ADTRAN BlueSecure Controller Setup And Administration Manual

Software release version: 6.5

BlueSecure™ Controller
Setup and Administration Guide
Software Release Version: 6.5
Document Version: 6.5
Bluesocket, Inc.
10 North Avenue
Burlington, MA 01803 USA
+1 781-328-0888
http://www.bluesocket.com

Summary of Contents for ADTRAN BlueSecure Controller

  • Page 1 BlueSecure™ Controller Setup and Administration Guide Software Release Version: 6.5 Document Version: 6.5 Bluesocket, Inc. 10 North Avenue Burlington, MA 01803 USA +1 781-328-0888 http://www.bluesocket.com...
  • Page 2 Copyright Notice Copyright © 2001- 2009 Bluesocket, Inc. All rights reserved. No part of this document may be reproduced in any form or by any means, electronic or manual, including photocopying without the written permission of Bluesocket, Inc. The products described in this document may be protected by one or more U.S. patents, foreign patents, or pending patents.
  • Page 3: Table Of Contents

    Notational Conventions ..............xvii Related Documentation ..............xvii Terminology ..................xvii Chapter 1 An Overview of the BlueSecure Controller An Introduction to the BlueSecure WLAN Solution ........ 1-2 User Authentication ............... 1-2 RADIUS Accounting and Hotspot Support ........1-2 Role-based Authorization ............... 1-3 Remote Management ..............
  • Page 4 BSC-600/BSC-1200 Desktop Mounting ........2-10 BSC-2100 and BSC-2200/3200/5200 Desktop Mounting ..... 2-11 Rack-mounting the BlueSecure Controller........2-12 Connecting the BlueSecure Controller to Your Network ....... 2-13 Connecting the BSC to its Power Source..........2-13 Powering Down Your BSC ............... 2-14 Enabling Power over Ethernet on the BSC-600 and BSC-1200 .....
  • Page 5 Contents Recovery State................4-26 Configuring the Primary BSC............4-26 Completing the Failover Setup ............4-28 Configuring Static Routes ..............4-28 Configuring Multicast Routing ............4-30 Configuring AppleTalk Routing ............4-31 AppleTalk Networks: Key Concepts ..........4-31 Configuration Procedure .............. 4-33 Chapter 5 Authentication Using Internal Database Local BSC User Authentication ............
  • Page 6 Contents Creating a Schedule ..............8-17 Creating Schedule Groups ............8-19 Creating Locations and Location Groups ........... 8-19 Creating a User Location ............. 8-20 Creating User Location Groups............. 8-20 Chapter 9 Voice Over WLAN Support Configuring General VoWLAN Settings ..........9-2 Configuring Vendor-specific IP Phone Support........
  • Page 7 Contents RF Intrusion Detection/RF Containment .......... 12-3 Deploying BSAPs on the Same Layer-2 Subnet as the BSC ....12-3 Deploying BSAPs with Layer-3 Connectivity to the BSC......12-4 How a BSAP Discovers BSCs ............12-5 How a BSAP Selects a Home BSC ............ 12-6 Uploading BSAP Firmware Files ............
  • Page 8 Contents Verifying Your Load Sharing Configuration ........14-23 Chapter 15 Status Monitoring Active User Connections ..........15-2 Displaying Active User Status ............15-2 Forcing a User Logout ..............15-3 Monitoring a User’s IDS Status ............. 15-3 Monitoring Connected Access Points ..........15-4 Monitoring RF IDS Alarms ............
  • Page 9 Contents LANs vs. VLANs ................A-2 Tagging Formats ................A-2 The Bluesocket BSC VLAN Implementation........... A-2 Pass-Through VLANs ..............A-3 Termination VLANs ............... A-3 Initiation/Switched VLANs ............. A-4 Enforcing Network Usage Policies with VLANs........A-5 Appendix B Provisioning Network DHCP Servers to Support BSAPs Overview ..................
  • Page 10: Figures

    Contents Figures Figures x Figure 1-1: The Role of the Bluesocket BSC in a Wireless LAN ......1-2 Figure 1-2: The Bluesocket Secure Mobility MatriX Architecture......1-5 Figure 1-3: A Sample BSC User Login Page............1-6 Figure 1-4: Bluesocket BSC-5200 ..............1-7 Figure 1-5: Bluesocket BSC-2100 ..............
  • Page 11 Contents Admin Interface in Network Routing Table ........4-30 Figure 4-23: Figure 4-24: Enabling Multicast Routing ............4-31 Figure 4-25: Enabling AppleTalk Routing ............4-33 Figure 5-1: New Local User Page..............5-3 Figure 5-2: New MAC Device Page ..............5-5 Figure 6-1: New RADIUS Server Page .............
  • Page 12 Contents Figure 10-14: IPSec CSR Generated Page............10-23 Figure 10-15: Miscellaneous Settings Page ............10-24 Figure 11-1: Default User Login Page .............. 11-2 Figure 11-2: Elements of the User Login Page You Can Customize ...... 11-3 Figure 11-3: Create New Custom Login Page ........... 11-4 Figure 11-4: Custom Login Page - Edit HTML ............
  • Page 13 Contents Figure 14-20: Configuring Load Sharing on a Node ......... 14-22 Figure 14-21: Verifying the Protected Interface Address Settings ......14-24 Figure 14-22: Load Sharing Setup on the Load Sharing Master......14-24 Figure 14-25: Status Summary for an Operational LSG........14-25 Figure 14-26: Status Summary for a Load Sharing Failover Event ......
  • Page 14: Tables

    Contents Tables Table 1-1: Bluesocket BSC Model Specifications ..........1-9 Table 2-1: BSC-1200 Status LEDs ..............2-7 Table 2-2: BSC-600 Status LEDs ..............2-8 Table 3-1: Administrator Console Command Buttons and Icons ......3-11 Table 3-2: Sorting and Filtering Administrator Console Table Data ....3-12 Table 3-3: Administrator Console Page Controls ..........
  • Page 15: About This Guide

    About This Guide BlueSecure™ Controller Setup and Administration Guide provides complete instructions for installing, powering up, configuring, and managing the BlueSecure Controller. This section introduces the document and describes: • Audience • Document Organization • Notational Conventions • Related Documentation •...
  • Page 16 (SSL) certificate for user login, and hotspot account generation (i.e., end user credit card billing services). • Appendix A, "An Overview of Virtual LANs," describes the BlueSecure Controller implementation of virtual LANs (VLANs) on both the managed and protected sides of the network. • Appendix B, "Provisioning Network DHCP Servers to Support BSAPs,"...
  • Page 17: Notational Conventions

    IP address. Terminology For brevity, we use the term BSC to refer to the BlueSecure Controller product family as a whole, unless reference to a specific model is required. We use the term BSAP to refer to the BlueSecure Access Point product family as a whole, unless reference to a specific model is required.
  • Page 18 About This Guide A Glossary is included in this document that defines many terms and acronyms associated with the BlueSecure Controller, the BlueSecure Access Point, and wireless networks.
  • Page 19: An Overview Of The Bluesecure Controller

    An Overview of the BlueSecure Controller This chapter introduces you to the BlueSecure family of Controllers and Access Points: • An Introduction to the BlueSecure WLAN Solution • The BlueSecure WLAN Solution End-user Experience • BlueSecure Controller Models • Typical BlueSecure WLAN Solution Network Configurations...
  • Page 20: An Introduction To The Bluesecure Wlan Solution

    Chapter 1: An Overview of the BlueSecure Controller An Introduction to the BlueSecure WLAN Solution The BlueSecure Controller (BSC) product family—BSC-600, BSC-1200, BSC-2100, and BSC-2200/3200/5200 —provides a single scalable solution to the security, Quality of Service (QoS), and WLAN management issues facing institutions, enterprises, and service providers who deploy 802.11-based wireless networks.
  • Page 21: Role-Based Authorization

    Thus, unregistered users can be directed to a secured site to be granted free access or to sign up for “pay-for-use” services online. The BlueSecure Controller provides a hotspot account generation feature that enables you to link an existing online billing/payment transaction account to the BSC so as to allow your wireless end users to purchase and set up their own wireless network access accounts using a credit card.
  • Page 22: Rf Management

    Chapter 1: An Overview of the BlueSecure Controller BSAPs are simple to configure (“zero touch”) and require only minimal provisioning to make them fully operational on a WLAN secured and managed by a BlueSecure Controller. BSAPs can be directly attached to any existing Layer-2 or Layer-3 Ethernet switch and communicate with the BSC across any subnet boundary.
  • Page 23: Voip Protocols/Vowlan Support

    A transparent domain authentication means that the wireless user authentication process is no different than that on a wired user. The BlueSecure Controller is intelligent and identifies users who are trying to log into the domain and dynamically communicates with the domain controllers defined in the Bluesocket BSC configuration.
  • Page 24: Web-Based User Logins

    (i.e., physical interface, VLAN, or remote subnet) in your network. The Un-Registered Role: To enable use of web-based user logins, the BlueSecure Controller provides a default “un-registered” role. The un-registered role is a special role into which users/devices are placed after they get their IP address.
  • Page 25: Bluesecure Controller Models

    400/1500/4000 active users and 50/100/150 Access Points respectively. Figure 1-4: Bluesocket BSC-5200 The Bluesocket BSC-5200 BlueSecure Controller offers an open systems, enterprise-class WLAN solution to the administration, management, interoperability, quality of service (QoS) and security issues facing large enterprises deploying wireless LANs.
  • Page 26: Bluesocket Bsc-2100

    (both fiber and copper interfaces). The Bluesocket BSC-2100 supports up to 400 simultaneous users. Figure 1-5: Bluesocket BSC-2100 Bluesocket BSC-1200 The BSC-1200 BlueSecure Controller is designed to support entire office floors or buildings with up to 200 users. Figure 1-6: Bluesocket BSC-1200 Bluesocket BSC-600...
  • Page 27: Bluesocket Bsc Model Specifications

    BlueSecure Controller Models option is available to support direct connection of PoE access points like the BlueSecure 1500 Access Point via the front-panel ports. Figure 1-7: Bluesocket BSC-600 Bluesocket BSC Model Specifications All products in the Bluesocket BSC family share the same HTML-based administrator console and software functions, and vary only in the number of users supported, data throughput, form factor, and network ports.
  • Page 28: Typical Bluesecure Wlan Solution Network Configurations

    Chapter 1: An Overview of the BlueSecure Controller Typical BlueSecure WLAN Solution Network Configurations Typically, you will install and configure Bluesocket BSCs in one of the following network configurations: • single BSC configuration • multiple BSC configuration • failover BSC configuration...
  • Page 29: Multiple Bscs

    Typical BlueSecure WLAN Solution Network Configurations authentication for those devices by following the steps listed in “Defining MAC Address Authentication” on page 5-5. Optional. Configure the following options as required for your BSC network: • When setting up authentication via LDAP/Active Directory over SSL; Cosign, Pubcookie, or CAS authentication over SSL;...
  • Page 30: Figure 1-9: Failover Within A Bsc Pair

    Chapter 1: An Overview of the BlueSecure Controller Within either single- or multiple-BSC networks, you can set up pairs of redundant BSCs (must be the same model) to achieve fault tolerance as shown in Figure 1-8. Within a failover configuration, the primary BSC is active and the secondary BSC is idle.
  • Page 31: Installation

    Preparing Your Network • Environmental, Rack, Space, and Power Requirements • Mounting the BlueSecure Controller Chassis • Connecting the BlueSecure Controller to Your Network • Connecting the BSC to its Power Source • Powering Down Your BSC • Enabling Power over Ethernet on the BSC-600 and BSC-1200 •...
  • Page 32: Overview Of The Installation Procedure

    “Environmental, Rack, Space, and Power Requirements” on page 2-10. Mount the BSC chassis in the selected installation location as described in “Mounting the BlueSecure Controller Chassis” on page 2-10. Connect the BSC to your network by connecting cables to: protected side •...
  • Page 33 Safety Precautions • Do not allow liquid to enter the Bluesocket BSC chassis, and do not operate the system in a wet environment. If the Bluesocket BSC gets wet, contact Bluesocket. • Do not push any objects into the BSC chassis vents or openings. Doing so can result in fire or electrical shock.
  • Page 34: Bsc-2200/3200/5200 Displays, Controls, And Connectors

    Chapter 2: Installation BSC-2200/3200/5200 Displays, Controls, and Connectors The following figure shows the Bluesocket BSC-5200 front and rear panel displays, controls, and connectors. Figure 2-1: BSC-2200/3200/5200 Displays, Controls, and Connectors Status LEDs The Bluesocket BSC-2200/3200/5200 provides the following front-panel status LEDs: •...
  • Page 35: Bsc-2100 Displays, Controls, And Connectors

    BSC-2100 Displays, Controls, and Connectors Admin Port Use the Admin port to manage your controller without needing to be connected to the managed or protected ports. The admin port allows for HTTPS access and SSH access. This port doesn’t support mobility, routing, VLANs or firewalling. Managed Ports Use the Managed Port to connect the BSC to the managed side (i.e., the wireless side) of your network via Ethernet.
  • Page 36: Bsc-1200 Displays, Controls, And Connectors

    Chapter 2: Installation The BSC provides a 2x16 character, liquid crystal display (LCD) to display the IP address configured for its protected interface. Power Control If the BSC is running and you press the front-panel Power button, the BSC will stop all active services after a slight delay.
  • Page 37: Figure 2-3: Bsc-1200 Displays, Controls, And Connectors

    BSC-1200 Displays, Controls, and Connectors Figure 2-3: BSC-1200 Displays, Controls, and Connectors Status LEDs The following table summarizes the status indicated by the Bluesocket BSC-1200 BlueSecure Controller light emitting diodes (LEDs). Table 2-1: BSC-1200 Status LEDs 100/Status Link/Activity System Lights to indicate the BSC system is running and Flickers when the BSC is writing data to or its CPU is active.
  • Page 38: Bsc-600 Controls And Connectors

    Serial Port On/Off & Restart Controls Figure 2-4: BSC-600 LEDs, Controls, and Connectors Status LEDs The following table summarizes the status indicated by the Bluesocket BSC-600 BlueSecure Controller light emitting diodes (LEDs). Table 2-2: BSC-600 Status LEDs Color Description Power Blue Indicates that the unit is powered up.
  • Page 39: Preparing Your Network

    Ethernet. The BSC-600 Protected Port is equipped with a copper, RJ-45 10/100 Mbps Fast Ethernet connector. Preparing Your Network Verify the following before attempting to install and connect your BlueSecure Controller: • You have installed and configured your access points (APs) to enable wireless access to your network. You will connect the BSC to the APs either directly, or via a hub or...
  • Page 40: Environmental, Rack, Space, And Power Requirements

    There is at least 15 inches/381 mm of clearance in front of and behind the rack. This space is required to connect and disconnect network cables. AC Power Ensure that the BlueSecure Controller AC power source meets the following specifications: AC input voltage: dedicated, grounded, single-phase circuit 100 to 240 VAC AC frequency: 50 to 60 Hz.
  • Page 41: Bsc-2100 And Bsc-2200/3200/5200 Desktop Mounting

    After mounting the BSC chassis on the desktop, connect the BSC to your network as described in “Connecting the BlueSecure Controller to Your Network” on page 2-13, and then power up the BSC by following the procedure given in “Connecting the BSC to its Power Source”...
  • Page 42: Rack-Mounting The Bluesecure Controller

