Extreme Networks Altitude 3500 Series Product Reference Manual

Software version 2.6

Altitude™ 3500 Series Access Point
Product Reference Guide
Software Version 2.6
Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800
http://www.extremenetworks.com
Published: February 2012
Part Number: 120759-00 Rev 01

Summary of Contents for Extreme Networks Altitude 3500 Series

  • Page 2 Unified Access Architecture, Unified Access RF Manager, UniStack, XNV, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Extreme Turbodrive logo, the Summit logos, and the Powered by ExtremeXOS logo are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and/or other countries.
  • Page 3: Table Of Contents

    Table of Contents
    About This Guide, p. 11; Introduction, p. 11; Document Conventions, p. 11; Notational Conventions, p. 11; Chapter 1: Introduction, p. 13; New Features, p. 14; WIPS Support, p. 14; Trusted Host Management, p. 14; Apache Certificate Management, p. 15; Adaptive AP, p. 15; Rogue AP Detection Enhancement, p. 15; RADIUS Time-Based Authentication, p. 15; QBSS Support, p. 16; Feature Overview, p. 16; Single or Dual Mode Radio Options, p. 17...
  • Page 4 On-board RADIUS Server Authentication, p. 27; Hotspot Support, p. 27; Routing Information Protocol (RIP), p. 28; Manual Date and Time Settings, p. 28; Dynamic DNS, p. 28; Auto Negotiation, p. 28; Theory of Operations, p. 28; Wireless Coverage, p. 29; MAC Layer Bridging, p. 30; Media Types, p. 30; Direct-Sequence Spread Spectrum, p. 30; MU Association Process, p. 31; Operating Modes, p. 32; Management Access Options, p. 32; Altitude 35xx MAC Address Assignment, p. 32...
  • Page 5 Where to Go from Here?, p. 65; Chapter 4: System Configuration, p. 67; Configuring System Settings, p. 68; Adaptive AP Setup, p. 70; Configuring Data Access, p. 72; Defining Trusted Hosts, p. 76; Managing Certificate Authority (CA) Certificates, p. 78; Importing a CA Certificate, p. 78; Creating Self Certificates for Accessing the VPN, p. 79; Creating a Certificate for Onboard RADIUS Authentication, p. 82; Apache Certificate Management, p. 84; Configuring SNMP Settings, p. 86...
  • Page 6 Configuring WPA/WPA2 Using TKIP, p. 183; Configuring WPA2-CCMP (802.11i), p. 185; Configuring Firewall Settings, p. 188; Configuring LAN to WAN Access, p. 189; Available Protocols, p. 192; Configuring Advanced Subnet Access, p. 192; Configuring VPN Tunnels, p. 194; Configuring Manual Key Settings, p. 197; Configuring Auto Key Settings, p. 200; Configuring IKE Key Settings, p. 202; Viewing VPN Status, p. 205; Configuring Content Filtering Settings, p. 207; Configuring Rogue AP Detection, p. 210...
  • Page 7 Network WAN, Dynamic DNS Commands, p. 316; Network Wireless Commands, p. 320; Network WLAN Commands, p. 321; Network Security Commands, p. 334; Network ACL Commands, p. 346; Network Radio Configuration Commands, p. 351; Network Quality of Service (QoS) Commands, p. 370; Network Wireless Rate-Limiting Commands, p. 375; Network Rogue-AP Commands, p. 378; WIPS Commands, p. 388; Network MU Locationing Commands, p. 391; Network Firewall Commands, p. 394; Network Router Commands, p. 399...
  • Page 8 Chapter 10: Adaptive AP, p. 551; Adaptive AP Overview, p. 551; Where to Go From Here, p. 552; Adaptive AP Management, p. 552; Types of Adaptive APs, p. 553; Licensing, p. 553; Controller Discovery, p. 553; Auto Discovery using DHCP, p. 553; Manual Adoption Configuration, p. 554; Securing a Configuration Channel Between Controller and AP, p. 554; Adaptive AP WLAN Topology, p. 555; Configuration Updates, p. 555; Securing Data Tunnels between the Controller and AAP, p. 555...
  • Page 9 Configuring a Cisco VPN Device, p. 586; Frequently Asked VPN Questions, p. 587; Appendix C: Customer Support, p. 593; Registration, p. 593; Documentation, p. 593
  • Page 11: About This Guide

    Access Point and Altitude 3550 Access Point. NOTE Check for the latest versions of documentation on the Extreme Networks documentation website at: http://www.extremenetworks.com/go/documentation. For the purposes of this guide, the devices will be called the generic term “access point” when identical configuration activities are applied to both models.
  • Page 12 Bullets (•) indicate:
    ● action items
    ● lists of alternatives
    ● lists of required steps that are not necessarily sequential
    Sequential lists (those describing step-by-step procedures) appear as numbered lists.
  • Page 13: Chapter 1: Introduction

    Web UI displays Altitude 3510 or Altitude 3550 specifically. NOTE Check for the latest versions of documentation on the Extreme Networks documentation website at: http://www.extremenetworks.com/go/documentation.
  • Page 14: New Features

    New Features
    The following new features have been introduced in the 2.x release:
    ● WIPS Support on page 14
    ● Trusted Host Management on page 14
    ● Apache Certificate Management on page 15
    ● Adaptive AP on page 15
    ● Rogue AP Detection Enhancement on page 15
    ...
  • Page 15: Apache Certificate Management

    An adaptive AP (AAP) is an Altitude 35xx access point that can adopt like an Altitude 4600 access point (L3). The management of an AAP is conducted by a controller, once the access point connects to an Extreme Networks controller and receives its AAP configuration. An AAP provides: local 802.11 traffic termination...
  • Page 16: Qbss Support

    QBSS Support
    Each access point radio can be configured to optionally allow the access point to communicate channel usage data to associated devices and define the beacon interval used for channel utilization transmissions. The QBSS load represents the percentage of time the channel is in use by the access point and the access point’s station count.
  • Page 17: Single Or Dual Mode Radio Options

    ● Manual Date and Time Settings on page 28
    ● Dynamic DNS on page 28
    ● Auto Negotiation on page 28
    Single or Dual Mode Radio Options
    Two possible configurations are available on the access point. Altitude 3510-US (part number 15720) and Altitude 3510-ROW (part number 15721) are manufactured as dual-radio access points; the access point enables you to configure one radio for 802.11a support, and the other for 802.11b/g support.
  • Page 18: Sixteen Configurable Wlans

    For an overview of the Radio 1 (2.4 GHz) and Radio 2 (5 GHz) antennas supported on the access point’s connectors, see “Antenna Specifications” on page 573. The Altitude 3550 model access point uses an antenna suite primarily suited for outdoor use.
    Sixteen Configurable WLANs
    A Wireless Local Area Network (WLAN) is a data-communications system that flexibly extends the functionalities of a wired LAN.
  • Page 19: Industry Leading Data Security

    WMM defines four access categories—voice, video, best effort and background—to prioritize traffic for enhanced multimedia support. For detailed information on configuring QoS support for Altitude 35xx, see “Setting the WLAN Quality of Service (QoS) Policy” on page 142.
    Industry Leading Data Security
    The Altitude 35xx access point supports numerous encryption and authentication techniques to protect the data transmitting on the WLAN.
  • Page 20: Eap Authentication

    EAP Authentication
    The Extensible Authentication Protocol (EAP) feature provides access points and their associated MUs an additional measure of security for data transmitted over the wireless network. Using EAP, authentication between devices is achieved through the exchange and verification of certificates. EAP is a mutual authentication method whereby both the MU and AP are required to prove their identities.
  • Page 21: Keyguard Encryption

    KeyGuard Encryption
    Use KeyGuard to shield the master encryption keys from being discovered through hacking. KeyGuard negotiation takes place between the access point and MU upon association. The access point can use KeyGuard with Motorola MUs. KeyGuard is only supported on Motorola MUs. For detailed information on KeyGuard configurations, see “Configuring KeyGuard Encryption”...
  • Page 22: Vpn Tunnels

    VPN Tunnels
    Virtual Private Networks (VPNs) are IP-based networks using encryption and tunneling providing users remote access to a secure LAN. In essence, the trust relationship is extended from one LAN across the public network to another LAN, without sacrificing security. A VPN behaves like a private network; however, because the data travels through the public network, it needs several layers of security.
  • Page 23: Updatable Firmware

    “Configuring SNMP Settings” on page
    Power-over-Ethernet Support
    When users purchase an Extreme Networks WLAN solution, they often need to place access points in obscure locations. In the past, a dedicated power source was required for each access point in addition to the Ethernet infrastructure.
  • Page 24: Voice Prioritization

    For detailed information on configuring an Altitude 35xx WLAN to disallow MU to MU communications, see “Creating/Editing Individual WLANs” on page 135.
    Voice Prioritization
    Each Altitude 35xx access point WLAN has the capability of having its QoS policy configured to prioritize the network traffic requirements for associated MUs.
  • Page 25: Transmit Power Control

    Transmit Power Control
    The access point has a configurable power level for each radio. This enables the network administrator to define the antenna’s transmission power level in respect to the access point’s placement or network requirements as defined in the site survey. For detailed information on setting the radio transmit power level, see “Configuring the 802.11a or 802.11b/g Radio”...
  • Page 26: Multi-Function Leds

    The DHCP client automatically sends a DHCP request at an interval specified by the DHCP server to renew the IP address lease as long as the access point is running (this parameter is programmed at the DHCP server). For example: Windows 2000 servers typically are set for 3 days.
    Multi-Function LEDs
    An Altitude 3510 model access point has seven LED indicators.
  • Page 27: Additional Lan Subnet

    For an overview on mesh networking as well as details on configuring the access point’s mesh networking functionality, see “Configuring Mesh Networking” on page 519.
    Additional LAN Subnet
    In a typical retail or small office environment (wherein a wireless network is available along with a production WLAN) it is frequently necessary to segment a LAN into two subnets.
  • Page 28: Routing Information Protocol (Rip)

    For detailed information on configuring the access point for Hotspot support, see “Configuring WLAN Hotspot Support” on page 146.
    Routing Information Protocol (RIP)
    RIP is an interior gateway protocol that specifies how routers exchange routing-table information. The parent Router screen also allows the administrator to select the type of RIP and the type of RIP authentication used.
  • Page 29: Wireless Coverage

    Altitude 35xx access point can either transmit in the 2.4 to 2.5-GHz frequency range (802.11b/g radio) or the 5 GHz frequency range (802.11a radio); the actual range is country-dependent. Extreme Networks devices, like other Ethernet devices, have unique, hardware encoded Media Access Control (MAC) or IEEE addresses.
  • Page 30: Mac Layer Bridging

    MAC Layer Bridging
    The access point provides MAC layer bridging between its interfaces. The access point monitors traffic from its interfaces and, based on frame address, forwards the frames to the proper destination. The access point tracks source and destination addresses to provide intelligent bridging as MUs roam or network topologies change.
  • Page 31: Mu Association Process

    Intercepting and decoding a direct-sequence transmission requires a predefined algorithm to associate the spreading code used by the transmitting access point to the receiving MU. This algorithm is established by IEEE 802.11 specifications. The bit redundancy within the chipping sequence enables the receiving MU to recreate the original data pattern, even if bits in the chipping sequence are corrupted by interference.
  • Page 32: Operating Modes

    Operating Modes
    The access point can operate in a couple of configurations.
    ● Access Point—As an Access Point, the access point functions as a layer 2 bridge. The wired uplink can operate as a trunk and support multiple VLANs. Up to 16 WLANs can be defined. Each WLAN can be configured to be broadcast by one or both Altitude 35xx radios.
  • Page 33
    ● LAN2—A virtual LAN not mapped to the LAN Ethernet port. This address is the lowest of the two radio MAC addresses.
    ● Radio1 (802.11bg)—Random address located on the Web UI, CLI and SNMP interfaces.
    ● Radio2 (802.11a)—Random address located on the Web UI, CLI and SNMP interfaces.
    ...
  • Page 35: Chapter 2: Hardware Installation

    ● Setting Up MUs on page 54
    CAUTION Extreme Networks recommends conducting a radio site survey prior to installing an access point. A site survey is an excellent method of documenting areas of radio interference and providing a tool for device placement.
    Precautions
    Before installing an Altitude 3510 or Altitude 3550 model access point verify the following: Do not install an Altitude 3510 or Altitude 3550 in wet or dusty areas without additional protection.
  • Page 36: Available Product Configurations

    CAUTION If installing the Altitude 3550 in an outdoor area prone to high winds and rain, Extreme Networks recommends using the Altitude 3550 Heavy Weather Kit (Part No. 15732). This kit shields an Altitude 3550 from wind and rain damage resulting from driving rain.
  • Page 37: Requirements

    ● Point the access point antenna(s) downward if attaching to the ceiling.
    To maximize the access point’s radio coverage area, Extreme Networks recommends conducting a site survey to define and document radio interference obstacles before installing the access point.
  • Page 38: Site Surveys

    Two antennas per radio provides diversity that can improve performance and signal reception. Extreme Networks supports two antenna suites for the Altitude 3510. One antenna suite supporting the 2.4 GHz band and another antenna suite supporting the 5 GHz band.
  • Page 39: Altitude 3550 Antenna Options

    Radio 2 antenna connectors. Two antennas per radio provides diversity that can improve performance and signal reception. Extreme Networks supports two antenna suites for the Altitude 3550. One antenna suite supporting the 2.4 GHz band and another antenna suite supporting the 5 GHz band. Select an antenna model best suited to the intended operational environment of your Altitude 3550.
  • Page 40: Power Tap Systems

    An Altitude 3550 model access point cannot use the Altitude 3510 recommended 48-Volt Power Supply (Part No. 15728). Extreme Networks recommends the Power Tap (Part No. 15729) for use with an Altitude 3550 and its intended outdoor deployment.
    Power Tap Systems
    An Altitude 3510 or Altitude 3550 access point can receive power via an Ethernet cable connected to the access point’s LAN port (using 802.3af).
  • Page 41: Cabling The Power Tap

    ● Keep the unit away from excessive heat, humidity, vibration and dust.
    ● The Power Tap is not a repeater, and does not amplify the Ethernet data signal. For optimal performance, ensure the unit is placed as close as possible to the network data port.
    Cabling the Power Tap
    To install a Power Tap to an Ethernet data source and access point:
    CAUTION...
  • Page 42: Desk Mounted Installations

    Refer to the following, depending on how you intend to mount the Altitude 3510:
    ● Desk Mounted Installations on page 42
    ● Wall Mounted Installations on page 43
    ● Suspended Ceiling T-Bar Installations on page 44
    ● Above the Ceiling (Plenum) Installations on page 46
    ...
  • Page 43: Wall Mounted Installations

    c Connect the power supply line cord to the power adapter.
    d Attach the power adapter cable into the power connector on the Altitude 3510.
    e Plug the power adapter into an outlet.
    5 Verify the behavior of the Altitude 3510 LEDs. For more information, see “Altitude 3510 LED Indicators”...
  • Page 44: Suspended Ceiling T-Bar Installations

    If the Altitude 3510 is utilizing remote management antennas, a wire cover can be used to provide a clean finished look to the installation. Contact Extreme Networks for more information. 9 Verify the behavior of the Altitude 3510 LEDs. For more information, see “Altitude 3510 LED...
  • Page 45 CAUTION Both the Dual and Single Radio model Altitude 3510s use RSMA type antenna connectors. On a Dual Radio Altitude 3510, a single dot on the antenna connector indicates the primary antenna for both Radio 1 (2.4 GHz) and Radio 2 (5 GHz). Two dots designate the secondary antenna for both Radio 1 and Radio 2. On Single Radio models, a single dot on the antenna connector indicates the primary antenna for Radio 1, and two dots designate the secondary antenna for Radio 1.
    4 Cable the Altitude 3510 using an approved line cord and power supply.
  • Page 46: Above The Ceiling (Plenum) Installations

    12.7mm (0.5in.) or a suspended ceiling tile with an unsupported span greater than 660mm (26in.). Extreme Networks strongly recommends fitting the Altitude 3510 with a safety wire suitable for supporting the weight of the device. The safety wire should be a standard ceiling suspension cable or equivalent steel wire between 1.59mm (.062in.) and 2.5mm (.10in.) in diameter.
  • Page 47 6 Use a drill to make a hole in the tile the approximate size of the Altitude 3510 LED light pipe. CAUTION Extreme Networks recommends care be taken not to damage the finished surface of the ceiling tile when creating the light pipe hole and installing the light pipe.
  • Page 48: Altitude 3510 Led Indicators

    Radio models, a single dot on the antenna connector indicates the primary antenna for Radio 1, and two dots designate the secondary antenna for Radio 1.
    13 Attach safety wire (if used) to the Altitude 3510 safety wire tie point or security cable (if used) to the Altitude 3510’s lock port.
  • Page 49: Mounting An Altitude 3550

    The five LEDs on the top housing of the Altitude 3510 are clearly visible in table-top, wall and below ceiling installations. The five Altitude 3510 top housing LEDs have the following display and functionality:
    Power Status: Solid white indicates the Altitude 3510 is adequately powered.
    Error Conditions: Solid red indicates the Altitude 3510 is experiencing a problem condition requiring immediate attention.
  • Page 50: Altitude 3550 Pole Mounted Installations

    Refer to the following, depending on how you intend to mount the Altitude 3550:
    ● Altitude 3550 Pole Mounted Installations on page 50
    ● Altitude 3550 Wall Mounted Installations on page 52
    Altitude 3550 Pole Mounted Installations
    Complete the following steps to mount the Altitude 3550 to a (1.5 to 18 inch diameter) steel pole or tube (using the mounting bracket):
    1 Fit the edges of the V-shaped clamp parts into the slots on the flat side of the rectangular plate.
  • Page 51 “System Configuration” on page
    CAUTION If installing the Altitude 3550 in an outdoor area prone to high winds and rain, Extreme Networks recommends using the Altitude 3550 Heavy Weather Kit (Part No. 15732). This kit shields an Altitude 3550 from high winds and water damage as a result of driving rain.
  • Page 52: Altitude 3550 Wall Mounted Installations

    Altitude 3550 Wall Mounted Installations
    Complete the following steps to mount the Altitude 3550 to a wall using the supplied wall-mounting bracket:
    1 Attach the bracket to a wall with flat side flush against the wall (see the illustration below). Position the bracket in the intended location and mark the positions of the four mounting screw holes.
  • Page 53 “System Configuration” on page
    CAUTION If installing the Altitude 3550 in an outdoor area prone to high winds and rain, Extreme Networks recommends using the Altitude 3550 Heavy Weather Kit (Part No. 15732). This kit shields an Altitude 3550 from high winds and water damage as a result of driving rain.
  • Page 54: Altitude 3550 Led Indicators

    Altitude 3550 LED Indicators
    The Altitude 3550 utilizes four LED indicators. Five LEDs display within four LED slots on the back of the access point. The five LEDs have the following display and functionality:
    ● Power and error conditions (split LED)
    ● Data over Ethernet
    ● 802.11a radio activity
    ● 802.11b/g radio activity
    ...
  • Page 55: Chapter 3: Getting Started

    The access point should be installed in an area tested for radio coverage using one of the site survey tools available to the field service technician. Once an installation site has been identified, the installer should carefully follow the hardware precautions, requirements, mounting guidelines and power options outlined in “Hardware Installation”...
  • Page 56: Configuration Options

    For information on the 802.11a and 802.11b/g radio antenna suite available to the Altitude 3550, see “Antenna Options” on page 38. To verify Altitude 3510 LED behavior once installed, see “Altitude 3510 LED Indicators” on page 48. To verify the behavior of the Altitude 3550 LEDs once installed, see “Altitude 3550 LED Indicators”...
  • Page 57: Connecting To The Access Point Using The Lan Port

    Connecting to the Access Point using the LAN Port
    To initially connect to the access point using the access point’s LAN port:
    1 The LAN port default is set to DHCP. Connect the access point’s LAN port to a DHCP server. The access point will receive its IP address automatically.
  • Page 58 NOTE For optimum compatibility, use Sun Microsystems’ JRE 1.5 or higher (available from Sun’s website), and be sure to disable Microsoft’s Java Virtual Machine if installed.
    2 If the default login is successful, the Change Admin Password window displays. Change the password. Enter the current password and a new admin password in fields provided.
  • Page 59: Configuring Device Settings

    NOTE Though the access point can have its basic settings defined using a number of different screens, Extreme Networks recommends using the access point Quick Setup screen to set the correct country of operation and define its minimum required configuration from one convenient location.
    Configuring Device Settings
    Configure a set of minimum required device settings within the Quick Setup screen.
  • Page 60 IP address, network mask, and gateway.
    NOTE Extreme Networks recommends that the WAN and LAN ports should not both be configured as DHCP clients.
    c Specify an IP address for the access point’s WAN connection. An IP address uses a series of four numbers expressed in dot notation, for example, 190.188.12.1 (no DNS names supported).
  • Page 61 IP address.
    NOTE Extreme Networks recommends that the WAN and LAN ports should not both be configured as DHCP clients.
    c If using the static or DHCP Server option, enter the network-assigned IP Address of the access point.
  • Page 62 Setup screen. Policies can be defined over time and saved to be used as needed as security requirements change. Extreme Networks recommends you familiarize yourself with the security options available on the access point before defining a security policy. Refer to “Configuring...
  • Page 63: Configuring Wlan Security Settings

    Multiple WLANs can share the same security policy, so be careful not to name security policies after specific WLANs or risk defining a WLAN to single policy. Extreme Networks recommends naming the policy after the attributes of the authentication or encryption type selected.
  • Page 64: Testing Connectivity

    4 Configure the WEP 128 Settings field as required to define the Pass Key used to generate the WEP keys.
    Pass Key: Specify a 4 to 32 character pass key and click the Generate button. The access point will convert an ASCII string to a hexadecimal number as the WEP key.
  • Page 65: Where To Go From Here

    Where to Go from Here?
    Once basic connectivity has been verified, the access point can be fully configured to meet the needs of the network and the users it supports. Refer to the following:
    ● For detailed information on access point device access, SNMP settings, network time, importing/...
  • Page 67: Chapter 4: System Configuration

    The access point contains a built-in browser interface for system configuration and remote management using a standard Web browser such as Microsoft Internet Explorer, Netscape Navigator or Mozilla Firefox (version 0.8 or higher is recommended). The browser interface also allows for system monitoring of the access point.
  • Page 68: Configuring System Settings

    Configuring System Settings
    Use the System Settings screen to specify the name and location of the access point, assign an email address for the network administrator, restore the AP’s default configuration or restart the AP.
    To configure System Settings for the access point:
    1 Select System Configuration >...
  • Page 69 The displayed number is the current version of the device firmware. Use this information to determine if the access point is running the most recent firmware available from Extreme Networks. Use the Firmware Update screen to keep the AP’s firmware up to date.
    System Uptime: Displays the current uptime of the access point defined in the System Name field.
  • Page 70: Adaptive Ap Setup

    4 Use the Restart access point field to restart the AP (if necessary).
    Restart AP35xx: Click the Restart AP35xx button to reboot the AP. Restarting the AP35xx resets all data collection values to zero. Extreme Networks does not recommend restarting the AP during significant system uptime or data collection activities.
    CAUTION After a reboot, static route entries disappear from the AP Route Table if a LAN Interface is set to DHCP Client.
  • Page 71 To configure the access point’s controller discovery method and connection medium:
    1 Select System Configuration > Adaptive AP Setup from the menu tree.
    2 Define the following to prioritize a controller connection scheme and AP interface used to adopt to the controller.
  • Page 72: Configuring Data Access

    AP35xx using that interface. To avoid jeopardizing the network data managed by the AP35xx, Extreme Networks recommends enabling only those interfaces used in the routine (daily) management of the network, and disabling all other interfaces until they are required.
  • Page 73 AP access can be restricted to specific IP addresses. Trusted Host subnet management restricts LAN1, LAN2 and WAN interface access (via SNMP, HTTP, HTTPS, Telnet and/or SSH) to a set of (up to 8) user defined trusted hosts or subnets. Only hosts with matching IP addresses can access the access point.
  • Page 74
    CLI TELNET (port 23): Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the AP35xx CLI via the TELNET terminal emulation TCP/IP protocol.
    CLI SSH (port 22): Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the AP35xx CLI using the SSH (Secure Shell) protocol.
  • Page 75
    Shared Secret: Define a shared secret for authentication on the server. The shared secret is required to be the same as the shared secret defined on the RADIUS server. Use shared secrets to verify RADIUS messages (with the exception of the Access-Request message) sent by a RADIUS-enabled device configured with the same shared secret.
  • Page 76: Defining Trusted Hosts

