HP MSM7xx Controllers Management and Configuration Guide
5400zl Switches
HP MSM7xx Controllers
Installation and Getting Started Guide
Management and Configuration Guide

   Summary of Contents for HP MSM7xx

  • Page 1

    HP MSM7xx Controllers Management and Configuration Guide 5400zl Switches HP MSM7xx Controllers Installation and Getting Started Guide Management and Configuration Guide...

  • Page 3

    HP MSM7xx Controllers Management and Configuration Guide...

  • Page 4

    Hewlett-Packard. connection with the furnishing, performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Publication Number 5998-1136, January 2011.

  • Page 5: Table Of Contents

    About this guide ......................1-2 Products covered....................1-2 Important terms .....................1-3 Conventions ......................1-4 New in this release ......................1-6 Introducing the MSM7xx Controllers ................1-7 Simplified configuration, deployment, and operation ........1-7 Controller teaming ....................1-8 Seamless mobility....................1-9 Best-in-class public/guest network access service .........1-11 Safety information......................1-12 HP support ........................1-13...

  • Page 6: Table Of Contents

    Contents SNMP ...........................2-13 Configuring the SNMP agent................2-13 SOAP ..........................2-16 Configuring the SOAP server ................2-16 CLI ..........................2-17 Configuring CLI support ..................2-18 System time.........................2-19 Network configuration Port configuration ......................3-3 LAN port configuration..................3-4 Internet port configuration...................3-5 PPPoE client ......................3-6 DHCP client......................3-8 Static addressing....................3-9 Network profiles ......................3-12 About the default network profiles ..............3-12 To define a network profile ................3-12...

  • Page 7: Table Of Contents

    Contents IP routes ........................3-27 Configuration .......................3-28 Network address translation (NAT).................3-30 NAT security and static mappings..............3-30 VPN One-to-one NAT...................3-33 RIP..........................3-33 IP QoS ..........................3-34 Configuration .......................3-34 Example........................3-35 IGMP proxy .........................3-37 Wireless configuration Wireless coverage......................4-2 Factors limiting wireless coverage..............4-2 Configuring overlapping wireless cells...............4-3 Supporting 802.11n and legacy wireless clients ..........4-7 Radio configuration .....................4-8 Radio configuration parameters ................4-18...

  • Page 8: Table Of Contents

    Contents Summary of VSC configuration options .............5-8 Access control......................5-9 Virtual AP......................5-10 VSC ingress mapping...................5-16 VSC egress mapping ....................5-17 Bandwidth control....................5-17 Default user data rates..................5-18 Wireless mobility ....................5-18 Fast wireless roaming ..................5-20 Wireless security filters..................5-20 Wireless protection....................5-23 802.1X authentication ..................5-26 RADIUS authentication realms................5-26 HTML-based user logins ..................5-27 VPN-based authentication ..................5-28 MAC-based authentication .................5-28...

  • Page 9: Table Of Contents

    Contents Creating a new VSC....................5-44 Assigning a VSC to a group ..................5-44 Working with controlled APs Key concepts.........................6-3 Key controlled-mode events ..................6-4 Discovery of controllers by controlled APs..............6-6 Discovery overview ....................6-6 Discovery methods....................6-7 Discovery order .....................6-9 Discovery recommendations ................6-10 Discovery priority....................6-11 Discovery considerations ...................6-13 Monitoring the discovery process ..............6-13 Authentication of controlled APs................6-19...

  • Page 10: Table Of Contents

    Contents AeroScout RTLS ......................6-40 Software retrieval/update..................6-42 Monitoring........................6-42 Working with VLANs Key concepts.........................7-2 VLAN usage ......................7-2 Defining a VLAN ......................7-3 Creating a network profile ...................7-3 Defining a VLAN ....................7-4 Defining a VLAN on a controller port ..............7-4 User-assigned VLANs ....................7-6 Traffic flow for wireless users ..................7-6 Traffic flow examples ....................7-10 Example 1: Overriding the VSC egress on a controller with a user-assigned VLAN ........................7-10...

  • Page 11: Table Of Contents

    Contents Viewing all team members ..................8-16 Team configuration ....................8-17 Accessing the team manager................8-18 Team configuration options ................8-18 Removing a controller from a team ..............8-19 Editing team member settings ................8-20 Discovery of a controller team by controlled APs ..........8-22 Failover........................8-22 Supporting N + N redundancy ................8-22 Primary team manager failure ................8-24 Mobility support ......................8-26 Single controller team operating alone.............8-27...

  • Page 12: Table Of Contents

    Contents Scenario 1: Centralizing traffic on a controller ............9-21 How it works ......................9-21 Configuration overview ..................9-21 Scenario 2: Centralized traffic on a controller with VLAN egress .......9-24 How it works ......................9-24 Configuration overview ..................9-24 Scenario 3: Centralized traffic on a controller with per-user traffic routing ..9-28 How it works ......................9-28 Configuration overview ..................9-28 Scenario 4: Assigning home networks on a...

  • Page 13: Table Of Contents

    Contents Configuring MAC-based authentication on a VSC.........10-17 Configuring MAC-based authentication on an MSM317 switch port ..10-19 Configuring MAC-based filters on a VSC............10-19 Configuring MAC-based filters on an MSM317 switch port ......10-20 HTML-based authentication..................10-22 Configuring HTML-based authentication on a VSC ........10-22 VPN-based authentication..................10-24 Configuring VPN-based authentication on a VSC..........10-24 No authentication.....................10-26...

  • Page 14: Table Of Contents

    Contents Customizing the firewall..................12-4 Working with certificates ..................12-5 Trusted CA certificate store ................12-5 Certificate and private key store ...............12-7 Certificate usage ....................12-9 About certificate warnings ................12-10 IPSec certificates ....................12-11 MAC lockout ......................12-13 Local mesh Key concepts.......................13-2 Simultaneous AP and local mesh support............13-2 Using 802.11a/n for local mesh ................13-3 Quality of service....................13-3 Maximum range (ack timeout) ................13-4...

  • Page 15: Table Of Contents

    Contents The public access interface................14-5 Location-aware ....................14-7 Configuring global access control options .............14-8 User authentication .....................14-9 Client polling ......................14-10 User agent filtering ....................14-10 Zero configuration .....................14-11 Location configuration..................14-12 Display advertisements..................14-12 Public access interface control flow ..............14-13 Customizing the public access interface...............14-14 Sample public access pages ................14-15 Common configuration tasks................14-15 Setting site configuration options ................14-19...

  • Page 16: Table Of Contents

    Contents Billing records log .....................14-47 Location-aware authentication................14-48 How it works ......................14-48 Example......................14-50 Security .......................14-50 Working with RADIUS attributes Introduction ........................15-3 Controller attributes overview .................15-4 Customizing the public access interface using the site attribute ....15-4 Defining and retrieving site attributes ..............15-5 Controller attribute definitions................15-8 User attributes ......................15-13 Customizing user accounts with the user attribute ........15-13...

  • Page 17: Table Of Contents

    Contents Redirect URL......................15-59 NOC authentication...................15-62 HP WISPr support .....................15-62 Traffic forwarding (dnat-server)..............15-63 Multiple DNAT servers..................15-64 Colubris AV-Pair - User attribute values..............15-67 Access list ......................15-67 Advertising ......................15-68 Bandwidth level ....................15-68 Data rate ......................15-69 One-to-one NAT ....................15-69 Public IP address ....................15-70 Quotas .........................15-70 Redirect URL......................15-71...

  • Page 18: Table Of Contents

    Contents Working with VPNs Overview ........................16-2 Securing wireless client sessions with VPNs............16-3 Configure an IPSec profile for wireless client VPN ........16-4 Configure L2TP server for wireless client VPN ..........16-5 Configure PPTP server for wireless client VPN ..........16-5 VPN address pool ....................16-5 Securing controller communications to remote VPN servers ......16-6 Configure an IPSec policy for a remote VPN server ........16-7 Configure PPTP client for a remote VPN server ..........16-8...

  • Page 19: Table Of Contents

    Contents Configuring and activating sFlow ................18-3 Advanced sFlow configuration................18-5 Working with autonomous APs Key concepts.......................19-2 Autonomous AP detection .................19-3 Viewing autonomous AP information ...............19-3 Switching a controlled AP to autonomous mode..........19-4 Configuring autonomous APs...................19-5 VSC definitions ....................19-5 Working with third-party autonomous APs ............19-6 VSC selection .......................19-6 Maintenance Config file management.....................20-2...

  • Page 20: Table Of Contents

    Contents Safety and EMC regulatory statements Safety Information ...................... A-2 Informations concernant la sécurité................. A-2 Hinweise zur Sicherheit....................A-3 Considerazioni sulla sicurezza .................. A-4 Consideraciones sobre seguridad ................A-5 Safety Information (Japan) ..................A-6 Safety Information (China) ..................A-7 EMC Regulatory Statements..................A-8 U.S.A........................

  • Page 21: Table Of Contents

    Contents NOC authentication Main benefits ....................... D-2 How it works........................ D-2 Activating a remote login page with NOC authentication ........D-4 Addressing security concerns..................D-5 Securing the remote login page ................D-5 Authenticating with the login application ............D-6 Authenticating the controller................D-6 NOC authentication list ..................

  • Page 24: About This Guide

    About this guide. This guide explains how to configure and operate the MSM7xx Controllers. It also provides controlled-mode information for MSM3xx and MSM4xx Access Points and the MSM317 Access Device. For information on the operation of access points that support autonomous mode, see the MSM3xx/MSM4xx Access Points Management and Configuration Guide.

  • Page 25: Important Terms

    The following terms are used in this guide. Term: AP. Description: Refers to any HP MSM3xx or MSM4xx Access Point or the MSM317 Access Device, which is an AP with an integrated Ethernet switch. Specific model references are used where appropriate. Non-HP access points are identified as third-party APs.

  • Page 26: Conventions

    Example directions in this guide What to do in the user interface Select Controller >> Security > Firewall. On a non-teamed MSM7xx controller In the Network Tree select the Controller element, then on the main menu select Security, and then select Firewall on the sub-menu.

  • Page 27

    Commands and program listings. Monospaced text identifies commands and program listings as follows:
    Example: use-access-list. Description: Command name. Specify it as shown.
    Example: ip_address. Description: Items in italics are parameters for which you must supply a value.
    Example: ssl-certificate=URL [%s]. Description: Items enclosed in square brackets are optional. You can either include them or not.

  • Page 28: New In This Release

    Introduction New in this release New in this release The following new features and enhancements have been added in releases 5.5.x: New feature or enhancement For information see... New APs This release supports the following new 802.11n dual-radio access points: E-MSM430, E-MSM460, and E-MSM466. For information, see the Quickstarts for these products.

  • Page 29: Introducing The Msm7xx Controllers

    Introducing the MSM7xx Controllers Introducing the MSM7xx Controllers MSM7xx Controllers provide centralized management and control of intelligent HP MSM APs for a wide range of deployments, from small Internet cafes and businesses, to large corporations and institutions, and even entire towns.

  • Page 30: Controller Teaming

    Introduction Introducing the MSM7xx Controllers Controller managing APs installed in different areas at a single location Controller Backbone Network Secure management tunnels Area #1 Area #2 Area #3 Controller teaming Controller teaming enables you to easily configure and monitor multiple controllers and their APs.

  • Page 31: Seamless Mobility

    Introduction Introducing the MSM7xx Controllers APs, including newly discovered APs. It also displays status information for all team members and their APs, as well as APs directly connected to the manager. The team manager is responsible for enforcing and updating the firmware of team members.

  • Page 32

    Introduction Introducing the MSM7xx Controllers The following diagram shows a deployment where the wireless traffic for each user is egressed onto a specific network segment by assigning a home network to each user. Traffic is sent to a different wired network based on the...

  • Page 33: Best-in-class Public/guest Network Access Service

    Introduction Introducing the MSM7xx Controllers Best-in-class public/guest network access service Designed to deliver the best possible user experience, the public/guest network access feature adapts to any client device IP address and Web proxy settings, enabling users to connect without reconfiguring their computers.

  • Page 34: Safety Information

    (except for outdoor models / antennas), including all PoE- powered network connections as described by Environment A of the IEEE 802.3af standard. Servicing There are no user-serviceable parts inside HP MSM7xx products. Any servicing, adjustment, maintenance, or repair must be performed only by trained service personnel. 1-12...

  • Page 35: Hp Support

    ProCurve. Additionally, your HP-authorized networking products reseller can provide you with assistance. Before contacting support To make the support process most efficient, before calling your networking dealer or HP Support, you first should collect the following information: Collect this information Where to find it Product identification.

  • Page 36

    Introduction Online documentation 1-14...

  • Page 37

    Chapter 2: Management Management Contents Management tool......................2-2 Management scenarios ..................2-2 Management station ....................2-2 Starting the management tool................2-2 Customizing management tool settings..............2-3 Password security policies...................2-7 Management tool security features ..............2-8 Web server ......................2-8 Auto-refresh ......................2-9 Device discovery ......................2-9 Mobility controller discovery................2-10 Controlled AP discovery..................2-11 SNMP ...........................2-13 Configuring the SNMP agent................2-13...

  • Page 38: Management Tool

    Management Management tool Management tool The management tool is a Web-based interface to the controller that provides easy access to all configuration and monitoring functions. Management scenarios For complete flexibility, you can manage the controller both locally and remotely. The following management scenarios are supported: Local management using a computer that is connected to the LAN or Internet port on the ...

  • Page 39: Customizing Management Tool Settings

    Management Management tool Customizing management tool settings To customize management tool settings, select Controller >> Management > Management tool.

  • Page 40

    Administrative user authentication. Login credentials for administrative users can be verified using local account settings and/or an external RADIUS server. Local account settings: a single manager account and a single operator account can be configured locally under Manager account and Operator account on this page. ...

  • Page 41

    Manager and Operator accounts. Two types of administrative accounts are defined: manager and operator. The manager account provides full management tool rights. The operator account provides read-only rights plus the ability to disconnect wireless clients and perform troubleshooting. Only one administrator (manager or operator) can be logged in at any given time.

  • Page 42

    Passwords. Passwords must be 6 to 16 printable ASCII characters in length with at least 4 different characters. Passwords are case sensitive. Space characters and double quotes ( " ) cannot be used. Passwords must also conform to the selected security policy as described below. Manager username/password reset: not supported on the MSM-765.
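    The password rules above are easy to get wrong when credentials are set by automation rather than typed into the management tool. The following pre-flight check is an added example, not code from HP or the controller firmware; it enforces only the rules stated on this page (length, distinct-character count, printable ASCII, no space or double quote) and deliberately does not model the separately selected security policy, which adds constraints this summary does not list.

```python
"""Pre-flight check of an MSM7xx administrative password against the rules
stated in the guide: 6 to 16 printable ASCII characters, at least 4 distinct
characters, case sensitive, no spaces and no double quotes.

Added example, not HP code. The controller's selectable security policy adds
further constraints that are not reproduced here.
"""

MIN_LEN, MAX_LEN = 6, 16
MIN_DISTINCT = 4
FORBIDDEN = {" ", '"'}


def check_admin_password(password: str) -> list[str]:
    """Return every rule violation found; an empty list means the password
    satisfies all the rules the guide states."""
    problems = []
    if not (MIN_LEN <= len(password) <= MAX_LEN):
        problems.append(f"length {len(password)} not in {MIN_LEN}..{MAX_LEN}")
    # Printable ASCII is 0x20..0x7E. Space is printable but is banned separately
    # below, so it is not reported twice.
    if any(not (0x20 <= ord(c) <= 0x7E) for c in password):
        problems.append("contains non-printable or non-ASCII characters")
    bad = FORBIDDEN.intersection(password)
    if bad:
        problems.append("contains forbidden characters: "
                        + ", ".join(repr(c) for c in sorted(bad)))
    # Passwords are case sensitive, so 'a' and 'A' count as distinct characters.
    distinct = len(set(password))
    if distinct < MIN_DISTINCT:
        problems.append(f"only {distinct} distinct characters (need {MIN_DISTINCT})")
    return problems


def is_valid_admin_password(password: str) -> bool:
    """True when check_admin_password() reports nothing."""
    return not check_admin_password(password)


if __name__ == "__main__":
    # Constructed candidates covering each rule.
    for candidate in ["admin", "aaaaab", 'pa"ss word', "Tr0ub4dor&3", "x" * 17]:
        print(f"{candidate!r}: {check_admin_password(candidate) or 'OK'}")
```

    Run it over the credential set you intend to push (for example through the SOAP interface described later in this chapter) before the change window, so a rejected password does not leave the manager account in an unknown state.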

  • Page 43: Password Security Policies

    A typical session looks like this:
    127.0.0.1 login: emergency
    -------------------------- Emergency Menu --------------------------
    Device information
      Serial number: SG9603P004
      IP address: 16.90.48.186
    Select one of the following options:
      1. Reset both the manager username and password to "admin"
      0.

  • Page 44: Management Tool Security Features

    The settings under Account inactivity logout must be configured as follows: Timeout must be set to 15 minutes or less. For more information on these guidelines, refer to the Payment Card Industry Data Security Standard v1.2 document. Management tool security features: the management tool is protected by the following security features: ...

  • Page 45: Auto-refresh

    Auto-refresh. This option controls how often the controller updates the information in group boxes that show the auto-refresh icon in their title bar. Under Interval, specify the number of seconds between refreshes. Device discovery: use this page to define discovery options for: ...

  • Page 46: Mobility Controller Discovery

    Management Device discovery On a controller team Mobility controller discovery The wireless mobility feature defines a mobility domain, which is an interconnection between multiple controllers for the purpose of exchanging mobility information on wireless users. For more information, see Chapter 9: Mobility traffic manager.

  • Page 47: Controlled Ap Discovery

    Controller discovery and teaming. When teaming is active, several configuration scenarios are possible. Teamed controllers operating in conjunction with one or more non-teamed controllers: set the team as the primary mobility controller. On the other controllers, set the IP address of primary mobility controller parameter to the team IP address.

  • Page 48

    The following table shows how discovery would occur for several teamed and non-teamed controllers. Columns: Controller or Team; Configured discovery priority setting; Actual order of discovery by APs. Rows: Controller 1, Controller 2, Controller 3, Team 1, Team 2, Team 3. Active interfaces: select the physical interfaces on which the controller or team manager will listen for...

  • Page 49: Snmp

    SNMP. The controller provides an SNMP implementation supporting both industry-standard and custom MIBs. For information on supported MIBs, see the MSM SNMP MIB Reference Guide. Configuring the SNMP agent: select Controller >> Management > SNMP to open the SNMP agent configuration page. By default, the SNMP agent is enabled (SNMP agent configuration in the title bar is checked) and is active on the LAN port.

  • Page 50

    Management SNMP Attributes System name Specify a name to identify the controller. By default, this is set to the serial number of the controller. Location Specify a descriptive name for the location where the controller is installed. Contact Contact information for the controller. Port Specify the UDP port and protocol the controller uses to respond to SNMP requests.

  • Page 51

    Management SNMP v3 users This table lists all defined SNMP v3 users. To add a new user, select Add New User. Up to five users are supported. To edit a user, select its link in the Username column. Username The SNMP v3 username. Security Security protocol defined for the user.

  • Page 52: Soap

    The controller provides a SOAP interface that can be used by SOAP-compliant client applications to perform configuration and management tasks. An MSM SOAP/XML SDK zip file is available at www.hp.com/networking/SOAP-XML-SDK. Look for the file corresponding to your MSM software version.

  • Page 53

    TCP port: specify the number of the TCP port that SOAP uses to communicate with remote applications. Default is 448. Security: use these settings to control access to the SOAP interface. Allowed addresses: list of IP addresses from which access to the SOAP interface is permitted.

  • Page 54: Configuring Cli Support

    Management Configuring CLI support Select Controller >> Management > CLI to open the Command Line Interface (CLI) configuration page. Secure shell access Enable this option to allow access to the CLI via an SSH session. The CLI supports SSH on the standard TCP port (22).

  • Page 55: System Time

    Management System time Local manager account The login username and password are the same as those defined for the local manager account. If this account is disabled, the last known username and password for this account are used. Administrative user authentication settings The login username and password use the same settings (Local and/or RADIUS) as defined for the manager account under Administrative user authentication.

  • Page 56

    By default, the list contains two NTP vendor zone pools that are reserved for HP devices. By using these pools, you get better service and avoid overloading the standard ntp.org servers. For more information refer to pool.ntp.org.

  • Page 57

    Chapter 3: Network configuration Network configuration Contents Port configuration ......................3-3 LAN port configuration..................3-4 Internet port configuration...................3-5 PPPoE client ......................3-6 DHCP client......................3-8 Static addressing....................3-9 Network profiles ......................3-12 About the default network profiles ..............3-12 To define a network profile ................3-12 Address allocation......................3-13 DHCP server......................3-14 DHCP relay agent ....................3-16 VLAN support ......................3-19...

  • Page 58

    Network configuration IP routes ........................3-27 Configuration .......................3-28 Network address translation (NAT).................3-30 NAT security and static mappings..............3-30 VPN One-to-one NAT...................3-33 RIP..........................3-33 IP QoS ..........................3-34 Configuration .......................3-34 Example ........................3-35 IGMP proxy .........................3-37...

  • Page 59: Port Configuration

    Port configuration. The Port configuration page displays summary information about all ports, VLANs, and GRE tunnels. Open this page by selecting Controller >> Network > Ports. Port configuration information: Status indicator, the operational state of each port, as follows: ...

  • Page 60: Lan Port Configuration

    Network configuration Port configuration LAN port configuration The LAN port is used to connect the controller to a wired network. To verify and possibly adjust LAN port configuration, select Controller >> Network > Ports > LAN port. Addressing options The LAN port must be configured with a static IP address, because the controller cannot function as a DHCP client on the LAN port.

  • Page 61: Internet Port Configuration

    Internet port configuration. To verify and possibly adjust Internet port configuration, select Controller >> Network > Ports > Internet port. Addressing options: the Internet port supports the following addressing options: PPPoE client on page 3-6, ...

  • Page 62: Pppoe Client

    Note: if you enable this feature you should not assign static NAT mappings in the range 5000 to 10000. Size of port range: sets the number of TCP and UDP ports reserved for each user. PPPoE client: to configure the PPPoE client on the Internet port, select Controller >>...

  • Page 63

    Network configuration Port configuration Un-numbered mode This feature is useful when the controller is connected to the Internet and NAT is not being used. Instead of assigning two IP addresses to the controller, one to the Internet port and one to the LAN port, both ports can share a single IP address.

  • Page 64: Dhcp Client

    DHCP client. To configure the DHCP client on the Internet port, select Controller >> Network > Ports and then select DHCP Client and then Configure. Settings: DHCP client ID, specify an ID to identify the controller to the DHCP server. Assigned by DHCP server: these settings are assigned to the controller by your service provider's DHCP server.

  • Page 65: Static Addressing

    Release: select to release the controller IP address. Renew: select to renew the controller IP address. Static addressing: to configure static addressing on the Internet port, select Controller >> Network > Ports and then select Static and then Configure. Port settings: IP address, specify the static IP address you want to assign to the port.

  • Page 66

    To reduce the number of addresses that need to be defined, the controller will use the same address for multiple users as long as they are establishing a connection with different VPN servers. Use this feature when all of the following conditions are true: users intend to make IPSec or PPTP VPN connections with a remote site via the Internet; ...

  • Page 67

    Network configuration Port configuration Public IP addresses are assigned by the integrated DHCP server using the addresses specified in the Address pool. Whenever possible, this feature will assign the same public IP address to a user each time they connect. When you enable public IP address support in a subscription plan, an additional setting is available called Reserve public IP address.

  • Page 68: Network Profiles

    Network profiles. Network profiles let you define the characteristics of a network and assign a friendly name to it. Profiles make it easy to configure the same settings in multiple places on the controller. For example, if you define a profile with a VLAN ID of 10, you could use that profile to: ...

  • Page 69: Address Allocation

    Network configuration Address allocation 2. Select Add New Profile. 3. Configure profile settings as follows:
      • Under Settings, specify a Name for the profile.
      • To assign a VLAN, select VLAN and then specify an ID. If the profile will be used on an Ethernet port, you can also define a range of VLANs. This enables a single VLAN definition to span a large number of contiguously assigned VLANs.

  • Page 70: Dhcp Server

    Network configuration Address allocation DHCP server The DHCP server can be used to automatically assign IP addresses to devices that are connected to the controller via the LAN port or client data tunnel. Note: Do not enable the DHCP server if the LAN port is connected to a network that already has an operational DHCP server.

  • Page 71

    Network configuration Address allocation Addresses Start / End Specify the starting and ending IP addresses that define the range of addresses the DHCP server can assign to client stations. The address assigned to the controller is automatically excluded from the range. Gateway Specify the IP address of the default gateway the controller will assign to DHCP users.

  • Page 72: Dhcp Relay Agent

    This list is sent to all devices that request an IP address, encoded as DHCP option 43 (Vendor-specific information). However, this information is only interpreted by HP ProCurve APs that are operating in controlled mode. Controlled mode APs use these addresses to connect with the controllers in the order that they appear in the list.

  • Page 73

    Network configuration Address allocation Note: For additional flexibility, separate DHCP relay agents can be enabled on access-controlled VSCs. See DHCP relay agent on page 5-31. Use the following guidelines when configuring DHCP relay:
      • Routes must be defined on the DHCP server, so that the DHCP server can successfully send DHCP response packets back to the DHCP relay agent running on the controller.

  • Page 74

    Network configuration Address allocation The following two fields let you attach information to the DHCP request (as defined by DHCP relay agent information option 82) which lets the DHCP server identify the controller.
      • Circuit ID: Use this field to identify the user that issued the DHCP request. ...

  • Page 75: Vlan Support

    Network configuration VLAN support For L2 connected APs operating in controlled mode:
      • Enable the Client data tunnel option under Settings. (If teaming is active, the client data tunnel is automatically used.)
      • Enable the Always tunnel client traffic option on the VSC profile page under Virtual AP >...

  • Page 76

    Network configuration GRE tunnels To add a tunnel, select Add New GRE Tunnel. The Add/Edit GRE tunnel page opens. Define tunnel settings as follows:
      • Name: Tunnel name.
      • Local tunnel IP address: Specify the IP address of the controller inside the tunnel. ...

  • Page 77: Bandwidth Control

    Network configuration Bandwidth control Bandwidth control The controller incorporates a bandwidth management feature that enables control of all user traffic flowing through the controller. To configure Bandwidth management, select Controller >> Network > Bandwidth Control. Bandwidth control has two separate components: Internet port data rate limits and bandwidth levels.

  • Page 78: Internet Port Data Rate Limits

    Network configuration Bandwidth control Internet port data rate limits These settings enable you to limit the total incoming or outgoing data rate on the Internet port. If traffic exceeds the rate you set for short bursts, it is buffered. Long overages will result in data being dropped.

  • Page 79: Example

    Network configuration Bandwidth control Note:
      • Management traffic (which includes RADIUS, SNMP, and administrative sessions) is assigned to bandwidth level Very High and cannot be changed.
      • All traffic assigned to a particular bandwidth level shares the allocated bandwidth for that level across all VSCs.

  • Page 80: Discovery Protocols

    Network configuration Discovery protocols Since both High and Normal require bandwidth in excess of their guaranteed minimum, each is allocated their guaranteed minimum. This leaves 40% of the bandwidth free to be assigned on a priority basis. High has more priority than Normal, so it takes as much bandwidth as needed.

  • Page 81

    Network configuration The controller always listens for CDP information on the LAN and Internet ports, even when this option is disabled, to build a list of autonomous APs. CDP information from third-party devices and controlled APs is ignored. Note Controlled APs always send CDP information. The controller provides several options to customize DNS handling.

  • Page 82: Dns Servers

    Network configuration Note When using Active Directory for user authentication, set the DNS servers to be the Active Directory servers or the devices that provide SRV records. DNS servers Dynamically assigned servers Shows the DNS servers that are dynamically assigned to the controller when PPPoE or DHCP is used to obtain an IP address on the Internet port.

  • Page 83: Ip Routes

    Network configuration IP routes DNS switch over Controls how the controller switches back to the primary server.
      • When enabled, the controller switches back to the primary server once the primary server becomes available again. When disabled, the controller switches back to the primary server only when the ...

  • Page 84: Configuration

    Network configuration IP routes Configuration To view and configure IP routes, select Controller >> Network > IP routes. Active routes This table shows all active routes on the controller. You can add routes by specifying the appropriate parameters and then selecting Add. The routing table is dynamic and is updated as needed.

  • Page 85

    Network configuration IP routes The routing table is dynamic and is updated as needed. If more than one default route exists, the first route in the table is used. The following information is shown for each default route:
      • Interface: The port through which traffic is routed. When you add a route, the controller automatically determines the interface to be used based on the Gateway address.

  • Page 86: Network Address Translation (nat)

    Network configuration Network address translation (NAT) Network address translation (NAT) Network address translation is an address mapping service that enables one set of IP addresses to be used on an internal network, and a second set to be used on an external network.

  • Page 87

    Network configuration Network address translation (NAT) A static NAT mapping allows only one internal IP address to act as the destination for a particular protocol (unless you map the protocol to a nonstandard port). For example, you can run only one Web server on the internal network. Note If you use a NAT static mapping to enable a secure (HTTPS) Web server on the internal ...

  • Page 88

    Network configuration Network address translation (NAT) NAT example The following example shows you how to configure static NAT mappings to run a Web server and an FTP server on the internal network. This scenario might occur if you use the controller in an enterprise environment.

  • Page 89: Vpn One-to-one Nat

    Network configuration 6. To support the FTP server, create two additional mappings with the following values:
      • Set Standard Services to ftp-data (TCP 20) and set IP address to 192.168.1.3.
      • Set Standard Services to ftp-control (TCP 21) and set IP address to 192.168.1.3.

  • Page 90

    Network configuration IP QoS IP QoS To ensure that critical applications have access to the required amount of wireless bandwidth, you can classify packets destined for the wireless interface into priority queues based on a number of criteria. For example, you can use any of the following to place data packets in one of four priority queues for transmission onto the wireless interface: ...

  • Page 91

    Network configuration IP QoS Settings
      • Profile name: Specify a unique name to identify the profile.
      • Protocol: Specify an IP protocol to use to classify traffic by specifying its Internet Assigned Numbers Authority (IANA) protocol number. Protocol numbers are pre-defined for a number of common protocols.

  • Page 92

    Network configuration IP QoS 5. Under Priority, from the drop-down list select Very High. 6. Select Save. Note You could also create another profile using the same parameters but for UDP to cope with any kind of SIP traffic. 7. On the IP QoS Profile page select Add New Profile. 8.

  • Page 93: Igmp Proxy

    Network configuration IGMP proxy Assign the profiles to a VSC 1. In the Network Tree select VSCs (if not visible, first select the + symbol to the left of Controller), and then select one of the VSC profiles in the Name column. Scroll down to the Quality of service section of the Virtual AP box.

  • Page 94

    Network configuration IGMP proxy (page 3-38)

  • Page 95

    Chapter 4: Wireless configuration. Contents:
      • Wireless coverage (4-2)
      • Factors limiting wireless coverage (4-2)
      • Configuring overlapping wireless cells (4-3)
      • Supporting 802.11n and legacy wireless clients (4-7)
      • Radio configuration (4-8)
      • Radio configuration parameters (4-18)
      • Advanced wireless settings (4-29)
      • Wireless neighborhood (4-34)
      • Scanning modes (4-34)
      • Viewing wireless information (4-35)
      • Viewing all wireless clients (4-35)
      • Viewing info for a specific wireless client (4-36)
      • ...

  • Page 96: Wireless Coverage

    AP. The following sections provide information on wireless coverage. A tool that can help simplify planning a secure wireless network is the HP ProCurve RF Planner. For more information, see the RF Planner Admin Guide.

  • Page 97: Configuring Overlapping Wireless Cells

    Wireless configuration Wireless coverage
      • Select Controlled APs >> Overview > Wireless rates to view information about data rates for all connected client stations. This makes it easy to determine if low-speed clients are affecting network performance. To prevent low-speed clients from connecting, you can use the Allowed wireless rates option when defining a VSC.

  • Page 98

    Wireless configuration Wireless coverage The following example shows two overlapping wireless cells operating on the same channel (frequency). Since both APs are within range of each other, the number of deferred transmissions can be large. The solution to this problem is to configure the two APs to operate on different channels. Unfortunately, in the 2.4 GHz band, adjacent channels overlap.

  • Page 99

    Wireless configuration Wireless coverage The number of channels available for use in a particular country is determined by the regulations defined by the local governing body and is automatically configured by the AP based on the Country setting you define. (See Assigning country settings to a group on page 6-30.) This means that the number of non-overlapping channels available to you varies...

  • Page 100

    Wireless configuration Wireless coverage (Figure caption: Using only three frequencies across multiple cells in North America.) This strategy can be expanded to cover an even larger area using three channels, as shown in the following figure. (Figure caption: Using three frequencies to cover a large area in North America. Gray areas indicate overlap between two cells that use the same frequency.)

  • Page 101: Supporting 802.11n And Legacy Wireless Clients

    APs more frequently. Automatic transmit power control The automatic power control feature enables the AP to dynamically adjust its transmission power to avoid causing interference with neighboring HP ProCurve APs. For information see Transmit power control on page 4-32.

  • Page 102: Radio Configuration

    Wireless configuration Radio configuration Radio configuration To define configuration settings for a radio, select Controller > Controlled APs >> Configuration > Radio list. This opens the Product radios page which lists all radios on all AP models. For example: To configure the radios for a product, select the product in the list. This opens the Radio(s) configuration page.

  • Page 103

    Wireless configuration Radio configuration: E-MSM466

  • Page 104

    Wireless configuration Radio configuration: E-MSM460 and E-MSM430 (page 4-10)

  • Page 105

    Wireless configuration Radio configuration: MSM422 (page 4-11)

  • Page 106

    Wireless configuration Radio configuration: MSM410 (page 4-12)

  • Page 107

    Wireless configuration Radio configuration: MSM335 (radio 1 and 2) (page 4-13)

  • Page 108

    Wireless configuration Radio configuration: MSM335 (radio 3) (page 4-14)

  • Page 109

    Wireless configuration Radio configuration: MSM320 (page 4-15)

  • Page 110

    Wireless configuration Radio configuration: MSM317 (page 4-16)

  • Page 111

    Wireless configuration Radio configuration: MSM310 (page 4-17)

  • Page 112: Radio Configuration Parameters

    Controlled APs >> Overview > Neighborhood.
      • Sensor: Enables RF sensor functionality on the radio. HP APs are smart APs, and do not forward broadcast packets when no client stations are connected. Therefore, the RF sensor function will not be able to detect these APs unless they have at least one connected wireless client station.

  • Page 113

    Wireless configuration Radio configuration Access point Access point Local mesh Product and Local Monitor Sensor only only mesh ✔ ✔ ✔ ✔ ✕ MSM422 ✕ ✔ ✕ ✔ ✕ MSM317 ✔ ✔ ✔ ✔ ✕ E-MSM430 ✔ ✔ ✔ ✔ ✕...

  • Page 114

    Wireless configuration Radio configuration Wireless mode Supported wireless modes are determined by the regulations of the country in which the AP is operating, and are controlled by the country setting on the AP. To configure the country setting, see Assigning country settings to a group on page 6-30.

  • Page 115

    Data rates Up to 300 Mbps. HP refers to this mode as Pure 802.11n. When operating in this mode, the AP does not permit non-802.11n clients to associate. Legacy clients can see the access point, and may attempt to associate, but they will be rejected. The AP makes this determination based on the supported rates that the client presents during its association request.

  • Page 116

    Note This mode is sometimes incorrectly called Greenfield. Greenfield is an 802.11n-specific preamble that can be used by clients and APs. HP APs do not support this preamble and therefore do not support Greenfield mode. When to use this mode...

  • Page 117

    For 802.11g clients: Up to 54 Mbps. For 802.11b clients: Up to 11 Mbps. HP refers to this mode as Compatibility mode because the AP allows both 802.11n and legacy clients to associate. The AP advertises protection in the beacon when legacy clients are associated or operating on the same channel.

  • Page 118

    Wireless configuration Radio configuration
      • 802.11g: Supported on MSM310, MSM317, MSM320, MSM335, MSM410, MSM422. Frequency band: 2.4 GHz. Data rates: Up to 54 Mbps. This is a legacy mode that can be used to support older wireless client stations.
      • 802.11a: Supported on MSM310, MSM317, MSM320, MSM335, MSM410, MSM422. Frequency band: 5 GHz...

  • Page 119

    Wireless configuration Radio configuration The channel selected on the radio page is the primary channel and the secondary (or extension) channel is located adjacent to it. The secondary channel is either above or below depending on which channel was selected as the primary. In the 5 GHz band, the channels are paired: 36 and 40 are always used together, 44 and 48 are always used together, etc.

  • Page 120

    When operating in 802.11a or 802.11n (5 GHz) modes, channels do not interfere with each other, enabling APs to operate on two adjacent channels without interference. HP APs support Dynamic Frequency Selection (802.11h) and Transmit Power Control (802.11d) for 802.11a operation in European countries. These options are automatically enabled as required.

  • Page 121

    Wireless configuration Radio configuration best to select channels as follows, according to the number of 2.4 GHz channels available in your region.
      • Available 2.4 GHz channels: 1 to 13; channel width: 20 MHz; recommended non-overlapping channels: 1, 7, 13
      • Available 2.4 GHz channels: 1 to 13; channel width: 40 MHz; recommended non-overlapping channels: 1, 13 (If both are used, there will be some performance degradation.)

  • Page 122

    Wireless configuration Radio configuration Antenna selection Supported on: MSM310, MSM320, MSM335, MSM422 Not available in Monitor or Sensor modes. Select the antenna(s) to use for each radio. Antenna support varies on each AP. For a list of supported external antennas, see Connecting external antennas in the MSM3xx / MSM4xx Access Points Management and Configuration Guide.

  • Page 123: Advanced Wireless Settings

    Wireless configuration Radio configuration  For point-to-point local mesh links on Radio 1, install two directional antennas on connectors A and B. Installing a third directional antenna on connector C will increase performance only on the receive side.  Radio 2 supports diversity via its two internal antennas. but not when using an external antenna.

  • Page 124

    Wireless configuration Radio configuration HP APs support the following two explicit beamforming techniques:
      • Non-compressed beamforming, in which the client station calculates and sends the steering matrix to the AP.
      • Compressed beamforming, in which the client station sends a compressed steering matrix to the AP.

  • Page 125

    Wireless configuration Radio configuration  No MAC protection: This setting gives the best performance for 802.11n clients in the presence of 802.11g or 802.11a legacy clients or APs. No protection frames (CTS- to-self or RTS/CTS) are sent at the MAC layer by the AP. PHY-based protection remains active, which alerts legacy clients to stay off the air while the AP is transmitting data to 802.11n clients.

  • Page 126

    Wireless configuration Radio configuration Distance between APs Not supported on: E-MSM430, E-MSM460, E-MSM466 Not available in Monitor or Sensor modes. Use this parameter to adjust the receiver sensitivity of the AP only if:
      • You have more than one wireless AP installed in your location. ...

  • Page 127

    Caution For specific power limits according to your regulatory domain, consult the Antenna Power-Level Settings Guide available at www.hp.com/networking/support (for Product Brand, select ProCurve and search for your antenna). For example, if you install an external 8 dBi directional antenna, and the maximum allowed power level for your country is 15 dBm, you may have to reduce the transmit power level to be in compliance.

  • Page 128: Wireless Neighborhood

    Wireless configuration Wireless neighborhood Wireless neighborhood Select Controlled APs >> Overview > Neighborhood to view information on APs operating in your area. This page presents a list of all APs that have been detected by all of the controlled APs. For example: You can also view the list detected by a specific controlled AP by selecting in the Network Tree.

  • Page 129: Viewing Wireless Information

    Wireless configuration Viewing wireless information  On the MSM310, MSM320, MSM335, MSM410, MSM422: Scanning is continuously performed on all the channels in the currently selected Operating mode, even though the channel is only re-evaluated each time the channel selection interval expires. (If the interval is set to Disabled, continuous scanning is not performed.) Continuous scanning can cause interruptions to voice calls.

  • Page 130: Viewing Info For A Specific Wireless Client

    Wireless configuration Viewing wireless information Duration Indicates how long the client station has been authorized. Signal Indicates the strength of the radio signal received from client stations. Signal strength is expressed in decibel milliwatt (dBm). The higher the number the stronger the signal. Noise Indicates how much background noise exists in the signal path between client stations and the AP.

  • Page 131

    Wireless configuration Viewing wireless information The information you see will vary depending on the AP to which the client is connected. For example, the following shows the status page for a client connected to an MSM317. For a complete description of all fields see the online help. (page 4-37)

  • Page 132: Viewing Wireless Client Data Rates

    Wireless configuration Viewing wireless information Viewing wireless client data rates To view information on all wireless client stations currently connected to the AP, select Controlled APs >> Overview > Wireless rates. This page shows the volume of traffic sent and received at each data rate for each client station.

  • Page 133: Wireless Access Points

    Wireless configuration Viewing wireless information Wireless access points To view wireless information for an AP, select Controlled APs > [group] > [AP] >> Status > Wireless. The information you see will vary depending on the AP. For example, this is the status page for an MSM317: Access point status Wireless port...

  • Page 134

    Wireless configuration Viewing wireless information Tx power Current transmission power. Transmit protection status
      • Disabled: HT protection / G protection is disabled.
      • B clients: G protection is enabled because a B client is connected to the AP.
      • B APs: G protection is enabled because a B client is connected to another AP on the same channel used by the AP.

  • Page 135

    Wireless configuration Viewing wireless information Tx retry limit exceeded The number of times an MSDU is not transmitted successfully because the retry limit is reached, due to no acknowledgment or no CTS received. Tx multiple retry frames The number of MSDUs successfully transmitted after more than one retransmission (on the total of all associated fragments).

  • Page 136

    Wireless configuration Viewing wireless information Rx packets (Not shown on the E-MSM460) The total number of packets received. Rx dropped (Not shown on the E-MSM460) The number of received packets that were dropped due to lack of resources on the AP. This should not occur under normal circumstances.

  • Page 137

    Wireless configuration Viewing wireless information Rx MSG in msg fragments The number of MPDUs of type Data or Management received successfully, while there was another good reception going on above the carrier detect threshold (the message-in-message path #2 in the modem). Rx WEP undecryptable The number of received MPDUs, with the WEP subfield in the Frame Control field set to one, that were discarded because it should not have been encrypted or due to the receiving station...

  • Page 138

    Wireless configuration Viewing wireless information (page 4-44)

  • Page 139

    Chapter 5: Working with VSCs. Contents:
      • Key concepts (5-3)
      • Viewing and editing VSC profiles (5-4)
      • The default VSC (5-4)
      • VSC configuration options (5-5)
      • About access control and authentication (5-6)
      • Summary of VSC configuration options (5-8)
      • Access control (5-9)
      • Virtual AP (5-10)
      • VSC ingress mapping (5-16)
      • VSC egress mapping (5-17)
      • Bandwidth control (5-17)
      • ...

  • Page 140

    Working with VSCs (contents, continued):
      • VSC data flow (5-32)
      • Access control enabled (5-32)
      • Access control disabled (5-34)
      • Using multiple VSCs (5-36)
      • About the default VSC (5-36)
      • Quality of service (QoS) (5-37)
      • Priority mechanisms (5-38)
      • IP QoS profiles (5-40)
      • Upstream DiffServ tagging (5-41)
      • Upstream/downstream traffic marking (5-41)
      • QoS example (5-43)
      • Creating a new VSC (5-44)
      • Assigning a VSC to a group (5-44)
      • ...

  • Page 141: Key Concepts

    Working with VSCs Key concepts Key concepts A VSC (virtual service community) is a collection of configuration settings that define key operating characteristics of the controller and controlled APs. In most cases, a VSC is used to define the characteristics of a wireless network and to control how wireless user traffic is distributed onto the wired network.

  • Page 142: Viewing And Editing Vsc Profiles

    The VSC profiles list shows all VSCs that are currently defined on the controller. To open the list, select VSCs in the Network Tree. The HP VSC profile is defined by default.
      • To add a VSC, select VSCs >> Overview > Add New VSC Profile.

  • Page 143: Vsc Configuration Options

    Working with VSCs VSC configuration options VSC configuration options This section provides an overview of all the configuration options available for a VSC. It will give you a good idea of how the features can be used. The default VSC is pre-configured as described in the following pages. Below is an overview of the entire VSC configuration page.

  • Page 144: About Access Control And Authentication

    Working with VSCs VSC configuration options About access control and authentication The availability of certain VSC features and their functionality is controlled by the settings of two important parameters in the Global box. These parameters determine how authentication and access control are handled by the VSC: Use Controller for: Authentication Determines if user authentication services (802.1X, WPA, WPA2, MAC-based) are provided by the controller.

  • Page 145

    Working with VSCs VSC configuration options When only authentication is enabled In this configuration, the controlled AP forwards authentication requests from users on the VSC to the controller. The controller resolves these requests using the local user list, or the services of a third-party authentication server (Active Directory or RADIUS server).

  • Page 146: Summary Of Vsc Configuration Options

    Working with VSCs VSC configuration options Summary of VSC configuration options The following table lists the VSC configuration options that are available depending on how access control and authentication are configured. Use Controller for: Authentication Authentication VSC configuration option Access control only Neither ✔...

  • Page 147: Access Control

    Working with VSCs VSC configuration options Access control The settings only apply to access-controlled VSCs. Present session and welcome page to 802.1X users Enable this option to have the public access interface present the Welcome, Transport, and Session pages to 802.1X users. When disabled, these pages are not sent to 802.1X users.

  • Page 148: Virtual Ap

    Working with VSCs VSC configuration options Virtual AP The virtual AP settings define the characteristics of the wireless network created by the VSC, including its name, the number of clients supported, and QoS settings. Access control enabled Access control disabled Select the Virtual AP checkbox to enable the wireless network defined by this VSC.

  • Page 149

    Working with VSCs VSC configuration options DTIM count Specify the DTIM period in the wireless beacon sent by controlled APs. Client stations use the DTIM to wake up from low-power mode to receive multicast traffic. APs transmit a beacon every 100 ms. The DTIM counts down with each beacon that is sent. Therefore if the DTIM is set to 5, then client stations in low-power mode will wake up every 500 ms (.5 second) to receive multicast traffic.

  • Page 150

    Working with VSCs VSC configuration options  If the AP has learned that a client is capable of transmitting at 5 GHz, the AP refuses the first association request sent by the client at 2.4 GHz.  Once a client is associated at 5 GHz, the AP will not respond to any 2.4 GHz probes from the client as long as the client’s signal strength at 5 GHz is greater than -80 dBm (decibel milliwatt).

  • Page 151

    Working with VSCs VSC configuration options  Unicast traffic exchanged between VSCs on different radios is controlled by the setting of the sender’s VSC.  Multicast traffic exchanged between VSCs is always controlled by the setting of the sender’s VSC. Generally, most clients will be involved in the bidirectional exchange of unicast packets.

  • Page 152

    Working with VSCs VSC configuration options  High security/less performance: This option uses HMAC (Hash based message authentication code) to ensure the data integrity and authenticity of each packet. Performance is reduced due to the overhead needed to calculate HMAC. Regardless of the security method used, the client tunnel does not encrypt the data stream.

  • Page 153

    Working with VSCs VSC configuration options Allowed wireless rates Select the wireless transmission speeds (in Mbps) that this VSC will support for each wireless mode. Clients will only be able to connect at the rates that you select. If a client does not support the selected rate and mode, it will not be able to connect to this VSC.

  • Page 154: Vsc Ingress Mapping

    Working with VSCs VSC configuration options Notes on 802.11n 802.11n supports legacy rates (1 to 54), as well as high-throughput (HT) rates MCS 0 to MCS
      • MCS 0 to MCS 15 are supported by the MSM410, MSM422, E-MSM430, E-MSM460, and E-MSM466.

  • Page 155: Vsc Egress Mapping

    Working with VSCs VSC configuration options If a VSC is bound to the MSM317 Ethernet Switch, it cannot handle traffic from wireless clients on the MSM317 or other APs. For more information, see VSC data flow on page 5-32 and Traffic flow for wireless users on page 7-6.

  • Page 156: Default User Data Rates

    Working with VSCs VSC configuration options For more information on setting the appropriate RADIUS attributes to accomplish this, refer to the Management and Configuration Guide for this product. Default user data rates These options enable you to set the default data rates for authenticated users that do not have a data rate set in their RADIUS accounts, and for unauthenticated users.

  • Page 157

    Working with VSCs VSC configuration options To use wireless mobility, you must:
      • Disable the Access control option under Global.
      • Install a Mobility or Premium license on the controller.
      • Bind the same VSC to all APs that will support roaming.
      • Configure the Wireless security filters so that they do not interfere with roaming ...

  • Page 158: Fast Wireless Roaming

    Working with VSCs VSC configuration options One issue with using this method to determine the home subnet is that a user’s IPv4 address is typically retrieved through DHCP. If a user connects to an AP in a new location (rather than roaming to the AP), the IP address assigned through DHCP may identify the user as local to the network, and not roaming.

  • Page 159

    HTTPS traffic not addressed to the AP (or upstream device) is also blocked, which means wireless users cannot access the management tool on other HP ProCurve APs. Outgoing wireless traffic filters Applies to traffic sent from the AP to wireless users.

  • Page 160

    To use the default filters as a starting point, select Get Default Filters. Filters are specified using standard pcap syntax with the addition of a few HP ProCurve-specific placeholders. These placeholders can be used to refer to specific MAC addresses and are expanded by the AP when the filter is activated.

  • Page 161: Wireless Protection

    Working with VSCs VSC configuration options Wireless protection Two types of wireless protection are offered: WPA and WEP. On the MSM410 and MSM422 When using 802.11n, wireless protection settings are enforced as follows: WEP protection is never permitted. If selected, WPA or WPA2 protection is used instead. ...

  • Page 162

    Working with VSCs VSC configuration options Authentication can occur via the local user accounts and a remote authentication server (Active Directory, or third-party RADIUS server). If both options are enabled, the local accounts are checked first.
      • Preshared Key: The controller uses the key you specify in the Key field to generate the TKIP keys that encrypt the wireless data stream.

  • Page 163

    Working with VSCs VSC configuration options When disabled, WPA/WPA2 sessions are terminated at the AP. This means that wireless communication between the client station and AP is secure, but traffic between the AP and controller is not. This is normally sufficient since outsiders do not have access to your wired network.

  • Page 164: 802.1X Authentication

    Working with VSCs VSC configuration options When encryption is enabled, wireless stations that do not support encryption cannot communicate with the AP. The definition for each encryption key must be the same on the AP and all client stations. Key format: Select the format used to specify the encryption key. ASCII: ASCII keys are much weaker than carefully chosen HEX keys.

  • Page 165: HTML-based User Logins

    Working with VSCs VSC configuration options For added flexibility, regular expressions can be used in realm names, enabling a single realm name to match many users. For example, if a realm name is defined with the regular expression ^abc.* then all usernames beginning with abc followed by any number of characters will match.

  • Page 166: VPN-based Authentication

    Working with VSCs VSC configuration options Note The global MAC-based authentication feature only applies on VSCs that have HTML-based user logins enabled. See Configuring global MAC-based authentication on page 10-16. VPN-based authentication VPN-based authentication can be used to provide secure access for client stations on VSCs that do not have encryption enabled.

  • Page 167: Location-aware

    Working with VSCs VSC configuration options Location-aware This option enables you to control logins to the public access network based on the AP, or group of APs, to which a user is connected. It is automatically enabled when a VSC is set to Access control.

  • Page 168: Wireless IP Filter

    Working with VSCs VSC configuration options Wireless IP filter When this option is enabled, the VSC only allows wireless traffic that is addressed to an IP address that is defined in the list. All other traffic is blocked, except for: ...

  • Page 169

    Working with VSCs VSC configuration options A separate DHCP server can be enabled on each VSC to provide custom addressing that is different from the base DHCP subnet that is determined by the LAN port IP address. To receive traffic from users, the controller assigns the Gateway address you specify to its LAN port.

  • Page 170: VSC Data Flow

    Working with VSCs VSC data flow Note These DHCP relay agent options do not appear for the default VSC. The default VSC uses the same settings as defined on the Controller >> Network > Address allocation page. VSC data flow Each VSC provides a number of configurable options, some of which apply exclusively on controlled APs or the controller.

  • Page 171

    Working with VSCs VSC data flow VSC on controlled AP Ingress The AP only handles traffic from wireless users, except for the MSM317 which can handle traffic from both wireless and wired users. The SSID is the name of the wireless network with which the user associates.

  • Page 172: Access Control Disabled

    Working with VSCs VSC data flow Features Authentication: The controller supports 802.1X, MAC, or HTML authentication. To validate user login credentials the controller can use the local user accounts or make use of third-party authentication servers (Active Directory and/or RADIUS). See Chapter 10: User authentication, accounts, and addressing.

  • Page 173

    Working with VSCs VSC data flow Wireless security filters: Enables the AP to block traffic unless it is addressed to a specific destination (like the controller). See Wireless security filters on page 5-20. Wireless MAC filter: Enables the AP to allow or deny access to the wireless network based on specific wireless user MAC addresses.

  • Page 174: Using Multiple VSCs

    About the default VSC The default VSC is automatically created by the controller. It is identified with the label (Default) in the VSC list. Initially, this VSC is named HP and has the following properties: Wireless network name: HP ...

  • Page 175: Quality Of Service (QoS)

    Working with VSCs Quality of service (QoS) This means that when a user connects to the default VSC: Unauthenticated users cannot access the protected network, except for: procurve.com  (for product registration) and windowsupdate.com (for IE, which tries to get to a windows update on a fresh start).

  • Page 176: Priority Mechanisms

    Working with VSCs Quality of service (QoS) The QoS feature defines four traffic queues based on the Wi-Fi Multimedia (WMM) access categories. In order of priority, these queues are (queue access category: typically used for): AC_VO: voice traffic; AC_VI: video traffic; AC_BE: best effort data traffic; AC_BK: ...

  • Page 177

    Quality of service (QoS) VSC-based priority This mechanism is unique to HP. It enables you to assign a single priority level to all traffic on a VSC. If you enable the VSC-based priority mechanism, it takes precedence regardless of the priority mechanism supported by associated client stations.

  • Page 178: IP QoS Profiles

    Working with VSCs Quality of service (QoS) IP QoS This option lets you assign traffic to the queues based on the criteria in one or more IP QoS profiles. Each profile lets you target traffic on specific ports or using specific protocols. Disabled When QoS traffic prioritization is disabled, all traffic is sent to queue 3.

  • Page 179: Upstream DiffServ Tagging

    Working with VSCs Quality of service (QoS) Protocol Specify an IP protocol to use to classify traffic by specifying its Internet Assigned Numbers Authority (IANA) protocol number. Protocol numbers are pre-defined for a number of common protocols. If the protocol you require does not appear in the list, select Other and specify the appropriate number manually.

  • Page 180

    Working with VSCs Quality of service (QoS) Upstream traffic marking This table describes the marking applied to wireless traffic sent by connected client stations to an AP and then forwarded onto the wired network by the AP. (Table columns, flattened in extraction: INCOMING TRAFFIC; OUTGOING TRAFFIC, traffic sent by the AP to the network; L3 marking ...)

  • Page 181: QoS Example

    Working with VSCs Quality of service (QoS) Downstream traffic marking This table describes the marking applied to traffic received from the wired network by an AP and then sent to connected wireless client stations. (Table columns, flattened in extraction: INCOMING TRAFFIC; OUTGOING TRAFFIC, wireless traffic sent from the controller to client stations ...)

  • Page 182: Creating A New VSC

    Working with VSCs Creating a new VSC Creating a new VSC To add a VSC, select Controller > VSCs >> VSC Profiles > Add New VSC Profile. Define VSC parameters and select Save. Familiarize yourself with sections of interest in VSC configuration options on page 5-5.

  • Page 183

    Chapter 6: Working with controlled APs Working with controlled APs Contents Key concepts 6-3; Key controlled-mode events 6-4; Discovery of controllers by controlled APs 6-6; Discovery overview 6-6; Discovery methods 6-7; Discovery order 6-9; Discovery recommendations 6-10; Discovery priority 6-11; Discovery considerations 6-13; Monitoring the discovery process 6-13; Authentication of controlled APs 6-19; Building the AP authentication list 6-20; Configuring APs 6-22 ...

  • Page 184

    Working with controlled APs Provisioning discovery 6-37; Provisioning summary 6-38; Provisioning example 6-39; AeroScout RTLS 6-40; Software retrieval/update 6-42; Monitoring 6-42 ...

  • Page 185

    Working with controlled APs Key concepts Key concepts The controller provides centralized management of APs operating in controlled mode. Controlled mode greatly simplifies the setup and maintenance of a Wi-Fi infrastructure by centralizing the configuration and management of distributed APs. Note Starting with software version 5.x, APs operate in controlled mode by default.

  • Page 186: Key Controlled-mode Events

    Working with controlled APs Key controlled-mode events AP authentication The controller can be configured to authenticate APs by their MAC address before they are managed. The authentication can be defined locally on the controller, via a third-party RADIUS server, or using a remote text-based control file. Key controlled-mode events The following diagram provides an overview of key events that occur when working with APs in controlled mode.

  • Page 187

    Working with controlled APs Key controlled-mode events (two-column diagram, flattened in extraction) AP: When started, the AP attempts to discover all controllers that are operating on the local network. See Discovery of controllers by controlled APs on page 6-6. Controller: The controller receives a discovery request. The controller sends a discovery reply.

  • Page 188: Discovery Of Controllers By Controlled APs

    Working with controlled APs Discovery of controllers by controlled APs Controller: Discovery complete. Wireless services become available. For the MSM317, the switch ports also become active. Discovery of controllers by controlled APs This section describes how the discovery process works and how it can be customized. Discovery is the process by which a controlled AP finds a controller (or controller team) on a network and establishes a secure management tunnel with it.

  • Page 189: Discovery Methods

    Working with controlled APs Discovery of controllers by controlled APs 2. Discovered controllers send a discovery reply to the AP. If the controller is configured to require AP authentication, the reply is only sent after the AP is authenticated by the controller.

  • Page 190

    Working with controlled APs Discovery of controllers by controlled APs Note A controller listens for discovery requests on its LAN port and/or Internet port as configured on the Controller >> Management > Device Discovery page. (See Device discovery on page 2-9).

  • Page 191: Discovery Order

    Working with controlled APs Discovery of controllers by controlled APs The AP appends the default domain name returned by a DHCP server (when it assigns an IP address to the AP) to the controller name. For example, if the DHCP server returns mydomain.com, then the AP will search for the following controllers in this order: ...

  • Page 192: Discovery Recommendations

    Working with controlled APs Discovery of controllers by controlled APs Discovery recommendations Note When controller teaming is active, controlled APs discover a team in the same way that they discover non-teaming controllers. If the AP is on the same subnet as the controller, then UDP discovery will work with no configuration required on either the AP or controller.

  • Page 193: Discovery Priority

    Working with controlled APs Discovery of controllers by controlled APs Discovery priority Each controller or controller team that receives a discovery request sends the requesting AP a discovery reply. If the AP authentication option is enabled, the AP needs to be authenticated first.

  • Page 194

    Working with controlled APs Discovery of controllers by controlled APs (Table headers: On a non-teamed controller; On a controller team.) If only connectivity settings are provisioned, then the AP attempts to discover a controller using the same methods as for unprovisioned APs, namely: ...

  • Page 195: Discovery Considerations

    Working with controlled APs Discovery of controllers by controlled APs Discovery considerations If controlled APs are behind a firewall or NAT device, refer to the following sections. Firewall If the network path between an AP and a controller traverses a firewall, the following ports must be opened for management and discovery to work (table columns: Protocol; Open these ports) ...

  • Page 196

    Working with controlled APs Discovery of controllers by controlled APs Viewing all discovered APs To display information about APs discovered by the controller, select Controlled APs >> Overview > Discovered APs. The Discovered APs page provides the following information: Number of access points: Indicates the number of APs that were discovered.

  • Page 197

    Working with controlled APs Discovery of controllers by controlled APs Diagnostic: Indicates the status of the AP with regards to management by the controller, as shown in the following table (Diagnostic: Description). Detected: The AP was detected by the controller. Enabling VSC services: The AP is enabling wireless services for all VSCs.

  • Page 198

    Working with controlled APs Discovery of controllers by controlled APs (Diagnostic: Description) Rebooting: The AP is restarting. Resetting configuration: The AP configuration is being reset to factory defaults. This is normal and will occur when the firmware version on the controller is changed or if the AP is not synchronized.

  • Page 199

    Working with controlled APs Discovery of controllers by controlled APs (Diagnostic: Description) Unsynchronized/License violation: The AP is not synchronized but can continue operation. However, if synchronized, it will become non-functional as described above for Synchronized/License violation. Before synchronizing, either change the configuration to omit the affected licensed feature or acquire and install a valid license.

  • Page 200

    Working with controlled APs Discovery of controllers by controlled APs Viewing all configured APs To display information about APs configured by the controller, select Controlled APs >> Overview > Configured APs. The Configured APs page provides the following information: Number of displayed access points: Number of configured APs that were discovered.

  • Page 201: Authentication Of Controlled APs

    Working with controlled APs Authentication of controlled APs Creation mode: Local: AP was added manually, or was manually authenticated after being discovered. RADIUS: AP was successfully authenticated via RADIUS and then created. External file: AP was successfully authenticated using the external file option. ...

  • Page 202: Building The AP Authentication List

    Working with controlled APs Authentication of controlled APs If authentication fails (for example, this is a new AP), and the Use the local authentication list option is enabled, then the AP is added to the Default Group and flagged as requiring authentication.

  • Page 203

    Working with controlled APs Authentication of controlled APs Use file authentication list When this option is selected, the controller retrieves authentication list entries from a file. This must be an ASCII file with one or more MAC addresses in it. Each address must be entered on a separate line.

  • Page 204: Configuring APs

    Working with controlled APs Configuring APs Use the local authentication list When this option is selected, the controller creates authentication list entries based on the set of APs that are currently defined on the controller. For reference purposes, the table shows the AP name, Serial number and MAC address of all APs that are defined and will be included in the authentication list.

  • Page 205: Inheritance

    Working with controlled APs Configuring APs Group: Group-level configuration enables you to define settings that are shared by APs with similar characteristics. For example, if you have several APs at a location that are all providing the same service, putting them in the same group makes them easier to manage.

  • Page 206: Configuration Strategy

    Working with controlled APs Configuring APs Any changes to a bound VSC affect all groups (and APs) to which the VSC is bound, making it easy to manage configuration changes network-wide. A key setting when binding a VSC to a group is the Egress network. If you enable this option, it can alter where the APs send user traffic.

  • Page 207: Working With Groups

    Working with controlled APs Configuring APs 2. Manually define each AP in the appropriate group. 3. Deploy the APs in their default configuration on the network. 4. Allow the discovery process to find the APs and place them in the pre-configured groups.

  • Page 208: Working With APs

    Working with controlled APs Configuring APs Binding a VSC to a group To bind a VSC to a group, do the following: 1. Select the target group under Controlled APs. 2. In the right pane, select VSC bindings, then select Add New Binding. 3.

  • Page 209

    Working with controlled APs Configuring APs 3. In the Device box, identify the new AP, specifying at a minimum, Device Name, Ethernet BASE MAC (printed on the label affixed to each AP), and Group. Select Save. The AP is added to the selected group in the Network tree and will also be shown in the Configured APs list.

  • Page 210

    Working with controlled APs Configuring APs Deleting an AP Note When the AP authentication feature is disabled, a deleted AP may automatically rediscover the controller if the AP is left connected to the network. Therefore, before deleting, disconnect the AP unless you want it to rediscover the controller. 1.

  • Page 211

    Working with controlled APs Configuring APs Moving multiple APs between groups To move one or more APs between groups, do the following: 1. Use the check boxes in the table to select one or more APs. Select the check box in the table header to select all the APs in the table.

  • Page 212: Assigning Egress VLANs To A Group

    Working with controlled APs Configuring APs 2. Select a Synch link in the Action column to synchronize a single AP. Or, to synchronize all unsynchronized APs in the group, select Synchronize Configuration in the Select the action to apply to all listed APs list, and select Apply.

  • Page 213: Provisioning APs

    Working with controlled APs Provisioning APs The country configuration for the Base group looks like this: After changing the country setting, APs must be synchronized. Note In some regions, APs are delivered with a fixed country setting. If you place an AP with a fixed country setting into a group that has a different country configuration, the AP will fail to be synchronized.

  • Page 214: Provisioning Methods

    Working with controlled APs Provisioning APs Provisioning methods Provisioning can be done in two ways: provision settings using the controller or provision settings directly on APs. Using the controller to provision APs On the controller, provisioning can be done at the group or AP level for added flexibility. Provisioning via the controller enables you to quickly provision many APs at once.

  • Page 215: Displaying The Provisioning Pages

    Working with controlled APs Provisioning APs Displaying the provisioning pages To display the provisioning pages, do the following: On a controller 1. Select one of the following in the Network tree: Controlled APs, a group, or an AP. 2.

  • Page 216: Provisioning Connectivity

    Working with controlled APs Provisioning APs Provisioning connectivity Use the Provisioning > Connectivity page to provision connectivity settings for a controlled AP. The following page will appear on all APs except for the MSM317. Enable provisioning here: ...

  • Page 217

    Working with controlled APs Provisioning APs The following page will appear on the MSM317. Enable provisioning here: Interface Select the interface you want to configure and then define its settings using the other options on this page. Set VLAN ID if applicable. Assign IP address via ...

  • Page 218

    Working with controlled APs Provisioning APs Country Select the country in which the AP is operating. Caution Selecting the wrong country may result in illegal operation and may cause harmful interference to other systems. Please consult with a professional installer who is trained in RF installation and knowledgeable about local regulations to ensure that the service controller is operating in accordance with channel, power, indoor/outdoor restrictions and license requirements for the intended country.

  • Page 219: Provisioning Discovery

    Working with controlled APs Provisioning APs Password / Confirm password Password assigned to the AP. Anonymous Name used outside the TLS tunnel by all three EAP methods. If this field is blank, then the value specified for Username is used instead. Provisioning discovery Use the Provisioning >...

  • Page 220: Provisioning Summary

    Working with controlled APs Provisioning APs If you define a name that contains a dot, then the domain name is not appended. For example, if the name is controller.yourdomain.com, no domain name is appended. If the AP is operating as a DHCP client, the DHCP server will generally return a domain name when it assigns an IP address to the AP.

  • Page 221: Provisioning Example

    Working with controlled APs Provisioning APs Provisioning example The following example shows how to use the default group as a staging area, where APs are discovered and then provisioned before being moved into their actual production group. 1. Select Controller >> Controlled APs > Provisioning. 2.

  • Page 222: AeroScout RTLS

    (Figure labels: Controller; Devices being tracked by their RFID tags.) Note HP does not sell or promote AeroScout products. Contact AeroScout for information on obtaining its MobileView software, Wi-Fi RFID tags, and associated hardware. Consult the AeroScout documentation for deployment information.

  • Page 223

    All AeroScout management and monitoring is performed in the AeroScout software itself. AeroScout documentation and AeroScout software must be used to operate and monitor the tags. AP name: Name of the AP on which HP RTLS is enabled. AP MAC address: MAC address of the AP. Radio: Radio on the AP to which the AeroScout tag is connected.

  • Page 224: Software Retrieval/update

    Working with controlled APs Software retrieval/update Mu report: Number of Mu reports sent to the AeroScout engine. Software retrieval/update Software management of controlled APs is automatically performed by the controller after the AP is discovered (see Key controlled-mode events on page 6-4).

  • Page 225

    Chapter 7: Working with VLANs Working with VLANs Contents Key concepts 7-2; VLAN usage 7-2; Defining a VLAN 7-3; Creating a network profile 7-3; Defining a VLAN 7-4; Defining a VLAN on a controller port 7-4; User-assigned VLANs 7-6; Traffic flow for wireless users 7-6; Traffic flow examples 7-10; Example 1: Overriding the VSC egress on a controller with a user-assigned VLAN ...

  • Page 226

    Working with VLANs Key concepts Key concepts The controller provides a robust and flexible virtual local area network (VLAN) implementation that supports a wide variety of scenarios. Up to 80 VLAN definitions can be created on the controller. VLAN ranges are supported, enabling a single definition to span a range of VLAN IDs.

  • Page 227: Defining A VLAN

    Working with VLANs Defining a VLAN Defining a VLAN To create a new VLAN definition, first you must define a network profile with the required VLAN ID. Next, you use the profile to define a VLAN on a port, VSC interface, or user account.

  • Page 228

    Working with VLANs Defining a VLAN Defining a VLAN Once you have created a network profile with a VLAN ID, you can use the profile to define a VLAN on the controller and APs. Some of the more frequently defined VLANs are listed in the following table.

  • Page 229

    Working with VLANs Defining a VLAN 2. Select Add New VLAN. The Add/Edit VLAN page opens. 3. Under General, select the port to which the VLAN will be bound. Once a VLAN has been defined on a port, the port assignment cannot be changed. To assign the VLAN to a different port, delete the VLAN definition and create a new one on the required port.

  • Page 230: User-assigned VLANs

    Working with VLANs User-assigned VLANs User-assigned VLANs VLANs can be assigned on a per-user basis using attributes defined in a user’s RADIUS account, or via VLAN definitions in a local user account profile. These user-assigned VLANs are also called dynamic VLANs because they are applied dynamically after a user is authenticated and override the static definitions on VSCs or VSC bindings.

  • Page 231

    Working with VLANs Traffic flow for wireless users Binding to a VSC that has Wireless mobility disabled (table, column headers interleaved in extraction): Egress network in VSC data ...; User-assigned VLAN is assigned via RADIUS or local user accounts; User-assigned VLAN does not exist on AP or controller; Client is not assigned via ... ...

  • Page 232

    Working with VLANs Traffic flow for wireless users (table, column headers interleaved in extraction): Egress network in VSC data ...; User-assigned VLAN is assigned via RADIUS or local user accounts; User-assigned VLAN does not exist on AP or controller; Client is not assigned via RADIUS or local user ...; User-assigned VLAN VSC type binding ...

  • Page 233

    Working with VLANs Traffic flow for wireless users Binding to a VSC that has Wireless mobility and Subnet-based mobility enabled (table, column headers interleaved in extraction): Egress network ...; User-assigned VLAN is assigned via RADIUS or local user account; User-assigned VLAN does not exist in the mobility domain; User-assigned VLAN is not in VSC ...

  • Page 234: Traffic Flow Examples

    Working with VLANs Traffic flow examples Terms used in the tables Egress network in VSC binding: This column refers to the Egress network option that can be configured when an AP group is bound to a VSC. The egress network can be used to assign a specific VLAN.

  • Page 235

    Working with VLANs Traffic flow examples Egress network in VSC binding: Defined VLAN = 10. Client data tunnel: Disabled. User-assigned VLAN is assigned via RADIUS or local user accounts: Assigned VLAN = 30. User-assigned VLAN exists on AP or controller: VLAN 30 is defined on the controller’s Internet port ...

  • Page 236: Example 2: Overriding The Egress Network In A VSC Binding With A User-assigned VLAN

    Working with VLANs Traffic flow examples Example 2: Overriding the egress network in a VSC binding with a user-assigned VLAN In this scenario, a non-access-controlled VSC is used to illustrate how a user-assigned VLAN can override the egress network defined for a VSC binding. Configuration summary ...

  • Page 237

    Working with VLANs Traffic flow examples (Figure: traffic flow diagram; labels include Controller LAN port, Switch, User, RADIUS Server, Network 1.)


  • Page 239

    Chapter 8: Controller teaming Controller teaming Contents Key concepts 8-2; Centralized configuration management 8-2; Centralized monitoring and operation 8-2; Redundancy and failover support 8-3; Scalability 8-3; Deployment considerations 8-3; Limitations 8-5; Creating a team 8-5; Configuration example 8-6; Controller discovery 8-10; Monitoring the discovery process 8-11; Viewing all discovered controllers 8-14; Viewing all team members 8-16; Team configuration 8-17 ...

  • Page 240

    Controller teaming Key concepts Key concepts Controller teaming enables you to easily configure and monitor multiple controllers and their access points, providing the following key benefits: centralized management and monitoring, service scalability, and redundancy in case of controller failure. Up to five controllers can be combined into a team enabling support for up to 800 APs (four controllers x 200 APs per controller plus one additional controller for backup/redundancy).

  • Page 241: Redundancy And Failover Support

    Controller teaming Key concepts Redundancy and failover support The team provides for service redundancy in case of failure. If one of the controllers in a team becomes inoperative (due to network problems, hardware failure, etc.), its APs will automatically migrate to another controller in the team allowing for continuation of services. For this to work, sufficient capacity must be available on the remaining controllers in the team to support the APs from the inoperative controller.

  • Page 242

    Controller teaming Key concepts IMPORTANT: All team members must have an IP address assigned to their LAN port. This must be done even if the LAN port is not connected or not used in your setup. The DHCP server feature is not supported when controller teaming is active; therefore an external DHCP server needs to be installed to support dynamic address assignment to controlled APs and their users.

  • Page 243: Limitations

    Controller teaming Creating a team Limitations The following features are not supported when teaming is enabled: DHCP server; Billing records; L2TP server; Ingress VLAN on a VSC and untagged traffic on the LAN port (All APs use the client data tunnel to send traffic to ...

  • Page 244: Configuration Example

    Controller teaming Creating a team Install APs: Connect all APs. The APs will automatically discover the team (if on the same subnet) and be synchronized with the firmware and configuration settings on the manager. If APs are installed on a different subnet than the controller, their discovery settings may need to be provisioned for them to successfully discover the team.

  • Page 245

    Controller teaming Creating a team Configure connectivity and licenses on each controller Use the management station to connect to each controller in turn and do the following: 1. Select Controller >> Maintenance > Licenses. Install the Premium license and any required AP licenses.

  • Page 246

    Controller teaming Creating a team 2. Select the Controller teaming checkbox. 3. Under Connectivity, set Communicate using to LAN port. 4. Select the Team manager checkbox, and configure the following settings under it: Set Team name to a name that identifies the team. This example uses 1st Floor. The team name provides a convenient way to identify a team.

  • Page 247

    Controller teaming Creating a team 7. Under Network Tree, select Controllers to view more detailed information about the discovery process. The two new controllers should be listed in red. Select Authorize in the Action column for each controller. 8. The manager will now attempt to authorize and synchronize controllers 2 and 3. Once synchronized, their status will change to green.

  • Page 248: Controller Discovery

    Controller teaming Controller discovery Controller discovery The following is an overview of key events that occur when a controller attempts to discover and join a team for the first time (two-column diagram, flattened in extraction). Controller: The controller sends a discovery request onto the local network. Manager: The team manager receives a discovery request.

  • Page 249: Monitoring The Discovery Process

    Controller teaming Controller discovery (two-column diagram, flattened in extraction) Manager: The manager updates the controller’s configuration. Controller: The controller receives new configuration settings. Once this is done, the controller will always attempt to discover this team manager and will not join any other teams until it is manually removed from this team.

  • Page 250

    Controller teaming Controller discovery Controllers This section shows the number of controllers that are active in each management state. A controller may be active in more than one state at the same time. For example, a controller may be both Detected and Synchronized. Select the state name to display information about all controllers in that state.

  • Page 251

    Controller teaming Controller discovery Network Tree The network tree provides access to configuration options for the team, and shows a status light for each controller. Team: team name Select Team: [name] to access configuration items that apply to all members of the team and their controlled APs.

  • Page 252: Viewing All Discovered Controllers

    Controller teaming Controller discovery Status lights Controllers that are part of the team are listed under Controllers in the Network Tree. The status lights provide an indication of their state as follows: • Green: The controller has joined the team and its configuration is synchronized with the settings defined on the team manager.

  • Page 253

    Controller teaming Controller discovery  Serial number: Unique serial number assigned to the controller at the factory. Cannot be changed.  Access points: Indicates number of APs connected to the controller.  Diagnostic: Indicates the status of the controller as shown in the following table. Diagnostic Description Detected...

  • Page 254: Viewing All Team Members

    Controller teaming Viewing all team members Diagnostic / Description: Uploading configuration: Configuration settings are currently being sent to the controller. Uploading firmware: The team manager is uploading new software to the controller. Wait until the operation completes. Validating capabilities: The capabilities of the controller are being identified by the team manager.

  • Page 255: Team Configuration

    Controller teaming Team configuration Select the title of a column to sort the table according to the values in the column. The Team members page provides the following information: • Number of controllers: Number of controllers that are configured as members of the team.

  • Page 256: Accessing The Team Manager

    Controller teaming Team configuration Accessing the team manager To reach the management tool on the team manager, you should always point your browser to the team IP address, and not the physical address assigned to the manager. In case of failover, the team IP address will be assigned to the interim manager.

  • Page 257: Removing A Controller From A Team

    Controller teaming Team configuration Configuration option / Notes: Public Access > Web content: The Site file archive, FTP server, and Current site files options are not available at the team level. Public Access > Attributes: New attributes cannot be added to the Configured attributes table at the team level.

  • Page 258: Editing Team Member Settings

    Controller teaming Team configuration 4. Select Save. Disable teaming on the controller 1. Open the management tool directly on the controller. 2. Select Management > Teaming. 3. Disable the Controller teaming option. 4. Select Save. Editing team member settings To change settings for a team member: 1.

  • Page 259

    Controller teaming Team configuration 4. Select Save. Manually adding a controller to a team Instead of using automatic discovery to find controllers and add them to the team, you can manually preconfigure one or more controllers as team members. The main advantage of doing this is that manually added controllers do not have to be manually authorized the first time they are discovered.

  • Page 260: Discovery Of A Controller Team By Controlled Aps

    Controller teaming Discovery of a controller team by controlled APs 4. Select Save. 5. The new controller will appear in the team members list with a red status light until it is discovered on the network. Discovery of a controller team by controlled APs For a complete discussion of controller discovery, see Discovery of controllers by controlled APs.

  • Page 261

    Controller teaming Failover Where: APs is the total number of APs you want to deploy. You must buy one license for each controlled AP. Although licenses are installed on individual team members, licenses are pooled across the entire team and are automatically re-allocated when a team member becomes inoperative.

  • Page 262: Primary Team Manager Failure

    Controller teaming Failover Primary team manager failure The controller that is designated as the team manager on the Controllers > [team-manager] >> Management > Teaming page is called the primary team manager. If the primary team manager becomes inoperative, an interim team manager is automatically selected by the existing team members.

  • Page 263

    Controller teaming Failover 3. Enable the Team manager option. The settings for this option should already be defined with the values that were set on the primary team manager. 4. Select Save. 8-25...

  • Page 264: Mobility Support

    Controller teaming Mobility support Mobility support Mobility support when controller teaming is active is very similar to mobility support on non-teamed controllers. This section discusses the differences and configuration issues involved. For an explanation of mobility concepts used in this section, see Chapter 9: Mobility traffic manager on page 9-1.

  • Page 265: Single Controller Team Operating Alone

    Controller teaming Mobility support Single controller team operating alone If you have a single controller team, the mobility domain is automatically created when you do the following: 1. Start the management tool on the team manager by pointing your browser to the team IP address.

  • Page 266: Single Controller Team Operating With Non-teamed Controllers

    Controller teaming Mobility support Single controller team operating with non-teamed controllers In this type of setup, the team is configured as the primary mobility controller and the non-teamed controllers set the IP address of primary controller parameter to the team IP address.

  • Page 267: Multiple Teamed And Non-teamed Controllers

    Controller teaming Mobility support 5. Select Save. Configure controller #3 and #4 1. Start the management tool on each independent controller by pointing your browser to the appropriate IP address. 2. Select Management > Device discovery. 3. Select Mobility controller discovery. 4. Set IP address of the primary mobility controller to 192.168.1.99. 5.

  • Page 268

    Controller teaming Mobility support 8-30...

  • Page 269

    Chapter 9: Mobility traffic manager Mobility traffic manager Contents Key concepts.........................9-4 The mobility domain .....................9-6 Home networks......................9-7 Local networks ......................9-8 Configuring Mobility Traffic Manager ...............9-9 Defining the mobility domain ................9-9 Defining network profiles...................9-10 Assigning a home network to a user ..............9-11 Defining local networks on a controller ............9-12 Assigning local networks to an AP..............9-13 Configuring the mobility settings for a VSC.............9-14...

  • Page 270

    Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing ..9-28 How it works ......................9-28 Configuration overview ..................9-28 Scenario 4: Assigning home networks on a per-user basis ........9-38 How it works ......................9-38 Configuration overview ..................9-39 Scenario 5: Traffic routing using VLANs ..............9-44 How it works ......................9-44 Configuration overview ..................9-45 Scenario 6: Distributing traffic using VLAN ranges ..........9-52...

  • Page 271

    Mobility traffic manager...

  • Page 272

    Mobility traffic manager Key concepts Key concepts Note This chapter discusses how to use and configure Mobility traffic manager (MTM) with non-teamed controllers. If you are working with a controller team, most of the same information applies. Essentially, a controller team is treated the same way as a single non-teamed controller.

  • Page 273

    Mobility traffic manager Key concepts The following diagram shows a deployment where the wireless traffic for each user is egressed onto a specific network segment by assigning a home network to each user. Traffic is sent to a different wired network based on the home network assigned to each user in their account LAN port...

  • Page 274: The Mobility Domain

    Mobility traffic manager Key concepts  Automatic traffic distribution: VLAN ranges can be used to automatically spread wireless user traffic across multiple VLANs on the wired infrastructure. See Scenario 6: Distributing traffic using VLAN ranges. Important  MTM is only available on non-access-controlled VSCs. ...

  • Page 275: Home Networks

    Mobility traffic manager Key concepts Note All controllers in the mobility domain must be running the same software version. This means that the first two numbers in the software revision must be the same. For example: All controllers running 5.4.x, or all controllers running 5.5.x. Discovery automatically takes place on both the LAN port and Internet port.

  • Page 276: Local Networks

    Mobility traffic manager Key concepts Example In the following example, User A roams between AP #1 and AP #2. When connected to AP #2, User A is identified as roaming and traffic is tunneled back to subnet 10.0 via controller 1 and controller 2.

  • Page 277: Configuring Mobility Traffic Manager

    Mobility traffic manager Configuring Mobility Traffic Manager Configuring Mobility Traffic Manager MTM configuration can be separated into the following tasks: • Define the mobility domain. • Define network profiles. • Assign home networks to users. • Define local networks on controllers and APs. ...

  • Page 278: Defining Network Profiles

    Mobility traffic manager Configuring Mobility Traffic Manager Connect to the management tool on all other controllers that will be part of the mobility domain and do the following: 1. Select Controller >> Management > Device discovery. 2. Select Mobility controller discovery. 3.

  • Page 279: Assigning A Home Network To A User

    Mobility traffic manager Configuring Mobility Traffic Manager About the default profiles Two network profiles are created by default: LAN port network and Internet port network. These profiles are associated with the two physical Ethernet ports on the controller. You can rename these profiles, but you cannot assign a VLAN to them or delete them.

  • Page 280: Defining Local Networks On A Controller

    Mobility traffic manager Configuring Mobility Traffic Manager Defining local networks on a controller Local networks on a controller are composed of the following interfaces: • The network connected to the LAN port. Identified by the network profile LAN port network. ...

  • Page 281: Assigning Local Networks To An Ap

    Mobility traffic manager Configuring Mobility Traffic Manager 6. Select Save. Assigning local networks to an AP Each AP can be configured to support one (or more) local networks. By comparing the home network assigned to a user with the list of local networks associated with an AP, MTM can determine if the user is at home or roaming.

  • Page 282: Configuring The Mobility Settings For A Vsc

    Mobility traffic manager Configuring Mobility Traffic Manager  If a user’s home network matches a local network on the AP, the user is considered to be at home, and their traffic is bridged onto the wired network via the Ethernet port on the AP.

  • Page 283

    Mobility traffic manager Configuring Mobility Traffic Manager 5. Configure the Wireless security filters so that they do not interfere with roaming functionality. In most cases, these filters should be disabled. If you need to use them, note that: • The Restrict wireless traffic to: Custom option can be used provided that it restricts traffic to destinations that are reachable from all subnets in the mobility domain.

  • Page 284: Monitoring The Mobility Domain

    Mobility traffic manager Monitoring the mobility domain Monitoring the mobility domain The mobility overview page displays status information for the mobility domain. For example: To view this page: • On a non-teamed controller, select Controller >> Status > Mobility. • On a controller team, select Team:[Team-name] >...

  • Page 285: Networks In The Mobility Domain

    Mobility traffic manager Monitoring the mobility domain Networks in the mobility domain This table lists all networks that are defined in the mobility domain and indicates the address of the Handler (AP or controller) that provides the data path to each network. This list should be identical on all controllers that are part of the mobility domain.

  • Page 286: Forwarding Table

    Mobility traffic manager Monitoring the mobility domain Network: The name of the user’s home network. Status: Possible values are: • Connected: The client is connected to their home network. • Blocked: Client data transfer is blocked because the home network could not be found. Forwarding table Port: Identifies the logical or physical port on which traffic is being forwarded.

  • Page 287: Mobility Client Event Log

    Mobility traffic manager Monitoring the mobility domain Mobility client event log This page lists all events for a roaming client. Date and time: Date and time that the event occurred. Category: Always set to Mobility. Operation: Possible values are: • Client tunneling: Client tunneling events indicate activities related to establishing the data tunnel to a remote controller or AP for the purposes of transporting client data to its home network.

  • Page 288

    Mobility traffic manager Monitoring the mobility domain  Client Unicast Tunneling Off: The unicast tunneling path to the indicated device (either AP or another controller) has been removed. This is normally done only when the client has disassociated or its home network has changed. ...

  • Page 289: Scenario 1: Centralizing Traffic On A Controller

    In this scenario, a single controller manages several APs deployed on different subnets. The default VSC (named HP) is assigned to each AP and is used to provide wireless services for users. All traffic on this VSC is tunneled to the controller by MTM, where it is egressed onto the wired network.

  • Page 290

    Mobility traffic manager Scenario 1: Centralizing traffic on a controller VSC configuration Enable MTM support on the VSC. 1. Select Controller > VSCs > HP. • Under Global, clear Access control. (For complete screenshot see VSC configuration options on page 5-5.)

  • Page 291

    1. Select Controller > Controlled APs > Default Group >> VSC bindings and then select HP. The VSC binding page appears.  Under VSC Profile, set VSC profile to HP. Select Egress network, and under it, set Network profile to LAN port network. ...

  • Page 292: Scenario 2: Centralized Traffic On A Controller With Vlan Egress

    In this scenario, a single controller manages several APs deployed on different subnets. The default VSC (named HP) is assigned to each AP and is used to provide wireless services for users. All traffic on this VSC is tunneled to the controller by MTM, where it is egressed onto the wired network on VLAN 40.

  • Page 293

    Mobility traffic manager Scenario 2: Centralized traffic on a controller with VLAN egress VSC configuration Enable MTM support on the VSC. 1. Select Controller > VSCs > HP. • Under Global, clear Access control. (For complete screenshot see VSC configuration options on page 5-5.)

  • Page 294

    Mobility traffic manager Scenario 2: Centralized traffic on a controller with VLAN egress 4. Select VLAN, and under it, set ID to 40. 5. Select Save. Create the VLAN Create a VLAN on the Internet port using the network profile you just defined. 1.

  • Page 295

    This scenario assumes that all APs are part of the Default Group. 1. Select Controller > Controlled APs > Default Group >> VSC bindings and then select HP. The VSC binding page appears. Under VSC Profile, set VSC profile to HP.  ...

  • Page 296: Scenario 3: Centralized Traffic On A Controller With Per-user Traffic Routing

    In this scenario, a single controller manages several APs deployed on different subnets. The default VSC (named HP) is assigned to each AP and is used to provide wireless services for users. All traffic on this VSC is tunneled to the controller by MTM, where it is egressed onto different VLANs for different user groups.

  • Page 297

    Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing VSC configuration Enable MTM support on the VSC. 1. Select Controller > VSCs > HP. • Under Global, clear Access control. (For complete screenshot see VSC configuration options on page 5-5.)

  • Page 298

    Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing This will automatically enable the 802.1X authentication option and set it to use the local user accounts. 2. Either disable Wireless security filters or set it to Custom. 3.

  • Page 299

    Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing 8. Select VLAN, and under it, set ID to 40. 9. Select Save. Create the VLANs Create VLANs on the Internet port using the network profiles you just defined. 1.

  • Page 300

    Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing 4. Select Add New VLAN. • Under General, set Port to Internet port. • Under VLAN, set VLAN ID to 40 (Network 4). • Under Assign IP address via, leave the setting at None. An address is not needed. 5.

  • Page 301

    Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing 4. Select Egress interface, and under it select Egress VLAN ID and set it to 30. 5. Select Save. 6. Select Add New Profile. 7. Under General, set Profile name to Network 4 and disable Access-controlled profile.

  • Page 302

    Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing 8. Select Egress interface, and under it select Egress VLAN ID and set it to 40. 9. Select Save. The profiles list should now look like this: 10.

  • Page 303

    Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing 11. Select Add New Account. 12. Under General: • Set User name to User A. • Set Password to a secure password. • Clear Access-controlled account. 13.

  • Page 304

    Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing 15. Select Add New Account. 16. Under General: • Set User name to User B. • Set Password to a secure password. • Clear Access-controlled account. 17.

  • Page 305

    This scenario assumes that all APs are part of the Default Group. 1. Select Controller > Controlled APs > Default Group >> VSC bindings and then select HP. The VSC binding page appears. Under VSC Profile, set VSC profile to HP.  2. Select Save.

  • Page 306: Scenario 4: Assigning Home Networks On A Per-user Basis

    Mobility traffic manager Scenario 4: Assigning home networks on a per-user basis Scenario 4: Assigning home networks on a per-user basis This scenario illustrates how to assign home networks on a per-user basis using RADIUS attributes. How it works In this scenario, wireless services have been added to two wired networks. A single controller and multiple APs are installed on each network.

  • Page 307: Configuration Overview

    Mobility traffic manager Scenario 4: Assigning home networks on a per-user basis A single VSC is used in this scenario. It is configured with the Wireless mobility, Mobility traffic manager option enabled. Home network assignment for users is done by setting RADIUS VLAN attributes which map users to one of two network profiles: Network profile name Assigned to Net1...

  • Page 308

    Select This is the primary mobility controller.  (For complete screenshot see Defining the mobility domain on page 9-9.) 2. Select Save. 1. Select Controller > VSCs > HP. Under Global  Clear Access control. (For complete screenshot see VSC configuration options on page 5-5.)

  • Page 309

    Mobility traffic manager Scenario 4: Assigning home networks on a per-user basis Network profiles 1. Select Controller > Network > Network profiles. 2. Select LAN port network. 3. Under Settings, change Name to Net1. 4. Select Save. Controller 2 configuration Mobility domain 1.

  • Page 310

    3. Under Settings, change Name to Net2. 4. Select Save. AP configuration VSC binding 1. Select Controller > Controlled APs > Default Group >> VSC bindings and then select HP. The VSC binding page appears. (For complete screenshot see VSC configuration options on page 5-5.) ...

  • Page 311

    Mobility traffic manager Scenario 4: Assigning home networks on a per-user basis Local network assignment 1. Select Controller > Controlled APs > Default group >> Configuration > Home networks. • For each AP on network 1, double-click Net1 to add it to the Local networks list. ...

  • Page 312: Scenario 5: Traffic Routing Using Vlans

    Mobility traffic manager Scenario 5: Traffic routing using VLANs Scenario 5: Traffic routing using VLANs This scenario explains how to route the traffic from users onto specific VLANs on the wired network. How it works In this scenario, traffic on a corporate network is routed using VLANs, creating several logical networks to isolate the network resources for each workgroup.

  • Page 313

    Mobility traffic manager Scenario 5: Traffic routing using VLANs A single VSC is used. It is configured with the Mobility traffic manager option enabled. Home networks for users are determined by setting RADIUS VLAN attributes, which map users to the following network profiles: Network Assigned to Assigned to...

  • Page 314

    Select This is the primary mobility controller.  (For complete screenshot see Defining the mobility domain on page 9-9.) 2. Select Save. 1. Select Controller >> VSCs > HP.  Under Global, disable Access control. (For complete screenshot see VSC configuration options on page 5-5.) ...

  • Page 315

    Mobility traffic manager Scenario 5: Traffic routing using VLANs Network profiles 1. Select Controller >> Network > Network profiles. 2. Select Add New Profile. • Under Settings, set Name to Net1. • Select VLAN. • Under VLAN, set ID to 10. 3.

  • Page 316

    Mobility traffic manager Scenario 5: Traffic routing using VLANs VLANs 1. Select Controller > Network > Ports. Initially, the VLAN configuration list will be empty. 2. Select Add New VLAN. • Under General, set Port to LAN port. • Under VLAN, set VLAN ID to 10 (Net1). 3.

  • Page 317

    Mobility traffic manager Scenario 5: Traffic routing using VLANs Controller 2 configuration Mobility domain 1. Select Controller >> Management > Device discovery. (For complete screenshot see Defining the mobility domain on page 9-9.) • Select Mobility controller discovery. • Clear This is the primary mobility controller. ...

  • Page 318

    Mobility traffic manager Scenario 5: Traffic routing using VLANs 4. Repeat steps 2 and 3 to define the following profiles: • Profile name = Net2, VLAN ID = 20 • Profile name = Net3, VLAN ID = 30 • Profile name = APs, VLAN ID = 2 5.

  • Page 319

    5. When done, the list of VLANs should look like this: AP configuration VSC binding 1. Select Controller > Controlled APs > Default Group >> VSC bindings and then select HP. The VSC binding page appears. (For complete screenshot see Binding a VSC to a group on page 6-26.) ...

  • Page 320: Scenario 6: Distributing Traffic Using Vlan Ranges

    Mobility traffic manager Scenario 6: Distributing traffic using VLAN ranges Scenario 6: Distributing traffic using VLAN ranges This scenario explains how to automatically distribute wireless network traffic onto multiple VLANs on the wired network. How it works In this scenario, traffic on a corporate network is segmented onto multiple VLANs to address performance and scalability issues.

  • Page 321

    Mobility traffic manager Scenario 6: Distributing traffic using VLAN ranges A single VSC is used. It is configured with the Wireless mobility, Mobility traffic manager option enabled. The home network for users is defined by setting the Egress network when the VSC is bound to the APs.

  • Page 322

    Select This is the primary mobility controller.  (For complete screenshot see Defining the mobility domain on page 9-9.) 2. Select Save. 1. Select Controller >> VSCs > HP. Under Global  Clear Access control. (For complete screenshot see VSC configuration options on page 5-5.)

  • Page 323

    Mobility traffic manager Scenario 6: Distributing traffic using VLAN ranges Network profiles 1. Select Controller >> Network > Network profiles. 2. Select Add New Profile.  Under Settings, set Name to Net1.  Select VLAN.  Under VLAN, set ID to 10-30. 3.

  • Page 324

    Mobility traffic manager Scenario 6: Distributing traffic using VLAN ranges 2. Select Add New VLAN. • Under General, set Port to LAN port. • Under VLAN, set VLAN ID to 10-30 (Net1). 3. Select Save. Controller 2 configuration Mobility domain 1.

  • Page 325

    Mobility traffic manager Scenario 6: Distributing traffic using VLAN ranges Network profiles 1. Select Controller >> Network > Network profiles. 2. Select Add New Profile.  Under Settings, set Name to Net2.  Select VLAN.  Under VLAN, set ID to 31-50. 3.

  • Page 326

    6-25. Call them Group 1 and Group 2. VSC binding for Group 1 1. Select Controller > Controlled APs > Group 1 >> VSC bindings and then select HP. The VSC binding page appears. • Set VSC profile to HP.

  • Page 327

    Mobility traffic manager Scenario 6: Distributing traffic using VLAN ranges VSC binding for Group 2 1. Select Controller > Controlled APs > Group 2 >> VSC bindings and then select HP. The VSC binding page appears. • Set VSC profile to HP.

  • Page 328: Subnet-based Mobility

    Mobility traffic manager Subnet-based mobility Subnet-based mobility This feature has been deprecated. If you are creating a new installation, use Mobility Traffic Manager. If you are upgrading from a previous release, your subnet-based configuration will still work. However, for added benefits and greater flexibility you should migrate your setup to Mobility Traffic Manager.

  • Page 329

    Chapter 10: User authentication, accounts, and addressing User authentication, accounts, and addressing Contents Introduction ........................10-3 Authentication support..................10-3 Other access control methods ................10-5 Using more than one authentication type at the same time ......10-6 User authentication limits ..................10-7 802.1X authentication ....................10-8 Supported 802.1X protocols ................10-9 Configuring 802.1X support on a VSC.............10-10 Configuring global 802.1X settings for wired users ........10-12...

  • Page 330

    User authentication, accounts, and addressing Locally-defined user accounts ................10-26 Features ......................10-26 Defining a user account ..................10-30 Defining account profiles .................10-32 Defining subscription plans ................10-35 Accounting persistence ..................10-36 User addressing and related features ..............10-36 10-2...

  • Page 331: Introduction

    User authentication, accounts, and addressing Introduction Introduction Note This chapter discusses user authentication as it applies to the controller and controlled APs only. For information on authentication when working with autonomous APs, see Chapter 19: Working with autonomous APs. User authentication tasks can be handled either by the AP or by the controller. This is controlled by the settings of the access control and authentication options on the VSC to which a user is connected.

  • Page 332

    User authentication, accounts, and addressing Introduction The table has the following columns: Auth type; Use controller for option is set to: Authentication and Access control; Authentication; Neither; For more information, see ... Row MAC-based (VSC): Wireless users authenticated via: ...; Wireless users authenticated via: ...; Wireless + wired users authenticated via: ...; Configuring MAC-based...

  • Page 333: Other Access Control Methods

    User authentication, accounts, and addressing Introduction Other access control methods Although not authentication options, the following features can also be used to limit access to the wireless port. The table has the following columns: Feature; The Use controller for option is set to: Authentication and ...; For more information, see ...

  • Page 334: Using More Than One Authentication Type At The Same Time

    User authentication, accounts, and addressing Introduction Using more than one authentication type at the same time For added flexibility, you can enable multiple authentication types on a VSC at the same time to support users with different needs. How this works depends on the setting of the Use Controller for option in the VSC.

  • Page 335: User Authentication Limits

    User authentication, accounts, and addressing Introduction Wireless MAC filter setting / Result: Client address is in the list and the filter is set to allow: Client access is granted. MAC-based authentication is not performed. Client address not in the list: Client access is granted or denied based on the result of MAC-based authentication.

  • Page 336

    User authentication, accounts, and addressing 802.1X authentication 802.1X authentication 802.1X is a popular protocol for user authentication that is natively supported on most client stations. 802.1X authentication can be configured at different levels as described in the following table. Authentication tasks are managed by either the controller or the AP. Switch port: Authentication tasks are managed by the...

  • Page 337: Supported 802.1x Protocols

    User authentication, accounts, and addressing 802.1X authentication Supported 802.1X protocols The following table lists the 802.1X protocols supported by the internal RADIUS server on the controller, and when using a third-party RADIUS server. The table has the following columns: Protocol; Local user accounts (via internal RADIUS server); Third-party RADIUS server; Certificates required...

  • Page 338: Configuring 802.1x Support On A Vsc

    User authentication, accounts, and addressing 802.1X authentication  EAP-FAST: Extensible Authentication Protocol Flexible Authentication via Secure Tunneling. Can use a pre-shared key instead of server-side certificate. Configuring 802.1X support on a VSC Each VSC can have unique settings for 802.1X authentication. These settings are defined on the VSC profile page.

  • Page 339

    User authentication, accounts, and addressing 802.1X authentication Note When the Wireless protection option in a VSC is set to WPA with a Key source of Dynamic, 802.1X is automatically enabled. Authentication Local User logins are authenticated with the list defined on the Controller >> Users > User accounts page.

  • Page 340: Configuring Global 802.1x Settings For Wired Users

    User authentication, accounts, and addressing 802.1X authentication Called-Station-ID content (Only available when Access control is disabled under Global) Select the value that the AP (with which the user has established a wireless connection) will return as the called station ID. ...

  • Page 341: Configuring Global 802.1x Settings For Wireless Users

    User authentication, accounts, and addressing 802.1X authentication Reauthentication Enable this option to force 802.1X clients to re-authenticate after the specified Period. • Period: Client stations must reauthenticate after this amount of time has passed since their last reauthentication. • Terminate ...

  • Page 342: Configuring 802.1x Support On An Msm317 Switch Port

    User authentication, accounts, and addressing MAC-based authentication Reauthentication Enable this option to force 802.1X clients to reauthenticate. Period Specify the interval at which client stations must reauthenticate. Terminate • Disabled: Client station remains connected during reauthentication. Client traffic is blocked only when reauthentication fails. ...

  • Page 343

    MAC authentication can be configured at several different levels (including Global and Switch port) as described in the following table; each column states who handles authentication: "Authentication is handled by the ...", "Authentication is handled by either ...", "Authentication is handled by the controller."

  • Page 344: Configuring Global Mac-based Authentication

    MAC-based filtering: In addition, MAC-based filters can also be used to manage access to the network. Filtering occurs on the AP wireless interfaces; applies to wireless client stations only. Switch port: Filtering occurs individually on each MSM317 switch port.

  • Page 345: Configuring Mac-based Authentication On A Vsc

    Configuring MAC-based authentication on a VSC Each VSC can have unique settings for MAC authentication of wireless client stations. These settings are defined on the VSC profile page. (To open this page, see Viewing and editing VSC profiles on page 5-4).

  • Page 346

    Remote User logins are authenticated via an external RADIUS server. To define the connection to an external RADIUS server, go to the Controller >> Authentication > RADIUS profiles page. To successfully authenticate a client station, an account must be created on the RADIUS server with both username and password set to the MAC address of the client station.

  • Page 347: Configuring Mac-based Authentication On An Msm317 Switch Port

    Configuring MAC-based authentication on an MSM317 switch port If a switch port on the MSM317 is not bound to a VSC, then MAC-based authentication can be enabled on it. Select Controlled APs > [MSM317-AP] >> Configuration > Switch ports >...

  • Page 348: Configuring Mac-based Filters On An Msm317 Switch Port

    To configure MAC-based filters on an MSM317 switch port, do the following: 1. Open the management tool on the MSM7xx Controller. 2. Select Controller >> Authentication > MAC lists. 3. Select Add New MAC List. The Add/Edit MAC list page opens.

  • Page 349

    5. Under MAC list, specify the MAC address and mask that you want to match, then select Add. For example: The following definition matches a single MAC address: MAC address = 00:03:52:07:2B:43 Mask = FF:FF:FF:FF:FF:FF By changing the last digit of the mask, the definition now matches a range of MAC ...

  • Page 350: Html-based Authentication

    User authentication, accounts, and addressing HTML-based authentication HTML-based authentication HTML-based authentication is used with the public/guest access feature described in Chapter 14: Public/guest network access. It enables users to log in to the public access interface using a standard Web browser. HTML-based authentication has the following properties: ...

  • Page 351

    Authentication If both the Local and Remote options are active, the controller first checks the local user accounts (defined on the Controller >> Users > User accounts page). If the user does not appear in the list, then the controller queries the remote server (Active Directory or RADIUS).

  • Page 352

    User authentication, accounts, and addressing VPN-based authentication VPN-based authentication VPN-based authentication can be used to provide secure access for client stations on VSCs that do not have encryption enabled. VPN-based authentication has the following properties:  Authentication is managed by the controller. ...

  • Page 353

    When the Use controller for Authentication and Access control options are enabled under General, VPN-based user login options can be defined. Authentication Local User logins are authenticated with the list defined on the Controller >> Users > User accounts page.

  • Page 354: No Authentication

    User authentication, accounts, and addressing No authentication No authentication For applications where a remote device performs all authentication functions, it can be useful to disable authentication on the controller and instead forward all traffic on a VSC into an egress GRE tunnel or egress VLAN for authentication by the remote device. Note Because the controller routes traffic to the VSC egress, L2 information from the user is lost and only L3 information is available to the remote authentication device.

  • Page 355

    User authentication, accounts, and addressing Locally-defined user accounts VSC usage User accounts can be restricted to specific VSCs. If the specified VSC is not available, then the user will not be able to connect with the account. Account profiles An account profile is used to define a specific set of features for a user account.

  • Page 356

    Attribute / For more info see: default-user-max-output-rate: Default user data rates on page 15-53. default-user-bandwidth-level: Default user bandwidth level on page 15-51. default-user-use-public-ip-subnet: Default user bandwidth level on page 15-51. Example This example illustrates how to indirectly customize the Default AC profile by defining several attributes, and shows how these settings are then reflected in the Default AC profile and the user account.

  • Page 357

    These two attributes appear in the Default AC profile under Session time attributes:

  • Page 358: Defining A User Account

    And the attributes appear in access-controlled user accounts under Effective attributes: Defining a user account 1. Select Controller >> Users > User accounts. The User accounts page opens. It presents a list of all defined user accounts. Initially this list is empty.

  • Page 359

    2. Select Add New Account. The Add/Edit user account page opens.

  • Page 360: Defining Account Profiles

    If you disable the Access-controlled account option, the page will look like this: 3. Configure account options as described in the online help. Defining account profiles 1. Select Controller >> Users > Account profiles. The Account profiles page opens. It presents a list of all defined profiles.

  • Page 361

    2. Select Add New Profile. The Add/Edit account profile page opens.

  • Page 362

    If you disable the Access-controlled account option, the page will look like this: 3. Configure profile options as described in the online help.

  • Page 363: Defining Subscription Plans

    Defining subscription plans 1. Select Controller >> Users > Subscription plans. The Subscription plans page opens. It presents a list of all defined subscription plans. 2. Select Add New Plan. The Add/Edit subscription plan page opens. 3.

  • Page 364: Accounting Persistence

    User authentication, accounts, and addressing User addressing and related features Public IP address This feature enables a public IP address to be assigned to any client station. This makes the client station address visible to devices on the external network, allowing external devices to create connections with the client station.

  • Page 365

    Feature / Description / For more information, see: Network address translation (NAT): Hides the IP addresses of all users on the protected network from the public network. See NAT on page 3-30. Extend Internet port subnet to LAN port: Enables a third-party DHCP server to ... See Extend Internet port...

  • Page 366

    User authentication, accounts, and addressing User addressing and related features

  • Page 367

    Chapter 11: Authentication services. Contents: Introduction (11-2); Using the integrated RADIUS server (11-2); Server configuration (11-3); User account configuration (11-5); Using a third-party RADIUS server (11-5); Configuring a RADIUS server profile on the controller (11-6); Using an Active Directory server (11-10); Active Directory configuration (11-11); Configuring an Active Directory group (11-13); Configuring a VSC to use Active Directory (11-16)...

  • Page 368

    Authentication services Introduction Introduction This chapter explains how to configure the different authentication services that the controller can use to authenticate user logins and administrator logins. The following table summarizes the services that are available and what they can be used for. Service Description For details, see ...

  • Page 369: Server Configuration

    Authentication services Using the integrated RADIUS server Primary features  Provides termination of 802.1X sessions at the controller for clients using WPA/WPA2 with EAP-PEAP, EAP-TLS and EAP-TTLS. Support for other EAP protocols is available using proxy mode. Provides MAC-based authentication of wireless users connected to both controlled and ...

  • Page 370

    Configuration parameters RADIUS server Detect SSID from NAS-Id Enable this option when working with third-party APs to permit the controller to retrieve the SSID assigned to the AP, and therefore assign user traffic to the appropriate VSC. For this to work, the AP must be configured to send its SSID as the NAS ID in all authentication and accounting requests.

  • Page 371: User Account Configuration

    Authentication services Using a third-party RADIUS server Shared secret Specify the secret (password) that a RADIUS client must use to communicate with the RADIUS server. Default shared secret Note Applies to autonomous APs only. Requests from controlled APs are always accepted because they use the management tunnel.

  • Page 372: Configuring A Radius Server Profile On The Controller

    The following authentication types can make use of an external third-party RADIUS server. Service / For details, see: 802.1X (VSC): 802.1X authentication on page 10-8. MAC-based (Global): MAC-based authentication on page 10-14. MAC-based (VSC): MAC-based authentication on page 10-14. HTML-based: HTML-based authentication on page 10-22...

  • Page 373

    2. Select Add New Profile. The Add/Edit RADIUS Profile page opens. 3. Configure the profile settings as described in the following section. 4. Select Save. Configuration parameters Profile name Specify a name to identify the profile. Settings ...

  • Page 374

    RADIUS servers, if a secondary server is defined. A reply that is received after the retry interval expires is ignored. Retry interval applies to access and accounting requests that are generated by the following: Manager or operator access to the management tool ...

  • Page 375

    Primary/Secondary RADIUS server Server address: Specify the IP address or fully-qualified domain name of the RADIUS server. Secret/Confirm secret: Specify the password for the controller to use to communicate with the RADIUS server. The shared secret is used to authenticate all packets exchanged with the server, proving that the packets originate from a valid/trusted source.

  • Page 376: Using An Active Directory Server

    Authentication services Using an Active Directory server Support for regular expressions in realm names Standard regular expressions can be used in realm names. For example: Expression / Matches: mycompany[1-3].com matches mycompany1.com, mycompany2.com, mycompany3.com. .*mycompany.com matches mycompany.com with any number of characters in front of it.

  • Page 377: Active Directory Configuration

    Active Directory configuration To configure Active Directory support, select Controller >> Authentication > Active Directory. Note It is important that the system time on the controller is accurate when an Active Directory server is being used. To set the time, select Controller >> Management > System time. Active directory settings General Device name...

  • Page 378

    Use LDAP attribute: For non-standard implementation of Active Directory, set this according to the equivalent setting on the Active Directory server. Join Before the controller can process user authentication using Active Directory, you must join the controller with the Active Directory server.

  • Page 379: Configuring An Active Directory Group

    If no match is found, the attributes defined for one of the default groups are applied as follows: If the VSC the user logged in on is access-controlled then the Default AC Active Directory group is used.

  • Page 380

    Configuration parameters General Group name Specify a name to identify the group. This name must match an existing Active Directory Organizational Unit configured on the Active Directory Server. Active Enable this option to activate the group. The group cannot be used until it is active. Access-controlled group Determines whether the group is access-controlled or not.

  • Page 381

    About the Default AC profile The Default AC profile is always present and is always applied to all Active Directory groups. You can use this profile to add additional attributes that are not configurable in an account profile.

  • Page 382: Configuring A Vsc To Use Active Directory

    Configuring a VSC to use Active Directory Any VSC feature that can be configured to support remote authentication can be configured to use Active Directory. For example, with HTML logins.

  • Page 383

    Chapter 12: Security. Contents: Firewall (12-2); Firewall presets (12-2); Firewall configuration (12-4); Customizing the firewall (12-4); Working with certificates (12-5); Trusted CA certificate store (12-5); Certificate and private key store (12-7); Certificate usage (12-9); About certificate warnings (12-10); IPSec certificates (12-11); MAC lockout (12-13)...

  • Page 384: Firewall

    Security Firewall Firewall To safeguard your network from intruders, the controller features a customizable stateful firewall. The firewall operates on the traffic streaming through the Internet port. It can be used to control both incoming and outgoing data. A number of predefined firewall rules let you achieve the security level you need without going to the trouble of designing your own rules.

  • Page 385

    The following tables indicate how some common applications are affected by the preset firewall settings. Outgoing traffic, firewall setting High: FTP (passive mode) Passed; FTP (active mode) Passed; Web (HTTP, HTTPS) Passed; SNMP Passed; Telnet Passed; Windows networking Blocked; ping Passed...

  • Page 386: Firewall Configuration

    Firewall configuration To configure a firewall, select Controller >> Security > Firewall. The Firewall configuration page opens. Select Preset firewall to use a preconfigured firewall setting of High or Low. Select View to see the firewall rules for the selected setting. ...

  • Page 387: Working With Certificates

    Rules operate on IP datagrams (sometimes called packets). Datagrams are the individual packages of data that travel on an IP network. Each datagram contains addressing and control information along with the data it is transporting. The firewall analyses the addressing and control information to apply the rules you define.

  • Page 388

    The controller uses these certificates to validate certificates supplied by: Managers or operators accessing the controller’s management tool. HTML users accessing the public access interface. SOAP clients communicating with the controller’s SOAP server. RADIUS EAP ...

  • Page 389: Certificate And Private Key Store

    It is used to support credit card payments via Authorize.Net.  Management Console Dummy Authority: Used when the management tool communicates with HP PCM/PMM software. Note For security reasons, you should replace the default certificates with your own. Certificate and private key store This list displays all certificates installed on the controller.

  • Page 390

    Default installed private key/public key certificate chains The following private key/public key certificate chains are installed by default:  wireless.hp.internal: Default certificate used by the management tool, SOAP server, and HTML-based authentication.  Dummy Server Certificate: Used by the internal RADIUS server. This certificate is present only to allow EAP-PEAP to work if the client chooses not to verify the server's certificate.

  • Page 391: Certificate Usage

    Note When a Web browser connects to the controller using SSL/TLS, the controller sends only its own X.509 certificate to the browser. This means that if the certificate has been signed by an intermediate certificate authority, and if the Web browser only knows about the root certificate authority that signed the public key certificate of the intermediate certificate authority, the Web browser does not get the whole certificate chain it needs to validate the identity of the controller.

  • Page 392: About Certificate Warnings

    Changing the certificate assigned to a service. Select the service name to open the Certificate details page. For example, if you select Web management tool, you will see: Under Authentication to the peer, select a new Local certificate and then select Save. About certificate warnings Access to the management tool and the public access interface Login page occurs through a secure connection (SSL/TLS).

  • Page 393: Ipsec Certificates

    IPSec certificates IPSec certificates are managed on the lower portion of the Controller >> VPN > IPSec page. IPSec — Trusted CA certificates The controller uses the CA certificates to validate the certificates supplied by peers during the authentication process.

  • Page 394

    Note If the local certificate includes a CA certificate, both certificates are installed. Certificate Request Wizard: Helps you to generate a certificate request that can be used to obtain a signed certificate from a certificate authority. Once you obtain the certificate, you can use the Certificate Request Wizard to install it on the controller.

  • Page 395: Mac Lockout

    Security MAC lockout MAC lockout This feature lets you block traffic from client stations based on their MAC address. MAC lockout applies to client stations connected to: Wireless ports on controlled APs; Wired ports (including switch ports) on controlled APs ...

  • Page 396

    Security MAC lockout

  • Page 397

    Chapter 13: Local mesh. Contents: Key concepts (13-2); Simultaneous AP and local mesh support (13-2); Using 802.11a/n for local mesh (13-3); Quality of service (13-3); Maximum range (ack timeout) (13-4); Local mesh terminology (13-5); Local mesh operational modes (13-6); Node discovery (13-6); Operating channel (13-6); Local mesh profiles (13-7); Configuration guidelines (13-8)...

  • Page 398

    Local mesh Key concepts Key concepts The local mesh feature enables you to create wireless links between two or more APs. These links provide a wireless bridge that interconnects the networks connected to the Ethernet port on each AP. The local mesh feature replaces the need for Ethernet cabling between APs, making it easy to extend your network in hard-to-wire locations or in outdoor areas.

  • Page 399: Using 802.11a/n For Local Mesh

    Multiple radio APs On APs with more than one radio, one radio can be dedicated to support wireless users and another to provide local mesh links. Each radio can be configured optimally according to its application. Using 802.11a/n for local mesh It is recommended that 802.11a/n in the 5 GHz band be used for local mesh links whenever possible.

  • Page 400: Maximum Range (ack Timeout)

    Maximum range (ack timeout) This is a global setting that is configurable on the Radio page when the Operating mode is set to support Local mesh. It fine tunes internal timeout settings to account for the distance that a link spans.

  • Page 401: Local Mesh Terminology

    Local mesh Local mesh terminology Local mesh terminology The following table defines terms that are used in this guide when discussing the local mesh feature. (Diagram labels: Root network; Root node; AP 1; AP 2; AP 3; Alternate master node; Slave node.) Term / Definition: Node...

  • Page 402: Local Mesh Operational Modes

    Local mesh Local mesh operational modes Local mesh operational modes Three different roles can be assigned to a local mesh node: Master, Alternate Master, or Slave. Each role governs how upstream and downstream links are established by the node.  Master: Root node that provides the upstream link to the ground network that the other nodes want to reach.

  • Page 403: Local Mesh Profiles

    Local mesh Local mesh profiles If the local mesh does not operate on a DFS channel, configure the radios in one of the following ways:  Configure the radios on all nodes to use the same fixed channel.  Configure the radios for automatic channel selection. In this case the master selects the least noisy channel.

  • Page 404: Configuration Guidelines

    Local mesh profiles are configurable at the controlled APs, group, or AP level. To view all profiles select Controller > Controlled APs >> Configuration > Local mesh. Or you can expand Controlled APs and select a group or specific AP. The following is an example of the profile list displayed when selecting Controlled APs >>...

  • Page 405: Configuring A Local Mesh Profile

    Configuring a local mesh profile To configure profiles #1 to #6, select a name in the list. The Local mesh profile page opens. For Slave and Alternate Master, the Settings box shows the additional options, for example Alternate Master: General Enabled/Disabled...

  • Page 406

    Settings Mode Three different roles can be assigned to a node: master, alternate master, or slave. Each role governs how links are established. Links are defined as either upstream or downstream. Master: The master is the root node that provides the upstream connection to the ground network that the other nodes want to reach.

  • Page 407

    This feature has been deprecated. If you are creating a new installation, use AES/CCMP. If you are upgrading from a previous release, your existing configuration will still work. Enables WEP to secure traffic on the wireless link. Specify the encryption key the node will use to encrypt/decrypt all data it sends and receives.

  • Page 408: Provisioning Local Mesh Links

    Local mesh Provisioning local mesh links Provisioning local mesh links APs operating in controlled mode must be able to discover and connect with a controller. When operating as part of a local mesh, any AP that can only discover the controller via a wireless link must be provisioned before being deployed.

  • Page 409

    In this example, AP 1, AP 2, and AP 4 are all provisioned with the same settings as follows: Use the Local mesh radio configuration table to define local mesh settings for each product type.

  • Page 410

    Note All APs must be configured for the same country so that the local mesh established respects local RF regulations. To define the country setting, see Assigning country settings to a group on page 6-30.

  • Page 411: Sample Local Mesh Deployments

    Local mesh Sample local mesh deployments Sample local mesh deployments RF extension Local mesh provides an effective solution for extending wireless coverage in situations where it is impractical or expensive to run cabling to an AP. In this scenario, a wireless bridge is used to extend coverage of the wireless network. Both APs are equipped with omni-directional antennas, enabling them to deliver both AP capabilities and wireless bridging using local mesh capabilities.

  • Page 412: Dynamic Network

    Dynamic network In this scenario, a controller is deployed with several APs to provide wireless coverage of a large area. Instead of using a backbone LAN, wireless links are used to interconnect all APs. AP 1 is the master.

  • Page 413

    Chapter 14: Public/guest network access. Contents: Introduction (14-3); Key concepts (14-4); Access control (14-4); Access lists (14-5); The public access interface (14-5); Location-aware (14-7); Configuring global access control options (14-8); User authentication (14-9); Client polling (14-10); User agent filtering (14-10); Zero configuration (14-11); Location configuration (14-12); Display advertisements (14-12)...

  • Page 414

    Public/guest network access contents (continued): Customizing the public access Web pages (14-24); Site file archive (14-24); FTP server (14-24); Current site files (14-25); Configuring the public access Web server (14-32); Options (14-33); Ports (14-33); MIME types (14-33); Security (14-34); Managing payment services (14-35); Payment services configuration (14-35); Service settings (14-35); Billing record logging (14-42); Settings (14-42)...

  • Page 415

    Public/guest network access Introduction Introduction The Public/Guest Network Access feature enables you to provide controlled network access for a variety of deployments. Some common applications of this feature are:  Providing Internet access to wireless customers in airports, restaurants, train stations, conference halls, etc.

  • Page 416

    Public/guest network access Key concepts Key concepts Access control When the Access control option is enabled on a VSC, it creates an access-controlled VSC. This means that for all traffic on the VSC, the controller acts as the gatekeeper between two distinct network segments: the public network and the protected network.

  • Page 417: Access Lists

    Access lists An access list is a set of rules that governs how the controller manages access to the public and private network resources. You can create multiple access lists, each with multiple rules, enabling you to create public areas on your network that all users can browse, and protected areas that are restricted to specific user accounts or groups.

  • Page 418

    When a wireless user attempts to browse a Web site that is on the protected network, the user is redirected to the public access interface Login page. The following screen shot shows the default login page provided with the controller. After the user successfully logs in, the session and welcome pages appear.

  • Page 419

    For more information on the public access Web pages, see: Public access interface control flow on page 14-13; Customizing the public access interface on page 14-14. Location-aware The location-aware feature enables you to control logins to the public access network based on the wireless AP to which a user is connected.

  • Page 420: Configuring Global Access Control Options

    Public/guest network access Configuring global access control options Configuring global access control options Global access control settings are managed by selecting Controller >> Public access > access control. The access control mechanism is used by the controller to manage user access to network resources.

  • Page 421: User Authentication

    User authentication Allow access if authentication timed out Enable this option to give users free access to the protected network if authentication services configured for a VSC are unavailable. Once the authentication services are available again, free user sessions remain active until the user logs out.

  • Page 422: Client Polling

    Reauthenticate users on location change When this option is enabled, the controller will automatically reauthenticate users when they switch to: a wireless cell with a different SSID; a different VLAN ID on the same VSC ...

  • Page 423: Zero Configuration

    Blocked agents This is the list of user-agent strings that the controller will use to block client applications. If an application’s user-agent string appears in this list, it will be blocked. When the list is empty, all valid HTTP login requests are redirected. For example, add the word Torrent to the list to stop HTTP login requests coming from the BitTorrent 6.3 client application.

  • Page 424: Location Configuration

    SMTP authentication: When the controller redirects user SMTP traffic, the server to which the traffic is redirected may need to authenticate the controller. Enable this option to allow the controller to supply a username and password to the server. You can define the username and password in the RADIUS account for the controller or for the user.

  • Page 425: Public Access Interface Control Flow

    Public/guest network access Public access interface control flow Public access interface control flow The following two diagrams provide an overview of the default public access interface Web page flow. All site Web pages are identified by their role: Login, Welcome, Logout, etc. This abstraction is used because the name of the actual page used for a particular role is configurable in many cases.

  • Page 426: Customizing The Public Access Interface

    Public/guest network access Customizing the public access interface [Flow diagram: Subscribe page (subscribe.asp) → payment method choice (Credit Card via WorldPay *1, or Credit Card via Authorize.net *1) → Account page (account.asp), Name / Password → Payment page (payment.asp) → Go to WorldPay, or enter credit card info.]

  • Page 427: Sample Public Access Pages

    Sample public access pages Some of the examples in this chapter make use of files contained in the Public Access Examples zip file. This file is available at www.hp.com/networking/public-access-examples. Common configuration tasks Customizing the login, welcome, or goodbye page 1.

  • Page 428

    Access list example on page 15-40). 1. Retrieve the Public Access Examples zip file at www.hp.com/networking/public-access-examples. 2. Create the following two folders on your Web server: basic and premium. 3. Copy the files welcome.html and goodbye.html from the Examples zip file into both the basic and premium folders on the web server.

  • Page 429

    Public/guest network access Customizing the public access interface Delivering dynamically generated content Another way to generate custom pages is to add placeholders in the URLs for the custom external pages and then use server-side scripting to dynamically create the pages. This method provides a powerful mechanism to automatically generate completely customized pages on a per-user basis.

  • Page 430

    Public/guest network access Customizing the public access interface Customizing error messages To customize the error messages, edit the appropriate messages in the files listed in the following table, using the Controller >> Public access > Web content page. If an error occurs on Messages are taken from Login page (index.asp) login_error_message.asp...

  • Page 431: Setting Site Configuration Options

    Public/guest network access Setting site configuration options How it works 1. When a user enters http://network.logout in their browser, the controller resolves it to 10.10.1.1. 2. The controller then intercepts any TCP traffic destined for 10.10.1.1 on port 80 and redirects it to 192.168.1.1 on port 8081.

  • Page 432: Allow Subscription Plan Purchases

    Public/guest network access Setting site configuration options Allow subscription plan purchases When enabled, the Subscribe to this service option is displayed on the default Login page (index.asp). This option provides a link to the default Subscription page (subscribe.asp), where users can choose one of the subscription plans defined on the Controller >>...

  • Page 433: Support A Local Welcome Page

    Public/guest network access Setting site configuration options A user account is automatically created for each user that selects the Free Access option. Each account has the following properties: • The account name and password are set to the MAC address of the user’s device. ...

  • Page 434: Use Frames When Presenting Ads

    Public/guest network access Setting site configuration options Use frames when presenting ads This option controls how advertising is displayed: • When this option is enabled, the logo and advertisement are displayed in a frame at the top of the page. • When this option is disabled, the logo and advertisement are displayed on a separate page.

  • Page 435: Allow SSLv2 Authentication

    Public/guest network access Setting site configuration options Allow SSLv2 authentication Enable this option to support client stations that use SSL v2 for their HTTPS connections. When disabled, the controller only supports client stations that are using SSL v3 for HTTPS connections.

  • Page 436: Customizing The Public Access Web Pages

    Public/guest network access Customizing the public access Web pages Customizing the public access Web pages To view, edit, and customize the public access interface Web pages, select Controller >> Public access > Web content. Site file archive Use these options to manage the files on the Web server as a single archive file (zip format). Save current site files to archive Saves all the current site files to an archive file.

  • Page 437: Current Site Files

    Public/guest network access Customizing the public access Web pages Select Configure to define its operational settings. Note For security reasons you should disable the FTP server once the controller is deployed. Or at minimum, define security filters to restrict FTP access. User Specify the username and password that will be required when connecting to the FTP server.

  • Page 438

    Public/guest network access Customizing the public access Web pages Add New File Select this button to create a new text-based file on the server. Reset to Factory Default Content Select this button to reset the site files to factory default content. You should make a backup copy of the current content using the Site file archive options before restoring factory defaults.

  • Page 439

    Public/guest network access Customizing the public access Web pages ads.jpg image/jpeg This is the default advertisement that is displayed. fail.asp text/html This is a generic error reporting page that is called by various other pages to present an error message. goodbye.asp text/html When a user logs out (by selecting the Logout button on the session.asp page, for...

  • Page 440

    Public/guest network access Customizing the public access Web pages payment.asp text/html This page is called by account.asp when a user selects Next. It displays a summary of the user’s subscription selection. For the Authorize.Net payment service • Credit card information is requested. ...

  • Page 441

    Public/guest network access Customizing the public access Web pages prototype.js application/javascript Javascript library used to support AJAX for use in session_ajax.asp and subscription_details.asp. public-ip.asp text/html Message page that is displayed explaining the steps a user must follow to activate a public IP address.

  • Page 442

    Public/guest network access Customizing the public access Web pages session_ajax.asp text/html This page is specially designed for AJAX, and provides a JSON page format for use by session.js to provide the same content as session.asp but for Javascript-enabled browsers. This enables smart refresh of the session data; only changed data is updated, not the entire page, eliminating screen flickering.

  • Page 443

    Public/guest network access Customizing the public access Web pages subscription_details_ajax.asp text/html Included by subscription_details.asp. Provides smart updates for Javascript-based browsers. This page is specially designed for AJAX, and provides a JSON page format for use by subscription_details.js to provide the same content as subscription_details.asp but for Javascript-enabled browsers.

  • Page 444: Configuring The Public Access Web Server

    Public/guest network access Configuring the public access Web server welcome.asp text/html This page is called after the login process is complete if Support a local Welcome page is enabled on the Controller >> Public access > Web content page under Site options.

  • Page 445: Options

    Public/guest network access Configuring the public access Web server Options NOC-based authentication Enable this option to support NOC-based authentication. NOC-based authentication must be used in conjunction with the remote login page feature. The remote login page feature enables users to be redirected to a remote Web server to log in instead of using the internal login page on the controller.

  • Page 446: Security

    Public/guest network access Configuring the public access Web server This page lists all MIME types that are currently defined on the Web server. A number of common MIME types are defined by default. (Some of the default definitions cannot be changed.) Select Add New MIME Type to define your own MIME type.

  • Page 447: Managing Payment Services

    Public/guest network access Managing payment services Managing payment services The controller can directly interact with payment processing services such as Authorize.Net and WorldPay, so that users can pay for network access from within their Web browser. Payment services configuration To configure payment services, follow this procedure: 1.

  • Page 448

    Public/guest network access Managing payment services The controller maintains a billing log that provides a simple audit trail of all transactions. The log supports the buffering and retransmission of up to 2000 billing records to an external billing records server. You can configure log options on the Controller >> Public access > Records page.

  • Page 449

    Public/guest network access Managing payment services  You must configure the payment response URL in your Worldpay customer account to point to the public access web server on the controller. This tells Worldpay where to post information about transactions. The format for the URL is: https://host_name:port/goform/HtmlWorldpayPaymentResponse Where: ...

  • Page 450

    Public/guest network access Managing payment services Mode • Test: Use this option to test your setup to make sure that everything is working properly. Requests are sent to the PayPal test server at: https://api-3t.sandbox.paypal.com/nvp When users select the Checkout with PayPal button, they are redirected to: https://www.sandbox.paypal.com/ For more information on using the test server, see the PayPal developer network at https://www.x.com/community/ppx/testing...

  • Page 451

    Public/guest network access Managing payment services 2. The user chooses a subscription plan and then selects Next. page name= subscribe.asp 3. The user reviews the subscription plan information, specifies a username and password for the new account, and then selects Next. page name= account.asp 4.

  • Page 452

    Public/guest network access Managing payment services 5. The user is redirected to the PayPal site. A banner placed at the top of the page shows the merchant's name. The user enters their PayPal username and password and selects Log In to sign into PayPal. 6.

  • Page 453

    Public/guest network access Managing payment services 7. The user is redirected back to the controller public access interface, which presents a summary of the transaction. To continue, the user selects Confirm. The controller queries the PayPal server to approve the transaction. page name= paypal-return.asp 8.

  • Page 454: Billing Record Logging

    Public/guest network access Billing record logging Billing record logging The billing records logging system provides a simple audit trail of all billing transactions. The log supports the buffering and retransmission of up to 2000 billing records to one or more external billing records servers. Log transmission occurs using the HTTP/1.1 POST method with a completely customizable data format.

  • Page 455: Persistence

    Public/guest network access Billing record logging When this option is disabled, the oldest untransmitted record is removed from the log to make room for the new record. Configure Record Formats Select this button to edit the transmission, export, and acknowledgement formats for the billing records.

  • Page 456: External Billing Records Server Profiles

    Public/guest network access Billing record logging External billing records server profiles This list displays all configured billing records server profiles. Billing records are sent to the servers defined in this list as follows: • A copy of the current billing record is sent to each primary server. By adding multiple primary servers you create data mirroring and reduce the risk of a record being lost.

  • Page 457

    Public/guest network access Billing record logging Profile name: Specify a name to identify the server profile. Hostname/IP address: IP address or hostname of the server. Port: Port on which to send the HTTP post. URL: URL to which the HTTP post will be sent. Transmission timeout: Amount of time that the controller waits for an HTTP response for a transmitted record.

  • Page 458

    Public/guest network access Billing record logging Validate server certificate When enabled, the controller will validate the external billing server certificate. For this to be successful, you must install the billing server CA certificate in the Trusted CA certificate store on the Security > Certificate stores page. Use HTTP authentication Enable this option if the billing server requires a username and password.

  • Page 459: Billing Records Log

    Public/guest network access Billing record logging Billing records log This table displays the contents of the billing records log. The log can hold up to 2000 records. When full, records are deleted in the following order: 1. Records that have been successfully transmitted. 2.

  • Page 460: Location-aware Authentication

    Public/guest network access Location-aware authentication Billing method Identifies the billing method: • CC_WORLDPAY • CC_AUTHORIZE_NET • CC_PAYPAL Transmission state • Transmitting: The record is being transmitted. • Queued: The record is queued for transmission. • Transmission Disabled: Transmission of the record was disabled. Once records fall into this category they cannot be retransmitted.

  • Page 461

    The controller can return the following attributes in the RADIUS access request for all user authentications (whether initial login or re-authentication due to roaming): • Called-station-ID (Standard RADIUS attribute) • HP-specific attribute: SSID • HP-specific attribute: GROUP Note When re-authenticating users, the returned RADIUS attribute Service-Type is set to 8744 (decimal).

  • Page 462

    Public/guest network access Location-aware authentication Example Consider the following topology for a fictional small hotel. The restaurant and lounge are available to all hotel users who subscribe to the wireless service. However, the conference room is available only to a specific group of guests who book it in advance. Broadband modem Network Operating...

  • Page 463

    Chapter 15: Working with RADIUS attributes Working with RADIUS attributes Contents Introduction ........................15-3 Controller attributes overview .................15-4 Customizing the public access interface using the site attribute ....15-4 Defining and retrieving site attributes ..............15-5 Controller attribute definitions................15-8 User attributes ......................15-13 Customizing user accounts with the user attribute ........15-13 Defining and retrieving user attributes............15-14 User attribute definitions .................15-20 Administrator attributes..................15-31...

  • Page 464

    Working with RADIUS attributes Global MAC-based authentication..............15-56 Multiple login servers..................15-57 Redirect URL......................15-59 NOC authentication...................15-62 HP WISPr support .....................15-62 Traffic forwarding (dnat-server)..............15-63 Multiple DNAT servers..................15-64 Colubris AV-Pair - User attribute values..............15-67 Access list ......................15-67 Advertising ......................15-68 Bandwidth level ....................15-68 Data rate ......................15-69 One-to-one NAT ....................15-69...

  • Page 465

    Working with RADIUS attributes Introduction Introduction RADIUS attributes can be used to customize a wide range of configuration settings on the controller. This includes defining configuration settings for the public access interface, customizing the settings of access-controlled user accounts, or configuring credentials for the administrative accounts that are used to manage/operate the controller.

  • Page 466: Controller Attributes Overview

    Customizing the public access interface using the site attribute HP has defined a vendor-specific RADIUS attribute to support configuration of the public access interface and user accounts. This attribute conforms to RADIUS RFC 2865 and is called the Colubris AV-Pair.

  • Page 467: Defining And Retrieving Site Attributes

    Working with RADIUS attributes Controller attributes overview Defining and retrieving site attributes Site attributes can be retrieved from a third-party RADIUS server or specified directly on the controller. In both cases, configuration settings are defined on the Public Access > Attributes page.

  • Page 468

    Working with RADIUS attributes Controller attributes overview Note A maximum of 128 attributes can be active at any one time (including both the RADIUS and the Configured attributes list). The maximum attribute size that the controller can receive in a single RADIUS request is 4096 bytes.

  • Page 469

    Working with RADIUS attributes Controller attributes overview Defining site attributes directly on the controller Site attributes can be defined directly on the controller eliminating the need to use a RADIUS server. If needed, both methods can be used at the same time. In this case, the retrieved attributes are combined with those attributes defined in the Configured attributes list to build the complete list of attributes that are active on the controller.

  • Page 470: Controller Attribute Definitions

    Working with RADIUS attributes Controller attributes overview Controller attribute definitions The following table lists all RADIUS attributes supported by the controller. A brief description of each attribute follows the table. For detailed information, refer to RFC2865, or the documentation that came with your RADIUS server. Access Request Access Accept ...

  • Page 471

    Working with RADIUS attributes Controller attributes overview Access request Acct-Session-Id (32-bit unsigned integer) Random value generated per authentication by the controller. Called-Station-Id (string) By default, this is set to the MAC address of the controller wireless/LAN port in IEEE format. For example: 00-02-03-5E-32-1A.

  • Page 472

    RFC 2865. Only present when the authentication method for the RADIUS profile is set to PAP. Vendor-specific (Microsoft) HP supports the following Microsoft vendor-specific attributes. MSCHAP-Challenge (string) As defined in RFC 2433. Only present when the authentication method for the RADIUS profile is set to MSCHAPv1 or MSCHAPv2.

  • Page 473

    Colubris AV-Pair (string) HP has defined this vendor-specific attribute to support configuration of special features on the controller, such as the customization of the public access interface and global user session settings. This attribute conforms to RADIUS RFC 2865. You may need to define...

  • Page 474

    Working with RADIUS attributes Controller attributes overview  SMI network management private enterprise code = 8744 Vendor-specific attribute type number = 0   Attribute type: A string in the following format <keyword>=<value> Multiple instances of the Colubris AV-pair can be defined in a RADIUS account to configure a variety of settings.

  • Page 475: User Attributes

    Customizing user accounts with the user attribute HP has defined a vendor-specific RADIUS attribute to support configuration of the public access interface and user accounts. This attribute conforms to RADIUS RFC 2865 and is called the Colubris AV-Pair.

  • Page 476: Defining And Retrieving User Attributes

    Working with RADIUS attributes User attributes Multiple instances of the Colubris AV-Pair attribute can be defined for each user, each with a different AV-Pair value. For a complete list of all supported AV-Pair values, see Colubris AV-Pair - User attribute values on page 15-67.

  • Page 477

    Working with RADIUS attributes User attributes Example In this example, two user profiles (called Employee and Guest) are defined on the Controller >> Users > Account profiles page. The settings for each profile are shown below. Employee profile Sets the attributes that will be used to define employee accounts.

  • Page 478

    Working with RADIUS attributes User attributes Guest profile Sets the attributes that will be used to define guest accounts. Once account profiles have been defined, user accounts can be created.

  • Page 479

    Working with RADIUS attributes User attributes The following sample page shows the initial configuration of a user account for an employee named Bill. Notice that before any account profile is assigned, the Effective attributes box shows a couple of active attributes: Idle timeout, and Session timeout. These attributes come from the Default AC profile.

  • Page 480

    ProCurve Manager IDM support HP ProCurve Manager (PCM) is a network management solution for managing HP ProCurve devices. HP ProCurve Identity Driven Manager (IDM) is a plug-in to HP ProCurve Manager Plus that enables dynamic provisioning of network security and performance settings based on user, device, location, time, and endpoint posture.

  • Page 481

    Working with RADIUS attributes User attributes IDM can be used to define settings in a user’s RADIUS account that the controller will retrieve when the user is authenticated, and then apply to the user’s wireless session. The following PCM settings are supported. PCM setting Description Supported on VSCs that are ...

  • Page 482: User Attribute Definitions

    Working with RADIUS attributes User attributes User attribute definitions The following attributes are supported for user accounts. Access Request: Acct-Session-Id, Called-Station-Id, Calling-Station-Id ... Access Accept: Acct-Interim-Interval, Chargeable User Identity (CUI) ... Accounting Request: Acct-Authentic, Acct-Delay-Time ...

  • Page 483

    Working with RADIUS attributes User attributes Access request Acct-Session-Id (32-bit unsigned integer) Random value generated per authentication by the controller. Called-Station-Id (string) By default, this is set to the MAC address of the controller wireless/LAN port in IEEE format. For example: 00-02-03-5E-32-1A. To use the MAC address of the Internet port, you must edit the config file and change the setting of radius-called-station-id-port to WAN in the <ACCESS-CONTROLLER>...

  • Page 484

    The password supplied by a user or device when logging in. Encoded as defined in RFC 2865. Only present when the authentication method for the RADIUS profile is set to PAP. Vendor-specific (Microsoft) HP supports the following Microsoft vendor-specific attributes. MSCHAP-Challenge (string) As defined in RFC 2433.

  • Page 485

    As defined in RFC 2759. Only present when the authentication method for the RADIUS profile is set to MSCHAPv2. Length = 49 bytes. Vendor-specific (WISPr) HP supports the following Wi-Fi Alliance vendor-specific attributes. Location-Name The WISPr location name assigned to the controller.

  • Page 486

    Only used when assigning a specific VLAN number to a user. In this case it must be set to 13 (VLAN). The tag field for this attribute must be set to 0. Vendor-specific (Microsoft) HP supports the following Microsoft vendor-specific attributes. MS-MPPE-Recv-Key (string) Use to validate a PMKID inside an 802.11 association request, send EAPOL keys to a...

  • Page 487

    (string) Colubris AV-Pair The Colubris AV-Pair is a vendor-specific attribute defined by HP to support configuration of user session settings. This attribute conforms to RADIUS RFC 2865. You may need to define this attribute on your RADIUS server (if it is not already present) using the following values: ...

  • Page 488

    Working with RADIUS attributes User attributes Reply-Message (string) This string (as defined in RFC 2865) is recorded and passed as is to the GetRadiusReplyMessage() asp function. Multiple strings are supported to a maximum length of 252 bytes. Access challenge EAP-Message (string) One or more occurrences of this attribute are supported inside the same packet.

  • Page 489

    User-Name (string) The username assigned to the user or to a device when using MAC authentication. Vendor-specific (WISPr) HP supports the following Wi-Fi Alliance vendor-specific attributes. Location-Name The WISPr location name assigned to the controller. • SMI network management private enterprise code = 14122 ...

  • Page 490

    Working with RADIUS attributes User attributes Logoff-url The WISPr log-off URL that will be used. • SMI network management private enterprise code = 14122 • Vendor-specific attribute type number = 3 • Attribute type: A string in the format: wispr-logoff-url=URL Accounting stop.

  • Page 491

    Working with RADIUS attributes User attributes Accounting stop only Acct-Terminate-Cause (32-bit unsigned integer) Termination cause for the session. See RFC 2866 for possible values. Only present when Acct-Status-Type is Stop. Cause Notes User Request Supported. Indicates that the user logged out. Lost Carrier Supported.

  • Page 492

    Notes User Error Supported. An 802.1X client initiated a second authentication request for a user, and this request was refused. Host Request Not Supported. (not applicable) 0x8744 Termination (34628 decimal) HP-specific termination cause. Accounting response No attributes are supported.

  • Page 493: Administrator Attributes

    Working with RADIUS attributes Administrator attributes Administrator attributes If you want to support multiple administrator names and passwords, you must use a RADIUS server to manage them. The controller only supports a single admin name and password internally (defined on the Controller >> Management > Management tool page). Note Improper configuration of the administrator profile could expose the controller to access by any user with a valid account.

  • Page 494

    (string) Colubris AV-Pair HP has defined a vendor-specific attribute to support configuration of user session settings. This attribute conforms to RADIUS RFC 2865. You may need to define this attribute on your RADIUS server (if it is not already present) using the following values: ...

  • Page 495: Colubris AV-Pair - Site Attribute Values

    Working with RADIUS attributes Colubris AV-Pair - Site attribute values Colubris AV-Pair - Site attribute values Site values let you define global settings that affect operation of the public access network and all user accounts. Each Colubris AV-Pair value is specified using the following format: <keyword>=<value> The following table lists all supported site value keywords and provides a link to complete descriptions for each one.

  • Page 496: Access List

    Redirect URL on page 15-59. ssl-noc-certificate NOC authentication on page 15-62. ssl-noc-ca-certificate wispr-login-url HP WISPr support on page 15-62. wispr-abort-login-url redirect-page access-procedure dnat-server Traffic forwarding (dnat-server) on page 15-63. primary-dnat-server-status-url secondary-dnat-server-status-url Access list Access lists enable you to create public areas on your network that all users can browse, and protected areas that are restricted to specific user accounts or groups.

  • Page 497

    Working with RADIUS attributes Colubris AV-Pair - Site attribute values Default setting By default no access lists are defined. This means that: • If authentication (802.1X, WPA, HTML, MAC) is not enabled on a VSC, all users that connect to the VSC have access to the protected network. ...

  • Page 498

    Working with RADIUS attributes Colubris AV-Pair - Site attribute values Within each access list, traffic cascades through the list rules in a similar manner. [Diagram: Incoming traffic is checked against Rule 1, then Rule 2, then Rule 3 ...; each rule results in ACCEPT, DENY, or NO MATCH, and on NO MATCH the traffic falls through to the next rule.]

  • Page 499

    Working with RADIUS attributes Colubris AV-Pair - Site attribute values SMTP redirect If an unauthenticated user establishes a connection to their email server, the SMTP redirect feature will not work once the user logs in. The user’s email is still sent to the original email server.

  • Page 500

    Working with RADIUS attributes Colubris AV-Pair - Site attribute values Syntax access-list= listname[,OPTIONAL],action,protocol,address,port[,account[,interval]] use-access-list=uselistname default-user-access-list=uselistname use-access-list-unauth=uselistname Note You can use spaces as separators instead of commas. Where: Parameter Description listname: Specify a name (up to 32 characters long) to identify the access list this rule applies to.

  • Page 501

    (continued) important resource on the network. For example, the following access list definition allows additional connections as needed to any user who is trying to reach my-web-server.com. access-list=HP,ACCEPT-MORE,all,my-web-server.com,80 use-access-list=procurve • DENY - Reject traffic matching this rule. • DNAT-SERVER: Traffic matching this rule is forwarded to the destination defined by the dnat-server value.

  • Page 502

    Topology The following two topologies show potential wireless deployments for the campus using different types of HP equipment. In both cases, a RADIUS server is used to store configuration attributes for the public access network. Although the topologies are slightly different, the same access list definitions are used for both installations.

  • Page 503

    Working with RADIUS attributes Colubris AV-Pair - Site attribute values Topology 1: [Network diagram: Network Operating Center with Router/Firewall (20.7), SMTP server (20.3), DNS/DHCP server (20.6); Faculty subnet with File server (30.2); Student subnet with File server (40.2); Admin subnet with Public Web server (50.2); Web/FTP, Management, Printers ...]

  • Page 504

    Working with RADIUS attributes Colubris AV-Pair - Site attribute values Topology 2: [Network diagram: Network Operating Center with Router/Firewall (20.7), SMTP server (20.3), DNS/DHCP server (20.6); Faculty subnet with File server (30.2); Student subnet with File server (40.2); Admin subnet with Public Web server (50.2); Web/FTP, Management, Printers ...]

  • Page 505

    Working with RADIUS attributes Colubris AV-Pair - Site attribute values The RADIUS profile for every student contains the following: use-access-list=students The RADIUS profile for every faculty member contains the following: use-access-list=faculty These definitions create three access lists: everyone, students, and faculty. Everyone This list applies to all users (students, teachers, guests), whether they are authenticated or not.

  • Page 506: Configuration File

    Returns the domain name assigned to the controller Internet port. Returns the IP address of the controller Internet port. Custom SSL certificate The controller can retrieve a custom SSL security certificate to replace the HP certificate that is included by default. Syntax...

  • Page 507: Custom Public Access Interface Web Pages

    Working with RADIUS attributes Colubris AV-Pair - Site attribute values By using the following placeholders, you can customize the URL for each controller. This is useful when you need to update multiple units. Placeholder Description Returns the NAS ID assigned to the controller. By default, this is its serial number.

  • Page 508

    Working with RADIUS attributes Colubris AV-Pair - Site attribute values Where: Parameter Description ArchiveURL: URL of the .zip archive to be loaded. Loading individual pages These keywords have been deprecated. If you are creating a new installation, use the custom-pages keyword or the site file archive feature on the Controller >> Public access >...

  • Page 509

    Working with RADIUS attributes Colubris AV-Pair - Site attribute values Placeholder The following placeholder is only available when using a RADIUS server. If these values are specified under Controller >> Public access > Attributes > Configured attributes, the placeholder cannot be used. Placeholder Description Returns the IP address of the controller’s Internet port.

  • Page 510

    Working with RADIUS attributes Colubris AV-Pair - Site attribute values Although the remote login page feature enables you to host the public access login page on a remote Web server, authentication of users is still performed by the controller through a RADIUS server or using the local user list.

  • Page 511

    Placeholders An important feature of these pages is that they make it easy to deliver a unique experience for each user. By appending the following optional placeholders to the Colubris AV-Pair value strings, you can pass important information to the Web server.

  • Page 512

    Placeholder Description Returns the MAC address of the client station that is being authenticated. Returns the VLAN assigned to the client station at the controller ingress (LAN port). Security issues ...

  • Page 513: Default User Interim Accounting Update Interval

    Custom message file Use this value to load a custom message file. These messages are used when various error conditions occur. messages=URL_of_text_file [placeholder] If you specify a new message file, you must also specify values for: ...

  • Page 514: Default User Idle Timeout

    Where: level: Specify one of the following bandwidth levels for the user’s session. The actual data rate associated with a bandwidth level is defined on the Network > Bandwidth control page. VERY-HIGH HIGH NORMAL...

  • Page 515

    Where: value: For packets, a 32-bit unsigned integer value; for octets, a 64-bit unsigned integer value. When a user session is terminated based on a quota, a new non-standard termination cause is used.

  • Page 516: Default User Session Timeout

    Default user session timeout Use this to set the default session timeout for all users whose RADIUS profile does not contain a value for the RADIUS attribute session-timeout. Syntax default-user-session-timeout=seconds Where: Parameter Description...

  • Page 517: Default User Urls

    port: Specify the port on the e-mail server to relay to. Range: 1 to 65535. Default: ... username: Specify the username required to log on to the SMTP server. Maximum 32 characters.

  • Page 518: Ipass Login Url

    Access-List=mylist,DNAT-SERVER,tcp,*mydomain.com,80 Use-access-list=mylist DNAT-Server=mylist,192.168.1.1,8088 This example forces any incoming traffic with a matching target protocol, address, or port number (tcp,*mydomain.com,80) to be redirected to the internal HTTP proxy. Then, because of the HTTP-Proxy-Upstream keyword, the traffic is forwarded to myproxy.com. Note The HTTP-Proxy-Upstream definition must exclude any traffic addressed to the controller public access interface, otherwise HTML-based users will not be able to log in.

  • Page 519: Multiple Login Servers

    To make use of this feature you need to define a local user account or a RADIUS user account for each device as follows: • username: Set this to the username you specified in the mac-address value string. If no username is specified, set the account name to the MAC address of the device.

  • Page 520

    Where: URL_of_page: Specify the URL that points to the Web server status file. Use HTTP or HTTPS with a port number if required. The status file must contain the following code: <?xml version="1.0"...

  • Page 521: Redirect Url

    Setting the URLs of other AV-Pair values This feature will redefine the URLs in the following AV-Pair values, if they have the same hostname as is specified for the primary-web-server-status-url: ...

  • Page 522

    Note Placeholders %G, %C, %E, %P, and %v do not produce constant values. These values may vary over time. Use the following Colubris AV-Pair value string: redirect-url=URL_of_the_page [placeholder] Where: Parameter Description URL of the redirect page.

  • Page 523

    Placeholder Description When the location-aware feature is enabled, returns the group name of the wireless access point the user is associated with. When the location-aware feature is enabled, returns the Called-station-id content for the wireless access point the user is associated with.

  • Page 524: Noc Authentication

    For a more detailed example of using NOC authentication, see Appendix D: NOC authentication HP WISPr support WISPr login URL This keyword lets you define the location of the WISPr login page. The controller automatically redirects users with WISPr-compatible wireless client software to this page. To customize the redirection, use the WISPr redirect page keyword.

  • Page 525: Traffic Forwarding (dnat-server)

    WISPr redirect page This keyword lets you define the location of the WISPr redirect page. Use this page to customize the code that the controller includes in the HTTP redirect sent to a user’s browser. Syntax redirect-page=URL_of_page Where:...

  • Page 526: Multiple Dnat Servers

    Where: listname: Specify the name of an access list definition that has its action set to DNAT-SERVER. hostname: Specify the IP address or domain name of the primary server to which traffic will be redirected.

  • Page 527

    URL_of_page: Specify the URL that points to a status file on the Web server. Use HTTP or HTTPS with a port number if required. The status file must contain the following code: <?xml version="1.0"...

  • Page 528

    The following table shows possible results when polling is active for both the primary and secondary servers. Server 1 Server 2 Description Traffic matching the DNAT-SERVER rule is forwarded to server DOWN Traffic matching the DNAT-SERVER rule is forwarded to server DOWN...

  • Page 529: Colubris Av-pair - User Attribute Values

    Working with RADIUS attributes Colubris AV-Pair - User attribute values User values let you define settings for individual user accounts. Each Colubris AV-Pair value is specified using the following format: <keyword>=<value> The following table lists all supported user value keywords and provides a link to complete descriptions for each one.

  • Page 530: Advertising

    Syntax use-access-list=uselistname Where: uselistname: Specify the name of an existing access list. This list is activated for the current user. Advertising Add this keyword to enable the presentation of advertising at preconfigured intervals while the user is browsing.

  • Page 531: Data Rate

    Data rate This keyword sets the transmit and receive rates for a user’s session. These rates are applied on a per-user basis, providing direct control of a user’s throughput in Kbps. Two keywords are available: ...

  • Page 532: Public Ip Address

    Public IP address Add this keyword if the user requires a public IP address that is visible on the external network connected to the controller Internet port. For more information on using public IP addresses, see Default user public IP address on page 15-54 Public IP address on...

  • Page 533

    Redirect URL The redirect-url keyword is used to specify the target URL for redirection when using an access list with the REDIRECT action. Only one redirect-url value can be specified in a user RADIUS account.

  • Page 534: Station Polling

    Example 1: Proxy support on smtp-redirect=smtp.mycompany.com,jimmy,letMEin smtp-redirect=smtp.mycompany.com:8025,jimmy,letMEin Example 2: Proxy support off smtp-redirect=smtp.mycompany.com smtp-redirect=smtp.mycompany.com:8025 Station polling The controller continually polls authenticated client stations to ensure they are active. This feature is configured using the Client polling settings on the Public access > Access control page.

  • Page 535

    Syntax welcome-url=URL_of_page[placeholder] goodbye-url=URL_of_page[placeholder] Where: URL_of_page: Specify the URL of a Web page on an external Web server. placeholder: Placeholder as defined in the following table. Placeholders By appending the following optional placeholders, you can pass important information to the Web server about the user.

  • Page 536: Colubris Av-pair - Administrator Attribute Values

    Working with RADIUS attributes Colubris AV-Pair - Administrator attribute values Placeholder Description When the location-aware feature is enabled, returns the Called-station-id content for the wireless AP with which the user is associated. Returns the string sent by the RADIUS server when an authentication request fails.

  • Page 537: Public Access Interface Asp Functions And Variables

    Working with RADIUS attributes Public access interface ASP functions and variables The public access interface Web pages use a number of ASP functions to perform specific tasks. These ASP functions are written in embedded Javascript, which is a limited version of Javascript running on the integrated Web server.

  • Page 538: Forms

    Forms The following forms can be used to gather information from a user and submit it to the public access interface for processing. HtmlSubscriptionRequest This form can be used to create a user account and to execute a payment. To complete certain form actions, you may be required to submit several parameters.

  • Page 539

    To create an account Supply the following fields to create a new user account, or to reset an existing account: • payment_method • subscription_plan • username • password • confirm_password ...

  • Page 540: Form Errors

    • free_access: A user account is created (with the user’s MAC address as the username and password) and the user is logged into the public access interface. If the login is successful, the user is redirected to the page specified by success_url.

  • Page 541: Radius

    LoadFormFieldError(field_name) This function loads the following ASP variables with details about the errors caused by the specified field_name. ASP variables • field_error: Numeric error value. 0 - No error found. ...

  • Page 542

    This is not a normal return value. It cannot be assigned to an ASP variable, and is inserted directly into the HTML page. GetNasAddress() Returns the fully-qualified domain name of the controller as is specified in the currently loaded SSL certificate.

  • Page 543: Page Urls

    // When done header($targetURL); The target URL is built using the NAS IP and username and password. The form name is hard-coded. Page URLs GetFailRetryUrl() This feature has been deprecated. Returns the URL of the next internal page to display as follows: Returns the Fail page URL if a login or logout request is currently pending.

  • Page 544: Session Status And Properties

    Session status and properties None of the functions in this section provides a normal return value that can be assigned to an ASP variable. Instead, the return value is inserted directly into the HTML page. Session time GetSessionTime() Returns session duration for the current user in minutes and seconds in the format: mm:ss.

  • Page 545

    GetMaxSessionTimeHMS() Returns the total amount of connection time configured for the current user session in hours, minutes and seconds in the format: hh:mm:ss. ConvertMaxSessionTime(unit) Returns the total amount of connection time configured for the current user in the specified unit.

  • Page 546

    Session input/output/totals If you specify a value for the optional parameter div, then the return value is divided by div. GetSessionInputPackets() GetSessionInputOctets(div) Returns the number of packets/octets received by the current user session. GetSessionOutputPackets() GetSessionOutputOctets(div) Returns the number of packets/octets sent by the current user session.

  • Page 547: Ipass Support

    GetSessionMaxOutputPackets() GetSessionMaxOutputOctets(div) Returns the maximum number of packets/octets that can be sent by the current user session. Session quotas These functions let you retrieve the quota limits that are set for the current user session. If any of these limits are reached, the user is logged out.

  • Page 548

    iPassGetAbortLoginUrl() Returns the iPass Abort Login URL. iPassGetLogoffUrl() Returns the iPass Logout URL. iPassGetRedirectResponseCode() Checks if the iPass authentication server is reachable and enabled. Returns one of the following values: Authentication server is reachable and enabled.

  • Page 549: Client Information

    iPassGetLogoutResponseCode() Returns one of the following values when a user attempts to logout from iPass: Logout was successful. The authentication server could not be reached due to an error on the controller (Internet port not up, for example).

  • Page 550

    • client_session_time: The user’s session time, indicating how many seconds have elapsed since the user was first authenticated by the controller. Re-authentication will not affect the value unless the authentication was terminated. ...

  • Page 551

    • client_public_ip_reserved: Indicates if the public IP address is reserved or preferred. 0 - Public IP is preferred. 1 - Public IP is reserved. For more information, see Public IP address on page 3-10.

  • Page 552: Subscription Plan Information

    • client_account_status_remaining_output_octets: Amount of traffic the user can still upload. • client_account_status_remaining_total_octets: Total amount of traffic the user can still upload or download. • client_account_status_active_sessions: Number of sessions active on this account. ...

  • Page 553: Other

    Other AssignBillingRecordId() Use this function to reserve a billing record ID. If this function returns 0, it means that the payment system has been halted. Any subscription-related activities should not be attempted until this function returns a non-zero value.

  • Page 554

    SetSessionRefreshInterval(sec) Specifies the refresh interval for the session page in seconds. write(string) Writes the specified string to the browser. Example write("<p>You are connected.</p>"); LoadAccessInformation() This function initializes a set of variables that provide information on the site access options configured on the Controller >>...

  • Page 555: Session Information

    ASP variables • worldpay_url: String containing the configured WorldPay URL on the controller. • worldpay_installation_id: String containing the configured WorldPay Installation ID on the controller. • worldpay_cart_id: String containing a unique number for this order that represents a virtual cart in which items that are being bought are stored.

  • Page 556

    Session variables The following session variables are provided: • last_login_error: Contains the error number generated by the last login attempt. This is converted into the appropriate visual representation by the file login_error_messages.asp.

  • Page 557

    • last_subscription_error: Contains the error number generated by the last subscription attempt. This is converted into the appropriate visual representation by the file subscription_error_messages.asp. Value Description 0 or "" No error occurred.

  • Page 558


  • Page 559

    Chapter 16: Working with VPNs Working with VPNs Contents Overview ........................16-2 Securing wireless client sessions with VPNs............16-3 Configure an IPSec profile for wireless client VPN ........16-4 Configure L2TP server for wireless client VPN ..........16-5 Configure PPTP server for wireless client VPN ..........16-5 VPN address pool ....................16-5 Securing controller communications to remote VPN servers ......16-6 Configure an IPSec policy for a remote VPN server ........16-7...

  • Page 560: Overview

    Working with VPNs Overview Overview Virtual private networks (VPNs) create secure tunnels across non-secure infrastructure such as the Internet or publicly-accessible networks. The controller features virtual private network (VPN) capabilities that enable it to do the following: • Secure wireless client sessions with a VPN tunnel between wireless clients such as wireless point-of-sale (POS) terminals and the controller.

  • Page 561: Securing Wireless Client Sessions With Vpns

    Working with VPNs Securing wireless client sessions with VPNs Securing wireless client sessions with VPNs Note The ability to secure wireless client sessions is intended for low-data-volume applications like that of wireless POS terminals. To secure wireless client sessions, create a VPN tunnel from the wireless client to the controller.

  • Page 562: Configure An Ipsec Profile For Wireless Client Vpn

    Configure an IPSec profile for wireless client VPN 1. On the page Controller > VPN > IPSec select Add Policy, and define a policy similar to this: Note the selections made in the sample Add/Edit security policy page above. See the online help for option descriptions.

  • Page 563: Configure L2tp Server For Wireless Client Vpn

    Configure L2TP server for wireless client VPN 1. On the page Controller >> VPN > L2TP server enable L2TP over IPSec configuration - LAN port. 2. Either select X.509 certificates and install an X.509 security certificate (see IPSec certificates on page 12-11), or specify a Preshared key.

  • Page 564: Securing Controller Communications To Remote Vpn Servers

    Working with VPNs Securing controller communications to remote VPN servers 2. In VPN address pool, for Address allocation select either Use static IP addresses or Use external DHCP server. • For Use static IP addresses, define a sequential pool of addresses by specifying the Starting IP address and Max connections.

  • Page 565: Configure An Ipsec Policy For A Remote Vpn Server

    Create a VPN tunnel like this either by configuring an IPSec policy or configuring the PPTP client. [Figure: network diagram showing the controller, an Internet router, wireless clients, and a secure VPN server, with example IP addresses on the Internet and LAN ports]

  • Page 566: Configure Pptp Client For A Remote Vpn Server

    Note the selections made in the sample Add/Edit security policy page above. Option / Value to set / Notes: General: Enabled. Name: user-defined. Phase 1 mode: Main mode. Mode: Tunnel. Interface: Internet port. Encryption algorithm: Select as desired...

  • Page 567

    Note The PPTP tunnel should not be used to transport user traffic. To prevent user traffic from entering the tunnel, you must define access list definitions to DENY access to all subnets on the other side of the tunnel.

  • Page 568: Keeping User Traffic Out Of The Vpn Tunnel

    Account: Username: Specify the username the controller will use to log on to the PPTP server. If you are logging on to a Windows XP domain, specify domain_name\username. Password / Confirm password: Specify the password the controller will use to log on to the PPTP server.

  • Page 569: Additional Ipsec Configuration

    Working with VPNs Additional IPSec configuration Additional IPSec configuration The page Controller >> VPN > IPSec provides some additional configuration options and information. For information about IPsec certificates see IPSec certificates on page 12-11. IPSec VLAN mapping Use these settings to define how IPSec traffic is routed on the LAN and Internet ports. You can assign traffic to the untagged interface (no VLAN) or to any defined VLAN.

  • Page 570


  • Page 571

    Chapter 17: LLDP LLDP Contents Overview ........................17-2 LLDP-MED......................17-2 Local mesh......................17-3 SNMP support ......................17-3 Configuring LLDP on the controller ................17-4 TLV settings ......................17-6 Configuring LLDP on an AP..................17-8 LLDP agent ......................17-8 Media endpoint discovery (MED) features ............17-9 LLDP settings .....................17-10 Application type profiles ..................17-11...

  • Page 572

    When an LLDP agent receives information from another device, it stores it locally in a special LLDP MIB (management information base). This information can then be queried by other devices via SNMP. For example, the HP ProCurve Manager software retrieves this information to build an overview of a network and all its components.

  • Page 573: Local Mesh

    LLDP Overview • Power over Ethernet (PoE) status and troubleshooting support via SNMP. • Support for IP telephony network troubleshooting of call quality issues via SNMP. LLDP-MED endpoint devices are located at the network edge and communicate using the LLDP-MED framework. Any LLDP-MED endpoint device belongs to one of the following three classes: ...

  • Page 574: Configuring Lldp On The Controller

    LLDP Configuring LLDP on the controller Configuring LLDP on the controller Controller settings are defined by selecting Controller >> Network > Discovery protocols. LLDP agents Select this option to globally activate LLDP support on the controller. LAN port / Internet port For each port, select whether the agent will transmit and/or receive LLDP information.

  • Page 575

    Time to live Indicates the length of time that neighbors will consider LLDP information sent by this agent to be valid. Time to live is automatically calculated by multiplying Transmit interval by Multiplier. Generate dynamic system names When enabled, this feature replaces the system name with a dynamically generated value which you can define.

  • Page 576: Tlv Settings

    TLV settings To customize TLV settings, select Configure TLVs on the Controller >> Network > Discovery protocols page. The same TLV settings are available on both the LAN port and the Internet port. Basic TLVs The controller supports all mandatory and optional TLVs (type, length, value) information elements that are part of the basic management set.

  • Page 577

    • System capabilities (Type 7): Indicates the primary function of the device. Set to WLAN access point for APs, or Router for controllers. • Management IP address (Type 8): The controller always sends a management IP address TLV containing the IP address of the port.

  • Page 578: Configuring Lldp On An Ap

    LLDP Configuring LLDP on an AP Configuring LLDP on an AP AP settings are defined by selecting Controlled APs >> Configuration > LLDP. LLDP agent Enable this option to activate LLDP support on the AP. When active, the agent will transmit and receive LLDP information.

  • Page 579: Media Endpoint Discovery (med) Features

    The MED LLDP extensions specify two kinds of network devices: network connectivity and endpoint. Network connectivity devices connect endpoint devices to an IEEE 802-based LAN infrastructure. This means that HP access points and controllers are network connectivity devices. Endpoint devices are located at the network edge, and include devices such as IP phones, IP media servers, and IP communication controllers.

  • Page 580: Lldp Settings

    TLV name Description Network Policy The network policy TLV is a fixed length TLV that indicates a port VLAN type, VLAN identifier (VID), and both the Layer 2 and Layer 3 priorities associated with a specific set of application types.

  • Page 581: Application Type Profiles

    AP name When the Generate dynamic system names option is enabled on the Controllers >> Network > Discovery protocols page, the system name of the AP will be replaced with a dynamically generated name that you define. Specify how the dynamically generated name will be created.

  • Page 582

    L2 priority Select the layer 2 priority setting. This setting is used instead of the Default traffic priority set for the switch port. Supported settings are: L2 priority QoS queue Low - 1 Low - 2 Normal - 0 Normal - 3 High - 4...

  • Page 583

    Chapter 18: sFlow sFlow Contents Overview ........................18-2 sFlow proxy......................18-2 MIB support......................18-3 Configuring and activating sFlow ................18-3 Advanced sFlow configuration................18-5...

  • Page 584

    sFlow Overview Overview sFlow is a technology for monitoring traffic in high speed switched or routed networks. The standard sFlow monitoring system comprises the following: • An sFlow Agent that runs on a network device such as an AP, switch, or router. The agent uses sampling techniques to capture information about the data traffic flowing through the device and forwards this information to an sFlow collector.

  • Page 585: Mib Support

    • SNMP MIB2 IPAddrTable base OID: 1.3.6.1.2.1.4.20 • SNMP MIB2 ifXTable base OID: 1.3.6.1.2.1.31.1.1.1 • SNMP MIB: HP-WLAN-SFLOW-EXTENSIONS-MIB base OID: 1.3.6.1.4.1.11.2.14.11.6.4.2 Configuring and activating sFlow All sFlow configuration occurs via the controller management tool by selecting Controller >> Tools > sFlow.

  • Page 586: Advanced Sflow Configuration

    sFlow Configuring and activating sFlow Important Under normal conditions, sFlow settings on the controller will be configured by an sFlow collector operating elsewhere on the network. Therefore, in most cases all you need to do to support sFlow is select the Enabled option under Global settings. Advanced users who want to fine-tune their sFlow configuration, or who are using an sFlow collector in manual mode, can select Advanced Configuration to gain access to additional settings.

  • Page 587

    • Max datagram size: The maximum number of data bytes that will be sent to the collector in a single sFlow datagram. • HP PMM compatibility: When enabled, information not supported by HP PMM network management software is dropped from the sFlow data to conserve network bandwidth.

  • Page 588

    The UDP port on which sFlow data will be sent to the collector. HP PMM compatibility Enable this option to generate sFlow data in a format that is compatible with the HP PMM application. When enabled, information not supported by PMM is dropped from the sFlow data to conserve network bandwidth.

  • Page 589

    The table lists the following information for each agent. • AP name: Name assigned to the AP. By default, this is its serial number. • MAC address: MAC address assigned to the AP. • Product: Product name of the AP. • Group name: Name of the group to which the AP is assigned.

  • Page 590

    Instance configuration settings Each instance can be customized as follows: Packet flow sampling Packet flow sampling is executed by copying a specified amount of data from the header of packets and sending it to a collector for analysis. Collector Select the collector to which data will be sent.

  • Page 591

    Chapter 19: Working with autonomous APs Working with autonomous APs Contents Key concepts.......................19-2 Autonomous AP detection .................19-3 Viewing autonomous AP information ...............19-3 Switching a controlled AP to autonomous mode..........19-4 Configuring autonomous APs...................19-5 VSC definitions ....................19-5 Working with third-party autonomous APs ............19-6 VSC selection .......................19-6...

  • Page 592

    Working with autonomous APs Key concepts Key concepts This chapter describes how to use the controller in conjunction with autonomous APs. Most of this chapter applies to working with autonomous MSM APs. For third-party autonomous APs, see Working with third-party autonomous APs on page 19-6.

  • Page 593: Autonomous Ap Detection

    Autonomous AP detection The controller automatically detects all autonomous APs that have their CDP discovery option enabled (default setting) and are installed on the same subnet as the controller. To configure this CDP discovery, select Network > CDP on the AP management tool. Viewing autonomous AP information When the controller detects at least one autonomous AP, the Summary box and the Network Tree are updated to include autonomous AP information as follows:...

  • Page 594: Switching A Controlled Ap To Autonomous Mode

    Select a link in the Device ID column to display the Autonomous APs details like this: You can also select the link in IP address column to launch the AP management tool. See the MSM3xx/MSM4xx Management and Configuration Guide.

  • Page 595: Configuring Autonomous Aps

    Working with autonomous APs Configuring autonomous APs Configuring autonomous APs Autonomous APs must be configured via their own management tool. For convenience, you can launch an autonomous AP management tool from within the controller management tool by selecting the link in the IP address column of the Detected Autonomous APs page, providing network access is possible.

  • Page 596: Working With Third-party Autonomous Aps

    Working with autonomous APs Working with third-party autonomous APs Management with VLANs When operating in a VLAN environment, management traffic can be carried on its own VLAN. Configure the VSC on both the autonomous AP and the controller as illustrated here (figure: VSC Profiles, IP = 192.168.1.1, VLAN ID = 10)...

  • Page 597

    Working with autonomous APs Working with third-party autonomous APs Because the HP location-aware feature is not available on third-party APs, support for VSC selection using an SSID requires that the following additional configuration be performed:
    - Configure the AP to send its SSID as the NAS ID in all authentication and accounting requests.

  • Page 598

    Working with autonomous APs Working with third-party autonomous APs 19-8...

  • Page 599

    Chapter 20: Maintenance Maintenance Contents Config file management.....................20-2 Manual configuration file management ............20-2 Scheduled operations..................20-3 Software updates......................20-4 Performing an immediate software update............20-5 Performing a scheduled software update............20-5 Licenses ........................20-6 Factory reset considerations ................20-7 Generating and installing a feature license ............20-7...

  • Page 600: Config File Management

    Maintenance Config file management Config file management The configuration file contains all the settings that customize the operation of the controller. You can save and restore the configuration file manually or automatically. Select Controller >> Maintenance > Config file management. Manual configuration file management The following options are available for manual configuration file management.

  • Page 601: Scheduled Operations

    Maintenance Config file management
    - All other configuration information: All other configuration information is saved as plain text, allowing the settings to be viewed with a standard text editor.
    Reset configuration: see Appendix C: Resetting to factory defaults.
    Restore configuration: The Restore configuration option enables you to load a previously saved configuration file. This option enables you to maintain several configuration files with different settings, which can be useful if you must frequently alter the configuration of the controller or if you are managing several controllers from a central site.

  • Page 602: Software Updates

    Maintenance Software updates 7. Select Validate to test that the specified URL is correct. 8. Select Save. Software updates Controller software updates are managed by selecting Controller >> Maintenance > Firmware updates. Caution: Before updating be sure to check for update issues in the Release Notes. ...

  • Page 603: Performing An Immediate Software Update

    Maintenance Software updates Performing an immediate software update To update the controller software now, browse to the software file (extension .cim) and then select Install. Performing a scheduled software update The controller can automatically retrieve and install software from a remote Web site identified by its URL.

  • Page 604: Licenses

    Maintenance Licenses Licenses Some controller features are optional, becoming active only when a license is installed. To view and manage licenses, select Controller >> Maintenance > Licenses. Factory installed licenses This table lists all licenses that were installed on the controller at the factory. These licenses are always active and cannot be removed or disabled.

  • Page 605: Factory Reset Considerations

    When you purchase an optional feature license, a physical license registration card is shipped to you. License registration cards are not matched to your MSM7xx Controller until you go to the My Networking portal and generate a license file for a specific MSM7xx Controller.

  • Page 606

    Maintenance Licenses 4. If you do not have the MAC address of your MSM7xx Controller already on file, open its management tool in a separate Web browser window, and select Controller >> Maintenance > Licenses. Under License ordering information, copy the MAC address onto your clipboard.

  • Page 607

    9. When done, select Generate license(s) to return to the main licenses page. Installing a license If you are ready to install your new license on your MSM7xx Controller, go back to the MSM7xx Controller management tool and do the following: 1.

  • Page 608

    Maintenance Licenses 20-10...

  • Page 609

    Appendix A: Safety and EMC regulatory statements Safety and EMC regulatory statements Contents Safety Information ...................... A-2 Informations concernant la sécurité................. A-2 Hinweise zur Sicherheit....................A-3 Considerazioni sulla sicurezza .................. A-4 Consideraciones sobre seguridad ................A-5 Safety Information (Japan) ..................A-6 Safety Information (China) ..................

  • Page 610

    Safety and EMC regulatory statements Safety Information Safety Information Documentation reference symbol. If the product is marked with this symbol, see the product documentation to get more information about the product. WARNING A WARNING in the manual denotes a hazard that can cause injury or death. Caution A Caution in the manual denotes a hazard that can damage equipment.

  • Page 611: Hinweise Zur Sicherheit

    Safety and EMC regulatory statements Hinweise zur Sicherheit Caution: A cautionary text headed Caution indicates a hazard that can cause damage to the equipment. Do not proceed beyond a WARNING or Caution notice until you have fully understood the hazardous conditions and taken the appropriate measures.

  • Page 612: Considerazioni Sulla Sicurezza

    Safety and EMC regulatory statements Considerazioni sulla sicurezza This is a safety class I device and has a protective earthing terminal. Operating the device requires an uninterrupted safety ground from the main power source to the device's input terminals, the power cables, or the supplied power cord set.

  • Page 613: Consideraciones Sobre Seguridad

    Safety and EMC regulatory statements Consideraciones sobre seguridad For grounding LAN cables: if your LAN covers an area served by more than one power distribution system, make sure that the safety grounds are securely interconnected; ...

  • Page 614: Safety Information (japan)

    Safety and EMC regulatory statements Safety Information (Japan) This device contains no user-serviceable parts. All repairs, adjustments, or maintenance service must be performed only by a technician. This product has no power switch; it is activated when the power cord is plugged in.

  • Page 615: Safety Information (china)

    Safety and EMC regulatory statements Safety Information (China)

  • Page 616: Emc Regulatory Statements

    Safety and EMC regulatory statements EMC Regulatory Statements EMC Regulatory Statements U.S.A. FCC Class A (Applies to the MSM730/MSM750) This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against interference when the equipment is operated in a commercial environment.

  • Page 617

    Safety and EMC regulatory statements EMC Regulatory Statements
    VCCI: Class B (Applies to the MSM710)
    Korea: Class A (Applies to the MSM730/MSM750); Class B (Applies to the MSM710)
    Taiwan: Class A (Applies to the MSM730/MSM750)

  • Page 618: Recycle Statements

    Safety and EMC regulatory statements Recycle Statements Recycle Statements Waste Electrical and Electronic Equipment (WEEE) Statements Disposal of Waste Equipment by Users in Private Household in the European Union This symbol on the product or on its packaging indicates that this product must not be disposed of with your other household waste.

  • Page 619

    Safety and EMC regulatory statements Recycle Statements Disposal of waste equipment by households in the European Union. The symbol on this product or its packaging indicates that this product must not be disposed of with ordinary household waste. It is your responsibility to dispose of your equipment by taking it to the designated public collection centers for the recycling of electrical and electronic equipment.

  • Page 620

    For more information about locations that recycle this type of material, contact the HP office in your city, your waste collection service, or the store where the product was purchased.

  • Page 621

    Safety and EMC regulatory statements Recycle Statements Disposal of waste electrical and electronic equipment by private users in the European Union. This symbol on the product or its packaging indicates that it must not be disposed of together with general household waste.

  • Page 622

    Safety and EMC regulatory statements Recycle Statements A-14...

  • Page 623

    Appendix B: Console ports Console ports Contents Overview ........................B-2 MSM710 Console port ..................B-2 MSM730 Console port ..................B-2 MSM750 Console port ..................B-3 Using the console port....................B-3...

  • Page 624

    Console ports Overview Overview Console port and cable information for the MSM7xx controllers is provided as follows:
    Product | Information to use
    MSM710, MSM730, MSM750 | Relevant section below
    MSM760, MSM765zl | The provided Installation and Getting Started Guide
    MSM710 Console port The MSM710 provides a DB-9 (female) Console (serial) port connector. The DB-9 connector (DCE) has pin assignments as follows: To connect to a computer, use a standard (straight through) serial cable (male-to-female).

  • Page 625: Msm750 Console Port

    Console ports Using the console port To connect to a computer, use the supplied null-modem serial cable. MSM750 Console port The MSM750 provides an RJ-45 Console (serial) port connector. Connect the supplied RJ-45 to DB-9 (female) adapter. The DB-9 connector (DCE) has pin assignments as follows: To connect to a computer, use a standard (straight through) serial cable (male-to-female).

  • Page 626

    Console ports Using the console port...

  • Page 627: How It Works

    Appendix C: Resetting to factory defaults Resetting to factory defaults Contents How it works........................ C-2 Using the Reset button..................C-2 Using the management tool................. C-2 Using the Console (serial) port................C-3...

  • Page 628

    Resetting to factory defaults How it works How it works Depending on the controller model, there may be more than one way to reset the controller to its factory default settings. This appendix describes the methods available for each model type.

  • Page 629: Using The Console (serial) Port

    Resetting to factory defaults How it works Using the Console (serial) port Supported on models: MSM730, MSM750, MSM760 Note It is recommended that you use the management tool as previously described to reset a controller to factory defaults. However, if you forgot the manager username or password, you can still force factory reset as described here: 1.

  • Page 630

    Resetting to factory defaults How it works...

  • Page 631

    Appendix D: NOC authentication NOC authentication Contents Main benefits ....................... D-2 How it works........................ D-2 Activating a remote login page with NOC authentication ........D-4 Addressing security concerns..................D-5 Securing the remote login page ................D-5 Authenticating with the login application ............D-6 Authenticating the controller................

  • Page 632: Main Benefits

    NOC authentication Main benefits Main benefits Using a remote login page with NOC (network operations center) authentication provides you with the following benefits:
    - The login page is completely customizable. You are not bound by the limits imposed by loading a login page onto the controller. ...

  • Page 633

    NOC authentication How it works The following diagram shows the sequence of events for a typical user session when using the NOC-based authentication feature. (Figure: participants are the User, the Controller, the RADIUS server, and the Web server hosting the remote login page. First step: an unauthenticated user attempts to browse a Web site on the protected network; the request is intercepted.)

  • Page 634: Activating A Remote Login Page With Noc Authentication

    NOC authentication Activating a remote login page with NOC authentication Activating a remote login page with NOC authentication To activate a remote login page, you must define several controller attributes. These attributes can be defined in the RADIUS account for the controller (if you are using a RADIUS server) or they can be locally configured.

  • Page 635: Addressing Security Concerns

    NOC authentication Addressing security concerns Placeholder Description Returns the original URL requested by the user. By default, this value is URL encoded. (To enable/disable URL encoding, set the value of url-encode in the <ACCESS-CONTROLLER>...

  • Page 636: Authenticating With The Login Application

    NOC authentication Setting up the certificates Authenticating with the login application The connection between the login application and the controller is secured using SSL. When establishing the SSL connection with the controller, the login application must supply its SSL certificate. In a standard SSL setup, the controller uses the CA for this certificate to validate the certificate’s identity and authenticate the login application.

  • Page 637: Install Certificates On The Web Server

    NOC authentication Setting up the certificates Install certificates on the Web server Install an SSL certificate and its matching CA certificate into a folder on the Web server hosting the remote login page. The login application and the controller access the certificates from this location.

  • Page 638: Authenticating Users

    NOC authentication Authenticating users Authenticating users After a user has supplied login information on the remote login page, the login application must submit an authentication request containing the user’s login name, password, and IP address to the controller by establishing an SSL session to the following URL:
    https://controller_ip:8090/goform/HtmlNocLoginRequest?username=username&password=password&ipaddr=user_ip
    Where:...

  • Page 639: Returned Values

    NOC authentication Authenticating users The Host HTTP header should be set to one of:
    Host: www.noc-cn3.com:8090
    Host: 192.168.4.2:8090
    Example 2 Assume that the controller is behind a NATting device. The device has the address 192.168.30.173, and the controller has the address 192.168.4.2. A NAT mapping is defined on the NATting device that redirects traffic received on port 8090 to 192.168.4.2:8090.

  • Page 640

    NOC authentication Authenticating users Certificate mismatch The login application sent an SSL certificate that does not match the one defined by ssl-noc-certificate in the RADIUS profile for the controller.
    <HTML>
    NOC_INFO_STATUS=NOC_STATUS_FAILURE
    NOC_INFO_INT_ERR_MESSAGE=NOC_CANNOT_GET_PEER_CERT
    </HTML>
    Certificate not valid yet The login application sent an SSL certificate that matches the one defined by ssl-noc-certificate in the RADIUS profile for the controller.

  • Page 641: Examples Of Returned Html Code

    NOC authentication Authenticating users
    Authentication was successful
    <HTML>
    NOC_INFO_STATUS=NOC_STATUS_SUCCESS
    NOC_INFO_WELCOME_URL=<welcome url>
    NOC_INFO_SESSION_URL=<session url>
    </HTML>
    Authentication failed
    <HTML>
    NOC_INFO_STATUS=NOC_STATUS_FAILURE
    NOC_INFO_ERR_MESSAGE=<error message>
    NOC_INFO_LOGIN_ERR_URL=<login error url>
    </HTML>
    Logout succeeded
    <HTML>
    NOC_INFO_STATUS=NOC_STATUS_SUCCESS
    </HTML>
    Logout failed
    <HTML>
    NOC_INFO_STATUS=NOC_STATUS_FAILURE
    NOC_INFO_INT_ERR_MESSAGE=<error message>
    </HTML>
    Examples of returned HTML code The following examples show the actual HTML code returned for various authentication conditions.
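    The following is an added example, not code from the HP manual or from the controller software: it builds the HtmlNocLoginRequest URL and Host header described under "Authenticating users" (URL-encoding the credentials so that characters such as "&" or "=" cannot break the query string), and parses the NOC_INFO_* status block the controller returns into the outcomes listed above (success, authentication failure, or an internal error such as NOC_CANNOT_GET_PEER_CERT from a client-certificate mismatch). The sample responses, hostnames and URLs in the block are constructed for the example; a truncated or non-NOC reply raises an error rather than being treated as a result.

```python
"""Added example (not from the HP manual): build the NOC login request URL and
parse the <HTML> ... </HTML> status block the controller returns."""
from urllib.parse import urlencode

NOC_LOGIN_PATH = "/goform/HtmlNocLoginRequest"
NOC_PORT = 8090


def build_login_request(controller_host: str, username: str,
                        password: str, user_ip: str) -> tuple:
    """Return (url, headers) for the authentication request.

    controller_host is the name or address at which the login application
    reaches the controller (a NAT address in the manual's Example 2); the Host
    header is host:8090 as the manual requires. urlencode() escapes '&', '='
    and similar characters in the credentials so they cannot alter the query.
    """
    query = urlencode({"username": username, "password": password, "ipaddr": user_ip})
    url = f"https://{controller_host}:{NOC_PORT}{NOC_LOGIN_PATH}?{query}"
    headers = {"Host": f"{controller_host}:{NOC_PORT}"}
    return url, headers


def parse_noc_response(body: str) -> dict:
    """Parse the NOC_INFO_* lines between <HTML> and </HTML> into a dict.

    A reply without the wrapper, or without NOC_INFO_STATUS, raises ValueError
    so that a truncated or foreign response is never mistaken for a result.
    """
    start = body.find("<HTML>")
    end = body.find("</HTML>")
    if start < 0 or end < 0 or end < start:
        raise ValueError("response is not a NOC status block")
    fields = {}
    for line in body[start + len("<HTML>"):end].splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    if "NOC_INFO_STATUS" not in fields:
        raise ValueError("NOC_INFO_STATUS missing from response")
    return fields


def classify(fields: dict) -> str:
    """Map a parsed response to one of the outcomes listed in the manual."""
    status = fields["NOC_INFO_STATUS"]
    if status == "NOC_STATUS_SUCCESS":
        return "success"
    if status != "NOC_STATUS_FAILURE":
        return "unknown-status"
    if "NOC_INFO_INT_ERR_MESSAGE" in fields:
        # Internal error, e.g. NOC_CANNOT_GET_PEER_CERT when the login
        # application's certificate does not match ssl-noc-certificate.
        return "internal-error:" + fields["NOC_INFO_INT_ERR_MESSAGE"]
    # NOC_INFO_ERR_MESSAGE / NOC_INFO_LOGIN_ERR_URL: the user's login failed.
    return "auth-failed"


# Constructed sample responses in the shapes shown in the manual (hosts
# and URLs are placeholders, not real controller output).
SAMPLE_SUCCESS = ("<HTML>\nNOC_INFO_STATUS=NOC_STATUS_SUCCESS\n"
                  "NOC_INFO_WELCOME_URL=http://example.invalid/welcome\n"
                  "NOC_INFO_SESSION_URL=http://example.invalid/session\n</HTML>")
SAMPLE_CERT_MISMATCH = ("<HTML>\nNOC_INFO_STATUS=NOC_STATUS_FAILURE\n"
                        "NOC_INFO_INT_ERR_MESSAGE=NOC_CANNOT_GET_PEER_CERT\n</HTML>")
SAMPLE_BAD_CREDS = ("<HTML>\nNOC_INFO_STATUS=NOC_STATUS_FAILURE\n"
                    "NOC_INFO_ERR_MESSAGE=Invalid username or password\n"
                    "NOC_INFO_LOGIN_ERR_URL=http://example.invalid/error\n</HTML>")

if __name__ == "__main__":
    url, hdrs = build_login_request("192.168.4.2", "alice", "p&ss=word", "10.0.0.7")
    print(url, hdrs)
    for body in (SAMPLE_SUCCESS, SAMPLE_CERT_MISMATCH, SAMPLE_BAD_CREDS):
        print(classify(parse_noc_response(body)))
```

    The request is built but not sent: in a real login application the URL and headers would go to an HTTPS client configured with the login application's client certificate and the controller's CA, as described under "Setting up the certificates".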

  • Page 642: Simple Noc Authentication Example

    Simple NOC authentication example This is a simple example showing how to use the NOC authentication feature. 1. Retrieve the Public Access Examples zip file at www.hp.com/networking/public-access-examples. 2. Create the following folder on your Web server: newlogin. 3. Copy these files from the Public Access Examples zip file into the newlogin folder: ...

  • Page 643: Forcing User Logouts

    NOC authentication Forcing user logouts 6. Select Public access > Web server. 7. Enable the NOC-based authentication feature. 8. Under Security add the IP address of the Web server to the Allowed Addresses box. 9. Under Active interfaces make sure that the interface on which the request will be received is enabled.

  • Page 644

    NOC authentication Forcing user logouts Logout failure
    <HTML>
    NOC_INFO_STATUS=NOC_STATUS_FAILURE
    NOC_INFO_INT_ERR_MESSAGE=<error message>
    </HTML>
    These definitions are contained in noc.h. D-14...

  • Page 645

    Appendix E: DHCP servers and Colubris vendor classes DHCP servers and Colubris vendor classes Contents Overview ........................E-2 Windows Server 2003 configuration ................. E-2 ISC DHCP server configuration................E-7...

  • Page 646: Isc Dhcp Server Configuration

    HP ProCurve device. Windows Server 2003 configuration This section describes how to configure a Windows 2003 DHCP server to use the HP ProCurve vendor class. The following procedure assumes that you have a Windows 2003 Server that has a DHCP server configured and running.

  • Page 647

    DHCP servers and Colubris vendor classes Windows Server 2003 configuration Creating the vendor class Use the following steps to create the Colubris vendor class on the DHCP server. 1. Select Start > Settings > Control Panel > Administrative Tools > DHCP. The DHCP administration page opens.

  • Page 648

    DHCP servers and Colubris vendor classes Windows Server 2003 configuration 3. On the DHCP Vendor Classes page, select Add. The New Class page opens. 4. On the New Class page:
    - Under Display name, specify Colubris.
    - Under Description, specify any desired descriptive information for this vendor class.

  • Page 649

    DHCP servers and Colubris vendor classes Windows Server 2003 configuration Defining vendor class options Use the following steps to define Colubris vendor class options on the DHCP server. 1. On the DHCP administration page, select Action > Set Predefined Options. From the Option class drop-down menu, select Colubris, and then select Add.

  • Page 650

    DHCP servers and Colubris vendor classes Windows Server 2003 configuration 2. Right-click Scope Options, and from the resulting menu select Configure Options. The Scope Options page opens. Select the Advanced tab. 3. On the Advanced tab, configure the following:
    - From the Vendor class drop-down menu, select Colubris.

  • Page 651

    DHCP servers and Colubris vendor classes Windows Server 2003 configuration 4. The controller IP addresses now appear on the DHCP administration page under Scope Options. When an AP requests an IP address, these addresses are returned in a DHCP Ack message as option 43. Note For information on solving problems, see Troubleshooting on page...

  • Page 652

    DHCP servers and Colubris vendor classes Windows Server 2003 configuration This sample file defines some general options to apply to all clients, as well as two DHCP Scopes—172.25.1.x and 172.25.2.x. You must add lines to the dhcpd.conf file to define the following for the ISC server: ...

  • Page 653

    DHCP servers and Colubris vendor classes Windows Server 2003 configuration
    subnet 172.25.2.0 netmask 255.255.255.0 {
        range 172.25.2.100 172.25.2.150;
        option routers 172.25.2.1;
        option subnet-mask 255.255.255.0;
        option broadcast-address 172.25.2.255;
    }
    Troubleshooting This section shows an Ethereal trace of a DHCP transaction, with the frames edited for readability.

  • Page 654

    DHCP servers and Colubris vendor classes Windows Server 2003 configuration
    Frame 2 - DHCP-Offer
    Frame 2 (346 bytes on wire, 346 bytes captured)
    Ethernet II, Src: Cisco_23:0e:80 (00:0d:bc:23:0e:80), Dst: Colubris_01:5f:05 (00:03:52:01:5f:05)
    802.1Q Virtual LAN
    Internet Protocol, Src: 172.25.1.1 (172.25.1.1), Dst: 172.25.1.201 (172.25.1.201)
    User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68)
    Bootstrap Protocol
    Frame 3 - DHCP-Request...

  • Page 655

    DHCP servers and Colubris vendor classes Windows Server 2003 configuration
    Client MAC address: Colubris_01:5f:05 (00:03:52:01:5f:05)
    Server host name not given
    Boot file name not given
    Magic cookie: (OK)
    Option 53: DHCP Message Type = DHCP ACK
    Option 58: Renewal Time Value = 12 hours
    Option 59: Rebinding Time Value = 21 hours
    Option 51: IP Address Lease Time = 1 day
    Option 54: Server Identifier = 172.24.50.4...

  • Page 656

    DHCP servers and Colubris vendor classes Windows Server 2003 configuration E-12...

  • Page 658

    To learn more, visit www.hp.com/networking © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services.
