Page 1 HiPath Wireless Controller, Access Points and Convergence Software, V4.0 C10/C100/C1000 User Guide...
Page 2 An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract. The trademarks used are owned by Siemens AG or their respective owners.
Page 3: Table Of Contents
hwc1000_user_guidetoc.fm Content Nur für den internen Gebrauch Content 1 About this Guide ............9 1.1 Who should use this guide.
Page 4 hwc1000_user_guidetoc.fm Content Nur für den internen Gebrauch 4.2.3 Applying the product license key ........52 4.2.4 Setting up the data ports .
Page 5 hwc1000_user_guidetoc.fm Content Nur für den internen Gebrauch 6.7 Data protection on a VNS—WEP and WPA ....... . 116 6.8 VNS global settings .
Page 6 hwc1000_user_guidetoc.fm Content Nur für den internen Gebrauch 7.10.1 Setting up a VNS for voice traffic ........176 7.11 Configuring Quality of Service (QoS) .
Page 7 hwc1000_user_guidetoc.fm Content Nur für den internen Gebrauch 12.2 Resetting the AP to its factory default settings ......246 12.3 Performing system maintenance tasks .
Page 8: Content
hwc1000_user_guidetoc.fm Content Nur für den internen Gebrauch A31003-W1040-U101-1-7619, July 2006 DRAFT HiPath Wireless Controller, Access Points and Convergence Software V4.0, C10/C100/C1000 User Guide...
Page 9: About This Guide
hwc_pref.fm About this Guide Who should use this guide About this Guide This guide describes how to install, configure, and manage the Controller, Access Points and Convergence Software software. This guide is also available as an online help system. To access the online help system: In the HiPath Wireless Assistant Main Menu bar, click Help.
Page 10: Formatting Conventions
hwc_pref.fm About this Guide Formatting conventions Chapter 7, “Virtual Network configuration”, provides detailed instructions in how to ● configure a VNS, its topology, authentication, accounting, RADIUS policy, multicast, filtering and privacy. Both Captive Portal and AAA types of VNS are described. Chapter 8, “Availability, mobility, and controller functionality”, describes how to set up the ●...
Page 11: Documentation Feedback
Use only original accessories or components approved for the system. Failure to observe ● these instructions may damage the equipment or even violate safety and EMC regulations. Only authorized Siemens service personnel are permitted to service the system. ● Warnings This device must not be connected to a LAN segment with outdoor wiring.
Page 12: Sicherheitshinweise
● Komponenten. Die Nichtbeachtung dieser Hinweise kann zur Beschädigung der Ausrüstung oder zur Verletzung von Sicherheits- und EMV-Vorschriften führen. Das System darf nur von autorisiertem Siemens-Servicepersonal gewartet werden. ● A31003-W1040-U101-1-7619, July 2006 DRAFT HiPath Wireless Controller, Access Points and Convergence Software V4.0, C10/C100/C1000 User Guide...
Page 13 hwc_pref.fm About this Guide Sicherheitshinweise Warnhinweise Dieses Gerät darf nicht über Außenverdrahtung an ein LAN-Segment angeschlossen ● werden. Stellen Sie sicher, dass alle Kabel korrekt geführt werden, um Zugbelastung zu vermeiden. ● Sollte das Netzteil Anzeichen von Beschädigung aufweisen, tauschen Sie es sofort aus. ●...
Page 14: Consignes De Sécurité
● système. Dans le cas contraire, vous risquez d'endommager l'installation ou d'enfreindre les consignes en matière de sécurité et de compatibilité électromagnétique. Seul le personnel de service Siemens est autorisé à maintenir/réparer le système. ● Avertissements Cet appareil ne doit pas être connecté à un segment de LAN à l'aide d'un câblage ●...
Page 15 hwc_pref.fm About this Guide Consignes de sécurité Précautions Contrôlez la tension nominale paramétrée sur l'installation (voir le mode d'emploi et la ● plaque signalétique). Des tensions élevées pouvant entraîner des chocs électriques sont utilisées dans cet équipement. Lorsque le système est sous tension, prenez toutes les précautions nécessaires lors de la mesure des hautes tensions et de l'entretien/réparation des cartes, des panneaux, des plaques.
Page 16 hwc_pref.fm About this Guide Consignes de sécurité A31003-W1040-U101-1-7619, July 2006 DRAFT HiPath Wireless Controller, Access Points and Convergence Software V4.0, C10/C100/C1000 User Guide...
Page 17: Regulatory Information
Changes or modifications made to the HiPath Wireless Controller or the Wireless APs which are not expressly approved by Siemens could void the user's authority to operate the equipment. Only authorized Siemens service personnel are permitted to service the system.
Page 18: Ap2610 Internal Antenna Ap, Ap2620 External Antenna Ap
hwc_regulatory_information.fm Regulatory information AP2610 Internal Antenna AP, AP2620 External Antenna AP AS/NZS 3260 (Australia/New Zealand ACMA Safety of ITE) ● US 21 CFR Subpart J 1002.10, 1002.12 (Safety of Laser Products) ● CDRH Letter of Approval (US FDA Laser Approval) ●...
Page 19 hwc_regulatory_information.fm Regulatory information AP2610 Internal Antenna AP, AP2620 External Antenna AP This device may not cause harmful interference. ● This device must accept any interference received, including interference that may cause ● undesired operation. This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules.
Page 20: Fcc Rf Radiation Exposure Statement
47 CFR 15.407(d). This Part 15 radio device operates on a non-interference basis with other devices operating at the same frequency when using antennas provided or other Siemens certified antennas. Any changes or modification to the product not expressly approved by Siemens could void the user's authority to operate this device.
Page 21 hwc_regulatory_information.fm Regulatory information AP2610 Internal Antenna AP, AP2620 External Antenna AP This device complies with Part 15 of the FCC Rules and Canadian Standard RSS-210. Operation is subject to the following conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
Page 22: European Community
2.2.3.1 Declaration of Conformity in Languages of the European Community English Hereby, Siemens, declares that this Radio LAN device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Finnish Valmistaja Siemens vakuuttaa täten että Radio LAN device tyyppinen laite on direktiivin 1999/5/EY oleellisten vaatimusten ja sitä...
Page 23 1999/5/CE. Spanish Por medio de la presente Siemens declara que el Radio LAN device cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999/5/CE.
Page 24 és az 1999/5/EC irányelv egyéb elõírásainak. Slovak Siemens týmto vyhlasuje, _e Radio LAN device spåòa základné po_iadavky a všetky príslušné ustanovenia Smernice 1999/5/ES. Siemens tímto prohlašuje, _e tento Radio LAN device je ve shodì se Czech základními po_adavky a dalšími pøíslušnými ustanoveními smìrnice 1999/5/ES." Slovenian Šiuo Siemens deklaruoja, kad šis Radio LAN device atitinka esminius...
Page 25: Conditions Of Use In The European Community
hwc_regulatory_information.fm Regulatory information AP2610 Internal Antenna AP, AP2620 External Antenna AP Radio Transceiver R&TTE Directive 1999/5/EC ● ETSI/EN 300 328-2 2003-04 (2.4 GHz) ● ETSI/EN 301 893-1 2002-07 (5 GHz) ● Other IEEE 802.11a (5 Ghz) ● IEEE 802.11b/g (2.4 GHz) ●...
Page 26 The AP2620 with external antenna must be used only with the factory installed ● antennas, which are certified by Siemens. The 2.4 GHz band, channels 1 - 13, may be used for indoor or outdoor use but ●...
Page 27: Certifications Of Other Countries
The AP2610 and AP2620 wireless access points have been certified for use in the countries listed in the table below. When the AP26XX is connected to the Siemens controller, the user is prompted to enter a country code. Once the correct country code is entered, the controller automatically sets up the AP26XX with the proper frequencies and power outputs for that country code.
Page 28 hwc_regulatory_information.fm Regulatory information AP2610 Internal Antenna AP, AP2620 External Antenna AP Countries Supported Frequency Supported Channel Numbers Bands Brazil 5.15-5.35 GHz 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 5.470-5.725 GHz 108, 112, 116, 120, 124, 128, 132, 136, 140, 149, 153, 157, 161, 165 Chile, Hong Kong, 5.15-5.35 GHz...
Page 29: Overview Of The Controller, Access Points And Convergence Software Solution
System Configuration Overview ● The next generation of Siemens wireless networking devices provides a truly scalable WLAN solution. Siemens Wireless APs are fit access points controlled through a sophisticated network device, the HiPath Wireless Controller. This solution provides the security and manageability required by enterprises and service providers.
Page 30: Elements Of The Solution
hwc_intro.fm Overview of the Controller, Access Points and Convergence Software solution Elements of the solution To allow the wireless devices to communicate with computers on a wired network, the access points must be connected to the wired network providing access to the networked computers. This topology is called bridging.
Page 31 SLP (Service Location Protocol) ● Figure 2 Siemens solution As illustrated in Figure 2, the HiPath Wireless Controller appears to the existing network as if it were an access point, but in fact one HiPath Wireless Controller controls many Wireless APs.
Page 32 hwc_intro.fm Overview of the Controller, Access Points and Convergence Software solution Elements of the solution The Controller, Access Points and Convergence Software system: Scales up to Enterprise capacity – One HiPath Wireless Controller (C1000 model) ● controls as many as 200 Wireless APs.One HiPath Wireless Controller C2400 controls as many as 200 Wireless APs.
Page 33: Controller, Access Points And Convergence Software And Your Network
Service Agent. In larger installations, a Directory Agent collects information from Service Agents and creates a central repository. The Siemens solution relies on registering “siemens” as an SLP Service Agent. Domain Name Server (DNS) – A server used as an alternate mechanism (if present on ●...
Page 34: Network Traffic Flow
hwc_intro.fm Overview of the Controller, Access Points and Convergence Software solution Controller, Access Points and Convergence Software and your network Web Authentication Server – A server that can be used for external Captive Portal and ● external authentication. The HiPath Wireless Controller has an internal Captive portal presentation page, which allows Web authentication (Web redirection) to take place without the need for an external captive portal server.
Page 35: Network Security
hwc_intro.fm Overview of the Controller, Access Points and Convergence Software solution Controller, Access Points and Convergence Software and your network Figure 3 Traffic Flow diagram Each wireless device sends IP packets in the 802.11 standard to the Wireless AP. The Wireless AP uses a UDP (User Datagram Protocol) based tunnelling protocol to encapsulate the packets and forward them to the HiPath Wireless Controller.
Page 36: Authentication
hwc_intro.fm Overview of the Controller, Access Points and Convergence Software solution Controller, Access Points and Convergence Software and your network Shared Key authentication that relies on Wired Equivalent Privacy (WEP) keys ● Open System that relies on Service Set Identifiers (SSIDs) ●...
Page 37: Privacy
hwc_intro.fm Overview of the Controller, Access Points and Convergence Software solution Controller, Access Points and Convergence Software and your network 3.3.2.2 Privacy Privacy is a mechanism that protects data over wireless and wired networks, usually by encryption techniques. Controller, Access Points and Convergence Software supports the Wired Equivalent Privacy (WEP) standard common to conventional access points.
Page 38: Static Routing And Routing Protocols
hwc_intro.fm Overview of the Controller, Access Points and Convergence Software solution Controller, Access Points and Convergence Software and your network 3.3.4 Static routing and routing protocols Routing can be used on the HiPath Wireless Controller to support the VNS definitions. Through the user interface you can configure routing on the HiPath Wireless Controller to use one of the following routing techniques: Static routes –...
Page 39: Mobility And Roaming
hwc_intro.fm Overview of the Controller, Access Points and Convergence Software solution Controller, Access Points and Convergence Software and your network 3.3.6 Mobility and roaming In typical configurations, APs are setup as bridges, which bridge wireless traffic to the local subnet. In bridging configurations, the user obtains an IP address from the same subnet as the AP.
Page 40: System Configuration Overview
hwc_intro.fm Overview of the Controller, Access Points and Convergence Software solution System Configuration Overview WMM (Wi-Fi Multimedia) – WMM is enabled per VNS. For C1000 controllers, these are ● primarily only AP features. The HiPath Wireless Controller provides centralized management of these AP features. For devices with WMM enabled, the standard provides multimedia enhancements for audio, video, and voice applications.
Page 41 hwc_intro.fm Overview of the Controller, Access Points and Convergence Software solution System Configuration Overview configuration, this feature will expedite deployment, as an AP will automatically receive full configuration (including VNS assignment) upon initial registration with the HiPath Wireless Controller. Wireless AP Configuration – Modify properties or settings of the Wireless AP, if desired. Virtual Network Services (VNS) Setup –...
Page 42 hwc_intro.fm Overview of the Controller, Access Points and Convergence Software solution System Configuration Overview A31003-W1040-U101-1-7619, July 2006 DRAFT HiPath Wireless Controller, Access Points and Convergence Software V4.0, C10/C100/C1000 User Guide...
