Airgo Networks AGN1202AP0000 802.11 a/b/g True MIMO Access Point User Manual 2


7 Managing Security
Installation and Configuration Guide: Airgo Access Point

encryption provides no protection, and is only recommended when security is not of concern. WPA-AES is recommended for all installations, if possible.

Configure and view the following aspects of network and user security from the web interface:

• Wireless Security—Select protocols for data encryption and user authentication.
• Authentication Zones—Group resources for user authentication.
• Administrator Security—Set the administrator login and password to access the AP.
• RADIUS Servers—Identify authorized RADIUS servers and zones.
• Security Statistics—View security-related statistics, including authentication, 802.1x supplicant, and authentication diagnostic statistics.
• Advanced—Configure advanced RADIUS properties.

Configuring Wireless Security

Choose Wireless Security from the Security Services menu to configure the protocols for data encryption and user authentication. The Wireless Security panel contains two tabs:

• Security Mode—Configure WPA, WEP, or open encryption and authentication.
• SSID Auth—Identify the authentication server for the SSID.

Security Mode

Use the Security Mode tab (Figure 102) to assign the encryption and authentication methods, including WPA, WEP, or Open. Allowing multiple encryption modes can be useful to support installations with a mixture of client wireless adapters. There are some limitations to the allowed combinations; it is not possible to enable both WEP and Open simultaneously. Also, Open and WPA encryption modes require each mode to be mapped to a separate VLAN (see “Configuring VLANs” on page 105).

Table 12: Encryption Options

| Type | Description |
|---|---|
| AES | Highest level of protection |
| TKIP | WEP with additional protection |
| WEP 128 | First generation encryption using 128-bit keys, does not provide adequate protection |
| WEP 64 | First generation encryption using 64-bit keys, does not provide adequate protection |
| Open | No protection |
Figure 102: Security Services - Security Mode

WPA Security

Select Enable WPA to activate the WPA authentication and encryption fields. The following options are available:

| Field | Description |
|---|---|
| WPA Security Mode | WPA-EAP—For RADIUS-based networking keying; WPA-PSK—For pre-shared keys |
| Encryption Type | AES, TKIP, AES and TKIP |

NOTE: Selecting WPA-EAP or WPA-PSK displays a link that leads to the SSID Authentication tab. Refer to “SSID Authentication” on page 140 for instructions on using this tab.

NOTE: Some early versions of WPA-capable client software may not permit a client to associate to the AP when multiple modes of encryption and authentication are chosen.

Click Apply to save the configuration, or Reset to return to the previously saved values.

WPA provides strong encryption support with the AES and TKIP algorithms.

WEP Security

If it is necessary to configure WEP security, select Enable WEP to activate the WEP fields. Configure the following values in the WEP security area:

| Field | Description |
|---|---|
| Enable WEP | Activate the WEP settings. The Airgo AP supports WEP with dynamic and manually entered keys. To use dynamic keys, select WEP, but do not enter values in the Key fields. |
| Key-Length | Select 64-bit or 128-bit |
| Key 1 - Key 4 | For manual keys, enter up to four WEP key values. Each WEP key is 26 hex-ASCII characters. (required if security mode is WEP) |

Click Apply to save the settings or Reset to clear the fields on the panel.

Open Access

Select Enable Open Access to omit data encryption. A pop-up message warns of the potential security risk in using open access. Click OK to continue.

SSID Authentication

Use the SSID Authentication tab (Figure 103) to assign RADIUS Authentication servers or a WPA pre-shared key. RADIUS based authentication uses lists of servers, called authentication zones, which are provided by the Airgo AP security portal or an external RADIUS server. Each SSID can be configured with the RADIUS servers used for EAP authentication and the WPA pre-shared key (if applicable).

MAC-ACL lookups can be enabled for clients that associate with WPA-PSK, manual WEP keys, or with no security. MAC-ACL is not applicable when per-user authentication is performed and a user name is available.
Figure 103: Security Services - SSID Auth

Assign the following values to configure SSID authentication:

| Feature | Description |
|---|---|
| SSID Name | Select from the SSID pull-down list. Click SSID Details to view more SSID-related information, enable multiple SSIDs, or change other SSID attributes. |
| WPA Pre-Shared Key | Enter the pre-shared key for WPA, if appropriate. This field is grayed out if WPA-PSK is not the selected authentication type. |
| Authentication Server Configuration | Select the Security Portal or External Authentication Server radio button. For Security Portal, the IP addresses of all security portals are displayed below the radio button. For External security, select from the list of RADIUS servers or click Go at the bottom of the tab to configure the authentication server list (see “Authentication Zones” on page 143). (required) |
| Enable MAC Access Control List | Select to enable authentication using MAC addresses that are centrally managed in a RADIUS server. For MAC-ACL authentication, it is necessary to use a security portal or external RADIUS server. |

Click Apply to save changes or Reset to return to previously saved values. It may be necessary to click Back on your browser to return to the Security Configuration panel. Make sure to also click Apply on the Security Configuration panel.

An external RADIUS server can also be added from this tab. Click Go at the bottom of the tab to open the Authentication Zone tab of the Authentication Zones panel. For instructions on adding a server, refer to “Configuring Authentication Zones” on page 143.
If an external RADIUS server is to be used for MAC address based ACL lookups, the following apply:

1. The RADIUS server must have PAP authentication enabled for these MAC ACL users.
2. The RADIUS server can expect the AP to send the following standard RADIUS attributes in the authentication request for purposes of policy configuration and interoperability. (MAC addresses must be sent with no colon or hyphen separators):

| Attribute | Description |
|---|---|
| User-Name | MAC address |
| User-Password | MAC address |
| Message-Authenticator | RADIUS extension providing enhanced authentication of message contents. (This is the same as the signature attribute in some RADIUS servers). |
| NAS-IP-Address | Management IP address of the AP |
| NAS-Port | Radio interface number for the associating station |
| NAS-Port-Type | Standard value Wireless - IEEE 802.11. Indicates that the user has requested access via an 802.11 port on the AP. |

3. The RADIUS server should enforce a policy such that MAC ACL users are only allowed to use PAP authentication for Wireless. This is important because the username and password are not secret.
4. The RADIUS server may optionally send back the Session-Timeout attribute to override the AP default session-timeout.
5. The RADIUS server may optionally send back an attribute encoded with the user group.

If an external RADIUS server is used for EAP based authentication (with WPA or with legacy 802.1x), the following information should be used when configuring the server:

1. The RADIUS server can expect the AP to send the following standard RADIUS attributes in the authentication request for purposes of policy configuration and interoperability:

| Attribute | Description |
|---|---|
| User-Name | Contains the MAC address in the format specified above. |
| EAP-Message | Contains the EAP messages received from the station. |
| Framed-MTU | Contains a hint to help the RADIUS server for EAP fragmentation |
| Message-Authenticator | The RADIUS extension that provides enhanced authentication of the message contents. (Also referred to as signature attribute in some RADIUS servers). |
| NAS-IP-Address | Contains the management IP address of the AP. |
| NAS-Port | Contains the radio interface number on which the station is associating. |
| NAS-Port-Type | Contains the standard value “Wireless - IEEE 802.11” to indicate that the user to be authenticated has requested access via an 802.11 port on the AP. |

2. The RADIUS server can use these attributes to enforce policies such that EAP based authentication is mandatory for Wireless.
3. The RADIUS server may optionally send back the “Session-Timeout” attribute to override the AP default session-timeout.
4. The RADIUS server may optionally send back an attribute encoded with the user group.

Configuring Authentication Zones

RADIUS servers may be used to authenticate wireless users and administrative users, and to check MAC Access Control Lists for the SSID. Select Authentication Zones from the Security Services menu to define zones for RADIUS authentication and to add external RADIUS servers to the list of available authentication servers. Configure the servers first, and then include them in zones. The Authentication Zone panel contains two tabs:

• Auth Zones—Define zones for RADIUS authentication.
• Auth Servers—Add RADIUS servers.

Authentication Zones

On the Authentication Zones tab (Figure 104), you can create new authentication zones or modify existing ones. Select check boxes for authentication zones you want to modify or delete, or click Add to add a new zone.

Figure 104: Authentication Zones - Auth Zones

Set the following values on the Add Auth Zone entry panel (Figure 105):

| Field | Description |
|---|---|
| Auth Zone | Name of the authentication zone. |
| Auth Server list | List of possible servers to add to the zone. Select desired servers. |

Click Add after making selections.
Figure 105: Authentication Zones - Add Auth Zones

To add a new authentication server, click Add Auth-Server, and enter the following values for each new RADIUS server:

| Field | Description |
|---|---|
| Auth Server | IP address of the RADIUS authentication server. |
| Shared Secret | Enter and confirm the secret key. |
| Port Number | Port number for the server (default is 1812). |

Click Add to save the values, or click Reset to clear the fields on the panel.

Click Back on your browser to return to the Auth Zone panel. Set an authentication zone for administrative users by selecting from the pull-down list.

Authentication Servers

Open the Authentication Servers tab (Figure 106) to view the current authentication servers and add or delete servers.

This table shows the list of both internal (security portals) and external auth servers. The servers that do not have a check box against them are security portals.

Figure 106: Authentication Zones - Auth Servers

Configuring Administrator Security

Choose Administrator Security from the Security Services menu to open the Administrator Security panel (Figure 107).
Figure 107: Administrator Security - Admin Password

Set the following values on this panel:

| Field | Description |
|---|---|
| Change Local Admin Password | Enter the old password and the new password, and confirm the new password. This password is used for the local administrative login and the SNMPv3 administrative login. (required) |
| RADIUS Authentication for Network Administrator Login | Select whether to use the Portal AP security feature for network administrator authentication or use an external RADIUS server. With the external RADIUS server option, links are available to add, delete, or edit the list of servers. (required) |

Click Apply to save the settings or Reset to clear the fields on the panel.

External RADIUS Server Settings

The following rules apply for an external RADIUS server:

• The external RADIUS server must have Password Authentication Procedure (PAP) authentication enabled for administrative users.
• The Airgo AP sends a standard RADIUS attribute called “Service-Type” in the authentication request. The value of this attribute is set to “Administrative” to indicate that the user to be authenticated has requested access to an administrative interface on the AP.
• If the user authentication is successful, the RADIUS server must send back an Airgo vendor-specific attribute defined as follows: vendor-id=13586, vendor sub-type=3, integer value = 1.
This attribute informs the AP that the user is not a normal user, but rather an administrator who may be granted access to the privileged administrative interface.

Viewing Security Statistics

Choose the Security Statistics item from the menu tree to open the Security Statistics panels. This panel contains the following tabs:

• Auth Stats—View authentication statistics for each selected AP radio.
• Suppl Stats (Supplicant Statistics)—View statistics on 802.1x requests, for each selected BP radio.
• Auth Diag—View authentication diagnostics statistics, including back-end data.

Each of the tabs includes a Reset button to return the statistics to zero and begin collecting them again.

Authentication Statistics

The Authentication Statistics tab (Figure 108) contains EAPOL statistics, which correspond to authentication messages sent between a station and an AP. These are generated by the traffic from WPA or 802.1x based wireless authentication. Only radios in AP mode produce this data.

Figure 108: Security Statistics - Authentication Stats
The tab contains the following information:

| Field | Description |
|---|---|
| Interface | Select the radio interface of interest for viewing statistics. |
| Last RX EAPOL Frame Source | The source MAC address from the last EAPOL frame received by the AP. This identifies a station or BP that is currently authenticating or re-authenticating with the AP. |
| Last RX EAPOL Frame Version | The EAPOL version from the last EAPOL frame received by the AP. |
| RX EAPOL | The total number of EAPOL frames received by the AP. |
| RX EAPOL-Start | The total number of EAPOL-Start frames received by the AP. This count increments as stations or BPs request the AP to start their authentication sequence. |
| RX EAPOL-Logoff | The total number of EAPOL-Logoff frames received by the AP. This count may not increment as most 802.1x peers do not send this frame for security reasons. |
| RX EAPOL Response-ID | The total number of EAPOL based EAP Response-ID frames received by the AP. This count increments as stations or BPs present their user-id or device-id information to the AP at the start of the authentication sequence. |
| RX EAPOL Response | The total number of EAPOL based EAP Response frames received by the AP that do not contain an EAP Response-ID. This count increments as the AP receives authentication credentials derived from passwords or certificates from stations or BPs that are authenticating with it. |
| RX Invalid EAPOL | The total number of EAPOL frames received by the AP that have invalid packet type fields. These frames are discarded by the AP. |
| RX EAP Length Error | The total number of EAPOL frames received by the AP that have invalid packet body length fields. These frames are discarded by the AP. |
| TX EAPOL | The total number of EAPOL frames transmitted by this AP. |
| TX EAPOL Request-ID | The total number of EAPOL based EAP Request-ID frames transmitted by this AP. This count increments as the AP sends authentication frames to stations or BPs requesting them to return their user-id or device-id information at the very start of the authentication sequence. |
| TX EAPOL Request | The total number of EAPOL based EAP Request frames transmitted by the AP that do not contain an EAP Request-ID. This count increments as the AP transmits authentication credentials derived from passwords or certificates to the stations or BPs that are authenticating with it. |

Supplicant Statistics

The Supplicant Stats tab (Figure 109) reports on authentication messages sent between a local BP radio and the upstream AP. Only radios in BP mode return these statistics. The statistics are generated from the EAPOL protocol, which is used for 802.1x authentication.
Figure 109: Security Statistics - Supplicant Stats

The tab contains the following information:

| Field | Description |
|---|---|
| Interface | Select the radio interface of interest for viewing statistics. |
| Last RX EAPOL Frame Source | The source MAC address from the last EAPOL frame received by the BP. This identifies the upstream AP that is currently authenticating or re-authenticating with the BP. |
| Last RX EAPOL Frame Version | The EAPOL version from the last EAPOL frame received by the BP. |
| RX EAPOL | The total number of EAPOL frames received by the BP. |
| RX EAPOL Request-ID | The total number of EAPOL based EAP Request-ID frames received by this BP. This count increments as the AP sends authentication frames to the BP requesting it to return its device-id information at the very start of the authentication sequence. |
| RX EAPOL Request | The total number of EAPOL based EAP Request frames received by the BP that do not contain an EAP Request-ID. This count increments as the AP transmits authentication credentials derived from certificates to the BP. |
| RX Invalid EAPOL | The total number of EAPOL frames received by the BP that have invalid packet type fields. These frames are discarded by the BP. |
| RX EAP Length Error | The total number of EAPOL frames received by the BP that have invalid packet body length fields. These frames are discarded by the BP. |
| TX EAPOL | The total number of EAPOL frames transmitted by this BP. |
| TX EAPOL-Start | The total number of EAPOL-Start frames transmitted by the BP. This count goes up as the BP requests the AP to start its authentication sequence. |
| TX EAPOL-Logoff | The total number of EAPOL-Logoff frames transmitted by the BP. This count will not increment as the BP does not send this 802.1x frame for security reasons. |
| TX EAPOL Response-ID | The total number of EAPOL based EAP Response-ID frames transmitted by this BP. This count increments as the BP sends authentication frames to the AP with its device-id information at the very start of the authentication sequence. |
| TX EAPOL Response | The total number of EAPOL based EAP Response frames transmitted by the BP that do not contain an EAP Response-ID. This count increments as the BP transmits authentication credentials derived from certificates to the AP that is authenticating with it. |

Authentication Diagnostics

The Authentication Diagnostics tab (Figure 110) contains a summary of the Access Point authenticator events received from a backend authentication server. These events are generated for any RADIUS based authentication and can include WPA (EAP based) or MAC-ACL authentication.

Figure 110: Security Statistics - Authentication Diagnostics

The tab contains the following information:

| Field | Description |
|---|---|
| Responses from Auth Server | The total number of RADIUS authentication related packets received from the backend authentication server. |
| Access Challenges | The total number of RADIUS authentication packets that contained an ACCESS-CHALLENGE. These are sent by the RADIUS server when it is engaged in a multi-step authentication sequence. |
| Auth Successes | The total number of RADIUS authentication packets that contained an ACCESS-ACCEPT. These are sent by the RADIUS server when the authentication sequence succeeds. |
| Auth Failures | The total number of RADIUS authentication packets that contained an ACCESS-REJECT. These are sent by the RADIUS server when the authentication sequence fails. |

Configuring Advanced Parameters

Choose Advanced Configuration from the menu tree to open the Advanced RADIUS configuration panel (Figure 111). It is not necessary to modify any of the settings on this panel.

Figure 111: Advanced Configuration - Timeouts

The panel contains the following fields:

| Field | Description |
|---|---|
| Session Timeout | Time in seconds, after which a station is re-authenticated |
| Group Key Interval | Time in seconds, after which the group key is changed. This is not used if static WEP keys are enforced |
| RADIUS Timeout | Time in seconds, after which the request is retransmitted |
| RADIUS Retries | Number of retransmit attempts, after which the RADIUS request is marked as a failure. |
| External RADIUS Group-Key Attribute (for User Group ID) | RADIUS attribute used by the AP to determine the user group (see “SSID Details” on page 82). When a wireless user is authenticated by a RADIUS server, the server can optionally send the AP the ‘User Group’ for the association. If a user group is not returned, then the user is not assigned a group, and the user gets the default service profile for the SSID. By default, a Vendor Specific Attribute is used (13586, 1, String). |

Other standard or vendor specific attributes can be used to determine service policies. For example, an enterprise having an existing RADIUS attribute for VLANs can reuse the attributes for AP service profile assignments by configuring them as the RADIUS attributes for user groups.

Click Apply to implement the changes, or click Reset to return the entries on the panel to their previous values.
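The external RADIUS server rules in this chapter (MAC ACL users restricted to wireless PAP, the administrator attribute 13586/3/integer 1, and the default user-group attribute 13586/1/String) can be combined into one server-side policy check. The following is an added example, not code from Airgo or from this manual; the request dictionary, the Message-Authenticator-Valid flag, the ACL and administrator tables and all sample values are assumptions constructed for illustration, and the Service-Type and NAS-Port-Type numbers are the standard RFC 2865 values.

```python
import hmac
import re
import struct

AIRGO_VENDOR_ID = 13586          # vendor-id stated in the manual
VSA_USER_GROUP = 1               # default user-group attribute (13586, 1, String)
VSA_ADMIN = 3                    # administrator marker (13586, 3, integer value 1)
SERVICE_TYPE_ADMINISTRATIVE = 6  # RFC 2865 Service-Type "Administrative"
NAS_PORT_TYPE_WIRELESS = 19      # RFC 2865 NAS-Port-Type "Wireless - IEEE 802.11"
MAC_NO_SEPARATORS = re.compile(r"[0-9A-Fa-f]{12}")


def encode_vsa(vendor_id, subtype, value):
    """Encode one Vendor-Specific attribute (RFC 2865, type 26) as bytes."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode("utf-8")
    sub = bytes([subtype, 2 + len(data)]) + data   # vendor type, vendor length, data
    total = 2 + 4 + len(sub)                       # type + length + vendor-id + sub
    if total > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return bytes([26, total]) + struct.pack("!I", vendor_id) + sub


def decide(req, mac_acl, admins):
    """Return (verdict, reason, reply) for one parsed Access-Request.

    Hypothetical inputs: req maps attribute names to values, plus "auth"
    ("PAP" or "EAP") and "Message-Authenticator-Valid", set by the server
    after it verified that attribute. mac_acl maps MAC -> optional "group"
    and "session_timeout"; admins maps user name -> password.
    """
    user = req.get("User-Name", "")
    password = req.get("User-Password", "")
    is_mac = MAC_NO_SEPARATORS.fullmatch(user) is not None
    wireless = req.get("NAS-Port-Type") == NAS_PORT_TYPE_WIRELESS
    pap = req.get("auth") == "PAP"

    if req.get("Service-Type") == SERVICE_TYPE_ADMINISTRATIVE:
        # MAC ACL credentials are public (name and password are both the MAC),
        # so a MAC-shaped identity is never accepted for the admin interface.
        if not pap or is_mac:
            return "reject", "administrative login needs a non-MAC PAP account", {}
        expected = admins.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return "reject", "bad administrator credentials", {}
        return "accept", "administrator", {"vsa": [encode_vsa(AIRGO_VENDOR_ID, VSA_ADMIN, 1)]}

    if not wireless:
        return "reject", "only 802.11 ports may use this policy", {}
    if not pap:
        return "continue-eap", "hand over to the EAP method", {}
    # From here on: PAP on a radio port, which is only ever a MAC ACL lookup.
    if not is_mac or password.lower() != user.lower():
        return "reject", "wireless PAP is reserved for MAC ACL lookups", {}
    if req.get("Message-Authenticator-Valid") is not True:
        return "reject", "missing or invalid Message-Authenticator", {}
    entry = mac_acl.get(user.lower())
    if entry is None:
        return "reject", "MAC address not in the ACL", {}
    reply = {"vsa": []}
    if "session_timeout" in entry:                 # optional override of the AP default
        reply["Session-Timeout"] = entry["session_timeout"]
    if "group" in entry:                           # optional user group for the profile
        reply["vsa"].append(encode_vsa(AIRGO_VENDOR_ID, VSA_USER_GROUP, entry["group"]))
    return "accept", "mac-acl", reply


# Constructed sample data, not taken from any real deployment.
MAC_ACL = {"00a0c9112233": {"group": "guest", "session_timeout": 3600}}
ADMINS = {"netadmin": "constructed-admin-password"}
MAC_LOOKUP = {"User-Name": "00a0c9112233", "User-Password": "00a0c9112233", "auth": "PAP",
              "NAS-Port-Type": NAS_PORT_TYPE_WIRELESS, "Message-Authenticator-Valid": True}
SAMPLES = {
    "mac lookup on a radio port": MAC_LOOKUP,
    "same MAC asking for admin": {**MAC_LOOKUP, "Service-Type": SERVICE_TYPE_ADMINISTRATIVE},
    "same MAC from a wired port": {**MAC_LOOKUP, "NAS-Port-Type": 15},
    "administrator login": {"User-Name": "netadmin", "auth": "PAP",
                            "User-Password": "constructed-admin-password",
                            "Service-Type": SERVICE_TYPE_ADMINISTRATIVE},
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        verdict, reason, reply = decide(request, MAC_ACL, ADMINS)
        vsas = [v.hex() for v in reply.get("vsa", [])]
        print(f"{label}: {verdict} ({reason}) {vsas}")
```

Because the MAC ACL user name and password are both the station's MAC address, the two rejected MAC samples show why the policy has to key on Service-Type and NAS-Port-Type rather than on the credentials alone.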
8 Configuring Guest Access

This chapter describes how to enable guest user access to the wireless network while protecting the network from unauthorized use. It contains the following sections:

• Overview
• Configuring Guest Access
• Guest Access Services Panel

Overview

Guest access can be used to allow visitors to a facility to access the Internet through the wireless network without gaining access to the corporate network. Most current guest user solutions require guests to access a separate access point that is not part of the corporate network. The Airgo solution eliminates this requirement by restricting guest access through VLAN tags on the existing access points. There is no need to set up special access points or to physically restrict the locations used for guest access.

Unauthenticated users are permitted to associate to an AP, but any web communications are captured and directed to a controlled landing page, the “captive portal.” The landing page allows the guest user to log in using a web-based password scheme. The page can inform unauthenticated users of the network access policies and provide instructions on obtaining the guest password. Following successful authentication, the guest user is released from the captive pages and allowed to access any resource on the guest VLAN.

The VLAN configuration of the upstream network should make available only those network resources set aside for guest use. This often means prohibiting guest stations from accessing anything other than the corporate open subnet or the Internet.

For open guest access, the open access security option must be configured. This precludes the use of WEP Security Mode on APs that provide guest access, but does permit use of WPA Security Mode. VLANs and security privileges are assigned to users by way of service profiles defined for user groups and bound to the network SSID. It is required that the VLAN configuration include DHCP and DNS services.

Guest user authentication can be implemented using an internal or external landing page.
Internal Landing Page

The internal landing page is a configurable option within the Airgo AP. The guest password for the AP can be set using the Guest Access panel, or an automatically generated password can be configured through the User Management panel in NM Portal. If the automatically generated guest password is used, then the authentication process for the internal landing page also checks the password entered by the guest user against the RADIUS authentication service provided in the Airgo security portal. If either password is acceptable, the guest user is authenticated and receives the privileges specified in the guest service profile.

Figure 112 shows how Acme Works configured guest access with an internal guest landing page. The company has two VLANs: Corporate and Guest. Corporate and guest users belong to the Enterprise and Guest user groups, respectively, with appropriate service profiles assigned and bound to the SSID. Corporate users are authenticated by way of the enterprise RADIUS server, while guest users are authenticated by way of an internal landing page configured in the Airgo AP. After they are authenticated, guest users are placed in the Guest VLAN.

Figure 112: Guest Access - Internal Landing Page (diagram labels: RADIUS Server, Corporate VLAN, VLAN Switch, Guest VLAN, Corporate, Guest Access, Guest ID, Password)
External Landing Page

An external landing web page can be set up through a corporate web server. The URL for the landing page must use an IP address rather than a domain name. Regardless of the authentication process selected for the external page, it is necessary to forward authentication results to the AP upon completion of successful or unsuccessful guest authentication. [1]

Figure 113 shows a network configuration with an external guest landing page. The external landing page is made accessible over the Internet through an external web server. As in the previous example, authenticated guest users are given access to the guest VLAN.

Figure 113: Guest Access - External Landing Page (diagram labels: RADIUS Server, Corporate VLAN, VLAN Switch, Guest VLAN, Corporate, Guest, Web Authentication, Password, Authentication Results Passed Back to AP)

[1] An example external landing page is shipped with the Airgo AP.
Open Subnet

In an optional open subnet arrangement, shown in Figure 114, unauthenticated guest users are permitted limited access to an open enterprise subnet specified in the Airgo AP. The enterprise open subnet must be part of the Guest VLAN. Extended access requires authentication through an internal or external landing page.

Figure 114: Guest Access - Open Subnet (diagram labels: Internet, VLAN Switch, Open Subnet, Open Subnet Address Range, No Direct Internet Access Until Authenticated, GUEST-VLAN, Open Access Server, User Group = "GUEST")

Configuring Guest Access

This section describes the complete process of setting up guest access. A Guest Access wizard is also available for easy configuration of the major guest access parameters. See “Guest Access Wizard” on page 50 for instructions on using the Guest Access wizard.

Task: Confirm that open access is supported as a security option.
1. Choose Wireless Security from the Security Services menu to open the Security Mode tab (“Configuring Wireless Security” on page 138).
2. Enable WPA security, if mixed mode security (encrypted and open) is desired. Only WPA can be enabled in conjunction with open. The WPA Security mode is for non-guests only.
3. Enable Open Access.
4. Click Apply.

Task: Create or confirm existence of a corporate VLAN. This can be the default untagged VLAN or a specially created VLAN.
1. Choose VLAN Configuration from the Networking Services menu to open the VLAN table (“VLAN Table” on page 106).
2. Confirm that the corporate VLAN is listed in the table, or click Add to create a new VLAN:
   a. Enter the corporate VLAN name and a numeric VLAN ID in the Add VLAN entry panel.
   b. Enter the IP address and maskbits of the captive portal server, or select the DHCP option. The guest portal must have a valid IP address for the authentication process to work.
   c. Select the eth0 interface, and mark it as tagged. (Only eth0 should be tagged.)
   d. Click Add.

Task: Create the guest VLAN.
1. Choose VLAN Configuration from the Networking Services menu to open the VLAN table (“VLAN Table” on page 106).
2. Click Add.
3. Enter the VLAN name (Guest VLAN) and a numeric VLAN ID in the Add VLAN entry panel. It is not recommended to use the default VLAN.
4. Enter the IP address and maskbits of the captive portal server, or select the DHCP option.
5. Select the eth0 interface, and mark it as tagged. (Only eth0 should be tagged.)
6. Click Add.
For additional information on configuring VLANs, see “Configuring VLANs” on page 105.

Task: Create or confirm definition of a corporate service profile.
1. Choose SSID Configuration from the Wireless Services menu to open the SSID table (“SSIDs and Service Profiles” on page 79).
2. Click Profile Table.
3. Add a corporate profile, or confirm that one exists with the desired WPA security option and the corporate VLAN specified. Make sure that the corporate profile is bound to the SSID.

Task: Create a guest service profile which specifies the guest VLAN and desired COS and security options.
1. Choose SSID Configuration from the Wireless Services menu to open the SSID table.
2. Select SSID Details (“SSID Details” on page 82).
3. Confirm the SSID name, or enter a new SSID name for the Guest Portal, and then click Apply.
4. Click Profile Table to display the current list of service profiles.
5. Click Add to create the guest service profile. Select the VLAN ID for the guest VLAN previously defined. Enter the COS value and make sure that no-encryption is selected.
6. Click Apply.

Task: Add guest access to the SSID and specify an internal or external landing page for guest users who attempt to access the network.
1. Choose Guest Access Configuration from the Guest Access Services menu to open the Guest table.
2. Click Add.
3. Confirm selection of the SSID and guest profile, as defined in the previous task.
4. Select whether the landing page will be internal or external. If external, enter a URL and an external web server secret code, which is the shared secret code for communication between the AP and web server.
5. Click Apply.

Task: For the internal landing page, set a guest password; for an external landing page use the RADIUS shared secret code.
1. If Internal is selected as the landing page type, click Security to enter the guest password.
2. Enter and confirm the password, and then click Apply.

Task: Set up optional auto-generation of guest passwords.
1. From the NM Portal (Network Management Explorer) window, select User Management from the Security Portal menu.
2. On the Guest User tab (Figure 117), select Yes to enable auto-password generation.
3. Select an interval from the Generate Auto Guest Password pull-down list.
4. Click Apply.
NOTE: If static and auto-generated passwords are configured, then a guest user can enter either password to be authenticated.

Guest access is now configured. When guests attempt to access the network, they are directed to an external landing page or to a standard user login screen. Upon entering the correct guest password or server secret code, they are granted access to the guest VLAN. They are also given the COS and encryption characteristics specified in the guest service profile.

Guest Access Services Panel

For summary information about guest access, use the Guest Access Configuration panel. The panel opens to the Guest table (Figure 115), which lists currently defined guest service profiles. The table presents the following information:

| Field | Description |
|---|---|
| SSID | The network to which the guest profile belongs. There can be at most one guest profile per SSID. |
| Service-Profile | The name of the guest service profile bound to the SSID |
| Landing Page | Internal or external page automatically displayed when guest users attempt to access the network |
| Allowed Guest Subnet | The subnet optionally reserved for unauthenticated guest access. Configuring an allowed guest subnet can give unauthenticated users access to a limited set of free services. |
Figure 115: Guest Access Configuration - Guest Table

Perform the following functions from the Guest Table:

Function: Description

Add an entry to the Guest Table: One guest profile can be added for each SSID. If a profile is already assigned to an SSID and you add a new one, it replaces the previously defined profile.
1. Click Add.
2. Select the SSID.
3. Select the service profile from the Profile pull-down list.
4. If desired, enter the address and maskbits for a subnet optionally reserved for unauthenticated guest access.
5. Select an internal or external landing page. If the external page is selected, enter the full URL and the shared secret code used for communicating with the RADIUS server.
6. Click Apply.

Modify an entry:
1. Select the entry you wish to modify, and click Modify.
2. Confirm the SSID.
3. Select the service profile from the Profile pull-down list.
4. If desired, enter the address and maskbits for a subnet optionally reserved for unauthenticated guest access.
5. Select an internal or external landing page. If the external page is selected, enter the full URL and shared secret code for access.
6. Click Apply.
Delete an entry:
1. Select the entry and click Delete.
2. Click OK to confirm.

Guest Access Security

The Security tab of the Guest Access Configuration panel (Figure 116) provides an interface to set the guest password for an internal landing page.

Figure 116: Guest Access Configuration - Security
Auto-Generating Guest Passwords

To generate guest passwords automatically at set intervals, use the Guest User tab within the security area of NM Portal (Figure 117).

Figure 117: Security Portal - Guest User
9 Managing the Network

This chapter explains how to use the NM Portal features of the Airgo Access Point to manage multiple APs across the network. It includes the following topics:
•Introduction
•Using NM Portal
•Using the Network Topology Menu
•Managing Rogue Access Points
•Using the NM Services Menu
•Managing Network Faults
•Managing Users

Introduction

Network management refers to the coordinated control and supervision of multiple access points across a network. Network management functions include single-point configuration of multiple access points, user access control, performance monitoring, and fault management.

Airgo offers the unique advantage of a network management capability built into the Airgo Access Point. When configured as an NM Portal, the Airgo AP can provide network management services for up to five subnetworks. For small to mid-size networks, this eliminates the need for an external network management application. For mid to large size enterprise networks, NM Portal can be used to manage all the APs at a specific location or branch, while NMS Pro, offered as a separate product, can supply enterprise-level network management.

NM Portal supports the following functions:
•Single view to manage the entire network
•AP discovery
•AP enrollment
•Centralized software distribution and policy management
•Integrated security management for users
•Rogue AP control
•Email alerts
•Fault management
•Syslog
•Guest access control
Using NM Portal

To use the Airgo AP for NM Portal services, it is necessary to initialize (bootstrap) the unit in NM Portal mode. Do so when initially configuring the AP, or by resetting the AP to factory defaults prior to booting. Chapter 3, “Installing the Access Point,” explains how to initialize an NM Portal and how to reset to factory defaults.

NOTE: Before resetting the AP to factory defaults, make sure to have the original password shipped with the unit available.

After the AP is initialized as a portal, access NM Portal services from the web interface at any time by clicking Manage Wireless Network on the menu tree or on the Home panel (“The Home Panel” on page 37). The NM Portal Network Management Explorer opens in a new browser window (Figure 118).

Figure 118: NM Portal Web Interface

This interface is similar to that of the standard Airgo AP web interface. The menu tree on the left contains a set of menus to access application features. Use the detail panels on the right to set the configuration and monitor the state of the network. The alarm panel in the lower left portion of the window shows the number of outstanding critical alarms collected across the NM Portal managed network.

Home Panel

The Home panel (Figure 118) contains summary information about the network configuration together with links to some of the Detail panels. Open the Home panel at any time by selecting Home from the menu tree.

Menu Tree

The menu tree contains the following menus:
•Home—Open the Home panel.
•Network Topology—Manage AP enrollment, wireless backhaul, IP address status, and radio neighbors.
•NM Services—Set up network discovery, DHCP settings, and portal settings.
•Fault Management—View alarm logs and syslog events.
•Admin Tools—Upgrade AP software (see “Upgrading Software” on page 219).
•Security Portal—Add network, administrative, and legacy users.

Each of these topics is described in this chapter, except Software Upgrade, which is described in Chapter 10, “Maintaining the Access Point.”

Click the arrow to the left of a menu item to expand the menu.

Using the Network Topology Menu

Use the Network Topology menu items to manage the identification, network status, and relationship of APs in the network.

Enrolling APs

Network security depends upon mutual trust between the NM Portal and the other managed Airgo APs. Each access point must trust the identity of the NM Portal AP, and the NM Portal must trust that each access point is fully authenticated (Figure 119). Enrollment is the process used to establish this mutual trust. The process consists of several steps:
•NM Portal automatically discovers all the Airgo Access Points and presents those that are not already enrolled in a list of unenrolled APs.
•You select a candidate AP to enroll and verify its identity.
•NM Portal and the AP perform a mutual authentication process.
•Once the authentication is complete, the AP is enrolled. It is not necessary to enroll the AP again, even if power is lost to the unit.

An NM Portal can discover up to 50 APs across multiple IP subnets, but can only enroll up to 20 APs. To access the enrollment panel, choose AP Enrollment from the Network Topology menu. The AP Enrollment panel opens to display the list of discovered, but as yet un-enrolled, APs (Figure 120).

Figure 119: AP Enrollment (diagram labels: NM Portal: Manage and Monitor the Network; Enrollment Portal: Verify AP Identity; Other APs)

NOTE: In order to enroll an AP, it must be in the factory default state. This assures that enrollment will be based on a known configuration.
Figure 120: Network Topology - AP Enrollment - Not Enrolled

Perform the following functions from this panel:

Function: Description

Enroll an AP:
1. Select the desired AP, and click Enroll to open the Enroll an AP Entry panel (Figure 121). If the AP is not in the factory default state, a message is presented. Click the AP link to open the web interface for the AP and reset it to the factory default configuration.
2. After verifying the information on the panel (Table 13), enter the correct password, and click Enroll. It takes a couple of minutes to enroll the AP.

Delete an AP: Select an AP and click Delete to remove it from the list.
Refresh: Click to update the display.
Rediscover Now: Scan the network to discover APs and update the Not Enrolled APs table.
Figure 121: Network Topology - AP Enrollment - Enroll an AP Entry Panel

The Enroll an AP panel contains information that uniquely identifies the AP. To verify the identity of the AP, compare the following information to the information on the paperwork shipped with the AP:

Table 13: AP Enrollment Information

Field: Description
AP Name: Verify the alphanumeric name of the AP. The default is the IP address.
IP Address: Verify IP address of the AP.
Serial Number: Verify the AP serial number.
Thumbprint: Verify the thumbprint, which uniquely identifies the AP for security purposes.
Password: Enter and confirm the Airgo-supplied password.
Security Portal: Indicate whether to use the AP as a standby security portal. With a backup security portal, a copy of the user authentication database remains accessible even if the NM Portal AP becomes unavailable.

When an AP is enrolled, it is configured with the enrolling AP’s bootstrap configuration. Refer to Chapter 3, “Installing the Access Point,” for bootstrap configuration details.

Enrolled APs

Enrolled APs are listed on the Enrolled tab of the Enrollment panel (Figure 122). The screen should refresh automatically to reflect new enrollments. If this does not happen, click Refresh.

NOTE: If DHCP is used for address assignment for enrolled Airgo APs, the AP address may change periodically. When that occurs, there is no interruption to service, and all security credentials remain intact.
Figure 122: Network Topology - AP Enrollment - Enrolled

Perform the following functions as needed from the Enrolled APs tab:

Function: Description
Unenroll: Remove the AP from the set of enrolled APs.
Refresh: Update the screen display to reflect the most recent enrollment changes.
Reboot: Reboot the selected AP.
Click the IP address link for an AP: Access the web interface for the selected AP in a new browser window.

NOTE: When an AP is unenrolled, the mutual trust between the NM Portal and the AP is destroyed and the unenrolled AP resets to factory defaults. The AP cannot be configured by NM Portal nor participate in the network (i.e., form a wireless backhaul) without being enrolled again.

Viewing Backhaul Topology

Configuring a wireless backhaul extends wireless network coverage while reducing the number of APs that must be connected to the wired network. Chapter 6, “Configuring a Wireless Backhaul,” explains how to configure the Airgo AP to be part of a wireless backhaul. Once the wireless backhaul structure is in place, use the Backhaul Topology panel in NM Portal to view all the backhaul paths defined for the network. Choose Backhaul Topology from the Network Topology menu to display this information (Figure 123).
Figure 123: Network Topology - Backhaul Topology

This panel contains the following information for each backhaul link:

Field: Description
Channel ID: RF channel over which the backhaul traffic travels.
Source AP: AP that begins the uplink backhaul trunk. The Source AP link opens the web interface for the AP in a new browser window.
Source Radio: MAC address of the radio used for the uplink (wlan0 or wlan1).
Destination AP: MAC address of the radio that ends the backhaul trunk.
Destination Radio: Radio used for the destination (wlan0 or wlan1).
Retrunk Count: The number of times a functioning backhaul radio reestablishes a trunk. A new backhaul can be established to any AP within RF range (retrunk does not necessarily mean re-connection to the same AP). If the retrunk count is high, the network has a high level of instability in its wireless inter-access point connections.
Rediscover Now button: Begins the rediscovery process.

Viewing IP Topology

The IP Topology panel lists all the APs discovered by NM Portal. Choose IP Topology from the Network Topology menu to display this information (Figure 124).
Figure 124: Network Topology - IP Topology

The table includes the following information for each AP:

Field: Description
Name: IP address assigned to the AP.
Device ID: Unique AP identifier sent during the discovery process and required for AP enrollment. The device ID is included in the paperwork shipped with the AP.
Operation State: Indication of whether the AP can be reached from the NM Portal AP. The operation state is updated once every 5 minutes.
MAC Address: MAC addresses assigned to each of the AP radios. The address of the wlan0 radio is listed first and the wlan1 radio is listed second.
Auto/Manual: Indication of whether the AP was discovered automatically or manually identified.
Portal Services: Indication of which portal services are configured on the AP (enrollment and security). Possible values:
•Factory Default - AP has not yet been enrolled or bootstrapped.
•Access Point - AP has been enrolled/bootstrapped as an AP.
•NM Portal - AP is enrolled/bootstrapped as NM Portal.
•SEC Portal - AP is enrolled/bootstrapped as a Security Portal.
•NM & SEC Portal - AP is enrolled/bootstrapped as NM Portal and Security Portal.
•Enrollment Portal - AP is bootstrapped as an Enrollment portal.
Time Discovered: Date and time of discovery.
Enrollment State: Indication of whether the AP is enrolled (authorized) or not (unauthorized).
Thumbprint: Unique identifier used for security purposes. The thumbprint is included in the paperwork shipped with the AP.

View and check the status of all discovered APs from this panel. To delete an AP from the list, select the radio button to the left of the listing, and click Delete. Deleting an AP removes it from the topology database and deletes all the details about its configuration. However, since network discovery is a continuous process, it is possible for a deleted AP to be rediscovered if it is still part of the network. Use the delete feature when an AP is moved from one managed network to another.

Displaying Discovered Radios

Every 15 minutes, the NM Portal AP polls all the enrolled APs, which then report on all the wireless devices they can detect. The results of the polling are presented in the Discovered Radio table (Figure 125), accessible from the Discovered Radios item under the Network Topology menu in the menu tree.

Use the Discovered Radios list to characterize the wireless network neighborhood and detect possible rogue APs.
Figure 125: Network Topology - Discovered Radios

The Discovered Radios table contains the following information for each detected device:

Field: Description
MAC Address: Address that uniquely identifies the detected device.
IP Address: IP address of the detected device, if known.
Reporting AP: The enrolled AP which reported the device to the NM Portal AP. If this field is blank, the AP was reported on a previous scan, but not the most recent one.
Time Reported: The time of the last scan that detected the AP.
Time Discovered: The time of day that the presence of the device was discovered by the reporting AP.
Class: Indication of whether the discovered node is just a Radio Neighbor or a Radio and IP Neighbor. Radio and IP neighbors are part of the internal network (they are reachable by way of IP addressing).
Signal Strength: Strength of the detected signal as a percentage.
SSID: The SSID of the detected device, if known.
Channel ID: The channel on which the signal was detected.
BSS Type: Whether the detected device is part of an infrastructure or ad-hoc service set.
Managing Rogue Access Points

A rogue AP is an access point that connects to the wireless network without authorization. In some cases, the AP may be performing a legitimate function and the appropriate management action is to classify the AP as “known.” If it is not possible to identify a legitimate role for the AP, then the AP is considered to be a true rogue. NM Portal provides information to help determine where rogue APs are physically located and how recently they have accessed the network. With this information, it may be possible to find and disable them.

Potential rogue AP candidates are identified during discovery. Every 15 minutes NM Portal scans the network to discover and identify known Airgo APs. The domain for the discovery process is specified in the Discover Configuration panel (see “Configuring Network Discovery” on page 182). Discovery can be restricted to specific subnetworks, ranges of IP addresses, or individual APs. It is also possible to specify whether the discovery is at the IP (layer 3) or wireless/MAC level (layer 2).

Wireless discovery is based on the beacon sent by APs within range of the receiving AP. Each AP collects information about beacons it sees and passes that information to NM Portal. NM Portal checks the MAC address of the detected AP to see whether it matches that of a known AP. If it does not match, the detected AP becomes a rogue AP candidate.

IP level discovery requires that the detecting AP be able to determine the IP address of the discovered AP through an IP / SNMP connectivity check and establish IP level communications with it. NM Portal then performs a series of consistency checks and certification to determine whether the AP is a recognized part of the network. After an AP is successfully discovered and authenticated, the system checks to see whether it is enrolled and places it into the Enrolled or APs to be Enrolled table. For more information on AP enrollment, see “Enrolling APs” on page 165.

A variety of conditions may cause NM Portal to label an AP as a rogue candidate:
•The AP is in a subnet not included in the discovery domain.
•The AP is not an Airgo AP.
•A problem exists with the AP certificate, and the AP cannot be authenticated.
•The AP is a legitimate device on a neighboring network, but has been detected through a wireless scan.
•An unauthorized device attempts to access the network.

The objectives of rogue AP management are to determine which APs pose a security risk and to take action to reduce the risk.

The Rogue AP panels within NM Portal provide an interface to monitor and classify rogue APs. Use the IP Rogue AP panel to manage potential rogues detected through IP discovery, and use the Wireless Rogue AP panel to manage potential rogues detected through wireless discovery. Each panel opens to the Unclassified tab, which lists the candidate rogue APs. From the list, select individual APs to classify as known in your network or a neighbor’s network. Once classified, the APs are listed in the IP or Wireless Classified tab.

NOTE: Use the Discovery Configuration panel to enable the rogue AP discovery feature. For instructions, see “Configuring Network Discovery” on page 182.
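The MAC-match step described above, combined with the discovery-scope condition and the Radio Neighbor / Radio and IP Neighbor classes, sketched as an added Python example (not Airgo code and not part of the original manual). The record layout, the triage function, the priority labels, and all sample MAC and IP addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Sighting:
    """One row of a Discovered Radios style report (field names are assumptions)."""
    mac: str
    ip: Optional[str]   # None when the IP address of the device is not known
    reporting_ap: str   # enrolled AP that heard the beacon
    signal_pct: int     # signal strength as a percentage
    ssid: str


def norm_mac(mac):
    """Normalize aa-bb-.., AA:BB:.. or aabb.ccdd.eeff to aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def triage(sightings, enrolled_macs, classified, scopes):
    """Return {mac: entry} for every detected radio that is not an enrolled AP.

    enrolled_macs: radio MACs of enrolled APs (both wlan0 and wlan1).
    classified:    {mac: "Our-Network" | "Neighbor-Network"} decisions already made.
    scopes:        discovery scope subnets as "address/maskbits" strings.
    """
    enrolled = {norm_mac(m) for m in enrolled_macs}
    known = {norm_mac(m): state for m, state in classified.items()}
    nets = [ipaddress.ip_network(s, strict=False) for s in scopes]

    # Several enrolled APs may report the same radio; group the reports by MAC.
    by_mac = {}
    for s in sightings:
        by_mac.setdefault(norm_mac(s.mac), []).append(s)

    report = {}
    for mac, rows in by_mac.items():
        if mac in enrolled:
            continue  # matches a known AP radio, so it is not a candidate
        nearest = max(rows, key=lambda r: r.signal_pct)  # strongest report helps locate it
        ip = next((r.ip for r in rows if r.ip), None)
        entry = {
            "class": "Radio and IP Neighbor" if ip else "Radio Neighbor",
            "nearest_ap": nearest.reporting_ap,
            "reporting_aps": sorted({r.reporting_ap for r in rows}),
            "ssid": nearest.ssid,
        }
        if mac in known:
            entry["status"] = known[mac]  # classification is retained across scans
            entry["reasons"] = []
        else:
            reasons = ["MAC does not match an enrolled AP"]
            if ip and not any(ipaddress.ip_address(ip) in n for n in nets):
                reasons.append("IP address outside the discovery scope")
            entry["status"] = "Unclassified"
            # Assumed triage heuristic: an unknown radio that is also reachable
            # by IP sits on the internal network, so it is reviewed first.
            entry["priority"] = "high" if ip else "review"
            entry["reasons"] = reasons
        report[mac] = entry
    return report


# Constructed sample data (locally administered MACs, documentation IP ranges).
ENROLLED = ["02:00:00:AA:00:01", "02:00:00:AA:00:02"]   # wlan0 and wlan1 of one AP
CLASSIFIED = {"02-00-00-BB-00-01": "Neighbor-Network"}
SCOPES = ["192.0.2.0/24"]
SIGHTINGS = [
    Sighting("02:00:00:aa:00:01", "192.0.2.10", "AP-lobby", 80, "corp"),
    Sighting("02:00:00:bb:00:01", None, "AP-lobby", 35, "cafe-next-door"),
    Sighting("02:00:00:cc:00:01", None, "AP-lobby", 40, "corp"),
    Sighting("02:00:00:CC:00:01", "198.51.100.7", "AP-floor2", 72, "corp"),
    Sighting("02:00:00:dd:00:01", None, "AP-floor2", 15, "printer-setup"),
]

if __name__ == "__main__":
    for mac, entry in sorted(triage(SIGHTINGS, ENROLLED, CLASSIFIED, SCOPES).items()):
        print(mac, entry)
```

Only the unclassified entries need an operator decision; the strongest reporting AP gives a starting point for locating the device physically.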
IP Rogue AP Management

Select IP Rogue AP from the Rogue AP menu to open the table of IP-unclassified APs. This panel (Figure 126) lists the following information for each unclassified AP:

Field: Description
Device ID: Unique identifier for the AP.
Node Name: Name of the AP advertised in the beacon frame.
Rejection Reason: Failure that prevented the AP from passing authentication.
Time Discovered: Time of the last IP scan that detected the AP. This value is updated each time the AP is detected.
Thumbprint: Factory-generated identifier used for AP enrollment.

Figure 126: IP Rogue AP - Unclassified
Perform the following functions from this tab:

Function: Steps

Classify an AP as known:
1. Select the AP from the list. APs are identified by Airgo device ID and IP address, if known.
2. Click Classify-Node to open the Classify the Rogue AP panel (Figure 127).
3. Select Our-Network to classify the AP as known within your wireless network. Select Neighbor-Network to classify the AP as known in a neighboring network.
4. Click Apply.
The AP is now classified. The classification information is retained in the NM Portal database and presented on the Classified tab (Figure 128). This information is retained upon AP reboot.

Delete an AP from the rogue list: Click Delete and click OK to confirm. If an AP is deleted from the list and then discovered in a subsequent scan, it is added to the list again.

Delete from the list all APs classified as IP rogues: Click Delete all IP-Unclassified Rogues, and click OK to confirm.

Figure 127: IP Rogue AP - Classify

Classified Tab

The Classified tab (Figure 128) lists all the APs designated as known through IP classification. It contains the following information for each classified AP:

Field: Description
AP: Name of the AP, by default, the MAC address.
Device ID: Unique identifier for the AP.
Thumbprint: Factory-generated identifier used for AP enrollment.
Portal Services: Portal services (enrollment, security, NM portal) configured on the AP.
Operational State: Indicator of whether the AP is currently active.
Discovery Method: IP or wireless discovery.
Time Discovered: Time of the last IP scan that detected the AP. This value is updated each time the AP is detected.
Node State: Identifies whether the AP has been classified as a member of Our-Network or Neighbor-Network.
MAC Address: MAC address of the AP.
Figure 128: IP Rogue AP - Classified

Wireless Rogue AP Management

Wireless rogue management differs from IP rogue management in the type of discovery used to determine whether the AP is authorized to be part of the network. In wireless discovery, each AP scans the beacons sent by other APs within range and attempts to identify the APs from the information in the beacon. Select Wireless Rogue AP from the Rogue AP menu to open the table of unclassified wireless rogue APs. This panel (Figure 129) lists the following information for each IP rogue:

Field: Description
MAC Address: MAC address of the unclassified rogue AP.
Reporting AP: The device ID of the AP or APs that identified the rogue AP. If this field is empty, that means that the rogue device was detected in a previous scan, but not in the most recent scan.
Detection Time: Time that the AP was last detected.
Class: Radio Neighbor or Radio & IP Neighbor.
Signal Strength: Strength of the beacon (dBm).
BSS Type: Infrastructure or ad-hoc (IBSS).
SSID: SSID sent in the rogue beacon.
Channel ID: Radio channel on which the AP was discovered.
Reporting Time: Time of the last wireless scan.

Figure 129: Wireless Rogue AP - Unclassified

Perform the following functions from this tab:

Function: Steps

Classify an AP as known:
1. Select the AP from the list. APs are identified by MAC address.
2. Click Classify-Node to open the Classify the Rogue AP panel (Figure 130).
3. Select Our-Network to classify the AP as known within your wireless network. Select Neighbor-Network to classify the AP as known in a neighboring network.
4. Click Apply.
The AP is now classified. The classification information is retained in the NM Portal database and presented on the Classified tab (Figure 131). This information is retained upon AP reboot.

Delete an AP from the rogue list: Click Delete and click OK to confirm. If an AP is deleted from the list and then discovered in a subsequent scan, it is added to the list again.

Delete from the list all APs classified as wireless rogues: Click Delete All, and click OK to confirm.
Figure 130: Wireless Rogue AP - Classify

Classified Tab

The Classified tab (Figure 131) lists all the APs designated as known through wireless classification. It contains the following information for each AP:

Figure 131: Wireless Rogue AP - Classified

Field: Description
MAC Address: Name of the detected AP, by default, the MAC address.
Reporting AP: IP address of the AP that reported the detected AP.
Detection Time: Time of the scan that last detected the AP.
Class: Category used to classify the AP.
Using the NM Services Menu

Use the NM Services menu to define and manage policies, configure parameters for network discovery, add information about DHCP servers, and add portals at remote locations.

Working With Policies

Policy Management provides tools to keep your network configuration synchronized to a defined set of rules. Open the Policy Management panel to manage configuration policies for distribution to the network of enrolled APs. The panel contains the following tabs:
•Policy Table—View existing policies.
•Define Policy—Specify a policy for bootstrapping other APs in the network.
•Distribute Policy—Send a policy to other APs in the network.

Policy Table

The policy table (Figure 132) lists policies that exist on this AP and are available for distribution to the network of enrolled APs.

Figure 132: NM Services - Policy Management - Policy Table

To view the details of a policy, select the name in the policy table, and click Details. The policy table expands to display all the parameters contained in the policy (Figure 132). To return to the policy table, click Back. To delete a policy, click Delete.
Figure 133: NM Services - Policy Management - Policy Table - Details (excerpt)

Define Policy

Define a default policy for bootstrapping other APs in the network by selecting the configuration of this AP as a model. The default policy is pushed automatically to newly enrolled APs. Use the Define Policy tab (Figure 134) to choose the default policy.

NOTE: The Portal AP requires two radios in order to construct a default policy for 2-radio APs.

Perform the following functions from this tab:

Function: Description
Generate a default policy from a pre-defined policy: Select a policy from the pull-down list, and click Apply. Not currently supported.
Use this AP’s start-up configuration to generate a default policy: Select the checkbox, and click Apply.
Figure 134: NM Services - Policy Management - Define Policy

Distribute Policy

Use the Distribute Policy tab (Figure 135) to direct how policies are shared across the network.

Figure 135: NM Services - Policy Management - Distribute Policy

Configure the following fields on this tab:

Field: Description
Select Policy to Distribute: Select an existing policy from the pull-down list.
Select All Policies to Distribute: Select to distribute all the existing policies.
Target AP Name: Select the APs to receive the policy or policies, or select Target AP Name to distribute to all the APs.

Click Distribute Now to send the policies to the designated APs.

Configuring Network Discovery

Use the Network Discovery panel to set up the rules for AP discovery. The panel contains the following tabs:
•Configuration—Specify discovery parameters.
•Scope/Seed—Restrict discovery to specified subnetworks or IP address ranges.
•Rogue AP—Enable or disable rogue AP discovery.

Configuration

Select Network Discovery from the NM Services menu to open the Configuration panel (Figure 136).

Figure 136: NM Services - Discovery Configuration

Configure the following values on this tab:

Field: Description
Discovery Interval: Restrict discovery to a time interval (in minutes). The range is 60-10080 (default is 60).
Discovery Limit: Restrict discovery to a number of APs. Once this limit is reached, the discovery process stops. The range is 1-50 (default is 50 APs).
AP IP Address: Specify the IP address of an AP that you want to manage but which is not part of the managed subnetwork specified in the discovery scope. APs added to the managed network this way are termed “manually added” and can be managed by NM Portal. This option is useful if an AP is moved to another subnet and is no longer able to reach the NM Portal AP. You can manually add the AP’s IP address in NM Portal and continue to manage the AP. It is not necessary to reenroll the AP.
Discovery Methods: Select whether to discover the APs with valid IP address information (IP), those identifiable by their radio beacon (Wireless), or those that meet either criterion.
Force Rediscovery: Select to force an immediate rediscovery of all APs. If the discovery process is already in progress when rediscovery is initiated, then no additional discovery is re-initiated. To stop the current discovery process and restart discovery again, use the Force All option. This is useful if the discovery scope is incorrectly configured and must be deleted.

Click Apply to implement the changes in each section or Reset to return to previously saved values.

Use the Start Discovery radio buttons at the bottom of the panel to configure discovery on demand. Choices are to discover all APs, only those with a connection to the wired network (IP), or only those that are radio neighbors. Click Discover to rediscover the network on demand.

Scope/Seed

By default, NM Portal automatically discovers all compatible APs in the local IP subnet. When APs are deployed across multiple subnetworks, specifying the discovery scope and seed IP address speeds the discovery process. The seed IP address is used as the reference AP for discovery purposes. The Seed AP is optional. If it is not specified, NM Portal automatically discovers all the compatible APs in that subnet and identifies a seed AP for itself. Select the Scope/Seed tab (Figure 136) to configure the scope and seed parameters.
Figure 137: NM Services - Discovery Configuration - Scope/Seed

Configure the following fields on this tab:

Field: Description
Discovery Scope: Enter the IP address of the subnet that you want to discover.
Discovery Scope - Subnet Maskbits: Enter the subnet prefix length for the discovery scope.
Discovery Seed: Specify a seed IP, which is the first address NM Portal will attempt to discover in the selected subnetwork.

Click Apply to save the selections and add them to the Discovery Scope Table at the bottom of the panel.

Rogue AP

Use the Rogue AP tab (Figure 136) to enable or disable discovery of rogue access points. The default is Enabled. Click Apply to save the setting. If enabled, NM Portal automatically scans the network to detect IP and wireless rogue access points. For more information, see “Managing Rogue Access Points” on page 173.
Figure 138: NM Services - Discovery Configuration - Rogue AP

Configuring Portals

The Portal Configuration panel lists all the Airgo Access Point portals that your AP has discovered and permits addition of a standby security portal to ensure that the wireless user authentication service remains available even if the NM Portal AP temporarily loses its connection. The panel contains two tabs:
•Portal Table—Add a redundant security portal and synchronize the portal databases.
•Secure Backup—Use https to perform a secure backup of the NM Portal AP configuration.
•Portal Backup—Back up or restore the portal databases and configuration.
Portal Table

Use the Portal Table (Figure 139) to manage the security portals for the network.

Figure 139: NM Services - Portal Configuration - Portal Table

Perform the following functions on this tab:

Field: Description
Add Redundant Security Portal: Specify the IP address, and click Apply. Only an already-enrolled AP can be configured to be a redundant security portal.
Portal Table: View the list of currently identified NM Portal APs. The listing includes the IP address of the AP, its device ID, and whether the AP is currently enrolled. To delete an entry from the table, select the radio button to the left of the entry, and click Delete. All portals shown in this table as unenrolled are currently not managed by this NM Portal but form part of other managed networks. Only portals managed by this NM Portal are shown as Enrolled and/or have a radio button with which the portal may be deleted.
Field | Description
Sync Frequency | Select to automatically synchronize the database between the portals. The sync frequency represents the duration in minutes at which NM Portal cross checks the portals in the network to make sure their databases are synchronized with the NM Portal database. Click Apply to save the settings, or click Reset to return to the default values (autonomous selected, period 5 minutes). It is recommended to accept the default value to make sure that synchronization takes place.
Portal DB Version Table | View current database information for user security. For each AP designated as a security portal, the table lists the following information:
•AP IP Address—IP address of each portal AP.
•RADIUS Client DB Version—Version of the user database resident on the RADIUS client.
•RADIUS User DB Version—Version of the user database for RADIUS users.
•Certificate DB Version—Version of the security certificate for RADIUS clients.
•AP Device-ID—Unique identifier for the AP.
•Enrollment Status—Indication of whether the AP is enrolled.

Secure Backup

Use the Secure Backup tab (Figure 139) to save the NM Portal database and configuration using the secure https protocol.

Figure 140: NM Services - Portal Configuration - Secure Backup

Click Save Configuration. When the configuration is generated, a hyperlink is displayed. Right-click and select Save As to save the configuration locally. After the configuration file is saved, click Delete to remove the file from the AP. The file takes up space on the AP disk, so it is recommended to remove it. To restore the configuration, browse to select the file, and then click Apply to restore the configuration and reboot the AP.
Portal Backup

Use the Portal Backup tab (Figure 141) to back up the portal databases and configuration to a TFTP server and to restore the configuration from the TFTP server. For backup and restore, enter the server IP address and specify a backup file name. For restore, enter the same TFTP server address and file name. If you want to reboot the AP once the configuration file has been copied, select Reboot. (required)

Figure 141: NM Services - Portal Configuration - Backup/Restore

Configuring the DHCP Server

NM Portal includes an internal DHCP server, which can be activated to support IP address assignments in the network if a DHCP server is not in place. Choose DHCP from the NM Services menu to open the DHCP panel. The panel contains four tabs:

•DHCP Options—Activate and configure the DHCP server.
•IP Range—Enter address information for the DHCP server.
•Leases—View details about the current DHCP leases.
•Static IP—Assign static IP addresses for specific equipment.

NOTE: Use the DHCP panels to support IP address assignments only if a DHCP server is not already in place on the existing network.
DHCP Options

Select the DHCP Options tab (Figure 142) to activate and configure the DHCP server.

Figure 142: NM Services - DHCP Configuration - DHCP Options

To activate the server, Enable DHCP Server and configure the following information:

Field | Description
Lease Time | Specify the maximum number of leases that the server should assign. This is used to restrict the number of IP addresses served even though the IP subnet served by the DHCP server may be large.
Maximum Leases | Specify the maximum number of available leases. There is no default.
Gateway | Enter the IP address of the gateway. There is no default.
DNS Server IP Address | Enter the IP address of the server or servers that provide domain name resolution. There is no default. More than one DNS IP address may be specified (space separated). If the field is left blank, then any previously configured DNS server addresses will be deleted. If you delete DNS servers, only those added manually are deleted. DHCP-assigned DNS servers continue to be available.
WINS Server | Enter the IP address of the Windows name server used to map IP addresses to computer names. There is no default.
Field | Description
NTP Server | Enter the IP address of the server or servers used to synchronize network clocks. There is no default. More than one NTP IP address may be specified (space separated). If you delete NTP servers, only those added manually are deleted. DHCP-assigned NTP servers continue to be available.

Click Add to save the configuration information.

IP Range

Select IP Range to configure address ranges for DHCP leases (Figure 143).

Figure 143: NM Services - DHCP Configuration - IP Range

Enter the following information on this panel:

Field | Description
Interface Name | Confirm the alphanumeric name of the AP interface. The default is br1, which is the default bridge.
IP Address Range | Select a radio button to specify the range of addresses available for assignment. Choose either of the following:
•IP Address/Maskbits—Enter the address and maskbits that define the subnet to be used for address assignment.
•Use Fixed IP Address Range—Specify a range of IP addresses by entering starting and ending addresses, with subnet prefix length.
Click Apply to save the address information. Add additional interfaces if desired. The added interfaces are listed in the DHCP Address Range table at the bottom of the panel. To delete a DHCP interface, select the interface in the DHCP IP Address Range table, and click Delete.

Leases

The Leases tab (Figure 144) lists each network computer serviced by DHCP and its lease information.

Figure 144: NM Services - DHCP Configuration - Leases

This table contains the following information:

Field | Description
MAC Address | Address that uniquely defines the DHCP client
Leased IP Address | IP address assigned by the DHCP server
Lease Time Remaining | Amount of time remaining on the current DHCP lease (in hours)
Static IP

Use the Static IP tab (Figure 145) to reserve static IP addresses for specific nodes.

Figure 145: NM Services - DHCP Configuration - Static IP

Enter the following information on this tab:

Field | Description
Fully Qualified Domain Name | Enter an alphanumeric name for the node, which is fully qualified by DNS.
Client MAC Address | Enter the MAC address that uniquely identifies the client station.
Assigned IP Address/Maskbits | Assign the static IP address and maskbits.

Click Add to save the information. The new entry is listed in the table at the bottom of the tab. To delete an entry, select the name in the DHCP Static IP Table, and click Delete.

Managing Network Faults

NM Portal aggregates alarms from all managed APs. Each AP can store up to 260 alarms locally. When the number of alarms exceeds this limit, the oldest alarms are deleted as needed. Use the Fault Management panels to view the system alarms and syslog entries. Alarms are raised as SNMP Traps, which are forwarded to the SNMP Sink Host (or Primary NMS).

Viewing Alarms

Choose Alarm Summary from the Fault Management menu to view counts and descriptions of alarms that occur in the network managed by NM Portal.
The Alarm Summary panel contains three tabs:

•Alarm Summary—View counts of system alarms in the managed network.
•Alarm Table—View a detailed list of alarms.
•Filter Table—Select events that should be filtered out of the reported alarm list.

Alarm Summary

The Alarm Summary tab (Figure 146) provides an aggregate count of alarms across the network managed by NM Portal. The Alarm Summary tab contains the following information:

Field | Description
Alarm Count | Total alarms in the managed network
Total Alarms Received | Total alarms from APs other than this AP
Total Alarms Filtered | Count of alarms not displayed because they were filtered out
Alarm Logging Start Time | Time at which the counts began

NOTE: The alarm count in the lower left corner of the Network Management Explorer window is the same as that given on the Alarm Summary tab. Click the Alarm Summary hyperlink to open the Alarm Summary tab.

Figure 146: Fault Management - Alarm Summary

Alarm Table

The Alarm Table tab (Figure 147) provides a detailed description of alarms and enables filtering of the alarm table for easy viewing and searching. A description of all the alarms is provided in “Airgo Access Point Alarms” on page 196 and additional details are presented in Appendix C, “Alarms.”

The Alarm Table includes the following information:

Field | Description
Alarm ID | Text description of the specific alarm
Alarm From | Device ID of the AP that reported the alarm
Field | Description
Description | Text description of the event
Log Time | Time the alarm occurred and was logged
From Module | The subsystem that is the source of the alarm. Modules include:
•Authentication
•Networking
•Distribution
•Configuration
•Wireless
•Discovery
•NM Portal
•SW Download

NOTE: The filtering function on the Alarm Table tab only affects the information that is displayed in the Alarm Table at the bottom of the tab. To remove some event types completely from the alarm list, use the Alarm Filter tab.
Figure 147: Fault Management - Alarm Summary - Alarm Table

Configure the following fields to define a viewing filter:

Field | Description
Alarm ID | Select an alarm from the list to view only those specific alarms.
Logging Module Name | Select from the list to filter all the alarms from a specific system logging module.
Alarms From (Host Address) | Select an AP to view only the alarms generated by that AP.
Logging Period | Enter a date range to show events during a specific interval of time.

Click Set Filter to apply the filter to the alarm table or Reset to clear the selected values.
Table 14: Airgo Access Point Alarms

Alarm ID | Description
Discovered new node | Generated when a new Airgo Access Point is discovered by NM Portal for the first time.
Node deleted from network | Generated when a previously-discovered node is deleted from the system. When the node is deleted, all information about that node is deleted from NM Portal. If the node’s IP address falls within the discovery scope, then the node will be re-discovered and added back to the set of the discovered nodes during the next discovery scan.
Managed nodes limit exceeded | Generated when the number of discovered nodes exceeds the limit defined in the Discovery Configuration panel, Configuration tab (see “Configuring Network Discovery” on page 182). If this alarm occurs, NM Portal ceases to discover or track any new nodes.
Node Enrolled | Generated when an Airgo AP has been successfully enrolled.
Node Un-Enrolled | Generated when an Airgo AP has been successfully rejected (un-enrolled).
Policy Download Successful | Generated when a policy is successfully downloaded to an AP.
Policy Download Failed | Generated when policy download to an AP is unsuccessful due to an error in the policy, software version mismatch, or other error.
Image download succeeded. | Generated when an image is successfully downloaded and applied to an AP.
Image download failed | Generated when image download to an AP is unsuccessful, due to corrupted images, images of invalid length, or connectivity failures.
Software distribution succeed | Generated when an image distribution is completed.
Radio enabled (BSS Enabled) | Generated when an AP radio is enabled. Indicates successful start of a BSS and includes the channel on which the AP radio will be operating.
Radio Disabled (BSS disabled) | Generated when an AP is disabled. Disabling can be user triggered for administrative purposes, caused by radio reset due to application of wireless configuration parameters, triggered by hardware, or due to a change in SSID.
BSS Enabling Failed | Generated when an attempt to enable an AP radio fails. Reason codes: 0 - Unspecified reason; 1 - System timeout attempting to enable BSS
Frequency Changed | Generated when operating frequency is changed for an AP radio due to user intervention or events such as periodic dynamic frequency selection (DFS). Reason codes: 0 - Triggered due to DFS; 1 - User Triggered
Table 14: Airgo Access Point Alarms (continued)

Alarm ID | Description
STA Association Failed | Generated when an 802.11 client station fails in its attempt to associate to the AP radio. Reason codes: 1 - Invalid parameters received from station in association request; 2 - Only stations are allowed to associate with this AP based on current configuration; 3 - Only backhauls can be formed with this AP based on current configuration; 4 - Max backhaul limit is reached based on the 'Max Trunks' configuration for AP Admission Criteria; 5 - Max station limit is reached based on the 'Max Stations' configuration for SSID; 6 - SSID received in association request does not match SSID in AP configuration. This can occur more often when AP is not broadcasting SSID in beacon (due to suppressed SSID or multiple SSIDs being configured) and station is associating with AP with a different SSID; 7 - Authentication and encryption requested by station does not match security policy of the AP; 8 - Multi Vendor Stations are not allowed to associate based on AP Admission Criteria; 9 - 802.11b stations are not allowed to associate based on AP Admission Criteria; 10 - Station is not allowed to associate and transferred to another AP Radio due to Load Balancing; 11 - Station is not allowed to associate because node does not have network connectivity
STA Associated | Generated when a client station succeeds in associating to the AP radio. The alarm message includes the current associated stations, type of association and user ID. The user ID is the user name if RADIUS authentication is used and the MAC address otherwise.
STA Disassociated | Generated when an 802.11 station is disassociated by the network or the station. Reason codes: 0 - Station initiated disassociation; 1 - Station has handed off to another AP; 2 - Disassociation triggered due to authentication failure after ULAP timeout; 3 - Disassociation triggered due to user action
Table 14: Airgo Access Point Alarms (continued)

Alarm ID | Description
WDS Failed | Generated when wireless backhaul formation fails. The message includes the MAC address of the end node. This alarm can help track losses in network connectivity. Reason codes: 0 - System Failure; 1 - Maximum BP count has been reached (this is relevant only for AP); 2 - Join attempt to the uplink AP failed (BP side only)
WDS Up | Generated when a wireless backhaul formation succeeds. The message includes the MAC address of the end node. Reason codes: 0 - Trunk has been established; 1 - Trunk has been optimized (re-established based on better connectivity)
WDS Down | This is a notification generated when a wireless backhaul has gone down. The remote end’s MAC address is provided. Reason codes: 0 - System Reason (unspecified); 1 - Loss of Link (applies to BP side only); 2 - Trunk brought down by uplink AP (applies to BP side only); 3 - User retrunk issued (this can occur due to new backhaul configuration being applied on BP); 4 - Trunk has reformed with another AP (AP side only); 5 - Trunk brought down by BP (applies to AP side only)
Guest Authentication Succeeded | Generated when a guest station is authenticated, and indicates the successful start of a guest access communications session. The guest user is offered the communications services specified in the guest profile for the specified SSID.
Guest Authentication Failed | Generated when a guest station fails authentication.
User Reject by RADIUS Server | Generated when user authentication fails. The AP radio and the RADIUS server which rejected the user are included in the message.
BP rejected by RADIUS Server | Generated when security portal has rejected the attempt by a BP radio to associate to the AP. This may mean that the BP is not enrolled in the same network as the AP or that the BP was just enrolled, but the enrollment database has not yet been synchronized across the network to all security portals.
RADIUS Server timeout | Generated when the RADIUS server fails to respond within the RADIUS timeout period. The RADIUS server may be unreachable over the network, or the shared secret for the RADIUS server is incorrectly configured on the AP. If multiple RADIUS servers are configured in this authentication zone, the AP will switch to using the next one in the list.
Table 14: Airgo Access Point Alarms (continued)

Alarm ID | Description
Management User login success | Generated when a management user successfully logs in to the local AP.
Management User login failure | Generated when a management user fails to log in to the AP.
STA failed EAPOL MIC check | Generated when the MIC fails during EAPOL key exchange process. If the authentication type is WPA PSK and the failure happened during the pairwise key exchange, then the most likely reason is incorrect configuration of the WPA PSK on the station. It could also mean that an attacker’s station is attempting to masquerade as a legal station.
STA attempting WPA-PSK – no Pre-shared Key is set for SSID | Generated when a client station attempts to perform WPA-PSK based authentication on a given SSID, but no WPA pre-shared key has been configured for that SSID.
Auth Server Improperly configured on this SSID | Generated when the AP has determined that a station requires an authentication server, but none is configured for this SSID. Authentication servers are needed for EAP based authentication and MAC address based ACL lookups.
STA failed to send EAPOL-Start | Generated when the AP has determined that a client station has failed to send an EAPOL-Start, possibly indicating incorrect configuration of the station. The AP expects the station to send an EAPOL-Start if the authentication type is deemed to be EAP based. This can happen when WPA EAP authentication is negotiated, or when WEP is enabled on the AP and no manual WEP keys are configured.
RADIUS sent a bad response | Generated during authentication, when the RADIUS server sends a bad or unexpected response. This would occur if the cryptographic signature check failed or an attribute is missing or badly encoded.
RADIUS timeout too short | Generated when the AP receives a late response from the RADIUS server, generally due to high network latency. The AP may have attempted multiple retries or may have switched to another RADIUS server by this time. If this alarm is generated repeatedly, it may be desirable to increase the timeout associated with the authentication server.
STA authentication did not complete in time | Generated when the station authentication sequence did not complete in time.
Upstream AP is using an untrusted auth server | Generated when the local BP determines that the upstream AP is using an untrustworthy authentication server. This could mean that the upstream AP is a rogue AP. If the downstream AP was previously enrolled in another network, it should be reset and re-enrolled in the new network.
Upstream AP is using a non-portal node as its auth server | Generated when the local BP determines that the upstream AP is using a node that is not a security portal as its authentication server. The BP is aware of the other Airgo node, but does not believe it is authorized to be a security portal.
Upstream AP failed MIC check during BP authentication | Generated when the MIC fails during EAPOL key exchange process with a BP radio.
Table 14: Airgo Access Point Alarms (continued)

Alarm ID | Description
Premature EAP-Success receive | Generated when an upstream AP sends an EAP success before authentication is complete. This may indicate that a rogue AP is trying to force an AP to join before authentication is complete.
Profile not configured for user-group | Generated when the AP determines that the station is a member of a group that does not have a service profile defined for this SSID.
STA has failed security enforcement check | Generated if the station attempts to use an encryption type that is not allowed in its service profile. The AP can advertise multiple encryption capabilities, but different stations may be restricted to different subsets of encryption capabilities based on their service profiles.
AP Detected Bad TKIP MIC | Generated when a bad TKIP MIC is detected on an incoming frame from a station that is encrypted with a pairwise/unicast key. All packets received by the AP are always encrypted with the pairwise/unicast key.
BP detected Bad TKIP MIC on Incoming Unicast | Generated when a bad TKIP MIC is detected by a local BP radio on an incoming frame encrypted with the pairwise/unicast key.
BP detected Bad TKIP MIC on Incoming Multicast/Broadcast | Generated when a bad TKIP MIC is detected by a local BP radio on an incoming multicast or broadcast packet from the AP, where the packet is encrypted with the group/multicast/broadcast key.
STA detected Bad TKIP MIC on Incoming Unicast | Generated when a bad TKIP MIC is detected by a station associated with this AP on an incoming unicast packet from the AP, where the packet is encrypted with the pairwise/unicast key.
STA detected Bad TKIP MIC on Incoming Multicast/Broadcast | Generated when a bad TKIP MIC is detected by a station associated with a radio on an incoming multicast or broadcast packet from the AP, where the packet is encrypted with the group/multicast/broadcast key.
TKIP counter-measures lockout period started | Generated when a TKIP counter-measures lockout period of 60 seconds is started. Indicates that the AP has determined that an attempt is underway to compromise the secure operation of TKIP. This happens if two MIC failures are detected within a 60 second interval. If this happens, the AP disassociates all stations and prevents new stations from associating for a period of 60 seconds.
EAP User-ID timeout | Generated when a station fails to send its user-ID in time to complete its authentication sequence using the specified authentication type. The two authentication modes that require the station to send its user-ID are WPA EAP and legacy 802.1x for dynamic WEP. This alarm may indicate that a user prompt is not attended to on the client side.
Table 14: Airgo Access Point Alarms (continued)

Alarm ID | Description
EAP response timeout | Generated when a station fails to send an EAP-Response in time to complete its authentication sequence using the specified authentication type and encryption. The two authentication modes that require the station to send EAP responses are WPA EAP and legacy 802.1x for dynamic WEP. This alarm may mean that a user prompt is not attended to on the client side. It may also indicate that the client silently rejected an EAP request sent from the RADIUS server, perhaps because it did not trust the RADIUS server’s credentials.
EAPOL Key exchange – message 2 timeout | Generated when a station fails to send the WPA EAPOL-Key Pairwise Message #2 in time to complete the pairwise key exchange.
EAPOL Key exchange – message 4 timeout | Generated when a station fails to send the WPA EAPOL-Key Pairwise Message #4 in time to complete its authentication sequence with a radio, using the specified authentication type and encryption.
EAPOL Group 2 key exchange timeout | Generated when a station fails to send the WPA EAPOL-Key Group Message #2 in time to complete its authentication sequence with a radio, using the specified authentication type and encryption.

Alarm Filter

Use the Alarm Filter tab (Figure 148) to eliminate selected events from the alarm displays in the Alarm Summary and Alarm Table tabs. Select an event ID from the list, and click Add to include the event type in the list of events that are not reported. Each added event is included in the Event Filter Table Drop List at the top of the tab. The table includes the event ID and a description. To remove an event from the list, select the event, and click Delete.
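The lockout rule in the “TKIP counter-measures lockout period started” row of Table 14 (two MIC failures within 60 seconds, then a 60-second lockout) can be replayed over an exported alarm list to check that the logged alarms are consistent with it. This is an added example, not Airgo code; the row layout (Log Time, Alarm From, Alarm ID), the device names, the 5-second tolerance, and the choice to count any of the five Bad TKIP MIC alarms from one device toward the rule are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)     # two MIC failures inside this interval start counter-measures
LOCKOUT = timedelta(seconds=60)    # length of the lockout period
TOLERANCE = timedelta(seconds=5)   # assumed slack between the trigger and the logged alarm

# Alarm IDs from Table 14 that report a bad TKIP MIC.
MIC_ALARMS = {
    "AP Detected Bad TKIP MIC",
    "BP detected Bad TKIP MIC on Incoming Unicast",
    "BP detected Bad TKIP MIC on Incoming Multicast/Broadcast",
    "STA detected Bad TKIP MIC on Incoming Unicast",
    "STA detected Bad TKIP MIC on Incoming Multicast/Broadcast",
}
LOCKOUT_ALARM = "TKIP counter-measures lockout period started"

# Constructed sample rows: (Log Time, Alarm From, Alarm ID). Device names are hypothetical.
SAMPLE_ALARMS = [
    ("2024-01-01 10:00:00", "AP-A", "AP Detected Bad TKIP MIC"),
    ("2024-01-01 10:00:40", "AP-A", "STA detected Bad TKIP MIC on Incoming Unicast"),
    ("2024-01-01 10:00:41", "AP-A", LOCKOUT_ALARM),
    ("2024-01-01 10:01:10", "AP-A", "AP Detected Bad TKIP MIC"),   # falls inside the lockout
    ("2024-01-01 10:05:00", "AP-A", "AP Detected Bad TKIP MIC"),   # isolated failure
    ("2024-01-01 11:00:00", "AP-B", "AP Detected Bad TKIP MIC"),
    ("2024-01-01 11:00:30", "AP-B", "AP Detected Bad TKIP MIC"),   # lockout alarm never logged
    ("2024-01-01 12:00:00", "AP-C", LOCKOUT_ALARM),                # no MIC alarms visible
]


def parse(rows):
    """Group rows by reporting device and sort each group by log time."""
    per_device = defaultdict(list)
    for log_time, device, alarm_id in rows:
        per_device[device].append((datetime.strptime(log_time, "%Y-%m-%d %H:%M:%S"), alarm_id))
    for events in per_device.values():
        events.sort()
    return per_device


def expected_lockouts(events):
    """Replay the two-failures-in-60-seconds rule for one device.

    Returns (lockouts, isolated): lockouts is a list of (start, end) windows,
    isolated is a list of MIC failure times that never paired with a second one.
    """
    lockouts, isolated = [], []
    pending = None        # MIC failure still waiting for a second one
    lockout_end = None
    for when, alarm_id in events:
        if alarm_id not in MIC_ALARMS:
            continue
        if lockout_end is not None and when < lockout_end:
            continue      # assumption: failures during a lockout do not re-arm the rule
        if pending is not None and when - pending <= WINDOW:
            lockouts.append((when, when + LOCKOUT))
            lockout_end = when + LOCKOUT
            pending = None
        else:
            if pending is not None:
                isolated.append(pending)
            pending = when
    if pending is not None:
        isolated.append(pending)
    return lockouts, isolated


def audit(rows):
    """Compare expected lockouts with logged lockout alarms, per device."""
    report = {}
    for device, events in parse(rows).items():
        lockouts, isolated = expected_lockouts(events)
        logged = [when for when, alarm_id in events if alarm_id == LOCKOUT_ALARM]

        def near(start, when):
            return start <= when <= start + TOLERANCE

        report[device] = {
            "lockouts": lockouts,
            "isolated": isolated,
            # lockout implied by the MIC alarms but no lockout alarm in the list
            "missing_alarm": [s for s, _ in lockouts if not any(near(s, t) for t in logged)],
            # lockout alarm in the list but the MIC alarms that caused it are absent
            "unexplained_alarm": [t for t in logged if not any(near(s, t) for s, _ in lockouts)],
        }
    return report


if __name__ == "__main__":
    for device, findings in sorted(audit(SAMPLE_ALARMS).items()):
        print(device, {key: [str(v) for v in values] for key, values in findings.items()})
```

A lockout implied by the MIC alarms but absent from the list is worth checking against the Alarm Filter tab and the 260-alarm local limit, both of which remove entries from what is displayed.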
Figure 148: Fault Management - Alarm Summary - Alarm Filter

Viewing the Syslog

Select SYSLOG from the Fault Management menu to view syslog messages used for network troubleshooting. The most recent messages are in the default message file, Messages, with the latest messages at the top. To view older messages, select the appropriate message.x file from the list on the SYSLOG panel (Figure 149). See “Syslog Configuration” on page 211 for instructions on configuring the syslog message output.
Figure 149: Fault Management - SYSLOG

Managing Users

Choose User Management from the Security Portal menu to manage the authentication of users by way of the internal RADIUS database on the NM Portal AP. The panel contains three tabs:

•Wireless Users—Manage users who seek access to the wireless network.
•Admin Users—Manage administrators responsible for the wireless network.
•MAC ACLs—Identify and manage users using the MAC addresses of their computers.
•Guest User—Set up automatic password generation for guest users. For a description of this tab, see “Configuring Guest Access” on page 153.

Adding Wireless Users

Choose User Management from the Security Portal menu to open the Wireless Users tab, which contains a list of current network users (Figure 150).
Figure 150: Security Portal - User Management - Wireless Users

To add a new user, click Add to open the Add Wireless User entry panel (Figure 151).

Figure 151: Security Portal - User Management - Add Wireless User

Enter the following information:

Field | Description
Login Name | Assign a login name for network access (required).
User Group | Select a user group as defined in the RADIUS server.
First Name | Enter the first name of the user.
Last Name | Enter the last name of the user.
Email ID | Enter the user’s email address.
Description | Enter a text description, if desired.

Click Add to save the user record, Reset to clear the fields on the panel, or Cancel to return to the Wireless tab without saving the record.

When a wireless user is added to the database, a unique certificate is generated for that user. The certificate must be installed on the user's PC. This can be done in one of two ways:
•Email. If an SMTP server is configured, then the certificate is mailed to the user. To install the emailed certificate on the PC:
  a. Ask the administrator for the password associated with the certificate. This password is displayed in the user details page.
  b. Double click on the certificate obtained through email. When the certificate installation wizard asks for the password, supply the previously-obtained password.
•Download. To download the certificate:
  a. Click the Wireless Users tab to display the list of users.
  b. Click the login name link for the user, or highlight the checkbox to the left of the Login Name, and click Details. This opens the View Wireless User panel (Figure 152).
  c. Click the link entitled Click Here to Download Certificate. A security certificate pop-up opens with a prompt to open or save the certificate.
  d. Save the certificate on your local computer.

Figure 152: Security Portal - User Management - View Wireless User

Adding Administrative Users

To give designated users access to NM Portal, open the Admin Users tab (Figure 153).

Figure 153: Security Portal - User Management - Admin Users
The tab opens with a list of current administrative users. To add a new user, click Add, and enter the following information in the Add Administrative User entry panel (Figure 154):

Figure 154: Security Portal - User Management - Add Administrative User

Field | Description
Login Name | Assign a login name for network access (required).
Password | Enter the password and enter it again in the Confirm Password field (required).
User First Name | Enter the first name of the user.
User Last Name | Enter the last name of the user.
Email ID | Enter the user’s email address.
Description | Enter a text description.

After entering the requested information, click Add. From the user list, you can also delete an existing user, modify user information, or view the details in a read-only table.

Adding MAC-ACL Users

Use the MAC-ACL tab (Figure 155) to identify and authenticate users by the MAC address of the computer rather than by login. This type of authentication is generally used to accommodate legacy equipment that does not support user-based authentication. MAC addresses are checked when the SSID has MAC-ACL enabled, and open access, static WEP keys, or WPA-PSK encryption are used. For more information on security options, see Chapter 7, “Managing Security.”
Figure 155: Security Portal - User Management - MAC-ACLs

The tab opens with a list of current MAC-ACL users. To add a new user, click Add and enter the following information in the Add MAC Address User entry panel (Figure 156):

Figure 156: Security Portal - User Management - Add MAC Address User

Field | Description
MAC Address | Enter the MAC address that uniquely identifies the device. Use the tab key to move between the successive two-character fields (required).
User Group | Select a group from the list or create a new group.
User First Name | Enter the first name of the user.
User Last Name | Enter the last name of the user.
Email ID | Enter the user’s email address.
Description | Enter a text description, if desired.

Click Add after entering the requested information. From the user list, you can delete an existing MAC-ACL user, modify user information, or view the details in a read-only table.
10 Maintaining the Access Point

This chapter describes the tools available to maintain the Airgo Access Point. It contains the following sections:

•Rebooting the AP
•Managing the System Configuration
•Click Apply to save the entries or Reset to return to the previously saved values.
•Upgrading Software
•Common Problems and Solutions

Rebooting the AP

Choose Reboot AP from the System Services menu to order a reboot of the access point. To begin the process, click Reboot (Figure 158). The process takes approximately 2 minutes, and may take additional time if the AP is currently used for wireless backhaul service.

Figure 157: System Configuration - Reboot AP

Managing the System Configuration

Choose System Configuration from the System Services menu to access the network-related configuration features of the Airgo AP and set up syslog parameters. The panel includes the following tabs:

•IP Configuration—Configure IP and host settings.
•Syslog Configuration—Set up and view the syslog.
•License Management—Set up the real time clock (RTC) to keep track of time in the event that power is lost to the AP.
•NMS Configuration—Specify the entities used for network management, including the NMS Pro server and NM Portal AP.
•Hardware Options—Enable the real time clock and buzzer.
IP Configuration

Use the IP Configuration tab (Figure 158) to update the IP and basic system configuration for the Airgo AP.

Figure 158: System Configuration - IP Configuration

The tab is divided into two sections. Click Apply after configuring each section, or Reset to return to the default values. Configure the following fields:

Field | Description
DHCP Assigned IP address | Enables the AP to obtain an IP address for the AP from the network DHCP server.
DNS IP Address | Enter the IP address of the DNS server. (required)
Management IP address/Maskbits | Enter the IP address and subnet prefix of the management server. (required)
Gateway IP address | Enter the IP address of the network gateway. (required)
Host Name | Enter a unique name for the AP. The default is the device ID, which is derived from the MAC address. (required)
AP Location | Enter a text description of the physical location of the AP.
Administrator Contact | Enter the email address of the administrative contact for the AP.

Syslog Configuration

Syslog tracks and records information about network activities for later viewing and analysis. The top area of the Syslog panel (Figure 159) provides controls to set the logging level and scope for a variety of functional areas or modules.

Figure 159: System Configuration - Syslog Configuration

CAUTION: Only an authorized administrator should change syslog levels or enable or disable syslog capabilities. Arbitrary changes to syslog can adversely affect the AP.

The tab contains the following settings:

Field | Description
Syslog-Level | Select the activity level that triggers a syslog entry. Choose from several levels (Emergency, Alert, Critical, Error, Warning, Notice, Info, or Debug). (required)
Syslog-Level Module | Select whether to record a specific type of activity, or include all the activities in the list. (required)
Remote Syslog Logging | Indicate whether to enable a remote server to monitor events across the network.
Remote Syslog Server | If the Syslog server is enabled, enter the remote server hostname or IP address.
Remote Syslog Server Port | If the Syslog server is enabled, enter the IP address or hostname of the server port. (optional)

License Management

Use the License Management tab (Figure 160) if it is necessary to change the license key for the AP. Enter or verify the license key for the AP, and click Apply. Click Reset to restore the previous license key.

Figure 160: System Configuration - License Management

NMS Configuration

Use the NMS Configuration tab (Figure 161) to identify network management servers and to determine which network management system will receive fault and event notifications.

NOTE: If the AP is already enrolled, it is not necessary to modify the settings on this panel.

Figure 161: System Configuration - NMS Configuration

Enter the following values to set the NMS configuration:

Field | Description
Primary Manager IP | Enter the IP address of the NM Portal or NMS Pro server responsible for managing the AP. (required)
Auxiliary Manager IP | If applicable, enter the IP address of the NM Portal AP used to manage the AP at the branch location (in conjunction with an NMS Pro server as a primary manager).

Click Apply to save the entries or Reset to return to the previously saved values.

Hardware Options

Select HW Options (Figure 162) to set the buzzer and the real time clock (RTC), which keeps track of the date and time in the event that the AP loses power. This feature is not required if the AP is always connected to the Internet.

Figure 162: System Configuration - Hardware Options

Select the following parameters on this tab:

Field | Description
Enable Real Time Clock | Use the real time clock (RTC).
Enable Buzzer | Activate the AP buzzer to locate the AP, if necessary.

Click Apply to save the entries or Reset to return to the previously saved values.

Managing the AP Configuration

Choose Configuration Management from the System Services menu to open the Configuration Management feature panel. The panel contains the following tabs:
• Secure Backup—Use https to perform a secure backup of the AP configuration.
• Configuration Backup—Back up and restore configurations, export log files, and reset the AP configuration to the factory defaults.
• Configuration Reports—View configuration reports for the AP.
• Reset Configuration—Revert to the factory default configuration, or reset specific subsystems to default configuration.

Secure Backup

Perform the following functions on the Secure Backup tab (Figure 166):

Task: Back up the AP configuration using https
1. Click Save Configuration.
2. When the configuration is generated, a hyperlink is displayed. Right-click and select Save As to save the configuration locally.
3. After the configuration file is saved, click Delete to remove the file from the AP. The file takes up space on the AP disk, so it is recommended to remove it.

Figure 163: Configuration Management - Secure Backup

Task: Restore the AP configuration
1. In the Restore Configuration area, click Browse and select the configuration file.
2. Click Apply to restore the configuration and reboot the AP.
NOTE: If the AP has been unenrolled or restored to factory defaults, it is not possible to reapply the configuration using this method. The AP must be reenrolled and have a new configuration created.

Task: Generate support logs
1. Click Generate Support Logs.
2. When the configuration is generated, a hyperlink is displayed. Right-click and select Save As to save the configuration locally.
3. After the support logs file is saved, click Delete to remove the file from the AP. The file takes up space on the AP disk, so it is recommended to remove it.

Configuration Reports

Select any of the following configuration reports on this tab (Figure 164):

Report | Description
Startup-Config | Provides details on the configuration that is stored on the AP flash device and used each time the AP reboots.
Running-Config | Provides details on the current AP configuration, which may or may not match the startup configuration.
Default-Config | Lists the factory default settings shipped on the AP.

Click Refresh to update the selected report.

Figure 164: Configuration Management - Configuration Reports

Reset Configuration

Use the Reset Configuration tab to reset the AP configuration or revert to the defaults for individual subsystems (Figure 165).

Figure 165: Configuration Management - Reset Configuration

Perform the following functions on this tab:

Function: Reset to Default
1. Select Reset AP Startup Configuration Only or AP Configuration and Databases to Factory Defaults.
2. Click Apply to reboot the AP with the selected configuration.

Function: Reset Subsystems to Defaults
1. Select one or more individual subsystems to reset.
2. Click Apply to reboot the AP with the selected defaults.

Click Reset to clear the selections on the tab.

TFTP Backup

Use the TFTP Backup tab (Figure 166) to back up and restore configurations on an external TFTP server. Perform the following functions on this tab:

Task: Save configuration
1. Indicate whether to save the AP configuration each time a save operation is done.
2. Click Apply. Click Save Configuration to save the current settings on demand.

Task: Back up the configuration to a TFTP server
1. Enter the IP address of the TFTP server.
2. Enter or confirm the configuration file name.
3. Click Apply to restore the configuration and reboot the AP.
NOTE: If the AP has been restored to factory defaults, it is not possible to reapply the configuration using this method. The AP must be reenrolled and a new configuration created.

Task: Restore the configuration
1. Enter the IP address of the TFTP server.
2. Enter or confirm the name of the configuration file.
3. Click Apply.

Task: Export support logs
1. Enter the IP address of the TFTP server.
2. Enter or confirm the name of the log file.
3. Click Apply.

The Reset buttons on the panel clear the field entries in the associated section.

Figure 166: Configuration Management - TFTP Backup

Upgrading Software

From the NM Portal web interface, you can upgrade the software on enrolled APs throughout the network in one operation. You can also upgrade any individual, non-portal AP from the AP web interface. The same interface is used for both situations; however, access to the interface is different for an NM Portal than for a non-portal AP.
• If the AP is an NM Portal, click Manage Wireless Network to open the NM Portal interface, and then choose Admin Tools > Software Upgrade to open the Software Upgrade panel (Figure 167).
• If the AP is a non-portal AP, choose Admin Tools > Software Upgrade to open the Software Upgrade panel.

NOTE: The AP license file is not affected by software upgrades. The existing software license remains valid after the AP software is upgraded.

Figure 167: Software Upgrade

The Software Upgrade panel offers two upgrade options. The Software Image Upgrade option uses https to download the software image to the AP. The Software Download via TFTP option uses TFTP to download the software image. Select only one of these options; it is not possible to use both methods at the same time.

The software upgrade process for an NM Portal consists of the following three steps:

Step | Description
Staging | The software image is downloaded to the Airgo AP.
Selection | APs are selected for software upgrade.
Distribution | The software upgrade image is distributed to the selected APs, installed, and the AP is rebooted.

If you are upgrading a non-portal AP or using TFTP as the download method, then the staging, selection, and distribution steps happen as a single process that cannot be interrupted once it begins. If you use the Software Image Upgrade selection in NM Portal, then staging, selection, and distribution are separate steps that can be monitored and canceled if needed.

Software Image File

The AP software image file conforms to an Airgo-defined format that uses the filename extension .img. During download, the filename extension and structure are verified and the download is stopped if a problem with the file is detected.

Upgrading the AP Software

This section provides information for upgrading AP software using both the TFTP and https software download options.

Upgrade Using https Download - Individual Non-Portal AP

To upgrade a non-portal AP using https download:
1. Choose Admin Tools > Software Upgrade.
2. Browse to select the .img software image file.
3. Click Download. A confirmation dialog appears asking you to confirm the software download.
4. Click OK.

The software image is downloaded to the AP, the AP software image is upgraded, and the AP is automatically rebooted.

Upgrade and Distribution Using https Download - NM Portal AP

To upgrade APs from NM Portal using https download:
1. Choose Admin Tools > Software Upgrade.
2. Browse to select the .img software image file.
3. Click Download. A confirmation dialog asks you to confirm the software download.
4. Click OK.
The system verifies the filename extension and header information. When successful, the Software Download Status panel opens (Figure 168). Staging is now complete.
5. Select the APs to receive the upgrade.
6. Click Distribute. A confirmation dialog asks you to confirm that the upgrade should now begin.
7. Click OK.

NOTE: It is important to perform software upgrades during a scheduled maintenance window. Upgrading takes approximately 4-5 minutes per AP, and upgrading multiple APs from an NM Portal is a serial process. To manage system resources during a software upgrade, the AP shuts down some services (such as CLI sessions) to create temporary memory and to validate the image prior to writing to the AP's flash.

CAUTION: Do not leave the Software Upgrade panel while download is taking place. If you click another menu item during download, the download process is canceled.

Figure 168: Software Upgrade - Download Status

The software distribution process begins by sending the software to the first selected AP. As soon as this AP receives the software, it upgrades its image and reboots automatically. The process then moves to the next selected AP. After all the APs have been upgraded, the NM Portal AP is upgraded and rebooted. The administrator must again log in to the NM Portal web interface after an upgrade and reboot.

Upgrade Using TFTP Download

To upgrade an NM Portal or non-portal AP using TFTP download:
1. Choose Software Upgrade from the Admin Tools menu.
2. Enter the IP address of the TFTP server.
3. Enter the name of the image file on the TFTP server. The default file is target.ppc.ani.img, under the boot directory of the TFTP server. Relative paths can be used when specifying the file name.
4. Click Apply. A pop-up message asks for confirmation that you want the upgrade to begin.
5. Click OK.

The download process begins. Every 10 seconds the screen is updated with new status information. If the download is successful, the AP is automatically rebooted with the new software image. If the download is unsuccessful, an explanatory message is displayed in the Download Status column.

Canceling a Distribution

To cancel software distribution at any time, you must click Cancel All. This cancels distribution to APs that have not yet been upgraded, restarts services that were shut down during the upgrade, and removes the image file from the AP RAM. Cancellation is performed serially for multiple AP distributions. Canceling during distribution does not cause any damage to the APs. If the distribution on a remote AP is canceled, the AP will be automatically rebooted. You can cancel distribution to an individual AP at any time except when the status is Updating Flash…, Error, or Done (Rebooting…).

If you leave the Software Upgrade panel before the distribution is complete without clicking Cancel All, software distribution continues in the background, but it is not possible to return to the Distribution Status page.

Download Status

During distribution, the Download State column displays the current status of the distribution process (see Figure 168). Status information is automatically updated every 10 seconds. The status information shows clearly the stage of the distribution process and identifies any problems. Table 15 lists the possible status values and their meaning.

Status | Explanation
Not scheduled | This AP has not been scheduled to receive a software update.
Scheduled | The update has been ordered for this AP, but has not yet begun.
Canceling | A request has been made to cancel the distribution; however, the request is not complete. For example, this message is displayed if a request has been made to cancel distribution to an AP waiting its turn in the distribution list.
Canceled | Distribution to the AP is canceled.
AP Unreachable | The enrolled AP is not reachable for distribution.
Retrying 1, Retrying 2 | If communication with the AP is lost during distribution, the process waits for two minutes and then retries the distribution. Three retries are attempted before the process stops and an error message is presented. Retrying 1 and Retrying 2 status represent the first and second retries. Retries may occur, for example, during upgrade of backhaul APs, if the radio signal is temporarily lost and retrunking is required. There is a timeout of 2 minutes in between retries. With a total of three retries, it can take up to 10 minutes before a distribution on an AP is deemed to be in error. The message changes to In Progress .. (XX %) when the retry actually starts.
In Progress .. (XX %) | Upgrade is underway on the AP and is XX% complete.
Error | All retries have finished and the AP could not be upgraded due to some internal error.
Unknown | An unknown error has occurred.
Image Integrity Error | The image has passed the compatibility test but failed the integrity check after the distribution, but before the flash update.
Updating Flashing ... | Image distribution is complete and it is being saved onto the AP's flash memory.
Done. Rebooting... | The flashing is complete and the AP is rebooting.

When the distribution is complete, the message Software Distribution is Complete is displayed, regardless of whether the distribution was successful. If a portal AP is not included in the download, then all services are restarted automatically after the distribution.

Image Recovery

During the upgrade process, care is taken to validate the image integrity and compatibility with AP hardware. If a new image is successfully upgraded but fails to initialize during subsequent reboot, the AP automatically performs a “safe” boot from the backup partition.

Common Problems and Solutions

Table 15 lists common problems that can occur along with recommended solutions.

Table 15: Common Problems and Solutions

Symptom: AP power and Ethernet Link LEDs are off.
Problem: Power is off or unconnected.
Solution: Check the power connection to make sure it is plugged in. Also check the power outlet. If necessary, plug some other appliance into the outlet to verify power.

Symptom: AP power LED is on, but the Ethernet Link LED is off.
Problem: Ethernet cable is unconnected or unable to access the LAN.
Solution: Check the Ethernet cable connection between the AP and network port. Make sure to use a regular CAT-5 standard Ethernet cable, and not a crossover cable (usually used for uplinks between switches and routers). If in doubt, swap the cable for a known, working cable. If the port is non-functional, it may be necessary to use another working network port.

Symptom: Unable to configure the Access Point through the web browser interface.
Problem: Computer is unable to reach the Access Point over the Local Area Network (LAN).
Solution: Check to make sure the Access Point power LED is on. Check the Ethernet cable connections to both the computer and to the AP. Make sure that the network adapter in the computer is working properly. Check to see whether the IP address is on the same subnet as the Access Point.

Symptom: Poor or lower than expected signal strength, as measured by wireless network adapters attempting to connect to the Access Point.
Problem: Access Point may be poorly placed, or external antenna not connected properly.
Solution: The Access Point and/or its external antenna should not be in an obstructed location. Metallic objects (such as equipment racks) and some construction materials can block wireless signals. If this is the case, reposition the Access Point(s) and/or any external antennae to be free of these obstructions. If using an external antenna, also make sure that it is connected securely to the Access Point.

A Using the Command Line Interface

This appendix explains how to access and interact with the command line interface (CLI). For detailed information on specific commands, see the CLI Reference Manual.

Using the Command Line Interface

To connect to the AP for command line interface access using Secure Shell (SSH), do the following:
1. Launch your SSH client application.
2. Type ssh admin@<AP IP address>, using the AP IP address assigned to the Access Point (or 192.168.1.254 by default) and press Return.
When connected, a screen opens similar to the one shown in Figure 169.

Figure 169: Access Point Serial Console Login Screen

3. Enter your login ID and press Return. When prompted next, enter your password. The factory default for administrator access is user name: admin. If the AP has not been initialized, the user name field is grayed out. The factory default password is shipped with the AP on a paper insert. Use the password from the insert to log in.

NOTE: SSH Communications provides an SSH client, http://www.ssh.com.
4. To see the list of available commands, type a question mark (?). For a list of hot keys (shortcuts for console functions), press Ctrl-H.

There are two important modes in console access: show mode and config mode. In show mode, examine the AP’s configuration settings and status. Use config mode to change values. To go into either mode from the main command> prompt, type either show or config.

Toggle between show and config modes by pressing Ctrl-P. Leave a mode and return to the top level command prompt by typing exit.

5. To log out and close your connection to the command line interface, type logout at any prompt.

Using the Console Port for CLI Access

To connect to the AP for command line interface (CLI) access using the built-in console port, do the following:
1. Connect your computer to the AP console port using a serial DCE cable (this is typically a 9-pin-to-9-pin cable with the transmit and receive lines crossed over, a null modem cable). A USB-to-Serial adapter may be required if the computer lacks a 9-pin serial port.
2. Launch your terminal emulation application. On PCs running Microsoft Windows operating systems, the Microsoft-provided application HyperTerminal will work fine. (This is accessed usually through Programs > Accessories > Communications > HyperTerminal. The remainder of this procedure assumes the use of HyperTerminal. Modify the procedures accordingly if using another application.)
3. Create a terminal connection profile if one does not already exist. Enter a descriptive name and select any icon from the list provided. Click OK when done. If there is a working HyperTerminal connection profile, select that shortcut instead to launch the connection, and skip to step 7.
4. The Connect To screen displays. The important element there is to use the Connect using: drop down box, and select the serial port to which the AP is connected. Click OK when done.
5. Use the following port settings:
• Bits per second: 115200
• Data bits: 8
• Parity: None
• Stop bits: 1
• Flow control: None
6. Click OK when done. When connected, a screen opens similar to the one shown in Figure 169.
7. If the console login screen in the HyperTerminal does not open, press Return once or twice. If you still see nothing or garbage characters appear, check the cable connection and the terminal connection parameters.
8. Enter your login ID and press Return. When prompted next, enter your password. (The AP defaults are login admin and password: password, and login opr and password opr for operator (read-only) access.)
9. To see the list of available commands, type a question mark (?). For a list of hot keys (shortcuts for console functions), press Ctrl-H.

There are two important modes in console access: show mode and config mode. In show mode, examine the AP’s configuration settings and status. Use config mode to change values. To go into either mode from the main command> prompt, type either show or config.

Toggle between show and config modes by pressing Ctrl-P. Leave a mode and return to the top level command prompt by typing exit.

To log out and close your connection to the command line interface, type logout at any prompt.

B Regulatory and License Information

This appendix contains the regulatory and license information specific to the Airgo Access Point hardware and software.

Table 16: Regulatory and License Compliance

ID | Access Point Requirement | Details
CERT1 | Safety | UL 1950 third edition TUV approval; UL-2043 (Fire and Smoke) Compliance
CERT2 | EMC | EMC Directive 89/336/EEC (CE Mark)
CERT3 | Radio Approvals | FCC CFR47 Part 15, section 15.247; FCC (47CFR) Part 15B, Class B Emissions; Canada IC RSS210; Japan MPT Radio Regulations; Europe: ETS 300.328

C Alarms

Alarms generated by the Airgo Access Point are stored persistently on the AP. The Airgo AP can store approximately 130 * 2 = 260 alarms in total. When the number of alarms exceeds this limit, the oldest alarm set is discarded. All alarms generated by the Airgo Access Point have the following parameters:
• Event ID: The internal event number that uniquely identifies the event.
• Log-level: The criticality of the event. All alarms are logged at the same criticality.
• Log-time: The time as determined by the clock on the Access point, when the alarm was logged. All forwarded alarms have the log-time set to the clock time on the originating Access point.
• Module: The subsystem on the Access point that generated the alarm.
• Source: The hostname or IP address of the access point that generated the alarm.
• Description: The alarm details.

Use the Airgo AP CLI to display the alarm table as follows:

Examples:

system(show)> alarm-table
event-id    : 102
log-level   : 2
log-time    : Tue Jan  4 16:14:01 2000
module      : WSM
source-ip   : AP_00-0A-F5-00-02-1F
description : Device ID AP_00-0A-F5-00-02-1F radio 6 is enabled, its operational
              state is 2 operating on 11
--------------------------------------------------------------------------------
event-id    : 103
log-level   : 2
log-time    : Tue Jan  4 17:04:28 2000
module      : WSM
source-ip   : AP_00-0A-F5-00-02-1F
description : Device Id AP_00-0A-F5-00-02-1F radio 4 disabled
--------------------------------------------------------------------------------

The following section describes in detail the alarm syntax and alarm parameters. The alarm and its parameters together are shown as “description” above.
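
To review alarms outside the CLI, for example from a captured SSH session, the alarm-table output can be parsed into structured records. The following is an added example, not part of the Airgo manual or software; the function names and the cutoff date are assumptions made here, and the sample is the output printed above.

```python
import re
from datetime import datetime

# The alarm-table output shown in this appendix, including the prompt echo.
SAMPLE = """\
system(show)> alarm-table
event-id    : 102
log-level   : 2
log-time    : Tue Jan  4 16:14:01 2000
module      : WSM
source-ip   : AP_00-0A-F5-00-02-1F
description : Device ID AP_00-0A-F5-00-02-1F radio 6 is enabled, its operational
              state is 2 operating on 11
--------------------------------------------------------------------------------
event-id    : 103
log-level   : 2
log-time    : Tue Jan  4 17:04:28 2000
module      : WSM
source-ip   : AP_00-0A-F5-00-02-1F
description : Device Id AP_00-0A-F5-00-02-1F radio 4 disabled
--------------------------------------------------------------------------------
"""

FIELDS = ("event-id", "log-level", "log-time", "module", "source-ip", "description")
FIELD_RE = re.compile(r"^(%s)\s*:\s*(.*)$" % "|".join(map(re.escape, FIELDS)))
SEPARATOR_RE = re.compile(r"^-{20,}$")


def _finish(raw):
    """Collapse wrapped whitespace and convert numeric and time fields."""
    rec = {key: " ".join(value.split()) for key, value in raw.items()}
    for key in ("event-id", "log-level"):
        if key in rec:
            rec[key] = int(rec[key])
    if "log-time" in rec:
        rec["log-time"] = datetime.strptime(rec["log-time"], "%a %b %d %H:%M:%S %Y")
    return rec


def parse_alarm_table(text):
    """Return one dict per alarm record found in alarm-table output."""
    records, current, last_key = [], {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if SEPARATOR_RE.match(line):
            if current:
                records.append(_finish(current))
            current, last_key = {}, None
            continue
        match = FIELD_RE.match(line)
        if match:
            if match.group(1) == "event-id" and current:
                # A new record began without a separator line.
                records.append(_finish(current))
                current = {}
            last_key = match.group(1)
            current[last_key] = match.group(2)
        elif line[:1].isspace() and last_key:
            # Indented line: continuation of a wrapped value (the description).
            current[last_key] += " " + line.strip()
        # Anything else (prompt echo, blank lines) is ignored.
    if current:
        records.append(_finish(current))
    return records


def logged_before(records, cutoff):
    """Records whose log-time precedes cutoff. Assumption: a time earlier than
    the deployment date means the AP clock was not set when the alarm was logged."""
    return [r for r in records if "log-time" in r and r["log-time"] < cutoff]


if __name__ == "__main__":
    for record in parse_alarm_table(SAMPLE):
        print(record["event-id"], record["log-time"].isoformat(), record["description"])
```

Because log-time comes from the AP's own clock, comparing it with the deployment date before correlating alarms with other logs avoids building a timeline on unset clocks.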

The following alarms are described:
• Discovery: Discovered new node
• Discovery: Node deleted from network
• Discovery: Managed nodes limit exceeded
• Enrollment: Node Enrolled
• Enrollment: Node Un-enrolled
• Policy: Policy Download Successful
• Policy: Policy Download Failed
• Software Download: Image Download Succeeded
• Software Download: Image Download Failed
• Software Download: Software Distribution Succeeded
• Wireless: Radio enabled (BSS Enabled)
• Wireless: Radio Disabled (BSS disabled)
• Wireless: BSS Enabling Failed
• Wireless: Frequency Changed
• Wireless: STA Association Failed
• Wireless: STA Associated
• Wireless: STA Disassociated
• Wireless: WDS Failed
• Wireless: WDS Up
• Wireless: WDS Down
• Security: Guest Authentication Succeeded
• Security: Guest Authentication Failed
• Security: User rejected by RADIUS Server
• Security: BP rejected by RADIUS Server
• Security: RADIUS Server timeout
• Security: Management User login success
• Security: Management User login failure
• Security: STA failed EAPOL MIC check
• Security: STA attempting WPA PSK – no Pre-shared Key is set for SSID
• Security: Auth Server Improperly configured on this SSID
• Security: STA failed to send EAPOL-Start
• Security: RADIUS sent a bad response
• Security: RADIUS timeout too short
• Security: STA authentication did not complete in time
• Security: Upstream AP is using an untrusted auth server
• Security: Upstream AP failed MIC check during BP authentication
• Security: Premature EAP-Success received
• Security: Profile not configured for user-group
• Security: STA has failed security enforcement check
• Security: Guest Authentication Failed
• Security: BP Detected Bad TKIP MIC on Incoming Unicast
• Security: BP Detected Bad TKIP MIC on Incoming Multicast/Broadcast
• Security: STA Detected Bad TKIP MIC on Incoming Unicast
• Security: STA Detected Bad TKIP MIC on Incoming Multicast/Broadcast
• Security: TKIP counter-measures lockout period started
• Security: EAP response timeout
• Security: EAPOL Key exchange – message 2 timeout
• Security: EAPOL Group 2 key exchange timeout

Discovery: Discovered new node

Alarm generated when a new Airgo AP is discovered in the network.

Syntax: DeviceId %s discovered node [deviceId=%s, IP=%s, Subnet=%s].

Alarm Parameters
DeviceID | The Portal’s Device ID.
deviceId | The discovered node’s device ID
IP | The discovered node’s IP address
Subnet | The Subnet to which the discovered node belongs

Alarm Severity
Severity | Critical

Description: This alarm is generated when an Airgo AP is discovered by the NM Portal the first time.

Usage: Informational log.

Examples: DeviceId AP_00-0A-F5-00-02-1F discovered node [deviceId=AP_00-0A-F5-00-01-B0, IP=192.168.75.244, Subnet=255.255.254.0].

See Also: <Node deleted from network>

Discovery: Node deleted from network

Generated when a node is deleted from the Portal network.

Syntax: DeviceId %s Node [Ip=%s, persona=%d] deleted from database.

Alarm Parameters
DeviceId | The Device ID of the NM Portal
Ip | The IP address of the node being deleted.
Persona | The Persona of the node being deleted.

Alarm Severity
Severity | Critical

Description: This alarm is generated when a discovered node is deleted from the system. When a node is deleted, all information about that node is erased from the Portal. If the node’s IP address falls within the discovery scope, then the node will be re-discovered and added back to the set of the discovered nodes on the next discovery sweep.

Usage: Informational log.

Examples: DeviceId AP_00-0A-F5-00-02-1F Node [Ip=192.168.74.210, persona=6] deleted from database.

See Also: <Discovered new node>

Discovery: Managed nodes limit exceeded

Generated when the number of nodes discovered exceeds the predefined limit on the NM portal.

Syntax: On Device %s Node[Ip=%s] managed node limit exceeded. Current managed nodes limit is %d.

Alarm Parameters
Device | The Device ID of the NM Portal
IP | The IP address of the node being deleted.
Node Limit | The current limit imposed on the discovery server.

Alarm Severity
Severity | Critical

Description: This alarm is generated when the number of discovered nodes exceeds the predefined limit. The current limit on number of access points discovered is 50. This limit can be configured to be lower.

Usage: If this alarm occurs, the discovery server will neither discover nor track any new nodes once this limit is reached. In that case, delete unwanted nodes and manually add the nodes to the discovery database so that they may be managed.

Examples: On Device AP_00-0A-F5-00-02-1F Node[Ip=192.168.74.245] managed node limit exceeded. Current managed nodes limit is 10.

See Also:

Enrollment: Node Enrolled

Alarm generated when an Airgo AP is enrolled into the network.

Syntax: NMPortal with DeviceId %s has successfully enrolled a remote node having ApDeviceId=%s NodeIp=%s and Persona=%d

Alarm Parameters
DeviceId | The Device ID of the NMPortal
ApDeviceId | The Device ID of the remote AP
NodeIp | The IP address of the remote AP
Persona | The Persona of the remote AP: 6 = Security Portal, 2 = Normal AP

Alarm Severity
Severity | Critical

Description: This alarm is generated when the Airgo AP has been successfully enrolled into the network.

Usage: Informational log.

Examples: NMPortal with DeviceId AP_00-0A-F5-00-01-77 has successfully enrolled a remote node having DeviceIdId=AP_00-0A-F5-00-01-7A NodeIp=172.16.12.4 and persona=2

See Also: <Node Unenrolled>

Enrollment: Node Un-enrolled

Alarm generated when the Airgo AP is rejected (un-enrolled) from the network.

Syntax: NMPortal with DeviceId %s has successfully unenrolled the remote node having ApDeviceId=%s NodeIp=%s and Persona=%d

Alarm Parameters
DeviceId | The Device ID of the NMPortal
ApDeviceId | The Device ID of the remote AP
NodeIp | The IP address of the remote AP
Persona | The Persona of the remote AP: 6 = Security Portal, 2 = Normal AP

Alarm Severity
Severity | Critical

Description: This alarm is generated when the Airgo AP has been successfully rejected (un-enrolled) from the network.

Usage: Informational log.

Examples: NMPortal with DeviceId AP_00-0A-F5-00-01-77 has successfully enrolled a remote node having DeviceIdId=AP_00-0A-F5-00-01-7A NodeIp=172.16.12.4 and persona=2

See Also: <Node Enrolled>
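
The Syntax strings for the Discovery and Enrollment alarms above are printf-style templates, so they can be compiled into parsers for the description field. The following is an added example, not part of the Airgo manual or software; the parameter names and the tolerant fallback are assumptions made here. It also shows that the manual's own Node Enrolled example (DeviceIdId=, persona=) does not match the documented syntax exactly, so a strict parser alone would drop it.

```python
import re

# (alarm name, Syntax string as printed in this appendix, parameter labels).
# The parameter labels are hypothetical names chosen for this example.
TEMPLATES = [
    ("Discovery: Discovered new node",
     "DeviceId %s discovered node [deviceId=%s, IP=%s, Subnet=%s].",
     ("portal", "node", "ip", "subnet")),
    ("Discovery: Node deleted from network",
     "DeviceId %s Node [Ip=%s, persona=%d] deleted from database.",
     ("portal", "ip", "persona")),
    ("Discovery: Managed nodes limit exceeded",
     "On Device %s Node[Ip=%s] managed node limit exceeded. "
     "Current managed nodes limit is %d.",
     ("portal", "ip", "limit")),
    ("Enrollment: Node Enrolled",
     "NMPortal with DeviceId %s has successfully enrolled a remote node "
     "having ApDeviceId=%s NodeIp=%s and Persona=%d",
     ("portal", "node", "ip", "persona")),
    ("Enrollment: Node Un-enrolled",
     "NMPortal with DeviceId %s has successfully unenrolled the remote node "
     "having ApDeviceId=%s NodeIp=%s and Persona=%d",
     ("portal", "node", "ip", "persona")),
]
PERSONA = {6: "Security Portal", 2: "Normal AP"}  # values listed in the manual
INT_PARAMS = {"persona", "limit"}                 # parameters printed with %d
_CONV = re.compile(r"%([sd])")
_KEY = re.compile(r"\w+=$")


def compile_template(template, names, tolerant=False):
    """Turn a printf-style Syntax string into a regex with named groups.

    tolerant=True ignores case and accepts any label before '=', because
    the label printed by a device may differ from the documented one.
    """
    parts, names, out = _CONV.split(template), iter(names), []
    for i, part in enumerate(parts):
        if i % 2:  # odd items are the conversion letters (s or d)
            value = r"\S+?" if part == "s" else r"-?\d+"
            out.append("(?P<%s>%s)" % (next(names), value))
            continue
        key = _KEY.search(part) if tolerant else None
        if key and i + 1 < len(parts):  # label directly before a conversion
            out.append(re.escape(part[:key.start()]) + r"\w+=")
        else:
            out.append(re.escape(part))
    return re.compile("".join(out), re.IGNORECASE if tolerant else 0)


_COMPILED = [(name, compile_template(t, n), compile_template(t, n, True))
             for name, t, n in TEMPLATES]


def classify(description):
    """Return (alarm name, parameters, matched_strictly) or None."""
    text = " ".join(description.split())  # undo line wrapping
    for strict in (True, False):          # exact syntax first, then tolerant
        for name, exact, loose in _COMPILED:
            match = (exact if strict else loose).fullmatch(text)
            if match:
                params = {k: int(v) if k in INT_PARAMS else v
                          for k, v in match.groupdict().items()}
                if "persona" in params:
                    params["persona_name"] = PERSONA.get(params["persona"], "unknown")
                return name, params, strict
    return None


# Example descriptions copied from this appendix.
EXAMPLES = [
    "DeviceId AP_00-0A-F5-00-02-1F discovered node "
    "[deviceId=AP_00-0A-F5-00-01-B0, IP=192.168.75.244, Subnet=255.255.254.0].",
    "DeviceId AP_00-0A-F5-00-02-1F Node [Ip=192.168.74.210, persona=6] "
    "deleted from database.",
    "On Device AP_00-0A-F5-00-02-1F Node[Ip=192.168.74.245] managed node limit "
    "exceeded. Current managed nodes limit is 10.",
    "NMPortal with DeviceId AP_00-0A-F5-00-01-77 has successfully enrolled a remote "
    "node having DeviceIdId=AP_00-0A-F5-00-01-7A NodeIp=172.16.12.4 and persona=2",
]

if __name__ == "__main__":
    for example in EXAMPLES:
        print(classify(example))
```

Descriptions that return None, and those that match only in tolerant mode, are worth logging separately so that format drift between firmware and documentation is noticed rather than silently discarded.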

Policy: Policy Download Successful
Alarm generated when a policy is successfully downloaded to an AP.
Syntax: For accesspoint Node %s The policy [%s] from [%s] was successfully downloaded at time[%s]
Alarm Parameters
  Node: The device ID of the remote AP
  policy: The policy name
  from: The device ID of the source of the policy
  time: The time at which the policy was consumed
Alarm Severity
  Severity: Critical
Description: This alarm is generated when a policy is successfully downloaded to an AP.
Usage: Informational log.
Examples: For accesspoint Node AP_00-0A-F5-00-01-77 The policy [security.xml] from [TrustedManager] was successfully downloaded at time[Thu Jan 6 04:27:45 2000 ]
See Also: <Policy Download Failed>

Policy: Policy Download Failed
Alarm generated when a policy download to an AP fails.
Syntax: For accesspoint Node %s the policy [%s] from [%s] could not be downloaded due to error %d at time[%s]
Alarm Parameters
  Node: The device ID of the remote AP
  policy: The policy name
  from: The device ID of the source of the policy
  error: The failure error code
  time: The time at which the policy was consumed
Alarm Severity
  Severity: Critical
Description: This alarm is sent when a policy downloaded to an AP could not be consumed correctly, either due to an error in the policy, a software version mismatch, or some other error.
Usage: Informational log.
Examples: For accesspoint Node AP_00-0A-F5-00-01-7D The policy [defaultpolicy.xml] from [TrustedManager] could not be downloaded due to error 22549 at time[Wed Feb 11 17:28:38 2004 ]
See Also: <Policy Download Successful>

Software Download: Image Download Succeeded
Alarm generated when an image is successfully downloaded and applied to an AP.
Syntax: For accesspoint Node %s the software image [%s] from [%s] was successfully downloaded at time[%s]
Alarm Parameters
  Node: The device ID of the remote AP
  image: The image version information
  from: The device ID of the source of the image
  time: The time at which the image was consumed
Alarm Severity
  Severity: Critical
Description: This alarm is generated when an image is successfully downloaded and applied to an AP.
Usage: Informational log.
Examples: For accesspoint Node AP_00-0A-F5-00-01-77 The software image [1.1.0, build 3278, AGN1dev, Airgo Inc., ] from [AP_00-0A-F5-00-01-77 ] was successfully downloaded at time[Fri Jan 7 06:04:47 2000 ]
See Also: <Image Download Failed, Software Distribution Succeeded>

Software Download: Image Download Failed
Alarm generated when an image fails to download and apply to an AP.
Syntax: For accesspoint Node %s The software image [%s] from [%s] could not be downloaded due to error %d at time[%s]
Alarm Parameters
  Node: The device ID of the remote AP
  image: The image version
  from: The device ID of the source of the image
  error: The failure error code
  time: The time at which the error occurred
Alarm Severity
  Severity: Critical
Description: This alarm is generated when an image fails to download and apply to an AP.
Usage: Image download failures can happen due to corrupted images, invalid length images, or connectivity failures.
Examples: For accesspoint Node AP_00-0A-F5-00-01-77 The software image [] from [AP_00-0A-F5-00-01-77 ] could not be downloaded due to error 24581 at time[Fri Jan 7 04:12:35 2000 ]
See Also: <Image Download Succeeded, Software Distribution Succeeded>

Software Download: Software Distribution Succeeded
Alarm generated when an image distribution is completed.
Syntax: On DeviceId %s, the Software image [%s] distribution request from portal[%s] using the Distribution TaskId=%s and with status=%s completed at time[%s]
Alarm Parameters
  DeviceId: The device ID of the remote AP
  image: The image version
  portal: The device ID of the source of the image (NMS or NMPortal)
  TaskId: The task ID of the distribution
  status: The distribution status (success or failure) of the selected APs
  time: The time at which the distribution was done
Alarm Severity
  Severity: Critical
Description: This alarm is generated when an image distribution is completed. Image distribution is
Usage: Informational log.
Examples: On DeviceId AP_00-0A-F5-00-01-77 , the Software image [0.7.0, build A.2286, AGN1dev, Airgo Inc., ] distribution request from portal[AP_00-0A-F5-00-01-77 ] using the Distribution TaskId=000000 and with status=172.16.12.4, , 0, 947304168, 947304183, invalid image file. completed at time[Tue Jan 6 21:32:18 1970 ]
See Also: <Image Download Failed, Image Download Succeeded>

Wireless: Radio enabled (BSS Enabled)
Notification which indicates that the AP radio has been enabled.
Syntax: "Device ID %s radio %d is enabled, its operational state is %d operating on %d"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  Radio: Identifies Radio by interface ID on the Access Point
  Operational Mode: This indicates the operational mode of the radio, whether it is 802.11a, 802.11b or 802.11g
  Channel ID: This indicates the channel on which the AP is operating.
Alarm Severity
  Severity: Critical
Description: Notification which is generated when an AP radio (BSS) is enabled.
Usage: This indicates successful start of a BSS and also provides the channel on which the AP radio will be operating.
Examples: Device ID AP_00-0A-F5-00-01-B6 radio 4 is enabled, its operational mode is 1 and operating on 64
See Also:

Wireless: Radio Disabled (BSS disabled)
Notification which indicates that the AP radio has been disabled.
Syntax: "Device Id %s radio %d disabled"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  Radio: Identifies Radio by interface ID on the Access Point
Alarm Severity
  Severity: Critical
Description: Notification which indicates that the AP has been disabled.
Usage: The AP radio can be disabled for several reasons such as:
  a. User Triggered (administrative disabling)
  b. Radio reset caused by application of wireless-specific configuration
  c. Radio reset triggered by hardware
  d. Radio reset due to change in SSID
Examples: Device Id AP_00-0A-F5-00-01-B6 radio 4 disabled
See Also: <List of other alarms>

Wireless: BSS Enabling Failed
Notification which indicates that the AP radio (BSS) enabling failed.
Syntax: "Bss enabling failed for DeviceId %s radio %d CauseCode %d"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  Radio: Identifies Radio by interface ID on the Access Point
  Cause Code: Reason for AP radio enabling failure
Alarm Severity
  Severity: Critical
Description: Notification which indicates that AP radio enabling has failed.
Usage: The AP radio enabling can fail for reasons which are indicated by the Cause Code parameter:
  0 - Unspecified reason
  1 - System timeout attempting to enable BSS.
Examples: Bss enabling failed for Device Id AP_00-0A-F5-00-01-B6 radio 4 Cause Code 1
See Also: <List of other alarms>

Wireless: Frequency Changed
Notification which indicates that the frequency of operation changed on the AP.
Syntax: "Frequency changed for DeviceId %s radio %d channelId %d CauseCode %d"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  Radio: Identifies Radio by interface ID on the Access Point
  Channel ID: This indicates the channel on which the AP is operating.
  Cause Code: Reason why frequency changed
Alarm Severity
  Severity: Critical
Description: This is a notification generated when the operating frequency is changed for an AP radio due to either user triggers or events such as periodic DFS. The reason code can have a value of 0, which is unspecified reason. The new channel ID is also provided.
  Reason Code  Description
  0  Triggered due to DFS
  1  User Triggered
Usage: This is an informational log.
Examples: Frequency Changed for Device ID AP_00-0A-F5-00-01-B6 radio 4  channelId 64 CauseCode 0
See Also:

Wireless: STA Association Failed
Notification which indicates that the association failed for an 802.11 station.
Syntax: "Station association failed for DeviceId %s radio %d station MAC %s station status %d CauseCode"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  Radio: Identifies Radio by interface ID on the Access Point
  STA MAC Address: MAC address of 802.11 station.
  STA status: Association or reassociation
  Cause Code: Reason why station association failed
Alarm Severity
  Severity: Critical
Description: This is a notification generated when an association from an 802.11 station fails with the AP radio. The reasons for the failure are encapsulated in the cause code parameter and are as follows:
  1 - Invalid parameters received from station in association request
  2 - Only stations are allowed to associate with this AP based on current configuration
  3 - Only backhauls can be formed with this AP based on current configuration
  4 - Max backhaul limit is reached based on the 'Max Trunks' configuration for AP Admission Criteria
  5 - Max station limit is reached based on the 'Max Stations' configuration for SSID
  6 - SSID received in association request does not match SSID in AP configuration. This can occur more often when the AP is not broadcasting the SSID in its beacon (either due to the SSID being suppressed or multiple SSIDs being configured) and the station is associating with the AP with a different SSID.
  7 - Authentication and encryption requested by station does not match security policy of the AP
  8 - Multi Vendor Stations are not allowed to associate based on AP Admission Criteria
  9 - 802.11b stations are not allowed to associate based on AP Admission Criteria
  10 - Station is not allowed to associate and transferred to another AP Radio due to Load Balancing
  11 - Station is not allowed to associate because node does not have network connectivity
Usage: The reason for the association failure can be used to determine any configuration issue in the system which may be causing the association failures.
Examples: Station association failed for Device ID AP_00-0A-F5-00-01-B6 radio 4  station MAC 00:0a:f5:00:3a:fe CauseCode 2
See Also:

Wireless: STA Associated
Notification which indicates that the association and authentication was successful for an 802.11 station.
Syntax: "Station associated for DeviceId %s radio %d station MAC %s, Station status %d userId %s station count %d"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  Radio: Identifies Radio by interface ID on the Access Point
  STA MAC Address: MAC address of 802.11 station.
  STA status: Association or reassociation
  User ID: Identifies user by user name or MAC address
  Station Count: Current count of associated users with AP.
Alarm Severity
  Severity: Critical
Description: This is a notification generated when an association and authentication from an 802.11 station succeeds with the AP radio. In addition, the count of currently associated stations, the type of association and the user ID are provided. User ID is the user name if RADIUS authentication is used and the MAC address otherwise.
Usage: Informational log.
Examples: Station associated for Device ID AP_00-0A-F5-00-01-B6 radio 4  station MAC 00:0a:f5:00:3a:fe, Station status 1 userId John Doe station count 10
See Also:

Wireless: STA Disassociated
Notification which indicates that an 802.11 station disassociated.
Syntax: "Station disassociated from AP for DeviceId %s radio %d station MAC %s CauseCode %d"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  Radio: Identifies Radio by interface ID on the Access Point
  STA MAC Address: MAC address of 802.11 station.
  Cause Code: Reason Code for disassociation
Alarm Severity
  Severity: Critical
Description: This is a notification generated when an 802.11 station is disassociated either by the network or the station.
  Reason Code  Description
  0  STA initiated disassociation
  1  Station has handed off to another AP
  2  Disassociation triggered due to authentication failure after ULAP timeout
  3  Disassociation triggered due to user action.
Usage: Informational log.
Examples: Station disassociated for Device ID AP_00-0A-F5-00-01-B6 radio 4  station MAC 00:0a:f5:00:3a:fe, CauseCode 0
See Also:

Wireless: WDS Failed
Notification which indicates a failure in formation of a wireless backhaul.
Syntax: "WDS trunk brought down for DeviceId %s radio %d remote MAC %s CauseCode %d"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  Radio: Identifies Radio by interface ID on the Access Point
  Remote MAC Address: MAC address of remote end of backhaul link
  Cause Code: Reason Code for WDS formation failure
Alarm Severity
  Severity: Critical
Description: This is a notification generated when a wireless backhaul formation fails. The remote end’s MAC address is provided. This notification is generated by the AP node.
  Reason Code  Description
  0  System Failure
  1  Maximum BP count has been reached (this is relevant only for AP)
  2  Join attempt to the uplink AP failed (relevant only on BP side)
Usage: This can be used to track any losses in connectivity of the network.
Examples: WDS trunk brought down for Device ID AP_00-0A-F5-00-01-B6 radio 4  remote MAC 00:0a:f5:00:3a:fb, CauseCode 0
See Also:

Wireless: WDS Up
Notification which indicates successful formation of a wireless backhaul.
Syntax: "WDS trunk established for DeviceId %s radio %d remote mac %s TrunkPort count %d CauseCode %d"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  Radio: Identifies Radio by interface ID on the Access Point
  Remote MAC Address: MAC address of remote end of backhaul link
  Backhaul Count: Number of backhauls which are formed to this AP radio
  Cause Code: Indicates whether backhaul was a retrunk or not
Alarm Severity
  Severity: Critical
Description: This is a notification generated when a wireless backhaul formation succeeds. The remote end’s MAC address is provided.
  Reason Code  Description
  0  Trunk has been established
  1  Trunk has been optimized (re-established based on better connectivity)
Usage: Informational log
Examples: WDS trunk established for Device ID AP_00-0A-F5-00-01-B6 radio 4  remote MAC 00:0a:f5:00:3a:fb TrunkPort count 2 CauseCode 0
See Also:

Wireless: WDS Down
Notification which indicates that a wireless backhaul link has gone down.
Syntax: "WDS trunk brought down for DeviceId %s radio %d remote MAC %s CauseCode %d"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  Radio: Identifies Radio by interface ID on the Access Point
  Remote MAC Address: MAC address of remote end of backhaul link
  Cause Code: Indicates why backhaul link was brought down
Alarm Severity
  Severity: Critical
Description: This is a notification generated when a wireless backhaul has gone down. The remote end’s MAC address is provided.
  Reason Code  Description
  0  System Reason (unspecified)
  1  Loss of Link (applies to BP side only)
  2  Trunk brought down by uplink AP (applies to BP side only)
  3  User retrunk issued (this can occur due to new backhaul configuration being applied on BP)
  4  Trunk has reformed with another AP (AP side only)
  5  Trunk brought down by BP (applies to AP side only)
Usage: Informational log
Examples: WDS trunk brought down for Device ID AP_00-0A-F5-00-01-B6 radio 4  remote MAC 00:0a:f5:00:3a:fb CauseCode 0
See Also:

Security: Guest Authentication Succeeded
Notification which indicates that a “Guest Access” Station has been successfully authenticated.
Syntax: "For device-id %s , Guest authentication succeeded for STA %s on radio %d with SSID %s using captive portal %s and guest mode %d"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  Station: MAC address of the Guest Station.
  Radio: Identifies Radio by interface ID on the Access Point
  SSID: Identifies the SSID on this AP that the Guest has associated with.
  Captive Portal: Identifies the “Landing Page” that has accomplished authentication of the Guest STA. This is either simply the Internal “Landing Page”, or a URL identifying the “External Landing Page” which performed the authentication.
  Guest Mode: Currently, always set to 4.
Alarm Severity
  Severity: Normal
Description: Notification which is generated when a “Guest Station” is authenticated.
Usage: This indicates the successful start of a “Guest Access” Station’s communications session. This Guest STA will be offered the communications services specified in the Guest Profile that has been configured for the specified SSID.
Examples: For device-id AP_00-0A-F5-00-01-89 , Guest authentication succeeded for STA 00:0a:f5:00:05:f0 on radio 0 with SSID NewYorkRoom using captive portal Internal and guest mode 4
See Also: Security: Guest Authentication Failed

Security: Guest Authentication Failed
Notification which indicates that a “Guest Access” Station has failed authentication.
Syntax: "For device id %s, Guest authentication failed for STA %s on radio %d with SSID %s using captive portal %s and guest mode %d due to %d"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  Station: MAC address of the Guest Station.
  Radio: Identifies Radio by interface ID on the Access Point
  SSID: Identifies the SSID on this AP that the Guest has associated with.
  Captive Portal: Identifies the “Landing Page” that has accomplished authentication of the Guest STA. This is either simply the Internal “Landing Page”, or a URL identifying the “External Landing Page” which performed the authentication.
  Guest Mode: Currently, always set to 4.
  Reason code: Currently, always set to 0.
Alarm Severity
  Severity: Critical
Description: Notification which is generated when a “Guest Station” fails authentication.
Usage: This indicates that a Guest Station did not present the appropriate “credentials” (currently simple password) upon request.
Examples: For device-id AP_00-0A-F5-00-01-89 , Guest authentication failed for STA 00:0a:f5:00:05:f0 on radio 0 with SSID NewYorkRoom using captive portal Internal and guest mode 4 due to 0
See Also: Security: Guest Authentication Succeeded

Security: User rejected by RADIUS Server
Notification which indicates that the AP has determined that a User has been rejected by RADIUS.
Syntax: "For device-id %s, the RADIUS SERVER %s:%d from auth zone %s rejected the STA %s on radio %d with user-id %s and SSID %s"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  RADIUS server: The IP address of the RADIUS server.
  Port: The port used to communicate with the RADIUS server.
  Auth Zone: The name of the Auth Zone on this AP that this RADIUS server is a member of
  Station: MAC address of the Station
  Radio: Identifies Radio by interface ID on the Access Point
  User ID: The Username
  SSID: Identifies the SSID on this AP that the STA has associated with
Alarm Severity
  Severity: Critical
Description: This notification is generated when a User authentication fails. The context of the AP radio and the RADIUS server which rejected the User are also provided.
Usage: This indicates that the AP has determined that RADIUS has rejected a user authentication attempt.
Examples: For device-id AP_00-0A-F5-00-01-89 , the RADIUS server 192.168.75.230:1812 from auth zone BldgOne rejected rejected the STA 00:0a:f5:00:05:cc on radio 0 with user-id paul and SSID NewYorkRm
See Also:

Security: BP rejected by RADIUS Server
Notification which indicates that the AP has determined that a RADIUS server has rejected this BP’s authentication attempt.
Syntax: "For device-id %s, the RADIUS SERVER %s:%d from auth zone %s rejected the node %s on radio %d with device-id %s and SSID %s"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  RADIUS server: The IP address of the RADIUS server.
  Port: The port used to communicate with the RADIUS server.
  Auth Zone: The name of the Auth Zone on this AP that this RADIUS server is a member of
  Node: MAC address of the BP node
  Radio: Identifies Radio by interface ID on the Access Point
  Device ID: The Device ID of the BP node
  SSID: Identifies the SSID on this AP that the STA has associated with
Alarm Severity
  Severity: Critical
Description: This notification is generated when a Bridge Portal (radio) authentication fails. The context of the BP radio and the RADIUS server which rejected the BP radio are also provided. A BP attempts authentication when a wireless backhaul is being established.
Usage: This indicates that a security portal has rejected a BP’s authentication attempt with this AP. Usually it means that the BP is not enrolled in the same network as the AP. It may also mean that the BP was just enrolled, and the enrollment database has not yet been synced across the network to all security portals.
Examples: For device-id AP_00-0A-F5-00-01-89 , the RADIUS server 192.168.75.230:1812 from auth zone BldgOne rejected the node 00:0a:f5:00:06:22 on radio 0 with device-id AP_00-0A-F5-00-01-89 and SSID NewYorkRm
See Also:

Security: RADIUS Server timeout
Notification which indicates that the AP has determined that a RADIUS server has failed to respond within the RADIUS timeout.
Syntax: "For device-id %s, the RADIUS server %s:%d from auth zone %s failed to respond within %d seconds and %d attempts while authenticating STA %s on radio %d with user-id %s and SSID %s"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  RADIUS server: The IP address of the RADIUS server.
  Port: The port used to communicate with the RADIUS server.
  Auth Zone: The name of the Auth Zone on this AP that this RADIUS server is a member of
  RADIUS timeout: The current setting of the RADIUS timeout.
  RADIUS retries: The number of retries performed
  Station: MAC address of the Station.
  Radio: Identifies Radio by interface ID on the Access Point
  User: Supplicant User ID established during EAPOL authentication exchange
  SSID: Identifies the SSID on this AP that the STA has associated with
Alarm Severity
  Severity: Critical
Description: This notification is generated when the RADIUS server fails to respond within a certain timeout period.
Usage: This indicates that the AP has determined that a RADIUS server has failed to respond within the RADIUS timeout. This may mean that the RADIUS server is unreachable over the network, or that the shared secret with the RADIUS server is misconfigured on the AP. Usually, RADIUS servers do not respond when clients attempt to communicate with bad shared secrets. If multiple RADIUS servers are configured in this auth zone, the AP will switch to using the next one in the list.
Examples: For device-id AP_00-0A-F5-00-01-89 , the RADIUS server 192.168.75.230:1812 from auth zone BldgOne failed to respond within 5 seconds and 3 attempts while authenticating STA 00:0a:f5:00:05:f0 on radio 0 with user-id paul and SSID NewYorkRm
See Also:

Security: Management User login success
Notification which indicates that the AP has determined that a Management user login has succeeded.
Syntax: "For device-id %s, the management user '%s' with privilege level %d logged in succesfully via %d"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  Management User: Username of management User.
  Privilege Level: The privilege level of the management user (Ignore in this release.)
  Login access: Identifies the type of access, console, or SSH. (Ignore in this release.)
Alarm Severity
  Severity: Critical
Description: This notification is generated whenever a management User tries to log in to the local AP.
Usage: This indicates that the AP has determined that a Management user login has
succeeded.
Examples: For device-id AP_00-0A-F5-00-01-89 , the management user 'admin' with privilege level 1 logged in succesfully via 1
See Also:

Security: Management User login failure
Notification which indicates that the AP has determined that a Management user login has failed.
Syntax: "For device-id %s, the management user '%s' failed to login successfully via %d"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  Management User: Username of management User.
  Login access: Identifies the type of access, console, or SSH. (Ignore in this release.)
Alarm Severity
  Severity: Critical
Description: This notification is generated when a management User login attempt is unsuccessful.
Usage: This indicates that the AP has determined that a Management user login has failed. Too many failed logins in succession might indicate that someone is trying to break into your AP.
Examples: For device-id AP_00-0A-F5-00-01-89 , the management user 'admin' failed to login successfully via 1
See Also:

Security: STA failed EAPOL MIC check
Notification which indicates that the AP has determined that a STA has failed a MIC check during the EAPOL authentication exchange.
Syntax: "For device-id %s, the STA %s[%d] on radio %d with user-id %s and SSID %s failed an EAPOL-MIC check with auth-type %d during key exchange %d. (If using WPA-PSK, check the PSK on the STA.)"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  Station: MAC address of the Station.
  bpIndicator: Identifies if the supplicant is a BP (1), or a STA (0).
  Radio: Identifies Radio by interface ID on the Access Point
  User: Supplicant User ID established during EAPOL authentication exchange
  SSID: Identifies the SSID on this AP that the STA has associated with
  Authentication Type: The valid types include: WPA PSK (3), WPA EAP (4)
  Key Exchange: 0 for pairwise key exchange, and 1 for group key exchange.
Alarm Severity
  Severity: Critical
Description: This notification is generated when the MIC fails during the EAPOL key exchange process.
Usage: This indicates that the AP has determined that a STA has failed a MIC check during the EAPOL authentication exchange. If the authentication type is WPA PSK, and the failure happened during the pairwise key exchange, then this is most likely due to a misconfiguration of the WPA pre-shared key on the station. Otherwise, it might mean that an attacker’s station is attempting to masquerade as a legal station.
Examples: For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:f0 [0] on radio 0 with user paul and SSID NewYorkRm failed an EAPOL-MIC check with auth-type 4 during key exchange 2. (If using WPA-PSK, check the PSK on the STA.)
See Also:

Security: STA attempting WPA PSK – no Pre-shared Key is set for SSID
Notification which indicates that the AP has determined that a STA is attempting WPA-PSK authentication, but no Pre-shared Key has been configured for the SSID.
Syntax: "For device-id %s, the STA %s on radio %d attempted to do WPA-PSK based auth on the SSID %s but no pre-shared key is set."
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  Station: MAC address of the Station.
  Radio: Identifies Radio by interface ID on the Access Point
  SSID: Identifies the SSID on this AP that the STA has associated with
Alarm Severity
  Severity: Critical
Description: This notification is sent when a Station attempts to do a WPA-PSK based
authentication on a given SSID, but no WPA pre-shared key is set up for that SSID.
Usage: This indicates that the AP has determined that a STA is attempting to perform WPA-PSK authentication, but no WPA Pre-shared Key has been configured on this AP for that SSID. Recall that WPA PSKs are configured per SSID.
Examples: For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:f0 on radio 0 attempted to do WPA-PSK based auth on the SSID NewYorkRm but no pre-shared key is set.
See Also:

Security: Auth Server Improperly configured on this SSID
Notification which indicates that the AP has determined that a STA requires authentication servers, and these are not configured properly on this SSID.
Syntax: "For device-id %s, Auth servers are improperly configured for the SSID %s and are needed for authenticating STA %s on radio %d with RADIUS usage %d"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  SSID: Identifies the SSID on this AP that the STA has associated with
  Station: MAC address of the Station.
  Radio: Identifies Radio by interface ID on the Access Point
  RADIUS Usage: A code indicating what the RADIUS server was required for: Legacy 802.1x for dynamic WEP (1), WPA EAP authentication (2), MAC address based ACL lookup (3).
Alarm Severity
  Severity: Critical
Description: This notification is sent when authentication servers are improperly configured for a given SSID.
Usage: This indicates that the AP has determined that a STA requires authentication servers to be configured, and there are none configured on this SSID. Generally, authentication servers are needed for EAP based authentication, or for MAC address based ACL lookups.
Examples: For device-id AP_00-0A-F5-00-01-89 , Auth servers are improperly configured for the SSID NewYorkRm and are needed for authenticating STA 00:0a:f5:00:05:f0 on radio 0 with RADIUS 2
See Also:
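
Added example (not from the Airgo manual or firmware): a Python parser for the Management User login and EAPOL-MIC alarm strings above that flags runs of failed management logins and applies the manual's Usage guidance to MIC failures. The three-failure threshold, the finding names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns follow the Syntax strings in this appendix. The manual's examples
# deviate slightly (space before the comma, "user" for "user-id", a space
# before "[0]", "succesfully"), so the patterns accept both forms.
DEV = r"For device-id (?P<device>\S+)\s*,\s*"
LOGIN_FAIL = re.compile(
    DEV + r"the management user '(?P<user>[^']*)' failed to login "
    r"succes+fully via (?P<via>\d+)")
LOGIN_OK = re.compile(
    DEV + r"the management user '(?P<user>[^']*)' with privilege level \d+ "
    r"logged in succes+fully via (?P<via>\d+)")
MIC_FAIL = re.compile(
    DEV + r"the STA (?P<sta>[0-9A-Fa-f:]{17})\s*\[(?P<bp>\d)\] on radio \d+ "
    r"with user(?:-id)? (?P<user>.+?) and SSID (?P<ssid>\S+) failed an "
    r"EAPOL-MIC check with auth-type (?P<auth>\d+) "
    r"during key exchange (?P<kex>\d+)")

WPA_PSK = 3    # Authentication Type code from the alarm parameter table
PAIRWISE = 0   # Key Exchange code for the pairwise key exchange


def triage_mic(auth_type, key_exchange):
    """Apply the manual's Usage guidance to one EAPOL-MIC failure."""
    if auth_type == WPA_PSK and key_exchange == PAIRWISE:
        return "check-psk"            # most likely a misconfigured PSK
    return "possible-masquerade"      # the manual's other explanation


def analyze(lines, max_failures=3):
    """Return findings as (kind, device, subject, detail) tuples.

    max_failures is an assumed threshold; the manual only says
    "too many failed logins in succession".
    """
    findings = []
    streak = defaultdict(int)         # (device, user) -> consecutive failures
    for line in lines:
        m = LOGIN_FAIL.search(line)
        if m:
            key = (m["device"], m["user"])
            streak[key] += 1
            if streak[key] == max_failures:       # report once per streak
                findings.append(("login-burst", *key, streak[key]))
            continue
        m = LOGIN_OK.search(line)
        if m:
            key = (m["device"], m["user"])
            if streak[key] >= max_failures:       # success right after a burst
                findings.append(("login-after-burst", *key, streak[key]))
            streak[key] = 0
            continue
        m = MIC_FAIL.search(line)
        if m:
            verdict = triage_mic(int(m["auth"]), int(m["kex"]))
            findings.append(("mic-failure", m["device"], m["sta"], verdict))
    return findings


# Constructed sample input, modelled on the Examples in this appendix.
AP = "AP_00-0A-F5-00-01-89"
MIC_TAIL = " (If using WPA-PSK, check the PSK on the STA.)"
SAMPLE = [
    f"For device-id {AP} , the management user 'admin' failed to login successfully via 1",
    f"For device-id {AP} , the management user 'admin' failed to login successfully via 1",
    f"For device-id {AP} , the management user 'admin' failed to login successfully via 1",
    f"For device-id {AP} , the management user 'admin' with privilege level 1 logged in succesfully via 1",
    f"For device-id {AP}, the STA 00:0a:f5:00:05:f0[0] on radio 0 with user-id paul and SSID NewYorkRm "
    "failed an EAPOL-MIC check with auth-type 3 during key exchange 0." + MIC_TAIL,
    f"For device-id {AP} , the STA 00:0a:f5:00:05:f0 [0] on radio 0 with user paul and SSID NewYorkRm "
    "failed an EAPOL-MIC check with auth-type 4 during key exchange 2." + MIC_TAIL,
    "Device Id AP_00-0A-F5-00-01-B6 radio 4 disabled",   # unrelated alarm, ignored
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

The alarm strings carry no timestamp, so the streak is counted per device and user and reset by a successful login; a collector that adds timestamps can bound the streak by time as well.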

Security: STA failed to send EAPOL-Start
Notification which indicates that the STA has failed to send an EAPOL-Start even though it was expected to for EAP based authentication.
Syntax: "For device-id %s, the STA %s on radio %d and SSID %s failed to send an EAPOL-Start in order to begin auth of type %d"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  Station: MAC address of the Station.
  Radio: Identifies Radio by interface ID on the Access Point
  SSID: Identifies the SSID on this AP that the STA has associated with
  Authentication Type: The valid types include: LEGACY 802.1x (2), WPA EAP (4)
Alarm Severity
  Severity: Critical
Description: This notification is sent during authentication, when the Station fails to send an EAPOL-Start in order to begin the authentication using WPA-EAP or legacy 802.1X protocols.
Usage: This indicates that the AP has determined that a STA has failed to send an EAPOL-Start. This might indicate a misconfiguration on the STA. The AP expects the STA to send an EAPOL-Start if the authentication type is deemed to be EAP based. This can happen when WPA EAP authentication is negotiated, or when WEP is enabled on the AP and no manual WEP keys are configured.
Examples: For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:f0 on radio 0 and SSID NewYorkRm failed to send an EAPOL-Start in order to begin auth of type 4
See Also:

Security: RADIUS sent a bad response
Notification which indicates that the AP has determined that a RADIUS server has sent a bad response.
Syntax: "For device-id %s, the RADIUS server %s:%d sent back a bad response due to %d"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  RADIUS server: The IP address of the RADIUS server.
  Port: The port used to communicate with the RADIUS server.
  Response: The reason codes for the bad response: BAD SIGNATURE BASED ON SHARED SECRET (0), UNEXPECTED RESPONSE TYPE WHEN DOING EAP AUTH (1), UNEXPECTED RESPONSE TYPE WHEN DOING MAC-ACL LOOKUP (2), LEGAL MS-MPPE KEYS NOT PRESENT (3), BAD ENCODING FOR USER GROUP ATTRIBUTE (5)
Alarm Severity
  Severity: Critical
Description: This notification is sent during authentication, when the RADIUS server sends a bad response. The aniNotifCauseCode identifies the reason associated with this bad response.
Usage: This indicates that the AP has determined that a RADIUS server has sent a bad or unexpected response. The response could be bad because the cryptographic signature check might have failed or because an attribute might be missing or badly encoded.
Examples: For device-id AP_00-0A-F5-00-01-89 , the RADIUS server 192.168.75.230:1812 sent back a bad response due to 7
See Also:

Security: RADIUS timeout too short
Notification which indicates that the AP has determined that a RADIUS server has sent a late response. This indicates that the AP’s RADIUS timeout might need to be increased.
Syntax: "For device-id %s, the RADIUS server %s:%d sent a late response - you might need to increase your RADIUS timeout of %d seconds"
Alarm Parameters
  DeviceId: The Device ID of the Airgo AP
  RADIUS server: The IP address of the RADIUS server.
  Port: The port used to communicate with the RADIUS server.
  RADIUS timeout: The current setting of the RADIUS timeout.
Alarm Severity
  Severity: Critical
Description: This notification is generated when the AP receives a late response from the
C Alarms258 Installation and Configuration Guide: Airgo Access PointRADIUS server, as opposed to not receiving any response at all. The AP may have attempted multiple retries or may even have switched to another RADIUS server by this time. This indicates that due to higher latencies in the network, it might be better to increase the timeout associated with the authentication server.Usage:  This indicates that the AP has determined that a RADIUS server has sent a late response. Examples: For device-id AP_00-0A-F5-00-01-89 , the RADIUS server 192.168.75.230:1812 sent a late response - you might need to increase your RADIUS timeout of 4 seconds  See Also: Security: STA authentication did not complete in timeNotification which indicates that the AP has determined that a station has failed to complete the proper sequence of authentication exchanges in a timely manner. Syntax:  "For device-id %s, the STA %s[%d] on radio %d with user %s and SSID %s did not complete its auth sequence in time with auth-type %d and enc-type %d due to reason code %d" Description:  This notification is generated when the station authentication sequence did not complete in time.Alarm Parameters DeviceId The Device ID of the Airgo AP AP The MAC address of the upstream AP. Station MAC address of the Station. bpIndicator Identifies if the supplicant is a BP (1), or a STA (0). Radio Identifies Radio by interface ID on the Access Point User Supplicant User ID, if exchanged the during EAPOL authentication SSID Identifies the SSID on this AP that the STA has associated with Authentication Type The valid types include: LEGACY 802.1x (2), WPA PSK (3), WPA EAP (4) Encryption Type The valid types include:  WEP-64 (1), WEP-128 (2), TKIP (5), AES (6) Reason Code The reason for the failure: EAP-REQUEST NOT RECEIVED FROM AUTHENTICATION SERVER (2)Alarm SeveritySeverity Critical
Usage: This indicates that the AP has determined that the station authentication sequence did not complete in time.

Examples: For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:f0 [0] on radio 0 with user paul and SSID NewYorkRm did not complete its auth sequence in time with auth-type 4 and enc-type 6 due to reason code 6

See Also: EAP User-ID timeout, EAP Response Timeout

Security: Upstream AP is using an untrusted auth server

Notification which indicates that the local BP has determined that the upstream AP is using an un-trusted auth server.

Syntax: "For device-id %s, the upstream AP %s with SSID %s authenticating via local BP radio %d is using an untrusted auth server %s with certificate SHA-1 thumbprint %s : IT MIGHT BE A ROGUE AP"

Alarm Parameters
DeviceId: The Device ID of the Airgo AP
AP: The MAC address of the upstream AP.
SSID: Identifies the SSID on this AP that the STA has associated with.
Radio: Identifies Radio by interface ID on the Access Point
Node: The Device ID (X.509 Certificate CN) of the entity used by the upstream AP as an auth server
Thumbprint: The SHA-1 Thumbprint of the certificate for this purported portal

Alarm Severity
Severity: Critical

Description: This notification is generated when the local BP has determined that the upstream AP is using an un-trusted auth server.

Usage: This indicates that the local BP has determined that the upstream AP is using an un-trusted auth server. This may indicate that the upstream AP is a rogue AP. It is safe to say that the upstream AP and the downstream AP are not enrolled in the same network. If the downstream AP was previously enrolled elsewhere, then reset it and re-enroll it in the new network.

Examples: For device-id AP_00-0A-F5-00-01-89 , the upstream AP 00:0a:f5:00:06:22 with SSID NewYorkRm authenticating via local BP radio 0 is using an untrusted auth server 00:0a:f5:00:01:45 with certificate SHA-1 thumbprint 98:72:a8:6d:56:f8:92:a8:f3:97:ec:3f:fa:0b:66:4e : IT MIGHT BE A ROGUE AP

See Also:
Security: Upstream AP is using a non-portal node as its auth server

Notification which indicates that the local BP has determined that the upstream AP is using a non-portal node as an auth server.

Syntax: "For device-id %s, the upstream AP %s with SSID %s authenticating via local BP radio %d is using a non portal node %s with certificate SHA-1 thumbprint %s as its auth server: YOUR ENROLLMENT DATABASE MIGHT BE OUT OF SYNC."

Alarm Parameters
DeviceId: The Device ID of the Airgo AP
AP: The MAC address of the upstream AP.
SSID: Identifies the SSID on this AP that the STA has associated with.
Radio: Identifies Radio by interface ID on the Access Point
Node: The Device ID (X.509 Certificate CN) of the entity used by the upstream AP as an auth server
Thumbprint: The SHA-1 Thumbprint of the certificate for this purported portal

Alarm Severity
Severity: Critical

Description: This notification is generated when the local BP has determined that the upstream AP is using a node that is not a security portal as its auth server. This indicates that the BP knows about the other Airgo node, but does not believe it is authorized to be a Security Portal.

Usage: This indicates that the local BP has determined that the upstream AP is out-of-sync with respect to the identity of legitimate portal APs and the enrollment databases are out of sync on the downstream AP and the upstream AP.

Examples: For device-id AP_00-0A-F5-00-01-89 , the upstream AP 00:0a:f5:00:06:22 with SSID NewYorkRm authenticating via local BP radio 0 is using a non portal node 00:0a:f5:00:01:45 with certificate SHA-1 thumbprint 98:72:a8:6d:56:f8:92:a8:f3:97:ec:3f:fa:0b:66:4e as its auth server: YOUR ENROLLMENT DATABASE MIGHT BE OUT OF SYNC

See Also:

Security: Upstream AP failed MIC check during BP authentication

Notification which indicates that the local BP has determined that the upstream AP has failed a MIC check on a received frame.

Syntax: "For device-id %s, the upstream AP %s with SSID %s authenticating via local BP radio %d failed an EAPOL-MIC check with auth-type %d during key exchange %d"

Alarm Parameters
DeviceId: The Device ID of the Airgo AP
AP: The MAC address of the upstream AP.
SSID: Identifies the SSID on this AP that the STA has associated with.
Radio: Identifies Radio by interface ID on the Access Point
Authentication Type: The valid types include: RSN PSK (3), RSN EAP (4)
Key Exchange: Pairwise key exchange (0), group key exchange (1).

Alarm Severity
Severity: Critical

Description: This notification is generated when the MIC fails during EAPOL key exchange process via a BP radio.

Usage: This indicates that a frame with a MIC failure has been received during the EAPOL Key Exchange process.

Examples: For device-id AP_00-0A-F5-00-01-89 , the upstream AP 00:0a:f5:00:06:22 with SSID NewYorkRm authenticating via local BP radio 0 failed an EAPOL-MIC check with auth-type 4 during key exchange 3

Security: Premature EAP-Success received

Notification which indicates that the local BP has received an EAP-Success BEFORE authentication has completed.

Syntax: "For device-id %s, the upstream AP %s with SSID %s authenticating via local BP radio %d sent EAP-Sucess before authentication completed : IT MIGHT BE A ROGUE AP"

Alarm Parameters
DeviceId: The Device ID of the Airgo AP
AP: The MAC address of the upstream AP.
SSID: Identifies the SSID on this AP that the STA has associated with.
Radio: Identifies Radio by interface ID on the Access Point

Alarm Severity
Severity: Critical

Description: This notification is generated when an upstream AP sends an EAP success before authentication is completed. This may be a rogue AP trying to force an AP to join even before authentication is complete.

Usage: This indicates that the local BP has received an EAP-Success before authentication has even been completed.

Examples: For device-id AP_00-0A-F5-00-01-89 , the upstream AP 00:0a:f5:00:06:22 with SSID NewYorkRm authenticating via local BP radio 0 sent EAP-Sucess before authentication completed : IT MIGHT BE A ROGUE AP

See Also:

Security: Profile not configured for user-group

Notification which indicates that the AP has determined that a STA is a member of a group for which a corresponding service profile has NOT been configured in this SSID.

Syntax: "For device-id %s, the STA %s on radio %d with user %s is in group %s but SSID %s has no profile configured for that group"

Alarm Parameters
DeviceId: The Device ID of the Airgo AP
Station: MAC address of the Station.
Radio: Identifies Radio by interface ID on the Access Point
User: User ID
Group: Group tag for this user (determined from RADIUS configuration)
SSID: Identifies the SSID on this AP that the STA has associated with.

Alarm Severity
Severity: Critical

Description: This notification is generated during Station authentication when no service profile has been configured for a given Group.

Usage: This indicates that the AP has detected that a STA is authenticating which is a member of a group for which no service profile has yet been configured in this SSID.

Examples: For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:cc  on radio 0 with user paul is in group employee but SSID NewYorkRm has no profile configured for that group.

See Also:
Security: STA has failed security enforcement check

Notification which indicates that the AP has determined that a STA has failed the security enforcement checks for its service profile.

Syntax: "For device-id %s, the STA %s on radio %d with user %s and SSID %s of group %s failed the security enforcement check with auth-type %d and enc-type %d at enforcement level %d"

Alarm Parameters
DeviceId: The Device ID of the Airgo AP
Station: MAC address of the Station.
Radio: Identifies Radio by interface ID on the Access Point
User: Supplicant User ID
SSID: Identifies the SSID on this AP that the STA has associated with.
Group: Group tag for this user (determined from RADIUS configuration)
Authentication Type: The valid types include: NONE (0), SHARED KEY (1), LEGACY EAP (2), RSN PSK (3), RSN EAP (4)
Encryption Type: The valid types include: NONE (0), WEP-64 (1), WEP-128 (2), TKIP (5), AES (6)
Enforcement Level: The security enforcement level configured in the service profile: AES ONLY (1), TKIP OR AES (2), WEP ONLY (3), NO ENCRYPTION (4), DEFAULT ENFORCEMENT (5)

Alarm Severity
Severity: Critical

Description: This notification is generated if the STA fails the security enforcement checks for its service profile.

Usage: This indicates that the STA is attempting to use an encryption type that is not allowed in its service profile. The service profile is determined based on the SSID and user group of the STA. Note that the AP may advertize multiple encryption capabilities, but different STAs might be restricted to different subsets of encryption capabilities based on their service profiles.

Examples: For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:cc  on radio 0 with user paul and SSID NewYorkRm of group employee failed the security enforcement check with auth-type 4 and enc-type 5 at enforcement level 1

See Also:
Security: Guest Authentication Succeeded

Notification which indicates that a “Guest Access” Station has been successfully authenticated.

Syntax: "For device-id %s , Guest authentication succeeded for STA %s on radio %d with SSID %s using captive portal %s and guest mode %d"

Alarm Parameters
DeviceId: The Device ID of the Airgo AP
Station: MAC address of the Guest Station.
Radio: Identifies Radio by interface ID on the Access Point
SSID: Identifies the SSID on this AP that the Guest has associated with.
Captive Portal: Identifies the “Landing Page” that has accomplished authentication of the Guest STA. This is either simply the Internal “Landing Page”, or a URL identifying the “External Landing Page” which performed the authentication.
Guest Mode: Currently, always set to 4.

Alarm Severity
Severity: Critical

Description: Notification which is generated when a “Guest Station” is authenticated.

Usage: This indicates the successful start of a “Guest Access” Station's communications session. This Guest STA will be offered the communications services specified in the Guest Profile that has been configured for the specified SSID.

Examples: For device-id AP_00-0A-F5-00-01-89 , Guest authentication succeeded for STA 00:0a:f5:00:05:f0 on radio 0 with SSID NewYorkRoom using captive portal Internal and guest mode 4

See Also: Security: Guest Authentication Failed

Security: Guest Authentication Failed

Notification which indicates that a “Guest Access” Station has failed authentication.

Syntax: "For device id %s, Guest authentication failed for STA %s on radio %d with SSID %s using captive portal %s and guest mode %d due to %d"

Alarm Parameters
DeviceId: The Device ID of the Airgo AP
Station: MAC address of the Guest Station.
Radio: Identifies Radio by interface ID on the Access Point
SSID: Identifies the SSID on this AP that the Guest has associated with.
Captive Portal: Identifies the “Landing Page” that has accomplished authentication of the Guest STA. This is either simply the Internal “Landing Page”, or a URL identifying the “External Landing Page” which performed the authentication.
Guest Mode: Currently, always set to 4.
Reason code: Currently, always set to 0.

Alarm Severity
Severity: Critical

Description: Notification which is generated when a “Guest Station” fails authentication.

Usage: This indicates that a Guest Station did not present the appropriate “credentials” (currently simple password) upon request.

Examples: For device-id AP_00-0A-F5-00-01-89 , Guest authentication failed for STA 00:0a:f5:00:05:f0 on radio 0 with SSID NewYorkRoom using captive portal Internal and guest mode 4 due to 0

See Also: Security: Guest Authentication Succeeded

Security: AP Detected Bad TKIP MIC

Notification which indicates that the AP has detected a BAD TKIP MIC value in an incoming frame encrypted with the pairwise/unicast key.

Syntax: "For device-id %s, a bad TKIP MIC was detected on an incoming unicast packet from STA %s on radio %d"

Alarm Parameters
DeviceId: The Device ID of the Airgo AP
Station: MAC address of the Station.
Radio: Identifies Radio by interface ID on the Access Point

Alarm Severity
Severity: Critical

Description: This notification is generated when a bad TKIP MIC is detected on an incoming frame from a STA that is encrypted with the pairwise/unicast key.

Usage: This indicates that the AP has detected an invalid TKIP MIC value on an incoming frame. All packets received by the AP are always encrypted with the pairwise/unicast key.

Examples: For device-id AP_00-0A-F5-00-01-89 , a bad TKIP MIC was detected on an incoming unicast packet from STA 00:0a:f5:00:05:cc on radio 0

See Also:

Security: BP Detected Bad TKIP MIC on Incoming Unicast

Notification which indicates that the BP has detected a BAD TKIP MIC value in an incoming frame from the AP that is encrypted with the pairwise/unicast key.

Syntax: "For device-id %s, a bad TKIP MIC was detected by local BP radio %d on an incoming unicast packet from the AP %s"

Alarm Parameters
DeviceId: The Device ID of the Airgo AP
Radio: Identifies Radio by interface ID on the Access Point
AP MAC address: The MAC address of the source AP

Alarm Severity
Severity: Critical

Description: This notification is generated when a bad TKIP MIC is detected by a local BP radio, identified by aniApRadioIndex, on an incoming unicast packet from the AP, where the packet is encrypted with the pairwise/unicast key.

Usage: This indicates that the BP has detected an invalid TKIP MIC value on an incoming frame encrypted with the pairwise/unicast key.

Examples: For device-id AP_00-0A-F5-00-01-89 , a bad TKIP MIC was detected by local BP radio 0 on an incoming unicast packet from the AP 00:0a:f5:00:06:22

See Also: BP Detected Bad TKIP MIC on Incoming Multicast/Broadcast

Security: BP Detected Bad TKIP MIC on Incoming Multicast/Broadcast

Notification which indicates that the BP has detected a BAD TKIP MIC value in an incoming frame from the AP that is encrypted with the group/multicast/broadcast key.

Syntax: "For device-id %s, a bad TKIP MIC was detected by local BP radio %d on an incoming multicast/broadcast packet from the AP %s"

Alarm Parameters
DeviceId: The Device ID of the Airgo AP
Radio: Identifies Radio by interface ID on the Access Point
AP MAC address: The MAC address of the source AP

Alarm Severity
Severity: Critical

Description: This notification is generated when a bad TKIP MIC is detected by a local BP radio, identified by aniApRadioIndex, on an incoming multicast or broadcast packet from the AP where the packet is encrypted with the group/multicast/broadcast key.

Usage: This indicates that the BP has detected an invalid TKIP MIC value on a received multicast/broadcast frame.

Examples: For device-id AP_00-0A-F5-00-01-89 , a bad TKIP MIC was detected by local BP radio 0 on an incoming multicast/broadcast packet from the AP 00:0a:f5:00:06:22

See Also: BP Detected Bad TKIP MIC on Incoming Unicast

Security: STA Detected Bad TKIP MIC on Incoming Unicast

Notification which indicates that a STA associated with this AP has detected a BAD TKIP MIC value in a frame it received from the AP encrypted with the pairwise/unicast key.

Syntax: "For device-id %s, a bad TKIP MIC was detected by STA %s on radio %d on an incoming unicast packet from the AP"

Alarm Parameters
DeviceId: The Device ID of the Airgo AP
Station: MAC address of the Station.
Radio: Identifies Radio by interface ID on the Access Point

Alarm Severity
Severity: Critical

Description: This notification is generated when a bad TKIP MIC is detected by an STA associated with this AP on an incoming unicast packet from the AP, where the packet is encrypted with the pairwise/unicast key.

Usage: This indicates that the STA has detected an invalid TKIP MIC value on an incoming frame encrypted with the pairwise/unicast key.

Examples: For device-id AP_00-0A-F5-00-01-89 , a bad TKIP MIC was detected by STA 00:0a:f5:00:05:f0 on radio 0 on an incoming unicast packet from the AP
See Also: STA Detected Bad TKIP MIC on Incoming Multicast/Broadcast

Security: STA Detected Bad TKIP MIC on Incoming Multicast/Broadcast

Notification which indicates that a STA associated with this AP has detected a BAD TKIP MIC value in a multicast/broadcast frame it received from the AP.

Syntax: "For device-id %s, a bad TKIP MIC was detected by STA %s on radio %d on an incoming multicast/broadcast packet from the AP"

Alarm Parameters
DeviceId: The Device ID of the Airgo AP
Station: MAC address of the Station.
Radio: Identifies Radio by interface ID on the Access Point

Alarm Severity
Severity: Critical

Description: This notification is generated when a bad TKIP MIC is detected by an STA associated with a radio, identified by aniApRadioIndex, on an incoming multicast or broadcast packet from the AP where the packet is encrypted with the group/multicast/broadcast key.

Usage: This indicates that the STA has detected an invalid TKIP MIC value on a received multicast frame.

Examples: For device-id AP_00-0A-F5-00-01-89 , a bad TKIP MIC was detected by STA 00:0a:f5:00:05:f0 on radio 0 on an incoming multicast/broadcast packet from the AP

See Also: STA Detected Bad TKIP MIC on Incoming Unicast

Security: TKIP counter-measures lockout period started

Notification which indicates that the AP is taking active counter-measures against an attempted compromise of TKIP.

Syntax: "For device-id %s, the TKIP counter-measures lockout period has started for 60 seconds."

Alarm Parameters
DeviceId: The Device ID of the Airgo AP

Alarm Severity
Severity: Critical
Description: This notification is generated when a TKIP counter-measures lockout period of 60 seconds is started.

Usage: This indicates that the AP has determined that an attempt is underway to compromise the secure operation of TKIP. This happens if two MIC failures are detected within a 60 second interval. If this happens, the AP disassociates all STAs and prevents new STAs from associating for a period of 60 seconds.

Examples: For device-id AP_00-0A-F5-00-01-89 , the TKIP counter-measures lockout period has started for 60 seconds.

See Also:

Security: EAP User-ID timeout

Notification which indicates that the STA has failed to respond, in a timely manner, with its User-ID during the authentication exchange.

Syntax: "For device-id %s, the STA %s[%d] on radio %d and SSID %s did not send its user-id in time to complete its auth sequence with auth-type %d and enc-type %d."

Alarm Parameters
DeviceId: The Device ID of the Airgo AP
Station: MAC address of the Station.
bpIndicator: Identifies if the supplicant is a BP (1), or a STA (0).
Radio: Identifies Radio by interface ID on the Access Point
SSID: Identifies the SSID on this AP that the STA has associated with.
Authentication type: The valid types include: LEGACY 802.1x (2), WPA EAP (4)
Encryption Type: The valid types include: WEP-64 (1), WEP-128 (2), TKIP (5), AES (6)

Alarm Severity
Severity: Critical

Description: This notification is generated when an STA fails to send its user-id in time to complete its authentication sequence using the specified authentication type.

Usage: This indicates the failure of a STA to complete the EAP authentication exchange in a timely fashion. The two authentication modes that require the STA to send its user-id are WPA EAP and legacy 802.1x for dynamic WEP. This trap might indicate that a user prompt is not attended to on the client side.

Examples: For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:f0 [0] on radio 0 and SSID NewYorkRm did not send its user-id in time to complete its auth sequence with auth-type 4 and enc-type 6
See Also: EAP Response Timeout, STA Authentication Timeout

Security: EAP response timeout

Notification which indicates that the STA has failed to respond, in a timely manner, with an EAP response during the authentication exchange.

Syntax: "For device-id %s, the STA %s[%d] on radio %d with user %s and SSID %s did not send an EAP-Response in time to complete its auth sequence with auth-type %d and enc-type %d"

Alarm Parameters
DeviceId: The Device ID of the Airgo AP
Station: MAC address of the Station.
bpIndicator: Identifies if the supplicant is a BP (1), or a STA (0).
Radio: Identifies Radio by interface ID on the Access Point
User: Supplicant User ID established during EAPOL Authentication exchange
SSID: Identifies the SSID on this AP that the STA has associated with.
Authentication type: The valid types include: LEGACY 802.1x (2), WPA EAP (4)
Encryption Type: The valid types include: WEP-64 (1), WEP-128 (2), TKIP (5), AES (6)

Alarm Severity
Severity: Critical

Description: This notification is generated when an STA fails to send an EAP-Response in time to complete its authentication sequence using the specified authentication type and encryption. This is an EAP response other than the User-ID.

Usage: This indicates the failure of a STA to complete its EAP authentication exchange in a timely fashion. The two authentication modes that require the STA to send EAP responses are WPA EAP and legacy 802.1x for dynamic WEP. This trap might indicate that a user prompt is not attended to on the client side. It may also indicate that the client silently rejected an EAP request sent from the RADIUS server, perhaps because it did not trust the RADIUS server’s credentials.

Examples: For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:f0 [0] on radio 0 with user paul and SSID NewYorkRm did not send an EAP-Response in time to complete its auth sequence with auth-type 4 and enc-type 6

See Also: EAP User-ID Timeout, STA Authentication Timeout
Security: EAPOL Key exchange – message 2 timeout

Notification which indicates that the STA has failed to respond, in a timely manner, with EAPOL 4-way handshake message number 2.

Syntax: "For device-id %s, the STA %s[%d] on radio %d with user %s and SSID %s did not send the WPA EAPOL-Key Pairwise Messg #2 in time where auth-type %d and enc-type %d"

Alarm Parameters
DeviceId: The Device ID of the Airgo AP
Station: MAC address of the Station.
bpIndicator: Identifies if the supplicant is a BP (1), or a STA (0).
Radio: Identifies Radio by interface ID on the Access Point
User: User ID established during EAPOL Authentication exchange (if applicable)
SSID: Identifies the SSID on this AP that the STA has associated with.
Authentication type: The valid types include: WPA PSK (3), WPA EAP (4)
Encryption Type: The valid types include: TKIP (5), AES (6)

Alarm Severity
Severity: Critical

Description: This notification is generated when an STA fails to send the WPA EAPOL-Key Pairwise Message #2 in time to complete the pairwise key exchange.

Usage: This indicates the failure of a STA to complete the EAPOL 4-way key exchange in a timely fashion.

Examples: For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:f0 [0] on radio 0 with user paul and SSID NewYorkRm did not send the WPA EAPOL-Key Pairwise Messg #2 in time where auth-type 4 and enc-type 6

See Also:
Security: EAPOL Key exchange – message 4 timeout

Notification which indicates that the STA has failed to respond, in a timely manner, with EAPOL 4-way handshake message number 4.

Syntax: "For device-id %s, the STA %s[%d] on radio %d with user %s and SSID %s did not send the WPA EAPOL-Key Pairwise Messg #4 in time where auth-type %d and enc-type %d"

Alarm Parameters
DeviceId: The Device ID of the Airgo AP
Station: MAC address of the Station.
bpIndicator: Identifies if the supplicant is a BP (1), or a STA (0).
Radio: Identifies Radio by interface ID on the Access Point
User: User ID established during EAPOL Authentication exchange (if applicable)
SSID: Identifies the SSID on this AP that the STA has associated with.
Authentication type: The valid types include: WPA PSK (3), WPA EAP (4)
Encryption Type: The valid types include: TKIP (5), AES (6)

Alarm Severity
Severity: Critical

Description: This notification is generated when an STA fails to send the WPA EAPOL-Key Pairwise Message #4 in time to complete its authentication sequence with a radio, using the specified authentication type and encryption.

Usage: This indicates the failure of a STA to complete the EAPOL 4-way key exchange in a timely fashion.

Examples: For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:f0 [0] on radio 0 with user paul and SSID NewYorkRm did not send the WPA EAPOL-Key Pairwise Messg #4 in time where auth-type 4 and enc-type 6

See Also:

Security: EAPOL Group 2 key exchange timeout

Notification which indicates that the STA has failed to respond, in a timely manner, with EAPOL Group key exchange message number 2.

Syntax: "For device-id %s, the STA %s[%d] on radio %d with user %s and SSID %s did not send the WPA EAPOL-Key Group Messg #2 in time where auth-type %d and enc-type %d"

Alarm Parameters
DeviceId: The Device ID of the Airgo AP
Station: MAC address of the Station.
bpIndicator: Identifies if the supplicant is a BP (1), or a STA (0).
Radio: Identifies Radio by interface ID on the Access Point
User: User ID established during EAPOL Authentication exchange (if applicable)
SSID: Identifies the SSID on this AP that the STA has associated with.
Authentication type: The valid types include: WPA PSK (3), WPA EAP (4)
Encryption Type: The valid types include: TKIP (5), AES (6)

Alarm Severity
Severity: Critical

Description: This notification is generated when an STA fails to send the WPA EAPOL-Key Group Message #2 in time to complete its authentication sequence with a radio, using the specified authentication type and encryption.

Usage: This indicates the failure of a STA to complete the Group Key exchange in a timely fashion.

Examples: For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:f0 [0] on radio 0 with user paul and SSID NewYorkRm did not send the WPA EAPOL-Key Group Messg #2 in time where auth-type 4 and enc-type 6

See Also:
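The Syntax strings in this appendix are printf-style templates, so a log collector can turn them into parsers and decode the numeric codes with the Alarm Parameters tables. The following is an added example, not code from the manual or from Airgo: it compiles four of the Syntax strings into regular expressions and runs them over lines copied from the manual's Examples entries. The alarm names, field names, `parse_alarm` and the `rogue_hint` flag are assumptions of this example.

```python
import re

# Code tables transcribed from the Alarm Parameters entries in the manual.
CODES = {
    "auth_type": {0: "NONE", 1: "SHARED KEY", 2: "LEGACY 802.1x",
                  3: "WPA PSK", 4: "WPA EAP"},
    "enc_type": {0: "NONE", 1: "WEP-64", 2: "WEP-128", 5: "TKIP", 6: "AES"},
    "enforcement_level": {1: "AES ONLY", 2: "TKIP OR AES", 3: "WEP ONLY",
                          4: "NO ENCRYPTION", 5: "DEFAULT ENFORCEMENT"},
    "radius_reason": {0: "BAD SIGNATURE BASED ON SHARED SECRET",
                      1: "UNEXPECTED RESPONSE TYPE WHEN DOING EAP AUTH",
                      2: "UNEXPECTED RESPONSE TYPE WHEN DOING MAC-ACL LOOKUP",
                      3: "LEGAL MS-MPPE KEYS NOT PRESENT",
                      5: "BAD ENCODING FOR USER GROUP ATTRIBUTE"},
}
INT_FIELDS = {"radio", "port"}

# Hypothetical alarm name -> (Syntax string from the manual, field names in order).
ALARMS = {
    "enforcement_failed": (
        "For device-id %s, the STA %s on radio %d with user %s and SSID %s "
        "of group %s failed the security enforcement check with auth-type %d "
        "and enc-type %d at enforcement level %d",
        "device_id station radio user ssid group auth_type enc_type "
        "enforcement_level"),
    "radius_bad_response": (
        "For device-id %s, the RADIUS server %s:%d sent back a bad response "
        "due to %d",
        "device_id server port radius_reason"),
    "untrusted_auth_server": (
        "For device-id %s, the upstream AP %s with SSID %s authenticating via "
        "local BP radio %d is using an untrusted auth server %s with "
        "certificate SHA-1 thumbprint %s : IT MIGHT BE A ROGUE AP",
        "device_id upstream_ap ssid radio node thumbprint"),
    "premature_eap_success": (
        "For device-id %s, the upstream AP %s with SSID %s authenticating via "
        "local BP radio %d sent EAP-Sucess before authentication completed "
        ": IT MIGHT BE A ROGUE AP",
        "device_id upstream_ap ssid radio"),
}
# Alarms whose text in the manual says the upstream AP might be a rogue AP.
ROGUE_HINT = {"untrusted_auth_server", "premature_eap_success"}


def compile_syntax(syntax, fields):
    """Turn a printf-style Syntax string into a regex with named groups."""
    names = iter(fields.split())
    out = []
    for piece in re.split(r"(%[sd])", syntax):
        if piece == "%s":
            out.append(r"(?P<%s>\S+)" % next(names))  # one whitespace-free token
        elif piece == "%d":
            out.append(r"(?P<%s>\d+)" % next(names))
        elif piece:
            # Fixed text: tolerate the stray spaces seen in the manual's examples.
            words = r"\s+".join(re.escape(w) for w in piece.split())
            out.append(r"\s*" + words + r"\s*")
    return re.compile("".join(out))


PATTERNS = {name: compile_syntax(*spec) for name, spec in ALARMS.items()}


def parse_alarm(line):
    """Return a decoded event dict, or None when no known Syntax matches."""
    for name, pattern in PATTERNS.items():
        match = pattern.fullmatch(line.strip())
        if match is None:
            continue
        event = {"alarm": name, "rogue_hint": name in ROGUE_HINT}
        for field, raw in match.groupdict().items():
            if field in CODES:
                code = int(raw)
                # Keep codes the manual's tables do not list instead of dropping them.
                event[field] = CODES[field].get(code, "UNKNOWN (%d)" % code)
            elif field in INT_FIELDS:
                event[field] = int(raw)
            else:
                event[field] = raw  # user and SSID are peer-supplied: untrusted
        return event
    return None


# Input lines copied from the Examples entries of the manual.
SAMPLE_LINES = [
    "For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:cc  on radio 0 "
    "with user paul and SSID NewYorkRm of group employee failed the security "
    "enforcement check with auth-type 4 and enc-type 5 at enforcement level 1",
    "For device-id AP_00-0A-F5-00-01-89 , the RADIUS server 192.168.75.230:1812 "
    "sent back a bad response due to 7",
    "For device-id AP_00-0A-F5-00-01-89 , the upstream AP 00:0a:f5:00:06:22 with "
    "SSID NewYorkRm authenticating via local BP radio 0 is using an untrusted "
    "auth server 00:0a:f5:00:01:45 with certificate SHA-1 thumbprint "
    "98:72:a8:6d:56:f8:92:a8:f3:97:ec:3f:fa:0b:66:4e : IT MIGHT BE A ROGUE AP",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_alarm(sample))
```

Because `%s` is matched as a single whitespace-free token, a line whose SSID or user name contains spaces returns `None` and should be kept for manual review rather than discarded.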
Glossary

This glossary defines terms that apply to wireless and networking technology in general and Airgo products in particular.

802.1x: Standard for port-based authentication in LANs. Identifies each user and allows connectivity based on policies in a centrally managed server.

802.11: Refers to the set of WLAN standards developed by IEEE. The three commonly in use today are 802.11a, 802.11b, and 802.11g, sometimes referred to collectively as Dot11.

Access Control List (ACL): A list of services used for security of programs and operating systems. Lists users and groups together with the access awarded for each.

Access Point (AP): An inter-networking device that connects wired and wireless networks together. Also, an 802.11x capable device that may support one or more 802.11 network interfaces in it and coordinates client stations in establishing an Extended Service Set 802.11 network.

Advanced Encryption Standard (AES): An encryption algorithm developed for use by U.S. Government agencies and now incorporated into encryption standards for commercial transactions.

Airgo Client Utility (ACU): Application that executes on a client station and provides management and diagnostics functionality for the 802.11 network interfaces.

Ad-Hoc network: A group of nodes or systems communicating with each other without an intervening Access Point. Many wireless network cards support ad-hoc networking modes.

Authentication Server: A central resource that verifies the identity of prospective network users and grants access based on pre-defined policies.

Authentication Zone: An administrative grouping of resources for user authentication.

Backhaul: The process of getting data from a source and sending it for distribution over the main backbone network. Wireless backhaul refers to the process of delivering data from a node on the wireless network back to the wired network. Also referred to as WDS.
Basic Service Set (BSS): The set of all wireless client stations controlled by a single access point. The BSSID, or identifier, for the basic service set can be assigned or default to the MAC address of the access point.

Bridge: A connection between two (or more) LANs using the same protocol. Virtual bridges are used as a means of defining layer 2 domains for broadcast messages. Each virtual bridge uniquely defines a virtual local area network (VLAN).

Class of Service (COS): A method of specifying and grouping applications into various QoS groups or categories.

Differentiated Services Code Point (DSCP): A system of assigning Quality of Service “Class of Service” tags.

Domain Name Service (DNS): A standard methodology for converting alphanumeric Internet domain names to IP addresses.

Dynamic Host Configuration Protocol (DHCP): A communications protocol enabling IP address assignments to be managed both dynamically and centrally. With DHCP enabled on a node (a system, device, network card, or Access Point), when it boots or is connected to a network, an address is automatically assigned. Each assigned address is considered to be “leased” to a specific node; when the lease expires, a new IP can be requested and/or automatically reassigned. Without DHCP, IP addresses would need to be entered manually for each and every device on the network.

Dynamic Frequency Selection (DFS): A method for selecting the least intrusive and noisy available frequency for operation, part of the 802.11 specification.

Dynamic IP Address: A TCP/IP network address assigned temporarily (or dynamically) by a central server, also known as a DHCP server. A node set to accept dynamic IPs is said to be a “DHCP client.”

Extensible Authentication Protocol (EAP): Standard that specifies the method of communication between an authentication server and the client, or supplicant, requesting access to the network. EAP supports a variety of authentication methods.

Extensible Authentication Protocol Over LAN (EAPOL): Protocol used for 802.1x authentication.

EAP-TLS: EAP using Transport Layer Security. EAP-based authentication method based on X.509 certificates, which provides mutual, secure authentication. Certificates must be maintained in the authentication server and supplicant.

EAP-PEAP: Protected EAP-based authentication method based on X.509 certificates. Uses a two-phase approach in which the server is first authenticated to the supplicant. This establishes a secure channel over which the supplicant can be authenticated to the server.

Extended Service Set (ESS): A set of multiple connected BSSs. From the perspective of network clients, the ESS functions as one wireless network, with clients able to roam between the BSSs within the ESS.

ESSID: Name or identifier of the ESS used in network configuration.

hostname: The unique, fully qualified name assigned to a network computer, providing an alternative to the IP address as a way to identify the computer for networking purposes.

Hypertext Transfer Protocol (HTTP): Protocol governing the transfer of data on the World Wide Web between servers and browsers (and browser enabled software applications).

Hypertext Transfer Protocol over SSL (HTTPS): A variant of HTTP that uses SSL (Secure Sockets Layer) encryption to secure data transmissions. HTTPS uses port 443, as opposed to HTTP which uses port 80.

Independent Basic Service Set (IBSS): A set of clients communicating with each other or a network via an Access Point.

Internet Protocol (IP): The network layer protocol for routing packets through the Internet.

IP address: 32-bit number, usually presented as a period-separated (dotted decimal) list of three-digit numbers, which identifies an entity on the Internet according to the Internet Protocol standard.

Local Area Network (LAN): A group of computers, servers, printers, and other devices connected to one another, with the ability to share data between them.

Maskbits: Number of bits in the subnet prefix for an IP address (provides the same information as subnet mask). Each triplet of digits in an IP address consists of 8 bits. To specify the subnet in maskbits, count the number of bits in the prefix. To specify using a subnet mask, indicate the masked bits as an IP address.
Example: subnet mask 255.255.255.0 is equivalent to 24 maskbits, which is the total number of bits in the 255.255.255 prefix.Media Access Control (MAC) AddressA unique hardware-based equipment identifier, set during device manufacture. The MAC address uniquely identifies each node of a network. Access Points can be configured with MAC access lists, allowing only certain specific devices to connect with the LAN through them, or to allow certain MAC-identified network cards or devices access only to certain resources.
Glossary278 Installation and Configuration Guide: Airgo Access PointMAC address authenticationMethod of authenticating clients by using the MAC address of the client station as opposed to the user.Network Address Translation (NAT)The translation of one IP address used within a network to another address used elsewhere. One frequent use of NAT is the translation of IPs used inside a company, versus the IP addresses visible to the outside world. This feature helps increase network security to a small degree, because when the address is translated, this provides an opportunity to authenticate the request and/or to match it to known, authorized types of requests. NAT is also used sometimes to map multiple nodes to a single outwardly visible IP address.Network Interface Card (NIC)Generic term for network interface hardware that includes wired and wireless LAN adapter cards, PC Cardbus PCMCIA cards, and USB-to-LAN adapters.Network Management System (NMS)Software application that controls a network of multiple access points and clients.Node Generic term for a network entity. Includes a access point, network adapter (wireless or wired), or network appliance (such as a print server or other non-computer device)Network Time Protocol (NTP) NTP servers are used to synchronize clocks on computers and other devices. Airgo APs have the capability to connect automatically to NTP servers to set their own clocks on a regular basis.Ping Packet INternet Groper (ping)A utility which determines whether a specific IP address is accessible, and the amount of network time (measured in milliseconds) for response. Ping is used primarily to troubleshoot Internet connections.Policy-based NetworkingThe management of a network with rules (or policies), governing the priority and availability of bandwidth and resources, based both on the type of data being transmitted, as well as the privileges assigned to a given user or group of users. 
This allows network administrators to control how the network is used, to help maximize efficiency.Power Over Ethernet (PoE)Power supplied to a device by way of the Ethernet network data cable instead of a electrical power cord.Preamble TypeThe preamble defines the length of the cyclic redundancy check (CRC) block for communication between the Access Point and a roaming network adapter. All nodes on a given network should use the same preamble type.Quality of Service (QoS)QoS is a term encompassing the management of network performance, based on the notion that transmission speed, signal integrity, and error rates can be managed,
GlossaryInstallation and Configuration Guide: Airgo Access Point 279measured, and improved. In a wireless network, QoS is commonly managed through the use of policies.Remote Authentication Dial-In User Service (RADIUS)A client/server protocol and software that enables remote access servers to communicate with a central server to authenticate users and authorize service or system access. RADIUS permits maintenance of user profiles in a central repository that all remote servers can share. Radio Frequency (RF)The electromagnetic wave frequency radio used for communications applications.Roaming Analogous to the way cellular phone roaming works, roaming in the wireless networking environment is the ability to move from one AP coverage area to another without interruption in service or loss in connectivity.Rogue AP An access point that connects to the wireless network without authorization.Secure SHell (SSH)Also known as the Secure Socket Shell, SSH is a UNIX-based command line interface for secure access to remote systems. Both ends of communication are secured and authenticated using a digital certificate, and any passwords exchanged are encrypted.Service Set Identifier (SSID)The SSID is a unique identifier attached to all packets sent over a wireless network, identifying one or more wireless network adapters as “belonging” to a common group. Some Access Points can support multiple SSIDs, allowing for varying privileges and capabilities, based on user roles.Secure Sockets Layer (SSL)A common protocol for message transmission security on the Internet. 
Existing as a program layer between Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers, SSL is a standard feature in Internet Explorer, Netscape, and most web server products.Simple Mail Transfer Protocol (SMTP)Protocol used to transfer email messages between email servers.Simple Network Management Protocol (SNMP)An efficient protocol for network management and device monitoring.SNMP trap A process that filers SNMP messages and saves or drops them, depending upon how the system is configured.Spanning Tree Protocol (STP)A protocol that prevents bridging loops from forming due to incorrectly configured networks.Station (STA) An 802.11 capable device that supports only one 802.11 network interface, capable of establishing a Basic Service Set 802.11 network (i.e., peer-to-peer network)
Glossary280 Installation and Configuration Guide: Airgo Access PointStatic IP AddressA permanent IP address assigned to a node in a TCP/IP network.Subnet Portion of a network, designated by a particular set of IP addresses. Provides a hierarchy for addressing in LANs. Also called subnetwork.Subnet Mask A TCP/IP addressing method for dividing IP-based networks into subgroups or subnets (compare with maskbits). Each triplet of digits in an IP address consists of 8 bits. To specify using a subnet mask, indicate the masked bits as an IP address. To specify the subnet in maskbits, count the number of bits in the prefix. Example: subnet mask 255.255.255.0 is equivalent to 24 maskbits, which is the total number of bits in the 255.255.255 prefix.Temporal Key Integrity Protocol (TKIP)Part of the IEEE 802.11i encryption standard. TKIP provides improvements to WEP encryption, including per-packet key mixing, message integrity check and a re-keying mechanism.Traffic Class Identifier (TCID)Part of the standard 802.11 frame header. The 3-bit TCID is used for mapping to class-of-service values.Transmission Control Protocol/Internet Protocol (TCP/IP)One of the most commonly used communication protocols in modern networking. Addresses used in TCP/IP usually consist of four triplets of digits, plus a subnet mask (for example, 192.168.25.3, subnet 255.255.255.0).Transport Layer Security (TLS)Protocol that provides privacy protection for applications that communicate with each other and their users on the Internet. TLS is a successor to the Secure Sockets Layer (SSL). Trunk In telecommunications, a communications channel between two switching systems. 
In a wireless network, a trunk is a wireless connection from one access point to another.Type of Service (ToS)Sometimes also called IP Precedence, ToS is a system of applying QoS methodologies, based on headers placed into transmitted IP packets.User Datagram Protocol (UDP)A connectionless protocol similar to TCP/IP, but without the same level of error-checking. UDP is commonly used when some small degree of errors and packet-loss can be tolerated without losing program integrity, such as for online games.Virtual LAN (VLAN)A local area network with a definition that addresses network nodes on some basis other than physical location or even whether the systems are wired together or operating using the same local equipment. VLANs are, on average, much easier to manage than a physically implemented LAN. In other words, moving a user from one VLAN to another is a simple change in software, whereas on a regular LAN, the computer or device would need to be connected physically to a different switch
