SIMATIC NET
SCALANCE W1750D UI
Configuration Manual
C79000-G8976-C451-02
1 About this guide
2 Security recommendations
3 About SCALANCE W
4 Setting up an AP
5 Automatic Retrieval of Configuration
6 SCALANCE W User Interface
7 Initial Configuration Tasks
8 Customizing AP Settings
9 VLAN Configuration
10 IPv6 Support
11 Wireless Network Profiles
12 Wired Profiles
13 Captive Portal for Guest Access
14 Authentication and User Management
15 Roles and Policies
16 DHCP Configuration
17 Configuring Time-Based Services


Summary of Contents for Siemens SCALANCE W1750D UI

  • Page 1 About this guide Security recommendations SIMATIC NET About SCALANCE W Setting up an AP SCALANCE W1750D UI Automatic Retrieval of Configuration SCALANCE W User Interface Configuration Manual Initial Configuration Tasks Customizing AP Settings VLAN Configuration IPv6 Support Wireless Network Profiles...
  • Page 2: C79000-G8976-C451

    C79000-G8976-C451-02, Ⓟ 02/2018, subject to change. Copyright © Siemens AG 2018. All rights reserved. Siemens AG, Division Process Industries and Drives, Postfach 48 48, 90026 NÜRNBERG, DEUTSCHLAND...
  • Page 3 Continued Dynamic DNS Registration VPN Configuration AP-VPN Deployment Adaptive Radio Management Deep Packet Inspection and SCALANCE W1750D UI Application Visibility Voice and Video Services Configuration Manual AP Management and Monitoring Uplink Configuration Intrusion Detection Mesh AP Configuration Mobility and Client...
  • Page 4 Note the following: WARNING Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems.
  • Page 5: Table Of Contents

    6.2.2.4 Security (Page 54); 6.2.2.5 Maintenance (Page 55); 6.2.2.6 More (Page 56); 6.2.2.7 Help (Page 61); 6.2.2.8 Logout (Page 61); 6.2.2.9 Monitoring (Page 61); 6.2.2.10 Client Match (Page 72); 6.2.2.11 AppRF (Page 73). SCALANCE W1750D UI Configuration Manual, , C79000-G8976-C451-02...
  • Page 6 Configuring Per-AP SSID and Per-AP-VLAN Settings on a Wireless Profile (Page 134); 11.2 Configuring Fast Roaming for Wireless Clients (Page 135); 11.2.1 Opportunistic Key Caching (Page 135); 11.2.2 Fast BSS Transition (802.11r Roaming) (Page 137); 11.2.3 Radio Resource Management (802.11k) (Page 138)
  • Page 7 Accessing the Portal Page (Page 186); 13.7 Configuring Guest Logon Role and Access Rules for Guest Users (Page 187); 13.8 Configuring Captive Portal Roles for an SSID (Page 190); 13.9 Configuring Walled Garden Access (Page 194)
  • Page 8 Understanding VLAN Assignment (Page 273); 15.4.4 Configuring VLAN Derivation Rules (Page 275); 15.5 Using Advanced Expressions in Role and VLAN Derivation Rules (Page 277); 15.6 Configuring a User Role for VLAN Derivation (Page 279)
  • Page 9 Access Point Control (Page 347); 21.2.5 Verifying ARM Configuration (Page 348); 21.3 Configuring Radio Settings (Page 351); Deep Packet Inspection and Application Visibility (Page 357); 22.1 Deep Packet Inspection (Page 357); 22.2 Enabling Application Visibility (Page 358)
  • Page 10 Setting an Uplink Priority (Page 435); 26.5.3 Enabling Uplink Preemption (Page 435); 26.5.4 Switching Uplinks Based on VPN and Internet Availability (Page 436); 26.5.5 Viewing Uplink Status and Configuration (Page 438); Intrusion Detection (Page 441)
  • Page 11 Associating an Advertisement Profile to a Hotspot Profile (Page 511); 33.2.4 Creating a WLAN SSID and Associating Hotspot Profile (Page 512); 33.3 Sample Configuration (Page 514); ClearPass Guest Setup (Page 519); 34.1 Configuring ClearPass Guest (Page 519)
  • Page 12 SCALANCE W, ClearPass Policy Manager, and ClearPass Guest Requirements (Page 388); Table 24-2 AirGroup Filtering Options (Page 389); Table 24-3 XML API Command (Page 407); Table 24-4 XML API Command Options (Page 408)
  • Page 13 Figure 6-12 (Page 68); Figure 6-13 Client Distribution on AP Radio (Page 72); Figure 6-14 Channel Availability Map for Clients (Page 72); Figure 6-15 Alerts Link (Page 74); Figure 6-16 Client Alerts (Page 75)
  • Page 14 Manual GRE Configuration (Page 309); Figure 19-3 Aruba GRE Configuration (Page 312); Figure 19-4 L2TPv3 Tunneling (Page 314); Figure 19-5 Tunnel Configuration (Page 315); Figure 19-6 Session Configuration (Page 316); Figure 19-7 Tunneling—Routing (Page 323)
  • Page 15 Routing of traffic when the client is away from its home network (Page 455); Figure 29-2 L3 Mobility Window (Page 458); Figure 30-1 Device List (Page 462); Figure 30-2 Channel Details (Page 464); Figure 30-3 Channel Metrics for the 2.4 GHz Radio Channel (Page 465)
  • Page 16 Scenario 2 - IPsec: Single Datacenter with Multiple controllers for Redundancy (Page 536); Figure 35-3 Scenario 3 - IPsec: Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy (Page 542); Figure 35-4 Scenario 4 - GRE: Single Datacenter Deployment with No Redundancy (Page 548)
  • Page 17 Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly recommends that product updates are applied as soon as they are available and that the latest product versions are used. Use of product versions that are no longer supported, and failure to apply the latest updates may increase customer’s exposure...
  • Page 18 About this guide SCALANCE W1750D UI Configuration Manual, 02/2018, C79000-G8976-C451-02...
  • Page 19: About This Guide

    # send In this example, you would type “send” at the system prompt exactly as shown, followed by the text of the message you wish to send. Do not type the angle brackets.
  • Page 20 Service & Support In addition to the product documentation, also check out the comprehensive online information platform of Siemens Industry Online Support at the following Internet address: (https://support.industry.siemens.com/cs/de/en/) Apart from news, there you will also find: ●...
  • Page 21: Security Recommendations

    ● Keep the software up to date. Check regularly for security updates of the product. You will find information on this on the Internet pages "Industrial Security (https://www.siemens.com/industrialsecurity)" ● Inform yourself regularly about security advisories and bulletins published by Siemens ProductCERT (https://www.siemens.com/cert/en/cert-security-advisories.htm). ● Only activate protocols that you really require to use the device.
  • Page 22 ● Verify certificates and fingerprints on the server and client to avoid "man in the middle" attacks. ● We recommend that you use certificates with a key length of 2048 bits. ● Change keys and certificates immediately, if there is a suspicion of compromise
  • Page 23 ● If you require non-secure protocols and services, operate the device only within a protected network area. ● Restrict the services and protocols available to the outside to a minimum.
  • Page 24 UDP/8211 Open Open Proprietary (dTable) UDP/8612 Open Open RADIUS UDP/1616 Open Open UDP/1892 Open Open SNMP UDP/161 Open Open TCP/22 Open Open TCP/2322 Open Open Syslog UDP/514 Open Open Telnet TCP/23 Open Open
  • Page 25: About Scalance W

    Virtual Controller. SCALANCE W continually monitors the network to determine the AP that should function as the Virtual Controller at any time, and the Virtual Controller will move from one AP to another as necessary without impacting network performance.
  • Page 26: Scalance W Ui

    Continue login link on the Login page. Note To view the SCALANCE W UI, ensure that JavaScript is enabled on the web browser. Note The SCALANCE W UI logs out automatically if the window is inactive for 15 minutes.
  • Page 27: Scalance W Cli

    SSH access requires that you configure an IP address and a default gateway on the AP and connect the AP to your network. This is typically performed when the SCALANCE W network on an AP is set up.
  • Page 28 About SCALANCE W 3.3 SCALANCE W CLI
  • Page 29: Setting Up An Ap

    ● PoE midspan—Connect the Enet0 port of the AP to the appropriate port on the PoE midspan. ● AC to DC power adapter—Connect the 12V DC power jack socket to the AC to DC power adapter.
  • Page 30: Assigning An Ip Address To The Ap

    255.255.255.0
    apboot> setenv gatewayip 192.0.2.2
    apboot> save
    Saving Environment to Flash... Un-Protected 1 sectors .done Erased 1 sectors Writing
    5. Use the printenv command to view the configuration.
    apboot> printenv
  • Page 31: Provisioning An Ap

    NTP traffic to pool.ntp.org, or provide alternative NTP servers under DHCP options. For more information on configuring an NTP server, see NTP-Server (Page 81).
  • Page 32 APs in the same VLAN automatically find each other and form a single functioning network managed by a VC. Note Moving an AP from one cluster to another requires a factory reset of the AP.
  • Page 33: Provisioning Aps Through Airwave

    5. In the apboot mode, execute the following commands to disable the provisioning network:
    apboot> factory_reset
    apboot> setenv disable_prov_ssid 1
    apboot> saveenv
    apboot> reset
    4.2.2 Provisioning APs through Airwave
    For information on provisioning APs through AirWave, refer to the AirWave Deployment Guide
  • Page 34: Logging In To The Scalance W Ui

    APs use. Within the regulated transmission spectrum, a high-throughput 802.11ac, 802.11a, 802.11b/g, or 802.11n radio setting can be configured. The available 20 MHz, 40 MHz, or 80 MHz channels are dependent on the specified country code.
  • Page 35 US and Japan for most of the AP models. For AP-RW variants, you can select from the list of supported regulatory domains. If the supported country code is not in the list, contact your Siemens Support team to know if the required country code is supported and obtain the software that supports the required country code.
  • Page 36: Accessing The Scalance W Cli

    You can use the question mark (?) to view the commands available in a privileged EXEC mode, configuration mode, or subcommand mode. Note Although automatic completion is supported for some commands such as , the complete exit and end commands must be entered at command prompt.
  • Page 37 CLI session are saved in the CLI context. The CLI does not support the configuration data exceeding the 4K buffer size in a CLI session. Therefore, Siemens recommends that you configure fewer changes at a time and apply the changes at regular intervals.
  • Page 38 Using Sequence-Sensitive Commands The SCALANCE W CLI does not support positioning or precedence of sequence-sensitive commands. Therefore, Siemens recommends that you remove the existing configuration before adding or modifying the configuration details for sequence-sensitive commands. You can either delete an existing profile or remove a specific configuration by using the no…...
  • Page 39 You can also specify a timeout value of 0 to disable CLI session timeouts. The users must re-login to the AP after the session times out. The session does not time out when the value is set to 0.
  • Page 40 Setting up an AP 4.4 Accessing the SCALANCE W CLI
  • Page 41: Automatic Retrieval Of Configuration

    APs, configure the managed mode command parameters. Prerequisites Perform the following checks before configuring the managed mode command parameters: ● When the APs are in the managed mode, ensure that the APs are not managed by AirWave.
  • Page 42: Configuration Managed Mode Parameters

    downloading the configuration file.
    NOTE: Specify the retry interval in seconds within the range of 5–60 seconds. The default retry interval is 5 seconds.
    8. Apply the configuration changes.
    (scalance)(managed-mode-profile)# end
    (scalance)# commit apply
  • Page 43 To configure managed mode profile:
    (scalance)(config)# managed-mode-profile
    (scalance)(managed-mode-profile)# username <username>
    (scalance)(managed-mode-profile)# password <password>
    (scalance)(managed-mode-profile)# config-filename instant.cfg
    (scalance)(managed-mode-profile)# download-method ftps
    (scalance)(managed-mode-profile)# sync-time day 00 hour 03 min 30 window 02
    (scalance)(managed-mode-profile)# retry-poll-period 10
    (scalance)(managed-mode-profile)# end
    (scalance)# commit apply
  • Page 44: Verifying The Configuration

    2. Verify the status of download by running the following command at the command prompt:
    (scalance)# show managed-mode logs
    If the configuration settings retrieved in the configuration file are incomplete, APs reboot with the earlier configuration.
  • Page 45: Scalance W User Interface

    If SCALANCE W cannot detect the language, then English is used as the default language. You can also select the required language option from the Languages drop-down list located on the SCALANCE W main window.
  • Page 46 Logging into the SCALANCE W UI To log in to the SCALANCE W UI, enter the following credentials: ● Username — admin ● Password — admin The SCALANCE W UI main window is displayed.
  • Page 47: Main Window

    ● Search Text Box ● Tabs ● Links ● Views Banner The banner is a horizontal gray rectangle that appears on the SCALANCE W main window. It displays the company name, logo, and the VC's name.
  • Page 48 The individual tabs can be expanded or collapsed by clicking the tabs. The list items in each tab can be sorted by clicking the triangle icon next to the heading labels
  • Page 49: Tabs

    Network tab. To delete a network, click the x link. For more information on the procedure to add or modify a wireless network, see Wireless Network Profiles (Page 109).
  • Page 50: Access Points Tab

    ● Utilization (%)—Percentage of time that the channel is utilized. ● Noise (dBm)—Noise floor of the channel. An edit link is displayed on clicking the AP name. For details on editing AP settings, see Customizing AP Settings (Page 89).
  • Page 51: Clients Tab

    ● Speed (mbps)—Current speed at which data is transmitted. When the client is associated with an AP, it constantly negotiates the speed of data transfer. A value of 0 means that the AP has not heard from the client for some time.
  • Page 52: Links

    This link is displayed on the SCALANCE W main window only if a new image version is available on the image server and AirWave is not configured. For more information on the New version available link and its functions, see Upgrading an AP (Page 471)
  • Page 53: System

    AP (Page 471) for more information. ● Time Based Services—Allows you to configure a time profile which can be assigned to the SSID configured on the AP. See Configuring Time-Based Services (Page 295).
  • Page 54: Security

    ● Custom Blocked Page URL—Use this tab to create a list of URLs that can be blocked using an ACL rule. For more information, see Creating Custom Error Page for Web Access Blocked by AppRF Policies (Page 260).
  • Page 55: Maintenance

    ● About — Displays the name of the product, build time, AP model name, the SCALANCE W version, website address of Siemens, and copyright information. ● Configuration — Displays the following details: – Current Configuration — Displays the current configuration details.
  • Page 56: More

    VPN concentrator. See VPN Configuration (Page 303) for more information. The following figure shows an example of the IPsec configuration options available in the VPN window: Figure 6-3 VPN Window for IPsec Configuration
  • Page 57: Figure 6-4 Ids Window: Intrusion Detection

    The following figures show the IDS window: Figure 6-4 IDS Window: Intrusion Detection; Figure 6-5 IDS Window: Intrusion Protection. For more information on wireless intrusion detection and protection, see Detecting and Classifying Rogue APs (Page 441).
  • Page 58: Figure 6-6 Wired Window

    ● CALEA — Allows you to configure support for Communications Assistance for Law Enforcement Act (CALEA) server integration, thereby ensuring compliance with Lawful Intercept and CALEA specifications. For more information, see CALEA Integration and Lawful Intercept Compliance (Page 409).
  • Page 59: Figure 6-7 Services Window: Default View

    PAN, see Integrating an AP with Palo Alto Networks Firewall (Page 403) and Integrating an AP with an XML API Interface (Page 406). The following figure shows the default view of the Services window: Figure 6-7 Services Window: Default View
  • Page 60: Figure 6-8 Dhcp Servers Window

    The DHCP Servers window allows you to configure various DHCP modes. The following figure shows the options available in the DHCP Servers window: Figure 6-8 DHCP Servers Window. For more information, see DHCP Configuration (Page 281).
  • Page 61: Help

    Monitoring pane. The Monitoring pane consists of the following sections: ● Info ● RF Dashboard ● RF Trends ● Usage Trends ● Mobility Trail
  • Page 62 WLAN SSIDs also indicates status of captive portal and CALEA ACLs and provides a link to upload certificates for the internal server. For more information, see Uploading Certificates (Page 238).
  • Page 63 ● Channel—Indicates the channel that is currently used by the client. ● Type—Displays the channel type on which the client is broadcasting. ● Role—Displays the role assigned to the client. Contents of the Info Section in the SCALANCE W Main Window
  • Page 64: Figure 6-9 Rf Dashboard In The Monitoring Pane

    ● Orange — Utilization is between 50% and 75%. ● Red — Utilization is more than 75%. ● To view the utilization graph of an AP, click the Utilization icon next to the AP in the Utilization column.
  • Page 65 ● To view the errors graph of an AP, click the Errors icon next to the AP in the Errors column. Contents of the Info Section in the SCALANCE W Main Window
  • Page 66: Figure 6-10 Rf Trends For Access Point

    3. Study the Signal graph in the RF Trends pane. For example, the graph shows that signal strength for the client is 54.0 dB at 12:23 hours.
  • Page 67: Monitoring

    12:30 hours. put of the client for the last 15 minutes. To see the exact throughput at a particular time, move the cursor over the graph line. Client View—RF Trends Graphs and Monitoring Procedures
  • Page 68: Figure 6-12 Usage Trends Graphs In The Default View

    pane. For example, the graph shows that one client is associated with the selected network at 12:00 hours.
    SCALANCE W network at a particular time, move the cursor over the graph line.
  • Page 69 3. Study the CPU Utilization graph in the Overview pane. For example, the graph shows that the CPU utilization of the AP is 30% at 12:09 hours.
  • Page 70 3. Study the Clients graph. For example, the graph shows that six clients are associated with the AP at 12:11 hours.
    with the selected AP at a particular time, move the cursor over the graph line.
  • Page 71 AP. The SCALANCE W UI shows the client and AP association over the last 15 minutes. ● Access Point—The AP name with which the client was associated. Note Mobility information about the client is reset each time it roams from one AP to another.
  • Page 72: Client Match

    RSSI, channel utilization details, and client count on each channel are displayed. The following figure shows the client view heat map for an AP radio: Figure 6-14 Channel Availability Map for Clients
  • Page 73: Apprf

    Ratio (SNIR). Spectrum monitors display spectrum analysis data seen on all channels in the selected band, and hybrid APs display data from the single channel that they are monitoring. For more information on spectrum monitoring, see Spectrum Monitor (Page 461).
  • Page 74: Alerts

    The following figure shows the contents of details displayed on clicking the Alerts link: Figure 6-15 Alerts Link. The Alerts link displays the following types of alerts: ● Client Alerts ● Active Faults ● Fault History
  • Page 75: Table 6-1 Types Of Alerts

    ● Cleared by — Displays the module which cleared this fault. ● Description — Displays the event details. The following figures show the client alerts, active faults, and fault history: Figure 6-16 Client Alerts
  • Page 76: Table 6-2 Types Of Alerts

    Code 100101: Internal error. The AP has encountered an internal error for this client. Corrective Actions: Contact the Siemens customer support team. Code 100102: Unknown SSID in The AP cannot allow this client to associ- Identify the client and check its Wi-Fi driver...
  • Page 77 connection failure using 802.1X because the RADIUS server did not respond to the authentication request. If the AP is using the internal
    If the AP is using the internal RADIUS server, Siemens recommends checking the related configuration as well as the installed certificate and passphrase....
  • Page 78: Ids

    Push Pin icon to view the information. The following figure shows an example for the intrusion detection log: Figure 6-19 Intrusion Detection For more information on the intrusion detection feature, see Intrusion Detection (Page 441).
  • Page 79: Airgroup

    The Configuration link provides an overall view of your VC, APs, and WLAN SSID configuration. The following figure shows the VC configuration details displayed on clicking the Configuration link. Figure 6-21 Configuration Link
  • Page 80: Airwave Setup

