Motorola Solutions WiNG 5.2.6 Reference Manual

Motorola Solutions
WiNG 5.2.6
Access Point
System Reference Guide

Summary of Contents for Motorola Solutions WiNG 5.2.6

  • Page 1 Motorola Solutions WiNG 5.2.6 Access Point System Reference Guide...
  • Page 3: Table Of Contents

    TABLE OF CONTENTS Chapter 1 Overview: 1.1 About the Motorola Solutions WiNG 5 Access Point Software, 1-3. Chapter 2 Web UI Features: 2.1 Accessing the Web UI, 2-2; 2.1.1 Browser and System Requirements, 2-2; 2.1.2 Connecting to the Web UI, 2-2; 2.2 Icon Glossary ...
  • Page 4 Chapter 5 Device Configuration: 5.1 RF Domain Configuration, 5-2; 5.2 RF Domain Sensor Configuration, 5-5; 5.3 System Profile Configuration, 5-7; 5.3.1 General Profile Configuration, 5-7; 5.3.2 Profile Radio Power, 5-9; 5.3.3 Profile Adoption (Auto Provisioning) Configuration, 5-11; 5.3.4 Profile Interface Configuration, 5-14...
  • Page 5 Table of Contents: 5.10.1.3 Radio Override Configuration, 5-142; 5.10.1.4 WAN Backhaul Overrides, 5-154; 5.10.2 Overriding the Network Configuration, 5-156; 5.10.2.1 Overriding the DNS Configuration, 5-157; 5.10.2.2 Overriding an ARP Configuration, 5-159; 5.10.2.3 Overriding a Quality of Service (QoS) Configuration, 5-161; 5.10.2.4 Overriding a Static Route Configuration ...
  • Page 6 Chapter 7 Security Configuration: 7.1 Wireless Firewall, 7-2; 7.1.1 Defining a Firewall Configuration, 7-2; 7.1.2 Configuring IP Firewall Rules, 7-13; 7.1.3 Configuring MAC Firewall Rules, 7-16; 7.2 Wireless IPS (WIPS), 7-20; 7.3 Device Categorization, 7-29; 7.4 Security Deployment Considerations, 7-31...
  • Page 7 Table of Contents: 11.2.1 Certificate Management, 11-15; 11.2.2 RSA Key Management, 11-25; 11.2.3 Certificate Creation, 11-30; 11.2.4 Generating a Certificate Signing Request (CSR), 11-33; 11.3 Smart RF, 11-36; 11.3.1 Managing Smart RF for a RF Domain, 11-36; 11.4 Operations Deployment Considerations ...
  • Page 8 12.3.10 Mesh, 12-61; 12.3.11 Interfaces, 12-63; 12.3.11.1 General Statistics, 12-64; 12.3.11.2 Viewing Interface Statistics Graph, 12-69; 12.3.12 Network, 12-69; 12.3.12.1 ARP Entries, 12-70; 12.3.12.2 Route Entries, 12-71; 12.3.12.3 Bridge, 12-72; 12.3.12.4 DHCP Options, 12-75; 12.3.12.5 Cisco Discovery Protocol, 12-77...
  • Page 9: About This Guide

    • Motorola Solutions WiNG 5.2.6 Controller System Reference Guide - Describes the configuration of dependent mode access points using the WiNG 5.2.6 controller software. For information on managing a dependent mode AP in a controller managed network, go to http://supportcentral.motorola.com/support/product/manuals.do.
  • Page 10: Document Conventions

    Document Conventions The following conventions are used in this document to draw your attention to important information: NOTE: Indicates tips or special requirements. CAUTION: Indicates conditions that can cause equipment damage or data loss.
  • Page 11: Chapter 1 Overview

    WiNG 5 extends the differentiation Motorola Solutions access points offer to the next level, by making available services and security at every point in the network. Access point managed traffic flow is optimized to prevent wired congestion and wireless congestion.
  • Page 12 NOTE: This guide describes the installation and use of the WiNG 5 software designed specifically for AP-6511, AP-6521, AP-6532, AP-7131, AP-7161 and AP-8132 model access points. It does not describe the version of the WiNG 5 software designed for use with the RFS4000, RFS6000, RFS7000 and NX9000 Series models.
  • Page 13: About The Motorola Solutions Wing 5 Access Point Software

    WiNG 5 extends the differentiation Motorola Solutions access points offer to the next level, by making available services and security at every point in the network. Access point managed traffic flow is optimized to prevent wired congestion and wireless congestion.
  • Page 15: Chapter 2 Web Ui Features

    CHAPTER 2 WEB UI FEATURES The access point’s resident user interface contains a set of features specifically designed to enable either Virtual Controller AP, Standalone AP or Adopt to Controller functionality. In Virtual Controller AP mode, an access point can manage up to 24 other access points of the same model and share data amongst managed access points.
  • Page 16: Accessing The Web Ui

    2.1 Accessing the Web UI The access point uses a Graphical User Interface (GUI) which can be accessed using any supported Web browser on a client connected to the subnet the Web UI is configured on.
  • Page 17 Figure 2-1 Access Point Web UI Login Screen 5. Enter the default username admin in the Username field. 6. Enter the default password motorola in the Password field. 7. Select the Login button to load the management interface. If this is the first time the management interface has been accessed, the first screen to display will prompt for a change of the default access point password.
  • Page 18: Icon Glossary

    2.2 Icon Glossary The access point interface utilizes a number of icons designed to interact with the system, gather information from managed devices and obtain status. This chapter is a compendium of the icons used, and is organized as follows: •...
  • Page 19: Dialog Box Icons

    Create new policy – Select this icon to create a new policy. Policies define different configuration parameters that can be applied to device configurations, and device profiles. Edit policy – Select this icon to edit an existing policy. To edit a policy, click on the policy and select this button.
  • Page 20: Status Icons

    2.2.4 Status Icons These icons define device status, operations on the wireless controller, or any other action that requires a status being returned to the user. Fatal Error – States there is an error causing a managed device to stop functioning.
  • Page 21 AAA Policy – Indicates an Authentication, Authorization and Accounting (AAA) policy has been impacted. AAA policies define RADIUS authentication and accounting parameters. Association ACL – Indicates an Association Access Control List (ACL) configuration has been impacted. An ACL is a set of configuration parameters used to set access to managed resources.
  • Page 22: Configuration Objects

    Device Categorization – Indicates a device categorization policy is being applied. This is used by the intrusion prevention system to categorize APs or wireless clients as either neighbors or sanctioned devices. This enables these devices to bypass the intrusion prevention system.
  • Page 23: Configuration Operation Icons

    Panic Snapshots – Indicates a panic snapshot has been generated. A panic snapshot is a file that records the status of all the processes and memory when a failure occurs. UI Debugging – Select this icon/link to view current NETCONF messages. View UI Logs –...
  • Page 24: Administrative Role Icons

    SSH – Indicates an SSH access permission. A user with this permission is permitted to access an access point device using SSH. Console – Indicates a console access permission. A user with this permission is permitted to access using the access point’s serial console.
  • Page 25: Device Icons

    2.2.10 Device Icons The following icons indicate the different device types managed by the system: System – This icon indicates system-wide impact. Cluster – This icon indicates a cluster. A cluster is a set of access points that work collectively to provide redundancy and load sharing.
  • Page 27: Chapter 3 Quick Start

    CHAPTER 3 QUICK START Access points can utilize an initial setup wizard to streamline the process of initially accessing the wireless network. The wizard defines the access point’s operational mode, deployment location, basic security, network and WLAN settings. For instructions on how to use the initial setup wizard, see Using the Initial Setup Wizard on page 3-2.
  • Page 28: Using The Initial Setup Wizard

    3.1 Using the Initial Setup Wizard Once the access point is installed and powered on, complete the following steps to get the access point up and running and access management functions: 1.
  • Page 29 If this is the first time the access point’s management interface has been accessed, an introductory screen displays that outlines the parameters that can be configured sequentially using the setup wizard. Figure 3-2 Initial Setup Wizard NOTE: The Initial Setup Wizard displays the same pages and content for each access point model supported.
  • Page 30 Figure 3-3 Initial Setup Wizard - Navigation Panel The first page of the Initial AP Setup Wizard displays the Navigation Panel and Introduction for the configuration activities comprising the access point's initial setup.
  • Page 31 Figure 3-4 Initial Setup Wizard - Introduction 6. Select Save/Commit within each page to save the updates made to that page's configuration. Select Next to proceed to the next page listed in the Navigation Panel. Select Back to revert to the previous screen in the Navigation Panel without saving your updates.
  • Page 32 AP isn't managed by a Virtual Controller AP, or adopted by a RFS series controller. NOTE: If designating the access point as a Standalone AP, Motorola Solutions recommends the access point’s UI be used exclusively to define its device configuration, and not the CLI.
  • Page 33 • Adopted to Controller - Select this option when deploying the access point as a controller managed (Dependent mode) access point. Selecting this option closes the Initial AP Setup Wizard. An adopted access point obtains its configuration from a profile stored on its managing controller.
  • Page 34 Figure 3-7 Initial AP Setup Wizard - Access Point Mode 10. Select an Access Point Mode from the available options. • Router Mode - In Router Mode, the access point routes traffic between the local network (LAN) and the Internet or external network (WAN).
  • Page 35 Figure 3-8 Initial AP Setup Wizard - LAN Configuration 12. Set the following DHCP and Static IP Address/Subnet information for the LAN interface: • Use DHCP - Select the checkbox to enable an automatic network address configuration using the access point’s DHCP server.
  • Page 36 • DNS Forwarding - Select this option to allow a DNS server to translate domain names into IP addresses. If this option is not selected, a primary and secondary DNS resource must be specified. DNS forwarding is useful when a request for a domain name is made but the DNS server, responsible for converting the name into its corresponding IP address, cannot locate the matching IP address.
  • Page 37 14. Set the following DHCP and Static IP Address/Subnet information for the WAN interface: • Use DHCP - Select the checkbox to enable an automatic network address configuration using the access point’s DHCP server. AP-6511 and AP-6521 model access points do not have an onboard DHCP server and an external DHCP server must be utilized.
  • Page 38 Figure 3-10 Initial AP Setup Wizard - Radio Configuration 16. Set the following parameters for each radio: • Configure as a Data Radio - Select this option to dedicate this radio for WLAN client support in either the selected 2.4 or 5GHz radio band.
  • Page 39 channels are scanned, it will select the channel with the fewest access points. In the case of multiple access points on the same channel, it will select the channel with the lowest average power level. When Constantly Monitor is selected, the access point will continuously scan the network for excessive noise and sources of...
  • Page 40 Figure 3-11 Initial AP Setup Wizard - Wireless LAN Setting 18. Set the following parameters for each of the WLAN configurations available as part of this Initial AP Setup Wizard: • SSID - Enter or modify the Services Set Identification (SSID) associated with the WLAN. The WLAN name is auto-generated using the SSID until changed by the user.
  • Page 41 • PSK Authentication and WPA2 Encryption - Select the option to implement a pre-shared key that must be correctly shared between the access point and requesting clients using this WLAN. If using this option, specify a WPA key in either ASCII (8-63 characters) or HEX (64 characters) format.
  • Page 42 Figure 3-12 Initial AP Setup Wizard - RADIUS Server Configuration 20. Refer to the Username, Password, Description and Actions columns to review credentials of existing RADIUS Server user accounts. Add new accounts or edit the properties of existing accounts as updates are required.
  • Page 43 • Location - Define the location of the access point. The Location parameter acts as a reminder of where the AP can be located within the Motorola Solutions managed wireless network. • Contact - Specify the contact information for the administrator. The credentials provided should accurately reflect...
  • Page 44 • Country - Select the Country where the access point is deployed. The access point prompts for the correct country code on the first login. A warning message also displays stating an incorrect country setting may result in illegal radio operation.
  • Page 45 Figure 3-14 Initial AP Setup Wizard - Summary and Commit 30. If the configuration displays as intended, select the Save/Commit button to implement these settings to the access point’s configuration. If additional changes are warranted based on the summary, either select the target page from the Navigational Panel, or use the Back button.
  • Page 47: Chapter 4 Dashboard

    CHAPTER 4 DASHBOARD The dashboard allows network administrators to review and troubleshoot the operation of the devices comprising the access point managed network. Use the dashboard to review the current network topology, assess the network’s component health and diagnose problematic device behavior. By default, the Dashboard screen displays the System Dashboard, which is the top level in the device hierarchy.
  • Page 48: Dashboard Conventions

    4.1 Dashboard The Dashboard displays device information organized by device association and inter-connectivity between an access point and connected wireless clients. To review dashboard information: 1. Select Dashboard. 2. Expand the System menu item on the upper, left-hand, side of the UI and select either an access point or connected client.
  • Page 49: Health

    4.1.1.1 Health Health tab displays information about the state of the access point managed network. Figure 4-2 Dashboard screen - Health tab Information in this tab is classified as: • Device Details • Radio RF Quality Index •...
  • Page 50 Figure 4-3 Device Details Device Details field displays the name assigned to the selected access point, its factory encoded MAC address, model type, RF Domain, software version, uptime, CPU and RAM information and system clock. Use this data to determine whether a software upgrade is warranted, or if the system clock needs adjustment.
  • Page 51 Radio Id displays as a link that can be selected to display radio configuration and network address information in greater detail. Periodically select Refresh (at the bottom of the screen) to update the RF quality data. 4.1.1.1.3 Radio Utilization Index...
  • Page 52 4.1.1.1.4 Client RF Quality Index The Client RF Quality field displays a list of the worst 5 performing clients managed by the selected access point. Figure 4-6 Client RF Quality Index...
  • Page 53: Inventory

    4.1.1.2 Inventory The Inventory tab displays information relative to the devices managed by the selected access point. The Inventory screen affords a system administrator an overview of the number and state of managed devices. The screen contains links to display more granular data specific to a specific radio.
  • Page 54 4.1.1.2.5 Radio Types Radio Types field displays the total number and types of radios managed by the selected access point. Figure 4-8 Radio Types Refer to the Total Radios column to review the number of managed radios.
  • Page 55 4.1.1.2.7 Wireless Clients Wireless Clients field displays information about the wireless clients managed by the selected access point. Figure 4-10 Wireless Client Information within the Wireless Clients field is presented in two tables. The first table lists the total number of wireless clients managed by this access point.
  • Page 56: Network View

    4.2 Network View The Network View displays device topology association between a selected access point, its RF Domain and its connected clients. The association is displayed using a number of different color options.
  • Page 57: Network View Display Options

    Figure 4-13 Network View - System Browser 4.2.1 Network View Display Options 1. Select the blue Options link right under the Network View banner to display a menu for different device interaction display options. Figure 4-14 Network View - Options 2.
  • Page 58: Device Specific Information

    • Quality – Select this option to filter based on the overall RF health. RF health is a ratio of connection rate, retry rates, and error rates. Quality results include: Red (Bad Quality), Orange (Poor Quality), Yellow (Fair Quality) and Green (Good Quality).
  • Page 59: Chapter 5 Device Configuration

    CHAPTER 5 DEVICE CONFIGURATION Access points can either be assigned unique configurations to support a particular deployment objective or have an existing RF Domain or Profile configuration modified (overridden) to support a requirement that deviates its configuration from the configuration shared by its peer access points. Refer to the following to set an access point’s sensor functionality, Virtual Controller AP designation, and license and certificate usage configuration: •...
  • Page 60: Rf Domain Configuration

    5.1 RF Domain Configuration An access point’s configuration is composed of numerous elements including a RF Domain, WLAN and device specific settings. RF Domains are used to assign regulatory, location and relevant policies to access points of the same model.
  • Page 61 Figure 5-1 RF Domain - Basic Configuration screen 2. Define the following Basic Configuration values for the access point RF Domain: Location - Assign the physical location of the RF Domain. This name could be as specific as the floor of a building, or as generic as an entire site.
  • Page 62: Rf Domain Configuration

    3. Refer to the Statistics field to define how RF Domain stats are updated: Update Interval - Set a statistics update interval of 0 or 5-3600 seconds for updates retrieved from the access point.
  • Page 63: Rf Domain Sensor Configuration

    In addition to dedicated Motorola Solutions AirDefense sensors, an access point radio can function as a sensor and upload information to a dedicated WIPS server (external to the access point). Unique WIPS server configurations can be used to ensure a WIPS server configuration is available to support the unique data protection needs of a RF Domain.
  • Page 64 6. Use the spinner control to specify the Port of each WIPS server. The default port is 443. 7. Select to save the changes to the AirDefense WIPS configuration, or select...
  • Page 65: System Profile Configuration

    5.3 System Profile Configuration An access point profile enables an administrator to assign a common set of configuration parameters and policies to the access point of the same model. Profiles can be used to assign common or unique network, wireless and security parameters across a large, multi segment, site.
  • Page 66 2. Select Devices. 3. Select System Profile from the options on left-hand side of the UI. General configuration options display by default, with the profile activated for use with this access point model.
  • Page 67: Profile Radio Power

    5.3.2 Profile Radio Power Use the Power screen to set one of two power modes (3af or Auto) for the access point profile. When Automatic is selected, the access point safely operates within available power. Once the power configuration is determined, the access point configures its operating power characteristics based on its model and power configuration.
  • Page 68 Figure 5-4 Profile - Power screen 5. Use the Power Mode drop-down menu to set the Power Mode Configuration on this NOTE: Single radio model access points always operate using a full power configuration.
  • Page 69: Profile Adoption (Auto Provisioning) Configuration

    5.3.3 Profile Adoption (Auto Provisioning) Configuration Adoption is the process an access point uses to discover Virtual Controller APs available in the network, pick the most desirable Virtual Controller, establish an association with it, optionally obtain an image upgrade, obtain its configuration and consider itself provisioned.
  • Page 70 Figure 5-5 Profile Adoption screen 5. Define the Preferred Group used as optimal group of Virtual Controller for adoption. The name of the preferred group cannot exceed 64 characters. 6. Set the Controller Hello Interval to set the interaction intervals between AP and its adopting resource.
  • Page 71 Routing Level - Use the spinner controller to set the routing level for the Virtual Controller link. The default setting is 1. 9. Select + Add Row as needed to populate the table with IP Addresses or Hostnames of adoption resources. 10.
  • Page 72: Profile Interface Configuration

    5.3.4 Profile Interface Configuration An access point profile can support customizable Ethernet Port, Virtual Interface, Port Channel and Radio configurations unique to the supported AP-6511, AP-6521, AP-6532, AP-7131, AP-7161 or AP-8132 model.
  • Page 73: Ethernet Port Configuration

    5.3.4.1 Ethernet Port Configuration Displays the physical port name reporting runtime data and statistics. The following ports are available depending on model: • AP-6511 - fe1, fe2, fe3, fe4, up1 • AP-6521 - GE1/POE (LAN) •...
  • Page 74 Admin Status - A green checkmark defines the port as active and currently enabled with the profile. A red “X” defines the port as currently disabled and not available for use. The interface status can be modified with the port configuration as...
  • Page 75 Figure 5-7 Ethernet Ports - Basic Configuration screen 7. Set the following Ethernet port Properties: Description - Enter a brief description for the port (64 characters maximum). The description should reflect the port’s intended function to differentiate it from others with similar configurations.
  • Page 76 8. Define the following Cisco Discovery Protocol (CDP) and LLDP parameters to apply to the Ethernet port configuration. Cisco Discover Protocol Receive - Select the radio button to allow the Cisco discovery protocol for receiving data on this port.
  • Page 77 11. Select to save the changes made to the Ethernet Port Basic Configuration. Select Reset to revert to the last saved configuration. 12. Select the Security tab. Figure 5-8 Ethernet Ports - Security screen 13. Refer to the Access Control field.
  • Page 78 Trust DHCP Responses - Select the radio button to enable DHCP trust on this port. If enabled, only DHCP responses are trusted and forwarded on this port, and a DHCP server can be connected only to a DHCP trusted port.
  • Page 79: Virtual Interface Configuration

    5.3.4.2 Virtual Interface Configuration A Virtual Interface is required for layer 3 (IP) access to provide layer 3 service on a VLAN. The Virtual Interface defines which IP address is associated with each VLAN ID the access point is connected to. A Virtual Interface is created for the default VLAN (VLAN 1) to enable remote administration.
  • Page 80 VLAN - Displays the numerical VLAN ID associated with each listed interface. IP Address - Defines whether DHCP was used to obtain the primary IP address used by the Virtual Interface configuration.
  • Page 81 8. Set the following network information from within the IP Addresses field: Enable Zero Configuration - The access point can use Zero Config for IP assignments on an individual virtual interface basis. Select Primary to use Zero Config as the designated means of providing an IP address; this eliminates the means to assign one manually.
  • Page 82 Figure 5-11 Virtual Interfaces - Security screen 12. Use the Inbound IP Firewall Rules drop-down menu to select the firewall rule configuration to apply to this Virtual Interface. The firewall inspects and packet traffic to and from connected clients.
  • Page 83: Port Channel Configuration

    5.3.4.3 Port Channel Configuration The access point’s profile can be applied customized port channel configurations as part of its Interface configuration. To define a port channel configuration for a controller profile: Figure 5-12 Profile Interfaces - Port Channels screen 1.
  • Page 84 Figure 5-13 Port Channels - Basic Configuration screen 7. Set the following port channel Properties: Description - Enter a brief description for the port channel (64 characters maximum). The description should reflect the port channel’s intended function.
  • Page 85 Duplex - Select either Half, Full or Automatic as the duplex option. Select Half duplex to send data over the port channel, then immediately receive data from the same direction in which the data was transmitted. Like a Full duplex transmission, a Half duplex transmission can carry data in both directions, just not at the same time.
  • Page 86 Figure 5-14 Port Channels - Security screen 12. Refer to the Access Control field. As part of the port channel’s security configuration, Inbound IP and MAC address firewall rules are required.
  • Page 87 Trust IP DSCP - Select the check box to enable IP DSCP values on this port channel. The default value is disabled. 14. Select to save the changes to the security configuration. Select Reset to revert to the last saved configuration. 15.
  • Page 88 17. Set the following MSTP Configuration parameters for the port channel: Enable as Edge Port - Select the check box to define this port as an edge port. Using an edge (private) port, you can isolate devices to prevent connectivity over this port channel.
  • Page 89 19. Select + Add Row as needed to include additional indexes. 20. Refer to the Spanning Tree Port Priority table. Define an Instance Index using the spinner control and then set the Priority. The lower the priority, the greater the likelihood of the port becoming a designated port.
  • Page 90: Access Point Radio Configuration

