AMX NXA-WAPZD1000 Operation/Reference Manual

ZoneDirector Smart WLAN Controller

Operation/Reference Guide
NXA-WAPZD1000
ZoneDirector Smart WLAN Controller
Network/Communication
Initial Release: 3/28/2011

Summary of Contents for AMX NXA-WAPZD1000

  • Page 1 Operation/Reference Guide NXA-WAPZD1000 ZoneDirector Smart WLAN Controller Network/Communication Initial Release: 3/28/2011...
  • Page 2 AMX is not responsible for products returned without a valid RMA number. AMX is not liable for any damages caused by its products or for the failure of its products to perform. This includes any lost profits, lost savings, incidental damages, or consequential damages.
  • Page 3 LICENSE GRANT. AMX grants to Licensee the non-exclusive right to use the AMX Software in the manner described in this License. The AMX Software is licensed, not sold. This license does not grant Licensee the right to create derivative works of the AMX Software.
  • Page 5: Table Of Contents

    Accessing the NXA-WAPZD1000’s Command Line Interface (15); About Wireless WLAN Security (17); Enabling Smart Redundancy (17); Configuring the NXA-WAPZD1000 for Smart Redundancy (17); Forcing Failover to the Backup NXA-WAPZD1000 (18); Browser-Based Configuration Pages (19); Overview (19); Dashboard (20)...
  • Page 6 Enabling Management via FlexMaster (48); Configuring SNMP Support (48); Enabling the SNMP Agent (49); Enabling SNMP Trap Notifications (49); Trap Notifications Sent by the NXA-WAPZD1000 (49); NXA-WAPZD1000 Management ACL (50); WLANs (51); Overview of Wireless Networks (52); Creating a WLAN...
  • Page 7 Creating a Guest WLAN (65); Access Points (66); Assigning a WLAN Group to an AP (67); Deploying NXA-WAPZD1000 WLANs in a VLAN Environment (67); Tagging Management Traffic to a VLAN (67); How Dynamic VLAN Works (68); Adding New Access Points to the WLAN...
  • Page 8 Single Domain Active Directory Authentication (97); Multi-Domain Active Directory Authentication (98); LDAP (98); Advanced LDAP Filtering (98); Group Extraction (99); RADIUS / RADIUS Accounting (99); Configuring a Backup RADIUS / RADIUS Accounting Server (99)
  • Page 9 Using an External Server for Administrator Authentication (110); Administer Tab (112); Preferences (112); Changing the NXA-WAPZD1000 Administrator User Name and Password (112); Changing the Browser-Based Configuration Pages Display Language (113); Back up/Restore (114); Backing Up a Network Configuration (114); Restoring Archived Settings to the NXA-WAPZD1000...
  • Page 10 Deploying a Wireless Mesh via the NXA-WAPZD1000 (130); Step 1: Prepare for Wireless Mesh Deployment (130); Step 2: Enable Mesh Capability on the NXA-WAPZD1000 (130); Step 3: Provision and Deploy Mesh Nodes (130); Step 4: Verify That the Wireless Mesh Network Is Up (131); Using the ZoneFlex LEDs to Determine the Mesh Status...
  • Page 11 Using SpeedFlex in a Multi-Hop Smart Mesh Network (146); Allowing Users to Measure Their Own Wireless Throughput (147); How to Measure the Speed of Your Wireless Connection (147); Diagnosing Poor Network Performance (148); Starting a Radio Frequency Scan (148)
  • Page 12 Table of Contents viii
  • Page 13: Introduction

    WAPZD1000, thereby eliminating bottlenecks when higher speed Wi-Fi technologies, such as 802.11n, are used. In addition, the NXA-WAPZD1000 supports rogue AP detection and the ability to blacklist client devices from the network — all of which are easily configured and enabled system-wide. When multiple APs are in close proximity, the NXA-WAPZD1000 automatically controls the power and the channel settings on each AP to provide the best possible total coverage and resilience.
  • Page 14: Product Specifications

    (FG2255-53) Common Applications The NXA-WAPZD1000 is ideal for homes and businesses that require a robust and secure WLAN that can be easily deployed, centrally managed and automatically tuned. The NXA-WAP1000 is perfect for environments where high bandwidth applications such as video streaming are accessed simultaneously from several wireless devices such as iPads, laptops, and gaming consoles.
  • Page 15: Features

    PC client devices with unique encryption keys Power Adapter Compatibility The NXA-WAPZD1000 is shipped with an appropriate power adapter for the country in which it is to be used: • FG2255-52: Includes US Power Adapter for use in US, Canada, Colombia, Ecuador, Mexico • ...
  • Page 16 Introduction
  • Page 17: Installation And Setup

    Press the button again to restart the device. Resetting the NXA-WAPZD1000 The NXA-WAPZD1000 may be reset in one of two modes. To reset the device while saving its current configuration, press the Reset button on the front of the device for one to two seconds.
  • Page 18: Working With The Setup Wizard

    The NXA-WAPZD1000 ZoneDirector Wireless Setup wizard appears, ready for wireless network configuration. If you prefer not to use UPnP, you can type in the NXA-WAPZD1000’s IP address into a Web browser. In case the LAN has no DHCP server, the NXA-WAPZD1000’s default IP address is 192.168.0.2, with a network mask of 255.255.255.0.
  • Page 19: Connecting NXA-WAP1000s To Your Local Area Ethernet Network