Page 43: Configuring The Hipath Wireless Controller
hwc_startup.fm Configuring the HiPath Wireless Controller Configuring the HiPath Wireless Controller This chapter introduces the HiPath Wireless Controller and describes the steps involved in its initial configuration and setup, including: System configuration overview ● Performing the first-time setup of the HiPath Wireless Controller ●...
Page 44: System Configuration Overview
hwc_startup.fm Configuring the HiPath Wireless Controller System configuration overview HiPath Wireless Controller (Rev.2) Specifications Model Number C100 Four fast-Ethernet ports (10/100 BaseT), ● supporting up to 75 Wireless APs One management port (10/100/1000 BaseT) ● One console port (DB9 serial) ●...
Page 45 hwc_startup.fm Configuring the HiPath Wireless Controller System configuration overview Step 3 – Installing the hardware Install the HiPath Wireless Controller C10/C100/C1000. For more information, see the HiPath Wireless Controller, Access Points and Convergence Software Controller C10/C100/C1000 Installation Instructions. Install the HiPath Wireless Controller C2400. For more information, see the HiPath Wireless Controller, Access Points and Convergence Software Controller C2400 Installation Instructions.
Page 46 hwc_startup.fm Configuring the HiPath Wireless Controller System configuration overview Step 5 – Configuring the VNS Research and then configure the traffic topologies your network must support. Set up one or more virtual subnetworks on the HiPath Wireless Controller. For each VNS, configure the following: Topology –...
Page 47: Performing The First-Time Setup Of The Hipath Wireless Controller
hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller Before you can connect the HiPath Wireless Controller to the enterprise network, you must change the IP address of the HiPath Wireless Controller management port from its factory default to the IP address suitable for your enterprise network.
Page 48 hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller In the User Name box, type your user name. The default is admin. In the Password box, type your password. The default is abc123. A31003-W1040-U101-1-7619, July 2006 DRAFT HiPath Wireless Controller, Access Points and Convergence Software V4.0, C10/C100/C1000 User Guide...
Page 49 hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller Click Login. The HiPath Wireless Assistant main menu screen appears. In the footer of the HiPath Wireless Assistant, the following is displayed: > [host name | product name | up time] ●...
Page 50 hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller In the Management Port Settings section, click Modify. The System Port Configuration screen appears. 10. Type the following information: Hostname – Specifies the name of the HiPath Wireless Controller ●...
Page 51: Changing The Administrator Password
hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller Management IP Address – Specifies the new IP address for the HiPath Wireless ● Controller’s management port. Change this as appropriate for the enterprise network. Subnet mask –...
Page 52: Applying The Product License Key
hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller To connect the HiPath Wireless Controller to your enterprise network: Disconnect your computer from the HiPath Wireless Controller management port. Connect the HiPath Wireless Controller management port to the enterprise Ethernet LAN. The HiPath Wireless Controller resets automatically.
Page 53: Setting Up The Data Ports
hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller In the Apply Product Key section, click Browse to navigate to the location of the product key file and select the file. Click Apply Now. The product license key is applied. 4.2.4 Setting up the data ports The next step in the initial setup of the HiPath Wireless Controller is to configure the physical...
Page 54 hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller Router Port ● Use a router port definition for a port that you want to connect to an upstream, next-hop router in the network. Dynamic routing protocol, such as OSPF, can be turned on for this port type.
Page 55 hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller The lower portion of the HiPath Wireless Controller Configuration screen displays either four Ethernet ports (for the C10 and C100), or two ports (for the C1000). For each port, the MAC address is displayed automatically.
Page 56 hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller Subnet mask – The appropriate subnet mask for the IP address, which separates the ● network portion from the host portion of the address (typically 255.255.255.0). MTU –...
Page 57: Setting Up Static Routes
hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller 4.2.5 Setting up static routes It is recommended that you define a default route to your enterprise network, either with a static route or by using OSPF protocol. A default route enables the HiPath Wireless Controller to forward packets to destinations that do not match a more specific route definition.
Page 58 hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller In the Gateway box, type the IP address of the specific router port or gateway on the same subnet as the HiPath Wireless Controller to which to forward these packets. This is the IP address of the next hop between the HiPath Wireless Controller and the packet’s ultimate destination.
Page 59: Setting Up Ospf Routing
hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller This report displays all defined routes, whether static or OSPF, and their current status. To update the display, click Refresh. 4.2.6 Setting up OSPF Routing To enable OSPF (OSPF RFC2328) routing, you must: Define one data port as a router port in the IP Addresses screen ●...
Page 60 hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller The MTU of the ports on either end of an OSPF link must match. The MTU for ports on the ● HiPath Wireless Controller is defined as 1500, in the IP Addresses screen, during data port setup.
Page 61 hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller Default – The default acts as the backbone area (also known as area zero). It forms ● the core of an OSPF network. All other areas are connected to it, and inter-area routing happens via a router connected to the backbone area.
Page 62: Filtering At The Interface Level
hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller Dead-Interval – Specifies the time in seconds (displays OSPF default). The default ● setting is 40 seconds. Retransmit-Interval – Specifies the time in seconds (displays OSPF default). The ●...
Page 63 hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller For example, on the HiPath Wireless Controller’s data interfaces (both physical interfaces and VNS virtual interfaces), the built-in exception filter prohibits invoking SSH, HTTPS, or SNMP. However, such traffic is allowed, by default, on the management port.
Page 64: User Defined Port-Based Exception Filters
hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller Select the appropriate interface in the IP Addresses screen. Select the corresponding Management checkbox. To save your changes, click Save. 4.2.9 User defined port-based exception filters You can add specific filtering rules at the port level in addition to the built-in rules.
Page 65 hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller If defined improperly, user exception rules may seriously compromise the systems normal security enforcement rules. They may also disrupt the system's normal operation and even prevent system functionality altogether. It is advised to only augment the exception-filtering mechanism if absolutely necessary.
Page 66 hwc_startup.fm Configuring the HiPath Wireless Controller Performing the first-time setup of the HiPath Wireless Controller To select the new filter, click it. To allow traffic, select the Allow checkbox. To adjust the order of the filtering rules, click Up or Down to position the rule. The filtering rules are executed in the order defined here.
Page 67: Completing The System Configuration
hwc_startup.fm Configuring the HiPath Wireless Controller Completing the system configuration Completing the system configuration Once you have performed the initial configuration of the HiPath Wireless Controller, you are now ready to do the following: Configuring the VNS – For more information, see Section , “Virtual Network Services”, on ●...
Page 68 hwc_startup.fm Configuring the HiPath Wireless Controller Ongoing Operations of the Controller, Access Points and Convergence Software A31003-W1040-U101-1-7619, July 2006 DRAFT HiPath Wireless Controller, Access Points and Convergence Software V4.0, C10/C100/C1000 User Guide...
Page 69: Configuring The Wireless Ap
hwc_apstartup.fm Configuring the wireless AP Wireless AP overview Configuring the wireless AP This chapter discusses the Wireless AP and its role in the Controller, Access Points and Convergence Software solution, including: Wireless AP overview ● Discovery and registration overview ● Configuring the wireless APs for the first time ●...
Page 70 hwc_apstartup.fm Configuring the wireless AP Wireless AP overview In order to comply with FCC regulations in North America, the U-NII Low Band (5.15 > to 5.25 GHz band) is disabled for the Model AP2620. Wireless AP radios The wireless AP has two radios: 5 GHz radio supporting the 802.11a standard –...
Page 71: Discovery And Registration Overview
hwc_apstartup.fm Configuring the wireless AP Discovery and registration overview To configure the appropriate radio band according to each European Union country, use the HiPath Wireless Assistant. For more information, see Section 5.5.3, “Modifying a wireless AP’s properties”, on page 86. Discovery and registration overview When the wireless AP is powered on, it automatically begins a discovery process to determine its own IP address and the IP address of the HiPath Wireless Controller.
Page 72 ● Controller.domain-name. If no DA is found, or if it has no Siemens SAs registered, the Wireless AP attempts to locate a HiPath Wireless Controller via DNS. If you use this method for discovery, place an A record in the DNS server for Controller.<domain-name>.
Page 73: Registration After Discovery
hwc_apstartup.fm Configuring the wireless AP Discovery and registration overview 5.2.2 Registration after discovery Any of the discovery steps 2 through 5 can inform the wireless AP of a list of multiple IP addresses to which the wireless AP may attempt to connect. Once the wireless AP has discovered these addresses, it sends out connection requests to each of them.
Page 74 hwc_apstartup.fm Configuring the wireless AP Discovery and registration overview The table below assumes the software uses a timer and multiple phases to simulate LED blinking on all three LEDs. For example, an LED status of Red indicates the LED is solid colored Red, an LED status of Off/Green/Off indicates that the LED is Off for the first phase, Green for the second phase, and Off for the third phase.
Page 75: Configuring The Wireless Aps For The First Time
hwc_apstartup.fm Configuring the wireless AP Configuring the wireless APs for the first time Left LED Center LED Right LED AP Status Status Status Status Green when Green Green when 802.11a Radios enabled per user settings 802.11b/g enabled enabled Off otherwise otherwise Red/Green Upgrading firmware.
Page 76 hwc_apstartup.fm Configuring the wireless AP Configuring the wireless APs for the first time Adding a wireless AP manually option An alternative to the automatic discovery and registration process of the wireless AP is to manually add and register a wireless AP to the HiPath Wireless Controller. For more information, see Section 5.4, “Adding and registering a Wireless AP manually”, on page 80.
Page 77: Defining Properties For The Discovery Process
hwc_apstartup.fm Configuring the wireless AP Configuring the wireless APs for the first time 5.3.1 Defining properties for the discovery process Before a wireless AP is configured, you must define properties for the discovery process. The discovery process is the process by which the wireless APs determine the IP address of the HiPath Wireless Controller.
Page 78 hwc_apstartup.fm Configuring the wireless AP Configuring the wireless APs for the first time During the initial setup of the network, it is recommended to select the Allow all > Wireless APs to connect option. This option is the most efficient way to get a large number of wireless APs registered with the HiPath Wireless Controller.
Page 79 hwc_apstartup.fm Configuring the wireless AP Configuring the wireless APs for the first time In the Security Mode section, select one of the following: Allow all Wireless APs to connect ● Allow only approved Wireless APs to connect ● The Allow all Wireless APs to connect option is selected by default. For more information, see Section 5.3.1, “Security mode”, on page 77.
Page 80: Connecting The Wireless Ap To A Power Source And Initiating The Discovery And Regis
hwc_apstartup.fm Configuring the wireless AP Adding and registering a Wireless AP manually In the Discovery Timers section, type the discovery timer values in the following boxes: Number of retries ● Delay between retries ● The default number of retries is 3, and the default delay between retries is 1 second. To save your changes, click Save.
Page 81: Modifying Wireless Ap Settings
hwc_apstartup.fm Configuring the wireless AP Modifying wireless AP settings In the Serial # box, type the unique identifier. From the Hardware Type drop-down list, select the hardware type of the Wireless AP. In the Name box, type a unique name for the Wireless AP. In the Description box, type descriptive comments for the Wireless AP.