    5.3.4.4 Access Point Radio Configuration An access point profile can have its radio configuration modified once its radios have successfully associated to the network. To define an access point radio configuration: 1.
  • Page 91 RF Mode - Displays whether each listed radio is operating in the 802.11a/n or 802.11b/g/n radio band. If the radio is a dedicated sensor, it will be listed as a sensor to define the radio as not providing typical WLAN support. The radio band is set from within the Radio Settings tab.
  • Page 92 Admin Status - Either select the Disabled or Enabled radio button to define this radio’s current status within the network. When defined as Enabled, the access point is operational and available for client support.
  • Page 93 (isotropically), and has no losses. Although the gain of an antenna is directly related to its directivity, its gain is a measure that takes into account the efficiency of the antenna as well as its directional capabilities. Motorola Solutions recommends that only a professional installer set the antenna gain.
  • Page 94 Radio Placement - Use the drop-down menu to specify whether the radio is located Indoors or Outdoors. The placement should depend on the country of operation selected and its regulatory domain requirements for radio emissions. The default setting is Indoors.
  • Page 95 Figure 5-18 Access Point Radio - Rates screen 9. Set the following profile WLAN Properties for the selected access point radio. Beacon Interval Set the interval between radio beacons in milliseconds (either 50, 100 or 200). A beacon is a packet broadcast by adopted radios to keep the network synchronized.
  • Page 96 RTS Threshold Specify a Request To Send (RTS) threshold (between 1 - 2,347 bytes) for use by the WLAN's adopted access point radios. RTS is a transmitting station's signal that requests a Clear To Send (CTS) response from a receiving client. This RTS/CTS procedure clears the air where clients are contending for transmission time.
  • Page 97 Figure 5-19 Access Point Radio - WLAN Mapping tab 13. Refer to the WLAN/BSS Mappings field to set WLAN BSSID assignments for an existing access point deployment. Administrators can assign each WLAN its own BSSID. If using a single-radio access point, there are 8 BSSIDs available.
  • Page 98 Figure 5-20 Access Point Radio - Mesh tab Use the Mesh screen to define how mesh connections are established and the number of links available amongst access points within the mesh network.
  • Page 99 Figure 5-21 Access Point Radio - Advanced Settings tab 20. Refer to the Aggregate MAC Protocol Data Unit (A-MPDU) field to define how MAC service frames are aggregated by the access point radio. A-MPDU Modes Use the drop-down menu to define the A-MPDU mode supported.
  • Page 100 22. Set the following Non-Unicast Traffic values for the profile’s supported access point radio and its connected wireless clients: Non-Unicast Transmit Rate: Use the Select drop-down menu to launch a sub screen to define the data rate at which broadcast and multicast frames are transmitted.
  • Page 101 802.11b clients do not support beamforming. A single access point radio can support up to 15 beamforming clients. Beamforming is supported explicitly on Motorola Solutions access points and must be supported on the receiving client. At the receiving end of the data path, the access point updates beamforming data or the active entries when packets are received from an address matching an active entry.
  • Page 102: Wan Backhaul Configuration

    5.3.4.5 WAN Backhaul Configuration (under Profile Interface Configuration) A Wireless Wide Area Network (WWAN) card is a specialized network interface card that allows a network device to connect, transmit and receive data over a Cellular Wide Area Network. The AP-7131N model access point has a PCI Express card slot that supports 3G WWAN cards.
  • Page 103 6. Define the following authentication parameters from within the Basic Settings field: Username Provide your username for authentication support by the cellular data carrier. Password Provide your password for authentication support by the cellular data carrier. Access Point Name Enter the name of the cellular data provider if necessary.
  • Page 104: Profile Network Configuration

    5.3.5 Profile Network Configuration Setting an access point profile’s network configuration is a large task comprised of numerous administration activities. An access point profile network configuration process consists of the following: •...
  • Page 105: Dns Configuration

    5.3.5.1 DNS Configuration (under Profile Network Configuration) Domain Naming System (DNS) is a hierarchical naming system for resources connected to the Internet or a private network. Primarily, DNS resources translate domain names into IP addresses. If one DNS server doesn't know how to translate a particular domain name, it asks another one until the correct IP address is returned.
  • Page 106 DNS Server Forwarding: Click to enable the forwarding of DNS queries to external DNS servers if a DNS query cannot be processed by the access point’s own DNS resources. This feature is disabled by default.
  • Page 107: Arp

    5.3.5.2 ARP (under Profile Network Configuration) Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a hardware MAC address recognized on the network. ARP provides protocol rules for making this correlation and providing address conversion in both directions. When an incoming packet destined for a host arrives, the gateway uses ARP to find a physical host or MAC address that matches the IP address.
  • Page 108 Figure 5-24 Network - ARP screen 6. Set the following parameters to define the ARP configuration: Switch VLAN Use the spinner control to select a VLAN for an address requiring resolution.
  • Page 109: Quality Of Service (Qos)

    5.3.5.3 Quality of Service (QoS) (under Profile Network Configuration) The access point uses different Quality of Service (QoS) screens to define WLAN and device radio QoS configurations. The System Profiles > Network > QoS facility is separate from WLAN and radio QoS configurations, and is used to configure the priority of the different DSCP packet types.
  • Page 110 802.1p Priority Assign an 802.1p priority as a 3-bit IP precedence value in the Type of Service field of the IP header used to set the priority. The valid values for this field are 0-7.
  • Page 111: Static Routes

    5.3.5.4 Static Routes (under Profile Network Configuration) Use the Static Routes screen to set Destination IP and Gateway addresses enabling assignment of static IP addresses for requesting clients without creating numerous host pools with manual bindings. This eliminates the need for a long configuration file and reduces the resource space required to maintain address pools.
  • Page 112: Forwarding Database

    5.3.5.5 Forwarding Database (under Profile Network Configuration) A Forwarding Database is used by a bridge to forward or filter packets. The bridge reads the packet’s destination MAC address and decides to either forward the packet or drop (filter) it. If it is determined the destination MAC is on a different network segment, it forwards the packet to the segment.
  • Page 113 7. Set a destination MAC Address. The bridge reads the packet’s destination MAC address and decides to forward the packet or drop (filter) it. If it’s determined the destination MAC is on a different network, it forwards the packet to the segment.
  • Page 114: Bridge Vlan

    5.3.5.6 Bridge VLAN (under Profile Network Configuration) A Virtual LAN (VLAN) is a separately administered virtual network within the same physical managed network. VLANs are broadcast domains to allow control of broadcast, multicast, unicast and unknown unicast within a Layer 2 device.
  • Page 115 Figure 5-28 Network Bridge VLAN screen VLAN Lists the numerical identifier defined for the Bridge VLAN when it was initially created. The available range is from 1 - 4095. This value cannot be modified during the edit process. Description Lists a description of the VLAN assigned when it was created or modified.
  • Page 116 5. Select to define a new Bridge VLAN configuration, Edit to modify the configuration of an existing Bridge VLAN configuration or Delete to remove a VLAN configuration. Figure 5-29 Bridge VLAN Configuration screen 6.
  • Page 117 MAC Outbound Tunnel Select a MAC Outbound Tunnel ACL for outbound traffic from the drop-down menu. If an appropriate outbound MAC ACL is not available, click the create button to make a new one. NOTE: If creating a mesh connection between two access points in Standalone AP mode, Tunnel must be selected as the Bridging Mode to successfully create the mesh link between the two access points.
  • Page 118: Miscellaneous Network Configuration

    5.3.5.7 Miscellaneous Network Configuration (under Profile Network Configuration) A profile can be configured to include a hostname in a DHCP lease for a requesting device and its profile. This helps an administrator track the leased DHCP IP address by hostname for the supported device profile.
  • Page 119: Profile Network Configuration And Deployment Considerations

    5.3.5.8 Profile Network Configuration and Deployment Considerations (under Profile Network Configuration) Before defining a profile’s network configuration, refer to the following deployment guidelines to ensure the profile configuration is optimally effective: • Administrators often need to route traffic to interoperate between different VLANs. Bridging VLANs are only for non-routable traffic, like tagged VLAN frames destined to some other device which will untag it.
  • Page 120: Defining Profile Security Settings

    5. Select the radio button to require profile supported devices to use a WEP key to access the network using this profile. The access point, other proprietary routers, and Motorola Solutions clients use the key algorithm to convert an ASCII string to the same hexadecimal number. Clients without Motorola Solutions adapters need to use WEP keys manually configured as hexadecimal numbers.
  • Page 121: Setting The Certificate Revocation List (Crl) Configuration

    5.3.6.2 Setting the Certificate Revocation List (CRL) Configuration (under Profile Security Configuration) A certificate revocation list (CRL) is a list of certificates that have been revoked or are no longer valid. A certificate can be revoked if the certificate authority (CA) has improperly issued a certificate, or if a private key is compromised.
  • Page 122: Setting The Profile's Nat Configuration

    5.3.6.3 Setting the Profile’s NAT Configuration (under Profile Security Configuration) Network Address Translation (NAT) is a technique to modify network address information within IP packet headers in transit across a traffic routing device. This enables mapping one IP address to another to protect network address credentials.
  • Page 123 Figure 5-34 Security NAT Pool screen 6. If adding a new NAT policy or editing the configuration of an existing policy, define the following parameters: Name If adding a new NAT policy, provide a name to help distinguish it from others with similar configurations.
  • Page 124 Figure 5-35 Static NAT screen - Source tab 10. To map a source IP address from an internal network to a NAT IP address, click the + Add Row button. Enter the internal network IP address in the Source IP field.
  • Page 125 Figure 5-36 Static NAT screen - Destination tab 13. Select to create a new NAT destination configuration, Edit to modify the attributes of an existing configuration or Delete to permanently remove a NAT destination.
  • Page 126 Figure 5-37 NAT Destination Add screen 14. Set the following Destination configuration parameters: Static NAT creates a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network.
  • Page 127 Destination Port Use the spinner control to set the local port number used at the (source) end of the static NAT configuration. The default value is port 1. NAT IP Enter the IP address of the matching packet to the specified value. The IP address modified can be either source or destination based on the direction specified.
  • Page 128 Figure 5-38 Dynamic NAT screen 17. Refer to the following to determine whether a new Dynamic NAT configuration requires creation, edit or deletion: Source List ACL Lists the ACL defining packet selection criteria for the NAT configuration.
  • Page 129 Figure 5-39 Source ACL List screen 19. Set the following to define the Dynamic NAT configuration: Source List ACL Use the drop-down menu to select an ACL name to define the packet selection criteria for NAT. NAT is applied only on packets which match a rule defined in the access-list.
  • Page 130 Overload Type Select the radio button of Overload Type used with the listed IP ACL rule. Options include NAT Pool, One Global Address and Interface IP Address. Interface IP Address is the default setting. If NAT Pool is selected, provide the Overload IP address.
  • Page 131: Profile Security Configuration And Deployment Considerations

    5.3.6.4 Profile Security Configuration and Deployment Considerations (under Profile Security Configuration) Before defining a profile’s security configuration, refer to the following deployment guidelines to ensure the profile configuration is optimally effective: • Ensure the contents of the Certificate Revocation List are periodically audited to ensure revoked certificates remain quarantined or validated certificates are reinstated.
  • Page 132: Profile Services Configuration And Deployment Considerations

    A captive portal provides secure authenticated access using a standard Web browser. Captive portals provide authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the wireless network.
  • Page 133: Profile Management Configuration

    5.3.8 Profile Management Configuration The access point has mechanisms to allow/deny management access to the network for separate interfaces and protocols (HTTP, HTTPS, Telnet, SSH or SNMP). These management access configurations can be applied strategically to profiles as resource permissions dictate.
  • Page 134 Figure 5-41 Profile Management Settings screen 5. Refer to the Message Logging field to define how the profile logs system events. It’s important to log individual events to discern an overall pattern that may be negatively impacting performance using the configuration defined...
  • Page 135 for the access point’s profile. Enable Message Logging: Select the radio button to enable the profile to log system events to a user defined log file or a syslog server. Selecting this radio button enables the rest of the parameters required to define the profile’s logging configuration.
  • Page 136 7. Refer to the Events E-mail Notification field to define how system event notification e-mails are sent on behalf of the access point profile. SMTP Server Specify either the Hostname or IP Address of the outgoing SMTP server where notification e-mails are originated.
  • Page 137 Figure 5-42 Profile Management Firmware screen 11. Refer to the Auto Install via DHCP field to define the configuration used by the profile to update firmware using DHCP: Enable Configuration Upgrade: Select this option to enable automatic configuration file updates for the profile from a location external to the access point.
  • Page 138 Number of Concurrent Upgrades: Use the spinner control to define the maximum number (1 - 20) of adopted APs that can receive a firmware upgrade at the same time. Keep in mind...
  • Page 139: Upgrading Ap-6532 Firmware From 5.1 To 5.2

    3. Ping the AP-6532 from the computer to ensure IP connectivity. 4. Open an SSH session on the computer and connect to the AP-6532’s IP address. 5. Log in with a username and password of admin/motorola. The CLI will prompt for a new password. Re-enter the password and confirm.
  • Page 140: Profile Management Configuration And Deployment Considerations

    HTTPS, SSH and SNMPv3 should be used when possible, as they provide data privacy and authentication. • Motorola Solutions recommends SNMPv3 be used for management profile configurations, as it provides both encryption and authentication. 5.3.9 Advanced Profile Configuration An access point profile’s advanced configuration is comprised of defining connected client load balance settings, a...
  • Page 141: Advanced Profile Client Load Balancing

    5.3.9.1 Advanced Profile Client Load Balancing (under Advanced Profile Configuration) Use the screen to administer the client load across an access point’s radios. AP-7131 models can have from 1-3 radios depending on the SKU. AP-6532, AP-7161 and AP-8132 models have 2 radios, while AP-6511 and AP-6521 models have a single radio.
  • Page 142 3. Set the following Neighbor Selection Strategies. Use probes from common clients: Select this option to use probes from shared clients in the neighbor selection process. This feature is enabled by default, to provide the best common group of available clients amongst access points in neighbor selection.
  • Page 143 Band Ratio (5GHz) Use the spinner control to set a loading ratio (between 0 - 10) the access point 5 GHz radio uses in respect to radio traffic on the 5 GHz band. This allows an administrator to weight client traffic if wishing to prioritize client traffic on the 5 GHz radio band.
  • Page 144 Weightage given to Client Count: Use the spinner control to assign a weight (between 0 - 100%) the access point uses to prioritize 2.4GHz radio client count in the 2.4GHz radio load calculation.
  • Page 145 Weightage given to Throughput: Use the spinner control to assign a weight (between 0 - 100%) the access point radio uses to prioritize radio throughput in the load calculation (on both the 2.4 and 5 GHz radio bands). Assign this value higher if throughput and radio performance are considered mission critical and of more importance than a high client connection count.
  • Page 146: Configuring Mint

    5.3.9.2 Configuring MINT MINT provides the means to secure access point profile communications at the transport layer. Using MINT, an access point can be configured to only communicate with other authorized (MINT enabled) access points of the same model.
  • Page 147 3. Define the following Device Heartbeat Settings in respect to devices supported by the controller profile: Designated IS Priority Adjustment: Use the spinner control to set a Designated IS Priority Adjustment setting between -255 and 255. This is the value added to the base level DIS priority to influence the Designated IS (DIS) election.
  • Page 148 Figure 5-46 Advanced Profile MINT screen - IP tab The IP tab displays the IP address, routing level, link cost, hello packet interval and Adjacency Hold Time managed devices use to securely communicate amongst one another within the managed network. Select...
  • Page 149 Figure 5-47 Advanced Profile MINT screen - Add IP MiNT Link 8. Set the following Link IP parameters to complete the MINT network address configuration: Define the IP address used by peer access points for interoperation when supporting the MINT protocol.
  • Page 150 9. Select the VLAN tab to display the link IP VLAN information shared by the devices managed by the MINT configuration. Figure 5-48 Advanced Profile MINT screen - VLAN tab The VLAN tab displays the VLAN, Routing Level, Link Cost, Hello Packet Interval and Adjacency Hold Time managed devices use to securely communicate amongst one another.
  • Page 151 Figure 5-49 Advanced Profile MINT screen - Add/edit VLAN 10. Set the following parameters to add or modify MINT VLAN configuration: VLAN If adding a new VLAN, define a VLAN ID between 1 - 4,094 used by peers for interoperation when supporting the MINT protocol.
  • Page 152: Advanced Profile Miscellaneous Configuration

    5.3.9.3 Advanced Profile Miscellaneous Configuration (under Advanced Profile Configuration) Refer to the advanced profile’s Miscellaneous menu item to set the profile’s NAS configuration. The profile database on the RADIUS server consists of user profiles for each connected network access server (NAS) port. Each profile is matched to a username representing a physical port.
  • Page 153 to 512 client connections. An AP-6532, AP-7131, AP-7161 or AP-8132 RF Domain Manager can support up to 512 client connections. An AP-6511 or AP-6521 RF Domain Manager can support up to 256 client connections. 7. Select to save the changes made to the profile’s Advanced Miscellaneous configuration.
  • Page 154: Managing Virtual Controllers

    Up to 24 Dependent mode access points can be connected to, and managed by, a single Virtual Controller AP of the same model. NOTE: If designating the access point as a Standalone AP, Motorola Solutions recommends the access point’s UI be used exclusively to define its device configuration, and not the CLI.
  • Page 155 5. Either select an access point from those displayed and select Edit, or use the Device Browser in the lower left-hand side of the UI to select an access point. Figure 5-52 Virtual Controller AP Designation screen 6.
  • Page 156: Overriding A Device Configuration

    5.5 Overriding a Device Configuration Devices within the access point managed network can have an override configuration defined and applied. New devices can also have an override configuration defined and applied once NOTE: The best way to administer a network populated by numerous access points is to configure them directly from the designated Virtual Controller AP.
  • Page 157 Figure 5-53 Device Overrides - Basic Configuration screen 5. Set the following Configuration settings for the target device: System Name Provide the selected device a system name up to 64 characters in length. This is the device name that appears within the RF Domain or Profile the access point supports and is identified by Area Assign the access point an Area representative of the location the access point...
  • Page 158 Use the New Time parameter to set the calendar day, hour and minute. Use the AM and PM radio buttons to refine whether the updated time is for the AM or PM. This time can be synchronized with the use of an external NTP resource.
  • Page 159: Assigning Certificates

    5.6 Assigning Certificates A certificate links identity information with a public key enclosed in the certificate. A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate.
  • Page 160 Figure 5-54 Device Overrides - Certificates screen 6. Set the following Management Security certificate configurations: HTTPS Trustpoint Either use the default-trustpoint or select the Stored radio button to enable a drop-down menu where an existing certificate/trustpoint can be leveraged.
  • Page 161: Certificate Management

    For more information on the certification activities, refer to the following: • Certificate Management • RSA Key Management • Certificate Creation • Generating a Certificate Signing Request 5.6.1 Certificate Management (under Assigning Certificates) If not wanting to use an existing certificate or key with a selected device, an existing stored certificate can be leveraged from a different device.
  • Page 162 3. To optionally import a certificate, select the Import button from the Certificate Management screen. The Import New Trustpoint screen displays. Figure 5-56 Certificate Management - Import New Trustpoint screen 4.
  • Page 163 Hostname If selecting Advanced, provide the hostname of the server used to import the trustpoint. This option is not valid for cf, usb1 and usb2. Path If selecting Advanced, specify the path to the trustpoint. Enter the complete relative path to the file on the server.
  • Page 164 Protocol If selecting Advanced, select the protocol used for importing the target CA certificate. Available options include: • tftp • ftp • sftp • http • cf • usb1 • usb2 Port If selecting Advanced, use the spinner control to set the port.
  • Page 165 Figure 5-58 Certificate Management - Import CRL screen 10. Define the following configuration parameters required for the Import of the CRL: Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint signing the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.
  • Page 166 IP Address If selecting Advanced, enter the IP address of the server used to import the CRL. This option is not valid for cf, usb1, and usb2. Hostname If selecting Advanced, provide the hostname of the server used to import the CRL.
  • Page 167 Provide the complete URL to the location of the signed certificate. Protocol If selecting Advanced, select the protocol used for importing the target signed certificate. Available options include: • tftp • ftp • sftp • http •...
  • Page 168 Figure 5-60 Certificate Management - Export Trustpoint screen 16. Define the following configuration parameters required for the Export of the trustpoint. Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual.
  • Page 169: Rsa Key Management

    Path If selecting Advanced, specify the path to the trustpoint. Enter the complete relative path to the file on the server. 17. Select to export the defined trustpoint. Select Cancel to revert the screen to its last saved configuration. 18.
  • Page 170 Figure 5-61 Certificate Management - RSA Keys screen 3. Select a listed device to review its current RSA key configuration. Each key can have its size and character syntax displayed. Once reviewed, optionally generate a new RSA key, import a key from a selected device, export a key to a remote location or delete a key from a selected device.
  • Page 171 Key Size Use the spinner control to set the size of the key (between 1,024 - 2,048 bits). Motorola Solutions recommends leaving this value at the default setting of 1024 to ensure optimum functionality. 6. Select to generate the RSA key.
  • Page 172 Hostname If selecting Advanced, provide the hostname of the server used to import the RSA key. This option is not valid for cf, usb1 and usb2. Path If selecting Advanced, specify the path to the RSA key. Enter the complete relative path to the key on the server.
  • Page 173: Certificate Creation

    Protocol If selecting Advanced, select the protocol used for exporting the RSA key. Available options include: • tftp • ftp • sftp • http • cf • usb1 • usb2 Port If selecting Advanced, use the spinner control to set the port. This option is not valid for cf, usb1 and usb2.
  • Page 174 Figure 5-65 Certificate Management - Create Certificate screen 3. Define the following configuration parameters required to Create New Self-Signed Certificate: Certificate Name Enter the 32 character maximum name assigned to identify the name of the trustpoint associated with the certificate.
  • Page 175: Generating A Certificate Signing Request

    Country (C) Define the Country of deployment for the certificate. The field can be modified by the user to other values. This is a required field and must not exceed 2 characters. State (ST) Enter a State for the state or province name used in the certificate. This is a required field.
  • Page 176 2. Select Create CSR from the upper left-hand side of the Certificate Management screen. Figure 5-66 Certificate Management - Create CSR screen 3. Define the following configuration parameters required to...
  • Page 177 Organization (O) Define an Organization for the organization used in the CSR. This is a required field. Organizational Unit (OU): Enter an Organizational Unit for the name of the organization unit used in the CSR. This is a required field. Common Name (CN) If there’s a Common Name (IP address) for the organizational unit issuing the certificate, enter it here.
  • Page 178: Rf Domain Overrides

    5.7 RF Domain Overrides Use RF Domain Overrides to define settings overriding a target device’s original RF Domain configuration. An RF Domain allows an administrator to assign configuration data to multiple access points (of the same model) deployed in a common coverage area (floor, building or site).
  • Page 179 Figure 5-67 RF Domain Overrides screen NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides.
  • Page 180 7. Refer to the Statistics field to set the following: Update Interval Set a statistics update interval (5 - 300 seconds). Set the value to 0 for auto mode. Using auto mode, the update interval is automatically adjusted by the RF Domain manager based on the access point’s load.
  • Page 181: Profile Overrides

