to present command line output, program listings, or
    commands that are entered into configuration files or profiles.

ssl-certificate=URL [%s]
    Items enclosed in square brackets are optional. You can either include them or
    not. Do not include the brackets.

[ONE | TWO]
    Items separated by a vertical line indicate one or more choices. Specify only one
    of the items.

Note: The Management Tool web interface is an element management system that is
distinct from the Colubris Networks InCharge™ network management system.


Warnings, cautions, and notes

Lead
    Description

Warning!
    Warnings provide information that you must follow to avoid the risk of physical
    injury.

Caution!
    Cautions provide information that you must follow to avoid damage to the hardware
    or software components of the system.

Note:
    Notes provide important information about a procedure or topic.

Related documents

This guide may refer to the following documents. Instructions on how to access
additional documentation are given on the copyright page.

Document
    Provides you with . . .

Technical Reference Guide
    Detailed examples for using third-party RADIUS servers, the Colubris back-end
    archive, and certificates. It also covers a number of other technical topics.


Hardware overview

Front and rear panels

[Figure: MAP-320/MAP-330 front panel. Labels: Radio 1 (Main and Aux connectors),
Ethernet ports 1 and 2 (802.3af), 5 volts power connector, power light, Ethernet
light, wireless light, reset button.]

[Figure: MAP-330 rear panel. Labels: Radio 2 (Main and Aux connectors).]

Radio

• The MAP-320 has a single radio with two antenna connectors. It can create a single
wireless cell.
• The MAP-330 has two radios, each with two antenna connectors. Each radio can
create a single wireless cell. Radio 1 connectors are located on the front panel, and
radio 2 connectors are located on the rear panel.


Antennas

Each radio is supported by two antenna connectors, which are used to transmit and
receive on a single wireless cell. If a single antenna is used, it can be attached to either
connector.

Connector type
The connectors are reverse-polarity SMA male jacks. This means antennas or cable
connectors must be SMA female connectors with reverse polarity. Antennas can be
either directly attached or attached via a coax cable. When using a coax cable, it is
recommended that you connect it to the MAIN connector.

Antenna diversity
The MAP supports both transmit and receive diversity.
Transmit diversity
For a given client station connection, the MAP always transmits on the antenna it
receives on. If transmission fails, the MAP automatically switches antennas and retries.
Receive diversity
• In 802.11b, the MAP performs selection diversity: on a per-frame basis, it selects
the receive antenna based on the SNR calculated while receiving the preamble.
• For 802.11a and 802.11g, including mixed 802.11b and 802.11g, the receiver
switches antennas when the signal quality goes below a certain threshold.

Ethernet port(s)

The MAP has two 10/100 Mbps Ethernet ports with RJ-45 connectors. These ports are
bridged together and are functionally identical except that only port 1 supports Power
over Ethernet.
Note: Do not connect the Ethernet ports directly to a metropolitan area network (MAN)
or wide area network (WAN).
Important: All Ethernet port connections must be made with a shielded Ethernet cable.

Powering the MAP

There are two ways to power the MAP: DC adapter or PoE.

DC power adapter
The supplied DC power adapter provides 2A at 5V.
Important: The power adapter is not rated for use in plenum installations.

Power over Ethernet (PoE)


The MAP supports PoE on LAN port 1 and can be used with any IEEE 802.3af switch or
power injector. The MAP will interoperate with any 802.3af compatible device, including
mid-span power injectors or 802.3af compatible Ethernet switches/hubs.
Important: Cisco PoE injectors are not compliant with IEEE 802.3af and cannot be
used with the MAP.


Status lights

The status lights provide the following operational information.

Power
    on: The MAP is fully operational.
    flashing: The MAP is starting up.
    off: Power is off.

Ethernet
    on: LED comes on for a short period when the link is established.
    flashing: Indicates that an Ethernet port is transmitting or receiving.
    off: Ports are not connected or there is no activity.

Wireless
    flashing: Wireless port is receiving data.

Startup behavior
When power is applied to the MAP, the power light will start flashing. When the power
light stops flashing, initialization is complete and the MAP is fully operational.

Radio(s)

The MAP provides support for IEEE 802.11a and 802.11b/g technologies which can be
configured in real-time for complete flexibility of operation.
• When operating in 802.11a mode, the radio supports data rates of up to 54 Mbps.
• When operating in 802.11b/g mode, the radio provides data rates up to 54 Mbps.
The power output of the radio and the operating channels (frequencies) that are
available are governed by the regulations in your country. The MAP automatically
provides the appropriate range of operating values for you to choose from.

Reset button

Use the end of a paper clip or another pointed object to press the reset button.

Restarting
Press and release the button quickly to restart the MAP. This is equivalent to
disconnecting and reconnecting the power. The MAP will restart immediately.

Resetting to factory defaults


To reset the MAP to its factory default settings, do the following:
1. Press and hold the reset button. All the lights on the MAP back panel will light up.
2. When the lights begin to flash (after about five seconds), immediately release the
button.
3. The MAP will restart with factory default settings. When the power light stops
flashing, the MAP is fully operational.
Important: Resetting the MAP deletes all your configuration settings, resets the
Administrator username and password to ‘admin’, and sets the IP address of all ports
via DHCP. If a DHCP server is not found connected to the Ethernet ports, the address
192.168.1.1 is assigned to all ports (Ethernet and wireless).


Hardware Installation
Important: Installation must be performed by a professional installer familiar with local
regulations governing wireless devices.

Mounting options

When mounting the MAP on a wall, ceiling or other surface, make sure that:
• the surface you attach the MAP to and the fasteners you use are able to support at
least 5.1 kg (11.25 pounds)
• cable pull (accidental or otherwise) does not make the unit exceed the 5.1 kg (11.25
pound) limit

Plenum installations
Plenum rated cables and attachment hardware must be used if the MAP is installed in a
plenum. Since the power adapter is not rated for plenum installations, only the MAP and
appropriate cabling can be located in the plenum.
Note: Colubris Networks supplied PoE injectors (available separately) cannot be
installed inside the plenum.

Mounting bracket
An optional mounting bracket is available. Contact Colubris Networks for details.

Daisy-chaining

MAPs can be daisy-chained together to eliminate the need for a backbone LAN. Use a
cross-over cable to connect the units as illustrated.
Note: VLANs are not supported when the units are daisy-chained.

[Figure: two daisy-chain layouts. In the first, three MAPs are linked port 2 to port 1
with cross-over cables, and the last MAP connects by cross-over cable to the LAN port
of an InMotion MultiService Controller. In the second, three MAPs are linked the same
way, and the last MAP connects by standard cable to a hub/switch.]

Configuring the MAP

Before attaching the MAP to your network, it is recommended that you start the
management tool and define basic configuration settings as outlined in the Quick Start
Guide. Once this is done, refer to Chapter 2 for additional configuration information.

Chapter 2: How it works

The Colubris® Networks InReach™ MultiService Access Points are
highly-scalable solutions that offer leading-edge security and
manageability features specifically designed for a wide range of
networking environments.

This chapter describes the most important features of the InReach
MAP-320 and MAP-330 and explains how they can be used to address a wide
range of wireless connectivity challenges.

Overview
The MAP can be used as a stand-alone access point or as a satellite in conjunction with
other Colubris® Networks products. As a satellite, the role of the MAP is to extend the
wireless network and provide intelligent data forwarding to maintain the security of the
network.
When multiple MAPs are deployed they can be:
• Daisy-chained by connecting the Ethernet ports on two units with a cross-over cable.
• Interconnected using a backbone LAN.
• Linked through a wireless bridge. The MAP can establish wireless links with up to six
other units.

Public access deployment

The following diagram illustrates the MAP in use in a public access network.

[Figure: public access deployment. Labels: protected network resources, InMotion
MultiService Controller, RADIUS server, backbone LAN, public WLAN cells, daisy chain,
wireless bridge.]

The MAP uses the services of an access controller (such as a Colubris Networks
InCharge™ MultiService Controller) to manage customer logins to the public access
network. In most setups, the access controller will take advantage of a RADIUS server
to store the customer accounts.
To maintain the security of the network, the MAP employs a security filter that only
allows traffic to flow between itself and the access controller. This prevents wireless
stations from accessing resources on the backbone LAN.


To reach the protected network resources, wireless customers must successfully log in
to the public access interface managed by the access controller.
For detailed scenarios illustrating how the MAP can be deployed in a public access
environment, see Chapter 3.

Enterprise deployment

The following diagram illustrates the MAP in use in an enterprise network.

[Figure: enterprise deployment. Labels: corporate backbone, RADIUS server, backbone
LAN, public WLAN cells, daisy chain, wireless bridge.]

In this type of scenario, the MAP provides wireless access to users of a corporate
network. The MAP supports 802.1x/WPA and WEP security. User authentication is
handled via the corporate RADIUS server.
Support for multiple SSIDs, QoS, and VLANs makes the MAP an effective tool for
delivering wireless access in the corporate environment.
For detailed scenarios illustrating how the MAP can be deployed in an enterprise
environment, see Chapter 4.


Management Tool
The Management Tool is a Web-based interface to the MAP that provides easy access
to all configuration functions.

Management station

The management station is the computer that an administrator uses to connect to the
Management Tool. To act as a management station, a computer must
• Have a JavaScript-enabled Web browser installed (Netscape 7.01 or higher, or
Internet Explorer 6.0 or higher with all updates)
• Be able to establish an IP connection with the MAP, either through the wireless port or
LAN ports

Configuring the management station for wireless access


Install and configure the wireless adapter in the management station according to the
directions that came with it. During installation make sure that:
• Encryption is disabled.
• TCP/IP is installed and configured with addressing set to DHCP.
• The SSID is set to “Colubris Networks”.

Configuring the management station for wired access


Install and configure a network adapter in the management station according to the
directions that came with it. During installation make sure that:
• TCP/IP is installed and configured with addressing set to DHCP.
• The management station is connected to either of the MAP’s LAN ports using a shielded
cross-over cable.

Starting the Management Tool
1. Start your Web browser.
2. If the MAP is directly connected to the management station via a cross-over cable,
specify the following in the address box: HTTPS://192.168.1.1.
3. Press Enter. You will be prompted to accept a Colubris Networks security certificate.
To safeguard the security of the MAP, access to the management tool must occur
via a secure connection. Before this connection can be established, you must accept
a Colubris Networks security certificate. The procedure for accepting the certificate
varies depending on the browser you are using. You must accept the certificate to
continue. (To eliminate this warning message you can install your own certificate.)
4. After you accept the Colubris Networks certificate, the management tool Login page
opens. By default, the username and password are both set to admin.

Administrator account

Administrator password
Access to the management tool is protected by a username and password. The factory
default setting for both is admin. It is recommended that you change both using the
Management > Management tool page.
Caution! If you forget the administrator password, the only way to gain access to the
Management Tool is to reset the MAP to factory default settings. See “Resetting to
factory defaults” on page 10.

Account policy
To maintain the integrity of the configuration settings, only one administrator can be
connected to the management tool at a given time. To prevent the management tool
from being locked up by an idle administrator, two mechanisms are in place:
• If an administrator’s connection to the management tool remains idle for more than ten
minutes, the MAP automatically logs the administrator out.
• If a second administrator connects to the management tool and logs in with the
correct username and password, the first administrator’s session is terminated. If
required, you can disable this mechanism on the Management > Management tool
page.

Validating administrator logins using a RADIUS server


You can use a RADIUS server to authenticate logins to the management tool. One
advantage of this is that it enables you to create several administrator accounts, each
with its own username and password.
Important: Make sure that the RADIUS profile you select is configured and that the
administrator account is defined on a functioning RADIUS server. If not, you will not be
able to log back into the MAP because the administrator password cannot be
authenticated.
To configure RADIUS authentication, do the following:
1. Open the Security > RADIUS page.
2. Click Add New Profile.
3. Define the settings for the RADIUS server you want to use to validate administrator
logins.
4. Click Save.
5. On the main menu, click Management.
6. Click Management tool.
7. In the Administrator authentication box, select the RADIUS profile you configured.
8. Click Save.

Security
The management tool is protected by the following security features.

HTTPS
Communication between the management station and the MAP occurs via HTTPS.
Before logging on to the management tool, administrators must accept a Colubris
Networks certificate. You can replace this certificate with your own.

Port blocking
Access to the management tool can be explicitly enabled/disabled for each of the
following:
• Wireless port
• Ethernet ports
• VLANs

Virtual access points


The MAP enables you to create up to 16 virtual access points (VAPs), each with its
own configuration settings. Each VAP is a distinct entity, and can provide its own
wireless network (SSID), user authentication settings, QoS, and output mappings.
VAPs enable you to control and customize how the MAP handles wireless traffic and
customer authentication.

Setting up a VAP
To set up a VAP, use the Virtual AP > Profiles page. By default, the Colubris
Networks VAP is defined.
Click the name to customize the VAP. The VAP Add/Edit page opens. By default, it
presents the following options:

If you enable the Use Colubris access controller feature, only the following options
are available.

Refer to the sections that follow for complete descriptions of all VAP settings.

General

Name
Specify a name to identify the VAP.
Use Colubris access controller
Enable this option to have this profile use the services of a Colubris Networks access
controller for authentication and control of client sessions.
When enabled, all customer traffic is sent to the access controller defined on the
Security > Access controller page, and the Wireless Security Filters option is
enabled.

SSID

WLAN name (SSID)


Specify a name to uniquely identify the wireless network associated with this VAP. Each
client computer that wants to connect to this VAP must use this name. The name is
case-sensitive.

Maximum number of wireless clients (per radio)


Specify the maximum number of wireless client stations that can be associated with this
SSID at the same time on each radio.

DTIM count
Defines the DTIM period in the beacon. Client stations use the DTIM to wake up from
low-power mode to receive multicast traffic.
The MAP transmits a beacon every 100 ms. The DTIM counts down with each beacon
that is sent. Therefore, if the DTIM is set to 5, client stations in low-power mode will
wake up every 500 ms (0.5 second) to receive multicast traffic.

QoS priority mechanism


The MAP features a QoS implementation that provides a wide range of methods for
traffic prioritization. For complete details, see “Quality of service (QoS)” on page 52.

Permit traffic exchange between wireless clients


Use this option to control traffic exchange between wireless clients on the WLAN.
• No: Blocks all inter-client communications. Default setting.
• 802.1x: Only permits authenticated 802.1x clients to communicate.
• All: Select this option to allow wireless client stations (both authenticated and
unauthenticated) to exchange data with one another.
• IPV6: Select this option to allow authenticated wireless client stations that are using
IP version 6 to exchange data with one another.
When communicating between VAPs, the most restrictive setting takes precedence. For
example:
• If VAP1 is set to No and VAP2 is set to All, no wireless client on VAP 1 can
communicate with a wireless client on VAP 2. However, all wireless clients on VAP 2
can communicate with each other.
• If VAP1 is set to 802.1x and VAP2 set to All, only 802.1x clients can communicate
between the two VAPs.

Note: Unicast VLAN traffic going to a different VAP but on the same VLAN and radio will
be forwarded based on the setting of the VAP on which traffic arrives.
Note: Multicast traffic and traffic going to the other radios is forwarded based on the
setting of the VAP where traffic is going out. For example, if VAP 1 is set to All, then
multicast traffic can be sent to all other VAPs that are set to either 802.1x or All.

Minimum rate
Sets the minimum transmission rate that client stations must meet in order to connect
with this SSID. Client stations that are below this setting will not be able to connect to
this SSID.

Select the Lowest Available option to have the MAP automatically adjust the data rate
to its minimum setting based on the wireless mode being used.
If the SSID spans two radios, then this setting can only be used if both radios are
operating in the same wireless mode (a/b/g).

Maximum rate
Sets the maximum transmission rate that client stations must respect in order to connect
with this SSID. Client stations that attempt to associate at a higher data rate will be
refused.
Select the Highest Available option to have the MAP automatically adjust the data rate
to its maximum setting based on the wireless mode being used.
If the SSID spans two radios, then this setting can only be used if both radios are
operating in the same wireless mode (a/b/g).

Transmit/Receive on
Select the radio this SSID will operate on. The same SSID can be active on two radios
at the same time, even if they are operating in different wireless modes.

Broadcast WLAN name (SSID)


When this option is enabled, the MAP will broadcast its wireless network name (SSID)
to all client stations. Most wireless adapter cards have a setting that enables them to
automatically discover access points that broadcast their names and automatically
connect to the one with the strongest signal.
If you disable this option, client stations will have to specify the network name you enter
for WLAN name when they connect.

Advertise Tx power
When this option is enabled, the MAP will broadcast its current transmit power setting in
the wireless beacon.

Egress VLAN
Choose the VLAN that this profile forwards data traffic to. To add VLANs to the list, go to
the Networks > VLANs page.
If you choose the default option, traffic is sent untagged to the LAN port. Note, however,
that a VLAN may still be assigned on a per-customer basis via a setting in the
customer’s RADIUS account (if using RADIUS-based authentication). Also, a global
VLAN setting is available on the Network > Ports page which will tag all traffic sent on
port 1.
Important: Enabling this feature bypasses all security features that are active on the
MAP. Make sure that your VLAN has the appropriate security installed to protect access
to the network.
Important: If you are using 802.1x/WPA or MAC authentication, the MAP handles all
authentication tasks and must communicate with the RADIUS server or access
controller to validate login credentials. Therefore, the RADIUS server or access
controller must be reachable via the LAN ports.

Wireless security filters
The MAP features an intelligent bridge which can apply security filters to safeguard the
flow of wireless traffic.
The filters limit both incoming and outgoing traffic as defined below, and force the MAP
to exchange traffic with a specific upstream device.
• If Use Colubris access controller is enabled in the General box, then the default
security filters (defined below) are enabled and all traffic is sent to the access
controller defined on the Security > Access controller page.
Note: If you are using multiple VLANs, each with a different gateway, use the MAC
address option on the Security > Access controller page.
• If Use Colubris access controller is disabled in the General box, the security filters
are controlled by the settings in this box.

Restrict wireless traffic to


This setting defines the upstream device that the MAP will forward wireless traffic to.
• MAP’s default gateway: This sends traffic to the default gateway assigned to the MAP
on the Network > Ports page (via DHCP, PPPoE, or static). Wireless security filters
use the default definitions.
• MAC address: Specify the MAC address of the upstream device to forward all traffic
to. Wireless security filters use the default definitions.
• Custom: Lets you define custom security filters and address for the upstream device.
Refer to the section that follows for details.
Note: If you are using multiple VLANs, each with a different gateway, use the MAC
address option.

Default filter definitions


The following filter definitions are defined by default.
Incoming wireless traffic filters
Applies to traffic sent from wireless client stations to the MAP.
Accepted
• Any IP traffic addressed to the access controller.
• PPPoE traffic (The PPPoE server must be the upstream device.)
• IP broadcast packets, except NetBIOS
• Certain address management protocols (ARP, DHCP) regardless of their source
address.
• Any traffic addressed to the MAP, including 802.1x.
Blocked
• All other traffic is blocked. This includes NetBIOS traffic regardless of its source/
destination address. HTTPS traffic not addressed to the MAP (or upstream device) is
also blocked, which means wireless client stations cannot access the management
tool on other Colubris Networks products.

Outgoing wireless traffic filters


Applies to traffic sent from the MAP to wireless client stations.
Accepted
• Any IP traffic coming from the upstream device, except NetBIOS packets.
• PPPoE traffic from the upstream device.
• IP broadcast packets, except NetBIOS
• ARP and DHCP Offer and ACK packets.
• Any traffic coming from the MAP itself, including 802.1x.
Blocked
• All other traffic is blocked. This includes NetBIOS traffic regardless of its source/
destination address.

Custom
Use this option to define your own filters. To use the default filters as a starting point,
click Get Default Filters.
Filters are specified using standard pcap syntax with the addition of a few
Colubris-specific placeholders. These placeholders can be used to refer to specific
MAC addresses and are expanded by the MAP when the filter is activated. Once
expanded, the filter must respect the pcap syntax. The pcap syntax is documented in
the tcpdump man page: http://www.tcpdump.org/tcpdump_man.html
Placeholders
%a - MAC address of the access controller, as specified on the Security > Access
controller page.
%b - MAC address of the bridge.
%g - MAC address of the default gateway assigned to the MAP on the Network > Ports
page.
%w - MAC address of the wireless port.
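
The following added example (not Colubris code) sketches the expansion step in Python so that a custom filter can be checked before it is activated. The filter string and MAC addresses are constructed, and rejecting a placeholder whose setting is undefined is an assumption, not documented MAP behavior.

```python
import re

# Placeholder letters documented above, mapped to the setting each one names.
PLACEHOLDERS = {
    "a": "access controller",
    "b": "bridge",
    "g": "default gateway",
    "w": "wireless port",
}

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
# "%" followed by at most one character, so a stray trailing "%" is caught too.
TOKEN_RE = re.compile(r"%(.?)", re.S)


def placeholders_used(template):
    """Return the sorted placeholder letters a filter template depends on."""
    return sorted({m.group(1) for m in TOKEN_RE.finditer(template)})


def expand_filter(template, macs):
    """Replace every %x placeholder with the matching MAC address.

    macs maps a placeholder letter to a colon-separated MAC address.
    Raises ValueError for an unknown placeholder, a placeholder whose
    address is not configured, or a malformed address, so a filter that
    cannot become valid pcap syntax is rejected up front (assumption).
    """
    def substitute(match):
        letter = match.group(1)
        if letter not in PLACEHOLDERS:
            raise ValueError(f"unknown placeholder %{letter}")
        mac = (macs.get(letter) or "").lower()
        if not MAC_RE.match(mac):
            raise ValueError(
                f"%{letter} ({PLACEHOLDERS[letter]}) has no valid MAC address: {mac!r}"
            )
        return mac

    return TOKEN_RE.sub(substitute, template)


# Constructed sample: not the MAP's default filter definition.
SAMPLE_TEMPLATE = "ether dst %a or ether dst %w"
SAMPLE_MACS = {"a": "00:03:52:0A:0F:01", "w": "00:03:52:0a:0f:02"}

if __name__ == "__main__":
    print(placeholders_used(SAMPLE_TEMPLATE))
    print(expand_filter(SAMPLE_TEMPLATE, SAMPLE_MACS))
```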

Wireless protection
Select the type of protection you want to use for the wireless network created by the
VAP.
Important: 802.1x and WPA sessions are terminated by the MAP. This means that the
MAP handles all authentication tasks and must communicate with the RADIUS server or
access controller to validate login credentials. Therefore, the RADIUS server or access
controller must be reachable.

WPA
This option enables support for users with WPA client software.
Mode
Select the WPA mode that the MAP will use.
• WPA (TKIP) 1: WPA with TKIP encryption.
• WPA2 (AES/CCMP): WPA2 (802.11i) with CCMP encryption.
• WPA or WPA2: Mixed mode supports both WPA (version 1) and WPA2 (version 2) at
the same time.
Key source
This option determines how the TKIP keys are generated.

• RADIUS: The MAP obtains the MPPE key from the RADIUS server. This is a dynamic
key that changes each time the user logs in and is authenticated. The MPPE key is
used to generate the TKIP keys that encrypt the wireless data stream. Select the
appropriate RADIUS server.
• Preshared Key: The MAP uses the key you specify in the Key field to generate the
TKIP keys that encrypt the wireless data stream. Since this is a static key, it is not as
secure as the RADIUS option. Specify a key that is between 8 and 64 ASCII
characters in length. It is recommended that the preshared key be at least 20
characters long, and be a mix of letters and numbers.
RADIUS profile
Select the RADIUS profile the MAP will use to validate user logins. Select Access
Controller to forward authentication traffic to a Colubris Networks access controller.
Accounting
Enable this option to have the MAP generate a RADIUS accounting request ON/OFF for
each user authentication. The MAP respects the RADIUS interim-update-interval
attribute if present inside the RADIUS access accept of the authentication.
Mandatory authentication
Requires that all wireless client stations authenticate.

802.1x
This option enables support for users with 802.1x client software. The MAP supports
802.1x client software that uses EAP-TLS, EAP-TTLS, EAP-SIM, and PEAP.
Note: Colubris Networks recommends that you do not use 802.1x unless you enable
WEP encryption.
RADIUS profile
Select the RADIUS profile the MAP will use to validate user logins. Select Access
Controller to forward authentication traffic to a Colubris Networks access controller.
WEP encryption
Enable the use of dynamic WEP keys for all 802.1x sessions. Dynamic key rotation
occurs on key 1, which is the broadcast key. Key 0 is the pair-wise key. It is automatically
generated by the MAP.
Key length and key change interval are set in the Dynamic keys box.
Accounting
Enable this option to have the MAP generate a RADIUS accounting request ON/OFF for
each user authentication. The MAP respects the RADIUS interim-update-interval
attribute if present inside the RADIUS access accept of the authentication.
Mandatory authentication
Requires that all wireless client stations authenticate.

WEP
Key 1, 2, 3, 4
The number of characters you specify for a key determines the level of encryption the
MAP will provide.
• For 40-bit encryption, specify 5 ASCII characters or 10 HEX digits.
• For 128-bit encryption, specify 13 ASCII characters or 26 HEX digits.
When encryption is enabled, wireless stations that do not support encryption cannot
communicate with the MAP. The definition for each encryption key must be the same on
the MAP and all client stations. Keys must also be in the same position. For example, if
you are using key 3 to encrypt transmissions, then each client station must also define
key 3 to communicate with the MAP.

Note: Keys 2, 3, and 4 are supported only on the first VAP profile.
Transmission key
Select the key the MAP will use to encrypt transmitted data. All four keys are used to
decrypt received data.
Key format
Select the format you used to specify the encryption keys:
ASCII
ASCII keys are much weaker than carefully chosen HEX keys. You can include ASCII
characters between 32 and 126, inclusive, in the key. However, note that not all client
stations support non-alphanumeric characters such as spaces, punctuation, or special
symbols in the key.
HEX
Your keys should only include the following digits: 0-9, a-f, A-F
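
The key rules above (WEP key lengths and formats, and the preshared key limits under Key source) can be checked before a key is entered, as in this added Python example, which is not part of the original guide. It also puts a number on why ASCII keys are weaker than HEX keys; function names are illustrative, and treating a preshared key as printable ASCII is an assumption.

```python
import math
import string

HEX_DIGITS = set(string.hexdigits)   # 0-9, a-f, A-F
# (format, number of characters) -> encryption level as the guide names it
WEP_LEVELS = {("ascii", 5): 40, ("hex", 10): 40,
              ("ascii", 13): 128, ("hex", 26): 128}


def check_wep_key(key, key_format):
    """Return (level, max_entropy_bits) for a WEP key as it would be typed.

    level is the encryption level the guide associates with the key length.
    max_entropy_bits is an upper bound that assumes every character is drawn
    uniformly at random from the allowed set. For the 128-bit level the key
    itself carries 104 bits; the other 24 bits are the WEP initialization
    vector.
    """
    key_format = key_format.lower()
    if key_format == "ascii":
        if not all(32 <= ord(c) <= 126 for c in key):
            raise ValueError("ASCII keys may only use characters 32 to 126")
        alphabet_size = 95        # printable characters 32..126
    elif key_format == "hex":
        if not set(key) <= HEX_DIGITS:
            raise ValueError("HEX keys may only use 0-9, a-f, A-F")
        alphabet_size = 16
    else:
        raise ValueError("key format must be ASCII or HEX")
    level = WEP_LEVELS.get((key_format, len(key)))
    if level is None:
        raise ValueError(
            f"{len(key)} characters is not a valid {key_format.upper()} key length"
        )
    return level, round(len(key) * math.log2(alphabet_size), 1)


def check_psk(psk):
    """Return findings for a WPA preshared key; an empty list means the key
    meets the 8 to 64 character limit and both recommendations."""
    findings = []
    if not (psk.isascii() and psk.isprintable()):
        findings.append("error: not printable ASCII")
    if not 8 <= len(psk) <= 64:
        findings.append("error: length must be 8 to 64 characters")
    elif len(psk) < 20:
        findings.append("warning: shorter than the recommended 20 characters")
    has_letter = any(c.isalpha() for c in psk)
    has_digit = any(c.isdigit() for c in psk)
    if not (has_letter and has_digit):
        findings.append("warning: not a mix of letters and numbers")
    return findings


if __name__ == "__main__":
    # Constructed sample keys, for illustration only.
    print(check_wep_key("AbC12", "ASCII"))        # 5 ASCII characters
    print(check_wep_key("0123456789", "HEX"))     # 10 HEX digits
    print(check_psk("colubris"))
```

Even a perfectly random 5-character ASCII key stays below the 40 bits that 10 random HEX digits provide, and typed words fall far short of that bound.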

MAC-based authentication
When enabled, this option lets you control access to the MAP based on the MAC
address of client stations.
Important: When both this option and the MAC filtering option are enabled, the
following applies: if a customer’s MAC address does not appear in the MAC filtering list
then MAC-based authentication takes place for that customer.
RADIUS profile
When this option is enabled, the MAP will authenticate wireless stations using a
RADIUS server. Communication with the server is controlled via a RADIUS profile
defined on the Security > RADIUS page. Since each VAP profile is independently
configurable, it is possible to use a different RADIUS server for each one.
To successfully authenticate a client station, an account must be created on the
RADIUS server with both username and password set to the MAC address of the client
station.
The MAC address sent by the MAP in the RADIUS REQUEST packet for both
username and password is 12 hexadecimal digits, with the values “a” to “f” in
lowercase. For example: 0003520a0f01.
The RADIUS server will reply to the REQUEST with either an ACCEPT or REJECT
RADIUS RESPONSE packet. In the case of an ACCEPT, the RADIUS server can return
the session-timeout RADIUS attribute (if configured for the account). This attribute
indicates the amount of time, in seconds, that the authentication is valid for. When this
period expires, the MAP will re-authenticate the wireless station.
Accounting
Enable this option to have the MAP generate a RADIUS accounting request ON/OFF for
each user authentication. The MAP respects the RADIUS interim-update-interval
attribute if present inside the RADIUS access accept of the authentication.

MAC filter
Note: The MAC filter option is not available if Use Colubris access controller is
enabled under General.
When enabled, this option enables you to control access to the MAP based on the MAC
address of client stations. You can either block access or allow access, depending on
your requirements.
Note: When both the MAC filter option and the MAC-based authentication option
are enabled, if a customer’s MAC address does not appear in the MAC filtering list,
MAC-based authentication is used for that customer.
Specify the MAC address as six pairs of hexadecimal digits separated by colons. For
example: 00:03:52:0a:0f:01.

Filter behavior
• Allow: Only client stations whose MAC addresses appear in the MAC address list can
connect to the wireless network.
• Block: All client stations whose MAC addresses appear in the MAC address list are
blocked from accessing the wireless network.

IP filter
Note: The IP filter option is not available if Use Colubris access controller is enabled
under General.
The IP filter enables you to block wireless traffic on this profile based on its destination
address.
Specify the list of destination IP addresses that traffic will be accepted for. All other
traffic will be blocked. If the list is empty, then no wireless-to-wired LAN traffic is
permitted.
The IP filter does not block:
• DNS queries (i.e., TCP/UDP traffic on port 53)
• DHCP requests/responses
Examples
To only allow traffic addressed to a gateway at the address 192.168.130.1, define the
filter as follows:
• Address: 192.168.130.1
• Mask: 255.255.255.255
To only allow traffic addressed to the network 192.168.130.0, define the filter as follows:
• Address: 192.168.130.0
• Mask: 255.255.255.0
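
The following added Python example (not Colubris code) models the IP filter rules above so that an address/mask list can be reviewed before it is entered. It assumes the filter compares the masked destination with the masked list address and that DHCP uses its standard UDP ports 67 and 68; the packets are constructed samples.

```python
import ipaddress
from collections import namedtuple

# proto is "tcp" or "udp"; dport is the destination port.
Packet = namedtuple("Packet", "dst proto dport")


def to_int(dotted):
    """Dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def ip_filter_allows(packet, allowed):
    """Return True if wireless-to-wired traffic passes the IP filter.

    allowed is a list of (address, mask) pairs in dotted-decimal form.
    An empty list permits nothing except the DNS and DHCP exemptions.
    """
    if packet.proto in ("tcp", "udp") and packet.dport == 53:
        return True                                   # DNS queries
    if packet.proto == "udp" and packet.dport in (67, 68):
        return True                                   # DHCP requests/responses
    dst = to_int(packet.dst)
    return any(dst & to_int(mask) == to_int(address) & to_int(mask)
               for address, mask in allowed)


def filter_warnings(allowed):
    """Flag entries that are probably not what the administrator meant."""
    warnings = []
    for address, mask in allowed:
        addr, m = to_int(address), to_int(mask)
        inverted = ~m & 0xFFFFFFFF
        if inverted & (inverted + 1):
            warnings.append(f"{address}/{mask}: mask bits are not contiguous")
        elif m == 0:
            warnings.append(f"{address}/{mask}: matches every destination")
        elif addr & inverted:
            warnings.append(f"{address}/{mask}: address has bits set outside the mask")
    return warnings


# The two filters from the examples above.
GATEWAY_ONLY = [("192.168.130.1", "255.255.255.255")]
WHOLE_NETWORK = [("192.168.130.0", "255.255.255.0")]

if __name__ == "__main__":
    web = Packet("192.168.130.7", "tcp", 443)
    print(ip_filter_allows(web, GATEWAY_ONLY))    # host other than the gateway
    print(ip_filter_allows(web, WHOLE_NETWORK))
    print(filter_warnings([("192.168.130.1", "255.255.255.0")]))
```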

Working with an access controller


In a public access deployment, a MAP generally uses the services of an access
controller—such as a Colubris Networks InCharge MultiService Controller—to manage
customer logins to the public access network.

[Figure: labels shown are Protected Network Resources, InMotion MultiService Controller, RADIUS server, and an access point marked PUBLIC WLAN.]

In most setups the access controller uses a RADIUS server to store customer accounts
and validate credentials.

Connecting to a Colubris access controller
By default, the MAP operates as a DHCP client. The access controller, operating as the
DHCP server, will assign itself as the MAP’s default gateway.
However, to successfully connect to the access controller, you must define settings as
follows:
1. Open the Security > Access controller page.

Note: If DHCP is not being used to set the default gateway address, you can specify the MAC
address of the access controller instead.

2. Set the shared secret that is defined on the access controller.


3. Click Save.
4. Open the Virtual AP > Profiles page.
5. Click the Colubris Networks profile to edit it.
6. In the General box, enable Use Colubris access controller.
7. Click Save.
The VAP is now set up to send all wireless traffic to the access controller. Security filters
are enabled by default to ensure that traffic is only exchanged with the access controller.

Using other access controllers
Instead of using a Colubris access controller, you can choose to send traffic to another
device (a VPN server, for example). In this case, you need to configure the following
settings on a per-VAP basis:
1. Open the Virtual AP > Profiles page.
2. Click the Colubris Networks profile to edit it.
3. In the Wireless security filters box, select MAC address and enter the address of
the access controller.

Customer authentication and access control


This manual uses the term customer to refer to any person or device that logs onto the
MAP.

Authentication methods
Customers can be authenticated in several ways as described in this section.

WPA/802.1x
The MAP provides full support for users with 802.1x or WPA1/WPA2 client software. The
MAP terminates the session and authenticates users via a Colubris Networks access
controller or RADIUS server. Another option is to use preshared keys (WPA only).
The MAP supports 802.1x client software that uses EAP-TLS, EAP-TTLS, and PEAP.
Dynamic key rotation is supported.
See page 24 for more information.
Note: Colubris Networks does not recommend that you use 802.1x without enabling
dynamic WEP encryption.

MAC-based authentication
The MAP can authenticate devices based on their MAC address. This is useful for
authenticating devices that do not have a web browser (cash registers or cell phones,
for example). These devices do not log in through the public access interface provided
by the access controller. Instead, as soon as the MAP sees their MAC address appear on
the network, the MAP attempts to authenticate them. MAC-based authentication can be
defined on a per-profile basis. See “MAC-based authentication” on page 26 for
more information.

Location-aware authentication
This option works when the MAP is used in conjunction with a Colubris Networks
access controller. This feature enables you to control logins to the public access
network based on the wireless access point a customer is connected to.
When a customer attempts to log in to the public access network, the access controller
sets the Called-Station-ID in the RADIUS access request to the MAC address of the
MAP wireless port the customer is associated with.
For more information, see the Administrator’s Guide for the access controller.
Important: This feature can only be used when the MAP is installed in conjunction with
a Colubris Networks access controller such as the InMotion™ family of MultiService
Controllers.
Important: This feature does not support 802.1x customers and devices using MAC-
based authentication.

Access control
Two input filters are available that enable you to control wireless access based on the IP or
MAC address of client stations. Both filters are configurable on a per-VAP basis.
For more information see:
• “MAC filter” on page 26
• “IP filter” on page 27

Using multiple authentication mechanisms
802.1x and MAC-based authentication are configurable on a per-VAP basis. Both
options can be enabled at the same time for added flexibility. When this occurs, the
result for 802.1x authentication takes precedence over the MAC authentication result. It
is therefore possible for a client station to be authenticated via MAC and then refused
via 802.1x, or refused by MAC and accepted by 802.1x.
An additional option is available that can be used to force all client stations to
authenticate via 802.1x. When active, even if a client station is authenticated via MAC,
the client station will be refused if it cannot authenticate via 802.1x.
Restriction
Both MAC and 802.1x authentication options can only be active at the same time on the
same VAP when the setting for wireless protection is:
• 802.1x with no encryption (WEP option disabled)
OR
• 802.1x with WEP encryption enabled and static keys enabled
Note: If you intend to only use dynamic keys, only 802.1x authentication is supported.
The following table illustrates the results for all authentication scenarios.

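Active authentication method    MAC result   802.1x result   Network access?
MAC                             Failure      -               No
MAC                             Success      -               Yes
802.1x Not Mandatory            -            Success         Yes
802.1x Not Mandatory            -            Failure         No
802.1x Not Mandatory            -            -               Yes
802.1x Mandatory                -            Failure         No
802.1x Mandatory                -            Success         Yes
802.1x Mandatory                -            -               No
MAC + 802.1x Not Mandatory      Failure      -               No
MAC + 802.1x Not Mandatory      Failure      Success         Yes
MAC + 802.1x Not Mandatory      Failure      Failure         No
MAC + 802.1x Not Mandatory      Success      Failure         No
MAC + 802.1x Not Mandatory      Success      -               Yes
MAC + 802.1x Not Mandatory      Success      Success         Yes
MAC + 802.1x Mandatory          Failure      -               No
MAC + 802.1x Mandatory          Failure      Success         Yes
MAC + 802.1x Mandatory          Failure      Failure         No
MAC + 802.1x Mandatory          Success      Failure         No
MAC + 802.1x Mandatory          Success      -               No
MAC + 802.1x Mandatory          Success      Success         Yes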


Example A:
MAC and 802.1x enabled, mandatory 802.1x authentication option disabled
Wireless clients are automatically authenticated by their MAC address.
• If MAC authentication succeeds, the client gains access. Next the client station can
initiate an 802.1x session, causing 802.1x authentication to take place. The result of
this authentication then takes precedence over the MAC authentication result.
• If MAC authentication fails, the client does not gain access but can still initiate an
802.1x session, causing 802.1x authentication to take place. If the result of this
authentication is successful, then the client gains access.
Example B
MAC and 802.1x enabled, mandatory 802.1x authentication option enabled
Wireless clients are automatically authenticated by their MAC address. If MAC
authentication succeeds they do not gain access until 802.1x authentication is
successful.
Example C
MAC disabled and 802.1x enabled, mandatory 802.1x authentication option disabled
Wireless clients automatically gain access to the network with no authentication
required. If the client starts an 802.1x session, authentication takes place. If the result
of this authentication is failure, then the client loses access to the network.
Example D
MAC disabled and 802.1x enabled, mandatory 802.1x authentication option enabled
Wireless clients only gain access to the network after being successfully
authenticated via an 802.1x session.
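
The table and Examples A to D reduce to one short rule. The following Python is an added example, not Colubris code, and its class and function names are this example's own. It checks the rule against all 20 table rows and lists, for each setting, the outcomes in which a station gets network access without ever passing 802.1x.

```python
from itertools import product
from typing import NamedTuple, Optional


class VapAuth(NamedTuple):
    """Per-VAP authentication settings (names are this example's own)."""
    mac: bool                 # MAC-based authentication enabled
    dot1x: bool               # 802.1x enabled
    mandatory: bool = False   # option that forces 802.1x for all stations


def network_access(cfg: VapAuth, mac_ok: Optional[bool],
                   dot1x_ok: Optional[bool]) -> bool:
    """True if the station ends up with network access.

    mac_ok / dot1x_ok: True = success, False = failure, None = the "-"
    of the table (method not active, or no 802.1x session started).
    """
    if not (cfg.mac or cfg.dot1x):
        raise ValueError("the table only covers VAPs with MAC and/or 802.1x active")
    if cfg.dot1x and dot1x_ok is not None:
        return dot1x_ok            # an 802.1x result overrides the MAC result
    if cfg.dot1x and cfg.mandatory:
        return False               # mandatory 802.1x and no 802.1x success
    if cfg.mac:
        return mac_ok is True      # only the MAC result is available
    return True                    # 802.1x optional, no session: open access


MAC_ONLY = VapAuth(mac=True, dot1x=False)
DOT1X_OPT = VapAuth(mac=False, dot1x=True)
DOT1X_MAND = VapAuth(mac=False, dot1x=True, mandatory=True)
BOTH_OPT = VapAuth(mac=True, dot1x=True)
BOTH_MAND = VapAuth(mac=True, dot1x=True, mandatory=True)

S, F, NA = True, False, None
# The 20 rows of the table: (settings, MAC result, 802.1x result, access?)
TABLE = [
    (MAC_ONLY, F, NA, False), (MAC_ONLY, S, NA, True),
    (DOT1X_OPT, NA, S, True), (DOT1X_OPT, NA, F, False), (DOT1X_OPT, NA, NA, True),
    (DOT1X_MAND, NA, F, False), (DOT1X_MAND, NA, S, True), (DOT1X_MAND, NA, NA, False),
    (BOTH_OPT, F, NA, False), (BOTH_OPT, F, S, True), (BOTH_OPT, F, F, False),
    (BOTH_OPT, S, F, False), (BOTH_OPT, S, NA, True), (BOTH_OPT, S, S, True),
    (BOTH_MAND, F, NA, False), (BOTH_MAND, F, S, True), (BOTH_MAND, F, F, False),
    (BOTH_MAND, S, F, False), (BOTH_MAND, S, NA, False), (BOTH_MAND, S, S, True),
]


def table_mismatches():
    """Rows where the rule above disagrees with the table (expected: none)."""
    return [row for row in TABLE if network_access(*row[:3]) != row[3]]


def access_without_dot1x(cfg: VapAuth):
    """Outcomes (mac_ok, dot1x_ok) that grant access with no 802.1x success."""
    mac_states = (S, F) if cfg.mac else (NA,)
    dot1x_states = (NA, S, F) if cfg.dot1x else (NA,)
    return [(m, d) for m, d in product(mac_states, dot1x_states)
            if d is not True and network_access(cfg, m, d)]


if __name__ == "__main__":
    assert not table_mismatches()
    for name, cfg in [("MAC only", MAC_ONLY),
                      ("802.1x not mandatory", DOT1X_OPT),
                      ("802.1x mandatory", DOT1X_MAND),
                      ("MAC + 802.1x not mandatory", BOTH_OPT),
                      ("MAC + 802.1x mandatory", BOTH_MAND)]:
        print(f"{name:28} access without 802.1x success: "
              f"{access_without_dot1x(cfg)}")
```

Only the two mandatory settings return an empty list, so they are the only ones in which every station with access has passed 802.1x.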


Wireless coverage
As a starting point for planning your setup, you can assume that the MAP provides a
wireless networking area, also called a wireless cell, of up to 300 feet (100 meters) in
radius at high power. However, before creating a permanent installation, you should
always perform a site survey to determine the optimum settings and location for the
MAP.

Wireless mode
The available wireless modes are determined by the wireless radio(s) installed in the
MAP, and may include:
• 802.11b: 11 Mbps in the 2.4 GHz frequency band.
• 802.11g: 54 Mbps in the 2.4 GHz frequency band.
• 802.11 b + g: 11 Mbps and 54 Mbps in the 2.4 GHz frequency band.
• 802.11a: 54 Mbps in the 5 GHz frequency band.

Factors limiting wireless coverage
Wireless coverage is affected by the following factors.

Radio power
More radio power means better signal quality and the ability to create bigger wireless
cells. However, cell size should generally not exceed the range of transmission
supported by client stations. If it does, client stations will be able to receive signals from
the access point, but they will not be able to reply, rendering the connection useless.
Also, when multiple access points are operating in an area, cell size needs to be
adjusted to reduce interference between units. The MAP provides an automatic power
control feature to address this challenge. See “Automatic power adjustment” on page 40
for details.
Note: Governmental regulations in different parts of the world determine the maximum
power output of the MAP’s radio.

Antenna configuration
Antennas play a large role in determining the shape of the wireless cell and
transmission distance. Consult the specifications for the antennas you are using to
determine how they affect wireless coverage.

Interference
Interference is caused by other access points or devices that operate in the same
frequency band as the MAP. This can substantially affect throughput. The MAP
provides advanced wireless configuration features to automatically eliminate this
problem. See “RF channel management” on page 40 for details.
In addition, the MAP provides several tools to diagnose interference problems as they
occur.
• Wireless > Neighborhood: This page provides detailed information on all wireless
access points operating in the immediate area so that you can effectively set your
operating frequency. It also makes it easy to find rogue access points. See
“Conducting a site survey” on page 38 for details.

• Status > Wireless: This page provides detailed information on packets sent and
received, transmission errors, and other low-level events. Consult the online help for
this page for recommendations on using this information to diagnose wireless
problems.
• Status > Client data rate matrix: This page lists the data rates for all connected
client stations. This makes it easy to determine if low-speed clients are affecting
network performance. You can use the Minimum rate option when defining a WLAN
profile to keep low-speed clients from connecting.
Important: Access points operating in the 2.4 GHz band may experience interference
from 2.4 GHz cordless phones and microwave ovens.

Physical characteristics of the location


To maximize coverage of the wireless cell, wireless access points are best installed in
an open area with as few obstructions as possible. Try to choose a location that is
central to the area being served.
Radio waves cannot penetrate metal; instead, they are reflected. This means that a
wireless access point is able to transmit through wood or plaster walls and closed
windows. However, the steel reinforcing found in concrete walls and floors may block
transmissions, or reduce signal quality by creating reflections. This can make it difficult
for a single unit to serve users on different floors in a concrete building. Such
installations will require a separate wireless access point on each floor.

Configuring overlapping wireless cells
Overlapping wireless cells are caused when two or more access points are within
transmission range of each other. This may be under your control (when setting up
multiple cells to cover a large location), or out of your control (when your neighbors set
up their own wireless networks). In either case, the problems you face are similar.
Note: On the MSC-330, the management tool does not allow you to configure the two
radios on overlapping channels.

Performance degradation and channel separation


When two wireless cells operating on the same frequency overlap, it can cause a
reduction in throughput in both cells. This occurs because a wireless station that is
attempting to transmit will defer (delay) its transmission if another station is currently
transmitting. On a network with many clients and a lot of traffic, this can severely affect
performance as stations defer multiple times before the channel becomes available. If a
station is forced to delay its transmission too many times, data may be lost.
Delays and lost transmissions can severely reduce throughput on a network. Use the
Wireless option on the Status menu to view this information on your network.
The following example shows two overlapping wireless cells operating on the same
frequency. Since both access points are within range of each other, the number of
deferred transmissions will be large.


[Figure: cell 1 and cell 2. Overlapping wireless cells can cause transmission delays.]

The solution to this problem is to set the two networks to different channels with as great
a separation as possible in their operating frequencies. This reduces cross-talk, and
enables client stations connected to each access point to transmit at the same time.

Choosing channels
For optimum performance when operating in 802.11b or 802.11g modes, choose a
frequency that differs from other wireless access points operating in neighboring cells
by at least 25 MHz.
Two channels with the minimum 25 MHz frequency separation will always perform
worse than two channels using the maximum separation. So it is always best to use the
greatest separation possible between overlapping networks.
Note: When operating in 802.11a mode, all channels are non-overlapping.
With the proliferation of wireless networks, it is very possible that the wireless cells of
access points outside your control may overlap your intended area of coverage. To
choose the best operating frequency, use the Wireless > Neighborhood page to
generate a list of all access points operating near you and their operating frequencies.
The set of available channels is automatically determined by the MAP based on the
Country setting you define on the Wi-Fi page, which means that the number of non-overlapping
channels available to you will also vary. This will affect how you set up your
multi-cell network.
Example
When operating in 802.11b mode, the MAP supports the following 14 channels in the
2.4 GHz band:

Channel  Frequency (MHz)    Channel  Frequency (MHz)
1        2412               8        2447
2        2417               9        2452
3        2422               10       2457
4        2427               11       2462
5        2432               12       2467
6        2437               13       2472
7        2442               14       2477

However, the number of channels available for use in a particular country is
determined by the regulations defined by the local governing body.


For example:

Region           Available channels
North America    1 to 11
Japan            1 to 14
Europe           1 to 13

Since the minimum recommended separation between overlapping channels is 25 MHz
(5 cells), the recommended maximum number of overlapping cells you can have in most
regions is three. For example:

North America            Europe                   Japan
• cell 1 on channel 1    • cell 1 on channel 1    • cell 1 on channel 1
• cell 2 on channel 6    • cell 2 on channel 7    • cell 2 on channel 7
• cell 3 on channel 11   • cell 3 on channel 13   • cell 3 on channel 14

In North America, you would create the following installation:

[Figure: cell 1 on channel 1, cell 2 on channel 6, cell 3 on channel 11. Reducing transmission delays by using different operating frequencies.]

However, it is possible to stagger your cells to reduce overlap and increase channel
separation. Consider the following:

[Figure: cells 1 to 4 in a row on channels 1, 6, 11 and 1, with three spans of 150 m (450 feet) marked. Using only three frequencies across multiple cells (North America).]
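
The 25 MHz rule can be applied mechanically to the channel list from a Wireless > Neighborhood scan. The following Python is an added example, not part of the MAP software; it covers the North America and Europe channel sets only, the function names are its own, and the four-cell input assumes that only adjacent cells in the row overlap.

```python
# Centre frequencies in MHz for channels 1-13, matching the table above.
FREQ_MHZ = {ch: 2412 + 5 * (ch - 1) for ch in range(1, 14)}
REGION_CHANNELS = {"North America": range(1, 12), "Europe": range(1, 14)}
MIN_SEPARATION_MHZ = 25


def separation_mhz(a, b):
    """Frequency distance between two channel numbers."""
    return abs(FREQ_MHZ[a] - FREQ_MHZ[b])


def pick_channel(region, neighbour_channels):
    """Pick the channel farthest from every neighbour seen in a site survey.

    Returns (channel, worst_case_separation_mhz, meets_25_mhz_minimum).
    Ties go to the lowest channel number.
    """
    allowed = REGION_CHANNELS[region]
    neighbours = set(neighbour_channels)
    unknown = neighbours - set(FREQ_MHZ)
    if unknown:
        raise ValueError(f"no frequency known for channel(s) {sorted(unknown)}")
    if not neighbours:
        return allowed[0], None, True   # nothing nearby: any channel will do

    def worst(ch):
        return min(separation_mhz(ch, n) for n in neighbours)

    best = max(allowed, key=lambda ch: (worst(ch), -ch))
    return best, worst(best), worst(best) >= MIN_SEPARATION_MHZ


def plan_violations(cell_channels, overlapping_pairs):
    """List (cell_a, cell_b, separation_mhz) for overlapping cells < 25 MHz apart."""
    found = []
    for a, b in overlapping_pairs:
        sep = separation_mhz(cell_channels[a], cell_channels[b])
        if sep < MIN_SEPARATION_MHZ:
            found.append((a, b, sep))
    return found


# Constructed input: the four-cell row described above.
ROW = {"cell 1": 1, "cell 2": 6, "cell 3": 11, "cell 4": 1}
ADJACENT = [("cell 1", "cell 2"), ("cell 2", "cell 3"), ("cell 3", "cell 4")]

if __name__ == "__main__":
    print(pick_channel("North America", [1, 6]))   # neighbours on 1 and 6
    print(pick_channel("North America", [3, 9]))   # no channel reaches 25 MHz
    print(plan_violations(ROW, ADJACENT))
```

When no channel reaches 25 MHz, as with neighbours on channels 3 and 9, the function still returns the least bad choice and sets the last field to False.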


This strategy can be expanded to cover an even larger area using three channels as
follows:

[Figure: two rows of cells. Cells 1 to 4 on channels 1, 6, 11 and 1; cells 5 to 8 on channels 11, 1, 6 and 11. Using three frequencies to cover a large area (North America).]

The areas in gray indicate where two cells using the same frequency overlap.
Distance between access points
In environments where the number of wireless frequencies is limited, it can be
beneficial to adjust the receiver sensitivity of the MAP. To make the adjustment, open
the Wireless > Radio(s) page.
For most installations, the Large setting should be used. However, if you are installing
multiple MAPs, and the channels available to you do not provide enough separation,
then reducing the receiver sensitivity can help you reduce the amount of crosstalk
between the MAPs.
Another benefit to using reduced settings is that it will improve roaming performance.
Client stations will switch between MAPs more frequently.
Note: The distance between access points option provides the best performance
benefit when client stations are equipped with wireless adapters that are configured with
the same setting. However, not all manufacturers support this feature.

Automatic power control


The MAP’s automatic power control feature enables it to dynamically adjust its
transmission power to avoid causing interference with neighboring Colubris Networks
access points.


Conducting a site survey
To discover the operating frequencies of other access points in your area, open the
Wireless > Neighborhood page. The MAP will automatically scan to find all active
access points. For example:

Note: If an access point is not broadcasting its name, the SSID is blank.
Monitor mode
The radio(s) in the MAP can be configured to operate in monitor mode (Wireless >
Radio(s) page). In this mode, both access point and wireless links functionality are
disabled. The MAP will receive all wireless transmissions, but will not broadcast.
Use this option for continuous scanning across all channels in all wireless modes
supported by the radio (a/b/g). See the results of the scans on the Wireless >
Neighborhood page.
This mode also enables 802.11 traffic to be traced when using the Tools > Network
trace command.

Identifying unauthorized access points
Improperly configured wireless access points can seriously compromise the security of
a corporate network. Therefore, it is important that they be identified as quickly as
possible.
The wireless neighborhood feature can be configured to automatically list all non-authorized
access points that are operating nearby.
To identify unauthorized access points, the MAP compares the MAC address of each
discovered access point against the list of authorized access points (which you must
define). If the discovered access point does not appear in the list, it is displayed in the
Unauthorized access points list.
List of authorized access points
The format of this file is XML. Each entry in the file is composed of two items: MAC
address and SSID. Each entry should appear on a new line. The easiest way to create
this file is to wait for a scan to complete, then open the list of all access points in Brief
format. Edit this list so that it contains only authorized access points and save it. Then,
specify the address of this file for the List of authorized access points parameter.


When you edit the Brief list you need to remove extra text that appears before and after
each MAC address. For example, if the brief list looks like this:
<?xml version='1.0'?>
<simple-ap-list>
# MAC SSID
00:03:52:07:f5:11 "AP_1"
00:03:52:07:f5:23 "AP_2"
00:03:52:07:f5:12 "AP_3"
</simple-ap-list>

Reformat the list to look like this:


00:03:52:07:f5:11 "AP_1"
00:03:52:07:f5:23 "AP_2"
00:03:52:07:f5:12 "AP_3"
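
The list clean-up and the MAC comparison described above can be reproduced off the device, for example to review a saved scan. The following Python is an added example, not the MAP's own code: the function names, the scan results and the 02:00:00 addresses are constructed, and the SSID-mismatch report goes beyond the MAC-only comparison this guide describes.

```python
import re

# Brief-format list as shown above (the three entries are the guide's sample).
BRIEF_LIST = """<?xml version='1.0'?>
<simple-ap-list>
# MAC SSID
00:03:52:07:f5:11 "AP_1"
00:03:52:07:f5:23 "AP_2"
00:03:52:07:f5:12 "AP_3"
</simple-ap-list>
"""

# One entry per line: MAC address, whitespace, quoted SSID (may be blank).
ENTRY = re.compile(r'^((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"(.*)"$')


def parse_ap_list(text):
    """Return {mac_lowercase: ssid} from a Brief or reformatted list.

    XML wrapper lines, '#' header lines and blank lines are skipped;
    anything else that is not a MAC "SSID" entry raises ValueError.
    """
    aps = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("<", "#")):
            continue
        match = ENTRY.match(stripped)
        if not match:
            raise ValueError(f"line {lineno}: not a MAC \"SSID\" entry: {line!r}")
        aps[match.group(1).lower()] = match.group(2)
    return aps


def to_authorized_file(aps):
    """Render the entries one per line, in the reformatted layout shown above."""
    return "".join(f'{mac} "{ssid}"\n' for mac, ssid in aps.items())


def classify(scan, authorized):
    """Compare scan results (mac, ssid) with the authorized list by MAC address.

    Returns (unauthorized, ssid_changed). ssid_changed lists authorized MACs
    seen with a different SSID, an extra check added by this example.
    """
    unauthorized, ssid_changed = [], []
    for mac, ssid in scan:
        key = mac.lower()
        if key not in authorized:
            unauthorized.append((key, ssid))
        elif authorized[key] != ssid:
            ssid_changed.append((key, ssid, authorized[key]))
    return unauthorized, ssid_changed


# Constructed scan results: two known APs, one known AP with a changed SSID,
# one unknown AP reusing an authorized SSID, one unknown AP with a blank SSID.
SAMPLE_SCAN = [
    ("00:03:52:07:F5:11", "AP_1"),
    ("00:03:52:07:f5:23", "AP_2"),
    ("00:03:52:07:f5:12", "Guest"),
    ("02:00:00:aa:bb:01", "AP_1"),
    ("02:00:00:aa:bb:02", ""),
]

if __name__ == "__main__":
    authorized = parse_ap_list(BRIEF_LIST)
    print(to_authorized_file(authorized), end="")
    rogue, changed = classify(SAMPLE_SCAN, authorized)
    print("unauthorized:", rogue)
    print("SSID changed:", changed)
```

Matching on the lower-cased MAC means an unknown access point that advertises an authorized SSID is still reported as unauthorized.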


RF channel management
The MAP provides several features for channel management.

Automatic channel selection
When enabled (on the Wireless > Radio(s) page), the MAP will automatically scan the
operating environment to find the channel with the best throughput. Scanning is done on
startup and at preset intervals.
Note: You cannot use Automatic channel selection when creating wireless links with
the radio. You must set the channel manually to ensure that it matches the radio on the
other side of the link.

Dynamic channel selection
RF characteristics in the operating environment can change as new devices are
introduced, modified, or removed. Therefore, when the autochannel option is enabled,
the MAP will automatically scan the RF environment at configurable intervals and adjust
the channel as required.
Note: Dynamic channel selection causes interruptions to voice calls when used on a
single radio. On dual-radio units, if the second radio is set to operate in Monitor mode,
scanning takes place on radio 2, so no interruptions on radio 1 occur.

DFS/TPC
The MAP supports Dynamic Frequency Selection (802.11h) and Transmit Power
Control (802.11d) for 802.11a for operation in European countries. These options are
automatically enabled as required.

Automatic power adjustment
The MAP features an auto power adjustment option. When enabled (Wireless >
Radio(s) page), the MAP will automatically scan the RF environment and adjust power
output to minimize interference with other access points.
This feature works best when the entire network uses only Colubris Networks access
points (as third-party products will not adjust their output power).

How it works
If co-channel interference is discovered, then all neighboring APs will shrink their cell
size to minimize the interference. The first step is to adjust the transmit power. If this
fails, then the next step is to increase the transmit power (if possible) to maximum and
change the minimum data rate to a higher value (802.11b will change from 1 Mbps to
2 Mbps, 802.11a/g will change from 6 Mbps up to 18 Mbps).
Note: The majority of clients will still transmit at maximum power so not all interference
can be eliminated.
Note: Some older wireless client cards may not support a data rate of 2 Mbps.

Service sensor
The service sensor enables the MAP to determine if access to the network or a
particular server is available. If not, the MAP automatically shuts off its radio transmitter,
taking down the wireless cell.


RF performance
Use the following features to help improve the performance of the wireless network.

Client station data rate limits
The MAP provides settings for controlling the minimum and maximum client data rates
per VAP. These rates are advertised in the 802.11 beacon, sent in response to wireless
probes, and specified in the negotiated rate of the association response.
The primary application for these settings is to enable performance optimization across
the wireless network. For example, if the minimum data rate is set to 6 Mbps, a client
with a weak signal (that may only be able to associate at 1 Mbps) is prevented from
doing so. If that same client were allowed to associate successfully, the overall
performance of the network would be degraded for all clients. By
preventing the association, clients with more powerful signals are able to perform at
their optimal capability.
The following two settings are available when you define an SSID for a VAP.
• Minimum rate: Sets the minimum transmission rate that client stations can use when
communicating with the VAP. Client stations that are operating at a rate that is slower
than this setting will be able to associate with the MAP but will not be able to send or
receive data. For example, if the minimum rate is set to 6 Mbps and a client is not
close enough to reach this rate, it will still see the MAP, but all transmissions will time
out.
Note: Increasing the minimum rate effectively reduces the cell size of the wireless network,
since as the distance from the MAP increases the data rate decreases.
Note: Some wireless client stations may refuse to associate with the MAP if the basic rates
for the current operating mode are not supported. For example, if the minimum data rate is set
to 6 Mbps for 802.11b, this is above the mandated basic rates of 1 and 2 Mbps, and may cause
some clients to refuse the association.
• Maximum rate: Sets the maximum transmission rate that client stations can use
when communicating with the VAP. Client stations that support higher rates will
negotiate this value as their limit when associating to the MAP.

Multicast rate limit
The MAP provides control of the multicast rate on a per-radio basis (on the Wireless >
Radio(s) page). By default, this is set to the lowest rate for the current wireless mode. If
there is a lot of multicast traffic on your network, raising the multicast rate can improve
throughput.
Note: If you raise the multicast rate, client stations that do not support the new rate will
not receive the multicast data.


Addressing
The MAP is a wireless bridge, which means that all its ports share the same IP address.
The address can be set statically or via DHCP on the Network > Ports page.

Default settings
By default, the MAP is configured as a DHCP client on both LAN ports. If no DHCP
server is found at startup, the MAP assigns the address 192.168.1.1 to all its ports.

DNS
When the MAP is configured to use the DHCP client, the MAP uses the DNS name
returned by the server. You can override this with static settings if required on the
Network > DNS page.


Layer 2 security
The MAP supports several layer 2 security schemes which can be enabled to protect
customer wireless traffic.

Session limits
Up to 255 user connections are supported when layer 2 security is active.

Authentication
The following table lists the available authentication options:

Protocol                 User authentication provided by
802.1x                   Access Controller, RADIUS server
WPA1/WPA2                Access Controller, RADIUS server
WPA (pre-shared keys)    None
WEP                      None

Security options
To enable multiple layer 2 options at the same time, each option must be assigned to its
own wireless profile.

WEP
Weaknesses in WEP’s cryptographic technology were exposed not long after it was
developed. However, it can still be of use in light-traffic, casual-use installations to deter
eavesdroppers. It is not recommended for corporate networks without enabling a VPN
security option (IPSec, PPTP, or L2TP).

802.1x
802.1x is an IEEE port-based authentication standard. It improves upon WEP by
providing two important enhancements: user authentication and unique keys with key
rotation.
• User authentication: Before a user gains access to the wireless network, they must
first log in. The login process is managed by 802.1x client software which must be
installed on the user’s computer. It communicates with the MAP, which in turn uses
the services of a RADIUS server to validate user login credentials.
• Unique keys with key rotation: Each user is assigned their own key by the RADIUS
server. Keys are automatically rotated (regenerated) at an interval configured on the
MAP.
To use 802.1x, wireless client stations must install 802.1x client software. The MAP
supports 802.1x clients using EAP-SIM, EAP-TLS, EAP-TTLS and PEAP. Dynamic
WEP encryption is supported.
Note: Colubris Networks does not recommend the use of 802.1x without enabling
dynamic WEP encryption.
Note: When 802.1x is active, the MAP can also be configured to accept connections
from stations using static WEP keys if required.


WPA1/WPA2
Wi-Fi Protected Access (WPA) is the Wi-Fi security standard that was developed to
replace WEP. It features improved data encryption and implements 802.1x to provide
user authentication.
WPA1 data encryption is handled by the Temporal Key Integrity Protocol (TKIP). It
addresses all known WEP weaknesses with a variety of important security
enhancements.
WPA2 provides AES/CCMP encryption for even stronger protection of the wireless data
stream.
Keys can be dynamically generated on a per-user basis at login via a RADIUS server. In
this case, user login information is also maintained on the RADIUS server. Key length
and key rotation interval are defined on the MAP.
WPA also features a special mode called Pre-Shared Keys. In this mode a single key is
defined for all user connections. This key is used for encryption only. This mode does
not provide user authentication (there is no username and password).
To use WPA, wireless client stations must install WPA client software.

Do not broadcast wireless network name
You can disable the broadcast of the wireless network name. This forces client stations
to provide the correct network name to connect to the MAP. By assigning a unique
name to the wireless network, you can block access by unauthorized computers.
This feature can be used to create backup operation of the network in case of
equipment failure. For example, you could install two MAPs, each operating on a
different channel, within close proximity of one another. Each MAP would communicate
with a different access controller. If one of the controllers goes down, the service sensor
will detect it and shut down the radio on the affected MAP. Client stations connected to
this MAP will automatically be transferred to the other MAP with no interruption in
service. This only works if both MAPs have the same SSID.
To set up the service sensor, open the Security > Access controller page.


Wireless bridging
The wireless bridging feature enables you to use the wireless radio to create point-to-
point wireless links to other access points.
Each MAP can support up to six wireless bridges, which can operate at the same time
as the network serving wireless customers.
See page 77 for a complete wireless bridging scenario.

RF extension
Wireless bridging provides an effective solution for extending wireless coverage in
situations where it is impractical or expensive to run cabling to a wireless access point.
In this scenario, the satellite access point is used to expand the coverage of the wireless
network.
In this configuration, both the MAP and the access controller (MSC-3200/3300) are
equipped with omnidirectional antennas, enabling them to deliver both access point
functionality and wireless bridging.

[Figure: an MSC-3200 or MSC-3300 linked to a MAP by a wireless bridge.]

When dual-radio units are used, the following setup is possible:

[Figure: an MSC-3300 linked to a MAP-330 by a wireless bridge, each unit also serving a public WLAN.]

• A directional antenna is installed on Radio 1 (main connector recommended) to
establish the wireless link. Wireless links are only supported on Radio 1.
• Omnidirectional antennas are installed on the Radio 2 to provide access point
functionality.


Building-to-building connections
The wireless bridging feature can also be used to create point-to-point links over longer
distances. In this scenario, two units create a wireless bridge between the networks in
two adjacent buildings. Each unit is equipped with a directional external antenna and is
within line of sight to make the connection. Customers are authenticated via the
RADIUS server.
Note: When a directional antenna is used to create a wireless link, only one antenna is
supported and the units cannot provide wireless access point functionality.

[Figure: Building A and Building B joined by a wireless bridge between two directional antennas. Labels: MAP, MSC-3200/MSC-3300, RADIUS server, and MAPs serving public WLANs.]

When dual-radio units are used, the following setup is possible:

[Figure: Building A and Building B joined by a wireless bridge between two directional antennas. Labels: MAP-330, MSC-3300, RADIUS server, and MAP-330 units serving public WLANs.]

• Each unit is equipped with a directional external antenna attached to Radio 1. (When
using an external antenna, it is recommended that you connect it to the MAIN
connector.)
• Radio 2 is equipped with an omnidirectional antenna to provide access point
functionality.
• The units are within line of sight.


Important
• All radios that are part of a link must be set to the same operating frequency and
channel. This means that the Automatic option cannot be used for Channel on the
Wireless > Radio page.
• If a single radio is used to provide both access point functionality and a wireless link,
bandwidth is shared by all bridged access points and all their associated client
stations.
• All wireless ports must be on the same subnet, with each port having a unique IP
address.
• If WEP is enabled, the same settings must be used on all access points.
• Although the MAP supports up to six wireless links, only one wireless link can be
defined between any two access points.
• If you establish a wireless link between two MAPs, or a MAP and a MultiService
Controller, then access to the management tool across the bridge is blocked.
• As soon as a wireless bridge link is established, the spanning tree protocol is enabled
on the link to provide proper routing of traffic.
• When using an external antenna (via a coax cable), it is recommended that you
connect it to the MAIN connector.

Setting up a wireless link
1. Open the Wireless > Wireless links page.
2. Click Wireless Link #1. The configuration page for the link opens.


3. In the Settings box, select Enabled.
4. If using a dual-radio product, set Transmit/receive to Radio 1.
5. Enable WEP Security, and specify 26 hexadecimal characters for the key.
6. In the Addressing box, specify the Remote MAC address. This is the MAC
address of the other access point.
7. Click Save.
8. Open the Wireless > Radio(s) page.
9. Set the Operating mode to Access point and Wireless links. (If using a dual-radio
product, make this setting on Radio 1.)
10. Set the Wireless mode to the same value as the other access point.
11. Set the Channel to the same value as the other access point. Do not use the
Automatic option.
12. Click Save.
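
A pre-flight check for the values entered in steps 5 to 11 on both units, as an added shell example that is not part of the guide or of the MAP software. The key=value layout, the helper names and all sample values are constructed for illustration; IP addressing is not checked.

```shell
#!/bin/sh
# Added example: compare the wireless link settings planned for two units
# before typing them into the management tool. All sample data is constructed.

# get CONFIG KEY: value of KEY in a block of key=value lines
get() { printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1; }

# upper TEXT: upper-case the hex letters so comparisons ignore case
upper() { printf '%s' "$1" | tr 'a-f' 'A-F'; }

# valid_wep_key KEY: true only for exactly 26 hexadecimal characters (step 5)
valid_wep_key() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 26 ]
}

# valid_mac MAC: true for six colon-separated hex octets
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# check_link CONFIG_A CONFIG_B: prints one line per problem, returns 1 if any
check_link() {
    cl_rc=0
    for cl_end in "$1" "$2"; do
        cl_name=$(get "$cl_end" name)
        if [ "$(get "$cl_end" channel)" = "Automatic" ]; then
            echo "$cl_name: Channel is Automatic; a link needs a fixed channel"
            cl_rc=1
        fi
        if ! valid_wep_key "$(get "$cl_end" wep_key)"; then
            echo "$cl_name: WEP key is not 26 hexadecimal characters"
            cl_rc=1
        fi
        if ! valid_mac "$(get "$cl_end" remote_mac)"; then
            echo "$cl_name: Remote MAC address is malformed"
            cl_rc=1
        fi
    done
    for cl_key in channel wireless_mode; do
        if [ "$(get "$1" "$cl_key")" != "$(get "$2" "$cl_key")" ]; then
            echo "$cl_key differs between the two units"
            cl_rc=1
        fi
    done
    # The key itself is never printed, only the fact that the two differ.
    if [ "$(upper "$(get "$1" wep_key)")" != "$(upper "$(get "$2" wep_key)")" ]; then
        echo "WEP key differs between the two units"
        cl_rc=1
    fi
    if [ "$(upper "$(get "$1" remote_mac)")" != "$(upper "$(get "$2" mac)")" ] ||
       [ "$(upper "$(get "$2" remote_mac)")" != "$(upper "$(get "$1" mac)")" ]; then
        echo "Remote MAC addresses do not point at each other"
        cl_rc=1
    fi
    return "$cl_rc"
}

# Constructed sample settings (locally administered MAC addresses).
UNIT_A='name=unit-a
mac=02:00:00:00:00:0A
remote_mac=02:00:00:00:00:0b
channel=6
wireless_mode=802.11g
wep_key=0123456789abcdef0123456789'

UNIT_B_GOOD='name=unit-b
mac=02:00:00:00:00:0B
remote_mac=02:00:00:00:00:0A
channel=6
wireless_mode=802.11g
wep_key=0123456789ABCDEF0123456789'

UNIT_B_BAD='name=unit-b
mac=02:00:00:00:00:0B
remote_mac=02:00:00:00:00:0A
channel=Automatic
wireless_mode=802.11g
wep_key=0123456789ABCDEF01234567'

check_link "$UNIT_A" "$UNIT_B_BAD" || true
```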

Performance adjustments
Once both units have been configured:
1. Open the Tools > Ping page on one unit and ping the other one to make sure that
the bridge is working.
2. Open the Status > Wireless page.
3. Using the SNR value in the Wireless bridging status box as a guide, adjust the
antennas to obtain the best possible value. A value greater than 20 is good. After
each change, allow a minimum of two minutes for the Link speed field to settle
down and report its new value.

Advanced settings
The following global settings are configurable on the Wireless > Wireless links page.

Ack distance
Fine tunes internal timeout settings to account for the distance that the link spans. For
normal operation, the MAP is optimized for links of less than 1 km.
Important: This is a global setting that applies to all wireless connections made with the
radio, not just for wireless links. Therefore, if you are also using the radio to serve local
wireless client stations, adjusting this setting may lower the performance for clients with
marginal signal strength or when interference is present. (Essentially, it means that if a
frame needs to be retransmitted it will take longer before the actual retransmit takes
place.)


Quality of service
The wireless bridging feature enables you to define a quality of service (QoS) setting
that will govern how traffic is sent on all wireless links. The same options are available
as on a per-VAP basis. For details, see “QoS priority mechanisms” on page 52.


VLAN support
The MAP provides a robust and flexible VLAN (802.1q) implementation. VLANs can be
defined on the LAN ports, as well as on wireless links. User traffic can be mapped to a
VLAN on a per-VAP basis, or on a per-user basis.
The following scenarios illustrate how to work with VLANs:
• “Scenario 2: Supporting public and private access with VLANs” on page 79.
• “Scenario 3: Segregating management traffic using VLANs” on page 83.
• “Scenario 2: Integrating into a segmented network” on page 95.
Important: MAPs cannot be daisy-chained when VLANs are in use.

Creating VLANs
To create a VLAN, do the following:
1. Open the Network > VLANs page. This presents a list of all defined VLANs. Initially
this list is empty.
2. Click Add New VLAN. This opens the VLAN Add/Edit page where you define the
characteristics of the VLAN.

Define the settings as follows:

General
• Port: Select the port that the VLAN is associated with.
• VLAN ID: Specify an ID for the VLAN (802.1q). The same VLAN ID can be
assigned to different ports to create a VLAN bridge across the ports. If the VLAN
is being assigned to an Ethernet port, you can also define a range of VLANs in the
form X-Y, where X and Y can be 1 to 1024. For example: 50-60
Note: An IP address cannot be assigned when you define a range of VLANs.
• VLAN name: Specify a name for the VLAN. This name is used to identify the
VLAN on the MAP and has no operational significance.
Assign IP address via
An IP address cannot be assigned when the VLAN ID is defined as a range.
• DHCP client: The VLAN obtains its IP address from a DHCP server on the same
VLAN.
• Static: Assign a static IP address and mask.
• None: No IP address is assigned.


Default VLAN
LAN port 1 can be configured with a default VLAN setting. Any outgoing traffic on port 1
that is not tagged with a VLAN ID will receive the default ID.
The default VLAN can be restricted to carry management traffic only. This includes:
• all traffic that is exchanged with the access controller
• all traffic exchanged with external RADIUS servers
• HTTPS sessions established by administrators to the management tool
• incoming/outgoing SNMP traffic
• DNS requests/replies

Assigning traffic to VLANs
Wireless traffic can be assigned to VLANs on a per-VAP or per-user basis.
Note: The VLAN assigned on a per-user basis always overrides the VLAN assigned by
a VAP (or the default VLAN). For example, a wireless station could be associated with a
VAP that is configured for VLAN 30, but after logging in, user-specific settings (retrieved
from a RADIUS server) could override this setting by assigning VLAN 40.

Per-VAP VLAN assignment


Each VAP can be mapped to its own VLAN. Wireless clients that connect to a VAP with
VLAN support are bridged to the appropriate VLAN. Address allocation and security
measures are the responsibility of the target network that the VLAN connects to.
Important: Per-SSID VLANs cannot have the same VLAN ID as the default VLAN ID.

Per-user VLAN assignment


VLANs can also be assigned on a per-customer basis by setting attributes in a
customer’s RADIUS account. The only restrictions are:
• A customer cannot be assigned to a VLAN that is already set as the default VLAN on
port 1 (Network > Ports page).
• A customer can only be assigned to a VLAN that is defined on the Network > VLANs
page.
• This can only be used for 802.1x client stations. MAC authentication does not support
this feature.
For details, see “Creating user profiles on the RADIUS server” on page 64.

VLAN bridging
If the same VLAN ID is assigned to more than one interface, the VLAN is bridged across
the interfaces.
For example: if you create three VLANs:
• Bridge_1 with ID =50, assigned to Port 1.
• Bridge_2 with ID =50, assigned to Port 2.
• Bridge_3 with ID =50, assigned to wireless link 1.
All VLAN traffic with ID 50 is now bridged across all these interfaces. If you create a VAP
and assign the Egress VLAN in it to any of these VLANs, output from the VAP can be
sent to destinations on any interface.


Quality of service (QoS)


The MAP features a QoS implementation that provides a wide range of methods for
traffic prioritization.
The QoS priority mechanisms are defined on a per-profile basis, enabling the MAP to
simultaneously support a variety of different mechanisms in a single access point.

Traffic queues
Four traffic queues are provided based on the WME standard. In order of priority, these
queues are:

Queue Description
1 Voice traffic
2 Video traffic
3 Best effort data traffic
4 Background data traffic

Each QoS priority mechanism maps traffic to one of the four traffic queues. Client
stations that do not support the QoS mechanism for the profile they are connected to
are always assigned to queue 3.
Important: Traffic delivery is based on strict priority (per the WME standard). Therefore,
if excessive traffic is present on queues 1 or 2, it will reduce the flow of traffic on queues
3 and 4.

SVP support
Spectralink Voice Protocol is an open standard for the prioritization of voice traffic on
wireless and wired LANs. The MAP prioritizes SVP traffic for all priority mechanisms
except VAP-based.

QoS priority mechanisms

802.1p
Traffic from 802.1p client stations is classified based on the VLAN priority field present
within the VLAN header. When this mechanism is selected, the MAP will advertise
802.1p capabilities, enabling 802.1p clients to associate and take advantage of them.
This setting has no effect on legacy clients.
Note: To support 802.1p, the wireless profile must have a VLAN assigned to it.

Queue   Traffic type (based on VLAN priority field)
1       SVP traffic
1       6, 7
2       4, 5
3       0, 2
3       Other traffic
4       1, 3

Triggered service powersave mode (Reverse polling)
The MAP supports the WME triggered service powersave mode. Wireless client
stations that support this mode can go into powersave mode and the MAP will buffer
traffic for them. When the client wakes up it notifies the MAP and traffic is then
forwarded.

VAP-based priority
The VAP-based priority mechanism is unique to Colubris Networks access points. It
allows a specific priority level to be specified for all traffic on a VAP. This enables client
stations without a QoS mechanism to set traffic priority by connecting to the appropriate
VAP.
If you enable a VAP-based priority mechanism, it takes precedence regardless of the
priority mechanism supported by associated client stations. For example, if you set
VAP-based low priority for a VAP, all devices that connect to the profile have their traffic
set at this priority.

Queue   Traffic type
1       Very High
2       High
3       Normal
4       Low


Differential services (diffserv)


Differential services is a method for defining IP traffic priority on a per-hop basis. The
Differential Service bits are defined in RFC2474 and are composed of the six most
significant bits of the IP TOS field. These bits define the class selector code points
which the MAP maps to the appropriate traffic queue.

Queue   Traffic type (based on binary value of Class Selector Codepoint)
1       SVP traffic
1       111000 (Network control)
1       110000 (Internetwork control)
1       101000 (Critical)
2       100000 (Flash override)
2       011000 (Flash)
3       010000 (Immediate)
3       001000 (Priority)
3       Other traffic
4       000000 (Routine)

TOS
The IP TOS (type of service) field can be used to mark prioritization or special handling
for IP packets.

Queue   Traffic type
1       SVP traffic
1       0x30, 0xE0, 0x88, 0xB8
2       0x28, 0xA0
3       0x08, 0x20
3       Non-TOS traffic
4       All other TOS traffic
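
The queue tables and the strict-priority rule above, as an added shell example that is not Colubris code: it shows that the same TOS byte can land in different queues depending on the mechanism set on the profile, and how a backlog drains under strict priority. It assumes DiffServ matches the six most significant bits exactly against the listed codepoints and that a TOS byte of 0x00 counts as non-TOS traffic; all function names are illustrative.

```shell
#!/bin/sh
# Added example: queue selection per priority mechanism, following the tables
# in this section. Assumptions (not stated in the guide): exact six-bit match
# for DiffServ, and TOS byte 0x00 treated as "Non-TOS traffic".

# queue_8021p PRIO: VLAN priority field (0-7) -> queue
queue_8021p() {
    case "$1" in
        6|7) echo 1 ;;
        4|5) echo 2 ;;
        0|2) echo 3 ;;
        1|3) echo 4 ;;
        *)   echo 3 ;;              # "Other traffic"
    esac
}

# queue_diffserv TOS: TOS byte (decimal or 0x hex) -> queue
queue_diffserv() {
    case "$(( ($1 & 0xFF) >> 2 ))" in
        56|48|40) echo 1 ;;         # 111000, 110000, 101000
        32|24)    echo 2 ;;         # 100000, 011000
        16|8)     echo 3 ;;         # 010000, 001000
        0)        echo 4 ;;         # 000000 (Routine)
        *)        echo 3 ;;         # "Other traffic"
    esac
}

# queue_tos TOS: TOS byte (decimal or 0x hex) -> queue
queue_tos() {
    case "$(( $1 & 0xFF ))" in
        48|224|136|184) echo 1 ;;   # 0x30, 0xE0, 0x88, 0xB8
        40|160)         echo 2 ;;   # 0x28, 0xA0
        8|32)           echo 3 ;;   # 0x08, 0x20
        0)              echo 3 ;;   # Non-TOS traffic (assumption above)
        *)              echo 4 ;;   # All other TOS traffic
    esac
}

# classify MECHANISM TOS PRIO SVP: SVP is yes or no
classify() {
    case "$1" in                    # VAP-based priority ignores all markings
        vap-very-high) echo 1; return ;;
        vap-high)      echo 2; return ;;
        vap-normal)    echo 3; return ;;
        vap-low)       echo 4; return ;;
    esac
    if [ "$4" = yes ]; then echo 1; return; fi   # SVP traffic goes to queue 1
    case "$1" in
        802.1p)   queue_8021p "$3" ;;
        diffserv) queue_diffserv "$2" ;;
        tos)      queue_tos "$2" ;;
        *)        echo 3 ;;         # station without the profile's mechanism
    esac
}

# transmit_order BUDGET QUEUE...: strict priority; returns the queues of the
# first BUDGET frames sent from a backlog listed in arrival order
transmit_order() {
    to_budget=$1; shift
    to_sent=""
    for to_q in 1 2 3 4; do
        for to_f in "$@"; do
            [ "$to_budget" -gt 0 ] || break 2
            if [ "$to_f" = "$to_q" ]; then
                to_sent="$to_sent$to_q "
                to_budget=$((to_budget - 1))
            fi
        done
    done
    echo "${to_sent% }"
}

# Constructed sample: the same TOS bytes as seen by three profile settings
for tos in 0x00 0x20 0xA0 0xB8 0xE0; do
    echo "TOS $tos: diffserv=$(classify diffserv $tos 0 no)" \
         "tos=$(classify tos $tos 0 no) vap-low=$(classify vap-low $tos 0 no)"
done
```

With a backlog of `3 1 4 2 1 3` and room for three frames, `transmit_order` sends only the queue 1 and queue 2 frames, which is the starvation effect the Important note describes.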

QoS example
In this example, a single MAP provides voice and data wireless support with different
QoS settings for guests and employees.

[Figure: one MAP on the corporate backbone with four profiles: SSID=Voice (QoS=Diffsrv), SSID=Video Conference (QoS=SSID-based High), SSID=Guest (QoS=SSID-based Low), SSID=Data (QoS=SSID-based Normal)]


Voice
This profile supports wireless phones using the DiffServ mechanism.
Video Conference
This profile supports high priority video traffic for video conferences.
Data
This profile is used by employees. It features a higher QoS setting than the guest profile.
Guest
Guests gain access via this profile. They get the lowest traffic priority to reserve
bandwidth for employees.


Firmware management
The firmware is special software that controls the operation of the MAP. Periodically,
Colubris Networks will make new versions of the firmware available. Firmware updates
can be handled manually, automatically, or with a tool like cURL.
Important: When a MAP is restarted it automatically initializes itself to the default
address 192.168.1.1 on all ports. If the DHCP client is enabled, it takes about 30
seconds after the restart for the DHCP client to request an address. Therefore, for a
short period of time after restarting, the MAP may conflict with another device on the
network. This will usually not be an issue. However, if you are using an automated tool
(like cURL) to update the configuration/firmware on several MAPs at the same time, you
may experience difficulties. It is recommended that you schedule your updates to occur
in succession, leaving a three minute interval between each device.
Important: When using the MAP in conjunction with an access controller you must: (1)
always upgrade the access controller before upgrading the MAP, (2) never load an
earlier firmware version on the MAP than is installed on the access controller.

Manual update
1. On the Maintenance menu, click Firmware updates.
2. In the Install firmware box, click the Browse button and select a firmware file.
3. Click Install.
Note: The MAP will automatically restart after the firmware has been installed to
activate it. This will disconnect all client stations. Once the MAP resumes operation, all
client stations will have to reconnect.
Note: Configuration settings are preserved during firmware upgrades.


Scheduled install
The MAP can automatically retrieve and install firmware from a local or remote URL. By
placing MAP firmware on a web or ftp server, you can automate the update process for
multiple units.
When the update process is triggered, the MAP retrieves the first few bytes of the
firmware file to determine if it is different than the active version. If different, the firmware
is downloaded and installed. Configuration settings are preserved. However, all
connections will be terminated forcing users to log in again.

Using cURL
It is possible to automate management tasks using a tool like cURL. cURL is a software
client that can be used to get/send files to/from a server using a number of different
protocols (HTTP, HTTPS, FTP, GOPHER, DICT, TELNET, LDAP or FILE).
cURL is designed to work without user interaction or any kind of interactivity. It is
available for Windows and LINUX at: http://curl.haxx.se/. You must use version 7.10 or
higher.
The following cURL commands illustrate how to update the firmware. The following
setup is assumed:
• IP address of the MAP’s Ethernet port is 24.28.15.22.
• Management access via the Ethernet port is enabled.
• Firmware is located in the file: MAP.CIM
These examples are non-secure (no certificates are used for authentication), but data
traffic is still encrypted.

Note: If you want to secure the connection with the MAP using certificates, you must
use the --cacert option to specify where the CA certificates are located on your
computer. This also requires that you specify the host name wireless.colubris.com
instead of using its IP address. The host name must be resolved either via a DNS server
or using the hosts file on your computer.

Uploading the firmware


1. Prepare the MAP to receive the login.
curl -s -k "https://24.28.15.22/home.asp"

2. Log in to the management interface.
curl -s -k --dump-header cookie.txt "https://24.28.15.22/goform/Logout" -d username=admin -d pw=admin

3. Prepare the MAP to receive the firmware update.
curl -s -k --cookie cookie.txt "https://24.28.15.22/script/firmware_init.asp"

4. Upload the firmware. Once the upload is complete the MAP will automatically
restart.
curl -s -k --cookie cookie.txt -F firmware=@MAP.CIM -F backup=Install "https://24.28.15.22/goform/ScriptUploadFirmware"


Configuration management
The configuration file contains all the settings that customize the operation of the MAP.
You can save and restore the configuration file manually, automatically, or with a tool like
cURL.
Configuration management can also be performed using the command line interface via
an SSH session. For details, see the Command Line Interface Reference Guide.
Important: When a MAP is restarted it automatically initializes itself to the default
address 192.168.1.1 on all ports. If the DHCP client is enabled, it takes about 30
seconds after the restart for the DHCP client to request an address. Therefore, for a
short period of time after restarting, the MAP may conflict with another device on the
network. This will usually not be an issue. However, if you are using an automated tool
(like cURL) to update the configuration/firmware on several MAPs at the same time, you
may experience difficulties. It is recommended that you schedule your updates to occur
in succession, leaving a three minute interval between each device.

Manual management
Use the Config file management option on the Maintenance menu to manage your
configuration file.

The following three options are available:

Backup configuration file
This option enables you to backup your configuration settings so they can be easily
restored in case of failure. This option is also used when you want to directly edit the
configuration file.
Reset configuration
Use this option to return the configuration of the MAP to its factory default settings.
Note: Resetting sets the administrator password to ‘admin’ and resets all configuration
settings.
Restore configuration file
Enables you to restore a configuration from a previously saved backup.


This feature enables you to maintain several configuration files with different settings,
which can be useful if you frequently need to alter the configuration of the MAP, or if you
are managing several MAPs from a central site.

Using cURL
It is possible to automate management tasks using a tool like cURL. cURL is a software
client that can be used to get/send files to/from a server using a number of different
protocols.
cURL is designed to work without user interaction or any kind of interactivity. It is
available for Windows and LINUX at: http://curl.haxx.se/. You must use version 7.9.8 or
higher.
The following cURL commands illustrate how to manage the configuration file. The
following setup is assumed:
• IP address of the MAP’s Internet port is 24.28.15.22.
• Management access to the Ethernet port is enabled.
• Configuration file is located in MAP.CFG.
These examples are non-secure (no certificates are used for authentication), but data
traffic is still encrypted.

Note: If you want to secure the connection with the MAP using certificates, you must
use the --cacert option to specify where the CA certificates are located on your
computer. This also requires that you specify the host name wireless.colubris.com
instead of using its IP address. The host name must be resolved either via a DNS server
or using the hosts file on your computer.

Uploading the configuration file


1. Prepare the MAP to receive the login.
curl -s -k "https://24.28.15.22/home.asp"

2. Log in to the management interface.
curl -s -k --dump-header cookie.txt "https://24.28.15.22/goform/Logout" -d username=admin -d pw=admin

3. Prepare the MAP to receive the configuration update.
curl -s -k --cookie cookie.txt "https://24.28.15.22/script/config_init.asp"

4. Upload the configuration file.
curl -s -k --cookie cookie.txt -F config=@MAP.CFG -F backup=Restore "https://24.28.15.22/goform/ScriptUploadConfig"

5. Reset the MAP to activate the new configuration.
curl -s -k --cookie cookie.txt "https://24.28.15.22/script/reset.asp"


Downloading the configuration file


1. Prepare the MAP to receive the login.
curl -s -k "https://24.28.15.22/home.asp"

2. Log in to the management interface.
curl -s -k --dump-header cookie.txt "https://24.28.15.22/goform/Logout" -d username=admin -d pw=admin

3. Prepare the configuration file for download.
curl -s -k --cookie cookie.txt "https://24.28.15.22/goform/FormBackupConfig" -d backup=Backup

4. Download the configuration file.
curl -s -k --cookie cookie.txt "https://24.28.15.22/download/config.cfg" -o config.cfg

5. Log out.
curl -s -k --cookie cookie.txt "https://24.28.15.22/goform/Logout" -d logout=Logout

Resetting the configuration to factory defaults


1. Prepare the MAP to receive the login.
curl -s -k "https://24.28.15.22/home.asp"

2. Log in to the management interface.
curl -s -k --dump-header cookie.txt "https://24.28.15.22/goform/Logout" -d username=admin -d pw=admin

3. Reset configuration to factory defaults.
curl -s -k --cookie cookie.txt "https://24.28.15.22/goform/ScriptResetFactory?reset=Reset+to+Factory+Default"

4. Reset the MAP to activate the new configuration.
curl -s -k --cookie cookie.txt "https://24.28.15.22/script/reset.asp"
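
The firmware and configuration upload procedures above, rewritten to follow the --cacert note and the three minute scheduling advice; this is an added shell example, not a script from the guide. The CA file path, the MAP_USER/MAP_PW variables, the function names and the use of curl's --resolve option (which needs a newer curl than the minimum version the guide names) are assumptions, and credentials are assumed to need no URL-encoding.

```shell
#!/bin/sh
# Added example (not from the guide): firmware and configuration uploads with
# the MAP's certificate verified (--cacert) instead of skipped (-k), run
# against several MAPs one after another.

MAP_HOST="wireless.colubris.com"   # name required by the guide's --cacert note
CA_FILE="${CA_FILE:-./map-ca.pem}" # assumption: where the CA certificate lives
MAP_USER="${MAP_USER:-admin}"
MAP_PW="${MAP_PW:-}"
DRY_RUN="${DRY_RUN:-1}"            # 1 prints each command, 0 runs it
SETTLE_SECONDS=180                 # the guide's three minute interval

# map_curl IP ARGS...: one verified request; --resolve pins MAP_HOST to this
# unit's address, replacing a per-unit hosts file entry
map_curl() {
    mc_ip=$1; shift
    set -- curl -sS --fail -o /dev/null --cacert "$CA_FILE" \
        --resolve "$MAP_HOST:443:$mc_ip" "$@"
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# push KIND IP FILE: KIND is firmware or config; endpoints are the guide's
push() {
    p_kind=$1 p_ip=$2 p_file=$3
    p_base="https://$MAP_HOST" p_jar="cookie-$p_ip.txt" p_rc=0
    case "$p_kind" in
        firmware) p_init=firmware_init.asp p_form=ScriptUploadFirmware
                  p_action=Install ;;
        config)   p_init=config_init.asp p_form=ScriptUploadConfig
                  p_action=Restore ;;
        *) echo "unknown kind: $p_kind" >&2; return 2 ;;
    esac
    (
        umask 077                  # session cookie file readable by owner only
        map_curl "$p_ip" "$p_base/home.asp" &&
        # credentials go in on stdin, so they never appear in the process list
        printf 'username=%s&pw=%s' "$MAP_USER" "$MAP_PW" |
            map_curl "$p_ip" --dump-header "$p_jar" -d @- \
                "$p_base/goform/Logout" &&
        map_curl "$p_ip" --cookie "$p_jar" "$p_base/script/$p_init" &&
        map_curl "$p_ip" --cookie "$p_jar" -F "$p_kind=@$p_file" \
            -F "backup=$p_action" "$p_base/goform/$p_form" &&
        if [ "$p_kind" = config ]; then   # firmware installs restart by themselves
            map_curl "$p_ip" --cookie "$p_jar" "$p_base/script/reset.asp"
        fi
    ) || p_rc=$?
    rm -f "$p_jar"
    return "$p_rc"
}

# rollout KIND FILE IP...: one MAP at a time, pausing between units because a
# restarting MAP briefly answers on 192.168.1.1
rollout() {
    r_kind=$1 r_file=$2; shift 2
    if [ "$DRY_RUN" != 1 ] && [ -z "$MAP_PW" ]; then
        echo "set MAP_PW before a real run" >&2; return 2
    fi
    r_first=1
    for r_ip in "$@"; do
        if [ "$r_first" = 0 ]; then
            if [ "$DRY_RUN" = 1 ]; then echo "sleep $SETTLE_SECONDS"
            else sleep "$SETTLE_SECONDS"; fi
        fi
        r_first=0
        push "$r_kind" "$r_ip" "$r_file" || {
            echo "stopped: $r_kind upload failed on $r_ip" >&2; return 1; }
    done
    return 0
}

# Usage (script name is hypothetical):
#   DRY_RUN=0 MAP_PW=... sh map-rollout.sh firmware MAP.CIM 24.28.15.22
if [ "$#" -ge 3 ]; then rollout "$@"; fi
```

Run it first with the default DRY_RUN=1 to review the exact commands; a failed certificate check or HTTP error stops the rollout at that unit instead of continuing to the next one.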


Using a RADIUS server


This section explains how to make use of a RADIUS server for administrator
authentication and to authenticate and store accounting information for users
authenticated via MAC/WPA/802.1x when not working in conjunction with a Colubris
Networks access controller.
The minimum setup you must define to use a RADIUS server is as follows:
• Define RADIUS client settings for the MAP
Each MAP is considered to be a RADIUS client and you must define client settings on
the RADIUS server for each one that you intend to install.
• Create a RADIUS profile for one or more users
The user profile is required to authenticate users when they connect, and store
accounting information.
• (Optional) Create a RADIUS profile for one or more administrators
The administrator profile is used to authenticate an administrator when logging into
the management tool.

Creating a RADIUS client entry for the MAP
Any device that uses the authentication services of a RADIUS server is called a
RADIUS client (or RAS client on some systems). Therefore, each MAP is considered to
be a RADIUS client and you must define client settings on the RADIUS server for each
one that you intend to install.

Configuration settings
You may need to supply the following information when setting up a RADIUS client
entry:
• Client IP address: This is the IP address assigned to the MAP’s LAN ports.
• Shared secret: Secret the MAP will use to authenticate the packets it receives from
the RADIUS server.


Configuring the connection


To configure the connection to a RADIUS server, do the following:
1. Open the Security > RADIUS page.
2. Click Add New Profile. The RADIUS profiles configuration page opens.

3. Configure the parameters as described in the sections that follow.


4. Click Save, when you are done.

Profile name
Specify a name to identify the profile.

RADIUS profile settings


Authentication port
Specify the port to use for authentication. By default, RADIUS servers use port 1812.
Accounting port
Specify the port to use for accounting. By default, RADIUS servers use port 1813.
Retry interval
Controls the retry interval (in seconds) for access and accounting requests that time out.
If no reply is received within this interval, the MAP switches between the primary
and secondary RADIUS servers (if defined). If a reply is received after the interval
expires, it is ignored.
This parameter applies to access and accounting requests generated by the following:
• administrator logins to the management tool
• MAC-based authentication of devices
The maximum number of retries can be determined as follows:
• MAC-based and MAP authentication: Number of retries is infinite.
• 802.1x authentication: Retries are controlled by the 802.1x client software.


Authentication method
Choose the default authentication method the MAP will use when exchanging
authentication packets with the primary/secondary RADIUS server defined for this
profile.
For 802.1x users, the authentication method is always determined by the 802.1x client
software and is not controlled by this setting.
If traffic between the MAP and the RADIUS server is not protected by a VPN, it is
recommended that you use either EAP-MD5 or MSCHAP V2, if supported by your
RADIUS Server. (PAP, MSCHAP V1 and CHAP are less secure protocols.)
NAS Id
Specify the network access server ID you want to use for the MAP. By default, the serial
number of the MAP is used. The MAP includes the NAS-ID attribute in all packets that it
sends to the RADIUS server.
Always try primary server first
Set this option to force the MAP to contact the primary server first.
Otherwise, the MAP sends the first RADIUS access request to the last known RADIUS
server that replied to any previous RADIUS access request. If the request times out, the
next request is sent to the other RADIUS server if defined.
For example, assume that the primary RADIUS server was not reachable and that the
secondary server responded to the last RADIUS access request. When a new
authentication request is received, the MAP sends the first RADIUS access request to
the secondary RADIUS server.
If it does not reply, the RADIUS access request is retransmitted to the primary RADIUS
server. The MAP always alternates between the two servers, when configured.
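The server selection described above, modelled as a short simulation. This is an added example, not Colubris firmware code; the function name, the server labels, the starting point at the primary and the attempt cap are assumptions made for the model.

```python
def simulate_server_selection(outages, always_primary_first, max_attempts=4):
    """Model which RADIUS server answers each successive access request.

    outages: one set per authentication, naming the servers that are
             unreachable at that moment ("primary" and/or "secondary").
    Returns a list of (servers_tried_in_order, responder_or_None).
    """
    last_responder = "primary"   # assumption: nothing has replied yet, start at primary
    history = []
    for down in outages:
        # Option set: always start at the primary.
        # Option clear: start at whichever server replied last.
        first = "primary" if always_primary_first else last_responder
        other = "secondary" if first == "primary" else "primary"
        tried, responder = [], None
        for attempt in range(max_attempts):   # the cap exists only in this model
            server = first if attempt % 2 == 0 else other   # alternate after a timeout
            tried.append(server)
            if server not in down:
                responder = last_responder = server
                break
        history.append((tried, responder))
    return history


# Constructed timeline: the primary is down for two logins, then recovers.
TIMELINE = [{"primary"}, {"primary"}, set(), set()]

if __name__ == "__main__":
    for flag in (False, True):
        print("always try primary first =", flag)
        for tried, responder in simulate_server_selection(TIMELINE, flag):
            print("  tried", tried, "-> answered by", responder)
```

With the option clear, the model keeps sending requests to the secondary after the primary recovers, so authentication logs have to be collected from both servers.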

Primary RADIUS server


Server address
Specify the IP address of the RADIUS server.
Secret/Confirm secret
Specify the secret (password) that the MAP will use when communicating with the RADIUS
server. The shared secret is used to authenticate all packets exchanged with the server
to prove that they originate from a valid/trusted source.

Secondary RADIUS server


Server address
Specify the IP address of the RADIUS server.
Secret/Confirm secret
Specify the secret (password) that the MAP will use when communicating with the RADIUS
server. The shared secret is used to authenticate all packets exchanged with the server
to prove that they originate from a valid/trusted source.


Creating user profiles on the RADIUS server
You must create at least one RADIUS user profile. Multiple user accounts can be
associated with a single RADIUS profile.
Note: The maximum number of attributes the MAP can receive in one request is 4096
bytes.

Supported RADIUS attributes


This section presents all RADIUS and Colubris attributes that are supported for a
MAP profile. (Attributes starting with MS are Microsoft attributes and are not standard.)
The MAP supports the following RADIUS attributes when VAP-based 802.1x or MAC
authentication is enabled without using the services of a Colubris Networks access
controller. When an access controller is used, RADIUS attributes are supported as
defined in the administrator’s guide for the access controller.
Note: In the following definitions, strings are defined as 1 to 253 characters in length.
Colubris Networks vendor-specific attribute
The Colubris Networks vendor-specific attribute conforms to RADIUS RFC 2865.
You may need to define this attribute on your RADIUS server if it is not already present.
In this case, you need to specify the following:
• SMI network management private enterprise code = 8744
• Vendor-specific attribute type number = 0
• Attribute type = string
Access Request

Attribute    Web Admin    802.1x    MAC

Acct-Session-Id ■ ■
Called-Station-Id ■ ■
Calling-Station-Id ■ ■
EAP-Message ■ ■
Framed-MTU ■ ■
Message-Authenticator ■ ■ ■
NAS-Identifier ■ ■ ■
NAS-Ip-Address ■ ■
NAS-Port ■ ■ ■
NAS-Port-Type ■ ■ ■
Service-Type ■ ■ ■
State ■ ■
User-Name ■ ■ ■
User-Password ■
Colubris-AVPair (SSID) ■


Descriptions
• Acct-Session-Id (32-bit unsigned integer): Random value generated per
authentication by the MAP.
• Called-Station-Id (string): BSSID of the VAP used by a wireless client, or the MAC
address of the LAN port used by a wired client. By default, the MAC address is sent in
IEEE format. For example: 00-02-03-5E-32-1A. This can be changed on the Security
> 802.1x page.
• Calling-Station-Id (string): The MAC address of the 802.1x client station. By default,
the MAC address is sent in IEEE format. For example: 00-02-03-5E-32-1A. This can
be changed on the Security > 802.1x page.
• Framed-MTU (32-bit unsigned integer): Hard-coded value of 1496.
• Message-Authenticator (string): As defined in RFC 2869. Always present even when
not doing an EAP authentication. Length = 16 bytes.
• NAS-Identifier (string): The NAS ID set on the Security > RADIUS page for the
RADIUS profile being used.
• NAS-Ip-Address (32-bit unsigned integer): The IP address of the port the MAP is using
to communicate with the RADIUS server.
• NAS-Port (32-bit unsigned integer): A virtual port number starting at 1. Assigned by
the MAP. For 802.1x, this field is always set to 0.
• NAS-Port-Type (32-bit unsigned integer): Always set to 19, which represents
WIRELESS_802_11.
• Service-Type (32-bit unsigned integer): Set to Framed-User.
• State (string): As defined in RFC 2865.
• User-Name (string): The username assigned to the user or, if MAC authentication is
enabled, the MAC address of the wireless client station.

The following attributes are mutually exclusive depending on the RADIUS authentication
method.
• User-Password (string): The password supplied by a user or device when logging in.
Encoded as defined in RFC 2865. Only present when the authentication scheme on
the Security > RADIUS > Profile 1 page is set to PAP/SecurID. If MAC authentication
is enabled, this is the MAC address of the wireless client station.
• EAP-Message (string): As defined in RFC 2869. Only present when the
authentication scheme on the Security > RADIUS > Profile 1 page is set to EAP-MD5.

• Colubris-AVPair (SSID): SSID that the customer is associated with.
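How the shared secret authenticates an Access-Request through Message-Authenticator, and how the Colubris vendor-specific attribute (enterprise code 8744, type 0, string) sits on the wire, shown as an added example that is not Colubris code. The secret, NAS ID, fixed request authenticator and the "ssid=Public" value format are constructed assumptions; the MAC address is the guide's own example.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
VENDOR_SPECIFIC = 26          # RFC 2865
MESSAGE_AUTHENTICATOR = 80    # RFC 2869
COLUBRIS_VENDOR_ID = 8744     # SMI private enterprise code given in this guide
COLUBRIS_AVPAIR = 0           # vendor-specific attribute type number given in this guide


def attr(attr_type, value):
    """Encode one attribute: type, length (header included), value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1 to 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def colubris_avpair(text):
    """Wrap a string in a Vendor-Specific attribute for enterprise 8744, type 0."""
    data = text.encode()
    return attr(VENDOR_SPECIFIC,
                struct.pack("!IBB", COLUBRIS_VENDOR_ID, COLUBRIS_AVPAIR, len(data) + 2) + data)


def build_access_request(identifier, request_authenticator, attributes, secret):
    """Assemble an Access-Request and sign it with Message-Authenticator."""
    body = b"".join(attributes) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = bytearray(struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
                       + request_authenticator + body)
    # HMAC-MD5 over the whole packet with the 16-byte field zeroed (RFC 2869).
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def parse_attributes(packet):
    """Return [(type, value, value_offset)], rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the datagram")
    out, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        out.append((a_type, packet[pos + 2:pos + a_len], pos + 2))
        pos += a_len
    return out


def verify_message_authenticator(packet, secret):
    """True only if exactly one 16-byte Message-Authenticator matches the secret."""
    try:
        found = [(v, off) for t, v, off in parse_attributes(packet)
                 if t == MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0][0]) != 16:
        return False
    received, offset = found[0]
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = bytearray(packet[:length])
    zeroed[offset:offset + 16] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def colubris_avpairs(packet):
    """Decode every Colubris-AVPair string carried in the packet."""
    values = []
    for a_type, value, _ in parse_attributes(packet):
        if a_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, v_type, v_len = struct.unpack("!IBB", value[:6])
            if (vendor, v_type, v_len) == (COLUBRIS_VENDOR_ID, COLUBRIS_AVPAIR, len(value) - 4):
                values.append(value[6:].decode("utf-8", "replace"))
    return values


# Constructed sample: a MAC-authentication request using the guide's example MAC.
SECRET = b"constructed-shared-secret"
SAMPLE = build_access_request(
    identifier=7,
    request_authenticator=bytes(range(16)),   # fixed here; random on a real NAS
    attributes=[
        attr(1, b"00-02-03-5E-32-1A"),         # User-Name (client MAC)
        attr(32, b"constructed-nas-id"),       # NAS-Identifier
        attr(61, struct.pack("!I", 19)),       # NAS-Port-Type = 19
        attr(12, struct.pack("!I", 1496)),     # Framed-MTU = 1496
        colubris_avpair("ssid=Public"),        # value format is an assumption
    ],
    secret=SECRET)
```

A receiver that runs `verify_message_authenticator` before acting on any attribute rejects packets signed with a different secret, altered in transit, or truncated.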


Access Accept

Attribute    Web Admin    802.1x    MAC

Class ■
EAP-Message ■
MS-MPPE-Recv-Key ■
MS-MPPE-Send-Key ■
Session-Timeout ■ ■
Termination-Action ■ ■
Tunnel-Medium-Type ■
Tunnel-Private-Group-ID ■
Tunnel-Type ■

Descriptions
• Class (string): As defined in RFC 2865. Multiple instances are supported.
• EAP-Message (string): Note that the content will not be read as the RADIUS Access
Accept overrides whatever indication is contained inside this packet.
• MS-MPPE-Recv-Key: As defined by RFC 3078.
• MS-MPPE-Send-Key: As defined by RFC 3078.
• Session-Timeout (32-bit unsigned integer): Maximum time a session can be active.
After this interval, the 802.1x client is re-authenticated.
• Termination-Action: As defined by RFC 2865. If set to 1, customer traffic is not allowed
during the 802.1x re-authentication.
• Tunnel-Medium-Type: Only used when assigning a specific VLAN number to a
customer. In this case it must be set to 802.
• Tunnel-Private-Group-ID: Only used when assigning a specific VLAN number to a
customer. In this case it must be set to the VLAN ID.
• Tunnel-Type: Only used when assigning a specific VLAN number to a customer. In
this case it must be set to VLAN.

Access Reject
None.


Access Challenge

Attribute    Web Admin    802.1x    MAC

EAP-Message ■
Message-Authenticator ■
State ■

Descriptions
• EAP-Message (string): As defined in RFC 2869.
• Message-Authenticator (string): As defined in RFC 2869. Always present even when
not doing an EAP authentication. Length = 16 bytes.
• State (string): As defined in RFC 2865.

Accounting request

Attribute    Web Admin    802.1x    MAC

Acct-Session-Id ■ ■
Acct-Session-Time ■
Acct-Status-Type ■ ■
Called-Station-Id ■ ■
Calling-Station-Id ■ ■
Class ■ ■
Framed-MTU ■
NAS-Identifier ■ ■
NAS-Port ■ ■
NAS-Port-Type ■ ■
User-Name ■ ■
Colubris-AVPair (SSID) ■


Descriptions
• Acct-Session-Id (32-bit unsigned integer): Random value generated by the MAP.
• Acct-Session-Time (32-bit unsigned integer): Number of seconds since this session
was authenticated.
• Acct-Status-Type (32-bit unsigned integer): Supported values are Accounting-On (7)
and Accounting-Off (8).
• Called-Station-Id (string): BSSID of the wireless client, or the MAC address of the
LAN port used by a wired client. By default, the MAC address is sent in IEEE format.
For example: 00-02-03-5E-32-1A. This can be changed on the Security > 802.1x
page.
• Calling-Station-Id (string): The MAC address of the 802.1x client station. By default,
the MAC address is sent in IEEE format. For example: 00-02-03-5E-32-1A. This can
be changed on the Security > 802.1x page.
• Class (string): As defined in RFC 2865. Multiple instances are supported.
• Framed-MTU (32-bit unsigned integer): Hard-coded value of 1496. The value is
always four bytes lower than the wireless MTU maximum, which is 1500 bytes, in order
to support IEEE 802.1x authentication.
• NAS-Identifier (string): The NAS ID set on the Security > RADIUS page for the profile
being used.
• NAS-Port (32-bit unsigned integer): Always 0.
• NAS-Port-Type (32-bit unsigned integer): Always set to 19, which represents
WIRELESS_802_11.
• User-Name (string): The RADIUS username provided by the 802.1x client.
• Colubris-AVPair (SSID): SSID that the customer is associated with.
Accounting response
None.


Creating administrator profiles on the RADIUS server
If you want to support multiple administrator names and passwords, you must use a
RADIUS server to manage them. The MAP only supports a single admin name and
password internally.
Important: Improper configuration of the administrator profile could expose the MAP to
access by any user with a valid account. The only thing that distinguishes an
administrative account from that of a standard user account is the setting of the service
type. Make sure that a user is not granted access if service type is not Administrative.

Supported RADIUS attributes


Following are supported RADIUS attributes.
Access Request
• User-Name (string): The username assigned to the user or a device when using MAC
authentication.
• NAS-Identifier (string): The NAS ID set on the Security > RADIUS page for the profile
being used.
• Service-Type (32-bit unsigned integer): As defined in RFC 2865. Set to a value of 6,
which indicates SERVICE_TYPE_ADMINISTRATIVE.
• Framed-MTU (32-bit unsigned integer): Hard-coded value of 1496.
• MSCHAP-Challenge (string): As defined in RFC 2433. Only present when the
authentication scheme on the Security > RADIUS page is set to MSCHAPv1 or
MSCHAPv2. Length = 8 bytes.
• MSCHAP-Response (string): As defined in RFC 2433. Only present when the
authentication scheme on the Security > RADIUS page is set to MSCHAPv1. Length
= 49 bytes.
Access Accept
None.
Access Reject
None.
Access Challenge
None.
Accounting Request
None.
Accounting Response
None.
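The Important note above, shown as a RADIUS-side policy check with the misconfigured decision beside the corrected one. This is an added example, not Colubris or RADIUS server code; the account names, the "credentials_ok" flag standing in for password verification, and the function names are assumptions.

```python
SERVICE_TYPE_FRAMED_USER = 2      # RFC 2865
SERVICE_TYPE_ADMINISTRATIVE = 6   # sent by the MAP for management tool logins

# Constructed account store: the service type each account is provisioned with.
ACCOUNTS = {
    "netadmin": SERVICE_TYPE_ADMINISTRATIVE,
    "guest42": SERVICE_TYPE_FRAMED_USER,
}


def weak_policy(request, accounts):
    """Misconfiguration from the warning: any valid account is accepted."""
    known = request.get("User-Name") in accounts
    return "Access-Accept" if known and request.get("credentials_ok") else "Access-Reject"


def hardened_policy(request, accounts):
    """Accept only when the requested Service-Type matches the account's."""
    user = request.get("User-Name")
    if user not in accounts or not request.get("credentials_ok"):
        return "Access-Reject"
    requested = request.get("Service-Type")
    if requested is None or requested != accounts[user]:
        return "Access-Reject"   # standard user asking for an admin session, or no type sent
    return "Access-Accept"


def privilege_gaps(requests, accounts, policy):
    """Users a policy would admit to the management tool without an admin account."""
    return sorted({
        r.get("User-Name") for r in requests
        if r.get("Service-Type") == SERVICE_TYPE_ADMINISTRATIVE
        and policy(r, accounts) == "Access-Accept"
        and accounts.get(r.get("User-Name")) != SERVICE_TYPE_ADMINISTRATIVE
    })


# Constructed management tool login attempts. "credentials_ok" stands in for the
# PAP/MSCHAP verification result, which is outside this example.
ADMIN_LOGINS = [
    {"User-Name": "netadmin", "Service-Type": 6, "credentials_ok": True},
    {"User-Name": "guest42", "Service-Type": 6, "credentials_ok": True},
    {"User-Name": "guest42", "Service-Type": 6, "credentials_ok": False},
]

if __name__ == "__main__":
    print("weak policy admits:", privilege_gaps(ADMIN_LOGINS, ACCOUNTS, weak_policy))
    print("hardened policy admits:", privilege_gaps(ADMIN_LOGINS, ACCOUNTS, hardened_policy))
```

Running the same set of test logins against the real RADIUS server after every policy change catches the case where a standard account is accepted for Service-Type 6.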


Chapter 3
Public access scenarios
This chapter provides sample deployment strategies for common
scenarios. These scenarios will give you a good idea of how to
approach your installation.

In this chapter
The following scenarios are provided in this chapter.

• Scenario 1a: Public access network with roaming
• Scenario 1b: Adding layer 2 security
• Scenario 1c: Adding wireless bridging
• Scenario 2: Supporting public and private access with VLANs
• Scenario 3: Segregating management traffic using VLANs
• Scenario 4: Remote management


Scenario 1a: Public access network with roaming


The MAP can be used to extend the reach of the public access network created by an
InMotion MultiService Controller.

How it works
In this scenario several MAPs are connected to an InMotion MultiService Controller
(MSC-3200/3300) via a backbone LAN to provide wireless cells for a public access
network. Customers can roam between access points without losing their connections
to the public access network.
Each MAP is configured as a DHCP client and obtains its address from the
MSC-3200/3300, which is configured as the DHCP server.
The MultiService Controller handles all customer logins by using the services of a
RADIUS server installed at a remote network operating center.

[Figure: network diagram. Labels: Network Operating Center (SMTP server, Firewall, Web/FTP server, VPN server, RADIUS server, Management station), LAN, MSC-3200/MSC-3300, MAP, PUBLIC WLAN.]

Configuration roadmap
Note: This scenario assumes that the MSC-3300 is properly installed and configured.

Install the MAPs
1. Install the MAPs as described in Chapter 1.
2. Before you connect each unit to the LAN, start the management tool and configure
each unit as described in the sections that follow.

Configure the wireless network


By default the MAP is configured to:
• automatically choose the best operating frequency
• create a wireless network named “Colubris Networks”
There is no need to change these settings for this scenario.


Note: By default, one radio on the MAP-330 is used to provide the wireless network and
the other is placed into Monitor mode (page 38).

Configure the connection to the access controller


Virtual AP > Profiles
1. Click the Colubris Networks profile to edit it.
2. In the General box, enable Use Colubris access controller.
Security > Access controller
1. By default, the MAP is set up to use the default gateway assigned by DHCP as the
access controller. Do not change this setting.
2. Set the Access controller shared secret to match the one set on the
MSC-3200/3300.


Scenario 1b: Adding layer 2 security


This scenario adds support for 802.1x and WPA clients to Scenario 1a.
Enabling support for 802.1x and WPA lets customers protect their wireless
transmissions against eavesdropping.

How it works
In this scenario three VAPs are created on each MAP. Each VAP provides support for a
different security option: 802.1x, WPA, and none.
To connect with the wireless network, customers must choose the SSID of the VAP that
matches the option that they want to use. Roaming is supported since all VAPs are
defined on all access points.

[Figure: network diagram. Labels: Network Operating Center (SMTP server, Firewall, Web/FTP server, VPN server, RADIUS server, Management station), LAN, MSC-3200/MSC-3300, MAP, and on each access point the SSIDs WPA, None and 8021x.]

Configuration roadmap
Configure the VAPs
Virtual AP > Profiles
Define the following three profiles on all MAPs.
None
• In the General box, enable Use Colubris access controller.
• In the SSID box, set WLAN name to None.


WPA
• In the General box, enable Use Colubris access controller.
• In the SSID box, set WLAN name to WPA.
• In the Wireless protection box:
  • Enable WPA.
  • Set Mode to Mixed.
  • Set Key source protection to RADIUS.
8021x
• In the SSID box, set WLAN name to 8021x.
• In the Wireless protection box:
  • Enable 802.1x.
  • Enable the WEP encryption option.

Configure the MSC-3200/3300


Create a RADIUS profile
Add a RADIUS profile to communicate with the RADIUS server. Configure it as follows:
1. Click Add New Profile.
2. In the Profile name box, assign the name RADIUS1.
3. In the Settings box, use the defaults except for Authentication method which must
match the method supported by the corporate RADIUS server.
4. In the Primary RADIUS server box, specify the address of the RADIUS server and
the secret the MSC-3200/3300 will use.
Define VAPs
Define matching VAP profiles on the MSC-3200/3300 for each VAP configured on the
MAPs. Set the VAPs as follows:
None
• Set the SSID to None
• In the VAP ingress mapping box, select SSID.
• In the VAP egress mapping box, select Internet port.
• Enable HTML-based user logins.
8021x
• Set the SSID to 8021x.
• In the VAP ingress mapping box, select SSID.
• In the VAP egress mapping box, select Internet port.
• Enable 802.1x authentication and select RADIUS1.
WPA
• Set the SSID to WPA
• In the VAP ingress mapping box, select SSID.
• In the VAP egress mapping box, select Internet port.
• Enable WPA authentication and select RADIUS1.


Scenario 1c: Adding wireless bridging


This scenario extends the wireless network in Scenario 1b using the wireless bridging
feature.
The MAP can create a wireless bridge to other units enabling you to extend the reach of
the wireless network without running cable.

How it works
In this scenario, a new MAP (unit B in the diagram) is added to the network and
connected to the MSC-3200/3300 via a wireless bridge. The same wireless profiles are
defined on this unit, enabling full roaming support. In order for the bridge to be
successful, the wireless cells of units A and B must overlap, and both units must be
operating in the same mode and on the same channel.

[Figure: network diagram. Labels: Network Operating Center (SMTP server, Firewall, VPN server, Web/FTP server, RADIUS server, Management station), LAN, MSC-3200/MSC-3300, MAP, unit A, unit B, wireless bridge, and on each access point the SSIDs WPA, None and 8021x.]

Configuration roadmap
Configure the wireless network
To ensure that units A and B are on the same channel, you must manually configure
their radios.
Wireless > Radio
Make sure that units A and B are set to operate in the same Wireless mode and on the
same Channel.
1. Set the Operating mode to Access point and Wireless links.
2. Set the appropriate Wireless mode.
3. Choose a specific Channel. Do not use the Automatic option.


Enable the wireless bridge


Do the following on units A and B.
Wireless > Wireless links
1. Click Wireless link #1.
2. In the Settings box, select Enabled.
3. Enable WEP Security, and specify 26 hexadecimal characters for the key.
4. In the Addressing box, specify the MAC address of the other unit.
5. Click Save.

Performance adjustments
Once both units have been configured:
1. Open the Tools > Ping page on one unit and ping the other one to make sure that
the bridge is working.
2. Open the Status > Wireless page.
3. Using the SNR value in the Wireless bridging status box as a guide, adjust the
antennas to obtain the best possible value. A value > 20 is good. After each change,
allow a minimum of two minutes for the Link speed field to settle down and report its
new value.

Configure the VAPs


Add the following VAPs to unit B.
Virtual AP > Profiles
None
In the General box, enable Use Colubris access controller.
WPA
In the General box, enable Use Colubris access controller.
In the Wireless protection box:
• Enable WPA.
• Set Mode to Mixed.
• Set Key source protection to RADIUS.
• Set RADIUS profile to Access Controller.
8021x
In the Wireless protection box:
• Enable 802.1x.
• Enable the WEP encryption option.


Scenario 2: Supporting public and private access with VLANs


In this scenario, VLANs and multiple SSIDs are used to enable public and private users
to share the same infrastructure with complete security.

How it works
In this scenario, a wireless network is shared between company employees and paying
customers.
Employees connect using the SSID Private and are routed to the corporate network on
VLAN 50 where they are authenticated. This traffic bypasses all security and
authentication functions on the MAP, including the DHCP services. This is a pure tunnel
through the MAP. The only service that is provided is tagging the traffic with a VLAN ID.
Customers connect using the SSID Public and log in via the MSC-3200/3300’s public
access interface. The MAP authenticates customers using the ISP RADIUS server.
Once authenticated, customer traffic is forwarded on VLAN 60 so it can reach the
Internet.

[Figure: network diagram. Labels: Corporate RADIUS server, ISP RADIUS server, Corporate Intranet, VLAN 50, VLAN 60, Firewall, Switch, 192.168.5.5, 192.168.5.1, Employees, MSC-3200/MSC-3300, MAP, Employee (SSID = Private), Guest (SSID = Public).]


Configuration roadmap
Define settings on the RADIUS servers
ISPRADIUS
Define accounts for public users and the MAP.
CorporateRADIUS
Define accounts for employees.

Install the MAP


1. Install the MAP as described in Chapter 1.
2. Before you connect the MAP to the LAN, start the management tool and configure it
as described in the sections that follow.

Configure the wireless network


By default the MAP is configured to:
• automatically choose the best operating frequency
• create a wireless network named “Colubris Networks”
There is no need to change these settings for this scenario.
Note: By default, one radio on the MAP-330 is used to provide the wireless network and
the other is placed into Monitor mode (page 38).

Configure the VAPs


Virtual AP > Profiles
Define the two VAPs on the MAP with default settings, except as noted below. Name
them as follows:
• Public
In the General box, enable Use Colubris access controller.
• Private
In the General box, enable Use Colubris access controller.

Configure the connection to the access controller


Security > Access controller
1. By default, the MAP is set up to use the default gateway assigned by DHCP as the
access controller. Do not change this setting.
2. Set the Access controller shared secret to match the one set on the
MSC-3200/3300.


Configure the MSC-3200/3300


Create a RADIUS profile
Add two RADIUS profiles.
CorporateRADIUS
• In the Settings box, use the defaults except for Authentication method which must
match the method supported by the RADIUS server.
• In the Primary RADIUS server box, specify the address of the corporate RADIUS
server and the secret the MSC-3200/3300 will use.
ISPRADIUS
• In the Settings box, use the defaults except for Authentication method which must
match the method supported by the RADIUS server.
• In the Primary RADIUS server box, specify the address of the ISP’s RADIUS server
and the secret the MSC-3200/3300 will use.
Connect to the RADIUS server
1. Enable the RADIUS authentication option.
2. Select the RADIUS profile ISPRADIUS.
3. Specify the username and password the MSC-3200/3300 will use to log in to the
RADIUS server.
4. Click Force authentication. The light should turn green, indicating that the
MSC-3200/3300 has been successfully authenticated.
5. Click Save.

Define VLANs
Configure the VLAN as follows:
Private
• Set Port to Internet port.
• Set VLAN ID to 50.
• Set Assign IP address via to Static.
• Set IP address to 192.168.5.1.
• Set Mask to 255.255.255.0.
• Leave Gateway blank.

Public
• Set Port to Internet port.
• Set VLAN ID to 60.
• Set Assign IP address via to DHCP.

Define VAP profiles


Configure the VAPs as follows:

Private
This profile must be defined first in order to support the wired employees, since
untagged incoming traffic on the LAN port is always sent to the first VAP profile.
• Enable Provide access control.
• Set SSID to Private.
• Set VAP ingress mapping to SSID.


• Set VAP egress mapping to VLAN and then select Private.


• Enable HTML-based user logins.
• Select RADIUS profile ISPRADIUS.

Public
• Enable Provide access control.
• Set SSID to Public.
• Set VAP ingress mapping to SSID.
• Set VAP egress mapping to VLAN and then select Public.
• Enable HTML-based user logins.
• Select RADIUS profile ISPRADIUS.


Scenario 3: Segregating management traffic using VLANs


This scenario illustrates how to segregate the traffic exchanged between a MAP and a
MSC-3200/3300 using VLANs.

How it works
In this scenario, the traffic exchanged between the MAP and the MSC-3200/3300 is
separated onto two different VLANs for security reasons: VLAN 30 is used for the
exchange of management traffic and VLAN 50 is used for customer sessions.
The MAP has a single wireless profile with an SSID of Customer that forwards all
authenticated customer traffic to the MSC-3200/3300 on VLAN 50. In addition, the
default VLAN is set to 30. This VLAN is used to exchange management traffic with the
MSC-3200/3300.
On the MSC-3200/3300, a VAP profile (named Customer) is created with a matching
SSID of Customer. This is required so it can properly process the incoming customer
traffic from the MAP, which is identified with the SSID Customer. This traffic is forwarded
onto the Internet port untagged.
Customers are authenticated by the MSC-3200/3300 using the services of the remote
RADIUS server.

[Figure: network diagram. Labels: RADIUS server, Internet port, MSC-3200/MSC-3300, LAN port (192.168.30.1), x-over cable, VLAN 30: for management traffic (alias Manage), VLAN 50: for customer traffic (alias Customer), LAN port 1 (192.168.30.2), MAP, SSID = Customer.]


Configuration roadmap
On the RADIUS server
Define RADIUS accounts for the MSC-3200/3300 and all customers that will use the
public access network.

Install the MAP


1. Install the MAP as described in Chapter 1.
2. Before you connect the MAP to the LAN, start the management tool and configure it
as described in the sections that follow.

Configure the wireless network


By default the MAP is configured to:
• automatically choose the best operating frequency
• create a wireless network named “Colubris Networks”
There is no need to change these settings for this scenario.
Note: By default, one radio on the MAP-330 is used to provide the wireless network and
the other is placed into Monitor mode (page 38).

Define the VLANs


Network > VLANs
Define VLAN 30 so it can be mapped to the VAP later.
1. Click Add New VLAN.
2. In the General box:
• Set Port to Port 1.
• Set VLAN ID to 50.
• Set VLAN name to Customer.
3. In the Assign IP address via box, select DHCP.
Network > Ports
1. Select Static in the Assign IP address via box, then click the Configure button.
Define the following:
• Set IP address to 192.168.30.2.
• Set Address mask to 255.255.255.0.
• Set Default gateway to 192.168.30.1.
2. Click Save.
3. In the VLAN (Port 1) box:
• Set VLAN ID to 30.
• Enable Restrict default VLAN to management traffic only.

Configure the VAPs


Virtual AP > Profiles
Define a VAP on the MAP as follows:
• In the General box, enable Use Colubris access controller.
• In the SSID box, set WLAN name to Customer.

• In the Egress VLAN box, set VLAN to Customer.

Configure the connection to the access controller


Security > Access controller
1. By default, the MAP is set up to use the default gateway assigned by DHCP as the
access controller. Do not change this setting.
2. Set the Access controller shared secret to match the one set on the MSC-3200/3300.

Configure the MSC-3200/3300


Create a RADIUS profile
1. Click Add New Profile.
2. In the Profile name box, assign RADIUS Profile 1 to the new profile.
3. In the Settings box, use the defaults except for Authentication method which must
match the method supported by the RADIUS server.
4. In the Primary RADIUS server box, specify the address of the RADIUS server and
the secret the MSC-3200/3300 will use.

Connect to the RADIUS server


1. Enable the MSC-3200/3300 RADIUS authentication option.
2. Select the RADIUS profile you just defined.
3. Specify the username and password the MSC-3200/3300 will use to log in to the
RADIUS server.
4. Click Force authentication. The light should turn green, indicating that the
MSC-3200/3300 has been successfully authenticated.
5. Click Save.

Define VLANs
Configure the VLAN as follows:
Customer
• Set Port to LAN port.
• Set VLAN ID to 50.
• Set Assign IP address via to None.
Manage
• Set Port to LAN port.
• Set VLAN ID to 30.
• Set Assign IP address via to Static.
• Set IP address to 192.168.30.1.
• Set Mask to 255.255.255.0.
• Leave Gateway blank.


Define VAP profiles


Configure the VAP as follows:
Customer
• Set the SSID to Customer.
• Enable Provide access control.
• Set VAP ingress mapping to VLAN and then select Customer.
• Set VAP egress mapping to Internet port.
• Enable HTML-based user logins.
• Select RADIUS profile RADIUS Profile 1.


Scenario 4: Remote management


This scenario illustrates how to set up a Colubris Networks InMotion MultiService
Controller (like the MSC-3200/MSC-3300) to provide remote management of the MAPs
connected to it.

How it works
When the MAP is installed behind a MultiService Controller, enabling remote access to
the management tool requires configuration settings to be defined on the MultiService
Controller, the RADIUS server, and the MAP. This section explains how to accomplish
this for the following two topologies:

[Figure: Topology A and Topology B. In both, MAP A (1.2) and MAP B (1.3) are on the 192.168.1.0 network behind the InMotion MultiService Controller (1.1), and the RADIUS server and management station are on the 192.168.20.0 network. In Topology A the controller is reached at 10.1 on the 192.168.10.0 network. In Topology B a VPN tunnel runs between the controller and a VPN server, and addresses inside the tunnel are on the 192.168.30.0 network (controller 30.2, management station 30.3).]


To reach the management tool


To reach the management tool, the management station must specify the following
addresses in its web browser:
Topology A
• To reach MAP A: HTTPS://192.168.10.1:5002
• To reach MAP B: HTTPS://192.168.10.1:5003
Topology B
• To reach MAP A: HTTPS://192.168.30.2:5002
• To reach MAP B: HTTPS://192.168.30.2:5003

Static NAT mappings are used on the MSC-3200/3300 to direct traffic to the proper
MAP. MAC address authentication enables the MAPs to log into the public access
network. Access list definitions allow traffic to be sent from the MAPs to the
management stations.
The following sections explain these configuration settings in more detail.

On the MSC-3200/3300

Create static NAT mappings
To direct management traffic to the proper MAP, you need to create static NAT
mappings to redirect HTTPS traffic to the new ports you defined on the MAPs.
• Map traffic on port 5002 to IP address 192.168.1.2 and port 443.
• Map traffic on port 5003 to IP address 192.168.1.3 and port 443.

On the RADIUS server

Configure the access controller profile
MAC address authentication
For the MAP to communicate with the remote management station, it must log into the
public access network. To accomplish this, use the MAC address attribute when
creating the RADIUS profile for the access controller. This attribute enables the access
controller to authenticate devices based on their MAC address.
Access list
In both topology A and B it makes sense to protect access to the RADIUS server and
management station. This is done with an access list definition that blocks all traffic to
192.168.20.0, for topology A, and 192.168.30.0, for topology B.
However, to enable the MAPs and the management station to communicate, you must
create an additional access list definition as follows:
• Topology A: Create an access list that permits HTTPS traffic to address 192.168.20.4.
This is the IP address of the management station. For example:
access-list=320,ACCEPT,tcp,192.168.20.4,443
• Topology B: The list should permit HTTPS traffic to address 192.168.30.3. This is the
IP address of the management station inside the VPN tunnel.
access-list=320,ACCEPT,tcp,192.168.30.3,443

Create a MAP profile


Define a RADIUS profile for the MAPs. The profile should activate the access list that
was defined in the MultiService Controller’s profile. For example:
use-access-list=320
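
A check for the access-list exception described above, as an added example that is not part of the Colubris guide: it parses the attribute lines shown in this section and reports when the ACCEPT rule is wider than the single management-station host on tcp/443. The field order is inferred from the guide's example line, the /24 masks on the protected networks are assumed, and the function names are illustrative.

```python
import ipaddress

# Field order inferred from the guide's own example line (an assumption):
#   access-list=<list name>,<action>,<protocol>,<address>,<port>
FIELDS = ("name", "action", "protocol", "address", "port")


def parse_access_list(line):
    """Split one access-list attribute into named fields."""
    key, sep, value = line.strip().partition("=")
    if key != "access-list" or not sep:
        raise ValueError(f"not an access-list attribute: {line!r}")
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rule = dict(zip(FIELDS, parts))
    # A bare host address becomes a /32 network, so hosts and subnets compare alike.
    rule["address"] = ipaddress.ip_network(rule["address"], strict=False)
    rule["port"] = int(rule["port"])
    return rule


def parse_use_access_list(line):
    """Return the list name that a MAP profile activates."""
    key, _, value = line.strip().partition("=")
    if key != "use-access-list" or not value.strip():
        raise ValueError(f"not a use-access-list attribute: {line!r}")
    return value.strip()


def audit_exception(access_list_line, use_line, protected_net, mgmt_station):
    """Return findings for one exception rule; an empty list means it is as narrow as the guide's."""
    rule = parse_access_list(access_list_line)
    protected = ipaddress.ip_network(protected_net)
    station = ipaddress.ip_address(mgmt_station)
    findings = []
    if rule["name"] != parse_use_access_list(use_line):
        findings.append("MAP profile activates a different list")
    if rule["action"] != "ACCEPT":
        findings.append("rule is not an ACCEPT exception")
    if rule["protocol"].lower() != "tcp" or rule["port"] != 443:
        findings.append("not limited to HTTPS (tcp/443)")
    if rule["address"].num_addresses != 1:
        findings.append("permits more than one host")
    elif rule["address"].network_address != station:
        findings.append("does not point at the management station")
    if not rule["address"].subnet_of(protected):
        findings.append("destination is outside the protected network")
    return findings


# Constructed inputs: the guide's two example lines, with /24 masks assumed
# for the protected networks (the guide gives only 192.168.20.0 and 192.168.30.0).
TOPOLOGIES = {
    "A": ("access-list=320,ACCEPT,tcp,192.168.20.4,443", "192.168.20.0/24", "192.168.20.4"),
    "B": ("access-list=320,ACCEPT,tcp,192.168.30.3,443", "192.168.30.0/24", "192.168.30.3"),
}

if __name__ == "__main__":
    for name, (line, net, station) in TOPOLOGIES.items():
        print(name, audit_exception(line, "use-access-list=320", net, station) or "ok")
    # Constructed over-broad variant: the whole protected subnet instead of one host.
    print(audit_exception("access-list=320,ACCEPT,tcp,192.168.20.0/24,443",
                          "use-access-list=320", "192.168.20.0/24", "192.168.20.4"))
```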


Create a user account for each MAP


Define a RADIUS user account for each MAP. Define a unique username and password
for each device.

Chapter 4: Enterprise scenarios

This chapter provides sample deployment strategies for common
scenarios when using the MAP in an enterprise network. These scenarios
will give you a good idea of how to approach your installation.

In this chapter
The following scenarios are provided in this chapter:
• Scenario 1: Integrating secure wireless networking
• Scenario 2: Integrating into a segmented network
• Scenario 3: Wireless bridging - RF extension
• Scenario 4: Wireless bridging - point-to-point wireless link
• Scenario 5a: Using multiple wireless profiles and QoS
• Scenario 5b: Supporting Spectralink phones


Scenario 1: Integrating secure wireless networking


The MAP makes it easy to integrate secure wireless connectivity into an existing
networking infrastructure.

How it works
In this scenario the MAP provides secure networking via 802.1x and uses an existing
RADIUS server on the corporate network to validate employee logins.

[Figure: A WPA-protected WLAN connected to the corporate intranet and its RADIUS server.]

Configuration roadmap

Install the MAP
1. Install the MAP as described in Chapter 1.
2. Before you connect the MAP to the LAN, start the management tool and configure it
as described in the sections that follow.

Configure addressing
Network > Ports
Set the IP addressing method required by the corporate network.

Configure the connection to the RADIUS server


Security > RADIUS
1. Click Add New Profile.
2. In the Profile Name box, specify Corporate.
3. In the Primary RADIUS server box, set the Server address and Shared secret of
the corporate RADIUS server.


Configure the wireless network


By default the MAP is configured to:
• automatically choose the best operating frequency
• create a wireless network name “Colubris Networks”
There is no need to change these settings for this scenario.
Virtual AP > Profiles
1. Click the Colubris Networks profile to edit it.
2. In the Wireless protection box:
• Enable WPA.
• Set Mode to Mixed.
• Set Key source protection to RADIUS.
• Set RADIUS profile to Corporate.


Scenario 2: Integrating into a segmented network


With support for VLANs and multiple SSIDs, the MAP provides for seamless integration
into an existing segmented network architecture.

How it works
In this scenario the virtual access point capabilities of the MAP are used to provide a
wireless architecture that mirrors the segmented configuration of the backbone LAN.
Wireless traffic is secured using either WEP or WPA, and leverages the existing
corporate RADIUS server for user authentication.
Because each MAP features an identical wireless setup, users are able to roam
between access points without losing their network connection.

[Figure: A RADIUS and DHCP server, Server 1, Server 2 and a Router/Firewall sit on VLANs 40, 50 and 60 behind a Layer 3 switch with a trunk port. 802.1Q trunks connect the switch to the MAPs. On each MAP the LAN port uses VLAN=50, SSID=Guest maps to VLAN=40, and SSID=Priv_WPA and SSID=Priv_WEP map to VLAN=60.]


About the SSIDs and VLANs


• Guest: This SSID has no encryption enabled and is mapped to VLAN 40. This permits
guests to surf the Internet only.
• Priv_WPA: This SSID is defined with WPA security and is mapped to VLAN 60. User
authentication occurs via the corporate RADIUS server.
• Priv_WEP: This SSID is defined with WEP security and is mapped to VLAN 60.
• Default VLAN: The default VLAN is set to 50. Since all user traffic on the MAP is
mapped to either 40 or 60, only management traffic is sent on VLAN 50, which
includes all communication with the corporate RADIUS server and configuration
activities. (For this to work, you must use LAN port 1 to connect the MAP to the
corporate network.)

Addressing details
• The MAPs are connected to the layer 3 switch via a LAN port. Each MAP has a
unique static IP address on the 50.0 segment.
• Employees on the Guest, Priv_WPA, and Priv_WEP SSIDs are bridged to the
appropriate VLAN. This means that they receive an IP address from the DHCP server
on the network.
• The Layer 3 switch provides routing between VLAN 60 and VLAN 40, enabling
employees to access the Internet.

Configuration roadmap
Configure all MAPs as follows:

Install the MAP
1. Install the MAP as described in Chapter 1.
2. Before you connect the MAP to the LAN, start the management tool and configure
each unit as described in the sections that follow.

Configure the wireless network


By default the MAP is configured to:
• automatically choose the best operating frequency
• create a wireless network name “Colubris Networks”
There is no need to change these settings for this scenario.
Note: By default, one radio on the MSC-330 is used to provide the wireless network and
the other is placed into Monitor mode (page 38).

Define the VLANs and network addressing


Network > VLANs
Define VLANs 40 and 60 so they can be mapped to the VAPs later.
1. Click Add New VLAN.
2. In the General box:
• Set Port to Port 1.
• Set VLAN ID to 40.
• Set VLAN name to Guest.
3. In the Assign IP address via box, select DHCP.
4. Click Save.

5. Click Add New VLAN.
6. In the General box:
• Set Port to Port 1.
• Set VLAN ID to 60.
• Set VLAN name to Employee.
7. In the Assign IP address via box, select DHCP.
8. Click Save.
Network > Ports
1. Select Static in the Assign IP address via box, then click the Configure button.
Define addressing as required by the corporate network.
2. Click Save.
3. In the VLAN (Port 1) box:
• Set VLAN ID to 50.
• Enable Restrict default VLAN to management traffic only.

Configure the connection to the RADIUS server


Security > RADIUS
1. Click Add New Profile.
2. In the Profile Name box, specify Corporate.
3. In the Primary RADIUS server box, set the Server address and Shared secret of
the corporate RADIUS server.

Configure the VAPs


Virtual AP > Profiles
Define the following three profiles on each MAP:
Guest
• In the SSID box, set WLAN name to Guest.
• In the Egress VLAN box, set VLAN to Guest.
• Disable Security Filters.
Priv_WEP
• In the SSID box, set WLAN name to Priv_WEP.
• In the Egress VLAN box, set VLAN to Employee.
• Disable Security Filters.
• In the Wireless protection box:
• Enable WEP and define the appropriate keys.
Priv_WPA
• In the SSID box, set WLAN name to Priv_WEP.
• In the Egress VLAN box, set VLAN to Employee.
• Disable Security Filters.
• In the Wireless protection box:
• Enable WPA.
• Set Mode to Mixed.
• Set Key source protection to RADIUS.

• Set RADIUS profile to Corporate.

Configure the RADIUS server


Configure the RADIUS server to return VLAN 60 for employee accounts. This is done by
setting the following standard RADIUS attributes:
tunnel-type=VLAN
tunnel-medium-type=802
tunnel-private-group-id=60
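
How these three attributes look inside a RADIUS Access-Accept, as an added example that is not part of the Colubris guide: it encodes them using the attribute numbers and values from RFC 2868 and decodes an attribute list back to a VLAN ID, returning None when the set is incomplete or inconsistent. The function names are illustrative and the sample bytes are constructed.

```python
import struct

# Attribute numbers and values from RFC 2868 (usage for 802.1x in RFC 3580).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TT_VLAN = 13        # tunnel-type=VLAN
TMT_IEEE_802 = 6    # tunnel-medium-type=802


def encode_vlan_attributes(vlan_id, tag=0):
    """Return the three attributes as they appear in an Access-Accept attribute list."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0-31")
    group = str(vlan_id).encode("ascii")
    out = b""
    # Tunnel-Type and Tunnel-Medium-Type: type, length=6, tag, 3-byte value.
    for attr, value in ((TUNNEL_TYPE, TT_VLAN), (TUNNEL_MEDIUM_TYPE, TMT_IEEE_802)):
        out += struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    # Tunnel-Private-Group-ID: type, length, tag, VLAN ID as ASCII digits.
    out += struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag) + group
    return out


def iter_attributes(data):
    """Yield (type, value) pairs from an attribute list, rejecting bad lengths."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield attr, data[pos + 2:pos + length]
        pos += length


def assigned_vlan(data):
    """Return the VLAN ID carried by the attributes, or None if no usable assignment is present."""
    tunnel_type = medium = group = None
    for attr, value in iter_attributes(data):
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            number = int.from_bytes(value[1:], "big")   # skip the tag byte
            if attr == TUNNEL_TYPE:
                tunnel_type = number
            else:
                medium = number
        elif attr == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first byte of 0x00-0x1F is a tag; a larger byte already belongs to the string.
            text = value[1:] if value[0] <= 0x1F else value
            group = text.decode("ascii", errors="replace")
    if tunnel_type != TT_VLAN or medium != TMT_IEEE_802:
        return None
    if group is None or not group.isdigit() or not 1 <= int(group) <= 4094:
        return None
    return int(group)


# Constructed sample: the attribute set for employee accounts in this scenario.
SAMPLE_ATTRIBUTES = encode_vlan_attributes(60)

if __name__ == "__main__":
    print(SAMPLE_ATTRIBUTES.hex())
    print(assigned_vlan(SAMPLE_ATTRIBUTES))
```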


Scenario 3: Wireless bridging - RF extension


The MAP can use the wireless network to create a wireless bridge to other units.

How it works
In this scenario a corporate network uses three MAPs to provide wireless access for
employees. Units A and B are directly connected to the backbone LAN, while unit C is
connected via a wireless bridge.
Each MAP features two VAPs, one for HTML users and one for 802.1x users.
In order for the bridge to be successful, the wireless cells of units A and B must overlap,
and both units must be operating in the same wireless mode and on the same channel.

[Figure: A Network Operating Center (SMTP server, firewall, Web/FTP server, VPN server, RADIUS server and management station) is attached to the LAN. MAPs A and B connect to the LAN, and MAP C connects through a wireless bridge. Employee workstations associate with each MAP.]

Configuration roadmap

Install the MAPs
1. Install the MAPs as described in Chapter 1.
2. Before you connect the MAPs to the LAN, start the management tool and configure
each unit as described in the sections that follow.

Configure the wireless network


By default the MAP is configured to:
• automatically choose the best operating frequency
• create a wireless network name “Colubris Networks”
There is no need to change these settings for unit C.
To ensure that units B and C are on the same channel, you must manually configure
their radios.


Wireless > Radio


Make sure that units B and C are set to operate in the same Wireless mode and on the
same Channel.
1. Set the Operating mode to Access point and Wireless links.
2. Set the appropriate Wireless mode.
3. Choose a specific Channel. Do not use the Automatic option.

Enable the wireless bridge


Do the following on unit B and C.
Wireless > Wireless links
1. Click Wireless link #1.
2. In the Settings box, select Enabled.
3. Enable WEP Security, and specify 26 hexadecimal characters for the key.
4. In the Addressing box, specify the MAC address of the other unit.
5. Click Save.

Performance adjustments
Once both units have been configured:
1. Open the Tools > Ping page on one unit and ping the other one to make sure that
the bridge is working.
2. Open the Status > Wireless page.
3. Using the SNR value in the Wireless bridging status box as a guide, adjust the
antennas to obtain the highest possible value. A value > 20 is good. After each change,
allow a minimum of two minutes for the Link speed field to settle down and report its
new value.

Configure the VAPs


Add the following wireless profiles to all units.
Virtual AP > Profiles
HTML
• In the SSID box, set WLAN name to HTML.
• Disable Security Filters.
8021x
• In the SSID box, set WLAN name to 8021x.
• Disable Security Filters.
• In the Wireless protection box:
• Enable 802.1x.
• Set RADIUS profile to Access Controller.
• Enable the WEP encryption option.


Scenario 4: Wireless bridging - point-to-point wireless link


This scenario illustrates how to interconnect two networks via a wireless bridge.

How it works
In this scenario, two MAPs are used to wirelessly link the networks in two offices located
in neighboring buildings. This enables workers in both offices to share data and
resources as if they were on the same network. To maximize signal power, directional
antennas are used to establish the connection, which must be line-of-sight.

Single-radio
When using single-radio units with a directional antenna, a local wireless network
cannot be created at each office. Instead, the MAPs are directly connected to the
backbone LANs in each office.

[Figure: Single-radio units. Two offices share data and resources over a secure link between two antennas.]

Dual-radio
With dual-radio units, radio 1 can be used to establish the link and radio two can be
used to provide wireless networking.

[Figure: Dual-radio units. Two offices share data and resources over a secure link between two antennas.]


Configuration roadmap - single radio

Install the MAPs
1. Install the MAPs as described in Chapter 1.
2. Before you connect the MAP to the LAN, start the management tool and configure
each unit as described in the sections that follow.

Configure the wireless radios


To ensure that both units are on the same channel, you must manually configure their
radios.
Wireless > Radio
Make sure that units A and B are set to operate in the same Wireless mode and on the
same Channel.

Enable the wireless bridge


Do the following on both units.
Wireless > Wireless links
1. Click Wireless link #1.
2. In the Settings box, select Enabled.
3. Enable WEP Security, and specify 26 hexadecimal characters for the key.
4. In the Addressing box, specify the MAC address of the other unit.
5. Click Save.

Performance adjustments
Once both units have been configured:
1. Open the Tools > Ping page on one unit and ping the other one to make sure that
the bridge is working.
2. Open the Status > Wireless page.
3. Using the SNR value in the Wireless bridging status box as a guide, adjust the
antennas to obtain the highest possible value. A value > 20 is good. After each change,
allow a minimum of two minutes for the Link speed field to settle down and report its
new value.

Configuration roadmap - dual radios

Install the MAPs
1. Install the MAPs as described in Chapter 1.
2. Attach a directional antenna to the Main connector for radio 1.

Configure the wireless radios


To ensure that both units are on the same channel, you must manually configure their
radios.
Wireless > Radios
1. In the Radio 1 box:
• Set the Operating mode to Wireless links only.
• Set the appropriate Wireless mode.
• Choose a specific Channel. Do not use the Automatic option.

2. In the Radio 2 box:
• Set the Operating mode to Access point only.
• Set the appropriate Wireless mode.
• Set Channel to Automatic.

Enable the wireless bridge


Do the following on both units.
Wireless > Wireless links
1. Click Wireless link #1.
2. In the Settings box, select Enabled.
3. Enable WEP Security, and specify 26 hexadecimal characters for the key.
4. In the Addressing box, specify the MAC address of the other unit.
5. Click Save.

Performance adjustments
Once both units have been configured:
1. Open the Tools > Ping page on one unit and ping the other one to make sure that
the bridge is working.
2. Open the Status > Wireless page.
3. Using the SNR value in the Wireless bridging status box as a guide, adjust the
antennas to obtain the highest possible value. A value > 20 is good. After each change,
allow a minimum of two minutes for the Link speed field to settle down and report its
new value.

Configure the VAPs


Virtual AP > Profiles
1. Click the Colubris Networks profile in the list to edit it.
2. In the SSID box, change Transmit/receive on to Radio 2.
• Disable Security Filters.
3. Click Save.


Scenario 5a: Using multiple wireless profiles and QoS


The MAP can create multiple wireless profiles to support different types of user
connections. Each profile can also be configured to provide a different quality of service.

How it works
In this scenario, the MAP provides three different wireless networks and uses QoS
settings to prioritize traffic.
• Employee: This network is for use by all employees. It features a QoS setting that
provides for normal traffic priority, and restricts traffic to the corporate VPN server.
Employees use PPTP client software to connect with the corporate VPN server.
• Guest: This network is for use by guests. It features WEP security and a QoS setting
that provides for low traffic priority.
• Video: This network is for video conferencing. It features a QoS setting that provides
for high traffic priority, and restricts traffic to the corporate VPN server. Employees use
PPTP client software to connect with the corporate VPN server.

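[Figure: The MAP connects to the corporate backbone, which also hosts the Router/Firewall and the VPN server. Three wireless networks are shown: SSID=Guest with QoS=SSID-based Low, SSID=Employee with QoS=SSID-based Normal, and SSID=Video with QoS=SSID-based High.]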

Configuration roadmap

Install the MAP
1. Install the MAP as described in Chapter 1.
2. Before you connect the MAP to the LAN, start the management tool and configure
each unit as described in the sections that follow.

Configure the wireless network


By default the MAP is configured to:
• automatically choose the best operating frequency

• create a wireless network name “Colubris Networks”
There is no need to change these settings for this scenario.
Note: By default, one radio on the MAP-330 is used to provide the wireless network and
the other is placed into Monitor mode (page 38).

Configure the VAPs


Wireless > Wi-Fi > WLAN profiles
Define the following profiles:
Employee
• Set QoS to SSID-based Normal.
• Enable IP filter and add the address of the corporate VPN server. This restricts
employee traffic to the VPN server only.
Video
• Set QoS to SSID-based High.
• Enable IP filter and add the address of the corporate VPN server. This restricts traffic
to the VPN server only.
Guest
Edit the Guest profile as follows:
• Enable IP filter and add the address of the corporate Router/Firewall. This restricts
Guest traffic to the Internet only.
Employee
• In the SSID box:
• Set WLAN name to Employee.
• Set QoS priority mechanism to VAP-based Normal.
• In the Security Filters box, select custom and specify the MAC address of the
corporate VPN server. This restricts employee traffic to the VPN server only.
Video
• In the SSID box:
• Set WLAN name to Video.
• Set QoS priority mechanism to VAP-based High.
• Enable IP filter and add the address of the corporate VPN server. This restricts traffic
to the VPN server only.
Guest
• In the SSID box:
• Set WLAN name to Guest.
• Enable IP filter and add the address of the corporate Router/Firewall. This restricts
traffic to the VPN server only.


Scenario 5b: Supporting Spectralink phones


This scenario adds support for wireless phones to Scenario 5a.
The MAP provides two features to support Spectralink phones: SVP quality of service
support, and MAC-based authentication.

How it works
In this scenario, a new profile is added to support wireless phones. Authentication of
phones is accomplished by adding the MAC address of each phone to an internal list
maintained on the MAP. Only phones that appear in the list can connect.

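[Figure: The MAP connects to the corporate backbone, which also hosts the Router/Firewall and the VPN server. Four wireless networks are shown: SSID=Phone with QoS=Diffsrv, SSID=Guest with QoS=SSID-based Low, SSID=Employee with QoS=SSID-based Normal, and SSID=Video with QoS=SSID-based High.]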

Configuration roadmap

Configure the wireless profile
Virtual AP > Profiles
1. Define a new profile and name it Phone.
2. Leave the default QoS setting of DiffServ which maps phone traffic to traffic queue 1.
3. In the MAC filter box, add the MAC address for each phone.
4. Select the Allow option.
5. Click Save.

Chapter 5: More from Colubris

In this chapter you can find information about the resources that are
available to you at the Colubris website, as well as information about how
to contact Colubris support, training, and sales.

Colubris.com
Visit Colubris.com to access Datasheets, Whitepapers, Case Studies, and
Solution Guides. From the left side of the homepage, select Literature in order to view
these menu items. Access to this material is free and does not require product
registration.

For registered customers

By registering your product at Colubris.com, you can access the information listed
below.
To register, simply go to Colubris.com and from the left side of the home page select
Support > Product Registration. Complete and submit the Product Registration
Form in order to gain access to the support area of the website.
Once you register your product purchase with Colubris, you can log in and access the
following information:
• Technical documentation
• Administrator’s guides
• Quickstart guides
• Quick setup tools
• SNMP MIBs
• Software license agreement
• Return Material Authorization (RMA) procedures and forms

For Annual Maintenance Support Program customers

Colubris Networks offers a comprehensive set of annual support programs that focus on
the hardware and software content of Colubris' award-winning family of secure Wi-Fi
solutions.
Annual Maintenance Support Programs provide a broad level of hardware and software
assistance that combines various elements of support:
• Telephone-based technical support
• Hardware support
• Software support
When visiting Colubris.com, customers who have purchased an Annual Maintenance
Support Program can access the following information in addition to the website
material discussed above:
• FAQs
• Technical notes
• Release notes
• Software downloads


Information by telephone and e-mail


You can contact Colubris support, training, and sales directly as follows:
• Colubris Customer Support team:
  • E-mail support@colubris.com
  • Telephone toll-free from within the United States and Canada by dialing
    1-866-241-8324, then select option 1
  To telephone the Colubris Customer Support team from other countries, dial the
  International Direct Dialing prefix (IDD) for the country from which you are calling,
  then dial 1-781-684-0001. Select option 1.
  You can find a list of IDDs, as well as more information about making international
  calls, at http://kropla.com/dialcode.htm.
• Colubris training department: E-mail training@colubris.com
• Colubris sales information: E-mail sales@colubris.com
