Motorola Solutions
WiNG 5
Access Point
System Reference Guide

Summary of Contents for Motorola WiNG 5

  • Page 1 Motorola Solutions WiNG 5 Access Point System Reference Guide...
  • Page 3: Table Of Contents

    TABLE OF CONTENTS
    Chapter 1 Overview
    1.1 About the Motorola Solutions WiNG 5 Access Point Software (page 1-3)
    Chapter 2 Web UI Features
    2.1 Accessing the Web UI (page 2-2)
    2.1.1 Browser and System Requirements (page 2-2)
    2.1.2 Connecting to the Web UI (page 2-2)
    2.2 Icon Glossary ...
  • Page 4

    Chapter 5 Device Configuration
    5.1 RF Domain Configuration (page 5-2)
    5.2 RF Domain Sensor Configuration (page 5-5)
    5.3 System Profile Configuration (page 5-7)
    5.3.1 General Profile Configuration (page 5-7)
    5.3.2 Profile Radio Power (page 5-9)
    5.3.3 Profile Adoption (Auto Provisioning) Configuration ...
  • Page 5

    5.6.1 Certificate Management (page 5-164)
    5.6.2 RSA Key Management (page 5-172)
    5.6.3 Certificate Creation (page 5-176)
    5.6.4 Generating a Certificate Signing Request (page 5-178)
    5.7 RF Domain Overrides (page 5-181)
    5.8 Profile Overrides (page 5-184)
    5.9 Radio Power Overrides (page 5-187)
    5.10 Adoption Overrides ...
  • Page 6

    6.1.4 Configuring Client Settings (page 6-33)
    6.1.5 Configuring WLAN Accounting Settings (page 6-35)
    6.1.5.1 Accounting Deployment Considerations (page 6-38)
    6.1.6 Configuring Client Load Balancing (page 6-39)
    6.1.7 Configuring Advanced WLAN Settings (page 6-40)
    6.2 Configuring WLAN QoS Policies ...
  • Page 7

    Chapter 10 Management Access
    10.1 Creating Administrators and Roles (page 10-2)
    10.2 Setting the Access Control Configuration (page 10-5)
    10.3 Setting the Authentication Configuration (page 10-9)
    10.4 Setting the SNMP Configuration (page 10-11)
    10.5 SNMP Trap Configuration (page 10-14)
    10.6 Management Access Deployment Considerations ...
  • Page 8

    13.2.7.2 RF Statistics (page 13-25)
    13.2.7.3 Traffic Statistics (page 13-27)
    13.2.8 Mesh (page 13-28)
    13.2.9 SMART RF (page 13-29)
    13.2.10 WIPS (page 13-32)
    13.2.10.1 WIPS Client Blacklist (page 13-33)
    13.2.10.2 WIPS Events (page 13-34)
    13.2.11 Captive Portal ...
  • Page 9

    13.3.18.2 DHCP Networks (page 13-109)
    13.3.19 Firewall (page 13-109)
    13.3.19.1 Packet Flows (page 13-110)
    13.3.19.2 Denial of Service (page 13-111)
    13.3.19.3 IP Firewall Rules (page 13-113)
    13.3.19.4 MAC Firewall Rules (page 13-115)
    13.3.19.5 NAT Translations (page 13-117)
    13.3.19.6 DHCP Snooping ...
  • Page 10 WiNG 5 Access Point System Reference Guide...
  • Page 11: About This Guide

    • Motorola Solutions WING 5 Access Point System Reference Guide (this guide) - Describes the configuration of either a Standalone AP or Virtual Controller AP using the access point’s initial setup wizard and resident WING 5 access point specific software.
  • Page 12: Notational Conventions

    WiNG 5 Access Point System Reference Guide CAUTION: Indicates conditions that can cause equipment damage or data loss. WARNING! Indicates a condition or procedure that could result in personal injury or equipment damage. Notational Conventions The following additional notational conventions are used in this document: •...
  • Page 13: Chapter 1 Overview

    By distributing intelligence and control amongst access points, a WiNG 5 network can route directly via the best path, as determined by factors including the user, location, the application and available wireless and wired resources. WiNG 5 extends the differentiation Motorola Solutions access points offer to the next level, by making available services and security at every point in the network.
  • Page 14 AP-7131, AP-6532, AP-7161, AP-6511 and AP-6521 model access. It does not describe the version of the WING 5 software designed for use with the RFS4000, RFS6000, RFS7000 and NX9000. For information on using WING 5 in a controller managed network, go to http://supportcentral.motorola.com/support/product/manuals.do.
  • Page 15: About The Motorola Solutions Wing 5 Access Point Software

    Within a WiNG 5 network, up to 80% of the network traffic can remain on the wireless mesh, and never touch the wired network, so the 802.11n load impact on the wired network is negligible. In addition, latency and associated costs are reduced while reliability and scalability are increased.
  • Page 16 1 - 4 WiNG 5 Access Point System Reference Guide...
  • Page 17: Chapter 2 Web Ui Features

    CHAPTER 2 WEB UI FEATURES The access point’s resident user interface contains a set of features specifically designed to enable either Virtual Controller AP, Standalone AP or Adopt to Controller functionality. In Virtual Controller AP mode, an access point can manage up to 24 other access points of the same model and share data amongst managed access points.
  • Page 18: Accessing The Web Ui

    2 - 2 WiNG 5 Access Point System Reference Guide 2.1 Accessing the Web UI The access point uses a Graphical User Interface (GUI) which can be accessed using any supported Web browser on a client connected to the subnet the Web UI is configured on.
  • Page 19 Figure 2-1 Access Point Web UI Login Screen 5. Enter the default username admin in the Username field. 6. Enter the default password motorola in the Password field. 7. Select the Login button to load the management interface. If this is the first time the management interface has been accessed, the first screen to display will prompt for a change of the default access point password.
  • Page 20: Icon Glossary

    2 - 4 WiNG 5 Access Point System Reference Guide 2.2 Icon Glossary The access point interface utilizes a number of icons designed to interact with the system, gather information from managed devices and obtain status. This chapter is a compendium of the icons used, and is organized as follows: •...
  • Page 21: Dialog Box Icons

    Web UI Features 2 - 5 Create new policy – Select this icon to create a new policy. Policies define different configuration parameters that can be applied to device configurations, and device profiles. Edit policy – Select this icon to edit an existing policy. To edit a policy, click on the policy and select this button.
  • Page 22: Status Icons

    2 - 6 WiNG 5 Access Point System Reference Guide 2.2.4 Status Icons  Icon Glossary These icons define device status, operations on the wireless controller, or any other action that requires a status being returned to the user. Fatal Error – States there is an error causing a managed device to stop functioning.
  • Page 23 Web UI Features 2 - 7 AAA Policy – Indicates an Authentication, Authorization and Accounting (AAA) policy has been impacted. AAA policies define RADIUS authentication and accounting parameters. Association ACL – Indicates an Association Access Control List (ACL) configuration has been impacted. An ACL is a set of configuration parameters used to set access to managed resources.
  • Page 24: Configuration Objects

    2 - 8 WiNG 5 Access Point System Reference Guide Device Categorization – Indicates a device categorization policy is being applied. This is used by the intrusion prevention system to categorize APs or wireless clients as either neighbors or sanctioned devices. This enables these devices to bypass the intrusion prevention system.
  • Page 25: Configuration Operation Icons

    Web UI Features 2 - 9 Panic Snapshots – Indicates a panic snapshot has been generated. A panic snapshot is a file that records the status of all the processes and memory when a failure occurs. UI Debugging – Select this icon/link to view current NETCONF messages. View UI Logs –...
  • Page 26: Administrative Role Icons

    2 - 10 WiNG 5 Access Point System Reference Guide SSH – Indicates a SSH access permission. A user with this permission is permitted to access an access point device using SSH. Console – Indicates a console access permission. A user with this permission is permitted to access using the access point’s serial console.
  • Page 27: Device Icons

    Web UI Features 2 - 11 2.2.10 Device Icons  Icon Glossary The following icons indicate the different device types managed by the system: System – This icon indicates system-wide impact. Cluster – This icon indicates a cluster. A cluster is a set of access points that work collectively to provide redundancy and load sharing.
  • Page 28 2 - 12 WiNG 5 Access Point System Reference Guide...
  • Page 29: Chapter 3 Quick Start

    CHAPTER 3 QUICK START Access points can utilize an initial setup wizard to streamline the process of initially accessing the wireless network. The wizard defines the access point’s operational mode, deployment location, basic security, network and WLAN settings. For instructions on how to use the initial setup wizard, see Using the Initial Setup Wizard on page 3-2.
  • Page 30: Using The Initial Setup Wizard

    3 - 2 WiNG 5 Access Point System Reference Guide 3.1 Using the Initial Setup Wizard Once the access point is installed and powered on, complete the following steps to get the access point up and running and access management functions: 1.
  • Page 31 Quick Start 3 - 3 If this is the first time the access points’ management interface has been accessed, an introductory screen displays that outlines the parameters that can be configured sequentially using the setup wizard. Figure 3-2 Initial Setup Wizard NOTE: The Initial Setup Wizard displays the same pages and content for each access point model supported.
  • Page 32 3 - 4 WiNG 5 Access Point System Reference Guide Figure 3-3 Initial Setup Wizard - Navigation Panel The first page of the Initial AP Setup Wizard displays the Navigation Panel and Introduction for the configuration activities comprising the access point's initial setup.
  • Page 33 Quick Start 3 - 5 Figure 3-4 Initial Setup Wizard - Introduction 5. Select Save/Commit within each page to save the updates made to that page's configuration. Select Next to proceed to the next page listed in the Navigation Panel. Select Back to revert to the previous screen in the Navigation Panel without saving your updates.
  • Page 34 AP isn't managed by a Virtual Controller AP, or adopted by a RFS series controller. NOTE: If designating the access point as a Standalone AP, Motorola Solutions recommends the access point’s UI be used exclusively to define its device configuration, and not the CLI.
  • Page 35 Quick Start 3 - 7 • Adopted to Controller - Select this option when deploying the access point as a controller managed (Dependent mode) access point. Selecting this option closes the Initial AP Setup Wizard. An adopted access point obtains its configuration from a profile stored on its managing controller.
  • Page 36 3 - 8 WiNG 5 Access Point System Reference Guide Figure 3-7 Initial AP Setup Wizard - Access Point Mode 9. Select an Access Point Mode from the available options. • Router Mode - In Router Mode, the access point routes traffic between the local network (LAN) and the Internet or external network (WAN).
  • Page 37 Quick Start 3 - 9 Figure 3-8 Initial AP Setup Wizard - LAN Configuration 11.Set the following DHCP and Static IP Address/Subnet information for the LAN interface: • Use DHCP - Select the checkbox to enable an automatic network address configuration using the access point’s DHCP server.
  • Page 38 3 - 10 WiNG 5 Access Point System Reference Guide • DNS Forwarding - Select this option to allow a DNS server to translate domain names into IP addresses. If this option is not selected, a primary and secondary DNS resource must be specified. DNS forwarding is useful when a request for a domain name is made but the DNS server, responsible for converting the name into its corresponding IP address, cannot locate the matching IP address.
  • Page 39 Quick Start 3 - 11 13.Set the following DHCP and Static IP Address/Subnet information for the WAN interface: • Use DHCP - Select the checkbox to enable an automatic network address configuration using the access point’s DHCP server. AP-6511 and AP-6521 model access points do not have an onboard DHCP server and an external DHCP server must be utilized.
  • Page 40 Figure 3-10 Initial AP Setup Wizard - Radio Configuration 15. Set the following parameters for each radio: • Configure as a Data Radio - Select this option to dedicate this radio for WLAN client support in either the selected 2.4 or 5GHz radio band.
  • Page 41 Quick Start 3 - 13 channels are scanned, it will select the channel with the fewest access points. In the case of multiple access points on the same channel, it will select the channel with the lowest average power level. When Constantly Monitor is selected, the access point will continuously scan the network for excessive noise and sources of...
  • Page 42 Figure 3-11 Initial AP Setup Wizard - Wireless LAN Setting 17. Set the following parameters for each of the WLAN configurations available as part of this Initial AP Setup Wizard: • SSID - Enter or modify the Services Set Identification (SSID) associated with the WLAN. The WLAN name is auto-generated using the SSID until changed by the user.
  • Page 43 • PSK Authentication and WPA2 Encryption - Select the option to implement a pre-shared key that must be correctly shared between the access point and requesting clients using this WLAN. If using this option, specify a WPA key in either ASCII (8-63 characters) or HEX (64 characters) format.
  • Page 44 3 - 16 WiNG 5 Access Point System Reference Guide Figure 3-12 Initial AP Setup Wizard - RADIUS Server Configuration 19.Refer to the Username, Password, Description and Actions columns to review credentials of existing RADIUS Server user accounts. Add new accounts or edit the properties of existing accounts as updates are required.
  • Page 45 • Location - Define the location of the access point. The Location parameter acts as a reminder of where the AP can be located within the Motorola Solutions managed wireless network. • Contact - Specify the contact information for the administrator. The credentials provided should accurately reflect...
  • Page 46 3 - 18 WiNG 5 Access Point System Reference Guide • Country - Select the Country where the access point is deployed. The access point prompts for the correct country code on the first login. A warning message also displays stating an incorrect country setting may result in illegal radio operation.
  • Page 47 Quick Start 3 - 19 Figure 3-14 Initial AP Setup Wizard - Summary and Commit 29.If the configuration displays as intended, select the Save/Commit button to implement these settings to the access point’s configuration. If additional changes are warranted based on the summary, either select the target page from the Navigational Panel, or use the Back button.
  • Page 48 3 - 20 WiNG 5 Access Point System Reference Guide...
  • Page 49: Chapter 4 Dashboard

    CHAPTER 4 DASHBOARD The dashboard allows network administrators to review and troubleshoot the operation of the devices comprising the access point managed network. Use the dashboard to review the current network topology, assess the network’s component health and diagnose problematic device behavior. By default, the Dashboard screen displays the System Dashboard, which is the top level in the device hierarchy.
  • Page 50: Dashboard Conventions

    4 - 2 WiNG 5 Access Point System Reference Guide 4.1 Dashboard The Dashboard displays device information organized by device association and inter-connectivity between an access point and connected wireless clients. To review dashboard information: 1. Select Dashboard. Expand the System menu item on the upper, left-hand, side of the UI and select either an access point or connected client.
  • Page 51: Health

    Dashboard 4 - 3 4.1.1.1 Health  Dashboard Conventions Health tab displays information about the state of the access point managed network. Figure 4-2 Dashboard screen - Health tab Information in this tab is classified as: • Device Details • Radio RF Quality Index •...
  • Page 52 4 - 4 WiNG 5 Access Point System Reference Guide Figure 4-3 Device Health Device Details field displays the name assigned to the selected access point, its factory encoded MAC address, model type, RF Domain, software version, uptime, CPU and RAM information and system clock. Use this data to determine whether a software upgrade is warranted, or if the system clock needs adjustment.
  • Page 53 Dashboard 4 - 5 Periodically select Refresh (at the bottom of the screen) to update the RF quality data. 4.1.1.1.3 Radio Utilization Index  Dashboard Conventions Radio Utilization Index field displays how efficiently the RF medium is used by the access point. Traffic utilization is defined as the percentage of throughput relative to the maximum possible throughput.
  • Page 54 4 - 6 WiNG 5 Access Point System Reference Guide 4.1.1.1.4 Client RF Quality Index  Dashboard Conventions The Client RF Quality field displays a list of the worst 5 performing clients managed by the selected access point. Figure 4-6 Client RF Quality Index field...
  • Page 55: Inventory

    Dashboard 4 - 7 4.1.1.2 Inventory  Dashboard Conventions The Inventory tab displays information relative to the devices managed by the selected access point. The Inventory screen affords a system administrator an overview of the number and state of managed devices. The screen contains links to display more granular data specific to a specific radio.
  • Page 56 4 - 8 WiNG 5 Access Point System Reference Guide 4.1.1.2.5 Radio Types  Inventory Radio Types field displays the total number and types of radios managed by the selected access point. Figure 4-8 Radio Types field Refer to the Total Radios column to review the number of managed radios.
  • Page 57 Dashboard 4 - 9 4.1.1.2.7 Wireless Clients  Inventory Wireless Clients field displays information about the wireless clients managed by the selected access point. Figure 4-10 Wireless Clients field Information within the Wireless Clients field is presented in two tables. The first table lists the total number of wireless clients managed by this access point.
  • Page 58: Network View

    4 - 10 WiNG 5 Access Point System Reference Guide 4.2 Network View The Network View displays device topology association between a selected access point, its RF Domain and its connected clients. The association is displayed using a number of different color options.
  • Page 59: Network View Display Options

    Dashboard 4 - 11 Figure 4-13 Network View - System Browser 4.2.1 Network View Display Options  Network View 1. Select the blue Options link right under the Network View banner to display a menu for different device interaction display options. Figure 4-14 Network View - Options 2.
  • Page 60: Device Specific Information

    • Quality – Select this option to filter based on the overall RF health. RF health is a ratio of connection rate, retry rates, and error rates. Quality results include: Red (Bad Quality), Orange (Poor Quality), Yellow (Fair Quality) and Green (Good Quality).
  • Page 61: Chapter 5 Device Configuration

    CHAPTER 5 DEVICE CONFIGURATION Access points can either be assigned unique configurations to support a particular deployment objective or have an existing RF Domain or Profile configuration modified (overridden) to support a requirement that deviates its configuration from the configuration shared by its peer access points. Refer to the following to set an access point’s sensor functionality, Virtual Controller AP designation, and license and certificate usage configuration: •...
  • Page 62: Rf Domain Configuration

    5 - 2 WiNG 5 Access Point System Reference Guide 5.1 RF Domain Configuration An access point’s configuration is composed of numerous elements including a RF Domain, WLAN and device specific settings. RF Domains are used to assign regulatory, location and relevant policies to access points of the same model.
  • Page 63 Device Configuration 5 - 3 Figure 5-1 RF Domain - Basic Configuration screen 2. Define the following Basic Configuration values for the access point RF Domain: Location Assign the physical location of the RF Domain. This name could be as specific as the floor of a building, or as generic as an entire site.
  • Page 64 5 - 4 WiNG 5 Access Point System Reference Guide 3. Refer to the Statistics field to define how RF Domain stats are updated: Update Interval Set a statistics update interval of 0 or 5-3600 seconds for updates retrieved from the access point.
  • Page 65: Rf Domain Sensor Configuration

    In addition to dedicated Motorola Solutions AirDefense sensors, an access point radio can function as a sensor and upload information to a dedicated WIPS server (external to the access point). Unique WIPS server configurations can be used to ensure a WIPS server configuration is available to support the unique data protection needs of a RF Domain.
  • Page 66 5 - 6 WiNG 5 Access Point System Reference Guide 6. Use the spinner control to specify the Port of each WIPS server. The default port is 443. 7. Select to save the changes to the AirDefense WIPS configuration, or select...
  • Page 67: System Profile Configuration

    The configuration parameters within a profile are based on the hardware model the profile was created to support. All WiNG 5 supported access point models support a single profile that’s either shared amongst multiple access points or not. The central benefit of a profile is its ability to update access points collectively without having to modify individual configurations.
  • Page 68 5 - 8 WiNG 5 Access Point System Reference Guide To define a profile’s general configuration: 1. Select the Configuration tab from the Web UI. 2. Select Devices. 3. Select System Profile from the options on left-hand side of the UI.
  • Page 69: Profile Radio Power

    Device Configuration 5 - 9 5.3.2 Profile Radio Power Use the Power screen to set one of two power modes (3af or Auto) for the access point profile. When Automatic is selected, the access point safely operates within available power. Once the power configuration is determined, the access point configures its operating power characteristics based on its model and power configuration.
  • Page 70 Figure 5-4 Profile - Power screen 5. Use the Power Mode drop-down menu to set the Power Mode Configuration on this NOTE: Single radio model access points always operate using a full power configuration.
  • Page 71: Profile Adoption (Auto Provisioning) Configuration

    5.3.3 Profile Adoption (Auto Provisioning) Configuration Adoption is the process an access point uses to discover Virtual Controller APs available in the network, pick the most desirable Virtual Controller, establish an association with the Virtual Controller, optionally obtain an image upgrade, obtain its configuration and consider itself provisioned.
  • Page 72 5 - 12 WiNG 5 Access Point System Reference Guide Figure 5-5 Profile Adoption screen 5. Define the Preferred Group used as optimal group of Virtual Controller for adoption. The name of the preferred group cannot exceed 64 characters. 6. Set the Controller Hello Interval for adopting controller discovery.
  • Page 73 Routing Level - Use the spinner controller to set the routing level (either 1 or 2) for the Virtual Controller link. The default setting is 1. IPSec Secure - Define whether an IPSec secure controller list is used in the controller adoption. An IPSec secure link is disabled by default.
  • Page 74: Profile Interface Configuration

    5.3.4 Profile Interface Configuration An access point profile can support customizable Ethernet Port, Virtual Interface, Port Channel, Radio and PPPoE configurations unique to the supported AP-7131, AP-6511, AP-6532, AP-6521 or AP-7161 model.
  • Page 75: Ethernet Port Configuration

    Device Configuration 5 - 15 5.3.4.1 Ethernet Port Configuration  Profile Interface Configuration Displays the physical port name reporting runtime data and statistics. The following ports are available depending on model: • AP-7131 - GE1/POE (LAN), GE2 (WAN) • AP-6532 - GE1/POE (LAN) •...
  • Page 76 5 - 16 WiNG 5 Access Point System Reference Guide Admin Status A green checkmark defines the port as active and currently enabled with the profile. A red “X” defines the port as currently disabled and not available for use. The interface status can be modified with the port configuration as...
  • Page 77 Device Configuration 5 - 17 Figure 5-7 Ethernet Ports - Basic Configuration screen 7. Set the following Ethernet port Properties: Description Enter a brief description for the port (64 characters maximum). The description should reflect the port’s intended function to differentiate it from others with similar configurations.
  • Page 78 8. Define the following Cisco Discovery Protocol (CDP) and LLDP parameters to apply to the Ethernet port configuration. Cisco Discover Protocol Receive - Select the radio button to allow the Cisco discovery protocol for receiving data on this port.
  • Page 79 Device Configuration 5 - 19 11. Select to save the changes made to the Ethernet Port Basic Configuration. Select Reset to revert to the last saved configuration. 12. Select the Security tab. Figure 5-8 Ethernet Ports - Security screen 13. Refer to the Access Control field.
  • Page 80 5 - 20 WiNG 5 Access Point System Reference Guide Trust DHCP Responses Select the radio button to enable DHCP trust on this port. If enabled, only DHCP responses are trusted and forwarded on this port, and a DHCP server can be connected only to a DHCP trusted port.
  • Page 81: Virtual Interface Configuration

    Device Configuration 5 - 21 5.3.4.2 Virtual Interface Configuration  Profile Interface Configuration A Virtual Interface is required for layer 3 (IP) access to provide layer 3 service on a VLAN. The Virtual Interface defines which IP address is associated with each VLAN ID the access point is connected to. A Virtual Interface is created for the default VLAN (VLAN 1) to enable remote administration.
  • Page 82 5 - 22 WiNG 5 Access Point System Reference Guide VLAN Displays the numerical VLAN ID associated with each listed interface. IP Address Defines whether DHCP was used to obtain the primary IP address used by the Virtual Interface configuration.
  • Page 83 8. Set the following network information from within the IP Addresses field: Enable Zero Configuration - The access point can use Zero Config for IP assignments on an individual virtual interface basis. Select Primary to use Zero Config as the designated means of providing an IP address, this eliminates the means to assign one manually.
  • Page 84 Figure 5-11 Virtual Interfaces - Security screen 12. Use the Inbound IP Firewall Rules drop-down menu to select the firewall rule configuration to apply to this Virtual Interface. The firewall inspects packet traffic to and from connected clients.
  • Page 85: Port Channel Configuration

    5.3.4.3 Port Channel Configuration Customized port channel configurations can be applied to the access point’s profile as part of its Interface configuration. To define a port channel configuration for a controller profile: Figure 5-12 Profile Interfaces - Port Channels screen 1.
  • Page 86 5 - 26 WiNG 5 Access Point System Reference Guide Figure 5-13 Port Channels - Basic Configuration screen 7. Set the following port channel Properties: Description Enter a brief description for the port channel (64 characters maximum). The description should reflect the port channel’s intended function.
  • Page 87 Device Configuration 5 - 27 Duplex Select either Half, Full or Automatic as the duplex option. Select Half duplex to send data over the port channel, then immediately receive data from the same direction in which the data was transmitted. Like a Full duplex transmission, a Half duplex transmission can carry data in both directions, just not at the same time.
  • Page 88 5 - 28 WiNG 5 Access Point System Reference Guide Figure 5-14 Port Channels - Security screen 12. Refer to the Access Control field. As part of the port channel’s security configuration, Inbound IP and MAC address firewall rules are required.
  • Page 89 Device Configuration 5 - 29 Trust 802.1p COS values Select the check box to enable 802.1p COS values on this port channel. The default value is enabled. Trust IP DSCP Select the check box to enable IP DSCP values on this port channel. The default value is disabled.
  • Page 90 5 - 30 WiNG 5 Access Point System Reference Guide 17. Set the following MSTP Configuration parameters for the port channel: Enable as Edge Port Select the check box to define this port as an edge port. Using an edge (private) port, you can isolate devices to prevent connectivity over this port channel.
  • Page 91 19. Select + Add Row as needed to include additional indexes. 20. Refer to the Spanning Tree Port Priority table. Define an Instance Index using the spinner control and then set the Priority. The lower the priority, the greater the likelihood of the port becoming a designated port.
  • Page 92: Access Point Radio Configuration

    5.3.4.4 Access Point Radio Configuration An access point profile can have its radio configuration modified once its radios have successfully associated to the network. To define an Access Point radio configuration: 1.
  • Page 93 Device Configuration 5 - 33 RF Mode Displays whether each listed radio is operating in the 802.11a/n or 802.11b/g/n radio band. If the radio is a dedicated sensor, it will be listed as a sensor to define the radio as not providing typical WLAN support. The radio band is set from within the Radio Settings tab.
  • Page 94 Radio QoS Policy - Use the drop-down menu to specify an existing QoS policy to apply to the access point radio in respect to its intended radio traffic. If there’s no existing policy suiting the radio’s intended operation, select the Create icon to define a new...
  • Page 95 (isotropically), and has no losses. Although the gain of an antenna is directly related to its directivity, its gain is a measure that takes into account the efficiency of the antenna as well as its directional capabilities. Motorola Solutions recommends that only a professional installer set the antenna gain.
  • Page 96 5 - 36 WiNG 5 Access Point System Reference Guide NOTE: AP-7131, AP-6532 and AP-7161 model access points can support up to 256 client connections to a single access point radio. AP-6511 and AP-6521 model access points (both single radio models) can support up to 128 client connections to a single radio.
  • Page 97 Device Configuration 5 - 37 RTS Threshold Specify a Request To Send (RTS) threshold (between 1 - 2,347 bytes) for use by the WLAN's adopted access point radios. RTS is a transmitting station's signal that requests a Clear To Send (CTS) response from a receiving client. This RTS/CTS procedure clears the air where clients are contending for transmission time.
  • Page 98 5 - 38 WiNG 5 Access Point System Reference Guide Figure 5-18 Access Point Radio - WLAN Mapping tab 13. Refer to the WLAN/BSS Mappings field to set WLAN BSSID assignments for an existing access point deployment. Administrators can assign each WLAN its own BSSID. If using a single-radio access point, there are 8 BSSIDs available.
  • Page 99 Device Configuration 5 - 39 Figure 5-19 Access Point Radio - Mesh tab 16. Use the Mesh screen to define how mesh connections are established and the number of links available amongst access points within the Mesh network. 17. Define the following Mesh Settings: Mesh Options include Client, Portal and Disabled.
  • Page 100 5 - 40 WiNG 5 Access Point System Reference Guide Figure 5-20 Access Point Radio - Advanced Settings tab 21. Refer to the Aggregate MAC Protocol Data Unit (A-MPDU) field to define how MAC service frames are aggregated by the access point radio.
  • Page 101 Device Configuration 5 - 41 Available modes include Receive Only and Transmit and Receive. Transmit and Receive is the default value. Using Transmit and Receive, frames up to 4 KB can be sent and received. The buffer limit is not configurable. 23.
  • Page 102: Pppoe Configuration