    5.8 Profile Overrides A Profile enables an administrator to assign a common set of configuration parameters and policies to another access point of the same model. Profiles can be used to assign shared or unique network, wireless and security parameters to access points across a large, multi segment, site.
  • Page 182 Figure 5-68 Profile Overrides - General screen NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides.
  • Page 183 9. Refer to the following to complete the override of the access point’s entire profile configuration: • Radio Power Overrides • Adoption Overrides • Profile Interface Override Configuration • Overriding the Network Configuration • WAN Backhaul Overrides •...
  • Page 184: Radio Power Overrides

    5 - 126 WiNG 5.2.6 Access Point System Reference Guide 5.9 Radio Power Overrides Use the Power screen to set or override one of two power modes (3af or Auto) for an access point. When Automatic is selected, the access point safely operates within available power. Once the power configuration is determined, the access point configures its operating power characteristics based on its model and power configuration.
  • Page 185 Device Configuration 5 - 127 Figure 5-69 Profile Overrides - Power screen 7. Use the Power Mode drop-down menu to set or override the Power Mode Configuration on this AP. NOTE: Single radio model access points always operate using a full power configuration. The power management configurations described in this section do not apply to single radio models.
  • Page 186: Adoption Overrides

    5 - 128 WiNG 5.2.6 Access Point System Reference Guide 5.10 Adoption Overrides Use the Adoption screen to define the configuration of a preferred Virtual Controller resource used for access point adoption. A Virtual Controller can adopt up to 24 access points of the same model. The Virtual Controller must also share its VLAN to peer access points wishing to adopt to it.
  • Page 187 Device Configuration 5 - 129 Figure 5-70 Profile Overrides - Adoption screen 7. Define a 64 character maximum Preferred Group. The Preferred group is the Virtual Controller group the access point would prefer to connect upon adoption. 8. Set the Controller Hello Interval to set the interaction intervals between AP and its adopting resource.
  • Page 188 5 - 130 WiNG 5.2.6 Access Point System Reference Guide Pool Use the spinner control to define the pool the Virtual Controller belongs to. The default setting is pool 1. Routing Level Use the spinner control to define the pool the Virtual Controller belongs to. The default setting is pool 1.
  • Page 189: Profile Interface Override Configuration

    Device Configuration 5 - 131 5.10.1 Profile Interface Override Configuration An access point requires its Virtual Interface be configured for layer 3 (IP) access or layer 3 service on a VLAN. A virtual interface defines which IP address is associated with each connected VLAN ID. An interface configuration can have overrides applied to customize the configuration to a unique deployment objective.
  • Page 190: Ethernet Port Override Configuration

    5 - 132 WiNG 5.2.6 Access Point System Reference Guide 5.10.1.1 Ethernet Port Override Configuration Use an Ethernet Port override to change (modify) parameters of an access point’s Ethernet Port configuration. The following ports are available on supported access point models: •...
  • Page 191 Device Configuration 5 - 133 Figure 5-71 Profile Overrides - Interface Ethernet Port screen 7. Refer to the following to review port status and assess whether an override is warranted: Name Displays the physical port name reporting runtime data and statistics. Supported ports vary depending on the model.
  • Page 192 5 - 134 WiNG 5.2.6 Access Point System Reference Guide Tag Native VLAN A green checkmark defines the native VLAN as tagged. A red “X” defines the native VLAN as untagged. When a frame is tagged, the 12 bit frame VLAN ID is added to the 802.1Q header so upstream Ethernet devices know which VLAN...
  • Page 193 Device Configuration 5 - 135 Speed Set the speed at which the port can receive and transmit the data. Select either 10 Mbps, 100 Mbps, 1000 Mbps. Select either of these options to establish a 10, 100 or 1000 Mbps data transfer rate for the selected half duplex or full duplex transmission over the port.
  • Page 194 5 - 136 WiNG 5.2.6 Access Point System Reference Guide Tag Native VLAN Select the radio button to tag the native VLAN. The IEEE 802.1Q specification is supported for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame identifying the VLAN ID for upstream devices that the frame belongs.
  • Page 195 Device Configuration 5 - 137 Figure 5-73 Ethernet Ports - Security screen 14. Refer to the Access Control field. As part of the port’s security configuration, Inbound IP and MAC address firewall rules are required. The configuration can be optionally overridden if needed. Use the Inbound IP Firewall Rules and Inbound MAC Firewall Rules drop-down menus to select the firewall rules to apply to this profile’s Ethernet port configuration.
  • Page 196 5 - 138 WiNG 5.2.6 Access Point System Reference Guide Trust 8021p COS values Select the radio button to enable 802.1p COS values on this port. The default value is enabled. Trust IP DSCP Select the radio button to enable IP DSCP values on this port. The default value is enabled.
  • Page 197: Virtual Interface Override Configuration

    Device Configuration 5 - 139 5.10.1.2 Virtual Interface Override Configuration A Virtual Interface is required for layer 3 (IP) access or to provide layer 3 service on a VLAN. The Virtual Interface defines which IP address is associated with each VLAN ID. A Virtual Interface is created for the default VLAN (VLAN 1) to enable remote administration.
  • Page 198 5 - 140 WiNG 5.2.6 Access Point System Reference Guide Figure 5-74 Profile Overrides - Virtual Interfaces screen 7. Review the following parameters unique to each Virtual Interface configuration to determine whether a parameter override is warranted: Name Displays the name of each listed Virtual Interface assigned when it was created.
  • Page 199 Device Configuration 5 - 141 Figure 5-75 Profile Overrides - Virtual Interfaces Basic Configuration screen The Basic Configuration screen displays by default regardless of whether a new Virtual Interface is being created or an existing one is being modified. 9.
  • Page 200 5 - 142 WiNG 5.2.6 Access Point System Reference Guide Use DHCP to obtain Select this option to allow DHCP to obtain a default gateway address, and DNS Gateway/DNS resource for one virtual interface. This setting is disabled by default and only Servers available when the Use DHCP to Obtain IP option is selected.
  • Page 201 Device Configuration 5 - 143 Figure 5-76 Profile Overrides - Virtual Interfaces Security screen 15. Use the Inbound IP Firewall Rules drop-down menu to select the firewall rule configuration to apply to this Virtual Interface. The firewall inspects packet traffic to and from connected clients. If a firewall rule does not exist suiting the data protection needs of this Virtual Interface, select the Create icon to define a new firewall rule configuration or the Edit icon to modify or override an existing configuration.
  • Page 202: Radio Override Configuration

    5 - 144 WiNG 5.2.6 Access Point System Reference Guide 5.10.1.3 Radio Override Configuration Access points can have their radio profile configurations overridden if a portion of a profile is no longer relevant to the access point’s deployment objective.
  • Page 203 Device Configuration 5 - 145 Type Displays the type as either Radio (for typical client support) or sensor. If setting an AP-6521 or AP-6511 model access point to function as a sensor, the access point must be rebooted before it can begin to operate as a sensor, since those models support a single radio.
  • Page 204 5 - 146 WiNG 5.2.6 Access Point System Reference Guide 8. Define or override the following radio configuration Properties: Description Provide or edit a description (1 - 64 characters in length) for the radio that helps differentiate it from others with similar configurations.
  • Page 205 (isotropically), and has no losses. Although the gain of an antenna is directly related to its directivity, its gain is a measure that takes into account the efficiency of the antenna as well as its directional capabilities. Motorola Solutions recommends only a professional installer set the antenna gain. The default value is 0.00.
  • Page 206 5 - 148 WiNG 5.2.6 Access Point System Reference Guide Radio Placement Use the drop-down menu to specify whether the radio is located Indoors or Outdoors. The placement should depend on the selected country of operation and its regulatory domain requirements for radio emissions. The default setting is Indoors.
  • Page 207 Device Configuration 5 - 149 Figure 5-79 Access Point Radio - Rates screen 10. Set or override the following profile WLAN Properties for the selected access point radio. Beacon Interval Set the interval between radio beacons in milliseconds (either 50, 100 or 200). A beacon is a packet broadcast by adopted radios to keep the network synchronized.
  • Page 208 5 - 150 WiNG 5.2.6 Access Point System Reference Guide RTS Threshold Specify a Request To Send (RTS) threshold (between 1 - 2,347 bytes) for use by the WLAN's adopted access point radios. RTS is a transmitting station's signal that requests a Clear To Send (CTS) response from a receiving client. This RTS/CTS procedure clears the air where clients are contending for transmission time.
  • Page 209 Device Configuration 5 - 151 Figure 5-80 Profile Overrides - WLAN Mapping tab 14. Refer to the WLAN/BSS Mappings field to set or override WLAN BSSID assignments for an existing access point deployment. Administrators can assign each WLAN its own BSSID. If using a single-radio AP-6511 or AP-6521 access point, there are 8 BSSIDs available.
  • Page 210 5 - 152 WiNG 5.2.6 Access Point System Reference Guide Figure 5-81 Access Point Radio - Mesh tab 17. Use the Mesh screen to define or override how mesh connections are established and the number of links available amongst access points within the Mesh network.
  • Page 211 Device Configuration 5 - 153 Figure 5-82 Profile Overrides - Access Point Radio Advanced Settings tab 22. Refer to the Aggregate MAC Protocol Data Unit (A-MPDU) field to define or override how MAC service frames are aggregated by the access point radio. A-MPDU Modes Use the drop-down menu to define the A-MPDU mode.
  • Page 212 5 - 154 WiNG 5.2.6 Access Point System Reference Guide 24. Set or override the following Non-Unicast Traffic values for the profile’s supported access point radio and its connected wireless clients: Non-UnicastTransmit Use the Select drop-down menu to launch a sub screen to define the data rate Rate broadcast and multicast frames are transmitted.
  • Page 213 802.11b clients do not support beamforming. A single access point radio can support up to 15 beamforming clients. Beamforming is supported explicitly on Motorola Solutions access points and must be supported on the receiving client. In the receiving end of the data path, the access point updates beamforming data or the active entries when packets are received from an address matching an active entry.
  • Page 214: Wan Backhaul Overrides

    5 - 156 WiNG 5.2.6 Access Point System Reference Guide 5.10.1.4 WAN Backhaul Overrides A Wireless Wide Area Network (WWAN) card is a specialized network interface card that allows a network device to connect, transmit and receive data over a Cellular Wide Area Network. Certain AP7131N model access points have a PCI Express card slot that supports 3G WWAN cards.
  • Page 215 Device Configuration 5 - 157 Figure 5-83 Profile Overrides -WAN Backhaul screen NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides.
  • Page 216: Overriding The Network Configuration

    5 - 158 WiNG 5.2.6 Access Point System Reference Guide Authentication Type Use the drop-down menu to specify authentication type used by the cellular data provider. Supported authentication options include None, PAP, CHAP, MSCHAP, and MSCHAP-v2. 8. Use the Network Address Translation checkboxes to specify the NAT direction used with the access point’s...
  • Page 217: Overriding The Dns Configuration

    Device Configuration 5 - 159 5.10.2.1 Overriding the DNS Configuration Domain Naming System (DNS) is a hierarchical naming system for resources connected to the Internet or a private network. Primarily, DNS resources translate domain names into IP addresses. If one DNS server doesn't know how to translate a particular domain name, it asks another one until the correct IP address is returned.
  • Page 218 5 - 160 WiNG 5.2.6 Access Point System Reference Guide Figure 5-84 Profile Overrides - Network DNS screen NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides.
  • Page 219: Overriding An Arp Configuration

    Device Configuration 5 - 161 5.10.2.2 Overriding an ARP Configuration Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a hardware MAC address. ARP provides protocol rules for making this correlation and providing address conversion in both directions. This ARP assignment can be overridden as needed, but removes the device configuration from the managed profile that may be shared with other similar device models.
  • Page 220 5 - 162 WiNG 5.2.6 Access Point System Reference Guide Figure 5-85 Profile Overrides - Network ARP screen 6. Set or override the following parameters to define the ARP configuration: Switch VLAN Use the spinner control to select a VLAN (1 - 4094) for an address requiring Interface resolution.
  • Page 221: Overriding A Quality Of Service (Qos) Configuration

    Device Configuration 5 - 163 5.10.2.3 Overriding a Quality of Service (QoS) Configuration QoS values are required to provide service priority to packets. For example, VoIP packets get higher priority than data packets to provide a better quality of service for high priority voice traffic. The profile QoS screen maps the 6-bit Differentiated Service Code Point (DSCP) code points to the older 3-bit IP Precedence field located in the Type of Service byte of an IP header.
  • Page 222 5 - 164 WiNG 5.2.6 Access Point System Reference Guide Figure 5-86 Profile Overrides - Network QoS screen 6. Set or override the following parameters for the IP DSCP mappings for untagged frames: DSCP Lists the DSCP value as a 6-bit parameter in the header of every IP packet used for packet classification.
  • Page 223: Overriding A Static Route Configuration

    Device Configuration 5 - 165 5.10.2.4 Overriding a Static Route Configuration Use the Static Routes screen to set or override Destination IP and Gateway addresses enabling assignment of static IP addresses for requesting clients without creating numerous host pools with manual bindings. This eliminates the need for a long configuration file and reduces the resource space required to maintain address pools.
  • Page 224 5 - 166 WiNG 5.2.6 Access Point System Reference Guide 8. Set or override the Gateway used to route traffic. A green checkmark in the Default Gateway column defines a default gateway being applied. A red “X” means a gateway assignment has been made.
  • Page 225: Overriding A Forwarding Database Configuration

    Device Configuration 5 - 167 5.10.2.5 Overriding a Forwarding Database Configuration A Forwarding Database is used by a bridge to forward or filter packets. The bridge reads the packet’s destination MAC address and decides to either forward the packet or drop (filter) it. If it’s determined the destination MAC is on a different network segment, it forwards the packet to the segment.
  • Page 226 5 - 168 WiNG 5.2.6 Access Point System Reference Guide Figure 5-88 Profile Overrides - Network Forwarding Database screen 6. Define or override a Bridge Aging Time between 0, 10-1,000,000 seconds. The aging time defines the length of time an entry will remain in a bridge’s forwarding table before being deleted due to lack of activity.
  • Page 227: Overriding A Bridge Vlan Configuration

    Device Configuration 5 - 169 5.10.2.6 Overriding a Bridge VLAN Configuration A Virtual LAN (VLAN) is a separately administrated virtual network within the same physical. VLANs are broadcast domains to allow control of broadcast, multicast, unicast, and unknown unicast within a Layer 2 device. For example, say several computers are used in conference room X and some in conference Y.
  • Page 228 5 - 170 WiNG 5.2.6 Access Point System Reference Guide Figure 5-89 Profile Overrides - Network Bridge VLAN screen 6. Review the following VLAN configuration parameters to determine whether an override is warranted: VLAN Lists the numerical identifier defined for the Bridge VLAN when it was initially created.
  • Page 229 Device Configuration 5 - 171 Trust DHCP Responses When DHCP trust is enabled, a green checkmark displays. When disabled, a red “X” displays. When enabled, DHCP packets from a DHCP server are considered trusted and permissible within the network. DHCP packets are used to update the DHCP Snoop Table to prevent IP spoof attacks.
  • Page 230 5 - 172 WiNG 5.2.6 Access Point System Reference Guide 10. Set or override the following Extended VLAN Tunnel parameters: Bridging Mode Specify one of the following bridging mode for use on the VLAN. Automatic: Select Automatic mode to let the controller determine the best bridging mode for the VLAN.
  • Page 231: Overriding A Miscellaneous Network Configuration

    Device Configuration 5 - 173 5.10.2.7 Overriding a Miscellaneous Network Configuration An access point profile can be configured to include a hostname in a DHCP lease for a requesting device and its profile. This helps an administrator track the leased DHCP IP address by hostname for a device profile. When numerous DHCP leases are assigned, an administrator can better track the leases when hostnames are used instead of devices.
  • Page 232: Overriding A Security Configuration

    5 - 174 WiNG 5.2.6 Access Point System Reference Guide 5.10.3 Overriding a Security Configuration A profile can have its own firewall policy, wireless client role policy, WEP shared key authentication, NAT policy and VPN policy applied. If an existing firewall, client role or NAT policy is unavailable create the required security policy configuration.
  • Page 233: Overriding General Security Settings

    Device Configuration 5 - 175 5.10.3.1 Overriding General Security Settings A profile can leverage existing firewall, wireless client role and WIPS policies and configurations and apply them to the configuration. This affords a profile a truly unique combination of data protection policies. However, as deployment requirements arise, an individual access point may need some or all of its general security configuration overridden from that applied in the profile.
  • Page 234: Overriding A Certificate Revocation List (Crl) Configuration

    5 - 176 WiNG 5.2.6 Access Point System Reference Guide Figure 5-92 Profile Overrides - General Security screen 6. Refer to the General field to assign or override the following: WEP Shared Key Select the radio button to require devices using this profile to use a WEP key Authentication to access the network using this profile.
  • Page 235 Device Configuration 5 - 177 5. Select Certificate Revocation. NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration screen’s Device Overrides field and select Clear Overrides. This will remove all overrides from the device. Figure 5-93 Profile Overrides - Certificate Revocation screen 6.
  • Page 236: Overriding A Profile's Nat Configuration

    5 - 178 WiNG 5.2.6 Access Point System Reference Guide 5.10.3.3 Overriding a Profile’s NAT Configuration Network Address Translation (NAT) is a technique to modify network address information within IP packet headers in transit across a traffic routing device. This enables mapping one IP address to another to protect network address credentials.
  • Page 237 Device Configuration 5 - 179 Figure 5-94 Profile Overrides - NAT Pool screen NAT Pool tab displays by default. The NAT Pool screen lists those NAT policies created thus far. Any of these policies can be selected and applied to a profile. 6.
  • Page 238 5 - 180 WiNG 5.2.6 Access Point System Reference Guide Figure 5-95 NAT Pool screen 7. If adding a new NAT policy or editing the configuration of an existing policy, define the following parameters: Name If adding a new NAT policy, provide a name to help distinguish it from others with similar configurations.
  • Page 239 Device Configuration 5 - 181 Figure 5-96 Profile Overrides - Static NAT screen To map a source IP address from an internal network to a NAT IP address click the + Add Row button. Enter the internal network IP address in Source IP field. Enter the NAT IP address in the NAT IP field. Use the Network drop-down menu to set the NAT type either Inside or Outside.
  • Page 240 5 - 182 WiNG 5.2.6 Access Point System Reference Guide Figure 5-97 NAT Destination screen 11. Select to create a new NAT destination configuration, Edit to modify or override the attributes of an existing configuration or Delete to permanently remove a NAT destination.
  • Page 241 Device Configuration 5 - 183 Figure 5-98 Destination NAT screen 12. Set or override the following Destination configuration parameters: Static NAT creates a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network. To share a Web server on a perimeter interface with the Internet, use static address translation to map the actual address to a registered IP address.
  • Page 242 5 - 184 WiNG 5.2.6 Access Point System Reference Guide Destination Port Use the spinner control to set the local port number used at the (source) end of the static NAT configuration. The default value is port 1. NAT IP Enter the IP address of the matching packet to the specified value.
  • Page 243 Device Configuration 5 - 185 Figure 5-99 Profile Overrides - Dynamic NAT screen 16.Refer to the following to determine whether a new Dynamic NAT configuration requires creation, edit or deletion: Source List ACL Lists an ACL name to define the packet selection criteria for the NAT configuration.
  • Page 244 5 - 186 WiNG 5.2.6 Access Point System Reference Guide Figure 5-100 Source NAT screen 18.Set or override the following to define the Dynamic NAT configuration: Source List ACL Use the drop-down menu to select an ACL name to define the packet selection criteria for NAT.
  • Page 245: Overriding A Services Configuration

    Device Configuration 5 - 187 13. Select to save the changes or overrides made to the dynamic NAT configuration. Select Reset to revert to the last saved configuration. 5.10.4 Overriding a Services Configuration A profile can contain specific guest access (captive portal), DHCP server and RADIUS server configurations. These access, IP assignment and user authorization resources can be defined uniquely as profile requirements dictate.
  • Page 246: Overriding A Management Configuration

    5 - 188 WiNG 5.2.6 Access Point System Reference Guide login page where the user must enter valid credentials to access the network. Once logged into the hotspot, additional Agreement, Welcome and Fail pages provide the administrator with a number of options on the hotspot’s screen flow and user appearance.
  • Page 247 Device Configuration 5 - 189 Figure 5-102 Profile Overrides - Management Settings screen...
  • Page 248 5 - 190 WiNG 5.2.6 Access Point System Reference Guide 5. Refer to the Message Logging field to define how the profile logs system events. It’s important to log individual events to discern an overall pattern that may be negatively impacting performance.
  • Page 249 Device Configuration 5 - 191 Port of SMTP If a non-standard SMTP port is used on the outgoing SMTP server check this box and specify a port between 1 and 65,535 for the outgoing SMTP server to use. Sender E-mail Address Specify the e-mail address that notification e-mails will be sent from.
  • Page 250 5 - 192 WiNG 5.2.6 Access Point System Reference Guide Figure 5-103 Profile Overrides - Management Firmware screen 11. Refer to the Auto Install via DHCP Option field to define automatic configuration file and firmware updates. Enable Configuration Select the Enable Configuration Update check box to enable automatic...
  • Page 251: Overriding An Advanced Configuration

    Device Configuration 5 - 193 13. Use the parameters within the Legacy Settings field to define how legacy devices manage firmware updates. Legacy AP650 Auto Select the radio button to define whether a legacy AP650 model access Upgrade point will connect to a legacy device and downgrade to be compatible with that lower firmware version.
  • Page 252 5 - 194 WiNG 5.2.6 Access Point System Reference Guide users to know about certificates and PKI. However, administrators do not need to define security parameters for access points to be adopted (secure WISPe being an exception, but that isn’t a commonly used feature). Also, users can replace any device on the network or move devices around and they continue to work.
  • Page 253 Device Configuration 5 - 195 7. Define or override the following Priority Adjustment settings: Designated IS Priority Use the spinner control to set a Designated IS Priority Adjustment setting Adjustment between -255 and 255. This is the value added to the base level DIS priority to influence the Designated IS (DIS) election.
  • Page 254 5 - 196 WiNG 5.2.6 Access Point System Reference Guide Figure 5-106 Advanced Profile MINT screen - IP tab The IP tab displays the IP address, Routing Level, Listening Link, Port, Forced Link, Link Cost, Hello Packet Interval and Adjacency Hold Time managed devices use to securely communicate amongst one another.
  • Page 255 Device Configuration 5 - 197 Figure 5-107 Advanced Profile MINT screen - IP tab 12. Set the following Link IP parameters to complete the MINT network address configuration: Define or override the IP address used by peer access points for interoperation when supporting the MINT protocol.
  • Page 256 5 - 198 WiNG 5.2.6 Access Point System Reference Guide 13. Select the VLAN tab to display the link IP VLAN information shared by the access points managed by the MINT configuration. Figure 5-108 Advanced Profile MINT screen - VLAN tab The VLAN tab displays the VLAN, Routing Level, Link Cost, Hello Packet Interval and Adjacency Hold Time managed devices use to securely communicate amongst one another.
  • Page 257 Device Configuration 5 - 199 Figure 5-109 Advanced Profile MINT screen - VLAN tab 20.Set the following VLAN parameters to complete the MINT configuration: VLAN Define a VLAN ID between 1 - 4,094 used by peer controllers for interoperation when supporting the MINT protocol. Routing Level Use the spinner control to define or override a routing level of either 1 or 2.
  • Page 258 5 - 200 WiNG 5.2.6 Access Point System Reference Guide Figure 5-110 Profile Overrides - Miscellaneous screen 23.Set a NAS-Identifier Attribute up to 253 characters in length. This is the RADIUS NAS-Identifier attribute that typically identifies where a RADIUS message originates 24.Set a...
  • Page 259: Critical Resources

