Wireless Access Point
User's Guide
August 11, 2015
Release 7.5

Summary of Contents for Xirrus XD Series

  • Page 1 Wireless Access Point User’s Guide August 11, 2015 Release 7.5...
  • Page 3: Wireless Access Points

    Wireless Access Points XR and XD Series All rights reserved. This document may not be reproduced or disclosed in whole or in part by any means without the written consent of Xirrus, Inc. Part Number: 800-0022-001 (Revision R)
  • Page 4 Trademarks is a registered trademark of Xirrus, Inc. All other trademarks and brand names are marks of their respective holders. Please see Legal Notices, Warnings, Compliance Statements, and Warranty and License Agreements in “Notices (XR-1000 to XR-6000 Indoor Models)” on page 563.
  • Page 5: Table Of Contents

    Introduction (p. 1); The Xirrus Family of Products (p. 1); Nomenclature (p. 2); Why Choose the Xirrus Access Point? (p. 3); Wireless Access Point Product Overview (p. 4); XR Wireless AP Product Family (p. 5); XR-320 Wall Mounted 2-Radio Access Points (p. 5); XR-500 Series 2-Radio Access Points ...
  • Page 6 Applications Enablement (p. 21); Advanced Feature Sets (p. 21); Xirrus Advanced RF Performance Manager (RPM) (p. 21); Xirrus Advanced RF Security Manager (RSM) (p. 22); Xirrus Advanced RF Analysis Manager (RAM) (p. 23); Xirrus Application Control (p. 24); About this User’s Guide ...
  • Page 7 Power Planning (p. 55); Power over Ethernet (p. 55); Security Planning (p. 56); Wireless Encryption (p. 56); Authentication (p. 56); Meeting PCI DSS Standards (p. 57); Meeting FIPS Standards (p. 57); Port Requirements (p. 58); Network Management Planning (p. 62); WDS Planning ...
  • Page 8 An Overview (p. 86); Structure of the WMI (p. 87); User Interface (p. 89); Logging In (p. 92); Applying Configuration Changes (p. 93); Character Restrictions (p. 93); Viewing Status on the Wireless AP (p. 95); Access Point Status Windows (p. 96); Access Point Summary ...
  • Page 9 Cisco Discovery Protocol (CDP) Settings (p. 181); LLDP Settings (p. 182); Services (p. 185); Time Settings (NTP) (p. 186); NetFlow (p. 189); Wi-Fi Tag (p. 190); Location (p. 191); System Log (p. 193); About Using Splunk for Xirrus APs (p. 196) ...
  • Page 10 VLANs (p. 213); Understanding Virtual Tunnels (p. 214); VLAN Pools (p. 215); VLAN Management (p. 216); Tunnels (p. 220); About Xirrus Tunnels (p. 220); Tunnel Management (p. 221); SSID Assignments (p. 223); Security (p. 224); Understanding Security (p. 225); Certificates and Connecting Securely to the WMI (p. 228); Using the AP’s Default Certificate ...
  • Page 11 SSID Management (p. 276); SSID List (top of page) (p. 277); SSID Limits and Scheduling (p. 283); Web Page Redirect (Captive Portal) Configuration (p. 286); Whitelist Configuration for Web Page Redirect (p. 292); Web Page Redirect for Purple WiFi Venues (p. 293); WPA Configuration ...
  • Page 12 Hotspot 2.0 (p. 366); Understanding Hotspot 2.0 (p. 366); NAI Realms (p. 369); Understanding NAI Realm Authentication (p. 369); NAI EAP (p. 370); Intrusion Detection (p. 372); DoS Attacks (p. 373); Impersonation Attacks (p. 374); About Blocking Rogue APs (p. 375); RF Intrusion Detection and Auto Block Mode ...
  • Page 13 Network Tools (p. 422); Progress Bar and Status Frame (p. 424); CLI (p. 424); API Documentation (p. 426); Status/Settings (p. 427); GET Requests (p. 427); Trying a GET Request (p. 428); API Documentation Toolbar (p. 430); Options (p. 431); Logout ...
  • Page 14 interface (p. 470); load (p. 471); location (p. 471); location-reporting (p. 472); management (p. 473); mdm (p. 475); more (p. 476); netflow (p. 477); no (p. 478); quick-config (p. 479); quit (p. 480); authentication-server (p. 480); reboot (p. 482); reset ...
  • Page 15 Enabling Monitoring on the AP (p. 527); How Monitoring Works (p. 527); Radio Assurance (p. 528); Radio Assurance Options (p. 529); RADIUS Vendor Specific Attribute (VSA) for Xirrus (p. 530); Location Service Data Formats (p. 531); Euclid Location Server (p. 531) ...
  • Page 16 Appendix F: Auditing PCI DSS (p. 593); Payment Card Industry Data Security Standard Overview (p. 593); PCI DSS and Wireless (p. 594); The Xirrus AP PCI Compliance Configuration (p. 595); The pci-audit Command (p. 596); Additional Resources (p. 597); Appendix G: Implementing FIPS Security (p. 599); Securing the AP Physically ...
  • Page 17 Glossary of Terms (p. 607); Index (p. 619) ...
  • Page 18 Wireless Access Point...
  • Page 19: List Of Figures

    List of Figures: Figure 1. Xirrus AP (p. 1); Figure 2. Wireless AP (XR Series) (p. 4); Figure 3. Wireless Coverage Patterns (p. 15); Figure 4. XP8 - Power over Ethernet Usage (p. 16); Figure 5. WMI: AP Status (p. 17); Figure 6. ...
  • Page 20 Figure 35. Network Interfaces—XR-2000 Series (left); XR-2005/2006 (right) (p. 77); Figure 36. Network Interface Ports—XR-4000 Series (p. 78); Figure 37. Network Interface Ports—XR-6000 Series (p. 78); Figure 38. Web Management Interface (p. 86); Figure 39. WMI: Frames (p. 89); Figure 40. ...
  • Page 21 Figure 72. Controls for Location Map (p. 130); Figure 73. Station RSSI Values (p. 132); Figure 74. Station RSSI Values — Colorized Graphical View (p. 133); Figure 75. Station Signal-to-Noise Ratio Values (p. 134); Figure 76. Station SNR Values — Colorized Graphical View (p. 134); Figure 77. ...
  • Page 22 Figure 128. Tunnel Management (p. 221); Figure 129. Tunnel SSID Assignments (p. 223); Figure 130. Security (p. 224); Figure 131. Import Xirrus Certificate Authority (p. 229); Figure 132. Admin Management (p. 230); Figure 133. Admin Privileges (p. 232); Figure 134. Admin RADIUS (p. 235); Figure 135. ...
  • Page 23 Figure 146. Finding the Domain Name from Active Directory (p. 261); Figure 147. Rogue Control List (p. 263); Figure 148. OAuth 2.0 Management - Token List (p. 265); Figure 149. SSIDs (p. 267); Figure 150. Four Traffic Classes (p. 270); Figure 151. ...
  • Page 24 Figure 183. DSCP Mappings (p. 379); Figure 184. Roaming Assist (p. 381); Figure 185. WDS (p. 383); Figure 186. Configuring a WDS Link (p. 384); Figure 187. WDS Client Links (p. 385); Figure 188. Filters (p. 389); Figure 189. Filter Lists (p. 390); Figure 190. ...
  • Page 25 Figure 220. Disabling Global IAPs (p. 500); Figure 221. Enabling a Specific IAP (p. 501); Figure 222. Disabling a Specific IAP (p. 502); Figure 223. Setting Cell Size Auto-Configuration for All IAPs (p. 503); Figure 224. Setting the Cell Size for All IAPs (p. 504); Figure 225. ...
  • Page 26 Wireless Access Point xxii List of Figures...
  • Page 27: Introduction

    Introduction This chapter introduces the Xirrus Family of Products, with an overview of its key features and benefits. • “The Xirrus Family of Products” on page • “Why Choose the Xirrus Access Point?” on page • “Wireless Access Point Product Overview” on page 4.
  • Page 28: Nomenclature

    Radios support both 2.4GHz and 5 GHz, and are named iap1, iap2, ... iapn. The Xirrus Management System is referred to as XMS. The Power over Ethernet system may be referred to as POE.
  • Page 29: Why Choose The Xirrus Access Point

    Supports a higher transmission speed of 54 Mbps in the 2.4 GHz range and is backwards compatible with 802.11b. Whether you have just a few users or many users, the Xirrus AP has the scalability and flexibility to serve your needs.
  • Page 30: Wireless Access Point Product Overview

    The Xirrus Management System (XMS) allows global management of hundreds of APs from a central location. Multiple versions of the AP with different numbers of IAPs support a variety of deployment applications.
  • Page 31: Xr Wireless Ap Product Family

    Wireless Access Point XR Wireless AP Product Family XR-320 Wall Mounted 2-Radio Access Points The XR-320 is a high performance Gigabit Wi-Fi wall access point with integrated wired Gigabit switch designed for in-room connectivity. This AP, built to support the latest 802.11ac Wi-Fi standards, is designed for multi-device wired and wireless connectivity in hotel rooms, dormitories, hospital rooms, offices, and similar locations.
  • Page 32: Xr-500 Series 2-Radio Access Points

    XR-500 Series 2-Radio Access Points These Access Points have one Gigabit Ethernet port and two multi-state radios (2.4GHz or 5GHz). They support 600Mbps total, connecting up to 240 users at one time. The Access Point provides flexibility for delivering wireless service in low-to-medium user density scenarios, in challenging deployments in areas with high RF attenuation, and in isolated or physically separated locations.
  • Page 33: Series 2-Radio Access Points

    802.11ac clients and prevent them from achieving high performance. Note that the XH2-120 is an outdoor AP that is similar to the XR-620, except that it uses customer-provided external antennas rather than integrated antennas. See the Xirrus XH2-120 Quick Installation Guide for more information. XR-620 XR-630 Feature No.
  • Page 34: Xr-1000 Series 2-Radio Access Points

    (2.4GHz or 5GHz) that can support 300Mbps or 450Mbps, connecting up to 480 users at one time. The Xirrus XR-1000 Series Wireless AP is a two slot chassis available in a two multi-state (2.4GHz or 5GHz) radio configuration with up to 900Mbps of bandwidth (up to 450 Mbps per radio).
  • Page 35: Xd4-130 4-Radio High Density Access Points

    1.3Gbps, connecting up to 780 users at one time with up to 5.2 Gbps total Wi-Fi bandwidth. The Xirrus XD4-130 AP supports high-performance for medium density needs. It integrates multi-state radios with high gain directional antennas, an onboard multi-gigabit switch, controller, firewall, threat sensor and spectrum analyzer.
  • Page 36: Xr-2006 Series 2- And 4-Radio High Density Access Points

    3x3 802.11ac radios supports 1.3Gbps, connecting up to 512 users at one time with up to 5.2 Gbps total Wi-Fi bandwidth. The Xirrus XR-2006 Series has a four-slot chassis that allows you to purchase a two-radio model and add more radios later as your needs grow. These models support high-performance for medium to high density needs.
  • Page 37: Xr-2005 Series 2- And 4-Radio Access Points

    (2.4GHz or 5GHz) that can support 300Mbps or 450Mbps, connecting up to 960 users at one time. The Xirrus XR-2005 Series Wireless AP has a four slot chassis available in a multi-state (2.4GHz or 5GHz) radio configuration supporting up to 1.8Gbps of bandwidth.
  • Page 38: Xr-4006 Series 4- To 8-Radio High Density Access Points

    1024 users at one time with up to 10.4 Gbps total Wi-Fi bandwidth. The Xirrus XR-4006 Series Wireless AP has an eight-slot chassis that allows you to purchase a four-radio model and add more radios later as your needs grow. These...
  • Page 39: Xr-4000 Series 4- To 8-Radio High Density Access Points (Not Ending In "6")

    Wireless Access Point XR-4000 Series 4- to 8-Radio High Density Access Points (not ending in “6”) These APs include models with two Gigabit Ethernet ports and four or eight radios (IAPs), connecting up to 1920 users at one time and offering a maximum wireless bandwidth of 3.6 Gbps (up to 450 Mbps per radio).
  • Page 40: Xr-6000 Series 8- To 16-Radio High Density Access Points

    A 10 Gigabit modular Ethernet expansion port (DVI connector) is available to meet high traffic demands. It is used only with an optional Xirrus 10 Gig fiber optics adapter. Feature XR-6820...
  • Page 41: Deployment Flexibility

    AP automatically. Deployment Flexibility Xirrus’ unique multi-radio architecture (on all APs except the XR-500 Series) generates 360 degrees of sectored high-gain 802.11a/b/g/n coverage that provides extended range and the highest possible data rates for a large volume of clients.
  • Page 42: Power Over Ethernet (Poe)

    Some smaller APs (XR-2000 models ending in “5” or “6”, and XR-500/600 Series) are compatible with IEEE802.3af and/or IEEE802.3at PoE+, and may be connected to appropriate powered switches. For example, the Xirrus XT-5024 and XT-5048 are 24-and 48-port 802.3at POE+ managed switches. See the Installation Guide for the AP for compatible injectors or powered switches.
  • Page 43: Figure 5. Wmi: Ap Status

    Wireless Access Point configuration and control from a graphical console, plus a full complement of troubleshooting tools and statistics. Figure 5. WMI: AP Status In addition, a fully featured Command Line Interface (CLI) offers IT professionals a familiar management and control environment. Simple Network Management Protocol (SNMP) is also supported to allow management from an SNMP compliant management tool, such as the optional XMS.
  • Page 44: Key Features And Benefits

    Wireless Access Point Key Features and Benefits This section describes some of the key product features and the benefits you can expect when deploying the Wireless AP (the XR-7630 product is used as an example in this section). High Capacity and High Performance Figure 6.
  • Page 45: Flexible Coverage Schemes

    data rates in all directions. With a Wireless AP deployed, far fewer access points are needed and wired-like resiliency is delivered throughout your wireless network. Your Wireless AP deployment ensures: • Continuous connectivity if an IAP (radio) fails. ...
  • Page 46: Non-Overlapping Channels

    IAPs or APs at both Layer 2 and Layer 3. Ease of Deployment The Xirrus XMS and Mobilize services simplify and speed deployment of the wireless network by automatically setting up each AP’s license, software image, and initial configuration. When the AP is installed and has Internet connectivity, it contacts Xirrus, which performs these initialization tasks.
  • Page 47: Applications Enablement

    The Xirrus RPM optimizes the bandwidth usage and station performance of wireless networks. Leveraging the multiple integrated access point (multi-radio) design of the Xirrus Wireless AP, RPM manages the allocation of wireless bandwidth to wireless stations across multiple RF channels. The result maximizes overall network performance with superior flexibility and capacity.
  • Page 48: Xirrus Advanced Rf Security Manager (Rsm)

    Standby Mode Xirrus Advanced RF Security Manager (RSM) The Xirrus RSM improves security and minimizes the risk in deploying 802.11 wireless networks. Leveraging an integrated 24/7 threat sensor and hardware-based encryption/decryption in each AP, RSM secures the wireless network from multiple types of threats.
  • Page 49: Xirrus Advanced Rf Analysis Manager (Ram)

    The deployment of 802.11ac presents a set of unique challenges based on technology differences with legacy 802.11a/b/g/n networks, both on the wireless infrastructure and client side. Xirrus RAM equips each Wireless AP with a powerful set of tools and features to optimally tune and verify an 802.11ac installation, as well as give IT administrators the ability to troubleshoot issues that may occur within the wireless environment.
  • Page 50: Xirrus Application Control

    Netflow Support • Network Tools: ping, RADIUS ping, traceroute Xirrus Application Control The Application Control feature is available on APs to provide real-time visibility of application usage by users across the wireless network. Network usage has changed enormously in the last few years, with the increase in smart phone and tablet usage stressing networks.
  • Page 51: About This User's Guide

    Wireless Access Point About this User’s Guide This User’s Guide provides detailed information and procedures that will enable wireless network administrators to install, configure and manage the Wireless AP so that end users can take full advantage of the product’s features and functionality without technical assistance.
  • Page 52 XR500 Series Access Points. Please read this section carefully if you are using these models. • Appendix E: Medical Usage Notices Provides compliance information for Xirrus devices with respect to the requirements of IEC 60601-1-2. • Appendix F: Auditing PCI DSS Discusses using AP features to assist in meeting security standards for PCI DSS audits.
  • Page 53: Notes And Cautions

    For example, an image may have been cropped to highlight a specific area of the screen, and/or sample data may be included in some fields. Product Specifications Please refer to the Xirrus web site for the latest specifications for these APs— www.xirrus.com. Introduction...
  • Page 54 Wireless Access Point Introduction...
  • Page 55: Installing The Wireless Ap

    Some smaller APs are compatible with IEEE802.3af and/or IEEE802.3at, and may be connected to appropriate powered switches. For example, the Xirrus XT-5024 is a 24-port 802.3at PoE+ managed switch. See the Installation Guide for the AP for compatible injectors or powered switches.
  • Page 56 AP, your computer must be equipped with a male 9-pin serial port and terminal emulation software (for example, HyperTerminal). The Xirrus AP only supports serial cable lengths up to 25’ per the RS-232 specification. Use the following settings when establishing a serial connection:...
  • Page 57: Optional Network Components

    Optional Network Components The following network components are optional. • Xirrus Management System (XMS) The optional XMS offers powerful management features for small or large Wireless AP deployments. Client Requirements The Wireless AP should only be used with Wi-Fi certified client devices.
  • Page 58: Planning Your Installation

    Wireless Access Point Planning Your Installation This section provides guidelines and examples to help you plan your Xirrus Wireless AP deployment to achieve the best overall coverage and performance. We recommend you conduct a site survey to determine the best location and settings for each AP you install.
  • Page 59: Figure 8. Wall Thickness Considerations

    Be aware of the direct line between each device. For example, a wall that is 1.5 feet thick (half a meter) at 90° is actually almost 3 feet thick (or 1 meter) when viewed at a 45° angle. At an acute 2° angle the same wall is over 42 feet (or 14 meters) thick.
  • Page 60: Coverage And Capacity Planning

    Coverage and Capacity Planning This section considers coverage and capacity for your deployment(s), including placement options, RF patterns and cell sizes, area calculations, roaming considerations, and channel allocations. • XR-500/600 Series Integrated Access Points are omni-directional rather than directional (sectored), and discussions involving sectored radios are not applicable to these APs.
  • Page 61: Rf Patterns

    Wireless Access Point RF Patterns The Wireless AP allows you to control — automatically or manually — the pattern of wireless coverage that best suits your deployment needs. You can choose to operate with full coverage, half coverage, or custom coverage (by enabling or disabling individual sectors).
  • Page 62: Capacity And Cell Sizes

    Custom Coverage Where there are highly reflective objects in proximity to the AP, you can turn off specific radios to avoid interference and feedback. Figure 12. Custom Coverage. Capacity and Cell Sizes Cell sizes should be estimated based on the number of users, the applications being used (for example, data/video/voice), and the number of APs available at the location.
  • Page 63: Fine Tuning Cell Sizes

    Wireless Access Point Fine Tuning Cell Sizes Adjusting the transmit power allows you to fine tune cell sizes. There are four standard sizes — Small, Medium, Large, or Max (the default is Max). There is also an Auto setting that automatically determines the best cell size, and a Manual setting that allows you to choose your power settings directly.
  • Page 64: Figure 15. Auto Cell Size Options

    APs or installed APs. See also, “Coverage and Capacity Planning” on page Sharp Cell This patented Xirrus RF management option automatically creates more intelligently defined cells and improves performance by creating smaller, high-throughput cells. By dynamically limiting each cell to a defined boundary (cell size), the trailing edge bleed of RF energy is reduced, thus minimizing interference between neighboring Wireless APs or other Access Points.
  • Page 65: Roaming Considerations

    Roaming Considerations Cells should overlap approximately 10 - 15% to accommodate client roaming. Figure 16. Overlapping Cells. Allocating Channels Because the Wireless AP is a multi-channel device, allocating the best channels to radios is important if peak performance is to be maintained.
  • Page 66: Figure 17. Allocating Channels Manually

    • Allows the AP to come up for the first time and not interfere with existing equipment that may be already running, thereby limiting co-channel interference. • More accurately tunes the RF characteristics of a wireless installation than manual configuration since the radios themselves are scanning the environment from their physical location.
  • Page 67: Other Factors Affecting Throughput

    Wireless Access Point Other Factors Affecting Throughput Throughput of the AP can be affected by many factors such as distance, number of stations, obstacles, construction materials used at the site, etc. In addition, features applied to traffic may have an effect. Performance may decrease as you add increasing numbers of SSIDs, VLANs, and features such as Application Control, encryption, management via XMS-Cloud, etc.
  • Page 68: About Ieee 802.11Ac

    Gbps. Wave 2 and future products will add 160MHz channels and up to 8 streams, for a maximum data rate of 6.93Gbps. Xirrus currently supports up to three streams (in units with 3x3 radios) and 80 MHz channels. Xirrus models that offer 802.11ac support this technology on all IAPs, not just on one.
  • Page 69 • “MU-MIMO (Multi-User Multiple-In Multiple-Out)” on page 45 • “Higher Precision in the Physical Layer” on page 47 • “80 MHz and 160 MHz Channel Widths (Bonding)” on page 48 • “802.11ac Data Rates” on page 49 ...
  • Page 70: Up To Eight Simultaneous Data Streams - Spatial Multiplexing

    Wireless Access Point Up to Eight Simultaneous Data Streams — Spatial Multiplexing Spatial Multiplexing transmits completely separate data streams on different antennas (in the same channel) that are recombined to produce new 802.11ac data rates. Previously used for 802.11n, the maximum number of streams for 802.11ac has been increased to eight.
  • Page 71: Mu-Mimo (Multi-User Multiple-In Multiple-Out)

    802.11a/b/g radios, and degraded performance. In 802.11n and 802.11ac, these signals are used to enhance performance. Figure 19. MIMO Signal Processing. 802.11ac increases the number of antennas and spatial streams from a maximum of four in 802.11n to a maximum of eight, contributing to much higher maximum data rates (up to 6.93Gbit/s).
  • Page 72: Figure 20. Mu-Mimo With Four Antennas

    one is directed to a mobile phone. When a transmission is complete, the antennas are reallocated. Figure 20. MU-MIMO with Four Antennas ...
  • Page 73: Higher Precision In The Physical Layer

    Wireless Access Point Higher Precision in the Physical Layer Wi-Fi utilizes several digital modulation techniques and automatically switches between them to optimize for throughput or range. The basic unit of data transmitted is called a symbol. The number of points in the modulation constellation determines the number of bits of data conveyed with each symbol.
  • Page 74: 80 Mhz And 160 Mhz Channel Widths (Bonding)

    The higher the MCS value, the higher the data rate, as shown in the table below. Xirrus APs support MCS7-MCS9. Higher MCS levels require higher signal-to-noise ratios (i.e., a less noisy environment) and shorter transmission distances.
  • Page 75: 802.11Ac Data Rates

