Page 1 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA 202-10265-01 June 2007...
Page 2: Technical Support
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Page 3 This product complies with CAN/CSA C22.2 No 60950 standards. Europe The WFS709TP ProSafe Smart Wireless Switch is compliant with the following EU Council Directives: 89/336/EEC and LVD 73/23/EEC. Compliance is verified by testing to the following standards: EN55022 Class A, EN55024, and EN60950.
Page 4 VCCI - Class A Korea Class A Australia/New Zealand This product complies with AS/NZS CISPR 22 Class A standards. Rest of World This product complies with CISPR 22 Class A standards Lithium Battery Safety Notice This product contains a lithium battery which is replaceable only by a trained technician Caution: The lithium battery may explode if it is incorrectly replaced.
Page 5 RoHS Directive are Lead (including Solder used in printed circuit assemblies), Cadmium, Mercury, Hexavalent Chromium, and Bromine compounds of PBB and PBDE. Some Netgear products are subject to the exemptions listed in RoHS Directive Annex 7 (Lead in solder used in printed circuit assemblies). Products and packaging will be marked with the "RoHS"...
Page 6 Product and Publication Details Model Number: Publication Date: Product Family: Product Name: Home or Business Product: Language: Publication Part Number: Publication Version Number: WFS709TP June 2007 Wireless WFS709TP ProSafe Smart Wireless Switch Business English 202-10265-01 v1.0, June 2007...
Page 7: Table Of Contents
How to Use This Manual ... xiv How to Print this Manual... xiv Revision History... xv Chapter 1. Overview of the WFS709TP WFS709TP System Components ...1-1 NETGEAR ProSafe Access Points ...1-1 WFS709TP ProSafe Switches ...1-5 WFS709TP Software ...1-7 Basic WLAN Configuration ...1-8 Authentication ...1-8 Encryption ...1-10 VLAN ...
Page 8 WFS709TP ProSafe Smart Wireless Switch Hardware Installation Guide Configure the Switch for the Access Points ...2-8 Configure a VLAN for Network Connection ...2-10 Connect the WFS709TP to the Network ...2-12 Configure the Loopback for the WFS709TP ...2-13 Deploying APs ...2-14 Enable APs to Connect to the WFS709TP ...2-15...
Page 9 WFS709TP ProSafe Smart Wireless Switch Hardware Installation Guide Create a Building ...4-23 Model the Access Points ...4-24 Model the Air Monitors ...4-25 Add and Edit a Floor ...4-25 Defining Areas ...4-26 Running the AP Plan ...4-29 Running the AM Plan ...4-30 Chapter 5.
Page 10 WFS709TP ProSafe Smart Wireless Switch Hardware Installation Guide Authentication Terminated on WFS709TP ...7-3 Configuring 802.1x Authentication ...7-4 802.1x Authentication Page ...7-5 Advanced Configuration Options for 802.1x ...7-6 Chapter 8. Configuring the Captive Portal Overview of Captive Portal Functions ...8-1 Configuring Captive Portal ...8-2 Configuring Advanced Captive Portal Options ...8-3...
Page 11 WFS709TP ProSafe Smart Wireless Switch Hardware Installation Guide Classifying APs ...12-2 Configuring Rogue AP Detection ...12-4 Misconfigured AP Detection ...12-5 Configuring Misconfigured AP Protection ...12-5 Chapter 13. Configuring Management Utilities Configuring Management Users ...13-1 Configuring SNMP ...13-2 SNMP for the WFS709TP ...13-2 SNMP for Access Points ...13-4...
Page 12 WFS709TP ProSafe Smart Wireless Switch Hardware Installation Guide Appendix C. Internal Captive Portal Creating a New Internal Web Page ... C-1 Basic HTML Example ... C-3 Installing a New Captive Portal Page ... C-4 Displaying Authentication Error Message ... C-4 Language Customization ...
Page 13: About This Manual
The WFS709TP ProSafe™ Smart Wireless Switch Software Administration Manual describes how to deploy and configure the WFS709TP ProSafe Smart Wireless Switch. It also includes instructions for and examples of commonly used wireless LAN (WLAN) switch configurations such as Virtual Private Networks (VPNs) and redundancy.
Page 14: How To Use This Manual
Scope. This manual is written for the WFS709TP according to these specifications: Product Version Manual Publication Date For more information about network amd wireless technologies, see the links to the NETGEAR website in Appendix D, “Related Note: Product updates are available on the NETGEAR, Inc. website at http://www.netgear.com/support.
Page 15: Revision History
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Printing from PDF. Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe website at http://www.adobe.com.
Page 16 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual About This Manual v1.0, June 2007...
Page 17: Overview Of The Wfs709Tp
WFS709TP, and provide the best features and easiest integration. Several other NETGEAR access point products can also be repurposed to work with the WFS709TP. Refer to the NETGEAR support site for a list of which NETGEAR APs can be repurposed, and for instructions on how to do so.
Page 18 APs connected to an WFS709TP. One AP is connected to a switch in the wiring closet that is connected to a router in the data center where the WFS709TP is located. The Ethernet port on the other AP is cabled directly to a port on the WFS709TP.
Page 19 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Protocol (DHCP). Once an AP locates its host switch, it automatically builds a secure Generic Routing Encapsulation (GRE) tunnel to it configuration from the switch through the tunnel. Floor Wiring closet Internet...
Page 20 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Floor Wiring closet Internet Data center Figure 1-3 Automatic RF Channel and Power Settings IntelliFi RF Management (IRM) is a radio frequency (RF) resource allocation algorithm that you can enable and configure in the WFS709TP system. When IRM is enabled, each AP can determine the optimum channel selection and transmitter power setting to minimize interference and maximize coverage and throughput.
Page 21: Wfs709Tp Prosafe Switches
All APs are connected either directly or remotely through an IP network to the WFS709TP ProSafe Smart Wireless Switch. The WFS709TP is an enterprise-class switch that bridges wireless client traffic to and from traditional wired networks and performs high-speed Layer 2 or Layer 3 packet forwarding between Ethernet ports.
Page 22 However, these services are always configured on the master WFS709TP and are “pushed” to specified local WFS709TPs. An AP obtains its firmware image and configuration from a master switch; it can also be instructed by a master switch to obtain its software from a local switch.
Page 23: Wfs709Tp Software
APs that share roaming tables, security policies, and other configurations should be managed by the same master WFS709TP. WFS709TP Software The WFS709TP ProSafe Smart Wireless Switch software is a suite of mobility applications that runs on all WFS709TPs and allows you to configure and manage the wireless and mobile user environment.
Page 24: Basic Wlan Configuration
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual The base configuration software includes the following functions: • Centralized configuration and management of APs • Wireless client authentication to an external authentication server or to the WFS709TP’s local database • Encryption •...
Page 25 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • IEEE 802.1x. The IEEE 802.1x authentication standard allows for the use of keys that are dynamically generated on a per-user basic (as opposed to a static key that is the same on all devices in the network).
Page 26: Encryption
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Encryption The Layer 2 encryption option you can select depends upon the authentication method chosen. Table 1-1 lists the authentication methods available, with their corresponding encryption options. Table 1-1. Encryption Options by Authentication Method...
Page 27: Vlan
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual VLAN Each authenticated user is placed into a VLAN, which determines the user’s DHCP server, IP address, and Layer 2 connection. While you could place all authenticated wireless users into a single VLAN, the system allows you to group wireless users into separate VLANs. This enables you to differentiate groups of wireless users and their access to network resources.
Page 28 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Floor Wiring closet Internet VLAN 20 Data center Figure 1-5 A user is assigned to a VLAN by one of several methods, and there is an order of precedence to these methods.The methods for assignment of VLANs are (from lowest to highest precedence): 1.
Page 29: Wireless Client Access To The Wlan
Tunnel Private Group ID). All three attributes must be present. This does not require any server-derived rule. 6. The VLAN is derived from NETGEAR vendor-specific attributes (VSAs) for RADIUS server authentication. This does not require any server-derived rule. If a NETGEAR VSA is present, it overrides any previous VLAN assignment.