    Device Configuration 5 - 201 5.11 Critical Resources Access point critical resources are a list of device IP addresses on the network (gateways, routers etc.). The support of these defined IP addresses is interpreted as critical to the health of the access point managed network. These device addresses are pinged regularly by the access point.
  • Page 260 5 - 202 WiNG 5.2.6 Access Point System Reference Guide 5. Set the following parameters to define the Critical Resource configuration: Ping Interval Set the duration between two successive pings from the access point to the critical device. Select from: •...
  • Page 261: Managing An Event Policy

    Device Configuration 5 - 203 5.12 Managing an Event Policy Event Policies enable an administrator to create specific notification mechanisms using one, some or all of the SNMP, syslog, controller forwarding or email notification options available to the controller. Each listed event can have customized notification settings defined and saved as part of an event policy.
  • Page 262 5 - 204 WiNG 5.2.6 Access Point System Reference Guide 6. Select to save the changes. Select Reset to revert to the last saved configuration. Delete obsolete rows as needed.
  • Page 263: Chapter 6 Wireless Configuration

    CHAPTER 6 WIRELESS CONFIGURATION A Wireless Local Area Network (WLAN) is a data-communications system and wireless local area network that flexibly extends the functionalities of a wired LAN. A WLAN links two or more computers or devices using spread-spectrum or OFDM modulation based technology.
  • Page 264 6 - 2 WiNG 5.2.6 Access Point System Reference Guide Figure 6-1 Configuration > Wireless...
  • Page 265: Wireless Lans

    Wireless Configuration 6 - 3 6.1 Wireless LANs To review the attributes of existing WLANs and, if necessary, modify their configurations: 1. Select Configuration > Wireless > Wireless LANs to display a high-level display of existing WLANs. Figure 6-2 Wireless LANs screen 2.
  • Page 266: Basic Wlan Configuration

    6 - 4 WiNG 5.2.6 Access Point System Reference Guide Authentication Type Displays the name of the authentication scheme each listed WLAN is using to secure client transmissions. None is listed if authentication is not used within a WLAN. Refer to the Encryption Type column if no authentication is used to verify there is some sort of data protection used with the WLAN, or risk using this WLAN with no protection at all.
  • Page 267 Wireless Configuration 6 - 5 Figure 6-3 WLAN Basic Configuration screen 3. Refer to the WLAN Configuration field to define the following: WLAN If adding a new WLAN, enter its name in the space provided. Spaces between words are not permitted. The name could be a logical representation of the WLAN coverage area (engineering, marketing etc.).
  • Page 268 6 - 6 WiNG 5.2.6 Access Point System Reference Guide QoS Policy Use the drop-down menu to assign an existing QoS policy to the WLAN. If needed, select the Create icon to define a new QoS policy or select the Edit icon to modify the configuration of a selected QoS Policy.
  • Page 269: Wlan Basic Configuration Deployment Considerations

    Before defining a WLAN’s basic configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective: NOTE: Motorola Solutions recommends one VLAN be deployed for secure WLANs, while separate VLANs be defined for each WLAN providing guest access.
  • Page 270 6 - 8 WiNG 5.2.6 Access Point System Reference Guide Refer to the following to configure an authentication scheme for a WLAN: • 802.1x EAP, EAP PSK and EAP MAC • MAC Authentication • PSK / None Secure guest access to the network is referred to as captive portal. A captive portal is a guest access policy for providing guests temporary and restrictive access to the access point managed wireless network.
  • Page 271: Eap, Eap Psk And Eap Mac

    Wireless Configuration 6 - 9 6.1.2.1 802.1x EAP, EAP PSK and EAP MAC The Extensible Authentication Protocol (EAP) is the de-facto standard authentication method used to provide secure authenticated access to WLANs. EAP provides mutual authentication, secured credential exchange, dynamic keying and strong encryption.
  • Page 272 • Motorola Solutions recommends a valid certificate be issued and installed on devices providing 802.1X EAP. The certificate should be issued from an Enterprise or public certificate authority to allow 802.1X clients to validate the identity of the authentication server prior to forwarding credentials.
  • Page 273: Mac Authentication

    6.1.2.2 MAC Authentication MAC is a device level authentication method used to augment other security schemes. MAC can be used open, with WEP 64 or WEP 128, KeyGuard, TKIP or CCMP. MAC authentication can be used for device level authentication by permitting WLAN access based on device MAC address.
  • Page 274: PSK / None

    • MAC authentication is somewhat poor as a standalone data protection technique, as MAC addresses can be easily spoofed by hackers who can provision a MAC address on their device to mimic a trusted device.
  • Page 275: Captive Portal

    6.1.2.4 Captive Portal A captive portal is a guest access policy for providing guests temporary and restrictive access to the wireless network. The primary means of securing such guest access is the use of a hotspot. For an overview of the Captive Portal process and information on how to define a captive portal policy that can be applied to a WLAN, see Configuring Captive Portal Policies on page...
  • Page 276: WPA/WPA2-TKIP

    6.1.2.5 WPA/WPA2-TKIP Wi-Fi Protected Access (WPA) is an encryption scheme specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11i. WPA provides more sophisticated data encryption than WEP. WPA is designed for corporate networks and small-business environments where more wireless traffic allows quicker discovery of encryption keys by an unauthorized person.
  • Page 277 When using WPA2, a wireless client can use 2 keys: one unicast key, for its own traffic to and from an access point, and one broadcast key, the common key for all clients in that subnet. Motorola Solutions recommends rotating these keys so a potential hacker would not have enough data using a single key to attack the deployed encryption scheme.
  • Page 278 Broadcast Rotation Interval: When enabled, the key indices used for encrypting/decrypting broadcast traffic will be alternately rotated based on the defined interval. Define an interval for broadcast key transmission in seconds (30-86,400). Key rotation enhances the broadcast traffic security on the WLAN.
  • Page 279 Wireless Configuration 6 - 17 WPA-TKIP Deployment Considerations Before defining a WPA-TKIP supported configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective: • Though TKIP offers better security than WEP, it can be vulnerable to certain attacks. •...
  • Page 280: WPA2-CCMP

    6.1.2.6 WPA2-CCMP WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi Protected Access (WPA) and WEP. CCMP is the security standard used by the Advanced Encryption Standard (AES). AES serves the same function TKIP does for WPA-TKIP.
  • Page 281 Wireless Configuration 6 - 19 Figure 6-6 WLAN Security - WPA2-CCMP screen 5. Define Settings. Pre-Shared Key Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share.
  • Page 282 AP, and one broadcast key, the common key for clients in that subnet. Motorola Solutions recommends rotating these keys so a potential hacker would not have enough data using a single key to attack the deployed encryption scheme.
  • Page 283 • Motorola Solutions recommends WPA2-CCMP be configured for all new (non visitor) WLANs requiring encryption, as it’s supported by the majority of the hardware and client vendors using Motorola Solutions wireless networking equipment.
  • Page 284: WEP 64

    6.1.2.7 WEP 64 Wired Equivalent Privacy (WEP) is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard. WEP is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN.
  • Page 285 The pass key can be any alphanumeric string. The wireless controller, other proprietary routers, and Motorola Solutions clients use the algorithm to convert an ASCII string to the same hexadecimal number. Clients without Motorola Solutions adapters need to use WEP keys manually configured as hexadecimal numbers.
  • Page 286: WEP 128 And KeyGuard

    WLAN with a level of security and privacy comparable to that of a wired LAN. KeyGuard is a Motorola Solutions encryption option used with legacy clients capable of supporting it. It closely resembled WEP 128 in key structure.
  • Page 287 The access point, other proprietary routers, and Motorola Solutions clients use the algorithm to convert an ASCII string to the same hexadecimal number. Clients without Motorola Solutions adapters need to use WEP keys manually configured as hexadecimal numbers. Keys 1-4 Use the Key #1-4 areas to specify key numbers.
  • Page 288: Configuring WLAN Firewall Support

    • Motorola Solutions recommends additional layers of security (beyond WEP) be enabled to minimize the likelihood of data loss and security breaches. WEP enabled WLANs should be mapped to an isolated VLAN with Firewall policies restricting access to hosts and suspicious network applications.
  • Page 289 Wireless Configuration 6 - 27 Figure 6-9 WLAN Firewall screen The screen displays editable fields for IP Firewall Rules, MAC Firewall Rules, Trust Parameters and Client Deny Limits. 4. Select an existing inbound and outbound IP Firewall Rule using the drop-down menu. If no rules exist, select the Create icon to create a new Firewall rule configuration.
  • Page 290 6 - 28 WiNG 5.2.6 Access Point System Reference Guide Figure 6-10 WLAN IP Firewall Rules screen 7. Define the following parameters for either inbound or outbound IP Firewall Rules: Allow Every IP Firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria.
  • Page 291 Wireless Configuration 6 - 29 Protocol Select the protocol used with the IP access policy from the drop-down menu. IP is selected by default. Selecting ICMP displays an additional set of ICMP specific options for ICMP type and code. Selecting either TCP or UDP displays an additional set of specific TCP/UDP source and destinations port options.
  • Page 292 6 - 30 WiNG 5.2.6 Access Point System Reference Guide Figure 6-11 WLAN MAC Firewall Rules screen 11.Define the following parameters for either the inbound or outbound MAC Firewall Rules: Allow Every IP Firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria.
  • Page 293 Wireless Configuration 6 - 31 Action The following actions are supported: Log - Creates a log entry that a Firewall rule has allowed a packet to either be denied or permitted. Mark - Modifies certain fields inside the packet, and then permits them. Therefore, mark is an action with an implicit permit.
  • Page 294: Configuring Client Settings

    6 - 32 WiNG 5.2.6 Access Point System Reference Guide Blacklist Duration Select the checkbox and define a setting between 0 - 86,400 seconds. Once the blacklist duration has been exceeded, offending clients can reauthenticate. 15.Set a Firewall Session Hold Time in either Seconds (1 - 300) or Minutes (1 - 5).
  • Page 295 Figure 6-12 WLAN Client Settings screen 4. Define the following Client Settings for the WLAN: Enable Client-to-Client Communication: Select this option to allow client to client communication within this WLAN. The default is enabled, meaning clients are allowed to exchange packets with other clients.
  • Page 296 Max Firewall Sessions per Client: Select this option to set the maximum number of sessions (between 10 - 10,000 clients) over the Firewall. When enabled, this parameter limits the number of simultaneous sessions allowed by the Firewall per wireless client.
  • Page 297: Configuring WLAN Accounting Settings

    Wireless Configuration 6 - 35 6.1.5 Configuring WLAN Accounting Settings Accounting is the method of collecting and sending security server information for billing, auditing, and reporting user data; such as start and stop times, executed commands (such as PPP), number of packets and number of bytes. Accounting enables wireless network administrators to track the services users are accessing and the network resources they are consuming.
  • Page 298 6 - 36 WiNG 5.2.6 Access Point System Reference Guide Syslog Port Use the spinner control to set the destination UDP port of the external syslog host where accounting records are routed. The default port is 514. Proxy Mode Use the drop-down menu to define how syslog accounting is conducted.
  • Page 299: Accounting Deployment Considerations

    Before defining a AAA configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective: • When using RADIUS authentication, Motorola Solutions recommends the WAN port round trip delay not exceed 150ms. Excessive delay over a WAN can cause authentication and roaming issues. When excessive delays exist, a distributed RADIUS service should be used.
  • Page 300: Configuring Client Load Balancing

    6 - 38 WiNG 5.2.6 Access Point System Reference Guide 6.1.6 Configuring Client Load Balancing Client load balance settings can be defined generically to both the 2.4 and 5 GHz bands and specifically to either of the 2.4 or 5 GHz bands.
  • Page 301: Configuring Advanced WLAN Settings

    5. Set the following Load Balancing Settings (2.4 GHz): Allow Single Band Clients: Select this option to enable single band client associations on the 2.4GHz frequency, even if load balancing is available. The default setting is enabled.
  • Page 302 6 - 40 WiNG 5.2.6 Access Point System Reference Guide Figure 6-15 WLAN Advanced Configuration screen 4. Refer to the Advanced RADIUS Configuration field to set the WLAN’s NAS configuration and RADIUS Dynamic Authorization. NAS Identifier Specify what should be included in the RADIUS NAS-Identifier field for authentication and accounting packets relating.
  • Page 303 Wireless Configuration 6 - 41 Figure 6-16 Advanced WLAN Rate Settings 2.4 GHz 6. Define both minimum Basic and Supported rates as required for the 802.11b rates, 802.11g rates and 802.11n rates supported by the 2.4 GHz band and 802.11a and 802.11n rates supported by the 5.0 GHz radio band. These are the rates wireless client traffic is supported within this WLAN.
  • Page 304 6 - 42 WiNG 5.2.6 Access Point System Reference Guide Figure 6-17 Advanced WLAN Rate Settings 5 GHz If supporting 802.11n, select a Supported MCS index. Set a MCS (modulation and coding scheme) in respect to the radio’s channel width and guard interval. A MCS defines (based on RF channel conditions) an optimal combination of 8 data rates, bonded channels, multiple spatial streams, different guard intervals and modulation types.
  • Page 305: Configuring WLAN QoS Policies

    Wireless Configuration 6 - 43 6.2 Configuring WLAN QoS Policies  Wireless LANs QoS provides a data traffic prioritization scheme. QoS reduces congestion from excessive traffic. If there is enough bandwidth for all users and applications (unlikely because excessive bandwidth comes at a very high cost), then applying QoS has very little value.
  • Page 306 6 - 44 WiNG 5.2.6 Access Point System Reference Guide 1. Select Configuration > Wireless > WLAN QoS Policy to display existing QoS policies available to access point WLANs. Figure 6-18 WLAN Quality of Service (QoS) screen 2. Refer to the following read-only information on each listed QoS policy to determine whether an existing policy...
  • Page 307 Wireless Configuration 6 - 45 WMM Power Save Enables support for the WMM based power-save mechanism, also known as Unscheduled Automatic Power Save Delivery (U-APSD). This is primarily used by WMM capable voice devices. The default setting is enabled. Multicast Mask Displays the primary multicast mask defined for each listed QoS policy.
  • Page 308: Configuring A WLAN's QoS WMM Settings

    6 - 46 WiNG 5.2.6 Access Point System Reference Guide 6.2.1 Configuring a WLAN’s QoS WMM Settings Using WMM, end-user satisfaction is maintained in a wider variety of environments and traffic conditions. WMM makes it possible for both home networks and Enterprises to decide which data streams are most important and assign them a higher priority.
  • Page 309 Wireless Configuration 6 - 47 Figure 6-19 WLAN QoS Policy screen - WMM tab 3. Configure the following Settings in respect to the WLAN’s intended WMM radio traffic and user requirements: Use the drop-down menu to select the Classification for this Wireless Client Wireless Client Classification...
  • Page 310 Non-Unicast Classification: Use this drop-down menu to define how traffic matching multicast masks is classified relative to prioritization on the radio. Options include Video, Voice, Normal, Low and Default. The default setting is Normal.
  • Page 311 Wireless Configuration 6 - 49 5. Set the following Voice Access settings for the WLAN’s QoS policy: Transmit Ops Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity. The default value is 47. AIFSN Set the current Arbitrary Inter-frame Space Number (AIFSN) between 2-15.
  • Page 312 6 - 50 WiNG 5.2.6 Access Point System Reference Guide ECW Max The ECW Max is combined with the ECW Min to create the contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism. Higher values are used for lower priority traffic.
  • Page 313: Configuring A WLAN's QoS Rate Limit Settings

    (downstream). AP-6511 and AP6521 model access points do not support rate limiting on an individual client basis. Before defining rate limit thresholds for WLAN upstream and downstream traffic, Motorola Solutions recommends you define the normal number of ARP, broadcast, multicast and unknown unicast packets that typically transmit and receive from each supported WMM access category.
  • Page 314 6 - 52 WiNG 5.2.6 Access Point System Reference Guide 3. Select the Rate Limit tab. Figure 6-20 WLAN QoS Policy screen - Rate Limit tab 4. Configure the following parameters in respect to the intended Upstream Rate Limit for the selected WLAN.
  • Page 315 Maximum Burst Size: Set a maximum burst size between 2 - 1024 kbytes. The smaller the burst, the less likely the upstream packet transmission will result in congestion for the WLAN’s wireless client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained.
  • Page 316 6 - 54 WiNG 5.2.6 Access Point System Reference Guide 6. Configure the following parameters in respect to the WLAN’s intended Downstream Rate Limit, or traffic from wireless clients to associated access Point radios: Enable Select the Enable radio button to enable rate limiting for data transmitted from Access Point radios to associated wireless clients.
  • Page 317 Wireless Configuration 6 - 55 Voice Traffic Set a percentage value for WLAN voice traffic in the downstream direction. This is a percentage of the maximum burst size for voice traffic. Voice traffic exceeding the defined threshold is dropped and a log message is generated.
  • Page 318 6 - 56 WiNG 5.2.6 Access Point System Reference Guide Video Traffic Set a percentage value for client video traffic in the upstream direction. This is a percentage of the maximum burst size for video traffic. Video traffic exceeding the defined threshold is dropped and a log message is generated.
  • Page 319 Wireless Configuration 6 - 57 Best Effort Traffic Set a percentage value for client best effort traffic in the downstream direction. This is a percentage of the maximum burst size for normal traffic. Best effort traffic exceeding the defined threshold is dropped and a log message is generated.
  • Page 320 6 - 58 WiNG 5.2.6 Access Point System Reference Guide Figure 6-21 WLAN QoS Policy screen - Multimedia Optimizations tab 13.Configure the following parameters in respect to the intended Multicast Mask: Multicast Mask Configure the primary multicast mask defined for a QoS policy. Normally,...
  • Page 321 Multicast Mask Secondary: Set a secondary multicast mask for the WLAN QoS policy. Normally, all multicast and broadcast packets are buffered until the periodic DTIM interval (indicated in the 802.11 beacon frame), when clients in power save mode wake to check for frames.
  • Page 322: Radio QoS Policy

    • Prevent the ineffective utilization of access points degrading session quality by configuring admission control mechanisms within each radio QoS policy. Within a Motorola Solutions wireless network, wireless clients supporting low and high priority traffic contend with one another for data resources. The IEEE 802.11e amendment has defined Enhanced Distributed Channel Access (EDCA) mechanisms stating high priority traffic can access the network sooner than lower priority traffic.
  • Page 323 value. When enabled on a WLAN, traffic forwarded to a client is prioritized and forwarded based on the WLAN’s WMM access control setting. NOTE: Statically setting a WLAN WMM access category value only prioritizes traffic to the client.
  • Page 324: Configuring A Radio's QoS Policy

    6 - 62 WiNG 5.2.6 Access Point System Reference Guide 6.3.1 Configuring a Radio’s QoS Policy  Radio QoS Policy To configure an access point radio’s QoS policy: 1. Select Configuration > Wireless > Radio QoS Policy. Figure 6-22 Radio QoS Policy screen 2.
  • Page 325 Wireless Configuration 6 - 63 Voice A green checkmark indicates Voice prioritization QoS is enabled on the radio. A red X indicates Voice prioritization QoS is disabled on the radio. Best Effort A green checkmark indicates Best Effort QoS is enabled on the radio. A red X indicates Best Effort QoS is disabled on the radio.
  • Page 326 6 - 64 WiNG 5.2.6 Access Point System Reference Guide 4. Set the following Voice Access settings for the Radio QoS policy: Transmit Ops Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity. When resources are shared between a...
  • Page 327 Wireless Configuration 6 - 65 6. Set the following Video Access settings for the Radio QoS policy: Transmit Ops Use the spinner control to set the maximum duration a radio can transmit after obtaining a transmit opportunity. For higher-priority traffic categories (like video), this value should be set to a low number.
  • Page 328 6 - 66 WiNG 5.2.6 Access Point System Reference Guide 9. Select the Admission Control tab to configure an admission control configuration for selected radio QoS policy. Admission control requires clients send their traffic specifications (TSPEC) to a managed Access Point before they can transmit or receive data within the access point managed network.
  • Page 329 Maximum Wireless Clients: Set the number of voice supported wireless clients allowed to exist (and consume bandwidth) within the radio’s QoS policy. Select from an available range of 0-256 clients. Consider setting this value proportionally to the number of other QoS policies supporting the voice access category, as wireless clients supporting voice use a greater proportion of resources than lower bandwidth traffic (like low and best effort categories).
  • Page 330 6 - 68 WiNG 5.2.6 Access Point System Reference Guide 14.Set the following Video Access admission control settings for the radio QoS policy: Enable Video Select the check box to enable admission control for video traffic. Only video traffic admission control is enabled, not any of the other access categories (each access category must be separately enabled and configured).
  • Page 331 Maximum Roamed Wireless Clients: Set the number of low priority supported wireless clients allowed to roam to a different access point radio. Select from a range of 0-256 clients. The default value is 10 roamed clients. Reserved for Roam: Set the roam utilization (in the form of a percentage of the radio’s bandwidth) allotted to admission control for clients who have roamed to a...
  • Page 332: Radio QoS Configuration And Deployment Considerations

    • WMM enabled clients can co-exist with non-WMM clients on the same WLAN. Non-WMM clients are always assigned a Best Effort access category. • Motorola Solutions recommends default WMM values be used for all deployments. Changing these values can lead to unexpected traffic blockages, and the blockages might be difficult to diagnose.
  • Page 333: AAA Policy

