Lancom WLC-4006 Manual

WLAN controller

...connecting your business
LANCOM WLC-4006
LANCOM WLC-4025+
LANCOM WLC-4100
Handbuch
Manual


Summary of Contents for Lancom WLC-4006

  • Page 1 ...connecting your business LANCOM WLC-4006 LANCOM WLC-4025+ LANCOM WLC-4100 Handbuch Manual...
  • Page 2 LANCOM WLC-4006 LANCOM WLC-4025+ LANCOM WLC-4100...
  • Page 3 The reproduction and distribution of the documentation and software supplied with this product and the use of its contents is subject to written authorization from LANCOM Systems. We reserve the right to make any alterations that arise as the result of technical development.
  • Page 4 Smaller sites also benefit from the RADIUS/EAP server integrated into the LANCOM WLAN Controller. At the same time the LANCOM WLAN Controllers ensure maximum security as all of the LANCOM Access Points in the network strictly observe corporate security policies automatically.
  • Page 5 LANCOM WLC series Preface Unparalleled operational reliability which prevents "single points of failure" Security settings To maximize the security available from your product, we recommend that you undertake all of the security settings (e.g. firewall, encryption, access protection) that were not already activated when you purchased the product. The LANconfig Wizard 'Security Settings' will help you with this task.
  • Page 6 CD supplied) describes all of the parameters in LCOS, the operating system used by LANCOM products. This guide is an aid to users during the configuration of devices by means of WEBconfig or the telnet console.
  • Page 7: Table Of Contents

    1.2.2 Smart controller technology 1.2.3 Communication between the Access Point and the WLAN Controller 1.2.4 Zero-touch management 1.2.5 Split management 1.3 Just what can your LANCOM WLAN Controller do? 2 Installation 2.1 Package content 2.2 System requirements 2.2.1 Configuring the LANCOM devices 2.2.2 Operating access points in managed mode...
  • Page 8 LANCOM WLC series Content 4 Configuring the WLAN Controller 4.1 Basic configuration of the LANCOM WLAN Controller 4.1.1 Setting the time on the LANCOM WLAN Controller 4.1.2 Generating a default configuration 4.1.3 Assigning the default configuration to the new Access Points 4.2 Extended settings...
  • Page 9 8 Providing dial-in access 8.1 Which details are necessary? 8.1.1 General information 8.1.2 Settings for TCP/IP 8.1.3 Settings for NetBIOS routing 8.2 Settings on the dial-in computer 8.3 Instructions for LANconfig 8.4 1-Click-VPN for LANCOM Advanced VPN Client 8.5 Instructions for WEBconfig...
  • Page 10 LANCOM WLC series Content 9 Appendix 9.1 Performance and characteristics 9.2 Connector wiring 9.2.1 Ethernet interface 10/100/1000Base-TX, DSL interface 9.2.2 Configuration interface (outband) 9.3 CE-declarations of conformity 10 Index...
  • Page 11: Centralized WLAN Management

    LANCOM WLC series Chapter 1: Centralized WLAN management 1 Centralized WLAN management Introduction The widespread use of wireless Access Points and wireless routers provides great convenience and flexibility in network access for businesses, universities and other organizations. Yet in spite of the numerous advantages WLAN infrastructures offer, there are...
  • Page 12: Technical Concepts

    LANCOM WLC series Chapter 1: Centralized WLAN management figuration optionally saved for a defined period to flash memory (in an area that cannot be read out with LANconfig or other tools). Technical concepts 1.2.1 The CAPWAP standard The CAPWAP protocol (Control And Provisioning of Wireless Access Points) was adopted by the IETF (Internet Engineering Task Force) in March 2009 as a standard for the centralized management of large WLAN infrastructures.
  • Page 13 CAPWAP describes different scenarios for the relocation of WLAN functions to the central WLAN Controller. Smart Controller Technology from LANCOM Systems uses the local MAC procedure. This method provides for complete management and monitoring of the WLAN data traffic directly in the Access Points. The only information...
  • Page 14: Communication Between The Access Point And The WLAN

    Chapter 1: Centralized WLAN management CAPWAP tunneling and layer-3 roaming From one of the later LCOS versions, LANCOM WLAN Controllers also support transfer of the payload data through a CAPWAP tunnel. This allows selected applications such as VoIP to be routed via the central WLAN Controller, for example.
  • Page 15 LCOS 7.22 or higher have the default name 'WLC-Address' pre-configured so that a DNS server can resolve this name to a LANCOM WLAN Controller. The same applies to the DNS suffixes learned via DHCP. In this way, a DNS server can automatically suffix the controller's standard name to 'WLC-address.com-...
  • Page 16 LANCOM WLC series Chapter 1: Centralized WLAN management The Access Point is provided with the configuration for the integrated SCEP client via the secure DTLS connection – the Access Point is then able to retrieve its certificate from the SCEP CA via SCEP. Once this is done, the assigned configuration is transferred to the Access Point.
  • Page 17: Zero-Touch Management