Page 82: Modifying A Wireless Ap's Status
hwc_apstartup.fm Configuring the wireless AP Modifying wireless AP settings 5.5.1 Modifying a Wireless AP’s status If during the discovery process, the HiPath Wireless Controller security mode was Allow only approved Wireless APs to connect, then the status of the wireless AP is Pending. You must modify the security mode to Allow all Wireless APs to connect.
Page 83: Configuring The Default Ap Settings
hwc_apstartup.fm Configuring the wireless AP Modifying wireless AP settings To select the wireless APs for status change, do one of the following: For a specific Wireless AP, select the corresponding checkbox. ● For Wireless AP’s by category, click one of the Select Wireless APs buttons. ●...
Page 84 hwc_apstartup.fm Configuring the wireless AP Modifying wireless AP settings Telnet Access – Select whether Telnet Access is enabled or disabled. ● Maintain client sessions – Select whether the AP should remain active if a link loss ● with the controller occurs.This option is enabled by default. Broadcast for disassoc.
Page 85 hwc_apstartup.fm Configuring the wireless AP Modifying wireless AP settings Basic Rates – Select the data rates that must be supported by all stations in a BSS: ● 1, 2 or 1, 2, 5.5, and 11 Mbps. Preamble – Select a preamble value: Short, Long, or Auto. ●...
Page 86: Modifying A Wireless Ap's Properties
hwc_apstartup.fm Configuring the wireless AP Modifying wireless AP settings Coverage – Select Shaped or Standard. Shaped coverage adjusts the range based ● on neighboring Wireless APs and standard coverage adjusts the range to the client that is the most distant, as indicated by its signal strength. Avoid WLAN –...
Page 87 hwc_apstartup.fm Configuring the wireless AP Modifying wireless AP settings Modify the Wireless AP’s information: Name – Type a unique name for the Wireless AP that identifies the Wireless AP. The ● default value is the Wireless AP’s serial number. Description – Type comments for the wireless AP. ●...
Page 88: Modifying The Wireless Ap's Radio Properties
hwc_apstartup.fm Configuring the wireless AP Modifying wireless AP settings Use broadcast for disassociation – Select if you want the wireless AP to use ● broadcast disassociation when disconnecting all clients, instead of disassociating each client one by one. This will affect the behavior of the AP under the following conditions: If the Wireless AP is preparing to reboot or to enter one of the special modes ●...
Page 89 hwc_apstartup.fm Configuring the wireless AP Modifying wireless AP settings To modify the wireless AP’s radio properties: From the main menu, click Wireless AP Configuration. The HiPath Wireless AP screen appears. Click the appropriate wireless AP in the list. Click the radio tab you want to modify. Each tab displays the radio settings for each radio on the wireless AP.
Page 90 hwc_apstartup.fm Configuring the wireless AP Modifying wireless AP settings DTIM Period – Type the Delivery Traffic Indication Message (DTIM) period. The ● default value is 1. This measures the number of beacons in the DTIM cycle. Beacon Period – Type the time units between beacon transmissions. The default ●...
Page 91 hwc_apstartup.fm Configuring the wireless AP Modifying wireless AP settings No of Retries for Video VI – Select the number of retries for the Video ● transmission queue. The default value is 4. The recommended rate is adaptive (multi-rate). No of Retries for Voice VO – Select the number of retries for the Voice ●...
Page 92 hwc_apstartup.fm Configuring the wireless AP Modifying wireless AP settings If applicable, click the 802.11a tab to modify the radio properties. ● DTIM Period – Type the Delivery Traffic Indication Message (DTIM) period. The ● default value is 1. This measures the number of beacons in the DTIM cycle. Beacon Period –...
Page 93: Setting Up The Wireless Ap Using Static Configuration
hwc_apstartup.fm Configuring the wireless AP Modifying wireless AP settings Tx Power Level – Select the Tx power level: Min, 13%, 25%, 50%, or Max. If Dynamic ● Radio Management (DRM) was enabled on the DRM screen, this option is read-only. Rx Diversity –...
Page 94 hwc_apstartup.fm Configuring the wireless AP Modifying wireless AP settings employed at any time if required. In the branch office model, wireless APs are installed in remote sites, while the HiPath Wireless Controller is in the central office. The wireless APs require the capability to interact in both the local site network and the central network.
Page 95 hwc_apstartup.fm Configuring the wireless AP Modifying wireless AP settings Click the Static Configuration tab. Select one of the VLAN settings for the wireless AP: Tagged - VLAN ID – Select if you want to assign this AP to a specific VLAN and type ●...
Page 96: Configuring Dynamic Radio Management
hwc_apstartup.fm Configuring the wireless AP Modifying wireless AP settings For first-time deployment of the wireless AP for static IP assignment, (a branch > office scenario is an example of a setup that may require static IP assignment), it is recommended to use DHCP initially on the central office network to obtain an IP address for the wireless AP.
Page 97 hwc_apstartup.fm Configuring the wireless AP Modifying wireless AP settings To configure the DRM software: From the main menu, click Wireless AP Configuration. The HiPath Wireless AP screen appears. In the left pane, click DRM. Confirm the Enable DRM checkbox is selected. To refresh the wireless APs list, click Save.
Page 98: Modifying A Wireless Ap's Properties Based On A Default Ap Configuration
hwc_apstartup.fm Configuring the wireless AP Modifying a wireless AP’s properties based on a default AP configuration In the RF Domain ID box, type a string that uniquely identifies a group of APs that cooperate in managing RF channels and power levels. The maximum length of the string is 15 characters.
Page 99: Configuring Aps Simultaneously
hwc_apstartup.fm Configuring the wireless AP Configuring APs simultaneously To modify the system’s default AP settings based on an already configured AP: From the main menu, click Wireless AP Configuration. The HiPath Wireless AP screen appears. In the wireless AP list, click the wireless AP whose properties you want to become the system’s default AP settings.
Page 100 hwc_apstartup.fm Configuring the wireless AP Configuring APs simultaneously In the Wireless APs list, select one or more APs to edit. To select multiple APs, select the appropriate APs from the list while pressing the CTRL key. When using multi-edit configuration, any box or option that is not explicitly >...
Page 101: Performing Wireless Ap Software Maintenance
hwc_apstartup.fm Configuring the wireless AP Performing wireless AP software maintenance Modify the configuration of the selected Wireless APs: AP Properties – For more information, see Section 5.5.3, “Modifying a wireless AP’s ● properties”, on page 86. Radio Settings – For more information, see Section 5.5.4, “Modifying the wireless ●...
Page 102 hwc_apstartup.fm Configuring the wireless AP Performing wireless AP software maintenance From the AP Images for Platform drop-down list select the appropriate platform. To select an image to be the default image for a software upgrade, select it in the list, and then click Set as default.
Page 103 hwc_apstartup.fm Configuring the wireless AP Performing wireless AP software maintenance Select the Do not upgrade AP images if current image version = upgrade version checkbox to prevent an upgrade if current image version is the same as the upgrade version. Selecting this option overrides upgrade behavior. Select the Automatically downgrade the AP to the default image if AP is at later release number (major/minor rev) checkbox to allow an older image to be installed if selected.
Page 104 hwc_apstartup.fm Configuring the wireless AP Performing wireless AP software maintenance To define parameters for a wireless AP controlled software upgrade: From the main menu, click Wireless AP Configuration. The Wireless AP Configuration screen appears. From the left pane, click AP Maintenance. The AP Software Maintenance tab appears. Click the Controlled Upgrade tab.
Page 105 hwc_apstartup.fm Configuring the wireless AP Performing wireless AP software maintenance To save the software upgrade strategy to be run later, click Save for later. To run the software upgrade immediately, click Upgrade Now. The selected Wireless AP reboots, and the new software version is loaded. The Always upgrade AP to default image checkbox on the AP Software >...
Page 106 hwc_apstartup.fm Configuring the wireless AP Performing wireless AP software maintenance A31003-W1040-U101-1-7619, July 2006 DRAFT HiPath Wireless Controller, Access Points and Convergence Software V4.0, C10/C100/C1000 User Guide...
Page 107: Virtual Network Services
hwc_vnsintro.fm Virtual Network Services VNS overview Virtual Network Services This chapter describes Virtual Network Services (VNS) concepts, including: VNS overview ● Setting up a VNS checklist ● Topology of a VNS ● RF assignment for a VNS ● Authentication for a VNS ●...
Page 108: Setting Up A Vns Checklist
hwc_vnsintro.fm Virtual Network Services Setting up a VNS checklist These IP addresses are not virtual IP addresses. They are regular IP addresses and are unique over the network. These IP addresses are advertised to other hosts on the network to exchange traffic with the wireless devices in the VNS. A single overall filtering policy applies to all the wireless devices within the VNS.
Page 109 hwc_vnsintro.fm Virtual Network Services Setting up a VNS checklist The routing mechanism to be used on the VNS ● For tunneled configurations mostly, the network addresses that the VNS will use ● A VLAN bridged VNS (at the controller) requires the specification of the IP address for the ●...
Page 110: Topology Of A Vns
hwc_vnsintro.fm Virtual Network Services Topology of a VNS Department (such as Engineering, Sales, Finance) ● Role (such as student, teacher, library user) ● Status (such as guest, administration, technician) ● For each user group, you should set up a filter ID attribute in the RADIUS server, and then associate each user in the RADIUS server to at least one filter ID name.
Page 111: Rf Assignment For A Vns
hwc_vnsintro.fm Virtual Network Services RF assignment for a VNS Traffic behavior types There are 2 traffic types available when setting up your VNS: Tunneled to controller ● Bridged at AP ● There are 3 traffic types available when setting up your VNS: Tunneled to controller ●...
Page 112: Authentication For A Vns
hwc_vnsintro.fm Virtual Network Services Authentication for a VNS Authentication for a VNS The third step in setting up a VNS is to configure the authentication mechanism for the VNS. The authentication mechanism depends on the network assignment. In addition, all VNS definitions can include authentication by Media Access Control (MAC) address.
Page 113: Authentication With Aaa (802.1X) Network Assignment
hwc_vnsintro.fm Virtual Network Services Authentication for a VNS 6.5.2 Authentication with AAA (802.1x) network assignment If network assignment is AAA with 802.1x authentication, the wireless device user requesting network access must first be authenticated. The wireless device's client utility must support 802.1x.
Page 114: Filtering For A Vns
hwc_vnsintro.fm Virtual Network Services Filtering for a VNS Filtering for a VNS The VNS capability provides a technique to apply policy, to allow different network access to different groups of users. This is accomplished by packet filtering. After setting authentication, define the filtering rules for the filters that apply to your network and the VNS you are setting up.
Page 115: Filtering Sequence
hwc_vnsintro.fm Virtual Network Services Filtering for a VNS 6.6.2 Filtering sequence The filtering sequence depends on the type of authentication used: No authentication (network assignment by SSID) ● Only the default filter will apply. Specific network access can be defined. Authentication by captive portal (network assignment by SSID) ●...
Page 116: Data Protection On A Vns-Wep And Wpa
hwc_vnsintro.fm Virtual Network Services Data protection on a VNS—WEP and WPA Data protection on a VNS—WEP and WPA On wireless and wired networks, data is protected by encryption techniques. The type of data protection that is available depends on the VNS assignment mode: WEP and WPA-PSK is only available for assignment by SSID ●...
Page 117 hwc_vnsintro.fm Virtual Network Services VNS global settings To define a RADIUS server available on the network, do the following: In the Server Name box, type a name. ● In the Server Address box, type the IP address. ● In the Shared Secret box, type the password that is required in both directions. This ●...
Page 118 hwc_vnsintro.fm Virtual Network Services VNS global settings To define DAS for VNS global settings: From the main menu, click Virtual Network Configuration. The Virtual Network list appears. In the left pane, click Global Settings. The Authentication tab appears. Click the DAS tab. To enable DAS support, select the Enable DAS Support checkbox.
Page 119 hwc_vnsintro.fm Virtual Network Services VNS global settings Using the percentage drop-down lists, define the thresholds for the following: Max Voice (VO) bandwidth for re-association ● Max Voice (VO) bandwidth for association ● Max Video (VI) bandwidth for re-association ● Max Video (VI) bandwidth for association ●...