    10 Click Apply to save any changes to the AP35xx Access screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.
    11 Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the AP35xx Access screen to the last saved configuration.
  • Page 77 To restrict AP access to a set of user defined IP addresses:
    1 Select System Configuration > AP35xx Access from the menu tree.
    2 Select the Trusted Hosts checkbox. The Trusted Host Access field displays. The remaining portion of the Access screen (not related to Trusted Host support) can be accessed using the scroll bar on the right-hand side of the AP35xx Access screen.
  • Page 78: Managing Certificate Authority (Ca) Certificates

    Managing Certificate Authority (CA) Certificates
    Certificate management includes the following sections:
    ● Importing a CA Certificate on page 78
    ● Creating Self Certificates for Accessing the VPN on page 79
    ● Apache Certificate Management on page 84
    Importing a CA Certificate
    A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption.
  • Page 79: Creating Self Certificates For Accessing The Vpn

    To import a CA certificate:
    1 Select System Configuration > Certificate Mgmt > CA Certificates from the menu tree.
    2 Copy the content of the CA Certificate message (using a text editor such as notepad) and click on Paste from Clipboard. The content of the certificate displays in the Import a root CA Certificate field.
  • Page 80 To create a self certificate:
    1 Select System Configuration > Certificate Mgmt > Self Certificates from the AP35xx menu tree.
    2 Click on the Add button to create the certificate request. The Certificate Request screen displays.
    3 Complete the Certificate Request screen with the pertinent information. Only 4 values are required, the others are optional.
  • Page 81
    5 Click the Generate Request button. The generated certificate request displays in Self Certificates screen text box.
    6 Click the Copy to Clipboard button. The content of certificate request is copied to the clipboard. Create an email to your CA, paste the content of the request into the body of the message and send it to the CA.
  • Page 82: Creating A Certificate For Onboard RADIUS Authentication

    System Configuration Creating a Certificate for Onboard RADIUS Authentication The AP35xx can use its on-board RADIUS Server to generate certificates to authenticate MUs for use with the access point. In addition, a Windows 2000 or 2003 Server is used to sign the certificate before downloading it back to the access point’s on-board RADIUS server and loading the certificate for use with the access point.
  • Page 83 Key Length Defines the length of the key. Possible values are 512, 1024, and 2048. Extreme Networks recommends setting this value to 1024 to ensure optimum functionality. 4 Complete as many of the optional values within the Certificate Request screen as possible.
  • Page 84: Apache Certificate Management

    System Configuration 15 Load the certificates on the access point CAUTION Ensure the CA Certificate is loaded before the Self Certificate, or risk an invalid certificate load. 16 Open the certificate file and copy its contents into the CA Certificates screen by clicking the Paste from Clipboard button.
  • Page 85 2 Configure the FTP and TFTP Import/Export field to import/export security certificates for an Apache HTTP server. Certificate Name Specify the name of the certificate file to be written to the (no extension) FTP or TFTP server. Do not enter the file’s extension. FTP/TFTP Server Enter the numerical (non DNS name) IP address of the IP Address...
  • Page 86: Configuring SNMP Settings

    System Configuration 3 Refer to the Status field to review the progress of an import or export operation. When an import operation is in progress, an “importing certificate and key” message displays. Once completed, an indication of the import or export operation’s success or failure displays. 4 Click Apply to save any changes to the Apache certificate import/export configuration.
  • Page 87 Feature Feature SNMP Trap EXTR-adp35xx-MIB Firewall Configuration EXTR-CC-adp35xx-MIB-2.0 Selection SNMP RF Trap EXTR-adp35xx-MIB LAN to WAN Access EXTR-CC-adp35xx-MIB-2.0 Thresholds Config Import/Export EXTR-adp35xx-MIB Advanced LAN Access EXTR-CC-adp35xx-MIB-2.0 MU Authentication EXTR-adp35xx-MIB Router Configuration EXTR-CC-adp35xx-MIB-2.0 Stats WNMP Ping EXTR-adp35xx-MIB System Settings EXTR-CC-adp35xx-MIB-2.0 Configuration Known AP Stats EXTR-adp35xx-MIB AP 3510 Access...
  • Page 88 A read-only community string allows a remote device to retrieve information, while a read/write community string allows a remote device to modify settings. Extreme Networks recommends considering adding a community definition using a site-appropriate name and access level. Set up a read/write definition (at a minimum) to facilitate full access by the AP35xx administrator.
  • Page 89 Access Use the Access pull-down list to specify read-only (R) access or read/write (RW) access for the community. Read-only access allows a remote device to retrieve access point information, while read/write access allows a remote device to modify access point settings. 3 Configure the SNMP v3 User Definitions field (if SNMP v3 is used) to add and configure SNMP v3 user definitions.
  • Page 90: Configuring SNMP Access Control

    System Configuration 4 Specify the users who can read and optionally modify the SNMP-capable client. SNMP Access Click the SNMP Access Control button to display the Control SNMP Access Control screen for specifying which users can read SNMP-generated information and potentially modify related settings from an SNMP-capable client.
  • Page 91 To configure SNMP user access control for the AP35xx: 1 Select System Configuration > SNMP Access from the AP35xx menu tree. Click on the SNMP Access Control button from within the SNMP Access screen. 2 Configure the SNMP Access Control screen to add the IP addresses of those users receiving SNMP access.
  • Page 92: Enabling SNMP Traps

    System Configuration Enabling SNMP Traps SNMP provides the ability to send traps to notify the administrator that trap conditions are met. Traps are network packets containing data relating to network devices, or SNMP agents, that send the traps. SNMP management applications can receive and interpret these packets, and optionally can perform responsive actions.
  • Page 93 Port Specify a destination User Datagram Protocol (UDP) port for receiving traps. The default is 162. Community Enter a community name specific to the SNMP-capable client that receives the traps. SNMP Version Use the SNMP Version drop-down menu to specify v1 or Some SNMP clients support only SNMP v1 traps, while others support SNMP v2 traps and possibly both, verify the correct traps are in use with clients that support them.
  • Page 94: Configuring Specific SNMP Traps

    System Configuration Configuring Specific SNMP Traps Use the SNMP Traps screen to enable specific traps on the AP35xx. Extreme Networks recommends defining traps to capture unauthorized devices operating within the AP35xx coverage area. Trap configuration depends on the network machine that receives the generated traps. SNMP v1/v2c and v3 trap configurations function independently.
  • Page 95 3 Configure the SNMP Traps field to generate traps when SNMP capable MUs are denied authentication privileges or are subject of an ACL violation. When a trap is enabled, a trap is sent every 5 seconds until the condition no longer exists. SNMP Generates a trap when an SNMP-capable client is denied authentication...
  • Page 96: Configuring SNMP RF Trap Thresholds

    System Configuration 6 Refer to the Set All Traps field to use a single location to either enable or disable each trap listed within the SNMP Traps screen. Enable All Select this button to enable each trap defined within the SNMP Traps screen.
  • Page 97 To configure specific SNMP RF Traps on the AP35xx: 1 Select System Configuration > SNMP Access > SNMP RF Trap Thresholds from the menu tree. 2 Configure the RF Trap Thresholds field to define device threshold values for SNMP traps. NOTE Average Bit Speed, % of Non-Unicast, Average Signal, Average Retries, % Dropped and % Undecryptable are not access point statistics.
  • Page 98: Configuring Network Time Protocol (NTP)

    SNMP rate trap is sent. for a trap to fire Extreme Networks recommends using the default setting of 1000 as a minimum setting for the field. 4 Click Apply to save any changes to the SNMP RF Traps screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.
  • Page 99 To manage clock synchronization on the AP35xx: 1 Select System Configuration > Date/Time from the AP35xx menu tree. 2 From within the Current Time field, click the Refresh button to update the time since the screen was displayed by the user. The Current Time field displays the current time based on the AP35xx system clock.
  • Page 100: Configuring LLDP Settings

    System Configuration 5 If using an NTP server to supply system time to the access point, configure the NTP Server Configuration field to define the server network address information required to acquire the AP35xx network time. Enable NTP on Select the Enable NTP on AP35xx checkbox to allow a AP35xx connection between the AP35xx and one or more specified NTP servers.
  • Page 101 LLDP transmits periodic advertisements containing device information and media-specific configuration information to neighbors attached to the same network. LLDP agents cannot solicit information from other agents by using LLDP. To configure LLDP support: 1 Select System Configuration > LLDP from the menu tree. 2 Select the Enable LLDP radio button to enable or disable the transmission of LLDP advertisements.
  • Page 102: Logging Configuration

    System Configuration Logging Configuration The AP35xx provides the capability for periodically logging system events that prove useful in assessing the throughput and performance of the AP35xx or troubleshooting problems on the AP35xx managed Local Area Network (LAN). Use the Logging Configuration screen to set the desired logging level (standard syslog levels) and view or save the current AP35xx system log.
  • Page 103: Importing/Exporting Configurations

    Logging Level Use the Logging Level drop-down menu to select the desired log level for tracking system events. Eight logging levels (0 to 7) are available. Log Level 6: Info is the AP35xx default log level. These are the standard UNIX/LINUX syslog levels. The levels are as follows: 0 - Emergency 1 - Alert...
  • Page 104 System Configuration NOTE When modifying the text file manually and spaces are used for wireless, security, MU policy names etc., ensure you use “\20” between the spaces. For example, “Second\20Floor\20Lab”. When imported, the name would display as “Second Floor Lab”. CAUTION A single-radio model access point cannot import/export its configuration to a dual-radio model access point.
  • Page 105 FTP/TFTP Server Enter the numerical (non DNS name) IP address of the IP Address destination FTP or TFTP server where the configuration file is imported or exported. Filepath (optional) Defines the optional path name used to import/export the target configuration file. Select the FTP radio button if using an FTP server to import or export the configuration.
  • Page 106 NOTE Extreme Networks recommends importing configuration files using the CLI. If errors occur during the import process, they display all at once and are easier to troubleshoot. The access point GUI displays errors one at a time, and troubleshooting can be a more time-consuming process.
  • Page 107: Updating Device Firmware

    Updating Device Firmware Extreme Networks periodically releases updated versions of the AP35xx device firmware to the Extreme Networks Web site. If the AP35xx firmware version displayed on the System Settings page (see “Configuring System Settings” on page 68) is older than the version on the Web site, Extreme Networks recommends updating the AP35xx to the latest firmware version for full feature functionality.
  • Page 108 3 Configure the DHCP Options checkboxes to enable/disable automatic firmware and/or configuration file updates. DHCP options are used for out-of-the-box rapid deployment for Extreme Networks wireless products. The following are the two options available on the access point: Altitude 3500 Series Access Point Product Reference Guide...
  • Page 109 ● Enable Automatic Firmware Update ● Enable Automatic Configuration Update Both DHCP options are enabled by default. These options can be used to update newer firmware and configuration files on the access point. For more information on how to configure a DHCP or BootP Server for the automatic upgrade process, see “Usage Scenarios”...
  • Page 110 System Configuration 8 Set the following FTP or TFTP parameters: ● Username—Specify a username for the FTP server login. ● Password—Specify a password for FTP server login. Default is admin123. A blank password is not supported. NOTE Click Apply to save the settings before performing the firmware update. The user is not able to navigate the AP35xx user interface while the firmware update is in process.
  • Page 111 14 Click Logout to securely exit the AP35xx Access Point applet. A prompt displays confirming the logout before the applet is closed.
  • Page 113: Chapter 5: Network Management

    Network Management Refer to the following for network management configuration activities supported by the access point user interface: ● Configuring the LAN Interface on page 113 ● Configuring WAN Settings on page 125 ● Enabling Wireless LANs (WLANs) on page 133...
  • Page 114 Network Management To configure the Altitude 35xx LAN interface: 1 Select Network Configuration > LAN from the Altitude 35xx menu tree. CAUTION If deploying the access point as an AAP with a remote layer 3 configuration and the AAP is set for Controller auto discovery (primary/standby), the access point will unadopt from its switch after a few moments.
  • Page 115 Ethernet Port The Ethernet Port radio buttons allow you to select one of the two available LANs as the LAN actively transmitting over the access point’s LAN port. Both LANs can be active at any given time, but only one can transmit over the access point’s physical LAN connection, thus the selected LAN has priority.
  • Page 116: Configuring VLAN Support

    Network Management half duplex Select this option to transmit data to and from the access point, but not at the same time. Using a half duplex transmission, the access point can send data over its LAN port then immediately receive data from the same direction in which the data was transmitted.
  • Page 117 copy of the Dynamic VLAN database. This database houses the records of MAC addresses and VLAN assignments. The VLAN database looks up the MAC to determine what VLAN is assigned to it. If it is not in the database, it simply uses a default VLAN assignment. The VLAN assignment is sent to the Altitude 35xx.
  • Page 118 5 Define a 32 ASCII character maximum VLAN Name. Enter a unique name that identifies members of the VLAN. Extreme Networks recommends selecting the name carefully, as the VLAN name should signify a group of clients with a common set of requirements independent of their physical location.
  • Page 119: Configuring LAN1 And LAN2 Settings

    VLAN configured for the port. The Native VLAN is VLAN 1 by default. Extreme Networks suggests leaving the Native VLAN set to 1 as other layer 2 devices also have their Native VLAN set to 1.
  • Page 120 1 Select Network Configuration > LAN > LAN1 (or LAN2) from the Altitude 35xx menu tree. 2 Configure the DHCP Configuration field to define the DHCP settings used for the LAN. NOTE Extreme Networks recommends the WAN and LAN ports should not both be configured as DHCP clients. This interface is a...
  • Page 121 Enter the Primary DNS numerical (non DNS name) IP Server address. Secondary DNS Extreme Networks recommends entering the numerical IP Server address of an additional DNS server (if available), used if the primary DNS server goes down. A maximum of two DNS servers can be used.
  • Page 122: Configuring Advanced DHCP Server Settings

    Network Management Mesh STP Click the Mesh STP Configuration button to define bridge Configuration settings for this specific LAN. Each of the access point’s two LANs can have a separate mesh configuration. As the Spanning Tree Protocol (STP) mentions, each mesh network maintains hello, forward delay and max age timers.
  • Page 123: Setting The Type Filter Configuration

    3 Specify a lease period in seconds for available IP addresses using the DHCP Lease Time (Seconds) parameter. An IP address is reserved for re-connection for the length of time you specify. The default interval is 86400 seconds. 4 Click the Add button to create a new table entry within the Reserved Clients field. If a statically mapped IP address is within the IP address range in use by the DHCP server, that IP address may still be assigned to another client.
  • Page 124 Packet types supported for the type filtering function include 16-bit DIX Ethernet types as well as Extreme Networks proprietary types. Select an Ethernet type from the drop down menu, or enter the Ethernet type’s hexadecimal value. See your System Administrator if unsure of the implication of adding or omitting a type from the list for either LAN1 or LAN2.
  • Page 125: Configuring WAN Settings

    4 To optionally delete a type filtering selection from the list, highlight the packet type and click the Delete button. 5 Click Apply to save any changes to the LAN1 or LAN2 Ethernet Type Filter Configuration screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.
  • Page 126 2 Refer to the WAN IP Configuration field to enable the WAN interface, and set network address information for the WAN connection. NOTE Extreme Networks recommends that the WAN and LAN ports should not both be configured as DHCP clients. Enable WAN...
  • Page 127 More IP Addresses Click the More IP Addresses button to specify additional static IP addresses for the Altitude 35xx. Additional IP addresses are required when users within the WAN need dedicated IP addresses, or when servers need to be accessed (addressed) by the outside world. The More IP Addresses screen allows the administrator to enter up to seven additional WAN IP addresses for the Altitude 35xx WAN.
  • Page 128 Network Management 4 Configure the PPP over Ethernet field to enable high speed dial-up connections to the Altitude 35xx WAN port. Enable Use the checkbox to enable Point-to-Point over Ethernet (PPPoE) for a high-speed connection that supports this protocol. Most DSL providers are currently using or deploying this protocol.
  • Page 129: Configuring Network Address Translation (NAT) Settings

    6 Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the WAN screen to the last saved configuration. 7 Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.
  • Page 130: Configuring Port Forwarding

    Network Management WAN IP Address The WAN IP addresses on the NAT screen are dynamically generated from address settings applied on the WAN screen. NAT Type Specify the NAT Type as 1 to 1 to map a WAN IP address to a single host (local) IP address.
  • Page 131 4 Configure the Port Forwarding screen to modify the following: Click Add to create a local map that includes the name, transport protocol, start port, end port, IP address and Translation Port for incoming packets. Delete Click Delete to remove a selected local map entry. Name Enter a name for the service being forwarded.
  • Page 132: Configuring Dynamic DNS

    Network Management Configuring Dynamic DNS The access point supports the Dynamic DNS service. Dynamic DNS (or DynDNS) is a feature offered by www.dyndns.com which allows the mapping of domain names to dynamically assigned IP addresses via the WAN port. When the dynamically assigned IP address of a client changes, the new IP address is sent to the DynDNS service and traffic for the specified domain(s) is routed to the new IP address.
  • Page 133: Enabling Wireless LANs (WLANs)

    6 Click the Update DynDNS button to update the access point’s current WAN IP address with the DynDNS service. NOTE DynDNS supports devices directly connected to the Internet. Having VPN enabled, and the DynDNS Server on the other side of the VPN is not supported. 7 Once the DynDNS configuration has been updated, click the Show Update Response button to open a sub-screen displaying the hostname, IP address and any messages received during an update from the DynDNS Server.
  • Page 134 Network Management To configure WLANs on the Altitude 35xx: 1 Select Network Configuration > Wireless from the Altitude 35xx menu tree. If a WLAN is defined, that WLAN displays within the Wireless Configuration screen. When the Altitude 35xx is first booted, WLAN1 exists as a default WLAN available immediately for connection.
  • Page 135: Creating/Editing Individual WLANs

    VLAN The VLAN field displays the specific VLAN the target WLAN is mapped to. For information on VLAN configuration for the WLAN, see “Configuring VLAN Support” on page 116. Security Policy The Security Policy field displays the security profile configured for the target WLAN. QoS Policy The QoS Policy field displays the quality of service currently defined for the WLAN.
  • Page 136 Network Management 3 Set the parameters in the Configuration field as required for the WLAN. ESSID Enter the Extended Services Set Identification (ESSID) associated with the WLAN. The WLAN name is auto- generated using the ESSID until changed by the user. The maximum number of characters that can be used for the ESSID is 32.
  • Page 137 Maximum MUs Use the Max MUs field to define the number of MUs permitted to interoperate within the new or revised WLAN. The maximum (and default) is 127. However, each access point can only support a maximum 127 MUs spanned across its 16 available WLANs.
  • Page 138: Configuring WLAN Security Policies

    ESSID. If a hacker tries to find an ESSID via an MU, the ESSID does not display since the ESSID is not in the beacon. Extreme Networks recommends keeping the option enabled to reduce the likelihood of hacking into the WLAN.
  • Page 139: Configuring A WLAN Access Control List (ACL)

    To create a new security policy or modify an existing policy: 1 Select Network Configuration > Wireless > Security from the Altitude 35xx menu tree. The Security Configuration screen appears with existing policies and their attributes displayed. NOTE When the Altitude 35xx is first launched, a single security policy (default) is available and mapped to WLAN 1.
  • Page 140 WLANs based on MU interoperability requirements. Extreme Networks recommends using the New MU ACL Policy or Edit MU ACL Policy screens strategically to name and configure ACL policies meeting the requirements of the particular WLANs they may map to.
  • Page 141 Either the New MU ACL Policy or Edit MU ACL Policy screens display. 3 Assign a name to the new or edited ACL policy that represents an inclusion or exclusion policy specific to a particular type of MU traffic you may want to use with a single or group of WLANs. More than one WLAN can use the same ACL policy.
  • Page 142: Setting The WLAN Quality Of Service (QoS) Policy

    WLANs based on MU interoperability requirements. Extreme Networks recommends using the New QoS Policy and Edit QoS Policy screens strategically to name and configure QoS policies meeting the requirements of the particular WLANs they may map to.
  • Page 143 2 Click the Create button to configure a new QoS policy, or select a policy and click the Edit button to modify an existing QoS policy. The access point supports a maximum of 16 QoS policies.
  • Page 144 CAUTION Extreme Networks recommends using the drop-down menu to define the intended radio traffic within the WLAN. Once an option is selected, you do not need to adjust the values for the Access Categories, unless qualified to do so. Changing the Access Category default values could negatively impact the performance of the access point.
  • Page 145 7 Select the Enable Wi-Fi Multimedia (WMM) QoS Extensions checkbox to configure the Altitude 35xx’s QoS Access Categories. The Access Categories are not configurable unless the checkbox is selected. Access Categories include: Background Background traffic is typically of a low priority (file transfers, print jobs, etc.).
  • Page 146: Configuring WLAN Hotspot Support

    Network Management U-APSD (WMM Power Save) Support. The access point now supports Unscheduled Automatic Power Save Delivery (U-APSD), often referred to as WMM Power Save. U-APSD provides a periodic frame exchange between a voice capable MU and the access point during a VoIP call, while legacy power management is still utilized for typical data frame exchanges.
  • Page 147 TCP/IP packets are redirected to the port on the subnet to which the WLAN is mapped. For WLANs not hotspot-enabled, all packets are allowed. 2 Click the Configure Hotspot button within the WLAN screen to display the Hotspot Configuration screen for that target WLAN. 3 Refer to the HTTP Redirection field to specify how the Login, Welcome, and Fail pages are maintained for this specific WLAN.
  • Page 148 Network Management NOTE If an external URL is used, the external Web pages are required to forward user credentials to the access point, which in turn forwards them to the authentication Server (either onboard or external server) in order to grant users Web access. Login Page URL Define the complete URL for the location of the Login page.
  • Page 149 Server Address Specify an IP address for the external RADIUS Accounting server used to provide RADIUS accounting for the hotspot. If using this option, an internal RADIUS server cannot be used. The IP address of the internal RADIUS server is fixed at 127.0.0.1 and cannot be used for the external RADIUS server.
  • Page 150: Setting The WLAN's Radio Configuration

    Network Management When a client requests a URL from a Web server, the login handler returns an HTTP redirection status code (for example, 301 Moved Permanently), which indicates to the browser it should look for the page at another URL. This other URL can be a local or remote login page (based on the hotspot configuration).
  • Page 151 NOTE This section describes mesh networking (setting the radio’s base and client bridge configuration) at a high level. For a detailed overview on the theory of mesh networking, see “Mesh Networking Overview” on page 519. For detailed information on the implications of setting the mesh network configuration, see “Configuring Mesh Networking Support”...
  • Page 152 WLAN (ESS) the client bridge uses to establish a wireless link. The default setting is (WLAN1). Extreme Networks recommends creating (and naming) a WLAN specifically for mesh networking support to differentiate the Mesh supported WLAN from non-Mesh supported WLANs.
  • Page 153 number of base bridges currently connected to the radio displays within the BBs Connected field. If this is an existing radio within a mesh network, these values update in real-time. 6 Click the Advanced button to define a prioritized list of access points to define Mesh Connection links.
  • Page 154: Configuring The 802.11A Or 802.11B/G Radio

    Network Management 9 Click Apply to save any changes to the Radio Configuration screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost. CAUTION When defining a Mesh configuration and changes are saved, the mesh network temporarily goes down. The Mesh network is unavailable because the access point radio is reconfigured when applying changes.
  • Page 155 To configure the Altitude 35xx’s 802.11a or 802.11b/g radio: 1 Select Network Configuration > Wireless > Radio Configuration > Radio1 (default name) from the Altitude 35xx menu tree. 2 Configure the Properties field to assign a name and placement designation for the radio. Placement Use the Placement drop-down menu to specify whether the radio is located outdoors or indoors.
  • Page 156 Network Management ERP Protection Extended Rate PHY (ERP) allows 802.11g MUs to interoperate with 802.11b only MUs. ERP Protection is managed automatically by the access point and informs users when 802.11b MUs are present within the access point’s coverage area. The presence of 802.11b MUs within the 802.11g coverage area negatively impacts network performance, so this feature should be looked to as an indicator of why network performance has been...
  • Page 157 802.11a or 802.11b/g radio configuration screen. Clicking Cancel reverts the Set Rates screen to the last saved configuration. Extreme Networks recommends using the default rates unless qualified to understand the performance risks of changing them. The appearance of the Set Rates screen varies depending on the 802.11a or...
  • Page 158 BSSIDs. If a system has an abundance of broadcast traffic and it needs to be delivered quickly, Extreme Networks recommends decreasing the DTIM interval for that specific BSSID. However, decreasing the DTIM interval decreases the battery life on power save stations.
  • Page 159 QoS policies configured for the WLAN (as created or edited from the Quality of Service Configuration screen). Extreme Networks recommends only advanced users manually set these values. If the type of data-traffic is known, use the drop-down menu to select a 11g-wifi, 11b- wifi, 11g-default, 11b-default, 11g-voice or 11b-voice option.
  • Page 160 Network Management Defining Primary WLANs allows an administrator to dedicate BSSIDs (4 BSSIDs are available for mapping) to WLANs. From that initial BSSID assignment, Primary WLANs can be defined from within the WLANs assigned to BSSID groups 1 through 4. Each BSSID beacons only on the primary WLAN.
  • Page 161: Configuring WIPS Server Settings