    1.2.5 Split management LANCOM Access Points can locate your WLAN Controller in remote networks—a simple IP connection, such as via a VPN path, is all that you need. As the WLAN Controllers only influence the WLAN part of the configuration in the Access Point, all other functions can be managed separately.
  • Page 18: Just What Can Your LANCOM WLAN Controller Do

    Number of managed devices (factory setting / upgrade optional to maximum number): 6 / 12, 25 / 100, 100 / 1000 ✔ ✔ ✔ Automatic detection of WLAN controllers by the LANCOM Access Points or WLAN routers ✔ ✔ ✔ Automatic or manual authentication of the Access Points ✔...
  • Page 19 LANCOM WLC series Chapter 1: Centralized WLAN management LANCOM WLC-4006 LANCOM WLC-4025+ LANCOM WLC-4100 ✔ ✔ ✔ RAS server (over VPN) ✔ ✔ ✔ IP router ✔ ✔ ✔ DHCP and DNS server (separate for all ARF networks) ✔...
  • Page 20 Serial configuration interface ✔ ✔ ✔ FirmSafe for no-risk firmware updates Optional software extensions ✔ ✔ LANCOM WLC-PSPOT Option for guest-access accounts and integrated chargeable WLAN access to the managed access points ✔ ✔ ✔ LANCOM 2-Year Warranty Extension ✔...
  • Page 21: Installation

    System requirements 2.2.1 Configuring the LANCOM devices Computers that connect to a LANCOM must meet the following minimum requirements: Operating system with TCP/IP support, such as Windows, Linux, BSD Unix, Apple Mac OS, OS/2.
  • Page 22: Operating Access Points In Managed Mode

    This allows router settings and VPN settings to be adjusted locally, for example in a branch office or home office installation, and the WLAN configuration is regulated by a LANCOM WLAN Controller at the main office.
  • Page 23: Status Displays

    LANCOM WLC series Chapter 2: Installation 2.3.1 Status displays The LANCOM WLAN Controllers are equipped with the following status displays: [Figure: status displays of the LANCOM WLC-4025+, LANCOM WLC-4100 and LANCOM WLC-4006, with numbered callouts]...
  • Page 24 password has been set. Without a configuration password, the configuration data in the LANCOM is unprotected. Normally you would set a configuration password during the basic configuration (instructions in the following chapter). Information about setting a configuration password at a later time is available in the section 'The Security Wizard'.
  • Page 25 Provides information on the operational state of the device and the connected Access Point. The WLAN display can show the following: On (permanently) The LANCOM WLAN Controller is not yet operational; one of the following elements is missing: Root certificate...
  • Page 26 LANCOM WLC series Chapter 2: Installation º Status of a VPN connection. No VPN tunnel established Green blinking connection establishment Green Flashing First connection Green Inverse flashing Other connections Green On (permanently) VPN tunnels are established ¾ LCD display...
  • Page 27 (LANCOM WLC-4006 only) Access Point. The AP status display can show the following: On (permanently) The LANCOM WLAN Controller is not yet operational; one of the following elements is missing: Root certificate Device certificate Current time Random number for the DTLS encryption Blinking At least one of the expected Access Points is missing.
  • Page 28: Device Connectors

    Connection to network device operational, no data traffic nently) Green Flickering Data traffic Flickering Data packet collision 2.3.2 Device connectors The LANCOM WLAN Controllers are equipped with the following device connectors: [Figure: device connectors, LANCOM WLC-4025+ and LANCOM WLC-4100] LANCOM...
  • Page 29 Please note: For a complete detachment from the power supply please unplug the power connection. ² Power connection: Connector for the IEC cable (LANCOM WLC-4025+, LANCOM WLC-4100) or power supply unit (LANCOM WLC-4006) ¶ Uplink connection Uplink Reset button functions The reset button offers two basic functions—boot (restart) and reset (to the...
  • Page 30: Hardware Installation

    device to prevent any scratching to other equipment. LANCOM WLC-4100, LANCOM WLC-4025+: LAN – First of all connect your LANCOM WLAN Controller to the LAN. Plug one end of the supplied network cable (green connectors) into an LANCOM WLC-...
  • Page 31: Software Installation

    Ethernet port on the device ·, and the other end into an available network connector socket in your local network. LANCOM WLC-4006: LAN – First of all connect your LANCOM WLAN Controller to the LAN. Plug in one end of the supplied network cable (green connectors) to the ¶...
  • Page 32: Which Software Should I Install

    2.5.2 Which software should I install? LANconfig is the Windows configuration program for all LANCOM devices. WEBconfig can be used alternatively or in addition via a web browser. With LANmonitor you can use a Windows computer to monitor all of your LANCOM devices.
  • Page 33: Basic Configuration

    LANCOM WLC series Chapter 3: Basic configuration 3 Basic configuration The basic configuration is conducted with a convenient Setup Wizard that provides step-by-step guidance through the configuration and that requests any necessary information. First of all this chapter presents the information that has to be entered for the basic configuration.
  • Page 34 LANCOM WLC series Chapter 3: Basic configuration New LAN – fully automatic configuration possible The setup wizard offers to configure TCP/IP fully automatically if no network devices connected have yet been configured. This usually happens in the following situations:...
  • Page 35: Configuration Protection