    The Setup Wizard will only appear when connecting to an NXA-WAPZD1000 in the factory default mode. For more information on returning a device to the factory default mode, please refer to the Resetting the NXA-WAPZD1000 section on page 13.
  • Page 20 You are now logged into the NXA-WAPZD1000 with limited privileges. As a user with limited privileges, you can view a history of previously executed commands and ping a device. If you want to run more commands, you can switch to privileged mode by entering enable at the root prompt.
  • Page 21: About Wireless WLAN Security

    About Wireless WLAN Security When you connect to the NXA-WAPZD1000 for the first time and run the Setup Wizard, you are prompted to set up two basic WLAN configurations -- an Internal WLAN for your internal users, and a Guest WLAN for guests.
  • Page 22: Forcing Failover To The Backup NXA-WAPZD1000

    Enter a Shared Secret for two-way communication between the two devices (up to 15 alphanumeric characters). Click Apply to save your changes and prompt the NXA-WAPZD1000 to attempt to discover its peer on the network. If discovery is successful, the details of the peer device will be displayed to the right. If discovery is unsuccessful, you will be prompted to retry discovery or continue configuring the current device.
  • Page 23: Browser-Based Configuration Pages

    NXA-WAPZD1000 and all access points connecting to it. To access the browser-based configuration pages, enter the IP address for the NXA-WAPZD1000 into your preferred Web browser. The browser will then display the Ruckus Wireless ZoneDirector Login page (FIG. 3).
  • Page 24: Dashboard

    Refresh icon on the right side of the indicator, and hide the indicator in the Add Widgets column by clicking the Hide icon on the right side. Default Dashboard Indicators System Overview: Shows NXA-WAPZD1000 system information, including its IP address, MAC address, model number, maximum number of licensed APs, serial number, and software version number. Devices Overview:...
  • Page 25: Dashboard Widgets

    Widgets are Dashboard components, each containing a separate indicator or table as part of the active Dashboard. Each widget may be added or removed to enhance your NXA-WAPZD1000 summary needs. All unused widgets remain hidden until you click the Add Widgets link at the bottom of the Dashboard.
  • Page 26 When finished installing or moving widgets, click the Finish link at the bottom of the Widgets section to save your changes. The Widgets column will disappear, but it is accessible again by clicking the Add Widgets link.
  • Page 27: Monitor Tab

    Monitor tab workspace, such as the WLANs workspace “Events/Activities” table. Open the NXA-WAPZD1000 Dashboard (page 20) and look at the Most Recent User Activities table and Most Recent System Activities table for summaries of activity in the network.
  • Page 28: Access Points

    The AP’s “description.” This can be modified on the Configure > Access Points page by clicking the Edit link next to the AP’s MAC address. Model: The model number, if applicable. Status: Displays the current status of the AP from the NXA-WAPZD1000’s perspective: • Approval Pending • Connected • Disconnected •...
  • Page 29: Assessing Current Performance Using The Access Point Table

    Displays uptime, clients and mesh status. Actions: Action icons provide tools for managing the AP. WLANs: Displays the WLANs that this AP is supporting. Radio 802.11(a/n or g/n): Displays details on the 2.4GHz (g/n) and 5GHz (a/n) radios.
  • Page 30: Neighbor APs

    Click the Restart icon. The Status column now displays “Disconnected” along with the date and time when the NXA-WAPZD1000 last communicated with the AP. After restart is complete and the NXA-WAPZD1000 detects the active AP, the status will be returned to “Connected.”...
  • Page 31: Map View

    The image should be monochrome or grayscale. • The file size should be no larger than 200KB in size. • The floorplan image should be (ideally) no larger than 10 inches (720 pixels) per side.
  • Page 32: Placing The Access Point Markers

    Click this icon, and then click an AP from the floorplan to remove that AP. Click this icon to rotate the floorplan. When clicked, rotation crosshairs appear in the center of the map; click and hold these crosshairs and move your cursor to rotate the view. Refresh the floorplan.
  • Page 33: AP Icons

    Mesh APs through its wireless interface. Optimizing Access Point Performance Using the Map View The NXA-WAPZD1000, through its Browser-Based Configuration Pages, enables you to remotely monitor and adjust key hardware settings on each of your network APs. After assessing AP performance in the context of network performance, you can reset channels and adjust transmission power, or adjust the priority of certain WLANs over others, as needed.
  • Page 34: Evaluating And Optimizing Network Coverage

    Evaluating and Optimizing Network Coverage If there are gaps or dead spots in your worksite WLAN coverage, you can use the NXA-WAPZD1000 to assess network RF coverage and then reposition APs to enhance coverage.
  • Page 35: WLANs

    The date and time of the logged event. Severity: The determined alert level for the event. User: The WLAN producing the event. Activities: The specific activity being logged. Show More: Click this button to show 15 more previous events.
  • Page 36: Viewing A List Of APs That Belong To A WLAN Group

    Under Currently Active WLAN Groups, click the WLAN group name for which you want to view the member AP list. On the page that loads, look for the Member APs section. All APs that belong to this WLAN group are listed.
  • Page 37: Currently Active Clients

    Go to Monitor > Currently Active Clients. When the Currently Active Clients page appears, review the table for a general survey. Click any client device MAC address link to monitor that client in more detail.
  • Page 38 (which will allow them to attempt to reconnect), testing throughput using SpeedFlex, and testing connectivity using Ping and Traceroute. To review blocked clients, go to Configure > Access Control > Blocked Clients (page 74).
  • Page 39: Generated PSK/Certs

    The selected PSKs and Certificates are deleted from the system. A user with a deleted PSK or a deleted certificate will not be able to connect to the wireless network without obtaining a new key or a new certificate.
  • Page 40: Generated Guest Passes