    Wireless Access Point be used: as eight 20 MHz channels; four 40 MHz channels; two 80 MHz channels; or one 160 MHz channel. Xirrus currently supports channels up to 80 MHz wide. UNII-1 UNII-2 Figure 22. Channel Bonding (Channels 36-64 shown) 802.11ac Data Rates...
  • Page 76: Acexpress

    ACExpress intelligently separates clients by type onto different radios, grouping fast clients separately from slow clients, thereby maximizing performance for all. ACExpress is supported on all Xirrus 802.11ac products, and may be enabled or disabled as part of the Load Balancing feature. See...
  • Page 77 Upgrading with 802.11ac radio modules. Xirrus offers modular APs that enable you to evolve the capacity of your Arrays as your needs grow. XI Series 802.11ac Wireless Access Points (APs) are offered in two models: 867 Mbps (2X2 MIMO) or 1300 Mbps (3X3 MIMO).
  • Page 78: Failover Planning

    4836 because it now has eight 3x3 IAPs including 802.11ac radios. • Xirrus highly recommends that the upgraded Array have a radio count that matches one of our standard Arrays (e.g., XR-4000 with 4 or 8 radios, XR-2000 with 2 or 4). The Array may have more of one type of radio than another.
  • Page 79 In addition, the AP has full failover protection between the bonded-pair Gigabit ports (see following table). Bridges Bridges Fails Over Interface IP address Data? Management Traffic? Gigabit port Bonded DHCP or static port Bonded Bonded Same Gigabit port port The Wireless AP Gigabit Ethernet ports actually support a number of modes: ...
  • Page 80: Switch Failover Protection

    Switch Failover Protection To ensure that service is continued in the event of a switch failure, you can connect APs having multiple Gigabit ports to more than one Ethernet switch (not a hub). Figure 25.
  • Page 81: Power Planning

    All AP models support Power over Ethernet (POE) with an integrated splitter. Power over Ethernet To deliver power to the AP, you must use Xirrus-supplied Power over Ethernet (POE) modules or powered switches that are compatible with your AP. They provide power over Cat 5e or Cat 6 cables to the AP without running power cables —...
  • Page 82: Security Planning

    TTLS, EAP-PEAP, and EAP-LEAP Passthrough). Administrators may also be authenticated via RADIUS when preferred, or to meet particular security standards. • Xirrus Internal RADIUS server Recommended for smaller numbers of users (about 100 or less). Supports EAP-PEAP only ...
  • Page 83: Meeting Pci Dss Standards

    • Pre-Shared Key Uses a pass-phrase or key that is manually distributed to all authorized users. The same passphrase is given to client devices and entered into each AP. • MAC Access Control Lists (ACLs) MAC access control lists provide a list of client adapter MAC addresses that are allowed or denied access to the wireless network, and can be used in addition to any of the above authentication methods.
  • Page 84: Port Requirements

    Wireless Access Point Port Requirements A number of ports are used by various AP features and by the Xirrus Management System (XMS). The Port Requirements table on page 59 lists ports and the features that require them (XMS port requirements are included in the table for your convenience).
  • Page 85 1645) RADIUS Accounting 1813, 1646 RADIUS Accounting (some servers still use Server 1646) 2055 udp Netflow Client 5000 tcp Virtual Tunnel VTUN Server 22610 udp Xirrus Roaming 22612 udp Xircon (Console Utility) Admin Workstation Installing the Wireless AP...
  • Page 86 Wireless Access Point Port Application Peer Configurable icmp Ping 22 tcp 25 tcp SMTP Mail Server 123 udp NTP Server 161 udp SNMP Via XMS 162 udp SNMP Traphost 1 config file 443 tcp HTTPS Via XMS 514 udp Resident Syslog server Internal* config file 1099 tcp...
  • Page 87 Wireless Access Point See Also Management Control External Radius Services VLAN Management Installing the Wireless AP...
  • Page 88: Network Management Planning

    XMS-Cloud provides zero-touch provisioning and ongoing management. XMS is hosted on a dedicated Xirrus appliance or your own server. XMS manages large Wireless AP deployments from a centralized Web-based interface and offers the following features: • Globally manage large numbers of APs ...
  • Page 89: Wds Planning

    WDS Planning WDS (Wireless Distribution System) creates wireless backhaul connections between APs, allowing your wireless network to be expanded using multiple APs without the need for a wired backbone to link them (see Figure 27). WDS features include: ...
  • Page 90: Figure 28. A Multiple Hop Wds Connection

    Figure 28. A Multiple Hop WDS Connection • Multiple WDS links can provide link redundancy (failover capability - see Figure 29). A network protocol (Spanning Tree Protocol — STP) prevents APs from forming network loops. Figure 29. WDS Failover Protection ...
  • Page 91 WDS links have a Host/Client relationship similar to the usual IAP/station pattern for APs: • A WDS Client Link associates/authenticates to a host (target) AP in the same way that stations associate to IAPs. The client side of the link must be configured with the root MAC address of the target (host) AP.
  • Page 92: Common Deployment Options

    Wireless Access Point Common Deployment Options The following table lists some typical and recommended deployment options for a number of the features that have been discussed in this chapter. Number of Wireless APs Function One or Two Three or More Power Power over Ethernet Power over Ethernet...
  • Page 93: Installation Workflow

    Wireless Access Point Installation Workflow This workflow illustrates the steps that are required to install and configure the AP successfully. Review this flowchart before attempting to install the unit on a customer’s network. Cloud XMS customers will skip the last two steps. Determine the number of Arrays needed Choose the location(s) for your Wireless Arrays Run Ethernet cables for PoGE...
  • Page 94 Wireless Access Point Failover Planning Installation Prerequisites Planning Your Installation Power Planning Wireless Access Point Product Overview Security Planning Installing the Wireless AP...
  • Page 95: Installing Your Wireless Ap

    Wireless Access Point Installing Your Wireless AP This section provides information about the physical installation of your Xirrus Wireless AP. For complete instructions, please see the Installation Guide for your model of AP or Access Point. Choosing a Location Based on coverage, capacity and deployment examples previously discussed, choose a location for the AP that will provide the best results for your needs.
  • Page 96 Once you have determined the best location for your Wireless AP, you must run cables to the location for the following services: Power No separate power cable is required to the AP—Xirrus wireless APs use POE (Power over Ethernet). See the Installation Guide for your AP model for compatible power injectors or switches.
  • Page 97 Wireless Access Point Important Note About Network Connections The AP’s Ethernet ports should be plugged into an Ethernet switch, not an Ethernet hub — if a hub is used, we recommend that you connect only one Ethernet port. See Also Failover Planning Installation Prerequisites Installation Workflow...
  • Page 98: Mounting And Connecting The Ap

    Wireless Access Point Mounting and Connecting the AP A detailed Installation Guide is available at support.xirrus.com that describes mounting your AP. Please follow the provided instructions carefully. Data and power connections to the AP are also detailed in the Installation Guide. Please follow the cabling and connection instructions carefully.
  • Page 99: Ap Led Operating Sequences

    Wireless Access Point AP LED Operating Sequences Use the following tables to review the operating sequences of the AP’s LEDs.  “LED Boot Sequence” on page 73  “LED Operation when AP is Running” on page 74 LED Boot Sequence The normal boot LED sequence is as follows: AP Activity Status LED...
  • Page 100: Led Operation When Ap Is Running

    Wireless Access Point LED Operation when AP is Running The normal LED operation when the AP is running is shown in the table below. Note that behavior may be modified using “LED Settings” on page 378 or via the LED Status Reason IAP LED is OFF IAP is down...
  • Page 101: Zero-Touch Provisioning And Ongoing Management

    Zero-Touch Provisioning and Ongoing Management Most customers employ the Xirrus Management System (XMS) for the initial setup and continuing management of Xirrus devices. XMS users can readily set up their new devices for zero touch provisioning and ongoing maintenance via the following platforms.
  • Page 102: If You Are Not Using Xms

    AP. Note that every unlicensed AP with Internet connectivity obtains its license by contacting Xirrus. You have the option of whether or not to use Mobilize to update your software image and download initial configuration.
  • Page 103: Ap Management Interfaces

    AP Management Interfaces User Interfaces With zero-touch setup provided by XMS and Mobilize, your Xirrus network is ready for use a few minutes after deployment. We recommend that you use the XMS for ongoing monitoring and fine-tuning of the network.
  • Page 104: Using The Serial Port

    Wireless Access Point Serial (Console) Gigabit PoE (gig1) Gigabit 2 (gig2) Figure 36. Network Interface Ports—XR-4000 Series Serial (Console) Gigabit PoE1 (gig1) Gigabit PoE2 (gig2) Gigabit 3 (gig3) Gigabit 4 (gig4) Figure 37. Network Interface Ports—XR-6000 Series  The Xircon utility may also be used to communicate with APs locally as an alternative to using a serial connection to the console.
  • Page 105: Using The Ethernet Ports To Access The Ap

    Otherwise, examine the DHCP tables on the server and find the addresses assigned to the AP (Xirrus MAC addresses begin with 00:0F:7D or 50:60:28 and are found on the AP label and shipping container).
  • Page 106: Starting The Wmi

    Powering Up the Wireless AP Licensing When a newly deployed AP boots up, it automatically contacts Xirrus with its serial number and MAC address and obtains its license key, software image, and initial configuration from XMS or Mobilize. Any unlicensed AP running ArrayOS release 6.5 or above will update in this way after it boots up, if it has Internet...
  • Page 107: Performing The Express Setup Procedure

    Wireless Access Point If you need to enter the license manually, use the following procedure. It describes entering the license key using the WMI. If you are using the XMS, you may use it to manage and upgrade large numbers of licenses for the wireless network. This procedure assumes that you have pointed a browser to the AP to start WMI, and that you have logged in with the default username and password above.
  • Page 108: Securing Low Level Access To The Ap

    Wireless Access Point Securing Low Level Access to the AP Most local management of the Xirrus AP is done via the WMI or CLI—see “The Command Line Interface” on page 433. The AP also has a lower level interface: XBL (Xirrus Boot Loader), which allows access to more primitive commands. You won’t normally use XBL unless instructed to do so by Xirrus Customer Support.
  • Page 109 CLI/WMI! In this situation, there is no way to recover from a lost password, other than returning the AP to Xirrus. If you have Xircon access to XBL enabled, you can reset the password, but this recovery will require setting the unit to factory defaults with loss of all configuration data.
  • Page 110 Wireless Access Point If Xircon access at the XBL level is to be allowed, use the following three commands to change the XBL username and password from the default values of admin/admin. In the example below, replace newusername and newpassword with your desired entries. Note that these entries are case-sensitive.
  • Page 111: The Web Management Interface

    Applying Configuration Changes Managing APs Locally or Using XMS For Xirrus deployments of any size, we recommend that you use XMS to manage the network rather than directly managing each AP individually. You may change settings directly on the AP—but be aware that XMS may not sync up with these changes for up to 24 hours.
  • Page 112: An Overview

    Wireless Access Point An Overview The WMI is an easy-to-use graphical interface to your Wireless AP. It allows you to configure the product to suit your individual requirements and ensure that the unit functions efficiently and effectively. Figure 38. Web Management Interface The Web Management Interface...
  • Page 113: Structure Of The Wmi

    Wireless Access Point Structure of the WMI The content of the WMI is organized by function and hierarchy, shown in the following table. Click on any item below to jump to the referenced destination. Status Windows Statistics Windows Access Point Status Windows IAP Statistics Summary Per-IAP Statistics Access Point Summary...
  • Page 114 Wireless Access Point Configuration Windows Configuration Windows (cont’d) Express Setup Groups Network Group Management IAPs Interfaces Bonds and Bridging IAP Settings DNS Settings Global Settings Cisco Discovery Protocol Global Settings .11an (CDP) Settings Global Settings .11bgn Services Global Settings .11n Global Settings .11u Time Settings (NTP) Global Settings .11ac...
  • Page 115: User Interface

    Wireless Access Point User Interface Left frame Right frame Utilities Help Log Message counters Command log Utilities Figure 39. WMI: Frames The WMI has been designed with simplicity in mind, making navigation quick and easy. In the following example, you’ll see that windows are divided into left and right frames.
  • Page 116: Figure 40. Wmi Header

    Wireless Access Point showing a summary of its current configuration, as well as to show links for all of its associated WMI pages.  Three Log Messages counters are located at the bottom of the menu. They provide a running total of messages generated by the ArrayOS Syslog subsystem during your session —...
  • Page 117: Figure 41. Wmi Command Log

    Figure 42. WMI: Utility Buttons  Click the Feedback button to generate a Web page that allows you to submit your comments to Xirrus, Inc.  Click the Print button to open a print dialog to send a copy of the active window to your local printer.
  • Page 118: Logging In

     Some pages or individual settings are only available if the AP’s license includes appropriate Xirrus Advanced Feature Sets. If a setting is unavailable (grayed out), then your license does not support the feature. See “About Licensing and Upgrades” on page 410.
  • Page 119: Applying Configuration Changes

    Wireless Access Point Applying Configuration Changes In most of the WMI configuration windows, your changes to settings are applied to the AP as you make them. In most cases, there is no separate Apply button to click to make the changes take effect. There are a few exceptions to this rule. In these cases, a particular section of a page may have its own Apply Settings button right below the settings.
  • Page 120 Wireless Access Point The Web Management Interface...
  • Page 121: Viewing Status On The Wireless Ap

    Wireless Access Point Viewing Status on the Wireless AP These windows provide status information and statistics for your AP using the product’s embedded Web Management Interface (WMI). You cannot make configuration changes to your AP from these windows. The following topics have been organized into functional areas that reflect the flow and content of the Status...
  • Page 122: Access Point Status Windows

    Wireless Access Point Access Point Status Windows The following AP Status windows are available:  Access Point Summary — displays information on the configuration of all AP interfaces, including IAPs.  Access Point Information — provides version/serial number information for all AP components. ...
  • Page 123: Content Of The Access Point Summary Window

    Wireless Access Point Content of the Access Point Summary Window The Access Point Summary window is sub-divided into the Ethernet Interfaces section and the Integrated Access Point (radio) section, providing you with the following information:  Ethernet Settings Summary This section provides information about network interface devices. To make configuration changes to these devices, go to “Interfaces”...
  • Page 124 Wireless Access Point  Bond Settings Summary This section provides information about the relationship that has been selected for the Gigabit ports. For detailed explanations and to make configuration changes, see “Bonds and Bridging” on page 173. • Bond: Lists all network bonds that have been configured. •...
  • Page 125: Figure 45. Disabled Iap (Partial View)

    Wireless Access Point Figure 45. Disabled IAP (Partial View) • Channel: Shows which channel each IAP is using, and the channel setting. To avoid co-channel interference, adjacent radios should not be using adjacent channels. To make channel selections for a specific IAP, go to “IAP Settings”...
  • Page 126: Figure 47. Network Assurance And Operating Status

    Wireless Access Point • Rx Threshold: Shows the receive threshold for each IAP. • Stations: Informs you how many client stations are currently associated with each IAP. • WDS Link/Distance: The WDS Link on this radio (if any), and whether the link has been set to support Long Distance Links.
  • Page 127 Wireless Access Point Notice that the Compass Heading field will only show a value if the AP model is one that includes a built-in compass. In order for this reading to be correct, the AP must be mounted with iap1 facing north. If the AP does not have an integrated compass, this field will just show a dash.
  • Page 128: Access Point Information

    Wireless Access Point Access Point Information This is a status only window that shows you the current firmware versions utilized by the AP, serial numbers assigned to each module, MAC addresses, licensing information, and recent boot timestamps. It will also show current internal temperatures, fan speed, and compass heading if the AP model supports these features.
  • Page 129: Access Point Configuration

    Wireless Access Point Access Point Configuration This is a status only window that allows you to display the configuration settings assigned to the AP, based on the following filter options:  Running — displays the current configuration (the one running now). ...
  • Page 130: Admin History

    Wireless Access Point Admin History It is useful to know who else is currently logged in to an AP while you're configuring it, or who has logged in since the AP booted. This status-only window shows you all administrator logins to the AP that have occurred since the last reboot.
  • Page 131: Network

    Wireless Access Point Network Assurance — shows results of connectivity tests for network servers. Undefined VLANs — shows VLANs present on an 802.1Q connection to the AP that are not configured in the AP's VLAN list. Network This window provides a snapshot of the configuration settings currently established for AP’s wired interfaces.
  • Page 132: Network Map

    Wireless Access Point Network Map This window offers detailed information about this AP and all neighboring APs, including how the APs have been set up within your network. Figure 52. Network Map The Network Map has a number of options at the top of the page that allow you to customize your output by selecting from a variety of information that may be displayed.
  • Page 133 In Range: Informs you whether the AP is within wireless range of another Wireless AP.  Fast Roam: Informs you whether or not the Xirrus fast roaming feature is enabled. This feature utilizes the Xirrus Roaming Protocol (XRP) ensuring fast and seamless roaming capabilities between IAPs or APs at both Layer 2 and Layer 3.
  • Page 134 Wireless Access Point  SCD Firmware: The software version number of the SCD firmware on each AP. IAP Info (enabled by default)  Enable/disable display of the IAP/Up columns. Stations  Stations: Tells you how many stations are currently associated to each AP.
  • Page 135: Spanning Tree Status

    Wireless Access Point Spanning Tree Status Multiple active paths between stations can cause loops in the network. If a loop exists in the network topology, the potential exists for the duplication of messages. The spanning tree protocol is a link management protocol that provides path redundancy while preventing undesirable loops.
  • Page 136: Routing Table

    Wireless Access Point Routing Table This status-only window lists the entries in the AP’s routing table. The table provides the AP with instructions for sending each packet to its next hop on its route across the network. Figure 54. Routing Table See Also VLANs Configuring VLANs on an Open SSID...
  • Page 137: Dhcp Leases

    Wireless Access Point DHCP Leases This status-only window lists the IP addresses (leases) that the AP has allocated to client stations. For each, it shows the IP address assigned from one of the defined DHCP pools, and the MAC address and host name of the client station. The start and end time of the lease show how long the allocation is valid.
  • Page 138: Cdp List

    Wireless Access Point You may sort the rows based on any column that has an active column header, indicated when the mouse pointer changes to the hand icon. Click Refresh to update the information at any time. Click Auto Refresh to instruct the AP to refresh this window automatically.
  • Page 139: Lldp List

    Wireless Access Point LLDP List This status-only window lists devices on the AP’s network that support the Link Layer Discovery Protocol (LLDP). Figure 59. LLDP List The AP performs discovery on the network on an ongoing basis. This list shows the devices that have been discovered —...
  • Page 140: Undefined Vlans

    Wireless Access Point Network assurance must be enabled on the AP in order to perform these connectivity tests and display this information. See “Management Control” on page 237. See Also Management Control Undefined VLANs This status-only window lists VLANs that are detected on the AP’s trunk ports (i.e., wired ports), but have not been configured on the AP.
  • Page 141: Rf Monitor Windows

    Wireless Access Point RF Monitor Windows Every Wireless AP includes an integrated RF spectrum analyzer as a standard feature. The spectrum analyzer allows you to characterize the RF environment by monitoring throughput, signal, noise, errors, and interference levels continually per channel. This capability uses the assigned threat-sensor (monitor) radio. The associated software is part of the ArrayOS.
  • Page 142: Iap Monitoring

    Wireless Access Point IAP Monitoring The RF Monitor — IAP Monitoring window displays traffic statistics and RF readings observed by each AP IAP (radio). Note that the data is an instantaneous snapshot for the IAP — it is not an average or a cumulative total. To graph these values over time for a particular channel, see “Channel History”...
  • Page 143: Spectrum Analyzer

    Wireless Access Point Spectrum Analyzer  The RF measurements for this feature are obtained by the monitor radio. You must have a radio set to monitor mode for any data to be available. See “IAP Settings” on page 312.  Spectrum Analysis is not available for APs or Access Points featuring 802.11ac IAPs.
  • Page 144: Figure 64. Rf Spectrum Analyzer

    Wireless Access Point Select Display Options Click Channel number to highlight Figure 64. RF Spectrum Analyzer The Spectrum Analyzer offers several display options:  To display horizontal bar graphs, click the Rotate checkbox at the bottom of the data window. ...
  • Page 145 Wireless Access Point  At the bottom left of the frame, you may select whether to display only 2.4 GHz channels, 5 GHz channels, or both (the default is both). Note that the data is an instantaneous snapshot — it is not an average or a cumulative total.
  • Page 146: Rogues

    Wireless Access Point no data rate information was available for the interval. A higher data rate (above 6 Mbps) typically indicates user data traffic on the channel. Otherwise, the data rate reflects control packets at the lower basic rates. Rogues This window displays all detected access points, according to the classifications you select from the checkboxes at the top —...
  • Page 147 Wireless Access Point You can refresh the list at any time by clicking on the Refresh button, or click in the Auto Refresh check box to instruct the AP to refresh the list automatically. See Also Network Map Rogue Control List SSIDs SSID Management Viewing Status on the Wireless AP...
  • Page 148: Channel History

    Wireless Access Point Channel History  Channel History is not available for APs or Access Points featuring 802.11ac IAPs. The RF Monitor — Channel History window focuses on traffic statistics and RF readings observed for just one channel that you select in the Channel field. A new set of readings is added every 10 seconds for a 5 GHz channel, or every 5 seconds for a 2.4 GHz channel.
  • Page 149: Figure 67. Rf Monitor - Channel History (Rotated)

    Wireless Access Point Figure 67. RF Monitor — Channel History (Rotated) If you select Rotate and Text together, data is presented as a numerical table. (Figure Click Pause to stop collecting data, or Resume to continue. Figure 68. RF Monitor — Channel History (Text) Viewing Status on the Wireless AP...
  • Page 150: Radio Assurance

    Wireless Access Point Radio Assurance When Radio Assurance mode is enabled, the monitor radio performs loopback tests on the AP’s radios. When problems are encountered, the AP can take various actions to correct them by performing different levels of reset on the affected radio.
  • Page 151 Wireless Access Point See Also IAPs Xirrus Advanced RF Analysis Manager (RAM) RF Resilience Radio Assurance Viewing Status on the Wireless AP...
  • Page 152: Station Status Windows

    Wireless Access Point Station Status Windows The following Station Status windows are available:  Stations — this list describes all stations associated to the AP.  Location Map — displays a map showing the approximate locations of all stations associated to the AP. ...
  • Page 153: Stations

    Wireless Access Point Stations This window shows client stations currently visible to the AP. You may choose to view only stations that have Associated to the AP, or include stations that are Unassociated by selecting the appropriate buttons above the list. The list always shows the MAC address of each station, its IP address, the SSID used for the association, the Group...
  • Page 154 Wireless Access Point You may sort the rows based on any column that has an active column header. Click again to reverse the sort order. You may select one or more specific stations and perform one of the following actions by clicking the associated button: ...
  • Page 155: Location Map