Page 120 hwc_vnsintro.fm Virtual Network Services VNS global settings To define inter-HiPath Wireless Controller shared secret for VNS global settings: From the main menu, click Virtual Network Configuration. The Virtual Network list appears. In the left pane, click Global Settings. Click the General tab. In the Inter-HWC Shared Secret box, type a password between 8 and 63 characters long, to be used between HiPath Wireless Controllers.
Page 121: Setting Up A New Vns
hwc_vnsintro.fm Virtual Network Services Setting up a new VNS Setting up a new VNS Now that you are familiar with the VNS concepts, you can now set up a new VNS. Setting up a new VNS involves the following general steps: Step one –...
Page 122 hwc_vnsintro.fm Virtual Network Services Setting up a new VNS A31003-W1040-U101-1-7619, July 2006 DRAFT HiPath Wireless Controller, Access Points and Convergence Software V4.0, C10/C100/C1000 User Guide...
Page 123: Virtual Network Configuration
hwc_vnsconfiguration.fm Virtual Network configuration Virtual Network configuration This chapter discusses VNS (Virtual Network Services) configuration, including: Topology for a VNS ● Assigning Wireless AP radios to a VNS ● Authentication for a VNS ● Defining accounting methods for a VNS ●...
Page 124: Topology For A Vns
hwc_vnsconfiguration.fm Virtual Network configuration Topology for a VNS Before you can define the VNS topology parameters and configure the VNS, you must first create a new VNS name. To create a new VNS name: From the main menu, click Virtual Network Configuration. The Virtual Network Configuration screen appears.
Page 125: Configuring Topology For A Vns For Captive Portal
hwc_vnsconfiguration.fm Virtual Network configuration Topology for a VNS 7.1.1 Configuring topology for a VNS for Captive Portal The section describes how to set up a VNS for Captive Portal. The RF tab, where you assign APs to VNSs, is not accessible until the topology for the VNS has been configured and saved. To create an SSID for Captive Portal VNS: From the main menu, click Virtual Network Configuration.
Page 126: Enabling Management Traffic
hwc_vnsconfiguration.fm Virtual Network configuration Topology for a VNS an un-authenticated user. For example, a user may have disconnected from the system (shutdown the device, moved out of range, etc.). A pre timeout expires and cleans up the session. The post timeout is the max amount of time that is allowed to elapse from the last time any traffic was received for an authenticated user.
Page 127: Enabling Third-Party Aps On A Vns
hwc_vnsconfiguration.fm Virtual Network configuration Topology for a VNS To enable management traffic on a VNS: From the main menu, click Virtual Network Configuration. The Virtual Network Configuration screen appears. In the left pane Virtual Networks list, click the VNS you want to enable management traffic for.
Page 128: Defining A Next Hop Route And Ospf Advertisement For A Vns
hwc_vnsconfiguration.fm Virtual Network configuration Topology for a VNS 7.1.1.4 Defining a next hop route and OSPF advertisement for a VNS The next hop definition allows the administrator to define a specific host as the target for all non-VNS targeted traffic for users in a VNS. The next hop IP identifies the target device to which all VNS (user traffic) will be forwarded to.
Page 129 hwc_vnsconfiguration.fm Virtual Network configuration Topology for a VNS To define the IP address for the VNS: From the main menu, click Virtual Network Configuration. The Virtual Network Configuration screen appears. In the left pane Virtual Networks list, click the VNS you want to define the IP address for. The Topology tab is displayed.
Page 130: Modifying Time Limits For Ip Assignments
hwc_vnsconfiguration.fm Virtual Network configuration Topology for a VNS In the DHCP Address Exclusion subscreen, do one of the following: ● To specify an IP range, type the first available address in the From box and type ● the last available address in the to box. Click Add for each IP range you provide. To specify a IP address, select the Single Address option and type the IP address ●...
Page 131: Setting The Name Server Configuration
hwc_vnsconfiguration.fm Virtual Network configuration Topology for a VNS To modify time limits for IP assignments: From the main menu, click Virtual Network Configuration. The Virtual Network Configuration screen appears. In the left pane Virtual Networks list, click the VNS you want to set time limits for. The Topology tab is displayed.
Page 132: Configuring Topology For A Vns For Aaa
hwc_vnsconfiguration.fm Virtual Network configuration Topology for a VNS Using a DHCP relay forces the HiPath Wireless Controller to forward DHCP requests to an external DHCP server on the enterprise network. This function bypasses the local DHCP server for the HiPath Wireless Controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure.
Page 133: Saving Your Topology Properties
hwc_vnsconfiguration.fm Virtual Network configuration Assigning Wireless AP radios to a VNS Configure the topology for your VNS accordingly. For more information, see Section 7.1, “Topology for a VNS”, on page 124. To save your changes, click Save. 7.1.3 Saving your topology properties Once your topology is defined, you can then save your topology properties to continue configuring your VNS.
Page 134 hwc_vnsconfiguration.fm Virtual Network configuration Assigning Wireless AP radios to a VNS Once you have assigned a Wireless AP radio to eight VNSs, it will not appear in the list for another VNS setup. Each radio can support up to eight SSIDs (16 per AP). Each AP can be assigned to any of the VNSs defined within the system.
Page 135: Authentication For A Vns
hwc_vnsconfiguration.fm Virtual Network configuration Authentication for a VNS foreign APs - all radios – Select to assign only the foreign APs. ● foreign APs - a radios – Select to assign only the foreign APs’ a radios. ● foreign APs - b/g radios – Select to assign only the foreign APs’ b/g radios. ●...
Page 136: Vendor Specific Attributes
The RADIUS message also includes RADIUS attributes Called-Station-Id and Calling-Station- Id in order to include the MAC address of the wireless device. Siemens-URL-Redirection is supported by MAC-based authentication. > A31003-W1040-U101-1-7619, July 2006 DRAFT...
Page 137: Defining Authentication For A Vns For Captive Portal
hwc_vnsconfiguration.fm Virtual Network configuration Authentication for a VNS 7.3.2 Defining authentication for a VNS for Captive Portal For Captive Portal authentication, the wireless device connects to the network, but can only access the specific network destinations defined in the non-authenticated filter. For more information, see Section 7.6.2, “Defining non-authenticated filters”, on page 156.
Page 138 hwc_vnsconfiguration.fm Virtual Network configuration Authentication for a VNS Click Auth. The Authentication fields are displayed. From the RADIUS drop-down list, select the server you want to use for Captive Portal authentication, and then click Use. The server’s default information is displayed. The RADIUS servers are defined in the Global Settings screen.
Page 139 hwc_vnsconfiguration.fm Virtual Network configuration Authentication for a VNS The selected server is no longer available in the RADIUS drop-down list. The server name now appears in the list of configured servers, next to the Up and Down buttons, where it can be prioritized for RADIUS redundancy. The server can also be assigned again for MAC-based authentication or accounting purposes.
Page 140: Defining The Radius Server Priority For Radius Redundancy
hwc_vnsconfiguration.fm Virtual Network configuration Authentication for a VNS 10. In the Auth. Type drop-down list, select the authentication protocol to be used by the RADIUS server to authenticate the wireless device users. The authentication protocol applies to a VNS with Captive Portal authentication: PAP –...
Page 141: Configuring Captive Portal For Internal Or External Authentication
hwc_vnsconfiguration.fm Virtual Network configuration Authentication for a VNS In the event of a failover of the main RADIUS server—if there is no response after the set number of retries—then the other servers in the list will be polled on a round-robin basis until a server responds.
Page 142 hwc_vnsconfiguration.fm Virtual Network configuration Authentication for a VNS No Captive Portal Support ● Internal Captive Portal – Define the parameters of the internal Captive Portal page ● presented by the HiPath Wireless Controller, and the authentication request from the HiPath Wireless Controller to the RADIUS server. External Captive Portal –...
Page 143 hwc_vnsconfiguration.fm Virtual Network configuration Authentication for a VNS Click Configure Captive Portal Settings. The Captive Portal Configurations window appears. Select the Internal Captive Portal option. In the Login Label box, type the text that will appear as a label for the user login field. In the Password Label box, type the text that will appear as a label for the user password field.
Page 144 hwc_vnsconfiguration.fm Virtual Network configuration Authentication for a VNS 15. To provide users with a logoff button, select Logoff. The Logoff button launches a popup logoff screen, allowing users to control their logoff. 16. To provide users with a status check button, select Status check. The Status check button launches a popup window, which allows users to monitor session statistics such as system usage and time left in a session.
Page 145: Defining Authentication For A Vns For Aaa
hwc_vnsconfiguration.fm Virtual Network configuration Authentication for a VNS You must add a filtering rule to the non-authenticated filter that allows access to > the External Captive Portal site. For more information, see Section 6.6, “Filtering for a VNS”, on page 114. 7.3.3 Defining authentication for a VNS for AAA If network assignment is AAA with 802.1x authentication, the wireless device must successfully...
Page 146 hwc_vnsconfiguration.fm Virtual Network configuration Authentication for a VNS Click Auth. The Authentication fields are displayed. From the RADIUS drop-down list, select the server you want to use for Captive Portal authentication, and then click Use. The server’s default information is displayed. The RADIUS servers are defined in the Global Settings screen.
Page 147 hwc_vnsconfiguration.fm Virtual Network configuration Authentication for a VNS The selected server is no longer available in the RADIUS drop-down list. The server name now appears in the list of configured servers, next to the Up and Down buttons, where it can be prioritized for RADIUS redundancy. The server can also be assigned again for MAC-based authentication or accounting purposes.
Page 148: Defining Mac-Based Authentication For A Vns
hwc_vnsconfiguration.fm Virtual Network configuration Authentication for a VNS AP’s ● VNS’s ● SSID ● The Vendor Specific Attributes must be defined on the RADIUS server. 11. If applicable, select Set as primary server. 12. To save your changes, click Save. If you have already assigned a server to either MAC-based authentication or >...
Page 149 hwc_vnsconfiguration.fm Virtual Network configuration Authentication for a VNS From the RADIUS drop-down list, select the server you want to use for MAC authentication, and then click Use. The server’s default information is displayed and a red asterisk appears next to MAC, indicating that a server has been assigned. The RADIUS servers are defined in the Global Settings screen.
Page 150: Defining Accounting Methods For A Vns
hwc_vnsconfiguration.fm Virtual Network configuration Defining accounting methods for a VNS 11. In the NAS Identifier box, type the Network Access Server (NAS) identifier. The NAS identifier is a RADIUS attribute that identifies the server responsible for passing information to designated RADIUS servers and then acting on the response returned. This is an optional step.
Page 151: Defining Radius Filter Policy For Vnss And Vns Groups
hwc_vnsconfiguration.fm Virtual Network configuration Defining RADIUS filter policy for VNSs and VNS groups To define accounting methods for a VNS: From the main menu, click Virtual Network Configuration. The Virtual Network Configuration screen appears. In the left pane Virtual Networks list, click the VNS you want to define accounting methods for.
Page 152 hwc_vnsconfiguration.fm Virtual Network configuration Defining RADIUS filter policy for VNSs and VNS groups In addition to the filter ID values, you can also set up a group ID for a VNS with AAA authentication. You can set up a group within a VNS that relies on the RADIUS attribute Login- LAT-Group (RFC2865).
Page 153: Configuring Filtering Rules For A Vns
hwc_vnsconfiguration.fm Virtual Network configuration Configuring filtering rules for a VNS In the Filter ID Values box, type the name of a group that you want to define specific filtering rules for to control network access. Click the corresponding Add button. The filter ID value appears in the list. These filter ID values will appear in the Filter ID list on the Filtering tab.
Page 154 hwc_vnsconfiguration.fm Virtual Network configuration Configuring filtering rules for a VNS match is determined. Therefor, these user-defined rules are evaluated before the system’s own generated rules. As such, these user-defined rules may inadvertently create security lapses in the system's protection mechanism or create a scenario that filters out packets that are required by the system.
Page 155 hwc_vnsconfiguration.fm Virtual Network configuration Configuring filtering rules for a VNS For each filtering rule you are defining, do the following: In the IP/subnet:port box, type the destination IP address. You can also specify an IP ● range, a port designation, or a port range on that IP address. In the Protocol drop-down list, select the applicable protocol.
Page 156: Defining Non-Authenticated Filters