    Multiple administrators can be set up in the configuration of the LANCOM, each with different access rights. Up to 16 different administrators can be set up for a WLAN Controller. Further information can be found in the LCOS reference manual under “Managing rights for different administrators”.
  • Page 36 If you choose automatic TCP/IP configuration, you can continue with step Give the LANCOM an address from the applicable IP address range. Confirm with Next. In the window that follows, you first set the password to the configuration.
  • Page 37: Instructions For WEBconfig

    Instructions for WEBconfig Device settings can be configured from any Web browser. WEBconfig configuration software is an integral component of the LANCOM. A Web browser is all that is required to access WEBconfig. WEBconfig offers similar Setup Wizards to LANconfig and hence provides the perfect conditions for easy configuration of the LANCOM –...
  • Page 38 Windows Me or Windows 9x, or with command ifconfig in the console under Linux). In this case, the LANCOM can be accessed with address x.x.x.254 (the “x”s stand for the first three...
  • Page 39 "search for other devices" option from any other networked LANCOM. Use suitable tools to find out the IP address assigned to the LANCOM by DHCP and access the device directly using this IP address. Use the serial configuration interface to connect a computer running a terminal program to the device.
  • Page 40 LANCOM WLC series Chapter 3: Basic configuration As an alternative, the login dialog provides a link for an encrypted connection over HTTPS. Always use the HTTPS connection for increased security whenever possible. Setup Wizards The setup Wizards allow quick and easy configuration of the most common device settings.
  • Page 41: TCP/IP Settings For Access Points

    IP addresses in the LAN: IP address allocation by a LANCOM In this operating mode, a LANCOM uses DHCP to allocate not only an IP address to each PC in the LAN and WLAN (for devices with a radio module), but it also communicates its own IP address as the standard gateway and DNS server.
  • Page 42 Manual IP address assignment If IP addresses in a network are statically assigned, then the IP address of the LANCOM is to be set as the standard gateway and DNS server in the TCP/IP configuration of each PC in the LAN.
  • Page 43: Configuring The WLAN Controller

    ’Configuring the Access Points’ page 115. Basic configuration of the LANCOM WLAN Controller To get started, a LANCOM WLAN Controller requires the following two pieces of information to carry out the mainly automated configuration of the Access Points: Current time information (date and time) for checking the validity of the necessary certificates.
  • Page 44: Generating A Default Configuration

    LANCOM WLC series Chapter 4: Configuring the WLAN Controller The LANCOM WLAN Controller can only check the temporal validity of these certificates if it is set with the current time. If the time is not set in the WLAN Controller, the WLAN LED illuminates in red and the device is not operational.
  • Page 45 WLAN Controller to assign a default configuration to any new Access Point, even if no explicit configuration has been stored for it. By combining these two options, the LANCOM WLAN Controller can automatically integrate any managed-mode Access Point found in the LAN into its WLAN infrastructure.
  • Page 46 Chapter 4: Configuring the WLAN Controller (Network) name: Give the WLAN a name. This name is used only for administrative purposes in the LANCOM WLAN Controller. SSID: This SSID is used for the WLAN clients to connect. Encryption: Select the encryption method suitable for the WLAN clients being used, and enter a key or passphrase, as applicable.
  • Page 47 LANCOM WLC series Chapter 4: Configuring the WLAN Controller Create a new WLAN profile, give it a unique name, and assign the above logical WLAN network and physical WLAN parameters to it.
  • Page 48: Assigning The Default Configuration To The New Access Points

    LANCOM WLC series Chapter 4: Configuring the WLAN Controller Change to the 'AP config.' tab and add a new entry by clicking on the Default button. Assign the WLAN profile defined above to it. You can leave 'AP name' and 'Location' empty.
  • Page 49: Extended Settings

    Access Points—as entered into the AP table—with valid certificates. Extended settings Most of the parameters for configuring the LANCOM WLAN Controller correspond with those of the Access Points. For this reason, this documentation does not explicitly describe all of the WLAN parameters, but only those aspects necessary for operating the WLAN Controller.
  • Page 50 This enables the WLAN Controller to assign a default configuration to every new Access Point, if no explicit configuration has been stored for it. In combination with auto-accept, the LANCOM WLAN Controller can accept all managed-mode Access Points which are found in the WLAN infrastructure managed by it (up to the maximum number of Access Points that can be managed by one WLAN Controller).
  • Page 51: Profiles