    6.4 AAA Policy Authentication, Authorization, and Accounting (AAA) provides the mechanism by which network administrators define access control within the access point managed network. The access point can optionally use external RADIUS and LDAP Servers (AAA Servers) to provide user database information and user authentication data.
  • Page 334 6 - 72 WiNG 5.2.6 Access Point System Reference Guide Figure 6-26 Authentication, Authorization, and Accounting (AAA) screen 2. Refer to the following information listed for each existing AAA policy: AAA Policy Displays the name assigned to the AAA policy when it was initially created.
  • Page 335 Wireless Configuration 6 - 73 Figure 6-27 AAA Policy - RADIUS Authentication screen 4. Refer to the following information about configured AAA Authentication policies. Server ID Displays the numerical server index (1-6) for the accounting server when added to the list available to the access point. Host Displays the IP address or hostname of the RADIUS authentication server.
  • Page 336 6 - 74 WiNG 5.2.6 Access Point System Reference Guide NAI Routing Enable Displays NAI routing status. AAA servers identify clients using the NAI. The NAI is a character string in the format of an e-mail address as either user or user@ but it need not be a valid e-mail address or a fully qualified domain name.
  • Page 337 Wireless Configuration 6 - 75 Figure 6-28 AAA Policy - Add RADIUS Authentication Server 6. Define the following settings to add or modify new AAA RADIUS authentication server configuration: Server ID Define the numerical server index (1-6) for the authentication server to differentiate it from others available to the access point’s AAA policy.
  • Page 338 6 - 76 WiNG 5.2.6 Access Point System Reference Guide Request Proxy Mode Select the method of proxy that browsers communicate with the RADIUS authentication server. The mode could either be None, Through Wireless Controller, or Through RF Domain Manager.
  • Page 339 9. Refer to the following information supporting configured RADIUS Accounting profiles. Server ID: Displays the numerical server index (1-6) for the accounting server when added to the list available to the access point. Host: Displays the IP address or hostname of the RADIUS authentication server. Port: Displays the port on which the RADIUS server listens to traffic within the...
  • Page 340 6 - 78 WiNG 5.2.6 Access Point System Reference Guide NAI Routing Enable Displays the NAI routing status. AAA servers identify clients using the NAI. The NAI is a character string in the format of an e-mail address as either user or user@ but it need not be a valid e-mail address or a fully qualified domain name.
  • Page 341 Wireless Configuration 6 - 79 Figure 6-29 AAA Policy - Add RADIUS Accounting Server 11.Define the following settings to add or modify new AAA RADIUS accounting server configuration: Server ID Displays the numerical server index (1-6) for the accounting server when added to the list available to the access point.
  • Page 342 6 - 80 WiNG 5.2.6 Access Point System Reference Guide Request Proxy Mode Select the method of proxy that browsers communicate with the RADIUS authentication server. The mode could either be None, Through Wireless Controller, or Through RF Domain Manager.
  • Page 343 13. Set the following RADIUS server configuration parameters: Protocol for MAC, Captive-Portal Authentication: Define the authentication protocol when the server is used for any non-EAP authentication. Options include PAP, CHAP, MS-CHAP and MS-CHAPv2. PAP is the default setting. Accounting Packet Set the type of RADIUS Accounting Request packets generated.
  • Page 344 Accounting Server Preference: Select the server preference for RADIUS Accounting. The options are: Prefer Same Authentication Server Host - Uses the authentication server host name as the host used for RADIUS accounting. This is the default setting.
  • Page 345: Association ACL

    Wireless Configuration 6 - 83 6.5 Association ACL An Association ACL is a policy-based Access Control List (ACL) that either prevents or allows wireless clients from connecting to a WLAN. An Association ACL affords an administrator the ability to grant or restrict client access by specifying a wireless client MAC address or range of MAC addresses to either include or exclude from connectivity.
  • Page 346 6 - 84 WiNG 5.2.6 Access Point System Reference Guide Figure 6-31 Association ACL screen 3. Select the + Add Row button to add an association ACL template that requires configuration. 4. If creating a new Association ACL, provide a name specific to its function. Avoid naming it after a WLAN it may support.
  • Page 347: Association ACL Deployment Considerations

    • Motorola Solutions recommends using the Association ACL screen strategically to name and configure ACL policies meeting the requirements of the particular WLANs they may map to. However, be careful not to name ACLs after specific WLANs, as individual ACL policies can be used by more than one WLAN.
  • Page 348: Smart RF

    6.6 Smart RF Self Monitoring At Run Time RF Management (Smart RF) is a Motorola Solutions innovation designed to simplify RF configurations for new deployments, while (over time) providing on-going deployment optimization and radio performance improvements.
  • Page 349 Wireless Configuration 6 - 87 Figure 6-32 Smart RF - Basic Configuration screen 3. Refer to the Basic Settings field to enable a Smart RF policy and define its sensitivity and detector status. Sensitivity Select a radio button corresponding to the desired Smart RF sensitivity. Options include Low, Medium, High and Custom.
  • Page 350 Coverage Hole Recovery: Select the radio button to enable Coverage Hole Recovery when a radio coverage hole is detected within the Smart RF supported radio coverage area. When a coverage hole is detected, Smart RF first determines the power increase needed based on the signal to noise ratio for a client as seen by the access point radio.
  • Page 351 Figure 6-33 Smart RF - Channel and Power screen 7. Refer to the Power Settings field to define Smart RF recovery settings for the access point’s 5.0 GHz (802.11a) and 2.4 GHz (802.11bg) radio. 5.0 GHz Minimum Power: Use the spinner control to select a 1 - 20 dBm minimum power level for Smart RF to assign to a radio in the 5 GHz band.
  • Page 352 6 - 90 WiNG 5.2.6 Access Point System Reference Guide 5.0 Channel Width 20 and 40 MHz channel widths are supported by the 802.11a radio. 20/40 MHz operation (the default setting for the 5 GHz radio) allows the access point to receive packets from clients using 20 MHz of bandwidth while transmitting a packet using 40 MHz bandwidth.
  • Page 353 Wireless Configuration 6 - 91 NOTE: The monitoring and scanning parameters within the Scanning Configuration screen are only enabled when Custom is selected as the Sensitivity setting from the Basic Configuration screen.
  • Page 354 6 - 92 WiNG 5.2.6 Access Point System Reference Guide 11.Enable or disable Smart Monitoring Enable by selecting the check box. The feature is enabled by default. When enabled, detector radios monitor their coverage areas for potential failed peers or coverage area holes requiring transmission adjustments for coverage compensation.
  • Page 355 Wireless Configuration 6 - 93 15.Set the following Neighbor Recovery variables for the Smart RF configuration: NOTE: The recovery parameters within the Neighbor Recovery, Interference and Coverage Hole Recovery tabs are only enabled when Custom is selected as the Sensitivity setting from the Smart RF Basic Configuration screen. Figure 6-34 Smart RF Recovery screen - Neighbor Recovery tab Power Hold Time Defines the minimum time between two radio power changes during...
  • Page 356 6 - 94 WiNG 5.2.6 Access Point System Reference Guide 2.4 GHz Neighbor Use the spinner control to set a value between -85 to -55 dBm the access Recovery Power point’s 2.4 GHz radio uses as a maximum power increase threshold if the...
  • Page 357 Wireless Configuration 6 - 95 19.Select the Interference Recovery tab. Figure 6-35 Smart RF Recovery screen - Interference Recovery tab 20.Set the following Interference Recovery parameters: Interference Select the radio button to allow Smart RF to scan for excess interference from supported radio devices.
  • Page 358 5.0 GHz Channel Switch Delta: Use the spinner to set a channel switch delta (between 5 - 35 dBm) for the 5.0 GHz radio. This parameter is the difference between noise levels on the current channel and a prospective channel.
  • Page 359 Wireless Configuration 6 - 97 22.Select the Coverage Hole Recovery tab. Figure 6-36 Smart RF Recovery screen - Coverage Hole Recovery tab 23.Set the following Coverage Hole Recovery for 5.0 GHz 2.4 GHz parameters: Client Threshold Use the spinner to set a client threshold between 1 - 255. This is the minimum number of clients a radio should have associated for coverage hole recovery to trigger.
  • Page 360: Smart RF Configuration And Deployment Considerations

    6 - 98 WiNG 5.2.6 Access Point System Reference Guide Interval Define the interval coverage hole recovery should be conducted after a coverage hole is detected. The default is 30 seconds for both the 2.4 and 5.0 GHz radios. 24.Select to update the Smart RF Coverage Hole Recovery settings for this policy.
  • Page 361: Chapter 7 Security Configuration

    CHAPTER 7 SECURITY CONFIGURATION When taking precautions to secure wireless traffic from a client to an access point, the network administrator should not lose sight of the security solution in its entirety, since the network’s chain is as weak as its weakest link. An access point managed wireless network provides seamless data protection and user validation to protect and secure data at each vulnerable point in the network.
  • Page 362: Wireless Firewall

    Firewall is of little value, and in fact could provide a false sense of security. With Motorola Solutions’ access points, Firewalls are configured to protect against unauthenticated logins from outside the wireless network. This helps prevent hackers from accessing wireless clients within the access point managed network.
  • Page 363 Security Configuration 7 - 3 Figure 7-1 Wireless Firewall screen - Denial of Service tab A denial of service (DoS) attack is an attempt to make a computer or network resource unavailable to its intended users. Although the means to carry out a DoS attack will vary, it generally consists of a concerted effort of one or more persons attempting to prevent a device, site or service from functioning temporarily or indefinitely.
  • Page 364 7 - 4 WiNG 5.2.6 Access Point System Reference Guide Action If a DoS filter is enabled, choose an action from the drop-down menu to determine how the Firewall treats the associated DoS attack. Options include: Log and Drop - An entry for the associated DoS attack is added to the log and then the packets are dropped.
  • Page 365 Security Configuration 7 - 5 LAND The LAND DoS attack sends spoofed packets containing the SYN flag to the target destination using the target port and IP address as both the source and destination. This will either crash the target system or result in high resource utilization slowing down all other processes.
  • Page 366 7 - 6 WiNG 5.2.6 Access Point System Reference Guide TCP Intercept A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved...
  • Page 367 Security Configuration 7 - 7 TCP Packet Sequence This is an attempt to predict the sequence number used to identify the packets in a TCP connection, which can be used to counterfeit packets. The attacker hopes to correctly guess the sequence number to be used by the sending host.
  • Page 368 7 - 8 WiNG 5.2.6 Access Point System Reference Guide Figure 7-2 Wireless Firewall screen - Storm Control tab The Firewall maintains a facility to control packet storms. Storms are packet bombardments that exceed the high threshold value configured for an interface. During a storm, packets are throttled until the rate falls below the configured rate, severely impacting performance for the interface.
  • Page 369 Security Configuration 7 - 9 Interface Name Use the drop-down menu to refine the interface selection to a specific WLAN or physical port. This helps with threshold configuration for potentially impacted interfaces. Packets per Second Select the check box to activate the spinner control used for specifying the packets per second threshold for activating the Storm Control mechanism.
  • Page 370 7 - 10 WiNG 5.2.6 Access Point System Reference Guide Figure 7-3 Wireless Firewall screen - Advanced Settings tab 14.Refer to the Enable Firewall radio buttons to define the Firewall as either Enabled or Disabled. The Firewall is enabled by default.
  • Page 371 Security Configuration 7 - 11 IPMAC Conflict Logging When enabled, use the drop-down menu to set the logging level (Error, Warning, Notification, Information or Debug) if an attack is detected. The default setting is Warning. IPMAC Conflict Action Use the drop-down menu to set the action taken when an attack is detected.
  • Page 372 7 - 12 WiNG 5.2.6 Access Point System Reference Guide TFTP ALG Check the Enable box to allow TFTP traffic through the Firewall using its default ports. This feature is enabled by default. SIP ALG Check the Enable box to allow SIP traffic through the Firewall using its default ports.
  • Page 373: Configuring Ip Firewall Rules

    Security Configuration 7 - 13 21.Refer to the TCP Protocol Checks field to set the following parameters: Check TCP states where a SYN packet tears down the flow Select the checkbox to allow a SYN packet to delete an old flow in TCP_FIN_FIN_STATE and TCP_CLOSED_STATE and create a new flow. The default setting is enabled.
  • Page 374 7 - 14 WiNG 5.2.6 Access Point System Reference Guide Figure 7-4 IP Firewall Rules screen 2. Select + Add Row to create a new IP Firewall Rule. Select an existing policy and click Edit to modify the attributes of the rule’s configuration.
  • Page 375 Security Configuration 7 - 15 Figure 7-5 IP Firewall Rules screen - Adding a new rule 4. If adding a new rule, enter a name up to 32 characters in length. 5. Define the following parameters for the IP Firewall Rule: Allow Every IP Firewall rule is made up of matching criteria rules.
  • Page 376: Configuring Mac Firewall Rules

    7 - 16 WiNG 5.2.6 Access Point System Reference Guide Protocol Select the protocol used with the IP rule from the drop-down menu. IP is selected by default. Selecting ICMP displays an additional set of ICMP specific Options for ICMP Type and code. Selecting either TCP or UDP displays an additional set of specific TCP/UDP source and destination port options.
  • Page 377 Security Configuration 7 - 17 Figure 7-6 MAC Firewall Rules screen 2. Select + Add Row to create a new MAC Firewall Rule. Select an existing policy and click Edit to modify the attributes of the rule’s configuration. 3. Select the added row to expand it into configurable parameters for defining the MAC based Firewall rule.
  • Page 378 7 - 18 WiNG 5.2.6 Access Point System Reference Guide Figure 7-7 MAC Firewall Rules screen - Adding a new rule 4. If adding a new MAC Firewall Rule, provide a name up to 32 characters in length. 5. Define the following parameters for the IP Firewall Rule: Allow Every IP Firewall rule is made up of matching criteria rules.
  • Page 379 Security Configuration 7 - 19 Action The following actions are supported: Log - Events are logged for archive and analysis. Mark - Modifies certain fields inside the packet and then permits them. Therefore, mark is an action with an implicit permit. - VLAN 802.1p priority.
  • Page 380: Wireless Ips (Wips)

    7 - 20 WiNG 5.2.6 Access Point System Reference Guide 7.2 Wireless IPS (WIPS) The access point supports Wireless Intrusion Protection Systems (WIPS) to provide continuous protection against wireless threats and act as an additional layer of security complementing wireless VPNs and encryption and authentication policies.
  • Page 381 Security Configuration 7 - 21 Figure 7-8 Wireless IPS screen - Settings tab 2. Select the Activate Firewall IPS Policy option on the upper left-hand side of the screen to enable the screen’s parameters for configuration. Ensure this option stays selected to apply the configuration to the access point profile. 3.
  • Page 382 7 - 22 WiNG 5.2.6 Access Point System Reference Guide 6. Select to update the settings. Select Reset to revert to the last saved configuration. The WIPS policy can be invoked at any point in the configuration process by selecting...
  • Page 383 Security Configuration 7 - 23 Filter Expiration Set the duration an event generating client is filtered. This creates a special ACL entry, and frames coming from the client are dropped. The default setting is 0 seconds. This value is applicable across the RF Domain. If a station is detected performing an attack and is filtered by an access point, the information is passed to the domain controller.
  • Page 384 7 - 24 WiNG 5.2.6 Access Point System Reference Guide 11.Set the following MU Anomaly Event configurations: Name Displays the name of the event tracked against the defined thresholds set for interpreting the event as excessive or permitted. Enable Displays whether tracking is enabled for each MU Anomaly event. Use the drop-down menu to enable/disable events as required.
  • Page 385 Security Configuration 7 - 25 Figure 7-11 Wireless IPS screen - WIPS Events, AP Anomaly tab AP Anomaly events are suspicious frames sent by neighboring APs. Use the AP Anomaly tab to enable or disable an event. 14.Enable or disable the following AP Anomaly Events: Name Displays the name of each AP Anomaly event.
  • Page 386 7 - 26 WiNG 5.2.6 Access Point System Reference Guide 16.Select the WIPS Signatures tab. Ensure the Activate Wireless IPS Policy option remains selected to enable the screen’s configuration parameters. Figure 7-12 Wireless IPS screen - WIPS Signatures tab 17.The...
  • Page 387 Security Configuration 7 - 27 Figure 7-13 WIPS Signature Configuration screen 19.If adding a new WIPS signature, define a Name to distinguish it from others with similar configurations. The name cannot exceed 64 characters. 20.Set the following network address information for a new or modified WIPS Signature: Enable Signature Select the radio button to enable the WIPS signature for use with the profile.
  • Page 388 7 - 28 WiNG 5.2.6 Access Point System Reference Guide Radio Threshold Specify the threshold limit per radio that, when exceeded, signals the event. The configurable range is from 1 - 65,535. 22.Set a Filter Expiration between 1 - 86,400 seconds that specifies the duration a client is excluded from radio association when responsible for triggering a WIPS event.
  • Page 389: Device Categorization

    Security Configuration 7 - 29 7.3 Device Categorization Properly classifying and categorizing access points and clients can help suppress unnecessary unauthorized access point alarms, and allow an administrator to focus on alarms on devices actually behaving in a suspicious manner. An intruder with a device erroneously authorized could potentially perform activities that harm your organization.
  • Page 390 7 - 30 WiNG 5.2.6 Access Point System Reference Guide Figure 7-15 Device Categorization screen - Marked Devices 3. If creating a new Device Categorization filter, provide it a Name (up to 32 characters). Select to save the name and enable the remaining device categorization parameters.
  • Page 391: Security Deployment Considerations

    • Is the detected access point properly configured according to your organization’s security policies? • Motorola Solutions recommends trusted and known access points be added to a sanctioned AP list. This will minimize the number of unsanctioned AP alarms received.
  • Page 393: Chapter 8 Services Configuration

    CHAPTER 8 SERVICES CONFIGURATION The Motorola Solutions WING 5 software supports services providing captive portal (guest) access, leased DHCP IP address assignments to requesting clients and local RADIUS client authentication. For more information, refer to the following: • Configuring Captive Portal Policies •...
  • Page 394: Configuring Captive Portal Policies

    8 - 2 WiNG 5.6.2 Access Point System Reference Guide 8.1 Configuring Captive Portal Policies A captive portal is a guest access policy for providing guests temporary and restrictive access to the access point managed wireless network. A captive portal policy’s configuration provides secure authenticated access using a standard Web browser. Captive portals provide authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the wireless network.
  • Page 395 VLAN is defined where the client can reach the controller. 0 is the default value. Connection Mode Lists each policy’s connection mode as either HTTP or HTTPS. Motorola Solutions recommends the use of HTTPS, as it offers client transmissions a measure of data protection HTTP cannot provide.
  • Page 396 8 - 4 WiNG 5.6.2 Access Point System Reference Guide AAA Policy Lists each AAA policy used to authorize client guest access requests. The security provisions provide a way to configure advanced AAA policies that can be applied to captive portal policies supporting authentication. When a captive portal policy is created or modified, a AAA policy must be defined and applied to authorize, authenticate and account user requests.
  • Page 397 Services Configuration 8 - 5 Basic Configuration tab displays by default. Define the policy’s security, access and whitelist basic configuration before HTML pages can be defined for guest user access.
  • Page 398 Connection Mode Select either the HTTP or HTTPS radio button to define the connection medium. Motorola Solutions recommends the use of HTTPS, as it offers additional data protection HTTP cannot provide. The default value however is HTTP. Simultaneous Users...
  • Page 399 Services Configuration 8 - 7 7. Set the following Access parameters to define captive portal access, RADIUS lookup information and whether the login pages contain terms that must be accepted before access is granted: Access Type Select the radio button for the authentication scheme applied to wireless clients using the captive portal for guest access.
  • Page 400 8 - 8 WiNG 5.6.2 Access Point System Reference Guide Figure 8-2 Captive Portal DNS Whitelist screen b. Provide a numerical IP address or Hostname within the DNS Entry parameter for each destination IP address or host in the Whitelist. c.
  • Page 401 Services Configuration 8 - 9 Enable Syslog Select this option to log information about the use of remote access Accounting services by users using an external syslog resource. This information is of great assistance in partitioning local versus remote users. Remote user information can be archived to an external location for periodic network and user administration.
  • Page 402 8 - 10 WiNG 5.6.2 Access Point System Reference Guide Figure 8-3 Captive Portal Policy Basic Web Page screen The Login screen prompts for a username and password to access the captive portal and proceed to either the Terms and Conditions page (if used) or the Welcome page. The Terms and Conditions page provides conditions that must be agreed to before wireless client guest access is provided for the captive portal policy.
  • Page 403 Services Configuration 8 - 11 14.Provide the following required information when creating Login, Terms and Conditions, Welcome and Fail pages maintained internally. Organization Name If the captive portal is defined on behalf of an organization, that name can be associated as sponsoring the captive portal. Title Text Set the title text displayed on the Login, Terms and Conditions, Welcome and Fail pages when wireless clients access each page.
  • Page 404 8 - 12 WiNG 5.6.2 Access Point System Reference Guide Figure 8-4 Captive Portal Policy Externally Hosted Web Page screen 17.Set the following URL destinations for externally hosted captive portal pages: Login URL Define the complete URL for the location of the Login page. The Login screen prompts the user for a username and password to access the Terms and Conditions or Welcome page.
  • Page 405 Services Configuration 8 - 13 Figure 8-5 Captive Portal Policy Advanced Web Page screen 20.The access point maintains its own set of Advanced Web pages for custom captive portal creation. These files can be transferred to other managed devices as the devices support connection attempts on behalf of their connected access point.
  • Page 406: Setting The Whitelist Configuration

    8 - 14 WiNG 5.6.2 Access Point System Reference Guide 8.2 Setting the Whitelist Configuration A DNS whitelist is used in conjunction with a captive portal to provide hotspot services to wireless clients. Use the WING 5 DNS Whitelist parameter to create a set of allowed destination IP addresses within the captive portal. These allowed IP addresses are called the Whitelist.
  • Page 407 Services Configuration 8 - 15 c. Use the Match Suffix parameter to match any hostname or domain name as a suffix. The default setting is disabled. d. If necessary, select the radio button of an existing Whitelist entry and select the - Delete icon to remove the entry from the Whitelist.
  • Page 408: Setting The Dhcp Server Configuration

    8 - 16 WiNG 5.6.2 Access Point System Reference Guide 8.3 Setting the DHCP Server Configuration Dynamic Host Configuration Protocol (DHCP) allows hosts on an IP network to request and be assigned IP addresses as well as discover information about the network where they reside. Each subnet can be configured with its own address pool.
  • Page 409 Services Configuration 8 - 17 Figure 8-7 DHCP Server Policy screen - DHCP Pool tab 2. Select the Activate DHCP Server Policy option to optimally display the screen and enable the ability to Add or Edit a new policy. This option must remain selected to apply the DHCP pool configuration to the access point profile. 3.
  • Page 410 8 - 18 WiNG 5.6.2 Access Point System Reference Guide Lease Time If a lease time has been defined for a listed network pool, it displays as an interval between 1 - 9,999,999 seconds. DHCP leases provide addresses for defined times to various clients. If a client does not use a leased address for the defined time, that IP address can be re-assigned to another DHCP supported client.
  • Page 411 Services Configuration 8 - 19 5. Set the following General parameters: DHCP Pool If adding a new pool, a name is required. The pool is the range of IP addresses defined for DHCP assignment or lease. The name assigned cannot be modified as part of the edit process. However, if the network pool configuration is obsolete it can be deleted.
  • Page 412 8 - 20 WiNG 5.6.2 Access Point System Reference Guide 7. Select the Static Bindings tab from within the DHCP Pools screen. A binding is a collection of configuration parameters, including an IP address, associated with, or bound to, a DHCP client.
  • Page 413 Services Configuration 8 - 21 Figure 8-10 Static Bindings Add screen 10.Define the following General parameters required to complete the creation of the static binding configuration: Client Identifier Type Use the drop-down menu to select whether the DHCP client is using a Hardware Address or Client Identifier as its identifier type with a DHCP server.
  • Page 414 8 - 22 WiNG 5.6.2 Access Point System Reference Guide BOOTP Next Server Provide the numerical IP address of the server providing BOOTP resources. Client Name Provide the name of the client requesting DHCP Server support. Enable Unicast Unicast packets are sent from one location to another location (there's just one sender, and one receiver).
  • Page 415 Services Configuration 8 - 23 Figure 8-11 DHCP Pools screen - Advanced tab 17.The addition or edit of the network pool’s advanced settings requires the following General parameters be set: Boot File Enter the name of the boot file used with this pool. Boot files (Boot Protocol) can be used to boot remote systems over the network.
  • Page 416: Defining Dhcp Server Global Settings