Page 30: Authentication
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual The client determines which AP is best for connecting to the WLAN and attempts to associate with it. During the association exchange, the client and WFS709TP negotiate the data rate, authentication method, and other options.
Page 31: Client Mobility And Ap Association
WFS709TP. The master WFS709TP pushes out the client information to all local switches in its hierarchy. If the client roams to an AP connected to a different switch, the new switch recognizes the client and tunnels the client traffic back to the original switch.
Page 32: Configuring And Managing The Wfs709Tp
All WFS709TPs have a serial port for connecting to a local console, and a 10/100 Mbps Fast Ethernet port for out-of-band management. Refer to the document WFS709TP ProSafe Smart Wireless Switch Hardware Installation Guide for more information about the switch’s ports. Note: You can find the WFS709TP ProSafe Smart Wireless Switch Hardware Installation Guide in PDF form on the WFS709TP Resource CD.
Page 33 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual When you connect to the WFS709TP using the browser interface, the system displays the login page (Figure 1-6). Log in using the administrator user account. The password does not display. Figure 1-6...
Page 34: Tools
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • When you select a tab, the tool and its available pages appear in the navigation pane. You can navigate to any of the listed pages by clicking on the page name.
Page 35 • Delete. Removes the selected item from the page configuration. Note: By default, clicking Apply does not save the configuration. Once you finish configuring the switch, always remember to click Save Configuration. Overview of the WFS709TP v1.0, June 2007 1-19...
Page 36 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 1-20 Overview of the WFS709TP v1.0, June 2007...
Page 37: Deploying A Basic Wfs709Tp System
Deploying a Basic WFS709TP System This chapter describes how to connect a WFS709TP ProSafe Smart Wireless Switch and access points (APs) to your wired network. It includes the following topics: • “Configuration Overview” on page 2-1 • “Configuring the WFS709TP” on page 2-5 •...
Page 38: Deployment Scenario #2
Set the default gateway to the IP address of the interface of the upstream router to which you will connect the WFS709TP. 2. Connect the uplink port on the WFS709TP to the switch or router interface. By default, all ports on the WFS709TP are access ports and will carry traffic for a single VLAN.
Page 39 (It is the default gateway for the wireless clients.) The uplink port on the WFS709TP is connected to a Layer 2 switch or router; this port is an access port in VLAN 1. You need to perform the following tasks: 1.
Page 40: Deployment Scenario #3
APs are on multiple subnetworks, with routers between the APs and the WFS709TP. The WFS709TP is connected to a Layer 2 switch or router through a trunk port that carries traffic for all wireless user VLANs. An upstream router functions as the default gateway for the wireless users.
Page 41: Configuring The Wfs709Tp
Do not specify a default gateway (use the default “none”). In a later step, you configure the default gateway. 2. Create a VLAN that has the same VLAN ID as the VLAN on the switch or router to which you will connect the WFS709TP. Add the uplink port on the WFS709TP to this VLAN and configure the port as a trunk port.
Page 42: Run The Initial Setup
• The DHCP server on the switch is first enabled and then disabled after setup is complete. If you connect the switch to your network before completing the initial setup, the DHCP server is active on your network...
Page 43 • System name. A user-defined name for the switch (up to 64 characters). • VLAN 1 IP address & subnetwork mask—the IP address that the switch will use to communicate with other switches and with access points. • Default gateway. The default gateway on the switch’s planned subnetwork (the default gateway and VLAN 1 IP address must be in the same network).
Page 44: Configure The Switch For The Access Points
Note: Later, if needed, you can reconfigure the PC you used in step 1 back to its original TCP/IP settings. Configure the Switch for the Access Points 1. Connect the WFS709TP Smart Wireless Switch to your PC using an Ethernet cable to one of the Fast Ethernet Ports. 2. In the web browser of your PC: a.
Page 45 DHCP server. Figure 2-6 Connect the access points directly to the switch using an Ethernet cable to one of the Fast Ethernet Ports on the switch (this does not need to be the final installation location for the access points).
Page 46: Configure A Vlan For Network Connection
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Configure a VLAN for Network Connection Follow the instructions in this section only if you need to configure a trunk port between the WFS709TP and another Layer 2 switch (as in This section shows how to use the browser interface for the following configurations: •...
Page 47 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 4. Navigate to the Configuration > Basic > Network > IP Interfaces page for the VLAN you just added. Enter the IP address and network mask of the VLAN interface. If required, you can also configure the address of the DHCP server for the VLAN by clicking Add.
Page 48: Connect The Wfs709Tp To The Network
3. Click Apply. Connect the WFS709TP to the Network Connect the ports on the WFS709TP to the appropriately configured ports on an L2 switch or router. Make sure that you have the correct cables and that the port LEDs indicate proper connections.
Page 49: Configure The Loopback For The Wfs709Tp
To set the loopback address through the browser interface: 1. Navigate to the Configuration > Advanced > Switch > General page 2. Enter the IP address for the loopback address. Deploying a Basic WFS709TP System “Deployment Scenario #2”...
Page 50: Deploying Aps
4. At the top of the page, click Save Configuration. You need to reboot the WFS709TP for the new IP address to take effect. 5. Navigate to the Maintenance > Switch > Reboot Switch page Figure 2-11 6. Click Continue.
Page 51: Enable Aps To Connect To The Wfs709Tp
Each AP requires a unique IP address on a subnetwork that has connectivity to a WFS709TP. NETGEAR recommends using the Dynamic Host Configuration Protocol (DHCP) to provide IP addresses for APs. The DHCP server can be an existing network server or a WFS709TP configured as a DHCP server.
Page 52 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 2-12 2. Select the Enable DHCP Server checkbox. 3. In the Pool Configuration section, click Add. Figure 2-13 4. On the Add DHCP Pool page, enter information about the subnetwork for which IP addresses...
Page 53 Using ADP. The Aruba Discovery Protocol (ADP) is enabled by default on all NETGEAR APs and WFS709TPs. To use ADP, all APs and WFS709TPs must be connected to the same Layer 2 network.
Page 54: Install Aps
1.2.3, where 1 specifies the building, 2 specifies the floor, and 3 specifies the location. You can also configure IntelliFi RF Management (IRM), a mechanism that enables NETGEAR APs to optimize their functions in any RF environment. (See Settings”...
Page 55 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 2-14 2. Select the AP that is to be configured from the list by selecting the checkbox to the left of the AP and then clicking the Provision button. Figure 2-15 3.
Page 56: Additional Configuration
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Additional Configuration After you have installed a basic WFS709TP system, the APs advertise the default netgear-ap SSID. Wireless users can connect to this SSID, but because you have not yet configured authentication, policies, or user roles, they will not have access to the network. Other chapters in this manual describe how to build upon this basic deployment to configure user roles, authentication, authentication servers, and other wireless features.
Page 57: Configuring Network Parameters
“Configuring the Loopback IP Address” on page 3-6 Configuring VLANs The WFS709TP ProSafe Smart Wireless Switch operates as a Layer 2 switch that uses a VLAN as a broadcast domain. As a Layer 2 switch, the WFS709TP requires an external router to route traffic between VLANs.
Page 58: Assigning A Static Address To A Vlan
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 3. On the Add New VLAN screen Figure 3-1 4. To add physical ports to the VLAN, click Add in the VLAN Members section, then select the port to add to the VLAN.
Page 59: Configuring A Vlan To Receive A Dynamic Address