    LANCOM WLC series Chapter 4: Configuring the WLAN Controller Combining the settings for auto-accept and default configuration can cater for a variety of different situations for the setup and operation of Access Points: Auto-accept Default configuration Suitable for Rollout phase: Use this combination only if you can be sure that no Access Points can connect unintentionally with the LAN and thus be accepted into the WLAN infrastructure.
  • Page 52 LANCOM WLC series Chapter 4: Configuring the WLAN Controller LANconfig: WLAN Controller Profiles Logical WLAN networks WEBconfig: LCOS menu tree Setup WLAN management AP configuration Network profiles Name Name of the logical WLAN network under which the settings are saved.
  • Page 53 LANCOM WLC series Chapter 4: Configuring the WLAN Controller Default: Blank Inheritance Selection of a logical WLAN network defined earlier and from which the settings are to be inherited (→ ’Inheritance of parameters’ page 76). Network name (SSID) Define an unambiguous SSID (the network name) for each of the logical wireless LAN networks.
  • Page 54 LANCOM WLC series Chapter 4: Configuring the WLAN Controller to LANconfig or other tools). Should the connection to the WLAN Controller be interrupted, the Access Point will continue to operate with the configuration stored in flash for the time period entered here. The Access Point can also continue to work with this flash configuration after a local power outage.
  • Page 55 LANCOM WLC series Chapter 4: Configuring the WLAN Controller Physical WLAN parameters Here the physical WLAN parameters are set for assignment to the Access Points. The following parameters can be defined for each set of physical WLAN parameters: For normal access point applications you should use only the 5-GHz...
  • Page 56 LANCOM WLC series Chapter 4: Configuring the WLAN Controller Inheritance Selection of a logical WLAN network defined earlier and from which the settings are to be inherited (→ ’Inheritance of parameters’ page 76). Country The country in which the Access Point is to be operated. This information is used to define country-specific settings such as the permitted channels, etc.
  • Page 57 LANCOM WLC series Chapter 4: Configuring the WLAN Controller 1: Switches the use of VLAN on; the management network remains untagged, however. 2 to 4094: Switches the use of VLAN on; the management network uses the VLAN ID set here.
  • Page 58 This means that eight WLAN networks for purely 2.4 GHz operations and eight for purely 5 GHz operations can be defined in a profile. Consequently, each LANCOM Access Point—be it a model offering 2.4 GHz or 5 GHz support—can choose from a maximum of eight logical WLAN networks.
  • Page 59: Access Point Configuration

    LANCOM WLC series Chapter 4: Configuring the WLAN Controller 4.2.3 Access point configuration This area contains a list of all available Access Points and the IP parameter profiles. You can use these profiles if certain Access Points should not receive their IP addresses via DHCP.
  • Page 60 LANCOM WLC series Chapter 4: Configuring the WLAN Controller Max. 63 characters Default: Blank Network mask Netmask of the profile Possible values: Valid netmask Default: Blank Default gateway The gateway to be used by the profile as standard. Possible values:...
  • Page 61 LANCOM WLC series Chapter 4: Configuring the WLAN Controller to connect to a WLAN Controller. The following parameters can be defined for every Access Point: LANconfig: WLAN Controller AP config. Access-point table WEBconfig: LCOS menu tree Setup WLAN management AP configu-...
  • Page 62 LANCOM WLC series Chapter 4: Configuring the WLAN Controller Yes, No Default: MAC address MAC address of the ethernet interface of each Access Point. Possible values: 12 hexadecimal characters. Special values: FFFFFFFFFFFF defines the default configuration (→ ’Automatic provision of the default configuration’...
  • Page 63 LANCOM WLC series Chapter 4: Configuring the WLAN Controller WLAN interface 1 Frequency of the first WLAN module. This parameter can also be used to deactivate the WLAN module. Possible values: 2.4 GHz, 5 GHz, off, default Special values: 'Default' makes use of the frequency setting defined in the 'Options' area.
  • Page 64 'Default' makes use of the encryption method defined in the 'Options' area. Double bandwidth LANCOM Access Points compliant with IEEE 802.11n optionally offer the activation of double the bandwidth. A wireless LAN module normally uses a frequency range of 20 MHz in which data to be transmitted is modulated to the carrier signals.
  • Page 65 LANCOM WLC series Chapter 4: Configuring the WLAN Controller Antenna grouping LANCOM access points with 802.11 support can use up to three antennas for transmitting and receiving data. Depending on the application the use of the antennas can be set.
  • Page 66: AP Update

    DHCP 4.2.4 AP update LANCOM WLAN Controllers allow the configurations of multiple LANCOM Access Points to be managed from a central location in a consistent and convenient manner. With central firmware and script management, uploads of firmware and scripts can be automated for all of the WLAN devices.
  • Page 67 LANCOM WLC series Chapter 4: Configuring the WLAN Controller LANconfig: WLAN Controller AP Update WEBconfig: Setup WLAN Management Central Firmware Management General settings for firmware management Firmware URL The path to the directory with the firmware files. Possible values: URL in the form Server/Directory or http://Server/Direc-...
  • Page 68 LANCOM WLC series Chapter 4: Configuring the WLAN Controller Possible values: 1 to 10 Default: Firmware sender IP address This is where you can configure an optional sender address for use instead of the one automatically selected for the destination address.
  • Page 69 LANCOM WLC series Chapter 4: Configuring the WLAN Controller MAC address Select here the device (identified by its MAC address) that the firmware version specified here is to be used for. Possible values: Valid MAC address Default: Blank Version Firmware version that is to be used for the devices or device types specified here.
  • Page 70 LANCOM WLC series Chapter 4: Configuring the WLAN Controller Blank If the list of IP networks or loopback addresses contains an entry named 'INT' or 'DMZ', the associated IP address of the IP network or the loopback address named 'INT' or 'DMZ' is used.
  • Page 71: Stations