    Secure the BSC’s mounting brackets to the rack rails using the appropriate hardware. Figure 2-8: Attaching the Mounting Brackets to the BSC Chassis After rack-mounting the BSC chassis, connect the BSC to your network as described in “Connecting the BlueSecure Controller to Your Network” on page 2-13, and then power 2-12...
  • Page 43: Connecting The Bluesecure Controller To Your Network

    AC frequency: 50 to 60 Hz. Switch the AC power switch located on the BSC rear panel to the ON position (|). BlueSecure Controller models BSC-1200 power up. You must complete step 5 to power up the BSC-2100 and BSC-2200/3200/5200.
  • Page 44: Powering Down Your Bsc

    Caution: Never use the BSC-2100’s front-panel Reset button or rear-panel power switch to power down the BlueSecure Controller. Likewise, never use the BSC-2200/3200/5200’s rear-panel power switch to power down the BlueSecure Controller. Failing to power down the BSC using its software shutdown function or the shutdown procedure listed below may render the BSC un-bootable.
  • Page 45: Led Run Time Mode For Bsc-600 And Bsc-1200

    LED Run Time Mode for BSC-600 and BSC-1200 Follow these steps to enable IEEE 802.3af Power-over-Ethernet support on the four front- panel BSC-600/1200 Controller Managed ports: Connect the PoE power supply included in your BSC-600/1200 distribution to a grounded, 85 to 246 VAC power source. Connect the PoE power supply’s three-pin connector to the mating connector located on the back of the BSC-600/1200’s chassis as shown in Figure 2-9.
  • Page 46 Chapter 2: Installation The fault light will be lit for a few seconds after an AP is disconnected. 2-16...
  • Page 47: Administrator Console

    Administrator Console The BlueSecure Controller provides an intuitive, easy-to-use, administrator console that you can access using any web browser. The administrator console enables you to configure the BSC for use in your network and perform general BSC administrative tasks. This chapter presents an overview of the BSC administrator console and includes: •...
  • Page 48: Logging Into The Administrator Console For The First Time

    Chapter 3: Administrator Console Logging Into the Administrator Console for the First Time You may access the Bluesocket BSC administrator console using any web browser (e.g., Microsoft Internet Explorer, Netscape Navigator, etc.). To access the BSC administrator console for the first time: 1.
  • Page 49: Logging Out Of The Administrator Console

    Using and Managing Administrator Accounts 5. Acknowledge License Agreement: A dialog appears displaying the Bluesocket End User License Agreement. Read and acknowledge the license agreement, and then close the dialog. 6. Change Password: Change your password when prompted to do so. Enter the default password in the Password field, your new password in the New Password and Re-Enter New Password fields, and then click Log in >.
  • Page 50: Adding A New Administrator Account

    Chapter 3: Administrator Console • monitor - enables you to view but not change current BSC parameter settings. The default password for the monitor account is blue. If you are setting up or changing a BSC configuration, you can log into the administrator console using the pre-defined admin account.
  • Page 51: Changing An Administrator Password

    Using and Managing Administrator Accounts Figure 3-3: New Admin User Page Changing an Administrator Password To change the password for an administrator account: Click the User authentication tab in the BSC administrator console, and then click the Administrative User tab. Click the icon for the administrator whose password you wish to change.
  • Page 52: Changing Your Login Password

    Chapter 3: Administrator Console Changing Your Login Password For security purposes, we recommend that you periodically change the password you use to access the BSC administrator console. Also, be sure to change the password assigned to the predefined admin and monitor accounts. Be sure you record your account username and password in a safe location that you can easily access.
  • Page 53: Figure 3-5: Security Certificate Alert

    Installing the Bluesocket SSL Certificate Figure 3-5: Security Certificate Alert Note: As an alternative to installing the Bluesocket SSL certificate, you can acquire an SSL login certificate from another CA provider, and then upload the certificate to the BSC. See “Installing a Custom SSL Login Certificate” on page 11-22 for information about installing a custom SSL login certificate.
  • Page 54: An Overview Of The Tabs On The Console

    Chapter 3: Administrator Console An Overview of the Tabs on the Console Information in the BSC administrator console is presented as a series of tabbed pages as shown in Figure 3-7. Display Menu Context Sensitive Main Page Logout Column Heading Check to Help Hierarchy...
  • Page 55: Read-Only Pages (Replication Nodes Only)

    Obtaining Online Help Voice Configure how voice traffic is passed through and managed by the BlueSecure Controller, and enable support for specific models of IP phones. General Perform general BSC administrative tasks such as: configuring the HTTP server, enabling and configuring the Integrity Clientless Security endpoint scanning functionality, configuring the Intrusion Detection System (IDS), configuring the SNMP agent, scheduling automatic backups of the BSC database, setting the BSC system time, defining BSC logging, configuring public access, specifying system resource thresholds, defining DNS...
  • Page 56: Site Map

    Chapter 3: Administrator Console Site Map Click on the Site Map link to display a clickable site map (the Site Map link is located in the upper right corner of the display, between the Sign in/out and Help links): Figure 3-8: Site Map 3-10...
  • Page 57: Error Checking On Page Forms

    Error Checking on Page Forms Error Checking on Page Forms Required form elements are marked with a blue bounding box. Once a user enters a value and moves to the next form element on the page, the system validates the previous form element.
  • Page 58: Sorting And Filtering Table Data

    Chapter 3: Administrator Console Table 3-1: Administrator Console Command Buttons and Icons Command Button Click to ... or Icon Edit the BSC database record displayed in the corresponding table row. Log out the BSC user listed in the corresponding table row. Display the report listed in the corresponding table row.
  • Page 59: Paging Through Data

    Paging Through Data Figure 3-9: Customizing the Presentation of Table Data Select the column(s) you wish to hide and then click Remove highlighted items. Click Remove all items in list to hide all table columns. Specify column order by ordering the columns in the Selected Items pane. The top column represents the first (i.e.
  • Page 60: Downloading Administrator Console Data

    Chapter 3: Administrator Console Table 3-4: Administrator Console Font Controls Font Control Click to ... Increase or decrease screen text point size. Downloading Administrator Console Data You can download the administrator console page data you are currently viewing from the BSC to your computer or another computer to which you have network connectivity. You can save download page data to a CSV (comma separated values) or an HTML file.
  • Page 61: Restarting The Bsc To Activate Configuration Information

    Restarting the BSC to Activate Configuration Information Figure 3-10: Using the Pop Up List Feature Restarting the BSC to Activate Configuration Information After entering new or updated BSC parameter values on an administrator console page, you normally click Save (or Save and Create Another) to save the configuration data to the BSC database.
  • Page 63: Networks

    Networks This chapter covers the following topics: • Defining the BSC Protected Physical Interface • Configuring the BSC Managed Interface • Configuring the Admin Interface • Configuring Failover Parameters • Configuring Static Routes • Configuring Multicast Routing • Configuring AppleTalk Routing BlueSecure™...
  • Page 64: Defining The Bsc Protected Physical Interface

    Chapter 4: Networks Defining the BSC Protected Physical Interface You must configure the BSC to communicate with the protected (i.e., wired) side of your network. The protected side of your network includes your enterprise servers and resources. Specify the following sections as required and click Save to store the information to the BSC database.
  • Page 65 Defining the BSC Protected Physical Interface Obtain IP Not Using DHCP. If you are assigning IP settings manually: settings from a Clear the Obtain IP settings from a DHCP server for the interface checkbox. DHCP server for Enter default IP settings for the interface as explained in Fallback IP Settings. the interface Using DHCP.
  • Page 66 Chapter 4: Networks interface as a trunk port. One ISP should be reachable from the protected physical interface and one from the protected VLAN. Protected Physical Egress VLAN: Enter the VLAN id for the secondary interface to share traffic Configure ISP1 “Ping Address”: Enter the IP to ping to determine if the primary (protected physical) route is alive.
  • Page 67: Creating A Vlan On The Protected Side (Optional)

    Defining the BSC Protected Physical Interface Physically configure links, choosing one of the following configurations: • Top/Down – The protected physical port and the E2 interface are one trunk. The managed physical port and the E1 interface are one trunk. This logically groups the ports together on the same NIC.
  • Page 68: Figure 4-3: Create A Protected Vlan Page

    Chapter 4: Networks VLAN Settings Ensure you have set up the protected physical interface as described in “Defining the BSC Protected Physical Interface” on page 4-2. The Enable checkbox is marked by default to make the protected VLAN available. Enter the protected VLAN settings, as described below: •...
  • Page 69: Configuring A Protected Virtual Interface (Optional)

    Configuring the BSC Managed Interface Configuring a Protected Virtual Interface (Optional) This is an advanced BSC configuration feature that enables you to set up a protected-side virtual interface for protected-side resources that would benefit from being on a subnet that differs from the BSC protected physical or VLAN interfaces. For example, you might want to isolate protected side components from wireless users by isolating them on different subnets so as to make it more difficult for the users to find and gain unauthorized access.
  • Page 70: Figure 4-5: Edit Managed Interface (Eth1) Page

    Chapter 4: Networks Figure 4-5: Edit Managed Interface (eth1) Page If you are not running a DHCP server on your network, or if you want to conserve IP addresses or “hide” users on a private IP subnet, you can configure the BSC to dynamically assign addresses to wireless clients via its resident DHCP server or you can assign fixed IP addresses to wireless clients, or you can do both.
  • Page 71: Configuring Wireless Client Ip Address Assignment

    Configuring the BSC Managed Interface It is possible to configure client addressing on the managed side of the network for both dynamic and fixed assignment. However, if both assignment modes are configured, the wireless client’s fixed IP address always takes precedence. •...
  • Page 72: Figure 4-6: Completed Dhcp Relay Options

    Chapter 4: Networks This checkbox marked by default List DHCP Servers Figure 4-6: Completed DHCP Relay Options Note: You must assign a fixed address to the managed interface. IP Address & Netmask: To assign a fixed IP address to the managed interface, complete these two fields: Enter the IP Address of the BSC managed interface in four-byte, dotted-decimal format;...
  • Page 73 Configuring the BSC Managed Interface so, select the default user role from the Default role drop-down list. The selected default role is the role the BSC assigns the user if none of the rules is true. Port settings: Ignore link down error on this interface: Mark this checkbox if all BSAPs are connected to the protected interface to prevent failover and the logging of managed interface link down errors (Not applicable on the BSC-600).
  • Page 74: Figure 4-7: Enabling The Bsc Dhcp Server

    Chapter 4: Networks Clear this Checkbox Mark this Checkbox Figure 4-7: Enabling the BSC DHCP Server NAT the addresses to the protected: Mark this checkbox to activate Network Address Translation (NAT) to map all client IP addresses on the managed side to the IP address of the BSC protected interface. Clear this checkbox to disable NAT....
  • Page 75: Figure 4-8: Dhcp Settings For Managed Interface (Eth1) Page

    Configuring the BSC Managed Interface Address range to exclude: Optional. If you have IP addresses that are reserved for particular devices and do not want these addresses available for DHCP assignment, then enter the range of addresses to exclude from first to last, such as 192.168.162.22 to 192.168.162.27.
  • Page 76 Chapter 4: Networks Dynamic DNS Mechanism by which the DNS server learns the assigned IP address and fully qualified domain name of a wireless client. There are three options: • Ad Hoc - DNS server looks for a valid host name as specified in the FQDN option and in the client hostname option sent by the client.
  • Page 77 Configuring the BSC Managed Interface Use the Fixed IP address assignments table (as shown in Figure 4-9), to manage devices that require fixed IP addresses (e.g., access points and bar code scanners) on the managed side of the BSC network. Note: If you have many fixed IP address users to configure, you can speed up the process by configuring a few users using the procedure described below, exporting the fixed IP address configuration to a .CSV or XML file, appending new data to the file, and then re-...
  • Page 78: Figure 4-9: Fixed Ip Address Assignments For Wireless Clients

    Chapter 4: Networks Note: Use care when choosing a specific role rather than Authenticate. The Specific Role option allows network transmission via MAC addresses, which is inherently less secure than the Authenticate option. The following figure shows an example of fixed IP address assignments on the Edit Managed interface page.
  • Page 79: Creating A Vlan On The Managed Side Of Your Network

    Configuring the BSC Managed Interface Figure 4-10: NAT Settings for Managed Interface Page Supply the following information for each managed side-to-protected side address mappings: • Protected address - Enter a free (i.e., unused) address from the BSC’s protected interface subnet. •...
  • Page 80: Figure 4-11: Create A Managed Vlan Page

    Chapter 4: Networks Set up the managed physical interface as described in “Configuring a DHCP Relay Agent” on page 4-9 and in “Configuring the BSC DHCP Server” on page 4-11. Select Managed-side VLAN from the Create drop-down list on the Network page. The Create a Managed VLAN page appears as shown in Figure 4-11.
  • Page 81: Configuring A Managed Remote Subnet

    Configuring the BSC Managed Interface • VLAN Type - The type of VLAN to create. Currently the IEEE 802.1q VLAN standard is the only VLAN type supported. Automatically Add Location Element for this VLAN - Checked by default. Automatically create/edit a Location when the VLAN itself is changed. If a Location does not exist, the Location is created with this VLAN ID, using the same name as the Managed VLAN.
  • Page 82: Figure 4-13: Create A Managed Remote Subnet Page

    Chapter 4: Networks Select Managed-side Remote Subnet from the Create drop-down list on the Network page. The Create a Managed Remote Subnet page appears as shown in Figure 4-13. Figure 4-13: Create a Managed Remote Subnet Page The Enable checkbox is marked by default to make the managed remote subnet available to wireless clients.
  • Page 83: Figure 4-14: Dhcp Settings For New Managed Remote Subnet Page

    Configuring the BSC Managed Interface • Netmask of Remote Subnet - When handing out addresses to wireless clients via DHCP, the BSC must include the clients' netmask address. This is the netmask address that is assigned to clients on the managed remote subnet. •...
  • Page 84 Chapter 4: Networks • Address range to dynamically assign - Optional. Enter the range of addresses that DHCP can assign within a network address space from first to last, such as 192.168.162.20 to 192.168.162.50. Leaving this field blank means that DHCP can assign any addresses within the subnet defined by the IP address and Netmask fields on the Edit managed interface (eth1) page.
  • Page 85: Configuring A Managed Virtual Interface

    Configuring the BSC Managed Interface associated with the option in the Code field, and select the option’s datatype from the Data Type menu. • Enter the value to which to set the predefined or custom DHCP server option in the Value field. The entered value must correspond to the datatype selected for the option.
  • Page 86: Configuring The Admin Interface

    Chapter 4: Networks The Enable checkbox is marked by default to make the managed virtual interface available to wireless clients. Clearing the checkbox makes the managed virtual interface unavailable. Complete the following options as appropriate for your network. • Name - Enter a unique name for the managed virtual interface. •...
  • Page 87: Configuring Failover Parameters

    Disconnecting the managed or protected interface cable will cause a failover. The secondary BlueSecure Controller becomes active with the same MAC addresses, the same IP addresses, the same software and patches, the same configuration and the active connections table as the primary BlueSecure Controller.
  • Page 88: Normal Operation

    • Dedicated VLAN for the failover ports only Normal Operation Within a failover configuration, the primary BlueSecure Controller is normally active and the secondary BlueSecure Controller is idle, as shown in Figure 4-17. Figure 4-17: Failover - Normal State Failover State When the secondary BSC takes over, its role changes and it functions as the primary, as shown in Figure 4-18.
  • Page 89: Figure 4-18: Failover - Failover State