    Generated Guest Passes The Generated Guest Passes page lists all generated guest passes managed by the NXA-WAPZD1000. You can review the guest passes generated for your users, and also remove them if necessary. FIG. 12 Monitor Tab - Generated Guest Passes...
  • Page 41: Rogue Devices

    Rogue APs also interfere with nearby authorized APs, thus degrading overall wireless network coverage. Your NXA-WAPZD1000 rogue detection options include identifying the presence of a rogue AP, and locating it on your worksite floorplan prior to its removal. You can also mark rogue APs as “Known” if they are located in a neighboring network —...
  • Page 42 • AP: An access point unknown to the NXA-WAPZD1000. • AP (SSID-spoof): A rogue AP that uses the same SSID as the NXA-WAPZD1000’s AP, also known as Evil-twin AP. • AP (MAC-spoof): A rogue AP that has the same BSSID (MAC) of one of the virtual APs managed by the NXA-WAPZD1000.
  • Page 43: All Events/Activities

    Changing the System Log Settings The NXA-WAPZD1000 maintains an internal log of current events and alarms. This file has a fixed capacity; at a certain level, the device will start deleting the oldest entries to make room for the newest. This log is volatile, and the contents will be deleted if the device is powered down.
  • Page 44: All Alarms

    All Alarms If an alarm condition is detected, the NXA-WAPZD1000 will record it in the events log, which, if configured, will send an email warning. FIG. 15 Monitor Tab - All Alarms Monitor Tab - All Alarms Alarms: This section lists all alarms uncleared by the NXA-WAPZD1000 administrator.
  • Page 45: Mesh

    This table shows the current mesh network topology between APs and (Mesh-131003001936) the NXA-WAPZD1000. Access Points: The current APs connected to the NXA-WAPZD1000. Signal (dB): The current signal strength of the mesh network connection. Description: (Optional) A more detailed description of the mesh network connection.
  • Page 46: Real Time Monitoring

    Monitor Tab - Real Time Monitoring Start Monitoring button: Click this button to start monitoring. CPU Util: Displays the percentage utilization of the NXA-WAPZD1000’s CPU. Memory Util: Displays the percentage utilization of the NXA-WAPZD1000’s memory. # of APs: Displays the number of wireless access points being managed by the NXA-WAPZD1000.
  • Page 47: Configure Tab

    Configure Tab The Configure Tab contains the tools necessary to configure and maintain a NXA-WAPZD1000 network. This tab includes access to WLAN specifications, identification of users, guest access, and configuration of mesh networks. When making any changes in the Browser-Based Configuration Pages, you must click Apply before you navigate away from the page or your changes will not be saved.
  • Page 48: System

    System The majority of the NXA-WAPZD1000’s general system settings can be accessed from the System page under the Configure Tab in the Browser-Based Configuration Pages. A basic set of parameters is configured during the Setup Wizard process. These parameters and others can be customized on this page.
  • Page 49 Smart Redundancy: Smart Redundancy allows continued operation of your network in the event of an NXA-WAPZD1000 failure or power loss by allowing a connection to a second NXA-WAPZD1000. If the active NXA-WAPZD1000 loses connection, the standby device automatically takes over.
  • Page 50: Changing The System Name

    Click Apply to save your settings. The change goes into effect immediately. Changing the Network Addressing If you need to update the IP address and DNS server settings of the NXA-WAPZD1000, follow the steps outlined below. As soon as the IP address has been changed, you will be disconnected from your...
  • Page 51: Viewing DHCP Clients

    Enabling an Additional Management Interface The additional management interface is created for receiving or transmitting management traffic only. The management IP address can be configured to allow an administrator to access the NXA-WAPZD1000 remotely from a different subnet from the AP network.
  • Page 52: Setting The System Time

    Setting the System Time The NXA-WAPZD1000 does not have an internal clock, and if the device is rebooted, it will lose the current time given to it by the configuring PC. Time-sensitive features--such as time-based WLANs and Smart Redundancy--will not function properly if the time is incorrect.
  • Page 53: Enabling The SNMP Agent

    Enabling SNMP Trap Notifications If you have an SNMP trap server on the network, you can configure the NXA-WAPZD1000 to send SNMP trap notifications to the server. Enable this feature if you want to automatically receive notifications for AP and client events that indicate possible network issues.
  • Page 54: NXA-WAPZD1000 Management ACL

    NXA-WAPZD1000 Management ACL The NXA-WAPZD1000 also includes an access control feature for controlling access to the Browser-Based Configuration Pages. The Management Access Control interface is located on the Configure > System screen. Options include limiting access by subnet, single IP address and IP address range.
  • Page 55: WLANs

    Name: The name of the WLAN group. Description: (Optional) A more detailed description of the WLAN. Actions: Select Edit to make changes to the group and Clone to make an exact copy of the group.
  • Page 56: Overview Of Wireless Networks

    Overview of Wireless Networks When you have completed the NXA-WAPZD1000 Setup Wizard, you have a fully functional wireless network, based on two secure WLANs (if you enabled the optional guest WLAN) with access for authorized users and guests.
  • Page 57: Creating A Wlan

    Select whether Web-based authentication (captive portal) will be used, and which type of authentication server will be used to host credentials (local database, Active Directory, RADIUS, LDAP). Also, enable or disable Wireless Client Isolation, Zero-IT Activation, Dynamic PSK and Priority for this WLAN.
  • Page 58: WLAN Usage Types

    WEP-64: Provides a lower level of encryption, and is less secure, using 40-bit WEP encryption. • WEP-128: Provides a higher level of encryption than WEP-64, using a 104-bit key for WEP encryption. However, WEP is inherently less secure than WPA.
  • Page 59: Algorithm (Only For WPA Or WPA2 Encryption Methods)