    Stations The station table defines which WLAN clients can associate with the WLAN networks of the LANCOM Access Points which are centrally managed by the WLAN Controller. Furthermore, the method offers a convenient way to assign an individual authentication passphrase and a VLAN ID to each WLAN client.
  • Page 72 LANCOM WLC series Chapter 4: Configuring the WLAN Controller To use the station table, it is imperative that the RADIUS server is activated in the WLAN Controller. As an alternative, requests can be forwarded to another RADIUS server. More information on RADIUS is available under 'RADIUS'.
  • Page 73 0 to 65535 kbps Default: Special values: 0: No limit The RX bandwidth restriction is only active for LANCOM WLAN devices in client mode. This value is not used by normal WLAN clients. VLAN ID This VLAN ID is assigned to packets that are received from the client with...
  • Page 74: RADIUS Server

    LANCOM WLC series Chapter 4: Configuring the WLAN Controller Possible values: 0 to 4096 Default: Special values: In case of VLAN-ID 0, the station is not assigned a specific VLAN ID. Instead, the VLAN ID for the radio cell (SSID) applies.
  • Page 75: Options For The WLAN Controller

    LANCOM WLC series Chapter 4: Configuring the WLAN Controller IP address IP address of the RADIUS server that is communicated to the AP in order for it to reach the RADIUS server. If no value is entered the controller's IP address is taken as default.
  • Page 76 LANCOM WLC series Chapter 4: Configuring the WLAN Controller LANconfig: WLAN Controller Options Event notification WEBconfig: LCOS menu tree Setup WLAN management Notification SYSLOG Activates notification by SYSLOG. Possible values: On or off Default: E-mail Activates notification by e-mail.
  • Page 77: Inheritance Of Parameters

    4.2.8 Inheritance of parameters A LANCOM WLAN Controller is capable of managing a wide range of different Access Points at different locations. However, WLAN profiles include settings that are not equally suitable for every type of Access Point that can be managed.
  • Page 78 LANCOM WLC series Chapter 4: Configuring the WLAN Controller In order to avoid having to maintain multiple redundant WLAN profiles to cater for countries or device types, it is possible to "inherit" selected properties from the logical WLAN networks and the physical WLAN parameters.
  • Page 79: Sample Configurations

    LANCOM WLC series Chapter 4: Configuring the WLAN Controller Changes to the parent entry take immediate effect on all entries which inherit from it. The parent entry itself may also inherit values from other entries. Complex inheritances of this type should be employed with great care, as this can quickly lead to incomprehensible configurations and even errors.
  • Page 80 WEBconfig. A configuration is selected that will be assigned to the Access Point after transmission of a new certificate. Open the LANCOM WLAN Controller configuration with WEBconfig. If new Access Points have been found, WEBconfig displays this with a noti-...
  • Page 81: Deactivating Access Points Or Permanently Removing Them From The WLAN Infrastructure

    A number of administrator accounts with different rights can be set up for configuring LANCOM devices. It may be worthwhile to set up an administrator account on a WLAN Controller for accepting access points, but which does not allow any other changes to the configuration.
  • Page 82 LANCOM WLC series Chapter 4: Configuring the WLAN Controller Manually removing Access Points from the WLAN infrastructure The following actions are required to remove an Access Point under management of the WLAN Controller from the WLAN infrastructure: In the Access Point, switch the WLAN operating mode of the WLAN module from 'Managed' to 'Client' or 'Access Point'.
  • Page 83: Backing Up The Certificates

    4.3.3 Backing up the certificates At system startup, a LANCOM WLAN Controller generates its own basic certificates for the assignment of certificates to the Access Points, including the root certificates for the CA (Certification Authority) and the RA (Registration Authority).
  • Page 84 SCEP-CA'). To ensure that this confidential information remains protected even when exported from the device, it is initially stored to a password-protected PKCS12 container. Open the configuration of the LANCOM WLAN Controller with WEBconfig under LCOS menu tree Setup...
  • Page 85 Chapter 4: Configuring the WLAN Controller The backup file is then stored to your data medium. The passphrase will be required when uploading the backup to a LANCOM WLAN Controller. Uploading a certificate backup into the device On the WEBconfig entry page select the command Upload certificate or file.
  • Page 86: Backing Up And Restoring Further Files From The SCEP-CA

    LANCOM WLC series Chapter 4: Configuring the WLAN Controller 4.3.4 Backing up and restoring further files from the SCEP-CA To be able to fully restore the SCEP-CA, it is important to have the information on the device certificates issued for the individual Access Points by the SCEP- If the root certificates only were backed up, then any issued device...
  • Page 87: LANCOM WLAN Controller Backup

    4.3.5 LANCOM WLAN Controller backup LANCOM WLAN Controllers manage a large number of Access Points, which in turn may have a large number of WLAN clients associated with them. WLAN Controllers thus play a crucial role in the functioning of the entire WLAN infrastructure—for which reason the organization of a backup solution in case of...
  • Page 88 Set the same time on the two LANCOM WLAN Controllers ³ and ·. Transfer the CA and RA certificates from a WLAN Controller ³ to the second and backup Controller ·. Configure the first WLAN Controller ³ according to your requirements with all profiles and the associated AP table.
  • Page 89 LANCOM WLC series Chapter 4: Configuring the WLAN Controller also entered into the backup controller's AP table along with their MAC addresses, the backup controller can fully take over the management of the Access Points. Changes to the WLAN profiles in the backup controller will directly affect the managed Access Points.
  • Page 90: Load Balancing Between WLAN Controllers