    Configuring Failover Parameters Figure 4-18: Failover - Failover State Figure 4-19: Failover - Recovery State Click the Network tab in the BSC administrator console, and then click the Failover tab on the Network page. The Edit Failover (Eth2) settings page appears as shown in Figure 4-20. Configure the BSC failover interface settings as described below: •...
  • Page 90: Completing The Failover Setup

    Chapter 4: Networks Figure 4-20: Edit Failover (Eth2) Page • Primary machine identifier - Enter the MAC address of the primary BSC. In the event of a failover, this entry is used to identify the primary BSC for the administrator, because the rest of the configuration parameters are identical on both primary and secondary.
  • Page 91: Figure 4-21: Sample Bsc Routing Table

    Configuring Static Routes Figure 4-21: Sample BSC Routing Table To enable outbound administrator traffic from the Admin interface, a static route must be configured. This is required because the BSC keeps a routing table for the Admin interface that is separate from the one used by the rest of the box. Rarely, you may need to add a static route to a special network destination that is not normally included in the routing table.
  • Page 92: Configuring Multicast Routing

    Chapter 4: Networks Enter the IP address of the gateway through which traffic is routed to the destination network in the Route Gateway field. This gateway must be on the same subnet as the IP address of the specified Interface. Enter a bit mask that specifies the bits in the IP address that correspond to the network address and to the subnet portion of the destination network IP address.
  • Page 93: Configuring Appletalk Routing

    Configuring AppleTalk Routing Figure 4-24: Enabling Multicast Routing You can configure a default Rendezvous Point for group address “224.0.0.0” with a network mask of “240.0.0.0.” Repeat steps 1 to 4 for each multicast group for which you wish to route multicast traffic through the BSC.
  • Page 94 Chapter 4: Networks where to send each packet of data. Each physical network must have one or more seed routers that broadcast the routing information for that network. Not all routers must be seed routers. Routers that are not seed routers maintain a map of the physical networks on the internet and forward data to the correct physical network.
  • Page 95: Configuration Procedure

    Configuring AppleTalk Routing Configuration Procedure You must enable at least two BSC interfaces to support AppleTalk routing. If there is no other seed router, a managed side interface should be configured as a seed router. A protected side interface should be configured as a non-seed router. You can enable AppleTalk routing globally for all roles on the BSC or only for selected roles.
  • Page 96 Chapter 4: Networks Specify what version of AppleTalk is to be supported, Phase 1 or Phase 2, by selecting an option from the Phase menu. For seed interfaces, assign a range of network addresses to assign to the interface by entering a valid range in the Net Begin and Net End fields, e.g., 20301 - 20310, or assign a single unique address to the interface using the Address field.
  • Page 97: Authentication Using Internal Database

    Authentication Using Internal Database Follow the procedures given in this chapter if: • You are using the BSC's internal database for user authentication. We refer to users who are authenticated against the BSC’s internal database as “local” or “native” BSC users. •...
  • Page 98: Local Bsc User Authentication

    The wireless device associates with an access point on the managed network and obtains an IP address from the BlueSecure Controller. The BlueSecure Controller adds the device MAC address and IP address to its active connections table and assigns the device to the unregistered role. The unregistered role allows DNS traffic from the managed network to transit the BSC firewall and reach the protected network.
  • Page 99: Figure 5-1: New Local User Page

    Creating/Editing/Deleting a Local User Account Figure 5-1: New Local User Page To edit an existing user account, click the icon corresponding to the user whose password you wish to change. The “Edit the local user” page appears; refer to the figure below for the New local user page, since the Edit page is identical. Mark the Enable user radio button to make the user account available for use.
  • Page 100 Chapter 5: Authentication Using Internal Database To enable RADIUS accounting for this user, select the name of the external RADIUS accounting server from the Accounting server drop-down list. See Chapter 7, "RADIUS Accounting," to configure a new RADIUS accounting server for selection in the drop-down list.
  • Page 101: Defining Mac Address Authentication

    Defining MAC Address Authentication You may be prompted to restart the BSC. We recommend that you do not restart the BSC until you have completely finished configuring the BSC for use in your network. Defining MAC Address Authentication Follow the procedure in this section if you have wireless devices that the BSC can authenticate only by using their device media access control (MAC) address.
  • Page 102 Chapter 5: Authentication Using Internal Database Acceptable MAC address delimiters are colons (00:03:4a:3b:4F:02) or hyphens (00-03-4a-3b-4F-02). The % wildcard character is supported in place of any alphanumeric field in the MAC Address. The '%' character will match any character. You need exactly one '%' for each character you are matching.
  • Page 103 Defining MAC Address Authentication You may be prompted to restart the BSC. We recommend that you do not restart the BSC until you have completely finished configuring the BSC for use in your network.
  • Page 105: Authentication Using External Servers

    Authentication Using External Servers Follow the procedures given in this chapter if you are using an external server for user authentication. This chapter covers the following topics: • An Overview of External User Authentication • iPass Client Authentication • RADIUS Authentication •...
  • Page 106: An Overview Of External User Authentication

    The wireless device associates with an access point on the managed network and obtains an IP address from the BlueSecure Controller. The BlueSecure Controller adds the device MAC address and IP address to its active connections table and assigns the device to the unregistered role. The unregistered role allows DNS traffic from the managed network to transit the BSC firewall and reach the protected network.
  • Page 107: Figure 6-1: New Radius Server Page

    RADIUS Authentication Figure 6-1: New RADIUS Server Page To configure an external RADIUS authentication server and define the rules used for authentication: Displaying the New RADIUS server page: Click the User authentication tab in the BSC administrator console, and then select External RADIUS Authentication from the Create drop-down list on the User authentication page.
  • Page 108 Chapter 6: Authentication Using External Servers Name Enter a meaningful name for the external RADIUS authentication server. Note: As described in the previous section, if you wish to authenticate iPass clients who attempt to log into the BSC, you must include the word “iPass” in the name you assign to the external RADIUS authentication server.
  • Page 109 RADIUS Authentication See “RADIUS Accounting” on page 7-1 to configure a new RADIUS accounting server for selection in the drop-down list. Alternatively, you can select the Create… option to open a window that enables you to configure a new RADIUS accounting server. After you save the server information, you are returned to the New RADIUS server page where you can select the RADIUS accounting server from the drop-down list.
  • Page 110: Ldap/Active Directory Authentication

    LDAP servers. The Microsoft Active Directory Server LDAP implementation uses sAMAccountName as the unique identifier. The BlueSecure Controller must bind to the LDAP server to look up the user in the LDAP database. The BlueSecure Controller can use anonymous binding when it is supported by the LDAP server.
  • Page 111: Figure 6-2: New Ldap/Active Directory Server Page

    LDAP/Active Directory Authentication Figure 6-2: New LDAP/Active Directory Server Page To configure an external LDAP/Active Directory authentication server and define the rules used for authentication:
  • Page 112 Chapter 6: Authentication Using External Servers Displaying the New LDAP/active directory server page: Click the User authentication tab in the BSC administrator console. Select External LDAP/Active Directory Authentication from the Create drop-down list on the User authentication page. The New LDAP/active directory server page appears as shown in Figure 6-2.
  • Page 113 LDAP/Active Directory Authentication on page 7-1 to configure a new RADIUS accounting server for selection in the drop-down list. Alternatively, you can select the Create… option to open a window that enables you to configure a new RADIUS accounting server. After you save the server information, you are returned to the New LDAP/Active directory server page where you can select the RADIUS accounting server from the drop-down list.
  • Page 114: Sip2 Authentication

    Chapter 6: Authentication Using External Servers The user can click on the link to go to the URL, but they are not automatically redirected to that link. Location: Optional. Specify the user location from which the LDAP/active directory authentication request must originate by selecting a defined user location from the Location drop-down menu.
  • Page 115: Figure 6-3: New Sip2 Server Page

    SIP2 Authentication Figure 6-3: New SIP2 Server Page Displaying the New SIP2 server page: Click the User authentication tab in the BSC administrator console. Select External SIP2 Authentication from the Create drop-down list on the User authentication page. The New SIP2 server page appears as shown in Figure 6-2. Enable server: The Enable checkbox is marked by default to make the server available for user authentication.
  • Page 116: Ntlm Authentication

    Chapter 6: Authentication Using External Servers Alternatively, you can select the Create … option to open a window that enables you to define a new role. After you save the role information, you are returned to the SIP2 page where you can select the role from the drop-down list. Optional.
  • Page 117 NTLM Authentication Displaying the New NTLM server page: Click the User authentication tab in the BSC administrator console. Select External NTLM Authentication from the Create drop-down list on the User authentication page. The New NTLM server page appears as shown in Figure 6-4. Enable server: The Enable checkbox is marked by default to make the server available for user authentication.
  • Page 118: Transparent Ntlm Authentication

    Chapter 6: Authentication Using External Servers returned to the New NTLM server page where you can select the role from the drop-down list. Optional. Use the commands included in the Row Management drop-down list to change the order of rules, add new blank rules, clear rule data, or delete a rule, etc. Remember, the BSC evaluates rules in the order in which they are listed here on the New NTLM server page.
  • Page 119: Figure 6-5: New Transparent Ntlm Windows Server Page

    Transparent NTLM Authentication Figure 6-5: New Transparent NTLM Windows Server Page Displaying the Transparent NTLM Windows server page: Click the User authentication tab in the BSC administrator console. Select Transparent NTLM Windows Authentication from the Create drop-down list on the User authentication page. The New Transparent NTLM Windows server page appears as shown in Figure 6-5.
  • Page 120 Chapter 6: Authentication Using External Servers NTLM username to ignore (Optional): Enter any generic, client-supplied NTLM login ID that should be ignored in the field. Some clients send additional credentials after authenticating via NTLM. For example, SMS clients will authenticate to another network device using a generic username having the prefix SMSClient_.
  • Page 121: Transparent 802.1X Authentication

    Transparent 802.1x Authentication Transparent 802.1x Authentication 802.1x is an IEEE standard that enables authentication and key management for LANs. Although originally designed as a port authentication scheme for wired networks, it has recently been applied to address some security issues surrounding wireless LANs. 802.1x uses the Extensible Authentication Protocol (EAP) as a framework for authentication, allowing it to leverage a variety of existing EAP methods and authentication servers.
  • Page 122: Figure 6-7: New Transparent 802.1X Server Page

    Chapter 6: Authentication Using External Servers Figure 6-7: New Transparent 802.1x Server Page Transparent 802.1x server page: Click the User authentication tab in the BSC administrator console. Select Transparent 802.1x Authentication from the Create drop-down list on the User authentication page. The New Transparent 802.1x server page appears as shown in Figure 6-7.
  • Page 123: The Bsc Internal 802.1X Authentication Server

    The BSC Internal 802.1x Authentication Server • RFC822 - Use for TLS EAP methods only. This is the Subject Alternative Name (RFC822) which may be contained in the user's TLS certificate. • You can also enter RADIUS attributes here for matching. Select the appropriate logic operator (equal to, not equal to, starts with, ends with, contains, or [is a role]) from the Logic drop-down list.
  • Page 124: Figure 6-8: Edit The Local 802.1X Server Page

    Chapter 6: Authentication Using External Servers Figure 6-8: Edit the Local 802.1x Server Page 6-20...
  • Page 125 The BSC Internal 802.1x Authentication Server or TTLS Protocol and pass the inner authentication protocol on to an external RADIUS server or the BSC’s own local user database for user authentication. To configure the BSC’s Internal 802.1x Authentication Server: Edit the Local Click the User authentication tab in the BSC administrator console.
  • Page 126 Chapter 6: Authentication Using External Servers Many other LDAP servers (e.g., Windows 2000/2003 Server Active Directory LDAP server) are not designed to store the user password in an MD4 hashed format. This necessitates the manual or automated conversion of the user password from clear text to an MD4 hash.
  • Page 127: Kerberos Authentication

    Kerberos Authentication Saving the settings: Click Save to store the information to the BSC database. You may be prompted to restart the BSC. We recommend that you do not restart the BSC until you have completely finished configuring the BSC for use in your network. Kerberos Authentication Kerberos is a network authentication protocol that was created by MIT as a solution to network security problems.
  • Page 128: Cosign Authentication

    Chapter 6: Authentication Using External Servers The Port number should be 88, the value assigned to Kerberos by the Internet Assigned Number Authority. Enter the Kerberos realm name in the Realm Name field. In Kerberos, realm names are case sensitive. While it is strongly encouraged that all realm names be uppercase, this recommendation has not been adopted by all sites.
  • Page 129: Figure 6-10: New Cosign Server Page

    Cosign Authentication Figure 6-10: New Cosign Server Page Cosign client web servers do not need to run SSL; sniffed cookies will compromise only the non-SSL-protected service, not the entire Cosign infrastructure. Cosign is compatible with common SSL accelerators and clustering load balancers. All Cosign client web servers use a central Cosign server to authenticate users.
  • Page 130 Chapter 6: Authentication Using External Servers Displaying the New Cosign server page: Click the User authentication tab in the BSC administrator console. Select External Cosign Authentication from the Create drop-down list on the User authentication page. The New Cosign server page appears as shown in Figure 6-10. Enable server: The Enable checkbox is marked by default to make the server available for user authentication. Name...
  • Page 131: Pubcookie Authentication

    Pubcookie Authentication Alternatively, you can select the Create New… option to open a window that enables you to define a new role. After you save the role information, you are returned to the New Cosign server page where you can select the role from the drop-down list.
  • Page 132: Figure 6-11: New Pubcookie Server Page

    Chapter 6: Authentication Using External Servers Figure 6-11: New Pubcookie Server Page Displaying the New Pubcookie server page: Click the User authentication tab in the BSC administrator console. Select External Pubcookie Authentication from the Create drop-down list on the User authentication page.
  • Page 133 Pubcookie Authentication Key server address: Enter the Pubcookie key server IP address. Port: Enter port on which the Pubcookie key server is communicating. The default value is 2222. BSC SSL client certificate: Select the digital certificate to use to validate cookies from the login server from the drop-down menu.
  • Page 134: Cas Authentication

    Chapter 6: Authentication Using External Servers You may be prompted to restart the BSC. We recommend that you do not restart the BSC until you have completely finished configuring the BSC for use in your network. CAS Authentication The Central Authentication Server (CAS) is designed as a standalone web application to: facilitate single sign-on across multiple web applications and core services that aren't necessarily web-based but have a web front end, provide trusted and untrusted services, authenticate users without having access to their passwords, simplify procedures that...
  • Page 135 CAS Authentication Once primary authentication is complete, the CAS redirects the user's browser back to the application from which it came adding the ticket as a request parameter. The application service just needs to validate the ticket once it receives it. It does so by passing it as the ticket parameter to the validation URL.
  • Page 136: Ipass Client Authentication

    Chapter 6: Authentication Using External Servers Enter the appropriate value to check against the specified attribute in the Value field. Select the role to assign to the user if the rule evaluates as true and the user is authenticated from the Role drop-down list. See “Defining User Roles to Enforce Network Usage Policies”...
  • Page 137: Figure 6-13: Enabling Transparent Certificate Authentication

    Transparent Certificate Authentication Figure 6-13: Enabling Transparent Certificate Authentication To configure transparent certificate authentication: Displaying the Transparent Certificate server page: Click the User authentication tab in the BSC administrator console. Select Transparent Certificate Authentication from the Create drop-down list on the User authentication page. The New Transparent Certificate server page appears as shown in Figure 6-13.
  • Page 138: Testing An External Authentication Server