hwc_vnsconfiguration.fm Virtual Network configuration Configuring filtering rules for a VNS 10. To save your changes, click Save. For external Captive Portal, you need to add an external server to a > non-authentication filter. 7.6.2 Defining non-authenticated filters Defining non-authenticated filters allows administrators to identify destinations to which a user is allowed to access without incurring an authentication redirection.
Page 157 hwc_vnsconfiguration.fm Virtual Network configuration Configuring filtering rules for a VNS To define filtering rules for a non-authenticated filter: From the main menu, click Virtual Network Configuration. The Virtual Network Configuration screen appears. In the left pane Virtual Networks list, click the VNS you want to define filter ID values for. The Topology tab is displayed.
Page 158: Non-Authenticated Filter Examples
hwc_vnsconfiguration.fm Virtual Network configuration Configuring filtering rules for a VNS Select IP/Port. ● Type the default gateway IP address that you defined in the Topology tab for this VNS. ● Click Add. The information appears in the Filter Rules area of the tab. Select the new filter, then do the following: If applicable, select In to refer to traffic from the wireless device that is trying to get on ●...
Page 159: Filtering Rules For A Filter Id Group
hwc_vnsconfiguration.fm Virtual Network configuration Configuring filtering rules for a VNS If you place URLs in the header and footer of the Captive Portal page, you must explicitly allow access to any URLs mentioned in the authentication's server page, such as: Internal captive portal –...
Page 160 hwc_vnsconfiguration.fm Virtual Network configuration Configuring filtering rules for a VNS If the filter ID attribute value (or Login-LAT-Group attribute value) from the RADIUS server matches a filter ID value that you have set up on the HiPath Wireless Controller, the HiPath Wireless Controller applies the filtering rules that you defined for that filter ID value to the wireless device user.
Page 161: Filtering Rules By Filter Id Examples
hwc_vnsconfiguration.fm Virtual Network configuration Configuring filtering rules for a VNS The Filtering tab automatically provides a Deny All rule already in place. This rule can be modified to Allow All, if appropriate to the network access needs for this VNS. For each filtering rule you are defining, do the following: In the IP/subnet:port box, type the destination IP address.
Page 162: Filtering Rules For A Default Filter
hwc_vnsconfiguration.fm Virtual Network configuration Configuring filtering rules for a VNS Allow IP / Port Description *.*.*.*. Deny everything else. Table 10 Filtering rules by filter ID example B 7.6.4 Filtering rules for a default filter After authentication of the wireless device user, the default filter will apply only after: No match is found for the Exception filter rules.
Page 163: Default Filter Examples
hwc_vnsconfiguration.fm Virtual Network configuration Configuring filtering rules for a VNS The Filtering tab automatically provides a Deny All rule already in place. This rule can be modified to Allow All, if appropriate to the network access needs for this VNS. 7.6.4.1 Default filter examples The following are examples of filtering rules for a default filter:...
Page 164: Filtering Rules For An Aaa Child Group Vns
hwc_vnsconfiguration.fm Virtual Network configuration Configuring filtering rules for a VNS Allow IP / Port Description Port 80 (HTTP) on host IP Deny all incoming wireless devices access to web browsing the host Intranet IP 10.3.0.20, ports Deny all traffic from the network to the 10-30 wireless devices on the port range, such as TELNET (port 23) or FTP (port 21)
Page 165: Enabling Multicast For A Vns
hwc_vnsconfiguration.fm Virtual Network configuration Enabling multicast for a VNS Enabling multicast for a VNS A mechanism that supports multicast traffic can be enabled as part of a VNS definition. This mechanism is provided to support the demands of VoIP and IPTV network traffic, while still providing the network access control.
Page 166 hwc_vnsconfiguration.fm Virtual Network configuration Enabling multicast for a VNS To enable the multicast function, click Enable Multicast Support. Define the multicast groups by selecting one of the radio buttons: IP Group – Type the IP address range. ● Defined groups – Select from the drop-down list. ●...
Page 167: Configuring Privacy For A Vns
hwc_vnsconfiguration.fm Virtual Network configuration Configuring privacy for a VNS The multicast packet size should not exceed 1450 bytes. > Configuring privacy for a VNS Privacy is a mechanism that protects data over wireless and wired networks, usually by encryption techniques. The following section describes how the Privacy mechanism is handled for a Captive Portal VNS and an AAA VNS.
Page 168 hwc_vnsconfiguration.fm Virtual Network configuration Configuring privacy for a VNS From the WEP Key Length drop-down list, select the WEP encryption key length: 40-bit ● 104-bit ● 128-bit ● Select one of the following input methods: Input Hex – If you select Input Hex, type the WEP key input in the WEP Key box. The ●...
Page 169 hwc_vnsconfiguration.fm Virtual Network configuration Configuring privacy for a VNS To configure privacy by WPA-PSK for a Captive Portal VNS From the main menu, click Virtual Network Configuration. The Virtual Network Configuration screen appears. In the left pane Virtual Networks list, click the VNS you want to configure privacy by WPA- PSK for a Captive Portal.
Page 170: Privacy For A Vns For Aaa
hwc_vnsconfiguration.fm Virtual Network configuration Configuring privacy for a VNS To enable re-keying after a time interval, select Broadcast re-key interval. If this checkbox is not selected, the Broadcast encryption key is never changed and the Wireless AP will always use the same broadcast key for Broadcast/Multicast transmissions.
Page 171 hwc_vnsconfiguration.fm Virtual Network configuration Configuring privacy for a VNS Dynamic keys ● Wi-Fi Protected Access (WPA) version 1, with encryption by Temporal Key Integrity ● Protocol (TKIP) Wi-Fi Protected Access (WPA) version 2, with encryption by Advanced Encryption ● Standard with Counter-Mode/CBC-MAC Protocol (AES-CCMP) To set up static WEP privacy for an AAA VNS: From the main menu, click Virtual Network Configuration.
Page 172: Dynamic Wep Privacy For An Aaa Vns
hwc_vnsconfiguration.fm Virtual Network configuration Configuring privacy for a VNS 104-bit ● 128-bit ● Select one of the following input methods: Input Hex – If you select Input Hex, type the WEP key input in the WEP Key box. The ● key is generated automatically, based on the input.
Page 173 hwc_vnsconfiguration.fm Virtual Network configuration Configuring privacy for a VNS A per-packet key mixing function that shares a starting key between devices, and then ● changes their encryption key for every packet (unicast key) or after the specified re-key time interval (broadcast key) expires An extended WEP key length of 256-bits ●...
Page 174 hwc_vnsconfiguration.fm Virtual Network configuration Configuring privacy for a VNS Step six – The wireless device client gains network access via the Wireless AP, sending ● and receiving encrypted data. The traffic is controlled with permissions and policy applied by the HiPath Wireless Controller. To set up Wi-Fi Protected Access privacy (WPA) for an AAA VNS: From the main menu, click Virtual Network Configuration.
Page 175: Defining A Vns With No Authentication
hwc_vnsconfiguration.fm Virtual Network configuration Defining a VNS with no authentication Auto – The AP will advertise both TKIP and CCMP (Counter Mode with Cipher Block ● Chaining Message Authentication Code Protocol) for WPAv1. CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard).
Page 176: Defining Priority Level For Vns Traffic
hwc_vnsconfiguration.fm Virtual Network configuration Defining priority level for VNS traffic Click the Filtering tab. Define a default filter that will control specific network access for any wireless device users on this VNS. For more information, see Section 7.6, “Configuring filtering rules for a VNS”, on page 153.
Page 177 hwc_vnsconfiguration.fm Virtual Network configuration Defining priority level for VNS traffic Private Branch Exchange (PBX) – A private telephone system within an enterprise, with ● such features as voicemail. Telephony Gateway – For access to an external standard telephone network, such as the ●...
Page 178 hwc_vnsconfiguration.fm Virtual Network configuration Defining priority level for VNS traffic 11. Define rules that allow access to the DNS server, to the Telephony Gateway, and then deny all other traffic. For more information, see Section 7.6, “Configuring filtering rules for a VNS”, on page 153.
Page 179 hwc_vnsconfiguration.fm Virtual Network configuration Defining priority level for VNS traffic For more information, see Section 5.5.4, “Modifying the wireless AP’s radio properties”, on page 88. To save your changes, click Save. A31003-W1040-U101-1-7619, July 2006 DRAFT HiPath Wireless Controller, Access Points and Convergence Software V4.0, C10/C100/C1000 User Guide...
Page 180: Configuring Quality Of Service (Qos)
hwc_vnsconfiguration.fm Virtual Network configuration Configuring Quality of Service (QoS) 7.11 Configuring Quality of Service (QoS) QoS policy is configured for each VNS and applies to routed, bridged at AP, and bridged at controller VNSs. Each VNS has a configurable policy for the QoS characteristics of the VNS. For every user associated with the VNS there will be a different behavior on the wireless traffic.
Page 181 hwc_vnsconfiguration.fm Virtual Network configuration Configuring Quality of Service (QoS) Both Layer 3 tagging (DSCP) and Layer 2 (802.11d) tagging are supported, and the mapping is conformant with the WMM specification. If both L2 and L3 priority tags are available, then both are taken into account and the chosen AC is the highest resulting from L2 and L3.
Page 182 hwc_vnsconfiguration.fm Virtual Network configuration Configuring Quality of Service (QoS) WMM Priority WMM (WiFi Multimedia – Enables WMM (WiFi Multimedia), which is a WiFi- ● defined industry standard intended to provide a standard QoS solution until 802.11e specification is ratified. This new capability is designed to improve the user experience of voice, video, and audio applications over a Wi-Fi network.
Page 183: Defining The Service Class For The Vns
hwc_vnsconfiguration.fm Virtual Network configuration Configuring Quality of Service (QoS) At this time, Layer 2 802.1d bits are not carried across the tunnel. The HiPath > Wireless Controller C2400 supports functionality (CTP_QoS field) by which L2 priority flags for user traffic received from a core VLAN is copied into the CTP header (CTP_QoS field) and passed to the AP to determine the corresponding access class.
Page 184 hwc_vnsconfiguration.fm Virtual Network configuration Configuring Quality of Service (QoS) To configure QoS Policy on a VNS: From the main menu, click Virtual Network Configuration. The Virtual Network Configuration screen appears. In the left pane Virtual Networks list, click the VNS you want to configure for QoS. Click the QoS Policy tab.
Page 185: Bridging Traffic Locally
hwc_vnsconfiguration.fm Virtual Network configuration Bridging traffic locally Turbo Voice – <<< attention reviewer: need descriptions of what this option ● does.>>: To define the service class and DSCP marking for the VNS, select the Priority Override checkbox: Service class – From the drop-down list, select the appropriate priority level: ●...
Page 186 hwc_vnsconfiguration.fm Virtual Network configuration Bridging traffic locally To bridge traffic locally: From the main menu, click Virtual Network Configuration. The Virtual Network Configuration screen appears. In the left pane Virtual Networks list, click the VNS that you want to define topology parameters for.
Page 187 hwc_vnsconfiguration.fm Virtual Network configuration Bridging traffic locally The VLAN IDs are assigned by the branch office network administrator. The AP > will operate correctly only if the VLAN ID is unique per AP and there is at most one untagged VNS per AP. To save your changes, click Save.
Page 188 hwc_vnsconfiguration.fm Virtual Network configuration Bridging traffic locally A31003-W1040-U101-1-7619, July 2006 DRAFT HiPath Wireless Controller, Access Points and Convergence Software V4.0, C10/C100/C1000 User Guide...
Page 189: Availability, Mobility, And Controller Functionality
hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Availability overview Availability, mobility, and controller functionality This chapter describes the availability and mobility concepts, including: Availability overview ● Mobility manager ● Defining management users ● Configuring network time ● Configuring Check Point event logging ●...
Page 190 hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Availability overview The availability feature provides APs with a list of interfaces to which the AP should > attempt to automatically connect to when a connection with an active controller link is lost. The provided list identifies the local active interfaces (enabled on the primary and backup controllers) for the active controller as well as the active interfaces for the backup controller.
Page 191: Availability Prerequisites
hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Availability overview 8.1.1 Availability prerequisites Before you begin, ensure you have completed the following: Choose the primary and secondary HiPath Wireless Controllers. ● Purchased two availability licenses to enable availability on a pair of controllers. ●...