    Wireless Access Point Location Map The Location Map shows the approximate locations of stations relative to this AP. The location of each station is computed based on the RSSI of its signal as received by the AP. The distance is adjusted based on the environment setting that you selected.
  • Page 156: Figure 72. Controls For Location Map

    Wireless Access Point completely obscure another. You may minimize a station that is not of interest by clicking it. There is also a Minimize All button. You may replace the range-finder background image above with your own custom image of the floor plan of the area served by the AP — see “Working with the Custom Image”...
  • Page 157 Wireless Access Point  Display Associated/Unassociated: Select whether to display stations that are associated to the AP, stations that are not associated, or both.  Display 2.4 GHz/5 GHz: Select whether to display 802.11bgn stations, or 802.11an stations, or both. ...
  • Page 158: Rssi

    Wireless Access Point construction), or Indoor dense (many walls or obstructions, or unusually dense walls).  Scale: This view-only value shows the approximate distance represented by each hash mark on the default map background.  Associated, Unassociated, Total Stations: These view-only values show the station counts observed by the AP.
  • Page 159: Figure 74. Station Rssi Values - Colorized Graphical View

    Wireless Access Point is shown on a representation of the AP, either colorized or numerically based on your selection. (Figure 74) The stations are listed to the left of the AP — click on a station to show its RSSI values on the AP. Figure 74.
  • Page 160: Signal-To-Noise Ratio (Snr)

    Wireless Access Point Signal-to-Noise Ratio (SNR) For each station that is associated to the AP, the Signal-to-Noise Ratio (SNR) window shows the station’s SNR value as measured by each IAP. In other words, the window shows the SNR of the station’s signal at each IAP. The signal-to-noise ratio can be very useful for determining the cause of poor performance at a station.
  • Page 161: Noise Floor

    Wireless Access Point the hand icon. Click on the Refresh button to refresh the station list, or click in the Auto Refresh check box to instruct the AP to refresh this window automatically. See Also Station Status Windows RF Monitor Windows Noise Floor For each station that is associated to the AP, the Noise Floor window shows the ambient noise affecting a station’s signal as measured by each IAP.
  • Page 162: Figure 78. Station Noise Floor Values - Colorized Graphical View

    Wireless Access Point Figure 78. Station Noise Floor Values — Colorized Graphical View In either graphical or tabular view, you may sort the rows based on any column that has an active column header, indicated when the mouse pointer changes to the hand icon.
  • Page 163: Max By Iap

    Wireless Access Point Max by IAP This status-only window shows the maximum number of client stations that have historically been associated to the AP. For each IAP, the list shows the IAP’s state and channel number, the current number of stations associated, and the highest number of stations that have been associated over various periods of time: hour, day, week, month, and year.
  • Page 164: Station Assurance

    Wireless Access Point Station Assurance Station assurance monitors the quality of the connections that users are experiencing on the wireless network. This window shows client stations that have had connectivity issues. You may enable or disable the station assurance feature and set thresholds for the problems that it checks, such as excessive packet retry or packet error rates, or stations that are unable to stay associated to the AP.
  • Page 165: Statistics Windows

    Wireless Access Point Statistics Windows The following AP Statistics windows are available:  IAP Statistics Summary — provides an overview of the statistical data associated with all IAPs. Expands to show links for displaying detailed statistics for individual IAPs.  Per-IAP Statistics —...
  • Page 166: Per-Iap Statistics

    Wireless Access Point clicking on the appropriate button. You can also click in the Auto Refresh check box to instruct the AP to refresh this window automatically. See Also System Log Window Global Settings Global Settings .11an Global Settings .11bgn IAPs Per-IAP Statistics This is a status only window that provides detailed statistics for the selected IAP.
  • Page 167: Figure 82. Individual Iap Statistics Page

    Wireless Access Point Figure 82. Individual IAP Statistics Page You can Refresh the data (update the window with the latest information) or Clear the data (reset all content to zero and begin counting again) at any time by clicking on the appropriate button. You can also click in the Auto Refresh check box to instruct the AP to refresh this window automatically.
  • Page 168: Network Statistics

    Wireless Access Point Network Statistics This is a status only window that allows you to review statistical data associated with each network (Ethernet) interface and its activity. You can Refresh the data (update the window with the latest information) or Clear the data (reset all content to zero and begin counting again) at any time by clicking on the appropriate button.
  • Page 169: Vlan Statistics

    Wireless Access Point VLAN Statistics This is a status only window that allows you to review statistical data associated with your assigned VLANs. You can refresh the information that is displayed on this page at any time by clicking on the Refresh button, or select the Auto Refresh option for this window to refresh automatically.
  • Page 170: Wds Statistics

    Wireless Access Point WDS Statistics The main WDS Statistics window provides statistical data for all WDS client and host links. To access data about a specific WDS client or host link, simply click on the desired link in the left frame to access the appropriate window. You may also choose to view a sum of the statistics for all client links, all host links, or all links (both client and host links).
  • Page 171: Ids Statistics

    Wireless Access Point IDS Statistics The Xirrus AP employs a number of IDS/IPS (Intrusion Detection System/Intrusion Prevention System) strategies to detect and prevent malicious attacks on the wireless network. This status-only window provides detailed intrusion detection statistics for the selected IAP.
  • Page 172: Figure 87. Filtered Ids Statistics

    Wireless Access Point Contains 1 will show entries for iap1, iap10, iap11, and iap12. Click the Reset button to return to showing all entries. Figure 87. Filtered IDS Statistics Many of the column headers may be clicked to sort the entries in ascending or descending order based on that column.
  • Page 173: Filter Statistics

    Wireless Access Point Filter Statistics The Filter Statistics window provides statistical data for all configured filters. The name, state (enabled — on or off), and type (allow or deny) of each filter is shown. For enabled filters, this window shows the number of packets and bytes that met the filter criteria.
  • Page 174 Wireless Access Point Click on a column header to sort the rows based on that column. You can Refresh the data (update the window with the latest information) at any time by clicking the refresh button. You can also click in the Auto Refresh check box to instruct the AP to refresh this window automatically.
  • Page 175: Per-Station Statistics

    Wireless Access Point Per-Station Statistics This window provides detailed statistics for the selected station. This window is accessed from the Station Statistics window — click the MAC address of the desired entry in the Station column to display its Per-Station Statistics window. Receive and Transmit statistics are listed by Rate —...
  • Page 176: Application Control Windows

    Wireless Access Point Application Control Windows  This feature is only available if the AP license includes Application Control. See “About Licensing and Upgrades” on page 410. The Application Control feature provides real-time visibility of application usage by users across the wireless network. Network usage has changed enormously in the last few years, with the increase in smart phone and tablet usage stressing networks.
  • Page 177 Usage may be tracked by AP, VLAN, or station. Many hundreds of applications are recognized and grouped into a number of categories. The distributed architecture of Xirrus APs allows Application Control to scale naturally as you grow the network. About Risk and Productivity Application Control ranks applications in terms of their levels of risk and productivity.
  • Page 178: Application Control

    Wireless Access Point Application Control This display-only window provides a snapshot of the application usage on your AP. In order to view the Application Control window, the AP must have a license that supports this feature, and you must have enabled the Application Control option on the Filter Lists page (see “Filter Lists”...
  • Page 179 AP Management Traffic: Check this box if you wish to analyze management traffic on this AP, including the load due to functions such as Xirrus Roaming. Tracking traffic into the AP on the management side can alert you to nefarious activity—and even to traffic on the wired network that would best be blocked before it hits the AP.
  • Page 180: Figure 92. Application Control (Pie Charts)

    Wireless Access Point  By Category: Check this box if you wish to analyze and list traffic by the types of applications in use, such as Games or Collaboration.  Auto Refresh instructs the AP to periodically refresh this window automatically.
  • Page 181: Figure 93. Application Control (Station Traffic)

    Wireless Access Point Traffic Tables Figure 93. Application Control (Station Traffic) These tables provide detailed information about how your wireless bandwidth is being used. There are tables for Station Traffic and/or AP Management Traffic, depending on which checkboxes you selected. Similarly, there are tables for By Application and/or By Category, depending on your selections.
  • Page 182: Stations (Application Control)

    Wireless Access Point When you find risky or unproductive applications consuming bandwidth on the network, you can easily create Filters to control them. See “Filter Management” on page 393. You may use filters to:  Block problematic traffic, such as BitTorrent or Y8. ...
  • Page 183: System Log Window

    Wireless Access Point System Log Window This is a status only window that allows you to review the system log, where system alerts and messages are displayed. Although there are no configuration options available in this window, you do have the usual choice of deciding how the event messages are sorted by clicking in the column header for the desired field (Time Stamp, Priority, or Message).
  • Page 184: Ids Event Log Window

    Wireless Access Point IDS Event Log Window This status only window displays the Intrusion Detection System (IDS) Event log, listing any detected attacks on your network. For descriptions of the types of attacks detected, as well as the settings to fine-tune IDS on the AP, please see “Intrusion Detection”...
  • Page 185

    • Period — the length of the window used to determine whether the count of this type of event exceeded the threshold.
    • Current — the count of this type of event for the current period.
    • Average —...
  • Page 186 Wireless Access Point Viewing Status on the Wireless AP...
  • Page 187: Configuring The Wireless Ap

    Configuring the Wireless AP
    If you are a customer using XMS-9000-CL-x, then APs are managed via the Cloud, and local AP management interfaces are inaccessible. The following topics include procedures for configuring the AP using the product’s embedded Web Management Interface (WMI).
  • Page 188 If you have added modular IAPs to your AP, note that its model number will be automatically adjusted to reflect the count and types of IAPs currently installed. See Upgrading with 802.11ac radio modules. This chapter only covers using the configuration windows on the AP. To view status or use system tools on the AP, please see: ...
  • Page 189: Express Setup

    Wireless Access Point Express Setup Initial AP configuration via XMS sets items such as SSIDs and security, as described in “Zero-Touch Provisioning and Ongoing Management” on page This page allows you to see many of these values, or change them locally. Figure 97.
  • Page 190 Procedure for Performing an Express Setup License Key: An unlicensed AP will automatically contact Xirrus to obtain its license, if it has Internet connectivity. If you need to enter a license manually, enter it here. The factory installed license key is listed here.
  • Page 191 SSID Name is a unique name that identifies a wireless network. The default SSID is xirrus. Entering a value in this field will replace this default SSID with the new name. For additional information about SSIDs, go to the...
  • Page 192 Wireless Access Point • WEP (Wired Equivalent Privacy) — An optional IEEE 802.11 function that offers frame transmission privacy similar to a wired network. WEP generates secret shared encryption keys that both source and destination stations can use to alter frame bits to avoid disclosure to eavesdroppers.
  • Page 193 Wireless Access Point Admin Settings: This section allows you to change the default admin username, password, and privileges for the AP. You may change the password and leave the user name as is, but we suggest that you change both to improve AP security. New Admin User (Replaces user “admin”): Enter the name of a new administrator user account.
  • Page 194: Figure 98. Leds Are Switched On

    to your deployment, select it and click Apply. For example, the High-Density option uses best practices to configure the AP for high density settings such as lecture halls, convention centers, stadiums, etc. IAP Settings: Figure 98. LEDs are Switched On LED on Enable/Configure All IAPs: Click on the Execute button to enable and auto configure all IAPs (a message displays the countdown time —...
  • Page 195: Network

    Wireless Access Point Network This is a status-only window that provides a snapshot of the configuration settings currently established for the Ethernet interfaces. DNS Settings and other settings are summarized as well. You must go to the appropriate configuration window to make changes to any of the settings displayed here (configuration changes cannot be made from this window).
  • Page 196: Interfaces

    Network Status Windows Spanning Tree Status Network Statistics Interfaces XR-500, XR-1000, and some XR-2000 Series APs have one Gigabit Ethernet interface, while XR-600, XR-4000 and some XR-2000 Series APs have two, and XR-6000 Series models have four. This window allows you to establish configuration settings for these interfaces.
  • Page 197: Network Interface Ports

    Wireless Access Point Network Interface Ports For the location of network interface ports on an AP, see the illustrations in “User Interfaces” on page Procedure for Configuring the Network Interfaces Configure the Gigabit network interfaces. The fields for each of these interfaces are the same, and include: Enable Interface: Choose Yes to enable this network interface, or choose No to disable the interface.
  • Page 198 Wireless Access Point Negotiate feature is disabled, you can manually choose Half or Full duplex for your data transmission preference. MTU: The Maximum Transmission Unit size. This is the largest packet size (in bytes) that the interface can pass along. Speed: If the Auto-Negotiate feature is disabled, you must manually choose the data transmission speed from the pull-down list.
  • Page 199: Bonds And Bridging

    Wireless Access Point DNS Settings Network Network Statistics Spanning Tree Status Bonds and Bridging On models with more than one Gigabit port these ports may be bonded, i.e. configured to work together in sets. For example, one port may provide active backup or load balancing for another, or other options as described in this section.
  • Page 200: Figure 102. Bridging Traffic

    of duplicating one bond’s traffic to another bond is very useful for troubleshooting with a network analyzer. If a set of Gigabit ports have been bonded, the IP address, IP mask, IP gateway, IP DHCP, and Management settings are shared between bonded ports.
  • Page 201 Traffic received on Gigx is transmitted by Gigy; similarly, traffic received on Gigy is transmitted by Gigx. The AP acts as a wired bridge—this allows APs to be chained and still maintain wired connectivity. Each AP in a chain must have power supplied to its PoE port from a compatible power injector or powered switch port.
  • Page 202: Figure 103. Port Modes (A, B)

    Wireless Access Point may be bonded. You may also include just one single port in a bond—this is useful for mirroring one Gigabit port to another port (Step c on page 178). In APs that have four Gigabit ports, you have the option of bonding three or four ports together.
  • Page 203: Figure 104. Port Modes (C, D)

    Aggregate Traffic from gig ports using 802.3ad — The AP sends network traffic across all member Gigabit ports to increase link speed to the network. These ports act as a single logical interface, using a load balancing algorithm to balance traffic across the ports. For non-IP traffic (such as ARP), the last byte of the destination MAC address is used to do the calculation.
  • Page 204 Wireless Access Point Load balance traffic between gig ports — This option provides trunking, similar to option (b) — Aggregate Traffic from gig1 & gig2 using 802.3ad, but it does not use 802.3ad and it uses a different load balancing algorithm to determine the outgoing Gigabit port. The outgoing port used is based on an exclusive OR of the source and destination MAC address.
  • Page 205: Figure 105. Mirroring Traffic

    Wireless Access Point on Bondx is passed on to the onboard processor as well as out Bondy. All traffic received on Bondy is passed on to the onboard processor as well as out Bondx. This allows a network analyzer to be plugged into Bondy to capture traffic for troubleshooting, while the bonded ports provide network connectivity for data traffic.
  • Page 206: Dns Settings

    DNS Settings This window allows you to establish your DNS (Domain Name System) settings. The AP uses these DNS servers to resolve host names into IP addresses. The AP also registers its own Host Name with these DNS servers, so that others may address the AP using its name rather than its IP address.
  • Page 207: Cisco Discovery Protocol (Cdp) Settings

    Wireless Access Point server that assigns an IP address to the AP, rather than using the DNS Server fields above. You may also configure that DHCP server to assign a host name to the AP. Click the Save button if you wish to make your changes permanent. See Also DHCP Server Network...
  • Page 208: Lldp Settings

    Wireless Access Point CDP Interval: The AP sends out CDP announcements advertising its presence at this interval. The default is 60 seconds. CDP Hold Time: CDP information received from neighbors is retained for this period of time before aging out of the AP’s neighbor list. Thus, if a neighbor stops sending announcements, it will no longer appear on the CDP List window after CDP Hold Time seconds from its last...
  • Page 209 Wireless Access Point Procedure for Configuring LLDP Settings Enable LLDP: When LLDP is enabled, the AP sends out LLDP announcements of the AP’s presence, and gathers LLDP data sent by neighbors. When disabled, it does neither. LLDP is disabled by default. LLDP Interval: The AP sends out LLDP announcements advertising its presence at this interval.
  • Page 210

    • XR-2225/2226 (two 2x2 radios) = 22.5W
    • XR-2235/2236 (two 3x3 radios) = 26.1W
    • XR-2425/2426 (four 2x2 radios) = 30W

    Note that Request Power is not available on the XR-2435/2436. Additionally, it is not available on certain other APs, including these XR Series models: XR-1000, XR-4000, XR-6000, XR-7000.
  • Page 211: Services

    Wireless Access Point Services This is a status-only window that allows you to review the current settings and status for services on the AP, including DHCP, SNMP, Syslog, and Network Time Protocol (NTP) services. For example, for the DHCP server, it shows each DHCP pool name, whether the pool is enabled, the IP address range, the gateway address, lease times, and the DNS domain being used.
  • Page 212: Time Settings (Ntp)

    • “System Log” on page 193
    • “SNMP” on page 197
    • “DHCP Server” on page 200
    • “Proxy Services” on page 202

    Time Settings (NTP) This window allows you to manage the AP’s time settings, including synchronizing the AP’s clock with a universal clock from a Network Time Protocol (NTP) server.
  • Page 213: Figure 111. Time Settings (Ntp Time Enabled)

    Wireless Access Point Auto Adjust Daylight Savings: Check this box to have the system adjust for daylight savings automatically, else leave it unchecked (default). Use Network Time Protocol: Select whether to set time manually or use NTP to manage system time. Setting Time Manually Adjust Time (hrs:min:sec): If you are not using NTP, use this field if you want to adjust the current system time.
  • Page 214: Figure 115. System Log

    Wireless Access Point NTP Primary Authentication: (optional) If you are using authentication with NTP, select the type of key: MD5 or SHA1. Select None if you are not using authentication (this is the default). NTP Primary Authentication Key ID: Enter the key ID, which is a decimal integer.
  • Page 215: Netflow

    Wireless Access Point NetFlow This window allows you to enable or disable the sending of NetFlow information to a designated collector. NetFlow is a proprietary but open network protocol developed by Cisco Systems for collecting IP traffic information. When NetFlow is enabled, the AP will send IP flow information (traffic statistics) to the designated collector.
  • Page 216: Wi-Fi Tag

    Wireless Access Point Wi-Fi Tag This window enables or disables Wi-Fi tag capabilities. When enabled, the AP listens for and collects information about Wi-Fi RFID tags sent on the designated channel. These tags are transmitted by specialized tag devices (for example, AeroScout or Ekahau tags).
  • Page 217: Location

    Wireless Access Point Location The AP offers an integrated capability for capturing and uploading visitor analytics data, eliminating the need to install a standalone sensor network. This data can be used to characterize information such as guest or customer traffic and location, visit duration, and frequency.
  • Page 218 Wireless Access Point Location Server URL: If Location Support is enabled, enter the URL of the location/analytics server. If this URL contains the string euclid, then the AP knows that data is destined for a Euclid location server. For a Euclid analytics server, use the URL that was assigned to you as a customer by Euclid.
  • Page 219: System Log

    An option allows you to use a Splunk application to analyze AP events by sending data in key:value pairs, as described in “About Using Splunk for Xirrus APs” on page 196. Figure 115. System Log Procedure for Configuring Syslog Enable Syslog Server: Choose Yes to enable Syslog functionality, or choose No to disable this feature.
  • Page 220 514, the default port. You may set one of the server addresses to the address of a server for Splunk (see “About Using Splunk for Xirrus APs” on page 196). Email Notification: (Optional) The following parameters allow you to send an email to a designated address each time a Syslog message is generated.
  • Page 221 Key/Value to send data in Splunk’s expected format, otherwise leave this at the default value of Standard. See “About Using Splunk for Xirrus APs” on page 196. Station URL Logging: When enabled, Syslog messages are sent for each URL that each station visits.
  • Page 222: About Using Splunk For Xirrus Aps

    Click the Save button if you wish to make your changes permanent. About Using Splunk for Xirrus APs Splunk may be used to provide visibility into client experience and analyze usage on APs. A Splunk application has been developed to present this operational intelligence at a glance.
  • Page 223: Snmp

    Wireless Access Point See Also System Log Services SNMP Time Settings (NTP) SNMP This window allows you to enable or disable SNMP v2 and SNMP v3 and define the SNMP parameters. SNMP allows remote management of the AP by the XMS and other SNMP management tools.
  • Page 224 Xirrus MIB, available at support.xirrus.com, in the Downloads section (login is required to download the MIB). NOTE: If you are managing your APs with XMS (the Xirrus Management System), it is very important to make sure that your SNMP settings match those that you have configured for XMS.
  • Page 225 Port number, of an SNMP management station that is to receive SNMP traps. You may specify up to four hosts that are to receive traps. Note that by default, Trap Host 1 sends traps to Xirrus-XMS. Thus, the AP will automatically communicate its presence to XMS (as long as the network is configured correctly to allow this host name to be resolved —...
  • Page 226: Dhcp Server

    Wireless Access Point Send Auth Failure Traps: Click the checkbox to the left of the Enabled label to enable or disable log authentication failure traps. Keepalive Trap Interval (minutes): Traps are sent out at this interval to indicate the presence of the AP on the network. Keepalive traps are required for proper operation with XMS.
  • Page 227 Wireless Access Point DHCP usage is determined in several windows — see SSID Management, Group Management, and VLAN Management. Procedure for Configuring the DHCP Server New Internal DHCP Pool: Enter a name for the new DHCP pool, then click on the Create button. The new pool ID is added to the list of available DHCP pools.
  • Page 228: Proxy Services

    Wireless Access Point DNS Servers (1 to 3): Enter the IP address of the primary DNS server, secondary DNS server and tertiary DNS server. These DNS server addresses will be passed to stations when they associate, along with the assigned IP address. Note that if you leave these blank, no DNS information is sent to the stations.
  • Page 229: About Proxy Forwarding

    Wireless Access Point About Proxy Forwarding Figure 118. Proxy Forwarding Example When you configure proxy forwarding settings on the AP, it forwards each HTTP request to the proxy server (for example, Blue Coat) at the specified URL, which checks if the policies that you have set up on the server are satisfied. If so, the proxy server sends the request on to the desired web site.
  • Page 230: Proxy Forwarding For Https

    Blue Coat policy configuration: The AuthConnector utility is not used with the Xirrus implementation. Traffic must first be passed through the portal to dynamically add the User to Blue Coat’s list of recognized Users, based on the User header inserted in the packets.
  • Page 231: Summary Of Proxy Forwarding Behavior On The Ap

    If proxy forwarding is enabled for Blue Coat or Netbox Blue and the client browser is configured to use a proxy:
    • The browser is configured to proxy HTTPS to www.xirrus.com port 4388.
    • The browser automatically proxies HTTP traffic to the same port that is used for HTTPS traffic—port 4388.
  • Page 232: Figure 119. Set Up A Proxy Server On Each Client (Windows)

    Wireless Access Point Configuring Proxy Forwarding on Clients for HTTPS To set the proxy server on an Apple laptop, skip to Step For Windows laptops, click the desktop Start button. In the Search programs and files field, enter Configure proxy server. The Internet Properties dialog is displayed.
  • Page 233: Figure 120. Specify Proxy Servers (Windows)