    Options include Local Database, RADIUS server, Active Directory and LDAP. When one of these authentication server types is selected (other than Local Database), you will need to point the NXA-WAPZD1000 to the proper authentication server configured on the Configure > AAA Servers page.
  • Page 60: Advanced Options

    Dynamic PSK: Dynamic PSK is available when you have enabled Zero-IT Activation. When a client is activated, the NXA-WAPZD1000 provisions the user with a pre-shared key. This per-user key does not expire by default. If you want to set an expiration for Dynamic PSKs, you can do so from the drop-down menu further down the page.
  • Page 61: Creating A New WLAN For Workgroup Use

    You can also disable a WLAN temporarily for testing purposes, for example. This feature will not work properly if the NXA-WAPZD1000 does not have the correct time. To ensure the NXA-WAPZD1000 always maintains the correct time, configure an NTP server and point the NXA-WAPZD1000 to the NTP server’s IP address, as...
  • Page 62: Fine-Tuning The Current Security Mode

    WLAN to use 802.1X/EAP authentication, you normally have to generate and install certificates for your wireless users. With the built-in EAP server and Zero-IT Wireless Activation, certificates are automatically generated and installed on the end user's computer. Users simply follow the instructions...
  • Page 63: Authenticating With An External RADIUS Server

    RADIUS server is required for this application. Also, you might need to deploy your own certificates for wireless client devices and for the RADIUS server you are using. In this case, the NXA-WAPZD1000 works as a bridge between your wireless clients and the RADIUS server during the wireless authentication process.
  • Page 64: Creating A WLAN Group

    Dynamic PSK offers the following benefits over standard PSK security: • Every device on the WLAN has its own unique Dynamic PSK (DPSK) that is valid for that device only.
  • Page 65: Enabling Dynamic Pre-Shared Keys On A WLAN

    WLAN settings and make sure that the Dynamic PSK check box is selected. To generate multiple dynamic PSKs: Go to Configure > WLANs. Scroll down to the Dynamic PSK Batch Generation section.
  • Page 66: Creating A Batch Dynamic PSK Profile

    If you want to be able to identify the dynamic PSK users by their names (for monitoring or auditing purposes in a school setting, for example), click Browse, and upload a batch dynamic PSK profile instead. Click Generate. The NXA-WAPZD1000 generates the dynamic PSKs, and then the following message appears:...
  • Page 67: Enabling Automatic User Activation With Zero-IT

    To self-authenticate a computer to the wireless LAN: Connect the computer to the wired LAN using an Ethernet cable. Open a Web browser and enter the Activation URL in the navigation bar (http://<NXA-WAPZD1000’s IP address>/activate). A WLAN Connection Activation Web page appears.
  • Page 68: Authenticating Clients That Do Not Support Zero-IT

    For clients that support Zero-IT, an activation script is generated that will automatically install security settings of WLANs configured on the NXA-WAPZD1000 to the client. If your users are connecting with computers running earlier versions of Windows, Linux, or other operating systems, no activation script will be provided for them.
  • Page 69: Creating A Guest WLAN

    If you want your internal wireless traffic to have priority over guest traffic, set the Priority to Low. Click OK to save your changes.
  • Page 70: Access Points

    Click Enable to balance the number of clients across adjacent APs Max Clients: The maximum number of clients allowed access through the AP. Global Configuration: Use this feature to apply global configuration settings to all Access Points.
  • Page 71: Assigning A WLAN Group To An AP

    Click OK to save your changes. Deploying NXA-WAPZD1000 WLANs in a VLAN Environment You can set up an NXA-WAPZD1000 wireless LAN as an extension of a VLAN network environment by tagging wireless client and management traffic to specific VLANs. Qualifications include the following: ...
  • Page 72: How Dynamic VLAN Works

    WAPZD1000. How Dynamic VLAN Works By default, all wireless clients associated with APs managed by the NXA-WAPZD1000 are segmented into a single VLAN (with VLAN ID 1). If you want to segment wireless clients into different VLANs (for example, for security purposes), you can enable dynamic VLAN.
  • Page 73: Adding New Access Points To The WLAN

    The Automatic AP Approval process is enabled by default, automatically approving AP join requests. If you prefer, you can disable Automatic Approval. If this is your preference, the NXA-WAPZD1000 will detect new APs, alert you to their presence, and then wait for you to manually “approve” their activation.
  • Page 74: Reviewing Current Access Point Policies

    WLAN coverage, as well as policies on client distribution and communicating with the NXA-WAPZD1000. These policies are enforced on all APs managed by the NXA-WAPZD1000 unless a specific WLAN setting overrides them. For example, if you want to enable Load Balancing for most APs but disable it on specific WLANs, you would enable it in the Access Point Policies section, then disable it for the particular WLAN from the Configure >...
  • Page 75: Applying Global Configuration Settings To APs

    • 11N Only Mode: Force all 802.11n APs to accept only 802.11n compliant devices on the 2.4GHz or 5GHz radio. If N-Only is selected, all older 802.11b/g devices will be denied access to the radio. The following setting can be applied to all APs of a particular model managed by the NXA-WAPZD1000: ...
  • Page 76: Optimizing Access Point Performance

    Click OK to save your settings. Optimizing Access Point Performance The NXA-WAPZD1000, through the Browser-Based Configuration Pages, enables you to remotely monitor and adjust key hardware settings on each of your network APs. After assessing AP performance in the context of network performance, you can reset channels and adjust transmission power, or adjust the priority of certain WLANs over others, as needed.
  • Page 77: Load Balancing