Page 192 hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Availability overview An alternate method to setting up APs includes: Add each wireless AP manually to each HiPath Wireless Controller. From the AP Properties screen, click Add Wireless AP. Define the wireless AP and click Add Wireless AP. Manually defined APs will inherit the AP default configuration settings.
Page 193 hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Availability overview Do one of the following: For a primary controller, in the Wireless Controller IP Address box, type the IP ● address of the physical port of the secondary HiPath Wireless Controller. This IP address must be on a routable subnet between the two HiPath Wireless Controllers.
Page 194: Viewing The Wireless Ap Availability Display
hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Availability overview 8.1.2 Viewing the Wireless AP availability display For more information, see Section 11.1.1, “Viewing the Wireless AP availability display”, on page 233. 8.1.3 Viewing SLP activity In normal operations, the primary HiPath Wireless Controller registers as an SLP service called ac_manager.
Page 195: Events And Actions During A Failover
hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Availability overview 8.1.4 Events and actions during a failover If one of the HiPath Wireless Controllers in a pair fails, the connection between the two HiPath Wireless Controllers is lost. This triggers a failover mode condition, and a critical message appears in the information log of the remaining HiPath Wireless Controller.
Page 196: Mobility Manager
hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Mobility manager A Wireless AP connects first to a HiPath Wireless Controller registered as > ac_manager and, if not found, then seeks an ru_manager. If the primary HiPath Wireless Controller fails, the secondary one registers as ru_manager. This enables the secondary HiPath Wireless Controller to be found by Wireless APs after they reboot.
Page 197 hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Mobility manager For the mobility manager you have two options: > Rely on SLP with DHCP Option 78 ● Define at the agent the IP address of the mobility manager. By explicitly defining ● the IP address, the agent and the mobility manager are able to find each other directly without using the SLP discovery mechanisms.
Page 198 hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Mobility manager Uses the information from every Heartbeat message received to update its own tables and ● updates the mobility manager with information on the wireless device users and data tunnels it is managing If a controller configured as the mobility manager is lost, the following occurs: Agent to agent connections will remain active.
Page 199 hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Mobility manager To enable mobility for this controller, select the Enable Mobility checkbox. The controller mobility options appear. Select the This Wireless Controller is a Mobility Manager option. The mobility manager options appear. In the Port drop-down list, select the interface on the HiPath Wireless Controller to be used for the mobility manager process.
Page 200 hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Mobility manager Select the Security Mode option: Allow all mobility agents to connect – All mobility agents can connect to the mobility ● manager. Allow only approved mobility agents to connect – Only approved mobility agents ●...
Page 201 hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Mobility manager In the Port drop-down list, select the port on the HiPath Wireless Controller to be used for the mobility agent process. Ensure that the port selected is routable on the network. In the Heartbeat box, type the time interval (in seconds) to wait for a connection establishment response before trying again.
Page 202: Displays For The Mobility Manager
hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Defining management users 8.2.1 Displays for the mobility manager For more information, see Section 11.1.3, “Viewing displays for the mobility manager”, on page 236. Defining management users In this screen you define the login user names that have access to the HiPath Wireless Assistant, either for Controller, Access Points and Convergence Software administrators with read/write privileges, or users with read only privileges.
Page 203 hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Defining management users The user_admin list displays Admin users who have read/write privileges. The user_read list is for users who have read only privileges. From the Group pull-down list, select Admin or Read only. In the User ID box, type the user ID for the new user.
Page 204: Configuring Network Time
hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Configuring network time Configuring network time You can synchronize the elements on the network to a universal clock. This ensures accuracy in usage logs. Network time is synchronized in one of two ways: using system time ●...
Page 205: Configuring Check Point Event Logging
hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Configuring Check Point event logging From the Time Zone Region drop-down list, select the appropriate time zone region for the selected country. To apply your changes, click Apply Time Zone. To set system time parameters: From the main menu, click Wireless Controller Configuration.
Page 206 hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Configuring Check Point event logging Before you set up the HiPath Wireless Controller, you must first create OPSEC > objects for HiPath Wireless Controller in the Check Point management software. The name and password you define must also be entered into the HiPath Wireless Controller Check Point configuration screen.
Page 207: Ela Management Station Events
Connection Status area displays the following message: OPSEC Connection Error 8.5.1 ELA Management Station events The events for the ELA Management Station are grouped under Siemens and are mapped as info events and alert events. The alerts include: Wireless AP registration and/or authentication failed ●...
Page 208: Enabling Snmp
IF-MIB ● IEEE802dot11-MIB ● RFC1213-MIB ● The HiPath Wireless Controller is not fully compliant with MIB II. For example, esa/ > IXP ports only provide interface statistics. The Siemens Enterprise MIB includes: HIPATH-WIRELESS-HWC-MIB ● HIPATH-WIRELESS-PRODUCTS-MIB ● HIPATH-WIRELESS-SMI.my ● HIPATH-WIRELESS-DOT11-EXTNS-MIB ●...
Page 209: Enabling Snmp On The Hipath Wireless Controller
hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Enabling SNMP 8.6.2 Enabling SNMP on the HiPath Wireless Controller You can enable SNMP on the HiPath Wireless Controller to retrieve statistics and configuration information. To enable SNMP Parameters: From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen appears.
Page 210: Using Controller Utilities
hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Using controller utilities Read/Write Community Name – Specifies the community name for users with read ● and write privileges SNMP Trap Port – Specifies the destination port for SNMP traps. The industry ● standard is 162. If left blank, no traps are generated. Forward Traps –...
Page 211: Configuring Web Session Timeouts
hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Configuring Web session timeouts Configuring Web session timeouts You can configure the time period to allow Web sessions to remain inactive before timing out. To configure Web session timeouts: From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen appears.
Page 212 hwc_controlleravailmobility.fm Availability, mobility, and controller functionality Configuring Web session timeouts In the Web Session Timeout box, type the time period to allow the Web session to remain inactive before it times out. This can be entered as hour:minutes, or as minutes. The range is 1 minute to 168 hours.
Page 213: Working With Third-Party Aps
hwc_3rdpartyaps.fm Working with third-party APs Working with third-party APs You can set up the HiPath Wireless Controller to handle wireless device traffic from third-party access points, providing the same policy and network access control. This process requires the following steps: Step 1 –...
Page 214 hwc_3rdpartyaps.fm Working with third-party APs Highlight the appropriate port, and in the Function box, select 3rd-party AP from the drop-down list. Make sure that Management Traffic and SLP are disabled for this port. Connect the third-party access point to this port, via a switch. Step 2 –...
Page 215 hwc_3rdpartyaps.fm Working with third-party APs In the Assignment by drop-down list, click SSID. To define a VNS for a third-party AP, select the Use 3rd Party AP checkbox. Continue configuring your VNS as described in Section 7.1.1, “Configuring topology for a VNS for Captive Portal”, on page 125.
Page 216 hwc_3rdpartyaps.fm Working with third-party APs Step 4 – Define filtering rules for the third-party APs Because the third-party APs are mapped to a physical port, you must define the Exception filters on the physical port, using the Port Exception Filters screen. For more information, see Section 7.6, “Configuring filtering rules for a VNS”, on page 153.
Page 217: Working With The Mitigator
hwc_mitigator.fm Working with the Mitigator Mitigator overview Working with the Mitigator This chapter describes Mitigator concepts, including: Mitigator overview ● Enabling the Analysis and data collector engines ● Running Mitigator scans ● Analysis engine overview ● Working with Mitigator scan results ●...
Page 218: Enabling The Analysis And Data Collector Engines
hwc_mitigator.fm Working with the Mitigator Enabling the Analysis and data collector engines 10.2 Enabling the Analysis and data collector engines Before using the Mitigator, you must enable and define the Analysis and data collector engines. To enable the Analysis engine: From the main menu, click Wireless Controller Configuration.
Page 219: Running Mitigator Scans
hwc_mitigator.fm Working with the Mitigator Running Mitigator scans In the Poll interval box, type (in seconds) the interval that the Analysis Engine will poll ● the RF Data Collector to maintain connection status. The default is 30 seconds. In the Poll retry count box, type the number of times the Analysis Engine will attempt ●...
Page 220 hwc_mitigator.fm Working with the Mitigator Running Mitigator scans In the Scan Group Name box, type a unique name for this scan group. In the Wirelss APs list, select the checkbox corresponding to the Wireless APs you want included in the new scan group, which will perform the scan function. A Wireless AP can participate in only one Scan Group at a time.
Page 221 hwc_mitigator.fm Working with the Mitigator Running Mitigator scans In the Scan Type drop-down list, select one of the following: Active – The Wireless AP sends out ProbeRequests and waits for ProbeResponse ● messages from any access points. Passive – The Wireless AP listens for 802.11 beacons. ●...
Page 222: Analysis Engine Overview
hwc_mitigator.fm Working with the Mitigator Analysis engine overview 10.4 Analysis engine overview The Analysis engine relies on a database of known devices on the Controller, Access Points and Convergence Software system. The Analysis engine compares the data from the RF Data Collector with the database of known devices.
Page 223 hwc_mitigator.fm Working with the Mitigator Working with Mitigator scan results To view Mitigator scan results: From the main menu, click Mitigator. The Mitigator screen appears. Click the Rogue Detection tab. To modify the screen’s refresh rate, type a time (in seconds) in the Refresh every __ seconds box.
Page 224 hwc_mitigator.fm Working with the Mitigator Working with Mitigator scan results To avoid the Mitigator's database becoming too large, it is recommended that you > either delete Rogue APs or add them to Friendly AP list, rather than leaving them in the Rogue list.
Page 225: Working With Friendly Aps
hwc_mitigator.fm Working with the Mitigator Working with friendly APs To clear all rogue access points from the Mitigator scan results, click Clear Detected Rogues. All APs are removed from the list. 10.6 Working with friendly APs To view the friendly APs: From the main menu, click Mitigator.
Page 226: Viewing The Mitigator List Of Third-Party Aps
hwc_mitigator.fm Working with the Mitigator Viewing the Mitigator list of third-party APs Channel – Specifies the current operating channel for the friendly AP ● Description – Specifies a brief description for the friendly AP ● Click Add. The new access point appears in the list above. To delete a friendly AP: From the main menu, click Mitigator.
Page 227: Maintaining The Mitigator List Of Aps
hwc_mitigator.fm Working with the Mitigator Maintaining the Mitigator list of APs 10.8 Maintaining the Mitigator list of APs To maintain the wireless APs: From the main menu, click Mitigator. The Mitigator screen appears. Click the AP Maintenance tab. The deleted access points are marked with a Deleted flag. A31003-W1040-U101-1-7619, July 2006 DRAFT HiPath Wireless Controller, Access Points and Convergence Software V4.0, C10/C100/C1000 User Guide...
Page 228 hwc_mitigator.fm Working with the Mitigator Maintaining the Mitigator list of APs To delete the marked access points from the Mitigator database, click Delete marked APs. The selected access points are deleted from the Mitigator database, not from > the HiPath Wireless Controller database. A31003-W1040-U101-1-7619, July 2006 DRAFT HiPath Wireless Controller, Access Points and Convergence Software V4.0, C10/C100/C1000 User Guide...
Page 229: Viewing The Scanner Status Report