In a branch office, you can connect a WFS709TP to an uplink switch or server that dynamically assigns IP addresses to connected devices. For example, the switch can be connected to a DSL or cable modem, or a broadband remote access server (BRAS).
Page 60 Only one VLAN on the WFS709TP can obtain its IP address through DHCP. Enabling the DHCP Client The DHCP server assigns an IP address for a specified amount of time called a lease. The switch automatically renews the lease before it expires. When you shut down the VLAN, the DHCP lease is released.
Page 61: Configuring Static Routes
IP address of the DNS server obtained by the WFS709TP via DHCP is provided to clients along with their IP address. 1. Navigate to the Configuration > Advanced > Switch > General > DHCP Server page. 2. Select Enable DCHP Server.
Page 62: Configuring The Loopback Ip Address
The loopback IP address is a logical IP interface that is used by the WFS709TP to communicate with APs. If you do not configure a loopback address for the switch, the IP address of the lowest- numbered VLAN interface (typically VLAN 1) is used.
Page 63 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 1. Navigate to the Configuration > Advanced > Switch > General page on the browser interface (Figure 3-5). Figure 3-5 2. Modify the loopback IP address in the Loopback Interface section on this page as required.
Page 64 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Configuring Network Parameters v1.0, June 2007...
Page 65: Chapter 4. Rf Plan
RF Plan is a built-in wireless deployment modeling tool that enables you to design an efficient wireless local area network (WLAN) for your corporate environment, optimizing coverage and performance, and eliminating complicated WLAN network setup. This chapter describes the following topics: •...
Page 66: Before You Begin
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Before You Begin Before you use RF Plan, review the following steps to create a building model and plan the WLAN for the model. Task Overview 1. Gather information about your building’s dimensions and floor plan.
Page 67: Using Rf Plan
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Use a worksheet similar to the following to collect your information: Table 4-1. Building Dimensions Height: Number of Floors: User Information Number of Users: Radio Types: Overlap Factor: AP Desired Rates 802.11b|g: AM Desired Rates 802.11b|g:...
Page 68: Building List Page
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Building List Page Building List is the first page you see when you start RF Plan. This list contains all the buildings you have defined using the RF Plan tool. The first time you run the application, there are no buildings in the list.
Page 69: Building Dimension Page
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 4-2 The Overview page includes the following: • Building Dimensions. Your building’s name and dimensions • Access Point Modeling Parameters. • Air Monitor Modeling Parameters. • Building Dimensions button (in the upper right of the page). Click this button to edit the building dimensions settings.
Page 70 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 4-3 Enter the following information: • Building ID. The valid range for this field is any integer from 1 to 255. • Building Name. The Building Name is an alphanumeric string up to 64 characters in length.
Page 71: Ap Modeling Parameters Page
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual When width and length are specified, RF Plan creates a rectangular area in the Planning feature pages that represent the overall area covered by the building. You need to import an appropriate background image defining areas that don’t require coverage or areas in which you do not wish to deploy APs and...
Page 72 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Design Model. Use these radio buttons to specify which design model to use in the placement of APs. • Users. Use this field to specify the number of users on your WLAN.
Page 73: Am Modeling Parameters Page
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Users Note: The Users text boxes are active only when the Capacity model is selected. • Enter the number of users you expect to have on your WLAN in the Users text box.
Page 74: Planning Floors Page
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Design Model. Use these radio buttons to specify a design model to use in the placement of AMs. • Monitor Rate. Use this pull-down menu to specify the desired monitor rate for the AMs.
Page 75 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 4-7 You can select or adjust the following features, which are described in more detail in this section: • Zoom. Use this pull-down menu or type a zoom factor in the text field to increase or decrease the size of the displayed floor area.
Page 76 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Coverage Select a radio type from the Coverage pull-down menu to view the approximate coverage area for each of the APs that RF Plan has deployed in the AP Plan or AM Plan (Figure 4-8).
Page 77 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 4-9 Naming. You can name the floor anything you choose as long as the name is an alphanumeric string with a maximum length of 64 characters. The name you specify appears to the right of the Floor Number displayed above the background image in the Planning view.
Page 78 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 4-10 Naming. You can name an area using an alphanumeric string of characters with a maximum length of 64 characters. Give areas meaningful names so that they are easily identified. Locating and Sizing. Specify absolute coordinates for the lower left corner and upper right corner of the box that represents the area you are defining.
Page 79 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Access Point Editor Page The Access Point Editor (Figure 4-13) allows you to manually create or modify a suggested AP. Figure 4-13 Naming. RF Plan automatically names APs using the default convention ap number, where number starts at 1 and increments by one for each new AP.
Page 80 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Fixed. Fixed APs do not move when RF Plan executes the positioning algorithm. Note: You would typically set a fixed AP when you have a specific room, such as a conference room, in which you want saturated coverage. Consider also using fixed APs for areas with unusually high user density.
Page 81: Ap Planning Page
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual AP Planning Page The AP Planning page (Figure 4-15) uses the information entered in the modeling pages to locate access points in the buildings you described. Figure 4-15 Initialize Initialize the optimizing algorithm by clicking the Initialize button. This makes an initial placement of the APs and prepares RF Plan for the task of determining the optimum location for each AP.
Page 82 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 4-16 Start Click Start to launch the optimizing algorithm. The AP symbols move on the page as RF Plan finds the optimum location for each. The process may take several minutes. You can watch the progress on the status bar of your browser.
Page 83: Am Planning Page
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 4-17 The Suggested Access Points and Air Monitors table (Figure 4-18) lists the coordinates, power, location, power setting, and channel for each of the APs shown in the floor plan. Figure 4-18 AM Planning Page The AM Planning page calculates the optimum placement for the air monitors.
Page 84: Exporting And Importing Files
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual AMs. To obtain information about a specific AM, place the cursor over its symbol. An information box appears (Figure 4-19), containing information about the AM’s exact location, PHY type, channel, power, and so on.
Page 85: Locate
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 4-21 When exporting a building file, NETGEAR recommends that you select the Include Images checkbox. When you click the Save to a file... button, you are prompted for the location and name for the exported file.
Page 86: Rf Plan Example
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual The Deployed Access Points and Air Monitors table displays information on each of these devices. • To add a device, click Add Device. • To delete a device, click Remove Device. •...
Page 87: Create A Building
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Create a Building In this section you create a building using the information supplied in the planning summary. 1. Click New Building. The Overview page appears. 2. Click Save. 3. Click Building Dimension.
Page 88: Model The Access Points