    Chapter 6: Authentication Using External Servers Mapping Transparent Certificate attributes to... Define the rules to determine if the user is authenticated. For each rule: Enter the appropriate digital certificate attribute in the Attribute field. Select the appropriate logic operator (equal to, not equal to, starts with, ends with, contains, or [is a role]) from the Logic drop-down list.
  • Page 139: Figure 6-14: External Authentication Server Test Page

    Testing an External Authentication Server Figure 6-14: External Authentication Server Test Page Enter the password associated with the entered user name in the Password field. Select the external authentication server you wish to communicate with from the External server drop-down menu. Optional.
  • Page 141: Radius Accounting

    RADIUS Accounting Remote authentication dial-in user service (RADIUS) software includes both an authentication server and an accounting server. You use a RADIUS accounting server to record network activity and statistics including tracking user logins. To set up RADIUS accounting, you: (1) Define a new RADIUS accounting server. Once defined, it is added to the table on the Accounting Servers tab;...
  • Page 142: Defining A Radius Accounting Server

    Chapter 7: RADIUS Accounting Defining a RADIUS Accounting Server To define a new RADIUS accounting server: Click the User Authentication, Authentication Servers tab. Select External RADIUS Accounting from the Create drop-down list on the User authentication page. The New RADIUS Accounting page appears as shown in Figure 7-1. Figure 7-1: New RADIUS Accounting Page The Enable server checkbox is marked by default to make the external server available for RADIUS accounting activity.
  • Page 143: Attributes Sent To External Radius Accounting Server By Bsc

    Attributes Sent to External RADIUS Accounting Server by BSC You might be prompted to restart the BSC. We recommend that you do not restart the BSC until you have completely finished configuring the BSC for use in your network. Attributes Sent to External RADIUS Accounting Server by BSC The following table describes the attributes that the BSC sends to the external RADIUS accounting server.
  • Page 145: Roles And Role Elements

    Roles and Role Elements This chapter describes the use of roles and role elements on the BSC: • Defining User Roles to Enforce Network Usage Policies • An Overview of Roles • An Example of Role-based Authorization • Role Inheritance •...
  • Page 146: Defining User Roles To Enforce Network Usage Policies

    Chapter 8: Roles and Role Elements Defining User Roles to Enforce Network Usage Policies The BSC uses role-based authorization to define which network resources and destinations in the enterprise a user can access, the bandwidth he or she can use, and whether a secure tunneling protocol such as IPSec or PPTP is required for the connection.
  • Page 147: Role Inheritance

    Role Inheritance Figure 8-1: Role-based Authorization for a Registered User...
  • Page 148: Defining A Role

    Chapter 8: Roles and Role Elements • It reduces the number of administrative changes you need to make to roles. If you need to make changes to the base role, you need only to change that one role. All roles that inherit the base role will also inherit the changes you have made. •...
  • Page 149: Figure 8-3: Create A Role Page

    Defining a Role Figure 8-3: Create a Role Page Name Enter a meaningful name for the role. Typically, this will be the name of a user group or department for which you are setting up access privileges, such as Engineering. Bandwidth Define the bandwidth for incoming/outgoing traffic generated by users assigned this role.
  • Page 150 Chapter 8: Roles and Role Elements • Per user - Each user logged in with this role can transmit the entire bandwidth. For example, if 1 Mbps is specified, then each user is allocated 1 Mbps maximum, regardless of the number of users. Priority - You can configure role- and network service-based traffic priorities.
  • Page 151: Figure 8-4: Enabling Machine Authentication On Windows Zero-Config

    Defining a Role Alternatively, as with network services, destinations, and schedules, you can use the Create… option to define a new user location or group. To set up a location or group, see “Creating Locations and Location Groups” on page 8-19. Optional.
  • Page 152: Figure 8-6: Mapping Role Placement Based On Username

    Chapter 8: Roles and Role Elements Figure 8-5: Enabling Prerequisite Machine Authentication Role Configure the Transparent 802.1x server to do role placement based on the username: Figure 8-6: Mapping Role Placement Based on Username In this case the Domain is ENG, so anything starting with ENG is a valid user. More granular policies can be applied based on the setup.
  • Page 153 Defining a Role routes all tagged traffic to the protected-side VLAN and is useful if you want to limit the access of VLAN members to certain network assets defined for the role. To use the VLAN tagging functionality, you must first set up a protected-side VLAN. See “Creating a VLAN on the Protected Side (Optional)”...
  • Page 154: Modifying A Role

    Chapter 8: Roles and Role Elements The Redirect URL Attribute field on either the RADIUS page or the LDAP page accessed on the User Authentication tab. (See “RADIUS Authentication” on page 6-2 and “LDAP/Active Directory Authentication” on page 6-6.) The URL Redirect field on the Edit Role page. (“Defining a Role” on page 8-4) The Default Redirect URL field on the General HTTP Settings page.
  • Page 155: Creating A Single Device Destination

    Creating Destinations and Destination Groups single device within the network; all the devices reachable within a network address space After defining destinations, you can organize them into destination groups. Typically, the destinations in a group are physically or logically related in some way. Using destination groups can streamline role administration, by enabling you to apply one network usage policy to the entire destination group rather than creating a separate policy for each individual destination. See “Defining User Roles to Enforce Network Usage Policies”...
  • Page 156: Creating A Network Space Destination

    Chapter 8: Roles and Role Elements You might be prompted to restart the BSC. We recommend that you do not restart the BSC until you have completely finished configuring the BSC for use in your network. Creating a Network Space Destination To set up a destination for all devices in a given network address space: Click the User Roles tab in the BSC administrator console, and then click the Destinations tab.
  • Page 157: Creating Network Services And Services Groups

    Creating Network Services and Services Groups Select Destination Group from the Create drop-down list on the Destinations page. The Create a (destination) group page appears as shown in Figure 8-13. Figure 8-13: Create a (Destination) Group Page Enter a meaningful name for the device group in the Name field. Select one or more destinations from the Available Items list to include in the destination group and then click Add highlighted items.
  • Page 158: Creating A Network Service

    Chapter 8: Roles and Role Elements • LDAP - Lightweight directory access protocol • H.323 - ITU-T standard for sending voice (audio) and video using IP on a LAN without QoS • TFTP - Trivial File Transfer Protocol • NTP - Network Time Protocol •...
  • Page 159: Figure 8-14: Create A Service Page

    Creating Network Services and Services Groups Figure 8-14: Create a Service Page Name Enter a meaningful name for the network service. Service Settings Define the service settings as appropriate for your network. Protocol - Specify whether the network service supports TCP, UDP, both TCP/UDP, ICMP, or some Other protocol.
  • Page 160: Creating Network Service Groups

    Chapter 8: Roles and Role Elements Incoming/Outgoing Priority - You can configure a priority for traffic coming into the BSC or going out from the BSC via this network service. If the BSC experiences network congestion, High priority traffic takes precedence over Medium and Low priority traffic. You can also configure role-based traffic priority.
  • Page 161: Creating Schedules And Schedule Groups

    Creating Schedules and Schedule Groups Click the User Roles tab in the BSC administrator console, and then click the Services tab. Select Service from the Create drop-down list on the Services page. The Create a (service) group page appears as shown in Figure 8-15. Figure 8-15: Create a (Service) Group Page Enter a meaningful name for the network service group in the Name field.
  • Page 162: Figure 8-16: Create A Schedule Page

    Chapter 8: Roles and Role Elements Click the User Roles tab in the BSC administrator console, and then click the Schedules tab. Select Schedule from the Create drop-down list on the Schedules page. The Create a schedule page appears as shown in Figure 8-16. Enter a meaningful name for the schedule in the Name field.
  • Page 163: Creating Schedule Groups

    Creating Locations and Location Groups Click Save to store the information to the BSC database or Save and create another to continue defining service groups. You might be prompted to restart the BSC. We recommend that you do not restart the BSC until you have completely finished configuring the BSC for use in your network.
  • Page 164: Creating A User Location

    Chapter 8: Roles and Role Elements For example, you might have defined “VLAN 15” that includes all access points on the shop floor. You can then create a location called Shop Floor that maps VLAN 15 to the location. After you create the location, you can then select it from the drop-down list when defining a network usage policy in a role.
  • Page 165: Figure 8-19: Create A (Location) Group Page

    Creating Locations and Location Groups Click the User Roles tab in the BSC administrator console, and then click the Locations tab. Select Location Group from the Create drop-down list on the Schedules page. The Create a (location) group page appears as shown in Figure 8-19. Figure 8-19: Create a (Location) Group Page Enter a meaningful name for the location group in the Name field.
  • Page 167: Voice Over Wlan Support

    WLANs to make use of an existing 802.11 infrastructure for voice traffic as well as data traffic. BlueSecure Controller system software release 5.2 (and higher) enables you to pass IP phone voice traffic through the BSC by providing support of widely used voice over IP protocols (SIP and H.323), vendor-specific IP phone...
  • Page 168: Configuring General Vowlan Settings

    Chapter 9: Voice Over WLAN Support Configuring General VoWLAN Settings Click the Voice tab in the BSC administrator console, and then click the General tab. The VoWLAN General Settings page appears as shown in Figure 9-1. Figure 9-1: VoWLAN General Settings Page Mark the Prioritize Voice and Video Traffic checkbox to prioritize this traffic over the other background traffic to improve QoS.
  • Page 169: Configuring Vowlan Qos

    Configuring VoWLAN QoS Polycom/Avaya Mark the Enable support for Polycom/Avaya IP phones checkbox if your wireless clients IP phone settings are passing Polycom/Avaya IP phone traffic through the BSC and configure the following settings: Polycom/Avaya gateway IP address or hostname - Enter one or more IP addresses/hostnames of the Polycom gateway(s) on your network as a comma delimited list. Polycom/Avaya SVP server IP address or hostname - Enter one or more IP addresses/hostnames of the Polycom Voice Priority (SVP) server(s) on your network as a comma...
  • Page 171: General Bsc Operational Settings

    General BSC Operational Settings You may modify the following BSC protocols and functions using the settings found on the General page in the BSC administrator console: • HTTP Server Settings • Intrusion Detection System • SNMP Agent • Automatic Backup of the BSC Database •...
  • Page 172: Http Server Settings

    Chapter 10: General BSC Operational Settings HTTP Server Settings To modify the BSC HTTP server settings: Displaying the HTTP Settings page: Click the General tab in the BSC administrator console, and then click the HTTP tab. The HTTP Settings page appears as shown in Figure 10-1. Figure 10-1: HTTP Settings Page 10-2...
  • Page 173 HTTP Server Settings Login Redirects Comma separated list of HTTP/proxy ports to monitor - Enter HTTP and HTTP proxy port(s) that the BSC monitors. The BSC monitors the port(s) for all unregistered users and, if it sees a request, it redirects the user to the login page. Specify ports using the comma-delimited format.
  • Page 174 Chapter 10: General BSC Operational Settings Root CA URL - URL where the certificate authority (CA) credential is stored. Your browser can use the CA to establish that the BSC web server is a trusted source for data. Default value: https://secure.bluesocket.com/root-ca-2.crt Admin Login Admin web server port - Use to block admin access at the interface level.
  • Page 175: Intrusion Detection System

    Intrusion Detection System BlueProtect Endpoint Scanning: Optional. Enable BlueProtect Endpoint Scanning support as described in Appendix C, "Endpoint Scanning." BlueProtect cannot be disabled if existing roles require BlueProtect. Saving the settings: Click Save to save the HTTP server settings to the BSC database. You may be prompted to restart the BSC.
  • Page 176: Figure 10-2: Bsc Ids Host State Model

    Chapter 10: General BSC Operational Settings Figure 10-2: BSC IDS Host State Model (states shown: Normal, Blocked, Pre-monitoring, Monitoring) Normal State By default, a user host will start in the Normal State unless otherwise blocked. The Maximum Number of Firewall Sessions per user administrator-configurable parameter is used to define the bounds of normal traffic.
  • Page 177: Configuration Procedure

    Intrusion Detection System these roles or create your own IDS role to assign to blocked users. Note that the Monitoring Mode role is designed to be used only for test purposes as you tweak the BSC IDS settings for your network. The blocked host is allowed to get a DHCP address, but only administrator intervention can transition the host back to the Normal State.
  • Page 178: Snmp Agent

    Chapter 10: General BSC Operational Settings Figure 10-3: Intrusion Detection System Settings Page Enable IDS Mark this checkbox to activate the BSC Intrusion Detection System. Thresholds Violation Threshold: Enter the maximum number of violations a user host may accrue in the Normal State.
  • Page 179: Automatic Backup Of The Bsc Database

    Automatic Backup of the BSC Database Figure 10-4: SNMP Settings Page SNMP Agent Start the selected version of SNMP agent (v2c, v3, or both) on the BSC, or shut down the agent. To enable administrator access to SNMP v3, which requires a user ID and password, see “Adding a New Administrator Account”...
  • Page 180: System Time And Date Settings

    Chapter 10: General BSC Operational Settings Displaying the Auto Backups page: Click the General tab in the BSC administrator console, and then click the Auto Backups tab. The Auto Backups page appears as shown in Figure 10-5. Figure 10-5: Auto Backups Page Recurrence Set the time interval at which the BSC database is automatically backed up.
  • Page 181: Mail Server Access

    Mail Server Access Displaying the BSC Time Settings page: Click the General tab in the BSC administrator console, and then click the Time tab. The BSC Time Settings page appears as shown in Figure 10-6. Figure 10-6: BSC Time Settings Page System settings Change the current time zone, date, or time on the BSC.
  • Page 182: Public Access Networks

    Chapter 10: General BSC Operational Settings tab, Email tab to configure the BSC to log in to your mail server securely. You can specify the SMTP authentication method (Login, PLAIN, CRAM-MD5) and, optionally, a user name and password. Click the General tab in the BSC administrator console, and then click the Email tab. The BSC Email Settings page appears as shown in Figure 10-7.
  • Page 183 Public Access Networks Address of mail server for SMTP port redirection: In some public access wireless networks, to prevent spamming, ISPs do not allow email to be sent via their default mail server if the user is not a member of that network. The network administrator for such a network may designate a special SMTP server for this purpose, but this requires that users change their SMTP IP address and other settings.
  • Page 184: Event Logging And Connection Tracking

    Chapter 10: General BSC Operational Settings Event Logging and Connection Tracking The BSC provides two types of logging facilities: • Event logging - The BSC records BSC-related events such as configuration changes, activity in secure tunnels, and number of logged in users. You can direct log output to the event log page (described in “Viewing the BSC Event Log”...
  • Page 185: Figure 10-9: Logging Settings Page

    Event Logging and Connection Tracking Figure 10-9: Logging Settings Page • Enable Connection Tracking - If this checkbox is marked, the BSC sends information about all user TCP/UDP connections to the server specified in the IP or name of remote syslog server setting (see previous description). Connection tracking allows you to audit detailed data on user connections.
  • Page 186 Chapter 10: General BSC Operational Settings If cleared, no connection tracking data is logged. Default value: Disabled. Note: Connection tracking can potentially generate a large amount of data, proportional to the number of users and WLAN traffic. • IP address or FQDN of remote connection tracking syslog server - Enter the IP address(es) or fully qualified domain name(s) of up to two syslog server(s) here to log connection tracking data.
  • Page 187: Threshold Values

    Threshold Values Threshold Values You can specify threshold values that trigger the output of certain event log messages, SNMP traps, or a BSC failover. For those values expressed as a percent, the BSC generates an event log message, SNMP trap, or BSC shutdown/failover if the specified percentage is met or exceeded. For boolean threshold values (such as Link Down), select Yes to generate an event log message or SNMP trap if this event occurs or No to disable the threshold: Note: To enable use of SNMP traps to monitor the BSC, you must enable the SNMP agent...
  • Page 188: Domain Name System (Dns) Settings