    In the Client view, all the clients in the SCALANCE W network are listed in the Clients tab. Click the IP address of the client that you want to monitor. For more information on the graphs and the views, see Monitoring (Page 61).
  • Page 81: Initial Configuration Tasks

    VLAN as the native VLAN of the upstream switch, to which the AP is connected. By default, the AP considers the uplink switch native VLAN value as 1.
  • Page 82 Mobility Access Switch to turn off ports where rogue access points are connected, as well as take actions such as increasing PoE priority and automatically configuring VLANs on ports where SCALANCE W Access Points are connected.
  • Page 83 <start-hour> <end-week> <end-day> <end-month> <end-hour>
    Preferred Band: The preferred band for the AP.
    (scalance)(config)# rf-band <band>
    NOTE: Reboot the AP after modifying the radio profile for changes to take effect.
  • Page 84 When Auto-Join feature is disabled, the inactive APs are displayed in red.
    Terminal access: When terminal access is enabled, you can access the AP CLI through SSH. The terminal access is enabled by default
    (scalance)(config)# terminal-access
  • Page 85 Internet but cannot communicate with each other, and the routing traffic between the clients is sent to the upstream device to make the forwarding decision. By default, the Deny local routing parameter is disabled.
  • Page 86 This setting protects user experience. ● Always Enabled in all APs—When selected, the client and network management functions are protected. This setting helps in large networks with high client density.
  • Page 87: Changing Password

    3. Select the Hash Management Password check box. This will enable the hashing of the management user password. The check box will appear grayed out after this setting is enabled, as this setting cannot be reversed.
  • Page 88
    (scalance)(config)# hash-mgmt-user john password cleartext password01 usertype read-only
    (scalance)(config)# end
    (scalance)# commit apply
    The following example removes a management user with read-only privilege:
    (scalance)(config)# no hash-mgmt-user read-only
    (scalance)(config)# end
    (scalance)# commit apply
  • Page 89: Customizing Ap Settings

    2. Click the edit link. 3. Edit the AP name in Name. You can specify a name of up to 32 ASCII characters. 4. Click OK. In the CLI To change the name:
    (scalance)# hostname <name>
  • Page 90: Configuring Zone Settings On An Ap

    2. Click the edit link. The edit window for modifying AP details is displayed. 3. Specify the AP zone in Zone. 4. Click OK. In the CLI To change the name:
    (scalance)# zone <name>
  • Page 91: Specifying A Method For Obtaining Ip Address

    – Enter the domain name in the Domain name text box. 4. Click OK and reboot the AP. In the CLI To configure a static IP address:
    (scalance)# ip-address <IP-address> <subnet-mask> <NextHop-IP> <DNS-IP-address> <domain-name>
  • Page 92: Configuring Radio Profiles For An Ap

    2. Select appropriate channel number from the Channel drop-down list for both 2.4 GHz and 5 GHz band sections. 3. Enter appropriate transmit power value in the Transmit power text box in 2.4 GHz and 5 GHz band sections.
  • Page 93 SCALANCE W CLI. For more information see Configuring WLAN Settings for a SSID Profile (Page 110). If the maximum clients setting is configured multiple times, using either the configuration mode or Privileged EXEC mode, the latest configuration takes precedence.
  • Page 94: Configuring Uplink Vlan For An Ap

    5. Click OK. 6. Reboot the AP. In the CLI To configure an uplink VLAN:
    (scalance)# uplink-vlan <VLAN-ID>
    To view the uplink VLAN status:
    (scalance)# show uplink-vlan
    Uplink Vlan Current :0
    Uplink Vlan Provisioned :1
  • Page 95: Changing Usb Port Status

    7. Reboot the AP. In the CLI To disable the USB port:
    (scalance)# usb-port-disable
    To re-enable the USB port:
    (scalance)# no usb-port-disable
    To view the USB port status:
    (scalance)# show ap-env
    Antenna Type:External
    usb-port-disable:1
  • Page 96: Master Election And Virtual Controller

    In most cases, the master election process automatically determines the best AP that can perform the role of VC, which will apply its image and configuration to all other APs in the same AP management VLAN. When the VC goes down, a new VC is elected.
  • Page 97 AP Settings - Provisioning Master AP
    4. Click OK.
    In the CLI
    To provision an AP as a master AP:
        (scalance)# iap-master
    To verify if the AP is provisioned as master AP:
        (scalance)# show ap-env
        Antenna Type:Internal
        Iap_master:1
  • Page 98: Adding An Ap To The Network

    To add an AP to the network:
    1. On the Access Points tab, click the New link.
    2. In the New Access Point window, enter the MAC address for the new AP.
    3. Click OK.
  • Page 99: Removing An Ap From The Network

    2. Click x to confirm the deletion.
    Note
    The deleted APs cannot join the SCALANCE W network anymore and are not displayed in the SCALANCE W UI. However, the master AP details cannot be deleted from the VC database.
  • Page 100 Customizing AP Settings 8.9 Removing an AP from the Network
  • Page 101: Vlan Configuration

    Internet. In such a scenario, the SCALANCE W UI now displays the following alert message:
    Figure 9-1 Uplink VLAN Detection
    To resolve this issue, ensure that there is no mismatch in the VLAN configuration.
  • Page 102 VLAN Configuration 9.2 Uplink VLAN Monitoring and Detection on Upstream Devices
  • Page 103: Ipv6 Support

    ● With leading zeros omitted—2001:db8:a0b:12f0:0:0:0:1
    ● Switching from upper to lower case—2001:DB8:A0B:12f0:0:0:0:1
    IPv6 uses a "/" notation which describes the number of bits in netmask as in IPv4.
        2001:db8::1/128 – Single Host
        2001:db8::/64 – Network
  • Page 104: Enabling Ipv6 Support For Ap Configuration

    1. Go to the System link, directly above the Search bar in the SCALANCE W UI.
    2. Under General, select the Allow IPv6 Management check box.
    3. Enter the IP address in the Virtual Controller IPv6 address text box.
    4. Click OK.
  • Page 105 SNMP parameters, see Configuring SNMP (Page 481).
    To view the SNMP configuration:
        (scalance)# show running-config|include snmp
        snmp-server community e96a5ff136b5f481b6b55af75d7735c16ee1f61ba082d7ee
        snmp-server host 2001:470:20::121 version 2c Siemens-string inform
    SNTP Over IPv6
    To view the SNTP configuration:
        (scalance)# show running-config|include ntp
        ntp-server 2001:470:20::121
  • Page 106: Firewall Support For Ipv6

    2002::/64 17 0-65535 546-547 6— destined to host 2001::10 FTP is denied any 2001::10/128 6 0-65535 20-21 6—
    For all ACLs the AP will have an implicit IPv4 and IPv6 allow all ACL rule
  • Page 107: Debugging Commands

    ● show ipv6 route—displays the IPv6 routing information.
    ● show datapath ipv6 session—displays IPv6 sessions.
    ● show datapath ipv6 user—displays IPv6 client details.
    ● show clients, show clients debug—displays the details about AP clients
  • Page 108 IPv6 Support 10.4 Debugging Commands
  • Page 109: Wireless Network Profiles

    (Quality of Service) QoS. To configure a new wireless network profile, complete the following procedures:
    1. Configuring WLAN Settings
    2. Configuring VLAN Settings
    3. Configuring Security Settings
    4. Configuring Access Rules for a Network
  • Page 110: Configuring Wlan Settings For An Ssid Profile

    2. Enter a name that uniquely identifies a wireless network in the Name (SSID) text box.
    Note
    The SSID name must be unique and may contain any special character except for ' and ".
  • Page 111 NOTE: When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN.
  • Page 112 67. Time Range Click Edit, select a Time Range Profile from the list and specify if the profile must be enabled or disabled for the SSID, and then click OK.
  • Page 113 TSPEC bandwidth to the desired value within the range of 200–600,000 Kbps. The default value is 2000 Kbps.
    • Spectralink Voice Protocol (SVP)—Select the check box to prioritize voice traffic for SVP handsets.
  • Page 114 The clients can connect to the Internet, but cannot communicate with each other, and the bridging traffic between the clients is sent to the upstream device to make the forwarding decision.
  • Page 115
        (scalance)(SSID Profile <name>)# out-of-service <def> <name>
        (scalance)(SSID Profile <name>)# time-range <profile name> {<Enable>|<Disable>}
        (scalance)(SSID Profile <name>)# inactivity-timeout <interval>
        (scalance)(SSID Profile <name>)# local-probe-req-thresh <threshold>
        (scalance)(SSID Profile <name>)# max-clients-threshold <number-of-clients>
        (scalance)(SSID Profile <name>)# end
        (scalance)# commit apply
  • Page 116 The following example shows the configuration of temporal-diversity and max-retries in a WLAN SSID profile:
        (scalance)(config)# wlan ssid-profile Name
        (scalance)(SSID Profile "Name")# temporal-diversity
        (scalance)(SSID Profile "Name")# max-retries 3
        (scalance)(SSID Profile "Name")# end
        (scalance)# commit apply
  • Page 117: Configuring Vlan Settings For A Wlan Ssid Profile

    2. Select any of the following options for Client IP assignment.
    – Virtual Controller assigned—On selecting this option, the client obtains the IP address from the VC.
    – Network assigned—On selecting this option, the IP address is obtained from the network.
  • Page 118 String—Enter the string to match.
    – VLAN—Enter the VLAN to be assigned.
    4. Click Next to configure security settings for the Employee network. For more information, see Configuring Security Settings for a WLAN SSID Profile (Page 120).
  • Page 119 ● When a client roams between the APs, the DHCP state and the client IP address will be synchronized with the new AP.
    By default, enforcing DHCP feature is disabled.
    To enforce DHCP:
        (scalance)(config)# wlan ssid-profile <name>
        (scalance)(SSID Profile <name>)# enforce-dhcp
        (scalance)(SSID Profile <name>)# end
        (scalance)# commit apply
  • Page 120: Configuring Security Settings For A Wlan Ssid Profile

    – Open—On selecting the open security level, the authentication options applicable to an open network are displayed. The default security setting for a network profile is Personal.
  • Page 121 Wireless Network Profiles 11.1 Configuring Wireless Network Profiles The following figures show the configuration options for Enterprise, Personal, and Open security settings. Figure 11-3 Security Tab: Enterprise
  • Page 122 Wireless Network Profiles 11.1 Configuring Wireless Network Profiles Figure 11-4 Security Tab: Personal
  • Page 123 Wireless Network Profiles 11.1 Configuring Wireless Network Profiles Figure 11-5 Security Tab: Open
  • Page 124 64-bit or 128-bit.
    4. Select an appropriate value for Tx key from the Tx Key drop-down list. You can specify 1, 2, 3, or 4.
    5. Enter an appropriate WEP key and reconfirm.
  • Page 125 RADIUS servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Two Authentication Servers on page 154. (and Open security levels.)
  • Page 126
    • To use a separate server for accounting, select Use separate servers. The accounting server is distinguished from the authentication server specified for the SSID profile.
    • To disable the accounting function, select Disabled.
  • Page 127 Upload Certificate Click Upload Certificate and browse to upload a certificate file for the internal server. For more information on certificates, see Uploading Certificates on page 177. (Enterprise, Personal, and Open security levels)
  • Page 128 To configure enterprise security settings for the Employee and Voice users:
        (scalance)(config)# wlan ssid-profile <name>
        (scalance)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip,wpa2-aes|dynamic-wep}
        (scalance)(SSID Profile <name>)# leap-use-session-key
        (scalance)(SSID Profile <name>)# termination
        (scalance)(SSID Profile <name>)# auth-server <server-name>
        (scalance)(SSID Profile <name>)# external-server
  • Page 129
        (scalance)(SSID Profile <name>)# blacklist
        (scalance)(SSID Profile <name>)# max-authentication-failures <number>
        (scalance)(SSID Profile <name>)# radius-accounting
        (scalance)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
        (scalance)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
        (scalance)(SSID Profile <name>)# radius-reauth-interval <minutes>
        (scalance)(SSID Profile <name>)# end
        (scalance)# commit apply
  • Page 130
        (scalance)(SSID Profile <name>)# blacklist
        (scalance)(SSID Profile <name>)# max-authentication-failures <number>
        (scalance)(SSID Profile <name>)# radius-accounting
        (scalance)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
        (scalance)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
        (scalance)(SSID Profile <name>)# radius-reauth-interval <minutes>
        (scalance)(SSID Profile <name>)# end
        (scalance)# commit apply
  • Page 131: Configuring Access Rules For A Wlan Ssid Profile

    For more information, see Configuring Captive Portal Roles for an SSID on page 135.
    – Create a role assignment rule. For more information, see Configuring Derivation Rules on page 199.
    2. Click Finish.
  • Page 132
        (scalance)(config)# wlan ssid-profile <name>
        (scalance)(SSID Profile <name>)# set-role-machine-auth <machine_only> <user_only>
        (scalance)(SSID Profile <name>)# end
        (scalance)# commit apply
    To configure unrestricted access:
        (scalance)(config)# wlan ssid-profile <name>
        (scalance)(SSID Profile <name>)# set-role-unrestricted
        (scalance)(SSID Profile <name>)# end
  • Page 133
        (scalance)(Access Rule "WirelessRule")# rule any any match webreputation benign-sites permit
        (scalance)(Access Rule "WirelessRule")# rule any any match webreputation suspicious-sites deny
        (scalance)(Access Rule "WirelessRule")# rule any any match webreputation high-risk-sites deny
        (scalance)(Access Rule "WirelessRule")# end
        (scalance)# commit apply
  • Page 134: Configuring Per-Ap Ssid And Per-Ap-Vlan Settings On A Wireless Profile

    To verify the per-ap-ssid and per-ap-vlan configurations:
        (scalance)# show ap-env
        Antenna Type:Internal
        name:TechPubsAP
        per_ap_ssid:PCCW
        per_ap_vlan:vlan
        lacp_mode:enable
    Note
    For information on configuring a native VLAN on a wired profile, see Configuring VLAN for a Wired Profile (Page 149).
  • Page 135: Configuring Fast Roaming For Wireless Clients

    You can enable OKC roaming for WLAN SSID by using the SCALANCE W UI or the CLI.
    In the SCALANCE W UI
    1. Navigate to the WLAN wizard (Go to Network > New OR Go to Network > WLAN SSID and click edit).
    2. Click the Security tab.
  • Page 136
        (scalance)(config)# wlan ssid-profile <name>
        (scalance)(SSID Profile <name>)# dot11k
        (scalance)(config)# end
        (scalance)# commit apply
    To view the beacon report details:
        (scalance)# show ap dot11k-beacon-report <mac>
    To view the neighbor details:
        (scalance)# show ap dot11k-nbrs
  • Page 137: Fast Bss Transition (802.11R Roaming)

    3. Under Fast Roaming, select the 802.11r check box.
    4. Click Next and then click Finish.
    In the CLI
    To enable 802.11r roaming on a WLAN SSID:
        (scalance)(config)# wlan ssid-profile <name>
        (scalance)(SSID Profile <name>)# dot11r
        (scalance)(config)# end
        (scalance)# commit apply
  • Page 138: Radio Resource Management (802.11K)

    This interval may be used to assist in making channel measurements without interference from other stations in the BSS.
    ● Extended Capabilities IE—The extended capabilities IE carries information about the capabilities of an IEEE 802.11 station.
  • Page 139 To allow the AP and clients to exchange neighbor reports, ensure that Client match is enabled through RF > ARM > Client match > Enabled in the UI or by executing the client-match command in the arm configuration subcommand mode.
  • Page 140 To view the beacon report details:
        (scalance)# show ap dot11k-beacon-report <mac>
    To view the neighbor details:
        (scalance)# show ap dot11k-nbrs
    Example
        (scalance)(config)# wlan ssid-profile dot11k-profile
        (scalance)(SSID Profile "dot11k-profile")# dot11k
        (scalance)(config)# end
        (scalance)# commit apply
  • Page 141: Bss Transition Management (802.11V)

    In the CLI
    To enable 802.11v profile:
        (scalance)(config)# wlan ssid-profile <name>
        (scalance)(SSID Profile <name>)# dot11v
        (scalance)(config)# end
        (scalance)# commit apply
    Example
        (scalance)(config)# wlan ssid-profile dot11v-profile
        (scalance)(SSID Profile "dot11v-profile")# dot11v
        (scalance)(config)# end
        (scalance)# commit apply
  • Page 142: Configuring Modulation Rates On A Wlan Ssid

        (scalance)(SSID Profile "<ssid_profile>")# a-basic-rates 6 9 12 18
        (scalance)(SSID Profile "<ssid_profile>")# a-tx-rates 36 48 54
        (scalance)(SSID Profile "<ssid_profile>")# supported-mcs-set 1,3,6,7
        (scalance)(SSID Profile "<ssid_profile>")# vht-support-mcs-map 7, 9, 8
        (scalance)(SSID Profile "<ssid_profile>")# end
        (scalance)# commit apply
  • Page 143: Multi-User-Mimo

    RTS/CTS threshold is set to 2333.
    To configure the RTS/CTS threshold:
        (scalance)(config)# wlan ssid-profile <ssid_profile>
        (scalance)(SSID Profile "<ssid_profile>")# rts-threshold <threshold>
        (scalance)(SSID Profile "<ssid_profile>")# end
        (scalance)# commit apply
    To disable RTS/CTS, set the RTS threshold value to 0.
  • Page 144: Management Frame Protection

    AP CLI. Short preamble is enabled by default.
    To disable the short preamble:
        (scalance)# config terminal
        (scalance)(config)# wlan ssid-profile <ssid_profile>
        (scalance)(SSID Profile "<ssid_profile>")# short-preamble-disable
        (scalance)(SSID Profile "<ssid_profile>")# end
        (scalance)# commit apply
  • Page 145: Editing Status Of A Wlan Ssid Profile

    1. On the Network tab, click the network that you want to delete. A x link is displayed beside the network to be deleted.
    2. Click x. A delete confirmation window is displayed.
    3. Click Delete Now.
  • Page 146 Wireless Network Profiles 11.8 Deleting a WLAN SSID Profile
  • Page 147: Wired Profiles

    OpenDNS, select Enabled for Content Filtering.
    – Uplink—Select Enabled to configure uplink on this wired profile. If Uplink is set to Enabled and this network profile is assigned to a specific port, the port will be enabled...
  • Page 148
        (scalance)(wired ap profile <name>)# no shutdown
        (scalance)(wired ap profile <name>)# poe
        (scalance)(wired ap profile <name>)# uplink-enable
        (scalance)(wired ap profile <name>)# content-filtering
        (scalance)(wired ap profile <name>)# spanning-tree
        (scalance)(wired ap profile <name>)# end
        (scalance)# commit apply
  • Page 149: Configuring Vlan For A Wired Profile

    VLAN carried by the port in the Access mode.
    2. Click Next. The Security tab details are displayed.
    3. Configure security settings for the wired profile. For more information, see Configuring Security Settings for a Wired Profile (Page 151).
  • Page 150
        (scalance)(wired ap profile <name>)# end
        (scalance)# commit apply
    To configure a new VLAN assignment rule:
        (scalance)(config)# wired-port-profile <name>
        (scalance)(wired ap profile <name>)# set-vlan <attribute>{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <VLAN-ID>|value-of}
        (scalance)(wired ap profile <name>)# end
        (scalance)# commit apply
  • Page 151: Configuring Security Settings For A Wired Profile