    5 - 42 WiNG 5 Access Point System Reference Guide 5.3.4.5 PPPoE Configuration PPP over Ethernet (PPPoE) is a data-link protocol for dialup connections. PPPoE allows the access point to use a broadband modem (DSL, cable modem, etc.) for access to high-speed data and broadband networks. Most DSL providers are currently supporting (or deploying) the PPPoE protocol.
  • Page 103 Device Configuration 5 - 43 Figure 5-21 Profile Interface - PPPoE screen 5. Use the Basic Settings field to enable PPPoE and define a PPPoE client Enable PPPoE Select Enable to support a high speed client mode point-to-point connection using the PPPoE protocol. The default setting is disabled. Service Enter the 128 character maximum PPPoE client service name provided by the service provider.
  • Page 104 5 - 44 WiNG 5 Access Point System Reference Guide DSL Modem Network (VLAN) Use the spinner control to set the PPPoE VLAN (client local network) connected to the DSL modem. This is the local network connected to the DSL modem. The available range is 1 - 4,094.
  • Page 105 Device Configuration 5 - 45 VPN Crypto Map Use the drop-down menu to apply an existing crypto map configuration to this PPPoE interface. 10. Use the spinner control to set the Default Route Priority for the default route learnt using PPPoE. Select from 1 - 8,000.
  • Page 106: Wan Backhaul Configuration

    5 - 46 WiNG 5 Access Point System Reference Guide 5.3.4.6 WAN Backhaul Configuration A Wireless Wide Area Network (WWAN) card is a specialized network interface card that allows a network device to connect, transmit and receive data over a Cellular Wide Area Network. The AP-7131N model access point has a PCI Express card slot that supports 3G WWAN cards.
  • Page 107 Device Configuration 5 - 47 Password Provide your password for authentication support by the cellular data carrier. Access Point Name (APN) Enter the name of the cellular data provider if necessary. This setting is needed in areas with multiple cellular data providers using the same protocols such as Europe, the Middle East and Asia.
  • Page 108: Profile Network Configuration

    5 - 48 WiNG 5 Access Point System Reference Guide 5.3.5 Profile Network Configuration Setting an access point profile’s network configuration is a large task comprised of numerous administration activities. An access point profile network configuration process consists of the following: •...
  • Page 109: Dns Configuration

    Device Configuration 5 - 49 5.3.5.1 DNS Configuration Domain Naming System (DNS) is a hierarchical naming system for resources connected to the Internet or a private network. Primarily, DNS resources translate domain names into IP addresses. If one DNS server doesn't know how to translate a particular domain name, it asks another one until the correct IP address is returned.
  • Page 110 5 - 50 WiNG 5 Access Point System Reference Guide DNS Server Forwarding Click to enable the forwarding of DNS queries to external DNS servers if a DNS query cannot be processed by the access point’s own DNS resources. This feature is disabled by default.
  • Page 111: Arp

    Device Configuration 5 - 51 5.3.5.2 ARP Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a hardware MAC address recognized on the network. ARP provides protocol rules for making this correlation and providing address conversion in both directions. When an incoming packet destined for a host arrives, the gateway uses ARP to find a physical host or MAC address that matches the IP address.
  • Page 112 5 - 52 WiNG 5 Access Point System Reference Guide Figure 5-24 Network - ARP screen 6. Set the following parameters to define the ARP configuration: Switch VLAN Use the spinner control to select a VLAN for an address requiring resolution.
  • Page 113: L2Tpv3 Profile Configuration

    Device Configuration 5 - 53 5.3.5.3 L2TPv3 Profile Configuration L2TP V3 is an IETF standard used for transporting different types of layer 2 frames in an IP network (and access point profile). L2TP V3 defines control and encapsulation protocols for tunneling layer 2 frames between two IP nodes. Use L2TP V3 to create tunnels for transporting layer 2 frames.
  • Page 114 5 - 54 WiNG 5 Access Point System Reference Guide Figure 5-25 Network - L2TPv3 screen, General tab 5. Set the following General Settings for an L2TPv3 profile configuration: Host Name Define a 64 character maximum host name to specify the name of the host that’s sent tunnel messages.
  • Page 115 Device Configuration 5 - 55 Figure 5-26 Network - L2TPv3 screen, L2TP tunnel tab 7. Review the following L2TPv3 tunnel configuration data: Name Displays the name of each listed L2TPv3 tunnel assigned upon creation. Local IP Address Lists the IP address assigned as the local tunnel end point address, not the interface IP address.
  • Page 116 5 - 56 WiNG 5 Access Point System Reference Guide Figure 5-27 Network - L2TPv3 screen, Add L2TP Tunnel Configuration 9. If creating a new tunnel configuration, assign it a 31 character maximum Name. 10. Define the following Settings required for the L2TP tunnel configuration:...
  • Page 117 Device Configuration 5 - 57 11. Refer to the Peer table to review the configurations of the peers available for tunnel connection. Select + Add Row to populate the table with a maximum of two peer configurations. Figure 5-28 Network - L2TPv3 screen, Add L2TP Peer Configuration 12.
  • Page 118 5 - 58 WiNG 5 Access Point System Reference Guide Pseudowire ID Define a pseudowire ID for this session. A pseudowire is an emulation of a layer 2 point-to-point connection over a packet-switching network (PSN). A pseudowire was developed out of the necessity to encapsulate and tunnel layer 2 protocols across a layer 3 network.
  • Page 119 Device Configuration 5 - 59 Figure 5-29 Network - L2TPv3 screen, Manual Session tab 18. Refer to the following manual session configurations to determine whether one should be created or modified: IP Address Lists the IP address assigned as the local tunnel end point address, not the interface IP address.
  • Page 120 5 - 60 WiNG 5 Access Point System Reference Guide Figure 5-30 Network - L2TPv3 screen, Add L2TP Peer Configuration 20. Set the following session parameters: Name Define a 31 character maximum name of this tunnel session. After a successful tunnel connection and establishment, the session is created.
  • Page 121 Device Configuration 5 - 61 Remote Session ID Use the spinner control to set the remote session ID passed in the establishment of the tunnel session. Assign an ID in the range of 1 - 4,294,967,295. Encapsulation Select either IP or UDP as the peer encapsulation protocol. The default setting is IP.
  • Page 122: Igmp Snooping

    5 - 62 WiNG 5 Access Point System Reference Guide 5.3.5.4 IGMP Snooping The Internet Group Management Protocol (IGMP) is a protocol used for managing members of IP multicast groups. The access point listens to IGMP network traffic and forwards the IGMP multicast packets to radios on which the interested hosts are connected.
  • Page 123 Device Configuration 5 - 63 6. Set the following IGMP Querier parameters for the IGMP configuration: Enable IGMP Querier Select the radio button to enable IGMP querier. IGMP snoop querier is used to keep host memberships alive. It is primarily used in a network where there is a multicast streaming server, hosts subscribed to the server and no IGMP querier present.
  • Page 124: Quality Of Service (Qos)

    5 - 64 WiNG 5 Access Point System Reference Guide 5.3.5.5 Quality of Service (QoS) The access point uses different Quality of Service (QoS) screens to define WLAN and device radio QoS configurations. The System Profiles > Network > QoS facility is separate from WLAN and radio QoS configurations, and is used to configure the priority of the different DSCP packet types.
  • Page 125 Device Configuration 5 - 65 802.1p Priority Assign an 802.1p priority as a 3-bit IP precedence value in the Type of Service field of the IP header used to set the priority. The valid values for this field are 0-7. Up to 64 entries are permitted. The priority values are: 0 –...
  • Page 126: Spanning Tree Configuration

    5 - 66 WiNG 5 Access Point System Reference Guide 5.3.5.6 Spanning Tree Configuration The Multiple Spanning Tree Protocol (MSTP) provides an extension to RSTP to optimize the usefulness of VLANs. MSTP allows for a separate spanning tree for each VLAN group, and blocks all but one of the possible alternate paths within each spanning tree topology.
  • Page 127 Device Configuration 5 - 67 Figure 5-33 Spanning Tree screen 5. Set the following MSTP Configuration parameters: MSTP Enable Select this option to enable MSTP for this profile. MSTP is disabled by default, so enable this setting if requiring different (groups) of VLANs with the profile supported network segment.
  • Page 128 5 - 68 WiNG 5 Access Point System Reference Guide Hello Time Set a BPDU hello interval from 1 - 10 seconds. BPDUs are exchanged regularly (every 2 seconds by default) and enable supported devices to keep track of network changes and start/stop port forwarding as required.
  • Page 129: Routing

    Device Configuration 5 - 69 5.3.5.7 Routing Routing is the process of selecting paths in a network to send network traffic. Network routes can use fixed paths (static routes). An entire network can be configured using static routes, but this type of configuration is not fault tolerant.
  • Page 130 5 - 70 WiNG 5 Access Point System Reference Guide Figure 5-34 Network Routing screen 5. Select IP Routing to enable static routes using IP addresses. This option is enabled by default. 6. Select Add Row + as needed to include single rows within the static IPv4 route table.
  • Page 131 Device Configuration 5 - 71 DHCP Client Default Route Priority Use the spinner control to set the priority value (1 - 8,000) for the default route learnt from the DHCP client. The default setting is 1000. Enable Routing Failure When selected, all default gateways are monitored for activity. The system will failover to a live gateway if the current gateway becomes unusable.
  • Page 132: Dynamic Routing (Ospf)

    5 - 72 WiNG 5 Access Point System Reference Guide 5.3.5.8 Dynamic Routing (OSPF) Open Shortest Path First (OSPF) is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology.
  • Page 133 Device Configuration 5 - 73 Figure 5-35 OSPF Settings screen 5. Enable/disable OSPF and provide the following dynamic routing settings: Enable OSPF Select this option to enable OSPF for this access point. OSPF is disabled by default.
  • Page 134 5 - 74 WiNG 5 Access Point System Reference Guide Router ID Select this option to define a router ID (numeric IP address) for this access point. This ID must be established in every OSPF instance. If not explicitly configured, the highest logical IP address is duplicated as the router identifier.
  • Page 135 Device Configuration 5 - 75 8. Refer to the Route Redistribution table to set the types of routes that can be used by OSPF. Select the + Add Row button to populate the table. Set the Route Type used to define the redistributed route. Options include connected, kernel and static.
  • Page 136 5 - 76 WiNG 5 Access Point System Reference Guide Figure 5-37 OSPF Area Configuration screen 14. Set the OSPF Area configuration. Area ID Use the drop down menu and specify either an IP address or Integer for the OSPF area.
  • Page 137 Device Configuration 5 - 77 Figure 5-38 OSPF Interface Settings screen 17. Review existing Interface Settings using: Name Displays the name defined for the interface configuration. Type Displays the type of interface. Description Lists each interface’s 32 character maximum description. Admin Status Displays whether Admin Status privileges have been enabled or disabled for the OSPF route’s virtual interface connection.
  • Page 138 5 - 78 WiNG 5 Access Point System Reference Guide Figure 5-39 OSPF Virtual Interface - Basic Configuration screen 19. Within the Properties field, enter a 32 character maximum Description to help differentiate the virtual interface configuration used with this OSPF route. Enable/disable admin privileges as needed. They’re disabled by default.
  • Page 139 Device Configuration 5 - 79 Figure 5-40 OSPF Virtual Interface - Security screen 26. Use the Inbound IP Firewall Rules drop-down menu to select the IP access and deny rules to apply to the OSPF dynamic route. Either select an existing IP firewall policy or use the default set of IP firewall rules. The firewall inspects OSPF route traffic flows and detects potential attacks on the dynamic route not visible to traditional wired firewall appliances.
  • Page 140 5 - 80 WiNG 5 Access Point System Reference Guide Figure 5-41 OSPF Virtual Interface - Dynamic Routing screen 29. Set the following OSPF Settings: Priority Select this option to set the OSPF priority used to select the network designated route. Use the spinner control to set the value from 1 - 255.
  • Page 141 Device Configuration 5 - 81 32. Select to save the changes to the Profile_Dynamic_Route configuration. Select Reset to revert to the last saved configuration...
  • Page 142: Forwarding Database

    5 - 82 WiNG 5 Access Point System Reference Guide 5.3.5.9 Forwarding Database A Forwarding Database is used by a bridge to forward or filter packets. The bridge reads the packet’s destination MAC address and decides to either forward the packet or drop (filter) it. If it is determined the destination MAC is on a different network segment, it forwards the packet to the segment.
  • Page 143 Device Configuration 5 - 83 7. Set a destination MAC Address. The bridge reads the packet’s destination MAC address and decides to forward the packet or drop (filter) it. If it’s determined the destination MAC is on a different network, it forwards the packet to the segment.
  • Page 144: Bridge Vlan

    5 - 84 WiNG 5 Access Point System Reference Guide 5.3.5.10 Bridge VLAN A Virtual LAN (VLAN) is a separately administered virtual network within the same physical managed network. VLANs are broadcast domains to allow control of broadcast, multicast, unicast and unknown unicast within a Layer 2 device.
  • Page 145 Device Configuration 5 - 85 Figure 5-43 Network Bridge VLAN screen VLAN Lists the numerical identifier defined for the Bridge VLAN when it was initially created. The available range is from 1 - 4095. This value cannot be modified during the edit process. Description Lists a description of the VLAN assigned when it was created or modified.
  • Page 146 5 - 86 WiNG 5 Access Point System Reference Guide 5. Select to define a new Bridge VLAN configuration, Edit to modify the configuration of an existing Bridge VLAN configuration or Delete to remove a VLAN configuration. Figure 5-44 Bridge VLAN Configuration screen 6.
  • Page 147 Device Configuration 5 - 87 IP Outbound Tunnel Select an IP Outbound Tunnel ACL for outbound traffic from the drop-down menu. If an appropriate outbound IP ACL is not available click the create button to make a new one. MAC Outbound Tunnel Select a MAC Outbound Tunnel ACL for outbound traffic from the drop-down menu.
  • Page 148: Cisco Discovery Protocol Configuration

    5 - 88 WiNG 5 Access Point System Reference Guide 5.3.5.11 Cisco Discovery Protocol Configuration The Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer protocol implemented in Cisco networking equipment. It's primarily used to obtain IP addresses of neighboring devices and discover their platform information.
  • Page 149: Link Layer Discovery Protocol Configuration

    Device Configuration 5 - 89 5.3.5.12 Link Layer Discovery Protocol Configuration The Link Layer Discovery Protocol (LLDP) provides a standard way for a controller or access point to advertise information about themselves to networked neighbors and store information they discover from their peers. LLDP is a neighbor discovery protocol that defines a method for network access devices using Ethernet connectivity to advertise information about themselves to peer devices on the same physical LAN and store information about the network.
  • Page 150 5 - 90 WiNG 5 Access Point System Reference Guide Timer Set the interval used to transmit LLDP PDUs. Define an interval from 5 - 900 seconds. The default setting is 60 seconds. Inventory Management TLV Select this option to include LLDP-MED inventory management discovery TLV in LLDP PDUs.
  • Page 151: Miscellaneous Network Configuration

    Device Configuration 5 - 91 5.3.5.13 Miscellaneous Network Configuration A profile can be configured to include a hostname in a DHCP lease for a requesting device and its profile. This helps an administrator track the leased DHCP IP address by hostname for the supported device profile. When numerous DHCP leases are assigned, an administrator can better track the leases when hostnames are used instead of devices.
  • Page 152: Profile Network Configuration And Deployment Considerations

    5 - 92 WiNG 5 Access Point System Reference Guide 5.3.5.14 Profile Network Configuration and Deployment Considerations Before defining a profile’s network configuration, refer to the following deployment guidelines to ensure the profile configuration is optimally effective: •...
  • Page 153: Defining Profile Vpn Settings

    Device Configuration 5 - 93 5.3.6.1 Defining Profile VPN Settings IPSec VPN provides a secure tunnel between two networked peer access points or controllers. Administrators can define which packets are sent within the tunnel, and how they’re protected. When a tunnelled peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its remote peer destination.
  • Page 154 5 - 94 WiNG 5 Access Point System Reference Guide Figure 5-48 Profile Security - VPN IKE Policy screen 5. Select either the IKEv1 or IKEv2 radio button to enforce VPN peer key exchanges using either IKEv1 or IKEv2. IKEv2 provides improvements from the original IKEv1 design (improved cryptographic mechanisms, NAT and firewall traversal, attack resistance etc.) and is recommended in most deployments.
  • Page 155 Device Configuration 5 - 95 7. Select to define a new IKE Policy configuration, Edit to modify an existing configuration or Delete to remove an existing configuration.
  • Page 156 5 - 96 WiNG 5 Access Point System Reference Guide Figure 5-49 Profile Security - VPN IKE Policy create/modify screen (IKEv1 example) Name If creating a new IKE policy, assign it a 32 character maximum name to help differentiate this IKE configuration from others with similar parameters.
  • Page 157 Device Configuration 5 - 97 IKE LifeTime Set the lifetime defining how long a connection (encryption/authentication keys) should last from successful key negotiation to expiration. Set this value in either Seconds (600 - 86,400), Minutes (10 - 1,440), Hours (1 - 24) or Days (1).
  • Page 158 5 - 98 WiNG 5 Access Point System Reference Guide Figure 5-50 Profile Security - VPN Peer Destination screen (IKEv1 example) 11. Select either the IKEv1 or IKEv2 radio button to enforce VPN key exchanges using either IKEv1 or IKEv2. 12. Refer to the following to determine whether a new VPN...
  • Page 159 Device Configuration 5 - 99 13. Select to define a new peer configuration, Edit to modify an existing configuration or Delete to remove an existing peer configuration. The parameters that can be defined for the peer configuration vary depending on whether IKEv1 or IKEv2 was selected.
  • Page 160 5 - 100 WiNG 5 Access Point System Reference Guide Figure 5-51 Profile Security - VPN Peer Configuration create/modify screen (IKEv2 example) Name If creating a new peer configuration (remote gateway) for VPN tunnel connection, assign it a 32 character maximum name to distinguish it from others with similar attributes.
  • Page 161 Device Configuration 5 - 101 Remote Identity Select the access point’s remote identifier used with this peer configuration for an IKE exchange with the target VPN IPSec peer. Options include IP Address, Distinguished Name, FQDN, email and string. The default setting is string.
  • Page 162 5 - 102 WiNG 5 Access Point System Reference Guide Authentication Algorithm Lists each transform set’s authentication scheme used to validate identity credentials. The authentication scheme is either HMAC-SHA or HMAC-MD5. Encryption Algorithm Displays each transform set’s encryption method for protecting transmitted traffic.
  • Page 163 Device Configuration 5 - 103 Mode Use the drop-down menu to select either Tunnel or Transport as the IPSec tunnel type used with the transform set. Tunnel is used for site-to-site VPN and Transport should be used for remote VPN deployments. 19.
  • Page 164 5 - 104 WiNG 5 Access Point System Reference Guide Type Displays the site-to-site-manual, site-to-site-auto or remote VPN configuration defined for each listed crypto map configuration. With site-to-site deployments, an IPSEC Tunnel is deployed between two gateways, each at the edge of two different remote networks. With remote VPN, an access point located at remote branch defines a tunnel with a security gateway.
  • Page 165 Device Configuration 5 - 105 Figure 5-55 Profile Security - VPN Crypto Map screen 24. Review the following before determining whether to add or modify a crypto map configuration Sequence Each crypto map configuration uses a list of entries based on a sequence number.
  • Page 166 5 - 106 WiNG 5 Access Point System Reference Guide Figure 5-56 Profile Security - VPN Crypto Map Entry screen 26. Define the following parameters to set the crypto map configuration: Sequence Each crypto map configuration uses a list of entries based on a sequence number.
  • Page 167 Device Configuration 5 - 107 IP Firewall Rules Use the drop-down menu to select the access list (ACL) used to protect IPSec VPN traffic. New access/deny rules can be defined for the crypto map by selecting the Create icon, or an existing set of firewall rules can be modified by selecting the Edit icon.
  • Page 168 5 - 108 WiNG 5 Access Point System Reference Guide Figure 5-57 Profile Security - Remote VPN Server screen (IKEv2 example) 29. Select either the IKEv1 or IKEv2 radio button to enforce peer key exchanges over the remote VPN server using either IKEv1 or IKEv2.
  • Page 169 Device Configuration 5 - 109 firewall traversal, attack resistance etc.) and is recommended in most deployments. The appearance of the screen differs depending on the selected IKEv1 or IKEv2 mode. 30. Set the following IKEv1 or IKEv2 Settings: Authentication Method Use the drop-down menu to specify the authentication method used to validate the credentials of the remote VPN client.
  • Page 170 5 - 110 WiNG 5 Access Point System Reference Guide Figure 5-58 Profile Security - Global VPN Settings screen 37. Define the following settings for IKE Dead Peer Detection: DPD Keep Alive Define the interval (or frequency) of IKE keep alive messages for dead peer detection.
  • Page 171 Device Configuration 5 - 111 DPD Retries Use the spinner control to define the number of keep alive messages sent to an IPSec VPN client before the tunnel connection is defined as dead. The available range is from 1 - 100. The default number of messages is 5.
  • Page 172: Defining Profile Security Settings

    5. Select the radio button to require profile supported devices to use a WEP key to access the network using this profile. The access point, other proprietary routers, and Motorola Solutions clients use the key algorithm to convert an ASCII string to the same hexadecimal number. Clients without Motorola Solutions adapters need to use WEP keys manually configured as hexadecimal numbers.
  • Page 173: Setting The Certificate Revocation List (Crl) Configuration

    Device Configuration 5 - 113 5.3.6.3 Setting the Certificate Revocation List (CRL) Configuration A certificate revocation list (CRL) is a list of certificates that have been revoked or are no longer valid. A certificate can be revoked if the certificate authority (CA) had improperly issued a certificate, or if a private-key is compromised.
  • Page 174: Setting The Profile's Nat Configuration

    5 - 114 WiNG 5 Access Point System Reference Guide 5.3.6.4 Setting the Profile’s NAT Configuration Network Address Translation (NAT) is a technique to modify network address information within IP packet headers in transit across a traffic routing device. This enables mapping one IP address to another to protect network address credentials.
  • Page 175 Device Configuration 5 - 115 5. Select to create a new NAT policy that can be applied to a profile. Select Edit to modify the attributes of an existing policy or select Delete to remove obsolete NAT policies from the list of those available to a profile. Figure 5-62 Security NAT Pool screen 6.
  • Page 176 5 - 116 WiNG 5 Access Point System Reference Guide Figure 5-63 Static NAT screen - Source tab 10. To map a source IP address from an internal network to a NAT IP address click the + Add Row button. Enter the internal network IP address in Source IP field.
  • Page 177 Device Configuration 5 - 117 Figure 5-64 Static NAT screen - Destination tab 13. Select to create a new NAT destination configuration, Edit to modify the attributes of an existing configuration or Delete to permanently remove a NAT destination.
  • Page 178 5 - 118 WiNG 5 Access Point System Reference Guide Figure 5-65 NAT Destination Add screen 14. Set the following Destination configuration parameters: Static NAT creates a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network.
  • Page 179 Device Configuration 5 - 119 Destination Port Use the spinner control to set the local port number used at the (source) end of the static NAT configuration. The default value is port 1. NAT IP Enter the IP address of the matching packet to the specified value. The IP address modified can be either source or destination based on the direction specified.
  • Page 180 5 - 120 WiNG 5 Access Point System Reference Guide Figure 5-66 Dynamic NAT screen 17. Refer to the following to determine whether a new Dynamic NAT configuration requires creation, edit or deletion: Source List ACL Lists the ACL defining packet selection criteria for the NAT configuration.
  • Page 181 Device Configuration 5 - 121 Figure 5-67 Source ACL List screen 19. Set the following to define the Dynamic NAT configuration: Source List ACL Use the drop-down menu to select an ACL name to define the packet selection criteria for NAT. NAT is applied only on packets which match a rule defined in the access-list.
  • Page 182 5 - 122 WiNG 5 Access Point System Reference Guide Overload Type Select the radio button of Overload Type used with the listed IP ACL rule. Options include NAT Pool, One Global Address and Interface IP Address. Interface IP Address is the default setting. If NAT Pool is selected, provide the Overload IP address.
  • Page 183: Setting The Profile's Bridge Nat Configuration

    Device Configuration 5 - 123 5.3.6.5 Setting the Profile’s Bridge NAT Configuration Use Bridge NAT to manage Internet traffic originating at a remote site. In addition to traditional NAT functionality, Bridge NAT provides a means of configuring NAT for bridged traffic through an access point. NAT rules are applied to bridged traffic through the access point, and matching packets are NATed to the WAN link instead of being bridged on their way to the router.
  • Page 184 5 - 124 WiNG 5 Access Point System Reference Guide Figure 5-68 Security Bridge NAT screen 5. Review the following Bridge NAT configurations to determine whether a new Bridge NAT configuration requires creation or an existing configuration modified or removed.
  • Page 185 Device Configuration 5 - 125 Figure 5-69 Security Source Dynamic NAT screen 7. Select the ACL whose IP rules are to be applied to this policy based forwarding rule. A new ACL can be defined by selecting the Create icon, or an existing set of IP ACL rules can be modified by selecting the Edit icon. 8.
  • Page 186 5 - 126 WiNG 5 Access Point System Reference Guide Figure 5-70 Security Source Dynamic NAT screen 10. Select to save the changes made within the Add Row and Source Dynamic NAT screen. Select Reset to revert to the last saved configuration.
  • Page 187: Profile Security Configuration And Deployment Considerations

    Device Configuration 5 - 127 5.3.6.6 Profile Security Configuration and Deployment Considerations Before defining a profile’s security configuration, refer to the following deployment guidelines to ensure the profile configuration is optimally effective: • Ensure the contents of the Certificate Revocation List are periodically audited to ensure revoked certificates remain quarantined or validated certificates are reinstated.
  • Page 188 5 - 128 WiNG 5 Access Point System Reference Guide Figure 5-71 VRRP screen 5. Review the following VRRP configuration data to assess if a new VRRP configuration is required or if an existing VRRP configuration requires modification or removal: Virtual Router ID Lists a numerical index (1 - 254) used to differentiate VRRP configurations.
  • Page 189 Device Configuration 5 - 129 Figure 5-72 VVRP screen - Version tab VRRP version 3 (RFC 5798) and 2 (RFC 3768) are selectable to set the router redundancy. Version 3 supports sub-second (centisecond) VRRP failover and support services over virtual IP. For more information on the VRRP protocol specifications (available publicly) refer to http://www.ietf.org/rfc/rfc3768.txt (version 2) and...
  • Page 190 5 - 130 WiNG 5 Access Point System Reference Guide Figure 5-73 VVRP screen 8. If creating a new VRRP configuration, assign a Virtual Router ID from (1 - 255). In addition to functioning as numerical identifier, the ID identifies the access point’s virtual router a packet is reporting status for.
  • Page 191 Device Configuration 5 - 131 Virtual IP Addresses Provide up to 8 IP addresses representing the Ethernet switches, routers or security appliances defined as virtual router resources to the AP-7131 access point. Advertisement Select either seconds, milliseconds or centiseconds as the unit used to define Interval Unit VRRP advertisements.
  • Page 192: Profile Critical Resources

    5 - 132 WiNG 5 Access Point System Reference Guide 11. Select to save the changes made to the VRRP configuration. Select Reset to revert to the last saved configuration. 5.3.8 Profile Critical Resources Critical resources are device IP addresses or interface destinations on the network interpreted as critical to the health of the network.
  • Page 193 Device Configuration 5 - 133 5. Ensure the Activate Critical Resources Policy button is selected to enable the parameters within the screen for configuration. This option needs to remain selected to apply the configuration to the access point profile. 6. Click the button at the bottom of the screen to add a new critical resource and connection method, or select an existing resource and select Edit...
  • Page 194: Profile Services Configuration

    5 - 134 WiNG 5 Access Point System Reference Guide Mode Set the ping mode used when the availability of a critical resource is validated. Select from: • arp-only – Use the Address Resolution Protocol (ARP) for only pinging the critical resource.
  • Page 195 Device Configuration 5 - 135 1. Select the Configuration tab from the Web UI. 2. Select Devices. 3. Select System Profile from the options on left-hand side of the UI. 4. Select Services. Figure 5-77 Profile Services screen 5. Refer to the Captive Portal Hosting field to select or set a guest access configuration (captive portal) for use with this profile.
  • Page 196: Profile Services Configuration And Deployment Considerations