    Chapter 10: General BSC Operational Settings Warm Start: A restart of BSC services. Cold Start: A complete reboot of BSC. Config Change: Any change to the BSC configuration. Failed User Login: A user login fails. SNMP Auth Failure: BSC receives an SNMP message with an incorrect community string. Failover: BSC goes into failover mode.
  • Page 189: Figure 10-11: Dns Proxy Page

    Domain Name System (DNS) Settings Figure 10-11: DNS Proxy Page Managed-side DNS proxy: Enable DNS Proxy? - If this checkbox is marked, wireless clients are provided with a DNS entry containing the IP address of the BSC's managed interface. All DNS requests are proxied (i.e., received and forwarded) by the managed interface to internal DNS servers on the protected side.
  • Page 190: Digital Certificates

    Chapter 10: General BSC Operational Settings • admin - Administrator login page at the specified host name and interface. Default host name: admin. Default interface: Protected. • secure - IPSec, L2TP/IPSec, or PPTP tunnel endpoint at the specified host name and interface.
  • Page 191: Configuring External Server Authentication Over Ssl

    Digital Certificates • BSC secure web login page (SSL) - As with any secure web page (SSL), the web server presents a certificate to authenticate itself with the wireless client. The BSC's secure web user and administrator login pages contain a default Bluesocket SSL digital certificate, which is pre-installed on the BSC and cannot be edited or deleted by the client.
  • Page 192: Requesting And Installing An Ipsec Authentication Certificate

    Chapter 10: General BSC Operational Settings the server digital certificate). If you are using mutual authentication, mark the BSC Client Certificate radio button for the PKCS#12 certificate. Click Browse to enter the pathname where the certificate file resides on your local computer in the Upload new certificate field.
  • Page 193: Figure 10-13: Ipsec Certificate Signing Request Generation Page

    Digital Certificates Figure 10-13: IPSec Certificate Signing Request Generation Page Figure 10-14: IPSec CSR Generated Page When the provider returns the signed certificate, upload it to the BSC: Click the General tab in the administrator console, click the Certificates tab, and then click the Generate link at the top of the page.
  • Page 194: Miscellaneous Bsc Options

    Chapter 10: General BSC Operational Settings Miscellaneous BSC Options Use the Miscellaneous page in the administrator console to configure miscellaneous BSC options including. Displaying the Miscellaneous settings page: To configure miscellaneous BSC options: Click the General tab in the BSC administrator console, and then click the Miscellaneous tab.
  • Page 195 Miscellaneous BSC Options the Active Connections page (see “Monitoring Active User Connections” on page 15-2 for more information). Default value: 5 minutes. Time in seconds between refreshing status pages - Time interval at which the BSC refreshes the Status pages with the latest status data. Default value: 30 seconds. Access Point Tracking: Read-only SNMP community string for all access points - SNMP community string used to...
  • Page 196 Chapter 10: General BSC Operational Settings Serial Console Access: Allow access via serial port? - By default, administrators are allowed to access a subset of the BSC’s functionality by connecting a console to the BSC’s serial port as described in Appendix D, "Serial Port Access to Essential Functions."...
  • Page 197: Web Logins

    Web Logins This chapter covers the following topics: • Customizing the User Login Page • The Appearance of the User Login Page • Customizing the Login Form and HTML Body of Login Page • Customizing the Right Side of the User Login Page •...
  • Page 198: Customizing The User Login Page

    Chapter 11: Web Logins Customizing the User Login Page You can customize the appearance of the web page that users see at login to maintain your organization’s brand identity and to control which login features to expose. This section is organized as follows: •...
  • Page 199: Customizing The Login Form And Html Body Of Login Page

    Customizing the User Login Page The default user login page along with the page elements that can be customized are shown in the following figure. Specify: HTML page background, foreground (text), and link colors Define Window Title Add Custom Logo and Specify Number of Pixels to add Above Logo Guests Area - Specify background color, foreground (text) color, and placement...
  • Page 200: Figure 11-3: Create New Custom Login Page

    Chapter 11: Web Logins Figure 11-3: Create New Custom Login Page 11-4...
  • Page 201 Customizing the User Login Page Name Enter a meaningful name for the custom user login page you are defining. Login Options Allow user logins - If this checkbox is marked, the BSC login page displays the Registered Users login area, which enables registered users to log in to the wireless network. Default value: Enabled.
  • Page 202: Customizing The Right Side Of The User Login Page

    Chapter 11: Web Logins The Number of active sessions per username/authentication type applies to External Server Authentication methods only. HTML body Sets the overall appearance of the HTML code area on the right side of user login page: • Window title text •...
  • Page 203: Figure 11-4: Custom Login Page - Edit Html

    Customizing the User Login Page Displaying the Click the Web Logins tab in the administrator console, click the Login Screens tab, and then click the icon that corresponds to the user login page you wish to edit. Customization Click the HTML Text link at the top of the page. The Edit HTML for custom login - Page Default page appears as shown in Figure 11-4.
  • Page 204 Chapter 11: Web Logins Spacing Specify the remaining spacing options, if necessary: Pixels between the form and the customized HTML - Spacing in pixels between the login form on the left side of the login page and the left margin of the HTML code. Default: 40. Pixels between the top and the customized HTML - Spacing in pixels between the top of the login page (below the window title bar) and the top margin of the HTML code.
  • Page 205 Customizing the User Login Page Example Here is a test page for testing all custom variables. Create a custom web page and insert the following for the HTML: <style type="text/css"> <!-- li { background-repeat:no-repeat; h1 { font-weight:bold; font-size:medium; padding:0; margin:0; h2 { font-size:small;...
  • Page 206: Redirecting Clients To An External Server For Authentication

    BSC provides a hotspot account generation feature that enables you to link a credit card processing provider to a BlueSecure Controller, enabling your wireless end users to purchase and set up their own wireless network access accounts using a credit card. You can configure hotspot account generation for each custom login page.
  • Page 207: Figure 11-6: Create New Account Link

    Customizing the User Login Page Currently Micros-Fidelio Opera 4 PMS, Authorize.net SIM, Authorize.net AIM, and CyberSource are the four billing/payment transaction account providers that work with the BSC hotspot account generation feature. Free guest accounts are also created using the Hotspot Account generation feature. Prior to 6.5, Bluesocket supported three main (free) guest access methods: •...
  • Page 208: Figure 11-7: Sample Account Selections Page

    Chapter 11: Web Logins BSC uses the email address internally as the account name, different from the user’s credit card account name). Figure 11-7: Sample Account Selections Page After the user creates his or her access account, a confirmation page is displayed to allow the user to see the total cost for access and confirm previous selections.
  • Page 209 Customizing the User Login Page Table 11-1: Required Authorize.net Settings Name Value Payment Form:Color Settings Any value Payment Form:Header Any value Payment Form:Form Fields:First Name Mark all three checkboxes: View; Edit; and Required Payment Form:Form Fields:Last Name Mark all three checkboxes: View; Edit; and Required Payment Form:Form Fields:Zip Code Mark all three checkboxes: View;...
  • Page 210: Figure 11-8: Hotspot Account Generation Page

    Chapter 11: Web Logins • On the BSC side, set “Server Address” to test.authorize.net and check off (turn on) “Enable test mode” • On the Authorize.net Merchant Interface, switch account to test mode by going to Account Settings --> Test Mode CyberSource To set up a hotspot account to be billed through CyberSource, a merchant id and a private key are required on the Edit Hotspot Account Generation for custom login page.
  • Page 211 Response URL - If your BSC’s protected IP address cannot be reached via the Internet or its hostname is not publicly accessible, enter a URL that Authorize.net can use to notify this BlueSecure Controller of the transaction result. For example: https://152.210.198.81/login.pl In addition, port forwarding should be enabled on your firewall.
  • Page 212: Figure 11-9: Friends And Family Freespot

    Chapter 11: Web Logins Response URL must be configured in the Merchant Interface. This will also cause error checking responses to be displayed directly on the transaction form. Authorize.net AIM: Enter the credentials the BSC requires to access your credit card processing provider account: Account Login ID and Transaction Key.
  • Page 213: Uploading Image/Media Files For The User Login Page

    Uploading Image/Media Files for the User Login Page entering an anonymous email account (like blueman@yahoo.com), the BSC allows the option to exclude public email providers (yahoo, gmail). To configure this, go to Hotspot Account Generation and set auto-generate password, and exclude public-email providers.
  • Page 214: Translating User Login Pages

    Chapter 11: Web Logins The topleftlogo file can be any GIF, JPEG or PNG file with a recommended size of 133x64 pixels. • Normal - All other image and media files. You can reference these files in HTML code for your custom login page. To upload image/media files for use on the user login page: Note: You can click the User Login Page link on the right side of the page to display the user login page as it is currently defined.
  • Page 215 Translating User Login Pages • Chinese-Traditional (zh-TW/Big5) • Czech (UTF-8) • Dutch (UTF-8) • English (en/ISO-8859-1) • French (fr/ISO-8859-1) • German (de/ISO-8859-1) • Italian (it/ISO-8859-1) • Japanese (ja/EUC-JP) • Korean (ko/EUC-KR) • Portuguese (pt/ISO-8859-1) • Spanish (es/ISO-8859-1) • Swedish (sv/ISO-8859-1) You can add to the list of supported languages by providing user login page translations in additional languages.
  • Page 216: Defining A User Login Page Language

    Chapter 11: Web Logins Defining a User Login Page Language Displaying the Create a User Login Page Figure 11-12: Create a User Login Page Language Page 11-20...
  • Page 217 Translating User Login Pages To define a new user login page language: Click the Web Logins tab in the administrator console, and then click the Languages tab. Select Language from the Create menu. The Create new language page appears (see Figure 11-12). Language Setup Define how the language is represented in the BSC administrator console: Note that the Enable checkbox is marked by default.
  • Page 218: Editing A User Login Page Language

    Chapter 11: Web Logins • Thank-You page - Enter any HTML code to disable URL redirection after login. The HTML is displayed in a standard Thank You page when users assigned to this role log • Pop-up Link - Enter the text for the logout link, e.g. Click to Logout. Hotspot Sign-up Provide translations for text associated with the credit card billing pages: Signup for, Hours, Days, Weeks, Months, First Name, Last Name, Card Type, Card Number, Card...
  • Page 219: Requesting A Certificate

    Installing a Custom SSL Login Certificate • “Requesting a Certificate” on page 11-23. • “Uploading a Replacement SSL Certificate You Already Have” on page 11-25. Requesting a Certificate If you do not have a replacement certificate, you need to issue a certificate signature request (CSR) to the certificate provider who will return a signed certificate.
  • Page 220: Figure 11-14: Ssl Csr Generated Page

    Chapter 11: Web Logins The CSR generated page appears as shown in Figure 11-14. Figure 11-14: SSL CSR Generated Page To delete a CSR and start over, click Delete CSR on the left side of the page. Save a copy of When you generate the CSR, a private key is also created on the BSC.
  • Page 221: Uploading A Replacement Ssl Certificate You Already Have

    Installing a Custom SSL Login Certificate • The host name is the same one you entered in your Certificate Signing Request. Figure 11-15: Uploaded Certificate Uploading a Replacement SSL Certificate You Already Have Digital certificates are only valid until a certain date. If your Web SSL certificate has expired, you must replace it –...
  • Page 222: Recovering The Private Key

    Chapter 11: Web Logins Upload the certificate as follows: Mark the BSC Client Certificate radio button. Click Browse, locate the file for the new certificate on your computer, and then click Upload to upload it to the BSC. Click the Web Logins tab in the administrator console, and then click the SSL Certificate tab.
  • Page 223: Renewing A Custom Ssl Certificate

    Installing a Custom SSL Login Certificate The SSL Certificate Generation page appears as shown in Figure 11-17. Figure 11-17: SSL Certificate Generation Page Click Browse in the Key Upload section to locate the private key on your computer. Click Process to upload the key to the BSC. Renewing a Custom SSL Certificate A custom SSL login certificate is only valid for a finite period of time.
  • Page 224: Installing A Wildcard (*) Ssl Certificate On Multiple Bscs

    Chapter 11: Web Logins Installing a Wildcard (*) SSL Certificate on Multiple BSCs Before installing a wildcard SSL certificate on multiple BSCs, you first need to obtain and install a new SSL Certificate on the first BSC, as explained in “Installing a Custom SSL Login Certificate”...
  • Page 225: Bluesecure Access Points

    BlueSecure Access Points This chapter covers the following topics: • Overview • Deploying BSAPs on the Same Layer-2 Subnet as the BSC • Deploying BSAPs with Layer-3 Connectivity to the BSC • How a BSAP Discovers BSCs • How a BSAP Selects a Home BSC •...
  • Page 226: Overview

    The BSAPs can be directly attached to any existing Ethernet switch or IP router and across any subnet boundary. Once connected, BSAPs “auto-configure” by associating with a BlueSecure controller. The BlueSecure Controller automatically configures each BSAP based on policies and configuration set by the administrator and communicates with the BSC across any subnet boundary.
  • Page 227: Rf Management

    BSC to which it will connect and obtain its software image and configuration. If the BSAPs are on the same subnet as the home BlueSecure Controller as shown in Figure 12-2, you can run a DHCP server on the BSC to manage IP address assignment to BSAPs.
  • Page 228: Deploying Bsaps With Layer-3 Connectivity To The Bsc

    BSAP IP Address - Each BSAP requires a unique IP address. • Host BlueSecure Controller IP Address - Each BSAP also needs the IP address of the home BSC to which it will connect and from which it will obtain its software image and configuration.
  • Page 229: How A Bsap Discovers Bscs

    • the BSAP selects one of these discovered BSCs as its home BSC There are five methods that a BSAP may use to discover a BlueSecure Controller to which it may connect: The BSAP will connect to the BSC IP address that has been manually configured using the BSAP CLI.
  • Page 230: How A Bsap Selects A Home Bsc

    You can specify the alternative firmware image file for individual BSAPs as required. To upload BlueSecure Access Point firmware image files to the BlueSecure Controller: Click the Wireless tab in the BSC administrator console, and then click the Firmware tab. The AP Firmware page appears as shown in Figure 12-4.
  • Page 231: Figure 12-5: Edit Ap Firmware Page

    Uploading BSAP Firmware Files model can have one Default firmware and one Alternative firmware. If set, the Default firmware will be applied to any newly discovered BSAPs. Note: Select the icon to transfer all BSAPs back to the Default firmware and flag them for Upgrade.
  • Page 232: Configuring Global Miscellaneous Non-Radio Settings

    Chapter 12: BlueSecure Access Points Configuring Global Miscellaneous Non-Radio Settings The Wireless Global System Settings page is used to specify the country in which the BSAPs are located and to enable remote SSH diagnostics (this option only applies to BSAP-15x0 platforms). You can optionally override these global settings for individual BSAPs on the Wireless AP tab by clicking the pencil icon for the BSAP.
  • Page 233 Configuring Global Miscellaneous Non-Radio Settings The Bluesocket Sales team maps customers to their country of operation, and each customer is issued an authorization code, which can be found in the Salesforce.com account. When the BSC is started for the first time, the country on the Wireless Global page is set to “No Country Set”.
  • Page 234: Configuring Global Radio Settings