    – Internal server—If an internal server is selected, add the clients that are required to authenticate with the internal RADIUS server. Click the Users link to add users. For information on adding a user, see Managing AP Users on page 140.
  • Page 152
        (scalance)(wired ap profile <name>)# radius-accounting
        (scalance)(wired ap profile <name>)# radius-accounting-mode {user-association|user-authentication}
        (scalance)(wired ap profile <name>)# radius-interim-accounting-interval <minutes>
        (scalance)(wired ap profile <name>)# radius-reauth-interval <Minutes>
        (scalance)(wired ap profile <name>)# trusted
        (scalance)(wired ap profile <name>)# end
        (scalance)# commit apply
  • Page 153: Configuring Access Rules For A Wired Profile

    VLANs for the wired network profile. For more information on role assignment rules and VLAN derivation rules, see Configuring Derivation Rules (Page 270) and Configuring VLAN Derivation Rules (Page 275).
  • Page 154
        (scalance)(wired ap profile <name>)# end
        (scalance)# commit apply
    To configure machine and user authentication roles:
        (scalance)(config)# wired-port-profile <name>
        (scalance)(wired ap profile <name>)# set-role-machine-auth <machine_only> <user-only>
        (scalance)(wired ap profile <name>)# end
        (scalance)# commit apply
  • Page 155: Assigning A Profile To Ethernet Ports

    0/2, 0/3, and 0/4 drop-down lists.
    In the CLI
    To assign profiles to Ethernet ports:
        (scalance)(config)# enet0-port-profile <name>
        (scalance)(config)# enet1-port-profile <name>
        (scalance)(config)# enet2-port-profile <name>
        (scalance)(config)# enet3-port-profile <name>
        (scalance)(config)# enet4-port-profile <name>
        (scalance)(config)# end
        (scalance)# commit apply
  • Page 156: Editing A Wired Profile

    LACP configuration to benefit from the higher (greater than 1 Gbps) aggregate throughput capabilities of the two radios.
    Note
    The LACP feature is supported only on AP-22x Series and AP-27x Series access points.
  • Page 157: Enabling Port-Channel On A Switch

        -------------- ------------------ ----------- ------------- ---------------
        eth0           6c:f3:7f:c6:76:6e  Up          Yes           0
        eth1           6c:f3:7f:c6:76:6f  Up          Yes           0

        Traffic Sent on Enet Ports
        --------------------------
        Radio Num  Enet 0 Tx Count  Enet 1 Tx Count
        ---------  ---------------  ---------------
        non-wifi
  • Page 158: Enabling Static Lacp Configuration

    To disable the static LACP mode on APs:
        (scalance)# lacp-mode disable
    Verifying Static LACP Mode
    To verify the static LACP configuration, execute the following command in the AP CLI:
        (scalance)# show ap-env
        Antenna Type:Internal
        name:TechPubsAP
        per_ap_ssid:1234
        per_ap_vlan:abc
        lacp_mode:enable
  • Page 159: Understanding Hierarchical Deployment

    APs. Ensure that the downlink port configured in a private VLAN is not used for any wired client connection. Other downlink ports can be used for connecting to the wired clients. The following figure illustrates a hierarchical deployment scenario:
  • Page 160 Wired Profiles 12.6 Understanding Hierarchical Deployment Figure 12-1 Hierarchical Deployment
  • Page 161: Captive Portal For Guest Access

    – Internal Acknowledged—When is enabled, a guest user must accept the terms and conditions to access the Internet.
    – External captive portal—For external captive portal authentication, an external portal on the cloud or on a server outside the enterprise network is used.
  • Page 162: Walled Garden

    SSID are assigned IP addresses and an initial role. When a guest user tries to access a URL through HTTP or HTTPS, the captive portal web page prompting the user to authenticate with a username and password is displayed.
  • Page 163: Configuring A Wlan Ssid For Guest Access

    When this option is enabled, multicast traffic can be sent at up to 24 Mbps. The default rate for sending frames for 2.4 GHz is 1 Mbps and 5 GHz is 6 Mbps. This option is disabled by default.
  • Page 164 802.11ac APs to function as 802.11n APs. If VHT is configured or disabled on an SSID, the changes will apply only to the SSID on which it is enabled or disabled.
  • Page 165
    • Voice WMM—For voice traffic generated from the incoming and outgoing voice communication.
    For more information on WMM traffic and DSCP mapping, see Wi-Fi Multimedia Traffic Management (Page 376).
  • Page 166 Specify the maximum number of clients that can be configured for each BSSID on a WLAN. You can specify a value within the range of 0 to 255. The default value is 64.
  • Page 167 You can select an existing DHCP scope for client IP and VLAN assignment or you can create a new DHCP scope by selecting New. For more information on DHCP scopes, see Configuring DHCP Scopes.
  • Page 168 Note
    If the client IP assignment mode is set to Network assigned in a guest SSID profile, the guest clients can log out of the captive portal network by accessing the https://securelogin.scalance.com/auth/logout.html URL.
  • Page 169 To manually assign VLANs for WLAN SSID users:
        (scalance)(config)# wlan ssid-profile <name>
        (scalance)(SSID Profile <name>)# vlan <vlan-ID>
    To create a new VLAN assignment rule:
        (scalance)(config)# wlan ssid-profile <name>
        (scalance)(SSID Profile <name>)# set-vlan <attribute>{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <VLAN-ID>|value-of}
  • Page 170: Configuring Wired Profile For Guest Access

    When the VC assignment is used, the source IP address is translated for all client traffic that goes through this interface. The VC can also assign a guest VLAN to a wired client.
  • Page 171
        (scalance)(wired ap profile <name>)# switchport-mode {trunk|access}
        (scalance)(wired ap profile <name>)# allowed-vlan <vlan>
        (scalance)(wired ap profile <name>)# native-vlan {<guest|1…4095>}
    To configure a new VLAN assignment rule:
        (scalance)(config)# wired-port-profile <name>
        (scalance)(wired ap profile <name>)# set-vlan <attribute>{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <VLAN-ID>|value-of}
  • Page 172: Configuring Internal Captive Portal For Guest Network

    MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used.
    NOTE: This option is available only when MAC authentication is enabled.
  • Page 173 Configure an accounting interval in minutes within the range of 0–60, to allow APs to periodically post accounting information to the RADIUS server.
    Encryption Select Enabled to configure encryption parameters. Select an encryption and configure a passphrase. (Applicable for WLAN SSIDs only.)
  • Page 174
        (scalance)(SSID Profile <name>)# essid <ESSID-name>
        (scalance)(SSID Profile <name>)# type <Guest>
        (scalance)(SSID Profile <name>)# captive-portal <internal-authenticated> exclude-uplink {3G|4G|Wifi|Ethernet}
        (scalance)(SSID Profile <name>)# mac-authentication
        (scalance)(SSID Profile <name>)# auth-server <server1>
        (scalance)(SSID Profile <name>)# radius-reauth-interval <Minutes>
        (scalance)(SSID Profile <name>)# end
  • Page 175
        (scalance)(Captive Portal)# terms-of-use <text>
        (scalance)(Captive Portal)# use-policy <text>
        (scalance)(Captive Portal)# end
        (scalance)# commit apply
    To upload a customized logo from a TFTP server to the AP:
        (scalance)# copy config tftp <ip-address> <filename> portal logo
  • Page 176: Configuring External Captive Portal For Guest Network

    The specified text will be returned by the external server after a successful user authentication.
    IP or hostname Enter the IP address or the host name of the external splash page server.
  • Page 177 Sends the IP address of the VC in the redirection URL when external captive portal servers are used. This option is disabled by default.
    Redirect URL Specify a redirect URL if you want to redirect the users to another URL.
  • Page 178: Configuring An Ssid Or Wired Profile To Use External Captive Portal Authentication

    2. On the Security tab, select External from the Splash page type drop-down list.
    3. From the Captive Portal Profile drop-down list, select a profile. You can select and modify a default profile, or an already existing profile, or click New and create a new profile.
  • Page 179 If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and stops when the client is disconnected.
  • Page 180
        (scalance)(SSID Profile <name>)# radius-accounting
        (scalance)(SSID Profile <name>)# radius-interim-accounting-interval
        (scalance)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
        (scalance)(SSID Profile <name>)# wpa-passphrase <WPA_key>
        (scalance)(SSID Profile <name>)# wep-key <WEP-key> <WEP-index>
        (scalance)(SSID Profile <name>)# end
        (scalance)# commit apply
  • Page 181: External Captive Portal Redirect Parameters

    You can configure SCALANCE W to point to ClearPass Guest as an external captive portal server. With this configuration, the user authentication is performed by matching a string in the server response and that in the RADIUS server (either ClearPass Guest or a different RADIUS server).
  • Page 182 Name configured in the ClearPass Guest RADIUS Web Login page. For example, if the Page Name is Siemens, the URL should be /name.php in the SCALANCE W UI. – Enter the Port number (generally should be 80). The ClearPass Guest server uses this port for HTTP services.
  • Page 183 AP intercepts this information to perform the actual RADIUS authentication with the server IP defined in the POST message. For more information on guest registration customization on ClearPass Guest, refer to the ClearPass Guest User Guide
  • Page 184: Configuring Facebook Login

    7. Click OK. The SSID with the Facebook option is created. After the SSID is created, the AP automatically registers with Facebook. If the AP registration is successful, the Facebook configuration link is displayed in the Security tab of the WLAN wizard.
  • Page 185: Configuring The Facebook Portal Page

    – Require Wi-Fi code—When selected, the users are assigned a Wi-Fi code to gain access to the Facebook page.
    5. Customize the session length and terms of service if required.
    6. Click Save Settings.
  • Page 186: Accessing The Portal Page

    Internet.
    3. If you want to check in the business page, click Check In and provide your credentials. After checking in, click Continue Browsing to access the web page that was originally requested.
  • Page 187: Configuring Guest Logon Role And Access Rules For Guest Users

    When the captive portal authentication is successful, a new user role is assigned to the guest users based on DHCP option configured for the SSID profile instead of the pre-authenticated role. 2. Click Finish.
  • Page 188

    (scalance)(config)# wlan ssid-profile <name>
    (scalance)(SSID Profile <name>)# set-role-machine-auth <machine_only> <user_only>
    (scalance)(SSID Profile <name>)# end
    (scalance)# commit apply

    To configure unrestricted access:

    (scalance)(config)# wlan ssid-profile <name>
    (scalance)(SSID Profile <name>)# set-role-unrestricted
    (scalance)(SSID Profile <name>)# end
    (scalance)# commit apply
  • Page 189

    (scalance)(Access Rule "WirelessRule")# rule any any match webreputation benign-sites permit
    (scalance)(Access Rule "WirelessRule")# rule any any match webreputation suspicious-sites deny
    (scalance)(Access Rule "WirelessRule")# rule any any match webreputation high-risk-sites deny
    (scalance)(Access Rule "WirelessRule")# end
    (scalance)# commit apply
  • Page 190: Configuring Captive Portal Roles For An Ssid

    2. On the Access tab, move the slider to Role-based access control by using the scroll bar. 3. Select a role or create a new one if required. 4. Click New to add a new rule. The New Rule window is displayed.
  • Page 191 Splash Page Type: Select any of the following attributes:
    – Select Internal to configure a rule for internal captive portal authentication.
    – Select External to configure a rule for external captive portal authentication.
  • Page 192 – Auth Text—Indicates the authentication text returned by the external server after a successful user authentication. 6. Click OK. The enforce captive portal rule is created and listed as an access rule.
  • Page 193

    In the CLI

    To create a captive portal role:

    (scalance)(config)# wlan access-rule <Name>
    (scalance)(Access Rule <Name>)# captive-portal {external [profile <name>]|internal}
    (scalance)(Access Rule <Name>)# end
    (scalance)# commit apply
  • Page 194: Configuring Walled Garden Access

    5. To modify the list, select the domain name/URL and click Edit. To remove an entry from the list, select the URL from the list and click Delete. 6. Click OK to apply the changes.
  • Page 195: Disabling Captive Portal Authentication

    MAC authentication failures, and configure encryption keys for authorized access. 4. If required, configure the security parameters. 5. Click Next and then click Finish to apply the changes.
  • Page 196 Captive Portal for Guest Access 13.9 Configuring Walled Garden Access
  • Page 197: Authentication And User Management

    Access to local user database only Complete access to the AP read-only administrator No write privileges No write privileges guest administrator Access to local user database only Access to local user database only
  • Page 198: Configuring Ap Users

    Note The user database is also used when an AP is configured as an internal RADIUS server. Note The local user database of APs can support up to 512 user entries.
  • Page 199 6. Click Add and click OK. The users are listed in the Users list. To edit user settings: 1. Select the user you want to modify from the Users list in the table. 2. Click Edit to modify user settings. 3. Click OK.
  • Page 200: Configuring Authentication Parameters For Management Users

    RADIUS or TACACS server. You can configure authentication parameters for local admin, read-only, and guest management administrator account settings through the SCALANCE W UI or the CLI.
  • Page 201 If using an internal authentication server: 1. Specify the Username and Password. 2. Retype the password to confirm. Authentication server If a RADIUS or TACACS server is configured, select Authentication server for authentication.
  • Page 202: Adding Guest Users Through The Guest Management Interface

    The guest management interface is displayed. 2. To add a user, click New. The New Guest User popup window is displayed. 3. Specify a Username and Password. 4. Retype the password to confirm. 5. Click OK.
  • Page 203: Supported Authentication Methods

    MAC authentication is successful and 802.1X authentication fails. If 802.1X authentication is successful, the mac-auth-only role is overwritten by the final role. The mac-auth-only role is primarily used for wired clients.
  • Page 204 ISP as per their service agreements. The AP assigns the default WISPr user role to the client when the client's ISP sends an authentication message to the AP. For more information on WISPr authentication, see Configuring WISPr Authentication.
  • Page 205: Supported Eap Authentication Frameworks

    To use the AP’s internal database for user authentication, add the usernames and passwords of the users to be authenticated. Note Siemens does not recommend the use of LEAP authentication, because it does not provide any resistance to network attacks. Authentication Termination on AP APs support EAP termination for enterprise WLAN SSIDs.
  • Page 206: Configuring Authentication Servers

    To use an LDAP server for user authentication, configure the LDAP server on the VC, and configure user IDs and passwords. To use a RADIUS server for user authentication, configure the RADIUS server on the VC.
  • Page 207 An external RADIUS server authenticates network users and returns to the AP the vendor-specific attribute (VSA) that contains the name of the network role for the user. The authenticated user is placed into the management role specified by the VSA.
  • Page 208: Tacacs Servers

    The secondary is used only if there are outstanding authentication sessions on the primary server. With this, the load balance can be performed across RADIUS servers of asymmetric capacity without the need to obtain inputs about the server capabilities from the administrators.
  • Page 209: Configuring An External Server For Authentication

    20 seconds. The default value is 5 seconds. Retry count Specify a number between 1 and 5. Indicates the maximum number of authentication requests that are sent to the server group, and the default value is 3 requests.
  • Page 210 Admin password Enter a password for administrator. Base-DN Enter a distinguished name for the node that contains the entire user database.
  • Page 211 Note You can also add TACACS server by selecting the New option when configuring authentication parameters for management users. For more information, see Configuring Authentication Parameters for Management Users (Page 200).
  • Page 212

    (scalance)(Auth Server <profile-name>)# drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address>
    (scalance)(Auth Server <profile-name>)# end
    (scalance)# commit apply

    To enable RadSec:

    (scalance)(config)# wlan auth-server <profile-name>
    (scalance)(Auth Server "name")# ip <host>
    (scalance)(Auth Server "name")# radsec [port <port>]
  • Page 213 To configure a ClearPass Policy Manager server used for AirGroup CoA:

    (scalance)(config)# wlan auth-server <profile-name>
    (scalance)(Auth Server <profile-name>)# ip <host>
    (scalance)(Auth Server <profile-name>)# key <key>
    (scalance)(Auth Server <profile-name>)# cppm-rfc3576-port <port>
    (scalance)(Auth Server <profile-name>)# cppm-rfc3576-only
    (scalance)(Auth Server <profile-name>)# end
  • Page 214: Enabling Radius Communication Over Tls

    To configure the RadSec protocol in the UI: 1. Navigate to Security > Authentication Servers. The Security window is displayed. 2. To create a new server, click New. A popup window for specifying details for the new server is displayed.
  • Page 215 Edit. You can also associate the authentication servers when creating a new WLAN or wired profile. 2. Click the Security tab and select a splash page profile. 3. Select an authentication type.
  • Page 216: Configuring Dynamic Radius Proxy Parameters

    3. Associate the authentication servers to SSID or a wired profile to which the clients connect. After completing the configuration steps mentioned above, you can authenticate the SSID users against the configured dynamic RADIUS proxy parameters.
  • Page 217 To configure dynamic RADIUS proxy in the SCALANCE W UI: 1. Go to Security > Authentication Servers. 2. To create a new server, click New and configure the required RADIUS server parameters as described in Table 33.
  • Page 218: Associate Server Profiles To A Network Profile

    – To open the wired settings window, click More > Wired. In the Wired window, select a profile and click edit. You can also associate the authentication servers when creating a new WLAN or wired profile. 2. Click the Security tab.
  • Page 219

    (scalance)(SSID Profile <name>)# end
    (scalance)# commit apply

    To associate an authentication server to a wired profile:

    (scalance)(config)# wired-port-profile <name>
    (scalance)(wired ap profile <name>)# auth-server <name>
    (scalance)(wired ap profile <name>)# end
    (scalance)# commit apply
  • Page 220: Understanding Encryption Types

    WEP and TKIP are limited to WLAN connection speed of 54 Mbps. The 802.11n connection supports only AES encryption. Siemens recommends AES encryption. Ensure that all devices that do not support AES are upgraded or replaced with the devices that support AES encryption.
  • Page 221: Table 14- 3 Recommended Authentication And Encryption Combinations

    None. Voice Network or Handheld devices: 802.1X or PSK as supported by the device; AES if possible, TKIP or WEP if necessary (combine with security settings assigned for a user role).
  • Page 222: Configuring Authentication Survivability

    2. In the Edit <profile-name> or the New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next. 3. On the Security tab, under Enterprise security settings, select an existing authentication server or create a new server by clicking New.
  • Page 223

    (scalance)# commit apply

    To view the cache expiry duration:

    (scalance)# show auth-survivability time-out

    To view the information cached by the AP:

    (scalance)# show auth-survivability cached-info

    To view logs for debugging:

    (scalance)# show auth-survivability debug-log
  • Page 224: Configuring 802.1X Authentication For A Network Profile

    – Both (WPA-2 & WPA) – Dynamic WEP with 802.1X 4. If you do not want to use a session key from the RADIUS server to derive pairwise unicast keys, set Session Key for LEAP to Enabled.
  • Page 225

    (scalance)(SSID Profile <name>)# auth-server <server1>
    (scalance)(SSID Profile <name>)# auth-server <server2>
    (scalance)(SSID Profile <name>)# radius-reauth-interval <minutes>
    (scalance)(SSID Profile <name>)# auth-survivability
    (scalance)(SSID Profile <name>)# exit
    (scalance)(config)# auth-survivability cache-time-out <hours>
    (scalance)(config)# end
    (scalance)# commit apply
  • Page 226

    (scalance)(wired ap profile <name>)# dot1x
    (scalance)(wired ap profile <name>)# auth-server <server1>
    (scalance)(wired ap profile <name>)# auth-server <server2>
    (scalance)(wired ap profile <name>)# server-load-balancing
    (scalance)(wired ap profile <name>)# radius-reauth-interval <Minutes>
    (scalance)(wired ap profile <name>)# end
    (scalance)# commit apply
  • Page 227: Enabling 802.1X Supplicant Support

    2. To upload server certificates for validating the authentication server credentials, complete the following steps: – Click Upload New Certificate. – Specify the URL from where you want to upload the certificates and select the type of certificate. 3. Click OK.
  • Page 228

    (scalance)# download ap1xca <url> format pem

    To view the certificate details:

    (scalance)# show ap1xcert

    To verify the configuration, use any of the following commands:

