To receive a complete machine-readable copy of the corresponding source code on CD, send $10 (to cover the costs of production and mailing) to: Fortress Technologies; 4023 Tampa Road, suite 2000; Oldsmar, FL 34677-3216. Please be sure to include a copy of your Fortress Technologies invoice and a valid “ship to”...
DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS...
Getting Help in the CLI
Command Syntax
Secure Automatic Configuration
Preconfiguring a New Network Deployment with SAC
Connecting the Bridges for Preconfiguration
Chapter 1 Introduction

Fortress Secure Wireless Access Bridge
The Fortress Secure Wireless Access Bridge is an all-in-one network access device with the most stringent security available today built in. It can serve as a wireless bridge, a WLAN access point, and an eight-port LAN switch, while performing all the functions of a Fortress controller device: encrypting wireless traffic and providing Multi-factor Authentication for devices on the network it protects.
1.1.1.2 Bridge CLI
The Bridge's command-line interface provides administration and monitoring functions via a command line. It is accessed over the network via the Bridge's IP address or through a terminal connected directly to the Bridge's serial

1.1.1.3 SNMP
The Bridge supports versions 1 and 2 of the Simple Network Management Protocol (SNMP) Internet standard for network management. Neither of these SNMP versions (v1/v2c) encrypts management traffic, and each authenticates requests only by a community string sent in the clear, so restrict SNMP access to trusted management hosts and change any default community strings before deployment.
3) User authentication requires the user of a connecting device to enter a recognized user name and valid credentials (a password, for example, or a digital certificate). The Fortress Security System can authenticate users locally or through existing user-authentication provisions.

1.3.2 Strong Encryption at the MAC Layer
Fortress ensures network privacy at the Media Access Control...
1.3.5 Deployment Options
The Fortress Security System is flexible and expandable.
Figure 1.1 Example Point-to-Multipoint Deployment of the Fortress Secure Wireless Access Bridge...
The Bridge can provide a secure edge for WLAN (or infrastructure-mode) deployments, as shown in Figure 1.1.

This Document
This user guide assumes its users have a level of expertise consistent with a professional Network Administrator.
1.4.1 Document Conventions
This is a task-oriented document, and the procedures it contains are, wherever possible, self-contained and complete in themselves.
Chapter 2 Installation

Introduction
The Fortress Secure Wireless Access Bridge is a full-featured Fortress controller device, providing strong data encryption and Multi-factor Authentication™, including native RADIUS authentication, to users and devices on the network it secures. The Bridge additionally comprises three independent network components that can be employed alone or simultaneously in any combination: Radio 1 is a tri-band 802.11a/b/g radio that can be...
RP-TNC connector and RP-TNC-to-N-type male connector adapter The availability and specifications of antennas offered for purchase from Fortress Technologies are subject to change. Contact your Fortress representative for details and pricing. 1. In outdoor installations, it is mandatory that the Bridge be powered with the EBU-101-01 PoE adapter (or equivalent).
2.2.2 Preparing the Network
Any Ethernet device (including hubs, switches and access points) directly connected to the Bridge must have auto-negotiation capability (and have the feature enabled), or link and/or packet loss could result. Refer to a device's documentation to configure its negotiation options. Secure Clients (and other Fortress Bridges) in communication with the Fortress Bridge must use the same encryption algorithm and must be assigned the same Access ID (as...
General: This equipment must be installed by qualified service personnel according to the applicable installation codes. Do not locate the Bridge or antennas near power lines or power circuits. When installing an external antenna, take extreme care not to come into contact with such circuits as they can cause serious injury or death.
PoE powered from a remote 802.3af (13 Watt) PoE midspan source.
Circuit Overloading: The Bridge includes a 48 V main resettable fuse specified at 1.8 A.
Lightning/Electrostatic Protection: ports conform to IEC 1000-4-5, 10 kV 8/20 µs waveform. The WAN port conforms to IEC 61000-4-2, 8 kV waveform, with 58 V additional transient protection.
Antennas must be installed to provide a separation of at least 20 cm (7.9") from all persons and any co-located antenna or transmitter. Regarding use in specific environments: do not operate near unshielded blasting caps or in an explosive environment. location to the constraints imposed by the location's safety director.
2.4.1 Connecting the Bridge for Preconfiguration Position the Bridge so that it operates only within its safe temperature range (14º–122º F/ Connect a waterproof, standard 802.11a/b/g-capable antenna with an N-type male connector to antenna port 1 ANT1 Connect an antenna cable with an N-type male connector between antenna port 2 ( omnidirectional or directional antenna.
Open a browser application on a computer on your LAN and, in the browser address field, enter the Bridge’s default IP address: 192.168.254.254 Log on to the Bridge GUI, entering and Password and then clicking (When prompted, agree to accept the security certificate.) From the main menu on the left choose on the screen:...
From the main menu, select screen, in the SECURITY SETTINGS section: In Current Access ID enter 16 zeros or the word default In New Access ID enter the 16-digit hexadecimal Access ID to be used by the Bridge and its Secure Clients.
If the Fortress Bridge is the root node in the point-to-point/ multipoint deployment, skip this step. If the Fortress Bridge is the non-root node in the point-to- point/multipoint deployment, choose the main menu and in Bridge Mode setting for Radio 2, choose , and click Non-Root...
After the Bridge reboots, change the CLI password (according to the instructions in Section 6.4.4.2) and configure unique SSIDs for the Bridge (according to the instructions in Section 3.3). If you want to use the received signal strength indicator (RSSI) to aim the antenna of a non-root Bridge, you may want to enable it now (refer to Section 3.3.2.7).
Slide the compression nut, with the threaded opening facing toward the connector, over the connector and onto the cable. Slide the compression bushing over the connector and onto the cable. Slide the threaded coupler, with the flanged end facing toward the compression nut and bushing, over the connector and onto the cable.
2.4.4 Mast Mounting the Bridge
The Mast-Mounting Kit accommodates masts from 1.5" to 3" in diameter. To install the Mast-Mounting Kit: Place the Bridge at the desired position on the mast, with the Bridge's underside facing toward the mast and the front panel facing down, as shown in Figure 2.4. Sandwich the mast between the underside of the Bridge and the mounting bracket, fitting the mast into the bracket's...
omnidirectional or directional antenna. The antenna and cable must be waterproof. Connect the Bridge's PoE (Power Sourcing Equipment/Power over Ethernet) source, which—if the or a DSL or cable modem—provides an in-line connection to the necessary network device. To plug in the RJ-45 connector with the boot assembly installed: orient the connector correctly with the WAN port, and then twist the outer ring of the connector boot clockwise until the channels in the ring align with the...
Position the Bridge so that it operates only within its safe temperature range (14º–122º F/ Connect a standard 802.11a/b/g-capable antenna with an N-type male connector to antenna port 1 ( Connect an antenna cable with an N-type male connector between antenna port 2 ( omnidirectional or directional antenna.
Chapter 3 Configuration

The Bridge GUI
The Fortress Wireless Access Bridge's graphical user interface provides access to Bridge administrative functions. Access Bridge GUI help screens by clicking on the main menu.
3.1.1 User Accounts
There are two user accounts on the Bridge GUI, and the predetermined names associated with them are not user-configurable.
The Bridge GUI opens on the Welcome screen. Configuration settings are accessed through the main menu links on the left of the screen.
3.1.3 Logging Off
To log off the Bridge GUI, click If you simply close the browser you have used to access the Bridge GUI, you will automatically be logged off.
3.2.1 Spanning Tree Protocol STP is a link management protocol that prevents bridging loops on the network while providing path redundancy. You should enable it only in deployments in which multiple OSI layer 2 paths to the same device(s)—i.e., bridging loops—are possible.
To reconfigure Bridge LAN settings: Log on to the Bridge GUI admin account and select the LAN settings screen from the menu on the left. On the LAN SETTINGS screen, enter new values into the relevant field(s). These include:
- Host name - a descriptive name for the Bridge
- LAN IP address - the network address of the Bridge
- LAN Subnet mask - the correct subnet mask for the Bridge
- Default gateway - the IP address of the default gateway...
Radio 1 is the tri-band 802.11a/b/g radio, which can be configured as an 802.11g or an 802.11a radio. Radio 2 always functions as an 802.11a radio. The RADIO SETTINGS fields are described in Sections 3.3.1 and 3.3.2; Section 3.3.3 provides step-by-step instructions to change them.
- Radios in Non-Root mode communicate with other Fortress Bridges (either directly with a root Bridge or with other non-root Bridges), as well as receiving connections from other non-root Bridges and wireless devices. Typically, one Bridge serves as the root node (or root Bridge) and all other Bridges in the deployment are configured as non-root nodes.
3.3.2.3 Distance
The Distance setting configures the maximum distance (from miles, in increments of 1 mile) for which the radio must adjust for the propagation delay of its transmissions.
Figure 3.1. Point-to-multipoint Bridge deployment with bridging radio
In a point-to-multipoint deployment, the Distance setting on the networked radios of all member Bridges should be the number of miles separating the two Bridges with the greatest unbridged distance between them.
3.3.2.5 Beacon Interval
The Bridge's radios transmit beacons at regular intervals to announce their presence on the network. You can configure the number of milliseconds between beacons in whole numbers between beacon. The default beacon interval is
3.3.2.6 Multicasting
Wireless is an inherently broadcast medium. A multicast packet, like any other, is broadcast (by the root Bridge) to all nodes (non-root Bridges) on the wireless network.
on the LAN SETTINGS screen of a non-root Bridge, the Multicast field for the radio with a Radio Mode setting of Bridge will be configurable. Refer to Section 3.2.1 for more information on STP.
3.3.2.7 Received Signal Strength Indicator
In outdoor, point-to-point/multipoint installations, the LED RSSI Monitor allows you to make the first adjustments to the directional antenna(s) of the non-root Bridge(s) in the network.
unconfigured VAPs for radios in the display frame on the ACCESS POINTS screen. You can view the settings that assign SSIDs (and associated settings) for the radio's VAPs in the frame on the INTERFACES screen, which also provides access to the fields that configure these settings. Sections 3.3.4.1 through 3.3.4.5 describe the fields available through the Edit...
Radio 1 is preconfigured with a default SSID of default SSID for Radio 2 is
3.3.4.2 Hide SSID and Accept G Only Options
To the right of the SSID field are two options that you can enable through their checkboxes:
- Hide SSID - Enabling this option deletes the SSID string from the packet headers of beacons and probe responses. Hiding the SSID is not a security control: associating clients still send the SSID in the clear in their probe and association requests, so anyone monitoring the channel can recover it. Rely on the VAP's Security Suite, not on a hidden SSID, to protect the network.
The security protocol(s) employed by the Bridge’s virtual access point are configured per VAP. Your selection in the Security Suite field of the V frame determines which fields are configurable OINT ETTINGS (and which are grayed-out) in the S frame (in the lower half of the same screen), as described below.
WEP Key Type - WEP keys can be composed of a (plaintext) passphrase or a hexadecimal string.
WEP Keys 1–4 - You must manually enter at least one static key to be used in Open WEP and Shared WEP transactions, within the specifications you set in the two fields above, which determine the usable key lengths for these fields. Note that WEP's RC4-based keying is cryptographically broken: a static WEP key can be recovered by a passive attacker using freely available tools, regardless of key length. Choose WEP only for legacy clients that cannot use WPA2, and keep such a VAP isolated from sensitive traffic.
WPA and WPA2 generate encryption keys dynamically and exchange keys automatically with connected devices at user-specified intervals. This interval is the only additional setting required for WPA security. Specify the interval in seconds in the WPA Rekey Period field. Whole numbers between inclusive, are allowed.
802.1X Server and LAN Port Settings
The Fortress Bridge can be used with an external 802.1X authentication server, and its internal switch ports can be individually configured to allow or block 802.1X traffic. The Fortress Bridge supports non-802.1X authentication through a separate and unrelated set of configuration settings.
In the 802.1X settings: In Server Address, enter the IP address of the network 802.1X authentication server (the default is In Server Port, enter the port used by the server for 802.1X requests (the default is In Auth Server Key, enter the shared key assigned to the Bridge in the 802.1X service.
The viewable, default security settings are shown below. 3.6.1 Operating Mode The Fortress Bridge can be operated in either of two modes: Normal (the default) or FIPS. FIPS operating mode is necessary for deployments and applications that are required to comply with the Federal Information Processing Standards (FIPS) for cryptographic modules.
If the Bridge fails any self-test on startup, it is rendered inoperable and must be returned to the vendor for repair or replacement. Only a designated Crypto Officer, as defined by the Federal Information Processing Standards, may perform administrative functions on the Bridge and its Secure Clients.
For information on setting encryption algorithms on Secure Clients, refer to your Fortress Secure Client user guide.
To change the Bridge encryption algorithm: Log on to the Bridge GUI admin account and select SECURITY SETTINGS. On the CRYPTO ALGORITHM SETTINGS screen, select the AES key length to be used to encrypt network data.
on Secure Clients, refer to your Fortress Secure Client user guide.
To change the Bridge's Access ID: Log on to the Bridge GUI admin account and select SECURITY SETTINGS. In the CHANGE ACCESS ID screen: Enter the Current Access ID. Enter a 16-digit hexadecimal number to serve as the New Access ID.
selected and, in the case of device authentication, when it has been globally enabled in the SECURITY SETTINGS. See Section 4.1 (Device Authentication) and Section 4.2 (User Authentication), in the next chapter.
3.6.6.1 Enabling/Disabling Authentication Globally
The Fortress Bridge has a built-in internal RADIUS server. The Bridge additionally supports an external RADIUS server.
The default Auth Server Key can optionally be changed, and it should be: a shared secret known from the documentation protects nothing. Selecting Local authentication enables the screens and fields that configure local authentication settings for both users and devices.
3.6.6.3 External Authentication Server
The Bridge can be integrated with an external Remote Authentication Dial-In User Service (RADIUS) server. It supports the open source FreeRADIUS.
3.6.6.4 Enabling/Disabling Device Authentication
On a Fortress Bridge configured for authentication, settings in the AUTHENTICATION OPTIONS frame of the AUTHENTICATION SETTINGS screen are enabled or disabled according to whether device authentication is included in the selection you make.
To enable/disable device authentication: Log on to the Bridge GUI admin account and select SECURITY SETTINGS. In the AUTHENTICATION SETTINGS...
To configure maximum authentication attempts: Log on to the Bridge GUI admin account and select SECURITY SETTINGS. In the AUTHENTICATION SETTINGS field, ensure that Under AUTHENTICATION OPTIONS, enter a whole number between 1 and 255 in the relevant field. Click Apply at the bottom of the screen. A device that exceeds the maximum allowable retry attempts to connect to the Bridge-secured network is locked out until the...
To enable/disable user session timeout login prompts: Log on to the Bridge GUI admin account and select SECURITY SETTINGS. In the AUTHENTICATION SETTINGS: Check the box to enable user session timeout prompts (the default). Clear the checkbox to disable user session timeout prompts. Click at the bottom of the screen.
To configure the default user authentication and device state for authenticating devices: Log on to the Bridge GUI admin account and select SECURITY SETTINGS. In the AUTHENTICATION SETTINGS, ensure that Local Auth is selected (see Sections 3.6.6.1 and 3.6.6.4, respectively). Under AUTHENTICATION OPTIONS...
Because the Bridge’s configuration settings could themselves be sensitive, Fortress Technologies recommends restoring them to their default values whenever the Bridge is to be shipped (or otherwise transported) out of a secured location.
3.10 Front-Panel Operation
The Fortress Bridge front panel is equipped with three recessed buttons: two switches (labeled Reset button.
3.10.1 Mode Selection from the Front Panel
The front-panel switches can be used to select the Bridge Mode of the Bridge's internal Radio 2 as well as to turn the Bridge's front-panel LEDs off and on (enable/disable blackout mode).
indicated by the when the new mode is selected. If you accidentally cycle past the Bridge Mode setting, continue pushing Stat2 When is flashing, press seconds to save the new Bridge Mode setting. The Stat2 LEDs will stop flashing and light solid green to indicate that you have successfully changed Radio 2’s Bridge Mode .
3.10.2 Rebooting the Bridge from the Front Panel To reboot the Fortress Bridge from the front-panel: Press and hold the Stat1 LED exhibits a slow green flash to indicate that the Bridge is rebooting. Release the button. After the Bridge reboots the green.
Chapter 4 Administration

Device Authentication
Device authentication is supported only for authentication. (When settings that configure device authentication are grayed out to reflect your selection.) On a Fortress-secured network with device authentication enabled, a unique Device ID is generated for each device connecting from an encrypted zone.
authenticate on the network. (Refer to Section 3.6.6.5 for detailed instructions.) If a device exceeds the maximum allowable retry attempts to connect to the Bridge-secured network, that device will be locked out until the device's State is reset. A device is locked out on every Bridge in a point-to-multipoint network, and you must change the device's State setting on every Bridge that handles traffic from the device.
Access user configurable settings for an authenticating device by clicking its Edit 4.1.2.1). Configurable settings include: Device Name - accepts up to 64 alphanumeric characters by which you can identify the device. If a device has a hostname associated with it (the hostname of a laptop running the Fortress Secure Client, for instance), that hostname is included for the device when it is first added to the...
On the DEVICE AUTHENTICATION screen, click the Edit button of the device for which you want to change settings. In the EDIT DEVICE frame, in which the device's current settings are displayed, enter new values into the relevant fields (described in Section 4.1.2). Click Update to apply the changes. The device's entry then reflects the changes.
on the AUTHENTICATION SETTINGS screen. SETTINGS On a Fortress Bridge-secured network, user authentication can be used by itself or combined with device authentication. The options that determine whether device authentication is enabled are also configured globally, in the frame of the SETTINGS 4.2.1 Maximum User Authentication Retries...
Session Timeout - sets the amount of time the user's device can be present on the network before the current session is ended and the user must log back in to re-establish the connection. Session Timeout is set in minutes, between 0 and 9999. A value of zero disables session timeout for that user (the device can be present on the network indefinitely without timing out).
On the USER AUTHENTICATION screen, click the Edit button of the user for which you want to change settings. In the EDIT USER frame, in which the account's current settings are displayed, enter new values into the relevant fields (described in Section 4.2.2). Click Update to apply the changes. The user's entry then reflects the changes.
4.2.2.3 Deleting a User Account
You can delete a user account at any time.
Trusted Devices Some wireless devices—IP phones, digital scales or printers, and APs, for example—are not equipped to run additional software such as the Fortress Secure Client. In order to allow such a device access to the encrypted zone, the Fortress Bridge must be configured to identify it as a Trusted Device —to which the narrowest possible access rules should be applied.
The section of the frame under shows the Trusted Device you added, with the settings you specified.
4.3.1 Editing Trusted Devices
You can edit the IP and MAC addresses of an existing Trusted Device and change its port settings, but you cannot change its TD Identifier.
4.3.2 Deleting Trusted Devices
You can delete Trusted Devices one at a time, or by selecting multiple devices for deletion. Log on to the Bridge GUI admin account and choose TRUSTED DEVICES. On the TRUSTED DEVICES frame, check the box(es) beside the Trusted Device(s) you wish to delete and click the delete button at the bottom of the frame.
Bridge’s password-protected accounts: Bridge GUI admin and operator accounts Bridge CLI account Fortress Technologies recommends backing up your Bridge configuration: when you first set up the Bridge immediately before you upgrade Bridge software or make...
Table 4.1. User Configured Settings Backed Up for the Bridge
function: network
- WAN port: encrypted/unencrypted
function: radios
- radio state: enable/disable
- radio band (Radio 1): 802.11g/802.11a
- radio mode: AP/Bridge
- multicasting: enable/disable
- LED RSSI monitor: enable/disable
- VAP SSIDs and related settings
- any created Wireless Extension Tools scripts
function: 802.1X
- 802.1X authentication server settings
- 802.1X LAN ports 1–8: 802.1X off/on...
4.5.1 Backing Up the Bridge Configuration
Log on to the Bridge GUI admin account and choose SYSTEM OPTIONS. On the SYSTEM OPTIONS screen, click SETTINGS. On the resulting screen: Optionally enter a Password to protect the backup file. Click Backup. On the system dialog, choose to save the file to disk. Because the backup carries the Bridge's account credentials and the other settings this guide treats as sensitive, set the password and store the file with the same care as the Bridge itself.
Bridge software that add new features, improve functionality and/or fix known bugs. Upgrade files may be shipped to you on CD-ROM or, more often, made available for download from your account on the Fortress Technologies website. www.fortresstech.com/support/products_updates.asp The Fortress Bridge is compatible with Fortress Secure Client versions 2.4 and higher.
Click Apply (Cancel ends the operation). Click on the system confirmation dialog. The frame displays Uploading file... (with crawling dots to indicate system activity), then changes to the Performing upgrade... status display, which presents a series of progress messages. When the process completes, the frame displays [DONE], and a system dialog prompts you to...
Rebooting the Bridge The reboot option power cycles the Bridge, ending all sessions and forcing Secure Client devices (and any other Fortress Bridges) in communication with the Bridge to re-key in order to start a new session. Log on to the Bridge GUI admin account and choose SYSTEM OPTIONS On the SYSTEM OPTIONS...
Chapter 5 Monitoring and Diagnostics

Statistics
The statistics screen displays statistics for overall encrypted-zone traffic, each of the Bridge's logical interfaces (including physical Ethernet ports and all configured virtual radio interfaces), as well as for each of the Bridge's internal radios.
5.1.1 Traffic Statistics The packets that the Fortress Bridge has transmitted to and received from the encrypted zone since cryptographic processing was last started are shown in the Encrypt - encrypted packets—the packets received from the unencrypted zone, encrypted, and then transmitted to the encrypted zone Decrypt - decrypted packets—the packets received from the encrypted zone, decrypted, and then transmitted to the...
- BYTES - the total number of bytes received/transmitted on the interface
- PACKETS - the total number of packets received/transmitted on the interface
- ERRORS - the total number of receive/transmit errors reported on the interface
5.1.3 Radio Statistics
Radio 1 is the tri-band 802.11a/b/g radio and Radio 2 is the higher-gain 802.11a radio.
Idle Since - the number of hours, minutes and seconds since the device was last active on the network.
Table 5.1. Commonly Seen Tracking State Codes
State: dynamic key exchange complete: secure connection
Each device entry has a checkbox that, when checked, resets the network session of that device when the button at the bottom of the screen is clicked.
AP Associations
The AP Associations screen provides information about devices currently connected through the Bridge's wireless interfaces.
Channel - identifies the channel, by number, over which the Bridge and the associated device are communicating, as selected for the radio being used (Section 3.3.2.1). Rate - provides a dynamic measurement of the data rate of the connection to the associated device, in megabits per second.
when Secure Clients contact and negotiate keys with the Fortress Bridge system configuration changes when cryptographic processing is restarted system and communication errors The log is allocated 500 Kbytes of memory and can contain a maximum of approximately 16,000 log messages (approximate because record sizes vary somewhat).
Diagnostics
Access Fortress Bridge diagnostic utilities by logging into the Bridge GUI admin account and selecting DIAGNOSTICS from the menu on the left. The version and build number of the firmware currently running on the Fortress Bridge, under DEVICE ID for each device on a Fortress-secured network and used, when applicable, for device authentication.
Generating a Diagnostics File
To assist in diagnosing a problem with your Bridge, the Customer Support team at Fortress Technologies may request that you generate a diagnostics file. The information collected from the Bridge is encrypted within the diagnostics file, so the file can be securely sent to Fortress Support as an e-mail attachment.
can exhibit: Stat2 solid green - The Bridge is operating in root mode. off - The Bridge is operating in non-root mode. can exhibit: fast green flash - The Bridge is passing cleartext (unencrypted data) in the encrypted zone. can exhibit: Fail Fail off - The...
Both upper and lower LEDs can exhibit: off - The associated radio is disabled (in the Bridge GUI or CLI). All four Radio LEDs can exhibit: solid amber - A firmware error has occurred. off - Both radios are disabled (in the Bridge GUI or CLI). 5.6.3 Port LEDs The Fortress Bridge’s Ethernet ports—including those for the...
Chapter 6 Command-Line Interface

Introduction
The Fortress Bridge CLI provides commands for managing the Fortress Bridge and the network it secures. You can access it through a direct connection to the Bridge's serial console port or, using Secure Shell (SSH), from any computer with access to the Bridge, i.e., any computer in the Bridge's unencrypted zone or a computer running the Fortress Secure Client.
6.1.1 CLI Administrative Modes
There are two administrative modes in the Bridge CLI. When you first access the CLI you are, by default, in Gateway mode, indicated by the [GW]> command prompt. In Gateway mode, you can manage the Bridge's Fortress controller device functions, including basic administration and security settings.
WSG login: sysadm
Password: <password>
Fortress Wireless Security Gateway
[GW]>
The login ID is sysadm. If you are changing the CLI password for the first time as part of an installation procedure (Chapter 2), use the default password, sysadm. To log off the CLI, use the
[GW]>...
Note that only those options available in the current administrative mode are displayed and that valid command options differ significantly between modes.
[AP]> show
Description: Displays Access Point information, configuration
Usage: show [args]. Possible args: associations radio radius ?|help
Several of the commands that change Bridge configuration settings can be run interactively.
Switch refers to the identifier, preceded by a dash (hyphen), for the argument to follow (ex., Switches allow permissible arguments to be entered in any combination and order. Angle brackets: indicate variable, user-supplied inputs (parameters and variable arguments), which are also italicized (ex., The absence of angle brackets and italics indicates literal (or fixed) user-supplied input (ex.,...
The CLI displays the configurable fields one at a time. Enter a new value for the field (or leave the field blank to keep the setting unchanged) and strike Enter to move to the next field. The final reboot query displays only when you have entered a value into at least one of the fields presented. Entering the 0 (zero) argument for the default gateway deletes the default gateway from the Bridge's network...
[AP]> show radio
[RADIO 1]
Radio State: On
Radio Band: 802.11g
Radio Mode: AP
Channel: 1
Tx Power: Auto
Distance: 1
Beacon Interval: 100
Preamble: Short
Multicast: On
RSSI Monitor: Off
[RADIO 2]
State: On
Radio Band: 802.11a
Radio Mode: Bridge
Bridge Mode: Root
Channel: 149
Tx Power: Auto...
[AP]> set radio 1
Radio state [on|off] (on):
Radio band [802.11g|802.11a] (802.11g): 802.11a [OK]
Reboot is required when changing radio band
Radio Mode [ap|bridge|ids] (ap): bridge [OK]
Bridge Mode [root|nonroot] (nonroot): nonroot
Radio is in nonroot mode...cannot set channel
Transmit Power [auto|1-18] (auto):
Distance in miles [1-35] (1): 3 [OK]
Beacon interval (ms) [25..1000] (100):...
The sample show radio output (at the beginning of this section) shows the default radio settings. As shown in the example, interactively reconfiguring radio settings requires that you reboot the Bridge in order to effect your changes. The show radio command is valid only in AP (access point) mode (refer to Section 6.1.1 for more detail).
6.4.3.1 Virtual Radio Interface Settings in the CLI
The Bridge CLI AP mode uses a submenu of commands to...
By default a single virtual access point ( each radio. The SSIDs associated with these two primary VAPs should never be left at their defaults (shown above). SSID strings can be up to 32 characters long. Configure VAP settings interactively by entering the command with just the number.
6.4.4.1 Changing Bridge GUI Passwords in the CLI
Which GUI password is set depends upon the username argument: admin sets the administrative password; operator sets the view-only password. Use the command as follows:
[GW]> set passwd web {admin|operator}
Enter Current Password: <oldpassword>
Enter New Password: <newpassword>
Re-enter New Password: <newpassword>
The default Bridge GUI admin password is operator password is GUI passwords must be at least eight characters long.
View the encryption algorithm (and the re-keying interval) in effect on the Bridge with show crypto:
[GW]> show crypto
CryptoEngine:AES256 ReKeyInterval:4
The show crypto command is valid only in GW mode (refer to Section 6.1.1 for more detail). The encryption algorithm that the Fortress Bridge and its Clients will use is set with
[GW]>...
6.4.5.4 Access ID in the CLI
The Access ID is a 16-digit hexadecimal ID that provides network authentication for the Fortress Security System. All of the Bridge's Secure Clients must be configured to use the same Access ID as the Bridge. For information on setting the Access ID on Secure Clients, refer to your Fortress Secure Client user guide.
6.4.5.7 SSH Access to the CLI
Secure Shell (SSH) is disabled on the Fortress Bridge by default. You can view the current SSH setting with:
[GW]> show ssh
To enable SSH, log on to the CLI (via a direct connection to the Bridge’s Console port) [GW]>...
6.4.6 System Date and Time in the CLI
View Bridge date and time settings with the command:
[GW]> show clock
Wkday Month DAY HR:MIN:SEC TimeZone YEAR
Set system date and time on the Fortress Bridge, using the twenty-four-hour clock and numerical date, through the set clock command, as follows: [GW]>...
Configure the Bridge interactively to authenticate users through an external RADIUS server with:
[GW]> set auth external
IPserver: 123.45.67.89
[OK] set Server IP
AuthKey: s3cr4ts5r6v7rk8y
[OK] set Authentication Key
The default RADIUS shared key is .... The RADIUS shared key can also be set non-interactively with: [GW]>...
6.4.9 802.1X Authentication Settings in the CLI
6.4.9.1 802.1X Authentication Server Settings
Support for 802.1X authentication on the Fortress Bridge, whether for wired or wireless devices, requires the use of an external 802.1X authentication service. Those WPA and WPA2 Security Suite settings that do not use PSK (pre-shared key mode) also require the use of an 802.1X authentication server.
In GW mode, use the show 8021X command to view the server settings:
[GW]> show 8021X
Lan1:off
Lan2:off
Lan3:off
Lan4:off
Lan5:off
Lan6:off
Lan7:off
Lan8:off
AuthServer:127.0.0.1
AuthPort:1812
The last two lines of output display the current 802.1X server settings. The LAN port settings shown are described in the next section (6.4.9.2).
6.4.9.2 Internal LAN Switch Port 802.1X Settings
You can individually configure each of the ports of the Bridge’s internal LAN switch to require that a connected device is an 802.1X supplicant successfully authenticated by the 802.1X authentication server configured for the Bridge (Section 6.4.9). View current LAN port settings with the [GW]>...
The commands that configure and delete Trusted Devices are valid only in GW (gateway) mode (refer to Section 6.1.1 for more detail).
6.5.1.1 Adding Trusted Devices in the CLI
Add Trusted Devices with the add td command:
[GW]> add td {-n <name>} {-ip <IPaddr>} {-m <MACaddr>} {-p any|<port1,port2,…>}
in which name is a descriptive identifier for the Trusted Device, ...
[GW]> set snmp -c <contact@domain.com> -l <locationName> -ro <roCmntyName> -rw <rwCmntyName>
Set Contact:OK
Set Location:OK
Set RO Community:OK
Set RW Community:OK
in which contact@domain.com is the contact address to which notifications will be sent, locationName identifies the location of the Bridge, roCmntyName is the read-only (RO) community name, and rwCmntyName is the read-write (RW) community name. You can include spaces in the location and SNMP community names by enclosing the input string in quotation marks.
[GW]> show device
Hostname:Fswab
DeviceID:4389C1B376B1AFDD
CryptoEngine:AES256
IP(Private):172.24.1.27
Ssh:Off
Gui:On
Auth:Off
Fips:On
The show device command is valid in GW mode (refer to Section 6.1.1 for more detail).
6.6.2 Viewing System Uptime in the CLI
The show uptime command displays the number of days, hours and minutes that the Fortress Bridge has been operating since its last boot: [GW]>...
Hosts (labeled Client) are numbered in the order they were added to the database, following the Bridge’s internal interfaces, and are listed by their MAC addresses. Below the list, a count of the entries in the database is given. You can flush the database of host (labeled Client) MAC addresses with the del command: [GW]>...
6.6.7 Pinging a Device
You can ping devices from the Bridge’s CLI. The Bridge pings three times and then displays the ping statistics.
[GW]> ping 123.45.6.78
PING 123.45.6.78 (123.45.6.78) from 123.45.6.89 : 56(84) bytes of data.
64 bytes from 123.45.6.78: icmp_seq=1 ttl=128 time=18.3 ms
64 bytes from 123.45.6.78: icmp_seq=2 ttl=128 time=23.0 ms
64 bytes from 123.45.6.78: icmp_seq=3 ttl=128 time=23.0 ms
--- 123.45.6.78 ping statistics ---...
[AP]> wlan wlanconfig -h
usage: wlanconfig wlanX create wlandev wifiX wlanmode [sta|adhoc|ap|monitor] [bssid | -bssid] [nosbeacon]
usage: wlanconfig wlanX destroy
6.7.1 Creating a Wireless Extension Tools Script
Configuration changes made with the WLAN Wireless Extension Tools are held in dynamic memory and do not persist through reboots of the Bridge.
6.8.1 Preconfiguring a New Network Deployment with SAC
All of the Bridges to be included in the new network must be at their factory-default settings. (Section 6.4.7 describes restoring the Bridge’s default settings from the Bridge CLI; Section 3.9 describes the same function in the Bridge GUI.)
6.8.1.1 Connecting the Bridges for Preconfiguration
Position the Bridges so that they operate only within their...
Allow all of the Bridges to boot before proceeding with SAC: the Stat1 front-panel LEDs light solid green, while the upper LEDs for both radios and the WAN port link/activity LEDs blink intermittently. Open a terminal application on the computer connected to the SAC master Bridge and, using the settings given in Section 6.1.2, open a session with the master Bridge.
Bridges. Alternatively, you can specify only a subnet and allow SAC to automatically generate all member IP addresses within that subnet, including that of the root/ master Bridge. The IP or subnet address you enter must fall within one of these reserved ranges: 10.0.0.0 172.16.0.0 192.168.0.0...
[GW]> set sac stop
SAC Stop Initiated. May take some time to complete...
Stopped SAC process successfully
Reboot_Of_Master(SrlNum:24656196)_Required_For_NewConfiguration(CfgId:19082)_To_Take_Into_Effect
Reboot_Of_SACPeer(SrlNum:24743196)_Required_For_Configuration_Change_From(OldCfgId:0)_To(NewCfgId:19082)_To_Take_Into_Effect
Reboot_Of_SACPeer(SrlNum:24773196)_Required_For_Configuration_Change_From(OldCfgId:0)_To(NewCfgId:19082)_To_Take_Into_Effect
Disconnect all of the Bridges’ WAN ports from the switch/hub used to connect them for the initial SAC operation. Power cycle each network Bridge by disconnecting and then reconnecting its external +48V DC power supply.
Similarly, the encryption algorithm and re-key interval in effect on the network can be viewed with show crypto (Sections 6.4.5.1 and 6.4.5.2, respectively). The Access ID cannot be displayed for security purposes (but it must match across all network Bridges). Use the show network command to view its IP address (Section 6.4.1), and the command to view the IP addresses of slave/non-root Bridges.
SeriallNum|IpAddress|CfgID|PeerNum|PeerSACStatus|PeerSACState|PeerSACVer
24773196|172.24.0.4|19082|2|SAC_PEER_CONFIRMED|SAC_COMPLETE_4PEER|SAC_VER_PEGASUS_ARCH1
24743196|172.24.0.3|19082|1|SAC_PEER_CONFIRMED|SAC_COMPLETE_4PEER|SAC_VER_PEGASUS_ARCH1
To save the new configuration, enter:
[GW]> set sac stop
SAC Stop Initiated. May take some time to complete...
Stopped SAC process successfully
Reboot_Of_Master(SrlNum:24656196)_Required_For_NewConfiguration(CfgId:42550)_To_Take_Into_Effect
Reboot_Of_SACPeer(SrlNum:24773196)_Required_For_Configuration_Change_From(OldCfgId:19082)_To(NewCfgId:42550)_To_Take_Into_Effect
Reboot_Of_SACPeer(SrlNum:24743196)_Required_For_Configuration_Change_From(OldCfgId:19082)_To(NewCfgId:42550)_To_Take_Into_Effect
As the output informs you, you must reboot the Bridges in the network for the new configuration to take effect.
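A pre-reboot check for the SAC reconfiguration described above, added here as an example that is not part of the Fortress manual or product: it parses the peer table and the set sac stop output and confirms that every peer is confirmed and complete, and that each peer's reboot line moves it from the CfgID shown in the table to the master's new CfgId, before you power-cycle. The sample text is constructed from the values the manual prints; the function names are the example's own.

```python
import re
# Constructed samples of the `show sac` peer table and the `set sac stop` output,
# built from the values in the manual's example; not captured from a live Bridge.
PEER_TABLE = """\
SeriallNum|IpAddress|CfgID|PeerNum|PeerSACStatus|PeerSACState|PeerSACVer
24773196|172.24.0.4|19082|2|SAC_PEER_CONFIRMED|SAC_COMPLETE_4PEER|SAC_VER_PEGASUS_ARCH1
24743196|172.24.0.3|19082|1|SAC_PEER_CONFIRMED|SAC_COMPLETE_4PEER|SAC_VER_PEGASUS_ARCH1
"""
STOP_OUTPUT = """\
Reboot_Of_Master(SrlNum:24656196)_Required_For_NewConfiguration(CfgId:42550)_To_Take_Into_Effect
Reboot_Of_SACPeer(SrlNum:24773196)_Required_For_Configuration_Change_From(OldCfgId:19082)_To(NewCfgId:42550)_To_Take_Into_Effect
Reboot_Of_SACPeer(SrlNum:24743196)_Required_For_Configuration_Change_From(OldCfgId:19082)_To(NewCfgId:42550)_To_Take_Into_Effect
"""

MASTER_RE = re.compile(r"Reboot_Of_Master\(SrlNum:(\d+)\)_Required_For_NewConfiguration\(CfgId:(\d+)\)")
PEER_RE = re.compile(r"Reboot_Of_SACPeer\(SrlNum:(\d+)\)_Required_For_Configuration_Change_From"
                     r"\(OldCfgId:(\d+)\)_To\(NewCfgId:(\d+)\)")

def parse_peer_table(text):
    """Split the pipe-delimited peer table into one dict per peer, keyed by the header names."""
    rows = [line.split("|") for line in text.splitlines() if line.strip()]
    return [dict(zip(rows[0], row)) for row in rows[1:]]

def parse_stop_output(text):
    """Return (master's new CfgId, {peer serial: (old CfgId, new CfgId)}) from set sac stop output."""
    master_cfg, peers = None, {}
    for line in text.splitlines():
        m = MASTER_RE.match(line)
        if m:
            master_cfg = m.group(2)
        m = PEER_RE.match(line)
        if m:
            peers[m.group(1)] = (m.group(2), m.group(3))
    return master_cfg, peers

def sac_problems(peer_table_text, stop_text):
    """List every reason the network is not ready to power-cycle; an empty list means all clear."""
    problems = []
    master_cfg, reboots = parse_stop_output(stop_text)
    if master_cfg is None:
        return ["no master reboot line: set sac stop produced no new CfgId"]
    for p in parse_peer_table(peer_table_text):
        serial = p["SeriallNum"]  # header spelling as printed by the Bridge
        if (p["PeerSACStatus"], p["PeerSACState"]) != ("SAC_PEER_CONFIRMED", "SAC_COMPLETE_4PEER"):
            problems.append(f"peer {serial}: {p['PeerSACStatus']}/{p['PeerSACState']}")
        if serial not in reboots:
            problems.append(f"peer {serial}: no reboot line, so it will not get the new configuration")
        elif reboots[serial] != (p["CfgID"], master_cfg):
            problems.append(f"peer {serial}: CfgId change {reboots[serial]} does not match table/master")
    return problems
```

Run sac_problems on the two captures from the master's CLI; an empty list means every peer will reboot into the same CfgId as the master, otherwise fix the listed peer before disconnecting the WAN ports.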
[GW]> show sac
SwabSerialNum:24743196
SwabConfigID:0
SwabSACRole:SAC_SLAVE
SwabSACState:SAC_INIT4SWAB
SwabSACVer:SAC_VER_PEGASUS_ARCH1
Log off the new Bridge’s CLI and disconnect the port cable. Log onto the Bridge CLI of the master/root Bridge and add the new Bridge’s serial number to the master Bridge’s SAC Peer list, with the [GW]>...
Disconnect the WAN ports of the new and master Bridges. Power cycle the new Bridge. The new Bridge is ready to be deployed on the network.
6.8.3.2 Deleting a Bridge from a SAC Network
You can view the current list of SAC Peers from the master/root Bridge’s CLI with [GW]>...
Chapter 7 Specifications
7.1 Hardware Specifications
7.1.1 Performance
unencrypted throughput: up to 23 Mbps
encrypted throughput: up to 10 Mbps
7.1.2 Physical
form factor: compact, rugged desktop chassis...
dimensions:
connections:
power supply:
system indicators:
7.1.3 Environmental
maximum AC draw:
maximum heat dissipation:
operating temperature:
operating relative humidity (non-condensing):
storage temperature:
Fortress Bridge: Fortress Security System Overview
7.1.4 Compliance
7.1.5 Logical Interfaces
The physical connections described in Section 7.1.2 are identified as logical interfaces, as defined by FIPS 140-2, in the table below:
Logical Interface
RJ-45-to-DB9 Console Port Adapter
An RJ-45-to-DB9 adapter (included with each Bridge) is required in order to make the Bridge’s terminal connection.
the wide side up, pins are numbered from right to left, top to bottom.
Figure 7.1 RJ-45 and DB9 Pin Numbering
Table 7.1 shows the adapter pin-outs.
Table 7.1. RJ-45-to-DB9 Adapter Pin-Outs
RJ-45 pin | DB9 pin | standard color
grey...
Chapter 8 Troubleshooting
Problem
• You are unable to access the Bridge GUI.
• You are unable to access the Bridge CLI.
Solution
Verify the Bridge’s physical connection:
• from an Ethernet port on a computer or a network switch to one of the Bridge’s unencrypted internal LAN ports.
Problem
• The Bridge is not allowing traffic to pass.
• A Secure Client device cannot communicate with the Bridge.
• After the Bridge is restarted, some Secure Clients do not immediately resume processing.
• In a point-to-point/multipoint deployment, Secure Clients receive excessive login prompts.
• An upgrade process simply fails to complete, or fails with the message: Failed to decrypt...
WiMAX, WirelessMAN™ or the Air Interface Standard.
Access ID: In Fortress Technologies products, a user-defined, 16-digit hexadecimal value that provides network authentication for all devices authorized to communicate over a Fortress-secured network. Network authentication is one of the components of Multi-factor Authentication™.
64 bits (56-bit encryption, 8 parity bits). NIST withdrew its FIPS-approval for DES on May 19, 2005. In Fortress Technologies products, the means by which MaPS/ACS controls network access at the level of individual devices, tracking them via their generated Device IDs...
FIPS agencies.
FIPS operating mode: In Fortress Technologies products, the operating mode that complies with FIPS 140-2.
FISh: Fortress Interface Shell—formerly, the command-line interface for configuring and managing a Fortress controller device through a direct physical connection or a serial terminal application.
guest: Alternatively, in the Fortress Controller, devices given access on the encrypted (WLAN) side of the network as Trusted Devices, access points, or guests.
host: In Fortress Technologies, devices on the unencrypted (LAN) side of the network.
HTTP: Hypertext Transfer Protocol—used to transmit and receive all data over the World Wide Web.
NIST ble for FIPS.
NTLM: Windows NT LAN Manager—a user authentication protocol developed by Microsoft®.
operating mode: In Fortress Technologies products, the way in which access controls and cryptographic processing are implemented on the Fortress-secured network.
OSI: Open System Interconnection Model—an ISO standard that defines a networking framework for implementing data transfer and processing protocols in seven layers.
Secure Client Refer to Secure Client Bridge Refer to
Secure Client device: In Fortress Technologies products, a device such as a laptop, PDA, tablet PC, or barcode scanner, that has the Fortress Secure Client installed and configured to permit the device to communicate on the Fortress-secured network.
UDP: User Datagram Protocol—defines a method for “best effort” delivery of data packets over a network that, like TCP, runs on top of IP but, unlike TCP, does not guarantee the order of delivery or provide integrity checking.
user authentication: The practice of requiring users to enter their assigned user IDs and established passwords and of checking the validity of these credentials before allowing them to connect to the network.