Extreme Networks Altitude 4000 Series Reference Manual

Access point system software version 5.2

Altitude
4000 Series Access Point System
Reference Guide
Software Version 5.2
Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800
http://www.extremenetworks.com
Published: November 2011
Part number: 120735-00 Rev 1


Summary of Contents for Extreme Networks Altitude 4000 Series

  • Page 1 Altitude 4000 Series Access Point System Reference Guide Software Version 5.2 Extreme Networks, Inc. 3585 Monroe Street Santa Clara, California 95051 (888) 257-3000 (408) 579-2800 http://www.extremenetworks.com Published: November 2011 Part number: 120735-00 Rev 1...
  • Page 2 ReachNXT, Sentriant, ServiceWatch, Summit, SummitStack, Triumph, Unified Access Architecture, Unified Access RF Manager, UniStack, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Extreme Turbodrive logo, the Summit logos, and the Powered by ExtremeXOS logo are trademarks or registered trademarks of Extreme Networks, Inc.
  • Page 3: Table Of Contents

    Documentation Set ..............................9 Document Conventions ............................9 Notational Conventions ............................10 Chapter 2: Overview..........................11 About the Extreme Networks Access Point Software.....................12 Chapter 3: Web UI Overview........................15 Accessing the Web UI ............................15 Browser and System Requirements........................15 Connecting to the Web UI Locally ........................16 Glossary of Icons Used ............................17...
  • Page 4 Table of Contents WAN Backhaul Configuration ........................90 WAN Backhaul Deployment Considerations....................91 Profile Network Configuration .........................92 DNS Configuration ...........................92 ARP................................93 Quality of Service (QoS) ..........................95 Static Routes............................96 Forwarding Database..........................97 Bridge VLAN ............................99 Miscellaneous Network Configuration....................102 Profile Network Configuration and Deployment Considerations ............103 Profile Security Configuration........................104 Defining Profile Security Settings......................104 Setting the Certificate Revocation List (CRL) Configuration ..............105...
  • Page 5 Table of Contents Managing an Event Policy ............................216 Chapter 7: Wireless Configuration .......................219 Wireless LANs ..............................220 Basic WLAN Configuration..........................221 WLAN Basic Configuration Deployment Considerations ...............223 Configuring WLAN Security ..........................223 802.1x EAP, EAP PSK and EAP MAC ....................225 MAC Authentication ..........................226 PSK / None ............................227 Captive Portal ............................228 WPA/WPA2-TKIP ..........................228...
  • Page 6 Table of Contents Services Deployment Considerations........................367 Chapter 10: Management Access Policy Configuration ..............369 Creating Administrators and Roles........................369 Setting the Access Control Configuration......................372 Setting the Authentication Configuration ......................374 Setting the SNMP Configuration ..........................375 SNMP Trap Configuration ............................377 Management Access Deployment Considerations....................378 Chapter 11: Diagnostics ........................381 Fault Management ...............................381 Crash Files ................................384...
  • Page 7 Table of Contents Captive Portal..............................448 Historical Data ...............................449 Viewing Smart RF History ........................450 Access Point Statistics ............................451 Health ................................451 Device ................................453 AP Upgrade..............................456 Adoption ................................457 Adopted APs ............................458 AP Adoption History ..........................459 Pending Adoptions ..........................459 AP Detection ..............................461 Wireless Client ..............................462 Wireless LANs...............................463 Critical Resources ............................464 Radios ................................465...
  • Page 8 Table of Contents Graph ................................517 Appendix A: Customer Support......................519 Registration ................................519 Documentation ..............................519 Altitude 4000 Series Access Point System Reference Guide...
  • Page 9: Chapter 1: About This Guide

    About this Guide C H A P T E R This guide provides information on using the Extreme Networks access point software to manage supported Extreme Networks access points (Altitude 4700 Series Access Points, and Altitude 4500 series Access Points in either Standalone AP or Virtual Controller AP mode).
  • Page 10: Notational Conventions

    Chapter 1: About this Guide NOTE Indicate tips or special requirements. CAUTION Indicates conditions that can cause equipment damage or data loss. WARNING! Indicates a condition or procedure that could result in personal injury or equipment damage. Notational Conventions The following additional notational conventions are used in this document: Italic text is used to highlight the following: ●...
  • Page 11: Chapter 2: Overview

    Overview C H A P T E R Extreme Networks’ family of supported access points enable the centralized distribution of high performance, secure and resilient wireless voice and data services to remote locations with the scalability required to meet the needs of large distributed enterprises.
  • Page 12: About The Extreme Networks Access Point Software

    Networks access points. The software enables the simultaneous use of existing architectures from Extreme Networks, even if those other architectures are centralized models. A wireless network administrator can retain and optimize legacy infrastructure while evolving to the new software as needed.
  • Page 13 About the Extreme Networks Access Point Software shaping and optimizations in dynamic host configuration protocol (DHCP) responses and Internet group management protocol (IGMP) snooping for multicast traffic flows in wired and wireless networks. Thus, users benefit from an extremely reliable network that adapts to meet their needs and delivers mixed-media applications.
  • Page 14 Chapter 2: Overview Altitude 4000 Series Access Point System Reference Guide...
  • Page 15: Chapter 3: Web UI Overview

    Web UI Overview C H A P T E R The access point’s resident user interface contains a set of features specifically designed to enable either Virtual Controller AP, Standalone AP or Dependent AP (Adopted to Controller) functionality. In Virtual Controller AP mode, an access point can manage up to 24 other access points of the same model and share data amongst managed access points.
  • Page 16: Connecting To The Web Ui Locally

    Chapter 3: Web UI Overview Connecting to the Web UI Locally Normally an access point’s IP address is provided using DHCP, and you access the Web UI using the DHCP-assigned address. This procedure shows how to connect to the access point locally using the access point’s default IP address, known as the zero config address.
  • Page 17: Glossary Of Icons Used

    Glossary of Icons Used initial setup wizard. For more information on using the initial setup wizard see “Using the Initial Setup Wizard” on page Glossary of Icons Used The access point interface utilizes a number of icons designed to interact with the system, gather information from managed devices and obtain status.
  • Page 18: Dialog Box Icons

    Chapter 3: Web UI Overview Create new policy – Select this icon to create a new policy. Policies define different configuration parameters that can be applied to device configurations, and device profiles. Edit policy – Select this icon to edit an existing policy. To edit a policy, click on the policy and select this button.
  • Page 19: Status Icons

    Glossary of Icons Used Status Icons “Web UI Overview” These icons define device status, operations on the wireless controller, or any other action that requires a status being returned to the user. Fatal Error – States there is an error causing a managed device to stop functioning.
  • Page 20 Chapter 3: Web UI Overview Radio QoS Policy – Indicates a QoS policy configuration has been impacted. AAA Policy – Indicates an Authentication, Authorization and Accounting (AAA) policy has been impacted. AAA policies define RADIUS authentication and accounting parameters. Association ACL – Indicates an Association Access Control List (ACL) configuration has been impacted.
  • Page 21 Glossary of Icons Used Advanced WIPS Policy – States the conditions of an advanced WIPS policy have been invoked. WIPS prevents unauthorized access to the system by checking for and removing rogue access points and wireless clients. Device Categorization – Indicates a device categorization policy is being applied.
  • Page 22: Configuration Objects

    Chapter 3: Web UI Overview Configuration Objects “Web UI Overview” Configuration icons are used to define the following: Configuration – Indicates an item capable of being configured by the access point’s interface. View Events / Event History – Defines a list of events. Select this icon to view events or view the event history.
  • Page 23: Access Type Icons

    Glossary of Icons Used Access Type Icons “Web UI Overview” The following icons display a user access type: Web UI – Defines a Web UI access permission. A user with this permission is permitted to access an associated device’s Web UI. Telnet –...
  • Page 24: Device Icons

    Chapter 3: Web UI Overview Help Desk – Indicates help desk privileges. A help desk user is allowed to use troubleshooting tools like sniffers, execute service commands, view or retrieve logs and reboot an access point. Web User – Indicates a Web user privilege. A Web user is allowed to access the access point’s Web user interface.
  • Page 25: Chapter 4: Quick Start

    Quick Start C H A P T E R Access points can utilize an initial setup wizard to streamline the process of initially accessing the wireless network. The wizard defines the access point operational mode, deployment location, basic security, network and WLAN settings. For instructions on how to use the initial setup wizard, see “Using the Initial Setup Wizard”...
  • Page 26 Chapter 4: Quick Start NOTE When logging in for the first time, you’re prompted to change the password to enhance device security in subsequent logins. NOTE If you get disconnected when running the wizard, you can connect again with the access point’s actual IP address (once obtained) and resume the wizard.
  • Page 27 Using the Initial Setup Wizard The first page of the Initial AP Setup Wizard displays the Navigation Panel and Introduction for the configuration activities comprising the access point's initial setup. A green checkmark to the left of an item in the Navigation Panel defines the listed task as having its minimum required configuration parameters set correctly.
  • Page 28 Chapter 4: Quick Start 6 Select Save/Commit within each page to save the updates made to that page's configuration. Select Next to proceed to the next page listed in the Navigation Panel. Select Back to revert to the previous screen in the Navigation Panel without saving your updates. NOTE While you can navigate to any page in the navigation panel, you cannot complete the Initial AP Setup Wizard until each task in the Navigation Panel has a green checkmark.
  • Page 29 AP isn't managed by a Virtual Controller AP, or adopted by a controller. NOTE If designating the access point as a Standalone AP, Extreme Networks recommends the access point’s UI be used exclusively to define its device configuration, and not the CLI. The CLI provides the ability to define more than one profile and the UI does not.
  • Page 30 Chapter 4: Quick Start Adopted to Controller - Select this option when deploying the access point as a controller managed ● (Dependent mode) access point. Selecting this option closes the Initial AP Setup Wizard. An adopted access point obtains its configuration from a profile stored on its managing controller. Any manual configuration changes are overwritten by the controller upon reboot.
  • Page 31 Using the Initial Setup Wizard 10 Select an Access Point Mode from the available options. Router Mode - In Router Mode, the access point routes traffic between the local network (LAN) ● and the Internet or external network (WAN). Router mode is recommended in a deployment supported by just a single access point.
  • Page 32 Chapter 4: Quick Start 12 Set the following DHCP and Static IP Address/Subnet information for the LAN interface: Use DHCP - Select the checkbox to enable an automatic network address configuration using the ● access point’s DHCP server. Static IP Address/Subnet - Enter an IP Address and a subnet for the access point's LAN interface. If ●...
  • Page 33 Using the Initial Setup Wizard DHCP Server and Domain Name Server (DNS) resources, as those fields will become enabled on the bottom portion of the screen. Use on-board DHCP server to assign IP addresses to wireless clients - Select the checkbox to enable the ●...
  • Page 34 Chapter 4: Quick Start 14 Set the following DHCP and Static IP Address/Subnet information for the WAN interface: Use DHCP - Select the checkbox to enable an automatic network address configuration using the ● access point’s DHCP server. Static IP Address/Subnet - Enter an IP Address/Subnet and gateway for the access point's WAN ●...
  • Page 35 Using the Initial Setup Wizard NOTE The Radio Configuration screen displays separate configurable fields for each access point radio. Supported access point models can have from one to three (Altitude 4700 Access Point) radios. The ADSP Sensor Support field displays at the bottom of the screen only if a radio has been dedicated as a sensor. 16 Set the following parameters for each radio: Configure as a Data Radio - Select this option to dedicate this radio for WLAN client support in ●...
  • Page 36 Chapter 4: Quick Start one radio for 2.4GHz and another for 5GHz support (if using a dual or three radio model) when supporting clients in both the 802.11bg and 802.11n bands. Power Level - Use the spinner control to select a 1 - 23 dBm minimum power level to assign to this ●...
  • Page 37 Using the Initial Setup Wizard 18 Set the following parameters for each of the WLAN configurations available as part of this Initial AP Setup Wizard: Altitude 4000 Series Access Point System Reference Guide...
  • Page 38 Chapter 4: Quick Start SSID - Enter or modify the Services Set Identification (SSID) associated with the WLAN. The ● WLAN name is auto-generated using the SSID until changed by the user. The maximum number of characters is 32. Do not use < > | “ & \ ? , This is a required parameter for each WLAN. WLAN Type - Set the data protection scheme used by clients and access points within the WLAN.
  • Page 39 Using the Initial Setup Wizard 20 Refer to the Username, Password, Description and Actions columns to review credentials of existing RADIUS Server user accounts. Add new accounts or edit the properties of existing accounts as updates are required. 21 Refer to the Add On-Board RADIUS Server Users field to set the following parameters for a user account: Altitude 4000 Series Access Point System Reference Guide...
  • Page 40 Chapter 4: Quick Start Username - If adding a new user account, create a username up to X characters in length. The ● username cannot be revised if modifying the user configuration. This is a required parameter. Password - Provide (or modify) a password between X - X characters in length entered each time a ●...
  • Page 41 Location - Define the location of the access point. The Location parameter acts as a reminder of ● where the AP can be located within the Extreme Networks managed wireless network. Contact - Specify the contact information for the administrator. The credentials provided should ●...
  • Page 42 Chapter 4: Quick Start emissions and the maximum RF signal strength that can be transmitted. This is a required parameter. Time Zone - Set the time zone where the access point is deployed. This is a required parameter. ● The setting should be complementary with the selected deployment country. 25 If an NTP resource is unavailable, set the System Date and Time (calendar date, time and AM/PM designation).
  • Page 43 Using the Initial Setup Wizard 30 If the configuration displays as intended, select the Save/Commit button to implement these settings to the access point’s configuration. If additional changes are warranted based on the summary, either select the target page from the Navigational Panel, or use the Back button. Altitude 4000 Series Access Point System Reference Guide...
  • Page 44 Chapter 4: Quick Start Altitude 4000 Series Access Point System Reference Guide...
  • Page 45: Chapter 5: Dashboard

    Dashboard C H A P T E R The dashboard allows network administrators to review and troubleshoot the operation of the devices comprising the access point managed network. Use the dashboard to review the current network topology, assess the network’s component health and diagnose problematic device behavior. By default, the Dashboard screen displays the System Dashboard, which is the top level in the device hierarchy.
  • Page 46: Dashboard Conventions

    Chapter 5: Dashboard The Dashboard displays the Health tab by default. Dashboard Conventions The Dashboard displays device information using the following conventions: “Health” – Displays information about the state of the access point managed network. ● “Inventory” – Displays information on the physical devices being managed by the access point. ●...
  • Page 47: Health

    Dashboard Health “Health” The Health tab displays information about the state of the access point managed network. Information in this tab is classified as: Device Details on page 48 ● Radio RF Quality Index on page 48 ● Radio Utilization Index on page 49 ●...
  • Page 48 Chapter 5: Dashboard Device Details “Health” The Device Details field displays model and version information. The Device Details field displays the name assigned to the selected access point, its factory encoded MAC address, model type, RF Domain, software version, uptime, CPU and RAM information and system clock.
  • Page 49 Dashboard The access point’s RF Domain allows an administrator to assign configuration data to multiple devices deployed in a common coverage area, such as in a floor, building or site. The RF Domain contains policies that can determine a Smart RF or WIPS configuration. Use this diagnostic information to define measures to improve radio performance in respect to wireless client load and radio band.
  • Page 50 Chapter 5: Dashboard Client RF Quality Index “Health” The Client RF Quality field displays a list of the worst 5 performing clients managed by the selected access point. The Client RF Quality Index displays the following: Worst 5 Lists the worst 5 performing client radios connected to the access point. The RF Quality Index measures the overall effectiveness of the RF environment as a percentage.
  • Page 51: Inventory

    Dashboard Inventory “Dashboard Conventions” The Inventory tab displays information relative to the devices managed by the selected access point. The Inventory screen affords a system administrator an overview of the number and state of managed devices. The screen contains links to display more granular data specific to a specific radio. The Inventory screen is partitioned into the following fields: Radio Types on page 52 ●...
  • Page 52 Chapter 5: Dashboard Radio Types “Inventory” The Radio Types field displays the total number and types of radios managed by the selected access point. Refer to the Total Radios column to review the number of managed radios. Additionally, use the charts on the bottom of the Radio Types field to assess the number WLANs utilized in supported radio bands.
  • Page 53 Dashboard Wireless Clients “Inventory” The Wireless Clients field displays information about the wireless clients managed by the selected access point. Information within the Wireless Clients field is presented in two tables. The first table lists the total number of wireless clients managed by this access point. The second table lists an ordered ranking of radios based on their supported client count.
  • Page 54: Network View

    Chapter 5: Dashboard Network View Dashboard on page 45 The Network View displays device topology association between a selected access point, its RF Domain and its connected clients. The association is displayed using a number of different color options. Access points and clients can be selected and viewed using various color schemes in respect to neighboring access points, connected devices and performance criteria.
  • Page 55: Network View Display Options

    Network View The left-hand side of the Network View display contains an expandable System Browser where access points can be selected and expanded to display connected clients. Navigate the System Browser as required to review device connections within the access point managed network. Many of these peer access points are available for connection to access points in Virtual Controller AP mode.
  • Page 56: Device Specific Information

    Chapter 5: Dashboard The following display filter options are available: None - Select this option to keep the Network View display as it currently appears, without any ● additional color or device interaction adjustments. Utilization – Select this option to filter based on the percentage of current throughput relative to ●...
  • Page 57 Network View Optionally select the Statistics link at the bottom of the display to open a screen where Access Point device data can be reviewed on a much more granular level. For more information, see “Health” on page Altitude 4000 Series Access Point System Reference Guide...
  • Page 58 Chapter 5: Dashboard Altitude 4000 Series Access Point System Reference Guide...
  • Page 59: Chapter 6: Device Configuration

    Device Configuration C H A P T E R Access points can either be assigned unique configurations to support a particular deployment objective or have an existing RF Domain or Profile configuration modified (overridden) to support a requirement that deviates its configuration from the configuration shared by its peer access points. Refer to the following to set an access point’s sensor functionality, Virtual Controller AP designation, and license and certificate usage configuration: “RF Domain Sensor Configuration”...
  • Page 60 Chapter 6: Device Configuration An access point RF Domain allows an administrator to assign configuration data to multiple access points deployed in a common coverage area (floor, building or site). In such instances, there are many configuration attributes these access points share, as their general client support roles are quite similar. However, an access point’s RF Domain configuration may need periodic refinement from its original RF Domain designation.
  • Page 61: RF Domain Sensor Configuration

    In addition to dedicated Extreme Networks AirDefense sensors, an access point radio can function as a sensor and upload information to a dedicated WIPS server (external to the access point). Unique WIPS server configurations can be used to ensure a WIPS server configuration is available to support the unique data protection needs of a RF Domain.
  • Page 62: System Profile Configuration

    Chapter 6: Device Configuration To define a WIPS server configuration used with the access point’s RF Domain: 1 Select Configuration > Devices > RF Domains from the Web UI. 2 Select the Sensor Configuration tab. Either select the + Add Row button to create a new WIPS server configuration or highlight an existing Sensor Server Configuration and select the Delete icon to remove it.
  • Page 63: General Profile Configuration

    System Profile Configuration A profile allows access point administration across large wireless network segments. However, an administrator cannot manage more than one model’s profile and its set configuration policies at any one time. Therefore, an administrator should manage multiple access points directly from the Virtual Controller AP.
  • Page 64: Profile Radio Power

    Chapter 6: Device Configuration Select + Add Row below the Network Time Protocol (NTP) table to define the NTP server resources the access point’s profile uses to obtain system time. Set the following parameters to define the NTP configuration: AutoKey Select the radio button to enable an autokey configuration for the NTP resource.
  • Page 65 System Profile Configuration and the budget available to the access point. The CPLD also determines the access point hardware SKU (model) and the number of radios. If the access point’s POE resource cannot provide sufficient power to run the access point (with all intended interfaces enabled), some of the following interfaces could be disabled or modified: The access point’s transmit and receive algorithms could be negatively impacted ●...
  • Page 66: Profile Adoption (Auto Provisioning) Configuration

    Chapter 6: Device Configuration When an access point is powered on for the first time, it determines the power budget available. Using the Automatic setting, the access point automatically determines the best power configuration based on the available power budget. Automatic is the default setting. If 802.3af is selected, the access point assumes 12.95 watts are available.
  • Page 67: Profile Interface Configuration

    System Profile Configuration Define the Preferred Group used as optimal group of Virtual Controller for adoption. The name of the preferred group cannot exceed 64 characters. 6 Select the checkbox to define a VLAN the access point’s associating Virtual Controller AP is reachable on.
  • Page 68: Ethernet Port Configuration

    Chapter 6: Device Configuration A profile’s Interface configuration process consists of the following: “Ethernet Port Configuration” ● “Virtual Interface Configuration” ● “Port Channel Configuration” ● “Access Point Radio Configuration” ● “WAN Backhaul Configuration” ● Additionally, deployment considerations and guidelines for profile interface configurations are available for review prior to defining a configuration that could significantly impact the performance of the network.
  • Page 69 System Profile Configuration Refer to the following to assess port status, mode and VLAN configuration: Name Displays the physical port name reporting runtime data and statistics. Supported ports vary depending on the model. Type Displays the physical port type. Copper is used on RJ45 Ethernet ports and Optical materials are used on fiber optic gigabit Ethernet ports.
  • Page 70 Chapter 6: Device Configuration Allowed VLANs Displays the VLANs allowed to send packets over the listed port. Allowed VLANs are only listed when the mode has been set to Trunk. 6 To edit an access point profile’s port configuration, select it from amongst those displayed and select the Edit button.
  • Page 71 System Profile Configuration 8 Define the following Cisco Discovery Protocol (CDP) and LLDP parameters to apply to the Ethernet port configuration. Cisco Discovery Protocol Receive Select the radio button to allow the Cisco discovery protocol for receiving data on this port. Cisco Discovery Protocol Transmit...
  • Page 72 Chapter 6: Device Configuration 13 Refer to the Access Control field. As part of the port’s security configuration, Inbound IP and MAC address firewall rules are required. Use the Inbound IP Firewall Rules and Inbound MAC Firewall Rules drop-down menus to select the firewall rules to apply to this profile’s Ethernet port configuration.
  • Page 73: Virtual Interface Configuration

    System Profile Configuration NOTE Some vendor solutions with VRRP enabled send ARP packets with Ethernet SMAC as a physical MAC and inner ARP SMAC as VRRP MAC. If this configuration is enabled, a packet is allowed, despite a conflict existing. 16 Select the Enable checkbox within the 802.1x Authentication field to enable a username and password pair to be used when authenticating users on this port.
  • Page 74 Chapter 6: Device Configuration Review the following parameters unique to each virtual interface configuration: Name Displays the name of each listed Virtual Interface assigned when it was created. The name is between 1 - 4094, and cannot be modified as part of a Virtual Interface edit.
  • Page 75 System Profile Configuration The Basic Configuration screen displays by default regardless of whether a new Virtual Interface is being created or an existing one is being modified. 6 If creating a new Virtual Interface, use the Name spinner control to define a numeric ID between 1 - 4094.
  • Page 76: Port Channel Configuration

    Chapter 6: Device Configuration Select either the Inside, Outside or None radio buttons. Inside - The inside network is transmitting data over the network to its intended destination. On the ● way out, the source IP address is changed in the header and replaced by the (public) IP address. Outside - Packets passing through the NAT on the way back to the LAN are searched against to ●...
  • Page 77 System Profile Configuration To define a port channel configuration for a controller profile: 1 Select the Configuration tab from the Web UI. 2 Select Devices. 3 Select System Profile from the options on the left-hand side of the UI. 4 Expand the Interface menu and select Port Channels. 5 Refer to the following to review existing port channel configurations and their current status: Name Displays the port channel’s numerical identifier assigned to it when it was...
  • Page 78 Chapter 6: Device Configuration Set the following port channel Properties: Description Enter a brief description for the port channel (64 characters maximum). The description should reflect the port channel’s intended function. Admin Status Select the Enabled radio button to define this port channel as active to the controller profile it supports.
  • Page 79 System Profile Configuration 9 Define the following Switching Mode parameters to apply to the port channel configuration: Mode Select either the Access or Trunk radio button to set the VLAN switching mode over the port channel. If Access is selected, the port channel accepts packets only from the native VLAN.
  • Page 80 Chapter 6: Device Configuration 12 Refer to the Access Control field. As part of the port channel’s security configuration, Inbound IP and MAC address firewall rules are required. Use the Inbound IP Firewall Rules and Inbound MAC Firewall Rules drop-down menus to select firewall rules to apply to this profile’s port channel configuration.
  • Page 81 System Profile Configuration 16 Define the following PortFast parameters for the port channel’s MSTP configuration: Enable PortFast Select the check box to enable drop-down menus for both the Enable Portfast BPDU Filter and Enable Portfast BPDU Guard options. This setting is disabled by default.
  • Page 82: Access Point Radio Configuration

    Chapter 6: Device Configuration Guard Determines whether the port channel enforces root bridge placement. Setting the guard to Root ensures the port is a designated port. Typically, each guard root port is a designated port, unless two or more ports (within the root bridge) are connected together.
  • Page 83 System Profile Configuration Review the following radio configuration data to determine whether a radio configuration requires modification to better support the network: Name Displays whether the reporting radio is radio 1, radio 2 or radio 3. Altitude 4700 models can have up to 3 radios depending on the SKU. Altitude 4532, Altitude 4710, and Altitude 4762 access points have 2 radios, while Altitude 4511 and Altitude 4521 access points have 1 radio.
  • Page 84 Chapter 6: Device Configuration The Radio Settings tab displays by default. 7 Define the following radio configuration parameters from within the Properties field: Description Provide or edit a description (1 - 64 characters in length) for the radio that helps differentiate it from others with similar configurations. Admin Status Either select the Disabled or Enabled radio button to define this radio’s current status within the network.
  • Page 85 Extreme Networks recommends that only a professional installer set the antenna gain. The default value is 0.00.
  • Page 86 Chapter 6: Device Configuration NOTE Altitude 4700 series and Altitude 4532 access points can support up to 256 client connections to a single access point radio. Altitude 4511 and Altitude 4521 access points (both single radio models) can support up to 128 client connections to a single radio.
  • Page 87 System Profile Configuration Guard Interval Use the drop down menu to specify a Long or Any guard interval. The guard interval is the space between symbols (characters) being transmitted. The guard interval is there to eliminate inter-symbol interference (ISI). ISI occurs when echoes or reflections from one symbol interfere with another symbol.
  • Page 88 Chapter 6: Device Configuration 16 Use the Mesh screen to define how mesh connections are established and the number of links available amongst access points within the Mesh network. 17 Define the following Mesh Settings: Mesh Options include Client, Portal and Disabled. Select Client to scan for mesh portals, or nodes that have connection to portals, and then connect through them.
  • Page 89 System Profile Configuration 21 Refer to the Aggregate MAC Protocol Data Unit (A-MPDU) field to define how MAC service frames are aggregated by the access point radio. A-MPDU Modes Use the drop-down menu to define the A-MPDU mode supported. Options include Transmit Only, Receive Only, Transmit and Receive and None.
  • Page 90: Wan Backhaul Configuration

    Chapter 6: Device Configuration Broadcast/Multicast Forwarding Define whether client broadcast and multicast packets should always follow DTIM, or only follow DTIM when using Power Save Aware mode. The default setting is Follow DTIM. 25 Refer to the Sniffer Redirect (Packet Capture) field to define the radio’s captured packet configuration. Host for Redirected Packets If packets are redirected from an access point radio, define an IP address of...
  • Page 91: Wan Backhaul Deployment Considerations

    System Profile Configuration Refer to the WAN (3G) Backhaul configuration to specify the access point’s WAN card interface settings: WAN Interface Name Displays the WAN Interface name for the WAN 3G Backhaul card. Enable WAN (3G) Check this box to enable 3G WAN card support on the access point. A supported 3G card must be connected to the device for this feature to work.
  • Page 92: Profile Network Configuration

    Chapter 6: Device Configuration ● If the WAN card does not connect within a few minutes after a no shutdown, check the access point’s syslog for a detected ttyUSB0 No such file event. If this event has occurred, Linux didn’t detect the card.
  • Page 93: Arp

    System Profile Configuration To define the DNS configuration: 1 Select the Configuration tab from the Web UI. 2 Select Devices. 3 Select System Profile from the options on left-hand side of the UI. 4 Expand the Network menu and select DNS. Provide a default Domain Name used when resolving DNS names.
• Page 94 Chapter 6: Device Configuration Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a hardware MAC address recognized on the network. ARP defines the request/reply exchange used to make this correlation. When an incoming packet destined for a host arrives, the gateway uses ARP to find the MAC address that matches the IP address.
  • Page 95: Quality Of Service (Qos)

    System Profile Configuration IP Address Define the IP address used to fetch a MAC Address. MAC Address Displays the target MAC address that’s subject to resolution. This is the MAC used for mapping an IP address to a MAC address that’s recognized on the network.
  • Page 96: Static Routes

    Chapter 6: Device Configuration Set the following parameters for IP DSCP mappings for untagged frames: DSCP Lists the DSCP value, a 6-bit field in the header of every IP packet used for packet classification. 802.1p Priority Assign the 3-bit 802.1p priority (carried in the 802.1Q tag) that frames arriving with this DSCP value receive when they are forwarded over a tagged link.
  • Page 97: Forwarding Database

    System Profile Configuration Use the Static Routes screen to set Destination IP and Gateway addresses enabling assignment of static IP addresses for requesting clients without creating numerous host pools with manual bindings. This eliminates the need for a long configuration file and reduces the resource space required to maintain address pools.
  • Page 98 Chapter 6: Device Configuration the destination MAC is on a different network segment, it forwards the packet to the segment. If the destination MAC is on the same network segment, the packet is dropped (filtered). As nodes transmit packets through the bridge, the bridge updates its forwarding database with known MAC addresses and their locations on the network.
  • Page 99: Bridge Vlan

    System Profile Configuration 8 Define the target VLAN ID if the destination MAC is on a different network segment. 9 Provide an Interface Name used as the target destination interface for the target MAC address. 10 Select OK to save the changes. Select Reset to revert to the last saved configuration. Bridge VLAN “Profile Network Configuration”...
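The forwarding-database behaviour described on the preceding pages (learn source MACs per segment, forward to the learned segment, filter when source and destination share a segment, flood unknown destinations, and pin static entries to an interface and VLAN) can be modelled in a few dozen lines. The following is an added example, not code from the Altitude reference guide or the access point firmware; the port names, ageing time and sample frames are constructed for the demonstration.

```python
"""Learning bridge with a per-VLAN forwarding database (FDB).

Added example, not the access point's own implementation. Port names,
ageing time and the traffic in demo() are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def is_group_address(mac: str) -> bool:
    """Broadcast or multicast: least-significant bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class FdbEntry:
    port: str
    learned_at: float        # seconds; ignored for static entries
    static: bool = False


class Bridge:
    def __init__(self, ports: List[str], ageing_seconds: float = 300.0):
        self.ports = list(ports)
        self.ageing = ageing_seconds
        self.fdb: Dict[Tuple[int, str], FdbEntry] = {}   # (vlan, mac) -> entry

    def add_static(self, vlan: int, mac: str, port: str) -> None:
        """Static FDB entry (as on the Bridge VLAN screen): pins a MAC to an
        interface. It is never aged out and cannot be moved by learning."""
        if port not in self.ports:
            raise ValueError(f"unknown port {port}")
        self.fdb[(vlan, mac.lower())] = FdbEntry(port, 0.0, static=True)

    def _learn(self, vlan: int, mac: str, port: str, now: float) -> None:
        key = (vlan, mac.lower())
        current = self.fdb.get(key)
        if current is not None and current.static:
            return   # a spoofed source address cannot relocate a pinned entry
        self.fdb[key] = FdbEntry(port, now)

    def _lookup(self, vlan: int, mac: str, now: float) -> Optional[FdbEntry]:
        key = (vlan, mac.lower())
        entry = self.fdb.get(key)
        if entry is None:
            return None
        if not entry.static and now - entry.learned_at > self.ageing:
            del self.fdb[key]   # stale dynamic entry: treat as unknown again
            return None
        return entry

    def receive(self, in_port: str, vlan: int, src: str, dst: str,
                now: float) -> Tuple[str, List[str]]:
        """Learn the source, then decide: forward, flood within the VLAN, or filter."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        if not is_group_address(src):
            self._learn(vlan, src, in_port, now)
        others = [p for p in self.ports if p != in_port]
        if is_group_address(dst):
            return "flood", others
        entry = self._lookup(vlan, dst, now)
        if entry is None:
            return "flood", others          # unknown destination
        if entry.port == in_port:
            return "filter", []             # same segment: drop
        return "forward", [entry.port]


def demo() -> List[Tuple[str, List[str]]]:
    """Constructed traffic on a three-port bridge, all in VLAN 10."""
    br = Bridge(["ge1", "ge2", "ge3"], ageing_seconds=300)
    gw = "00:11:22:33:44:55"
    br.add_static(10, gw, "ge3")                  # e.g. the uplink gateway, pinned
    a, b, c = "00:aa:aa:aa:aa:01", "00:bb:bb:bb:bb:02", "00:cc:cc:cc:cc:03"
    return [
        br.receive("ge1", 10, a, b, now=0.0),     # b unknown: flood
        br.receive("ge2", 10, b, a, now=1.0),     # a learned on ge1: forward
        br.receive("ge1", 10, c, a, now=2.0),     # a is on the same segment: filter
        br.receive("ge1", 10, a, gw, now=3.0),    # static entry: forward to ge3
        br.receive("ge2", 10, gw, a, now=4.0),    # gateway MAC spoofed from ge2
        br.receive("ge1", 10, a, gw, now=5.0),    # gateway still pinned to ge3
        br.receive("ge3", 10, gw, b, now=400.0),  # b's dynamic entry aged out: flood
    ]
```

The fifth frame is the security-relevant case: a station on ge2 sourcing the gateway's MAC does not relocate the static entry, so traffic to the gateway keeps going out ge3 rather than to the spoofer.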
  • Page 100 Chapter 6: Device Configuration VLAN Lists the numerical identifier defined for the Bridge VLAN when it was initially created. The available range is from 1 - 4095. This value cannot be modified during the edit process. Description Lists a description of the VLAN assigned when it was created or modified. The description should be unique to the VLAN’s specific configuration and help differentiate it from other VLANs with similar configurations.
  • Page 101 System Profile Configuration If adding a new Bridge VLAN configuration, use the spinner control to define a VLAN ID between 1 - 4095. This value must be defined and saved before the General tab can become enabled and the remainder of the settings defined. 7 If creating a new Bridge VLAN, provide a Description (up to 64 characters) unique to the VLAN’s specific configuration to help differentiate it from other VLANs with similar configurations.
  • Page 102: Miscellaneous Network Configuration

    Chapter 6: Device Configuration NOTE If creating a mesh connection between two access points in Standalone AP mode, Tunnel must be selected as the Bridging Mode to successfully create the mesh link between the two access points. 9 Define the following Layer 2 Firewall parameters: Trust ARP Response Select the radio button to use trusted ARP packets to update the DHCP Snoop Table, preventing IP spoofing and ARP cache poisoning attacks.
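The Trust ARP Response setting above ties ARP handling to a DHCP snooping table: leases observed from the DHCP server become IP/MAC/port bindings, and an ARP reply that contradicts a binding is discarded instead of poisoning caches. The following is an added example of that logic, not the access point's implementation; the trusted port, client MACs, lease and ARP frames are constructed, while the wire formats follow RFC 2131 (DHCP) and RFC 826 (ARP).

```python
"""DHCP snooping bindings used to validate ARP replies.

Added example, not the access point's code. Trusted port name, MACs,
lease and the sample packets in demo() are constructed.
"""
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCPREQUEST, DHCPACK = 3, 5
ARP_FMT = "!HHBBH6s4s6s4s"   # htype ptype hlen plen oper sha spa tha tpa


def build_dhcp(msg_type: int, chaddr: bytes, yiaddr: str = "0.0.0.0") -> bytes:
    """Minimal DHCP message: 236-byte fixed header, magic cookie, option 53, end."""
    hdr = bytearray(236)
    hdr[0] = 2 if msg_type == DHCPACK else 1          # BOOTREPLY / BOOTREQUEST
    hdr[1], hdr[2] = 1, 6                             # htype Ethernet, hlen 6
    hdr[16:20] = IPv4Address(yiaddr).packed           # yiaddr: the assigned lease
    hdr[28:34] = chaddr                               # chaddr: client hardware address
    return bytes(hdr) + DHCP_MAGIC + bytes([53, 1, msg_type, 0xFF])


def parse_dhcp(pkt: bytes) -> Tuple[int, bytes, str]:
    """Returns (message type, client MAC, yiaddr); walks the option list."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i, msg_type = pkt[240:], 0, None
    while i < len(opts) and opts[i] != 0xFF:
        if opts[i] == 0:                               # pad option: no length octet
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53:
            msg_type = opts[i + 2]
        i += 2 + length
    if msg_type is None:
        raise ValueError("missing DHCP message type option")
    return msg_type, pkt[28:34], str(IPv4Address(pkt[16:20]))


def build_arp_reply(sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2, sha,
                       IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)


class ArpInspector:
    """Snoops DHCP to learn (vlan, ip) -> (mac, port); vets ARP replies against it."""

    def __init__(self, trusted_ports: List[str]):
        self.trusted = set(trusted_ports)                 # ports facing the real DHCP server
        self.pending: Dict[bytes, str] = {}               # client mac -> port it requested from
        self.bindings: Dict[Tuple[int, str], Tuple[bytes, str]] = {}

    def observe_dhcp(self, port: str, vlan: int, pkt: bytes) -> Optional[str]:
        """Returns the bound IP when an ACK completes a binding, else None."""
        msg_type, chaddr, yiaddr = parse_dhcp(pkt)
        if msg_type == DHCPREQUEST and port not in self.trusted:
            self.pending[chaddr] = port
        elif msg_type == DHCPACK:
            if port not in self.trusted:
                return None                               # rogue server on an untrusted port
            client_port = self.pending.pop(chaddr, None)
            if client_port is not None:
                self.bindings[(vlan, yiaddr)] = (chaddr, client_port)
                return yiaddr
        return None

    def check_arp_reply(self, port: str, vlan: int, pkt: bytes) -> bool:
        """True if the reply may update ARP caches, False if it must be dropped."""
        _, _, _, _, oper, sha, spa, _, _ = struct.unpack(ARP_FMT, pkt[:28])
        if oper != 2 or port in self.trusted:
            return True                                   # requests and trusted ports pass
        binding = self.bindings.get((vlan, str(IPv4Address(spa))))
        # the sender must hold the lease for that IP and sit on the port it leased from
        return binding is not None and binding == (sha, port)


def demo() -> List[bool]:
    insp = ArpInspector(trusted_ports=["up1"])
    victim, attacker = bytes.fromhex("00aaaaaaaa01"), bytes.fromhex("00bbbbbbbb02")
    gateway = bytes.fromhex("001122334455")
    insp.observe_dhcp("ge1", 10, build_dhcp(DHCPREQUEST, victim))
    insp.observe_dhcp("up1", 10, build_dhcp(DHCPACK, victim, "10.0.0.10"))
    return [
        insp.check_arp_reply("ge1", 10, build_arp_reply(victim, "10.0.0.10", gateway, "10.0.0.1")),
        insp.check_arp_reply("ge2", 10, build_arp_reply(attacker, "10.0.0.1", victim, "10.0.0.10")),
        insp.check_arp_reply("ge2", 10, build_arp_reply(attacker, "10.0.0.10", gateway, "10.0.0.1")),
        insp.check_arp_reply("ge2", 10, build_arp_reply(victim, "10.0.0.10", gateway, "10.0.0.1")),
        insp.check_arp_reply("up1", 10, build_arp_reply(gateway, "10.0.0.1", victim, "10.0.0.10")),
    ]
```

In demo() the second reply is the classic gateway impersonation (an untrusted station claiming 10.0.0.1 without a lease), the third reuses the victim's IP with the attacker's MAC, and the fourth replays the victim's correct pair from the wrong port; all three are dropped, while the legitimate client and the trusted uplink pass.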
  • Page 103: Profile Network Configuration And Deployment Considerations

    System Profile Configuration Select the Include Hostname in DHCP Request checkbox to include a hostname in a DHCP lease for a requesting device. This feature is enabled by default. 6 Select the DHCP Persistent Lease checkbox to retain the lease that was last used by the access point if the access point’s DHCP server resource were to become unavailable.
  • Page 104: Profile Security Configuration

    Chapter 6: Device Configuration Profile Security Configuration An access point profile can have its own firewall policy, wireless client role policy, WEP shared key authentication and NAT policy applied. WEP is cryptographically broken; use it only where legacy clients leave no alternative, and keep such WLANs isolated. For more information, refer to the following sections: “Defining Profile Security Settings” ●...
  • Page 105: Setting The Certificate Revocation List (Crl) Configuration

    System Profile Configuration the key algorithm to convert an ASCII string to the same hexadecimal number. Clients without Motorola adapters need to use WEP keys manually configured as hexadecimal numbers. This option is disabled by default. 6 Select OK to save the changes made within the Settings screen. Select Reset to revert to the last saved configuration.
  • Page 106: Setting The Profile's Nat Configuration

    Chapter 6: Device Configuration 7 Enter the resource ensuring the trustpoint’s legitimacy within the URL field. 8 Use the spinner control to specify an interval (in hours) after which a device copies a CRL file from an external server and associates it with a trustpoint. 9 Select OK to save the changes made within the Certificate Revocation screen.
• Page 107 System Profile Configuration The NAT Pool tab displays by default. The NAT Pool tab lists those NAT policies created thus far. Any of these policies can be selected and applied to the access point profile. 5 Select Add to create a new NAT policy that can be applied to a profile. Select Edit to modify the attributes of an existing policy or select Delete to remove obsolete NAT policies from the list of those available to a profile.
  • Page 108 Chapter 6: Device Configuration If adding a new NAT policy or editing the configuration of an existing policy, define the following parameters: Name If adding a new NAT policy, provide a name to help distinguish it from others with similar configurations. The length cannot exceed 64 characters. IP Address Range Define a range of IP addresses that are hidden from the public Internet.
• Page 109 System Profile Configuration hides the actual address of the server from users on insecure interfaces. Casual access by unauthorized users becomes much more difficult. Static NAT requires a dedicated address on the outside network for each host. Inside NAT is the default setting. 12 Select the Destination tab to view destination NAT configurations. Packets passing through the NAT on the way back to the LAN are matched against the records kept by the NAT engine.
  • Page 110 Chapter 6: Device Configuration 14 Set the following Destination configuration parameters: Static NAT creates a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network. To share a Web server on a perimeter interface with the Internet, use static address translation to map the actual address to a registered IP address.
  • Page 111 System Profile Configuration NAT Port Enter the port number of the matching packet to the specified value. This option is valid only if the direction specified is destination. Network Select Inside or Outside NAT as the network direction. Inside is the default setting.
  • Page 112 Chapter 6: Device Configuration Overload IP Enables the use of one global address for numerous local addresses. 18 Select Add to create a new Dynamic NAT configuration, Edit to modify an existing configuration or Delete to permanently remove a configuration. 19 Set the following to define the Dynamic NAT configuration: Source List ACL Use the drop-down menu to select an ACL name to define the packet...
  • Page 113: Profile Security Configuration And Deployment Considerations

    System Profile Configuration NAT Pool Provide the name of an existing NAT pool for use with the dynamic NAT configuration. Optionally select the Create icon to define a new NAT Pool configuration. Overload IP Enables the use of one global address for numerous local addresses. 21 Select OK to save the changes made to the dynamic NAT configuration.
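The three NAT flavours described across the preceding pages (static one-to-one mappings that admit new inbound connections, dynamic pool NAT that gives each inside host its own outside address until the pool is exhausted, and overload, which shares one outside address by rewriting ports) behave differently for unsolicited inbound traffic, which is the property the guide alludes to with "casual access by unauthorized users becomes much more difficult". The following is an added example of one engine implementing all three, not the access point's NAT code; inside ranges, pools and hosts are constructed using RFC 5737 documentation prefixes on the outside.

```python
"""Static, dynamic (pool) and overload (PAT) NAT on one engine.

Added example, not the access point's NAT implementation. Addresses,
pools and the traffic in demo() are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatEngine:
    def __init__(self):
        self.static_out: Dict[str, str] = {}     # inside ip -> outside ip
        self.static_in: Dict[str, str] = {}      # outside ip -> inside ip
        self.rules: List[Tuple[IPv4Network, List[str], bool]] = []  # (source ACL, pool, overload)
        self.host_map: Dict[str, str] = {}       # inside ip -> pool ip (non-overload)
        self.sessions: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
        self.reverse: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
        self.next_port = 1024                    # PAT port allocator (constructed)

    def add_static(self, inside: str, outside: str) -> None:
        self.static_out[inside] = outside
        self.static_in[outside] = inside

    def add_dynamic(self, source_acl: str, pool: List[str], overload: bool = False) -> None:
        self.rules.append((IPv4Network(source_acl), list(pool), overload))

    def _pick_pool_address(self, inside_ip: str, pool: List[str]) -> Optional[str]:
        """Without overload each inside host occupies one pool address."""
        if inside_ip in self.host_map:
            return self.host_map[inside_ip]
        in_use = set(self.host_map.values())
        for candidate in pool:
            if candidate not in in_use:
                self.host_map[inside_ip] = candidate
                return candidate
        return None                              # pool exhausted

    def _allocate_port(self) -> int:
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, f: Flow) -> Optional[Flow]:
        """Inside -> outside. Returns the translated flow, the flow unchanged when
        no rule matches, or None when the packet must be dropped."""
        if f.src_ip in self.static_out:
            return replace(f, src_ip=self.static_out[f.src_ip])
        key = (f.proto, f.src_ip, f.src_port)
        if key in self.sessions:
            out_ip, out_port = self.sessions[key]
            return replace(f, src_ip=out_ip, src_port=out_port)
        for acl, pool, overload in self.rules:
            if IPv4Address(f.src_ip) not in acl:
                continue
            if overload:
                out_ip, out_port = pool[0], self._allocate_port()
            else:
                out_ip = self._pick_pool_address(f.src_ip, pool)
                if out_ip is None:
                    return None
                out_port = f.src_port
            self.sessions[key] = (out_ip, out_port)
            self.reverse[(f.proto, out_ip, out_port)] = (f.src_ip, f.src_port)
            return replace(f, src_ip=out_ip, src_port=out_port)
        return f

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Outside -> inside. Static mappings admit new connections; dynamic ones
        only admit replies to sessions this engine created. Anything else is dropped."""
        if f.dst_ip in self.static_in:
            return replace(f, dst_ip=self.static_in[f.dst_ip])
        hit = self.reverse.get((f.proto, f.dst_ip, f.dst_port))
        if hit is None:
            return None
        return replace(f, dst_ip=hit[0], dst_port=hit[1])


def demo() -> dict:
    nat = NatEngine()
    nat.add_static("192.168.1.10", "203.0.113.10")                       # published server
    nat.add_dynamic("192.168.2.0/24", ["203.0.113.20", "203.0.113.21"])  # two-address pool
    nat.add_dynamic("192.168.3.0/24", ["203.0.113.30"], overload=True)   # PAT on one address
    peer = "198.51.100.1"
    out = {
        "static": nat.outbound(Flow("tcp", "192.168.1.10", 5555, peer, 80)),
        "static_new_in": nat.inbound(Flow("tcp", peer, 40000, "203.0.113.10", 443)),
        "pool_a": nat.outbound(Flow("tcp", "192.168.2.5", 4000, peer, 80)),
        "pool_b": nat.outbound(Flow("tcp", "192.168.2.6", 4000, peer, 80)),
        "pool_exhausted": nat.outbound(Flow("tcp", "192.168.2.7", 4000, peer, 80)),
        "pat_a": nat.outbound(Flow("tcp", "192.168.3.5", 4000, peer, 80)),
        "pat_b": nat.outbound(Flow("tcp", "192.168.3.6", 4000, peer, 80)),
    }
    out["pat_reply"] = nat.inbound(Flow("tcp", peer, 80, out["pat_b"].src_ip, out["pat_b"].src_port))
    out["unsolicited"] = nat.inbound(Flow("tcp", peer, 40000, "203.0.113.30", 443))
    out["unmatched"] = nat.outbound(Flow("udp", "10.9.9.9", 53, peer, 53))
    return out
```

Note the asymmetry demo() exposes: an unsolicited connection to the static address 203.0.113.10 reaches the inside server, whereas the same attempt against the overload address 203.0.113.30 is dropped because no session created it. A static NAT entry is therefore a published service and needs the same firewall scrutiny as a directly exposed host.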
  • Page 114: Profile Services Configuration And Deployment Considerations

    Chapter 6: Device Configuration Refer to the Captive Portal Hosting field to select or set a guest access configuration (captive portal) for use with this profile. A captive portal is a guest access policy for providing guests temporary and restricted access to the access point managed network.
  • Page 115: Profile Management Configuration

    System Profile Configuration ● DHCP’s lack of an authentication mechanism means a DHCP server supported profile cannot check if a client or user is authorized to use a given user class. This introduces a vulnerability when using user class options. Ensure a profile using DHCP resources is also provisioned with a strong user authorization and validation configuration.
  • Page 117 System Profile Configuration Refer to the Message Logging field to define how the profile logs system events. It’s important to log individual events to discern an overall pattern that may be negatively impacting performance using the configuration defined for the access point’s profile. Enable Message Logging Select the radio button to enable the profile to log system events to a user defined log file or a syslog server.
• Page 118 Chapter 6: Device Configuration Password for SMTP Server Specify the password for the sender’s username on the outgoing SMTP server. Many SMTP servers require users to authenticate with a username and password before sending e-mail through the server. 8 Use the Persist Configuration Across Reloads option to define how the access point saves (in flash memory) the configuration received from its connected Virtual Controller.
• Page 119 System Profile Configuration 12 Use the parameters within the Automatic Adopted AP Firmware Upgrade field to define an automatic firmware configuration. Enable Controller Upgrade of AP Firmware Select the access point model to upgrade to a newer firmware version using its associated Virtual Controller AP’s most recent firmware file for that model.
  • Page 120: Upgrading Altitude 4532 Firmware From 5.1 To 5.2

    Chapter 6: Device Configuration Upgrading Altitude 4532 Firmware from 5.1 to 5.2 “Profile Management Configuration” An existing Altitude 4532 deployment running factory installed 5.1 version firmware can be upgraded to this most recent 5.2 version baseline. To upgrade an Altitude 4532 to the 5.2 version baseline: Ensure you have the following resources: ● A computer with an SSH client and an FTP or TFTP server...
  • Page 121: Profile Management Configuration And Deployment Considerations

    ● Management services like HTTPS, SSH and SNMPv3 should be used when possible, as they provide data privacy and authentication. ● Extreme Networks recommends SNMPv3 be used for management profile configurations, as it provides both encryption and authentication. Advanced Profile Configuration An access point profile’s advanced configuration is comprised of defining connected client load balance...
• Page 122 Chapter 6: Device Configuration 1 Select Client Load Balancing from the expanded Advanced menu. 2 Use the drop-down menu to define a Band Steering Strategy. Options include prefer-5ghz, prefer-2.4 ghz, and distribute-by-ratio. The default value is prefer-5ghz. 3 Set the following Neighbor Selection Strategies. Use probes from common clients Select this option to use probes from shared clients in the neighbor...
• Page 123 System Profile Configuration 5 Set the following Channel Load Balancing settings: Balance 2.4GHz Channel Loads Select this option to balance loads across channels in the 2.4 GHz radio band. This can prevent congestion on the 2.4 GHz radio if a channel is over utilized.
• Page 124 Chapter 6: Device Configuration Minimum signal strength for smart-rf neighbors When Using smart-rf neighbor detection is selected as a neighbor selection strategy, use the spinner control to set a minimum signal strength value (between 0 - 100%) for a SMART RF detected access point to be qualified as a neighbor.
  • Page 125: Configuring Mint

    System Profile Configuration Weightage given to Client Count Use the spinner control to assign a weight (between 0 - 100%) the access point uses to prioritize client count in the radio load calculation (on both the 2.4 and 5 GHz radio bands). Assign this value higher if this radio is intended to support numerous clients and their throughput is secondary to maintaining client association.
  • Page 126 Chapter 6: Device Configuration 1 Select MINT Protocol from the expanded Advanced menu. The Settings tab displays by default. 2 Refer to the Area Identifier field to define the Level 1 and Level 2 Area IDs used by the profile’s MINT configuration.
  • Page 127 System Profile Configuration 6 Select OK to save the changes made to the Settings tab. Select Reset to revert to the last saved configuration. 7 Select the IP tab to display the link IP network address information shared by the devices managed by the access point’s MINT configuration.
• Page 128 Chapter 6: Device Configuration Set the following Link IP parameters to complete the MINT network address configuration: IP Define the IP address used by peer access points for interoperation when supporting the MINT protocol. Port To specify a custom port for MiNT links, select this Port radio button and use the spinner control to define the port number (1 - 65,535).
  • Page 129 System Profile Configuration The VLAN tab displays the VLAN, Routing Level, Link Cost, Hello Packet Interval and Adjacency Hold Time managed devices use to securely communicate amongst one another. Select Add to create a new VLAN link configuration or Edit to modify an existing configuration. NOTE If creating a mesh link between two access points in Standalone AP mode, you’ll need to ensure a VLAN is available to provide the necessary MINT link between the two Standalone APs.
  • Page 130: Advanced Profile Miscellaneous Configuration

    Chapter 6: Device Configuration 10 Set the following parameters to add or modify MINT VLAN configuration: VLAN If adding a new VLAN, define a VLAN ID between 1 - 4,094 used by peers for interoperation when supporting the MINT protocol. Routing Level If adding a new VLAN, use the spinner control to define a routing level of either 1 or 2.
• Page 131 System Profile Configuration 1 Select Miscellaneous from the Advanced Profile’s menu item. 2 Set a NAS-Identifier Attribute up to 253 characters in length. This is the RADIUS NAS-Identifier attribute that typically identifies the access point where a RADIUS message originates. 3 Set a NAS-Port-Id Attribute up to 253 characters in length. This is the RADIUS NAS port ID attribute which identifies the port where a RADIUS message originates.
  • Page 132: Managing Virtual Controllers

    Virtual Controller AP of the same model. NOTE If designating the access point as a Standalone AP, Extreme Networks recommends the access point’s UI be used exclusively to define its device configuration, and not the CLI. The CLI provides the ability to define more than one profile, while the UI only provides one per access point model.
  • Page 133 Managing Virtual Controllers The Virtual Controller AP screen lists those peer access points within this Virtual Controller’s radio coverage area. Each listed access point is listed by its assigned System Name, MAC Address and Virtual Controller designation. Only Standalone APs of the same model can have their Virtual Controller AP designation changed.
  • Page 134: Overriding A Device Configuration

    Chapter 6: Device Configuration Select the Set as Virtual Controller AP radio button to change the selected access point’s designation from Standalone to Virtual Controller AP. Remember that only one Virtual Controller can manage (up to) 24 access points of the same model. Thus, an administrator should take care to change the designation of a Virtual Controller AP to Standalone AP to compensate for a new Virtual Controller AP designation.
  • Page 135: Basic Configuration

    Basic Configuration access point’s configuration. For more information on applying an override to an access point’s Virtual Controller AP assigned configuration profile, see “Profile Overrides” on page 155. Refer to the following to override the configuration of an access point managed device: “Basic Configuration”...
• Page 136 Chapter 6: Device Configuration Set the following Configuration settings for the target device: System Name Provide the selected device a system name up to 64 characters in length. This is the device name that appears within the RF Domain or Profile the access point supports and is identified by. Area Assign the access point an Area representative of the location the access...
  • Page 137: Assigning Certificates

    Assigning Certificates Use the New Time parameter to set the calendar day, hour and minute. Use the AM and PM radio buttons to refine whether the updated time is for the AM or PM. This time can be synchronized with the use of an external NTP resource.
  • Page 138 Chapter 6: Device Configuration Set the following Management Security certificate configurations: HTTPS Trustpoint Either use the default-trustpoint or select the Stored radio button to enable a drop-down menu where an existing certificate/trustpoint can be leveraged. To leverage an existing device certificate for use with this target device, select the Launch Manager button.
  • Page 139: Certificate Management

    Assigning Certificates “Certificate Management” ● “RSA Key Management” ● “Certificate Creation” ● “Generating a Certificate Signing Request” ● Certificate Management “Assigning Certificates” If not wanting to use an existing certificate or key with a selected device, an existing stored certificate can be leveraged from a different device.
  • Page 140 Chapter 6: Device Configuration 1 Select Launch Manager from either the HTTPS Trustpoint, SSH RSA Key, or RADIUS Server Certificate parameters. The Certificate Management screen displays with the Trustpoints section displayed by default. 2 Select a device from amongst those displayed to review its certificate information. Refer to the Certificate Details to review the certificate’s properties, self-signed credentials, validity period and CA information.
  • Page 141 Assigning Certificates Define the following configuration parameters required for the Import of the trustpoint. Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual. Key Passphrase Define the key used by both the device and the server (or repository) of the target trustpoint.
  • Page 142 Chapter 6: Device Configuration Define the following configuration parameters required for the Import of the CA certificate: Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint signing the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.
  • Page 143 Assigning Certificates 8 Select OK to import the defined CA certificate. Select Cancel to revert the screen to its last saved configuration. 9 To optionally import a CRL, select the Import CRL button from the Certificate Management screen. If a certificate displays within the Certificate Management screen with a CRL, that CRL can be imported.
  • Page 144 Chapter 6: Device Configuration Port If selecting Advanced, use the spinner control to set the port. This option is not valid for cf, usb1, and usb2. IP Address If selecting Advanced, enter IP address of the server used to import the CRL.
  • Page 145 Assigning Certificates Protocol If selecting Advanced, select the protocol used for importing the target CA certificate. Available options include: • tftp • ftp • sftp • http • cf • usb1 • usb2 Port If selecting Advanced, use the spinner control to set the port. This option is not valid for cf, usb1, and usb2.
  • Page 146: Rsa Key Management

    Chapter 6: Device Configuration 16 Define the following configuration parameters required for the Export of the trustpoint. Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual.
• Page 147 Enter the 32 character maximum name assigned to the RSA key. Key Size Use the spinner control to set the size of the key (between 1,024 - 2,048 bits). Extreme Networks recommends leaving this value at the default setting of 1024 to ensure optimum functionality. Note that 1024-bit RSA is below the 2048-bit minimum now generally required for HTTPS and SSH keys; choose 2048 unless an interoperating device cannot accept it. Altitude...
• Page 148 Chapter 6: Device Configuration 6 Select OK to generate the RSA key. Select Cancel to revert the screen to its last saved configuration. 7 To optionally import an RSA key, select the Import button from the RSA Keys screen. Define the following configuration parameters required for the Import of the RSA key: Key Name Enter the 32 character maximum name assigned to the RSA key.
  • Page 149 Assigning Certificates Export the key to a RADIUS server so it can be imported without generating a second key. If there’s more than one RADIUS authentication server, export the certificate and don’t generate a second key unless you want to deploy two root certificates. 11 Define the following configuration parameters required for the Export of the RSA key: Key Name Enter the 32 character maximum name assigned to the RSA key.
  • Page 150: Certificate Creation

    To create a new RSA key, select the radio button to define a 32 character name used to identify the RSA key. Use the spinner control to set the size of the key (between 1,024 - 2,048 bits). Extreme Networks recommends leaving this value at the default setting (1024) to ensure optimum functionality. Note that 1024-bit RSA is below the 2048-bit minimum now generally required for certificate keys; choose 2048 unless an interoperating device cannot accept it.
  • Page 151: Generating A Certificate Signing Request

    Assigning Certificates 4 Set the following Certificate Subject Name parameters required for the creation of the certificate: Certificate Subject Select either the auto-generate radio button to automatically create the Name certificate's subject credentials or select user-defined to manually enter the credentials of the self CA certificate.
  • Page 152 To create a new RSA key, select the radio button to define a 32 character name used to identify the RSA key. Use the spinner control to set the size of the key (between 1,024 - 2,048 bits). Extreme Networks recommends leaving this value at the default setting (1024) to ensure optimum functionality.
  • Page 153: Rf Domain Overrides

    RF Domain Overrides 5 Select the following Additional Credentials required for the generation of the CSR: Email Address Provide an email address used as the contact address for issues relating to this CSR. Domain Name Enter a fully qualified domain name (FQDN), an unambiguous domain name that specifies the node's position in the DNS tree hierarchy.
  • Page 154 Chapter 6: Device Configuration NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides. This will remove all overrides from the device.
  • Page 155: Profile Overrides

    Profile Overrides Sample Interval Use the spinner control to define the interval (in seconds) used to capture statistics supporting the listed RF Domain configuration. The default is 5 seconds. Window Size Use the spinner control to set the number of samples used to define RF Domain statistics.
  • Page 156 Chapter 6: Device Configuration NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides. This will remove all overrides from the device.
  • Page 157: Radio Power Overrides

    Radio Power Overrides “Overriding the Network Configuration” ● “WAN Backhaul Overrides” ● “Overriding a Security Configuration” ● “Overriding a Services Configuration” ● “Overriding a Management Configuration” ● “Overriding an Advanced Configuration” ● Radio Power Overrides Use the Power screen to set or override one of two power modes (3af or Auto) for an access point. When Automatic is selected, the access point safely operates within available power.
• Page 158 Chapter 6: Device Configuration Use the Power Mode drop-down menu to set or override the Power Mode Configuration on this AP. NOTE Single radio model access points always operate using a full power configuration. The power management configurations described in this section do not apply to single radio models. When an access point is powered on for the first time, the system determines the power budget available.
  • Page 159: Adoption Overrides

    Adoption Overrides Adoption Overrides Use the Adoption screen to define the configuration of a preferred Virtual Controller resource used for access point adoption. A Virtual Controller can adopt up to 24 access points of the same model. The Virtual Controller must also share its VLAN to peer access points wishing to adopt to it. The Virtual Controller’s IP address (or hostname), pool and routing level must also be defined and made available to connecting peers.
  • Page 160: Profile Interface Override Configuration

    Chapter 6: Device Configuration Define a 64 character maximum Preferred Group. The Preferred group is the Virtual Controller group the access point would prefer to connect upon adoption. 8 Use the spinner control to set the Controller VLAN. This is the VLAN the Virtual Controller is reachable on. Select between 1 - 4094. There is no default value for this setting.
  • Page 161: Ethernet Port Override Configuration

    Adoption Overrides “Ethernet Port Override Configuration” ● “Virtual Interface Override Configuration” ● “Radio Override Configuration” ● Ethernet Port Override Configuration “Profile Interface Override Configuration” Use an Ethernet Port override to change (modify) parameters of an access point’s Ethernet Port configuration. The following ports are available on supported access point models: Altitude 4511 - fe1, fe2, fe3, fe4, up1 ●...
• Page 162 Chapter 6: Device Configuration Refer to the following to review port status and assess whether an override is warranted: Name Displays the physical port name reporting runtime data and statistics. Supported ports vary depending on the Altitude 4700 series, Altitude 4532, Altitude 4511, or Altitude 4521 access point model.
  • Page 163 Adoption Overrides Native VLAN Lists the numerical VLAN ID (1 - 4094) set for the native VLAN. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q frame is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a port in trunk mode.
• Page 164 Chapter 6: Device Configuration Speed Set the speed at which the port receives and transmits data. Select 10 Mbps, 100 Mbps or 1000 Mbps to establish a 10, 100 or 1000 Mbps data transfer rate for the selected half duplex or full duplex transmission over the port.
• Page 165 Adoption Overrides Tag Native VLAN Select the radio button to tag the native VLAN. The IEEE 802.1Q specification is supported for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame identifying, for upstream devices, the VLAN the frame belongs to. If the upstream Ethernet device does not support IEEE 802.1Q tagging, it does not interpret the tagged frames.
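The port-mode, native VLAN and Tag Native VLAN settings above, together with the IP DSCP mapping for untagged frames from the QoS page, all act on the same four-byte 802.1Q tag: an untagged frame is classified into the port's native VLAN and, having no 802.1p field of its own, takes its priority from the IP DSCP; an access port accepts only its native VLAN; a trunk port tags everything on egress except the native VLAN unless Tag Native VLAN is set. The following is an added example implementing that ingress/egress logic, not the access point's bridge code; the port definitions, DSCP map and sample frames are constructed, while the tag layout follows IEEE 802.1Q (TPID 0x8100, then PCP:3, DEI:1, VID:12).

```python
"""802.1Q tagging, native VLAN handling and DSCP-to-802.1p marking.

Added example, not the access point's bridge implementation. Ports,
the DSCP map and the frames in demo() are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed default DSCP -> 802.1p map: the three class-selector bits of the DSCP
DSCP_TO_PCP = {dscp: dscp >> 3 for dscp in range(64)}


@dataclass
class Port:
    name: str
    mode: str                 # "access" or "trunk"
    native_vlan: int
    tag_native: bool = False  # trunk only: also tag frames of the native VLAN


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]       # None when the frame carries no 802.1Q tag
    pcp: int
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    dst, src, ethertype = raw[:6], raw[6:12], struct.unpack("!H", raw[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        return Frame(dst, src, tci & 0x0FFF, tci >> 13, ethertype, raw[18:])
    return Frame(dst, src, None, 0, ethertype, raw[14:])


def serialize(frame: Frame, tagged: bool) -> bytes:
    head = frame.dst + frame.src
    if tagged:
        tci = (frame.pcp << 13) | (frame.vlan & 0x0FFF)
        head += struct.pack("!HHH", TPID_8021Q, tci, frame.ethertype)
    else:
        head += struct.pack("!H", frame.ethertype)
    return head + frame.payload


def ipv4_dscp(payload: bytes) -> int:
    """DSCP is the upper six bits of the second IPv4 header octet (the former ToS byte)."""
    return payload[1] >> 2


def ingress(port: Port, raw: bytes) -> Optional[Frame]:
    """Classify a received frame into a VLAN, or return None to drop it."""
    f = parse_frame(raw)
    if f.vlan is None:
        f.vlan = port.native_vlan                       # untagged -> native VLAN
        if f.ethertype == ETHERTYPE_IPV4:
            f.pcp = DSCP_TO_PCP[ipv4_dscp(f.payload)]   # no tag, so priority comes from DSCP
        return f
    if port.mode == "access" and f.vlan != port.native_vlan:
        return None                                     # access ports take the native VLAN only
    return f                                            # trunk: keep the tag's VLAN and PCP


def egress(port: Port, f: Frame) -> bytes:
    """Re-encode for the outgoing port: strip on access; tag on trunk except native."""
    if port.mode == "access":
        return serialize(f, tagged=False)
    return serialize(f, tagged=(f.vlan != port.native_vlan or port.tag_native))


def demo() -> dict:
    access = Port("ge1", "access", native_vlan=10)
    trunk = Port("up1", "trunk", native_vlan=10)
    trunk_tag_native = Port("up2", "trunk", native_vlan=10, tag_native=True)
    trunk_other = Port("up3", "trunk", native_vlan=1)
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("00aaaaaaaa01")
    ip_ef = bytes([0x45, 46 << 2]) + bytes(18)          # IPv4 header stub, DSCP 46 (EF)
    untagged = serialize(Frame(dst, src, None, 0, ETHERTYPE_IPV4, ip_ef), tagged=False)
    tagged20 = serialize(Frame(dst, src, 20, 3, ETHERTYPE_IPV4, ip_ef), tagged=True)
    f = ingress(access, untagged)
    return {
        "classified": (f.vlan, f.pcp),
        "access_drops_foreign_tag": ingress(access, tagged20),
        "trunk_accepts_tag": ingress(trunk, tagged20).vlan,
        "to_trunk_native": parse_frame(egress(trunk, f)).vlan,
        "to_trunk_tag_native": parse_frame(egress(trunk_tag_native, f)).vlan,
        "to_trunk_other": parse_frame(egress(trunk_other, f)),
    }
```

The "access_drops_foreign_tag" case is the one worth remembering when the port faces untrusted equipment: a client that injects its own 802.1Q tag for another VLAN is refused on an access port, whereas the same frame would be honoured on a trunk, so client-facing ports should stay in Access mode.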
  • Page 166: Virtual Interface Override Configuration

    Chapter 6: Device Configuration 15 If a firewall rule does not exist suiting the data protection needs of the target port configuration, select the Create icon to define a new rule configuration. For more information, see “Wireless Firewall” on page 295.
  • Page 167 Adoption Overrides NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides. This will remove all overrides from the device. Review the following parameters unique to each Virtual Interface configuration to determine whether a parameter override is warranted: Name...
  • Page 168 Chapter 6: Device Configuration The Basic Configuration screen displays by default regardless of whether a new Virtual Interface is being created or an existing one is being modified. 10 If creating a new Virtual Interface, use the spinner control to define a numeric ID between 1 - 4094. 11 Define or override the following parameters from within the Properties field: Description Provide or edit a description (up to 64 characters) for the Virtual Interface...
  • Page 169 Adoption Overrides 13 Define or override the Network Address Translation (NAT) direction. Select either the Inside, Outside or None radio buttons. ● Inside - The inside network is transmitting data over the network to its intended destination. On the way out, the source IP address is changed in the header and replaced by the (public) IP address. ● Outside - Packets passing through the NAT on the way back to the LAN are searched against to...
  • Page 170: Radio Override Configuration

    Chapter 6: Device Configuration Radio Override Configuration “Profile Interface Override Configuration” Access points can have their radio profile configurations overridden if a portion of a profile is no longer relevant to the access point’s deployment objective. To define a radio configuration override for an access point: 1 Select Devices from the Configuration tab.
  • Page 171 Adoption Overrides Type Displays the type as either Radio (for typical client support) or sensor. If setting an Altitude 4521 or Altitude 4511 model access point to function as a sensor, the access point must be rebooted before it can begin to operate as a sensor.
  • Page 172 Extreme Networks recommends only a professional installer set the antenna gain. The default value is 0.00.
  • Page 173 Adoption Overrides Dynamic Chain Selection Select this option to allow the access point radio to dynamically change the number of transmit chains. This setting is disabled by default. The radio uses a single chain/antenna for frames at non 802.11n data rates. Rate Once the radio band is provided, the Rate drop-down menu populates with rate options depending on the 2.4 or 5 GHz band selected.
  • Page 174 Chapter 6: Device Configuration RTS Threshold Specify a Request To Send (RTS) threshold (between 1 - 2,347 bytes) for use by the WLAN's adopted access point radios. RTS is a transmitting station's signal that requests a Clear To Send (CTS) response from a receiving client.
  • Page 175 Adoption Overrides 14 Refer to the WLAN/BSS Mappings field to set or override WLAN BSSID assignments for an existing access point deployment. Administrators can assign each WLAN its own BSSID. If using a single-radio Altitude 4511 or Altitude 4521 access point, there are 8 BSSIDs available. If using a dual-radio Altitude 4532 or Altitude 4700 series access point, there are 8 BSSIDs for the 802.11b/g/n radio and 8 BSSIDs for the 802.11a/n radio.
  • Page 176 Chapter 6: Device Configuration 17 Use the Mesh screen to define or override how mesh connections are established and the number of links available amongst access points within the Mesh network. 18 Define the following Mesh Settings: Mesh Options include Client, Portal and Disabled. Select Client to scan for mesh portals, or nodes that have connection to portals, and connect through them.
  • Page 177 Adoption Overrides 22 Refer to the Aggregate MAC Protocol Data Unit (A-MPDU) field to define or override how MAC service frames are aggregated by the access point radio. A-MPDU Modes Use the drop-down menu to define the A-MPDU mode. Options include Transmit Only, Receive Only, Transmit and Receive and None.
  • Page 178: Wan Backhaul Overrides

    Chapter 6: Device Configuration 25 Set or override the following Non-Unicast Traffic values for the profile’s supported access point radio and its connected wireless clients: Non-Unicast Transmit Rate Use the Select drop-down menu to launch a sub screen to define the data rate at which broadcast and multicast frames are transmitted.
  • Page 179 Adoption Overrides NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides. This will remove all overrides from the device. Refer to the WAN (3G) Backhaul configuration to specify WAN card settings:...
  • Page 180: Overriding The Network Configuration

    Chapter 6: Device Configuration Overriding the Network Configuration Setting a network configuration is a large task comprised of numerous administration activities. Each of the configuration activities described can have an override applied to the original configuration. Applying an override differentiates the device from the profile’s configuration and requires careful administration to ensure this one device still supports the deployment requirements within the network.
  • Page 181 Adoption Overrides NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides. This will remove all overrides from the device. 6 Provide or override the default Domain Name used when resolving DNS names.
  • Page 182: Overriding An Arp Configuration

    Chapter 6: Device Configuration Overriding an ARP Configuration “Overriding the Network Configuration” Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a hardware MAC address. ARP provides protocol rules for making this correlation and providing address conversion in both directions.
  • Page 183: Overriding A Quality Of Service (Qos) Configuration

    Adoption Overrides NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides. This will remove all overrides from the device. 6 Set or override the following parameters to define the ARP configuration: Switch VLAN Interface Use the spinner control to select a VLAN (1 - 4094) for an address requiring...
  • Page 184 Chapter 6: Device Configuration QoS values are required to provide service priority to packets. For example, VoIP packets get higher priority than data packets to provide a better quality of service for high priority voice traffic. The profile QoS screen maps the 6-bit Differentiated Service Code Point (DSCP) code points to the older 3-bit IP Precedence field located in the Type of Service byte of an IP header.
  • Page 185: Overriding A Static Route Configuration

    Adoption Overrides NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides. This will remove all overrides from the device. 6 Set or override the following parameters for the IP DSCP mappings for untagged frames: DSCP Lists the DSCP value as a 6-bit parameter in the header of every IP packet...
  • Page 186: Overriding A Forwarding Database Configuration

    Chapter 6: Device Configuration NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides. This will remove all overrides from the device.
  • Page 187 Adoption Overrides packets through the bridge, the bridge updates its forwarding database with known MAC addresses and their locations on the network. This information is then used to decide to filter or forward the packet. This forwarding database assignment can be overridden as needed, but removes the device configuration from the managed profile that may be shared with other similar device models.
  • Page 188 Chapter 6: Device Configuration NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides. This will remove all overrides from the device.
  • Page 189: Overriding A Bridge Vlan Configuration

    Adoption Overrides is on a different network, it forwards the packet to the segment. If the destination MAC is on the same network segment, the packet is dropped (filtered). 9 Define or override the target VLAN ID if the destination MAC is on a different network segment. 10 Provide an Interface Name used as the target destination interface for the target MAC address.
  • Page 190 Chapter 6: Device Configuration NOTE A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides. This will remove all overrides from the device.
  • Page 191 Adoption Overrides Trust DHCP Responses When DHCP trust is enabled, a green checkmark displays. When disabled, a red “X” displays. When enabled, DHCP packets from a DHCP server are considered trusted and permissible within the network. DHCP packets are used to update the DHCP Snoop Table to prevent IP spoof attacks. 7 Select Add to define a new Bridge VLAN configuration, Edit to modify or override an existing Bridge VLAN configuration or Delete to remove a VLAN configuration.
  • Page 192: Overriding A Miscellaneous Network Configuration

    Chapter 6: Device Configuration NOTE If creating a mesh connection between two access points in Standalone AP mode, Tunnel must be selected as the Bridging Mode to successfully create the mesh link between the two access points. 11 Set or override the following Layer 2 Firewall parameters: Trust ARP Responses Select the radio button to use trusted ARP packets to update the DHCP Snoop Table to prevent IP spoof and ARP cache poisoning attacks.
  • Page 193: Overriding A Security Configuration

    Adoption Overrides Select the Include Hostname in DHCP Request checkbox to include a hostname in a DHCP lease for a requesting device. This feature is disabled by default. 7 Select the DHCP Persistent Lease checkbox to retain the last DHCP lease used across a reboot if the access point’s designated DHCP server is unavailable.
  • Page 194 Chapter 6: Device Configuration A profile can leverage existing firewall, wireless client role and WIPS policies and configurations and apply them to the configuration. This affords a profile a truly unique combination of data protection policies. However, as deployment requirements arise, an individual access point may need some or all of its general security configuration overridden from that applied in the profile.
  • Page 195: Overriding A Certificate Revocation List (Crl) Configuration

    Adoption Overrides Overriding a Certificate Revocation List (CRL) Configuration “Overriding a Security Configuration” A certificate revocation list (CRL) is a list of certificates that have been revoked or are no longer valid. A certificate can be revoked if the certificate authority (CA) had improperly issued a certificate, or if a private-key is compromised.
  • Page 196: Overriding A Profile's Nat Configuration

    Chapter 6: Device Configuration 7 Provide the name of the trustpoint in question within the Trustpoint Name field. The name cannot exceed 32 characters. 8 Enter the resource ensuring the trustpoint’s legitimacy within the URL field. 9 Use the spinner control to specify an interval (in hours) after which the access point copies a CRL file from an external server and associates it with a trustpoint.
  • Page 197 Adoption Overrides The NAT Pool tab displays by default. The NAT Pool screen lists those NAT policies created thus far. Any of these policies can be selected and applied to a profile. 6 Select Add to create a new NAT policy that can be applied to a profile. Select Edit to modify or override the attributes of an existing policy or select Delete to remove obsolete NAT policies from the list of those available to a profile.
  • Page 198 Chapter 6: Device Configuration If adding a new NAT policy or editing the configuration of an existing policy, define the following parameters: Name If adding a new NAT policy, provide a name to help distinguish it from others with similar configurations. The length cannot exceed 64 characters. IP Address Range Define a range of IP addresses hidden from the public Internet.
  • Page 199 Adoption Overrides hides the actual address of the server from users on insecure interfaces. Casual access by unauthorized users becomes much more difficult. Static NAT requires a dedicated address on the outside network for each host. Inside NAT is the default setting. 10 Select the Destination tab to view destination NAT configurations and define how packets passing through the NAT on the way back to the LAN are matched against the records kept by the NAT engine.
  • Page 200 Chapter 6: Device Configuration 12 Set or override the following Destination configuration parameters: Static NAT creates a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network. To share a Web server on a perimeter interface with the Internet, use static address translation to map the actual address to a registered IP address.
  • Page 201 Adoption Overrides 13 Select OK to save the changes or overrides made to the static NAT configuration. Select Reset to revert to the last saved configuration. 14 Select the Dynamic NAT tab. Dynamic NAT configurations translate the IP address of packets going out from one interface to another interface based on configured conditions.
  • Page 202: Overriding A Services Configuration

    Chapter 6: Device Configuration 16 Set or override the following to define the Dynamic NAT configuration: Source List ACL Use the drop-down menu to select an ACL name to define the packet selection criteria for NAT. NAT is applied only on packets which match a rule defined in the access-list.
  • Page 203 Adoption Overrides 1 Select Devices from the Configuration tab. 2 Select a target device from the Device Browser in the lower, left-hand, side of the UI. 3 Select Profile Overrides from the Device menu to expand it into sub menu options. 4 Select Services.
  • Page 204: Overriding A Management Configuration

    Chapter 6: Device Configuration Overriding a Management Configuration There are mechanisms to allow/deny management access to the network for separate interfaces and protocols (HTTP, HTTPS, Telnet, SSH or SNMP). These management access configurations can be applied strategically to profiles as resource permissions dictate for the profile. Additionally, overrides can be applied to customize a device’s management configuration, if deployment requirements change and a device’s configuration must be modified from its original device profile configuration.
  • Page 206 Chapter 6: Device Configuration Refer to the Message Logging field to define how the profile logs system events. It’s important to log individual events to discern an overall pattern that may be negatively impacting performance. Enable Message Logging Select the radio button to enable the profile to log system events to a user defined log file or a syslog server.
  • Page 207 Adoption Overrides Username for SMTP Server Specify the username of the sender on the outgoing SMTP server. Many SMTP servers require users to authenticate with a username and password before sending e-mail through the server. Password for SMTP Server Specify the password associated with the username of the sender on the outgoing SMTP server.
  • Page 208 Chapter 6: Device Configuration 12 Use the parameters within the Automatic Adopted AP Firmware Upgrade field to define an automatic firmware upgrade from a controller based file. Enable Controller Upgrade of AP Firmware Select the access point model to upgrade to a newer firmware version using its associated Virtual Controller AP’s most recent firmware file for that model.
  • Page 209: Overriding An Advanced Configuration

    Adoption Overrides Overriding an Advanced Configuration Refer to the Advanced device settings to set or override a profile’s MiNT and/or NAS configurations. MINT provides the means to secure controller profile communications at the transport layer. Using MINT, a device can be configured to only communicate with other authorized (MINT enabled) devices. Access point managed devices can communicate with each other exclusively over a MINT security domain.
  • Page 210 Chapter 6: Device Configuration Refer to the Area Identifier field to define or override the Level 1 and Level 2 Area IDs used by the profile’s MINT configuration. Level 1 Area ID Select the box to enable a spinner control for setting the Level 1 Area ID between 1 - 4,294,967,295.
  • Page 211 Adoption Overrides The IP tab displays the IP address, Routing Level, Listening Link, Port, Forced Link, Link Cost, Hello Packet Interval and Adjacency Hold Time managed devices use to securely communicate amongst one another. Select Add to create a new Link IP configuration or Edit to override an existing MINT configuration.
  • Page 212 Chapter 6: Device Configuration 13 Set the following Link IP parameters to complete the MINT network address configuration: Define or override the IP address used by peer access points for interoperation when supporting the MINT protocol. Routing Level Use the spinner control to define or override a routing level of either 1 or Listening Link Specify a listening link of either 0 or 1.
  • Page 213 Adoption Overrides Select Add to create a new VLAN link configuration or Edit to override an existing MINT configuration. NOTE If creating a mesh link between two access points in Standalone AP mode, you’ll need to ensure a VLAN is available to provide the necessary MINT link between the two Standalone APs. 15 Set the following VLAN parameters to complete the MINT configuration: VLAN Define a VLAN ID between 1 - 4,094 used by peer controllers for...
  • Page 214: Critical Resources

    Chapter 6: Device Configuration 18 Set a NAS-Identifier Attribute up to 253 characters in length. This is the RADIUS NAS-Identifier attribute that typically identifies where a RADIUS message originates. 19 Set a NAS-Port-Id Attribute up to 253 characters in length. This is the RADIUS NAS port ID attribute which identifies the device port where a RADIUS message originates. 20 Refer to the Turn off LEDs option to disable an adopted access point’s LEDs.
  • Page 215 Critical Resources To define critical resources: 1 Select Devices from the Configuration menu. 2 Select Critical Resources. Ensure the Activate Critical Resources Policy button is selected to enable the parameters within the screen for configuration. This option needs to remain selected to apply the critical resource configuration to the access point profile.
  • Page 216: Managing An Event Policy

    Chapter 6: Device Configuration Ping Mode Set the ping mode used when the availability of a critical resource is validated. Select from: • arp-only – Use only the Address Resolution Protocol (ARP) for pinging the critical resource. ARP is used to resolve hardware addresses when only the network layer address is known.
  • Page 217 Managing an Event Policy Ensure the Activate Event Policy button is selected to enable the screen for configuration. This option needs to remain selected to apply the event policy configuration to the access point profile. 4 Refer to the Select Event Module drop-down menu on the top right-hand side of the screen and select an event module used to track the occurrence of each list event.
  • Page 219: Chapter 7: Wireless Configuration

    Wireless Configuration A Wireless Local Area Network (WLAN) is a data-communications system that flexibly extends the functionality of a wired LAN. A WLAN links two or more computers or devices using spread-spectrum or OFDM modulation based technology.
  • Page 220: Wireless Lans

    Chapter 7: Wireless Configuration Wireless LANs To review the attributes of existing WLANs and, if necessary, modify their configurations: 1 Select Configuration > Wireless > Wireless LANs to display a high-level display of existing WLANs. 2 Refer to the following (read only) information to assess the attributes of each available WLAN: WLAN Displays the name of each WLAN available to the access point.
  • Page 221: Basic Wlan Configuration

    Wireless LANs WLAN Status Lists each WLAN’s status as either Active or Shutdown. A green checkmark defines the WLAN as available to clients on all radios where it has been mapped. A red “X” defines the WLAN as shutdown, meaning even if the WLAN is mapped to radios, it’s not available for clients to associate.
  • Page 222 Chapter 7: Wireless Configuration 3 Refer to the WLAN Configuration field to define the following: WLAN If adding a new WLAN, enter its name in the space provided. Spaces between words are not permitted. The name could be a logical representation of the WLAN coverage area (engineering, marketing etc.).
  • Page 223: Wlan Basic Configuration Deployment Considerations

    Before defining a WLAN’s basic configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective: ● Extreme Networks recommends one VLAN be deployed for secure WLANs, while separate VLANs be defined for each WLAN providing guest access.
  • Page 224 Chapter 7: Wireless Configuration Authentication ensures only known and trusted users or devices access an access point managed WLAN. Authentication is enabled per WLAN to verify the identity of both users and devices. Authentication is a challenge and response procedure for validating user credentials such as username, password and secret-key information.
  • Page 225: 802.1X Eap, Eap Psk And Eap Mac

    Wireless LANs Encryption is essential for WLAN security, as it provides data privacy for traffic forwarded over a WLAN. When the 802.11 specification was introduced, Wired Equivalent Privacy (WEP) was the primary encryption mechanism. WEP has since been interpreted as flawed in many ways, and is not considered an effective standalone scheme for securing a WLAN.
  • Page 226: Mac Authentication

    Before defining an 802.1x EAP, EAP PSK or EAP MAC supported configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective: ● Extreme Networks recommends a valid certificate be issued and installed on devices providing...
  • Page 227: Psk / None

    Wireless LANs technique, as MAC addresses can be easily spoofed by hackers who can mimic a trusted device within the network. MAC authentication is enabled per WLAN, augmented with the use of a RADIUS server to authenticate each device. A device’s MAC address can be authenticated against an access point’s local RADIUS server (if supported) or centrally (from a datacenter).
  • Page 228: Captive Portal

    Chapter 7: Wireless Configuration NOTE Although None implies no authentication, this option is also used when pre-shared keys are used for encryption (thus the /PSK in the description). Captive Portal “Configuring WLAN Security” A captive portal is guest access policy for providing guests temporary and restrictive access to the wireless network.
  • Page 229 Wireless LANs 1 Select Configuration > Wireless > Wireless LANs to display a high-level display of the existing WLANs. 2 Select the Add button to create an additional WLAN or select an existing WLAN and select Edit to modify the properties of an existing WLAN. 3 Select Security.
  • Page 230 Extreme Networks recommends rotating these keys so a potential hacker would not have enough data using a single key to attack the deployed encryption scheme.
  • Page 231: Wpa2-Ccmp

    Wireless LANs WPA-TKIP Deployment Considerations Before defining a WPA-TKIP supported configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective: ● Though TKIP offers better security than WEP, it can be vulnerable to certain attacks....
  • Page 232 AP, and one broadcast key, the common key for clients in that subnet. Extreme Networks recommends rotating these keys so a potential hacker would not have enough data using a single key to attack the deployed encryption scheme.
  • Page 233 Before defining a WPA2-CCMP supported configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective: ● Extreme Networks recommends WPA2-CCMP be configured for all new (non visitor) WLANs requiring encryption, as it’s supported by the majority of the hardware and client vendors using Extreme Networks wireless networking equipment.
  • Page 234: Wep 64

    Chapter 7: Wireless Configuration WEP 64 “Configuring WLAN Security” Wired Equivalent Privacy (WEP) is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard. WEP is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN.
  • Page 235: Wep 128 Keyguard

    WEP is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN. KeyGuard is an Extreme Networks encryption option used with legacy clients capable of supporting it. It closely resembles WEP 128 in key structure.
  • Page 236 Chapter 7: Wireless Configuration wireless data. However, networks that require more security are at risk from a WEP flaw. WEP is only recommended if there are client devices that are incapable of using higher forms of security. The existing 802.11 standard alone offers administrators no effective method to update keys. WEP 128 or Keyguard provide a more robust encryption algorithm than WEP 64 by requiring a longer key length and pass key.
  • Page 237: Configuring Wlan Firewall Support

    Before defining a WEP 128 supported configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective: ● Extreme Networks recommends additional layers of security (beyond WEP) be enabled to minimize the likelihood of data loss and security breaches. WEP enabled WLANs should be mapped to an isolated VLAN with Firewall policies restricting access to hosts and suspicious network applications.
  • Page 238 Chapter 7: Wireless Configuration Keep in mind IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface. To review existing Firewall configurations, create a new Firewall configuration or edit the properties of a WLAN’s existing Firewall: 1 Select Configuration >...
  • Page 239 WEP 128 Keyguard If creating a new rule, provide a name up to 32 characters long. 4 Select the + Add Row button. 5 Select the added row to expand it into configurable parameters. 6 Define the following parameters for either inbound or outbound IP Firewall Rules: Allow Every IP Firewall rule is made up of matching criteria rules.
  • Page 240 Chapter 7: Wireless Configuration Protocol Select the protocol used with the IP access policy from the drop-down menu. IP is selected by default. Selecting ICMP displays an additional set of ICMP specific options for ICMP type and code. Selecting either TCP or UDP displays an additional set of specific TCP/UDP source and destinations port options.
  • Page 241 WEP 128 Keyguard 10 Define the following parameters for either the inbound or outbound MAC Firewall Rules: Allow Every IP Firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria. The following actions are supported: Deny —...
  • Page 242: Configuring Client Settings

    Chapter 7: Wireless Configuration VLAN ID Enter a VLAN ID representative of the shared SSID each user employs to interoperate within the network (once authenticated by the access point’s local RADIUS server). The VLAN ID can be between 1 and 4094. Match 802.1P Configures IP DSCP to 802.1p priority mapping for untagged frames.
  • Page 243 WEP 128 Keyguard Each WLAN can maintain its own client setting configuration. These settings include wireless client inactivity timeouts and broadcast configurations. Altitude 4532 and Altitude 4700 series access points can support up to 256 clients per access point. An Altitude 4511 or Altitude 4521/4522 model can support up to 128 clients per access point.
  • Page 244: Configuring Wlan Accounting Settings

    Chapter 7: Wireless Configuration Wireless Client Idle Time Set the maximum amount of time wireless clients are allowed to be idle within this WLAN. Set the idle time in either Seconds (60 - 86,400), Minutes (1 - 1,440), Hours (0 - 24) or Days (0 - 1). When this setting is exceeded, the client is no longer able to access resources and must re-authenticate.
  • Page 245 WEP 128 Keyguard Accounting can be enabled and applied to managed WLANs, to uniquely log accounting events specific to the WLAN. Accounting logs contain information about the use of remote access services by users. This information is of great assistance in partitioning local versus remote users and how to best accommodate each.
  • Page 246: Accounting Deployment Considerations

    Before defining an AAA configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective: ● When using RADIUS authentication, Extreme Networks recommends the WAN port round trip delay not exceed 150ms. Excessive delay over a WAN can cause authentication and roaming issues.
  • Page 247 WEP 128 Keyguard 4 Set the following Load Balance Settings generic to both the 2.4 and 5 GHz bands: Enforce Client Load Balancing Select the radio button to enforce a client load balance distribution on this WLAN. Altitude 4700 series and Altitude 4532 access points can support 256 clients per access point.
  • Page 248: Configuring Advanced Wlan Settings

    Chapter 7: Wireless Configuration 6 Set the following Load Balancing Settings (5 GHz): Allow Single Band Clients Select this option to enable single band client associations on the 5GHz frequency, even if load balancing is available. The default setting is enabled.
  • Page 249 WEP 128 Keyguard 4 Refer to the Advanced RADIUS Configuration field to set the WLAN’s NAS configuration and RADIUS Dynamic Authorization. NAS Identifier Specify what should be included in the RADIUS NAS-Identifier field for authentication and accounting packets. Configuring a value here is optional, and defaults are used if this is not configured per WLAN.
  • Page 250: Configuring Wlan Qos Policies

    Chapter 7: Wireless Configuration Define both minimum Basic and Supported rates as required for the 802.11b rates, 802.11g rates and 802.11n rates supported by the 2.4 GHz band and 802.11a and 802.11n rates supported by the 5.0 GHz radio band. These are the rates wireless client traffic is supported within this WLAN. If supporting 802.11n, select a Supported MCS index.
  • Page 251 Configuring WLAN QoS Policies Voice and Data. Packets within each category are processed based on the weights defined for each WLAN. The Quality of Service screen displays a list of QoS policies available to WLANs. Each QoS policy has its own radio button that can be selected to edit its properties. If none of the existing QoS policies supports an ideal QoS configuration for the intended data traffic of this WLAN, select the Add button to create a new policy.
  • Page 252 Chapter 7: Wireless Configuration Wireless Client Classification: Lists each policy’s Wireless Client Classification as defined for this WLAN's intended traffic. The Classification Categories are the different WLAN-WMM options available to a radio. Classification types include: WMM – Implies WiFi Multimedia QoS extensions are enabled on this radio.
  • Page 253: Configuring A Wlan's Qos Wmm Settings

    Configuring WLAN QoS Policies Configuring a WLAN’s QoS WMM Settings Using WMM, end-user satisfaction is maintained in a wider variety of environments and traffic conditions. WMM makes it possible for both home networks and Enterprises to decide which data streams are most important and assign them a higher priority. WMM’s prioritization capabilities are based on the four access categories.
  • Page 254 Chapter 7: Wireless Configuration 3 Configure the following settings in respect to the WLAN’s intended WMM radio traffic and user requirements: Wireless Client Classification: Use the drop-down menu to select the Wireless Client Classification for this WLAN's intended traffic. The Classification Categories are the different WLAN-WMM options available to the radio.
  • Page 255 Configuring WLAN QoS Policies Non-Unicast Classifications: Use this drop-down menu to define how traffic matching multicast masks is classified relative to prioritization on the radio. Options include Video, Voice, Normal, Low and Default. The default setting is Normal. Enable Voice: Select this option if Voice traffic is prioritized on the WLAN.
  • Page 256: Configuring A Wlan's Qos Rate Limit Settings

    Chapter 7: Wireless Configuration ECW Max: The ECW Max is combined with the ECW Min to create the contention value in the form of a numerical range. From this range, a random number is selected for the back-off mechanism. Lower values are used for higher priority traffic.
  • Page 257 (downstream). Altitude 4511 and Altitude 4521 access points do not support rate limiting on an individual client basis. Before defining rate limit thresholds for WLAN upstream and downstream traffic, Extreme Networks recommends you define the normal number of ARP, broadcast, multicast and unknown unicast packets that typically transmit and receive from each supported WMM access category.
  • Page 258 Chapter 7: Wireless Configuration 4 Configure the following parameters in respect to the intended Upstream Rate Limit for the selected WLAN. Enable Select the Enable radio button to enable rate limiting for data transmitted from access point radios to associated clients. Enabling this option does not invoke rate limiting for data traffic in the downstream direction.
  • Page 259 Configuring WLAN QoS Policies 5 Set the following Upstream Random Early Detection Threshold settings for each access category. An early random drop is conducted when the amount of tokens for a traffic stream falls below the set threshold for the selected WLAN. Background Traffic Set a percentage value for WLAN background traffic in the upstream direction.
  • Page 260 Chapter 7: Wireless Configuration 7 Set the following Downstream Random Early Detection Threshold settings for each access category. An early random drop is conducted when the amount of tokens for a traffic stream falls below the set threshold for the selected WLAN. Background Traffic Set a percentage value for WLAN background traffic in the downstream direction.
  • Page 261 Configuring WLAN QoS Policies 9 Set the following Upstream Random Early Detection Threshold settings for each access category. An early random drop is conducted when the amount of tokens for a traffic stream falls below the set threshold for wireless client traffic. Background Traffic Set a percentage value for WLAN background traffic in the upstream direction.
  • Page 262 Chapter 7: Wireless Configuration 11 Set the following Downstream Random Early Detection Threshold settings for each access category. An early random drop is conducted when the amount of tokens for a traffic stream falls below the set threshold for wireless client traffic. Background Traffic Set a percentage value for WLAN background traffic in the downstream direction.
  • Page 263 Configuring WLAN QoS Policies 13 Configure the following parameters in respect to the intended Multicast Mask: Multicast Mask Primary: Configure the primary multicast mask defined for a QoS policy. Normally, all multicast and broadcast packets are buffered until the periodic DTIM interval (indicated in the 802.11 beacon frame), when clients in power save mode awake to check for frames.
  • Page 264: Radio Qos Policy

    QoS policy’s intended wireless client base. Extreme Networks Access Point radios and wireless clients support several Quality of Service (QoS) techniques enabling real-time applications (such as voice and video) to co-exist simultaneously with lower priority background applications (such as Web, Email and file transfers).
  • Page 265: Configuring A Radio's Qos Policy

    Radio QoS Policy access point. U-APSD reduces the amount of signaling frames sent from a client to retrieve buffered data from an access point. U-APSD also allows access points to deliver buffered data frames as bursts, without backing-off between data frames. These improvements are useful for voice clients, as they improve battery life and call quality.
  • Page 266 Chapter 7: Wireless Configuration 1 Select Configuration > Wireless > Radio QoS Policy. 2 Refer to the following information for a radio QoS policy: Radio QoS Policy Displays the name of each Radio QoS policy. This is the name set for each listed policy when it was created and cannot be modified as part of the policy edit process.
  • Page 267 Radio QoS Policy The Radio QoS Policy screen displays the WMM tab by default. Use the WMM tab to define the access category configuration (CWMin, CWMax, AIFSN and TXOP values) in respect to the type of wireless data planned for this new or updated radio QoS policy. 4 Set the following Voice Access settings for the Radio QoS policy: Transmit Ops Use the slider to set the maximum duration a device can transmit after...
  • Page 268 Chapter 7: Wireless Configuration 5 Set the following Normal (Best Effort) Access settings for the radio QoS policy: Transmit Ops Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity. For higher-priority traffic categories, this value should be set to a low number.
  • Page 269 Radio QoS Policy 8 Select OK when completed to update the radio QoS settings for this policy. Select Reset to revert the WMM screen back to its last saved configuration. 9 Select the Admission Control tab to configure an admission control configuration for selected radio QoS policy.
  • Page 270 Chapter 7: Wireless Configuration Maximum Wireless Clients: Set the number of voice supported wireless clients allowed to exist (and consume bandwidth) within the radio’s QoS policy. Select from an available range of 0-256 clients. Consider setting this value proportionally to the number of other QoS policies supporting the voice access category, as wireless clients supporting voice use a greater proportion of resources than lower bandwidth traffic (like low and best effort categories).
  • Page 271 Radio QoS Policy Maximum Wireless Clients: Set the number of video supported wireless clients allowed to exist (and consume bandwidth) within the radio’s QoS policy. Select from an available range of 0-256 clients. Consider setting this value proportionally to the number of other QoS policies supporting the video access category, as wireless clients supporting video use a greater proportion of resources than lower bandwidth traffic (like low and best effort categories).
  • Page 272: Radio Qos Configuration And Deployment Considerations

    Chapter 7: Wireless Configuration 17 Set the following Accelerated Multicast settings: Maximum number of wireless clients allowed: Specify the maximum number of wireless clients (between 0 and 256) allowed to use accelerated multicast. The default value is 25. When wireless client count exceeds the...: When the wireless client count using accelerated multicast exceeds the maximum number, set the radio to either Reject new wireless clients or to...
  • Page 273: Aaa Policy

    ● WMM enabled clients can co-exist with non-WMM clients on the same WLAN. Non-WMM clients are always assigned a Best Effort access category. ● Extreme Networks recommends default WMM values be used for all deployments. Changing these values can lead to unexpected traffic blockages, and the blockages might be difficult to diagnose.
  • Page 274 Chapter 7: Wireless Configuration To define unique WLAN AAA configurations: 1 Select Configuration > Wireless > AAA Policy to display existing AAA policies. The Authentication, Authorization, and Accounting (AAA) screen lists those AAA policies created thus far. Any of these policies can be selected and applied to the access point. 2 Refer to the following information listed for each existing AAA policy: AAA Policy Displays the name assigned to the AAA policy when it was initially...
  • Page 275 AAA Policy 4 Refer to the following information about configured AAA Authentication policies. Server ID Displays the numerical server index (1-6) for the accounting server when added to the list available to the access point. Host Displays the IP address or hostname of the RADIUS authentication server.
  • Page 276 Chapter 7: Wireless Configuration NAI Routing Enable Displays NAI routing status. AAA servers identify clients using the NAI. The NAI is a character string in the format of an e-mail address as either user or user@ but it need not be a valid e-mail address or a fully qualified domain name.
  • Page 277 AAA Policy 6 Define the following settings to add or modify new AAA RADIUS authentication server configuration: Server ID Define the numerical server index (1-6) for the authentication server to differentiate it from others available to the access point’s AAA policy. Host Specify the IP address or hostname of the RADIUS authentication server.
  • Page 278 Chapter 7: Wireless Configuration Server ID Displays the numerical server index (1-6) for the accounting server when added to the list available to the access point. Host Displays the IP address or hostname of the RADIUS authentication server. Port Displays the port on which the RADIUS server listens to traffic within the access point managed network.
  • Page 279 AAA Policy NAI Routing Enable Displays the NAI routing status. AAA servers identify clients using the NAI. The NAI is a character string in the format of an e-mail address as either user or user@ but it need not be a valid e-mail address or a fully qualified domain name.
  • Page 280 Chapter 7: Wireless Configuration Host Specify the IP address or hostname of the RADIUS authentication server. Port Define or edit the port on which the RADIUS server listens to traffic within the access point managed network. The port range is 1 to 65,535. The default port is 1813.
  • Page 281 AAA Policy Protocol for MAC, Captive-Portal Authentication: The authentication protocol, Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP), used when the server is used for any non-EAP authentication. PAP is the default setting.
  • Page 282: Association Acl

    Chapter 7: Wireless Configuration Accounting Packet Type: Set the type of RADIUS Accounting Request packets generated. Options include Stop Only, Start/Stop, Start/Interim/Stop. Start/Stop is the default setting. Request Interval: Set the periodicity of the interim accounting requests. The default is 30 minutes.
  • Page 283 Association ACL To define an Association ACL deployable with a WLAN: 1 Select Configuration > Wireless > Association ACL to display existing Association ACLs. The Association Access Control List (ACL) screen lists those Association ACL policies created thus far. Any of these policies can be selected and applied. 2 Select Add to define a new ACL configuration, Edit to modify an existing ACL configuration or Delete to remove an existing one.
  • Page 284: Association Acl Deployment Considerations

    Before defining an Association ACL configuration and applying it to a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective: ● Extreme Networks recommends using the Association ACL screen strategically to name and configure ACL policies meeting the requirements of the particular WLANs they may map to.
  • Page 285 Smart RF Policy performance and site coverage during dynamic RF environment changes, which typically require manual reconfiguration to resolve. NOTE RF planning must be performed to ensure overlapping coverage exists at a deployment site for Smart RF to be a viable network performance tool. Smart RF can only provide recovery when access points are deployed appropriately.
  • Page 286 Chapter 7: Wireless Configuration 3 Refer to the Basic Settings field to enable a Smart RF policy and define its sensitivity and detector status. Sensitivity: Select a radio button corresponding to the desired Smart RF sensitivity. Options include Low, Medium, High and Custom. Medium is the default setting.
  • Page 287 Smart RF Policy 7 Refer to the Power Settings field to define Smart RF recovery settings for the access point’s 5.0 GHz (802.11a) and 2.4 GHz (802.11bg) radio. 5.0 GHz Minimum Use the spinner control to select a 1 - 20 dBm minimum power level for Smart RF to assign to a radio in the 5 GHz band.
  • Page 288 Chapter 7: Wireless Configuration 5.0 Channel Width 20 and 40 MHz channel widths are supported by the 802.11a radio. 20/ 40 MHz operation (the default setting for the 5 GHz radio) allows the access point to receive packets from clients using 20 MHz of bandwidth while transmitting a packet using 40 MHz bandwidth.
  • Page 289 Smart RF Policy NOTE The monitoring and scanning parameters within the Scanning Configuration screen are only enabled when Custom is selected as the Sensitivity setting from the Basic Configuration screen. 11 Enable or disable Smart Monitoring Enable by selecting the check box. The feature is enabled by default.
  • Page 290 Chapter 7: Wireless Configuration When enabled, detector radios monitor their coverage areas for potential failed peers or coverage area holes requiring transmission adjustments for coverage compensation. 12 Set the following Scanning Configurations for both the 2.4 and 5 GHz radio bands: Duration Set a channel scan duration (between 20 - 150 milliseconds) access point radios use to monitor devices within the network and, if necessary,...
  • Page 291 Smart RF Policy Power Hold Time: Defines the minimum time between two radio power changes during neighbor recovery. Set the time in either Seconds (0 - 3,600), Minutes (0 - 60) or Hours (0 - 1). The default setting is 0 seconds. Channel Hold Time: Defines the minimum time between channel changes during neighbor recovery.
  • Page 292 Chapter 7: Wireless Configuration 17 Set the following Dynamic Sample Recovery parameters: Dynamic Sample Enabled: Select this option to enable dynamic sampling. Dynamic sampling enables an administrator to define how Smart RF adjustments are triggered by locking retry and threshold values. This setting is disabled by default.
  • Page 293 Smart RF Policy 5.0 GHz Channel Switch Delta: Use the spinner to set a channel switch delta (between 5 - 35 dBm) for the 5.0 GHz radio. This parameter is the difference between noise levels on the current channel and a prospective channel. If the difference is below the configured threshold, the channel will not change.
  • Page 294: Smart Rf Configuration And Deployment Considerations

    Chapter 7: Wireless Configuration Coverage Interval: Define the interval after which coverage hole recovery should be initiated once a coverage hole is detected. The default is 10 seconds for both the 2.4 and 5.0 GHz radios. Interval: Define the interval at which coverage hole recovery should be conducted after a coverage hole is detected.
  • Page 295: Chapter 8: Security Configuration

    Firewall is of little value, and in fact could provide a false sense of security. With Extreme Networks access points, Firewalls are configured to protect against unauthenticated logins from outside the wireless network. This helps prevent hackers from accessing wireless clients within the access point managed network.
  • Page 296: Defining A Firewall Configuration

    Chapter 8: Security Configuration Rules comprise conditions and actions. A condition describes a packet traffic stream. Define constraints on the source and destination device, the service (for example, protocols and ports), and the incoming interface. An action describes what should occur to packets matching set conditions. For example, if the packet stream meets all conditions, traffic is permitted, authenticated and sent to the destination device.
  • Page 297 Wireless Firewall concerted effort of one or more persons attempting to prevent a device, site or service from functioning temporarily or indefinitely. Most DoS attacks involve saturating the target device with external communications requests so it cannot respond to legitimate traffic or respond so slowly the device becomes unavailable in respect to its defined data rate.
  • Page 298 Chapter 8: Security Configuration TCP IP TTL Zero: The TCP IP TTL Zero DoS attack sends spoofed multicast packets onto the network which have a Time To Live (TTL) of 0. This causes packets to loop back to the spoofed originating machine, and can cause the network to overload.
  • Page 299 Wireless Firewall TCP Intercept: A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a Web site, accessing e-mail, using FTP service, and so on. The TCP intercept feature helps prevent SYN-flooding attacks by...
  • Page 300 Chapter 8: Security Configuration 5 Select OK to update the Denial of Service settings. Select Reset to revert to the last saved configuration. The Firewall policy can be invoked at any point in the configuration process by selecting Activate Firewall Policy from the upper, left-hand side, of the access point user interface. 6 Select the Storm Control tab.
  • Page 301 Wireless Firewall 8 Refer to the Storm Control Settings field to set the following: Traffic Type: Use the drop-down menu to define the traffic type for which the Storm Control configuration applies. Options include ARP, Broadcast, Multicast and Unicast. Interface Type: Use the drop-down menu to define the interface for which the Storm Control configuration is applied.
  • Page 302 Chapter 8: Security Configuration 14 Refer to the Enable Firewall radio buttons to define the Firewall as either Enabled or Disabled. The Firewall is enabled by default. If disabling the Firewall, a confirmation prompt displays stating NAT, wireless hotspot, proxy ARP, deny-static-wireless-client and deny-wireless-client sending not permitted traffic excessively will be disabled.
  • Page 303 Wireless Firewall IPMAC Routing Conflict Enable: Select this option to enable IPMAC Routing Conflict detection. This is also known as a Hole-196 attack in the network. This feature helps to detect if the client is sending routed packets to the correct MAC address. Select to enable logging for IPMAC Routing Conflict detection.
  • Page 304: Configuring Ip Firewall Rules

    Chapter 8: Security Configuration 19 Select the Enable Stateful DHCP Checks radio button to enable the stateful checks of DHCP packet traffic through the Firewall. The default setting is enabled. When enabled, all DHCP traffic flows are inspected. 20 Define Flow Timeout intervals for the following flow types impacting the Firewall: TCP Close Wait: Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9).
  • Page 305 Wireless Firewall IP based Firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned. Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying an IP ACL. NOTE: Once defined, a set of IP Firewall rules must be applied to an interface to be a functional filtering tool.
  • Page 306 Chapter 8: Security Configuration 4 If adding a new rule, enter a name up to 32 characters in length. 5 Define the following parameters for the IP Firewall Rule: Allow: Every IP Firewall rule is made up of matching criteria rules. The action defines what to do with a packet if it matches the specified criteria.
  • Page 307: Configuring Mac Firewall Rules

    Wireless Firewall Description: Provide a description to help differentiate it from others with similar configurations. 6 Select + Add Row as needed to add additional IP Firewall Rule configurations. Select the - Delete Row icon as required to remove selected IP Firewall Rules. 7 Select OK when completed to update the IP Firewall rules.
  • Page 308 Chapter 8: Security Configuration 2 Select + Add Row to create a new MAC Firewall Rule. Select an existing policy and click Edit to modify the attributes of the rule’s configuration. 3 Select the added row to expand it into configurable parameters for defining the MAC based Firewall rule.
  • Page 309: Wireless Ips (Wips)

    Wireless IPS (WIPS) VLAN ID: Enter a VLAN ID representative of the shared SSID each user employs to interoperate within the network (once authenticated by the RADIUS server). The VLAN ID can be between 1 and 4094. Match 802.1P: Configures IP DSCP to 802.1p priority mapping for untagged frames. Use the spinner control to define a setting between 0-7.
  • Page 310 Chapter 8: Security Configuration ● Locationing - Administrators can define the location of wireless clients as they move throughout a site. This allows for the removal of potential rogues through the identification and removal of their connected Access Points. ● WEP Cloaking - WEP Cloaking protects organizations using the Wired Equivalent Privacy (WEP)...
  • Page 311 Wireless IPS (WIPS) Wait Time to Determine AP Status: Define a wait time in either Seconds (10 - 600) or Minutes (0 - 10) before a detected AP is interpreted as a rogue (unsanctioned) device, and potentially removed. The default interval is 1 minute. Set the interval the WIPS policy uses to age out rogue devices.
  • Page 312 Chapter 8: Security Configuration Filter Expiration: Set the duration an event-generating client is filtered. This creates a special ACL entry, and frames coming from the client are dropped. The default setting is 0 seconds. This value is applicable across the RF Domain. If a station is detected performing an attack and is filtered by an access point, the information is passed to the domain controller.
  • Page 313 Wireless IPS (WIPS) Enable: Displays whether tracking is enabled for each MU Anomaly event. Use the drop-down menu to enable/disable events as required. A green checkmark defines the event as enabled for tracking against its threshold. A red “X” defines the event as disabled, and not tracked by the WIPS policy.
  • Page 314 Chapter 8: Security Configuration 14 Enable or disable the following AP Anomaly Events: Name: Displays the name of each AP Anomaly event. This column lists the event tracked against the defined thresholds set for interpreting the event as excessive or permitted. Displays whether tracking is enabled for each AP Anomaly event.
  • Page 315 Wireless IPS (WIPS) Destination MAC: Displays each destination MAC address of the packet examined for matching purposes. Frame Type to Match: Lists the frame types specified for matching with the WIPS signature. Match on SSID: Lists each SSID used for matching purposes. 17 Select Add to create a new WIPS signature, Edit to modify the attributes of a selected WIPS signature or Delete to remove obsolete signatures from the list of those available.
  • Page 316: Device Categorization

    Chapter 8: Security Configuration Radio Threshold: Specify the threshold limit per radio that, when exceeded, signals the event. The configurable range is from 1 - 65,535. 21 Set a Filter Expiration between 1 - 86,400 seconds that specifies the duration a client is excluded from radio association when responsible for triggering a WIPS event.
  • Page 317 Device Categorization 1 Select Configuration > Security > Device Categorization. The Device Categorization screen lists the device authorizations defined thus far. 2 Select Add to create a new Device Categorization policy, Edit to modify the attributes of a selected policy or Delete to remove obsolete policies from the list of those available.
  • Page 318 Chapter 8: Security Configuration 3 If creating a new Device Categorization filter, provide it a Name (up to 32 characters). Select OK to save the name and enable the remaining device categorization parameters. 4 Select + Add Row to populate the Marked Devices field with parameters for classifying an access point or client and defining the target device’s MAC address and SSID.
  • Page 319: Wireless Client Roles

    Wireless Client Roles Define wireless client roles to filter clients from access point interoperation based on matching policies. Matching policies (much like ACLs) are sequential collections of permit and deny conditions that apply to packets received from connected clients. When a packet is received from a client, its associated access point compares the fields in the packet against applied matching policy rules to verify the packet has the required permissions to be forwarded, based on the criteria specified.
  • Page 320 Chapter 8: Security Configuration 3 Select Add to create a new wireless client role, Edit to modify the attributes of a selected role or Delete to remove obsolete roles from the list of those available. The Role Policy Roles screen displays with the Settings tab displayed by default. 4 If creating a new role, assign it a name to help differentiate it from others that may have a similar configuration.
  • Page 321 Wireless Client Roles SSID Configuration: Use the drop-down menu to define a wireless client filter option based on how the SSID is specified in a WLAN. Select one of the following options: Exact - The role is only applied when the exact SSID string is specified in the role.
  • Page 322 Chapter 8: Security Configuration A Firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary information within the access point managed network. The means by which this is accomplished varies, but in principle, a Firewall can be thought of as a mechanism both blocking and permitting data traffic based on inbound and outbound IP and MAC rules.
  • Page 323 Wireless Client Roles If no IP Inbound or Outbound rules exist meeting the required Firewall filtering criteria, select the Create icon to set the inbound or outbound rule criteria. Select the + Add Row button or Delete icon as needed to add or remove IP Firewall rules. Define the following parameters to create a new Inbound or Outbound IP Firewall rule: IP Firewall Rules: If creating a new IP Firewall rule, assign it a name (up to 32 characters)...
  • Page 324 Chapter 8: Security Configuration Protocol: Select the IP, ICMP, TCP or UDP protocol used with the IP access policy. IP is selected by default. Selecting ICMP displays an additional set of ICMP specific options to set the ICMP Type and Code. Selecting either TCP or UDP displays an additional set of specific TCP/UDP source and destination port options.
  • Page 325 Wireless Client Roles MAC Firewall Rules: If creating a new MAC Firewall rule, assign it a name (up to 32 characters) to help differentiate it from others that may have similar configurations. Allow: Every MAC Firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria.
  • Page 326: Security Deployment Considerations

    Chapter 8: Security Configuration Action: The following actions are supported: Log—Logs an event when this rule is applied to a client’s association attempt. Mark—Modifies certain fields inside the packet and then permits them. Therefore, mark is an action with an implicit permit. - VLAN 802.1p priority.
  • Page 327 Is the detected access point properly configured according to your organization’s security policies? ● Extreme Networks recommends trusted and known access points be added to a sanctioned AP list. This will minimize the number of unsanctioned AP alarms received.
  • Page 329: Chapter 9: Services Configuration

    Services Configuration The software supports services providing captive portal (guest) access, leased DHCP IP address assignments to requesting clients and local access point RADIUS client authentication. For more information, refer to the following: ● Configuring Captive Portal Policies on page 329...
  • Page 330 Chapter 9: Services Configuration 1 Select Configuration > Services. The upper, left-hand side of the user interface displays an area where Captive Portal, DNS Whitelist and DHCP Server Policy configuration options can be selected. 2 Select Captive Portals. The Captive Portal screen displays the configurations of existing policies. New captive portal guest access policies can be created, existing policies can be modified or existing policies deleted.
  • Page 331 Configuring Captive Portal Policies AAA Policy: Lists each AAA policy used to authorize client guest access requests. The security provisions provide a way to configure advanced AAA policies that can be applied to captive portal policies supporting authentication. When a captive portal policy is created or modified, an AAA policy must be defined and applied to authorize, authenticate and account user requests.
  • Page 333 Connection Mode: Select either the HTTP or HTTPS radio button to define the connection medium. Extreme Networks recommends the use of HTTPS, as it offers additional data protection HTTP cannot provide. The default value, however, is HTTP. Select the checkbox and use the spinner control to set between 1-8192...
  • Page 334 Chapter 9: Services Configuration Terms and Conditions page: Select this option (with any access type) to include terms that must be adhered to for captive portal access. These terms are included in the Terms and Conditions page when No authentication required is selected as the access type, otherwise the terms appear in the Login page.
  • Page 335 Configuring Captive Portal Policies b Provide a numerical IP address or Hostname within the DNS Entry parameter for each destination IP address or host in the Whitelist. c Use the Match Suffix parameter to match any hostname or domain name as a suffix. The default setting is disabled.
  • Page 336 Chapter 9: Services Configuration The Login screen prompts for a username and password to access the captive portal and proceed to either the Terms and Conditions page (if used) or the Welcome page. The Terms and Conditions page provides conditions that must be agreed to before wireless client guest access is provided for the captive portal policy.
  • Page 337 Configuring Captive Portal Policies Title Text: Set the title text displayed on the Login, Terms and Conditions, Welcome and Fail pages when wireless clients access each page. The text should be in the form of a page title describing the respective function of each page and should be unique to each login, terms, welcome and fail function.
  • Page 338 Chapter 9: Services Configuration 16 Set the following URL destinations for externally hosted captive portal pages: Login URL: Define the complete URL for the location of the Login page. The Login screen prompts the user for a username and password to access the Terms and Conditions or Welcome page.
  • Page 339: Setting The Whitelist Configuration

    Setting the Whitelist Configuration A DNS whitelist is used in conjunction with a captive portal to provide hotspot services to wireless clients. Use the DNS Whitelist parameter to create the set of destination IP addresses and hostnames that clients may reach from within the captive portal before they authenticate.
  • Page 340: Setting The Dhcp Server Configuration

    Chapter 9: Services Configuration b Provide a numerical IP address or Hostname within the DNS Entry parameter for each destination IP address or host in the Whitelist. c Use the Match Suffix parameter to match any hostname or domain name as a suffix. The default setting is disabled.
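The whitelist lookup described in the two steps above (a DNS Entry that is either an IP address or a hostname, plus the Match Suffix flag), written out as an added example; this is not code from the Extreme Networks guide and the list structure, the entry values and the label-boundary rule for suffix matches are this example's assumptions. The security point it makes is that a suffix match must be anchored at a DNS label boundary: a naive "ends with" test on `example.com` would also admit `notexample.com`, which a guest could register to bypass the portal.

```python
import ipaddress

# Constructed whitelist for this example. "entry" holds the DNS Entry value
# (an IP address or hostname) and "match_suffix" the Match Suffix flag from
# the screens above; the dictionary layout itself is ours, not the device's.
WHITELIST = [
    {"entry": "203.0.113.10", "match_suffix": False},
    {"entry": "portal.example.net", "match_suffix": False},
    {"entry": "example.com", "match_suffix": True},
]


def _normalize_host(name):
    """Lower-case and strip a trailing dot so 'WWW.Example.COM.' compares equal."""
    return name.strip().rstrip(".").lower()


def _as_ip(text):
    """Return an ip_address object, or None when the text is not a literal IP."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_whitelisted(destination, whitelist=WHITELIST):
    """Return True if a pre-authentication client may reach this destination.

    Suffix matches are anchored on a label boundary: an entry of "example.com"
    with Match Suffix enabled admits "example.com" and "www.example.com" but
    not "notexample.com" or "example.com.evil.org". Whether the access point
    anchors its own suffix match this way is not stated in the guide; this is
    the behaviour to verify on the device before relying on it.
    """
    dest = _normalize_host(destination)
    dest_ip = _as_ip(dest)

    for rule in whitelist:
        entry = _normalize_host(rule["entry"])
        entry_ip = _as_ip(entry)

        if entry_ip is not None:
            # An IP entry only ever matches the identical IP; it says nothing
            # about hostnames that might resolve to it.
            if dest_ip is not None and dest_ip == entry_ip:
                return True
            continue

        if dest_ip is not None:
            continue  # hostname entries never match a raw IP destination

        if dest == entry:
            return True
        if rule["match_suffix"] and dest.endswith("." + entry):
            return True
    return False
```

When testing a real deployment, probe the boundary cases from a guest device: `notexample.com` and `example.com.attacker.tld` should still be redirected to the portal even when `example.com` is whitelisted with Match Suffix enabled.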
  • Page 341 Setting the DHCP Server Configuration the vendor and functionality of a DHCP client. The information is a variable-length string of characters (or octets) that has a meaning specified by the vendor of the DHCP client. To define the parameters of a DHCP pool: 1 Select Configuration >...
  • Page 342 Chapter 9: Services Configuration 4 Select Add to create a new DHCP pool, Edit to modify an existing pool or Delete to remove a pool. If adding or editing a DHCP pool, the DHCP Pool screen displays the Basic Settings tab by default. Define the required parameters for the Basic Settings, Static Bindings and Advanced tabs to complete the creation of a DHCP pool.
  • Page 343 Setting the DHCP Server Configuration Default Routers: After a DHCP client has booted, it sends traffic destined for other networks to its default router. Set the IP address of one or more routers to be handed to DHCP clients in this pool as their default gateway. Up to 8 default router IP addresses are supported.
  • Page 344 Chapter 9: Services Configuration 8 Review existing DHCP pool static bindings to determine if a static binding can be used as is, a new one requires creation or edit, or if one requires deletion: Client Identifier Type: Lists whether the reporting client is using a Hardware Address or Client Identifier as its identifier type.
  • Page 345 Setting the DHCP Server Configuration 10 Define the following General parameters required to complete the creation of the static binding configuration: Client Identifier Type: Use the drop-down menu to select whether the DHCP client is using a Hardware Address or Client Identifier as its identifier type with a DHCP server. Value: Provide a hardware address or client identifier value to help differentiate the client from other client identifiers.
  • Page 346 Chapter 9: Services Configuration Enable Unicast: Unicast packets are sent from one location to another location (there is just one sender and one receiver). Select this option to forward unicast messages to just a single device within this network pool. 11 Define the following NetBIOS parameters required to complete the creation of the static binding configuration: Set the NetBIOS Node Type used with this particular pool.
  • Page 347 Setting the DHCP Server Configuration 17 The addition or edit of the network pool's advanced settings requires the following General parameters be set: Boot File: Enter the name of the boot file used with this pool. Boot files (BOOTP, the Bootstrap Protocol) can be used to boot remote systems over the network. BOOTP messages are encapsulated inside UDP messages so requests and replies can be forwarded.
  • Page 348: Defining Dhcp Server Global Settings

    Chapter 9: Services Configuration 19 Refer to the DHCP Option Values table to set global DHCP options applicable to all clients, whereas a set of subnet options applies to just the clients on a specified subnet. a Select the + Add Row button to add individual options. Assign each a Global DHCP Option Name to help differentiate it from others with similar configurations.
  • Page 349 Setting the DHCP Server Configuration 1 Select the Global Settings tab and ensure the Activate DHCP Server Policy button remains selected. This option must remain selected to implement the configuration as part of the access point profile. 2 Set the following parameters within the Configuration field: Select the checkbox to ignore BOOTP requests.
  • Page 350: Dhcp Class Policy Configuration

    Chapter 9: Services Configuration DHCP Class Policy Configuration The DHCP server assigns IP addresses to DHCP enabled wireless clients based on user class option names. Clients with a defined set of user class option names are identified by their user class name. The DHCP server can assign IP addresses from as many IP address ranges as defined by the administrator.
  • Page 351: Setting The Radius Configuration

    Setting the RADIUS Configuration 3 If adding a new DHCP Class Name, assign a name representative of the device class supported. The DHCP user class name should not exceed 32 characters. 4 Select a row within the Value column to enter a 32 character maximum value string. 5 Select the Multiple User Class radio button to enable multiple option values for the user class.
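The allocation logic that the Static Bindings steps (pages 344-346) and the DHCP Class Policy section above describe, as one added example that is not the access point's own code: a client with a static binding keyed by hardware address or client identifier always receives its fixed address, a client that repeats a request gets its existing lease back, and otherwise the address comes from the range whose user class name matches the class the client sent. The pool definition, the fallback of an undefined user class to the class-less range, and the dictionary layout are this example's assumptions.

```python
import ipaddress

# Constructed DHCP pool for illustration. The parameter names (network,
# default routers, static bindings keyed by hardware address or client
# identifier, user-class address ranges) follow the screens described
# above; the dictionary layout and the allocation order are this example's.
POOL = {
    "network": "192.0.2.0/24",
    "default_routers": ["192.0.2.1"],
    "excluded": {"192.0.2.1"},
    "ranges": [
        # user_class None is the range for clients that send no defined class
        {"user_class": None, "start": "192.0.2.100", "end": "192.0.2.110"},
        {"user_class": "printer", "start": "192.0.2.200", "end": "192.0.2.205"},
    ],
    "static_bindings": [
        {"id_type": "hardware", "value": "00:11:22:33:44:55", "ip": "192.0.2.50"},
        {"id_type": "client", "value": "voip-phone-07", "ip": "192.0.2.51"},
    ],
}


def _norm_mac(mac):
    """Treat 00-11-22-33-44-55, 00:11:22:33:44:55 and upper case as one MAC."""
    return mac.lower().replace("-", ":")


def find_static_binding(pool, hw_addr=None, client_id=None):
    """Return the fixed address for a client, or None if it has no binding."""
    for b in pool["static_bindings"]:
        if b["id_type"] == "hardware" and hw_addr and _norm_mac(b["value"]) == _norm_mac(hw_addr):
            return b["ip"]
        if b["id_type"] == "client" and client_id and b["value"] == client_id:
            return b["ip"]
    return None


def _iter_range(rng):
    ip = ipaddress.ip_address(rng["start"])
    end = ipaddress.ip_address(rng["end"])
    while ip <= end:
        yield str(ip)
        ip += 1


def allocate(pool, leases, hw_addr=None, client_id=None, user_class=None):
    """Pick the address a DHCPOFFER would carry and record it in `leases`.

    Precedence: static binding (by hardware address or client identifier),
    then an existing lease for the same client, then the first free address
    in the range whose user class matches. A class the pool does not define
    falls back to the class-less range. Returns None when nothing is free.
    """
    fixed = find_static_binding(pool, hw_addr, client_id)
    if fixed:
        return fixed

    key = _norm_mac(hw_addr) if hw_addr else client_id
    if key in leases:
        return leases[key]

    net = ipaddress.ip_network(pool["network"])
    reserved = set(pool["excluded"]) | {b["ip"] for b in pool["static_bindings"]}
    in_use = reserved | set(leases.values())

    defined_classes = {r["user_class"] for r in pool["ranges"]}
    wanted = user_class if user_class in defined_classes else None
    for rng in pool["ranges"]:
        if rng["user_class"] != wanted:
            continue
        for candidate in _iter_range(rng):
            if ipaddress.ip_address(candidate) in net and candidate not in in_use:
                leases[key] = candidate
                return candidate
    return None
```

Note that the user class (DHCP option 77) is supplied by the client and is not authenticated, so a class-based range separates devices for convenience, not as a security boundary; only the static binding by hardware address or client identifier pins a particular device to an address, and even that is only as trustworthy as the MAC the client presents.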
  • Page 352: Creating Radius Groups

    Chapter 9: Services Configuration The access point's local RADIUS server stores the user database locally, and can optionally use a remote user database. It provides higher accounting performance, allows the configuration of multiple users, and lets policies be assigned for group authorization. Altitude 4532 and Altitude 4700 series access points have an internal RADIUS server resource.
  • Page 353 Setting the RADIUS Configuration 3 Review the following read-only information for existing groups to determine if a new group requires creation or an existing group requires modification: RADIUS Group: Displays the group name or identifier assigned to each listed group when it was created.
  • Page 354: Creating Radius Groups

    Chapter 9: Services Configuration Creating RADIUS Groups To create a RADIUS group: 1 Select Configuration > Services. 2 Select and expand the RADIUS menu. Select Groups if the RADIUS Group screen is not already displayed by default. 3 Click Add to create a new RADIUS group, Edit to modify the configuration of an existing group or Delete to permanently remove a selected group.
  • Page 355: Defining User Pools

    Setting the RADIUS Configuration Rate Limit to Air: Select the checkbox to set a downlink rate limit for clients within this RADIUS group. Use the spinner to set a value from 100-1,000,000 kbps. Setting a value of 0 disables rate limiting. Select this option to designate the RADIUS group as a management group.
  • Page 356 Chapter 9: Services Configuration 3 Select Add to create a new user pool, Edit to modify the configuration of an existing pool or Delete to remove a selected pool. 4 If creating a new pool, assign it a name up to 32 characters and select Continue. The name should be representative of the users comprising the pool and/or the temporary or permanent access privileges assigned.
  • Page 357 Setting the RADIUS Configuration 5 Refer to the following User Pool configurations to discern when specific user IDs have access to the access point's RADIUS resources: User Id: Displays the unique alphanumeric string identifying this user. This ID is assigned to the user when created and cannot be modified with the rest of the configuration.
  • Page 358 Chapter 9: Services Configuration 7 Set the following to create a new RADIUS user with unique access privileges: User Id: Assign a unique alphanumeric string identifying this user. The ID cannot exceed 64 characters. Password: Provide a password unique to this user. The password cannot exceed 32 characters.
  • Page 359: Configuring The Radius Server

    Setting the RADIUS Configuration Configuring the RADIUS Server A RADIUS server policy is a unique authentication and authorization configuration for receiving user connection requests, authenticating users and returning the configuration information necessary for the RADIUS client to deliver service to the user. An access point’s requesting client is the entity with authentication information requiring validation.
  • Page 360 Chapter 9: Services Configuration The RADIUS Server Policy screen displays with the Server Policy tab displayed by default. 3 Select the Activate RADIUS Server Policy button to enable the parameters within the screen for configuration. Ensure this option remains selected, or this RADIUS server configuration is not applied to the access point profile.
  • Page 361 Setting the RADIUS Configuration LDAP Groups: Use the drop-down menu to select the LDAP groups to which the server policy configuration applies. Select the Create or Edit icons as needed to either create a new group or modify an existing group. Use the arrow icons to add and remove groups as required.
  • Page 362 Chapter 9: Services Configuration Maximum Cache Entries: Use the spinner control to define the maximum number of entries maintained in cache for this RADIUS server policy. The default setting is 128 entries. 7 Select OK to save the settings to the server policy configuration. Select Reset to revert to the last saved configuration.
  • Page 363 Setting the RADIUS Configuration 13 Select OK to save the server policy’s client configuration. Select the Reset button to revert to the last saved configuration. 14 Select the Proxy tab and ensure the Activate RADIUS Server Policy button remains selected. A user’s access request is sent to a proxy server if it cannot be authenticated by local RADIUS resources.
  • Page 364 Chapter 9: Services Configuration 17 Select the + Add Row button to add a RADIUS server proxy realm name and network address. To delete a proxy server entry, select the Delete icon on the right-hand side of the table. 18 Enter a 50 character maximum Realm Name. When the access point’s RADIUS server receives a request for a user name, the server references a table of realms.
  • Page 365 Setting the RADIUS Configuration 25 Refer to the following to determine whether an LDAP server can be used as is, a server configuration requires creation or modification, or a configuration requires deletion: Redundancy: Displays whether the listed LDAP server IP address has been defined as a primary or secondary server resource.
  • Page 366 Chapter 9: Services Configuration 27 Set the following Network address information required for the connection to the external LDAP server resource: Redundancy: Define whether this LDAP server is a primary or secondary server resource. Primary servers are always queried for the first connection attempt.
  • Page 367: Services Deployment Considerations

    Before defining the access point's configuration using the Services menu, refer to the following deployment guidelines to ensure the configuration is optimally effective: ● Extreme Networks recommends each RADIUS client use a different shared secret. If a shared secret is compromised, only that one client poses a risk, as opposed to all the clients that would otherwise share the same secret.
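Two of the RADIUS mechanisms above, the realm table consulted by the proxy (page 364) and the per-client shared secret recommended in the deployment guideline just given, in one added example that is not the access point's own implementation. The realm split and routing decision are straightforward; the password hiding is the RFC 2865 User-Password scheme, included because it shows concretely why the guideline matters: the only thing that makes the hidden password recoverable is the client's shared secret, so a secret leaked from one access point exposes only that access point's exchanges. The realm names, server addresses and secrets are invented, and the choice to answer unknown realms locally is an assumption.

```python
import hashlib
import os

# Constructed tables for this example. The realm table mirrors the Proxy tab
# (realm name plus the proxy server's network address) and the secrets table
# mirrors one shared secret per RADIUS client, as the deployment guideline
# above recommends; all addresses, realms and secrets are invented.
PROXY_REALMS = {
    "corp.example": ("10.0.0.5", 1812),
    "partner.example": ("10.0.0.6", 1812),
}
CLIENT_SECRETS = {
    "192.0.2.10": b"ap-lobby-secret-3f9a",
    "192.0.2.11": b"ap-warehouse-secret-77c1",
}


def split_realm(username):
    """'alice@corp.example' -> ('alice', 'corp.example'); no '@' -> realm None."""
    user, sep, realm = username.rpartition("@")
    if not sep:
        return username, None
    return user, realm.lower()


def route_request(username, realms=PROXY_REALMS):
    """Answer locally unless the user's realm appears in the proxy table."""
    _, realm = split_realm(username)
    if realm in realms:
        host, port = realms[realm]
        return ("proxy", host, port)
    return ("local", None, None)


def new_request_authenticator():
    """16 unpredictable octets, fresh for every Access-Request (RFC 2865 section 3)."""
    return os.urandom(16)


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2 User-Password hiding.

    The password is NUL-padded to a multiple of 16 octets and each block is
    XORed with MD5(secret || previous block), the first "previous block"
    being the Request Authenticator. Only the secret makes this reversible.
    """
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    if len(padded) > 128:
        raise ValueError("password exceeds 128 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden, secret, request_authenticator):
    """Inverse of hide_password; trailing NUL padding is removed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def unhide_for_client(hidden, nas_ip, request_authenticator, secrets=CLIENT_SECRETS):
    """Select the secret by the sending client's address. An unknown client
    yields None, matching RFC 2865's rule that such requests are silently discarded."""
    secret = secrets.get(nas_ip)
    if secret is None:
        return None
    return unhide_password(hidden, secret, request_authenticator)
```

The MD5-based hiding is obfuscation keyed on the secret rather than strong encryption, which is a second reason to keep secrets long, random and unique per client, and to carry RADIUS over a protected path (IPsec or RadSec) where the surrounding network cannot be trusted.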
  • Page 369: Chapter 10: Management Access Policy Configuration

    (in routers or other firewalls), where administrators specify and customize specific IPs to access specific interfaces. Extreme Networks recommends disabling unused and insecure management interfaces as required within different access profiles. Disabling unused management services can dramatically reduce the attack surface and free resources.
  • Page 370 Chapter 10: Management Access Policy Configuration To create administrators and assign them access types and roles: 1 Select Configuration > Management. The Administrators screen displays by default. 2 Refer to the following to review existing administrators: User Name: Displays the name assigned to the administrator upon creation. The name cannot be modified when editing an administrator's configuration.
  • Page 371 Creating Administrators and Roles 4 If adding a new administrator, enter the user name in the User Name field. This is a mandatory field, and cannot exceed 32 characters. Ideally, assign a name representative of the user's intended access type and role. 5 Provide a strong administrator password.
  • Page 372: Setting The Access Control Configuration

    (HTTP, HTTPS, Telnet, SSH or SNMP). Access options can be either enabled or disabled as required. Extreme Networks recommends disabling unused interfaces to reduce security holes. The Access Control tab is not meant to function as an ACL (in routers or other firewalls), where you can specify and customize specific IPs to access specific interfaces.
  • Page 373 Setting the Access Control Configuration 3 Set the following parameters required for Telnet access: Enable Telnet: Select the checkbox to enable Telnet device access. Telnet provides a command line interface to a remote host over TCP. Telnet provides no encryption, so the administrator credentials and every command cross the network in cleartext, although it does provide a measure of authentication. Telnet access is disabled by default.
  • Page 374: Setting The Authentication Configuration

    Chapter 10: Management Access Policy Configuration 6 Set the following FTP parameters: Enable FTP: Select the checkbox to enable FTP device access. FTP (File Transfer Protocol) is the standard protocol for transferring files over a TCP/IP network. FTP requires administrators enter a valid username and password authenticated locally on the controller. Like Telnet, FTP sends credentials and file contents unencrypted; prefer SFTP where the transfer workflow allows it.
  • Page 375: Setting The Snmp Configuration

    Setting the SNMP Configuration 3 Set the following to authenticate access requests to the access point managed network: Local: Define whether the access point's internal RADIUS resource (if supported) is used to validate authentication requests. The default setting is Enabled. When enabled, network address information is not required for an external RADIUS resource.
  • Page 376 Chapter 10: Management Access Policy Configuration The access point can use Simple Network Management Protocol (SNMP) to interact with wireless devices. SNMP is an application layer protocol that facilitates the exchange of management information. SNMP agents on managed devices listen on UDP port 161 (by default) for requests from their management server, and send traps to the management server on UDP port 162. SNMPv1 and SNMPv2c use read-only and read-write community strings as their only authentication mechanism to monitor and configure supported devices; the community string travels unencrypted in every packet.
  • Page 377: Snmp Trap Configuration

    SNMP Trap Configuration Enable SNMPv3: Select the checkbox to enable SNMPv3 support. SNMPv3 adds security and remote configuration capabilities to previous versions. The SNMPv3 architecture introduces the User-based Security Model (USM) for message security and the View-based Access Control Model (VACM) for access control.
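Why the guide steers administrators from community strings to SNMPv3 USM, shown with an added example that is not part of the guide: a minimal BER decoder that pulls the version, community string, PDU type and requested OIDs out of an SNMPv1/v2c message. The sample packet is a hand-encoded SNMPv2c GetRequest for sysDescr.0 with community "public", constructed for this example; anyone who can capture the datagram on its way to UDP 161 reads the credential the same way. The decoder deliberately refuses SNMPv3 messages, whose USM header has a different shape and carries no community.

```python
# Constructed SNMPv2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0) with
# community "public", hand-encoded in BER for this example.
SAMPLE_GETREQUEST = bytes.fromhex(
    "3027"                      # SEQUENCE, 39 bytes
    "020101"                    # INTEGER version = 1 (v2c)
    "0406" "7075626c6963"       # OCTET STRING "public"   <- cleartext credential
    "a01a"                      # GetRequest-PDU, 26 bytes
    "02021234"                  # INTEGER request-id = 0x1234
    "020100"                    # INTEGER error-status = 0
    "020100"                    # INTEGER error-index = 0
    "300e"                      # SEQUENCE of VarBinds
    "300c"                      # VarBind
    "0608" "2b06010201010100"   # OID 1.3.6.1.2.1.1.1.0
    "0500"                      # NULL value
)

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap-v1", 0xA7: "Trap-v2"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one definite-length BER element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length form")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def _read_int(value):
    return int.from_bytes(value, "big", signed=True)


def _read_oid(value):
    """Decode a BER OBJECT IDENTIFIER (first octet packs arcs 1 and 2)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_snmp_community_message(packet):
    """Decode the outer layer of an SNMPv1/v2c request or response.

    Returns the version, the cleartext community string, the PDU type, the
    request-id and the OIDs carried. Raises ValueError for v3 messages,
    v1 Trap PDUs (different layout) and malformed input.
    """
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    version = _read_int(ver)
    if version not in (0, 1):
        raise ValueError("only SNMPv1/v2c carry a community string")
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected community OCTET STRING")
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    if pdu_tag == 0xA4:
        raise ValueError("v1 Trap PDU layout not handled here")
    _, rid, p = _read_tlv(pdu, 0)
    _, _, p = _read_tlv(pdu, p)      # error-status
    _, _, p = _read_tlv(pdu, p)      # error-index
    _, varbinds, _ = _read_tlv(pdu, p)
    oids, v = [], 0
    while v < len(varbinds):
        _, vb, v = _read_tlv(varbinds, v)
        _, oid, _ = _read_tlv(vb, 0)
        oids.append(_read_oid(oid))
    return {
        "version": VERSIONS.get(version, str(version)),
        "community": community.decode("ascii", "replace"),
        "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
        "request_id": _read_int(rid),
        "oids": oids,
    }


def community_or_none(packet):
    """Convenience wrapper for monitoring: the community, or None if the
    datagram is not a well-formed v1/v2c message."""
    try:
        return parse_snmp_community_message(packet)["community"]
    except ValueError:
        return None
```

Run over a capture of the management VLAN, a function like `community_or_none` is a quick audit for community strings still in use after the move to SNMPv3 authPriv; the same decoder extended to the v3 header would find only a user name and a MAC, with the payload encrypted under the USM privacy key.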
  • Page 378: Management Access Deployment Considerations

    Chapter 10: Management Access Policy Configuration 1 Select Configuration > Management. 2 Select SNMP Traps from the list of Management Policy options in the upper, left-hand, side of the UI. 3 Select the Enable Trap Generation checkbox to enable trap creation using the trap receiver configuration defined in the lower portion of the screen.
  • Page 379 Management Access Deployment Considerations ● Extreme Networks recommends SNMPv3 be used for device management, as it provides both encryption and authentication. ● Enabling SNMP traps can provide alerts for isolated attacks at small radio deployments or distributed attacks occurring across multiple sites.
  • Page 381: Chapter 11: Diagnostics

    Diagnostics C H A P T E R An access point's resident diagnostic capabilities enable administrators to understand how devices are performing and troubleshoot issues impacting network performance. Performance and diagnostic information is collected and measured for anomalies that could cause key processes to fail. Numerous tools are available within the Diagnostics menu.
  • Page 382 Chapter 11: Diagnostics Use the Filter Events screen to create filters for managing events. Events can be filtered based on severity, module received, source MAC of the event, device MAC of the event and MAC address of the wireless client. 2 Define the following Customize Event Filters: Set the severity of the event being filtered.
  • Page 383 Fault Management 3 Select the Add to Active Filters button to create a new filter and add it to the Active Event Filters table. When added, the filter uses the configuration defined in the Customize Event Filters field. 4 Refer to the Active Event Filters table to set the following parameters: a To activate all the events in the Active Events Filters table, select the Enable All Events button.
  • Page 384: Crash Files

    Chapter 11: Diagnostics 8 Select Event History from the upper, left-hand, side of the Fault Management browser. Use the Event History screen to track events impacting either a selected device or those impacting the access point’s default RF Domain. 9 Refer to the Select a Device field, and specify a single device MAC address for event tracking. 10 Select Fetch Historical Events from the lower, right-hand, side of the UI to populate the table with either device or RF Domain events.
  • Page 385: Advanced Diagnostics

    Advanced Diagnostics Use crash files to troubleshoot issues specific to the device on which a crash event was generated. These are issues impacting the core (distribution layer). Once reviewed, files can be deleted or transferred for archive. Crash files can be sent to a support team to expedite issues with the reporting device. To review crash files impacting the access point network: 1 Select Diagnostics >...
  • Page 386: Ui Debugging

    Chapter 11: Diagnostics UI Debugging Use the UI Debugging screen to view debugging information for a selected device. To review device debugging information: 1 Select Diagnostics > Advanced to display the UI Debugging menu options. Once a target device has been selected, its debugging information displays within the NETCONF Viewer by default.
  • Page 387: Schema Browser

    Advanced Diagnostics Schema Browser Use the schema browser to navigate the configuration, statistics and actions schema of a selected device. To review a device's schema: 1 Select Diagnostics > Advanced to display the UI Debugging menu options. 2 Select Schema Browser. Altitude 4000 Series Access Point System Reference Guide...
  • Page 388 Chapter 11: Diagnostics The Schema Browser displays the Configuration tab by default. The Schema Browser displays two fields (regardless of the Configuration, Statistics or Actions tab selected). Use the left field to navigate the schema by expanding and collapsing directories. Selecting a node on the left displays node details on the right.
  • Page 389: Chapter 12: Operations

    Networks Support Web site. If an access point’s (or its associated device’s) firmware is older than the version on the Web site, Extreme Networks recommends updating to the latest firmware version for full functionality and utilization. Additionally, selected devices can either have a primary or secondary firmware image applied or fallback to a selected firmware image if an error were to occur in the update process.
  • Page 390: Managing Firmware And Config Files

    Chapter 12: Operations ● AP Upgrades on page 396 NOTE AP upgrades can only be performed by access points in Virtual Controller AP mode, and cannot be initiated by Standalone APs. Additionally, upgrades can only be performed on access points of the same model as the Virtual Controller AP.
  • Page 391: Upgrading Device Firmware

    Device Operations 1 Refer to the following to determine whether a firmware image requires an update: Device MAC: Displays the factory assigned hardware MAC address (in the banner of the screen) for the selected access point. The Device Type also displays in the banner of the screen.
  • Page 392 Chapter 12: Operations NOTE AP upgrades can only be performed by access points in Virtual Controller AP mode, and cannot be initiated by Standalone APs. Additionally, upgrades can only be performed on access points of the same model as the Virtual Controller AP. 1 Select a target device from the left-hand side of the UI.
  • Page 393: Managing File Transfers

    Device Operations Port: Use the spinner control or manually enter the value to define the port used by the protocol for firmware updates. This option is not valid for cf, usb1, and usb2. IP Address: Enter the IP address of the server used to update the firmware. This option is not valid for cf, usb1, and usb2.
  • Page 394 Chapter 12: Operations 1 Select Operations > Devices > File Transfers. 2 Set the following file management source and target directions as well as the configuration parameters of the required file transfer activity: Source: Select the source of the file transfer. Select Server to indicate the source of the file is a remote server.
  • Page 395: Using The File Browser

    Device Operations IP Address: If Advanced is selected, specify the IP address of the server used to transfer files. This option is not valid for cf, usb1, and usb2. If the IP address of the server is provided, a Hostname is not required. This parameter is required only when Server is selected as the Source.
  • Page 396: Ap Upgrades

    Chapter 12: Operations 1 Select Operations > Devices > File Browser. 2 Refer to the following to determine whether a file needs to be deleted or included in a new folder for the selected memory resource. The following display for each of the available memory resources. File Name: Displays the name of the file residing on the selected flash, system, nvram, usb1 or usb2 location.
  • Page 397 Device Operations NOTE AP upgrades can only be performed by access points in Virtual Controller AP mode, and cannot be initiated by Standalone APs. Additionally, upgrades can only be performed on access points of the same model as the Virtual Controller AP. 1 Select Operations >...
  • Page 398 Chapter 12: Operations Use the > button to move a selected access point in the All Devices table to the Upgrade List table. Use the << button to move all access points from the Upgrade List. Use the < button to move a selected access point from the Upgrade List. ...
  • Page 399 Device Operations Protocol: Select the protocol to retrieve the image files. Available options include: tftp - Select this option to specify a file location using Trivial File Transfer Protocol. A port and IP address or hostname are required. A path is optional.
  • Page 400: Certificates

    Chapter 12: Operations State: Displays the current upgrade status for each listed access point. Possible states include: Waiting, Downloading, Updating, Scheduled Reboot, Rebooting, Done, Cancelled and No Reboot. Progress: Displays the current progress of each access point undergoing an upgrade.
  • Page 401: Certificate Management

    Certificates ● Certificate Creation on page 412 ● Generating a Certificate Signing Request (CSR) on page 414 Certificate Management If not wanting to use an existing certificate or key with a selected device, an existing stored certificate can be leveraged from a different device for use with the target device. Device certificates can be imported and exported to a secure remote location for archive and retrieval as they are required for application to other managed devices.
  • Page 402 Chapter 12: Operations 1 Select Operations > Certificates. The Trustpoints screen displays for the selected MAC address. 2 Refer to the Certificate Details to review certificate properties, self-signed credentials, validity period and CA information. 3 Select the Import button to import a certificate. Altitude 4000 Series Access Point System Reference Guide...
  • Page 403 Certificates 4 Define the following configuration parameters required for the Import of the trustpoint: Trustpoint Name: Enter the 32 character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual. Define the key used by the target trustpoint.
  • Page 404 Chapter 12: Operations A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs every digital certificate it issues with its own private key. The matching CA public key is distributed in the CA's own certificate, called the CA certificate, which is what a relying party uses to verify those signatures. 7 Define the following configuration parameters required for the Import of the CA certificate: Trustpoint Name: Enter the 32 character maximum name assigned to the target trustpoint...
  • Page 405 Certificates 9 To optionally import a CRL, select the Import CRL button from the Trustpoints screen. If a certificate displays within the Certificate Management screen with a CRL, that CRL can be imported. A certificate revocation list (CRL) is a list of revoked certificates or certificates no longer valid.
  • Page 406 Chapter 12: Operations Hostname: If using Advanced settings, provide the hostname of the server used to import the CRL. This option is not valid for cf, usb1, and usb2. Path: If using Advanced settings, specify the path to the CRL. Enter the complete relative path to the file on the server.
  • Page 407 Certificates Protocol: Select the protocol used for importing the target signed certificate. Available options include: tftp, ftp, sftp, http, cf, usb1, usb2. Port: If using Advanced settings, use the spinner control to set the port. This option is not valid for cf, usb1 and usb2.
  • Page 408: Rsa Key Management

    Chapter 12: Operations Key Passphrase: Define the key used by both the access point and the server (or repository) of the target trustpoint. Select the Show textbox to expose the actual characters used in the key. Leaving the checkbox unselected displays the passphrase as a series of asterisks "*".
  • Page 409 Certificates Each key can have its size and character syntax displayed. Once reviewed, optionally generate a new RSA key, import a key from a selected device, export a key to a remote location or delete a key from a selected device. 3 Select Generate Key to create a new key with a defined size.
  • Page 410 Key Size: Use the spinner control to set the size of the key (between 1,024 and 2,048 bits). Extreme Networks recommends leaving this value at the default setting of 1024 to ensure optimum functionality. Note that 1024-bit RSA keys are no longer considered adequate against a well-resourced attacker; where the peer systems accept it, 2048 bits is the safer choice. 5 To optionally import a CA certificate, select the Import button from the RSA Keys screen.
  • Page 411 Certificates 7 Select OK to import the defined RSA key. Select Cancel to revert the screen to its last saved configuration. 8 To optionally export a RSA key to a remote location, select the Export button from the RSA Keys screen.
  • Page 412: Certificate Creation

    Chapter 12: Operations 11 Select OK to export the defined RSA key. Select Cancel to revert the screen to the last saved configuration. 12 To optionally delete a key, select the Delete button from within the RSA Keys screen. Provide the key name within the Delete RSA Key screen and select the Delete Certificates checkbox to remove the certificate the key supported.
  • Page 413 Create a New RSA Key: To create a new RSA key, select the radio button and define a 32 character maximum name used to identify the RSA key. Use the spinner control to set the size of the key (between 1,024 and 2,048 bits). Extreme Networks recommends leaving this value at the default setting of 1024 to ensure optimum functionality.
  • Page 414: Generating A Certificate Signing Request (Csr)

    Chapter 12: Operations Country (C): Define the Country used in the certificate. This is a required field and must not exceed a 2 character country code. State (ST): Enter a State/Prov. for the state or province name used in the certificate. This is a required field.
  • Page 415 RSA Key: Use the spinner control to set the size of the key (between 1,024 and 2,048 bits). Extreme Networks recommends leaving this value at the default setting of 1024 to ensure optimum functionality. For more information, see "RSA Key Management" on page 408.
  • Page 416: Smart Rf

    Chapter 12: Operations Organization (O): Define an Organization for the organization used in the CSR. This is a required field. Organizational Unit (OU): Enter an Org. Unit for the name of the organization unit used in the CSR. This is a required field. Common Name (CN): If there's a common name (IP address) for the organizational unit issuing the...
  • Page 417 Smart RF managed radios. Access point to access point distance is recorded in terms of signal attenuation. The information from external radios is used during channel assignment to minimize interference. To conduct Smart RF calibration: 1 Select Operations > Smart RF. The Smart RF screen populates with information specific to the devices within the RF Domain with updated data from the last interactive calibration.
  • Page 418 Chapter 12: Operations Old Power: Lists the transmit power assigned to each listed access point within the RF Domain. The power level may have been increased or decreased as part of an Interactive Calibration process applied to the RF Domain. Compare this Old Power level against the Power value to the right of it (in the table) to determine whether a new power level was warranted to compensate for a coverage hole.
  • Page 419: Operations Deployment Considerations

    ● If an access point's (or its associated device's) firmware is older than the version on the support site, Extreme Networks recommends updating to the latest firmware version for full functionality and utilization. ● An access point must be rebooted to implement a firmware upgrade. Take advantage of the reboot...
  • Page 421: Chapter 13: Statistics

    Statistics C H A P T E R This chapter describes the statistical information available to supported access points. Statistics can be exclusively displayed to validate access points, their VLAN assignments and the current authentication and encryption schemes. Statistics can be displayed for the entire system or an access point coverage area. Stats can also be viewed collectively for RF Domain member access point radios and their connected clients.
  • Page 422 Chapter 13: Statistics The Health screen displays the overall performance of the access point supported system and its connected clients. This includes information on device availability, overall RF quality, resource utilization and network threat perception. To display the health of the system: 1 Select the Statistics menu from the Web UI.
  • Page 423: Inventory

    System Statistics 4 The Devices table displays the total number of access points in the network. The pie chart is a proportional view of how many are functional and are currently online. Green indicates online devices and the red offline devices. 5 The Device Types lists the access point model deployed in the system.
  • Page 424 Chapter 13: Statistics The Inventory screen displays information about the physical hardware deployed within the system. Use this information to assess the overall performance of access points and their connected clients in the system, whether members of the RF Domain or not. To display the system-wide inventory statistics: 1 Select the Statistics menu from the Web UI.
  • Page 425: Adopted Devices

    6 The Wireless Clients table displays the total number of wireless clients managed by the access points deployed within the system. Top Client Count: Displays the number of wireless clients adopted by the access points deployed within the system. RF Domain: Displays the name of the access point RF Domain the listed clients are connected to.
  • Page 426 4 The Adopted Devices screen provides the following: Adopted Device: Displays the hostname of the adopted device. Type: Displays the type of device adopted to an access point system member. RF Domain Name: Displays the adopting access point’s RF Domain name. Displays the model number of the access point providing device association.
  • Page 427: Pending Adoptions

    Adoption Time: Displays the time when the listed adopted device was connected to its associated access point. Uptime: Displays the elapsed time the listed client’s associated access point has been in service. Refresh: Periodically select the Refresh button to update the screen to its latest device adoption status for the system.
  • Page 428: Offline Devices

    Reason: Displays the status as to why the device is still pending adoption. Discovery Option: Displays the discovery option code for each AP listed pending adoption. Last Seen: Displays the date and time stamp of the last time the device was seen. Click the arrow next to the date and time to toggle between standard time and UTC.
  • Page 429: RF Domain

    VLAN: Displays the current VLAN number of the device pending adoption. RF Domain Name: Displays the name of this access point’s RF Domain membership, if applicable. Reporter: Displays the hostname of the access point reporting the listed device offline. Displays the date and time stamp of the last time the device was seen.
  • Page 430 To display the health of the RF Domain members: 1 Select the Statistics menu from the Web UI. 2 Select the default item from under the System node on the top left-hand side of the screen. 3 Select Health from the RF Domain menu. 4 The Configuration field displays the name of the Virtual Controller AP that is the manager for this RF Domain.
  • Page 431 The RF Quality Index can be interpreted as: ● 0-20 – Very poor quality ● 20-40 – Poor quality ● 40-60 – Average quality ● 60-100 – Good quality. 7 Refer to the Worst 5 Radios table for RF Domain member radios requiring administration to improve performance: Worst 5 Radios: Displays five radios with the lowest average quality in the access point RF...
  • Page 432: Inventory

    Channel Changes: Displays the total number of radio transmit channel changes that have been made using SMART RF within the access point RF Domain. Coverage Changes: Displays the total number of radio coverage area changes that have been made using SMART RF within the access point RF Domain.
  • Page 433 4 The Device Types table displays the total number of member access points in the RF Domain. The exploded pie chart depicts the distribution of RF Domain members. The Radio Types table displays the total number of radios in this RF Domain. The bar chart depicts the distribution of the different radio types.
  • Page 434: Access Points

    MAC Address: Displays the Media Access Control (MAC) address of the RF Domain member access point. Each listed MAC address can be selected to display the access point’s device information in greater detail. Location: Displays the physical location where each RF Domain member access point is deployed.
  • Page 435: AP Detection

    Access Point: Displays the name of each access point currently a member of the RF Domain. AP MAC Address: Displays each access point’s factory-encoded MAC address, its hardware identifier. Type: Displays the access point model supported by the RF Domain. An access point can only share RF Domain membership with access points of the same model.
  • Page 436: Wireless Clients

    To view device information on detected access points: 1 Select the Statistics menu from the Web UI. 2 Select the default item from under the System node on the top left-hand side of the screen. 3 Select AP Detection from the RF Domain menu. The screen provides the following information: BSSID: Displays the Broadcast Service Set ID (SSID) of the network to which the...
  • Page 437: Wireless LANs

    1 Select the Statistics menu from the Web UI. 2 Select the default item from under the System node on the top left-hand side of the screen. 3 Select Wireless Clients from the RF Domain menu. This screen provides the following information: MAC Address: Displays the hardware or Media Access Control (MAC) address of each listed wireless client.
  • Page 438 To view wireless LAN statistics for RF Domain members: 1 Select the Statistics menu from the Web UI. 2 Select the default item from under the System node on the top left-hand side of the screen. 3 Select Wireless LANs from the RF Domain menu. This screen displays the following information: WLAN Name: Displays the text-based name assigned to the WLAN by its RF Domain...
  • Page 439: Radios

    Radios “RF Domain” The Radio screens display information on RF Domain member access point radios. Use these screens to troubleshoot radio issues. For more information, refer to the following: ● Status on page 439 ● RF Statistics on page 440...
  • Page 440: RF Statistics

    AP Type: Lists the model of each RF Domain member access point. State: Displays the radio’s current operational state as On or Off. Channel Current: Displays the current channel the RF Domain member access point radio is broadcasting on.
  • Page 441: Traffic Statistics

    The RF Statistics screen displays the following: Radio: Displays the name assigned to each listed RF Domain member access point radio. Each name displays as a link that can be selected to display radio information in greater detail. Signal: Displays the signal power of each listed RF Domain member access point radio in dBm.
  • Page 442 This screen provides the following information: Radio: Displays the name assigned to each listed RF Domain member access point radio. Each name displays as a link that can be selected to display radio information in greater detail. Tx Bytes: Displays the total number of bytes transmitted by each RF Domain member access point radio.
  • Page 443: Mesh

    Mesh “RF Domain” To view Mesh statistics for RF Domain member access points and their connected clients: 1 Select the Statistics menu from the Web UI. 2 Select the default item from under the System node on the top left-hand side of the screen. 3 Select Mesh.
  • Page 444 When invoked by an administrator, Self-Monitoring At Run Time (Smart RF) instructs access point radios to change to a specific channel and begin beaconing using the maximum available transmit power. Within a well-planned deployment, any RF Domain member access point radio should be reachable by at least one other radio.
  • Page 445 Select the Energy Graph tab for an RF Domain member access point radio to review the radio’s operating channel, noise level and neighbor count. This information helps assess whether Smart RF neighbor recovery is needed for poorly performing radios.
  • Page 446: WIPS

    WIPS “RF Domain” Refer to the Wireless Intrusion Protection Software (WIPS) screens to review a client blacklist and events reported by an RF Domain member access point. For more information, see: ● WIPS Client Blacklist on page 446...
  • Page 447: WIPS Events

    The WIPS Client Blacklist displays the following: Event Name: Displays the name of the wireless intrusion event detected by an RF Domain member access point. Blacklisted Client: Displays the MAC address of the unauthorized device intruding on the RF Domain. Time Blacklisted: Displays the time when the wireless client was blacklisted by an RF Domain...
  • Page 448: Captive Portal

    4 The WIPS Events screen provides the following information: Event Name: Displays the name of the intrusion detected by an RF Domain member access point. Reporting AP: Displays the MAC address of the RF Domain member access point reporting the intrusion.
  • Page 449: Historical Data

    This screen displays the following Captive Portal data for RF Domain member access points and their requesting clients: Client MAC: Displays the MAC address of each listed client using its connected RF Domain member access point for captive portal access. Client IP: Displays the IP address of each listed client using its connected RF Domain member access point for captive portal access.
  • Page 450: Viewing Smart RF History

    Viewing Smart RF History “Historical Data” To view the RF Domain member Smart RF history: 1 Select the Statistics menu from the Web UI. 2 Select the default item from under the System node on the top left-hand side of the screen. 3 Expand the Historical Data menu item and select Smart RF History.
  • Page 451: Access Point Statistics

    Access Point Statistics “Statistics” The access point statistics screens display an access point’s performance, health, version, client support, radio, mesh, interface, DHCP, firewall, WIPS, sensor, captive portal, NTP and load information. Access point statistics consist of the following: ● Health on page 451...
  • Page 452 The Device Details field displays the following information: Hostname: Displays the AP’s unique name. A hostname is assigned to a device connected to a computer network. Device MAC: Displays the MAC address of the AP. This is factory assigned and cannot be changed.
  • Page 453: Device

    System Clock: Displays the system clock information. The RF Quality Index field displays the following: Bottom Radios: Displays radios having very low quality indices. The RF quality index indicates the overall RF performance. The RF quality indices are: •...
  • Page 454 The System field displays the following: Model Number: Displays the model as either Altitude 4700, Altitude 4532, Altitude 4760, Altitude 4511 or Altitude 4521. Version: Displays the software (firmware) version on the access point. Boot Partition: Displays the boot partition type. Displays whether this option is enabled.
  • Page 455 Total Memory: Displays the access point’s total memory. Currently Free: Displays the access point’s free RAM space. If it’s very low, free up some space by closing some processes. Recommended: Displays the recommended RAM required for routine operation. Displays the access point’s current file description.
  • Page 456: AP Upgrade

    The Firmware Images field displays the following: Primary Build Date: Displays the build date when this access point firmware version was created. Primary Install Date: Displays the date this version was installed. Primary Version: Displays the primary version string. Displays the build date when this version was created.
  • Page 457: Adoption

    The Upgrade screen displays the following information: Upgraded By: Displays the MAC address of the access point that performed the upgrade. Type: Displays the model of the access point. The updating access point must be of the same model as the access point receiving the update. Displays the MAC address of the access point receiving the update.
  • Page 458: Adopted APs

    Adopted APs “Adoption” The adopted AP statistics screen lists access points adopted by this access point, their RF Domain memberships and network service information. To view adopted access point statistics: 1 Select the Statistics menu from the Web UI. 2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation.
  • Page 459: AP Adoption History

    Adopted By: Lists the adopting access point. Adoption time: Displays each listed access point’s time of adoption by this access point (whose MAC address displays in the banner of the screen). Uptime: Displays each listed access point’s in-service time since it was last offline. Refresh: Select the Refresh button to update the screen’s statistics counters to their...
  • Page 460 The Pending Adoptions screen displays a list of devices adopted to this access point or access points in the process of adoption. To view pending access point statistics: 1 Select the Statistics menu from the Web UI. 2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation.
  • Page 461: AP Detection

    AP Detection “Access Point Statistics” The AP Detection screen displays potentially hostile access points, their SSIDs, the reporting AP, and so on. Continuously revalidating the credentials of associated devices reduces the possibility of an access point hacking into the network. To view the AP detection statistics: 1 Select the Statistics menu from the Web UI.
  • Page 462: Wireless Client

    Clear All: Select the Clear All button to clear the screen of its current status and begin a new data collection. Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values. Wireless Client “Access Point Statistics”...
  • Page 463: Wireless LANs

    VLAN: Displays the VLAN ID each listed client is currently mapped to. IP Address: Displays the unique IP address of the client. Use this address as necessary throughout the applet for filtering, device intrusion recognition, and approval. Displays the name of the vendor (or manufacturer) of each listed client.
  • Page 464: Critical Resources

    Traffic Index: Displays the traffic utilization index, which measures how efficiently the WLAN’s traffic medium is used. It’s defined as the percentage of current throughput relative to maximum possible throughput. Traffic indices are: • 0 – 20 (very low utilization) •...
  • Page 465: Radios

    4 The Access Point Critical Resource screen displays the following: IP Address: Lists the IP address of the critical resource. This is the address assigned to the device, and it is used by the access point to ensure the critical resource is available.
  • Page 466 depending on the SKU purchased. Altitude 4522, Altitude 4532 and Altitude 4700 series access points are dual-radio models, and Altitude 4511 and Altitude 4521 models are both single-radio access points. Each of these screens provides enough statistics to troubleshoot issues related to the following three areas: ● Status on page 467...
  • Page 467: Status

    Status An administrator can use the Status screen to review access point radio statistics in detail. Use the Status screen to assess radio type, operational state, operating channel and current power, and so determine whether the radio is optimally configured for its intended deployment objective. To view access point radio statistics: 1 Select the Statistics menu from the Web UI.
  • Page 468: RF Statistics

    RF Statistics An administrator can use the RF Statistics screen to review access point radio transmit and receive statistics, error rate and RF quality. To view access point radio RF statistics: 1 Select the Statistics menu from the Web UI. 2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation.
  • Page 469: Traffic Statistics

    Quality Index: Displays an integer that indicates overall RF performance. The RF quality indices are: • 0 – 50 (poor) • 50 – 75 (medium) • 75 – 100 (good). Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.
  • Page 470: Mesh

    Tx Packets: Displays the total number of packets transmitted by each listed radio. This includes all user data as well as any management overhead packets. Rx Packets: Displays the total number of packets received by each listed radio. This includes all user data as well as any management overhead packets.
  • Page 471: Interfaces

    The Mesh screen describes the following: Client AP: Displays the name for each access point in the RF Domain mesh network. Client Hostname: Displays the configured hostname for each access point in the RF Domain mesh network. Client Radio MAC: Displays the MAC address for each access point in the RF Domain mesh network.
  • Page 472: General Statistics

    ● Viewing Interface Statistics Graph on page 476 General Statistics “Interfaces” The General screen provides information on a selected access point interface, such as its MAC address, type and TX/RX statistics. To view the general interface statistics: 1 Select the Statistics menu from the Web UI.
  • Page 473 Select an access point interface from those available for the selected access point model. The subsequent display within the General and Network Graph tabs is specific to the selected interface. The General field describes the following: Name: Displays the name of the access point interface selected from the upper left-hand side of the screen.
  • Page 474 Index: Displays the unique numerical identifier supporting the interface. Access VLAN: Displays the interface the VLAN can access. Access Setting: Displays the mode of the VLAN as either Access or Trunk. Administrative Status: Displays whether the interface is currently true or false. The Specification field displays the following:...
  • Page 475 Jabber Pkts: Displays the number of packets transmitted through the interface that are larger than the interface MTU. The Errors field displays the following information for the selected access point interface: Bad Pkts Received: Displays the number of bad packets received through the interface. Displays the number of collisions on the interface.
  • Page 476: Viewing Interface Statistics Graph

    Tx Carrier Errors: Displays the number of carrier errors on the interface. This generally indicates bad Ethernet hardware or cabling. Tx FIFO Errors: Displays the number of FIFO errors received at the interface. First-in-First-Out queueing is an algorithm that involves the buffering and forwarding of packets in the order of arrival.
  • Page 477: Network

    Network “Access Point Statistics” Use the Network screen to view information for ARP, DHCP, Routing and Bridging. Each of these screens provides enough statistics to troubleshoot issues related to the following features: ● ARP Entries on page 477...
  • Page 478: Route Entries

    Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values. Route Entries “Network” The Route Entries screen provides details about the destination subnet, gateway, and interface for routing packets to a defined destination. When an existing destination subnet does not meet the needs of the network, add a new destination subnet, subnet mask and gateway.
  • Page 479 The Bridge screen provides details about the Integrated Gateway Server (IGS), which is a router connected to an access point. The IGS performs the following: ● Issues IP addresses ● Throttles bandwidth ● Permits access to other networks...
  • Page 480 The Details screen’s Integrated Gateway Server (IGS) table displays the following: VLAN: Displays the VLAN where the multicast transmission is conducted. Group Address: Displays the Multicast Group ID supporting the statistics displayed. This group ID is the multicast address hosts are listening to. Port Members: Displays the ports on which multicast clients have been discovered by the access point.
  • Page 481: DHCP Options

    Port Members: Displays the ports on which multicast clients have been discovered by the access point. Query Interval: Displays the periodic IGMP query interval value. Version: Displays the IGMP version in use. VLAN: Displays the VLAN on which the multicast transmission is conducted. 5 Select the MAC Address tab.
  • Page 482: Cisco Discovery Protocol

    The DHCP Options screen displays the following: Server Information: Displays the IP address of the DHCP server used on behalf of the access point. Image File: Displays the image file name. BOOTP, the bootstrap protocol, can be used to boot diskless clients.
  • Page 483: Link Layer Discovery Protocol

    The Cisco Discovery Protocol screen displays the following: Capabilities: Displays the capabilities code for the device as either Router, Trans Bridge, Source Route Bridge, Host, IGMP or Repeater. Device ID: Displays the configured device ID or name for each device in the table. Displays the local port name for each CDP-capable device.
  • Page 484: DHCP Server

    3 Select Network and expand the menu to reveal its sub-menu items. 4 Select Link Layer Discovery. The Link Layer Discovery Protocol screen displays the following: Capabilities: Displays the capabilities code for the device as either Router, Trans Bridge, Source Route Bridge, Host, IGMP or Repeater.
  • Page 485: DHCP Bindings

    To view DHCP server statistics: 1 Select the Statistics menu from the Web UI. 2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation. 3 Select DHCP and expand the menu to reveal its sub-menu items.
  • Page 486: DHCP Networks

    The DHCP Bindings screen displays DHCP binding information such as expiry time, client IP addresses and their MAC addresses. To view a network’s DHCP Bindings: 1 Select the Statistics menu from the Web UI. 2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation.
  • Page 487: Firewall

    The DHCP Networks screen displays the following: Name: Displays the name of the DHCP pool. Subnet Address: Displays the subnet addresses of the DHCP pool. Used Addresses: Number of addresses that have already been leased to requesting clients. Total available addresses that can be leased to requesting clients.
  • Page 488: Denial Of Service

    Denial of Service “Firewall” A denial-of-service attack (DoS attack) or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out a DoS attack may vary, it generally consists of concerted efforts to prevent an Internet site or service from functioning efficiently.
  • Page 489: IP Firewall Rules

    The Denial of Service screen displays the following: Attack Type: Displays the Denial of Service (DoS) attack type. Count: Displays the number of times the access point’s firewall has observed each listed DoS attack. Last Occurrence: Displays the amount of time since the DoS attack was last observed by the access point firewall.
  • Page 490: MAC Firewall Rules

    1 Select the Statistics menu from the Web UI. 2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation. 3 Select Firewall and expand the menu to reveal its sub-menu items. 4 Select IP Firewall Rules.
  • Page 491: NAT Translations

    ● Block a connection. To view the access point’s MAC Firewall Rules: 1 Select the Statistics menu from the Web UI. 2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation.
  • Page 492: DHCP Snooping

    3 Select Firewall and expand the menu to reveal its sub-menu items. 4 Select NAT Translations. The NAT Translations screen displays the following: Protocol: Displays the IP protocol as either TCP, UDP or ICMP. Forward Source: Displays the source IP address for the forward NAT flow. Forward Source ...: Displays the source port for the forward NAT flow (contains the ICMP ID if it is...
  • Page 493 When DHCP servers are allocating IP addresses to clients on the LAN, DHCP snooping can be configured to better enforce security on the LAN by allowing only clients with specific IP/MAC addresses. 1 Select the Statistics menu from the Web UI. 2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation.
  • Page 494: Certificates

    Clear All: Select the Clear All button to clear the screen of its current status and begin a new data collection. Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values. Certificates “Access Point Statistics”...
  • Page 495 The Certificate Details field displays the following: Subject Name: Lists details about the entity to which the certificate is issued. Alternate Subject Name: Displays alternative details to the information specified under the Subject Name field.
  • Page 496: RSA Keys

    Issuer Name: Displays the name of the organization issuing the certificate. Serial Number: The unique serial number of the certificate issued. RSA Key Used: Displays the name of the key pair generated separately, or automatically when selecting a certificate. Indicates if this certificate is an authority certificate.
  • Page 497: WIPS

    The RSA Key Details field displays the size (in bits) of the desired key. If not specified, a default key size of 1024 is used. The RSA Public Key field lists the public key used for encrypting messages. Periodically select the Refresh button to update the screen’s statistics counters to their latest values.
  • Page 498: WIPS Events

    To view the WIPS client blacklist for this access point: 1 Select the Statistics menu from the Web UI. 2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation.
  • Page 499: Sensor Servers

    1 Select the Statistics menu from the Web UI. 2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation. 3 Select WIPS and expand the menu to reveal its sub-menu items. 4 Select WIPS Events.
  • Page 500: Captive Portal

    The Sensor Servers screen displays the following: IP Address: Displays a list of sensor server IP addresses. These are the server resources available to the access point for the management of data uploaded from dedicated sensors. Port: Displays the numerical port where the sensor server is listening. Displays whether the server resource is connected or not.
  • Page 501: Network Time

    The Captive Portal screen supports the following: Client MAC: Displays the MAC address of the wireless client. Client IP: Displays the IP address of the wireless client. Captive Portal: Displays the IP address of the captive portal page. Displays the authentication status of the wireless client.
  • Page 502: NTP Status

    The Network Time statistics screen consists of two tabs: ● NTP Status on page 502 ● NTP Association on page 503. NTP Status “Network Time” To view the Network Time statistics of an access point: 1 Select the Statistics menu from the Web UI. 2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation.
  • Page 503: NTP Association

    Reference: Displays the address of the time source the access point is synchronized to. Root Delay: The total round-trip delay in seconds. This variable can take on both positive and negative values, depending on relative time and frequency offsets.
  • Page 504 The NTP Association screen displays the following: Delay Time: Displays the round-trip delay (in seconds) for broadcasts between the NTP server and the access point. Display: Displays the time difference between the peer NTP server and the access point’s clock.
  • Page 505: Load Balancing

    Time: Displays the time of the last statistics update. Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values. Load Balancing “Access Point Statistics” An access point’s load can be viewed in a graph and filtered to display different load attributes. The access point’s entire load can be displayed, as well as the separate loads on the 2.4 and 5 GHz radio bands.
  • Page 506: Wireless Client Statistics

    The Load Balancing screen supports the following: Load Balancing: Select any of the options to display any or all of the following information in the graph below: AP Load, 2.4GHz Load, 5GHz Load, and Channel. The graph section displays the load percentages for each of the selected variables over a period of time, which can be altered using the slider below the upper graph.
  • Page 507: Health

    The wireless client statistics display read-only statistics for a client selected from within its connected access point’s directory. It provides an overview of the health of wireless clients in the access point managed network. Use this information to assess if configuration changes are required to improve client performance.
  • Page 508 The Wireless Client field displays the following: Client MAC: Displays the MAC address of the selected wireless client. Vendor: Displays the vendor name or the manufacturer of the wireless client. State: Displays the state of the wireless client. It can be idle, authenticated, roaming, associated or blacklisted.
  • Page 509 The RF Quality Index field displays the following: RF Quality Index: Displays information on the RF quality for the selected wireless client. The RF quality index is the overall effectiveness of the RF environment as a percentage of the connect rate in both directions, as well as the retry and error rate.
  • Page 510: Details

    Rx Errors: Displays the number of errors encountered during data transmission. The higher the error rate, the less reliable the connection or data transfer between the client and connected access point. Details “Wireless Client Statistics” The Details screen provides granular performance information on a selected wireless client. To view the details screen of an access point’s connected wireless client: 1 Select the Statistics menu from the Web UI.
  • Page 511 The User Details field displays the following: Username: Displays the unique name of the administrator or operator managing the client’s connected access point. Authentication: Lists the authentication scheme applied to the client for interoperation with the access point. Encryption: Lists the encryption scheme applied to the client for interoperation with the access point.
  • Page 512: Traffic

    Chapter 13: Statistics. Unscheduled APSD: Displays whether APSD is supported. APSD defines an unscheduled service period, which is a contiguous period of time during which the access point is expected to be awake. Displays the Association ID established by an AP. 802.11 association enables the access point to allocate resources and synchronize with a radio NIC.
  • Page 513 Wireless Client Statistics. Traffic Utilization statistics use a traffic index, which measures how efficiently the traffic medium is used. It is defined as the percentage of current throughput relative to the maximum possible throughput. This screen also provides the following: Total Bytes: Displays the total bytes processed by the access point’s connected client. Displays the total number of data packets processed by the wireless client.
  • Page 514: Wmm Tspec

    Chapter 13: Statistics. Rx Power Save Poll: Displays the power save using the Power Save Poll (PSP) mode. Power Save Poll is a protocol which helps to reduce the amount of time a radio needs to be powered. PSP allows the WiFi adapter to notify the access point when the radio is powered down.
  • Page 515 Wireless Client Statistics. 3 Select a client MAC address from those connected to the selected access point. 4 Select WMM TSPEC. 5 The TSPEC Count displays the number of TSPECs available for the client’s packet flow. 6 The TSPEC Type field displays the following: Displays the status of voice traffic prioritization.
  • Page 516: Association History

    Chapter 13: Statistics. Parameter: Displays the parameter for defining the traffic stream. TID identifies data packets as belonging to a unique traffic stream. Voice: Displays the voice corresponding to the TID and Media Time. Video: Displays the Video corresponding to the TID and Media Time. Displays the Best Effort corresponding to the TID and Media Time.
  • Page 517: Graph

    Wireless Client Statistics. 5 Refer to the following to discern this client’s access point association history: Access Point: Lists the access points this client has connected to, and been managed by, since the screen was last refreshed. BSSID: Displays the connected access point’s hardware-encoded MAC address as its hardware identifier.
  • Page 518 Chapter 13: Statistics. 5 Use the Parameters drop-down menu to define from 1 to 3 variables assessing signal noise, transmit or receive values. 6 Use the Polling Interval drop-down menu to define the interval at which the chart is updated. Options include 30 seconds, 1 minute, 5 minutes, 20 minutes or 1 hour.
  • Page 519: Registration

    APPENDIX. NOTE: Services can be purchased from Extreme Networks or through one of its channel partners. If you are an end-user who has purchased service through an Extreme Networks channel partner, please contact your partner first for support.
  • Page 520: Appendix A: Customer Support

    Appendix A: Customer Support Altitude 4000 Series Access Point System Reference Guide...