    (scalance)# show ap1x config
    (scalance)# show ap1x debug-logs
    (scalance)# show ap1x status
  • Page 229: Configuring Mac Authentication For A Network Profile

    (scalance)(SSID Profile <name>)# mac-authentication
    (scalance)(SSID Profile <name>)# l2-auth-failthrough
    (scalance)(SSID Profile <name>)# auth-server <server-name1>
    (scalance)(SSID Profile <name>)# radius-reauth-interval <minutes>
    (scalance)(SSID Profile <name>)# auth-survivability
    (scalance)(SSID Profile <name>)# exit
    (scalance)(config)# auth-survivability cache-time-out <hours>
    (scalance)(config)# end
    (scalance)# commit apply
  • Page 230

    (scalance)(wired ap profile "<name>")# dot1x
    (scalance)(wired ap profile "<name>")# l2-auth-failthrough
    (scalance)(wired ap profile "<name>")# auth-server <name>
    (scalance)(wired ap profile "<name>")# server-load-balancing
    (scalance)(wired ap profile "<name>")# radius-reauth-interval <Minutes>
    (scalance)(wired ap profile "<name>")# end
    (scalance)# commit apply
  • Page 231: Configuring Mac Authentication With Captive Portal Authentication

    – To enforce MAC authentication, click the Access tab and select Enforce MAC auth only role check box. 3. Click Next and then click Finish to apply the changes.
  • Page 232

    (scalance)(wired ap profile <name>)# captive-portal <type>
    (scalance)(wired ap profile <name>)# captive-portal {<type> [exclude-uplink <types>] |external [Profile <name>] [exclude-uplink <types>]}
    (scalance)(wired ap profile <name>)# set-role-mac-auth <mac-only>
    (scalance)(wired ap profile <name>)# end
    (scalance)# commit apply
  • Page 233: Configuring Wispr Authentication

    7. Enter the E.164 Country Code for the WISPr Location ID in the E.164 country code text box. 8. Enter the SSID/Zone section for the WISPr Location ID in the SSID/Zone text box.
  • Page 234 RADIUS server profile for the WISPr server

    In the CLI

    (scalance)(config)# wlan wispr-profile
    (scalance)(WISPr)# wispr-location-id-ac
    (scalance)(WISPr)# wispr-location-id-cc
    (scalance)(WISPr)# wispr-location-id-isocc
    (scalance)(WISPr)# wispr-location-id-network
    (scalance)(WISPr)# wispr-location-name-location
    (scalance)(WISPr)# wispr-location-name-operator-name
    (scalance)(WISPr)# end
    (scalance)# commit apply
  • Page 235: Blacklisting Clients

    To blacklist a client:

    (scalance)(config)# blacklist-client <MAC-Address>
    (scalance)(config)# end
    (scalance)# commit apply

    To enable blacklisting in the SSID profile:

    (scalance)(config)# wlan ssid-profile <name>
    (scalance)(SSID Profile <name>)# blacklisting
    (scalance)(SSID Profile <name>)# end
    (scalance)# commit apply
  • Page 236 You can configure a maximum number of authentication failures by the clients, after which a client must be blacklisted. For more information on configuring maximum authentication failure attempts, see Configuring Security Settings for a WLAN SSID Profile (Page 120).
  • Page 237

    Auth Failure Blacklist Time 60

    Manually Blacklisted Clients
    ----------------------------
    MAC  Time
    ---  ----

    Dynamically Blacklisted Clients
    -------------------------------
    MAC  Reason  Timestamp  Remaining time(sec)  AP IP
    ---  ------  ---------  -------------------  -----

    Dyn Blacklist Count 0
  • Page 238: Uploading Certificate

    – RadSec—The RadSec server certificate to verify the identity of the server to the client. – RadSec CA—The RadSec CA certificate for mutual authentication between the AP clients and the TLS server. 6. Select the certificate format from the Certificate format drop-down list.
  • Page 239 HTTPS message and sends it to the VC. After the VC receives this message, it draws the certificate content from the message, converts it to the right format, and saves it on the RADIUS server.
  • Page 240 – Select Server Cert for certificate Type, and provide the passphrase if you want to upload a server certificate. – Select either or certificate , if you want to upload a CA certificate. Figure 14-4 Server Certificate
  • Page 241 The Virtual Controller Certificate section displays the certificates (CA cert and Server). 5. Click Save to apply the changes only to AirWave. Click Save and Apply to apply the changes to the AP. 6. To clear the certificate options, click Revert.
  • Page 242 Authentication and User Management 14.13 Uploading Certificate
  • Page 243: Roles And Policies

    ● ACLs that permit or deny traffic based on network services, application, application categories, web categories, and security ratings. Note You can configure up to 128 access control entries in an ACL for a user role. Note The maximum configurable universal role is 4096.
  • Page 244: Configuring Acl Rules For Network Services

    2. Select the role for which you want to configure access rules. 3. In the Access rules section, click New to add a new rule. The New Rule window is displayed. 4. Ensure that the rule type is set to Access Control.
  • Page 245 Select the Log check box if you want a log entry to be created when this rule is triggered. SCALANCE W supports firewall-based logging. Firewall logs on the APs are generated as security logs.
  • Page 246

    (scalance)(Access Rule "employee")# rule 192.0.2.8 255.255.255.255 invert 6 110 110 permit
    (scalance)(Access Rule "employee")# rule 192.0.2.2 255.255.255.0 192.0.2.7 255.255.255.0 match tcp 21 21 deny
    (scalance)(Access Rule "employee")# rule 192.0.2.2 255.255.255.0 192.0.2.7 255.255.255.0 match udp 21 21 deny
  • Page 247: Configuring Network Address Translation Rules

    3. To configure access rules for the network, move the slider to the Network-based access control type. To configure access rules for user roles, move the slider to the Role-based access control type.
  • Page 248 2. Ensure that the source IP address is associated with the IP address configured for the L3 subnet. 3. Create an access rule for the SSID profile with Source-NAT action as described in Configuring a Source-NAT Access Rule. The source-NAT pool is configured and corporate access entry is created.
  • Page 249

    In the CLI

    To configure destination-NAT access rule:

    (scalance)(config)# wlan access-rule <access_rule>
    (scalance)(Access Rule "<access_rule>")# rule <dest> <mask> <match> <protocol> <sport> <eport> dst-nat ip <IP-address> [<port>]
    (scalance)(Access Rule "<access_rule>")# end
    (scalance)# commit apply
  • Page 250: Configuring Alg Protocols

    Reboot the AP and the client, or wait for a few minutes to view the changes.

    In the CLI

    To configure protocols for ALG:

    (scalance)(config)# alg
    (scalance)(ALG)# sccp-disable
    (scalance)(ALG)# no sip-disable
    (scalance)(ALG)# no ua-disable
    (scalance)(ALG)# no vocera-disable
    (scalance)(ALG)# end
    (scalance)# commit apply
  • Page 251: Configuring Firewall Settings For Protection From Arp Attacks

    – Select to enable the AP to trigger an alert notifying the user about the ARP poisoning that may have been caused by the rogue APs. Figure 15-2 Firewall Settings - Protection Against Wired Attacks 4. Click OK.
  • Page 253: Configuring Firewall Settings To Disable Auto Topology Rules

    3. In Firewall section, select Disabled from the Auto topology rules drop-down list. 4. Click OK.

    In the CLI

    (scalance)(config)# firewall
    (scalance)(firewall)# disable-auto-topology-rules
    (scalance)(firewall)# end
    (scalance)# commit apply

    To view the configuration status:

    Firewall
    --------
    Type                 Value
    ----                 -----
    Auto topology rules  disable
  • Page 254: Managing Inbound Traffic

    Configuring Management Subnets. Note The inbound firewall is not applied to traffic coming through the GRE tunnel. You can configure inbound firewall rules through the SCALANCE W UI or the CLI.
  • Page 255 TCP, UDP, and Other. If you select the TCP or UDP options, enter appropriate port numbers. If the Other option is selected, ensure that an appropriate ID is entered.
  • Page 256 Select the Classify media check box to prioritize video and voice traffic. When media classification is enabled, a packet inspection is performed on all non-NAT traffic and the traffic is marked as follows:
    – Video: Priority 5 (Critical)
    – Voice: Priority 6 (Internetwork Control)
  • Page 257 When the management subnets are configured, access through Telnet, SSH, and UI is restricted to these subnets only. You can configure management subnets by using the SCALANCE W UI or the CLI.
  • Page 258 – Click Add. 3. To add multiple subnets, repeat step 2. 4. Click OK.

    In the CLI

    To configure a management subnet:

    (scalance)(config)# restricted-mgmt-access <subnet-IP-address> <subnet-mask>
    (scalance)(config)# end
    (scalance)# commit apply
  • Page 259 2. Select Enabled from the Restrict Corporate Access drop-down list. 3. Click OK.

    In the CLI

    To configure restricted management access:

    (scalance)(config)# restrict-corp-access
    (scalance)(config)# end
    (scalance)# commit apply
  • Page 260: Content Filtering

    Note Regardless of whether content filtering is disabled or enabled, the DNS requests to http://direct.siemens.com are always resolved internally on SCALANCE W. The content filtering configuration applies to all APs in the network and the service is enabled or disabled globally across the wireless or wired network profiles.
  • Page 261 To delete a domain, select the domain and click Delete. This will remove the domain name from the list.

    In the CLI

    To configure an enterprise domain:

    (scalance)(config)# internal-domains
    (scalance)(domain)# domain-name <name>
    (scalance)(domain)# end
    (scalance)# commit apply
  • Page 262 5. To filter access based on the security ratings of the website: – Select Web reputation under Service section. – Move the slider to the required security rating level. – From the Action drop-down list, select Allow or Deny as required.
  • Page 263 To create a list of error page URLs: In the SCALANCE W UI 1. Navigate to Security > Custom Blocked Page URL. 2. Click New and enter the URL that you want to block.
  • Page 264 To configure an ACL rule to redirect blocked HTTP websites to a custom error page URL:

    (scalance)(config)# wlan access-rule <access_rule_name>
    (scalance)(Access Rule "<access_rule_name>")# dpi-error-page-url <idx>
    (scalance)(Access Rule "<access_rule_name>")# end
    (scalance)# commit apply
  • Page 265 To configure an ACL rule to redirect blocked HTTPS to a custom error page URL:

    (scalance)(config)# wlan access-rule <access_rule_name>
    (scalance)(Access Rule "<access_rule_name>")# dpi-error-page-url <idx>
    (scalance)(Access Rule "<access_rule_name>")# redirect-blocked-https-traffic
    (scalance)(Access Rule "<access_rule_name>")# end
    (scalance)# commit apply
  • Page 266: Configuring User Roles

    Configuring Access Rules for a Wired Profile (Page 153).

    In the CLI

    To configure user roles and access rules:

    (scalance)(config)# wlan access-rule <access-rule-name>
    (scalance)(Access Rule <Name>)# rule <dest> <mask> <match> <protocol> <start-port> <end-port> {permit|deny|src-nat [vlan <vlan_id>|tunnel]|dst-nat {<IP-address> <port>|<port>}} [<option1…option9>]
  • Page 267 7. Click OK. 8. Associate the user role to a WLAN SSID or a wired profile. You can also create a user role and assign bandwidth contracts when configuring an SSID or a wired profile.
  • Page 268 Configuring ACL Rules for Network Services. (Page 244) 3. Select Enforce Machine Authentication and select the Machine auth only and User auth only roles. 4. Click Finish to apply these changes.
  • Page 269

    (scalance)(SSID Profile <name>)# end
    (scalance)# commit apply

    To configure machine and user authentication roles for a wired profile:

    (scalance)(config)# wired-port-profile <name>
    (scalance)(wired ap profile <name>)# set-role-machine-auth <machine_only> <user_only>
    (scalance)(wired ap profile <name>)# end
    (scalance)# commit apply
  • Page 270: Configuring Derivation Rules

    The DHCP fingerprinting allows you to identify the operating system of a device by looking at the options in the DHCP frame. Based on the operating system type, a role can be assigned to the device.
  • Page 271: Creating A Role Derivation Rule

    4. Select the attribute that matches with the rule from the Attribute drop-down list. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For information on a list of RADIUS attributes, see RADIUS Server Authentication with VSA (Page 209).
  • Page 272

    (scalance)(SSID Profile <name>)# end
    (scalance)# commit apply

    To configure role assignment rules for a wired profile:

    (scalance)(config)# wired-port-profile <name>
    (scalance)(wired ap profile <name>)# set-role <attribute>{{equals|not-equal|starts-with|ends-with|contains}<operator> <role>|value-of}
    (scalance)(wired ap profile <name>)# end
    (scalance)# commit apply
  • Page 273: Understanding Vlan Assignment

    SCALANCE W supports role derivation based on the DHCP option for captive portal authentication. When the captive portal authentication is successful, the role derivation based on the DHCP option assigns a new user role to the guest users, instead of the pre-authenticated role.
  • Page 274 If the VSA and VLAN derivation rules are not matching, and the User Role does not contain a VLAN, the user VLAN can be derived by VLANs configured for an SSID or an Ethernet port profile.
  • Page 275: Configuring Vlan Derivation Rules

    3. Select the attribute from the Attribute drop-down list. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For information on a list of RADIUS attributes, see RADIUS Server Authentication with VSA. (Page 209)
  • Page 276

    (scalance)(wired ap profile <name>)# set-vlan <attribute>{{equals|not-equals|starts-with|ends-with|contains}<operator><VLAN-ID>|value-of}
    (scalance)(wired ap profile <name>)# end
    (scalance)# commit apply

    Example

    (scalance)(config)# wlan ssid-profile Profile1
    (scalance)(SSID Profile "Profile1")# set-vlan mac-address-and-dhcp-options matches-regular-expression ..link 100
    (scalance)(SSID Profile "Profile1")# end
    (scalance)# commit apply
  • Page 277: Using Advanced Expressions In Role And VLAN Derivation Rules

    Where n is an integer. Matches the declared element exactly n times. For example, {2}link matches uplink, but not downlink.
    {n,} Where n is an integer. Matches the declared element at least n times. For example, {2,}ink matches downlink, but not uplink.
  • Page 278 For information on how to use regular expressions in role and VLAN derivation rules, see the following topics:
    ● Creating a Role Derivation Rule (Page 271)
    ● Configuring VLAN Derivation Rules (Page 275)
  • Page 279: Configuring A User Role For VLAN Derivation

    – Select the operator to match attribute from the Operator drop-down list.
    – Enter the string to match in the String text box.
    – Select the role to be assigned from the Role text box.
    4. Click OK.
  • Page 280
    To assign a VLAN role to a WLAN profile:
    (scalance)(config)# wlan ssid-profile <name>
    (scalance)(SSID Profile <name>)# set-role <attribute>{{equals <operator> <role>|not-equals <operator> <role>|starts-with <operator> <role>|ends-with <operator> <role>|contains <operator> <role>}|value-of}
    (scalance)(SSID Profile <name>)# end
    (scalance)# commit apply
  • Page 281: DHCP Configuration

    This DHCP assignment mode is used in the Network Address Translation (NAT) forwarding mode.
    ● Local, L2—In this mode, the VC acts as a DHCP server and the gateway located outside the AP.
  • Page 282 86 and Configuring VLAN for a Wired Profile on page 106.
    Network: Specify the network to use.
    Netmask: If Local; Local, L2; or Local, L3 is selected, specify the subnet mask. The subnet mask and the network determine the size of the subnet.
  • Page 283
    (scalance)(DHCP Profile <profile-name>)# server-type <local,l2>
    (scalance)(DHCP Profile <profile-name>)# server-vlan <vlan-ID>
    (scalance)(DHCP Profile <profile-name>)# subnet <IP-address>
    (scalance)(DHCP Profile <profile-name>)# subnet-mask <subnet-mask>
    (scalance)(DHCP Profile <profile-name>)# exclude-address <IP-address>
    (scalance)(DHCP Profile <profile-name>)# default-router
    (scalance)(DHCP Profile <profile-name>)# dns-server <name>
  • Page 284: Configuring Distributed DHCP Scopes

    Based on the number of clients specified for each branch, the range of IP addresses is divided. Based on the IP address range and client count configuration, the DHCP server in the VC is configured with a unique subnet and a corresponding scope.
  • Page 285 2. To configure a distributed DHCP mode, click New under Distributed DHCP Scopes. The New DHCP Scope window is displayed. The following figure shows the contents of the New DHCP Scope window.
    Figure 16-1 New DHCP Scope: Distributed DHCP Mode
  • Page 286 4. Click Next
    5. Specify the number of clients to use per branch. The client count configured for a branch determines the use of IP addresses from the IP address range defined for a DHCP...
  • Page 287
    (scalance)(config)# ip dhcp <profile-name>
    (scalance)(DHCP Profile <profile-name>)# ip dhcp server-type <Distributed,L3>
    (scalance)(DHCP Profile <profile-name>)# server-vlan <vlan-ID>
    (scalance)(DHCP Profile <profile-name>)# client-count <number>
    (scalance)(DHCP Profile <profile-name>)# dns-server <name>
    (scalance)(DHCP Profile <profile-name>)# domain-name <domain-name>
    (scalance)(DHCP Profile <profile-name>)# lease-time <seconds>
  • Page 288: Configuring Centralized DHCP Scopes

    SSID profile. For more information on SSID profile configuration, see Configuring VLAN Settings for a WLAN SSID Profile on page 86 and Configuring VLAN for a Wired Profile on page 106.
  • Page 289: Table 16-1 DHCP Relay And Option 82

    Table 16-1 DHCP Relay and Option 82
    DHCP Relay | Option 82 | Result
    Enabled | Enabled | DHCP packet relayed with the ALU-specific Option 82 string
    Enabled | Disabled | DHCP packet relayed without the ALU-specific Option 82 string
  • Page 290
    (scalance)(DHCP Profile <profile-name>)# server-type <centralized>
    (scalance)(DHCP Profile <profile-name>)# server-vlan <vlan-ID>
    (scalance)(DHCP Profile <profile-name>)# dhcp-relay
    (scalance)(DHCP Profile <profile-name>)# dhcp-server <DHCP-relay-server>
    (scalance)(DHCP Profile <profile-name>)# vlan-ip <DHCP IP address> mask <VLAN mask>
    (scalance)(DHCP Profile <profile-name>)# end
    (scalance)# commit apply
  • Page 291: Configuring The Default DHCP Scope For Client IP Assignment

    You can configure a domain name, DNS server, and DHCP server for client IP assignment using the SCALANCE W UI or the CLI.
    In the SCALANCE W UI
    To configure a DHCP pool:
    1. Navigate to More > DHCP Server. The DHCP Server tab contents are displayed.
  • Page 292 Figure 16-2 DHCP Servers Window
  • Page 293
    (scalance)(DHCP)# end
    (scalance)# commit apply
    To view the DHCP database:
    (scalance)# show ip dhcp database
    DHCP Subnet :192.0.2.0
    DHCP Netmask :255.255.255.0
    DHCP Lease Time(m) :20
    DHCP Domain Name :example.com
    DHCP DNS Server :192.0.2.1
  • Page 295: Configuring Time-Based Services

    – When the timer ends, if the current time is greater than the end time, the SSID is brought UP. If the SSID is already UP, then there is no effect on the SSID.
  • Page 296: Configuring A Time Range Profile

    (scalance)(config)# time-range <name> absolute start <startday> <starttime> end <endday> <endtime>
    (scalance)(config)# end
    (scalance)# commit apply
    To configure a periodic time range profile:
    (scalance)(config)# time-range <name> periodic {<startday>|daily|weekday|weekend} <starttime> to <endtime>
    (scalance)(config)# end
    (scalance)# commit apply
  • Page 297: Applying A Time Range Profile To A WLAN SSID