    8 - 24 WiNG 5.6.2 Access Point System Reference Guide 18.Set the following NetBIOS parameters for the network pool: NetBIOS Node Type Set the NetBIOS Node Type used with this pool. The following types are available: Broadcast - Uses broadcasting to query nodes on the network for the owner of a NetBIOS name.
  • Page 417 Services Configuration 8 - 25 Figure 8-12 DHCP Server Policy screen - Global Settings tab 2. Set the following parameters within the Configuration field: Ignore BOOTP Requests Select the checkbox to ignore BOOTP requests. BOOTP requests boot remote systems within the network. BOOTP messages are encapsulated inside UDP messages and are forwarded.
  • Page 418: Dhcp Class Policy Configuration

    8 - 26 WiNG 5.6.2 Access Point System Reference Guide 8.3.3 DHCP Class Policy Configuration The DHCP server assigns IP addresses to DHCP enabled wireless clients based on user class option names. Clients with a defined set of user class option names are identified by their user class name. The DHCP server can assign IP addresses from as many IP address ranges as defined by the administrator.
  • Page 419 Services Configuration 8 - 27 Figure 8-14 DHCP Class Name Add screen 3. If adding a new DHCP Class Name, assign a name representative of the device class supported. The DHCP user class name should not exceed 32 characters. 4. Select a row within the Value column to enter a 32 character maximum value string.
  • Page 420: Setting The Radius Configuration

    8 - 28 WiNG 5.6.2 Access Point System Reference Guide 8.4 Setting the RADIUS Configuration Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software enabling remote access servers to authenticate users and authorize their access to the access point managed network. RADIUS is a distributed client/server system that secures networks against unauthorized access.
  • Page 421 Services Configuration 8 - 29 1. Select Configuration > Services. 2. Select RADIUS. A list of existing groups displays by default. Figure 8-15 RADIUS Group screen 3. Review the following read-only information for existing groups to determine if a new group requires creation or an existing group requires modification: RADIUS Group Displays the group name or identifier assigned to each listed group when it...
  • Page 422 8 - 30 WiNG 5.6.2 Access Point System Reference Guide VLAN Displays the VLAN ID used by the group. The VLAN ID is representative of the shared SSID each group member (user) employs to interoperate within the access point managed network (once authenticated by the local RADIUS server).
  • Page 423: Creating Radius Groups

    Services Configuration 8 - 31 8.4.1.1 Creating RADIUS Groups To create a RADIUS group: 1. Select Configuration > Services. 2. Select and expand the RADIUS menu. Select Groups if the RADIUS Group screen is not already displayed by default. 3. Click to create a new RADIUS group, Edit to modify the configuration of an existing group or...
  • Page 424 8 - 32 WiNG 5.6.2 Access Point System Reference Guide VLAN Select this option (and use the slider) to assign a specific VLAN to this RADIUS user group. Ensure Dynamic VLAN assignment (Single VLAN) is enabled for the WLAN for the VLAN to work properly. For more information, see Basic WLAN Configuration on page 6-4.
  • Page 425: Defining User Pools

    Services Configuration 8 - 33 8.4.2 Defining User Pools A user pool defines policies for individual user access to the access point’s internal RADIUS resources. User pools provide a convenient means of providing user access to RADIUS resources based on the pool’s unique permissions (either temporary or permanent).
  • Page 426 8 - 34 WiNG 5.6.2 Access Point System Reference Guide Figure 8-18 RADIUS User Pool Add screen 5. Refer to the following User Pool configurations to discern when specific user IDs have access to the access point’s RADIUS resources: User Id Displays the unique alphanumeric string identifying this user.
  • Page 427 Services Configuration 8 - 35 6. Select the button to add a new RADIUS user, Edit to modify the configuration of an existing user or Delete to remove an existing user Id. Figure 8-19 RADIUS User screen 7. Set the following to create a new RADIUS user with unique access privileges: User Id Assign a unique alphanumeric string identifying this user.
  • Page 428: Configuring The Radius Server

    8 - 36 WiNG 5.6.2 Access Point System Reference Guide 8.4.3 Configuring the RADIUS Server A RADIUS server policy is a unique authentication and authorization configuration for receiving user connection requests, authenticating users and returning the configuration information necessary for the RADIUS client to deliver service to the user.
  • Page 429 Services Configuration 8 - 37 2. Expand the RADIUS menu option and select Standalone_RADIUS_Server. Figure 8-20 RADIUS Server Policy screen - Server Policy tab RADIUS Server Policy screen displays with the Server Policy tab displayed by default.
  • Page 430 8 - 38 WiNG 5.6.2 Access Point System Reference Guide 3. Select the Activate RADIUS Server Policy button to enable the parameters within the screen for configuration. Ensure this option remains selected, or this RADIUS server configuration is not applied to the access point profile. 4.
  • Page 431 Services Configuration 8 - 39 LDAP Authentication Type Use the drop-down menu to select the LDAP authentication scheme. The following LDAP authentication types are supported by the external LDAP resource: All – Enables both TTLS and PAP and PEAP and GTC. TTLS and PAP - The EAP type is TTLS with default authentication using PAP.
  • Page 432 8 - 40 WiNG 5.6.2 Access Point System Reference Guide Figure 8-21 RADIUS Server Policy screen - Client tab 9. Select the + Add Row button to add a table entry for a new client’s IP address, mask and shared secret. To delete a client entry, select the Delete icon on the right-hand side of the table entry.
  • Page 433 Services Configuration 8 - 41 Figure 8-22 RADIUS Server Policy screen - Proxy tab 14.Enter the Proxy Retry Delay as a value in seconds (within the range of 5-10 seconds). This is the interval the RADIUS server waits before making an additional connection attempt. The default delay interval is 5 seconds. 15.Enter the Proxy Retry Count field as a value within the range of 3-6.
  • Page 434 8 - 42 WiNG 5.6.2 Access Point System Reference Guide 23. Select the LDAP and ensure the Activate RADIUS Server Policy button remains selected. Administrators have the option of using the access point’s RADIUS server to authenticate users against an external LDAP server resource.
  • Page 435 Services Configuration 8 - 43 25.Select to add a new LDAP server configuration, Edit to modify an existing LDAP server configuration or Delete to remove an LDAP server from the list of those available. Figure 8-24 LDAP Server Add screen 26.Set the following Network address information required for the connection to the external LDAP server resource:
  • Page 436 8 - 44 WiNG 5.6.2 Access Point System Reference Guide 27.Set the following Network information for the connection to the external LDAP server resource: Bind DN Specify the distinguished name to bind with the LDAP server. The DN is the name that uniquely identifies an entry in the LDAP directory. A DN is made up of attribute value pairs, separated by commas.
  • Page 437: Services Deployment Considerations

    • Motorola Solutions recommends each RADIUS client use a different shared secret password. If a shared secret is compromised, only the one client poses a risk as opposed to all the additional clients that potentially share that secret password.
  • Page 439: Chapter 9 Management Access

    Management Access functionality is not meant to function as an ACL (in routers or other firewalls), where administrators specify and customize specific IPs to access specific interfaces. Motorola Solutions recommends disabling unused and insecure management interfaces as required within different access profiles. Disabling unused management services can dramatically reduce an attack footprint and free resources.
  • Page 440: Creating Administrators And Roles

    9 - 2 WiNG 5.2.6 Access Point System Reference Guide 9.1 Creating Administrators and Roles Use the Administrators screen to review existing administrators, their access medium and their administrative role within the access point managed network. New administrators can be added and existing administrative configurations modified or deleted as required.
  • Page 441 Management Access 9 - 3 Figure 9-2 Administrators screen 4. If adding a new administrator, enter the user name in the User Name field. This is a mandatory field, and cannot exceed 32 characters. Optimally assign a name representative of the user’s intended access type and role. 5.
  • Page 442 9 - 4 WiNG 5.2.6 Access Point System Reference Guide Network Select this option to allow the user to configure all wired and wireless parameters (IP configuration, VLANs, L2/L3 security, WLANs, radios etc). Security Select Security to set the administrative rights for a security administrator allowing the configuration of all security parameters.
  • Page 443: Setting The Access Control Configuration

    (HTTP, HTTPS, Telnet, SSH or SNMP). Access options can be either enabled or disabled as required. Motorola Solutions recommends disabling unused interfaces to reduce security holes. The Access Control tab is not meant to function as an ACL (in routers or other firewalls), where you can specify and customize specific IPs to access specific interfaces.
  • Page 444 9 - 6 WiNG 5.2.6 Access Point System Reference Guide 2. Select Access Control from the list of Management Policy options in the upper, left-hand, side of the UI. Figure 9-3 Management Policy Access Control screen 3. Set the following parameters required for...
  • Page 445 Management Access 9 - 7 4. Set the following parameters required for access: Enable SSHv2 Select the checkbox to enable SSH device access. SSH (Secure Shell) version 2, like Telnet, provides a command line interface to a remote host. SSH transmissions are encrypted and authenticated, increasing the security of transmission.
  • Page 446 9 - 8 WiNG 5.2.6 Access Point System Reference Guide 8. Set the following Access Restrictions: Filter Type Use the drop-down menu to select the filter mechanism used as the management policy access restriction. Options include source-address, ip-access-list and None.
  • Page 447: Setting The Authentication Configuration

    Management Access 9 - 9 9.3 Setting the Authentication Configuration As part of the access point’s Management Policy, define how client authentication requests are validated using either an external or internal authentication resource: To configure an authentication resource: 1. Select Configuration >...
  • Page 448 9 - 10 WiNG 5.2.6 Access Point System Reference Guide 4. Use the drop-down menu to select the AAA Policy to use with an external RADIUS resource. An AP-6511 or AP-6521 model access point (or a model that’s not using its local RADIUS resource) will need to interoperate with a RADIUS and LDAP Server (AAA Servers) to provide user database information and user authentication data.
  • Page 449: Setting The Snmp Configuration

    Management Access 9 - 11 9.4 Setting the SNMP Configuration The access point can use Simple Network Management Protocol (SNMP) to interact with wireless devices. SNMP is an application layer protocol that facilitates the exchange of management information. SNMP enabled devices listen on port 162 (by default) for SNMP packets from their management server.
  • Page 450 9 - 12 WiNG 5.2.6 Access Point System Reference Guide 2. Select SNMP from the list of Management Policy options in the upper, left-hand, side of the UI. Figure 9-5 Management Policy screen - SNMP tab 3. Enable or disable SNMPv2 and SNMPv3.
  • Page 451 Management Access 9 - 13 4. Set the SNMP v1/v2 Community String configuration. Use the + Add Row function as needed to add additional SNMP v1/2 community strings, or select an existing community string’s radio button and select the Delete icon to remove it.
  • Page 452: Snmp Trap Configuration

    9 - 14 WiNG 5.2.6 Access Point System Reference Guide 9.5 SNMP Trap Configuration An access point can use SNMP trap receivers for fault notifications. SNMP traps are unsolicited notifications triggered by thresholds (or actions) on devices, and are therefore an important fault management tool.
  • Page 453 Management Access 9 - 15 4. Refer to the Trap Receiver table to set the configuration of the external resource receiving trap information. Select Add Row + as required to add additional trap receivers. Select the Delete icon to permanently remove a trap receiver. IP Address Set the IP address of the external server resource receiving SNMP traps on behalf of the access point.
  • Page 454: Management Access Deployment Considerations

    Legacy Motorola Solutions devices may use other community strings by default. • Motorola Solutions recommends SNMPv3 be used for device management, as it provides both encryption and authentication. • Enabling SNMP traps can provide alerts for isolated attacks at both small radio deployments or distributed attacks...
  • Page 455: Chapter 10 Diagnostics

    CHAPTER 10 DIAGNOSTICS An access point’s resident diagnostic capabilities enable administrators to understand how devices are performing and troubleshoot issues impacting network performance. Performance and diagnostic information is collected and measured for anomalies causing key processes to potentially fail. Numerous tools are available within the Diagnostics menu.
  • Page 456: Fault Management

    10 - 2 WiNG 5.2.6 Access Point System Reference Guide 10.1 Fault Management Fault management enables users administering multiple sites to assess device performance and issues affecting the network. Use the Fault Management screens to view and administrate errors generated by an access point or a connected wireless client.
  • Page 457 Diagnostics 10 - 3 Module Select the module from which events are tracked. When a single module is selected, events from other modules are not tracked. Remember this when interested in events generated by a particular module. Individual modules can be selected (such as TEST, LOG, FSM etc.) or all modules can be tracked by selecting All Modules.
  • Page 458 10 - 4 WiNG 5.2.6 Access Point System Reference Guide 5. Select View Events from the upper, left-hand, side of the Fault Management browser. Figure 10-2 Fault Management View Events screen Use the View Events screen to track and troubleshoot events using source and severity levels defined in the Configure events screen.
  • Page 459 Diagnostics 10 - 5 Figure 10-3 Fault Management Event History screen 9. Refer to the Select a Device field, and specify a single device MAC address for event tracking. 10. Select Fetch Historical Events from the lower, right-hand, side of the UI to populate the table with either device or RF Domain events.
  • Page 460: Crash Files

    10 - 6 WiNG 5.2.6 Access Point System Reference Guide 10.2 Crash Files Use the Crash Files screen to review files created when an access point encounters a critical error or malfunction. Use crash files to troubleshoot issues specific to the device on which a crash event was generated. These are issues impacting the core (distribution layer).
  • Page 461: Advanced

    Diagnostics 10 - 7 10.3 Advanced Use the Advanced diagnostics screens to review and troubleshoot potential issues with the access point’s User Interface (UI). The UI Diagnostics screen contains tools to effectively identify and correct access point UI issues. Diagnostics can also be performed at the device level for connected clients.
  • Page 462 10 - 8 WiNG 5.2.6 Access Point System Reference Guide 3. Select View UI Logs from the upper, left-hand, side of the browser to view Application Logs, Flex Logs and Error Logs. The Sequence (order of occurrence), Date/Time, Type, Category and Message items display for each log option selected.
  • Page 463: Chapter 11 Operations

    Self Monitoring At Run Time RF Management (Smart RF) is a Motorola Solutions innovation designed to simplify RF configurations for new deployments, while (over time) providing on-going deployment optimization and radio performance improvements.
  • Page 464: Device Operations

    11 - 2 WiNG 5.2.6 Access Point System Reference Guide 11.1 Device Operations Motorola Solutions periodically releases updated device firmware and configuration files to the Motorola Solutions Support Web site. If an access point’s (or its associated device’s) firmware is older than the version on the Web site, Motorola Solutions recommends updating to the latest firmware version for full functionality and utilization.
  • Page 465: Managing Firmware And Config Files

    Operations 11 - 3 11.1.1 Managing Firmware and Config Files  Device Operations Device Details screen displays by default when the Operations menu item is selected from the main menu. Use this screen to assess whether a device’s firmware or configuration file requires an update to the latest feature set and functionality.
  • Page 466 11 - 4 WiNG 5.2.6 Access Point System Reference Guide Fallback Lists whether fallback is currently enabled for the selected device. When enabled, the device reverts back to the last successfully installed firmware image if something were to happen in its next firmware upgrade that would render the device inoperable.
  • Page 467: Upgrading Device Firmware

    Operations 11 - 5 11.1.1.1 Upgrading Device Firmware  Managing Firmware and Config Files To update the firmware of a Virtual Controller AP managed device access point: NOTE: AP upgrades can only be performed by access points in Virtual Controller AP mode, and cannot be initiated by Standalone APs.
  • Page 468 11 - 6 WiNG 5.2.6 Access Point System Reference Guide 4. If needed, select Advanced to expand the dialog to display network address information to the location of the firmware. The number of additional fields that populate the screen is also dependent on the selected protocol.
  • Page 469: Managing File Transfers

    Operations 11 - 7 11.1.2 Managing File Transfers  Device Operations Transfer files from a device to this access point, to a remote server or from a remote server. An administrator can transfer logs, configurations and crash dumps. Additionally, the Web pages used to create captive portal pages can be transferred to managed devices that need to host them to provide access to the access point managed wireless network.
  • Page 470 11 - 8 WiNG 5.2.6 Access Point System Reference Guide Protocol If Advanced is selected, choose the protocol for file management. Available options include: • tftp • ftp • sftp • http • cf • usb1 • usb2 This parameter is required only when Server is selected as the Source and Advanced is selected.
  • Page 471: Using The File Browser

    Operations 11 - 9 11.1.3 Using the File Browser  Device Operations The access point maintains a File Browser enabling the administration of files currently residing on any internal or external memory location. Directories can be created and maintained for each File Browser location, and folders and files can be moved and deleted as needed.
  • Page 472: Ap Upgrades

    11 - 10 WiNG 5.2.6 Access Point System Reference Guide 11.1.4 AP Upgrades  Device Operations To configure an AP upgrade: NOTE: AP upgrades can only be performed by access points in Virtual Controller AP mode, and cannot be initiated by Standalone APs. Additionally, upgrades can only be performed on access points of the same model as the Virtual Controller AP.
  • Page 473 Operations 11 - 11 Schedule Reboot Time To reboot a target access point immediately, select Now. To schedule the reboot to take place at a specified time in the future, enter a date and time. This feature is helpful when upgrading an access point’s firmware while keeping it in operation until a reboot would not impact its current client support and operation.
  • Page 474 11 - 12 WiNG 5.2.6 Access Point System Reference Guide 6. Select the AP Image File tab to specify the model and network address information to the file used in the access point upgrade operation. Figure 11-7 AP Upgrade screen - AP Image File 7.
  • Page 475 Operations 11 - 13 8. When the AP Image Type and appropriate file location and protocol have been specified, select the Load Image button to load all available images to the Type Version table. The table now displays available images and their corresponding versions. 9.
  • Page 476 11 - 14 WiNG 5.2.6 Access Point System Reference Guide Last Status Displays the time of the last status update for access points that are no longer upgrading. Clear History Selecting the Clear History button clears the history log page for each access point.
  • Page 477: Certificates

    Operations 11 - 15 11.2 Certificates A certificate links identity information with a public key enclosed in the certificate. A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate.
  • Page 478 11 - 16 WiNG 5.2.6 Access Point System Reference Guide Figure 11-9 Trustpoints screen Trustpoints screen displays for the selected MAC address. 2. Refer to the Certificate Details to review certificate properties, self-signed credentials, validity period and CA information. 3. Select the Import button to import a certificate.
  • Page 479 Operations 11 - 17 Figure 11-10 Import New Trustpoint screen 4. Define the following configuration parameters required for the Import of the trustpoint: Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual.
  • Page 480 11 - 18 WiNG 5.2.6 Access Point System Reference Guide IP Address If using Advanced settings, enter IP address of the server used to import the trustpoint. This option is not valid for cf, usb1 and usb2. Hostname If using Advanced settings, provide the hostname of the server used to import the trustpoint.
  • Page 481 Operations 11 - 19 Cut and Paste Select the Cut and Paste radio button to simply copy an existing CA certificate into the cut and paste field. When pasting a valid CA certificate, no additional network address information is required. Protocol Select the protocol used for importing the target CA certificate.
  • Page 482 11 - 20 WiNG 5.2.6 Access Point System Reference Guide Figure 11-12 Import CRL screen 10. Define the following configuration parameters required for the Import of the CRL: Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint signing the certificate.
  • Page 483 Operations 11 - 21 IP Address If using Advanced settings, enter IP address of the server used to import the CRL. This option is not valid for cf, usb1, and usb2. Hostname If using Advanced settings, provide the hostname of the server used to import the CRL.
  • Page 484 11 - 22 WiNG 5.2.6 Access Point System Reference Guide Self-signed certificates cannot be revoked, which may allow an attacker who has already gained access to monitor and inject data into a connection to spoof an identity if a private key has been compromised. However, CAs have the ability to revoke a compromised certificate, which prevents its further use.
  • Page 485 Operations 11 - 23 Protocol Select the protocol used for importing the target signed certificate. Available options include: • tftp • ftp • sftp • http • cf • usb1 • usb2 Port If using Advanced settings, use the spinner control to set the port. This option is not valid for cf, usb1 and usb2.
  • Page 486 11 - 24 WiNG 5.2.6 Access Point System Reference Guide Figure 11-14 Export Trustpoint screen 16. Define the following configuration parameters required for the Export of the trustpoint. Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual.
  • Page 487: Rsa Key Management

    Operations 11 - 25 Port If using Advanced settings, use the spinner control to set the port. This option is not valid for cf, usb1, and usb2. IP Address If using Advanced settings, enter IP address of the server used to export the trustpoint.
  • Page 488 11 - 26 WiNG 5.2.6 Access Point System Reference Guide Figure 11-15 RSA Keys screen Each key can have its size and character syntax displayed. Once reviewed, optionally generate a new RSA key, import a key from a selected device, export a key to a remote location or delete a key from a selected device.
  • Page 489 Enter the 32 character maximum name assigned to the RSA key. Key Size Use the spinner control to set the size of the key (between 1,024 - 2,048 bits). Motorola Solutions recommends leaving this value at the default setting of 1024 to ensure optimum functionality.
  • Page 490 11 - 28 WiNG 5.2.6 Access Point System Reference Guide 5. To optionally import a CA certificate, select the Import button from the RSA Keys screen. Figure 11-17 Import New RSA Key screen 6. Define the following configuration parameters required for the Import of the RSA key: Key Name Enter the 32 character maximum name assigned to identify the RSA key.
  • Page 491 Operations 11 - 29 IP Address Enter IP address of the server used to import the RSA key. This option is not valid for cf, usb1 and usb2. Hostname Provide the hostname of the server used to import the RSA key. This option is not valid for cf, usb1 and usb2.
  • Page 492: Certificate Creation