    WAPZD1000 immediately updates the list of adjacent radios and refreshes the client limits at each affected AP. Once the NXA-WAPZD1000 is aware of which APs are adjacent to each other, it begins managing the client load by sending desired client limits to the APs. These limits are “soft values” that can be exceeded in several scenarios, including: (1) when a client’s signal is so weak that it may not be able to support a link with another...
  • Page 78: Access Control

    Access controls can be configured to control access to both your wireless network and to the Browser-Based Configuration Pages themselves. For network access, the NXA-WAPZD1000 features a block list as well as access control lists (ACL) to control access to the network.
  • Page 79: WLAN ACLs And Block Lists

    ACL. Thus, the block list takes precedence over an ACL. • MAC addresses that are in the deny list are blocked at the AP, not at the NXA-WAPZD1000. Configuring Access Control Lists You can build L2/MAC and L3/L4 access control lists to establish which devices are allowed to associate to the APs.
  • Page 80: L3/L4 Access Control

    L3/L4 Access Control In addition to L2/MAC based ACL, the NXA-WAPZD1000 also provides access control options at the Layer 3 and Layer 4 levels. This means that you can configure the access control options based on a set of criteria, including: ...
  • Page 81: Maps

    Maps If the NXA-WAPZD1000 does not display a floorplan for your worksite when you open the Monitor tab Map View (page 27), you can import a floorplan and place AP markers in relevant locations by following the steps outlined in this section.
  • Page 82 Go to Monitor > Map View (page 27) to see this image. You can now use the Map View to place the Access Point markers. FIG. 25 Maps - Editing
  • Page 83: Roles And Policies

    Roles and Policies The NXA-WAPZD1000 provides a “Default” role that is automatically applied to all new user accounts. This role links all users to the internal WLAN and permits access to all WLANs by default. As an alternative, you...
  • Page 84: Controlling Guest Pass Generation Privileges

    If you want users with this role to have the permission to generate guest passes, enable this option. Administration: This option allows you to create a user role with NXA-WAPZD1000 administration privileges - either full access or limited (read only) access. In the Policies options, clear the Allow Guest Pass Generation check box.
  • Page 85: Creating A Guest Pass Generation User Role

    Guest Pass: If you want users with this role to have permission to generate guest passes, check this option. Click OK to save your settings. This new role is ready for application to authorized users.
  • Page 86: Users

    Users Once your wireless network is set up, you can instruct the NXA-WAPZD1000 to authenticate wireless users by referring to accounts that are stored in the NXA-WAPZD1000’s internal user database. FIG. 28 Configure Tab - Users Configure Tab - Users User Name: The name of the particular user.
  • Page 87: Internal User Database

    Click OK to save your settings. Be sure to communicate the user name and password to the appropriate end user. Managing Current User Accounts The NXA-WAPZD1000 allows you to review your current user roster on the internal user database and to make changes to existing user accounts as needed. To change an existing user account: Go to Configure >...
  • Page 88: Assigning A Pass Generator Role To A User Account

    You can edit an existing user account and reassign the pass generator role, if you prefer. Click OK to save your settings. Be sure to communicate the role, user name and password to the appropriate end user.
  • Page 89: Guest Access

    These include options you can fine-tune to fit your work environment. FIG. 30 Configure Tab - Guest Access
  • Page 90: Configuring System-Wide Guest Access Policy

    Customization: Use this workspace to import your custom Guest Pass Printout in HTML format. The NXA-WAPZD1000 can support up to 1,250 combined total users and guest passes in the internal database. Configuring System-Wide Guest Access Policy The Enable Guest Access options enable the administrator to define the system-wide guest access policy. You can require guests to validate their guest pass, accept terms of use, and be redirected to a URL you specify.
  • Page 91: Working With Guest Passes

    To generate a single guest pass: On your computer, start your Web browser. In the address or location bar, type the URL of the NXA-WAPZD1000 Guest Pass Generation page: https://{NXA-WAPZD1000-hostname-or-ipaddress}/guestpass In User Name, type your user name.
  • Page 92: Generating And Printing Multiple Guest Passes At Once

    • Key: Leave as is if you want to use the random key that the NXA-WAPZD1000 generated. If you want to use a key that is easy to remember, delete the random key, and then type a custom key. For example, if the NXA-WAPZD1000 generated the random key OVEGS-RZKKF, you can change it to joe-guest-key.
  • Page 93: Creating A Guest Pass Profile

    Once you have generated a pass for a guest, you can monitor and, if necessary, remove it. Go to Monitor > Generated Guest Passes. View generated guest passes. To remove a guest pass, select the check box for the guest pass. Click the Delete button.
  • Page 94: Configuring Guest Subnet Access

    Guest Access > Restricted Subnet Access section. You can create up to 22 subnet access rules, which will be enforced both on the NXA-WAPZD1000 side (for tunneled/redirect traffic) and the AP side (for local-bridging traffic).
  • Page 95: Guest Pass Printout Tokens

    Click Browse, select the HTML file that you customized earlier, and then click Open. The NXA-WAPZD1000 copies the HTML file to its database. Click Import to save the HTML file to the NXA-WAPZD1000 database. You have completed creating a custom guest pass printout. When users generate a guest pass, the custom printout that you created will appear as one of the options that they can print.
  • Page 96: Hotspot Services

    The NXA-WAPZD1000 has a built-in hotspot feature that you can enable and configure to provide hotspot service to users via its WLANs. In addition to the NXA-WAPZD1000 and its managed APs, you will need the following to deploy a hotspot: • ...
  • Page 97: Creating A Hotspot Service