    Wireless Access Point valid address or domain name. You must set the Port to 4388. This is very important! This is the AP port that should receive all HTTPS traffic if you are using a proxy server. For HTTP: HTTP traffic will automatically use the same port that you have configured for HTTPS: 4388.
  • Page 234: Figure 121. Set Up A Proxy Server On Each Client (Apple)

    122) Check Secure Web Proxy (HTTPS): Under Secure Web Proxy Server, you can enter any valid address. We suggest that you enter www.xirrus.com. (This field is not actually used, but it must be a valid address or domain name). You must set the Port to 4388. This is very important! This is the AP port that must receive all HTTPS traffic if you are using a proxy server for HTTPS.
  • Page 235: Figure 122. Specify Proxy Servers (Apple)

    Wireless Access Point Check Web Proxy (HTTP): Under Web Proxy Server, we suggest that you enter www.xirrus.com Port 4388 to make it obvious that HTTP traffic is being proxied in this way. Figure 122. Specify Proxy Servers (Apple) SSL Certificate: you must download and install the security certificate from your proxy server—Blue Coat or Netbox Blue.
  • Page 236: About Using A Proxy Client For Management Traffic

    Netbox Blue URL: If you selected Netbox Blue above, enter the actual URL of the proxy server, for example, xirrus.netboxblue.com. Note that this default URL is not an actual proxy server—this prevents you from unintentionally forwarding traffic.
  • Page 237: Figure 124. Proxy Client For Management Traffic

    Wireless Access Point mask of the proxy server. If this server requires authentication, you may enter a user name and password as well.  SOCKS: Other management functions use this form of socket to send traffic. For example, this socket is used by the XMS-Cloud configuration service which communicates with the XMS-Cloud using web sockets.
  • Page 238 Wireless Access Point SOCKS, an FQDN is not allowed—an IP address is required. The default Port settings are standard defaults for these ports. Username/Password: For each proxy client, if the proxy server requires authentication, enter the Username and Password here. SOCKS 4/ SOCKS 5: Select the version of SOCKS in use on your proxy server.
  • Page 239: Vlans

    Wireless Access Point VLANs This is a status-only window that allows you to review the current status of configured VLANs and VLAN Pools. VLANs are virtual LANs used to create broadcast domains. VLAN pools are provided for special situations where clients are to be assigned one of a set of VLANs that are treated as a pool.
  • Page 240: Understanding Virtual Tunnels

    Understanding Virtual Tunnels Xirrus APs support Layer 2 tunneling. This allows an AP to use tunnels to transport traffic for one or more SSID-VLAN pairs onto a single destination network through the Layer 3 core network. Tunnels may be implemented with: ...
  • Page 241: Vlan Pools

    Wireless Access Point Tunnels can be configured to come up on demand but this is a poor choice for wireless, since tunnel setup can take roughly 5-20 seconds and present a problem for authentication. VLAN Pools A VLAN pool is a set of VLANs. Using a pool allows a client associating to an AP to be assigned to one of the VLANs in the pool rather than to a particular VLAN.
  • Page 242: Vlan Management

    Wireless Access Point VLAN Management This window allows you to set up VLANs and VLAN Pools. After creating a new VLAN (added to the list of VLANs), you can modify the configuration parameters of an existing VLAN or delete a selected VLAN. For ArrayOS 6.6 and later releases, you may create up to 64 VLANs (up to 32 on XR-520).
  • Page 243 The Wireless AP supports dynamic VLAN assignments specified by RADIUS policy settings. When RADIUS sends these assignments, the AP dynamically assigns wireless stations to VLANs as requested. VLAN tags on traffic are passed through the AP (i.e., VLAN tags are not stripped).
  • Page 244 Wireless Access Point First, create all of the VLANs that will belong to this pool. See Step 5 below. Click in the field for the new pool to display a list of VLANs. Add the desired VLANs to this pool, one at a time. This field also provides a search feature—type in a string, and a list will display all VLANs whose names contain that string in any position (VLAN names are searched, but not VLAN numbers).
  • Page 245 Wireless Access Point Gateway: If the DHCP option is disabled, enter the IP gateway address for this VLAN association. Tunnel Server: If this VLAN is to be tunneled, enter the IP address or host name of the tunnel server that will perform the tunneling. For more information on virtual tunnels, please see “Understanding Virtual Tunnels”...
  • Page 246: Tunnels

    Tunnels may also be used when providing cellular offload capability. Tunnels may be implemented with:
    • The Xirrus Tunnel Server (XTS)—see the Xirrus Tunnel Server User’s Guide. For an additional discussion, see the Xirrus Tunnel Solutions Application Note in the Xirrus Resource Center.
  • Page 247: Tunnel Management

    Wireless Access Point 802.1q VLAN tags for final Layer 2 processing. The process occurs in reverse for packets traveling in the other direction. One tunnel is able to transport up to 16 VLANs. Tunnel Management This window allows you to create tunnels. Figure 128.
  • Page 248 includes AP BSSID, SSID name, and SSID encryption type. You may use this option here or on the SSID Management page, but not in both places. Information is inserted as a colon-separated text string in the CIRCUIT ID value field in this format: [AP_MAC];[SSID];[ENC]
    • [AP_MAC] length = 17 (aa:bb:cc:dd:ee:ff)
    • [SSID] length = length of SSID name...
  • Page 249: Ssid Assignments

    Wireless Access Point SSID Assignments This window allows you to select the SSIDs to be bridged by each tunnel. Station traffic for SSIDs assigned will be bridged through a tunnel regardless of whether these SSIDs have VLANs defined for them. If there is a VLAN defined for an SSID that is assigned to a tunnel, then station traffic bridged through that tunnel will be tagged accordingly.
  • Page 250: Security

    Wireless Access Point Security This status-only window allows you to review the AP’s security parameters. It includes the assigned network administration accounts, Access Control List (ACL) values, management settings, encryption and authentication protocol settings, and RADIUS configuration settings. There are no configuration options available in this window, but if you are experiencing issues with security, you may want to print this window for your records.
  • Page 251: Understanding Security

    “OAuth 2.0 Management” on page 264 Understanding Security The Xirrus Wireless AP incorporates many configurable security features. After initially installing an AP, always change the default administrator password (the default is admin), and choose a strong replacement password (containing letters,...
  • Page 252 Choosing an encryption method: Wireless data encryption prevents eavesdropping on data being transmitted or received over the airwaves. The AP allows you to establish the following data encryption configuration options:
    • Open — this option offers no data encryption and is not recommended, though you might choose this option if clients are required to use a VPN connection through a secure SSH utility, like PuTTY.
  • Page 253 The encryption mode (WEP, WPA, etc.) is selected in the SSIDs > SSID Management window (see “SSID Management” on page 276). The encryption standard used with WPA or WPA2 (AES or TKIP) is selected in the Security > Global Settings window under WPA Settings (see “Global Settings”...
  • Page 254: Certificates And Connecting Securely To The Wmi

    WMI. The AP ships with a default certificate that is signed by the Xirrus CA. You may choose to use this certificate, or to use a certificate issued by the CA of your choice, as described in the following sections: ...
  • Page 255: Using The Ap's Default Certificate

    Using the AP’s Default Certificate Figure 131. Import Xirrus Certificate Authority The AP’s certificate is signed by a Xirrus CA that is customized for your AP and its current host name. By default, browsers will not trust the AP’s certificate. You may import the Xirrus certificate to instruct the browser to trust the Xirrus CA on all future connections to APs.
  • Page 256: Using An External Certificate Authority

    Wireless Access Point Using an External Certificate Authority If you prefer, you may install a certificate on your AP signed by an outside CA. The AP’s certificate is used for security when stations attempt to associate to an SSID that has Web Page Redirect (captive portal) enabled. In this case, it is preferable for the AP to present a certificate from an external CA that is likely to be trusted by most browsers.
  • Page 257 Wireless Access Point Procedure for Creating or Modifying Network Administrator Accounts Admin ID: Enter the login name for a new network administrator ID. The length of the ID must be between 5 and 50 characters, inclusive. Read/Write: Choose 1:read-write if you want to give this administrator ID full read/write privileges, or choose 0:read-only to restrict this user to read only status.
  • Page 258: Admin Privileges

    Wireless Access Point Admin Privileges This window provides a detailed level of control over the privileges of AP administrators. Administrators may be assigned one of eight Privilege Levels. You may define the privilege level of each major feature (Configuration Section) that may be configured on the AP.
  • Page 259 Admin RADIUS server to define administrator accounts, please see “RADIUS Vendor Specific Attribute (VSA) for Xirrus” on page 530 to set the privilege level for each administrator. Procedure for Configuring Admin Privileges Privilege Level Names (optional): You may assign a Name to each Privilege Level.
  • Page 260: Admin Radius

    Permissions for RADIUS administrator accounts are controlled by the RADIUS Xirrus-Admin-Role attribute. This is a Vendor Specific Attribute (VSA). To define the privileges permitted to an administrator account, set the value of its Xirrus-Admin-Role attribute to the desired Privilege Level Name string, as defined in “Admin Privileges”...
  • Page 261: Figure 134. Admin Radius

    Wireless Access Point Figure 134. Admin RADIUS Procedure for Configuring Admin RADIUS Use this window to enable/disable administrator authentication via RADIUS, and to set up primary and secondary servers to use for authentication of administrators attempting to log in to the AP. Admin RADIUS Settings: Enable Admin RADIUS: Click Yes to enable the use of RADIUS to authenticate administrators logging in to the AP.
  • Page 262 Wireless Access Point Timeout (seconds): Define the maximum idle time (in seconds) before the RADIUS server’s session times out. The default is 600 seconds. Admin RADIUS Primary Server: This is the RADIUS server that you intend to use as your primary server. Host Name / IP Address: Enter the IP address or domain name of this external RADIUS server.
  • Page 263: Management Control

    Wireless Access Point Management Control This window allows you to enable or disable the AP management interfaces and set their inactivity time-outs. The range is 300 (default) to 100,000 seconds. Figure 135. Management Control Procedure for Configuring Management Control Management Settings: Maximum login attempts allowed (1-255): After this number of consecutive failing administrator login attempts via ssh or telnet, the Failed login retry period is enforced.
  • Page 264: Figure 136. Pre-Login Banner

    Wireless Access Point upload a text file. Click Choose File and browse to the file. Click Upload when done. Figure 136. Pre-login Banner Post-login Banner: Text that you enter here will be displayed in a message box after a user logs in to the WMI. If you wish to display more than 256 characters of text, upload a text file.
  • Page 265: Figure 137. Management Transports

    Wireless Access Point Figure 137. Management Transports On/Off: Choose On to enable management of the AP over a Secure Shell (SSH-2) connection, or Off to disable this feature. Be aware that only SSH-2 connections are supported by the AP. SSH clients used for connecting to the AP must be configured to use SSH-2.
  • Page 266 Port: Enter a value in this field to define the port used by Telnet. The default port is 23. Xircon The Xircon utility connects to Xirrus APs that do not have a physical console port, or whose console port is not accessible. Please see “Securing Low Level Access to the AP”...
  • Page 267: Figure 138. Management Modes

    Wireless Access Point Console On/Off: Choose On to enable management of the AP via a serial connection, or choose Off to disable this feature. Connection Timeout 30-100000 (Seconds): Enter a value in this field to define the timeout (in seconds) before your serial connection is disconnected.
  • Page 268 AP, and also if you attempt to save a configuration that is non-compliant. Use this command in conjunction with “The Xirrus AP PCI Compliance Configuration” on page 595 to ensure that you are using the AP in accordance with the...
  • Page 269 PCI DSS requirements. For more information, see “Auditing PCI DSS” on page 593. The pci-audit command checks items such as:
    • Telnet is disabled.
    • Admin RADIUS is enabled (admin login authentication is via RADIUS server).
    • An external Syslog server is in use.
  • Page 270: Figure 139. Https (X.509) Certificate

    Xirrus CA needs to be updated. Delete the current Xirrus CA in the browser. Upgrade the AP to release 6.5 or above and then download the new xirrus-ca.crt file and import it into the browser as a trusted CA, as explained below.
  • Page 271: Figure 140. External Certificate Authority

    CLI), it automatically creates a security certificate for that host name. That certificate uses Xirrus as the signing authority. Thus, in order to avoid having certificate errors on your browser when using WMI: •...
  • Page 272 Upload Signed Certificate: To use a custom certificate signed by an authority other than Xirrus, use the Browse button to locate the certificate file, then click Upload to copy it to the AP. The AP’s web server will be restarted and will pick up the new certificate.
  • Page 273: Access Control List

    Address. Click the Create button to create the certificate signing request. See Step 9 above to use this request. Click the Save button if you wish to make your changes permanent. See Also Interfaces - to enable/disable management over an Ethernet interface Global Settings - to enable/disable management over IAPs Admin Management...
  • Page 274 There is also a per-SSID ACL (see “Per-SSID Access Control List” on page 298). If the same MAC address is listed in both the global ACL and in an SSID’s ACL, and if either ACL would deny that station access to that SSID, then access will be denied.
  • Page 275: Global Settings

    Global Settings This window allows you to establish the security parameters for your wireless network, including WEP, WPA, WPA2 and RADIUS authentication. When finished, click the Save button if you wish to make your changes permanent. For additional information about wireless network security, refer to “Security Planning”...
  • Page 276 • Active Directory defines wireless user accounts on an Active Directory server external to the AP. See “Active Directory” on page 259. WPA Settings These settings are used if the WPA or WPA2 encryption type is selected on the SSIDs > SSID Management window or the Express Setup window (on this window, encryption type is set in the SSID Settings: Wireless Security field).
  • Page 277 WEP Settings These settings are used if the WEP encryption type is selected on the SSIDs > SSID Management window or the Express Setup window (on this window, encryption type is set in the SSID Settings: Wireless Security field). Click the Show Cleartext button to make the text that you type in to the Key fields visible.
  • Page 278 See Also Admin Management External Radius Internal Radius Access Control List Management Control Security Security Planning SSID Management
  • Page 279: External Radius

    External Radius This window allows you to define the parameters of an external RADIUS server for user authentication. To set up an external RADIUS server, you must choose External Radius as the Authentication Server Mode in “Global Settings” on page 249.
  • Page 280: About Creating User Accounts On The Radius Server

    About Creating User Accounts on the RADIUS Server An attribute of user (wireless client) accounts is controlled by RADIUS Vendor Specific Attributes (VSAs) defined by Xirrus. In particular, use the VSA named Xirrus-Admin-Role to set the privilege level for an account. For more information about the RADIUS VSAs used by Xirrus, see “RADIUS Vendor Specific Attribute...
  • Page 281 Settings (RADIUS Dynamic Authorization): Some RADIUS servers have the ability to contact the AP (referred to as an NAS, see below) to terminate a user with a Disconnect Message (DM). Or RADIUS may send a Change-of-Authorization (CoA) Message to the AP to change a user’s privileges due to changing session authorizations.
  • Page 282 SSID to which the client wishes to connect. If your site is using Purple WiFi, you must use Ethernet-MAC, which identifies the AP using its wired network MAC address rather than a particular IAP. See “Web Page Redirect for Purple WiFi Venues” on page 293.
  • Page 283: Internal Radius

    Secondary Shared Secret / Verify Secret: If using a secondary accounting server, enter the shared secret that it will be using, then re-enter the shared secret to verify that you typed it correctly. Click the Save button if you wish to make your changes permanent.
  • Page 284 Clients using PEAP may have difficulty authenticating to the AP using the Internal RADIUS server due to invalid security certificate errors. To prevent this problem, the user may disable the Validate Server Certificate option on the station. Do this by displaying the station’s wireless devices and then displaying the properties of the desired wireless interface.
  • Page 285: Active Directory

    Verify Password: (Optional) Retype the user password to verify that you typed it correctly. If you want to delete one or more users, click their Delete buttons. Click the Save button if you wish to make your changes permanent. See Also Admin Management External Radius...
  • Page 286: Figure 145. Active Directory Server

    Figure 145. Active Directory Server Procedure for Use of an Active Directory Server Choose Active Directory as the Authentication Server Mode in “Global Settings” on page 249 Domain Administrator: Enter the administrator account name for access to the domain controller. The AP will use this (together with the password) to create a machine account on the domain for the AP.
  • Page 287: Figure 146. Finding The Domain Name From Active Directory

    after you have made a change requiring validation (i.e., entering a new hostname or changing an existing entry to a different hostname). If you return to this page at a later time, the checkmark will not be present. Workgroup/Domain: Enter the Pre-Windows 2000 Domain name.
  • Page 288 Tools. The domain controller will give the AP a secret that may be used as a key to fetch information. The secret may be checked with the Check Secret test tool, below. You may click Leave Domain to ask the domain controller to remove the AP from the domain and revoke its secret.
  • Page 289: Rogue Control List

    You may use the “*” character as a wildcard to match any string at this position. For example, 00:0f:7d:* matches any string that starts with 00:0f:7d:. Xirrus APs start with 00:0f:7d: or 50:60:28:. By default, the Rogue Control List contains two entries that match 00:0f:7d:* and 50:60:28:* and apply the classification Known to all Xirrus APs.
  • Page 290: Oauth 2.0 Management

    You may revoke (delete) existing tokens from the list, if desired. Xirrus APs use the OAuth 2.0 standard’s client credential grant model. This allows you to use administrator account credentials to obtain a token to access RESTful API on an individual AP.
  • Page 291: Figure 148. Oauth 2.0 Management - Token List

    Figure 148. OAuth 2.0 Management - Token List Procedure for Obtaining a Token and Accessing RESTful API on the AP Present User Credentials for a Permanent Token A user-developed application must register by presenting the following information to the URL below: https://[AP hostname or IP address]/oauth/authorize ...
  • Page 292 Please see “API Documentation” on page 426 for a description of the features available in the API.
  • Page 293: Ssids

    SSID management parameters, you may want to print this page for your records. For a complete discussion of implementing Voice over Wi-Fi on the AP, see the Voice over Wireless Application Note in the Xirrus Resource Center. Figure 149. SSIDs...
  • Page 294: Understanding Ssids

    The read-only Limits section of the SSIDs window allows you to review any limitations associated with your defined SSIDs. For example, this window shows the current state of an SSID (enabled or not), how much SSID and station traffic is allowed, time on and time off, days on and off, and whether each SSID is currently active or inactive.
  • Page 295: Figure 149. Ssids

    BSS. A group of BSSs can be formed to allow stations in one BSS to communicate to stations in another BSS via a backbone that interconnects each access point. The Extended Service Set (ESS) refers to the group of BSSIDs that are grouped together to form one ESS.
  • Page 296: Understanding Qos Priority On The Wireless Ap

    Understanding QoS Priority on the Wireless AP For a complete discussion of implementing Voice over Wi-Fi on the AP, see the Voice over Wireless Application Note in the Xirrus Resource Center. Figure 150. Four Traffic Classes The Wireless AP’s Quality of Service Priority feature (QoS) allows traffic to be prioritized according to your requirements.
  • Page 297: Figure 151. Priority Level-Ieee 802.1P (Layer 2)

    Figure 151. Priority Level—IEEE 802.1p (Layer 2) IEEE802.1p uses three bits in an Ethernet frame header to define eight priority levels at the MAC level (Layer 2) for wired networks. Each data packet may be tagged with a priority level, i.e., a user priority tag. Since there are eight possible user priority levels and the AP implements four wireless QoS levels, user priorities are mapped to QoS as described below.
  • Page 298 End-to-End QoS Handling Wired QoS - Ethernet Port: • Egress: Outgoing wired packets are IEEE 802.1p tagged at the Ethernet port for upstream traffic, thus enabling QoS at the edge of the network. FROM AP QoS (Wireless) Priority Tag 802.1p (Wired) 1 (Lowest priority) 2 (Default)
  • Page 299 FROM Priority Tag 802.1p (Wired): 7 (Highest priority); AP QoS (Wireless): 3 (Highest priority); Typical Use: Network control. Wireless QoS - Radios: • Each SSID can be assigned a separate QoS priority (i.e., traffic class) from 0 to 3, where 3 is highest priority and 2 is the default. See “SSID Management”...
  • Page 300: High Density 2.4G Enhancement-Honeypot Ssid

    • All other DSCP values are set to QoS level 0 (the lowest level—Best Effort). Packet Filtering QoS classification • Filter rules can be used to redefine the QoS priority level to override defaults. See “Filter Management” on page 393.
  • Page 301 • or it may be dead-ended by defining a specific dead-end VLAN on the honeypot SSID to “trap” stations (see “VLANs” on page 213). Use the honeypot feature carefully as it could interfere with legitimate SSIDs and prevent clients from associating to another available network.
  • Page 302: Ssid Management

    SSID Management This window allows you to manage SSIDs (create, edit, schedule, rename, and delete), assign security parameters and VLANs on a per SSID basis, and configure the Web Page Redirect (WPR captive portal) functionality. Create new SSID Configure WPA...
  • Page 303: Ssid List (Top Of Page)

    Procedure for Managing SSIDs New SSID: To create a new SSID, enter a new SSID name. SSID names are case sensitive and may only consist of the characters A-Z, a-z, 0-9, dash, and underscore. You may create up to 16 SSIDs (up to 8 on the XR-500 Series).
  • Page 304 QoS: (Optional) Select a value in this field for QoS (Quality of Service) priority filtering. The QoS value must be one of the following: • 0 — The lowest QoS priority setting, where QoS makes its best effort at filtering and prioritizing data, video and voice traffic without compromising the performance of the network.
  • Page 305 Filter List: If you wish to apply a set of filters to this SSID’s traffic, select the desired Filter List. See “Filters” on page 389. Authentication: The following authentication options are available (only valid encryption/authentication combinations are offered): •...
  • Page 306: Figure 154. Ssid Management-Encryption, Authentication, Accounting

    Set Encryption Configure Radius, Accounting Figure 154. SSID Management—Encryption, Authentication, Accounting Additional sections will be displayed to allow you to configure encryption, authentication server, and RADIUS accounting settings. • The WPA Configuration encryption settings have the same parameters as those described in “Procedure for Configuring Network Security”...
  • Page 307 Management page (i.e., they are configured per SSID rather than in Global Settings). EasyPass Onboarding facilitates “Bring Your Own Device (BYOD)” usage. XMS-Cloud’s onboarding lets you create user accounts in advance, and a user can self-register a number of devices simply by connecting to the wireless network from each device.
  • Page 308 WPR (Web Page Redirect, also called captive portal): Check the checkbox to enable the Web Page Redirect functionality, or clear it to disable this option. If enabled, WPR configuration fields will be displayed under the SSID Limits section. This feature may be used to provide an alternate mode of authentication, or to simply display a splash screen when a user first associates to the wireless network.
  • Page 309: Ssid Limits And Scheduling