    5 - 136 WiNG 5 Access Point System Reference Guide 5.3.9.1 Profile Services Configuration and Deployment Considerations Before defining a profile’s captive portal and DHCP configuration, refer to the following deployment guidelines to ensure the profile configuration is optimally effective: •...
  • Page 197 Device Configuration 5 - 137 Figure 5-78 Profile Management Settings screen...
  • Page 198 5 - 138 WiNG 5 Access Point System Reference Guide 5. Refer to the Message Logging field to define how the profile logs system events. It’s important to log individual events to discern an overall pattern that may be negatively impacting performance using the configuration defined for the access point’s profile.
  • Page 199 Device Configuration 5 - 139 7. Refer to the Events E-mail Notification field to define how system event notification e-mails are sent on behalf of the access point profile. SMTP Server Specify either the Hostname or IP Address of the outgoing SMTP server where notification e-mails are originated.
  • Page 200 5 - 140 WiNG 5 Access Point System Reference Guide Figure 5-79 Profile Management Firmware screen 11. Refer to the Auto Install via DHCP field to define the configuration used by the profile to update firmware using DHCP: Configuration Update Select this option to enable automatic configuration file updates for the profile from a location external to the access point.
  • Page 201 Device Configuration 5 - 141 Number of Concurrent Upgrades Use the spinner control to define the maximum number (1 - 20) of adopted APs that can receive a firmware upgrade at the same time. Keep in mind that, during a firmware upgrade, the AP is offline and unable to perform its normal wireless client support function until the upgrade process is complete.
  • Page 202: Upgrading Ap-6532 Firmware From 5.1

    3. Ping the AP-6532 from the computer to ensure IP connectivity. 4. Open an SSH session on the computer and connect to the AP-6532’s IP address. 5. Log in with a username and password of admin/motorola. The CLI will prompt for a new password. Re-enter the password and confirm.
  • Page 203: Profile Management Configuration And Deployment Considerations

    • Define profile management access configurations providing both encryption and authentication. Management services like HTTPS, SSH and SNMPv3 should be used when possible, as they provide data privacy and authentication. • Motorola Solutions recommends SNMPv3 be used for management profile configurations, as it provides both encryption and authentication.
  • Page 204: Advanced Profile Client Load Balancing

    5 - 144 WiNG 5 Access Point System Reference Guide 5.3.11.1 Advanced Profile Client Load Balancing Use the screen to administer the client load across an access point’s radios. AP-7131 models can have from 1-3 radios depending on the SKU.
  • Page 205 Device Configuration 5 - 145 Use notifications from roamed clients Select this option to use roamed client notifications in the neighbor selection process. This feature is enabled by default, allowing access points in the neighbor selection process to consider device roaming counts as selection criteria.
  • Page 206 5 - 146 WiNG 5 Access Point System Reference Guide Band Ratio (5GHz) Use the spinner control to set a loading ratio (between 0 - 10) the access point 5 GHz radio uses in respect to radio traffic on the 5 GHz band. This allows an administrator to weight client traffic if wishing to prioritize client traffic on the 5 GHz radio band.
  • Page 207 Device Configuration 5 - 147 Weightage given to Client Count Use the spinner control to assign a weight (between 0 - 100%) the access point uses to prioritize 2.4GHz radio client count in the 2.4GHz radio load calculation. Assign this value higher if this 2.4GHz radio is intended to support numerous clients and their throughput is secondary to maintaining association.
  • Page 208 5 - 148 WiNG 5 Access Point System Reference Guide Weightage given to Throughput Use the spinner control to assign a weight (between 0 - 100%) the access point radio uses to prioritize radio throughput in the load calculation (on both the 2.4 and 5 GHz radio bands).
  • Page 209: Configuring Mint

    Device Configuration 5 - 149 5.3.11.2 Configuring MINT MINT provides the means to secure access point profile communications at the transport layer. Using MINT, an access point can be configured to only communicate with other authorized (MINT enabled) access points of the same model. Virtual Controller AP managed access points can communicate with each other exclusively over a MINT security domain.
  • Page 210 5 - 150 WiNG 5 Access Point System Reference Guide 3. Define the following Device Heartbeat Settings in respect to devices supported by the controller profile: Designated IS Priority Adjustment Use the spinner control to set a Designated IS Priority Adjustment setting between -255 and 255.
  • Page 211 Device Configuration 5 - 151 Figure 5-83 Advanced Profile MINT screen - IP tab The IP tab displays the IP address, routing level, link cost, hello packet interval and Adjacency Hold Time managed devices use to securely communicate amongst one another within the IPSec network. Select to create a new Link IP configuration or Edit...
  • Page 212 5 - 152 WiNG 5 Access Point System Reference Guide Figure 5-84 Advanced Profile MINT screen - Add IP MiNT Link 8. Set the following Link IP parameters to complete the MINT network address configuration: Define the IP address used by peer access points for interoperation when supporting the MINT protocol.
  • Page 213 Device Configuration 5 - 153 IPSec GW Define either an IP address or hostname for the IPSec gateway. 9. Select the VLAN tab to display the link IP VLAN information shared by the devices managed by the MINT configuration. Figure 5-85 Advanced Profile MINT screen - VLAN tab The VLAN tab displays the VLAN, Routing Level, Link Cost, Hello Packet Interval and Adjacency Hold Time managed devices use to securely communicate amongst one another.
  • Page 214 5 - 154 WiNG 5 Access Point System Reference Guide Figure 5-86 Advanced Profile MINT screen - Add/edit VLAN 10. Set the following parameters to add or modify MINT VLAN configuration: VLAN If adding a new VLAN, define a VLAN ID between 1 - 4,094 used by peers for interoperation when supporting the MINT protocol.
  • Page 215: Advanced Profile Miscellaneous Configuration

    Device Configuration 5 - 155 5.3.11.3 Advanced Profile Miscellaneous Configuration Refer to the advanced profile’s Miscellaneous menu item to set the profile’s NAS configuration. The profile database on the RADIUS server consists of user profiles for each connected network access server (NAS) port. Each profile is matched to a username representing a physical port.
  • Page 216 5 - 156 WiNG 5 Access Point System Reference Guide up to 24 access points of the same model. An AP-7131 or AP-6532 RF Domain Manager can support up to 512 client connections. An AP-6511 or AP-6521 RF Domain Manager can support up to 256 client connections.
  • Page 217: Managing Virtual Controllers

    Dependent mode access points can be connected to, and managed by, a single Virtual Controller AP of the same model. NOTE: If designating the access point as a Standalone AP, Motorola Solutions recommends the access point’s UI be used exclusively to define its device configuration, and not the CLI.
  • Page 218 5 - 158 WiNG 5 Access Point System Reference Guide 5. Either select an access point from those displayed and select Edit, or use the Device Browser in the lower left-hand side of the UI to select an access point.
  • Page 219: Overriding A Device Configuration

    Device Configuration 5 - 159 5.5 Overriding a Device Configuration Devices within the access point managed network can have an override configuration defined and applied. New devices can also have an override configuration defined and applied once NOTE: The best way to administer a network populated by numerous access points is to configure them directly from the designated Virtual Controller AP.
  • Page 220 5 - 160 WiNG 5 Access Point System Reference Guide Figure 5-90 Device Overrides - Basic Configuration screen 5. Set the following Configuration settings for the target device: System Name Provide the selected device a system name up to 64 characters in length. This...
  • Page 221 Device Configuration 5 - 161 Use the New Time parameter to set the calendar day, hour and minute. Use the AM and PM radio buttons to refine whether the updated time is for the AM or PM. This time can be synchronized with the use of an external NTP resource. When completed, select Update Clock to commit the updated time to the device.
  • Page 222: Assigning Certificates

    5 - 162 WiNG 5 Access Point System Reference Guide 5.6 Assigning Certificates A certificate links identity information with a public key enclosed in the certificate. A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption.
  • Page 223 Device Configuration 5 - 163 Figure 5-91 Device Overrides - Certificates screen 6. Set the following Management Security certificate configurations: HTTPS Trustpoint Either use the default-trustpoint or select the Stored radio button to enable a drop-down menu where an existing certificate/trustpoint can be leveraged. To leverage an existing device certificate for use with this target device, select the Launch Manager button.
  • Page 224: Certificate Management

    5 - 164 WiNG 5 Access Point System Reference Guide For more information on the certification activities, refer to the following: • Certificate Management • RSA Key Management • Certificate Creation • Generating a Certificate Signing Request 5.6.1 Certificate Management ...
  • Page 225 Device Configuration 5 - 165 3. To optionally import a certificate, select the Import button from the Certificate Management screen. The Import New Trustpoint screen displays. Figure 5-93 Certificate Management - Import New Trustpoint screen 4. Define the following configuration parameters required for the Import of the trustpoint. Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint.
  • Page 226 5 - 166 WiNG 5 Access Point System Reference Guide Hostname If selecting Advanced, provide the hostname of the server used to import the trustpoint. This option is not valid for cf, usb1 and usb2. Path If selecting Advanced, specify the path to the trustpoint. Enter the complete relative path to the file on the server.
  • Page 227 Device Configuration 5 - 167 Protocol If selecting Advanced, select the protocol used for importing the target CA certificate. Available options include: • tftp • ftp • sftp • http • cf • usb1 • usb2 Port If selecting Advanced, use the spinner control to set the port. This option is not valid for cf, usb1, and usb2.
  • Page 228 5 - 168 WiNG 5 Access Point System Reference Guide Figure 5-95 Certificate Management - Import CRL screen 10. Define the following configuration parameters required for the Import of the CRL: Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint signing the certificate.
  • Page 229 Device Configuration 5 - 169 IP Address If selecting Advanced, enter IP address of the server used to import the CRL. This option is not valid for cf, usb1, and usb2. Hostname If selecting Advanced, provide the hostname of the server used to import the CRL.
  • Page 230 5 - 170 WiNG 5 Access Point System Reference Guide Provide the complete URL to the location of the signed certificate. Protocol If selecting Advanced, select the protocol used for importing the target signed certificate. Available options include: • tftp •...
  • Page 231 Device Configuration 5 - 171 Figure 5-97 Certificate Management - Export Trustpoint screen 16. Define the following configuration parameters required for the Export of the trustpoint. Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual.
  • Page 232: Rsa Key Management

    5 - 172 WiNG 5 Access Point System Reference Guide Path If selecting Advanced, specify the path to the trustpoint. Enter the complete relative path to the file on the server. 17. Select to export the defined trustpoint. Select Cancel to revert the screen to its last saved configuration.
  • Page 233 Device Configuration 5 - 173 Figure 5-98 Certificate Management - RSA Keys screen 3. Select a listed device to review its current RSA key configuration. Each key can have its size and character syntax displayed. Once reviewed, optionally generate a new RSA key, import a key from a selected device, export a key to a remote location or delete a key from a selected device.
  • Page 234 5 - 174 WiNG 5 Access Point System Reference Guide Key Size Use the spinner control to set the size of the key (between 1,024 - 2,048 bits). Motorola Solutions recommends leaving this value at the default setting of 1024 to ensure optimum functionality.
  • Page 235 Device Configuration 5 - 175 Hostname If selecting Advanced, provide the hostname of the server used to import the RSA key. This option is not valid for cf, usb1 and usb2. Path If selecting Advanced, specify the path to the RSA key. Enter the complete relative path to the key on the server.
  • Page 236: Certificate Creation

    5 - 176 WiNG 5 Access Point System Reference Guide Protocol If selecting Advanced, select the protocol used for exporting the RSA key. Available options include: • tftp • ftp • sftp • http • cf • usb1 • usb2 Port If selecting Advanced, use the spinner control to set the port.
  • Page 237 To create a new RSA key, select the radio button to define a 32 character name used to identify the RSA key. Use the spinner control to set the size of the key (between 1,024 - 2,048 bits). Motorola Solutions recommends leaving this value at the default setting (1024) to ensure optimum functionality. For more...
  • Page 238: Generating A Certificate Signing Request

    5 - 178 WiNG 5 Access Point System Reference Guide Country (C) Define the Country of deployment for the certificate. The field can be modified by the user to other values. This is a required field and must not exceed 2 characters.
  • Page 239 To create a new RSA key, select the radio button to define a 32 character name used to identify the RSA key. Use the spinner control to set the size of the key (between 1,024 - 2,048 bits). Motorola Solutions recommends leaving this value at the default setting (1024) to ensure optimum functionality. For more...
  • Page 240 5 - 180 WiNG 5 Access Point System Reference Guide Organization (O) Define an Organization for the organization used in the CSR. This is a required field. Organizational Unit (OU) Enter an Organizational Unit for the name of the organization unit used in the CSR.
  • Page 241: Rf Domain Overrides

    Device Configuration 5 - 181 5.7 RF Domain Overrides Use RF Domain Overrides to define settings overriding a target device’s original RF Domain configuration. An RF Domain allows an administrator to assign configuration data to multiple access points (of the same model) deployed in a common coverage area (floor, building or site).
  • Page 242 5 - 182 WiNG 5 Access Point System Reference Guide Figure 5-104 RF Domain Overrides screen NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides.
  • Page 243 Device Configuration 5 - 183 7. Refer to the Statistics field to set the following: Update Interval Set a statistics update interval (5 - 300 seconds). Set the value to 0 for auto mode. Using auto mode, the update interval is automatically adjusted by the RF Domain manager based on the access point’s load.
  • Page 244: Profile Overrides

    5 - 184 WiNG 5 Access Point System Reference Guide 5.8 Profile Overrides A Profile enables an administrator to assign a common set of configuration parameters and policies to another access point of the same model. Profiles can be used to assign shared or unique network, wireless and security parameters to access points across a large, multi-segment site.
  • Page 245 Device Configuration 5 - 185 Figure 5-105 Profile Overrides - General screen NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides.
  • Page 246 5 - 186 WiNG 5 Access Point System Reference Guide 9. Refer to the following to complete the override of the access point’s entire profile configuration: • Radio Power Overrides • Adoption Overrides • Profile Interface Override Configuration • Overriding the Network Configuration •...
  • Page 247: Radio Power Overrides

    Device Configuration 5 - 187 5.9 Radio Power Overrides Use the Power screen to set or override one of two power modes (3af or Auto) for an access point. When Automatic is selected, the access point safely operates within available power. Once the power configuration is determined, the access point configures its operating power characteristics based on its model and power configuration.
  • Page 248 5 - 188 WiNG 5 Access Point System Reference Guide Figure 5-106 Profile Overrides - Power screen 7. Use the Power Mode drop-down menu to set or override the Power Mode Configuration on this AP. NOTE: Single radio model access points always operate using a full power configuration.
  • Page 249: Adoption Overrides

    Device Configuration 5 - 189 5.10 Adoption Overrides Use the Adoption screen to define the configuration of a preferred Virtual Controller resource used for access point adoption. A Virtual Controller can adopt up to 24 access points of the same model. The Virtual Controller must also share its VLAN to peer access points wishing to adopt to it.
  • Page 250 5 - 190 WiNG 5 Access Point System Reference Guide Figure 5-107 Profile Overrides - Adoption screen 7. Define a 64 character maximum Preferred Group. The Preferred group is the Virtual Controller group the access point would prefer to connect upon adoption.
  • Page 251: Profile Interface Override Configuration

    Device Configuration 5 - 191 5.10.1 Profile Interface Override Configuration An access point requires its Virtual Interface be configured for layer 3 (IP) access or layer 3 service on a VLAN. A virtual interface defines which IP address is associated with each connected VLAN ID. An interface configuration can have overrides applied to customize the configuration to a unique deployment objective.
  • Page 252: Ethernet Port Override Configuration

    5 - 192 WiNG 5 Access Point System Reference Guide 5.10.1.1 Ethernet Port Override Configuration Use an Ethernet Port override to change (modify) parameters of an access point’s Ethernet Port configuration. The following ports are available on supported access point models: •...
  • Page 253 Device Configuration 5 - 193 Figure 5-108 Profile Overrides - Interface Ethernet Port screen 7. Refer to the following to review port status and assess whether an override is warranted: Name Displays the physical port name reporting runtime data and statistics. Supported ports vary depending on the supported AP-7131, AP-6532, AP-7161, AP-6511 or AP-6521 model.
  • Page 254 5 - 194 WiNG 5 Access Point System Reference Guide Tag Native VLAN A green checkmark defines the native VLAN as tagged. A red “X” defines the native VLAN as untagged. When a frame is tagged, the 12 bit frame VLAN ID is added to the 802.1Q header so upstream Ethernet devices know which VLAN...
  • Page 255 Device Configuration 5 - 195 Speed Set the speed at which the port can receive and transmit the data. Select either 10 Mbps, 100 Mbps, 1000 Mbps. Select either of these options to establish a 10, 100 or 1000 Mbps data transfer rate for the selected half duplex or full duplex transmission over the port.
  • Page 256 5 - 196 WiNG 5 Access Point System Reference Guide Tag Native VLAN Select the radio button to tag the native VLAN. The IEEE 802.1Q specification is supported for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame identifying the VLAN ID for upstream devices that the frame belongs to.
  • Page 257 Device Configuration 5 - 197 Figure 5-110 Ethernet Ports - Security screen 14. Refer to the Access Control field. As part of the port’s security configuration, Inbound IP and MAC address firewall rules are required. The configuration can be optionally overridden if needed. Use the Inbound IP Firewall Rules and Inbound MAC Firewall Rules drop-down menus to select the firewall rules to apply to this profile’s Ethernet port configuration.
  • Page 258 5 - 198 WiNG 5 Access Point System Reference Guide Trust 8021p COS values Select the radio button to enable 802.1p COS values on this port. The default value is enabled. Trust IP DSCP Select the radio button to enable IP DSCP values on this port. The default value is enabled.
  • Page 259: Virtual Interface Override Configuration

    Device Configuration 5 - 199 5.10.1.2 Virtual Interface Override Configuration A Virtual Interface is required for layer 3 (IP) access or to provide layer 3 service on a VLAN. The Virtual Interface defines which IP address is associated with each VLAN ID. A Virtual Interface is created for the default VLAN (VLAN 1) to enable remote administration.
  • Page 260 5 - 200 WiNG 5 Access Point System Reference Guide Figure 5-111 Profile Overrides - Virtual Interfaces screen 7. Review the following parameters unique to each Virtual Interface configuration to determine whether a parameter override is warranted: Name Displays the name of each listed Virtual Interface assigned when it was created.
  • Page 261 Device Configuration 5 - 201 Figure 5-112 Profile Overrides - Virtual Interfaces Basic Configuration screen The Basic Configuration screen displays by default regardless of whether a new Virtual Interface is being created or an existing one is being modified. 9.
  • Page 262 5 - 202 WiNG 5 Access Point System Reference Guide Use DHCP to Obtain IP Select this option to allow DHCP to provide the IP address for the Virtual Interface. Selecting this option disables the Primary IP address field. AP-7131, AP-6532 and AP-7161 have onboard DHCP server resources, while AP-6511 and AP-6521 models do not.
  • Page 263 Device Configuration 5 - 203 Figure 5-113 Profile Overrides - Virtual Interfaces Security screen 15. Use the Inbound IP Firewall Rules drop-down menu to select the firewall rule configuration to apply to this Virtual Interface. The firewall inspects and packet traffic to and from connected clients. If a firewall rule does not exist suiting the data protection needs of this Virtual Interface, select the Create icon to define a new firewall rule configuration or the Edit icon to modify or override an existing configuration.
  • Page 264: Radio Override Configuration

    5 - 204 WiNG 5 Access Point System Reference Guide 5.10.1.3 Radio Override Configuration Access points can have their radio profile configurations overridden if a portion of a profile is no longer relevant to the access point’s deployment objective.
  • Page 265 Device Configuration 5 - 205 Type Displays the type as either Radio (for typical client support) or sensor. If setting an AP-6521 or AP-6511 model access point to function as a sensor, the access point must be rebooted before it can begin to operate as a sensor. Description Displays a brief description of the radio provided by the administrator when the radio’s configuration was added or modified.
  • Page 266 5 - 206 WiNG 5 Access Point System Reference Guide Admin Status Either select the Active or Shutdown radio button to define this radio’s availability. When defined as Active, the access point is operational and available for client support, Shutdown renders it unavailable.
  • Page 267 (isotropically), and has no losses. Although the gain of an antenna is directly related to its directivity, its gain is a measure that takes into account the efficiency of the antenna as well as its directional capabilities. Motorola Solutions recommends only a professional installer set the antenna gain. The default value is 0.00.
  • Page 268 5 - 208 WiNG 5 Access Point System Reference Guide Max Clients Use the spinner control to set the maximum permissible client connections for this radio. Set a value between 0 - 256. AP-7131, AP-6532 and AP-7161 model access points can support up to 256 clients per access point or radio. AP-6511 and AP-6521 model access points can support up to 128 clients per access point or radio.
  • Page 269 Device Configuration 5 - 209 RTS Threshold Specify a Request To Send (RTS) threshold (between 1 - 2,347 bytes) for use by the WLAN's adopted access point radios. RTS is a transmitting station's signal that requests a Clear To Send (CTS) response from a receiving client. This RTS/CTS procedure clears the air where clients are contending for transmission time.
  • Page 270 5 - 210 WiNG 5 Access Point System Reference Guide Figure 5-116 Profile Overrides - WLAN Mapping tab 14. Refer to the WLAN/BSS Mappings field to set or override WLAN BSSID assignments for an existing access point deployment. Administrators can assign each WLAN its own BSSID. If using a single-radio AP-6511 or AP-6521 access point, there are 8 BSSIDs available.
  • Page 271 Device Configuration 5 - 211 Figure 5-117 Access Point Radio - Mesh tab 17. Use the Mesh screen to define or override how mesh connections are established and the number of links available amongst access points within the Mesh network. 18.
  • Page 272 5 - 212 WiNG 5 Access Point System Reference Guide Figure 5-118 Profile Overrides - Access Point Radio Advanced Settings tab 22. Refer to the Aggregate MAC Protocol Data Unit (A-MPDU) field to define or override how MAC service frames are aggregated by the access point radio.
  • Page 273 Device Configuration 5 - 213 24. Define a Reduced Interframe Spacing (RIFS) mode using the drop-down menu. This value determines whether interframe spacing is applied to transmissions or received packets, or both or none. The default mode is Transmit and Receive.
  • Page 274: Wan Backhaul Overrides

    5 - 214 WiNG 5 Access Point System Reference Guide 5.10.1.4 WAN Backhaul Overrides A Wireless Wide Area Network (WWAN) card is a specialized network interface card that allows a network device to connect, transmit and receive data over a Cellular Wide Area Network. Certain AP7131N model access points have a PCI Express card slot that supports 3G WWAN cards.
  • Page 275 Device Configuration 5 - 215 Figure 5-119 Profile Overrides -WAN Backhaul screen NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides.
  • Page 276: Overriding The Network Configuration

    5 - 216 WiNG 5 Access Point System Reference Guide Authentication Type Use the drop-down menu to specify authentication type used by your cellular data provider. Supported authentication types are None, PAP, CHAP, MSCHAP, and MSCHAP-v2. 8. Select to save or override the changes to the Advanced Settings screen. Select...
  • Page 277: Overriding The Dns Configuration

    Device Configuration 5 - 217 5.10.2.1 Overriding the DNS Configuration Domain Naming System (DNS) is a hierarchical naming system for resources connected to the Internet or a private network. Primarily, DNS resources translate domain names into IP addresses. If one DNS server doesn't know how to translate a particular domain name, it asks another one until the correct IP address is returned.
  • Page 278 5 - 218 WiNG 5 Access Point System Reference Guide Figure 5-120 Profile Overrides - Network DNS screen NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides.
  • Page 279: Overriding An Arp Configuration

    Device Configuration 5 - 219 5.10.2.2 Overriding an ARP Configuration Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a hardware MAC address. ARP provides protocol rules for making this correlation and providing address conversion in both directions. This ARP assignment can be overridden as needed, but removes the device configuration from the managed profile that may be shared with other similar device models.
  • Page 280 5 - 220 WiNG 5 Access Point System Reference Guide Figure 5-121 Profile Overrides - Network ARP screen 6. Set or override the following parameters to define the ARP configuration: Switch VLAN Interface Use the spinner control to select a VLAN (1 - 4094) for an address requiring resolution.
  • Page 281: Overriding A L2Tpv3 Profile Configuration

    Device Configuration 5 - 221 5.10.2.3 Overriding a L2TPv3 Profile Configuration L2TP V3 is an IETF standard used for transporting different types of layer 2 frames in an IP network (and access point profile). L2TP V3 defines control and encapsulation protocols for tunneling layer 2 frames between two IP nodes. Use L2TP V3 to create tunnels for transporting layer 2 frames.
  • Page 282 5 - 222 WiNG 5 Access Point System Reference Guide Figure 5-122 Network - L2TPv3 screen, General tab 6. Set the following General Settings for an L2TPv3 profile configuration: Host Name Define a 64 character maximum host name to specify the name of the host that’s sent tunnel messages.
  • Page 283 Device Configuration 5 - 223 Figure 5-123 Network - L2TPv3 screen, T2TP tunnel tab 8. Set the following for an L2TPv3 profile configuration: Name Displays the name of each listed L2TPv3 tunnel assigned upon creation. Local IP Address Lists the IP address assigned as the local tunnel end point address, not the interface IP address.
  • Page 284 5 - 224 WiNG 5 Access Point System Reference Guide Figure 5-124 Network - L2TPv3 screen, Add T2TP Tunnel Configuration 10. If creating a new tunnel configuration, assign it a 31 character maximum Name. 11. Define the following Settings required for the L2TP tunnel configuration:...
  • Page 285 Device Configuration 5 - 225 12. Refer to the Peer table to review the configurations of the peers available for tunnel connection. Select + Add Row to populate the table with a maximum of two peer configurations. Figure 5-125 Network - L2TPv3 screen, Add T2TP Peer Configuration 13.
  • Page 286 5 - 226 WiNG 5 Access Point System Reference Guide Pseudowire ID Define a pseudowire ID for this session. A pseudowire is an emulation of a layer 2 point-to-point connection over a packet-switching network (PSN). A pseudowire was developed out of the necessity to encapsulate and tunnel layer 2 protocols across a layer 3 network.
  • Page 287 Device Configuration 5 - 227 Figure 5-126 Network - L2TPv3 screen, Manual Session tab 19. Refer to the following manual session configurations to determine whether one should be created or modified: IP Address Lists the IP address assigned as the local tunnel end point address, not the interface IP address.
  • Page 288 5 - 228 WiNG 5 Access Point System Reference Guide Figure 5-127 Network - L2TPv3 screen, Add T2TP Peer Configuration 21. Set the following session parameters: Name Define a 31 character maximum name of this tunnel session. After a successful tunnel connection and establishment, the session is created.
  • Page 289 Device Configuration 5 - 229 Remote Session ID Use the spinner control to set the remote session ID passed in the establishment of the tunnel session. Assign an ID in the range of 1 - 4,294,967,295. Encapsulation Select either IP or UDP as the peer encapsulation protocol. The default setting is IP.
  • Page 290: Overriding An Igmp Snooping Configuration

    5 - 230 WiNG 5 Access Point System Reference Guide 5.10.2.4 Overriding an IGMP Snooping Configuration The Internet Group Management Protocol (IGMP) is a protocol used for managing members of IP multicast groups. The access point listens to IGMP network traffic and forwards the IGMP multicast packets to radios on which the interested hosts are connected.
  • Page 291 Device Configuration 5 - 231 7. Set the following IGMP Querier parameters for the IGMP configuration: Enable IGMP Querier Select the radio button to enable IGMP querier. IGMP snoop querier is used to keep host memberships alive. It is primarily used in a network where there is a multicast streaming server, hosts subscribed to the server and no IGMP querier present.
  • Page 292: Overriding A Quality Of Service (Qos) Configuration

    5 - 232 WiNG 5 Access Point System Reference Guide 5.10.2.5 Overriding a Quality of Service (QoS) Configuration QoS values are required to provide service priority to packets. For example, VoIP packets get higher priority than data packets to provide a better quality of service for high priority voice traffic.
  • Page 293 Device Configuration 5 - 233 Figure 5-129 Profile Overrides - Network QoS screen 6. Set or override the following parameters for the IP DSCP mappings for untagged frames: DSCP Lists the DSCP value as a 6-bit parameter in the header of every IP packet used for packet classification.
  • Page 294: Overriding A Spanning Tree Configuration