    Chapter 12: BlueSecure Access Points Enable Front User Port - Mark the Enable Front User Port checkbox to enable the front ethernet port on the Wi-Jack w/ Jack. To disable the port, uncheck the box. The default is enabled. Saving the Click Save to save the global BSAP settings to the BSC database.
  • Page 235 Configuring Global Radio Settings Select the Sensor Frequency Band in which to scan (BSAP-1800s with external antennas only). This determines which bands the BSAP will sense when it is scanning. It takes less time to scan all the channels when you limit the BSAP to a single band. Channel Options: The Auto Channel Select checkbox only provides an auto mode on the global tab since...
  • Page 237: Figure 12-7: Edit 802.11B/G/N Settings - Global Page

    Configuring Global Radio Settings Figure 12-7: Edit 802.11b/g/n Settings - Global Page Advanced Mark the Display Advanced Settings checkbox to specify the following: Settings for the • Beacon Interval -- Enter the rate in milliseconds at which beacon signals are 802.11b/g/n transmitted from the BSAP.
  • Page 238 Chapter 12: BlueSecure Access Points Mark the Antenna Diversity radio button to specify whether the antenna is automatically selected based on best signal reception (i.e., Diversity mode), or is fixed to use one of the BSAP’s antennas, A or B. (Default: Diversity mode is enabled). Mark the Antenna Mode radio button to specify whether 3 Antennas or 1 Antenna is used.
  • Page 239 Configuring Global Radio Settings 6.5Mbps 6.5Mbps 13.5Mbps 13.5Mbps 13Mbps 13Mbps 27Mbps 27Mbps 19.5Mbps 19.5Mbps 40.5Mbps 40.5Mbps 26Mbps 26Mbps 54Mbps 54Mbps 39Mbps 39Mbps 81Mbps 81Mbps 52Mbps 52Mbps 108Mbps 108Mbps 58.5Mbps 58.5Mbps 121.5Mbps 121.5Mbps 65Mbps 65Mbps 135Mbps 135Mbps 78Mbps 150Mbps 150Mbps 104Mbps 162Mbps 117Mbps 216Mbps...
  • Page 240 Chapter 12: BlueSecure Access Points • 1 = Enabled BSAP1700: MIMO Network Density: Network Density refers to how many wireless networks are deployed in your surroundings. This setting provides a mechanism to tell the AP how noisy to expect the environment so the AP can then adjust its noise threshold accordingly.
  • Page 241 Configuring Global Radio Settings Saving the settings: Click Save to save the BSAP radio settings to the BSC database. You may be prompted to restart the BSC. We recommend that you do not restart the BSC until you have completely finished configuring the BSC for use in your network. 12-17 BlueSecure™...
  • Page 242: 802.11A/N Radio Configuration

    Chapter 12: BlueSecure Access Points 802.11a/n Radio Configuration See “802.11b/g/n Radio Configuration” on page 12-10 for settings not described here. Displaying Edit 802.11a/n Settings - Global: Click the Wireless Global tab, and then click the 802.11a/n link at the top of the page. Figure 12-8: Edit 802.11a/n Settings - Global Page 12-18...
  • Page 243: Editing Settings For An Individual Bsap

    Editing Settings for an Individual BSAP Operational Mode: Select one of the following from the drop-down menu to determine whether the BSAPs will act as Access Points, as RF sensors, or as both: • AP Mode - BSAP provides standard wireless client access. •...
  • Page 244: Creating Ssids

    Chapter 12: BlueSecure Access Points • Only Use Selected SSIDs - The BSAP will use only those SSIDs selected in the Select SSID picklist. Note: Only one SSID is supported on the BSAP-1700’s 11a radio. Creating SSIDs As part of the BSAP configuration, you can create a pool of Service Set Identifiers (SSIDs) that you can assign to BSAPs (maximum of 8 per radio).
  • Page 245: Bsap Data Encryption Options

    Creating SSIDs the BSAP and all wireless clients. The PSK mode uses either TKIP or AES for packet encryption and key management as WPA in the enterprise, providing a robust and manageable alternative for small networks. When the WPA mode is set to “pre-shared-key,”...
  • Page 246: Ssid Configuration Procedure

    Chapter 12: BlueSecure Access Points TKIP (This option cannot be used with 802.11n when connecting at rates above 54Mhz). Temporal Key Integrity Protocol (TKIP): WPA specifies the TKIP data encryption method to replace WEP. TKIP avoids the problems of WEP static keys by dynamically changing data encryption keys.
  • Page 247 Creating SSIDs The SSID is case sensitive and can consist of up to 32 alphanumeric characters. The SSID does not need to be unique. The same SSID can exist with different attributes (e.g. VLAN) on different access points. To configure this, use a different name with the same SSID and then override the access points with the desired named SSID.
  • Page 248: Creating Bsaps

    Chapter 12: BlueSecure Access Points Enter keys as 10 hexadecimal digits (0 to 9 and A to F) for 64 bit keys, 26 hexadecimal digits for 128 bit keys, or 32 hexadecimal digits for 152 bit keys. Be sure to specify a default key (0 to 3) when entering 64-bit keys. WPA or WPA2 Authentication: If you have configured WPA or WPA2 authentication, then you must configure access to...
  • Page 249: Figure 12-10: Create New Ap Page

    Creating BSAPs Displaying the Create new AP page: Click the Wireless tab in the BSC administrator console, click the AP tab, and then select an AP model from the Create drop-down menu. The Create New AP page appears with the fields required for the BSAP model you are creating, for example the BSAP-1800 as shown in Figure 12-10.
  • Page 250: Enabling Bsap Service

    Chapter 12: BlueSecure Access Points Display Specify which login page to display to users logging into the BSC on the managed interface via this BSAP from the drop-down menu. Select Normal to use the location- or VLAN-based login page or select a customized page you have defined. See “Customizing the User Login Page”...
  • Page 251 Enabling BSAP Service • Configured APs - The BSC accepts connections from only those BSAPs that have a configuration on the BSC. This is the recommended setting. • Any AP - This is the default setting. The BSC issues certificates to any BSAP. Selecting this option may pose a security risk to your network.
  • Page 252 Chapter 12: BlueSecure Access Points • Autochannel BG - Mark/unmark this checkbox to enable/disable the BSC to dynamically change the 802.11b/g/n channel settings of BSAPs under its control to achieve optimal RF performance. • Autochannel A - Mark/unmark this checkbox to enable/disable the BSC to dynamically change the 802.11a/n channel settings of BSAPs under its control to achieve optimal RF performance.
  • Page 253: Displaying Configured Bsaps

    Displaying Configured BSAPs After you have created BSAPs as described in “Creating BSAPs” on page 12-24 and as BSAPs come online and connect to the BSC, you can view their status on the Wireless AP tab. The tab presents a table that provides the following information about BSAPs that will connect to the BSC (i.e., BSAPs for which you have created configurations) and BSAPs that are currently connected to the BSC.
  • Page 254 Chapter 12: BlueSecure Access Points • Click to accept all the DynamicRF recommendations for channel and power. The configuration will be saved to the database, and then applied to the individual access point. Note: The BSAP-1700 does not support dual mode or Dynamic RF, only Set Once and Hold.
  • Page 255: Rf Intrusion Detection And Containment

    RF Intrusion Detection and Containment The BSC detects and protects against rogue devices, ad-hoc networks, and a large number of WLAN Denial of Service (DoS) and spoofing attacks. The BSC provides RF intrusion detection by analyzing the data collected from its BSAPs operating in dual AP/sensor mode or sensor-only mode to detect attacks, vulnerabilities, and rogue devices in the RF space.
  • Page 256: Identifying Authorized Rf Stations On Your Network

    Chapter 13: RF Intrusion Detection and Containment Identifying Authorized RF Stations on Your Network To better track rogue devices on your network, you can create a “white list” of known authorized RF stations. RF devices not appearing on the authorized list will be identified as rogue or intruding devices.
  • Page 257: Configuring Rf Alarms

    Configuring RF Alarms • Rogue - This station is not authorized to be on the network and an alarm will be generated if it is detected. • Neighbor - This station is not part of the internal network, but is always present. •...
  • Page 258 Chapter 13: RF Intrusion Detection and Containment Table 13-1: BSAP Sensor Alarms (columns: Alarm, Description, Dual/Sensor Mode). Client BSSID Changed: Mobile station has changed its BSSID. Client Limit: Maximum client limit per AP has been reached. Could be due to a MAC spoofing client or real network density increase.
  • Page 259: Figure 13-2: Configured Bsap Sensor Alarms

    Configuring RF Alarms Table 13-1: BSAP Sensor Alarms (columns: Alarm, Description, Dual/Sensor Mode). Rogue AP: A Rogue AP has been detected. Check that this is not a newly installed Access Point or an AP belonging to a nearby organization. Rogue Ad-Hoc Client: A rogue client in Ad-Hoc mode has been detected.
  • Page 260: Configuring Manual Containment

    Chapter 13: RF Intrusion Detection and Containment • Severe - This is the highest alert level and is usually associated with a WLAN intrusion, e.g., a broadcast attack. • Warning - This alert level is usually associated with a security vulnerability, e.g., a client association change.
  • Page 261: Figure 13-4: Autocontainment Configuration Page

    Configuring Autocontainment Figure 13-4: Autocontainment Configuration Page Mark the Enable Autocontainment checkbox to enable RF autocontainment. Enter the duration (in minutes) that the BSC will perform active containment on the rogue device in the Autocontainment Duration field. Click Save to save the autocontainment settings to the BSC database. See “Monitoring Devices in RF Autocontainment”...
  • Page 263: Secure Mobility® Matrix

    Secure Mobility® MatriX This chapter provides procedures for configuring a large-scale wireless network that requires two or more BlueSecure Controllers. The term Secure Mobility MatriX refers to three functional areas: Secure Mobility, Replication, and Load Sharing. This chapter is organized as follows: •...
  • Page 264: An Overview Of The Secure Mobility Matrix

    Chapter 14: Secure Mobility® MatriX An Overview of the Secure Mobility MatriX Where multiple BlueSecure Controllers are deployed across multiple WLANs, Bluesocket provides centralized management and control through its Secure Mobility MatriX architecture, as shown in the following figure. Figure 14-1: The Bluesocket Secure Mobility MatriX Architecture The multiple BlueSecure Controllers comprising the MatriX communicate with each other in real time enabling seamless secure roaming, policy enforcement, configuration replication, and load sharing.
  • Page 265: General Configuration Procedure

    Secure Mobility® General Configuration Procedure Follow these high-level steps to configure a multiple-BSC Secure Mobility MatriX: Configure the BSC Secure Mobility feature to enable seamless secure user roaming across subnets in your network. • An overview of the Secure Mobility feature is given in “Secure Mobility®” on page 14-3.
  • Page 266: How Secure Mobility Works

    Chapter 14: Secure Mobility® MatriX How Secure Mobility Works The following figure illustrates how Secure Mobility works. For simplicity, two wireless networks and one mobile user are shown. In practice, the number of mobile users and WLANs is much greater. [Figure labels: Subnet 1, Subnet 2]...
  • Page 267: Network Requirements

    Secure Mobility® [Figure labels: Subnet 1, Subnet 2, Router, BSC - A, BSC - B]...
  • Page 268: Step 1: Designate And Set Up The Mobility Node List Master

    Chapter 14: Secure Mobility® MatriX subnet. BSC protected interfaces that are not connected to a router may be on the same subnet. The following figure illustrates the subnet requirements for the BSC managed and protected interfaces to enable use of Secure Mobility® in a multiple-BSC network.
  • Page 269: Step 2: Create A List Of Nodes

    Secure Mobility® Figure 14-7: BSC Secure Mobility Setup Page communicating with each other, thus providing an extra layer of security. The key can be any text string you choose, as long as it is the same for all BSCs in the Secure Mobility configuration.
  • Page 270: Step 3: Set Up Secure Mobility® On The Nodes

    Chapter 14: Secure Mobility® MatriX Enter the IP address of the protected interface on the Node and an optional description in the fields provided. Note that the Enable Secure Mobility node checkbox is marked by default to enable secure mobility on this node. Click Save to store the information or Save and create another to continue defining mobility node BSCs.
  • Page 271: Step 4: Restart Services On The Mobility Master And All Nodes

    Enabled - Is Secure Mobility enabled on the BSC? Yes or no. • Address - IP address of Secure Mobility Node or Master. • Model - BlueSecure Controller model number, e.g. BSC-2100. • Version - System software version the BSC is running. •...
  • Page 272: Enabling Vlan Roaming Across Lsg Bscs

    Chapter 14: Secure Mobility® MatriX • Last Update - ID of last status update. • Last Update Message - Last message concerning Secure Mobility configuration update. • Last Requested Update - ID of update last requested by Node. Enabling VLAN Roaming Across LSG BSCs To enable users to roam between BSC managed interfaces within the same LSG, configure the following Secure Mobility settings on each LSG member BSC: Click the Mobility MatriX tab in the BSC administrator console, and then click the...
  • Page 273: A Comparison Of Standard And Cascaded Replication

    Replication A Comparison of Standard and Cascaded Replication In addition to the standard replication configuration described above, v4 (and later) of the BSC system software also supports a cascaded replication configuration. The following figure illustrates a standard BSC replication configuration and a cascaded BSC replication configuration.
  • Page 274: Step 1: Set Up Replication On The Master

    Chapter 14: Secure Mobility® MatriX Step 1: Set Up Replication on the Master Select one BSC as the Replication Master. You can also set up a secondary BSC in a failover configuration with the Replication Master. You can configure VLANs as well. To set up replication on the Master BSC: Click the Mobility MatriX tab in the BSC administrator console, and then click the Replication Setup tab.
  • Page 275: Step 3: Set Up Replication On The Nodes

    Replication Figure 14-12: Create a Node Page Optional. If you are configuring the replication feature to support a Load Sharing Group, you must take the additional step of adding the Replication Master as a Replication Node by following steps a to c. This is only required if you are using the BSC Load Sharing Feature.
  • Page 276: Step 4: Set Up Cascaded Replication (More Than Ten Bscs)

    Chapter 14: Secure Mobility® MatriX Figure 14-13: Configuring Replication on a Node BSC Mark the Acquire a snapshot from the master? checkbox to configure the Replication Node to upload the database snapshot file that is generated on the Replication Master. The upload occurs when you restart the Replication Nodes, later in this procedure.
  • Page 277: Step 5: Restart Services On The Master And All Nodes

    Replication Figure 14-14: Configuring a Replication Master/Node Do not restart the BSC until instructed to do so at the end of this procedure. Step 5: Restart Services on the Master and All Nodes To restart each BSC, click the click here link in the Restart message on the Replication Master, on all of the Replication Nodes, and on any combination Master/Node BSC if using cascaded replication.
  • Page 278: Tracking Replication Status

    Enabled - Is replication enabled on the BSC? Yes or no. • Address - IP address of Replication Node or Master. • Model - BlueSecure Controller model number, e.g. BSC-2100. • Version - System software version the BSC is running. •...
  • Page 279: Load Sharing

    Load Sharing Use the BSC load sharing feature in environments where many wireless clients log onto the network simultaneously via a limited number of access points. The load sharing feature should be used when the collective traffic load from a group of wireless and wired clients exceeds the performance limits of a single BSC.
  • Page 280: Network Requirements

    Chapter 14: Secure Mobility® MatriX Network Requirements Ensure that your BSC network meets the following requirements before you configure the BSC load sharing feature on up to six BSCs in a load sharing group. • We recommend that you assign a fixed IP address to the protected interface for each BSC in the load sharing group (LSG) because during a load sharing failover event, the interface state might change such as to conflict with the DHCP client.
  • Page 281: Figure 14-17: Load Sharing Nodes Page