    Note that you cannot use MDM and WPR on the same SSID. The lower part of the window contains a few sections of additional settings to configure for the currently selected SSID, depending on the values chosen for the settings described above.
  • Page 310 Rename SSID: Use this field if you wish to change the name of an SSID without changing any of its other settings. For example, a convention center might wish to change the SSID name based on the name of the current exhibition.
  • Page 311 Use Date off to specify a date to take the SSID out of service without deleting it. At the specified date, the AP will turn the Enabled flag off. Leave Expiration and Date off set to none (the default) if you want this SSID to remain in service indefinitely after its scheduled start.
  • Page 312: Web Page Redirect (Captive Portal) Configuration

    Web Page Redirect (Captive Portal) Configuration If you enable WPR, the SSID Management window displays additional fields that must be configured. If enabled, WPR displays a splash or login page when a client associates to the wireless network and opens a browser to any URL (provided the URL does not point to a resource directly on the client’s device).
  • Page 313 This option displays a login page (residing on the AP) instead of the first user-requested URL. There is an upload function that allows you to replace the default login page, if you wish. Please see “Web Page Redirect (Captive Portal)”...
  • Page 314 • External Login page This option redirects the user to a login page on an external web server for authentication, instead of the first user-requested URL. Login information (user name and password) must be obtained by that page, and returned to the AP for authentication.
  • Page 315 After the splash page, the user is redirected to the captured URL. If you want the user redirected to a specific landing page instead, enter its address in Landing Page URL. • Cloud This option is only used in conjunction with the Guest Access feature in XMS-Cloud Next Generation (XMS-9500-CL-x).
  • Page 316 SSID name and PSK that they use at home, which their smartphones, tablets, and other personal devices are already configured to connect with automatically. For example, if a hotel offers Xirrus Personal Wi-Fi, guests will be able to set up SSIDs that mimic their home networks. Their devices will automatically connect securely for the duration of the guest’s...
  • Page 317: Figure 156. Customizing An Internal Login Or Splash Page

    Customizing an Internal Login or Splash page You may customize these pages with a logo and/or background image, and header and/or footer text, as shown below in Figure 156. Logo Header Internal Login Page Background Footer Figure 156. Customizing an Internal Login or Splash Page...
  • Page 318: Whitelist Configuration For Web Page Redirect

    Whitelist Configuration for Web Page Redirect On a per-SSID basis, the whitelist allows you to specify Internet destinations that stations can access without first having to pass the WPR (captive portal) login/splash page. Note that a whitelist may be specified for a user group as well. See “Group Management”...
  • Page 319: Web Page Redirect For Purple Wifi Venues

    • The station will still be required to pass through the configured WPR flow for all other Internet addresses. • The whitelist will work against all traffic -- not just http or https • Indirect access to other web sites is not permitted. For example, if you add www.yahoo.com to the whitelist, you can see that page, but not all the ads that it attempts to display.
  • Page 320 http://purpleportal.net/access/ • Redirect Secret: Enter the password provided to you by Purple WiFi. In the next section on the same page, create WPR Whitelist Configuration entries as directed by Purple WiFi for web sites that should not be redirected. Note that if an asterisk is part of the entry, you must include this character.
  • Page 321 Regardless of whether you selected a global authentication server in Step 13 on page 279, you need the following setting for compatibility with Purple WiFi. On the Security > External Radius Page, in the RADIUS Attribute Formatting section: •...
  • Page 322: Wpa Configuration

    If RADIUS authenticates successfully, then the end user is given access to the full Internet, outside of your internal network. Future connections to the same Access Point are automatically authenticated with no user action required. WPA Configuration If you set Encryption for this SSID to one of the WPA selections (Step 12 on page...
  • Page 323: Active Iaps

    AirWatch Active IAPs By default, when a new SSID is created, that SSID is active on all IAPs. This window allows you to specify which IAPs will offer that SSID. Put differently, you can specify which SSIDs are active on each IAP. This feature is useful in conjunction with WDS.
  • Page 324: Per-Ssid Access Control List

    Per-SSID Access Control List This window allows you to set up Access Control Lists (ACLs) on a per-SSID basis, to control whether a station with a particular MAC address may associate to a particular SSID. You may create access control list entries and delete existing entries, and control the type of list (allow or deny).
  • Page 325: Honeypots

    • Deny List: Denies the listed MAC addresses permission to associate to the AP. All others are allowed. The minus symbol appears before the SSID name for a deny list. • Disabled: A red dot appears before the SSID name for a disabled list.
  • Page 326: Figure 161. Honeypot Whitelist

    Figure 161. Honeypot Whitelist Procedure for Configuring Honeypot Whitelists Create a honeypot: If you have not already created an SSID named honeypot, you will be asked whether you wish to create one. Click Yes. You must have an SSID named honeypot to use this feature. Honeypot Whitelists: This section only appears if you have created an SSID named honeypot.
  • Page 327: Personal Wi-Fi

    Honeypot Broadcasts: This section only appears if you have created an SSID named honeypot. You may define one or more alias names for this SSID. They will be broadcast instead of the name honeypot. Personal Wi-Fi The settings on this page will apply to all of the Personal Wi-Fi SSIDs that are created by users after they connect to an EasyPass Personal portal.
  • Page 328 is optional. For example, enter 2016:09:29 08:00. If the hour and minute are omitted, they are assumed to be 23:59. Use After Duration to specify the length of time before the SSID expires, in days, hours, and minutes. Use the format DD [HH:MM], where hours and minutes are optional.
  • Page 329: Groups

    For information to help you understand groups, see Understanding Groups below. For an in-depth discussion, please see the User Groups Application Note in the Xirrus Resource Center. Figure 163. Groups Understanding Groups...
  • Page 330: Using Groups

    security parameters, web page redirect (WPR), and traffic limits. When a new user is created, you can apply all of these settings just by making the user a member of the group. The group allows you to apply a uniform configuration to a set of users in one step.
  • Page 331: Group Management

    See Also External Radius Internal Radius SSIDs Understanding QoS Priority on the Wireless AP Web Page Redirect (Captive Portal) Configuration Understanding Fast Roaming Group Management This window allows you to manage groups (create, edit and delete), assign usage limits and other parameters on a per group basis, and configure the Web Page Redirect (captive portal) functionality.
  • Page 332 Enabled: Check this box to enable this group or leave it blank to disable it. When a group is disabled, users that are members of the group will behave as if the group did not exist. In other words, the options configured for the SSID will apply to the users, rather than the options configured for the group.
  • Page 333 “Filters” on page 389. Xirrus Roaming: (Optional) For this group, select roaming behavior. Select L2&L3 to enable fast roaming between IAPs or APs at Layer 2 and Layer 3. If you select L2, then roaming uses Layer 2 only. You may only...
  • Page 334: Group Limits

    The authentication options that are offered on the SSID Management page are not offered here. Since the group membership of a user is provided to the AP by a Radius server, this means the user has already been authenticated.
  • Page 335 Traffic per Station: Check the Unlimited checkbox if you do not want to place a restriction on the traffic per station for this group, or enter a value in the Packets/Sec or Kbps field and make sure that the Unlimited box is unchecked to force a traffic restriction.
  • Page 336: Iaps

    IAPs This status-only window summarizes the status of the Integrated Access Points. For each IAP, it shows whether it is up or down, the channel and wireless mode, the antenna that it is currently using, its cell size and transmit and receive power, how many users (stations) are currently associated to it, whether a WDS link distance has been set for it, and its BSSID (MAC address).
  • Page 337: Understanding Fast Roaming

    APs have a fast roaming feature, allowing them to maintain sessions for applications such as voice, even while users cross boundaries between APs. Fast roaming is set up in the Global Settings window and is discussed in:...
  • Page 338: Iap Settings

    a user to maintain the same IP address through an entire real-time data session. The user may be associated to any of the VLANs defined on the AP. The Layer 3 session is maintained by establishing a tunnel back to the originating AP. You should decide whether or not to use Layer 3 roaming based on your wired network design.
  • Page 339 You may also access this window by clicking on the AP image at the lower left of the WMI window — click the Xirrus logo in the center of the AP. See “User Interface” on page Procedure for Auto Configuring IAPs...
  • Page 340 One of the IAPs must be set to monitor mode if you wish to support Spectrum Analyzer, Radio Assurance (loopback testing), and Intrusion Detection features. Monitoring has a Timeshare mode option, which is especially useful for small APs with two IAPs allowing one IAP to be shared between monitoring the airwaves for problems and providing services to stations.
  • Page 341 As mandated by FCC/IC law, APs continually scan for signatures of radar. If such a signature is detected, the AP will switch operation from conflicting channels to new ones. The AP will switch back to the original channel after 30 minutes if the channel is clear.
  • Page 342 In the Cell Size field, select auto to allow the optimal cell size to be automatically computed (see also, “RF Power and Sensitivity” on page 360). To set the cell size yourself, choose either small, medium, large, or max to use the desired pre-configured cell size.
  • Page 343 The Antenna field displays the antenna that has automatically been selected for this IAP. If desired, enter a description for this IAP in the Description field. You may reset all of the enabled IAPs by clicking the Reset Channels button at the top of the list.
  • Page 344: Global Settings

    Global Settings Figure 168. Global Settings (IAPs) This window allows you to establish global IAP settings. Global IAP settings include enabling or disabling all IAPs (regardless of their operating mode), and changing settings for beacons, station management, and advanced traffic optimization —...
  • Page 345 Procedure for Configuring Global IAP Settings Country: This is a display-only value. Once a country has been set, it may not be changed. The channels that are available for assignment to IAPs will differ, depending on the country of operation. If Country is set to United States, then 21 channels are available for 802.11a/n.
  • Page 346: Beacon Configuration

    Beacon Configuration Beacon Interval: When the AP sends a beacon, it includes with it a beacon interval, which specifies the period of time before it will send the beacon again. Enter the desired value in the Beacon Interval field, between 20 and 1000 Kusecs.
  • Page 347: Station Management

    Station Re-Authentication Period: This specifies an interval (in seconds) for station reauthentications. This is the minimum time period between station authentication attempts, enforced by the AP. This feature is part of Xirrus Advanced RF Security Manager (RSM).
  • Page 348 Station Timeout Period: Specify a time (in seconds) in this field to define the timeout period for station associations. Max Station Association per Access Point: This option allows you to define how many station associations are allowed per AP, or enter unlimited.
  • Page 349: Advanced Traffic Optimization

    Advanced Traffic Optimization Figure 169. Multicast Processing Multicast Processing: This sets how multicast traffic is handled. Multicast traffic can be received by a number of subscribing stations at the same time, thus saving a great deal of bandwidth. In some of the options below, the AP uses IGMP snooping to determine the stations that are subscribed to the multicast traffic.
  • Page 350 • for compatibility with ordinary operation, i.e., there is no optimization or modification of multicast traffic. • if you have an application where many subscribers need to see the multicast—a large enough number that it would be less efficient to convert to unicast and better just to send out multicast even though it must be sent out at the speed of the slowest connected station.
  • Page 351 By default, the list contains the IPv4 multicast address for Apple Bonjour mDNS: 224.0.0.251. For an additional discussion of optimizing Apple Bonjour handling, see the Bonjour Director Application Note in the Xirrus Resource Center.
  • Page 352 No modifications are made to the forwarded packets – they are just forwarded between specified VLANs and associated SSIDs. Xirrus strongly recommends the use of MDNS Filters (Step 24) when using multicast forwarding. Only allow required services to be forwarded. Carefully monitor results, as forwarding may flood your network with multicast traffic.
  • Page 353 multicast addresses - host names are not allowed. To remove an entry, select it in the list and click Delete. To remove all entries from the list, click Reset. Multicast VLAN Forwarding: This is a list of VLANs that participate in the multicast forwarding.
  • Page 354 Note that Multicast Forwarding and mDNS Filtering capabilities also work if both devices are wireless. For example, let’s say that AppleTV is using wireless to connect to an SSID that is associated with VLAN 56, and the wireless client is on an SSID that is associated with VLAN 58.
  • Page 355: Figure 170. Additional Optimization Settings

    Apple-TV, iChat, iPhoto, iTunes, iTunes-Home-Sharing, Internet-Printing, Mobile-Device-Sync, and Secure-Telnet. For example, to allow mirroring of an iPad on an Apple-TV, select Apple- You may define your own type if you do not see the service you want in the drop-down list.
  • Page 356 This starves the available bandwidth from faster clients, reducing performance significantly. Xirrus solves this issue with ACExpress that automatically separates devices onto different IAPs by their speeds and capability.
  • Page 357 If you select On and an IAP is not the best choice for network performance, that IAP will send an “AP Full” message in response to Probe, Association, or Authentication requests. This deters persistent clients from forcing their way onto overloaded IAPs. Note that ACExpress load balancing is not used if: •...
  • Page 358 Voice over Wi-Fi (see “Understanding Fast Roaming” on page 311 for a discussion of this feature). RP uses a discovery process to identify other Xirrus APs as fast roaming targets. This process has two modes: •...
  • Page 359 APs. Choose either All, In Range or Target Only, respectively. Xirrus Roaming Targets: If you chose Target Only, use this option to add target MAC addresses. Enter the MAC address of each target AP, then click on Add (add as many targets as you like). To find a target’s MAC address, open the AP Info window on the target AP and look for IAP MAC Range, then use the starting address of this range.
  • Page 360: Global Settings 11An

    Global Settings 11an This window allows you to establish global 802.11a IAP settings. These settings include defining which 802.11a data rates are supported, enabling or disabling all 802.11an IAPs, auto-configuration of channel allocations for all 802.11an IAPs, and specifying the fragmentation and RTS thresholds for all 802.11an IAPs.
  • Page 361 Instead, if the AP has been deployed for a while and already has data from the spectrum analyzer and Xirrus Roaming Protocol about channel usage on neighboring APs, it performs a quick auto channel using that information (without doing a full RF scan) to make an intelligent choice of channel assignments.
  • Page 362 • Non-Radar: give preference to channels that are not required to use dynamic frequency selection (DFS) to avoid communicating in the same frequency range as some radar (also see Step 8 on page 320). Channels Required to Use DFS Radar Avoidance in USA 36+40 Non-radar DFS required...
  • Page 363 • Full Scan: perform a full traffic scan on all channels on all IAPs to determine the best channel allocation. • Include WDS: automatically assign 5GHz to WDS client links. To use the Auto Cell Size feature, any IAPs that will use Auto Cell must have Cell Size set to auto.
  • Page 364 Auto Cell Size Overlap (%): Enter the percentage of cell overlap that will be allowed when the AP is determining automatic cell sizes. For 100% overlap, the power is adjusted such that neighboring APs that hear each other best will hear each other at -70dB.
  • Page 365: Figure 172. Global Settings .11Bgn

    SSIDs — SSID Management window also have station limit settings — Max Station Association per IAP (page 322) and Station Limit (page 283), respectively. If multiple station limits are set, all will be enforced. As soon as any limit is reached, no new stations can associate until some other station has terminated its association.
  • Page 366: Global Settings 11Bgn

    Wireless Access Point Global Settings 11bgn This window allows you to establish global 802.11b/g IAP settings. These settings include defining which 802.11b and 802.11g data rates are supported, enabling or disabling all 802.11b/g IAPs, auto-configuring 802.11b/g IAP channel allocations, and specifying the fragmentation and RTS thresholds for all 802.11b/g IAPs. Figure 172.
  • Page 367 Instead, if the AP has been deployed for a while and already has data from the spectrum analyzer and Xirrus Roaming Protocol about channel usage on neighboring APs, it performs a quick auto channel using that information (without doing a full RF scan) to make an intelligent choice of channel assignments.
  • Page 368 Wireless Access Point environment. In this case, it will pick a set of compatible channel assignments at random. Note: On the XR-500/600 and XR-1000 Series, the Factory Defaults button will not restore iap1 to monitor mode. You will need to restore this setting manually.
  • Page 369 Wireless Access Point Note: To use the Auto Cell Size feature, any IAPs that will use Auto Cell must have Cell Size set to auto. For Auto Cell by Channel, it is not necessary for RF Monitor Mode to be turned on, or for there to be a radio set to monitor mode.
  • Page 370 AP will not send the extra frames, thus avoiding unnecessary overhead. 802.11g Slot: Choose Auto to instruct the AP to manage the 802.11g slot times automatically, or choose Short Only. Xirrus recommends using Auto for this setting, especially if 802.11b devices are present.
  • Page 371 Wireless Access Point 802.11b Preamble: The preamble contains information that the AP and client devices need when sending and receiving packets. All compliant 802.11b systems have to support the long preamble. A short preamble improves the efficiency of a network's throughput when transmitting special data, such as voice, VoIP (Voice-over IP) and streaming video.
  • Page 372: Global Settings .11N

    Wireless Access Point Global Settings This window allows you to establish global 802.11n IAP settings. These settings include enabling or disabling 802.11n mode for the entire AP, specifying the number of transmit and receive chains (data stream) used for spatial multiplexing, setting a short or standard guard interval, auto-configuring channel bonding, and specifying whether auto-configured channel bonding will be static or dynamic.
  • Page 373 Wireless Access Point Procedure for Configuring Global 802.11n IAP Settings 802.11n Data Rates: The AP allows you to define which data rates are supported for all 802.11n radios. Select (or deselect) 11n data rates by clicking in the corresponding Supported and Basic data rate check boxes. •...
  • Page 374 Wireless Access Point 5 GHz Channel Bonding: Select Dynamic to have auto-configuration for bonded 5 GHz channels be automatically updated as conditions change. For example, if there are too many clients to be supported by a bonded channel, dynamic mode will automatically break the bonded channel into two channels.
  • Page 375: Global Settings 11Ac

    Wireless Access Point Global Settings 11ac This window allows you to establish global 802.11ac IAP settings. These settings include enabling or disabling 802.11ac mode for the entire AP, specifying the number of data streams used in spatial multiplexing, and setting a short or long guard interval.
  • Page 376 Wireless Access Point Procedure for Configuring Global 802.11ac IAP Settings 802.11ac Mode: Select Enabled to allow the AP to operate in 802.11ac mode. If you select Disabled, then 802.11ac operation is disabled on the 80 MHz Guard interval: This is the length of the interval between transmission of symbols (the smallest unit of data transfer) when you are using 80MHz bonded channels.
  • Page 377: Global Settings .11U

    Wireless Access Point Global Settings Understanding 802.11u As the number of access points available in public venues increases, mobile device users have a harder time distinguishing usable SSIDs from the tens, if not hundreds, of access points visible. Using the 802.11u protocol, access points may broadcast information about the services and access that they offer and respond to queries for additional information related to the facilities that the downstream service network provides.
  • Page 378: Figure 175. 802.11U Global Settings

    Wireless Access Point • Cellular Networks. The service network may have arrangements with one or more cellular service providers who can transparently provide wireless and Internet connectivity. Figure 175. 802.11u Global Settings
  • Page 379 Wireless Access Point Procedure for Configuring 802.11u Settings Use this window to establish the 802.11u configuration. 802.11u Internetworking. Click On to enable 802.11u protocol operation. Access Network Type: This indicates the type of network supported by the access point. The choices are: Chargeable public network Emergency services only network Free public network...
  • Page 380 Wireless Access Point HESSID. Enter the globally unique homogeneous ESS ID. This SSID is marked as being HotSpot 2.0 capable. This SSID attribute is global—if 802.11u is enabled and HotSpot 2.0 is enabled, then all SSIDs will have HotSpot 2.0 capability. IPv4 Availability.
  • Page 381 Wireless Access Point Roaming Consortium. Each of the roaming consortia has an organizational identifier (OI) obtained from IEEE that uniquely identifies the organization. This is similar to the OUI part of a MAC address. Use this control to build up a list of OIs for the consortia available. Enter the OI as a hexadecimal string of between 6 and 30 characters in the Add field and click Add.
  • Page 382 Wireless Access Point When Add is clicked the authentication type and optional URL will appear in the list. An authentication type may be deleted by selecting it in the list and clicking Delete. All authentication types may be deleted by clicking Reset.
  • Page 383: Advanced Rf Settings

    Wireless Access Point Advanced RF Settings This window allows you to establish RF settings, including automatically configuring channel allocation and cell size, and configuring radio assurance and standby modes. Changes you make on this page are applied to all IAPs, without exception.
  • Page 384: Rf Monitor

    Wireless Access Point applications. In Standby Mode, an AP monitors beacons from the target AP. When the target has not been heard from for 40 seconds, the standby AP enables its radios until it detects that the target AP has come back online. Standby Mode is off by default.
  • Page 385: Rf Resilience

    Wireless Access Point RF Resilience Radio Assurance Mode: When this mode is enabled, the monitor radio performs loopback tests on the AP. This mode requires RF Monitor Mode to be enabled (Dedicated or Timeshare mode, see Step 1) to support self-monitoring functions.
  • Page 386: Rf Power And Sensitivity

    Wireless Access Point RF Power and Sensitivity For an overview of RF power and cell size settings, please see “Capacity and Cell Sizes” on page 36 and “Fine Tuning Cell Sizes” on page. Note: To use the Auto Cell Size feature, the following additional settings are required: all IAPs that will use Auto Cell must have Cell Size set to auto.
  • Page 387: Rf Spectrum Management

    Wireless Access Point Auto Cell Configuration: Click this button to instruct the AP to determine and set the best cell size for each enabled IAP whose Cell Size is auto on the IAP Settings window, based on changes in the environment.
  • Page 388 Wireless Access Point Range set to Yes, and it must have at least one active IAP with an SSID that has broadcast enabled. Auto band runs separately from auto channel configuration. If a radio’s band is changed, associated stations will be disconnected and will then reconnect.
  • Page 389 APs do not use the same factory preset values for channel assignments. Instead, if the AP has been deployed for a while and already has data from the spectrum analyzer and Xirrus Roaming Protocol about channel usage on neighboring APs, it performs a quick auto channel using that information (without doing a full RF scan) to make an intelligent choice of channel assignments.
  • Page 390: Station Assurance

    Wireless Access Point specified time. If you do not specify am or pm, time is interpreted in 24-hour military time. For example, Sat 11:00 pm and Saturday 23:00 are both acceptable and specify the same time. Channel List Selection: This list selects which channels are available to the auto channel algorithm.
  • Page 391: Figure 177. Station Assurance (Advanced Rf Settings)

    Wireless Access Point Figure 177. Station Assurance (Advanced RF Settings) Enable Station Assurance: This is enabled by default. Click No if you wish to disable it, and click Yes to re-enable it. When station assurance is enabled, the AP will monitor connection quality indicators listed below and will display associated information on the Station Assurance Status...
  • Page 392: Hotspot 2.0

    Wireless Access Point Min Received Signal Strength: (dB) Station assurance detects whether the strength of the signal received from the station falls below this threshold during a period. Min Signal to Noise Ratio: (dB) Station assurance detects whether the ratio of signal to noise received from the station falls below this threshold during a period.
  • Page 393 Wireless Access Point Procedure for Hotspot 2.0 Settings Use this window to establish the Hotspot 2.0 configuration. Hotspot 2.0. Click Enabled to enable Hotspot 2.0 operation. Downstream Group-addressed Forwarding. Click Enabled to allow the access point to forward group-addressed traffic (broadcast and multicast) to all connected devices.
  • Page 394: Figure 178. Hotspot 2.0 Settings