    (scalance)(SSID Profile "<name>")# end
    (scalance)# commit apply
    To disable a time range profile on an SSID:
    (scalance)(config)# wlan ssid-profile <name>
    (scalance)(SSID Profile "<name>")# time-range <name> disable
    (scalance)(SSID Profile "<name>")# end
    (scalance)# commit apply
  • Page 298: Verifying The Configuration

    The following command creates a periodic time range profile that executes during the weekend:
    (scalance)(config)# time-range timep4 periodic weekend 10:20 to 10:30
    The following command removes the time range configuration:
    (scalance)(config)# no time-range testhshs12
  • Page 299: Dynamic DNS Registration

    NOTE: When a key is configured, the update is successful only if AP and DNS server clocks are in sync.
    Server IP (example value 10.17.132.85): Enter the server IP address of the DNS server to which the client updates are sent.
  • Page 300
    To configure a TSIG key and server IP address:
    (scalance)(config)# dynamic-dns-ap key <algo-name:keyname:keystring>
    (scalance)(config)# dynamic-dns-ap server <ddns_server>
    (scalance)(config)# end
    (scalance)# commit apply
    To configure a time interval:
    (scalance)(config)# dynamic-dns-interval <ddns_interval>
    (scalance)(config)# end
    (scalance)# commit apply
  • Page 301: Configuring Dynamic DNS Updates For Clients

    4. Click Next and then click Finish.
    In the CLI
    To enable DDNS for AP clients:
    (scalance)(config)# ip dhcp <profile name>
    (scalance)(DHCP profile "<name>")# dynamic-dns
    (scalance)(DHCP profile "<name>")# dynamic-dns key <algo-name:keyname:keystring>
    (scalance)(DHCP Profile "<name>")# end
    (scalance)# commit apply
  • Page 302: Verifying The Configuration

    You can also configure dynamic DNS on an AP or clients using the privileged execution mode in the CLI. For more information, refer to the show ddns clients command in the Function Manual.
  • Page 303: VPN Configuration

    ● Branch offices that require multiple APs.
    ● Individuals working from home and connecting to the VPN.
    The survivability feature of APs with the VPN connectivity of RAPs allows you to provide corporate connectivity on non-corporate networks.
  • Page 304: Table 19-1 VPN Protocols

    VLAN on the corporate side is extended to remote branch sites. Wireless clients associated with an AP get the IP address from the DHCP server running on LNS. For this, the AP has to transparently allow DHCP transactions through the L2TPv3 tunnel.
  • Page 305: Configuring A Tunnel From An AP To A Mobility Controller

    Fast failover drop-down list. When fast failover is enabled and if the primary tunnel fails, the AP can switch the data stream to the backup tunnel. This reduces the total failover time to less than one minute.
  • Page 306 AP are encrypted.
    In the CLI
    To configure an IPsec VPN tunnel:
    (scalance)(config)# vpn primary <name>
    (scalance)(config)# vpn backup <name>
    (scalance)(config)# vpn fast-failover
    (scalance)(config)# vpn hold-time <seconds>
    (scalance)(config)# vpn preemption
  • Page 307
    (scalance)(DHCP Profile "distL2")# subnet-mask 255.255.255.0
    (scalance)(DHCP Profile "distL2")# lease-time 86400
    (scalance)(DHCP Profile "distL2")# default-router 10.15.205.254
    (scalance)(DHCP Profile "distL2")# dns-server 10.13.6.110,10.1.1.50
    (scalance)(DHCP Profile "distL2")# domain-name siemens.com
    (scalance)(DHCP Profile "distL2")# client-count 5
    (scalance)(config)# ip dhcp local
    (scalance)(DHCP Profile "local")# server-type Local
    (scalance)(DHCP Profile "local")# server-vlan 200
    (scalance)(DHCP Profile "local")# subnet 172.16.200.1...
  • Page 308: Configuring An L2-GRE Tunnel

    AP. When enabled, the traffic to the corporate network is sent through a Layer-2 GRE tunnel from the AP itself and need not be forwarded through the master AP.
    Note
    By default, the Per-AP tunnel option is disabled.
  • Page 309
    To view VPN configuration details:
    (scalance)# show vpn config
    To configure GRE tunnel on the controller:
    (scalance)(config)# interface tunnel <Number>
    (scalance)(config-tunnel)# description <Description>
    (scalance)(config-tunnel)# tunnel mode gre <ID>
    (scalance)(config-tunnel)# tunnel source <controller-IP>
  • Page 310 4. Enter the IP address or the FQDN for the backup VPN/IPsec endpoint in the Backup host text box. This entry is optional. When you enter the primary host IP address and backup host IP address, other details are displayed.
  • Page 311 AP. When enabled, the traffic to the corporate network is sent through a Layer-2 GRE tunnel from the AP itself and need not be forwarded through the master AP.
  • Page 312
    (scalance)(config)# vpn fast-failover
    (scalance)(config)# vpn hold-time <seconds>
    (scalance)(config)# vpn preemption
    (scalance)(config)# vpn monitor-pkt-send-freq <frequency>
    (scalance)(config)# vpn monitor-pkt-lost-cnt <count>
    (scalance)(config)# vpn reconnect-user-on-failover
    (scalance)(config)# vpn reconnect-time-on-failover <down_time>
    (scalance)(config)# end
    (scalance)# commit apply
    To view VPN configuration details:
  • Page 313: Configuring An L2TPv3 Tunnel

    – Non-Preemptive: In this mode, when the backup tunnel is established after the primary tunnel goes down, it does not make the primary tunnel active again.
    You can configure an L2TPv3 tunnel and session profiles through the SCALANCE W UI or the CLI.
  • Page 314 1. Click the More > VPN link located directly above the Search bar in the SCALANCE W UI. The Tunneling window is displayed.
    Figure 19-4 L2TPv3 Tunneling
    2. Select L2TPv3 from the Protocol drop-down list.
  • Page 315
    – Enter a shared key for the message digest in the Shared Key text box. This key should match the tunnel endpoint shared key.
    – If required, select the failover mode as Primary or Backup (when the backup server is available).
  • Page 316
    – Specify the remote end ID.
    – If required, enable default l2 specific sublayer in the L2TP session.
    – Click OK.
    5. Click Next to continue.
  • Page 317 <len_of_cookie> value <cookie_val>
    (scalance)(L2TPv3 Tunnel Profile <l2tpv3_session_profile>)# l2tpv3 tunnel <l2tpv3_tunnel_name_to_associate>
    (scalance)(L2TPv3 Tunnel Profile <l2tpv3_session_profile>)# tunnel-ip <local_ip_addr_tunnel> mask <tunnel_mask> vlan <tunnel_mgmt_vlan>
    (scalance)(L2TPv3 Tunnel Profile <l2tpv3_session_profile>)# default-l2-specific-sublayer
    (scalance)(L2TPv3 Tunnel Profile <l2tpv3_session_profile>)# end
    (scalance)# commit apply
  • Page 318
    1570 MD5 625beed39fa4ff3424edb3082ede48fa non-preemptive 5 80 Disabled
    L2TPV3 Session configuration
    ----------------------------
    Session Name Tunnel Name Local tunnel IP Tunnel Mask Tunnel Vlan Session Cookie Length Session Cookie Session Remote End ID
  • Page 319
    To view L2TPV3 tunnel status:
    (scalance)# show l2tpv3 tunnel status
    Tunnel 858508253, from 10.13.11.29 to 10.13.11.157:-
    state: ESTABLISHED
    created at: Jul 2 04:58:25 2013
    administrative name: 'test_tunnel' (primary)
    created by admin: YES, tunnel mode: LAC, persist: YES
  • Page 320
    (scalance)# show l2tpv3 tunnel config
    Tunnel profile test_tunnel_primary
    l2tp host name: scalance-C4:42:98
    local UDP port: 1701
    peer IP address: 10.0.0.65
    peer UDP port: 3000
    hello timeout 150, retry timeout 80, idle timeout 0
  • Page 321
    Setup failures: tunnels: 0, sessions: 0
    Resource failures: control frames: 0, peers: 0
    tunnels: 0, sessions: 0
    Limit exceeded errors: tunnels: 0, sessions: 0
    Frame errors: short frames: 0, wrong version frames: 0
  • Page 322
    SCCRQ 0 0 1
    SCCRP 1 0 0
    SCCCN 0 0 1
    STOPCCN 0 0 0
    RESERVED1 0 0 0
    OCRQ OCRP OCCN ICRQ ICRP ICCN
    HELLO 95 0 95
    RESERVED2 0 0 0
  • Page 323: Configuring Routing Profiles

    – Gateway—Specify the gateway to which the traffic must be routed. This IP address must be the controller IP address on which the VPN connection is terminated. If you have a primary and backup host, configure two routes with the same destination and...
  • Page 324
    (scalance)# commit apply
    Note
    Routing profile is primarily used for AP-VPN scenarios, to control which traffic should flow between the master AP and the VPN tunnel, and which traffic should flow outside of the tunnel.
  • Page 327: AP-VPN Deployment

    7220 16,000 16,000 128,000
    7240 32,000 32,000 128,000
    ● Branches—The number of AP-VPN branches that can be terminated on a given controller platform.
    ● Routes—The number of L3 routes supported on the controller.
  • Page 328 In the Local, L2 mode, access to the corporate network is supported only in a single AP cluster. The traffic to the non-corporate network is locally bridged.
  • Page 329 For DHCP services in Centralized, L2 mode, Siemens recommends using an external DHCP server and not the DHCP server on the controller. Client traffic destined to datacenter resources is forwarded by the master AP (through the IPsec tunnel) to the client's default gateway in the datacenter.
  • Page 330: Table 20-2 DHCP Scope And VPN Forwarding Modes Matrix

    IP with local IP with local IP with local IP of the VC of the VC of the VC of the VC of the VC Branch access from datacenter
  • Page 331: Configuring AP And Controller For AP-VPN Operations

    You can configure the following VPN profiles for the AP-VPN operations. For more information, see Configuring a Tunnel from an AP to a Mobility Controller (Page 305).
    ● IPsec
    ● L2TPv3
    ● Manual GRE
    ● Aruba GRE
  • Page 332 You can create any of the following types of DHCP profiles for the AP-VPN operations:
    ● Local
    ● Local, L2
    ● Local, L3
    ● Distributed, L2
    ● Distributed, L3
    ● Centralized, L2
    ● Centralized, L3
  • Page 333 For the AP-VPN scenario, the enterprise domain settings on the AP are used to determine how client DNS requests are routed. For information on how to configure enterprise domains, see Configuring Enterprise Domains (Page 334).
  • Page 334: Configuring A Controller For AP-VPN Operations

    Prefix Mask Contributing routes Cost
    ------ ---- ------------------- ----
    201.201.200.0 255.255.252.0 5 268779624
    100.100.2.0 255.255.255.0 1 10
    To verify the details of a configured aggregated route:
    (scalance) # show ip ospf rapng-vpn aggregated-routes <net> <mask>
  • Page 335
    Gateway of last resort is 10.15.148.254 to network 0.0.0.0 at cost 1
    S* 0.0.0.0/0 [1/0] via 10.15.148.254*
    V 12.12.2.0/24 [10/0] ipsec map
    V 12.12.12.0/25 [10/0] ipsec map
    V 12.12.12.32/27 [10/0] ipsec map
    V 50.40.40.0/24 [10/0] ipsec map
    V 51.41.41.128/25 [10/0] ipsec map
  • Page 336 APs in the external database or external directory server and then configure a RADIUS server to authenticate the APs using the entries in the external database or external directory server.
  • Page 337 The VPN profile configuration defines the server used to authenticate the AP (internal or an external server) and the role assigned to the AP after successful authentication.
    (scalance) (config) #aaa authentication vpn default-iap
    (scalance) (VPN Authentication Profile "default-iap") #server-group default
    (scalance) (VPN Authentication Profile "default-iap") #default-role iaprole
  • Page 338
    Munich d8:c7:c8:cb:d3:16 DOWN 0.0.0.0
    London-c0:e1 6c:f3:7f:c0:e1:b1 UP 10.15.207.120 10.15.206.64/29 2
    Instant-CB:D3 6c:f3:7f:cc:42:1e DOWN 0.0.0.0
    Delhi 6c:f3:7f:cc:42:ca DOWN 0.0.0.0
    Singapore 6c:f3:7f:cc:42:cb UP 10.15.207.122 10.15.206.120/29 2
    Bid(Subnet Name)
    ----------------
    b3c65c... b3c65c... b3c65c... 2(10.15.205.0-10.15.205.250,5),1(10.15.206.1-10.15.206.252,5) a2a65c... b3c65c... 7(10.15.205.0-10.15.205.250,5),8(10.15.206.1-10.15.206.252,5) b3c65c...
  • Page 339: Table 20-3 Branch Details

    Bid(Subnet Name). This means that either the AP is connected to a backup controller or it is connected to a primary controller without any Distributed, L2 or Distributed, L3 subnets.
    Note
    The command output does not display the Key and Bid(Subnet Name) details.
  • Page 341: Adaptive Radio Management

    When ARM is enabled, an AP dynamically scans all 802.11 channels within its 802.11 regulatory domain at regular intervals and sends reports to a VC on network (WLAN) coverage, interference, and intrusion detection.
  • Page 342 ARM computes coverage and interference metrics for each valid channel and chooses the best performing channel and transmit power settings for each AP RF environment. Each AP gathers other metrics on its ARM-assigned channel to provide a snapshot of the current RF health state.
  • Page 343: Configuring ARM Features On An AP

    This feature prevents the clients from monopolizing resources. You can configure airtime fairness mode parameters through the SCALANCE W UI or the CLI.
  • Page 344: Client Match

    802.11ac-capable access points do not support the legacy band steering, station handoff assist, or load balancing settings; so these access points must be managed using client match.
  • Page 345 AP in the Access Points tab or a client in the Clients tab. Clicking this link provides a graphical representation of radio map view of an AP and the client distribution on an AP radio. For more information, see Client Match (Page 72).
  • Page 346 Channel + Radio
    2. Click OK.
    In the CLI
    (scalance)(config)# arm
    (scalance)(ARM)# client-match calc-interval <seconds>
    (scalance)(ARM)# client-match calc-threshold <threshold>
    (scalance)(ARM)# client-match nb-matching <percentage>
    (scalance)(ARM)# client-match slb-mode 1
    (scalance)(ARM)# end
    (scalance)# commit apply
  • Page 347: Access Point Control

    802.11 regulatory domain at regular intervals and reports to the AP. This scanning report includes WLAN coverage, interference, and intrusion detection data.
    NOTE: For client match configuration, ensure that scanning is enabled.
  • Page 348: Verifying ARM Configuration

    Maximum Transmit Power 127
    Band Steering Mode :prefer-5ghz
    Client Aware :enable
    Scanning :enable
    Wide Channel Bands :5ghz
    80Mhz Support :enable
    Air Time Fairness Mode :fair-access
    Client Match :disable
    CM NB Matching Percent 75
  • Page 349
    1+ enable
    2+ disable
    3+ disable
    4+ disable
    5+ disable
    6+ disable
    7+ enable
    5.0 GHz Channels
    ----------------
    Channel Status
    ------- ------
    36 enable
    40 enable
  • Page 350
    56 enable
    60 enable
    64 enable
    149 enable
    153 enable
    157 enable
    161 enable
    165 enable
    36+ enable
    44+ enable
    52+ disable
    60+ disable
    149+ enable
    157+ enable
    36E enable
    52E enable
    149E enable
  • Page 351: Configuring Radio Settings

    Level 5—The AP completely disables PHY error reporting, improving performance by eliminating the time the AP would spend on PHY processing.
    NOTE: Increasing the immunity level makes the AP lose a small amount of range.
  • Page 352
    (scalance)(RF dot11g Radio Profile)# end
    (scalance)# commit apply
    To configure 5 GHz radio settings:
    (scalance)(config)# rf dot11a-radio-profile
    (scalance)(RF dot11a Radio Profile)# beacon-interval <milliseconds>
    (scalance)(RF dot11a Radio Profile)# legacy-mode
    (scalance)(RF dot11a Radio Profile)# spectrum-monitor
  • Page 353
    To view the radio configuration:
    (scalance)# show radio config
    2.4 GHz:
    Legacy Mode:enable
    Beacon Interval:100
    802.11d/802.11h:enable
    Interference Immunity Level:2
    Channel Switch Announcement Count:0
    MAX Distance:600
    Channel Reuse Type:disable
    Channel Reuse Threshold:0
    Background Spectrum Monitor:disable
  • Page 354
    (scalance)# commit apply
    To configure Cell Size Reduction for 5 GHz radio profile in the CLI:
    (scalance)(config)# rf dot11a-radio-profile
    (scalance)(RF dot11a Radio Profile)# cell-size-reduction <reduction>
    (scalance)(RF dot11a Radio Profile)# end
    (scalance)# commit apply
  • Page 355
    ● The client-aware parameter must be disabled in the ARM profile.
    In the CLI
    The following example triggers ARM scanning on a 2.4 GHz frequency band radio profile:
    (scalance)# ap-frequent-scan 2.4
    To verify the status of ARM scanning:
    (scalance)# show ap debug am-config
  • Page 357: Deep Packet Inspection And Application Visibility

    The AppRF feature provides application visibility for analyzing client traffic flow. APs support the power of both in-device packet flow identification and dynamically updated cloud-based web categorization.
  • Page 358: Enabling Application Visibility

    2. Select All from the AppRF visibility drop-down list to view both application and web categories charts or either App or WebCC to view their DPI graphs separately.
    3. Click OK.
    In the CLI
    To enable AppRF visibility:
    (scalance)(config)# dpi [app|webcc]
    (scalance)(config)# end
    (scalance)# commit apply
  • Page 359: Application Visibility

    The permit and deny monitoring tabs in the All Traffic and Web Content sections provide enforcement visibility support.
    ● Permit represents the allowed or permitted traffic on the AP.
    ● Deny represents all the blocked URLs and traffic.
  • Page 360 By clicking the rectangle area, you can view the following graphs, and toggle between the chart and list views.
    Figure 22-2 Application Categories Chart: Client View
    Figure 22-3 Application Categories List: Client View
  • Page 361 The applications chart displays details on the client traffic towards the applications. By clicking the rectangular area, you can view the following graphs, and toggle between the chart and list views.
    Figure 22-5 Applications Chart: Client View
  • Page 362
    Figure 22-6 Applications List: Client View
    Figure 22-7 Application Chart: Access Point View
  • Page 363 The web categories chart displays details about the client traffic to the web categories. By clicking the rectangle area, you can view the following graphs, and toggle between the chart and list views.
    Figure 22-8 Web Categories Chart: Client View
    Figure 22-9 Web Categories List: Client View
  • Page 364 The web reputation chart displays details about the client traffic to the URLs that are assigned security ratings. By clicking in the rectangle area, you can view the following graphs, and toggle between the chart and list views.
    Figure 22-11 Web Reputation Chart: Client View
  • Page 365
    Figure 22-12 Web Reputation List: Client View
    Figure 22-13 Web Reputation Chart: AP View
  • Page 366: Enabling Url Visibility

    To enable URL visibility: 1. Navigate to System > General. 2. Select Enabled from the URL visibility drop-down list. 3. Click OK. In the CLI To enable URL visibility: (scalance)(config)# url-visibility (scalance)(config)# end (scalance)# commit apply SCALANCE W1750D UI Configuration Manual, 02/2018, C79000-G8976-C451-02...
  • Page 367: Configuring Acl Rules For Application And Application Categories