hwc_mitigator.fm Working with the Mitigator Viewing the Scanner Status report 10.9 Viewing the Scanner Status report When the Mitigator is enabled, you can view a report on the connection status of the RF Data Collector Engines with the Analysis Engine. To view the Mitigator scanner engine status display: From the main menu, click Mitigator.
Page 230 hwc_mitigator.fm Working with the Mitigator Viewing the Scanner Status report A31003-W1040-U101-1-7619, July 2006 DRAFT HiPath Wireless Controller, Access Points and Convergence Software V4.0, C10/C100/C1000 User Guide...
Page 231: Working With Reports And Displays
hwc_reports.fm Working with reports and displays Viewing the displays Working with reports and displays This chapter describes the various reports and displays available in the HiPath Wireless Controller, Access Points and Convergence Software system. 11.1 Viewing the displays The following displays are available in the HiPath Wireless Controller, Access Points and Convergence Software system: Active Wireless APs ●...
Page 232 hwc_reports.fm Working with reports and displays Viewing the displays To view reports and displays: From the main menu, click Reports & Displays. The HiPath Reports & Displays screen appears. The two displays on the right-hand side of the screen only appear if the mobility >...
Page 233: Viewing The Wireless Ap Availability Display
hwc_reports.fm Working with reports and displays Viewing the displays Statistics are expressed in relation to the AP. Therefore, Packets Sent means the > AP has sent that data to a client and Packets Rec’d means the AP has received packets from a client. 11.1.1 Viewing the Wireless AP availability display When the AP Registration screen has been saved for the HiPath Wireless Controller in Paired...
Page 234 hwc_reports.fm Working with reports and displays Viewing the displays In the Wired Ethernet Statistics by Wireless APs display, click a registered Wireless APs to display its information. To view Wireless Statistics by Wireless APs: From the main menu, click Reports & Displays. The HiPath Reports & Displays screen appears.
Page 235 hwc_reports.fm Working with reports and displays Viewing the displays In the Wired Ethernet Statistics by Wireless APs display, click a registered Wireless APs to display its information. Click the appropriate tab to display information for each radio on the Wireless AP. To view information on a selected associated client, click View Client.
Page 236: Viewing Displays For The Mobility Manager
hwc_reports.fm Working with reports and displays Viewing the displays Statistics are expressed in respect of the AP. Therefore, Packets Sent means the AP has sent that data to a client and Packets Rec’d means the AP has received packets from a client. Time Conn is the length of time that a client has been on the system, not just on an AP.
Page 237 hwc_reports.fm Working with reports and displays Viewing the displays To view mobility manager displays: From the main menu, click Reports & Displays. The List of Displays screen appears. Click the appropriate mobility manager display: Client Location in Mobility Zone ● Mobility Tunnel Matrix ●...
Page 238 hwc_reports.fm Working with reports and displays Viewing the displays Client Location in Mobility Zone You can do the following: Sort this display by home or foreign controller ● Search for a client by MAC address, user name, or IP address, and typing the search ●...
Page 239: Viewing Reports
hwc_reports.fm Working with reports and displays Viewing reports 11.2 Viewing reports The following reports are available in the HiPath Wireless Controller, Access Points and Convergence Software system: Forwarding Table (routes defined in the HiPath Wireless Controller Routing Protocols ● screen) OSPF Neighbor (if OSPF is enabled in the Routing Protocols screen) ●...
Page 240 hwc_reports.fm Working with reports and displays Viewing reports If you open only automatically refreshed report pages, the web management > session timer will not be updated or reset. Your session will eventually timeout. To export and save a report in XML: On the report window, click Export.
Page 241: Performing System Maintenance
hwc_ongoing.fm Performing system maintenance Performing wireless AP client management Performing system maintenance This chapter describes system maintenance processes, including: Performing wireless AP client management ● Resetting the AP to its factory default settings ● Performing system maintenance tasks ● Performing HiPath Wireless Controller software maintenance ●...
Page 242: Blacklisting A Client
hwc_ongoing.fm Performing system maintenance Performing wireless AP client management In the Select AP list, click the AP you want to dissassociate. In the Select Client(s) list, select the checkbox next to the client you want to disassociate, if applicable. You can search for a client by MAC Address, IP Address or User ID, by selecting >...
Page 243: Hipath Wireless Controller, Access Points And Convergence Software V4.0, C10/C100/C1000 User Guide
hwc_ongoing.fm Performing system maintenance Performing wireless AP client management To blacklist a wireless device client: From the main menu, click Wireless AP Configuration. The Wireless AP Configuration screen appears. From the left pane, click Client Management. The Disassociate tab appears. In the Select AP list, click the AP you want to dissassociate.
Page 244 hwc_ongoing.fm Performing system maintenance Performing wireless AP client management To blacklist a wireless device client using its MAC address: From the main menu, click Wireless AP Configuration. The Wireless AP Configuration screen appears. From the left pane, click Client Management. The Disassociate tab appears. Click the Blacklist tab.
Page 245 hwc_ongoing.fm Performing system maintenance Performing wireless AP client management To clear an address from the blacklist: From the main menu, click Wireless AP Configuration. The Wireless AP Configuration screen appears. From the left pane, click Client Management. The Disassociate tab appears. Click the Blacklist tab.
Page 246: Resetting The Ap To Its Factory Default Settings
hwc_ongoing.fm Performing system maintenance Resetting the AP to its factory default settings 12.2 Resetting the AP to its factory default settings You can reset the wireless AP to its factory default settings. The AP boot-up sequence includes a random delay interval, followed by a vulnerable time interval. During the vulnerable time interval (2 seconds), the LEDs flash in a particular sequence to indicate that the HiPath Wireless Controller is in the vulnerable time interval.
Page 247 hwc_ongoing.fm Performing system maintenance Performing system maintenance tasks To change the log levels: From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen appears. In the System Log Level area, from the Wireless Controller Log Level drop-down list, select the least severe log level for the Controller that you want to receive: Information, Minor, Major, Critical.
Page 248 hwc_ongoing.fm Performing system maintenance Performing system maintenance tasks To set a poll interval: From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen appears. From the left pane, click System Maintenance. The System Maintenance screen appears. In the Health Checking area, in the Poll Timer box, type the time interval (in seconds) for the HiPath Wireless Controller to check that each Wireless AP is connected.
Page 249 hwc_ongoing.fm Performing system maintenance Performing system maintenance tasks 11. To apply your changes, click on the Apply button. The syslog daemon must be running on both the HiPath Wireless Controller and on > the remote syslog server before the logs can be synchronized. If you change the log level on the HiPath Wireless Controller, you must also modify the appropriate setting in the syslog configuration on remote syslog server.
Page 250: Performing Hipath Wireless Controller Software Maintenance
hwc_ongoing.fm Performing system maintenance Performing HiPath Wireless Controller software maintenance 12.4 Performing HiPath Wireless Controller software maintenance You can update the core HiPath Wireless Controller software files, and the Operating System (OS) software using the Software Maintenance function. A facility to backup and restore the HiPath Wireless Controller database is also available.
Page 251 hwc_ongoing.fm Performing system maintenance Performing HiPath Wireless Controller software maintenance The Available HWC Images area displays the list of software versions that have been downloaded and are available. In the Upgrade area, select an image from the Select an image to use drop-down list. It is recommended that the Bypass checks for compatible upgrade RPM and >...
Page 252: Updating Operating System Software
hwc_ongoing.fm Performing system maintenance Performing HiPath Wireless Controller software maintenance To delete a HiPath Wireless Controller software image: From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen appears. From the left pane, click Software Maintenance. The HWC Software tab appears. To delete a software image from the list, in the Available HWC Images list, click the image.
Page 253 hwc_ongoing.fm Performing system maintenance Performing HiPath Wireless Controller software maintenance The Available OS Images area displays the list of software versions that have been downloaded and are available. In the Upgrade area, select an image from the Select an image to use drop-down list. To launch the upgrade with the selected image, click Upgrade Now.
Page 254: Backing Up Hipath Wireless Controller Software
hwc_ongoing.fm Performing system maintenance Performing HiPath Wireless Controller software maintenance To delete a software image from the list, in the Available OS Images list, click the image. Click Delete. The image is removed from the list. 12.4.3 Backing up HiPath Wireless Controller software You can backup the HiPath Wireless Controller database.
Page 255 hwc_ongoing.fm Performing system maintenance Performing HiPath Wireless Controller software maintenance To launch the backup with the selected items, click on the Backup Now button. In the dialog box that appears, confirm the backup. The items are backed up. To upload a new backup: From the main menu, click Wireless Controller Configuration.
Page 256 hwc_ongoing.fm Performing system maintenance Performing HiPath Wireless Controller software maintenance To schedule a backup: From the main menu, click Wireless Controller Configuration. The Wireless Controller Configuration screen appears. From the left pane, click Software Maintenance. The HWC Software tab appears. Click the Backup tab.
Page 257: Restoring Hipath Wireless Controller Software
hwc_ongoing.fm Performing system maintenance Performing HiPath Wireless Controller software maintenance FTP Server – The IP of the FTP server to where the scheduled backup will be copied ● User ID – The user ID that the controller should use when it attempts to log in to the ●...
Page 258 hwc_ongoing.fm Performing system maintenance Performing HiPath Wireless Controller software maintenance The Available Backups area displays the list items that have been backed up and are available. In the Restore area, select an item from the Select an image to use drop-down list. To launch the backup with the selected items, click on the Restore Now button.
Page 259: Upgrading A Hipath Wireless Controller Using Sftp
hwc_ongoing.fm Performing system maintenance Performing HiPath Wireless Controller software maintenance User ID – The user ID that the controller should use when it attempts to log in to the ● FTP server. Password – The corresponding password for the user ID. ●...
Page 260: Configuring The Controller For Interaction With The Hipath Wireless Manager
hwc_ongoing.fm Performing system maintenance Performing HiPath Wireless Controller software maintenance To upload an image file: Launch the SFTP client, point it to the HiPath Wireless Controller and login in. The exact details of how to do this will depend on the client used. The following screenshot uses putty as an example: Change to the directory to receive the uploaded file: For AP images change to: /var/tftp/chantry...
Page 261 hwc_ongoing.fm Performing system maintenance Performing HiPath Wireless Controller software maintenance Manager. To configure the HiPath Wireless Controller to interact with the HiPath Wireless Manager, a shared secret must be defined for both. For more information, see the HiPath Wireless Manager User Guide. To configure a shared secret for interaction with the HiPath Wireless Manager From the main menu, click Wireless Controller Configuration.
Page 262: Configuring Controller, Access Points And Convergence Software Logs And Traces
hwc_ongoing.fm Performing system maintenance Performing HiPath Wireless Controller software maintenance To remove a connections, select the IP address in the table and then click Remove Selected Peer. To save your changes, click Save. 12.4.7 Configuring Controller, Access Points and Convergence Software logs and traces The system stores configuration data and log files.
Page 263 hwc_ongoing.fm Performing system maintenance Performing HiPath Wireless Controller software maintenance Reboot due to failure ● Software upgrade failure on the HiPath Wireless Controller ● Software upgrade failure on the Wireless AP ● Detection of rogue access point activity without valid ID ●...
Page 264 hwc_ongoing.fm Performing system maintenance Performing HiPath Wireless Controller software maintenance To filter the logs by severity, in order to display only Info, Minor, Major, or Critical logs, click the appropriate Log tab at the top of the screen. To refresh the information in any display, click Refresh. To export information from a display as an HTML file, click the Export button.