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Model the Access Points You now determine how many APs are required to cover your building with a specified data transfer rate and overlap. In this example, you use the Coverage Model. The following assumptions are made about the performance of the WLAN: •...
Page 89: Model The Air Monitors
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Model the Air Monitors You now determine how many AMs are required to provide a specified monitoring rate. In this example you continue to use the Coverage Model and make the following assumptions: •...
Page 90: Defining Areas
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 2. Type Entrance Level in the Name box of the Floor Editor Dialog. 3. Use the Browse button to locate the background image for the first floor. 4. Click Apply. To add the background image and name the second floor: 1.
Page 91 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual This example assumes the following: • You do not care if you have coverage in the Shipping and Receiving areas. • You do not want to deploy APs or AMs in the Lobby Area.
Page 92 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 4-27 8. Click Save. Create a Don’t Deploy Area To create a Don’t Deploy area: 1. Click the New link in the Areas section under Floor 1 to open the Area Editor.
Page 93: Running The Ap Plan
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 6. Drag one corner of the box to a corresponding corner of the lobby and using one of the corner handles of the box, stretch it to fit exactly over the lobby area.
Page 94: Running The Am Plan
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual The algorithm stops when the movement is less than a threshold value calculated based on the number of APs. The threshold value is displayed in the status bar at the bottom of the browser window.
Page 95 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 2. Click Save. RF Plan 4-31 v1.0, June 2007...
Page 96 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 4-32 RF Plan v1.0, June 2007...
Page 97: Chapter 5. Configuring Wlans
This section describes tasks that you need to do prior to configuring a WLAN. You have a wide variety of options for authentication, encryption, access management, and user rights when you configure a WLAN with a WFS709TP ProSafe Smart Wireless Switch. However, you must configure the following basic elements: •...
Page 98: Determine The Authentication Method
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Determine the Authentication Method A user must authenticate to the system in order to access WLAN resources. types of authentication that you can configure for a WLAN. Table 5-1. Authentication Methods Method...
Page 99 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual The Layer 2 encryption depends upon the authentication method chosen Table 5-2. Encryption Options by Authentication Method Authentication Method None 802.1x WPA or WPA-PSK WPA2, WPA2-PSK, or xSec Combination of WPA or WPA-PSK and WPA2 or...
Page 100: Determine The Default Vlan
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual ** Only when the AAA FastConnect feature is enabled and EAP-Generic Token Card (EAP-GTC) is used within the Protected EAP tunnel. See “Configuring 802.1x Authentication” on page Determine the Default VLAN Each SSID is linked to a VLAN on the WFS709TP. Successful wireless client association to an AP places the user into the default VLAN specified by the SSID configuration.
Page 101 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • You can assign only one VLAN to the SSID. If you need to have multiple VLANs configured for a WLAN, you must configure the SSID using the WLAN Advanced Configuration pages.
Page 102 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 5-4 describes the options available from the WLAN Basic Configuration page. Table 5-4. WLAN Basic Configuration Parameters Parameter Network Section: Network Name (SSID) Radio Type 802.11 Security: Network Authentication Encryption Advanced Authentication...
Page 103: Example Configuration
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 5-4. WLAN Basic Configuration Parameters (continued) Parameter Authentication Server VLAN Example Configuration This section describes how to use the WLAN Basic Configuration page to configure a WLAN to provide network access for company employees who use wireless PCs. Employees are typically validated against a corporate database on an authentication server before they are allowed access to the network.
Page 104 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Shared Key: radius123 The administrator for the RADIUS server must configure the server to support authentication. The administrator must also configure the server to allow communication with the WFS709TP. To configure the WLAN in the WLAN Basic Configuration page: 1.
Page 105: Advanced Wlan Configuration In The Browser Interface
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 5-2 7. Click Apply. Advanced WLAN Configuration in the Browser Interface The Advanced WLAN configuration pages allow you to configure the following features: • Global SSID and radio parameters that affect all APs in the network •...
Page 106: Configuring Location-Specific Parameters
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Navigate to the Configuration > Advanced > WLAN > Network > SSID page to add or modify SSIDs. • Navigate to the Configuration > Advanced > WLAN > Network > General page to configure or modify AP parameters.
Page 107 Default SSID The default SSID is netgear-ap. This will be broadcast as a valid SSID if the value is not changed. This is the only SSID that permits a name change. To change the name of other SSIDs but retain the configurations: 1.
Page 108: Configure Ap Information
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Ignore Broadcast Probe Request. When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls whether or not the system responds for this SSID. When enabled, no response is sent and clients must know the SSID in order to associate to the SSID.
Page 109 • LMS IP and Backup LMS IP. Specifies the local management switch (LMS) that the AP uses in multi-switch networks. The LMS is responsible for terminating user traffic from the APs, processing it, and forwarding it to the wired network. An AP can boot up from any WFS709TP on the WLAN network (in a setup with master and local WFS709TPs), if all of the WFS709TPs are on the same VLAN and if load balancing is enabled on the WFS709TP.
Page 110: Configuring Radio Settings
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Power Management. Enables power management. • Bootstrap Threshold. Number of heartbeat misses before an AP reboots. • VoIP CAC Disconnect Extra Call. Enables disconnecting of calls that exceed the high capacity threshold.
Page 111 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 5-5 The radio configuration in the Advanced WLAN pages allow you to configure the following settings: • RTS Threshold. Wireless clients transmitting frames larger than this threshold must issue Request to Send (RTS) and wait for the AP to respond with Clear to Send (CTS). This helps prevent mid-air collisions for wireless clients that are not within wireless peer range and cannot detect when other wireless clients are transmitting.
Page 112 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • DTIM Period. Specifies the interval between the sending of Delivery Traffic Indication Messages (DTIMs) in the beacon. This is the maximum number of beacon cycles before unacknowledged network broadcasts are flushed. When using wireless clients that employ power management features to sleep, the client must revive at least once during the DTIM period to receive broadcasts.
Page 113: Example Configuration
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual The radio configuration in the Advanced WLAN pages also allow you to configure IntelliFi RF Management (IRM) parameters, which are described in and voice parameters, which are described in Example Configuration The following example includes: •...
Page 114 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 5-7 3. Configure the Guest SSID for location 4.2.6 Add the location 4.2.6. Once the location is added, the location page is opened up with the inherited SSID. Click Add to add a new SSID Guest.
Page 115: Intellifi Rf Management
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual IntelliFi RF Management IntelliFi RF Management (IRM) is an RF management technology for a stable, self-healing RF design. IRM takes the distributed algorithm approach, allowing APs to determine their transmit power and channel settings based on what they detect. The APs make their channel and power setting decisions based on the RF environment as they hear it, independent of the WFS709TP.
Page 116: Configuring Irm