    Status Displays the following color coded status: Red—Error (Invalid Configuration) Yellow—Warning (Broadcast Downgrade) Green—Good (Configuration is OK) Message Displays the verbal status of the WLAN and BSSID assignments. If the Status column displays green, the Message will typically be Configuration is OK. If yellow, a description of invalid configuration displays.
  • Page 162 Network Management To define the attributes of the WIPS Server: 1 Select Network Configuration > Wireless > WIPS from the Altitude 35xx menu tree. The Wireless Intrusion Prevention System screen displays. NOTE At least one radio is required to be set to WIPS (within the Wireless Intrusion Prevention System screen) to support WIPS on the access point.
  • Page 163: Configuring Router Settings

    2 Within the WIPS Status field, define whether the access point’s 802.11a or 802.11b/g radio is servicing its coverage area as a typical access point or as a WIPS sensor. Selecting the disabled radio button defines the radio as a typical access point. Selecting the enabled radio button defines the radio as a WIPS sensor.
  • Page 164 Network Management To access the Router screen: 1 Select Network Configuration > Router from the Altitude 35xx menu tree. 2 Refer to the Altitude 35xx Router Table field to view existing routes. The Altitude 35xx Router Table field displays a list of connected routes between an enabled subnet and the router.
  • Page 165: Setting The RIP Configuration

    a Click the Add button to create a new table entry. b Highlight an entry and click the Del (delete) button to remove an entry. c Specify the destination IP address, subnet mask, and gateway information for the internal static route.
  • Page 166: Configuring IP Filtering

    Network Management 3 If RIP v2 or RIP v2 (v1 compat) is the selected RIP type, the RIP v2 Authentication field becomes active. Select the type of authentication to use from the Authentication Type drop-down menu. Available options include: None This option disables the RIP authentication.
  • Page 167 interfaces and within any of the 16 access point WLANs. An additional default action is also available denying traffic when filter rules fail. Lastly, imported and exported configurations retain their defined IP filtering configurations. IP filtering is a network layer facility. The IP filtering mechanism does not know anything about the application using the network connections, only the connections themselves.
  • Page 169: Chapter 6: Configuring Access Point Security

    Configuring Access Point Security Security measures for the Altitude 35xx and its WLANs are critical. Use the available Altitude 35xx security options to protect the Altitude 35xx LAN from wireless vulnerabilities, and safeguard the transmission of RF packets between the Altitude 35xx and its associated MUs.
  • Page 170: Setting Passwords

    Configuring Access Point Security ● To configure a security policy supporting KeyGuard, see “Configuring KeyGuard Encryption” on page 181. ● To define a security policy supporting WPA-TKIP, see “Configuring WPA/WPA2 Using TKIP” on page 183. ● To create a security policy supporting WPA2-CCMP, see “Configuring WPA2-CCMP (802.11i)”...
  • Page 171: Resetting The Access Point Password

    Only an installation professional should reset the access point’s password and promptly define a new restrictive password. To contact Extreme Networks Support in the event of a password reset requirement, go to www.extremenetworks.com/go/TACUserGuide. CAUTION: Only a qualified installation professional should set or restore the access point’s radio and power...
  • Page 172: Enabling Authentication And Encryption Schemes

    Configuring Access Point Security Enabling Authentication and Encryption Schemes To complement the built-in firewall filters on the WAN side of the Altitude 35xx, the WLAN side of the Altitude 35xx supports authentication and encryption schemes. Authentication is a challenge-response procedure for validating user credentials such as username, password, and sometimes secret-key information.
  • Page 173 Remember, multiple WLANs can share the same security policy, so be careful not to name security policies after specific WLANs, or you risk limiting a WLAN to a single policy. Extreme Networks recommends naming the policy after the attributes of the authentication or encryption type selected (for example, WPA2 Allow TKIP).
  • Page 174: Configuring Kerberos Authentication

    WPA/WPA2 TKIP: Select the WPA/WPA2 TKIP button to display the WPA/TKIP Settings field within the New Security Policy screen. For specific information on configuring WPA/WPA2 TKIP, see “Configuring WPA/WPA2 Using TKIP” on page 183. WPA2/CCMP (802.11i): Select the WPA2/CCMP (802.11) button to display the WPA2/CCMP Settings field within the New Security Policy screen.
  • Page 175 servers. Kerberos requires the Enable NTP on checkbox be selected for authentication to function properly. See “Configuring Network Time Protocol (NTP)” on page 98 to configure the NTP server. To configure Kerberos on the Altitude 35xx: 1 Select Network Configuration > Wireless > Security from the Altitude 35xx menu tree. If security policies supporting Kerberos exist, they appear within the Security Configuration screen.
  • Page 176: Configuring 802.1X Eap Authentication

    Configuring Access Point Security Primary KDC Specify a numerical (non-DNS) IP address and port for the primary Key Distribution Center (KDC). The KDC implements an Authentication Service and a Ticket Granting Service, whereby an authorized user is granted a ticket encrypted with the user's password. The KDC has a copy of every user password.
  • Page 177 6 Configure the Server Settings field as required to define address information for the authentication server. The appearance of the Server Settings field varies depending on whether Internal or External has been selected from the Radius Server drop-down menu. Radius Server Address: If using an External RADIUS Server, specify the numerical (non-DNS) IP address of a primary Remote Dial-In User...
  • Page 178 Radius Shared Secret: Specify a shared secret for authentication on the Internal or Primary RADIUS server (External RADIUS Server only). The shared secret is required to match the shared secret on the RADIUS server. Optionally, specify a shared secret for a secondary (failover) server.
  • Page 179: Configuring Wep Encryption

    Max. Retries (1-99) retries: Define the maximum number of MU retries to reauthenticate after failing to complete the EAP process. Failure to reauthenticate in the specified number of retries results in a terminated connection. The default is 2 retries. NOTE: The default values described are the recommended values.
  • Page 180 Configuring Access Point Security To configure WEP on the Altitude 35xx: 1 Select Network Configuration > Wireless > Security from the Altitude 35xx menu tree. If security policies supporting WEP exist, they appear within the Security Configuration screen. These existing policies can be used as is, or their properties edited by clicking the Edit button. To configure a new security policy supporting WEP, continue to step 2.
  • Page 181: Configuring Keyguard Encryption

    Keys #1-4: Use the Key #1-4 areas to specify key numbers. The key can be either hexadecimal or ASCII depending on which option is selected from the drop-down menu. For WEP 64 (40-bit key), the keys are 10 hexadecimal characters in length or 5 ASCII characters.
  • Page 182 Configuring Access Point Security 5 Configure the KeyGuard Settings field as required to define the Pass Key used to generate the WEP keys used with the KeyGuard algorithm. These keys must be the same between the access point and its MU to encrypt packets between the two devices. Pass Key Specify a 4 to 32 character pass key and click the Generate button.
  • Page 183: Configuring Wpa/Wpa2 Using Tkip

    8 Click the Cancel button to undo any changes made within the KeyGuard Setting field and return to the WLAN screen. This reverts all settings to the last saved configuration. Configuring WPA/WPA2 Using TKIP: Wi-Fi Protected Access (WPA) is a robust encryption scheme specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11i.
  • Page 184 5 Configure the Key Rotation Settings area as needed to broadcast encryption key changes to MUs and define the broadcast interval. Broadcast Key Rotation: Select the Broadcast Key Rotation checkbox to enable or disable broadcast key rotation. When enabled, the key indices used for encrypting/decrypting broadcast traffic will be alternatively rotated on every interval specified in the Broadcast Key Rotation Interval.
  • Page 185: Configuring Wpa2-Ccmp (802.11I)

    Default (hexadecimal) 256-bit keys for WPA/TKIP include: ● 1011121314151617 ● 18191A1B1C1D1E1F ● 2021222324252627 ● 28292A2B2C2D2E2F 7 Enable WPA2-TKIP Support as needed to allow WPA2 and TKIP client interoperation. Allow WPA2-TKIP clients: WPA2-TKIP support enables WPA2 and TKIP clients to operate together on the network. 8 Configure the Fast Roaming (802.1x only) field as required to enable additional Altitude 35xx roaming and key caching options.
  • Page 186 Configuring Access Point Security To configure WPA2-CCMP on the Altitude 35xx: 1 Select Network Configuration > Wireless > Security from the Altitude 35xx menu tree. If security policies supporting WPA2-CCMP exist, they appear within the Security Configuration screen. These existing policies can be used as is, or their properties edited by clicking the Edit button. To configure a new security policy supporting WPA2-CCMP, continue to step 2.
  • Page 187 Enabling this option allows backwards compatibility for clients that support WPA-TKIP and WPA2-TKIP but do not support WPA2-CCMP. Extreme Networks recommends enabling this feature if WPA-TKIP or WPA2-TKIP supported MUs operate within a WLAN populated by WPA2-CCMP enabled clients.
  • Page 188: Configuring Firewall Settings

    Configuring Access Point Security Configuring Firewall Settings The Altitude 35xx's firewall is a set of related programs located in the gateway on the WAN side of the Altitude 35xx. The firewall uses a collection of filters to screen information packets for known types of system attacks.
  • Page 189: Configuring Lan To Wan Access

    NAT Timeout Network Address Translation (NAT) converts an IP address in one network to a different IP address or set of IP addresses in a different network. Set a NAT Timeout interval (in minutes) the Altitude 35xx uses to terminate the IP address translation process if no translation activity is detected after the specified interval.
  • Page 190 Configuring Access Point Security To configure Altitude 35xx subnet access: 1 Select Network Configuration > Firewall > Subnet Access from the Altitude 35xx menu tree. 2 Refer to the Overview field to view rectangles representing subnet associations. The three possible colors indicate the current access level, as defined, for each subnet association.
  • Page 191 Pre configured Rules: The following protocols are preconfigured with the Altitude 35xx. To enable a protocol, check the box next to the protocol name. • HTTP—Hypertext Transfer Protocol is the protocol for transferring files on the Web. HTTP is an application protocol running on top of the TCP/IP suite of protocols, the foundation protocols for the Internet.
  • Page 192: Available Protocols

    Protocols that are not pre-configured can be specified using the drop down list within the Transport column within the Subnet Access and Advanced Subnet Access screens. They include: ● ALL—Enables all of the protocol options displayed in the drop-down menu (as described below)...
  • Page 193 To configure Altitude 35xx Advanced Subnet Access: 1 Select Network Configuration > Firewall > Advanced Subnet Access from the Altitude 35xx menu tree. 2 Configure the Settings field as needed to override the settings in the Subnet Access screen and import firewall rules into the Advanced Subnet Access screen.
  • Page 194: Configuring Vpn Tunnels

    Configuring Access Point Security Insert Click the Insert button to insert a new rule directly above a selected rule in the table. Clicking on a field in the row displays a new window with configuration options. Del (Delete) Click Del to remove the selected rule from the table. The index numbers for all the rows below the deleted row decrease by 1.
  • Page 195 When connecting to another site using a VPN, the traffic is encrypted so if anyone intercepts the traffic, they cannot see what it is unless they can break the encryption. The traffic is encrypted from your computer through the network to the VPN. At that point the traffic is decrypted. Use the VPN screen to add and remove VPN tunnels.
  • Page 196 Configuring Access Point Security Remote Gateway The Remote Gateway column lists a remote gateway IP address for each tunnel. The numeric remote gateway is the gateway IP address on the remote network the VPN tunnel connects to. Ensure the address is the same as the WAN port address of the target gateway AP or controller.
  • Page 197: Configuring Manual Key Settings

    Manual Key Exchange: Selecting Manual Key Exchange requires you to manually enter keys for AH and/or ESP encryption and authentication. Click the Manual Key Settings button to configure the settings. Manual Key Settings: Select Manual Key Exchange and click the Manual Key Settings button to open a screen where AH authentication and ESP encryption/authentication can be configured and...
  • Page 198 3 Configure the Manual Key Settings screen to modify the following: NOTE: When entering Inbound or Outbound encryption or authentication keys, an error message could display stating the keys provided are “weak”. Some WEP attack tools invoke a dictionary to hack WEP keys based on commonly used words.
  • Page 199 Outbound AH Authentication Key: Configure a key for computing the integrity check on outbound traffic with the selected authentication algorithm. The key must be 32/40 (for MD5/SHA1) hexadecimal (0-9, A-F) characters in length. The key value must match the corresponding inbound key on the remote security gateway.
  • Page 200: Configuring Auto Key Settings

    Inbound ESP Authentication Key: Define a key for computing the integrity check on the inbound traffic with the selected authentication algorithm. The key must be 32/40 (for MD5/SHA1) hexadecimal (0-9, A-F) characters in length. The key must match the corresponding outbound key on the remote security gateway.
  • Page 201 3 Configure the Auto Key Settings screen to modify the following: Use Perfect Forward Secrecy: Forward secrecy is a key-establishment protocol guaranteeing the discovery of a session key or long-term private key does not compromise the keys of other sessions. Select Yes to enable Perfect Forward Secrecy. Select No to disable Perfect Forward Secrecy.
  • Page 202: Configuring Ike Key Settings

    ESP Encryption Algorithm: Use this menu to select the encryption and authentication algorithms for this VPN tunnel. • DES—Selects the DES algorithm. No keys are required to be manually provided. • 3DES—Selects the 3DES algorithm. No keys are required to be manually provided.
  • Page 203 3 Configure the IKE Key Settings screen to modify the following: Operation Mode The Phase I protocols of IKE are based on the ISAKMP identity-protection and aggressive exchanges. IKE main mode refers to the identity-protection exchange, and IKE aggressive mode refers to the aggressive exchange. •...
  • Page 204 Configuring Access Point Security Remote ID Type Select the type of ID to be used for the Altitude 35xx end of the tunnel from the Remote ID Type drop-down menu. • IP—Select the IP option if the remote ID type is the IP address specified as part of the tunnel.
  • Page 205: Viewing Vpn Status

    Diffie Hellman Group: Select a Diffie-Hellman Group to use. The Diffie-Hellman key agreement protocol allows two users to exchange a secret key over an insecure medium without any prior secrets. Two algorithms exist, 768-bit and 1024-bit. Select one of the following options: •...
  • Page 206 Configuring Access Point Security To view VPN status: 1 Select Network Configuration > WAN > VPN > VPN Status from the Altitude 35xx menu tree. 2 Reference the Security Associations field to view the following: Tunnel Name The Tunnel Name column lists the names of all the tunnels configured on the Altitude 35xx.
  • Page 207: Configuring Content Filtering Settings

    Tx Bytes The Tx Bytes column lists the amount of data (in bytes) transmitted through each configured tunnel. Rx Bytes The Rx Bytes column lists the amount of data (in bytes) received through each configured tunnel. 3 Click the Reset VPNs button to reset active VPNs. Selecting Reset VPNs forces renegotiation of all the Security Associations and keys.
  • Page 208 To configure content filtering for the Altitude 35xx: 1 Select Network Configuration > WAN > Content Filtering from the Altitude 35xx menu tree. 2 Configure the HTTP field to block Web proxies and URL extensions. Block Outbound HTTP: HyperText Transport Protocol (HTTP) is the protocol used...
  • Page 209 3 Configure the SMTP field to disable or restrict specific kinds of network mail traffic. Block Outbound SMTP Commands: Simple Mail Transport Protocol (SMTP) is the Internet standard for host-to-host mail transport. SMTP generally operates over TCP on port 25. SMTP filtering allows the blocking of any or all outgoing SMTP commands.
  • Page 210: Configuring Rogue Ap Detection

    4 Configure the FTP field to block or restrict various FTP traffic on the network. Block Outbound FTP Actions: File Transfer Protocol (FTP) is the Internet standard for host-to-host mail transport. FTP generally operates over TCP port 20 and 21. FTP filtering allows the blocking of any or all outgoing FTP functions.
  • Page 211 CAUTION Using an antenna other than the approved Dual-Band Antenna could render the Altitude 35xx’s Rogue AP Detector Mode feature inoperable. Contact your Extreme Networks sales associate for specific information. To configure Rogue AP detection for the Altitude 35xx: 1 Select Network Configuration > Wireless > Rogue AP Detection from the Altitude 35xx menu tree.
  • Page 212 3 Use the Allowed AP List field to restrict Extreme Networks APs from Rogue AP detection and create a list of device MAC addresses and ESSIDs approved for interoperability with the Altitude 35xx.
  • Page 213: Moving Rogue Aps To The Allowed Ap List

    4 Click Apply to save any changes to the Rogue AP Detection screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost. 5 Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Rogue AP Detection screen to the last saved configuration.
  • Page 214: Displaying Rogue Ap Details

    7 To remove the Rogue AP entries displayed within the Rogue APs field, click the Clear Rogue AP List button. Extreme Networks only recommends clearing the list of Rogue APs when the devices displaying within the list do not represent a threat to the access point managed network.
  • Page 215 Displays the MAC address of the rogue AP. This information could be useful if the MAC address is determined to be an Extreme Networks MAC address and the device is interpreted as non-hostile and the device should be defined as an allowed AP.
  • Page 216: Using Mus To Detect Rogue Devices

    Configuring Access Point Security 6 Click Cancel (if necessary) to undo any changes made and return to the Active APs screen. Using MUs to Detect Rogue Devices Certain Motorola MUs can be used for rogue AP detection. The access point can use an associated MU that has its rogue AP detection feature enabled to scan for rogue APs.
  • Page 217: Configuring User Authentication

    3 If necessary, highlight an individual MU from within the Scan Result field and click the Add to Allowed AP List button to move the AP into the Allowed APs table within the Active APs screen. 4 Additionally, if necessary, click the Add All to Allowed APs List button to move every device within the Scan Result table into the Allowed APs table within the Active APs screen.
  • Page 218 Configuring Access Point Security To configure the RADIUS Server: 1 Select System Configuration > User Authentication > Radius Server from the menu tree. 2 From within the Data Source Configuration field, use the Data Source drop-down menu to select the data source for the RADIUS server.
  • Page 219 EAP Type Use the EAP Type checkboxes to enable the default EAP type(s) for the RADIUS server. Options include: • PEAP—Select the PEAP checkbox to enable both PEAP types (GTC and MSCHAP-V2) available to the access point. PEAP uses a TLS layer on top of EAP as a carrier for other EAP modules.
  • Page 220: Configuring Ldap Authentication

    Time Based Rule restriction feature. NOTE: The LDAP screen displays with unfamiliar alphanumeric characters (if new to LDAP configuration). Extreme Networks recommends only qualified administrators change the default values within the LDAP screen.
  • Page 221 2 Enter the appropriate information within the LDAP Configuration field to allow the access point to interoperate with the LDAP server. Consult with your LDAP server administrator for details on how to define the values in this screen. LDAP Server IP Enter the IP address of the external LDAP server acting as the data source for the RADIUS server.
  • Page 222: Configuring A Proxy Radius Server

    CAUTION: Windows Active Directory users must set their Login Attribute to “sAMAccountName” in order to successfully log in to the LDAP server. 3 Click Apply to save any changes to the LDAP screen. Navigating away from the screen without clicking Apply results in all changes to the screen being lost.
  • Page 223 To configure the proxy RADIUS server for the Altitude 35xx: 1 Select System Configuration > User Authentication > Radius Server > Proxy from the menu tree. 2 Refer to the Proxy Configuration field to define the proxy server’s retry count and timeout values. Retry Count Enter a value between 3 and 6 to indicate the number of times the access point attempts to reach a proxy server...
  • Page 224: Managing The Local User Database

    Configuring Access Point Security 5 Click Apply to save any changes to the Proxy screen. Navigating away from the screen without clicking Apply results in all changes to the screen being lost. 6 Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Proxy screen to the last saved configuration.
  • Page 225: Mapping Users To Groups

    Refer to the Groups field for a list of all groups in the local RADIUS database. The groups are listed in the order added. Although groups can be added and deleted, there is no capability to edit a group name. 2 Click the Add button and enter the name of the group in the new blank field in the Groups table.
  • Page 226: Defining User Access Permissions By Group

    Configuring Access Point Security 3 To add the user to a group, select the group in the Available list (on the right) and click the <-Add button. Assigned users will display within the Assigned table. Map one or more groups as needed for group authentication access for this particular user.
  • Page 227 CAUTION If using the RADIUS time-based authentication feature to authenticate access point user permissions, ensure UTC has been selected from the Date and Time Settings screen’s Time Zone field. If UTC is not selected, time based authentication will not work properly. For information on setting the time zone for the access point, see “Configuring Network Time Protocol (NTP)”...
  • Page 228: Editing Group Access Permissions

    Configuring Access Point Security Associated WLANs The Associated WLANs field displays the WLANs assigned the user group access permissions listed within the filters and grid fields. Add additional WLANs to a group by selecting the Edit button within the groups field. Timeline Displays a bar graph of the selected group’s access privileges.
  • Page 229 4 Define up to 10 access policies for the selected group within the Time Based Access Policy field. Use the drop-down menus on the left-hand side of the screen to define the day of the week for which each policy applies. If continual access is required, select the All Days option. If continual access is required during Monday through Friday, but not Saturday or Sunday, select the Weekdays option.
  • Page 231: Chapter 7: Monitoring Statistics

    The Altitude 35xx has functionality to display robust transmit and receive statistics for its WAN and LAN port. Wireless Local Area Network (WLAN) stats can also be displayed collectively for each enabled WLAN as well as individually for up to 16 specific WLANs.
  • Page 232 Monitoring Statistics To view Altitude 35xx WAN Statistics: 1 Select Status and Statistics > WAN Stats from the Altitude 35xx menu tree. 2 Refer to the Information field to reference the following Altitude 35xx WAN data: Status The Status field displays Enabled if the WAN interface is enabled on the WAN screen.
  • Page 233 Speed The WAN connection speed is displayed in Megabits per second (Mbps), for example, 54Mbps. If the throughput speed is not achieved, examine the number of transmit and receive errors, or consider increasing the supported data rate. To change the data rate of the 802.11a or 802.11b/g radio.
  • Page 234: Viewing Lan Statistics

    Monitoring Statistics 5 Click the Clear WAN Stats button to reset each of the data collection counters to zero in order to begin new data collections. The RX/TX Packets and RX/TX Bytes totals remain at their present values and are not cleared. Do not clear the WAN stats if currently in an important data gathering activity or risk losing all data calculations to that point.
  • Page 235 2 Refer to the Information field to view the following Altitude 35xx device address information: Status Displays whether this particular LAN has been enabled as viable subnet from within the LAN Configuration screen. IP Address The Internet Protocol (IP) addresses for the Altitude 35xx LAN port.
  • Page 236: Viewing A Lan's Stp Statistics

    Monitoring Statistics 4 Refer to the Transmitted field to view statistics transmitted over the Altitude 35xx LAN port. TX Packets TX packets are data packets sent over the Altitude 35xx LAN port. The displayed number is a cumulative total since the LAN connection was last enabled or the Altitude 35xx was last restarted.
  • Page 237 To view access point LAN STP statistics: 1 Select Status and Statistics > LAN Stats > LAN1 Stats (or LAN2 Stats) > STP Stats from the Altitude 35xx menu tree. 2 Refer to the Spanning Tree Info field for details on spanning tree state, and root access point designation.
  • Page 238 Monitoring Statistics Bridge Max Msg. The Max Msg Age measures the age of received protocol information recorded for a port, and to ensure the information is discarded when it exceeds the value set for the Maximum Message age timer. For information on setting the Maximum Message Age.
  • Page 239: Viewing Wireless Statistics

    Viewing Wireless Statistics Use the WLAN Statistics Summary screen to view overview statistics for active (enabled) WLANs on the Altitude 35xx. The WLAN Summary field displays basic information such as number of Mobile Units (MUs) and total throughput for each of the active WLANs. The Total RF Traffic section displays basic throughput information for all RF activity on the Altitude 35xx.
  • Page 240: Viewing Wlan Statistics