    (for example, your company Web site). • In Session Timeout, select the check box, and then set a maximum session time (in minutes) after which sessions will be restarted automatically.
  • Page 98 In Restricted Subnet, type the subnets that hotspot users will be prevented from accessing. Click OK to save the hotspot settings. The page refreshes and the hotspot service you created appears in the list. You may now assign the WLANs that you want to provide hotspot service.
  • Page 99: Mesh

    In the Mesh Settings section, click Apply to save your settings and enable Smart Mesh. You have completed enabling mesh capability on the NXA-WAPZD1000. You can now start provisioning and deploying the APs that you want to be part of your wireless mesh network.
  • Page 100: Authentication/Accounting Servers

    If you want to authenticate users against an external Authentication, Authorization and Accounting (AAA) server, you will need to first configure your AAA server, then point the NXA-WAPZD1000 to the AAA server, so that requests will be passed through the NXA-WAPZD1000 before access is granted. This section describes the tasks that you need to perform on the NXA-WAPZD1000 to ensure the device can communicate with your AAA server.
  • Page 101: Using An External Server For User Authentication

    Click OK to save this server entry. The page refreshes and the AAA server that you added appears in the list of authentication and accounting servers. Note that input fields differ for different types of AAA server. The NXA-WAPZD1000 only displays the option to enable Global Catalog support if Active Directory is chosen, for example, and only offers backup RADIUS server options if RADIUS or RADIUS Accounting server is chosen.
  • Page 102: Multi-Domain Active Directory Authentication

    The Admin account need not have write privileges, but must be able to read and search all users in the database. Click OK to save changes. LDAP The NXA-WAPZD1000 supports several of the most commonly used LDAP servers, including: • OpenLDAP • ...
  • Page 103: Group Extraction

    Group Extraction By using the Search Filter, you can extract the groups to which a user belongs, as categorized in your LDAP server. Using these groups, you can attribute Roles within the NXA-WAPZD1000 to members of specific groups. For example, in a school setting, if you want to assign members of the group “students” to a Student role, you can enter a known student’s name in the Test Authentication Settings section, click Test, and return the groups...
  • Page 104: Mac Authentication With An External Radius Server

    The Test Authentication Settings feature allows you to query an AAA server for a known authorized user, and return Groups associated with the user that can be used for configuring Roles within the NXA-WAPZD1000. After you have configured one or more authentication servers in the NXA-WAPZD1000, perform this task to ensure that the device can connect to the authentication server and retrieve the groups/attributes that you have configured for each user account.
  • Page 105: Alarm Settings

    If your server allows TLS encryption, click the box to allow it. Setting Up Email Alarm Notification If an alarm condition is detected, the NXA-WAPZD1000 will record it in the event log. If you prefer, an email notification can be sent to a configured email address of your choosing.
  • Page 106: Events That Trigger Alarm Notifications

    Rogue DHCP server on {ip} is detected. When any of these events occur, the NXA-WAPZD1000 sends an email notification to the email address that you previously specified. With the exception of the Lost contact with AP event, the NXA-WAPZD1000 only sends one email alarm notification for each event.
  • Page 107: Services

    Points to assess radio frequency (RF) usage, to detect rogue APs and to determine which APs are near each other for mesh optimization. Rogue DHCP Server Detection: The NXA-WAPZD1000 has a rogue DHCP server detection feature that can help you prevent connectivity and security issues that rogue DHCP servers may cause.
  • Page 108: Configuring Intrusion Prevention Options

    Automatically adjust AP channel when interference is detected: If interference of any kind is detected in an AP, the radio frequency will be switched automatically. Click the Apply button in the same section to save your changes. The NXA-WAPZD1000 issues necessary AP power and/or channel updates at 10 minute intervals.
  • Page 109: Active Client Detection

    If the check box is cleared, the NXA-WAPZD1000 will not generate these events. Active Client Detection Enabling active client detection allows the NXA-WAPZD1000 to trigger an event when a client with a low signal strength joins the network. To enable active client detection: Go to Configure >...
  • Page 110: Certificate

    Configure Tab - Certificate page. Generate a Request: Common Name: Enter the NXA-WAPZD1000’s Fully Qualified Domain Name (FQDN). Subject Alternative Name: (Optional) Select either IP or DNS from the menu and enter either alternative IP addresses or alternate DNS names.
  • Page 111: Creating A Certificate Signing Request

    DNS server, you may use the NXA-WAPZD1000’s IP address instead. However, note that some CAs may not allow this. - If you wish to access the NXA-WAPZD1000 from a public network via the internet, you must use a Fully Qualified Domain Name (FQDN).
  • Page 112: Importing An Ssl Certificate

    Importing an SSL Certificate If you already have an SSL certificate, you can import it into the NXA-WAPZD1000 and use it for HTTPS communication. To complete this procedure, you will need the SSL certificate file and the key pair password that you set when you created the certificate signing request (CSR) file.
  • Page 113: Ssl Certificate Advanced Options

    Finally, you can also import a wildcard certificate. If you do this, the NXA-WAPZD1000 will prompt you to fill in the NXA-WAPZD1000 redirect URL before proceeding. Once the private key matches and intermediate certificates are imported, clicking the Import button will start the Loading Certificate process.
  • Page 114: Using An External Server For Administrator Authentication

    If the imported certificate does not match the NXA-WAPZD1000’s private key, a warning message appears (FIG. 40). FIG. 40 The imported certificate does not match ZoneDirector’s private key Click the click here link, and an Import Private Key dialog appears (FIG. 41).
  • Page 115 If you do not select the Allow ZoneDirector Administration check box, administrators that are assigned this role will be unable to log into the NXA-WAPZD1000 even if all other settings are configured correctly. Test your authentication settings (Configure > AAA Servers > Test Authentication Settings).
  • Page 116: Administer Tab