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • The AP response time to noise is quick and reliable, even to non-802.11 noise, especially when client traffic starts generating errors due to the noise. • Non-802.11 noise detection is disabled by default and must be explicitly enabled.
Page 117 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 2. Set IRM Assignment to Single Band from the pull-down menu. Note: The Multi Band option is currently unavailable. Selecting Multi Band automatically sets the selection to Single Band 3. Select IRM Scanning to enable scanning on the AP.
Page 118 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 5-22 Configuring WLANS v1.0, June 2007...
Page 119: Configuring Aaa Servers
You can use an external authentication server or an internal user database to authenticate users who need to access the wireless network. This chapter describes how to configure theWFS709TP ProSafe Smart Wireless Switch to interface with an external Remote Authentication Dial-In User Service (RADIUS) server, and how to add entries into the internal database.
Page 120 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 6-1. RADIUS Server Configuration Information Parameter Num Retries Timeout NAS Source IP Address NAS Identifier Match ESSID Match FQDN Trim FQDN Mode 2. Navigate to the Configuration > Advanced > Security > AAA Servers > RADIUS Servers page.
Page 121: Adding Users To The Internal Database
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 4. Set the Mode to Enable to activate the authentication server. Note: When you configure a server, you can set the VLAN for users based on attributes returned for the user during authentication. These values take precedence over the default VLAN configured for the user.
Page 122: Configuring Authentication Timers
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 2. Navigate to the Configuration > Advanced > Security > AAA Servers > Internal Database page. 3. Click Add User in the Users section. The user configuration page displays. 4. Enter the information for the user.
Page 123 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 2. Configure the timers as described above. 3. Click Apply before moving on to another page or closing the browser window. Failure to do this results in loss of configuration, and you will have to reconfigure the settings.
Page 124 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Configuring AAA Servers v1.0, June 2007...
Page 125: Configuring 802.1X Authentication
• The authenticator is the gatekeeper to the network and permits or denies access to the supplicants. The WFS709TP ProSafe Smart Wireless Switch acts as the authenticator, relaying information between the authentication server and supplicant. The EAP type must be consistent between the authentication server and supplicant and is transparent to the WFS709TP.
Page 126: Authentication With A Radius Server
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual You can terminate the 802.1x authentication on the WFS709TP. The switch passes user authentication to its internal database or to a “backend” non-802.1x server. This feature, also called AAA FastConnect, is useful for deployments where an 802.1x EAP-compliant RADIUS server is not available or required for authentication.
Page 127: Authentication Terminated On Wfs709Tp
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual For the WFS709TP to communicate with the authentication server, you must configure the IP address, authentication port, and accounting port of the server on the WFS709TP. The authentication server must be configured with the IP address of the RADIUS client, which here is the WFS709TP.
Page 128 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual In this scenario, the supplicant must be configured for Protected EAP (PEAP), as the WFS709TP only supports PEAP. PEAP uses Transport Layer Security (TLS) to create an encrypted tunnel. Within the tunnel, one of the following EAP methods is used: •...
Page 129: 802.1X Authentication Page
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 4. Configure the WLAN, specifying the authentication and encryption that matches the wireless client configuration. 802.1x Authentication Page In the browser interface, you configure 802.1x authentication in the Configuration > Advanced >...
Page 130: Advanced Configuration Options For 802.1X
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 7-1. 802.1x Authentication Browser Interface Page Options (continued) Parameter Description Enable Opportunistic Key Enables the same pairwise master key (PMK) derived with a Caching (WPA2) client and an associated AP to be used when the client roams to a new AP.
Page 131 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 7-4 Table 7-2 describes the Advanced Configuration page fields. Table 7-2. Advanced Authentication Fields Field Description Authentication Server Time in seconds after which the authentication server is timed Timeout if it fails to respond.
Page 132 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 7-2. Advanced Authentication Fields (continued) Field Description Multicast Key Rotation The time period between each multicast key rotation. Time Interval Enable Unicast Key Enables the rotation of unicast keys. Rotation (Many wireless clients do not support this function.) Unicast Key Rotation The time period between each unicast key rotation.
Page 133: Configuring The Captive Portal
One of the methods of authentication supported by the WFS709TP ProSafe Smart Wireless Switch is Captive Portal. A Captive Portal presents a web page that requires action on the part of the wireless user before network access is granted. The required action can be simply viewing and agreeing to an acceptable use policy, or entering a user ID and password that must be validated against a database of authorized users.
Page 134: Configuring Captive Portal
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual If an appropriate server certificate is not installed in the WFS709TP, wireless clients that use Captive Portal may see a Security Alert message when logging in Figure 8-1 To prevent this message from appearing on clients, install a valid server certificate as described in “Installing a Server Certificate”...
Page 135: Configuring Advanced Captive Portal Options
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual The easiest way to complete these tasks is by using the browser interface Basic WLAN configuration page. Navigating to the Configuration > Basic > WLAN page allows you to configure an ESSID for either Registration Web Page or Captive Portal users.
Page 136 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 8-2 Table 8-1 describes the configuration options on this page. Captive Portal Authentication Browser Interface Page Options Table 8-1. Parameter Description Authentication Enabled Enables Captive Portal authentication. Enable Guest Logon Enables Captive Portal logon without authentication.
Page 137: Configuring The Aaa Server For Captive Portal
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 8-1. Captive Portal Authentication Browser Interface Page Options Parameter Description Login Page Location The page that appears for the user logon. This can be set to any URL. Logon Wait Interval Time range, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high.
Page 138: Personalizing The Captive Portal Page
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 1. Navigate to the Configuration > Advanced > Security > Authentication Methods > Captive Portal page. 2. For Protocol Type, select http and click Apply. Personalizing the Captive Portal Page You can personalize the following elements on the Captive Portal page: •...
Page 139 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 3. (Optional) Customize the captive portal background text. a. Set the background color in the Custom page background color field. The color code must a hexadecimal value in the format #hhhhhh. b. Click Submit on the bottom on the page.
Page 140 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 8-5 The text you entered appears in a text box when the user clicks the Acceptable Use Policy on the Captive Portal web page. Configuring the Captive Portal v1.0, June 2007...
Page 141: Configuring Mac-Based Authentication
Configuring MAC-Based Authentication This chapter describes how to configure media access control (MAC) based authentication on the WFS709TP ProSafe Smart Wireless Switch using the browser interface. Use MAC-based authentication to authenticate devices based on their physical MAC address. While not the most secure and scalable method, MAC-based authentication implicitly provides an additional layer of security to authentication devices.
Page 142: Configuring Users