    Monitoring Statistics Displays the Average Bit Speed (ABS) in Megabits per second (Mbps) for each active WLAN displayed. % NU Displays a percentage of the total packets for each active WLAN that are non-unicast. Non-unicast packets include broadcast and multicast packets. Retries Displays the average number of retries per packet.
  • Page 241 To view statistics for an individual WLAN: 1 Select Status and Statistics > Wireless Stats > WLAN Stats (x = target WLAN) from the Altitude 35xx menu tree. 2 Refer to the Information field to view specific WLAN address, MU and security scheme information for the WLAN selected from the Altitude 35xx menu tree.
  • Page 242 Monitoring Statistics Pkts per second The Total column displays the average total packets per second crossing the selected WLAN. The Rx column displays the average total packets per second received on the selected WLAN. The Tx column displays the average total packets per second sent on the selected WLAN.
  • Page 243: Viewing Radio Statistics Summary

    Dropped Packets Displays the percentage of packets which the AP gave up on for all MUs associated with the selected WLAN. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour.
  • Page 244 Monitoring Statistics To view high-level Altitude 35xx radio statistics: 1 Select Status and Statistics > Radio Stats from the Altitude 35xx menu tree. 2 Refer to the Radio Summary field to reference Altitude 35xx radio information. Type Displays the type of radio (either 802.11a or 802.11b/g) currently deployed by the Altitude 35xx.
  • Page 245: Viewing Radio Statistics

    Do not clear the radio stats if currently in an important data gathering activity or risk losing all data calculations to that point. For information on viewing radio statistics particular to the Altitude 35xx radio type displayed within the AP Stats Summary screen, see “Viewing Radio Statistics”...
  • Page 246 Monitoring Statistics 2 Refer to the Information field to view the Altitude 35xx 802.11a or 802.11b/g radio’s MAC address, placement and transmission information. HW Address The Media Access Control (MAC) address of the Altitude 35xx housing the 802.11a radio. The MAC address is set at the factory and can be found on the bottom of the access point.
  • Page 247: Retry Histogram

    Avg MU Signal Displays the average RF signal strength in dBm for all MUs associated with the radio. The number in black represents the average signal for the last 30 seconds and the number in blue represents the average signal for the last hour.
  • Page 248: Viewing Mu Statistics Summary

    Monitoring Statistics The table’s first column shows 0 under Retries. The value under the Packets column directly to the right shows the number of packets transmitted by this access point radio that required 0 retries (delivered on the first attempt). As you go down the table you can see the number of packets requiring 1 retry, 2 retries etc.
  • Page 249 To view Altitude 35xx overview statistics for all of the MUs associated to the Altitude 35xx: 1 Select Status and Statistics > MU Stats from the Altitude 35xx menu tree. 2 Refer to the MU List field to reference associated MU address, throughput and retry information. IP Address: Displays the IP address of each associated MU.
  • Page 250: Viewing Mu Details

    CAM indicates the MU is continuously aware of all radio traffic. Extreme Networks recommends CAM for those MUs transmitting with the AP frequently and for periods of time of two hours.
  • Page 251 HW Address Displays the Media Access Control (MAC) address for the Radio Association Displays the name of the AP MU is currently associated with. If the name of the Altitude 35xx requires modification, “Configuring System Settings” on page QoS Client Type Displays the data type transmitted by the mobile unit.
  • Page 252: Pinging Individual Mus

    Monitoring Statistics 7 Refer to the Errors field to view MU retry information and statistics on packets not transmitted. Avg Num of Retries Displays the average number of retries for the MU. The number in black represents average retries for the last 30 seconds and the number in blue represents average retries for the last hour.
  • Page 253: Mu Authentication Statistics

    MU Authentication Statistics The Altitude 35xx can access and display authentication statistics for individual MUs. To view Altitude 35xx authentication statistics for a specific MU: 1 Select Status and Statistics > MU Stats from the Altitude 35xx menu tree. 2 Highlight a target MU from within the MU List field. 3 Click the MU Authentication Statistics button. Use the displayed statistics to determine if the target MU would be better served with a different Altitude 35xx WLAN or Altitude 35xx radio.
  • Page 254: Viewing Known Access Point Statistics

    Monitoring Statistics The Mesh Statistics Summary screen displays the following information: Conn Type Displays whether the bridge has been defined as a base bridge or a client bridge. For information on defining configuring the access point as either a base or client bridge.
  • Page 255 To view detected access point statistics: 1 Select Status and Statistics > Known AP Stats from the Altitude 35xx menu tree. The Known AP Statistics screen displays the following information: IP Address: The network-assigned Internet Protocol address of the located AP. MAC Address: The unique 48-bit, hard-coded Media Access Control address, known as the device's station identifier.
  • Page 256 A ping test initiated from the Altitude 35xx Known AP Statistics screen uses WNMP pings. Therefore, target devices that are not Extreme Networks access points are unable to respond to the ping test. 5 Click the Send Cfg to APs button to send your access point’s configuration to other access points.
  • Page 257 6 Click the Start Flash button to flash the LEDs of other Altitude 35xxs detected and displayed within the Known AP Statistics screen. Use the Start Flash button to determine the location of the devices displayed within the Known AP Statistics screen.
  • Page 259: Chapter 8: Cli Reference

    The AP35xx Command Line Interface (CLI) is accessed through the serial port or a Telnet session. The AP35xx CLI follows the same conventions as the Web-based user interface. The CLI does, however, provide an “escape sequence”...
  • Page 260: Accessing The Cli Via Telnet

    To connect to the AP35xx CLI through a Telnet connection: 1 If this is your first time connecting to your access point, keep in mind the access point uses a static IP WAN address (10.1.1.1). Additionally, the access point’s LAN port is set as a DHCP client. 2 Enter the default username of admin and the default password of admin123.
  • Page 261 AP35xx>admin>help Displays general CLI user interface help. Syntax help Displays command line help using combinations of function keys for navigation. Example admin>help : display command help - Eg. ?, show ?, s? * Restriction of “?”: : “?” after a function argument is treated : as an argument : Eg.
  • Page 262 CLI Reference AP35xx>admin>passwd Changes the password for the admin login. Syntax passwd Changes the admin password for AP35xx access. This requires typing the old admin password and entering a new password and confirming it. Passwords can be up to 11 characters. The access point CLI treats the following as invalid characters: ->...
  • Page 263 AP35xx>admin>summary Displays the AP35xx’s system summary. Syntax summary Displays a summary of high-level characteristics and settings for the WAN, LAN and WLAN. Example admin>summary ADP-35xx firmware version country code : us ap-mode : independent serial number : 09459-80043 Hw Model : AP3510-US hw version : 01...
  • Page 264 CLI Reference AP35xx>admin>.. Displays the parent menu of the current menu. This command appears in all of the submenus under admin. In each case, it has the same function, to move up one level in the directory structure. Example admin(network.lan)>.. admin(network)>...
  • Page 265 AP35xx>admin> / Displays the root menu, that is, the top-level CLI menu. This command appears in all of the submenus under admin. In each case, it has the same function, to move up to the top level in the directory structure. Example admin(network.lan)>/ admin>...
  • Page 266 CLI Reference AP35xx>admin>save Saves the configuration to system flash. The save command appears in all of the submenus under admin. In each case, it has the same function, to save the current configuration. Syntax save Saves configuration settings. The save command works at all levels of the CLI. The save command must be issued before leaving the CLI for updated settings to be retained.
  • Page 267 AP35xx>admin>quit Exits the command line interface session and terminates the session. The quit command appears in all of the submenus under admin. In each case, it has the same function, to exit out of the CLI. Once the quit command is executed, the login prompt displays again. Example admin>quit
  • Page 268: Network Commands

    CLI Reference Network Commands AP35xx>admin(network)> Displays the network submenu. The items available under this command are shown below. Goes to the LAN submenu. Goes to the WAN submenu. wireless Goes to the Wireless Configuration submenu. firewall Goes to the firewall submenu. router Goes to the router submenu.
  • Page 269 AP35xx>admin(network.lan)> show Displays the AP35xx LAN settings. Syntax show Shows the settings for the AP35xx LAN1 and LAN2 interfaces. Example admin(network.lan)>show LAN On Ethernet Port : LAN1 LAN Ethernet Timeout : disable 802.1x Port Authentication: Username : admin Password : ******** Auto-negotiation : enable Speed...
  • Page 270 CLI Reference AP35xx>admin(network.lan)> set Sets the LAN parameters for the LAN port. Syntax <mode> Enables or disables the AP35xx LAN interface. name <idx-name > Defines the LAN name by index. ethernet-port-lan <idx> Defines which LAN (LAN1 or LAN2) is active on the Ethernet port.
  • Page 271 Related Commands: show Shows the current settings for the AP35xx LAN port. For information on configuring the LAN using the applet (GUI), see “Configuring the LAN Interface” on page 113.
  • Page 272: Network LAN, Bridge Commands

    CLI Reference Network LAN, Bridge Commands AP35xx>admin(network.lan.bridge)> Displays the AP35xx Bridge submenu. show Displays the mesh configuration parameters for the AP35xx’s LANs. Sets the mesh configuration parameters for the AP35xx’s LANs. Moves to the parent menu. Goes to the root menu. save Saves the configuration to system flash.
  • Page 273 AP35xx>admin(network.lan.bridge)> show Displays the mesh bridge configuration parameters for the AP35xx’s LANs. Syntax show Displays the mesh bridge configuration parameters for the AP35xx’s LANs. Example admin(network.lan.bridge)>show ** LAN1 Bridge Configuration ** Bridge Priority : 65500 Hello Time (seconds) Message Age Time (seconds) : 20 Forward Delay Time (seconds) : 15...
  • Page 274 CLI Reference AP35xx>admin(network.lan.bridge)> set Sets the mesh configuration parameters for the AP35xx’s LANs. Syntax priority <LAN-idx> <seconds> Sets bridge priority time in seconds (0-65535) for specified LAN. hello <LAN-idx> <seconds> Sets bridge hello time in seconds (0-10) for specified LAN. msgage <LAN-idx>...
  • Page 275: Network LAN, WLAN-Mapping Commands

    Network LAN, WLAN-Mapping Commands AP35xx>admin(network.lan.wlan-mapping)> Displays the WLAN/Lan/Vlan Mapping submenu. Syntax show Displays the VLAN list currently defined for the AP35xx. Sets the AP35xx VLAN configuration. create Creates a new AP35xx VLAN. edit Edits the properties of an existing AP35xx VLAN. delete Deletes a VLAN.
  • Page 276 CLI Reference AP35xx>admin(network.lan.wlan-mapping)> show Displays the VLAN list currently defined for the AP35xx. These parameters are defined with the set command. Syntax show name Displays the existing list of VLAN names. vlan-cfg Shows WLAN-VLAN mapping and VLAN configuration. lan-wlan Displays a WLAN-LAN mapping summary. wlan Displays the WLAN summary list.
  • Page 277 AP35xx>admin(network.lan.wlan-mapping)> set Sets VLAN parameters for the AP35xx. Syntax mgmt-tag <id> Defines the Management VLAN tag (1-4095). native-tag <id> Sets the Native VLAN tag (1-4095). mode <wlan-idx> Sets WLAN VLAN mode (WLAN 1-16) to either dynamic or static. Example admin(network.lan.wlan-mapping)>set mgmt-tag 1 admin(network.lan.wlan-mapping)>set native-tag 2 admin(network.lan.wlan-mapping)>set mode 1 static...
  • Page 278 AP35xx>admin(network.lan.wlan-mapping)> create Creates a VLAN for the AP35xx. Syntax create VLAN-id Define VLAN-id (1 - 4095). VLAN-id <VLAN-name> Define VLAN-id (1 - 4095) and specify VLAN-name (1 - 31) characters in length. Example admin(network.lan.wlan-mapping)> admin(network.lan.wlan-mapping)>create 5 vlan-5 For information on creating VLANs using the applet (GUI), see “Configuring VLAN Support”...
  • Page 279 AP35xx>admin(network.lan.wlan-mapping)> edit Modifies a VLAN’s name and ID. Syntax edit name <vlan-idx> <name> Modifies an existing VLAN name (1-31 characters in length). <vlan-idx> <vlan-id> Modifies an existing VLAN ID (1-4095). Example admin(network.lan.wlan-mapping)>show name ------------------------------------------------------------------------------- Index VLAN ID VLAN Name ------------------------------------------------------------------------------- Vlan_001...
  • Page 280 CLI Reference AP35xx>admin(network.lan.wlan-mapping)> delete Deletes a specific VLAN or all VLANs. Syntax delete < VLAN id> Deletes a specific VLAN ID (1-16). Deletes all defined VLANs. Example admin(network.lan.wlan-mapping)>show name ------------------------------------------------------------------------------- Index VLAN ID VLAN Name ------------------------------------------------------------------------------- VlanConfRoom Vlan_002 Vlan_003 admin(network.lan.wlan-mapping)>delete 2 admin(network.lan.wlan-mapping)>show name ------------------------------------------------------------------------------- Index...
  • Page 281 AP35xx>admin(network.lan.wlan-mapping)> lan-map Maps an AP35xx VLAN to a WLAN. Syntax lan-map <wlan name> Maps an existing WLAN to an enabled LAN. All names and IDs are case-sensitive. <lan name> Defines enabled LAN name. All names and IDs are case-sensitive. Example admin(network.lan.wlan-mapping)>lan-map wlan1 lan1 For information on mapping VLANs using the applet (GUI), see “Configuring VLAN Support”...
  • Page 282 CLI Reference AP35xx>admin(network.lan.wlan-mapping)> vlan-map Maps an AP35xx VLAN to a WLAN. Syntax vlan-map <wlan name> Maps an existing WLAN to an enabled LAN. All names and IDs are case-sensitive. <vlan name> Defines the existing VLAN name. All names and IDs are case-sensitive. Example admin(network.lan.wlan-mapping)>vlan-map wlan1 vlan1 For information on mapping VLANs using the applet (GUI), see...
  • Page 283: Network LAN, DHCP Commands

    Network LAN, DHCP Commands AP35xx>admin(network.lan.dhcp)> Displays the AP35xx DHCP submenu. The items available are displayed below. show Displays DHCP parameters. Sets DHCP parameters. Adds static DHCP address assignments. delete Deletes static DHCP address assignments. list Lists static DHCP address assignments. Goes to the parent menu.
  • Page 284 CLI Reference AP35xx>admin(network.lan.dhcp)> show Shows DHCP parameter settings. Syntax show Displays DHCP parameter settings for the AP35xx. These parameters are defined with the set command. Example admin(network.lan.dhcp)>show **LAN1 DHCP Information** DHCP Address Assignment Range: Starting IP Address : 192.168.0.100 Ending IP Address : 192.168.0.254 Lease Time : 86400...
  • Page 285 AP35xx>admin(network.lan.dhcp)> set Sets DHCP parameters for the LAN port. Syntax range <LAN-idx> <ip1> <ip2> Sets the DHCP assignment range from IP address <ip1> to IP address <ip2> for the specified LAN. lease <LAN-idx> <lease> Sets the DHCP lease time <lease> in seconds (1-999999) for the specified LAN.
  • Page 286 CLI Reference AP35xx>admin(network.lan.dhcp)> add Adds static DHCP address assignments. Syntax <LAN-idx> <mac> <ip> Adds a reserved static IP address to a MAC address for the specified LAN. Example admin(network.lan.dhcp)>add 1 00A0F8112233 192.160.24.6 admin(network.lan.dhcp)>add 1 00A0F1112234 192.169.24.7 admin(network.lan.dhcp)>list 1 ----------------------------------------------------------------------------- Index MAC Address IP Address -----------------------------------------------------------------------------...
  • Page 287 AP35xx>admin(network.lan.dhcp)> delete Deletes static DHCP address assignments. Syntax delete <LAN-idx> <idx> <entry> Deletes the static DHCP address entry for the specified LAN (1-LAN1, 2-LAN2) and DHCP entry index (1-30). <LAN-idx> all Deletes all static DHCP addresses. Example admin(network.lan.dhcp)>list 1 ----------------------------------------------------------------------------- Index MAC Address IP Address...
  • Page 288 AP35xx>admin(network.lan.dhcp)> list Lists static DHCP address assignments. Syntax list <LAN-idx> <cr> Lists the static DHCP address assignments for the specified LAN (1-LAN1, 2-LAN2). Example admin(network.lan.dhcp)>list 1 ----------------------------------------------------------------------------- Index MAC Address IP Address ----------------------------------------------------------------------------- 00A0F8112233 10.1.2.4 00A0F8102030 10.10.1.2 00A0F8112234 10.1.2.3 00A0F8112235...
  • Page 289: Network Type Filter Commands

    Network Type Filter Commands AP35xx>admin(network.lan.type-filter)> Displays the AP35xx Type Filter submenu. The items available under this command include: show Displays the current Ethernet Type exception list. Defines Ethernet Type Filter parameters. Adds an Ethernet Type Filter entry. delete Removes an Ethernet Type Filter entry. Goes to the parent menu.
  • Page 290 CLI Reference AP35xx>admin(network.lan.type-filter)> show Displays the AP35xx’s current Ethernet Type Filter configuration. Syntax show <LAN-idx> Displays the existing Type-Filter configuration for the specified LAN. Example admin(network.lan.type-filter)>show 1 Ethernet Type Filter mode : allow ----------------------------------------------------------------------------- index ethernet type ----------------------------------------------------------------------------- 8137 For information on displaying the type filter configuration using the applet, see “Setting the Type Filter Configuration”...
  • Page 291 AP35xx>admin(network.lan.type-filter)> set Defines the AP35xx Ethernet Type Filter configuration. Syntax mode <LAN-idx> <filter mode> Allows or denies the AP35xx from processing a specified Ethernet data type for the specified LAN. allow/deny Example admin(network.lan.type-filter)>set mode 1 allow For information on configuring the type filter settings using the applet (GUI), see “Setting the Type Filter Configuration”...
  • Page 292 CLI Reference AP35xx>admin(network.lan.type-filter)> add Adds an Ethernet Type Filter entry. Syntax add <LAN-idx> <type> Adds entered Ethernet Type to list of data types either allowed or denied AP35xx processing permissions for the specified LAN (either LAN1 or LAN2). Example admin(network.lan.type-filter)> admin(network.wireless.type-filter)>add 1 8137 admin(network.wireless.type-filter)>add 2 0806 admin(network.wireless.type-filter)>show 1...
  • Page 293 AP35xx>admin(network.lan.type-filter)> delete Removes an Ethernet Type Filter entry individually or the entire Type Filter list. Syntax delete <LAN-idx> <entry-idx> Deletes the specified Ethernet Type entry index (1 through 16). <LAN-idx> Deletes all Ethernet entries currently in list. Example admin(network.lan.type-filter)>delete 1 1 admin(network.lan.type-filter)>show 1 Ethernet Type Filter mode : allow...
  • Page 294: Network WAN Commands

    CLI Reference Network WAN Commands AP35xx>admin(network.wan)> Displays the WAN submenu. The items available under this command are shown below. show Displays the AP35xx WAN configuration and the AP35xx’s current PPPoE configuration. Defines the AP35xx’s WAN and PPPoE configuration. Displays the NAT submenu, wherein Network Address Translations (NAT) can be defined. Goes to the VPN submenu, where the AP35xx VPN tunnel configuration can be set.
  • Page 295 AP35xx>admin(network.wan)> show Displays the AP35xx WAN port parameters. Syntax show Shows the general IP parameters for the WAN port along with settings for the WAN interface. Example admin(network.wan)>show Status : enable WAN DHCP Client Mode : enable IP Address : 157.235.112.32 Network Mask : 0.0.0.0 Default Gateway...
  • Page 296 AP35xx>admin(network.wan)> set Defines the configuration of the AP35xx WAN port. Syntax enable/disable Enables or disables the AP35xx WAN port. dhcp enable/disable Enables or disables WAN DHCP Client mode. ipadr <idx> <a.b.c.d> Sets up to 8 (using <idx> from 1 to 8) IP addresses <a.b.c.d>...
  • Page 297: Network WAN NAT Commands

    Network WAN NAT Commands AP35xx>admin(network.wan.nat)> Displays the NAT submenu. The items available under this command are shown below. show Displays the AP35xx’s current NAT parameters for the specified index. Defines the AP35xx NAT settings. Adds NAT entries. delete Deletes NAT entries. list Lists NAT entries.
  • Page 298 CLI Reference AP35xx>admin(network.wan.nat)> show Displays AP35xx NAT parameters. Syntax show <idx> <cr> Displays AP35xx NAT parameters for the specified NAT index. Example admin(network.wan.nat)>show 2 WAN IP Mode : enable WAN IP Address : 157.235.91.2 NAT Type : 1-to-many Inbound Mappings : Port Forwarding unspecified port forwarding mode : enable...
  • Page 299 AP35xx>admin(network.wan.nat)> set Sets NAT inbound and outbound parameters. Syntax set type <index> <type> Sets the type of NAT translation for WAN address index <idx> (1-8) to <type> (none, 1-to-1, or 1-to-many). <index> <ip> Sets NAT IP mapping associated with WAN address <idx>...
  • Page 300 CLI Reference AP35xx>admin(network.wan.nat)> add Adds NAT entries. Syntax <idx> <name> <tran> <port1> <port2> <ip> <dst_port> Sets an inbound network address translation (NAT) for WAN address <idx>, where <name> is the name of the entry (1 to 7 characters), <tran> is the transport protocol (one of tcp, udp, icmp, ah, esp, gre, or all), <port1>...
  • Page 301 AP35xx>admin(network.wan.nat)> delete Deletes NAT entries. Syntax delete <idx> <entry> Deletes a specified NAT index entry <entry> associated with the WAN. <idx> Deletes all NAT entries associated with the WAN. Example admin(network.wan.nat)>list 1 ----------------------------------------------------------------------------- index name prot start port end port internal ip translation port -----------------------------------------------------------------------------...
  • Page 302 CLI Reference AP35xx>admin(network.wan.nat)> list Lists AP35xx NAT entries for the specified index. Syntax list <idx> Lists the inbound NAT entries associated with the WAN index (1-8). Example admin(network.wan.nat)>list 1 ----------------------------------------------------------------------------- index name transport start port end port internal ip translation port ----------------------------------------------------------------------------- special tcp 192.168.42.16...
  • Page 303: Network WAN, VPN Commands

    Network WAN, VPN Commands AP35xx>admin(network.wan.vpn)> Displays the VPN submenu. The items available under this command include: Adds VPN tunnel entries. Sets key exchange parameters. delete Deletes VPN tunnel entries. list Lists VPN tunnel entries reset Resets all VPN tunnels. stats Lists security association status for the VPN tunnels.
  • Page 304 AP35xx>admin(network.wan.vpn)> add Adds a VPN tunnel entry. Syntax add <name> <subnet-idx> <local WAN IP> <remote subnet> <remote subnet mask> <remote gateway> Creates a tunnel <name> (1 to 13 characters) to gain access through local WAN IP <local WAN IP>...
  • Page 305 AP35xx>admin(network.wan.vpn)> set Sets VPN entry parameters. Syntax type <name> <tunnel type> Sets the tunnel type <name> to Auto or Manual for the specified tunnel name. authalgo <name> <authalgo> Sets the authentication algorithm for <name> to (None, MD5, or SHA1). authkey <name>...
  • Page 306 salife <name> <lifetime> Defines the name of the tunnel <name> the Security Association Life Time <300-65535> applies to in seconds. opmode <name> <opmode> Sets the Operation Mode of IKE for <name> to Main or Aggr(essive). myidtype <name> <idtype>...
  • Page 307 AP35xx>admin(network.wan.vpn)> delete Deletes VPN tunnel entries. Syntax delete Deletes all VPN entries. <name> Deletes VPN entries by supplied name. Example admin(network.wan.vpn)>list -------------------------------------------------------------------------- Tunnel Name Type Remote IP/Mask Remote Gateway Local WAN IP -------------------------------------------------------------------------- Eng2EngAnnex Manual 192.168.32.2/24 192.168.33.1 192.168.24.198 SJSharkey Manual 206.107.22.45/27 206.107.22.2 209.235.12.55...
  • Page 308 AP35xx>admin(network.wan.vpn)> list Lists VPN tunnel entries. Syntax list <cr> Lists all tunnel entries. <name> Lists detailed information about tunnel named <name>. Note that the <name> must match case with the name of the VPN tunnel entry. Example admin(network.wan.vpn)>list -------------------------------------------------------------------------- Tunnel Name Type...
  • Page 309 AP35xx>admin(network.wan.vpn)> reset Resets all of the AP35xx’s VPN tunnels. Syntax reset Resets all VPN tunnel states. Example admin(network.wan.vpn)>reset VPN tunnels reset. admin(network.wan.vpn)> For information on configuring VPN using the applet (GUI), see “Configuring VPN Tunnels” on page 194.
  • Page 310 CLI Reference AP35xx>admin(network.wan.vpn)> stats Lists statistics for all active tunnels. Syntax stats Display statistics for all VPN tunnels. Example admin(network.wan.vpn)>stats ----------------------------------------------------------------------------- Tunnel Name Status SPI(OUT/IN) Life Time Bytes(Tx/Rx) ----------------------------------------------------------------------------- Eng2EngAnnex Not Active SJSharkey Not Active For information on displaying VPN information using the applet (GUI), see “Viewing VPN Status”...
  • Page 311 AP35xx>admin(network.wan.vpn)> ikestate Displays statistics for all active tunnels using Internet Key Exchange (IKE). Syntax ikestate Displays status about Internet Key Exchange (IKE) for all tunnels. In particular, the table indicates whether IKE is connected for any of the tunnels, it provides the destination IP address, and the remaining lifetime of the IKE key.
  • Page 312: Network WAN Content Commands