    Apply before you navigate away from the page or your changes will not be saved. Preferences You should change your NXA-WAPZD1000 administrator login password on a monthly basis, but the administrator user name should be changed only if necessary. FIG. 42...
  • Page 117: Changing The Browser-Based Configuration Pages Display Language

    • Admin Name: Delete the text in this field and type the new administrator account name (used solely to log into the NXA-WAPZD1000 via the Browser-Based Configuration Pages). • Password/Confirm Password: Delete the text in both fields and type the same text for a new password.
  • Page 118: Back Up/Restore

    After you have set up and configured your wireless network, you may want to back up the full configuration. The resulting archive can be used to restore your NXA-WAPZD1000 and network. And, whenever you make additions or changes to the setup, you can create new backup files at that time, too.
  • Page 119: Restoring The Nxa-Wapzd1000 To Default Factory Settings

    “factory default” state. After you complete the Setup Wizard, the Status LED will be steady green. Alternate Factory Default Reset Method If you are unable to complete a software-based resetting of the NXA-WAPZD1000, you can do the following “hard” restore: Do not disconnect the NXA-WAPZD1000 from its power source until this procedure is complete.
  • Page 120: Restart/Shutdown

    Restart/Shutdown This page allows you to remotely reboot or shut down the NXA-WAPZD1000 without having physical access to the device. FIG. 44 Administer Tab - Restart/Shutdown Restarting the NXA-WAPZD1000 The NXA-WAPZD1000 has three “restart” options: • To disconnect and then reconnect the NXA-WAPZD1000 from the power source, • ...
  • Page 121: Upgrade

    Upgrade Check the AMX Web site on a regular basis for updates that can be applied to your Ruckus Wireless network devices — to the NXA-WAPZD1000 and all your NXA-WAP1000 APs. After downloading any update package to a convenient folder on your administrative PC, you can complete the network upgrade of both the NXA-WAPZD1000 and APs by following the steps detailed below.
  • Page 122: Performing An Upgrade With Smart Redundancy

    (begins accepting AP requests), while the original active device enters backup state and begins its own upgrade process. All APs are now associated to the original backup NXA-WAPZD1000 (which is now the active device), and begin upgrading AP firmware to the new version.
  • Page 123: License

    License Depending on the number of Ruckus Wireless APs you need to manage with your NXA-WAPZD1000, you may need to upgrade your license. Contact your authorized AMX reseller to purchase an upgrade license. Once you load the license via the Browser-Based Configuration Pages, it takes effect immediately.
  • Page 124: Diagnostics

    If requested to generate and save a debug file: Go to Administer > Diagnostics. Select the items under Debug Components as directed by AMX technical support, or check the box next to Debug Components to select all. (If they are already selected, skip this step.) If you are instructed to save only log information for a specific AP or client, you can select the check box next to Debug log per AP’s or client’s mac address, then enter either the MAC address in the adjacent...
  • Page 125: Viewing Current Ap Logs

    Viewing Current AP Logs While the NXA-WAPZD1000 debug files cannot be directly viewed, you can display a list of recent AP activity from the Browser-Based Configuration Pages. To view AP logs: Go to Administer >...
  • Page 126: Product Registration

    AMX for customer assistance. You can register your NXA-WAPZD1000 along with all of your access points in one step using the NXA-WAPZD1000’s Registration form (FIG. 48).
  • Page 127: Toolbox

    The Browser-Based Configuration Pages provide two commonly used tools that allow you to diagnose connectivity issues while managing the NXA-WAPZD1000 without having to exit the UI. The Ping and Traceroute tools can be accessed from anywhere in the UI that you see the icon.
  • Page 128: Real Time Monitoring

    To view the Real Time Monitoring page, locate the Toolbox link at the top of the page and select Real Time Monitoring from the pull-down menu. You can also access the Real Time Monitoring page from the Monitor > Real Time Monitoring tab (page 42). FIG. 51 Real Time Monitoring Tool
  • Page 129: Blocking Client Devices

    Blocking Client Devices When users log into an NXA-WAPZD1000 network, their client devices are recorded and tracked. If, for any reason, you need to block a client device from network use, you can do so from the Browser-Based Configuration Pages.
  • Page 130 Blocking Client Devices
  • Page 131: Deploying A Smart Mesh Network

    In the Ruckus Wireless Smart Mesh network, all traffic going through the mesh links is encrypted. A passphrase is shared between mesh nodes to securely pass traffic. When deployed as a mesh network, Ruckus Wireless APs communicate with the NXA-WAPZD1000 through a wired LAN connection or through wireless LAN connection with other access points.
  • Page 132: Supported Mesh Topologies

    Hybrid Mesh Topology Standard Topology The standard Smart Mesh topology consists of an NXA-WAPZD1000 and a number of Root APs and Mesh APs. In this topology, the NXA-WAPZD1000 and the upstream router are connected to the same wired LAN segment. You can extend the reach of your wireless network by forming and connecting multiple mesh trees (FIG.
  • Page 133: Hybrid Mesh Topology

    Mesh AP that uses a wired Ethernet link as its uplink rather than wireless. An eMAP is not considered a Root AP, despite the fact that it discovers the NXA-WAPZD1000 through its Ethernet port. Multiple eMAPs can be connected to a single Mesh AP to, for example, bridge a wired LAN segment inside a building to a wireless mesh outdoors.
  • Page 134: Deploying A Wireless Mesh Via The Nxa-Wapzd1000