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 9-1 2. Check the Authentication Enabled checkbox to enable authentication. 3. Configure the authentication servers. This is the authentication server to which the WFS709TP will send authentication requests. a. To add an authentication server, click Add under Choose an Authentication Server.
Page 143 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 9-2 3. Enter the user information. a. In the User Name field, enter the MAC address of the device to be used, (this is the MAC- address of the physical interface that will be used to access the network). By default, the entry should be in the format xxxxxx.
Page 144 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Configuring MAC-Based Authentication v1.0, June 2007...
Page 145: Chapter 10. Adding Local Wfs709Tps
Wireless Switch to a master WFS709TP configuration. Typically, this is the first expansion of a network with just one WFS709TP (which is a by definition a master switch). This chapter is a basic discussion of creating master-local WFS709TP configurations. More complicated multi-...
Page 146: Configuring Local Wfs709Tps
WFS709TP and the VRRP redundant backup WFS709TP. This chapter covers migration to both of those scenarios. The steps involved in migrating from a single-switch to a multi-switch WFS709TPenvironment are: 1. Configure the role of the local WFS709TP to local and specify the IP address of the master.
Page 147: Configuring Trusted Ports
WFS709TPs to synchronize configurations. Configuring Trusted Ports • On the local WFS709TP, navigate to the Configuration > Advanced > Switch > General > Port page and make sure that the port connecting to the master WFS709TP is trusted. •...
Page 148: Rebooting Aps
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure 10-3 3. Apply the configuration on the master. Note: To verify that the local WFS709TP has obtained a copy of the global settings, check the local WFS709TP for the global configuration changes made on the master, such as authentication changes and WMS settings.
Page 149: Chapter 11. Configuring Redundancy
“Virtual Router Redundancy Protocol” on page 11-1 • “Redundancy Configuration” on page 11-1 Virtual Router Redundancy Protocol The underlying mechanism for NETGEAR’s redundancy solutions is the Virtual Router Redundancy Protocol (VRRP). This mechanism can be used to create various redundancy solutions, including the following: •...
Page 150: Configuring Local Wfs709Tp Redundancy
Virtual IP address to be used for the VRRP instance 2. Navigate to the Configuration > Advanced> Switch > General > VRRP page on the browser interface for each of the local WFS709TPs. Click Add to create a VRRP instance.
Page 151 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 11-1. VRRP Parameters for Local WFS709TP Redundancy Parameter Virtual Router ID Recommended to Advertisement Interval Authentication Password Description IP Address Enable Router Pre-emption Priority Tracking Configuring Redundancy Explanation The Virtual Router ID that uniquely identifies this VRRP instance.
Page 152: Master Wfs709Tp Redundancy
Virtual IP address that has been reserved to be used for the VRRP instance 2. Navigate to the Configuration > Advanced> Switch > General > VRRP page on the browser interface for each of the master WFS709TPs. Click Add to create a VRRP instance.
Page 153: Master-Local Wfs709Tp Redundancy
The WFS709TP requires a reboot after you change the master IP of the WFS709TP. If Domain Name Service (DNS) resolution is the chosen mechanism for the APs to discover their master WFS709TP, ensure that the name “netgear-master” resolves to the same VIP address configured as a part of the master redundancy.
Page 154 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual any one of the local WFS709TPs becomes unavailable, the master takes over the APs controlled by that local WFS709TP for the time that the local WFS709TP remains unavailable. When the local WFS709TP comes back again, it resumes control over the APs.
Page 155 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Virtual IP addresses that have been reserved to be used for the VRRP instances 3. Navigate to the Configuration > Advanced> Switch > General > VRRP page. 4. Enter the parameters shown in recommended: •...
Page 156 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 11-8 Configuring Redundancy v1.0, June 2007...
Page 157: Configuring Wireless Intrusion Protection
The most important intrusion protection functionality offered in the WFS709TP ProSafe Smart Wireless Switch system is the ability to classify an access point as either a rogue AP or an interfering AP. An AP is considered to be a rogue AP if it is both unauthorized and plugged into the wired side of the network.
Page 158: Enabling Ap Learning
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Enabling AP Learning AP learning allows the system to classify all newly discovered APs as valid APs. By default, AP learning is not enabled and all newly discovered APs are classified as interfering APs. You can enable or disable AP learning from the browser interface.
Page 159 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Valid AP. An AP that is part of the enterprise providing WLAN service. APs that successfully connect to the WFS709TP and load software and configuration should be classified as valid APs.
Page 160: Configuring Rogue Ap Detection
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Configuring Rogue AP Detection Follow the steps below to configure the network to detect insecure APs and to classify them as rogue and interfering respectively as defined in the section above. Navigate to the Configuration > Advanced > Security > Rogue AP page on the browser interface...
Page 161: Misconfigured Ap Detection
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Note: Use caution when enabling both “Mark Unknown APs as Rogue” and “Disable Users from Connecting to Rogue APs.” If the system is installed in an area where APs from neighboring locations can be detected, these two options will disable all APs in the area.
Page 162 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 12-6 Configuring Wireless Intrusion Protection v1.0, June 2007...
Page 163: Configuring Management Utilities
WFS709TP To configure management users from the browser interface: 1. Navigate to the Configuration > Advanced > Switch > Management > Access Control page. 2. Under Management Users, click Add. 3. Enter the name and password for the user.
Page 164: Configuring Snmp
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Configuring SNMP WFS709TP switches and access points (APs) support versions 1, 2c, and 3 of SNMP for reporting purposes only. SNMP cannot be used for setting values in a WFS709TP system in the current version.
Page 165 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 13-1. Basic WFS709TP SNMP Parameters (continued) Field Description Read Community Community strings used to Strings authenticate requests for SNMP versions before version 3. Enable Trap Enables generation of SNMP traps to Generation configured SNMP trap receivers.
Page 166: Snmp For Access Points
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 13-2. SNMPv3 User Details (continued) Field Description Privacy protocol An indication of whether messages sent on behalf of this user can be protected from disclosure, and if so, the type of privacy protocol being used.
Page 167 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 1. Navigate to the Configuration > Advanced > WLAN > Network > General page of the master WFS709TP (Figure 13-2). This page includes fields for configuring the SNMP parameters on all access points in the network.
Page 168 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 13-3. Basic Access Point SNMP Parameters (continued) Field Description Enable SNMP Traps Enables generation of SNMP traps from all Access Points. Refer to Traps” on page 13-9 of traps that may be generated by access points in the network.
Page 169 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 13-4. SNMPv3 Access Point User Details (continued) Field Description Privacy protocol An indication of whether messages sent on behalf of this user can be protected from disclosure, and if so, the type of privacy protocol that is used.
Page 170 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 3. Navigate to Configuration > Advanced > WLAN > Network > SSID to configure the SSID for the added APs (Figure 13-4). Figure 13-4 4. Click the General tab to configure the SNMP parameters for the set of APs Figure 13-5 5.
Page 171: Snmp Traps
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual SNMP Traps WFS709TP Traps Table 13-5 lists the key traps generated by the WFS709TP. Table 13-5. WFS709TP SNMP Traps Trap Description WFS709TP IP changed The WFS709TP IP has been changed. The WFS709TP IP is either the loopback IP address or the IP address of the VLAN 1 interface (if no loopback IP address is configured).