    5 - 234 WiNG 5 Access Point System Reference Guide 5.10.2.6 Overriding a Spanning Tree Configuration The Multiple Spanning Tree Protocol (MSTP) provides an extension to RSTP to optimize the usefulness of VLANs. MSTP allows for a separate spanning tree for each VLAN group, and blocks all but one of the possible alternate paths within each spanning tree topology.
  • Page 295 Device Configuration 5 - 235 Figure 5-130 Spanning Tree screen 6. Set the following MSTP Configuration parameters: MSTP Enable Select this option to enable MSTP for this profile. MSTP is disabled by default, so if requiring different (groups) of VLANs with the profile supported network segment.
  • Page 296 5 - 236 WiNG 5 Access Point System Reference Guide Hello Time Set a BPDU hello interval from 1 - 10 seconds. BPDUs are exchanged regularly (every 2 seconds by default) and enable supported devices to keep track of network changes and start/stop port forwarding as required.
  • Page 297: Overriding A Routing Configuration

    Device Configuration 5 - 237 5.10.2.7 Overriding a Routing Configuration Routing is the process of selecting paths in a network to send network traffic. Network routes can use fixed paths (static routes). An entire network can be configured using static routes, but this type of configuration is not fault tolerant.
  • Page 298 5 - 238 WiNG 5 Access Point System Reference Guide Figure 5-131 Network Routing screen 6. Select this option to enable IP routing using static routes provided in the route table. This option is enabled by default. 7. Select Add Row + as needed to include single rows within the static IPv4 route table.
  • Page 299 Device Configuration 5 - 239 DHCP Client Default Use the spinner control to set the priority value (1 - 8,000) for the default Route Priority route learnt from the DHCP client. The default setting is 1000. Enable Routing Failure When selected, all default gateways are monitored for activity. The system will failover to a live gateway if the current gateway becomes unusable.
  • Page 300: Overriding A Dynamic Routing (Ospf) Configuration

    5 - 240 WiNG 5 Access Point System Reference Guide 5.10.2.8 Overriding a Dynamic Routing (OSPF) Configuration Open Shortest Path First (OSPF) is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN.
  • Page 301 Device Configuration 5 - 241 Figure 5-132 OSPF Settings screen 6. Enable/disable OSPF and provide the following dynamic routing settings: Enable OSPF Select this option to enable OSPF for this access point. OSPF is disabled by default.
  • Page 302 5 - 242 WiNG 5 Access Point System Reference Guide Router ID Select this option to define a router ID (numeric IP address) for this access point. This ID must be established in every OSPF instance. If not explicitly configured, the highest logical IP address is duplicated as the router identifier.
  • Page 303 Device Configuration 5 - 243 9. Refer to the Route Redistribution table to set the types of routes that can be used by OSPF. Select the + Add Row button to populate the table. Set the Route Type used to define the redistributed route. Options include connected, kernel and static.
  • Page 304 5 - 244 WiNG 5 Access Point System Reference Guide Figure 5-134 OSPF Area Configuration screen 15. Set the OSPF Area configuration. Area ID Use the drop down menu and specify either an IP address or Integer for the OSPF area.
  • Page 305 Device Configuration 5 - 245 Figure 5-135 OSPF Interface Settings screen 18. Review existing Interface Settings using: Name Type Description Lists each interface’s 32 character maximum description. Admin Status Displays whether Admin Status privileges have been enabled or disabled for the OSPF route’s virtual interface connection.
  • Page 306 5 - 246 WiNG 5 Access Point System Reference Guide Figure 5-136 OSPF Virtual Interface - Basic Configuration screen 20. Within the Properties field, enter a 32 character maximum Description to help differentiate the virtual interface configuration used with this OSPF route. Enable/disable admin privileges as needed. They’re disabled by default.
  • Page 307 Device Configuration 5 - 247 Figure 5-137 OSPF Virtual Interface - Security screen 27. Use the Inbound IP Firewall Rules drop-down menu to select the IP access and deny rules to apply to the OSPF dynamic route. Either select an existing IP firewall policy or use the default set of IP firewall rules. The firewall inspects OSPF route traffic flows and detects potential attacks on the dynamic route not visible to traditional wired firewall appliances.
  • Page 308 5 - 248 WiNG 5 Access Point System Reference Guide Figure 5-138 OSPF Virtual Interface - Dynamic Routing screen 30. Set the following OSPF Settings: Priority Select this option to set the OSPF priority used to select the network designated route. Use the spinner control to set the value from 1 - 255.
  • Page 309 Device Configuration 5 - 249 33. Select to save the changes to the Profile_Dynamic_Route configuration. Select Reset to revert to the last saved configuration...
  • Page 310: Overriding A Forwarding Database Configuration

    5 - 250 WiNG 5 Access Point System Reference Guide 5.10.2.9 Overriding a Forwarding Database Configuration A Forwarding Database is used by a bridge to forward or filter packets. The bridge reads the packet’s destination MAC address and decides to either forward the packet or drop (filter) it.
  • Page 311 Device Configuration 5 - 251 Figure 5-139 Profile Overrides - Network Forwarding Database screen 6. Define or override a Bridge Aging Time between 0, 10-1,000,000 seconds. The aging time defines the length of time an entry will remain in a bridge’s forwarding table before being deleted due to lack of activity.
  • Page 312: Overriding A Bridge Vlan Configuration

    5 - 252 WiNG 5 Access Point System Reference Guide 5.10.2.10 Overriding a Bridge VLAN Configuration A Virtual LAN (VLAN) is a separately administrated virtual network within the same physical network. VLANs are broadcast domains to allow control of broadcast, multicast, unicast, and unknown unicast within a Layer 2 device.
  • Page 313 Device Configuration 5 - 253 Figure 5-140 Profile Overrides - Network Bridge VLAN screen 6. Review the following VLAN configuration parameters to determine whether an override is warranted: VLAN Lists the numerical identifier defined for the Bridge VLAN when it was initially created.
  • Page 314 5 - 254 WiNG 5 Access Point System Reference Guide Trust DHCP Responses When DHCP trust is enabled, a green checkmark displays. When disabled, a red “X” displays. When enabled, DHCP packets from a DHCP server are considered trusted and permissible within the network. DHCP packets are used to update the DHCP Snoop Table to prevent IP spoof attacks.
  • Page 315 Device Configuration 5 - 255 10. Set or override the following Extended VLAN Tunnel parameters: Bridging Mode Specify one of the following bridging mode for use on the VLAN. Automatic: Select Automatic mode to let the controller determine the best bridging mode for the VLAN.
  • Page 316: Overriding A Cisco Discovery Protocol Configuration

    5 - 256 WiNG 5 Access Point System Reference Guide 5.10.2.11 Overriding a Cisco Discovery Protocol Configuration The Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer protocol implemented in Cisco networking equipment. It's primarily used to obtain IP addresses of neighboring devices and discover their platform information.
  • Page 317: Overriding A Link Layer Discovery Protocol Configuration

    Device Configuration 5 - 257 5.10.2.12 Overriding a Link Layer Discovery Protocol Configuration The Link Layer Discovery Protocol (LLDP) provides a standard way for a controller or access point to advertise information about themselves to networked neighbors and store information they discover from their peers. LLDP is a neighbor discovery protocol that defines a method for network access devices using Ethernet connectivity to advertise information about themselves to peer devices on the same physical LAN and store information about the network.
  • Page 318 5 - 258 WiNG 5 Access Point System Reference Guide Hold Time Use the spinner control to set the hold time (in seconds) for transmitted LLDP PDUs. Set a value in the range of 10 - 1,800. The default hold time is 180.
  • Page 319: Overriding A Miscellaneous Network Configuration

    Device Configuration 5 - 259 5.10.2.13 Overriding a Miscellaneous Network Configuration An access point profile can be configured to include a hostname in a DHCP lease for a requesting device and its profile. This helps an administrator track the leased DHCP IP address by hostname for a device profile. When numerous DHCP leases are assigned, an administrator can better track the leases when hostnames are used instead of devices.
  • Page 320: Overriding A Security Configuration

    5 - 260 WiNG 5 Access Point System Reference Guide 5.10.3 Overriding a Security Configuration A profile can have its own firewall policy, wireless client role policy, WEP shared key authentication, NAT policy and VPN policy applied. If an existing firewall, client role or NAT policy is unavailable, create the required security policy configuration.
  • Page 321: Overriding General Security Settings

    Device Configuration 5 - 261 5.10.3.1 Overriding General Security Settings A profile can leverage existing firewall, wireless client role and WIPS policies and configurations and apply them to the configuration. This affords a profile a truly unique combination of data protection policies. However, as deployment requirements arise, an individual access point may need some or all of its general security configuration overridden from that applied in the profile.
  • Page 322: Overriding A Certificate Revocation List (Crl) Configuration

    5 - 262 WiNG 5 Access Point System Reference Guide Figure 5-145 Profile Overrides - General Security screen 6. Refer to the General field to assign or override the following: WEP Shared Key Select the radio button to require devices using this profile to use a WEP key Authentication to access the network using this profile.
  • Page 323 Device Configuration 5 - 263 5. Select Certificate Revocation. NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides. This will remove all overrides from the device. Figure 5-146 Profile Overrides - Certificate Revocation screen 6.
  • Page 324: Overriding A Profile's Nat Configuration

    5 - 264 WiNG 5 Access Point System Reference Guide 5.10.3.3 Overriding a Profile’s NAT Configuration Network Address Translation (NAT) is a technique to modify network address information within IP packet headers in transit across a traffic routing device. This enables mapping one IP address to another to protect network address credentials.
  • Page 325 Device Configuration 5 - 265 Figure 5-147 Profile Overrides - NAT Pool screen NAT Pool tab displays by default. The NAT Pool screen lists those NAT policies created thus far. Any of these policies can be selected and applied to a profile. 6.
  • Page 326 5 - 266 WiNG 5 Access Point System Reference Guide Figure 5-148 NAT Pool screen 7. If adding a new NAT policy or editing the configuration of an existing policy, define the following parameters: Name If adding a new NAT policy, provide a name to help distinguish it from others with similar configurations.
  • Page 327 Device Configuration 5 - 267 Figure 5-149 Profile Overrides - Static NAT screen To map a source IP address from an internal network to a NAT IP address click the + Add Row button. Enter the internal network IP address in Source IP field. Enter the NAT IP address in the NAT IP field. Use the Network drop-down menu to set the NAT type either Inside or Outside.
  • Page 328 5 - 268 WiNG 5 Access Point System Reference Guide Figure 5-150 NAT Destination screen 11. Select to create a new NAT destination configuration, Edit to modify or override the attributes of an existing configuration or Delete to permanently remove a NAT destination.
  • Page 329 Device Configuration 5 - 269 Figure 5-151 Destination NAT screen 12. Set or override the following Destination configuration parameters: Static NAT creates a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network. To share a Web server on a perimeter interface with the Internet, use static address translation to map the actual address to a registered IP address.
  • Page 330 5 - 270 WiNG 5 Access Point System Reference Guide Destination Port Use the spinner control to set the local port number used at the (source) end of the static NAT configuration. The default value is port 1. NAT IP Enter the IP address of the matching packet to the specified value.
  • Page 331 Device Configuration 5 - 271 Figure 5-152 Profile Overrides - Dynamic NAT screen 15. Refer to the following to determine whether a new Dynamic NAT configuration requires creation, edit or deletion: Source List ACL Lists an ACL name to define the packet selection criteria for the NAT configuration.
  • Page 332 5 - 272 WiNG 5 Access Point System Reference Guide Figure 5-153 Source NAT screen 16. Set or override the following to define the Dynamic NAT configuration: Source List ACL Use the drop-down menu to select an ACL name to define the packet selection criteria for NAT.
  • Page 333: Overriding A Services Configuration

    Device Configuration 5 - 273 17. Select to save the changes or overrides made to the dynamic NAT configuration. Select Reset to revert to the last saved configuration. 5.10.4 Overriding a Services Configuration A profile can contain specific guest access (captive portal), DHCP server and RADIUS server configurations. These access, IP assignment and user authorization resources can be defined uniquely as profile requirements dictate.
  • Page 334: Overriding A Management Configuration

    5 - 274 WiNG 5 Access Point System Reference Guide login page where the user must enter valid credentials to access the network. Once logged into the hotspot, additional Agreement, Welcome and Fail pages provide the administrator with a number of options on the hotspot’s screen flow and user appearance.
  • Page 335 Device Configuration 5 - 275 Figure 5-155 Profile Overrides - Management Settings screen...
  • Page 336 5 - 276 WiNG 5 Access Point System Reference Guide 5. Refer to the Message Logging field to define how the profile logs system events. It’s important to log individual events to discern an overall pattern that may be negatively impacting performance.
  • Page 337 Device Configuration 5 - 277 Port of SMTP If a non-standard SMTP port is used on the outgoing SMTP server check this box and specify a port between 1 and 65,535 for the outgoing SMTP server to use. Sender E-mail Address Specify the e-mail address that notification e-mails will be sent from.
  • Page 338 5 - 278 WiNG 5 Access Point System Reference Guide Figure 5-156 Profile Overrides - Management Firmware screen 11. Refer to the Auto Install via DHCP Option field to define automatic configuration file and firmware updates. Configuration Update Select the Configuration Update check box to enable automatic configuration file updates for the controller profile from a location external to the access point.
  • Page 339: Overriding An Advanced Configuration

    Device Configuration 5 - 279 14. Select Heartbeat from the Management menu. Figure 5-157 Profile Overrides - Management Heartbeat screen 15. Select the Service Watchdog option to implement heartbeat messages to ensure other associated devices are up and running and capable of effectively interoperating. The Service Watchdog is enabled by default. 16.
  • Page 340 5 - 280 WiNG 5 Access Point System Reference Guide 2. Select a target device from the Device Browser in the lower, left-hand, side of the UI. 3. Select Profile Overrides to expand its menu items 4. Select Advanced to expand its sub menu items.
  • Page 341 Device Configuration 5 - 281 9. Define or override the following MINT Link Settings: MLCP IP Check this box to enable MINT Link Creation Protocol (MLCP) by IP Address. MINT Link Creation Protocol is used to create one UDP/IP link from the device to a neighbor.
  • Page 342 5 - 282 WiNG 5 Access Point System Reference Guide Figure 5-160 Advanced Profile MINT screen - IP (Add) 12. Set the following Link IP parameters to complete the MINT network address configuration: Define or override the IP address used by peer access points for interoperation when supporting the MINT protocol.
  • Page 343 Device Configuration 5 - 283 IPSec Secure Select this option to use a secure link for IPSec traffic. This setting is disabled by default. When enabled, both the header and the traffic payload are encrypted. IPSec GW Define either an IP address or hostname for the IPSec gateway. 13.
  • Page 344 5 - 284 WiNG 5 Access Point System Reference Guide Figure 5-162 Advanced Profile MINT screen - VLAN tab 15. Set the following VLAN parameters to complete the MINT configuration: VLAN Define a VLAN ID between 1 - 4,094 used by peer controllers for interoperation when supporting the MINT protocol.
  • Page 345 Device Configuration 5 - 285 Figure 5-163 Profile Overrides - Miscellaneous screen 18. Set a NAS-Identifier Attribute up to 253 characters in length. This is the RADIUS NAS-Identifier attribute that typically identifies where a RADIUS message originates. 19. Set a NAS-Port-Id Attribute up to 253 characters in length.
  • Page 346: Managing An Event Policy

    5 - 286 WiNG 5 Access Point System Reference Guide 5.11 Managing an Event Policy Event Policies enable an administrator to create specific notification mechanisms using one, some or all of the SNMP, syslog, controller forwarding or email notification options available to the controller. Each listed event can have customized notification settings defined and saved as part of an event policy.
  • Page 347 Device Configuration 5 - 287 6. Select to save the changes. Select Reset to revert to the last saved configuration. Delete obsolete rows as needed.
  • Page 348 5 - 288 WiNG 5 Access Point System Reference Guide...
  • Page 349: Chapter 6 Wireless Configuration

    CHAPTER 6 WIRELESS CONFIGURATION A Wireless Local Area Network (WLAN) is a data-communications system and wireless local area network that flexibly extends the functionalities of a wired LAN. A WLAN links two or more computers or devices using spread-spectrum or OFDM modulation based technology.
  • Page 350 6 - 2 WiNG 5 Access Point System Reference Guide Figure 6-1 Configuration > Wireless...
  • Page 351: Wireless Lans

    Wireless Configuration 6 - 3 6.1 Wireless LANs To review the attributes of existing WLANs and, if necessary, modify their configurations: 1. Select Configuration > Wireless > Wireless LANs to display a high-level display of existing WLANs. Figure 6-2 Wireless LANs screen 2.
  • Page 352: Basic Wlan Configuration

    6 - 4 WiNG 5 Access Point System Reference Guide Authentication Type Displays the name of the authentication scheme each listed WLAN is using to secure client transmissions. None is listed if authentication is not used within a WLAN. Refer to the Encryption Type column if no authentication is used to verify there is some sort of data protection used with the WLAN, or risk using this WLAN with no protection at all.
  • Page 353 Wireless Configuration 6 - 5 Figure 6-3 WLAN Basic Configuration screen 3. Refer to the WLAN Configuration field to define the following: WLAN If adding a new WLAN, enter its name in the space provided. Spaces between words are not permitted. The name could be a logical representation of the WLAN coverage area (engineering, marketing etc.).
  • Page 354 6 - 6 WiNG 5 Access Point System Reference Guide QoS Policy Use the drop-down menu to assign an existing QoS policy to the WLAN. If needed, select the Create icon to define a new QoS policy or select the Edit icon to modify the configuration of a selected QoS Policy.
  • Page 355: Wlan Basic Configuration Deployment Considerations

    Before defining a WLAN’s basic configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective: NOTE: Motorola Solutions recommends one VLAN be deployed for secure WLANs, while separate VLANs be defined for each WLAN providing guest access.
  • Page 356 6 - 8 WiNG 5 Access Point System Reference Guide Refer to the following to configure an authentication scheme for a WLAN: • 802.1x EAP, EAP PSK and EAP MAC • MAC Authentication • PSK / None Secure guest access to the network is referred to as captive portal. A captive portal is a guest access policy for providing guests temporary and restrictive access to the access point managed wireless network.
  • Page 357: Eap, Eap Psk And Eap Mac

    Wireless Configuration 6 - 9 6.1.2.1 802.1x EAP, EAP PSK and EAP MAC The Extensible Authentication Protocol (EAP) is the de-facto standard authentication method used to provide secure authenticated access to WLANs. EAP provides mutual authentication, secured credential exchange, dynamic keying and strong encryption.
  • Page 358 • Motorola Solutions recommends a valid certificate be issued and installed on devices providing 802.1X EAP. The certificate should be issued from an Enterprise or public certificate authority to allow 802.1X clients to validate the identity of the authentication server prior to forwarding credentials.
  • Page 359: Mac Authentication

    Wireless Configuration 6 - 11 6.1.2.2 MAC Authentication MAC is a device level authentication method used to augment other security schemes. MAC can be used open, with WEP 64 or WEP 128, KeyGuard, TKIP or CCMP. MAC authentication can be used for device level authentication by permitting WLAN access based on device MAC address.
  • Page 360: Psk / None

    6 - 12 WiNG 5 Access Point System Reference Guide • MAC authentication is somewhat poor as a standalone data protection technique, as MAC addresses can be easily spoofed by hackers who can provision a MAC address on their device to mimic a trusted device.
  • Page 361: Captive Portal

    Wireless Configuration 6 - 13 6.1.2.4 Captive Portal A captive portal is a guest access policy for providing guests temporary and restrictive access to the wireless network. The primary means of securing such guest access is the use of a hotspot. For an overview of the Captive Portal process and information on how to define a captive portal policy that can be applied to a WLAN, see Configuring Captive Portal Policies on page 9-2.
  • Page 362: Wpa/Wpa2-Tkip

    6 - 14 WiNG 5 Access Point System Reference Guide 6.1.2.5 WPA/WPA2-TKIP Wi-Fi Protected Access (WPA) is an encryption scheme specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11i. WPA provides more sophisticated data encryption than WEP. WPA is designed for corporate networks and small-business environments where more wireless traffic allows quicker discovery of encryption keys by an unauthorized person.
  • Page 363 When using WPA2, a wireless client can use 2 keys: one unicast key, for its own traffic to and from an access point, and one broadcast key, the common key for all clients in that subnet. Motorola Solutions recommends rotating these keys so a potential hacker would not have enough data using a single key to attack the deployed encryption scheme.
  • Page 364 6 - 16 WiNG 5 Access Point System Reference Guide Broadcast Rotation When enabled, the key indices used for encrypting/decrypting broadcast Interval traffic will be alternatively rotated based on the defined interval. Define an interval for broadcast key transmission in seconds (30-86,400). Key rotation enhances the broadcast traffic security on the WLAN.
  • Page 365 Wireless Configuration 6 - 17 WPA-TKIP Deployment Considerations Before defining a WPA-TKIP supported configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective: • Though TKIP offers better security than WEP, it can be vulnerable to certain attacks. •...
  • Page 366: Wpa2-Ccmp

    6 - 18 WiNG 5 Access Point System Reference Guide 6.1.2.6 WPA2-CCMP WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi Protected Access (WPA) and WEP. CCMP is the security standard used by the Advanced Encryption Standard (AES). AES serves the same function TKIP does for WPA-TKIP.
  • Page 367 Wireless Configuration 6 - 19 Figure 6-6 WLAN Security - WPA2-CCMP screen 5. Define Settings. Pre-Shared Key Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share.
  • Page 368 AP, and one broadcast key, the common key for clients in that subnet. Motorola Solutions recommends rotating these keys so a potential hacker would not have enough data using a single key to attack the deployed encryption scheme.
  • Page 369 • Motorola Solutions recommends WPA2-CCMP be configured for all new (non visitor) WLANs requiring encryption, as it’s supported by the majority of the hardware and client vendors using Motorola Solutions wireless networking equipment.
  • Page 370: Wep 64

    6 - 22 WiNG 5 Access Point System Reference Guide 6.1.2.7 WEP 64 Wired Equivalent Privacy (WEP) is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard. WEP is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN.
  • Page 371 The pass key can be any alphanumeric string. The wireless controller, other proprietary routers, and Motorola Solutions clients use the algorithm to convert an ASCII string to the same hexadecimal number. Clients without Motorola Solutions adapters need to use WEP keys manually configured as hexadecimal numbers.
  • Page 372 Before defining a WEP 64 supported configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective: • Motorola Solutions recommends additional layers of security (beyond WEP 64) be enabled to minimize the likelihood of data loss and security breaches. WEP enabled WLANs should be mapped to an isolated VLAN...
  • Page 373: Wep 128 And Keyguard

    WLAN with a level of security and privacy comparable to that of a wired LAN. KeyGuard is a Motorola Solutions encryption option used with legacy clients capable of supporting it. It closely resembled WEP 128 in key structure.
  • Page 374 6 - 26 WiNG 5 Access Point System Reference Guide Figure 6-8 WEP 128 screen 5. Configure the following WEP 128 or Keyguard settings: Generate Keys Specify a 4 to 32 character Pass Key and select the Generate button. The pass key can be any alphanumeric string.
  • Page 375: Configuring Wlan Firewall Support

    Before defining a WEP 128 supported configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective: • Motorola Solutions recommends additional layers of security (beyond WEP) be enabled to minimize the likelihood of data loss and security breaches. WEP enabled WLANs should be mapped to an isolated VLAN with Firewall policies restricting access to hosts and suspicious network applications.
  • Page 376 6 - 28 WiNG 5 Access Point System Reference Guide Figure 6-9 WLAN Firewall screen The screen displays editable fields for IP Firewall Rules, MAC Firewall Rules, Trust Parameters and Client Deny Limits. 4. Select an existing inbound and outbound IP Firewall Rule using the drop-down menu.
  • Page 377 Wireless Configuration 6 - 29 Figure 6-10 WLAN IP Firewall Rules screen 7. Define the following parameters for either inbound or outbound IP Firewall Rules: Allow Every IP Firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria. The following actions are supported: Deny - Instructs the Firewall to prohibit a packet from proceeding to its destination.
  • Page 378 6 - 30 WiNG 5 Access Point System Reference Guide Protocol Select the protocol used with the IP access policy from the drop-down menu. IP is selected by default. Selecting ICMP displays an additional set of ICMP specific options for ICMP type and code. Selecting either TCP or UDP displays an additional set of specific TCP/UDP source and destinations port options.
  • Page 379 Figure 6-11 WLAN MAC Firewall Rules screen 11. Define the following parameters for either the inbound or outbound MAC Firewall Rules: Allow Every IP Firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria. The following actions are supported: Deny - Instructs the Firewall not to allow a packet to proceed to its destination.
  • Page 380 6 - 32 WiNG 5 Access Point System Reference Guide Action The following actions are supported: Log - Creates a log entry that a Firewall rule has allowed a packet to either be denied or permitted. Mark - Modifies certain fields inside the packet, and then permits them.
  • Page 381: Configuring Client Settings

    Wireless Configuration 6 - 33 Blacklist Duration Select the checkbox and define a setting between 0 - 86,400 seconds. Once the blacklist duration has been exceeded, offending clients can reauthenticate. 15.Set a Firewall Session Hold Time in either Seconds (1 - 300) or Minutes (1 - 5). This is the hold time for caching user credentials and Firewall state information when a client roams.
  • Page 382 Figure 6-12 WLAN Client Settings screen 4. Define the following Client Settings for the WLAN: Enable Client-to-Client Communication Select this option to allow client to client communication within this WLAN. The default is enabled, meaning clients are allowed to exchange packets with other clients.
  • Page 383: Configuring Wlan Accounting Settings

    Symbol Technology clients. The default setting is enabled. WMM Load Information Element Select this option to support a WMM Load Information Element in radio transmissions with legacy Motorola Solutions clients. The default setting is disabled. 6. Define the following Timeout Settings...
  • Page 384 6 - 36 WiNG 5 Access Point System Reference Guide assistance in partitioning local versus remote users and how to best accommodate each. Remote user information can be archived to a remote location for periodic network and user permission administration.
  • Page 385 Wireless Configuration 6 - 37 Case Use the drop-down menu to specify whether the MAC address format supplied is specified in upper or lower case. The default setting is uppercase. 5. Select Enable RADIUS Accounting to use an external RADIUS resource for AAA accounting. When the radio button is selected, a AAA Policy field displays.
  • Page 386: Accounting Deployment Considerations

    Before defining an AAA configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective: • When using RADIUS authentication, Motorola Solutions recommends the WAN port round trip delay not exceed 150ms. Excessive delay over a WAN can cause authentication and roaming issues. When excessive delays exist, a distributed RADIUS service should be used.
  • Page 387: Configuring Client Load Balancing

    Wireless Configuration 6 - 39 6.1.6 Configuring Client Load Balancing Client load balance settings can be defined generically to both the 2.4 and 5 GHz bands and specifically to either of the 2.4 or 5 GHz bands. To configure client load balancing settings on an access point managed WLAN: 1.
  • Page 388: Configuring Advanced Wlan Settings

    6 - 40 WiNG 5 Access Point System Reference Guide Capability Ageout Time Define a value in either Seconds (0 and 10,000), Minutes (0 -166) or Hours (0 -2) to ageout a client’s capabilities from the access point’s internal table.
  • Page 389 Wireless Configuration 6 - 41 Figure 6-15 WLAN Advanced Configuration screen 4. Refer to the Advanced RADIUS Configuration field to set the WLAN’s NAS configuration and RADIUS Dynamic Authorization. NAS Identifier Specify what should be included in the RADIUS NAS-Identifier field for authentication and accounting packets relating.
  • Page 390 6 - 42 WiNG 5 Access Point System Reference Guide Figure 6-16 Advanced WLAN Rate Settings 2.4 GHz 6. Define both minimum Basic and Supported rates as required for the 802.11b rates, 802.11g rates and 802.11n rates supported by the 2.4 GHz band and 802.11a and 802.11n rates supported by the 5.0 GHz radio band. These...
  • Page 391 Figure 6-17 Advanced WLAN Rate Settings 5 GHz If supporting 802.11n, select a Supported MCS index. Set an MCS (modulation and coding scheme) in respect to the radio’s channel width and guard interval. An MCS defines (based on RF channel conditions) an optimal combination of 8 data rates, bonded channels, multiple spatial streams, different guard intervals and modulation types.
  • Page 392: Configuring Wlan Qos Policies