    4. Ensure that the rule type is set to Access Control. 5. To configure access to applications or application category, select a service category from the following list: – Application – Application category SCALANCE W1750D UI Configuration Manual, 02/2018, C79000-G8976-C451-02...
  • Page 368 Select Destination-NAT to allow changes to destination IP address. • Select Source-NAT to allow changes to the source IP address. • The destination-NAT and source-NAT actions apply only to the network • services rules. SCALANCE W1750D UI Configuration Manual, 02/2018, C79000-G8976-C451-02...
  • Page 369 7. Click OK and then click Finish. In the CLI To configure access rules: (scalance)(config)# wlan access-rule <access-rule-name> (scalance)(Access Rule <Name>)#rule <dest> <mask> <match/invert> {app <app> {permit|deny} |appcategory <appgrp>}[<option1..option9>] (scalance)(Access Rule <Name>)# end (scalance)# commit apply SCALANCE W1750D UI Configuration Manual, 02/2018, C79000-G8976-C451-02...
  • Page 370 (scalance)(config)# wlan access-rule employee (scalance)(Access Rule "employee")# rule any any match app uoutube permit throttle- downstream 256 throttle-up 256 (scalance)(Access Rule "employee")# rule any any match appcategory collaboration permit (scalance)(Access Rule "employee")# end (scalance)# commit apply SCALANCE W1750D UI Configuration Manual, 02/2018, C79000-G8976-C451-02...
  • Page 371: Configuring Web Policy Enforcement Service

    – Select the categories to which you want to deny or allow access. You can also search for a web category and select the required option.
    – From the Action drop-down list, select Allow or Deny as required.
    – Click OK
  • Page 372
    – Log
    – Blacklist
    – Disable scanning
    – DSCP tag
    – 802.1p priority
    8. Click OK on the Roles tab to save the changes to the role for which you defined ACL rules.
  • Page 373
    (scalance)(Access Rule "URLFilter")# rule any any match webcategory gambling deny
    (scalance)(Access Rule "URLFilter")# rule any any match webcategory training-and-tools permit
    (scalance)(Access Rule "URLFilter")# rule any any match webreputation suspicious-sites deny
    (scalance)(Access Rule "URLFilter")# end
    (scalance)# commit apply
  • Page 375: Voice And Video

    Apple devices running the Facetime application. This section includes the following topics:
    ● Wi-Fi Multimedia Traffic Management (Page 376)
    ● Media Classification for Voice and Video Calls (Page 380)
    ● Enabling Enhanced Voice Call Tracking (Page 382)
  • Page 376: Wi-Fi Multimedia Traffic Management

    To configure the WMM for wireless clients:
    1. Navigate to the WLAN wizard.
    – Click Networks > New or
    – Click Networks, and select the WLAN SSID > edit.
    2. Click Show advanced options under WLAN Settings.
  • Page 377: Table 23- 2 Wmm Ac-Dscp Mapping

    DSCP classifies packets based on network policies and rules. The following table shows the default WMM AC to DSCP mappings and the recommended WMM AC to DSCP mappings. Table 23- 2 WMM AC-DSCP Mapping DSCP Value WMM Access Category Background Best effort Video Voice
  • Page 378 (scalance)# commit apply
    You can configure up to 8 DSCP mapping values within the range of 0-63. You can also configure a combination of multiple values separated by a comma, for example, wmm-voice-dscp 46,44,42,41
  • Page 379
    (scalance)(SSID Profile "<ssid_profile>")# wmm-uapsd-disable
    (scalance)(SSID Profile "<ssid_profile>")# end
    (scalance)# commit apply
    To re-enable U-APSD on an SSID:
    (scalance)(config)# wlan ssid-profile <ssid_profile>
    (scalance)(SSID Profile "<ssid_profile>")# no wmm-uapsd-disable
    (scalance)(SSID Profile "<ssid_profile>")# end
    (scalance)# commit apply
  • Page 380: Media Classification For Voice And Video Calls

    (scalance)(example_s4b_test)# rule any any match tcp 5061 5061 permit log classify-media
    (scalance)(example_s4b_test)# rule any any match tcp 5223 5223 permit log classify-media
    (scalance)(example_s4b_test)# rule any any match any any any permit
    (scalance)(example_s4b_test)# end
    (scalance)# commit apply
  • Page 381 Note: The Type of Service (ToS) values for calls prioritized using the above-mentioned media classification types will always carry a ToS of 40 for a voice session and 48 for a video session.
  • Page 382: Enabling Enhanced Voice Call Tracking

    SNMP server with the location (AP Name) of the VoIP caller. Following are the key parameters in the response sent by the Master AP:
    ● VoIP Client IP Address
    ● VoIP Client MAC Address
    ● AP MAC Address
    ● AP Name
  • Page 383: Services

    2. APs maintain information for all AirGroup services. AP queries ClearPass Policy Manager to map each device’s access privileges to the available services and responds to the query made by a device based on contextual data such as user role, username, and location.
  • Page 384: Multicast Dns And Bonjour® Services

    As shown in the following figure, AP1 discovers AirPrint (P1) and AP3 discovers Apple TV (TV1). AP1 advertises information about its connected P1 device to the other APs, that is, AP2 and AP3. Similarly, AP3 advertises the TV1 device to AP1 and AP2. This type of distributed ...
  • Page 385: Dlna Upnp Support

    The AP also enforces native policies such as disallowing roles and VLANs and the policies defined on ClearPass Policy Manager to determine the devices or services that are allowed and can be discovered in the network. Whenever a search request ...
  • Page 386: Airgroup Features

    ● Allows or blocks AirGroup services for all users.
    ● Allows or blocks AirGroup services based on user roles.
    ● Allows or blocks AirGroup services based on VLANs.
    ● Matches devices to their closest services such as printers.
  • Page 387 When AirGroup discovers a new device, it interacts with ClearPass Policy Manager to obtain the shared attributes such as shared location and role. However, the current versions of APs do not support the enforcement of shared location policy.
  • Page 388: Airgroup Components

    Minimum Version for DLNA Services Services
    SCALANCE W: 6.5.1.0-4.3.1, 6.5.1.0-4.3.1
    ClearPass Policy Manager software: ClearPass Policy Manager 5.2, ClearPass Policy Manager 6.2
    ClearPass Guest Services plugin: ClearPass Guest 6.2.0, ClearPass Guest 6.3.0
  • Page 389: Configuring Airgroup And Airgroup Services On An Ap

    ● Administrator-defined username, user role, and location attributes for shared devices.
    24.1.5 Configuring AirGroup and AirGroup Services on an AP
    You can configure AirGroup services by using the SCALANCE W UI or the CLI.
  • Page 390 VLAN and AirGroup will not discover or enforce policies in guest VLAN.
    6. Select the Enable Air Group across mobility domains check box to enable inter-cluster mobility. When enabled, the AP shares the mDNS database information with the other ...
  • Page 391 ClearPass Policy Manager will be discovered by Bonjour devices, based on the ClearPass Policy Manager policy.
    In the CLI
    To configure AirGroup:
    (scalance)(config)# airgroup
    (scalance)(airgroup)# enable [dlna-only | mdns-only]
    (scalance)(airgroup)# cppm enforce-registration
    (scalance)(airgroup)# cppm-server <server>
    (scalance)(airgroup)# cppm-query-interval <interval>
    (scalance)(airgroup)# disallow-vlan <vlan-ID>
  • Page 392 To configure AirGroup services:
    (scalance)(config)# airgroupservice <airgroup-service>
    (scalance)(airgroup-service)# id <airgroupservice-ID>
    (scalance)(airgroup-service)# description <text>
    (scalance)(airgroup-service)# disallow-role <role>
    (scalance)(airgroup-service)# disallow-vlan <vlan-ID>
    (scalance)(airgroup-service)# end
    (scalance)# commit apply
    To verify the AirGroup configuration status:
    (scalance)# show airgroup status
  • Page 393: Configuring Airgroup And Clearpass Policy Manager Interface In Scalance W

    CPPM server 2 acts as a backup server. After the configuration is complete, this particular server will be displayed in the CoA server option. To view this server, go to Services > AirGroup > ClearPass Settings > CoA server.
  • Page 394 RADIUS server with CoA, see Configuring an External Server for Authentication (Page 209).
    Note: You can also create a CoA-only server in the Services > AirGroup > Clear Pass Settings > CoA server window.
  • Page 395: Configuring An Ap For Rtls Support

    3. Under Aruba, select the RTLS check box to integrate SCALANCE W with the AMP or Ekahau Real Time Location Server. The following figure shows the contents of the RTLS tab.
    Figure 24-6 RTLS Window
  • Page 396 In the CLI
    To configure AirWave RTLS:
    (scalance)(config)# airwave-rtls <IP-address> <port> <passphrase> <seconds> include-unassoc-sta
    (scalance)(config)# end
    (scalance)# commit apply
    To configure Aeroscout RTLS:
    (scalance)(config)# aeroscout-rtls <IP-address> <port> include-unassoc-sta
    (scalance)(config)# end
    (scalance)# commit apply
  • Page 397: Configuring An Ap For Analytics And Location Engine Support

    You can configure an AP for ALE support by using the SCALANCE W UI or the CLI.
    In the SCALANCE W UI
    Configuring ALE support:
    1. Click More > Services.
    2. Click the RTLS tab.
  • Page 398 5. In the Report interval text box, specify the reporting interval within the range of 6–60 seconds. The AP sends messages to the ALE server at the specified interval. The default interval is 30 seconds.
    6. Click OK.
  • Page 399
    (scalance)(config)# ale-server <server-name | IP-address>
    (scalance)(config)# ale-report-interval <seconds>
    (scalance)(config)# end
    (scalance)# commit apply
    Verifying ALE Configuration on an AP
    To view the configuration details:
    (scalance)# show ale config
    To verify the configuration status:
    (scalance)# show ale status
  • Page 400: Managing Ble Beacons

    Local Management Switch (LMS) is lost.
    PersistentConsole: The built-in BLE chip of the AP provides access to the AP console over BLE and also operates in the Beaconing mode.
    7. Click OK.
  • Page 401
    (scalance)(config)# ble config <token> <url>
    (scalance)(config)# end
    (scalance)# commit apply
    To configure a BLE operation mode:
    (scalance)(config)# ble mode <opmode>
    (scalance)(config)# end
    (scalance)# commit apply
    To view the BLE configuration details:
    (scalance)# show ble-config
  • Page 402: Configuring Opendns Credentials

    2. Enter the Username and Password to enable access to OpenDNS.
    3. Click OK to apply the changes.
    In the CLI
    To configure OpenDNS credentials:
    (scalance)(config)# opendns <username> <password>
    (scalance)(config)# end
    (scalance)# commit apply
  • Page 403: Integrating An Ap With Palo Alto Networks Firewall

    ● After a client completes the authentication and is assigned an IP address, the AP sends the login message.
    ● After a client is disconnected or dissociated from the AP, the AP sends a logout message.
  • Page 404 4. Provide the user credentials of the PAN firewall administrator in the Username and Password text boxes.
    5. Enter the PAN firewall IP address.
    6. Enter the port number within the range of 1–65,535. The default port is 443.
  • Page 405 To enable PAN firewall integration with the AP:
    (scalance)(config)# firewall-external-enforcement pan
    (scalance)(firewall-external-enforcement pan)# enable
    (scalance)(firewall-external-enforcement pan)# domain-name <name>
    (scalance)(firewall-external-enforcement pan)# ip <ip-address>
    (scalance)(firewall-external-enforcement pan)# port <port>
    (scalance)(firewall-external-enforcement pan)# user <name> <password>
    (scalance)(firewall-external-enforcement pan)# end
    (scalance)# commit apply
  • Page 406: Integrating An Ap With An Xml Api Interface

    5. Enter the subnet mask of the XML API Server in the Mask text box.
    6. Enter a passcode in the Passphrase text box, to enable authorized access to the XML API Server.
    7. Re-enter the passcode in the Retype box.
  • Page 407: Table 24- 3 Xml Api Command

    IPv6 address. If not dual-stack, the client reverts to the initial role.
    user_authenticate: This command authenticates against the server group defined in the captive portal profile. This is only applicable to captive portal users.
  • Page 408: Table 24- 4 Xml Api Command Options

    32/40 bytes for MD5/SHA-
    version: The version of the XML API interface available in the VC. This is mandatory in all XML API requests. Current version is XML API 1.0
  • Page 409: Calea Integration And Lawful Intercept Compliance

    SCALANCE W supports CALEA integration in a hierarchical and flat topology, mesh AP network, the wired and wireless networks.
    Note: Enable this feature only if lawful interception is authorized by a law enforcement agency.
  • Page 410 GRE tunnel. Each AP sends GRE encapsulated packets only for its associated or connected clients. The following figure illustrates the traffic flow from the AP to the CALEA server.
    Figure 24-9 AP to CALEA Server
  • Page 411 IPsec client traffic while GRE data is routed to the CALEA server. The following figure illustrates the traffic flow from AP to the CALEA server through VPN.
    Figure 24-10 AP to CALEA Server through VPN
  • Page 412 68–1500. After GRE encapsulation, if packet length exceeds the configured MTU, IP fragmentation occurs. The default MTU size is 1500.
    4. Click OK.
    In the CLI
    To create a CALEA profile:
    (scalance)(config)# calea
    (scalance)(calea)# ip <IP-address>
    (scalance)(calea)# ip mtu <size>
  • Page 413
    (scalance)(SSID Profile <name>)# end
    (scalance)(SSID Profile <name>)# commit apply
    To associate the access rule with a wired profile:
    (scalance)(config)# wired-port-profile <name>
    (scalance)(Wired ap profile <name>)# access-rule-name <name>
    (scalance)(Wired ap profile <name>)# end
    (scalance)# commit apply
  • Page 414
    (scalance)(SSID Profile "Calea-Test")# set-role Filter-Id equals 123456 calea-test
    (scalance)(SSID Profile "Calea-Test")# rf-band 5.0
    (scalance)(SSID Profile "Calea-Test")# captive-portal disable
    (scalance)(SSID Profile "Calea-Test")# dtim-period 1
    (scalance)(SSID Profile "Calea-Test")# inactivity-timeout 1000
    (scalance)(SSID Profile "Calea-Test")# broadcast-filter none
    (scalance)(SSID Profile "Calea-Test")# dmo-channel-utilization-threshold 90
    (scalance)(SSID Profile "Calea-Test")# local-probe-req-thresh 0
    (scalance)(SSID Profile "Calea-Test")# max-clients-threshold 64
  • Page 415 (scalance)# show calea statistics
    Rt resolve fail : 0
    Dst resolve fail: 0
    Alloc failure : 0
    Fragged packets : 0
    Jumbo packets : 263
    Total Tx fail : 0
    Total Tx ok : 263
  • Page 417: Ap Management And Monitoring

    3. Click the Factory Reset tab.
    Note: On resetting the AP device from AirWave, all the configuration values will be set to default except for the per-ap-settings and VC Key value.
  • Page 418 APs irrespective of their location in the network and prevents authorized APs from being detected as rogue APs. It tracks and correlates the IDS events to provide a complete picture of network security.
  • Page 419 SCALANCE W device in range. VisualRF provides graphical access to floor plans, client location, and RF visualization for floors, buildings, and campuses that host your network.
    Figure 25-1 Adding an AP in VisualRF
  • Page 420 Configurable Port for AP and AirWave Management Server Communication
    You can now customize the port number of the AMP server through the server_host:server_port format, for example, amp.siemens.com:4343. The following example shows how to configure the port number of the AMP server:
    24:de:c6:cf:63:60 (config) # ams-ip 10.65.182.15:65535...
  • Page 421: Configuring Organization String

    5. Enter the shared key in the Shared key text box and reconfirm. This shared key is used for configuring the first AP in the SCALANCE W network.
    6. Click OK.
    In the CLI
    To configure AirWave information:
    (scalance)(config)# organization <name>
  • Page 422 Enabling DNS-Based Discovery of the Provisioning AMP Server
    APs can now automatically discover the provisioning AMP server if the DHCP option 43 and Activate cannot perform zero-touch provisioning (ZTP) and transfer the AirWave configuration to the AP.
  • Page 423 8. Select 043 Vendor Specific Info and enter a value for either of the following in the ASCII text box:
    ● airwave-orgn, airwave-ip, airwave-key; for example: Siemens,192.0.2.20, 12344567
    ● airwave-orgn, airwave-domain; for example: Siemens, support.industry.siemens.com
    This creates DHCP options 60 and 43 on a global basis. You can do the same on a per-scope basis.
  • Page 424: Alternate Method For Defining Vendor Specific Dhcp Options

    AirWave) Upon completion, the AP shows up as a new device in AirWave, and a new group called tme-store4 is created. Navigate to APs/Devices > New > Group to view this group.
  • Page 425: Uplink Configuration

    The following figure illustrates a scenario in which the APs join the VC as slave APs through a wired or mesh Wi-Fi uplink:
    Figure 26-1 Uplink Types
    The following types of uplinks are supported on SCALANCE W:
    ● Ethernet Uplink
    ● Cellular Uplink
    ● Wi-Fi Uplink
  • Page 426: Ethernet Uplink

    When PPPoE is used, do not configure Dynamic RADIUS Proxy and IP address of the VC. An SSID created with default VLAN is not supported with PPPoE uplink. You can also configure an alternate Ethernet uplink to enable uplink failover when an Ethernet port fails.
  • Page 427 To configure a PPPoE uplink connection:
    (scalance)(config)# pppoe-uplink-profile
    (scalance)(pppoe-uplink-profile)# pppoe-svcname <service-name>
    (scalance)(pppoe-uplink-profile)# pppoe-username <username>
    (scalance)(pppoe-uplink-profile)# pppoe-passwd <password>
    (scalance)(pppoe-uplink-profile)# pppoe-chapsecret <password>
    (scalance)(pppoe-uplink-profile)# pppoe-unnumbered-local-l3-dhcp-profile <dhcp-profile>
    (scalance)(pppoe-uplink-profile)# end
    (scalance)# commit apply
    To view the PPPoE configuration:
  • Page 428
    PPPoE Configuration
    -------------------
    Type                     Value
    ----                     -----
    User                     testUser
    Password                 3c28ec1b82d3eef0e65371da2f39c4d49803e5b2bc88be0c
    Service name             internet03
    CHAP secret              8e87644deda9364100719e017f88ebce
    Unnumbered dhcp profile  dhcpProfile1
    To view the PPPoE status:
    (scalance)# show pppoe status
    pppoe uplink state:Suppressed.
  • Page 429: Cellular Uplink

    (scalance)(cellular-uplink-profile)# modem-country <country>
    (scalance)(cellular-uplink-profile)# modem-isp <service-provider-name>
    (scalance)(cellular-uplink-profile)# usb-auth-type <usb-authentication_type>
    (scalance)(cellular-uplink-profile)# usb-user <username>
    (scalance)(cellular-uplink-profile)# usb-passwd <password>
    (scalance)(cellular-uplink-profile)# usb-dev <device-ID>
    (scalance)(cellular-uplink-profile)# usb-tty <tty-port>
    (scalance)(cellular-uplink-profile)# usb-init <Initialization-parameter>
    (scalance)(cellular-uplink-profile)# usb-dial <dial-parameter>
    (scalance)(cellular-uplink-profile)# usb-modeswitch <usb-modem>
    (scalance)(cellular-uplink-profile)# end
    (scalance)# commit apply
  • Page 430 To disable SIM PIN locking:
    (scalance)# no pin-enable <pin_current_used>
    To unlock a PIN with the PUK code provided by the operator:
    (scalance)# pin-puk <pin_puk> <pin_new>
    To renew the PIN:
    (scalance)# pin-renew <pin_current> <pin_new>
  • Page 431: Wi-Fi Uplink