    11 - 30 WiNG 5.2.6 Access Point System Reference Guide Protocol Select the protocol used for exporting the RSA key. Available options include: • tftp • ftp • sftp • http • cf • usb1 • usb2 Port If using Advanced settings, use the spinner control to set the port. This option is not valid for cf, usb1 and usb2.
  • Page 493 Operations 11 - 31 Figure 11-19 Create Certificate screen 3. Define the following configuration parameters required to Create New Self-Signed Certificate: Certificate Name Enter the 32 character maximum name assigned to identify the name of the trustpoint associated with the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.
  • Page 494 11 - 32 WiNG 5.2.6 Access Point System Reference Guide Create a New RSA To create a new RSA key, select the radio button to define a 32 character name used to identify the RSA key. Use the spinner control to set the size of the key (between 1,024 - 2,048 bits).
  • Page 495: Generating A Certificate Signing Request (Csr)

    Operations 11 - 33 11.2.4 Generating a Certificate Signing Request (CSR)  Certificates A certificate signing request (CSR) is a message from a requestor to a certificate authority to apply for a digital identity certificate. The CSR is composed of a block of encrypted text generated on the server the certificate will be used on. It contains information included in the certificate, including organization name, common name (domain name), locality and country.
  • Page 496 Create or use an existing key by selecting the appropriate radio button. Use the spinner control to set the size of the key (between 1,024 - 2,048 bits). Motorola Solutions recommends leaving this value at the default setting of 1024 to ensure optimum functionality.
  • Page 497 Operations 11 - 35 4. Set the following Certificate Subject Name parameters required for the creation of the certificate: Certificate Subject Name Select either the auto-generate radio button to automatically create the certificate's subject credentials or select user-defined to manually enter the credentials of the self signed certificate.
  • Page 498: Smart Rf

    11 - 36 WiNG 5.2.6 Access Point System Reference Guide 11.3 Smart RF Self Monitoring At Run Time RF Management (Smart RF) is a Motorola Solutions innovation designed to simplify RF configurations for new deployments, while (over time) providing on-going deployment optimization and radio performance improvements.
  • Page 499 Operations 11 - 37 Figure 11-21 Smart RF screen 2. Refer to the following to determine whether Smart RF calibrations or interactive calibration is required. AP MAC Address Displays the hardware encoded MAC address assigned to each access point radio within the RF Domain. This value cannot be modified as part of a calibration activity.
  • Page 500 11 - 38 WiNG 5.2.6 Access Point System Reference Guide Old Power Lists the transmit power assigned to each listed access point within the RF Domain. The power level may have been increased or decreased as part of an Interactive Calibration process applied to the RF Domain. Compare this...
  • Page 501 Operations 11 - 39 Figure 11-22 Save Calibration Result screen • Replace - Only overwrites the current channel and power values with the new channel power values the Interactive Calibration has calculated. • Write - Writes the new channel and power values to the radios under their respective device configurations. •...
  • Page 502: Operations Deployment Considerations

    • If an access point’s (or its associated device’s) firmware is older than the version on the support site, Motorola Solutions recommends updating to the latest firmware version for full functionality and utilization.
  • Page 503: Chapter 12 Statistics

    CHAPTER 12 STATISTICS This chapter describes the statistical information available to WING 5.2.6 supported access points. Statistics can be exclusively displayed to validate access points, their VLAN assignments and the current authentication and encryption schemes. Statistics can be displayed for the entire system or access point coverage area. Stats can also be viewed collectively for RF Domain member access point radios and their connected clients.
  • Page 504: System Statistics

    12 - 2 WiNG 5.2.6 Access Point System Reference Guide 12.1 System Statistics System screens display information supporting access points, RF Domains and managed clients (the entire access point managed network). Use this information to obtain an overall view of the state of the network. The data is organized as follows: •...
  • Page 505 Statistics 12 - 3 Figure 12-1 System - Health screen 4. The Devices table displays the total number of access points in the network. The pie chart is a proportional view of how many are functional and currently online. Green indicates online devices and red offline devices. 5.
  • Page 506 12 - 4 WiNG 5.2.6 Access Point System Reference Guide • 75 – 100 (Good). This area displays the following: Worst 5 Displays five RF Domains with the lowest quality indices in the access point managed network. The value can be interpreted as: •...
  • Page 507: Inventory

    Statistics 12 - 5 12.1.2 Inventory  System Statistics The Inventory screen displays information about the physical hardware deployed within the system. Use this information to assess the overall performance of access points and their connected clients in the system, whether members of the RF Domain or not.
  • Page 508: Adopted Devices

    12 - 6 WiNG 5.2.6 Access Point System Reference Guide 5. The Radios table displays radios in use throughout the wireless controller managed network. This area displays the total number of managed radios and top 5 RF Domains in terms of radio count. The Total Radios value is the total number of radios in this system.
  • Page 509 Statistics 12 - 7 Figure 12-3 System - Adopted Devices screen 4. The Adopted Devices screen provides the following: Adopted Device Displays the hostname assigned to each listed adopted access point. Type Displays the type of each adopted access point. RF Domain Name Displays the adopting access point’s RF Domain membership (unique to that model type).
  • Page 510: Pending Adoptions

    12 - 8 WiNG 5.2.6 Access Point System Reference Guide 12.1.4 Pending Adoptions  System Statistics The Pending Adoptions screen displays a list of devices that have been detected in the access point managed system but have not yet been connected to one of the system’s access points, and for which adoption is pending.
  • Page 511: Offline Devices

    Statistics 12 - 9 12.1.5 Offline Devices  System Statistics The Offline Devices screen displays a list of devices in the access point managed network and RF Domain that are currently offline. To view offline device statistics: 1. Select the Statistics menu from the Web UI.
  • Page 512 12 - 10 WiNG 5.2.6 Access Point System Reference Guide Area Displays the deployment area assigned to the listed device when deployed using the WING UI as a means of identifying the device’s physical location. Floor Displays the deployment floor assigned to the listed device when deployed using the WING UI as a means of identifying the device’s physical location.
  • Page 513: Rf Domain Statistics

    Statistics 12 - 11 12.2 RF Domain Statistics RF Domain screens display status for an access point’s RF domain. This includes the RF Domain health and device inventory, wireless clients and Smart RF functionality. RF Domains allow administrators to assign regional, regulatory and RF configuration to access points of the same model deployed in a common coverage area such as in a floor, building or site.
  • Page 514 12 - 12 WiNG 5.2.6 Access Point System Reference Guide Figure 12-6 RF Domain - Health screen...
  • Page 515 Statistics 12 - 13 Domain field displays the name of the RF Domain manager. The RF Domain manager is the focal point for the radio system and acts as a central registry of applications, hardware and capabilities. It also serves as a mount point for all the different pieces of the hardware system file.
  • Page 516 12 - 14 WiNG 5.2.6 Access Point System Reference Guide 7. The Radio Traffic Utilization area displays the following: Traffic Index Displays traffic utilization efficiency. This index measures how efficiently the traffic medium is used. It’s defined as the percentage of current throughput relative to maximum possible throughput.
  • Page 517: Inventory

    Statistics 12 - 15 Bcast/Mcast Packets Displays the total number of broadcast/multicast packets transmitted and received within the access point RF Domain. Management Packets This is the total number of management packets processed within the access point RF Domain. Tx Dropped Packets Lists total number of dropped data packets within the access point RF Domain.
  • Page 518 12 - 16 WiNG 5.2.6 Access Point System Reference Guide Figure 12-7 RF Domain - Inventory screen 4. The Device Types table displays the total members in the RF Domain. The exploded pie chart depicts the distribution of RF Domain members by model type.
  • Page 519: Access Points

    Statistics 12 - 17 6. The Radios by Channel field displays the radio channels being utilized by RF Domain member devices in two separate charts. One chart displays 5 GHz channel utilization and the other 2.4 GHz channel utilization. 7. The Top 5 Radios by Clients table displays the highest 5 performing wireless clients connected to RF Domain members.
  • Page 520: Ap Detection

    12 - 18 WiNG 5.2.6 Access Point System Reference Guide Figure 12-8 RF Domain - Access Points screen Access Point Displays the system assigned name of each member of the RF Domain. AP MAC Address Displays each access point’s factory encoded MAC address as its hardware identifier.
  • Page 521 Statistics 12 - 19 1. Select the Statistics menu from the Web UI. 2. Select the default item from under the System node on the top, left-hand side, of the screen. 3. Select AP Detection from the RF Domain menu. Figure 12-9 RF Domain - AP Detection screen 4.
  • Page 522: Wireless Clients

    12 - 20 WiNG 5.2.6 Access Point System Reference Guide 12.2.5 Wireless Clients  RF Domain Statistics The Wireless Clients screen displays device information for wireless clients connected to RF Domain member access points. Review this content to determine whether a client should be removed from access point association within the selected access point RF Domain.
  • Page 523: Wireless Lans

    Statistics 12 - 21 4. The Wireless Clients screen displays the following: MAC Address Displays the Hardware or Media Access Control (MAC) address of each listed wireless client. This address is hard-coded at the factory and cannot be modified. WLAN Displays the name of the defined WLAN the wireless client is currently using for its access point interoperation within the RF Domain.
  • Page 524 12 - 22 WiNG 5.2.6 Access Point System Reference Guide Figure 12-11 RF Domain - Wireless LANs screen 4. The Wireless LANs screen displays the following: WLAN Name Displays the text-based name assigned to the WLAN upon its creation within the access point managed network.
  • Page 525: Radios

    Statistics 12 - 23 Refresh Select the Refresh button to update the statistics counters to their latest values. 12.2.7 Radios  RF Domain Statistics Radio screens display information on RF Domain member access point radios. Use these screens to troubleshoot radio issues.
  • Page 526 12 - 24 WiNG 5.2.6 Access Point System Reference Guide Radio MAC Displays the MAC address and numerical value assigned to each listed RF Domain member access point radio. Defines whether the radio is a 802.11b, 802.11bg, 802.11bgn, 802.11a, or 802.11an.
  • Page 527: Rf Statistics

    Statistics 12 - 25 12.2.7.2 RF Statistics To view the RF Domain access point radio statistics: 1. Select the Statistics menu from the Web UI. 2. Select the default item from under the System node on the top, left-hand side, of the screen. 3.
  • Page 528: Traffic Statistics

    12 - 26 WiNG 5.2.6 Access Point System Reference Guide Traffic Index Displays the traffic utilization index of each RF Domain member access point radio. This is expressed as an integer value. 0 – 20 indicates very low utilization, and 60 and above indicate high utilization.
  • Page 529 Statistics 12 - 27 Tx Bytes Displays the total number of bytes transmitted by each RF Domain member access point radio. This includes all user data as well as any management overhead data. Rx Bytes Displays the total number of bytes received by each RF Domain member access point radio.
  • Page 530: Mesh

    12 - 28 WiNG 5.2.6 Access Point System Reference Guide 12.2.8 Mesh  RF Domain Statistics To view Mesh statistics for RF Domain member access points and connected clients: 1. Select the Statistics menu from the Web UI. 2. Select the default item from under the System node on the top, left-hand side, of the screen.
  • Page 531: Smart Rf

    Statistics 12 - 29 12.2.9 SMART RF  RF Domain Statistics When invoked by an administrator, Self-Monitoring At Run Time (Smart RF) instructs access point radios to change to a specific channel and begin beaconing using the maximum available transmit power. Within a well-planned deployment, any RF Domain member access point radio should be reachable by at least one other radio.
  • Page 532 12 - 30 WiNG 5.2.6 Access Point System Reference Guide Figure 12-17 RF Domain - Smart RF Details screen 5. Select the Energy Graph tab for a RF Domain member access point radio to review the radio’s operating channel and noise level and neighbor count. This information helps assess whether Smart RF neighbor recovery is needed...
  • Page 533 Statistics 12 - 31 Figure 12-18 RF Domain - Smart RF Energy Graph...
  • Page 534: Wips

    12 - 32 WiNG 5.2.6 Access Point System Reference Guide 12.2.10 WIPS  RF Domain Statistics Refer to the Wireless Intrusion Protection Software (WIPS) screens to review the RF Domain client blacklist and events reported by a RF Domain member access point.
  • Page 535: Wips Events

    Statistics 12 - 33 Time Blacklisted Displays the time when the wireless client was blacklisted by a RF Domain member access point. Total Time Displays the time the unauthorized (now blacklisted) device remained in the RF Domain. Time Left Displays the time the blacklisted client remains on the list. Refresh Select the Refresh...
  • Page 536: Captive Portal

    12 - 34 WiNG 5.2.6 Access Point System Reference Guide Originating Device Displays the MAC address of the intruding device. Detector Radio Displays RF Domain member access point radio number detecting the event. AP-7131 models can have from 1-3 radios depending on the SKU. AP-6532, AP-7161 and AP-8132 models have 2 radios, while AP-6511 and AP-6521 models have 1 radio.
  • Page 537: Historical Data

    Statistics 12 - 35 Client IP Displays the IP address of each listed client using its connected RF Domain member access point for captive portal access. Captive Portal Lists the name of the RF Domain captive portal currently being utilized by each listed client.
  • Page 538: Viewing Smart Rf History

    12 - 36 WiNG 5.2.6 Access Point System Reference Guide 12.2.12.1 Viewing Smart RF History  Historical Data To view the RF Domain member Smart RF history: 1. Select the Statistics menu from the Web UI. 2. Select the default item from under the System node on the top, left-hand side, of the screen.
  • Page 539: Access Point Statistics

    Statistics 12 - 37 12.3 Access Point Statistics The access point statistics screens display an access point’s performance, health, version, client support, radio, mesh, interface, DHCP, firewall, WIPS, sensor, captive portal, NTP and load information. Access point statistics consist of the following: •...
  • Page 540 12 - 38 WiNG 5.2.6 Access Point System Reference Guide Figure 12-23 Access Point - Health screen 4. The Device Details field displays the following information: Hostname Displays the AP’s unique name. A hostname is assigned to a device connected to a computer network.
  • Page 541 Statistics 12 - 39 Version Displays the access point’s current firmware version. Use this information to assess whether an upgrade is required for better compatibility. Uptime Displays the cumulative time since the access point was last rebooted or lost power. Displays the processor core.
  • Page 542: Device

    12 - 40 WiNG 5.2.6 Access Point System Reference Guide 12.3.2 Device  Access Point Statistics The Device screen displays basic information about the selected access point. Use this screen to gather version information, such as the installed firmware image version, the boot image and upgrade status.
  • Page 543 Statistics 12 - 41 Version Displays the software (firmware) version on the access point. Boot Partition Displays the boot partition type. Fallback Enabled Displays whether this option is enabled. This method enables a user to store a known legacy version and a new version in device memory. The user can test the new software, and use an automatic fallback, which loads the old version on the access point if the new version fails.
  • Page 544 12 - 42 WiNG 5.2.6 Access Point System Reference Guide Maximum Lists the maximum buffers available to the selected access point. Buffers 9. The IP Domain field displays the following: IP Domain Name Displays the name of the IP Domain service used with the selected access point.
  • Page 545: Ap Upgrade

    Statistics 12 - 43 Power Management Status Lists the power status of the access point. Ethernet Power Status Displays the access point’s Ethernet power status. Radio Power Status Displays the power status of the access point’s radios. 12.3.3 AP Upgrade ...
  • Page 546: Adoption

    12 - 44 WiNG 5.2.6 Access Point System Reference Guide Type Displays the model of the access point. The updating access point must be of the same model as the access point receiving the update. Displays the MAC address of the access point receiving the update.
  • Page 547: Adopted Aps

    Statistics 12 - 45 12.3.4.1 Adopted APs  Adoption The adopted AP statistics screen lists access points adopted by this access point, their RF Domain memberships and network service information. To view adopted access point statistics: 1. Select the Statistics menu from the Web UI.
  • Page 548 12 - 46 WiNG 5.2.6 Access Point System Reference Guide Config Status Displays each listed access point’s configuration status to help determine its service role. Config Errors Lists any configuration errors that may be hindering performance. Adopted By Lists the adopting access point.
  • Page 549: Ap Adoption History

    Statistics 12 - 47 12.3.4.2 AP Adoption History  Adoption To view historical statistics for adopted access points: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation.
  • Page 550: Pending Adoptions

    12 - 48 WiNG 5.2.6 Access Point System Reference Guide 12.3.4.3 Pending Adoptions  Adoption The Pending Adoptions screen displays a list of devices adopted to this access point or access points in the process of adoption. To view pending access point statistics: 1.
  • Page 551: Ap Detection

    Statistics 12 - 49 Last Seen Displays the date and time stamp of the last time the device was seen. Click the arrow next to the date and time to toggle between standard time and UTC. Refresh Select the Refresh button to update the screen’s statistics counters to their latest values.
  • Page 552: Wireless Client

    12 - 50 WiNG 5.2.6 Access Point System Reference Guide AP Mode Displays the mode of the unsanctioned access point. Radio Type Displays the type of the radio on the unsanctioned access point. The radio can be 802.11b, 802.11bg, 802.11bgn, 802.11a or 802.11an.
  • Page 553 Statistics 12 - 51 3. Select Wireless Clients. Figure 12-30 Access Point - Wireless Clients screen 4. The Access Point Wireless Statistics screen displays the following: Client MAC Displays the MAC address of each listed client that’s connected to the selected access point.
  • Page 554: Wireless Lans

    12 - 52 WiNG 5.2.6 Access Point System Reference Guide 12.3.7 Wireless LANs  Access Point Statistics The Wireless LAN statistics screen displays an overview of access point WLAN utilization. This screen displays access point WLAN assignment, SSIDs, traffic utilization, number of radios the access point is utilizing on the WLAN and transmit and receive statistics.
  • Page 555: Critical Resources

    Statistics 12 - 53 Radio Count Displays the number of access point radios deployed within each listed WLAN. Tx Bytes Displays the average number of transmitted bytes sent on each listed WLAN. Tx User Data Displays transmitted user data rate in kbps for each listed WLAN. Rate Rx Bytes Displays the average number of packets in bytes received on each listed...
  • Page 556: Radios

    12 - 54 WiNG 5.2.6 Access Point System Reference Guide Figure 12-32 Access Point - Critical Resources screen 4. The Access Point Critical Resource screen displays the following: IP Address Lists the IP address of the critical resource. This is the address the device assigned and is used by the access point to ensure the critical resource is available.
  • Page 557 Statistics 12 - 55 The access point’s radio statistics screens provide details about associated radios. It provides radio ID, radio type, RF quality index etc. Use this information to assess the overall health of radio transmissions and access point placement. An AP-7131 model access point can support from 1-3 radios depending on the SKU purchased.
  • Page 558: Status

    12 - 56 WiNG 5.2.6 Access Point System Reference Guide 12.3.9.1 Status An administrator can use the Status screen to review access point radio stats in detail. Use the Status screen to assess radio type, operational state, operating channel and current power to assess whether the radio is optimally configured in respect to its intended deployment objective.
  • Page 559 Statistics 12 - 57 Power Current Displays the current power level each listed radio is broadcasting on, as well (Config) as the power level it is configured to use in parenthesis. Configured Displays each listed radio’s administrator defined output power level. Power Compare this level to the current power level to determine whether the radio is optimally transmitting.
  • Page 560: Rf Statistics

    12 - 58 WiNG 5.2.6 Access Point System Reference Guide 12.3.9.2 RF Statistics An administrator can use the RF Statistics screen to review access point radio transmit and receive statistics, error rate and RF quality. To view access point radio RF statistics: 1.
  • Page 561 Statistics 12 - 59 Error Rate Displays the average number of retries per packet. A high number indicates possible network or hardware problems. Assess the error rate in respect to potentially high signal and SNR values to determine whether the error rate coincides with a noisy signal.
  • Page 562: Traffic Statistics

    12 - 60 WiNG 5.2.6 Access Point System Reference Guide 12.3.9.3 Traffic Statistics An administrator can use the Traffic Statistics screen to review access point radio transmit and receive statistics, data rate, and packets dropped during both transmit and receive operations.
  • Page 563: Mesh

    Statistics 12 - 61 Rx User Data Displays the rate (in kbps) user data is received by the radio. This rate only Rate applies to user data and does not include management overhead. Tx Dropped Displays the total number of transmitted packets dropped by each listed radio.
  • Page 564 12 - 62 WiNG 5.2.6 Access Point System Reference Guide 4. Select Mesh. Figure 12-37 Access Point Mesh screen 5. The Mesh screen describes the following: Client AP Displays the name for each access point in the RF Domain mesh network.
  • Page 565: Interfaces

    Statistics 12 - 63 12.3.11 Interfaces  Access Point Statistics The Interface screen provides detailed statistics on each of the interfaces available on WiNG 5 supported access points. Use this screen to review the statistics for each access point interface. Use the following screens to review the performance of each interface on the access point.
  • Page 566: General Statistics

    12 - 64 WiNG 5.2.6 Access Point System Reference Guide 12.3.11.1 General Statistics  Interfaces The General screen provides information on a selected access point interface such as its MAC address, type and TX/RX statistics. To view the general interface statistics: 1.
  • Page 567 Statistics 12 - 65 3. Select Interfaces. The General tab displays by default. Figure 12-38 Access Point Interface - General tab 4. Select an access point interface from those available for this access point model. The subsequent display within the General and Network Graph tabs is specific to the selected interface.
  • Page 568 12 - 66 WiNG 5.2.6 Access Point System Reference Guide Hardware Type Displays the hardware type of the access point interface. Index Displays the unique numerical identifier supporting the interface. Access VLAN Displays the interface the VLAN can access. Access Setting Displays the mode of the VLAN as either Access or Trunk.
  • Page 569 Statistics 12 - 67 Good Pkts Describes the number of good packets received. Received Mcast Pkts Sent Displays the number of multicast packets sent through the selected interface. Mcast Pkts Displays the number of multicast packets received through the selected Received interface.
  • Page 570 12 - 68 WiNG 5.2.6 Access Point System Reference Guide 9. The Receive Errors field displays the following information about the selected interface: Rx Frame Errors Displays the number of frame errors received at the interface. A frame error occurs when a byte of data is received, but not in the format expected.
  • Page 571: Viewing Interface Statistics Graph

    Statistics 12 - 69 12.3.11.2 Viewing Interface Statistics Graph  Interfaces Network Graph tab displays interface statistics graphically. To view a detailed graph for an interface, select an interface, then choose from up to three performance variables from within the Parameters drop down menu.
  • Page 572: Arp Entries

    12 - 70 WiNG 5.2.6 Access Point System Reference Guide 12.3.12.1 ARP Entries  Network ARP is a networking protocol for determining a network host’s hardware address when its IP address or network layer address is known. To view an access point’s ARP statistics: 1.
  • Page 573: Route Entries

    Statistics 12 - 71 12.3.12.2 Route Entries  Network The route entries screen provides details about the destination subnet, gateway, and interface for routing packets to a defined destination. When an existing destination subnet does not meet the needs of the network, add a new destination subnet, subnet mask and gateway.
  • Page 574: Bridge