    LANCOM WLC series Chapter 4: Configuring the WLAN Controller 4.3.6 Load balancing between WLAN Controllers If multiple WLAN Controllers are available in a network, the Access Points are automatically distributed evenly between the WLAN Controllers. At the beginning of communications, the Access Point sends a "Discovery Request Message"...
  • Page 91: Dynamic VLAN Assignment

    LANCOM WLC series Chapter 4: Configuring the WLAN Controller figuration'), all WLAN Controllers can be "filled" with equal numbers of configurations from a portion of the Access Points. If a second WLAN Controller is to be integrated into a network in addition to an existing WLAN Controller, all of the access points initially remain registered with the older controller.
  • Page 92 As an alternative to an external RADIUS server, WLAN clients can be assigned with a VLAN ID via the internal RADIUS server or the stations table in the LANCOM WLAN Controller ('Station table (ACL table)').
  • Page 93 LANCOM WLC series Chapter 4: Configuring the WLAN Controller [Figure: VPN router, RADIUS server and WLAN Controller; Access Points with SSID ‘INTERNAL’; WLAN clients with VLAN-ID ‘10’ and VLAN-ID ‘20’] Activate VLAN tagging for the WLAN Controller. This is done in the physical parameters of the profile by entering a value greater than '0' (Management VLAN ID) for the management VLAN ID.
  • Page 94: Virtualization And Guest Access Via The LANCOM WLAN

    Structure Management of the access points is handled by the LANCOM WLC. The LANCOM WLC serves as the DHCP server for the WLAN clients in the guest network. The guest network is provided with Internet access via the LANCOM WLC (e.g.
  • Page 95 LANCOM WLC series Chapter 4: Configuring the WLAN Controller The VLAN management of access points is handled by the LANCOM WLC. The VLAN management of the switches is handled separately by the switch configuration. The access points operate within the internal VLANs.
  • Page 96 LANCOM WLC series Chapter 4: Configuring the WLAN Controller Create a set of physical parameters for the access points. The management VLAN ID is set to '1', which serves to activate the VLAN function (but without a separate management VLAN for the device; the management data traffic is transmitted untagged).
  • Page 97 LANCOM WLC series Chapter 4: Configuring the WLAN Controller Assign this WLAN profile to the access points managed by the controller. Do this either by entering the individual access points with their MAC addresses or, alternatively, you can use the default profile.
  • Page 98 LANCOM WLC series Chapter 4: Configuring the WLAN Controller Configuring the switch A switch configuration is demonstrated with the example of a LANCOM ES-2126+. Set the VLAN mode to "Tag based", as the access points handle the assignment of VLAN tags.
  • Page 99 LANCOM WLC series Chapter 4: Configuring the WLAN Controller The guests' VLAN group uses the VLAN ID '100' and is valid only for the ports connected to the WLAN controller and access points (ports 10 to 16 in our example). Tags are not removed from outgoing data packets.
  • Page 100 LANCOM WLC series Chapter 4: Configuring the WLAN Controller Configuring the IP networks in the WLAN controller To separate the data streams on layer 3, two different IP networks are employed (ARF – Advanced Routing and Forwarding). The first step is to define the required IP networks.
  • Page 101 For both IP networks, an entry is created in the DHCP networks to permanently activate the DHCP server. With these settings, the WLAN clients of the internal employees and guests are assigned to the appropriate networks.
  • Page 102 Configuring Public Spot access: The Public Spot allows you to provide a strictly controlled point of access to your wireless LAN. User authentication is handled by a Web interface. If desired, access can be subject to time limits.
  • Page 103 Activate user authentication for the controller's interface that is connected to the switch. By entering the VLAN ID of '100' for the guest network into the VLAN table, the data packets for Public Spot users are restricted to this virtual LAN.
  • Page 104 In the Public Spot module, activate the "Cleanup user table automatically" option to ensure that unwanted entries are automatically deleted. Configuring the RADIUS server to operate a Public Spot: In LCOS versions prior to 7.70, Public Spot access accounts were defined by entering users into the Public Spot module's user list by using the Wizard.
  • Page 105 In order to use the user database in the internal RADIUS server, the RADIUS server in the LANCOM must be activated first. Activate the RADIUS server by entering authentication and accounting ports. Use the authentication port 1812 and the accounting port 1813.
  • Page 106 After updating to LCOS 7.70, user accounts created in the Public Spot module's user list with previous versions of LCOS remain valid. Configuring Internet access for the guest network: In order to provide users of the guest network with Internet access, the wizards can be used to create access to the provider network.
  • Page 107: Checking WLAN Clients With RADIUS (MAC Filter)

