CN3000
Administrator's Guide


Summary of Contents for Colubris Networks CN3000

  • Page 1 CN3000 Administrator’s Guide...
  • Page 2 Changes are periodically made to the information herein; these changes will be incorporated into new editions of the document. Copyright © 2004 Colubris Networks Inc. All rights reserved, including those to reproduce this document or parts thereof in any form without permission in writing from Colubris Networks, Inc.
  • Page 3: Table Of Contents

    Management station ................26
    Management scenarios ................26
    Starting the management tool ..............27
    Security ....................28
    Wireless coverage ..................30
    Factors limiting wireless coverage ............30
    Virtual access points ................31
    Maximum wireless client stations ............31
    Mounting on a wall or ceiling ...............65
    Step 2: Connect power ................66
    Step 3: Configure the CN3000 ..............66
    Chapter 4 Scenarios...
  • Page 4: Table Of Contents

    Step 3: Setting up customer authentication ..........102
    Configuration procedure ..............102
    HTML-based user logins ..............103
    Step 4: Setting up the RADIUS server ............104
    Minimum setup ..................104
    Managing shared secrets ..............149
    Creating a profile for the CN3000 on the RADIUS server ......150
    Standard RADIUS attributes ..............150
    Colubris-AVPair attribute ..............152...
  • Page 5: Table Of Contents

    Install certificates on the web server ..........179
    Define attributes .................179
    Install a certificate on CN3000 ............179
    Authenticating customers ................180
    Example 1 ..................180
    Example 2 ..................180
    RADIUS accounting ................220
    Wireless protection ................220
    Traffic tunnelling (GRE) ..............221
    Wireless links list ..................223
    Wireless link configuration ..............223
    Wireless link configuration ..............224...
  • Page 6: Table Of Contents

    Default user quotas ................274
    Default user idle timeout ..............275
    Default user SMTP server ..............275
    Default user session timeout .............275
    Modify the default configuration files ..........305
    Start and connect to the server ............305
    Define a RAS client for the CN3000 ...........306
    Create RADIUS profiles ..............308
    Update the Steel-Belted Radius configuration ........309...
  • Page 7: Table Of Contents

    Step 1: Add support for Colubris Networks attributes ......336
    Step 2: Connect to the Steel-Belted Radius server ........337
    Step 3: Create a RADIUS client profile for the CN3000 ......339
    Step 4: Define RADIUS profiles ..............341
    Defining a CN3000 profile ..............341
    Chapter 18 Regulatory, wireless interoperability, and health information...
  • Page 8: Table Of Contents
  • Page 9: Introduction

    Chapter 1: Introduction. This chapter provides an overview of this manual and other important information.
  • Page 10: How To Use This Guide

    Chapter 11: Configuration parameters This chapter provides an overview of the configuration options provided by the management tool for most of the important features on the CN3000. For information on features not covered in this section, consult the online help.
  • Page 11: Feature Summary

    Chapter 1 Introduction. Feature summary: Wireless radio 802.11b...
  • Page 12: Security

    Chapter 1 Introduction. Security •...
  • Page 13: Package Contents

    Technical support: To obtain technical support, contact your reseller. Information about Colubris Networks products and services, including documentation and software updates, is available on our web site at www.colubris.com.
  • Page 14: Syntax Conventions

    Chapter 1 Introduction. Syntax conventions: This manual uses the following formatting conventions.
  • Page 15: How It Works

    Chapter 2: How it works. This chapter covers important topics that will help you to understand how to install, deploy, and manage a wireless public access network.
  • Page 16: Integrated Access Point And Access Controller

    Chapter 2 How it works. Integrated access point and access controller: The CN3000 is a fully integrated access point/access controller. It creates a public wireless network and provides fine-grained management and control of customer sessions.
  • Page 17: Scalable Solution

    Chapter 2 How it works. Scalable solution: The CN3000 can effectively be deployed in both small and large installations. The following topologies illustrate potential deployments.
  • Page 18: Multi-Site Installation

    • A single CN3000 is installed along with one or more CN300/CN320 satellites at sites #1 and #3. • At site #2, the CN3000 provides a wireless network and is also connected to a LAN to enable a number of wired computers to act as public access stations.
  • Page 19: Multi-Area Installation

    • A single CN3000 is installed along with one or more CN300/CN320 satellites at areas #1 and #3. • At area #2, the CN3000 provides a wireless network and is also connected to a LAN to enable a number of wired computers to act as public access stations.
  • Page 20: The Public Access Interface

    The public access interface is automatically activated when a customer attempts to browse to a resource on the protected network after establishing a wireless link with the CN3000. Initially, the customer will see the Login page. For example, this is the default login page:...
  • Page 21: Customizing The Public Access Interface

    For a complete description of the other pages that make up the public access interface, see Chapter 6. Customizing the public access interface: The CN3000 ships with a default set of pages for the public access interface. You can customize these pages to meet the needs of your installation. A web or ftp server is required to host any pages that you customize.
  • Page 22: Connecting Customers

    This feature enables wireless client stations that are using a static IP address to connect to the CN3000. The client station’s IP address does not have to be on the same subnet as the CN3000. This permits customers to access the wireless network without reconfiguring their networking settings.
  • Page 23: Email Redirection

    • must be using the same proxy server address and port number for both HTTP and HTTPS. • not be using 802.1x. The CN3000 supports a maximum of 100 client station connections. Up to 50 of these connections can use proxy support at the same time. Email: The CN3000 is able to provide SMTP email service on a per-customer basis.
  • Page 24: Customer Authentication

    The CN3000 enables you to create local accounts that bypass RADIUS authentication. To log in, customers use the public access interface, but instead of using the RADIUS server, authentication is handled directly by the CN3000. These accounts are useful for system administrators and management personnel.
  • Page 25 Chapter 2 How it works. MAC-based authentication: The CN3000 can authenticate devices based on their MAC address. This is useful for authenticating devices that do not have a web browser (cash registers, for example).
  • Page 26: Management Tool

    • A computer directly connected to the LAN port on the CN3000. This requires a cross-over Ethernet cable. To build your own cable, see page 288. • A computer on a wired LAN that is connected to the CN3000’s LAN port or Internet port.
  • Page 27: Starting The Management Tool

    Chapter 2 How it works. Remote management: • A remote computer connected to the CN3000 via the Internet. • A computer on the remote network the CN3000 has established a VPN connection to. Starting the management tool: 1. Start your Web browser.
  • Page 28: Security

    Important: Make sure that the RADIUS profile you select is configured and that the administrator account is defined on a functioning RADIUS server. If not, you will not be able to log back into the CN3000 because the administrator password cannot be authenticated.
  • Page 29 Secure remote management is possible using the integrated PPTP and IPSec client software. This enables the CN3000 to create a secure tunnel to a remote server using a public network (Internet). This can also be used to secure automatic configuration updates and communications with a remote RADIUS server or Web server.
  • Page 30: Wireless Coverage

    Chapter 2 How it works. Wireless coverage: As a starting point for planning your setup, you can assume that the radio in the CN3000 provides a wireless networking area, also called a wireless cell, of up to 300 feet (100 meters) in diameter at high power.
  • Page 31: Virtual Access Points

    • To define a new profile, open the Wireless > WLAN profiles page. See page details. Maximum wireless client stations: The total number of wireless client stations that can be connected to the CN3000 at any given time is 255, with a maximum of 50 client stations taking advantage of any active wireless VPN security option (IPSec, PPTP, L2TP).
  • Page 32: Performance Degradation And Channel Separation

    The set of available channels is automatically determined by the CN3000 based on the Country setting you define on the Wi-Fi page, which means that the number of non-overlapping channels available to you will also vary.
  • Page 33 Chapter 2 How it works. Example: When operating in 802.11b mode, the CN3000 supports the following 14 channels in the 2.4 GHz band:...
  • Page 34 Distance between access points: In environments where the number of wireless frequencies is limited, it can be beneficial to adjust the receiver sensitivity of the CN3000. To make the adjustment, open the Wi-Fi > Wireless page. For most installations, the large setting should be used. However, if you are installing...
  • Page 35: Building Multi-Cell Wireless Networks

    Configure all CN3000s with the same network name (SSID). Internet connection: Only one CN3000 can be connected to the Internet in this configuration. This also means that if a VPN connection is required to a remote server, this CN3000 must also make the connection. Security: To properly support roaming, all CN3000s must be configured with the same security features and settings, or no security (not recommended).
  • Page 36: Conducting A Site Survey

    Chapter 2 How it works. Conducting a site survey: To discover the operating frequencies of other access points in your area, open the Wireless > Neighborhood page. The CN3000 will automatically scan to find all active access points. For example: Note: If an access point is not broadcasting its name, the SSID is blank.
  • Page 37: Address Allocation

    CN3000 has the host name wireless.colubris.com. You do not have to add this name to your DNS server for it to be resolved. The CN3000 intercepts all DNS requests it receives on the wireless or LAN ports. It resolves any request that matches the certificate host name by returning the IP address assigned to the wireless port.
  • Page 38: Connecting To A Wired Lan

    CN300 Setting the LAN port address: The CN3000 connects to the wired LAN via its LAN port. You must assign a static IP address to this port because the CN3000 cannot function as a DHCP client on its LAN port.
  • Page 39: Connecting To The Internet

    Chapter 2 How it works. Configuring the DHCP server: By default, the CN3000 is configured as a DHCP server. If you already have a DHCP server operating on the wired LAN, you should disable it and use the one on the CN3000.
  • Page 40: The Radius Server

    • The default address for the mail server used to support SMTP redirection. When you set up a profile for the CN3000 on the RADIUS server you define this information in the form of a Colubris Networks vendor-specific attribute. For a complete list of all supported values see page 150.
  • Page 41: More Information

    For backup redundancy, each CN3000 RADIUS profile supports a primary and secondary server. The CN3000 will function with any RADIUS server that supports RFC 2865 and RFC 2866. Authentication occurs via EAP-MD5, CHAP, MSCHAP v1/v2, or PAP. Important: To safeguard the integrity of the RADIUS traffic, it is important that you protect communications between the CN3000 and the RADIUS server.
  • Page 42: Firewall

    However, if necessary, you can create a completely custom set of firewall rules to suit your particular networking requirements. If the CN3000 is connected to a wired LAN, the firewall protects the wired LAN as well. Integrated Firewall...
  • Page 43: Firewall Configuration

    Chapter 2 How it works. Outgoing traffic: Firewall setting Application...
  • Page 44: Customizing The Firewall

    Customizing the firewall: To customize the firewall, you define one or more rules. A rule lets you target a specific type of data. If the CN3000 finds data that matches the rule, the rule is triggered, and the data is rejected/accepted by the firewall.
  • Page 45: Network Address Translation

    Chapter 2 How it works. Network address translation. NAT overview: NAT is an address mapping service that enables one set of IP addresses to be used on...
  • Page 46: One-To-One Nat

    IP address, or impose a limit. For example: some PPTP servers want a unique IP address for each client station. To resolve this problem, the CN3000 allows you to assign multiple IP addresses to the Internet port and use them to distinguish outgoing NAT traffic for customers making VPN connections.
  • Page 47: Nat Example

    NAT mappings in the range 5000-10000. NAT example: The following example illustrates how to configure static NAT mappings to run a Web server and an FTP server on the internal network. This might occur when the CN3000 is used in an enterprise environment. 192.168.1.2...
  • Page 48 Chapter 2 How it works. 4.
  • Page 49: Secure Remote Connectivity

    Chapter 2 How it works. Secure remote connectivity: The CN3000 features VPN software which enables it to create a secure connection to a remote site via a non-secure infrastructure like the Internet.
  • Page 50: Local Mode

    Chapter 2 How it works. Local mode: Local mode lets you run the CN3000 without setting up a RADIUS server to handle authentication tasks. This is convenient for experimenting with the CN3000 feature set before deploying it, or for installations with fewer than 50 customers and no need for accounting support.
  • Page 51: Defining Customer Accounts

    4. Repeat for each customer. Up to 50 customers are supported. Customizing: When the CN3000 is operating normally (i.e., not in local mode), it must log into a RADIUS server before it can activate the public access interface. This is required so that...
  • Page 52: Centralized Mode

    Chapter 2 How it works. Centralized mode: By default, the CN3000 functions as an access controller. This means that it controls entry to the public access network via the public access interface. Customers must log in to gain access to the network.
  • Page 53: Wireless Bridging

    The wireless bridging feature enables you to use the wireless radio to create point-to-point wireless links to other access points. Each CN3000 can support up to six wireless bridges, which can operate at the same time as the network serving wireless customers.
  • Page 54 Chapter 2 How it works. Setting up a wireless link: 1.
  • Page 55: Firmware Management

    Note: Configuration settings are preserved during firmware upgrades. Scheduled: The CN3000 can automatically retrieve and install firmware from a local or remote URL. By placing CN3000 firmware on a web or ftp server, you can automate the update install process for multiple units.
  • Page 56: Using Curl

    These examples are non-secure (no certificates are used for authentication), but data traffic is still encrypted. Note: If you want to secure the connection with the CN3000 using certificates, you must use the --cacert option to specify where the CA certificates are located on your computer.
  • Page 57: Configuration Management

    Enables you to restore a configuration from a previously saved backup. This feature enables you to maintain several configuration files with different settings, which can be useful if you frequently need to alter the configuration of the CN3000, or if you are managing several CN3000s from a central site.
  • Page 58: Using Curl

    These examples are non-secure (no certificates are used for authentication), but data traffic is still encrypted. Note: If you want to secure the connection with the CN3000 using certificates, you must use the --cacert option to specify where the CA certificates are located on your computer.
  • Page 59 -s -k --cookie cookie.txt "https://24.28.15.22/goform/ScriptResetFactory?reset=Reset+to+Factory+Default" 4. Reset the CN3000 to activate the new configuration. curl -s -k --cookie cookie.txt "https://24.28.15.22/script/reset.asp"...
  • Page 60 Chapter 2 How it works...
  • Page 61: Installation

    Installation: This chapter explains how to install the CN3000...
  • Page 62: Anatomy

    Wireless port is receiving data. Startup behavior: When power is applied to the CN3000, the power light will start flashing. When the power light stops flashing, initialization is complete and the CN3000 is fully operational...
  • Page 63: Reset Button

    • the bottom five lights will be on. To resume normal operations, disconnect and reconnect power. Reset button: The reset button is located on the side of the CN3000. Use the end of a paper clip or another pointy object to press the button. Restarting: Press and release the button quickly to restart the CN3000.
  • Page 64: Step 1: Preparation

    Press down firmly to ensure that the card is properly seated in the socket. Installing rubber feet: The CN3000 can be used upright or lying down. To prevent slipping, attach the four rubber feet as shown below...
  • Page 65: Mounting On A Wall Or Ceiling

    Chapter 3 Installation. Mounting on a wall or ceiling: The CN3000 can be mounted on a wall or ceiling. In both cases, the unit hangs upside down.
  • Page 66: Step 2: Connect Power

    Chapter 3 Installation. Step 2: Connect power. Connect the power supply to the CN3000, then use the power cord to connect the power supply to a wall outlet.
  • Page 67: Scenarios

    Chapter 4: Scenarios. This chapter provides sample deployment strategies for common scenarios. These scenarios will give you a good idea of how to approach your installation.
  • Page 68: Before You Begin

    • Read Chapter 3 and know how to install the CN3000. Contents The following scenarios are described in this chapter. Scenario...
  • Page 69: Scenario 1A: Hotspot With Internet Access (Local Mode)

    Customer authentication is handled locally by the CN3000 and accounts are created on the CN3000. There is no support for accounting. The CN3000 is set to local mode, which means that a RADIUS server is not required to activate the public access interface. Instead, the default public access interface resident on the CN3000 is used by customers to log in and manage their sessions.
  • Page 70 Internet. 2. The CN3000 should intercept the URL and display the Login page. (Depending on the type of certificate that is installed on the CN3000, you may see a security warning first.)...
  • Page 71 Chapter 4 Scenarios. 3. Specify a valid customer name and password to log in. 4. The CN3000 session page will open. 5. Next, you are automatically redirected to the web site you originally requested.
  • Page 72: Scenario 1B: Custom Public Access Interface (Local Mode)

    How it works: In this scenario, a web server is used to store custom pages for the public access interface. The CN3000 loads these pages each time it is restarted. There are two ways to deploy this scenario. Topology 1: In this version, the web server is located on the Internet.
  • Page 73: Configuration Roadmap

    Chapter 4 Scenarios. Topology 2: In this version, the web server is located on local LAN B. Instead of being directly connected to the Internet, the CN3000 is also connected to local LAN B. Web server Router...
  • Page 74 Internet. 2. The CN3000 should intercept the URL and display the modified Login page. (Depending on the type of certificate that is installed on the CN3000, you may see a security warning first.) 3. To log in, specify a valid customer name and password. The CN3000 session page should open.
  • Page 75: Scenario 2A: Hotspot With Internet Access (Radius)

    There are two ways to deploy this scenario. Topology 1: In this version, the NOC is located on the Internet. The CN3000 connects to the VPN server at the NOC using its PPTP client. This provides a secure link through which data can be transferred.
  • Page 76: Configuration Roadmap

    LAN A LAN B. Configuration roadmap: On the RADIUS server, define RADIUS accounts for the CN3000 and all customers that will use the public access network. Install the CN3000: 1. Install the CN3000 as described in Chapter 3. 2. Connect the Internet port to the broadband modem and then restart it.
  • Page 77 1. Enable the CN3000 RADIUS authentication option. 2. Select the RADIUS profile you just defined. 3. Specify the username and password the CN3000 will use to log in to the RADIUS server. 4. Click Force authentication. The light should turn green, indicating that the CN3000 has been successfully authenticated.
  • Page 78 Chapter 4 Scenarios. 4.
  • Page 79: Scenario 2B: Custom Public Access Interface (Radius)

    Internet. 2. The CN3000 should intercept the URL and display the modified Login page. (Depending on the type of certificate that is installed on the CN3000, you may see a security warning first.) 3. To log in, specify a valid customer name and password. The CN3000 session page should open.
  • Page 80: Scenario 2C: Supporting 802.1X/Wpa Customers

    Chapter 4 Scenarios. Scenario 2c: Supporting 802.1x/WPA customers. This scenario adds support for 802.1x/WPA customers to Scenario 2b.
  • Page 81: Scenario 3: Centralized Authentication

    How it works: In this scenario, the CN3000 forwards all user traffic to a remote NOC. The NOC is responsible for managing customer logins to the public access network and granting access to the Internet.
  • Page 82: Configuration Roadmap

    1. Enable the CN3000 RADIUS authentication option. 2. Select the RADIUS profile you just defined. 3. Specify the username and password the CN3000 will use to log in to the RADIUS server...
  • Page 83 13. Click Save. Restart the CN3000. Once one or more GRE tunnels are enabled, the CN3000 must be restarted any time changes are made to any parameter on any page in the management tool...
  • Page 84: Scenario 4: Wholesaling With Gre

    NOCs control customer logins to the public access network and grant access to the Internet. The CN3000 is configured with three SSIDs for each WISP. The first is for customers using HTML logins, the second is for customers who are using WPA, and the third is for customers who are using 802.1x.
  • Page 85: Configuration Roadmap

    1. Enable the CN3000 RADIUS authentication option. 2. Select the RADIUS profile you just defined. 3. Specify the username and password the CN3000 will use to log in to the RADIUS server...
  • Page 86 5. Click Save. Restart the CN3000. Once one or more GRE tunnels are enabled, the CN3000 must be restarted any time changes are made to any parameter on any page in the management tool...
  • Page 87: Scenario 5: Wholesaling With Vpns

    WISPs. How it works: In this scenario, the CN3000 controls access to the public access network. A separate WLAN profile is defined for each WISP and is mapped to an IPSec tunnel that terminates at the appropriate NOC. Each WISP must provide a RADIUS server at the NOC to handle accounting and authentication duties.
  • Page 88 1. Enable the CN3000 RADIUS authentication option. 2. Select either of the RADIUS profiles you just defined. 3. Specify the username and password the CN3000 will use to log in to the RADIUS server. 4. Click Force authentication. The light should turn green, indicating that the CN3000 has been successfully authenticated.
  • Page 89 Chapter 4 Scenarios. Create IPSec security associations: Security >...
  • Page 90: Scenario 6: Public/Private Access With Vlans

    • VLANs 51, 52, 53 and 70 are assigned to the corporate Intranet and are used by employees. VLAN carries authentication traffic to the RADIUS server. • VLAN 60 is used by guests and is mapped to the CN3000. Access lists on the CN3000 control the network resources guests can reach. For example, guests can use the Internet and specific servers or printers on the corporate Intranet.
  • Page 91: Configuration Roadmap

    • Downstream port mapped to VLAN 60. This means that all traffic with no VLAN assigned will be sent on VLAN 60 by default. Note that all management traffic from the CN300s will use this VLAN and therefore be sent to the CN3000. • Two SSIDs are defined: •...
  • Page 92 1. Enable the CN3000 RADIUS authentication option. 2. Select RADIUS Profile 1. 3. Specify the username and password the CN3000 will use to log in to the RADIUS server. 4. Click Force authentication. The light should turn green, indicating that the CN3000 has been successfully authenticated.
  • Page 93 • Tunnel-private-group-id: Set to the VLAN number. “VLAN support” on page 171 for more information. 3. In the CN3000 account, add an access list definition that blocks guests from reaching the corporate network. For example, access-list=guest,DENY,all,192.168.30.0/24,all (Provided 30.x is the corporate network.) “Access list”...
  • Page 94
  • Page 95: Activating The Public Access Interface

    Chapter 5: Activating the public access interface. This chapter explains how to configure and start the public access interface.
  • Page 96: Overview

    The public access interface is the sequence of web pages that customers use to log in, log out, and view the status of their wireless sessions. The CN3000 ships with a default interface which you can customize to meet the needs of your installation. However, before you do this you should initialize the default setup and test it with your network.
  • Page 97: Step 1: Setting Up The CN3000 RADIUS Client

    Chapter 5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Activating the public access interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Chapter 5 Step 1: Setting up the CN3000 RADIUS client The CN3000 lets you define up to 16 RADIUS client profiles. Each profile defines the settings for a RADIUS client connection. To support a client connection, you must create a client account (sometimes called a RAS account) on the RADIUS server.
  • Page 98: Profile Name

    Controls the retry interval (in seconds) for access and accounting requests that time-out. If no reply is received within this interval, the CN3000 switches between the primary and secondary RADIUS servers (if defined). If a reply is received after the interval expires, it is ignored.
  • Page 99: Primary RADIUS Server

    For 802.1x users, the authentication method is always determined by the 802.1x client software and is not controlled by this setting. If traffic between the CN3000 and the RADIUS server is not protected by a VPN, it is recommended that you use either EAP-MD5 or MSCHAP V2, if supported by your RADIUS Server.
  • Page 100: Step 2: Setting Up CN3000 Authentication

    • a URL specifying the location of a configuration file. • MAC addresses of devices to authenticate. When you set up a profile for the CN3000 on the RADIUS server you define this information in the form of a Colubris Networks vendor-specific attribute. See “Creating a...
  • Page 101: CN3000 RADIUS Authentication

    To avoid potential service interruptions that may occur when new operating information is activated by the CN3000, it is strongly recommended that a large interval (12 hours or more) be used. You can override this value using the RADIUS Attribute Session-timeout, which enables...
  • Page 102: Step 3: Setting Up Customer Authentication

    Step 3: Setting up customer authentication. The CN3000 uses the services of a RADIUS server to authenticate customer logins, track and manage connection time, and generate billing information.
  • Page 103: HTML-Based User Logins

    HTML-based user logins: This defines settings for users who log in via the CN3000’s public access interface. If you disable this option, the public access interface Login page will not be displayed and these users will not be able to log in.
  • Page 104: Step 4: Setting Up The RADIUS Server

    RADIUS server and retrieve certain operating settings which you must define. Therefore, you must create at least one RADIUS profile for use by the CN3000. If you have multiple CN3000s, they can all be associated with a single RADIUS profile.
  • Page 105: Step 5: Testing The Public Access Interface

    1. Start the client station’s web browser and enter the IP address (or domain name) of a web site on the Internet. 2. The CN3000 should intercept the URL and display the Login page. Specify a valid customer name and password.
  • Page 106
  • Page 107: Customizing The Public Access Interface

    Chapter 6: Customizing the public access interface. This chapter provides an overview of the public access interface and explains how to customize it.
  • Page 108: Overview

    The public access interface is the sequence of web pages that customers use to log in, log out, and view the status of their wireless sessions. The CN3000 enables you to tailor these pages to provide a customized look-and-feel for your site. Using a RADIUS server, web pages can be auto-updated, enabling you to manage multiple units effortlessly.
  • Page 109: Site Map

    Chapter 6 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Customizing the public access interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Chapter 6 Site map The public access interface is composed of seven pages and is structured as follows: Note: Customers using 802.1x/WPA are automatically logged in and will not see the...
  • Page 110: Internal Pages

    “Using a remote login page” on page 121 for details. Internal pages Internal pages are resident on the CN3000. You have the option of using the default pages supplied with the CN3000 or replacing them with customized pages of your own design.
  • Page 111 • the CN3000 cannot contact the RADIUS server to authenticate a customer • the CN3000 fails to be authenticated by the RADIUS server due to bad username or password on the Security > Authentication page, or wrong RADIUS configuration on the Security >...
  • Page 112: External Pages

    External pages: External pages are stored on a remote Web server. The CN3000 retrieves the URLs for these pages in two ways: •...
  • Page 113: How It Works

    How it works: The following diagram illustrates the sequence of events that occur when a customer attempts to browse an external web site.
  • Page 114: Customizing The Internal Pages

    RADIUS profiles. When the CN3000 authenticates itself, it retrieves the URLs for the custom pages, then automatically downloads and activates them.
  • Page 115 (Chapter 17). Placeholder Description Returns the NAS ID assigned to the CN3000. By default, this is the unit’s serial number. Returns the RADIUS login name assigned to the CN3000. By default, this is the unit’s serial number. Returns the domain name assigned to the CN3000’s Internet port.
  • Page 116: Examples

    • transport.html • session.html • fail.html 4. Edit the login.html to meet the requirements of your site. 5. Add the following entries to the RADIUS profile for the CN3000. login-page= web_server_URL /newpages/login.html transport-page= web_server_URL /newpages/transport.html session-page= web_server_URL /newpages/session.html fail-page= web_server_URL /newpages/fail.html logo= web_server_URL /newpages/logo.gif...
  • Page 117: Customizing The External Pages

    Activating new external pages: To activate new external pages, you must define their URLs using the Colubris-AVPair value string when you create a RADIUS profile for the CN3000 or a customer. See Chapter 7 for information on how to create RADIUS profiles.
  • Page 118 This option is used with the remote login page feature. Returns the NAS ID assigned to the CN3000. By default, this is the unit’s serial number. Not supported in local mode. Returns the RADIUS login name assigned to the CN3000. By default, this is the unit’s serial number.
  • Page 119: Examples

    4. Add the following entry to the RADIUS profile for the premium customers. welcome-url= web_server_URL /premium/welcome.html goodbye-url= web_server_URL /premium/goodbye.html 5. Add the following entry to the RADIUS profile for the CN3000. This gives all unauthenticated users access to the web server hosting the goodbye page. access-list=loginserver,ACCEPT,tcp, web_server_IP_address,port_number...
  • Page 120 Supporting PDAs: Customers using PDAs that only support a single browser window will have difficulty using the public access interface in its standard configuration.
  • Page 121: Using A Remote Login Page

    Using a remote login page: The CN3000 provides an option that allows you to redirect customers to a remote server to log in to the public access interface instead of using the internal login page.
  • Page 122 Returns the URL on the CN3000 where customer login information should be posted for authentication. Returns the NAS ID assigned to the CN3000. By default, this is the unit’s serial number. Not supported in local mode. Returns the RADIUS login name assigned to the CN3000. By default, this is the unit’s serial number.
  • Page 123: How It Works

    Although the remote login page feature enables you to host the public access login page on a remote web server, authentication of customers is still performed by the CN3000 via a RADIUS server. To accomplish this, the remote web server must send customer login information back to the CN3000.
  • Page 124: Example

    4. Customize login.html to accept username and password information from customers and then send it to the CN3000. You can use code similar to the following example to redirect the customer’s web browser to the login URL on the CN3000 for authentication: <form action="https://CN3000.wireless.colubris.com:8090/goform/...
  • Page 125: Location-Aware Authentication

    This is the MAC address of the wvlan0 interface in IEEE format as displayed by Tools > System Tools > Interface info. If required, the CN3000 can return other values for this attribute by setting the Called-Station-Id content on the Security > Authentication > Advanced page. The other available options are: •...
  • Page 126: Security

    Security The CN3000 will only accept location-aware information from Colubris Networks satellites that have a matching shared secret to its own. Customers on other access points (Colubris or third-party) are treated as “wired”.
  • Page 127: Configuration

    Configuration: If you have defined more than one SSID, the location-aware feature is automatically activated.
  • Page 128: iPass Support

    The CN3000 provides support for the Generic Interface Specification from iPass, which enables you to create an iPass-compatible hotspot. To set up the CN3000 as an iPass hotspot, you must define the iPass authentication server on the Security > RADIUS page. You can use either Profile 1 or Profile 2 to do this.
  • Page 129: ASP Functions

    To avoid having the customer log in once registration is complete, the registration web server can send the customer back to the CN3000 using a special URL that will automatically log the customer into the public access interface.
  • Page 130: Page URLs

    The NAS ID and NAS address are required when the customer is redirected back to the CN3000 after registration. The code on the registration web page would look something like this:...
  • Page 131 function refresh() // refresh the Fail page {document.location="<%GetFailRetryUrl();%>";...
  • Page 132 Hours Minutes Seconds...
  • Page 133: Session Quotas

    TruncateSessionRemainingTime(unit) Returns the total amount of connection time remaining for the current customer truncated to the specified unit.
  • Page 134: iPass Support

    GetSessionRemainingOutputOctets(div) Returns the maximum number of outgoing octets the current customer session can still send.
  • Page 135 CN3000. • If a customer logs into the CN300/CN320, this function returns the MAC address of the CN300/CN320’s downstream port. • If a customer logs into the CN3000, this function returns the MAC address of the CN3000’s LAN port. iPassGetLoginResponseCode() Returns one of the following values when a customer attempts to log in to iPass: Login was successful.
  • Page 136: Message File

    Message file: The functions GetAuthenticationErrorMessage() and GetSessionStateMessage() are used in various internal pages to return a string from the file “message.txt”.
  • Page 137 # The customer has exhausted the available session time.
  • Page 138: Source Code For The Internal Pages

    Source code for the internal pages: This section presents source code for the default internal pages.
  • Page 139 font-family: verdana, sans-serif;...
  • Page 140: Transport Page

    Transport page <!-- Colubris -->...
  • Page 141 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">...
  • Page 142: Fail Page

    <tr>...
  • Page 143: Customizing CN3000 And Customer Settings

    Chapter 7: Customizing CN3000 and customer settings. This chapter presents a summary of the configuration settings you can define to customize the operation of your public access network and customer accounts.
  • Page 144: Overview

    Before it can activate the public access interface, the CN3000 must log into a RADIUS server and retrieve certain operating settings which you must define. Therefore, you must create at least one RADIUS profile for use by the CN3000. If you have multiple CN3000s, they can all be associated with a single RADIUS profile.
  • Page 145: Standard RADIUS Attributes

    Chapter 7 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Customizing CN3000 and customer settings - - - -...
  • Page 146: Colubris Networks Vendor-Specific Attributes

    These are called vendor-specific attributes. Colubris Networks has defined two vendor-specific attributes to support special features on the CN3000, such as the customization of the web interface and the security certificate. These attributes are: •...
  • Page 147: RADIUS Limitations

    RADIUS limitations: The maximum number of attributes the CN3000 can receive in one request is 4096 bytes. Terminate-Acct-Cause values: Terminate Acct Cause values are supported as follows: Cause: User Request. Notes: Supported.
  • Page 148
  • Page 149: Creating A RADIUS Client Entry For The CN3000

    • Client IP address: This is the IP address assigned to the CN3000’s Internet port. If the CN3000 is using a PPTP connection to communicate with the RADIUS server, then this is the address assigned to the CN3000 by the PPTP server.
  • Page 150: Creating A Profile For The CN3000 On The RADIUS Server

    Creating a profile for the CN3000 on the RADIUS server: Before it can activate the public access interface, the CN3000 must log into a RADIUS server and retrieve certain operating settings that you must define. Therefore, you must create at least one RADIUS profile for use by the CN3000.
  • Page 151 • NAS-Identifier (string): The NAS ID set on the Security > RADIUS page for the profile being used. • NAS-Ip-Address (32-bit unsigned integer): The IP address of the port the CN3000 is using to communicate with the RADIUS server. • NAS-Port (32-bit unsigned integer): Always 0.
  • Page 152: Colubris-AVPair Attribute

    Accounting response: None. Colubris-AVPair attribute: For each CN3000 profile you can specify one or more instances of a Colubris-AVPair attribute that will be returned upon successful authentication (RADIUS Accept). Possible values for all instances are grouped into the following categories:...
  • Page 153: Access Lists

    Each access list is a set of rules that governs how the CN3000 controls access to network resources. You can create multiple access lists, each with multiple rules to manage the traffic on your public access network.
  • Page 154 Tips on using the access list: With certificates: • If you replaced the default SSL certificate on the CN3000 with one signed by a well-known CA, you should define the access list to permit access to the CA certificate for all non-authenticated customers.
  • Page 155 Defining access lists Access lists are defined by adding the following Colubris-AVPair value string to the RADIUS profile for a CN3000. Each value string defines one rule. Up to 99 rules can be defined for an access list. access-list=value All rules that make up an access list must be initialized without error for the list to be active.
  • Page 156
  • Page 157 Everyone: This list applies to all users (students, teachers, guests), whether they are authenticated or not. This is because the list is active on the CN3000, which is accomplished with the entry:
  • Page 158: Custom SSL Certificate

    NOC). If this last rule did not exist, this traffic would be dropped. Custom SSL certificate: The CN3000 can retrieve a custom SSL security certificate to replace the Colubris Networks certificate that is included by default. For more information on certificates, see...
  • Page 159: Configuration File

    By using the following placeholder, you can customize the URL for each CN3000. This is useful when you need to update multiple units.
  • Page 160: MAC Authentication

    The CN3000 can authenticate devices based on their MAC address. This is useful for authenticating devices that do not have a web browser (cash registers, for example).
  • Page 161: Default User Session Timeout

  • Page 162: Default User One-To-One NAT

  • Page 163: iPass Login URL

    iPass login URL: This attribute lets you define the location of the iPass login page. The CN3000 automatically redirects customers with iPass client software to this page.
  • Page 164: Creating Customer Profiles On The RADIUS Server

    • NAS-Identifier (string): The NAS ID set on the Security > RADIUS page for the profile being used. • NAS-Ip-Address (32-bit unsigned integer): The IP address of the port the CN3000 is using to communicate with the RADIUS server. • NAS-Port (32-bit unsigned integer): A virtual port number starting at 1. Assigned by the CN3000.
  • Page 165 • CHAP-Password (string): The password assigned to the CN3000 on the Security >...
  • Page 166 • NAS-Identifier (string): The NAS ID set on the Security > RADIUS page for the profile being used. • NAS-Ip-Address (32-bit unsigned integer): The IP address of the port the CN3000 is using to communicate with the RADIUS server. • NAS-Port (32-bit unsigned integer): A virtual port number starting at 1. Assigned by the CN3000.
  • Page 167: Colubris-AVPair Attribute

  • Page 168: Group Name

    Access list An access list is a set of rules that govern how the CN3000 controls customer access to protected network resources (those attached to the CN3000’s Internet port). Access lists are defined in the profile for the CN3000 (see page 153) and are activated in the customer profiles as needed.
  • Page 169: Colubris-Intercept

  • Page 170: SMTP Redirection

    “Session quotas” on page 133. SMTP redirection: The CN3000 is able to provide SMTP email service on a per-customer basis. This enables customers to send e-mail while on the road without the restrictions imposed by most ISPs regarding the source address of outgoing mail. It works by intercepting the call to a customer’s e-mail server and redirecting it to an SMTP server that you...
  • Page 171: VLAN Support

    Set the following standard RADIUS attributes to assign VLAN numbers on a per-customer basis. Note: The CN3000 does not directly support VLANs. VLAN support is available only when using CN300/CN320s as satellite stations, and only for customers using 802.1x/WPA.
  • Page 172: Creating Administrator Profiles On The RADIUS Server

    Creating administrator profiles on the RADIUS server If you want to support multiple administrator names and passwords, you must use a RADIUS server to manage them. The CN3000 only supports a single admin name and password internally. Important: Improper configuration of the administrator profile could expose the CN3000 to access by any customer with a valid account.
  • Page 173: NOC Authentication

    Chapter 8: NOC authentication. This chapter explains how to use a remote login page and NOC authentication.
  • Page 174: Main Benefits

    • Customers can log in to the public access interface without exposing their web browsers to the SSL certificate on the CN3000. This eliminates warning messages caused by having an SSL certificate on the CN3000 that is not signed by a well-known certificate authority.
  • Page 175: Activating A Remote Login Page With NOC Authentication

    Returns the URL on the CN3000 where customer login information should be posted for authentication. Returns the NAS ID assigned to the CN3000. By default, this is the unit’s serial number. Not supported in local mode. Returns the RADIUS login name assigned to the CN3000. By default, this is the unit’s serial number.
  • Page 176 Chapter 8 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NOC authentication - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Chapter 8 When the location-aware feature is enabled, returns the ESSID of the wireless access point the customer is associated with.
  • Page 177: How It Works

    The NOC authentication feature provides a secure way of authenticating public access customers, with strong mutual authentication between the login application on the web server hosting the remote login page and the CN3000 used for authenticating customer logins. This occurs via the two Colubris-AVPair value strings (ssl-noc-certificate and ssl-noc-ca-certificate), which define the locations of two certificates.
  • Page 178: Addressing Security Concerns

    CA. Additional security is provided via the NOC authentication list on the CN3000 (page 247). You use this list to define the set of remote IP addresses that the CN3000 will accept authentication requests from.
  • Page 179: Setting Up The Certificates

    The SSL certificate will be used by the login application to secure communications with the CN3000. Define attributes Add the following two attributes to the RADIUS profile for the CN3000 so that it can retrieve the SSL and CA certificates from the web server: ssl-noc-certificate= URL_of_the_Certificate Certificate issued to the application on the web server that will send customer info to the CN3000 for authentication.
  • Page 180: Authenticating Customers

    customer_ip: IP address of the customer’s computer. Example 1: Assume that the CN3000 is not behind a NATing device, and that its IP address is 192.168.4.2. The subject DN in its SSL certificates is www.noc-cn3.com. The Host HTTP header should be set to one of: •...
  • Page 181 • Host: natting.device.com:8090 • Host: 192.168.30.173:8090 When this request is forwarded to the CN3000, it will be rejected. To solve the problem, the login application must forge the host HTTP header. This is easily done by plugging in the values returned by the %i, %a, and %p placeholders. For example:...
  • Page 182: Simple NOC Authentication Example

    • logo.gif 3. Customize login.html to accept username and password information from customers and then send it to the CN3000. You could use code similar to the following PHP example to send login information back to the CN3000 for authentication: https:// ipaddress of CNx :8090/goform/HtmlNocLoginRequest...
  • Page 183 7. Enable the NOC authentication feature. 8. Add the IP address of the web server to the Allowed Addresses box. 9. Click Save. 10. In the RADIUS profile for the CN3000, define the following: login-url= URL_of_page_on_remote_server access-list=loginserver,ACCEPT,tcp, web_server_IP_address, 443 ssl-noc-certificate= URL_of_the_certificate ssl-noc-ca-certificate= URL_of_the_certificate transport-page= web_server_URL /newlogin/transport.html...
  • Page 184: Forcing Customer Logouts

    Important: This request must come from the login application (or any other application that is using the same SSL certificate). The CN3000 returns a positive or negative answer for the customer logout as standard HTML. The login application must parse this information to retrieve the response.
  • Page 185: SNMP Interface

    Chapter 9: SNMP interface. This chapter provides an overview of the SNMP interface and the MIBs supported by the CN3000.
  • Page 186: Configuring The SNMP Interface

    2. Enable the options that you require. The options are described in the sections that follow. 3. Click Save. Attributes: System name: Specify a name to identify the CN3000. By default, this is set to the serial number of the CN3000. Location: Location where the CN3000 is installed. Contact: Contact information for the CN3000.
  • Page 187: Agent

    Specify the password required by the remote host that will receive the trap. Host: Specify the IP address or domain name of the host that the CN3000 will send traps to. Port: Specify the port that the CN3000 will send traps on. By default, port 162 is used.
  • Page 188: Standard MIBs

    SNMPV2C protocol. MIB II support details: The CN3000 provides complete read support of MIB II objects 1.10. The following table lists all MIB II objects defined as read/write and indicates the objects that can be “set” on the CN3000.
  • Page 189 Chapter 9 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SNMP interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Chapter 9 Group Notes ipRouteAge...
  • Page 190: Colubris Enterprise MIB

    Colubris Enterprise MIB: The Colubris Enterprise MIB is available on the Colubris Networks web site. It is organized as follows: •...
  • Page 191: Ssl Certificates

    Chapter 10: SSL certificates. This chapter explains how to create and install SSL certificates to secure communications with the CN3000.
  • Page 192: Overview Of Ssl Certificates

    DNS and the SSL certificate: The host name in the currently installed SSL certificate is automatically assigned as the domain name of the CN3000. The factory default SSL certificate that is installed on the CN3000 has the host name wireless.colubris.com. ...
  • Page 193 You do not have to add this name to your DNS server for it to be resolved. The CN3000 intercepts all DNS requests it receives on the wireless or LAN ports.
  • Page 194: About Certificate Warning Messages

    URL that you're attempting to go to. By default the name in the "subject" field of the certificate installed in the CN3000 also becomes the domain name of the CN3000 and is resolved by the CN3000 itself.
  • Page 195 Note: Once you comply with all three criteria, client stations will no longer get a certificate warning in their browser.
  • Page 196: Installing A New Ssl Certificate

    Installing a new SSL certificate: Do the following to create and install a new certificate on the CN3000. 1. Obtain or create a new SSL certificate.
  • Page 197: Step 1: Creating An Ssl Certificate

    OpenSSL tools and components included with the Colubris Backend archive. You should download and install these items as follows: 1. Download the Backend sample archive from www.colubris.com > support > download > CN3000 or retrieve it from the CD. 2. Download openssl-0.9.7c-win32-bin.zip from http://curl.haxx.se/download.html > OpenSSL Library Packages.
  • Page 198 Country Name (2 letter code) [CA]: State or Province Name (full name) [Quebec]: Locality Name (eg, city) [Laval]: Organization Name (eg, company) [Colubris Networks Inc.]:Company Inc. Organizational Unit Name (eg, section) [Research & Development]:Department Your Name []:www.company.com Email Address [support@colubris.com]:support@company.com Generated certificate request: Using configuration from openssl.conf...
  • Page 199: Becoming A Private Ca

    Country Name (2 letter code) [CA]: State or Province Name (full name) [Quebec]: Locality Name (eg, city) [Laval]: Organization Name (eg, company) [Colubris Networks Inc.]:Company Inc. Organizational Unit Name (eg, section) [Research & Development]:Department Your Name []:Test-Only Certificate Authority Email Address [support@colubris.com]:ca@company.com The certificate for your CA will then be displayed.
  • Page 200 C:\certificates\CA\private\CAcert.pem Creating the web server certificates Note: This section demonstrates how to create the equivalent of the noc-client.crt certificate and www.noc-cn3000.com.pfx described in the section “Test the NOC authentication feature” on page 323 Once you have created the CA certificates, you can use them to create certificates for your CN3000 or web server.
  • Page 201 Country Name (2 letter code) [CA]: State or Province Name (full name) [Quebec]: Locality Name (eg, city) [Laval]: Organization Name (eg, company) [Colubris Networks Inc.]:Company Inc. Organizational Unit Name (eg, section) [Research & Development]:Department Your Name []:www.company.com Email Address [support@colubris.com]:webmaster@company.com Generated certificate request: Using configuration from openssl.conf...
  • Page 202: Creating A Self-Signed Certificate

    Country Name (2 letter code) [CA]: State or Province Name (full name) [Quebec]: Locality Name (eg, city) [Laval]: Organization Name (eg, company) [Colubris Networks Inc.]:Company Inc. Organizational Unit Name (eg, section) [Research & Development]:Department Your Name []:www.company.com Email Address [support@colubris.com]:webmaster@company.com...
  • Page 203: Viewing The Certificate

    Validity Not Before: Feb 27 21:34:38 2002 GMT Not After : Mar 29 21:34:38 2002 GMT...
  • Page 204: Verifying The Certificate

    eb:c1:c4:e7:04:d2:67:32:ca:08:33:9f:ac:ec:23: 89:e2:36:60:63:61:5c:2d:60:9a:92:48:ed:b3:7c: 0f:60:94:6d:a4:74:d5:eb:a9:7f:40:cc:cd:24:ae:...
  • Page 205: Step 2: Preparing The Certificate Chain

    Step 2: Preparing the certificate chain. When a web browser connects to the CN3000 using SSL, the CN3000 only sends its own SSL certificate to the browser. This means that if the certificate has been signed by...
  • Page 206: Step 3: Converting A Certificate To Pkcs #12 Format

    Step 3: Converting a certificate to PKCS #12 format. Before you can install a certificate on the CN3000, you need to convert it to PKCS #12 format. This can be done with the openssl program pemtopkcs12.
  • Page 207: Step 4: Installing A New Ssl Certificate

    Step 4: Installing a new SSL certificate. Use this procedure to replace the SSL certificate that ships with the CN3000 with one of your own. This certificate is used when validating user logins to the management tool via SSL and when accepting authentication information from a remote server when NOC authentication is active.
  • Page 208: Step 5: Installing Certificates In A Browser

    CA will still cause a security warning to appear when customers open the CN3000’s Login page. This occurs because your CA is not part of the group of well-known certificate authorities included with most browsers. This means customers will get a security warning when establishing the SSL connection with the Login page.
  • Page 212: Netscape Navigator

  • Page 213: Configuration Parameters

    Chapter 11 Configuration parameters This chapter provides an overview of the configuration options provided by the management tool for most of the important features on the CN3000. For information on features not covered in this section, consult the online help.
  • Page 214: Default Wireless Profile

    WLAN name (SSID) Specify a name to uniquely identify your wireless network. Each client computer that wants to connect to the CN3000 must use this name. The name is case-sensitive. Maximum number of wireless client stations Specify the maximum number of wireless client stations that can be associated with this SSID at the same time.
  • Page 215: Radio

    RTS threshold can affect throughput. Range: 128 to 1540. If a packet is larger than the threshold, the CN3000 will hold it and issue a request to send (RTS) message to the client station. Only when the client station replies with a clear to send (CTS) message will the CN3000 send the packet.
  • Page 216: Wireless Protection

    TKIP keys that encrypt the wireless data stream. Select the appropriate RADIUS server. • Preshared Key: The CN3000 uses the key you specify in the Key field to generate the TKIP keys that encrypt the wireless data stream. Since this is a static key, it is not as secure as the RADIUS option.
  • Page 217: Dynamic Keys

    Transmission key: Select the key the CN3000 will use to encrypt transmitted data. All four keys are used to decrypt received data.
  • Page 218: Wireless Profile List

    Wireless profile list: Open the Wireless >...
  • Page 219: Wireless Profile Settings

    Wireless profile settings: Open the Wireless >...
  • Page 220: Html-Based User Logins

    By default, the CN3000 blocks all traffic between wireless client stations. HTML-based user logins: This defines settings for users who log in via the CN3000’s public access interface. If you disable this option, the public access interface Login page will not be displayed and these users will not be able to log in.
  • Page 221: Traffic Tunnelling (Gre)

    • Preshared Key: The CN3000 uses the key you specify in the Key field to generate the TKIP keys that encrypt the wireless data stream.
  • Page 223: Wireless Links List

    Wireless links list: Open the Wireless >...
  • Page 224: Wireless Link Configuration

    Security: None: No encryption. Specify the encryption key the CN3000 will use to encrypt/decrypt all data it sends and receives. The key is 128 bits long and must be specified as 26 hexadecimal digits. Addressing: Remote MAC address: MAC address of the remote access point.
  • Page 225: Wireless Neighborhood

    Set the Repeat scan option accordingly. The results of each scan are displayed in the All access points list. To identify unauthorized access points, the CN3000 compares the MAC address of each discovered access point against the list of authorized access points (which you must define).
  • Page 226 Field descriptions •...
  • Page 227: Lan Port Configuration

    Open the Network > Ports > LAN port page. Link Speed • Auto: Lets the CN3000 automatically set port speed based on the type of equipment it is connected to. • 100: Forces the port to operate at 100 Mbps.
  • Page 228: Internet Connection

    The title bar shows the current status of the link. Speed • Auto: Lets the CN3000 automatically set port speed based on the type of equipment it is connected to. • 10: Forces the port to operate at 10 Mbps.
  • Page 229: Network Address Translation (Nat)

    Internet unless their IP addresses are valid on the Internet. If the CN3000 is connected to a wired LAN, computers on the wired LAN can also take advantage of NAT to share the Internet connection. Limit NAT port range...
  • Page 230 The CN3000 will automatically attempt to reconnect if the connection is lost. Un-numbered mode This feature is useful when the CN3000 is connected to the Internet and NAT is not being used. Instead of assigning two IP addresses to the CN3000, one to the Internet port and one to the LAN port, both ports can share a single IP address.
  • Page 231: Dhcp Client

    DHCP client settings: DHCP client ID: Specify an ID to identify the CN3000 to the DHCP server. This parameter is not required by all ISPs. Assigned by DHCP server: These settings are assigned to the CN3000 by your ISP’s DHCP server. The Internet connection is not active until this occurs.
  • Page 232: Static Addressing

    Alternate IP addresses The CN3000 allows you to assign multiple IP addresses to the Internet port. Each address must be valid on the Internet. The CN3000 uses these addresses to support its one-to-one NAT feature. The CN3000 will not respond to pings directed at these IP addresses.
  • Page 233: Dhcp Services

    CN3000 is responsible for assigning IP addresses to computers on the wireless network. If you connect the CN3000 to a wired LAN, the CN3000 will also assign addresses to computers on the wired LAN. However, for this to function properly, no other DHCP server can be operating on the wired LAN.
  • Page 234: Dhcp Server

    Addresses: The CN3000 provides its own IP address as the DNS server address. The CN3000 acts as a DNS relay and redirects all DNS requests to the DNS servers specified on the DNS/WINS page. If a WINS server is defined on the DNS/WINS page, its address is provided to DHCP clients as well.
  • Page 235: Dhcp Relay Agent

    The port the CN3000 will listen for DHCP requests on. Relay requests to: Select the port the CN3000 will relay DHCP requests to. The primary and secondary servers must be reachable via this port. Primary DHCP server address: Specify the IP address of the primary DHCP server the CN3000 should forward DHCP requests to.
  • Page 236: Bandwidth Control

    • If outgoing traffic arrives at the port at a rate that is greater than the defined bandwidth limit, it causes the CN3000 to throttle the traffic for that port. If the traffic rate is over-limit for just a short burst, the data will be queued and forwarded without loss. If the traffic rate is over-limit for a sustained period, the CN3000 will drop data to bring the rate down to the bandwidth limit that is set.
  • Page 237: Ip Routes

    CN3000 will add additional routes to the table as required. You cannot delete these system routes. Interface Indicates the CN3000 port through which traffic is routed. When you add a route the CN3000 automatically determines the interface to be used based on the gateway address.
  • Page 238: Persistent Routes

    If more than one default route exists, the first route in the table is used. Interface: Indicates the CN3000 port through which traffic is routed. When you add a route, the CN3000 automatically determines the interface to be used based on the gateway address.
  • Page 239: Dns/Wins Settings

    DNS servers Dynamically assigned servers Indicates the DNS servers that were assigned to the CN3000. This option does not appear if static addressing is in use. These parameters do not show the DNS servers assigned when the PPTP client option is enabled.
  • Page 240: Gre Tunnel List

    GRE tunnel list: Open the Network > GRE page. Defined GRE tunnels: The CN3000 supports up to 16 GRE tunnels. To configure the type of traffic the CN3000 will forward through a GRE tunnel, go to Wireless > WLAN profiles. Each WLAN profile can have its own GRE settings.
  • Page 241: Gre Tunnel Definition

    If you enable GRE tunnelling, the CN3000 will restart when you click Save. Note: If you enable one or more GRE tunnels, you must make sure to restart the CN3000 any time you make a change to any parameter on any page in the management tool.
  • Page 242: Nat List

    Open the Network > NAT page. NAT mappings The table on this page displays all static NAT mappings that are in effect on the CN3000. Static NAT mappings apply to the Internet port only and do not apply to VPN connections. Server IP address Indicates the IP address of the device that traffic will be forwarded to.
  • Page 243: Nat Static Mapping

    NAT static mapping: Open the Network >...
  • Page 244: Rip Configuration

    RIP configuration Open the Network > RIP page. The CN3000 supports RIP versions 1 and 2. RIP can operate in one of two modes on each of the CN3000’s ports. Note: RIP is not supported if you are using PPPoE on the Internet port.
  • Page 245: Authentication Options

    To avoid potential service interruptions that may occur when new operating information is activated by the CN3000, it is strongly recommended that a large interval (12 hours or more) be used. You can override this value using the RADIUS Attribute Session-timeout, which enables...
  • Page 246: Html-Based User Logins

    Last authenticated: Indicates when the CN3000 was last successfully authenticated. Force authentication: Click this button to force the CN3000 to authenticate now. This lets you test your settings. Advanced settings: Click this button to set additional authentication-related settings.
  • Page 247: Authentication Advanced Options

    Open the Security > Authentication > Advanced page. Client station settings: Allow any IP address: This feature enables the CN3000 to connect with wireless client stations that are using a static IP address that is not on the same segment as the wireless network. This permits customers to access the wireless network without reconfiguring their network settings.
  • Page 248: Location-Aware Authentication

    This feature enables the CN3000 to detect if two client stations are using the same IP address but have different MAC addresses. If this occurs, access is terminated for this IP address, removing both stations from the network.
  • Page 249: Access Controller Shared Secret

    CN3000. To validate customer logins, a login application on the remote server must collect customer login information and send it to the CN3000, which in turn forwards it to a RADIUS server.
  • Page 250: Radius Profiles List

    CN3000. For backup redundancy, each profile supports a primary and secondary server. The CN3000 will function with any RADIUS server that supports RFC 2865 and RFC 2866. Authentication occurs via EAP-MD5, CHAP, MSCHAP v1/v2, or PAP. To edit a profile, click on its name.
  • Page 251: Radius Profile Definition

    Controls the retry interval (in seconds) for access and accounting requests that time out. If no reply is received within this interval, the CN3000 switches between the primary and secondary RADIUS servers (if defined). If a reply is received after the interval expires, it is ignored.
  • Page 252: Primary Radius Server

    For 802.1x users, the authentication method is always determined by the 802.1x client software and is not controlled by this setting. If traffic between the CN3000 and the RADIUS server is not protected by a VPN, it is recommended that you use either EAP-MD5 or MSCHAP V2, if supported by your RADIUS Server.
  • Page 253: Firewall - Preset

    Firewall - Preset: Open the Network >...
  • Page 254: Firewall - Custom

    Direction Specify whether the rule applies to incoming data, or outgoing data. Action Specify how the CN3000 will treat the data. • Accept: The data is passed. • Drop: The data is discarded. • Drop and log: The data is discarded and an entry is added to the system log.
  • Page 255: Services

    Note •...
  • Page 256: Pptp Client

    CN3000 will send a packet from time to time to keep the connection alive. Account Username Specify the username the CN3000 will use to log on to the PPTP server. If you are logging on to a Windows NT domain, specify: domain_name\username Password / Confirm password Specify the password the CN3000 will use to log on to the PPTP server.
  • Page 257: Network Address Translation (Nat)

    If you enable NAT, it effectively hides the addresses of all local computers so that they are not visible on the other side of the PPTP connection.
  • Page 258: Ipsec Policy List

    (SA) with the CN3000. Depending on its settings, a policy may allow one or more peers to establish an SA with the CN3000. Each time an SA is established, a new entry is added to the IPSec security associations table. Click IPSec on the Status menu to view this table.
  • Page 259: Ipsec New Policy

    The negotiation is controlled by setting a number of different IKE options. To simplify the configuration of IPSec, the CN3000 presets some of these options, while others are automatically defined based on the needs of the peer. The following is a summary of the most important non-configurable IKE options:...
  • Page 260: General

    ISAKMP SA keying material. General: A security association can only be established between the CN3000 and a peer if the policy is enabled. Important: The IPSec tunnel cannot be used to transport customer traffic. To prevent...
  • Page 261: Peer

    • Phase 1 exchange: key changed every 6 hours • Phase 2 exchange: key changed every 1 hour Note: The CN3000 will negotiate times up to 24 hours as required by the peer. Accept any peer Peer...
  • Page 262: Authentication Method

    Preshared key: Specify the key that will be used by the CN3000 to validate peers. The CN3000 and the peer must both use the same key. Security: Only permit incoming traffic addressed to: These settings enable you to filter incoming traffic so that only traffic addressed to a specific network or network device is permitted from the peer.
  • Page 263: Preconfigured Settings

    The negotiation is controlled by setting a number of different IKE options. To simplify the configuration of IPSec, the CN3000 presets some of these options, while others are automatically defined based on the needs of the peer. The following is a summary of the most important non-configurable IKE options:...
  • Page 264: Certificates

    Certificates: Open the Security > Certificates page. [IPSec] Trusted CA certificates: The CN3000 uses the CA certificates to validate the certificates supplied by peers during the authentication process. Multiple CA certificates can be installed to support validation of peers with certificates issued by different CAs.
  • Page 265: [Ipsec] Manage Ca Certificates

    [IPSec] Certificate revocation list: This is the certificate revocation list (CRL) issued by the certificate authority. The CN3000 uses the CRL to determine if the certificates provided by clients during the authentication process have been revoked. The CN3000 will not establish a security association with a client that submits a revoked certificate.
  • Page 266: [Ipsec] Manage Certificate Revocation List

    Consequently, the web browser will issue security warnings. To avoid this problem, only install an SSL certificate on the CN3000 if it is directly signed by the root Certificate Authority or if you have appended all certificates that make up the chain.
  • Page 267: [Ssl] View Web Server Certificate

    [SSL] View web server certificate: The Certificate field shows the contents of the CN field in the certificate.
  • Page 268: Users

    Click Add to add the new user. The idle timeout lets you control how long a local user can be idle before the CN3000 terminates their connection. If the idle timeout is set to 0, it is disabled. This means that the local user will not be disconnected regardless of how long their connection remains idle.
  • Page 269: Local Config List

    These settings are used when local mode is active. To enable local mode, disable the CN3000 RADIUS authentication option on the Security > Authentication page. Local mode lets you run the CN3000 without setting up a RADIUS server to handle authentication tasks. This is convenient for experimenting with the CN3000 feature set before deploying it, or for installations with fewer than 50 customers and no need for accounting support.
  • Page 270: Local Config Attribute

    Each access list is a set of rules that governs how the CN3000 controls access to network resources. You can create multiple access lists, each with multiple rules to manage the traffic on your public access network.
  • Page 271: Custom Ssl Certificate

    Range: 5-99999 seconds in 15-second increments. Custom SSL certificate: The CN3000 can retrieve a custom SSL security certificate to replace the Colubris Networks certificate that is included by default. Syntax...
  • Page 272: Configuration File

    By using the following placeholder, you can customize the URL for each CN3000. This is useful when you need to update multiple units.
  • Page 273: Default User Idle Timeout

    Example Consider the scenario where several CN300/CN320s are installed with a CN3000. If the CN300/CN320s are going to perform firmware upgrades from a remote web or FTP server, they will need to log in to the public access network. By using MAC-based authentication, this can easily be accomplished.
  • Page 274: Default User Smtp Server

    Where: Parameter Description...
  • Page 275: Default User Idle Timeout

    default-user-max-output-octets= value Where: Parameter...
  • Page 276: Default User One-To-One Nat

    Set this to 1 to activate one-to-one NAT support. IPass login URL: This attribute lets you define the location of the IPass login page. The CN3000 will automatically redirect customers with IPass client software to this page. Syntax ipass-login-url= URL_of_page...
  • Page 277: External Pages

    Placeholder / Description: Returns the NAS ID assigned to the CN3000. By default, this is the unit’s serial number. Returns the RADIUS login name assigned to the CN3000. By default, this is the unit’s serial number.
  • Page 278: Remote Login Page

    Do this with an appropriate access list definition. (Customers see this page after they are logged out.) Remote login page: The CN3000 provides an option that allows you to redirect customers to a remote server to log in to the public access interface instead of using the internal login page. Hosting the login page on a remote server means that the login page is completely customizable.
  • Page 279: Noc Authentication

    CN3000 used for authenticating customer logins. This occurs via the two Colubris-AVPair value strings (ssl-noc-certificate and ssl-noc-ca-certificate), which define the locations of two certificates. These certificates enable the CN3000 to validate that the customer login information does indeed come from a trusted application.
  • Page 280: Management Tool

    Choose how the administrator's username and password are verified. You can choose to store this information on the CN3000 (Local account), or remotely on a RADIUS server. Using a RADIUS server enables you to have multiple administrators, each with a unique name and password.
  • Page 281: Web Server

    (HTTPS). By default this parameter is set to port 443. Web server port: Specify the port number the CN3000 will use to provide standard HTTP access to the management tool. HTTP connections made to this port are met with a warning and the browser is redirected to the secure web server port.
  • Page 282: Snmp

    SNMP: Open the Management > SNMP page. Attributes: System name: Specify a name to identify the CN3000. By default, this is set to the serial number of the CN3000. Location: Location where the CN3000 is installed. Contact: Contact information for the CN3000.
  • Page 283: Agent

    Specify the password required by the remote host that will receive the trap. Host: Specify the IP address or domain name of the host that the CN3000 will send traps to. Port: Specify the port that the CN3000 will send traps on. By default, port 162 is used.
  • Page 284: System Time

    System time: Set time zone and DST: Choose the time zone the CN3000 is located in. You can also enable support for daylight saving time. If you change the time zone setting, the new value does not take effect until you restart the CN3000.
  • Page 285: Satellites

    Satellites: This page enables you to view the status of all satellites that are active on the network. The satellites broadcast status information to the CN3000 (master) every 60 seconds. Device ID: Serial number of the satellite. Click this number to view more information on the satellite.
  • Page 286: Country

    Open the Management > Country page. Country Set the country that the CN3000 is operating in. This enables the CN3000 to properly customize the list of operating frequencies that you can choose from. Only frequencies that conform to the regulations in your area will be available.
  • Page 287: Building A Cross-Over Cable

    Chapter 12: Building a cross-over cable. This chapter explains how to build a cross-over cable.
  • Page 288: Wiring Details

    Wiring details: Use the information in the following diagrams to build a cross-over cable.
  • Page 289: The Configuration File

    Chapter 13: The configuration file. This chapter provides an overview of the configuration file and explains how to edit it.
  • Page 290: Manually Editing The Config File

    However, certain infrequently-used parameters can only be set by manually editing the configuration file. To edit the configuration file, you must first retrieve it from the CN3000. Once edited, it then needs to be restored. There are several ways to do this: •...
  • Page 291: Configuration File Structure

    Configuration file structure: The configuration file is an ASCII file and can be edited in a standard text editor.
  • Page 292
  • Page 293: Sample Setup - Backend Software

    You can use this setup as a platform to experiment with the CN3000 feature set. IMPORTANT: Before reading this chapter you should familiarize yourself with the concepts discussed in...
  • Page 294: Overview

    Important: Apache 1.2.x should never be used in a production environment on a Windows server. IN NO EVENT SHALL COLUBRIS NETWORKS INC. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF COLUBRIS NETWORKS INC.
  • Page 295: Equipment Setup

    LAN or wireless port on the CN3000. The ‘protected network resources’ are connected to the Internet port on the CN3000. In this example, both Server 1 and Server 2 are on the protected network. Server 1 is used to host a remote login page and a RADIUS server.
  • Page 296: About The Components

    The client station is required to test the setup once it is complete. It requires a web browser. The DHCP server on the CN3000 will assign an IP address to this computer.
  • Page 297: Step 1: Retrieve Software

    Chapter 14: Sample setup - Backend software. Step 1: Retrieve software. Server 1: Create a temporary directory on Server 1.
  • Page 298: Step 2: Install Configure Software On Server 1

    Step 2: Install configure software on Server 1. Windows 2000: 1.
  • Page 299: Apache

    Apache: 1.
  • Page 300: Sample Pages

    8.
  • Page 301: Php 4.2.3

    PHP 4.2.3: 1.
  • Page 302 3.
  • Page 303: Phpmyadmin

    6.
  • Page 304: Start Mysql

    1 user admin www.noc-cn3000.com Note: It is normal to see the following error when the createdb.cmd is run the first time: DROP DATABASE radius failed
  • Page 305: Step 3: Configure Steel-Belted Radius On Server 1

    Step 3: Configure Steel-Belted Radius on Server 1. The Backend archive file contains modified configuration settings for the Steel-Belted...
  • Page 306: Define A Ras Client For The Cn3000

    To complete this section you need to know the IP address assigned to the Internet port on the CN3000. For this example, use the address 192.168.2.1. 1. Select RAS Clients. 2. Click Add.
  • Page 307 3. Choose a name for the CN3000. For this example, use the name COLUBRIS. This is a nickname that is used by Steel-Belted Radius to identify the client and is not configured on the CN3000.
  • Page 308: Create Radius Profiles

    CN3000. • login name: admin • password: admin DEMO-NOC-DEVICES This is the profile used by the CN3000 when configured for NOC authentication. • login name: www.noc-cn3000.com • password: www.noc-cn3000.com 1. On the File menu, click Import. 2. Select the file example.rif in c:\colubris\radius\.
  • Page 309: Update The Steel-Belted Radius Configuration

    1.
  • Page 310: Step 4: Install Web Server Certificates On Server 1

    Step 4: Install web server certificates on Server 1. Certificates enable client stations to validate the identity of a web server.
  • Page 311 3.
  • Page 312 8.
  • Page 313: Step 5: Install And Configure The Cn3000

    1. Launch a new command-line session. 2. Run c:\opensa\apache\apache.exe -D SSL. This starts Apache in secure mode. Assign a static address: Perform the following steps using the CN3000 Management tool. 1. On the Network menu, click Ports. 2. Click Internet port in the table.
  • Page 314: Configure Radius Settings

    The CN3000 must be configured to communicate with the Steel-Belted Radius server. For a detailed explanation of configuration issues, see Chapter “Customizing CN3000...
  • Page 315 • RADIUS password: Set to hotspot. 7. In the HTML-based User Logins box, set RADIUS profile to RADIUS Profile 1. 8. Click Save. The CN3000 will attempt to connect to the Steel-Belted Radius server. If successful, the status light will change from red to green.
  • Page 316: Certificates

    • Set RADIUS profile to RADIUS Profile 1. 12. Click Save. Certificates You can replace the certificate that is installed on the CN3000 with your own to eliminate the warning message clients see when they try to login to the public access interface. Refer to...
  • Page 317: Step 6: Install And Configure Software On Server 2

    Step 6: Install and configure software on Server 2. Server 2 will be used to test if the customer is successfully redirected to the originally requested page.
  • Page 318: Step 7: Test The Installation

    1. Start the client station’s web browser and enter the IP address (or domain name) of Server 2. 2. The CN3000 should intercept the URL and redirect the browser to the login page. You should see the modified login page shown below. (Depending on the type of certificate you installed on the CN3000 you may see a security warning first.)
  • Page 319 5.
  • Page 320: Step 8: Test The Remote Login Page Feature

    The sample files you installed on Server 1 also include definitions to allow testing of the remote login page feature. This feature enables the CN3000 to redirect customers to a remote URL to login instead of using the internal login page. For more information see “Using a remote login page”...
  • Page 321: Test The Remote Login Feature

    Server 2. 2. The CN3000 should intercept the URL and redirect the browser to the remote login page on 192.168.2.99. (Depending on the type of certificate you installed on the CN3000 you may see a security warning first.)
  • Page 322 remote, secure web page.
  • Page 323: Step 9: Test The Noc Authentication Feature

    The sample files you installed on Server 1 also include definitions that enable you to test the NOC authentication feature. This feature allows you to validate customer logins using a remote server instead of using the CN3000. See Chapter 8: NOC authentication for a complete description of this feature and its benefits.
  • Page 324: Test Noc Authentication

    1. Start the client station's web browser and enter the IP address (or domain name) of Server 2. 2. The CN3000 should intercept the URL and redirect the browser to the remote NOC login page on 192.168.2.99. (Depending on the type of certificate you installed on Server 2 you may see a security warning first.)
  • Page 325 3.
  • Page 326: Tools

    Tools. Batch files: Several batch files are included in c:\colubris\scripts to make management of the web...
  • Page 327 2.
  • Page 328 u_user_id, since this is a primary key for the user table.
  • Page 329: Troubleshooting

    • If the number of Silent Discards is non-zero, it means the CN3000 and the server have a different shared secret. They should always be the same. • If the number of Rejects is non-zero, it means the CN3000 is using an invalid login name/password pair.
  • Page 330 Check that the IP address and port number for the web server hosting the goodbye page are defined in the access list for the RADIUS profile for the CN3000.
  • Page 331: Sample Setup - Steel-Belted Radius

    This chapter provides a walkthrough of a sample RADIUS configuration using Steel-Belted Radius. The CN3000 is compliant with RFC 2865 and RFC 2866 and will work with a variety of RADIUS servers. This example is for illustrative purposes only and does not imply that you need to use Steel-Belted Radius over any other brand.
  • Page 332: Overview

    • a second network hub or a cross-over cable • two computers capable of running Windows 2000 Professional, Server or Advanced Server • a CN3000 • a third computer with a JavaScript-enabled web browser, with either a wireless networking adapter or standard Ethernet adapter Skills •...
  • Page 333: Equipment Setup

    LAN or wireless port on the CN3000. The ‘protected network resources’ are connected to the Internet port on the CN3000. In this example, both Server 1 and Server 2 are on the protected network. Server 1 hosts the RADIUS server. Server 2 is used to simulate an external web server.
  • Page 334 The client station is required to test the setup once it is complete. It requires a web browser. The DHCP server on the CN3000 will assign an IP address to this computer.
  • Page 335: Step 1: Install Software On Server 1

    Chapter 15: Sample setup - Steel-Belted Radius. Step 1: Install software on Server 1. Windows 2000: 1.
  • Page 336: Step 1: Add Support For Colubris Networks Attributes

    Step 1: Add support for Colubris Networks attributes Note: If you do not want to modify the files yourself, modified versions are available in the Colubris Backend archive which can be found on the Colubris Networks web site or on the CD.
  • Page 337: Step 2: Connect To The Steel-Belted Radius Server

    Step 2: Connect to the Steel-Belted Radius server. Do the following on Server 1: 1.
  • Page 338 If you see any error messages in the Status window, you must resolve them before continuing.
  • Page 339: Step 3: Create A Radius Client Profile For The Cn3000

    1. Select RAS Clients. 2. Click Add. 3. Choose a name for the CN3000. For this example, use the name COLUBRIS. This is a nickname that is used by Steel-Belted Radius to identify the client and is not configured on the CN3000.
  • Page 340 6. Set Make/model to Colubris CN3000.
  • Page 341: Step 4: Define Radius Profiles

    • Return list attributes: These attributes are returned once authentication is successful. For this example you will create a RADIUS profile for: • the CN3000 • Public access customers subscribing to SMTP redirection • Public access customers not subscribing to SMTP redirection •...
  • Page 342 8. Click the Returned list attributes tab. You can now specify the attributes that will be returned to the CN3000 after it is successfully authenticated. This enables you to define a number of important operating characteristics, including: •...
  • Page 343: Defining A Customer Profile

    • Once all entries are complete, the Return list attributes tab should look like this: • Click Save. Defining a customer profile: The CN3000 supports an SMTP redirection feature which enables customers to send outgoing mail without being directly connected to their SMTP server. To use this feature, the customer profiles need to be split into two types: those with SMTP redirection and those without it.
  • Page 344 • Settings for session timeouts and accounting updates. For this example, you should create the following four entries: Idle-Timeout: This causes the CN3000 to log the customer out if the session is idle for more than 30 seconds. Session-Timeout: This causes the CN3000 to log the customer out if the session is active for more than 360 seconds.
  • Page 345: Defining A CN3000 Administrator Profile

    Defining a CN3000 administrator profile: By defining an administrator profile you can enable multiple administrators to log in to the management tool on the CN3000. Each administrator can have their own login name and password. Refer to “Creating administrator profiles on the RADIUS server” on page 172 for more information.
  • Page 346 5.
  • Page 347: Step 5: Define User Accounts

    Step 5: Define user accounts. RADIUS user accounts need to be created for each individual user.
  • Page 348 5.
  • Page 349: Step 6: Install And Configure The Cn3000

    • Default gateway: Leave blank. In a real setup this would be set to the address of the router providing access to the Internet. The CN3000 must be configured to communicate with the Steel-Belted Radius server. For a detailed explanation of configuration issues, see Chapter “Customizing CN3000...
  • Page 350 • RADIUS password: Set to hotspot. 7. In the HTML-based User Logins box, set RADIUS profile to RADIUS Profile 1. 8. Click Save. The CN3000 will attempt to connect to the Steel-Belted Radius server. If successful, the status light will change from red to green.
  • Page 351 For example, 20030822.log for August 22, 2003. If the number of Silent Discards is incremented, it probably means that the IP address of the CN3000 and/or the shared secret has not been properly configured on the RAS client tab.
  • Page 352: Step 7: Install Server 2

    Step 7: Install Server 2. This example assumes Windows 2000 and IIS are installed on Server 2.
  • Page 353: Step 8: Test The Installation

    To test the installation, use the client station to log onto the public access interface. For this to work, the CN3000 must be configured as the client’s default gateway. If you set up your equipment to match the setup of this example, this is automatic. If not, adjust the configuration of the client accordingly.
  • Page 354: Testing Administrator Logins

    Testing administrator logins: If you configured administrator accounts on the RADIUS server, you can test them now as follows: 1. Open the CN3000 management tool with your web browser. 2. On the main menu, click Management. The Management tool configuration page opens.
  • Page 355: Sample Setup - Microsoft Radius

    Service), that comes with Windows 2000 server and Windows 2000 Advanced server. The CN3000 is compliant with RFC 2865 and RFC 2866 and will work with a variety of RADIUS servers. This example is for illustrative purposes only and does not imply that you need to use Microsoft’s RADIUS server over any other brand.
  • Page 356: Overview

    Chapter 16: Sample setup - Microsoft RADIUS. Overview: The sample setup in this chapter illustrates how to use IAS (Internet Authentication Service) to authenticate customer logins on the CN3000. Prerequisites: Software •...
  • Page 357: Equipment Setup

    LAN or wireless port on the CN3000. The ‘protected network resources’ are connected to the Internet port on the CN3000. In this example, both Server 1 and Server 2 are on the protected network. Server 1 hosts the IAS server. Server 2 is used to simulate an external web server.
  • Page 358: Step 1: Install Software On Server 1

    Step 1: Install software on Server 1. Windows 2000: 1.
  • Page 359: Step 2: Define User Accounts

    On server 1, accounts need to be created in Windows for three types of users as follows: • each CN3000 must have its own account • each administrator must have their own account • each customer must have their own account To create the accounts 1.
  • Page 360: Step 3: Define Groups And Add Users To Them

    Step 3: Define groups and add users to them Groups let you define a set of common attributes for one or more users. You will need to create at least four groups: • CN3000 devices • CN3000 administrators • Customers with SMTP redirection •...
  • Page 361 4.
  • Page 362: Step 4: Start The Radius Server

    Step 4: Start the RADIUS server. Start the RADIUS server configuration by selecting Start Menu/Programs/Administrative Tools/Internet Authentication Service.
  • Page 363: Step 5: Create A Radius Client Account

    Step 5: Create a RADIUS client account A RADIUS client is any device that uses the services of a RADIUS server. Therefore, each CN3000 is considered to be a RADIUS client and must have its own client account. 1. Click Clients.
  • Page 364 5. Click Next. The Add RADIUS Client dialog box opens. 6. In Client address specify the IP address of the CN3000’s Internet port. For this example, specify 192.168.2.1.
  • Page 365: Step 6: Create An Access Policy For The Cn3000

    Step 6: Create an access policy for the CN3000. A remote access policy is a set of actions that apply to a group of RADIUS users.
  • Page 366 4.
  • Page 367 8.
  • Page 368 12.
  • Page 369 15.
  • Page 370
  • Page 371 18. Click the Advanced tab. This tab is where you specify the values that are returned to the CN3000 when it logs into the RADIUS server.
  • Page 372 21. Select Administrative for Attribute value and click OK. You can now specify the attributes that will be returned to the CN3000 after it is successfully authenticated. This enables you to define a number of important operating characteristics, including: •...
  • Page 373 To add this entry: •...
  • Page 374 • Click Add to add a new attribute. • Specify the Colubris Networks vendor code 8744 in Enter Vendor Code. • Select Yes. It conforms.
  • Page 375: Step 7: Create An Access Policy For Customers

    Step 7: Create an access policy for customers. This section explains how to create a remote access policy for both Public Access Customers (SMTP Redirect) and Public Access Customers (no SMTP Redirect).
  • Page 376 4.
  • Page 377 8.
  • Page 378 12.
  • Page 379 15.
  • Page 380 19. Click the Authentication tab and enable the options as shown. 20. Click the Advanced tab. This tab is where you specify the values that are returned to the CN3000 when a customer is authenticated by the RADIUS server. 21. Remove all entries.
  • Page 381 24. In the Attribute value field, specify the reporting interval (in seconds) that the CN3000 will use to send accounting information to the RADIUS server. 25. Click OK. You can now specify the attributes that will be returned after a customer is successfully authenticated.
  • Page 382 For this example, you should create the following entries: smtp-redirect=192.168.2.100 This provides access to the fictional SMTP server on 192.168.2.100.
  • Page 383 • Click Add to add a new attribute. • Specify the Colubris Networks vendor code 8744 in Enter Vendor Code. • Select Yes. It conforms.
  • Page 384 26.
  • Page 385: Step 8: Create An Access Policy For Cn3000 Admins

    Step 8: Create an access policy for CN3000 admins This section explains how to create a remote access policy to centrally validate administrator logins via the RADIUS server instead of locally on each CN3000. Note: Setting up administrator profiles is optional and is not required for proper operation of this sample.
  • Page 386 5.
  • Page 387 10.
  • Page 388 13.
  • Page 389 16.
  • Page 390 18.
  • Page 391: Step 9: Install And Configure The Cn3000

    Internet. • In a real setup you would also need to define DNS settings. The CN3000 must be configured to communicate with the RADIUS server. For a detailed explanation of configuration issues, see Chapter “Customizing CN3000 and...
  • Page 392 • RADIUS password: Set to hotspot. 7. In the HTML-based User Logins box, set RADIUS profile to RADIUS Profile 1. 8. Click Save. The CN3000 will attempt to connect to the Microsoft Radius server. If successful, the status light will change from red to green.
  • Page 393: Step 10: Install Server 2

    Step 10: Install Server 2. This example assumes Windows 2000 and IIS are installed on Server 2.
  • Page 394: Step 11: Test The Installation

    To test the installation, use the client station to log onto the public access interface. For this to work, the CN3000 must be configured as the client’s default gateway. If you set up your equipment to match the setup of this example, this is automatic. If not, adjust the configuration of the client accordingly.
  • Page 395: Testing Administrator Logins

    To test the accounts that were set up to validate administrator logins using the RADIUS server, do the following: 1. Open the CN3000 management tool with your web browser. 2. On the main menu, click Management. The Management tool configuration page opens.
  • Page 397: Experimenting With Noc Authentication

    Chapter 17: Experimenting with NOC authentication. This chapter provides a sample setup that illustrates how the NOC authentication feature works and lets you experiment with it. This sample is not a complete working implementation, but rather a test setup that you can use to become familiar with the feature.
  • Page 398: Overview

    Evaluation of the NOC authentication feature is accomplished using a VBScript program that lets you send authentication requests to the CN3000 using an SSL session. This program demonstrates the functionality that would be required in a remote login page.
  • Page 399: Equipment Setup

    This example uses the same equipment setup presented in Chapter 14. You should follow the instructions in Chapter 14 to install this sample and get it working. For your reference the topology is shown in a figure (CN3000 with its LAN port and Internet port, Server 1, Server 2, client station; addresses 192.168.1.1 and 192.168.2.1...
  • Page 400: Step 1: Configure The Cn3000

    Step 1: Configure the CN3000. In this step you will install an SSL certificate on the CN3000 and enable NOC authentication. The certificate has already been created and can be found in the backend folder.
  • Page 401: Step 2: Configure The Radius Profile For The Cn3000

    These files are included as part of the backend example. Force authentication: For the CN3000 to retrieve the new settings you just added to the profile, it must authenticate to the RADIUS server again. 1. Open the management tool.
  • Page 402: Step 3: Configure Server 1

    Step 3: Configure Server 1. Important: Do not use the certificates supplied with this example as part of a production system.
  • Page 403 Chapter 17: Experimenting with NOC authentication (continued)
  • Page 404 Chapter 17: Experimenting with NOC authentication (continued)
  • Page 405: Verifying That Winhttpcertcfg.exe Is Installed

    12. On the Action menu, click All Tasks > Import. 13. Click Next. 14. Click Browse, then open the following file on the CN3000’s CD-ROM: \backend\winhttpauth\noc-ca.pfx 15. Click Next.
  • Page 406: Granting Access To The Private Key For Noc-Client

    Granting access to the private key for noc-client: Using winhttpcertcfg.exe, you need to grant access to the private key imported from noc-client.pfx to the application that will send customer login information to the CN3000. In this example, access needs to be granted to two accounts: •...
  • Page 407: Configuring The Hosts File On Server 1

    CN3000, this name must be added to the Server 1 WINNT\system32\drivers\etc\hosts file. This ensures that the CN3000’s domain name will be resolved to the actual IP address of the Internet port on the CN3000. The host file is located in: \winnt\system32\drivers\etc\hosts. Another option...
  • Page 408: Experimenting With Noc-Authenticate.vbs

    The program posts the information you specify to the following URL: https://www.noc-cn3000.com:8090/goform/HtmlNocLoginRequest The CN3000 will answer the post with the results of the RADIUS authentication. The program will print these results so you can view them. For a complete description of all possible return values, see “Authentication results”...
  • Page 409 “Authentication results” on page 410. Since authentication was successful, the CN3000 returns the welcome page URL that the customer should be redirected to. The session page URL is also returned, so that the customer’s web browser can be asked to open the session window.
  • Page 410: Authentication Results

    Authentication results: The file noc.h contains the definitions used by the CN3000 when building the authentication results that are sent in reply to a customer authentication request.
  • Page 411: Returned Values

    The following examples show the information returned for various authentication conditions. NOC authentication mode is not enabled: <HTML> NOC_INFO_STATUS=NOC_STATUS_DISABLED </HTML> The CN3000 did not receive the login application’s SSL certificate The login application did not send its certificate. Therefore, the request was rejected. <HTML> NOC_INFO_STATUS=NOC_STATUS_FAILURE NOC_INFO_INT_ERR_MESSAGE=NOC_CANNOT_GET_PEER_CERT </HTML>...
  • Page 412 Certificate not valid yet: The login application sent an SSL certificate that matches the one defined by ssl-noc-certificate in the RADIUS profile for the CN3000. However, the certificate that was sent is not yet valid. <HTML>...
  • Page 413: Examples

    This could be due to an unknown username, or invalid username or password. <HTML> status=failure external-err-msg=Your login was refused. login-err-url=https://206.162.167.226:8888/cebit-php/login-error.php?site=eperie-cn3000&user=user12&nasipaddress= </HTML> Customer could not be authenticated: The CN3000 could not contact a RADIUS server. <HTML> status=failure external-err-msg=You cannot be logged in at this time. Please try again later. login-err-url=https://206.162.167.226:8888/cebit-php/login-error.php?site=eperie-cn3000&user=user12&nasipaddress= </HTML>...
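The replies on pages 408 to 413 are what a remote login page has to interpret: a NOC_INFO_STATUS block when the SSL handshake or NOC mode itself fails, otherwise a status / external-err-msg / login-err-url block carrying the RADIUS outcome. The following is an added example in Python, not the noc-authenticate.vbs program shipped with the CN3000 backend, showing how such a login application can post over mutual SSL to https://www.noc-cn3000.com:8090/goform/HtmlNocLoginRequest, parse the reply, and refuse to redirect the customer anywhere except an allow-listed host. The sample replies are constructed from the ones printed in this chapter; the POST field names, the PEM file names and the allowed host list are assumptions for illustration.

```python
"""Handle replies from the CN3000 NOC authentication URL
(https://www.noc-cn3000.com:8090/goform/HtmlNocLoginRequest).

Added example in Python; not the noc-authenticate.vbs program shipped with the
CN3000 backend.  Reply samples are constructed from the ones printed in this
chapter.  POST field names, PEM file names and the allowed host list are
assumptions for illustration.
"""
import http.client
import re
import ssl
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# The CN3000 wraps its reply in <HTML> ... </HTML> with one key=value per line.
_BODY_RE = re.compile(r"<HTML>(.*?)</HTML>", re.IGNORECASE | re.DOTALL)


def parse_noc_reply(body: str) -> Dict[str, str]:
    """Return the key=value pairs carried in a CN3000 NOC reply body."""
    m = _BODY_RE.search(body)
    if not m:
        raise ValueError("reply does not contain an <HTML> block")
    pairs: Dict[str, str] = {}
    for line in m.group(1).splitlines():
        if "=" in line:                      # values (URLs) may contain '=' too
            key, _, value = line.strip().partition("=")
            pairs[key.strip()] = value.strip()
    return pairs


def classify(pairs: Dict[str, str]) -> Tuple[str, str]:
    """Map a parsed reply to (outcome, detail).  NOC_INFO_STATUS is present when
    the NOC handshake itself failed; otherwise the reply carries the RADIUS
    outcome in status / external-err-msg / login-err-url."""
    noc_status = pairs.get("NOC_INFO_STATUS")
    if noc_status == "NOC_STATUS_DISABLED":
        return "noc-disabled", "NOC authentication mode is not enabled"
    if noc_status == "NOC_STATUS_FAILURE":
        return "noc-error", pairs.get("NOC_INFO_INT_ERR_MESSAGE", "")
    status = pairs.get("status", "")
    if status == "failure":                  # refused login or RADIUS unreachable
        return "failure", pairs.get("external-err-msg", "")
    return status, ""


def query_params(url: str) -> Dict[str, str]:
    """Single-valued query parameters of a returned URL; empty values are kept
    because the samples carry an empty nasipaddress=."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def redirect_target(pairs: Dict[str, str], allowed_hosts) -> Optional[str]:
    """login-err-url to send the customer's browser to, or None.  Redirecting to
    whatever URL comes back would make the login application an open redirector
    if a reply were tampered with, so only https URLs on allow-listed hosts pass."""
    url = pairs.get("login-err-url")
    if not url:
        return None
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        return None
    return url


def post_login(fields: Dict[str, str], host: str = "www.noc-cn3000.com",
               port: int = 8090, ca_file: str = "noc-ca.pem",
               client_cert: str = "noc-client.pem",
               client_key: str = "noc-client.key") -> Dict[str, str]:
    """POST a login request over mutual TLS and return the parsed reply.  The
    CN3000 rejects requests without a client certificate (NOC_CANNOT_GET_PEER_CERT),
    so the noc-client chain is presented; the server certificate is verified
    against noc-ca and the hostname must match (hence the hosts-file entry for
    www.noc-cn3000.com).  File names are assumed PEM exports of the .pfx files."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=15)
    try:
        conn.request("POST", "/goform/HtmlNocLoginRequest", body=urlencode(fields),
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        return parse_noc_reply(conn.getresponse().read().decode("utf-8", "replace"))
    finally:
        conn.close()


# Constructed samples, modelled on the replies printed in this chapter.
SAMPLE_DISABLED = "<HTML>\nNOC_INFO_STATUS=NOC_STATUS_DISABLED\n</HTML>"
SAMPLE_NO_CERT = ("<HTML>\nNOC_INFO_STATUS=NOC_STATUS_FAILURE\n"
                  "NOC_INFO_INT_ERR_MESSAGE=NOC_CANNOT_GET_PEER_CERT\n</HTML>")
SAMPLE_REFUSED = ("<HTML>\nstatus=failure\nexternal-err-msg=Your login was refused.\n"
                  "login-err-url=https://206.162.167.226:8888/cebit-php/login-error.php"
                  "?site=eperie-cn3000&user=user12&nasipaddress=\n</HTML>")
```

The two failure replies printed on page 413 differ only in their customer-facing text, so the login application cannot tell a refused password from an unreachable RADIUS server by machine-readable field; classify() therefore reports both as "failure" and hands back external-err-msg for display. The host check in redirect_target() is the practitioner's safeguard: the CN3000 supplies the redirect URL, and a page that forwards the browser to any URL it is handed is an open redirector.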
  • Page 415: Regulatory, Wireless Interoperability, And Health Information

    Chapter 18: Regulatory, wireless interoperability, and health information...
  • Page 416: Regulatory Information

    CN3000 in such a manner that human contact during normal operation is minimized. Interference Statement The CN3000 has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
  • Page 417 • Reorient or relocate the receiving antenna. • Increase the distance between the CN3000 and the receiver. • Connect the CN3000 to an outlet on a circuit different from that which the receiver is connected. • Consult your dealer or an experienced radio/TV technician for help.
  • Page 418: Health Information

    In some situations or environments, the use of the CN3000 may be restricted by the proprietor of the building or responsible representatives of the organization. These situations may, for example, include: •...