    12 - 72 WiNG 5.2.6 Access Point System Reference Guide 12.3.12.3 Bridge  Network A bridge is a device connecting two networks using either the same or different Data Link Layer (DLL) protocol. Bridging is a forwarding technique used in networks. Bridging makes no assumption about where a particular address is located.
  • Page 575 Statistics 12 - 73 Figure 12-42 Access Point Network - Bridge Details screen 5. The Details screen’s Integrated Gateway Server (IGS) table displays the following: VLAN Displays the VLAN where the multicast transmission is conducted. Group Address Displays the Multicast Group ID supporting the statistics displayed. This group ID is the multicast address hosts are listening to.
  • Page 576 12 - 74 WiNG 5.2.6 Access Point System Reference Guide 7. Select the MAC Address tab. 8. Review the following from within the MAC Address tab: Bridge Name Displays the name of the network bridge. MAC Address Displays the MAC address of the bridge selected.
  • Page 577: Dhcp Options

    Statistics 12 - 75 12.3.12.4 DHCP Options  Network Supported access points can use a DHCP server resource to provide the dynamic assignment of IP addresses automatically. This is a protocol that includes IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host.
  • Page 578 12 - 76 WiNG 5.2.6 Access Point System Reference Guide Configuration Displays the name of the configuration file on the DHCP server. Legacy Adoption Displays legacy device adoption information on behalf of the access point. Adoption Displays adoption information on behalf of the access point.
  • Page 579: Cisco Discovery Protocol

    Statistics 12 - 77 12.3.12.5 Cisco Discovery Protocol  Network The Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer network protocol implemented in Cisco networking equipment and used to share information about network devices. To view an access point’s CDP statistics: 1.
  • Page 580: Link Layer Discovery Protocol

    12 - 78 WiNG 5.2.6 Access Point System Reference Guide Refresh Select Refresh to update the statistics counters to their latest values. 12.3.12.6 Link Layer Discovery Protocol  Network The Link Layer Discovery Protocol (LLDP) or IEEE 802.1AB is a vendor-neutral Data Link Layer protocol used by network devices for advertising (announcing) their identity, capabilities, and interconnections on an IEEE 802 LAN network.
  • Page 581: Dhcp Server

    Statistics 12 - 79 Platform Displays the model number of the LLDP capable device. Port ID Displays the identifier for the local port. Displays the time to live for each LLDP connection. Clear Neighbors Select Clear Neighbors to remove all known LLDP neighbors from the table. Refresh Select Refresh...
  • Page 582 12 - 80 WiNG 5.2.6 Access Point System Reference Guide 4. Select General. Figure 12-46 Access Point Network DHCP Server - General tab 5. The General screen displays the following: Interfaces Displays the interface used for the newly created DHCP configuration.
  • Page 583: Dhcp Bindings

    Statistics 12 - 81 12.3.13.1 DHCP Bindings  Network The DHCP binding information screen displays DHCP binding information such as expiry time, client IP addresses and their MAC address. To view a network’s DHCP Bindings: 1. Select the Statistics menu from the Web UI. 2.
  • Page 584: Dhcp Networks

    12 - 82 WiNG 5.2.6 Access Point System Reference Guide 12.3.13.2 DHCP Networks  Network The DHCP server maintains a pool of IP addresses and client configuration parameters (default gateway, domain name, name servers etc). On receiving a valid client request, the server assigns the computer an IP address, a lease (the validity of time), and other IP configuration parameters.
  • Page 585: Packet Flows

    Statistics 12 - 83 12.3.14.1 Packet Flows Total Active Flows graph displays the total number of flows supported. Other bar graphs display for each individual packet type. The Packet Flows screen displays data traffic packet flow utilization. The chart represents the different protocol flows supported, and displays a proportional view of the flows in respect to their percentage of data traffic utilized.
  • Page 586: Denial Of Service

    12 - 84 WiNG 5.2.6 Access Point System Reference Guide 12.3.14.2 Denial of Service  Firewall A denial-of-service attack (DoS attack) or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out a DoS attack may vary, it generally consists of concerted efforts to prevent an Internet site or service from functioning efficiently.
  • Page 587 Statistics 12 - 85 Clear All Select the Clear All button to clear the screen of its current status and begin a new data collection. Select the Refresh button to update the screen’s statistics counters to their Refresh latest values.
  • Page 588: Ip Firewall Rules

    12 - 86 WiNG 5.2.6 Access Point System Reference Guide 12.3.14.3 IP Firewall Rules  Firewall Create firewall rules to let any computer send traffic to, or receive traffic from, programs, system services, computers or users. Firewall rules can be created to take one of the three actions listed below that match the rule’s criteria: •...
  • Page 589 Statistics 12 - 87 Hit Count Displays the number of times each WLAN ACL has been triggered. Select the Refresh button to update the screen’s statistics counters to their Refresh latest values.
  • Page 590: Mac Firewall Rules

    12 - 88 WiNG 5.2.6 Access Point System Reference Guide 12.3.14.4 MAC Firewall Rules  Firewall The ability to allow or deny access point connectivity by client MAC address ensures malicious or unwanted clients are unable to bypass the access point’s security filters. Firewall rules can be created to support one of the three actions listed below that match the rule’s criteria:...
  • Page 591 Statistics 12 - 89 The MAC Firewall Rules screen provides the following information: Precedence Displays the precedence value, which is applied to packets. The rules within an Access Control Entries (ACL) list are based on their precedence values. Every rule has a unique precedence value between 1 and 5000. You cannot add two rules with the same precedence value.
  • Page 592: Nat Translations

    12 - 90 WiNG 5.2.6 Access Point System Reference Guide 12.3.14.5 NAT Translations  Firewall To view the Firewall’s NAT translations: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation.
  • Page 593 Statistics 12 - 91 Reverse Source Displays the source port for the reverse NAT flow (contains ICMP ID if it is an Port ICMP flow). Reverse Dest IP Displays the destination IP address for the reverse NAT flow. Reverse Dest Displays the destination port for the reverse NAT flow (contains ICMP ID if it Port is an ICMP flow).
  • Page 594: Dhcp Snooping

    12 - 92 WiNG 5.2.6 Access Point System Reference Guide 12.3.14.6 DHCP Snooping  Firewall When DHCP servers are allocating IP addresses to clients on the LAN, DHCP snooping can be configured to better enforce the security on the LAN to allow only clients with specific IP/MAC addresses.
  • Page 595: Certificates

    Statistics 12 - 93 Lease Time When a DHCP server allocates an address for a DHCP client, the client is assigned a lease (which expires after a designated interval defined by the administrator). The lease time is the time an IP address is reserved for re-connection after its last use.
  • Page 596: Trustpoints

    12 - 94 WiNG 5.2.6 Access Point System Reference Guide 12.3.15.1 Trustpoints  Certificates Each certificate is digitally signed by a trustpoint. The trustpoint signing the certificate can be a certificate authority, corporate or individual. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters and an association with an enrolled identity certificate.
  • Page 597 Statistics 12 - 95 Figure 12-54 Access Point Certificate - Trustpoint screen...
  • Page 598 12 - 96 WiNG 5.2.6 Access Point System Reference Guide 5. The Certificate Details field displays the following: Subject Name Lists details about the entity to which the certificate is issued. Alternate Displays alternative details to the information specified under the Subject Subject Name Name field.
  • Page 599: Rsa Keys

    Statistics 12 - 97 12.3.15.2 RSA Keys  Certificates Rivest, Shamir, and Adleman (RSA) is an algorithm for public key cryptography. It’s the first algorithm known to be suitable for signing, as well as encryption. The RSA Keys screen displays a list of RSA keys installed in the selected access point. RSA Keys are generally used for establishing an SSH session, and are a part of the certificate set used by RADIUS, VPN and HTTPS.
  • Page 600: Wips

    12 - 98 WiNG 5.2.6 Access Point System Reference Guide 12.3.16 WIPS  Access Point Statistics A Wireless Intrusion Prevention System (WIPS) monitors the radio spectrum for the presence of unauthorized access points and takes measures to prevent an intrusion. Unauthorized attempts to access the WLAN are generally accompanied by anomalous behavior as intruding clients try to find network vulnerabilities.
  • Page 601: Wips Client Blacklist

    Statistics 12 - 99 12.3.16.1 WIPS Client Blacklist  WIPS The Client Blacklist displays blacklisted clients detected by this access point using WIPS. Blacklisted clients are not allowed to associate to this access point. To view the WIPS client blacklist for this access point: 1.
  • Page 602: Wips Events

    12 - 100 WiNG 5.2.6 Access Point System Reference Guide 12.3.16.2 WIPS Events  WIPS The WIPS Events screen details the wireless intrusion event by an access point. To view the WIPS events statistics: 1. Select the Statistics menu from the Web UI.
  • Page 603: Sensor Servers

    Statistics 12 - 101 Select the Refresh button to update the screen’s statistics counters to their Refresh latest values. 12.3.17 Sensor Servers  Access Point Statistics Sensor servers allow the monitoring and download of data from multiple sensors and remote locations using Ethernet TCP/IP or serial communication.
  • Page 604: Captive Portal

    12 - 102 WiNG 5.2.6 Access Point System Reference Guide 12.3.18 Captive Portal  Access Point Statistics A captive portal forces an HTTP client to use a special Web page for authentication before using the Internet. A captive portal turns a Web browser into a client authenticator. This is done by intercepting packets regardless of the address or port, until the user opens a browser and tries to access the Internet.
  • Page 605 Statistics 12 - 103 Remaining Time Displays the time after which the client is disconnected from the captive portal hosted Internet. Select the Refresh button to update the screen’s statistics counters to their Refresh latest values.
  • Page 606: Network Time

    12 - 104 WiNG 5.2.6 Access Point System Reference Guide 12.3.19 Network Time  Access Point Statistics Network Time Protocol (NTP) is central to networks that rely on their access point(s) to supply system time. Without NTP, access point supplied network time is unpredictable, which can result in data loss, failed processes, and compromised security.
  • Page 607: Ntp Status

    Statistics 12 - 105 12.3.19.1 NTP Status  Network Time To view the Network Time statistics of an access point: 1. Select the Statistics menu from the Web UI. 2. Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an access point for statistical observation.
  • Page 608 12 - 106 WiNG 5.2.6 Access Point System Reference Guide Root Delay The total round-trip delay in seconds. This variable can take on both positive and negative values, depending on relative time and frequency offsets. The values that normally appear in this field range from negative values (a few milliseconds) to positive values (several hundred milliseconds).
  • Page 609: Ntp Association

    Statistics 12 - 107 12.3.19.2 NTP Association  Network Time The interaction between the access point and an NTP server constitutes an association. NTP associations can be either peer associations (the access point synchronizes to another system or allows another system to synchronize to it), or server associations (only the access point synchronizes to the NTP resource, not the other way around).
  • Page 610: Load Balancing

    12 - 108 WiNG 5.2.6 Access Point System Reference Guide Poll Displays the maximum interval between successive messages in seconds to the nearest power of two. Reach Displays the status of the last eight SNTP messages. If an SNTP packet is lost, the lost packet is tracked over the next eight SNTP messages.
  • Page 611 Statistics 12 - 109 Figure 12-62 Access Point - Load Balancing screen 4. The Load Balancing screen displays the following: Load Balancing Select any of the options to display any or all of the following information in the graph below: AP Load, 2.4GHz Load, 5GHz Load, and Channel. The graph section displays the load percentages for each of the selected variables over a period of time, which can be altered using the slider below the upper graph.
  • Page 612: Wireless Client Statistics

    12 - 110 WiNG 5.2.6 Access Point System Reference Guide 12.4 Wireless Client Statistics The wireless client statistics display read-only statistics for a client selected from within its connected access point directory. It provides an overview of the health of wireless clients in the access point managed network. Use this information to assess if configuration changes are required to improve client performance.
  • Page 613 Displays the factory encoded MAC address of the selected wireless client. Hostname Lists the hostname assigned to the client when initially managed by the WiNG 5.2.6 supported access point. Vendor Displays the vendor name or the manufacturer of the wireless client.
  • Page 614 12 - 112 WiNG 5.2.6 Access Point System Reference Guide 5. The User Details field displays the following: Username Displays the unique name of the administrator or operator managing the client’s connected access point. Authentication Lists the authentication scheme applied to the client for interoperation with the Access Point.
  • Page 615: Details

    Statistics 12 - 113 8. The Traffic Utilization field displays statistics on the traffic generated and received by the selected client. This area displays the traffic index, which measures how efficiently the traffic medium is utilized. It’s defined as the percentage of current throughput relative to the maximum possible throughput.
  • Page 616 12 - 114 WiNG 5.2.6 Access Point System Reference Guide Figure 12-64 Wireless Clients - Details screen 4. The Wireless Client field displays the following: SSID Displays the client’s Service Set ID. RF Domain Displays the access point RF Domain to which the connected client is a member.
  • Page 617 Statistics 12 - 115 Captive Portal Displays whether captive portal authentication is enabled (True or False). Auth. 6. The Connection field displays the following: Idle Time Displays the time for which the wireless client remained idle. Last Active Displays the time in seconds the wireless client was last in contact with its connected access point.
  • Page 618: Traffic

    12 - 116 WiNG 5.2.6 Access Point System Reference Guide 8. The 802.11 Protocol field displays the following: High-Throughput Displays whether high throughput is supported. High throughput is a measure of the successful packet delivery over a communication channel. RIFS Displays whether this feature is supported.
  • Page 619 Statistics 12 - 117 Figure 12-65 Wireless Clients - Traffic screen Traffic Utilization statistics utilize an index, which measures how efficiently the traffic medium is used. It’s defined as the percentage of current throughput relative to the maximum possible throughput. This screen also provides the following: Total Bytes Displays the total bytes processed by the access point’s connected client.
  • Page 620 12 - 118 WiNG 5.2.6 Access Point System Reference Guide Tx Dropped Displays the client’s number of dropped packets while transmitting to its Packets connected access point. Tx Retries Displays the total number of client transmit retries with its connected access point.
  • Page 621: Wmm Tspec

    Statistics 12 - 119 R-Value R-value is a number or score that is used to quantitatively express the quality of speech in communications systems. This is used in digital networks that carry Voice over IP (VoIP) traffic. The R-value can range from 1 (worst) to 100 (best) and is based on the percentage of users who are satisfied with the quality of a test voice signal after it has passed through a network from a source (transmitter) to a destination (receiver).
  • Page 622 12 - 120 WiNG 5.2.6 Access Point System Reference Guide Figure 12-66 Wireless Clients - WMM TSPEC screen 4. The TSPEC Count displays the number of TSPECs available for the client’s packet flow. 5. The TSPEC Type field displays the following: Voice Displays the status of voice traffic prioritization.
  • Page 623: Association History

    Statistics 12 - 121 Parameter Displays the parameter for defining the traffic stream. TID identifies data packets as belonging to a unique traffic stream. Voice Displays the Voice corresponding to the TID and Media Time. Video Displays the Video corresponding to the TID and Media Time. Best Effort Displays the Best Effort corresponding to the TID and Media Time.
  • Page 624 12 - 122 WiNG 5.2.6 Access Point System Reference Guide Figure 12-67 Wireless Clients - Association History screen 4. Refer to the following to discern this client’s access point association history: Access Point Lists the access point this client has connected to, and been managed by, since the screen was last refreshed.
  • Page 625: Graph

    Statistics 12 - 123 12.4.6 Graph  Wireless Client Statistics Use the Graph to assess a connected client’s radio performance and diagnose radio performance issues that may be negatively impacting performance. Up to three selected performance variables can be charted at one time. The graph uses a Y-axis and an X-axis to associate selected.
  • Page 626 12 - 124 WiNG 5.2.6 Access Point System Reference Guide...
  • Page 627: Customer Support

    • Software type and version number Motorola Solutions responds to calls by email or telephone within the time limits set forth in support agreements. If you purchased your product from a Motorola Solutions business partner, contact that business partner for support.
  • Page 628 A - 2 WiNG 5.2.6 Access Point System Reference Guide...
  • Page 629 APPENDIX B PUBLICLY AVAILABLE SOFTWARE B.1 General Information This document contains information regarding licenses, acknowledgments and required copyright notices for open source packages used in these Motorola Solutions products: Access Points • AP8132 • AP7181 • AP7161 • AP7131 • AP6532 •...
  • Page 630 • NX4524 • NX6500 • NX6524 For instructions on obtaining a copy of any source code being made publicly available by Motorola Solutions related to software used in these products, you may send a request in writing to: Motorola Solutions, INC.
  • Page 631 Appendix B Publicly Available Software B - 3 Name Version Origin License bridge-utils 1.0.4 http://sourceforge.net/projects/bridge/ GNU General Public License 2.0 busybox 1.11.3 http://www.busybox.net GNU General Public License 2.0 dash 0.5.7 http://gondor.apana.org.au/~herbert/dash/ BSD Style Licenses dhcp 3.0.3 https://www.isc.org/ ISC License diffutils 2.8.1 http://www.gnu.org/software/diffutils/diffutils.ht GNU General Public...
  • Page 632 B - 4 WiNG 5.2.6 Access Point System Reference Guide Name Version Origin License glib2 2.30.2 http://www.gtk.org GNU Lesser General Public License 2.1 glibc http://www.gnu.org/software/libc/ GNU General Public License 2.0 hdparm 9.38 http://sourceforge.net/projects/hdparm/ GNU General Public License 2.0 hostapd 0.6.9 http://hostap.epitest.fi/hostapd/...
  • Page 633 Appendix B Publicly Available Software B - 5 Name Version Origin License libkerberos http://web.mit.edu/kerberos/dist/ BSD Style Licenses libncurses http://www.gnu.org/software/ncurses/ncurses.ht MIT License libpam 0.99.9.0 http://www.kernel.org/pub/linux/libs/pam/ GNU General Public License 2.0 libpcap 0.9.8 http://www.tcpdump.org/ BSD Style Licenses libpopt 1.14 http://packages.debian.org/changelogs/pool/main MIT License /p/popt/ libreadline http://tiswww.case.edu/php/chet/readline/rltop.h...
  • Page 634 B - 6 WiNG 5.2.6 Access Point System Reference Guide Name Version Origin License memtester 4.0.8 http://pyropus.ca/software/memtester/ GNU General Public License 2.0 mii-diag 2.09 http://freecode.com/projects/mii-diag GNU General Public License 2.0 mkyaffs None http://www.yaffs.net/ GNU General Public License 2.0 mod_ssl 2.8.3.1-1.3 http://www.modssl.org/...
  • Page 635 Appendix B Publicly Available Software B - 7 Name Version Origin License 2.4.3 http://ppp.samba.org/ppp/ BSD Style Licenses procname http://code.google.com/p/procname/ GNU Lesser General Public License 2.0 procps 3.2.8 http://procps.sourceforge.net/ GNU General Public License 2.0 psmisc 22.2 http://sourceforge.net/projects/psmisc/ GNU General Public License 2.0 pure-ftpd 1.0.22 http://www.pureftpd.org/...
  • Page 636 B - 8 WiNG 5.2.6 Access Point System Reference Guide Name Version Origin License stunnel 4.31 http://www.stunnel.org GNU General Public License 2.0 sysstat 9.0.5 http://sebastien.godard.pagesperso-orange.fr/ GNU General Public License 2.0 tcpdump 4.0.0 http://www.tcpdump.org/ BSD Style Licenses u-boot trunk-2010 http://www.denx.de/wiki/U-Boot/ GNU General Public -03-30 License 2.0...
  • Page 637 Appendix B Publicly Available Software B - 9 B.3 OSS Licenses B.3.1 Apache License 2.0 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.
  • Page 638 B - 10 WiNG 5.2.6 Access Point System Reference Guide applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted.
  • Page 639 Appendix B Publicly Available Software B - 11 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License.
  • Page 640 B - 12 WiNG 5.2.6 Access Point System Reference Guide B.3.3 Drop Bear License Dropbear contains a number of components from different sources, hence there are a few licenses and authors involved. All licenses are fairly non-restrictive. The majority of code is written by Matt Johnston, under the license below.
  • Page 641 Appendix B Publicly Available Software B - 13 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the...
  • Page 642 B - 14 WiNG 5.2.6 Access Point System Reference Guide Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.
  • Page 643 Appendix B Publicly Available Software B - 15 These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works.
  • Page 644 B - 16 WiNG 5.2.6 Access Point System Reference Guide the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License.
  • Page 645 Appendix B Publicly Available Software B - 17 do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.
  • Page 646 B - 18 WiNG 5.2.6 Access Point System Reference Guide 4. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED...
  • Page 647 Appendix B Publicly Available Software B - 19 proprietary software. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License, which was designed for utility programs.
  • Page 648 B - 20 WiNG 5.2.6 Access Point System Reference Guide You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library,...
  • Page 649 Appendix B Publicly Available Software B - 21 5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.
  • Page 650 B - 22 WiNG 5.2.6 Access Point System Reference Guide 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the...
  • Page 651 Appendix B Publicly Available Software B - 23 Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation.
  • Page 652 B - 24 WiNG 5.2.6 Access Point System Reference Guide When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish);...
  • Page 653 Appendix B Publicly Available Software B - 25 The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.
  • Page 654 B - 26 WiNG 5.2.6 Access Point System Reference Guide These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works.
  • Page 655 Appendix B Publicly Available Software B - 27 that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License.
  • Page 656 B - 28 WiNG 5.2.6 Access Point System Reference Guide 10. Each time you redistribute the Library (or any work based on the library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions.
  • Page 657 Appendix B Publicly Available Software B - 29 IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO...
  • Page 658 B - 30 WiNG 5.2.6 Access Point System Reference Guide products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users.
  • Page 659 Appendix B Publicly Available Software B - 31 programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.
  • Page 660 B - 32 WiNG 5.2.6 Access Point System Reference Guide and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.
  • Page 661 Appendix B Publicly Available Software B - 33 "Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source.
  • Page 662 B - 34 WiNG 5.2.6 Access Point System Reference Guide If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms.
  • Page 663 Appendix B Publicly Available Software B - 35 modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License. Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.
  • Page 664 B - 36 WiNG 5.2.6 Access Point System Reference Guide The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
  • Page 665 Appendix B Publicly Available Software B - 37 B.3.8 ISC License Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS"...
  • Page 666 B - 38 WiNG 5.2.6 Access Point System Reference Guide B.3.11 Open SSL License LICENSE ISSUES ============== The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses.
  • Page 667 Appendix B Publicly Available Software B - 39 SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used.
  • Page 668 B - 40 WiNG 5.2.6 Access Point System Reference Guide Copyright (c) 1999,2000,2001 WU-FTPD Development Group. All rights reserved. Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994 The Regents of the University of California. Portions Copyright (c) 1993, 1994 Washington University in Saint Louis.
  • Page 670 MOTOROLA, MOTO, MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark Holdings, LLC and are used under license. All other trademarks are the property of their respective owners. © 2012 Motorola Solutions, Inc. All Rights Reserved.