    Step 3: Provision and Deploy Mesh Nodes In this step, you will connect each AP to the same wired network as the NXA-WAPZD1000 to provision it with mesh-related settings. After you complete provisioning an AP, you must reboot it for the mesh-related settings to take effect.
  • Page 135: Step 4: Verify That The Wireless Mesh Network Is Up

    (FIG. 55). These dotted lines identify the neighbor relationships that have been established in the current mesh network. If your mesh spans multiple NXA-WAPZD1000s, it is possible for a node to be associated to a different device than its parent or children. FIG. 55 Neighbor relationships in a mesh network
  • Page 136 An AP with a dimmed blue square indicates that it is a Root AP without any active downlinks. An AP with a red square is an Ethernet-Linked Mesh AP (eMAP). An AP with an X icon is disconnected.
  • Page 137: Using The Zoneflex Leds To Determine The Mesh Status

    • Signal quality is good | • Signal quality is good. Solid amber: • At least one Mesh AP is connected • Signal quality is fair | • Connected to a Root AP • Signal quality is fair
  • Page 138: Understanding Mesh-Related Ap Statuses

    Mesh tree that also shows the uplink and downlink APs connected to this AP. SpeedFlex Launch the SpeedFlex performance test tool to measure uplink/downlink speeds to/from this AP. Troubleshoot Troubleshoot connectivity issues using Ping and Traceroute.
  • Page 139: Setting Mesh Uplinks Manually

    Troubleshooting Isolated Mesh APs Isolated Mesh APs are those that were once managed by the NXA-WAPZD1000 but are now unreachable. They are up and running and constantly searching for mesh uplinks, but are unable to connect to any root AP.
  • Page 140: Understanding Isolated Mesh Ap Statuses

    AP will only connect to another 802.11n AP, and an 802.11b/g Mesh AP will only connect to another 802.11b/g AP. To resolve this, place additional wired APs or Mesh APs that use the same radio type near this AP.
  • Page 141: Recovering An Isolated Mesh Ap

    You have completed recovering the isolated mesh AP. You should be able to manage this AP again shortly. Please wait at least 15 minutes (to allow the mesh network to stabilize), and then try managing this AP again via the NXA-WAPZD1000.
  • Page 142: Smart Mesh Networking Best Practices

    Choosing the Right AP Model for Your Mesh Network The NXA-WAPZD1000 supports both 802.11g and the newer, faster 802.11n APs with which to form a mesh network. Because mesh throughput degrades with the number of hops, the best performance can be achieved using the newer, faster 802.11n APs.
  • Page 143: Step 2

    MAPs. • If there are multiple Roots, ensure that the Roots are distributed evenly throughout the coverage area (not clumped up close together in one area). Of course, the whole purpose of mesh is to...
  • Page 144: Signal Quality Verification

    RAPs and MAPs are at ceiling height (standard 15-foot ceiling), then you would not want to mount the outdoor MAPs on 40-foot poles. You would want to keep all MAPs and RAPs at around the same elevation from the ground.
  • Page 145: Best Practice Checklist

    Connected MAP uplink is 25% or better. Ideally there should be at least one alternate uplink path for every MAP, and the signal quality of that alternate path should also be 25% or better.
  • Page 146 Smart Mesh Networking Best Practices
  • Page 147: Troubleshooting

    WLAN. Upon the completion of the Setup Wizard, the NXA-WAPZD1000 automatically activates a default internal WLAN for authorized users. A key benefit of the internal WLAN is the Zero-IT configuration, which enables new users to self-activate their wireless client devices with little or no assistance from the IT department.
  • Page 148: Measuring Wireless Network Throughput With Speedflex

    Measuring Wireless Network Throughput with SpeedFlex SpeedFlex is a wireless performance tool included in the NXA-WAPZD1000 that you can use to measure the downlink throughput between the NXA-WAPZD1000 and a wireless client, the NXA-WAPZD1000 and an AP, and a wireless client and an AP.
  • Page 149 When the tests are complete, the results appear below the Start button. Information that is shown includes the downlink/uplink throughput and the packet loss percentage during the tests. FIG. 57 Click the download link for the target client’s operating system
  • Page 150: Using Speedflex In A Multi-Hop Smart Mesh Network

    SpeedFlex can also be used to measure multi-hop throughput between APs and the NXA-WAPZD1000 in a mesh tree. For example, if you have a mesh tree that is three hops deep (i.e., NXA-WAPZD1000... Root AP... Mesh AP 1... Mesh AP 2), SpeedFlex can measure the total throughput between the NXA-WAPZD1000 and Mesh AP 2.
  • Page 151: Allowing Users To Measure Their Own Wireless Throughput

    Uplink or Downlink and test one direction at a time. Allowing Users to Measure Their Own Wireless Throughput The NXA-WAPZD1000 provides another version of the SpeedFlex Wireless Performance Test application that does not require authentication. This version can be accessed at:...
  • Page 152: Diagnosing Poor Network Performance

    AP has a fixed channel number not too close to the number of a nearby Ruckus AP. Starting a Radio Frequency Scan This task complements the automatic RF scanning feature that is built into the NXA-WAPZD1000. That automatic scan assesses one radio frequency at a time, every 20 seconds or so.
  • Page 153 Troubleshooting
  • Page 154 - Schedules and registration for any AMX University course - Travel and hotel information - Your individual certification requirements and progress 3000 RESEARCH DRIVE, RICHARDSON, TX 75082 USA • 800.222.0193 • 469.624.8000 • 469-624-7153 fax • 800.932.6993 technical support • www.amx.com...