    Load Sharing sharing feature on up to six members of the local replication configuration including the Replication Master by following these steps. Note: Before configuring LoadSharing or performing the following three steps, create all the VLANs that you wish to use on LoadSharing Nodes.
  • Page 282: Figure 14-18: Defining Lsg Member Settings

    Chapter 14: Secure Mobility® MatriX Figure 14-18: Defining LSG Member Settings Select a weight (1 to 5) from the Weight drop-down menu to assign the LSG member. A low weight (e.g. 1) means that the LSG member is less likely to be selected to service client traffic. A high weight means the LSG member is more likely to be selected.
  • Page 283: Figure 14-19: Configuring Load Sharing On The Master

    Load Sharing • Enter a subnet mask in the Managed side netmask that specifies which bits in the Load Sharing virtual IP address correspond to network address and which bits correspond to the subnet portion of the address. This netmask must match the corresponding VLAN’s netmask.
  • Page 284: Configuring Bsc Load Sharing (No Nat)

    Chapter 14: Secure Mobility® MatriX Figure 14-20: Configuring Load Sharing on a Node Mark the ID radio button that corresponds to the load sharing ID for the Load Sharing Node. Specify the Load sharing method that is to be used: NAT enabled for Managed Interfaces or NAT disabled for Managed Interfaces.
  • Page 285: Verifying Your Load Sharing Configuration

    Load Sharing You must allocate physical and virtual addresses carefully according to the subnets you have chosen. Each node's assigned virtual address and physical address must be located in the same subnet. physical=192.168.160.1/24, virtual=192.168.160.2/26; physical=192.168.160.65/24, virtual=192.168.160.66/26; physical=192.168.160.129/24, virtual=192.168.160.130/26. Note that here we use the /24 subnet for all physical addresses and the /26 subnet for the virtual addresses.
  • Page 286: Figure 14-21: Verifying The Protected Interface Address Settings

    Chapter 14: Secure Mobility® MatriX Physical Protected Interface Address Virtual Loadsharing Protected Interface Setting Figure 14-21: Verifying the Protected Interface Address Settings Figure 14-22: Load Sharing Setup on the Load Sharing Master In the event of a down interface on a Load Sharing Group member, the Load Sharing Master will reassign the traffic load to another member of the group almost instantaneously.
  • Page 287: Figure 14-25: Status Summary For An Operational Lsg

    Load Sharing Figure 14-23: Load Sharing Setup on the Load Sharing Node Figure 14-24: Verifying the Load Sharing Failover Event Load Sharing Status Summary You can also display a quick visual snapshot of your configured Load Sharing Group by clicking Status/Summary, and then clicking the Loadsharing link at the top of the page. The status summary for a three-node Load Sharing Group that is up and fully operational would look similar to this: Figure 14-25: Status Summary for an Operational LSG...
  • Page 289 Status This chapter covers the following topics: • Monitoring Active User Connections • Viewing the BSC Event Log • Displaying a BSC Status Summary • Displaying BSC Secure Mobility® Status • Displaying Load Sharing Status • Displaying Power over Ethernet (PoE) Status •...
  • Page 290: Monitoring Active User Connections

    Chapter 15: Status Monitoring Active User Connections You can monitor and display active user connection status and other user information, such as IP address, assigned role, and throughput statistics, in both text and graphical formats. The information in this section is organized as follows: •...
  • Page 291: Forcing A User Logout

    Monitoring Active User Connections • Role - Role assigned to this connection. To change a user’s role, mark that user’s checkbox and then select the new role from the Override Role dropdown. • Authentication - Authentication type (Local = BSC user database) •...
  • Page 292: Monitoring Connected Access Points

    Chapter 15: Status • Packets Dropped - Count of packets dropped due to blocked port(s). • Port N - Count of packets dropped on this blocked port. • Start Time - Start date and time of the connection session. Monitoring Connected Access Points To enable the BSC to monitor the status of connected access points, you must configure the access point tracking parameters listed on the General/Misc page in the BSC administrator console.
  • Page 293: Figure 15-3: Displaying Detailed Access Point Information

    Monitoring Active User Connections Figure 15-3: Displaying Detailed Access Point Information If you are monitoring BlueSecure Access Points connected to and configured by the BSC, then the following additional fields of status information are displayed:
  • Page 294: Monitoring Rf Ids Alarms

    Chapter 15: Status • Associations - Wireless clients that have associated to the BSAP. Click (+) to expand the list of associations or (-) to collapse the list. • Count - Number of associations to the BSAP. • Channel - Channel on which BSAP’s 802.11a/n and 802.11b/g/n radios are operating.
  • Page 295: Monitoring Devices In Rf Autocontainment

    Monitoring Active User Connections Sensor IP or Sensor Location columns are visible, the column headers also have a global expansion button (a plus icon). Clicking on this icon expands all sensor mac columns. • Action - Click the pencil icon to display the Create a New Station page.
  • Page 296: Figure 15-6: A Sample Graphical Monitor Display

    Chapter 15: Status Figure 15-5: Contained Devices Page You must have the Macromedia Flash (Version 6 or later) browser plug-in installed and a VBScript-enabled browser [e.g., Microsoft Internet Explorer] to use the graphical monitoring tool. You can download and install the latest Macromedia Flash browser plug-in by visiting http://www.macromedia.com/go/getflashplayer.
  • Page 297: Figure 15-7: Filter Users Dialog

    Monitoring Active User Connections User connections are displayed on the horizontal axis and data throughput on the vertical axis. Note the following about the graphical monitor display: • Secure connections are shown as a solid cylinder (not shown in the example) and non-secure connections as a hollow tube with a center rod.
  • Page 298: Viewing The Bsc Event Log

    Chapter 15: Status Click Filter to apply the filters you have defined. The Filter Users dialog closes and the graphical monitoring tool is refreshed to display only those user connections that pass through the filters you have defined. You may edit or turn off the filters you have defined by clicking on the appropriate link at the bottom of the graphical monitoring tool screen.
  • Page 299: Displaying A Bsc Status Summary

    Displaying a BSC Status Summary alphanumeric characters in event descriptions, choose Search from the Message drop-down list and enter the string. The Rows per page control restricts the number of rows displayed per log page for easy viewing. The Page number drop-down list, next link, and prior link allow quick navigation through the log.
  • Page 300: Displaying Bsc Secure Mobility® Status

    Chapter 15: Status Displaying BSC Secure Mobility® Status If you have configured the BSC Secure Mobility feature to enable users to roam across subnets seamlessly (see “Step 1: Designate and Set Up the Mobility Node List Master” on page 14-6 for setup details), you can display status information about a user’s roaming status.
  • Page 301: Displaying Power Over Ethernet (Poe) Status

    Displaying Power over Ethernet (PoE) Status Figure 15-10: Load Sharing Status Summary Displaying Power over Ethernet (PoE) Status For the BSC 600/1200, you can display the PoE status, as shown in The status summary for a three-node Load Sharing Group that is up and fully operational would look similar to the following figure.
  • Page 302: Using Pre-Defined Report Definitions

    Chapter 15: Status Using Pre-defined Report Definitions The following pre-defined report definitions are available to generate your BSC report: • Total Users - Total number of users. • Bandwidth usage by user - Bandwidth consumed by each user. • System bandwidth usage - Total BSC throughput. •...
  • Page 303: Creating A Bsc Report

    Generating and Displaying BSC Reports • Log Level - Restricts collected data to records of a specified log level or higher in severity. For example, if you choose Critical, the BSC only collects data from records that have a Critical, Alert, or Emergency log level. Click Save to save the report definition to the BSC database or Save and create another to continue creating report definitions.
  • Page 304: Displaying Or Delivering A Report

    Chapter 15: Status Alternatively, you can generate a report for a specific time period. To do so, select Specific Time Period from the drop down and then indicate the Start Time and End Time. The ending date and time you select is also the date/time that the report is automatically delivered via the selected delivery options.
  • Page 305: Performing Standard Network Diagnostic Tests

    Performing Standard Network Diagnostic Tests To specify display or delivery of the report, click the appropriate icon in the Action column next to the name of the report. The following table summarizes the report icons. Table 15-1: Report Display and Delivery Icons Icon Click to ...
  • Page 306: Figure 15-15: Task Execution Menu Page

    Chapter 15: Status Figure 15-15: Task Execution Menu Page. Displaying the Task Execution Menu: Click the Status tab in the BSC administrator console, click the Diagnostics tab, and then click the System link at the top of the page. The Task execution menu page appears as shown in Figure 15-15.
  • Page 307 Performing Standard Network Diagnostic Tests Purge DHCP leases: Mark this checkbox to purge existing IP addresses leased by the DHCP server. Enabling this option means that clients might receive different IP addresses when issued by the DHCP server. Netstat: List statistics about the network including socket status, interfaces that have been auto-configured, memory statistics, etc.
  • Page 308: Capturing Network Traffic Data

    Chapter 15: Status Capturing Network Traffic Data The BSC allows you to capture network traffic data on any of its physical or VLAN interfaces, filter the packets using specified criteria, and then save the data as a file. You can then either display the data file on screen or import the file into any network analyzer program, such as Ethereal or TCP Dump.
  • Page 309 Capturing Network Traffic Data Optional. To delete a traffic capture file, select the name of the file from the Choose File drop-down list, mark the Delete radio button, and then click the Submit button.
  • Page 311: Maintenance

    Maintenance This chapter covers the following topics: • Restarting, Rebooting, and Shutting Down the BSC • Configuration Backup and Restore • Backup • Restore • Show Tech • Resetting the BSC to its Default Settings • Save DHCP Leases • Export Firewall Policies •...
  • Page 312: Restarting, Rebooting, And Shutting Down The Bsc

    Chapter 16: Maintenance Restarting, Rebooting, and Shutting Down the BSC Many configuration settings in the BSC do not take effect until you restart certain BSC services or reboot the BSC. Where a restart of service(s) or a reboot is needed to effect configuration changes, a message is displayed in the administrator console that includes a click here link.
  • Page 313: Backup

    Configuration Backup and Restore Backup All BSC configuration information is stored in its internal database. We strongly recommend that you routinely back up the database, so that you can restore the original settings if the current database becomes corrupted or unusable. You can also configure the BSC to back up its database automatically to an external host via FTP or SCP.
  • Page 314: Show Tech

    The restored configuration will not take effect until you restart the BSC. Show Tech If you encounter trouble configuring your BlueSecure Controller, you may contact Bluesocket customer support for assistance (See Appendix B for Customer Support contact information). Your Bluesocket customer support representative may ask you to send him a debug file that contains your BSC’s configuration along with troubleshooting information.
  • Page 315: Save Dhcp Leases

    Configuration Backup and Restore To reset all BSC configuration settings back to their default values: Click the Maintenance tab and then click Configuration Backup/Restore. The BSC configuration backup and restore page appears. Mark the Reset to default settings radio button, and then click Reset. You are prompted to confirm your intention to restore the BSC’s default settings as shown in Figure 16-4.
  • Page 316: Export Bsap-1840 Licenses

    Chapter 16: Maintenance Un-registered;1;Allow;Any;Any;Outgoing;192.168.100.18/255.255.255.255;Any;Any; Un-registered;1;Allow;Any;Any;Outgoing;abc.go.com/255.255.255.255;Any;Any; Un-registered;1;Allow;Any;Any;Outgoing;www.google.com/255.255.255.255;Any;Any; Guest;2;Allow;TCP;53;Outgoing;0.0.0.0/0;Any;Any; Guest;2;Allow;UDP;53;Outgoing;0.0.0.0/0;Any;Any; Guest;2;Allow;Any;Any;Outgoing;0.0.0.0/0;Any;Any; Export BSAP-1840 Licenses This exports the list of BSAP-1840 802.11n licenses on the BSC. Upgrading to a New Version of Runtime Software The BSC contains two runtime software images, A and B. One runtime image is active and the other image is in standby mode.
  • Page 317: Upgrading Multiple Bscs In A Replication Configuration

    Upgrading to a New Version of Runtime Software After the database is backed up, click the Maintenance tab in the BSC administrator console, and then click Upgrade to display the BSC update page, for example as shown in Figure 16-5. Figure 16-5: BSC Update Page The current active image, either A or B, is shown in boldface on the right side of the page.
  • Page 318: Upgrading A Failover Bsc Configuration

    Chapter 16: Maintenance Restart services on each BSC you have upgraded. Re-configure each original Node BSC as a Node and configure it to receive a snapshot from the Replication Master: Click the Mobility MatriX tab in the Administrator console, and then click Replication Setup.
  • Page 319: Uninstalling A Patch

    Switching Between BSC Runtime Software Versions The Manage Patches for BSC page appears as shown in Figure 16-6. Figure 16-6: Manage Patches for BSC Page Any previously installed patches are listed in the Installed Patches listbox. Use the Browse button to enter the pathname where the patch file resides on your local computer in the Upload new patch field.
  • Page 320: Exporting And Importing Bsc Bulk Data Files

    Chapter 16: Maintenance Click Switch, and then reboot the BSC manually when prompted. Figure 16-7: BSC Switch Tool Page Exporting and Importing BSC Bulk Data Files You can export and import these types of BSC bulk data files: • Local Users •...
  • Page 321: Importing Data Files

    Exporting and Importing BSC Bulk Data Files Select the local data fields to export by marking the checkbox. It is good practice to export all or all configured data fields. Never omit a configured data field. Click Export, and then specify where to save the file on your computer. Importing Data Files Note: The presence/absence of the ID column in the import data determines whether the existing records are overridden or added to the existing records.
  • Page 322: Exporting Bsc Log Records

    Chapter 16: Maintenance Note: When importing values, the BSC shows the values before it adds them to the configuration information. It will give you warnings about any records it cannot accept because they would conflict with the data in existing records (such as two records with the same MAC address or user name).
  • Page 323: Blueprotect

    Figure 16-12: Manage Licenses page BlueProtect The license is supplied by Bluesocket as part of your BlueSecure Controller distribution if you have purchased the endpoint scanning option. Note: A unique BlueProtect license is required for all Controllers even if in a load sharing or mobility mesh.
  • Page 324: Bsap 1840

    Chapter 16: Maintenance BSAP 1840 When purchasing BSAP-1840 APs, there are three SKUs: two hardware SKUs (same hardware, different serial numbers) and one 11n license SKU. They are: • BSAP-1840-000-00-0 - 802.11abg with 11n upgrade option • BSAP-1840-11N-00-0 – 802.11abgn •...
  • Page 325 Licenses failover, the license file is automatically copied between the primary and failover box, so in the event of a failover, the BSAP-1840s will remain licensed.
  • Page 327: An Overview Of Virtual Lans

    An Overview of Virtual LANs The Bluesocket BSC supports multiple VLANs on both the managed and protected sides of the network. This appendix presents an overview of VLANs and their implementation in the BSC, and includes: • LANs vs. VLANs •...
  • Page 328: Lans Vs. Vlans

    Appendix A: LANs vs. VLANs A LAN is a broadcast domain composed of hubs, switches, or bridges that are physically wired to each other and to multiple nodes and hosts. Typically, hosts within one LAN can communicate directly with each other, but inter-LAN communication requires one or more routers depending on the complexity of the network.
  • Page 329: Pass-Through Vlans

    number. VLAN interfaces support all of the authentication types and services supported by the physical interfaces. On the BSC, you can set up these types of VLANs: • Pass-Through VLANs • Termination VLANs • Initiation/Switched VLANs Pass-Through VLANs Pass-through VLANs on the BSC receive 802.1q-tagged packets from one physical interface (typically the managed side) and forward them with the same tag to the outgoing physical interface (protected side).
  • Page 330: Initiation/Switched Vlans