    CLI Reference Network WAN Content commands AP35xx>admin(network.wan.content)> Displays the Outbound Content Filtering menu. The items available under this command include: addcmd Adds control commands to block outbound traffic. delcmd Deletes control commands to block outbound traffic. list Lists application control commands. Goes to the parent menu.
  • Page 313 AP35xx>admin(network.wan.content)> addcmd Adds control commands to block outbound traffic. Syntax addcmd Adds WEB commands to block outbound traffic. proxy Adds a Web proxy command. activex Adds activex files. file Adds Web URL extensions (10 files maximum) smtp Adds SMTP commands to block outbound traffic. helo helo command mail...
  • Page 314 CLI Reference AP35xx>admin(network.wan.content)> delcmd Deletes control commands to block outbound traffic. Syntax delcmd Deletes WEB commands to block outbound traffic. proxy Deletes a Web proxy command. activex Deletes activex files. file Deletes Web URL extensions (10 files maximum) smtp Deletes SMTP commands to block outbound traffic. helo helo command mail...
  • Page 315 AP35xx>admin(network.wan.content)> list Lists application control commands. Syntax list Lists WEB application control record. smtp Lists SMTP application control record. Lists FTP application control record. Example admin(network.wan.content)>list web HTTP Files/Commands Web Proxy : deny ActiveX : allow filename admin(network.wan.content)>list smtp SMTP Commands HELO : deny MAIL...
  • Page 316: Network WAN, Dynamic DNS Commands

    CLI Reference Network WAN, Dynamic DNS Commands AP35xx>admin(network.wan.dyndns)> Displays the Dynamic DNS submenu. The items available under this command include: Sets Dynamic DNS parameters. update Sets key exchange parameters. show Shows the Dynamic DNS configuration. Goes to the parent menu. Goes to the root menu.
  • Page 317 AP35xx>admin(network.wan.dyndns)> set Sets the access point’s Dynamic DNS configuration. Syntax mode enable/disable Enables or disables the Dynamic DNS service for the access point. username <name> Enter a 1–32 character username for the account used for the access point. password <password> Enter a 1–32 character password for the account used for the access point.
  • Page 318 AP35xx>admin(network.wan.dyndns)> update Updates the access point’s current WAN IP address with the DynDNS service. Syntax update Updates the access point’s current WAN IP address with the DynDNS service (when DynDNS is enabled). Example admin(network.wan.dyndns)>update IP Address : 157.235.91.231 Hostname : greengiant For an overview of the Dynamic DNS options available using the applet (GUI), see...
  • Page 319 AP35xx>admin(network.wan.dyndns)> show Shows the current Dynamic DNS configuration. Syntax show Shows the access point’s current Dynamic DNS configuration. Example admin(network.wan.dyndns)>show DynDNS Configuration Mode : enable Username : percival Password : ******** Hostname : greengiant DynDNS Update Response IP Address : 157.235.91.231 Hostname : greengiant Status...
  • Page 320: Network Wireless Commands

    CLI Reference Network Wireless Commands AP35xx>admin(network.wireless) Displays the AP35xx wireless submenu. The items available under this command include: Sets the wireless parameters. show Shows the wireless parameters. wlan Goes to the WLAN submenu. security Goes to the Security Policy submenu. Goes to the MU Access Control Policy submenu.
  • Page 321: Network WLAN Commands

    Network WLAN Commands AP35xx>admin(network.wireless.wlan)> Displays the AP35xx wireless LAN (WLAN) submenu. The items available under this command include: show Displays the AP35xx’s current WLAN configuration. create Defines the parameters of a new WLAN. edit Modifies the properties of an existing WLAN. delete Deletes an existing WLAN.
  • Page 322 CLI Reference AP35xx>admin(network.wireless.wlan)> show Displays the AP35xx’s current WLAN configuration. Syntax show summary Displays the current configuration for existing WLANs. wlan <number> Displays the configuration for the requested WLAN (WLAN 1 through 16). Example admin(network.wireless.wlan)>show summary WLAN 1: WLAN name : Lobby ESS ID : 101...
  • Page 323 AP35xx>admin(network.wireless.wlan)> create Defines the parameters of a new WLAN. Syntax create : set ESS ID wlan-name : set WLAN name : enable/disable 802.11a radio 11bg : enable/disable 802.11b/g radio mesh : enable/disable Client Bridge Mesh Backhaul hotspot : enable/disable Hotspot Mode max-client : set maximum number of Clients security...
  • Page 324 CLI Reference WPA Countermeasure enable admin(network.wireless.wlan.create)>show acl ---------------------------------------------------------------------- ACL Policy Name Associated WLANs ---------------------------------------------------------------------- 1 Default Front Lobby 2 Admin 3rd Floor 3 Demo Room 5th Floor admin(network.wireless.wlan.create)>show qos ---------------------------------------------------------------------- QOS Policy Name Associated WLANs ---------------------------------------------------------------------- 1 Default Front Lobby 2 Voice Audio Dept 3 Video...
  • Page 325 AP35xx>admin(network.wireless.wlan)> edit Edits the properties of an existing WLAN policy. Syntax edit <idx> Edits the sequence number (index) in the WLAN summary. For information on editing a WLAN using the applet (GUI), see “Creating/Editing Individual WLANs” on page 135.
  • Page 326 AP35xx>admin(network.wireless.wlan)> delete Deletes an existing WLAN. Syntax delete <wlan-name> Deletes a target WLAN by name supplied. Deletes all WLAN configurations. For information on deleting a WLAN using the applet (GUI), see “Creating/Editing Individual WLANs” on page 135.
  • Page 327 AP35xx>admin(network.wireless.wlan.hotspot)> Displays the Hotspot submenu. The items available under this command include: show Show hotspot parameters. redirection Goes to the hotspot redirection menu. radius Goes to the hotspot RADIUS menu. white-list Goes to the hotspot white-list menu. save Saves the configuration to system flash. quit Quits the CLI.
  • Page 328 CLI Reference AP35xx>admin(network.wireless.wlan.hotspot)> show Displays the current AP35xx Rogue AP detection configuration. Syntax show hotspot <idx> Shows hotspot parameters per wlan index (1-16). Example admin(network.wireless.wlan.hotspot)>show hotspot 1 WLAN1 Hotspot Mode : enable Hotspot Page Location : default External Login URL : www.sjsharkey.com External Welcome URL External Fail URL...
  • Page 329 AP35xx>admin(network.wireless.wlan.hotspot)> redirection Goes to the hotspot redirection menu. redirection <page-loc> Sets the hotspot http-redirection by index (1-16) for the specified URL. <exturl> Shows hotspot http-redirection details for specified index (1-16) for specified page (login, welcome, fail) and target URL. show Shows hotspot http-redirection details.
  • Page 330 CLI Reference AP35xx>admin(network.wireless.wlan.hotspot)> radius Goes to the hotspot RADIUS menu. Syntax Sets the RADIUS hotspot configuration. show Shows RADIUS hotspot server details. save Saves the configuration to system flash. quit Quits the CLI. Goes to the parent menu. Goes to the root menu. For information on configuring the Hotspot options available to the access point using the applet (GUI), “Configuring WLAN Hotspot Support”...
  • Page 331 AP35xx>admin(network.wireless.wlan.hotspot.radius)> set Sets the RADIUS hotspot configuration. Syntax server <idx> <srvr_type> <ipadr> Sets the RADIUS hotspot server IP address per wlan index (1-16) port <idx> <srvr_type> <port> Sets the RADIUS hotspot server port per wlan index (1-16) secret <idx> <srvr_type> <secret>...
  • Page 332 CLI Reference AP35xx>admin(network.wireless.wlan.hotspot.radius)> show Shows RADIUS hotspot server details. Syntax show radius <idx> Displays RADIUS hotspot server details per index (1-16) Example admin(network.wireless.wlan.hotspot.radius)>show radius 1 WLAN 1 Hotspot Mode : enable Primary Server Ip adr : 157.235.12.12 Primary Server Port : 1812 Primary Server Secret : ******...
  • Page 333 AP35xx>admin(network.wireless.wlan.hotspot)> white-list Goes to the hotspot white-list menu. Syntax white-list <rule> Adds hotspot whitelist rules by index (1-16) for specified IP address. clear Clears hotspot whitelist rules for specified index (1-16). show Shows hotspot whitelist rules for specified index (1-16). save Saves the updated hotspot configuration to flash memory.
  • Page 334: Network Security Commands

    CLI Reference Network Security Commands AP35xx>admin(network.wireless.security)> Displays the AP35xx wireless security submenu. The items available under this command include: show Displays the AP35xx’s current security configuration. Sets security parameters. create Defines the parameters of a security policy. edit Edits the properties of an existing security policy. delete Removes a specific security policy.
  • Page 335 AP35xx>admin(network.wireless.security)> show Displays the AP35xx’s current security configuration. Syntax show summary Displays list of existing security policies (1-16). policy <id> Displays the specified security policy <id>. Example admin(network.wireless.security)>show summary ---------------------------------------------------------------------- Secu Policy Name Authen Encryption Associated WLANs ---------------------------------------------------------------------- 1 Default Manual no encrypt Lobby...
  • Page 336 AP35xx>admin(network.wireless.security)> create Defines the parameter of AP35xx security policies. Syntax create Defines the parameters of a security policy. show Displays new or existing security policy parameters. sec-name <name> Sets the name of the security policy. auth <authtype> Sets the authentication type for WLAN <idx>...
  • Page 337 port <port> Set external RADIUS server port number. secret <secret> Set external RADIUS server shared secret password. timeout <period> Defines MU timeout period in seconds (1-255). retry <number> Sets the maximum number of MU retries to <retry> (1-10). syslog <mode> Enable or disable syslog messages.
  • Page 338 Note: TKIP parameters are only affected if “tkip” is selected as the encryption type. tkip rotate-mode <mode> Enables or disables the broadcast key. interval <time> Sets the broadcast key rotation interval to <time> in seconds (300-604800). allow-wpa2- <mode> Enables or disables the tkip interoperation with wpa2-tkip...
  • Page 339 AP35xx>admin(network.wireless.security)> edit Edits the properties of a specific security policy. edit <idx> Edits a profile specified by its ID. A new context opens for the profile being edited. AP35xx>admin(network.wireless.security.edit)> For more information on this context see “Network Security Policy Edit Commands” on page 340.
  • Page 340 CLI Reference Network Security Policy Edit Commands. AP35xx>admin(network.wireless.security.edit)> Displays the AP35xx wireless security policy edit submenu. The items available under this menu include: show Displays the security policy parameters for the selected security policy. Sets security parameters for the selected policy. change Changes the policy and exits this submenu.
  • Page 341 AP35xx>admin(network.wireless.security.edit)>show Displays the security policy details for the selected policy. Syntax show Displays the new or modified security policy parameters. Example admin(network.wireless.security.edit)>show Policy Name : Default Authentication type : Manual Pre-shared key / No authentication Encryption type : WPA/TKIP ccmp broadcast key rotate mode : disable ccmp key type : phrase...
  • Page 342 CLI Reference AP35xx>admin(network.wireless.security.edit)>set Configures the different parameters for the selected security policy. Syntax sec-name <name-str> Sets the name of the selected security profile to <name-str>. auth <auth-type> Sets the authentication type for the selected security profile to <auth-type> (none, eap, kerberos). kerb realm <name-str>...
  • Page 343 mu-quite <time> Sets MU/supplicant Quiet period to <time> (1-65535 seconds). mu-timeout <timeout> Sets MU/supplicant Timeout period to <timeout> (1-255 seconds). mu-tx <time> Sets MU/supplicant Tx period to <time> (1-65535 seconds). mu-retry <count> Sets max MU retries to <count> (1-10). svr-timeout <timeout>...
  • Page 344 CLI Reference <256-bit-key> Sets the 256-bit CCMP key to <256-bit-key> (64 hex digits). mixed-mode <mode> Enables or disables mixed-mode operation. preauth <mode> Enables or disables preauthentication. Example admin(network.wireless.security)>edit 1 admin(network.wireless.security.edit)>show Policy Name : Default Authentication type : Manual Pre-shared key / No authentication Encryption type : WPA/TKIP ccmp broadcast key rotate mode...
  • Page 345 AP35xx>admin(network.wireless.security.edit)>change Saves the policy changes and exits to the security submenu. Syntax change Saves the policy changes and exits to the security submenu. Example admin(network.wireless.security.edit)>set auth none admin(network.wireless.security.edit)>set enc tkip admin(network.wireless.security.edit)>set tkip rotate-mode enable admin(network.wireless.security.edit)>set tkip interval 46 admin(network.wireless.security.edit)>show Policy Name : Default Authentication type : Manual Pre-shared key / No authentication...
  • Page 346: Network Acl Commands

    CLI Reference AP35xx>admin(network.wireless.security)> delete Deletes a specific security policy. Syntax delete <sec-name> Removes the specified security policy from the list of supported policies. <all> Removes all security policies except the default policy. For information on configuring the encryption and authentication options available to the access point using the applet (GUI), see “Configuring Security Options”...
  • Page 347 AP35xx>admin(network.wireless.acl)> show Displays the AP35xx’s current ACL configuration. Syntax show summary Displays the list of existing MU ACL policies. policy <index> Displays the requested MU ACL index policy. Example admin(network.wireless.acl)>show summary ---------------------------------------------------------------------- ACL Policy Name Associated WLANs ---------------------------------------------------------------------- 1 Default Front Lobby, WLAN1 2 Admin Administration...
  • Page 348 CLI Reference AP35xx>admin(network.wireless.acl)> create Creates an MU ACL policy. Syntax create show <acl- Displays the parameters of a new ACL policy. name> acl-name <index> Sets the MU ACL policy name. mode <acl- Sets the ACL mode for the defined index (1-16). mode>...
  • Page 349 AP35xx>admin(network.wireless.acl.edit)> Edits the properties of an existing MU ACL policy. Syntax show Displays MU ACL policy and its parameters. Modifies the properties of an existing MU ACL policy. add-addr Adds an MU ACL table entry. delete Deletes an MU ACL table entry, including starting and ending MAC address ranges. change Completes the changes made and exits the session.
  • Page 350 CLI Reference AP35xx>admin(network.wireless.acl)> delete Removes an MU ACL policy. Syntax delete <acl name> Deletes a particular MU ACL policy. Deletes all MU ACL policies (except for the default policy). For information on configuring the ACL options available to the access point using the applet (GUI), see “Configuring a WLAN Access Control List (ACL)”...
  • Page 351: Network Radio Configuration Commands

    Network Radio Configuration Commands AP35xx>admin(network.wireless.radio)> Displays the AP35xx Radio submenu. The items available under this command include: show Summarizes AP35xx radio parameters at a high-level. Defines the access point radio configuration. radio1 Displays the 802.11b/g radio submenu. radio2 Displays the 802.11a radio submenu. Goes to the parent menu.
  • Page 352 CLI Reference AP35xx>admin(network.wireless.radio)> show Displays the AP35xx’s current radio configuration. Syntax show Displays the AP35xx’s current radio configuration. Example admin(network.wireless.radio)>show Radio Configuration Radio 1 Name : Radio 1 Radio Mode : enable RF Band of Operation : 802.11b/g (2.4 GHz) RF Function : WLAN Wireless Mesh Configuration:...
  • Page 353 AP35xx>admin(network.wireless.radio)> set Enables an AP35xx Radio and defines the RF band of operation. Syntax <mode> Enables or disables the AP35xx’s 802.11a radio. 11bg <mode> Enables or disables the AP35xx’s 802.11b/g radio. rf-function <radio-id> Sets the radio function as either a WIPS sensor or a WLAN <rf-func>...
  • Page 354 Dot11 Auth Algorithm : shared-key-allowed For information on configuring the Radio Configuration options available to the access point using the applet (GUI), see “Setting the WLAN’s Radio Configuration” on page 150.
  • Page 355 AP35xx>admin(network.wireless.radio.radio1)> Displays a specific 802.11b/g radio submenu. The items available under this command include: show Displays 802.11b/g radio settings. Defines specific 802.11b/g radio parameters. delete Deletes the channels defined within the ACS exception list. advanced Displays the Advanced radio settings submenu. mesh Goes to the Wireless AP Connections submenu.
  • Page 356 CLI Reference AP35xx>admin(network.wireless.radio.radio1)> show Displays specific 802.11b/g radio settings. Syntax show radio Displays specific 802.11b/g radio settings. Displays specific 802.11b/g radio WMM QoS settings. Example admin(network.wireless.radio.radio1)>show radio Radio Setting Information Placement : indoor MAC Address : 000496422B70 Radio Type : 802.11b/g ERP Protection : Off Channel Setting...
  • Page 357 Voice 1.504 CAUTION If you do NOT include the index number (for example, "set dtim 50"), the DTIMs for all four BSSIDs will be changed to 50. To change individual DTIMs for BSSIDs, specify the BSS Index number (for example, "set dtim 2 50").
  • Page 358 CLI Reference AP35xx>admin(network.wireless.radio.802-11bg)> set Defines specific 802.11b/g radio parameters. Syntax placement : set Radio location ch-mode : set Channel Selection channel : set Channel (for User Selection only) acs-exception-list : set ACS Exception list (for Auto Selection only) antenna : set Antenna Diversity power : set Power Level bg-mode...
  • Page 359 CAUTION If you do NOT include the index number (for example, "set dtim 50"), the DTIMs for all four BSSIDs will be changed to 50. To change individual DTIMs for BSSIDs, specify the BSS Index number (for example, "set dtim 2 50").
  • Page 360 CLI Reference AP35xx>admin(network.wireless.radio.802-11bg.advanced)> Displays the advanced submenu for the 802.11b/g radio. The items available under this command include: show Displays advanced radio settings for the 802.11b/g radio. Defines advanced parameters for the 802.11b/g radio. Goes to the parent menu. Goes to the root menu. save Saves the configuration to system flash.
  • Page 361 AP35xx>admin(network.wireless.radio.802-11bg.advanced)> show Displays the BSSID to WLAN mapping for the 802.11b/g radio. Syntax show advanced Displays advanced settings for the 802.11b/g radio. wlan Displays WLAN summary list for the 802.11b/g radio. Example admin(network.wireless.radio.802-11bg.advanced)>show advanced ----------------------------------------------------------------------------- WLAN BSS ID BC/MC Cipher Status Message -----------------------------------------------------------------------------...
  • Page 362 CLI Reference AP35xx>admin(network.wireless.radio.802-11bg.advanced)> set Defines advanced parameters for the target 802.11b/g radio. Syntax wlan <wlan-name> <bssid> Defines advanced WLAN to BSSID mapping for the target radio. <bss-id> <wlan name> Sets the BSSID to primary WLAN definition. Example admin(network.wireless.radio.802-11bg.advanced)>set wlan demoroom 1 admin(network.wireless.radio.802-11bg.advanced)>set bss 1 demoroom For information on configuring Radio 1 Configuration options available to the access point using the applet (GUI), see...
  • Page 363 AP35xx>admin(network.wireless.radio.radio2)> Displays a specific 802.11a radio submenu. The items available under this command include: Syntax show Displays 802.11a radio settings Defines specific 802.11a radio parameters. delete Deletes the ACS exception channels. advanced Displays the Advanced radio settings submenu. mesh Goes to the Wireless AP Connections submenu. Goes to the parent menu.
  • Page 364 CLI Reference AP35xx>admin(network.wireless.radio.802-11a)> show Displays specific 802.11a radio settings. Syntax show radio Displays specific 802.11a radio settings. Displays specific 802.11a radio WMM QoS settings. Example admin(network.wireless.radio.802-11a)>show radio Radio Setting Information Placement : indoor MAC Address : 000496422C70 Radio Type : 802.11a Channel Setting : user selection Channel...
  • Page 365 For information on configuring Radio 2 Configuration options available to the access point using the applet (GUI), see “Configuring the 802.11a or 802.11b/g Radio” on page 154.
  • Page 366 CLI Reference AP35xx>admin(network.wireless.radio.802-11a)> set Defines specific 802.11a radio parameters. Syntax placement : set Radio location ch-mode : set Channel Selection channel : set Channel (for User Selection only) acs-exception-list : set ACS Exception list (for Auto Selection only) antenna : set Antenna Diversity power : set Power Level rates...
  • Page 367 AP35xx>admin(network.wireless.radio.802-11a.advanced)> Displays the advanced submenu for the 802-11a radio. The items available under this command include: Syntax show Displays advanced radio settings for the 802-11a radio. Defines advanced parameters for the 802-11a radio. Goes to the parent menu. Goes to the root menu. save Saves the configuration to system flash.
  • Page 368 CLI Reference AP35xx>admin(network.wireless.radio.802-11a.advanced)> show Displays the BSSID to WLAN mapping for the 802.11a radio. Syntax show advanced Displays advanced settings for the 802.11a radio. wlan Displays WLAN summary list for 802.11a radio. Example admin(network.wireless.radio.802-11a.advanced)>show advanced ----------------------------------------------------------------------------- WLAN BSS ID BC/MC Cipher Status Message -----------------------------------------------------------------------------...
  • Page 369 AP35xx>admin(network.wireless.radio.802-11a.advanced)> set Defines advanced parameters for the target 802.11a radio. Syntax wlan <wlan-name> <bssid> Defines advanced WLAN to BSSID mapping for the target radio. <bss-id> <wlan name> Sets the BSSID to primary WLAN definition. Example admin(network.wireless.radio.802-11a.advanced)>set wlan demoroom 1 admin(network.wireless.radio.802-11a.advanced)>set bss 1 demoroom For information on configuring Radio 2 Configuration options available to the access point using the applet (GUI), see “Configuring the 802.11a or 802.11b/g Radio”...
  • Page 370: Network Quality Of Service (Qos) Commands

    CLI Reference Network Quality of Service (QoS) Commands AP35xx>admin(network.wireless.qos)> Displays the AP35xx Quality of Service (QoS) submenu. The items available under this command include: show Displays AP35xx QoS policy information. create Defines the parameters of the QoS policy. edit Edits the settings of an existing QoS policy. delete Removes an existing QoS policy.
  • Page 371 AP35xx>admin(network.wireless.qos)> show Displays the AP35xx’s current QoS policy by summary or individual policy. Syntax show summary Displays all existing QoS policies that have been defined. policy <index> Displays the configuration for the requested QoS policy. Example admin(network.wireless.qos)>show summary ---------------------------------------------------------------------- QOS Policy Name Associated WLANs ---------------------------------------------------------------------- 1 Default...
  • Page 372 CLI Reference AP35xx>admin(network.wireless.qos.create)> Defines an AP35xx QoS policy. Syntax show Displays QoS policy parameters. qos-name <index> Sets the QoS name for the specified index entry. <index> Enables or disables support (by index) for legacy VOIP devices. mcast <mac> Defines primary and secondary Multicast MAC address. wmm-qos <index>...
  • Page 373 AP35xx>admin(network.wireless.qos.edit)> Edits the properties of an existing QoS policy. Syntax show Displays QoS policy parameters. qos-name <index> Sets the QoS name for the specified index entry. <index> Enables or disables support (by index) for legacy VOIP devices. mcast <mac> Defines primary and secondary Multicast MAC address. wmm-qos <index>...
  • Page 374 CLI Reference AP35xx>admin(network.wireless.qos)> delete Removes a QoS policy. Syntax delete <qos-name> Deletes the specified QoS policy index, or all of the policies (except <all> default policy). For information on configuring the WLAN QoS options available to the access point using the applet (GUI), see “Setting the WLAN Quality of Service (QoS) Policy”...
  • Page 375: Network Wireless Rate-Limiting Commands

