Fortress Technologies Secure Wireless Access Bridge User Manual

Network access device

Fortress Security System
Secure Wireless
Access Bridge
User Guide
www.fortresstech.com
© 2006 Fortress Technologies


Summary of Contents for Fortress Technologies Secure Wireless Access Bridge

  • Page 1 Fortress Security System Secure Wireless Access Bridge User Guide www.fortresstech.com © 2006 Fortress Technologies...
  • Page 3 To receive a complete machine-readable copy of the corresponding source code on CD, send $10 (to cover the costs of production and mailing) to: Fortress Technologies; 4023 Tampa Road, suite 2000; Oldsmar, FL 34677-3216. Please be sure to include a copy of your Fortress Technologies invoice and a valid “ship to”...
  • Page 4 Fortress Bridge DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS...
  • Page 5: Table Of Contents

    Table of Contents Introduction Fortress Secure Wireless Access Bridge .....1 Management Interfaces ........1 Bridge GUI .
  • Page 6 Installation Instructions ........11 Outdoor Installation ........11 Connecting the Bridge for Preconfiguration .
  • Page 7 802.1X Server and LAN Port Settings ..... . 35 802.1X Authentication Server ........35 LAN Port 802.1X Settings .
  • Page 8 Trusted Devices ........59 Adding Trusted Devices .
  • Page 9 Getting Help in the CLI ........82 Command Syntax .
  • Page 10 Secure Automatic Configuration ......105 Preconfiguring a New Network Deployment with SAC ....106 Connecting the Bridges for Preconfiguration .
  • Page 11: Introduction

    Chapter 1 Introduction Fortress Secure Wireless Access Bridge The Fortress Secure Wireless Access Bridge is an all-in-one network access device with the most stringent security available today built in. It can serve as a wireless bridge, a WLAN access point, and an eight-port LAN switch, while performing all the functions of a Fortress controller device: encrypting wireless traffic and providing Multi-factor Authentication for devices on the network it protects.
  • Page 12: Bridge Cli

    1.1.1.2 Bridge CLI The Bridge’s command-line interface provides administration and monitoring functions via a command line. It is accessed over the network via the Bridge’s IP address or through a terminal connected directly to the Bridge’s serial 1.1.1.3 SNMP The Bridge supports versions 1 and 2 of the Simple Network Management Protocol (SNMP) Internet standard for network management.
  • Page 13: Strong Encryption At The Mac Layer

    3) User authentication requires the user of a connecting device to enter a recognized user name and valid credentials, a password, for example, or a digital certificate. The Fortress Security System can authenticate users locally or through existing user-authentication provisions. 1.3.2 Strong Encryption at the MAC Layer Fortress ensures network privacy at the Media Access Control...
  • Page 14: Deployment Options

    Fortress Bridge: Introduction 1.3.5 Deployment Options The Fortress Security System is flexible and expandable. Figure 1.1 Example Point-to-Multipoint Deployment of the Fortress Secure Wireless Access Bridge...
  • Page 15: This Document

    The Bridge can provide a secure edge for a WLAN (or infrastructure-mode) deployments, as shown in Figure 1.1 This Document This user guide assumes its users have a level of expertise consistent with a professional Network Administrator. 1.4.1 Document Conventions This is a task-oriented document, and the procedures it contains are, wherever possible, self-contained and complete in themselves.
  • Page 16: Installation

    Chapter 2 Installation Introduction The Fortress Secure Wireless Access Bridge is a full-featured Fortress controller device, providing strong data encryption and Multi-factor Authentication™, including native RADIUS authentication, to users and devices on the network it secures. The Bridge additionally comprises three, independent network components that can be employed alone or simultaneously in any combination: Radio 1 is a tri-band 802.11a/b/g radio that can be...
  • Page 17: Compatibility

    RP-TNC connector and RP-TNC-to-N-type male connector adapter The availability and specifications of antennas offered for purchase from Fortress Technologies are subject to change. Contact your Fortress representative for details and pricing. 1. In outdoor installations, it is mandatory that the Bridge be powered with the EBU-101-01 PoE adapter (or equivalent).
  • Page 18: Preparing The Network

    2.2.2 Preparing the Network Any Ethernet device—including hubs, switches and access points—directly connected to the Bridge must have auto-negotiation capability (and have the feature enabled), or link and/or packet loss could result. Refer to a device’s documentation to configure its negotiation options. Secure Clients (and other Fortress Bridges) in communication with the Fortress Bridge must use the same encryption algorithm and must be assigned the same Access ID (as...
  • Page 19 This equipment must be installed by qualified General: service personnel according to the applicable installation codes. Do not locate the Bridge or antennas near power lines or power circuits. When installing an external antenna, take extreme care not to come into contact with such circuits as they can cause serious injury or death.
  • Page 20 PoE powered from a remote 802.11af (13 Watt) PoE midspan source. The Bridge includes a 48 V main Circuit Overloading: resettable fuse specified at 1.8 A. Lightning/Electrostatic Protection: ports conform to IEC1000-4-5 10 KV 8/20us waveform. The WAN port conforms to IEC-61000-4-2 8 KV waveform with 58 V additional transient protection.
  • Page 21: Installation Instructions

    Antennas must be installed to provide a separation of at least 20 cm (7.9") from all persons and any co-located antenna or transmitter. Regarding use in specific environments: operate near unshielded blasting caps or in an explosive environment. location to the constraints imposed by the location’s safety director.
  • Page 22: Connecting The Bridge For Preconfiguration

    2.4.1 Connecting the Bridge for Preconfiguration Position the Bridge so that it operates only within its safe temperature range (14°–122° F/ Connect a waterproof, standard 802.11a/b/g-capable antenna with an N-type male connector to antenna port 1 ANT1 Connect an antenna cable with an N-type male connector between antenna port 2 ( omnidirectional or directional antenna.
  • Page 23 Open a browser application on a computer on your LAN and, in the browser address field, enter the Bridge’s default IP address: 192.168.254.254 Log on to the Bridge GUI, entering and Password and then clicking (When prompted, agree to accept the security certificate.) From the main menu on the left choose on the screen:...
  • Page 24 From the main menu, select screen, in the SECURITY SETTINGS section: In Current Access ID enter 16 zeros or the word default In New Access ID enter the 16-digit hexadecimal Access ID to be used by the Bridge and its Secure Clients.
  • Page 25 If the Fortress Bridge is the root node in the point-to-point/multipoint deployment, skip this step. If the Fortress Bridge is the non-root node in the point-to-point/multipoint deployment, choose the main menu and in Bridge Mode setting for Radio 2, choose , and click Non-Root...
  • Page 26: Weatherizing The Bridge

    After the Bridge reboots, change the CLI password (according to the instructions in Section 6.4.4.2) and configure unique SSIDs for the Bridge (according to the instructions in Section 3.3). If you want to use the received signal strength indicator (RSSI) to aim the antenna of a non-root Bridge, you may want to enable it now (refer to Section 3.3.2.7).
  • Page 27 Slide the compression nut, with the threaded opening facing toward the connector, over the connector and onto the cable. Slide the compression bushing over the connector and onto the cable. Slide the threaded coupler, with the flanged end facing toward the compression nut and bushing, over the connector and onto the cable.
  • Page 28: Mast Mounting The Bridge

    2.4.4 Mast Mounting the Bridge The Mast-Mounting Kit accommodates masts from 1.5" to 3" in diameter. To install the Mast-Mounting Kit: Position the Bridge at the desired position on the mast, with the Bridge’s underside facing toward the mast and the front panel facing down, as shown in Figure 2.4 Sandwich the mast between the underside of the Bridge and the mounting bracket, fitting the mast into the bracket’s...
  • Page 29: Indoor Installation

    omnidirectional or directional antenna. The antenna and cable must be waterproof. Connect the Bridge's PoE (Power Sourcing Equipment/Power over Ethernet) source, which—if the or a DSL or cable modem—provides an in-line connection to the necessary network device. To plug in the RJ-45 connector with the boot assembly installed: orient the connector correctly with the WAN port, and then twist the outer ring of the connector boot clockwise until the channels in the ring align with the...
  • Page 30: Configuring The Bridge For Indoor Operation

    Position the Bridge so that it operates only within its safe temperature range (14°–122° F/ Connect a standard 802.11a/b/g-capable antenna with an N-type male connector to antenna port 1 ( Connect an antenna cable with an N-type male connector between antenna port 2 ( omnidirectional or directional antenna.
  • Page 31: Configuration

    Chapter 3 Configuration The Bridge GUI The Fortress Wireless Access Bridge’s graphical user interface provides access to Bridge administrative functions. Access Bridge GUI help screens by clicking on the main menu. 3.1.1 User Accounts There are two user accounts on the Bridge GUI, and the predetermined names associated with them are not user-configurable.
  • Page 32: Logging Off

    The Bridge GUI opens on the Welcome screen. Configuration settings are accessed through the main menu links on the left of the screen. 3.1.3 Logging Off To log off the Bridge GUI, click If you simply close the browser you have used to access the Bridge GUI, you will automatically be logged off.
  • Page 33: Spanning Tree Protocol

    3.2.1 Spanning Tree Protocol STP is a link management protocol that prevents bridging loops on the network while providing path redundancy. You should enable it only in deployments in which multiple OSI layer 2 paths to the same device(s)—i.e., bridging loops—are possible.
  • Page 34: Radio Settings

    To reconfigure Bridge LAN settings: Log on to the Bridge GUI admin account and select from the menu on the left. SETTINGS On the LAN SETTINGS relevant field(s). These include: Host name - a descriptive name for the Bridge LAN IP address - the network address of the Bridge LAN Subnet mask - the correct subnet mask for the Bridge Default gateway - the IP address of the default gateway...
  • Page 35: Radio State, Band And Mode Settings

    Radio 1 is the tri-band 802.11a/b/g radio, which can be configured as an 802.11g or an 802.11a radio. Radio 2 always functions as an 802.11a radio. fields are described in sections 3.3.1 and 3.3.2. RADIO SETTINGS Section 3.3.3 provides step-by-step instructions to change them.
  • Page 36: Radio Transmission And Reception Settings

    - Radios in Non-Root with other Fortress Bridges—either directly with a root Bridge or with other non-root Bridges (as well as receiving connections from other non-root Bridges and wireless devices). Typically, one Bridge serves as the root node (or root Bridge) and any other Bridges in the deployment are configured as non-root nodes.
  • Page 37: Distance

    3.3.2.3 Distance The Distance setting configures the maximum distance—from miles, in increments of 1 mile—for which the radio must adjust for the propagation delay of its transmissions. Figure 3.1. Point-to-multipoint Bridge deployment with bridging radio In a point-to-multipoint deployment, the Distance setting on the networked radios of all member Bridges should be the number of miles separating the two Bridges with the greatest, unbridged distance between them.
  • Page 38: Beacon Interval

    3.3.2.5 Beacon Interval The Bridge’s radios transmit beacons at regular intervals to announce their presence on the network. You can configure the number of milliseconds between beacons in whole numbers between beacon. The default beacon interval is 3.3.2.6 Multicasting Wireless is an inherently broadcast medium. A multicast packet, like any other, is broadcast (by the root Bridge) to all nodes (non-root Bridges) on the wireless network.
  • Page 39: Received Signal Strength Indicator

    on the Enabled LAN SETTINGS non-root Bridge, the Multicast field for the radio with a Radio Mode setting of Bridge will be configurable. Refer to Section 3.2.1 for more information on STP. 3.3.2.7 Received Signal Strength Indicator In outdoor, point-to-point/multipoint installations, the LED RSSI Monitor allows you to make the first adjustments to the directional antenna(s) of the non-root Bridge(s) in the network.
  • Page 40: Ssid

    unconfigured VAPs for radios in display frame on the CCESS OINTS You can view the settings that assign SSIDs (and associated settings) for the radio’s VAPs in the frame on the INTERFACES provides access to the fields that configure these settings. Sections 3.3.4.1 through 3.3.4.5 describe the fields available through the Edit...
  • Page 41: Hide Ssid And Accept G Only Options

    Radio 1 is preconfigured with a default SSID of default SSID for Radio 2 is 3.3.4.2 Hide SSID and Accept G Only Options To the right of the SSID field are two options that you can enable through their checkboxes: - Enabling this option deletes the SSID string Hide SSID from the packet headers of beacon and probe responses.
  • Page 42: Security Suite And Security Suite Settings

    The security protocol(s) employed by the Bridge’s virtual access point are configured per VAP. Your selection in the Security Suite field of the V frame determines which fields are configurable OINT ETTINGS (and which are grayed-out) in the S frame (in the lower half of the same screen), as described below.
  • Page 43 WEP Key Type - WEP keys can be composed of an (plaintext) passphrase or hexadecimal string. WEP Keys 1–4 - You must manually enter at least one static key to be used in Open WEP and Shared WEP transactions, within the specifications you set in the two fields above, which determine the usable key lengths for these fields.
  • Page 44: Configuring Virtual Radio Settings

    WPA and WPA2 generate encryption keys dynamically and exchange keys automatically with connected devices at user-specified intervals. This interval is the only additional setting required for WPA security. Specify the interval in seconds in the WPA Rekey Period field. Whole numbers between inclusive, are allowed.
  • Page 45: Server And Lan Port Settings

    802.1X Server and LAN Port Settings The Fortress Bridge can be used with an external 802.1X authentication server and its internal switch ports can be individually configured to allow or block 802.1X traffic. The Fortress Bridge supports non -802.1X authentication through a separate and unrelated set of configuration settings.
  • Page 46: Lan Port 802.1X Settings

    In the 802.1X In Server Address , enter the IP address of the network 802.1X authentication server (the default is In Server Port , enter the port used by the server for 802.1X requests (the default is In Auth Server Key , enter the shared key assigned to the Bridge in the 802.1X service.
  • Page 47: Security Settings

    Fortress Bridge: Configuration For security NOTE:...
  • Page 48: Operating Mode

    The viewable, default security settings are shown below. 3.6.1 Operating Mode The Fortress Bridge can be operated in either of two modes: Normal (the default) or FIPS. FIPS operating mode is necessary for deployments and applications that are required to comply with the Federal Information Processing Standards (FIPS) for cryptographic modules.
  • Page 49: Secure Shell Access

    If the Bridge fails any self-test on startup, it is rendered inoperable and must be returned to the vendor for repair or replacement. Only a designated Crypto Officer, as defined by the Federal Information Processing Standards, may perform administrative functions on the Bridge and its Secure Clients.
  • Page 50: Re-Keying Interval

    Bridge. For information on setting encryption algorithms on Secure Clients, refer to your Fortress Secure Client user guide. detail: To change the Bridge encryption algorithm: Log on to the Bridge GUI admin account and select SECURITY SETTINGS On the CRYPTO ALGORITHM screen, select the AES key length to be used to SETTINGS encrypt network data.
  • Page 51: Non-802.1X Authentication Global And Default Settings

    on Secure Clients, refer to your Fortress Secure Client user guide. detail: To change the Bridge’s Access ID Log on to the Bridge GUI admin account and select SECURITY SETTINGS In the CHANGE ACCESS ID screen: Enter the Current Access ID. Enter a 16-digit hexadecimal number to serve as the New Access ID .
  • Page 52: Enabling/Disabling Authentication Globally

    selected and, in the case of device authentication, when it has been globally enabled in the SECURITY SETTINGS Section 4.1 (Device Authentication) and Section 4.2 (User Authentication), in the next chapter. 3.6.6.1 Enabling/Disabling Authentication Globally The Fortress Bridge has an internal RADIUS server built-in. The Bridge additionally supports an external RADIUS server.
  • Page 53: External Authentication Server

    The default Auth Server Key is optionally change. Selecting authentication enables the screens and fields Local that configure local authentication settings for both users and devices. 3.6.6.3 External Authentication Server The Bridge can be integrated with an external Remote Authentication Dial-In User Service (RADIUS). It supports the open source freeRADIUS.
  • Page 54: Enabling/Disabling Device Authentication

    3.6.6.4 Enabling/Disabling Device Authentication On a Fortress Bridge configured for settings in the AUTHENTICATION OPTIONS AUTHENTICATION SETTINGS authentication, according to whether device authentication is included in the selection you make. detail: To enable/disable device authentication: Log on to the Bridge GUI admin account and select SECURITY SETTINGS In the AUTHENTICATION SETTINGS...
  • Page 55: Restart Session Login Prompt

    detail: To configure maximum authentication attempts: Log on to the Bridge GUI admin account and select SECURITY SETTINGS In the AUTHENTICATION SETTINGS field, ensure that Under AUTHENTICATION OPTIONS field, enter a whole number between 1 and 255. Click at the bottom of the screen. Apply A device that exceeds the maximum allowable retry attempts to connect to the Bridge-secured network is locked out until the...
  • Page 56: Default User Authentication Settings

    To enable/disable user session timeout login prompts: Log on to the Bridge GUI admin account and select SECURITY SETTINGS In the AUTHENTICATION SETTINGS Check the box for enable user session timeout prompts (the default). Clear the checkbox for disable user session timeout prompts . Click at the bottom of the screen.
  • Page 57: Blackout Mode

    To configure the default user authentication and device state for authenticating devices: Log on to the Bridge GUI admin account and select SECURITY SETTINGS In the AUTHENTICATION SETTINGS ensure that Local Auth is selected under sections 3.6.6.1 and 3.6.6.4, respectively). detail: Under AUTHENTICATION OPTIONS...
  • Page 58: System Date And Time

    Because the Bridge’s configuration settings could themselves be sensitive, Fortress Technologies recommends restoring them to their default values whenever the Bridge is to be shipped (or otherwise transported) out of a secured location.
  • Page 59: 3.10 Front-Panel Operation

    3.10 Front-Panel Operation The Fortress Bridge front panel is equipped with three, recessed buttons: two switches (labeled Reset button. 3.10.1 Mode Selection from the Front Panel The front-panel switches can be used to select the Bridge Mode of the Bridge’s internal Radio 2 as well as to turn the Bridge’s front-panel LEDs off and on (enable/disable blackout mode).
  • Page 60: Toggling The Blackout Mode Setting

    indicated by the when the new mode is selected. If you accidentally cycle past the Bridge Mode setting, continue pushing Stat2 When is flashing, press seconds to save the new Bridge Mode setting. The Stat2 LEDs will stop flashing and light solid green to indicate that you have successfully changed Radio 2’s Bridge Mode .
  • Page 61: Rebooting The Bridge From The Front Panel

    3.10.2 Rebooting the Bridge from the Front Panel To reboot the Fortress Bridge from the front-panel: Press and hold the Stat1 LED exhibits a slow green flash to indicate that the Bridge is rebooting. Release the button. After the Bridge reboots the green.
  • Page 62: Administration

    Chapter 4 Administration Device Authentication Device authentication is supported only for authentication. (When settings that configure device authentication are grayed out to reflect your selection.) On a Fortress-secured network with device authentication enabled, a unique Device ID is generated for each device connecting from an encrypted zone.
  • Page 63: Default Device Authentication Settings

    authenticate on the network. (Refer to Section 3.6.6.5 for detailed instructions.) If a device exceeds the maximum allowable retry attempts to connect to the Bridge-secured network, that device will be locked out until the device’s State is set to is locked out on every Bridge in a point-to-multipoint network, and you must change the device’s State setting on every Bridge that handles traffic from the device.
  • Page 64: Editing A Device

    Access user configurable settings for an authenticating device by clicking its Edit 4.1.2.1). Configurable settings include: Device Name - accepts up to 64 alphanumeric characters by which you can identify the device. If a device has a hostname associated with it (the hostname of a laptop running the Fortress Secure Client, for instance), that hostname is included for the device when it is first added to the...
  • Page 65: Deleting Devices

    On the DEVICE AUTHENTICATION of the device for which you want to change settings. In the EDIT DEVICE device’s current settings are displayed, enter new values into the relevant fields (described in Section 4.1.2). Click Update changes). The device’s entry in changes.
  • Page 66: Maximum User Authentication Retries

    on the AUTHENTICATION SETTINGS screen. SETTINGS On a Fortress Bridge-secured network, user authentication can be used by itself or combined with device authentication. The options that determine whether device authentication is enabled are also configured globally, in the frame of the SETTINGS 4.2.1 Maximum User Authentication Retries...
  • Page 67: Adding A User

    Session Timeout - sets the amount of time the user’s device can be present on the network before the current session is ended and he/she must log back in to re-establish the connection. Session Timeout is set in minutes, between 0 and 9999. A value of zero disables session timeout for that user (her device can be present on the network indefinitely without timing out).
  • Page 68: Deleting A User Account

    On the USER AUTHENTICATION the user for which you want to change settings. In the EDIT USER account’s current settings are displayed, enter new values into the relevant fields (described in Section 4.2.2). Click Update changes). The user’s entry in 4.2.2.3 Deleting a User Account You can delete a user account at any time.
  • Page 69: Trusted Devices

    Trusted Devices Some wireless devices—IP phones, digital scales or printers, and APs, for example—are not equipped to run additional software such as the Fortress Secure Client. In order to allow such a device access to the encrypted zone, the Fortress Bridge must be configured to identify it as a Trusted Device —to which the narrowest possible access rules should be applied.
  • Page 70: Editing Trusted Devices

    The section of the frame under shows the Trusted Device you added, with the settings you specified. detail: 4.3.1 Editing Trusted Devices You can edit the IP and MAC addresses of an existing Trusted Device and change its port settings, but you cannot change its TD Identifier .
  • Page 71: Deleting Trusted Devices

    4.3.2 Deleting Trusted Devices You can delete Trusted Devices one at a time, or by selecting multiple devices for deletion. detail: Log on to the Bridge GUI admin account and choose TRUSTED DEVICES On the TRUSTED DEVICES frame, check the box(es) beside the Trusted DEVICES Device(s) you wish to delete and click of the frame.
  • Page 72: Configuring Snmp

    Bridge’s password-protected accounts: Bridge GUI admin and operator accounts Bridge CLI account Fortress Technologies recommends backing up your Bridge configuration: when you first set up the Bridge immediately before you upgrade Bridge software or make...
  • Page 73 Table 4.1. User Configured Settings Backed Up for the Bridge function network WAN port encrypted/unencrypted radio state enable/disable radio band (Radio 1) 802.11g/802.11a radio mode AP/Bridge radios multicasting enable/disable LED RSSI monitor enable/disable VAP SSIDs and related settings any created Wireless Extension Tools scripts 802.1X authentication server settings 802.1X LAN ports 1–8 802.1X off/on...
  • Page 74: Backing Up The Bridge Configuration

    4.5.1 Backing Up the Bridge Configuration Log on to the Bridge GUI admin account and choose SYSTEM OPTIONS On the SYSTEM OPTIONS , click SETTINGS detail: On the resulting screen: Optionally enter a Password to protect the backup file. Click Backup On the system dialog, choose to save the file to disk.
  • Page 75: Software Versions And Upgrades

    Bridge software that add new features, improve functionality and/or fix known bugs. Upgrade files may be shipped to you on CD-ROM or, more often, made available for download from your account on the Fortress Technologies website. www.fortresstech.com/support/products_updates.asp The Fortress Bridge is compatible with Fortress Secure Client versions 2.4 and higher.
  • Page 76 Click the operation). Apply Cancel Click on the system confirmation dialog. The frame displays Uploading file... (with crawling dots to indicate system activity), then changes to the Performing upgrade... status display, which presents a series of progress messages. When the process completes, the frame displays [ ], and a system dialog prompts you to DONE...
  • Page 77: Rebooting The Bridge

    Rebooting the Bridge The reboot option power cycles the Bridge, ending all sessions and forcing Secure Client devices (and any other Fortress Bridges) in communication with the Bridge to re-key in order to start a new session. Log on to the Bridge GUI admin account and choose SYSTEM OPTIONS On the SYSTEM OPTIONS...
  • Page 78: Monitoring And Diagnostics

    Chapter 5 Monitoring and Diagnostics Statistics The statistics screen displays statistics for overall encrypted-zone traffic, each of the Bridge’s logical interfaces (including physical Ethernet ports and all configured virtual radio interfaces), as well as for each of the Bridge’s internal radios. Fortress Bridge: Monitoring and Diagnostics...
  • Page 79: Traffic Statistics

    5.1.1 Traffic Statistics The packets that the Fortress Bridge has transmitted to and received from the encrypted zone since cryptographic processing was last started are shown in the Encrypt - encrypted packets—the packets received from the unencrypted zone, encrypted, and then transmitted to the encrypted zone Decrypt - decrypted packets—the packets received from the encrypted zone, decrypted, and then transmitted to the...
  • Page 80: Radio Statistics

    - the total number of bytes received/transmitted on BYTES the interface - the total number of packets received/transmitted PACKETS on the interface - the total number of receive/transmit errors ERRORS reported on the interface 5.1.3 Radio Statistics 1 is the tri-band, 802.11a/b/g radio and RADIO higher-gain 802.11a radio.
  • Page 81 Fortress Bridge: Monitoring and Diagnostics Idle Since - the number of hours, minutes and seconds since the device was last active on the network.
  • Page 82: Ap Associations

    Table 5.1. Commonly Seen Tracking State Codes State dynamic key exchange complete: secure connection Each device entry on the checkbox that, when checked, resets the network session of that device when screen) is clicked. AP Associations The AP Associations screen provides information about devices currently connected through the Bridge’s wireless interfaces.
  • Page 83: View Log

    Channel - identifies the channel, by number, over which the Bridge and the associated device are communicating, as selected for the radio being used (Section 3.3.2.1). Rate - provides a dynamic measurement of the data rate of the connection to the associated device, in megabits per second.
  • Page 84 when Secure Clients contact and negotiate keys with the Fortress Bridge system configuration changes when cryptographic processing is restarted system and communication errors The log is allocated 500 Kbytes of memory and can contain a maximum of approximately 16,000 log messages (approximate because record sizes vary somewhat).
  • Page 85: Diagnostics

    Diagnostics Access Fortress Bridge diagnostic utilities by logging into the Bridge GUI admin account and selecting menu on the left. DIAGNOSTICS The version and build number of the firmware currently running on the Fortress Bridge, under DEVICE ID for each device on a Fortress-secured network and used, when applicable, for device authentication.
  • Page 86: Flushing The Host Mac Database

    Generating a Diagnostics File To assist in diagnosing a problem with your Bridge, the Customer Support team at Fortress Technologies may request that you generate a diagnostics file. Diagnostics files encrypt the information collected from the Bridge, so the file can be securely sent to Fortress Support as an e-mail attachment.
  • Page 87: Front-Panel Indicators

    Front-Panel Indicators Fortress Bridge: Monitoring and Diagnostics There are NOTE: tions in a Bridge in blackout mode (refer to indica-...
  • Page 88: Radio Leds

    can exhibit: Stat2 solid green - The Bridge is operating in root mode. off - The Bridge is operating in non-root mode. can exhibit: fast green flash - The Bridge is passing cleartext (unencrypted data) in the encrypted zone. can exhibit: Fail Fail off - The...
  • Page 89: Port Leds

    Both upper and lower LEDs can exhibit: off - The associated radio is disabled (in the Bridge GUI or CLI). All four Radio LEDs can exhibit: solid amber - A firmware error has occurred. off - Both radios are disabled (in the Bridge GUI or CLI). 5.6.3 Port LEDs The Fortress Bridge’s Ethernet ports—including those for the...
  • Page 90: Command-Line Interface

    Chapter 6 Command-Line Interface Introduction The Fortress Bridge CLI provides commands for managing the Fortress Bridge and the network it secures. You can access it through a direct connection to the Bridge’s serial console port or, using Secure Shell (SSH), from any computer with access to the Bridge—i.e., any computer in the Bridge’s unencrypted zone or a computer running the Fortress Secure Client.
  • Page 91: Cli Administrative Modes

    6.1.1 CLI Administrative Modes: There are two administrative modes in the Bridge CLI. When you first access the CLI you are, by default, in Gateway (GW) mode, indicated by the [GW]> command prompt. In Gateway mode, you can manage the Bridge’s Fortress controller device functions, including basic administration and security settings. The other mode, AP (access point) mode, is indicated by the [AP]> prompt and holds the radio and virtual access point commands.
  • Page 92: Getting Help In The Cli

    WSG login: sysadm
    Password: <password>
    Fortress Wireless Security Gateway
    [GW]>
    The login ID is sysadm. If you are changing the CLI password for the first time as part of an installation procedure (Chapter 2), use the default password, sysadm. To log off the CLI, use the [GW]>...
  • Page 93: Command Syntax

    Note that only those options available in the current administrative mode are displayed and that valid command options differ significantly between modes.
    [AP]> show
    Description: Displays Access Point information, configuration
    Usage: show [args]. Possible args: associations radio radius ?|help
    Several of the commands that change Bridge configuration settings can be run interactively.
  • Page 94: Configuration In The Bridge Cli

    Switch refers to the identifier, preceded by a dash (hyphen), for the argument to follow (ex., Switches allow permissible arguments to be entered in any combination and order. Angle brackets: indicate variable, user-supplied inputs (parameters and variable arguments), which are also italicized (ex., The absence of angle brackets and italics indicates literal (or fixed) user-supplied input (ex.,...
  • Page 95: Spanning Tree Protocol In The Cli

    The CLI displays the configurable fields one at a time. Enter a new value for the field, or leave the field blank to keep the setting unchanged, and strike Enter to move to the next field. The final reboot query displays only when you have entered a value into at least one of the fields presented. Entering the 0 (zero) argument for the default gateway deletes the default gateway from the Bridge’s network...
  • Page 96
    [AP]> show radio
    [RADIO 1]
    Radio State: On
    Radio Band: 802.11g
    Radio Mode: AP
    Channel: 1
    Tx Power: Auto
    Distance: 1
    Beacon Interval: 100
    Preamble: Short
    Multicast: On
    RSSI Monitor: Off
    [RADIO 2]
    State: On
    Radio Band: 802.11a
    Radio Mode: Bridge
    Bridge Mode: Root
    Channel: 149
    Tx Power: Auto...
  • Page 97
    [AP]> set radio 1
    Radio state [on|off] (on):
    Radio band [802.11g|802.11a] (802.11g): 802.11a
    [OK] Reboot is required when changing radio band
    Radio Mode [ap|bridge|ids] (ap): bridge
    [OK]
    Bridge Mode [root|nonroot] (nonroot): nonroot
    Radio is in nonroot mode...cannot set channel
    Transmit Power [auto|1-18] (auto):
    Distance in miles [1-35] (1): 3
    [OK]
    Beacon interval (ms) [25..1000] (100):...
  • Page 98: Virtual Radio Interface Settings In The Cli

    The sample output for the show radio command (at the beginning of this section) shows the default radio settings. As shown in the example interactive set radio session, reconfiguring radio settings requires that you reboot the Bridge in order to effect your changes. The show radio command is valid only in AP (access point) mode (refer to Section 6.1.1 for more detail). 6.4.3.1 Virtual Radio Interface Settings in the CLI: The Bridge CLI AP mode uses a submenu of commands to...
  • Page 99 By default a single virtual access point (VAP) is configured on each radio. The SSIDs associated with these two primary VAPs should never be left at their defaults (shown above). SSID strings can be up to 32 characters long. Configure VAP settings interactively by entering the set vap command with just the VAP number.
  • Page 100: Bridge Passwords In The Cli

    [VAP]> set vap {1|2|3|4} [-ssid <ssidstring>|.] [-dtim 1-255] [-hidessid on|off]
        [-rts 1–2345|off] [-frag 256–2345|off] [-only11g on|off]
        [-suite fortress|clear|open-wep|shared-wep|8021x|wpa|wpa-psk|wpa2|wpa2-psk|wpa-mixed|wpa-mixed-psk]
        [-wepkeytype hex|passphrase] [-wepkeysize 40|104]
        [-wepkey1 <key>] [-wepkey2 <key>] [-wepkey3 <key>] [-wepkey4 <key>] [-weptxkey 1–4]
        [-keytype hex|passphrase] [-rekeyperiod <sec>] [-passphrase <phrase>] [-hex <key>]
    In the dot (.) input for the The output of...
  • Page 101: Changing Bridge Gui Passwords In The Cli

    6.4.4.1 Changing Bridge GUI Passwords in the CLI: Which GUI password is set depends upon the username argument: admin sets the admin password; operator sets the view-only password. Use the set passwd web command as follows:
    [GW]> set passwd web {admin|operator}
    Enter Current Password: <oldpassword>
    Enter New Password: <newpassword>
    Re-enter New Password: <newpassword>
    The default Bridge GUI admin password is ...; the default operator password is .... GUI passwords must be at least eight characters long.
  • Page 102: Re-Keying Interval In The Cli

    View the encryption algorithm (and the re-keying interval) in effect on the Bridge with:
    [GW]> show crypto
    CryptoEngine:AES256
    ReKeyInterval:4
    The show crypto command is valid only in GW mode (refer to Section 6.1.1 for more detail). The encryption algorithm that the Fortress Bridge and its Clients will use is set with [GW]>...
  • Page 103: Access Id In The Cli

    6.4.5.4 Access ID in the CLI The Access ID is a 16-digit hexadecimal ID that provides network authentication for the Fortress Security System. All of the Bridge’s Secure Clients must be configured to use the same Access ID as the Bridge. For information on setting encryption algorithms on Secure Clients, refer to your Fortress Secure Client user guide.
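    The set vap usage line above and the Access ID definition here fix the value ranges an operator has to get right: an SSID of 1-32 characters, WEP keys sized to 40 or 104 bits, a WPA/WPA2 pre-shared key given either as 64 hex digits or as an 8-63 character passphrase, and a 16-digit hexadecimal Access ID. Of the suites listed, clear passes traffic unencrypted and the two WEP suites and the WPA/TKIP-capable suites rely on ciphers with practical key-recovery attacks, so a practitioner would want a pre-flight check before typing a set vap line. The following is an added example of such a check, not Fortress Technologies code and not part of the manual; it assumes the switches are handed in as a dictionary keyed by switch name without the leading dash, and uses only the ranges stated on the page plus the standard 802.11 key sizes.

```python
"""Pre-flight checks for Fortress Bridge 'set vap' options and the Access ID.

Added example, not Fortress Technologies code.  Switch values are those in
the manual's 'set vap' usage line; key lengths are the standard 802.11 ones
(WEP 40/104-bit keys as 10/26 hex digits, WPA/WPA2 PSK as 64 hex digits or an
8-63 character passphrase).  Options arrive as a dict keyed by switch name
without the dash (an assumption made here for convenience).
"""
import re

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

SUITES_NO_ENCRYPTION = {"clear"}
SUITES_WEP = {"open-wep", "shared-wep"}
SUITES_TKIP_ALLOWED = {"wpa", "wpa-psk", "wpa-mixed", "wpa-mixed-psk"}
SUITES_PSK = {"wpa-psk", "wpa2-psk", "wpa-mixed-psk"}
ALL_SUITES = (SUITES_NO_ENCRYPTION | SUITES_WEP | SUITES_TKIP_ALLOWED
              | {"fortress", "8021x", "wpa2", "wpa2-psk"})


def check_access_id(access_id):
    """True if access_id is a well-formed 16-digit hexadecimal Access ID."""
    return len(access_id) == 16 and bool(HEX_RE.match(access_id))


def _check_wep(opts):
    findings = []
    size = int(opts.get("wepkeysize", 0))
    if size not in (40, 104):
        return ["wepkeysize must be 40 or 104"]
    want_hex_len = size // 4            # 40-bit -> 10 hex digits, 104-bit -> 26
    keys = {n: opts.get(f"wepkey{n}") for n in range(1, 5)}
    present = {n for n, k in keys.items() if k}
    if not present:
        findings.append("no wepkey1-4 supplied")
    if opts.get("wepkeytype", "hex") == "hex":
        for n in sorted(present):
            k = keys[n]
            if len(k) != want_hex_len or not HEX_RE.match(k):
                findings.append(f"wepkey{n} must be {want_hex_len} hex digits for a {size}-bit key")
    tx = int(opts.get("weptxkey", 1))
    if tx not in present:
        findings.append(f"weptxkey {tx} selects a key that was not supplied")
    return findings


def _check_psk(opts):
    if opts.get("keytype", "passphrase") == "hex":
        key = opts.get("hex", "")
        if len(key) != 64 or not HEX_RE.match(key):
            return ["-hex PSK must be exactly 64 hex digits (256 bits)"]
        return []
    phrase = opts.get("passphrase", "")
    if not 8 <= len(phrase) <= 63 or not phrase.isascii() or not phrase.isprintable():
        return ["-passphrase must be 8-63 printable ASCII characters"]
    return []


def check_vap(opts):
    """Return findings for one VAP's options; an empty list means no complaints."""
    findings = []
    suite = opts.get("suite")
    if suite not in ALL_SUITES:
        return [f"unknown suite {suite!r}"]
    ssid = opts.get("ssid", "")
    if not 1 <= len(ssid) <= 32:
        findings.append("ssid must be 1-32 characters")
    if suite in SUITES_NO_ENCRYPTION:
        findings.append("suite 'clear' passes wireless traffic unencrypted")
    if suite in SUITES_WEP:
        findings.append(f"suite {suite!r} uses WEP, which has practical key-recovery "
                        "attacks; use wpa2/wpa2-psk or fortress")
        findings += _check_wep(opts)
    if suite in SUITES_TKIP_ALLOWED:
        findings.append(f"suite {suite!r} allows WPA/TKIP clients; prefer wpa2 or wpa2-psk")
    if suite in SUITES_PSK:
        findings += _check_psk(opts)
    return findings


if __name__ == "__main__":
    # Constructed sample: a legacy WEP VAP with a key of the wrong length.
    sample = {"suite": "shared-wep", "ssid": "legacy", "wepkeysize": 104,
              "wepkeytype": "hex", "wepkey1": "0123456789", "weptxkey": 2}
    for line in check_vap(sample):
        print(line)
    print("access id ok:", check_access_id("0123456789ABCDEF"))
```

    Run the checks against the options you intend to type before the interactive set vap session; anything the check flags as WEP or TKIP should be treated as a downgrade, not a configuration error to fix by adjusting key lengths.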
  • Page 104: Ssh Access To The Cli

    6.4.5.7 SSH Access to the CLI: Secure Shell (SSH) is disabled on the Fortress Bridge by default. You can view the current SSH setting with [GW]> show ssh. To enable SSH, log on to the CLI (via a direct connection to the Bridge’s Console port) and [GW]>...
  • Page 105: System Date And Time In The Cli

    6.4.6 System Date and Time in the CLI: View Bridge date and time settings with the show clock command:
    [GW]> show clock
    Wkday Month DAY HR:MIN:SEC TimeZone YEAR
    Set system date and time on the Fortress Bridge, using the twenty-four-hour clock and numerical date, through the set clock command, as follows: [GW]>...
  • Page 106: Non-802.1X Eap Retry Interval Setting

    Configure the Bridge interactively to authenticate users through an external RADIUS server with:
    [GW]> set auth external
    IPserver: 123.45.67.89
    [OK] set Server IP
    AuthKey: s3cr4ts5r6v7rk8y
    [OK] set Authentication Key
    The default RADIUS shared key is .... Change it before deployment: the shared key is what authenticates RADIUS traffic between the Bridge and the server. The RADIUS shared key can also be set non-interactively with: [GW]>...
  • Page 107: Authentication Settings In The Cli

    6.4.9 802.1X Authentication Settings in the CLI. 6.4.9.1 802.1X Authentication Server Settings: Support for 802.1X authentication on the Fortress Bridge, whether for wired or wireless devices, requires the use of an external 802.1X authentication service. Those WPA and WPA2 Security Suite settings that do not use PSK (pre-shared key mode) also require the use of an 802.1X authentication server.
  • Page 108 In GW mode, use the show 8021X command to view the server settings:
    [GW]> show 8021X
    Lan1:off Lan2:off Lan3:off Lan4:off Lan5:off Lan6:off Lan7:off Lan8:off
    AuthServer:127.0.0.1
    AuthPort:1812
    The last two lines of output display the current 802.1X server settings. The LAN port settings shown are described in the next section (6.4.9.2).
  • Page 109: Internal Lan Switch Port 802.1X Settings

    6.4.9.2 Internal LAN Switch Port 802.1X Settings You can individually configure each of the ports of the Bridge’s internal LAN switch to require that a connected device is an 802.1X supplicant successfully authenticated by the 802.1X authentication server configured for the Bridge (Section 6.4.9). View current LAN port settings with the [GW]>...
  • Page 110: Adding Trusted Devices In The Cli

    The commands that configure and delete Trusted Devices are valid only in GW (gateway) mode (refer to Section 6.1.1 for more detail). 6.5.1.1 Adding Trusted Devices in the CLI: Add Trusted Devices with the add td command:
    [GW]> add td {-n <name>} {-ip <IPaddr>} {-m <MACaddr>} {-p any|<port1,port2,…>}
    in which name is a descriptive identifier for the Trusted Device, ...
  • Page 111: Viewing The Software Version In The Cli

    [GW]> set snmp -c <contact@domain.com> -l <locationName> -ro <roCmntyName> -rw <rwCmntyName>
    Set Contact:OK
    Set Location:OK
    Set RO Community:OK
    Set RW Community:OK
    in which contact@domain.com is the address to which contact notifications will be sent, locationName is the location of the Bridge, roCmntyName is the read-only SNMP community, and rwCmntyName is the read-write community. You can include spaces in the location and SNMP community names by enclosing the input string in quotation marks. Treat the community names as credentials: the read-write community authorizes SNMP writes, so never leave it at a guessable value.
  • Page 112: Viewing System Uptime In The Cli

    [GW]> show device
    Hostname:Fswab
    DeviceID:4389C1B376B1AFDD
    CryptoEngine:AES256
    IP(Private):172.24.1.27
    Ssh:Off
    Gui:On
    Auth:Off
    Fips:On
    The show device command is valid only in GW mode (refer to Section 6.1.1 for more detail). 6.6.2 Viewing System Uptime in the CLI: The show uptime command displays the number of days, hours and minutes that the Fortress Bridge has been operating since its last boot: [GW]>...
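    The show crypto, show 8021X and show device outputs above share one Key:Value layout, which makes them easy to collect over the console and audit in bulk. The following is an added example, not Fortress Technologies code and not part of the manual: it parses the three outputs and reports the posture points a reviewer would check (FIPS mode off, a non-AES crypto engine, a LAN port demanding 802.1X while AuthServer is still the 127.0.0.1 value the page shows, or a Bridge with neither SSH nor GUI management). The sample strings are constructed from the values printed on the page (with Lan2 switched to on to exercise the 802.1X check); the re-key policy threshold and the reading of 127.0.0.1 as "no external server set" are assumptions of this example.

```python
"""Audit a Fortress Bridge from its 'show device', 'show crypto' and
'show 8021X' output.

Added example, not Fortress Technologies code.  Field names are the ones the
page prints; the sample strings are constructed from those values (Lan2 is
'on' here to exercise the 802.1X check).  One 'Key:Value' token per
whitespace-separated field is assumed, which is how the page shows the output.
"""

SHOW_DEVICE = """\
Hostname:Fswab
DeviceID:4389C1B376B1AFDD
CryptoEngine:AES256
IP(Private):172.24.1.27
Ssh:Off
Gui:On
Auth:Off
Fips:On
"""
SHOW_CRYPTO = "CryptoEngine:AES256 ReKeyInterval:4"
SHOW_8021X = """\
Lan1:off Lan2:on Lan3:off Lan4:off Lan5:off Lan6:off Lan7:off Lan8:off
AuthServer:127.0.0.1
AuthPort:1812
"""

# Assumed site policy, not a Bridge limit: re-key at least this often,
# in whatever units the Bridge reports ReKeyInterval.
MAX_REKEY_INTERVAL = 24


def parse_show(text):
    """Turn 'Key:Value' tokens into a dict; keys keep the CLI's spelling."""
    fields = {}
    for token in text.split():
        key, sep, value = token.partition(":")
        if sep:
            fields[key] = value
    return fields


def audit(device, crypto, dot1x):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []

    if device.get("Fips", "").lower() != "on":
        findings.append("FIPS operating mode is off")

    engine = crypto.get("CryptoEngine") or device.get("CryptoEngine", "")
    if not engine.upper().startswith("AES"):
        findings.append(f"CryptoEngine {engine!r} is not AES (NIST withdrew DES in 2005)")

    interval = int(crypto.get("ReKeyInterval", "0") or 0)
    if interval <= 0 or interval > MAX_REKEY_INTERVAL:
        findings.append(f"ReKeyInterval {interval} is outside policy (1-{MAX_REKEY_INTERVAL})")

    # Ports that demand an 802.1X supplicant need an external authentication
    # server.  127.0.0.1 is the value the page shows before one is configured;
    # this example treats it as "none set" (assumption).
    ports_on = sorted(k for k, v in dot1x.items()
                      if k.startswith("Lan") and v.lower() == "on")
    server = dot1x.get("AuthServer", "")
    if ports_on and server in ("", "127.0.0.1"):
        findings.append(f"ports {','.join(ports_on)} require 802.1X but "
                        f"AuthServer is {server or 'unset'}; an external server is required")

    if device.get("Ssh", "").lower() == "off" and device.get("Gui", "").lower() == "off":
        findings.append("SSH and GUI are both off; only the serial console can manage the Bridge")

    return findings


def audit_text(device_text, crypto_text, dot1x_text):
    """Convenience wrapper taking the raw CLI output strings."""
    return audit(parse_show(device_text), parse_show(crypto_text), parse_show(dot1x_text))


if __name__ == "__main__":
    for line in audit_text(SHOW_DEVICE, SHOW_CRYPTO, SHOW_8021X) or ["no findings"]:
        print(line)
```

    Because the parser keys on the CLI's own field names, a fleet of Bridges can be audited by pasting each one's three outputs into the wrapper; anything that is not a Key:Value token (banners, prompts) is ignored rather than mis-parsed.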
  • Page 113: Ap Associations In The Cli

    Hosts (labeled Client) are numbered in the order they were added to the database, following the Bridge’s internal interfaces, and are listed by their MAC addresses. Below the list, a count of the entries in the database is given. You can flush the database of host (labeled Client) MAC addresses with the del clients command: [GW]>...
  • Page 114: Pinging A Device

    6.6.7 Pinging a Device: You can ping devices from the Bridge’s CLI. The Bridge pings three times and then displays the ping statistics.
    [GW]> ping 123.45.6.78
    PING 123.45.6.78 (123.45.6.78) from 123.45.6.89 : 56(84) bytes of data.
    64 bytes from 123.45.6.78: icmp_seq=1 ttl=128 time=18.3 ms
    64 bytes from 123.45.6.78: icmp_seq=2 ttl=128 time=23.0 ms
    64 bytes from 123.45.6.78: icmp_seq=3 ttl=128 time=23.0 ms
    --- 123.45.6.78 ping statistics ---...
  • Page 115: Creating A Wireless Extension Tools Script

    [AP]> wlan wlanconfig -h
    usage: wlanconfig wlanX create wlandev wifiX wlanmode [sta|adhoc|ap|monitor] [bssid | -bssid] [nosbeacon]
    usage: wlanconfig wlanX destroy
    6.7.1 Creating a Wireless Extension Tools Script: Configuration changes made with the WLAN Wireless Extension Tools are held in dynamic memory and do not persist through reboots of the Bridge.
  • Page 116: Preconfiguring A New Network Deployment With Sac

    6.8.1 Preconfiguring a New Network Deployment with SAC All of the Bridges to be included in the new network must be at their factory-default settings. (Section 6.4.7 describes restoring the Bridge’s default settings from the Bridge CLI; Section 3.9 describes the same function in the Bridge GUI.) 6.8.1.1 Connecting the Bridges for Preconfiguration Position the Bridges so that they operate only within their...
  • Page 117 Allow all of the Bridges to boot before proceeding with SAC: the Stat1 front-panel LEDs light solid green, while the upper LEDs for both radios and the WAN port link/activity LED flash intermittently. Open a terminal application on the computer connected to the SAC master Bridge’s console port (serial settings given in Section 6.1.2) and open a session with the master Bridge.
  • Page 118 Bridges. Alternatively, you can specify only a subnet and allow SAC to automatically generate all member IP addresses within that subnet, including that of the root/master Bridge. The IP or subnet address you enter must fall within one of these reserved (RFC 1918 private) ranges: 10.0.0.0, 172.16.0.0, 192.168.0.0...
  • Page 119: Reconfiguring Network Settings With Sac

    [GW]> set sac stop
    SAC Stop Initiated. May take some time to complete...
    Stopped SAC process successfully
    Reboot_Of_Master(SrlNum:24656196)_Required_For_NewConfiguration(CfgId:19082)_To_Take_Into_Effect
    Reboot_Of_SACPeer(SrlNum:24743196)_Required_For_Configuration_Change_From(OldCfgId:0)_To(NewCfgId:19082)_To_Take_Into_Effect
    Reboot_Of_SACPeer(SrlNum:24773196)_Required_For_Configuration_Change_From(OldCfgId:0)_To(NewCfgId:19082)_To_Take_Into_Effect
    Disconnect all of the Bridges’ WAN ports from the switch/hub used to connect them for the initial SAC operation. Power cycle each network Bridge by disconnecting and then reconnecting its external +48V DC power supply.
  • Page 120 Similarly, the encryption algorithm and re-key interval in effect on the network can be viewed with show crypto (Sections 6.4.5.1 and 6.4.5.2, respectively). The Access ID cannot be displayed, for security purposes (but it must match across all network Bridges). Use the show network command to view the master Bridge’s IP address (Section 6.4.1), and the show sac command to view the IP addresses of slave/non-root Bridges.
  • Page 121: Adding And Deleting Network Bridges With Sac

    SeriallNum|IpAddress|CfgID|PeerNum|PeerSACStatus|PeerSACState|PeerSACVer
    24773196|172.24.0.4|19082|2|SAC_PEER_CONFIRMED|SAC_COMPLETE_4PEER|SAC_VER_PEGASUS_ARCH1
    24743196|172.24.0.3|19082|1|SAC_PEER_CONFIRMED|SAC_COMPLETE_4PEER|SAC_VER_PEGASUS_ARCH1
    To save the new configuration, enter:
    [GW]> set sac stop
    SAC Stop Initiated. May take some time to complete...
    Stopped SAC process successfully
    Reboot_Of_Master(SrlNum:24656196)_Required_For_NewConfiguration(CfgId:42550)_To_Take_Into_Effect
    Reboot_Of_SACPeer(SrlNum:24773196)_Required_For_Configuration_Change_From(OldCfgId:19082)_To(NewCfgId:42550)_To_Take_Into_Effect
    Reboot_Of_SACPeer(SrlNum:24743196)_Required_For_Configuration_Change_From(OldCfgId:19082)_To(NewCfgId:42550)_To_Take_Into_Effect
    As the output informs you, you must reboot the Bridges in the network for the new configuration to take effect.
  • Page 122
    [GW]> show sac
    SwabSerialNum:24743196
    SwabConfigID:0
    SwabSACRole:SAC_SLAVE
    SwabSACState:SAC_INIT4SWAB
    SwabSACVer:SAC_VER_PEGASUS_ARCH1
    Log off the new Bridge’s CLI and disconnect the port cable. Log onto the Bridge CLI of the master/root Bridge and add the new Bridge’s serial number to the master Bridge’s SAC Peer list, with the [GW]>...
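    Before power-cycling a SAC network it is worth confirming, from the peer table and the set sac stop output above, that every expected peer reached SAC_PEER_CONFIRMED and that every Bridge is being told to move to the same CfgId; a peer that missed the configuration will come back up still keyed to the old one. The following is an added example of that check, not Fortress Technologies code and not part of the manual. It parses the pipe-delimited peer table and the Reboot_Of_... lines exactly as the page prints them; the sample strings are constructed from the page's values (with the extraction line break inside NewCfgId removed), and renaming the CLI's SeriallNum column to SerialNum is a convenience of this example.

```python
"""Check that a SAC rollout converged before the Bridges are rebooted.

Added example, not Fortress Technologies code.  It parses the peer table
and the Reboot_Of_... lines that 'set sac stop' prints, in the form shown
on the page; the sample strings below are constructed from those values.
"""
import re

PEER_TABLE = """\
SeriallNum|IpAddress|CfgID|PeerNum|PeerSACStatus|PeerSACState|PeerSACVer
24773196|172.24.0.4|19082|2|SAC_PEER_CONFIRMED|SAC_COMPLETE_4PEER|SAC_VER_PEGASUS_ARCH1
24743196|172.24.0.3|19082|1|SAC_PEER_CONFIRMED|SAC_COMPLETE_4PEER|SAC_VER_PEGASUS_ARCH1
"""

SAC_STOP = """\
SAC Stop Initiated. May take some time to complete...
Stopped SAC process successfully
Reboot_Of_Master(SrlNum:24656196)_Required_For_NewConfiguration(CfgId:42550)_To_Take_Into_Effect
Reboot_Of_SACPeer(SrlNum:24773196)_Required_For_Configuration_Change_From(OldCfgId:19082)_To(NewCfgId:42550)_To_Take_Into_Effect
Reboot_Of_SACPeer(SrlNum:24743196)_Required_For_Configuration_Change_From(OldCfgId:19082)_To(NewCfgId:42550)_To_Take_Into_Effect
"""

REBOOT_RE = re.compile(
    r"Reboot_Of_(?P<role>Master|SACPeer)\(SrlNum:(?P<serial>\d+)\)_Required_For_"
    r"(?:NewConfiguration\(CfgId:(?P<cfg>\d+)\)"
    r"|Configuration_Change_From\(OldCfgId:(?P<old>\d+)\)_To\(NewCfgId:(?P<new>\d+)\))"
)


def parse_peer_table(text):
    """Rows of the pipe-delimited peer table as dicts keyed by column name.

    The CLI prints the first column as 'SeriallNum'; it is renamed to
    'SerialNum' here so callers need not repeat the spelling.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("|")
    header[0] = "SerialNum"
    return [dict(zip(header, row.split("|"))) for row in lines[1:]]


def parse_reboot_lines(text):
    """Map serial number -> (role, old CfgId or None, new CfgId)."""
    out = {}
    for m in REBOOT_RE.finditer(text):
        new = m.group("cfg") or m.group("new")
        out[m.group("serial")] = (m.group("role"), m.group("old"), new)
    return out


def check_convergence(peer_table_text, sac_stop_text, expected_peers):
    """Return problems found.  An empty list means every expected peer is
    confirmed, every Bridge is moving to the same CfgId, and no peer was
    left out of the reboot list."""
    problems = []
    peers = parse_peer_table(peer_table_text)
    reboots = parse_reboot_lines(sac_stop_text)

    for p in peers:
        if p["PeerSACStatus"] != "SAC_PEER_CONFIRMED":
            problems.append(f"peer {p['SerialNum']} status {p['PeerSACStatus']}")

    seen = {p["SerialNum"] for p in peers}
    missing = set(expected_peers) - seen
    if missing:
        problems.append(f"expected peers never appeared: {sorted(missing)}")

    targets = {new for (_, _, new) in reboots.values()}
    if len(targets) != 1:
        problems.append(f"Bridges are moving to different CfgIds: {sorted(targets)}")

    not_rebooting = seen - set(reboots)
    if not_rebooting:
        problems.append(f"peers with no reboot notice: {sorted(not_rebooting)}")
    return problems


if __name__ == "__main__":
    for line in check_convergence(PEER_TABLE, SAC_STOP, ["24773196", "24743196"]) or ["converged"]:
        print(line)
```

    The serial numbers in expected_peers come from the master's SAC Peer list, so a Bridge that was added to the list but never showed up in the table is reported rather than silently skipped.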
  • Page 123: Deleting A Bridge From A Sac Network

    Disconnect the WAN ports of the new and master Bridges. Power cycle the new Bridge. The new Bridge is ready to be deployed on the network. 6.8.3.2 Deleting a Bridge from a SAC Network You can view the current list of SAC Peers from the master/ root Bridge’s CLI with [GW]>...
  • Page 124: Specifications

    Chapter 7 Specifications. 7.1 Hardware Specifications
    7.1.1 Performance
      unencrypted throughput: up to 23 Mbps
      encrypted throughput: up to 10 Mbps
    7.1.2 Physical
      form factor: compact, rugged desktop chassis
      dimensions: ...
      connections: ...
      power supply: ...
      system indicators: ...
    7.1.3 Environmental
      maximum AC draw: ...
      maximum heat dissipation: ...
      operating temperature: ...
      operating relative humidity (non-condensing): ...
      storage temperature: ...
    Fortress Bridge: Fortress Security System Overview...
  • Page 125: Compliance

    7.1.4 Compliance ... 7.1.5 Logical Interfaces: The physical connections described in Section 7.1.2 are identified as logical interfaces, as defined by FIPS 140-2, in the table below: Logical Interface ... RJ-45-to-DB9 Console Port Adapter: An RJ-45-to-DB9 adapter (included with each Bridge) is required in order to connect a terminal to the Bridge’s console port.
  • Page 126 With the wide side up, pins are numbered from right to left, top to bottom. Figure 7.1 RJ-45 and DB9 Pin Numbering. Table 7.1 shows the adapter pin-outs. Table 7.1. RJ-45-to-DB9 Adapter Pin-Outs: RJ-45 pin | DB9 pin | standard color ... grey...
  • Page 127: Troubleshooting

    Chapter 8 Troubleshooting
    Problem: You are unable to access the Bridge GUI. You are unable to access the Bridge CLI.
    Solution: Verify the Bridge’s physical connection:
      • from an Ethernet port on a computer or a network switch to one of the Bridge’s unencrypted internal LAN ports.
  • Page 128
    Problem: The Bridge is not allowing traffic to pass.
    Problem: A Secure Client device cannot communicate with the Bridge.
    Problem: After the Bridge is restarted, some Secure Clients do not immediately resume processing.
    Problem: In a point-to-point/multipoint deployment, Secure Clients receive excessive login prompts.
    Problem: An upgrade process simply fails to complete, or fails with the message: Failed to decrypt...
  • Page 129: Index

    Index Numerics 802.11a/b/g see radio settings, radio band; radios – 802.1X authentication for wired devices in Bridge CLI in Bridge GUI for wireless devices – in Bridge CLI in Bridge GUI server settings – in Bridge CLI – in Bridge GUI –...
  • Page 130 – Bridge CLI command about accessing troubleshooting commands add/del sp commands add/del td command command clear vap – command syntax default password command del clients commands exit – getting help command password default command ping command reboot command reset command script command set 8021X...
  • Page 131 cabling see ports, connections channel settings configuring – in Bridge CLI in Bridge GUI – with SAC defaults clock see system date and time; Bridge CLI command set clock compatibility compliance connections see ports, network connections; grounding console port – adapter location serial settings...
  • Page 132 encrypted zone Device IDs IP addresses MAC addresses – tracking sessions WAN port configuration – encryption algorithm configuring – in Bridge CLI in Bridge GUI – with SAC default in Secure Clients environmental specifications Ethernet see network interfaces; ports external authentication server –...
  • Page 133 LAN settings configuring at installation – in Bridge CLI – in Bridge GUI – with SAC default IP address LAN switch (internal) port settings in Bridge CLI in Bridge GUI LEDs see front-panel LEDs local authentication server logging on/off – Bridge CLI –...
  • Page 134 operator account see Bridge GUI, operator account – outdoor installation mast mounting – preconfiguration – requirements siting – weatherizing – passwords changing at installation – in Bridge CLI in Bridge GUI default CLI password GUI admin password GUI operator password security requirements ping in Bridge CLI...
  • Page 135 see Secure Automatic Configuration safety compliance – requirements see also specifications Secure Automatic Configuration adding a SAC network Bridge Bridge settings when unspecified deleting a SAC network Bridge deploying a new SAC network reconfiguring the SAC network SAC event logging Secure Clients compatibility Device IDs...
  • Page 136 traceroute in Bridge CLI in Bridge GUI – traffic statistics see also interface statistics transmit power settings – troubleshooting see also diagnostics – Trusted Devices adding in Bridge CLI – in Bridge GUI default settings deleting in Bridge CLI in Bridge GUI editing –...
  • Page 137 – weatherizing cover plate – requirements – RJ-45 connector boot Weatherizing Kit – installation – – WLAN command line utility WLAN settings see radio settings – WPA and WPA2 Fortress Bridge: Index...
  • Page 138: Glossary

    WiMAX, WirelessMAN™ or the Air Interface Standard. Access ID: In Fortress Technologies products, a user-defined, 16-digit hexadecimal value that provides network authentication for all devices authorized to communicate over a Fortress-secured network. Network authentication is one of the components of Multi-factor Authentication™.
  • Page 139 64 bits (56-bit encryption, 8 parity bits). NIST withdrew its FIPS-approval for DES on May 19, 2005. In Fortress Technologies products, the means by which MaPS/ACS controls network access at the level of individual devices, tracking them via their generated Device IDs...
  • Page 140 FIPS agencies. FIPS operating mode: In Fortress Technologies products, the operating mode that complies with FIPS 140-2. FISh: Fortress Interface Shell—formerly, the command-line interface for configuring and managing a Fortress controller device through a direct physical connection or a serial terminal application.
  • Page 141 Alternatively, in the Fortress Controller, devices given access on the encrypted (WLAN) side of the network as Trusted Devices, access points, or guests. host: In Fortress Technologies, devices on the unencrypted (LAN) side of the network. HTTP: Hypertext Transfer Protocol—used to transmit and receive all data over the World Wide Web.
  • Page 142 NIST ...ble for FIPS. NTLM: Windows NT LAN Manager—a user authentication protocol developed by Microsoft®. operating mode: In Fortress Technologies products, the way in which access controls and cryptographic processing are implemented on the Fortress-secured network. OSI: Open System Interconnection Model—an ISO standard that defines a networking framework for implementing data transfer and processing protocols in seven layers.
  • Page 143 Secure Client: Refer to ... Secure Client Bridge: Refer to ... Secure Client device: In Fortress Technologies products, a device such as a laptop, PDA, tablet PC, or barcode scanner, that has the Fortress Secure Client installed and configured to permit the device to communicate on the Fortress-secured network.
  • Page 144 UDP: User Datagram Protocol—defines a method for “best effort” delivery of data packets over a network that, like TCP, runs on top of IP but, unlike TCP, does not guarantee delivery or the order of delivery, or provide integrity checking. user authentication: The practice of requiring users to enter their assigned user IDs and established passwords and of checking the validity of these credentials before allowing them to connect to the network.