    If the uplink wireless router uses mixed encryption, WPA-2 is recommended for the Wi-Fi uplink.
    7. Select the band in which the VC currently operates, from the band drop-down list. The following options are available:
    – 2.4 GHz (default)
    – 5 GHz
  • Page 432 To view the configuration status in the CLI:
    (scalance)# show wifi-uplink config
    ESSID :
    Cipher Suite :
    Passphrase :
    Band :
    (scalance)# show wifi-uplink auth log
    ----------------------------------------------------------------------
    wifi uplink auth configuration:
    ----------------------------------------------------------------------
    ----------------------------------------------------------------------
    wifi uplink auth log:
    ----------------------------------------------------------------------
  • Page 433 Uplink Configuration, 26.4 Wi-Fi Uplink
    [1116]2000-01-01 00:00:45.625: Global control interface '/tmp/supp_gbl'
  • Page 434: Uplink Preferences And Switching

    3. Specify the Ethernet interface port number.
    4. Click OK. The selected uplink is enforced on the AP.
    In the CLI
    To enforce an uplink:
    (scalance)(config)# uplink
    (scalance)(uplink)# enforce {cellular|ethernet | wifi | none}
    (scalance)(uplink)# end
    (scalance)# commit apply
  • Page 435: Setting An Uplink Priority

    1. Click System > show advanced settings > Uplink. The Uplink tab contents are displayed.
    2. Under Management, ensure that the Enforce Uplink is set to none.
    3. Select Enabled from the Pre-emption drop-down list.
    4. Click OK.
  • Page 436: Switching Uplinks Based On Vpn And Internet Availability

    When VPN failover timeout is set to 0, uplink does not switch over. When uplink switching based on the Internet availability is enabled, the uplink switching based on VPN failover is automatically disabled.
  • Page 437 When is enabled, the AP ignores the VPN status, although uplink switching based on VPN status is enabled.
    In the CLI
    To enable uplink switching based on VPN status:
    (scalance)(config)# uplink
    (scalance)(uplink)# failover-vpn-timeout <seconds>
  • Page 438: Viewing Uplink Status And Configuration

    Max allowed test packet loss :10
    Secs between test packets :30
    VPN failover timeout (secs) :180
    Internet check timeout (secs) :10
    ICMP pkt sent :1
    ICMP pkt lost :1
    Continuous pkt lost :1
    VPN down time :0
  • Page 439
    Ethernet uplink eth0 :DHCP
    Internet failover :disable
    Max allowed test packet loss :10
    Secs between test packets :30
    VPN failover timeout (secs) :180
    Internet check timeout (secs) :10
    Secs between test packets :30
  • Page 441: Intrusion Detection

    IDS scans for access points that are not controlled by the VC. These are listed and classified as either Interfering or Rogue, depending on whether they are on a foreign network or your network.
    Figure 27-1 Intrusion Detection
  • Page 442: Os Fingerprinting

    SCALANCE W:
    ● Windows 7
    ● Windows Vista
    ● Windows Server
    ● Windows XP
    ● Windows ME
    ● OS-X
    ● iPhone
    ● iOS
    ● Android
    ● Blackberry
    ● Linux
  • Page 443: Configuring Wireless Intrusion Protection And Detection Levels

    More > IDS link on the SCALANCE W main window. The following levels of detection can be configured in the WIP Detection page:
    ● Off
    ● Low
    ● Medium
    ● High
    Figure 27-2 Wireless Intrusion Detection
  • Page 444 Infrastructure Detection Policies
    The following table describes the detection policies enabled in the Client Detection Custom settings text box.
    Detection Level | Detection Policy
    All detection policies are disabled.
    ● Detect Valid Station Misassociation
  • Page 445
    ● IDS Signature — ASLEAP
    Client Detection Policies
    The following levels of detection can be configured in the WIP Protection page:
    ● Off
    ● Low
    ● High
    Figure 27-3 Wireless Intrusion Protection
  • Page 446 All protection policies are disabled Protect Valid Station High Protect Windows Bridge
    Client Protection Policies
    Containment Methods
    You can enable wired and wireless containments to prevent unauthorized stations from connecting to your SCALANCE W network.
  • Page 447 The tarpit can be on the same channel or a different channel as the Access Point being contained.
    Figure 27-4 Containment Methods
  • Page 448: Configuring Ids

    (scalance)(IDS)# detect-ap-impersonation
    (scalance)(IDS)# detect-adhoc-network
    (scalance)(IDS)# detect-valid-ssid-misuse
    (scalance)(IDS)# detect-wireless-bridge
    (scalance)(IDS)# detect-ht-40mhz-intolerance
    (scalance)(IDS)# detect-ht-greenfield
    (scalance)(IDS)# detect-ap-flood
    (scalance)(IDS)# detect-client-flood
    (scalance)(IDS)# detect-bad-wep
    (scalance)(IDS)# detect-cts-rate-anomaly
    (scalance)(IDS)# detect-rts-rate-anomaly
    (scalance)(IDS)# detect-invalid-addresscombination
    (scalance)(IDS)# detect-malformed-htie
    (scalance)(IDS)# detect-malformed-assoc-req
    (scalance)(IDS)# detect-malformed-frame-auth
    (scalance)(IDS)# detect-overflow-ie
    (scalance)(IDS)# detect-overflow-eapol-key
  • Page 449
    (scalance)(IDS)# detect-unencrypted-valid
    (scalance)(IDS)# detect-power-save-dos-attack
    (scalance)(IDS)# detect-eap-rate-anomaly
    (scalance)(IDS)# detect-rate-anomalies
    (scalance)(IDS)# detect-chopchop-attack
    (scalance)(IDS)# detect-tkip-replay-attack
    (scalance)(IDS)# signature-airjack
    (scalance)(IDS)# signature-asleap
    (scalance)(IDS)# protect-ssid
    (scalance)(IDS)# rogue-containment
    (scalance)(IDS)# protect-adhoc-network
    (scalance)(IDS)# protect-ap-impersonation
    (scalance)(IDS)# protect-valid-sta
    (scalance)(IDS)# protect-windows-bridge
    (scalance)(IDS)# end
    (scalance)# commit apply
  • Page 451: Mesh Ap Configuration

    The mesh portal broadcasts a mesh services set identifier (MSSID/ mesh cluster name) to advertise the mesh network service to other mesh points in that SCALANCE W network. This is not configurable and is transparent to the user. The mesh points authenticate to the ...
  • Page 452 In the case of single Ethernet port platforms such as AP-105, you can convert the Eth0 uplink port to a downlink port by enabling Eth0 Bridging. For additional information, see Configuring Wired Bridging on Ethernet 0 for Mesh Point on page 333.
  • Page 453: Setting Up Scalance W Mesh Network

    The APs with valid uplink connections function as mesh portals.
    Note: SCALANCE W does not support the topology in which the APs are connected to the downlink Ethernet port of a mesh point.
  • Page 454: Configuring Wired Bridging On Ethernet 0 For Mesh Point

    To configure Ethernet bridging:
    (scalance)# enet0-bridging
    Note: Make the necessary changes to the wired-profile when eth0 is used as the downlink port. For more information, see Configuring a Wired Profile on page 105.
  • Page 455: Mobility And Client Management

    Routing of traffic when the client is away from its home network
    When a client first connects to a SCALANCE W network, a message is sent to all configured VC IP addresses to see if this is an L3 roamed client. On receiving an ...
  • Page 456 L3 packet. If the subnet is not a local subnet and belongs to another SCALANCE W network, the client is treated as an L3 roamed client and all its traffic is forwarded to the home network through a GRE tunnel.
  • Page 457: Configuring L3-Mobility

    In the SCALANCE W UI
    To configure a mobility domain:
    1. Click the System link on the SCALANCE W main window.
    2. In the Services section, click the Show advanced options link. The advanced options are displayed.
  • Page 458 5. Click New in the Virtual Controller IP Addresses section, add the IP address of a VC that is part of the mobility domain, and click OK.
    6. Repeat Steps 2 to 5 to add the IP addresses of all VCs that form the L3 mobility domain.
  • Page 459 – Enter the home VC IP address for this subnet in the Virtual controller IP text box.
    8. Click OK.
    In the CLI
    To configure a mobility domain:
    (scalance)(config)# l3-mobility
    (scalance)(L3-mobility)# home-agent-load-balancing
    (scalance)(L3-mobility)# virtual-controller <IP-address>
    (scalance)(L3-mobility)# subnet <IP-address> <subnet-mask> <VLAN-ID> <virtual-controller-IP-address>
    (scalance)(L3-mobility)# end
    (scalance)# commit apply
  • Page 461: Spectrum Monitor

    Wi-Fi devices currently seen by a spectrum monitor or hybrid AP radio. To view the device list, click Spectrum in the dashboard. The following figure shows an example of the device list details.
  • Page 462 Device duty cycle. This value represents the percent of time the device broadcasts a signal.
    Add-time: Time at which the device was first detected.
    Update-time: Time at which the device’s status was updated.
  • Page 463 Some industrial, healthcare, or manufacturing environments may also have other equipment that functions like a microwave and may also be classified as a Microwave device.
  • Page 464 Channel Details Information shows the information that you can view in the Channel Details graph.
    Table 30-3 Channel Details Information
    Column          Description
    Channel         An 802.11a or 802.11g radio channel.
    Quality(%)      Current relative quality of the channel.
    Utilization(%)  The percentage of the channel being used.
  • Page 465 To view this graph, click 2.4 GHz in the Spectrum section of the dashboard.
    Figure 30-3 Channel Metrics for the 2.4 GHz Radio Channel
    To view this graph, click 5 GHz in the Spectrum section of the dashboard.
  • Page 466 When a new non-Wi-Fi device is found, an alert is reported to the VC. The spectrum alert messages include the device ID, device type, IP address of the spectrum monitor or hybrid AP, and the timestamp. The VC reports the detailed device information to AMP.
  • Page 467: Configuring Spectrum Monitors And Hybrid Aps

    5. Click OK.
    In the CLI
    To configure 2.4 GHz radio settings:
      (scalance)(config)# rf dot11g-radio-profile
      (scalance)(RF dot11g Radio Profile)# spectrum-monitor
    To configure 5 GHz radio settings:
      (scalance)(config)# rf dot11a-radio-profile
      (scalance)(RF dot11a Radio Profile)# spectrum-monitor
  • Page 468 (scalance)(RF dot11a Radio Profile)# spectrum-band <type>
    To view the radio configuration:
      (scalance)# show radio config
      2.4 GHz:
      Legacy Mode:disable
      Beacon Interval: 100
      802.11d/802.11h: disable
      Interference Immunity Level: 2
      Channel Switch Announcement Count: 0
  • Page 469
      Legacy Mode: disable
      Beacon Interval: 100
      802.11d/802.11h: disable
      Interference Immunity Level: 2
      Channel Switch Announcement Count: 0
      Channel Reuse Type: disable
      Channel Reuse Threshold: 0
      Background Spectrum Monitor: disable
      Standalone Spectrum Band: 5ghz-upper
  • Page 471: Ap Maintenance

    APs to reboot automatically after a successful upgrade. To reboot the AP at a later time, clear the Reboot all APs after upgrade check box.
    4. Click Upgrade Now to upgrade the AP to the newer version.
  • Page 472
      Figure Upgrade Progress
      ----------------------
      Mac                IP Address   AP Class  Status    Figure Info  Error Detail
      ---                ---------    --------  ------    ----------   ------------
      d8:c7:c8:c4:42:98  10.17.101.1  Hercules  image-ok  image file   none
      Auto reboot :enable
      Use external URL :disable
  • Page 473: Backing Up And Restoring Ap Configuration Data

    3. Click Browse to browse your local system and select the configuration file.
    4. Click Restore Now.
    5. Click Restore Configuration to confirm restoration. The configuration is restored and the AP reboots to load the new configuration.
      (scalance)(config)# copy config tftp://x.x.x.x/confgi.cfg
  • Page 474: Converting An Ap To A Remote Ap And Campus Ap

    The following table describes the supported AP platforms and minimal ArubaOS version required for the Campus AP or Remote AP conversion.
    AP Platform  ArubaOS Release                    SCALANCE W Release
    W1750D       ArubaOS 6.4.4.0 or later versions  6.5.1.0-4.3.1 or later versions
  • Page 475 Hostname or IP Address of Mobility Controller text box. Contact your local network administrator to obtain the IP address.
    Note: Ensure that the Mobility Controller IP address is reachable by the APs.
  • Page 476 When an AP is converted to function in stand-alone mode, it cannot join a cluster of APs even if the AP is in the same VLAN. If the AP is in the cluster mode, it can form a cluster with other VC APs in the same VLAN.
  • Page 477 To convert an AP to a remote AP or campus AP:
      (scalance)# convert-aos-ap <mode> <controller-IP-address>
    To convert an AP to a stand-alone AP or to provision an AP in the cluster mode:
      (scalance)# swarm-mode <mode>
  • Page 478: Resetting A Remote Ap Or Campus Ap To An Ap

    3. Turn on the AP without releasing the reset knob. The power LED flashes within 5 seconds indicating that the reset is completed.
    4. Release the reset knob. The AP reboots with the factory default settings.
  • Page 479: Rebooting The Ap

    Reboot in Progress message is displayed indicating that the reboot is in progress. The Reboot Successful message is displayed after the process is complete. If the system fails to boot, the Unable to contact Access Points after reboot was initiated message is displayed.
    5. Click OK.
  • Page 481: Monitoring Devices And Logs

    DES, the (private) privacy key with the privacy protocol is used.
    Configuring SNMP
    This section describes the procedure for configuring SNMPv1, SNMPv2, and SNMPv3 community strings by using the SCALANCE W UI or the CLI.
  • Page 482 Creating Community Strings for SNMPv3 Using SCALANCE W UI
    To create community strings for SNMPv3:
    1. Click the System link on the SCALANCE W main window.
    2. In the System window that is displayed, click the Monitoring tab.
  • Page 483 To configure SNMPv1 and SNMPv2 community strings:
      (scalance)(config)# snmp-server community <password>
    To configure SNMPv3 community strings:
      (scalance)(config)# snmp-server user <name> <auth-protocol> <password> <privacy-protocol> <password>
    To view SNMP configuration:
      (scalance)# show snmp-configuration
      Engine ID:D8C7C8C44298
      Community Strings
      -----------------
  • Page 484 – Inform—When enabled, traps are sent as SNMP INFORM messages. It is applicable to SNMPv3 only. The default value is Yes.
    4. Click OK to view the trap receiver information in the SNMP Trap Receivers window.
  • Page 485 In the CLI
    To configure SNMP traps:
      (scalance)(config)# snmp-server host <IP-address> {version 1 | version 2 | version 3} <name> udp-port <port> inform
      (scalance)(config)# end
      (scalance)# commit apply
  • Page 486: Configuring A Syslog Server

    2. Click Show advanced options to display the advanced options.
    3. Click the Monitoring tab.
    Figure 32-3 Syslog Server
    4. In the Syslog server text box, enter the IP address of the server to which you want to send system logs.
  • Page 487 Significant events of a noncritical and normal nature. The default value for all Syslog facilities.
    Informational: Messages of general interest to system users.
    Debug: Messages containing information useful for debugging.
    6. Click OK.
  • Page 488
      (scalance)(config)# end
      (scalance)# commit apply
    To view syslog logging levels:
      (scalance)# show syslog-level
      Logging Level
      -------------
      Facility    Level
      --------    -----
      ap-debug    warn
      network     warn
      security    warn
      system      warn
      user        warn
      user-debug  warn
      wireless    error
  • Page 489: Configuring Tftp Dump Server

    4. Enter the IP address of the TFTP server in the TFTP Dump Server text box.
    5. Click OK.
    In the CLI
    To configure a TFTP server:
      (scalance)(config)# tftp-dump-server <IP-address>
      (scalance)(config)# end
      (scalance)# commit apply
  • Page 490: Running Debug Commands

    AP ARM History      show ap arm history
    AP ARM Neighbors    show ap arm neighbors
    AP ARM RF Summary   show ap arm rf-summary
    AP ARM Scan Times   show ap arm scan-times
    AP ARP Table        show arp
  • Page 491
    AP Log PPPd            show log pppd
    AP Log Rapper          show log rapper
    AP Log Rapper Counter  show log rapper-counter
    AP Log Rapper Brief    show log rapper-brief
    AP Log Sapd            show log sapd
  • Page 492
    AP Spectrum channel metrics    show ap spectrum channel-metrics
    AP Spectrum channel summary    show ap spectrum channel-summary
    AP Spectrum client table       show ap spectrum client-list
    AP Spectrum device duty cycle  show ap spectrum device-duty-cycle
  • Page 493
    VC WISPr Configuration          show wispr config
    VC XML API Server Information   show xml-api-server
    VC rfc3576-radius statistics    show ap debug rfc3576-radius-statistics
    Note: Use the support commands under the supervision of Siemens technical support.
  • Page 495: Uplink Bandwidth Monitoring

      (scalance)# show ale stats
      ALE Stats
      ---------
      Type               Value
      ----               -----
      VC package         0
      RSSI package       0
      APPRF package      0
      URLv package       0
      STATE package      0
      STAT package       0
      UPLINK BW package  0
      Total              0
  • Page 497: Hotspot Profiles

    To transmit a GAS query for any advertisement protocol, the advertisement protocol ID must include the advertisement protocol information element (IE) with details of the advertisement protocol and its corresponding advertisement control.
  • Page 498 AP. The IEs are included in the following Management Frames when 802.11u is enabled:
    ● Beacon Frame
    ● Probe Request Frame
    ● Probe Response frame
    ● Association Request
    ● Re-Association request
  • Page 499 The NAI realm settings on an AP act as an advertisement profile to determine the NAI realm elements that must be included as part of a GAS Response frame.
  • Page 500: Configuring Hotspot Profiles

    ANQP IE in a GAS query response.
    To configure a NAI profile:
      (scalance)(config)# hotspot anqp-nai-realm-profile <name>
      (scalance)(nai-realm <name>)# nai-realm-name <name>
      (scalance)(nai-realm <name>)# nai-realm-encoding {<utf8>|<rfc4282>}
      (scalance)(nai-realm <name>)# nai-realm-eap-method <eap-method>
      (scalance)(nai-realm <name>)# nai-realm-auth-id-1 <authentication-ID>
  • Page 501
    ● peapmschapv2 - To use PEAP with Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2). The associated numeric value is 29.
    ● eap-aka - To use EAP for Universal Mobile Telecommunications System (UMTS) Authentication and Key Agreement (AKA). The associated numeric value is 50.
  • Page 502 - The associated numeric value is 7.
    ● none - The associated numeric value is 8.
    ● reserved - The associated numeric value is 9.
    ● vendor-specific - The associated numeric value is 10.
  • Page 503 11.
    ● bar—The associated numeric value is 12.
    ● coffee-shop—The associated numeric value is 13.
    ● zoo-or-aquarium—The associated numeric value is 14.
    ● emergency-cord-center—The associated numeric value is 15.
  • Page 504 4.
    storage: unspecified—The associated numeric value is 0. The associated numeric value is 8.
    utility-misc: unspecified—The associated numeric value is 0. The associated numeric value is 9.
  • Page 505
    ● http-redirect—When configured, additional information on the network is provided through HTTP/HTTPS redirection.
    ● dns-redirect—When configured, additional information on the network is provided through DNS redirection. This option requires you to specify a redirection URL string as an IP address, FQDN, or URL.
  • Page 506
      (scalance)# commit apply
    The Public Land Mobile Network (PLMN) ID is a combination of the mobile country code and network code. You can specify up to 6 PLMN IDs for a 3GPP profile.
  • Page 507
      (scalance)(config)# hotspot h2qp-conn-cap-profile <name>
      (scalance)(connection-capabilities <name>)# esp-port
      (scalance)(connection-capabilities <name>)# icmp
      (scalance)(connection-capabilities <name>)# tcp-ftp
      (scalance)(connection-capabilities <name>)# tcp-http
      (scalance)(connection-capabilities <name>)# tcp-pptp-vpn
      (scalance)(connection-capabilities <name>)# tcp-ssh
      (scalance)(connection-capabilities <name>)# tcp-tls-vpn
      (scalance)(connection-capabilities <name>)# tcp-voip
      (scalance)(connection-capabilities <name>)# udp-ike2
      (scalance)(connection-capabilities <name>)# udp-ipsec-vpn
  • Page 508
    ● Uplink load—Indicates the percentage of the WAN uplink currently utilized. The default value of 0 indicates that the downlink speed is unknown or unspecified.
    ● Uplink speed—Indicates the WAN uplink speed in Kbps.
  • Page 509: Creating A Hotspot Profile