    Network Wireless Rate-Limiting Commands AP35xx>admin(network.wireless.rate-limiting)> Displays the AP35xx Rate Limiting submenu. The items available under this command include: show Shows the Rate Limiting state and WLAN values. Sets the Rate Limiting state. Goes to the parent menu. Goes to the root menu. save Saves the configuration to system flash.
  • Page 376 AP35xx>admin(network.wireless.rate-limiting)> show Displays the AP35xx’s current Rate Limiting configuration. Syntax show <summary> Displays the current Rate Limiting configuration summary or for defined WLANs as <wlan> well as how they are weighted. Example admin(network.wireless.rate-limiting)> show summary Per-MU Rate Limiting disable
  • Page 377 AP35xx>admin(network.wireless.rate-limiting)> set Defines the AP35xx Rate Limiting configuration. Syntax rate-limit Enable/disable Rate Limiting
  • Page 378: Network Rogue-Ap Commands

    CLI Reference Network Rogue-AP Commands AP35xx>admin(network.wireless.rogue-ap)> Displays the Rogue AP submenu. The items available under this command include: show Displays the current AP35xx Rogue AP detection configuration. Defines the Rogue AP detection method. mu-scan Goes to the Rogue AP mu-scan submenu. allowed-list Goes to the Rogue AP Allowed List submenu.
  • Page 379 AP35xx>admin(network.wireless.rogue-ap)> show Displays the current AP35xx Rogue AP detection configuration. Syntax show Displays the current AP35xx Rogue AP detection configuration. Example admin(network.wireless.rogue-ap)>show MU Scan : disable MU Scan Interval : 60 minutes On-Channel : disable Detector Radio Scan : enable Auto Authorize Extreme APs : disable Approved APs age out...
  • Page 380 MU Scan Interval : 10 minutes On Channel : disable Detector Radio Scan : disable Auto Authorize Extreme Networks APs : enable Approved AP age out : 10 minutes Rogue AP age out : 10 minutes For information on configuring the Rogue AP options available to the access point using the applet (GUI), see “Configuring Rogue AP Detection”...
  • Page 381 AP35xx>admin(network.wireless.rogue-ap.mu-scan)> Displays the Rogue-AP mu-scan submenu. Add all or just one scan result to Allowed AP list. show Displays all APs located by the MU scan. start Initiates scan immediately by the MU. Goes to the parent menu. Goes to the root menu. save Saves the configuration to system flash.
  • Page 382 CLI Reference AP35xx>admin(network.wireless.rogue-ap.mu-scan)> start Initiates an MU scan for a user provided MAC address. Syntax start <mu-mac> Initiates MU scan from user provided MAC address. For information on configuring the Rogue AP options available to the access point using the applet (GUI), see “Configuring Rogue AP Detection”...
  • Page 383 AP35xx>admin(network.wireless.rogue-ap.mu-scan)> show Displays the results of an MU scan. Syntax show Displays all APs located by the MU scan. For information on configuring the Rogue AP options available to the access point using the applet (GUI), see “Configuring Rogue AP Detection” on page 210.
  • Page 384 CLI Reference AP35xx>admin(network.wireless.rogue-ap.allowed-list)> Displays the Rogue-AP allowed-list submenu. show Displays the rogue AP allowed list Adds an AP MAC address and ESSID to the allowed list. delete Deletes an entry or all entries from the allowed list. Goes to the parent menu. Goes to the root menu.
  • Page 385 AP35xx>admin(network.wireless.rogue-ap.allowed-list)> show Displays the Rogue AP allowed List. Syntax show Displays the rogue-AP allowed list. Example admin(network.wireless.rogue-ap.allowed-list)>show Allowed AP List ----------------------------------------------------------------------------- index ap mac essid ----------------------------------------------------------------------------- 00:A0:F8:71:59:20 00:A0:F8:33:44:55 00:A0:F8:40:20:01 Marketing For information on configuring the Rogue AP options available to the access point using the applet (GUI), see “Configuring Rogue AP Detection”...
  • Page 386 CLI Reference AP35xx>admin(network.wireless.rogue-ap.allowed-list)> add Adds an AP MAC address and ESSID to existing allowed list. Syntax <mac-addr> Adds an AP MAC address and ESSID to existing allowed list. <ess-id> “fffffffffffffffff” means any MAC Use a “*” for any ESSID. Example admin(network.wireless.rogue-ap.allowed-list)>add 00A0F83161BB 103 admin(network.wireless.rogue-ap.allowed-list)>show -----------------------------------------------------------------------------...
  • Page 387 AP35xx>admin(network.wireless.rogue-ap.allowed-list)> delete Deletes an AP MAC address and ESSID from the existing allowed list. Syntax delete <idx> Deletes a specified AP MAC address and ESSID index (1-50) from the <all> allowed list. The option also exists to remove all indexes. For information on configuring the Rogue AP options available to the access point using the applet (GUI), see “Configuring Rogue AP Detection”...
  • Page 388: Wips Commands

    CLI Reference WIPS Commands AP35xx>admin(network.wireless.wips> Displays the wips Locationing submenu. The items available under this command include: show Displays the current WLAN Intrusion Prevention configuration. Sets WLAN Intrusion Prevention parameters. Goes to the parent menu. Goes to the root menu. save Saves the configuration to system flash.
  • Page 389 AP35xx>admin(network.wireless.wips> show Shows the WLAN Intrusion Prevention configuration. Syntax show Displays the WLAN Intrusion Prevention configuration. Example admin(network.wireless.wips)>show WIPS Server #1 IP Address : 192.168.0.21 WIPS Server #2 IP Address : 10.10.1.1 admin(network.wireless.wips)>
  • Page 390 AP35xx>admin(network.wireless.wips> set Sets the WLAN Intrusion Prevention configuration. Syntax <idx 1 and 2> <ip> Defines the WLAN Intrusion Prevention Server IP Address for (server IPs 1 and Example admin(network.wireless.wips)>set server 1 192.168.0.21 admin(network.wireless.wips>
  • Page 391: Network Mu Locationing Commands

    Network MU Locationing Commands AP35xx>admin(network.wireless.mu-locationing)> Displays the MU Locationing submenu. The items available under this command include: show Displays the current MU Locationing configuration. Defines MU Locationing parameters. Goes to the parent menu. Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI.
  • Page 392 AP35xx>admin(network.wireless.mu-locationing> show Displays the MU probe table configuration Syntax show Displays the MU probe table configuration. Example admin(network.wireless.mu-locationing)>show MU Probe Table Mode : disable MU Probe Table Size : 200 admin(network.wireless.mu-locationing)>
  • Page 393 AP35xx>admin(network.wireless.mu-locationing> set Defines the MU probe table configuration used for locating MUs. Syntax Defines the MU probe table configuration. mode Enables/disables a mu probe scan for the purposes of MU locationing. size Defines the number of MUs in the table (the maximum allowed is 200). Example admin(network.wireless.mu-locationing)>set admin(network.wireless.mu-locationing)>set mode enable...
  • Page 394: Network Firewall Commands

    CLI Reference Network Firewall Commands AP35xx>admin(network.firewall)> Displays the AP35xx firewall submenu. The items available under this command include: show Displays the AP35xx’s current firewall configuration. Defines the AP35xx’s firewall parameters. access Enables/disables firewall permissions through the LAN and WAN ports. advanced Displays interoperability rules between the LAN and WAN ports.
  • Page 395 AP35xx>admin(network.firewall)> show Displays the AP35xx firewall parameters. Syntax show Shows all AP35xx’s firewall settings. Example admin(network.firewall)>show Firewall Status : disable NAT Timeout : 10 minutes Configurable Firewall Filters: ftp bounce attack filter : enable syn flood attack filter : enable unaligned ip timestamp filter : enable source routing attack filter...
  • Page 396 CLI Reference AP35xx>admin(network.firewall)> set Defines the AP35xx firewall parameters. Syntax mode <mode> Enables or disables the firewall. nat-timeout <interval> Defines the NAT timeout value. <mode> Enables or disables SYN flood attack check. <mode> Enables or disables source routing check. <mode> Enables or disables Winnuke attack check.
  • Page 397 AP35xx>admin(network.firewall)> access Enables or disables firewall permissions through LAN to WAN ports. Syntax show Displays LAN to WAN access rules. Sets LAN to WAN access rules. Adds LAN to WAN exception rules. delete Deletes LAN to WAN access exception rules. list Displays LAN to WAN access exception rules.
  • Page 398 CLI Reference AP35xx>admin(network.firewall)> advanced Displays whether an AP35xx firewall rule is intended for inbound traffic to an interface or outbound traffic from that interface. Syntax show Shows advanced subnet access parameters. Sets advanced subnet access parameters. import Imports rules from subnet access. inbound Goes to the Inbound Firewall Rules submenu.
  • Page 399: Network Router Commands

    Network Router Commands AP35xx>admin(network.router)> Displays the router submenu. The items available under this command are: show Displays the existing AP35xx router configuration. Sets the RIP parameters. Adds user-defined routes. delete Deletes user-defined routes. list Lists user-defined routes. Goes to the parent menu. Goes to the root menu.
  • Page 400 CLI Reference AP35xx>admin(network.router)> show Shows the access point route table. Syntax show Shows the access point route table. Example admin(network.router)>show routes ---------------------------------------------------------------------------- index destination netmask gateway interface metric ---------------------------------------------------------------------------- 192.168.2.0 255.255.255.0 0.0.0.0 lan1 192.168.1.0 255.255.255.0 0.0.0.0 lan2 192.168.0.0 255.255.255.0 0.0.0.0 lan1 192.168.24.0 255.255.255.0...
  • Page 401 AP35xx>admin(network.router)> set Shows the access point route table. Syntax auth Sets the RIP authentication type. Sets RIP direction. Sets MD5 authentication ID. Sets MD5 authentication key. passwd Sets the password for simple authentication. type Defines the RIP type. dgw-iface Sets the default gateway interface. For information on configuring the Router options available to the access point using the applet (GUI), “Configuring Router Settings”...
  • Page 402 CLI Reference AP35xx>admin(network.router)> add Adds user-defined routes. Syntax add <dest> <netmask> <gw> <iface> <metric> Adds a route with destination IP address <dest>, IP netmask <netmask>, destination gateway IP address <gw>, interface LAN1, LAN2 or WAN <iface>, and metric set to <metric>...
  • Page 403 AP35xx>admin(network.router)> delete Deletes user-defined routes. Syntax delete <idx> Deletes the user-defined route <idx> (1-20) from list. Deletes all user-defined routes. Example admin(network.router)>list ---------------------------------------------------------------------------- index destination netmask gateway interface metric ---------------------------------------------------------------------------- 192.168.2.0 255.255.255.0 192.168.0.1 lan1 192.168.1.0 255.255.255.0 0.0.0.0 lan2 192.168.0.0 255.255.255.0 0.0.0.0 lan2 admin(network.router)>delete 2...
  • Page 404 CLI Reference AP35xx>admin(network.router)> list Lists user-defined routes. Syntax list Displays a list of user-defined routes. Example admin(network.router)>list ---------------------------------------------------------------------------- index destination netmask gateway interface metric ---------------------------------------------------------------------------- 192.168.2.0 255.255.255.0 192.168.0.1 lan1 192.168.1.0 255.255.255.0 0.0.0.0 lan2 192.168.0.0 255.255.255.0 0.0.0.0 lan1 For information on configuring the Router options available to the access point using the applet (GUI), “Configuring Router Settings”...
  • Page 405: System Commands

    System Commands AP35xx>admin(system)> Displays the System submenu. The items available under this command are shown below. restart : restart the system show : show ADP-35xx system information : set ADP-35xx system parameters lastpw : display last expired debug password exec : execute a Linux command : display arp table aap-setup...
  • Page 406 ** Please be sure to save changes before resetting. ************************************************************************** Are you sure you want to restart the AP35xx?? (yes/no): AP35xx Boot Firmware Version 2.2.0.0-XXX Copyright(c) Extreme Networks 2007. All rights reserved. Press escape key to run boot firmware ..Power On Self Test testing ram...
  • Page 407 AP35xx>admin(system)>show Displays high-level system information helpful to differentiate this access point. Syntax show Displays AP35xx system information. Example admin(system)>show system name : ADP-35xx system location admin email address system uptime : 0 days 0 hours 56 minutes 27 seconds led state : enable DNS Relay Mode : enable...
  • Page 408 CLI Reference AP35xx>admin(system)>set Sets AP35xx system parameters: name : set ADP-35xx system name : set ADP-35xx system location email : set ADP-35xx admin email address : set ADP-35xx country code : set ADP-35xx LED state dns-relay-mode : set DNS relay mode sslv2 : set SSLv2 mode for apache (enable/disable) weak-ssl-cipher...
  • Page 409 AP35xx>admin(system)>lastpw Displays last expired debug password. Example admin(system)>lastpw AP35xx MAC Address is 00:15:70:02:7A:66 Last debug password was Extreme Networks Current debug password used 0 times, valid 4 more time(s) admin(system)>
  • Page 410 CLI Reference AP35xx>admin(system)>arp Displays the access point’s arp table. Example admin(system)>arp Address HWtype HWaddress Flags Mask Iface 157.235.92.210 ether 00:11:25:14:61:A8 ixp1 157.235.92.179 ether 00:14:22:F3:D7:39 ixp1 157.235.92.248 ether 00:11:25:B2:09:60 ixp1 157.235.92.180 ether 00:0D:60:D0:06:90 ixp1 157.235.92.3 ether 00:D0:2B:A0:D4:FC ixp1 157.235.92.181 ether 00:15:C5:0C:19:27 ixp1 157.235.92.80 ether...
  • Page 411: Adaptive Ap Setup Commands

    Adaptive AP Setup Commands AP35xx>admin(system)>aap-setup Displays the Adaptive AP submenu. show Displays Adaptive AP information. Defines the Adaptive AP configuration. delete Deletes static controller address assignments. Goes to the parent menu. Goes to the root menu. save Saves the current configuration to the AP35xx system flash. quit Quits the CLI and exits the current session.
  • Page 412 CLI Reference AP35xx>admin(system.aap-setup)>show Displays the access point’s Adaptive AP configuration. Syntax show Displays the access point’s Adaptive AP configuration. Example admin(system.aap-setup)>show Auto Discovery Mode : disable Controller Interface : lan1 Controller Name Static IP Port : 24576 Static IP Addresses: IP Address 1 : 0.0.0.0 IP Address 2...
  • Page 413 AP35xx>admin(system.aap-setup)>set Sets AP35xx’s Adaptive AP configuration. auto-discovery : set controller auto-discovery mode interface : set tunnel interface ipadr : set controller ip addresses name : set controller domain name port : set control port passphrase : set controller passphrase tunnel-to-cntrlr : enable/disable AP-Controller Tunnel ac-keepalive : set the AC KeepAlive period...
  • Page 414 CLI Reference AP35xx>admin(system.aap-setup)>delete Deletes static controller address assignments. Syntax delete <idx> Deletes static controller address assignments by selected index. <all> Deletes all assignments. Example admin(system.aap-setup)>delete 1 admin(system.aap-setup)> For information on configuring adaptive AP using the applet (GUI), see “Adaptive AP Setup” on page For an overview of adaptive AP functionality and its implications, see “Adaptive AP”...
  • Page 415 AP-3500 series>admin(system)>lldp Displays the LLDP sub menu. Syntax show Displays LLDP information. Sets LLDP parameters. Goes to the parent menu. Goes to the root menu. save Saves the current configuration to the access point system flash. quit Quits the CLI and exits the current session. For information on configuring LLDP using the applet (GUI), see “Configuring LLDP Settings”...
  • Page 416 CLI Reference AP-3500 series>admin (system.lldp)show Displays LLDP information. Syntax show Displays Adaptive AP information. Example admin(system.lldp)>show LLDP Status : disable LLDP Referesh Interval: 30 LLDP Holdtime Multiplier : 4 For information on configuring LLDP using the applet (GUI), see “Configuring LLDP Settings” page 4-100.
  • Page 417 AP-3500 series>admin (system.lldp)set Sets the LLDP configuration. Syntax show Displays LLDP information. Sets LLDP parameters. Goes to the parent menu. Goes to the root menu. save Saves the current configuration to the access point system flash. quit Quits the CLI and exits the current session.
  • Page 418: System Access Commands

    CLI Reference System Access Commands AP35xx>admin(system)>access Displays the access point access submenu. show Displays AP35xx system access capabilities. Goes to the AP35xx system access submenu. Goes to the parent menu. Goes to the root menu. save Saves the current configuration to the AP35xx system flash. quit Quits the CLI and exits the current session.
  • Page 419 AP35xx>admin(system.access)>set Defines the permissions to access the AP35xx applet, CLI, SNMP as well as defining their timeout values. Syntax applet Defines the applet HTTP/HTTPS access parameters. app-timeout <minutes> Sets the applet timeout. Default is 300 Mins. Defines CLI Telnet access parameters. Enables/disables access from lan and wan.
  • Page 420 CLI Reference AP35xx>admin(system.access)>show Displays the current AP35xx access permissions and timeout values. Syntax show Shows all of the current system access settings for the AP35xx. Example admin(system.access)>set trusted-host mode enable admin(system.access)>set trusted-host range 1 10.1.1.1 10.1.1.10 Warning: Only trusted hosts can access the AP through snmp, http, https, telnet, ssh admin(system.access)>show trusted host access mode : enable...
  • Page 421: System Certificate Management Commands

    System Certificate Management Commands AP35xx>admin(system)>cmgr Displays the Certificate Manager submenu. The items available under this command include: genreq : generate Certificate Request delself : delete Signed Certificate loadself : load Signed Certificate signed by CA listself : list the Signed Certificate loaded loadca : load root CA certificate delca...
  • Page 422 AP35xx>admin(system.cmgr)> genreq Generates a certificate request. Syntax genreq <IDname> <Subject> [-ou <OrgUnit>] [-on <OrgName>] [-cn <City>] [-st <State>] [-p <PostCode>] [-cc <CCode>] [-e <Email>] [-d <Domain>] [-i <IP>] [-sa <SAlgo>] Generates a self-certificate request for a Certification Authority (CA), where: <IDname>...
  • Page 423 AP35xx>admin(system.cmgr)> delself Deletes a self certificate. Syntax delself <IDname> Deletes the self certificate named <IDname>. Example admin(system.cmgr)>delself MyCert2 For information on configuring self certificate settings using the applet (GUI), see “Creating Self Certificates for Accessing the VPN” on page...
  • Page 424 AP35xx>admin(system.cmgr)> loadself Loads a self certificate signed by the Certificate Authority. Syntax loadself <IDname> [https] Load the self certificate signed by the CA with name <IDname> (7 characters). HTTPS is needed for an apache certificate and keys. For information on configuring self certificate settings using the applet (GUI), see “Creating Self Certificates for Accessing the VPN”...
  • Page 425 AP35xx>admin(system.cmgr)> listself Lists the loaded self certificates. Syntax listself Lists all self certificates that are loaded. For information on configuring self certificate settings using the applet (GUI), see “Creating Self Certificates for Accessing the VPN” on page...
  • Page 426 CLI Reference AP35xx>admin(system.cmgr)> loadca Loads a trusted certificate from the Certificate Authority. Syntax loadca Loads the trusted certificate (in PEM format) that is pasted into the command line. For information on configuring certificate settings using the applet (GUI), see “Importing a CA Certificate”...
  • Page 427 AP35xx>admin(system.cmgr)> delca Deletes a trusted certificate. Syntax delca <IDname> Deletes the trusted certificate. For information on configuring certificate settings using the applet (GUI), see “Importing a CA Certificate” on page...
  • Page 428 AP35xx>admin(system.cmgr)> listca Lists the loaded trusted certificate. Syntax listca Lists the loaded trusted certificates. For information on configuring certificate settings using the applet (GUI), see “Importing a CA Certificate” on page...
  • Page 429 AP35xx>admin(system.cmgr)> showreq Displays a certificate request in PEM format. Syntax showreq <IDname> Displays a certificate request named <IDname> generated from the genreq command (7 characters maximum). For information on configuring certificate settings using the applet (GUI), see “Importing a CA Certificate”...
  • Page 430 AP35xx>admin(system.cmgr)> delprivkey Deletes a private key. Syntax delprivkey <IDname> Deletes private key named <IDname>. For information on configuring certificate settings using the applet (GUI), see “Creating Self Certificates for Accessing the VPN” on page...
  • Page 431 AP35xx>admin(system.cmgr)> listprivkey Lists the names of private keys. Syntax listprivkey Lists all private keys and their associated certificates. For information on configuring certificate settings using the applet (GUI), see “Importing a CA Certificate” on page...
  • Page 432 CLI Reference AP35xx>admin(system.cmgr)> expcert Exports the certificate file to a user defined location. Syntax expcert Exports the access point’s CA or Self certificate file. To export certificate information from an Altitude 3510 or Altitude 3550 model access point: admin(system.cmgr)>expcert ? <type>...
  • Page 433 AP35xx>admin(system.cmgr)> impcert Imports the target certificate file. Syntax impcert Imports the target certificate file. To import certificate information from an Altitude 3510 or Altitude 3550 model access point: admin(system.cmgr)>impcert ? <type> <file name> [https] <cr> : type: ftp/tftp : file name: Certificate file name : https: If set to import apache certificate : and key : Server options for this file are the same...
  • Page 434: System Snmp Commands

    CLI Reference System SNMP Commands AP35xx>admin(system)> snmp Displays the SNMP submenu. The items available under this command are shown below. access Goes to the SNMP access submenu. traps Goes to the SNMP traps submenu. Goes to the parent menu. Goes to the root menu. save Saves the configuration to system flash.
  • Page 435 AP35xx>admin(system.snmp.access)> show Shows the SNMP v3 engine ID. Syntax show Shows the SNMP v3 Engine ID. Example admin(system.snmp.access)>show eid AP35xx snmp v3 engine id : 000001846B8B4567F871AC68 admin(system.snmp.access)> For information on configuring SNMP access settings using the applet (GUI), see “Configuring SNMP Access Control”...
  • Page 436 AP35xx>admin(system.snmp.access)> add Adds SNMP access entries for specific v1v2 and v3 user definitions. Syntax add acl <ip1> <ip2> Adds an entry to the SNMP access control list with <ip1> as the starting IP address and <ip2> as the ending IP address. v1v2c <comm>...
  • Page 437 AP35xx>admin(system.snmp.access)> delete Deletes SNMP access entries for specific v1v2 and v3 user definitions. Syntax delete <idx> Deletes entry <idx> (1-10) from the access control list. Deletes all entries from the access control list. v1v2c <idx> Deletes entry <idx> (1-10) from the v1/v2 configuration list. Deletes all entries from the v1/v2 configuration list.
  • Page 438 CLI Reference AP35xx>admin(system.snmp.access)> list Lists SNMP access entries. Syntax list Lists SNMP access control list entries. v1v2c Lists SNMP v1/v2c configuration. <idx> Lists SNMP v3 user definition with index <idx>. Lists all SNMP v3 user definitions. Example admin(system.snmp.access)>list acl ---------------------------------------------------------------- index start ip end ip...
  • Page 439: System Snmp Traps Commands

    System SNMP Traps Commands AP35xx>admin(system.snmp.traps) Displays the SNMP traps submenu. The items available under this command are shown below. show Shows SNMP trap parameters. Sets SNMP trap parameters. Adds SNMP trap entries. delete Deletes SNMP trap entries. list Lists SNMP trap entries. Goes to the parent menu.
  • Page 440 CLI Reference AP35xx>admin(system.snmp.traps)> show Shows SNMP trap parameters. Syntax show trap Shows SNMP trap parameter settings. rate-trap Shows SNMP rate-trap parameter settings. Example admin(system.snmp.traps)>show trap SNMP MU Traps mu associated : enable mu unassociated : disable mu denied association : disable mu denied authentication : disable SNMP Traps...
  • Page 441 AP35xx>admin(system.snmp.traps)> set Sets SNMP trap parameters. Syntax mu-assoc enable/disable Enables/disables the MU associated trap. mu-unassoc enable/disable Enables/disables the MU unassociated trap. mu-deny-assoc enable/disable Enables/disables the MU association denied trap. mu-deny-auth enable/disable Enables/disables the MU authentication denied trap. snmp-auth enable/disable Enables/disables the authentication failure trap. snmp-acl enable/disable Enables/disables the SNMP ACL violation trap.
  • Page 442 CLI Reference AP35xx>admin(system.snmp.traps)> add Adds SNMP trap entries. Syntax <ver> add v1v2 <ip> <port> <comm> Adds an entry to the SNMP v1/v2 access list with the destination IP address set to <ip>, the destination UDP port set to <port>, the community string set to <comm> (1 to 31 characters), and the SNMP version set to <ver>.
  • Page 443 AP35xx>admin(system.snmp.traps)> delete Deletes SNMP trap entries. Syntax delete v1v2c <idx> Deletes entry <idx> from the v1v2c access control list. Deletes all entries from the v1v2c access control list. <idx> Deletes entry <idx> from the v3 access control list. Deletes all entries from the v3 access control list. Example admin(system.snmp.traps)>delete v1v2 all For information on configuring SNMP traps using the applet (GUI), see...
  • Page 444 CLI Reference AP35xx>admin(system.snmp.traps)> list Lists SNMP trap entries. Syntax list v1v2c Lists SNMP v1/v2c access entries. <idx> Lists SNMP v3 access entry <idx>. Lists all SNMP v3 access entries. Example admin(system.snmp.traps)>add v1v2 203.223.24.2 162 mycomm v1 admin(system.snmp.traps)>list v1v2c ---------------------------------------------------------------------- index dest ip dest port community...
  • Page 445: System User Database Commands

