
WAP-200 Administrators Guide

Release 5.1 (October 2006)

44-10-0200-05

Copyright 2006 Colubris Networks, Inc. All rights reserved, including those to reproduce this document or parts thereof in any form without written permission from Colubris Networks, Inc.

Colubris is a registered trademark, and the Colubris Networks logo, the tag line "The Intelligent Wireless Networking Choice" and TriPlane are trademarks of Colubris Networks, Inc., in the United States and other countries. All other product and brand names are the service marks, trademarks, registered trademarks, or registered service marks of their respective owners.

Changes are periodically made to the information herein; these changes will be incorporated into new editions of the document. You can download the most up-to-date product information from the Colubris Networks website. Go to www.colubris.com and on the home page select Support > Product Registration.

Colubris Networks, Inc.
200 West Street Ste 300
Waltham, Massachusetts 02451-1121
UNITED STATES
Phone: +1 781 684 0001
Fax: +1 781 684 0009
Sales Information: sales@colubris.com
Customer Support: support@colubris.com
Training: training@colubris.com
http://www.colubris.com


Contents

Chapter 1  Introduction
About this guide ......................................... 6
  Important terms ........................................ 6
  Typographical conventions .............................. 6
  Warnings, cautions, and notes .......................... 6
  Related documentation .................................. 7
Hardware overview ........................................ 8
  Front and rear panels .................................. 8
  Antenna connectors ..................................... 9
  Ethernet port(s) ....................................... 9
  Powering the WAP-200 ................................... 9
  Status lights ......................................... 10
  Radio ................................................. 10
  Reset button .......................................... 10
Hardware Installation ................................... 11
  Mounting options ...................................... 11
  Configuring the WAP-200 ............................... 11
Regulatory information .................................. 12
  Canada - Industry Canada (IC) ......................... 12
  USA - Federal Communications Commission (FCC) ......... 12
  Europe ................................................ 13
  1313 .................................................. 15
Health information ...................................... 16
Declaration of conformity ............................... 17

Chapter 2  How it works ................................. 19
Overview ................................................ 20
  Public access deployment .............................. 20
  Enterprise deployment ................................. 21
Management Tool ......................................... 22
  Management station .................................... 22
  Starting the Management Tool .......................... 22
  Administrator account ................................. 23
  Security .............................................. 25
Virtual service communities ............................. 26
  Setting up a VSC ...................................... 26
  General ............................................... 29
  Virtual AP ............................................ 29
  Egress VLAN ........................................... 31
  Wireless security filters ............................. 32
  Wireless protection ................................... 33
  MAC-based authentication .............................. 35
  Location-aware ........................................ 36
  MAC filter ............................................ 36
Working with an access controller ....................... 37
  Connecting to a Colubris access controller ............ 37
  Using other access controllers ........................ 37
Customer authentication and access control .............. 39
  Authentication methods ................................ 39
  Using multiple authentication mechanisms .............. 40
Wireless coverage ....................................... 42
  Wireless mode ......................................... 42
  Factors limiting wireless coverage .................... 42
  Configuring overlapping wireless cells ................ 44
  Conducting a site survey .............................. 48
  Monitor mode .......................................... 48
  Identifying unauthorized access points ................ 49
RF channel management ................................... 50
  Operating mode ........................................ 50
  Wireless mode ......................................... 51
  Channel ............................................... 51
  DFS/TPC ............................................... 51
  Automatic power adjustment ............................ 51
  Distance between access points ........................ 52
  RTS threshold ......................................... 52
  Multicast Tx rate ..................................... 52
  Antenna selection ..................................... 52
  Transmit power control ................................ 53
RF performance .......................................... 54
  Client station data rate limits ....................... 54
  Multicast rate limit .................................. 54
Addressing .............................................. 55
  Default settings ...................................... 55
  DNS ................................................... 55
Layer 2 security ........................................ 56
  Session limits ........................................ 56
  Authentication ........................................ 56
  Security options ...................................... 56
  Do not broadcast wireless network name ................ 57
Wireless bridging ....................................... 58
  RF extension .......................................... 58
  Building-to-building connections ...................... 58
  Guidelines ............................................ 59
  Setting up a wireless link ............................ 60
VLAN support ............................................ 62
  Creating VLANs ........................................ 62
  Default VLAN .......................................... 63
  Assigning traffic to VLANs ............................ 63
  VLAN bridging ......................................... 63
Firmware management ..................................... 64
  Manual update ......................................... 64
  Scheduled install ..................................... 65
  Using cURL ............................................ 65
Configuration management ................................ 66
  Manual management ..................................... 66
  Using cURL ............................................ 68
Using a RADIUS server ................................... 70
  Creating a RADIUS client entry for the WAP-200 ........ 70
  Creating user profiles on the RADIUS server ........... 73
  Creating administrator profiles on the RADIUS server .. 78

Chapter 3  More from Colubris ........................... 79
Colubris.com ............................................ 80
  For registered customers .............................. 80
  For Annual Maintenance Support Program customers ...... 80
Information by telephone and e-mail ..................... 81



Chapter 1

Introduction
In this chapter you can find an explanation of the conventions used in this manual, an overview of the hardware, and instructions on how to power-up the WAP-200 wireless client bridge.

Chapter 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Introduction- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Chapter 1

About this guide


This manual shows you how to install, configure, and operate the Colubris Networks WAP-200 wireless access point.

Important terms

MSC: Refers to all Colubris Networks MSC-3000 series and MSC-5000 series products.

Customer: Refers to any person or device that logs into the public access network created by a Colubris Networks Access Point.

Typographical conventions

The following table gives the typographical conventions used in Colubris Networks technical documentation.

Network > Ports: When referring to the Management Tool web interface, bold type identifies menu selections, input fields, or user supplied values. Submenus are indicated by the > sign. The example refers to the Ports submenu, which is found under the Network menu.

use-access-list=username: Monospaced text identifies command-line output, program listings, or commands that you enter into configuration files or profiles.

ip_address: Items in italics are parameters for which you must supply a value.

ssl-certificate=URL [%s]: Items enclosed in square brackets are optional. You can either include them or not. Do not include the brackets.

[ONE | TWO]: Items separated by a vertical line indicate one or more choices. Specify only one of the items.

Warnings, cautions, and notes

The following table explains some of the special symbols used in this guide.

Warning!: Warnings provide information that you must follow to avoid risk of physical injury.

Caution!: Cautions provide information that you must follow to avoid damage to the hardware or software components of the system.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --


Related documentation

For information on related documentation, see the Colubris Networks Technical Documentation Road Map, available on the Colubris Networks Documentation CD and for download on the Colubris Networks web site.



Hardware overview
This section describes the WAP-200 hardware platform.

Front and rear panels

The following figures show the front and rear panels of the WAP-200.

Front panel (figure): status lights (Power, Ethernet, Wireless), 5 volt power connector, Port 1 Ethernet port (802.3af), serial port, reset button, and the MAIN antenna connector.

Rear panel (figure): the AUX antenna connector.



Antenna connectors

The WAP-200 has two antenna connectors, MAIN on the front panel and AUX on the rear. Both antennas are used to transmit and receive. If you use a single antenna, you can attach it to either connector. The connectors are reverse-polarity SMA male jacks. This means antennas or cable connectors must have reverse-polarity SMA female connectors. Antennas can be either directly attached or attached through a coax cable. When using a coax cable, it is recommended that you connect it to the MAIN connector.

Antenna diversity
The WAP-200 supports both transmit and receive diversity.

Transmit diversity
The WAP-200 always transmits on the antenna on which it last received. If the transmission fails, the WAP-200 automatically switches antennas and retries.

Receive diversity
In 802.11b mode, the WAP-200 uses selection diversity: the receive antenna is chosen on a per-frame basis from the SNR calculated while receiving the preamble. In 802.11a and 802.11g modes, including mixed 802.11b/g, the receiver switches antennas when the signal quality drops below a certain threshold.

Ethernet port(s)

The WAP-200 has a single Ethernet port. By default the WAP-200 operates as a DHCP client to obtain the address of Port 1. If no DHCP server is found on Port 1, the address 192.168.1.1 is assigned to Port 1 and the wireless port.

Note: Do not connect the Ethernet ports directly to a metropolitan area network (MAN) or wide area network (WAN).

Important: All Ethernet port connections must be made with a shielded Ethernet cable.

Powering the WAP-200

There are two ways to power the WAP-200: DC adapter or PoE.

DC power adapter
The supplied DC power adapter provides 2A at 5V.

Important: The power adapter is not rated for use in plenum installations.

Power over Ethernet (PoE)


The WAP-200 supports PoE and can be used with any IEEE 802.3af compliant power injector.

Important: Cisco PoE injectors are not compliant with IEEE 802.3af and cannot be used with the WAP-200.



Status lights

The status lights provide the following operational information.

Power
- on: The WAP-200 is fully operational.
- flashing: The WAP-200 is starting up.
- off: Power is off.

Ethernet
- on: The LED comes on for a short period when the link is established.
- flashing: The Ethernet port is transmitting or receiving.
- off: The port is not connected or there is no activity.

Wireless
- flashing: The wireless port is receiving data.

Startup behavior
When power is applied to the WAP-200, the power light will start flashing. When the power light stops flashing, initialization is complete and the WAP-200 is fully operational.

Radio

The WAP-200 provides support for IEEE 802.11a and 802.11b/g technologies, which can be configured in real-time for complete flexibility of operation. When operating in 802.11a or 802.11g mode, the radio supports data rates of up to 54 Mbps. When operating in 802.11b mode, the radio provides data rates up to 11 Mbps. The power output of the radio and the operating channels (frequencies) that are available are governed by the regulations in your country. The WAP-200 automatically provides the appropriate range of operating values for you to choose from.

Reset button

Use the end of a paper clip or another pointy object to press the reset button.

Restarting
Press and release the button quickly to restart the WAP-200. This is equivalent to disconnecting and reconnecting the power. The WAP-200 will restart immediately.

Resetting to factory defaults


To reset the WAP-200 to its factory default settings, do the following:

1. Press and hold the reset button. All the lights on the WAP-200 back panel will light up.
2. When the lights begin to flash (after about five seconds), immediately release the button.
3. The WAP-200 will restart with factory default settings. When the power light stops flashing, the WAP-200 is fully operational.

Important: Resetting the WAP-200 to factory defaults deletes all your configuration settings, resets the Administrator username and password to admin, and sets the IP address of Port 1 via DHCP. If a DHCP server is not found connected to Port 1, the address 192.168.1.1 is assigned to Port 1 and the wireless port.



Hardware Installation
Important: Installation must be performed by a professional installer familiar with local regulations governing wireless devices.

Mounting options

When mounting the WAP-200 on a wall, ceiling or other surface, ensure that:

- The surface you attach the WAP-200 to and the fasteners you use are able to support at least 5.1 kg (11.25 pounds).
- Cable pull (accidental or otherwise) does not make the unit exceed the 5.1 kg (11.25 pound) limit.

Plenum installations
Plenum rated cables and attachment hardware must be used if the WAP-200 is installed in a plenum. Since the power adapter is not rated for plenum installations, only the WAP-200 and appropriate cabling can be located in a plenum.

Note: Colubris Networks supplied PoE injectors (available separately) cannot be installed inside the plenum.

Configuring the WAP-200

Before attaching the WAP-200 to your network, Colubris recommends that you start the management tool and define basic configuration settings as outlined in the quick start guide. Once this is done, refer to Chapter 2 for additional configuration information.



Regulatory information
The WAP-200 complies with the following radio frequency and safety standards. This device requires professional installation.

CAUTION: Changes or modifications not expressly approved by Colubris Networks for compliance could void the user's authority to operate the equipment.

Installation and operating configurations of this transmitter, including antenna gain and cable loss, must satisfy MPE Categorical Exclusion Limits of 2.1091. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 20 cm from all persons and must not be collocated or operated in conjunction with any other antenna or transmitter. Installers and end users must be provided with operating instructions and antenna installation conditions for satisfying RF exposure compliance requirements.

Canada - Industry Canada (IC)

This device complies with RSS 210 of Industry Canada. This Class B digital apparatus complies with Industry Canada standards ICES-003 (NMB-003) and RSS 210 (CNR 210). This device may not cause interference, and this device must accept any interference, including interference that may cause undesired operation of the device. This device is designed to operate with the Centurion WTS2450-RPSMA antenna, having a maximum gain of 2.5 dBi @ 2.4 GHz, 3.0 dBi @ 5.3 GHz, and 3.4 dBi @ 5.7 GHz. Antennas having a gain that is greater than those listed are strictly prohibited for use with this device. The required antenna impedance is 50 ohms. For devices with a detachable antenna, to reduce potential radio interference to other users, antenna type and gain should be chosen so that the equivalent isotropically radiated power (EIRP) is not more than that permitted for successful communication.

USA - Federal Communications Commission (FCC)

The WAP-200 complies with Part 15 of FCC Rules. Operation of the WAP-200 in a system is subject to the following two conditions:

- This device may not cause harmful interference.
- This device must accept any interference that may cause undesired operation.

Caution! Exposure to Radio Frequency Radiation


The radiated output power of the WAP-200 is far below the FCC radio frequency exposure limits. Nevertheless, the WAP-200 should be used in a manner that minimizes the potential for human contact during normal operation. When using this device in combination with Colubris Networks antenna products, a certain separation distance between the antenna and nearby persons has to be kept to ensure RF exposure compliance. When an external antenna is connected to the WAP-200, the antenna shall be placed in a manner that minimizes the potential for human contact during normal operation. To avoid the possibility of exceeding the FCC radio frequency exposure limits, human proximity to the antenna shall not be less than 20 cm (8 inches) during normal operation. When no external antenna is connected, the RF output power of the WAP-200 is far below the FCC radio frequency exposure limits. Nevertheless, it is advised to use the WAP-200 in a manner that minimizes human contact during normal operation.



Interference Statement
The WAP-200 has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. The WAP-200 generates, uses, and can radiate radio frequency energy. If not installed and used in accordance with the instructions, it may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If the WAP-200 causes harmful interference to radio or television reception, which can be determined by turning the WAP-200 on and off, the user is encouraged to try to correct the interference by one or more of the following measures:

- Reorient or relocate the receiving antenna.
- Increase the distance between the WAP-200 and the receiver.
- Connect the WAP-200 to an outlet that is on a different circuit than the circuit to which the receiver is connected.
- Consult your dealer or an experienced radio/TV technician for help.

Colubris Networks, Inc., is not responsible for any radio or television interference caused by unauthorized modification of the WAP-200, or the substitution or attachment of connecting cables and equipment other than that specified by Colubris Networks, Inc. Correction of interference caused by such unauthorized modification, substitution, or attachment is the responsibility of the user.

Europe

Colubris Networks products sold in Europe use a technique called Dynamic Frequency Selection (DFS) to automatically select an operating channel. The European Telecommunications Standards Institute (ETSI) requires that 802.11a devices use DFS to prevent interference with radar systems and other devices that already occupy the 5 GHz band. In order to comply with specific spectrum allocations, Colubris Networks products must be set to the correct country of operation prior to use. Failure to do so may violate national requirements.



Products labeled with the CE mark comply with the EMC Directive 89/336/EEC and the Low Voltage Directive 72/23/EEC, implying conformity to the European Norms listed below.

Products labeled with the CE 1313 mark and the optional alert sign (!) contain a radio transmitter that complies with the R&TTE Directive 1999/5/ED, implying conformity to the European Norms listed below.

- EN 60950 (IEC 60950): Product safety
- EN 300328: Radio LAN equipment operating in the 2.4 GHz band
- EN 301893: Radio LAN equipment operating in the 5 GHz band
- ETS 300826 and/or ETS 301489-17: General EMC requirements for radio equipment


Chapter 1 Introduction

[Figure: table of European member states (A, B, DK, FI, D, GR, IRL, I, LI, LUX, NL, N, P, E, S, CH, IS, GB, FR). Member states with restricted use of this product are crossed out in the original figure. Notified body number: 1313.]

EU member states with restrictive use for this product are crossed out.

Important notice: Low power radio LAN product operating in the 5 GHz band for home and office environments. Selecting the proper country of operation satisfies national requirements; refer to this guide for details of the restrictions.

Information for the user


This document provides regulatory information for the WAP-200, a wireless network product based on the IEEE 802.11 standards for wireless LANs defined and approved by the Institute of Electrical and Electronics Engineers. Products designed to the IEEE 802.11a standard use Orthogonal Frequency Division Multiplexing (OFDM) radio technology; products designed to the IEEE 802.11b standard use Direct Sequence Spread Spectrum (DSSS) radio technology. These products are designed to interoperate with any other wireless product that complies with the corresponding standard. Wireless Fidelity (Wi-Fi) certification is defined by WECA, the Wireless Ethernet Compatibility Alliance.


Health information
The WAP-200, like other radio devices, emits radio frequency electromagnetic energy. The level of energy emitted by the WAP-200 is much less than that emitted by other wireless devices, such as mobile phones. Because the WAP-200 operates within the guidelines found in radio frequency safety standards and recommendations, Colubris Networks believes that the WAP-200 is safe for use by consumers. These standards and recommendations reflect the consensus of the scientific community and result from deliberations of panels and committees of scientists who continually review and interpret the extensive research literature.

In some situations or environments, use of the WAP-200 may be restricted by the proprietor of a building or by responsible representatives of an organization. For example, these situations may include using the WAP-200:
- on board airplanes
- in any other environment where the risk of interference to other devices or services is perceived or identified as harmful

If you are uncertain about the policy that applies to the use of wireless devices in a specific organization or environment (for example, an airport), you are encouraged to ask for authorization to use the WAP-200 before turning it on.


Declaration of conformity
Colubris Networks, 200 West Street, Waltham, Massachusetts 02451, USA, declares that the WAP-200 conforms to the following standards.

European Directives and European Standards:
- EMC Directive 89/336/EEC
- Low Voltage Directive 73/23/EEC
- Radio and Telecommunications Terminal Equipment Directive 1999/5/EC
- EN 60950-1: Safety
- EN 300 328 V1.3.1: Data transmission equipment operating in the 2.4 GHz ISM band
- EN 301 893 V1.2.3: 5 GHz high performance RLAN
- EN 301 489-1 V1.4.1: EMC standard for radio equipment and services; Part 1
- EN 301 489-17 V1.2.1: EMC standard for radio equipment and services; Part 17; specific conditions for 2.4 GHz wideband transmission systems and 5 GHz high performance RLAN equipment

North American Standards


- FCC Part 15, Subpart C, Title 47
- FCC Part 15, Subpart E, Title 47
- FCC Part 15, Subpart B: Radiated emission
- UL 60950-1, CAN/CSA C22.2 No. 60950-1-03: Safety

Dated this 27th day of April, 2005

Gerrett L. Durling, Principal Compliance Engineer, Colubris Networks


Chapter 2

How it works
This chapter describes the most important features of the WAP-200 and explains how it can be used to address your most important wireless connectivity challenges. The WAP-200 supports all MultiService Access Point (MAP) features, with the following exceptions. The WAP-200:
- supports up to two virtual service communities (VSCs)
- supports one WDS link, but does not support long-haul WDS links
- has a reduced physical form factor
- does not enforce quality of service (QoS)

Colubris Networks MultiService Access Points are highly scalable solutions that offer leading-edge security and manageability features specifically designed for a wide range of networking environments.


Overview
The WAP-200 can be used as a stand-alone access point or as a satellite in conjunction with other Colubris Networks products. As a satellite, the WAP-200 extends the wireless network and provides intelligent data forwarding to maintain the security of the network. When multiple WAP-200s are deployed they can be:
- interconnected using a backbone LAN
- linked through a wireless bridge

Public access deployment

The following diagram shows you how the WAP-200 can be used in a public access network.

[Diagram: public access deployment. Protected network resources and a RADIUS server sit behind an access controller on the backbone LAN; several WAP-200 units, each serving a PUBLIC WLAN, attach to the backbone LAN, one of them over a wireless bridge.]

The WAP-200 uses the services of an access controller, such as a Colubris Networks MultiService Controller, to manage customer logins to the public access network. In most setups the access controller uses a RADIUS server to store the customer accounts. To maintain the security of the network, the WAP-200 employs a security filter that only allows traffic to flow between the WAP-200 and the access controller. This prevents wireless stations from reaching resources on the backbone LAN directly. To reach protected network resources, wireless customers must first log in successfully through the public access interface managed by the access controller. For detailed scenarios illustrating how the WAP-200 can be deployed in a public access environment, see the Colubris Networks Configuration Guide.


Enterprise deployment

The following diagram shows you how the WAP-200 can be used in an enterprise network.

[Diagram: enterprise deployment. A RADIUS server sits on the corporate backbone; several WAP-200 units attach to the backbone LAN, one of them over a wireless bridge.]

In this scenario the WAP-200 provides wireless access to users of a corporate network. The WAP-200 supports 802.1x/WPA and WEP security, and user authentication is handled through the corporate RADIUS server. Support for multiple SSIDs and VLANs makes the WAP-200 an effective tool for delivering wireless access in the corporate environment. For detailed scenarios illustrating how the WAP-200 can be deployed in an enterprise environment, see the Colubris Networks Configuration Guide.


Management Tool
The Management Tool is a Web-based interface to the WAP-200 that provides easy access to all configuration functions. Note: The Management Tool web interface is an element management system that is distinct from the Colubris Networks network management system.

Management station

Management station refers to the computer that an administrator uses to connect to the Management Tool. To act as a management station, a computer must:
- have a JavaScript-enabled Web browser installed (Netscape 7.01 or higher, or Internet Explorer 6.0 or higher, including all updates)
- be able to establish an IP connection with the WAP-200, either through the wireless port or through the LAN ports

Configuring the management station for wireless access


Install and configure the wireless adapter in the management station according to the directions that came with it. During installation ensure that:
- encryption is disabled
- TCP/IP is installed and configured with addressing set to DHCP
- the SSID is set to Colubris Networks

Note that the default VSC is an open (unencrypted) network and the default administrator credentials are admin/admin, so until you have changed the password and restricted Management Tool access to the ports you actually need, anyone within radio range can reach the login page. Where possible, perform the initial configuration over the wired connection described next.

Configuring the management station for wired access


Install and configure a network adapter in the management station according to the directions that came with it. During installation ensure that:
- TCP/IP is installed and configured with addressing set to DHCP
- the management station is connected to either of the WAP-200's LAN ports using a shielded cross-over cable

Starting the Management Tool

Use the following steps to start the Management Tool:
1. Start your Web browser.
2. In the address box, enter https://192.168.1.1.
3. Press Enter. A security alert prompts you to accept a Colubris Networks security certificate. To safeguard the WAP-200, access to the Management Tool must occur over a secure (HTTPS) connection; before this connection can be established, you must accept the Colubris Networks certificate. The procedure for accepting the certificate varies by browser. You must accept the certificate to continue. Because the factory certificate is not issued by a CA your browser trusts, the warning cannot tell this unit apart from a device impersonating it; unless the management path is physically controlled, compare the certificate fingerprint out of band before accepting it. To eliminate this warning message, you can install your own certificate.
4. After you accept the Colubris Networks certificate, the Management Tool's login page opens. By default Username and Password are both set to admin.


Administrator account

Administrator password
Access to the Management Tool is protected by a username and password. The factory default for both is admin. Colubris Networks recommends that you change both on the Management tool configuration page, which you can access by selecting Management > Management tool. Caution! If you forget the administrator password, the only way to regain access to the Management Tool is to reset the WAP-200 to factory default settings, which discards the current configuration. See Resetting to factory defaults on page 10.

Account policy
To maintain the integrity of configuration settings, only one administrator can be connected to the Management Tool at a given time. To prevent the Management Tool from being locked by an idle administrator, two mechanisms are in place:
- If an administrator's connection to the Management Tool remains idle for more than ten minutes, the WAP-200 automatically logs the administrator out.
- If a second administrator connects to the Management Tool and logs in with the correct username and password, the first administrator's session is terminated.

If required, you can disable this mechanism on the Management tool configuration page, which you can access by selecting Management > Management tool.

Validating administrator logins using a RADIUS server


You can use a RADIUS server to authenticate logins to the Management Tool. One advantage of this method is that it lets you create several administrator accounts, each with its own username and password.

Caution! Ensure that the RADIUS profile you select is configured and that the administrator account is defined on a functioning RADIUS server. If not, you will not be able to log back into the WAP-200, because the administrator password cannot be authenticated.

Use the following steps to configure RADIUS authentication.

1. Create a RADIUS profile to use for administrator authentication:
   - Select Security > RADIUS.
   - Click Add New Profile.
   - Define settings for the RADIUS server that you want to use to validate administrator logins.
   - Click Save.
2. Specify that this RADIUS profile is to be used for administrator authentication:
   - Select Management > Management tool.
   - Under Administrator authentication, Authenticate via, select the RADIUS profile that you created in step 1.
   - Under Username, enter the login name for the administrator. The default is admin.
   - Under Current password, enter the current administrator password. The default is admin.
   - Under New password, enter the new administrator password. New passwords must be at least six characters long and contain at least four different characters.
   - Under Confirm new password, retype the new administrator password.
   - Click Save.


Security

The Management Tool is protected by the following security features:
- HTTPS: Communications between the management station and the WAP-200 occur over HTTPS. Before logging on to the Management Tool, administrators must accept a Colubris Networks certificate. You can replace this certificate with your own.
- Port blocking: Access to the Management Tool can be explicitly enabled or disabled for each of the following: the wireless port, the Ethernet port, and VLANs.
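Accepting the certificate is a trust-on-first-use decision: the browser warning only says the certificate is not from a CA it trusts, not whether it belongs to this unit. The following Python script, added here by the editor and not part of the guide or of Colubris software, records the SHA-256 fingerprint of the certificate the Management Tool presents and flags any later change, so an administrator notices a swapped certificate instead of clicking through the same warning again. The default address 192.168.1.1 is the guide's; the pin-file location is an assumption made here.

```python
# Added example by the editor, not Colubris code: pin the Management Tool's
# HTTPS certificate by SHA-256 fingerprint and check it on later connections.
import hashlib
import json
import os
import socket
import ssl
import sys

DEFAULT_HOST = "192.168.1.1"                               # guide's default address
PIN_FILE = os.path.expanduser("~/.wap200_pins.json")       # assumed location


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, formatted as the colon-separated
    upper-case hex that browser certificate viewers display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER certificate the device presents. Chain validation is turned
    off deliberately: the factory certificate is not issued by a trusted CA, so
    the point is to pin what is seen, not to validate it against a CA store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def load_pins(path: str = PIN_FILE) -> dict:
    """Pins are stored as {host: fingerprint}; no file means nothing pinned yet."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}


def save_pins(pins: dict, path: str = PIN_FILE) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(pins, fh, indent=2)


def check_pin(host: str, seen: str, pins: dict) -> str:
    """'new' on first contact (verify the fingerprint out of band before trusting
    it), 'ok' when it matches the stored pin, 'MISMATCH' when it does not."""
    expected = pins.get(host)
    if expected is None:
        return "new"
    return "ok" if expected == seen else "MISMATCH"


def verify_device(host: str = DEFAULT_HOST, record_new: bool = False) -> str:
    """Connect, fingerprint the certificate and compare it with the stored pin.
    A new pin is only written when record_new is set, i.e. after the operator has
    compared the printed fingerprint with what the unit shows on a cabled session."""
    pins = load_pins()
    seen = fingerprint(fetch_peer_cert(host))
    verdict = check_pin(host, seen, pins)
    if verdict == "new" and record_new:
        pins[host] = seen
        save_pins(pins)
        verdict = "recorded"
    return f"{host}: {verdict} {seen}"


if __name__ == "__main__":
    print(verify_device(record_new="--record" in sys.argv))
```

Run it once from a wired session to the unit, compare the printed fingerprint with the one the browser's certificate viewer shows, then run it again with --record; from then on any run that prints MISMATCH means the device is presenting a different certificate than the one you verified. Firmware of this vintage may offer only TLS versions or ciphers that a current OpenSSL refuses by default; if the connection fails for that reason, relax ctx.minimum_version (and, if necessary, the OpenSSL security level) for this pinning connection only.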


Virtual service communities


The WAP-200 lets you create virtual service communities (VSCs), each with its own configuration settings. The MAP platform allows up to 16 VSCs; as noted in the chapter introduction, the WAP-200 supports up to two. Each VSC is a distinct entity and can provide its own wireless network with its own SSID, user authentication settings, QoS settings (not enforced on the WAP-200), and output mappings. VSCs let you control and customize how the WAP-200 handles wireless traffic and customer authentication.

Setting up a VSC

To configure a virtual service community, use the Virtual Service Communities page, which you can access by selecting VSC > Profiles. A default VSC named Colubris Networks is defined. To edit a VSC, click its name to open the Add/Edit Virtual Service Community page. The options shown in the following figure appear by default.


If under General you enable Use Colubris access controller, only the options shown in the following figure are available.

For complete descriptions of all VSC settings, see the following sections.


General

Name
Specify a name to identify the VSC.

Use Colubris access controller


Enable this option to have this profile use the services of a Colubris Networks access controller for authentication and control of client sessions. When enabled, all customer traffic is sent to the access controller defined on the Security > Access controller page, and the Wireless Security Filters option is enabled.

Virtual AP

WLAN name (SSID)


Specify a name to uniquely identify the wireless network associated with this VSC. Each client computer that wants to connect to this VSC must use this name. The name is case-sensitive.

Maximum wireless clients per radio


Specify the maximum number of wireless client stations that can be associated with this SSID at the same time on each radio.

DTIM count
Defines the DTIM count in the beacon. DTIMs (delivery traffic indication messages) are carried in IEEE 802.11 beacon frames. Client stations use the DTIM to wake up from low-power mode to receive multicast traffic. The WAP-200 transmits a beacon every 100 ms and the DTIM count decrements with each beacon; if the DTIM count is set to 5, client stations in low-power mode wake every 500 ms (0.5 seconds) to receive buffered multicast traffic.

Permit traffic exchange between wireless clients


Use this option to control traffic exchange between wireless clients on the WLAN.
- No: Blocks all inter-client communication. This is the default.
- 802.1x: Only permits authenticated 802.1x clients to communicate.
- All: Allows all wireless client stations (authenticated and unauthenticated) to exchange data with one another.
- IPv6: Allows authenticated wireless client stations that are using IP version 6 to exchange data with one another.

When communicating between VSCs, the most restrictive setting takes precedence. For example: if VSC1 is set to No and VSC2 is set to All, no wireless client on VSC1 can communicate with a wireless client on VSC2, although all wireless clients on VSC2 can still communicate with each other. If VSC1 is set to 802.1x and VSC2 is set to All, only 802.1x clients can communicate between the two VSCs.

Note: Unicast VLAN traffic going to a different VSC on the same VLAN and radio is forwarded based on the setting of the VSC on which the traffic arrives.

Note: Multicast traffic, and traffic going to the other radios, is forwarded based on the setting of the VSC on which the traffic goes out. For example, if VSC1 is set to All, multicast traffic can be sent to all other VSCs that are set to either 802.1x or All.


Minimum rate
Sets the minimum transmission rate that client stations must meet in order to connect to this SSID. Client stations below this rate cannot connect. Select Lowest Available to have the WAP-200 automatically set the minimum data rate for the wireless mode in use. If the SSID spans two radios, this setting can only be used if both radios are operating in the same wireless mode (a/b/g).

Maximum rate
Sets the maximum transmission rate that client stations must respect in order to connect to this SSID. Client stations that attempt to associate at a higher data rate are refused. Select Highest Available to have the WAP-200 automatically set the maximum data rate for the wireless mode in use. If the SSID spans two radios, this setting can only be used if both radios are operating in the same wireless mode (a/b/g).

Transmit/Receive on
Select the radio this SSID will operate on. The same SSID can be active on two radios at the same time, even if they are operating in different wireless modes.


Broadcast WLAN name (SSID)


When this option is enabled, the WAP-200 broadcasts its wireless network name (SSID) to all client stations. Most wireless adapters have a setting that lets them discover access points that broadcast their names and connect automatically to the one with the strongest signal. If you disable this option, client stations must specify the network name you entered for WLAN name when they connect. Hiding the SSID is not a security measure: the name is still sent in the clear in probe and association frames whenever a client connects, so anyone capturing wireless traffic can learn it. Use WPA or 802.1x to protect the network.

Advertise Tx power
When this option is enabled, the WAP-200 will broadcast its current transmit power setting in the wireless beacon.

Egress VLAN

Choose the VLAN to which this profile forwards data traffic. To add VLANs to the list, go to the Network > VLANs page. If you choose the default option, traffic is sent untagged to the LAN port. Note, however, that a VLAN may still be assigned per customer through a setting in the customer's RADIUS account (if using RADIUS-based authentication). A global VLAN setting is also available on the Network > Ports page; it tags all traffic sent on port 1. Important: Enabling this feature bypasses all security features that are active on the WAP-200, such as the wireless security filters described below, so make sure that the VLAN itself has appropriate security in place to protect access to the network. Important: If you are using 802.1x/WPA or MAC authentication, the WAP-200 handles all authentication tasks and must communicate with the RADIUS server or access controller to validate login credentials. Therefore, the RADIUS server or access controller must be reachable via the LAN ports.


Wireless security filters

The WAP-200 features an intelligent bridge that can apply security filters to safeguard the flow of wireless traffic. The filters limit both incoming and outgoing traffic as defined below and force the WAP-200 to exchange traffic only with a specific upstream device. If Use Colubris access controller is enabled in the General box, the default security filters (defined below) are enabled and all traffic is sent to the access controller defined on the Security > Access controller page. Note: If you are using multiple VLANs, each with a different gateway, use the MAC address option on the Security > Access controller page. If Use Colubris access controller is disabled in the General box, the security filters are controlled by the settings in this box.

Restrict wireless traffic to


This setting defines the upstream device to which the WAP-200 forwards wireless traffic.
- WAP-200's default gateway: Sends traffic to the default gateway assigned to the WAP-200 on the Network > Ports page (via DHCP, PPPoE, or static). Wireless security filters use the default definitions.
- MAC address: Specify the MAC address of the upstream device to which all traffic is forwarded. Wireless security filters use the default definitions.
- Custom: Lets you define custom security filters and the address of the upstream device. See the section that follows for details.

Note: If you are using multiple VLANs, each with a different gateway, use the MAC address option.

Default filter definitions


The following filter definitions are defined by default.

Incoming wireless traffic filters


Applies to traffic sent from wireless client stations to the WAP-200.

Accepted
- Any IP traffic addressed to the access controller.
- PPPoE traffic (the PPPoE server must be the upstream device).
- IP broadcast packets, except NetBIOS.
- Certain address management protocols (ARP, DHCP), regardless of their source address.
- Any traffic addressed to the WAP-200 itself, including 802.1x.

Blocked
All other traffic is blocked. This includes NetBIOS traffic regardless of its source or destination address. HTTPS traffic not addressed to the WAP-200 (or to the upstream device) is also blocked, which means wireless client stations cannot reach the Management Tool on other Colubris Networks products.


Outgoing wireless traffic filters


Applies to traffic sent from the WAP-200 to wireless client stations.

Accepted
- Any IP traffic coming from the upstream device, except NetBIOS packets.
- PPPoE traffic from the upstream device.
- IP broadcast packets, except NetBIOS.
- ARP, and DHCP Offer and ACK packets.
- Any traffic coming from the WAP-200 itself, including 802.1x.

Blocked
All other traffic is blocked. This includes NetBIOS traffic regardless of its source/ destination address.

Custom
Use this option to define your own filters. To use the default filters as a starting point, click Get Default Filters. Filters are specified using standard pcap syntax, as documented in the tcpdump man page (http://www.tcpdump.org/tcpdump_man.html), with the addition of a few Colubris-specific placeholders. These placeholders refer to specific MAC addresses and are expanded by the WAP-200 when the filter is activated; once expanded, the filter must be valid pcap syntax. The default filters are allow-lists (everything not listed is blocked), so test a custom filter carefully: a mistake can cut off the very path to the RADIUS server or access controller that authentication depends on.

Placeholders
- %a: MAC address of the access controller, as specified on the Security > Access controller page.
- %b: MAC address of the bridge.
- %g: MAC address of the default gateway assigned to the WAP-200 on the Network > Ports page.
- %w: MAC address of the wireless port.
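To see how the placeholders behave before pasting a filter into the unit, here is a small Python helper, added by the editor and not part of the guide or of Colubris software, that expands a template into a concrete pcap expression and refuses unknown placeholders or malformed MAC addresses. The INCOMING_TEMPLATE it ships with is the editor's approximation of the documented incoming defaults, not the text Get Default Filters produces, and the MAC addresses in the usage are constructed.

```python
# Added example by the editor, not Colubris code: expand the %a/%b/%g/%w
# placeholders of the WAP-200's custom filter page into a concrete pcap
# expression, failing loudly instead of emitting a filter that matches nothing.
import re

PLACEHOLDERS = {
    "a": "access controller (Security > Access controller)",
    "b": "bridge",
    "g": "default gateway (Network > Ports)",
    "w": "wireless port",
}
_PLACEHOLDER_RE = re.compile(r"%([A-Za-z])")
_HEX12_RE = re.compile(r"^[0-9a-f]{12}$")

# Editor's approximation of the documented "incoming" defaults: IP to the access
# controller, anything to the WAP-200 itself (covers 802.1x EAPOL), PPPoE
# discovery/session, ARP, DHCP, and link-layer broadcasts except NetBIOS
# (UDP 137/138, TCP 139). Not the text the device generates.
INCOMING_TEMPLATE = (
    "(ether dst %a and ip) or ether dst %w or "
    "ether proto 0x8863 or ether proto 0x8864 or "
    "arp or (udp and (port 67 or port 68)) or "
    "(ether broadcast and ip and not (udp port 137 or udp port 138 or tcp port 139))"
)


def normalise_mac(mac: str) -> str:
    """Accept 02-00-00-00-00-01, 0200.0000.0001 or 02:00:00:00:00:01 and return
    the colon-separated lower-case form that pcap's ether primitives accept."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not _HEX12_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def placeholders_in(template: str) -> set:
    """Placeholder letters used by a template, e.g. {'a', 'w'}."""
    return set(_PLACEHOLDER_RE.findall(template))


def expand(template: str, macs: dict) -> str:
    """Substitute every placeholder with the matching entry of *macs* (keys
    'a', 'b', 'g', 'w'). Unknown placeholders and missing addresses raise
    rather than producing a filter that silently drops everything."""
    needed = placeholders_in(template)
    unknown = needed - set(PLACEHOLDERS)
    if unknown:
        raise ValueError("unknown placeholder(s): " + ", ".join("%" + u for u in sorted(unknown)))
    missing = needed - set(macs)
    if missing:
        raise ValueError("no MAC address for: " + ", ".join("%" + m for m in sorted(missing)))
    return _PLACEHOLDER_RE.sub(lambda m: normalise_mac(macs[m.group(1)]), template)


def rejects(template: str, macs: dict) -> bool:
    """True when expand() refuses the template/MAC combination."""
    try:
        expand(template, macs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed, locally administered addresses; substitute your own.
    sample = {"a": "02-00-00-00-00-0a", "w": "0200.0000.000b"}
    print(expand(INCOMING_TEMPLATE, sample))
```

The expanded string can be checked on a workstation that has tcpdump (tcpdump -d 'expression' compiles the filter and prints the resulting BPF program without capturing), which catches syntax errors before the template goes into the WAP-200 and takes effect on live traffic.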

Wireless protection

Select the type of protection you want to use for the wireless network created by the VSC. Important: 802.1x and WPA sessions are terminated by the WAP-200. This means that the WAP-200 handles all authentication tasks and must communicate with the RADIUS server or access controller to validate login credentials. Therefore, the RADIUS server or access controller must be reachable.

WPA
This option enables support for users with WPA client software.

Mode
Select the WPA mode that the WAP-200 will use.
- WPA (TKIP): WPA version 1 with TKIP encryption.
- WPA2 (AES/CCMP): WPA2 (802.11i) with CCMP encryption.
- WPA or WPA2: Mixed mode supports both WPA (version 1) and WPA2 (version 2) at the same time.

Prefer WPA2 (AES/CCMP) wherever the clients support it: TKIP was designed as an interim measure for WEP-era hardware and is weaker than CCMP. In mixed mode the group (multicast) key stays at the weaker TKIP cipher as long as any WPA-only client is present.


Key source
This option determines how the keys that encrypt the wireless data stream are generated.
- RADIUS: The WAP-200 obtains the master key from the RADIUS server (the MPPE key, delivered in the MS-MPPE-Recv-Key and MS-MPPE-Send-Key attributes of the Access-Accept). This is a dynamic key that changes each time the user logs in and is authenticated; the TKIP or CCMP session keys are derived from it. Select the appropriate RADIUS profile.
- Preshared Key: The WAP-200 uses the key you specify in the Key field to derive the session keys. Because this key is static and shared by every client, it is not as secure as the RADIUS option: anyone who knows it and captures a client's association can decrypt that client's traffic, and anyone who captures one association can try to guess the key offline. Specify a key between 8 and 64 ASCII characters long. Colubris recommends that the preshared key be at least 20 characters long and a mix of letters and numbers.
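Worked example, added by the editor and not taken from the guide or from Colubris software: how the preshared key becomes the 256-bit pairwise master key (PMK), why the length recommendation above matters, and what the offline guessing attack against a weak key looks like. The derivation (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32 bytes) and the "password"/"IEEE" test vector come from the IEEE 802.11i standard; the 64-hex-digit raw-key form is the standard's, where the guide only says 8 to 64 characters. The wordlist in the usage is constructed.

```python
# Added example by the editor, not Colubris code: WPA/WPA2 preshared key to PMK,
# the guide's strength recommendation as a check, and the offline attack it
# defends against.
import hashlib
import secrets
import string


def psk_from_key_field(key: str, ssid: str) -> bytes:
    """IEEE 802.11i: a 64-hex-digit entry is the raw 256-bit PSK; otherwise the
    entry is an 8-63 character printable-ASCII passphrase and
    PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    if len(key) == 64 and all(c in string.hexdigits for c in key):
        return bytes.fromhex(key)
    if not 8 <= len(key) <= 63 or not all(32 <= ord(c) <= 126 for c in key):
        raise ValueError("passphrase must be 8-63 printable ASCII characters or 64 hex digits")
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def meets_guide_recommendation(key: str) -> bool:
    """The guide's advice: at least 20 characters, mixing letters and digits."""
    return (len(key) >= 20
            and any(c in string.ascii_letters for c in key)
            and any(c in string.digits for c in key))


def generate_passphrase(length: int = 24) -> str:
    """A random passphrase from the OS CSPRNG that satisfies the recommendation."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_guide_recommendation(candidate):
            return candidate


def recover_passphrase(target_pmk: bytes, ssid: str, wordlist):
    """Offline guessing as an attacker does it after capturing one 4-way
    handshake: derive the PMK for each candidate and test it. A real attack
    checks each candidate against the handshake MIC at the same cost per guess;
    comparing the PMK directly is a simplification used here. Each guess costs
    4096 HMAC-SHA1 rounds, so only the size of the candidate space protects a
    passphrase, which is why a short or dictionary passphrase falls quickly."""
    for word in wordlist:
        try:
            if psk_from_key_field(word, ssid) == target_pmk:
                return word
        except ValueError:          # too short or non-ASCII: cannot be the key
            continue
    return None


if __name__ == "__main__":
    pmk = psk_from_key_field("password", "IEEE")      # 802.11i test vector
    print(pmk.hex())
    # Constructed wordlist: the weak passphrase is found on the second guess.
    print(recover_passphrase(pmk, "IEEE", ["letmein1", "password", "qwerty12"]))
    print(generate_passphrase())
```

The PMK itself is exposed to every client that holds the passphrase, which is why the RADIUS option, where each session gets its own master key, is the stronger choice for anything beyond a small trusted group.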

RADIUS profile
Select the RADIUS profile the WAP-200 will use to validate user logins. Select Access Controller to forward authentications traffic to a Colubris Networks access controller.

Accounting
Enable this option to have the WAP-200 send a RADIUS Accounting-Request (Start/Stop) for each user session. The WAP-200 honours the Acct-Interim-Interval attribute if it is present in the RADIUS Access-Accept that authenticated the user.

Mandatory authentication
Requires that all wireless client stations authenticate.

Station ID delimiter
Select the one-character delimiter that will be used to format both the calling station ID and the called station ID attributes in RADIUS packets. By default, the IEEE standard is used, which is a dash.

Station ID MAC case
Select the case applied to the station delimiter if it is a letter.

802.1x
This option enables support for users with 802.1x client software. The WAP-200 supports 802.1x client software that uses EAP-TLS, EAP-TTLS, EAP-SIM, and PEAP. Note: Colubris Networks recommends that you do not use 802.1x unless you enable WEP encryption.

RADIUS profile
Select the RADIUS profile the WAP-200 will use to validate user logins. Select Access Controller to forward authentication traffic to a Colubris Networks access controller.

WEP encryption
Enable the use of dynamic WEP keys for all 802.1x sessions. Dynamic key rotation occurs on key 1, which is the broadcast key. Key 0 is the pair-wise key. It is automatically generated by the WAP-200. Key length and key change interval are set in the Dynamic keys box.

Accounting
Enable this option to have the WAP-200 generate a RADIUS accounting request for each user authentication. The WAP-200 respects the RADIUS interim-update-interval attribute if present in the RADIUS Access-Accept for the authentication.

Mandatory authentication
Requires that all wireless client stations authenticate.

Station ID delimiter
Select the one-character delimiter that will be used to format both the calling station ID and the called station ID attributes in RADIUS packets. By default, the IEEE standard is used, which is a dash.

Station ID MAC case
Select the case applied to the station delimiter if it is a letter.

WEP
Key 1, 2, 3, 4
The number of characters you specify for a key determines the level of encryption the WAP-200 will provide. For 40-bit encryption, specify 5 ASCII characters or 10 HEX digits. For 128-bit encryption, specify 13 ASCII characters or 26 HEX digits.
When encryption is enabled, wireless stations that do not support encryption cannot communicate with the WAP-200. The definition for each encryption key must be the same on the WAP-200 and all client stations. Keys must also be in the same position. For example, if you are using key 3 to encrypt transmissions, then each client station must also define key 3 to communicate with the WAP-200.
Note: Keys 2, 3, and 4 are supported only on the first virtual service community.

Transmission key
Select the key the WAP-200 will use to encrypt transmitted data. All four keys are used to decrypt received data.

Key format
Select the format you used to specify the encryption keys:

ASCII
ASCII keys are much weaker than carefully chosen HEX keys. You can include ASCII characters between 32 and 126, inclusive, in the key. However, note that not all client stations support non-alphanumeric characters such as spaces, punctuation, or special symbols in the key.

HEX
Your keys should only include the following digits: 0-9, a-f, A-F

MAC-based authentication
When enabled, this option lets you control access to the WAP-200 based on the MAC address of client stations.
Important: When both this option and the MAC filtering option are enabled, the following applies: if a customer's MAC address does not appear in the MAC filtering list, then MAC-based authentication takes place for that customer.

RADIUS profile
When this option is enabled, the WAP-200 authenticates wireless stations using a RADIUS server. Communication with the server is controlled via a RADIUS profile defined on the Security > RADIUS page. Since each VSC is independently configurable, it is possible to use a different RADIUS server for each one.
To successfully authenticate a client station, an account must be created on the RADIUS server with both username and password set to the MAC address of the client station. The MAC address sent by the WAP-200 in the RADIUS REQUEST packet for both username and password is 12 hexadecimal digits, with the values a to f in lowercase. For example: 0003520a0f01.
The RADIUS server replies to the REQUEST with either an ACCEPT or REJECT RADIUS RESPONSE packet. In the case of an ACCEPT, the RADIUS server can return the session-timeout RADIUS attribute (if configured for the account). This attribute indicates the amount of time, in seconds, for which the authentication is valid. When this period expires, the WAP-200 re-authenticates the wireless station.


Accounting
Enable this option to have the WAP-200 generate a RADIUS accounting request for each user authentication. The WAP-200 respects the RADIUS interim-update-interval attribute if present in the RADIUS Access-Accept for the authentication.

Location-aware

Note: Location-aware is only available if Use Colubris access controller is enabled under General. This feature enables you to control logins to the public access network based on the wireless access point to which a customer is connected. For details see the documentation that came with the access controller you are using.

Group name
Specify a group name for the access point. You can assign the same group name to more than one access point. The WAP-200 returns the value you specify in all Access Requests as a Colubris Networks Vendor-Specific Attribute identified with the string "group".

Address list
Construct a list of MAC addresses to either Allow or Block by entering the MAC address and clicking either Remove or Add.

MAC filter
Note: The MAC filter option is not available if Use Colubris access controller is enabled under General.
When enabled, this option lets you control access to the WAP-200 based on the MAC address of client stations. You can either block access or allow access, depending on your requirements.
Note: When both the MAC filter option and the MAC-based authentication option are enabled, if a customer's MAC address does not appear in the MAC filtering list, MAC-based authentication is used for that customer.
Specify the MAC address as six pairs of hexadecimal digits separated by colons. For example: 00:03:52:0a:0f:01.

Filter behavior
Allow: Only client stations whose MAC addresses appear in the MAC address list can connect to the wireless network. Block: All client stations whose MAC addresses appear in the MAC address list are blocked from accessing the wireless network.
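The following Python is an added example, not part of the guide or of the Colubris firmware. It reproduces three rules stated in the MAC-based authentication, Station ID delimiter/case and MAC filter sections above: the 12-lowercase-hex-digit username and password the WAP-200 sends for MAC-based authentication, the formatting of the Calling-Station-Id and Called-Station-Id attributes with the chosen delimiter and case, and the precedence between the MAC filter list and MAC-based authentication. The function names, the radius_lookup callback that stands in for the RADIUS round trip, and the sample account and filter list are assumptions made for the illustration.

```python
import re

# Twelve hex digits: the form the guide says the WAP-200 sends as both
# RADIUS username and password for MAC-based authentication.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Reduce a MAC written with colons, dashes, dots or nothing between
    the octets to 12 lowercase hex digits.  Raises ValueError if what is
    left is not a 48-bit address."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError("not a MAC address: %r" % (mac,))
    return digits


def mac_auth_credential(mac):
    """(username, password) the WAP-200 puts in the Access-Request for
    MAC-based authentication: both are the 12 lowercase hex digits."""
    digits = normalize_mac(mac)
    return digits, digits


def station_id(mac, delimiter="-", upper=False):
    """Format Calling-Station-Id / Called-Station-Id as the 'Station ID
    delimiter' and 'Station ID MAC case' settings describe: six octet
    pairs joined by one delimiter character (IEEE default is a dash),
    with the selected case applied to every letter in the identifier."""
    if len(delimiter) != 1:
        raise ValueError("delimiter must be exactly one character")
    digits = normalize_mac(mac)
    sid = delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))
    return sid.upper() if upper else sid.lower()


def mac_access_decision(mac, filter_enabled, filter_behavior, filter_list,
                        mac_auth_enabled, radius_lookup):
    """Combine the MAC filter and MAC-based authentication options the way
    the guide describes: an address on the filter list is decided by the
    list's behavior; an address not on the list falls through to MAC-based
    authentication when that is enabled.  radius_lookup(user, password) is
    a hypothetical stand-in for the RADIUS exchange; True means ACCEPT.
    Returns (allowed, reason)."""
    digits = normalize_mac(mac)
    if filter_enabled:
        if filter_behavior not in ("allow", "block"):
            raise ValueError("filter_behavior must be 'allow' or 'block'")
        listed = digits in {normalize_mac(m) for m in filter_list}
        if listed:
            return filter_behavior == "allow", "mac-filter %s list" % filter_behavior
    if mac_auth_enabled:
        user, password = mac_auth_credential(digits)
        if radius_lookup(user, password):
            return True, "mac-auth ACCEPT"
        return False, "mac-auth REJECT"
    if filter_enabled and filter_behavior == "allow":
        # Allow-list mode without MAC authentication: unknown stations stay out.
        return False, "not on allow list"
    return True, "no MAC restriction"


# Constructed sample data (not from the guide): one RADIUS account whose
# username and password are the client's MAC, and one filtered address.
SAMPLE_RADIUS_ACCOUNTS = {"0003520a0f01": "0003520a0f01"}
SAMPLE_FILTER_LIST = ["00:03:52:0a:0f:02"]


def sample_radius_lookup(username, password):
    """Stand-in for the RADIUS server: ACCEPT only on an exact match."""
    return SAMPLE_RADIUS_ACCOUNTS.get(username) == password


if __name__ == "__main__":
    print(mac_auth_credential("00:03:52:0a:0f:01"))
    print(station_id("00:03:52:0a:0f:01", ":", upper=True))
    print(mac_access_decision("00:03:52:0a:0f:01", True, "block",
                              SAMPLE_FILTER_LIST, True, sample_radius_lookup))
```

The normalization step matters for detection as much as for access control: a RADIUS server or log search that compares MAC usernames case-sensitively or with delimiters will silently miss stations, so canonicalize before comparing, as the WAP-200 does when it lowercases the digits.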


Working with an access controller

In a public access deployment, a WAP-200 generally uses the services of an access controller, such as a Colubris Networks MultiService Controller, to manage customer logins to the public access network. In most setups the access controller uses a RADIUS server to store customer accounts and validate credentials.

Connecting to a Colubris access controller

By default a WAP-200 operates as a DHCP client. The access controller, operating as the DHCP server, assigns itself as the WAP-200's default gateway. However, to successfully connect to the access controller, you must define settings as follows:
1. Select Security > Access controller. The Access controller page opens.
Note: If DHCP is not used to set the default gateway address, you can specify the MAC address of the access controller instead.
2. Under Access controller shared secret, enter the shared secret that is defined on the access controller.
3. Click Save.
4. Select VSC > Profiles. The Virtual Service Communities page opens.
5. Click the Colubris Networks profile to edit it. The Add/Edit Virtual Service Communities page opens (see page 26).
6. Under General, select the Use Colubris access controller checkbox.
7. Click Save.
The VSC is now set up to send all wireless traffic to the access controller. Security filters are enabled by default to ensure that traffic is exchanged only with the access controller.

Using other access controllers

Instead of using a Colubris access controller, you can send traffic to another device, for example a VPN server. In this case, configure the following settings for each virtual service community:
1. Select VSC > Profiles. The Virtual Service Communities page opens.
2. Click the Colubris Networks profile to edit it. The Add/Edit Virtual Service Communities page opens (see page 26).
3. Under Wireless security filters, Restrict wireless traffic to, select MAC address. In the field that then appears, enter the MAC address of the appropriate device.


Customer authentication and access control


Customer refers to any person or device that logs on to the WAP-200.

Authentication methods

Customers can be authenticated in several ways as described in this section.

WPA/802.1x
The WAP-200 provides full support for users with 802.1x or WPA1/WPA2 client software. The WAP-200 terminates the session and authenticates users via a Colubris Networks access controller or RADIUS server. Another option is to use preshared keys (WPA only). The WAP-200 supports 802.1x client software that uses EAP-TLS, EAP-TTLS, and PEAP. Dynamic key rotation is supported. See page 33 for more information. Note: Colubris Networks does not recommend that you use 802.1x without enabling dynamic WEP encryption.

MAC-based authentication
The WAP-200 can authenticate devices based on their MAC address. This is useful for authenticating devices that do not have a web browser (cash registers or cell phones, for example). These devices do not log in through the public access interface provided by the access controller; rather, as soon as the WAP-200 sees their MAC address appear on the network, the WAP-200 attempts to authenticate them. MAC-based authentication can be defined on a per-profile basis. See MAC-based authentication on page 35 for more information.

Location-aware authentication
This option works when the WAP-200 is used in conjunction with a Colubris Networks access controller. This feature enables you to control logins to the public access network based on the wireless access point a customer is connected to. When a customer attempts to log in to the public access network, the access controller sets the Called-Station-ID in the RADIUS access request to the MAC address of the WAP-200 wireless port the customer is associated with. For more information, see the Administrator's Guide for the access controller.
Important: This feature can only be used when the WAP-200 is installed in conjunction with a Colubris Networks access controller such as the family of MultiService Controllers.
Important: This feature does not support 802.1x customers and devices using MAC-based authentication.

802.1x global authentication settings


In addition to configuring support for 802.1x for each virtual service community, you can configure system-wide 802.1x authentication settings. Select Security > 802.1x to open the Authentication settings page and specify 802.1x global settings.


The Authentication settings page enables you to specify the following global parameters:
Supplicant timeout: Enter the maximum number of seconds for the WAP-200 to wait for a client station to respond to an EAP over LAN (EAPOL) packet before resending it. Default is 3 seconds. If wireless client stations are configured to manually enter an 802.1x username or password or both, you must increase the Supplicant timeout to 15 to 20 seconds.
Group key update: Enable this checkbox to force updating of 802.1x group keys at the selected Key change interval.
Reauthentication: Enable this checkbox to force 802.1x clients to reauthenticate as determined by the following parameters:
Period: Select the interval at which client stations must reauthenticate. Select 15 or 30 minutes or 1, 2, 4, 8, or 12 hours. Default is 1 hour.
Terminate: Enable this checkbox to specify that client traffic is blocked during reauthentication and is reactivated only when authentication succeeds. Disable this checkbox to specify that client stations remain connected during reauthentication and that client traffic is blocked only if reauthentication fails.

Using multiple authentication mechanisms

802.1x and MAC-based authentication are configurable for each virtual service community. Both options can be enabled at the same time for added flexibility. When this occurs, the result for 802.1x authentication takes precedence over the MAC authentication result. It is therefore possible for a client station to be authenticated via MAC and then refused via 802.1x, or refused by MAC and accepted by 802.1x.
An additional option is available that can be used to force all client stations to authenticate via 802.1x. When active, even if a client station is authenticated via MAC, the client station will be refused if it cannot authenticate via 802.1x.
Restriction: Both MAC and 802.1x authentication options can only be active at the same time on the same VSC when the setting for wireless protection is:
802.1x with no encryption (WEP option disabled), or
802.1x with WEP encryption enabled and static keys enabled.
Note: If you intend to only use dynamic keys, only 802.1x authentication is supported.
The following table illustrates the results for all authentication scenarios.

Authentication result

Active authentication method    MAC result   802.1x result   Network access?
MAC                             Failure      -               No
MAC                             Success      -               Yes
802.1x (not mandatory)          -            -               Yes
802.1x (not mandatory)          -            Failure         No
802.1x (not mandatory)          -            Success         Yes
802.1x (mandatory)              -            -               No
802.1x (mandatory)              -            Success         Yes
802.1x (mandatory)              -            Failure         No
MAC + 802.1x (not mandatory)    Failure      -               No
MAC + 802.1x (not mandatory)    Failure      Success         Yes
MAC + 802.1x (not mandatory)    Failure      Failure         No
MAC + 802.1x (not mandatory)    Success      Failure         No
MAC + 802.1x (not mandatory)    Success      -               Yes
MAC + 802.1x (not mandatory)    Success      Success         Yes
MAC + 802.1x (mandatory)        Failure      -               No
MAC + 802.1x (mandatory)        Failure      Success         Yes
MAC + 802.1x (mandatory)        Failure      Failure         No
MAC + 802.1x (mandatory)        Success      -               No
MAC + 802.1x (mandatory)        Success      Failure         No
MAC + 802.1x (mandatory)        Success      Success         Yes

Example A: MAC and 802.1x enabled, mandatory 802.1x authentication option disabled
Wireless clients are automatically authenticated by their MAC address. If MAC authentication succeeds, the client gains access. Next, the client station can initiate an 802.1x session, causing 802.1x authentication to take place. The result of this authentication then takes precedence over the MAC authentication result. If MAC authentication fails, the client does not gain access but can still initiate an 802.1x session, causing 802.1x authentication to take place. If the result of this authentication is successful, then the client gains access.
Example B: MAC and 802.1x enabled, mandatory 802.1x authentication option enabled
Wireless clients are automatically authenticated by their MAC address. If MAC authentication succeeds, they do not gain access until 802.1x authentication is successful.
Example C: MAC disabled and 802.1x enabled, mandatory 802.1x authentication option disabled
Wireless clients automatically gain access to the network with no authentication required. If the client starts an 802.1x session, 802.1x authentication takes place. If the result of this authentication is failure, then the client loses access to the network.
Example D: MAC disabled and 802.1x enabled, mandatory 802.1x authentication option enabled
Wireless clients only gain access to the network after being successfully authenticated via an 802.1x session.
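The decision rules behind the table and the four examples can be written as a single function and checked against every row. The Python below is an added example, not code from the guide or the Colubris firmware; the function name, the string constants for the two results, and the transcription of the table into GUIDE_TABLE are the only assumptions it makes.

```python
# Result of one authentication method: success, failure, or no attempt yet
# (the '-' cells in the guide's table).
SUCCESS, FAILURE, NONE = "success", "failure", None


def network_access(mac_enabled, dot1x_enabled, dot1x_mandatory,
                   mac_result, dot1x_result):
    """Decide whether a station gets network access on a VSC.

    The rules, in the order the guide states them:
      1. once there is an 802.1x result it overrides the MAC result;
      2. with mandatory 802.1x nothing else grants access;
      3. otherwise the MAC result decides when MAC authentication is enabled;
      4. otherwise (802.1x enabled but not mandatory, no session yet) the
         station is let through, as in the guide's Example C.
    """
    if dot1x_enabled and dot1x_result is not NONE:
        return dot1x_result == SUCCESS
    if dot1x_enabled and dot1x_mandatory:
        return False
    if mac_enabled:
        return mac_result == SUCCESS
    return True


# The guide's table transcribed as (mac_enabled, dot1x_enabled,
# dot1x_mandatory, mac_result, dot1x_result, expected_access).
GUIDE_TABLE = [
    (True,  False, False, FAILURE, NONE,    False),
    (True,  False, False, SUCCESS, NONE,    True),
    (False, True,  False, NONE,    NONE,    True),
    (False, True,  False, NONE,    FAILURE, False),
    (False, True,  False, NONE,    SUCCESS, True),
    (False, True,  True,  NONE,    NONE,    False),
    (False, True,  True,  NONE,    SUCCESS, True),
    (False, True,  True,  NONE,    FAILURE, False),
    (True,  True,  False, FAILURE, NONE,    False),
    (True,  True,  False, FAILURE, SUCCESS, True),
    (True,  True,  False, FAILURE, FAILURE, False),
    (True,  True,  False, SUCCESS, FAILURE, False),
    (True,  True,  False, SUCCESS, NONE,    True),
    (True,  True,  False, SUCCESS, SUCCESS, True),
    (True,  True,  True,  FAILURE, NONE,    False),
    (True,  True,  True,  FAILURE, SUCCESS, True),
    (True,  True,  True,  FAILURE, FAILURE, False),
    (True,  True,  True,  SUCCESS, NONE,    False),
    (True,  True,  True,  SUCCESS, FAILURE, False),
    (True,  True,  True,  SUCCESS, SUCCESS, True),
]


def table_mismatches():
    """Rows of GUIDE_TABLE where network_access() disagrees with the guide.
    An empty list means the function reproduces every scenario."""
    return [row for row in GUIDE_TABLE if network_access(*row[:5]) != row[5]]


if __name__ == "__main__":
    print("mismatches:", table_mismatches())
```

The row worth remembering from a security standpoint is the first "802.1x (not mandatory)" row: with MAC authentication off and the mandatory option clear, a station that never starts an 802.1x session is on the network, so a VSC that is meant to require 802.1x needs the mandatory option set.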


Wireless coverage
As a starting point for planning your setup, you can assume that the WAP-200 provides a wireless networking area, also called a wireless cell, of up to 300 feet (100 meters) in radius at high power. However, before creating a permanent installation, you should always perform a site survey to determine the optimum settings and location for the WAP-200. The following sections provide information on wireless coverage. The Colubris Networks RF Planner is a tool that can help simplify planning a secure wireless network. For more information see the RF Planner Administrator's Guide.

Wireless mode

Available wireless modes are determined by the wireless radio installed in the WAP-200, and may include:
802.11b: 11 Mbps in the 2.4 GHz frequency band.
802.11g: 54 Mbps in the 2.4 GHz frequency band.
802.11 b + g: 11 Mbps and 54 Mbps in the 2.4 GHz frequency band.
802.11a: 54 Mbps in the 5 GHz frequency band.

Factors limiting wireless coverage

Wireless coverage is affected by the following factors.

Radio power

More radio power means better signal quality and the ability to create bigger wireless cells. However, cell size should generally not exceed the range of transmission supported by client stations. If it does, client stations will be able to receive signals from the access point, but they will not be able to reply, rendering the connection useless. Also, when multiple access points are operating in an area, cell size needs to be adjusted to reduce interference between units. The WAP-200 provides an automatic power control feature to address this challenge. See Automatic power adjustment on page 51 for details.
Note: Governmental regulations in different parts of the world determine the maximum power output of the WAP-200's radio.

Antenna configuration
Antennas play a large role in determining the shape of the wireless cell and transmission distance. Consult the specifications for the antennas you are using to determine how they affect wireless coverage.


Interference
Interference is caused by other access points or devices that operate in the same frequency band as the WAP-200. This can substantially affect throughput. The WAP-200 provides advanced wireless configuration features to automatically eliminate this problem. See RF channel management on page 50 for details.
In addition, the WAP-200 provides several tools to diagnose interference problems as they occur.
Wireless > Neighborhood: This page provides detailed information on all wireless access points operating in the immediate area so that you can effectively set your operating frequency. It also makes it easy to find rogue access points. See Conducting a site survey on page 48 for details.
Status > Wireless: This page provides detailed information on packets sent and received, transmission errors, and other low-level events. Consult the online help for this page for recommendations on using this information to diagnose wireless problems.
Status > Client data rate matrix: This page lists the data rates for all connected client stations. This makes it easy to determine if low-speed clients are affecting network performance. You can use the Minimum rate option when defining a WLAN profile to keep low-speed clients from connecting.
Important: Access points operating in the 2.4 GHz band may experience interference from 2.4 GHz cordless phones and microwave ovens.

Physical characteristics of the location

To maximize coverage of the wireless cell, wireless access points are best installed in an open area with as few obstructions as possible. Try to choose a location that is central to the area being served. Radio waves cannot penetrate metal; instead they are reflected. This means that a wireless access point is able to transmit through wood or plaster walls and closed windows. However, the steel reinforcing found in concrete walls and floors may block transmissions, or reduce signal quality by creating reflections. This can make it difficult for a single unit to serve users on different floors in a concrete building. Such installations will require a separate wireless access point on each floor.


Configuring overlapping wireless cells

Overlapping wireless cells are caused when two or more access points are within transmission range of each other. This may be under your control (when setting up multiple cells to cover a large location), or out of your control (when your neighbors set up their own wireless networks). In either case, the problems you face are similar.

Performance degradation and channel separation


When two wireless cells operating on the same frequency overlap, it can cause a reduction in throughput in both cells. This occurs because a wireless station that is attempting to transmit will defer (delay) its transmission if another station is currently transmitting. On a network with many clients and a lot of traffic, this can severely affect performance as stations defer multiple times before the channel becomes available. If a station is forced to delay its transmission too many times, data may be lost. Delays and lost transmissions can severely reduce throughput on a network. Use the Wireless option on the Status menu to view this information on your network. The following example shows two overlapping wireless cells operating on the same frequency. Since both access points are within range of each other, the number of deferred transmissions will be large.

[Figure: two overlapping wireless cells (cell 1, cell 2) operating on the same frequency. Overlapping wireless cells can cause transmission delays.]

The solution to this problem is to set the two networks to different channels with as great a separation as possible in their operating frequencies. This reduces cross-talk, and enables client stations connected to each access point to transmit at the same time.


Selecting channels
For optimum performance when operating in 802.11b or 802.11g modes, choose a frequency that differs from other wireless access points operating in neighboring cells by at least 25 MHz. Two channels with the minimum 25 MHz frequency separation will always perform worse than two channels using the maximum separation. So it is always best to use the greatest separation possible between overlapping networks.
Note: When operating in 802.11a mode, all channels are non-overlapping.
With the proliferation of wireless networks, it is very possible that the wireless cells of access points outside your control may overlap your intended area of coverage. To choose the best operating frequency, use the Wireless > Neighborhood page to generate a list of all access points operating near you and their operating frequencies.
The set of available channels is automatically determined by the WAP-200 based on the Country setting you define on the Wi-Fi page, which means that the number of non-overlapping channels available to you will also vary. This will affect how you set up your multi-cell network.

Example
When operating in 802.11b mode, the WAP-200 supports the following 14 channels in the 2.4 GHz band:

Channel   Frequency (MHz)   Channel   Frequency (MHz)
1         2412              8         2447
2         2417              9         2452
3         2422              10        2457
4         2427              11        2462
5         2432              12        2467
6         2437              13        2472
7         2442              14        2477

However, the number of channels available for use in a particular country is determined by the regulations defined by the local governing body. For example:

Region          Available channels
North America   1 to 11
Japan           1 to 14
Europe          1 to 13

Since the minimum recommended separation between overlapping channels is 25 MHz (5 channels), the recommended maximum number of overlapping cells you can have in most regions is three. For example:

North America: cell 1 on channel 1, cell 2 on channel 6, cell 3 on channel 11
Europe: cell 1 on channel 1, cell 2 on channel 7, cell 3 on channel 13
Japan: cell 1 on channel 1, cell 2 on channel 7, cell 3 on channel 14


In North America you would create the following installation:

[Figure: cell 1 channel = 1, cell 2 channel = 6, cell 3 channel = 11. Reducing transmission delays by using different operating frequencies.]

However, it is possible to stagger your cells to reduce overlap and increase channel separation. Consider the following:
[Figure: staggered cells spaced 150 m (450 feet) apart: cell 1 channel = 1, cell 2 channel = 6, cell 3 channel = 11, cell 4 channel = 1. Using only three frequencies across multiple cells (North America).]


This strategy can be expanded to cover an even larger area using three channels as follows:
[Figure: cell 1 channel = 1, cell 2 channel = 6, cell 3 channel = 11, cell 4 channel = 1, cell 5 channel = 11, cell 6 channel = 1, cell 7 channel = 6, cell 8 channel = 11. Using three frequencies to cover a large area (North America).]

The areas in gray indicate where two cells using the same frequency overlap.

Distance between access points

In environments where the number of wireless frequencies is limited, it can be beneficial to adjust the receiver sensitivity of the WAP-200. To make the adjustment, open the Wireless > Radio page. For most installations, the Large setting should be used. However, if you are installing multiple WAP-200s, and the channels available to you do not provide enough separation, then reducing the receiver sensitivity can help you reduce the amount of crosstalk between the WAP-200s. Another benefit to using reduced settings is that it will improve roaming performance. Client stations will switch between WAP-200s more frequently.
Note: The distance between access points option provides the best performance benefit when client stations are equipped with wireless adapters that are configured with the same setting. However, not all manufacturers support this feature.

Automatic power control


The WAP-200s automatic power control feature enables it to dynamically adjust its transmission power to avoid causing interference with neighboring Colubris Networks access points.


Conducting a site survey

To discover the operating frequencies of other access points in your area, open the Wireless > Neighborhood page. The WAP-200 automatically scans to find all active access points. For example:

Note: If an access point is not broadcasting its name, the SSID is blank.

Monitor mode

The radio(s) in the WAP-200 can be configured to operate in monitor mode (Wireless > Radio(s) page). In this mode, both access point and wireless links functionality are disabled. The WAP-200 will receive all wireless transmissions, but will not broadcast. Use this option for continuous scanning across all channels in all wireless modes supported by the radio (a/b/g). See the results of the scans on the Wireless > Neighborhood page. This mode also enables 802.11 traffic to be traced when using the Tools > Network trace command.


Identifying unauthorized access points

Improperly configured wireless access points can seriously compromise the security of a corporate network. Therefore, it is important that they be identified as quickly as possible. The wireless neighborhood feature can be configured to automatically list all unauthorized access points that are operating nearby. To identify unauthorized access points, the WAP-200 compares the MAC address of each discovered access point against the list of authorized access points (which you must define). If the discovered access point does not appear in the list, it is displayed in the Unauthorized access points list.

List of authorized access points

The format of this file is XML. Each entry in the file is composed of two items: MAC address and SSID. Each entry should appear on a new line. The easiest way to create this file is to wait for a scan to complete, then open the list of all access points in Brief format. Edit this list so that it contains only authorized access points and save it. Then specify the address of this file for the List of authorized access points parameter. When you edit the Brief list, you need to remove the extra text that appears before and after each MAC address. For example, if the Brief list looks like this:

<?xml version='1.0'?>
<simple-ap-list>
# MAC               SSID
00:03:52:07:f5:11 "AP_1"
00:03:52:07:f5:23 "AP_2"
00:03:52:07:f5:12 "AP_3"
</simple-ap-list>

Reformat the list to look like this:

00:03:52:07:f5:11 "AP_1"
00:03:52:07:f5:23 "AP_2"
00:03:52:07:f5:12 "AP_3"
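The following is an added example, not Colubris code: it parses the authorized-AP file in the `MAC "SSID"` format described above (tolerating the XML wrapper and `#` comment line of the raw Brief export), produces the cleaned list, and applies the same MAC-address comparison the WAP-200 performs to flag unauthorized access points. The scan results and the extra MAC addresses are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the Brief list as exported from Wireless > Neighborhood before
# the extra XML text is removed (the three addresses are the guide's own samples).
BRIEF_LIST = """<?xml version='1.0'?>
<simple-ap-list>
# MAC               SSID
00:03:52:07:f5:11 "AP_1"
00:03:52:07:f5:23 "AP_2"
00:03:52:07:f5:12 "AP_3"
</simple-ap-list>
"""

# Constructed sample scan: (BSSID, SSID) pairs as a later scan might report them.
# The last entry has a blank SSID, which is what a non-broadcasting AP shows as.
SCAN_RESULTS: List[Tuple[str, str]] = [
    ("00:03:52:07:F5:11", "AP_1"),   # authorized (different letter case)
    ("00:03:52:07:f5:23", "AP_2"),   # authorized
    ("00:11:22:33:44:55", "AP_1"),   # constructed: copies an authorized SSID
    ("aa:bb:cc:dd:ee:ff", ""),       # constructed: hidden SSID
]

# One entry per line: a colon-separated MAC, whitespace, then the SSID in double quotes.
ENTRY_RE = re.compile(r'^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+"([^"]*)"\s*$')


def normalize_mac(mac: str) -> str:
    """Canonical lower-case form so that letter case never hides a match."""
    return mac.strip().lower()


def parse_authorized_list(text: str) -> Dict[str, str]:
    """Parse the authorized-AP file into {mac: ssid}.

    XML wrapper lines (<?xml ...?>, <simple-ap-list>, </simple-ap-list>) and the
    '# MAC SSID' comment are skipped, so both the raw Brief export and the edited
    file are accepted. Any other line that is not a valid entry raises, because a
    silently dropped entry would make a legitimate AP show up as unauthorized.
    """
    authorized: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        match = ENTRY_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not a MAC/SSID entry: {raw!r}")
        authorized[normalize_mac(match.group(1))] = match.group(2)
    return authorized


def reformat_brief_list(text: str) -> str:
    """Produce the cleaned file the guide asks for: only MAC "SSID" lines remain."""
    entries = parse_authorized_list(text)
    return "".join(f'{mac} "{ssid}"\n' for mac, ssid in entries.items())


def find_unauthorized(scan: List[Tuple[str, str]],
                      authorized: Dict[str, str]) -> List[Tuple[str, str]]:
    """Mirror the WAP-200 check: a scanned AP whose MAC is not listed is unauthorized.

    The comparison is by MAC address only, so an AP that reuses an authorized SSID
    is still flagged as long as its MAC address is not in the list.
    """
    return [(mac, ssid) for mac, ssid in scan if normalize_mac(mac) not in authorized]


if __name__ == "__main__":
    allowed = parse_authorized_list(BRIEF_LIST)
    print(reformat_brief_list(BRIEF_LIST), end="")
    for mac, ssid in find_unauthorized(SCAN_RESULTS, allowed):
        print(f"unauthorized: {mac} SSID={ssid!r}")
```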


RF channel management
The WAP-200 provides several features for channel management. You configure these parameters by selecting Wireless > Radio on the MAP-320, or by selecting Wireless > Radios on the MAP-330, which opens the Radio(s) configuration page. The following figure shows how this page appears on a MAP-300.

Operating mode

Select the Operating mode for each radio from the following options:

Access point and Wireless links: Standard operating mode that provides support for all wireless functions.
Access point only: Provides access point functionality only; wireless links cannot be created.
Wireless links only: Provides wireless links functionality only; wireless client stations cannot connect.
Monitor: Places the radio in promiscuous mode so that it does not transmit, and both access point and wireless links functionality are disabled. Use this option for continuous scanning across all channels in all wireless modes (a/b/g). See the results of the scans on the Wireless > Neighborhood page. This mode also enables you to trace 802.11 traffic when using the Tools > Network trace command.


Wireless mode

Select the transmission speed and frequency band. The available options are determined by the wireless card installed in the WAP-200, and may include the following:

802.11b: 11 Mbps in the 2.4 GHz frequency band.
802.11b + 802.11g: 11 and 54 Mbps in the 2.4 GHz frequency band.
802.11g: 54 Mbps in the 2.4 GHz frequency band.
802.11a: 54 Mbps in the 5 GHz frequency band.

Channel

Select the channel, that is, the frequency on which the WAP-200 operates. Available channels are determined by the radio installed in the WAP-200 and the regulations that apply in your country.

To enable automatic channel selection for a radio, select Automatic under Channel. In this mode the WAP-200 automatically scans the operating environment to find the channel with the best throughput. Scanning is done on startup and at the Interval that you configure.

Note: You cannot use automatic channel selection when creating wireless links with the radio. You must set the channel manually to ensure that it matches the radio on the other side of the link.

For optimum performance when operating in 802.11b or 802.11g modes, select a channel that differs by at least 25 MHz from the channels used by other wireless access points operating in neighboring cells. Open the Wireless > Neighborhood page to view a list of access points currently operating in your area. If operating in 802.11a mode, all channels are non-overlapping.

DFS/TPC

The WAP-200 supports Dynamic Frequency Selection (802.11h) and Transmit Power Control (802.11d) for 802.11a for operation in European countries. These options are automatically enabled as required.

Automatic power adjustment

The WAP-200 features an auto power adjustment option. When enabled (Wireless > Radio page), the WAP-200 will automatically scan the RF environment and adjust power output to minimize interference with other access points. This feature works best when the entire network uses only Colubris Network access points, as third-party products will not adjust their output power.

How it works
If co-channel interference is discovered, all neighboring APs shrink their cell size to minimize the interference. The first step is to adjust the transmit power. If this fails, the next step is to increase the transmit power (if possible) to maximum and change the minimum data rate to a higher value (802.11b changes from 1 Mbps to 2 Mbps; 802.11a/g changes from 6 Mbps up to 18 Mbps).

Note: The majority of clients will still transmit at maximum power, so not all interference can be eliminated.

Note: Some older wireless client cards may not support a data rate of 2 Mbps.


Distance between access points

Note: This option is not available in Monitor mode.

You can use Distance between access points to adjust the receiver sensitivity of the WAP-200. Change this parameter only if you have more than one wireless access point installed in your location and are experiencing throughput problems. In all other cases, use the default setting of Large.

If you have installed more than one WAP-200, reducing the receiver sensitivity of the WAP-200 from its maximum helps reduce the amount of cross-talk between wireless stations, in order to better support roaming clients. By reducing receiver sensitivity, client stations are more likely to connect with the nearest access point.

RTS threshold

Note: This option is not available in Monitor mode.

Use this parameter to control collisions on the link that can reduce throughput. If the Status > Wireless page shows increasing values for Tx multiple retry frames or Tx single retry frames, you should adjust this value until the errors clear up. Start with a value of 1024 and then decrease to 512 until errors are reduced or eliminated. Note that using a small value for RTS threshold can affect throughput. Range: 128 to 1540.

If a packet is larger than the threshold, the WAP-200 holds it and issues a request to send (RTS) message to the client station. Only when the client station replies with a clear to send (CTS) message does the WAP-200 send the packet. Packets smaller than the threshold are transmitted without this handshake.

Multicast Tx rate

Note: This option is not available in Monitor mode.

Use this parameter to set the transmit rate for multicast traffic. This is a fixed rate, which means that if a station is too far away to receive traffic at this rate, multicast is not seen by the station.

Antenna selection

Select the antenna on which the radio transmits and receives, as follows:

Diversity (both antennas): In this mode both antennas transmit and receive. The WAP-200 supports both transmit and receive diversity:
  Transmit diversity: For a given client station connection, the WAP-200 always transmits on the antenna on which it receives. If transmission fails, the WAP-200 automatically switches antennas and retries.
  Receive diversity: In 802.11b, the WAP-200 does selection diversity, which means selecting the receive antenna based on the SNR calculated while receiving the preamble, on a per-frame basis. For 802.11a and 802.11g, including mixed 802.11b and 802.11g, the receiver switches antenna when the signal quality goes below a certain threshold.
Main antenna: Select this option to use the Main antenna to transmit and receive.
Auxiliary antenna: Select this option to use the Auxiliary antenna to transmit and receive.

Regardless of the antenna that is selected, the WAP-200 can create only a single wireless cell using the radio. If a single antenna is used, it can be connected to either Main or Aux. When creating a point-to-point wireless bridge, Colubris Networks recommends that a single directional antenna be used on either Main or Aux. For maximum wireless coverage, use two omnidirectional antennas and select Diversity.


Transmit power control

As of this release, you can configure Transmit power control on the wireless radio as a percentage of maximum power, as well as in dBm. You can configure this parameter by selecting Wireless > Radio(s), which opens the Radio(s) configuration page. The Transmit power control group box appears at lower left.

Note: This parameter is not available if the radio is in Monitor mode.

Configuring transmit power


You can configure transmit power to be the Maximum available output power, which is the default. Alternatively, you can clear the Maximum available output power checkbox in order to enter transmission power either in dBm, using a range between 0 and 20 (even though not all radios can support up to 20 dBm), or as a percentage of the maximum available power, using a range between 0 and 100. The actual Maximum output power for the specific radio that is installed appears at the bottom of the group box.

Enter the number of dBm or % of max output power and then click outside the field. The corresponding value appears in the % of max output power or dBm field, respectively.

The actual transmit power that is used may be less than the specified value. The MAP determines the power to be used based on settings for regulatory domain, wireless mode, and operating frequency.

As in earlier releases, select Automatic power control in order to enable the MAP to determine the optimal power setting within the limits you defined: the maximum, or up to the percentage of maximum specified earlier. Under Interval, you can specify how frequently Automatic Power Control checks the radio to determine its optimal power setting. This option is relevant only when Automatic Power Control is enabled. The default is one hour.

Guidelines for configuring transmit power


Transmit power control works best when the entire network uses only Colubris Networks access points, as third-party products will not adjust their output power.

If co-channel interference is discovered, all neighboring access points shrink their cell size to minimize the interference. The first step is to adjust the transmit power. If this fails, the next step is to increase the transmit power to maximum, if possible, and to change the minimum data rate to a higher value: 802.11b changes from 1 Mbps to 2 Mbps, and 802.11a/g changes from 6 Mbps up to 18 Mbps.

Note: Because the majority of client stations will still transmit at maximum power, not all interference can be eliminated.

Note: Some older wireless client cards may not support a data rate of 2 Mbps and thus may not be able to associate when Automatic power control is enabled.


RF performance
Use the following features to help improve the performance of the wireless network.

Client station data rate limits

The WAP-200 provides settings for controlling the minimum and maximum client data rates on each VSC. These rates are advertised in the 802.11 beacon, sent in response to wireless probes, and specified in the negotiated rate of the association response.

The primary application for these settings is to enable performance optimization across the wireless network. For example, if the minimum data rate is set to 6 Mbps, a client with a weak signal (that may only be able to associate at 1 Mbps) is prevented from doing so. If that same client were allowed to associate, the overall performance of the network would be degraded for all clients. By preventing the association, clients with stronger signals are able to perform at their optimal capability.

The following two settings are available when you define an SSID for a VSC.

Minimum rate: Sets the minimum transmission rate that client stations can use when communicating with the VSC. Client stations that are operating at a rate slower than this setting will be able to associate with the WAP-200 but will not be able to send or receive data. For example, if the minimum rate is set to 6 Mbps and a client is not close enough to reach this rate, it will still see the WAP-200, but all transmissions will time out.

Note: Increasing the minimum rate effectively reduces the cell size of the wireless network, since the data rate decreases as the distance from the WAP-200 increases.

Note: Some wireless client stations may refuse to associate with the WAP-200 if the basic rates for the current operating mode are not supported. For example, if the minimum data rate is set to 6 Mbps for 802.11b, this is above the mandated basic rates of 1 and 2 Mbps, and may cause some clients to refuse the association.

Maximum rate: Sets the maximum transmission rate that client stations can use when communicating with the VSC. Client stations that support higher rates will negotiate this value as their limit when associating to the WAP-200.

Multicast rate limit

The WAP-200 provides control of the multicast rate on a per-radio basis (on the Wireless > Radio page under Multicast Tx rate). By default this is set to the lowest rate for the current wireless mode. If there is a lot of multicast traffic on your network, raising the multicast rate can improve throughput.

Note: If you raise the multicast rate, client stations that do not support the new rate will not receive the multicast data.


Addressing
The WAP-200 is a wireless bridge, which means that all its ports share the same IP address. The address can be set statically or via DHCP on the Network > Ports page.

Default settings

By default the WAP-200 is configured as a DHCP client on both LAN ports. If no DHCP server is found at startup, the WAP-200 assigns the address 192.168.1.1 to all its ports.

DNS

When the WAP-200 is configured to use the DHCP client, the WAP-200 uses the DNS name returned by the server. You can override this with static settings if required on the Network > DNS page.


Layer 2 security
The WAP-200 supports several layer 2 security schemes that can be enabled to protect customer wireless traffic.

Session limits

Up to 255 user connections are supported when Layer 2 security is active.

Authentication

The following table lists the available authentication options:

Protocol                 User authentication provided by
802.1x                   Access Controller, RADIUS server
WPA1/WPA2                Access Controller, RADIUS server
WPA (pre-shared keys)    None
WEP                      None

Security options

To enable multiple Layer 2 options at the same time, each option must be assigned to its own wireless profile.

WEP
Weaknesses in WEP's cryptographic technology were exposed not long after it was developed. However, it can still be of use in light-traffic, casual-use installations to deter eavesdroppers. It is not recommended for corporate networks without enabling a VPN security option (IPSec, PPTP, or L2TP).

802.1x
802.1x is an IEEE port-based authentication standard. It improves upon WEP by providing two important enhancements: user authentication and unique keys with key rotation.

User authentication: Before a user gains access to the wireless network, they must first log in. The login process is managed by 802.1x client software which must be installed on the user's computer. It communicates with the WAP-200, which in turn uses the services of a RADIUS server to validate user login credentials.

Unique keys with key rotation: Each user is assigned their own key by the RADIUS server. Keys are automatically rotated (regenerated) at an interval configured on the WAP-200.

To use 802.1x, wireless client stations must install 802.1x client software. The WAP-200 supports 802.1x clients using EAP-SIM, EAP-TLS, EAP-TTLS and PEAP. Dynamic WEP encryption is supported.

Note: Colubris Networks does not recommend the use of 802.1x without enabling dynamic WEP encryption.

Note: When 802.1x is active, the WAP-200 can also be configured to accept connections from stations using static WEP keys if required.


WPA1/WPA2
Wi-Fi Protected Access (WPA) is the Wi-Fi security standard that was developed to replace WEP. It features improved data encryption and implements 802.1x to provide user authentication.

WPA1 data encryption is handled by the Temporal Key Integrity Protocol (TKIP). It addresses all known WEP weaknesses with a variety of important security enhancements. WPA2 provides AES/CCMP encryption for even stronger protection of the wireless data stream.

Keys can be dynamically generated on a per-user basis at login via a RADIUS server. In this case, user login information is also maintained on the RADIUS server. Key length and key rotation interval are defined on the WAP-200.

WPA also features a special mode called Pre-Shared Keys. In this mode a single key is defined for all user connections. This key is used for encryption only. This mode does not provide user authentication (there is no username and password).

To use WPA, wireless client stations must install WPA client software.

Do not broadcast wireless network name

You can disable the broadcast of the wireless network name. This forces client stations to provide the correct network name to connect to the WAP-200. By assigning a unique name to the wireless network, you can block access by unauthorized computers. This feature can be used to create backup operation of the network in case of equipment failure. For example, you could install two WAP-200s, each operating on a different channel, within close proximity of one another. Each WAP-200 would communicate with a different access controller. If one of the controllers goes down, the service sensor will detect it and shut down the radio on the affected WAP-200. Client stations connected to this WAP-200 will automatically be transferred to the other WAP-200 with no interruption in service. This only works if both WAP-200s have the same SSID. To set up the service sensor, open the Security > Access controller page.


Wireless bridging
The wireless bridging feature enables you to use the wireless radio to create point-to-point wireless links to other access points. Each WAP-200 can support a single wireless bridge, which can operate at the same time as the network serving wireless customers. For a complete wireless bridging scenario, see the Colubris Networks Configuration Guide.

RF extension

Wireless bridging provides an effective solution for extending wireless coverage in situations where it is impractical or expensive to run cabling to a wireless access point. In this scenario, the satellite access point is used to expand the coverage of the wireless network. In this configuration, both the WAP-200 and the access controller (MSC-3200/3300) are equipped with omnidirectional antennas, enabling them to deliver both access point functionality and wireless bridging.
Figure: RF extension scenario (an MSC-3200/MSC-3300 connected to a satellite WAP-200 over a wireless bridge).

Building-to-building connections

The wireless bridging feature can also be used to create point-to-point links over longer distances. In this scenario, two units create a wireless bridge between the networks in two adjacent buildings. Each unit is equipped with a directional external antenna and is within line of sight to make the connection. Customers are authenticated via the RADIUS server. Note: When a directional antenna is used to create a wireless link, only one antenna is supported and the units cannot provide wireless access point functionality.


Figure: Building-to-building connection. A WAP-200 with a directional antenna in Building A is linked by a wireless bridge to a WAP-200 with a directional antenna in Building B; the LAN side connects to an MSC-3200/MSC-3300 and a RADIUS server, with public WLAN access in each building.

Guidelines

All radios that are part of a link must be set to the same operating frequency and channel. This means that the Automatic option cannot be used for Channel on the Wireless > Radio page.
If a single radio is used to provide both access point functionality and a wireless link, bandwidth is shared by all bridged access points and all their associated client stations.
All wireless ports must be on the same subnet, with each port having a unique IP address.
If WEP is enabled, the same settings must be used on all access points.
If you establish a wireless link between two WAP-200s, or a WAP-200 and a MultiService Controller, then access to the Management Tool across the bridge is blocked.
As soon as a wireless bridge link is established, the spanning tree protocol is enabled on the link to provide proper routing of traffic.
When using an external antenna (via a coax cable), it is recommended that you connect it to the MAIN connector.


Setting up a wireless link

Use the following steps to set up a wireless link.

1. Select Wireless > WDS groups. The WDS group configuration page opens.
2. Under Settings, select Enabled.
3. For Link name, enter a user-friendly identifier for this wireless link.
4. For Speed, select the bit rate for the link, in megabits per second, or select Auto in order to have the WAP-200 automatically select the optimum bit rate. For load balancing you may want to limit the speed of a link when connecting to multiple destinations.
5. Enable the Security checkbox and select one of the following:
   WEP: Specifies to use the Wired Equivalent Privacy standard to secure traffic on the wireless link.
   TKIP: Specifies to use Temporal Key Integrity Protocol encryption to secure traffic on the wireless link.
   AES/CCMP: Specifies to use the Advanced Encryption Standard with Counter Mode Cipher Block Chaining Message Authentication Code Protocol encryption defined by 802.11i. This is the most secure method to encrypt traffic on the wireless link.
6. Under Addressing, specify the Remote MAC address. This is the MAC address of the other access point.
7. Click Save.
8. Select Wireless > Radio. The Radio(s) configuration page opens (see page 50).
9. Set the Operating mode to Access point and Wireless links.
10. Set the Wireless mode to the same value as the other access point.
11. Set the Channel to the same value as the other access point. Do not use the Automatic option.
12. Click Save.

Once both units have been configured, you can use the following steps to make performance adjustments:

1. Open the Tools > Ping page on one unit and ping the other one to make sure that the bridge is working.
2. Open the Status > Wireless page.
3. Using the SNR value in the Wireless bridging status box as a guide, adjust the antennas to obtain the best possible value. A value greater than 20 is good. After each change, allow a minimum of two minutes for the Link speed field to settle down and report its new value.


VLAN support
The WAP-200 provides a robust and flexible VLAN (802.1q) implementation. VLANs can be defined on the LAN ports, as well as on wireless links. User traffic can be mapped to a VLAN on a per-VSC basis, or on a per-user basis. For scenarios that illustrate how to work with VLANs, see the Colubris Networks Configuration Guide.

Creating VLANs

Use the following steps to create a VLAN:

1. Open the Network > Ports page. Under VLAN configuration you can view a list of all defined VLANs. Initially this list is empty.
2. Click Add New VLAN. This opens the Add/Edit VLAN page, where you define the characteristics of the VLAN.

Define settings as follows:

General

Port: Select the port that the VLAN is associated with.
VLAN ID: Specify an ID for the VLAN (802.1q). The same VLAN ID can be assigned to different ports to create a VLAN bridge across the ports. If the VLAN is being assigned to an Ethernet port, you can also define a range of VLANs in the form X-Y, where X and Y can be from 1 to 1024. For example: 50-60. Note: An IP address cannot be assigned when you define a range of VLANs.
VLAN name: Specify a name for the VLAN. This name is used to identify the VLAN on the WAP-200 and has no operational significance.

Assign IP address via

An IP address cannot be assigned when the VLAN ID is defined as a range.

DHCP client: The VLAN obtains its IP address from a DHCP server on the same VLAN.
Static: Assign a static IP address and mask.
None: No IP address is assigned.


Default VLAN

The default VLAN can be restricted to carry management traffic only. This includes the following:

All traffic that is exchanged with the access controller
All traffic exchanged with external RADIUS servers
HTTPS sessions established by administrators to the Management Tool
Incoming and outgoing SNMP traffic
DNS requests/replies

Assigning traffic to VLANs

Wireless traffic can be assigned to VLANs on a per-VSC or per-user basis. Note: The VLAN assigned on a per-user basis always overrides the VLAN assigned by a VSC (or the default VLAN). For example, a wireless station could be associated with a VSC that is configured for VLAN 30, but after logging in, user-specific settings (retrieved from a RADIUS server) could override this setting by assigning VLAN 40.

Per-VSC VLAN assignment


Each VSC can be mapped to its own VLAN. Wireless clients that connect to a VSC with VLAN support are bridged to the appropriate VLAN. Address allocation and security measures are the responsibility of the target network that the VLAN connects to. Important: Per-SSID VLANs cannot have the same VLAN ID as the default VLAN ID.

Per-user VLAN assignment


VLANs can also be assigned on a per-customer basis by setting attributes in a customer's RADIUS account. The only restrictions are:

A customer cannot be assigned to a VLAN that is already set as the default VLAN on port 1 (Network > Ports page).
A customer can only be assigned to a VLAN that is defined on the Network > VLANs page.
This can only be used for 802.1x client stations. MAC authentication does not support this feature.

For details, see Creating user profiles on the RADIUS server on page 73.

VLAN bridging

If the same VLAN ID is assigned to more than one interface, the VLAN is bridged across the interfaces. For example, if you create three VLANs:

Bridge_1 with ID = 50, assigned to Port 1.
Bridge_3 with ID = 50, assigned to the wireless link.

All VLAN traffic with ID 50 is now bridged across all these interfaces. If you create a VSC and assign the Egress VLAN in it to any of these VLANs, output from the VSC can be sent to destinations on any interface.
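The VLAN rules spread across Creating VLANs, Per-VSC VLAN assignment, Per-user VLAN assignment and VLAN bridging above can be checked before a configuration is applied. This is an added example, not Colubris code; the configuration, port names and VLAN IDs are constructed, and the precedence it models (per-user RADIUS VLAN over VSC VLAN over default VLAN) is the one the guide states.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Limits given on the Add/Edit VLAN page: IDs and range endpoints run from 1 to 1024.
VLAN_ID_MIN, VLAN_ID_MAX = 1, 1024


@dataclass(frozen=True)
class VlanDef:
    """One entry of the VLAN list on the Network > Ports page."""
    name: str
    port: str                    # constructed names: "port1", "port2", "wireless-link"
    first_id: int
    last_id: int                 # equals first_id unless a range X-Y was entered
    address_mode: str = "none"   # "dhcp", "static" or "none"

    def is_range(self) -> bool:
        return self.first_id != self.last_id

    def contains(self, vlan_id: int) -> bool:
        return self.first_id <= vlan_id <= self.last_id


def parse_vlan_id_field(text: str) -> Tuple[int, int]:
    """Accept the VLAN ID field as typed: a single ID ("50") or a range ("50-60")."""
    parts = [p.strip() for p in text.strip().split("-")]
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        raise ValueError(f"VLAN ID must be N or X-Y, got {text!r}")
    first, last = int(parts[0]), int(parts[-1])
    for value in (first, last):
        if not VLAN_ID_MIN <= value <= VLAN_ID_MAX:
            raise ValueError(f"VLAN ID {value} is outside {VLAN_ID_MIN}-{VLAN_ID_MAX}")
    if first > last:
        raise ValueError(f"range start {first} exceeds end {last}")
    return first, last


def make_vlan(name: str, port: str, id_field: str, address_mode: str = "none") -> VlanDef:
    """Build a VlanDef, enforcing the Add/Edit VLAN page rules on ranges and addressing."""
    first, last = parse_vlan_id_field(id_field)
    if first != last and port.startswith("wireless"):
        raise ValueError("a VLAN range can only be defined on an Ethernet port")
    if first != last and address_mode != "none":
        raise ValueError("an IP address cannot be assigned when the VLAN ID is a range")
    return VlanDef(name, port, first, last, address_mode)


@dataclass
class Wap200VlanConfig:
    default_vlan_port1: Optional[int]   # default VLAN on port 1 (None if untagged)
    vlans: List[VlanDef]
    vsc_vlan: Dict[str, int]            # SSID -> egress VLAN assigned to that VSC

    def is_defined(self, vlan_id: int) -> bool:
        return any(v.contains(vlan_id) for v in self.vlans)

    def bridged_interfaces(self, vlan_id: int) -> List[str]:
        """Interfaces across which an ID is bridged (same ID on several interfaces)."""
        return sorted({v.port for v in self.vlans if v.contains(vlan_id)})

    def vsc_errors(self) -> List[str]:
        """Per-SSID VLANs may not reuse the default VLAN ID."""
        return [f"VSC {ssid!r}: VLAN {vid} equals the default VLAN"
                for ssid, vid in self.vsc_vlan.items()
                if vid == self.default_vlan_port1]

    def resolve_user_vlan(self, ssid: str, auth: str,
                          radius_vlan: Optional[int]) -> Optional[int]:
        """VLAN a station's traffic lands in: per-user (802.1x only) > per-VSC > default.

        A per-user VLAN that is the port 1 default, or that is not defined, is an error
        rather than a silent fallback. MAC-authenticated stations ignore the RADIUS VLAN.
        """
        if radius_vlan is not None and auth == "802.1x":
            if radius_vlan == self.default_vlan_port1:
                raise ValueError("per-user VLAN may not be the default VLAN on port 1")
            if not self.is_defined(radius_vlan):
                raise ValueError(f"per-user VLAN {radius_vlan} is not defined on Network > VLANs")
            return radius_vlan
        return self.vsc_vlan.get(ssid, self.default_vlan_port1)


# Constructed sample configuration; Bridge_1/Bridge_3 and VLANs 30/40 follow the guide's text.
EXAMPLE = Wap200VlanConfig(
    default_vlan_port1=10,
    vlans=[
        make_vlan("Bridge_1", "port1", "50"),
        make_vlan("Bridge_3", "wireless-link", "50"),
        make_vlan("Staff", "port1", "30", "dhcp"),
        make_vlan("Guests", "port1", "40"),
        make_vlan("Branch", "port2", "100-110"),
    ],
    vsc_vlan={"corp": 30, "guest": 40},
)

if __name__ == "__main__":
    print("VLAN 50 bridged across:", EXAMPLE.bridged_interfaces(50))
    print("corp user with RADIUS VLAN 40 ->", EXAMPLE.resolve_user_vlan("corp", "802.1x", 40))
    print("same user via MAC auth ->", EXAMPLE.resolve_user_vlan("corp", "mac", 40))
```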


Firmware management
The firmware is special software that controls the operation of the WAP-200. Periodically, Colubris Networks will make new versions of the firmware available. Firmware updates can be handled manually, automatically, or with a tool like cURL.

Important: When a WAP-200 is restarted it automatically initializes itself to the default address 192.168.1.1 on all ports. If the DHCP client is enabled, it takes about 30 seconds after the restart for the DHCP client to request an address. Therefore, for a short period of time after restarting, the WAP-200 may conflict with another device on the network. This will usually not be an issue. However, if you are using an automated tool (like cURL) to update the configuration/firmware on several WAP-200s at the same time, you may experience difficulties. It is recommended that you schedule your updates to occur in succession, leaving a three-minute interval between each device.

Important: When using the WAP-200 in conjunction with an access controller you must: (1) always upgrade the access controller before upgrading the WAP-200; (2) never load an earlier firmware version on the WAP-200 than is installed on the access controller.

Manual update

1. On the Maintenance menu, click Firmware updates.
2. In the Install firmware box, click the Browse button and select a firmware file.
3. Click Install.

Note: The WAP-200 automatically restarts after the firmware has been installed, to activate it. This disconnects all client stations; once the WAP-200 resumes operation, all client stations have to reconnect.

Note: Configuration settings are preserved during firmware upgrades.


Scheduled install

The WAP-200 can automatically retrieve and install firmware from a local or remote URL. By placing WAP-200 firmware on a web or FTP server, you can automate the update process for multiple units. When the update process is triggered, the WAP-200 retrieves the first few bytes of the firmware file to determine whether it differs from the active version. If it differs, the firmware is downloaded and installed. Configuration settings are preserved; however, all connections are terminated, forcing users to log in again.

Note: Plain HTTP and FTP give the download no integrity protection, so whoever can modify the file on that server, or the traffic on the way from it, can install firmware on every WAP-200 that polls it. Keep the server on the management network and restrict write access to it.

Using cURL

It is possible to automate management tasks using a tool like cURL. cURL is a software client that can get files from, or send files to, a server using a number of different protocols (HTTP, HTTPS, FTP, GOPHER, DICT, TELNET, LDAP or FILE). cURL is designed to work without user interaction of any kind. It is available for Windows and Linux at http://curl.haxx.se/. You must use version 7.10 or higher.

The following cURL commands illustrate how to update the firmware. The following setup is assumed:
- The IP address of the WAP-200's Ethernet port is 24.28.15.22.
- Management access via the Ethernet port is enabled.
- The firmware is located in the file WAP-200.cim.

These examples are non-secure: no certificates are used for authentication. The -k option makes cURL skip verification of the WAP-200's certificate, so the data traffic is still encrypted but the WAP-200 itself is not authenticated, and a device placed between your computer and the WAP-200 could intercept the session and the administrator credentials. Note also that -d pw=admin puts the password on the command line, where it is visible in the process list and the shell history.

Note: To secure the connection with the WAP-200 using certificates, drop -k and use the --cacert option to specify where the CA certificates are located on your computer. This also requires that you specify the host name wireless.colubris.com instead of the IP address, so that the name in the WAP-200's certificate matches. The host name must be resolved either via a DNS server or using the hosts file on your computer.

Uploading the firmware


1. Prepare the WAP-200 to receive the login.
curl -s -k "https://24.28.15.22/home.asp"

2. Log in to the management interface.


curl -s -k --dump-header cookie.txt "https://24.28.15.22/goform/Logout" -d username=admin -d pw=admin

3. Prepare the WAP-200 to receive the firmware update.


curl -s -k --cookie cookie.txt "https://24.28.15.22/script/firmware_init.asp"

4. Upload the firmware. Once the upload is complete the WAP-200 will automatically restart.
curl -s -k --cookie cookie.txt -F firmware=@WAP-200.cim -F backup=Install "https://24.28.15.22/goform/ScriptUploadFirmware"


Configuration management
The configuration file contains all the settings that customize the operation of the WAP-200. You can save and restore the configuration file manually, automatically, or with a tool like cURL. Configuration management can also be performed using the command line interface via an SSH session. For details, see the Command Line Interface Reference Guide.

Important: When a WAP-200 is restarted it automatically initializes itself to the default address 192.168.1.1 on all ports. If the DHCP client is enabled, it takes about 30 seconds after the restart for the DHCP client to request an address. Therefore, for a short period after restarting, the WAP-200 may conflict with another device on the network. This is usually not an issue. However, if you use an automated tool (like cURL) to update the configuration or firmware on several WAP-200s at the same time, you may experience difficulties. Schedule your updates to occur in succession, leaving a three-minute interval between devices.

Manual management

Use the Config file management option on the Maintenance menu to manage your configuration file.


The following options are available:

Backup configuration file


This option enables you to back up your configuration settings so they can be easily restored in case of failure. This option is also used when you want to edit the configuration file directly.

Reset configuration
Use this option to return the configuration of the WAP-200 to its factory default settings. Note: Resetting returns all configuration settings to their defaults and sets the administrator password to admin; change the password before the unit is reachable from a production network.

Restore configuration file


Enables you to restore a configuration from a previously saved backup. This feature enables you to maintain several configuration files with different settings, which can be useful if you frequently need to alter the configuration of the WAP-200, or if you are managing several WAP-200s from a central site.

Scheduled operations
Enables you to schedule unattended backup or restoration of the WAP-200's configuration file. To schedule a backup or restore:

1. Select Maintenance > Config file management. The Config file management page opens.
2. At lower right, select the Scheduled operations checkbox.
3. Under Operation, select Backup or Restore.
4. Under Day of week, select Everyday, or select a specific day of the week on which to perform the operation.
5. Under Time of day, enter the hour and minute at which to perform the operation, in the format hh mm, where hh ranges from 00 to 23 and mm from 00 to 59.
6. Under URL, enter the path to the local or remote location in which to save the configuration file, or from which to load it. For example:
   ftp://username:password@192.168.132.11/config.cfg
   http://192.168.132.11/config.cfg
7. To confirm that the specified URL is correct, click Validate.
8. To commit the schedule you have configured, click Save.

Note: The configuration file contains the administrator password and any RADIUS shared secrets, and credentials embedded in the URL are themselves stored in the WAP-200's configuration. FTP and HTTP carry the file in clear text, so keep the server on the management network and restrict who can read the saved files.


Using cURL

It is possible to automate management tasks using a tool like cURL. cURL is a software client that can get files from, or send files to, a server using a number of different protocols. cURL is designed to work without user interaction of any kind. It is available for Windows and Linux at http://curl.haxx.se/. You must use version 7.9.8 or higher.

The following cURL commands illustrate how to manage the configuration file. The following setup is assumed:
- The IP address of the WAP-200's Ethernet port is 24.28.15.22.
- Management access via the Ethernet port is enabled.
- The configuration file is located in WAP-200.cfg.

These examples are non-secure: no certificates are used for authentication. The -k option makes cURL skip verification of the WAP-200's certificate, so the data traffic is still encrypted but the WAP-200 itself is not authenticated. Remember that the configuration file you download contains the administrator password and any RADIUS shared secrets; store it with restricted permissions.

Note: To secure the connection with the WAP-200 using certificates, drop -k and use the --cacert option to specify where the CA certificates are located on your computer. This also requires that you specify the host name wireless.colubris.com instead of the IP address, so that the name in the WAP-200's certificate matches. The host name must be resolved either via a DNS server or using the hosts file on your computer.

Uploading the configuration file


1. Prepare the WAP-200 to receive the login.
curl -s -k "https://24.28.15.22/home.asp"

2. Log in to the management interface.


curl -s -k --dump-header cookie.txt "https://24.28.15.22/goform/Logout" -d username=admin -d pw=admin

3. Prepare the WAP-200 to receive the configuration update.


curl -s -k --cookie cookie.txt "https://24.28.15.22/script/config_init.asp"

4. Upload the configuration file.


curl -s -k --cookie cookie.txt -F config=@WAP-200.cfg -F backup=Restore "https://24.28.15.22/goform/ScriptUploadConfig"

5. Reset the WAP-200 to activate the new configuration.


curl -s -k --cookie cookie.txt "https://24.28.15.22/script/reset.asp"


Downloading the configuration file


1. Prepare the WAP-200 to receive the login.
curl -s -k "https://24.28.15.22/home.asp"

2. Log in to the management interface.


curl -s -k --dump-header cookie.txt "https://24.28.15.22/goform/Logout" -d username=admin -d pw=admin

3. Prepare the configuration file for download.


curl -s -k --cookie cookie.txt "https://24.28.15.22/goform/FormBackupConfig" -d backup=Backup

4. Download the configuration file.


curl -s -k --cookie cookie.txt "https://24.28.15.22/download/config.cfg" -o config.cfg

5. Logout.
curl -s -k --cookie cookie.txt https://24.28.15.22/goform/Logout -d logout=Logout

Resetting the configuration to factory defaults


1. Prepare the WAP-200 to receive the login.
curl -s -k "https://24.28.15.22/home.asp"

2. Log in to the management interface.


curl -s -k --dump-header cookie.txt "https://24.28.15.22/goform/Logout" -d username=admin -d pw=admin

3. Reset configuration to factory defaults.


curl -s -k --cookie cookie.txt "https://24.28.15.22/goform/ScriptResetFactory?reset=Reset+to+Factory+Default"

4. Reset the WAP-200 to activate the new configuration.


curl -s -k --cookie cookie.txt "https://24.28.15.22/script/reset.asp"
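The firmware upload, configuration upload, configuration download and factory reset procedures above all share the same session handling. The following Python script is an added example, not code from this guide or from Colubris: it drives those same endpoints with the standard library instead of cURL, verifies the WAP-200's certificate against a CA file (what --cacert does) rather than passing -k, writes the downloaded configuration with owner-only permissions because it contains the administrator password and RADIUS secrets, and updates several units one after another with the three-minute gap recommended above. The host names, the CA file path and the conn_factory hook used for offline testing are assumptions; the endpoint paths are the ones listed in the procedures.

```python
# Added example, not code from the Colubris guide. It scripts the same session
# the guide's cURL commands show (home.asp, the login form, the *_init.asp page,
# the multipart upload, reset.asp) with Python's standard library and verifies
# the WAP-200's certificate against a CA file (the equivalent of curl --cacert,
# so no -k). Assumed: the management host name resolves and matches the
# certificate, and the endpoint paths are the ones the guide lists. conn_factory
# lets the session be driven against a fake connection in tests.
import http.client
import os
import ssl
import time
import uuid
from urllib.parse import urlencode

FORM = {"Content-Type": "application/x-www-form-urlencoded"}


class WapSession:
    """One management session with a single WAP-200."""

    def __init__(self, host, cafile, user="admin", password="admin", conn_factory=None):
        if conn_factory is None:
            ctx = ssl.create_default_context(cafile=cafile)   # verify the server certificate
            conn_factory = lambda: http.client.HTTPSConnection(host, context=ctx)
        self._connect = conn_factory
        self.host, self.user, self.password = host, user, password
        self.cookie = None

    def _request(self, method, path, body=None, headers=None):
        hdr = dict(headers or {})
        if self.cookie:
            hdr["Cookie"] = self.cookie
        conn = self._connect()
        conn.request(method, path, body=body, headers=hdr)
        resp = conn.getresponse()
        data = resp.read()
        set_cookie = resp.getheader("Set-Cookie")
        if set_cookie:
            self.cookie = set_cookie.split(";", 1)[0]            # keep "name=value"
        conn.close()
        if resp.status >= 400:
            raise RuntimeError(f"{self.host}: {method} {path} -> HTTP {resp.status}")
        return data

    def login(self):
        self._request("GET", "/home.asp")                       # 1. prime the login page
        body = urlencode({"username": self.user, "pw": self.password})
        self._request("POST", "/goform/Logout", body, FORM)     # 2. the guide's login form
        if not self.cookie:
            raise RuntimeError(f"{self.host}: login returned no session cookie")

    def logout(self):
        self._request("POST", "/goform/Logout", "logout=Logout", FORM)

    @staticmethod
    def _multipart(fields, file_field, filename, content):
        """Encode what curl -F builds: text fields plus one file part."""
        boundary = uuid.uuid4().hex
        parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'.encode()
                 for k, v in fields.items()]
        parts.append((f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
                      f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n'
                      ).encode() + content + b"\r\n")
        parts.append(f"--{boundary}--\r\n".encode())
        return b"".join(parts), {"Content-Type": f"multipart/form-data; boundary={boundary}"}

    def install_firmware(self, path):
        """Steps 3-4 of the guide; the WAP-200 restarts by itself after the upload."""
        with open(path, "rb") as f:
            content = f.read()
        self._request("GET", "/script/firmware_init.asp")
        body, hdr = self._multipart({"backup": "Install"}, "firmware", os.path.basename(path), content)
        self._request("POST", "/goform/ScriptUploadFirmware", body, hdr)

    def backup_config(self, out_path):
        """Download config.cfg. It holds the admin password and RADIUS secrets, so mode 0600."""
        self._request("POST", "/goform/FormBackupConfig", "backup=Backup", FORM)
        data = self._request("GET", "/download/config.cfg")
        if not data:
            raise RuntimeError(f"{self.host}: empty configuration download")
        with os.fdopen(os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "wb") as f:
            f.write(data)
        return len(data)

    def restore_config(self, path):
        """Upload a saved config.cfg, then restart so it takes effect."""
        with open(path, "rb") as f:
            content = f.read()
        self._request("GET", "/script/config_init.asp")
        body, hdr = self._multipart({"backup": "Restore"}, "config", os.path.basename(path), content)
        self._request("POST", "/goform/ScriptUploadConfig", body, hdr)
        self._request("GET", "/script/reset.asp")

    def factory_reset(self):
        self._request("GET", "/goform/ScriptResetFactory?reset=Reset+to+Factory+Default")
        self._request("GET", "/script/reset.asp")


def rollout(sessions, action, gap=180, sleep=time.sleep):
    """Log in to each AP and run action(session) one device at a time, pausing
    gap seconds between devices so no two restart (and reappear on
    192.168.1.1) at the same time. Returns the hosts that failed."""
    failed = []
    for i, s in enumerate(sessions):
        try:
            s.login()
            action(s)
        except (OSError, RuntimeError) as err:
            failed.append(s.host)
            print(f"FAILED {err}")
        if i < len(sessions) - 1:
            sleep(gap)
    return failed
```

A fleet update is then rollout([WapSession(h, "colubris-ca.pem", password=os.environ["WAP_PASS"]) for h in hosts], lambda s: s.install_firmware("WAP-200.cim")); the password comes from the environment rather than the command line, where cURL's -d pw=... leaves it in the process list and shell history, and a unit that answers with an HTTP error is reported and skipped instead of stopping the run.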


Using a RADIUS server


This section explains how to use a RADIUS server for administrator authentication, and to authenticate and store accounting information for users authenticated via MAC, WPA or 802.1x, when the WAP-200 is not working in conjunction with a Colubris Networks access controller. The minimum setup you must define to use a RADIUS server is as follows:

- Define RADIUS client settings for the WAP-200. Each WAP-200 is considered to be a RADIUS client, and you must define client settings on the RADIUS server for each one that you intend to install.
- Create a RADIUS profile for one or more users. The user profile is required to authenticate users when they connect and to store accounting information.
- (Optional) Create a RADIUS profile for one or more administrators. The administrator profile is used to authenticate an administrator logging in to the Management Tool.

Creating a RADIUS client entry for the WAP-200

Any device that uses the authentication services of a RADIUS server is called a RADIUS client (or RAS client on some systems). Therefore, each WAP-200 is considered to be a RADIUS client and you must define client settings on the RADIUS server for each one that you intend to install.

Configuration settings
You may need to supply the following information when setting up a RADIUS client entry:
- Client IP address: The IP address assigned to the WAP-200's LAN ports.
- Shared secret: The secret the WAP-200 and the RADIUS server use to authenticate the packets they exchange. Use a long, random value and a different secret for each client entry, so that a WAP-200 that is stolen or compromised does not expose the others.


Configuring the connection


To configure the connection to a RADIUS server, do the following:

1. Open the Security > RADIUS page.
2. Click Add New Profile. The RADIUS profiles configuration page opens.
3. Configure the parameters as described in the sections that follow.
4. Click Save when you are done.

Profile name
Specify a name to identify the profile.

RADIUS profile settings


Authentication port
Specify the port to use for authentication. By default, RADIUS servers use port 1812.

Accounting port
Specify the port to use for accounting. By default, RADIUS servers use port 1813.

Retry interval
Controls the retry interval (in seconds) for access and accounting requests that time out. If no reply is received within this interval, the WAP-200 switches between the primary and secondary RADIUS servers (if defined). A reply that arrives after the interval has expired is ignored.

This parameter applies to access and accounting requests generated by:
- administrator logins to the Management Tool
- MAC-based authentication of devices

The maximum number of retries is determined as follows:
- MAC-based and WAP-200 authentication: the number of retries is infinite.
- 802.1x authentication: retries are controlled by the 802.1x client software.


Authentication method
Choose the default authentication method the WAP-200 will use when exchanging authentication packets with the primary/secondary RADIUS server defined for this profile. For 802.1x users, the authentication method is always determined by the 802.1x client software and is not controlled by this setting. If traffic between the WAP-200 and the RADIUS server is not protected by a VPN, it is recommended that you use either EAP-MD5 or MSCHAP V2, if supported by your RADIUS Server. (PAP, MSCHAP V1 and CHAP are less secure protocols.)

NAS Id
Specify the network access server ID you want to use for the WAP-200. By default, the serial number of the WAP-200 is used. The WAP-200 includes the NAS-Identifier attribute in all packets that it sends to the RADIUS server.

Always try primary server first


Set this option to force the WAP-200 to contact the primary server first. Otherwise, the WAP-200 sends the first RADIUS access request to the last known RADIUS server that replied to any previous RADIUS access request. If the request times out, the next request is sent to the other RADIUS server if defined. For example, assume that the primary RADIUS server was not reachable and that the secondary server responded to the last RADIUS access request. When a new authentication request is received, the WAP-200 sends the first RADIUS access request to the secondary RADIUS server. If it does not reply, the RADIUS access request is retransmitted to the primary RADIUS server. The WAP-200 always alternates between the two servers, when configured.

Primary RADIUS server


Server address
Specify the IP address of the RADIUS server.

Secret/Confirm secret
Specify the secret (password) that WAP-200 will use when communicating with the RADIUS server. The shared secret is used to authenticate all packets exchanged with the server to prove that they originate from a valid/trusted source.

Secondary RADIUS server


Server address
Specify the IP address of the RADIUS server.

Secret/Confirm secret
Specify the secret (password) that WAP-200 will use when communicating with the RADIUS server. The shared secret is used to authenticate all packets exchanged with the server to prove that they originate from a valid/trusted source.


Creating user profiles on the RADIUS server

You must create at least one RADIUS user profile. Multiple user accounts can be associated with a single RADIUS profile. Note: The maximum total size of the attributes the WAP-200 can receive in one packet is 4096 bytes.

Supported RADIUS attributes


This section presents all RADIUS and Colubris attributes that are supported for a WAP-200 profile. (Attributes starting with MS are Microsoft attributes and are not standard.) The WAP-200 supports the following RADIUS attributes when VAP-based 802.1x or MAC authentication is enabled without using the services of a Colubris Networks access controller. When an access controller is used, RADIUS attributes are supported as defined in the administrator's guide for the access controller. Note: In the following definitions, strings are 1 to 253 characters in length.

Colubris Networks vendor-specific attribute


The Colubris Networks vendor-specific attribute conforms to RADIUS RFC 2865. You may need to define this attribute on your RADIUS server if it is not already present. In this case, you need to specify the following:
- SMI network management private enterprise code = 8744
- Vendor-specific attribute type number = 0
- Attribute type = string

Access Request

Attributes (sent for Web Admin, 802.1x or MAC authentication, as applicable):
Acct-Session-Id, Called-Station-Id, Calling-Station-Id, EAP-Message, Framed-MTU, Message-Authenticator, NAS-Identifier, NAS-Ip-Address, NAS-Port, NAS-Port-Type, Service-Type, State, User-Name, User-Password, Colubris-AVPair (SSID)


Descriptions

- Acct-Session-Id (32-bit unsigned integer): Random value generated per authentication by the WAP-200.
- Called-Station-Id (string): BSSID of the VSC used by a wireless client, or the MAC address of the LAN port used by a wired client. By default, the MAC address is sent in IEEE format, for example 00-02-03-5E-32-1A. This can be changed on the Security > 802.1x page.
- Calling-Station-Id (string): The MAC address of the 802.1x client station. By default, the MAC address is sent in IEEE format, for example 00-02-03-5E-32-1A. This can be changed on the Security > 802.1x page.
- Framed-MTU (32-bit unsigned integer): Hard-coded value of 1496.
- Message-Authenticator (string): As defined in RFC 2869. Always present, even when not doing an EAP authentication. Length = 16 bytes.
- NAS-Identifier (string): The NAS ID set on the Security > RADIUS page for the RADIUS profile being used.
- NAS-Ip-Address (32-bit unsigned integer): The IP address of the port the WAP-200 is using to communicate with the RADIUS server.
- NAS-Port (32-bit unsigned integer): A virtual port number starting at 1, assigned by the WAP-200. For 802.1x, this field is always set to 0.
- NAS-Port-Type (32-bit unsigned integer): Always set to 19, which represents WIRELESS_802_11.
- Service-Type (32-bit unsigned integer): Set to Framed-User.
- State (string): As defined in RFC 2865.
- User-Name (string): The username assigned to the user or, if MAC authentication is enabled, the MAC address of the wireless client station.
- Colubris-AVPair (SSID): SSID that the customer is associated with.

The following two attributes are mutually exclusive, depending on the RADIUS authentication method:
- User-Password (string): The password supplied by a user or device when logging in, encoded as defined in RFC 2865. Only present when the authentication scheme on the Security > RADIUS > Profile 1 page is set to PAP/SecurID. If MAC authentication is enabled, this is the MAC address of the wireless client station.
- EAP-Message (string): As defined in RFC 2869. Only present when the authentication scheme on the Security > RADIUS > Profile 1 page is set to EAP-MD5.


Access Accept

Attributes (accepted for Web Admin, 802.1x or MAC authentication, as applicable):
Class, EAP-Message, MS-MPPE-Recv-Key, MS-MPPE-Send-Key, Session-Timeout, Termination-Action, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Tunnel-Type

Descriptions

- Class (string): As defined in RFC 2865. Multiple instances are supported.
- EAP-Message (string): The content is not read, since the RADIUS Access-Accept overrides whatever indication is contained inside this attribute.
- MS-MPPE-Recv-Key: As defined by RFC 3078.
- MS-MPPE-Send-Key: As defined by RFC 3078.
- Session-Timeout (32-bit unsigned integer): Maximum time a session can be active. After this interval, the 802.1x client is re-authenticated.
- Termination-Action: As defined by RFC 2865. If set to 1, customer traffic is not allowed during the 802.1x re-authentication.
- Tunnel-Medium-Type: Only used when assigning a specific VLAN number to a customer. In this case it must be set to 802 (IEEE-802, value 6).
- Tunnel-Private-Group-ID: Only used when assigning a specific VLAN number to a customer. In this case it must be set to the VLAN ID.
- Tunnel-Type: Only used when assigning a specific VLAN number to a customer. In this case it must be set to VLAN (value 13).

Access Reject
None.


Access Challenge

Attributes (for Web Admin, 802.1x or MAC authentication, as applicable):
EAP-Message, Message-Authenticator, State

Descriptions

- EAP-Message (string): As defined in RFC 2869.
- Message-Authenticator (string): As defined in RFC 2869. Always present, even when not doing an EAP authentication. Length = 16 bytes.
- State (string): As defined in RFC 2865.

Accounting request

Attributes (sent for Web Admin, 802.1x or MAC authentication, as applicable):
Acct-Session-Id, Acct-Session-Time, Acct-Status-Type, Called-Station-Id, Calling-Station-Id, Class, Framed-MTU, NAS-Identifier, NAS-Port, NAS-Port-Type, User-Name, Colubris-AVPair (SSID)


Descriptions

- Acct-Session-Id (32-bit unsigned integer): Random value generated by the WAP-200.
- Acct-Session-Time (32-bit unsigned integer): Number of seconds since this session was authenticated.
- Acct-Status-Type (32-bit unsigned integer): Supported values are Accounting-On (7) and Accounting-Off (8).
- Called-Station-Id (string): BSSID of the wireless client, or the MAC address of the LAN port used by a wired client. By default, the MAC address is sent in IEEE format, for example 00-02-03-5E-32-1A. This can be changed on the Security > 802.1x page.
- Calling-Station-Id (string): The MAC address of the 802.1x client station. By default, the MAC address is sent in IEEE format, for example 00-02-03-5E-32-1A. This can be changed on the Security > 802.1x page.
- Class (string): As defined in RFC 2865. Multiple instances are supported.
- Framed-MTU (32-bit unsigned integer): Hard-coded value of 1496. The value is always four bytes lower than the wireless MTU maximum of 1500 bytes, in order to support IEEE 802.1x authentication.
- NAS-Identifier (string): The NAS ID set on the Security > RADIUS page for the profile being used.
- NAS-Port (32-bit unsigned integer): Always 0.
- NAS-Port-Type (32-bit unsigned integer): Always set to 19, which represents WIRELESS_802_11.
- User-Name (string): The RADIUS username provided by the 802.1x client.
- Colubris-AVPair (SSID): SSID that the customer is associated with.

Accounting response
None.


Creating administrator profiles on the RADIUS server

If you want to support multiple administrator names and passwords, you must use a RADIUS server to manage them. The WAP-200 only supports a single admin name and password internally.

Important: Improper configuration of the administrator profile could expose the WAP-200 to access by any user with a valid account. The only thing that distinguishes an administrator login from a standard user login is the Service-Type attribute the WAP-200 sends in the Access Request (Administrative, value 6). Configure the RADIUS server so that a request with an Administrative service type is rejected unless the account is an administrator; a correct password alone must not be enough.

Supported RADIUS attributes


The following RADIUS attributes are supported.

Access Request

- User-Name (string): The username assigned to the user, or the device MAC address when using MAC authentication.
- NAS-Identifier (string): The NAS ID set on the Security > RADIUS page for the profile being used.
- Service-Type (32-bit unsigned integer): As defined in RFC 2865. Set to a value of 6, which indicates SERVICE_TYPE_ADMINISTRATIVE.
- Framed-MTU (32-bit unsigned integer): Hard-coded value of 1496.
- MSCHAP-Challenge (string): As defined in RFC 2433. Only present when the authentication scheme on the Security > RADIUS page is set to MSCHAPv1 or MSCHAPv2. Length = 8 bytes.
- MSCHAP-Response (string): As defined in RFC 2433. Only present when the authentication scheme on the Security > RADIUS page is set to MSCHAPv1. Length = 49 bytes.

Access Accept
None.

Access Reject
None.

Access Challenge
None.

Accounting Request
None.

Accounting Response
None.
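The attribute tables above describe what each packet carries, but not how the shared secret protects it or how the administrator check is enforced. The following Python is an added example, not code from this guide or from Colubris. It builds the Access Request the WAP-200 sends for a Management Tool login (Service-Type Administrative) or for a MAC/PAP user, with the User-Password hiding of RFC 2865, the Message-Authenticator of RFC 2869 and the Colubris-AVPair vendor-specific attribute (enterprise 8744, type 0), and a minimal server-side authorize() that answers with an Access Accept carrying the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID VLAN attributes, or an Access Reject. authorize() applies the check the warning above calls for: an account that is not flagged as an administrator is rejected when the request asks for Administrative service, even with a valid password. The shared secret, NAS ID, SSID and user table are constructed values; EAP and MS-CHAP exchanges are not covered.

```python
# Added example, not from the Colubris guide: the RADIUS exchange the guide
# describes, in Python. build_access_request() emits what the WAP-200 sends for
# a Management Tool login (Service-Type 6) or a MAC/PAP user, including the
# Colubris-AVPair VSA (vendor 8744, type 0) and a Message-Authenticator;
# authorize() is a minimal server applying the check the guide warns about:
# Administrative service only for accounts flagged as administrators.
# Secret, NAS ID, SSID and user table values are constructed for illustration.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC, NAS_IDENTIFIER = 1, 2, 6, 26, 32
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 80, 81
SERVICE_FRAMED, SERVICE_ADMINISTRATIVE, TUNNEL_VLAN, MEDIUM_802 = 2, 6, 13, 6
COLUBRIS_VENDOR, COLUBRIS_AVPAIR = 8744, 0


def _attr(t, value):                      # Type, Length (including the 2-byte header), Value
    return struct.pack("!BB", t, 2 + len(value)) + value


def _int(v):
    return struct.pack("!I", v)


def _tagged(v):                           # RFC 2868 tunnel integer: tag 0 + 3-byte value
    return b"\0" + _int(v)[1:]


def colubris_avpair(text):
    """Vendor-Specific: Vendor-Id 8744, then vendor type 0 / length / string."""
    return _attr(VENDOR_SPECIFIC, _int(COLUBRIS_VENDOR) + _attr(COLUBRIS_AVPAIR, text.encode()))


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    p = password.encode()
    p += b"\0" * (-len(p) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0").decode()


def parse_attrs(attrs):
    """List of (type, value, offset) in packet order; duplicates (e.g. Class) are kept."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        out.append((attrs[i], attrs[i + 2:i + attrs[i + 1]], i))
        i += attrs[i + 1]
    return out


def build_access_request(secret, ident, user, password, nas_id, ssid, admin=False):
    ra = os.urandom(16)                                   # Request Authenticator
    attrs = _attr(USER_NAME, user.encode())
    attrs += _attr(USER_PASSWORD, hide_password(password, secret, ra))
    attrs += _attr(NAS_IDENTIFIER, nas_id.encode())
    attrs += _attr(SERVICE_TYPE, _int(SERVICE_ADMINISTRATIVE if admin else SERVICE_FRAMED))
    attrs += colubris_avpair("SSID=" + ssid)
    attrs += _attr(MESSAGE_AUTHENTICATOR, b"\0" * 16)    # zero while computing the HMAC
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def authorize(request, secret, users):
    """Server side. users: name -> {'password', 'admin', optional 'vlan'}.
    Returns an Access-Accept (with VLAN tunnel attributes if set) or an Access-Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    ra, items = request[4:20], parse_attrs(request[20:])
    attrs = {t: v for t, v, _ in items}
    ma = [(v, off) for t, v, off in items if t == MESSAGE_AUTHENTICATOR]
    if not ma:
        raise ValueError("Message-Authenticator missing")
    value, off = ma[0]
    zeroed = request[:22 + off] + b"\0" * 16 + request[38 + off:]
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value):
        raise ValueError("bad Message-Authenticator: wrong shared secret or altered packet")
    account = users.get(attrs[USER_NAME].decode())
    password = reveal_password(attrs[USER_PASSWORD], secret, ra)
    service = struct.unpack("!I", attrs.get(SERVICE_TYPE, _int(0)))[0]
    granted = account is not None and hmac.compare_digest(account["password"].encode(), password.encode())
    if service == SERVICE_ADMINISTRATIVE and not (account or {}).get("admin"):
        granted = False           # a valid password alone must not open the Management Tool
    reply = b""
    if granted and account.get("vlan"):
        reply += _attr(TUNNEL_TYPE, _tagged(TUNNEL_VLAN)) + _attr(TUNNEL_MEDIUM_TYPE, _tagged(MEDIUM_802))
        reply += _attr(TUNNEL_PRIVATE_GROUP_ID, str(account["vlan"]).encode())
    head = struct.pack("!BBH", ACCESS_ACCEPT if granted else ACCESS_REJECT, ident, 20 + len(reply))
    return head + hashlib.md5(head + ra + reply + secret).digest() + reply   # Response Authenticator


def check_reply(reply, request, secret):
    """WAP-200 side: the Response Authenticator proves the reply came from the server
    holding our shared secret. Returns (accepted, vlan or None)."""
    code, ident, _ = struct.unpack("!BBH", reply[:4])
    expect = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(expect, reply[4:20]):
        raise ValueError("reply failed authentication or ID mismatch")
    attrs = {t: v for t, v, _ in parse_attrs(reply[20:])}
    vlan = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    return code == ACCESS_ACCEPT, vlan.decode() if vlan else None
```

Both sides verify before they trust anything: the server recomputes the HMAC-MD5 Message-Authenticator and rejects a packet built with a different secret or altered in transit, and check_reply() on the WAP-200 side validates the Response Authenticator before acting on the Accept or the VLAN it carries. Note that the User-Password hiding is only as strong as the shared secret, which is why the guide recommends a VPN or a stronger method than PAP when the path to the RADIUS server is not trusted.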


Chapter 3: More from Colubris


In this chapter you can find information about the resources that are available to you at the Colubris website, as well as information about how to contact Colubris support, training, and sales.


Colubris.com
Visit Colubris.com to access Datasheets, Whitepapers, Case Studies, and Solution Guides. From the left side of the homepage, select Literature in order to view these menu items. Access to this material is free and does not require product registration.

For registered customers

By registering your product at Colubris.com, you can access the information listed below. To register, go to Colubris.com and from the left side of the home page select Support > Product Registration. Complete and submit the Product Registration Form to gain access to the support area of the website. Once you register your product purchase with Colubris, you can log in and access the following:
- Technical documentation
- Administrator's guides
- Quickstart guides
- Quick setup tools
- SNMP MIBs
- Software license agreement
- Return Material Authorization (RMA) procedures and forms

For Annual Maintenance Support Program customers

Colubris Networks offers a comprehensive set of annual support programs that focus on the hardware and software content of Colubris' award-winning family of secure Wi-Fi solutions. Annual Maintenance Support Programs provide a broad level of hardware and software assistance that combines various elements of support:
- Telephone-based technical support
- Hardware support
- Software support

When visiting Colubris.com, customers who have purchased an Annual Maintenance Support Program can access the following information in addition to the website material discussed above:
- FAQs
- Technical notes
- Release notes
- Software downloads


Information by telephone and e-mail


You can contact Colubris support, training, and sales directly as follows:

Colubris Customer Support team:
- E-mail support@colubris.com
- Telephone toll-free from within the United States and Canada by dialing 1-866-241-8324, then select option 1.
- To telephone the Colubris Customer Support team from other countries, dial the International Direct Dialing (IDD) prefix for the country from which you are calling, then dial 1-781-684-0001 and select option 1. You can find a list of IDDs, as well as more information about making international calls, at http://kropla.com/dialcode.htm.

Colubris training department: E-mail training@colubris.com

Colubris sales information: E-mail sales@colubris.com