Page 172 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 13-5. WFS709TP SNMP Traps (continued) Trap Description Authentication ACL table The maximum number of ACL entries in the ACL table has full been exceeded. The limit is 2048 entries on a WFS709TP.
Page 173 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 13-6. Access Point SNMP Traps (continued) Trap Description OUI misconfiguration This trap indicates an error in the Organizationally Unique Identifier (OUI) configuration of an AP. The AP generates the trap and includes its BSSID, the configured SSID, and the location of the AP in the trap.
Page 174: Configuring Logging
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Table 13-6. Access Point SNMP Traps (continued) Trap Description Frame Bandwidth rate This trap refers to the event of the bandwidth rate for a station exceeded exceeding a configured threshold (High Watermark).
Page 175 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 1. Navigate to the Configuration > Advanced > Switch > Management > Logging page on the browser interface (Figure Figure 13-6 2. To add a logging server, click Add in the Logging Server section.
Page 176: Creating Guest Accounts
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual In the example shown in server module is being modified to debugging. Figure 13-7 5. Click Done to make the modification. 6. Click Apply to apply the configuration. Creating Guest Accounts You can create a special administrative login that allows a user, such as a front desk receptionist, to create guest accounts on a browser interface page.
Page 177 Figure 13-8 6. Click Apply. When a user logs into the browser interface on the WFS709TP (in a multi-switch system, this must be the master WFS709TP) using the login and password you just created: 1. A special browser interface page is displayed that allows them to create guest accounts in the WFS709TP’s internal database...
Page 178: Managing Files On The Wfs709Tp
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 3. The user can then define a user name and password for the guest account and configure the expiration for the account. Clicking Apply adds the guest account to the database (Figure 13-11).
Page 179: Managing Image Files
4. Select the system partition to which the image file is copied. 5. Specify the boot partition, whether the switch is to be rebooted after the image file is transferred, and whether the current configuration is saved before the switch is rebooted.
Page 180: Copying Log Files
2. Navigate to the Maintenance > File > Restore Flash page. 3. Click Restore to restore the flashbackup.tar.gz file to the flash file system. 4. Navigate to the Maintenance > Switch > Reboot Switch page. 5. Click Continue to reboot the WFS709TP.
Page 181: Installing A Server Certificate
Functions” on page 8-1). There is a default server certificate installed in the WFS709TP, however this certificate does not guarantee security for production networks. NETGEAR strongly recommends that you replace the default server certificate in the WFS709TP with a custom certificate issued for your site or domain by a trusted certificate authority (CA).
Page 182 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 13-20 Configuring Management Utilities v1.0, June 2007...
Page 183: Configuring Wfs709Tp For Voice
Voice over IP Proxy ARP You can enable proxy address resolution protocol (ARP) on the WFS709TP for voice over IP (VoIP) clients. When the WFS709TP receives an ARP broadcast for a VoIP client, the switch constructs an ARP response containing the client’s MAC address.
Page 184: Battery Boost
DTIM is increased but multicast traffic is buffered and delivered as unicast. Increasing the LI can further increase battery life, but can also decrease client responsiveness. NETGEAR recommends a DTIM setting of 10 or less for NEC FOMA N900iL clients, and 30 or less for BlackBerry 7270 clients.
Page 185: Limiting The Number Of Active Voice Calls
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Limiting the Number of Active Voice Calls You can limit the number of active voice calls allowed on a radio. This feature is disabled by default. When the disconnect extra call feature is enabled, the system monitors the number of active voice calls, and if the defined threshold is reached, any new calls are disconnected.
Page 186: Wpa Fast Handover
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual WPA Fast Handover In 802.1x authentication, the WPA fast handover feature allows certain WPA clients to use a pre- authorized Pairwise Master Key (PMK), significantly reducing handover interruption. Check with the manufacturer of your handset to see if this feature is supported. This feature is disabled by default.
Page 187: Configuring Dhcp With Vendor-Specific Options
Smart Wireless Switch’s IP address through the Vendor-Specific Option Code (option 43) in the DHCP reply. In the WFS709TP system, this information can allow a NETGEAR access point to automatically discover the IP address of a master WFS709TP for its configuration and management.
Page 188: Windows-Based Dhcp Servers
Description: Netgear AP vendor class identifier 5. Click OK to save this information. 6. In the Predefined Options and Values dialog box, make sure 060 Netgear Access Point is selected from the Option Name drop-down list. 7. In the Value field, enter the following information: String: Netgear Access Point 8.
Page 189 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Configuring Option 43 Option 43 returns the IP address of the master WFS709TP to a DHCP client. This information allows the APs to auto-discover the master WFS709TP and obtain their configuration. To configure option 43 on the Windows DHCP server: 1.
Page 190: Linux Dhcp Servers
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Option 43 is configured for this DHCP scope. Note that even though you entered the IP address in ASCII text, it displays in binary form Figure A-2 Linux DHCP Servers The following code is an example configuration for the Linux dhcpd.conf file.
Page 191 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual subnet 10.200.10.0 netmask 255.255.255.0 { default-lease-time 200; max-lease-time 200; option subnet-mask 255.255.255.0; option routers 10.200.10.1; option domain-name-servers 10.4.0.12; option domain-name "vlan10.aa.netgear.com"; subclass "vendor-class" "NetgearAP" { option vendor-class-identifier "NetgearAP"; option serverip 10.200.10.10; range 10.200.10.200 10.200.10.252;...
Page 192 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Configuring DHCP with Vendor-Specific Options v1.0, June 2007...
Page 193: Windows Client Example Configuration For 802.1X
Windows Client Example Configuration for 802.1x This appendix provides an example configuration for a wireless client (the 802.1x supplicant) in a Windows environment. Note: For detailed information about configuring computers in a Windows environment for PEAP-MS-CHAPv2 and EAP-TLS authentication, see the Microsoft document “Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab,”...
Page 194 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual This screen displays the available wireless networks and the list of preferred networks (Figure B-1). Windows connects to the preferred networks in the order in which they appear. Figure B-1 4. Click the Advanced button to display the Networks to access window Figure B-2 This window determines what types of wireless networks the client can access.
Page 195 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 5. Make sure that the option Computer-to-computer (ad hoc) networks only is not selected, then click Close. 6. In the Wireless Networks tab, click Add to add a wireless network. 7. Click the Association tab to enter the network properties for the ESSID.
Page 196 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure B-3 shows the configuration for the ESSID WLAN-01 that uses dynamic WEP. Figure B-3 8. Click the Authentication tab to enter the 802.1x authentication parameters for the ESSID. This tab configures the EAP type used between the wireless client and the authentication server.
Page 197 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure B-4 10. Under EAP type, select Properties to display the Protected EAP Properties window. Configure the client PEAP properties, as shown in • Select Validate server certificate. This instructs the client to check the validity of the server certificate from an expiration, identity, and trust perspective.
Page 198 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual • Select Enable Fast Reconnect to speed up authentication in some cases. Figure B-5 11. Under Select Authentication Method, click Configure to display the EAP-MSCHAPv2 Properties window. Select the option Automatically use my Windows logon name and password, and domain if any This option specifies that the user’s Windows logon information is used for authentication to...
