
Nortel Business Access Point 120 manual

Date post: 18-Nov-2014

BAP120

Using the Nortel Business Access Point 120

NN47921-301

Document status: Standard
Document version: 01.01
Document date: August 2006

Copyright © 2006, Nortel Networks
All Rights Reserved.

Sourced in Canada and the United States of America.

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.

*Nortel, Nortel (Logo), the Globemark, and This is the way, This is Nortel (Design mark) are trademarks of Nortel Networks.

*Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation.

All other trademarks and registered trademarks are the property of their respective owners.

Contents

Introduction
BAP120 Fundamentals
BAP120 functions
Radio characteristics
BAP120 user interfaces
Hardware description
Antennas
LED indicators
Security slot
Console port
Ethernet port
Reset button
Power connector
Network topologies
Infrastructure wireless LAN
Infrastructure wireless LAN for roaming wireless PCs
Infrastructure wireless bridge
Infrastructure wireless repeater
System defaults
BAP120 installation and initial configuration
Installing the BAP120 hardware
BAP120 hardware installation procedures
Mounting the access point on a wall or ceiling
Mounting the BAP120 on a horizontal surface
Attaching the antenna
Powering up the BAP120
Configuring the network
Procedure job aid
Configuring the BAP120 the first time it is powered up
Troubleshooting
Troubleshooting when wireless clients cannot access the network
Troubleshooting when the BAP120 cannot be configured
Troubleshooting when WebUI does not display the left menu panel
Contacting the BAP120 if the log on details are lost
Troubleshooting when all other recovery measures fail
Troubleshooting when WebUI does not display accurate information
Troubleshooting when WebUI does not log on correctly
System configuration management
Web User Interface description
Starting the WebUI
WebUI navigation
System identification
TCP and IP settings
RADIUS
Authentication
Filter control
VLAN
WDS settings
AP management
Administration
Changing the password
Setting the timeout interval
Upgrading Firmware
System log
Enabling system logging
Configuring SNTP
SNMP
Configuring SNMP and Trap message parameters
Configuring SNMPv3 users
Configuring SNMPv3 trap filters
Configuring SNMPv3 targets
Radio interface
Slot 0 - Radio A (802.11a)
Configuring VAP radio settings
Configuring common radio settings
Configuring Wi-Fi multimedia
WMM Backoff Wait Times
Slot 0 - Radio G (802.11b/g)
Security
Enabling the VAPs
Wired Equivalent Privacy (WEP)
Wi-Fi Protected Access (WPA)
Configuring 802.1X
Status information
Access Point Status
Station Status
Event Logs
STP Status
References
Regulatory compliances
Federal Communication Commission Interference Statement
IMPORTANT NOTE: FCC Radiation Exposure Statement
Wireless 5 GHz Band Statements
Industry Canada: Class B
Australia and New Zealand
EC Conformance Declaration
Safety Compliance
Twisted-pair cable assignments
10/100BASE-TX pin assignments
Straight-through wiring
Glossary
10BASE-T
100BASE-TX
Access Point
Ad hoc
Advanced Encryption Standard (AES)
Authentication
Backbone
Basic Service Set (BSS)
Beacon
Broadcast key
CSMA/CA
Dynamic Host Configuration Protocol (DHCP)
Encryption
Extended Service Set (ESS)
Extensible Authentication Protocol (EAP)
Ethernet
File Transfer Protocol (FTP)
Hypertext Transfer Protocol (HTTP)
Internet Control Message Protocol (ICMP)
IEEE 802.11a
IEEE 802.11b
IEEE 802.11g
IEEE 802.1X
Infrastructure
Inter Access Point Protocol (IAPP)
Local Area Network (LAN)
MAC address
Network Time Protocol (NTP)
Open system
Orthogonal Frequency Division Multiplexing (OFDM)
Power over Ethernet (PoE)
RADIUS
Roaming
RTS threshold
Service Set Identifier (SSID)
Session key
Shared key
Simple Network Management Protocol (SNMP)
Simple Network Time Protocol (SNTP)
Temporal Key Integrity Protocol (TKIP)
Trivial File Transfer Protocol (TFTP)
Virtual Access Point (VAP)
Virtual LAN (VLAN)
Wi-Fi protected access
Wired Equivalent Privacy (WEP)
WPA Preshared Key (PSK)

BAP120
Using the Nortel Business Access Point 120
NN47921-301 01.01 Standard 1.0 August 2006
Copyright © 2006, Nortel Networks
Nortel Networks Confidential

Introduction

The Business Access Point 120 is an IEEE 802.11a, 802.11b/g, and Super a/g access point that provides transparent, wireless high-speed data communications between the wired LAN and fixed or mobile devices equipped with either an 802.11a or 802.11b/g wireless adapter, or both.

This solution offers fast, reliable wireless connectivity with considerable cost savings over wired LANs (which include long-term maintenance overhead for cabling).

Navigation

• "BAP120 Fundamentals"

• "BAP120 installation and initial configuration"

• "Installing the BAP120 hardware"

• "Configuring the network"

• "Configuring the BAP120 the first time it is powered up"

• "Troubleshooting"

• "System configuration management"

• "References"


BAP120 Fundamentals

Understanding the fundamentals of the BAP120 helps you set up, configure, and use the BAP120.

Navigation

• "BAP120 functions"

• "Hardware Description"

• "Network topologies"

• "System defaults"

BAP120 functions

The access point supports up to four Virtual Access Points (VAP) per physical radio interface, that is four on the 802.11a radio and four on the 802.11b/g radio. Using this access point, traffic can be separated for different user groups using an access point that services one area. For each VAP, different security settings, Virtual Local Area Network (VLAN) assignments, and other parameters can be applied.

Each radio interface on the access point can operate in one of four modes:

• Access Point – Providing connectivity to wireless clients in the service area.

• Repeater – Providing an extended link to a remote access point from the wired LAN. In this mode, the access point does not have a cable connection to the wired Ethernet LAN. In this mode, at least one access point must have wired connectivity to enable the signal to repeat to the next unwired access point.

• Bridge – Providing links to access points operating in Bridge or Root Bridge mode and thereby connecting other wired LAN segments.

• Root Bridge – Providing links to other access points operating in Bridge mode and thereby connecting other wired LAN segments. Only one unit in the wireless bridge network can be set to Root Bridge mode.


In addition, the access point offers full network management capabilities through an easy to configure web interface, and support for Simple Network Management Protocol tools.

Radio characteristics

The IEEE 802.11a/g standard uses a radio modulation technique known as Orthogonal Frequency Division Multiplexing (OFDM), and a shared collision domain (CSMA/CA). It operates at the 5 GHz Unlicensed National Information Infrastructure (UNII) band for connections to 802.11a clients, and at 2.4 GHz for connections to 802.11b/g clients.

IEEE 802.11b includes backward compatibility with the IEEE 802.11g standard. IEEE 802.11b/g also operates at 2.4 GHz, but uses Direct Sequence Spread Spectrum (DSSS) and Complementary Code Keying (CCK) modulation technology to achieve a communication rate of up to 11 Mbps.

The access point supports a 54 Mbps half-duplex connection to Ethernet networks for each active channel (or up to 108 Mbps when using turbo mode on the 802.11a interface). The access point also supports Super A for 108 Mb/s on 802.11a mode and Super G for 108 Mb/s on 802.11g mode.

BAP120 user interfaces

You can manage the switch using one of the following:

• Web-based management – You can manage the network from the World Wide Web. Access the Web-based Graphical User Interface (GUI) through the HTML-based browser located on your network. Using the GUI, you can configure, monitor, and maintain your network through Web browsers. You can also download software using the Web.

• Business Element Manager – The Element Manager is a client-based management application that runs on a Windows computer. Using the Element Manager you can connect to BAP120 Series devices over an IP network. It is used to configure, administer, and monitor BAP120 Series devices.


Hardware description

Figure: Top panel

Figure: Rear panel

Antennas

The access point includes detachable diversity antennas for wireless communications. A diversity antenna system uses two identical antennas to receive and transmit signals, helping to avoid multi-path fading effects. When receiving, the access point checks both antennas and selects the one with the strongest signal. When transmitting, it continues to use the antenna previously selected for receiving. The access point never transmits from both antennas at the same time.


The antennas transmit the outgoing signal as a toroidal sphere (doughnut shaped), with the coverage extending in a direction perpendicular to the antenna. The antenna must be adjusted to an angle that provides the appropriate coverage for the service area.

LED indicators

The access point includes four status LED indicators, as described in the following figure and table:

Figure: LED indicators

Table: LED indicators

LED | Status | Description
PWR | On (Green), Fully functional | Indicates that the system is working normally.
PWR | Flashing (Amber), Initialization phase | Indicates that the system is running a self-test or loading the software program.
PWR | Flashing (Prolonged) | Indicates system errors.
Link | On (Green), Functional (not ongoing transmission) | Indicates a valid 10/100 Mb/s Ethernet cable link.
Link | Flashing (Green), Transmitting | Indicates that the access point is transmitting or receiving data on a 10/100 Mb/s Ethernet LAN. Flashing rate is proportional to network activity.
11a | On (Green), Functional (not ongoing transmission) | Indicates that the 802.11a radio is enabled.
11a | Flashing (Green), Transmitting | Indicates that the access point is transmitting or receiving data through wireless links. Flashing rate is proportional to network activity.
11a | Off | Indicates that the 802.11a radio is disabled.
11b/g | On (Green), Functional (not ongoing transmission) | Indicates that the 802.11b/g radio is enabled.
11b/g | Flashing (Green), Transmitting | Indicates that the access point is transmitting or receiving data through wireless links. Flashing rate is proportional to network activity.
11b/g | Off | Indicates that the 802.11b/g radio is disabled.

Security slot

The access point includes a Kensington security slot on the rear panel. You can prevent unauthorized removal of the access point by wrapping the Kensington security cable (not provided) around an unmovable object, inserting the lock into the slot, and turning the key.

Console port

The console port is only used for maintenance and is not intended for customer use.

Ethernet port

The access point has one 10BASE-T/100BASE-TX RJ-45 port that can be attached directly to 10BASE-T/100BASE-TX LAN segments. These segments must conform to the IEEE 802.3 or 802.3u specifications.


This port supports automatic MDI/MDI-X operation, so you can use straight-through or crossover cables for all network connections to PCs, switches, or hubs.

The access point appears as an Ethernet node and performs a bridging function by moving packets from the wired LAN to remote workstations on the wireless infrastructure.

Note: The RJ-45 port also supports Power over Ethernet (PoE) based on the IEEE 802.3af standard. For further information, see the description for the "Power connector" for information about supplying power to the access point network port from a network device, such as a switch, that provides PoE.

Reset button

This button is used to reset the access point or restore the factory default configuration. If you hold down the button for less than 5 seconds, the access point performs a hardware reset. If you hold down the button for 5 seconds or more, any configuration changes you have made are removed, and the factory default configuration is restored to the access point.

ATTENTION
Use this button as a last resort for resetting the access point. Nortel recommends that you use the reset options that are available through the WebUI.

Power connector

The access point does not have a power switch. It is powered on when connected to the AC power adapter, and the power adapter is connected to a power source. The power adapter automatically adjusts to any voltage between 100-240 volts at 50 or 60 Hz. No voltage range settings are required.

The access point can also receive PoE from a switch or other network device that supplies power over the network cable, based on the IEEE 802.3af standard.

Note that, if the access point is connected to a PoE source device and also connected to a local power source through the AC power adapter, the PoE source is used.

Network topologies

Infrastructure wireless LAN

The Business Access Point 120 also provides access to a wired LAN for wireless workstations. An integrated wired/wireless LAN is called an Infrastructure configuration. A Basic Service Set (BSS) consists of a group of wireless PC users, and an access point that is directly connected to the wired LAN. Each wireless PC in this BSS can talk to any computer in its wireless group by means of a radio link, or access other computers or network resources in the wired LAN infrastructure by means of the access point.

The infrastructure configuration not only extends the accessibility of wireless PCs to the wired LAN, but also increases the effective wireless transmission range for wireless PCs by passing their signal through one or more access points.

A wireless infrastructure can be used for access to a central database, or for connection between mobile workers, as shown in the following figure.

Figure: Infrastructure wireless LAN

Infrastructure wireless LAN for roaming wireless PCs

The BSS defines the communications domain for each access point and its associated wireless clients. The BSS ID is a 48-bit binary number based on the wireless MAC address for the access point, and is set automatically and transparently when clients associate with the access point. The BSS ID is used in frames sent between the access point and its clients to identify traffic in the service area.

The BSS ID is only set by the access point, never by its clients. The clients only need to set the Service Set Identifier (SSID) that identifies the service set provided by one or more access points. The SSID can be manually configured by the clients, detected in an access point beacon, or obtained by querying for the identity of the nearest access point. For clients that do not need to roam, set the SSID for the wireless card to that used by the access point to which you want to connect.

A wireless infrastructure can also support roaming for mobile workers. More than one access point can be configured to create an Extended Service Set (ESS). By placing the access points so that a continuous coverage area is created, wireless users within this ESS can roam freely. All wireless network cards and adapters and wireless access points within a specific ESS must be configured with the same SSID.

Figure: Infrastructure wireless LAN for roaming wireless PCs

Infrastructure wireless bridge

The IEEE 802.11 standard defines a Wireless Distribution System (WDS) for bridge connections between BSS areas (access points). The access point uses WDS to forward traffic on links between units.

The access point supports WDS bridge links on either the 5 GHz (802.11a) or 2.4 GHz (802.11b/g) bands and can be used with various external antennas to offer flexible deployment options.


Up to six WDS bridge links can be specified for each unit in the wireless bridge network. Only one unit can be configured as the root bridge in the wireless network. The root bridge must be the unit connected to the main core of the wired LAN. Other bridges must configure one parent link to the root bridge or to a bridge connected to the root bridge. The other five available WDS links can be specified as child links to other bridges. This forms a tiered-star topology for the wireless bridge network.

When using WDS on a radio band, only wireless bridge units can associate with each other. Wireless clients can only associate with the access point using a radio band set to access point or repeater mode.

Figure: Infrastructure wireless bridge
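The WDS rules above (one root bridge, one parent link per other bridge, at most six links per unit, every bridge reaching the root) can be checked against a planned layout before any unit is configured. The following Python check is an added example, not part of the Nortel manual; the plan format, the mode labels "root-bridge" and "bridge", and the unit names are assumptions made for illustration.

```python
from collections import deque

MAX_WDS_LINKS = 6      # per unit, from the text above
MAX_CHILD_LINKS = 5    # a non-root bridge spends one of its six links on its parent

# Constructed sample plans (hypothetical unit names).
GOOD_PLAN = {
    "ap-core":  {"mode": "root-bridge", "parent": None},
    "ap-east":  {"mode": "bridge", "parent": "ap-core"},
    "ap-west":  {"mode": "bridge", "parent": "ap-core"},
    "ap-annex": {"mode": "bridge", "parent": "ap-east"},
}
BAD_PLAN = {
    "ap-core":   {"mode": "root-bridge", "parent": None},
    "ap-lab":    {"mode": "root-bridge", "parent": None},   # second root bridge
    "ap-east":   {"mode": "bridge", "parent": "ap-core"},
    "ap-x":      {"mode": "bridge", "parent": "ap-y"},      # ap-x and ap-y only
    "ap-y":      {"mode": "bridge", "parent": "ap-x"},      # point at each other
    "ap-orphan": {"mode": "bridge", "parent": None},        # no parent link
}


def validate_wds_plan(units):
    """Check a planned WDS bridge network against the rules in the text.

    units maps a unit name to {"mode": "root-bridge" | "bridge", "parent": name | None}.
    Returns a list of findings; an empty list means the plan is a valid tiered star.
    """
    findings = []
    roots = sorted(n for n, u in units.items() if u["mode"] == "root-bridge")
    if len(roots) != 1:
        findings.append(f"expected exactly one root bridge, found {len(roots)}: {roots}")

    # Build the child lists from each bridge's single parent link.
    children = {name: [] for name in units}
    for name in sorted(units):
        unit = units[name]
        parent = unit.get("parent")
        if unit["mode"] == "root-bridge":
            if parent is not None:
                findings.append(f"{name}: a root bridge must not have a parent link")
            continue
        if parent is None:
            findings.append(f"{name}: bridge has no parent link")
        elif parent not in units or parent == name:
            findings.append(f"{name}: parent {parent!r} is not another unit in the plan")
        else:
            children[parent].append(name)

    # Link budget. Assumption: a root bridge, having no parent, may use all six
    # links for children; the text states the five-child figure for other bridges.
    for name in sorted(units):
        is_root = units[name]["mode"] == "root-bridge"
        limit = MAX_WDS_LINKS if is_root else MAX_CHILD_LINKS
        if len(children[name]) > limit:
            findings.append(
                f"{name}: {len(children[name])} child links exceed the limit of {limit}")

    # Every bridge must reach a root bridge through its chain of parent links.
    reached = set(roots)
    queue = deque(roots)
    while queue:
        for child in children[queue.popleft()]:
            if child not in reached:
                reached.add(child)
                queue.append(child)
    for name in sorted(set(units) - reached):
        parent = units[name].get("parent")
        if parent in units and parent != name:
            findings.append(f"{name}: parent chain never reaches the root bridge")
    return findings


if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, validate_wds_plan(plan) or "OK")
```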

Infrastructure wireless repeater

The access point can also operate in a bridge repeater mode to extend the range of links to wireless clients. The access point uses WDS to forward traffic between the repeater bridge and the root bridge. The access point supports up to six WDS repeater links.


In repeater mode, the access point does not support an Ethernet link to a wired LAN. Note that when the access point operates in this mode only half the normal throughput is possible, because the access point has to receive and then retransmit all data on the same channel.

Figure: Infrastructure wireless repeater

System defaults

The following table lists some of the BAP120 basic system defaults.

Table: System defaults

Feature | Parameter | Default
Identification | System Name | Business Access Point 120
Administration | User Name | nnadmin
Administration | Password | PlsChgMe!
General | HTTP Server | Enabled
General | HTTP Server Port | 80
TCP/IP | DHCP | Enabled
TCP/IP | IP Address | 192.168.1.136
TCP/IP | Subnet Mask | 255.255.255.0
TCP/IP | Default Gateway | 192.168.1.1
TCP/IP | Primary DNS IP | 0.0.0.0
TCP/IP | Secondary DNS IP | 0.0.0.0
RADIUS (Primary and Secondary) | IP Address | 0.0.0.0
RADIUS (Primary and Secondary) | Port | 1812
RADIUS (Primary and Secondary) | Key | DEFAULT
RADIUS (Primary and Secondary) | Timeout | 5 seconds
RADIUS (Primary and Secondary) | Retransmit attempts | 3
RADIUS (Primary and Secondary) | Accounting Port | 0 (Disabled)
RADIUS (Primary and Secondary) | Interim Update Timeout | 3600 seconds
MAC Authentication | MAC | Disabled
MAC Authentication | Authentication Session Timeout | 0 minutes (disabled)
MAC Authentication | Local MAC System Default | Allowed
MAC Authentication | Local MAC Permission | Allowed
802.1X Authentication | Status | Disabled
802.1X Authentication | Broadcast Key Refresh | 0 minutes (disabled)
802.1X Authentication | Session Key Refresh | 0 minutes (disabled)
802.1X Authentication | Re-authentication Refresh Rate | 0 seconds (disabled)
VLAN | Management VLAN ID | 1
VLAN | VLAN ID (VAP Interface) | 1
VLAN | VLAN Tag Support | Disabled
QoS | QoS Mode | Off
Filter control | Local Bridge | Disabled
Filter control | AP Management | Disabled
Filter control | Ethernet Type | Disabled
SNMP | Status | Enabled
SNMP | Location | null
SNMP | Contact | null
SNMP | Community (Read Only) | PlsChgMe!RO
SNMP | Community (Read/Write) | PlsChgMe!RW
SNMP | Traps | Enabled
SNMP | Trap Destination (1-4) | Disabled
SNMP | Trap Destination IP Address | null
SNMP | Trap Destination Community | PlsChgMe!RO
SNMP | SNMP v3 Groups | RO, RWAuth, RWPriv
SNMP | SNMP v3 Users | none
System logging | Syslog | Disabled
System logging | Logging Host | Disabled
System logging | Logging Console | Disabled
System logging | IP Address / Host Name | 0.0.0.0
System logging | Logging Level | Informational
System logging | Logging Facility Type | 16
System clock | SNTP Server Status | Disabled
System clock | SNTP Server 1 IP | 0.0.0.0
System clock | SNTP Server 2 IP | 0.0.0.0
System clock | Date and Time | 00:00, Jan 1, 1970 (when there is no time server)
System clock | Daylight Saving Time | Enabled
System clock | Time Zone | GMT-5 (Eastern Time, US and Canada)
Ethernet interface | Speed and Duplex | Auto
Wireless interface 802.11a | IAPP | Enabled
Wireless interface 802.11a | Turbo Mode | Disabled
Wireless interface 802.11a | Status | Disabled
Wireless interface 802.11a | Auto Channel Select | Enabled
Wireless interface 802.11a | Closed System | Disabled
Wireless interface 802.11a | Transmit Power | Full
Wireless interface 802.11a | Max Station Data Rate | 54 Mb/s
Wireless interface 802.11a | Beacon Interval | 100 TUs
Wireless interface 802.11a | Data Beacon Rate (DTIM Interval) | 1 beacon
Wireless interface 802.11a | RTS Threshold | 2 347 bytes
Wireless interface 802.11a | Association Timeout Interval | 30 minutes
Wireless interface 802.11a | Authentication Timeout Interval | 60 minutes
Wireless interface 802.11a | Antenna Control Method | Diversity
Wireless interface 802.11a | Antenna ID | 0x0000
Wireless interface 802.11a | Antenna Location | Indoor
Wireless security 802.11a | Authentication Type | Open System
Wireless security 802.11a | Data Encryption | Disabled
Wireless security 802.11a | WEP Key Type | Alphanumeric
Wireless security 802.11a | WEP Transmit Key Number | 1
Wireless security 802.11a | WEP Keys | null
Wireless security 802.11a | WPA Configuration Mode | WEP Only (Disabled)
Wireless security 802.11a | WPA Key Management | WPA Pre-shared Key
Wireless security 802.11a | WPA PSK Type | Alphanumeric
Wireless security 802.11a | VAP0 SSID | BAP120_11A_SSID 0
Wireless security 802.11a | VAP1 SSID | BAP120_11A_SSID 1
Wireless security 802.11a | VAP2 SSID | BAP120_11A_SSID 2
Wireless security 802.11a | VAP3 SSID | BAP120_11A_SSID 3
Wireless interface 802.11b/g | IAPP | Enabled
Wireless interface 802.11b/g | Radio Mode | b+g
Wireless interface 802.11b/g | Status | Disabled
Wireless interface 802.11b/g | Auto Channel Select | Enabled
Wireless interface 802.11b/g | Closed System | Disabled
Wireless interface 802.11b/g | Transmit Power | Full
Wireless interface 802.11b/g | Max Station Data Rate | 54 Mb/s
Wireless interface 802.11b/g | Preamble Length | Short
Wireless interface 802.11b/g | Beacon Interval | 100 TUs
Wireless interface 802.11b/g | Data Beacon Rate (DTIM Interval) | 1 beacon
Wireless interface 802.11b/g | RTS Threshold | 2 347 bytes
Wireless interface 802.11b/g | Association Timeout Interval | 30 minutes
Wireless interface 802.11b/g | Authentication Timeout Interval | 60 minutes
Wireless interface 802.11b/g | Antenna Control Method | Diversity
Wireless interface 802.11b/g | Antenna ID | 0x0000
Wireless interface 802.11b/g | Antenna Location | Indoor
Wireless security 802.11b/g | Authentication Type | Open System
Wireless security 802.11b/g | Data Encryption | Disabled
Wireless security 802.11b/g | WEP Key Type | Alphanumeric
Wireless security 802.11b/g | WEP Transmit Key Number | 1
Wireless security 802.11b/g | WEP Keys | null
Wireless security 802.11b/g | WPA Configuration Mode | WEP Only (Disabled)
Wireless security 802.11b/g | WPA Key Management | WPA Pre-shared Key
Wireless security 802.11b/g | WPA PSK Type | Alphanumeric
Wireless security 802.11b/g | VAP0 SSID | BAP120_11G_SSID 0
Wireless security 802.11b/g | VAP1 SSID | BAP120_11G_SSID 1
Wireless security 802.11b/g | VAP2 SSID | BAP120_11G_SSID 2
Wireless security 802.11b/g | VAP3 SSID | BAP120_11G_SSID 3
Link integrity | Status | Disabled
Link integrity | Ping Interval | 30 seconds
Link integrity | Fail Retry Count | 6
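Several of the defaults in this table are shared secrets or open settings that only matter once the related feature is in use (SNMP is enabled out of the box, the radios and RADIUS are not). The following Python audit is an added example, not part of the Nortel manual: it compares a settings snapshot, transcribed by hand from the WebUI, with the factory values above. The snapshot format, the severity labels, and the sample values are assumptions; the manual does not describe a configuration export format.

```python
# Factory values transcribed from the "System defaults" table above.
RADIUS = "RADIUS (Primary and Secondary)"
RADIOS = ("802.11a", "802.11b/g")
FACTORY = {
    ("Administration", "Password"): "PlsChgMe!",
    ("SNMP", "Status"): "Enabled",
    ("SNMP", "Community (Read Only)"): "PlsChgMe!RO",
    ("SNMP", "Community (Read/Write)"): "PlsChgMe!RW",
    (RADIUS, "IP Address"): "0.0.0.0",
    (RADIUS, "Key"): "DEFAULT",
    ("System logging", "Syslog"): "Disabled",
}
for _radio in RADIOS:
    FACTORY[(f"Wireless interface {_radio}", "Status")] = "Disabled"
    FACTORY[(f"Wireless security {_radio}", "Authentication Type")] = "Open System"
    FACTORY[(f"Wireless security {_radio}", "Data Encryption")] = "Disabled"

# Constructed snapshots. Keys are (Feature, Parameter) as in the table;
# a setting missing from a snapshot is taken to be at its factory value.
FRESH_UNIT = {}
FIELD_UNIT = {
    ("Administration", "Password"): "constructed-non-default-value",
    ("SNMP", "Status"): "Disabled",
    ("Wireless interface 802.11a", "Status"): "Enabled",
    (RADIUS, "IP Address"): "192.0.2.10",          # documentation address
    ("System logging", "Syslog"): "Enabled",
}


def audit_snapshot(snapshot):
    """Return (severity, "Feature / Parameter", reason) for risky factory settings."""
    cfg = {**FACTORY, **snapshot}
    findings = []

    def at_factory(key):
        return cfg[key] == FACTORY[key]

    def flag(severity, key, reason):
        findings.append((severity, f"{key[0]} / {key[1]}", reason))

    key = ("Administration", "Password")
    if at_factory(key):
        flag("high", key, "factory administrator password still set")

    # Community strings only matter while the SNMP agent is enabled.
    if cfg[("SNMP", "Status")] == "Enabled":
        for param in ("Community (Read Only)", "Community (Read/Write)"):
            key = ("SNMP", param)
            if at_factory(key):
                flag("high", key, "SNMP enabled with the factory community string")

    # 0.0.0.0 means no RADIUS server is configured, so the key is unused.
    if cfg[(RADIUS, "IP Address")] != "0.0.0.0" and at_factory((RADIUS, "Key")):
        flag("high", (RADIUS, "Key"), "RADIUS server configured with the factory key")

    # An enabled radio left at Open System with encryption disabled is an open network.
    for radio in RADIOS:
        if cfg[(f"Wireless interface {radio}", "Status")] != "Enabled":
            continue
        sec = f"Wireless security {radio}"
        if at_factory((sec, "Authentication Type")) and at_factory((sec, "Data Encryption")):
            flag("high", (sec, "Data Encryption"),
                 "radio enabled with Open System authentication and no encryption")

    key = ("System logging", "Syslog")
    if at_factory(key):
        flag("low", key, "system logging is disabled")
    return findings


if __name__ == "__main__":
    for label, snap in (("fresh unit", FRESH_UNIT), ("field unit", FIELD_UNIT)):
        print(label)
        for severity, setting, reason in audit_snapshot(snap):
            print(f"  [{severity}] {setting}: {reason}")
```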


BAP120 installation and initial configuration

Install and configure the BAP120 to enable it as an access point for your network.

Prerequisites to BAP120 installation and initial configuration

Verify that your Business Access Point 120 package includes the following:

• one Business Access Point 120

• one Category 5 network cable

• optional AC power adapter and power cord

• four rubber feet

• one mounting bracket

• three Phillips screws

• three nylon anchors

• two antennas

• optional two directional antennas

• BAP120 Quick Installation Guide

Inform your dealer if there are any incorrect, missing, or damaged parts. If possible, retain the carton, including the original packing materials. Use them again to repack the product in case there is a need to return it.


BAP120 installation and initial configuration navigation

• "Installing the BAP120 hardware"

• "Configuring the network"

• "Configuring the BAP120 the first time it is powered up"


Installing the BAP120 hardware

Install the BAP120 unit in the same area as the computers served by the BAP120.

Prerequisites to BAP120 hardware installation

• Choose a proper place for the access point. In general, the best location is at the center of your wireless coverage area, within line of sight of all wireless devices. For optimum performance, consider these points:

— Mount the access point as high as possible, above any obstructions in the coverage area.

— Avoid mounting next to or near building-support columns or other obstructions that can cause reduced signal or null zones in parts of the coverage area.

— Mount away from any signal-absorbing or reflecting structures (such as those containing metal).

— Mount the BAP120 on a wall or a ceiling, or rest it on a high shelf.

• If you are mounting on a horizontal surface (shelf), your BAP120 can use Power over Ethernet (PoE) and does not need to be connected to an AC power source. If a PoE connection is not available, connect the AC power adapter to the BAP120, and then connect the AC power adapter to an AC power source. Use only the supplied AC power adapter.

BAP120 hardware installation procedures

This task flow illustrates the sequence of procedures you perform to install, power up, and configure the BAP120 access point.


Figure: BAP120 hardware installation procedures

BAP120 hardware installation procedures navigation

• "Mounting the access point on a wall or ceiling"

• "Mounting the BAP120 on a horizontal surface"

• "Attaching the antenna"

• "Powering up the BAP120"

• "Configuring the BAP120 the first time it is powered up"


Mounting the access point on a wall or ceiling

Use this procedure to mount the BAP120 on a wall or ceiling.

Prerequisites

• You must have an electrically insulating gap of at least 0.5 inches (in.) between the base of the BAP120 and an electrically conducting surface.

Procedure steps

Step Action

1 Securely attach a 0.5-in. plywood base to the wall or ceiling to isolate the BAP120 from the mounting surface. Leave enough space above (wall mount) or behind (ceiling mount) to connect the power cord and Ethernet cable.

2 Use the screws provided to screw the mounting plate to the mounting surface with the tab facing up (wall mount) or behind (ceiling mount).

3 Slide the pins on the base of the BAP120 into the keyhole slots on the mounting bracket.

Figure: BAP120 installed on mounting bracket

4 Tighten the thumbscrew to secure the BAP120 onto the mounting bracket.

Figure: BAP120 thumbscrew detail

—End—

Mounting the BAP120 on a horizontal surface

Use this procedure to mount the BAP120 on a horizontal surface.

Procedure steps

Step Action

1 Attach the four rubber feet provided in the accessory kit to the marked circles on the bottom of the access point.

Figure: BAP120 rubber feet installation

2 Lock the BAP120 in place.

3 Optionally, protect the BAP120 from unauthorized removal with a Kensington Slim microsaver security cable (optional).


—End—

Attaching the antenna

Use this procedure to attach the antenna to the BAP120.

Procedure steps

Step Action

1 Attach the antennas to the BAP120.

2 Rotate each antenna so that it is perpendicular to the computers served by the BAP120.

Figure: BAP120 antenna placement


3 Optionally, position the optional directional antenna in the direction of connectivity.

—End—

Powering up the BAP120

Power up the BAP120 so that it is ready to function as an access point for your network.

Procedure steps

Step Action

1 Connect to the power source using Power over Ethernet (PoE) or the supplied AC power adapter.

CAUTION
Use ONLY the power adapter supplied with this access point. Otherwise, the product can be damaged.

BAP120 rear panel connections

ATTENTION
If the access point is connected to both a PoE source device and an AC power source, the AC power is disabled.

2 Connect the Ethernet cable to the RJ-45 port, and then connect the cable to an Ethernet or PoE port on your Ethernet switch.

The BAP120 automatically requests an IP address from the DHCP server on your LAN by default. If no response is received from the DHCP server, the access point uses the default address 192.168.1.136.

3 The BAP120 begins the self-test.


4 Verify that the PWR indicator stops flashing and remains on.

5 Verify that the other indicators start functioning as described under "LED Indicators" (page 12). During initialization, the LED is amber and flashing. If the PWR LED does not stop flashing, the self test has not completed correctly. For more information, see "Troubleshooting" (page 41).

—End—


Configuring the network

Use one of the following network topologies to connect wireless clients, the BAP120, and wired LANs:

• "Infrastructure wireless LAN" (page 14)

• "Infrastructure wireless LAN for roaming wireless PCs" (page 15)

• "Infrastructure wireless bridge" (page 16)

• "Infrastructure wireless repeater" (page 17)

Procedure steps

Step Action

1 Determine which of the four valid network topologies is the best configuration for your site.

2 Assemble the required cabling for your chosen topology.

3 Determine which system configuration values must be changed from the factory default settings to support your chosen topology. The "Infrastructure wireless LAN" (page 14) uses the default values that are listed in "System defaults" (page 18).

4 Delay making the changes to the default values until after you have initially installed the BAP120. For further information, see "Configuring the BAP120 the first time it is powered up" (page 35).

5 Connect the BAP120 to your LAN through the RJ-45 port.

—End—

Procedure job aid

Wireless networks support a stand-alone configuration as well as an integrated configuration with 10/100 Mb/s Ethernet LANs. The Business Access Point 120 also provides repeater and bridging services that can be configured independently on either the 5 GHz or 2.4 GHz radio interfaces.


The 802.11b and 802.11g frequency band, which operates at 2.4 GHz, can easily encounter interference from other 2.4 GHz devices, such as other 802.11b/g wireless devices, cordless phones and microwave ovens. If you experience poor wireless LAN performance, try the following measures:

• Limit any possible sources of radio interference within the service area

• Increase the distance between neighboring access points

• Decrease the signal strength of neighboring access points

• Increase the channel separation of neighboring access points (for example, up to 5 channels of separation for 802.11b and 802.11g)


Configuring the BAP120 the first time it is powered up

Configure the BAP120 the first time it is powered up using the Business Element Manager.

Prerequisites

• The Business Element Manager must be installed.

Procedure steps

Step Action

1 Start the Element Manager.

2 Choose Network > Find Network Elements > Business Access Point from the Element Manager menu.

3 Enter the range 192.168.1.1 to 192.168.1.255, and then click OK.


IP address range

4 Select the BAP device from the list of network elements on the Element Manager tree.

The default value for Read Community is PlsChgMe!RO and for Write Community it is PlsChgMe!RW.

5 Click the Web Page button on the Element Manager menu.

6 Enter the default username (nnadmin) and password (PlsChgMe!) to log on to the BAP120.


BAP120 log on page

Country Code selection

7 Set the country code to the country in which the BAP120 is operating.

8 Select Administration > Quick Start from the main menu.


Administration and Quick Start menu

9 Set the Service Set ID.

10 Enable each Channel > Radio Setting.

Channel and Radio Setting page

11 Enable DHCP for IP Configuration > TCP/IP settings.

12 Set the security type, if required.

13 Click Submit to save your configuration.


14 Select Configuration > System > Administration and click Reboot to restart the BAP120.

—End—
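A check an administrator could run over their own provisioning records once the procedure above is complete. It is an added example, not part of the Nortel guide: the factory values are the ones this guide states, while the record field names (name, username, password, snmp_read, snmp_write, ip) and the sample fleet are constructed for illustration.

```python
from collections import Counter

# Factory values stated in this guide.
DEFAULT_USERNAME = "nnadmin"
DEFAULT_PASSWORD = "PlsChgMe!"
DEFAULT_READ_COMMUNITY = "PlsChgMe!RO"
DEFAULT_WRITE_COMMUNITY = "PlsChgMe!RW"
FALLBACK_IP = "192.168.1.136"  # address used when no DHCP server answers


def audit_device(record):
    """Return findings for one record (field names are hypothetical)."""
    findings = []
    if record["username"] == DEFAULT_USERNAME:
        findings.append("default username")
    if record["password"] == DEFAULT_PASSWORD:
        findings.append("default password")
    elif "plschgme" in record["password"].lower():
        # A suffix or case change on the factory value is still guessable.
        findings.append("password derived from default")
    if record["snmp_read"] == DEFAULT_READ_COMMUNITY:
        findings.append("default read community")
    if record["snmp_write"] == DEFAULT_WRITE_COMMUNITY:
        findings.append("default write community")
    if record["snmp_read"] == record["snmp_write"]:
        # Anyone holding the read string can then also write.
        findings.append("read and write community identical")
    if record["ip"] == FALLBACK_IP:
        findings.append("on DHCP fallback address")
    return findings


def audit_fleet(records):
    """Audit every record and flag addresses used by more than one device."""
    report = {r["name"]: audit_device(r) for r in records}
    per_ip = Counter(r["ip"] for r in records)
    for r in records:
        if per_ip[r["ip"]] > 1:
            report[r["name"]].append("address shared with another device")
    return report


# Constructed sample records, not taken from any real network.
SAMPLE_FLEET = [
    {"name": "ap-lobby", "username": "nnadmin", "password": "PlsChgMe!",
     "snmp_read": "PlsChgMe!RO", "snmp_write": "PlsChgMe!RW",
     "ip": "192.168.1.136"},
    {"name": "ap-lab", "username": "nnadmin", "password": "PlsChgMe!2024",
     "snmp_read": "mon-constructed", "snmp_write": "mon-constructed",
     "ip": "192.168.1.136"},
    {"name": "ap-office", "username": "wlan-ops",
     "password": "constructed-Passphrase-91",
     "snmp_read": "ro-constructed", "snmp_write": "rw-constructed",
     "ip": "192.168.1.20"},
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_FLEET).items():
        print(name, "->", findings or "no findings")
```

Two records on 192.168.1.136 at once mean that more than one access point failed to obtain a DHCP lease and they now collide on the fallback address.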


Troubleshooting

Use the procedures in this section to troubleshoot the BAP120.

Navigation

• "Troubleshooting when wireless clients cannot access the network" (page 41)

• "Troubleshooting when the BAP120 cannot be configured" (page 42)

• "Troubleshooting when WebUI does not display the left menu panel" (page 43)

• "Contacting the BAP120 if the log on details are lost" (page 43)

• "Troubleshooting when all other recovery measures fail" (page 44)

• "Troubleshooting when WebUI does not display accurate information" (page 44)

• "Troubleshooting when WebUI does not log on correctly" (page 44)

Troubleshooting when wireless clients cannot access the network

If wireless clients cannot access the network, perform the following checks.

Procedure steps

Step Action

1 Be sure the access point and the wireless clients are configured with the same Service Set ID (SSID).

2 If authentication or encryption is enabled, ensure that the wireless clients are properly configured with the appropriate authentication or encryption keys.

3 If authentication is being performed through a Remote Authentication Dial-in User Service (RADIUS) server, ensure that the authentication credentials and user information of the clients are properly configured on the RADIUS server.


4 If authentication is being performed through IEEE 802.1X, be sure the wireless users have installed and properly configured 802.1X client software.

5 If MAC address filtering is enabled, be sure the client’s address is included in the list of MAC addresses that are allowed to access the network in the local filtering database or on the RADIUS server database.

6 If the wireless clients are roaming between access points, make sure that all the access points and wireless devices in the Extended Service Set (ESS) are configured to the same SSID and authentication method.

—End—

Troubleshooting when the BAP120 cannot be configured

If the access point cannot be configured using a Web browser or SNMP software, perform the following checks.

Procedure steps

Step Action

1 If you are connecting to the access point through the wired Ethernet interface, check the network cabling between the management station and the access point.

2 Check that you have a valid network connection to the access point and that the Ethernet port or the wireless interface that you are using is not disabled.

3 If VLANs are enabled on the access point, the management station must be a member of the same VLAN with a VLAN ID that matches the access point management VLAN (default: VLAN 1). For further information, see "VLAN" (page 56).

4 If you are managing the access point from a wireless client, ensure that you have a valid connection to the access point and the AP Management Filter is disabled. For further information, see "AP management" (page 63).

—End—


Troubleshooting when WebUI does not display the left menu panel

If the WebUI does not display the left menu panel, perform the following checks.

Procedure steps

Step Action

1 Check that the Java Runtime Environment (JRE) is installed on your computer. If not, download the latest version from www.java.com.

2 Check that Java scripting and Java applet are enabled on each of the following:

• Web browser

• Firewall

• Software that controls Java behavior

Refer to the respective documentation for details on enabling Java scripting and Java applet.

—End—

Contacting the BAP120 if the log on details are lost

If you forgot or lost the password, perform the following steps.

Procedure steps

Step Action

1 Use the default username nnadmin and password PlsChgMe! to access the management interface.

2 If you still cannot access the management interface, set the access point to its default configuration by pressing the reset button on the back panel for 5 seconds or more, then repeat the previous step.

3 Download access point software with the version that is intended to run in the network.

4 Reboot the access point after software download.

5 Reconfigure the access point by manually provisioning it or by restoring it from a previously saved configuration file.

—End—


Troubleshooting when all other recovery measures fail

If all other recovery measures fail, and the access point is still not functioning properly, see "Contacting the BAP120 if the log on details are lost" (page 43).

Troubleshooting when WebUI does not display accurate information

To improve data access performance for Web sites that change infrequently, the Web browser caches the displayed information. However, BAP120 Web User Interface (WebUI) data can change frequently, for example, when making configuration changes.

If the WebUI is not displaying accurate information, perform the following steps.

Procedure steps

Step Action

1 In the browser application, click Shift + Refresh.

The displayed panel data is pulled from the network to display the current information in each window panel.

—End—

Troubleshooting when WebUI does not log on correctly

If your WebUI session has timed out and you experience difficulty either displaying panel data or logging on, perform the following steps.

Procedure steps

Step Action

1 Log off completely through the Administration menu located on the logoff submenu.

2 Log on to a new session.

—End—


System configuration management

Web User Interface description

The Business Access Point 120 offers a variety of configuration management options, including a Web User Interface (WebUI).

Use any of the following Web browsers to manage the BAP120:

• Internet Explorer 4.0 or above

• Firefox 1.0

Prerequisites

Prior to logging on, ensure the following:

• On your browser, enable Cascading Style Sheets (CSS) to ensure that all the WebUI pages display correctly.

• The Java Runtime Environment (JRE) is installed on your computer. Download the latest version from www.java.com.

• Java scripting and Java applet are enabled.

Starting the WebUI

Use the following procedure to open the BAP120 Web User Interface.

Procedure steps

Step Action

1 Select the BAP120 device from the list of network elements on the Element Manager tree.

2 Click the Web Page button on the Element Manager menu.

3 Enter the username and password to log on to the BAP120. The default values are nnadmin for the username and PlsChgMe! for the password.

—End—


WebUI navigation

The information in this chapter is organized to reflect the structure of the WebUI screens for easy reference. However, Nortel recommends that you configure a username and password as the first step under advanced configuration to control management access to this device. For further information, see "Administration" (page 64).

Menu

| Menu | Description | Page |
| --- | --- | --- |
| System | Configures basic administrative and client access | See "System identification" (page 48). |
| Identification | Specifies the host name | See "System identification" (page 48). |
| TCP / IP Settings | Configures the IP address, subnet mask, gateway, and domain name servers | See "TCP and IP settings" (page 48). |
| RADIUS | Configures the RADIUS server for wireless client authentication and accounting | See "RADIUS" (page 50). |
| Authentication | Configures MAC address authentication | See "Authentication" (page 52). |
| Filter Control | Filters communications between wireless clients, access to the management interface from wireless clients, and traffic matching specific Ethernet protocol types | See "Filter control" (page 55). |
| VLAN | Enables VLAN support and sets the management VLAN ID | See "Ethernet" (page 124). Type Filter—Enables or disables Ethernet filtering on the port. (Default: VLAN). |
| WDS Settings | Configures bridge or repeater modes for each radio interface and sets spanning tree parameters | See "WDS settings" (page 59). |
| AP Management | Configures access to management interfaces | See "AP management" (page 63). |
| Administration | Configures username and password for management access; upgrades software from local file, FTP or TFTP server; resets configuration settings to factory defaults; and resets the access point | See "Administration" (page 64). |
| System Log | Controls logging of error messages; sets the system clock by means of SNTP server or manual configuration | See "System log" (page 68). |
| SNMP | Controls access to this access point from management stations using SNMP, the hosts that receive trap messages, and SNMPv3 User settings | See "SNMP" (page 70). |
| SNMP Trap Filters | Defines trap filters for SNMPv3 users | See "Configuring SNMPv3 trap filters" (page 75). |
| SNMP Targets | Specifies SNMPv3 users that receive trap messages | See "Configuring SNMPv3 targets" (page 77). |
| Country Code | Sets the BAP120 to the regulations for the selected country. A reset of the BAP120 is required after the country-code is set. | See "Country Code selection" (page 37). |
| SLOT 0-Radio A | Configures the IEEE 802.11a interface | See "Radio interface" (page 78). |
| Radio Settings | Configures common radio signal parameters and other settings for each VAP interface | See "Slot 0 - Radio A (802.11a)" (page 79). |
| Security | Enables each virtual access point (VAP) interface, sets the Service Set Identifier (SSID), and configures wireless security (802.1x) | See "Security" (page 91). |
| SLOT 1-Radio G | Configures the IEEE 802.11b/g interface | See "Radio interface" (page 78). |
| Radio Settings | Configures common radio signal parameters and other settings for each VAP interface | See "Slot 0 - Radio G (802.11b/g)" (page 89). |
| Security | Enables each VAP interface, sets the SSID, and configures wireless security (802.1X) | See "Security" (page 91). |
| Status | Displays information about the access point and wireless clients | See "Status information" (page 106). |
| AP Status | Displays configuration settings for the basic system and the wireless interface | See "Access Point Status" (page 106). |
| Station Status | Shows the wireless clients currently associated with the access point | See "Station Status" (page 107). |
| Event Logs | Shows log messages stored in memory | See "Event Logs" (page 108). |

System identification

The system name for the access point can be left at its default setting. However, modifying this parameter can help you to more easily distinguish different devices in your network.

System identification

System Name—An alias for the access point, enabling the device to be uniquely identified on the network. (Default: Business Access Point BAP120; Range: 1-32 characters).

TCP and IP settings

Configuring the access point with an IP address is required to manage the access point.

Note: You can use the Web browser interface to access IP addressing only if the access point already has an IP address that is reachable through your network.


By default, the access point is automatically configured with IP settings from a Dynamic Host Configuration Protocol (DHCP) server. After you have network access to the access point, you can use the Web browser interface to modify the initial IP configuration, if needed.

Note: If there is no DHCP server on your network, or DHCP fails, the access point automatically starts up with a default IP address of 192.168.1.136.

TCP and IP settings

DHCP Client (Enable)—Select this option to obtain the IP settings for the access point from a DHCP server. The IP address, subnet mask, default gateway, and Domain Name Server (DNS) address are dynamically assigned to the access point by the network DHCP server. (Default: Enabled).

DHCP Client (Disable)—Select this option to manually configure a static address for the access point.

• IP Address: The IP address of the access point. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.

• Subnet Mask: The mask that identifies the host address bits used for routing to specific subnets.

• Default Gateway: The default gateway is the IP address of the router for the access point, which is used if the requested destination address is not on the local subnet.

• If you have management stations, DNS, RADIUS, or other network servers located on another subnet, type the IP address of the default gateway router in the text field provided. Otherwise, leave the address as all zeros (0.0.0.0).


• Primary and Secondary DNS Address: The IP address of DNS on the network. A DNS maps numerical IP addresses to domain names and can be used to identify network hosts by familiar names instead of the IP addresses.

• If you have one or more DNS servers located on the local network, type the IP addresses in the text fields provided. Otherwise, leave the addresses as all zeros (0.0.0.0). Note: These servers are for AP use and not for clients attaching to the AP.

RADIUS

Remote Authentication Dial-in User Service (RADIUS) is an authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of user credentials for each user that requires access to the network.

A primary RADIUS server must be specified for the access point to implement IEEE 802.1X network access control and Wi-Fi Protected Access (WPA) wireless security. A secondary RADIUS server can also be specified as a backup if the primary server fails or becomes inaccessible.

In addition, the configured RADIUS server can also act as a RADIUS Accounting server and receive user-session accounting information from the access point. RADIUS Accounting can be used to provide valuable information on user activity in the network.

Note: This guide assumes that you have already configured RADIUS servers to support the access point. Configuration of RADIUS server software is beyond the scope of this guide; for more information, see the documentation provided with the RADIUS server software.


RADIUS settings

MAC Address Format—MAC addresses can be specified in one of four formats: using no delimiter, with a single dash delimiter, with multiple dash delimiters, or with multiple colon delimiters.

VLAN ID Format—A VLAN ID (a number between 1 and 4094) can be assigned to each client after successful authentication using IEEE 802.1X and a central RADIUS server. The user VLAN IDs must be configured on the RADIUS server for each user authorized to access the network. VLAN IDs can be entered as hexadecimal numbers or as ASCII strings.

Primary Radius Server Setup—Configure the following settings to use RADIUS authentication on the access point.

• IP Address: Specifies the IP address or host name of the RADIUS server.


• Port: The UDP port number used by the RADIUS server for authentication messages. (Range: 1024-65535; Default: 1812)

• Key: A shared text string used to encrypt messages between the access point and the RADIUS server. Be sure that the same text string is specified on the RADIUS server. Do not use blank spaces in the string. (Maximum length: 255 characters)

• Timeout: Number of seconds the access point waits for a reply from the RADIUS server before resending a request. (Range: 1-60 seconds; Default: 5)

• Retransmit attempts: The number of times the access point tries to resend a request to the RADIUS server before authentication fails. (Range: 1-30; Default: 3)

• Accounting Port: The RADIUS Accounting server UDP port used for accounting messages. (Range: 0 or 1024-65535; Default: 0, disabled)

• Interim Update Timeout: The interval between transmitting accounting updates to the RADIUS server. (Range: 60-86400; Default: 3600 seconds)

Note: For the Timeout and Retransmit attempts fields, accept the default values unless you experience problems connecting to the RADIUS server over the network.

Secondary Radius Server Setup—Configure a secondary RADIUS server to provide a backup in case the primary server fails. The access point uses the secondary server if the primary server fails or becomes inaccessible. When the access point switches over to the secondary server, it periodically attempts to establish communication again with the primary server. If communication with the primary server is reestablished, the secondary server reverts to a backup role.

Authentication

Wireless clients can be authenticated for network access by checking their MAC address against the local database configured on the access point, or by using a database configured on a central RADIUS server. Alternatively, authentication can be implemented using the IEEE 802.1X network access control protocol.

A client’s MAC address provides relatively weak user authentication, because MAC addresses can be easily captured and used by another station to break into the network. Using 802.1X provides more robust user authentication by using usernames and passwords or digital certificates. You can configure the access point to use both MAC address and 802.1X authentication, with client station MAC authentication occurring prior to IEEE 802.1X authentication. However, it is better to choose one or the other, as appropriate.


Take note of the following points before configuring MAC address or 802.1X authentication:

• Use MAC address authentication for a small network with a limited number of users. MAC addresses can be manually configured on the access point itself without the need to set up a RADIUS server, but managing a large number of MAC addresses across many access points is very cumbersome. A RADIUS server can be used to centrally manage a larger database of user MAC addresses.

• Use IEEE 802.1X authentication for networks with a larger number of users and where security is the most important issue. When using 802.1X authentication, a RADIUS server is required in the wired network to centrally manage the credentials of the wireless clients. It also provides a mechanism for enhanced network security using dynamic encryption key rotation or Wi-Fi Protected Access (WPA).

Note: If you configure RADIUS MAC authentication together with 802.1X, RADIUS MAC address authentication is performed prior to 802.1X authentication. If RADIUS MAC authentication succeeds, then 802.1X authentication is performed. If RADIUS MAC authentication fails, 802.1X authentication is not performed.

System Authentication

MAC Authentication—You can configure a list of the MAC addresses for wireless clients that are authorized to access the network. This provides a basic level of authentication for wireless clients attempting to gain access to the network. A database of authorized MAC addresses can be stored locally on the access point or remotely on a central RADIUS server.


(Default: Disabled)

• Disabled: No checks are performed on an associating station MAC address.

• Local MAC: The MAC address of the associating station is compared against the local database stored on the access point. Use the Local MAC Authentication section of this Web page to set up the local database, and configure all access points in the wireless network service area with the same MAC address database.

• Radius MAC: The MAC address of the associating station is sent to a configured RADIUS server for authentication. When using a RADIUS authentication server for MAC address authentication, the server must first be configured in the Radius window. For further information, see "RADIUS" (page 50). The database of MAC addresses and filtering policy must be defined in the RADIUS server.

Note: MAC addresses on the RADIUS server can be entered in four different formats. For further information, see "RADIUS" (page 50).

Local MAC Authentication—Configures the local MAC authentication database. The MAC database provides a mechanism to take certain actions based on a wireless client’s MAC address. The MAC list can be configured to allow or deny network access to specific clients.

• System Default: Specifies a default action for all unknown MAC addresses (that is, those not listed in the local MAC database).

— Deny: Blocks access for all MAC addresses except those listed in the local database as Allow.

— Allow: Permits access for all MAC addresses except those listed in the local database as Deny.

• MAC Authentication Settings: Enters specified MAC addresses and permissions into the local MAC database.

— MAC Address: Physical address of a client. Enter six pairs of hexadecimal digits separated by hyphens; for example, 00-90-D1-12-AB-89.

— Permission: Select Allow to permit access or Deny to block access. If Delete is selected, the specified MAC address entry is removed from the database.

— Update: Enters the specified MAC address and permission setting into the local database.

• MAC Authentication Table: Displays current entries in the local MAC database.
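The MAC address formats listed under "RADIUS" and the local MAC database rules above, worked through as an added example that is not Nortel code. It accepts the four notations, applies the System Default to unlisted addresses, and runs the MAC check before 802.1X as the note above describes. The position of the single dash and all function names are assumptions; the second sample address is constructed.

```python
import re

# The four notations named under "MAC Address Format". Where the single dash
# sits (after the sixth hex digit) is an assumption; the page does not show it.
MAC_NOTATIONS = {
    "no delimiter": re.compile(r"[0-9A-Fa-f]{12}"),
    "single dash": re.compile(r"[0-9A-Fa-f]{6}-[0-9A-Fa-f]{6}"),
    "multiple dashes": re.compile(r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"),
    "multiple colons": re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"),
}


def normalize_mac(text):
    """Return the address as 12 upper-case hex digits, or raise ValueError."""
    candidate = text.strip()
    for pattern in MAC_NOTATIONS.values():
        if pattern.fullmatch(candidate):
            return candidate.replace("-", "").replace(":", "").upper()
    raise ValueError(f"unrecognised MAC notation: {text!r}")


class LocalMacTable:
    """Local MAC database: per-address Allow/Deny plus a System Default."""

    def __init__(self, system_default):
        if system_default not in ("Allow", "Deny"):
            raise ValueError("System Default must be 'Allow' or 'Deny'")
        self.system_default = system_default
        self.entries = {}

    def update(self, mac, permission):
        """Mirror the Update action: Allow, Deny, or Delete one entry."""
        key = normalize_mac(mac)
        if permission == "Delete":
            self.entries.pop(key, None)
        elif permission in ("Allow", "Deny"):
            self.entries[key] = permission
        else:
            raise ValueError(f"unknown permission: {permission!r}")

    def permits(self, mac):
        """Listed addresses use their own permission; others the default."""
        key = normalize_mac(mac)
        return self.entries.get(key, self.system_default) == "Allow"


def admit(mac, mac_mode, mac_check=None, dot1x_check=None):
    """Run the checks in the documented order and report which ones ran.

    mac_mode is "Disabled", "Local MAC" or "Radius MAC". mac_check is a
    callable taking the MAC (LocalMacTable.permits, or a stand-in for the
    RADIUS server's answer). dot1x_check is None when 802.1X is off.
    """
    ran = []
    if mac_mode != "Disabled":
        ran.append(mac_mode)
        if not mac_check(mac):
            return False, ran  # MAC failure: 802.1X is never attempted
    if dot1x_check is not None:
        ran.append("802.1X")
        if not dot1x_check():
            return False, ran
    return True, ran


if __name__ == "__main__":
    table = LocalMacTable(system_default="Deny")
    table.update("00-90-D1-12-AB-89", "Allow")  # example address from the page
    # The second station address is constructed.
    for station in ("0090d1-12ab89", "02:00:00:00:00:01"):
        print(station, admit(station, "Local MAC", table.permits, lambda: True))
```

Normalizing before comparison is what lets an entry typed with hyphens match the same address reported in another notation.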


Filter control

The access point can employ network traffic frame filtering to control access to network resources and increase security. You can prevent communications between wireless clients and prevent access point management from wireless clients. Also, you can block specific Ethernet traffic from being forwarded by the access point.

Filter control

Inter Client STAs Communication Filter—Sets the global mode for wireless-to-wireless communications between clients associated to Virtual AP (VAP) interfaces on the access point. (Default: Disable)

• Disabled: All clients can communicate with each other through the access point.

• Prevent Intra VAP client communication: When enabled, clients associated with a specific VAP interface cannot establish wireless communications with each other. Clients can communicate with clients associated to other VAP interfaces.

• Prevent Inter and Intra VAP client communication: When enabled, clients cannot establish wireless communications with any other client, either those associated to the same VAP interface or any other VAP interface.

AP Management Filter—Controls management access to the access point from wireless clients. Management interfaces include the Web or SNMP. (Default: Disabled)

• Disabled: Allows management access from wireless clients.

• Enabled: Blocks management access from wireless clients.


Uplink Port MAC Address Filtering Status—Allows traffic with specified source MAC addresses to be forwarded to wireless clients through the access point. You can add a maximum of eight MAC addresses to the filter table. When MAC address filtering is enabled, only traffic with a source address specified in the filtering table is forwarded to the wireless clients. (Default: Disabled)

• MAC Address: Specifies a MAC address to filter, in the form xx-xx-xx-xx-xx-xx.

• Permission: Adds or deletes a MAC address from the filtering table.

Ethernet Type Filter—Controls checks on the Ethernet type of all incoming and outgoing Ethernet packets against the protocol filtering table. (Default: Disabled)

• Disabled: Access point does not filter Ethernet protocol types.

• Enabled: Access point filters Ethernet protocol types based on the configuration of protocol types in the filter table. If the status of a protocol is set to ON, the protocol is filtered from the access point.

Note: Ethernet protocol types not listed in the filtering table are always forwarded by the access point.

VLAN

The access point can employ VLAN tagging support to control access to network resources and increase security. VLANs separate traffic passing between the access point, associated clients, and the wired network. There can be a VLAN assigned to each associated client, a default VLAN for each VAP (Virtual Access Point) interface, and a management VLAN for the access point.

Note the following points about the VLAN support for the access point:

• The management VLAN is for managing the access point through remote management tools, such as the Web interface or SNMP. The access point only accepts management traffic that is tagged with the specified management VLAN ID.

• If VLAN classification is enabled, a VLAN ID is assigned to the wireless clients associated to the access point:

— When 802.1X is used to authenticate a wireless client, the VLAN ID of the wireless client can be configured on the RADIUS server and returned to the access point.

— If the RADIUS server does not assign a VLAN ID or if 802.1X authentication is not used, then a default VLAN ID is assigned to the wireless client. This assignment is based on the configuration of the associated wireless client VAP. For further information, see "Configuring VAP radio settings" (page 79).

VLAN ID to service set ID assignment

• All wireless clients associated to the access point are assigned to a VLAN. If IEEE 802.1X is being used to authenticate wireless clients, specific VLAN IDs can be configured on the RADIUS server to be assigned to each client. If a client is not assigned to a specific VLAN or if 802.1X is not used, the client is assigned to the default VLAN for the VAP interface with which it is associated. The access point only allows traffic tagged with assigned VLAN IDs or default VLAN IDs to access clients associated on each VAP interface.

• When VLAN support is enabled on the access point, traffic passed to the wired network is tagged with the appropriate VLAN ID, either an assigned client VLAN ID, default VLAN ID, or the management VLAN ID. Traffic received from the wired network must also be tagged with one of these known VLAN IDs. Received traffic that has an unknown VLAN ID or no VLAN tag is dropped.

• When VLAN support is disabled, the access point does not tag traffic passed to the wired network and ignores the VLAN tags on any received frames.


Note: Before enabling VLAN tagging on the access point, be sure to configure the attached network switch port to support tagged VLAN frames from the access point management VLAN ID, default VLAN IDs, and other client VLAN IDs. Otherwise, connectivity to the access point is lost when you enable the VLAN feature.

Using IEEE 802.1X and a central RADIUS server, up to 64 VLAN IDs can be mapped to specific wireless clients, so users can remain within the same VLAN as they move around a campus site. This feature can also be used to control access to network resources from clients, thereby improving security.

A VLAN ID (1-4094) can be assigned to a client after successful IEEE 802.1X authentication. The client VLAN IDs must be configured on the RADIUS server for each user authorized to access the network. If a client does not have a configured VLAN ID on the RADIUS server, the access point assigns the client to the configured default VLAN ID for the VAP interface.

Note: When using IEEE 802.1X to dynamically assign VLAN IDs, the access point must have 802.1X authentication enabled and a RADIUS server configured. Wireless clients must also support 802.1X client software.

When setting up VLAN IDs for each user on the RADIUS server, be sure to use the RADIUS attributes and values as indicated in the following table:

RADIUS attributes and values

Number  RADIUS attribute         Value
64      Tunnel-Type              VLAN (13)
65      Tunnel-Medium-Type       802
81      Tunnel-Private-Group-ID  VLANID (1 to 4094 as hexadecimal or string)

VLAN IDs on the RADIUS server can be entered as hexadecimal digits or a string.

Note: The specific configuration of RADIUS server software is beyond the scope of this guide. For more information, see the documentation provided with the RADIUS server software.
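The following added example (not from the Nortel manual) shows how the three attributes in the table appear in a RADIUS attribute list and how a VLAN ID is read back out of them, with the fall-back to the VAP default VLAN described above. The attribute layouts follow RFC 2868 and the code takes 6 as the RFC 2868 value for the 802 medium type; the function names are hypothetical, the sample reply is constructed, and only the decimal-string form of the VLAN ID is handled.

```python
# Added example: decode the VLAN-assignment attributes from the table above.
# Layouts per RFC 2868; VLAN (13) and IEEE-802 (6) are the values used for 802.1X VLANs.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TYPE_VLAN = 13
MEDIUM_IEEE_802 = 6


def encode_tagged_int(attr_type, value, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type: type, length 6, 1-byte tag, 3-byte value."""
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def encode_group_id(vlan_text, tag=0):
    """Tunnel-Private-Group-ID: type, length, optional tag byte, then the string."""
    body = (bytes([tag]) if tag else b"") + vlan_text.encode("ascii")
    return bytes([TUNNEL_PRIVATE_GROUP_ID, len(body) + 2]) + body


def parse_attributes(blob):
    """Split an attribute list into {type: value bytes}, keeping the first of each type."""
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(attr_type, blob[i + 2:i + length])
        i += length
    return attrs


def tagged_int(value):
    """Return the 3-byte integer that follows the tag byte."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must carry 4 value bytes")
    return int.from_bytes(value[1:], "big")


def assigned_vlan(blob, default_vlan):
    """VLAN ID carried in the reply, or default_vlan when no VLAN is assigned.

    Raising on an out-of-range ID is this example's choice, so that a bad
    RADIUS entry is noticed; it is not a statement about access point behaviour.
    """
    attrs = parse_attributes(blob)
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if any(t not in attrs for t in needed):
        return default_vlan
    if tagged_int(attrs[TUNNEL_TYPE]) != TYPE_VLAN:
        return default_vlan
    if tagged_int(attrs[TUNNEL_MEDIUM_TYPE]) != MEDIUM_IEEE_802:
        return default_vlan
    group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    if group and group[0] <= 0x1F:  # a leading byte <= 0x1F is a tag, not text
        group = group[1:]
    text = group.decode("ascii", errors="replace")
    if not text.isdigit() or not 1 <= int(text) <= 4094:
        raise ValueError(f"Tunnel-Private-Group-ID {text!r} is not a VLAN ID in 1-4094")
    return int(text)


# Constructed sample: the attribute portion of a reply assigning VLAN 30.
SAMPLE_ACCEPT = (
    encode_tagged_int(TUNNEL_TYPE, TYPE_VLAN)
    + encode_tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
    + encode_group_id("30")
)

if __name__ == "__main__":
    print(assigned_vlan(SAMPLE_ACCEPT, default_vlan=1))
```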


VLAN

VLAN Classification—Enables or disables VLAN tagging support on the access point.

Native VLAN ID—The VLAN ID that traffic must have to be able to manage the access point. (Range 1-4094; Default: 1)

WDS settings

Each access point radio interface can be configured to operate in a bridge or repeater mode, which allows it to forward traffic directly to other access point units. To set up bridge links between access point units, you must configure the Wireless Distribution System (WDS) forwarding table by specifying the wireless MAC address of all units to which you want to forward traffic. Up to six WDS bridge or repeater links can be specified for each unit in the wireless bridge network.

The Spanning Tree Protocol (STP) can be used to detect and disable network loops, and to provide backup links between bridges. Using the STP, a wireless bridge can interact with other bridging devices (that is, an STP-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links, which automatically take over when a primary link goes down.


WDS settings

WDS Bridge—Up to six WDS bridge or repeater links (MAC addresses) per radio interface can be specified for each unit in the wireless bridge network. One unit must be configured as the root bridge in the wireless network. The root bridge is the unit connected to the main core of the wired LAN. Other bridges need to specify one Parent link to the root bridge or to a bridge connected to the root bridge. The other five WDS links are available as Child links to other bridges.

• Bridge Role—Each radio interface can be set to operate in one of the following four modes: (Default: AP)

— Access Point (AP): Operates as an access point for wireless clients, providing connectivity to a wired LAN.


— Bridge: Operates as a bridge to other access points. The Parent link to the root bridge must be configured. Up to five other Child links are available to other bridges.

— Repeater: Operates as a wireless repeater, extending the range for remote wireless clients and connecting them to the root bridge. The Parent link to the root bridge must be configured. In this mode, traffic is not forwarded to the Ethernet port from the radio interface.

— Root Bridge: Operates as the root bridge in the wireless bridge network. Up to six Child links are available to other bridges in the network.

• Bridge Parent—The physical layer address of the root bridge unit or the bridge unit connected to the root bridge. (12 hexadecimal digits in the form xx-xx-xx-xx-xx-xx)

• Bridge Child—The physical layer address of other bridge units for which this unit serves as the bridge parent or the root bridge. Note that the first entry under the list of child nodes is reserved for the root bridge, and can only be configured if the role is set to Root Bridge. (12 hexadecimal digits in the form xx-xx-xx-xx-xx-xx)

Spanning Tree Protocol—STP uses a distributed algorithm to select a bridging device (STP-compliant switch, bridge or router) that serves as the root of the spanning tree network. It selects a root port on each bridging device (except for the root device), which incurs the lowest path cost when forwarding a packet from that device to the root device. Then it selects a designated bridging device from each LAN, which incurs the lowest path cost when forwarding a packet from that LAN to the root device. All ports connected to designated bridging devices are assigned as designated ports. After determining the lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops.

After a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the root bridge is down. This bridge then initiates negotiations with other bridges to reconfigure the network to reestablish a valid network topology.

• Bridge—Enables/disables STP on the wireless bridge or repeater. (Default: Disabled)

• Bridge Priority—Used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STP root device. However, if all devices have the same priority, the device with the lowest MAC address then becomes the root device. (Note that lower numeric values indicate higher priority.)

— Range: 0-65535

— Default: 32768

• Bridge Max Age—The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) must receive configuration messages at regular intervals. Any port that ages out STP information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. (Range: 6-40 seconds)

— Default: 20

— Minimum: The higher of 6 or [2 x (Hello Time + 1)].

— Maximum: The lower of 40 or [2 x (Forward Delay - 1)]

• Bridge Hello Time—Interval (in seconds) at which the root device transmits a configuration message. (Range: 1-10 seconds)

— Default: 2

— Minimum: 1

— Maximum: The lower of 10 or [(Max. Message Age / 2) - 1]

• Bridge Forwarding Delay—The maximum time (in seconds) this device waits before changing states (that is, discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that can make it return to a discarding state; otherwise, temporary data loops might result. (Range: 4-30 seconds)

— Default: 15

— Minimum: The higher of 4 or [(Max. Message Age / 2) + 1]

— Maximum: 30

• Link Path Cost—This parameter is used by the STP to determine the best path between devices. Therefore, lower values must be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.)

— Range: 1-65535

— Default: Ethernet interface: 19; Wireless interface: 40


• Link Port Priority—Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) is configured as an active link in the spanning tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier is enabled.

— Default: 128

— Range: 0-240, in steps of 16
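The STP parameters above constrain one another, and the root device is decided by priority and then MAC address, so a planned set of values can be checked before it is entered. The following added example (not from the Nortel manual) validates a timer set against the stated ranges and formulas and shows which unit wins the root election; the function names are hypothetical and the bridge list is constructed.

```python
# Added example: sanity-check STP settings against the ranges and formulas above.

def parse_mac(text):
    """'xx-xx-xx-xx-xx-xx' -> 6 bytes, the form used throughout the WebUI."""
    parts = text.split("-")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {text!r}")
    return bytes.fromhex("".join(parts))


def check_stp_timers(hello=2, max_age=20, forward_delay=15):
    """Return a list of problems; empty means the three timers are consistent.

    The Hello Time maximum and Forwarding Delay minimum given in the text are
    the same two inequalities on Max Age, solved for the other variable.
    """
    problems = []
    if not 1 <= hello <= 10:
        problems.append(f"Hello Time {hello} outside 1-10")
    if not 6 <= max_age <= 40:
        problems.append(f"Max Age {max_age} outside 6-40")
    if not 4 <= forward_delay <= 30:
        problems.append(f"Forwarding Delay {forward_delay} outside 4-30")
    lowest = max(6, 2 * (hello + 1))
    highest = min(40, 2 * (forward_delay - 1))
    if max_age < lowest:
        problems.append(f"Max Age {max_age} below 2 x (Hello Time + 1) = {lowest}")
    if max_age > highest:
        problems.append(f"Max Age {max_age} above 2 x (Forward Delay - 1) = {highest}")
    return problems


def check_link(bridge_priority=32768, path_cost=40, port_priority=128):
    """Range checks for Bridge Priority, Link Path Cost and Link Port Priority."""
    problems = []
    if not 0 <= bridge_priority <= 65535:
        problems.append(f"Bridge Priority {bridge_priority} outside 0-65535")
    if not 1 <= path_cost <= 65535:
        problems.append(f"Link Path Cost {path_cost} outside 1-65535")
    if not 0 <= port_priority <= 240 or port_priority % 16:
        problems.append(f"Link Port Priority {port_priority} not 0-240 in steps of 16")
    return problems


def elect_root(bridges):
    """bridges: (name, priority, mac). Lowest priority value wins, then lowest MAC."""
    return min(bridges, key=lambda b: (b[1], parse_mac(b[2])))[0]


# Constructed topology: every unit left at the default priority of 32768.
ALL_DEFAULT = [
    ("core-root", 32768, "00-90-D1-12-AB-89"),
    ("warehouse", 32768, "00-90-D1-12-AB-10"),
    ("annex", 32768, "00-90-D1-12-AC-01"),
]
# Same topology with the intended root given a lower priority value.
ROOT_PINNED = [("core-root", 4096, "00-90-D1-12-AB-89")] + ALL_DEFAULT[1:]

if __name__ == "__main__":
    print(check_stp_timers())                 # defaults are consistent
    print(check_stp_timers(hello=10))         # Max Age 20 is now too small
    print(elect_root(ALL_DEFAULT), elect_root(ROOT_PINNED))
```

With every unit at the default priority the election falls to the lowest MAC address, which need not be the unit wired to the LAN core; giving the intended root a lower priority value makes the outcome deliberate.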

AP management

The Web and SNMP management interfaces are enabled and open to all IP addresses by default. To provide more security for management access to the access point, specific interfaces can be disabled and management restricted to a single IP address or a limited range of IP addresses.

After you specify an IP address or range of addresses, access to management interfaces is restricted to the specified addresses. If anyone tries to access a management interface from an unauthorized address, the access point rejects the connection.

AP management

UI Management—Enables or disables management access through the Web (HTTP), or SNMP interfaces. (Default: Enabled)

IP Management—Restricts management access to Web and SNMP interfaces to specified IP addresses. (Default: Any IP)

• Any IP: Indicates that any IP address is allowed management access.

• Single IP: Specifies a single IP address that is allowed management access.


• Multiple IP: Specifies an address range as defined by the entered IP address and subnet mask. For example, IP address 192.168.1.6 and subnet mask 255.255.255.0, defines all IP addresses from 192.168.1.1 to 192.168.1.254.

Administration

Changing the password

Management access to the Web on the access point is controlled through a single username and password. You can also gain additional access security by using control filters (For further information, see "Filter control" (page 55)).

To protect access to the management interface, you need to configure an Administrator username and password as soon as possible. If the username and password are not configured, then anyone having access to the access point can compromise the access point and network security.

Note: Pressing the Reset button on the back of the access point for more than five seconds resets the username and password to the factory defaults. For this reason, Nortel recommends that you protect the access point from physical access by unauthorized persons.

ATTENTION
The Reset button should be used as a last resort for resetting the access point. Nortel recommends that you use the reset options that are available through the WebUI.

Changing the password

Username—The name of the user. The default name is nnadmin. (Length: 3-16 characters, case sensitive).

New Password—The password for management access. (Length: 3-16 characters, case sensitive).

Confirm New Password—Enter the password again for verification.

Note: Submit an empty password to reset to the default password (PlsChgMe!).


Setting the timeout interval

You can set the timeout interval for Web access to the unit, after which the user must reenter the username and password.

Setting the timeout interval

Session Timeout for WEB—Sets the time limit for an idle Web interface session. (Range: 0-1800 seconds; Default: 60 seconds; 0 is disabled)

Upgrading Firmware

You can upgrade new access point software from a local file on the management workstation, or from an FTP or TFTP server. New software can be provided periodically from your distributor.

After upgrading new software, you must reboot the access point to implement the new code. Until a reboot occurs, the access point continues to run the software it used before the upgrade started.

Upgrading Firmware


Before upgrading new software, verify that the access point is connected to the network and is configured with a compatible IP address and subnet mask.

If you need to download from an FTP or TFTP server, take the following additional steps:

• Obtain the IP address of the FTP or TFTP server where the access point software is stored.

• If upgrading from an FTP server, be sure that you have an account configured on the server with a username and password.

• If VLANs are configured on the access point, ensure the VLAN ID with which the FTP or TFTP server is associated is the same VLAN ID that is configured for the access point and the management station. If you are managing the access point from a wireless client, the VLAN ID for the wireless client must be configured on a RADIUS server.

• Perform local disk file upgrade in addition to FTP and TFTP methods.

Current version—Version number of runtime code.


Firmware Upgrade Local—Downloads an operation code image file from the Web management station to the access point using HTTP. Use the Browse button to locate the image file locally on the management station and click Start Upgrade to proceed.

• New firmware file: Specifies the name of the code file on the server. The new firmware file name must be bap120.bin.

Firmware Upgrade Remote—Downloads an operation code image file from a specified remote FTP or TFTP server. After filling in the following fields, click Start Upgrade to proceed.

• New firmware file: Specifies the name of the code file on the server. The new firmware file name must be bap120.bin.

• IP Address: IP address or host name of FTP or TFTP server.

• Username: The user ID used for logging on to an FTP server.

• Password: The password used for logging on to an FTP server.

Configuration File Backup/Restore—Uploads the current access point configuration file to a specified remote FTP or TFTP server. A configuration file can also be downloaded to the access point to restore a specific configuration.

• Export/Import: Select Export to upload a file to an FTP/TFTP server. Select Import to download a file from an FTP/TFTP server.

• Config file: Specifies the name of the configuration file. A path on the server can be specified using “/” in the name, providing the path already exists; for example, myfolder/syscfg. Other than to indicate a path, the file name must not contain any slashes (\ or /), the leading letter cannot be a period (.), and the maximum length for file names on the FTP/TFTP server is 255 characters. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

• IP Address: IP address or host name of FTP or TFTP server.

• Username: The user ID used for logging on to an FTP server.

• Password: The password used for logging on to an FTP server.

Restore Factory Settings—Click the Restore button to reset the configuration settings for the access point to the factory defaults and reboot the system. Note that all user configured information including country code setting is lost. You must reenter the default username (nnadmin) to regain management access to this device.

Reboot Access Point—Click the Reset button to reboot the system.

Note: If you have upgraded system software, then you must reboot the access point to implement the new operation code. New software that is incompatible with the current configuration automatically restores the access point to default values when first activated after a reboot.

Upon upgrading to new system software, you are prompted to either restore factory settings, or reboot the unit.

System log

The access point can be configured to send event and error messages to a System Log Server. The system clock can also be synchronized with a time server, so that all the messages sent to the Syslog server are stamped with the correct time and date.

System log

Enabling system logging

The access point supports a logging process that can control error messages saved to memory or sent to a Syslog server. The logged messages serve as a valuable tool for isolating access point and network problems.

System Log Setup—Enables the logging of error messages. (Default: Disable)

Server (1-4)—Enables the sending of log messages to a Syslog server host. Up to four Syslog servers are supported on the access point. (Default: Disable)

Server Name/IP—The IP address or name of a Syslog server. (Default: 0.0.0.0)


UDP Port—The UDP port used by a Syslog server. (Range: 514 or 11024-65535; Default: 514)

Logging Console—Enables the logging of error messages to the console. (Default: Disable)

Logging Level—Sets the minimum severity level for event logging. (Default: Informational)

Specify a minimum severity level to limit the messages that are logged by the system. The following table lists the error message levels from the most severe (Emergency) to least severe (Debug). The message levels that are logged include the specified minimum level up to the Emergency level.

Error message levels

Error level    Description
Emergency      System unusable
Alerts         Immediate action needed
Critical       Critical conditions (for example, memory allocation, or free memory error - resource exhausted)
Error          Error conditions (for example, invalid input, default used)
Warning        Warning conditions (for example, return false, unexpected return)
Notice         Normal but significant condition, such as cold start
Informational  Informational messages only
Debug          Debugging messages

Note: The access point error log can be viewed using the Event Logs window in the Status section (For further information, see "Event Logs" (page 108)). The Event Logs window displays the last 128 messages logged in chronological order, from the newest to the oldest. Log messages saved in the access point memory are erased when the device is rebooted.

Logging Facility Type—Sets the facility type for remote logging of syslog messages. The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it can be used by the syslog server to sort messages or to store messages in the corresponding database. (Range: 16-23; Default: 16)
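On the receiving Syslog server, the facility type and severity level arrive combined in the RFC 3164 priority header, where the value in angle brackets is facility x 8 + severity. The following added example (not from the Nortel manual) decodes that header using the level names from the table above and sorts received lines by the configured facility and a chosen alert level; the function names are hypothetical and the sample lines are constructed, not captured from an access point.

```python
# Added example: decode the RFC 3164 <PRI> header and triage received lines.
import re

# Level names from the table above, most severe first (index = severity code).
SEVERITIES = ["Emergency", "Alerts", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, level name) from the leading <PRI> of a syslog line."""
    match = PRI_RE.match(line)
    if not match:
        raise ValueError("no <PRI> header")
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest defined value
        raise ValueError(f"priority {pri} out of range")
    facility, severity = divmod(pri, 8)
    return facility, SEVERITIES[severity]


def logged_levels(minimum):
    """Levels logged for a given Logging Level: the minimum up to Emergency."""
    return SEVERITIES[:SEVERITIES.index(minimum) + 1]


def triage(lines, facility=16, alert_at="Warning"):
    """Sort lines into alert / routine / unexpected.

    'unexpected' collects lines with no valid header or with a facility other
    than the one configured as Logging Facility Type (16-23, default 16).
    """
    report = {"alert": [], "routine": [], "unexpected": []}
    wanted = logged_levels(alert_at)
    for line in lines:
        try:
            line_facility, level = decode_pri(line)
        except ValueError:
            report["unexpected"].append(line)
            continue
        if line_facility != facility:
            report["unexpected"].append(line)
        elif level in wanted:
            report["alert"].append(line)
        else:
            report["routine"].append(line)
    return report


# Constructed sample lines; the message text is a placeholder.
SAMPLE_LINES = [
    "<134>Aug 10 12:00:01 ap-lobby constructed informational message",  # 16*8+6
    "<131>Aug 10 12:00:05 ap-lobby constructed error message",          # 16*8+3
    "<132>Aug 10 12:00:07 ap-lobby constructed warning message",        # 16*8+4
    "<38>Aug 10 12:00:09 other-host constructed message",               # facility 4
    "line without a priority header",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LINES).items():
        print(bucket, len(items))
```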


Configuring SNTP

Using Simple Network Time Protocol (SNTP), the access point can set its internal clock based on periodic updates from a time server (SNTP or NTP). By maintaining an accurate time on the access point, the system log can record meaningful dates and times for event entries. If the clock is not set, the access point only records the time from the factory default set at the last bootup.

The access point acts as an SNTP client, periodically sending time synchronization requests to specific time servers. You can configure up to two time server IP addresses. The access point attempts to poll each server in the configured sequence.

SNTP Server—Configures the access point to operate as an SNTP client. When enabled, at least one time server IP address must be specified.

• Primary Server: The IP address of an SNTP or NTP time server that the access point attempts to poll for a time update.

• Secondary Server: The IP address of a secondary SNTP or NTP time server. The access point first attempts to update the time from the primary server; if this fails it attempts an update from the secondary server.

Note: Using the access point, you can also disable SNTP and set the system clock manually.

Set Time Zone—SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours your time zone is located before (east) or after (west) UTC.

Enable Daylight Saving—The access point provides a way to automatically adjust the system clock for Daylight Saving Time changes. To use this feature you must define the month and date to begin and to end the change from standard time. During this period, the system clock is set forward by one hour.

SNMP

Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers, and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.


Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device. These objects are defined in a Management Information Base (MIB) that provides a standard presentation of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network.

The access point includes an onboard agent that supports SNMP versions 1, 2c, and 3 clients. This agent continuously monitors the status of the access point, as well as the traffic passing to and from wireless clients. A network management station can access this information using SNMP management software that is compliant with MIB II. To implement SNMP management, the access point must first have an IP address and subnet mask, configured either manually or dynamically. Access to the onboard agent using SNMP v1 and v2c is controlled by community strings. To communicate with the access point, the management station must first submit a valid community string for authentication.

Access to the access point using SNMP v3 provides additional security features that cover message integrity, authentication, and encryption; as well as controlling notifications that are sent to specified user targets.

Configuring SNMP and Trap message parameters

The access point SNMP agent must be enabled to function (for versions 1, 2c, and 3 clients). Management access using SNMP v1, v2c, and v3 also requires community strings to be configured for authentication. Trap notifications can be enabled and sent to up to four management stations.

Configuring SNMP and Trap message parameters


SNMP—Enables or disables SNMP management access and also enables the access point to send SNMP traps (notifications). (Default: Enable)

Location—A text string that describes the system location. (Maximum length: 255 characters)

Contact—A text string that describes the system contact. (Maximum length: 255 characters)

Community Name (Read Only)—Defines the SNMP community access string that has read-only access. Authorized management stations are only able to retrieve MIB objects. (Maximum length: 23 characters, case sensitive; Default: PlsChgMe!RO)

Community Name (Read/Write)—Defines the SNMP community access string that has read/write access. Authorized management stations are able to both retrieve and modify MIB objects. (Maximum length: 23 characters, case sensitive; Default: PlsChgMe!RW)

Trap Destination (1 to 4)—Enables recipients (up to four) of SNMP notifications.

• Trap Destination IP Address—Specifies the recipient of SNMP notifications. Enter the IP address or the host name. (Host Name: 1 to 63 characters, case sensitive)

• Trap Destination Community Name—The community string sent with the notification operation. (Maximum length: 23 characters, case sensitive; Default: PlsChgMe!RO)

Engine ID—Sets the engine identifier for the SNMPv3 agent that resides on the access point. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets. A default engine ID is automatically generated that is unique to the access point. (Range: 10 to 64 hexadecimal characters)

Note: If the local engine ID is deleted or changed, all SNMP users are cleared. All existing users need to be reconfigured. If you want to change the default engine ID, change it first before configuring other SNMP v3 parameters.

Trap Configuration

Trap Configuration—Allows selection of specific SNMP notifications to send. The following items are available:

• sysSystemUp - The access point is up and running.

• sysSystemDown - The access point is about to shut down and reboot.

• sysRadiusServerChanged - The access point has changed from the primary RADIUS server to the secondary, or from the secondary to the primary.

• sysConfigFileVersionChanged - The access point configuration file has been changed.

• dot11StationAssociation - A client station has successfully associated with the access point.

• dot11StationReAssociation - A client station has successfully reassociated with the access point.

• dot11StationAuthentication - A client station has been successfully authenticated.

• dot11StationRequestFail - A client station has failed association, reassociation, or authentication.

• dot11InterfaceBFail - The 802.11b/g interface has failed.

• dot11InterfaceAFail - The 802.11a or 802.11b/g interface has failed.

• dot1xMacAddrAuthSuccess - A client station has successfully authenticated its MAC address with the RADIUS server.

• dot1xMacAddrAuthFail - A client station has failed MAC address authentication with the RADIUS server.

• dot1xAuthNotInitiated - A client station did not initiate 802.1X authentication.

• dot1xAuthSuccess - An 802.1X client station has been successfully authenticated by the RADIUS server.

• dot1xAuthFail - An 802.1X client station has failed RADIUS authentication.

• dot1xSuppAuthenticated - A supplicant station has been successfully authenticated by the RADIUS server.

• localMacAddrAuthSuccess - A client station has successfully authenticated its MAC address with the local database on the access point.

• localMacAddrAuthFail - A client station has failed authentication with the local MAC address database on the access point.

• iappStationRoamedFrom - A client station has roamed from another access point (identified by its IP address).

• iappStationRoamedTo - A client station has roamed to another access point (identified by its IP address).

• iappContextDataSent - A client station’s Context Data has been sent to another access point with which the station has associated.

• sntpServerFail - The access point has failed to set the time from the configured SNTP server.

• wirelessExternalAntenna - An external antenna has been enabled.

• dot11WirelessStationDeauthenticate - A client station has deauthenticated from the network.

• dot11StationDisassociate - A client station no longer associates with the network.

• dot11StationAuthenticateFail - A client station has tried and failed to authenticate to the network.

• Enable All Traps - Click the button to enable all the available traps.

• Disable All Traps - Click the button to disable all the available traps.

Configuring SNMPv3 users

The access point allows up to 10 SNMP v3 users to be configured. Each user must be defined by a unique name, assigned to one of three predefined security groups, and configured with specific authentication and encryption settings.

Configuring SNMPv3 users

New User—The SNMPv3 username. (32 characters maximum)

Group—The SNMPv3 group name. (Options: RO, RWAuth, or RWPriv; Default: RO)

• RO—Read-only access.

• RWAuth—Read/write access with user authentication.

• RWPriv—Read/write access with both user authentication and data encryption.

Auth Type—The authentication type used for the SNMP user; either MD5 or none. When MD5 is selected, enter a password in the corresponding Passphrase field.

Priv Type—The data encryption type used for the SNMP user; either DES or none. When DES is selected, enter a key in the corresponding Passphrase field.

Passphrase—The password or key associated with the authentication and privacy settings. A minimum of eight plain text characters is required.

Action—Click the Add button to add a new user to the list. Click the edit button to change details of an existing user. Click the Del button to remove a user from the list.

Note: Users must be assigned to groups that have the same security levels. For example, a user who has Auth Type and Priv Type configured to MD5 and DES respectively (that is, it uses both authentication and data encryption) must be assigned to the RWPriv group. If this same user is instead assigned to the read-only (RO) group, the user cannot access the database.
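The community-string defaults and the group rule in the note above lend themselves to an automated check. This added example (not part of the manual) audits SNMP settings transcribed from the WebUI; the dictionary layout and the sample values are constructed, and treating the RO group as "no authentication, no encryption" is an inference from the note rather than something the manual states.

```python
DEFAULT_COMMUNITIES = {"PlsChgMe!RO", "PlsChgMe!RW"}  # defaults listed in the manual

# (Auth Type, Priv Type) each predefined group expects. RWPriv is the manual's
# own example; RWAuth follows its description; RO as none/none is an inference.
GROUP_LEVEL = {
    "RO": ("none", "none"),
    "RWAuth": ("MD5", "none"),
    "RWPriv": ("MD5", "DES"),
}


def audit_snmp(cfg):
    """Return (code, detail) findings for a transcribed SNMP configuration."""
    findings = []

    def check_community(label, value):
        if value in DEFAULT_COMMUNITIES:
            findings.append(("default-community", label))
        if len(value) > 23:  # field maximum given in the manual
            findings.append(("community-too-long", label))

    check_community("read-only", cfg["community_ro"])
    check_community("read/write", cfg["community_rw"])
    if cfg["community_ro"] == cfg["community_rw"]:
        findings.append(("ro-equals-rw", "read-only string also grants write"))
    for n, trap in enumerate(cfg.get("trap_destinations", []), start=1):
        check_community("trap destination %d" % n, trap["community"])

    users = cfg.get("users", [])
    if len(users) > 10:  # the access point allows up to 10 SNMP v3 users
        findings.append(("too-many-users", str(len(users))))
    seen = set()
    for user in users:
        name = user["name"]
        if name in seen:
            findings.append(("duplicate-user", name))
        seen.add(name)
        if len(name) > 32:
            findings.append(("name-too-long", name))
        level = (user["auth"], user["priv"])
        expected = GROUP_LEVEL.get(user["group"])
        if expected is None:
            findings.append(("unknown-group", name))
        elif expected != level:
            # The manual's note: such a user cannot access the database.
            findings.append(("group-mismatch", name))
        if level != ("none", "none") and len(user.get("passphrase", "")) < 8:
            findings.append(("short-passphrase", name))
    return findings


# Constructed sample: what a partly configured access point might look like.
SAMPLE = {
    "community_ro": "PlsChgMe!RO",
    "community_rw": "n0c-Write-7731",
    "trap_destinations": [{"ip": "192.0.2.10", "community": "PlsChgMe!RO"}],
    "users": [
        {"name": "monitor", "group": "RO", "auth": "none", "priv": "none",
         "passphrase": ""},
        {"name": "ops", "group": "RO", "auth": "MD5", "priv": "DES",
         "passphrase": "correct-horse-9"},
        {"name": "netadmin", "group": "RWPriv", "auth": "MD5", "priv": "DES",
         "passphrase": "short"},
    ],
}

if __name__ == "__main__":
    for code, detail in audit_snmp(SAMPLE):
        print("%-18s %s" % (code, detail))
```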

Configuring SNMPv3 trap filters

SNMP v3 users can be configured to receive notification messages from the access point. An SNMP Target ID is created that specifies the SNMP v3 user, IP address, and UDP port. A user-defined notification filter can be created so that specific notifications can be prevented from being sent to particular targets.

Up to 10 notification filters can be created on the access point. Each filter can be defined by up to 20 MIB subtree ID entries.

To configure a new notification filter, click the New button. A new page opens to configure the filter (see the following figure). To edit an existing filter, select the radio button next to the entry in the table and then click the Edit button. To delete a filter, select the radio button next to the entry in the table and then click the Delete button.

Configuring SNMPv3 trap filters

When you click on the New button in the SNMP Trap Filters page, a new page opens where the filter parameters are configured. Define a filter name and subtree ID to be filtered. Select the filter type, include or exclude, from the drop-down list. Click Apply to create the filter.

Configuring the SNMP filter ID

To add more subtree IDs to the filter, return to the SNMP Trap Filters page and click the Edit button. In the Edit page, click the New button to access the Add SNMP Notification Subtree page and configure a new subtree ID to be filtered.

Note: You can only configure the Filter ID on the New Filter page.

Filter ID—A user-defined name that identifies the filter. (Maximum length: 32 characters)

Subtree OID—Specifies the MIB subtree to be filtered. The MIB subtree must be defined in the form .1.3.6.1 and always start with a period (.).

Filter Type—Indicates if the filter is to include or exclude the MIB subtree objects from the filter. Note that MIB objects included in the filter are not sent to the receiving target and objects excluded are sent. By default, all traps are sent, so you can first use an include filter entry for all trap objects. Then use exclude entries for the required trap objects to send to the target. Note that the filter entries are applied in the sequence that they are defined.

Configuring SNMPv3 targets

An SNMP v3 notification Target ID is specified by the SNMP v3 user, IP address, and UDP port. A user-defined filter can also be assigned to specific targets to limit the notifications received to specific MIB objects. Note that the filter must first be configured. For further information, see "Configuring SNMPv3 trap filters" (page 75).

To configure a new notification receiver target, click the New button. A new page opens to configure the settings (see the following figure). To edit an existing target, select the radio button next to the entry in the table and then click the Edit button. To delete targets, select the radio button next to the entry in the table and then click the Delete button.

Configuring SNMPv3 targets

When you click on the New or Edit button in the SNMP Targets page, a new page opens where the target parameters are configured. Define the parameters and select a filter, if required. Note that the SNMP v3 username must first be defined. For further information, see "Configuring SNMPv3 users" (page 74). Click Apply.

Note: The Target ID cannot be changed in the Edit Target page. Only the New Target page allows the Target ID to be configured.

Configuring SNMPv3 target IDs

Target ID—A user-defined name that identifies a receiver of notifications. The access point supports up to 10 target IDs. (Maximum length: 32 characters)

IP Address—Specifies the IP address of the receiving management station.

UDP Port—The UDP port that is used on the receiving management station for notification messages.

SNMP User—The defined SNMP v3 user that is to receive notification messages.

Assigned Filter—The name of a user-defined notification filter that is applied to the target.

Radio interface

The IEEE 802.11a and 802.11b/g interfaces include configuration options for radio signal characteristics and wireless security features. The configuration options are nearly identical, and are therefore both covered in this section of the manual.

The access point can operate in three modes: IEEE 802.11a only, 802.11b/g only, or a mixed 802.11a/b/g mode. These interfaces are configured independently under the following Web pages:

• Slot 0 - Radio A: 802.11a

• Slot 1 - Radio G: 802.11b/g

Each radio supports up to four virtual access point (VAP) interfaces numbered 0 to 3. Each VAP functions as a separate access point, and can be configured with its own Service Set Identification (SSID) and security settings. However, most radio signal parameters apply to all VAP interfaces on the same radio.

The VAPs function similarly to a VLAN, with each VAP mapped to its own VLAN ID. Traffic to specific VAPs can be segregated based on user groups or application traffic. Note: Each radio interface supports a maximum of 64 users regardless of the number of VAPs enabled on the radio.

Note: The radio channel settings for the access point are limited by local regulations, which determine the number of channels that are available. For more information, see "Regulatory compliances" (page 111).

Slot 0 - Radio A (802.11a)

The IEEE 802.11a interface operates within the 5 GHz band, at up to 54 Mb/s in normal mode or up to 108 Mb/s in Turbo mode.

First configure the radio settings that apply to the individual VAPs (Virtual Access Point) and the common radio settings that apply to the overall system. After you have configured the radio settings, go to the Security page under the 802.a Interface (for further information, see "Security" (page 91)), enable the radio service for any of the VAP interfaces, and then set an SSID to identify the wireless network service provided by each VAP. Remember that only clients with the same SSID can associate with a VAP.

Note: You must first enable VAP interface 0 before the other interfaces can be enabled.

Configuring VAP radio settings

To configure VAP radio settings, select the Radio Settings page.

Configuring VAP radio settings

Default VLAN ID—The VLAN ID assigned to wireless clients associated to the VAP interface that are not assigned to a specific VLAN by RADIUS server configuration. (Default: 1)

Closed System—When enabled, the VAP interface does not include its SSID in beacon messages. Nor does it respond to probe requests from clients that do not include a fixed SSID. (Default: Disable)

Authentication Timeout Interval—The time within which the client must finish authentication before authentication times out. (Range: 5-60 minutes; Default: 60 minutes)

Association Timeout Interval—The idle time interval (when no frames are sent) after which a client is disassociated from the VAP interface. (Range: 5-60 minutes; Default: 30 minutes)

WPA2 PMKSA Life Time

WPA2 PMKSA Life Time—WPA2 provides fast roaming for authenticated clients by retaining keys and other security settings in a cache for each VAP. In this way, when clients roam back into a VAP they had previously been using, reauthentication is not required. When a WPA2 client is first authenticated, it receives a Pairwise Master Key (PMK) that is used to generate the other keys used for unicast data encryption. This key and other client information form a client Security Association (SA) that the VAP holds in a cache. When the lifetime expires, the security association and keys are deleted from the cache. If the client returns to an access point after the association has been deleted, it requires full reauthentication. (Range: 1-1 440 minutes; Default: 720 minutes)

Configuring common radio settings

To configure common radio settings, select the Radio Settings page, and scroll down to below the VAP radio settings.

Configuring common radio settings

Turbo Mode—The normal 802.11a wireless operation mode provides connections up to 54 Mb/s. Turbo Mode is an enhanced mode (not regulated in IEEE 802.11a) that provides a higher data rate of up to 108 Mb/s. Enabling Turbo Mode allows the access point to provide connections up to 108 Mb/s. (Default: Disabled)

Note: In normal mode, the access point provides a channel bandwidth of 20 MHz, and supports the maximum number of channels permitted by local regulations (for example, 13 channels for the United States). In Turbo Mode, the channel bandwidth is increased to 40 MHz to support the increased data rate. However, this reduces the number of channels supported (for example, 5 channels for the United States).

Check your country’s regulations to see if Turbo Mode is allowed.

Radio Channel—The radio channel that the access point uses to communicate with wireless clients. When multiple access points are deployed in the same area, set the channel on neighboring access points at least four channels apart to avoid interference with each other. For example, in the United States you can deploy up to four access points in the same area (for example, channels 36, 56, 149, 165). Also note that the channel for wireless clients is automatically set to the same as that used by the access point to which it is linked.

Auto Channel Select—Enables the access point to automatically select an operating radio channel. (Default: Enabled)

Note: Check your country’s regulations to see if Auto Channel can be disabled.

Transmit Power—Adjusts the power of the radio signals transmitted from the access point. The higher the transmission power, the farther the transmission range. Power selection is not just a trade off between coverage area and maximum supported clients. You must also ensure that high-power signals do not interfere with the operation of other radio devices in the service area. (Options: 100%, 50%, 25%, 12%, minimum; Default: 100%)

Note: When operating the access point using 5 GHz channels in a European Community country, the end user and installer are obligated to operate the device in accordance with European regulatory requirements for Transmit Power Control (TPC).

Maximum Supported Rate—The maximum data rate at which the access point transmits unicast packets on the wireless interface. The maximum transmission distance is affected by the data rate. The lower the data rate, the longer the transmission distance. (Options: 54, 48, 36, 24 Mb/s; Default: 54 Mb/s)

Maximum Associated Clients—Sets the maximum number of clients that can be associated with a VAP interface at the same time. (Range: 1-64 per VAP interface; Default: 64)

Antenna ID—Selects the antenna to be used by the access point; either the diversity antennas (the Default Antenna) or an optional external antenna. The optional external antennas (if any) that are certified for use with the access point are listed in the drop-down menu. Selecting the correct antenna ID ensures that the access point’s radio transmissions are within regulatory power limits for the country of operation. (Default: Default Antenna)

Note: The Antenna ID must be selected in conjunction with the Antenna Control Method to configure proper use of any of the antenna options.

Antenna Control Method—Selects the use of both fixed antennas operating in diversity mode or a single antenna. (Default: Diversity)

• Diversity: The radio uses both antennas in a diversity system. Select this method when the Antenna ID is set to Default Antenna to use the access point’s integrated antennas.

• Right: The radio only uses the antenna on the right side (the side closest to the access point LEDs). Select this method when using an optional external antenna that is connected to the right antenna connector.

• Left: The radio only uses the antenna on the left side (the side farthest from the access point LEDs). Select this method when using an optional external antenna that is connected to the left antenna connector.

Antenna Location—Selects the mounting location of the antenna in use; either Indoor or Outdoor. Selecting the correct location ensures that the access point only uses radio channels that are permitted in the country of operation. (Default: Indoor)

MIC Mode—The Michael Integrity Check (MIC) is part of the Temporal Key Integrity Protocol (TKIP) encryption used in Wi-Fi Protected Access (WPA) security. The MIC calculation is performed in the access point for each transmitted packet and this can impact throughput and performance. The access point supports a choice of software or hardware MIC calculation. The performance of the access point can be improved by selecting the best method for the specific deployment. (Default: Software)

• Hardware: Provides best performance when the number of supported clients is less than 27.

• Software: Provides the best performance for a large number of clients on one radio interface. Throughput can be reduced when both 802.11a and 802.11b/g interfaces are supporting a high number of clients simultaneously.

Super A—The Atheros proprietary Super A performance enhancements are supported by the access point. These enhancements include bursting, compression, and fast frames. Maximum throughput ranges between 40 and 60 Mb/s for connections to Atheros-compatible clients. (Default: Disabled)

Beacon Interval—The rate at which beacon signals are transmitted from the access point. Using the beacon signals, wireless clients can maintain contact with the access point. They can also carry power-management information. (Range: 20-1000 TUs; Default: 100 TUs)

WARNING: Nortel recommends that you do not change this value as it can cause interoperability issues with wireless clients.

Data Beacon Rate—The rate at which stations in sleep mode must wake up to receive broadcast/multicast transmissions.

Known also as the Delivery Traffic Indication Map (DTIM) interval, it indicates how often the MAC layer forwards broadcast/multicast traffic, which is necessary to wake up stations that are using Power Save mode. The default value of 2 indicates that the access point saves broadcast/multicast frames for the Basic Service Set (BSS) and forwards them after every second beacon. Using smaller DTIM intervals delivers broadcast and multicast frames or both in a more timely manner, causing stations in Power Save mode to wake up more often and drain power faster. Using higher DTIM values reduces the power used by stations in Power Save mode, but delays the transmission of broadcast and multicast frames or both. (Range: 1-255 beacons; Default: 1 beacon)

Fragmentation Length—Configures the minimum packet size that can be fragmented when passing through the access point. Fragmentation of the PDUs (Package Data Unit) can increase the reliability of transmissions because it increases the probability of a successful transmission due to smaller frame size. If there is significant interference present, or collisions due to high network utilization, try setting the fragment size to send smaller fragments. This speeds up the retransmission of smaller frames. However, it is more efficient to set the fragment size larger if very little or no interference is present because it requires overhead to send multiple frames. (Range: 256-2 346 bytes; Default: 2 346 bytes)

RTS Threshold—Sets the packet size threshold at which a Request to Send (RTS) signal must be sent to a receiving station prior to the sending station starting communications. The access point sends RTS frames to a receiving station to negotiate the sending of a data frame. After receiving an RTS frame, the station sends a CTS (clear to send) frame to notify the sending station that it can start sending data.

If the RTS threshold is set to 0, the access point always sends RTS signals. If set to 2 347, the access point never sends RTS signals. If set to any other value, and the packet size equals or exceeds the RTS threshold, the RTS/CTS (Request to Send / Clear to Send) mechanism is enabled.

The access points contending for the medium may not be aware of each other. The RTS/CTS mechanism can solve this Hidden Node Problem. (Range: 0-2 347 bytes; Default: 2 347 bytes)

Configuring Wi-Fi multimedia

Wireless networks offer an equal opportunity for all devices to transmit data from any type of application. Although this is acceptable for most applications, multimedia applications (with audio and video) are particularly sensitive to the delay and throughput variations that result from this equal opportunity wireless access method. For multimedia applications to run well over a wireless network, a Quality of Service (QoS) mechanism is required to prioritize traffic types and provide an enhanced opportunity wireless access method.

The access point implements QoS using the Wi-Fi Multimedia (WMM) standard. Using WMM, the access point is able to prioritize traffic and optimize performance when multiple applications compete for wireless network bandwidth at the same time. WMM employs techniques that are a subset of the developing IEEE 802.11e QoS standard and it enables the access point to interoperate with both WMM-enabled clients and other devices that may lack any WMM functionality.

Access categories — WMM defines four access categories (ACs): voice, video, best effort, and background. These categories correspond to traffic priority levels and are mapped to IEEE 802.1D priority tags (see "WMM Access Categories" (page 85)). The direct mapping of the four ACs to 802.1D priorities is specifically intended to facilitate interoperability with other wired network QoS policies. While the four ACs are specified for specific types of traffic, WMM allows the priority levels to be configured to match any network-wide QoS policy. WMM also specifies a protocol that access points can use to communicate the configured traffic priority levels to QoS-enabled wireless clients.

WMM Access Categories

Access Category | WMM Designation | Description | 802.1D Tags
AC_VO (AC3) | Voice | Highest priority, minimum delay. Time-sensitive data such as VoIP (Voice over IP) calls. | 7, 6
AC_VI (AC2) | Video | High priority, minimum delay. Time-sensitive data such as streaming video. | 5, 4
AC_BE (AC0) | Best Effort | Normal priority, medium delay and throughput. Data only affected by long delays. Data from applications or devices that lack QoS capabilities. | 0, 3
AC_BK (AC1) | Background | Lowest priority. Data with no delay or throughput requirements, such as bulk data transfers. | 2, 1

WMM operation — WMM uses traffic priority based on the four ACs: Voice, Video, Best Effort, and Background. The higher the AC priority, the higher the probability that data is transmitted.

When the access point forwards traffic, WMM adds data packets to four independent transmit queues, one for each AC, depending on the 802.1D priority tag of the packet. Data packets without a priority tag are always added to the Best Effort AC queue. From the four queues, an internal virtual collision resolution mechanism first selects data with the highest priority to be granted a transmit opportunity. Then the same collision resolution mechanism is used externally to determine which device has access to the wireless medium.

For each AC queue, the collision resolution mechanism is dependent on two timing parameters:

• AIFSN (Arbitration Inter-Frame Space Number), a number used to calculate the minimum time between data frames

• CW (Contention Window), a number used to calculate a random backoff time

After a collision detection, a backoff wait time is calculated. The total wait time is the sum of a minimum wait time (Arbitration Inter-Frame Space Number, or AIFSN) determined from the AIFSN, and a random backoff time calculated from a value selected from zero to the CW. The CW value varies within a configurable range. It starts at CWMin and doubles after every collision up to a maximum value, CWMax. After a successful transmission, the CW value is reset to its CWMin value.

WMM timing

WMM Backoff Wait Times

For high-priority traffic, the AIFSN and CW values are smaller. The smaller values equate to less backoff and wait time, and therefore, more transmit opportunities.

To configure WMM, select the Radio Settings page, and scroll down to the WMM configuration settings.

Configuring WMM Backoff Wait Times

WMM—Sets the WMM operational mode on the access point. When enabled, the parameters for each AC queue are employed on the access point and QoS capabilities are advertised to WMM-enabled clients. (Default: Support)

• Disable: WMM is disabled.

• Support: WMM is used for any associated device that supports this feature. Devices that do not support this feature can still associate with the access point.

• Required: WMM must be supported on any device trying to associate with the access point. Devices that do not support this feature are not allowed to associate with the access point.

WMM acknowledge policy—By default, all wireless data transmissions require the sender to wait for an acknowledgement from the receiver. WMM allows the acknowledgement wait time to be turned off for each Access Category (AC). Although this increases data throughput, it can also result in a high number of errors when traffic levels are heavy. (Default: Acknowledge)

WMM BSS parameters—These parameters apply to the wireless clients.

WMM AP parameters—These parameters apply to the access point.

• logCWMin (Minimum Contention Window)—The initial upper limit of the random backoff wait time before wireless medium access can be attempted. The initial wait time is a random value between zero and the CWMin value. Specify the CWMin value in the range 0-15. Note that the CWMin value must be equal to or less than the CWMax value.

• logCWMax (Maximum Contention Window)—The maximum upper limit of the random backoff wait time before wireless medium access can be attempted. The contention window is doubled after each detected collision up to the CWMax value. Specify the CWMax value in the range 0-15. Note that the CWMax value must be greater than or equal to the CWMin value.

• AIFSN (Arbitration Inter-Frame Space Number)—The minimum amount of wait time before the next data transmission attempt. Specify the AIFSN value in the range 0-15.

• TXOP limit (Transmit Opportunity Limit)—The maximum time an AC transmit queue has access to the wireless medium. When an AC queue is granted a transmit opportunity, it can transmit data for a time up to the TxOpLimit. This data bursting greatly improves the efficiency for high data-rate traffic. The TXOP limit is specified in units of 32 microseconds. Specify a TXOP value in the range 0-65 535 units.

• Admission control—The admission control mode for the access category. When enabled, clients are blocked from using the access category. (Default: Disabled)
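To see how the per-queue parameters above turn into wait times, the following added example (not from the manual) maps 802.1D tags to queues using the WMM Access Categories table and computes the backoff range after a given number of collisions. Three things are assumptions taken from IEEE 802.11e/WMM rather than from this page: a logCW value n means a window of 2^n - 1 slots, the minimum wait is SIFS + AIFSN × slot time, and the 802.11a timing of 16 µs SIFS and 9 µs slots; the per-queue values are constructed samples.

```python
SIFS_US, SLOT_US = 16, 9  # 802.11a timing; these are not values from the manual

# 802.1D priority tag -> access category, as in the WMM Access Categories table.
TAG_TO_AC = {7: "AC_VO", 6: "AC_VO", 5: "AC_VI", 4: "AC_VI",
             0: "AC_BE", 3: "AC_BE", 2: "AC_BK", 1: "AC_BK"}

# Constructed per-queue settings: (logCWMin, logCWMax, AIFSN, TXOP limit).
SAMPLE_PARAMS = {
    "AC_VO": (2, 3, 2, 47),
    "AC_VI": (3, 4, 2, 94),
    "AC_BE": (4, 10, 3, 0),
    "AC_BK": (4, 10, 7, 0),
}


def queue_for_tag(tag):
    """Pick the transmit queue; untagged packets (None) go to Best Effort."""
    return "AC_BE" if tag is None else TAG_TO_AC[tag]


def validate(log_cw_min, log_cw_max, aifsn, txop):
    """Enforce the ranges the manual gives for each WMM field."""
    for name, value in (("logCWMin", log_cw_min), ("logCWMax", log_cw_max),
                        ("AIFSN", aifsn)):
        if not 0 <= value <= 15:
            raise ValueError("%s must be in the range 0-15" % name)
    if log_cw_min > log_cw_max:
        raise ValueError("CWMin must be equal to or less than CWMax")
    if not 0 <= txop <= 65535:
        raise ValueError("TXOP limit must be in the range 0-65535")


def contention_window(log_cw_min, log_cw_max, collisions):
    """CW starts at CWMin and doubles per collision, capped at CWMax."""
    cw, cw_max = 2 ** log_cw_min - 1, 2 ** log_cw_max - 1
    for _ in range(collisions):
        cw = min(2 * (cw + 1) - 1, cw_max)
    return cw


def aifs_us(aifsn):
    """Minimum wait before contending, in microseconds."""
    return SIFS_US + aifsn * SLOT_US


def wait_range_us(ac, collisions=0, params=SAMPLE_PARAMS):
    """(shortest, longest) total wait: AIFS plus 0..CW backoff slots."""
    log_min, log_max, aifsn, txop = params[ac]
    validate(log_min, log_max, aifsn, txop)
    cw = contention_window(log_min, log_max, collisions)
    return aifs_us(aifsn), aifs_us(aifsn) + cw * SLOT_US


def txop_us(units):
    """TXOP limit is configured in units of 32 microseconds."""
    return units * 32


if __name__ == "__main__":
    for tag in (6, 4, None, 1):
        ac = queue_for_tag(tag)
        print(tag, ac, wait_range_us(ac), wait_range_us(ac, collisions=3),
              txop_us(SAMPLE_PARAMS[ac][3]))
```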

Slot 0 - Radio G (802.11b/g)

The IEEE 802.11b/g standard operates within the 2.4 GHz band at up to 54 Mb/s. Also note that, because the IEEE 802.11g standard is an extension of the IEEE 802.11b standard, clients with 802.11b wireless network cards can associate with an 802.11g access point.

First, configure the radio settings that apply to the individual VAPs (Virtual Access Point) and the common radio settings that apply to all of the 802.11b/g interfaces. After you have configured the radio settings, go to the Security page under the 802.g Interface (for further information, see "Security" (page 91)), enable the radio service for any of the VAP interfaces, and then set an SSID to identify the wireless network service provided by each VAP. Remember that only clients with the same SSID can associate with a VAP.

Note: You must first enable VAP interface 0 before the other interfaces can be enabled.

Most of the 802.11b/g commands are identical to those used by the 802.11a interface. For information on these commands, see the following sections:

• "Configuring VAP radio settings" (page 79)

• "WPA2 PMKSA Life Time" (page 81)

• "Configuring common radio settings" (page 81)

• "Configuring Wi-Fi multimedia" (page 85)

Only the radio settings specific to the 802.11b/g interface are included in this section. To configure the 802.11b/g radio settings, select the Radio Settings page.

Slot 0 - Radio G (802.11b/g) settings

Radio Mode—Selects the operating mode for the 802.11b/g wireless interface. (Default: 802.11b+g)

• 802.11b+g: Both 802.11b and 802.11g clients can communicate with the access point (up to 54 Mb/s).

• 802.11b only: Both 802.11b and 802.11g clients can communicate with the access point, but 802.11g clients can only transfer data at 802.11b standard rates (up to 11 Mb/s).

• 802.11g only: Only 802.11g clients can communicate with the access point (up to 54 Mb/s).

Radio Channel—The radio channel that the access point uses to communicate with wireless clients. When multiple access points are deployed in the same area, set the channel on neighboring access points at least five channels apart to avoid interference with each other. For example, in the United States you can deploy up to three access points in the same area (for example, channels 1, 6, 11). Also note that the channel for wireless clients is automatically set to the same as that used by the access point to which it is linked.

Auto Channel Select—Enables the access point to automatically select an operating radio channel. (Default: Enabled)

Maximum Station Data Rate—The maximum data rate at which the access point transmits unicast packets on the wireless interface. The maximum transmission distance is affected by the data rate. The lower the data rate, the longer the transmission distance. (Default: 54 Mb/s)


Super G—The Atheros proprietary Super G performance enhancements are supported by the access point. These enhancements include bursting, compression, fast frames, and dynamic turbo. Maximum throughput ranges from 40 to 60 Mb/s for connections to Atheros-compatible clients. (Default: Disabled)

Preamble—Sets the length of the signal preamble that is used at the start of a data transmission. (Default: Short)

• Long: Sets the preamble to long (192 microseconds). Using a long preamble ensures the access point can support all 802.11b and 802.11g clients.

• Short or Long: Sets the preamble according to the capability of clients that are currently associated. Uses a short preamble (96 microseconds) if all associated clients can support it, otherwise a long preamble is used. The access point can increase data throughput when using a short preamble, but only uses a short preamble if it determines that all associated clients support it.

Security

The access point is configured by default as an open system, which broadcasts a beacon signal including the configured SSID. Wireless clients with an SSID setting of any can read the SSID from the beacon and automatically set their SSID to allow immediate connection to the nearest access point.

To improve wireless network security, you have to implement two main functions:

• Authentication: It must be verified that clients attempting to connect to the network are authorized users.

• Traffic Encryption: Data passing between the access point and clients must be protected from interception and eavesdropping.

For a more secure network, the access point can implement one or a combination of the following security mechanisms:

• Wired Equivalent Privacy (WEP)

• IEEE 802.1X

• Wireless MAC address filtering

• Wi-Fi Protected Access (WPA or WPA2)

Both WEP and WPA security settings are configurable separately for each virtual access point (VAP) interface. MAC address filtering and RADIUS server settings are global and apply to all VAP interfaces.


The security mechanisms that can be employed depend on the level of security required, the network and management resources available, and the software support provided on wireless clients.

A summary of wireless security considerations is listed in the "Wireless security considerations" (page 92):

Wireless security considerations

Security mechanism: WEP
Client support: Built-in support on all 802.11a and 802.11b/g devices
Implementation considerations:
• Provides only weak security
• Requires manual key management

Security mechanism: WEP over 802.1X
Client support: Requires 802.1X client support in system or by add-in software (support provided in Windows 2000 SP3 or later and Windows XP)
Implementation considerations:
• Provides dynamic key rotation for improved WEP security
• Requires configured RADIUS server
• 802.1X EAP type can require management of digital certificates for clients and server

Security mechanism: MAC Address Filtering
Client support: Uses the MAC address of client network card
Implementation considerations:
• Provides only weak user authentication
• Management of authorized MAC addresses
• Can be combined with other methods for improved security
• Optionally configured RADIUS server

Security mechanism: WPA over 802.1X Mode
Client support: Requires WPA-enabled system and network card driver (native support provided in Windows XP)
Implementation considerations:
• Provides robust security in WPA-only mode (that is, WPA clients only)
• Requires configured RADIUS server
• 802.1X EAP type can require management of digital certificates for clients and server

Security mechanism: WPA PSK Mode
Client support: Requires WPA-enabled system and network card driver (native support provided in Windows XP)
Implementation considerations:
• Provides good security in small networks
• Requires manual management of preshared key


Security mechanism: WPA2 with 802.1X
Client support: Requires WPA-enabled system and network card driver
Implementation considerations:
• Provides the strongest security in WPA2-only mode
• Provides robust security in mixed mode for WPA and WPA2 clients
• Offers fast roaming for time-sensitive client applications
• Requires configured RADIUS server
• 802.1X EAP type can require management of digital certificates for clients and server
• Clients can require hardware upgrade to be WPA2 compliant

Security mechanism: WPA2 PSK Mode
Client support: Requires WPA-enabled system and network card driver
Implementation considerations:
• Provides robust security in small networks
• Requires manual management of preshared key
• Clients can require hardware upgrade to be WPA2 compliant

Note: You must enable data encryption through the Web interface to enable all types of encryption (WEP, TKIP, or AES) in the access point.

The access point can simultaneously support clients using various different security mechanisms. The configurations for these security combinations are outlined in the following table. Note that MAC address authentication can be configured independently to work with all security mechanisms and is indicated separately in the table. Required RADIUS server support is also listed.

Security combinations

Client security combination: No encryption and no authentication
Configuration summary (1):
• Interface Detail Settings:
• Authentication: Open System
• Encryption: Disable
• 802.1x: Disable
MAC authentication (2): Local, RADIUS, or Disabled
RADIUS server: No


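Client security combination: Static WEP only (with or without shared key authentication)
Configuration summary (1):
• Enter 1 to 4 WEP keys
• Select a WEP transmit key for the interface
• Interface Detail Settings:
• Authentication: Shared Key or Open System
• Encryption: Enable
• 802.1x: Disable
MAC authentication (2): Local, RADIUS, or Disabled
RADIUS server: No

Client security combination: Dynamic WEP (802.1x) only
Configuration summary (1):
• Interface Detail Settings:
• Authentication: Open System
• Encryption: Enable
• 802.1x: Required
• Set 802.1x key refresh and re-authentication rates
MAC authentication (2): Local, RADIUS, or Disabled
RADIUS server: Yes

Client security combination: 802.1x WPA only
Configuration summary (1):
• Interface Detail Settings:
• Authentication: WPA
• Encryption: Enable
• WPA Configuration: Required
• Cipher Suite: TKIP
• 802.1x: Required
• Set 802.1x key refresh and reauthentication rates
MAC authentication (2): Local or Disabled
RADIUS server: Yes

Client security combination: WPA Pre-Shared Key only
Configuration summary (1):
• Interface Detail Settings:
• Authentication: WPA-PSK
• Encryption: Enable
• WPA Configuration: Required
• Cipher Configuration: TKIP
• 802.1x: Disable
• WPA Pre-shared Key Type: Hexadecimal or Alphanumeric
• Enter a WPA Preshared key
MAC authentication (2): Local or Disabled
RADIUS server: No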


Client security combination: Static and dynamic (802.1x) WEP keys
Configuration summary (1):
• Enter 1 to 4 WEP keys
• Select a WEP transmit key
• Interface Detail Settings:
• Authentication: Open System
• Encryption: Enable
• 802.1x: Supported
• Set 802.1x key refresh and reauthentication rates
MAC authentication (2): Local, RADIUS, or Disabled
RADIUS server: Yes

Client security combination: Dynamic WEP and 802.1x WPA
Configuration summary (1):
• Interface Detail Settings:
• Authentication: WPA
• Encryption: Enable
• WPA Configuration: Supported
• Cipher Suite: WEP
• 802.1x: Required
• Set 802.1x key refresh and reauthentication rates
MAC authentication (2): Local or Disabled
RADIUS server: Yes

Client security combination: Static and dynamic (802.1x) WEP keys and 802.1x WPA
Configuration summary (1):
• Enter 1 to 4 WEP keys
• Select a WEP transmit key
• Interface Detail Settings:
• Authentication: WPA
• Encryption: Enable
• WPA Configuration: Supported
• Cipher Suite: WEP
• 802.1x: Supported
• Set 802.1x key refresh and reauthentication rates
MAC authentication (2): Local or Disabled
RADIUS server: Yes

Client security combination: 802.1x WPA2 only
Configuration summary (1):
• Interface Detail Settings:
• Authentication: WPA2
• Encryption: Enable
• WPA Configuration: Required
• Cipher Suite: AES-CCMP
• 802.1x: Required
• Set 802.1x key refresh and reauthentication rates
MAC authentication (2): Local or Disabled
RADIUS server: Yes


Client security combination: WPA2 Pre-Shared Key only
Configuration summary (1):
• Interface Detail Settings:
• Authentication: WPA2-PSK
• Encryption: Enable
• WPA Configuration: Required
• Cipher Suite: AES-CCMP
• 802.1x: Disable
• WPA Pre-shared Key Type: Hexadecimal or Alphanumeric
• Enter a WPA Preshared key
MAC authentication (2): Local or Disabled
RADIUS server: No

Client security combination: 802.1x WPA-WPA2 Mixed Mode
Configuration summary (1):
• Interface Detail Settings:
• Authentication: WPA-WPA2-mixed
• Encryption: Enable
• WPA Configuration: Required
• Cipher Suite: TKIP
• 802.1x: Required
• Set 802.1x key refresh and reauthentication rates
MAC authentication (2): Local or Disabled
RADIUS server: Yes

Client security combination: WPA-WPA2 Mixed Mode Pre-Shared Key
Configuration summary (1):
• Interface Detail Settings:
• Authentication: WPA-WPA2-PSK-mixed
• Encryption: Enable
• WPA Configuration: Required
• Cipher Suite: TKIP
• 802.1x: Disable
• WPA Pre-shared Key Type: Hexadecimal or Alphanumeric
• Enter a WPA Preshared key
MAC authentication (2): Local or Disabled
RADIUS server: No

1. The configuration summary does not include the setup for MAC authentication or RADIUS server.

2. The configuration of RADIUS MAC authentication together with 802.1x WPA/WPA2 or WPA/WPA2 Preshared Key is not supported.

Note: If you choose to configure RADIUS MAC authentication together with 802.1X, the RADIUS MAC address authentication occurs prior to 802.1X authentication. Only when RADIUS MAC authentication succeeds is 802.1X authentication performed. When RADIUS MAC authentication fails, 802.1X authentication is not performed.
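The combinations in the table and its footnotes can be checked mechanically before a VAP is enabled. The following Python sketch is an added example, not Nortel code: the dictionary keys and function names are hypothetical, the sample configurations are constructed, and the cipher-suite checks use the rules the manual states in its WPA section.

```python
WPA_8021X = {"wpa", "wpa2", "wpa-wpa2-mixed"}
WPA_PSK = {"wpa-psk", "wpa2-psk", "wpa-wpa2-psk-mixed"}
LEGACY = {"open-system", "shared-key"}


def audit_vap(cfg):
    """Return a list of (severity, message) findings for one VAP's settings."""
    findings = []
    auth = cfg["authentication"]
    encryption = cfg.get("encryption", False)
    dot1x = cfg.get("dot1x", "disable")                   # disable | supported | required
    wpa_cfg = cfg.get("wpa_configuration", "required")    # required | supported
    cipher = cfg.get("cipher_suite")                      # wep | tkip | aes-ccmp
    mac_auth = cfg.get("mac_authentication", "disabled")  # local | radius | disabled
    radius = cfg.get("radius_configured", False)

    def error(msg):
        findings.append(("error", msg))

    def warning(msg):
        findings.append(("warning", msg))

    if auth not in WPA_8021X | WPA_PSK | LEGACY:
        error(f"unknown authentication type {auth!r}")
        return findings
    if (dot1x != "disable" or mac_auth == "radius") and not radius:
        error("802.1X or RADIUS MAC authentication needs a configured RADIUS server")

    if auth in LEGACY:
        # Static keys are in play unless 802.1X is Required (dynamic WEP only).
        static_wep = auth == "shared-key" or (encryption and dot1x != "required")
        if static_wep and cfg.get("wep_keys", 0) < 1:
            error("static WEP needs at least one WEP key on the access point")
        if static_wep:
            warning("static WEP gives only weak security and manual key management")
        if auth == "open-system" and not encryption:
            warning("open system without encryption: the network is open to all users")
        return findings

    # Everything below applies to the six WPA/WPA2 authentication options.
    if not encryption:
        error("encryption must be enabled before WEP, TKIP or AES can be used")
    if mac_auth == "radius":
        error("RADIUS MAC authentication is not supported together with WPA/WPA2")
    if auth in WPA_8021X and dot1x == "disable":
        error("WPA/WPA2 over 802.1X needs 802.1X set to Supported or Required")
    if auth in WPA_PSK:
        if dot1x != "disable":
            error("preshared key modes are listed with 802.1X set to Disable")
        if not cfg.get("psk_configured", False):
            error("preshared key mode selected but no key string is set")

    if "mixed" in auth:
        if cipher != "tkip":
            error("WPA-WPA2 mixed mode uses TKIP for broadcast frames; WEP is not allowed")
    elif auth.startswith("wpa2"):
        if cipher != "aes-ccmp":
            error("WPA2-only modes are listed with the AES-CCMP cipher suite")
    elif wpa_cfg == "supported":
        if cipher != "wep":
            error("with WEP clients allowed, the multicast key is restricted to WEP")
        warning("WEP clients are not authenticated by shared keys; add MAC or 802.1X authentication")
    elif cipher == "wep":
        error("select the WEP cipher suite only when WPA Configuration is Supported")
    return findings


def errors(cfg):
    """Return only the error messages for a configuration."""
    return [msg for severity, msg in audit_vap(cfg) if severity == "error"]


# Constructed sample configurations (not taken from a real device).
WPA2_ENTERPRISE = {"authentication": "wpa2", "encryption": True, "cipher_suite": "aes-ccmp",
                   "dot1x": "required", "radius_configured": True}
BAD_MIXED_PSK = {"authentication": "wpa-wpa2-psk-mixed", "encryption": True,
                 "cipher_suite": "wep", "dot1x": "disable", "psk_configured": True,
                 "mac_authentication": "radius", "radius_configured": True}
WEP_AND_WPA = {"authentication": "wpa", "encryption": True, "wpa_configuration": "supported",
               "cipher_suite": "wep", "dot1x": "required", "radius_configured": True}

if __name__ == "__main__":
    for name, cfg in [("wpa2", WPA2_ENTERPRISE), ("bad", BAD_MIXED_PSK), ("wep+wpa", WEP_AND_WPA)]:
        print(name, audit_vap(cfg))
```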

Enabling the VAPs

Before enabling the Virtual Access Point (VAP) radio interfaces, first configure all of the relevant radio settings (For further information, see "Slot 0 - Radio A (802.11a)" (page 79) or "Slot 0 - Radio G (802.11b/g)" (page 89)).

After you have configured the radio settings, select Security under SLOT 0 - Radio A or SLOT 1 - Radio G, set an SSID to identify the wireless network service provided by each VAP you want to use, and then click Apply to save your settings.

Before enabling the radio service for any VAP, first configure the WEP, WPA, and 802.1X security settings described in the following sections. After you have finished configuring the security settings, return to the main Security page shown in the following figure, start the required VAP interfaces by clicking the Enable checkbox, and then click Apply.

Enabling the VAPs

Enable—Enables radio communications on the VAP interface. (Default: Disabled)

Note: You must first enable VAP interface 0 before you can enable other VAP interfaces.

SSID—The name of the basic service set provided by a VAP interface. Clients that want to connect to the network through the access point must set their SSID to the same as that of an access point VAP interface. (Default: (0 to 7); Range: 1-32 characters)


Wired Equivalent Privacy (WEP)

WEP provides a basic level of security, preventing unauthorized access to the network, and encrypting data transmitted between wireless clients and the access point. WEP uses static shared keys (fixed-length hexadecimal or alphanumeric strings) that are manually distributed to all clients that want to use the network.

WEP is the security protocol initially specified in the IEEE 802.11 standard for wireless communications.

Setting up shared keys enables the basic IEEE 802.11 Wired Equivalent Privacy (WEP) on the access point to prevent unauthorized access to the network.

If you choose to use WEP shared keys instead of an open system, be sure to define at least one WEP key for user authentication and data encryption. Also, be sure that the WEP shared keys are the same for each client in the wireless network.

Note that all clients share the same keys, which are used for user authentication and data encryption. Up to four keys can be specified. These four keys are used for all VAP interfaces on the same radio.

To set up WEP shared keys, click Radio Settings under Radio A or Radio G.

Setting up WEP shared keys

Key Type—Select the preferred method of entering WEP encryption keys on the access point and enter up to four keys:

• Hexadecimal: Enter keys as 10 hexadecimal digits (0-9 and A-F) for 64-bit keys, 26 hexadecimal digits for 128-bit keys, or 32 hexadecimal digits for 152-bit keys (802.11a radio only). This is the default setting.

• Alphanumeric: Enter keys as 5 alphanumeric characters for 64-bit keys, 13 alphanumeric characters for 128-bit keys, or 16 alphanumeric characters for 152-bit keys (802.11a radio only).

Key Number—Selects the key number to use for encryption for each VAP interface. If the clients have all four keys configured to the same values, you can change the encryption key to any of the eight settings without having to update the client keys. (Default: Key 1)


Shared Key Setup—Select 64-bit, 128-bit, or 152-bit key length. Note that the same size of encryption key must be supported on all wireless clients. (Default: None)

Note: Key index and type must match that configured on the clients.

In a mixed-mode environment with clients using static WEP keys and WPA, select WEP transmit key index 2, 3, or 4. The access point uses transmit key index 1 for the generation of dynamic keys.

To enable WEP shared keys for a VAP interface, click Security under Radio A or Radio G. Then, select the VAP interface that uses WEP keys by clicking More, and configure the Authentication Type Setup and Encryption fields.

Enabling WEP shared keys

Authentication Type Setup—Sets the access point to communicate as an open system that accepts network access attempts from any client, or with clients using preconfigured static shared keys. (Default: Open System)

• Open System: If you do not set up any other security mechanism on the access point, the network has no protection and is open to all users. This is the default setting.

• Shared Key: Sets the access point to use WEP shared keys. If this option is selected, you must configure at least one key on the access point and all clients.

Note: To use 802.1X on wireless clients requires a network card driver and 802.1X client software that supports the EAP authentication type that you want to use. Windows 2000 SP3 or later and Windows XP provide 802.1X client support. Windows XP also provides native WPA support. Other systems require additional client software to support 802.1X and WPA.


Encryption—Enable or disable the access point to use data encryption (WEP, TKIP, or AES). If this option is selected when using static WEP keys, you must configure at least one key on the access point and all clients. (Default: Disabled)

Note: You must enable data encryption through the Web to enable all types of encryption (WEP, TKIP, or AES) in the access point.

Wi-Fi Protected Access (WPA)

WPA employs a combination of several technologies to provide an enhanced security solution for 802.11 wireless networks.

The access point supports the following WPA components and features:

IEEE 802.1X and the Extensible Authentication Protocol (EAP): WPA employs 802.1X as its basic framework for user authentication and dynamic key management. The 802.1X client and RADIUS server must use an appropriate EAP type—such as EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled TLS), or PEAP (Protected EAP)—for strongest authentication. Working together, these protocols provide mutual authentication between a client, the access point, and a RADIUS server that prevents users from accidentally joining a rogue network. Only when a RADIUS server has authenticated a user's credentials are encryption keys sent to the access point and client.

Note: To implement WPA on wireless clients requires a WPA-enabled network card driver and 802.1X client software that supports the EAP authentication type that you want to use. Windows XP provides native WPA support; other systems require additional software.

Temporal Key Integrity Protocol (TKIP): WPA specifies TKIP as the data encryption method to replace WEP. TKIP avoids the problems of WEP static keys by dynamically changing data encryption keys. Basically, TKIP starts with a master (temporal) key for each user session and then mathematically generates other keys to encrypt each data packet. TKIP provides further data encryption enhancements by including a message integrity check for each packet and a rekeying mechanism, which periodically changes the master key.

WPA Preshared Key Mode (WPA-PSK, WPA2-PSK): For enterprise deployment, WPA requires a RADIUS authentication server to be configured on the wired network. However, for small office networks that do not have the resources to configure and maintain a RADIUS server, WPA provides a simple operating mode that uses just a preshared password for network access. The Pre-Shared Key mode uses a common password for user authentication that is manually entered on the access point and all wireless clients. The PSK mode uses the same TKIP packet encryption and key management as WPA in the enterprise, providing a robust and manageable alternative for small networks.


Mixed WPA and WEP client support: WPA enables the access point to indicate its supported encryption and authentication mechanisms to clients using its beacon signal. WPA-compatible clients can likewise respond to indicate their WPA support. This enables the access point to determine which clients are using WPA security and which are using legacy WEP. The access point uses TKIP unicast data encryption keys for WPA clients and WEP unicast keys for WEP clients. The global encryption key for multicast and broadcast traffic must be the same for all clients, therefore it restricts encryption to a WEP key.

When access is opened to both WPA and WEP clients, no authentication is provided for the WEP clients through shared keys. To support authentication for WEP clients in this mixed mode configuration, you can use either MAC authentication or 802.1X authentication.

WPA2—WPA was introduced as an interim solution for the vulnerability of WEP pending the ratification of the IEEE 802.11i wireless security standard. In effect, the WPA security features are a subset of the 802.11i standard. WPA2 includes the now ratified 802.11i standard, but also offers backward compatibility with WPA. Therefore, WPA2 includes the same 802.1X and PSK modes of operation and support for TKIP encryption. The main differences and enhancements in WPA2 can be summarized as follows:

• Advanced Encryption Standard (AES): WPA2 uses AES Counter-Mode encryption with Cipher Block Chaining Message Authentication Code (CBC-MAC) for message integrity. The AES Counter-Mode/CBC-MAC Protocol (AES-CCMP) provides extremely robust data confidentiality using a 128-bit key. The AES-CCMP encryption cipher is specified as a standard requirement for WPA2. However, the computationally intensive operations of AES-CCMP require hardware support on client devices. Therefore, to implement WPA2 in the network, wireless clients must be upgraded to WPA2-compliant hardware.

• WPA2 mixed-mode: WPA2 defines a transitional mode of operation for networks moving from WPA security to WPA2. WPA2 Mixed Mode allows both WPA and WPA2 clients to associate to a common SSID interface. In mixed mode, the unicast encryption cipher (TKIP or AES-CCMP) is negotiated for each client. The access point advertises its supported encryption ciphers in beacon frames and probe responses. WPA and WPA2 clients select the cipher they support and return the choice in the association request to the access point. For mixed-mode operation, the cipher used for broadcast frames is always TKIP. WEP encryption is not allowed.

• Key caching: WPA2 provides fast roaming for authenticated clients by retaining keys and other security information in a cache, so that if a client roams away from an access point and then returns, reauthentication is not required. When a WPA2 client is first authenticated, it receives a Pairwise Master Key (PMK) that is used to generate other keys for unicast data encryption. This key and other client information form a Security Association that the access point names and holds in a cache.

• Preauthentication: Each time a client roams to another access point, it has to be fully reauthenticated. This authentication process is time consuming and can disrupt applications running over the network. WPA2 includes a mechanism, known as preauthentication, that lets clients roam to a new access point and be quickly associated. The first time a client is authenticated to a wireless network, it has to be fully authenticated. When the client is about to roam to another access point in the network, the access point sends preauthentication messages to the new access point that include the client's security association information. Then, when the client sends an association request to the new access point, the client is known to be already authenticated, so it proceeds directly to key exchange and association.

To configure WPA, click Security under Radio A or Radio G. Select one of the VAP interfaces by clicking More. Select one of the WPA options in the Authentication Setup table, and then configure the parameters displayed beneath the table.

Configuring WPA

The WPA configuration parameters are described as follows:

Encryption—You must enable data encryption to enable all types of encryption (WEP, TKIP, or AES) in the access point.

Preauthentication—When using WPA2 over 802.1X, preauthentication can be enabled, which lets clients roam to a new access point and be quickly associated without performing full 802.1X authentication. (Default: Disabled)


Note: The wireless client network card driver must support preauthentication to use this feature.

Authentication Setup—To use WPA or WPA2, set the access point to one of the following options. If a WPA/WPA2 mode that operates over 802.1X is selected (WPA, WPA2, or WPA-WPA2-mixed), the 802.1X settings and RADIUS server details need to be configured. Be sure you have also configured a RADIUS server on the network before enabling authentication. If a WPA/WPA2 Preshared Key mode is selected (WPA-PSK, WPA2-PSK, or WPA-WPA2 PSK-Mixed), be sure to specify the key string.

• WPA: Clients using WPA over 802.1X are accepted for authentication.

• WPA-PSK: Clients using WPA with a Preshared Key are accepted for authentication.

• WPA2: Clients using WPA2 over 802.1X are accepted for authentication.

• WPA2-PSK: Clients using WPA2 with a Preshared Key are accepted for authentication.

• WPA-WPA2-mixed: Clients using WPA or WPA2 over 802.1X are accepted for authentication.

• WPA-WPA2-PSK-mixed: Clients using WPA or WPA2 with a Preshared Key are accepted for authentication.

WPA Configuration—Each VAP interface can be configured to allow only WPA-enabled clients to access the network (Required), or to allow access to both WPA and WEP clients (Supported). (Default: Required)

Cipher Suite—Selects an encryption method for the global key used for multicast and broadcast traffic, which is supported by all wireless clients.

• WEP: WEP is used as the multicast encryption cipher. Select WEP only when both WPA and WEP clients are supported.

• TKIP: TKIP is used as the multicast encryption cipher.

• AES-CCMP: AES-CCMP is used as the multicast encryption cipher. AES-CCMP is the standard encryption cipher required for WPA2.

WPA Preshared Key Type—If the WPA or WPA2 preshared-key mode is used, all wireless clients must be configured with the same key to communicate with the access point.

• Hexadecimal—Enter a key as a string of 64 hexadecimal numbers.

• Alphanumeric—Enter a key as an easy-to-remember form of letters and numbers. The string must be from 8 to 63 characters, which can include spaces.
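The key-entry rules in this section (WEP key lengths for each key type, and the two WPA preshared key types) can be checked before keys are handed to clients. The following Python sketch is an added example, not Nortel code, and its function names are hypothetical. The passphrase-to-key mapping it uses is the PBKDF2 derivation defined in IEEE 802.11i, which the manual does not describe, so its use by the access point is an assumption.

```python
import hashlib
import string

# Key lengths from the manual: bits -> (hexadecimal digits, alphanumeric characters).
WEP_KEY_FORMATS = {64: (10, 5), 128: (26, 13), 152: (32, 16)}
HEX_DIGITS = set(string.hexdigits)


def validate_wep_key(key, key_type, bits, radio="g"):
    """Return a list of problems with a WEP key entry; an empty list means valid."""
    if bits not in WEP_KEY_FORMATS:
        return [f"unsupported key length: {bits}-bit"]
    problems = []
    if bits == 152 and radio != "a":
        problems.append("152-bit keys are available on the 802.11a radio only")
    hex_len, alnum_len = WEP_KEY_FORMATS[bits]
    if key_type == "hexadecimal":
        if len(key) != hex_len:
            problems.append(f"{bits}-bit hexadecimal keys need {hex_len} digits, got {len(key)}")
        if not set(key) <= HEX_DIGITS:
            problems.append("hexadecimal keys may contain only 0-9 and A-F")
    elif key_type == "alphanumeric":
        if len(key) != alnum_len:
            problems.append(f"{bits}-bit alphanumeric keys need {alnum_len} characters, got {len(key)}")
    else:
        problems.append(f"unknown key type: {key_type}")
    return problems


def wpa_psk(key, key_type, ssid):
    """Return the 256-bit preshared key as 64 lowercase hexadecimal digits.

    A hexadecimal entry is the key itself. An alphanumeric entry is expanded with
    PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt), the IEEE 802.11i mapping.
    """
    if key_type == "hexadecimal":
        if len(key) != 64 or not set(key) <= HEX_DIGITS:
            raise ValueError("hexadecimal preshared keys must be 64 hexadecimal digits")
        return key.lower()
    if key_type == "alphanumeric":
        if not 8 <= len(key) <= 63:
            raise ValueError("alphanumeric preshared keys must be 8 to 63 characters")
        if any(not 32 <= ord(ch) <= 126 for ch in key):
            raise ValueError("alphanumeric preshared keys must be printable ASCII")
        if not 1 <= len(ssid.encode("utf-8")) <= 32:
            raise ValueError("the SSID must be 1 to 32 characters")
        derived = hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid.encode("utf-8"), 4096, 32)
        return derived.hex()
    raise ValueError(f"unknown key type: {key_type}")


if __name__ == "__main__":
    # Constructed sample entries, not keys from any real network.
    print(validate_wep_key("0123456789", "hexadecimal", 64))
    print(validate_wep_key("A" * 32, "hexadecimal", 152, radio="g"))
    # Same passphrase, different SSID: the derived keys differ.
    print(wpa_psk("password", "alphanumeric", "IEEE"))
    print(wpa_psk("password", "alphanumeric", "ieee"))
```

Because the SSID is the salt in this derivation, a client set up with the right passphrase but a different SSID string ends up with a different key.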


The configuration settings for WPA are summarized in the following table:

WPA Configuration Settings

WPA and WPA2 preshared key only:
• Encryption: Enabled
• Authentication Setup: WPA-PSK, WPA2-PSK, or WPA-WPA2-mixed
• Cipher Suite: WEP/TKIP/AES-CCMP
• WPA Preshared Key Type: Hex/ASCII

WPA and WPA2 over 802.1X:
• Encryption: Enabled
• Authentication Setup: WPA, WPA2, WPA-WPA2-mixed
• Cipher Suite: WEP/TKIP/AES-CCMP
• (requires RADIUS server to be specified)

1: You must enable data encryption to enable all types of encryption in the access point.

2: Select TKIP when any WPA clients do not support AES. Select AES only if all clients support AES.

Configuring 802.1X

IEEE 802.1X is a standard framework for network access control that uses a central RADIUS server for user authentication. This control feature prevents unauthorized access to the network by requiring an 802.1X client application to submit user credentials for authentication. The 802.1X standard uses the Extensible Authentication Protocol (EAP) to pass user credentials (either digital certificates, usernames and passwords, or other) from the client to the RADIUS server. Client authentication is then verified on the RADIUS server before the access point grants client access to the network.

The 802.1X EAP packets are also used to pass dynamic unicast session keys and static broadcast keys to wireless clients. Session keys are unique to each client and are used to encrypt and correlate traffic passing between a specific client and the access point. You can also enable broadcast key rotation, so the access point provides a dynamic broadcast key and changes it at a specified interval.

Open the Security page, and click More for one of the VAP interfaces.

Configuring 802.1X


You can enable 802.1X as optionally supported or as required to enhance the security of the wireless network. (Default: Disable)

• Disable: The access point does not support 802.1X authentication for any wireless client. After successful wireless association with the access point, each client is allowed to access the network.

• Supported: The access point supports 802.1X authentication only for clients initiating the 802.1X authentication process (that is, the access point does not initiate 802.1X authentication). For clients initiating 802.1X, only those successfully authenticated are allowed to access the network. For those clients not initiating 802.1X, access to the network is allowed after successful wireless association with the access point. The 802.1X supported mode allows access for clients not using WPA or WPA2 security.

• Required: The access point enforces 802.1X authentication for all associated wireless clients. If 802.1X authentication is not initiated by a client, the access point initiates authentication. Only those clients successfully authenticated with 802.1X are allowed to access the network.

Note: If 802.1X is enabled on the access point, then RADIUS setup must be completed (For further information, see "RADIUS" (page 50)).

When 802.1X is enabled, the broadcast and session key rotation intervals can also be configured.

• Broadcast Key Refresh Rate: Sets the interval at which the broadcast keys are refreshed for stations using 802.1X dynamic keying. (Range: 0-1 440 minutes; Default: 0 means disabled)

• Session Key Refresh Rate: The interval at which the access point refreshes unicast session keys for associated clients. (Range: 0-1 440 minutes; Default: 0 means disabled)

• 802.1X Reauthentication Refresh Rate: The time period after which a connected client must be reauthenticated. During the reauthentication process of verifying the client credentials on the RADIUS server, the client remains connected to the network. Only if reauthentication fails is network access blocked. (Range: 0-65 535 seconds; Default: 0 means disabled)


Status information

The Status page includes information on the following items:

Menu | Description | Page
AP Status | Displays configuration settings for the basic system and the wireless interface | See "Access Point Status" (page 106).
Station Status | Shows the wireless clients currently associated with the access point | See "Station Status" (page 107).
Event Logs | Shows log messages stored in memory | See "Event Logs" (page 108).

Access Point Status

The AP Status window displays basic system configuration settings, as well as the settings for the wireless interface.

Access Point Status settings

AP System Configuration—The AP System Configuration table displays the basic system configuration settings:

• System Up Time: Length of time the management agent has been up.

• Ethernet MAC: The physical layer address for the Ethernet port.

• Radio A MAC: The physical layer address for the 802.11a interface.

• Radio G MAC: The physical layer address for the 802.11b/g interface.

• System Name: Name assigned to this system.

• System Contact: Administrator responsible for the system.

Page 107: Nortel Business Access Point 120 manual

• IP Address: IP address of the management interface for this device.

• IP Default Gateway: IP address of the gateway router between this device and management stations that exist on other network segments.

• HTTP Server: Shows if management access by means of HTTP is enabled.

• HTTP Server Port: Shows the TCP port used by the HTTP interface.

• Software Version: Shows the software version number.

• Bootrom Version: Shows the bootrom version number.

• Hardware Version: Shows the hardware version number.

AP Wireless Configuration—The AP Wireless Configuration tables display the following listed radio and VAP interface settings. Note that Interface Wireless A refers to the 802.11a radio and Interface Wireless G refers to the 802.11b/g radio.

• SSID: The service set identifier for the VAP interface.

• Radio Channel: The radio channel through which the access point communicates with wireless clients.

• Encryption: The key size used for data encryption.

• Authentication Type: Shows the type of authentication used.

• 802.1X: Shows if IEEE 802.1X access control for wireless clients is enabled.

Station Status

The Station Status window shows the wireless clients currently associated with the access point.

Station Status settings

Page 108: Nortel Business Access Point 120 manual

The Station Configuration page displays basic connection information for all associated stations as described in the following list. Note that this page is automatically refreshed every five seconds.

• Station Address: The MAC address of the wireless client.

• Authenticated: Shows if the station has been authenticated. The two basic methods of authentication supported for 802.11 wireless networks are open system and shared key. Open-system authentication accepts any client attempting to connect to the access point without verifying its identity. The shared-key approach uses Wired Equivalent Privacy (WEP) to verify client identity by distributing a shared key to stations before attempting authentication.

• Associated: Shows if the station has been successfully associated with the access point. After authentication is completed, stations can associate with the current access point, or reassociate with a new access point. Using the association procedure, the wireless system can track the location of each mobile client, and ensure that frames destined for each client are forwarded to the appropriate access point.

• Forwarding Allowed: Shows if the station has passed 802.1X authentication and is now allowed to forward traffic to the access point.

• Key Type—Displays one of the following:

— WEP Disabled—The client is not using Wired Equivalent Privacy (WEP) encryption keys.

— Dynamic—The client is using Wi-Fi Protected Access (802.1X or preshared key mode) or using 802.1X authentication with dynamic keying.

— Static—The client is using static WEP keys for encryption.
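A security review of the Station Status fields can be automated once the rows are copied out of the page. The following is an added example, not part of the manual or of Nortel software; only the field names come from the list above, while the pipe-separated row layout, the TRUE/FALSE flag spelling and all sample values are constructed.

```python
# Added example: triage of Station Status rows for a security review.
# Only the field names come from the manual; the row layout and every
# value below are constructed for illustration.
from dataclasses import dataclass

# address | authenticated | associated | forwarding allowed | key type
SAMPLE_ROWS = """\
00-11-22-33-44-01 | TRUE | TRUE | TRUE  | Dynamic
00-11-22-33-44-02 | TRUE | TRUE | TRUE  | Static
00-11-22-33-44-03 | TRUE | TRUE | TRUE  | WEP Disabled
00-11-22-33-44-04 | TRUE | TRUE | FALSE | Dynamic
"""

NO_WEP = "not using WEP encryption keys"
STATIC_WEP = "static WEP keys in use"
NOT_FORWARDING = "associated but has not passed 802.1X (forwarding not allowed)"


@dataclass
class Station:
    address: str
    authenticated: bool
    associated: bool
    forwarding_allowed: bool
    key_type: str


def parse_rows(text):
    """Parse the constructed pipe-separated rows into Station records."""
    stations = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = [field.strip() for field in line.split("|")]
        if len(fields) != 5:
            raise ValueError(f"row {number}: expected 5 fields, got {len(fields)}")
        address, *flags, key_type = fields
        if any(flag.upper() not in ("TRUE", "FALSE") for flag in flags):
            raise ValueError(f"row {number}: flags must be TRUE or FALSE")
        auth, assoc, fwd = (flag.upper() == "TRUE" for flag in flags)
        stations.append(Station(address.lower(), auth, assoc, fwd, key_type))
    return stations


def triage(stations):
    """Map station address to its findings; clean stations are omitted."""
    report = {}
    for station in stations:
        notes = []
        key = station.key_type.lower()
        if key == "wep disabled":
            notes.append(NO_WEP)
        elif key == "static":
            notes.append(STATIC_WEP)
        elif key != "dynamic":
            notes.append(f"unrecognised key type {station.key_type!r}")
        if station.associated and not station.forwarding_allowed:
            notes.append(NOT_FORWARDING)
        if notes:
            report[station.address] = notes
    return report


if __name__ == "__main__":
    for address, notes in triage(parse_rows(SAMPLE_ROWS)).items():
        print(address, "; ".join(notes))
```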

Event Logs

The Event Logs window shows the log messages generated by the access point and stored in memory.

Event Logs

Page 109: Nortel Business Access Point 120 manual

The Event Logs table displays the following information:

• Log Time: The time the log message was generated.

• Event Level: The logging level associated with this message. For a description of the various levels, see "System log" (page 68).

• Event Message: The content of the log message.

Error Messages—An example of a logged error message is: Station Failed to authenticate (unsupported algorithm).

This message can be caused by any of the following conditions:

• Access point was set to Open Authentication, but a client sent an authentication request frame with a Shared key.

• Access point was set to Shared Key Authentication, but a client sent an authentication frame for Open System.

• WEP keys do not match: When the access point uses Shared Key Authentication, but the keys used by the client and the access point are not the same, the frame is decrypted incorrectly, using the wrong algorithm and sequence number.

STP Status

The STP Status window shows the STP status for each port.

STP Status

• ID: Displays the port ID number.

• Priority: The priority designated to the specified port.

• Path Cost: Displays the path cost value for the specified port.

• Status: Displays if STP is enabled or disabled for the specified port.

Page 110: Nortel Business Access Point 120 manual

• State: Displays the STP state for the specified port.

Page 111: Nortel Business Access Point 120 manual

References

Regulatory compliances

The Business Access Point 120 conforms with the following regulatory compliances.

Federal Communication Commission Interference Statement

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:

• Reorient or relocate the receiving antenna

• Increase the separation between the equipment and receiver

• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected

• Consult the dealer or an experienced radio/TV technician for help

FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate this equipment. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

Page 112: Nortel Business Access Point 120 manual

IMPORTANT NOTE: FCC Radiation Exposure Statement

This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 centimeters (8 in.) between the radiator and your body. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.

Wireless 5 GHz Band Statements:

As the Access Point can operate in the 5150-5250 MHz frequency band it is limited by the FCC, Industry Canada and some other countries to indoor use only so as to reduce the potential for harmful interference to co-channel Mobile Satellite systems.

High power radars are allocated as primary users (meaning they have priority) of the 5250-5350 MHz and 5470-5725 MHz bands. These radars could cause interference and/or damage to the access point when used in Canada.

The term “IC” before the radio certification number only signifies that Industry Canada technical specifications were met.

Industry Canada: Class B

This digital apparatus does not exceed the Class B limits for radio noise emissions from digital apparatus as set out in the interference-causing equipment standard entitled “Digital Apparatus,” ICES-003 of Industry Canada.

This digital apparatus complies with the radio noise limits applicable to Class B digital apparatus prescribed in the standard on interference-causing equipment: “Digital Apparatus,” NMB-003, issued by Industry.

Australia and New Zealand

EC Conformance Declaration

Page 113: Nortel Business Access Point 120 manual

Marking by the preceding symbol indicates compliance with the Essential Requirements of the R and TTE Directive of the European Union (1999/5/EC). This equipment meets the following conformance standards:

• EN 60950-1 (IEC 60950-1) - Product Safety

• EN 301 893 - Technical requirements for 5 GHz radio equipment

• EN 300 328 - Technical requirements for 2.4 GHz radio equipment

• EN 301 489-1 / EN 301 489-17 - EMC requirements for radio equipment

Countries of Operation and Conditions of Use in the European Community

This device is intended to be operated in all countries of the European Community. Requirements for indoor vs. outdoor operation, license requirements and allowed channels of operation apply in some countries as described below:

Note: The user must use the configuration utility provided with this product to ensure the channels of operation are in conformance with the spectrum usage rules for European Community countries as described below.

• This device requires that the user or installer properly enter the current country of operation in the command line interface as described in the user guide, before operating this device.

• This device will automatically limit the allowable channels determined by the current country of operation. Incorrectly entering the country of operation may result in illegal operation and may cause harmful interference to other systems. The user is obligated to ensure the device is operating according to the channel limitations, indoor/outdoor restrictions and license requirements for each European Community country as described in this document.

• This device employs a radar detection feature required for European Community operation in the 5 GHz band. This feature is automatically enabled when the country of operation is correctly configured for any European Community country. The presence of nearby radar operation may result in temporary interruption of operation of this device. The radar detection feature will automatically restart operation on a channel free of radar.

• The 5 GHz Turbo Mode feature is not allowed for operation in any European Community country. The current setting for this feature is found in the 5 GHz 802.11a Radio Settings Window as described in the user guide.

• The 5 GHz radio’s Auto Channel Select setting described in the user guide must always remain enabled to ensure that automatic 5 GHz channel selection complies with European requirements. The current setting for this feature is found in the 5 GHz 802.11a Radio Settings Window as described in the user guide.

Page 114: Nortel Business Access Point 120 manual

• This device is restricted to indoor use when operated in the European Community using the 5.15 - 5.35 GHz band: Channels 36, 40, 44, 48, 52, 56, 60, 64. See "Allowed 5GHz Channels in Each European Community Country" (page 114) for allowed 5 GHz channels by country.

• This device may be operated indoors or outdoors in all countries of the European Community using the 2.4 GHz band: Channels 1 - 13, except where noted below.

— In Italy the end-user must apply for a license from the national spectrum authority to operate this device outdoors.

— In Belgium outdoor operation is only permitted using the 2.46 - 2.4835 GHz band: Channel 13.

— In France outdoor operation is only permitted using the 2.4 - 2.454 GHz band: Channels 1 - 7.

Operation Using 5 GHz Channels in the European Community

The user/installer must use the provided configuration utility to check the current channel of operation and make necessary configuration changes to ensure operation occurs in conformance with European National spectrum usage laws as described below and elsewhere in this document.

Allowed 5GHz Channels in Each European Community Country

Allowed Frequency Bands | Allowed Channel Numbers | Countries
5.15 - 5.25 GHz* | 36, 40, 44, 48 | Austria, Belgium
5.15 - 5.35 GHz* | 36, 40, 44, 48, 52, 56, 60, 64 | France, Switzerland, Liechtenstein
5.15 - 5.35* and 5.470 - 5.725 GHz | 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140 | Denmark, Finland, Germany, Iceland, Ireland, Italy, Luxembourg, Netherlands, Norway, Portugal, Spain, Sweden, U.K.
5 GHz Operation Not Allowed | None | Greece

* Outdoor operation is not allowed using 5.15-5.35 GHz bands (Channels 36 - 64).

Page 115: Nortel Business Access Point 120 manual

Declaration of Conformity in Languages of the European Community

Page 116: Nortel Business Access Point 120 manual

Safety Compliance

Power Cord Safety

Read the following safety information carefully before installing the access point:

WARNING
Installation and removal of the unit must be carried out by qualified personnel only.

• The unit must be connected to an earthed (grounded) outlet to comply with international safety standards.

• Do not connect the unit to an A.C. outlet (power supply) without an earth (ground) connection.

• The appliance coupler (the connector to the unit and not the wall plug) must have a configuration for mating with an EN 60320/IEC 320 appliance inlet.

• The socket outlet must be near to the unit and easily accessible. You can only remove power from the unit by disconnecting the power cord from the outlet.

• This unit operates under SELV (Safety Extra Low Voltage) conditions according to IEC 60950. The conditions are only maintained if the equipment to which it is connected also operates under SELV conditions.

• The PoE (Power over Ethernet) is to be interconnected with other equipment that must be contained within the same building, including the interconnected equipment’s associated LAN connections.

France and Peru only

This unit cannot be powered from IT† supplies. If your supplies are of IT type, this unit must be powered by 230 V (2P+T) via an isolation transformer ratio 1:1, with the secondary connection point labelled Neutral, connected directly to earth (ground).

† Impédance à la terre (impedance to earth)

Page 117: Nortel Business Access Point 120 manual

Important! Before making connections, make sure you have the correct cord set. Check it (read the label on the cable) against the following:

Power Cord Set

U.S.A. and Canada | The cord set must be UL-approved and CSA certified. The minimum specifications for the flexible cord are: No. 18 AWG, not longer than 2 meters, or 16 AWG; Type SV or SJ; 3-conductor. The cord set must have a rated current capacity of at least 0.5 A. The attachment plug must be an earth-grounding type with NEMA 5-15P (15 A, 125 V) or NEMA 6-15P (15 A, 250 V) configuration.
Denmark | The supply plug must comply with Section 107-2-D1, Standard DK2-1a or DK2-5a.
Switzerland | The supply plug must comply with SEV/ASE 1011.
U.K. | The supply plug must comply with BS1363 (3-pin 13 A) and be fitted with a 5 A fuse which complies with BS1362. The mains cord must be <HAR> or <BASEC> marked and be of type HO3VVF3GO.75 (minimum).
Europe | The supply plug must comply with CEE7/7 ("SCHUKO"). The mains cord must be <HAR> or <BASEC> marked and be of type HO3VVF3GO.75 (minimum). IEC-320 receptacle.

Page 118: Nortel Business Access Point 120 manual

Power Cord Safety: France

Page 119: Nortel Business Access Point 120 manual

Power Cord Safety: Germany

Page 120: Nortel Business Access Point 120 manual

Twisted-pair cable assignments

For 10/100BASE-TX connections, a twisted-pair cable must have two pairs of wires. Each wire pair is identified by two different colors. For example, one wire might be green and the other, green with white stripes. Also, an RJ-45 connector must be attached to both ends of the cable.

CAUTION
Each wire pair must be attached to the RJ-45 connectors in a specific orientation.

CAUTION
DO NOT plug a phone jack connector into the RJ-45 port. Use only twisted-pair cables with RJ-45 connectors that conform with FCC standards.

Page 121: Nortel Business Access Point 120 manual

The following figure illustrates how the pins on the RJ-45 connector are numbered. Be sure to hold the connectors in the same orientation when attaching the wires to the pins.

RJ-45 connector pin numbering

10/100BASE-TX pin assignments

Use unshielded twisted-pair (UTP) or shielded twisted-pair (STP) cable for RJ-45 connections: 100-ohm Category 3 or better cable for 10 Mb/s connections, or 100-ohm Category 5 or better cable for 100 Mb/s connections. Also be sure that the length of any twisted-pair connection does not exceed 100 meters (328 feet).

The RJ-45 port on the access point is wired with MDI pinouts. This means that you must use crossover cables for connections to PCs or servers, and straight-through cable for connections to switches or hubs. However, when connecting to devices that support automatic MDI/MDI-X pinout configuration, you can use either straight-through or crossover cable.

10/100BASE-TX MDI port pinouts

Pin | MDI Signal Name
1 | Transmit Data plus (TD+)
2 | Transmit Data minus (TD-)
3 | Receive Data plus (RD+)
4 | GND (Positive Vport)
5 | GND (Positive Vport)
6 | Receive Data minus (RD-)
7 | -48V feeding power (Negative Vport)
8 | -48V feeding power (Negative Vport)

Note: The “+” and “-” signs represent the polarity of the wires that make up each wire pair.

Page 122: Nortel Business Access Point 120 manual

Straight-through wiring

Because the 10/100 Mb/s port on the access point uses an MDI pin configuration, you must use straight-through cable for network connections to hubs or switches that only have MDI-X ports.

Straight-through wiring configuration

Wiring map for serial cable

DB9 Male (AP Console) | | | DB9 Male (PC DTE) |
Pin | Function | | Pin | Function
1 | GND (ground) | —— | 5 | GND (ground)
2 | Unused | | 4 | Unused
3 | RXD (receive data) | ← | 3 | TXD (transmit data)
4 | TXD (transmit data) | → | 2 | RXD (receive data)
5 | Unused | | 1 | Unused
6 | Unused | | 9 | Unused
7 | RTS (request to send) | → | 8 | CTS (clear to send)
8 | CTS (clear to send) | ← | 7 | RTS (request to send)
9 | Unused | | 6 | Unused

Note: The left hand column pin assignments are for the male DB-9 connector on the access point. Pin 4 (TXD or “transmit data”) must emerge on the management console’s end of the connection as RXD (“receive data”). Pin 8 (CTS or “clear to send”) must emerge on the management console’s end of the connection as RTS (“request to send”).

Page 123: Nortel Business Access Point 120 manual

Glossary

The following terms are used in this document.

10BASE-T
IEEE 802.3 specification for 10 Mb/s Ethernet over two pairs of Category 3 or better UTP cable.

100BASE-TX
IEEE 802.3u specification for 100 Mb/s Fast Ethernet over two pairs of Category 5 or better UTP cable.

Access Point
An internetworking device that seamlessly connects wired and wireless networks. Access points attached to a wired network support the creation of multiple radio cells that enable roaming throughout a facility.

Ad hoc
A group of computers connected as an independent wireless network, without an access point.

Advanced Encryption Standard (AES)
An encryption algorithm that implements symmetric key cryptography. AES provides very strong encryption using a completely different ciphering algorithm to TKIP and WEP.

Authentication
The process to verify the identity of a client requesting network access. IEEE 802.11 specifies two forms of authentication: open system and shared key.

Backbone
The core infrastructure of a network. The portion of the network that transports information from one central location to another central location where it is unloaded onto a local system.

Page 124: Nortel Business Access Point 120 manual

Basic Service Set (BSS)
A set of 802.11-compliant stations and an access point that operate as a fully-connected wireless network.

Beacon
A signal periodically transmitted from the access point that is used to identify the service set, and to maintain contact with wireless clients.

Broadcast key
Broadcast keys are sent to stations using 802.1X dynamic keying. Dynamic broadcast key rotation is often used to allow the access point to generate a random group key and periodically update all key-management capable wireless clients.

CSMA/CA
Carrier Sense Multiple Access with Collision Avoidance.

Dynamic Host Configuration Protocol (DHCP)
Provides a framework for passing configuration information to hosts on a TCP/IP network. DHCP is based on the Bootstrap Protocol (BOOTP), adding the capability of automatic allocation of reusable network addresses and additional configuration options.

Encryption
Data passing between the access point and clients can use encryption to protect from interception and eavesdropping.

Extended Service Set (ESS)
More than one wireless cell can be configured with the same Service Set Identifier to allow mobile users to roam between different cells with the Extended Service Set.

Extensible Authentication Protocol (EAP)
An authentication protocol used to authenticate network clients. EAP is combined with IEEE 802.1X port authentication and a RADIUS authentication server to provide “mutual authentication” between a client, the access point, and a RADIUS server.

Ethernet
A popular local area data communications network, which accepts transmission from computers and terminals.

File Transfer Protocol (FTP)
A TCP/IP protocol used for file transfer.

Page 125: Nortel Business Access Point 120 manual

Hypertext Transfer Protocol (HTTP)
HTTP is a standard used to transmit and receive all data over the World Wide Web.

Internet Control Message Protocol (ICMP)
A network layer protocol that reports errors in processing IP packets. ICMP is also used by routers to feed back information about better routing choices.

IEEE 802.11a
A wireless standard that supports high-speed communications in the 5 GHz band using Orthogonal Frequency Division Multiplexing (OFDM). The standard supports data rates of 6, 12, 24, and 54 Mb/s.

IEEE 802.11b
A wireless standard that supports wireless communications in the 2.4 GHz band using Direct Sequence Spread Spectrum (DSSS). The standard provides for data rates of 1, 2, 5.5, and 11 Mb/s.

IEEE 802.11g
A wireless standard that supports wireless communications in the 2.4 GHz band using Orthogonal Frequency Division Multiplexing (OFDM). The standard provides for data rates of 6, 9, 11, 12, 18, 24, 36, 48, 54 Mb/s. IEEE 802.11g is also backward compatible with IEEE 802.11b.

IEEE 802.1X
Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication.

Infrastructure
An integrated wireless and wired LAN is called an infrastructure configuration.

Inter Access Point Protocol (IAPP)
A protocol that specifies the wireless signaling required to ensure the successful handover of wireless clients roaming between different 802.11f-compliant access points.

Local Area Network (LAN)
A group of interconnected computer and support devices.

MAC address
The physical layer address used to uniquely identify network nodes.

Page 126: Nortel Business Access Point 120 manual

Network Time Protocol (NTP)
NTP provides the mechanisms to synchronize time across the network. The time servers operate in a hierarchical-master-slave configuration to synchronize local clocks within the subnet and to national time standards by means of wire or radio.

Open system
A security option which broadcasts a beacon signal including the access point’s configured SSID. Wireless clients can read the SSID from the beacon, and automatically reset their SSID to allow immediate connection to the nearest access point.

Orthogonal Frequency Division Multiplexing (OFDM)
OFDM allows multiple users to transmit in an allocated band by dividing the bandwidth into many narrow bandwidth carriers.

Power over Ethernet (PoE)
A specification for providing both power and data to low-power network devices using a single Category 5 Ethernet cable. PoE provides greater flexibility in the locating of access points and network devices, and significantly decreased installation costs.

RADIUS
A logon authentication protocol that uses software running on a central server to control access to the network.

Roaming
A wireless LAN mobile user moves around an ESS and maintains a continuous connection to the infrastructure network.

RTS threshold
Transmitters contending for the medium may not be aware of each other. The RTS/CTS mechanism can solve this “Hidden Node Problem.” If the packet size is smaller than the preset RTS Threshold size, the RTS/CTS mechanism will not be enabled.

Service Set Identifier (SSID)
An identifier that is attached to packets sent over the wireless LAN and functions as a password for joining a particular radio cell; that is, Basic Service Set (BSS).

Session key
Session keys are unique to each client, and are used to authenticate a client connection, and correlate traffic passing between a specific client and the access point.

Page 127: Nortel Business Access Point 120 manual

Shared key
A shared key can be used to authenticate each client attached to a wireless network. Shared Key authentication must be used along with the 802.11 Wired Equivalent Privacy algorithm.

Simple Network Management Protocol (SNMP)
The application protocol in the Internet suite of protocols that offers network management services.

Simple Network Time Protocol (SNTP)
SNTP allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server. Updates can be requested from a specific NTP server, or can be received by means of broadcasts sent by NTP servers.

Temporal Key Integrity Protocol (TKIP)
A data encryption method designed as a replacement for WEP. TKIP avoids the problems of WEP static keys by dynamically changing data encryption keys.

Trivial File Transfer Protocol (TFTP)
A TCP/IP protocol commonly used for software downloads.

Virtual Access Point (VAP)
Virtual AP technology multiplies the number of Access Points present within the RF footprint of a single physical access device. With Virtual AP technology, WLAN users within the device footprint can associate with what appears to be different access points and their associated network services. All the services are delivered using a single radio channel, enabling Virtual AP technology to optimize the use of limited WLAN radio spectrum.

Virtual LAN (VLAN)
A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.

Wi-Fi protected access
WPA employs 802.1X as its basic framework for user authentication and dynamic key management to provide an enhanced security solution for 802.11 wireless networks.

Page 128: Nortel Business Access Point 120 manual

Wired Equivalent Privacy (WEP)
WEP is based on the use of security keys and the popular RC4 encryption algorithm. Wireless devices without a valid WEP key are excluded from network traffic.

WPA Preshared Key (PSK)
PSK can be used for small office networks that do not have the resources to configure and maintain a RADIUS server. WPA provides a simple operating mode that uses just a preshared password for network access.


Page 129: Nortel Business Access Point 120 manual
Page 130: Nortel Business Access Point 120 manual

BAP120

Using the Nortel Business Access Point 120

Copyright © 2006, Nortel Networks
All Rights Reserved.

Publication: NN47921-301
Document status: Standard
Document version: 01.01
Document date: August 2006

Sourced in Canada and the United States of America.

To order documentation from Nortel Networks Global Wireless Knowledge Services, call (1) (877) 662-5669

To report a problem in this document, call (1) (877) 662-5669 or send e-mail from the Nortel Networks Customer Training & Documentation World Wide Web site at www.nortel.com/documentfeedback.