    6 - 44 WiNG 5 Access Point System Reference Guide 6.2 Configuring WLAN QoS Policies  Wireless LANs QoS provides a data traffic prioritization scheme. QoS reduces congestion from excessive traffic. If there is enough bandwidth for all users and applications (unlikely because excessive bandwidth comes at a very high cost), then applying QoS has very little value.
  • Page 393 Wireless Configuration 6 - 45 1. Select Configuration > Wireless > WLAN QoS Policy to display existing QoS policies available to access point WLANs. Figure 6-18 WLAN Quality of Service (QoS) screen 2. Refer to the following read-only information on each listed QoS policy to determine whether an existing policy can be used as is, an existing policy requires edit or a new policy requires creation: WLAN QoS Policy Displays the name assigned to each listed WLAN QoS.
  • Page 394 6 - 46 WiNG 5 Access Point System Reference Guide WMM Power Save Enables support for the WMM based power-save mechanism, also known as Unscheduled Automatic Power Save Delivery (U-APSD). This is primarily used by WMM capable voice devices. The default setting is enabled.
  • Page 395: Configuring A Wlan's Qos Wmm Settings

    Wireless Configuration 6 - 47 6.2.1 Configuring a WLAN’s QoS WMM Settings Using WMM, end-user satisfaction is maintained in a wider variety of environments and traffic conditions. WMM makes it possible for both home networks and Enterprises to decide which data streams are most important and assign them a higher priority.
  • Page 396 6 - 48 WiNG 5 Access Point System Reference Guide The WMM tab displays by default. Figure 6-19 WLAN QoS Policy screen - WMM tab 3. Configure the following Settings in respect to the WLAN’s intended WMM radio traffic and user requirements:...
  • Page 397 Select this option if Voice traffic is prioritized on the WLAN. This gives Prioritization priority to voice and voice management packets and is supported only on certain legacy Motorola Solutions VOIP phones. This feature is disabled by default. Enable SVP...
  • Page 398 6 - 50 WiNG 5 Access Point System Reference Guide 5. Set the following Voice Access settings for the WLAN’s QoS policy: Transmit Ops Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity. The default value is 47.
  • Page 399 Wireless Configuration 6 - 51 ECW Max The ECW Max is combined with the ECW Min to create the contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism. Higher values are used for lower priority traffic.
  • Page 400: Configuring A Wlan's Qos Rate Limit Settings

    (downstream). AP-6511 and AP6521 model access points do not support rate limiting on an individual client basis. Before defining rate limit thresholds for WLAN upstream and downstream traffic, Motorola Solutions recommends you define the normal number of ARP, broadcast, multicast and unknown unicast packets that typically transmit and receive from each supported WMM access category.
  • Page 401 Wireless Configuration 6 - 53 3. Select the Rate Limit tab. Figure 6-20 WLAN QoS Policy screen - Rate Limit tab 4. Configure the following parameters in respect to the intended Upstream Rate Limit for the selected WLAN. Enable Select the Enable radio button to enable rate limiting for data transmitted from access point radios to associated clients on this WLAN.
  • Page 402 Rate Define an upstream rate limit between 50 - 1,000,000 kbps. This limit constitutes a threshold for the maximum number of packets transmitted or received over the WLAN (from all access categories). Traffic exceeding the defined rate is dropped and a log message is generated.
  • Page 403 Wireless Configuration 6 - 55 6. Configure the following parameters in respect to the WLAN’s intended Downstream Rate Limit, or traffic from wireless clients to associated access Point radios: Enable Select the Enable radio button to enable rate limiting for data transmitted from Access Point radios to associated wireless clients.
  • Page 404 6 - 56 WiNG 5 Access Point System Reference Guide Voice Traffic Set a percentage value for WLAN voice traffic in the downstream direction. This is a percentage of the maximum burst size for voice traffic. Voice traffic exceeding the defined threshold is dropped and a log message is generated.
  • Page 405 Wireless Configuration 6 - 57 Video Traffic Set a percentage value for client video traffic in the upstream direction. This is a percentage of the maximum burst size for video traffic. Video traffic exceeding the defined threshold is dropped and a log message is generated.
  • Page 406 6 - 58 WiNG 5 Access Point System Reference Guide Best Effort Traffic Set a percentage value for client best effort traffic in the downstream direction. This is a percentage of the maximum burst size for normal traffic. Best effort traffic exceeding the defined threshold is dropped and a log message is generated.
  • Page 407 Figure 6-21 WLAN QoS Policy screen - Multimedia Optimizations tab 13. Configure the following parameters in respect to the intended Multicast Mask: Multicast Mask Primary Configure the primary multicast mask defined for a QoS policy. Normally, all multicast and broadcast packets are buffered until the periodic DTIM interval (indicated in the 802.11 beacon frame), when clients in power save mode awake to check for frames.
  • Page 408 Multicast Mask Secondary Set a secondary multicast mask for the WLAN QoS policy. Normally, all multicast and broadcast packets are buffered until the periodic DTIM interval (indicated in the 802.11 beacon frame), when clients in power save mode wake to check for frames.
  • Page 409: Radio Qos Policy

    • Prevent the ineffective utilization of access points degrading session quality by configuring admission control mechanisms within each radio QoS policy. Within a Motorola Solutions wireless network, wireless clients supporting low and high priority traffic contend with one another for data resources. The IEEE 802.11e amendment has defined Enhanced Distributed Channel Access (EDCA) mechanisms stating high priority traffic can access the network sooner than lower priority traffic.
  • Page 410 When enabled on a WLAN, traffic forwarded to a client is prioritized and forwarded based on the WLAN’s WMM access control setting. NOTE: Statically setting a WLAN WMM access category value only prioritizes traffic to the client.
  • Page 411: Configuring A Radio's Qos Policy

    Wireless Configuration 6 - 63 6.3.1 Configuring a Radio’s QoS Policy  Radio QoS Policy To configure an access point radio’s QoS policy: 1. Select Configuration > Wireless > Radio QoS Policy. Figure 6-22 Radio QoS Policy screen 2. Refer to the following information for a radio QoS policy: Radio QoS Policy Displays the name of each Radio QoS policy.
  • Page 412 6 - 64 WiNG 5 Access Point System Reference Guide Voice A green checkmark indicates Voice prioritization QoS is enabled on the radio. A red X indicates Voice prioritization QoS is disabled on the radio. Best Effort A green checkmark indicates Best Effort QoS is enabled on the radio. A red X indicates Best Effort QoS is disabled on the radio.
  • Page 413 Wireless Configuration 6 - 65 4. Set the following Voice Access settings for the Radio QoS policy: Transmit Ops Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity. When resources are shared between a Voice over IP (VoIP) call and a low priority file transfer, bandwidth is normally exploited by the file transfer, thus reducing call quality or even causing the call to disconnect.
  • Page 414 6 - 66 WiNG 5 Access Point System Reference Guide 6. Set the following Video Access settings for the Radio QoS policy: Transmit Ops Use the spinner control to set the maximum duration a radio can transmit after obtaining a transmit opportunity. For higher-priority traffic categories (like video), this value should be set to a low number.
  • Page 415 Wireless Configuration 6 - 67 9. Select the Admission Control tab to configure an admission control configuration for selected radio QoS policy. Admission control requires clients send their traffic specifications (TSPEC) to a managed Access Point before they can transmit or receive data within the access point managed network. The name of the Radio QoS policy for which the admission control settings apply displays in the banner of the QoS Policy screen.
  • Page 416 Maximum Wireless Clients Set the number of voice supported wireless clients allowed to exist (and consume bandwidth) within the radio’s QoS policy. Select from an available range of 0-256 clients. Consider setting this value proportionally...
  • Page 417 Wireless Configuration 6 - 69 14.Set the following Video Access admission control settings for the radio QoS policy: Enable Video Select the check box to enable admission control for video traffic. Only video traffic admission control is enabled, not any of the other access categories (each access category must be separately enabled and configured).
  • Page 418 Maximum Roamed Wireless Clients Set the number of low priority supported wireless clients allowed to roam to a different access point radio. Select from a range of 0-256 clients. The default value is 10 roamed clients.
  • Page 419: Radio Qos Configuration And Deployment Considerations

    • WMM enabled clients can co-exist with non-WMM clients on the same WLAN. Non-WMM clients are always assigned a Best Effort access category. • Motorola Solutions recommends default WMM values be used for all deployments. Changing these values can lead to unexpected traffic blockages, and the blockages might be difficult to diagnose.
  • Page 420: Aaa Policy

    6.4 AAA Policy Authentication, Authorization, and Accounting (AAA) provides the mechanism by which network administrators define access control within the access point managed network. The access point can optionally use external RADIUS and LDAP servers (AAA Servers) to provide user database information and user authentication data.
  • Page 421 Wireless Configuration 6 - 73 Figure 6-26 Authentication, Authorization, and Accounting (AAA) screen 2. Refer to the following information listed for each existing AAA policy: AAA Policy Displays the name assigned to the AAA policy when it was initially created. The name cannot be edited within a listed profile. Accounting Packet Displays the accounting type set for the AAA policy.
  • Page 422 6 - 74 WiNG 5 Access Point System Reference Guide Figure 6-27 AAA Policy - RADIUS Authentication screen 4. Refer to the following information about configured AAA Authentication policies. Server ID Displays the numerical server index (1-6) for the accounting server when added to the list available to the access point.
  • Page 423 Wireless Configuration 6 - 75 NAI Routing Enable Displays NAI routing status. AAA servers identify clients using the NAI. The NAI is a character string in the format of an e-mail address as either user or user@ but it need not be a valid e-mail address or a fully qualified domain name.
  • Page 424 6 - 76 WiNG 5 Access Point System Reference Guide Figure 6-28 AAA Policy - Add RADIUS Authentication Server 6. Define the following settings to add or modify new AAA RADIUS authentication server configuration: Server ID Define the numerical server index (1-6) for the authentication server to differentiate it from others available to the access point’s AAA policy.
  • Page 425 Wireless Configuration 6 - 77 Request Proxy Mode Select the method of proxy that browsers communicate with the RADIUS authentication server. The mode could either be None, Through Wireless Controller, or Through RF Domain Manager. Request Attempts Specify the number of attempts a client can retransmit a missed frame to the RADIUS server before it times out of the authentication session.
  • Page 426 6 - 78 WiNG 5 Access Point System Reference Guide 9. Refer to the following information supporting configured RADIUS Accounting profiles. Server ID Displays the numerical server index (1-6) for the accounting server when added to the list available to the access point.
  • Page 427 Wireless Configuration 6 - 79 NAI Routing Enable Displays the NAI routing status. AAA servers identify clients using the NAI. The NAI is a character string in the format of an e-mail address as either user or user@ but it need not be a valid e-mail address or a fully qualified domain name.
  • Page 428 6 - 80 WiNG 5 Access Point System Reference Guide Figure 6-29 AAA Policy - Add RADIUS Accounting Server 11.Define the following settings to add or modify new AAA RADIUS accounting server configuration: Server ID Displays the numerical server index (1-6) for the accounting server when added to the list available to the access point.
  • Page 429 Wireless Configuration 6 - 81 Request Proxy Mode Select the method of proxy that browsers communicate with the RADIUS authentication server. The mode could either be None, Through Wireless Controller, or Through RF Domain Manager. Request Attempts Displays the number of attempts a client can retransmit a missed frame to the RADIUS server before it times out of the authentication session.
  • Page 430 6 - 82 WiNG 5 Access Point System Reference Guide 13.Set the following RADIUS server configuration parameters: Protocol for MAC, Set the authentication protocol when the server is used for any non-EAP Captive-Portal authentication. Options include Password Authentication Protocol (PAP),...
  • Page 431 Request Interval Set the periodicity of the interim accounting requests. The default is 30 minutes. Accounting Server Preference Select the server preference for RADIUS Accounting. The options are: Prefer Same Authentication Server Host - Uses the authentication server host name as the host used for RADIUS accounting.
  • Page 432: Association Acl

    6 - 84 WiNG 5 Access Point System Reference Guide 6.5 Association ACL An Association ACL is a policy-based Access Control List (ACL) that either prevents or allows wireless clients from connecting to a WLAN. An Association ACL affords an administrator the ability to grant or restrict client access by specifying a wireless client MAC address or range of MAC addresses to either include or exclude from connectivity.
  • Page 433 Wireless Configuration 6 - 85 Figure 6-31 Association ACL screen 3. Select the + Add Row button to add an association ACL template that requires configuration. 4. If creating a new Association ACL, provide a name specific to its function. Avoid naming it after a WLAN it may support.
  • Page 434: Association Acl Deployment Considerations

    • Motorola Solutions recommends using the Association ACL screen strategically to name and configure ACL policies meeting the requirements of the particular WLANs they may map to. However, be careful not to name ACLs after specific WLANs, as individual ACL policies can be used by more than one WLAN.
  • Page 435: Smart Rf

    6.6 Smart RF Self Monitoring At Run Time RF Management (Smart RF) is a Motorola Solutions innovation designed to simplify RF configurations for new deployments, while (over time) providing on-going deployment optimization and radio performance improvements.
  • Page 436 6 - 88 WiNG 5 Access Point System Reference Guide Figure 6-32 Smart RF - Basic Configuration screen 3. Refer to the Basic Settings field to enable a Smart RF policy and define its sensitivity and detector status. Sensitivity Select a radio button corresponding to the desired Smart RF sensitivity.
  • Page 437 Coverage Hole Recovery Select the radio button to enable Coverage Hole Recovery when a radio coverage hole is detected within the Smart RF supported radio coverage area. When a coverage hole is detected, Smart RF first determines the power increase needed based on the signal to noise ratio for a client as seen by the access point radio.
  • Page 438 6 - 90 WiNG 5 Access Point System Reference Guide Figure 6-33 Smart RF - Channel and Power screen 7. Refer to the Power Settings field to define Smart RF recovery settings for the access point’s 5.0 GHz (802.11a) and 2.4 GHz (802.11bg) radio.
  • Page 439 Wireless Configuration 6 - 91 5.0 Channel Width 20 and 40 MHz channel widths are supported by the 802.11a radio. 20/40 MHz operation (the default setting for the 5 GHz radio) allows the access point to receive packets from clients using 20 MHz of bandwidth while transmitting a packet using 40 MHz bandwidth.
  • Page 440 6 - 92 WiNG 5 Access Point System Reference Guide NOTE: The monitoring and scanning parameters within the Scanning Configuration screen are only enabled when Custom is selected as the Sensitivity setting from the Basic Configuration screen.
  • Page 441 Wireless Configuration 6 - 93 11.Enable or disable Smart Monitoring Enable by selecting the check box. The feature is enabled by default. When enabled, detector radios monitor their coverage areas for potential failed peers or coverage area holes requiring transmission adjustments for coverage compensation. 12.Set the following Scanning Configurations for both the 2.4 and 5 GHz radio bands:...
  • Page 442 6 - 94 WiNG 5 Access Point System Reference Guide 15.Set the following Neighbor Recovery variables for the Smart RF configuration: NOTE: The recovery parameters within the Neighbor Recovery, Interference and Coverage Hole Recovery tabs are only enabled when Custom is selected as the Sensitivity setting from the Smart RF Basic Configuration screen.
  • Page 443 2.4 GHz Neighbor Recovery Power Threshold Use the spinner control to set a value between -85 to -55 dBm the access point’s 2.4 GHz radio uses as a maximum power increase threshold if the radio is required to increase its output power to compensate for a failed radio within the access point’s radio coverage area.
  • Page 444 6 - 96 WiNG 5 Access Point System Reference Guide 19.Select the Interference Recovery tab. Figure 6-35 Smart RF Advanced Configuration screen - Interference Recovery tab 20.Set the following Interference Recovery parameters: Interference Select the radio button to allow Smart RF to scan for excess interference from supported radio devices.
  • Page 445 5.0 GHz Channel Switch Delta Use the spinner to set a channel switch delta (between 5 - 35 dBm) for the 5.0 GHz radio. This parameter is the difference between noise levels on the current channel and a prospective channel. If the difference is below the configured threshold, the channel will not change.
  • Page 446 6 - 98 WiNG 5 Access Point System Reference Guide 22.Select the Coverage Hole Recovery tab. Figure 6-36 Smart RF Advanced Configuration screen - Coverage Hole Recovery tab 23.Set the following Coverage Hole Recovery for 5.0 GHz 2.4 GHz parameters: Client Threshold Use the spinner to set a client threshold between 1 - 255.
  • Page 447: Smart Rf Configuration And Deployment Considerations

    Wireless Configuration 6 - 99 Interval Define the interval coverage hole recovery should be conducted after a coverage hole is detected. The default is 30 seconds for both the 2.4 and 5.0 GHz radios. 24.Select to update the Smart RF Coverage Hole Recovery settings for this policy. Select Reset to revert to the last saved configuration.
  • Page 448 6 - 100 WiNG 5 Access Point System Reference Guide...
  • Page 449: Chapter 7 Network Configuration

    CHAPTER 7 Network Configuration The access point allows packet routing customizations and additional route resources to be defined. For more information on the network configuration options available to the access point, refer to the following: • Policy Based Routing (PBR) • L2TP V3 Configuration •...
  • Page 450: Policy Based Routing (Pbr)

    7 - 2 WiNG 5 Access Point System Reference Guide 7.1 Policy Based Routing (PBR) Define a policy based routing (PBR) configuration to create policies directing packets to take selective paths. PBR can optionally mark traffic for preferential services (QoS). PBR minimally provides the following: •...
  • Page 451 Network Configuration 7 - 3 • Default next hop - If a packet subjected to PBR does not have an explicit route to the destination, the configured default next hop is used. This can be either the IP address of the next hop or the outgoing interface. Only one default next hop can be defined.
  • Page 452 7 - 4 WiNG 5 Access Point System Reference Guide 3. If creating a new PBR policy assign it a Policy Name up to 32 characters in length to distinguish this route map configuration from others with similar attributes. Select...
  • Page 453 Network Configuration 7 - 5 Incoming Interface Display the name of the access point WWAN or VLAN interface on which the packet is received for the listed PBR policy. 5. Select Edit to create or modify a route-map configuration. Figure 7-3 Policy Based Routing screen - Add a Route Map 6.
  • Page 454 7 - 6 WiNG 5 Access Point System Reference Guide Incoming Packets Select this option to enable radio buttons used to define the interfaces required to receive route-map packets. Use the drop-down menu to define either the access point’s wwan1 or pppoe1 interface. Neither is selected by default.
  • Page 455 Network Configuration 7 - 7 Figure 7-4 Policy Based Routing screen - General tab 11.Set the following General PBR configuration settings: Logging Select this option to log events generated by route-map configuration rule enforcement. This setting is disabled by default. Local PBR Select this option to implement policy based routing for this access point’s packet traffic.
  • Page 456: L2Tp V3 Configuration

    7 - 8 WiNG 5 Access Point System Reference Guide 7.2 L2TP V3 Configuration L2TP V3 is an IETF standard used for transporting different types of layer 2 frames in an IP network. L2TP V3 defines control and encapsulation protocols for tunneling layer 2 frames between two IP nodes.
  • Page 457 Network Configuration 7 - 9 Figure 7-5 L2TP V3 Policy screen L2TP V3 screen lists the policy configurations defined thus far. 2. Refer to the following to discern whether a new L2TP V3 requires creation or modification: Name Lists the 31 character maximum name assigned to each listed L2TP V3 policy, designated upon creation.
  • Page 458 7 - 10 WiNG 5 Access Point System Reference Guide Rx Window Size Displays the number of packets that can be received without sending an acknowledgement. Tx Window Size Displays the number of packets that can be transmitted without receiving an acknowledgement.
  • Page 459 Reconnect Attempts Use the spinner control to set a value (from 0 - 250) representing the maximum number of reconnection attempts initiated to reestablish the tunnel. The default interval is 5. Reconnect Interval Define an interval in either Seconds (1 - 3,600), Minutes (1 - 60) or Hours (1) between two successive reconnection attempts.
  • Page 460: Network Deployment Considerations

    7 - 12 WiNG 5 Access Point System Reference Guide 7.3 Network Deployment Considerations Before defining an access point network configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective: • In respect to L2TP V3, data transfers on the pseudowire can start as soon as session establishment corresponding to the pseudowire is complete.
  • Page 461: Chapter 8 Security Configuration

    CHAPTER 8 SECURITY CONFIGURATION When taking precautions to secure wireless traffic from a client to an access point, the network administrator should not lose sight of the security solution in its entirety, since the network’s chain is as weak as its weakest link. An access point managed wireless network provides seamless data protection and user validation to protect and secure data at each vulnerable point in the network.
  • Page 462: Wireless Firewall

    Firewall is of little value, and in fact could provide a false sense of security. With Motorola Solutions’ access points, Firewalls are configured to protect against unauthenticated logins from outside the wireless network. This helps prevent hackers from accessing wireless clients within the access point managed network.
  • Page 463 Security Configuration 8 - 3 Figure 8-1 Wireless Firewall screen - Denial of Service tab A denial of service (DoS) attack is an attempt to make a computer or network resource unavailable to its intended users. Although the means to carry out a DoS attack will vary, it generally consists of a concerted effort of one or more persons attempting to prevent a device, site or service from functioning temporarily or indefinitely.
  • Page 464 Action If a DoS filter is enabled, choose an action from the drop-down menu to determine how the Firewall treats the associated DoS attack. Options include: Log and Drop - An entry for the associated DoS attack is added to the log and then the packets are dropped.
  • Page 465 Security Configuration 8 - 5 LAND The LAND DoS attack sends spoofed packets containing the SYN flag to the target destination using the target port and IP address as both the source and destination. This will either crash the target system or result in high resource utilization slowing down all other processes.
  • Page 466 8 - 6 WiNG 5 Access Point System Reference Guide TCP Intercept A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved...
  • Page 467 TCP Packet Sequence This is an attempt to predict the sequence number used to identify the packets in a TCP connection, which can be used to counterfeit packets. The attacker hopes to correctly guess the sequence number to be used by the sending host.
  • Page 468 8 - 8 WiNG 5 Access Point System Reference Guide Figure 8-2 Wireless Firewall screen - Storm Control tab The Firewall maintains a facility to control packet storms. Storms are packet bombardments that exceed the high threshold value configured for an interface. During a storm, packets are throttled until the rate falls below the configured rate, severely impacting performance for the interface.
  • Page 469 Security Configuration 8 - 9 Interface Name Use the drop-down menu to refine the interface selection to a specific WLAN or physical port. This helps with threshold configuration for potentially impacted interfaces. Packets per Second Select the check box to activate the spinner control used for specifying the packets per second threshold for activating the Storm Control mechanism.
  • Page 470 8 - 10 WiNG 5 Access Point System Reference Guide Figure 8-3 Wireless Firewall screen - Advanced Settings tab 14.Refer to the Enable Firewall radio buttons to define the Firewall as either Enabled or Disabled. The Firewall is enabled by default.
  • Page 471 IPMAC Conflict Logging When enabled, use the drop-down menu to set the logging level (Error, Warning, Notification, Information or Debug) if an attack is detected. The default setting is Warning. IPMAC Conflict Action Use the drop-down menu to set the action taken when an attack is detected.
  • Page 472 8 - 12 WiNG 5 Access Point System Reference Guide TFTP ALG Check the Enable box to allow TFTP traffic through the Firewall using its default ports. This feature is enabled by default. SIP ALG Check the Enable box to allow SIP traffic through the Firewall using its default ports.
  • Page 473: Configuring Ip Firewall Rules

    21. Refer to the TCP Protocol Checks field to set the following parameters: Check TCP states where a SYN packet tears down the flow Select the checkbox to allow a SYN packet to delete an old flow in TCP_FIN_FIN_STATE and TCP_CLOSED_STATE and create a new flow. The default setting is enabled.
  • Page 474 8 - 14 WiNG 5 Access Point System Reference Guide Figure 8-4 IP Firewall Rules screen 2. Select + Add Row to create a new IP Firewall Rule. Select an existing policy and click Edit to modify the attributes of the rule’s configuration.
  • Page 475 Security Configuration 8 - 15 Figure 8-5 IP Firewall Rules screen - Adding a new rule 4. If adding a new rule, enter a name up to 32 characters in length. 5. Define the following parameters for the IP Firewall Rule: Allow Every IP Firewall rule is made up of matching criteria rules.
  • Page 476: Configuring Mac Firewall Rules

    8 - 16 WiNG 5 Access Point System Reference Guide Protocol Select the protocol used with the IP rule from the drop-down menu. IP is selected by default. Selecting ICMP displays an additional set of ICMP specific Options for ICMP Type and code. Selecting either TCP or UDP displays an additional set of specific TCP/UDP source and destinations port options.
  • Page 477 Security Configuration 8 - 17 Figure 8-6 MAC Firewall Rules screen 2. Select + Add Row to create a new MAC Firewall Rule. Select an existing policy and click Edit to modify the attributes of the rule’s configuration. 3. Select the added row to expand it into configurable parameters for defining the MAC based Firewall rule.
  • Page 478 8 - 18 WiNG 5 Access Point System Reference Guide Figure 8-7 MAC Firewall Rules screen - Adding a new rule 4. If adding a new MAC Firewall Rule, provide a name up to 32 characters in length. 5. Define the following parameters for the IP Firewall Rule: Allow Every IP Firewall rule is made up of matching criteria rules.
  • Page 479 Security Configuration 8 - 19 Action The following actions are supported: Log - Events are logged for archive and analysis. Mark - Modifies certain fields inside the packet and then permits them. Therefore, mark is an action with an implicit permit. - VLAN 802.1p priority.
  • Page 480: Wireless Ips (Wips)

    8 - 20 WiNG 5 Access Point System Reference Guide 8.2 Wireless IPS (WIPS) The access point supports Wireless Intrusion Protection Systems (WIPS) to provide continuous protection against wireless threats and act as an additional layer of security complementing wireless VPNs and encryption and authentication policies.
  • Page 481 Security Configuration 8 - 21 Figure 8-8 Wireless IPS screen - Settings tab 2. Select the Activate Firewall IPS Policy option on the upper left-hand side of the screen to enable the screen’s parameters for configuration. Ensure this option stays selected to apply the configuration to the access point profile. 3.
  • Page 482 8 - 22 WiNG 5 Access Point System Reference Guide 6. Select to update the settings. Select Reset to revert to the last saved configuration. The WIPS policy can be invoked at any point in the configuration process by selecting...
  • Page 483 Security Configuration 8 - 23 Filter Expiration Set the duration an event generating client is filtered. This creates a special ACL entry, and frames coming from the client are dropped. The default setting is 0 seconds. This value is applicable across the RF Domain. If a station is detected performing an attack and is filtered by an access point, the information is passed to the domain controller.
  • Page 484 8 - 24 WiNG 5 Access Point System Reference Guide 11.Set the following MU Anomaly Event configurations: Name Displays the name of the event tracked against the defined thresholds set for interpreting the event as excessive or permitted. Enable Displays whether tracking is enabled for each MU Anomaly event. Use the drop-down menu to enable/disable events as required.
  • Page 485 Security Configuration 8 - 25 Figure 8-11 Wireless IPS screen - WIPS Events, AP Anomaly tab AP Anomaly events are suspicious frames sent by neighboring APs. Use the AP Anomaly tab to enable or disable an event. 14.Enable or disable the following AP Anomaly Events: Name Displays the name of each AP Anomaly event.
  • Page 486 8 - 26 WiNG 5 Access Point System Reference Guide 16.Select the WIPS Signatures tab. Ensure the Activate Wireless IPS Policy option remains selected to enable the screen’s configuration parameters. Figure 8-12 Wireless IPS screen - WIPS Signatures tab 17.The...
  • Page 487 Security Configuration 8 - 27 Figure 8-13 WIPS Signature Configuration screen 19.If adding a new WIPS signature, define a Name to distinguish it from others with similar configurations. The name cannot exceed 64 characters. 20.Set the following network address information for a new or modified WIPS Signature: Enable Signature Select the radio button to enable the WIPS signature for use with the profile.
  • Page 488 8 - 28 WiNG 5 Access Point System Reference Guide Radio Threshold Specify the threshold limit per radio that, when exceeded, signals the event. The configurable range is from 1 - 65,535. 22.Set a Filter Expiration between 1 - 86,400 seconds that specifies the duration a client is excluded from radio association when responsible for triggering a WIPS event.
  • Page 489: Device Categorization