    Wireless Access Point Figure 178. Hotspot 2.0 Settings English/Chinese Operator Friendly Name. Enter an English or Chinese name into one of the fields. An incorrectly entered name can be deleted by clicking the corresponding Delete. Connection Capabilities. A Hotspot 2.0 access point limits the particular protocols that clients may use.
  • Page 395: Nai Realms

    Wireless Access Point A Protocol number. For example 1 for ICMP, 6 for TCP, 17 for UDP, and 50 for Encapsulated Security Protocol in IPsec VPN connections. Port number for UDP/TCP connection. Status: one of open, closed or unknown. Any of the entries may be deleted by clicking the corresponding Delete button.
  • Page 396: Nai Eap

    Wireless Access Point Procedure for NAI Realms Settings Use this window to establish the names of the supported realms. Enter the realm name. Enter the name of a realm in the box to the left of the Create button and click Create. The realm will be added to the NAI Realms list.
  • Page 397 Wireless Access Point • EAP-AKA • EAP-AKA’ (EAP-AKA prime) • EAP-FAST • EAP-MSCHAP-V2 • EAP-SIM • EAP-TLS • EAP-TTLS • • MD5-Challenge • None • PEAP Specify Authentication Parameters. Each of the authentication methods may specify up to five authentication parameters. To specify the parameters click on the number corresponding to the authentication method;...
  • Page 398: Intrusion Detection

    Wireless Access Point Intrusion Detection The Xirrus AP employs a number of IDS/IPS (Intrusion Detection System/Intrusion Prevention System) strategies to detect and prevent malicious attacks on the wireless network. Use this window to adjust intrusion detection settings. Figure 181. Intrusion Detection Settings...
  • Page 399: Dos Attacks

    Wireless Access Point The AP provides a suite of intrusion detection and prevention options to improve network security. You can separately enable detection of the following types of problems: • Rogue Access Point Detection and Blocking Unknown APs are detected, and may be automatically blocked based on a number of criteria.
  • Page 400: Impersonation Attacks

    Wireless Access Point Type of Attack: Description. Disassociation Flood: Flooding the AP with forged Disassociation packets. Deauthentication Flood: Flooding the AP with forged Deauthenticates. EAP Handshake Flood: Flooding an AP with EAP-Start messages to consume resources or crash the target. Null Probe: Answering a station probe-request frame with a null SSID.
  • Page 401: About Blocking Rogue Aps

    Wireless Access Point Type of Attack: Description. Sequence number anomaly: A sender may use an Add Block Address request (ADDBA - part of the Block ACK mechanism) to specify a sequence number range for packets that the receiver can accept. An attacker spoofs an ADDBA request, asking the receiver to reset its sequence number window to a new range.
  • Page 402: Rf Intrusion Detection And Auto Block Mode

    Wireless Access Point Procedure for Configuring Intrusion Detection RF Intrusion Detection and Auto Block Mode Intrusion Detection Mode: This option allows you to choose the Standard intrusion detection method, or you can choose Off to disable this feature. See “AP Monitor and Radio Assurance Capabilities” on page 527 for more information.
  • Page 403: Dos Attack Detection Settings

    Wireless Access Point without a controlling Access Point, also called an Independent Basic Service Set — IBSS). • ESS/Infrastructure only — only consider auto blocking rogue APs if they are in infrastructure mode rather than ad hoc mode. Auto Block Whitelist: Use this list to specify channels to be excluded from automatic blocking.
  • Page 404: Impersonation Detection Settings

    Wireless Access Point Duration Attack NAV (ms): For the duration attack, you may also modify the default duration value that is used to determine whether a packet may be part of an attack. If the number of packets having at least this duration value exceeds the Threshold number in the specified Period, an attack is detected.
  • Page 405: Dscp Mappings

    Wireless Access Point Choose On Radio Enabled or On First Association, as desired. You may also choose Disabled to keep the LEDs from being lit. The LEDs will still light during the boot sequence, then turn off. LED Blink Behavior: This option allows you to select when the IAP LEDs blink, based on the activities you check here.
  • Page 406: Roaming Assist

    Roaming Assist Roaming assist is a Xirrus feature that helps clients roam to APs that will give them high quality connections. Some smart phones and tablets will stay connected to a radio with poor signal quality, even when there’s a radio with better signal strength within range.
  • Page 407: Figure 184. Roaming Assist

    Wireless Access Point RSSI of client = -75; -75 < (-5 + -65): Therefore client will roam. Another example: Threshold = -15; RSSI of neighbor AP = -60; RSSI of station = -70; -70 > (-15 + -60): Client will not roam. Figure 184.
  • Page 408 Wireless Access Point Roaming Threshold: This is the difference in signal strength between radios that will trigger a deauthentication, as described in the discussion above. In most cases, this will be a negative number. Triggering occurs regardless of whether the data rate falls below the Minimum Data Rate. Minimum Data Rate: Roaming assist will be triggered if the station’s packet data rate is below this value (1-99 Mbps), regardless of whether the Roaming Threshold has been reached.
  • Page 409: Wds

    Wireless Access Point This is a status-only window that provides an overview of all WDS links that have been defined. Wireless Distribution System (WDS) is a system that enables the interconnection of access points wirelessly, allowing your wireless network to be expanded using multiple access points without the need for a wired backbone to link them.
  • Page 410: Figure 186. Configuring A Wds Link

    TKIP should never be used for WDS links on APs. Note: WDS is available on most Xirrus APs, including models with two radios (WDS will operate on either of the radios). If WDS is not available, the settings are grayed out or not shown.
  • Page 411: Long Distance Links

    Wireless Access Point Long Distance Links If you are using WDS to provide backhaul over an extended distance, use the WDS Dist. (Miles) setting to prevent timeout problems associated with long transmission times. (See “IAP Settings” on page 312) Set the approximate distance in miles between this IAP and the connected AP in the WDS Dist.
  • Page 412 Wireless Access Point Procedure for Setting Up WDS Client Links Host Link Stations: Check the Allow checkbox to instruct the AP to allow stations to associate to IAPs on a host AP that participates in a WDS link. The WDS host IAP will send beacons announcing its availability to wireless clients.
  • Page 413 WDS window on the target AP, and use This AP Address located on the right under the Summary of WDS Host Links. To allow any Xirrus AP to be accepted as a WDS target, enter the Xirrus OUI: 00:0f:7d:00:00:00 or 50:60:28:00:00:00 (this is useful for roaming in a...
  • Page 414 Wireless Access Point Username: Enter a username for this WDS link. A username and password are required if the SSID is using PEAP for WDS authentication from the internal RADIUS server. Password: Enter a password for this WDS link. Clear Settings: Click on the Clear button to reset all of the fields on this line.
  • Page 415: Filters

    Wireless Access Point Filters The Wireless AP’s integrated firewall uses stateful inspection to speed the decision of whether to allow or deny traffic. Filters are used to define the rules used for blocking or passing traffic. Filters can also set the VLAN and QoS level for selected traffic.
  • Page 416: Filter Lists

    Wireless Access Point under the filter list to which they belong. Each filter entry is a link that takes you to its Filter Management entry, and the list includes information about the type of filter, the protocol it is filtering, which port it applies to, source and destination addresses, and QoS and VLAN assignments.
  • Page 417 Wireless Access Point Procedure for Managing Filter Lists Stateful Filtering: Stateful operation of the integrated firewall can be Enabled or Disabled. If you have a large number of filters and you don’t want to apply them in a stateful manner, you may use this option to turn the firewall off.
  • Page 418 Wireless Access Point Custom Application Control List Create New List: Enter a name for the new Application Control list in this field, followed by the ENTER key. The new list is added to the Application Control Lists table, and this list may be used to create filters. You may create up to 15 lists (on the XR-520, the limits are reduced to 8 lists and 125 applications per list).
  • Page 419: Filter Management

    Wireless Access Point Filter Management This window allows you to create and manage filters that belong to a selected filter list, based on the filter criteria you specify. Filters are an especially powerful feature when combined with the intelligence provided by the “Application Control Windows”...
  • Page 420 Wireless Access Point • Non-critical traffic from applications like YouTube may be given lower priority (QoS) or bandwidth allowed may be capped per station or for all stations. • Traffic flows for specific applications may be controlled by sending them into VLANs that are designated for that type of traffic.
  • Page 421 Wireless Access Point Viewing or modifying existing filter entries: Filter: Select a filter entry if you wish to modify it. Source and destination details are displayed below the bottom of the list. On: Use this field to enable or disable this filter. Log: Log usage of this filter to Syslog.
  • Page 422 Wireless Access Point QoS: (Optional) Set packets ingressing from the wired network that match the filter criteria to this QoS level (0 to 3) before sending them out on the wireless network. Select the level from the pull-down list. Level 0 has the lowest priority;...
  • Page 423: Figure 191. Filter Category Or Application

    Wireless Access Point the category Games from 9:00 to 12:00, and another could deny them from 13:00 to 18:00. Similarly, you might create two rules for different days—one to deny Games Mon-Fri 8:00 to 18:00, and another to deny them on Sat. from 8:00 to 12:00. Source Address: Define a source address to match as a filter criterion.
  • Page 424 Wireless Access Point Application Lists: If you wish this filter to apply to a previously configured Custom Application Control List, select the desired list. You may not select a Category or an Application in addition to the list. Click the Save button if you wish to make your changes permanent.
  • Page 425: Clusters

    Wireless Access Point Clusters Note: An XR-500 or XR-1000 Series AP cannot act as the Cluster controller. It will operate correctly as a member of a cluster. Clusters allow you to configure multiple APs at the same time. Using WMI (or CLI), you may define a set of APs that are members of the cluster.
  • Page 426: Figure 193. Cluster Management

    Wireless Access Point are shown, along with the number of APs currently in each. Up to 16 clusters may be created, with up to 50 APs in each. Figure 193. Cluster Management Procedure for Managing Cluster Definition New Cluster Name: Enter a name for the new cluster in the field to the left of the Create button, then click Create to add this entry.
  • Page 427 Wireless Access Point Note that the AP on which you are currently running WMI is not automatically a member of the cluster. If you would like it to be a member, you must add it explicitly. Procedure for Managing Clusters Edit Cluster: Expand the entry for the cluster to be managed.
  • Page 428: Figure 194. Viewing Statistics In Cluster Mode

    Wireless Access Point Some Status and Statistics windows will present information for all APs in the cluster. Click the Save button when done if you wish to save changes on the cluster member APs. Exit: Click the button to the right of the operating cluster to terminate Cluster Mode.
  • Page 429 Wireless Access Point You may terminate cluster mode operation by clicking the button to the right of the row.
  • Page 430: Mobile

    Xirrus APs support the AirWatch MDM, using an AirWatch API call to determine the status of a user’s device and allow access to the wireless network only if the device is enrolled and compliant with the policies of the service.
  • Page 431 Wireless Access Point The AP settings entered on this page are mostly taken from AirWatch. Once you have entered these settings, your users will be constrained to follow a set of steps to access the wireless network, as described in “User Procedure for Wireless Access”...
  • Page 432: User Procedure For Wireless Access

    Wireless Access Point Redirect URL: Obtain this from your AirWatch server. Go to the System / Advanced / Site URLs page, and copy the Enrollment URL string into this field. When a mobile device that is not currently enrolled with AirWatch attempts to connect to the AP, the device displays a page directing the user to install the AirWatch agent and go to the AirWatch enrollment page.
  • Page 433 Wireless Access Point If the device is not enrolled, all user traffic will be blocked, except that HTTP traffic is redirected to an intermediate page on the AP that tells the user to download and install the AirWatch agent. The page displays a link to the AirWatch-provided device enrollment URL.
  • Page 435: Using Tools On The Wireless Ap

    Wireless Access Point Using Tools on the Wireless AP These WMI windows allow you to perform administrative tasks on your AP, such as upgrading software, rebooting, uploading and downloading configuration files, and other utility tasks. Tools are described in the following sections: •...
  • Page 436: System Tools

    Wireless Access Point System Tools Status is shown here Figure 196. System Tools This window allows you to manage files for software images, configuration, and Web Page Redirect (WPR), manage the system’s configuration parameters, reboot the system, and use diagnostic tools. The page contains a number of sections that you may expand.
  • Page 437 If you are not using XMS to perform a software upgrade, you may use the Auto-provisioning Start button to get an updated license from Xirrus before performing an upgrade. If you will be entering license keys and performing upgrades on many APs, the effort will be streamlined by using the Xirrus Management System (XMS), especially if you are using XMS Cloud.
  • Page 438: System

    Operating System Software Upload: This feature upgrades the ArrayOS to a newer version provided by Xirrus. Please note that you typically will need an updated license key to cover the upgrade’s features before clicking the Upgrade button. If you are a customer using XMS-9000-CL-...
  • Page 439 Wireless Access Point x, your license will be updated for you automatically; with other XMS versions, you can easily upgrade all members of a profile network to a new ArrayOS release. See “About Licensing and Upgrades” on page 410 for details. Click the Choose File button to locate the software upgrade file, then click on the Upload button to upload the new file to the AP.
  • Page 440: Remote Boot Services

    Wireless Access Point Remote Boot Services (Automatic updates from remote image or configuration file) Figure 197. Remote Boot Services The AP software image or configuration file can be downloaded from an external server. In large deployments, all APs can be pointed to one TFTP server instead of explicitly initiating software image uploads to all APs.
  • Page 441: Configuration Management

    Wireless Access Point Note: The Remote Boot Image or Remote Configuration update happens every time that the AP reboots. If you only want to fetch the remote image or configuration file one time, be sure to turn off the remote option (blank out the field on the System Tools page) after the initial download.
  • Page 442 Wireless Access Point perform network-wide updates), you may obtain one through Auto-provisioning. Click the Start button, and the AP will contact the Xirrus Mobilize server with its serial number and MAC address to obtain and install its latest license. If the AP is unable to access the activation server, it will continue to attempt to contact the server at intervals specified by the Polling Interval (the default value is one minute).
  • Page 443 Wireless Access Point • history/saved-yyyymmdd-hhmm.conf: The setting values that were explicitly saved using the Set Restore Point button (see Step 4 below). Click Update to update your configuration settings by appending to the current AP configuration. Click Restore to replace the AP configuration with the configuration file selected.
  • Page 444 Wireless Access Point Apply. For example, the High-Density option uses best practices to configure the AP for high density settings such as lecture halls, convention centers, stadiums, etc. Click the link titled Download Current Configuration: xs_current.conf to download the AP’s current configuration settings to a file (that you can upload back to the AP at a later date).
  • Page 445: Diagnostics

    Wireless Access Point Diagnostics Diagnostic Log: Click the Create button to update the AP information for use by Xirrus Customer Support personnel. The name of the log file ends with diagnostic.log, and may have an additional prefix. (Figure 199) Click Create to update log Figure 199.
  • Page 446: Application Control Signature File Management

    Wireless Access Point Archiving Log: This log saves internal status information that may be needed by Xirrus Customer Support personnel. Click the Start button to start accumulating this information. The size of the file is self-limiting so that you do not need to be concerned about it consuming too much storage space.
  • Page 447: Web Page Redirect (Captive Portal)

    Wireless Access Point Upload Signature File: First, download the latest signature file from the Xirrus Customer Support site: ArrayOS - XR Platform Latest Release to your file system. Click the Browse button, then browse to locate the new signature file. Click the Upload button when it appears. The new file will be uploaded to the AP and will be used for identifying applications.
  • Page 448: Network Tools

    Wireless Access Point Upload File: Use this to install files for your own custom WPR splash/ login page (as described above) on the AP. Note that uploaded files are not immediately used - you must reboot the AP first. At that time, the AP looks for and uses these files, if found.
  • Page 449: Figure 203. Radius Ping Output

    Wireless Access Point The RADIUS Ping command is a simple utility that tests connectivity to a RADIUS server by attempting to log in with the specified Username and Password. When using a RADIUS server, this command allows you to verify that the server configuration is correct and whether a particular Username and Password are set up properly.
  • Page 450: Progress Bar And Status Frame

    Wireless Access Point IP Address: For Ping or Trace Route, enter the IP address of the target device. Timeout: For Ping or Trace Route, enter a value (in seconds) before the action times out. Execute System Command: Click Execute to start the specified command.
  • Page 451 Wireless Access Point To enter a command, simply type it in. The command is echoed and output is shown in the normal way — that is, the same way it would be if you were using the CLI directly. You may use the extra scroll bar inside the right edge of the window to scroll through your output.
  • Page 452: Api Documentation

    Wireless Access Point API Documentation APs provide an API interface conforming to the RESTful API model. Developers may use this read-only API to read status, statistics, and settings from the AP. The interactive API Documentation page provides documentation for the API. You may use the AP’s API for purposes such as integrating with third party applications or creating your own applications for network monitoring and analysis.
  • Page 453: Status/Settings

    Wireless Access Point The API Documentation page lists all of the APIs that are available, lists their calling parameters, if any, and allows you to perform sample calls and view sample output. Status/Settings The RESTful API on the AP is broken into these two main headings: status and settings.
  • Page 454: Trying A Get Request

    Wireless Access Point The figure above shows the GET request for ethernet-stats{name}. Click again to collapse (hide) the API details. High-level details are shown, including the Response Class name and the Response Content Type (limited to JSON at this time). Trying a GET Request The Try it out! button allows you to send the GET request to the AP API and see its response.
  • Page 455: Figure 207. Api - Get Request Response

    Wireless Access Point Figure 207. API — GET Request Response The figure above shows the response for ethernet-stats{name}. The response is produced in the human-readable JSON format. The status and statistics data shown are as described in “Viewing Status on the Wireless AP” on page 95.
  • Page 456: Api Documentation Toolbar

    Wireless Access Point API Documentation Toolbar Figure 208. API Documentation Toolbar The Status and Settings sections each have a toolbar as shown above, offering the following options. • Show/Hide—expands or collapses this list of GET requests. Hiding and then showing again displays the requests as they were before, i.e., expanded GET requests will still be expanded when displayed again.
  • Page 457: Options

    Wireless Access Point Options This window allows you to customize the behavior of the WMI. Figure 209. WMI Display Options Procedure for Configuring Options Refresh Interval in Seconds: Many of the windows in the Status section of the WMI have an Auto Refresh option. You may use this setting to change how often a status or statistics window is refreshed, if its auto refresh option is enabled.
  • Page 458: Logout

    Logout
    Click on the Logout button to terminate your session. When the session is terminated, you are presented with the login window.
    Figure 210. Login Window
  • Page 459: The Command Line Interface

    The Command Line Interface
    This section covers the commands and the command structure used by the AP’s Command Line Interface (CLI), and provides a procedure for establishing an SSH connection to the AP. Topics discussed include:
    • “Establishing a Secure Shell (SSH) Connection”...
  • Page 460: Figure 211. Logging In

    administrator assign a reserved address to the AP for ease of access in the future.
    • If the network does not use DHCP, use the factory default address 10.0.2.1 to access either the Gigabit 1 or Gigabit 2 Ethernet port. You may need to change the IP address of the port on your computer that is connected to the AP —...
  • Page 461: Getting Started With The Cli

    Getting Started with the CLI
    The root command prompt (Root Command Prompt) is the first prompt you see after logging in to the CLI. If you are at a level other than the root command prompt you can return to this prompt at any time by using the exit command to step back through each command prompt level.
  • Page 462: Figure 212. Help Window

    The help command is only available at the root command prompt. Initiating this command generates a window that provides information about the types of help that are available with the CLI.
    Figure 212. Help Window
    • ? Command
    This command is available at any prompt and provides either FULL or PARTIAL help.
  • Page 463: Figure 214. Partial Help

    Figure 214 shows an example of how the Help system can provide the argument and format when specifying the time zone under the date-time command.
    Figure 214. Partial Help
  • Page 464: Top Level Commands

    Top Level Commands
    This section offers an at-a-glance view of all top level commands — organized alphabetically. Top level commands are defined here as commands that are directly accessible from the root command prompt that consists of the name of the AP followed by a “#”...
  • Page 465: Configure Commands

    Command: Description
    show: Display information about the selected item. See “show Commands” on page 443.
    statistics: Display statistical data about the AP. See “statistics Commands” on page 448.
    uptime: Display the elapsed time since the last boot.
    xms-override: Override XMS managed mode and allow local configuration changes according to your user...
  • Page 466

    Command Description cluster Make configuration changes to multiple APs. Contact information for assistance on this AP. contact-info date-time Configure date and time settings. dhcp-server Configure the DHCP Server. Configure the DNS settings. Exit the configuration mode. exit Go UP one mode level.
  • Page 467

    Command Description netflow Configure NetFlow data collector. Disable (if enabled) or set to default value. proxy-fwd Configure Proxy Forwarding settings. quick-config Apply configuration template for typical deployment scenario. quit Exit the Command Line Interface. reboot Reboot the AP. reset Reset all settings to their factory default values and reboot.
  • Page 468

    Command: Description
    syslog: Enable, disable or configure the Syslog Server.
    tunnel: Configure tunnels.
    uptime: Display time since the last boot.
    vlan: Configure VLAN parameters.
    wifi-tag: Configure VLAN parameters.
    xms-override: Override XMS managed mode and allow local configuration changes according to your user privileges.
  • Page 469: Show Commands

    show Commands
    The following table shows the second level commands that are available with the top level show command [MyAP# show].
    Command Description Display the Access Control List. active-directory Show Active Directory information. admin Display the administrator list or login information.
  • Page 470

    Command: Description
    country-list: Display countries that the AP can be set to support.
    date-time: Display date and time settings summary.
    dhcp-leases: Display IP addresses (leases) assigned to stations by the DHCP server.
    dhcp-pool: Display internal DHCP server settings summary information.
  • Page 471

    Command: Description
    lastboot-config: Display AP configuration at the time of the last boot-up.
    lldp: Link Layer Discovery Protocol information.
    location-reporting: Location server reporting information.
    mac-table: MAC address bridging table
    management: Display settings for managing the AP, plus Standby, FIPS, and other information.
  • Page 472

    Command: Description
    self-test: Display self test results.
    snmp: Display SNMP summary information.
    spanning-tree: Display spanning tree information.
    spectrum-analyzer: Display spectrum analyzer measurements.
    ssid: Display SSID summary information.
    station-assurance: Station assurance information.
    stations: Display station information.
    statistics: Display statistics.
  • Page 473

    Command: Description
    <cr>: Display configuration or status information.
    IAP-NAME iap1, iap2: IAP interface information
  • Page 474: Statistics Commands

    statistics Commands
    The following table shows the second level commands that are available with the top level statistics command [MyAP# statistics].
    Command: Description
    ethernet: Display statistical data for all Ethernet interfaces.
    filter: Display statistics for defined filters (if any). FORMAT: statistics filter [detail]
    filter-list...
  • Page 475