    To use RADIUS to authenticate WLAN clients and grant them WLAN access based on their MAC address, an external RADIUS server can be used, as can the internal user table in the LANCOM WLAN Controller. In LANconfig enter the approved MAC addresses into the RADIUS database in the configuration section 'RADIUS servers' on the 'General' tab.
  • Page 108: Internal And External RADIUS Servers Combined

    The MAC address is entered as 'User name' and as 'Password' in the written form 'AABBCC-DDEEFF'. 4.3.10 Internal and external RADIUS servers combined Some companies use an external RADIUS server to authenticate internal WLAN users by IEEE 802.1x.
  • Page 109 To limit the amount of work required for the configuration, internal users are listed without a realm. The RADIUS server in the LANCOM can automatically replace an empty realm with another realm in order to identify internal users. In this example, the empty realm is replaced by the domain...
  • Page 110 of the company "company.eu". The information specified in the forwarding table allows all authentication requests with this realm to be forwarded to the external RADIUS server. SSID: Internal Employee...
  • Page 111 In the WLAN controller's RADIUS server, define an "empty realm" (e.g. "COMPANY.EU"). This realm is attached to all user names which request authentication from the WLAN controller and which do not already have a realm.
  • Page 112: Displays And Commands In LANmonitor

    Wizard are stored in this database, these requests can be authenticated as required. Displays and commands in LANmonitor: LANmonitor gives you a rapid overview of the LANCOM WLAN Controllers in your network and the Access Points within the WLAN infrastructure. LANmonitor displays the following information, among others:...
  • Page 113 Active WLAN networks with the logged-on WLAN clients and the descriptor of the Access Points that the WLAN clients are associated with. Display of new Access Points with IP and MAC address...
  • Page 114: Automatic RF Optimization With LANCOM WLAN Controllers

    In larger installations with several Access Points it can be difficult to set a channel for every Access Point. With automatic radio-field (RF) optimization, the LANCOM WLAN Controllers provide an automatic method of setting the optimum channels for Access Points that work in the 2.4-GHz band.
  • Page 115 Optimization is then carried out in the following stages: The WLAN Controller deletes the AP channel list in all of the Access Points in the 2.4-GHz range. Because the channel list for the Access Points is then empty, the channel list from their profile is assigned to them by means of a configuration update.
  • Page 116: Configuring The Access Points

    As of firmware version LCOS 7.20 there is a difference between LANCOM Access Points (e.g. the LANCOM L-54ag) and LANCOM Wireless Routers (e.g. the LANCOM 1811 Wireless) with regard to the ex-factory standard settings in the WLAN modules.
  • Page 117 If you need to change the operating mode for multiple devices, you can use a simple script on the devices with the following lines: # Script (7.22 / 23.08.2007) lang English...
  • Page 118: Security Settings

    Wireless LANs are potentially a significant security risk. It is a common assumption that it is simple to misuse data transferred by wireless. Wireless LAN devices from LANCOM Systems enable the latest security tech- nologies to be used. Encrypted data transfer (802.11i/WPA) 802.1x / EAP...
  • Page 119: 802.1x / EAP

    The IEEE-802.1x technology has already been fully integrated since Windows XP. Client software exists for other operating systems. The drivers for the LANCOM AirLancer wireless cards feature an integrated 802.1x client. 5.1.3 LANCOM Enhanced Passphrase Security...
  • Page 120: Access Control By MAC Address

    Generally speaking this requires an external VPN gateway and the LANCOM Advanced VPN Client (for Windows 2000, XP and Vista™). The LANCOM WLAN Controller itself provides only a small number of VPN tunnels, such as those used for site-to-site connectivity.
  • Page 121: Security Settings Wizard

    Along with these basic settings, you can use the Security settings Wizard to check the settings of your wireless network (if so equipped). 5.3.1 LANconfig Wizard Mark your LANCOM in the selection window. From the command line, select Extras Setup Wizard.
  • Page 122: WEBconfig Wizard

    With the help of 802.11i, WPA or WEP, you can encrypt the data in your wireless network with different encryption methods such as AES, TKIP or WEP. LANCOM Systems recommends the strongest possible encryption with 802.11i and AES. If the WLAN client adapters do not support these,...
  • Page 123 WEP key has been entered and selected for application. For security reasons, LANCOM Systems strongly advises you not to use WEP! You should only ever use WEP under exceptional circumstances.
  • Page 124 LANCOM WLC series Chapter 5: Security settings Have you activated the firewall? The firewall in the LANCOM WLAN Controller only comes into effect if the WLAN Controller is operated as a Public Spot and provides direct Internet access. When operated for WLAN management only, the firewall in the WLAN Controller remains unused.
  • Page 125 For self-sufficient operations, the configuration for a WLAN interface being managed by a LANCOM WLAN Controller is stored in flash memory for a certain time only, or even in the RAM only. This device configuration is deleted if contact to the WLAN Controller is lost or if the power supply is interrupted for longer than the set time period.
  • Page 126 can be set so that a press is either ignored or it causes a re-start, depending on the time for which it is held pressed.
  • Page 127: Setting Up Internet Access