    Security Configuration 8 - 29 8.3 Device Categorization Properly classifying and categorizing access points and clients can help suppress unnecessary unauthorized access point alarms, and allow an administrator to focus on alarms on devices actually behaving in a suspicious manner. An intruder with a device erroneously authorized could potentially perform activities that harm your organization.
  • Page 490 8 - 30 WiNG 5 Access Point System Reference Guide Figure 8-15 Device Categorization screen - Marked Devices 3. If creating a new Device Categorization filter, provide it a Name (up to 32 characters). Select to save the name and enable the remaining device categorization parameters.
  • Page 491: Security Deployment Considerations

    • Is the detected access point properly configured according to your organization’s security policies? • Motorola Solutions recommends trusted and known access points be added to a sanctioned AP list. This will minimize the number of unsanctioned AP alarms received.
  • Page 493: Chapter 9 Services Configuration

    CHAPTER 9 SERVICES CONFIGURATION The Motorola Solutions WING 5 software supports services providing captive portal (guest) access, leased DHCP IP address assignments to requesting clients and local RADIUS client authentication. For more information, refer to the following: • Configuring Captive Portal Policies •...
  • Page 494: Configuring Captive Portal Policies

    9.1 Configuring Captive Portal Policies A captive portal is a guest access policy for providing guests temporary and restrictive access to the access point managed wireless network. A captive portal policy’s configuration provides secure authenticated access using a standard Web browser. Captive portals provide authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the wireless network.
  • Page 495 VLAN is defined where the client can reach the controller. 0 is the default value. Connection Mode Lists each policy’s connection mode as either HTTP or HTTPS. Motorola Solutions recommends the use of HTTPS, as it offers client transmissions a measure of data protection HTTP cannot provide.
  • Page 496 9 - 4 WiNG 5 Access Point System Reference Guide AAA Policy Lists each AAA policy used to authorize client guest access requests. The security provisions provide a way to configure advanced AAA policies that can be applied to captive portal policies supporting authentication. When a captive portal policy is created or modified, a AAA policy must be defined and applied to authorize, authenticate and account user requests.
  • Page 497 Services Configuration 9 - 5 Basic Configuration tab displays by default. Define the policy’s security, access and whitelist basic configuration before HTML pages can be defined for guest user access.
  • Page 498 Connection Mode Select either the HTTP or HTTPS radio button to define the connection medium. Motorola Solutions recommends the use of HTTPS, as it offers additional data protection HTTP cannot provide. The default value however is HTTP. Simultaneous Users...
  • Page 499 Services Configuration 9 - 7 7. Set the following Access parameters to define captive portal access, RADIUS lookup information and whether the login pages contain terms that must be accepted before access is granted: Access Type Select the radio button for the authentication scheme applied to wireless clients using the captive portal for guest access.
  • Page 500 9 - 8 WiNG 5 Access Point System Reference Guide Figure 9-2 Captive Portal DNS Whitelist screen b. Provide a numerical IP address or Hostname within the DNS Entry parameter for each destination IP address or host in the Whitelist.
  • Page 501 Enable Syslog Accounting Select this option to log information about the use of remote access services by users using an external syslog resource. This information is of great assistance in partitioning local versus remote users. Remote user information can be archived to an external location for periodic network and user administration.
  • Page 502 9 - 10 WiNG 5 Access Point System Reference Guide Figure 9-3 Captive Portal Policy Basic Web Page screen The Login screen prompts for a username and password to access the captive portal and proceed to either the Terms and Conditions page (if used) or the Welcome page. The Terms and Conditions page provides conditions that must be agreed to before wireless client guest access is provided for the captive portal policy.
  • Page 503 14. Provide the following required information when creating Login, Terms and Conditions, Welcome and Fail pages maintained internally. Organization Name If the captive portal is defined on behalf of an organization, that name can be associated as sponsoring the captive portal. Title Text Set the title text displayed on the Login, Terms and Conditions, Welcome and Fail pages when wireless clients access each page.
  • Page 504 9 - 12 WiNG 5 Access Point System Reference Guide Figure 9-4 Captive Portal Policy Externally Hosted Web Page screen 17.Set the following URL destinations for externally hosted captive portal pages: Login URL Define the complete URL for the location of the Login page. The Login screen prompts the user for a username and password to access the Terms and Conditions or Welcome page.
  • Page 505 Services Configuration 9 - 13 Figure 9-5 Captive Portal Policy Advanced Web Page screen 20.The access point maintains its own set of Advanced Web pages for custom captive portal creation. These files can be transferred to other managed devices as the devices support connection attempts on behalf of their connected access point.
  • Page 506: Setting The Whitelist Configuration

    A DNS whitelist is used in conjunction with a captive portal to provide hotspot services to wireless clients. Use the WING 5 DNS Whitelist parameter to create a set of allowed destination IP addresses within the captive portal. These allowed IP addresses are called the Whitelist. To effectively host hotspot pages on an external Web server, the IP address of the destination Web server(s) should be in the Whitelist.
  • Page 507 Services Configuration 9 - 15 c. Use the Match Suffix parameter to match any hostname or domain name as a suffix. The default setting is disabled. d. If necessary, select the radio button of an existing Whitelist entry and select the - Delete icon to remove the entry from the Whitelist.
  • Page 508: Setting The Dhcp Server Configuration

    9 - 16 WiNG 5 Access Point System Reference Guide 9.3 Setting the DHCP Server Configuration Dynamic Host Configuration Protocol (DHCP) allows hosts on an IP network to request and be assigned IP addresses as well as discover information about the network where they reside. Each subnet can be configured with its own address pool.
  • Page 509 Figure 9-7 DHCP Server Policy screen - DHCP Pool tab 2. Select the Activate DHCP Server Policy option to optimally display the screen and enable the ability to Add or Edit a new policy. This option must remain selected to apply the DHCP pool configuration to the access point profile. 3.
  • Page 510 9 - 18 WiNG 5 Access Point System Reference Guide Lease Time If a lease time has been defined for a listed network pool, it displays as an interval between 1 - 9,999,999 seconds. DHCP leases provide addresses for defined times to various clients. If a client does not use a leased address for the defined time, that IP address can be re-assigned to another DHCP supported client.
  • Page 511 Services Configuration 9 - 19 Subnet Define the IP address and Subnet Mask used for DHCP discovery and requests between the DHCP Server and DHCP clients. The IP address and subnet mask of the pool are required to match the addresses of the layer 3 interface for the addresses to be supported through that interface.
  • Page 512 9 - 20 WiNG 5 Access Point System Reference Guide Figure 9-9 DHCP Pools screen - Static Bindings tab 8. Review existing DHCP pool static bindings to determine if a static binding can be used as is, a new one requires...
  • Page 513 Figure 9-10 Static Bindings Add screen 10. Define the following General parameters required to complete the creation of the static binding configuration: Client Identifier Type Use the drop-down menu to define whether the DHCP client is using a Hardware Address or Client Identifier as its identifier type with a DHCP server.
  • Page 514 9 - 22 WiNG 5 Access Point System Reference Guide Boot File Enter the name of the boot file used with this pool. Boot files (Boot Protocol) can be used to boot remote systems over the network. BOOTP messages are encapsulated inside UDP messages so requests and replies can be forwarded.
  • Page 515 Services Configuration 9 - 23 15.Select when completed to update the static bindings configuration. Select Reset to revert the screen back to its last saved configuration. 16.Select the Advanced tab to define additional NetBIOS and Dynamic DNS parameters. Figure 9-11 DHCP Pools screen - Advanced tab 17.The addition or edit of the network pool’s advanced settings requires the following General parameters be set:...
  • Page 516: Defining Dhcp Server Global Settings

    9 - 24 WiNG 5 Access Point System Reference Guide 18.Set the following NetBIOS parameters for the network pool: NetBIOS Node Type Set the NetBIOS Node Type used with this pool. The following types are available: Broadcast - Uses broadcasting to query nodes on the network for the owner of a NetBIOS name.
  • Page 517 Figure 9-12 DHCP Server Policy screen - Global Settings tab 2. Set the following parameters within the Configuration field: Ignore BOOTP Requests Select the checkbox to ignore BOOTP requests. BOOTP requests boot remote systems within the network. BOOTP messages are encapsulated inside UDP messages and are forwarded.
  • Page 518: Dhcp Class Policy Configuration

    9 - 26 WiNG 5 Access Point System Reference Guide 9.3.3 DHCP Class Policy Configuration The DHCP server assigns IP addresses to DHCP enabled wireless clients based on user class option names. Clients with a defined set of user class option names are identified by their user class name. The DHCP server can assign IP addresses from as many IP address ranges as defined by the administrator.
  • Page 519 Services Configuration 9 - 27 Figure 9-14 DHCP Class Name Add screen 3. If adding a new DHCP Class Name, assign a name representative of the device class supported. The DHCP user class name should not exceed 32 characters. 4. Select a row within the Value column to enter a 32 character maximum value string.
  • Page 520: Setting The Radius Configuration

    9 - 28 WiNG 5 Access Point System Reference Guide 9.4 Setting the RADIUS Configuration Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software enabling remote access servers to authenticate users and authorize their access to the access point managed network. RADIUS is a distributed client/server system that secures networks against unauthorized access.
  • Page 521 Services Configuration 9 - 29 1. Select Configuration > Services. 2. Select RADIUS. A list of existing groups displays by default. Figure 9-15 RADIUS Group screen 3. Review the following read-only information for existing groups to determine if a new group requires creation or an existing group requires modification: RADIUS Group Displays the group name or identifier assigned to each listed group when it...
  • Page 522 9 - 30 WiNG 5 Access Point System Reference Guide VLAN Displays the VLAN ID used by the group. The VLAN ID is representative of the shared SSID each group member (user) employs to interoperate within the access point managed network (once authenticated by the local RADIUS server).
  • Page 523: Creating Radius Groups

    Services Configuration 9 - 31 9.4.1.1 Creating RADIUS Groups To create a RADIUS group: 1. Select Configuration > Services. 2. Select and expand the RADIUS menu. Select Groups if the RADIUS Group screen is not already displayed by default. 3. Click to create a new RADIUS group, Edit to modify the configuration of an existing group or...
  • Page 524 9 - 32 WiNG 5 Access Point System Reference Guide VLAN Select this option (and use the slider) to assign a specific VLAN to this RADIUS user group. Ensure Dynamic VLAN assignment (Single VLAN) is enabled for the WLAN for the VLAN to work properly. For more information, see Basic WLAN Configuration on page 6-4.
  • Page 525: Defining User Pools

    9.4.2 Defining User Pools A user pool defines policies for individual user access to the access point’s internal RADIUS resources. User pools provide a convenient means of providing user access to RADIUS resources based on the pool’s unique permissions (either temporary or permanent).
  • Page 526 9 - 34 WiNG 5 Access Point System Reference Guide Figure 9-18 RADIUS User Pool Add screen 5. Refer to the following User Pool configurations to discern when specific user IDs have access to the access point’s RADIUS resources: User Id Displays the unique alphanumeric string identifying this user.
  • Page 527 6. Select the button to add a new RADIUS user, Edit to modify the configuration of an existing user or Delete to remove an existing user Id. Figure 9-19 RADIUS User screen 7. Set the following to create a new RADIUS user with unique access privileges: User Id Assign a unique alphanumeric string identifying this user.
  • Page 528: Configuring The Radius Server

    9 - 36 WiNG 5 Access Point System Reference Guide 9.4.3 Configuring the RADIUS Server A RADIUS server policy is a unique authentication and authorization configuration for receiving user connection requests, authenticating users and returning the configuration information necessary for the RADIUS client to deliver service to the user.
  • Page 529 Services Configuration 9 - 37 2. Expand the RADIUS menu option and select RADIUS Server. Figure 9-20 RADIUS Server Policy screen - Server Policy tab RADIUS Server Policy screen displays with the Server Policy tab displayed by default.
  • Page 530 9 - 38 WiNG 5 Access Point System Reference Guide 3. Select the Activate RADIUS Server Policy button to enable the parameters within the screen for configuration. Ensure this option remains selected, or this RADIUS server configuration is not applied to the access point profile.
  • Page 531 Services Configuration 9 - 39 LDAP Authentication Type Use the drop-down menu to select the LDAP authentication scheme. The following LDAP authentication types are supported by the external LDAP resource: All – Enables both TTLS and PAP and PEAP and GTC. TTLS and PAP - The EAP type is TTLS with default authentication using PAP.
  • Page 532 9 - 40 WiNG 5 Access Point System Reference Guide Figure 9-21 RADIUS Server Policy screen - Client tab 9. Select the + Add Row button to add a table entry for a new client’s IP address, mask and shared secret. To delete...
  • Page 533 Services Configuration 9 - 41 Figure 9-22 RADIUS Server Policy screen - Proxy tab 15.Enter the Proxy Retry Delay as a value in seconds (within the range of 5-10 seconds). This is the interval the RADIUS server waits before making an additional connection attempt. The default delay interval is 5 seconds. 16.Enter the Proxy Retry Count field as a value within the range of 3-6.
  • Page 534 9 - 42 WiNG 5 Access Point System Reference Guide 24. Select the LDAP and ensure the Activate RADIUS Server Policy button remains selected. Administrators have the option of using the access point’s RADIUS server to authenticate users against an external LDAP server resource.
  • Page 535 26. Select to add a new LDAP server configuration, Edit to modify an existing LDAP server configuration or Delete to remove an LDAP server from the list of those available. Figure 9-24 LDAP Server Add screen 27. Set the following Network address information required for the connection to the external LDAP server resource:
  • Page 536 9 - 44 WiNG 5 Access Point System Reference Guide 28.Set the following Network information for the connection to the external LDAP server resource: Bind DN Specify the distinguished name to bind with the LDAP server. The DN is the name that uniquely identifies an entry in the LDAP directory. A DN is made up of attribute value pairs, separated by commas.
  • Page 537: Services Deployment Considerations

    • Motorola Solutions recommends each RADIUS client use a different shared secret password. If a shared secret is compromised, only the one client poses a risk as opposed to all the additional clients that potentially share that secret password.
  • Page 539: Chapter 10 Management Access

    Management Access functionality is not meant to function as an ACL (in routers or other firewalls), where administrators specify and customize specific IPs to access specific interfaces. Motorola Solutions recommends disabling unused and insecure management interfaces as required within different access profiles. Disabling unused management services can dramatically reduce an attack footprint and free resources.
  • Page 540: Creating Administrators And Roles

    10 - 2 WiNG 5 Access Point System Reference Guide 10.1 Creating Administrators and Roles Use the Administrators screen to review existing administrators, their access medium and their administrative role within the access point managed network. New administrators can be added and existing administrative configurations modified or deleted as required.
  • Page 541 Management Access 10 - 3 Figure 10-2 Administrators screen 4. If adding a new administrator, enter the user name in the User Name field. This is a mandatory field, and cannot exceed 32 characters. Optimally assign a name representative of the user’s intended access type and role. 5.
  • Page 542 10 - 4 WiNG 5 Access Point System Reference Guide Network Select this option to allow the user to configure all wired and wireless parameters (IP configuration, VLANs, L2/L3 security, WLANs, radios etc). Security Select Security to set the administrative rights for a security administrator allowing the configuration of all security parameters.
  • Page 543: Setting The Access Control Configuration

    (HTTP, HTTPS, Telnet, SSH or SNMP). Access options can be either enabled or disabled as required. Motorola Solutions recommends disabling unused interfaces to reduce security holes. The Access Control tab is not meant to function as an ACL (in routers or other firewalls), where you can specify and customize specific IPs to access specific interfaces.
  • Page 544 10 - 6 WiNG 5 Access Point System Reference Guide 2. Select Access Control from the list of Management Policy options in the upper, left-hand, side of the UI. Figure 10-3 Management Policy Access Control screen 3. Set the following parameters required for...
  • Page 545 Management Access 10 - 7 4. Set the following parameters required for access: Enable SSHv2 Select the checkbox to enable SSH device access. SSH (Secure Shell) version 2, like Telnet, provides a command line interface to a remote host. SSH transmissions are encrypted and authenticated, increasing the security of transmission.
  • Page 546 10 - 8 WiNG 5 Access Point System Reference Guide 8. Set the following Access Restrictions: Filter Type Use the drop-down menu to select the filter mechanism used as the management policy access restriction. Options include source-address, ip-access-list and None.
  • Page 547: Setting The Authentication Configuration

    Management Access 10 - 9 10.3 Setting the Authentication Configuration As part of the access point’s Management Policy, define how client authentication requests are validated using either an external or internal authentication resource: To configure an authentication resource: 1. Select Configuration >...
  • Page 548 4. Use the drop-down menu to select the AAA Policy to use with an external RADIUS resource. An AP-6511 or AP-6521 model access point (or a model that’s not using its local RADIUS resource) will need to interoperate with a RADIUS and LDAP Server (AAA Servers) to provide user database information and user authentication data.
  • Page 549: Setting The Snmp Configuration

    Management Access 10 - 11 10.4 Setting the SNMP Configuration The access point can use Simple Network Management Protocol (SNMP) to interact with wireless devices. SNMP is an application layer protocol that facilitates the exchange of management information. SNMP enabled devices listen on port 162 (by default) for SNMP packets from their management server.
  • Page 550 10 - 12 WiNG 5 Access Point System Reference Guide 2. Select SNMP from the list of Management Policy options in the upper, left-hand, side of the UI. Figure 10-5 Management Policy screen - SNMP tab 3. Enable or disable SNMPv2 and SNMPv3.
  • Page 551 Management Access 10 - 13 4. Set the SNMP v1/v2 Community String configuration. Use the + Add Row function as needed to add additional SNMP v1/2 community strings, or select an existing community string’s radio button and select the Delete icon to remove it.
  • Page 552: Snmp Trap Configuration

    10 - 14 WiNG 5 Access Point System Reference Guide 10.5 SNMP Trap Configuration An access point can use SNMP trap receivers for fault notifications. SNMP traps are unsolicited notifications triggered by thresholds (or actions) on devices, and are therefore an important fault management tool.
  • Page 553 Management Access 10 - 15 4. Refer to the Trap Receiver table to set the configuration of the external resource receiving trap information. Select Add Row + as required to add additional trap receivers. Select the Delete icon to permanently remove a trap receiver. IP Address Set the IP address of the external server resource receiving SNMP traps on behalf of the access point.
  • Page 554: Management Access Deployment Considerations

    Legacy Motorola Solutions devices may use other community strings by default. • Motorola Solutions recommends SNMPv3 be used for device management, as it provides both encryption and authentication. • Enabling SNMP traps can provide alerts for isolated attacks at both small radio deployments or distributed attacks...
  • Page 555: Chapter 11 Diagnostics

    CHAPTER 11 DIAGNOSTICS An access point’s resident diagnostic capabilities enable administrators to understand how devices are performing and troubleshoot issues impacting network performance. Performance and diagnostic information is collected and measured for anomalies causing a key process to potentially fail. Numerous tools are available within the Diagnostics menu.
  • Page 556: Fault Management

    11.1 Fault Management Fault management enables users administering multiple sites to assess device performance and issues affecting the network. Use the Fault Management screens to view and administrate errors generated by an access point or a connected wireless client.
  • Page 557 Diagnostics 11 - 3 Module Select the module from which events are tracked. When a single module is selected, events from other modules are not tracked. Remember this when interested in events generated by a particular module. Individual modules can be selected (such as TEST, LOG, FSM etc.) or all modules can be tracked by selecting All Modules.
  • Page 558 11 - 4 WiNG 5 Access Point System Reference Guide 5. Select View Events from the upper, left-hand, side of the Fault Management browser. Figure 11-2 Fault Management View Events screen Use the View Events screen to track and troubleshoot events using source and severity levels defined in the Configure events screen.
  • Page 559 Diagnostics 11 - 5 Figure 11-3 Fault Management Event History screen 9. Refer to the Select a Device field, and specify a single device MAC address for event tracking. 10. Select Fetch Historical Events from the lower, right-hand, side of the UI to populate the table with either device or RF Domain events.
  • Page 560: Crash Files

    11 - 6 WiNG 5 Access Point System Reference Guide 11.2 Crash Files Use the Crash Files screen to review files created when an access point encounters a critical error or malfunction. Use crash files to troubleshoot issues specific to the device on which a crash event was generated. These are issues impacting the core (distribution layer).
  • Page 561: Advanced

    Diagnostics 11 - 7 11.3 Advanced Use the Advanced diagnostics screens to review and troubleshoot potential issues with the access point’s User Interface (UI). The UI Diagnostics screen contains tools to effectively identify and correct access point UI issues. Diagnostics can also be performed at the device level for connected clients.
  • Page 562: Schema Browser

    11 - 8 WiNG 5 Access Point System Reference Guide 3. Select View UI Logs from the upper, left-hand, side of the browser to view Application Logs, Flex Logs and Error Logs. The Sequence (order of occurrence), Date/Time, Type, Category and Message items display for each log option selected.
  • Page 563 Diagnostics 11 - 9 Figure 11-7 UI Debugging screen - Schema Browser The Schema Browser displays the Configuration tab by default. The Schema Browser displays two fields (regardless of the Configuration, Statistics or Actions tab selected). Use the left field to navigate the schema by expanding and collapsing directories.
  • Page 564 11 - 10 WiNG 5 Access Point System Reference Guide...
  • Page 565: Chapter 12 Operations

    Self Monitoring At Run Time RF Management (Smart RF) is a Motorola Solutions innovation designed to simplify RF configurations for new deployments, while (over time) providing on-going deployment optimization and radio performance improvements.
  • Page 566: Device Operations

    12 - 2 WiNG 5 Access Point System Reference Guide 12.1 Device Operations Motorola Solutions periodically releases updated device firmware and configuration files to the Motorola Solutions Support Web site. If an access point’s (or its associated device’s) firmware is older than the version on the Web site, Motorola Solutions recommends updating to the latest firmware version for full functionality and utilization.
  • Page 567 Operations 12 - 3 Figure 12-1 Device Details screen 1. Refer to the following to determine whether a firmware image requires an update: Device MAC Displays the factory assigned hardware MAC address (in the banner of the screen) for the selected access point. The Device Type also displays in the banner of the screen.
  • Page 568 12 - 4 WiNG 5 Access Point System Reference Guide 2. Refer to the drop-down menu on the lower, left-hand side, of the UI. The following tasks and displays are available in respect to device firmware: Show Running Config Select this option to display the running configuration of the selected device.
  • Page 569: Upgrading Device Firmware

    Operations 12 - 5 12.1.1.1 Upgrading Device Firmware To update the firmware of a Virtual Controller AP managed device access point: NOTE: AP upgrades can only be performed by access points in Virtual Controller AP mode, and cannot be initiated by Standalone APs.
  • Page 570 12 - 6 WiNG 5 Access Point System Reference Guide 4. If needed, select Advanced to expand the dialog to display network address information to the location of the firmware. The number of additional fields that populate the screen is also dependent on the selected protocol.
  • Page 571: Managing File Transfers

    Operations 12 - 7 12.1.2 Managing File Transfers Transfer files from a device to this access point, to a remote server or from a remote server. An administrator can transfer logs, configurations and crash dumps. Additionally, the Web pages used to create captive portal pages can be transferred to managed devices that need to host them to provide access to the access point managed wireless network.
  • Page 572 12 - 8 WiNG 5 Access Point System Reference Guide Protocol If Advanced is selected, choose the protocol for file management. Available options include: • tftp • ftp • sftp • http • cf • usb1 • usb2 This parameter is required only when Server is selected as the Source and Advanced is selected.
  • Page 573: Using The File Browser

    Operations 12 - 9 12.1.3 Using the File Browser The access point maintains a File Browser enabling the administration of files currently residing on any internal or external memory location. Directories can be created and maintained for each File Browser location, and folders and files can be moved and deleted as needed.
  • Page 574: Ap Upgrades

    12 - 10 WiNG 5 Access Point System Reference Guide 12.1.4 AP Upgrades To configure an AP upgrade: NOTE: AP upgrades can only be performed by access points in Virtual Controller AP mode, and cannot be initiated by Standalone APs. Additionally, upgrades can only be performed on access points of the same model as the Virtual Controller AP.
  • Page 575 Operations 12 - 11 Schedule Reboot Time To reboot a target access point immediately, select Now. To schedule the reboot to take place at a specified time in the future, enter a date and time. This feature is helpful when upgrading an access point’s firmware while keeping it in operation until a reboot no longer impacts its current client support and operation.
  • Page 576 12 - 12 WiNG 5 Access Point System Reference Guide 6. Select the AP Image File tab to specify the model and network address information to the file used in the access point upgrade operation. Figure 12-7 AP Upgrade screen - AP Image File 7.
  • Page 577 Operations 12 - 13 8. When the AP Image Type and appropriate file location and protocol have been specified, select the Load Image button to load all available images to the Type Version table. The table now displays available images and their corresponding versions. 9.
  • Page 578: Controller Re-Election

    12 - 14 WiNG 5 Access Point System Reference Guide Last Status Displays the time of the last status update for access points that are no longer upgrading. Clear History Selecting the Clear History button clears the history log page for each access point.
  • Page 579 Operations 12 - 15 3. If necessary, enter a search string at the bottom of either the Available APs or Selected APs tables to search for a target AP from amongst those access points in the representative table. 4. Select Tunnel Controller Name to enable a drop-down menu used to select a controller name that matches the selected AP(s).
  • Page 580: Certificates

    12 - 16 WiNG 5 Access Point System Reference Guide 12.2 Certificates A certificate links identity information with a public key enclosed in the certificate. A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption.
  • Page 581 Operations 12 - 17 Figure 12-10 Trustpoints screen The Trustpoints screen displays for the selected MAC address. 2. Refer to the Certificate Details to review certificate properties, self-signed credentials, validity period and CA information. 3. Select the Import button to import a certificate.
  • Page 582 12 - 18 WiNG 5 Access Point System Reference Guide Figure 12-11 Import New Trustpoint screen 4. Define the following configuration parameters required for the Import of the trustpoint: Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual.
  • Page 583 Operations 12 - 19 IP Address If using Advanced settings, enter IP address of the server used to import the trustpoint. This option is not valid for cf, usb1 and usb2. Hostname If using Advanced settings, provide the hostname of the server used to import the trustpoint.
  • Page 584 12 - 20 WiNG 5 Access Point System Reference Guide Cut and Paste Select the Cut and Paste radio button to simply copy an existing CA certificate into the cut and paste field. When pasting a valid CA certificate, no additional network address information is required.
  • Page 585 Operations 12 - 21 Figure 12-13 Import CRL screen 10. Define the following configuration parameters required for the Import of the CRL: Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint signing the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters and an association with an enrolled identity certificate.
  • Page 586 12 - 22 WiNG 5 Access Point System Reference Guide Port If using Advanced settings, use the spinner control to set the port. This option is not valid for cf, usb1 and usb2. IP Address If using Advanced settings, enter IP address of the server used to import the CRL.
  • Page 587 Operations 12 - 23 Self-signed certificates cannot be revoked which may allow an attacker who has already gained access to monitor and inject data into a connection to spoof an identity if a private key has been compromised. However, CAs have the ability to revoke a compromised certificate, which prevents its further use.
  • Page 588 12 - 24 WiNG 5 Access Point System Reference Guide Protocol Select the protocol used for importing the target signed certificate. Available options include: • tftp • ftp • sftp • http • cf • usb1 • usb2 Port If using Advanced settings, use the spinner control to set the port. This option is not valid for cf, usb1 and usb2.
  • Page 589 Operations 12 - 25 Figure 12-15 Export Trustpoint screen 16. Define the following configuration parameters required for the Export of the trustpoint. Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual.
  • Page 590: Rsa Key Management