    Appendix A: To configure a termination VLAN properly, do configure a VLAN interface on the protected side with a VLAN ID that corresponds to a VLAN interface on the managed side. Initiation/Switched VLANs With initiation or switched VLANs on the BSC, VLAN tags are added to packets exiting the BSC on the protected side based on the user’s Role.
  • Page 331: Enforcing Network Usage Policies With Vlans

    Enforcing Network Usage Policies with VLANs Enforcing Network Usage Policies with VLANs In addition to configuring Roles to perform VLAN tagging, you can use VLAN IDs to determine policy enforcement within a Role (the managed side VLAN ID that is used within the policy).
  • Page 333: Provisioning Network Dhcp Servers To Support Bsaps

    Provisioning Network DHCP Servers to Support BSAPs The BSAP needs the IP address of the home BSC to which it will connect and from which it will obtain its software image and configuration. You can provide the home BSC IP address to a BSAP by manually configuring the DHCP server on your network to send BSC IP addresses to BSAPs using DHCP vendor-specific option 43.
  • Page 334: Overview

    Appendix B: Overview You can deploy BSAPs on a routed network with Layer-3 connectivity to the BSC as shown in the following figure. [Figure labels: BSAPs Receive their IP Addresses from Network DHCP Server; BSAPs Receive Home BSC IP Address Using DHCP Option 43 or DNS]...
  • Page 335: Figure B-3: Entering Dhcp Vendor Class Information

    Figure B-2: Defining the BSAP Vendor Class The DHCP Vendor Classes dialog appears. Click Add... and the New Class dialog appears, for example. Figure B-3: Entering DHCP Vendor Class Information Enter a meaningful Display name and Description, and then enter the string (BlueSecure.AP1500) that the DHCP client on the BSAP will send to the DHCP server.
  • Page 336: Figure B-4: The Bsap Vendor Class Is Now Listed

    Appendix B: Click OK to close the New Class dialog. You will see that the BSAP vendor class is listed in the DHCP Vendor Classes dialog, for example: Figure B-4: The BSAP Vendor Class is Now Listed Set a value for Right click on the DHCP server in the navigation tree, and then select Set Predefined predefined Options….
  • Page 337: Figure B-7: Configuring Scope Options

    In the Option Type dialog: Enter a descriptive name in the Name field. Select Encapsulated for the Data type. Enter 127 for the Code Value. Enter a meaningful description in the Description field. Click OK to return to the Predefined Options and Values dialog. Click OK to finish the definition of Options and Values.
  • Page 338: Provisioning An Internet Systems Consortium (Isc) Dhcp Server

    Appendix B: Note: If you wish to prioritize certain BSCs to connect to, a failover option is allowed in the IP separated list. By prepending the letter F to the IP address, it designates that BSC as a failover BSC. Only if the primary BSC(s) fail, will the AP associate to the failover BSC(s).
  • Page 339: Configuring A Cisco Ios Dhcp Server

    More than one BSC IP address can be specified, separated by commas or semi-colons. The length (up to 255) can contain up to 15 IP addresses. The following example shows two BSC IP addresses (192.168.160.1 and 40.4.4.1) - 2C is a comma: if option vendor-class-identifier = "BlueSecure.AP1500"...
  • Page 341: Appendix C Endpoint Scanning

    Bluesocket BSC functionality to provide the proper network access and policy management based on the user’s credentials. This appendix provides complete procedures for configuring endpoint scanning via BlueProtect on the BlueSecure Controller and includes: • Overview •...
  • Page 342: Overview

    Appendix C: Endpoint Scanning Overview A “trusted end-point” refers to a client device that has been verified to be free of worm or virus infection and confirmed to be running virus detection software or firewall software to protect it against future attacks or infections. Increasingly, as a matter of policy, network administrators will allow only trusted end-points onto their networks.
  • Page 343: Client Browser Requirements

    Client Browser Requirements HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Install Check And the existence of the key: IE40 Registry key checks must end with a value name, and path checking is not supported. Only DWORD, String, and Expanded Strings are supported. Expanded strings are treated as regular strings. File Checking BlueProtect can now scan the system for a file on the disk, or a running process.
  • Page 344: Applet Loader Page

    Entering BlueProtect License on the BSC’s Manage License Page: Before you can access and use BlueProtect on the BlueSecure Controller, you must enter your License Key in the BSC administrator console. See “Licenses” on page 16-12 for details.
  • Page 345: Creating A Blueprotect Policy

    Creating a BlueProtect Policy Figure C-1: HTTP Settings Page - BlueProtect Endpoint Scanning Note: Any URL that appears in this window will be automatically allowed for clients in the Unregistered role. This allows a client to download Java. By default, a link is provided for Windows clients.
  • Page 346 Appendix C: Endpoint Scanning Select the Save button. To configure Antivirus, Antispyware, or Firewall settings, click the link for your platform at the left of the page. For example, the Edit BlueProtect policy page redisplays as shown in Figure C-2 when you click the Antivirus Windows link: Mark the Enable Antivirus Category checkbox. In the Select Products scrolling list, mark the checkbox for the product you want BlueProtect to verify is installed on the wireless client.
  • Page 347: Figure C-2: Edit Blueprotect Policy

    Creating a BlueProtect Policy. Figure C-2: Edit BlueProtect Policy...
  • Page 348: Remediation

    Unregistered role. When scanning is enabled, the BlueSecure Controller opens only the minimum number of destination IPs in the Unregistered role needed to allow endpoints to reach remediation sites. For example, if the administrator requires McAfee antivirus, then www.mcafee.com is...
  • Page 349: Assigning A Blueprotect Policy To A User Role

    without credentials from getting to Remediation sites (which could be internet sites or internal resources). Assigning a BlueProtect Policy to a User Role: You need to edit user roles on the BSC to enable/disable BlueProtect scanning for each role and to specify the frequency at which users authenticated into that role will have their devices scanned.
  • Page 350: Figure C-3: Client Display When Required Products Not Installed

    Appendix C: Endpoint Scanning. Figure C-3: Client Display when Required Products Not Installed. Figure C-4: Overriding a Client Role...
  • Page 351: Serial Port Access To Essential Functions

    Serial Port Access to Essential Functions: On rare occasions, you may temporarily lose access to the BSC's web browser interface due to a misplaced password or an ISP service outage. In this case, the BSC provides access to essential functions via its serial port.
  • Page 352: Listing Of Accessible Functions

    Appendix D: Listing of Accessible Functions
    • 1) dbinit - Restore all values in the BSC back to their defaults.
    • 2) ifconfig - Show the NIC settings for the protected, managed, or failover interface.
    • 3) processes - Show a list of all running processes.
    •...
  • Page 353: Figure D-1: Recommended Null-Modem Serial Cable Pinout

    [Figure D-1: null-modem serial cable, DB-9 Female to DB-9 Female. Pin Connections table, surviving entries: L-SH R-SH; L-7, R-8.] Use the above cable for RS-232 asynchronous communications between the BSC and a laptop computer. In this cable, Request-to-Send (RTS, pin 7) asserts the Carrier Detect (pin 1) on the same side and the Clear-to-Send (CTS, pin 8) on the other side of the cable.
  • Page 355: Contacting Bluesocket, Inc

    Contacting Bluesocket, Inc. This appendix provides complete information for contacting Bluesocket customer support personnel and includes:
    • Obtaining Technical Support
    • Contacting Bluesocket Customer Support
  • Page 356: Obtaining Technical Support

    Appendix E: Obtaining Technical Support Bluesocket is committed to providing complete technical support to its customers. If you have a question concerning your Bluesocket products, refer to the technical documentation, including release notes, supplied with your distribution. You should be able to find the answer to your question in these documents.
  • Page 357 API (Application Programming Interface) - Bluesocket provides a set of remote procedure call (RPC) functions as an application programming interface (API) in its BlueSecure Controller (BSC) system software. By utilizing this API, you can create a custom application to configure, manage, and monitor a Bluesocket BSC.
  • Page 358 Bluetooth - A specification for short-range radio links between mobile computers, mobile phones, digital cameras, and other portable devices. BSC - The abbreviation BSC refers to all models of the BlueSecure Controller product family. CAS (Central Authentication Service) - CAS is an authentication method developed at Yale that enables single sign-on across multiple web applications.
  • Page 359 Glossary EAP-FAST (EAP-Flexible Authentication via Secure Tunneling) - A publicly accessible IEEE 802.1X EAP type developed by Cisco Systems and supported by the BSC. EAP-FAST uses symmetric key algorithms to achieve a tunneled authentication process. Encryption - Scrambling data so that only the authorized recipient can read it. Usually a key is needed to decrypt the data.
  • Page 360 Managed Side - The segment of the network containing wireless clients and wireless access points. The BlueSecure Controller manages use, quality of service, and security on this side of the network.
  • Page 361 Glossary RADIUS (Remote Authentication Dial-In User Service) - An authentication and accounting system that verifies users' credentials and grants access to requested resources. RC4 - An encryption algorithm designed at RSA Laboratories; specifically, a stream cipher of pseudo-random bytes that is used in WEP encryption. Rogue - A rogue station is one that you have not authorized for operation.
  • Page 363 Index Symbols .BLUE file 16-3 16-4 .DEBUG file 16-4 .DMP file 15-20 Numerics 802.11i preauthentication, enabling for an SSID 12-24 802.1x authentication server, configuring the BSC’s 6-21 802.1x authentication server, running the BSC’s internal 6-19 802.1x authentication, configuring 6-17 802.3af PoE support, enabling on the BSC-600 2-14 4-11 4-33 AARP proxy...
  • Page 364 13-3 data encryption options 12-21 limiting client connections to 12-15 monitoring 12-29 15-4 monitoring connected 15-5 overview of 1-3 12-2 uploading firmware files for 12-6 BlueSecure Controller connecting to remotely 3-2 installation procedures 2-1 introduction to 1-2 Index-2...
  • Page 365 Index models 1-7 network configurations 1-10 specifications 1-9 Bluesocket SSL certificate, installing 3-6 Bluesocket stopped message 2-7 Bluesocket, contacting E-2 Brackets, mounting 2-12 BSAP service, enabling on the BSC 12-26 BSC-1200 1-8 BSC-2100 1-8 BSC-5200 1-7 BSC-600 1-8 Bulk data files, importing/exporting 16-10 Capturing network traffic data 15-20 CAS authentication, configuring 6-30 Certificate management page 10-21...
  • Page 366 Index Date setting, configuring the BSC’s 10-10 Debug file, creating 16-4 Debugging the BSC 16-4 4-20 Default gateway IP address for remote clients to reach the BSC 10-3 Default redirect URL Defaults, resetting all BSC parameters to 16-4 Delete button, using 3-11 Deleting administrator or user accounts 3-6 Deleting user accounts 5-2 Denial of Service (DoS) attack, combating 8-14...
  • Page 367 Index Enable MAC Device 8-15 Enable QoS for this Service 10-25 Enable show Cisco CDP Neighbors? Enable SIP Outbound Proxy Service? 9-2 Endpoint scanning, configuring support for C-1 12-15 Enforcement Enterprise guest access, configuring 5-2 Envelope icon, using 3-12 Environmental requirements for the BSC 2-10 Event levels, descriptions of 10-16 Event log, viewing 15-10 Event logging, configuring 10-14...
  • Page 368 Index H.323 protocol, running as a BSC network service 8-14 4-27 Heart beat Help button, enabling on the user login page 11-5 Home BSC, how a BSAP selects 12-6 Hostname redirection 10-3 Hotspot account generation feature, enabling 1-3 11-10 HTML, customizing on the user login page 11-6 HTML-based administrator console 3-2 HTTP proxy server, using with the BSC 10-3 HTTP server settings, modifying the BSC’s 10-2...
  • Page 369 Index Language code 10-4 Languages, changing on the user login page 11-5 LCD 2-4 LDAP/Active Directory authentication over SSL, configuring 6-6 6-31 LDAP/Active directory authentication server, configuring 6-6 LEDs BSC-1200 2-7 BSC-1200/BSC-1200 SOE 2-8 BSC-2100 2-5 BSC-5200 2-4 License, entering your BlueProtect C-4 Lifetime Minutes Load balancing clients on a BSAP 12-15 Load sharing...
  • Page 370 Index Managed side of the network 1-2 Managed virtual interface, configuring 4-23 MatriX, secure mobility general configuration procedure 14-3 overview of 1-5 14-2 reasons for deploying 14-2 MD5, configuring support of 6-17 Media files, uploading to the BSC 11-17 Miscellaneous BSC options, configuring 10-24 Mobility MatriX page 3-9 Monitor administrator account 3-4 Monitoring access points 15-4...
  • Page 371 Index Page controls, using 3-13 Pass-through VLANs A-3 Password administrator account 3-2 changing 3-6 11-5 Password change choice enabled Password change, forcing a user 5-4 Password, changing an administrator’s 3-5 Password, recovering lost or forgotten administrator account 3-3 Patch installing a system software patch 16-8 removing an installed system software patch 16-9 PEAP, configuring support of 6-17 PEAP, terminating on the BSC 6-19...
  • Page 372 Index Quality of service (QoS), defining for a network service 8-15 Quarantined role for IDS 10-8 Question mark (?) link 3-9 Rack requirements 2-10 Rack-mounting procedures 2-12 Radio settings, configuring 12-10 RADIUS accounting attributes sent from the BSC 7-3 configuring use of 7-1 description of 1-2 RADIUS authentication server configuring use of 6-3...
  • Page 373 Index 6-19 RFC822 Rogue, identifying an RF station as 13-3 Role elements, creating 8-10 Role inheritance 8-3 Role-based authorization configuring 8-2 description of 1-3 example of 8-2 Roles defining 8-4 modifying 8-10 10-4 Root CA URL Routing table, displaying the BSC’s 4-28 Rubber feet, connecting to the BSC chassis 2-10 Safety considerations when installing the BSC 2-2 Save and create another button, using 3-11...
  • Page 374 Index Sorting administrator console data 3-12 Sorting table data 3-12 Space requirements 2-10 Specifications for the BSC 1-9 Specifications, BSC 1-9 Spectralink IP phone traffic, passing through the BSC 9-3 Speed LEDs, BSC-2100 2-5 SSIDs, creating 12-20 SSL certificate installing a custom login 11-22 installing Bluesocket 3-6 renewing 11-27 requesting from certificate provider 11-23...
  • Page 375 Index Trash can icon, using 3-11 Troubleshooting your BSC’s configuration 16-4 Trusted certificate authority (CA) certificate 10-20 Trusted server certificate 10-20 TTLS, configuring support of 6-17 TTLS, terminating on the BSC 6-19 Tunneled Transport Layer Security Protocol, terminating on the BSC 6-19 10-23 Upload Cert URL Redirect...
  • Page 376 Index creating on the protected side 4-5 initiation A-4 overview of A-1 pass-through A-3 termination A-3 Vocera IP phone traffic, passing through the BSC 9-3 Voice Over WLAN support, configuring 9-1 Voice page 3-9 VoIP Protocol Support 1-5 VoIP, configuring network services to support 8-14 Web Logins page 3-9 Web page, directing users to after login 8-9 Windows Internet naming service (WINS) server 4-13...