    LANCOM WLC series Chapter 6: Setting up Internet access 6 Setting up Internet access LANCOM WLAN controllers also provide routing and firewall functions. If required, these devices can also operate as Internet access routers. The Internet Connection Wizard 6.1.1 Instructions for LANconfig Mark your device in the selection window.
  • Page 128: Instructions For WEBconfig

    6.1.2 Instructions for WEBconfig Select the entry Set up Internet connection from the main menu. In the following windows you select your country, your Internet provider if possible, and you enter your access data.
  • Page 129: Connecting Two Networks

    Security aspects: Of course your LAN has to be protected from unauthorized access. For this reason, a LANCOM provides a range of security mechanisms that offer an outstanding level of protection. VPN-based connectivity relies on IPsec for transferring data. The encryption methods employed are 3-DES, AES or Blowfish.
  • Page 130 IP addresses, and not only between gateways with static (fixed) IP addresses. If you have not yet given a name to your LANCOM, the Wizard will ask you to enter a new name for your device. Entering a name will cause your LANCOM to be renamed.
  • Page 131: Settings For The TCP/IP Router

    LANCOM WLC series Chapter 7: Connecting two networks The shared secret is the central password for the VPN connection's security. It must be entered identically at both ends. 7.1.2 Settings for the TCP/IP router In the TCP/IP network, correct addressing is of extreme importance. For network connectivity, it should be observed that both networks are logically separated.
  • Page 132: Settings For NetBIOS Routing

    figuration. Refer to the LANCOM Router reference manual for more detailed information. VPN extranet: In the case of LAN-LAN connectivity via VPN, you can mask the individual computers behind another IP address. The operating mode referred to as...
  • Page 133: 1-Click-VPN For Networks (Site-To-Site)

    Once you have completed the set-up of both routers, you can start testing the network connection. Try to communicate with a computer in the remote LAN (e.g. with ping). The LANCOM Router should automatically connect to the remote site and make contact to the requested computer.
  • Page 134 Use drag&drop by mouse to place the devices onto the entry for the central router. The 1-Click-VPN Site-to-Site Wizard will be started. Enter a name for this access and select the address under which the router is accessible from the Internet.
  • Page 135: Instructions For WEBconfig

    Once you have completed the set-up of both routers, you can start testing the network connection. Try to communicate with a computer in the remote LAN (e.g. with ping). The LANCOM Router should automatically connect to the remote site and make contact to the requested computer.
  • Page 136: 8 Providing Dial-In Access

    Chapter 8: Providing dial-in access 8 Providing dial-in access Your LANCOM can be set up with dial-in access accounts enabling individual computers to dial-in to your LAN and fully participate in the network for the duration of the connection. This service is called RAS (Remote Access Service).
  • Page 137: Settings For TCP/IP

    This IP address can be manually set to a fixed value when the user is created. A simpler option is to allow the LANCOM Router to assign the user with a free IP address when dialing in. In this case, all you have to do is to set the range of IP addresses which are to be available for assignment to the RAS users by the LANCOM Router.
  • Page 138: Settings On The Dial-In Computer

    Internet access A VPN client LANCOM Systems offers you a 30-day test version of the LANCOM Advanced VPN Client on the CD supplied. A precise description of the VPN client and notes on its setup are also to be found on the CD.
  • Page 139: 1-Click-VPN For LANCOM Advanced VPN Client

    Advanced VPN Client are very easy to set up with the Setup Wizard and exported to a file. This file can then be imported as a profile by the LANCOM Advanced VPN Client. All of the information about the LANCOM VPN Router's configuration is also included, and then supplemented with randomly generated values (e.g.
  • Page 140: Instructions For WEBconfig

    Exchange mode: The exchange mode to be used is 'Aggressive Mode'. IKE config mode: The IKE config mode is activated, the IP address information for the LANCOM Advanced VPN Client is automatically assigned by the LANCOM VPN Router. Instructions for WEBconfig: In the main menu, launch the Wizard 'Provide remote access (RAS)'.
  • Page 141: Appendix

    Access Points Access Points Access Points Accessories LANCOM modem adapter kit for connecting modems (analog or GSM) to the serial configuration interface item no. 110288 LANCOM LCOS Reference Manual (DE), item no. 110405 LANCOM Next Business LANCOM Next Business Day Service Extension Cen- Day Service Extension tral Site item no.
  • Page 142: Connector Wiring

    LANCOM WLC series Chapter 9: Appendix Connector wiring 9.2.1 Ethernet interface 10/100/1000Base-TX, DSL interface 8-pin RJ45 sockets (ISO 8877, EN 60603-7) Connector Fast Gigabit Ethernet Ethernet BI_DA+* BI_DA- BI_DB+ BI_DC+ BI_DC- BI_DB- BI_DD+ BI_DD- *BI_DA+ stands for "bi-directional pair +A"...
  • Page 143: CE-Declarations Of Conformity

    CE-declarations of conformity: LANCOM Systems herewith declares that the devices of the type described in this documentation are in agreement with the basic requirements and other relevant regulations of the 1995/5/EC directive. The CE declarations of conformity for your device can be found on the relevant...

This manual is also suitable for:

WLC-4025+, WLC-4100