    12 - 26 WiNG 5 Access Point System Reference Guide Port If using Advanced settings, use the spinner control to set the port. This option is not valid for cf, usb1, and usb2. IP Address If using Advanced settings, enter IP address of the server used to export the trustpoint.
  • Page 591 Operations 12 - 27 Figure 12-16 RSA Keys screen Each key can have its size and character syntax displayed. Once reviewed, optionally generate a new RSA key, import a key from a selected device, export a key to a remote location or delete a key from a selected device.
  • Page 592 12 - 28 WiNG 5 Access Point System Reference Guide 3. Select Generate Key to create a new key with a defined size. Figure 12-17 Generate RSA Key screen 4. Select to generate the RSA key. Select Cancel to revert the screen to its last saved configuration.
  • Page 593 Operations 12 - 29 5. To optionally import a CA certificate, select the Import button from the RSA Keys screen. Figure 12-18 Import New RSA Key screen 6. Define the following configuration parameters required for the Import of the RSA key: Key Name Enter the 32 character maximum name assigned to identify the RSA key.
  • Page 594 12 - 30 WiNG 5 Access Point System Reference Guide IP Address Enter IP address of the server used to import the RSA key. This option is not valid for cf, usb1 and usb2. Hostname Provide the hostname of the server used to import the RSA key. This option is not valid for cf, usb1 and usb2.
  • Page 595: Certificate Creation

    Operations 12 - 31 Protocol Select the protocol used for exporting the RSA key. Available options include: • tftp • ftp • sftp • http • cf • usb1 • usb2 Port If using Advanced settings, use the spinner control to set the port. This option is not valid for cf, usb1 and usb2.
  • Page 596 12 - 32 WiNG 5 Access Point System Reference Guide Figure 12-20 Create Certificate screen 3. Define the following configuration parameters required to Create New Self-Signed Certificate: Certificate Name Enter the 32 character maximum name assigned to identify the name of the trustpoint associated with the certificate.
  • Page 597 RSA key. Use the spinner control to set the size of the key (between 1,024 - 2,048 bits). Motorola Solutions recommends leaving this value at the default setting of 1024 to ensure optimum functionality. For more...
  • Page 598: Generating A Certificate Signing Request (Csr)

    12 - 34 WiNG 5 Access Point System Reference Guide 12.2.4 Generating a Certificate Signing Request (CSR) A certificate signing request (CSR) is a message from a requestor to a certificate authority to apply for a digital identity certificate. The CSR is composed of a block of encrypted text generated on the server the certificate will be used on.
  • Page 599 Create or use an existing key by selecting the appropriate radio button. Use the spinner control to set the size of the key (between 1,024 - 2,048 bits). Motorola Solutions recommends leaving this value at the default setting of 1024 to ensure optimum functionality.
  • Page 600 12 - 36 WiNG 5 Access Point System Reference Guide 4. Set the following Certificate Subject Name parameters required for the creation of the certificate: Certificate Subject Name Select either the auto-generate radio button to automatically create the certificate's subject credentials or select user-defined to manually enter the credentials of the self signed certificate.
  • Page 601: Smart Rf

    Operations 12 - 37 12.3 Smart RF Self Monitoring At Run Time RF Management (Smart RF) is a Motorola Solutions innovation designed to simplify RF configurations for new deployments, while (over time) providing on-going deployment optimization and radio performance improvements.
  • Page 602 12 - 38 WiNG 5 Access Point System Reference Guide Figure 12-22 Smart RF screen 2. Refer to the following to determine whether Smart RF calibrations or interactive calibration is required. AP MAC Address Displays the hardware encoded MAC address assigned to each access point radio within the RF Domain.
  • Page 603 Operations 12 - 39 Old Power Lists the transmit power assigned to each listed access point within the RF Domain. The power level may have been increased or decreased as part of an Interactive Calibration process applied to the RF Domain. Compare this Old Power level against the Power value to the right of it (in the table) to determine whether a new power level was warranted to compensate for a coverage hole.
  • Page 604 12 - 40 WiNG 5 Access Point System Reference Guide Figure 12-23 Save Calibration Result screen • Replace - Only overwrites the current channel and power values with the new channel power values the Interactive Calibration has calculated. • Write - Writes the new channel and power values to the radios under their respective device configurations.
  • Page 605: Operations Deployment Considerations

    • If an access point’s (or its associated device’s) firmware is older than the version on the support site, Motorola Solutions recommends updating to the latest firmware version for full functionality and utilization.
  • Page 606 12 - 42 WiNG 5 Access Point System Reference Guide...
  • Page 607: Chapter 13 Statistics

    CHAPTER 13 STATISTICS This chapter describes the statistical information available to WING 5 supported access points. Statistics can be exclusively displayed to validate access points, their VLAN assignments and the current authentication and encryption schemes. Statistics can be displayed for the entire system or access point coverage area. Stats can also be viewed collectively for RF Domain member access point radios and their connected clients.
  • Page 608: System Statistics

    13 - 2 WiNG 5 Access Point System Reference Guide 13.1 System Statistics System screens display information supporting access points, RF Domains and managed clients (the entire access point managed network). Use this information to obtain an overall view of the state of the network. The data is organized as follows: •...
  • Page 609 Statistics 12 - 3 Figure 13-1 System - Health screen 4. The Devices table displays the total number of access points in the network. The pie chart is a proportional view of how many are functional and are currently online. Green indicates online devices and the red offline devices. 5.
  • Page 610 13 - 4 WiNG 5 Access Point System Reference Guide • 0 – 50 (Poor) • 50 – 75 (Medium) • 75 – 100 (Good). This area displays the following: Worst 5 Displays five RF Domains with the lowest quality indices in the access point managed network.
  • Page 611: Inventory

    Statistics 12 - 5 13.1.2 Inventory The Inventory screen displays information about the physical hardware deployed within the system. Use this information to assess the overall performance of access points and their connected clients in the system, whether members of the RF Domain or not.
  • Page 612: Adopted Devices

    13 - 6 WiNG 5 Access Point System Reference Guide 5. The Radios table displays radios in use throughout the wireless controller managed network. This area displays the total number of managed radios and top 5 RF Domains in terms of radio count. The Total Radios value is the total number of radios in this system.
  • Page 613 Statistics 12 - 7 Figure 13-3 System - Adopted Devices screen 4. The Adopted Devices screen provides the following: Adopted Device Displays the hostname of the adopted device. Type Displays the type of device adopted to an access point system member. RF Domain Name Displays the adopting access point’s RF Domain name.
  • Page 614: Pending Adoptions

    13 - 8 WiNG 5 Access Point System Reference Guide 13.1.4 Pending Adoptions The Pending Adoptions screen displays a list of devices detected in the system that have not yet been connected to one of the system’s access points and whose adoption is still pending.
  • Page 615: Offline Devices

    Statistics 12 - 9 13.1.5 Offline Devices The Offline Devices screen displays a list of devices in the access point managed network or RF Domain that are currently offline. To view offline device statistics: 1. Select the Statistics menu from the Web UI.
  • Page 616 13 - 10 WiNG 5 Access Point System Reference Guide Area Displays the deployment area assigned to the listed device when deployed using the WING UI as a means of identifying the device’s physical location. Floor Displays the deployment floor assigned to the listed device when deployed using the WING UI as a means of identifying the device’s physical location.
  • Page 617: Rf Domain

    Statistics 12 - 11 13.2 RF Domain RF Domain screens display status within the access point’s single RF domain. This includes the access point’s health and device inventory, wireless clients and Smart RF functionality. Use the information to obtain an overall view of the performance of the selected RF Domain and troubleshoot the domain or any member device.
  • Page 618 13 - 12 WiNG 5 Access Point System Reference Guide Figure 13-6 RF Domain - Health screen The Configuration field displays the name of the Virtual Controller AP that is the manager for this RF Domain. The RF Domain Manager is the focal point for the radio system and acts as a central registry of applications, hardware and capabilities.
  • Page 619 Statistics 12 - 13 • 60-100 – Good quality 4. Refer to the Worst 5 Radios table for RF Domain member radios requiring administration to improve performance: Worst 5 Radios Displays five radios with the lowest average quality in the access point RF Domain.
  • Page 620: Inventory

    13 - 14 WiNG 5 Access Point System Reference Guide 9. The SMART RF Activity area displays the following: Power Changes Displays the total number of radio transmit power changes that have been made using SMART RF within the access point RF Domain.
  • Page 621 Statistics 12 - 15 2. Select the default item from under the System node on the top, left-hand side, of the screen. 3. Select Inventory from the RF Domain menu. Figure 13-7 RF Domain - Inventory screen 4. The Device Types table displays the total number of member access points in the RF Domain.
  • Page 622 13 - 16 WiNG 5 Access Point System Reference Guide 5. The Radios by Channel field displays the total number of radios using the 5GHz and 2.4GHz bands within the access point RF Domain. 6. The Wireless Clients table displays the total number of wireless clients connected to RF Domain member access points.
  • Page 623: Access Points

    Statistics 12 - 17 13.2.3 Access Points The RF Domain Access Points screen displays hardware data collectively for all the access points within the RF Domain. Data is only collected from access points of the same model. To display RF Domain access point statistics: 1.
  • Page 624: Ap Detection

    13 - 18 WiNG 5 Access Point System Reference Guide IP Address Displays the IP address that the access point is using. Refresh Select the Refresh button to update the statistics counters to their latest values. 13.2.4 AP Detection The AP Detection screen displays information about detected access points that are not members of the RF Domain.
  • Page 625: Wireless Clients

    Statistics 12 - 19 Reported by Displays the MAC address of the RF Domain member access point detecting the unidentified access point. Refresh Select the Refresh button to update the statistics counters to their latest values. 13.2.5 Wireless Clients The Wireless Clients screen displays read only device information for wireless clients connected to RF Domain member access points.
  • Page 626: Wireless Lans

    13 - 20 WiNG 5 Access Point System Reference Guide 4. The Wireless Clients screen displays the following: MAC Address Displays the Hardware or Media Access Control (MAC) address of each listed wireless client. This address is hard-coded at the factory and cannot be modified.
  • Page 627 Statistics 12 - 21 Figure 13-10 RF Domain - Wireless LAN screen 4. The Wireless LANs screen displays the following: WLAN Name Displays the text-based name assigned to the WLAN by its RF Domain member access point. SSID Displays the Service Set ID (SSID) assigned to the WLAN by its RF Domain member access point. Traffic Index Displays the traffic utilization index of each listed WLAN, which measures...
  • Page 628: Radios

    13 - 22 WiNG 5 Access Point System Reference Guide 13.2.7 Radios Radio screens display information on RF Domain member access point radios. Use these screens to troubleshoot radio issues. For more information, refer to the following: •...
  • Page 629: Status

    Statistics 12 - 23 13.2.7.1 Status To view the RF Domain radio statistics: 1. Select the Statistics menu from the Web UI. 2. Select the default item from under the System node on the top, left-hand side, of the screen. 3.
  • Page 630 13 - 24 WiNG 5 Access Point System Reference Guide Power Current (Config) Displays the current power level the radio is broadcasting. Clients Displays the number of clients currently connected to each RF Domain member access point radio. AP-7131, AP-6532 and AP-7161 models can support up to 256 clients per radio.
  • Page 631: Rf Statistics

    Statistics 12 - 25 13.2.7.2 RF Statistics To view the RF Domain radio statistics: 1. Select the Statistics menu from the Web UI. 2. Select the default item from under the System node on the top, left-hand side, of the screen. 3.
  • Page 632 13 - 26 WiNG 5 Access Point System Reference Guide Traffic Index Displays the traffic utilization index of each RF Domain member access point radio. This is expressed as an integer value. 0 – 20 indicates very low utilization, and 60 and above indicate high utilization.
  • Page 633: Traffic Statistics

    Statistics 12 - 27 13.2.7.3 Traffic Statistics To view RF Domain member access point radio traffic statistics: 1. Select the Statistics menu from the Web UI. 2. Select the default item from under the System node on the top, left-hand side, of the screen. 3.
  • Page 634: Mesh

    13 - 28 WiNG 5 Access Point System Reference Guide Tx User Data Rate Displays the rate (in kbps) that user data is transmitted by each RF Domain member access point radio. This rate only applies to user data and does not include any management overhead.
  • Page 635: Smart Rf

    Statistics 12 - 29 3. Select Mesh. Figure 13-14 RF Domain - Mesh screen The RF Domain Mesh screen displays the following: Client Hostname Displays the configured hostname for each client connected to a RF Domain member access point. Client Radio MAC Displays the Media Access Control for each client connected to a RF Domain member access point.
  • Page 636 13 - 30 WiNG 5 Access Point System Reference Guide To view Smart RF stats for RF Domain member access points: 1. Select the Statistics menu from the Web UI. 2. Select the default item from under the System node on the top, left-hand side, of the screen.
  • Page 637 Statistics 12 - 31 Figure 13-16 RF Domain - SMART RF Details screen 5. Select the Energy Graph tab for a RF Domain member access point radio to review the radio’s operating channel and noise level and neighbor count. This information helps assess whether Smart RF neighbor recovery is needed in respect to poorly performing radios.
  • Page 638: Wips

    13 - 32 WiNG 5 Access Point System Reference Guide Figure 13-17 RF Domain - SMART RF Energy Graph 13.2.10 WIPS Refer to the Wireless Intrusion Protection Software (WIPS) screens to review a client blacklist and events reported by a RF Domain member access point.
  • Page 639: Wips Client Blacklist

    Statistics 12 - 33 13.2.10.1 WIPS Client Blacklist This Client Blacklist displays blacklisted clients detected by WIPS. Blacklisted clients are not allowed to associate to RF Domain member access points. To view the WIPS client blacklist: 1. Select the Statistics menu from the Web UI.
  • Page 640: Wips Events

    13 - 34 WiNG 5 Access Point System Reference Guide 13.2.10.2 WIPS Events Refer to the WIPS Events screen to assess WIPS events reported by RF Domain member access points. To view the rogue access point statistics: 1. Select the Statistics menu from the Web UI.
  • Page 641: Captive Portal

    Statistics 12 - 35 13.2.11 Captive Portal A captive portal technique requires a client connected to a RF Domain member access point to use a customized set of Web pages (for authentication purposes) before being granted access to the access point managed Internet. Thus, a captive portal turns a Web browser into an authentication device.
  • Page 642: Historical Data

    13 - 36 WiNG 5 Access Point System Reference Guide VLAN Displays the name of the access point VLAN the client belongs to. Remaining Time Displays the time after which a connected client is disconnected from the access point managed Captive Portal.
  • Page 643: Viewing Smart Rf History

    Statistics 12 - 37 13.2.12.1 Viewing Smart RF History To view the RF Domain member Smart RF history: 1. Select the Statistics menu from the Web UI. 2. Select the default item from under the System node on the top, left-hand side, of the screen. 3.
  • Page 644 13 - 38 WiNG 5 Access Point System Reference Guide 4. The SMART RF History screen displays the following RF Domain member historical data: AP MAC Displays the MAC address of each access point comprising the RF Domain. Radio MAC Displays the radio MAC address of each access point radio comprising the RF Domain.
  • Page 645: Access Point Statistics

    Statistics 12 - 39 13.3 Access Point Statistics The access point statistics screens display an access point’s performance, health, version, client support, radio, mesh, interface, DHCP, firewall, WIPS, sensor, captive portal, NTP and load information. Access point statistics consist of the following: •...
  • Page 646 13 - 40 WiNG 5 Access Point System Reference Guide 2. Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation. 3. Select Health. Figure 13-22 Access Point - Health screen 4.
  • Page 647 Statistics 12 - 41 RF Domain Name Displays the access point’s RF Domain membership. Unlike a RFS series controller, an access point can only belong to one RF Domain based on its model. Version Displays the access point’s current firmware version. Use this information to assess whether an upgrade is required for better compatibility.
  • Page 648: Device

    13 - 42 WiNG 5 Access Point System Reference Guide 13.3.2 Device The Device screen displays basic information about the selected access point. Use this screen to gather version information, such as the installed firmware image version, the boot image and upgrade status.
  • Page 649 Statistics 12 - 43 Version Displays the software (firmware) version on the access point. Boot Partition Displays the boot partition type. Fallback Enabled Displays whether this option is enabled. This method enables a user to store a known legacy version and a new version in device memory. The user can test the new software, and use an automatic fallback, which loads the old version on the access point if the new version fails.
  • Page 650 13 - 44 WiNG 5 Access Point System Reference Guide Maximum Buffers Lists the maximum buffers available to the selected access point. 9. The IP Domain field displays the following: IP Domain Name Displays the name of the IP Domain service used with the selected access point.
  • Page 651: Ap Upgrade

    Statistics 12 - 45 Power Management Status Lists the power status of the access point. Ethernet Power Status Displays the access point’s Ethernet power status. Radio Power Status Displays the power status of the access point’s radios. 13.3.3 AP Upgrade...
  • Page 652: Adoption

    13 - 46 WiNG 5 Access Point System Reference Guide Type Displays the model of the access point. The updating access point must be of the same model as the access point receiving the update. Displays the MAC address of the access point receiving the update.
  • Page 653: Adopted Aps

    Statistics 12 - 47 13.3.4.1 Adopted APs The adopted AP statistics screen lists access points adopted by this access point, their RF Domain memberships and network service information. To view adopted access point statistics: 1. Select the Statistics menu from the Web UI.
  • Page 654 13 - 48 WiNG 5 Access Point System Reference Guide Config Status Displays each listed access point’s configuration status to help determine its service role. Config Errors Lists any configuration errors that may be hindering performance. Adopted By Lists the adopting access point.
  • Page 655: Ap Adoption History

    Statistics 12 - 49 13.3.4.2 AP Adoption History To view historical statistics for adopted access points: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation.
  • Page 656: Pending Adoptions

    13 - 50 WiNG 5 Access Point System Reference Guide 13.3.4.3 Pending Adoptions The Pending Adoptions screen displays a list of devices adopted to this access point or access points in the process of adoption. To view pending access point statistics: 1.
  • Page 657: Ap Detection

    Statistics 12 - 51 Refresh Select the Refresh button to update the screen’s statistics counters to their latest values. 13.3.5 AP Detection The AP Detection screen displays potentially hostile access points, their SSIDs, reporting AP, and so on. Continuously revalidating the credentials of associated devices reduces the possibility of an access point hacking into the network.
  • Page 658: Wireless Client

    13 - 52 WiNG 5 Access Point System Reference Guide Radio Type Displays the type of the radio on the unsanctioned access point. The radio can be 802.11b, 802.11bg, 802.11bgn, 802.11a or 802.11an. Channel Displays the channel the unsanctioned access point is currently transmitting...
  • Page 659 Statistics 12 - 53 3. Select Wireless Clients. Figure 13-29 Access Point - Wireless Clients screen 4. The Access Point Wireless Statistics screen displays the following: Client MAC Displays the MAC address of each listed client that’s connected to the selected access point.
  • Page 660: Wireless Lans

    13 - 54 WiNG 5 Access Point System Reference Guide 13.3.7 Wireless LANs  Access Point Statistics The Wireless LAN statistics screen displays an overview of access point WLAN utilization. This screen displays access point WLAN assignment, SSIDs, traffic utilization, number of radios the access point is utilizing on the WLAN and transmit and receive statistics.
  • Page 661 Statistics 12 - 55 Radio Count Displays the number of access point radios deployed within each listed WLAN. Tx Bytes Displays the average number of transmitted bytes sent on each listed WLAN. Tx User Data Rate Displays transmitted user data rate in kbps for each listed WLAN. Rx Bytes Displays the average number of packets in bytes received on each listed...
  • Page 662: Policy Based Routing

    13 - 56 WiNG 5 Access Point System Reference Guide 13.3.8 Policy Based Routing  Access Point Statistics The Policy Based Routing statistics screen displays statistics for selective path packet redirection. PBR can optionally mark traffic for preferential services (QoS). PBR is applied to incoming routed packets, and a route-map is created containing a set of filters and associated actions.
  • Page 663: Radios

    Statistics 12 - 57 Secondary Next Hop IP If the primary hop is unavailable, a second resource is used. This column lists the address set for the alternate route in the election process. Secondary Next Hop State Displays whether the secondary hop is being applied to incoming routed packets.
  • Page 664 13 - 58 WiNG 5 Access Point System Reference Guide Figure 13-32 Access Point Radio - Statistics screen Use the Details screen to review this radio’s configuration in greater detail, as additional deployment location, configuration, Smart RF, quality index and wireless client information becomes available.
  • Page 665: Status

    Statistics 12 - 59 13.3.9.1 Status An administrator can use the Status screen to review access point radio stats in detail. Use the Status screen to assess radio type, operational state, operating channel and current power to assess whether the radio is optimally configured in respect to its intended deployment objective.
  • Page 666 13 - 60 WiNG 5 Access Point System Reference Guide Power Current (Config) Displays the current power level each listed radio is broadcasting on, as well as the power level it is configured to use in parentheses. Configured Displays each listed radio’s administrator defined output power level.
  • Page 667: Rf Statistics

    Statistics 12 - 61 13.3.9.2 RF Statistics An administrator can use the RF Statistics screen to review access point radio transmit and receive statistics, error rate and RF quality. To view access point radio RF statistics: 1. Select the Statistics menu from the Web UI.
  • Page 668 13 - 62 WiNG 5 Access Point System Reference Guide Error Rate Displays the average number of retries per packet. A high number indicates possible network or hardware problems. Assess the error rate in respect to potentially high signal and SNR values to determine whether the error rate coincides with a noisy signal.
  • Page 669: Traffic Statistics

    Statistics 12 - 63 13.3.9.3 Traffic Statistics An administrator can use the Traffic Statistics screen to review access point radio transmit and receive statistics, data rate, and packets dropped during both transmit and receive operations. To view the access point radio traffic statistics: 1.
  • Page 670: Mesh

    13 - 64 WiNG 5 Access Point System Reference Guide Rx User Data Rate Displays the rate (in kbps) user data is received by the radio. This rate only applies to user data and does not include management overhead. Tx Dropped Displays the total number of transmitted packets dropped by each listed radio.
  • Page 671 Statistics 12 - 65 4. Select Mesh. Figure 13-36 Access Point Mesh screen 5. The Mesh screen describes the following: Client AP Displays the name for each access point in the RF Domain mesh network. Client Hostname Displays the configured hostname for each access point in the RF Domain mesh network.
  • Page 672: Interfaces

     Access Point Statistics The Interface screen provides detailed statistics on each of the interfaces available on WiNG 5 supported access points. Use this screen to review the statistics for each access point interface. Use the following screens to review the performance of each interface on the access point.
  • Page 673: General Statistics

    Statistics 12 - 67 13.3.11.1 General Statistics  Interfaces The General screen provides information on a selected access point interface such as its MAC address, type and TX/RX statistics. To view the general interface statistics: 1. Select the Statistics menu from the Web UI. 2.
  • Page 674 13 - 68 WiNG 5 Access Point System Reference Guide 3. Select Interfaces. The General tab displays by default. Figure 13-37 Access Point Interface - General tab 4. Select an access point interface from those available for this access point model. The subsequent display within the General and Network Graph tabs is specific to the selected interface.
  • Page 675 Statistics 12 - 69 Hardware Type Displays the hardware type of the access point interface. Index Displays the unique numerical identifier supporting the interface. Access VLAN Displays the interface the VLAN can access. Access Setting Displays the mode of the VLAN as either Access or Trunk. Administrative Displays whether the interface is currently true or false.
  • Page 676 13 - 70 WiNG 5 Access Point System Reference Guide Good Pkts Received Describes the number of good packets received. Mcast Pkts Sent Displays the number of multicast packets sent through the selected interface. Mcast Pkts Received Displays the number of multicast packets received through the selected interface.
  • Page 677 Statistics 12 - 71 9. The Receive Errors field displays the following information about the selected interface: Rx Frame Errors Displays the number of frame errors received at the interface. A frame error occurs when a byte of data is received, but not in the format expected. Rx Length Errors Displays the number of length errors received at the interface.
  • Page 678: Viewing Interface Statistics Graph

    13 - 72 WiNG 5 Access Point System Reference Guide 13.3.11.2 Viewing Interface Statistics Graph  Interfaces Network Graph tab displays interface statistics graphically. To view a detailed graph for an interface, select an interface, then choose from up to three performance variables from within the Parameters drop down menu.
  • Page 679 Statistics 12 - 73 Figure 13-39 Access Point - PPPoE screen 4. The Access Point PPPoE screen displays the following configuration information and connection status: Shutdown Displays whether a high speed client mode point-to-point connection has been enabled using the PPPoE protocol. Service Lists the 128 character maximum PPPoE client service name provided by the service provider.
  • Page 680: Ospf

    13 - 74 WiNG 5 Access Point System Reference Guide Maximum Transmission Unit (MTU) Displays the PPPoE client maximum transmission unit (MTU) from 500 - 1,492. The MTU is the largest physical packet size in bytes a network can transmit. Any messages larger than the MTU are divided into smaller packets before being sent.
  • Page 681: Ospf Summary

    Statistics 12 - 75 13.3.13.1 OSPF Summary  OSPF To view OSPF summary statistics: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation.
  • Page 682 13 - 76 WiNG 5 Access Point System Reference Guide 3. Select OSPF. The Summary tab displays by default. Figure 13-40 Access Point OSPF - Summary tab...
  • Page 683 Statistics 12 - 77 4. The Summary tab describes the following: General The general field displays the router ID assigned for this OSPF connection, RFC compliance information and LSA data. OSPF version 2 was originally defined within RFC versions 1583 and 2328. The general field displays whether compliance to these RFCs has been satisfied.
  • Page 684: Ospf Neighbors

    13 - 78 WiNG 5 Access Point System Reference Guide 13.3.13.2 OSPF Neighbors  OSPF OSPF establishes neighbor relationships to exchange routing updates with other routers. An access point supporting OSPF sends hello packets to discover neighbors and elect a designated router. The hello packet includes link state information and list of neighbors.
  • Page 685 Statistics 12 - 79 3. Select OSPF. 4. Select the Neighbor Info tab. Figure 13-41 Access Point OSPF - Neighbor Info tab 5. The Neighbor Info tab describes the following: Router ID Displays the router ID assigned for this OSPF connection. The router is a level three Internet Protocol packet switch.
  • Page 686 13 - 80 WiNG 5 Access Point System Reference Guide Dead Time Lists the dead time between neighbors in the network topology that are currently utilizing the listed router ID. Self Neighbour State Displays the self-neighbor status assessment used to discover neighbors and elect a designated router.
  • Page 687: Ospf Area Details

    Statistics 12 - 81 13.3.13.3 OSPF Area Details  OSPF An OSPF network is subdivided into routing areas (with 32 bit area identifiers) to simplify administration and optimize traffic utilization. Areas are logical groupings of hosts and networks, including routers having interfaces connected to an included network.
  • Page 688 13 - 82 WiNG 5 Access Point System Reference Guide Total LSA Lists the Link State Advertisements of all entities using the dynamic route (in any direction) in the listed area ID. Router LSA Lists the Link State Advertisements of the router supporting each listed area ID.
  • Page 689: Ospf Route Statistics

    Statistics 12 - 83 13.3.13.4 OSPF Route Statistics  OSPF Refer to the Routes tab to assess the status of OSPF Border Routes, External Routes, Network Routes and Router Routes. To view OSPF route statistics: 1. Select the Statistics menu from the Web UI. 2.
  • Page 690 13 - 84 WiNG 5 Access Point System Reference Guide expressed as simple unit-less numbers. This provides a dynamic process of traffic load balancing between routes of equal cost. 6. Refer to the Network Routes tab. Figure 13-44 Access Point OSPF - Network Routes tab Network routes support more than two routers, with the capability of addressing a single physical message to all attached routers (broadcast).
  • Page 691: Ospf Interface

    Statistics 12 - 85 13.3.13.5 OSPF Interface  OSPF An OSPF interface is the connection between a router and one of its attached networks. An interface has state information associated with it, which is obtained from the underlying lower level protocols and the routing protocol itself. A network interface has a single associated IP address and mask (unless the network is an unnumbered point-to-point network).
  • Page 692 13 - 86 WiNG 5 Access Point System Reference Guide Lists the OSPF interface maximum transmission unit (MTU) size. The MTU is the largest physical packet size (in bytes) a network can transmit. Any packets larger than the MTU are divided into smaller packets before being sent.
  • Page 693: Ospf State

    Statistics 12 - 87 13.3.13.6 OSPF State  OSPF An OSPF enabled access point sends hello packets to discover neighbors and elect a designated router for dynamic links. The hello packet includes link state data maintained on each access point and is periodically updated on all OSPF members.
  • Page 694 13 - 88 WiNG 5 Access Point System Reference Guide OSPF max ignore state count Displays whether an OSPF state timeout is being ignored and not utilized in the transmission of state update requests amongst neighbors within the OSPF topology.
  • Page 695: L2Tp V3