    Command: Description
    Ethernet Name eth0, gig1, gig2: Display statistical data for the defined Ethernet interface (either eth0, gig1 or gig2). FORMAT: statistics gig1
    IAP-NAME iap1, iap2: IAP interface information
  • Page 476: Configuration Commands

    Configuration Commands
    All configuration commands are accessed by using the configure command at the root command prompt (MyAP#). This section provides a brief description of each command and presents sample formats where deemed necessary. The commands are organized alphabetically. When inputting commands, be aware that all commands are case-sensitive.
  • Page 477: Admin

    admin
    The admin command [MyAP(config-admin)#] is used to configure the Administrator List.
    Command Description Add a user to the Administrator List. FORMAT: admin add [userID] Delete a user from the Administrator List. FORMAT: admin del [userID] edit Modify user in the Administrator List.
  • Page 478: Auth

    auth
    The auth command [MyAP(config)# auth] is used to configure OAuth tokens.
    Command Description Delete an OAuth token. FORMAT: auth del <Oauth token> reset Delete all OAuth tokens. FORMAT: auth reset
    See also, “OAuth 2.0 Management” on page 264.
  • Page 479

    Command Description interval The AP sends out CDP announcements at this interval. FORMAT: cdp interval [# seconds] Disable the Cisco Discovery Protocol FORMAT: cdp off Enable the Cisco Discovery Protocol FORMAT: cdp on
  • Page 480: Clear

    clear
    The clear command [MyAP(config)# clear] is used to clear requested elements.
    Command Description Clear the arp table entry for a requested IP address, or clear all entries if no IP address is entered. FORMAT: clear arp [ipaddress] authentication Deauthenticate a station (specified by MAC address, hostname, or IP address).
  • Page 481

    Command: Description
    syslog: Clear all Syslog messages, but continue to log new messages. FORMAT: clear syslog
    undefined-vlan: Clear undefined VLAN information. FORMAT: clear undefined-vlan
  • Page 482: Cluster

    cluster
    The cluster command [MYAP(config)# cluster] is used to create and operate clusters. Clusters allow you to configure multiple APs at the same time. Using CLI (or WMI), you may define a set of APs that are members of the cluster. Then you may switch the AP to Cluster operating mode for a selected cluster, which sends all successive configuration commands issued via CLI or WMI to all of the member APs.
  • Page 483: Contact-Info

    contact-info
    The contact-info command [MyAP(config)# contact-info] is used for managing administrator contact information.
    Command: Description
    email: Add an email address for the contact (must be in quotation marks). FORMAT: contact-info email [“contact@mail.com”]
    name: Add a contact name (must be in quotation marks). FORMAT: contact-info name [“Contact Name”]...
  • Page 484: Date-Time

    date-time
    The date-time command [MyAP(config-date-time)#] is used to configure the date and time parameters. Your AP supports the Network Time Protocol (NTP) in order to ensure that the AP’s internal time is accurate. NTP is set to UTC time by default;...
  • Page 485: Dhcp-Server

    dhcp-server
    The dhcp-server command [MyAP(config-dhcp-server)#] is used to add, delete and modify DHCP pools.
    Command Description Add a DHCP pool. FORMAT: dhcp-server add [dhcp pool] Delete a DHCP pool. FORMAT: dhcp-server del [dhcp pool] edit Edit a DHCP pool FORMAT: dhcp-server edit [dhcp pool] reset...
  • Page 486: Dns

    The dns command [MyAP(config-dns)#] is used to configure your DNS parameters.
    Command: Description
    domain: Enter your domain name. FORMAT: dns domain [www.mydomain.com]
    server1: Enter the IP address of the primary DNS server. FORMAT: dns server1 [1.2.3.4]
    server2: Enter the IP address of the secondary DNS server.
  • Page 487: File

    file
    The file command [MyAP(config-file)#] is used to manage files.
    Command Description active-image Validate and commit a new AP software image. Validate and commit a new backup software image. backup-image List file contents. check-image Validate a new AP software image. chkdsk Check flash file system.
  • Page 488

    Command: Description
    http-get: Perform an HTTP file download. This is the preferred method of downloading files for XMS Cloud. FORMAT: http-get [no-cert-check] <url> [<local_file>]
    no-cert-check causes the AP to download the file even if the SSL certificate is invalid, expired, or not signed by a recognized CA
    <url>...
  • Page 489

    Command: Description
    remote-config: When the AP boots up, it fetches the specified configuration file from the TFTP server defined in the file remote-server command, and uses this configuration. This must be an AP configuration file with a .conf extension. A partial configuration file may be used.
  • Page 490

    Command Description rmdir Delete a directory on the flash file system. Copy a file to or from a remote system. You may specify the port to use. tftp Open a TFTP connection with a remote server. FORMAT: file tftp host {<hostname>...
  • Page 491: Filter

    filter
    The filter command [MyAP(config-filter)#] is used to manage protocol filters and filter lists.
    Command Description Add a filter. Details about the air cleaner feature are after the end of this table. FORMAT: filter add [air-cleaner name] add-list Add a filter list.
  • Page 492: Air Cleaner

    Command Description Disable a filter list. FORMAT: filter off Enable a filter list. FORMAT: filter on reset Delete all protocol filters and filter lists. FORMAT: filter reset stateful Enable or disable stateful filtering (firewall). FORMAT: Stateful [enable | disable | on | off] track-apps Enable or disable application tracking.
  • Page 493: Figure 215. Air Cleaner Filter Rules

    If you select all, the rules shown in Figure 215 are added to the predefined filter list named Global. These rules assume that you have station-to-station blocking enabled, that a DHCP server is on the AP’s wired connection, and that you want to block most all multicast and all broadcast traffic not vital to normal operation.
  • Page 494

    radios. These rogue DHCP servers are blocked from doing any damage with this filter. There have been quite a few cases in public venues like schools and conventions where such traffic is seen.
    • Air-cleaner-Mcast.1 drops all multicast traffic with a destination MAC address starting with 01.
  • Page 495: Group

    group
    The group command [MyAP(config)# group] is used to create and configure user groups. User groups allow administrators to assign specific network parameters to users through RADIUS privileges rather than having to map users to a specific SSID.
  • Page 496: Interface

    interface
    The interface command [MyAP(config)# interface] is used to select the interface that you want to configure. To see a listing of the commands that are available for each interface, use the ? command at the selected interface prompt. For example, using the ? command at the MyAP(config-gig1)# prompt displays a listing of all commands for the gig1 interface.
  • Page 497: Load

    load
    The load command [MyAP(config)# load] loads a configuration file.
    Command: Description
    factory.conf: Load the factory settings configuration file. FORMAT: load [factory.conf]
    lastboot.conf: Load the configuration file from the last boot-up. FORMAT: load [lastboot.conf]
    [myfile].conf: If you have saved a configuration, enter its name to load it.
  • Page 498: Location-Reporting

    location-reporting
    The location-reporting command [MyAP(config)# location-reporting] is used to configure Location Server settings. See also, “Location” on page 191.
    Command: Description
    cust-key: Set Location Server customer key. FORMAT: location-reporting cust-key enc <loc-server-customer-key>
    disable: Disable location-reporting. FORMAT: location-reporting disable
    enable: Enable location-reporting.
  • Page 499: Management

    management
    The management command [MyAP(config)# management] enters management mode, where you may configure management parameters.
    Command: Description
    <cr>: Enter management mode. FORMAT: management <cr>
    The following types of settings may be configured in management mode:
    Setting: Description
    activation: Start or stop activation server polling.
  • Page 500

    Setting: Description
    network-assurance: Enable/disable network assurance.
    pci-audit: Enable/disable PCI (Payment Card Industry) audit mode. See “Auditing PCI DSS” on page 593.
    quick-config: Apply quick configuration template.
    quit: Exit the command line interface.
    reauth-period: Time between failed CLI login attempts.
    restore: Restore to previous saved config.
  • Page 501: Mdm

    Setting: Description
    xircon: Enable/disable Xircon access. See Xircon User’s Guide for more information.
    The mdm command [MyAP(config)# mdm] is used to configure Mobile Device Management Server settings. See also, “Mobile” on page 404.
    Command Description airwatch api Set Location Server customer key.
  • Page 502: More

    more
    The more command [MyAP(config)# more] is used to turn terminal pagination ON or OFF.
    Command: Description
    disable: Turn OFF terminal pagination. FORMAT: more off
    enable: Turn ON terminal pagination. FORMAT: more on
  • Page 503: Netflow

    netflow
    The netflow command [MyAP(config-netflow)#] is used to enable or disable, or configure sending IP flow information (traffic statistics) to the collector you specify.
    Command: Description
    collector: Set the Netflow collector IP address or fully qualified domain name (host.domain). Only one collector may be set.
  • Page 504

    The no command [MyAP(config)# no] is used to disable a selected element or set the element to its default value.
    Command Description 2.4GHz Disable all 2.4GHz IAPs. 5GHz Disable all 5GHz IAPs. Disable the Access Control List. FORMAT: no acl clear-text...
  • Page 505: Quick-Config

    Command Description snmp Disable SNMP features. FORMAT: no snmp spanning-tree Disable spanning tree. Disable ssh access. FORMAT: no ssh Disable the Syslog services. syslog FORMAT: no syslog telnet Disable Telnet access. FORMAT: no telnet
    quick-config
    The quick-config command is used to apply configuration templates to the AP for typical deployment scenarios.
  • Page 506: Quit

    quit
    The quit command [MyAP(config)# quit] is used to exit the Command Line Interface.
    Command: Description
    <cr>: Exit the Command Line Interface. FORMAT: quit
    If you have made any configuration changes and your changes have not been saved, you are prompted to save your changes to Flash.
  • Page 507

    Command Description Choose the active RADIUS server (either external or internal). FORMAT: authentication-server use external (or internal)
  • Page 508: Reboot

    reboot
    The reboot command [MyAP(config)# reboot] is used to reboot the AP. If you have unsaved changes, the command will notify you and give you a chance to cancel the reboot.
    Command: Description
    <cr>: Reboot the AP. FORMAT: reboot
    delay...
  • Page 509: Restore

    restore
    The restore command [MyAP(config)# restore] is used to restore configuration to a version that was previously saved locally.
    Command Description Use this to display the list of available config files. FORMAT: restore ? <filename> Enter the name of the locally saved configuration to restore.
  • Page 510: Roaming-Assist

    roaming-assist
    The roaming-assist command [MyAP(config)# roaming-assist] is used to configure roaming assistance settings. See also, “Roaming Assist” on page 380.
    Command: Description
    data-rate: Set minimum packet data rate before roaming, in Mbps. FORMAT: roaming-assist data-rate <1-99>
    devices: Set device types or classes to assist. FORMAT: roaming-assist devices all | unidentified |...
  • Page 511: Run-Tests

    run-tests
    The run-tests command [MyAP(run-tests)#] is used to enter run-tests mode, which allows you to perform a range of tests on the AP.
    Command Description Execute command from history ad-authenticate Test domain user authentication. ad-check-secret Check machine trust secret. ad-debug-info Display detailed Active Directory information.
  • Page 512

    Command: Description
    ping: Execute ping utility. FORMAT: run-tests ping [host-name | ip-addr]
    quick-config: Apply quick configuration template.
    quit: Exit the command line interface.
    radius-ping: Special ping utility to test the connection to a RADIUS server. FORMAT: run-tests radius-ping [external | ssid <ssidnum>] [primary | secondary] user <raduser>...
  • Page 513: Security

    Command Description Execute ssh utility. FORMAT: run-tests ssh [hostname | ip-addr] [command-line-switches (optional)] tcpdump Execute tcpdump utility to dump traffic for selected interface or VLAN. Supports 802.11 headers. FORMAT: run-tests tcpdump telnet Execute telnet utility. FORMAT: run-tests telnet [hostname | ip-addr] [command-line-switches (optional)] traceroute Execute traceroute utility.
  • Page 514: Snmp

    snmp
    The snmp command [MyAP(config-snmp)#] is used to enable, disable, or configure SNMP.
    Command: Description
    trap: Configure traps for SNMP. Up to four trap destinations may be configured, and you may specify whether to send traps for authentication failure.
  • Page 515: Ssid

    ssid
    The ssid command [MyAP(config-ssid)#] is used to establish your SSID parameters.
    Command Description Add an SSID. FORMAT: ssid add [newssid] Delete an SSID. FORMAT: ssid del [oldssid] edit Edit an existing SSID. FORMAT: ssid edit [existingssid] reset Delete all SSIDs and restore the default SSID.
  • Page 516: Syslog

    syslog
    The syslog command [MyAP(config-syslog)#] is used to enable, disable, or configure the Syslog server.
    Command: Description
    console: Enable or disable the display of Syslog messages on the console, and set the level to be displayed. All messages at this level and lower (i.e., more severe) will be displayed.
  • Page 517: Tunnel

    Command: Description
    primary: Set the IP address of the primary Syslog server and/or the severity level of messages to be logged. FORMAT: syslog primary [1.2.3.4] level [0-7]
    secondary: Set the IP address of the secondary (backup) Syslog server and/or the severity level of messages to be logged.
  • Page 518: Uptime

    Command: Description
    edit: Modify an existing tunnel. FORMAT: tunnel edit [existingtunnel]
    reset: Delete all existing tunnels. FORMAT: tunnel reset
    uptime
    The uptime command [MyAP(config)# uptime] is used to display the elapsed time since you last rebooted the AP.
    Command: Description
    continuous...
  • Page 519: Wifi-Tag

    Command Description default-route Assign a VLAN for the default route (for outbound management traffic). FORMAT: vlan default-route [defaultroute] delete Delete a VLAN. FORMAT: vlan delete [oldvlan] Modify an existing VLAN. edit FORMAT: vlan edit [existingvlan] native-vlan Assign a native VLAN (traffic is untagged). FORMAT: vlan native-vlan [nativevlan] Disable the selected feature.
  • Page 520

    about Wi-Fi RFID tags sent on the designated channels. See also “Wi-Fi Tag” on page 190.
    Command: Description
    disable: Disable wifi-tag. FORMAT: wifi-tag disable
    enable: Enable wifi-tag. FORMAT: wifi-tag enable
    refresh: Disable and enable WiFi tag.
    server: Set hostname or IP address of the tag server.
  • Page 521: Sample Configuration Tasks

    Sample Configuration Tasks
    This section provides examples of some of the common configuration tasks used with the Wireless AP, including:
    • “Configuring a Simple Open Global SSID” on page 496.
    • “Configuring a Global SSID using WPA-PEAP” on page 497.
    •...
  • Page 522: Configuring A Simple Open Global Ssid

    Configuring a Simple Open Global SSID
    This example shows you how to configure a simple open global SSID.
    Figure 216. Configuring a Simple Open Global SSID
  • Page 523: Configuring A Global Ssid Using Wpa-Peap

    Configuring a Global SSID using WPA-PEAP
    This example shows you how to configure a global SSID using WPA-PEAP encryption in conjunction with the AP’s Internal RADIUS server.
    Figure 217. Configuring a Global SSID using WPA-PEAP
  • Page 524: Configuring An Ssid-Specific Ssid Using Wpa-Peap

    Configuring an SSID-Specific SSID using WPA-PEAP
    This example shows you how to configure an SSID-specific SSID using WPA-PEAP encryption in conjunction with the AP’s Internal RADIUS server.
    Figure 218. Configuring an SSID-Specific SSID using WPA-PEAP
  • Page 525: Enabling Global Iaps

    Enabling Global IAPs
    This example shows you how to enable all IAPs (radios), regardless of the wireless technology they use.
    Figure 219. Enabling Global IAPs
  • Page 526: Disabling Global Iaps

    Disabling Global IAPs
    This example shows you how to disable all IAPs (radios), regardless of the wireless technology they use.
    Figure 220. Disabling Global IAPs
  • Page 527: Enabling A Specific Iap

    Enabling a Specific IAP
    This example shows you how to enable a specific IAP (radio). In this example, the IAP that is being enabled is a1 (the first IAP in the summary list).
    Figure 221. Enabling a Specific IAP
  • Page 528: Disabling A Specific Iap

    Disabling a Specific IAP
    This example shows you how to disable a specific IAP (radio). In this example, the IAP that is being disabled is a2 (the second IAP in the summary list).
    Figure 222. Disabling a Specific IAP
  • Page 529: Setting Cell Size Auto-Configuration For All Iaps

    Setting Cell Size Auto-Configuration for All IAPs
    This example shows how to set the cell size for all enabled IAPs to be auto-configured (auto). (See “Fine Tuning Cell Sizes” on page 37.) The auto_cell option may be used with global_settings, global_a_settings, or global_bg_settings. It sets the cell size of the specified IAPs to auto, and it launches an auto-configuration to adjust the sizes.
  • Page 530: Setting The Cell Size For All Iaps

    Setting the Cell Size for All IAPs
    This example shows you how to establish the cell size for all IAPs (radios), regardless of the wireless technology they use. Be aware that if the intrude-detect feature is enabled on the monitor radio the cell size cannot be set globally — you must first disable the intrude-detect feature on the monitor radio.
  • Page 531: Setting The Cell Size For A Specific Iap

    Setting the Cell Size for a Specific IAP
    This example shows you how to establish the cell size for a specific IAP (radio). In this example, the cell size for a2 is being set to medium. You have the option of setting IAP cell sizes to small, medium, large, or max (the default is max).
  • Page 532: Configuring Vlans On An Open Ssid

    Configuring VLANs on an Open SSID
    This example shows you how to configure VLANs on an Open SSID.
    • Setting the default route enables the AP to send management traffic, such as Syslog messages and SNMP information to a destination behind a router.
  • Page 533: Configuring Radio Assurance Mode (Loopback Tests)

    Configuring Radio Assurance Mode (Loopback Tests)
    The AP uses its built-in monitor radio to monitor other radios in the AP. Tests include sending probes on all channels and checking for a response, and checking whether beacons are received from the other radio. If a problem is detected, corrective actions are taken to recover.
  • Page 534: Figure 227. Configuring Radio Assurance Mode (Loopback Testing)

    Figure 227. Configuring Radio Assurance Mode (Loopback Testing)
  • Page 535: Appendices

    Appendices
  • Page 537: Appendix A: Quick Reference Guide

    Appendix A: Quick Reference Guide
    This section contains product reference information. Use this section to locate the information you need quickly and efficiently. Topics include:
    • “Factory Default Settings” on page 511.
    • “Keyboard Shortcuts” on page 517.
  • Page 538: Gigabit 1 And Gigabit 2

    Gigabit 1 and Gigabit 2 Setting Default Value Enabled DHCP Default IP Address 10.0.2.1 Default IP Mask 255.255.255.0 Default Gateway None Auto Negotiate Duplex Full Speed 1000 Mbps MTU Size 1500 Management Enabled Server Settings Setting Default Value Enabled Primary time.nist.gov...
  • Page 539: Snmp

    Secondary Syslog Level Information SNMP Setting Default Value Enabled Read-Only Community String (v2) xirrus_read_only Read-Write Community String (v2) xirrus Read-Only Community String (v3) xirrus-ro Read-Write Community String (v3) xirrus-rw Trap Host null (no setting) Trap Port Authorization Fail Port DHCP...
  • Page 540: Default Ssid

    IP End Range 192.168.1.254 Disabled IP Gateway None DNS Domain None DNS Server (1 to 3) None Default SSID Setting Default Value xirrus VLAN None Encryption Encryption Type None Enabled Broadcast Security Global Settings - Encryption Setting Default Value Enabled...
  • Page 541: External Radius (Global)

    Setting Default Value WEP Key Length null (all 4 keys) Default Key ID WPA Enabled TKIP Enabled AES Enabled EAP Enabled PSK Enabled Pass Phrase null Group Rekey Disabled External RADIUS (Global) Setting Default Value Enabled Primary Server None Primary Port 1812...
  • Page 542: Internal Radius

    Setting Default Value Primary Server None Primary Port 1813 Primary Secret null (no secret) Secondary Server None Secondary Port 1813 Secondary Secret null (no secret) Internal RADIUS Setting Default Value Enabled The user database is cleared upon reset to the factory defaults. For the Internal RADIUS Server you have a maximum of 1,000 entries.
  • Page 543: Keyboard Shortcuts

    Setting Default Value Telnet Telnet timeout 300 seconds Serial Serial timeout 300 seconds Management over IAPs http timeout 300 seconds
    Keyboard Shortcuts
    The following table shows the most common keyboard shortcuts used by the Command Line Interface.
    Action Shortcut Cut selected data and place it on the...
  • Page 544
  • Page 545: Appendix B: Faq And Special Topics

    Appendix B: FAQ and Special Topics This appendix provides valuable support information that can help you resolve technical difficulties. Before contacting Xirrus, review all topics below and try to determine if your problem resides with the Wireless AP or your network infrastructure.
  • Page 546: Frequently Asked Questions

    ESS at any given time. Clients ignore traffic from other Extended Service Sets that do not have the same SSID. Legacy access points typically support one SSID per access point. Xirrus Wireless APs support the ability for multiple SSIDs to be defined and used simultaneously.
  • Page 547

    • The wireless Quality of Service (QoS) desired for this SSID.
    • The wired VLAN associated with this SSID.
    As an example, one SSID named accounting might require the highest level of security, while another SSID named guests might have low security requirements.
  • Page 548: Security

    If you need to edit any of the SSID settings, you can do so from the SSID Management page.
    See Also General Hints and Tips Security SSIDs SSID Management VLAN Support
    Security
    How do I ensure that I meet FIPS requirements?
    To meet the Level 2 security requirements of FIPS 140-2, follow the instructions in “Implementing FIPS Security”...
  • Page 549

    • Configuration auditing
    Do not change approved configuration settings. The optional XMS offers powerful management features for small or large Wireless AP deployments, and can audit your configuration settings automatically. In addition, using the XMS eliminates the need for an FTP server.
  • Page 550

    older wireless clients). Because AES is the strongest encryption standard currently available, it is highly recommended for Enterprise networks. Any of the above encryption modes can be used (and can be used at the same time).
    • TKIP encryption does not support high throughput rates, per the IEEE 802.11n.
  • Page 551: Vlan Support

    What is rogue AP (Access Point) detection? The Wireless AP has integrated monitor capabilities, which can constantly scan the local wireless environment for rogue APs (non-Xirrus devices that are not part of your wireless network), unencrypted transmissions, and other security issues. Administrators can then classify each rogue AP and ensure that these devices do not interrupt or interfere with the network.
  • Page 552

    particular VLAN according to the IEEE 802.1Q standard, with VLAN switches processing packets according to the tag.
    What would I use VLANs for?
    Logically separating different types of users, systems, applications, or other logical division aids in performance and management of different network devices.
  • Page 553: Ap Monitor And Radio Assurance Capabilities

    All models of the Wireless AP have integrated monitoring capabilities to check that the AP’s radios are functioning correctly, and act as a threat sensor to detect and prevent intrusion from rogue access points. Enabling Monitoring on the AP: Any radio may be set to monitor the AP or to be a normal radio.
  • Page 554: Radio Assurance

