SMC Networks ELITECONNECT SMC2502W User Manual

WLAN Security System
EliteConnect WLAN Security System
♦ Full authentication support—supports RADIUS, LDAP, 802.1x, Kerberos, Windows NT/2000 domain and built-in database.
♦ VPN support allows secure wireless communications to and from wireless clients.
♦ Rights-based network access increases network security by providing network administrators full control on users' access to a network, based on user identification, location, and time.
♦ Web-based configuration is easy to use, convenient and provides simple configuration management.
♦ Network access and usage policies can be set for trusted users and guests by user identification, location, and time.
♦ Roaming across different subnets and persistent session roaming eliminates the need for re-authentication by roaming users.
User Manual
SMC2504W
SMC2502W


Summary of Contents for SMC Networks ELITECONNECT SMC2502W

  • Page 1 ♦ Full authentication support—supports RADIUS, LDAP, 802.1x, Kerberos, Windows NT/2000 domain and built-in database. ♦ VPN support allows secure wireless communications to and from wireless clients. ♦ Rights-based network access increases network security by providing network administrators full control on users’ access to a network, based on user identification, location, and time.
  • Page 3 EliteConnect WLAN Security System Manual. From SMC’s EliteConnect line of enterprise wireless LAN solutions. 38 Tesla, Irvine, CA 92618. Phone: (949) 679-8000. March 2002. Part No. 01-111343-006...
  • Page 5 Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use.
  • Page 6 A product is considered to be “Active” while it is listed on the current SMC price list. As new technologies emerge, older technologies become obsolete and SMC will, at its discretion, replace an older product in its product line with one that incorporates these newer technologies. At that point, the obsolete product is discontinued and is no longer an “Active”...
  • Page 7 WARRANTY SHALL BE TAKEN TO AFFECT YOUR STATUTORY RIGHTS. * SMC will provide warranty service for one year following discontinuance from the active SMC price list. Under the limited lifetime warranty, internal and external power supplies, fans, and cables are covered by a standard one-year warranty from date of purchase.
  • Page 8 Compliances FCC - Class A This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
  • Page 9: Table Of Contents

    Preface -vii Introduction 1-1 Overview 1-2 The EliteConnect WLAN Security System 1-3 WLAN Access Manager 1-4 Control Server 1-4 Rights Manager 1-5 Users and Authentication 1-5 Rights 1-6 Network Address Translation 1-6 Packet Filters 1-7 Session Redirectors 1-7 Valid Times 1-7 Timers 1-7 Configuring the WLAN Security System 2-1...
  • Page 10 Controlling the System Functions 4-1 Creating and Storing a Backup Image 4-2 Creating a Backup Image 4-2 Saving the Backup 4-4 Restoring a Backed-Up Image 4-5 Updating the System Software 4-7 Rebooting or Shutting Down the System 4-9 Viewing System Status 5-1 Viewing Status Information 5-2 Viewing WLAN Access Managers 5-3 Viewing the Active Client List 5-4...
  • Page 11 Modifying the Group/Allows Column 6-31 Deleting a Group 6-33 Adding, Modifying, or Deleting a User 6-34 Adding a New User 6-34 Modifying a User’s Characteristics 6-36 Deleting a User 6-36 Adding a MAC Address as a User 6-38 Enforcing Authentication 6-40 To use the Built-in Authentication service: 6-42 To use the LDAP Authentication Service: 6-42 To use the RADIUS Authentication Service: 6-43...
  • Page 12 CLI Help Commands B-2 CLI Access Control Commands B-2 Diagnostic Commands B-3 System Status Commands B-4 Diagnostic Log Commands B-5 Active Client Management Commands B-6 System Configuration and Control Commands B-6 Upgrading the System Software B-6 Stopping and Restarting the System B-7 Network Configuration B-8 Access Manager Configuration B-9 Control Server Configuration B-11...
  • Page 13 Simple Network Management Protocol D-1 Introduction to WLAN Security System SNMP D-2 Supported Management Information Base Objects D-3 MIB Objects D-3 System MIB D-4 Hardware Description MIB Object D-5 Hardware Version MIB Object D-5 Software Version MIB Object D-5 Serial Number MIB Object D-5 Environmental Monitoring Objects D-6 Cooling Fan Registry MIB Objects D-6 Traps D-7...
  • Page 15 How To Use This Document This document contains procedural information describing all configuration and management of the SMC2504W EliteConnect WLAN Secure Server and SMC2502W WLAN Access Manager. Each procedure is written in a task-oriented format consisting of numbered step-by-step instructions that enable you to perform a series of actions to accomplish a stated objective.
  • Page 16: Introduction

    Document Conventions: Boldface Palatino, Italic Palatino, Courier. Organization: This document is organized as follows: Chapter 1—Introduction This chapter provides an overview of the EliteConnect WLAN Security System and describes how the components operate. Chapter 2—Configuration This chapter explains how to configure your EliteConnect WLAN Security System.
  • Page 17: Rights Tutorial

    Appendix B—Command Line Interface This appendix provides a description of the command line interface. Appendix C—Rights Tutorial Appendix This appendix explains Rights Management through examples. Appendix D—Simple Network Management Protocol This appendix describes the Management Information Base modules used in EliteConnect WLAN Security System.
  • Page 19: Overview

    Introduction This chapter gives a brief description of the SMC EliteConnect WLAN Security System Solution products. It consists of the following sections: 1.1 Overview ......... 1-2...
  • Page 20 Overview The WLAN Security System permits fine-grained access control and transparent Layer 3 roaming capabilities for wireless and wired IP networks. The IP traffic of each user machine or client can be individually authenticated, controlled, redirected, and logged for auditing or billing purposes. When clients move through the enterprise, their open sessions are transparently forwarded so that the sessions are not terminated.
  • Page 21: Wlan Access Manager

    The EliteConnect WLAN Security System Figure 1-1 shows the EliteConnect WLAN Security System. Figure 1-1. The SMC EliteConnect WLAN Security System Solution The EliteConnect WLAN Security System consists of three logical functions: • WLAN Access Manager • Control Server • Rights Manager There are two physical components of the EliteConnect WLAN Security System: •...
  • Page 22: Rights Manager

    Initially, the WLAN Access Manager knows of no connected devices. As a user sends a packet through a wireless access point, it forwards the packet to the network through the WLAN Access Manager. The WLAN Access Manager uses...
  • Page 23: Users And Authentication

    The Rights Manager also offers an advanced authentication option in which multiple authentication methods can be used. WLAN Access Manager, the initial set of rights sent by the...
  • Page 24: Network Address Translation

    Passive Authentication Alternatively, you can choose one of the following passive methods for user-level authentication. The following all require user-level authentication and the EliteConnect WLAN Security System can use these authentication services for its own user authentication: • NT/2000 domain login •...
  • Page 25: Timers

    If the client does not respond to the probe (an ARP request) after a period of idleness, the WLAN Access Manager removes the client’s data from its... for more information about...
  • Page 26 internal tables and informs the Rights Manager. The Rights Manager starts the linger timer. If the linger timer expires, the user must re-authenticate. Introduction...
  • Page 27 Configuring the WLAN Security System This chapter describes how to configure the WLAN Secure Server and WLAN Access Manager so that they work with your enterprise network after you have installed it, as described in the EliteConnect WLAN Security System Installation Guide.
  • Page 28: Configuring The Wlan Security System

    Administrative Login To log in: Step 1. Set your browser to the IP address or hostname of the WLAN Secure Server or WLAN Access Manager. Step 2. Press Enter. The Administrator Login Screen appears, as shown in... Any system connected through a WLAN Access Manager’s or WLAN Secure Server’s ports can access the web interface through the specially recognized URL: http://42.0.0.1.
  • Page 29 Figure 2-2. Main Menu for the WLAN Secure Server. Figure 2-3. Main Menu for the WLAN Access Manager...
  • Page 30: Changing Your Network Configuration

    This chapter explains the Configuration functions of the Main Menu; other topics are discussed in other chapters, as shown in the topic table (Airwave Security, System Functions, Viewing the System). Changing Your Network Configuration The WLAN Security System Installation Manual explains initial network installation. Refer to this section if you need to change your network configuration.
  • Page 31 Type the hostname as a fully qualified domain name. Note: SMC recommends creating a hostname. Use a hostname to prevent your users from getting an SSL warning about an unknown SSL certificate when they first see the Logon screen. If you enter a hostname, the DNS at your site must resolve the hostname to the IP address you select.
  • Page 32: Advanced Network Settings

    Secure Server needs to know how to locate the DHCP server. In this case, called DHCP relay, the WLAN Access Manager relays the client DHCP request to the DHCP server at the administrator-specified IP address. When the WLAN Access Manager or WLAN Secure Server receives the reply, it relays it to the client.
  • Page 33 This Layer 2 protocol is used by Cisco network hardware and software to manage a network of Cisco devices. Click Wireless Network Access Protocol to enable WNMP packets through this WLAN Secure Server or WLAN Access Manager. This Layer 2 protocol is used by Symbol Technologies, Inc. network hardware to manage a network of Symbol devices.
  • Page 34 Click Other. You can enter arbitrary tcpdump syntax in this box to specify what Layer 2 traffic to allow through this WLAN Secure Server or WLAN Access Manager. Any tcpdump-enabled packets are in addition to those enabled by checking CDP, WNMP, or Multicast options, above. Appendix A Examples: CDP enable tcpdump syntax...
  • Page 35 WLAN Access Manager or WLAN Secure Server will then rewrite source IP address and source port number of client packets sent to the network (NAT and PAT functions). Packets received by a WLAN Access Manager or WLAN Secure Server from the network sent in reply to the NAT and PAT packets are relayed to the appropriate client with the destination IP address and destination port number rewritten as appropriate.
  • Page 36: Setting The Shared Secret

    Note: Network routers must be configured to route traffic destined for the subnet defined by the Port Settings to the WLAN Access Manager or WLAN Secure Server. Step 8. Click Update. Setting the Shared Secret All WLAN Access Managers must prove to a system’s WLAN Secure Server that they are trusted.
  • Page 37: Setting The Secure Server Ip Address And Shared Secret

    SNMP enables network administrators to manage their networks. The SNMP subsystem enables the WLAN Access Manager and WLAN Secure Server to be monitored via SNMP from a network management application such as HP OpenView, Aprisma SPECTRUM, or SMC EliteView. Figure 2-8.
  • Page 38 SNMP is disabled by default. Click Yes to enable SNMP. Step 3. Type your Community Name, which is analogous to a password. The default name is public; SMC recommends that you change it to increase your security. Step 4. Type the port number of your SNMP Port.
  • Page 39: Specifying Location Description

    Click Submit Changes to save your settings. Specifying Location Description Specifying locations is helpful in a wireless system for system debugging and management. This is an optional screen. The WLAN Secure Server Location information is readable by SNMP. This screen applies to the WLAN Access Manager and WLAN Secure Server.
  • Page 40: Specifying Session Logging

    Step 2. Type the location of the WLAN Secure Server Location, for example, Network Closet 2 on the 4th floor of the Physics Building. Step 3. Type the location of Port 1, for example, Advanced Physics Lab. Step 4. Type the location of Port 2, for example, Conference Room 12. Step 5.
  • Page 41: Configuring The Time And Date

    Figure 2-11. Specify Session Logging Step 2. Click Yes to enable Session Login. Step 3. Type a Syslog Server IP address. Step 4. Choose your Syslog Facility from the drop-down list. You can choose Daemon, User, or Local 0 through 7. Use Syslog settings that interoperate with your enterprise Syslog server.
  • Page 42: Viewing Online Documentation And Help

    Figure 2-12. Configuring the Time and Date You can either get the time from an NTP server or set it yourself. Step 3. To use an NTP server, click Get time from server for a primary and an optional secondary NTP server. You can enter either a hostname or an IP address for the NTP servers.
  • Page 43 Figure 2-13. WLAN Secure Server Documentation and Release Notes Step 2. Click EliteConnect WLAN Security System User Manual to see this document in HTML or PDF format. The HTML pages of this document contain blue hypertext links. The online help is organized by the topic of the screen: for example, if you click Help on the Time and Date screen, a screen appears with information on setting the time and date.
  • Page 45: Vpn Security (Airwave Security)

    VPN Security (Airwave Security) This chapter explains how to secure the airwaves between the client and the WLAN Access Manager or WLAN Secure Server. This VPN or Airwave security is an integrated feature of the EliteConnect WLAN Security System that creates a secure VPN tunnel to protect your information over the airwaves.
  • Page 46: Configuring Vpn Security (Airwave Security)

    As such, both protocols include IP address assignment features that are not really necessary in a wireless environment. Both protocols also include facilities for user-level authentication and for non-IP protocols.
  • Page 47: Ipsec

    Configuration of IPSec on the WLAN Security System consists primarily of noting which algorithm the SMC system is prepared to negotiate. It is up to the client system to propose algorithms, and the SMC server either agrees or not.
  • Page 48: Performance And Security

    Rights Manager location, which is part of the WLAN Secure Server, that allows (or requires) PPTP and L2TP. [Table: Strength and Encryption speed comparison of the VPN protocols] Table 3-2 shows availability of... Table...
  • Page 49 The WLAN Access Manager configuration of PPTP and L2TP is relatively simple. First, you either enable or disable PPTP and L2TP. Then, you configure IP address assignment. Since PPTP and L2TP were originally designed as remote access protocols, used by traveling clients to access their home network, the PPTP and L2TP protocols assign an IP address to the client computer.
  • Page 50: Configuring Pptp Or L2Tp

    DHCP server assign as an IP address. Step 5. If you clicked IP address range, type the appropriate IP address range for your enterprise network. Figure 3-1. PPTP and L2TP...
  • Page 51: Configuring Ipsec

    Step 6. Click Submit Changes. Note: To complete the PPTP or L2TP configuration, you need to configure PPTP settings as shown above on the WLAN Access Manager, as well as the WLAN Secure Server’s Rights Manager, and on the client application. Configuring IPSec Configuration of IPSec consists of three parts in the WLAN Access Manager: enable or disable, specifying the shared secret, and checking allowed encryption...
  • Page 52 Step 10. Click IP Address Range and type the range of IP addresses to be assigned by the WLAN Access Manager or WLAN Secure Server. Step 11. Click Submit Changes to save your settings.
  • Page 53 This chapter describes how to create, store, and restore a backup file, update system software, and shut down the WLAN Secure Servers and WLAN Access Managers. It also describes how to reset the SMC WLAN Secure Server to its factory defaults.
  • Page 54: Creating And Storing A Backup Image

    WLAN Access Manager’s data, as necessary, rather than creating a large backup file. SMC recommends that you create data backups on a regular basis. If you make significant changes to the Rights Manager, back up these changes.
  • Page 55 It is important that you save your back-up image to a local computer. If your WLAN Secure Server configuration becomes inoperable, you can restore your back-up image that is stored on another system. Figure 4-2.
  • Page 56: Saving The Backup

    Once you create your image file, you must save it to a local system. You cannot restore a backed-up image from the WLAN Secure Server or WLAN Access Manager. 4.1.2 Saving the Backup To save the backup image to your local computer: Step 1.
  • Page 57: Restoring A Backed-Up Image

    To restore a previously backed-up image: Step 1. Click Backup and Restore from the Main menu. The Backup and Restore screen appears, as shown in Figure 4-6. If you are using the Internet... Figure...
  • Page 58 Figure 4-7. Backup and Restore Screen Step 2. Click Restore From File. The Confirm Restore from File screen appears, as shown in Figure 4-8. Confirm Restore From File Use the Browse feature, if necessary, to locate the backed-up image you want to restore.
  • Page 59: Updating The System Software

    The Update Software screen appears, as shown in... Step 2. Type the URL from which you want to download the software. This field provides the latest version available. If you leave this blank, the...
  • Page 60 SMC FTP server site where upgrade images are stored. Figure 4-10. Entering the Update Software Step 3. Type your Key. The key is a password that enables you to use this version, which you get from Technical Support.
  • Page 61: Rebooting Or Shutting Down The System

    To reboot, shut down, or reset your WLAN Secure Server to factory default settings and reboot: Step 1. Click System Shutdown from the Main Menu. The System Shutdown screen appears, as shown in Figure 4-12.
  • Page 62 Step 2. Click Reboot this System to reboot. The Confirm System Reboot screen appears. Click Continue with System Reboot button to proceed with the reboot. Step 3. Click Shutdown and Power Off to shut down the system. The Confirm System Shutdown and Power Off screen appears. Click the Continue with Shutdown and Power Off to proceed with the reboot.
  • Page 63 Step 5. Click Main Menu if you do not want to reboot or shut down. Caution: If you reboot a WLAN Access Manager, you will erase the logs and backup information.
  • Page 65 Viewing System Status This chapter explains how to view the system status of the WLAN Secure Server and WLAN Access Manager. It consists of the following sections: 5.2 Viewing WLAN Access Managers ....5-3 5.3 Viewing the Active Client List ...
  • Page 66: Viewing System Status

    Viewing Status Information This chapter explains how to view information about the WLAN Secure Server and WLAN Access Manager. The screens that provide this information let you filter the information. This enables you to easily find the WLAN Security System information that you need.
  • Page 67: Viewing Wlan Access Managers

    To sort column headings, click the column heading, such as MAC address or IP address, as shown in Viewing WLAN Access Managers The WLAN Access Manager List shows all the currently connected WLAN Access Managers to your WLAN Secure Server. Use this list to manage the WLAN Access Managers.
  • Page 68: Viewing The Active Client List

    Viewing the Active Client List The Active Client list shows the status of all connected clients. To view the Active Client List screen: Step 1. Click View Active Clients from the Main Menu. The View Active Client screen appears, as shown in The screen presents user name, machine name, IP address, port number, sessions, and the idle time for each active session.
  • Page 69 Table 5-2 Client Information. Client: the MAC address (hardware ID) of the client. User: the name of the user, if known; otherwise the MAC address. Machine name: the name of the machine, if known. IP Address: IP address for the client’s machine. Address Status: information about how the IP address was assigned. WLAN Access...
  • Page 70: Viewing Active Session Information

    Step 5. Click Go to Rights Manager, if appropriate. Clicking this button takes you to the Home Rights Manager screen, as shown in Figure... Viewing Active Session Information Viewing active sessions provides information on a client’s open sessions. From this screen, you learn more about a client’s network traffic.
  • Page 71: Viewing Log Files

    Table 5-3 Understanding the Active Session Information (headings: MAC address, Client Source, Actual Source, Client Destination, Actual Destination, Port, Xmit, Recv). Viewing Log Files The WLAN Security System provides two types of logs for WLAN Secure Servers and WLAN Access Managers: •...
  • Page 72: Session Logs

    Step 2. Click on any log file. Step 3. The most recent entries are shown first by default. You can list the entries in reverse time order by deselecting Show most recent first and clicking Apply Filter. Step 4. You can filter log files based on severity, time period, or search based on any string you type;...
  • Page 73: Viewing Version And License Information

    Table 5-4 Session Log Parameters (entries: Name, Start, Duration, MACaddr, Protocol, Client.Source, Client.Dest, Actual.Source, Actual.Dest, Bytes.Xmit, Bytes.Rcvd). Viewing Version and License Information You should know the current version of software run by your WLAN Security System to upgrade your software or contact Technical Support. This page also tells you the latest configuration change, IP address and Ethernet adapters.
  • Page 75 Configuring the Rights Manager This chapter explains how to configure the Rights Manager for the WLAN Secure Server. It includes the following sections: 6.1 Rights Manager Terminology ......6-2 6.2 About the Rights Manager .
  • Page 76: Rights Manager Terminology

    Rights Manager Terminology The Rights Manager uses common terms in a very specific manner. Before starting to administer rights, make sure you understand these terms: A Location is a group of wheres. A Where is a WLAN Access Manager or a WLAN Access Manager port or a specific client.
  • Page 77: About The Rights Manager

    • Redirect port • Redirect IP address (Section 6.9, Redirecting Packets). Linger: a timer for how long the client is allowed to remain known by the Rights Manager after being disassociated from the WLAN Access Manager. If the linger setting is not exceeded, then the next time clients associate, they will receive the rights they had before they disassociated. Expire: a timer that determines how long rights are valid after they are allocated to a client.
  • Page 78: Two Simple Rights Examples

    6.2.1 Two Simple Rights Examples The following simple examples explain at a high level why you might want to change rights. First, there is the visiting professor who comes to Cold Creek University for the month of January. Second, the contractors who are implementing a new student database for Cold Creek University need extra hours to complete the project on schedule.
  • Page 79: Getting To The Rights Manager

    When: Where: When = Admin office, Usual Bldg., General Contractors. Getting to the Rights Manager To go to the Rights Manager: Step 1. Set your browser to the IP address or hostname of the WLAN Secure Server or WLAN Access Manager. Step 2.
  • Page 80: Changing Rights Associated With Locations

    Why Change Rights You must configure the initial rights that are associated with a location to enable the SMC WLAN Secure Server. After configuring initial rights, you might need to add locations, modify the rights associated with a location, or delete locations because the locations or the functions housed in the location might change.
  • Page 81: Adding A Location

    As an example, a room that was once used only for college professors might become a location used for graduate students’ thesis demonstrations to defend their research. In this example, you might want to limit access to only graduate students so that only these students can use network resources. 6.4.2 Adding a Location To add a location:...
  • Page 82 Step 2. Click New Location. The Location Editor appears, as shown in Step 3. Type a location name. Step 4. Add or change the Where: Click New under Where to add a new WLAN Access Manager. See Adding a WLAN Access Click Edit under Where to change the properties of an existing WLAN Access Manager.
  • Page 83 Note: If you leave When blank, it is available all of the time. Step 6. Add or change Groups: Click New under Group to add a new group. Click Edit under Group to change a group’s rights. Note: All groups are disallowed except for those that you specifically allow.
  • Page 84 Step 16. Click to enable either MS-CHAP v2 or to enable MS-CHAP or MS-CHAP... Step 17. Click Update. The Locations Editor now shows Music in the Location Name textbox, as shown in Figure 6-9. Figure 6-9. Location Editor With New Location to be Added
  • Page 85: Modifying A Location

    6.4.3 Modifying a Location You can modify the following location attributes: its name, the ports in use, the times, groups, and other options that allow it to be available for use. To modify the characteristics of a location: Step 1. In the Location Manager, as shown in location name that you want to modify.
  • Page 86: Deleting A Location

    6.4.4 Deleting a Location To delete a location: Step 1. Click a Location that you want to delete from the Location Editor, as shown in Figure 6-11. Figure 6-11. Location Manager with a Location to be Deleted Step 2. Click Delete. The Delete Confirmation Screen appears, as shown in Figure 6-12 on page...
  • Page 87: Changing Wlan Access Manager Rights

    Figure 6-12. Delete Location Confirmation Step 3. If you are sure you want to delete this location, click Yes. Otherwise, click... 6.4.5 Changing WLAN Access Manager Rights You might want to add, change, or delete rights associated with a WLAN Access Manager if your environment has changed.
  • Page 88 Figure 6-13. Location Manager Step 2. Click New Location to add a WLAN Access Manager from the Locations Manager menu. The Locations Editor appears, as shown in Figure 6-14 on page 6-15.
  • Page 89 Figure 6-14. Location Editor Step 3. Click New under Where. The Where Editor appears, as shown in Figure 6-15.
  • Page 90 Step 4. Click New to add a new WLAN Access Manager. The WLAN Access Manager Editor appears, as shown in Figure 6-16. WLAN Access Manager Editor Step 5. Type the WLAN Access Manager Name. Step 6. Type the MAC address. You can find the MAC address in the WLAN Access Manager Version and License screen.
  • Page 91 Step 8. Click Update to create a new WLAN Access Manager. The Where Editor appears with your new WLAN Access Manager, as shown in Figure Step 9. Type a name for your Where. Figure 6-17. Where Editor with the New WLAN Access Manager Step 10.
  • Page 92 Figure 6-18. Location Editor with New Where Added Step 12. Click Update.
  • Page 93: Modifying A Wlan Access Manager

    Modifying a WLAN Access Manager To modify a WLAN Access Manager: Step 1. Go to the Where Editor, as shown in Figure 6-19. Where Editor with Graham and Geology Step 2. Click Edit. The Choose a WLAN Access Manager to Edit screen appears with the list of the WLAN Access Managers at that location, as shown in Figure 6-20.
  • Page 94: Changing Other Where Properties

    Figure 6-21. WLAN Access Manager Editor Step 4. Change the MAC Address or comment as required. Step 5. When you are done, click Update. The WLAN Access Manager is modified or created if you changed the WLAN Access Manager name. Changing Other Where Properties You can change other Where properties, as shown in To change Where properties:...
  • Page 95: Deleting A Where

    • Click the checkbox for the Watch for NT Domain logons or Watch for 802.1x logons to interoperate with your enterprise environment. • Type a new Client MAC address. Section C.14, Example 9, Public Kiosk Location MAC address. Click Update. Deleting a Where To delete a Where: Step 1.
  • Page 96: Changing Group Properties

    Figure 6-25. Where Delete Confirmation Screen Step 4. To delete the Where, click Yes. Otherwise, click No. Changing Group Properties Users can be members of one or more groups. Making a user a member of a group is the basic way to deliver a set of rights for a collection of users. Group properties include: •...
  • Page 97 Step 2. Click New Group. Step 3. Type the Group Name that you want to add, in this example, Contractors, as shown in Figure 6-27 on page 6-24. Figure 6-26. Groups Manager...
  • Page 98 Figure 6-27. Group Editor with Contractors Step 4. Check the appropriate Group Type. Step 5. Choose specific times when this group is allowed access. Under Valid Times, click New. The When Editor appears, as shown in... Choose the appropriate times this set of rights is valid, or none if the rights are always valid.
  • Page 99 Table 6-1 Group Editor Rights Entries Entry Group Name Group Type Valid Times Has Rights Match an NT Group Name Static IP allowed Override max user restrictions Max concurrent logons per user Linger Seconds Expire Seconds Enable HTTP Proxy Use a browser cookie to optimize logoffs HTTP Proxy IP Address HTTP Proxy Port...
  • Page 100: Modifying A Group's Rights

    Contractors Added Figure 6-28. Groups Manager With Group Contractors Added 6.5.2 Modifying a Group’s Rights This section describes how to modify a group that was previously created by: • Initially configuring the times when a group can access • Changing the times when the group can access •...
  • Page 101 Figure 6-29. Group Manager The Group Editor appears as shown in Figure 6-30 on page 6-28.
  • Page 102 Figure 6-30. Group Editor Step 2. Click New under Valid Times. The When Editor appears, as shown in Figure 6-31 on page 6-29.
  • Page 103 Step 3. Assign a name to the When Name. In this example, the name assigned is Contractors. Step 4. Choose the days and times that the group has access. You can choose All dates or a specific range of dates. You might have a visitor, for example, who is with you for the month of January, so you could click from January 1 through January 31.
  • Page 104: Changing The Time That A Group Is Valid

    Figure 6-32. Group Editor with Valid Times Step 6. Click Update. Changing the Time that a Group is Valid After setting initial valid times for a group, you might need to change the valid times. Reasons to change schedules might include: •...
  • Page 105: Modifying The Group/Allows Column

    Step 4. Choose the new valid times: either a range of dates, days, or times. Step 5. Click Update. Modifying the Group/Allows Column You can modify the Group Allows Column so that you see a subset of the Allows. To change which groups appear in the Groups Manager: Step 1.
  • Page 106 The Group/Allow Column Modifier screen appears, as shown in Figure 6-35. Group Allow Column Modifier Use the Group/Allow Column Modifier to include or exclude any Allows in the Groups Manager. To choose the columns to display, choose one of the following options: •...
  • Page 107: Deleting A Group

    • Click Edit to view the Allows in the Allow Editor. • Click New to create new Allows. • Click Select All or Select None to select all or no allows, respectively. When you are done, click Update. The Groups Manager appears with the columns you have selected.
  • Page 108: Adding, Modifying, Or Deleting A User

    Figure 6-37. Group Delete Confirmation Step 4. Click Yes to delete the Group. Adding, Modifying, or Deleting a User This section shows you how to add, modify, or delete a user for the Rights Manager. It also explains how to add a specific MAC address as a user. Users can belong to one or more groups, or to no group.
  • Page 109 Figure 6-39. Entering a New User in User Editor Step 3. Type the User Name. Step 4. Select the Group of which this user is a member. See 6.5.1 Adding a New Group on page 6-22 if you need to add a new group. Step 5.
  • Page 110: Modifying A User's Characteristics

    6.6.2 Modifying a User’s Characteristics You might want to change or add a user’s group membership to associate the user with a group with a different set of rights. To modify a user’s name, group membership, or password: Step 1. In the Users Manager, as shown in you want to modify.
  • Page 111 Click User to Delete Figure 6-42. Selecting a User to Delete Step 2. The User Editor screen appears, as shown in the user you selected. Figure 6-43. User Editor With User Selected Step 3. To delete this user, click Delete. The Delete Confirmation screen, as shown in Figure 6-44 on page 6-38...
  • Page 112: Adding A Mac Address As A User

    You can add a specific MAC address as a user. Typical applications for this feature include an Access Point, a server running without user intervention, a wireless device without SSL capability, or a specific user who does not want to log on.
  • Page 113 Step 2. Type the MAC address in the User Name text box, as shown in Step 3. Click the This user is a MAC address user check box. Figure 6-46. User Editor with MAC Address for User Name Step 4. Click Update.
  • Page 114: Enforcing Authentication

    MAC address user to a particular Normal group. You must allow that Normal group at the locations where you want those rights to apply. Enforcing Authentication SMC uses the following authentication services: • Built-in (the default service created by SMC) • LDAP • RADIUS • Kerberos The Built-in service is available if you choose not to use the other authentication services in place.
  • Page 115 Click Figure 6-48. Clicking Authentication from User Manager Screen If you are choosing an Authentication service for the first time, you see the Built-in method screen, as shown in Figure 6-49 on page 6-41. If you have previously chosen an Authentication Service, you see the screen for that service.
  • Page 116: To Use The Built-In Authentication Service:

    To use the Built-in Authentication service: Step 1. Click the Built-in checkbox on the Authentication screen, as shown in Figure 6-49 on page Step 2. Click Update. Step 3. If you configure 802.1x Logons, use the Where Editor from the Location Editor to enable watching for 802.1x logons.
  • Page 117: To Use The Radius Authentication Service:

    Step 2. Enter the information requested. The information is needed to interoperate with your enterprise LDAP service. See Table 6-2 LDAP Authentication Options Entry Name Server Username field Port Timeout Base DN Group Field Receive user password Password field Password Encryption Anonymous bind Bind using rootdn/rootpw Rootdn...
  • Page 118: To Use The Kerberos Authentication Service:

    Figure 6-51. RADIUS Authentication Screen Step 2. Enter the information requested. A description of these fields is given in Table 6-3 RADIUS Authentication Options Entry Name Server Port Secret Group Field Timeout Supports Microsoft’s attributes (RFC 2548) Step 3. Click Update when you are done. To use the Kerberos Authentication Service: Step 1.
  • Page 119 Step 2. Enter the information requested. Note: When using Kerberos authentication, you must synchronize the time between the SMC WLAN Secure Server and the Kerberos authentication server to within five minutes, otherwise Kerberos authentication does not work properly. A description of the Kerberos fields is given in...
  • Page 120: To Use The Advanced Authentication Service:

    To use the Advanced Authentication Service: Step 1. From the Rights Manager Authentication screen, click Advanced. The Advanced Authentication screen appears, as shown in Figure 6-53. Advanced Authentication Screen Use Advanced Authentication when you want multiple authentication realms or when you want default realms to support multiple authentication services. Step 2.
  • Page 121: Creating A New Authentication Realm

    Creating a New Authentication Realm To create a new Authentication Realm: Step 1. Click New Realm. The Realm Editor appears, as shown in Step 2. Type the name of the Realm. Step 3. Click the checkbox to make this the default realm, if appropriate. Step 4.
  • Page 122 Step 1. Under Authentication realms, click the Realm you want to modify from the Realm Editor screen, as shown in Figure 6-55. Choose a Realm to Modify The Realm Editor screen appears, as shown in Step 2. Click the checkbox to make this the default realm, if appropriate. 6-48 Figure 6-54.
  • Page 123 Step 3. Click the checkbox to use this realm for PPTP authentication, if appropriate. Step 4. Use the move arrows (<< or >>) to choose the methods you want into the Use these methods box. The methods that appear are based on authentication services that you previously selected.
  • Page 124: Changing Rights-Allows In Groups

    Changing Rights-Allows in Groups This section describes how you can change the rights that are assigned to a group. You can add, modify and delete rights allows to groups. 6.8.1 Adding Rights-Allows Step 1. Click Groups. The Groups Manager screen appears, as shown in Figure 6-57.
  • Page 125 Figure 6-58. Allow Editor Step 4. Type the Allow Name, as shown in Figure 6-59. Figure 6-59. Typing New Allow Name
  • Page 126 Step 5. Click Update. The Allow Editor appears, as shown in Figure 6-60. Figure 6-60. New Allow Added to Groups Manager Step 6. If you click Advanced in Figure 6-59, the Filter screen appears, as shown in Figure 6-61.
  • Page 127: Modifying A Rights-Allow

    For more detailed information on adding advanced allows or redirects, see the tcpdump manual page. 6.8.2 Modifying a Rights-Allow To modify an existing rights-allow: Step 1. To change an allow for a particular group, check or uncheck the box corresponding to that allow-group intersection in the Groups Manager, as shown in Figure 6-57 on page Step 2.
  • Page 128: Redirecting Packets

    Figure 6-62. Allow Delete Confirmation Screen Step 2. If you want to delete the allow, click Yes. Otherwise, click No. Redirecting Packets Redirects specify packets that are allowed to be forwarded, but require that these packets be redirected to a new destination, also specified by the redirect. An example is requesting a DNS server;...
  • Page 129 Select Contractors for Redirects Figure 6-63. Selecting a Group from the Groups Manager Screen
  • Page 130 The Group Editor Screen appears with the name of the group given under Group Name, as shown in Figure 6-64. Figure 6-64. Group Editor Screen With Group Selected Step 2. Under Redirects, click New if you want to create a redirect. Click Edit if you want to change an existing redirect.
  • Page 131 Step 3. Choose the Redirect to edit from the drop-down list. The Redirect Editor appears, as shown in Step 4. Select the Protocol and the address to which you want packets redirected. Then, click Update. A Redirect called SHOES appears on the Group Editor, as shown in Figure 6-67 on page Figure 6-65.
  • Page 132: Deleting A Redirect

    Figure 6-67. Group Editor with New Redirect Added 6.9.2 Deleting a Redirect To delete a redirect: Step 1. From the Group Editor, as shown in redirect you want to delete, under the proper group. Click Edit. The Redirect Editor appears, as shown in Step 2.
  • Page 133: Changing Allows And Redirect Rights

    Figure 6-68. Delete Redirect Confirmation Screen Step 4. If you want to delete the Redirect, click Yes. Otherwise, click No. Changing Allows and Redirect Rights To change Allow Rights: Step 1. From the Group Editor, click Edit under Allow to change the type of Allows rights for a group.
  • Page 134: Changing A Group's Redirect Rights

    Step 6. Click Update. Changing a Group’s Redirect Rights To change a group’s Redirect rights: Step 1. Click New Redirect to change Redirect rights. The Redirect Editor appears, as shown in Figure 6-71. Figure 6-70. Advanced Allow
  • Page 135 Step 2. Type the Redirect Name. Step 3. Choose the Protocol, Port or Address you want redirected. Step 4. Choose the address or an address and port to which you want the Redirect packets sent. Step 5. Click Advanced if you want to filter for a specific tcpdump string. Figure 6-71.
  • Page 136 Figure 6-72. Filter Redirect Editor Step 6. Click Update.
  • Page 137: Displaying Rights

    6.10 Displaying Rights To display rights for a user: Step 1. From any Rights Manager screen, click Debug, as shown in Figure 6-73. Figure 6-73. Rights Manager Screen The Rights Debugger appears, as shown in Figure 6-74. Step 2. Select either the Built-in User, LDAP, or RADIUS user, along with the location and time, whose rights you want to display.
  • Page 138 Step 3. Click Show Me. The rights for the user you have selected appear, as shown in Figure 6-75. Figure 6-75. Rights for Logon User Step 4. Click Done when you are finished viewing the rights. When simulating the rights for an LDAP or RADIUS user, use the Everyone Else user from the drop-down list.
  • Page 139 Figure 6-76. Selecting Guest User at Location Everywhere Else Step 6. Click Show Me and the Rights for Guests screen appears, as shown in Figure 6-77.
  • Page 140 Figure 6-77. Rights for Guest Step 7. When you have finished, click Done.
  • Page 141: Rights Manager Logs

    Use this option if you are unable to authenticate to your LDAP server. If you click this checkbox, the Rights Manager records the next LDAP authentication attempt. You can send this log to SMC for analysis. Files.
  • Page 142: Changing The Rights Manager Log Display

    6.12 Importing and Exporting Rights You can import rights from one SMC WLAN Secure Server to another. Importing rights enables you to add a number of groups or users without going through the user interface for each one. The screen enables you to import rights, export rights, and download an XML schema.
  • Page 143: Exporting A Set Of Rights

    Step 2. Type the name of the file to be imported into the text box or use Browse to locate the file. Step 3. Click Upload to upload the import file. Step 4. Click Update to see the progress of the upload. Exporting a Set of Rights To export a set of rights: Step 1.
  • Page 144: Downloading The Xml Schema

    Figure 6-80. Confirm Rights Export Step 2. Click Continue with rights export. You see the screen showing the completed export image with the new date, as shown in Downloading the XML Schema To download the XML schema: Step 1. Click Schema to download the current XML schema. The schema is a text file that you can view with any text editor.
  • Page 145: Customizing The Logon Screen

    certificate signing request and to upload the SSL certificate that is used during the logon process. You might want to customize the logon screen: • To make users aware of your enterprise’s name. You can include your organization’s logo and a brief welcome message. •...
  • Page 146 The Appearance customization screen appears, as shown in Figure 6-83 on page 6-72. Figure 6-83. Customizing the Location Appearance Step 5. To update the logo for the logon screen: Type the name of a GIF, JPEG, or PNG file or other browser-compatible file format that contains the logo you want.
  • Page 147: Generating An Ssl Certificate Signing Request

    Step 9. Check that the new logon screen logo, text, and stop image and text are correct, as shown in Figure 6-84. Figure 6-84. Customized Logon Screen 6.13.2 Generating an SSL Certificate Signing Request If you want to use a certificate that is signed by an external signing authority, you must generate a custom certificate.
  • Page 148 Figure 6-85. Entering information in Appearance Screen Step 2. Click Generate CSR. The Appearance Screen reappears, with the information you entered and the Certificate Signing Request, as shown in Figure 6-86. Upload SSL Certificate You use this certificate signing request either to request a certificate from a certificate authority (for example, VeriSign) or to create your own self-signed certificate using an SSL toolkit, for example OpenSSL.
  • Page 149 Step 3. Copy the CSR (including the full BEGIN and END lines and all dashes) and submit it to a certificate authority. Or you can use the CSR to generate your own self-signed certificate. Step 4. Type the filename of the certificate you received from the certificate authority (the one you generated).
  • Page 151 Syntax of Client Rights This appendix describes client rights as referred to by the tcpdump utility. The expression selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which the expression is ‘true’...
  • Page 152: Syntax Of Client Rights

    Allowable primitives are shown in Table A-1 Allowable Primitives Primitive dst host host src host host host host ether dst ehost ether src ehost ether host ehost dst net net src net net net net net net mask mask net net/len dst port port src port port port port...
  • Page 153 Table A-1 Allowable Primitives (Continued) Primitive / Explanation: ip proto protocol ip protochain protocol ether broadcast ip broadcast ether multicast ip multicast ether proto protocol vlan [vlan_id] tcp, udp, icmp expr relop expr True if the packet is an IP packet (see ip(4P)) of protocol type protocol.
  • Page 154 Primitives can be combined using: • A parenthesized group of primitives and operators. • Negation (`!' or `not'). • Concatenation (`&&' or `and'). • Alternation (`||' or `or'). Negation has highest precedence. Alternation and concatenation have equal precedence and associate left to right. Note that explicit `and' tokens, not juxtaposition, are now required for concatenation.
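The precedence rules above differ from what many people expect: `and` does not bind tighter than `or`, so `udp or tcp and dst port 80` means `(udp or tcp) and dst port 80`. The following evaluator is an added example, not code from the SMC manual or from tcpdump itself; it implements exactly the combination rules stated here (parenthesised groups, `!`/`not` binding tightest, `&&`/`and` and `||`/`or` at equal precedence associating left to right, no concatenation by juxtaposition) over a small set of primitives (tcp, udp, ip, [src|dst] host, [src|dst] port). The packet dictionary, the helper names and the client and web-server addresses are assumptions of the example; the match strings are the ones that appear in the manual's client_rights XML.

```python
"""Evaluator for the filter-expression grammar summarised in Appendix A (added example)."""
import re
from typing import Dict, List, Tuple, Union

Packet = Dict[str, Union[str, int]]
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[^\s()!&|]+")
WORD_OPS = {"&&": "and", "||": "or", "!": "not"}
STOP = {None, "and", "or", "not", "(", ")"}


def tokenize(expr: str) -> List[str]:
    """Split on whitespace, parentheses and symbolic operators; map symbols to words."""
    return [WORD_OPS.get(tok, tok) for tok in TOKEN_RE.findall(expr)]


class FilterParser:
    """Recursive-descent parser producing a small tuple-based syntax tree."""

    def __init__(self, expr: str) -> None:
        self.toks = tokenize(expr)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self) -> str:
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def parse(self) -> Tuple:
        tree = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return tree

    def expr(self) -> Tuple:
        # and/or share one precedence level and associate left to right,
        # so "a or b and c" parses as ((a or b) and c).
        left = self.unary()
        while self.peek() in ("and", "or"):
            op = self.take()
            left = (op, left, self.unary())
        return left

    def unary(self) -> Tuple:
        if self.peek() == "not":            # negation binds tightest
            self.take()
            return ("not", self.unary())
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            if self.peek() != ")":
                raise ValueError("missing ')'")
            self.take()
            return inner
        words = []
        while self.peek() not in STOP:      # a primitive runs until an operator or paren
            words.append(self.take())
        if not words:
            raise ValueError("expected a primitive")
        return ("prim", tuple(words))


def eval_primitive(words: Tuple[str, ...], pkt: Packet) -> bool:
    if words[0] in ("tcp", "udp"):
        # A protocol qualifier restricts the rest of the primitive, e.g. "tcp dst port 80".
        return pkt["proto"] == words[0] and (len(words) == 1 or eval_primitive(words[1:], pkt))
    if words == ("ip",):
        return True                         # every packet in this model is IP
    if words[0] in ("src", "dst"):
        sides, rest = [words[0]], words[1:]
    else:
        sides, rest = ["src", "dst"], words  # unqualified host/port matches either direction
    if len(rest) == 2 and rest[0] in ("host", "port"):
        value = int(rest[1]) if rest[0] == "port" else rest[1]
        return any(pkt[f"{side}_{rest[0]}"] == value for side in sides)
    raise ValueError(f"unsupported primitive {' '.join(words)!r}")


def evaluate(tree: Tuple, pkt: Packet) -> bool:
    kind = tree[0]
    if kind == "prim":
        return eval_primitive(tree[1], pkt)
    if kind == "not":
        return not evaluate(tree[1], pkt)
    left, right = evaluate(tree[1], pkt), evaluate(tree[2], pkt)
    return (left and right) if kind == "and" else (left or right)


def matches(expr: str, pkt: Packet) -> bool:
    """True if the filter expression selects this packet."""
    return evaluate(FilterParser(expr).parse(), pkt)


def packet(proto: str, src_host: str, src_port: int, dst_host: str, dst_port: int) -> Packet:
    return {"proto": proto, "src_host": src_host, "src_port": src_port,
            "dst_host": dst_host, "dst_port": dst_port}


# Constructed sample packets: 192.168.2.248 and 42.0.0.1 are the addresses in the
# manual's client_rights XML; the client and web-server addresses are made up.
DNS_QUERY = packet("udp", "10.1.1.20", 40000, "192.168.2.248", 53)
WEB_TO_OUTSIDE = packet("tcp", "10.1.1.20", 40001, "198.51.100.7", 80)
WEB_TO_LOGON = packet("tcp", "10.1.1.20", 40002, "42.0.0.1", 80)

# Match strings taken from the manual's XML rights dump.
DNS_REDIRECT = "(udp dst port 53) or (tcp dst port 53)"
HTTP_LOGON_REDIRECT = "(tcp dst port 80 and not dst host 42.0.0.1)"
LOGON_PAGE_ALLOW = "tcp dst port 444 and dst host 42.0.0.1"
```

Running `matches(HTTP_LOGON_REDIRECT, WEB_TO_OUTSIDE)` returns True while the same expression on `WEB_TO_LOGON` returns False, which is the redirect's intent: browser traffic is sent to the logon page unless it is already headed there. The evaluator is useful when checking a hand-written Advanced allow or redirect filter: because a filter with a misplaced `or` silently selects more or fewer packets than intended, run it against a few constructed packets before saving it.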
  • Page 155: Command Line Interface

    Command Line Interface This appendix documents the commands that are available on the serial console as part of the Command Line Interface (CLI). The CLI enables initial configuration and subsequent troubleshooting of the WLAN Security System. The Command Line Interface commands are listed in the following categories: B.1 Syntax for Command Line Interface .
  • Page 156: Syntax For Command Line Interface

    Syntax for Command Line Interface The following text explains the syntax used for the command line interface. Bold courier indicates commands you can type. Italics indicate variables. You must replace variables with the appropriate value for your network. An option inside a set of square brackets ([ ]) indicates that specifying this value is optional, for example: debug ip [interface] where specifying an interface is an option you can choose.
  • Page 157: Diagnostic Commands

    Show IP traffic on an interface. The console session is restarted after the command is completed. interface The interface to watch. The default interface is the external interface. The available interfaces are: The external interface. This interface is sometimes called the uplink interface.
  • Page 158: System Status Commands

    Translates to: tcpdump -en -i interface ip debug interface [interface] Show traffic on an interface. The console session is restarted after the command is completed. interface Translates to: tcpdump -en -i interface debug tcpport port [interface] Show specified TCP port traffic on an interface. The console session is restarted after the command is completed.
  • Page 159: Diagnostic Log Commands

    Clear the error log. critical log entries crit error and critical log entries warning, error and critical log entries warn notice, warning, error, and critical log entries...
  • Page 160: Active Client Management Commands

    Active Client Management Commands Use these commands to manage Active Clients. show clients [mac [sort (mac | ip | user | machine | port | sessions | idle)] [reverse] List active clients. mac-address MAC (Ethernet) address to display. Format: xx:xx:xx:xx:xx:xx show client mac mac-address [ rights ] List active sessions for a client.
  • Page 161: Stopping And Restarting The System

    Shuts down the system. The URL encoded location of the software release to install. The host must be an FTP server. The software release install key. Automatically reboot after installing the upgrade. The upgraded software is not activated until the system is rebooted.
  • Page 162: Network Configuration

    factoryreset Restores the user configurable data with factory defaults. B.8.3 Network Configuration set hostname hostname Set the system's hostname. The system hostname is also used as the SNMP system name. hostname clear hostname Clear the system's hostname. show ip Show the current IP configuration. set gateway ip-address Set the IP address of the default router.
  • Page 163: Access Manager Configuration

    Other set dhcpserver ip-address Set the IP address to be used as a DHCP server for clients connected to an Cisco Discovery Protocol Wireless Network Access Protocol IP Multicast Type any string...
  • Page 164 Access Manager that does not use NAT. ip-address clear dhcpserver Reset the currently configured DHCP server value. show dhcpserver Show the currently configured DHCP server value. set forwardipbroadcasts none | port-list Specify the ports that should have IP broadcast forwarding enabled. none port-list show forwardipbroadcasts Show the list of ports that have IP broadcast forwarding enabled.
  • Page 165: Control Server Configuration

    Clear the NTP servers IP address or hostnames. This command also disables the NTP service if it was enabled. set datetime date time The syslog server IP address. The syslog server logging facility. The default is daemon.
  • Page 166: Backup And Restore

    Display information about the list of local backups and the status of a running store backup or get backup task. B.10 SNMP Configuration and Reporting Commands Note: The SMC EliteConnect WLAN Security System supports MIB 2-compliant MIB objects. The current date in yyyy/mm/dd format. The current time in format.
  • Page 167 Sets up an IP address to receive traps. delete snmptrapreceiver all | ip-address Deletes a trap receiver, or all of them. show snmp Shows the current SNMPv1 configuration. sysContact object, defined in RFC 1213 as “the textual...
  • Page 168 B-14 Command Line Interface...
  • Page 169 Rights Tutorial So you’re supposed to set up the rights for the WLAN Secure Server. There seem to be users, groups, locations, allows, redirects, wheres, and whens. What does it all mean? This section explains how to properly set up your system. This appendix provides some examples of how to structure rights.
  • Page 170: Starting With Locations

    Starting with Locations How are rights handed out by the EliteConnect WLAN Security System? To start, we must answer some basic questions. For this system we need to know: Who, When, and Where. Let’s start with Where. Step 1. Click Goto Rights Manager from the Main Menu. To understand what is going on, the best place to start is the Location editor.
  • Page 171 Figure C-2. Location Editor for Everywhere Else Notice that in this location we can start to answer some of the Who question, but we cannot yet answer the When question. We have not yet specified any times that groups can access the network from this location. This particular location is always valid.
  • Page 172: Group Editor

    Each location has the following groups: Table C-1 Allowed Groups (Group Name: Number) Logon: Must have one. Guest: None or only one. User group: None or only one. Normal: None or more. Group Editor To better understand the Rights Manager, let’s look at the Group Editor. Step 1.
  • Page 173: Logon Expire Times For Groups

    Notice that the types of groups correspond to the group selectors on the Location Editor, shown in Figure groups, which are then automatically added to the list of Logon, Guest, User or Normal groups for use in the Location Editor. See for more information.
  • Page 174: Default Groups

    When a guest logs on, the only expire time that matters is the one set for the Guest group at that location. When a user logs on, the expire times for the user’s groups and the expire times for the implicit User group all come into play. The Rights Manager uses the maximum expire time from the set of valid groups for this user, and uses it as an indicator of when this client needs to re-authenticate.
  • Page 175: Guest Rights

    HTTP logon redirect HTTPS logon redirect HTTPS Logon page Internal Admin UI Internal rights UI Kerberos SOCKS Redirect DNS Redirect C.2.4 Guest Rights Guest rights are shown in The Rights Debugger displays how rights are allocated to a client based on who, when, and where.
  • Page 176 Guest rights for this example are explained below: • DHCP, DNS redirect, and HTTPS Logon page are the same as the Logon group. • Outside World allows the guest access to anything except a machine that is on the @INTRANET@ network. This is defined by the settings in the Network configuration web page.
  • Page 177: User Rights

    • SSL Stop page and Stop page allow access to port 81 and port 446, which are used to display the stop page once a client is redirected to it. See Logon Screen for more information. C.2.5 User Rights User Rights are shown in Figure C-5.
  • Page 178 Figure C-5. User Rights shown in the Rights Debugger In this example: • All IP allows access to all network traffic. • DNS redirect, and Logon page shortcut are the same as above. C-10 Rights Tutorial...
  • Page 179: Required Rights

    C.2.6 Required Rights We assume administrators will customize rights as they see fit. The only absolutely required Allows and Redirects are those that allow the user to log on. Specifically, these are the three Redirects and one Allow: • HTTP logon redirect •...
  • Page 180: Example 1, Rights Debugger

    to filter off some of the user’s groups if those groups are not allowed at that location. Also remember that groups can have Whens associated with them, so a user being a member of that group does not guarantee that those rights are always granted to that user.
  • Page 181 • User: There is a drop-down list for any created users, and three special users: Guest, Logon, and Everyone Else. Everyone Else is used to see how an LDAP, Kerberos, or RADIUS user would receive rights. • Location: There is a drop-down list containing all locations that have been created, and the pre-existing Everywhere Else location.
  • Page 182 Figure C-8. Rights for Guest Table C-4 explains the Rights Debugger.
  • Page 183 Table C-4 Rights Explained Right Match groups=Guest Guest Initial Group Expire = Guest:Never Location Expire = Everywhere Else:Never Final Group Expire = Guest: Never Allows = HTTPS Logon page, DHCP, Outside World, SSL Stop page. HTTP logon redirector Redirects = DNS redirect:Internal blocker, Logon page shortcut, No internal rights UI, no...
  • Page 184 <encryption_required>False</encryption_required> <ipsec> <stance>Accept</stance> </ipsec> <pptp> <stance>Deny</stance> <mppe_bits>0</mppe_bits> <min_mschap>0</min_mschap> </pptp> <l2tp> <stance>Deny</stance> <mppe_bits>0</mppe_bits> <min_mschap>0</min_mschap> </l2tp> <ip_redirects> <ip_redirect> <match>(udp dst port 53) or (tcp dst port 53)</match> <ip>192.168.2.248</ip> <port>0</port> </ip_redirect> <ip_redirect> <match>(tcp dst port 80 and not dst host 42.0.0.1)</match> <ip>192.168.10.86</ip> <port>82</port> </ip_redirect>...
  • Page 185: Example 2, Allowed User Groups

    <allow>tcp dst port 444 and dst host 42.0.0.1</allow> <allow>udp dst port 88</allow> <allow>(tcp dst port 139) or (udp dst port 138) or (udp dst port 137)</allow> </allow_filters> <block_redirects> </block_redirects> </client_rights> Table C-5 defines the variables. Table C-5 Variable Definitions Variable Definition @SERVER@ IP Address of the box as typed in on the Network Configuration page...
  • Page 186 Step 3. Next, let’s add Example group 2, following the procedure in the Rights Management chapter. Step 4. Make it as follows: • a Normal group • Linger 0 • Expire NEVER • Allow All IP traffic • DNS redirect •...
  • Page 187 Step 5. Click New User in the User Manager. The User Editor screen appears, as shown in Step 6. Add user Fred, and make Fred a member of both Example Group 1, and Example Group 2. A password is not necessary since we don’t really care in this example. Step 7.
  • Page 188 Figure C-11. User Editor for Fred Step 8. After adding user Fred, go back to the Rights Debugger, as shown in Figure C-7, and select Fred at location Everywhere Else at time Now, as shown in Figure C-12.
  • Page 189 Figure C-12. Rights Debugger for Fred
  • Page 190 Notice that the match groups are the two example groups as expected, but also the group User. This is because as a user (as opposed to Logon or Guest), we match all groups specified for the user, as well as all implicit User groups. Initial Group Expire determines the corresponding expire times for each initial group.
  • Page 191 Step 10. Click Debug. The Rights Debugger appears, as shown in The first three lines are the same as before, but now, Final Group Expire contains the two example groups as well as the implicit User group. Figure Figure C-14.
  • Page 192: Example 3, Public Location

    The Allows are the combination of the Allows from all three groups: Example Group 1, Example Group 2, and User; the Allows are All IP traffic and All IP traffic. Similarly for the redirects: we now have a long list of redirects from all three groups.
  • Page 193 Notice that this location has a section that Everywhere Else did not have. It has a list of Wheres (blank list at the moment) in which you will choose a location. At least one Where must be chosen from this list so that we know the Where to which the location applies.
  • Page 194 A Where is comprised of a WLAN Access Manager and either all ports, or a single port. Notice the list of WLAN Access Managers indicates No WLAN Access Managers defined. This is telling us we need to first create a WLAN Access Manager before we can create the Where.
  • Page 195 If you have multiple WLAN Access Managers and have registered them by pointing your WLAN Access Manager at the Control Server and they both have the same shared secret, then you can get to each WLAN Access Manager via the Managers button of the Control Server.
  • Page 196: Time-Based Rights

    Step 9. Click Update at the bottom of the screen after selecting the Where, and selecting the Logon group and Guest group, but not any User groups or Normal groups. Doing this sets up this location to deny users logon access. If a user tries to log on from the Logon page, rather than receiving no rights at all, they end up with Logon rights again.
  • Page 197: Time-Based Logon Rights

    First, if the location is not valid, then the location falls back to Everywhere Else. This is another example of the system trying its best to make sure that a client always gets some sort of rights package, rather than no rights at all. If the group is not valid when the rights are being generated, then the group falls off the Final Group Expire list, and those rights are not handed out.
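The rules spread across this tutorial (a user matches all of their groups plus the implicit User group; the location filters off groups it does not allow; the expire time is the maximum over the valid groups; Allows and Redirects are the union over the final groups; a group whose When is not valid drops off the Final Group Expire list; an invalid location falls back to Everywhere Else; a user who matches no User or Normal group at a location ends up with Logon rights again) are easier to reason about as one function. The model below is an added example, not code from the SMC manual, and encodes only those stated rules. The dataclasses, the expire values, the "Public Kiosk" location, the user Carol and the business-hours When are assumptions of the example; the group names (Logon, Guest, User, Example Group 1 and 2, Contractors) and the restricted User allow from Example 6 come from the manual.

```python
"""Model of how the Rights Manager assembles a client's rights package (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Set

NEVER = None  # an expire time of "Never"


@dataclass
class When:
    """Valid on these weekdays (0 = Monday) between start and end (an assumed shape)."""
    weekdays: FrozenSet[int]
    start: time
    end: time

    def valid_at(self, now: datetime) -> bool:
        return now.weekday() in self.weekdays and self.start <= now.time() <= self.end


@dataclass
class Group:
    name: str
    gtype: str                          # "Logon", "Guest", "User" or "Normal"
    allows: Set[str] = field(default_factory=set)
    redirects: Set[str] = field(default_factory=set)
    expire: Optional[int] = NEVER       # seconds until re-authentication; None = Never
    valid_times: Optional[When] = None  # None = always valid

    def valid_at(self, now: datetime) -> bool:
        return self.valid_times is None or self.valid_times.valid_at(now)


@dataclass
class Location:
    name: str
    groups: Set[str]                    # names of the groups allowed at this location
    valid_times: Optional[When] = None

    def valid_at(self, now: datetime) -> bool:
        return self.valid_times is None or self.valid_times.valid_at(now)


@dataclass
class Rights:
    location: str
    match_groups: List[str]
    final_groups: List[str]
    expire: Optional[int]
    allows: Set[str]
    redirects: Set[str]


def resolve(who: str, user_groups: List[str], where: Location, now: datetime,
            groups: Dict[str, Group], locations: Dict[str, Location]) -> Rights:
    """who is "Logon", "Guest" or a user name; user_groups are the user's explicit groups."""
    if not where.valid_at(now):                      # an invalid location falls back
        where = locations["Everywhere Else"]
    if who in ("Logon", "Guest"):                    # only that group type at this location counts
        match = [g for g in where.groups if groups[g].gtype == who]
    else:                                            # user's groups + implicit User, filtered by location
        match = [g for g in user_groups + ["User"] if g in where.groups]
    final = [g for g in match if groups[g].valid_at(now)]     # drop groups whose When is not valid
    if not final and who not in ("Logon", "Guest"):            # never hand out no rights at all
        final = [g for g in where.groups if groups[g].gtype == "Logon"]
    expires = [groups[g].expire for g in final]
    expire = NEVER if not expires or NEVER in expires else max(expires)
    return Rights(where.name, match, final, expire,
                  set().union(*(groups[g].allows for g in final)),
                  set().union(*(groups[g].redirects for g in final)))


# Constructed sample data; expire values and the kiosk location are made up.
BUSINESS_HOURS = When(frozenset(range(5)), time(9, 0), time(17, 0))
GROUPS = {
    "Logon": Group("Logon", "Logon", {"DHCP", "HTTPS Logon page"}, {"HTTP logon redirect", "DNS redirect"}),
    "Guest": Group("Guest", "Guest", {"DHCP", "HTTPS Logon page", "Outside World", "SSL Stop page"},
                   {"DNS redirect", "Logon page shortcut"}),
    "User": Group("User", "User", {"All IP traffic Except 192.168.0.0/16"},
                  {"DNS redirect", "Logon page shortcut"}, expire=86400),
    "Example Group 1": Group("Example Group 1", "Normal", {"All IP traffic"}, {"DNS redirect"}, expire=3600),
    "Example Group 2": Group("Example Group 2", "Normal", {"All IP traffic"}, {"DNS redirect"}),
    "Contractors": Group("Contractors", "Normal", {"192.168.1.0/24"}, expire=1800, valid_times=BUSINESS_HOURS),
}
LOCATIONS = {
    "Everywhere Else": Location("Everywhere Else", set(GROUPS)),
    # Allows only the Logon and Guest groups, and is itself valid only during business hours.
    "Public Kiosk": Location("Public Kiosk", {"Logon", "Guest"}, valid_times=BUSINESS_HOURS),
}
MONDAY_10 = datetime(2002, 3, 4, 10, 0)
SATURDAY_10 = datetime(2002, 3, 9, 10, 0)


def rights_for(who: str, user_groups: List[str], location: str, now: datetime) -> Rights:
    return resolve(who, user_groups, LOCATIONS[location], now, GROUPS, LIONS) if False else \
        resolve(who, user_groups, LOCATIONS[location], now, GROUPS, LOCATIONS)
```

Two outcomes are worth checking by hand against the Rights Debugger: Fred at Public Kiosk on a Monday gets Logon rights (his groups are not allowed there, so the fallback applies), while the same query on a Saturday gives him his full Everywhere Else rights, because the kiosk location itself is not valid and the system falls back to the catch-all location. A time-restricted location therefore does not restrict access outside its hours; it stops applying. If the intent is to deny access outside business hours, the restriction must sit on the groups (or on Everywhere Else), not on the location alone.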
  • Page 198 Step 2. Change its name to Wired Logon, and its type to Logon. This creates the Wired Logon group with the same Allows and Redirects as the User group we started editing. See Step 3. Now, create a new location that uses this group, does not use any other guest or user groups, and uses the wired Where on your network.
  • Page 199 Notice that the Wired Where we are creating uses port 1, where the previous Example Where uses all ports. So a user who shows up on this WLAN Access Manager on port 1 is associated with this location’s Where before they associate with the other Where.
  • Page 200: Example 5, Mac Address User

    Now you have a location that allocates user rights as soon as a client appears on your network. This is the equivalent of a wired Access Point instead of a wireless Access Point. C.10 Example 5, MAC Address User You might want to permit a client with a specific MAC address to access the net without logging on.
  • Page 201 Figure C-23. User Editor However, when we look at the rights as specified by the debugger, the MAC address user will get User rights, instead of Logon rights, even though the MAC address has not yet authenticated, as shown in Figure C-24.
  • Page 202 Figure C-24. Rights Debugger for MAC User Thus, for known MAC addresses, you can skip the logon process completely. Also, if you wanted to give the MAC address user special rights that the implicit User group does not have, you could do that by adding the MAC address user to a
  • Page 203: Example 6, Differentiated Access By Groups

    particular Normal group, and allowing that Normal group at the locations to which you want those rights to apply. C.11 Example 6, Differentiated Access by Groups Many customers ask for different access to different machines based on group access. One way to achieve this type of arrangement is to set up the implicit User group for the location so that access to the specific IP address in question is explicitly denied.
  • Page 204 Step 5. Change the name to All IP traffic Except 192.168.0.0/16, and in the address field type !192.168.0.0/16, which means all IP addresses except those in the specified range, as shown in the figure. Step 6. Click Update to add this Allow to the list of Allows. Step 7.
  • Page 205: Getting Access To The Subnet

    Step 9. Click Update to create this implicit User group. C.11.2 Getting Access to the Subnet Now, let’s create a group that gets access to part of this subnet. Step 1. Click New Group to add a group of type Normal. Step 2.
  • Page 206 Step 5. Click Update to create this Allow. Step 6. Return to the Groups Manager. Step 7. Select this Allow in our new group, as shown in the figure. Figure C-29. Allow Editor. Figure C-30.
  • Page 207 Step 8. Click Update. Step 9. Create another group using the Allow 192.168.2.0/24, as shown in Figure C-31. Figure C-30. Group Editor with new Allows. EliteConnect WLAN Security System User Manual
  • Page 208 Figure C-31. Allow Editor. Step 10. Click Update. The Group Editor shows this added as an Allow, as shown in Figure C-32.
  • Page 209: Adding Users

    C.11.3 Adding Users Now, let’s create a couple of users who take advantage of these groups. Step 1. Create a new user, Harry, as a subnet 1 user, as shown in the figure. Figure C-32. Group Editor. Figure C-33.
  • Page 210: Creating A Location

    Step 2. Create Jack as a subnet 2 user, as shown in the figure. C.11.4 Creating a Location Now, let’s create a location that takes advantage of this. Step 1. Create a new location; see the procedure in the Rights Management chapter. Step 2. Then, in the Location Editor, add a new Where by clicking New under Where.
  • Page 211 Step 3. Click Update. Step 4. Name the location Subnet Location. Step 5. Select the User group Subnet User, the Normal groups 192.168.1 and 192.168.2, and the Where Subnet Where, as shown in the figure. Now, let’s see how our two users differ in the Rights Debugger. Step 6.
  • Page 212 Notice that 192.168.1.0/24 is allowed, so this user (Harry) gets explicit use of the 192.168.1 subnet. Also, anything except 192.168.0.0/16 is allowed, so all other traffic will be let through; the rest of 192.168.0.0/16 is covered by no Allow and is not forwarded. Step 7. Display the rights for Jack at location Subnet Location, as shown in Figure C-38.
  • Page 213 Figure C-38. Rights Debugger. Notice that Jack gets rights for the 192.168.2 subnet, and none of the rest of the internal network. This example can be extended to any group of IP addresses, or even to a single IP address. To make this example, I used all ports, but you could get more restrictive and only hand out specific ports if necessary.
  • Page 214 Figure C-39. Users Manager. Figure C-40 shows the Locations Manager screen with the location Subnet Location, and the groups that are valid at this location. As expected, the groups valid at this location are Logon, Subnet User, and the two subnet groups, 192.168.1 and 192.168.2.
  • Page 215: Example 7, Trap Known Port

    C.12 Example 7, Trap Known Port You might have some need to block a specific port for everyone. Something we’ve been asked for is how to block a well-known file-sharing or streaming port on a public Access Point. Let’s take Gnutella’s default port 6346 as an example. Step 1.
  • Page 216 This closes port 6346 to everyone who uses this group. Step 4. Select this Redirect in the Guest group, and click Update, as shown in Figure C-42. Figure C-41. Redirect Editor.
  • Page 217 As a result, a location that uses this Guest group effectively shuts down port 6346. Notice that stopping users from using the network in this way is a moving target: you will have to discover which ports are being abused and close them one at a time, and a Redirect only traps the port it names, so a client configured to use a different port is not affected. Where possible, the more robust approach is the one noted in Example 6, an Allow that hands out only the specific ports users need.
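The rights allocation in Examples 6 and 7 can be modelled in a few lines. The Python below is an added example, not code from the manual or from SMC: it models Allows (a CIDR, a negated !CIDR, or any address, optionally limited to ports), Redirects that trap a port, and a Rights Debugger-style decision for one packet against the groups a user holds at a location. The group and Allow names follow the examples above; the Guest group's Web-only Allow, the rule that Redirects are checked before Allows, and the rule that traffic no Allow covers is dropped are assumptions made for the example.

```python
"""Added model of WLAN Security System rights: Allows say which packets a
WLAN Access Manager forwards, Redirects trap ports, and the groups a user
holds at a location decide which rules apply."""
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Allow:
    name: str
    address: str                            # "CIDR", "!CIDR" (all except), or "any"
    ports: Optional[FrozenSet[int]] = None  # None = all ports

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        if self.ports is not None and dst_port not in self.ports:
            return False
        if self.address == "any":
            return True
        negated = self.address.startswith("!")
        net = ipaddress.ip_network(self.address.lstrip("!"), strict=False)
        inside = ipaddress.ip_address(dst_ip) in net
        return (not inside) if negated else inside


@dataclass(frozen=True)
class Redirect:
    name: str
    port: int   # destination port that is trapped instead of forwarded


@dataclass
class Group:
    name: str
    allows: List[Allow] = field(default_factory=list)
    redirects: List[Redirect] = field(default_factory=list)


def rights_debugger(groups: Sequence[Group], dst_ip: str,
                    dst_port: int) -> Tuple[str, str]:
    """Decide one packet for a user holding `groups` at a location.
    Assumption: Redirects are checked before Allows, and a packet that no
    Allow covers is dropped. Returns (verdict, name of the deciding rule)."""
    for g in groups:
        for r in g.redirects:
            if r.port == dst_port:
                return ("redirect", r.name)
    for g in groups:
        for a in g.allows:
            if a.matches(dst_ip, dst_port):
                return ("allow", a.name)
    return ("deny", "")


# Constructed configuration following Examples 6 and 7 (names as in the manual).
SUBNET_USER = Group("Subnet User",
                    [Allow("All IP traffic Except 192.168.0.0/16", "!192.168.0.0/16")])
NET1 = Group("192.168.1", [Allow("192.168.1.0/24", "192.168.1.0/24")])
NET2 = Group("192.168.2", [Allow("192.168.2.0/24", "192.168.2.0/24")])
# Assumed Guest group: hands out only web ports and traps Gnutella's default port.
GUEST = Group("Guest",
              [Allow("Web only", "any", frozenset({80, 443}))],
              [Redirect("Gnutella 6346", 6346)])

HARRY = [SUBNET_USER, NET1]   # subnet 1 user
JACK = [SUBNET_USER, NET2]    # subnet 2 user

if __name__ == "__main__":
    for who, groups in (("Harry", HARRY), ("Jack", JACK), ("guest", [GUEST])):
        for ip, port in (("192.168.1.10", 80), ("192.168.2.10", 80),
                         ("203.0.113.9", 443), ("203.0.113.9", 6346)):
            print(who, ip, port, rights_debugger(groups, ip, port))
```

Harry reaches 192.168.1.0/24 and everything outside 192.168.0.0/16 but nothing else inside it; Jack mirrors that for 192.168.2.0/24. The guest reaches web ports anywhere, is trapped on 6346, and is dropped on any other port, which is why an Allow limited to the ports users need is the more robust control than trapping ports one at a time.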
  • Page 218: Example 8, Socks Proxy

    C.13 Example 8, SOCKS Proxy The default set of Redirects includes a redirect for a SOCKS proxy. It is not selected by default, but if you have a SOCKS proxy, then your users need this to access the network. See the Redirect section in the Rights Management chapter. This is shown in Figure C-44.
  • Page 219: Example 9, Public Kiosk Location

    This example shows how to set up a public access kiosk, or several kiosks. Let’s say you are providing wireless coverage of a large conference. This means you probably want public access kiosks spread out over the show. Also, you probably want to allow conference attendees to get access through their own laptops.
  • Page 220 not allow you to capture any leads, and that’s what the conference is all about, right? To capture the leads, you need attendees to log on at the public access kiosk, so the kiosks can’t be MAC address users (Example 5), which would skip the logon. You therefore need to put the kiosks in a different location, and hand out rights according to the groups allowed at that location.
  • Page 221 Step 3. Enter the Location Name, in this case Public Kiosks. Step 4. We also need a new Where, so click New under the list of Wheres, and enter the name Kiosk1. Step 5. Also click the Client MAC address radio button, and enter the MAC address of the kiosk, as shown in Figure C-47.
  • Page 222 Step 6. Click Update, then select this Where. If this were really for a conference, we would only want this kiosk to be valid during the show, so let’s create a When for the show. Step 7. Click New under the list of Whens. Step 8.
  • Page 223 Step 9. Click Update to return to the Location Manager. Step 10. Click New under the list of groups to create a new User group. By doing this, you can specify what rights the new group’s users will get at this location. Step 11.
  • Page 224 Step 14. Click Update to create this group, and go back to the Location Editor. Step 15. Select the Where Kiosk1, the When Show hours, the Logon group Logon, and the User group 20 Minute User, as shown in Figure C-50.
  • Page 225 Figure C-51. Location Editor. Step 16. Click Update to create this location. Now you have created the location Public Kiosks, with different rights from the rest of the network, based on the fact that the users are logging in from a specific client MAC address, as shown in Figure C-52.
  • Page 226 The most significant part of this example is that you have created a new location that is expandable kiosk by kiosk. It does not cost you any more WLAN Access Manager ports, because it uses existing coverage rather than a dedicated access point.
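How the Where and When of Examples 4, 5 and 9 combine to pick a location and hand out groups, as an added Python example (not the manual's or SMC's code). It assumes that a Where naming a client MAC or a single port is preferred over one covering all ports, as Example 4 describes, and that a When outside its hours makes that location drop out so the client falls back to the general location; the kiosk and MAC-user addresses and the timestamps are placeholders.

```python
"""Added model of how a location is chosen for a client: each location's Where
(port and/or client MAC) and When are matched, the most specific Where wins,
and the location's groups decide which rights are handed out."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Where:
    name: str
    port: Optional[int] = None        # None = all WLAN Access Manager ports
    client_mac: Optional[str] = None  # None = any client

    def matches(self, port: int, mac: str) -> bool:
        port_ok = self.port is None or self.port == port
        mac_ok = self.client_mac is None or self.client_mac.lower() == mac.lower()
        return port_ok and mac_ok

    def specificity(self) -> int:
        # Assumption, consistent with Example 4: a Where that names a client MAC
        # or a single port takes precedence over one that covers all ports.
        return 2 * int(self.client_mac is not None) + int(self.port is not None)


@dataclass(frozen=True)
class When:
    name: str
    start: time
    end: time

    def matches(self, now: datetime) -> bool:
        return self.start <= now.time() < self.end


@dataclass(frozen=True)
class Location:
    name: str
    where: Where
    logon_group: str
    user_group: str
    normal_groups: Tuple[str, ...] = ()
    when: Optional[When] = None       # None = valid at any time


def select_location(locations: Sequence[Location], port: int, mac: str,
                    now: datetime) -> Optional[Location]:
    """Return the matching location with the most specific Where, or None."""
    candidates = [loc for loc in locations
                  if loc.where.matches(port, mac)
                  and (loc.when is None or loc.when.matches(now))]
    if not candidates:
        return None
    return max(candidates, key=lambda loc: loc.where.specificity())


def groups_for(loc: Location, mac: str, authenticated: bool,
               mac_users: Sequence[str]) -> List[str]:
    """Groups handed out at `loc`. A MAC address user (Example 5) gets the User
    group without logging on; anyone else stays in the Logon group until they
    authenticate. The MAC is client-supplied, so it is a weak identifier."""
    if authenticated or mac.lower() in (m.lower() for m in mac_users):
        return [loc.user_group, *loc.normal_groups]
    return [loc.logon_group]


# Constructed sample configuration following Examples 4, 5 and 9. The MAC
# addresses and timestamps are placeholders, not values from the manual.
KIOSK_MAC = "00:11:22:33:44:55"
MAC_USERS = ["aa:bb:cc:dd:ee:ff"]
LOCATIONS = [
    Location("Example", Where("Example Where"), "Logon", "User"),
    Location("Wired Logon", Where("Wired", port=1), "Wired Logon", "User"),
    Location("Public Kiosks", Where("Kiosk1", client_mac=KIOSK_MAC),
             "Logon", "20 Minute User",
             when=When("Show hours", time(9, 0), time(17, 0))),
]
DURING_SHOW = datetime(2002, 3, 5, 10, 30)
AFTER_SHOW = datetime(2002, 3, 5, 20, 0)

if __name__ == "__main__":
    for port, mac, now in [(1, "02:00:00:00:00:01", DURING_SHOW),
                           (2, "02:00:00:00:00:01", DURING_SHOW),
                           (2, KIOSK_MAC, DURING_SHOW),
                           (2, KIOSK_MAC, AFTER_SHOW),
                           (2, MAC_USERS[0], DURING_SHOW)]:
        loc = select_location(LOCATIONS, port, mac, now)
        print(port, mac, now.time(), "->", loc.name,
              groups_for(loc, mac, False, MAC_USERS))
```

A client on port 1 lands in Wired Logon and immediately holds the Wired Logon group (which carries User rights, per Example 4); the kiosk MAC lands in Public Kiosks only during show hours and still starts in Logon, so it captures a logon; a registered MAC address user skips straight to User at the general location.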
  • Page 227 SIMPLE NETWORK MANAGEMENT PROTOCOL This appendix describes the SMC implementation of the Simple Network Management Protocol. The sections include: D.1 Introduction to WLAN Security System SNMP ..D-2 D.2 Supported Management Information Base Objects ..D-3 All the MIB II objects are read-only.
  • Page 228 Introduction to WLAN Security System SNMP The SNMP subsystem allows the WLAN Access Manager and WLAN Secure Server devices to be managed via SNMP from a network management application or platform such as HP OpenView. Initially, not all parameters in the devices will be accessible via SNMP.
  • Page 229 (or data) that exists in a network device. A manager requests data by specifying names of MIB objects. SMC supports certain industry-standard MIB II objects and proprietary MIB objects, which are listed below. You can also find the latest MIBs on your WLAN Secure Server and WLAN Access Manager by typing the following URLs: https://yourbox/snmp/mibs/SMCNETWORKS-BASE-MIB.txt...
  • Page 230 DESCRIPTION "The Base MIB module for SMC Networks EliteConnect WLAN devices." REVISION "0202270000Z" DESCRIPTION "The latest version of this MIB module." REVISION "0202270000Z" DESCRIPTION "The initial version of this MIB module." ::= { smcNetworks 30 } Organization & Product branches smcNetworksCommon OBJECT IDENTIFIER ::= { smcNetworksEltCnt 1 }...
  • Page 231 Fax Line: +44 (0) 118-974-8701 Support Line: +44 (0) 118-974-8700 (8:00 AM - 5:30 PM UK Greenwich Mean Time)" DESCRIPTION "The Base MIB module for SMC EliteConnect WLAN devices." REVISION "0203110000Z" DESCRIPTION "The latest version of this MIB module." ::= { smcNetworksCommon 1 } smcNetworksSysMib OBJECT IDENTIFIER ::= { smcNetworksSystem 1 } D.2.3...
  • Page 232 DESCRIPTION ::= { smcNetworksSysMib 5 } D.2.7 Environmental Monitoring Objects CPU Temperature MIB Object smcCpuTemperature OBJECT-TYPE SYNTAX MAX-ACCESS STATUS DESCRIPTION "Current temperature in degrees centigrade of the CPU." ::= { smcNetworksSysMib 6 } Power Supply Temperature MIB Object smcPowerSupplyTemperature OBJECT-TYPE SYNTAX MAX-ACCESS STATUS...
  • Page 233 ::= { smcFanStatusTable 1 } SmcFanStatusEntry smcFanNumber smcFanOperational INTEGER, smcFanSpeed Fan Identifier MIB smcFanNumber OBJECT-TYPE SYNTAX MAX-ACCESS STATUS DESCRIPTION "Identifier of cooling fan, numbered to represent what hardware the fan is supposed to be cooling." ::= { smcFanStatusEntry 1 } Fan Status MIB smcFanOperational OBJECT-TYPE SYNTAX...
  • Page 234 Temperature Trap temperatureAlarm NOTIFICATION-TYPE OBJECTS { smcCpuTemperature } STATUS current DESCRIPTION "A temperatureAlarm signifies that the SNMP entity, acting in an agent role, has detected that the smcCpuTemperature has a value that exceeds acceptable tolerances (i.e., it is too hot or too cold)." ::= { smcSystemTraps 3 } Simple Network Management Protocol...
  • Page 235 GLOSSARY The glossary defines terms that are used throughout the WLAN Security System. Some of the following terms are in common usage but have WLAN Security System-specific meanings. These terms are defined in context in the chapter where they first appear. Allows specify packets that are permitted to be forwarded by a WLAN Access Manager.
  • Page 236 SMC component that allocates rights or access privileges for locations, groups, and users. The Rights Manager also authenticates clients. the act of moving from one wireless access point to another.
  • Page 237 INDEX Symbols C-17 @DNS@ C-17 @INTERNAL@ C-17 @INTRANET@ C-17 @SERVER@ Numerics 42.0.0.1 6-13 C-24 C-26 Access Manager 6-22 Adding a New Group 6-50 Adding Rights-Allows C-10 All IP C-36 C-37 Allow 6-50 6-53 Allow Editor 6-51 Allow Name Allowed Group C-15 Allows 6-70...
  • Page 238 Groups Logon, Guest, User or Normal Groups Manager 6-32 6-50 6-54 Guest C-24 Guest only Guest Rights Hostname 2-17 HTML C-49 HTTP HTTP logon redirect HTTPS Logon page C-55 HTTPS logon page HTTPS logon redirect Idle C-22 Implicit User Group Initial Group Expire C-15 C-22...
  • Page 239: Simple Network Management Protocol D

    SNMP port 2-12 SNMP traps C-50 C-51 SOCKS Specifying location descriptions C-49 C-55 SSL certificate SSL Certificate Signing Request SSL Stop page Stop Page Graphic Stop Page Text Subnet Location 6-53 tcpdump Temperature Trap...
  • Page 240: Index

    Index...
  • Page 241 PRC: Taiwan: Asia Pacific: Korea: Japan: Australia: India: If you are looking for further contact information, please visit www.smc.com or www.smc-europe.com. 38 Tesla Irvine, CA 92618 Phone: (949) 679-8000 SMC EliteConnect WLAN Security System User Manual (800) SMC-4-YOU; Fax (949) 679-1481 34-93-477-4935;...