    Statistics 12 - 89 13.3.14 L2TP V3  Access Point Statistics A WiNG supported access point uses L2TP V3 to create tunnels for transporting layer 2 frames. L2TP V3 enables an access point to create tunnels for transporting Ethernet frames to and from bridge VLANs and physical ports. L2TP V3 tunnels can be defined between WiNG devices and other devices supporting the L2TP V3 protocol.
  • Page 696: Vrrp

    13 - 90 WiNG 5 Access Point System Reference Guide Local Address Lists the IP address assigned as the local tunnel end point address, not the tunnel interface’s IP address. This IP is used as the tunnel source IP address.
  • Page 697 Statistics 12 - 91 Figure 13-48 Access Point - VRRP screen 4. Refer to the Global Error Status field to review the various sources of packet errors logged during the implementation of the virtual route. Errors include the mismatch of authentication credentials, invalid packet checksums, invalid packet types, invalid virtual route IDs, TTL errors, packet length errors and invalid (non matching) VRRP versions.
  • Page 698 13 - 92 WiNG 5 Access Point System Reference Guide Version Displays VRRP version 3 (RFC 5798) or 2 (RFC 3768) as selected to set the router redundancy. Version 3 supports sub-second (centisecond) VRRP failover and supports services over virtual IP.
  • Page 699: Critical Resources

    Statistics 12 - 93 13.3.16 Critical Resources  Access Point Statistics The Critical Resources statistics screen displays a list of device IP addresses on the network (gateways, routers etc.). These defined IP addresses are critical to the health of the access point managed network. These device addresses are pinged regularly by the access point.
  • Page 700: Network

    13 - 94 WiNG 5 Access Point System Reference Guide Ping Mode Describes the ping mode as either: arp-only – Uses the Address Resolution Protocol (ARP) for only pinging the critical resource. ARP is used to resolve hardware addresses when only the network layer address is known.
  • Page 701: Arp Entries

    Statistics 12 - 95 13.3.17.1 ARP Entries  Network ARP is a networking protocol for determining a network host’s hardware address when its IP address or network layer address is known. To view an access point’s ARP statistics: 1. Select the Statistics menu from the Web UI.
  • Page 702: Route Entries

    13 - 96 WiNG 5 Access Point System Reference Guide 13.3.17.2 Route Entries  Network The route entries screen provides details about the destination subnet, gateway, and interface for routing packets to a defined destination. When an existing destination subnet does not meet the needs of the network, add a new destination subnet, subnet mask and gateway.
  • Page 703: Bridge

    Statistics 12 - 97 13.3.17.3 Bridge  Network A bridge is a device connecting two networks using either the same or different Data Link Layer (DLL) protocol. Bridging is a forwarding technique used in networks. Bridging makes no assumption about where a particular address is located. It relies on the flooding and examination of source addresses in received packet headers to locate unknown devices.
  • Page 704 13 - 98 WiNG 5 Access Point System Reference Guide Figure 13-52 Access Point Network - Bridge Details screen 5. The Details screen’s Integrated Gateway Server (IGS) table displays the following: VLAN Displays the VLAN where the multicast transmission is conducted.
  • Page 705 Statistics 12 - 99 7. Select the MAC Address tab. 8. Review the following from within the MAC Address tab: Bridge Name Displays the name of the network bridge. MAC Address Displays the MAC address of the bridge selected. Interface Displays the interface where the bridge transferred packets.
  • Page 706: Igmp

    13 - 100 WiNG 5 Access Point System Reference Guide 13.3.17.4 IGMP  Network Internet Group Management Protocol (IGMP) is a protocol used for managing members of IP multicast groups. The access point listens to IGMP network traffic and forwards the IGMP multicast packets to radios on which the interested hosts are connected.
  • Page 707 Statistics 12 - 101 6. The Multicast Router (MRouter) table displays the following: VLAN Displays the group VLAN where the multicast transmission is conducted. Learn Mode Displays the learning mode used by the router as either Static or PIM-DVMRP. Port Members Displays the ports on which multicast clients have been discovered by the multicast router.
  • Page 708: Dhcp Options

    13 - 102 WiNG 5 Access Point System Reference Guide 13.3.17.5 DHCP Options  Network Supported access points can use a DHCP server resource to provide the dynamic assignment of IP addresses automatically. This is a protocol that includes IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host.
  • Page 709 Statistics 12 - 103 Configuration Displays the name of the configuration file on the DHCP server. Legacy Adoption Displays legacy device adoption information on behalf of the access point. Adoption Displays adoption information on behalf of the access point. Refresh Select the Refresh button to update the screen’s statistics counters to their latest values.
  • Page 710: Cisco Discovery Protocol

    13 - 104 WiNG 5 Access Point System Reference Guide 13.3.17.6 Cisco Discovery Protocol  Network The Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer network protocol implemented in Cisco networking equipment and used to share information about network devices. To view an access point’s CDP statistics: 1.
  • Page 711: Link Layer Discovery Protocol

    Statistics 12 - 105 Refresh Select Refresh to update the statistics counters to their latest values. 13.3.17.7 Link Layer Discovery Protocol  Network The Link Layer Discovery Protocol (LLDP) or IEEE 802.1AB is a vendor-neutral Data Link Layer protocol used by network devices for advertising (announcing) their identity, capabilities, and interconnections on an IEEE 802 LAN network.
  • Page 712: Dhcp Server

    13 - 106 WiNG 5 Access Point System Reference Guide Platform Displays the model number of the LLDP capable device. Port ID Displays the identifier for the local port. Displays the time to live for each LLDP connection. Clear Neighbors Select Clear Neighbors to remove all known LLDP neighbors from the table. Refresh Select Refresh to update the statistics counters to their latest values.
  • Page 713 Statistics 12 - 107 4. Select General. Figure 13-57 Access Point Network DHCP Server - General tab 5. The General screen displays the following: Interfaces Displays the interface used for the newly created DHCP configuration. State Displays the current state of the DHCP server. IP Address Displays the IP address assigned to the client.
  • Page 714: Dhcp Bindings

    13 - 108 WiNG 5 Access Point System Reference Guide 13.3.18.1 DHCP Bindings  Network The DHCP binding information screen displays DHCP binding information such as expiry time, client IP addresses and their MAC address. To view a network’s DHCP Bindings: 1.
  • Page 715: Dhcp Networks

    Statistics 12 - 109 13.3.18.2 DHCP Networks  Network The DHCP server maintains a pool of IP addresses and client configuration parameters (default gateway, domain name, name servers etc). On receiving a valid client request, the server assigns the computer an IP address, a lease (the validity of time), and other IP configuration parameters.
  • Page 716: Packet Flows

    13 - 110 WiNG 5 Access Point System Reference Guide 13.3.19.1 Packet Flows Total Active Flows graph displays the total number of flows supported. Other bar graphs display for each individual packet type. The Packet Flows screen displays data traffic packet flow utilization. The chart represents the different protocol flows supported, and displays a proportional view of the flows in respect to their percentage of data traffic utilized.
  • Page 717: Denial Of Service

    Statistics 12 - 111 13.3.19.2 Denial of Service  Firewall A denial-of-service attack (DoS attack) or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out a DoS attack may vary, it generally consists of concerted efforts to prevent an Internet site or service from functioning efficiently.
  • Page 718 13 - 112 WiNG 5 Access Point System Reference Guide Clear All Select the Clear All button to clear the screen of its current status and begin a new data collection. Refresh Select the Refresh button to update the screen’s statistics counters to their latest values.
  • Page 719: Ip Firewall Rules

    Statistics 12 - 113 13.3.19.3 IP Firewall Rules  Firewall Create firewall rules to let any computer send traffic to, or receive traffic from, programs, system services, computers or users. Firewall rules can be created to take one of the three actions listed below that match the rule’s criteria: •...
  • Page 720 13 - 114 WiNG 5 Access Point System Reference Guide Refresh Select the Refresh button to update the screen’s statistics counters to their latest values.
  • Page 721: Mac Firewall Rules

    Statistics 12 - 115 13.3.19.4 MAC Firewall Rules  Firewall The ability to allow or deny access point connectivity by client MAC address ensures malicious or unwanted clients are unable to bypass the access point’s security filters. Firewall rules can be created to support one of the three actions listed below that match the rule’s criteria: •...
  • Page 722 13 - 116 WiNG 5 Access Point System Reference Guide MAC Firewall Rules screen provides the following information: Precedence Displays the precedence value, which is applied to packets. The rules within an Access Control Entries (ACL) list are based on their precedence values. Every rule has a unique precedence value between 1 and 5000.
  • Page 723: Nat Translations

    Statistics 12 - 117 13.3.19.5 NAT Translations  Firewall To view the Firewall’s NAT translations: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation.
  • Page 724 13 - 118 WiNG 5 Access Point System Reference Guide Reverse Source Port Displays the source port for the reverse NAT flow (contains ICMP ID if it is an ICMP flow). Reverse Dest IP Displays the destination IP address for the reverse NAT flow. Reverse Dest Port Displays the destination port for the reverse NAT flow (contains ICMP ID if it...
  • Page 725: Dhcp Snooping

    Statistics 12 - 119 13.3.19.6 DHCP Snooping  Firewall When DHCP servers are allocating IP addresses to clients on the LAN, DHCP snooping can be configured to better enforce the security on the LAN to allow only clients with specific IP/MAC addresses. 1.
  • Page 726: Vpn

    13 - 120 WiNG 5 Access Point System Reference Guide Lease Time When a DHCP server allocates an address for a DHCP client, the client is assigned a lease (which expires after a designated interval defined by the administrator). The lease time is the time an IP address is reserved for re-connection after its last use.
  • Page 727: Ikesa

    Statistics 12 - 121 13.3.20.1 IKESA  The IKESA screen allows for the review of individual peer security association statistics. 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation.
  • Page 728: Ipsec

    13 - 122 WiNG 5 Access Point System Reference Guide Clear All Select the Clear All button to clear each peer of its current status and begin a new data collection. Refresh Select the Refresh button to update the screen’s statistics counters to their latest values.
  • Page 729 Statistics 12 - 123 State Lists the last known or current status of each listed peer’s IPSec tunnel session. SPI In Lists stateful packet inspection (SPI) status for incoming IPSec tunnel packets. SPI tracks each connection traversing the IPSec VPN tunnel and ensures they are valid.
  • Page 730: Certificates

    13 - 124 WiNG 5 Access Point System Reference Guide 13.3.21 Certificates  Access Point Statistics The Secure Socket Layer (SSL) protocol ensures secure transactions between Web servers and browsers. SSL uses a third-party certificate authority to identify one (or both) ends of a transaction. A browser checks the certificate issued by the server before establishing a connection.
  • Page 731: Trustpoints

    Statistics 12 - 125 13.3.21.1 Trustpoints  Certificates Each certificate is digitally signed by a trustpoint. The trustpoint signing the certificate can be a certificate authority, corporate or individual. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters and an association with an enrolled identity certificate.
  • Page 732 13 - 126 WiNG 5 Access Point System Reference Guide Figure 13-67 Access Point Certificate - Trustpoint screen...
  • Page 733 Statistics 12 - 127 5. The Certificate Details field displays the following: Subject Name Lists details about the entity to which the certificate is issued. Alternate Subject Name Displays alternative details to the information specified under the Subject Name field. Issuer Name Displays the name of the organization issuing the certificate.
  • Page 734: Rsa Keys

    13 - 128 WiNG 5 Access Point System Reference Guide 13.3.21.2 RSA Keys  Certificates Rivest, Shamir, and Adleman (RSA) is an algorithm for public key cryptography. It’s the first algorithm known to be suitable for signing, as well as encryption. The RSA Keys screen displays a list of RSA keys installed in the selected access point.
  • Page 735: Wips

    Statistics 12 - 129 13.3.22 WIPS  Access Point Statistics A Wireless Intrusion Prevention System (WIPS) monitors the radio spectrum for the presence of unauthorized access points and takes measures to prevent an intrusion. Unauthorized attempts to access the WLAN are generally accompanied by anomalous behavior as intruding clients try to find network vulnerabilities.
  • Page 736: Wips Client Blacklist

    13 - 130 WiNG 5 Access Point System Reference Guide 13.3.22.1 WIPS Client Blacklist  WIPS The Client Blacklist displays blacklisted clients detected by this access point using WIPS. Blacklisted clients are not allowed to associate to this access point. To view the WIPS client blacklist for this access point: 1.
  • Page 737: Wips Events

    Statistics 12 - 131 13.3.22.2 WIPS Events  WIPS The WIPS Events screen details the wireless intrusion event by an access point. To view the WIPS events statistics: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation.
  • Page 738: Sensor Servers

    13 - 132 WiNG 5 Access Point System Reference Guide Refresh Select the Refresh button to update the screen’s statistics counters to their latest values. 13.3.23 Sensor Servers  Access Point Statistics Sensor servers allow the monitoring and download of data from multiple sensors and remote locations using Ethernet TCP/IP or serial communication.
  • Page 739: Captive Portal

    Statistics 12 - 133 13.3.24 Captive Portal  Access Point Statistics A captive portal forces an HTTP client to use a special Web page for authentication before using the Internet. A captive portal turns a Web browser into a client authenticator. This is done by intercepting packets regardless of the address or port, until the user opens a browser and tries to access the Internet.
  • Page 740 13 - 134 WiNG 5 Access Point System Reference Guide Refresh Select the Refresh button to update the screen’s statistics counters to their latest values.
  • Page 741: Network Time

    Statistics 12 - 135 13.3.25 Network Time  Access Point Statistics Network Time Protocol (NTP) is central to networks that rely on their access point(s) to supply system time. Without NTP, access point supplied network time is unpredictable, which can result in data loss, failed processes, and compromised security.
  • Page 742: Ntp Status

    13 - 136 WiNG 5 Access Point System Reference Guide 13.3.25.1 NTP Status  Network Time To view the Network Time statistics of an access point: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation.
  • Page 743 Statistics 12 - 137 Root Delay The total round-trip delay in seconds. This variable can take on both positive and negative values, depending on relative time and frequency offsets. The values that normally appear in this field range from negative values (a few milliseconds) to positive values (several hundred milliseconds).
  • Page 744: Ntp Association

    13 - 138 WiNG 5 Access Point System Reference Guide 13.3.25.2 NTP Association  Network Time The interaction between the access point and an NTP server constitutes an association. NTP associations can be either peer associations (the access point synchronizes to another system or allows another system to synchronize to it), or server associations (only the access point synchronizes to the NTP resource, not the other way around).
  • Page 745: Load Balancing

    Statistics 12 - 139 Reach Displays the status of the last eight SNTP messages. If an SNTP packet is lost, the lost packet is tracked over the next eight SNTP messages. Reference IP Address Displays the address of the time source the access point is synchronized to. Server IP Displays the numerical IP address of the SNTP resource (server) providing...
  • Page 746 13 - 140 WiNG 5 Access Point System Reference Guide Figure 13-75 Access Point - Load Balancing screen 4. The Load Balancing screen displays the following: Load Balancing Select any of the options to display any or all of the following information in the graph below: AP Load, 2.4GHz Load, 5GHz Load, and Channel.
  • Page 747: Wireless Client Statistics

    Statistics 12 - 141 13.4 Wireless Client Statistics The wireless client statistics display read-only statistics for a client selected from within its connected access point’s directory. It provides an overview of the health of wireless clients in the access point managed network. Use this information to assess if configuration changes are required to improve client performance.
  • Page 748 13 - 142 WiNG 5 Access Point System Reference Guide Figure 13-76 Wireless Client - Health screen 5. The Wireless Client field displays the following: Client MAC Displays the MAC address of the selected wireless client. Vendor Displays the vendor name or the manufacturer of the wireless client. State Displays the state of the wireless client.
  • Page 749 Statistics 12 - 143 6. The User Details field displays the following: Username Displays the unique name of the administrator or operator managing the client’s connected access point. Authentication Lists the authentication scheme applied to the client for interoperation with the access point.
  • Page 750: Details

    13 - 144 WiNG 5 Access Point System Reference Guide 9. The Traffic Utilization field displays statistics on the traffic generated and received by the selected wireless client. This area displays the traffic index, which measures how efficiently the traffic medium is utilized. It’s defined as the percentage of current throughput relative to the maximum possible throughput.
  • Page 751 Statistics 12 - 145 Figure 13-77 Wireless Clients - Details screen 5. The Wireless Client field displays the following: SSID Displays the client’s Service Set ID. RF Domain Displays the access point RF Domain to which the connected client is a member.
  • Page 752 13 - 146WiNG 5 Access Point System Reference Guide Captive Portal Displays whether captive portal authentication is enabled (True of False). Auth. 7. The Connection field displays the following: Idle Time Displays the time for which the wireless client remained idle. Last Active Displays the time in seconds the wireless client was last in contact with its connected access point.
  • Page 753: Traffic

    9. The 802.11 Protocol field displays the following: High-Throughput Displays whether high throughput is supported. High throughput is a measure of the successful packet delivery over a communication channel. RIFS Displays whether this feature is supported. RIFS is a required 802.11n feature that improves performance by reducing the amount of dead time between OFDM transmissions.
  • Page 754 Figure 13-78 Wireless Clients - Traffic screen Traffic Utilization statistics utilize a traffic index, which measures how efficiently the traffic medium is used. It’s defined as the percentage of current throughput relative to the maximum possible throughput. This screen also provides the following: Total Bytes Displays the total bytes processed by the access point’s connected client.
  • Page 755 Tx Dropped Packets Displays the client’s number of dropped packets while transmitting to its connected access point. Tx Retries Displays the total number of client transmit retries with its connected access point. Rx Errors Displays the degree of errors encountered by the client during data transmission.
  • Page 756: Wmm Tspec

    R-Value Displays the R-value. R-value is a number or score that is used to quantitatively express the quality of speech in communications systems. This is used in digital networks that carry Voice over IP (VoIP) traffic. The R-value can range from 1 (worst) to 100 (best) and is based on the percentage of users who are satisfied with the quality of a test voice signal after it has passed through a network from a source (transmitter) to a destination (receiver).
  • Page 757 Figure 13-79 Wireless Clients - 802.11e WMM TSPEC screen 5. The TSPEC Count displays the number of TSPECs available for the client’s packet flow. 6. The TSPEC Type field displays the following: Voice Displays the status of voice traffic prioritization. A red ‘X’ indicates this feature is disabled.
  • Page 758: Association History

    Parameter Displays the parameter for defining the traffic stream. TID identifies data packets as belonging to a unique traffic stream. Voice Displays the Voice corresponding to the TID and Media Time. Video Displays the Video corresponding to the TID and Media Time.
  • Page 759 Figure 13-80 Wireless Clients - Association History screen 5. Refer to the following to discern this client’s access point association history: Access Point Lists the access points this client has connected to, and been managed by, since the screen was last refreshed.
  • Page 760: Graph

    13.4.6 Graph Use the Graph to assess a connected client’s radio performance and diagnose radio performance issues that may be negatively impacting performance. Up to three selected performance variables can be charted at one time. The graph uses a Y-axis and an X-axis to associate selected.
  • Page 761: Customer Support

    • Software type and version number Motorola Solutions responds to calls by email or telephone within the time limits set forth in support agreements. If you purchased your product from a Motorola Solutions business partner, contact that business partner for support.
  • Page 762 A - 2 WiNG 5 Access Point System Reference Guide...
  • Page 763 Products: RFS4000, RFS6000, RFS7000, AP650 (WiNG 5.3 software), AP5131/AP5181 (5.3 software) and AP7131/7131N (5.3 software). For instructions on obtaining a copy of any source code being made publicly available by Motorola related to software used in this Motorola product, you may send a request in writing to: MOTOROLA, INC.
  • Page 764 B - 2 WiNG 5 Access Point System Reference Guide B.2.1 Wireless Controller Name Version Origin License Linux kernel 2.6.16.51 http://www.kernel.org gplv2 bridge-utils 1.0.4 http://www.kernel.org gplv2 pciutils 2.1.11 & http://mj.ucw.cz/pciutils.html gplv2 2.1.11-15.patch busybox 1.1.3 http://www.busybox.net gplv2 LILO 22.6 http://lilo.go.dyndns.org e2fsprogs busybox-1.1.3...
  • Page 765 Appendix B Publicly Available Software B - 3 Name Version Origin License Authentication http://www.kernel.org/pub/linux/libs/pam/ gplv2 modules diff utility 2.8.1 http://www.gnu.org/software/diffutils/diffutils. gplv2 html nano editor 1.2.4 http://www/nano-editor.org gplv2 thttpd 2.25b http://www.acme.com net-snmp 5.3.0.1 http://net-snmp.sourceforge.net smidump 0.4.3 http://www.ibr.cs.tu-bs.de/projects/libsmi/inde library x.html OpenSSH 5.4p1 http://www.openssh.com OpenSSL 0.9.8n...
  • Page 766 B - 4 WiNG 5 Access Point System Reference Guide Name Version Origin License libpopt 1.14-4 http://packages.debian.org/changelogs/pool/m ain/p/popt/ libusb 0.1.12 http://www.libusb.org/ lgplv2 sysstat 9.0.3 http://sebastien.godard.pagesperso-orange.fr/ gplv2 pychecker 0.8.18 http://pychecker.sourceforge.net/ aestable.c http://geocities.com/malbrain/aestable_c.html public domain as3-rpc Library http://code.google.com/p/as3-rpclib/ flare 2009.01.24 http://flare.prefuse.org/ Pyparsing 1.5.1...
  • Page 767 Appendix B Publicly Available Software B - 5 Name Version Origin License dropbear 0.51 http://matt.ucc.asn.au/dropbear/dropbear.ht dropbear e2fsprogs 1.40.11 http://e2fsprogs.sourceforge.net/ gplv2 4.1.2 http://gcc.gnu.org/ gplv2 http://www.gnu.org/software/gdb/ gplv2 genext2fs 1.4.1 http://genext2fs.sourceforge.net/ gplv2 glibc http://www.gnu.org/software/libc/ gplv2 hostapd 0.6.9 http://hostap.epitest.fi/hostapd/ gplv2 hotplug2 http://isteve.bofh.cz/~isteve/hotplug2/ gplv2 ipkg-utils http://www.handhelds.org/sources.html gplv2 iproute2...
  • Page 768 B - 6 WiNG 5 Access Point System Reference Guide Name Version Origin License squashfs http://squashfs.sourceforge.net/ gplv2 StrongSwan 4.50 http://www.strongswan.org gplv2 u-boot trunk-2010-03-30 http://www.denx.de/wiki/U-Boot/ gplv2 B.2.3 AP51xx Name Version Origin License Linux 2.4.20_mv131-ix www.mvista.com gplv2 and MontaVista dp4xx Apache Web 1.3.41...
  • Page 769 Appendix B Publicly Available Software B - 7 Name Version Origin License busybox 1.11.3 http://www.busybox.net/ gplv2 e2fsprogs 1.40.11 http://e2fsprogs.sourceforge.net/ gplv2 flex 2.5.4 http://flex.sourceforge.net/ freeradius 2.0.2 http://www.freeradius.org/ gplv2 4.1.2 http://gcc.gnu.org/ gplv2 http://www.gnu.org/software/gdb/ gplv2 genext2fs 1.4.1 http://genext2fs.sourceforge.net/ gplv2 glibc http://www.gnu.org/software/libc/ gplv2 ipkg-utils http://www.handhelds.org/sources.html gplv2 iptables...
  • Page 770 B - 8 WiNG 5 Access Point System Reference Guide Name Version Origin License snmpagent 5.0.9 http://sourceforge.net/ strace 4.5.18 http://sourceforge.net/projects/strace// u-boot Trunk-2010-03-3 http://www.denx.de/wiki/U-Boot/ gplv2 wireless_tools http://www.hpl.hp.com/personal/Jean_Tour gplv2 rilhes/Linux/Tools.html wuftpd 1.0.21 http://wu-ftpd.therockgarden.ca/ wuftpd zlib 1.2.3 http://www.zlib.net/ zlib...
  • Page 771 B.3 OSS Licenses B.3.1 GNU General Public License 2.0 GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
  • Page 772 work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty;...
  • Page 773 corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.
  • Page 774 For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed...
  • Page 775 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
  • Page 776 The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.
  • Page 777 In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.
  • Page 778 faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.
  • Page 779 whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6.
  • Page 780 automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
  • Page 781 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  • Page 782 M.I.T. and the M.I.T. S.I.P.B. make no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. B.3.5 WU-FTPD License...
  • Page 783 IN NO EVENT SHALL THE WU-FTPD DEVELOPMENT GROUP, THE COPYRIGHT HOLDERS, OR CONTRIBUTORS, BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;...
  • Page 784 Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL.
  • Page 785 Jean-loup Gailly Mark Adler jloup@gzip.org madler@alumni.caltech.edu B.3.8 Open LDAP Public License The OpenLDAP Public License Version 2.8, 17 August 2003 Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met: 1.
  • Page 786 cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
  • Page 787 d. If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works;...
  • Page 788 with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  • Page 789 ===== Import code in keyimport.c is modified from PuTTY's import.c, licensed as follows: PuTTY is copyright 1997-2003 Simon Tatham. Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, and CORE SDI S.A.
  • Page 790 2.1. Original Contributor Grant. Subject to Your compliance with Sections 3, 8.10 and Attachment A of this License, Original Contributor grants to You a worldwide, royalty-free, non-exclusive license, to the extent of Original...
  • Page 791 protection scheme limited to Licensees and a click-on, download certification of Licensee status required of those attempting to download from the server. An example of an acceptable certification is attached as Attachment A-2. c) Notices.
  • Page 792 "Com.sun", and use this as a prefix for Your package names, using a convention developed within Your organization to further administer package names." 3.2. Additional Requirements and Responsibilities. Any additional requirements and responsibilities relating to the Technology are listed in Attachment F (Additional Requirements and Responsibilities), if applicable, and are hereby incorporated into this Section 3.
  • Page 793 having then actually been paid by You to Original Contributor for the Original Code, Upgraded Code and TCK, depreciated on a straight line, five year basis. 7.2. LIMITATION OF LIABILITY. TO THE FULL EXTENT ALLOWED BY APPLICABLE LAW, ORIGINAL CONTRIBUTOR'S LIABILITY TO YOU FOR CLAIMS RELATING TO THIS LICENSE, WHETHER FOR BREACH OR IN TORT, SHALL BE LIMITED TO ONE HUNDRED PERCENT (100%) OF THE AMOUNT HAVING THEN ACTUALLY BEEN PAID BY YOU TO ORIGINAL CONTRIBUTOR FOR ALL COPIES LICENSED HEREUNDER OF THE PARTICULAR ITEMS GIVING RISE TO SUCH CLAIM, IF...
  • Page 794 provisional or emergency relief from a court of competent jurisdiction. The arbitrator shall have no authority to award damages in excess of those permitted in this License and any such award in excess is void. All awards will be payable in U.S.
  • Page 795 5. "Contributor" means each Licensee that creates or contributes to the creation of any Error Correction or Shared Modification. 6. "Covered Code" means the Original Code, Upgraded Code, Modifications, or any combination thereof. 7.
  • Page 796 25. "Technology Download Site" means the site(s) designated by Original Contributor for access to the Original Code, Upgraded Code, TCK and Specifications. 26. "Upgrade(s)" means new versions of Technology designated exclusively by Original Contributor as an Upgrade and released by Original Contributor from time to time.
  • Page 797 Java (tm) Platform, Standard Edition, Java 2 JDK 1.4.2 Source Technology as described on the Technology Download Site. ATTACHMENT C INTERNAL DEPLOYMENT USE This Attachment C is only effective for the Technology specified in Attachment B, upon execution of Attachment D (Commercial Use License) including the requirement to pay royalties.
  • Page 798 2.1. Definitions. a) "Added Value" means code which: (i) has a principal purpose which is substantially different from that of the stand-alone Technology; (ii) represents a significant functional and value enhancement to the Technology;...
  • Page 799 Java Platform, Micro Edition Connected Limited Device Configuration. (iii) A Profile as integrated with a Configuration must pass the applicable TCK for the Technology. 2.3. Compatibility Testing. Successful compatibility testing must be completed by You, or at Original Contributor's option, a third party designated by Original Contributor to conduct such tests, in accordance with the User's Guide.
  • Page 800 B.3.13 ZLIB / LIB PNG License Copyright (C) 1999-2006 Takeshi Kanno This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.
  • Page 802 MOTOROLA, MOTO, MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark Holdings, LLC and are used under license. All other trademarks are the property of their respective owners. © 2012 Motorola Solutions, Inc. All Rights Reserved.