    Intrusion Detection is enabled or disabled separately from monitoring. See Step 1 “Intrusion Detection” on page 372. Radio Assurance: The AP is capable of performing continuous, comprehensive tests on its radios to assure that they are operating properly. Testing is enabled using the Radio Assurance Mode setting (see “Advanced RF Settings”...
  • Page 555: Radio Assurance Options

    • When no stations are associated to the AP • Midnight. Radio Assurance Options: If the monitor detects a problem with an AP radio as described above, it will take action according to the preference that you have specified in the Radio Assurance Mode setting on the Advanced RF Settings window (see...
  • Page 556: Radius Vendor Specific Attribute (Vsa) For Xirrus

    A RADIUS VSA is defined for Xirrus APs to control administrator privilege settings for user accounts. The RADIUS VSA is used by APs to define the following attribute for administrator accounts:...
  • Page 557: Location Service Data Formats

    Xirrus APs are able to capture and upload visitor analytics data, acting as a sensor network in addition to providing wireless connectivity. This data is sent to the location server in different formats, based on the type of server. The Location Server URL, Location Customer Key, and Location Period for reporting data are configured under Location settings.
  • Page 558 Field Name Description BSSID BSSID that the station is on (AES encrypted if cust-key is not blank). Only stations that are associated to this AP will have a bi (BSSID) field, i.e., for unassociated stations the bi (BSSID) field will not be included.
  • Page 559: Upgrading The Ap Using The Boot Loader

    Management Interface, the AP provides lower-level facilities that may be used to accomplish an upgrade via the Boot Loader (XBL). Log in to your Xirrus customer support account and download the latest software update. The software update is provided as a zip file. Unzip the contents to a local temp directory.
  • Page 560 Wireless Access Point User’s Guide here. You may also find this useful: How can I access my AP if it does not seem to be accessible via IP? How do I access an AP via console or Xircon? Attach a network cable to the AP’s Gig1 port, if it is not already part of your network.
  • Page 561: Sample Output For The Upgrade Procedure

    Are you sure you want to reboot? [yes/no]: yes
    Array is being rebooted...
    Sending trap ..done
    Rebooting ...
    Xirrus Boot Loader 6.3.0-6171 (Dec 11 2014 - 15:41:48)
    Board | Xirrus CN5020-CP CPU Board
    Clocks | CPU : 300 MHz DDR : 666 MHz...
  • Page 562
    Username: admin
    Password: *****
    XBL>dhcp
    [DHCP ] Device : eth0 - 1000 Mbps Full Duplex
    [DHCP ] IP Addr : 10.100.44.48
    XBL>dir
    [USB 0 ] Directory of /
    Date Time Size File or Directory name
    ----------- -------- ---------- ---------------------------
    2014-Dec-12 18:47:16 17776 factory.conf
    2014-Dec-12 19:39:42...
  • Page 563
    [TFTP ] Loading : ################################################ done
    [TFTP ] Complete: 7.4 sec, 10.1 MB/sec
    [TFTP ] Bytes : 78027656 (4a69b88 hex), 10226 Kbytes/sec
    [USB 0 ] File : XS-7.2.3-5452.bin
    [USB 0 ] Address : 0x6000000
    [USB 0 ] Saving : ##################################################
    [USB 0 ] Saving : ##################################################
    [USB 0 ] Saving : ##################################################
    [USB 0 ] Saving : ##################################################...
  • Page 564
    [Boot ] Image : Verifying image ..OK
    [Boot ] Loading : Multi-File Image ..OK
    [Boot ] Watchdog: Disabling ..OK
    [Boot ] Execute : Transferring control to OS
    Initializing hardware .... OK
    Xirrus Wi-Fi Array ArrayOS Version 7.2.3-5452
    Copyright (c) 2005-2014 Xirrus, Inc.
    http://www.xirrus.com
    Username:...
  • Page 565: Appendix C: Notices (Xd4 And Xr500/600 Series Only)

    This Appendix contains Notices, Warnings, and Compliance information for the XD4 and XR500/600 Series only. For Notices, Warnings, and Compliance information for outdoor products, please see the Quick Installation Guide for that product. For Notices, Warnings, and Compliance information for all other APs, please see “Notices (XR-1000 to XR-6000 Indoor Models)”...
  • Page 566 This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
  • Page 567 Modifications to the device will void the warranty and may violate FCC regulations. Cable Runs for Power over Gigabit Ethernet (PoGE): If using PoGE, the AP must be connected to PoGE networks without routing cabling to the outside plant — this ensures that cabling is not exposed to lightning strikes or possible cross over from high voltage.
  • Page 568 This device complies with Industry Canada's RSS-210 (CNR-210) standard applicable to licence-exempt radio apparatus. Its operation is subject to the following two conditions: (1) the device must not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
  • Page 569: Eu Directive 1999/5/Ec Compliance Information

    XD4 and XR500/600 Series only. For other models, see the notes under “Notices (XR-1000 to XR-6000 Indoor Models)” on page 563. This section contains compliance information for the Xirrus Wireless AP family of products. The compliance information contained in this section is relevant to the European Union and other countries that have implemented the EU Directive 1999/5/EC.
  • Page 570 Français [French] Cet appareil est conforme aux exigences essentielles et aux autres dispositions pertinentes de la Directive 1999/5/EC. Íslenska [Icelandic] Þetta tæki er samkvæmt grunnkröfum og öðrum viðeigandi ákvæðum Tilskipunar 1999/5/EC. Italiano [Italian] Questo apparato é conforme ai requisiti essenziali ed agli altri principi sanciti dalla Direttiva 1999/5/CE.
  • Page 571 Safety: EN 50371 to EN 50385 and EN 60601. CE Marking: For the Xirrus Wireless AP, the CE mark and Class-2 identifier opposite are affixed to the equipment and its packaging. Russian Certification Marking: For the Xirrus XR-500, XR-520H, XR-2000, and XR-4000 Series Wireless APs, the...
  • Page 572 If you need more information on collection, re-use and recycling systems, please contact your local or regional waste administration. Please contact Xirrus for specific information on the environmental performance of our products.
  • Page 573 **France is indoor use only in the upper end of the band. The requirements for any country may change at any time. Xirrus recommends that you check with local authorities for the current status of their national regulations for both 2.4 GHz and 5 GHz wireless LANs.
  • Page 574 Greece: A license from EETT is required for the outdoor operation in the 5470 MHz to 5725 MHz band. Xirrus recommends checking www.eett.gr for more details.
  • Page 575 See National Restrictions in this section for more information. If you still have questions regarding the compliance of Xirrus products or you cannot find the information you are looking for, please contact us at: Xirrus, Inc. 2101 Corporate Center Drive...
  • Page 576: Compliance Information (Non-Eu)

    XD4 and XR500/600 Series only. For other models, see the notes under “Notices (XR-1000 to XR-6000 Indoor Models)” on page 563. This section contains compliance information for the Xirrus Wireless AP family of products. The compliance information contained in this section is relevant to the listed countries (outside of the European Union and other countries that have implemented the EU Directive 1999/5/EC).
  • Page 577 Declaration of Conformity. Mexico: XR-520: Dictamen #: 1402D00742; XR-600: Dictamen #: 1402CE08098; XR-520: Cofetel Cert #: RCPXIXR13-1003. Thailand: This telecommunication equipment conforms to NTC technical requirement.
  • Page 578: Safety Warnings

    “Notices (XR-1000 to XR-6000 Indoor Models)” on page 563. Safety Warnings Read all user documentation before powering this device. All Xirrus interconnected equipment should be contained indoors. This product is not suitable for outdoor operation. Please verify the integrity of the system ground prior to installing Xirrus equipment.
  • Page 579: Translated Safety Warnings

    be installed indoors. This product is not designed for outdoor use. Please verify the integrity of the system ground before installing Xirrus equipment. Also verify that the ambient operating temperature does not exceed 50°C (40°C for XR-520).
  • Page 580: Software License And Product Warranty Agreement

    Software covering the installation, application, and use thereof. 1.2 “Licensor” means Xirrus and its suppliers. 1.3 “Product” means a multi-radio access point containing four or more distinct radios capable of simultaneous operation on four or more non-overlapping channels.
  • Page 581 the Product in accordance with the accompanying Documentation and for no other purpose. 2.2 Ownership. The license granted under Sections 2.1 above with respect to the Software does not constitute a transfer or sale of Licensor's or its suppliers' ownership interest in or to the Software, which is solely licensed to Customer.
  • Page 582 3.0 LIMITED WARRANTY AND LIMITATION OF LIABILITY 3.1 Limited Warranty & Exclusions. Licensor warrants that the Software will perform in substantial accordance with the specifications therefore set forth in the Documentation for a period of ninety [90] days after Customer's acceptance of the terms of this Agreement with respect to the Software (“Warranty Period”).
  • Page 583 3.4 Limitation of Liability. (a) TOTAL LIABILITY. NOTWITHSTANDING ANYTHING ELSE HEREIN, ALL LIABILITY OF LICENSOR AND ITS SUPPLIERS UNDER THIS AGREEMENT SHALL BE LIMITED TO THE AMOUNT PAID BY CUSTOMER FOR THE RELEVANT SOFTWARE, OR PORTION THEREOF, THAT GAVE RISE TO SUCH LIABILITY OR ONE HUNDRED UNITED STATES DOLLARS (US$100), WHICHEVER IS GREATER.
  • Page 584 protective of a party's right in such Confidential Information as those set forth herein. 4.2 Return of Materials. Customer agrees to (i) destroy all Confidential Information (including deleting any and all copies contained on any of Customer's Designated Hardware or the Product) within fifteen (15) days of the date of termination of this Agreement or (ii) if requested by Licensor, return, any Confidential Information to Licensor within thirty (30) days of Licensor's written request.
  • Page 585 6. MISCELLANEOUS If Customer is a corporation, partnership or similar entity, then the license to the Software and Documentation that is granted under this Agreement is expressly conditioned upon and Customer represents and warrants to Licensor that the person accepting the terms of this Agreement is authorized to bind such entity to the terms and conditions herein.
  • Page 586: Hardware Warranty Agreement

    CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE EQUIPMENT EVEN IF Xirrus OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH...
  • Page 587 All information or feedback provided by Customer to Xirrus with respect to the Product shall be Xirrus' property and deemed confidential information of Xirrus.
  • Page 589: Appendix D: Notices (Xr-1000 To Xr-6000 Indoor Models)

    This Appendix contains Notices, Warnings, and Compliance information for all Array models except for the following: For the XR-500/600/XD Series, please see “Notices (XD4 and XR500/600 Series Only)” on page 539. For models including the letter H (such as the XR-520H and XH2- 120), please see the Quick Installation Guide for that model.
  • Page 590 Modifications to the device will void the warranty and may violate FCC regulations. Please go to the Xirrus Web site for a list of all approved antennas. Cable Runs for Power over Gigabit Ethernet (PoGE) If using PoGE, the Array must be connected to PoGE networks without routing cabling to the outside plant —...
  • Page 591 Battery Warning: Caution! The Array contains a battery which is not to be replaced by the customer. Danger of Explosion exists if the battery is incorrectly replaced. Replace only with the same or equivalent type recommended by the manufacturer.
  • Page 592 Under Industry Canada regulations, this radio transmitter may operate with an antenna of a type and maximum (or lesser) gain approved for the transmitter by Industry Canada. To reduce the risk of radio interference to...
  • Page 593: Eu Directive 1999/5/Ec Compliance Information

     This Appendix contains Notices, Warnings, and Compliance information for all Array models except for the XR-500/600/XD Series and models including the letter H. For Notices, Warnings, and Compliance information for those models, see the notes at the beginning of this chapter.
  • Page 595 Safety: EN 50371 to EN 50385 and EN 60601. CE Marking: For the Xirrus Wireless Array, the CE mark and Class-2 identifier opposite are affixed to the equipment and its packaging. Russian Certification Marking: For the Xirrus XR-500, XR-520H, XR-2000, and XR-4000 Series Wireless Arrays,...
  • Page 599 National Restrictions in this section for more information. Russia CU Approval (XR-2000/4000 Series) If you still have questions regarding the compliance of Xirrus products or you cannot find the information you are looking for, please contact us at: Xirrus, Inc.
  • Page 600: Compliance Information (Non-Eu)

    This Appendix contains Notices, Warnings, and Compliance information for all Array models except for the XR-500/600/XD Series and models including the letter H. For information for those models, see the notes at the start of this chapter.
  • Page 601 —Brazil Declaration of Conformity: XR-1000, XR-2000, XR-4000...
  • Page 602: Safety Warnings

    Safety Warnings Read all user documentation before powering this device. All Xirrus interconnected equipment should be contained indoors. This product is not suitable for outdoor operation. Please verify the integrity of the system ground prior to installing Xirrus equipment.
  • Page 603: Translated Safety Warnings

     This Appendix contains Notices, Warnings, and Compliance information for all Array models except for the XR-500/600/XD Series and models including the letter H. For Notices, Warnings, and Compliance information for those models, see the notes at the beginning of this chapter.
  • Page 604: Software License And Product Warranty Agreement

    Software covering the installation, application, and use thereof. 1.2 “Licensor” means XIRRUS and its suppliers. 1.3 “Product” means a multi-radio access point containing four or more distinct radios capable of simultaneous operation on four or more non-overlapping channels.
  • Page 610: Hardware Warranty Agreement

    AGREEMENT, RETURN THE UNUSED PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND. LIMITED WARRANTY. Xirrus warrants that for a period of five years from the date of purchase by the original purchaser (“Customer”): (i) the Xirrus Equipment (“Equipment”) will be free of defects in materials and workmanship under normal use;...
  • Page 613: Appendix E: Medical Usage Notices

    Guidance and manufacturer’s declaration – electromagnetic emissions The Xirrus wireless device is intended for use in the electromagnetic environment specified below. The customer or the user of the Xirrus device should assure that it is used in such an environment. Electromagnetic environment – guidance...
  • Page 614 Guidance and manufacturer’s declaration – electromagnetic immunity Xirrus wireless devices are intended for use in the electromagnetic environment specified below. The customer or the user of the Xirrus wireless device should assure that it is used in such an environment.
  • Page 615 Guidance and manufacturer’s declaration – electromagnetic immunity Xirrus wireless devices are intended for use in the electromagnetic environment specified below. The customer or the user of the Xirrus device should assure that it is used in such an environment. Immunity test...
  • Page 616 Xirrus wireless devices are intended for use in an electromagnetic environment in which radiated RF disturbances are controlled. The customer or the user of the Xirrus wireless device can help prevent electromagnetic interference by maintaining a minimum distance between portable and...
  • Page 617 128 132 136 140 144. UNI III – Non-DFS Channels: 149 153 157 161 165. Both single channels (20MHz bandwidth) and bonded channels (40MHz bandwidth) are supported. Xirrus wireless devices may be interfered with by other equipment, even if that other equipment complies with CISPR EMISSION requirements. Section 5.2.2.6: The types of modulation used include CCK, QPSK, BPSK, DSS, OFDM, 16-QAM, and 64-QAM....
  • Page 618 Maximum EIRP: 2.4GHz: 36dBm; 5150-5250MHz: 23dBm; 5250-5350MHz: 30dBm; 5470-5725MHz: 30dBm; 5725-5850MHz: 36dBm...
  • Page 619: Appendix F: Auditing Pci Dss

    The Payment Card Industry (PCI) Data Security Standard (DSS) was developed by major credit card companies to help those that process credit card transactions (or cardholder information) in order to secure cardholder information and protect it from unauthorized access, fraud and other security issues.
  • Page 620: Pci Dss And Wireless

    Requirement 12: Maintain a policy that addresses information security. PCI DSS and Wireless The Xirrus AP provides numerous security features that allow it to be a component of a PCI DSS-compliant network. The following sections indicate the specific features that allow the AP to operate in a PCI DSS mode.
  • Page 621: The Xirrus Ap Pci Compliance Configuration

    User’s Guide. Xirrus AP Configuration for PCI DSS: Register at the Xirrus Support Site to ensure notification and access to software updates. (See: support.xirrus.com.) Confirm that the latest version of AOS is being used by checking the Xirrus web site.
  • Page 622: The Pci-Audit Command

    Xirrus AP Configuration for PCI DSS: Check that external RADIUS servers have been configured for use with 802.1x and WPA/WPA2 wireless security. (See: SSIDs, p. 267 and Global Settings, p. 249.)...
  • Page 623: Additional Resources

    The pci-audit command checks items such as:
    • Telnet is disabled.
    • Admin RADIUS is enabled (admin login authentication is via RADIUS server).
    • An external Syslog server is in use.
    • All SSIDs must set encryption to WPA or better (which also enforces 802.1x authentication).
    Sample output from this command is shown below.
  • Page 625: Appendix G: Implementing Fips Security

    Processing Standard (FIPS) Publication 140-2. This appendix lists simple steps that must be followed exactly to implement FIPS 140-2, Level 2 on Xirrus APs. The procedures include physical actions, and parameters that must be set in the Web Management Interface (WMI) or Command Line Interface (CLI).
  • Page 626: Applying Tamper Evident Seals

    IMPORTANT: Before you apply the tamper-evident seal, clean the area of any grease, dirt, or oil. We recommend using alcohol-based cleaning pads for this. Each seal must be applied to straddle both sides of an opening or seam so that it will show if an attempt has been made to open or tamper with the AP or enclosure.
  • Page 627: To Implement Fips 140-2, Level 2 Using Wmi

    Each seal straddles both sides of an opening. Figure 230. Tamper Evident Seal Application Close-up. Apply four seals, near the middle of each of the sides of the enclosure and straddling the slight gap between the metal back and the plastic dome cover as shown below.
  • Page 628: Figure 231. Ap Information

    Step Figure 231. AP Information If you need to run a different software release, first log in to your account at support.xirrus.com. Download the desired FIPS-certified software image (see the Note on page 599). Click Tools > System Tools in the menu on the left of the WMI window.
  • Page 629: Figure 232. Security - Management Control Window

    You may now proceed to define SSIDs, as described in “SSIDs” on page 227.
  • Page 630: To Implement Fips 140-2, Level 2 Using Cli

    For details of the settings that are enforced for FIPS Level 2, see “About FIPS Configuration” on page 605. The following steps must be performed in the order shown — you must enable FIPS 140-2 before you create SSIDs.
  • Page 631: About Fips Configuration

    In the CLI, enter show management and check the FIPS 140-2 Mode setting. See Also: The Web Management Interface, The Command Line Interface. About FIPS Configuration: When you put the AP in FIPS mode, it checks that the following settings are in effect, and changes them as needed.
  • Page 632 These additional features are not allowed in FIPS mode: FTP, TFTP, and zero-touch activation. Only FIPS approved ciphers are used for SSH/HTTPS in FIPS mode. When FIPS mode is enabled/disabled, CSPs (critical security parameters) are zeroed, configuration is saved and the system is rebooted.
  • Page 633 Glossary of Terms. 802.11a: A supplement to the IEEE 802.11 WLAN specification that describes radio transmissions at a frequency of 5 GHz and data rates of up to 54 Mbps. 802.11ac: A supplement to the IEEE 802.11 WLAN specification. Operates in the 5 GHz range, using a number of advanced techniques to achieve a maximum speed of 1.3 Gbps.
  • Page 634 AES (Advanced Encryption Standard): A data encryption scheme that uses three different key sizes (128-bit, 192-bit, and 256-bit). AES was adopted by the U.S. government in 2002 as the encryption standard for protecting sensitive but unclassified electronic data. authentication: The process that a station, device, or user employs to announce its identity to the network which validates it.
  • Page 635 CDP (Cisco Discovery Protocol): CDP is a layer 2 network protocol which runs on most Cisco equipment and some other network equipment. It is used to share information with other directly connected network devices. Information such as the model, network capabilities, and IP address is shared. Wireless APs can both advertise their presence by sending CDP announcements, and gather and display information sent by neighbors.
  • Page 636 DNS (Domain Name System): A system that maps meaningful domain names with complex numeric IP addresses. DNS is actually a separate network — if one DNS server cannot translate a domain name, it will ask a second or third until a server is found with the correct IP address.
  • Page 637 EDCF (Enhanced Distributed Coordinator Function): An extension which uses the same contention-based access mechanism as current devices but adds “offset contention windows” that separate high priority packets from low priority packets (by assigning a larger random backoff window to lower priorities than to higher priorities).
  • Page 638 Gigabit 1 through 4: The Gigabit Ethernet interfaces on XR Series APs. XR-4000 Series APs have two gigabit interfaces, while XR-6000 Series and higher models have four gigabit interfaces. See also, Gigabit Ethernet. Gigabit Ethernet: A version of Ethernet with data transfer rates of 1 Gigabit (1,000 Mbps). Group: A user group, created to define a set of attributes (such as VLAN, traffic limits, and Web Page Redirect) and privileges (such as fast roaming) that apply to all...
  • Page 639 This refers to the optional Xirrus-supplied Power over Gigabit Ethernet modules that provide DC power to APs. Power is supplied over the same Cat 5e or Cat 6 cable that supplies the data connection to your gigabit Ethernet switch, thus eliminating the need to run a power cable.
  • Page 640 preamble: Preamble (sometimes called a header) is a section of data at the head of a packet that contains information that the access point and client devices need when sending and receiving packets. PLCP: Has two structures, a long and a short preamble.
  • Page 641 SDMA (Spatial Division Multiple Access): A wireless communications mode that optimizes the use of the radio spectrum and minimizes cost by taking advantage of the directional properties of antennas. The antennas are highly directional, allowing duplicate frequencies to be used for multiple zones. SNMP (Simple Network Management Protocol): A standard protocol that regulates network management over the Internet.
  • Page 642 subnet mask: A mask used to determine what subnet an IP address belongs to. An IP address has two components: (1) the network address and (2) the host address. For example, consider the IP address 150.215.017.009. Assuming this is part of a Class B network, the first two numbers (150.215) represent the Class B network address, and the second two numbers (017.009) identify a particular host on this network.
  • Page 643 multiple switches from different vendors. This interoperability and traffic containment across different switches is the result of a switch's ability to use and recognize 802.1Q tag headers — called VLAN tagging. Switches that implement 802.1Q tagging add this tag header to the frame directly after the destination and source MAC addresses.
  • Page 644 WPA, WPA2 is designed to secure all versions of 802.11 devices, including 802.11a, 802.11b, 802.11g, and 802.11n, multi-band and multi-mode. Xirrus Management System (XMS) A Xirrus product used for managing large Wireless AP deployments from a centralized Web-based interface. Xirrus Release 7.5...
  • Page 662 2101 Corporate Center Drive Thousand Oaks, CA 91320, USA © 201 Xirrus, Inc. All Rights Reserved. The Xirrus logo is a registered trademark of Xirrus, Inc. 800-0022-001R All other trademarks are the property of their respective owners. Content subject to change without notice.

This manual is also suitable for:

Xr series