Page 199 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Figure B-6 Windows Client Example Configuration for 802.1x v1.0, June 2007...
Page 200 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Windows Client Example Configuration for 802.1x v1.0, June 2007...
Page 201: Creating A New Internal Web Page
Note: This is dependent on the setting of the WFS709TP ProSafe Smart Wireless Switch and is supported only by Windows global catalog server software. The form can use either the “get” or the “post” methods, but the “post” method is recommended.
Page 202 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual <FORM method="post" ACTION="/auth/index.html/u"> </FORM> A recommended option for the <FORM> element is: autocomplete="off" This tells Internet Explorer not to cache form inputs. The form variables can be input using any form control method available such as INPUT, SELECT, TEXTAREA and BUTTON.
Page 203: Basic Html Example
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Recommended Options: None. You must also include an input button: <INPUT type="submit"> Basic HTML Example <HTML> <HEAD> </HEAD> <BODY> <FORM method="post" autocomplete="off" ACTION="/auth/index.html/u"> Username:<BR> <INPUT type="text" name="user" accesskey="u" SIZE="25" VALUE=""> <BR> Password:<BR>...
Page 204: Installing A New Captive Portal Page
Captive Portal Login (top level): This type uploads the file into the WFS709TP ProSafe Smart Wireless Switch and instantly sets the captive portal page to reference the file that you are uploading. Use with caution on a production switch, as this takes effect immediately.
Page 205 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual function createCookie(name,value,days) if (days) else var expires = ""; document.cookie = name+"="+value+expires+"; path=/"; var q = window.location.search; var errmsg = null; if (q && q.length > 1) { q = q.substring(1).split(/[=&]/); for (var i = 0; i < q.length - 1; i += 2) { if (q[i] == "errmsg") {...
Page 206: Language Customization
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual if (errmsg && errmsg.length > 0) { errmsg = "<div id='errorbox'>\n" + errmsg + "\n</div>\n"; document.write(errmsg); </script> Language Customization The ability to customize the internal captive portal provides you with a very flexible interface to the captive portal system.
Page 207 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual 4. Once you have a page you find acceptable, click on View Captive Portal one more time to display your login page. From your browser, choose View->Source or its equivalent. Your system will display the HTML source for the captive portal page. Save this source as a file on your local system.
Page 208 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual <link href="default1/styles.css" rel="stylesheet" media="screen" type="text/css" /> <script language="javascript" type="text/javascript"> function showPolicy() { win = window.open("/auth/acceptableusepolicy.html", "policy", "height=550,width=550,scrollbars=1"); </script> </head> b. Fix the references: If you have used the built-in preferences, you will need to update the reference for the logo image and the CSS style sheet.
Page 209 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual To localize the authentication failure message, replace the following text (it is just a few lines below the <body> <div id="errorbox" style="display: none;"> </div> with the script below. You will need to translate the Authentication Failed error message into your local language and add it into the script below where it states <script>...
Page 210 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual errmsg = "<div id='errorbox'>\n" + localised_msg + "\n</div>\n"; document.write(errmsg); </script> d. Translate the web page text. Once you have made the changes as above, you only need to translate the rest of the text that appears on the page. The exact text that appears will depend on the WFS709TP settings when you originally viewed the captive portal.
Page 211 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual If you require this to be a page on the WFS709TP, you must create you own web page using the charset meta attribute, and upload this page as “content” to the designated WFS709TP.
Page 212: Customizing The Welcome Page
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual Customizing the Welcome Page Once a user has authenticated to the WFS709TP, they are presented with the welcome page. The default welcome page will depend slightly on your configuration, but will look similar to Figure C-2.
Page 213 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual var nameEQ = name + "="; var ca = document.cookie.split(';'); for(var i=0;i < ca.length;i++) c.substring(1,c.length); c.substring(nameEQ.length,c.length); return null; var cookieval = readCookie('url'); if (cookieval.length>0) document.write("<meta http- equiv=\"refresh\" content=\"2;url=http://"+cookieval+"\""+">"); </script> </head> <body bgcolor=white text=000000>...
Page 214: Customizing The Pop-Up Box
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual <INPUT type="submit" name="logout" value="Logout"> </FORM> </font> </body> </html> If you customize the welcome page, then you must also customize the pop-up, box if you want to have one. Customizing the Pop-Up Box Before you can customize the pop-up box, you must customize your welcome page.
Page 215: Customizing The Logged Out Box
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual <script language="JavaScript"> var url="/upload/popup.html"; var w=210; var h=80; var x=window.screen.width - w - 20; var y=window.screen.height - h - 60; window.open(url, 'logout', "toolbar=no,location=no,width="+w+",height="+h+",top="+y+",left="+x+",sc reenX="+x+",screenY="+y); </script> These are some common elements to change: •...
Page 216 WFS709TP ProSafe Smart Wireless Switch Software Administration Manual <html> <body bgcolor=white text=000000> <iframe src='/auth/logout.html' width=0 height=0 frameborder=0><img src=/auth/logout.html width=0 height=0></iframe> <P><font face="Verdana, Arial, Helvetica, sans-serif" size=+1> You have now logged out.</font></P> <form> <input type="button" onclick="window.close()" name="close" value="Close Window"></form> </body> </html>...
Page 217: Appendix D Related Documents
This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product. Document Internet Networking and TCP/IP Addressing Wireless Communications Preparing a Computer for Network Access Glossary Related Documents...
Page 218 WFS709TP ProSafe Smart Wireless Switch Hardware Installation Guide Related Documents v1.0, May 2007...
Page 219 Numbers 802.1x authentication advanced options basic options configuring on WFS709TP Windows client example AAA FastConnect access points compatibility with WFS709TP configuring for a local switch configuring for WLAN 5-12 connecting to WFS709TP deploying 2-14 editing in RF Plan 4-15 installing...
Page 220 NETGEAR FrameMaker Templates for the Reference Print Manual DTIM (Delivery Traffic Indication Message) 14-1 14-2 EAP (Extensible Authentication Protocol) encryption and authentication 1-10 types of 1-10 GRE (Generic Routing Encapsulation) and SSID settings 5-11 between AP and switch loopback address and...
Page 221 11-4 overview of 11-1 WEP (Wired Equivalent Protocol) 1-10 Index NETGEAR FrameMaker Templates for the Reference Print Manual NETGEAR FrameMaker Templates for the Reference Print Manual wireless intrusion protection classifying access points configuring risconfigured AP detection configuring rogue AP detection...
Page 222 NETGEAR FrameMaker Templates for the Reference Print Manual NETGEAR FrameMaker Templates for the Reference Print Manual Index-4 Index v1.0, June 2006...

NETGEAR ProSafe WFS709TP Software Administration Manual

About this Manual

Chapter 1

Overview of the WFS709TP

Chapter 2

Deploying a Basic WFS709TP System

Chapter 3

Configuring Network Parameters

Chapter 4. RF Plan

Chapter 5. Configuring WLANS

Chapter 6

Configuring AAA Servers

Chapter 7

Configuring 802.1X Authentication

Chapter 8

Configuring the Captive Portal

Chapter 9

Configuring MAC-Based Authentication

Chapter 10. Adding Local Wfs709Tps

Chapter 11. Configuring Redundancy

Chapter 12

Configuring Wireless Intrusion Protection

Chapter 13

Configuring Management Utilities

Chapter 14

Configuring WFS709TP for Voice

Appendix A. Configuring DHCP with Vendor-Specific Options

Appendix B. Windows Client Example Configuration for 802.1X

Appendix C. Creating a New Internal Web Page

Appendix D Related Documents

Quick Links

Related Manuals for NETGEAR ProSafe WFS709TP

Summary of Contents for NETGEAR ProSafe WFS709TP