      (scalance)(Hotspot2.0 <name>)# roam-cons-len-3 <integer>
      (scalance)(Hotspot2.0 <name>)# roam-cons-oi-1 <integer>
      (scalance)(Hotspot2.0 <name>)# roam-cons-oi-2 <integer>
      (scalance)(Hotspot2.0 <name>)# roam-cons-oi-3 <integer>
      (scalance)(Hotspot2.0 <name>)# venue-group <group>
      (scalance)(Hotspot2.0 <name>)# venue-type <type>
      (scalance)(Hotspot2.0 <name>)# enable
      (scalance)(Hotspot2.0 <name>)# end
      (scalance)# commit apply
  • Page 510 Specify this parameter to allow the AP to send an Information Element (IE) indicating that the network allows Internet access.
    p2p-cross-connect: Specify this parameter to advertise support for P2P cross-connections.
    p2p-dev-mgmt: Specify this parameter to advertise support for P2P device management.
  • Page 511: Associating An Advertisement Profile To A Hotspot Profile

      (scalance)(Hotspot2.0 <name>)# advertisement-profile anqp-3gpp <name>
      (scalance)(Hotspot2.0 <name>)# advertisement-profile anqp-domain-name <name>
      (scalance)(Hotspot2.0 <name>)# advertisement-profile anqp-ip-addr-avail <name>
      (scalance)(Hotspot2.0 <name>)# advertisement-profile anqp-nai-realm <name>
      (scalance)(Hotspot2.0 <name>)# advertisement-profile anqp-nwk-auth <name>
      (scalance)(Hotspot2.0 <name>)# advertisement-profile anqp-roam-cons <name>
      (scalance)(Hotspot2.0 <name>)# advertisement-profile anqp-venue-name <name>
  • Page 512: Creating A Wlan Ssid And Associating Hotspot Profile

      (scalance)(SSID Profile <name>)# mac-authentication
      (scalance)(SSID Profile <name>)# l2-auth-failthrough
      (scalance)(SSID Profile <name>)# termination
      (scalance)(SSID Profile <name>)# external-server
      (scalance)(SSID Profile <name>)# auth-server <server-name>
      (scalance)(SSID Profile <name>)# server-load-balancing
      (scalance)(SSID Profile <name>)# radius-accounting
      (scalance)(SSID Profile <name>)# radius-accounting-mode {user-authentication|user-association}
  • Page 513
      (scalance)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
      (scalance)(SSID Profile <name>)# radius-reauth-interval <minutes>
      (scalance)(SSID Profile <name>)# set-role-by-ssid
      (scalance)(SSID Profile <name>)# end
      (scalance)# commit apply
  • Page 514: Sample Configuration

      (scalance)(network-auth "na1")# exit
      (scalance)(config)# hotspot anqp-roam-cons-profile rc1
      (scalance)(roaming-consortium "rc1")# roam-cons-oi-len 3
      (scalance)(roaming-consortium "rc1")# roam-cons-oi 888888
      (scalance)(roaming-consortium "rc1")# exit
      (scalance)(config)# hotspot anqp-3gpp-profile 3g
      (scalance)(3gpp "3g")# 3gpp-plmn1 40486
      (scalance)(3gpp "3g")# exit
      (scalance)(config)# hotspot anqp-ip-addr-avail-profile ip1
  • Page 515
      (scalance)(connection-capabilities <name>)# udp-voip
      (scalance)(connection-capabilities <name>)# enable
      (scalance)(connection-capabilities <name>)# exit
      (scalance)(config)# hotspot h2qp-oper-class-profile <profile>
      (scalance)(operator-class <name>)# op-class <class-ID>
      (scalance)(operator-class <name>)# enable
      (scalance)(operator-class <name>)# exit
      (scalance)(config)# hotspot h2qp-wan-metrics-profile <name>
      (scalance)(WAN-metrics <name>)# at-capacity
      (scalance)(WAN-metrics <name>)# downlink-load <load>
  • Page 516
      (scalance)(Hotspot2.0 "hs1")# roam-cons-oi-2 223355
      (scalance)(Hotspot2.0 "hs1")# addtl-roam-cons-ois 0
      (scalance)(Hotspot2.0 "hs1")# venue-group business
      (scalance)(Hotspot2.0 "hs1")# venue-type research-and-dev-facility
      (scalance)(Hotspot2.0 "hs1")# pame-bi
      (scalance)(Hotspot2.0 "hs1")# group-frame-block
      (scalance)(Hotspot2.0 "hs1")# p2p-dev-mgmt
      (scalance)(Hotspot2.0 "hs1")# p2p-cross-connect
      (scalance)(Hotspot2.0 "hs1")# end
      (scalance)# commit apply
  • Page 517
      (scalance)(SSID Profile "ssidProfile1")# radius-accounting-mode user-association
      (scalance)(SSID Profile "ssidProfile1")# radius-interim-accounting-interval 10
      (scalance)(SSID Profile "ssidProfile1")# radius-reauth-interval 20
      (scalance)(SSID Profile "ssidProfile1")# max-authentication-failures 2
      (scalance)(SSID Profile "ssidProfile1")# set-role-by-ssid
      (scalance)(SSID Profile "ssidProfile1")# hotspot-profile hs1
      (scalance)(SSID Profile "ssidProfile1")# end
      (scalance)# commit apply
  • Page 519: Clearpass Guest Setup

    34.1 Configuring ClearPass Guest
    To configure ClearPass Guest:
    1. From the ClearPass Guest UI, navigate to Administration > AirGroup Services.
    2. Click Configure AirGroup Services.
    Figure 34-1 Configure AirGroup Services
  • Page 520 3. Click Add a new controller.
    Figure 34-2 Add a New Controller for AirGroup Services
  • Page 521 Ensure that the port configured matches the CoA port (RFC 3576) set on the AP configuration.
    Figure 34-3 Configure AirGroup Services: Controller Settings
    5. Click Save Configuration.
    In order to demonstrate AirGroup, either an AirGroup Administrator or an AirGroup Operator account must be created.
  • Page 522 Policy Manager UI:
    1. Navigate to the ClearPass Policy Manager UI, and navigate to Configuration > Identity > Local Users.
    Figure 34-4 Configuration > Identity > Local Users Selection
    2. Click Add User.
  • Page 523 3. Create an AirGroup Administrator by entering the required values.
    Figure 34-5 Create an AirGroup Administrator
    4. Click Add.
  • Page 524 AirGroup Operator IDs will be displayed in the Local Users UI screen.
    Figure 34-7 Local Users UI Screen
    7. Navigate to the ClearPass Guest UI and click Logout. The ClearPass Guest Login page is displayed. Use the AirGroup admin credentials to log in.
  • Page 525 The Register Shared Device page is displayed.
    Figure 34-9 ClearPass Guest- Register Shared Device
    For this test, add your AppleTV device name and MAC address but leave all other boxes empty.
    9. Click Register Shared Device.
  • Page 526: Verifying Clearpass Guest Setup

    4. Disconnect the OSX Mountain Lion/iOS 6 device and delete it from the controller’s user table. Reconnect using the username that was added to the Shared With box. The OSX Mountain Lion/iOS 6 device should once again have access to the AppleTV.
  • Page 527: Troubleshooting

    34.3 Troubleshooting
    Table 34-1 Troubleshooting
    Problem: Limiting devices has no effect.
    Solution: Ensure IPv6 is disabled.
    Problem: Apple Macintosh running Mountain Lion can use AirPlay but iOS devices cannot.
    Solution: Ensure IPv6 is disabled.
  • Page 529: Ap-Vpn Deployment Scenarios

    Scenario 2—IPsec: Single Datacenter with Multiple Controllers for Redundancy (Page 535)
    Scenario 3—IPsec: Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy (Page 541)
    Scenario 4—GRE: Single Datacenter Deployment with No Redundancy (Page 547)
  • Page 530: Scenario 1 - Ipsec: Single Datacenter Deployment With No Redundancy

    5. RADIUS server within corporate network and authentication survivability for branch survivability.
    6. Wired and wireless users in L2 and L3 modes, respectively.
    7. Access rules defined for wired and wireless networks to permit all traffic.
  • Page 531 Topology
    The following figure shows the topology and the IP addressing scheme used in this scenario.
    Figure 35-1 Scenario 1 - IPsec: Single datacenter Deployment with No Redundancy
  • Page 532 NOTE: The IP range configuration on each branch will be the same. Each AP will derive a smaller subnet based on the client count scope using the Branch ID (BID) allocated by controller.
  • Page 533
      (scalance)(SSID Profile "wireless-ssid")# essid wireless-ssid
      (scalance)(SSID Profile "wireless-ssid")# opmode wpa2-aes
      (scalance)(SSID Profile "wireless-ssid")# vlan 30
      (scalance)(SSID Profile "wireless-ssid")# auth-server server1
      (scalance)(SSID Profile "wireless-ssid")# auth-server server2
      (scalance)(SSID Profile "wireless-ssid")# auth-survivability
  • Page 534 Datacenter Configuration
    For information on controller configuration, see Configuring a Controller for AP-VPN Operations. Ensure that the upstream router is configured with a static route pointing to the controller for the L3 VLAN.
  • Page 535: Scenario 2 - Ipsec: Single Datacenter With Multiple Controllers For Redundancy

    ● Distributed, L3 and Centralized, L2 mode DHCP on all branches. L3 is used by the employee network and L2 is used by the guest network with captive portal.
    ● Wired and wireless users in L2 and L3 modes.
    ● Access rules defined for wired and wireless networks.
  • Page 536 Topology
    The following figure shows the topology and the IP addressing scheme used in this scenario.
    Figure 35-2 Scenario 2 - IPsec: Single Datacenter with Multiple controllers for Redundancy
  • Page 537 4. Configure Enterprise DNS. The configuration example that follows tunnels all DNS queries to the original DNS server of clients without proxying on AP. See Configuring Enterprise Domains.
      (scalance)(domains)# domain-name *
  • Page 538 "presharedkey" assumes 802.1X SSID.
      (scalance)(Auth Server "server1")# exit
      (scalance)(config)# wlan auth-server server2
      (scalance)(Auth Server "server2")# ip 10.2.2.2
      (scalance)(Auth Server "server2")# port 1812
      (scalance)(Auth Server "server2")# acctport 1813
      (scalance)(Auth Server "server2")# key "presharedkey"
  • Page 539
      (scalance)(Access Rule "guest")# rule any any match any any any permit
    NOTE: Ensure that you execute the commit apply command in the SCALANCE W CLI before saving the configuration and propagating changes across the AP cluster.
  • Page 540 Datacenter Configuration
    For information on controller configuration, see Configuring a Controller for AP-VPN Operations. Ensure that the upstream router is configured with a static route pointing to the controller for the L3 VLAN.
  • Page 541: Scenario 3 - Ipsec: Multiple Datacenter Deployment With Primary And Backup Controllers For Redundancy

    ● Wired and wireless users in L3 and NAT modes, respectively.
    ● Access rules for wired and wireless users with source-NAT-based rule for contractor roles to bypass global routing profile.
    ● OSPF based route propagation on controller.
  • Page 542 The IP addressing scheme used in this example is as follows:
    ● 10.0.0.0/8 is the corporate network.
    ● 10.30.0.0/16 subnet is reserved for L3 mode – used by Employee SSID.
    ● 10.40.0.0/16 subnet is reserved for L3 mode – used by Contractor SSID.
  • Page 543 3. Configure Enterprise DNS for split DNS. The example in the next column uses a specific enterprise domain to tunnel all DNS queries matching that domain to corporate. See Configuring Enterprise Domains.
      (scalance)(domains)# domain-name corpdomain.com
  • Page 544
      (scalance)(Auth Server "server1")# key "presharedkey"
      (scalance)(Auth Server "server1")# exit
      (scalance)(config)# wlan auth-server server2
      (scalance)(Auth Server "server2")# ip 10.2.2.2
      (scalance)(Auth Server "server2")# port 1812
      (scalance)(Auth Server "server2")# acctport 1813
      (scalance)(Auth Server "server2")# key "presharedkey"
  • Page 545
      (scalance)(SSID Profile "wireless-ssid-contractor")# essid wireless-ssid-contractor
      (scalance)(SSID Profile "wireless-ssid-contractor")# opmode wpa2-aes
      (scalance)(SSID Profile "wireless-ssid-contractor")# vlan 40
      (scalance)(SSID Profile "wireless-ssid-contractor")# auth-server server1
      (scalance)(SSID Profile "wireless-ssid-contractor")# auth-server server2
      (scalance)(SSID Profile "wireless-ssid-contractor")# auth-survivability
  • Page 546 Operations. The following OSPF configuration is required on the controller to redistribute AP-VPN routes to upstream routers:
      (scalance)(config)# router ospf
      (scalance)(config)# router ospf router-id <ID>
      (scalance)(config)# router ospf area 0.0.0.0
      (scalance)(config)# router ospf redistribute rapng-vpn
  • Page 547: Scenario 4 - Gre: Single Datacenter Deployment With No Redundancy

    ● RADIUS server within corporate network and authentication survivability for branch survivability.
    ● Wired and wireless users in L2 mode
    ● Access rules defined for wired and wireless networks to permit all traffic
  • Page 548 Topology
    The following figure shows the topology and the IP addressing scheme used in this scenario:
    Figure 35-4 Scenario 4 - GRE: Single Datacenter Deployment with No Redundancy
  • Page 549 4. Configure Centralized, L2 DHCP profile with VLAN 20. See Configuring Centralized DHCP Scopes.
    Centralized, L2 DHCP profile VLAN 20
      (scalance)(config)# ip dhcp l2-dhcp
      (scalance)(DHCP profile "l2-dhcp")# server-type Centralized,L2
      (scalance)(DHCP profile "l2-dhcp")# server-vlan 20
  • Page 550
      (scalance)(SSID Profile "wireless-ssid")# essid wireless-ssid
      (scalance)(SSID Profile "wireless-ssid")# opmode wpa2-aes
      (scalance)(SSID Profile "wireless-ssid")# vlan 20
      (scalance)(SSID Profile "wireless-ssid")# auth-server server1
      (scalance)(SSID Profile "wireless-ssid")# auth-server server2
      (scalance)(SSID Profile "wireless-ssid")# auth-survivability
  • Page 551 Operations on page 245. The following GRE configuration is required on the controller:
      (scalance)(config)# interface tunnel <Number>
      (scalance)(config-tunnel)# description <Description>
      (scalance)(config-tunnel)# tunnel mode gre <ID>
      (scalance)(config-tunnel)# tunnel source <controller-IP>
      (scalance)(config-tunnel)# tunnel destination <AP-IP>
      (scalance)(config-tunnel)# trusted
      (scalance)(config-tunnel)# tunnel vlan <allowed-VLAN>
  • Page 553: Appendix

    DHCP allows a computer to be configured automatically, eliminating the need for a network administrator. DHCP also provides a central database to keep track of computers connected to the network. This database helps in preventing any two computers from being configured with the same IP address.
  • Page 554 Derived from TACACS but an entirely new and separate protocol to handle AAA services. TACACS+ uses TCP and is not compatible with TACACS. Because it encrypts password, username, authorization, and accounting, it is less vulnerable than RADIUS.
  • Page 555 (RF) signals rather than through end-to-end wire communication. WLAN Wireless local area network (WLAN) is a local area network (LAN) that the users access through a wireless connection.
  • Page 556: Acronyms And Abbreviations

    Appendix B.2 Acronyms and Abbreviations. The following table lists the acronyms and abbreviations used in Siemens documents. Acronym or Abbreviation | Definition: Third Generation of Wireless Mobile Telecommunications Technology; Fourth Generation of Wireless Mobile Telecommunications Technology; Authentication, Authorization, and Accounting...
  • Page 557 Distributed Coordination Function; DDMO Distributed Dynamic Multicast Optimization; Data Encryption Standard; Dynamic Frequency Selection; Discrete Fourier Transform; DHCP Dynamic Host Configuration Protocol; DLNA Digital Living Network Alliance; Dynamic Multicast Optimization; Distinguished Name; Domain Name System
  • Page 558 Extended Service Set Identifier; EULA End User License Agreement; Federal Communications Commission; Fast Fourier Transform; FHSS Frequency Hopping Spread Spectrum; Forwarding Information Base; FIPS Federal Information Processing Standards; FQDN Fully Qualified Domain Name
  • Page 559 Internet of Things; Internet Protocol; Intelligent Power Monitoring; Intrusion Prevention System; IPsec IP Security; ISAKMP Internet Security Association and Key Management Protocol; Internet Service Provider; JSON JavaScript Object Notation; KBps Kilobytes per second
  • Page 560 Multiprotocol Label Switching; MPPE Microsoft Point-to-Point Encryption; MSCHAP Microsoft Challenge Handshake Authentication Protocol; Maximum Segment Size; MSSID Mesh Service Set Identifier; MSTP Multiple Spanning Tree Protocol; Maximum Transmission Unit; MU-MIMO Multi-User Multiple-Input Multiple-Output
  • Page 561 PEAP-GTC Protected Extensible Authentication Protocol-Generic Token Card; Policy Enforcement Firewall; Perfect Forward Secrecy; Per-hop behavior; Protocol-Independent Multicast; Personal Identification Number; PKCS Public Key Cryptography Standard; Public Key Infrastructure; PLMN Public Land Mobile Network
  • Page 562 Request to Send; RTSP Real Time Streaming Protocol; Routed VLAN Interface; Rest of World; Security Association; SAML Security Assertion Markup Language; Subject Alternative Name; Station Control Block; SCEP Simple Certificate Enrollment Protocol; Secure Copy Protocol
  • Page 563 TACACS Terminal Access Controller Access Control System; TCP/IP Transmission Control Protocol/Internet Protocol; TFTP Trivial File Transfer Protocol; TKIP Temporal Key Integrity Protocol; Transport Layer Security; Type-length-value; Type of Service; Transmit Power Control
  • Page 564 Wide Area Network; WebUI Web browser User Interface; Wired Equivalent Privacy; Wi-Fi Alliance; WIDS Wireless Intrusion Detection System; WINS Windows Internet Naming Service; WIPS Wireless Intrusion Prevention System; WISPr Wireless Internet Service Provider Roaming
  • Page 565 Wi-Fi Multimedia; WLAN Management System; Wi-Fi Protected Access; WSDL Web Service Description Language; World Wide Web; Wireless Zero Configuration; XAuth Extended Authentication; Extensible Markup Language; XML-RPC XML Remote Procedure Call; Zero Touch Provisioning
  • Page 566: Glossary

    A specified range of frequencies of electromagnetic radiation.
  • Page 567 IEEE 802.11 standards The IEEE 802.11 is a set of standards that are categorized based on the radio wave frequency and the data transfer rate.
  • Page 568 These network elements or clients use radio signals to communicate with each other. Wireless networks are set up based on the IEEE 802.11 standards.
  • Page 569 (RF) signals rather than through end-to-end wire communication. WLAN Wireless local area network (WLAN) is a local area network (LAN) that the users access through a wireless connection.
  • Page 570 Appendix B.3 Glossary
