Packet Filtering Policy; Mobility And Roaming; Network Availability - Extreme Networks Summit WM20 User Manual

Version 4.2

Packet Filtering Policy

Policy refers to the rules that allow different groups of users access to the network. The Summit WM
Controller, Access Points and Software system can link authorized users to user groups. These user
groups then can be confined to predefined portions of the network.
In the Summit WM Controller, Access Points and Software system, network access policy is carried out
by means of packet filtering within a WM-AD.
In the Summit WM Controller user interface, you set up a packet filtering policy by defining a set of
hierarchical rules that allow or deny traffic to specific IP addresses, IP address ranges, or service ports.
The sequence and hierarchy of these filtering rules must be carefully designed based on your enterprise
user access plan.
The authentication technique selected determines how filtering is carried out:
- If authentication is by SSID and Captive Portal, a non-authenticated filter allows all users to get as
  far as the Captive Portal Web page, where logon authentication occurs. When authentication is
  returned, then filters are applied, based on user ID and permissions.
- If authentication is by AAA (802.1x), users have logged on and have been authenticated before being
  assigned an IP address. When authentication is completed, the authenticated filter is assigned by
  default unless a more user-specific filter is returned or indicated by the authentication mechanism.
The characteristics and level of access for a filter are controlled and defined by the system
administrator.
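
The sketch below is an added example, not taken from the manual or from Extreme Networks software. It shows why rule sequence matters and how to check a rule list for entries that can never fire. It assumes top-down, first-match evaluation with an implicit default deny; the `Rule` model, the filter names and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:                      # hypothetical rule model, not the controller's format
    action: str                  # "allow" or "deny"
    network: str                 # destination in CIDR form
    port: Optional[int] = None   # None means any service port

    def matches(self, dst_ip, dst_port):
        in_net = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.network)
        return in_net and (self.port is None or self.port == dst_port)

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        net_ok = ipaddress.ip_network(other.network).subnet_of(
            ipaddress.ip_network(self.network))
        return net_ok and (self.port is None or self.port == other.port)

def evaluate(rules, dst_ip, dst_port, default="deny"):
    """Assumed semantics: the first matching rule decides; otherwise default."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.action
    return default

def shadowed(rules):
    """Return (index, earlier_index) pairs for rules hidden by an earlier rule."""
    found = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if rules[j].covers(rule):
                found.append((i, j))
                break
    return found

# Constructed sample filters (addresses are placeholders)
NON_AUTH = [
    Rule("allow", "10.0.0.10/32", 443),  # Captive Portal Web page
    Rule("allow", "10.0.0.2/32", 53),    # DNS needed to reach the portal
    Rule("deny", "0.0.0.0/0"),
]
AUTH_GOOD = [
    Rule("deny", "10.0.9.0/24"),         # restricted segment, listed first
    Rule("allow", "10.0.0.0/8"),
    Rule("deny", "0.0.0.0/0"),
]
AUTH_BAD = [AUTH_GOOD[1], AUTH_GOOD[0], AUTH_GOOD[2]]  # same rules, allow first
```

Running `shadowed()` over a planned rule list before it is entered in the user interface flags a narrow deny placed below a broader allow, which is the ordering mistake `AUTH_BAD` models.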

Mobility and Roaming

In typical configurations that are not Summit WM, APs are set up as bridges that bridge wireless traffic
to the local subnet. In bridging configurations, the user obtains an IP address from the same subnet as
the AP. If the user roams between APs on the same subnet, it is able to keep using the same IP address.
However, if the user roams to another AP outside of that subnet, its IP address is no longer valid. The
user's client device must recognize that the IP address it has is no longer valid and re-negotiate a new
one on the new subnet. The protocol does not mandate any action on the user. The recovery procedure
is entirely client dependent. Some clients automatically attempt to obtain a new address on roam (which
affects roaming latency), while others will hold on to their IP address. This loss of IP address continuity
seriously affects the client's experience in the network, because in some cases it can take minutes for a
new address to be negotiated.
The Summit WM Controller, Access Points and Software solution centralizes the user's network point of
presence, thereby abstracting and decoupling the user's IP address assignment from that of the AP's
location subnet. That means that the user is able to roam across any AP without losing its own IP
address, regardless of the subnet on which the serving APs are deployed.

Network Availability

The Summit WM Controller, Access Points and Software provides availability against Wireless AP
outages, Summit WM Controller outages, and even network outages. The Summit WM Controller in a
VLAN bridged WM-AD can potentially allow the user to retain the IP address in a failover scenario, if
the WM-AD/VLAN is common to both controllers. For example, availability is provided by defining a
paired controller configuration by which each peer can act as the backup controller for the other's APs.
APs in one controller are allowed to failover and register with the alternate controller.
Summit WM20 User Guide, Software Release 4.2
Summit WM Controller, Access Points and Software and Your Network
29