    System User Database Commands AP35xx>admin(system)> userdb Goes to the user database submenu. user Goes to the user submenu. group Goes to the group submenu. save Saves the configuration to system flash. Goes to the parent menu. Goes to the root menu. For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group”...
  • Page 446: Adding And Removing Users From The User Database

    CLI Reference Adding and Removing Users from the User Database AP35xx>admin(system.userdb)> user Adds and removes users from the user database and defines user passwords. Adds a new user. delete Deletes an existing user ID. clearall Removes all existing user IDs from the system. Sets a password for a user.
  • Page 447 AP35xx>admin(system.userdb.user)> add Adds a new user to the user database. Syntax <name> Adds a new user and password to the user database. <password> Example admin(system.userdb.user>add george password admin(system.userdb.user> For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group”...
  • Page 448 AP35xx>admin(system.userdb.user)> delete Removes a user from the user database. Syntax delete Removes a user ID string from the user database. Example admin(system.userdb.user>delete george admin(system.userdb.user> For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group”...
  • Page 449 AP35xx>admin(system.userdb.user)>clearall Removes all existing user IDs from the system. Syntax clearall Removes all existing user IDs from the system. Example admin(system.userdb.user>clearall admin(system.userdb.user> For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group” on page 226.
  • Page 450 CLI Reference AP35xx>admin(system.userdb.user)>set Sets a password for a user. Syntax <userid> Sets a password for a specific user. <passwd> Example admin(system.userdb.user>set george password admin(system.userdb.user> For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group” on page 226.
  • Page 451: Adding And Removing Groups From The User Database

    Adding and Removing Groups from the User Database AP35xx>admin(system.userdb)> group Adds and removes groups from the user database. create Creates a group name. delete Deletes a group name. clearall Removes all existing group names from the system. Adds a user to an existing group. remove Removes a user from an existing group.
  • Page 452 CLI Reference AP35xx>admin(system.userdb.group> create Creates a group name. Once defined, users can be added to the group. Syntax create Creates a group name. Once defined, users can be added to the group. Example admin(system.userdb.group>create 2 admin(system.userdb.group> For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group”...
  • Page 453 AP35xx>admin(system.userdb.group> delete Deletes an existing group. Syntax delete Deletes an existing group. Example admin(system.userdb.group>delete 2 admin(system.userdb.group> For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group” on page 226.
  • Page 454 CLI Reference AP35xx>admin(system.userdb.group> clearall Removes all existing group names from the system. Syntax clearall Removes all existing group names from the system. Example admin(system.userdb.group>clearall admin(system.userdb.group> For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group” on page 226.
  • Page 455 AP35xx>admin(system.userdb.group> add Adds a user to an existing group. Syntax <userid> Adds a user <userid> to an existing group <group>. <group> Example admin(system.userdb.group>add lucy group x admin(system.userdb.group> For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group”...
  • Page 456 AP35xx>admin(system.userdb.group> remove Removes a user from an existing group. Syntax remove <userid> Removes a user <userid> from an existing group <group>. <group> Example admin(system.userdb.group>remove lucy group x admin(system.userdb.group> For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group”...
  • Page 457 AP35xx>admin(system.userdb.group> show Displays existing groups. Syntax show Displays existing groups and users. users Displays configured user IDs for a group. groups Displays configured groups. Example admin(system.userdb.group>show groups List of Group Names : engineering : marketing : demo room admin(system.userdb.group> For information on configuring User Database permissions using the applet (GUI), see “Defining User Access Permissions by Group”...
  • Page 458: System Radius Commands

    CLI Reference System RADIUS Commands AP35xx>admin(system)> radius Goes to the RADIUS system submenu. Goes to the EAP submenu. policy Goes to the access policy submenu. ldap Goes to the LDAP submenu. proxy Goes to the proxy submenu. client Goes to the client submenu. Sets RADIUS parameters.
  • Page 459 AP35xx>admin(system.radius)> set/show Sets or displays the RADIUS user database. Syntax Sets the RADIUS user database. show all Displays the RADIUS user database. Example admin(system.radius)>set database local admin(system.radius)>show all Database : local admin(system.radius)> For information on configuring RADIUS using the applet (GUI), see “Configuring User Authentication”...
  • Page 460 CLI Reference AP35xx>admin(system.radius)> eap Goes to the EAP submenu. Syntax peap Goes to the Peap submenu. ttls Goes to the TTLS submenu. import Imports the requested EAP certificates. Defines EAP parameters. show Displays the EAP configuration. save Saves the configuration to system flash. quit Quits the CLI.
  • Page 461 AP35xx>admin(system.radius.eap)> peap Goes to the Peap submenu. Syntax Defines Peap parameters. show Displays the Peap configuration. save Saves the configuration to system flash. quit Quits the CLI. Goes to the parent menu. Goes to the root menu. For information on configuring PEAP RADIUS using the applet (GUI), see “Configuring User Authentication”...
  • Page 462 AP35xx>admin(system.radius.eap.peap> set/show Defines and displays Peap parameters. Syntax Sets the Peap authentication <type>. show Displays the Peap authentication type. Example admin(system.radius.eap.peap)>set auth gtc admin(system.radius.eap.peap)>show PEAP Auth Type : gtc For information on configuring EAP PEAP RADIUS values using the applet (GUI), see “Configuring User Authentication”...
  • Page 463 AP35xx>admin(system.radius.eap)> ttls Goes to the TTLS submenu. Syntax Defines TTLS parameters. show Displays the TTLS configuration. save Saves the configuration to system flash. quit Quits the CLI. Goes to the parent menu. Goes to the root menu. For information on configuring EAP TTLS RADIUS values using the applet (GUI), see “Configuring User Authentication”...
  • Page 464 AP35xx>admin(system.radius.eap.ttls> set/show Defines and displays TTLS parameters. Syntax Sets the TTLS authentication <type>. show Displays the TTLS authentication type. Example admin(system.radius.eap.ttls)>set auth pap admin(system.radius.eap.ttls)>show TTLS Auth Type : pap For information on configuring EAP TTLS RADIUS values using the applet (GUI), see “Configuring User Authentication”...
  • Page 465 AP35xx>admin(system.radius)> policy Goes to the access policy submenu. Syntax Sets a group’s WLAN access policy. access-time Goes to the time based login submenu. show Displays the group’s access policy. save Saves the configuration to system flash. quit Quits the CLI. Goes to the parent menu.
  • Page 466 CLI Reference AP35xx>admin(system.radius.policy> set Defines the group’s WLAN access policy. Syntax <group> Defines the group’s <group name> WLAN access policy (WLAN name <wlan(s)> delimited by a space). Example admin(system.radius.policy)>set engineering 16 admin(system.radius.policy)> For information on configuring RADIUS WLAN policy values using the applet (GUI), see “Configuring User Authentication”...
  • Page 467 AP35xx>admin(system.radius.policy> access-time Goes to the time-based login submenu. Syntax <group> Defines a target group’s access time permissions. Access time is in <access-time> DayDDDD-DDDD format. show Displays the group’s access time rule. save Saves the configuration to system flash. quit Quits the CLI. Goes to the parent menu.
  • Page 468 CLI Reference AP35xx>admin(system.radius.policy> show Displays a group’s access policy. Syntax show Displays a group’s access policy. Example admin(system.radius.policy)>show List of Access Policies engineering : 16 marketing : 10 demo room test demo : No Wlans admin(system.radius.policy)> For information on configuring RADIUS WLAN policy values using the applet (GUI), see “Configuring User Authentication”...
  • Page 469 AP35xx>admin(system.radius)> ldap Goes to the LDAP submenu. Defines the LDAP parameters. show Displays existing LDAP parameters (command must be supplied as “show all”). save Saves the configuration to system flash. quit Quits the CLI. Goes to the parent menu. Goes to the root menu. For information on configuring a RADIUS LDAP server using the applet (GUI), see “Configuring LDAP Authentication”...
  • Page 470 CLI Reference AP35xx>admin(system.radius.ldap)> set Defines the LDAP parameters. Syntax Defines the LDAP parameters. ipadr Sets LDAP IP address. port Sets LDAP server port. binddn Sets LDAP bind distinguished name. basedn Sets LDAP base distinguished name. passwd Sets LDAP server password. login Sets LDAP login attribute.
  • Page 471 AP35xx>admin(system.radius.ldap)> show all Displays existing LDAP parameters. Syntax show all Displays existing LDAP parameters. Example admin(system.radius.ldap)>show all LDAP Server IP : 0.0.0.0 LDAP Server Port : 389 LDAP Bind DN : cn=manager, o=trion LDAP Base DN : 0=trion LDAP Login Attribute : (uid=%{Stripped-User-Name:-%{User-Name}}) LDAP Password attribute : userPassword...
  • Page 472 CLI Reference AP35xx>admin(system.radius)> proxy Goes to the RADIUS proxy server submenu. Adds a proxy realm. delete Deletes a proxy realm. clearall Removes all proxy server records. Sets proxy server parameters. show Displays current RADIUS proxy server parameters. save Saves the configuration to system flash. quit Quits the CLI.
  • Page 473 AP35xx>admin(system.radius.proxy)> add Adds a proxy. Syntax Adds a proxy realm. name <name> Realm name. <ip1> Authentication server IP address. port <port> Authentication server port. <sec> Shared secret password. Example admin(system.radius.proxy)>add lancelot 157.235.241.22 1812 muddy admin(system.radius.proxy)> For information on configuring RADIUS proxy server values using the applet (GUI), see “Configuring a Proxy Radius Server”...
  • Page 474 AP35xx>admin(system.radius.proxy)> delete Deletes a proxy. Syntax delete <realm> Deletes a specified realm name. Example admin(system.radius.proxy)>delete lancelot admin(system.radius.proxy)> For information on configuring RADIUS proxy server values using the applet (GUI), see “Configuring a Proxy Radius Server” on page 222.
  • Page 475 AP35xx>admin(system.radius.proxy)> clearall Removes all proxy server records from the system. Syntax clearall Removes all proxy server records from the system. Example admin(system.radius.proxy)>clearall admin(system.radius.proxy)> For information on configuring RADIUS proxy server values using the applet (GUI), see “Configuring a Proxy Radius Server” on page 222.
  • Page 476 CLI Reference AP35xx>admin(system.radius.proxy)> set Sets Radius proxy server parameters. Syntax Sets Radius proxy server parameters. delay Defines retry delay time (in seconds) for the proxy server. count Defines retry count value for the proxy server. Example admin(system.radius.proxy)>set delay 10 admin(system.radius.proxy)>set count 5 admin(system.radius.proxy)>...
  • Page 477 AP35xx>admin(system.radius)> client Goes to the RADIUS client submenu. Adds a RADIUS client to list of available clients. delete Deletes a RADIUS client from list of available clients. show Displays a list of configured clients. save Saves the configuration to system flash. quit Quits the CLI.
  • Page 478 CLI Reference AP35xx>admin(system.radius.client> add Adds a RADIUS client to those available to the RADIUS server. Syntax Adds a proxy. <ip> Client’s IP address. mask <ip1> Network mask address of the client. secret <sec> Shared secret password. Example admin(system.radius.client)>add 157.235.132.11 255.255.255.225 muddy admin(system.radius.client)>...
  • Page 479 AP35xx>admin(system.radius.client> delete Removes a specified RADIUS client from those available to the RADIUS server. Syntax delete <ipadr> Removes a specified RADIUS client (by IP address) from those available to the RADIUS server Example admin(system.radius.client)>delete 157.235.132.11 admin(system.radius.client)> For information on configuring RADIUS client values using the applet (GUI), see “Configuring the Radius Server”...
  • Page 480 CLI Reference AP35xx>admin(system.radius.client> show Displays a list of configured RADIUS clients. Syntax show Removes a specified RADIUS client from those available to the RADIUS server. Example admin(system.radius.client)>show ---------------------------------------------------------------------------- Subnet/Host Netmask SharedSecret ---------------------------------------------------------------------------- 157.235.132.11 255.255.255.225 ***** admin(system.radius.client)> For information on configuring RADIUS client values using the applet (GUI), see “Configuring the Radius Server”...
  • Page 481: System Network Time Protocol (Ntp) Commands

    System Network Time Protocol (NTP) Commands AP35xx>admin(system)> ntp Displays the NTP menu. The correct network time is required for numerous functions to be configured accurately on the AP35xx. Syntax show Shows NTP parameters settings. date-zone Show date, time and time zone. zone-list Displays list of time zones.
  • Page 482 CLI Reference AP35xx>admin(system.ntp)> show Displays the NTP server configuration. Syntax show Shows all NTP server settings. Example admin(system.ntp)>show current time (UTC) : 2006-07-31 14:35:20 Time Zone: ntp mode : enable preferred Time server ip : 203.21.37.18 preferred Time server port : 123 first alternate server ip : 203.21.37.19...
  • Page 483 AP35xx>admin(system.ntp)> date-zone Show date, time and time zone. Syntax date-zone Show date, time and time zone. Example admin(system.ntp)>date-zone Date/Time : Sat 1970-Jan-03 20:06:22 +0000 UTC Time Zone : UTC For information on configuring NTP using the applet (GUI), see “Configuring Network Time Protocol (NTP)”...
  • Page 484 CLI Reference AP35xx>admin(system.ntp)> zone-list Displays an extensive list of time zones for countries around the world. Syntax zone-list Displays list of time zone indexes for every known zone. Example admin(system.ntp)> zone-list For information on configuring NTP using the applet (GUI), see “Configuring Network Time Protocol (NTP)”...
  • Page 485 AP35xx>admin(system.ntp)> set Sets NTP parameters for AP35xx clock synchronization. Syntax mode <ntp-mode> Enables or disables NTP. server <idx> <ip> Sets the NTP server IP address. port <idx> <port> Defines the port number. intrvl <period> Defines the clock synchronization interval used between the AP35xx and the NTP server in minutes (15 - 65535).
  • Page 486: System Log Commands

    CLI Reference System Log Commands AP35xx>admin(system)> logs Displays the AP35xx log submenu. Logging options include: show Shows logging options. Sets log options and parameters. view Views system log. delete Deletes the system log. send Sends log to the designated FTP Server. Goes to the parent menu.
  • Page 487 AP35xx>admin(system.logs)> show Displays the current AP35xx logging settings. Syntax show Displays the current access point logging configuration. Example admin(system.logs)>show log level : L6 Info syslog server logging : enable syslog server ip address : 192.168.0.102 For information on configuring logging settings using the applet (GUI), see “Logging Configuration”...
  • Page 488 CLI Reference AP35xx>admin(system.logs)> set Sets log options and parameters. Syntax level <level> Sets the level of the events that will be logged. All events with a level at or above <level> (L0-L7) will be saved to the system log. L0:Emergency L1:Alert L2:Critical L3:Errors...
  • Page 489 AP35xx>admin(system.logs)> view Displays the AP35xx system log file. Syntax view Displays the entire AP35xx system log file. Example admin(system.logs)>view 7 16:14:00 (none) syslogd 1.4.1: restart (remote reception). 7 16:14:10 (none) klogd: :ps log:fc: queue maintenance 7 16:14:41 (none) klogd: :ps log:fc: queue maintenance 7 16:15:43 (none) last message repeated 2 times 7 16:16:01 (none) CC: 4:16pm...
  • Page 490 AP35xx>admin(system.logs)> delete Deletes the log files. Syntax delete Deletes the AP35xx system log file. Example admin(system.logs)>delete For information on configuring logging settings using the applet (GUI), see “Logging Configuration” on page 102.
  • Page 491 AP35xx>admin(system.logs)> send Sends log and core file to an FTP Server. Syntax send Sends the system log file via FTP to a location specified with the set command. Refer to the command set under the (system.fwupdate) command for information on setting up an FTP server and login information.
  • Page 492: System Configuration-Update Commands

    CLI Reference System Configuration-Update Commands AP35xx>admin(system.config)> Displays the AP35xx configuration update submenu. default Restores the default AP35xx configuration. partial Restores a partial default AP35xx configuration. show Shows import/export parameters. Sets import/export AP35xx configuration parameters. export Exports AP35xx configuration to a designated system. import Imports configuration to the access point.
  • Page 493 AP35xx>admin(system.config)> default Restores the full AP35xx factory default configuration. Syntax default Restores the AP35xx to the original (factory) configuration. Example admin(system.config)>default Are you sure you want to default the configuration? <yes/no>: For information on importing/exporting access point configurations using the applet (GUI), see “Importing/Exporting Configurations”...
  • Page 494 CLI Reference AP35xx>admin(system.config)> partial Restores a partial factory default configuration. The AP35xx’s LAN, WAN and SNMP settings are unaffected by the partial restore. Syntax default Restores a partial access point configuration. Example admin(system.config)>partial Are you sure you want to partially default AP35xx? <yes/no>: For information on importing/exporting access point configurations using the applet (GUI), see “Importing/Exporting Configurations”...
  • Page 495 AP35xx>admin(system.config)> show Displays import/export parameters for the AP35xx configuration file. Syntax show Shows all import/export parameters. Example admin(system.config)>show cfg filename : cfg.txt cfg filepath ftp/tftp server ip address : 192.168.0.101 ftp user name : myadmin ftp password : ******** For information on importing/exporting access point configurations using the applet (GUI), see “Importing/Exporting Configurations”...
  • Page 496 CLI Reference AP35xx>admin(system.config)> set Sets the import/export parameters. Syntax file <filename> Sets the configuration file name (1 to 39 characters in length). path <path> Defines the path used for the configuration file upload. server <ipaddress> Sets the FTP/TFTP server IP address. user <username>...
  • Page 497 AP35xx>admin(system.config)> export Exports the configuration from the system. Syntax export Exports the AP35xx configuration to the FTP server. Use the set command to set the server, user, password, and file name before using this command. tftp Exports the AP35xx configuration to the TFTP server. Use the set command to set the IP address for the TFTP server before using the command.
  • Page 498 CLI Reference AP35xx>admin(system.config)> import Imports the AP35xx configuration to the access point. Errors could display as a result of invalid configuration parameters. Correct the specified lines and import the file again until the import operation is error free. Syntax import Imports the AP35xx configuration file from the FTP server.
  • Page 499: Firmware Update Commands

    Firmware Update Commands AP35xx>admin(system)>fw-update Displays the firmware update submenu. The items available under this command are shown below. NOTE The access point must complete the reboot process to successfully update the device firmware, regardless of whether the reboot is conducted using the GUI or CLI interfaces. show Displays the current AP35xx firmware update settings.
  • Page 500 CLI Reference AP35xx>admin(system.fw-update)>show Displays the current AP35xx firmware update settings. Syntax show Shows the current system firmware update settings for the AP35xx. Example admin(system.fw-update)>show automatic firmware upgrade : enable automatic config upgrade : enable firmware filename : APFW.bin firmware path : /tftpboot/ ftp/tftp server ip address : 168.197.2.2...
  • Page 501 AP35xx>admin(system.fw-update)>set Defines AP35xx firmware update settings and user permissions. Syntax fw-auto <mode> When enabled, updates device firmware each time the firmware versions are found to be different between the AP35xx and the specified firmware on the remote system. cfg-auto <mode> When enabled, updates device configuration file each time the config file versions are found to be different between the AP35xx and the specified LAN or WAN interface.
  • Page 502 CLI Reference AP35xx>admin(system.fw-update)>update Executes the AP35xx firmware update over the WAN or LAN port using either ftp or tftp. Syntax update <mode> Defines the ftp or tftp mode used to conduct the firmware update. Specifies whether the update is executed over the AP35xx’s WAN, LAN1 or LAN2 interface <iface>. NOTE The access point must complete the reboot process to successfully update the device firmware, regardless of whether the reboot is conducted using the GUI or CLI interfaces.
  • Page 503: Statistics Commands

    Statistics Commands AP35xx>admin(stats) Displays the AP35xx statistics submenu. The items available under this command are: show Displays AP35xx WLAN, MU, LAN and WAN statistics. send-cfg-ap Sends a config file to another access point within the known AP table. send-cfg-all Sends a config file to all access points within the known AP table. clear Clears all statistic counters to zero.
  • Page 504 CLI Reference AP35xx>admin(stats)> show Displays AP35xx system information. Syntax show : show WAN Status and Statistics : show LAN Status and Statistics : show LAN Spanning Tree Status wlan : show WLAN Status and Statistics Summary s-wlan : show single WLAN status and statistics radio : show Radio Statistics Summary s-radio...
  • Page 505 AP35xx>admin(stats)> send-cfg-ap Copies the AP35xx’s configuration to another AP35xx within the known AP table. Syntax send-cfg-ap <idx> Copies the AP35xx’s configuration to the AP35xxs within the known AP table. Mesh configuration attributes do not get copied using this command and must be configured manually.
  • Page 506 CLI Reference AP35xx>admin(stats)> send-cfg-all Copies the AP35xx’s configuration to all of the AP35xxs within the known AP table. Syntax send-cfg-all Copies the AP35xx’s configuration to all of the AP35xxs within the known AP table. Example admin(stats)>send-cfg-all admin(stats)> NOTE The send-cfg-all command copies all existing configuration parameters except Mesh settings, LAN IP data, WAN IP data and DHCP Server parameter information.
  • Page 507 AP35xx>admin(stats)> clear Clears the specified statistics counters to zero to begin new data calculations. Syntax clear Clears WAN statistics counters. Clears LAN statistics counters for specified LAN index (either clear lan 1 or clear lan 2). all-rf Clears all RF data. all-wlan Clears all WLAN summary information.
  • Page 508 CLI Reference AP35xx>admin(stats)> flash-all-leds Starts and stops the illumination of a specified access point’s LEDs. Syntax flash-all-leds <idx> Defines the Known AP index number of the target AP to flash. <action> Starts or stops the flash activity. Example admin(stats)> admin(stats)>flash-all-leds 1 start Password ******** admin(stats)>flash-all-leds 1 stop admin(stats)>...
  • Page 509 AP35xx>admin(stats)> echo Defines the echo test values used to conduct a ping test to an associated MU. Syntax show Shows the Mobile Unit Statistics Summary. list Defines echo test parameters and result. Determines echo test packet data. start Begins echoing the defined station. Goes to parent menu.
  • Page 510 AP35xx>admin(stats.echo)> show Shows Mobile Unit Statistics Summary. Syntax show Shows Mobile Unit Statistics Summary. Example admin(stats.echo)>show ---------------------------------------------------------------------------- IP Address MAC Address WLAN Radio T-put Retries ---------------------------------------------------------------------------- 192.168.2.0 00:A0F8:72:57:83 demo For information on MU Echo and Ping tests using the applet (GUI), see “Pinging Individual MUs”...
  • Page 511 AP35xx>admin(stats.echo)> list Lists echo test parameters and results. Syntax list Lists echo test parameters and results. Example admin(stats.echo)>list Station Address : 00A0F8213434 Number of Pings : 10 Packet Length : 10 Packet Data (in HEX) : 55 admin(stats.echo)> For information on MU Echo and Ping tests using the applet (GUI), see “Pinging Individual MUs”...
  • Page 512 AP35xx>admin(stats.echo)>set Defines the parameters of the echo test. Syntax station <mac> Defines MU target MAC address. request <num> Sets number of echo packets to transmit (1-539). length <num> Determines echo packet length in bytes (1-539). data <hex> Defines the particular packet data. For information on MU Echo and Ping tests using the applet (GUI), see “Pinging Individual MUs”...
  • Page 513 AP35xx>admin(stats.echo)> start Initiates the echo test. Syntax start Initiates the echo test. Example admin(stats.echo)>start admin(stats.echo)>list Station Address : 00A0F843AABB Number of Pings : 10 Packet Length : 100 Packet Data (in HEX) Number of MU Responses For information on MU Echo and Ping tests using the applet (GUI), see “Pinging Individual MUs”...
  • Page 514 CLI Reference AP35xx>admin(stats)> ping Defines the ping test values used to conduct a ping test to an AP with the same ESSID. Syntax ping show Shows Known AP Summary details. list Defines ping test packet length. Determines ping test packet data. start Begins pinging the defined station.
  • Page 515 AP35xx>admin(stats.ping)> show Shows Known AP Summary Details. Syntax show Shows Known AP Summary Details. Example admin(stats.ping)>show ---------------------------------------------------------------------------- IP Address MAC Address KBIOS Unit Name ---------------------------------------------------------------------------- 192.168.2.0 00:A0F8:72:57:83 access point
  • Page 516 AP35xx>admin(stats.ping)> list Lists ping test parameters and results. Syntax list Lists ping test parameters and results. Example admin(stats.ping)>list Station Address : 00A0F8213434 Number of Pings : 10 Packet Length : 10 Packet Data (in HEX) : 55 admin(stats.ping)> For information on Known AP tests using the applet (GUI), see “Pinging Individual MUs”...
  • Page 517 AP35xx>admin(stats.ping)> set Defines the parameters of the ping test. Syntax station Defines the AP target MAC address. request Sets number of ping packets to transmit (1-539). length Determines ping packet length in bytes (1-539). data Defines the particular packet data. Example admin(stats.ping)>set station 00A0F843AABB admin(stats.ping)>set request 10...
  • Page 518 AP35xx>admin(stats.ping)> start Initiates the ping test. Syntax start Initiates the ping test. Example admin(stats.ping)>start admin(stats.ping)>list Station Address : 00A0F843AABB Number of Pings : 10 Packet Length : 100 Packet Data (in HEX) Number of AP Responses For information on Known AP tests using the applet (GUI), see “Pinging Individual MUs”...
  • Page 519: Chapter 9: Configuring Mesh Networking