Page 265 hwc_ongoing.fm Performing system maintenance Performing HiPath Wireless Controller software maintenance To refresh the information in any display, click Refresh. To export information from a display as an HTML file, click the Export button. To view audits: From the main menu, click Logs & Traces. The Logs & Traces screen appears. In the Navigation bar, click the Audit: GUI tab.
Page 266 hwc_ongoing.fm Performing system maintenance Performing HiPath Wireless Controller software maintenance To clear logs: From the main menu, click Logs & Traces. The Logs & Traces screen appears. In the Navigation bar, click one of the Log tabs. The selected Log screen appears. The following is an example of the HiPath Wireless Controller logs: The events are displayed in chronological order, sorted by the Timestamp column.
Page 267: Glossary
hwc_glossary.fm Glossary Networking terms and abbreviations Glossary 13.1 Networking terms and abbreviations Term Explanation Authentication, Authorization and Accounting. A system in IP-based networking to control what computer resources users have access to and to keep track of the activity of users over a network. Access Point (AP) A wireless LAN transceiver or "base station"...
Page 268 hwc_glossary.fm Glossary Networking terms and abbreviations Term Explanation asynchronous Asynchronous transmission mode (ATM). A start/stop transmission in which each character is preceded by a start signal and followed by one or more stop signals. A variable time interval can exist between characters.
Page 269 hwc_glossary.fm Glossary Networking terms and abbreviations Term Explanation Datagram A datagram is "a self-contained, independent entity of data carrying sufficient information to be routed from the source to the destination computer without reliance on earlier exchanges between this source and destination computer and the transporting network." (RFC1594). The term has been generally replaced by the term packet.
Page 270 hwc_glossary.fm Glossary Networking terms and abbreviations Term Explanation Diversity antenna and The AP has two antennae. Receive diversity refers to the ability of the receiver AP to provide better service to a device by receiving from the user on which ever of the two antennae is receiving the cleanest signal. Transmit diversity refers to the ability of the AP to use its two antenna to transmit on a specific antenna only, or on a alternate antennae.
Page 271 hwc_glossary.fm Glossary Networking terms and abbreviations Term Explanation EAP-TLS EAP-TLS Extensible Authentication Protocol - Transport Layer EAP-TTLS Security. A general protocol for authentication that also supports multiple authentication methods, such as token cards, Kerberos, one- time passwords, certificates, public key authentication and smart cards.
Page 272 hwc_glossary.fm Glossary Networking terms and abbreviations Term Explanation Fit, thin and fat APs A thin AP architecture uses two components: an access point that is essentially a stripped-down radio and a centralized management controller that handles the other WLAN system functions. Wired network switches are also required.
Page 273 hwc_glossary.fm Glossary Networking terms and abbreviations Term Explanation Host (1) A computer (usually containing data) that is accessed by a user working on a remote terminal, connected by modems and telephone lines. (2) A computer that is connected to a TCP/IP network, including the Internet.
Page 274 hwc_glossary.fm Glossary Networking terms and abbreviations Term Explanation Internet or IP IP or Internet telephony are communications, such as voice, facsimile, telephony voice-messaging applications, that are transported over the Internet, rather than the public switched telephone network (PSTN). IP telephony is the two-way transmission of audio over a packet-switched IP network (TCP/IP network).
Page 275 hwc_glossary.fm Glossary Networking terms and abbreviations Term Explanation IPsec Internet Protocol security (IPSec) IPsec-ESP Internet Protocol security Encapsulating Security Payload (IPsec- IPsec-AH ESP). The encapsulating security payload (ESP) encapsulates its data, enabling it to protect data that follows in the datagram.Internet Protocol security Authentication Header (IPsec-AH).
Page 276 hwc_glossary.fm Glossary Networking terms and abbreviations Term Explanation Media Access Control layer. One of two sublayers that make up the Data Link Layer of the OSI model. The MAC layer is responsible for moving data packets to and from one Network Interface Card (NIC) to another across a shared channel.
Page 277 hwc_glossary.fm Glossary Networking terms and abbreviations Term Explanation Network Address Translator. A network capability that enables a group of computers to dynamically share a single incoming IP address. NAT takes the single incoming IP address and creates new IP address for each client computer on the network.
Page 278 hwc_glossary.fm Glossary Networking terms and abbreviations Term Explanation Operating system. Open System Interconnection. An ISO standard for worldwide communications that defines a networking framework for implementing protocols in seven layers. Control is passed from one layer to the next, starting at the application layer in one station, down through the presentation, session, transport, network, data link layer to the physical layer at the bottom, over the channel to the next station and back up the hierarchy.
Page 279 hwc_glossary.fm Glossary Networking terms and abbreviations Term Explanation Packet The unit of data that is routed between an origin and a destination on the Internet or any other packet-switched network. When any file is sent from one place to another on the Internet, the Transmission Control Protocol (TCP) layer of TCP/IP divides the file into packets.
Page 280 hwc_glossary.fm Glossary Networking terms and abbreviations Term Explanation push-to-talk (PTT) The push-to-talk (PTT) is feature on wireless telephones that allows them to operate like a walkie-talkie in a group, instead of standard telephone operation. The PTT feature requires that the network be configured to allow multicast traffic.
Page 281 hwc_glossary.fm Glossary Networking terms and abbreviations Term Explanation Roaming In 802.11, roaming occurs when a wireless device (a station) moves from one Access Point to another (or BSS to another) in the same Extended Service Set (ESS) -identified by its SSID. RP-SMA Reverse Polarity-Subminiature version A, a type of connector used with wireless antennas...
Page 282 hwc_glossary.fm Glossary Networking terms and abbreviations Term Explanation SMT (802.11) Station ManagemenT. The object class in the 802.11 MIB that provides the necessary support at the station to manage the processes in the station such that the station may work cooperatively as a part of an IEEE 802.11 network.
Page 283 hwc_glossary.fm Glossary Networking terms and abbreviations Term Explanation SSID Service Set Identifier. A 32-character unique identifier attached to the header of packets sent over a Wireless LAN that acts as a password when a wireless device tries to connect to the Basic Service Set (BSS).
Page 284 hwc_glossary.fm Glossary Networking terms and abbreviations Term Explanation Switch In networks, a device that filters and forwards packets between LAN segments. Switches operate at the data link layer (layer 2) and sometimes the network layer (layer 3) of the OSI Reference Model and therefore support any packet protocol.
Page 285 hwc_glossary.fm Glossary Networking terms and abbreviations Term Explanation TKIP Temporal Key Integrity Protocol (TKIP) is an enhancement to the WEP encryption technique that uses a set of algorithms that rotates the session keys. TKIPs’ enhanced encryption includes a per-packet key mixing function, a message integrity check (MIC), an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.
Page 286 Virtual LAN (VLAN) Bridges that permit the definition, operation and administration of Virtual LAN topologies within a Bridged LAN infrastructure." Virtual Network Services (VNS). A Siemens specific technique that provides a means of mapping wireless networks to a wired topology. VoIP Voice Over Internet Protocol.
Page 287 hwc_glossary.fm Glossary Networking terms and abbreviations Term Explanation Vendor Specific Attribute, an attribute for a RADIUS server defined by the manufacturer.(compared to the RADIUS attributes defined in the original RADIUS protocol RFC2865). A VSA attribute is defined in order that it can be returned from the RADIUS server in the Access Granted packet to the Radius Client.
Page 288: Controller, Access Points And Convergence Software Terms And Abbreviations
hwc_glossary.fm Glossary Controller, Access Points and Convergence Software terms and abbreviations Term Explanation Wireless Protected Access, or Wi-Fi Protected Access is a security solution adopted by the Wi-Fi Alliance that adds authentication to WEPs’ basic encryption. For authentication, WPA specifies IEEE 802.1x authentication with Extensible Authentication Protocol (EAP).
Page 289 hwc_glossary.fm Glossary Controller, Access Points and Convergence Software terms and abbreviations Term Explanation DRM (dynamic radio/ The DRM feature consists of software on the Wireless AP that RF management) provides dynamic radio frequency (RF) management. For Wireless APs with the DRM feature enabled and on a common channel, the power levels will be adjusted to balance coverage if a Wireless AP is added to, or leaves, the network.
Page 290 Analysis Engine to assist in detecting rogue access points. Virtual Network The Virtual Network Services (VNS) technique is Siemens's means Services (VNS) of mapping wireless networks to the topology of an existing wired network. When you set up Virtual Network Services (VNS) on the HiPath Wireless Controller, you are defining subnets for groups of wireless users.
Page 291 hwc_appendixa.fm System states and LEDs HiPath Wireless Controller system states and LEDs System states and LEDs HiPath Wireless Controller system states and LEDs The HiPath Wireless Controller has the two system states: Standby and Active. It enters Standby state when shut down in the user interface. During this state, the HiPath Wireless Controller: sends a control message to Wireless APs to enter Standby state ●...
Page 292 hwc_appendixa.fm System states and LEDs Wireless AP system states Activity LED: Indicates the amount of traffic carried to and from Wireless APs. This LED is ● visible from both the front and the back of the HiPath Wireless Controller. Table 21 shows the sequence of the Status and Activity LEDs. System State Status LED Activity LED...
Page 293 hwc_appendixa.fm System states and LEDs Wireless AP system states State / Process Description LEDs Failed discovery If there are SLP issues in failed discovery, the LED display Green-orange changes. (alternate blink) Registration Wireless AP learns the HiPath Wireless Controller's IP Orange (blink) address, and can begin the Registration process Failed...
Page 294 hwc_appendixa.fm System states and LEDs Wireless AP system states A31003-W1040-U101-1-7619, July 2006 DRAFT HiPath Wireless Controller, Access Points and Convergence Software V4.0, C10/C100/C1000 User Guide...
Page 295 hwc1000_user_guideix.fm Index Nur für den internen Gebrauch Index defined 112 non-authenticated filtering rules 156 accounting privacy mechanisms 167 setup on a VNS 150 set up a VNS topology 125 adding view sample page 144 wireless AP manually 80 Check Point event logging 205 alarms configuring overview of log types and levels 262...
Page 296 hwc1000_user_guideix.fm Index Nur für den internen Gebrauch wireless AP wired and wireless statistics gateway, default, on a VNS 129 documentation feedback 11 global settings Domain Name Server (DNS) for a VNS 116 in discovery 71 RADIUS servers for authentication 138, Dynamic Host Configuration Protocol (DHCP) 146, 149, 151 for availability 189...
Page 297 hwc1000_user_guideix.fm Index Nur für den internen Gebrauch set up a VNS for VoIP 177 view and modify 88 RADIUS server deployment with no server 109 network assignment filter ID values 159 by AAA 170 for authentication 138, 146, 149, 151 by SSID for Captive Portal 125 for MAC-based authentication 148 options for a VNS 110...
Page 298 hwc1000_user_guideix.fm Index Nur für den internen Gebrauch Simple Network Management Protocol (SN- network assignment overview 110 privacy for AAA 170 MIBs supported 208 privacy overview 167 software set up for VoIP 176 maintenance of Controller software 250 topology for Captive Portal 125 maintenance of wireless AP software 101 Voice-over-IP (VoIP) SSID network assignment for Captive Portal...
Page 300 IP convergence innovative product portfolio. solutions. www.siemens.com/hipath © Siemens AG 2006 • Information and Communication Networks • Hofmannstraße 51 • D-81359 München, Germany Reference No.: A31003-W1040-U101-1-7619 Printed in Germany. Subject to availability. Right of modification reserved.

This manual is also suitable for:

Hipath c1000 Hipath c2400 Hipath ap2610 Hipath ap2620 Hipath c100

Siemens HiPath C10 User Manual

1 About this Guide

2 Regulatory Information

3 Overview of the Controller, Access Points and Convergence Software Solution

4 Configuring the Hipath Wireless Controller

5 Configuring the Wireless AP

6 Virtual Network Services

7 Virtual Network Configuration

8 Availability, Mobility, and Controller Functionality

9 Working with Third-Party Aps

10 Working with the Mitigator

11 Working with Reports and Displays

12 Performing System Maintenance

13 Glossary

Quick Links

Related Manuals for Siemens HiPath C10

Summary of Contents for Siemens HiPath C10