    Configuring Mesh Networking Mesh Networking Overview An Altitude 35xx can be configured in two modes to support the new mesh networking functionality. The access point can be set to a client bridge mode and/or a base bridge mode (which accepts connections from client bridges).
  • Page 520: The Altitude 35Xx Client Bridge Association Process

    MU traffic with its associated devices. CAUTION Only Extreme Networks Altitude 3510 or Altitude 3550 model access points can be used as base bridges, client bridges or repeaters within an access point supported mesh network. If utilizing a mesh network, Extreme Networks recommends considering a dual-radio model to optimize channel utilization and throughput.
  • Page 521: Client Bridge Configuration Process Example

    NOTE Extreme Networks recommends using the Mesh STP Configuration screen to define a base bridge as a root. Only advanced users should use the Advanced Client Bridge Settings screen’s Preferred List to define the mesh topology, as omitting a bridge from the preferred list could break connections within the mesh network.
  • Page 522: Mesh Networking And The Altitude 35Xx's Two Subnets

    Configuring Mesh Networking The access point can manipulate the path cost assigned to a bridge connection based on that connection’s RSSI. This results in the spanning tree selecting the optimal path for forwarding data when redundant paths exist. However, this can be overridden using the preferred list. When using the preferred list, the user enters a priority for each bridge, resulting in the selection of the forwarding link.
  • Page 523: Configuring Mesh Networking Support

    The user does not necessarily have to change these settings, as the default settings will work. However, Extreme Networks encourages the user to define an access point as a base bridge and root (using the base bridge priority settings within the Bridge STP Configuration screen). Members of the mesh network can be configured as client bridges or additional base bridges with a higher priority value.
  • Page 524 (commonly referred to as the root). Extreme Networks recommends assigning a Base Bridge AP with the lowest bridge priority so it becomes the root in the STP. If a root already exists, set the Bridge Priorities of new APs accordingly so the root of the STP doesn't get altered.
  • Page 525: Configuring A Wlan For Mesh Networking Support

    WLAN in order to share the same ESSID, radio designation, security policy, MU ACL and Quality of Service policy. If intending to use the access point for mesh networking support, Extreme Networks recommends configuring at least one WLAN (of the 16 WLANs available) specifically for mesh networking support.
  • Page 526 3 Assign an ESSID and Name to the WLAN that each access point will share when using this WLAN within their mesh network. Extreme Networks recommends assigning a unique name to a WLAN supporting a mesh network to differentiate it from WLANs defined for non mesh support. The name assigned to the WLAN is what is selected from the Radio Configuration screen for use within the mesh network.
  • Page 527 If a hacker tries to find an ESSID via an MU, the access point’s ESSID does not display since the ESSID is not in the beacon. Extreme Networks recommends keeping the option enabled to reduce the likelihood of hacking into the WLAN.
  • Page 528: Configuring The Access Point Radio For Mesh Support

    Configuring Mesh Networking 11 Select the Accept Broadcast ESSID checkbox to associate an MU that has a blank ESSID (regardless of which ESSID the access point is currently using). Traffic within a mesh network probably consists of known devices, so you may want to leave the checkbox unselected and configure each MU with an ESSID.
  • Page 529 1 Select Network Configuration > Wireless > Radio Configuration from the Altitude 35xx menu tree. 2 Enable the radio(s) using the Enable checkbox(es) for both Radio 1 and Radio 2. Refer to RF Band of Operation parameter to ensure you are enabling the correct 802.11a or 802.11b/g radio.
  • Page 530 WLAN (ESS) the client bridge uses to establish a wireless link. The default setting, is (WLAN1). Extreme Networks recommends creating (and naming) a WLAN specifically for mesh networking support to differentiate the Mesh supported WLAN from non-Mesh supported WLANs.
  • Page 531 7 Select the Automatic Link Selection checkbox to allow the access point to select the links used by the client bridge to populate the mesh network. Selecting this checkbox prohibits the user from selecting the order base bridges are added to the mesh network when one of the three associated base bridges becomes unavailable.
  • Page 532 Auto link selection is based on the RSSI and load. The client bridge will select the best available link when the Automatic Link Selection checkbox is selected. Extreme Networks recommends you do not disable this option, as (when enabled) the access point will select the best base bridge for connection.
  • Page 533 16 If using a dual-radio model access point, refer to the Mesh Timeout drop-down menu (from within the Radio Configuration screen) to define whether one of the access point’s radio’s beacons on an existing WLAN or if a client bridge radio uses an uplink connection. The Mesh Timeout value is not available on a single-radio access point, since the radio would have to stop beaconing and go into scan mode to determine if a base bridge uplink is lost.
  • Page 534: Mesh Network Deployment-Quick Setup

    Configuring Mesh Networking For additional information on configuring the access point’s radio, see “Configuring the 802.11a or 802.11b/g Radio” on page 154. For two fictional deployment scenarios, see “Mesh Network Deployment—Quick Setup” on page 534. Mesh Network Deployment—Quick Setup This section provides instructions on how to quickly setup and demonstrate mesh functionality using three access points.
  • Page 535: Configuring Ap#1

    Configuring AP#1: 1 Provide a known IP address for the LAN1 interface. NOTE Enable the LAN1 Interface of AP#1 as a DHCP Server if you intend to associate MUs and require them to obtain an IP address via DHCP.
  • Page 536 2 Assign a Mesh STP Priority of 40000 to LAN1 Interface.
  • Page 537 3 Define a mesh supported WLAN.
  • Page 538 4 Enable base bridge functionality on the 802.11a radio (Radio 2).
  • Page 539 5 Define a channel of operation for the 802.11a radio.
  • Page 540: Configuring Ap#2

    Configuring Mesh Networking 6 If needed, create another WLAN mapped to the 802.11bg radio if 802.11bg support is required for MUs on that 802.11 band. Configuring AP#2 AP#2 can be configured the same as AP#1 with the following exceptions: Assign an IP Address to the LAN1 Interface different than that of AP#1. ●...
  • Page 541: Configuring Ap#3

    Configuring AP#3 To define the configuration for AP#3 (a client bridge connecting to both AP#1 and AP#2 simultaneously): 1 Provide a known IP address for the LAN1 interface.
  • Page 542 Configuring Mesh Networking 2 Assign the maximum value (65535) for the Mesh STP Priority. 3 Create a mesh supported WLAN with the Enable Client Bridge Backhaul option selected. NOTE This WLAN should not be mapped to any radio. Therefore, leave both of the “Available On” radio options unselected.
  • Page 543 4 Select the Client Bridge checkbox to enable client bridge functionality on the 802.11a radio. Use the Mesh Network Name drop-down menu to select the name of the WLAN created in step 3. NOTE You don't need to configure channel settings on the client bridge (AP#3). It automatically finds the base bridges (AP#1 and AP#2) and uses the channel assigned to them.
  • Page 544: Verifying Mesh Network Functionality For Scenario #1

    Configuring Mesh Networking 5 If needed, create another WLAN mapped to the 802.11bg radio if 802.11bg support is required for MUs on that 802.11 band. Verifying Mesh Network Functionality for Scenario #1 You now have a three AP mesh network ready to demonstrate. Associate a single MU on each AP WLAN configured for 802.11bg radio support.
  • Page 545: Scenario 2-Two Hop Mesh Network With A Base Bridge Repeater And A Client Bridge

    Scenario 2—Two Hop Mesh Network with a Base Bridge Repeater and a Client Bridge By default, the mesh algorithm runs an automatic link selection algorithm to determine the best possible active and redundant links. If member APs are not far apart (in physical distance), the algorithm intelligently chooses a single hop link to forward data.
  • Page 546 1 Enable client bridge backhaul on the mesh supported WLAN.
  • Page 547: Configuring Ap#3

    2 Enable client and base bridge functionality on the 802.11a radio. Configuring AP#3 To define AP #3’s configuration: 1 The only change needed on AP#3 (with respect to the configuration used in scenario #1) is to disable the Auto Link Selection option. Click the Advanced button within the Mesh Client Bridge Settings field.
  • Page 548: Verifying Mesh Network Functionality For Scenario #2

    Configuring Mesh Networking 2 Add the 802.11a Radio MAC Address. In scenario #2, the mesh WLAN is mapped to BSS1 on the 802.11a radio of each AP. The Radio MAC Address (the BSSID#1 MAC Address) is used for the AP#2 Preferred Base Bridge List. Ensure both the AP#1 and AP#2 Radio MAC Addresses are in the Available Base Bridge List.
  • Page 549 Can I use secure beacons on the mesh backhaul supported WLAN? Resolution. Yes, you can enable a secure beacon on a mesh backhaul supported WLAN. In fact, it is an Extreme Networks recommended practice. Mesh Deployment Issue 6—Is my mesh topology complete? How can I determine if all my mesh APs are connected and the mesh topology is complete? Resolution.
  • Page 550 Configuring Mesh Networking Resolution. No, an Altitude 4600 does not support mesh networking, so you won't be able to mesh between two Altitude 4600s or between an Altitude 4600 and an Altitude 3510 or Altitude 3550. Mesh Deployment Issue 10—Can I update firmware/configuration files across a mesh backhaul? Can I update device firmware over the mesh backhaul on a client bridge or repeater AP with no wired connectivity?
  • Page 551: Chapter 10: Adaptive Ap

    An adaptive AP (AAP) is an Altitude 35xx access point that can adopt like an Altitude 4600 series access point (L3). The management of an AAP is conducted by the controller, once the access point connects to an Extreme Networks controller and receives its AAP configuration. An AAP provides: local 802.11 traffic termination...
  • Page 552: Where To Go From Here

    Adaptive AP Where to Go From Here Refer to the following for a further understanding of AAP operation: Adaptive AP Management on page 552 ● Types of Adaptive APs on page 553 ● Licensing on page 553 ● Controller Discovery on page 553 ●...
  • Page 553: Types Of Adaptive Aps

    Types of Adaptive APs The types of adaptive access points include the following: AP3510 - US ● AP3510 - ROW ● AP3510 - IL (Israel) ● AP3550 - US ● AP3550 - ROW ● Licensing An AAP uses the same licensing scheme as a thin access port. This implies an existing license purchased with a controller can be used for an AAP deployment.
  • Page 554: Manual Adoption Configuration

    Adaptive AP tunnel-to-controller enable Manual Adoption Configuration A manual controller adoption of an AAP can be conducted using: Static FQDN—A controller fully qualified domain name can be specified to perform a DNS lookup ● and controller discovery. Static IP addresses—Up to 12 controller IP addresses can be manually specified in an ordered list the ●...
  • Page 555: Adaptive Ap Wlan Topology

    Adaptive AP WLAN Topology An AAP can be deployed in the following WLAN topologies: Extended WLANs—Extended WLANs are the centralized WLANs created on the controller. ● Independent WLANs—Independent WLANs are local to an AAP and can be configured from the ●...
  • Page 556: Remote Site Survivability (Rss)

    Adaptive AP Remote Site Survivability (RSS) RSS can be used to turn off RF activity on an AAP if it loses adoption (connection) to the controller. RSS State Independent WLANs Extended WLANs RSS Enabled WLAN continues beaconing WLAN continues beaconing but AP does allow clients to associate on that WLAN RSS Disabled WLAN stops beaconing...
  • Page 557: Supported Adaptive Ap Topologies

    LAN1. If the WAN Interface is used, explicitly configure WAN as the default gateway interface. Extreme Networks recommends using the LAN1 interface for adoption in multi-cell deployments. ● If you have multiple independent WLANs mapped to different VLANs, the AAP's LAN1 interface ●...
  • Page 558: Extended Wlans Only

    Adaptive AP Extended WLANs Only An extended WLAN configuration forces all MU traffic through the controller. No wireless traffic is locally bridged by the AAP. Each extended WLAN is mapped to the access point's virtual LAN2 subnet. By default, the access point's LAN2 is not enabled and the default configuration is set to static with IP addresses defined as all zeros.
  • Page 559: How The Ap Receives Its Adaptive Configuration

    For additional information on defining the connection medium used by the access point to receive an AAP configuration, see “Adaptive AP Setup” on page To avoid a lengthy broken connection with the controller, Extreme Networks recommends generating an SNMP trap when the AAP loses adoption with the controller. NOTE For additional information (in greater detail) on the AP configuration activities described above, see “Adaptive AP Configuration”...
  • Page 560: Configuring The Controller For Adaptive Ap Adoption

    Adaptive AP Configuring the Controller for Adaptive AP Adoption The tasks described below are configured on an Extreme Networks controller. For information on configuring the controller for AAP support, see http://www.extremenetworks.com/go/documentation To adopt an AAP on a controller: 1 Ensure enough licenses are available on the controller to adopt the required number of AAPs.
  • Page 561: Adopting An Adaptive Ap Manually

    Adopting an Adaptive AP Manually To manually enable the access point’s controller discovery method and connection medium required for adoption: 1 Select System Configuration > Adaptive AP Setup from the access point’s menu tree. CAUTION If deploying the access point as an AAP with a remote layer 3 configuration and the AAP is set for controller auto discovery (primary/standby), the access point will un-adopt from its controller after a few moments.
  • Page 562: Adopting An Adaptive Ap Using A Configuration File

    Adaptive AP 6 If using IPSec as the tunnel resource, enter the IPSec Passkey to ensure IPSec connectivity. 7 Click Apply to save the changes to the AAP setup. NOTE The manual AAP adoption described above can also be conducted using the access point’s CLI interface using the admin(system.aapsetup)>...
  • Page 563 To disable automatic adoption on the controller: 1 Select Network > Access Point Radios from the controller main menu tree. 2 Select the Configuration tab (should be displayed by default) and click the Global Settings button. 3 Ensure the Adopt unconfigured radios automatically option is NOT selected. When disabled, there is no automatic adoption of non-configured radios on the network.
  • Page 564 Adaptive AP NOTE Additionally, a WLAN can be defined as independent using the "wlan <index> independent" command from the config-wireless context. Once an AAP is adopted by the controller, it displays within the controller Access Point Radios screen (under the Network parent menu item) as an Altitude 3510 or Altitude 3550 within the AP Type column.
  • Page 565: Adaptive Ap Deployment Considerations

    Adaptive AP Deployment Considerations Before deploying your controller/AAP configuration, refer to the following usage caveats to optimize its effectiveness: If deploying the access point as an AAP with a remote layer 3 configuration and the AAP is set for ● controller auto discovery (primary/standby), the access point will un-adopt from its controller after a few moments.
  • Page 566: Sample Controller Configuration File For Ipsec And Independent Wlan

    Adaptive AP Sample Controller Configuration File for IPSec and Independent WLAN The following constitutes a sample Summit WM3700 controller configuration file supporting an AAP IPSec with Independent WLAN configuration. Please note new AAP specific CLI commands in relevant comments in blue. The sample output is as follows: ! configuration of WM3700 WM3700-1 version 1.0...
  • Page 567 license AP xyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxx yxyxyx wireless no adopt-unconf-radio enable manual-wlan-mapping enable wlan 1 enable wlan 1 ssid qs5-ccmp wlan 1 vlan 200 wlan 1 encryption-type ccmp wlan 1 dot11i phrase 0 admin123 wlan 2 enable wlan 2 ssid qs5-tkip wlan 2 vlan 210 wlan 2 encryption-type tkip wlan 2 dot11i phrase 0 admin123 wlan 3 enable...
  • Page 568 Adaptive AP radio 3 rss enable radio add 4 00-15-70-00-79-12 11a aap3550 radio 4 bss 1 5 radio 4 bss 2 6 radio 4 channel-power indoor 48 4 radio 4 rss enable radio 4 client-bridge bridge-select-mode auto radio 4 client-bridge ssid Mesh radio 4 client-bridge mesh-timeout 0 radio 4 client-bridge enable radio default-11a rss enable...
  • Page 569 controllerport mode trunk controllerport trunk native vlan 1 controllerport trunk allowed vlan none controllerport trunk allowed vlan add 1-9,100,110,120,130,140,150,160,170, controllerport trunk allowed vlan add 180,190,200,210,220,230,240,250, interface vlan1 ip address dhcp To attach a Crypto Map to a VLAN Interface crypto map AAP-CRYPTOMAP sole ip route 157.235.0.0/16 157.235.92.2 ip route 172.0.0.0/8 157.235.92.2...
  • Page 571: Appendix A: Technical Specifications

    Technical Specifications This appendix provides technical specifications in the following areas: ● Physical Characteristics on page 571 ● Electrical Characteristics on page 572 ● Radio Characteristics on page 573 ● Antenna Specifications on page 573...
  • Page 572: Altitude 3550 Physical Characteristics

    Both the Altitude 3510 and the Altitude 3550 access points have the following electrical characteristics: CAUTION An Altitude 3550 model access point cannot use the Altitude 3510 recommended Extreme Networks 48-Volt Power Supply (Part No. 15728). However, Extreme Networks does recommend the Power Tap for use with the Altitude 3550. Operating Voltage...
  • Page 573: Radio Characteristics

    CAUTION Using an antenna other than the Dual-Band Antenna (Part No.15756) could render the Altitude 3510’s Rogue AP Detector Mode feature inoperable. Contact your Extreme Networks sales associate for specific information. For more information about the antennas approved for the AP3510, refer to the Altitude 35xx/46xx AP Antenna Selection Guide, Rev.xx.
  • Page 574: Altitude 3550 Antenna Specifications

    Altitude 3550 Antenna Specifications For more information about the antennas approved for the AP3550, refer to the Altitude 35xx/46xx AP Antenna Selection Guide, Rev.xx. Country Codes The following list of countries and their country codes is useful when using the access point configuration file, CLI or the MIB to configure the access point: Country Code...
  • Page 575 Country Code France French Guiana Germany Greece Guadelupe Guam Guatemala Guinea Haiti Honduras Hong Kong Hungary Iceland India Indonesia Ireland Israel Italy Jamaica Japan Jordan Kazakhstan Kuwait Latvia Lebanon Liechtenstein Lithuania Luxembourg Macau Macedonia Malaysia Malta Mariana Island Martinique Mexico Moldavia Montenegro Morocco...
  • Page 576 Country Code Nicaragua Norfolk Island Norway Oman Pakistan Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russian Federation Saudi Arabia Serbia Singapore Slovak Republic Slovenia South Africa South Korea Spain Sri Lanka Sweden Switzerland Taiwan Thailand Trinidad and Tobago Tunisia Turkey Ukraine...
  • Page 577: Appendix B: Usage Scenarios

    Usage Scenarios This appendix provides practical usage scenarios for many of the access point’s key features. This information should be referenced as a supplement to the information contained within this Product Reference Guide. The following scenarios are described: ● Configuring Automatic Updates using a DHCP or Linux BootP Server on page 577...
  • Page 578: Windows-Dhcp Server Configuration

    Windows—DHCP Server Configuration See the following sections for information on these DHCP server configurations in the Windows environment: Embedded Options—Using Option 43 on page 578 ● Global Options—Using Extended/Standard Options on page 579 ● Embedded Options—Using Option 43 This section provides instructions for automatic update of firmware and configuration file via DHCP using extended options or standard options configured globally.
  • Page 579: Global Options-Using Extended/Standard Options

    Obtains and applies the expected IP Address from the DHCP Server ● Downloads both the firmware and configuration files from the TFTP Server and updates both as ● needed. Verify the file versions within the System Settings screen. NOTE If the firmware files are the same, the firmware will not get updated. If the configuration file name matches the last used configuration file on the access point or if the configuration file versions are the same, the access point configuration will not get updated.
  • Page 580 d Under the General tab, check all 3 options mentioned within the Extended Options table and enter a value for each option. 3 Copy both the firmware and configuration files to the appropriate directory on the TFTP Server. By default, auto update is enabled on the access point (since the LAN Port is a DHCP Client, out-of-the-box auto update support is on the LAN Port).
  • Page 581: Dhcp Priorities

    DHCP Priorities The following flowchart indicates the priorities used by the access point when the DHCP server is configured for multiple options. If the DHCP Server is configured for options 186 and 66 (to assign TFTP Server IP addresses) the access point uses the IP address configured for option 186.
  • Page 582 To configure BootP options using a Linux/Unix BootP Server: 1 Set the Linux/Unix BootP Server and access point on the same Ethernet segment. 2 Configure the bootptab file (/etc/bootptab) on the Linux/Unix BootP Server in any one of the formats that follows: Using options 186, 187 and 188: AP35xx:ha=00a0f88aa6d8\ <LAN MAC Address>...
  • Page 583: Bootp Priorities

    or the firmware file name. If T136 is not specified, the access point uses the entire bf field as the config file name. NOTE The update process is conducted over the LAN or WAN port depending on which Server responds first to the access point’s request for an automatic update.
  • Page 584: Configuring A Vpn Tunnel Between Two Access Points

    Configuring a VPN Tunnel Between Two Access Points The access point can connect to a non-AP device supporting IPSec, such as a Cisco VPN device—labeled as “Device #2”. For this usage scenario, the following components are required: 2 access points (either an Altitude 3510 or Altitude 3550 model) ●...
  • Page 585 NOTE For this example, Auto IKE Key Exchange is used. Any key exchange can be used, depending on the security needed, as long as both devices on each end of the tunnel are configured exactly the same. 9 Select the Auto (IKE) Key Exchange radio button. 10 Select the Auto Key Settings button.
  • Page 586: Configuring A Cisco Vpn Device

    13 Select Pre Shared Key (PSK) from the IKE Authentication Mode drop-down menu. 14 Enter a Passphrase. Passphrases must match on both VPN devices. NOTE Ensure the IKE authentication Passphrase is the same as the Pre-shared key on the Cisco PIX device. 15 Select AES 128-bit as the IKE Encryption Algorithm.
  • Page 587: Frequently Asked Vpn Questions

    For the usage scenario described in this section, you will require the following: 1 Cisco VPN device ● 1 PC connected to the LAN side of the access point and the Cisco PIX. ● NOTE The Cisco PIX device configuration should match the access point VPN configuration in terms of Local WAN IP (PIX WAN), Remote WAN Gateway (access point WAN IP), Remote Subnet (access point LAN Subnet), and the Remote Subnet Mask.
  • Page 588 Question 2: Even if a wildcard entry of “0.0.0.0” is entered in the Remote Subnet field in the VPN ● configuration page, can the AP access multiple subnets on the other end of a VPN concentrator for the AP’s LAN/WAN side? No.
  • Page 589 Configure the following on the IKE Settings page: Local ID type refers to the way that IKE selects a local certificate to use. IP—tries to match the local WAN IP to the IP addresses specified in a local certificate. ● FQDN—tries to match the user entered local ID data string to the domain name field of the ●...
  • Page 590 VPN tunnels are negotiated on an “as-needed” basis. If you have not sent any traffic between the two subnets, the tunnel will not get established. Once a packet is sent between the two subnets, the VPN tunnel setup occurs. Question 10: I still can't get my tunnel to work after attempting to initiate traffic between the two ●...
  • Page 591 Question 12: Do I need to add any special routes on the access point to get my VPN tunnel to ● work? No. However, clients could need extra routing information. Clients on the local LAN side should either use the access point as their gateway or have a route entry tell them to use the access point as the gateway to reach the remote subnet.
  • Page 593: Appendix C: Customer Support

    NOTE Services can be purchased from Extreme Networks or through one of its channel partners. If you are an end-user who has purchased service through an Extreme Networks channel partner, please contact your partner first for support.